Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Can't get IPV6 to receive an address
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't get IPV6 to receive an address
Hello All,
I'm trying to get IPV6 working on my fortigate 60D.
The ISP i have is KPN, which is a dutch provider which uses PPPOE, dhcp-pd and SLAAC for the ipv6 side.
As i understand the process on this provider (i found some setup-guides for different devices) i should create a pppoe connection for and IPV4 address and request a /48 subnet and ipv6 address using dhcp on the same connection.
When i configure ipv6 as DHCP it doesn't receive an address, and when i configure it as a PPPOE connection it only gets a link-local address.
The strange thing is that the host systems in my internal network do seem to get a proper ipv6 address however are unable to connect to the internet, as it appears that the fortinet doesn't know what the next hop in the network is.
I can not ping external ipv6 addresses from the host systems or from the fortinet cli.
Am i missing something in my config, or did i do something wrong?
Gateway # diag ipv6 address list dev=26 devname=ppp1 flag=P scope=253 prefix=10 addr=fe80::a5b:e6f:fffe:387c dev=23 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1 dev=21 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1 dev=16 devname=root flag=P scope=254 prefix=128 addr=::1 dev=5 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe6f:387c dev=7 devname=internal1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe6f:387a dev=7 devname=internal1 flag= scope=0 prefix=64 addr=2a02:XXXX:XXXX::1 preferred=102405 valid=188805
Gateway # show system interface wan1 config system interface edit "wan1" set vdom "root" set mode pppoe set allowaccess ping set vlanforward enable set type physical set spillover-threshold 12500 set estimated-upstream-bandwidth 100000 set estimated-downstream-bandwidth 100000 set role wan set snmp-index 2 config ipv6 set ip6-mode pppoe set ip6-allowaccess ping set dhcp6-prefix-delegation enable set dhcp6-prefix-hint ::/48 set autoconf enable end set username "XXX@direct-adsl" set password ENC next end
Gateway # show system interface internal1 config system interface edit "internal1" set vdom "root" set ip 10.9.28.1 255.255.255.0 set allowaccess ping https ssh snmp http telnet fgfm radius-acct capwap set vlanforward enable set type physical set alias "Local Lan" set device-identification enable set device-identification-active-scan enable set role lan set snmp-index 1 config ipv6 set ip6-mode delegated set ip6-allowaccess ping https ssh snmp set ip6-send-adv enable set ip6-manage-flag enable disable set ip6-upstream-interface "wan1" set ip6-subnet ::1/64 config ip6-delegated-prefix-list edit 1 set upstream-interface "wan1" set autonomous-flag enable set onlink-flag enable set subnet ::/64 next end end next end
Gateway # show firewall policy6 config firewall policy6 edit 3 set name "local-ipv6" set uuid 2a82ad84-20b2-51e8-17ee-c356f376f04a set srcintf "internal1" set dstintf "wan1" set srcaddr "local ipv6 subnet" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all next edit 1 set name "Default out" set uuid 113d6d60-2089-51e8-8f23-04ae3c89a6f1 set srcintf "internal1" set dstintf "wan1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all next edit 2 set name "Allow ICMP in" set uuid 11852786-2089-51e8-28cc-df82a34d651a set srcintf "wan1" set dstintf "internal1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL_ICMP6" set logtraffic all next end
Gateway # show router static6 3 config router static6 edit 3 set device "wan1" next end
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had exactly the same behavior, and all the example where people had working IPv6 on pppoe, they didn't have an accompanying IPv4 configuration. For example: https://cjdwyer.com/2018/11/15/enabling-ipv6/
Reading into various KBs, I'm reading that the same interface can't get a secondary IP. While I assume this means the same family. i.e. can't get two IPv4 addresses, I thought I would try creating a virtual pppoe address for the IPv6 addressing with my IPv4 pppoe on my WAN connection. For example from what I found here:
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/682734/system-pppoe-interface
However after checking my IPv6 routes, address list and neighbor cache there is a disconnect between them, and don't seem to align. So it seems I need to understand further how the provider is sending out the IPv6 network info on my wan and go from there. Also I'll have to keep in mind any changes may require an interface reset or FGT reboot. Did you have any luck with your configuration?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So is pppoe working for ipv4 family ? I would run that and ensure it' working and correctly before doing deeper diagnostic into ipv6 .
e.g
dia debug enable dia debug application ppp -1 dia debug applicaiton pppoe -1
get router info routing all
If IPV4 is working & correctly, than you need to do a packet on ppp0 or whatever is the interface for icmp6 or ip6 datagrams
e.g
diag sniffer packet ppp0 "icmp6"
or
diag sniffer packet ppp0 "ip6"
What do you see? BTW I never seen issues pppoe and with KPN. Have you check that ipv6-pd is working with a 3rd party item ( i.e linux ) .
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jeremy,
Strangely I have been discussing this topic at some lenght this week- after someone PM'd me with a similar question.
Since 5.6 GA I have been running the config that you are after.
From what I can see you are missing some config on the WAN side.
Basically when I looked at this in 5.6 GA I was told that you have to create a "pppoe" interface on the physical WAN port.
Prompted by my discussions this week I have also checked with support and they confirm this is still the best approach- even under the lastest 6.4.1 release.
The way I am configured is that I have only physical config on the WAN interface. So it looks like this:- config system interface edit "wan1" set vdom "root" set ip 0.0.0.0 255.255.255.255 set type physical set lldp-reception disable set lldp-transmission disable set role wan set snmp-index 1 config ipv6 set ip6-send-adv enable set ip6-manage-flag enable set ip6-other-flag enable end set mtu-override enable set mtu 1492 The PPPOE interface contains all the ISP related config. That sets my IPv4 address (via the PPPOE session) and the IPv6 address (via the DCHPv6 CP delegation). So that looks like this:- edit "wan1 pppoe" set vdom "root" set mode pppoe set type tunnel set estimated-upstream-bandwidth XXXXXX set estimated-downstream-bandwidth XXXXXX set monitor-bandwidth enable set role wan set snmp-index 12 config ipv6 set ip6-mode dhcp set dhcp6-prefix-delegation enable set ip6-dns-server-override disable end set dns-server-override disable set interface "wan1" next And then finally I have the "system pppoe-interface" like this:- config system pppoe-interface edit "wan1 pppoe" set ipv6 enable set device "wan1" set username "XXXXXXXX" set password ENC JwyVMXAiFeo500qfevgbJj2+XXXXXXXXhVUZgEJkqT/e1S0Yg4ecx+y+rgkc5lgDyRXNTbBo/GtHMfmIR+X5GykaQ9VhMs5JYXB1zyy+e210fDDdycyz5ohXXXXXXXXXXXX/7VVefHkEN/G4PkQ2xRZQ0RegdXXXXXXXXXXXXXXXXXX282G7zYrxBnHS49Xn1J0sDS2g== next end
You will need an IPv4 and IPv6 static route towards the "wan1 pppoe" interface.
Then all of my traffic routes via that PPPOE interface.
When I went through this 3 years or so back I had similar issues to what you are seeing- this was the resolution so I hope it helps you too. All my traffic polices routes via the "wan1 pppoe" interface in my case and I never reference the "wan1" interface.
Good luck- and if there is anything else I can do to help please let me know.
Kind Regards,
Andy.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,729 -
FortiClient
1,771 -
5.2
801 -
FortiManager
734 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
247 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
Fortiweb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
FortiGate-VM
17 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1721 | |
| 1098 | |
| 752 | |
| 447 | |
| 234 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.