Hello All,
I'm trying to get IPV6 working on my fortigate 60D.
The ISP i have is KPN, which is a dutch provider which uses PPPOE, dhcp-pd and SLAAC for the ipv6 side.
As i understand the process on this provider (i found some setup-guides for different devices) i should create a pppoe connection for and IPV4 address and request a /48 subnet and ipv6 address using dhcp on the same connection.
When i configure ipv6 as DHCP it doesn't receive an address, and when i configure it as a PPPOE connection it only gets a link-local address.
The strange thing is that the host systems in my internal network do seem to get a proper ipv6 address however are unable to connect to the internet, as it appears that the fortinet doesn't know what the next hop in the network is.
I can not ping external ipv6 addresses from the host systems or from the fortinet cli.
Am i missing something in my config, or did i do something wrong?
Gateway # diag ipv6 address list
dev=26 devname=ppp1 flag=P scope=253 prefix=10 addr=fe80::a5b:e6f:fffe:387c
dev=23 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=21 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=16 devname=root flag=P scope=254 prefix=128 addr=::1
dev=5 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe6f:387c
dev=7 devname=internal1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe6f:387a
dev=7 devname=internal1 flag= scope=0 prefix=64 addr=2a02:XXXX:XXXX::1 preferred=102405 valid=188805

Gateway # show system interface wan1
config system interface
    edit "wan1"
        set vdom "root"
        set mode pppoe
        set allowaccess ping
        set vlanforward enable
        set type physical
        set spillover-threshold 12500
        set estimated-upstream-bandwidth 100000
        set estimated-downstream-bandwidth 100000
        set role wan
        set snmp-index 2
        config ipv6
            set ip6-mode pppoe
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/48
            set autoconf enable
        end
        set username "XXX@direct-adsl"
        set password ENC
    next
end

Gateway # show system interface internal1
config system interface
    edit "internal1"
        set vdom "root"
        set ip 10.9.28.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct capwap
        set vlanforward enable
        set type physical
        set alias "Local Lan"
        set device-identification enable
        set device-identification-active-scan enable
        set role lan
        set snmp-index 1
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh snmp
            set ip6-send-adv enable
            set ip6-manage-flag enable disable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end

Gateway # show firewall policy6
config firewall policy6
    edit 3
        set name "local-ipv6"
        set uuid 2a82ad84-20b2-51e8-17ee-c356f376f04a
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "local ipv6 subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 1
        set name "Default out"
        set uuid 113d6d60-2089-51e8-8f23-04ae3c89a6f1
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Allow ICMP in"
        set uuid 11852786-2089-51e8-28cc-df82a34d651a
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP6"
        set logtraffic all
    next
end

Gateway # show router static6 3
config router static6
    edit 3
        set device "wan1"
    next
end
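As an added example (not from the original thread or from Fortinet), a small Python parser for the `diag ipv6 address list` output posted above. It groups the addresses by interface and reports which ones carry only a link-local address, which is exactly the symptom described for ppp1 and wan1; the sample input is the posted output with the prefix masked, embedded here as constructed data.

```python
import re

# Constructed sample: the posted "diag ipv6 address list" output (prefix masked as on the page).
SAMPLE = """\
Gateway # diag ipv6 address list
dev=26 devname=ppp1 flag=P scope=253 prefix=10 addr=fe80::a5b:e6f:fffe:387c
dev=23 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=21 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=16 devname=root flag=P scope=254 prefix=128 addr=::1
dev=5 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe6f:387c
dev=7 devname=internal1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe6f:387a
dev=7 devname=internal1 flag= scope=0 prefix=64 addr=2a02:XXXX:XXXX::1 preferred=102405 valid=188805
"""

# Each line is a run of key=value tokens; a value may be empty (e.g. "flag=").
FIELD = re.compile(r"(\w+)=(\S*)")

# Kernel address scopes as printed by FortiOS: 0 = global, 253 = link-local, 254 = host.
SCOPE_NAMES = {"0": "global", "253": "link-local", "254": "host"}

# Internal virtual interfaces that never carry a routable address.
INTERNAL_DEVS = ("vsys_fgfm", "vsys_ha", "root")


def parse_addr_list(text):
    """Return one dict of key=value fields per address line, skipping the prompt."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if "devname=" in line]


def summarize(text):
    """Map devname -> set of scope names seen on that interface."""
    summary = {}
    for row in parse_addr_list(text):
        scope = SCOPE_NAMES.get(row.get("scope", ""), "other")
        summary.setdefault(row["devname"], set()).add(scope)
    return summary


def interfaces_without_global(text, skip=INTERNAL_DEVS):
    """Interfaces that have no global-scope address and therefore cannot reach the IPv6 internet."""
    return sorted(name for name, scopes in summarize(text).items()
                  if "global" not in scopes and name not in skip)


if __name__ == "__main__":
    for name, scopes in summarize(SAMPLE).items():
        print(f"{name:12} {sorted(scopes)}")
    print("link-local only:", interfaces_without_global(SAMPLE))
```

On the posted output this flags ppp1 and wan1, while internal1 shows both a link-local and a global (delegated) address.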
I had exactly the same behavior, and in all the examples where people had working IPv6 on PPPoE, they didn't have an accompanying IPv4 configuration. For example: https://cjdwyer.com/2018/11/15/enabling-ipv6/
Reading into various KBs, I'm reading that the same interface can't get a secondary IP. While I assume this means the same family, i.e. it can't get two IPv4 addresses, I thought I would try creating a virtual PPPoE address for the IPv6 addressing alongside my IPv4 PPPoE on my WAN connection. For example, from what I found here:
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/682734/system-pppoe-interface
However, after checking my IPv6 routes, address list and neighbor cache, there is a disconnect between them, and they don't seem to align. So it seems I need to understand further how the provider is sending out the IPv6 network info on my WAN and go from there. Also I'll have to keep in mind any changes may require an interface reset or FGT reboot. Did you have any luck with your configuration?
So is PPPoE working for the IPv4 family? I would run that and ensure it's working correctly before doing deeper diagnostics into IPv6.
e.g.
dia debug enable
dia debug application ppp -1
dia debug application pppoe -1
get router info routing all
If IPv4 is working correctly, then you need to do a packet capture on ppp0 or whatever the interface is for icmp6 or ip6 datagrams.
e.g.
diag sniffer packet ppp0 "icmp6"
or
diag sniffer packet ppp0 "ip6"
What do you see? BTW, I have never seen issues with PPPoE and KPN. Have you checked that IPv6-PD is working with a 3rd party item (i.e. Linux)?
Ken Felix
PCNSE
NSE
StrongSwan
Hi Jeremy,
Strangely, I have been discussing this topic at some length this week, after someone PM'd me with a similar question.
Since 5.6 GA I have been running the config that you are after.
From what I can see you are missing some config on the WAN side.
Basically when I looked at this in 5.6 GA I was told that you have to create a "pppoe" interface on the physical WAN port.
Prompted by my discussions this week I have also checked with support and they confirm this is still the best approach, even under the latest 6.4.1 release.
The way I am configured is that I have only physical config on the WAN interface. So it looks like this:
config system interface
    edit "wan1"
        set vdom "root"
        set ip 0.0.0.0 255.255.255.255
        set type physical
        set lldp-reception disable
        set lldp-transmission disable
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
        end
        set mtu-override enable
        set mtu 1492
The PPPoE interface contains all the ISP related config. That sets my IPv4 address (via the PPPoE session) and the IPv6 address (via the DHCPv6 PD delegation). So that looks like this:
    edit "wan1 pppoe"
        set vdom "root"
        set mode pppoe
        set type tunnel
        set estimated-upstream-bandwidth XXXXXX
        set estimated-downstream-bandwidth XXXXXX
        set monitor-bandwidth enable
        set role wan
        set snmp-index 12
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            set ip6-dns-server-override disable
        end
        set dns-server-override disable
        set interface "wan1"
    next
And then finally I have the "system pppoe-interface" like this:
config system pppoe-interface
    edit "wan1 pppoe"
        set ipv6 enable
        set device "wan1"
        set username "XXXXXXXX"
        set password ENC JwyVMXAiFeo500qfevgbJj2+XXXXXXXXhVUZgEJkqT/e1S0Yg4ecx+y+rgkc5lgDyRXNTbBo/GtHMfmIR+X5GykaQ9VhMs5JYXB1zyy+e210fDDdycyz5ohXXXXXXXXXXXX/7VVefHkEN/G4PkQ2xRZQ0RegdXXXXXXXXXXXXXXXXXX282G7zYrxBnHS49Xn1J0sDS2g==
    next
end
You will need an IPv4 and IPv6 static route towards the "wan1 pppoe" interface.
Then all of my traffic routes via that PPPOE interface.
When I went through this 3 years or so back I had similar issues to what you are seeing; this was the resolution, so I hope it helps you too. All my traffic policies route via the "wan1 pppoe" interface in my case and I never reference the "wan1" interface.
Good luck, and if there is anything else I can do to help please let me know.
Kind Regards,
Andy.