Hi, I'm trying to set up a FortiGate 51E at home on a VDSL line with dual-stack IPv4/IPv6. The DSL modem is in PPPoE passthrough mode (bridge), ISP is Proximus (Belgium). The wan interface is in PPPoE mode and receives its IPv4 address, so far so good. On the IPv6 side, on the other hand, I do not receive any IP. Normally, once the PPP session is established, the FG should use IPv6CP to allocate an IP address to the (wan) interface. Getting the IPv6 prefix delegated is done over DHCPv6; the DHCPv6 server should then assign a /56 prefix. None of this is happening, and I can't see where it goes wrong. This setup was previously validated on a Ubiquiti EdgeRouter and working. When I sniff on the wan interface I can see the RAs from the upstream router and DHCPv6 solicit messages originating from the FortiGate.

Config for the wan interface:
    config system interface
        edit "wan1"
            set vdom "root"
            set mode pppoe
            set allowaccess ping
            set type physical
            set alias "BBOX"
            set estimated-upstream-bandwidth 5000
            set estimated-downstream-bandwidth 900000
            set role wan
            set snmp-index 1
            config ipv6
                set ip6-mode dhcp
                set ip6-allowaccess ping
                set dhcp6-prefix-delegation enable
                set dhcp6-prefix-hint ::/56
            end
            set username "secret@PROXIMUS"
            set password ENC secret==
        next
    end
Bart,
Was this something you were able to resolve?
I'm with an ISP here in the UK with a similar configuration and struggling to get it working.
Like you, I can see DHCP CP exchanges going on, but don't seem to get any delegated prefix etc.
Has anyone else got any ideas on how this situation should work?
Andy.
Andy Bailey wrote:
Bart,
Was this something you were able to resolve?
I'm with an ISP here in the UK with a similar configuration and struggling to get it working.
Like you, I can see DHCP CP exchanges going on, but don't seem to get any delegated prefix etc.
Has anyone else got any ideas on how this situation should work?
Andy.
No, I've had a ticket open at Fortinet Support for this problem for 6 weeks without a solution.
The ticket is closed now; it got me to a point where I was fed up with repeating things and performing pointless config changes.
Not giving up, will upgrade to 5.4.4 and give it another shot.
No idea why it is so hard to get this configured, already done this on a Cisco and Ubiquiti router in 10-15 minutes, googling for the info included.
Bart,
Yes, my experiences have been pretty frustrating so far. Certainly not as easy as it could or should be.
I'm currently on 5.4.4 and have got to the point now that I can see an IPv6 prefix being delegated. I can set up delegated subnets to internal ports and that seems to be working with internal devices getting valid IPv6 addresses in the delegated range.
However, I don't seem to have a valid outgoing route. The routing table shows the internal subnets as connected, but nothing towards the internet. It almost seems like the wan interface (with the delegated subnet) doesn't have a valid address or something and therefore doesn't show up as a valid route in the routing table.
I had been on 5.6 Beta 3 (as part of the 5.6 Beta programme) but rolled back to see if that made any difference. I see on the beta forum there someone questioning the routing of IPv6 in this type of configuration...
I'll keep you updated on my own config and let you know if I find anything more interesting!
Good luck,
Andy.
Andy Bailey wrote:
I'm currently on 5.4.4 and have got to the point now that I can see an IPv6 prefix being delegated. I can set up delegated subnets to internal ports and that seems to be working with internal devices getting valid IPv6 addresses in the delegated range.
However, I don't seem to have a valid outgoing route. The routing table shows the internal subnets as connected, but nothing towards the internet. It almost seems like the wan interface (with the delegated subnet) doesn't have a valid address or something and therefore doesn't show up as a valid route in the routing table.

Exactly on the same point here in 5.4.3, it took a while to get there.
IMO the only thing wrong now is that the FortiGate does not assign an ip6 on its own WAN interface.
Bart,
OK, good we have both got to the same point I guess. Makes me feel better knowing someone else is having similar issues.
I think I'll raise a ticket as well and reference this forum thread as some background. I suspect I'll have similar issues as you had with your ticket, but at least that highlights it and hopefully gets support looking into the issue more.
As I'm registered for the 5.6 Beta programme I did check the release notes there. Nothing obvious that would suggest this issue is addressed yet. I might try upgrading to 5.6 Beta 3 just in case but I'm not hopeful!
Would you like to add your support ticket to this thread?
I'll post mine here as well :)
Good luck!
Andy.
Bart,
I've raised ticket number 2106741 to cover this issue.
Let you know what happens.
Kind Regards,
Andy.
Quick update, got it working.
Please, pm/post your
- lan & wan interface config
- ip received on host
- ips assigned on your FG interfaces (ppp & lan).
Bart,
That's interesting news! Can't wait to see how you have done it.
My ticket with Fortinet is still rumbling on, not much progress so far.
I've attached a text file which shows:
- Current Interface Config (extracted from my running config)
- "Get" command for each interface which shows the acquired and assigned addresses, parameters etc. for my WAN and LAN interfaces (the LAN interfaces are receiving delegated prefixes from the delegated prefix assigned to the WAN).
- Current IPv6 address list and IPv6 routing table.
For obvious reasons I've replaced a few sensitive pieces with XXX. Thought you'd probably realise that but worth pointing it out!
Hope that all makes sense.
I look forward to hearing your thoughts or comments!
Kind Regards,
Andy.
I'm not entirely sure we are facing the same problem. Turns out I overlooked a tiny detail.

Comparing your config with mine:

Wan interface:

    set dhcp6-prefix-hint 2001:XXX:XXXX:ed3f::/64

I have played with the "set dhcp6-prefix-hint" before but it looks like this setting is not necessary.

Lan interface

Enabled in my config:

    set dhcp6-prefix-delegation

Not enabled in my config:

    set ip6-manage-flag
    set ip6-other-flag

Again, I remember playing with these parameters because they were mentioned on various forums but it works without them.

Here are the steps I've taken to find my error. In this situation, the internal hosts receive their ipv6 but can't reach the internet.

    hyperion # get router info6 interface
    ppp1 [up/up]
        2axx:xxxx:xxxx:b6ac:926c:ac5b:fffe:c509
        fe80::926c:ac5b:fffe:c509
    lan [up/up]
        2axx:xxxx:xxxx:a800::10
        fe80::926c:acff:fe5b:c50b

Then check if your FG can reach ipv6 hosts externally.

    hyperion # execute ping6 ipv6.google.com
    PING ipv6.google.com(2a00:1450:4001:825::200e) 56 data bytes
    64 bytes from 2a00:1450:4001:825::200e: icmp_seq=1 ttl=54 time=10.3 ms
    64 bytes from 2a00:1450:4001:825::200e: icmp_seq=2 ttl=54 time=10.4 ms

From my desktop I tried to ping the link local ip of the lan interface (fe80::926c:acff:fe5b:c50b). This was OK. Then I tried to ping its official ip (2axx:xxxx:xxxx:a800::10). This failed.

    C:\Users\Bart>ipconfig /all
    ....
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2axx:xxxx:xxxx:a810:7596:b234:eb2f:8722(Preferred)
    Temporary IPv6 Address. . . . . . : 2axx:xxxx:xxxx:a810:ea:18c6:d614:30ca(Preferred)
    Link-local IPv6 Address . . . . . : fe80::7596:b234:eb2f:8722%4(Preferred)
    Default Gateway . . . . . . . . . : fe80::926c:acff:fe5b:c50b%4
    ...

As you can see my desktop received an IP in the 2axx:xxxx:xxxx:a810 range but the lan interface is on 2axx:xxxx:xxxx:a800. I did not notice this before. So on the lan interface I changed the subnet parameter of the ip6-delegated-prefix-list config part. Renew leases, et voila!
Hope this helps!
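
The mismatch described in the last post (hosts numbered from one /64 of the delegation, the FortiGate's LAN address sitting in another) can be checked mechanically. This is an added example, not part of the original posts: the 2001:db8 addresses are constructed stand-ins for the redacted ones, a /56 delegation is assumed, and the function names are hypothetical.

```python
import ipaddress

def slash64(addr):
    """Return the /64 network that contains addr."""
    return ipaddress.ip_network(f"{addr}/64", strict=False)

def subnet_id(delegated, net64):
    """Index of a /64 inside the delegated prefix (0x10 for ...a810::/64 in ...a800::/56)."""
    bits = 64 - delegated.prefixlen
    return (int(net64.network_address) >> 64) & ((1 << bits) - 1)

def audit_lan(delegated_prefix, iface_addr, host_addrs):
    """Compare the /64 of each host address with the /64 of the router's LAN address."""
    delegated = ipaddress.ip_network(delegated_prefix)
    iface_net = slash64(ipaddress.ip_address(iface_addr))
    findings = []
    if not iface_net.subnet_of(delegated):
        findings.append(("iface-outside-delegation", iface_addr, None))
    for raw in host_addrs:
        addr = ipaddress.ip_address(raw.split("%")[0])  # drop zone index such as %4
        if addr.is_link_local:
            continue  # fe80::/10 addresses never come from the delegated prefix
        net = slash64(addr)
        if not net.subnet_of(delegated):
            findings.append(("host-outside-delegation", raw, None))
        elif net != iface_net:
            # Host autoconfigured from a different /64 than the router's own address
            findings.append(("subnet-mismatch", raw, subnet_id(delegated, net)))
    return findings

# Constructed sample data mirroring the thread: hosts in ...a810::/64, LAN on ...a800::10
DELEGATED = "2001:db8:1234:a800::/56"   # assumed /56 delegation
HOSTS = [
    "2001:db8:1234:a810:7596:b234:eb2f:8722",
    "2001:db8:1234:a810:ea:18c6:d614:30ca",
    "fe80::7596:b234:eb2f:8722%4",
]

if __name__ == "__main__":
    for lan in ("2001:db8:1234:a800::10", "2001:db8:1234:a810::10"):
        print(lan, audit_lan(DELEGATED, lan, HOSTS) or "consistent")
```
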