Hi,
TLDR - I have a /63 prefix and I'd like to delegate a /64 to each of two interfaces. Delegation works but both interfaces get the same prefix. Where in Forti documentation would I find the correct syntax?
I'm a home user looking to upgrade an old router. I played with *sense, then found FortiGate-VM. I have no experience with FG but prefer the UI. I'm continuing to play with an FG-VM, with a view to purchasing a hardware FG. Thanks to FortiNet for providing an easy way to get a VM.
My ISP delegates a dynamic /62 prefix, and seems to require an ONT which then essentially limits anything downstream to a /63 (long story, and is the only available ISP). I've never used IPv6 either but I'm determined to try it out with the FG-VM.
I'm trying to delegate a /64 on the FG-VM to each of two LAN interfaces. Both interfaces get the same prefix so I'm missing something.
port1, my WAN interface, has the following ipv6 config -
```
config ipv6
    set ip6-allowaccess ping
    set dhcp6-prefix-delegation enable
    set autoconf enable
    config dhcp6-iapd-list
        edit 3
            set prefix-hint ::/63
        next
    end
end
```
port2 successfully gets the first /64 -
```
config ipv6
    set ip6-mode delegated
    set ip6-allowaccess ping https http
    set ip6-send-adv enable
    set ip6-other-flag enable
    set ip6-delegated-prefix-iaid 3
    set ip6-upstream-interface "port1"
    set ip6-subnet ::1/64
    config ip6-delegated-prefix-list
        edit 1
            set upstream-interface "port1"
            set delegated-prefix-iaid 3
            set subnet ::/64
        next
    end
end
```

```
FGVMEVELBTXEYO59 (port2) # co ipv6
FGVMEVELBTXEYO59 (ipv6) # get
ip6-mode :
nd-mode : basic
ip6-address : 2a02:b98:4736:c5da::1/64
```
port3 gets the same 'IP Address/Prefix' as port2 -
```
config ipv6
    set ip6-mode delegated
    set ip6-allowaccess ping
    set ip6-send-adv enable
    set ip6-other-flag enable
    set ip6-delegated-prefix-iaid 3
    set ip6-upstream-interface "port1"
    set ip6-subnet ::2:0:0:0:1/64
    config ip6-delegated-prefix-list
        edit 2
            set upstream-interface "port1"
            set delegated-prefix-iaid 3
            set subnet ::/64
        next
    end
end
```

```
FGVMEVELBTXEYO59 (port3) # co ipv6
FGVMEVELBTXEYO59 (ipv6) # get
ip6-mode :
nd-mode : basic
ip6-address : 2a02:b98:4736:c5da::1/64
```
I guess I have the wrong syntax for 'ip6-subnet' and inside 'ip6-delegated-prefix-list' but I can't see from documentation how to splice a /63 to two different /64 nets.
Cheers!
Please check the doc: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/37673/ipv6-prefix-delegation
Hi @spoojary ,
Thanks! I have already looked at that doc. Unfortunately the doc does not mention how to delegate more than one prefix. I also looked at older versions, to no avail.
I have found several different ways to specify 'ip6-subnet' and 'ip6-delegated-prefix-list' in this forum. Whatever I try, the second interface gets the same address as the first.
Cheers!
Hello,
I'm embarrassed.
I thought I'd first tried -
```
set ip6-subnet ::1:0:0:0:1/64
```
but it works. Sorry and thanks.
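The following is an added example, not part of the original thread or of Fortinet's documentation: a small Python check of an `ip6-subnet` plan against a delegated prefix, flagging interfaces that would land on the same /64. It assumes a model that matches the results reported above (bits already fixed by the delegated prefix are kept, and only the remaining bits are taken from `ip6-subnet`); the `2001:db8:...` prefix and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def resolve(delegated_prefix, ip6_subnet):
    """Combine a delegated prefix with an ip6-subnet value (assumed model).

    Returns (interface, dropped): dropped is True when ip6-subnet sets bits
    that lie inside the delegated prefix and therefore have no effect.
    """
    pd = ipaddress.IPv6Network(delegated_prefix)
    want = ipaddress.IPv6Interface(ip6_subnet)
    free = int(pd.hostmask)                 # bits the delegation leaves to us
    dropped = int(want.ip) & ~free          # requested bits outside that range
    addr = ipaddress.IPv6Address(int(pd.network_address) | (int(want.ip) & free))
    iface = ipaddress.IPv6Interface(f"{addr}/{want.network.prefixlen}")
    return iface, dropped != 0

def check_plan(delegated_prefix, plan):
    """plan maps interface name -> ip6-subnet; returns (report, clashes)."""
    by_net = defaultdict(list)
    report = {}
    for port, subnet in plan.items():
        iface, dropped = resolve(delegated_prefix, subnet)
        report[port] = (str(iface), dropped)
        by_net[iface.network].append(port)
    # Any /64 claimed by more than one interface is a clash.
    clashes = {str(net): ports for net, ports in by_net.items() if len(ports) > 1}
    return report, clashes

# Constructed /63 using the documentation range, not the poster's real prefix.
PD = "2001:db8:4736:c5da::/63"
FIRST_TRY = {"port2": "::1/64", "port3": "::2:0:0:0:1/64"}
WORKING = {"port2": "::1/64", "port3": "::1:0:0:0:1/64"}

if __name__ == "__main__":
    for name, plan in (("first try", FIRST_TRY), ("working", WORKING)):
        report, clashes = check_plan(PD, plan)
        print(name, report, "clashes:", clashes)
```

With a /63 there is exactly one free bit in the fourth hextet, so `1` is the only non-zero subnet ID available; `2` falls inside the delegated prefix.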
Copyright 2024 Fortinet, Inc. All Rights Reserved.