FlorSus
New Contributor

FortiGate IPv6 address objects for delegated prefixes

Hi everyone,

I am trying to configure firewall policies for IPv6 with an ISP delegated prefix.

Is there a way to configure an IPv6 address object that will automatically use the delegated prefix from the upstream interface?

 

Example:

I have wan1 configured as upstream interface and request a ::/56 prefix from my ISP.

I assign IPv6 addresses to my VLAN Interface with a ::/64 netmask with the delegated prefix.
All this is working flawlessly.
However, I'd like to be able to configure an IPv6 address object for the network of one of my VLAN sub-interfaces which gets updated automatically in case the ISP changes the prefix delegated to me.

I am aware that using FQDN address objects would circumvent this problem, but in my case, the FortiGate is also acting as the DNS Server.
This only moves the problem to the FortiGate DNS Server configuration, and I haven't found a way to configure an A record entry that would use the delegated prefix and also update it.

 

I've googled my problem but haven't found any useful information on the web so maybe some IPv6 expert here can help me out...

 

Thanks,

Flo
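The situation described in this post (a ::/56 delegated on wan1, one ::/64 per VLAN interface), as an added example that is not part of the original post and is not Fortinet code: it recomputes each VLAN /64 from the current delegated prefix and renders `config firewall address6` commands only for objects that no longer match. The object names, subnet IDs and 2001:db8:: prefixes are constructed assumptions; how the current prefix is read and how the commands are pushed to the device is left out.

```python
import ipaddress

# Hypothetical address-object names mapped to the subnet ID each VLAN uses
# inside the delegated prefix (constructed values, not from the thread).
VLAN_SUBNET_IDS = {"vlan10-net6": 0x10, "vlan20-net6": 0x20}

def vlan_subnet(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 numbered subnet_id inside the delegated prefix."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64, no room for a /64 subnet")
    bits = 64 - pd.prefixlen  # 8 bits of subnet ID for a /56
    if not 0 <= subnet_id < (1 << bits):
        raise ValueError(f"subnet id {subnet_id:#x} does not fit in {bits} bits")
    base = int(pd.network_address) + (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

def render_update(delegated: str, current: dict) -> str:
    """Build FortiOS CLI that rewrites only the address6 objects that are stale.

    current maps object name -> the ip6 value configured right now.
    Returns an empty string when every object already matches the prefix.
    """
    lines = []
    for name, subnet_id in sorted(VLAN_SUBNET_IDS.items()):
        wanted = vlan_subnet(delegated, subnet_id)
        have = current.get(name)
        if have is not None and ipaddress.IPv6Network(have) == wanted:
            continue  # object still points at the right network
        lines += [f'    edit "{name}"', f"        set ip6 {wanted}", "    next"]
    if not lines:
        return ""
    return "\n".join(["config firewall address6", *lines, "end"])

if __name__ == "__main__":
    # Constructed scenario: the ISP moved the delegation from aa00 to bb00.
    configured = {
        "vlan10-net6": "2001:db8:aa00:10::/64",
        "vlan20-net6": "2001:db8:aa00:20::/64",
    }
    print(render_update("2001:db8:bb00::/56", configured))
```

An object left on the old prefix makes policies match a network that now belongs to someone else, so an empty result is the state to check for after every prefix renewal.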

abelio
Valued Contributor

Hello Flo

"I am aware that using FQDN address objects would circumvent this problem, but in my case, the Fortigate is also acting as the DNS Server."

 

I'm afraid you have the correct answer in your post.

FortiGate as a DNS server is a bad idea (IMHO), useful only in very basic scenarios where there's no other choice.

regards / Abel
FlorSus
New Contributor

Hi Abel,

Thanks for your reply, even though that's not the answer I wanted to hear/read ;)

Maybe some time in the future we will get this feature, since home equipment vendors like AVM have it already.

Regards, Flo

nanda015
New Contributor

I can post my working DHCPv6-PD config later this afternoon/tonight when I get home if no one else does. I know SLAAC works on it, and nothing is hard-coded. They made a couple changes in 7.0/7.2? code related to this, so it can be a little off if following older doc.

FlorSus

I am not sure how DHCPv6-PD config would help in the scenario I've described, but maybe I am missing something. So sure, if you want to share it I'll have a look.

Thanks,

Flo