How to set up native IPv6?
We have native IPv6 and an address space of /64.
How can I reach machines in the internal IPv6 network (running parallel to IPv4) from the outside IPv6 network?
The documentation only describes various alternatives for cases where there is no native IPv6 but tunnels, NATs etc. I don't want that.
When I set a public IPv6 address on the wan1 interface of a FG 100D 5.0.4, I can ping this IP from outside, using some web service for pinging. But internal machines can't ping that address.
When I set a public IPv6 address on the internal vlan port, I can ping that internal port from the machines and back, but there is no internet connectivity from inside out.
How should I set it up without any NAT? The Fortigate should only check services that are reachable from outside to the inside IPv6 network, and allow all IPv6 traffic from inside to outside.
16 REPLIES
Hello! Thanks for the help! I haven't had much time to deal with this, but now I'm trying to take some time again.
For the example IPv6 address, it can be taken as whatever, like 1::1 or dead:beef:cafe::1 :) So far, if using the first one, I have defined 1::2/64 on vlan1, which also has an internal IPv4 address, and have configured a route to ::/0 via wan1 and 1::1.
"diag ipv6 neighbor-cache list" gave me many ff02:1:2's and fe80::'s, plus one address 1::4 which I had set on one of the servers.
I recalled that ND (and SEND) was for autoconfiguration, but I didn't know that it would also be needed for connectivity itself. I tried to find any reference in the FG manual for IPv6, but didn't find any. Strange, if that is important.
For the LAN side (vlan1), with router advertisements and a prefix so hosts can autoconfigure:
config sys int
    edit vlan1
        config ipv6
            set ip6-allowaccess ping https ssh capwap
            set ip6-address 2001:db8:1::/64
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:db8:1::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end
For the wan1:
config sys int
    edit wan1
        config ipv6
            set ip6-allowaccess ping https ssh capwap
            set ip6-address 2001:db8:2::2/127
        end
    next
end
For the IPv6 static route to your provider's next-hop IPv6 of 2001:db8:2::1:
config router static6
    edit 1
        set gateway 2001:db8:2::1
        set device "wan1"
    next
end
Change the addresses and prefixes to those which were given to you by your provider.
And to answer some questions & point out some info:
1: yes, it's common to run IPv4 and IPv6 on the same interface
2: ND is part of the "autoconfiguration"; it's for discovery of neighbors (SEND is just doing it securely; I don't think Fortigate supports SEND)
3: even an interface with a static IPv6 address uses ND for neighbor discovery
4: it uses the link-local address and multicast, and ALL hosts must support it per the IPv6 RFCs. If not, you would not gain neighbors
So fill in the addresses for the WAN and LAN with the information given to you by the provider. Then use an IPv6 looking-glass (search NTT and looking-glass on google) and select a node, try to ping your WAN address (ensure allowaccess ping is enabled) and then try the LAN side of things.

PCNSE
NSE
StrongSwan
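The reply above covers the interface and route side but not the policy side of the original question (all IPv6 out, only selected services in). The following is an added example in FortiOS 5.x CLI; it is not from the authors of this thread or from Fortinet documentation. It assumes the same interface names (vlan1, wan1) and the 2001:db8:1::/64 LAN prefix used above, and a constructed internal web server address 2001:db8:1::4 (the thread mentions 1::4 as a server host) that should be reachable from the Internet on HTTPS only:

```text
# Added example, not from the thread: FortiOS 5.x IPv6 address objects and policies.
# Assumptions: LAN interface vlan1 carrying 2001:db8:1::/64, WAN interface wan1,
# and a constructed internal web server at 2001:db8:1::4.

config firewall address6
    edit "lan_v6"
        set ip6 2001:db8:1::/64
    next
    edit "web_srv_v6"
        set ip6 2001:db8:1::4/128
    next
    edit "any_v6"
        set ip6 ::/0
    next
end

config firewall policy6
    # Inside to outside: allow everything. No NAT66 is needed because the
    # LAN prefix is globally routable, so no "set nat" line appears here.
    edit 1
        set srcintf "vlan1"
        set dstintf "wan1"
        set srcaddr "lan_v6"
        set dstaddr "any_v6"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Outside to inside: only HTTPS to the single server. Anything else from
    # wan1 towards vlan1 matches no policy and is dropped by the implicit deny.
    edit 2
        set srcintf "wan1"
        set dstintf "vlan1"
        set srcaddr "any_v6"
        set dstaddr "web_srv_v6"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Policies are matched top-down and unmatched traffic hits the implicit deny, so no explicit deny entry is needed. Neighbor discovery and router advertisements between the FortiGate and the LAN hosts run on link-local addresses and are not affected by these policies. If inbound is locked down this tightly, consider also permitting the predefined ALL_ICMP6 service towards the server so that Packet Too Big messages for path MTU discovery are not dropped. Note too that the autonomous-flag prefix in the vlan1 configuration above only works with a 64-bit prefix, since SLAAC builds addresses from a 64-bit interface identifier; this is why the LAN needs its own /64 rather than half of one.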
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello and thanks again for this. I feel like wow! All that has to be done for IPv6 and there's no word about it in the FG manuals! How come...
Anyway, more specifically, I started entering this configuration and found that there is something unclear.
For vlan1, the prefix is 2001:db8:1::, but for wan1, it is 2001:db8:2::. But how can I operate these routable addresses if I have only one /64? Should I operate using /65's? I noticed this when I entered the /127 address for wan1 and got a message that there are overlapping prefixes.
What did the ISP give you for addressing? For the WAN and LAN segments?
Typically they would give you a WAN uplink IPv6 address and then a LAN IPv6 address.
Go back to your ISP and get clarity on what was requested and delivered, and then fill in the correct details in the outline configuration.
Worst case, just do SNAT into the /64 address they gave you, but ideally you don't want, or let me re-phrase, should not need NAT66 with IPv6.
Follow this blog here:
http://socpuppet.blogspot.com/2014/04/nat66-in-crunch-on-fortigate.html
PCNSE
NSE
StrongSwan
Well, the ISP gave us just one /64 address. I had read somewhere that ISPs should give /48's instead of /64's and I never figured out why, but still we asked for bigger and were not given one. Is it really necessary to have more than that? That would be... quite groundbreaking to me, and raises questions.
First I would still try to do your recipe by dividing that /64 into /65's. And then, if I am still not devastated :) use link-locals for "internal", also the crunch. I'll let you know.
You can't just divide the /64 in half. You need to find out how the ISP is going to route that subnet. You should ask for a WAN IPv6 block and a LAN IPv6 block (the one you have is good).
They will most likely give you a /127, or even waste a /64 block in some cases.
Q:
Does your provider have an IPv6 FAQ page?
Did you review it?
Do they have an IPv6 request form?
What did it say?
What did you ask for?
Do they have samples or scenarios of what they provide (network schemes)?
PCNSE
NSE
StrongSwan
Sorry for not replying here earlier, things got too busy and there was no time for IPv6 anymore. I have to answer "no" to all these questions; they gave IPv6 only when asked, and there is no other information. I haven't made any of the further tests that I planned to do, but eventually I will and then continue the discussion here. Thank you!
