Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
micahawitt
New Contributor III

IPV6

Forgive if this is loaded somewhere else.

 

I'm running into a snag here.  I am currently on Spectrum and getting a /128 from them.  According to my WAN1 interface.  

 

I am trying to get the DHCP to passthrough to my clients on a vlan, anyone have any luck with this?

1 Solution
emnoc
Esteemed Contributor III

Did you speak with your provider? They will tell you what size prefix is belng delegated , typically /48 or /56 and then you configure the fortigate for the ipv6 delegation on the wan and you pass a prefix in that delegation to your inside lans

 

e.g

 

config sys inteface

     edit wan1

        config ipv6

          set ipv6 dhcp-prefix-delegation enable

          set dhcp6-prefix-hint 2001:db8:44 /56

end

 

 

 Once you have the assignment, you use slacc on your internal lans for assignments of the /64 to the hosts machines.

 

   config sys int 

       edit port1

           config ipv6

                  set ip6-allowaccess ssh ping https

                  set ip6-mode delegate

                  set ip6-upstream wan1

      end

 

Yes it's really that easy you need to speak to your ISP

 

Ken Felix

 

 

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
13 REPLIES 13
micahawitt

So here is latest, neither wan config above is getting me an ipv6 address on my fortigate, keeps getting a /128 as it shows.

 

With that though, i am able to get ipv6 on my laptop if i hook directly.

lobstercreed

Micah,

 

I should emphasize that in my experience your FortiGate will not get anything larger than a /128 by design.  If you're looking for that to change, you're looking in the wrong place. 

 

The way delegation works is that it gives you a prefix to work with for your downstream networks.  The exact config commands I gave above worked fine for me as you can see in this screenshot:

 

 

(Though I ended up tweaking my downstream a bit and am using two /60 for reasons that go way beyond the scope of this.)

 

- Daniel

micahawitt

Its not that i care that its a /128, i just want it to work.  I know that if i hook up my laptop it does work. Trying to get the Fortigate is another issue.

 

i have set my config verbatim to what you have listed.

 

 

when i got to test-ipv6.com or whatismyip.com its not even picking up an ipv6 address on my wan interface it seems as it doesn't show one.

Thiudans

Hello everyone,

 

Brand new to this forum and brand new to Fortinet.

 

Regarding the /128 on the outside interface. That is a gateway address to route to the prefix(es) behind your firewall via router advertisement daemon (radvss I think).

 

I worked on getting IPv6 working on my firewall for two days or so, it took me a bit but everything is fine now. Here are my interface configs -- I am using SLAAC, not DHCPv6 though. You can see if you are delegating properly by typing in 

 

diagnose ipv6 address list

 

If you see ipv6 addresses on your interface(s), you are successfully delegating and you will have your prefix.

 

I actually opened a ticket with support and there is no concise way to get your prefix!

 

In any case, here is my interface config:

 

edit "XXXX"

        set vdom "root"

        set ip RFC-1918.254 255.255.255.0

        set allowaccess ping https ssh snmp http

        set type hard-switch

        set device-identification enable

        set role lan

        set snmp-index 4

        config ipv6

            set ip6-mode delegated

            set ip6-allowaccess ping

            set ip6-send-adv enable

            set ip6-other-flag enable

            set ip6-upstream-interface "wan"

            set ip6-subnet ::55:0:0:0:ffff/64

            config ip6-delegated-prefix-list

                edit 6

                    set upstream-interface "wan"

                    set subnet 0:0:0:55::/64

                    set rdnss-service default

                next

            end

        end

 

 

My wan:

 

edit "wan"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/56
        end
        set dns-server-override disable

 

I am using Spectrum. 

 

With a /56, the last 2 HEX numbers are my network addresses, so the delegated interface above is the 5th network, out of 256 networks. Incidentally, if Spectrum ever changes the prefix, this should automatically popogate to your interfaces and clients.

 

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors