Hi all!

Background, I need to deploy IPv6 in production pretty soon , so I have been trying to test in KVM since I have no site that actually has IPv6. I have spent days reading up on IPv6, and searching Fortigate specific tutorials etc, but I am at a loss at what I think should be a fairly simple thing to do. There seem to be a lot of similar posts, but nothing here seems to solve my problem (a lot of them have passed where I am!) I am probably missing something fundamental. Any help would be greatly appreciated! It may be something Fortigate or IPv6 related that I am overlooking!

I have two networks in my environment, the first has IPv4 and IPv6 configuration which routes to the host machine, which I connect the FGT_VM port1 "wan" interface to. I am able to communicate between host and FGT_VM over IPv4 and IPv6. (Note that I don't have IPv6 LAN in this office so it ends at the virtual network). This network has the below IPv6 config in libvirt. The second interface has no configuration, and is connected to port2 and a VM. If enable IPv4 on FGT and VM, then they connect fine.

<ip family='ipv6' address='fd9b:91bb:fd26:e188::1' prefix='64'>
    <dhcp>
      <range start='fd9b:91bb:fd26:e188::100' end='fd9b:91bb:fd26:e188::1ff'/>
    </dhcp>
  </ip>

Trying to get the delegated prefix configuration... from a factory reset, I configure only port1 (wan) and port2 (lan) on the FGT_VM

FortiGate-VM64-KVM # show system interface
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.122.30 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
        config ipv6
            set ip6-address fd9b:91bb:fd26:e188::4/64
            set ip6-allowaccess ping ssh http
            set dhcp6-prefix-delegation enable
        end
    next

    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 2
        config ipv6
            set ip6-mode delegated
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "port1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "port1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next

I have tweaked a lot of these settings a lot, based on various sources on the internet including https://docs.fortinet.com/document/fortigate/6.0.6/handbook/800956/dhcpv6, but at no point does port2 ever obtain an IP address. I thought the ip-subnet of ::1/64 was conflicting with the libvirt IP, so changed this to various values, and also the ip6-delegated-prefix-list subet, to not avail. Port2 just wont take.

FortiGate-VM64-KVM # diagnose ipv6 address list
dev=3 devname=port1 flag=P scope=0 prefix=64 addr=fd9b:91bb:fd26:e188::4 preferred=4294967295 valid=4294967295
dev=3 devname=port1 flag=P scope=253 prefix=64 addr=fe80::5054:ff:fef8:8ec2 preferred=4294967295 valid=4294967295
dev=5 devname=root flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295
dev=7 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295
dev=9 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295

Not that I think its required at this stage, but I have also set routes, configured DHCP6 server, and allow-all policies, all to no avail.

FortiGate-VM64-KVM # show system dhcp6 server
config system dhcp6 server
    edit 1
        set dns-service delegated
        set subnet 0:0:0:102::/64
        set interface "port2"
        set upstream-interface "port1"
        set ip-mode delegated
    next
end

If anyone can point out what I'm missing, I would greatly appreciate this! :) Thanks!