Oliver_Jones

IPv6 configuration - subnetting

I have a connection to Fiber7, an ISP that offers dual-stack IPv4/IPv6 internet, here in Switzerland. I've been trying to get my head around subnetting, and I'm afraid I've drawn a blank. Fiber7 offers a /48 prefix (e.g. aaaa:bbbb:cccc::/48), so I want to subnet my network - say, dddd in this case - using the next 16 bits (e.g. aaaa:bbbb:cccc:dddd::/64), and then use the last 64 bits for the host address. (Standard practice for IPv6...)

 

For my outgoing interface to my ISP, I have this configuration:

 

config system interface
    edit "port16"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set alias "Fiber7"
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 1000
        set role wan
        set snmp-index 13
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/48
        end
    next
end

 

Looking at the management interface, I do indeed see that my FortiGate has acquired a 128-bit address with the specified aaaa:bbbb:cccc 48-bit prefix that my ISP told me about in my connection documentation. So far, so good. Then I tried configuring an internal interface, according to online instructions, which looked like this:

 

config system interface
    edit "lacp1"
        set vdom "root"
        set ip 10.20.30.40 255.255.255.0
        set allowaccess ping
        set type aggregate
        set member "port1" "port2"
        set alias "Internal 1"
        set device-identification enable
        set role lan
        set snmp-index 14
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "port16"
            set ip6-subnet ::1000/64
            config ip6-delegated-prefix-list
                edit 1000
                    set upstream-interface "port16"
                    set subnet ::/64
                next
            end
        end
    next
end

 

Here, I tried using an example of 1000 for dddd, so the interface address should be aaaa:bbbb:cccc:1000::/64 (I plan to assign aaaa:bbbb:cccc:2000::/64 to the next subnet, and so on). But it didn't work out that way - dddd actually ended up being zero. Everything worked, however - I could surf to an IPv6 test website, and it would light up green.

 

So, I tried a variation on this theme, and altered the configuration so that it looked like this, instead:

 

config system interface
    edit "lacp1"
        set vdom "root"
        set ip 10.20.30.40 255.255.255.0
        set allowaccess ping
        set type aggregate
        set member "port1" "port2"
        set alias "Internal 1"
        set device-identification enable
        set role lan
        set snmp-index 14
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "port16"
            set ip6-subnet ::1000/64
            config ip6-delegated-prefix-list
                edit 1000
                    set upstream-interface "port16"
                    set subnet 0:0:0:1000::/64
                next
            end
        end
    next
end

 

This massively slowed things down: DNS queries were almost instant previously, but now they took about 20 seconds. However, the assigned IPv6 addresses were in the form of aaaa:bbbb:cccc:1000::/64, which is what I originally expected.

 

What am I doing wrong, here? I am running this on a FortiGate 100E with firmware 6.2.1.
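
The address arithmetic behind the two templates in the post, as an added example that is not part of the original post and not Fortinet code. It assumes the delegated prefix is merged into the configured template by bitwise OR, which is an assumption about the arithmetic and not documented FortiOS behaviour; `split_template` and `combine` are hypothetical helper names, and aaaa:bbbb:cccc::/48 is the post's own placeholder.

```python
import ipaddress

DELEGATED = "aaaa:bbbb:cccc::/48"  # placeholder prefix as written in the post

def split_template(template, delegated_len=48):
    """Return (subnet_id, host_part) that an 'addr/len' template encodes."""
    iface = ipaddress.IPv6Interface(template)
    plen = iface.network.prefixlen
    if plen < delegated_len:
        raise ValueError("template is shorter than the delegated prefix")
    host_bits = 128 - plen
    value = int(iface.ip)
    # Bits below the prefix length are the interface identifier (host part).
    host_part = value & ((1 << host_bits) - 1)
    # Bits between the delegated length and the prefix length are the subnet ID.
    subnet_id = (value >> host_bits) & ((1 << (plen - delegated_len)) - 1)
    return subnet_id, host_part

def combine(delegated, template):
    """OR the delegated prefix into the template (assumed combination rule)."""
    net = ipaddress.IPv6Network(delegated)
    iface = ipaddress.IPv6Interface(template)
    plen = iface.network.prefixlen
    if plen < net.prefixlen:
        raise ValueError("template is shorter than the delegated prefix")
    # A template must leave the ISP-assigned bits at zero.
    if int(iface.ip) >> (128 - net.prefixlen):
        raise ValueError("template sets bits inside the delegated prefix")
    merged = int(net.network_address) | int(iface.ip)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(merged)}/{plen}")

if __name__ == "__main__":
    # The three template values that appear in the two configurations above.
    for template in ("::/64", "::1000/64", "0:0:0:1000::/64"):
        subnet_id, host = split_template(template)
        result = combine(DELEGATED, template)
        print(f"{template:16} subnet-id={subnet_id:#06x} host={host:#x} "
              f"-> {result} (on-link prefix {result.network})")
```

In `::1000/64` the value 1000 sits in the last 16 bits of the interface identifier, so the subnet ID is zero; only `0:0:0:1000::/64` places it in the fourth group, which matches the prefixes observed with each configuration in the post.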
