I'm trying to setup my prefix delegation the "correct" way with my new FortiGate 61F. I only have a /60 delegated, and half of that is only available to my router (a pfSense). I am delegating the xxxa through xxxe networks to the FortiGate. This appears to be working as I can see those prefixes on the wan-uplink ipv6 'get' output:
However, when assigning these to specific interfaces via the iaid, I get very strange results. For example, one of my wifi networks is configured with ip6-delegated-prefix-iaid of 4, which correctly assigns the xxxa to the ip6-address, however setting the ip6-delegated-prefix-list delegated-prefix-iaid to 4 and my Router Announcements have no prefix assigned. I changed this around to several values and finally get a prefix if I change it to iaid 1, but it's the wrong prefix (xxxe instead of xxxa). Am I missing something important in this Prefix Delegation configuration?
Configuration:
config system interface
edit "wan-uplink"
config ipv6
set ip6-mode dhcp
set dhcp6-prefix-delegation enable
set ip6-dns-server-override disable
config dhcp6-iapd-list
edit 1
set prefix-hint ::/64
next
edit 2
set prefix-hint 0:0:0:1::/64
next
edit 3
set prefix-hint 0:0:0:2::/64
next
edit 4
set prefix-hint 0:0:0:3::/64
next
edit 5
set prefix-hint 0:0:0:4::/64
next
end
end
next
edit "internal"
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-delegated-prefix-iaid 2 # I set 2 to get xxxe in the ip6-address
set ip6-upstream-interface "wan-uplink"
set ip6-subnet ::1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan-uplink"
set delegated-prefix-iaid 1 # I have to set 1 here to get xxxe in router announcments
set subnet ::/64
set rdnss-service default
next
end
end
next
edit "wifi"
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-delegated-prefix-iaid 4 # I want xxxa
set ip6-upstream-interface "wan-uplink"
set ip6-subnet ::1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan-uplink"
set delegated-prefix-iaid 1 # this gives me xxxe, 4 gives no prefix
set subnet ::/64
set rdnss-service default
next
end
end
next
end
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Decided to mock this out inside a vdom and found some weird and disturbing results.
I setup a vdom "downstream" with the b interface. This interface is configured with a dhcp6 server, presenting the a-e /64 prefixes.
config system interface
edit "b"
set vdom "downstream"
set allowaccess ping
set type physical
set snmp-index 5
config ipv6
set ip6-address 2001:db8:0:3000::1/64
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
end
next
end
config system dhcp6 server
edit 2
set subnet 2001:db8:0:3000::/60
set interface "b"
config prefix-range
edit 1
set start-prefix 2001:db8:0:300a::
set end-prefix 2001:db8:0:300e::
set prefix-length 64
next
end
config ip-range
edit 1
set start-ip 2001:db8:0:3000::2
set end-ip 2001:db8:0:3000::ffff
next
end
next
end
I then have a separate vdom with the "a" interface which is physically connected to the "b" interface, and "a" is able to request a dhcp6 IP and prefix delegations as expected. I have two delegated interfaces (vlan200 and vlan400) which have different iaids.
config system interface
edit "a"
set vdom "delegator"
set allowaccess ping
set type physical
set snmp-index 4
config ipv6
set ip6-mode dhcp
set ip6-allowaccess ping
set dhcp6-prefix-delegation enable
config dhcp6-iapd-list
edit 1
set prefix-hint 0:0:0:1::/64
next
edit 2
set prefix-hint 0:0:0:2::/64
next
edit 3
set prefix-hint 0:0:0:3::/64
next
end
end
next
edit "vlan200"
set vdom "delegator"
set role lan
set snmp-index 42
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
set ip6-delegated-prefix-iaid 1
set ip6-upstream-interface "a"
end
set interface "a"
set vlanid 200
next
edit "vlan400"
set vdom "delegator"
set device-identification enable
set role lan
set snmp-index 43
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
set ip6-delegated-prefix-iaid 2
set ip6-upstream-interface "a"
end
set interface "a"
set vlanid 400
next
end
The issue now is that both vlan200 and vlan400 have the same prefix delegated to them.
# diagnose ipv6 address list
dev=13 devname=a flag=P scope=0 prefix=128 addr=2001:db8:0:3000::2 preferred=4294967295 valid=4294967295 cstamp=906223 tstamp=906223
dev=14 devname=b flag=P scope=0 prefix=64 addr=2001:db8:0:3000::1 preferred=4294967295 valid=4294967295 cstamp=707256 tstamp=707256
dev=55 devname=vlan200 flag=P scope=0 prefix=64 addr=2001:db8:0:300c:: preferred=4294967295 valid=4294967295 cstamp=918230 tstamp=918230
dev=56 devname=vlan400 flag=P scope=0 prefix=64 addr=2001:db8:0:300c:: preferred=4294967295 valid=4294967295 cstamp=919828 tstamp=919828
"a"'s ipv6 get:
(ipv6) # get
ip6-mode : dhcp
nd-mode : basic
ip6-address : 2001:db8:0:3000::2/128
ip6-allowaccess : ping
icmp6-send-redirect : enable
ra-send-mtu : enable
ip6-reachable-time : 0
ip6-retrans-time : 0
ip6-hop-limit : 0
dhcp6-prefix-delegation: enable
delegated-prefix iaid 1 : 2001:db8:0:300a::/64
preferred-life-time : 604800
valid-life-time : 604800
delegated-prefix iaid 2 : 2001:db8:0:300b::/64
preferred-life-time : 604800
valid-life-time : 604800
delegated-prefix iaid 3 : 2001:db8:0:300c::/64
preferred-life-time : 604800
valid-life-time : 604800
delegated-DNS1 : ::
delegated-DNS2 : ::
delegated-domain :
cli-conn6-status : 2
vrrp-virtual-mac6 : disable
vrip6_link_local : ::
dhcp6-iapd-list:
== [ 1 ]
iaid: 1 prefix-hint: 0:0:0:1::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 2 ]
iaid: 2 prefix-hint: 0:0:0:2::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 3 ]
iaid: 3 prefix-hint: 0:0:0:3::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
Hello, below article might help you:
https://docs.fortinet.com/document/fortigate/7.4.0/new-features/108391/bgp-conditional-advertisement...
Hi Jack_
If you are getting the IAIDs you expect (which seems to be the case) then it's likely to be a problem on the internal interfaces. Although I can't see anything particularly obvious there.
I do something similar for my internet connection- but just take the one /56 prefix and then split that up within the Fortigate. He's a sample of my config:-
edit "internet"
.......
config ipv6
set ip6-mode dhcp
set dhcp6-prefix-delegation enable
config dhcp6-iapd-list
edit 1
set prefix-hint ::/56
next
end
end
end
And on one of the internal interfaces:-
config ipv6
set ip6-mode delegated
set ip6-prefix-mode ra
set ip6-send-adv enable
set ip6-other-flag enable
set ip6-delegated-prefix-iaid 1
set ip6-upstream-interface "internet"
set ip6-subnet ::64:0:0:0:1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "internet"
set delegated-prefix-iaid 1
set subnet 0:0:0:64::/64
set rdnss-service default
next
end
end
end
I've included the flag settings I use too- as I'm sure you are aware it is important to get these right for devices to be able to form their IP addresses.
Not sure if that helps you are all?
Kind Regards,
Thanks for the reply Andy. This seems to work with a single iaid, which you select the specific prefix you want of that /56 using the ip6-subnet option. Most of the example configurations show this method. My configuration is using multiple iaids because I don't have a "neat" subnet to delegate from my upstream. I found this article online showing the exact setup I want, it just doesn't seem to work as expected.
Sahmed, the linked article deals entirely with BGP and not DHCPv6.
In the meantime I filed a p4 support ticket to see if maybe this is a bug.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.