- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Incorrect Router Announcement with Prefix Delegati...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Incorrect Router Announcement with Prefix Delegation
I'm trying to setup my prefix delegation the "correct" way with my new FortiGate 61F. I only have a /60 delegated, and half of that is only available to my router (a pfSense). I am delegating the xxxa through xxxe networks to the FortiGate. This appears to be working as I can see those prefixes on the wan-uplink ipv6 'get' output:
Spoiler
delegated-prefix iaid 1 : xxxx:xxxx:xxxx:xxxe::/64
preferred-life-time : 4500
valid-life-time : 7200
delegated-prefix iaid 2 : xxxx:xxxx:xxxx:xxxc::/64
preferred-life-time : 4500
valid-life-time : 7200
delegated-prefix iaid 3 : xxxx:xxxx:xxxx:xxxd::/64
preferred-life-time : 4500
valid-life-time : 7200
delegated-prefix iaid 4 : xxxx:xxxx:xxxx:xxxa::/64
preferred-life-time : 4500
valid-life-time : 7200
delegated-prefix iaid 5 : xxxx:xxxx:xxxx:xxxb::/64
preferred-life-time : 4500
valid-life-time : 7200
dhcp6-iapd-list:
== [ 1 ]
iaid: 1 prefix-hint: ::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 2 ]
iaid: 2 prefix-hint: 0:0:0:1::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 3 ]
iaid: 3 prefix-hint: 0:0:0:2::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 4 ]
iaid: 4 prefix-hint: 0:0:0:3::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 5 ]
iaid: 5 prefix-hint: 0:0:0:4::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
preferred-life-time : 4500
valid-life-time : 7200
delegated-prefix iaid 2 : xxxx:xxxx:xxxx:xxxc::/64
preferred-life-time : 4500
valid-life-time : 7200
delegated-prefix iaid 3 : xxxx:xxxx:xxxx:xxxd::/64
preferred-life-time : 4500
valid-life-time : 7200
delegated-prefix iaid 4 : xxxx:xxxx:xxxx:xxxa::/64
preferred-life-time : 4500
valid-life-time : 7200
delegated-prefix iaid 5 : xxxx:xxxx:xxxx:xxxb::/64
preferred-life-time : 4500
valid-life-time : 7200
dhcp6-iapd-list:
== [ 1 ]
iaid: 1 prefix-hint: ::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 2 ]
iaid: 2 prefix-hint: 0:0:0:1::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 3 ]
iaid: 3 prefix-hint: 0:0:0:2::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 4 ]
iaid: 4 prefix-hint: 0:0:0:3::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 5 ]
iaid: 5 prefix-hint: 0:0:0:4::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
However, when assigning these to specific interfaces via the iaid, I get very strange results. For example, one of my wifi networks is configured with ip6-delegated-prefix-iaid of 4, which correctly assigns the xxxa to the ip6-address, however setting the ip6-delegated-prefix-list delegated-prefix-iaid to 4 and my Router Announcements have no prefix assigned. I changed this around to several values and finally get a prefix if I change it to iaid 1, but it's the wrong prefix (xxxe instead of xxxa). Am I missing something important in this Prefix Delegation configuration?
Configuration:
config system interface
edit "wan-uplink"
config ipv6
set ip6-mode dhcp
set dhcp6-prefix-delegation enable
set ip6-dns-server-override disable
config dhcp6-iapd-list
edit 1
set prefix-hint ::/64
next
edit 2
set prefix-hint 0:0:0:1::/64
next
edit 3
set prefix-hint 0:0:0:2::/64
next
edit 4
set prefix-hint 0:0:0:3::/64
next
edit 5
set prefix-hint 0:0:0:4::/64
next
end
end
next
edit "internal"
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-delegated-prefix-iaid 2 # I set 2 to get xxxe in the ip6-address
set ip6-upstream-interface "wan-uplink"
set ip6-subnet ::1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan-uplink"
set delegated-prefix-iaid 1 # I have to set 1 here to get xxxe in router announcments
set subnet ::/64
set rdnss-service default
next
end
end
next
edit "wifi"
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-delegated-prefix-iaid 4 # I want xxxa
set ip6-upstream-interface "wan-uplink"
set ip6-subnet ::1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan-uplink"
set delegated-prefix-iaid 1 # this gives me xxxe, 4 gives no prefix
set subnet ::/64
set rdnss-service default
next
end
end
next
end
FortiGate
FortiGate
Labels:
- Labels:
-
FortiGate
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Decided to mock this out inside a vdom and found some weird and disturbing results.
I setup a vdom "downstream" with the b interface. This interface is configured with a dhcp6 server, presenting the a-e /64 prefixes.
config system interface
edit "b"
set vdom "downstream"
set allowaccess ping
set type physical
set snmp-index 5
config ipv6
set ip6-address 2001:db8:0:3000::1/64
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
end
next
end
config system dhcp6 server
edit 2
set subnet 2001:db8:0:3000::/60
set interface "b"
config prefix-range
edit 1
set start-prefix 2001:db8:0:300a::
set end-prefix 2001:db8:0:300e::
set prefix-length 64
next
end
config ip-range
edit 1
set start-ip 2001:db8:0:3000::2
set end-ip 2001:db8:0:3000::ffff
next
end
next
endI then have a separate vdom with the "a" interface which is physically connected to the "b" interface, and "a" is able to request a dhcp6 IP and prefix delegations as expected. I have two delegated interfaces (vlan200 and vlan400) which have different iaids.
config system interface
edit "a"
set vdom "delegator"
set allowaccess ping
set type physical
set snmp-index 4
config ipv6
set ip6-mode dhcp
set ip6-allowaccess ping
set dhcp6-prefix-delegation enable
config dhcp6-iapd-list
edit 1
set prefix-hint 0:0:0:1::/64
next
edit 2
set prefix-hint 0:0:0:2::/64
next
edit 3
set prefix-hint 0:0:0:3::/64
next
end
end
next
edit "vlan200"
set vdom "delegator"
set role lan
set snmp-index 42
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
set ip6-delegated-prefix-iaid 1
set ip6-upstream-interface "a"
end
set interface "a"
set vlanid 200
next
edit "vlan400"
set vdom "delegator"
set device-identification enable
set role lan
set snmp-index 43
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
set ip6-delegated-prefix-iaid 2
set ip6-upstream-interface "a"
end
set interface "a"
set vlanid 400
next
endThe issue now is that both vlan200 and vlan400 have the same prefix delegated to them.
# diagnose ipv6 address list
dev=13 devname=a flag=P scope=0 prefix=128 addr=2001:db8:0:3000::2 preferred=4294967295 valid=4294967295 cstamp=906223 tstamp=906223
dev=14 devname=b flag=P scope=0 prefix=64 addr=2001:db8:0:3000::1 preferred=4294967295 valid=4294967295 cstamp=707256 tstamp=707256
dev=55 devname=vlan200 flag=P scope=0 prefix=64 addr=2001:db8:0:300c:: preferred=4294967295 valid=4294967295 cstamp=918230 tstamp=918230
dev=56 devname=vlan400 flag=P scope=0 prefix=64 addr=2001:db8:0:300c:: preferred=4294967295 valid=4294967295 cstamp=919828 tstamp=919828"a"'s ipv6 get:
(ipv6) # get
ip6-mode : dhcp
nd-mode : basic
ip6-address : 2001:db8:0:3000::2/128
ip6-allowaccess : ping
icmp6-send-redirect : enable
ra-send-mtu : enable
ip6-reachable-time : 0
ip6-retrans-time : 0
ip6-hop-limit : 0
dhcp6-prefix-delegation: enable
delegated-prefix iaid 1 : 2001:db8:0:300a::/64
preferred-life-time : 604800
valid-life-time : 604800
delegated-prefix iaid 2 : 2001:db8:0:300b::/64
preferred-life-time : 604800
valid-life-time : 604800
delegated-prefix iaid 3 : 2001:db8:0:300c::/64
preferred-life-time : 604800
valid-life-time : 604800
delegated-DNS1 : ::
delegated-DNS2 : ::
delegated-domain :
cli-conn6-status : 2
vrrp-virtual-mac6 : disable
vrip6_link_local : ::
dhcp6-iapd-list:
== [ 1 ]
iaid: 1 prefix-hint: 0:0:0:1::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 2 ]
iaid: 2 prefix-hint: 0:0:0:2::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
== [ 3 ]
iaid: 3 prefix-hint: 0:0:0:3::/64 prefix-hint-plt: 604800 prefix-hint-vlt: 2592000
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, below article might help you:
https://docs.fortinet.com/document/fortigate/7.4.0/new-features/108391/bgp-conditional-advertisement...
Security all we want
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jack_
If you are getting the IAIDs you expect (which seems to be the case) then it's likely to be a problem on the internal interfaces. Although I can't see anything particularly obvious there.
I do something similar for my internet connection- but just take the one /56 prefix and then split that up within the Fortigate. He's a sample of my config:-
edit "internet"
.......
config ipv6
set ip6-mode dhcp
set dhcp6-prefix-delegation enable
config dhcp6-iapd-list
edit 1
set prefix-hint ::/56
next
end
end
end
And on one of the internal interfaces:-
config ipv6
set ip6-mode delegated
set ip6-prefix-mode ra
set ip6-send-adv enable
set ip6-other-flag enable
set ip6-delegated-prefix-iaid 1
set ip6-upstream-interface "internet"
set ip6-subnet ::64:0:0:0:1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "internet"
set delegated-prefix-iaid 1
set subnet 0:0:0:64::/64
set rdnss-service default
next
end
end
end
I've included the flag settings I use too- as I'm sure you are aware it is important to get these right for devices to be able to form their IP addresses.
Not sure if that helps you are all?
Kind Regards,
Andy Bailey, Christchurch, New Zealand
Andy Bailey, Christchurch, New Zealand
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply Andy. This seems to work with a single iaid, which you select the specific prefix you want of that /56 using the ip6-subnet option. Most of the example configurations show this method. My configuration is using multiple iaids because I don't have a "neat" subnet to delegate from my upstream. I found this article online showing the exact setup I want, it just doesn't seem to work as expected.
Sahmed, the linked article deals entirely with BGP and not DHCPv6.
In the meantime I filed a p4 support ticket to see if maybe this is a bug.
Labels
-
FortiGate
6,538 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
SSL SSH inspection
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
Schedule
1 -
4.0MR1
1 -
SDN connector
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.