Hi-
I have read numerous docs, forum posts, blogs, etc. on how to get ipv6 working on this unit and each configuration attempt has always been met with failure. I've tried numerous configuration examples etc and no go. One of biggest challenges is what ipv6 addresses to enter in some areas of configuration. I have residential cable service with Comcast. I was hoping with the cost of this unit that ipv6 would be automatic and work natively out of the box like ipv4 in dual stack mode, but no. I have given up on trying to configure ipv6 for now, but was hoping there was someone with some insight or a straight forward set of configuration steps to get it working. maybe examples of config files from someone With the cable modem plugged into wan1 and with 1 lan interface using the physical switch ports connecting my access point, server, client machines etc. autoconf was met with failure. DHCP mode on my two interfaces was met with failure, prefix delegation- failed. and a host of other different configurations failed. I can ping an ipv6 address from the cli but what good is that?
Thanks ahead of time , and my apologies if this is posted in the wrong area, or covered somewhere else, or no longer up for discussion. I usually get this kind of stuff sorted out myself, but after almost having to reset the device trying to get it working on ipv4 properly again, I decided to give up until support for native ipv6 is coded into the os or someone with technical expertise can explain it all to me better. It's working fine now ipv4 only. ipv6 turned off!
Sam11123
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
IPv6 has works great for foritigate has been that way for years if not a decade. What/where are you finding your configuration assistance & knowledge? The KBs, Cookbook, and goog searches will show you tons of examples and configurations.
You can't do IPv6-PD btw in a fortigate but auto address works after you set the interface. As far natively out the box, NO...but it's only like 5 to 9 commands just to setup a fortigate up for basic ipv6 imho.
BTW: COMCAST has been supporting ipv6 for awhile I had it b4 & even assignment b4 I had to start paying.
PCNSE
NSE
StrongSwan
Thanks for replying emnoc!
I've read documentation from all those sources you listed. Closest I got was when I used the autoconf enable on the wan1 interface and an assigned ipv6 address actually showed up in the gui. I thought I was good to go, but then then all the sudden nothing worked (no internet connectivity at all) and it scared me so I backed off thinking my tinkering with the ipv6 configuration had somehow messed up my ipv4 configuration when it may have just been an internet outage by Comcast at the time. Either way, I never got it configured to work properly. It always seemed that when I thought I was close to a working config, apple devices would try to connect via ipv6 having detected it's presence in the network environment but of course couldn't connect because something else was missing, so I'd have to try to start over, and over, and over. Anyway, thanks for your input. If only I had an expert that could remote into the unit and configure ipv6 on the unit for me. That would be awesome! With my last Cisco UTM device, I had my windows server box on the network provide DNS, DHCP client/server, AD, and DC roles along with ipv6 but no longer desire to have my network be dependent on the server for network connectivity. I want my Fortigate to do it all. It's a great product. Again, thanks for replying.
I think your problem is your dual-stack device probably used ipv6 for preference and this why it broke. You need to 1t ( imho ) determine if your going to run dual-stack and what services you will reach over ipv4 or ipv6.
example;
goog gmail is located at
2a00:1450:4004:800::2005 ( ipv6)
or
216.58.210.101 ( ipv4 )
What want do you want to use IPv4 or v6 ? Some systems will always take the ipv6 return DNS record for access ( i.e http/https web-browsers, dns etc.... ) . So if you had no ipv6 path, than your " not able to reach the site " message will appear even tho the ipv4 path is available.
read the follow demo on behavior
https://labs.apnic.net/presentations/store/2012-08-28-dual-stack-quality-apnic34.pdf
With comcast-business, I would 1st configured my outside network on the untrusted wan/port and test ping and reach to the next-hop and beyond from the FGT directly
then
Configure the internal port with a ipv6 and SLAAC setup or a new lan interface if possible and do limited testing after you have a fw-policy6 crafted and with the host single-stacked as a ipv6 host.
if your running windows/linux machines DHCPv6 with other/manager flag support would be ideal. But in Apple approach, they haven't deploy a DHCPv6-client so DHCPv6 is useless & I'm afraid they will never do it natively. Maybe the new MACOSX might have start doing it or a 3rd party client.
Go slow, research dual-stack behavior and dive in. It's not that much harder, just understand the differences ( stateless vrs stateful, NDP , etc.....)
Once you have confirm reach and access, it's more about issues with ipv4/v6 preferences.
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.