Fortigate IPv6: Difference between revisions

also this blogpost (completely unrelated to A&A) may be useful: https://blah.cloud/networks/enabling-ipv6-dhcpv6-pd-pppoe-fortigate/

=Version 7.2=

These details were updated late 2022 for Version 7.2 from a customer (thank you!)

[[File:Fortigate 7.2 Delegated IPv6 Diagram.jpg|thumb|center]]

Example set up to provide 3 ::/64 networks behind customer Fortigate using delegated IP from AA DHCPv6 server. For OS version 7.2

Note with 7.2 it is possible to configure PPPoE on the wan interface directly and this works for IPv4 but not for IPv6. If the interface is PPPoE and ipV6 addresssing is set for DHCP for IPv6 no address is obtained So a PPoe subinterface still needs to used.

Also with 7.2 the "set ip6-delegated-prefix-iaid x" command must be used otherwise the PPPoE interface cannot be assigned as the upstream interface.

See https://community.fortinet.com/t5/Fortinet-Forum/Error-when-addin-IPv6-with-deligation-to-LAN-interface/m-p/199091

and

https://blah.cloud/networks/enabling-ipv6-dhcpv6-pd-pppoe-fortigate/

for more details as to what each command does.

Example configurations below note the three IPv6 subnets need to be replaced with ones assigned from AA control pages:

I've also assigned .1 as the firewall address but this is strictly not required

<syntaxhighlight lang=bash>

config system interface

edit "wan"

set type physical

set role wan

config ipv6

end

set dns-server-override disable

next

edit "lan1"

set ip 192.168.1.1 255.255.255.0

set type physical

set device-identification enable

set role lan

config ipv6

set ip6-mode delegated

set ip6-allowaccess ping https ssh snmp http fgfm fabric

set ip6-send-adv enable

set ip6-manage-flag enable

set ip6-other-flag enable

set ip6-upstream-interface "PPPOE1"

set ip6-delegated-prefix-iaid 1

set ip6-subnet ::1/64

end

next

edit "lan2"

set ip 192.168.2.1 255.255.255.0

set type physical

set device-identification enable

set role lan

config ipv6

set ip6-mode delegated

set ip6-allowaccess ping https ssh snmp http fgfm fabric

set ip6-send-adv enable

set ip6-manage-flag enable

set ip6-other-flag enable

set ip6-upstream-interface "PPPOE1"

set ip6-delegated-prefix-iaid 2

set ip6-subnet ::1/64

end

next

edit "lan3"

set ip 192.168.3.1 255.255.255.0

set type physical

set device-identification enable

set role lan

config ipv6

set ip6-mode delegated

set ip6-allowaccess ping https ssh snmp http fgfm fabric

set ip6-send-adv enable

set ip6-manage-flag enable

set ip6-other-flag enable

set ip6-upstream-interface "PPPOE1"

set ip6-delegated-prefix-iaid 3

set ip6-subnet ::1/64

end

next

edit "PPPOE1"

set mode pppoe

set allowaccess ping

set type tunnel

set role wan

config ipv6

set ip6-mode dhcp

set ip6-allowaccess ping

set dhcp6-prefix-delegation enable

config dhcp6-iapd-list

edit 1

set prefix-hint 2001:8b0:xxxx:13fa9::/64

next

edit 2

set prefix-hint 2001:8b0:xxxx:13fb0::/64

next

edit 3

set prefix-hint 2001:8b0:xxxx:13fb1::/64

next

end

end

set interface "wan"

next

config system dhcp6 server

edit 1

set dns-service delegated

set interface "lan1"

set upstream-interface "PPPOE1"

set delegated-prefix-iaid 1

set ip-mode delegated

next

edit 2

set dns-service delegated

set interface "lan2"

set upstream-interface "PPPOE1"

set delegated-prefix-iaid 2

set ip-mode delegated

next

edit 3

set dns-service delegated

set interface "lan3"

set upstream-interface "PPPOE1"

set delegated-prefix-iaid 3

set ip-mode delegated

next

end

</syntaxhighlight>

=(Older) Version 5.6=