Log into your Fortigate with SSH and enter the vdom context you are using then edit the WAN interface:
Assumption: wan1 is the PPPoE port, internal is the internal switch, and vlan30 is the guest VLAN.
config system interface
edit "wan1"
config ipv6
set ip6-mode pppoe
set ip6-allowaccess ping
set dhcp6-prefix-delegation enable
set dhcp6-prefix-hint ::/60
set autoconf enable
end
next
end
If your ISP has assigned you a specific IPv6 prefix, use that prefix as the hint instead of ::/60 in the config above:
set dhcp6-prefix-hint 2a02:xxxx:yyyy::/48
set ip6-mode pppoe
– Tells the unit to obtain its WAN address via PPPoE (this is issued automatically and lies within the ND prefix from the ISP's email).
set ip6-allowaccess ping
– Simply, allow ping access on WAN.
set dhcp6-prefix-delegation enable
– This tells the Fortigate to accept DHCPv6 prefix delegation (essentially how IPv6 addresses are issued by ISPs to non-edge devices).
set dhcp6-prefix-hint 2a02:xxxx:yyyy::/48
– This is the PD Prefix from the email/issued by your provider
set autoconf enable
– Allow the interface address to be configured automatically via SLAAC
Assign IPv6 to LAN/Guest network
config system interface
edit "internal"
config ipv6
set ip6-mode delegated
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-upstream-interface "wan1"
set ip6-subnet ::2/64
set ip6-other-flag enable
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan1"
set autonomous-flag enable
set onlink-flag enable
set subnet ::/64
next
end
end
next
end
config system interface
edit "vlan30"
config ipv6
set ip6-mode delegated
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-upstream-interface "wan1"
set ip6-subnet ::1/64
set ip6-other-flag enable
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan1"
set autonomous-flag enable
set onlink-flag enable
set subnet ::/64
next
end
end
next
end
Breakdown of the above (note that none of the LAN config has been masked out; it works as-is):
set ip6-mode delegated
– Tells the interface to get its IP via prefix delegation
set ip6-allowaccess ping
– Allows ping access to the firewall on this interface
set ip6-send-adv enable
– Allow IPv6 router advertisements to be sent from this interface.
set ip6-manage-flag enable
– Sets the Managed flag in the RA, which tells end devices to obtain IPv6 addresses via DHCPv6 and not SLAAC
set ip6-upstream-interface "wan1"
– Tells the Fortigate which interface its prefix is delegated from
set ip6-subnet ::1/64
– Tells the interface to take the first address (::1) in the delegated /64
Configure a delegated prefix list – this is used to hand out addresses via DHCPv6 on this interface:
config ip6-delegated-prefix-list
– Enter the prefix-list context
edit 1
– You can have multiple prefix lists, but we just use one here
set upstream-interface "wan1"
– As above, tells the list where to have its addresses delegated from
set autonomous-flag enable
– Allows clients to construct their global IPv6 address from their 64-bit interface identifier with the prefix scope provided in the RA
set onlink-flag enable
– Treat the prefix in the RA as “on-link”/L2 connected (typically only link-local FE80 addresses)
set subnet ::/64
– Use the first /64 in the /48 prefix for address allocation
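As an added worked example (not from the original post), the following Python models how a `set subnet` value and a `set ip6-subnet` value combine with the prefix the ISP delegates, so you can check what each LAN interface will end up with before committing the config. It assumes FortiOS ORs the subnet ID into the free bits of the delegated prefix (my reading of the settings above, not something the post states), uses the documentation prefix 2001:db8:abcd::/48 in place of 2a02:xxxx:yyyy::/48, and gives vlan30 the subnet ID 0:0:0:1::/64 so the two LAN interfaces land in different /64s.

```python
from ipaddress import IPv6Interface, IPv6Network

def delegated_subnet(pd_prefix: str, subnet_id: str) -> IPv6Network:
    """Combine the ISP-delegated prefix with a `set subnet` value.
    Assumed model: the subnet ID is OR-ed into the free bits below the
    delegated prefix length (2001:db8:abcd::/48 + 0:0:0:1::/64)."""
    pd = IPv6Network(pd_prefix, strict=False)
    sid = IPv6Network(subnet_id, strict=False)
    if sid.prefixlen <= pd.prefixlen:
        raise ValueError("subnet must be longer than the delegated prefix")
    sid_bits = int(sid.network_address)
    # A /60 leaves only 4 free bits, so 0:0:0:10::/64 does not fit: reject it
    # rather than silently producing a /64 the ISP never routed to us.
    if sid_bits >> (128 - pd.prefixlen):
        raise ValueError(f"{subnet_id} does not fit inside {pd_prefix}")
    return IPv6Network((int(pd.network_address) | sid_bits, sid.prefixlen))

def interface_address(pd_prefix: str, subnet_id: str, ip6_subnet: str) -> IPv6Interface:
    """Resolve `set ip6-subnet ::1/64` to the interface's concrete address."""
    net = delegated_subnet(pd_prefix, subnet_id)
    host = IPv6Interface(ip6_subnet)
    if host.network.prefixlen != net.prefixlen:
        raise ValueError("ip6-subnet length must match the delegated subnet")
    if int(host.ip) >> (128 - net.prefixlen):
        raise ValueError(f"{ip6_subnet} is not a host suffix of {net}")
    return IPv6Interface((int(net.network_address) | int(host.ip), net.prefixlen))

def plan(pd_prefix: str, ifaces: dict) -> dict:
    """ifaces maps interface name -> (subnet_id, ip6_subnet). Returns the
    resolved address per interface and refuses a plan in which two
    interfaces share one /64 (every LAN interface using `set subnet ::/64`)."""
    out, owner = {}, {}
    for name, (sid, ip6) in ifaces.items():
        addr = interface_address(pd_prefix, sid, ip6)
        if addr.network in owner:
            raise ValueError(f"{name} and {owner[addr.network]} both map to {addr.network}")
        owner[addr.network] = name
        out[name] = addr
    return out

if __name__ == "__main__":
    # Constructed documentation prefix standing in for the ISP's 2a02:xxxx:yyyy::/48.
    for name, addr in plan("2001:db8:abcd::/48",
                           {"internal": ("::/64", "::2/64"),
                            "vlan30": ("0:0:0:1::/64", "::1/64")}).items():
        print(f"{name:9} {addr}")
```

The plan() check rejects a layout in which two interfaces resolve to the same /64, and delegated_subnet() rejects a subnet ID that does not fit in a shorter delegation such as the ::/60 hinted above.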
Configure some firewall policies. Remember that IPv6 requires no NAT at all, ever. I am enabling all traffic outbound and all ICMPv6 inbound:
config firewall policy6
edit 1
set name "Default out"
set srcintf "vlan30"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "Allow ICMP in"
set srcintf "wan1"
set dstintf "vlan30"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL_ICMP6"
set logtraffic all
next
edit 3
set name "Default out"
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 4
set name "Allow ICMP in"
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL_ICMP6"
set logtraffic all
next
end
Configure our DHCPv6 server:
config system dhcp6 server
edit 1
set interface "internal"
set ip-mode delegated
set upstream-interface "wan1"
set dns-server1 2001:4860:4860::8888
set dns-server2 2001:4860:4860::8844
next
edit 2
set interface "vlan30"
set ip-mode delegated
set upstream-interface "wan1"
set dns-server1 2001:4860:4860::8888
set dns-server2 2001:4860:4860::8844
next
end
Ref: https://blah.cloud/networks/enabling-ipv6-dhcpv6-pd-pppoe-fortigate/