@ainuoyan
Forked from tienthanh2509/fortigate-ipv6.md
Created May 7, 2023 02:22
Enabling IPv6 with DHCPv6-PD and PPPoE on a Fortigate

Log into your Fortigate with SSH, enter the VDOM context you are using, then edit the WAN interface.

Assumptions

  • wan1 is the PPPoE port
  • internal is the internal switch
  • vlan30 is the guest VLAN
config system interface
    edit "wan1"
        config ipv6
            set ip6-mode pppoe
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/60
            set autoconf enable
        end
    next
end

If your ISP has assigned you an IPv6 prefix, use set dhcp6-prefix-hint 2a02:xxxx:yyyy::/48 in place of the ::/60 hint above.

  • set ip6-mode pppoe – Tells the unit to obtain its address via PPPoE (this is issued automatically and lies within the ND prefix from the provider's email).
  • set ip6-allowaccess ping – Simply allows ping access on the WAN interface.
  • set dhcp6-prefix-delegation enable – Tells the Fortigate to accept DHCPv6 prefix delegation (essentially how ISPs issue IPv6 address space to non-edge devices).
  • set dhcp6-prefix-hint 2a02:xxxx:yyyy::/48 – The PD prefix from the email/issued by your provider. The ::/60 form used in the config above asks the ISP for a /60 when no fixed prefix is known.
  • set autoconf enable – Allows the interface address to be configured automatically via SLAAC.

Assign IPv6 to the LAN/guest networks

config system interface
    edit "internal"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::2/64
            set ip6-other-flag enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end

config system interface
    edit "vlan30"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            set ip6-other-flag enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end

Breakdown of the above (note that none of the LAN config has been nulled; it works as-is):

  • set ip6-mode delegated – Tells the interface to get its prefix via DHCPv6 prefix delegation.
  • set ip6-allowaccess ping – Allows access to the firewall on this interface via the listed protocols.
  • set ip6-send-adv enable – Allows IPv6 router advertisements to be sent from this interface.
  • set ip6-manage-flag enable – Required to tell end devices to obtain IPv6 addresses via DHCPv6 rather than SLAAC (more info).
  • set ip6-upstream-interface "wan1" – Tells the Fortigate which interface its prefix is delegated from.
  • set ip6-subnet ::1/64 – Tells the interface to take the first address in the delegated /64 (internal uses ::2/64 above so its gateway address differs).

Configure a delegated prefix list – this is used to hand out addresses via DHCPv6 on this interface:

  • config ip6-delegated-prefix-list – Enters the context.
  • edit 1 – You can have multiple prefix lists, but we only use one here.
  • set upstream-interface "wan1" – As above, tells the list which interface its prefix is delegated from.
  • set autonomous-flag enable – Allows clients to construct their global IPv6 address from their 64-bit interface identifier and the prefix provided in the RA.
  • set onlink-flag enable – Treats the prefix in the RA as "on-link"/L2 connected (otherwise typically only link-local fe80:: addresses are).
  • set subnet ::/64 – Use the first /64 in the delegated prefix for address allocation.
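The values above only make sense once you see how a delegated prefix, the subnet ID in set subnet and the host part of set ip6-subnet combine into an on-link /64 and a gateway address. The following added example (not from the gist or the referenced article) models that arithmetic with Python's ipaddress module; it assumes the subnet ID fills the bits between the delegated prefix and /64 and that ip6-subnet's host bits supply the interface identifier, and it uses a constructed RFC 3849 documentation prefix in place of a real delegation.

```python
import ipaddress

# Constructed documentation prefix standing in for what an ISP might
# return in answer to the page's ::/60 prefix hint (assumption).
EXAMPLE_PD = "2001:db8:abcd:ff00::/60"

# The page's two LAN interfaces as (set subnet, set ip6-subnet) pairs.
PAGE_LANS = {
    "internal": ("::/64", "::2/64"),
    "vlan30": ("::/64", "::1/64"),
}


def max_subnets(delegated: str) -> int:
    """How many /64s a delegated prefix can be carved into."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    return 1 << (64 - pd.prefixlen)


def compose(delegated: str, subnet: str, ip6_subnet: str):
    """Combine delegated prefix + subnet ID + interface ID into
    (on-link /64, interface address). Model of the page's values,
    not FortiOS source."""
    pd = ipaddress.IPv6Network(delegated)
    sub = ipaddress.IPv6Network(subnet)          # e.g. ::/64, 0:0:0:1::/64
    host = ipaddress.IPv6Interface(ip6_subnet)   # e.g. ::1/64
    if sub.prefixlen != 64 or host.network.prefixlen != 64:
        raise ValueError("subnet and ip6-subnet must be /64")
    sub_bits = int(sub.network_address)
    # A subnet ID that touches the delegated bits does not fit in the PD.
    if sub_bits & int(pd.netmask):
        raise ValueError(f"subnet ID {subnet} does not fit inside {delegated}")
    net_int = int(pd.network_address) | sub_bits
    link = ipaddress.IPv6Network((net_int, 64))
    addr = ipaddress.IPv6Address(net_int | (int(host.ip) & ((1 << 64) - 1)))
    return link, addr


def plan(delegated: str, lans: dict) -> dict:
    """Resolve every LAN to its (on-link /64, gateway address)."""
    return {name: compose(delegated, s, i) for name, (s, i) in lans.items()}


def shared_links(resolved: dict) -> set:
    """Names of LANs whose values resolve to the same /64; worth
    verifying against 'diagnose ipv6 address list' once PD is up."""
    seen, dup = {}, set()
    for name, (link, _) in resolved.items():
        if link in seen:
            dup.update({seen[link], name})
        seen[link] = name
    return dup
```

Under this model the page's two LANs both land in the first /64 of the delegation and differ only in gateway address (::1 versus ::2); a second subnet ID such as 0:0:0:1::/64 is what places the guest VLAN in its own /64, and a /60 delegation leaves room for 16 of them.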

Configure some firewall policies. Remember that IPv6 requires no NAT at all, ever. I am enabling all traffic outbound and all ICMPv6 inbound (ICMPv6 is not optional in IPv6: Neighbor Discovery and Path MTU Discovery depend on it):

config firewall policy6
    edit 1
        set name "Default out"
        set srcintf "vlan30"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Allow ICMP in"
        set srcintf "wan1"
        set dstintf "vlan30"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP6"
        set logtraffic all
    next
    edit 3
        set name "Default out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 4
        set name "Allow ICMP in"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP6"
        set logtraffic all
    next
end

Configure our DHCPv6 server:

config system dhcp6 server
    edit 1
        set interface "internal"
        set ip-mode delegated
        set upstream-interface "wan1"
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::8844
    next
    edit 2
        set interface "vlan30"
        set ip-mode delegated
        set upstream-interface "wan1"
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::8844
    next
end

Ref: https://blah.cloud/networks/enabling-ipv6-dhcpv6-pd-pppoe-fortigate/
