@tienthanh2509
Last active May 7, 2023 02:22
Enabling IPv6 with DHCPv6-PD and PPPoE on a Fortigate

Log into your FortiGate over SSH, enter the VDOM context you are using (if VDOMs are enabled), then edit the WAN interface:

Assumptions

  • wan1 is the PPPoE (WAN) interface
  • internal is the internal switch (LAN)
  • vlan30 is the guest VLAN
config system interface
    edit "wan1"
        config ipv6
            set ip6-mode pppoe
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/60
            set autoconf enable
        end
    next
end

If your ISP assigns you a fixed IPv6 prefix, put that prefix in the hint instead of the generic length, e.g. set dhcp6-prefix-hint 2a02:xxxx:yyyy::/48.

Breakdown of the above:

  • set ip6-mode pppoe – Obtain the WAN address over PPPoE. The ISP assigns it automatically, and it falls within the ND prefix the provider gave you (by email, in the original write-up).
  • set ip6-allowaccess ping – Allow ICMPv6 echo to the FortiGate itself on the WAN interface (drop this if you do not want the WAN address to answer pings).
  • set dhcp6-prefix-delegation enable – Request and accept a prefix via DHCPv6 prefix delegation; this is how an ISP hands the CPE a block of addresses for the networks behind it.
  • set dhcp6-prefix-hint ::/60 – The prefix length (or, if your provider gave you one, the exact prefix, e.g. 2a02:xxxx:yyyy::/48) to ask for; the ISP may still delegate something different.
  • set autoconf enable – Configure the interface's own address automatically via SLAAC from the ISP's RAs.

Assign IPv6 to LAN/Guest network


config system interface
    edit "internal"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::2/64
            set ip6-other-flag enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end

config system interface
    edit "vlan30"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            set ip6-other-flag enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end

Breakdown of the above (note that nothing in the existing LAN configuration needs to be removed; the IPv6 settings are added alongside it and work as-is):

  • set ip6-mode delegated – The interface derives its IPv6 address from a prefix delegated on another interface.
  • set ip6-allowaccess ping – Allow ICMPv6 echo to the firewall itself on this interface.
  • set ip6-send-adv enable – Send Router Advertisements (RAs) on this interface, so hosts learn the prefix and the default gateway.
  • set ip6-manage-flag enable – Set the Managed (M) flag in the RAs, telling hosts to request an address from the DHCPv6 server configured further down. Because the Autonomous flag in the prefix list is also enabled, hosts still form a SLAAC address as well, so both mechanisms are in use.
  • set ip6-upstream-interface "wan1" – The interface whose delegated prefix this interface takes its address from.
  • set ip6-subnet ::1/64 – Take address ::1 in the selected /64 (vlan30 above uses ::1, internal uses ::2).
  • set ip6-other-flag enable – Set the Other (O) flag in the RAs, so hosts fetch DNS servers and other options over DHCPv6.

Configure a delegated prefix list; this is the prefix the interface advertises in its RAs and the one the DHCPv6 server on this interface hands addresses out of:

  • config ip6-delegated-prefix-list – Enter the prefix-list context.
  • edit 1 – Multiple entries are possible (one per advertised prefix); only one is used here.
  • set upstream-interface "wan1" – As above, the interface whose delegated prefix is carved up.
  • set autonomous-flag enable – Set the A flag, so hosts may form a global address by appending their 64-bit interface identifier to the advertised prefix (SLAAC).
  • set onlink-flag enable – Set the L flag, so hosts treat the advertised /64 as directly connected and resolve neighbours in it with Neighbor Discovery instead of sending them via the router.
  • set subnet ::/64 – The subnet ID selects which /64 of the delegated prefix this interface uses; ::/64 is the first one. Note that both internal and vlan30 above select ::/64, so they end up sharing a single /64 (the diag ipv6 address list output further down this page shows the same prefix on both interfaces). With a /60 or /48 delegation there are spare /64s, so give the guest VLAN its own one, e.g. set subnet 0:0:0:1::/64 together with set ip6-subnet 0:0:0:1::1/64 on vlan30.
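As an added example (not part of the gist and not FortiGate code), the Python script below works out which /64 and which interface address the set subnet / set ip6-subnet values above select from a delegated prefix such as the /60 requested with dhcp6-prefix-hint on wan1, and reports interfaces that select the same /64, which is what the internal and vlan30 configuration above does. The 2001:db8:abcd:1230::/60 delegation is a constructed documentation prefix standing in for the ISP's real one, and composing the prefix with the subnet ID by OR-ing the bits is an assumption taken from how the FortiOS documentation describes those fields.

```python
"""Derive the LAN /64s and interface addresses that FortiGate's delegated
mode produces from a DHCPv6-PD prefix.

Added example for this page, not FortiGate code. Assumption: FortiOS forms
the interface prefix by OR-ing the subnet ID from ``set subnet`` (and the
host bits from ``set ip6-subnet``) onto the delegated prefix. The /60 below
is a constructed documentation prefix standing in for the ISP's delegation."""
import ipaddress

# Constructed: what the ISP might delegate in answer to dhcp6-prefix-hint ::/60
DELEGATED = "2001:db8:abcd:1230::/60"

# (set subnet ..., set ip6-subnet ...) per LAN interface, as configured on the page
AS_ON_PAGE = {
    "internal": ("::/64", "::2/64"),
    "vlan30": ("::/64", "::1/64"),
}
# The same, with vlan30 moved to subnet ID 1 so the guest VLAN gets its own /64
CORRECTED = {
    "internal": ("::/64", "::2/64"),
    "vlan30": ("0:0:0:1::/64", "0:0:0:1::1/64"),
}


def compose(delegated: str, subnet: str) -> ipaddress.IPv6Network:
    """Return the network that `subnet` (e.g. 0:0:0:1::/64) selects in `delegated`."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    sid = ipaddress.IPv6Interface(subnet)
    if sid.network.prefixlen < pd.prefixlen:
        raise ValueError("subnet prefix must not be shorter than the delegated prefix")
    # Subnet-ID bits may only sit below the delegated prefix length; anything
    # higher would silently rewrite the ISP's prefix instead of subdividing it.
    if int(sid.ip) & int(pd.netmask):
        raise ValueError(f"{subnet} sets bits inside the delegated prefix {delegated}")
    combined = int(pd.network_address) | int(sid.ip)
    return ipaddress.IPv6Network((combined, sid.network.prefixlen), strict=False)


def interface_address(delegated: str, ip6_subnet: str) -> ipaddress.IPv6Interface:
    """Return the address the interface takes from `set ip6-subnet`, e.g. ::1/64."""
    net = compose(delegated, ip6_subnet)
    host_bits = int(ipaddress.IPv6Interface(ip6_subnet).ip) & int(net.hostmask)
    addr = ipaddress.IPv6Address(int(net.network_address) | host_bits)
    return ipaddress.IPv6Interface(f"{addr}/{net.prefixlen}")


def plan(delegated: str, interfaces: dict) -> dict:
    """Map interface name -> (network, interface address) for one PD prefix."""
    return {
        name: (compose(delegated, subnet), interface_address(delegated, ip6_subnet))
        for name, (subnet, ip6_subnet) in interfaces.items()
    }


def overlaps(planned: dict) -> dict:
    """Return {network: [interfaces]} for every /64 used by more than one interface."""
    users = {}
    for name, (net, _addr) in planned.items():
        users.setdefault(net, []).append(name)
    return {net: names for net, names in users.items() if len(names) > 1}


if __name__ == "__main__":
    for label, cfg in (("as on page", AS_ON_PAGE), ("corrected", CORRECTED)):
        planned = plan(DELEGATED, cfg)
        print(label)
        for name, (net, addr) in planned.items():
            print(f"  {name:9} {net}  address {addr}")
        print("  overlapping /64s:", overlaps(planned) or "none")
```

Run it and the "as on page" plan puts internal and vlan30 in the same 2001:db8:abcd:1230::/64, while the corrected plan gives vlan30 2001:db8:abcd:1231::/64; a subnet ID that does not fit under the delegated length (for example 0:0:0:1::/64 under a /64 delegation) is rejected rather than quietly overwriting the ISP's prefix.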

Configure firewall policies. IPv6 needs no NAT here: every host behind the FortiGate gets a globally routable address out of the delegated prefix, so these policies are the only thing between the Internet and those hosts. The policies below allow all traffic outbound and all ICMPv6 inbound. Allowing the whole ALL_ICMP6 service inbound is more than IPv6 needs to work; RFC 4890 recommends passing only the types that must cross a firewall (Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem, plus Echo Request/Reply if you want inbound ping) and dropping the rest. The policy names are made distinct per interface below. This is the FortiOS 6.2-and-earlier syntax; from FortiOS 6.4 on, IPv6 policies are configured in config firewall policy (with srcaddr6/dstaddr6) and the separate policy6 table no longer exists.

config firewall policy6
    edit 1
        set name "Default out vlan30"
        set srcintf "vlan30"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "Allow ICMP in vlan30"
        set srcintf "wan1"
        set dstintf "vlan30"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP6"
        set logtraffic all
    next
    edit 3
        set name "Default out internal"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 4
        set name "Allow ICMP in internal"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP6"
        set logtraffic all
    next
end
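Because nothing is NATed, a policy with srcintf wan1 and dstaddr all exposes every host in the delegated prefix. The following Python script is an added example (not part of the gist, not FortiGate code, and it does not talk to a FortiGate): it parses a config firewall policy6 block in the text form shown above and flags inbound accept policies that cover every host, grading service ALL as high and ALL_ICMP6 as medium with a pointer to the RFC 4890 types that should be allowed instead. The set of WAN interfaces and the severities are the editor's assumptions; the sample text is a constructed copy of three of the policies above plus a deliberately bad fifth policy (id 5) that accepts all services inbound.

```python
"""Audit a FortiOS ``config firewall policy6`` block for policies that accept
traffic from the Internet-facing interface to every internal host.

Added example for this page, not FortiGate code. Assumptions: WAN_INTERFACES
names the PPPoE interface as on the page, severities are the editor's own,
and SAMPLE_POLICY6 is a constructed copy of the page's policies 1 and 2 plus
a made-up policy 5 that accepts all services inbound."""
import re

WAN_INTERFACES = {"wan1"}

# ICMPv6 types RFC 4890 says must (or should) pass through a firewall so that
# path MTU discovery, error reporting and (optionally) ping keep working.
RFC4890_INBOUND = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
}

SAMPLE_POLICY6 = """
config firewall policy6
    edit 1
        set srcintf "vlan30"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 2
        set srcintf "wan1"
        set dstintf "vlan30"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL_ICMP6"
    next
    edit 5
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""


def parse_policy6(text: str) -> dict:
    """Parse edit/set/next entries into {policy_id: {key: [values]}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit\s+(\d+)", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        if line == "next" and current is not None:
            policies[current["id"]] = current
            current = None
            continue
        m = re.fullmatch(r"set\s+(\S+)\s+(.+)", line)
        if m and current is not None:
            key, values = m.groups()
            # Values are space separated and may be quoted: set srcaddr "all" "lan"
            current[key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', values)]
    return policies


def audit(policies: dict) -> list:
    """Return (policy_id, severity, message) for risky inbound accept policies."""
    findings = []
    for pid, p in sorted(policies.items()):
        if p.get("action") != ["accept"]:
            continue
        if not WAN_INTERFACES & set(p.get("srcintf", [])):
            continue  # not inbound from the Internet
        if "all" not in p.get("dstaddr", []):
            continue  # scoped to specific hosts; review those separately
        services = set(p.get("service", []))
        # With no NAT, dstaddr "all" means every host in the delegated prefix.
        if "ALL" in services:
            findings.append((pid, "high", "accepts every service inbound to every host"))
        elif "ALL_ICMP6" in services:
            wanted = ", ".join(f"{t} {name}" for t, name in RFC4890_INBOUND.items())
            findings.append((pid, "medium",
                             f"accepts every ICMPv6 type inbound; limit to RFC 4890 types: {wanted}"))
    return findings


if __name__ == "__main__":
    for pid, severity, message in audit(parse_policy6(SAMPLE_POLICY6)):
        print(f"policy {pid} [{severity}]: {message}")
```

Paste the output of show firewall policy6 from your own unit into SAMPLE_POLICY6 to run it against a real policy set; outbound policies such as id 1 are skipped, the page's ICMPv6 policy is reported as medium, and the constructed policy 5 as high.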

Configure the DHCPv6 server on each LAN interface (stateful addresses out of the delegated prefix, plus the DNS servers to hand out; Google Public DNS is used here):

config system dhcp6 server
    edit 1
        set interface "internal"
        set ip-mode delegated
        set upstream-interface "wan1"
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::8844
    next
    edit 2
        set interface "vlan30"
        set ip-mode delegated
        set upstream-interface "wan1"
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::8844
    next
end

Ref: https://blah.cloud/networks/enabling-ipv6-dhcpv6-pd-pppoe-fortigate/

@tienthanh2509 (Author)

Test the IPs assigned to the interfaces:

# diag ipv6 address list

dev=23 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=21 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=16 devname=root flag=P scope=254 prefix=128 addr=::1
dev=25 devname=ppp1 flag= scope=0 prefix=64 addr=2402:xx:xx:xx:926c:ac26:fffe:xx preferred=604259 valid=2591459 cstamp=0 tstamp=0
dev=20 devname=vlan30 flag=P scope=0 prefix=64 addr=2402:xx:6311:5126::1
dev=18 devname=internal flag=P scope=0 prefix=64 addr=2402:xx:6311:5126::1
dev=20 devname=vlan30 flag=P scope=253 prefix=10 addr=fe80::xx:acff:fe26:893a
dev=18 devname=internal flag=P scope=253 prefix=10 addr=fe80::xx:acff:fe26:893a
dev=25 devname=ppp1 flag=P scope=253 prefix=10 addr=fe80::xxac26:fffe:893c

@tienthanh2509 (Author)

For an ISP that strictly checks the MAC address on the WAN port, we need to change the MAC address to match the modem's MAC address:

config system interface
    edit "wan1"
        set macaddr XX:b5:ZZ:eb:fc:YY
    next
end

@tienthanh2509 (Author)

tienthanh2509 commented Jun 5, 2021

Remove IPv6 on an interface

config system interface
    edit "internal"
        config ipv6
            unset ip6-mode
            unset ip6-address
            unset ip6-allowaccess
            unset ip6-send-adv
        end
    next
end

@tienthanh2509 (Author)

get router info6 routing-table
execute ping6 2001:4860:4860::8888
execute tracert6 2001:4860:4860::8888

@tienthanh2509 (Author)

Enabling RIPng on the FortiGate’s vlan30 interface:

config router ripng
    config interface
        edit "vlan30"
        next
    end
end
