Support Forum
dhnz
New Contributor

IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD

These are mutually exclusive but both exceptionally important features, required for ISPs to dynamically allocate IPv6 addresses. Required in most situations to deploy the FortiGate as an IPv6 CPE with PPP. Supported by pfSense, Mikrotik, Cisco in IOS, as well as Juniper in ScreenOS and JunOS. Also supported by a large number of CPE vendor hardware (Apple, D-Link, Linksys, Netgear, Draytek, Fritz, Huawei as examples I've seen in production and lost projects to personally).

(Optional Step 1) Once the PPP session is established, the CPE uses IPv6CP to allocate an IP address to the interface. This gives the CPE a routable IPv6 address in much the same way as IPCP does for IPv4. I noticed 5.2 added support for DHCPv6 Client here, so Fortinet clearly understands the importance of this functionality. Most of the deployments I've seen in New Zealand aren't actually doing this, relying on link-local addressing - but we're just weird and it is used globally.

Step 2 - DHCPv6 requests a subnet via DHCPv6-PD which the ISP or upstream router delegates (typically a /48, /56, /60 or /64) which may be allocated to clients. These subnets are divided and the CPE allocates /64 networks to internal interfaces sequentially. One address from the final 64 bits is allocated to the interface with the remaining allocated to clients via either SLAAC or DHCPv6 Server. In CSCO's implementation you can choose which networks are allocated where (first 48-64 bits remain as a wildcard, next 0-16 bits remain consistent).

(Optional Step 3) - Downstream DHCPv6 enabled routers, including downstream FortiGates or VDOMs, may request a subnet from the CPE, allowing downstream routers to also access the IPv6 internet. Usually requires a /48 from your ISP, the first /56 being reserved for local networks and additional /56 networks being allocated sequentially as requested.

Several features are required to make this solution complete:

- IPv6CP in addition to DHCPv6 Client on PPP interfaces
- DHCPv6 Client Prefix Delegation Request - should be able to handle any ISP delegation, reducing functionality for smaller subnets. Comcast in the USA gives you either a /60 or /64 as an example.
- New interface IPv6 Address Mode "Delegated" when this is enabled on the WAN.
- $Prefix::1/64 setting for wildcard subnets on interfaces - should allow multiple instances, each bound to a specific WAN interface to optionally allow for multiple upstream ISPs
- $Prefix::/64 option on DHCPv6 server
- $Prefix support on IPv6 Firewall Address Objects
- $Prefix on FortiAnalyzer, FortiCloud and FortiView to merge internal hosts.
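The allocation scheme described in the post (Step 2 and Optional Step 3: sequential /64s per internal interface, "$Prefix::1" on the interface, and with a /48 the remaining /56s handed to downstream routers) as an added Python illustration. This is not FortiOS or forum code; the delegated prefix and the interface names internal, dmz and guest are constructed for the example, and it also handles the smaller Comcast-style /60 and /64 delegations the post mentions by raising once the delegation runs out of /64s.

```python
# Added illustration (not FortiOS or forum code) of the CPE allocation scheme
# the post describes: a delegated prefix is split into sequential /64s, the
# interface takes "$Prefix::1", and with a /48 the remaining /56s can be handed
# to downstream routers.  Prefix values and interface names below are made up.
import ipaddress


def carve_lan_prefixes(delegated, interfaces):
    """Give each LAN interface its own /64 from the delegated prefix, in order.

    Returns {interface: (network, interface_address)} as strings, where the
    interface address is the first host of its /64 (the "$Prefix::1/64" of the
    post).  A /60 or /64 delegation simply yields fewer /64s; a delegation that
    cannot cover every listed interface raises ValueError instead of silently
    numbering two interfaces from the same /64.
    """
    net = ipaddress.IPv6Network(str(delegated))
    if net.prefixlen > 64:
        raise ValueError(f"{net} is smaller than a /64 and cannot number a LAN")
    subnets = net.subnets(new_prefix=64)
    allocation = {}
    for name in interfaces:
        try:
            lan = next(subnets)
        except StopIteration:
            raise ValueError(f"{net} has no /64 left for interface {name}") from None
        gateway = ipaddress.IPv6Interface(f"{lan.network_address + 1}/64")
        allocation[name] = (str(lan), str(gateway))
    return allocation


def downstream_pool(delegated):
    """Optional step 3: from a /48, keep the first /56 for local LANs and yield
    the remaining /56s one by one for downstream routers that request PD.
    Smaller delegations yield nothing, matching the post's /48 assumption."""
    net = ipaddress.IPv6Network(str(delegated))
    if net.prefixlen > 48:
        return iter(())
    blocks = net.subnets(new_prefix=56)
    next(blocks)  # the first /56 is reserved for this CPE's own interfaces
    return blocks


if __name__ == "__main__":
    # Constructed example: the ISP delegates 2001:db8:ab00::/56 over DHCPv6-PD.
    lans = carve_lan_prefixes("2001:db8:ab00::/56", ["internal", "dmz", "guest"])
    for iface, (lan, gw) in lans.items():
        print(f"{iface:9} {lan:24} interface address {gw}")
    # A /48 would additionally leave 255 /56s for downstream routers.
    print("first downstream /56 from a /48:", next(downstream_pool("2001:db8::/48")))
```

Keeping the allocation deterministic (same interface order, same /64 index) matters operationally: firewall address objects and logs keyed on "$Prefix" only stay meaningful if an interface keeps the same offset within the delegation across PPP re-establishments.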
9 REPLIES
emnoc
Esteemed Contributor III

David, have you spoken to your SSE team? If Fortinet gets enough users asking for this feature, then they might put it on the milestone board and maybe 5.2.X will have this as a new feature in the near future. IPv6 DHCP/S and PD has been a weak and sore spot in Fortinet's offering. Why, I really don't know, especially when they have probably the biggest SOHO lineup.

PCNSE 

NSE 

StrongSwan
dhnz
New Contributor

I understand that with the 5.2 release Fortinet have finally "Feature Frozen" their major releases, so I don't anticipate any new features until the 5.4 release. My SE team, and their manager, are all well aware of the request - it's just hard to get any real motivation for a feature when neither Checkpoint, PAN nor Watchguard offer it either.
ede_pfau
Esteemed Contributor III

No chance to have a new feature in 5.2, for all that Fortinet has communicated about 'feature freeze, bug fix only' in the 5.2 line of FortiOS. But it might be incorporated in 5.1 or 5.3 if enough user demand is signalled to Fortinet. So people, open support cases and make a feature request. State that big deals are lost in case this feature is not offered and see how flexible FTN can be.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
noname

I persuaded a company to replace a fully working Linux router with an FGT-92D (with 3-year UTM) in good faith that this 'feature request' would be resolved in FOS 5.4. But it seems IPv6 compatibility isn't a top priority for Fortinet.

So... Almost a year and a half after the OP in this topic - is Fortinet planning FOS support for IPv6CP + DHCPv6-PD?

Sam11123

I have a similar request! I need the DHCPv6 IA_PD option for Comcast to work properly. I paid a ton of money for my FortiGate unit (considering I'm a hardcore home user) and just wanted capable equipment that's fast and reliable with three years of UTM services and support. I assumed by now these routers would be able to run dual stack fairly simply by selecting the options required by the ISP, Comcast in my case, just as in IPv4. I hear a lot of talk about how similar IPv6 is to IPv4... If they are so similar, why doesn't it just work like IPv4? Network gurus at Fortinet can't preconfigure the interfaces for IPv6 as in IPv4? Or do some research and have straightforward guides on exactly how to configure the WAN interface and LAN interface via the GUI or CLI, something concrete that works? I realize there are differences in networks and how interfaces are set up and going to be used, but if that is the problem or complexity of establishing an IPv6 connection set on DHCP on WAN and DHCP on LAN and not having proper connectivity, like IPv4, what's the use? For IPv4, as soon as I hooked up the unit when I received it, the WAN interface set on DHCP was assigned an IP address, the necessary policies were already configured and boom, all the devices in my home, and there are quite a few, were assigned addresses and connecting to the internet! Believe me, I don't say this without having already tried numerous configurations and done tons of reading of all kinds of Fortinet docs and web blogs, forums, IPv6 sites etc. I think for IPv6 to work properly I need the following to be supported by my router.

Brucew wrote:

if your local Comcast system and your cable modem support IPv6 --

- A computer connected directly to the modem should get a /128

- A router that supports IPv6, DHCPv6 and Prefix Delegation (PD) should get a /64 block of addresses.

True plus:

The router's WAN interface will get a /128, the router will get a /64 for the LAN side. If you have a router that supports IA_PD your router can request anything from /64 to /60. So if you have more than 1 LAN interface you can have more /64s.

I personally currently have the IPv6 mode on wan1 set to DHCP. I get a /128 address. With no IA_PD option IPv6 will not work properly. I have all the recommended policies enabled to allow IPv6 traffic flow the best I know how. And believe me, I've played around with this enough to give up on it. My current IPv6 LAN config is below:

config ipv6
    set ip6-allowaccess ping https ssh snmp http fgfm capwap
    set ip6-retrans-time 4000
    set ip6-address fd0b:7186::/64
    set ip6-send-adv enable
        config ip6-prefix-list
            edit fd0b:7186::/64
                set autonomous-flag enable
                set onlink-flag enable
            next
        end
end

As a last resort, with that configuration being my last attempt before completely abandoning IPv6, I decided to turn NAT on for my IPv6 traffic policies and got clients to have some IPv6 connectivity. Why? I've read NAT is not needed for IPv6! But that must pertain to properly configured IPv6 setups. So I can access some sites, not all; browsers prefer, and go to, IPv4 instead of IPv6 unless you specify an IPv6 address. IPv6 test sites, Netalyzr etc., report problems with ICMP filtering which I've tried to disable to fix those errors; then there are DNS errors which I have no idea about, not connecting at all to some sites and always using IPv4 over IPv6 when both are available. I'm sure all the problems that remain are tied to the unsupported IPv6 IA_PD on the FortiGate unit. Sounds like the next update for FortiOS doesn't address any of these issues if I read the release notes correctly. There is one thing we can count on for now though, and that is that IPv4 still works, is easy to set up and automatic on almost all devices and is supported by just about every device.

flathill

On a FortiGate 60E running v5.6.8, I am trying to connect with IPv6 PPPoE and get an address assignment with DHCPv6-PD.

Since there is no answer in this thread, I am asking a question here.

To perform DHCPv6-PD, it is necessary to support the following functions. Are they supported by FortiOS?

- DHCPv6 (RFC3315), DHCPv6-PD (RFC3633)
- Point the default gateway to the address obtained by IPv6CP

Option codes used when obtaining an IPv6 prefix:

- 25: Information about the Identity Association for Prefix Delegation (IA_PD)
- 26: Identity Association for Prefix Delegation prefix (the IPv6 prefix)

Best regards,
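The two DHCPv6 option codes listed in the post (25, IA_PD, and 26, the IA_PD prefix) follow the layout in RFC 3633, and the original post's prefix-delegation request depends on a client decoding exactly these. As an added example that is not FortiOS or forum code, the following Python decodes them from the option area of a DHCPv6 Reply. The Reply bytes are constructed inline (a made-up client-identifier option followed by one IA_PD carrying one delegated prefix), and the parser refuses truncated options rather than reading past the buffer, which is the failure mode a CPE-side decoder most needs to get right.

```python
# Added illustration (not FortiOS or forum code): decode DHCPv6 option 25
# (IA_PD) and option 26 (IA_PD prefix) as laid out in RFC 3633.  The Reply
# option bytes produced by sample_reply_options() are constructed by hand.
import ipaddress
import struct

OPTION_CLIENTID = 1       # RFC 3315
OPTION_STATUS_CODE = 13   # RFC 3315; inside an IA_PD, 6 = NoPrefixAvail (RFC 3633)
OPTION_IA_PD = 25         # RFC 3633: IAID(4) T1(4) T2(4) + IA_PD-options
OPTION_IAPREFIX = 26      # RFC 3633: preferred(4) valid(4) prefix-length(1) prefix(16)


def iter_options(buf):
    """Yield (code, data) for each TLV option in buf.

    Raises ValueError if an option's declared length runs past the end of the
    buffer, so a truncated or malformed Reply is rejected instead of yielding a
    partial prefix."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"option {code} declares {length} bytes past end of buffer")
        yield code, buf[off:off + length]
        off += length


def parse_ia_pd(data):
    """Decode one IA_PD option body into its IAID, timers, status and prefixes."""
    if len(data) < 12:
        raise ValueError("IA_PD body shorter than IAID/T1/T2")
    iaid, t1, t2 = struct.unpack_from("!III", data, 0)
    result = {"iaid": iaid, "t1": t1, "t2": t2, "status": 0, "prefixes": []}
    for code, body in iter_options(data[12:]):
        if code == OPTION_IAPREFIX:
            if len(body) < 25:
                raise ValueError("IA_PD prefix option shorter than 25 bytes")
            preferred, valid, plen = struct.unpack_from("!IIB", body, 0)
            if not 0 < plen <= 128:
                raise ValueError(f"invalid delegated prefix length {plen}")
            addr = ipaddress.IPv6Address(body[9:25])
            net = ipaddress.IPv6Network((addr, plen), strict=False)
            result["prefixes"].append(
                {"prefix": str(net), "preferred": preferred, "valid": valid})
        elif code == OPTION_STATUS_CODE and len(body) >= 2:
            # Absence of a status code means success; non-zero means the server
            # declined the delegation and no prefix should be installed.
            result["status"] = struct.unpack_from("!H", body, 0)[0]
    return result


def delegated_prefixes(reply_options):
    """Return every delegated prefix (as a string) found in a Reply option area."""
    found = []
    for code, body in iter_options(reply_options):
        if code == OPTION_IA_PD:
            ia = parse_ia_pd(body)
            if ia["status"] == 0:
                found.extend(p["prefix"] for p in ia["prefixes"])
    return found


def build_option(code, body):
    """Encode one DHCPv6 TLV option."""
    return struct.pack("!HH", code, len(body)) + body


def sample_reply_options():
    """Constructed Reply option area delegating 2001:db8:ab00::/56 for IAID 1."""
    prefix = ipaddress.IPv6Address("2001:db8:ab00::").packed
    iaprefix = build_option(OPTION_IAPREFIX,
                            struct.pack("!IIB", 3600, 7200, 56) + prefix)
    ia_pd_body = struct.pack("!III", 1, 1800, 2880) + iaprefix
    # An unrelated option first, to show the decoder skipping TLVs it does not need.
    client_id = build_option(OPTION_CLIENTID, b"\x00\x01\x00\x01")
    return client_id + build_option(OPTION_IA_PD, ia_pd_body)


if __name__ == "__main__":
    print("delegated:", delegated_prefixes(sample_reply_options()))
```

The valid and preferred lifetimes are returned alongside the prefix because a CPE must withdraw the delegated /64s from its LAN interfaces when the valid lifetime expires without renewal; silently keeping a stale prefix is how hosts end up with addresses the ISP has already re-delegated elsewhere.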

andrewbailey

flathill,

I had a look at this topic some time back with support. I think the functionality you need was added to the 5.6 release. Here's the response I had from support at the time:

Dear Andy, I may have some good news. It seems that with the support of multiple PPPoE connections on a single interface that has been added to 5.6 we can now configure DHCPv6 client mode on a PPPoE interface. It could be configured like this:

config system pppoe-interface
    edit pppoe1
        set ipv6 enable
        set device port4
        ...
    next
end
config system interface
    edit pppoe1
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
        end
    next
end

With that configuration you will be able to send a DHCPv6 IA_NA request over the pppoe1 interface. Also with that configuration, pppoe1 will be considered as a physical interface, so you will have firewall policies etc. as on the other interfaces.

#################################

I'm still using this config in the 6.2.X releases and it certainly seems to work OK. The PPPoE interface becomes a logical interface from whichever port you are using (in my case in the above CLI snippet it was port4 on an FGT-80D).

I hope that helps.

Kind Regards,

Andy.

SMabille

Hi, I had to upgrade to 6.0.x to finally get this working. There is a major change with the creation of a PPPoX profile separate from the interface and the need to move the IPv6 section there, then assign the PPP profile to the interface (or the other way round?). Let me know if you need more details/config sample. Stephane.
flathill

Andy, thank you for the advice. When the interface was set up based on the advice and the IPv6 default route was set to the pppoe1 interface, IPv6CP and DHCPv6-PD operated, and connection to the IPv6 Internet became possible.

Best Regards,
