bcjenkins

IPv6 Internet access won't work without NAT using DHCP6-PD

Greetings,

I have a FortiGate 100D set up for TimeWarner Cable Internet. With the following settings, my inside devices will pull an IP from TWC, but they cannot get out to the Internet. I am able to ping the WAN interface, but not the LAN.

config system interface
  edit "wan1"
    set vdom "root"
    set mode dhcp
    set vlanforward enable
    set type physical
    set role wan
    set snmp-index 2
    config ipv6
      set ip6-mode dhcp
      set dhcp6-prefix-delegation enable
    end
    set dns-server-override disable
  next
  edit "lan"
    set vdom "root"
    set ip 192.168.1.1 255.255.255.0
    set allowaccess ping https ssh
    set vlanforward enable
    set type hard-switch
    set role lan
    set snmp-index 1
    config ipv6
      set ip6-mode delegated
      set ip6-send-adv enable
      set ip6-upstream-interface "wan1"
      set ip6-subnet ::1:0:0:0:1/64
      config ip6-delegated-prefix-list
        edit 1
          set upstream-interface "wan1"
          set autonomous-flag enable
          set onlink-flag enable
          set subnet 0:0:0:100::/64
        next
      end
    end
  next
end

I have an IPv6 policy which allows all LAN to go to WAN. If I enable NAT in the policy, access works. Has anyone been able to use TWC Internet with DHCP6-PD without a NAT?

Thanks

bcjenkins

In the end, the issue boiled down to me blindly following the instructions from the handbook without fully understanding what was going on. Once I adjusted the subnets *and* created a policy to allow the necessary ICMP6 traffic through, IPv6 is now working with prefix delegation on TimeWarner Cable.

Pages 34-35 of this document have the basics - http://docs.fortinet.com/uploaded/files/2712/fortigate-ipv6-54.pdf

I had to modify the subnets to work properly:

config system interface
    edit "wan1"
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping https ssh capwap
            set dhcp6-prefix-delegation enable
        end
    next
    edit "lan"
        config ipv6
            set ip6-mode delegated
            set ip6-send-adv enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end
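
An added example, not part of the original post or of Fortinet's documentation: a Python check of whether the subnet values from the two configurations above fit inside a delegated prefix. The thread does not say what prefix size TWC delegated, so the prefixes are constructed from the 2001:db8::/32 documentation range, and OR-ing the configured bits into the delegated prefix is an assumption about how the two are combined.

```python
import ipaddress

def check_delegated_subnet(delegated, template):
    """Check a LAN subnet template against a delegated prefix.

    Assumption (not stated in the thread): the template's network bits are
    OR-ed into the delegated prefix, so they may only occupy the subnet-ID
    bits between the delegated prefix length and the LAN prefix length.
    """
    pd = ipaddress.IPv6Network(delegated)
    tmpl = ipaddress.IPv6Interface(template)  # accepts host bits, e.g. ::1/64
    lan_len = tmpl.network.prefixlen
    if lan_len < pd.prefixlen:
        raise ValueError("LAN prefix cannot be shorter than the delegation")
    tmpl_bits = int(tmpl.network.network_address)
    overlap = tmpl_bits & int(pd.netmask)       # bits colliding with ISP prefix
    subnet_bits = tmpl_bits & int(pd.hostmask)  # bits usable as subnet ID
    lan = ipaddress.IPv6Network(
        (int(pd.network_address) | subnet_bits, lan_len))
    return {
        "fits": overlap == 0,
        "subnet_id": subnet_bits >> (128 - lan_len),
        "lan_prefix": str(lan),
    }

if __name__ == "__main__":
    # Constructed delegations from the 2001:db8::/32 documentation range.
    delegations = ["2001:db8:1234::/48", "2001:db8:1234:5600::/56",
                   "2001:db8:1234:5678::/64"]
    # Subnet values taken from the two configurations in this thread.
    templates = ["0:0:0:100::/64", "::1:0:0:0:1/64", "::/64", "::1/64"]
    for d in delegations:
        for t in templates:
            r = check_delegated_subnet(d, t)
            status = "ok" if r["fits"] else "COLLIDES"
            print(f"{d:26} {t:16} {status:9} {r['lan_prefix']}")
```

Under these assumptions, only the all-zero subnet values fit every delegation size, including a single /64; a non-zero value needs a delegation short enough to leave those bits free.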

bcjenkins

As an update, I am also able to supply my own DNS6 server since TWC is not. Now running 5.6.

Use the following for OpenDNS:

config system dhcp6 server
    edit 1
        set interface "lan"
        set dns-server1 2620:0:ccc::2
        set dns-server2 2620:0:ccd::2
    next
end

Google's DNS:

config system dhcp6 server
    edit 1
        set interface "lan"
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::8844
    next
end

michaelbazy_FTNT

Congrats on solving that one! And a big thanks for all the guys that will encounter the same issue as you! :)

Routing in IPv6 can be a bit unsettling when you're not used to it!

I'm operating by "Crocker's Rules"