Support Forum
michael_holloway
New Contributor

IPv6 DHCP-DP testing in KVM environment

Hi all!

 

Background, I need to deploy IPv6 in production pretty soon, so I have been trying to test in KVM since I have no site that actually has IPv6. I have spent days reading up on IPv6, and searching Fortigate specific tutorials etc, but I am at a loss at what I think should be a fairly simple thing to do. There seem to be a lot of similar posts, but nothing here seems to solve my problem (a lot of them have passed where I am!) I am probably missing something fundamental. Any help would be greatly appreciated! It may be something Fortigate or IPv6 related that I am overlooking!

 

I have two networks in my environment. The first has IPv4 and IPv6 configuration which routes to the host machine, which I connect the FGT_VM port1 "wan" interface to. I am able to communicate between host and FGT_VM over IPv4 and IPv6. (Note that I don't have IPv6 LAN in this office so it ends at the virtual network.) This network has the below IPv6 config in libvirt. The second interface has no configuration, and is connected to port2 and a VM. If I enable IPv4 on the FGT and VM, then they connect fine.

<ip family='ipv6' address='fd9b:91bb:fd26:e188::1' prefix='64'>
  <dhcp>
    <range start='fd9b:91bb:fd26:e188::100' end='fd9b:91bb:fd26:e188::1ff'/>
  </dhcp>
</ip>

 

Trying to get the delegated prefix configuration... from a factory reset, I configure only port1 (wan) and port2 (lan) on the FGT_VM

FortiGate-VM64-KVM # show system interface
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.122.30 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
        config ipv6
            set ip6-address fd9b:91bb:fd26:e188::4/64
            set ip6-allowaccess ping ssh http
            set dhcp6-prefix-delegation enable
        end
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 2
        config ipv6
            set ip6-mode delegated
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-upstream-interface "port1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "port1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end

I have tweaked a lot of these settings a lot, based on various sources on the internet including https://docs.fortinet.com/document/fortigate/6.0.6/handbook/800956/dhcpv6, but at no point does port2 ever obtain an IP address. I thought the ip6-subnet of ::1/64 was conflicting with the libvirt IP, so changed this to various values, and also the ip6-delegated-prefix-list subnet, to no avail. Port2 just won't take.

FortiGate-VM64-KVM # diagnose ipv6 address list
dev=3 devname=port1 flag=P scope=0 prefix=64 addr=fd9b:91bb:fd26:e188::4 preferred=4294967295 valid=4294967295
dev=3 devname=port1 flag=P scope=253 prefix=64 addr=fe80::5054:ff:fef8:8ec2 preferred=4294967295 valid=4294967295
dev=5 devname=root flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295
dev=7 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295
dev=9 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1 preferred=4294967295 valid=4294967295

 

Not that I think it's required at this stage, but I have also set routes, configured a DHCP6 server, and allow-all policies, all to no avail.

FortiGate-VM64-KVM # show system dhcp6 server
config system dhcp6 server
    edit 1
        set dns-service delegated
        set subnet 0:0:0:102::/64
        set interface "port2"
        set upstream-interface "port1"
        set ip-mode delegated
    next
end

 

If anyone can point out what I'm missing, I would greatly appreciate this! :) Thanks!

michael_holloway
New Contributor

UPDATE:

So I reckon I misunderstood a fundamental here. I'm still testing, but I believe the problem is that prefix delegation is used for PPPoE and/or DHCP WAN connections, not STATIC as I am using here. I am playing around with this now, seems to be working, will confirm...

michael_holloway

So this appears to work now. I am not using delegated-prefix, only static, with the LAN using the next subnet id (4673 instead of 4672 on WAN). Full [relevant] config below. I am happy that this all works now, but my only remaining question is (if anyone has read this far): should the LAN devices have a Global Unicast Address, or should they also have a Unique Local Address?

 

I plan to share my experience here as a tutorial (full KVM IPv6 + Fortigate) as I have found it very difficult to make sense of the IPv6 world and apply it here! Hopefully this will help others.

 

The config, for reference.

config system interface
    edit port1
        config ipv6
            set ip6-address fde3:896b:9288:4672::2/64
            set ip6-allowaccess ping ssh http
        end
    next
    edit port2
        config ipv6
            set ip6-mode static
            set ip6-address fde3:896b:9288:4673::1/64
            set ip6-allowaccess ping ssh http
            set ip6-send-adv enable
            config ip6-prefix-list
                edit fde3:896b:9288:4673::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

config router static6
    edit 1
        set gateway fde3:896b:9288:4672::1
        set device "port1"
    next
end

config system dhcp6 server
    edit 1
        set interface "port2"
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::8844
    next
end

config firewall policy6
    edit 1
        set name "AllowAllOut6"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "AllowAllIn6"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING6" "SSH"
    next
end
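Added example (not from the post or from Fortinet): a standard-library Python check of the addressing plan in the working config above. It derives the next /64 from the WAN prefix the way the post does (4672 to 4673), classifies each address as GUA or ULA for the closing question, and flags the combination that failed in the first attempt (a delegated LAN behind a static WAN). The /48 site length and the function names are assumptions.

```python
import ipaddress

# Values taken from the working config in the post above; the /48 site
# prefix length and the helper names are assumptions for this example.
WAN_IF = "fde3:896b:9288:4672::2/64"
LAN_IF = "fde3:896b:9288:4673::1/64"
RA_PREFIX = "fde3:896b:9288:4673::/64"

def addr_kind(cidr):
    """Classify an address: GUA (2000::/3), ULA (fc00::/7), link-local or other."""
    addr = ipaddress.IPv6Interface(cidr).ip
    if addr.is_link_local:
        return "link-local"
    if addr in ipaddress.IPv6Network("fc00::/7"):
        return "ULA"
    if addr in ipaddress.IPv6Network("2000::/3"):
        return "GUA"
    return "other"

def next_lan_prefix(wan_cidr, site_len=48):
    """The /64 following the WAN /64 inside the same site prefix (4672 -> 4673)."""
    wan = ipaddress.IPv6Interface(wan_cidr).network
    site = wan.supernet(new_prefix=site_len)
    nxt = ipaddress.IPv6Network((int(wan.network_address) + (1 << 64), 64))
    if not nxt.subnet_of(site):
        raise ValueError("no free /64 after the WAN prefix inside %s" % site)
    return nxt

def check_plan(wan_cidr, lan_cidr, ra_prefix, wan_mode="static", lan_mode="static"):
    """Return the list of addressing-plan problems; an empty list means consistent."""
    wan = ipaddress.IPv6Interface(wan_cidr).network
    lan = ipaddress.IPv6Interface(lan_cidr).network
    problems = []
    # The thread's root cause: ip6-mode delegated hands out a prefix learned
    # via DHCPv6-PD (or PPPoE) on the upstream; a static WAN learns none.
    if lan_mode == "delegated" and wan_mode == "static":
        problems.append("delegated LAN mode needs a DHCPv6-PD or PPPoE upstream, not a static WAN")
    if wan.overlaps(lan):
        problems.append("WAN and LAN use the same /64; the RA prefix would collide with the upstream")
    if ipaddress.IPv6Network(ra_prefix) != lan:
        problems.append("RA prefix-list entry does not match the LAN interface's /64")
    if addr_kind(lan_cidr) == "ULA":
        # For the closing question: ULA is not routed on the internet, so
        # clients also need a GUA prefix (or NPTv6) for global reachability.
        problems.append("note: LAN advertises only ULA; clients also need a GUA prefix (or NPTv6) to reach the internet")
    return problems
```

Running `check_plan` with the first post's addresses and `lan_mode="delegated"` reproduces the failing combination as the first reported problem.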

emnoc
Esteemed Contributor III

Good job.

PCNSE NSE StrongSwan