micahawitt
2020/04/16 07:20:12 (permalink)
0

IPV6

Forgive if this is loaded somewhere else.
 
I'm running into a snag here.  I am currently on Spectrum and getting a /128 from them, according to my WAN1 interface.
 
I am trying to get the DHCP to pass through to my clients on a VLAN; anyone have any luck with this?
#1
mjcrevier
Re: IPV6 2020/04/16 11:48:52 (permalink)
0
Do a search on configuring IPv6 prefix-delegation on your Fortigate.
#2
emnoc
Re: IPV6 2020/04/16 12:28:33 (permalink)
0
You need a FortiOS version that supports IPv6 PD, and what is the service provider giving you (e.g. a /48)?
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#3
lobstercreed
Re: IPV6 2020/04/16 19:53:50 (permalink)
3 (1)
Hey Micah,
 
I've actually done this successfully with Spectrum.  This is where I found the most help: https://www.reddit.com/r/fortinet/comments/4p74xi/541_and_dhcpv6pd_prefix_hint/
 
Here is what I ended up configuring (single LAN for now).  On my WAN interface:
 
edit "wan1"
        set mode dhcp
        set alias "Charter"
        set role wan
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping https
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/56
        end
    next

 
Then on my internal interface:
 

 
        config ipv6
            set ip6-mode delegated
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet 0:0:0:1::/64
                next
            end
        end

 
 
 Hope it helps!  - Daniel
#4
micahawitt
Re: IPV6 2020/04/17 11:01:57 (permalink)
0
I have a Fortigate 60F running 6.2.3
 
I "think" they are handing out a /64; the FortiGate right now shows a /128.  From what I have read, the FortiGate will always show that.
 
Another thing I noticed is that Daniel has the following:
 
edit 1
set upstream-interface "wan1"
set autonomous-flag enable
set onlink-flag enable
set subnet 0:0:0:1::/64
 
When I paste that in, the autonomous and onlink CLI disappear.
#5
emnoc
Re: IPV6 2020/04/17 13:19:22 (permalink) ☄ Helpful by lobstercreed 2020/04/19 12:26:56
0
Did you speak with your provider? They will tell you what size prefix is being delegated, typically /48 or /56, and then you configure the FortiGate for the IPv6 delegation on the WAN and you pass a prefix in that delegation to your inside LANs.
 
e.g
 
config system interface
    edit "wan1"
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint 2001:db8:44::/56
        end
    next
end
 
 
Once you have the assignment, you use SLAAC on your internal LANs for assignments of the /64 to the host machines.
 
config system interface
    edit "port1"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ssh ping https
            set ip6-upstream-interface "wan1"
        end
    next
end
 
Yes, it's really that easy. You need to speak to your ISP.
 
Ken Felix
 
 
 

PCNSE 
NSE 
StrongSwan  
#6
micahawitt
Re: IPV6 2020/04/17 20:11:39 (permalink)
0
Well.
 
I called Spectrum. The first person I talked to said since I have my own firewall, they can't log in and see what I'm getting for a prefix.  I then told her that they should know what they are handing out; there is no need to log into my device.  She then stated they had to in order to see, since multiple firewalls give different prefixes.  I then asked for a manager.  He then told me the same thing.  I tried to explain this in IPv4 terms, and he seemed to understand, but he then came up with, we don't know and they don't deal with those types of issues.  I then asked to talk to his supervisor, and I was told they're just busy right now, maybe call later.
 
I realized I would not be getting a call back; I will try tomorrow.
#7
emnoc
Re: IPV6 2020/04/18 03:01:48 (permalink)
0
It sounds like you're up a creek with no paddle. If you think you have IPV6-DHCP, you can look at your IPv6 routing table and that will show you what you are being assigned. Sounds like you do not have IPv6 since you mentioned a /128 earlier.
 
What is your WAN interface configured as (is it static ip6 or mode dhcp6)? That would be a start and a clue as to where you are at.
 
If you have a Linux or Windows host, you could maybe configure it as a dhcp6 client and grab the details: 1> that dhcp6 is being used, 2> which one of the 100s or 1000s of IPv6 assignments that Spectrum uses.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#8
micahawitt
Re: IPV6 2020/04/18 05:02:57 (permalink)
0
I did some more digging. When I hook up a laptop direct, I do not get an IPv6 address with that either.  So, I'll be calling again to see what's up.
 
Once I can get that going, I can start seeing about the rest.  My head already hurts in having to call them.
#9
micahawitt
Re: IPV6 2020/04/18 06:18:49 (permalink)
0
We have good news, it's a ::/56
#10
micahawitt
Re: IPV6 2020/04/18 06:58:41 (permalink)
0
So here is the latest: neither WAN config above is getting me an IPv6 address on my FortiGate; it keeps getting a /128 as it shows.
 
With that though, I am able to get IPv6 on my laptop if I hook directly.
#11
lobstercreed
Re: IPV6 2020/04/19 12:33:44 (permalink)
0
Micah,
 
I should emphasize that in my experience your FortiGate will not get anything larger than a /128 by design.  If you're looking for that to change, you're looking in the wrong place. 
 
The way delegation works is that it gives you a prefix to work with for your downstream networks.  The exact config commands I gave above worked fine for me as you can see in this screenshot:
 

 
(Though I ended up tweaking my downstream a bit and am using two /60 for reasons that go way beyond the scope of this.)
 
- Daniel

Attached Image(s)

#12
micahawitt
Re: IPV6 2020/04/20 05:51:05 (permalink)
0
It's not that I care that it's a /128, I just want it to work.  I know that if I hook up my laptop it does work. Trying to get the FortiGate is another issue.
 
I have set my config verbatim to what you have listed.
 

 
When I go to test-ipv6.com or whatismyip.com, it's not even picking up an IPv6 address on my WAN interface, it seems, as it doesn't show one.

Attached Image(s)

#13
Thiudans
Re: IPV6 2020/07/03 06:04:52 (permalink)
0
Hello everyone,
 
Brand new to this forum and brand new to Fortinet.
 
Regarding the /128 on the outside interface. That is a gateway address to route to the prefix(es) behind your firewall via router advertisement daemon (radvss I think).
 
I worked on getting IPv6 working on my firewall for two days or so, it took me a bit but everything is fine now. Here are my interface configs -- I am using SLAAC, not DHCPv6 though. You can see if you are delegating properly by typing in 
 
diagnose ipv6 address list

 
If you see ipv6 addresses on your interface(s), you are successfully delegating and you will have your prefix.
 
I actually opened a ticket with support and there is no concise way to get your prefix!
 
In any case, here is my interface config:
 
edit "XXXX"
        set vdom "root"
        set ip RFC-1918.254 255.255.255.0
        set allowaccess ping https ssh snmp http
        set type hard-switch
        set device-identification enable
        set role lan
        set snmp-index 4
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan"
            set ip6-subnet ::55:0:0:0:ffff/64
            config ip6-delegated-prefix-list
                edit 6
                    set upstream-interface "wan"
                    set subnet 0:0:0:55::/64
                    set rdnss-service default
                next
            end
        end
 

 
My wan:
 
edit "wan"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/56
        end
        set dns-server-override disable

 
I am using Spectrum. 
 
With a /56, the last 2 HEX numbers are my network addresses, so the delegated interface above is the 5th network, out of 256 networks. Incidentally, if Spectrum ever changes the prefix, this should automatically propagate to your interfaces and clients.
 
 
 
#14
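The subnet arithmetic discussed in this thread, as an added example that is not part of any poster's configuration: it combines a delegated prefix with a subnet template such as `0:0:0:55::/64` and rejects a subnet ID that does not fit in the delegation (for instance when only a /64 is delegated). The prefix `2001:db8:4400::/56` is a constructed documentation value, the function names are hypothetical, and OR-ing the template bits into the delegated prefix is an assumption about how the template is applied.

```python
import ipaddress


def available_64s(delegated: str) -> int:
    """Number of /64 LANs that fit inside the delegated prefix."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64; no LAN can be carved out")
    return 2 ** (64 - pd.prefixlen)


def delegated_subnet(delegated: str, template: str) -> ipaddress.IPv6Network:
    """Combine a delegated prefix with a subnet template (e.g. 0:0:0:55::/64).

    Assumption: the template's non-zero bits are the subnet ID and are OR-ed
    into the delegated prefix, so they must not overlap the prefix bits.
    """
    pd = ipaddress.IPv6Network(delegated)
    tpl = ipaddress.IPv6Network(template)
    if tpl.prefixlen < pd.prefixlen:
        raise ValueError(f"template /{tpl.prefixlen} is wider than {pd}")
    subnet_bits = int(tpl.network_address)
    # Any template bit inside the ISP-owned part of the address is an error:
    # the subnet ID is too large for the space the delegation leaves free.
    if subnet_bits & int(pd.netmask):
        raise ValueError(f"subnet ID in {tpl} does not fit inside {pd}")
    return ipaddress.IPv6Network(
        (int(pd.network_address) | subnet_bits, tpl.prefixlen)
    )


if __name__ == "__main__":
    pd = "2001:db8:4400::/56"  # constructed documentation prefix
    print(available_64s(pd), "possible /64 networks")
    for tpl in ("0:0:0:1::/64", "0:0:0:55::/64"):
        print(tpl, "->", delegated_subnet(pd, tpl))
    try:
        # Only a /64 delegated: there is no room left for subnet ID 1.
        delegated_subnet("2001:db8:4400:1200::/64", "0:0:0:1::/64")
    except ValueError as err:
        print("rejected:", err)
```
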