Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
micahawitt
New Contributor III

IPV6

Forgive if this is loaded somewhere else.

 

I'm running into a snag here.  I am currently on Spectrum and getting a /128 from them.  According to my WAN1 interface.  

 

I am trying to get the DHCP to passthrough to my clients on a vlan, anyone have any luck with this?

1 Solution
emnoc
Esteemed Contributor III

Did you speak with your provider? They will tell you what size prefix is belng delegated , typically /48 or /56 and then you configure the fortigate for the ipv6 delegation on the wan and you pass a prefix in that delegation to your inside lans

 

e.g

 

config sys inteface

     edit wan1

        config ipv6

          set ipv6 dhcp-prefix-delegation enable

          set dhcp6-prefix-hint 2001:db8:44 /56

end

 

 

 Once you have the assignment, you use slacc on your internal lans for assignments of the /64 to the hosts machines.

 

   config sys int 

       edit port1

           config ipv6

                  set ip6-allowaccess ssh ping https

                  set ip6-mode delegate

                  set ip6-upstream wan1

      end

 

Yes it's really that easy you need to speak to your ISP

 

Ken Felix

 

 

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
13 REPLIES 13
mjcrevier
New Contributor III

Do a search on configuring IPv6 prefix-delegation on your Fortigate.

emnoc
Esteemed Contributor III

You need a fortiOS version that support IPV6PD and what is the service provider giving you ( e.g a /48 ) ?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
lobstercreed
Valued Contributor

Hey Micah,

 

I've actually done this successfully with Spectrum.  This is where I found the most help: https://www.reddit.com/r/fortinet/comments/4p74xi/541_and_dhcpv6pd_prefix_hint/

 

Here is what I ended up configuring (single LAN for now).  On my WAN interface:

 

edit "wan1"
        set mode dhcp
        set alias "Charter"
        set role wan
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping https
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/56
        end
    next

 

Then on my internal interface:

 


 
 config ipv6
            set ip6-mode delegated
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet 0:0:0:1::/64
                next
            end
       end

 

 

 Hope it helps!  - Daniel

micahawitt

I have a Fortigate 60F running 6.2.3

 

I "think" they are handing out a /64, the fortigate right now shows a /128.  From what i have ready, the fortigate will always show that.  

 

Another thing i noticed, is that Daniel has the following - 

 

edit 1 set upstream-interface "wan1" set autonomous-flag enable set onlink-flag enable set subnet 0:0:0:1::/64

 

When i paste that in, the autonomous and onlink CLI disappear.

emnoc
Esteemed Contributor III

Did you speak with your provider? They will tell you what size prefix is belng delegated , typically /48 or /56 and then you configure the fortigate for the ipv6 delegation on the wan and you pass a prefix in that delegation to your inside lans

 

e.g

 

config sys inteface

     edit wan1

        config ipv6

          set ipv6 dhcp-prefix-delegation enable

          set dhcp6-prefix-hint 2001:db8:44 /56

end

 

 

 Once you have the assignment, you use slacc on your internal lans for assignments of the /64 to the hosts machines.

 

   config sys int 

       edit port1

           config ipv6

                  set ip6-allowaccess ssh ping https

                  set ip6-mode delegate

                  set ip6-upstream wan1

      end

 

Yes it's really that easy you need to speak to your ISP

 

Ken Felix

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
micahawitt
New Contributor III

Well.

 

I called Spectrum, the first person i talked to said since i have my own firewall, they cant log in and see what im getting for a prefix.  I then told her, that they should know what they are handing out.  there is no need to log into my device.  She then stated they had to in order to see, since multiple firewalls give different prefixes.  I then asked for a manager.  He then told me the same thing.  I tried to explain this in ipv4 terms, and he seemed to understand, but he then came up with, we don't know and they don't deal with those types of issues.  I then asked to talk to his supervisor, which i was told there just busy right now, maybe  call later.

 

I realized i would not be getting a call back, i will try tomorrow.

emnoc
Esteemed Contributor III

It sound like your up a creek with no paddle. if you think you have IPV6-DHCP, you can look at your ipv6 routing table and that will show you want you are being assigned. Sounds like you do not have ipv6 since you mention a /128 earlier.

 

What is your wan interface cfg as ( is it static ip6 or mode dhcp6 ) that would be a start and a clue as to where you are at.

 

If you have a linux or window host, you could maybe config it for dhcp6-client and grab the details that 1> dhcp6 is being used 2> what one of the 100s or 1000s ipv6 assignment that spectrum uses.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
micahawitt
New Contributor III

I did some more digging, when i hook up a laptop direct, i do not get an IPV6 address with that either.  So, ill be calling again to see whats up.

 

Once i can get that going, i can start seeing about the rest.  My head already hurts in having to call them

micahawitt

we have good news, its a ::/56

Labels
Top Kudoed Authors