Johannes Weber – Weberblog.net

Dual-Stack PPPoE on a FortiGate Firewall


You can use a FortiGate to connect to the Internet (that is: Dual-Stack!) directly in various ways. In my current setup, I’m using a PPPoE residential xDSL connection. It’s not that easy to configure everything correctly since it requires the use of many different protocols such as PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. But here it is:

Please refer to this post about DHCPv6-PD in general and this one about configuring DHCPv6-PD on a FortiGate. I’m using a FortiGate FG-60F with FortiOS 7.6.1, which is connected through a DrayTek Vigor167 modem to the German ISP “Deutsche Telekom” on wan1. No VLAN configuration is needed since the DSL modem already encapsulates the traffic within VLAN 7 on the ISP side.

The technical steps work as follows:

  • the FortiGate connects to and authenticates with the ISP’s router via PPPoE
  • it gets the single IPv4 address from the ISP via PPP IPCP
  • for IPv6, the FortiGate
    1. generates its own “wan1” IPv6 address via SLAAC (autoconf),
    2. uses DHCPv6-PD to get an IPv6 prefix from the ISP,
    3. and must offer SLAAC on the “internal” interface for its clients with one /64 out of this delegated prefix. <- This is the tricky part because you have to use the correct “delegated-prefix-iaid” IDs along with the correct flags for the RA (neither the M- nor the O-flag within the RA, but the L- and A-flags for the prefix option).
  • At least in FortiOS 7.6.1, there is a bug in which the FortiGate does not reply to RSs with RAs. That is: Your clients won’t get any IPv6 GUA address until the first RA that is sent regularly by the Forti is received by those clients. As a workaround, I’ve set the min- and max-interval values to 10 and 30 seconds, respectively. Staying with the defaults, which are way higher (600 seconds = 10 minutes), clients would have to wait really long until IPv6 is up and running.
  • Another bug is related to the output of the routing table for IPv6 since it does not show the default route that is gathered from the RA on the wan1 interface. Funnily, this is only true for the “get router info6 routing-table” but not for the “diagnose ipv6 route list” output.

Side note: Unfortunately, we don’t have static IP addresses nor static IPv6 subnets on most German residential ISPs. Hence, after every DSL reconnect or firewall reboot, we’ll get new public IPv4/IPv6 addresses along with a new IPv6 prefix. 🤦

A little GUI, please

As always when using IPv6 on the FortiGates, very little can be done through the GUI. (This is a major drawback compared to a Palo Alto Networks firewall, where you can configure everything through the GUI perfectly.) At least you can configure the PPPoE username/password, which is used for legacy IP and for IPv6 as well. Nice. Note the “IAPD 5 prefix hint” which is used by default on this FortiOS version. I’ve no idea why Fortinet has chosen the “5” as the default ID, but never mind.

Some more CLI, unfortunately

The big magic is done via these CLI commands. Good luck. ;) It was really hard to find out the correct values for all those commands, especially the “set ip6-subnet ::1/64” for the internal interface versus the “set subnet ::/64” for the ip6-delegated-prefix-list, and so on.

config system interface
    edit "wan1"
        set vdom "root"
        set mode pppoe
        set allowaccess ping
        set role wan
        config ipv6
            set ip6-mode pppoe
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set autoconf enable
            config dhcp6-iapd-list
                edit 5
                next
            end
        end
        set username "001234567890#098765432123#0001@t-online.de"
        set password ENC ThisIsNotMyRealPasswordOfCourse//
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fabric
        set role lan
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            set ip6-max-interval 30
            set ip6-min-interval 10
            set ip6-delegated-prefix-iaid 5
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set delegated-prefix-iaid 5
                    set subnet ::/64
                    set rdnss-service delegated
                next
            end
        end
    next
end
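To make the two subnet values and the RA flag requirement concrete, here is an added Python example (my own, not the post’s or Fortinet’s code). It models what “set subnet ::/64” and “set ip6-subnet ::1/64” mean in delegated mode by combining them with a /56 delegation, then builds a Router Advertisement with one Prefix Information option plus an RDNSS option and checks it against the rule from the list above: no M- and no O-flag, but L and A set on the prefix. The /56 value is a constructed example in the same range as the post’s screenshots; the modelling of FortiOS’s internal prefix arithmetic is an assumption based on the observed behaviour, not Fortinet documentation.

```python
import ipaddress
import struct

# Constructed example value (not taken from the post's capture): a /56 handed
# out by the ISP via DHCPv6-PD.
DELEGATED_PREFIX = "2003:c6:af35:ed00::/56"


def derive_lan_ipv6(delegated, subnet="::/64", ip6_subnet="::1/64"):
    """Assumed model of FortiOS 'delegated' mode: 'subnet' (from the
    ip6-delegated-prefix-list) selects which /64 of the delegation is advertised,
    'ip6-subnet' gives the interface's own address inside that /64.
    Returns (advertised_network, interface_address)."""
    pd = ipaddress.IPv6Network(delegated)
    sub = ipaddress.IPv6Network(subnet)            # e.g. ::/64 or 0:0:0:ff::/64
    host = ipaddress.IPv6Interface(ip6_subnet)     # e.g. ::1/64
    sub_id = int(sub.network_address)
    if sub_id & int(pd.netmask):
        raise ValueError("subnet ID overlaps the bits owned by the delegation")
    if sub.prefixlen <= pd.prefixlen:
        raise ValueError("advertised prefix must be longer than the delegation")
    adv_int = int(pd.network_address) | sub_id
    advertised = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(adv_int)}/{sub.prefixlen}")
    host_bits = int(host.ip) & int(host.network.hostmask)   # ::1/64 -> 1
    iface = ipaddress.IPv6Interface(
        f"{ipaddress.IPv6Address(adv_int | host_bits)}/{sub.prefixlen}")
    return advertised, iface


def build_ra(prefix, m=False, o=False, l_flag=True, a_flag=True, rdnss=(),
             router_lifetime=1800):
    """Build an ICMPv6 Router Advertisement (RFC 4861) carrying one Prefix
    Information option and, optionally, an RDNSS option (RFC 8106).
    Checksum stays zero: this is a test vector for the parser, not wire traffic."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    pkt = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, router_lifetime, 0, 0)
    pflags = (0x80 if l_flag else 0) | (0x40 if a_flag else 0)
    # type 3, length 4 (32 bytes): prefixlen, flags, valid, preferred, reserved, prefix
    pkt += struct.pack("!BBBBIII", 3, 4, prefix.prefixlen, pflags, 2592000, 604800, 0)
    pkt += prefix.network_address.packed
    if rdnss:
        # type 25, length in 8-octet units: 8-byte header + 16 bytes per server
        pkt += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, 3 * router_lifetime)
        for srv in rdnss:
            pkt += ipaddress.IPv6Address(srv).packed
    return pkt


def check_ra(pkt):
    """Parse an RA and return the fields relevant for SLAAC-only operation."""
    if len(pkt) < 16 or pkt[0] != 134 or pkt[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags = pkt[5]
    router_lifetime = struct.unpack("!H", pkt[6:8])[0]
    info = {"M": bool(flags & 0x80), "O": bool(flags & 0x40),
            "router_lifetime": router_lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")       # RFC 4861: must be discarded
        end = off + 8 * olen
        if end > len(pkt):
            raise ValueError("truncated ND option")
        if otype == 3 and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", pkt[off + 2:off + 12])
            addr = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            info["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)),
                "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif otype == 25 and olen >= 3 and olen % 2 == 1:
            for i in range(off + 8, end, 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(pkt[i:i + 16])))
        off = end
    return info


def slaac_only_ok(info):
    """The post's requirement for the internal interface: M and O cleared
    (no DHCPv6 for addresses) and at least one prefix with both L and A set."""
    return (not info["M"] and not info["O"]
            and any(p["L"] and p["A"] for p in info["prefixes"]))


if __name__ == "__main__":
    adv, iface = derive_lan_ipv6(DELEGATED_PREFIX)
    print("advertised prefix:", adv, " interface address:", iface)
    ra = build_ra(adv, rdnss=["2003:180:2:8000::53", "2003:180:2:8100::53"])
    info = check_ra(ra)
    print("M/O:", info["M"], info["O"], " prefixes:", info["prefixes"], " rdnss:", info["rdnss"])
    print("SLAAC-only RA ok:", slaac_only_ok(info))
```

Running the script with the constructed /56 yields the advertised prefix 2003:c6:af35:ed00::/64 and the interface address 2003:c6:af35:ed00::1/64, which is exactly the relationship between the delegation and the client addresses seen in the ipconfig output further down. Changing “subnet” to something like 0:0:0:ff::/64 moves the LAN to the last /64 of the delegation, while a subnet ID that reaches into the delegated bits is rejected, which is the mistake the correct IAID and subnet values are there to avoid.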


Runtime IP Addresses

The Interfaces Overview shows the public IPv4 and IPv6 addresses on the wan1 interface as well as the derived IPv6 address on the internal subnet:

Funnily, the Routing pane lists the default IPv4 route but not the IPv6 one. 🤦‍♂️

Packets Don’t Lie: Wireshark

Looking on the wan1 cable (captured with a real network TAP, the ProfiShark 1G), you can see the PPPoE authentication process along with the legacy IP address through PPP IPCP:

Followed by RAs from the ISP and the DHCPv6-PD process, which hands out the delegated /56 prefix along with two recursive DNS servers:

Captured on the internal interface (to be precise, on a Windows machine connected to the FortiGate), you can see the RSs sent from that client that remain unanswered (packets 14, 35, 114), followed by an RA from the FortiGate (nr. 517) that correctly contains the first /64 prefix out of the delegated /56 prefix along with the recursive DNS servers as well:

This is what an “ipconfig /all” looked like on that Windows PC during that time. You can spot all three IPv6 addresses (1x LL, 2x GUA) that are visible as DAD messages in the Wireshark screenshot as well:

Ethernet-Adapter Ethernet 5:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Realtek USB GbE Family Controller #2
   Physische Adresse . . . . . . . . : 00-E0-4C-68-66-C1
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   IPv6-Adresse. . . . . . . . . . . : 2003:c6:af35:ed00:a1c1:25c8:2189:8512(Bevorzugt)
   Temporäre IPv6-Adresse. . . . . . : 2003:c6:af35:ed00:c51:106e:6fa1:5075(Bevorzugt)
   Verbindungslokale IPv6-Adresse  . : fe80::7df5:d240:f60d:4ae6%15(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 192.168.1.111(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Lease erhalten. . . . . . . . . . : Donnerstag, 19. Dezember 2024 15:10:41
   Lease läuft ab. . . . . . . . . . : Donnerstag, 26. Dezember 2024 15:10:41
   Standardgateway . . . . . . . . . : fe80::6d5:90ff:fe42:8615%15
                                       192.168.1.99
   DHCP-Server . . . . . . . . . . . : 192.168.1.99
   DHCPv6-IAID . . . . . . . . . . . : 704700492
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-2A-C5-E5-11-9C-B6-D0-3E-7D-72
   DNS-Server  . . . . . . . . . . . : 192.168.178.1
                                       2003:180:2:8000::53
                                       2003:180:2:8100::53
   NetBIOS über TCP/IP . . . . . . . : Aktiviert


Soli Deo Gloria!

Photo by James Balensiefen on Unsplash.
