It’s really great that the FortiGate firewalls have a DHCPv6 server implemented. With this mandatory service, IPv6-only networks can be deployed directly behind a FortiGate, because the stateless DHCPv6 server provides the DNS server addresses. (This is unlike Palo Alto or Cisco, which have no DHCPv6 server implemented.)
However, the configuration on the FortiGate is really bad, because none of the IPv6 features can be set via the GUI. (And this is called a Next-Generation Firewall? Not only the features count, but also the usability!) Everything must be done through the CLI, whose commands are sometimes hard to remember. Therefore I am publishing this memo of the appropriate CLI configuration commands.
Coming from Cisco devices (which only have the CLI ;)), I find the structure of Fortinet’s command line interface quite different. That’s ok, but I need some memos for it. What I really don’t like are the inconsistencies within the CLI, e.g. sometimes it’s called “ipv6”, sometimes “ip6”. Oh oh. At least the IPv6 policies can be configured through the GUI.
I am running a FortiWiFi 90D with FortiOS v5.2.4, build688.
End-User Interface
A basic end-user interface needs an IPv6 address, router advertisements with the O-flag (for using stateless DHCPv6), as well as an advertised prefix with the O- and A-flag. Furthermore, a stateless DHCPv6 server provides the DNS server addresses. Here we go:
config system interface
    edit "fg-trust3"
        config ipv6
            set ip6-allowaccess ping https ssh
            set ip6-address 2003:51:6012:162::1/64
            set ip6-send-adv enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2003:51:6012:162::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

config system dhcp6 server
    edit 1
        set domain "webernetz.net"
        set interface "fg-trust3"
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::4444
    next
end
Of course, there are many more options to fine-tune the timers, etc. But the commands just listed are the very basic configuration steps to get it running.
For your interest, this is what my IPv6-only network looks like on a Windows 7 machine with the settings just proposed:
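As an added example (my own code, not from the original post and not a Fortinet tool), here is a small Python checker that parses the FortiOS CLI block syntax and verifies the dependency this section relies on: an interface that sets the O-flag must have a DHCPv6 server bound to it that actually hands out DNS servers, and every advertised prefix needs the A-flag. The SAMPLE string is a constructed reduction of the configuration above; the function and message names are my own.

```python
# Added example, not Fortinet code: parse FortiOS CLI blocks (config / edit /
# set / next / end) and verify that an interface advertising the O-flag has a
# stateless DHCPv6 server with DNS behind it. SAMPLE is a constructed reduction.
import shlex

SAMPLE = """config system interface
    edit "fg-trust3"
        config ipv6
            set ip6-send-adv enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2003:51:6012:162::/64
                    set autonomous-flag enable
                next
            end
        end
    next
end
config system dhcp6 server
    edit 1
        set interface "fg-trust3"
        set dns-server1 2001:4860:4860::8888
    next
end
"""

def parse_fortios(text):
    """Nested dicts; 'set' values stay lists because FortiOS allows several."""
    root, stack = {}, []
    for words in filter(None, map(shlex.split, text.splitlines())):
        cur = stack[-1] if stack else root
        if words[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(words[1:]), {}))
        elif words[0] == "set":
            cur[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            stack.pop()
    return root

def check_stateless_dhcpv6(text, ifname):
    """Return the misconfigurations that would leave clients without DNS."""
    cfg = parse_fortios(text)
    ipv6 = cfg.get("system interface", {}).get(ifname, {}).get("ipv6", {})
    bound = [s for s in cfg.get("system dhcp6 server", {}).values() if s.get("interface") == [ifname]]
    checks = [(ipv6.get("ip6-send-adv") == ["enable"], "RAs disabled (ip6-send-adv)"),
              (ipv6.get("ip6-other-flag") == ["enable"], "O-flag unset (ip6-other-flag)"),
              (bool(bound), f"no DHCPv6 server bound to {ifname}"),
              (any(k.startswith("dns-server") for s in bound for k in s), "DHCPv6 server hands out no DNS server"),
              *[(p.get("autonomous-flag") == ["enable"], f"prefix {pfx} lacks A-flag")
                for pfx, p in ipv6.get("ip6-prefix-list", {}).items()]]
    return [msg for ok, msg in checks if not ok]
```

Feeding a full `show full-configuration` dump to `check_stateless_dhcpv6` works the same way, since the parser only cares about the block keywords.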
Routing
For routing IPv6 traffic within the network, static routes or OSPFv3 are quite common. The commands for those are the following. (Have a look at my OSPFv3 blog post which lists the appropriate commands for many other firewall and router devices.)
config router static6
    edit 1
        set gateway 2003:51:6012:101::1
        set device "wan1"
    next
end

config router ospf6
    set auto-cost-ref-bandwidth 10000
    set router-id 172.16.1.6
    config area
        edit 0.0.0.0
        next
    end
    config ospf6-interface
        edit "wan1"
            set interface "wan1"
        next
        edit "fg-trust3"
            set interface "fg-trust3"
        next
    end
    set passive-interface "fg-trust3"
end
Show and Get and Diagnose
To verify the working settings of the FortiGate, these CLI commands can be used:
fd-wv-fw04 # diagnose ipv6 address list
dev=73 devname=fg-trust3 flag=P scope=0 prefix=64 addr=2003:51:6012:162::1
dev=70 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=68 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=63 devname=fg-trust flag=P scope=0 prefix=64 addr=2003:51:6012:160::1
dev=59 devname=root flag=P scope=254 prefix=128 addr=::1
dev=6 devname=wan1 flag=P scope=0 prefix=64 addr=2003:51:6012:101::6
dev=6 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe3c:115d
dev=73 devname=fg-trust3 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe3c:115c
dev=63 devname=fg-trust flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fe3c:115c

fd-wv-fw04 # diagnose ipv6 neighbor-cache list
ifindex=6 ifname=wan1 ff02::5 33:33:00:00:00:05 state=00000040 use=241 confirm=8282556 update=8276556 ref=1
ifindex=6 ifname=wan1 ff02::6 33:33:00:00:00:06 state=00000040 use=455 confirm=6566 update=566 ref=1
ifindex=59 ifname=root :: 00:00:00:00:00:00 state=00000040 use=8278891 confirm=8284891 update=8278891 ref=10
ifindex=73 ifname=fg-trust3 ff02::c 33:33:00:00:00:0c state=00000040 use=261418 confirm=267418 update=261418 ref=1
ifindex=6 ifname=wan1 2003:51:6012:101::1 00:19:e2:a1:f9:8a state=00000002 use=151 confirm=470 update=470 ref=2
ifindex=73 ifname=fg-trust3 2003:51:6012:162:8458:5fee:7eb2:77d4 00:0c:29:15:f8:40 state=00000002 use=2076 confirm=2016 update=2016 ref=2
ifindex=6 ifname=wan1 fe80::20c:29ff:fe63:2159 00:0c:29:63:21:59 state=00000004 use=6676402 confirm=6676402 update=2760067 ref=1
ifindex=6 ifname=wan1 fe80::219:e2ff:fea1:f98a 00:19:e2:a1:f9:8a state=00000002 use=0 confirm=77 update=77 ref=3

fd-wv-fw04 # get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       I - IS-IS, B - BGP
       * - candidate default

Timers: Uptime

S*   ::/0 [10/0] via 2003:51:6012:101::1, wan1, 23:00:41
C    ::1/128 via ::, root, 23:00:49
O    2003:50:aa3d:1dfe:b2c6:9aff:fefd:ca97/128 [110/10010] via fe80::219:e2ff:fea1:f98a, wan1, 22:59:59
C    2003:51:6012:101::/64 via ::, wan1, 23:00:49
O    2003:51:6012:110::/64 [110/110] via fe80::219:e2ff:fea1:f98a, wan1, 22:59:59
O    2003:51:6012:130::/64 [110/110] via fe80::2a94:fff:fea8:772d, wan1, 22:59:59
C    2003:51:6012:160::/64 via ::, fg-trust, 23:00:49
C    2003:51:6012:162::/64 via ::, fg-trust3, 15:34:22
O    2003:51:6012:180::/64 [110/20] via fe80::20c:29ff:fe63:2159, wan1, 22:59:59
C    fe80::/10 via ::, fg-trust3, 15:34:22