This article describes how to configure IPv6 on a FortiGate with a stateful DHCPv6 server for LAN clients.
Scope
FortiGate.
Solution
Topology:
Step 1: Enable IPv6 in GUI: Go to System -> Feature Visibility -> Core Features, enable IPv6, and select ‘Apply’.
Step 2: Define the IPv6 address on port1 (the WAN interface) as shown below:
FGT-A (port1) # show
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.109.21.79 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set alias "WAN"
        set snmp-index 1
        config ipv6
            set ip6-address 2001:af0:8003:2::54f/64
            set ip6-allowaccess ping https ssh
        end
    next
end
Note that the IPv4 allowaccess list on port1 in this example includes http and telnet. On an Internet-facing interface, restrict allowaccess (and ip6-allowaccess) to the protocols that are actually needed, and limit administrative access to trusted hosts.
Step 3: Define a default IPv6 route towards the ISP:
FGT-A (1) # show
config router static6
    edit 1
        set gateway 2001:af0:8003:2::1
        set device "port1"
    next
end
Once the route is defined, ping the gateway to confirm that it is reachable from the port1 interface:
FGT-A # exec ping6 2001:af0:8003:2::1
PING 2001:af0:8003:2::1(2001:af0:8003:2::1) 56 data bytes
64 bytes from 2001:af0:8003:2::1: icmp_seq=1 ttl=255 time=1.05 ms
64 bytes from 2001:af0:8003:2::1: icmp_seq=2 ttl=255 time=0.480 ms
64 bytes from 2001:af0:8003:2::1: icmp_seq=3 ttl=255 time=0.430 ms
Step 4: Once the gateway is reachable, define the IPv6 DNS servers:
FGT-A (dns) # show
config system dns
    set primary 10.109.3.14
    set secondary 96.45.46.46
    set ip6-primary 2001:4860:4860::8888
    set ip6-secondary 2606:4700:4700::1111
end
Step 5: Configure the LAN IPv6 subnet on port3 and enable Router Advertisements with the flags required for a stateful DHCPv6 server:
config system interface
    edit "port3"
        set vdom "root"
        set ip 10.132.5.79 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set alias "LAN"
        set snmp-index 3
        config ipv6
            set ip6-address fd01:af0:8003:2::af/64
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit fd01:af0:8003:2::/64
                next
            end
        end
    next
end
Here, ip6-send-adv makes port3 send Router Advertisements on the LAN. ip6-manage-flag sets the M (managed) flag, telling clients to obtain their address from DHCPv6 rather than SLAAC, and ip6-other-flag sets the O (other) flag, telling them to obtain other configuration such as DNS servers from DHCPv6 as well.
DHCPv6 stateful server configuration:
FGT-A (server) # show
config system dhcp6 server
    edit 1
        set dns-service default
        set subnet fd01:af0:8003:2::/64
        set interface "port3"
        config ip-range
            edit 1
                set start-ip fd01:af0:8003:2::1
                set end-ip fd01:af0:8003:2::ffff
            next
        end
    next
end
Note that the range fd01:af0:8003:2::1 to fd01:af0:8003:2::ffff contains the FortiGate's own port3 address, fd01:af0:8003:2::af. In a production deployment, choose a range that excludes the addresses statically assigned on the subnet (for example by starting the range above the gateway address) so that the server cannot hand out an address that is already in use.
Step 6: Configure an IPv6 firewall policy to allow traffic from the LAN to the WAN:
config firewall policy
    edit 1
        set name "LAN ipv6"
        set uuid efa28f06-4af6-51ef-5593-ddd60f598b8c
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr6 "fd01:af0:8003:2::/64"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
Because the LAN uses a ULA prefix (fd01:af0:8003:2::/64) that is not routable on the Internet, 'set nat enable' on this IPv6 policy applies NAT66 so that outbound traffic is sourced from the global address on port1.
To verify the addresses assigned by the DHCPv6 server, run the following command:
FGT-A # exec dhcp6 lease-list port3
Interface  DUID                                        IAID      IP/Prefix            Expiry
port3      00:01:00:01:2e:35:1b:a8:00:66:6c:69:17:01   67135084  fd01:af0:8003:2::1   Fri Aug 2 04:08:24 2024
port3      00:01:00:01:2e:33:78:a0:00:6b:72:79:12:01   33581938  fd01:af0:8003:2::2   Fri Aug 2 04:09:14 2024
port3      00:01:00:01:2e:35:1b:5e:00:70:65:74:07:01   67137637  fd01:af0:8003:2::3   Fri Aug 2 04:12:16 2024
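The following Python script is an added example and is not part of this article or of FortiOS. It parses the 'exec dhcp6 lease-list' output above (embedded here as a constructed sample), decodes each client's DUID so that a lease can be tied back to a MAC address and DUID generation time during an investigation, and runs the checks a practitioner would want after Step 5: that the configured ip-range lies inside the subnet and does not contain the FortiGate's own port3 address, and that every lease falls inside the pool without collisions. The subnet, range and gateway values are taken from the configuration on this page; the function names and the layout of the returned dictionaries are the author's own choices.

```python
"""Sanity checks for a FortiGate stateful DHCPv6 deployment (added example, not FortiOS code)."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample: the lease-list output shown on this page.
LEASE_LIST = """\
Interface DUID IAID IP/Prefix Expiry
port3 00:01:00:01:2e:35:1b:a8:00:66:6c:69:17:01 67135084 fd01:af0:8003:2::1 Fri Aug 2 04:08:24 2024
port3 00:01:00:01:2e:33:78:a0:00:6b:72:79:12:01 33581938 fd01:af0:8003:2::2 Fri Aug 2 04:09:14 2024
port3 00:01:00:01:2e:35:1b:5e:00:70:65:74:07:01 67137637 fd01:af0:8003:2::3 Fri Aug 2 04:12:16 2024
"""

# Values taken from the port3 / dhcp6 server configuration on this page.
SUBNET = ipaddress.IPv6Network("fd01:af0:8003:2::/64")
RANGE_START = ipaddress.IPv6Address("fd01:af0:8003:2::1")
RANGE_END = ipaddress.IPv6Address("fd01:af0:8003:2::ffff")
GATEWAY = ipaddress.IPv6Address("fd01:af0:8003:2::af")   # port3 ip6-address

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # DUID-LLT time base, RFC 8415 s11.2


def decode_duid(duid):
    """Decode a colon-separated DUID. Handles DUID-LLT (type 1) and DUID-LL (type 3);
    any other type is returned undecoded."""
    raw = bytes.fromhex(duid.replace(":", ""))
    duid_type = int.from_bytes(raw[:2], "big")
    if duid_type == 1 and len(raw) >= 8:          # DUID-LLT: type, hw type, time, link-layer addr
        secs = int.from_bytes(raw[4:8], "big")
        return {"type": "LLT", "hw_type": int.from_bytes(raw[2:4], "big"),
                "generated": DUID_EPOCH + timedelta(seconds=secs),
                "mac": raw[8:].hex(":")}
    if duid_type == 3 and len(raw) >= 4:          # DUID-LL: type, hw type, link-layer addr
        return {"type": "LL", "hw_type": int.from_bytes(raw[2:4], "big"),
                "mac": raw[4:].hex(":")}
    return {"type": duid_type, "raw": raw.hex(":")}


def parse_lease_list(text):
    """Turn `exec dhcp6 lease-list <intf>` output into a list of lease dicts."""
    leases = []
    for line in text.splitlines()[1:]:             # skip the header row
        parts = line.split(maxsplit=4)             # expiry keeps its internal spaces
        if len(parts) != 5:
            continue
        intf, duid, iaid, addr, expiry = parts
        leases.append({
            "interface": intf,
            "duid": duid,
            "iaid": int(iaid),
            "address": ipaddress.IPv6Address(addr),
            "expiry": datetime.strptime(expiry, "%a %b %d %H:%M:%S %Y"),
            "client": decode_duid(duid),
        })
    return leases


def check_pool(subnet=SUBNET, start=RANGE_START, end=RANGE_END, gateway=GATEWAY):
    """Static checks on the dhcp6 server ip-range; returns a list of problems."""
    issues = []
    if start not in subnet or end not in subnet:
        issues.append("ip-range is not inside the configured subnet")
    if start > end:
        issues.append("ip-range start-ip is above end-ip")
    if start <= gateway <= end:
        issues.append(f"gateway {gateway} lies inside the DHCPv6 range")
    return issues


def check_leases(leases, subnet=SUBNET, start=RANGE_START, end=RANGE_END, gateway=GATEWAY):
    """Flag leases outside the pool, colliding with the gateway, or handed to two DUIDs."""
    issues = []
    seen = {}
    for lease in leases:
        addr = lease["address"]
        if addr not in subnet or not (start <= addr <= end):
            issues.append(f"{addr} leased outside the configured range")
        if addr == gateway:
            issues.append(f"{addr} collides with the FortiGate's own address")
        if addr in seen and seen[addr] != lease["duid"]:
            issues.append(f"{addr} leased to two different DUIDs")
        seen[addr] = lease["duid"]
    return issues


if __name__ == "__main__":
    for issue in check_pool():
        print("pool:", issue)
    leases = parse_lease_list(LEASE_LIST)
    for lease in leases:
        client = lease["client"]
        print(lease["address"], client.get("mac"), client.get("generated"), "expires", lease["expiry"])
    for issue in check_leases(leases):
        print("lease:", issue)
```

Run against the sample, the pool check reports that the gateway address fd01:af0:8003:2::af sits inside the configured range, while the three existing leases pass. All three DUIDs on the page are DUID-LLT, so the decoder recovers the client MAC address and the time the DUID was generated from each one; that is the value to pivot on when mapping an IPv6 lease back to a host, since a DUID is stable across interfaces and reboots where a MAC-based IPv4 lease is not.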
Run the following command to check the IPv6 routing table:
FGT-A # get router info6 routing-table database
routing table for VRF=0
S   *> ::/0 [10/0] via 2001:af0:8003:2::1, port1, 19:12:47, [1024/0]
C   *> ::1/128 via ::, root, 1d01h43m
C   *> 2001:af0:8003:2::/64 via ::, port1, 19:13:12
C   *> fd01:af0:8003:2::/64 via ::, port3, 02:33:49