FortiGate IPv6 Configuration

Problem

Often you don't use IPv6, but sometimes you have to, and then the right solution has to be pieced together from several different internet sources. To avoid that in the future, here are the important commands you need to know. ;)

Solution

Basic IPv6 Config

First of all, we need to enable the IPv6 options via CLI (note that this changed in FortiOS 7):
config system global
    set gui-ipv6 enable
end
Afterwards the IPv6 settings appear in the GUI, for example on the interface pages.

Basic IPv6 Interface Config

Let's take a look at the interface options. In general, all IPv6 settings of an interface live in its config ipv6 sub-section.

Static IPv6 address

That's easy:
config system interface
    edit wan
        config ipv6
            set ip6-mode static
            set ip6-address 2001:db8:2::2/64
            set ip6-allowaccess ping
        end
    next
    edit lan
        config ipv6
            set ip6-mode static
            set ip6-address 2001:db8:3::1/64
            set ip6-allowaccess ping
        end
    next
end
config router static6
    edit 0
        set gateway fe80::d82:30ab:863:5b7
        set device wan
        set comment "Default Gateway IPv6"
    next
end

  • Static IPv6 route gateway: the link-local address (fe80::/10) of the provider router on the wan segment. Link-local addresses are only unique per link, so set device wan is mandatory for the route to make sense.
  • ip6-allowaccess: keep this minimal on the WAN side. ping is enough for troubleshooting; management protocols such as https or ssh do not belong on a public-facing interface.

IPv6 DHCP

A bit more complicated is getting a dynamic IPv6 address from the provider. First, put the WAN interface into DHCPv6 mode so that it requests an address.

HINT: Normally you get a /128 address on the interface, i.e. a single address rather than a /64.

See the configuration example:
config system interface
    edit wan
        config ipv6
            set ip6-mode dhcp
        end
    next
end
  • ip6-mode dhcp: tells the FortiGate to request an address from the provider's DHCPv6 server.
IMPORTANT: Once dhcpv6-prefix-delegation is enabled, the WAN interface no longer gets its own IPv6 address from the DHCPv6 server; it only receives the delegated prefix (see the next section).

IPv6 SLAAC for Clients + Prefix Delegation

The WAN interface configuration above gets us an address; now it's time to configure the LAN interface.

Enable prefix delegation on the WAN side. Usually the provider hands out a single /64, which is enough for one LAN segment. If you need multiple /64 subnets in your local LAN, ask the provider for a larger block via the prefix hint, a /60 or /56 depending on what your provider offers. For that we need the following configuration on the WAN side:
config system interface
    edit wan
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcpv6-prefix-delegation enable
            set dhcpv6-prefix-hint ::/60
        end
    next
end
  • dhcpv6-prefix-delegation: enables or disables prefix delegation in general. This is needed in any case, even if a single /64 is enough.
  • dhcpv6-prefix-hint: tells the provider how big the prefix should be. The default is /64. Whether the hint is honoured is up to the provider, so check what you actually received before planning your subnets.

Next, we configure the LAN Interface:
config system interface
    edit lan
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface wan
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface wan
                    set subnet ::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set rdnss-service default
                next
            end
        end
    next
end
Let's take a look at the commands:
  • ip6-mode delegated: tells the FortiGate to derive this interface's address from a prefix delegated to the upstream interface.
  • ip6-send-adv: enables sending Router Advertisements (RA) on this interface. Without it clients never learn the prefix or the default router.
  • ip6-other-flag: sets the O (Other configuration) flag in the RA: clients may ask a stateless DHCPv6 server for additional information such as DNS servers. This only helps if a DHCPv6 server actually answers on the LAN.
  • ip6-upstream-interface: the interface whose delegated prefix is used.
  • ip6-subnet: from this value the FortiGate builds the interface's own address. It takes the delegated prefix (e.g. 2001:db8:3::/60), adds the host part ::1 and applies the /64 length. The result for the interface itself is 2001:db8:3::1/64.
  • ip6-delegated-prefix-list: the list of prefixes advertised to clients.
  • upstream-interface: once more, the interface the prefix comes from.
  • subnet: same logic as above. The subnet portion is added to the delegated prefix and the length is changed to /64. Here ::/64 selects the first /64 of the /60, so there is nothing to add; the second /64 would be 0:0:0:1::/64, and a /60 gives you sixteen of them (0 to f in the fourth hextet).
  • autonomous-flag: sets the A flag in the Prefix Information option: clients may build their own address from this prefix via SLAAC.
  • onlink-flag: sets the L flag: every address in this prefix is directly reachable on this link, so clients talk to each other without sending the traffic via the FortiGate.
  • rdnss-service: hands out DNS servers in the RDNSS option of the RA, for clients that understand it (see the DNS and IPv6 section below for the three modes).
Keep in mind that RA and SLAAC only hand out addresses: the FortiGate still needs an IPv6 firewall policy from lan to wan before clients can reach anything.
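To make the ip6-subnet and subnet arithmetic concrete, here is a small Python helper. It is an added example, not FortiGate code: it models how the delegated prefix and the configured value are combined, and flags the common failure where the provider ignored the /60 hint and only delegated a /64, so that a value like 0:0:0:1::/64 no longer fits. The combination is modelled as a bitwise OR, which is what "add the subnet portion to the prefix" amounts to (an assumption about the FortiOS internals); all prefixes are sample values from the 2001:db8::/32 documentation range.

```python
"""Prefix arithmetic behind FortiOS `ip6-subnet` and `subnet` values.

Added example, not FortiGate code. It models how a delegated prefix
(from the WAN DHCPv6-PD) and a configured value such as ::1/64 or
0:0:0:1::/64 are combined, and flags the classic failure where the
provider ignored the /60 hint and only delegated a /64.
All prefixes below are sample values (2001:db8::/32 is documentation space).
"""
import ipaddress


def combine(delegated: str, value: str) -> ipaddress.IPv6Interface:
    """Combine a delegated prefix with a FortiOS-style subnet value.

    The delegated prefix supplies the leading bits, the configured value
    supplies the remaining bits and the resulting prefix length.
    Assumption: the combination is a bitwise OR, which is what the post's
    'add the subnet portion to the prefix' amounts to.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    sv = ipaddress.IPv6Interface(value)
    if sv.network.prefixlen < pd.prefixlen:
        raise ValueError(f"{value} is shorter than the delegated prefix {pd}")
    # Any bit set inside the provider's part would overwrite what was
    # delegated; that happens when you plan for a /60 but only got a /64.
    if int(sv.ip) & int(pd.netmask):
        raise ValueError(f"{value} does not fit inside the delegated prefix {pd}")
    addr = ipaddress.IPv6Address(int(pd.network_address) | int(sv.ip))
    return ipaddress.IPv6Interface(f"{addr}/{sv.network.prefixlen}")


def available_subnets(delegated: str, new_prefix: int = 64) -> list:
    """All /64s you can carve out of the delegated prefix (16 for a /60)."""
    return [str(n) for n in ipaddress.IPv6Network(delegated).subnets(new_prefix=new_prefix)]


def plan(delegated: str, ip6_subnet: str, client_subnets: list) -> dict:
    """Interface address plus the prefixes advertised to clients; raises on
    the first value that does not fit into the delegated prefix."""
    result = {"interface": str(combine(delegated, ip6_subnet)), "advertised": []}
    for v in client_subnets:
        result["advertised"].append(str(combine(delegated, v).network))
    return result


if __name__ == "__main__":
    # The post's case: /60 delegated, interface ::1/64, first two /64s to clients.
    print(plan("2001:db8:3::/60", "::1/64", ["::/64", "0:0:0:1::/64"]))
    # Provider ignored the hint: only a /64 arrived, the second subnet no longer fits.
    try:
        plan("2001:db8:3::/64", "::1/64", ["::/64", "0:0:0:1::/64"])
    except ValueError as e:
        print("config error:", e)
```

Run it once with the prefix you really received (not the one you hinted for) before committing a multi-subnet LAN design; a value that overlaps the provider's bits will silently produce an address outside your delegation on the FortiGate.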

DNS and IPv6

With SLAAC, link-local and global addresses, IPv6 no longer strictly needs a DHCP server. If it were not for name resolution.
In the beginning IPv6 had no answer for this. Meanwhile there are RDNSS and DNSSL. Here is a short explanation of what these two functions do:

RDNSS

The RDNSS (Recursive DNS Server) option, defined in RFC 8106, lets you hand the end device a DNS server address together with the SLAAC prefix.
This function is still relatively new and is not yet supported by all clients (older Windows releases in particular). A list can be found here:

Configuration

There are three ways to configure RDNSS on the FortiGate (the rdnss-service value):

Delegated
Take the DNS servers the provider handed over with the delegation:
config system interface
  edit internal
    config ipv6
      set ip6-mode delegated
      config ip6-delegated-prefix-list
        edit 1
          set rdnss-service delegated
        next
      end
    end
  next
end
Of course there are more options to set on the IPv6 interface; see the section above.

Specify
Define the RDNSS configuration per delegation entry:
config system interface
  edit internal
    config ipv6
      set ip6-mode delegated
      config ip6-delegated-prefix-list
        edit 1
          set rdnss-service specify
          set rdnss <IPv6 Address>
        next
      end
    end
  next
end
The rdnss value is the DNS server address advertised with this entry.

Default
So far I have not found out which settings are used with this option. According to the CLI Reference Guide version 6.2.8 there are no global RDNSS settings.

HINT: The set rdnss option is also available for ip6-prefix-list entries.

DNSSL

The DNSSL (DNS Search List) option is the RA counterpart of the DHCP domain search list option.
With it, the client learns via SLAAC which DNS suffixes are internal, so short host names resolve without typing the FQDN.

Configuration

Unfortunately, this possibility only exists for the ip6-prefix-list option and is configured as follows:
config system interface
  edit internal
    config ipv6
      set ip6-mode delegated
      config ip6-prefix-list
        edit 2001:db8:3::
          set dnssl "example.local"
        next
      end
    end
  next
end
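The flags from the SLAAC section (ip6-other-flag, autonomous-flag, onlink-flag) and the RDNSS/DNSSL options above are just bits and TLVs in the Router Advertisement the FortiGate sends. To see what a client actually receives, here is an added Python example (not FortiGate code) that builds such an RA per RFC 4861 and RFC 8106 and decodes it the way a client does. build_ra() plays the role of the FortiGate LAN interface, parse_ra() the role of the client; prefix, DNS server and search domain are constructed sample values. The parser also rejects a zero-length option, which RFC 4861 requires a receiver to do.

```python
"""Router Advertisement wire format: what the LAN flags and the RDNSS/DNSSL
options from this post look like on the wire.

Added example in plain Python (RFC 4861 for the RA and Prefix Information
option, RFC 8106 for RDNSS/DNSSL); it is not FortiGate code. build_ra() plays
the role of the FortiGate LAN interface, parse_ra() the role of a SLAAC client.
Prefix, DNS server and search domain are constructed sample values.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS, OPT_DNSSL = 3, 25, 31
RA_MANAGED, RA_OTHER = 0x80, 0x40        # M and O flags in the RA header
PIO_ONLINK, PIO_AUTONOMOUS = 0x80, 0x40  # L and A flags in the Prefix Information option


def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_ra(prefix, other_flag=False, managed_flag=False, autonomous=True,
             onlink=True, rdnss=(), dnssl=()):
    """RA from the router's view. ip6-other-flag -> O bit, autonomous-flag -> A bit,
    onlink-flag -> L bit, rdnss/dnssl -> the two RFC 8106 options.
    The ICMPv6 checksum is left at 0; the kernel computes it on send."""
    flags = (RA_MANAGED if managed_flag else 0) | (RA_OTHER if other_flag else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = (PIO_ONLINK if onlink else 0) | (PIO_AUTONOMOUS if autonomous else 0)
    # type, length (units of 8 bytes), prefix length, flags, valid, preferred, reserved
    ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        ra += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600) + addrs
    if dnssl:
        names = b"".join(encode_name(d) for d in dnssl)
        names += b"\x00" * (-len(names) % 8)   # option body padded to 8-byte multiple
        ra += struct.pack("!BBHI", OPT_DNSSL, 1 + len(names) // 8, 0, 3600) + names
    return ra


def parse_ra(pkt):
    """Client's view: header flags and every option it would act on."""
    typ, _code, _csum, _hl, flags, _lt, _reach, _retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(flags & RA_MANAGED), "other": bool(flags & RA_OTHER),
            "prefixes": [], "rdnss": [], "dnssl": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0 or off + 8 * olen > len(pkt):
            raise ValueError("malformed ND option")   # RFC 4861: discard the whole RA
        opt = pkt[off:off + 8 * olen]
        if otype == OPT_PREFIX_INFO and olen == 4:
            info["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}",
                "onlink": bool(opt[3] & PIO_ONLINK),
                "autonomous": bool(opt[3] & PIO_AUTONOMOUS)})
        elif otype == OPT_RDNSS:
            info["rdnss"] += [str(ipaddress.IPv6Address(opt[i:i + 16]))
                              for i in range(8, len(opt), 16)]
        elif otype == OPT_DNSSL:
            pos = 8
            while pos < len(opt) and opt[pos]:
                name, pos = decode_name(opt, pos)
                info["dnssl"].append(name)
        off += 8 * olen
    return info


if __name__ == "__main__":
    ra = build_ra("2001:db8:3::/64", other_flag=True, autonomous=True, onlink=True,
                  rdnss=["2001:db8:3::1"], dnssl=["example.local"])
    print(len(ra), "bytes:", parse_ra(ra))
```

With the LAN settings from this post you should see other=True, managed=False, onlink and autonomous both True, one RDNSS address and one DNSSL entry. A hex dump of the real RA from the FortiGate (diagnose sniffer packet lan 'icmp6' 6) can be fed to parse_ra() to confirm the box advertises what the configuration says.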

Credits

I compiled the main knowledge of this blog post from, among others, the following websites:
Thanks for the work!
