My Journey to IPv6: Part 2 – Fortigate Address Configuration

How did we get here?

In part 1 of this series I covered some basics about how IPv6 addresses are distributed. In summary, we use DHCPv6 PD to find out from an ISP what prefix should be placed on our clients. After that, a combination of SLAAC and DHCPv6 results in one (or more) IP address and DNS server combo that gives a client IPv6 connectivity.

As mentioned in the first article I have Verizon FiOS without their router. I use a Fortigate 40F for routing and firewall. My internal network is a flat broadcast domain with wired and wireless clients. My goal is to have those clients automatically assign themselves addresses and get out to the Internet as well as allowing inbound web and media (Plex) service on native IPv6 to servers on the network.

My Fortigate is running FortiOS 7.2.2; the latest and greatest as of this writing. While Fortinet has a long history of IPv6 support, the richness of the feature set and the amount of configuration that can be performed (or even viewed) in the GUI grows with each release. Since this is my home network I have the luxury of no one losing money (or my job) if the network goes down due to a firewall bug so I run the latest firmware. I would not recommend running bleeding edge firmware in a business environment. I only point this out because some of the syntax and screenshots that I have may be different in earlier versions of FortiOS. YMMV.

Grab the delegated prefix from the WAN

UPDATE: I have found that any changes to the DHCP-PD settings on the WAN interface will result in Verizon issuing you a new prefix. My prefix survives a reboot, but once I made a change and put it back, I got a new one. In my case it was a mistake: I typed “edit 6” instead of “edit 5” to take a look at the current settings, and as soon as the link saw the DHCP-PD ID added to the request (I hadn’t removed or touched 5) it gave me a new prefix. Be warned once you have this all working.

Here is the CLI config block from the WAN ethernet interface

You can see the typical DHCP configuration for the IPv4 WAN address and the multiple lines related to IPv6.

set ip6-allowaccess ping

This allows the link-local address of the WAN interface to be pinged. Not 1000% sure this is required, but the theme in IPv6 is to allow ICMPv6 and not worry about it.

set dhcp6-prefix-delegation enable

This is the critical line. It tells the Fortigate to send out a DHCPv6 request for a prefix delegation.

set autoconf enable

This line enables SLAAC for the WAN interface itself. You’ll remember in the first article I talked at length about how WAN interfaces don’t need routable IPs. The reason I know this is that Verizon doesn’t seem to use a standard way of assigning them. There are no router advertisements with routable prefixes, and running a stateful DHCPv6 client on the WAN interface (I said DHCPv6 usually doesn’t hand out actual addresses, but it CAN) doesn’t result in any offers of an address. It does offer a default route, but it will not show in the regular routing table. You can view the link-local address of the ISP next-hop default route by running:

diag ipv6 route list

The dhcp6-iapd-list subsection configures options around the prefix that Verizon is offering.

        config dhcp6-iapd-list
            edit 5
                set prefix-hint ::/56
                set prefix-hint-plt 0
                set prefix-hint-vlt 0
            next
        end

set prefix-hint ::/56

A better word than hint is ask. This is what we are going to ask Verizon to give us. We’re asking for a /56 subnet as that, according to my research, is the largest size they allocate to residential customers. It’s more than enough, as a /56 is 256 /64 subnets. We’re only going to use one for now, but if we ever wanted to add additional VLANs or networks internally we would now have IPv6 space to assign to them.

set prefix-hint-plt 0

set prefix-hint-vlt 0

These two values ask Verizon to lease us the address permanently/perpetually. I don’t know if they are actually honored, but the less chance of my PD prefix changing the better.

Notice that I am editing position 5 in the list even though there is only one entry. All of the documentation that I found on other implementations had a 1 instead of a 5. I learned that this value is not arbitrary but must match the ID of the prefix in the DHCPv6 message. I assume this is so that one message can contain multiple prefixes. I was able to find the ID that Verizon was sending by renewing the DHCPv6 lease on the WAN interface while running a debug. This value is used several times in the config.

diag debug application dhcp6c -1

Hand out SLAAC advertisements on the inside interface

set ip6-mode delegate

This tells the interface to get its own IP from the delegated prefix.

set ip6-allowaccess ping

Allow this interface to respond to ping requests.

set ip6-send-adv enable

Send router advertisements on this interface.

set ip6-other-flag enable

In the advertisements, tell clients to get other information (read: DNS servers) from DHCPv6.

set ip6-upstream-interface "wan"

Use the delegated prefixes received on the wan interface (you could have multiple WANs) for assigning an IP to this interface.

set ip6-delegated-prefix-iaid 5

This matches the value we used on the WAN configuration and found in the debug.

set ip6-subnet ::fff0/64

This indicates how the interface will form its own address. The subnet above is appended to the PD prefix and that is the IP of the inside interface.

        config ip6-delegated-prefix-list
            edit 1
                set upstream-interface "wan"
                set delegated-prefix-iaid 5
                set subnet ::/64
                set rdnss-service delegated
            next
        end

These options indicate what delegated prefix should be used in SLAAC advertisements for clients. The first two lines are self-explanatory (match the debug ID). The subnet line tells the client that their subnet is 64 bits in length. The RDNSS line tells the Fortigate to repeat the DNS servers it receives from the ISP in its router advertisements. We will configure stateless DHCPv6 for DNS server assignment as most clients will use that, but having this doesn’t hurt.
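How the delegated /56 and the `ip6-subnet` value combine into the inside interface address and the advertised /64, and where the "256 /64 subnets" figure comes from, as an added Python example (not from the original post or from Fortinet). It assumes "appended" means a bitwise OR of the subnet value into the bits below the delegated prefix length; `derive_lan` is a hypothetical helper and the `2001:db8:...` prefixes are constructed documentation values.

```python
import ipaddress

def derive_lan(delegated: str, ip6_subnet: str) -> dict:
    """Combine a delegated prefix with an ip6-subnet value such as ::fff0/64."""
    pd = ipaddress.IPv6Network(delegated)        # prefix handed out by the ISP
    sub = ipaddress.IPv6Interface(ip6_subnet)    # subnet ID + host bits + length
    sub_len = sub.network.prefixlen
    if sub_len < pd.prefixlen:
        raise ValueError("subnet is larger than the delegated prefix")
    # Bits of the subnet value that fall inside the ISP-assigned part must be 0,
    # otherwise the result would land outside the delegation.
    if int(sub.ip) >> (128 - pd.prefixlen):
        raise ValueError("subnet value overlaps the delegated prefix bits")
    # Assumption: "appended" means OR-ing the value into the free low bits.
    addr = ipaddress.IPv6Address(int(pd.network_address) | int(sub.ip))
    iface = ipaddress.IPv6Interface(f"{addr}/{sub_len}")
    offset = int(iface.network.network_address) - int(pd.network_address)
    return {
        "interface": iface,                       # address of the inside interface
        "advertised": iface.network,              # prefix clients see via SLAAC
        "subnet_index": offset >> (128 - sub_len),
        "subnets_available": 2 ** (sub_len - pd.prefixlen),
    }

if __name__ == "__main__":
    # Constructed values: 2001:db8::/32 is the documentation range.
    for pd in ("2001:db8:1234:ab00::/56", "2001:db8:5678:1200::/56"):
        for subnet in ("::fff0/64", "0:0:0:ff::1/64"):
            r = derive_lan(pd, subnet)
            print(pd, subnet, "->", r["interface"], "index", r["subnet_index"])
    try:
        derive_lan("2001:db8:1234:ab00::/56", "0:0:0:100::1/64")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it with the second constructed prefix shows that a new delegation changes the inside address and the advertised /64 while the subnet value stays the same.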

Configure DHCPv6 to assign DNS servers

The DNS servers listed above are OpenDNS publicly available recursive resolvers.

On to part 3

In this part we configured a Fortigate firewall to retrieve an IPv6 prefix from Verizon FiOS and hand it out to clients on the inside network.
