Getting Started with IPv6 in FortiOS

    Introduction and a bit of theory.

    The origin of IP version 6 dates from 1998 to RFC 2460, which describes IPv6 as the successor protocol for version 4. This transition is associated with the predictable exhaustion of address space in IPv4. The transition from 32-bit to 128-bit addresses allowed us to increase the address space in IPv6 to a limit of 2 in the 128 degree number of addresses. However, in addition to increasing the address space, in the implementation of IPv6 there are a lot of innovations designed to rid this protocol of the problems of its predecessor. These innovations include the lack of broadcast, SLAAC, NDP.

    SLAAC or stateless auto-configuration can be used to automatically configure stateless IP addresses if hosts do not need a specific IP address. SLAAC automatically configures addresses using NDP and a router. Unlike DHCPv6, additional servers are not required to implement SLAAC technology.

    NDP, in turn, replaces ARP, ICMP router discovery, and ICMP redirect. In IPv6, NDP is responsible for automatically configuring the address of network endpoints, detecting other nodes on the line, detecting the addresses of other nodes at the communication channel level, detecting address conflicts, finding available paths and DNS servers, detecting subnets, and maintaining the availability of path information to other active neighbors nodes.

    And what about DHCP? DHCP for IPv6 can be used if you need to control the assignment of IP addresses or provide DNS settings. DHCPv6 can also provide other parameters, query hosts and change their addresses. This is stateful DHCPv6. Stateless DHCPv6 can provide additional information (such as DNS) to hosts that receive their IPv6 addresses using automatic configuration (SLAAC) or manual addressing.

    The FortiOS operating system fully supports IPv6 and, starting with FortiOS 5.4, supports a rather interesting DHCP delegation function, which allows the device interface to receive addresses from subnets provided by a DHCP server located behind another interface. In other words, as soon as the DHCP server has delegated prefixes to the client, the interface that is connected to the local area network (LAN) has an IPv6 address using the received prefix block and the addresses used in the received prefix can be transferred to other clients on the local network.


    To configure this functionality, a real case will be reproduced when the provider sends a specific IPv6 prefix to the client.

    Simplified Topology:

    A Cisco router is used as a DHCPv6 server, and a FortiGate firewall in the form of a virtual machine with the operating system version 5.4.4 is used as an edge device that performs DHCPv6 delegation. For the client side, FortiGate is also used.

    Below are excerpts from the configuration with comments.


    # ipv6 dhcp pool dhcpv6

    We use a DHCP pool called dhcpv6

    # prefix-delegation pool dhcpv6-pool1 lifetime 1800 600

    The name of the pool used to delegate prefixes is dhcpv6-pool1

    #interface Ethernet0 / 0
    #no ip address
    # ipv6 address 2010: AB8: 0: 1 :: 1/64
    - assign an address for the interface e0 / 0
    # ipv6 enable
    # ipv6 dhcp server dhcpv6
    enable the DHCPv6 server on the #exit interface .

    The next command determines the name of the prefix pool for delegation. The address pool 2001: DB8: 1200 :: / 48 will be used, from which we will delegate the / 64

    # ipv6 local pool dhcpv6-pool1 sub-prefixes to the client 2001: DB8: 1200 :: / 48 64

    After that, we proceed to the FortiGate edge configuration.

    FortiGate-VM64-KVM # config system interface

    Go to the configuration mode of the network interfaces

    FortiGate-VM64-KVM (interface) # edit port1 Enter the edit

    mode of the interface port1

    FortiGate-VM64-KVM (port1) # config ipv6

    We begin to configure IPv6

    FortiGate-VM64- KVM (ipv6) # set dhcp6-prefix-delegation enable

    This command enables the delegation of prefixes received from the provider to the downstream firewall interfaces.

    The interface towards the provider is configured, go to the configuration of the LAN interface. By analogy with the settings for port1, we enter the IPv6 configuration mode for the port2 interface.

    #config system interface
    #edit “port1”
    #config ipv6
    #set ip6-mode delegated
    - indicate that the delegated prefix
    #set ip6-upstream-interface “port1” will be used - the interface behind which is the DHCPv6 server
    #set ip6-subnet 2001 : db8: 1200 :: 1/64
    #set ip6-send-adv enable
    #config ipv6-delegated-prefix-list
    #edit 1
    #set upstream-interface "port10"
    #set autonomous-flag enable
    #set onlink-flag enable
    #set subnet 2001: db8: 1200 :: / 64
    - specify the delegation prefix

    Separately, it will stop at the command Ip6-send-adv - enable or disable this option indicates whether the system should periodically send Router Advertisements and listen to Router Solicitations. When this parameter is enabled, the address of this interface will be added to the multicast All Routers group (FF02 :: 02) and included in the Multi Listener Discovery (MLD) report. By default, ip6-send-adv is in the disable state. In this case, with the autoconf option enabled, FortiGate will function as an SLAAC client.

    We check on the client with SLAAC enabled.

    We enable autoconf for the port1 interface on the client firewall according to the topology.

    ip6-client # config system interface
    ip6-client (interface) # edit port1
    ip6-client (port1) # config ipv6
    ip6-client (ipv6) # set autoconf enable
    ip6-client (ipv6) # end By a

    separate command we verify that everything is configured correctly and the device received an IP address.

    This completes the basic setup. Additionally, you can configure a DHCPv6 server on the FortiGate Edge and use the delegated IPv6 prefix as a pool of addresses on end clients.

    This is configured quite simply:

    #config system dhcp6 server - switching to DHCPv6 server configuration mode
    #edit 1
    #set interface “port2”
    - the interface that the DHCP service
    #set upstream-interface "port1" will provide - the interface to the provider side through which we get our prefix
    #set ip-mode delegated - additionally indicate that the configured DHCPv6 server will use the delegated prefix.

    And finally, a few commands for basic network diagnostics in FortiOS:

    # execute interface dhcp6client-renew - update DHCPv6 lease on the specified interface
    #get router info6 routing-table database - display the routing table for IPv6
    #exec ping6 & #exec ping6-options - ping for IPv6 and setting specific parameters, such as packet size, number of retries, source IP, TTL, etc.

    Also popular now: