You’d think this would be an easy thing, where a FortiGate unit would behave like a layer 3 switch: add an IPv6 address and it starts sending router advertisements. Nope. If it had been as simple as I had hoped, this article would not have been warranted, but it wasn’t that simple.
So I want to enable IPv6 on a subnet for which the FortiGate is acting as the router. I add an address in the GUI. Anything exciting happen? Nope. Machines don’t seem to know it’s there, so I run tcpdump to look for router advertisements (ICMPv6 type 134, the byte right after the 40-byte IPv6 header):
tcpdump -vvvv -ttt icmp6 and 'ip6[40] = 134'
No RAs are seen. Hmm, okay, back to the FortiGate; nothing in the GUI related to router advertisements. Odd.
I ssh in and drill down to interface level:
config system interface
    edit "internal1"
        config ipv6
fw (ipv6) # set ?
ip6-mode                  Addressing mode (static, DHCP, delegated).
ip6-address               Primary IPv6 address prefix of interface.
ip6-allowaccess           Allow management access to the interface.
ip6-send-adv              Enable/disable send advertisements flag.
ip6-manage-flag           Enable/disable managed flag.
ip6-other-flag            Enable/disable other flag.
ip6-max-interval          Maximum interval (sec; between 4 to 1800).
ip6-min-interval          Minimum interval (sec; between 3 to 1350).
ip6-link-mtu              Link MTU.
ip6-reachable-time        Reachable time (milliseconds; 0 means unspecified).
ip6-retrans-time          Retransmit time (milliseconds; 0 means unspecified).
ip6-default-life          Default life (sec).
ip6-hop-limit             Hop limit (0 means unspecified).
dhcp6-relay-service       Enable/disable use DHCPv6 relay service.
dhcp6-prefix-delegation   Enable/disable DHCPv6 prefix delegation.
Oooh, ip6-send-adv looks interesting, so I turn it on. Nothing happens. I see a reference on FortiGate’s website, in an article about setting up DHCPv6, saying that the interface needs to be bounced, so I do that. Nothing happens.
Turns out you need a few more items. You also need ip6-other-flag enabled under config ipv6, and I can’t find any docs on what that actually does. Then you need to define the subnet you’re on by way of the ip6-prefix-list and, within the relevant prefix entry, turn on autonomous-flag and onlink-flag. Your config will look like this:
config system interface
    edit "internal1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping https ssh
            set ip6-address 2001:db8:0:1::1/64
            set ip6-send-adv enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:db8:0:1::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end
Once that’s added, the FortiGate should start sending RAs, so your devices can see it and use SLAAC to configure an IPv6 address.
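To check what the FortiGate actually puts on the wire, here is an added example (not from the original post) that decodes the ICMPv6 payload the tcpdump filter isolates and reports which of the settings above are missing from a given RA: ip6-manage-flag and ip6-other-flag map to the M and O bits of the RA header (RFC 4861), and the prefix list’s onlink-flag and autonomous-flag map to the L and A bits of the prefix information option. The RA bytes are constructed inside the block (checksum left zero) so it runs offline; on a real capture you would feed it the bytes from offset 40 of the IPv6 packet.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 type byte that the tcpdump filter matches at offset 40
PREFIX_INFO_OPT = 3    # RA option carrying the prefix and its L/A flags

def parse_ra(icmp6):
    """Decode the ICMPv6 payload of a Router Advertisement (RFC 4861)."""
    if icmp6[0] != RA_TYPE:
        raise ValueError("not a router advertisement")
    hop_limit, flags, router_life = struct.unpack_from("!BBH", icmp6, 4)
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),  # M flag
          "other": bool(flags & 0x40), "router_lifetime": router_life, "prefixes": []}  # O flag
    off = 16  # options start after the 16-byte RA header
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8  # option length is in 8-byte units
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard the packet
        if otype == PREFIX_INFO_OPT and olen == 32:
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", icmp6, off + 2)
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "onlink": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40), "valid": valid, "preferred": preferred})
        off += olen
    return ra

def slaac_problems(ra):
    """List the reasons hosts would not autoconfigure an address from this RA."""
    problems = []
    if ra["router_lifetime"] == 0:
        problems.append("router lifetime 0: not usable as a default router")
    if not ra["prefixes"]:
        problems.append("no prefix information option (ip6-prefix-list empty)")
    for p in ra["prefixes"]:
        if not p["autonomous"]:
            problems.append(f"{p['prefix']}: autonomous-flag disabled, no SLAAC")
        if not p["onlink"]:
            problems.append(f"{p['prefix']}: onlink-flag disabled, peers reached via router")
    return problems

def build_ra(managed=False, other=True, router_life=1800, prefixes=()):
    """Constructed RA payload (checksum left 0) so the parser can be exercised offline."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    pkt = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, router_life, 0, 0)
    for prefix, onlink, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)
        pkt += struct.pack("!BBBBIII", PREFIX_INFO_OPT, 4, net.prefixlen, pflags, 2592000, 604800, 0)
        pkt += net.network_address.packed
    return pkt
```

Running slaac_problems over the parsed RA from a capture tells you at a glance whether the prefix entry, its A/L flags, or the router lifetime is what is stopping hosts from configuring themselves.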