Getting a FortiGate to send IPv6 Router Advertisements

You'd think this would be easy, and that a FortiGate would behave like a layer 3 switch: add an IPv6 address to an interface and it starts sending Router Advertisements. Nope. If it had been only slightly harder than I hoped, this article would not have been warranted, but it wasn't that simple.

So I want to enable IPv6 on a subnet the FortiGate is the router for. I add an address in the GUI. Anything exciting happen? Nope. Machines on the subnet don't seem to know it's there, so I run tcpdump on one of them to look for Router Advertisements (ICMPv6 type 134):

tcpdump -vvvv -ttt icmp6 and 'ip6[40] = 134'

No RAs seen. (Byte 40 of the IPv6 packet is the ICMPv6 type field, the first byte after the fixed 40-byte IPv6 header, so this filter only matches RAs that carry no extension headers, which is the normal case.) Hmm okay, back to the FortiGate; nothing in the GUI relates to router advertisements, which is odd.

I ssh in and drill down to the interface's IPv6 sub-configuration:

config system interface
 edit "internal1"
  config ipv6

fw (ipv6) # set ?
ip6-mode Addressing mode (static, DHCP, delegated).
ip6-address Primary IPv6 address prefix of interface.
ip6-allowaccess Allow management access to the interface.
ip6-send-adv Enable/disable send advertisements flag.
ip6-manage-flag Enable/disable managed flag.
ip6-other-flag Enable/disable other flag.
ip6-max-interval Maximum interval (sec; between 4 to 1800).
ip6-min-interval Minimum interval (sec; between 3 to 1350).
ip6-link-mtu Link MTU.
ip6-reachable-time Reachable time (milliseconds; 0 means unspecified).
ip6-retrans-time Retransmit time (milliseconds; 0 means unspecified).
ip6-default-life Default life (sec).
ip6-hop-limit Hop limit (0 means unspecified).
dhcp6-relay-service Enable/disable use DHCPv6 relay service.
dhcp6-prefix-delegation Enable/disable DHCPv6 prefix delegation.

Oooh, ip6-send-adv looks interesting, so I turn it on. Nothing happens. An article on Fortinet's website about setting up DHCPv6 mentions that the interface needs to be bounced, so I do that. Nothing happens.

Turns out you need a few more items. You also need ip6-other-flag enabled under config ipv6. Fortinet's docs don't explain it, but in RFC 4861 terms it sets the O (Other configuration) flag in the RA, which tells hosts that non-address information such as DNS servers is available via stateless DHCPv6. Then you need to define the prefix you're advertising in the ip6-prefix-list, and within the relevant prefix turn on autonomous-flag (the A bit, which lets hosts form SLAAC addresses from it) and onlink-flag (the L bit, which tells hosts the prefix is directly reachable on this link). Your config will look like this (the interface's IPv4 address is omitted from the listing):

config system interface
    edit "internal1"
        set ip
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping https ssh
            set ip6-address 2001:db8:0:1::1/64
            set ip6-send-adv enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:db8:0:1::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

Once that's added, the FortiGate should start sending RAs, so your devices can see it as a router and use SLAAC to configure an IPv6 address. Re-run the tcpdump filter above to confirm: you should now see periodic RAs from the FortiGate's link-local address to ff02::1 carrying the prefix. One caveat: because ip6-other-flag sets the O flag, hosts will also send DHCPv6 Information-Requests for DNS and similar options, so either provide a DHCPv6 server (or enable the relay) or expect those requests to go unanswered.
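To see exactly which bits the settings above change on the wire, here is an added example (not code from the original post) that decodes a Router Advertisement the way the tcpdump filter matches it and reports the M/O flags and per-prefix A/L flags from RFC 4861. The packet bytes are constructed inline to resemble an RA from the configuration above; the FortiGate's link-local address and MAC are assumptions, and the checksum is left zero because the packet is only parsed, never transmitted.

```python
"""Decode an ICMPv6 Router Advertisement (RFC 4861 sections 4.2 and 4.6).
Added example; packet bytes are constructed, not captured."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_MTU = 5


def build_sample_ra() -> bytes:
    """Construct an IPv6 packet carrying an RA like the one the config above sends."""
    src = ipaddress.IPv6Address("fe80::1").packed   # assumed FortiGate link-local
    dst = ipaddress.IPv6Address("ff02::1").packed   # all-nodes multicast
    # RA header: type, code, checksum(0), cur hop limit, flags (O=0x40 only,
    # i.e. ip6-other-flag enable, ip6-manage-flag disable), router lifetime,
    # reachable time, retrans timer
    ra = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0x40, 1800, 0, 0)
    ra += struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, bytes.fromhex("001122334455"))  # assumed MAC
    ra += struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    # Prefix Information: /64, flags L|A = 0xC0 (onlink-flag + autonomous-flag),
    # valid 30 days, preferred 7 days, reserved, prefix
    prefix = ipaddress.IPv6Address("2001:db8:0:1::").packed
    ra += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0, prefix)
    # Fixed IPv6 header: version 6, payload length, next header ICMPv6, hop limit 255
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(ra), ICMPV6_NEXT_HEADER, 255, src, dst)
    return hdr + ra


def is_router_advertisement(packet: bytes) -> bool:
    """Same test as the tcpdump filter "icmp6 and ip6[40] = 134": next header is
    ICMPv6 and the byte right after the fixed header is type 134. Like the filter,
    this assumes no extension headers sit between the IPv6 header and ICMPv6."""
    return (len(packet) > 40
            and packet[6] == ICMPV6_NEXT_HEADER
            and packet[40] == ICMPV6_ROUTER_ADVERTISEMENT)


def parse_ra(packet: bytes) -> dict:
    """Parse the RA into the fields the FortiGate CLI exposes (noted per key)."""
    if not is_router_advertisement(packet):
        raise ValueError("not an ICMPv6 Router Advertisement")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    body = packet[40:40 + payload_len]
    _t, _c, _csum, cur_hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", body[:16])
    ra = {
        "ipv6_hop_limit": packet[7],         # must be 255 (RFC 4861 section 6.1.2)
        "cur_hop_limit": cur_hop,            # ip6-hop-limit
        "managed": bool(flags & 0x80),       # ip6-manage-flag (M)
        "other": bool(flags & 0x40),         # ip6-other-flag (O)
        "router_lifetime": lifetime,         # ip6-default-life
        "reachable_time": reachable,         # ip6-reachable-time
        "retrans_timer": retrans,            # ip6-retrans-time
        "mtu": None,                         # ip6-link-mtu
        "source_mac": None,
        "prefixes": [],                      # ip6-prefix-list
    }
    pos = 16
    while pos + 2 <= len(body):
        opt_type, opt_len = body[pos], body[pos + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 section 4.6: discard packet
        opt = body[pos:pos + opt_len * 8]
        if len(opt) < opt_len * 8:
            raise ValueError("truncated ND option")
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            ra["source_mac"] = opt[2:8].hex(":")
        elif opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred, _res, pfx = struct.unpack("!BBIII16s", opt[2:32])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(pfx)}/{plen}",
                "onlink": bool(pflags & 0x80),      # onlink-flag (L)
                "autonomous": bool(pflags & 0x40),  # autonomous-flag (A)
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        pos += opt_len * 8
    return ra


def slaac_usable(ra: dict) -> bool:
    """A host can form a SLAAC address only from a prefix with A set and a
    non-zero preferred lifetime; without autonomous-flag the RA is useless for SLAAC."""
    return any(p["autonomous"] and p["preferred_lifetime"] > 0 for p in ra["prefixes"])


if __name__ == "__main__":
    decoded = parse_ra(build_sample_ra())
    for key, value in decoded.items():
        print(f"{key}: {value}")
    print("SLAAC usable:", slaac_usable(decoded))
```

To check a real FortiGate, feed `parse_ra` the raw IPv6 packet from a capture (for example the bytes of a frame written with `tcpdump -w`, minus the Ethernet header): `other` should be True, and the advertised prefix should show both `onlink` and `autonomous` True, matching ip6-other-flag, onlink-flag and autonomous-flag in the configuration.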
