Getting a FortiGate to send IPv6 Router Advertisements

You’d think this would be an easy thing where perhaps a FortiGate unit would behave like a layer 3 switch; add an IPv6 address, it starts sending router advertisements.  Nope.  If it were just slightly more simple than I had hoped, this article would not have been warranted, but it wasn’t that simple.

So I want to enable IPv6 on a subnet that the FortiGate is acting as the router for.  I add an address in the GUI.  Anything exciting happen?  Nope.  Machines don’t seem to know it’s there, so I run tcpdump to look for router advertisements:

tcpdump -vvvv -ttt icmp6 and 'ip6[40] = 134'

No RAs are being seen.  Hmm, okay, back to the FortiGate; nothing in the GUI related to router advertisements; odd.

I ssh in and drill down to interface level:

config system interface
 edit "internal1"
  config ipv6
   

fw (ipv6) # set ?
ip6-mode Addressing mode (static, DHCP, delegated).
ip6-address Primary IPv6 address prefix of interface.
ip6-allowaccess Allow management access to the interface.
ip6-send-adv Enable/disable send advertisements flag.
ip6-manage-flag Enable/disable managed flag.
ip6-other-flag Enable/disable other flag.
ip6-max-interval Maximum interval (sec; between 4 to 1800).
ip6-min-interval Minimum interval (sec; between 3 to 1350).
ip6-link-mtu Link MTU.
ip6-reachable-time Reachable time (milliseconds; 0 means unspecified).
ip6-retrans-time Retransmit time (milliseconds; 0 means unspecified).
ip6-default-life Default life (sec).
ip6-hop-limit Hop limit (0 means unspecified).
dhcp6-relay-service Enable/disable use DHCPv6 relay service.
dhcp6-prefix-delegation Enable/disable DHCPv6 prefix delegation.

Oooh, ip6-send-adv looks interesting, so I turn it on.  Nothing happens.  I see a reference on FortiGate’s website, in an article about setting up DHCPv6, that the interface needs to be bounced, so I do that.  Nothing happens.

Turns out you need a few more items.  You also need ip6-other-flag enabled at the ipv6 level, and I can’t find any docs on what that actually does.  Then you need to define the subnet you’re on by way of the ip6-prefix-list, then, within the relevant prefixes, turn on autonomous-flag and onlink-flag under it.  Your config will look like this:

config system interface
    edit "internal1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping https ssh
            set ip6-address 2001:db8:0:1::1/64
            set ip6-send-adv enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:db8:0:1::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

Once that’s added, the FortiGate should start sending RAs, so your devices can see it as a router and use SLAAC to add an IPv6 address.
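To confirm what hosts on the segment are actually being told, here is an added Python decoder (my own example, not code from the post or from Fortinet) that parses an RA body as the tcpdump filter above would capture it and reports the M/O header flags and each prefix's A and L flags, which is where the ip6-other-flag, autonomous-flag and onlink-flag settings end up. The sample bytes are constructed, not captured.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement, what the tcpdump filter ip6[40] = 134 matches
OPT_PREFIX_INFO = 3    # RFC 4861 Prefix Information option

def parse_router_advertisement(payload: bytes) -> dict:
    """Decode an RA body (ICMPv6 header onward). Checksum is not verified (needs the IPv6 pseudo-header)."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    typ, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),   # M flag (ip6-manage-flag): get addresses via DHCPv6
        "other": bool(flags & 0x40),     # O flag (ip6-other-flag): get other config, e.g. DNS, via DHCPv6
        "router_lifetime": lifetime,     # 0 means "do not use me as a default router" (ip6-default-life)
        "prefixes": [],
    }
    offset = 16
    while offset < len(payload):                      # walk the TLV options, lengths are in 8-byte units
        if offset + 2 > len(payload) or payload[offset + 1] == 0:
            raise ValueError("malformed option")
        opt_type, size = payload[offset], payload[offset + 1] * 8
        opt = payload[offset:offset + size]
        if len(opt) < size:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFO and size == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{plen}",
                "onlink": bool(pflags & 0x80),       # L flag (onlink-flag)
                "autonomous": bool(pflags & 0x40),   # A flag (autonomous-flag): hosts may SLAAC from it
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        offset += size
    return ra

def slaac_usable(ra: dict) -> bool:
    """True when a host would both pick this router as default and form an address by SLAAC."""
    return ra["router_lifetime"] > 0 and any(p["autonomous"] for p in ra["prefixes"])

# Constructed sample RA (not a capture): O flag set, one /64 with A and L set, matching the config above.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x40, 1800, 0, 0)
    + struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
    + ipaddress.IPv6Address("2001:db8:0:1::").packed
)
```

Feed it the ICMPv6 payload from a real capture (for example via scapy's raw bytes or a pcap reader) and an RA that parses but has no autonomous prefix explains hosts that see the router yet never get an address.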
