Friday, February 28, 2014

Configuring DHCPv6 on a Fortinet FortiGate firewall


How to configure the external interface:

config system interface
    edit "wan1"
        set alias "External"
        config ipv6
            set ip6-address xxxx:xxx:xxx:113::2/64
            set ip6-allowaccess ping
            set ip6-manage-flag enable
            set ip6-other-flag enable
        end
    next
end

How to configure the static6 route:

config router static6
    edit 1
        set device "wan1"
        set gateway xxxx:xxx:xxx:113::1
    next
end


How to configure the Internal interface:

config system interface
    edit "Internal"
        config ipv6
            set ip6-mode static
            set ip6-address xxxx:xxx:xxx:cccc::1/64
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            set ip6-max-interval 600
            set ip6-min-interval 198
            set ip6-link-mtu 0
            set ip6-reachable-time 0
            set ip6-retrans-time 3000
            set ip6-default-life 1800
            set ip6-hop-limit 0
            set autoconf disable
            set dhcp6-relay-service disable
        end
    next
end


How to configure the DHCP server:


config system dhcp6 server
    edit 1
        set dns-service specify
        set enable enable
        set interface "wan2"
            config ip-range
                edit 1
                    set end-ip xxxx:xxx:xxx:cccc::6000
                    set start-ip xxxx:xxx:xxx:cccc::1000
                next
            end
        set lease-time 10800
        set option1 0
        set option2 0
        set option3 0
        set rapid-commit disable
        set subnet xxxx:xxx:xxx:cccc::/64
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::4444
        set dns-server3 ::
    next
end


With this configuration, hosts obtain an IP between xxxx:xxx:xxx:cccc::1000 and xxxx:xxx:xxx:cccc::6000 from the DHCP server and use it to reach the Internet.

Other DHCPv6-related settings may interest you. For example, you can configure a prefix list on the interface:


config system interface
    edit "Internal"
        config ipv6
            set ip6-address xxxx:xxx:xxx:cccc::1/64
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            set ip6-retrans-time 3000
            config ip6-prefix-list
                edit xxxx:xxx:xxx:cccc::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set preferred-life-time 600
                    set valid-life-time 600
                next
            end
        end
    next
end


With this configuration, the client host will have three IPv6 addresses: two of them auto-generated from the prefix list and another given by the DHCP server. The client host will reach the Internet with the first one and get the DNS options given by the DHCP server.

You can see the IP leases with the following command:

execute dhcp6 lease-list

Interface   DUID                                         IAID      IP                            Expiry
wan2        xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx    1         xx:xx:xx:cccc::1000       Fri May 31 15:49:27 2013
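
One way to audit that lease list against the configured ip-range, as an added example (not part of the original post). It assumes the documentation prefix 2001:db8:0:cccc::/64 in place of the masked addresses; the sample rows and the names parse_leases and audit_leases are constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed sample of `execute dhcp6 lease-list` output (not from a real device).
# 2001:db8::/32 is the documentation prefix, standing in for the masked addresses.
SAMPLE = """\
Interface   DUID                                         IAID      IP                            Expiry
wan2        00:01:00:01:1a:2b:3c:4d:00:11:22:33:44:55    1         2001:db8:0:cccc::1000         Fri May 31 15:49:27 2013
wan2        00:01:00:01:1a:2b:3c:4e:00:11:22:33:44:66    1         2001:db8:0:cccc::7000         Fri May 31 16:02:10 2013
wan2        00:01:00:01:1a:2b:3c:4f:00:11:22:33:44:77    1         2001:db8:0:cccc::1002         Fri May 31 12:00:00 2013
"""

def parse_leases(text):
    """Yield one dict per lease row; the header and blank lines are skipped."""
    for line in text.splitlines():
        fields = line.split(None, 4)  # the Expiry column itself contains spaces
        if len(fields) != 5 or fields[0] == "Interface":
            continue
        iface, duid, iaid, ip, expiry = fields
        yield {
            "interface": iface,
            "duid": duid.lower(),
            "iaid": int(iaid),
            "ip": ipaddress.IPv6Address(ip),
            "expiry": datetime.strptime(expiry.strip(), "%a %b %d %H:%M:%S %Y"),
        }

def audit_leases(text, start_ip, end_ip, now):
    """Return (ip, reason) findings for leases outside the pool or already expired."""
    lo, hi = ipaddress.IPv6Address(start_ip), ipaddress.IPv6Address(end_ip)
    findings = []
    for lease in parse_leases(text):
        if not lo <= lease["ip"] <= hi:
            findings.append((str(lease["ip"]), "outside configured ip-range"))
        if lease["expiry"] < now:
            findings.append((str(lease["ip"]), "lease expired"))
    return findings

if __name__ == "__main__":
    # Pool bounds mirror the start-ip/end-ip of the dhcp6 server config (hex, ::1000 to ::6000).
    for ip, reason in audit_leases(SAMPLE, "2001:db8:0:cccc::1000",
                                   "2001:db8:0:cccc::6000", datetime(2013, 5, 31, 13, 0, 0)):
        print(ip, reason)
```

A lease outside the pool is worth investigating, since it means the lease table and the configured start-ip/end-ip no longer agree.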


Then you need to create policy rules in order to allow permitted traffic.


1 comment:

  1. It is very helpful for everyone. Thanks for sharing this information. Kalyx transcanding connections
