Fortinet white logo
Fortinet white logo

Administration Guide

IPv6 prefix delegation

IPv6 prefix delegation

IPv6 prefix delegation allows the dynamic assignment of an address prefix and DNS server address to an upstream interface. An upstream interface is typically the interface that is connected to an Internet Service Provider (ISP). This process also automates the assignment of prefixes to downstream interfaces. A downstream interface is any interface that is not an upstream interface and uses delegated addressing mode. Downstream interfaces can be configured to request specific IPv6 subnets from the upstream interface. Once a downstream interface receives the IPv6 address, other devices connected to the downstream interface can obtain an IPv6 address by using DHCPv6 or by configuring their own IP address using auto-configuration.

In this example, Server-Fgt is connected to a DHCPv6 server provided by the ISP through an upstream interface (port1). Server-Fgt is configured with a delegate interface (port5) to receive the IPv6 prefix and DNS server address from the upstream interface.

A downstream interface (port5) connects Client-Fgt to Server-Fgt. The Client-Fgt interface (port5) is configured to receive the IPv6 address and DNS server address from the Server-FortiGate using DHCP addressing mode or auto-configuration.

Using the GUI or CLI to configure a downstream FortiGate to obtain the IPv6 and DNS server address from delegated interface using DHCP mode requires the following steps:

  1. Configure the following items on Server_FGT:

    • Upstream interface
    • Downstream interface
    • DHCPv6 server on the downstream interface.
  2. Configure Client_FGT to receive IPv6 prefix and DNS from the delegated interface.

Instead of configuring a DHCPv6 server on the downstream interface of Server_FGT, you can configure SLAAC. See IPv6 prefix delegation with SLAAC.

GUI configuration

To configure Server_FGT:
  1. Configure the upstream interface on Server-Fgt:

    1. Go to Network > Interfaces and edit the port1.

    2. Enable DHCPv6 prefix delegation.

    3. Select the + in the IAPD prefix hint to open the ID and prefix field.

    4. Enter 1 for ID and ::/48 for prefix field. You can add two or more entries. Select the x icon in the field to remove an entry.

    5. Click OK.

  2. Verify upstream interface obtained the prefix delegation, see Verify upstream interface obtained prefix delegation and DNS server address.

  3. Configure the downstream interface on Server-Fgt:

    1. Go to Network > Interfaces and edit port5.

    2. Set IPv6 addressing mode to Delegated.

    3. Enter 1 for Identity association identifier field.

    4. Set IPv6 upstream interface to port1.

    5. Click OK.

  4. Verify downstream interface obtained an IPv6 Address/Prefix:

    1. Go to Network > Interfaces and edit port5. The IPv6 Address/Prefix field is populated with an IPv6 Address/Prefix.

  5. Configure DHCPv6 Server on the downstream interface:

    1. Go to Network > Interfaces and edit the port5

    2. Enable DHCPv6 Server.

    3. Set DNS service to Delegated.

    4. From the Upstream interface dropdown list, select port1.

    5. Input the following commands from the CLI:

      config system dhcp6 server edit 1 set delegated-prefix-iaid 1 next end

    6. Enable Stateful server.

    7. Set IP mode to Delegated.

    8. Click OK.

To configure Client_FGT:
  1. Configure the Client-Fgt interface using DHCP mode:

    1. Go to Network > Interfaces and edit the port5.

    2. Set IPv6 addressing mode to DHCP. This allows Client_Fgt to obtain the IPv6 prefix and DNS from the delegated interface.

    3. Click OK.

  2. Verify that Client-Fgt obtained an IPv6 address and the DNS server address from the delegated interface:

    1. Go to Network > Interfaces and edit port5. The Obtained IP/Netmask and Acquired DNS fields are populated with an IPv6 address.

CLI configuration

Using the CLI to configure a downstream FortiGate to obtain the IPv6 and DNS server address from delegated interface using DHCP mode requires the following steps:

To configure Server_FGT:
  1. Configure the upstream interface on Server-Fgt:

    config system interface edit "port1" config ipv6 set dhcp6-prefix-delegation enable config dhcp6-iapd-list edit 1 set prefix-hint ::/48 next end end next end

  2. Verify upstream interface obtained prefix delegation and DNS server address:

    config system interface edit port1 config ipv6 Server-Fgt # get ip6-mode : static … dhcp6-prefix-delegation: enabledelegated-prefix iaid 1 : 2001:db8:d0c::/48 preferred-life-time : 4294967295 valid-life-time : 4294967295 delegated-DNS1 : 2001:db8::35 delegated-DNS2 : :: … dhcp6-iapd-list: == [ 1 ] iaid: 1 prefix-hint: ::/48 prefix-hint-plt: 604800 prefix-hint-vlt: 2592001

  3. Configure the downstream interface on Server-Fgt:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-delegated-prefix-iaid 1 set ip6-upstream-interface "port1" end next end

  4. Verify downstream interface obtained an IPv6 Address/Prefix:

    config system interface edit "port5" config ipv6 Server-Fgt # get ip6-mode : delegated nd-mode : basic ip6-address : 2001:db8:d0c::/48ip6-delegated-prefix-iaid: 1 ip6-upstream-interface: port1 ip6-subnet : ::/0

  5. Configure DHCPv6 server on the downstream interface:

    config system dhcp6 server edit 1 set dns-service delegated set interface "port5" set upstream-interface "port1" set delegated-prefix-iaid 1 set ip-mode delegated next end

To configure Client_FGT:
  1. Configure Client-Fgt interface to use DHCP mode:

    config system interface edit "port5" config ipv6 set ip6-mode dhcp end next end

  2. Verify Client-Fgt obtained an IPv6 address and the DNS server address from the delegated interface:

    # diagnose ipv6 address list | grep port5 dev=7 devname=port5 flag=P scope=0 prefix=128 addr=2001:db8:d0c::1 preferred=4294967295 valid=4294967295 cstamp=43208325 tstamp=43208325 # dia test application dnsproxy 3 worker idx: 0 VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1 dns64 is disabled DNS servers: 2001:db8::35:53 vrf=0 tz=0 encrypt=none req=3 to=2 res=0 rt=1046 ready=1 timer=0 probe=0 failure=2 last_failed=65131

IPv6 prefix delegation with SLAAC

A downstream FortiGate can be configured to obtain the IPv6 address and DNS server address from a delegated interface using SLAAC instead of DHCPv6. Following is a summary of the configuration steps:

  1. Configure the following items on Server_FGT:

    • Upstream interface
    • Downstream interface
    • SLAAC on the downstream interface
  2. Configure Client_FGT to receive IPv6 prefix and DNS from the delegated interface.

To configure Server_FGT:
  1. Configure the upstream interface on Server-Fgt:

    1. Go to Network > Interfaces and edit the port1.

    2. Enable DHCPv6 prefix delegation.

    3. Select the + in the IAPD prefix hint to open the ID and prefix field.

    4. Enter 1 for ID and ::/48 for prefix field. You can add two or more entries. Select the x icon in the field to remove an entry.

    5. Click OK.

  2. Verify upstream interface obtained the prefix delegation, see Verify upstream interface obtained prefix delegation and DNS server address.

  3. Configure the downstream interface on Server-Fgt:

    1. Go to Network > Interfaces and edit port5.

    2. Set IPv6 addressing mode to Delegated.

    3. Enter 1 for Identity association identifier field.

    4. Set IPv6 upstream interface to port1.

    5. Click OK.

  4. Verify downstream interface obtained an IPv6 Address/Prefix:

    1. Go to Network > Interfaces and edit port5. The IPv6 Address/Prefix field is populated with an IPv6 Address/Prefix.

  5. Configure SLAAC on downstream interface:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-send-adv enable set ip6-delegated-prefix-iaid 1 set ip6-upstream-interface "port1" config ip6-delegated-prefix-list edit 1 set upstream-interface "port1" set delegated-prefix-iaid 1 set subnet 0:0:0:1::/64 set rdnss-service delegated next end end next end

To configure Client_FGT:
  1. Configure Client-Fgt interface using auto-configure:

    config system interface edit "port5" config ipv6 set autoconf enable end next end

  2. Verify Client-Fgt automatically generated an IPv6 address and obtained the DNS server address from the delegated interface:

    # diagnose ipv6 address list | grep port5 dev=4 devname=port5 flag= scope=0 prefix=64 addr=2000:db8:d0c:1:20c:29ff:fe4d:f847 preferred=4294967295 valid=4294967295 cstamp=17203697 tstamp=17225377

Note

FortiGate can send DNS server addresses using Router Advertisement (RA), which allows any device that is capable of receiving DNS server addresses by using RA to obtain DNS server addresses.

Additionally, FortiGate can receive DNS server addresses through the use of SLAAC with a DHCPv6 stateless server, even though it is currently unable to receive DNS server addresses using RA due to RFC 4862 implementation. See SLAAC with DHCPv6 stateless server for more information.

IPv6 prefix delegation

IPv6 prefix delegation

IPv6 prefix delegation allows the dynamic assignment of an address prefix and DNS server address to an upstream interface. An upstream interface is typically the interface that is connected to an Internet Service Provider (ISP). This process also automates the assignment of prefixes to downstream interfaces. A downstream interface is any interface that is not an upstream interface and uses delegated addressing mode. Downstream interfaces can be configured to request specific IPv6 subnets from the upstream interface. Once a downstream interface receives the IPv6 address, other devices connected to the downstream interface can obtain an IPv6 address by using DHCPv6 or by configuring their own IP address using auto-configuration.

In this example, Server-Fgt is connected to a DHCPv6 server provided by the ISP through an upstream interface (port1). Server-Fgt is configured with a delegate interface (port5) to receive the IPv6 prefix and DNS server address from the upstream interface.

A downstream interface (port5) connects Client-Fgt to Server-Fgt. The Client-Fgt interface (port5) is configured to receive the IPv6 address and DNS server address from the Server-FortiGate using DHCP addressing mode or auto-configuration.

Using the GUI or CLI to configure a downstream FortiGate to obtain the IPv6 and DNS server address from delegated interface using DHCP mode requires the following steps:

  1. Configure the following items on Server_FGT:

    • Upstream interface
    • Downstream interface
    • DHCPv6 server on the downstream interface.
  2. Configure Client_FGT to receive IPv6 prefix and DNS from the delegated interface.

Instead of configuring a DHCPv6 server on the downstream interface of Server_FGT, you can configure SLAAC. See IPv6 prefix delegation with SLAAC.

GUI configuration

To configure Server_FGT:
  1. Configure the upstream interface on Server-Fgt:

    1. Go to Network > Interfaces and edit the port1.

    2. Enable DHCPv6 prefix delegation.

    3. Select the + in the IAPD prefix hint to open the ID and prefix field.

    4. Enter 1 for ID and ::/48 for prefix field. You can add two or more entries. Select the x icon in the field to remove an entry.

    5. Click OK.

  2. Verify upstream interface obtained the prefix delegation, see Verify upstream interface obtained prefix delegation and DNS server address.

  3. Configure the downstream interface on Server-Fgt:

    1. Go to Network > Interfaces and edit port5.

    2. Set IPv6 addressing mode to Delegated.

    3. Enter 1 for Identity association identifier field.

    4. Set IPv6 upstream interface to port1.

    5. Click OK.

  4. Verify downstream interface obtained an IPv6 Address/Prefix:

    1. Go to Network > Interfaces and edit port5. The IPv6 Address/Prefix field is populated with an IPv6 Address/Prefix.

  5. Configure DHCPv6 Server on the downstream interface:

    1. Go to Network > Interfaces and edit the port5

    2. Enable DHCPv6 Server.

    3. Set DNS service to Delegated.

    4. From the Upstream interface dropdown list, select port1.

    5. Input the following commands from the CLI:

      config system dhcp6 server edit 1 set delegated-prefix-iaid 1 next end

    6. Enable Stateful server.

    7. Set IP mode to Delegated.

    8. Click OK.

To configure Client_FGT:
  1. Configure the Client-Fgt interface using DHCP mode:

    1. Go to Network > Interfaces and edit the port5.

    2. Set IPv6 addressing mode to DHCP. This allows Client_Fgt to obtain the IPv6 prefix and DNS from the delegated interface.

    3. Click OK.

  2. Verify that Client-Fgt obtained an IPv6 address and the DNS server address from the delegated interface:

    1. Go to Network > Interfaces and edit port5. The Obtained IP/Netmask and Acquired DNS fields are populated with an IPv6 address.

CLI configuration

Using the CLI to configure a downstream FortiGate to obtain the IPv6 and DNS server address from delegated interface using DHCP mode requires the following steps:

To configure Server_FGT:
  1. Configure the upstream interface on Server-Fgt:

    config system interface edit "port1" config ipv6 set dhcp6-prefix-delegation enable config dhcp6-iapd-list edit 1 set prefix-hint ::/48 next end end next end

  2. Verify upstream interface obtained prefix delegation and DNS server address:

    config system interface edit port1 config ipv6 Server-Fgt # get ip6-mode : static … dhcp6-prefix-delegation: enabledelegated-prefix iaid 1 : 2001:db8:d0c::/48 preferred-life-time : 4294967295 valid-life-time : 4294967295 delegated-DNS1 : 2001:db8::35 delegated-DNS2 : :: … dhcp6-iapd-list: == [ 1 ] iaid: 1 prefix-hint: ::/48 prefix-hint-plt: 604800 prefix-hint-vlt: 2592001

  3. Configure the downstream interface on Server-Fgt:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-delegated-prefix-iaid 1 set ip6-upstream-interface "port1" end next end

  4. Verify downstream interface obtained an IPv6 Address/Prefix:

    config system interface edit "port5" config ipv6 Server-Fgt # get ip6-mode : delegated nd-mode : basic ip6-address : 2001:db8:d0c::/48ip6-delegated-prefix-iaid: 1 ip6-upstream-interface: port1 ip6-subnet : ::/0

  5. Configure DHCPv6 server on the downstream interface:

    config system dhcp6 server edit 1 set dns-service delegated set interface "port5" set upstream-interface "port1" set delegated-prefix-iaid 1 set ip-mode delegated next end

To configure Client_FGT:
  1. Configure Client-Fgt interface to use DHCP mode:

    config system interface edit "port5" config ipv6 set ip6-mode dhcp end next end

  2. Verify Client-Fgt obtained an IPv6 address and the DNS server address from the delegated interface:

    # diagnose ipv6 address list | grep port5 dev=7 devname=port5 flag=P scope=0 prefix=128 addr=2001:db8:d0c::1 preferred=4294967295 valid=4294967295 cstamp=43208325 tstamp=43208325 # dia test application dnsproxy 3 worker idx: 0 VDOM: root, index=0, is primary, vdom dns is enabled, pip-0.0.0.0 dns_log=1 dns64 is disabled DNS servers: 2001:db8::35:53 vrf=0 tz=0 encrypt=none req=3 to=2 res=0 rt=1046 ready=1 timer=0 probe=0 failure=2 last_failed=65131

IPv6 prefix delegation with SLAAC

A downstream FortiGate can be configured to obtain the IPv6 address and DNS server address from a delegated interface using SLAAC instead of DHCPv6. Following is a summary of the configuration steps:

  1. Configure the following items on Server_FGT:

    • Upstream interface
    • Downstream interface
    • SLAAC on the downstream interface
  2. Configure Client_FGT to receive IPv6 prefix and DNS from the delegated interface.

To configure Server_FGT:
  1. Configure the upstream interface on Server-Fgt:

    1. Go to Network > Interfaces and edit the port1.

    2. Enable DHCPv6 prefix delegation.

    3. Select the + in the IAPD prefix hint to open the ID and prefix field.

    4. Enter 1 for ID and ::/48 for prefix field. You can add two or more entries. Select the x icon in the field to remove an entry.

    5. Click OK.

  2. Verify upstream interface obtained the prefix delegation, see Verify upstream interface obtained prefix delegation and DNS server address.

  3. Configure the downstream interface on Server-Fgt:

    1. Go to Network > Interfaces and edit port5.

    2. Set IPv6 addressing mode to Delegated.

    3. Enter 1 for Identity association identifier field.

    4. Set IPv6 upstream interface to port1.

    5. Click OK.

  4. Verify downstream interface obtained an IPv6 Address/Prefix:

    1. Go to Network > Interfaces and edit port5. The IPv6 Address/Prefix field is populated with an IPv6 Address/Prefix.

  5. Configure SLAAC on downstream interface:

    config system interface edit "port5" config ipv6 set ip6-mode delegated set ip6-send-adv enable set ip6-delegated-prefix-iaid 1 set ip6-upstream-interface "port1" config ip6-delegated-prefix-list edit 1 set upstream-interface "port1" set delegated-prefix-iaid 1 set subnet 0:0:0:1::/64 set rdnss-service delegated next end end next end

To configure Client_FGT:
  1. Configure Client-Fgt interface using auto-configure:

    config system interface edit "port5" config ipv6 set autoconf enable end next end

  2. Verify Client-Fgt automatically generated an IPv6 address and obtained the DNS server address from the delegated interface:

    # diagnose ipv6 address list | grep port5 dev=4 devname=port5 flag= scope=0 prefix=64 addr=2000:db8:d0c:1:20c:29ff:fe4d:f847 preferred=4294967295 valid=4294967295 cstamp=17203697 tstamp=17225377

Note

FortiGate can send DNS server addresses using Router Advertisement (RA), which allows any device that is capable of receiving DNS server addresses by using RA to obtain DNS server addresses.

Additionally, FortiGate can receive DNS server addresses through the use of SLAAC with a DHCPv6 stateless server, even though it is currently unable to receive DNS server addresses using RA due to RFC 4862 implementation. See SLAAC with DHCPv6 stateless server for more information.