IPv6 MAC addresses and usage in firewall policies
Users can define IPv6 MAC addresses that can be applied to the following policies:
- Firewall
- Virtual wire pair
- ACL/DoS
- Central NAT
- NAT64
- Local-in
In FortiOS, you can configure a firewall address object with a singular MAC, wildcard MAC, multiple MACs, or a MAC range. In this example, a firewall policy is configured in a NAT mode VDOM with the IPv6 MAC address as a source address.
IPv6 MAC addresses cannot be used as destination addresses in VDOMs when in NAT operation mode.
To configure IPv6 MAC addresses in a policy in the GUI:
- Create the MAC address:
  - Go to Policy & Objects > Addresses and select IPv6 Address.
  - Click Create New.
  - Enter an address name.
  - For Type, select Device (MAC Address).
  - Enter the MAC address.
  - Click OK.
- Configure the policy:
  - Go to Policy & Objects > Firewall Policy and click Create New.
  - For Source, select the IPv6 MAC address object.
  - Configure the other settings as needed.
  - Click OK.
To configure IPv6 MAC addresses in a policy in the CLI:
- Create the MAC address:

    config firewall address6
        edit "test-ipv6-mac-addr-1"
            set type mac
            set macaddr 00:0c:29:b5:92:8d
        next
    end

- Configure the policy:

    config firewall policy
        edit 2
            set srcintf "wan2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "test-ipv6-mac-addr-1" "2000-10-1-100-0"
            set dstaddr6 "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set auto-asic-offload disable
            set nat enable
        next
    end
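
The source-only restriction noted above can be checked offline against a configuration excerpt. The following Python is an added example, not Fortinet code: it lists every policy that references a MAC-type address6 object and separates source use from destination use. It assumes the excerpt contains config firewall address6 and config firewall policy blocks in the form shown above; the sample text, including policy 3 and the ip6 prefix, is constructed.

```python
import shlex
# Constructed sample in the CLI form above; policy 3 is the misuse to catch.
SAMPLE_CONFIG = """
config firewall address6
    edit "test-ipv6-mac-addr-1"
        set type mac
        set macaddr 00:0c:29:b5:92:8d
    next
    edit "2000-10-1-100-0"
        set ip6 2000:10:1:100::/64
    next
end
config firewall policy
    edit 2
        set srcaddr6 "test-ipv6-mac-addr-1" "2000-10-1-100-0"
        set dstaddr6 "all"
    next
    edit 3
        set dstaddr6 "test-ipv6-mac-addr-1"
    next
end
"""

def parse_section(config, header):
    """Return {entry: {option: [values]}} for one top-level config block."""
    entries, current, depth, active = {}, None, 0, False
    for line in config.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            depth += 1  # nested config blocks inside an entry are skipped
            active = active if depth > 1 else " ".join(tok[1:]) == header
        elif tok[0] == "end":
            depth -= 1
            active = active and depth > 0
        elif active and depth == 1:
            if tok[0] == "edit":
                current = entries.setdefault(tok[1], {})
            elif tok[0] == "set" and current is not None:
                current[tok[1]] = tok[2:]
    return entries

def audit_mac_usage(config):
    """Map 'source'/'destination' to (policy id, MAC object) references."""
    addrs = parse_section(config, "firewall address6")
    mac = {n for n, o in addrs.items() if o.get("type") == ["mac"]}
    report = {"source": [], "destination": []}
    for pid, opts in parse_section(config, "firewall policy").items():
        for field, role in (("srcaddr6", "source"), ("dstaddr6", "destination")):
            report[role] += [(pid, n) for n in opts.get(field, []) if n in mac]
    return report
```

Calling audit_mac_usage(SAMPLE_CONFIG) returns the references grouped by role; any entry under "destination" is a policy to review in a NAT mode VDOM.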