Note: FortiOS v5.6.2 build1486 (17 August 2017) firmware is used as of this writing.
Configure the upstream WAN interface for DHCP with an IA_PD prefix delegation request. Specify a /62 prefix hint:
config system interface
    edit "wan"
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/62
        end
    next
end
Configure two inside interfaces, vlan1 and vlan2, in delegated mode. Assuming our hypothetical delegated prefix is 2601:43:0:1000::/62, the first interface, vlan1, gets the address 2601:43:0:1000::1/64 (set ip6-subnet ::1/64). It then advertises the prefix 2601:43:0:1000::/64 to hosts connected to this link for SLAAC autoconfiguration.
vlan2 gets a similar configuration, except its interface address ends up as 2601:43:0:1001::1/64 and the advertised prefix is 2601:43:0:1001::/64. Note that a /62 delegation only contains four /64 subnets (bits 62 and 63 of the prefix), so the relative subnet values below can only be 0 through 3.
config system interface
    edit "vlan1"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-manage-flag enable disable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                    set rdnss-service delegated
                next
            end
        end
    next
end
config system interface
    edit "vlan2"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping https http
            set ip6-send-adv enable
            set ip6-manage-flag enable disable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan"
            set ip6-subnet 0:0:0:1::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet 0:0:0:1::/64
                    set rdnss-service delegated
                next
            end
        end
    next
end
A few notes on relevant options:
- ip6-send-adv - send router advertisements (RAs) on this interface, carrying the prefix(es) defined in the ip6-delegated-prefix-list below
- ip6-manage-flag - I think there's a FortiOS bug here; should be used to announce that addresses can be assigned via stateful DHCP6, but I'm not doing that, and I can't remove this line or I lose all RA options, and the value "enable disable" makes no sense
- ip6-other-flag - sets the "Other configuration" (O) flag in the RA: "other" network info (e.g. DNS servers) is available via DHCP6 for clients that can make use of it
- ip6-subnet - the address to assign to this interface, expressed relative to the delegated prefix
- autonomous-flag - sets the "A" flag on the prefix, telling hosts on this link that they can use this announced prefix to autoconfigure themselves via SLAAC
- onlink-flag - sets the "L" (on-link) flag on the prefix, telling hosts that addresses in this prefix are directly reachable on this link rather than having to forward packets for them to a router (this is not the same thing as a link-local fe80::/10 address)
- subnet - the network to advertise, relative to the delegated prefix; like the "ip6-subnet" parameter above, it is an implicit (relative) address. A good way to think about this is that the value specified here is "added" (OR-ed) onto the delegated prefix to come up with the actual network address, so if your upstream delegation changes, your downstream prefix advertisement automatically updates as well
- rdnss-service delegated - takes the DNS servers provided in the upstream delegation and advertises them to hosts on this network in the RA's RDNSS option
Note: DD-WRT v3.0-r32170 big (06/01/17) firmware is used as of this writing. The firmware version I had been using previously did not have the SETUP -> IPv6 tab.
This is fairly self-explanatory: use DHCP6 to make a request upstream, and specify a /62 prefix hint.
It is also necessary to add some custom configuration to the dhcp6c client, which is illustrated below (text version here):
If you want to read up more about these specific options, this man page is probably your best bet. The important bits in the IA_PD portion in a nutshell are:
- prefix ::/62 infinity - make an upstream request for a delegated ::/62 prefix with an infinite lifetime (both values are hints; the upstream server decides what it actually hands out)
- sla-id 1 - assign subnet 1 to our inside interface, br0. If our delegated prefix is 2601:43:0:1000::/62, this results in 2601:43:0:1001::/64 being dynamically assigned to br0
- sla-len 2 - the number of subnet ID bits: 64 minus the delegated prefix length (62), which results in a ::/64 prefix being assigned to our br0 interface; clear as mud, I know. I like to believe this is clearly documented somewhere - it helps me sleep better at night.
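The relative-address arithmetic behind both the FortiOS "ip6-subnet"/"subnet" values and dhcp6c's "sla-id"/"sla-len" is easy to get wrong, so here is a small added Python script that works it out explicitly. It is an example written for this page, not code from the original post, FortiOS or DD-WRT; it only models the arithmetic the post describes and uses the post's hypothetical 2601:43:0:1000::/62 delegation as constructed input. It also rejects the two mistakes a /62 invites: a relative subnet or sla-id that doesn't fit in the two spare bits, and an sla-len that would produce something longer than a /64.

```python
"""Compute downstream subnets from a delegated IPv6 prefix.

Added example; not part of the original post nor of FortiOS/DD-WRT.
Models two things the post describes:
  * FortiOS "ip6-subnet ::1/64" / "subnet 0:0:0:1::/64": a relative
    address that is OR-ed onto the delegated prefix.
  * dhcp6c "sla-id N" / "sla-len L": N is written into the L bits that
    sit right after the delegated prefix, giving a /64 when
    delegated_len + sla_len == 64.
The delegation used below is the post's hypothetical 2601:43:0:1000::/62.
"""
import ipaddress


def apply_relative(delegated: str, relative: str) -> ipaddress.IPv6Interface:
    """FortiOS-style: OR a relative address/subnet onto the delegated prefix.

    delegated: e.g. "2601:43:0:1000::/62"
    relative:  e.g. "::1/64" or "0:0:0:1::/64" (host bits are allowed)
    Raises ValueError if the relative value sets bits inside the delegated
    prefix itself, which would silently land outside the delegation.
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    rel = ipaddress.IPv6Interface(relative)
    if int(rel.ip) & int(net.netmask):
        raise ValueError(f"{relative} does not fit inside the delegated /{net.prefixlen}")
    if rel.network.prefixlen < net.prefixlen:
        raise ValueError("relative prefix length must not be shorter than the delegation")
    addr = ipaddress.IPv6Address(int(net.network_address) | int(rel.ip))
    return ipaddress.IPv6Interface(f"{addr}/{rel.network.prefixlen}")


def sla_subnet(delegated: str, sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """dhcp6c-style: place sla_id in the sla_len bits following the delegated prefix.

    The result has prefix length delegated_len + sla_len (64 for a /62 + 2).
    Raises ValueError if sla_id does not fit in sla_len bits, or if the
    result would be longer than /64 (hosts could not SLAAC on it).
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    if sla_len < 0 or sla_id < 0 or sla_id >= (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    new_len = net.prefixlen + sla_len
    if new_len > 64:
        raise ValueError(f"/{new_len} is longer than /64; use sla-len {64 - net.prefixlen}")
    shift = 128 - new_len  # position of the subnet ID field, counted from the LSB
    base = int(net.network_address) | (sla_id << shift)
    return ipaddress.IPv6Network((base, new_len))


if __name__ == "__main__":
    pd = "2601:43:0:1000::/62"  # constructed: the post's hypothetical delegation
    print("vlan1 address :", apply_relative(pd, "::1/64"))
    print("vlan2 address :", apply_relative(pd, "0:0:0:1::1/64"))
    print("vlan2 RA prefix:", apply_relative(pd, "0:0:0:1::/64").network)
    print("br0 (sla-id 1) :", sla_subnet(pd, 1, 2))
    # A /62 holds only four /64s (subnet IDs 0-3); a fifth one must be refused.
    for bad in (lambda: sla_subnet(pd, 4, 2), lambda: apply_relative(pd, "0:0:0:4::/64")):
        try:
            bad()
        except ValueError as err:
            print("rejected       :", err)
```

Running it shows vlan1 at 2601:43:0:1000::1/64, vlan2 at 2601:43:0:1001::1/64 advertising 2601:43:0:1001::/64, and br0 on the DD-WRT side landing on the same 2601:43:0:1001::/64; if you point both routers at subnet 1 of the same delegation, that is the collision you are building.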
Lastly, you need to configure radvd on the DD-WRT br0 interface in order to send router advertisements to hosts on that network (text version here):
Note that the Recursive DNS Servers (RDNSS) shown in this config are Comcast's. If you have a different ISP, you'll need different servers here... or Google's servers, perhaps.
If client hosts aren’t automatically picking up DNS servers, you will either need to configure a DHCP6 server to provide that option, or configure DNS on the clients manually. Fortunately, FortiOS supports this in its built-in DHCP6 server, for example:
config system dhcp6 server
    edit 1
        set dns-service delegated
        set interface "vlan1"
        set upstream-interface "wan"
    next
    edit 2
        set dns-service delegated
        set interface "vlan2"
        set upstream-interface "wan"
    next
end
This takes the upstream DNS servers provided in the delegation and hands them to DHCP6 clients on the two VLAN interfaces of the FortiGate. Alternatively, you can explicitly set DNS servers here as well.
Unfortunately, I've been unsuccessful so far getting either dhcp6s or dnsmasq on the DD-WRT router to provide DHCP6 DNS server options. If anyone has made that work, let me know in the comments!
**Previous Page: Problem 1 - Prefix too big | Next Page: Problem 2 - Can't cascade**