The configuration below sets up a FortiGate firewall for IPv6 over a PPPoE connection from an ISP (in my case, 2Degrees).
The configuration is for SLAAC with stateless DHCPv6 – DHCP is required to assign DNS servers (Note: Windows 10 AU Update has broken IPv6 DNS servers being assigned).
Set up the WAN interface for IPv6; this is the interface with the IPv4 PPPoE connection.
config system interface
edit "2Degrees"
config ipv6
set ip6-mode pppoe
set ip6-allowaccess ping
set dhcp6-prefix-delegation enable
set dhcp6-prefix-hint ::/56
set autoconf enable
end
end
Set up the LAN interface for IPv6; this would be the internal/trusted interface.
config system interface
edit "lan1"
config ipv6
set ip6-mode delegated
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-other-flag enable
set ip6-upstream-interface "2Degrees"
set ip6-subnet ::1:0:0:0:1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "2Degrees"
set autonomous-flag enable
set onlink-flag enable
set subnet 0:0:0:1::/64
end
end
end
Set up DHCP to allocate the DNS servers (Google DNS in this case).
config system dhcp6 server
edit 1
set interface "lan1"
set ip-mode delegated
set upstream-interface "2Degrees"
set dns-server1 2001:4860:4860::8888
set dns-server2 2001:4860:4860::8844
end
Optional – set up a second network zone for IPv6. For me this is the wireless network.
config system interface
edit "lan2"
config ipv6
set ip6-mode delegated
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-other-flag enable
set ip6-upstream-interface "2Degrees"
set ip6-subnet ::2:0:0:0:1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "2Degrees"
set autonomous-flag enable
set onlink-flag enable
set subnet 0:0:0:2::/64
end
end
end
Set up your firewall policies; these should not need to use NAT.
Example IPv6 firewall rule:
config firewall policy
edit 1
set name "Outbound-IPv6-LAN"
set srcintf "lan1"
set dstintf "2Degrees"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "all"
set logtraffic all
end
I have found a reboot is sometimes required on my 51E for settings to be picked up. Test your connection with http://test-ipv6.com/
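To check what the lan1 and lan2 settings above should produce once the ISP delegates a prefix, the following Python sketch (an added example, not part of the original post) combines a delegated prefix with the `subnet` and `ip6-subnet` values from this page and rejects a delegation too small to hold them. It assumes the delegated prefix supplies the high bits and the configured values supply the rest; the 2001:db8 prefix is a constructed documentation prefix, not a real 2Degrees allocation.

```python
import ipaddress

# Values copied from the lan1 / lan2 blocks on this page: (subnet, ip6-subnet)
PAGE_INTERFACES = {
    "lan1": ("0:0:0:1::/64", "::1:0:0:0:1/64"),
    "lan2": ("0:0:0:2::/64", "::2:0:0:0:1/64"),
}

def derive_lan(delegated, subnet, ip6_subnet):
    """Return (lan_network, interface_address) for one delegated-mode interface.

    Assumption: delegated prefix bits are OR-ed with the configured values.
    """
    pd = ipaddress.IPv6Network(delegated)
    sub = ipaddress.IPv6Network(subnet)
    iface = ipaddress.IPv6Interface(ip6_subnet)
    if pd.prefixlen > sub.prefixlen:
        raise ValueError(f"delegated /{pd.prefixlen} is longer than /{sub.prefixlen}")
    # The subnet ID may only use bits the ISP did not assign (e.g. 8 bits for a /56).
    if int(sub.network_address) & int(pd.netmask):
        raise ValueError(f"subnet {subnet} does not fit inside a /{pd.prefixlen}")
    # ip6-subnet must sit in the same subnet that is advertised to clients.
    if iface.network != sub:
        raise ValueError(f"ip6-subnet {ip6_subnet} is not inside subnet {subnet}")
    base = int(pd.network_address)
    lan = ipaddress.IPv6Network((base | int(sub.network_address), sub.prefixlen))
    addr = ipaddress.IPv6Interface((base | int(iface.ip), sub.prefixlen))
    return lan, addr

def plan(delegated, interfaces=PAGE_INTERFACES):
    """Derive every interface and refuse overlapping LAN prefixes."""
    result, seen = {}, {}
    for name, (subnet, ip6_subnet) in interfaces.items():
        lan, addr = derive_lan(delegated, subnet, ip6_subnet)
        if lan in seen:
            raise ValueError(f"{name} and {seen[lan]} share {lan}")
        seen[lan] = name
        result[name] = (str(lan), str(addr))
    return result

if __name__ == "__main__":
    # Constructed /56, matching the ::/56 prefix hint requested on the WAN side.
    for name, (lan, addr) in plan("2001:db8:0:ab00::/56").items():
        print(f"{name}: advertises {lan}, firewall address {addr}")
```

If the ISP ignores the /56 hint and delegates only a /64, `plan()` raises instead of returning addresses, because subnet IDs 1 and 2 would collide with bits the ISP assigned.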
Hi Josh.. Thank you mate, this has been very helpful. Works fine on a Vibe circuit too.
Had been trying to do this for a while with no luck, so really appreciate you posting this up.