Last week I had to configure a Fortigate with IPv6. Also the firewall was needed to works as DHCPv6 Server.

Within two weeks, we will have around 200-300 network administrators in a conference room connected by WIFI. We want this users only get IPv6 addresses. So, if the network administrators haven't just implemented the IPv6 in their remote networks, they will not be able to connect to them. We want they to keep in mind the importance of IPv6 in the near future.

The next configuration is running on the v5.0.2 Fortigate firmware version. This version is only recommended for testing propourses. I recommend you the v4.3.10 firmware version. In this case we want to test the last firmware version in an "production environment" too.




How to configure the external Interface:

config system interface
    edit "wan1"
        set alias "External"
            config ipv6
                set ip6-address xxxx:xxx:xxx:113::2/64
                set ip6-allowaccess ping
                set ip6-manage-flag enable
                set ip6-other-flag enable
            end
    next



How to configure the static6 route:
 
config router static6
    edit 1
        set device "wan1"
        set gateway xxxx:xxx:xxx:113::1
    next
end



How to configure the Internal Interface:

config system interface
    edit "Internal"
            config ipv6
                 set ip6-mode static 
                 set ip6-address xxxx:xxx:xxx:cccc::1/64 
                 set ip6-allowaccess ping 
                 set ip6-send-adv enable
              set ip6-manage-flag enable 
              set ip6-other-flag enable 
                 set ip6-max-interval 600 
                 set ip6-min-interval 198
                 set ip6-link-mtu 0
                 set ip6-reachable-time 0
                 set ip6-retrans-time 3000 
                 set ip6-default-life 1800
                 set ip6-hop-limit 0
                 set autoconf disable
                 set dhcp6-relay-service disable 
            end
    next



How to configure the DHCP server.

config system dhcp6 server
    edit 1
        set dns-service specify
        set enable enable
        set interface "wan2"
            config ip-range
                edit 1
                    set end-ip xxxx:xxx:xxx:cccc::6000
                    set start-ip xxxx:xxx:xxx:cccc::1000
                next
            end
        set lease-time 10800
        set option1 0
        set option2 0
        set option3 0
        set rapid-commit disable
        set subnet xxxx:xxx:xxx:cccc::/64
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::4444
        set dns-server3 ::
    next
end



With this configuration, the hosts will get and surf on the Internet with an IP between xxxx:xxx:xxx:cccc::1000 and xxxx:xxx:xxx:cccc::6000.

There are others DHCPv6 configuration may interest you. You can configure a prefix-list on the interface.


config system interface
    edit "Internal"
            config ipv6
                 set ip6-address xxxx:xxx:xxx:cccc::1/64
                   set ip6-allowaccess ping 
                 set ip6-send-adv enable 
                 set ip6-manage-flag enable 
                 set ip6-other-flag enable
 
                set ip6-retrans-time 3000
                          config ip6-prefix-list
                              edit xxxx:xxx:xxx:cccc::/64
               
                 set autonomous-flag enable 
                                 set onlink-flag enable 
                                 set preferred-life-time 600
                                  set valid-life-time 600 
                             next 
                         end 
                 end


With this configuration, the client host will have three IPv6 address, two of them auto generated with the prefix-list and another IP given by the DHCP server. The client host will surf on the internet with the first one and get the DNS options given by the DHCP.

You can see the IP leases with the next command:

execute dhcp6 lease-list

Interface   DUID                                         IAID      IP                            Expiry
wan2        xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx    1         xx:xx:xx:cccc::1000       Fri May 31 15:49:27 2013


Then you need to create policy rules in order to allow permitted traffic.