I got an email where someone asked whether I know how to change the link-local IPv6 address on a FortiGate, as you can on most other network/firewall devices. He could not find anything about this in the Fortinet documentation or on Google.
Well, I could not find anything either. What’s up? It’s not new to me that you cannot really configure IPv6 on the FortiGate GUI, but even on the CLI I couldn’t find anything about changing this link-local IPv6 address from the default EUI-64 based one to a manually assigned one. Hence I opened a ticket at Fortinet. It turned out that you cannot *change* this address at all, but that you must *add* another LL address, which will only be used for the router advertisements (RAs) after a reboot (!) of the firewall. Stupid design!
Again and again and again I am not happy at all with the IPv6 implementation on the FortiGates. Too many bugs and features missing, while everything is too complicated to configure. (Have a look at my Fortinet feature requests.) For the following tests I used a FortiGate FG-90D with firmware v5.6.5 build1600 (GA).
Before (Default Behaviour)
Before I touched the config, the state of IPv6 was the following. Have a look at the “fg-trust” interface with its EUI-64 based link-local address fe80::a5b:eff:fea1:835e in line 12:
fg # diagnose ipv6 address list
dev=31 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=29 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=28 devname=fg-server flag=P scope=0 prefix=64 addr=2003:de:2016:220::1
dev=27 devname=fg-trust2 flag=P scope=0 prefix=64 addr=2003:de:2016:211::1
dev=26 devname=fg-trust flag=P scope=0 prefix=64 addr=2003:de:2016:210::1
dev=24 devname=root flag=P scope=254 prefix=128 addr=::1
dev=5 devname=wan1 flag=P scope=0 prefix=64 addr=2003:de:2016::2
dev=6 devname=wan2 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:8360
dev=28 devname=fg-server flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=27 devname=fg-trust2 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=26 devname=fg-trust flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=5 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835f
The configuration at this point was:
config system interface
    edit "fg-trust"
        set vdom "root"
        set ip 192.168.210.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
        set snmp-index 5
        config ipv6
            set ip6-address 2003:de:2016:210::1/64
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2003:de:2016:210::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
        set interface "internal1"
        set vlanid 210
    next
end
And a Linux machine on that segment got the following routing table, in which the default route had a gateway of fe80::a5b:eff:fea1:835e, i.e. the FortiGate’s EUI-64 based link-local address:
weberjoh@jw-vm05-Ubuntu-Test-3:~$ ip -6 r s
2003:de:2016:210::/64 dev ens32 proto kernel metric 256 expires 2591699sec pref medium
fe80::/64 dev ens32 proto kernel metric 256 pref medium
default via fe80::a5b:eff:fea1:835e dev ens32 proto ra metric 1024 expires 1499sec pref medium
Configuration of the Link-Local Address
To add a link-local address you need the “config ip6-extra-addr” submenu. I added the quite simple fe80::1/64 address to that interface:
config system interface
    edit fg-trust
        config ipv6
            config ip6-extra-addr
                edit fe80::1/64
                next
            end
        end
end
Now, in order to have the router advertisements sent from this newly created link-local address, you have to reboot the firewall! Come on Fortinet, you need a complete reboot for this?!? (Note that the support ticket told me to disable “ip6-send-adv” before adding the LL address and to enable it again afterwards. But this was not successful: at this point the RAs were still sent from the old EUI-64 based LL address.) Hence a reboot:
execute reboot
After
After these changes and the reboot, the added link-local address was present (line 6, note the flag=SP):
fg # diagnose ipv6 address list
dev=31 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=29 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=28 devname=fg-server flag=P scope=0 prefix=64 addr=2003:de:2016:220::1
dev=27 devname=fg-trust2 flag=P scope=0 prefix=64 addr=2003:de:2016:211::1
dev=26 devname=fg-trust flag=SP scope=253 prefix=64 addr=fe80::1
dev=26 devname=fg-trust flag=P scope=0 prefix=64 addr=2003:de:2016:210::1
dev=24 devname=root flag=P scope=254 prefix=128 addr=::1
dev=5 devname=wan1 flag=P scope=0 prefix=64 addr=2003:de:2016::2
dev=6 devname=wan2 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:8360
dev=28 devname=fg-server flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=27 devname=fg-trust2 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=26 devname=fg-trust flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=5 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835f
The complete configuration section for this interface looked like this:
config system interface
    edit "fg-trust"
        set vdom "root"
        set ip 192.168.210.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
        set snmp-index 5
        config ipv6
            set ip6-address 2003:de:2016:210::1/64
            set ip6-allowaccess ping https ssh
            config ip6-extra-addr
                edit fe80::1/64
                next
            end
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2003:de:2016:210::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
        set interface "internal1"
        set vlanid 210
    next
end
And the Linux machine (after a reboot as well) got the correct next hop for its default route:
weberjoh@jw-vm05-Ubuntu-Test-3:~$ ip -6 r s
2003:de:2016:210::/64 dev ens32 proto kernel metric 256 expires 2591853sec pref medium
fe80::/64 dev ens32 proto kernel metric 256 pref medium
default via fe80::1 dev ens32 proto ra metric 1024 expires 1653sec pref medium
Accordingly, I could verify that the router advertisements were now sent from my added link-local address fe80::1.
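As an added verification helper (my own code, not from the post or from Fortinet), the following Python parses the two outputs used above, the FortiGate’s “diagnose ipv6 address list” and the client’s “ip -6 r s”, and checks that the RA-learned default gateway is the link-local address that was added and that this address really exists on the interface. It also recomputes the EUI-64 link-local address from a MAC, so you know what the default address will be; the MAC 08:5b:0e:a1:83:5e is an assumption, worked back from the fe80::a5b:eff:fea1:835e shown above.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed samples, trimmed from the outputs shown above (the FortiGate
# sample is the state after the reboot, the Linux samples are before/after).
FG_AFTER = """\
fg # diagnose ipv6 address list
dev=26 devname=fg-trust flag=SP scope=253 prefix=64 addr=fe80::1
dev=26 devname=fg-trust flag=P scope=0 prefix=64 addr=2003:de:2016:210::1
dev=26 devname=fg-trust flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
"""
LINUX_BEFORE = "default via fe80::a5b:eff:fea1:835e dev ens32 proto ra metric 1024 expires 1499sec pref medium\n"
LINUX_AFTER = "default via fe80::1 dev ens32 proto ra metric 1024 expires 1653sec pref medium\n"

DIAG_RE = re.compile(r"dev=\d+ devname=(\S+) flag=(\S+) scope=\d+ prefix=\d+ addr=(\S+)")

def eui64_link_local(mac: str) -> str:
    """EUI-64 derived link-local address (RFC 4291, Appendix A): flip the
    universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))

def link_locals(diag_output: str, devname: str) -> List[str]:
    """Link-local addresses of one interface in 'diagnose ipv6 address list'."""
    found = []
    for line in diag_output.splitlines():
        m = DIAG_RE.match(line)
        if m and m.group(1) == devname and ipaddress.IPv6Address(m.group(3)).is_link_local:
            found.append(m.group(3))
    return found

def ra_default_gateway(ip_route_output: str) -> Optional[str]:
    """Gateway of the RA-learned ('proto ra') default route in 'ip -6 r s', if any."""
    for line in ip_route_output.splitlines():
        m = re.match(r"default via (\S+) dev \S+ proto ra\b", line)
        if m:
            return m.group(1)
    return None

def ra_source_is(expected: str, diag_output: str, devname: str, ip_route_output: str) -> bool:
    """True when the client learned its default route from the configured LL
    address AND that address is present on the FortiGate interface."""
    gw = ra_default_gateway(ip_route_output)
    want = ipaddress.IPv6Address(expected)
    on_box = any(ipaddress.IPv6Address(a) == want for a in link_locals(diag_output, devname))
    return gw is not None and ipaddress.IPv6Address(gw) == want and on_box

if __name__ == "__main__":
    print(eui64_link_local("08:5b:0e:a1:83:5e"))  # assumed MAC -> fe80::a5b:eff:fea1:835e
    print("before reboot:", ra_source_is("fe80::1", FG_AFTER, "fg-trust", LINUX_BEFORE))
    print("after reboot: ", ra_source_is("fe80::1", FG_AFTER, "fg-trust", LINUX_AFTER))
```

Run it against your own captured outputs to get a quick yes/no instead of eyeballing the address lines after each reboot.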
Competitors
That’s it. I am not happy with this approach from Fortinet for “changing” the link-local address. On other firewalls, such as the Palo Alto Networks firewall, you can explicitly change the interface ID portion, and it even works without rebooting the firewall.
Cheers.
Featured image “Buy Local” by Mariano Mantel is licensed under CC BY-NC 2.0.
Hello Johannes,
thank you for publishing a hint about this “feature”.
I’m running a FortiGate with 6.0.6 and another one with 6.2.1, and both still need a reboot to get the extra address fully active in RA messages.
It took more reboots in my case because I had a line “set ip6-retrans-time 1795”, and only without this line did the router in the RA message change to fe80::1.
Hi Johannes,
one more question about this wonderful feature:
Did you try to change the ip6-extra-addr on more than one interface to the same fe80::1/64 address? Which result did you see after the lifetime of the router address expired?
In my test the client lost the default router address, and I had to disconnect and reconnect the network cable to get a working IPv6 configuration again.
By the way:
I changed the fe80 address on a Cisco ASA; it works wonderfully and looks wonderful in Wireshark, too. Well done, Cisco, at this point!
Hi Ulrich,
no, I haven’t tested something like that.
Whatever you do, keep in mind that this is a FortiGate! Do NOT expect that it works as expected. Do NOT configure anything that isn’t really needed. Do NOT configure any complicated things at all.
(Not to say: Do NOT use it but buy a more profound firewall. ;))
Have a good day
Johannes
Hi Johannes,
about the change of the link-local address on Palo Alto Networks firewalls: I found at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ6CAK that this isn’t supported. Can you provide your PAN-OS version and a few config lines on how to configure it?
Looking forward to reading new posts with the tag “link-local-address” :-)
For all readers using a Cisco ASA [Version 9.12(3)]:
interface GigabitEthernet x/y
ipv6 address fe80::1 link-local
exit
Nice day and stay healthy
Ulrich
Hello Ulrich,
interesting knowledgebase article from PAN. I have just tested it again, and it IS possible. I have changed the interface ID of a layer 3 subinterface to “2311”:
set network interface ethernet ethernet1/5 layer3 units ethernet1/5.224 ipv6 interface-id 2311
Verifying it through the CLI:
weberjoh@pa> show interface ethernet1/5.224
--------------------------------------------------------------------------------
Name: ethernet1/5.224, ID: 257, 802.1q tag: 224
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 193.24.227.225/27
Interface IPv6 address: fe80::2311/64
2001:470:765b::1/64
DAD: enabled
NDP Monitoring: enabled
IPv6 Client Mode: disabled
Router Advertisement: enabled
And the routing table from a Linux (Raspbian) machine:
pi@pi05-random:~ $ ip -6 r s
2001:470:765b::/64 dev enxb827eb03a0ac proto kernel metric 202 pref medium
fe80::/64 dev enxb827eb03a0ac proto kernel metric 256 pref medium
default via fe80::2311 dev enxb827eb03a0ac metric 202 pref medium
Hence, the RA is really sent with the manually configured interface ID.
Q.E.D.
(Maybe this is only true for subinterfaces?!?)