
FortiWiFi and FortiAP Cookbook

6.4.0

CLI commands for IPv6 rules

The following IPv6 rules can be used in VAP configurations:

Command           Description
drop-icmp6ra      Drop ICMPv6 router advertisement (RA) packets that originate from wireless clients.
drop-icmp6rs      Drop ICMPv6 router solicitation (RS) packets to be sent to wireless clients.
drop-llmnr6       Drop Link-Local Multicast Name Resolution (LLMNR) packets.
drop-icmp6mld2    Drop ICMPv6 Multicast Listener report V2 (MLD2) packets.
drop-dhcp6s       Drop DHCPv6 server generated packets that originate from wireless clients.
drop-dhcp6c       Drop DHCPv6 client generated packets to be sent to wireless clients.
ndp-proxy         Enable IPv6 NDP proxy; send back NA on behalf of the client and drop the NS.
drop-ns-dad       Drop ICMPv6 NS DAD when target address is not found in the NDP proxy cache.
drop-ns-nondad    Drop ICMPv6 NS non-DAD when target address is not found in the NDP proxy cache.

To configure IPv6 rules on a VAP in FortiOS:
config wireless-controller vap
    edit "wifi4"
        set ssid "FOS_QA_100D-IPv6"
        set passphrase ********
        set schedule "always"
        set ipv6-rules drop-icmp6ra drop-icmp6rs drop-llmnr6 drop-icmp6mld2 drop-dhcp6s drop-dhcp6c ndp-proxy drop-ns-dad drop-ns-nondad
    next
end

The IPv6 rules settings can be pushed to a FortiAP when the VAP is broadcast.

To view the pushed settings on the FortiAP:
FortiAP-S221E # iwpriv wlan00 get_bmcs6
wlan00    get_bmcs6:991  (0x3df)
00000001 icmp6-ra            : yes
00000002 icmp6-rs            : yes
00000004 dhcp6-server        : yes
00000008 dhcp6-client        : yes
00000010 llmnr               : yes
00000040 icmp6-mld2          : yes
00000080 ndp-proxy           : yes
00000100 ns-dad              : yes
00000200 ns-nondad           : yes
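
To confirm that the rules configured on the VAP match what the FortiAP reports, the get_bmcs6 bitmask can be decoded and compared with the set ipv6-rules line. The following Python is an added example, not Fortinet code; the bit values come from the output above, while the pairing of FortiOS rule names to FortiAP flags and the sample strings are assumptions.

```python
import re

# Bit values copied from the get_bmcs6 output on this page. Pairing each FortiOS
# rule name with a FortiAP flag is an assumption inferred from the names.
RULE_BITS = {
    "drop-icmp6ra": 0x001,    # icmp6-ra
    "drop-icmp6rs": 0x002,    # icmp6-rs
    "drop-dhcp6s": 0x004,     # dhcp6-server
    "drop-dhcp6c": 0x008,     # dhcp6-client
    "drop-llmnr6": 0x010,     # llmnr
    "drop-icmp6mld2": 0x040,  # icmp6-mld2
    "ndp-proxy": 0x080,       # ndp-proxy
    "drop-ns-dad": 0x100,     # ns-dad
    "drop-ns-nondad": 0x200,  # ns-nondad
}

def configured_rules(vap_config):
    """Rule names from the 'set ipv6-rules' line of a VAP config."""
    m = re.search(r"^\s*set ipv6-rules\s+(.+)$", vap_config, re.MULTILINE)
    rules = set(m.group(1).split()) if m else set()
    unknown = rules - set(RULE_BITS)
    if unknown:
        raise ValueError(f"unrecognised ipv6-rules: {sorted(unknown)}")
    return rules

def pushed_mask(iwpriv_output):
    """Bitmask from the 'get_bmcs6:<decimal>  (0x<hex>)' line."""
    m = re.search(r"get_bmcs6:(\d+)\s+\(0x([0-9a-fA-F]+)\)", iwpriv_output)
    if not m or int(m.group(1)) != int(m.group(2), 16):
        raise ValueError("missing or inconsistent get_bmcs6 value")
    return int(m.group(1))

def audit(vap_config, iwpriv_output):
    """Compare rules configured in FortiOS with the flags active on the FortiAP."""
    want, mask = configured_rules(vap_config), pushed_mask(iwpriv_output)
    active = {name for name, bit in RULE_BITS.items() if mask & bit}
    return {
        "missing_on_ap": sorted(want - active),      # configured but not enforced
        "not_in_config": sorted(active - want),      # enforced but not configured
        "unknown_bits": mask & ~sum(RULE_BITS.values()),
    }

# Constructed sample: three rules configured, but the AP reports only two of them.
SAMPLE_CONFIG = '    edit "example-vap"\n        set ipv6-rules drop-icmp6ra drop-dhcp6s ndp-proxy\n'
SAMPLE_OUTPUT = "wlan00    get_bmcs6:129  (0x81)\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_OUTPUT))
```

A non-empty missing_on_ap list means a filter such as drop-dhcp6s is configured on the controller but not active on the AP, so the traffic it is meant to block from wireless clients is not being dropped.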
