Fortinet black logo

FortiWiFi and FortiAP Cookbook

CLI commands for IPv6 rules

6.4.0
Copy Link
Copy Doc ID daf31b55-67cc-11ea-9384-00505692583a:78871
Download PDF

CLI commands for IPv6 rules

The following IPv6 rules can be used in VAP configurations:

Command

Description

drop-icmp6ra

Drop ICMPv6 router advertisement (RA) packets that originate from wireless clients.

drop-icmp6rs

Drop ICMPv6 router solicitation (RS) packets to be sent to wireless clients.

drop-llmnr6

Drop Link-Local Multicast Name Resolution (LLMNR) packets.

drop-icmp6mld2

Drop ICMPv6 Multicast Listener report V2 (MLD2) packets.

drop-dhcp6s

Drop DHCPv6 server generated packets that originate from wireless clients.

drop-dhcp6c

Drop DHCPv6 client generated packets to be sent to wireless clients.

ndp-proxy

Enable IPv6 NDP proxy; send back NA on behalf of the client and drop the NS.

drop-ns-dad

Drop ICMPv6 NS DAD when target address is not found in the NDP proxy cache.

drop-ns-nondad

Drop ICMPv6 NS non-DAD when target address is not found in the NDP proxy cache.

To configure IPv6 rules on a VAP in FortiOS:
config wireless-controller vap
    edit "wifi4"
        set ssid "FOS_QA_100D-IPv6"
        set passphrase ********
        set schedule "always"
        set ipv6-rules drop-icmp6ra drop-icmp6rs drop-llmnr6 drop-icmp6mld2 drop-dhcp6s drop-dhcp6c ndp-proxy drop-ns-dad drop-ns-nondad
    next
end

The IPv6 rules settings can be pushed to a FortiAP when the VAP is broadcast.

To view the pushed settings on the FortiAP:
FortiAP-S221E # iwpriv wlan00 get_bmcs6
wlan00    get_bmcs6:991  (0x3df)
00000001 icmp6-ra            : yes
00000002 icmp6-rs            : yes
00000004 dhcp6-server        : yes
00000008 dhcp6-client        : yes
00000010 llmnr               : yes
00000040 icmp6-mld2          : yes
00000080 ndp-proxy           : yes
00000100 ns-dad              : yes
00000200 ns-nondad           : yes

CLI commands for IPv6 rules

The following IPv6 rules can be used in VAP configurations:

Command

Description

drop-icmp6ra

Drop ICMPv6 router advertisement (RA) packets that originate from wireless clients.

drop-icmp6rs

Drop ICMPv6 router solicitation (RS) packets to be sent to wireless clients.

drop-llmnr6

Drop Link-Local Multicast Name Resolution (LLMNR) packets.

drop-icmp6mld2

Drop ICMPv6 Multicast Listener report V2 (MLD2) packets.

drop-dhcp6s

Drop DHCPv6 server generated packets that originate from wireless clients.

drop-dhcp6c

Drop DHCPv6 client generated packets to be sent to wireless clients.

ndp-proxy

Enable IPv6 NDP proxy; send back NA on behalf of the client and drop the NS.

drop-ns-dad

Drop ICMPv6 NS DAD when target address is not found in the NDP proxy cache.

drop-ns-nondad

Drop ICMPv6 NS non-DAD when target address is not found in the NDP proxy cache.

To configure IPv6 rules on a VAP in FortiOS:
config wireless-controller vap
    edit "wifi4"
        set ssid "FOS_QA_100D-IPv6"
        set passphrase ********
        set schedule "always"
        set ipv6-rules drop-icmp6ra drop-icmp6rs drop-llmnr6 drop-icmp6mld2 drop-dhcp6s drop-dhcp6c ndp-proxy drop-ns-dad drop-ns-nondad
    next
end

The IPv6 rules settings can be pushed to a FortiAP when the VAP is broadcast.

To view the pushed settings on the FortiAP:
FortiAP-S221E # iwpriv wlan00 get_bmcs6
wlan00    get_bmcs6:991  (0x3df)
00000001 icmp6-ra            : yes
00000002 icmp6-rs            : yes
00000004 dhcp6-server        : yes
00000008 dhcp6-client        : yes
00000010 llmnr               : yes
00000040 icmp6-mld2          : yes
00000080 ndp-proxy           : yes
00000100 ns-dad              : yes
00000200 ns-nondad           : yes