Fortinet Document Library

Version:


Table of Contents

New Features

6.4.0
Download PDF
Copy Link

Local bridge mode SSID IPv6 traffic

In the following example, FortiAP S221E is managed by FortiGate 100D through a local NATed switch and broadcasts local bridge mode SSID:FOS_QA_100D-LB-IPv6.

To configure a WiFi client accessing IPv6 local bridge mode traffic:
  1. Create a local bridge mode VAP:
    config wireless-controller vap
        edit "test1"
            set ssid "FOS_QA-100D-LB-IPv6"
            set passphrase ********
            set local-bridging enable
            set schedule "always"
        next
    end
  2. Create an IPv6 DHCP server for the local NATed switch (FortiWiFi 60E is used in this example):
    config system interface
        edit "internal6"
            set vdom "vdom1"
            set ip 2.2.3.1 255.255.255.0
            set allowaccess ping https http fabric
            set type physical
            set snmp-index 18
            config ipv6
                set ip6-address 2001:100:122:130::1/64
                set ip6-allowaccess ping https http fabric
                set ip6-send-adv enable
                set ip6-manage-flag enable
                set ip6-other-flag enable
            end
        next
    end
    config system dhcp6 server
        edit 1
            set subnet 2001:100:122:130::/64
            set interface "internal6"
            config ip-range
                edit 1
                    set start-ip 2001:100:122:130::200
                    set end-ip 2001:100:122:130::300
                next
            end
        next
    end
  3. Create an IPv6 policy for the local NATed switch:
    config firewall policy
        edit 2
            set name "ipv6"
            set srcintf "internal6"
            set dstintf "internal7"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
        next
    end
  4. Verify the IPv6 address in the station list:
    1. In the FortiGate CLI:
      # diagnose wireless-controller wlac -d sta online   
          vf=4 wtp=3 rId=2 wlan=test1 vlan_id=0 ip=2.2.3.3 ip6=2001:100:122:130::200 mac=f0:98:9d:76:64:c4 vci= host=iPhoneX user= group= signal=-41 noise=-105 idle=18 bw=0 use=5 chan=36 radio_type=11AC security=wpa2_only_personal mpsk=default encrypt=aes cp_authed=no online=yes mimo=2
                      ip6=fe80::82a:9eba:69c5:5454,13, *2001:100:122:130::200,2,
    2. In the FortiAP CLI:
      FortiAP-S221E # sta
      wlan10 (FOS_QA-100D-LB-IPv6) client count 1
          MAC:f0:98:9d:76:64:c4 ip:2.2.3.3 ip_proto:dhcp ip_age:8 host:iPhoneX vci:
                                ip6:fe80::82a:9eba:69c5:5454 ip6_proto:arp ip6_age:1 ip6_rx:12
                                ip6:2001:100:122:130::200 ip6_proto:dhcp ip6_age:8 ip6_rx:2
              vlanid:0 Auth:Yes channel:36 rate:173Mbps rssi:64dB idle:0s
              Rx bytes:26654 Tx bytes:27949 Rx rate:78Mbps Tx rate:173Mbps Rx last:0s Tx last:0s
              AssocID:1 Mode:  Normal Flags:1000000b PauseCnt:0
              KEY type=aes_ccm pad=0 keyix=65535 keylen=16 flags=3(xmit recv) RSC=0 TSC=0
                  83 25 7e 72   d2 b1 d2 ef   30 9f 6e 9f   50 e5 6f 5a
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
              KEY type=aes_ccm pad=0 keyix=1 keylen=16 flags=83(xmit recv dflt) RSC=0 TSC=0
                  1f 25 64 3e   02 4d e2 f1   2c b0 5e 03   ed 99 a4 47
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
      FortiAP-S221E #
      
      FortiAP-S221E # usta
      
      WTP daemon STA info:
      
       1/1   f0:98:9d:76:64:c4 00:00:00:00:00:00 vId=0    type=wl----sta,  vap=wlan10,FOS_QA-100D-LB-IPv6(0) mpsk=default  ip=2.2.3.3/1  host=iPhoneX vci= os=iOS
                                ip6=fe80::82a:9eba:69c5:5454/2 rx=12
                                ip6=2001:100:122:130::200/1 rx=2
                                replycount=0000000000000002
      
      Total STAs: 1

Local bridge mode SSID IPv6 traffic

In the following example, FortiAP S221E is managed by FortiGate 100D through a local NATed switch and broadcasts local bridge mode SSID:FOS_QA_100D-LB-IPv6.

To configure a WiFi client accessing IPv6 local bridge mode traffic:
  1. Create a local bridge mode VAP:
    config wireless-controller vap
        edit "test1"
            set ssid "FOS_QA-100D-LB-IPv6"
            set passphrase ********
            set local-bridging enable
            set schedule "always"
        next
    end
  2. Create an IPv6 DHCP server for the local NATed switch (FortiWiFi 60E is used in this example):
    config system interface
        edit "internal6"
            set vdom "vdom1"
            set ip 2.2.3.1 255.255.255.0
            set allowaccess ping https http fabric
            set type physical
            set snmp-index 18
            config ipv6
                set ip6-address 2001:100:122:130::1/64
                set ip6-allowaccess ping https http fabric
                set ip6-send-adv enable
                set ip6-manage-flag enable
                set ip6-other-flag enable
            end
        next
    end
    config system dhcp6 server
        edit 1
            set subnet 2001:100:122:130::/64
            set interface "internal6"
            config ip-range
                edit 1
                    set start-ip 2001:100:122:130::200
                    set end-ip 2001:100:122:130::300
                next
            end
        next
    end
  3. Create an IPv6 policy for the local NATed switch:
    config firewall policy
        edit 2
            set name "ipv6"
            set srcintf "internal6"
            set dstintf "internal7"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
        next
    end
  4. Verify the IPv6 address in the station list:
    1. In the FortiGate CLI:
      # diagnose wireless-controller wlac -d sta online   
          vf=4 wtp=3 rId=2 wlan=test1 vlan_id=0 ip=2.2.3.3 ip6=2001:100:122:130::200 mac=f0:98:9d:76:64:c4 vci= host=iPhoneX user= group= signal=-41 noise=-105 idle=18 bw=0 use=5 chan=36 radio_type=11AC security=wpa2_only_personal mpsk=default encrypt=aes cp_authed=no online=yes mimo=2
                      ip6=fe80::82a:9eba:69c5:5454,13, *2001:100:122:130::200,2,
    2. In the FortiAP CLI:
      FortiAP-S221E # sta
      wlan10 (FOS_QA-100D-LB-IPv6) client count 1
          MAC:f0:98:9d:76:64:c4 ip:2.2.3.3 ip_proto:dhcp ip_age:8 host:iPhoneX vci:
                                ip6:fe80::82a:9eba:69c5:5454 ip6_proto:arp ip6_age:1 ip6_rx:12
                                ip6:2001:100:122:130::200 ip6_proto:dhcp ip6_age:8 ip6_rx:2
              vlanid:0 Auth:Yes channel:36 rate:173Mbps rssi:64dB idle:0s
              Rx bytes:26654 Tx bytes:27949 Rx rate:78Mbps Tx rate:173Mbps Rx last:0s Tx last:0s
              AssocID:1 Mode:  Normal Flags:1000000b PauseCnt:0
              KEY type=aes_ccm pad=0 keyix=65535 keylen=16 flags=3(xmit recv) RSC=0 TSC=0
                  83 25 7e 72   d2 b1 d2 ef   30 9f 6e 9f   50 e5 6f 5a
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
              KEY type=aes_ccm pad=0 keyix=1 keylen=16 flags=83(xmit recv dflt) RSC=0 TSC=0
                  1f 25 64 3e   02 4d e2 f1   2c b0 5e 03   ed 99 a4 47
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
      FortiAP-S221E #
      
      FortiAP-S221E # usta
      
      WTP daemon STA info:
      
       1/1   f0:98:9d:76:64:c4 00:00:00:00:00:00 vId=0    type=wl----sta,  vap=wlan10,FOS_QA-100D-LB-IPv6(0) mpsk=default  ip=2.2.3.3/1  host=iPhoneX vci= os=iOS
                                ip6=fe80::82a:9eba:69c5:5454/2 rx=12
                                ip6=2001:100:122:130::200/1 rx=2
                                replycount=0000000000000002
      
      Total STAs: 1