Administration Guide

IPv6 MAC addresses and usage in firewall policies

Users can define IPv6 MAC addresses that can be applied to the following policies:

  • Firewall
  • Virtual wire pair
  • ACL/DoS
  • Central NAT
  • NAT64
  • Local-in

In this example, a firewall policy is configured in a NAT mode VDOM with the IPv6 MAC address range as a source address.

Note

IPv6 MAC addresses cannot be used as destination addresses in VDOMs when in NAT operation mode.

To configure IPv6 MAC addresses in a policy in the GUI:
  1. Create the MAC address range:
    1. Go to Policy & Objects > Addresses and click Create New > Address.
    2. For Category, click IPv6 Address.
    3. Enter an address name.
    4. For Type, select Device (MAC Address).
    5. For MAC Address Scope, click Range.
    6. Enter the Starting and Ending MAC addresses.
    7. Click OK.

  2. Configure the policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Source, select the IPv6 MAC address object.
    3. Configure the other settings as needed.
    4. Click OK.

To configure IPv6 MAC addresses in a policy in the CLI:
  1. Create the MAC address range:
    config firewall address6
        edit "test-ipv6-mac-addr-1"
            set type mac
            set start-mac 00:0c:29:b5:92:8d
            set end-mac 00:0c:29:b5:92:8d
        next
    end
  2. Configure the policy:
    config firewall policy
        edit 2
            set srcintf "wan2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "test-ipv6-mac-addr-1" "2000-10-1-100-0"
            set dstaddr6 "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set auto-asic-offload disable
            set nat enable
        next
    end
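
The following is an added example, not Fortinet code: an offline check of a saved configuration in the CLI format shown above, which reports any IPv6 MAC address object referenced in `dstaddr6` (the restriction in the Note) and any range whose start is above its end. It assumes the file comes from a NAT mode VDOM and contains only flat `config`/`edit`/`set` blocks; the names `parse` and `audit` and policy 3 in the sample are constructed for illustration.

```python
import re
# Constructed sample: the page's address object and policy 2, plus a
# hypothetical policy 3 that uses the MAC object as an IPv6 destination.
SAMPLE = '''
config firewall address6
    edit "test-ipv6-mac-addr-1"
        set type mac
        set start-mac 00:0c:29:b5:92:8d
        set end-mac 00:0c:29:b5:92:8d
    next
end
config firewall policy
    edit 2
        set srcaddr6 "test-ipv6-mac-addr-1" "2000-10-1-100-0"
        set dstaddr6 "all"
    next
    edit 3
        set dstaddr6 "test-ipv6-mac-addr-1"
    next
end
'''

def parse(text):
    """Flat config/edit/set parser -> {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None
    return tree

def audit(text):
    """Assumes a NAT mode VDOM: flag MAC objects in dstaddr6, inverted ranges."""
    cfg = parse(text)
    val = lambda a, k: int(a.get(k, ["0"])[0].replace(":", ""), 16)
    macs = {n: a for n, a in cfg.get("firewall address6", {}).items()
            if a.get("type") == ["mac"]}
    out = [f"address6 {n}: start-mac above end-mac" for n, a in macs.items()
           if "end-mac" in a and val(a, "start-mac") > val(a, "end-mac")]
    out += [f"policy {pid}: MAC object {n} in dstaddr6"
            for pid, p in cfg.get("firewall policy", {}).items()
            for n in p.get("dstaddr6", []) if n in macs]
    return out
```

Calling `audit(SAMPLE)` reports only the constructed policy 3; policy 2, which uses the MAC object as a source as in the page's example, passes.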
