Comprehensive Guide to FortiGate PPPoE Configuration for Modern Networks

In today's complex network environments, PPP over Ethernet (PPPoE) remains a crucial authentication and connection protocol for many internet service providers worldwide. For organizations and advanced home users utilizing FortiGate firewalls, configuring PPPoE—especially in dual-stack IPv4/IPv6 environments—presents unique challenges that require careful attention to detail. This comprehensive guide synthesizes technical documentation and real-world implementation experience to provide network administrators with actionable insights for successful FortiGate PPPoE deployment.

Based on analysis of available technical resources and real-world configurations, this article addresses both basic PPPoE setup and the complexities of dual-stack implementations. With many ISPs transitioning to IPv6 while maintaining IPv4 connectivity, understanding how to configure both protocols simultaneously on your FortiGate device has become essential for maintaining seamless network operations and future-proofing your infrastructure.

Prerequisites for PPPoE Configuration

Before beginning PPPoE configuration on your FortiGate firewall, ensure you have gathered the following essential information from your Internet Service Provider:

  • PPPoE username and password (authentication credentials)
  • ISP-specific connection details (VLAN requirements, service names)
  • IPv4 configuration requirements (static or dynamic addressing)
  • IPv6 deployment specifics (DHCPv6-PD, SLAAC, or static prefix assignment)
  • DNS server information for both IPv4 and IPv6

Additionally, verify your FortiOS version and hardware capabilities, as PPPoE implementation details can vary between firmware releases. The configuration examples in this article reference FortiOS 7.6.1 but follow principles applicable to multiple versions.

Basic PPPoE Interface Configuration

The foundation of FortiGate PPPoE setup begins with configuring the physical interface for PPPoE operation. According to the Fortinet CLI reference, the config system pppoe-interface command structure provides the essential parameters for establishing the connection.

Core PPPoE Parameters

The following table outlines critical configuration parameters for PPPoE interfaces:

| Parameter | Description | Typical Value |
|---|---|---|
| auth-type | Authentication protocol (auto, pap, chap, etc.) | auto |
| username | PPPoE authentication username | Provided by ISP |
| password | PPPoE authentication password | Provided by ISP |
| service-name | Optional PPPoE service name | ISP-dependent |
| ac-name | Access Concentrator name | ISP-dependent |
| lcp-echo-interval | LCP echo request interval (seconds) | 5 (default) |
| lcp-max-echo-fails | Maximum missed echoes before disconnect | 3 (default) |
| dial-on-demand | Establish connection only when traffic needs to route | disable |

CLI Configuration Example

    config system interface
        edit "wan1"
            set vdom "root"
            set mode pppoe
            set allowaccess ping
            set role wan
            set username "your_pppoe_username@isp.example"
            set password ENC YourEncryptedPasswordHere
        next
    end

This basic configuration establishes IPv4 connectivity through PPPoE. The interface will authenticate with the ISP and receive an IPv4 address via PPP's IP Control Protocol (IPCP).

Advanced Dual-Stack PPPoE with IPv6

Modern networks increasingly require dual-stack implementations supporting both IPv4 and IPv6 simultaneously. Real-world implementations, such as those documented for Deutsche Telekom connections, reveal the complexity of this configuration, particularly when combining PPPoE with DHCPv6 Prefix Delegation (PD).

IPv6 Configuration Components

A complete dual-stack PPPoE implementation on FortiGate involves multiple interconnected components:

  1. PPPoE IPv6 Control Protocol (IPv6CP): Enables IPv6 over the PPPoE session
  2. SLAAC (Stateless Address Autoconfiguration): Generates the WAN interface IPv6 address
  3. DHCPv6 Prefix Delegation: Obtains an IPv6 prefix from the ISP for internal network use
  4. Router Advertisement: Distributes IPv6 network information to internal clients

Complete Dual-Stack Configuration Example

Based on a working Deutsche Telekom implementation using FortiOS 7.6.1, here is a comprehensive dual-stack configuration:

    config system interface
        edit "wan1"
            set vdom "root"
            set mode pppoe
            set allowaccess ping
            set role wan
            config ipv6
                set ip6-mode pppoe
                set ip6-allowaccess ping
                set dhcp6-prefix-delegation enable
                set autoconf enable
                config dhcp6-iapd-list
                    edit 5
                    next
                end
            end
            set username "001234567890#098765432123#0001@t-online.de"
            set password ENC ISPProvidedPassword
        next
        edit "internal"
            set vdom "root"
            set ip 192.168.1.99 255.255.255.0
            set allowaccess ping https ssh fabric
            set role lan
            config ipv6
                set ip6-mode delegated
                set ip6-allowaccess ping https ssh
                set ip6-send-adv enable
                set ip6-max-interval 30
                set ip6-min-interval 10
                set ip6-delegated-prefix-iaid 5
                set ip6-upstream-interface "wan1"
                set ip6-subnet ::1/64
                config ip6-delegated-prefix-list
                    edit 1
                        set upstream-interface "wan1"
                        set delegated-prefix-iaid 5
                        set subnet ::/64
                        set rdnss-service delegated
                    next
                end
            end
        next
    end

Critical Implementation Details

This configuration reveals several non-intuitive but essential elements for successful dual-stack PPPoE:

  • The "delegated-prefix-iaid" value (5 in this example) must match between the WAN interface DHCPv6 IAPD list and the internal interface configuration, though the specific value may vary by FortiOS version.

  • The internal interface uses "ip6-subnet ::1/64" while the delegated prefix list uses "subnet ::/64"—a subtle but critical distinction.

  • Router Advertisement intervals are reduced (10-30 seconds instead of default 600 seconds) to work around a FortiOS 7.6.1 bug where clients don't receive immediate responses to Router Solicitations.
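
The three details above can be checked offline against a saved configuration before it is applied. The following Python sketch is an added example, not Fortinet tooling or code from the original configuration; the function names, finding labels and the deliberately broken sample are constructed for illustration, and the 600-second default is the figure quoted above.

```python
import ipaddress
import shlex

def parse(text):
    """Parse FortiOS config/edit/set/next/end lines into nested dicts."""
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            # Keys look like "config ipv6" or "edit wan1" (quotes stripped).
            stack.append(stack[-1].setdefault(" ".join(tok), {}))
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
    return stack[0]

def check_dual_stack(cfg, wan="wan1", lan="internal"):
    """Return a list of findings for the three details listed above."""
    ifaces = cfg["config system interface"]
    wan6 = ifaces[f"edit {wan}"].get("config ipv6", {})
    lan6 = ifaces[f"edit {lan}"].get("config ipv6", {})
    # IAIDs requested on the WAN side (the "edit N" entries).
    requested = {k.split()[1] for k in wan6.get("config dhcp6-iapd-list", {})}
    findings = []
    for entry in lan6.get("config ip6-delegated-prefix-list", {}).values():
        # 1. Each delegated-prefix entry must use an IAID requested on WAN.
        if entry.get("delegated-prefix-iaid") not in requested:
            findings.append("iaid-mismatch")
        # 2a. The list entry names a subnet, so its host bits must be zero.
        net = ipaddress.IPv6Interface(entry.get("subnet", "::/64"))
        if net.ip != net.network.network_address:
            findings.append("list-subnet-has-host-bits")
    # 2b. ip6-subnet is the interface address, so it needs a host part.
    addr = ipaddress.IPv6Interface(lan6.get("ip6-subnet", "::/64"))
    if addr.ip == addr.network.network_address:
        findings.append("ip6-subnet-lacks-host-part")
    # 3. RA workaround: max interval reduced from the 600 s default to <= 30 s.
    if int(lan6.get("ip6-max-interval", 600)) > 30:
        findings.append("ra-interval-not-reduced")
    return findings

# Constructed sample: the LAN side uses IAID 7 while wan1 requests IAID 5,
# and the RA interval is left at its default.
SAMPLE = "\n".join([
    'config system interface', 'edit "wan1"', 'set mode pppoe',
    'config ipv6', 'set dhcp6-prefix-delegation enable',
    'config dhcp6-iapd-list', 'edit 5', 'next', 'end', 'end', 'next',
    'edit "internal"', 'config ipv6', 'set ip6-mode delegated',
    'set ip6-subnet ::1/64', 'config ip6-delegated-prefix-list', 'edit 1',
    'set upstream-interface "wan1"', 'set delegated-prefix-iaid 7',
    'set subnet ::/64', 'next', 'end', 'end', 'next', 'end',
])
```

Calling check_dual_stack(parse(SAMPLE)) reports the IAID mismatch and the unreduced RA interval; a configuration laid out like the complete example above returns an empty list.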

Troubleshooting and Common Issues

Even with correct configuration, several issues commonly arise in FortiGate PPPoE implementations:

IPv6 Routing Table Display Bug

In FortiOS 7.6.1, the command get router info6 routing-table may not display the default IPv6 route obtained from the ISP's Router Advertisement, though diagnose ipv6 route list shows it correctly. This is a display issue rather than a functional problem.

Delayed IPv6 Client Addressing

Due to a bug in Router Advertisement response handling, clients may not immediately obtain IPv6 addresses. The workaround involves reducing RA intervals as shown in the configuration above. Without this adjustment, clients might wait up to 10 minutes (default RA interval) for address configuration.

Dynamic Address Changes

Most residential ISPs provide dynamic IP addressing, meaning both IPv4 addresses and IPv6 prefixes can change after reconnection events. This necessitates robust internal DNS and connection tracking for services requiring consistent addressing.

FAQ: FortiGate PPPoE Configuration

Why can't I configure advanced PPPoE settings through the FortiGate GUI?

FortiGate's web interface provides limited PPPoE configuration options, particularly for IPv6 and dual-stack implementations. The CLI offers comprehensive control over all parameters, making it necessary for complex deployments. This design reflects Fortinet's enterprise focus, where CLI configuration is standard practice.

How do I determine the correct "delegated-prefix-iaid" value for my configuration?

The IAID (Identity Association Identifier) varies by FortiOS version and potentially by ISP requirements. Version 7.6.1 defaults to "5" for the DHCPv6 IAPD list. Check your specific FortiOS documentation or use diagnostic commands like diagnose ipv6 address list to examine current delegations and their identifiers.

What should I do if my internal clients aren't getting IPv6 addresses?

First, verify the PPPoE connection has established IPv6CP and obtained a prefix via DHCPv6-PD using diagnose ipv6 address list. Then, check that Router Advertisements are being sent on the internal interface with diagnose ipv6 ra interface internal. If RAs are being sent but clients aren't responding, try reducing the RA intervals as shown in the configuration example.

Why does my IPv6 default route not appear in the routing table?

This is a known display issue in some FortiOS versions. Use diagnose ipv6 route list instead of get router info6 routing-table to view all IPv6 routes, including the default route obtained via Router Advertisement from the ISP.

Can I use PPPoE with VLAN tagging on FortiGate?

Yes, FortiGate supports VLAN configurations with PPPoE. You would configure the physical interface for VLAN operation first, then apply PPPoE configuration to the VLAN subinterface. The specific implementation depends on whether your ISP requires VLAN tagging for PPPoE sessions.

How do I monitor my PPPoE connection status?

Use commands like diagnose pppoe interface list to view PPPoE session status, get system interface physical to see interface states, and diagnose ipv6 address list to verify IPv6 address assignments. For detailed debugging, diagnose debug application pppd -1 and diagnose debug enable provide real-time connection establishment details.

Conclusion

Configuring PPPoE on FortiGate firewalls, particularly for dual-stack IPv4/IPv6 environments, requires careful attention to detail and an understanding of both PPPoE protocols and FortiOS-specific implementation characteristics. While the graphical interface provides basic configuration options, the command-line interface remains essential for complete control, especially for IPv6 deployments with DHCPv6 Prefix Delegation.

Successful implementation depends not only on correct FortiGate configuration but also on understanding your ISP's specific requirements, which can vary significantly between providers. The configuration examples and troubleshooting guidance provided here offer a solid foundation, but administrators should always consult their ISP's documentation and test configurations thoroughly before deploying to production environments.

As network technologies continue to evolve, maintaining updated knowledge of FortiOS capabilities and limitations will remain crucial for network professionals managing FortiGate firewalls in PPPoE environments.