Configure IPv6 for an External Interface
You can configure the external interface with an IPv6 address in addition to the IPv4 address. IPv6 is not enabled on any interface by default. When you enable IPv6 for an external interface, you can configure the interface with one or more static IPv6 addresses, and enable IP address autoconfiguration. You can also configure the interface to use DHCP to get an IPv6 address, and enable the interface as a DHCPv6 client for prefix delegation.
If you use DHCP to get an IPv6 address, or for IPv6 prefix delegation, you can view the assigned IP address and prefix in the Status Report tab in Firebox System Manager.
This topic describes IPv6 settings for an external interface. For information about IPv6 settings for a trusted or optional interface, go to Configure IPv6 for a Trusted or Optional Interface.
You cannot use these special purpose IP addresses as an IPv6 interface address:
- IP addresses that start with 2002, unless bits 17-48 specify a valid IPv4 address
- IP addresses that start with FE80, because this specifies a link local address
- IP addresses that start with FEC0, because this specifies a site local address
- IP addresses that start with FF, because this is used for IPv6 multicast addresses
In Fireware v12.9.2 or higher, you can use an IPv6 static address to configure an interface when you have a link local address as the default gateway.
When you configure an IPv6 address for an interface, you must also configure an IPv4 address. All Firebox interfaces require IPv4 addresses.
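The address restrictions listed above can be checked before you type a static address into the interface settings. The following is an added example, not WatchGuard code: it reads "start with FE80, FEC0, FF" as the standard ranges fe80::/10, fec0::/10 and ff00::/8, and assumes a "valid IPv4 address" in a 2002 address means a globally routable one. The function name and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the page's "start with FE80 / FEC0 / FF" maps to these ranges.
BLOCKED = [
    (ipaddress.IPv6Network("fe80::/10"), "link-local address"),
    (ipaddress.IPv6Network("fec0::/10"), "site-local address"),
    (ipaddress.IPv6Network("ff00::/8"), "multicast address"),
]
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def check_interface_address(text):
    """Return (ok, reason) for a candidate static IPv6 address, e.g. 'addr/64'."""
    try:
        iface = ipaddress.IPv6Interface(text)
    except ValueError as exc:
        return False, f"not an IPv6 address: {exc}"
    addr = iface.ip
    for net, label in BLOCKED:
        if addr in net:
            return False, label
    if addr in SIX_TO_FOUR:
        # Bits 17-48, counted from the most significant bit, carry the IPv4 address.
        embedded = ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
        # Assumption: "valid" is taken to mean globally routable unicast.
        if not embedded.is_global:
            return False, f"2002 prefix embeds non-global IPv4 {embedded}"
        return True, f"2002 prefix embeds IPv4 {embedded}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample addresses.
    samples = ["2001:db8::1/64", "fe80::1/64", "fec0::1/64", "ff02::1/128",
               "2002:808:808::1/48", "2002:a00:1::1/48", "not-an-address"]
    for candidate in samples:
        print(candidate, "->", check_interface_address(candidate))
```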
Enable IPv6
Before you can configure IPv6 settings, you must enable IPv6 in the interface settings.

- Select Network > Interfaces.
The Network Interfaces page appears.
- Select an external interface. Click Configure.
The Interface Settings dialog box appears.
- Select the IPv6 tab.
- Select the Enable IPv6 check box.
- Configure the IPv6 network settings, as described in the Add a Static IPv6 Address section.

- Select Network > Configuration.
The Network Configuration dialog box appears.
- Select an external interface. Click Configure.
The Interface Settings dialog box appears.
- Select the IPv6 tab.
- Select the Enable IPv6 check box.
- Configure the IPv6 network settings, as described in the Add a Static IPv6 Address section.
Add a Static IPv6 Address
To add a static IPv6 address:
- Adjacent to the Static IPv6 Addresses list, click Add.
The Add Static IPv6 Address dialog box appears.
- Type the IPv6 IP address and the routing prefix length.
- Click OK.
The IP address is added to the list.
Use IPv6 Address Autoconfiguration
IPv6 address autoconfiguration enables the device to automatically assign an IPv6 link-local address to this interface. When you enable IP address autoconfiguration, the external interface is automatically enabled to receive IPv6 router advertisements. With IPv6 address autoconfiguration enabled, it is not necessary to specify a default gateway.
To enable IPv6 Address Autoconfiguration:
Select the IP Address Autoconfiguration check box in the IPv6 tab.
For more information about IPv6 stateless address autoconfiguration, go to RFC 4862.
Use DHCPv6 to get an IPv6 Address
You can enable a DHCPv6 client on this interface to request an IP address from a DHCPv6 server. To get IPv6 addresses, the DHCPv6 client can use a rapid two-message exchange (solicit, reply) or a four-message exchange (solicit, advertise, request, reply). By default, the DHCPv6 client uses the four-message exchange. To use the two-message exchange to establish a connection more quickly, enable the Rapid Commit option on the interface and on the DHCPv6 server.
To enable DHCPv6 for the interface:
- Select Enable DHCPv6 Client.
- (Optional) Select the Rapid Commit check box if you want to use a rapid two-message exchange to get an IPv6 address.
Use DHCPv6 to get a Delegated IPv6 Prefix
You can enable a DHCPv6 client on this interface to request an IPv6 network address prefix from a DHCP server on an external network. After you enable prefix delegation, you can use the prefix in the IPv6 settings for your trusted, optional, and custom interfaces. To get an IPv6 prefix, the DHCPv6 client can use a rapid two-message exchange (solicit, reply) or a four-message exchange (solicit, advertise, request, reply). By default, the DHCPv6 client uses the four-message exchange. To use the two-message exchange, enable the Rapid Commit option on the interface and on the DHCPv6 server.
To enable DHCPv6 prefix delegation for the interface:
- Select Enable DHCPv6 Client Prefix Delegation.
- (Optional) Select the Rapid Commit check box if you want to use a rapid two-message exchange to get an IPv6 address.
For more information about prefix delegation, go to About DHCPv6 Prefix Delegation.
About Identity Association for Prefix Delegation and Non-Temporary Address Options
Some service providers require the Firebox (the DHCPv6 client) to send specific arguments or options as part of the initial negotiation to obtain an IPv6 address.
In Fireware v12.11.3 and higher, when you enable DHCPv6 Client Prefix Delegation, this enables DHCPv6 Client Option 25 (Identity Association for Prefix Delegation) by default and also provides the option to enable DHCPv6 Client Option 3 (Identity Association for Non-Temporary Address) and set a custom IAID (Identity Association Identifier).
Both Option 25 and Option 3 share the same IAID. If you configure a custom IAID, both options use this custom IAID. If you do not set a custom IAID, these options use the default IAID value that is based on the last four octets of the MAC address of the external interface of the Firebox.

- Select Enable DHCPv6 Client Prefix Delegation.
DHCPv6 Client Option 3 settings in Fireware Web UI
DHCPv6 Client Option 3 settings in WatchGuard System Manager
- Select Perform IA_NA address query over DHCPv6 (Option 3).
- (Optional) Select Use custom IAID to configure a custom IAID. The IAID uniquely identifies this DHCPv6 client interface on the Firebox.
For example, some service providers might request a custom IAID value, such as 00000001, to receive a delegated prefix.
Enter a hexadecimal value between 00000000 and FFFFFFFF. If you do not set a custom IAID, the Firebox uses a default IAID value based on the last four octets of the MAC address of the external interface of the Firebox.
- (Optional) Select the Rapid Commit check box to use a rapid two-message exchange to get an IPv6 address.
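To confirm in a packet capture that the options above are sent as configured, it helps to know what they look like on the wire. The following is an added example, not Firebox code: it builds a DHCPv6 Solicit in the RFC 8415 layout with Option 25, optional Option 3 and Rapid Commit (option 14), then decodes it to check that both IA options carry the same IAID. The DUID, transaction ID and function names are constructed for illustration.

```python
import string
import struct

# DHCPv6 message type and option codes from RFC 8415.
MSG_SOLICIT = 1
OPT_CLIENTID, OPT_IA_NA, OPT_ELAPSED, OPT_RAPID_COMMIT, OPT_IA_PD = 1, 3, 8, 14, 25
SAMPLE_DUID = bytes.fromhex("00030001020000000001")  # constructed DUID-LL


def parse_iaid(text):
    """Validate a custom IAID: hexadecimal, 00000000 through FFFFFFFF."""
    if not (1 <= len(text) <= 8 and all(c in string.hexdigits for c in text)):
        raise ValueError(f"IAID must be 1-8 hex digits: {text!r}")
    return int(text, 16)


def option(code, payload=b""):
    """Encode one option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def build_solicit(iaid, ia_na=False, rapid_commit=False, xid=0x123456):
    ia_body = struct.pack("!III", iaid, 0, 0)  # IAID, T1, T2 (0 = no preference)
    msg = bytes([MSG_SOLICIT]) + xid.to_bytes(3, "big")
    msg += option(OPT_CLIENTID, SAMPLE_DUID) + option(OPT_ELAPSED, b"\x00\x00")
    msg += option(OPT_IA_PD, ia_body)          # Option 25, prefix delegation
    if ia_na:
        msg += option(OPT_IA_NA, ia_body)      # Option 3, same IAID as Option 25
    if rapid_commit:
        msg += option(OPT_RAPID_COMMIT)        # zero-length flag option
    return msg


def summarize(msg):
    """Decode a message into its type, per-option IAIDs and Rapid Commit flag."""
    out = {"type": msg[0], "iaid": {}, "rapid_commit": False}
    pos = 4  # skip message type and 3-byte transaction ID
    while pos < len(msg):
        if pos + 4 > len(msg):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", msg, pos)
        body = msg[pos + 4:pos + 4 + length]
        if len(body) != length or (code in (OPT_IA_NA, OPT_IA_PD) and length < 12):
            raise ValueError(f"truncated option {code}")
        if code in (OPT_IA_NA, OPT_IA_PD):
            out["iaid"][code] = struct.unpack_from("!I", body)[0]
        elif code == OPT_RAPID_COMMIT:
            out["rapid_commit"] = True
        pos += 4 + length
    return out
```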
Configure the Default Gateway
When you enable IPv6 for an external interface, if you do not enable IPv6 address autoconfiguration, you must specify the default IPv6 gateway.
To specify the default gateway:
In the Default Gateway text box, type the IPv6 address of the default gateway.
Other IPv6 Settings
For information about the Hop Limit and DAD Transmits settings, go to Configure IPv6 Connection Settings.