Technical Tip: How to enable DHCPv6 server to automatically add routing for IPv6 Prefix Delegation

Before v7.6.3, IPv6 Prefix Delegation is configured according to the following guide: IPv6 prefix delegation

The scenario is like this:

For IP assignment:

FortiGate (DHCP6 server) --->  CPE/ONT  --- > End-Users (PC’s, Tablets, etc)

For Internet traffic:
End-Users (PC’s, Tablets, etc) --- > CPE/ONT --- > FortiGate ---> Internet

After FortiGate acts as a DHCP Server with an IPv6 subnet of /40, the CPE/ONT should receive a Prefix of /64 via the Prefix Delegation.

The endpoint then got an IP, and when it tries to reach the Internet, traffic is dropped on the FortiGate side due to a missing route on the FortiGate to return the traffic to the correct ONT/CPE.

For example:

FGT-HUB # show system dhcp6 server
config system dhcp6 server
   edit 2
     set subnet 2803:4320:1100::/40
     set interface "VLAN300"

        config prefix-range

           edit 1

            set start-prefix 2803:4320:1100:100::

            set end-prefix 2803:4320:11ff::

            set prefix-length 64

          next

       end
   next
end

The DHCP6 server is assigned the prefixes according to the configuration:

FGT-HUB # execute dhcp6 lease-list
Interface   DUID                           IAID    IP/Prefix                  Expiry
VLAN300     00:03:00:01:b3:f3:a4:ff:4d:65  1000    2803:4320:1100:100::/64    Wed Apr 2 16:08:14 2025

VLAN300     00:03:00:01:60:70:2c:99:c2:de   99     2803:4320:1100:101::/64    Mon Mar 31 02:15:06 2025

The endpoint received an IP, and when it tries to browse to the Internet traffic is dropped on the FortiGate side due to 'reverse path check failed':

FGT-HUB # id=65308 trace_id=7 func=resolve_ip6_tuple_fast line=5065 msg="vd-root:0 received a packet(proto=58, 2803:4320:1100:100:b91a:6353:4190:a960:1->2607:f8b0:4008:809::200 from VLAN300. type=128, code=0, id=1, seq=12."
id=65308 trace_id=7 func=resolve_ip6_tuple line=5209 msg="allocate a new session-0000eba2"
id=65308 trace_id=7 func=ip6_route_input line=2190 msg="reverse path check failed, drop" <---

This is expected because there is no route to send the traffic back to the client; instead, a default route is shown on routing-table:

FGT-HUB # get router info6 routing-table 2803:4320:1100:100:b91a:6353:4190:a960

Routing table for VRF=0
Routing entry for ::/0
Known via "static", distance 1, metric 0, best
Last update 1w2d05h ago
* via 2803:4320:401::25, VLAN200 <--- route is associated to VLAN200

On v7.6.3, a new feature was introduced to allow FortiGate to automatically install a route for each IPv6 Delegated prefix and remove it once the lease expires:

FGT-HUB # get system status | grep Version
Version: FortiGate-VM64 v7.6.3,build3510,250415 (GA.F)  <-----

FGT-HUBDC1 (2) # config system dhcp6 server
     edit 2
        set subnet 2803:4320:1100::/40
        set interface "VLAN300"
        set delegated-prefix-route enable <-----
          config prefix-range
             edit 1
                 set start-prefix 2803:4320:1100:100::
                 set end-prefix 2803:4320:11ff::
                 set prefix-length 64
             next
         end
     next
end

There are two possible options for 'delegated-prefix-route':

FGT-HUBDC1 (2) # set delegated-prefix-route

1. disabled: To disable automatically adding routing for the delegated prefix. <----- This is the default value
2. enabled: To automatically add routing for the delegated prefix.

For example, when 'delegated-prefix-route' is enabled and one prefix is delegated, then the route is automatically added to the FortiGate routing-table:

FGT-HUB # get router info6 routing-table 2803:4320:1100:100:54ec:fb84:9b82:a43f

Routing table for VRF=0
Routing entry for 2803:4320:1100:100::/64
Known via "static", distance 10, metric 0, best
Last update 00:03:59 ago
* via 2803:4320:1100:0:a6f3:3bff:fe4a:4c55, VLAN300 < ---