snobs
New Member
March 30, 2012
Question

[IPv6] link local address for gateway

Hi, I want my Fortigate to have a link-local address for next hop/gateway.

system interface port4

    config system interface
        edit "port4"
            set vdom "root"
            set type physical
            set alias "external"
            config ipv6
                set ip6-address fe80::10:20:30:5/128
                set ip6-allowaccess ping
            end
        next
    end

    config router static6
        edit 1
            set device "port4"
            set gateway fe80::10:20:30:1
        next
    end

Unfortunately it doesn't work at all. From the switch (having fe80::10:20:30:1) I can ping the Fortigate (having fe80::10:20:30:5/128) but not the other way round. Also routing fails. Perhaps the Fortinet doesn't know what interface to take for the FE80 address? But port4 is specified. Did I miss something? Does anyone know what's going wrong?

    7 replies

    emnoc
    New Member
    March 30, 2012
    Man, I never heard of anyone using a FE80 for a next-hop gateway. That address should be local to the link. As a matter of fact, a link-local packet should never leave the link (no forwarding). So why do you want a link-local for a next-hop-gw is the real question?
    ddskier
    New Member
    March 30, 2012
    I believe by default FE80 (Link-Local) was not routable by definition of IPv6. See: http://en.wikipedia.org/wiki/Link-local_address
    emnoc
    New Member
    March 30, 2012
    Agreed in some cases, we use the link-local address on every one of our links since it's link-local. If you have to use a link-local address, make sure it's truly unique throughout your FGT configuration.
    snobs (Author)
    New Member
    March 31, 2012
    Hi, thanks for your answer. The mentioned gateway with FE80 address is actually directly connected to the Fortigate. Also it is unique. As mentioned before, I can ping the link-local address from the gateway, but not the other way round. So, shouldn't that work, too?
    emnoc
    New Member
    March 31, 2012
    No, because typically these addresses are used for neighborship discovery, and once again, I have never seen anyone just use a link-local address in the fashion that you have and with a default IPv6 route gateway. I don't even know for sure that the FGT will execute IPv6 pings and source from a FE80 address either. 2nd, your /128 is not going to do you any good, or that much good. Typically FE80s are assigned into a /64 prefix. That /128 is equal to a /32 in the IPv4 world. FWIW: you should really read up on IPv6 best practices and designs to avoid a lot of headaches. That's the only thing that I can think of immediately that looks strange. Good luck in whatever way you proceed.
    snobs (Author)
    New Member
    April 1, 2012
    Well, the question was not whether this works at all, because it seems to work elsewhere, just google around. The question is, why doesn't it work on the Fortigate? Some mistyping? For pinging, it seems I cannot tell a Fortigate to take a specific interface for pinging the link-local address, like e.g. "ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205"
    ddskier
    New Member
    April 12, 2012
    Ok, putting aside the link-local address not being routable. The issue is your IPv6 address setup. Change "set ip6-address fe80::10:20:30:5/128" to "set ip6-address fe80::10:20:30:5/64" and see if it works.
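
The prefix-length point from the last reply, as an added example that is not part of the original thread: a small Python check that parses the two config blocks from the first post and reports static6 routes whose link-local gateway lies outside the prefix configured on the outgoing interface. It only does the address arithmetic and assumes nothing about how FortiOS itself resolves the next hop; the function names `parse` and `check` are hypothetical.

```python
import ipaddress

# Constructed input: the two config blocks from the first post, as text.
CONFIG = '''
config system interface
    edit "port4"
        set vdom "root"
        config ipv6
            set ip6-address fe80::10:20:30:5/128
            set ip6-allowaccess ping
        end
    next
end
config router static6
    edit 1
        set device "port4"
        set gateway fe80::10:20:30:1
    next
end
'''

def parse(config):
    """Return ({interface: IPv6Interface}, [(device, gateway)])."""
    addrs, routes, section, entry = {}, [], None, {}
    for line in config.splitlines():
        w = line.replace('"', "").split()
        if w[:1] == ["config"] and len(w) == 3:
            section = w[2]                      # "interface" or "static6"
        elif w[:1] == ["edit"]:
            entry = {"name": w[1]}
        elif w[:1] == ["set"] and len(w) >= 3:
            entry[w[1]] = w[2]
        elif w[:1] == ["next"]:                 # entry complete, file it
            if section == "interface" and "ip6-address" in entry:
                addrs[entry["name"]] = ipaddress.IPv6Interface(entry["ip6-address"])
            elif section == "static6" and "gateway" in entry:
                routes.append((entry.get("device"), ipaddress.IPv6Address(entry["gateway"])))
    return addrs, routes

def check(config):
    """List link-local gateways not covered by the device's own prefix."""
    addrs, routes = parse(config)
    findings = []
    for device, gw in routes:
        iface = addrs.get(device)
        if gw.is_link_local and (iface is None or gw not in iface.network):
            net = iface.network if iface else "no ip6-address"
            findings.append(f"{gw} via {device}: outside {net}")
    return findings
```

Running `check(CONFIG)` flags the route as posted; the same text with `/128` replaced by `/64` produces no findings.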