FortiGate
ojacinto (Staff)
Article Id 389238
Description This article describes the option to allow a DHCPv6 server to automatically add routing for IPv6 Prefix Delegation.
Scope FortiGate v7.6.3.
Solution

Before v7.6.3, IPv6 Prefix Delegation is configured according to the following guide: IPv6 prefix delegation
The scenario is like this:

For IP assignment:

FortiGate (DHCP6 server) ---> CPE/ONT ---> End-Users (PCs, Tablets, etc.)

For Internet traffic:

End-Users (PCs, Tablets, etc.) ---> CPE/ONT ---> FortiGate ---> Internet
When FortiGate acts as the DHCPv6 server for an IPv6 subnet of /40, each CPE/ONT should receive a /64 prefix via Prefix Delegation.
The endpoint then obtains an IP address from that prefix, but when it tries to reach the Internet, the traffic is dropped on the FortiGate side because FortiGate has no route back to the correct ONT/CPE for the return traffic.

For example:

FGT-HUB # show system dhcp6 server
config system dhcp6 server
    edit 2
        set subnet 2803:4320:1100::/40
        set interface "VLAN300"
        config prefix-range
            edit 1
                set start-prefix 2803:4320:1100:100::
                set end-prefix 2803:4320:11ff::
                set prefix-length 64
            next
        end
    next
end
The DHCP6 server assigns prefixes according to that configuration:

FGT-HUB # execute dhcp6 lease-list
Interface   DUID                           IAID    IP/Prefix                  Expiry
VLAN300     00:03:00:01:b3:f3:a4:ff:4d:65  1000    2803:4320:1100:100::/64    Wed Apr 2 16:08:14 2025
VLAN300     00:03:00:01:60:70:2c:99:c2:de  99      2803:4320:1100:101::/64    Mon Mar 31 02:15:06 2025
The endpoint received an IP address, but when it tries to browse the Internet, the traffic is dropped on the FortiGate side with 'reverse path check failed':
FGT-HUB # id=65308 trace_id=7 func=resolve_ip6_tuple_fast line=5065 msg="vd-root:0 received a packet(proto=58, 2803:4320:1100:100:b91a:6353:4190:a960:1->2607:f8b0:4008:809::200 from VLAN300. type=128, code=0, id=1, seq=12."
id=65308 trace_id=7 func=resolve_ip6_tuple line=5209 msg="allocate a new session-0000eba2"
id=65308 trace_id=7 func=ip6_route_input line=2190 msg="reverse path check failed, drop" <---
This is expected: there is no route for the delegated prefix to send the traffic back to the client, so the route lookup for the client address matches only the default route in the routing table:
FGT-HUB # get router info6 routing-table 2803:4320:1100:100:b91a:6353:4190:a960

Routing table for VRF=0
Routing entry for ::/0
Known via "static", distance 1, metric 0, best
Last update 1w2d05h ago
* via 2803:4320:401::25, VLAN200 <--- the route is associated with VLAN200, not the DHCP6 server interface VLAN300
In v7.6.3, a new feature was introduced that allows FortiGate to automatically install a route for each delegated IPv6 prefix and remove it once the lease expires:
FGT-HUB # get system status | grep Version
Version: FortiGate-VM64 v7.6.3,build3510,250415 (GA.F)  <-----
FGT-HUBDC1 (2) # config system dhcp6 server
    edit 2
        set subnet 2803:4320:1100::/40
        set interface "VLAN300"
        set delegated-prefix-route enable <-----
        config prefix-range
            edit 1
                set start-prefix 2803:4320:1100:100::
                set end-prefix 2803:4320:11ff::
                set prefix-length 64
            next
        end
    next
end


There are two possible values for 'delegated-prefix-route':

FGT-HUBDC1 (2) # set delegated-prefix-route

  1. disable: Do not automatically add routing for the delegated prefix. <----- This is the default value
  2. enable: Automatically add routing for the delegated prefix.

For example, when 'delegated-prefix-route' is enabled and a prefix is delegated, the route for that prefix is automatically added to the FortiGate routing table, pointing at the CPE/ONT that received it:


FGT-HUB # get router info6 routing-table 2803:4320:1100:100:54ec:fb84:9b82:a43f

Routing table for VRF=0
Routing entry for 2803:4320:1100:100::/64
Known via "static", distance 10, metric 0, best
Last update 00:03:59 ago
* via 2803:4320:1100:0:a6f3:3bff:fe4a:4c55, VLAN300 <---
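As an added check that is not part of the original article, the following Python script parses lease-list output in the format shown above and, given a list of routing table entries, reports the delegated prefixes whose longest-match route does not exit the DHCP6 server interface. Those are exactly the prefixes whose clients hit 'reverse path check failed' before v7.6.3 (or with 'delegated-prefix-route' left at disable). The lease lines and route entries are constructed samples modelled on the outputs above, not captures from a device.

```python
import ipaddress

# Constructed sample in the format of 'execute dhcp6 lease-list' (not a real capture).
LEASE_LIST = """\
Interface   DUID                           IAID    IP/Prefix                  Expiry
VLAN300     00:03:00:01:b3:f3:a4:ff:4d:65  1000    2803:4320:1100:100::/64    Wed Apr 2 16:08:14 2025
VLAN300     00:03:00:01:60:70:2c:99:c2:de  99      2803:4320:1100:101::/64    Mon Mar 31 02:15:06 2025
"""

# Constructed routing table as (prefix, outgoing interface): the default route via VLAN200
# plus the route that delegated-prefix-route would install for the first lease only.
ROUTES = [("::/0", "VLAN200"), ("2803:4320:1100:100::/64", "VLAN300")]


def parse_leases(text):
    """Return (interface, delegated prefix) pairs from lease-list output."""
    leases = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        iface, prefix = fields[0], fields[3]
        if "/" in prefix:                        # delegated prefixes carry a length
            leases.append((iface, ipaddress.IPv6Network(prefix)))
    return leases


def best_route(dst, routes):
    """Longest-prefix match: the (network, interface) FortiGate would use to reach dst."""
    matches = [(ipaddress.IPv6Network(p), i) for p, i in routes
               if dst in ipaddress.IPv6Network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def leases_without_return_route(text, routes):
    """Delegated prefixes whose return path does not leave via the DHCP6 interface.

    A client inside such a prefix fails the reverse path check: the packet arrives on
    the DHCP6 interface, but the best route back to its source points elsewhere.
    """
    missing = []
    for iface, prefix in parse_leases(text):
        client = prefix[1]                       # any address inside the delegated /64
        route = best_route(client, routes)
        if route is None or route[1] != iface:
            missing.append(str(prefix))
    return missing


if __name__ == "__main__":
    for p in leases_without_return_route(LEASE_LIST, ROUTES):
        print(f"no return route on DHCP6 interface for delegated prefix {p}")
```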