Description | This article describes the reason why an IPv6 gateway may not be reachable and a workaround using RFC6164. |
Scope | FortiGate. |
Solution |
An IPv6 subnet-router anycast address (RFC 4291, section 2.6.1) is the prefix of a subnet with all interface-identifier bits set to zero, i.e. the first address of the subnet. A simple analogy is the 'network address' of an IPv4 subnet. Every router attached to the subnet must treat this address as one of its own; it is not the unicast address of a single device.
In the example used in this article the ISP hands off the /126 subnet 2600:5000:9830::28/126. Its first address, 2600:5000:9830::28, is the subnet-router anycast address, and the addresses that remain for assignment to interfaces are:
2600:5000:9830::29
2600:5000:9830::2a
2600:5000:9830::2b
It is not recommended to configure a subnet-router anycast address on an interface as if it were a unicast address, but some ISPs deliver a subnet like the one above with their own device set to the subnet-router anycast address. The next hop (gateway) for the FortiGate would then be 2600:5000:9830::28.
To prevent this issue, starting with FortiOS 7.2.2 it is no longer possible to set a subnet-router anycast address as the gateway of an IPv6 static route. In earlier FortiOS versions the route can be configured, but the gateway is not reachable, as shown in the example below for a directly connected device:
# config system interface
    edit "port2"
        config ipv6
            set ip6-address 2600:5000:9830::29/126
            set ip6-allowaccess ping https http
        end
    next
end

# config router static6
    edit 1
        set gateway 2600:5000:9830::28
        set device "port2"
    next
end

With the above configuration the gateway is not reachable, and the next-hop device does not appear in the neighbor cache:

FGT1-A # execute ping6 2600:5000:9830::28
The reason is that 2600:5000:9830::28 is the subnet-router anycast address of 2600:5000:9830::28/126. The FortiGate is itself a router on that subnet and therefore owns the anycast address; it will never send a Neighbor Solicitation for it, so the address cannot resolve to the ISP device and must not be used as a gateway. If the ISP cannot change the address on their end, the workaround is to use a /127 prefix on the point-to-point link, as specified in RFC 6164. On a /127 there is no subnet-router anycast address, and both addresses of the prefix are ordinary unicast addresses.
With the configuration changed to /127 as below, the gateway is reachable and is listed in the neighbor cache.

# config system interface
    edit "port2"
        config ipv6
            set ip6-address 2600:5000:9830::29/127
            set ip6-allowaccess ping https http
        end
    next
end

# config router static6
    edit 1
        set gateway 2600:5000:9830::28
        set device "port2"
    next
end

FGT1-A # execute ping6 2600:5000:9830::28
--- 2600:5000:9830::28 ping statistics ---

FGT1-A # di ipv6 neighbor-cache list | grep 00:0c:29:01:3f:f2
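The following script is an added example, not part of the original article and not FortiOS code. It reproduces the check that FortiOS 7.2.2 applies to an IPv6 static route: it derives the subnet-router anycast address from the interface prefix, lists the addresses a neighbour may legitimately use, and rejects a gateway that equals the anycast address. It is run against the article's /126 hand-off and the RFC 6164 /127 workaround. The function names, and the treatment of link-local gateways as always acceptable, are assumptions of this example.

```python
import ipaddress

# Addresses below are the ones from the article's example; the helper
# names are this example's own (assumed), not FortiOS commands.


def subnet_router_anycast(iface_addr: str):
    """Subnet-router anycast address (RFC 4291 s2.6.1) of the prefix the
    interface lives in: prefix bits kept, all interface-ID bits zero.

    A /127 (RFC 6164) or /128 has no subnet-router anycast address, so
    None is returned for those prefix lengths."""
    net = ipaddress.IPv6Interface(iface_addr).network
    if net.prefixlen >= 127:
        return None
    return net.network_address


def usable_addresses(iface_addr: str):
    """Addresses a device on this link may legitimately be configured
    with. Restricted to prefixes of /120 or longer so the list stays small."""
    net = ipaddress.IPv6Interface(iface_addr).network
    if net.prefixlen < 120:
        raise ValueError("prefix too short to enumerate")
    anycast = subnet_router_anycast(iface_addr)
    return [addr for addr in net if addr != anycast]


def validate_static6(iface_addr: str, gateway: str):
    """Mimic the FortiOS 7.2.2+ validation of 'config router static6':
    refuse a gateway equal to the subnet-router anycast address of the
    egress interface's prefix. Returns (accepted, reason).

    Link-local gateways are accepted unconditionally here (assumption of
    this example: they are resolved directly on the interface and are
    never a subnet-router anycast address of a global prefix)."""
    iface = ipaddress.IPv6Interface(iface_addr)
    gw = ipaddress.IPv6Address(gateway)
    if gw.is_link_local:
        return True, f"gateway {gw} is link-local on {iface.network}"
    if gw == subnet_router_anycast(iface_addr):
        return False, (f"gateway {gw} is the subnet-router anycast address of "
                       f"{iface.network}; the router owns it itself and will "
                       f"never resolve it via neighbor discovery")
    return True, f"gateway {gw} is a unicast address on {iface.network}"


if __name__ == "__main__":
    # The article's ISP hand-off: /126 with the far end on ::28 (rejected),
    # then the RFC 6164 /127 workaround (accepted).
    for prefix in ("2600:5000:9830::29/126", "2600:5000:9830::29/127"):
        ok, why = validate_static6(prefix, "2600:5000:9830::28")
        usable = [str(a) for a in usable_addresses(prefix)]
        print(f"{prefix}: usable addresses {usable}")
        print(f"  {'ACCEPT' if ok else 'REJECT'}: {why}")
```

For the /126 the script prints ::29, ::2a and ::2b as usable and rejects ::28 as the gateway; for the /127 both ::28 and ::29 are usable and the same gateway is accepted, which matches the neighbor-cache behaviour shown above.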
Copyright 2024 Fortinet, Inc. All Rights Reserved.