I've been attempting to get IPv6 prefix delegation for longer than I want to admit. And I'm close, but no cigar.
So I request a /56 prefix from ISP.
Got: delegated-prefix iaid 1 : 2600:8800:ab81:a100::/56
YES, it works. So on the LAN I have SLAAC and DHCP Stateful server running.
I have a network IP checker, and it looks like Macs, Android, and others are getting it. For this Mac:
fe80::10e9:87a:620c:eeda
2600:8800:ab81:a101:edf6:9551:c99f:6228
So it LOOKS like it's working, but it's not. So if I look at the IPv6 addresses my Mac has, it has several with this prefix, but it also has several others. See attached below. But I have no idea where those ab81:4a00 are coming from, but all my computers are using those addresses and they are not externally routable. So no external web site can see my IPv6 address. Does anyone know where these other IPv6 addresses are coming from, or maybe more important, how can I get rid of them? I've come so far, but no cigar, and all my devices have these IPv6 addresses so they must be coming from the Fortigate. I'm on 7.4.7. THANKS IN ADVANCE.
Hi There,
I am uncertain how those specific devices are connected to the Internet and what the DNS settings are in your upstream devices, but I can confirm that both the network range ab81:4a00 and ab81:a100 belong to the same ISP. I would suggest raising this with your service provider.
Thanks,
Thanks. I did figure it out, I'm not sure how, but I did. I think some flags not in the GUI had to be set differently. I think your suggestion on talking to the ISP is a good one, in theory, but not too good in real life. COX only supports their own equipment, but they have this EXTRA cost program where for some price, per month, they provide support on any device. I had it back several months ago. Let me just say, their support people have VERY limited IPv6 knowledge, and "prefix delegation" is WAY over their heads.
While I'm ranting :) I will say I think Fortinet could do better also. The WAN side is straightforward. The LAN side, not so much. The GUI sometimes seems like an afterthought.
Anyway, thanks for your tips.
Hi,
If your FGT is acting as a DHCP server and only the 2600:8800:ab81:a100::/56 subnet is configured, I don't see any reason why the FGT will issue an address outside the configured range unless the address 2600:8800:ab81:4a00:: is coming from another upstream into DHCP RA advertisement.
Thanks,
So, on the LAN side, there is the selection of DHCP and Delegated. I picked Delegated.
-------
Then when you get to the bottom setting SLAAC and DHCPv6 server, you only tell it the WAN port name. So I guess that is the confusing part. On the WAN page, you select one or more IAPD prefix hints. Let's say I ask for 3, and it does give me three. So on the top of the LAN page, you set the IAPD, say to 1, and it fills in the Prefix. But under that there is a prefix delegation again. What is that for? How do you have a prefix delegation of a prefix delegation? Then on the bottom of the LAN screen, for SLAAC and DHCPv6, you ONLY pick a WAN port. I'm not clear how what gets where.
I have a second LAN. I want to use another part of the prefix delegation for that, but no delegation is displayed, instead it asks you to set even MORE IAPD and hints. I just don't get it.
And back to the original problem, my devices are still getting these ab81:4a00 addresses from somewhere. Luckily, for now, the devices seem to be ignoring them. So where are they coming from? I have no idea.
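
The check discussed in this thread, as an added example that is not from any of the posters or from Fortinet: it sorts a host's IPv6 addresses into link-local, inside the delegated /56 (with the /64 subnet index), or "foreign", which points to another router advertisement or DHCPv6 source on the segment. The first two sample addresses are the ones quoted in the thread; the third has a constructed host part on the 4a00 prefix mentioned above, and the function names are hypothetical.

```python
import ipaddress

def classify(delegated, addresses):
    """Return (address, verdict, /64, subnet index) for each IPv6 address.

    Assumes the delegated prefix is /64 or shorter (a /56 in the thread).
    """
    pd = ipaddress.IPv6Network(delegated)
    results = []
    for text in addresses:
        # Drop a zone id such as %en0 that ifconfig prints on link-local addresses
        addr = ipaddress.IPv6Address(text.split("%")[0])
        if addr.is_link_local:
            results.append((str(addr), "link-local", None, None))
            continue
        # Zero the low 64 bits to get the on-link /64 the host configured from
        lan64 = ipaddress.IPv6Network(((int(addr) >> 64) << 64, 64))
        if addr in pd:
            # Subnet index = bits between the delegation length and /64
            index = (int(lan64.network_address) - int(pd.network_address)) >> 64
            results.append((str(addr), "delegated", str(lan64), index))
        else:
            results.append((str(addr), "foreign", str(lan64), None))
    return results

def foreign_prefixes(results):
    """Distinct /64s that are not part of the delegation."""
    return sorted({net for _, verdict, net, _ in results if verdict == "foreign"})

# Delegated prefix and first two addresses are from the thread.
DELEGATED = "2600:8800:ab81:a100::/56"
SAMPLE = [
    "fe80::10e9:87a:620c:eeda",
    "2600:8800:ab81:a101:edf6:9551:c99f:6228",
    "2600:8800:ab81:4a00:1c2d:3e4f:5a6b:7c8d",  # constructed host part
]

if __name__ == "__main__":
    report = classify(DELEGATED, SAMPLE)
    for addr, verdict, net, index in report:
        print(f"{addr:42} {verdict:11} {net or '-':28} subnet={index}")
    print("prefixes not covered by the delegation:", foreign_prefixes(report))
```

Any prefix listed as foreign is worth tracing back to the router advertisement that announces it, for example by capturing ICMPv6 type 134 on the LAN and checking the source link-local address.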