[IPv6] link local address for gateway

snobs · ‎03-30-2012

Hi, I want my Fortigate having a link-local address for next hop/gateway.

 system interface port4
 -
 config system interface
     edit " port4" 
         set vdom " root" 
         set type physical
         set alias " external" 
             config ipv6
                 set ip6-address fe80::10:20:30:5/128
                 set ip6-allowaccess ping
             end
     next
 end

 config router static6
 -
     edit 1
         set device " port4" 
         set gateway fe80::10:20:30:1
     next
 end

Unfortunately it doesnÂ´t work at all. From the switch (having fe80::10:20:30:1) I can ping the Fortigate (having fe80::10:20:30:5/128) but not the other way round. Also routing fails. Perhaps the Fortinet doesnÂ´t know what interface to take for the FE80 address? But port4 is specified. Did I miss something? Does anyone know whatÂ´s going wrong?

emnoc · ‎03-30-2012

Man I never heard of any one usinga FE80 for a next-hop gateway. That address should be local to the link. As a matter of fact a linklocal packet should never leave the link ( no forwarding)

So why do you want a link-local for a next-hop-gw is the real question ?

PCNSE

NSE

StrongSwan

ddskier · ‎03-30-2012

I believe by default FE80 (Link-Local) was not routable by definition of IPv6. See: http://en.wikipedia.org/wiki/Link-local_address

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

emnoc · ‎03-30-2012

Agreed in some cases ,we use the link-local address on every one of our link since it' s link-local if you have to use a link-local address, make sure it' s true uniqu thru out your FGT configuration.

PCNSE

NSE

StrongSwan

snobs · ‎03-30-2012

Hi, thanks for your answer. The mentioned gateway with FE80 address is actually directly connected to the Fortigate. Also it is unique. As mentioned before, I can ping the link-local address from the gateway, but not the other way round. So, shouldnÂ´t that work, too?

emnoc · ‎03-31-2012

No because typically these address are use for neighborship discovery and once again, I never seen one just use a link local address in the fashion that you have and with a default ipv6 route-gateway, don' t even know for sure that the FGT will execute ipv6 pings and sources from a FE80 address either. 2nd, your /128 is not going to do you any good or that much good. Typically a FE80s are assigned into a /64 prefix. That /128 is equal to a /32 in ipv4 world. fwiw: You should really read up on ipv6 best practices and designs, to avoid a lot of headaches. That' s the only thing that I can think up immediately that looks strange. Good luck in whatever way you proceed.

PCNSE

NSE

StrongSwan

snobs · ‎04-01-2012

Well, the question was not whether this works at all, because it seems to work elsewhere, just google around The question is, why it doesnÂ´t work on the Fortigate? Some mistyping? For pinging, it seems I cannot tell a Fortigate to take a specific interface for pinging the link local address, like e.g. " ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205"

ddskier · ‎04-12-2012

Ok putting aside the the link-local address not being routable. The issue is your IPv6 Address setup. Change " set ip6-address fe80::10:20:30:5/128" to " set ip6-address fe80::10:20:30:5/64" and see if it works.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D