Routing – Fortigate and ipv6 routing

fortigate, ipv6, routing

I have a Fortigate router and my ISP supports IPv6. I'm getting a public IPv6 address on the Fortigate and also on the computers on the LAN (2a02:a18:9041….)

I don't have much understanding of IPv6, but as I understand it, the Fortigate and local addresses are configured via SLAAC (something like DHCP?).

I have enabled firewall policies allowing traffic from the local network and out.

But I'm still not able to make any IPv6 connections. I have also enabled "ping" for IPv6 on the wan interface, but I'm not able to ping the address the Fortigate gets from the outside world, and if I trace the route from outside, it stops at some IP at my ISP.

If I try a trace from a computer on the LAN:

 C:\WINDOWS\system32>tracert /6 /d /w 500 www.google.com

Tracing route to www.google.com [2a00:1450:400f:808::2004]
over a maximum of 30 hops:

  1     *     Destination net unreachable.

Trace complete.

If I look at the routing table on my Fortigate, it doesn't look like there is an IPv6 default gateway (I don't really know if this is needed in the same way as for IPv4).

If I look at the routing table on the Fortigate, it looks like this:

get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, B - BGP
       * - candidate default

Timers: Uptime

C       ::1/128 via ::, root, 2d17h28m
C       2a02:a18:....../128 via ::, wan1, 2d17h27m
C       2a02:a18:....../64 via ::, VLAN-30, 2d17h27m
C       fe80::/10 via ::, VLAN-30, 2d17h27m

Any idea why I'm not getting any IPv6 connectivity? My ISP's answer is only "We don't give any support for any other devices than the one we supplied" – which is some crap.

After adding a static default route (::/0) on the wan1 interface, I can route one hop with traceroute:

C:\WINDOWS\system32>tracert /6 /d /w 500 www.google.com

Tracing route to www.google.com [2a00:1450:400f:80d::2004]
over a maximum of 30 hops:

  1    27 ms     1 ms     2 ms  2a02:.....::1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4  Destination host unreachable.

Trace complete.

Best Answer

You have to add a default route. Try ping6 ff02::2%wan1 to determine the link-local addresses of your ISP router. Beware that other routers on the link might respond as well if your ISP doesn’t have proper filtering.
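
A check for the condition discussed above, added here as an example and not part of the original question or answer: it parses `get router info6 routing-table` output and reports whether a `::/0` route exists and whether it names a next-hop router. The sample tables are constructed with the documentation prefix 2001:db8::/32, and the static-route line format (`S* ::/0 [10/0] via ...`) is an assumption modelled on the connected-route lines in the question.

```python
import ipaddress
import re

# Matches route lines such as "C   2001:db8:0:30::/64 via ::, VLAN-30, 2d17h27m"
# and skips the legend; the "[distance/metric]" field is optional.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9]+)\*?\s+(?P<prefix>[0-9A-Fa-f:]+/\d{1,3})"
    r"(?:\s+\[\d+/\d+\])?\s+via\s+(?P<gw>[0-9A-Fa-f:]+),\s*(?P<dev>[^,\s]+)"
)

def parse_routes(text):
    """Return (code, network, gateway, device) for every route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        try:
            net = ipaddress.IPv6Network(m["prefix"], strict=False)
            gw = ipaddress.IPv6Address(m["gw"])
        except ValueError:
            continue  # malformed address that still passed the regex
        routes.append((m["code"], net, gw, m["dev"]))
    return routes

def default_route_status(text):
    """Classify the table: 'missing', 'no-next-hop' or 'ok'."""
    defaults = [r for r in parse_routes(text) if r[1].prefixlen == 0]
    if not defaults:
        return "missing"
    # A ::/0 entry whose gateway is "::" names only the interface, not a router.
    if all(gw.is_unspecified for _, _, gw, _ in defaults):
        return "no-next-hop"
    return "ok"

# Constructed sample tables (not taken from the post).
BEFORE = """\
C       ::1/128 via ::, root, 2d17h28m
C       2001:db8:0:1::10/128 via ::, wan1, 2d17h27m
C       2001:db8:0:30::/64 via ::, VLAN-30, 2d17h27m
C       fe80::/10 via ::, VLAN-30, 2d17h27m
"""
AFTER_IFACE_ONLY = BEFORE + "S*      ::/0 [10/0] via ::, wan1, 00:01:12\n"
AFTER_LINK_LOCAL = BEFORE + "S*      ::/0 [10/0] via fe80::1, wan1, 00:01:12\n"

if __name__ == "__main__":
    for name in ("BEFORE", "AFTER_IFACE_ONLY", "AFTER_LINK_LOCAL"):
        print(name, default_route_status(globals()[name]))
```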