Fortigate, IPv6 and /127
The other day I was sent to set up an IPv6 network for a customer. It was a clean setup with a Cisco router from the ISP and a Fortigate firewall on my side. The configuration parameters from the ISP were similar to the addresses shown below.
| Parameter | Address/prefix |
|---|---|
| My IP/mask | fe80:209::1034/127 |
| ISP IP/mask (and default gateway) | fe80:209::1033/127 |
I configured a static route6 on the firewall and set the IP address on the interface as shown above.
This did not work: I could ping the ISP router from my firewall, but clients could not ping any outside IP address (except my firewall's outside address).
I changed the network mask to /126 on my firewall and everything began to work.
I checked with Fortinet support and they gave me some RFCs to read.
- RFC 5375 strongly discourages the use of /127 prefixes; see section B2.2.
- RFC 3627 - Use of /127 Prefix Length Between Routers Considered Harmful.
This was tested on FortiOS 4.0 MR2 build 291.
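As an added check (not part of the original post, and not Fortinet's code), the following Python uses the standard ipaddress module to test the two things the RFCs above care about on a point-to-point prefix: that the peer address actually falls inside the prefix configured on the interface, and that neither endpoint is the subnet-router anycast address (the all-zeros interface identifier, which RFC 3627 identifies as the problem with /127). The 2001:db8:: addresses are constructed sample values; the fe80:209:: pair is the one printed above, which the post says is only similar to the real one.

```python
import ipaddress


def p2p_prefix_check(local_cidr: str, peer_addr: str) -> dict:
    """Sanity-check an IPv6 point-to-point link before committing it.

    local_cidr: the address/prefix configured on our interface, e.g. "2001:db8::1/127".
    peer_addr:  the peer's (default gateway's) address, e.g. "2001:db8::".
    Returns a dict of findings; 'ok' is True only when the peer is on-link and
    neither end collides with the subnet-router anycast address.
    """
    iface = ipaddress.IPv6Interface(local_cidr)
    peer = ipaddress.IPv6Address(peer_addr)
    net = iface.network
    # The all-zero interface identifier of any prefix is the subnet-router
    # anycast address; on a /127 one of the two usable addresses is exactly that.
    anycast = net.network_address
    findings = {
        "prefixlen": net.prefixlen,
        "peer_on_link": peer in net,
        "local_is_anycast": iface.ip == anycast,
        "peer_is_anycast": peer == anycast,
        "is_127": net.prefixlen == 127,
    }
    findings["ok"] = (
        findings["peer_on_link"]
        and not findings["local_is_anycast"]
        and not findings["peer_is_anycast"]
    )
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, plus the pair printed in the post above.
    for local, peer in [
        ("2001:db8::1/127", "2001:db8::"),     # peer sits on the anycast address
        ("2001:db8::2/126", "2001:db8::1"),    # clean /126 assignment
        ("fe80:209::1034/127", "fe80:209::1033"),  # the post's illustrative pair
    ]:
        print(local, "->", peer, p2p_prefix_check(local, peer))
```

On the pair as printed in the post, the check reports that the local address is itself the anycast address of its /127 and that the gateway is not even inside that /127, which is the kind of mismatch worth catching before blaming the firewall.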


1 Comment:
This came up as a recommended item in my Google Reader...the IETF has reversed its stance on /127 prefixes for point-to-point links due to unforeseen security issues. See http://tools.ietf.org/html/draft-kohno-ipv6-prefixlen-p2p-03 for the current draft that's heading to last call.