Thursday, December 23, 2010

Fortigate, IPv6 and /127

The other day I was sent to set up an IPv6 network for a customer. It was a clean setup with a Cisco router from the ISP and a Fortigate firewall on my side. The configuration parameters from the ISP were similar to the addresses shown below.

My IP/mask fe80:209::1034/127
ISP IP/mask (and default gateway) fe80:209::1033/127

I configured a static route6 on the firewall and set the IP address on the interface as shown above.

This did not work: I could ping the ISP router from my firewall, but clients could not ping any outside IP address (except my firewall's outside address).

I changed the network mask to /126 on my firewall and everything began to work.

I checked with Fortinet support and they gave me some RFCs to read.

  • RFC5375 strongly discourages using /127 addresses; see section B.2.2.
  • RFC3627 - Use of /127 Prefix Length Between Routers Considered Harmful.
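The two things worth checking before committing a prefix length on a point-to-point link are whether both ends actually land in the same subnet, and whether one of them ends up on the subnet-router anycast address (the address with all host bits zero, RFC 4291 section 2.6.1), which is the core objection RFC 3627 raises against /127: a two-address subnet cannot avoid it. The script below is an added example, not code from the post or from Fortinet; it uses Python's standard ipaddress module, and the addresses are constructed from the 2001:db8::/32 documentation prefix as stand-ins for the real customer/ISP pair.

```python
"""Point-to-point IPv6 link addressing check (added example, not from the post)."""
import ipaddress


def check_p2p(local: str, peer: str, prefixlen: int) -> dict:
    """Evaluate both ends of a point-to-point link under one prefix length.

    Returns the subnet each end falls in, whether the two subnets match
    (if not, the far end is off-link and a route via it cannot resolve),
    and which ends, if any, sit on their subnet-router anycast address.
    """
    local_if = ipaddress.IPv6Interface(f"{local}/{prefixlen}")
    peer_if = ipaddress.IPv6Interface(f"{peer}/{prefixlen}")

    # Each end is judged against the subnet its own address falls in; the
    # subnet-router anycast address is the network address of that subnet.
    anycast_hits = [
        str(end.ip)
        for end in (local_if, peer_if)
        if end.ip == end.network.network_address
    ]
    return {
        "prefixlen": prefixlen,
        "local_network": str(local_if.network),
        "peer_network": str(peer_if.network),
        "same_subnet": local_if.network == peer_if.network,
        "anycast_hits": anycast_hits,
    }


def longest_clean_prefixlen(local: str, peer: str, start: int = 127) -> int:
    """Return the longest prefix length (from `start` down to /64) at which both
    ends share a subnet and neither occupies the subnet-router anycast address."""
    for plen in range(start, 63, -1):
        result = check_p2p(local, peer, plen)
        if result["same_subnet"] and not result["anycast_hits"]:
            return plen
    raise ValueError("no prefix length between the start value and /64 satisfies both conditions")


if __name__ == "__main__":
    # Constructed pair: consecutive addresses, as an ISP might hand out.
    pair = ("2001:db8:209::1035", "2001:db8:209::1036")
    for plen in (127, 126):
        print(check_p2p(*pair, plen))
    print("longest clean prefix length:", longest_clean_prefixlen(*pair))
```

Run it and the /127 line shows the two ends in different subnets (::1034/127 versus ::1036/127) with ::1036 sitting on its subnet's anycast address, while /126 puts both in 2001:db8:209::1034/126 with neither on ::1034. For a pair such as ::1034 and ::1035 the function has to back off to /125 before the lower address stops being the anycast address, which is the RFC 3627 point: with /127 one of the two routers always holds it.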

This was tested on FortiOS 4.0 MR2 build 291.
