Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

IPv6 tunnel inherits MTU based on physical interface 7.0.2

The MTU of an IPv6 tunnel interface is calculated from the MTU of its parent interface minus headers.

Example

In this topology, FortiGate B and FortiGate D are connected over an IPv6 network. An IPv6 tunnel is formed, and IPv4 can be used over the IPv6 tunnel. The tunnel interface MTU is based on the physical interface MTU minus the IP and TCP headers (40 bytes). On FortiGate B's physical interface port5, the MTU is set to 1320. The IPv6 tunnel is based on port5, and its MTU value of 1280 is automatically calculated from the MTU value of its physical interface minus the header. The same is true for port3 on FortiGate D.

To verify the MTU for the IPv6 tunnel on FortiGate B:
  1. Configure port5:
    config system interface
        edit "port5"
            set vdom "root"
            set type physical
            set snmp-index 7
            config ipv6
                set ip6-address 2000:172:16:202::1/64
                set ip6-allowaccess ping
            end
            set mtu-override enable
            set mtu 1320
        next
    end
  2. Configure the IPv6 tunnel:
    config system ipv6-tunnel
        edit "B_2_D"
            set source 2000:172:16:202::1
            set destination 2000:172:16:202::2
            set interface "port5"
        next
    end
  3. Configure the tunnel interface:
    config system interface
        edit "B_2_D"
            set vdom "root"
            set ip 172.16.210.1 255.255.255.255
            set allowaccess ping https http
            set type tunnel
            set remote-ip 172.16.210.2 255.255.255.255
            set snmp-index 33
            config ipv6
                set ip6-address 2000:172:16:210::1/64
                set ip6-allowaccess ping
                config ip6-extra-addr
                    edit fe80::2222/10
                    next
                end
            end
            set interface "port5"
        next
    end
  4. Verify the interface lists:
    # diagnose netlink interface list port5
    if=port5 family=00 type=1 index=13 mtu=1320 link=0 master=0
    ref=68 state=start present fw_flags=0 flags=up broadcast run multicast
    Qdisc=mq hw_addr=**:**:**:**:**:** broadcast_addr=**:**:**:**:**:**
    stat: rxp=1577 txp=1744 rxb=188890 txb=203948 rxe=0 txe=0 rxd=0 txd=0 mc=825 collision=0 @ time=1631647112
    re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
    te: txa=0 txc=0 txfi=0 txh=0 txw=0
    misc rxc=0 txc=0
    input_type=0 state=3 arp_entry=0 refcnt=68
    
    # diagnose netlink interface list B_2_D
    if=B_2_D family=00 type=769 index=41 mtu=1280 link=0 master=0
    ref=25 state=start present fw_flags=0 flags=up p2p run noarp multicast
    Qdisc=noqueue local=0.0.0.0 remote=0.0.0.0
    stat: rxp=407 txp=417 rxb=66348 txb=65864 rxe=0 txe=61 rxd=0 txd=0 mc=0 collision=60 @ time=1631647126
    re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
    te: txa=0 txc=0 txfi=0 txh=0 txw=0
    misc rxc=0 txc=0
    input_type=0 state=3 arp_entry=0 refcnt=25
To verify the MTU for the IPv6 tunnel on FortiGate D:
  1. Configure port3:
    config system interface
        edit "port3"
            set vdom "root"
            set type physical
            set snmp-index 5
            config ipv6
                set ip6-address 2000:172:16:202::2/64
                set ip6-allowaccess ping
            end
            set mtu-override enable
            set mtu 1320
        next
    end
  2. Configure the IPv6 tunnel:
    config system ipv6-tunnel
        edit "D_2_B"
            set source 2000:172:16:202::2
            set destination 2000:172:16:202::1
            set interface "port3"
        next
    end
  3. Configure the tunnel interface:
    config system interface
        edit "D_2_B"
            set vdom "root"
            set ip 172.16.210.2 255.255.255.255
            set allowaccess ping https http
            set type tunnel
            set remote-ip 172.16.210.1 255.255.255.255
            set snmp-index 36
            config ipv6
                set ip6-address 2000:172:16:210::2/64
                set ip6-allowaccess ping
                config ip6-extra-addr
                    edit fe80::4424/10
                    next
                end
            end
            set interface "port3"
        next
    end
  4. Verify the interface lists:
    # diagnose netlink interface list port3
    # diagnose netlink interface list D_2_B

IPv6 tunnel inherits MTU based on physical interface 7.0.2

The MTU of an IPv6 tunnel interface is calculated from the MTU of its parent interface minus headers.

Example

In this topology, FortiGate B and FortiGate D are connected over an IPv6 network. An IPv6 tunnel is formed, and IPv4 can be used over the IPv6 tunnel. The tunnel interface MTU is based on the physical interface MTU minus the IP and TCP headers (40 bytes). On FortiGate B's physical interface port5, the MTU is set to 1320. The IPv6 tunnel is based on port5, and its MTU value of 1280 is automatically calculated from the MTU value of its physical interface minus the header. The same is true for port3 on FortiGate D.

To verify the MTU for the IPv6 tunnel on FortiGate B:
  1. Configure port5:
    config system interface
        edit "port5"
            set vdom "root"
            set type physical
            set snmp-index 7
            config ipv6
                set ip6-address 2000:172:16:202::1/64
                set ip6-allowaccess ping
            end
            set mtu-override enable
            set mtu 1320
        next
    end
  2. Configure the IPv6 tunnel:
    config system ipv6-tunnel
        edit "B_2_D"
            set source 2000:172:16:202::1
            set destination 2000:172:16:202::2
            set interface "port5"
        next
    end
  3. Configure the tunnel interface:
    config system interface
        edit "B_2_D"
            set vdom "root"
            set ip 172.16.210.1 255.255.255.255
            set allowaccess ping https http
            set type tunnel
            set remote-ip 172.16.210.2 255.255.255.255
            set snmp-index 33
            config ipv6
                set ip6-address 2000:172:16:210::1/64
                set ip6-allowaccess ping
                config ip6-extra-addr
                    edit fe80::2222/10
                    next
                end
            end
            set interface "port5"
        next
    end
  4. Verify the interface lists:
    # diagnose netlink interface list port5
    if=port5 family=00 type=1 index=13 mtu=1320 link=0 master=0
    ref=68 state=start present fw_flags=0 flags=up broadcast run multicast
    Qdisc=mq hw_addr=**:**:**:**:**:** broadcast_addr=**:**:**:**:**:**
    stat: rxp=1577 txp=1744 rxb=188890 txb=203948 rxe=0 txe=0 rxd=0 txd=0 mc=825 collision=0 @ time=1631647112
    re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
    te: txa=0 txc=0 txfi=0 txh=0 txw=0
    misc rxc=0 txc=0
    input_type=0 state=3 arp_entry=0 refcnt=68
    
    # diagnose netlink interface list B_2_D
    if=B_2_D family=00 type=769 index=41 mtu=1280 link=0 master=0
    ref=25 state=start present fw_flags=0 flags=up p2p run noarp multicast
    Qdisc=noqueue local=0.0.0.0 remote=0.0.0.0
    stat: rxp=407 txp=417 rxb=66348 txb=65864 rxe=0 txe=61 rxd=0 txd=0 mc=0 collision=60 @ time=1631647126
    re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
    te: txa=0 txc=0 txfi=0 txh=0 txw=0
    misc rxc=0 txc=0
    input_type=0 state=3 arp_entry=0 refcnt=25
To verify the MTU for the IPv6 tunnel on FortiGate D:
  1. Configure port3:
    config system interface
        edit "port3"
            set vdom "root"
            set type physical
            set snmp-index 5
            config ipv6
                set ip6-address 2000:172:16:202::2/64
                set ip6-allowaccess ping
            end
            set mtu-override enable
            set mtu 1320
        next
    end
  2. Configure the IPv6 tunnel:
    config system ipv6-tunnel
        edit "D_2_B"
            set source 2000:172:16:202::2
            set destination 2000:172:16:202::1
            set interface "port3"
        next
    end
  3. Configure the tunnel interface:
    config system interface
        edit "D_2_B"
            set vdom "root"
            set ip 172.16.210.2 255.255.255.255
            set allowaccess ping https http
            set type tunnel
            set remote-ip 172.16.210.1 255.255.255.255
            set snmp-index 36
            config ipv6
                set ip6-address 2000:172:16:210::2/64
                set ip6-allowaccess ping
                config ip6-extra-addr
                    edit fe80::4424/10
                    next
                end
            end
            set interface "port3"
        next
    end
  4. Verify the interface lists:
    # diagnose netlink interface list port3
    # diagnose netlink interface list D_2_B