Administration Guide

Next hop recursive resolution using IPv6 prefix with on-link flag from route aggregation New

When a FortiGate is acting as an IPv4 BGP neighbor and using stateful DHCPv6, it learns BGP routes with the IPv6 next hop belonging to an on-link prefix that is advertised through route aggregation (RA).

By default, the administrative distance for routes learned from the kernel is 255, and the routes do not interfere with the current route selection. To make the RA route usable by BGP, the distance must be set to less than 255 using the new kernel-route-distance command.

config router setting
    set kernel-route-distance <0-255>
end

If there are other user space routes with the same prefix, the best route is selected based on the distance.

To check the effect of changing the administrative distance:
  1. Configure FGT_A:

    config system interface
        edit "agg1"
            set vdom "root"
            set ip 172.16.203.1 255.255.255.0
            set allowaccess ping https http
            set type aggregate
            set member "port4"
            set alias "To_FGT_B_agg1"
            set lldp-transmission enable
            set snmp-index 40
            config ipv6
                set ip6-mode dhcp
                set ip6-allowaccess ping
            end
        next
    end
  2. Configure FGT_B (RA):

    config system interface
        edit "agg2"
            set vdom "root"
            set ip 172.16.203.2 255.255.255.0
            set allowaccess ping https http
            set bfd disable
            set type aggregate
            set member "port4"
            set alias "To_FGT_A_agg1"
            set lldp-transmission enable
            set snmp-index 28
            config ipv6
                set ip6-address 2001:4::133/64
                set ip6-allowaccess ping
                set ip6-send-adv enable
                set ip6-manage-flag enable
                set ip6-other-flag enable
                set ip6-max-interval 10
                set ip6-min-interval 5
                config ip6-prefix-list
                    edit 2001:4::/64
                    next
                end
            end
        next
    end
    config system dhcp6 server
        edit 1
            set subnet 2001:4::/64
            set interface "agg2"
            config ip-range
                edit 1
                    set start-ip 2001:4::11
                    set end-ip 2001:4::20
                next
            end
        next
    end
  3. By default, the learned kernel route has a distance of 255 and does not interfere with the current route selection:

    FGT_A (root)# get router info6 routing-table database
    IPv6 Routing Table
    Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
           IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, B - BGP, V - BGP VPNv6
           > - selected route, * - FIB route, p - stale info
    Timers: Uptime
    
    Routing table for VRF=0
    K    *  ::/0 via fe80::96f3:92ff:fe15:f7b, agg1, 00:00:20
    C    *> ::1/128 via ::, root, 00:03:33
    O       2000::1:1:1:1/128 [110/0] via ::, loopback1 inactive, 00:03:32, [1024/0]
    C    *> 2000::1:1:1:1/128 via ::, loopback1, 00:03:33
    O    *> 2000::2:2:2:2/128 [110/100] via fe80::96f3:92ff:fe15:f7b, agg1, 00:02:16, [1024/0]
    O    *> 2000::3:3:3:3/128 [110/100] via fe80::6d5:90ff:fedb:e538, port1, 00:02:35, [1024/0]
    O IA *> 2000::4:4:4:4/128 [110/1100] via fe80::96f3:92ff:fe15:f7b, agg1, 00:02:16, [1024/0]
    C    *> 2000:10:100:1::/126 via ::, R150, 00:03:33
    O       2000:10:100:1::4/126 [110/10000] via ::, R160, 00:03:32, [1024/0]
    C    *> 2000:10:100:1::4/126 via ::, R160, 00:03:33
    R    *> 2000:10:101:1::/64 [120/2] via fe80::3cd3:7cff:fed5:39, R150, 00:03:31, [1024/0]
    S    *> 2000:10:101:2::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
    S    *> 2000:10:101:3::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
    S    *> 2000:10:102:1::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
    S    *> 2000:10:103:1::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
    S    *> 2000:10:104:1::/64 [10/0] via ::, Null, 00:03:33, [1024/0]
    O    *> 2000:172:16::/48 [110/0] via ::, Null, 00:03:31, [1024/0]
    O       2000:172:16:200::/64 [110/100] via ::, port1, 00:03:32, [1024/0]
    C    *> 2000:172:16:200::/64 via ::, port1, 00:03:33
    O E2 *> 2000:172:16:201::/64 [110/10] via fe80::96f3:92ff:fe15:f7b, agg1, 00:02:16, [1024/0]
    O E2    2000:172:16:204::/64 [110/10] via fe80::96f3:92ff:fe15:f7b, agg1, 00:02:16, [1024/0]
    S    *> 2000:172:16:204::/64 [10/0] via 2000:172:16:200::4, port1, 00:03:33, [1024/0]
          >                      [10/0] via 2000:172:16:203::2, agg1 inactive, 00:03:33, [1024/0]
         *>                      [10/0] via 2000:172:16:206::2, vlan100, 00:03:33, [1024/0]
    C    *> 2000:172:16:206::/64 via ::, vlan100, 00:03:33
    O       2000:172:16:207::/64 [110/10000] via ::, GRE_1, 00:03:32, [1024/0]
    C    *> 2000:172:16:207::/64 via ::, GRE_1, 00:03:33
    S    *> 2000:172:16:209::/64 [5/0] via to_FG_B_root tunnel ::172.16.206.2, 00:03:33, [1/0]
    C    *> 2000:172:16:209::1/128 via ::, to_FG_B_root, 00:03:33
    R    *> 2000:172:16:209::2/128 [120/2] via fe80::96f3:92ff:fe15:f7b, vlan100, 00:03:10, [1024/0]
    R    *> 2000:172:16:210::/64 [120/2] via fe80::96f3:92ff:fe15:f7b, vlan100, 00:03:10, [1024/0]
    C    *> 2000:172:16:211::/64 via ::, sit_A_D, 00:03:33
    B    *> 2000:172:27:1::/64 [200/0] via 2000::2:2:2:2 (recursive via fe80::96f3:92ff:fe15:f7b, agg1), 00:01:25, [1024/0]
    K    *  2001:4::/64 via ::, agg1, 00:00:20
    O    *> 2001:4::/64 [110/100] via ::, agg1, 00:00:24, [1024/0]
    FGT_A (root)# get router info6 routing-table kernel
    No route available
  4. Change the distance to 254:

    FGT_A (root)# config router setting
        set kernel-route-distance 254
    end
  5. Now there is a kernel route:

    FGT_A (root)# get router info6 routing-table kernel
    Routing table for VRF=0
    K*      ::/0 [254/1024] via fe80::96f3:92ff:fe15:f7b, agg1, 00:01:04
    ...
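
The selection rule above, as an added example (not Fortinet code): a Python check that reads `get router info6 routing-table database` output and lists the prefixes where a kernel route would become the best route for a given `kernel-route-distance`. It assumes the lowest distance wins, a tie stays with the existing route, and connected routes count as distance 0; `parse_routes` and `kernel_takeovers` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Lines copied from the step 3 "routing-table database" output on this page.
SAMPLE = """\
K    *  ::/0 via fe80::96f3:92ff:fe15:f7b, agg1, 00:00:20
C    *> 2000:172:16:200::/64 via ::, port1, 00:03:33
O E2    2000:172:16:204::/64 [110/10] via fe80::96f3:92ff:fe15:f7b, agg1, 00:02:16, [1024/0]
S    *> 2000:172:16:204::/64 [10/0] via 2000:172:16:200::4, port1, 00:03:33, [1024/0]
K    *  2001:4::/64 via ::, agg1, 00:00:20
O    *> 2001:4::/64 [110/100] via ::, agg1, 00:00:24, [1024/0]
"""

# Route code, optional OSPF subtype, status flags, prefix, optional [distance/metric].
ROUTE = re.compile(
    r"^([A-Z])(?:\s+(?:IA|N1|N2|E1|E2))?\s*[*>p ]*"
    r"([0-9A-Fa-f:]+/\d+)(?:\s+\[(\d+)/\d+\])?"
)

def parse_routes(text):
    """Return {prefix: [(code, distance or None), ...]} from database output."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = ROUTE.match(line.strip())
        if m:  # headers and continuation lines ("> [10/0] via ...") do not match
            code, prefix, dist = m.groups()
            table[prefix].append((code, int(dist) if dist else None))
    return table

def kernel_takeovers(text, kernel_distance):
    """Prefixes whose kernel (K) route would be the best route by distance."""
    if kernel_distance >= 255:  # default: kernel routes are not candidates
        return []
    winners = []
    for prefix, routes in parse_routes(text).items():
        if not any(code == "K" for code, _ in routes):
            continue
        # Connected routes print no [distance/metric]; treated as 0 (assumption).
        others = [d if d is not None else 0 for code, d in routes if code != "K"]
        # Strictly lower distance required: a tie stays with the existing route.
        if not others or kernel_distance < min(others):
            winners.append(prefix)
    return winners

if __name__ == "__main__":
    for dist in (255, 254, 100):
        print(dist, kernel_takeovers(SAMPLE, dist))
```

With the page's value of 254, only `::/0` changes hands because no user space route covers it, while `2001:4::/64` stays with OSPF at distance 110. Running the check before lowering the value shows which RA-learned prefixes would start carrying traffic.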
