Tuesday, December 21, 2010

It's an IPv6 World - Get out there and explore!

Have you been dying (like me) to get your hands dirty and head down the information highway in all of its IPv6 glory? Ever wondered if Google REALLY looks different when viewed via IPv6? ;)

Here is a quick walkthrough on how to get started even if your ISP does not provide IPv6 natively yet.

  • Register for an account with an IPv6 tunnel broker. I am using Hurricane Electric. Sign up for a free account at www.tunnelbroker.net
  • Once your registration is confirmed, log in to www.tunnelbroker.net and use the "Create Regular Tunnel" function to allocate your IPv6 address space.
  • Hurricane Electric (HE) will try to determine the closest of their POPs. You can override this manually if required.
  • In "IPv4 endpoint (your side of the tunnel)" enter the public IP address of the WAN interface of the Fortinet. This of course works best when you have a static IP address; if your provider assigns you a dynamic IP address you will have to adjust your tunnel configuration on the HE website every time your IP changes. Most likely the IP address listed under "You are viewing from IP" is your WAN IP.
  • HE will now provide you with your tunnel details.
On to the Fortinet configuration. This must be done via the CLI.

  • config system sit-tunnel
  • edit "HE" (the name you want to give to this tunnel/interface)
  • set destination (HE Server IPv4 address)
  • set interface wan1 (the WAN interface of your firewall)
  • set source (the public IP address of your firewall that you specified above)
  • set ip6 2001:x:x:x::2/64 (HE Client IPv6 address)
  • end
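The sit-tunnel configured above is a 6in4 tunnel: every IPv6 packet is carried as the payload of an IPv4 packet with protocol number 41, exchanged between the "source" and "destination" addresses you just entered. The following Python is an added example, not code from the post or from Fortinet; it builds a constructed 6in4 packet using documentation addresses (203.0.113.10 for the HE server, 198.51.100.5 for the firewall WAN, 2001:db8:0:1::/64 for the tunnel), decodes the outer and inner headers, and applies the check the tunnel definition implies: inbound protocol-41 traffic should only ever come from the HE endpoint and be addressed to your WAN IP.

```python
"""Decode 6in4 (SIT, IP protocol 41) packets, the encapsulation a FortiGate sit-tunnel carries,
and check that an inbound one really comes from the configured tunnel endpoint."""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number: IPv6 carried directly inside IPv4

# Constructed sample values (documentation ranges, not real endpoints). Replace with the
# "Server IPv4" / "Client IPv4" and the tunnel /64 from your HE Tunnel Details page.
HE_SERVER_V4 = "203.0.113.10"           # sit-tunnel "destination"
FIREWALL_WAN_V4 = "198.51.100.5"        # sit-tunnel "source"
HE_SERVER_V6 = "2001:db8:0:1::1"        # ::1 of the tunnel /64 (HE side)
FIREWALL_TUNNEL_V6 = "2001:db8:0:1::2"  # ::2 of the tunnel /64, the "set ip6" value


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload, next_header=58):
    """Construct a 6in4 packet: 20-byte IPv4 header (proto 41) + 40-byte IPv6 header + payload.
    The IPv4 checksum is left at zero; this is constructed input for the decoder, not a capture."""
    inner = struct.pack(
        "!IHBB16s16s",
        0x60000000,                              # version 6, traffic class 0, flow label 0
        len(payload),                            # payload length
        next_header,                             # 58 = ICMPv6
        64,                                      # hop limit
        ipaddress.IPv6Address(inner_src).packed,
        ipaddress.IPv6Address(inner_dst).packed,
    ) + payload
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0,                                 # version 4, IHL 5 (20 bytes), DSCP/ECN 0
        20 + len(inner),                         # total length
        0, 0,                                    # identification, flags/fragment offset
        64, IPPROTO_IPV6, 0,                     # TTL, protocol 41, header checksum (unset)
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    return outer + inner


def decode_6in4(packet):
    """Return the outer IPv4 and inner IPv6 header fields, or None if this is not a 6in4 packet."""
    if len(packet) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src4, dst4 = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != IPPROTO_IPV6:
        return None
    inner = packet[ihl:]
    if len(inner) < 40:
        return None
    vtf, plen, nxt, hlim, src6, dst6 = struct.unpack("!IHBB16s16s", inner[:40])
    if vtf >> 28 != 6:
        return None
    return {
        "outer_src": str(ipaddress.IPv4Address(src4)),
        "outer_dst": str(ipaddress.IPv4Address(dst4)),
        "inner_src": str(ipaddress.IPv6Address(src6)),
        "inner_dst": str(ipaddress.IPv6Address(dst6)),
        "next_header": nxt,
        "hop_limit": hlim,
        "payload_len": plen,
    }


def inbound_matches_tunnel(decoded, tunnel_source_v4, tunnel_destination_v4):
    """Mirror the sit-tunnel 'source'/'destination' settings for an inbound packet:
    protocol-41 traffic should arrive from HE's endpoint and be addressed to our WAN IP."""
    return (decoded is not None
            and decoded["outer_src"] == tunnel_destination_v4
            and decoded["outer_dst"] == tunnel_source_v4)


def sample_packets():
    """Two constructed packets: an ICMPv6 echo request from HE's side of the tunnel, and the
    same inner packet wrapped in IPv4 from an unrelated host (192.0.2.99, documentation range)."""
    echo_request = struct.pack("!BBHHH", 128, 0, 0, 1, 1)  # ICMPv6 type 128, code 0, csum 0, id 1, seq 1
    good = build_6in4(HE_SERVER_V4, FIREWALL_WAN_V4, HE_SERVER_V6, FIREWALL_TUNNEL_V6, echo_request)
    stray = build_6in4("192.0.2.99", FIREWALL_WAN_V4, HE_SERVER_V6, FIREWALL_TUNNEL_V6, echo_request)
    return good, stray


if __name__ == "__main__":
    for label, pkt in zip(("from HE endpoint", "from stray host"), sample_packets()):
        d = decode_6in4(pkt)
        verdict = "accept" if inbound_matches_tunnel(d, FIREWALL_WAN_V4, HE_SERVER_V4) else "drop"
        print(label, verdict, d)
```

The decoder deliberately stops at the IPv6 header; what matters for the tunnel is that the outer IPv4 pair matches the configured endpoints, which is the same pairing the sit-tunnel's "source" and "destination" settings pin down.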
HE will assign a /64 subnet for routing between their equipment and your firewall. Think of this as using a /30 in IPv4, except that in this case you are only using two IP addresses out of a space that is the entire IPv4 Internet address space squared, i.e. you are "wasting" eighteen quintillion, four hundred forty-six quadrillion, seven hundred forty-four trillion, seventy-three billion, seven hundred nine million, five hundred fifty-one thousand, six hundred and fourteen addresses :)

HE will also assign you a /64 subnet for use behind the firewall on your network. For most people trying this at home, 18,446,744,073,709,551,616 IP addresses should be plenty.
If you need more space than this, or, as is more likely, more subnets, you can select "Assign /48 subnet" on the Tunnel Details page on the HE website. This will provide you with 65,536 /64 subnets for internal use.

Now back to the Fortinet GUI. The name you assigned to the sit-tunnel on the CLI now shows up as a firewall interface in the GUI.

Router -> Static Route -> Create New -> IPv6 Route
  • Destination IP/Mask: ::/0 (the default route in IPv6 notation)
  • Device: the tunnel interface you created earlier via the CLI (in my example "HE")
  • Distance: 10
  • Priority: 0
Firewall -> Policy -> IPv6 Policy -> Create New
  • Source Interface: internal
  • Source Address: all
  • Destination Interface: tunnel interface (in my example "HE")
  • Destination Address: all
  • Service: Any
  • Action: Accept
System -> Network -> Interface -> Internal
  • IPv6 Address: An address out of the "Routed /64" from the "HE Tunnel Details" page. For example, if HE has assigned 2001:1234:4567:9999::/64 as your "Routed /64", your firewall internal IPv6 address could be 2001:1234:4567:9999:1::/64
Also don't forget to configure IPv6 on your workstation. On the "Tunnel Details" page HE provides example IPv6 interface configurations for a number of operating systems, including Linux and Windows. In the above example your workstation IP could be 2001:1234:4567:9999:2::/64. When configuring Windows, simply ignore the error message about multiple default gateways: Windows will only use the IPv6 default gateway when sending IPv6 traffic.
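The addressing in the steps above follows a simple pattern: ::1 and ::2 of the tunnel /64 are the two tunnel endpoints, and hosts behind the firewall take addresses out of the routed /64 (or, with "Assign /48 subnet", out of one of its 65,536 /64s). The following Python is an added example, not from the post or from HE; it derives those addresses with the standard-library ipaddress module and checks a candidate LAN address against the two prefixes. The routed /64 is the post's own example; the tunnel /64 (2001:db8:0:1::/64) and the /48 (2001:db8:8000::/48) are constructed documentation-range values.

```python
"""Plan and sanity-check the IPv6 addressing for a tunnel-broker setup, using only the
standard-library ipaddress module."""
import ipaddress
from itertools import islice

# Constructed sample values. The routed /64 is the walkthrough's own example; the tunnel /64
# and the /48 use the RFC 3849 documentation prefix. Substitute the values from your
# HE "Tunnel Details" page.
SAMPLE_TUNNEL_PREFIX = "2001:db8:0:1::/64"          # point-to-point /64 between HE and the firewall
SAMPLE_ROUTED_PREFIX = "2001:1234:4567:9999::/64"   # the "Routed /64" used behind the firewall
SAMPLE_ROUTED_48 = "2001:db8:8000::/48"             # what "Assign /48 subnet" would hand out


def addresses_in(prefix):
    """Number of addresses in a prefix (a /64 holds 2**64 = 18,446,744,073,709,551,616)."""
    return ipaddress.IPv6Network(prefix).num_addresses


def subnet_count(prefix, new_prefixlen=64):
    """How many /new_prefixlen networks fit in prefix (a /48 holds 65,536 /64s)."""
    net = ipaddress.IPv6Network(prefix)
    if new_prefixlen < net.prefixlen:
        raise ValueError("cannot carve a shorter prefix out of a longer one")
    return 2 ** (new_prefixlen - net.prefixlen)


def first_subnets(prefix, new_prefixlen=64, count=3):
    """The first few child subnets, handy when building a per-VLAN plan out of a /48."""
    net = ipaddress.IPv6Network(prefix)
    return [str(s) for s in islice(net.subnets(new_prefix=new_prefixlen), count)]


def plan_addressing(tunnel_prefix, routed_prefix):
    """Derive the addresses the walkthrough uses from the two /64s HE assigns.

    HE's convention: ::1 in the tunnel /64 is their server, ::2 is your firewall.
    Behind the firewall the post uses <routed>:1:: for the firewall and <routed>:2::
    for a workstation, i.e. the host number is placed in the first hextet after the /64.
    """
    tun = ipaddress.IPv6Network(tunnel_prefix, strict=True)
    lan = ipaddress.IPv6Network(routed_prefix, strict=True)
    if tun.prefixlen != 64 or lan.prefixlen != 64:
        raise ValueError("expected two /64 prefixes, got %s and %s" % (tun, lan))
    if tun.overlaps(lan):
        raise ValueError("tunnel /64 and routed /64 must be distinct")
    return {
        "he_server_v6": str(tun[1]),
        "firewall_tunnel_v6": str(tun[2]),
        "firewall_internal_v6": str(lan.network_address + (1 << 48)),
        "workstation_v6": str(lan.network_address + (2 << 48)),
        "default_route": "::/0",
    }


def check_lan_address(address, tunnel_prefix, routed_prefix):
    """Classify an address you are about to put on the internal interface or a client.

    Returns "ok" when it sits inside the routed /64, or a short reason otherwise. The
    tunnel /64 is reserved for the two tunnel endpoints, and the all-zero interface ID
    is the subnet-router anycast address (RFC 4291), so neither is a good host address.
    """
    addr = ipaddress.IPv6Address(address)
    if addr in ipaddress.IPv6Network(tunnel_prefix):
        return "inside the tunnel /64; that one is for the two tunnel endpoints"
    lan = ipaddress.IPv6Network(routed_prefix)
    if addr not in lan:
        return "outside the routed /64 %s" % lan
    if addr == lan.network_address:
        return "subnet-router anycast address; pick another host address"
    return "ok"


if __name__ == "__main__":
    for key, value in plan_addressing(SAMPLE_TUNNEL_PREFIX, SAMPLE_ROUTED_PREFIX).items():
        print("%-22s %s" % (key, value))
    print("addresses in a /64:   ", addresses_in(SAMPLE_ROUTED_PREFIX))
    print("/64s in a /48:        ", subnet_count(SAMPLE_ROUTED_48))
    print("first /64s of the /48:", first_subnets(SAMPLE_ROUTED_48))
    print(check_lan_address("2001:db8:0:1::5", SAMPLE_TUNNEL_PREFIX, SAMPLE_ROUTED_PREFIX))
```

Running it prints the same addresses the walkthrough arrives at by hand (tunnel ::1/::2, internal 2001:1234:4567:9999:1::, workstation 2001:1234:4567:9999:2::) and flags an address taken from the wrong prefix before it ends up on an interface.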

Enjoy the holidays.


Andy said...

You can also enable stateless auto config of LAN clients using the prefix settings under the IPv6 interface on the FortiGate... in the CLI, use the commands:
# config system interface
# edit internal
# config ipv6
# config ip6-prefix-list
# edit 2001:1234:456:789::/64
# set autonomous-flag enable
# set onlink-flag enable
# set preferred-life-time 3600
# next
# end
# set ip6-send-adv enable
# end
# next
# end

jlgb said...

Good morning, I'm trying to get 2 PCs, one on DMZ1 and one on DMZ2, each with a static IPv6 address, to communicate. There is no ping response. Is there a special configuration for each interface?
Each interface is a VLAN.
Thanks for your help

Sebastian said...

Hi jlgb,

you should probably post questions like this on the Fortinet support forum:


jlgb said...

Andy: Thanks for your comment.
I did this:
upgrade to 4 MR2
create policies for inter-VLAN traffic and another policy to allow traffic from the Internet to the DMZ.


rowie said...


Maybe there is a little knot in my brain...
I've configured my 60D (FortiOS 5.2.1) like your post. I can't see the interface in the GUI. No problem. But how can I configure the clients for IPv6? The sample config on HE is for Windows clients that have no FortiGate in front, or?