How to connect to IPv6 from IPv4 using a Fortigate and a tunnel broker.

This is a detailed guide on how to connect to IPv6 from IPv4 using a Fortigate and a tunnel broker.

1. Sign up to a tunnel broker

In this example I have used

Simply click on create regular tunnel and follow the instructions. You will be asked for your IPv4 public IP address.

If you click Example Configurations this will give you the tunnel configuration for your Fortigate.

IMPORTANT: If the firewall is behind a natted device make sure you specify your private IP address on your WAN interface.

2. Fortigate Configuration.

2.1 Enable IPv6


2.2 Configure ipv6 tunnel

These will be specified by your tunnel broker.

config system sit-tunnel
    edit "HE"
        set source x.x.x.x
        set destination x.x.x.x
        set ip6 x.x.x.x

config router static6
    edit 1
        set dst ::/0
        set device "HE"
        set distance 10
        set priority 0
        set comment ''

2.3 Configure IPv6 secondary address

In this example I have used my wifi interface. You will need to generate a private IPv6 address and mask – I have configured the following address fdbb:e529:6f10:f6e2::1/64

config system interface
    edit "wifi"
        set vdom "root"
        set ip
        set allowaccess ping https ssh http
        set type vap-switch
        set snmp-index 9
        set secondary-IP enable
            config ipv6
                set ip6-allowaccess ping
                set ip6-address fdbb:e529:6f10:f6e2::1/64
                set ip6-send-adv enable

2.4 Configure dhcp6

This will provide the end clients with an IPv6 address.

config system dhcp6 server
    edit 1
        set subnet fdbb:e529:6f10:f6e2::/64
        set interface "wifi"
            config ip-range
                edit 1
                    set start-ip fdbb:e529:6f10:f6e2::2
                    set end-ip fdbb:e529:6f10:f6e2::10
        set dns-server1 2001:4860:4860::64

Make sure you specify the interface where clients connect to.

The network address in this example is fdbb:e529:6f10:f6e2::/64

The ip range in this example provides 9 addresses to lease. fdbb:e529:6f10:f6e2::2 -10

I have set the dns to use google dns 2001:4860:4860::64.

2.5 Configure Ipv6 policy

config firewall policy6
    edit 1
        set srcintf "wifi"
        set dstintf "HE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable

The source interface will be your lan interface and destination will be the ipv6 tunnel interface you created in step 2.2.

3. Test

Make sure you have an ipv6 address leased from the Fortigate and that there is a default gateway.

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : fdbb:e529:6f10:f6e2::2
   Link-local IPv6 Address . . . . . : fe80::b823:5832:141c:1a32%23
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . : fe80::2ff:4cff:fe3e:1425%23

Ping the ipv6 address that you configured on the lan interface of the fortigate.

ping -6 fdbb:e529:6f10:f6e2::1
Pinging fdbb:e529:6f10:f6e2::1 with 32 bytes of data:
Reply from fdbb:e529:6f10:f6e2::1: time=1ms
Reply from fdbb:e529:6f10:f6e2::1: time=3ms


ping -6

Pinging [2a00:1450:4009:809::200e] with 32 bytes of data:
Reply from 2a00:1450:4009:809::200e: time=22ms
Reply from 2a00:1450:4009:809::200e: time=22ms
Reply from 2a00:1450:4009:809::200e: time=22ms
Reply from 2a00:1450:4009:809::200e: time=25ms

Ping statistics for 2a00:1450:4009:809::200e:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 25ms, Average = 22ms

If you are new to the world of Linux, an avid Linux enthusiast or a student why not try our 0.99p per month Linux VPS.

Simply click on the screen shot below to find out more or navigate to

Thank you for reading and please feel free to leave any feedback.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s