This is a detailed guide on how to connect to IPv6 from IPv4 using a Fortigate and a tunnel broker.
1. Sign up to a tunnel broker
In this example I have used https://www.tunnelbroker.net/
Simply click on create regular tunnel and follow the instructions. You will be asked for your IPv4 public IP address.
If you click Example Configurations this will give you the tunnel configuration for your Fortigate.
IMPORTANT: If the firewall is behind a NAT device, make sure you specify the private IP address of your WAN interface.
2. Fortigate Configuration.
2.1 Enable IPv6
2.2 Configure ipv6 tunnel
The source, destination and ip6 values will be specified by your tunnel broker.
config system sit-tunnel
    edit "HE"
        set source x.x.x.x
        set destination x.x.x.x
        set ip6 x.x.x.x
    next
end
config router static6
    edit 1
        set dst ::/0
        set device "HE"
        set distance 10
        set priority 0
        set comment ''
    next
end
2.3 Configure IPv6 secondary address
In this example I have used my wifi interface. You will need to generate a private IPv6 address and mask – I have configured the following address fdbb:e529:6f10:f6e2::1/64
config system interface
    edit "wifi"
        set vdom "root"
        set ip 192.168.254.254 255.255.255.0
        set allowaccess ping https ssh http
        set type vap-switch
        set snmp-index 9
        set secondary-IP enable
        config ipv6
            set ip6-allowaccess ping
            set ip6-address fdbb:e529:6f10:f6e2::1/64
            set ip6-send-adv enable
        end
    next
end
2.4 Configure dhcp6
This will provide the end clients with an IPv6 address.
config system dhcp6 server
    edit 1
        set subnet fdbb:e529:6f10:f6e2::/64
        set interface "wifi"
        config ip-range
            edit 1
                set start-ip fdbb:e529:6f10:f6e2::2
                set end-ip fdbb:e529:6f10:f6e2::10
            next
        end
        set dns-server1 2001:4860:4860::64
    next
end
Make sure you specify the interface that clients connect to.
The network address in this example is fdbb:e529:6f10:f6e2::/64
The IP range in this example provides 9 addresses to lease: fdbb:e529:6f10:f6e2::2 to fdbb:e529:6f10:f6e2::10.
I have set the DNS to use Google DNS, 2001:4860:4860::64.
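Step 2.3 asks you to generate a private IPv6 address. The sketch below is an added example, not part of the original guide: it derives a pseudo-random unique local /48 in the way RFC 4193 suggests (SHA-1 over a timestamp and a host identifier, simplified here), carves a /64 out of it and renders the values needed in steps 2.3 and 2.4. The function names, the ::1 gateway convention and the default pool bounds (taken from this guide's ::2 to ::10) are assumptions.

```python
import hashlib
import ipaddress
import struct
import time
import uuid

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local range


def generate_ula_prefix(timestamp=None, node_id=None):
    """Return a pseudo-random fdxx:xxxx:xxxx::/48 prefix (RFC 4193 style)."""
    timestamp = time.time() if timestamp is None else timestamp
    node_id = uuid.getnode() if node_id is None else node_id  # 48-bit host id
    digest = hashlib.sha1(struct.pack("!dQ", timestamp, node_id)).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # low 40 bits of the hash
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def plan_subnet(prefix48, subnet_id, pool_first=0x2, pool_last=0x10):
    """Carve one /64 from the /48; derive the gateway and DHCPv6 pool bounds."""
    prefix48 = ipaddress.IPv6Network(str(prefix48))
    if prefix48.prefixlen != 48 or not prefix48.subnet_of(ULA_RANGE):
        raise ValueError("expected a /48 inside fc00::/7")
    if not 0 <= subnet_id <= 0xFFFF or not 1 < pool_first <= pool_last < 2**64:
        raise ValueError("subnet id or pool bounds out of range")
    base = int(prefix48.network_address) + (subnet_id << 64)
    return {
        "subnet": str(ipaddress.IPv6Network((base, 64))),
        "gateway": f"{ipaddress.IPv6Address(base + 1)}/64",  # ::1 on the interface
        "start-ip": str(ipaddress.IPv6Address(base + pool_first)),
        "end-ip": str(ipaddress.IPv6Address(base + pool_last)),
    }


def fortigate_lines(plan):
    """Render the plan as the set lines used in steps 2.3 and 2.4."""
    return [
        f"set ip6-address {plan['gateway']}",
        f"set subnet {plan['subnet']}",
        f"set start-ip {plan['start-ip']}",
        f"set end-ip {plan['end-ip']}",
    ]


if __name__ == "__main__":
    for line in fortigate_lines(plan_subnet(generate_ula_prefix(), 0x1)):
        print(line)
```

Calling plan_subnet("fdbb:e529:6f10::/48", 0xf6e2) reproduces the addresses used in this guide.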
2.5 Configure IPv6 policy
config firewall policy6
    edit 1
        set srcintf "wifi"
        set dstintf "HE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
The source interface will be your LAN interface and the destination will be the IPv6 tunnel interface you created in step 2.2. NAT is enabled because the private fdbb:e529:6f10:f6e2::/64 addresses leased to clients are not routable on the IPv6 internet.
Make sure you have an IPv6 address leased from the Fortigate and that there is a default gateway.
Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix . :
   IPv6 Address. . . . . . . . . . . : fdbb:e529:6f10:f6e2::2
   Link-local IPv6 Address . . . . . : fe80::b823:5832:141c:1a32%23
   IPv4 Address. . . . . . . . . . . : 192.168.254.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::2ff:4cff:fe3e:1425%23
                                       192.168.254.254

Ping the IPv6 address that you configured on the LAN interface of the Fortigate.

ping -6 fdbb:e529:6f10:f6e2::1

Pinging fdbb:e529:6f10:f6e2::1 with 32 bytes of data:
Reply from fdbb:e529:6f10:f6e2::1: time=1ms
Reply from fdbb:e529:6f10:f6e2::1: time=3ms

ping -6 google.com

Pinging google.com [2a00:1450:4009:809::200e] with 32 bytes of data:
Reply from 2a00:1450:4009:809::200e: time=22ms
Reply from 2a00:1450:4009:809::200e: time=22ms
Reply from 2a00:1450:4009:809::200e: time=22ms
Reply from 2a00:1450:4009:809::200e: time=25ms

Ping statistics for 2a00:1450:4009:809::200e:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 25ms, Average = 22ms
Thank you for reading and please feel free to leave any feedback.