Fortigate
This article explains how to configure a Fortigate for SixXS.
Part 1 describes how to configure a tunnel between your Fortigate firewall and an IPv6 tunnel provider.
In part 2 a subnet is configured on the Fortigate to allow the machines behind the firewall to connect to the Internet natively with IPv6 via the tunnel.
The configuration was tested on a Fortigate 60 with FortiOS 3.00 MR7 Patch 1 (build 0730) but should apply similarily to other Fortigate units.
MH 2/2013: Additions for v4.0,build0646,121119 (MR3 Patch 11) with "vdom". Marked important things red.
Contents
Part 1: Setting up a tunnel
Note: Be careful: This does not work on vdom-link interfaces
Once your tunnel request has been approved you should have the following information:
- POP v4 address (e.g. 1.2.3.4, provided by the tunnel broker)
- POP v6 address (e.g. 2001:db8:123::1/64, provided by the tunnel broker)
- Your v4 address (e.g. 5.6.7.8, provided by you)
- Your v6 address (e.g. 2001:db8:123::2/64, provided by the tunnel broker)
For Heartbeat Tunnels: Unless FortiOS does not support the tunnel protocol you'll need to run AICCU on a host within your LAN. Due to the fact that the heartbeat uses IPv4 NAT is not an issue
In FortiOS 3.00 MR7 the command for setting up a IPv6 in IPv4 tunnel has changed from config system ipv6-tunnel to config system sit-tunnel. Unfortunately not all of the Fortigate documentation has been updated. (see here for more details)
Configure the tunnel (3.00 MR5 and before)
config system ipv6-tunnel
edit "sixxs.net"
set destination <POP v4 address>
set interface <v4 interface towards POP>
set ip6 <Your v6 address>
set source <Your v4 address>
end
Configure the tunnel (3.00 MR7 and later)
config system sit-tunnel
edit "sixxs.net"
set destination <POP v4 address>
set interface <v4 interface towards POP>
set ip6 <Your v6 address>
set source <Your v4 address>
end
Configure the tunnel (in a vdom with 4v)
config vdom <vdom name>
(vdom) # edit <vdom name>
current vf=<vdom name>:0
config system sit-tunnel
edit "sixxs.net"
set destination <POP v4 address>
set interface <v4 interface towards POP>
set ip6 <Your v6 address>
set source <Your v4 address>
end
Note: If using a PPPoE interface on the FortiGate, leave the 'set interface' setting unset. When your ISP assigns dynamic addresses by DHCP use 'set source 0.0.0.0' When working with vdoms, this has to be done in the vdom section
This will create a tunnel with the name "sixxs.net" and a tunnel interface with the same name which you should be able to see with
show system ipv6-tunnel (<-- 3.00 MR5 and before) show system sit-tunnel (<-- 3.00 MR7 and later) show system interface
Allow the tunnel provider to ping your end of the tunnel. Otherwise the tunnel won't be considered "up" and you won't get any additional credits for requesting a subnet.
config system interface
edit "sixxs.net"
config ipv6
set ip6-allowaccess ping
end
end
Note: When working with vdoms this has to be done in the global section, add "set vdom your-vdom"
Setup the default route
Then configure a default route with
config router static6
edit 1
set device "sixxs.net"
end
Note: when working with vdoms this has to be done in the vdom section.
Note: No need to set a destination route here as ::/0 is implied by default.
Check the tunnel setup
First check if you can ping out
execute ping6 <POP v6 address>
Then check if your provider can ping you. Set up the packet sniffer to see if you are getting traffic from the outside at all
diagnose sniffer packet sixxs.net
Then go to http://www.berkom.blazing.de/tools/ping.cgi and enter your v6 address. To see if the website works you might enter your providers v6 address first. If the ping is working you should see the incoming echo requests and the outgoing echo replies on the command line which should look similar to this
interfaces=[sixxs.net] filters=[none] pcap_lookupnet: sixxs.net: no IPv4 address assigned 9.442391 2a01:30:1000::53 -> 2001:db8:123::2: icmp6: echo request seq 1 9.442588 2001:db8:123::2 -> 2a01:30:1000::53: icmp6: echo reply seq 1 10.447947 2a01:30:1000::53 -> 2001:db8:123::2: icmp6: echo request seq 2 10.448077 2001:db8:123::2 -> 2a01:30:1000::53: icmp6: echo reply seq 2 11.457778 2a01:30:1000::53 -> 2001:db8:123::2: icmp6: echo request seq 3 11.457898 2001:db8:123::2 -> 2a01:30:1000::53: icmp6: echo reply seq 3
That completes the tunnel setup.
Part 2: Setting up a subnet
Once your tunnel has been up for a while you have enough credits to request a subnet. (Writing an article on the Wiki might also help). With a subnet we can connect the machines behind the firewall to the IPv6 network. When the subnet has been approved you have the following information
* Subnet IPv6: <your IPv6 /48 subnet> (e.g. 2001:db8:456:::/48) * Routed to: <your IPv6 address endpoint of the tunnel> (e.g. 2001:db8:123::2/64)
The /48 network provides us with 65536 (2^16) /64 networks which we probably don't need. In the initial configuration we are configuring a single /64 network on the LAN. We choose number 35 arbitrarily as a subnet id and therefore the prefix for our LAN subnet is
2001:db8:456:35::/64 ^^^^^^^^^^^^ ^^ /48 prefix subnet id
Configuring the internal interface of the firewall
First we have to give the firewall an ip address from the subnet and configure it to send out router solicitation messages so that the other machines in the network configure themselves automatically.
In this example we are giving the firewall the address 2001:db8:456:35::1/64 and configure the prefix 2001:db8:456:35::/64 as a prefix
config system interface
edit "internal"
config ipv6
set ip6-address 2001:db8:456:35::1/64 ; ipv6 address of the "internal" interface
set ip6-allowaccess ping ; allow interface to be pinged
config ip6-prefix-list
edit 2001:db8:456:35::/64 ; add a new prefix to the interface
set autonomous-flag enable ; ???
set onlink-flag enable ; the prefix is on this link
set preferred-life-time 3600 ; make autoconfigured addresses valid for 1h
next
end
set ip6-send-adv enable ; enable router advertisement messages.
; Triggers auto-configuration of the machines on the LAN
end
next
end
NOTE: You might need to reboot the FortiGate to get the auto-advertisements to be sent out.
Check auto-configuration
After a while all IPv6 capable machines should have an IPv6 address with the 2001:db8:456:35::/64 prefix. If the link local address of the interface is fe80::469:da12:fe95:b431/64 then the machine should have 2001:db8:456:35:469:da12:fe95:b431/64 as an additional IPv6 address on eth0 for example. Check if you can ping the firewall
ping6 -I eth0 2001:db8:456:35::1
Note: Every thing below this line could be done in the web interface with v4.
The sixx.net interface should be visible below the WAN interface you've used in the web interface.
Configure outbound policies
In order for traffic to go through the firewall you need to add policies. First we have to configure the address for our subnet and the "all" address as the Fortigate doesn't confiure that automatically.
config firewall address6
edit "all"
set ip6 ::/0
next
edit "lan-v6"
set ip6 2001:db8:456:35::/64
next
end
Then we add an outbound policy for ping packets
config firewall policy6
edit 1
set srcintf "internal"
set dstintf "sixxs.net"
set srcaddr "lan-v6"
set dstaddr "all"
set action accept
set schedule "always"
set service "PING6"
next
end
Now you should be able to ping ipv6.google.com
ping6 -I eth0 ipv6.google.com (or ping6 -I eth0 2001:4860:0:1001::68:)
To allow outbound HTTP traffic you can either add another policy with the service "HTTP" or create a service group. As you already know how to add a policy we're going to create a service group for HTTP, HTTPS and PING4/6.
config firewall service group
edit "http-https"
set member "PING" "HTTP" "HTTPS" "PING6"
next
end
Then we just need to update the policy
config firewall policy6
edit 1
set service "http-https"
next
end
Now you should be able to telnet for example to Google on port 80
telnet -6 ipv6.google.com 80 Trying 2001:4860:0:1001::68... Connected to ipv6.google.com. Escape character is '^]'.
or try conneting with your favorite web browser (Don't forget to re-enable IPv6 in the browser in case you have disabled it before).
Configuring inbound policies
In order for our machines to be accessible on the IPv6 internet we need to define inbound policies. For now ping is enough.
config firewall policy6 edit 2 set srcintf "sixxs.net" set dstintf "internal" set srcaddr "all" set dstaddr "lan-v6" set action accept set schedule "always" set service "PING6" end
Go to the IPv6 Ping Check and check if you can ping a machine on your subnet, e.g. 2001:db8:456:35:469:da12:fe95:b431/64
