Here at Tech With a Hammer, we have found that while more and more services are adding support for IPv6, ISPs around the world are not jumping on board the IPv6 train. For many reasons, from the lack of proper IPv6 support in the firewalls provided to end users to internal infrastructure requiring numerous upgrades that will take years to roll out, services like Hurricane Electric and SixXS have come out providing free IPv6 tunnels to those that request one.
Investigating the two largest IPv6 tunnel brokers, it can be seen that both use 6to4 tunnels, which essentially encapsulate the IPv6 packets from the internal network in IPv4 packets and send this payload through the series of tubes called the Internet to a relay, which sends it out. Hurricane Electric provides a tunnel with a 6to4 IPv6 address, so proxy services and the like will pick this up, and some services online will refuse access because it is a 6to4 address. SixXS provides a native IPv6 address for the tunnel, though signup is more of a process: you have to make a case, and both the SixXS admins and the admin of the PoP (Point of Presence) have to accept your application.
We decided to use SixXS for our FortiGate tests, as its PoP was closer, and found we were still able to saturate our link using the closest PoP. The script below has also been tested with Hurricane Electric, but requires some modifications.
At the time of this writing, FortiOS is at 5.2.1, so we recommend updating to at least this firmware version.
The following script assumes that the FortiGate has been factory reset and then configured to run in Interface mode instead of Switch mode from the interfaces.
# Configure DNS to point to OpenDNS IPv4 servers
# and their IPv6 sandbox servers
config system dns
    set primary 208.67.222.222
    set secondary 208.67.220.220
    set domain "TechWithaHammer.com"
    set ip6-primary 2620:0:ccc::2
    set ip6-secondary 2620:0:ccd::2
end

# Configure interfaces
# assumes using interface mode instead of switch mode
config system switch-interface
    edit "TWAH-Internal"
        set vdom root
        set member internal1 internal2 internal3 internal4 internal5 internal6 internal7
    next
end

# Create SixXS tunnel (IPv6-in-IPv4 SIT tunnel to the PoP)
config system sit-tunnel
    edit "SixXS-Tunnel"
        set destination 216.14.98.22
        set interface wan1
        set ip6 2001:4978:ffff:1234::2/64
        set source 208.57.1.101
    next
end

# Set up the internal interface for IPv6 addressing and router advertisements
config system interface
    edit wan1
        set vdom "root"
        set macaddr 74:44:01:36:5f:6b
        set allowaccess ping
    next
    edit "TWAH-Internal"
        set ip 10.128.1.1/24
        set allowaccess ping http https ssh
        config ipv6
            set ip6-mode static
            set ip6-address 2001:4978:ffff:5678::1/64
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2001:4978:ffff:5678::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set preferred-life-time 3600
                next
            end
            set ip6-manage-flag enable
            set ip6-other-flag enable
        end
    next
    edit "SixXS-Tunnel"
        set vdom "root"
        config ipv6
            set ip6-allowaccess ping
        end
    next
end

# Set the IPv6 default route to the SixXS tunnel
config router static6
    edit 1
        set device "SixXS-Tunnel"
    next
end

# Set up firewall policies for IPv6 (outbound only: internal /64 to the tunnel)
config firewall address6
    edit "TWAH-Int"
        set ip6 2001:4978:ffff:5678::/64
    next
end

config firewall policy6
    edit 1
        set srcintf "TWAH-Internal"
        set dstintf "SixXS-Tunnel"
        set srcaddr "TWAH-Int"
        set dstaddr "all"
        set schedule always
        set action accept
        set service ALL
    next
end
##################################################
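The script above repeats the same /64 in three places (the interface address, the RA prefix list and the address6 object), and the tunnel-broker comparison earlier turns on whether the prefix you are handed is 6to4 (2002::/16) or native. The following helper, added here as an example and not taken from the Tech With a Hammer post or from Fortinet, takes the handful of values that actually vary (PoP endpoint, local IPv4, tunnel /64, routed /64), checks them for the mistakes that are easy to make when editing by hand, and renders the tunnel, RA, route and policy6 sections of the config in the same structure as the script. The class and function names (TunnelParams, address_kind, validate, render) are this example's own; the addresses are the ones from the post, and the DNS, MAC-address and management-access lines are left out because they are site-specific.

```python
import ipaddress
from dataclasses import dataclass, replace

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056 6to4 address space


@dataclass
class TunnelParams:
    name: str        # tunnel interface name on the FortiGate
    wan_if: str      # physical interface carrying the IPv4 encapsulation
    lan_if: str      # internal interface that gets the routed /64
    local_v4: str    # our public IPv4 address (tunnel source)
    pop_v4: str      # broker PoP IPv4 endpoint (tunnel destination)
    tunnel_v6: str   # our end of the tunnel link, host/prefix form
    lan_prefix: str  # /64 routed to us, advertised on the LAN via RA


def address_kind(addr):
    """'6to4' if the address lies in 2002::/16, otherwise 'native'."""
    return "6to4" if ipaddress.IPv6Address(addr) in SIX_TO_FOUR else "native"


def validate(p):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for v4 in (p.local_v4, p.pop_v4):
        try:
            ipaddress.IPv4Address(v4)
        except ValueError:
            problems.append(f"not an IPv4 address: {v4}")
    try:
        tun = ipaddress.IPv6Interface(p.tunnel_v6)
        lan = ipaddress.IPv6Network(p.lan_prefix, strict=True)
    except ValueError as e:
        return problems + [f"bad IPv6 value: {e}"]
    if tun.network.prefixlen != 64 or lan.prefixlen != 64:
        problems.append("tunnel link and LAN prefix should both be /64 for SLAAC")
    if tun.network.overlaps(lan):
        problems.append("LAN prefix overlaps the tunnel link prefix")
    if tun.ip == tun.network.network_address:
        problems.append("tunnel ip6 must be a host address, not the subnet-router anycast address")
    if address_kind(str(tun.ip)) == "6to4" or lan.subnet_of(SIX_TO_FOUR):
        problems.append("prefix is 6to4 (2002::/16); some services refuse such sources")
    return problems


def render(p):
    """Emit FortiOS CLI for the SIT tunnel, LAN RA, default route and outbound policy6."""
    tun = ipaddress.IPv6Interface(p.tunnel_v6)
    lan = ipaddress.IPv6Network(p.lan_prefix)
    lan_gw = f"{lan.network_address + 1}/{lan.prefixlen}"  # ::1 of the routed /64
    addr_obj = f"{p.lan_if}-v6"  # address6 object name, derived from the interface
    return f"""config system sit-tunnel
    edit "{p.name}"
        set destination {p.pop_v4}
        set interface {p.wan_if}
        set ip6 {tun.with_prefixlen}
        set source {p.local_v4}
    next
end
config system interface
    edit "{p.lan_if}"
        config ipv6
            set ip6-mode static
            set ip6-address {lan_gw}
            set ip6-send-adv enable
            config ip6-prefix-list
                edit {lan}
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end
config router static6
    edit 1
        set device "{p.name}"
    next
end
config firewall address6
    edit "{addr_obj}"
        set ip6 {lan}
    next
end
config firewall policy6
    edit 1
        set srcintf "{p.lan_if}"
        set dstintf "{p.name}"
        set srcaddr "{addr_obj}"
        set dstaddr "all"
        set schedule always
        set action accept
        set service ALL
    next
end
"""


# The values from the post, wired up as sample input.
POST_PARAMS = TunnelParams("SixXS-Tunnel", "wan1", "TWAH-Internal",
                           "208.57.1.101", "216.14.98.22",
                           "2001:4978:ffff:1234::2/64", "2001:4978:ffff:5678::/64")

if __name__ == "__main__":
    issues = validate(POST_PARAMS)
    print("\n".join(issues) if issues else render(POST_PARAMS))
```

Running it with the post's values prints a config whose three occurrences of the routed /64 are guaranteed to agree, and swapping the LAN prefix for something inside 2002::/16 makes `validate` flag it before it reaches the firewall. The only policy rendered is the single outbound rule from the script; nothing is opened inbound over the tunnel.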