One of our techs had their first taste of IPv6 with a dual-stack network at home. Of course, that dual-stack network ended at the edge device, the firewall, but their passion for IPv6 did not. After years of waiting, SixXS started their tunnel broker service in 2000, shortly after Hurricane Electric started their tunnelbroker.net service. Both of these services provided IPv6 through 6to4, tunneling your IPv6 network over IPv4 to one of their PoPs (points of presence) to reach the IPv6 Internet.
Hurricane Electric is a backbone provider with a direct connection to the Internet; they provide a ::/56 to all of their tunnels, with the ability to request a ::/48. They also provide global ISPs with IPv6 Internet access through their tunnel brokering service: without a direct peer, any ISP can use the tunnel broker service to provide IPv6 to their clients.
SixXS is backed by many public Internet exchanges, with PoPs dispersed globally. Using their service for 6to4, they were able to provide all tunnels with a ::/56 subnet, also with the ability to request a ::/48. With AYIYA, if your router or firewall did not support 6to4 you could create a tunnel just for your workstation that would always dial in using a local agent. Unfortunately, with more and more ISPs providing native IPv6, the leaders of the SixXS project decided to shut it down on June 30th, 2017. But fear not: with more and more ISPs providing IPv6 connectivity, you may already have the ability to connect to the IPv6 Internet!
The French ISP Free worked at using IPv6 Rapid Deployment, or 6rd, to push IPv6 throughout their network. 6rd is built on 6to4 but allows the use of native IPv6 addresses instead of those prefixed with 2002::. While some ISPs like Comcast and Swisscom have opted to use 6rd, others have gone with native IPv6 for a true dual stack end-to-end. In both cases it is possible to use stateful or stateless DHCPv6, or SLAAC, to provide IPv6 addresses to the internal infrastructure. The following hammer uses SLAAC in combination with Prefix Delegation on a FortiGate running 6.0.1 firmware. The scripting portion has been tested extensively in 5.4 and 5.6, with some differences in the GUI.
To enable IPv6 in the GUI:

config system global
    set gui-ipv6 enable
end
First we'll start with telling the WAN port that it will be using prefix delegation, the size of prefix to request, and the requested lifetimes.

config system interface
    edit "wan2"
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/56
            set dhcp6-prefix-hint-plt 0
            set dhcp6-prefix-hint-vlt 0
        end
    next
end
Next, the Internal interface, which in this case is a software switch.

config system interface
    edit "Internal"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh
            set dhcp6-prefix-delegation enable
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan2"
            set ip6-subnet ::/56
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan2"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/56
                next
            end
        end
    next
end
If you test IPv6 with ping you should now see IPv6 working on your WAN interface. Once prefix delegation is set up on the inside of the network this will no longer work, as the WAN interface will stop getting an IPv6 address.

TWAH-Firewall # exec ping6 google.ca
PING google.ca(2607:f8b0:400a:800::2003) 56 data bytes
64 bytes from 2607:f8b0:400a:800::2003: icmp_seq=1 ttl=58 time=23.3 ms
64 bytes from 2607:f8b0:400a:800::2003: icmp_seq=2 ttl=58 time=23.2 ms
64 bytes from 2607:f8b0:400a:800::2003: icmp_seq=3 ttl=58 time=22.8 ms
64 bytes from 2607:f8b0:400a:800::2003: icmp_seq=4 ttl=58 time=23.3 ms
64 bytes from 2607:f8b0:400a:800::2003: icmp_seq=5 ttl=58 time=23.3 ms
Now that IPv6 is working, it is time to set some routes. Since the prefix delegation from our ISP can come from many connections, and our traffic may be routed internally depending on the PD we get, it is safe to assume that all IPv6 traffic should go out of this interface.

config router static6
    edit 1
        set device "wan2"
    next
end
For SLAAC we still require the DHCPv6 service to hand out the prefix delegation to internal devices.
config system dhcp6 server
    edit 1
        set rapid-commit enable
        set subnet ::/56
        set interface "Internal"
        set upstream-interface "wan2"
        set ip-mode delegated
    next
end
The last configuration change is the policies. As we do not know the delegated prefix, and to minimize future administration, we assume the delegation could change at any time, so the policies do not limit the address spaces that are allowed to communicate. Because ICMPv6 is essential to IPv6, we also allow ICMPv6 inbound: some of these packets arrive unsolicited and would otherwise be dropped by the stateful firewall.

config firewall policy6
    edit 1
        set name "IPv6 Internet Access"
        set srcintf "Internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set name "Allow ICMP in"
        set srcintf "wan2"
        set dstintf "Internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP6"
    next
end
Now, if you perform some testing from any of your internal machines, you should see that IPv6 is working as intended.

C:\Users\justanothertech>ping -6 google.ca

Pinging google.ca [2607:f8b0:400a:809::2003] with 32 bytes of data:
Reply from 2607:f8b0:400a:809::2003: time=21ms
Reply from 2607:f8b0:400a:809::2003: time=22ms
Reply from 2607:f8b0:400a:809::2003: time=21ms
Reply from 2607:f8b0:400a:809::2003: time=22ms

Ping statistics for 2607:f8b0:400a:809::2003:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 21ms, Maximum = 22ms, Average = 21ms

C:\Users\justanothertech>tracert -6 -d google.ca

Tracing route to google.ca [2607:f8b0:400a:809::2003]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  2001:xxxx::
  2     6 ms     4 ms     5 ms  2001:xxxx::
  3    22 ms    21 ms    22 ms  2001:xxxx::
  4    25 ms    25 ms    25 ms  2001:4860:1:1:0:354:0:4
  5    21 ms    21 ms    21 ms  2001:4860:0:1040::1
  6    20 ms    21 ms    20 ms  2001:4860:0:1::491
  7    22 ms    21 ms    21 ms  2607:f8b0:400a:809::2003

Trace complete.
Hello,
Thank you for the documentation, I'm French and have Free as my ISP.
I tried to follow your explanation but I have a few questions.
1 – What about your scope address? Your scope is kept by delegation, so if Free gives me XXXX:XXXX:XXXX::/64, does SLAAC automatically use XXXX:XXXX:XXXX?
2 – What about multiple internal networks? I have 3 internal networks and thought to use 3 distinct subnets, one for each network. How do I do it?
Many thanks
Jerome
Thank you for the interest in the article Jerome; that depends on how Free gives you IPv6. If they still use 6rd this may not help, but if they use prefix delegation it might work. This is just a theory, but worth testing if you have a FortiGate.
Also, I recommend doing some testing with the dhcp6-prefix-hint-plt and dhcp6-prefix-hint-vlt commands: if set too high or too low you may lose IPv6 connectivity intermittently, or until the firewall and modem are rebooted.
Sorry for the messy formatting, a recent update to the theme broke some of the tags.
Hello,
Free is known for its 6rd use, so I think that's the case. I'm not sure I have only one /64 range, but in my ISP interface there are 8 subnets for my personal usage.
In the interface, I have to enter the next hop of every network. The idea is to enter the link-local of every internal interface, then I have a /64 per interface.
In the example you gave me, it's near my usage, except you're with a /68 subnet. I'll try to calculate subnets to make good use of manual IPv6 addresses in a range.
Many thanks
Jerome
Hello,
Do you have a good site to calculate how to cut my /64 subnet into 2 or 3 /68s, one for each interface?
My ISP gives me 8 /64 subnets (XXXX:XXXX:XXXX:4010::/64 => XXXX:XXXX:XXXX:4018::/64). My Freebox has XXXX:XXXX:XXXX:4010::1 and I give XXXX:XXXX:XXXX:4010::2 to my WAN interface.
2 options:
wan1 has XXXX:XXXX:XXXX:4010::1 & XXXX:XXXX:XXXX:4010::2
internal1 has XXXX:XXXX:XXXX:4010::?/68
internal2 has XXXX:XXXX:XXXX:4010::?/68 (another subnet from internal1)
or my second option:
wan1 has XXXX:XXXX:XXXX:4010::1 & XXXX:XXXX:XXXX:4010::2
internal1 has XXXX:XXXX:XXXX:4011::?/64
internal2 has XXXX:XXXX:XXXX:4012::?/64
Many thanks for your help and ideas.
Jerome
Sorry for the late reply Jerome,
Unfortunately I do all my subnetting by hand when it comes to IPv6. Stick to nibbles (4 bits), as the subnets are split by hex digit.
xxxx:xxxx:xxxx:xxxx::/64
==
xxxx:xxxx:xxxx:xxxx:1000::/68
xxxx:xxxx:xxxx:xxxx:2000::/68
xxxx:xxxx:xxxx:xxxx:3000::/68
..
and so forth.
My ISP has given me 2 /64s; for some reason my delegate interface (WAN) has one /64 and then the inside gets another /64. Internally, anything that has access to the Internet uses that same globally unique IPv6 address, as my lab environment isn't large enough to try subnetting the /64 I get.
Sorry that I'm not of much help here, but if you find a solution don't hesitate to reply or post it up on your site/blog and link it here!
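The two questions in this thread (whether SLAAC picks up the delegated prefix automatically, and how to carve one delegation into a subnet per internal interface) can be answered with a small planner. The script below is an added example, not code from the article or from Fortinet: it hands out nibble-aligned /64s from a delegated prefix in the order the reply above describes, and derives the modified-EUI-64 address a host will form from its MAC under SLAAC. The prefixes and MAC are constructed documentation values; it stops at /64 because SLAAC interface identifiers are 64 bits.

```python
import ipaddress

# Added example (not from the original article). Constructed sample values only.

def per_interface_64s(delegated: str, interfaces):
    """Assign consecutive /64s from `delegated` to `interfaces`, in nibble order."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"{net} is not nibble aligned (length not a multiple of 4)")
    if net.prefixlen > 64:
        raise ValueError("SLAAC needs a full /64 per segment; prefix is too long")
    capacity = 2 ** (64 - net.prefixlen)          # how many /64s the delegation holds
    if len(interfaces) > capacity:
        raise ValueError(f"{net} only holds {capacity} /64 subnets")
    subnets = net.subnets(new_prefix=64)          # ascending: ::, :1::, :2::, ...
    return {name: next(subnets) for name in interfaces}

def slaac_eui64(subnet: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from a /64 and its MAC via modified EUI-64 (RFC 4291).

    Only holds for hosts without privacy extensions (RFC 4941/7217); those use a
    random interface identifier, so do not build policy on this value."""
    if subnet.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits; need a /64")
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    first = octets[0] ^ 0x02                      # flip the universal/local bit
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(subnet.network_address) | int.from_bytes(iid, "big"))

def expected_host_address(delegated: str, interfaces, iface: str, mac: str) -> str:
    """Where a given host lands once the delegation is split per interface."""
    return str(slaac_eui64(per_interface_64s(delegated, interfaces)[iface], mac))

if __name__ == "__main__":
    plan = per_interface_64s("2001:db8:ab00::/56", ["Internal", "DMZ", "Guest"])
    for name, sub in plan.items():
        print(f"{name:<9} {sub}")
    print(expected_host_address("2001:db8:ab00::/56", ["Internal", "DMZ", "Guest"],
                                "DMZ", "00:11:22:33:44:55"))
```

Running it against a real delegation and a host's MAC is a quick way to confirm that the address the host shows is the delegated prefix plus its EUI-64 identifier, rather than a stale prefix the firewall kept handing out.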
I am using a FortiGate 61E with 6.4.5 and "Deutsche Glasfaser" as ISP, and your tutorial works like a charm.
Just a short hint for those who will configure SLAAC for the first time:
Please enter the following lines:
set upstream-interface "wan2"
set ip-mode delegated
in inverted order, otherwise "set upstream-interface" is not available.
Thank you for this tutorial and all the best!
Maik
Awesome to hear that it worked for you Maik!
Your ISP may still end up cycling both the inside and outside IPv6 address spaces assigned to you. When this happens you'll find that your FortiGate continues to hand out the previous address as the delegation, and IPv6 Internet traffic stops working.
For this you will need to speak to Deutsche Glasfaser and find their lease/hint length for both your inside and outside IPv6 address space, to set "set dhcp6-prefix-hint-plt" and "set dhcp6-prefix-hint-vlt" to the correct values.