Before you can start the manual IPv6 tunnel configuration, the only thing you need is a so-called tunnel broker. I use the Hurricane Electric Free IPv6 Tunnel Broker.
See my post “IPv6 tunnel on Time Capsule” if you need more details about the Tunnel Broker.
The FortiGate/FortiWifi 30D doesn't support 6in4 configuration via the GUI, only via the CLI. The CLI configuration should look like the parts below.
In the config parts I use placeholders for the IP addresses; this is what they mean:
<IPv4_A> = Server IPv4 Address (www.whatismyip.com)
<IPv6_A> = Server IPv6 Address (HE IPv6, mostly x::1/64)
<IPv4_B> = Client IPv4 Address (HE IPv4 address)
<IPv6_B> = Client IPv6 Address (Your IPv6, mostly x::1/64)
<IPv6_C> = Routed IPv6 Prefix gateway
<IPv6_D> = Routed IPv6 Prefix
Create the sit-tunnel interface
config system sit-tunnel
    edit "HE_6in4_TUNNEL"
        set source <IPv4_A>
        set destination <IPv4_B>
        set ip6 <IPv6_B>
        set interface "wan"
    next
end
Now you should already be able to ping the HE IPv6 address:
execute ping6 <IPv6_A>
Add the default IPv6 route
config router static6
    edit 1
        set device "HE_6in4_TUNNEL"
    next
end
You can check whether the default route has been added with get router info6 routing-table; you should see something like this:
S* ::/0 [10/0] via ::, HE_6in4_TUNNEL, 00:01:08
Add the Routed IPv6 address to your LAN and enable router advertisements
config system interface
    edit "internal"
        config ipv6
            set ip6-allowaccess ping https ssh fgfm capwap
            set ip6-address <IPv6_C>
            set ip6-send-adv enable
            config ip6-prefix-list
                edit <IPv6_D>
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end
Add the policy to allow clients to reach the Internet
config firewall address6
    edit "HE_ROUTED_/64"
        set ip6 <IPv6_D>
    next
end
config firewall policy6
    edit 1
        set srcintf "internal"
        set dstintf "HE_6in4_TUNNEL"
        set srcaddr "HE_ROUTED_/64"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
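With IPv4 you would enable NAT on this policy most of the time. With IPv6 this is not needed, since the IPv6 addresses you got from HE (in this case) are specifically assigned to you. Without NAT the firewall policy is what separates the LAN hosts from the Internet: the policy above only allows traffic from "internal" to the tunnel, and nothing is allowed in from the tunnel unless you add a policy for it.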
You can also configure IPv6 DNS servers, for example the DNS servers from OpenDNS:
config system dns
    set ip6-primary 2620:0:ccd::2
    set ip6-secondary 2620:0:ccc::2
end
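The six placeholder values are easy to mix up, in particular the tunnel prefix and the routed prefix. The Python check below is an added example, not part of the original configuration or of FortiOS; the function name check_tunnel_plan and the sample addresses (documentation ranges) are made up for illustration.

```python
import ipaddress as ipa

# Constructed sample values (documentation ranges), in the order of the legend:
# IPv4_A, IPv4_B, IPv6_A, IPv6_B, IPv6_C, IPv6_D
SAMPLE_OK = ("198.51.100.10", "192.0.2.1",
             "2001:db8:1:2::1/64", "2001:db8:1:2::2/64",
             "2001:db8:aa:bb::1/64", "2001:db8:aa:bb::/64")


def check_tunnel_plan(ipv4_a, ipv4_b, ipv6_a, ipv6_b, ipv6_c, ipv6_d):
    """Return a list of problems in the six placeholder values ([] means OK)."""
    src = ipa.ip_address(ipv4_a)        # "set source" on the sit-tunnel
    dst = ipa.ip_address(ipv4_b)        # "set destination" on the sit-tunnel
    he_end = ipa.ip_interface(ipv6_a)   # address pinged with "execute ping6"
    my_end = ipa.ip_interface(ipv6_b)   # "set ip6" on the sit-tunnel
    lan_gw = ipa.ip_interface(ipv6_c)   # "set ip6-address" on "internal"
    routed = ipa.ip_interface(ipv6_d)   # ip6-prefix-list entry and address6 object

    problems = []
    if src.version != 4 or dst.version != 4:
        problems.append("sit-tunnel source and destination must be IPv4")
    if any(v.version != 6 for v in (he_end, my_end, lan_gw, routed)):
        problems.append("IPv6_A to IPv6_D must all be IPv6")
    if problems:
        return problems  # the checks below assume the right address families

    if src == dst:
        problems.append("sit-tunnel source and destination are identical")
    if he_end.ip == my_end.ip or he_end.network != my_end.network:
        problems.append("IPv6_A and IPv6_B must be different hosts in one tunnel prefix")
    if routed.ip != routed.network.network_address:
        problems.append("IPv6_D must be a prefix, not a host address")
    if routed.network.prefixlen != 64:
        problems.append("SLAAC (autonomous-flag) on the LAN expects a /64 prefix")
    if lan_gw.ip not in routed.network:
        problems.append("IPv6_C is outside the routed prefix IPv6_D")
    if routed.network.overlaps(my_end.network):
        problems.append("IPv6_D overlaps the tunnel prefix; the LAN needs the routed one")
    return problems


if __name__ == "__main__":
    print(check_tunnel_plan(*SAMPLE_OK) or "plan is consistent")
```

Run it with your own six values before pasting them into the CLI; an empty list means the values are consistent with each other.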
Not even working with you now and you still helped me solve a network issue!
Fantastic thinking put to paper here:
<IPv4_A> = Server IPv4 Address (www.whatismyip.com)
<IPv6_A> = Server IPv6 Address (HE IPv6, mostly x::1/64)
<IPv4_B> = Client IPv4 Address (HE IPv4 address)
<IPv6_B> = Client IPv6 Address (Your IPv6, mostly x::1/64)
<IPv6_C> = Routed IPv6 Prefix gateway
<IPv6_D> = Routed IPv6 Prefix
This ^^^