6in4 tunnel on FortiWifi-30D

Before you can start your manual IPv6 tunnel configuration, the only thing you need is a so-called Tunnel Broker. I use the Hurricane Electric Free IPv6 Tunnel Broker.
See my post “IPv6 tunnel on Time Capsule” if you need more details about the Tunnel Broker.

The FortiGate/FortiWifi 30D does not support 6in4 configuration via the GUI, only via the CLI. The CLI configuration is described step by step below.

In the config snippets I use the following placeholders for the addresses; this is what they mean:
<IPv4_A> = Server IPv4 Address (www.whatismyip.com)
<IPv6_A> = Server IPv6 Address (HE IPv6, mostly x::1/64)
<IPv4_B> = Client IPv4 Address (HE IPv4 address)
<IPv6_B> = Client IPv6 Address (Your IPv6, mostly x::1/64)
<IPv6_C> = Routed IPv6 Prefix gateway
<IPv6_D> = Routed IPv6 Prefix

Create the sit-tunnel interface

config system sit-tunnel
    edit "HE_6in4_TUNNEL"
        set source <IPv4_A>
        set destination <IPv4_B>
        set ip6 <IPv6_B>
        set interface "wan"
    next
end

Now you should already be able to ping the HE IPv6 address: execute ping6 <IPv6_A>

Add the default IPv6 route

config router static6
    edit 1
        set device "HE_6in4_TUNNEL"
    next
end

You can check whether the default route was added with get router info6 routing-table; you should see something like this:

S*      ::/0 [10/0] via ::, HE_6in4_TUNNEL, 00:01:08

Add the routed IPv6 address to your LAN interface and enable router advertisements

config system interface
    edit "internal"
        config ipv6
            set ip6-allowaccess ping https ssh fgfm capwap
            set ip6-address <IPv6_C>
            set ip6-send-adv enable
            config ip6-prefix-list
                edit <IPv6_D>
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

Add the policy to allow clients to reach the Internet

config firewall address6
    edit "HE_ROUTED_/64"
        set ip6 <IPv6_D>
    next
end
config firewall policy6
    edit 1
        set srcintf "internal"
        set dstintf "HE_6in4_TUNNEL"
        set srcaddr "HE_ROUTED_/64"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

With IPv4 you will usually enable NAT on such a policy; with IPv6 this is not needed, since the IPv6 prefix you got from HE (in this case) is assigned specifically to you and routed to your tunnel.

You can also add IPv6 DNS servers, for example the DNS servers from OpenDNS:

config system dns
    set ip6-primary 2620:0:ccd::2
    set ip6-secondary 2620:0:ccc::2
end
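To catch an inconsistent set of placeholder values before pasting them into the CLI, here is an added Python check that is not part of the original post or of FortiOS: it validates the six placeholders with the standard ipaddress module (same HE /64 for both tunnel ends, a /64 routed prefix for SLAAC, LAN gateway inside that prefix, a non-RFC 1918 tunnel source) and renders the sit-tunnel and address6 blocks. The sample values are constructed from documentation ranges, not real HE assignments.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Only the two blocks whose values are checked below; the other blocks are unchanged.
TEMPLATE = """\
config system sit-tunnel
    edit "HE_6in4_TUNNEL"
        set source {src}
        set destination {dst}
        set ip6 {ip6}
        set interface "wan"
    next
end
config firewall address6
    edit "HE_ROUTED_/64"
        set ip6 {prefix}
    next
end
"""

def validate_6in4(ipv4_a, ipv4_b, ipv6_a, ipv6_b, ipv6_c, ipv6_d):
    """Check the placeholders as defined in the post (A/B IPv4 = source/destination,
    A/B IPv6 = HE end/own end, C = LAN gateway, D = routed prefix). Raises ValueError."""
    src, dst = ipaddress.IPv4Address(ipv4_a), ipaddress.IPv4Address(ipv4_b)
    he_end, my_end = ipaddress.IPv6Interface(ipv6_a), ipaddress.IPv6Interface(ipv6_b)
    lan_gw = ipaddress.IPv6Interface(ipv6_c)
    routed = ipaddress.IPv6Network(ipv6_d)  # strict: host bits must be zero
    if any(src in net for net in RFC1918):
        raise ValueError("source must be the public WAN address (whatismyip.com), not RFC 1918")
    if he_end.network != my_end.network or he_end.ip == my_end.ip:
        raise ValueError("both tunnel ends must be distinct addresses in the same HE /64")
    if routed.prefixlen != 64:
        raise ValueError("SLAAC (autonomous-flag) needs a /64 routed prefix")
    if routed.overlaps(he_end.network):
        raise ValueError("routed prefix must not overlap the tunnel /64")
    if lan_gw.network != routed:
        raise ValueError("LAN gateway address (IPv6_C) must lie inside the routed prefix")
    return {"src": str(src), "dst": str(dst), "ip6": str(my_end), "prefix": str(routed)}

def render_config(**placeholders):
    """Validate, then fill the CLI template with the checked values."""
    return TEMPLATE.format(**validate_6in4(**placeholders))

# Constructed sample values from RFC 5737 / RFC 3849 documentation ranges.
SAMPLE = dict(ipv4_a="203.0.113.10", ipv4_b="198.51.100.1",
              ipv6_a="2001:db8:1::1/64", ipv6_b="2001:db8:1::2/64",
              ipv6_c="2001:db8:2::1/64", ipv6_d="2001:db8:2::/64")

if __name__ == "__main__":
    print(render_config(**SAMPLE))
```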

IPv6 addressing on point-to-point links

IPv6 subnets are normally not smaller than /64, but on point-to-point links this seems a rather excessive use of the IPv6 space. In this post I try to show you the possible alternative subnet sizes; you can decide for yourself which prefix size you prefer. You could consider the following alternatives:

/127

You could see this as the equivalent of the 31-bit prefixes in IPv4. Previously a /127 prefix was considered harmful, as described in RFC 3627, but RFC 6547 states that the guidance in RFC 6164 is to be followed where the two documents conflict. This is a quote from RFC 6164 in which the authors refute the arguments of the old RFC.

[RFC3627] discourages the use of 127-bit prefix lengths due to
conflicts with the Subnet-Router anycast addresses, while stating
that the utility of Subnet-Router anycast for point-to-point links is

[RFC5375] also says the usage of 127-bit prefix lengths is not valid
and should be strongly discouraged, but the stated reason for doing
this is to be in compliance with [RFC3627].

Though the analyses in the RFCs are correct, operational experience
with IPv6 has shown that /127 prefixes can be used successfully.

The same RFC gives the following reasons to use prefixes longer than 64 bits, particularly 127 bits:

  • Ping-Pong Issue
  • Neighbor Cache Exhaustion Issue

/126

The lowest address in every IPv6 subnet is the Subnet-Router anycast address. Using a /127 prefix on a vendor that does not support this could cause problems; using a 126-bit prefix length avoids that issue. However, the highest 128 addresses in every IPv6 prefix are also reserved for anycast addresses (RFC 2526).

/120

This prefix length skips all reserved anycast addresses, so you should be safe to implement it.

/112

Same as the /120, but possibly more readable for the network engineer: the last four-digit hexadecimal group, i.e. everything after the last colon, is used for the host part.

Start Chrome with IPv6 disabled

I was testing something in Chrome on a Mac and I wanted to be sure IPv6 was not the cause of the issue. In Firefox you have the option to disable IPv6 by browsing to about:config and toggling the preference network.dns.disableIPv6 to the value true.

Within Chrome I was not able to find such an option. The alternative is