Fortigate

From SixXS Wiki

This article explains how to configure a Fortigate for SixXS.

Part 1 describes how to configure a tunnel between your Fortigate firewall and an IPv6 tunnel provider.

In part 2 a subnet is configured on the Fortigate to allow the machines behind the firewall to connect to the Internet natively with IPv6 via the tunnel.

The configuration was tested on a Fortigate 60 with FortiOS 3.00 MR7 Patch 1 (build 0730) but should apply similarly to other Fortigate units.

MH 2/2013: Additions for v4.0,build0646,121119 (MR3 Patch 11) with "vdom". Marked important things red.

Part 1: Setting up a tunnel

Note: Be careful: This does not work on vdom-link interfaces

Once your tunnel request has been approved you should have the following information:

  • POP v4 address (e.g. 1.2.3.4, provided by the tunnel broker)
  • POP v6 address (e.g. 2001:db8:123::1/64, provided by the tunnel broker)
  • Your v4 address (e.g. 5.6.7.8, provided by you)
  • Your v6 address (e.g. 2001:db8:123::2/64, provided by the tunnel broker)

For heartbeat tunnels: as FortiOS does not support the heartbeat protocol, you'll need to run AICCU on a host within your LAN. Because the heartbeat uses IPv4, NAT is not an issue.

In FortiOS 3.00 MR7 the command for setting up an IPv6-in-IPv4 tunnel has changed from config system ipv6-tunnel to config system sit-tunnel. Unfortunately not all of the Fortigate documentation has been updated (see here for more details).

Configure the tunnel (3.00 MR5 and before)

config system ipv6-tunnel
edit "sixxs.net"
    set destination <POP v4 address>
    set interface <v4 interface towards POP>
    set ip6 <Your v6 address>
    set source <Your v4 address>
end

Configure the tunnel (3.00 MR7 and later)

config system sit-tunnel
edit "sixxs.net"
    set destination <POP v4 address>
    set interface <v4 interface towards POP>
    set ip6 <Your v6 address>
    set source <Your v4 address>
end

Configure the tunnel (in a vdom with v4.0)

config vdom <vdom name>
(vdom) # edit <vdom name>
current vf=<vdom name>:0
config system sit-tunnel
edit "sixxs.net"
    set destination <POP v4 address>
    set interface <v4 interface towards POP>
    set ip6 <Your v6 address>
    set source <Your v4 address>
end

Note: If using a PPPoE interface on the FortiGate, leave the 'set interface' setting unset. When your ISP assigns dynamic addresses by DHCP, use 'set source 0.0.0.0'. When working with vdoms, this has to be done in the vdom section.


This will create a tunnel with the name "sixxs.net" and a tunnel interface with the same name which you should be able to see with

show system ipv6-tunnel (<-- 3.00 MR5 and before)
show system sit-tunnel  (<-- 3.00 MR7 and later)
show system interface

Allow the tunnel provider to ping your end of the tunnel. Otherwise the tunnel won't be considered "up" and you won't get any additional credits for requesting a subnet.

config system interface
edit "sixxs.net"
    config ipv6
        set ip6-allowaccess ping
    end
end

Note: When working with vdoms this has to be done in the global section; add "set vdom your-vdom".

Set up the default route

Then configure a default route with

config router static6
edit 1
    set device "sixxs.net"
end

Note: when working with vdoms this has to be done in the vdom section.

Note: No need to set a destination route here as ::/0 is implied by default.

Check the tunnel setup

First check if you can ping out

execute ping6 <POP v6 address>

Then check if your provider can ping you. Set up the packet sniffer to see if you are getting traffic from the outside at all:

diagnose sniffer packet sixxs.net

Then go to http://www.berkom.blazing.de/tools/ping.cgi and enter your v6 address. To see if the website works you might enter your provider's v6 address first. If the ping is working you should see the incoming echo requests and the outgoing echo replies on the command line, which should look similar to this:

interfaces=[sixxs.net]
filters=[none]
pcap_lookupnet: sixxs.net: no IPv4 address assigned
9.442391 2a01:30:1000::53 -> 2001:db8:123::2: icmp6: echo request seq 1
9.442588 2001:db8:123::2 -> 2a01:30:1000::53: icmp6: echo reply seq 1
10.447947 2a01:30:1000::53 -> 2001:db8:123::2: icmp6: echo request seq 2
10.448077 2001:db8:123::2 -> 2a01:30:1000::53: icmp6: echo reply seq 2
11.457778 2a01:30:1000::53 -> 2001:db8:123::2: icmp6: echo request seq 3
11.457898 2001:db8:123::2 -> 2a01:30:1000::53: icmp6: echo reply seq 3
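The following Python, added here and not part of the original article, parses that sniffer output and pairs each inbound echo request with the reply the FortiGate sent back; the sample input is constructed from the lines above, with the reply to seq 3 deliberately omitted to show how an unanswered request is reported.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the article's sniffer lines, with the reply to seq 3 deliberately left out.
SNIFFER_OUTPUT = """\
interfaces=[sixxs.net]
filters=[none]
pcap_lookupnet: sixxs.net: no IPv4 address assigned
9.442391 2a01:30:1000::53 -> 2001:db8:123::2: icmp6: echo request seq 1
9.442588 2001:db8:123::2 -> 2a01:30:1000::53: icmp6: echo reply seq 1
10.447947 2a01:30:1000::53 -> 2001:db8:123::2: icmp6: echo request seq 2
10.448077 2001:db8:123::2 -> 2a01:30:1000::53: icmp6: echo reply seq 2
11.457778 2a01:30:1000::53 -> 2001:db8:123::2: icmp6: echo request seq 3
"""

# One "diagnose sniffer packet" line for an ICMPv6 echo; header lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[0-9a-fA-F:]+) -> (?P<dst>[0-9a-fA-F:]+): "
    r"icmp6: echo (?P<kind>request|reply) seq (?P<seq>\d+)$"
)


def parse_echoes(text: str) -> List[dict]:
    """Return the echo request/reply lines as dicts with numeric ts and seq."""
    echoes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = float(d["ts"])
            d["seq"] = int(d["seq"])
            echoes.append(d)
    return echoes


def pair_echoes(text: str, my_v6: str) -> Tuple[Dict[int, int], List[int]]:
    """Pair requests sent to my_v6 with the replies we returned to the same peer and seq.

    Returns ({seq: turnaround on the box in microseconds}, [seq of unanswered requests]).
    An unanswered request means the packet arrived over the tunnel but the FortiGate did not
    answer, e.g. because 'set ip6-allowaccess ping' is missing on the tunnel interface."""
    pending: Dict[Tuple[str, int], float] = {}   # (peer, seq) -> request timestamp
    answered: Dict[int, int] = {}
    for e in parse_echoes(text):
        if e["kind"] == "request" and e["dst"] == my_v6:
            pending[(e["src"], e["seq"])] = e["ts"]
        elif e["kind"] == "reply" and e["src"] == my_v6 and (e["dst"], e["seq"]) in pending:
            answered[e["seq"]] = round((e["ts"] - pending.pop((e["dst"], e["seq"]))) * 1_000_000)
    return answered, sorted(seq for _peer, seq in pending)
```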

That completes the tunnel setup.

Part 2: Setting up a subnet

Once your tunnel has been up for a while you have enough credits to request a subnet. (Writing an article on the Wiki might also help). With a subnet we can connect the machines behind the firewall to the IPv6 network. When the subnet has been approved you have the following information

* Subnet IPv6: <your IPv6 /48 subnet> (e.g. 2001:db8:456::/48)
* Routed to: <your IPv6 address endpoint of the tunnel> (e.g. 2001:db8:123::2/64)

The /48 network provides us with 65536 (2^16) /64 networks which we probably don't need. In the initial configuration we are configuring a single /64 network on the LAN. We choose number 35 arbitrarily as a subnet id and therefore the prefix for our LAN subnet is

2001:db8:456:35::/64
^^^^^^^^^^^^ ^^
/48 prefix    subnet id

Configuring the internal interface of the firewall

First we have to give the firewall an IP address from the subnet and configure it to send out router advertisement messages so that the other machines in the network configure themselves automatically.

In this example we are giving the firewall the address 2001:db8:456:35::1/64 and advertising 2001:db8:456:35::/64 as the on-link prefix.

config system interface
    edit "internal"
        config ipv6
            set ip6-address 2001:db8:456:35::1/64     ; ipv6 address of the "internal" interface
            set ip6-allowaccess ping                  ; allow interface to be pinged
            config ip6-prefix-list
                edit 2001:db8:456:35::/64             ; add a new prefix to the interface
                    set autonomous-flag enable        ; let hosts use this prefix for stateless
                                                      ; address autoconfiguration (A flag in the RA)
                    set onlink-flag enable            ; the prefix is on this link
                    set preferred-life-time 3600      ; autoconfigured addresses stay preferred for 1h
                next
            end
            set ip6-send-adv enable                   ; enable router advertisement messages.
                                                      ; Triggers auto-configuration of the machines on the LAN
        end
    next
end

NOTE: You might need to reboot the FortiGate to get the auto-advertisements to be sent out.

Check auto-configuration

After a while all IPv6 capable machines should have an IPv6 address with the 2001:db8:456:35::/64 prefix. If the link-local address of the interface is fe80::469:da12:fe95:b431/64 then the machine should have 2001:db8:456:35:469:da12:fe95:b431/64 as an additional IPv6 address on eth0, for example. Check if you can ping the firewall:

ping6 -I eth0 2001:db8:456:35::1
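As an added check that is not part of the original article, the following Python derives the LAN /64 from the routed /48 and the subnet id chosen above, computes the SLAAC address a host should pick up from the router advertisement, and compares it with the addresses actually seen on the host; all values are the documentation addresses used in this article.

```python
import ipaddress
from typing import List, Tuple

# Sample values constructed from the article's examples (documentation prefixes, not live addresses).
ROUTED_48 = ipaddress.IPv6Network("2001:db8:456::/48")
SUBNET_ID = int("35", 16)   # the article writes the subnet id as the hextet "35"
LINK_LOCAL = ipaddress.IPv6Address("fe80::469:da12:fe95:b431")


def lan_prefix(routed_48: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one /64 out of the routed /48: address bits 48..63 carry the 16-bit subnet id."""
    if routed_48.prefixlen != 48:
        raise ValueError("expected the routed /48, got /%d" % routed_48.prefixlen)
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Network((int(routed_48.network_address) | (subnet_id << 64), 64))


def slaac_address(prefix: ipaddress.IPv6Network,
                  link_local: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """SLAAC keeps the host's 64-bit interface identifier and puts the advertised /64 in front."""
    if prefix.prefixlen != 64 or not link_local.is_link_local:
        raise ValueError("need a /64 prefix and an fe80::/10 link-local address")
    iid = int(link_local) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def check_autoconf(prefix: ipaddress.IPv6Network, link_local: ipaddress.IPv6Address,
                   observed: List[str]) -> Tuple[bool, List[str]]:
    """Compare the addresses configured on the host (as 'addr/len' strings, e.g. from ip -6 addr)
    with what the RA should have produced.

    Returns (expected SLAAC address present?, other addresses inside the prefix). Extra addresses
    inside the prefix are usually temporary privacy-extension addresses, not a misconfiguration."""
    want = slaac_address(prefix, link_local)
    seen = [ipaddress.IPv6Address(a.split("/")[0]) for a in observed]
    extra = [str(a) for a in seen if a in prefix and a != want]
    return want in seen, extra
```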

Note: Everything below this line could be done in the web interface with v4.

The sixxs.net interface should be visible below the WAN interface you've used in the web interface.

Configure outbound policies

In order for traffic to go through the firewall you need to add policies. First we have to configure the address for our subnet and the "all" address, as the Fortigate doesn't configure that automatically.

config firewall address6
    edit "all" 
        set ip6 ::/0
    next
    edit "lan-v6"
        set ip6 2001:db8:456:35::/64
    next
end

Then we add an outbound policy for ping packets

config firewall policy6    
    edit 1
        set srcintf "internal"
        set dstintf "sixxs.net"
        set srcaddr "lan-v6"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING6"
    next
end

Now you should be able to ping ipv6.google.com

ping6 -I eth0 ipv6.google.com (or ping6 -I eth0 2001:4860:0:1001::68)

To allow outbound HTTP traffic you can either add another policy with the service "HTTP" or create a service group. As you already know how to add a policy we're going to create a service group for HTTP, HTTPS and PING4/6.

config firewall service group
    edit "http-https"
        set member "PING" "HTTP" "HTTPS" "PING6"  
    next
end

Then we just need to update the policy

config firewall policy6
    edit 1
        set service "http-https"
    next
end

Now you should be able to telnet for example to Google on port 80

telnet -6 ipv6.google.com 80

Trying 2001:4860:0:1001::68...
Connected to ipv6.google.com.
Escape character is '^]'.

or try connecting with your favorite web browser (don't forget to re-enable IPv6 in the browser in case you have disabled it before).

Configuring inbound policies

In order for our machines to be accessible on the IPv6 internet we need to define inbound policies. For now ping is enough.

config firewall policy6
    edit 2
        set srcintf "sixxs.net"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "lan-v6"
        set action accept
        set schedule "always"
        set service "PING6"
end

Go to the IPv6 Ping Check and check if you can ping a machine on your subnet, e.g. 2001:db8:456:35:469:da12:fe95:b431/64

Links