Tunnel mode SSID IPv6 traffic

In the following example, FortiAP S221E is managed by FortiGate 100D and broadcasts tunnel mode SSID:FOS_QA_100D-IPv6.

To configure a WiFi client accessing IPv6 tunnel mode traffic:

1. Create a tunnel mode VAP:

   config wireless-controller vap
       edit "wifi4"
           set ssid "FOS_QA_100D-IPv6"
           set passphrase ********
           set schedule "always"
       next
   end

2. Create an IPv6 address for the VAP with DHCP enabled:

   config system interface
       edit "wifi4"
           set vdom "vdom1"
           set ip 10.40.80.1 255.255.255.0
           set allowaccess ping https http
           set type vap-switch
           set alias "vdom1:"
           set device-identification enable
           set role lan
           set snmp-index 36
           config ipv6
               set ip6-address 2001:10:40:80::1/64
               set ip6-allowaccess ping https http
               set ip6-send-adv enable
               set ip6-manage-flag enable
               set ip6-other-flag enable
           end
       next
   end

   config system dhcp6 server
       edit 1
           set subnet 2001:10:40:80::/64
           set interface "wifi4"
           config ip-range
               edit 1
                   set start-ip 2001:10:40:80::1000
                   set end-ip 2001:10:40:80::1100
               next
           end
       next
   end

3. Create an IPv6 policy from the VAP to WAN1:

   config firewall policy
       edit 1
           set name "ipv6"
           set srcintf "wifi4"
           set dstintf "wan1"
           set srcaddr "all"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "ALL"
           set logtraffic all
           set nat enable
       next
   end

4. Verify the IPv6 address in the station list:
   1. In the FortiGate CLI:

      # diagnose wireless-controller wlac -d sta online
         vf=4 wtp=3 rId=1 wlan=wifi4 vlan_id=0 ip=10.40.80.2 ip6=2001:10:40:80::1000 mac=b4:ae:2b:cb:d1:72 vci=MSFT 5.0 host=DESKTOP-DO33HQP user= group= signal=-29 noise=-93 idle=1 bw=48 use=5 chan=6 radio_type=11N security=wpa2_only_personal mpsk=default encrypt=aes cp_authed=no online=yes mimo=2
                      ip6=fe80::c5c5:6c09:8021:d2d0,88, *2001:10:40:80::1000,8,

   2. In the FortiAP CLI:

      FortiAP-S221E # sta
      wlan00 (FOS_QA_100D-IPv6) client count 1
          MAC:b4:ae:2b:cb:d1:72 ip:10.40.80.2 ip_proto:dhcp ip_age:84 host:DESKTOP-DO33HQP vci:MSFT 5.0
                                ip6:fe80::c5c5:6c09:8021:d2d0 ip6_proto:arp ip6_age:2 ip6_rx:101
                                ip6:2001:10:40:80::1000 ip6_proto:dhcp ip6_age:82 ip6_rx:20
              vlanid:0 Auth:Yes channel:6 rate:130Mbps rssi:65dB idle:0s
              Rx bytes:256951 Tx bytes:53947 Rx rate:130Mbps Tx rate:130Mbps Rx last:0s Tx last:0s
              AssocID:1 Mode:  Normal Flags:f PauseCnt:0
              KEY type=aes_ccm pad=0 keyix=65535 keylen=16 flags=3(xmit recv) RSC=0 TSC=0
                  e7 6f 05 ce   06 e1 4a 9b   3a d4 4f 43   1f 57 bb 49
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
              KEY type=aes_ccm pad=0 keyix=1 keylen=16 flags=83(xmit recv dflt) RSC=0 TSC=0
                  01 47 6f 21   9b ac 73 4b   7c ae 07 66   7e 5a c6 7e
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
                  00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00
      FortiAP-S221E #
      
      FortiAP-S221E # usta
      
      WTP daemon STA info:
      
        1/1   b4:ae:2b:cb:d1:72 00:00:00:00:00:00 vId=0    type=wl----sta,  vap=wlan00,FOS_QA_100D-IPv6(0) mpsk=default  ip=10.40.80.2/1  host=DESKTOP-DO33HQP vci=MSFT 5.0 os=Windows
                                ip6=fe80::c5c5:6c09:8021:d2d0/2 rx=101
                                ip6=2001:10:40:80::1000/1 rx=21
                                replycount=0000000000000002
      
      Total STAs: 1