IPv6 quick start example
In this example, a host belonging to a specific range on the internal IPv6 network can communicate exclusively with the web server and FTP server.
Additionally, all internal clients can access the Internet.
Prerequisites
Before you begin to configure IPv6, go through the following steps:
-
Obtain an IPv6 /48 global routing prefix, commonly known as a site prefix. To procure a 48-bit IPv6 site prefix for your organization simply liaise with your ISP.
-
Design a subnetting plan for your organization's IPv6 network using a 16-bit subnet ID, allowing for up to 65 535 subnets. The specific scheme will depend on the network's size, structure, and the organization's needs.
At this stage, the following installation and configuration conditions are assumed:
-
You have administrative access to the GUI or CLI.
-
The FortiGate unit is incorporated into your WAN or other networks, but for simplicity, only the standalone ForiGate configuration is displayed.
Topology
The following topology is used for this example:
-
The company is assigned the site prefix of 2001:db8:d0c::/48 by their ISP.
-
The IPv6 address for the Web Server is 2001:db8:d0c:3::1/64.
-
The IPv6 address for the FTP Server is 2001:db8:d0c:3::2/64.
-
The IPv6 address for the TFTP Server is 2001:db8:d0c:3::3/64.
-
The range on the internal IPv6 network that can access both servers is from 2001:db8:d0c:2::1 to 2001:db8:d0c:2::32.
-
The IPv6 address of port1 is 2001:db8:d0c:1::1/64.
-
The IPv6 address of port2 is 2001:db8:d0c:2::f/64.
-
The IPv6 address of port3 is 2001:db8:d0c:3::f/64.
-
The IPv6 address of the default gateway is 2001:db8:d0c:1::f/64.
Please note that the IPv6 addresses used in this example are for illustrative purposes only and should not be used in your environment. The 2001:db8::/32 prefix is a special IPv6 prefix designated for use in documentation examples. See RFC 3849 for more information. |
To configure the example in the GUI:
-
Configure the IPv6 address on port1, port2 and port3:
-
Go to Network > Interfaces and edit port1.
-
For IPv6 addressing Mode, select manual and enter the IPv6 Address/Prefix.
IPv6 Address/Prefix 2001:db8:d0c:1::1/64 -
Click OK.
-
Repeat steps a and b for port2.
IPv6 Address/Prefix 2001:db8:d0c:2::f/64 -
Repeat steps a and b for port3.
IPv6 Address/Prefix 2001:db8:d0c:3::f/64
-
-
Configure the default route:
-
Go to Network > Static Routes.
-
Click Create New > IPv6 Static Route.
-
Configure the following settings:
Destination ::/0 Gateway Address 2001:db8:d0c:1::f Interface port1 -
Select OK.
-
-
Configure the IPv6 firewall address for the Web Server:
-
Go to Policy & Objects > Addresses.
-
Select Create New > Address.
-
Select IPv6 Address and fill out the fields with the following information:
Name Web_Server Type IPv6 Subnet IPv6 Address 2001:db8:d0c:3::1/128 -
Select OK.
-
-
Configure the IPv6 firewall address for the FTP Server:
-
Go to Policy & Objects > Addresses.
-
Select Create New > Address.
-
Select IPv6 Address and fill out the fields with the following information:
Name FTP_Server Type IPv6 Subnet IPv6 Address 2001:db8:d0c:3::2/128 -
Select OK.
-
-
Configure the IPv6 address group, which includes both the Web and FTP servers:
-
Go to Policy & Objects > Addresses.
-
Select Create New > Address Group.
-
Select IPv6 Group and fill out the fields with the following information:
Group name Custom_Server Members Web_Server, FTP_Server -
Select OK.
-
-
Configure the IPv6 firewall address for the Internal IPv6 network range which can access both the Web and FTP server:
-
Go to Policy & Objects > Addresses.
-
Select Create New > Address.
-
Select IPv6 Address and fill out the fields with the following information:
Name Internal_Custom_Range Type IPv6 Range IP Range 2001:db8:d0c:2::1 - 2001:db8:d0c:2::32 -
Select OK.
-
-
Configure the IPv6 firewall policy to allow IPv6 traffic from Internal_Custom_Range to Custom_Server:
-
Go to Policy & Objects > Firewall Policy.
-
Click Create New.
-
Name the policy and configure the following parameters:
Incoming Interface port2 Outgoing Interface port3 Source Internal_Custom_Range Destination Custom_Server Schedule always Service FTP, HTTPS Action ACCEPT -
Click OK.
-
-
Configure the IPv6 firewall policy to allow IPv6 traffic from internal clients to the Internet:
-
Go to Policy & Objects > Firewall Policy.
-
Click Create New.
-
Name the policy and configure the following parameters:
Incoming Interface port2 Outgoing Interface port1 Source all Destination all Schedule always Service ALL Action ACCEPT -
Click OK.
-
To configure the example in the CLI:
-
Configure the IPv6 address on port1, port2, and port3:
config system interface edit "port1" config ipv6 set ip6-address 2001:db8:d0c:1::1/64 end next edit "port2" config ipv6 set ip6-address 2001:db8:d0c:2::f/64 end next edit "port3" config ipv6 set ip6-address 2001:db8:d0c:3::f/64 end next end
-
Configure the default route:
config router static6 edit 0 set gateway 2001:db8:d0c:1::f set device "port1" next end
-
Configure the IPv6 firewall address for the Web Server:
config firewall address6 edit "Web_Server" set ip6 2001:db8:d0c:3::1/128 next end
-
Configure the IPv6 firewall address for the FTP Server:
config firewall address6 edit "FTP_Server" set ip6 2001:db8:d0c:3::2/128 next end
-
Configure the IPv6 address group, which includes for the Web and FTP Servers:
config firewall addrgrp6 edit "Custom_Server" set member "FTP_Server" "Web_Server" next end
-
Configure the IPv6 firewall address for the Internal IPv6 network range which can access both the Web and FTP Server:
config firewall address6 edit "Internal_Custom_Range" set type iprange set start-ip 2001:db8:d0c:2::1 set end-ip 2001:db8:d0c:2::32 next end
-
Configure the IPv6 firewall policy to allow IPv6 traffic from Internal_Custom_Range to Custom_Server:
config firewall policy edit 1 set name "IPv6_internal_to_server" set srcintf "port2" set dstintf "port3" set action accept set srcaddr6 "Internal_Custom_Range" set dstaddr6 "Custom_Server" set schedule "always" set service "FTP" "HTTPS" set utm-status enable set logtraffic all next end
-
Configure the IPv6 firewall policy to allow IPv6 traffic from Internal clients to the Internet:
config firewall policy edit 1 set name "IPv6_internal_to_internet" set srcintf "port2" set dstintf "port1" set action accept set srcaddr6 "all" set dstaddr6 "all" set schedule "always" set service "ALL" set utm-status enable set logtraffic all next end
Verification
The following commands can be used to verify that IPv6 traffic is entering and leaving the FortiGate as expected. See Debugging the packet flow for more information.
diagnose debug enable diagnose debug flow trace start6 200
The output below indicates that hosts belonging to the Internal_Custom_Range can successfully reach both the Web_Server and FTP_Server defined in the Custom_Server address group.
However, they are unable to reach the TFTP server, as it is not included in the Custom_Server group. Furthermore, hosts with IPv6 addresses that do not belong to the Internal_Custom_Range are not able to access Custom_Server.
Host belonging to Internal_Custom_Range accessing Web_Server:
id=65308 trace_id=21 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet(proto=6, 2001:db8:d0c:2::1:55114->2001:db8:d0c:3::1:443) from port2." id=65308 trace_id=21 func=resolve_ip6_tuple line=5102 msg="allocate a new session-0000006b" id=65308 trace_id=21 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0 flags 40000001" id=65308 trace_id=21 func=fw6_forward_handler line=501 msg="Check policy between port2 -> port3" id=65308 trace_id=21 func=fw6_forward_handler line=638 msg="Allowed by Policy-1:"
Host belonging to Internal_Custom_Range accessing FTP_Server:
id=65308 trace_id=6 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet(proto=6, 2001:db8:d0c:2::32:50982->2001:db8:d0c:3::2:21) from port2." id=65308 trace_id=6 func=resolve_ip6_tuple line=5102 msg="allocate a new session-00000053" id=65308 trace_id=6 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0 flags 40000001" id=65308 trace_id=6 func=fw6_forward_handler line=501 msg="Check policy between port2 -> port3" id=65308 trace_id=6 func=fw6_forward_handler line=638 msg="Allowed by Policy-1:"
Host belonging to Internal_Custom_Range accessing TFTP Server:
id=65308 trace_id=17 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet(proto=17, 2001:db8:d0c:2::32:65316->2001:db8:d0c:3::3:69) from port2." id=65308 trace_id=17 func=resolve_ip6_tuple line=5102 msg="allocate a new session-00000055" id=65308 trace_id=17 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0 flags 40000001" id=65308 trace_id=17 func=fw6_forward_handler line=501 msg="Check policy between port2 -> port3" id=65308 trace_id=17 func=fw6_forward_handler line=530 msg="Denied by forward policy check"
Host not belonging to Internal_Custom_Range accessing FTP_Server:
id=65308 trace_id=1 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet(proto=6, 2001:db8:d0c:2::33:52555->2001:db8:d0c:3::2:21) from port2." id=65308 trace_id=1 func=resolve_ip6_tuple line=5102 msg="allocate a new session-0000004d" id=65308 trace_id=1 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0 flags 40000001" id=65308 trace_id=1 func=fw6_forward_handler line=501 msg="Check policy between port2 -> port3" id=65308 trace_id=1 func=fw6_forward_handler line=530 msg="Denied by forward policy check"
Internal clients accessing the Internet:
The output below indicates that internal clients can successfully reach the internet.
-
Go to Log & Report > Forward Traffic.
-
View the log details in the GUI, or download the log file:
1: date=2023-05-10 time=13:22:54 eventtime=1683750174692262952 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=2001:db8:d0c:2::1 srcport=64780 srcintf="port2" srcintfrole="undefined" dstip=64:ff9b::83fd:21c8 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=15723 proto=6 action="close" policyid=2 policytype="policy" poluuid="ea8a972e-d7e9-51ed-9b29-757f04e7194c" policyname="IPv6_internal_to_internet" srccountry="Reserved" service="HTTPS" trandisp="noop" duration=3 sentbyte=47192 rcvdbyte=13199 sentpkt=49 rcvdpkt=48 appcat="unscanned" 2: date=2023-05-10 time=13:19:47 eventtime=1683749987902192921 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=2001:db8:d0c:2::33 srcport=51246 srcintf="port2" srcintfrole="undefined" dstip=64:ff9b::349f:31c7 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=15126 proto=6 action="close" policyid=2 policytype="policy" poluuid="ea8a972e-d7e9-51ed-9b29-757f04e7194c" policyname="IPv6_internal_to_internet" srccountry="Reserved" service="HTTPS" trandisp="noop" duration=59 sentbyte=5109 rcvdbyte=7726 sentpkt=13 rcvdpkt=11 appcat="unscanned"