Last week I had to configure a Fortigate with IPv6. Also the firewall was needed to works as DHCPv6 Server.
Within two weeks, we will have around 200-300 network administrators in a conference room connected by WIFI. We want this users only get IPv6 addresses. So, if the network administrators haven't just implemented the IPv6 in their remote networks, they will not be able to connect to them. We want they to keep in mind the importance of IPv6 in the near future.
The next configuration is running on the v5.0.2 Fortigate firmware version. This version is only recommended for testing propourses. I recommend you the v4.3.10 firmware version. In this case we want to test the last firmware version in an "production environment" too.
How to configure the external Interface:
config system interface
edit "wan1"
set alias "External"
config ipv6
set ip6-address xxxx:xxx:xxx:113::2/64
set ip6-allowaccess ping
set ip6-manage-flag enable
set ip6-other-flag enable
end
next
How to configure the static6 route:
config router static6
edit 1
set device "wan1"
set gateway xxxx:xxx:xxx:113::1
next
end
How to configure the Internal Interface:
config system interface
edit "Internal"
config ipv6
set ip6-mode static
set ip6-address xxxx:xxx:xxx:cccc::1/64
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
set ip6-max-interval 600
set ip6-min-interval 198
set ip6-link-mtu 0
set ip6-reachable-time 0
set ip6-retrans-time 3000
set ip6-default-life 1800
set ip6-hop-limit 0
set autoconf disable
set dhcp6-relay-service disable
end
next
How to configure the DHCP server.
config system dhcp6 server
edit 1
set dns-service specify
set enable enable
set interface "wan2"
config ip-range
edit 1
set end-ip xxxx:xxx:xxx:cccc::6000
set start-ip xxxx:xxx:xxx:cccc::1000
next
end
set lease-time 10800
set option1 0
set option2 0
set option3 0
set rapid-commit disable
set subnet xxxx:xxx:xxx:cccc::/64
set dns-server1 2001:4860:4860::8888
set dns-server2 2001:4860:4860::4444
set dns-server3 ::
next
end
With this configuration, the hosts will get and surf on the Internet with an IP between xxxx:xxx:xxx:cccc::1000 and xxxx:xxx:xxx:cccc::6000.
There are others DHCPv6 configuration may interest you. You can configure a prefix-list on the interface.
config system interface
edit "Internal"
config ipv6
set ip6-address xxxx:xxx:xxx:cccc::1/64
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
set ip6-retrans-time 3000
config ip6-prefix-list
edit xxxx:xxx:xxx:cccc::/64
set autonomous-flag enable
set onlink-flag enable
set preferred-life-time 600
set valid-life-time 600
next
end
end
With this configuration, the client host will have three IPv6 address, two of them auto generated with the prefix-list and another IP given by the DHCP server. The client host will surf on the internet with the first one and get the DNS options given by the DHCP.
You can see the IP leases with the next command:
execute dhcp6 lease-list
Interface DUID IAID IP Expiry
wan2 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 1 xx:xx:xx:cccc::1000 Fri May 31 15:49:27 2013
Then you need to create policy rules in order to allow permitted traffic.
Subscribe to:
Post Comments (Atom)
About Me
Popular Posts
-
Some months ago, I participated in something like a "Hacker Competition" to get a job in a CERT. One of the tests consisted of g...
-
When we are involved in an incident handling and we are in charge of analyzing a traffic capture in a pcap format related to an attack, one...
-
Introduction Wordpress is the CMS most used Worldwide. According to w3techs.com WordPress is used by 61.1% of all the websites whose con...
-
Introduction Some months ago, I reported to the Fortinet PSIRT team two vulnerabilities which affect different Fortigate firmware version...
-
Assuming that time enough has happened since the security update was released by phpMyAdmin, we want to share our researches. As you alre...
Behind The Firewalls. Powered by Blogger.
0 comments:
Post a Comment