ipv6 between fortigate and fritz box

EDIT: AVM is not parsing /var/flash/debug.cfg anymore :(

so it turns out the IPv6 ready devices AVM fritz box 7360 and FortiWifi 40c are not so IPv6 ready as they claim they are…

both can not handle prefix delegation so I have to hack static routes to make it work.
(I tried it all, it seems the fritz’s firewall blocks IPv6 when it was assigned via dhcp6 (“adminstratively prohibited” even when Prefix delegation is enabled and the firewall is set to “exposed host”)

so let’s do it the hard way:

first enable telnet on the fritz box: (use a telephone!)
– #96*7* Telnet on
– #96*8* Telnet off

then do ifconfig to get the interface ip config – you need the LAN one.
in my case:
inet6 addr: xxxx:xxxx:xxxx:1:2665:11ff:feb4:6343/64 Scope:Global

the Fritz Box will take your prefix (/48 in my case) and use the first and second range for lan and guest – so xxxx.xxxx.xxxx.1::/64 is LAN and xxxx.xxxx.xxxx.2::/64 is guest.

My Fortigate LAN subnet will be: xxxx:xxxx:xxxx:40::/62
out of which I want to break :42::/64 later for no reason ;)

lets get a dynamic address behind the WAN: use Fritz box settings like described here:
http://service.avm.de/support/de/SKB/FRITZ-Box-7360-int/1239:IPv6-Subnetz-im-FRITZ-Box-Heimnetz-einrichten

then config the wan port:

vuurmuur (wan1) # show
config system interface
edit “wan1”
set mode dhcp
set allowaccess ping https ssh auto-ipsec
set type physical
set snmp-index 1
config ipv6
set ip6-mode dhcp
set ip6-allowaccess ping https ssh
end
next
end

figure out the assigned address by using:
#get system interface physical

note it – you will need it later when configuring the FritzBox :)

set a static6 on the fortigate towards the Fritz Box
(find the Fritz Box’s ipv6 address from the GUI >

config router static6
edit 1
set gateway xxxx:xxxx:xxxx:1:2665:11ff:feb4:6343
set device “wan1”
set comment “fritz”
next
end

and add a policy to allow traffic out (and ICMPv6 back in)

config firewall policy6
edit 1
set srcintf “lan”
set dstintf “wan1”
set srcaddr “all”
set dstaddr “all”
set action accept
set schedule “always”
set service “ALL”
next
edit 2
set srcintf “wan1”
set dstintf “lan”
set srcaddr “all”
set dstaddr “all”
set action accept
set schedule “always”
set service “ALL_ICMP6”
next
end

now in the fritz box set up a static ipv6 route:
# route -A inet6 add xxxx:xxxx:xxxx:42::/64 gw xxxx:xxxx:xxxx:[interface IP of the firewall] dev lan

(to make this permanent add it to /var/flash/debug.cfg but test first :)

ping6 from fritz to Fortigate LAN port:

# ping6 xxxx:xxxx:xxxx:42::99
PING xxxx:xxxx:xxxx:42::99 (xxxx:xxxx:xxxx:42::99): 56 data bytes
64 bytes from xxxx:xxxx:xxxx:42::99: seq=0 ttl=255 time=3.551 ms
64 bytes from xxxx:xxxx:xxxx:42::99: seq=1 ttl=255 time=0.603 ms
64 bytes from xxxx:xxxx:xxxx:42::99: seq=2 ttl=255 time=0.593 ms
^C
— xxxx:xxxx:xxxx:42::99 ping statistics —
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.593/1.582/3.551 ms
#

so let’s make the route in the FritzBox permanent:

# echo “route -A inet6 add 2001:980:3289:42::/64 gw 2001:980:3289:[interface ip] dev lan” > /var/flash/debug.cfg
# cat /var/flash/debug.cfg
route -A inet6 add 2001:980:3289:42::/64 gw 2001:980:3289:[interface ip] dev lan
#

now let’s assign ip addresses on the inside via autoconfig/SLAAC and via dhcp6 just for fun and because we can… and because I want to control the DNS servers that are sent to my clients… which is the only thing the Fritz box actually successfully did send to all my clients :D

autoconfig will assign by MAC, dhcp6 will assign between 1000 and 6000 (to be consistent with the DHCPv4 server)

config system interface
edit “lan”
set ip xxx.xxx.xxx.xxx 255.255.255.0
set allowaccess ping https ssh snmp http
config ipv6
set ip6-allowaccess ping https ssh
set ip6-retrans-time 3000
set ip6-address xxxx:xxxx:xxxx:42::99/64
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
config ip6-prefix-list
edit xxxx:xxxx:xxxx:42::/64
set autonomous-flag enable
set onlink-flag enable
set valid-life-time 600
set preferred-life-time 600
next
end
end
next
end

config system dhcp6 server
edit 1
set lease-time 10800
set subnet xxxx:xxxx:xxxx:42::/64
set interface “lan”
config ip-range
edit 1
set start-ip xxxx:xxxx:xxxx:42::110
set end-ip xxxx:xxxx:xxxx:42::210
next
end
set dns-server1 2001:888:0:6::66
set dns-server2 2001:888:0:9::99
next
end

now.. bounce the interfaces (or reload the whole stuff) to force prefix delegation / get some dhcp leases

find them with:

execute dhcp6 lease-list

blog.rudel.nl

it's a blog. Also I like snowflakes.

ipv6 between fortigate and fritz box