Skip to main content
jkoelker
jkoelker
New Member
July 28, 2015
Question

Help allowing IPv6 traffic into IPv4 network over VIP

  • July 28, 2015
  • 2 replies
  • 4492 views

Our network consists of IPv4 addresses. We are a financial institution and our main website and banking site are setup with IPv4 Public addresses which then VIP to internal DMZ IPv4 addresses. Recently we have had our first member with an IPv6 public address and is not able to access our site. I went ahead and enabled IPv6 on the 300C device we have. I found out I needed to add IPv6 policies into our environment to allow the traffic. I attempted creating a policy from external to internal but am stumped as it won't let me use my IPv4 VIP as a destination on an IPv6 policy. I would create an IPv6 VIP but my website doesn't have an IPv6 public address. Would we have to purchase some IPv6 addresses from our ISP to then create IPv6 VIPs to our sites? I've contacted Fortinet and they indicate that is what I have to do and can't allow IPv6 traffic to talk to IPv4 traffic the way we have it setup. What are my options if any? I honestly can't believe we haven't run into this issue until now. Our firmware version is 5.0.7. I'm not opposed to upgrading if necessary but don't always like to when I'm on a stable version. I know this question may not contain everything but let me know if I can provide anymore information. Thanks in advance.

    2 replies

    jkoelker
    jkoelkerAuthor
    New Member
    July 28, 2015

    So I've been looking into this a little more. By doing a nat from IPv6 to IPv4 are they indicating I need to convert my IPv4 address to an equivalent IPv6 address and create a vip with that?

    emnoc
    emnoc
    New Member
    July 28, 2015

    You have a chicken and egg scenario, here's some choices;

     

    1: you purchase a ipv6 block  from the existing provider ( assuming they are ipv6 enabled and provision )

     

    2: maybe you ISP will provide ipv6 range ( i.e comcast for example)

     

    3: the client conducts  SNATv6-to-v4 ( they probably already does this with DNS64 if they are attaching to existing ipv4 address .....I'm surprise if they don't have that today  specially if they have a ipv4 access......I'm assuming not since this is an issue )

     

    4a: you acquire a ipv6 via tunnel broker ( i.e HE hurricane Electric is quick as 1-2-3 .....) here you could stack a ipv6 external vip over your tunnel to HE and have they access your services via public ipv6 and with you doing a DNAT64

     

    or

     

    4b: with HE you could run dual-stack and avoid the DNAT64 vip, &  if you hosts and inside networks is ipv6 ready

     

    5: have you  client look at ipv4 mapping to your pubic ipv4 ( once again see #3 from and how do they access ipv4 site today ? )

     

     

    Terms & ConditionsAccessibility statement