amalsky
Staff
Article Id 377392
Description

This article describes the steps required to configure FortiGate for DS-Lite service from an Internet Service Provider (ISP). DS-Lite allows IPv4-based applications to function over an IPv6 connection.

Scope

FortiGate v7.2.0 and later.
Solution

Dual-Stack Lite (DS-Lite) is a technology that enables applications using Internet Protocol v4 (IPv4) to function over Internet connections based on Internet Protocol v6 (IPv6). Internet service providers (ISPs) implement DS-Lite when they lack sufficient public IPv4 addresses for their customers. Using DS-Lite, ISPs can offer IPv6-based internet access while allowing IPv4 applications to operate.

This test scenario uses a well-known ISP that uses DS-Lite technology for residential users.

The internet connectivity information from the DS-Lite software concentrator, also known as the AFTR or Border Relay (BR) router, is listed below.

Cable: Connected, 1.13 Gbit/s ↓ 52.5 Mbit/s ↑
Internet, IPv4: VendorName uses a DS-Lite tunnel
AFTR-Gateway: 2a03:1234:abcd::4003
Internet, IPv6: Connected since 18.02.2025, 11:55 AM
IPv6 Address: 2a03:5678:90ab:c::e1/64, Validity: 84438/84438s
IPv6 Prefix: 2a03:5678:162:1460::/59, Validity: 84438/84438s
Used DNS Server:
2a03:5678:2::1 (currently used for standard queries)
2a03:5678:2::b:1

IPv6 addresses in this example have been randomized for privacy.

DS-Lite VNE tunnel mode is used between the FortiGate and the BR.

VNE stands for Virtual Network Enabler.

Configure the IPv6 interface:

config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh
        set type physical
        set snmp-index 1
        config ipv6
            set ip6-allowaccess ping https ssh http
            set dhcp6-information-request enable
            set autoconf enable
            set unique-autoconf-addr enable
        end
    next
end

Configure the VNE tunnel:

config system vne-tunnel
    set status enable
    set interface "wan1"
    set ipv4-address 192.168.1.99 255.255.255.255
    set br "2a03:1234:abcd::4003"
    set mode ds-lite
end

When configuring the VNE tunnel, ensure that 'set mode ds-lite' is specified as one of the primary settings.
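
The following Python script is an added example, not part of the original article or any Fortinet tooling. It audits the two configuration blocks above: it checks the vne-tunnel mode and BR address, then lists the administrative protocols enabled on the interface the tunnel uses, which on a DS-Lite line holds a globally reachable IPv6 address. The function names, the MGMT and CLEARTEXT sets and the trimmed sample text are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the article's two CLI blocks, trimmed to the lines the audit reads.
SAMPLE = '''
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping https ssh http
        end
    next
end
config system vne-tunnel
    set interface "wan1"
    set ipv4-address 192.168.1.99 255.255.255.255
    set br "2a03:1234:abcd::4003"
    set mode ds-lite
end
'''

MGMT = {"http", "telnet", "https", "ssh"}  # assumption: protocols treated as administrative
CLEARTEXT = {"http", "telnet"}             # administrative protocols without encryption

def settings(block):
    """Map every 'set <key> <values...>' line in a CLI block to its list of values."""
    return {m[1]: m[2].replace('"', "").split()
            for m in re.finditer(r"^\s*set (\S+) (.+)$", block, re.M)}

def audit(config):
    findings = []
    tunnel = settings(re.search(r"config system vne-tunnel\n(.*?)\nend", config, re.S)[1])
    if tunnel.get("mode") != ["ds-lite"]:
        findings.append("vne-tunnel: mode is not ds-lite")
    try:
        ipaddress.IPv6Address(tunnel.get("br", [""])[0])
    except ValueError:
        findings.append("vne-tunnel: br does not parse as an IPv6 address")
    wan = tunnel["interface"][0]  # the interface the tunnel is bound to
    iface = re.search(rf'edit "{re.escape(wan)}"\n(.*?)\n\s*next', config, re.S)[1]
    for key, values in settings(iface).items():
        if key in ("allowaccess", "ip6-allowaccess"):
            for proto in sorted(MGMT & set(values)):
                kind = "cleartext admin" if proto in CLEARTEXT else "admin"
                findings.append(f"{wan} {key}: {kind} protocol {proto} on tunnel uplink")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
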

To verify available modes, use the following command:

FortiWiFi-60E (vne-tunnel) # set mode
map-e       Map-e mode.
fixed-ip    Fixed-ip mode.
ds-lite     DS-Lite mode.

To display the full configuration:

FortiWiFi-60E (vne-tunnel) # show full
config system vne-tunnel
    set status enable
    set interface "wan1"
    set ssl-certificate "Fortinet_Factory"
    set auto-asic-offload enable
    set ipv4-address 192.168.1.99 255.255.255.255
    set br "2a03:1234:abcd::4003"
    set mode ds-lite
end

To quickly check that everything is working as expected, test the tunnel connection by pinging the Google public DNS IPv6 address:

FortiWiFi-60E # execute ping6 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=59 time=21.6 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=59 time=11.8 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=59 time=6.39 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=59 time=7.90 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=59 time=13.4 ms

--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss, time 4038ms
rtt min/avg/max/mdev = 6.395/12.254/21.689/5.365 ms

FortiWiFi-60E #

Verify that the FortiGate device can be accessed via SSH using the assigned IPv6 address.

XXXXXX@MBP-di-XXXXXXX ~ % ssh admin@2a02:908:abcd:1234:5678:9abc:def0:fedc
admin@2a02:908:abcd:1234:5678:9abc:def0:fedc's password:

FortiWiFi-60E