|
When remote VPN connectivity is established without split tunneling, all internet-bound traffic is expected to be routed through the VPN tunnel. In secure environments such as banking and finance, there may be a requirement to completely block internet access for a remote user while they are accessing resources on a network protected by the FortiGate.
Typically, the VPN client pushes a default IPv4 route (0.0.0.0/0) to ensure that all IPv4 traffic is tunneled. Then only the necessary traffic can be allowed using a policy and the rest can be dropped by the firewall with the default deny policy.
However, if IPv6 is not enabled on the firewall, a matching default IPv6 route (::/0) is not created.
As a result, IPv6 traffic is routed through the user's local network interface instead of the VPN tunnel. Applications that support IPv6, such as WhatsApp, may continue to function over the local internet connection, effectively bypassing the VPN and any associated security policies.
Technical Explanation:
-
Most modern operating systems maintain separate routing tables for IPv4 and IPv6.
-
In the absence of an IPv6 route through the VPN, FortiOS defaults to using the physical (local) network interface for IPv6 traffic.
-
Since the firewall does not see this traffic, it does not have any control over this traffic.
Recommended Solution:
To prevent IPv6 traffic from bypassing the VPN:
-
Go to Control Panel -> Network and Sharing Center -> Change adapter settings.
-
'Right-click' the active network connection > select Properties.
-
Uncheck Internet Protocol Version 6 (TCP/IPv6).
-
Save changes and reconnect the VPN.
This forces all traffic to use IPv4, which is then routed through the VPN as expected.
|
