Using a FortiGate with a 6in4 Tunnel

For some reason, I am currently using a FortiGate on a location that has no native IPv6 support. Uh, I don’t want to talk about that. ;) However, at least the FortiGate firewalls are capable of 6in4 tunnels. Hence I am using the IPv6 Tunnel Broker from Hurricane Electric again. Quite easy so far.

But note, as always: Though FortiGate supports these IPv6 features such as a 6in4 tunnel or stateful/-less DHCPv6 server, those features are NOT stable or well designed at all. I had many bugs and outages during my last years. Having “NAT enabled” on every new IPv6 policy is ridiculous. Furthermore, having independent security policies for legacy IP and IPv6 is obviously a really bad design. One single policy responsible for both Internet protocols is a MUST. Anyway, let’s look at the 6in4 tunnel:

Note that this post is one of many related to IPv6. Click here for a structured list.

Configuring this IPv6-in-IPv4 tunnel is quite easy since HE itself offers the configuration:

Of course, you need an internal layer 3 interface as well. That is, a complete configuration (6in4 tunnel, default route, inside interface with RDNSS) looks like that:

Finally, you need some IPv6 policy entries to permit traffic. Again, note that you MUST NOT select the NAT, which is stupidly pre-selected by Fortinet:

Stumbling Blocks

I am using a FortiGate FG-90D with FortiOS 5.6.8 build1672 (GA).

Note that this “HE” interface, as it is named in the example configuration above, is NOT visible in the interface section in the GUI:

while it IS visible in the routing section:

Honestly: Who is approving such decisions at Fortinet? This is not sound at all, isn’t it?


You can have a look at the routing monitor to see the default route in place:

Some CLI commands are as follows. Getting information about the tunnel interface you can use this kind of hidden command: fnsysctl ifconfig such as:

IPv6 routing table:

And some basic network connectivity test, aka ping:

That’s it. Thanks for watching. ;) Don’t forget to hit the subscribe button.

Featured image “Make It Count” by Mr. Nixter is licensed under CC BY-NC 2.0.

4 thoughts on “Using a FortiGate with a 6in4 Tunnel

    1. Hey Dominik.

      Naja, wenn man es genau nimmt, dann ja doch. ;) Du hast halt das Zentral NAT aktiviert. Dennoch wird es bei einer IPv6 Policy eingeblendet, also der NAT Bereich. Schlimm genug. :)

  1. I have a question about factory resetting a Fortinet. After running a the factory reset command i booted to the back up firmware and it still had a host name, password and user setup. When i logged into the backup none of the ‘execute command was not available to execute the factory reset . How would you go about resetting it.

    1. Hi Sean.

      Uh, good question. To be honest, I don’t know. I have not yet tried to boot into the backup firmware after a reset. Sorry. Please ask your question to the official Fortinet support. (It’s probably not good at all that the backup firmware still has configurations on it after a “factory reset”. To my mind, this should not be the case.)


Leave a Reply

Your email address will not be published. Required fields are marked *