Using NAT64 with FortiGate

As I have started to embark on this journey with creating a blog to share information, I have been encountering some interesting problems to solve. I was very excited to set up my colocated server running Proxmox at Dacentec and build out the infrastructure to get my blog up and running. After setting everything up, I could access the blog fine from my WiFi however when I switched to my cellular service (Verizon), I kept getting a default domain parking page. Upon further investigation (and some trial and error), I came to the conclusion that my phone was attempting to access my website via IPv6. I confirmed this by seeing the following settings within my registrar (1and1.com):

Now that I had identified the problem, it was time to come up with the solution. When I deployed my environment, I did not consider IPv6 as part of the design and therefore, did not have support for IPv6 on my virtual machines running on Proxmox. Lucky for me, my colocation provider (Dacentec) said that they could provide me an IPv6 network I could use in my deployment for free. Now that I had IPv6 connectivity, I had to figure out a way to use that to solve the current problem at hand:

How do I get IPv4 devices to communicate over IPv6?

I constantly refer to the FortiGate as being the “swiss army knife” of next-generation firewalls. I say that because this platform provides a set of components you can put together in order to solve different types of problems in challenging environments. In this case, I was able to use the NAT64 feature in FortiOS. Below is a how-to on the configuration I have set up on my FortiGate to solve this problem:

1. Enable “IPv6” and “NAT46 & NAT64” under the “Feature Visibility” section:

CLI
config system global
    set gui-ipv6 enable
end
config system settings
    set gui-nat46-64 enable
end

2. Configure the IPv6 address on the interface:

CLI
config system interface
    edit "port1"
        config ipv6
            set ip6-address 2607:5600:293::2/48
        end
    next
end

3. Configure the default static route for IPv6:

CLI
config router static6
    edit 1
        set gateway 2607:5600:293::1
        set device "port1"
    next
end

4. Create a NAT64 Virtual IP (the policy in step 5 also references a second VIP for HTTP, built the same way):

CLI
config firewall vip64
    edit "dnat_in_https_fortiweb_v6v4"
        set extip 2607:5600:293::2
        set mappedip 172.X.X.X
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

5. Create a “NAT64 Policy”:

CLI
config firewall policy64
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "dnat_in_http_fortiweb_v6v4" "dnat_in_https_fortiweb_v6v4"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic enable
        set comments "Allow inbound v6 to v4 for FortiWeb"
    next
end

6. Ensure that “NAT64 Forwarding” is enabled under “NAT64 Policy”:

CLI
config system nat64
    set status enable
end

Once you have completed these steps, your IPv4 web server should be accessible from IPv6 clients (assuming the rest of your networking is correct). One important caveat: security profiles cannot be assigned to this type of policy, so the NAT64 policy itself does no inspection. Fortunately for me, this traffic is sent to a FortiWeb for inspection before it is delivered to my blog.
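To sanity-check a configuration like the one above before committing it, here is an added Python example (not from the original post and not a Fortinet tool). It parses the config/edit/set/next/end text format shown in the steps and checks the things that commonly go wrong with this setup: a policy64 dstaddr that names a VIP that does not exist, a vip64 whose extip is not IPv6 or whose mappedip is not IPv4, a service list that does not cover a VIP's forwarded port, and NAT64 forwarding left disabled. The sample configuration embedded in the script is constructed for the example: 172.16.0.10 is a placeholder for the internal address, and the HTTPS VIP name is deliberately misspelled in the policy so the check has something to report.

```python
"""Consistency check for a FortiOS NAT64 configuration (vip64 + policy64).

Added example: a small parser for the CLI text format plus a checker that
verifies the VIP and policy objects agree with each other. It assumes, as in
the post, that every policy64 dstaddr names a vip64 object.
"""
import ipaddress
import shlex

# Constructed sample config. The second dstaddr is misspelled on purpose.
SAMPLE_CONFIG = """\
config firewall vip64
    edit "dnat_in_http_fortiweb_v6v4"
        set extip 2607:5600:293::2
        set mappedip 172.16.0.10
        set portforward enable
        set extport 80
        set mappedport 80
    next
    edit "dnat_in_https_fortiweb_v6v4"
        set extip 2607:5600:293::2
        set mappedip 172.16.0.10
        set portforward enable
        set extport 443
        set mappedport 443
    next
end
config firewall policy64
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "dnat_in_http_fortiweb_v6v4" "dnat_in_htps_fortiweb_v6v4"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic enable
    next
end
config system nat64
    set status enable
end
"""

SERVICE_PORTS = {"HTTP": 80, "HTTPS": 443}  # built-in FortiOS service objects


def parse_fortios(text):
    """Parse CLI text into {table_path: {entry_id: {key: [values]}}}.

    'set' lines at table level (no enclosing 'edit') are stored under None.
    """
    tables = {}
    stack = []  # (table_path, current_entry) for each open config block
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # shlex strips the quoting
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path = " ".join(args)
            stack.append((path, None))
            tables.setdefault(path, {})
        elif cmd == "edit":
            path, _ = stack.pop()
            stack.append((path, args[0]))
            tables[path].setdefault(args[0], {})
        elif cmd == "set":
            path, entry = stack[-1]
            tables[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            path, _ = stack.pop()
            stack.append((path, None))
        elif cmd == "end":
            stack.pop()
    return tables


def check_nat64(tables):
    """Return a list of problems found; an empty list means the config is consistent."""
    problems = []
    vips = tables.get("firewall vip64", {})
    for name, vip in vips.items():
        if name is None:
            continue
        try:
            ext = ipaddress.ip_address(vip["extip"][0])
            mapped = ipaddress.ip_address(vip["mappedip"][0])
        except (KeyError, ValueError) as exc:
            problems.append(f"vip64 {name}: bad or missing address ({exc})")
            continue
        if ext.version != 6 or mapped.version != 4:
            problems.append(f"vip64 {name}: extip must be IPv6 and mappedip IPv4")
    for pid, pol in tables.get("firewall policy64", {}).items():
        if pid is None:
            continue
        allowed_ports = {SERVICE_PORTS.get(s) for s in pol.get("service", [])}
        for ref in pol.get("dstaddr", []):
            if ref not in vips:
                problems.append(f"policy64 {pid}: dstaddr '{ref}' is not a vip64")
            elif vips[ref].get("portforward") == ["enable"]:
                extport = int(vips[ref]["extport"][0])
                if extport not in allowed_ports:
                    problems.append(f"policy64 {pid}: services do not cover port {extport} of '{ref}'")
    if tables.get("system nat64", {}).get(None, {}).get("status") != ["enable"]:
        problems.append("system nat64: status is not enabled, NAT64 forwarding is off")
    return problems


if __name__ == "__main__":
    for line in check_nat64(parse_fortios(SAMPLE_CONFIG)) or ["no problems found"]:
        print(line)
```

Run it against a `show firewall vip64`, `show firewall policy64` and `show system nat64` dump pasted together; the parser only understands the subset of the CLI grammar those tables use, which is all this check needs.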

Here’s confirmation of this traffic via my FortiWeb logs:

And lastly, the results from IPv6 Test:
