If you get errors during a config restore,
then type
# diagnose debug config-error-log read
then type
# diagnose debug config-error-log read
Networking firewall solution
# Empty access profile: no permissions are set in it here, so the "HE" admin below is granted nothing by this block.
# NOTE(review): confirm the effective defaults with "show full-configuration" on your firmware.
config system accprofile
edit "no_access"
next
end
# Admin account whose only visible purpose is to carry the trusted-host entry.
# NOTE(review): 66.220.2.74 is presumably the Hurricane Electric address that probes the tunnel endpoint - confirm against the HE portal.
# NOTE(review): trusted hosts presumably limit ping/management replies only when every admin account has them set - check the other admin accounts.
config system admin
edit "HE"
# /32 mask: exactly one source address is trusted for this account.
set trusthost1 66.220.2.74 255.255.255.255
set accprofile "no_access"
set vdom "root"
# Placeholder - replace with a long random value; this is still a login credential even though the profile is empty.
set password "your_own_secret"
next
end
config system interface
# your external interface name may be different
edit "external"
# "..." stands for whatever this interface already allows; ping is the service this step needs.
# NOTE(review): this is the Internet-facing interface - check that the existing list does not carry https/ssh/telnet you did not intend to expose.
set allowaccess ping ...
next
end
# IPv6-in-IPv4 (SIT) tunnel named "HE", bound to the external interface.
config system sit-tunnel
edit "HE"
# NOTE(review): presumably the IPv4 address of the HE tunnel server assigned in the portal - confirm it matches your tunnel.
set destination 216.66.80.26
set interface "external"
# Replace the quoted text with the client-side tunnel address from the portal.
set ip6 "client IPv6 address/mask from HE portal (e.g. 2001:470:1234:567::2/64)"
next
end
# Static IPv6 route out of the tunnel interface.
# NOTE(review): no destination is set, so this is presumably the default route (::/0) - confirm.
config router static6
edit 1
set device "HE"
next
end
# exec ping6 2001:470:1234:567::1
PING 2001:470:1234:567::1(2001:470:1234:567::1) 56 data bytes
64 bytes from 2001:470:1234:567::1: icmp_seq=1 ttl=64 time=13.4 ms
64 bytes from 2001:470:1234:567::1: icmp_seq=2 ttl=64 time=13.2 ms
...
# exec ping6 ipv6.google.com
PING ipv6.google.com(2a00:1450:4009:802::1012) 56 data bytes
64 bytes from 2a00:1450:4009:802::1012: icmp_seq=1 ttl=59 time=14.3 ms
64 bytes from 2a00:1450:4009:802::1012: icmp_seq=2 ttl=59 time=14.0 ms
...
# Dynamic DNS registration for the address of the monitored interface.
config system ddns
edit 1
set ddns-server dyndns.org
set ddns-domain "myhost.dyndns.org"
# Placeholders - these are the DDNS provider account credentials.
# NOTE(review): they end up in the device configuration, so treat config backups as sensitive.
set ddns-username "my username"
set ddns-password "my password"
set monitor-interface "external"
next
end
FortiGuardDDNS FortiGuard DDNS service.
dhs.org members.dhs.org
dipdns.net dipdnsserver.dipdns.com
dyndns.org members.dyndns.org and dnsalias.com
dyns.net www.dyns.net
easydns.com members.easydns.com
genericDDNS Generic DDNS based on RFC2136.
now.net.cn ip.todayisp.com
ods.org ods.org
tzo.com rh.tzo.com
vavic.com Peanut Hull
config system interface
# your internal interface name may be different
edit "internal"
...
config ipv6
# Management services answered on this interface's IPv6 address.
# NOTE(review): the address below is globally routable, not private - enable only the services you use (snmp and ssh in particular) and confirm no policy6 rule lets them in from the tunnel.
set ip6-allowaccess ping https ssh snmp
# Replace the quoted text with the first address of the routed /64.
set ip6-address "first IPv6/mask in the routed/64 prefix from HE portal (e.g. 2001:470:890a:bcd::1/64)"
# Router advertisements on, with the managed and other-config flags set so clients are pointed at DHCPv6.
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
config ip6-prefix-list
# Replace the quoted text with the routed /64 prefix.
edit "routed/64 IPv6 prefix from HE portal e.g. 2001:470:890a:bcd::/64"
# autonomous-flag disable: hosts are told not to self-assign (SLAAC) from this prefix.
set autonomous-flag disable
set onlink-flag enable
next
end
end
next
end
# Address objects used by the IPv6 policies below.
config firewall address6
edit "all"
next
edit "net_2001:470:890a:bcd::/64"
set ip6 2001:470:890a:bcd::/64
next
end
# There is no NAT in front of the routed /64, so these two rules are the only filter between the tunnel and the internal hosts.
config firewall policy6
# Rule 1, inbound (tunnel -> internal): only ICMPv6 is accepted.
# NOTE(review): any other inbound service would need its own rule; presumably everything else falls to the implicit deny - confirm.
edit 1
set srcintf "HE"
set dstintf "internal"
set srcaddr "all"
set dstaddr "net_2001:470:890a:bcd::/64"
set action accept
set schedule "always"
set service "ALL_ICMP6"
next
# Rule 2, outbound (internal -> tunnel): every service from the routed /64 is accepted.
# NOTE(review): no logging or security profile is set on either rule here - add them if you need visibility into this traffic.
edit 2
set srcintf "internal"
set dstintf "HE"
set srcaddr "net_2001:470:890a:bcd::/64"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
# diag sniffer packet HE "icmp6" 4
interfaces=[HE]
filters=[icmp6]
pcap_lookupnet: HE: no IPv4 address assigned
4.211481 HE -- 2001:1640:3::3 -> 2001:470:890a:bcd::1: icmp6: echo request seq 1
4.211575 HE -- 2001:470:890a:bcd::1 -> 2001:1640:3::3: icmp6: echo reply seq 1
...
# DNS service entry for the "internal" interface; no mode is set, so the default applies.
# NOTE(review): confirm the default mode on your firmware.
config system dns-server
edit "internal"
next
end
# DHCPv6 server for the internal interface.
config system dhcp6 server
edit 1
set interface "internal"
config ip-range
edit 1
# Leases are handed out from ::1000 to ::ffff inside the routed /64.
set end-ip 2001:470:890a:bcd::ffff
set start-ip 2001:470:890a:bcd::1000
next
end
set lease-time 3600
set rapid-commit enable
# NOTE(review): the subnet here is a /112 while the interface prefix is a /64 - confirm this is intended.
set subnet 2001:470:890a:bcd::/112
# Clients are pointed at the firewall's own internal address for DNS.
set dns-server1 2001:470:890a:bcd::1
next
end
# IPv4 DHCP server entry 1: dns-service set to local.
# NOTE(review): presumably this makes IPv4 clients use the firewall's DNS service as well - confirm.
config system dhcp server
edit 1
set dns-service local
next
end
$ ifconfig
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: 2001:470:890a:bcd::1000/128 Scope:Global
inet6 addr: fe80::ba27:ebff:fee9:d775/64 Scope:Link
...
$ grep 2001 /etc/resolv.conf
nameserver 2001:470:890a:bcd::1
BeastGate # exec dhcp6 lease-list
Interface DUID IAID IP Expiry
internal:xx:xx:xx:xx:xx:xx 15 2001:470:890a:bcd::1000 Mon Jun 24 10:48:27 2013
$ ping6 -c 2 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:890a:bcd::1000 --> 2a00:1450:4009:809::1012
16 bytes from 2a00:1450:4009:809::1012, icmp_seq=0 hlim=58 time=22.427 ms
16 bytes from 2a00:1450:4009:809::1012, icmp_seq=1 hlim=58 time=31.112 ms
# Upstream resolvers the firewall itself queries (IPv4 and IPv6).
config system dns
set primary 8.8.8.8
set secondary 8.8.4.4
set ip6-primary 2001:470:20::2
set ip6-secondary 2001:4860:4860::8888
end
# NAT64 on. No nat64-prefix is set here; the synthesized answer shown later on the page uses 64:ff9b::.
config system nat64
set status enable
# NOTE(review): with this disabled, AAAA records are presumably synthesized only for names that have no native AAAA - confirm.
set always-synthesize-aaaa-record disable
end
# IPv4 pool used as the NAT64 source address.
# NOTE(review): no address range is shown in this entry - the pool needs its start/end addresses set; confirm before use.
config firewall ippool
edit "nat64-exit-pool"
next
end
# IPv6 -> IPv4 policy: any host in the routed /64 may reach any IPv4 destination on any service through the pool.
# NOTE(review): narrow dstaddr/service if clients only need specific IPv4 services.
config firewall policy64
edit 1
set srcintf "internal"
set dstintf "external"
set srcaddr "net_2001:470:890a:bcd::/64"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable
set poolname "nat64-exit-pool"
next
end
$ curl -I -4 www.fortinet.com
curl: (7) Failed to connect to 66.171.121.34: No route to host
$ dig aaaa www.fortinet.com @8.8.8.8
...
;; QUESTION SECTION:
;www.fortinet.com. IN AAAA
$ dig aaaa www.fortinet.com
...
;; QUESTION SECTION:
;www.fortinet.com. IN AAAA
;; ANSWER SECTION:
www.fortinet.com. 2339 IN AAAA 64:ff9b::42ab:7922
...
$ curl -I -6 www.fortinet.com
HTTP/1.1 200 OK
Date: Sun, 23 Jun 2013 17:24:26 GMT
Server: Apache/2.2.3 (Red Hat)
...
<interface> can be internal, external, dmz, wan1, port1, port2, and so on.