Barracuda CloudGen Firewall

How to Configure IPv6 for CloudGen Firewalls in AWS


AWS supports IPv6 in selected regions for EC2 instances running in VPCs. IPv6 must be enabled for the VPC, the subnets, and the ENI attached to the firewall instance. The firewall can then retrieve its IPv6 address via SLAAC and DHCPv6 from AWS.

Before You Begin

  • Deploy a CloudGen Firewall in an AWS region with IPv6 VPC support, e.g., us-east-2 (Ohio).

Step 1. Enable and Assign IPv6 to VPC

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Your VPCs.
  4. Right-click your VPC and select Edit CIDRs.
  5. The Edit CIDRs window opens. Click Add new IPv6 CIDR.
  6. Select the IPv6 CIDR block you wish to allocate.
  7. Click Select CIDR.
  8. Click Close.

A /56 IPv6 network is now associated with your VPC.


Step 2. Add IPv6 Network to VPC Subnets

Assign a /64 IPv6 network out of the /56 IPv6 VPC network to each subnet. Only one /64 can be assigned per subnet.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Subnets.
  4. Right-click the subnet and select Edit IPv6 CIDRs.
  5. Click Add IPv6 CIDR.
  6. Enter the last two digits of the /64 IPv6 network.
  7. Click Save.
  8. Repeat for all subnets in the VPC.

All subnets in the VPC now have both IPv4 and IPv6 networks assigned to them.
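
The two hex digits entered in Step 2 select one of the 256 /64 networks inside the VPC's /56. The following added example (not part of the original Barracuda documentation) computes the resulting /64 for each subnet and rejects a plan that assigns the same /64 twice. The prefix 2001:db8:1234:1a00::/56 and the subnet names are constructed sample values.

```python
import ipaddress
import string

def subnet_for(vpc_cidr, hex_pair):
    """Return the /64 selected by the two hex digits entered in the console."""
    vpc = ipaddress.IPv6Network(vpc_cidr)
    if vpc.prefixlen != 56:
        raise ValueError(f"{vpc_cidr} is not a /56 VPC block")
    if len(hex_pair) != 2 or any(c not in string.hexdigits for c in hex_pair):
        raise ValueError(f"{hex_pair!r} is not two hex digits")
    # A /56 leaves 8 subnet bits (bits 64-71 from the low end) for 256 /64s.
    index = int(hex_pair, 16)
    return ipaddress.IPv6Network((int(vpc.network_address) + (index << 64), 64))

def plan_subnets(vpc_cidr, assignments):
    """Map subnet name -> /64 string, rejecting a /64 used by two subnets."""
    plan, used = {}, {}
    for name, hex_pair in assignments.items():
        net = subnet_for(vpc_cidr, hex_pair)
        if net in used:
            raise ValueError(f"{net} already assigned to {used[net]}")
        used[net] = name
        plan[name] = str(net)
    return plan

# Constructed sample: documentation prefix and hypothetical subnet names.
SAMPLE_VPC = "2001:db8:1234:1a00::/56"
SAMPLE_ASSIGNMENTS = {"public-a": "00", "public-b": "01", "private-a": "0b"}

if __name__ == "__main__":
    for name, cidr in plan_subnets(SAMPLE_VPC, SAMPLE_ASSIGNMENTS).items():
        print(f"{name:10} {cidr}")
```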


Step 3. Edit the Route Table to include a default IPv6 route

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Route tables.
  4. Select the route table associated with the public subnets.
  5. In the lower half of the screen, click the Routes tab.
  6. Click Edit routes.
  7. Click Add route.
  8. Enter the IPv6 default route:
    • Destination – Enter ::/0
    • Target – Enter the internet gateway ID. E.g., igw-123456
  9. Click Save changes.

IPv6 traffic is now routed over the Internet Gateway of the VPC for the public subnets.

Step 4. Edit Security Groups to Allow IPv6 Traffic to the Firewall

Create rules in the security group associated with your firewall for IPv6 traffic.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Security groups.
  4. Click on the security group associated with your firewall instance.
  5. In the lower half of the screen, click the Inbound rules tab.
  6. Click Edit inbound rules.
  7. For each type of traffic, click Add rule and enter the Source network. Use ::0/0 to allow this type and protocol from all IPv6 networks.
  8. Click Save rules.
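
After saving the rules, it is worth confirming that the IPv6 side of the security group is not more open than the IPv4 side. The following added example (not part of the original Barracuda documentation) reads one security group in the JSON shape returned by aws ec2 describe-security-groups and lists every inbound rule open to all IPv6 networks, marking those where the matching IPv4 rule is restricted. The group contents are constructed sample data.

```python
import ipaddress

def world_open_ipv6(group):
    """List inbound rules whose IPv6 source covers all networks (::/0 or ::0/0)."""
    findings = []
    for perm in group.get("IpPermissions", []):
        v6_open = any(ipaddress.IPv6Network(r["CidrIpv6"]).prefixlen == 0
                      for r in perm.get("Ipv6Ranges", []))
        if not v6_open:
            continue
        v4_open = any(ipaddress.IPv4Network(r["CidrIp"]).prefixlen == 0
                      for r in perm.get("IpRanges", []))
        proto = perm.get("IpProtocol")
        # IpProtocol "-1" means all protocols and carries no port fields.
        ports = "all" if proto == "-1" else f'{perm.get("FromPort")}-{perm.get("ToPort")}'
        findings.append({
            "protocol": proto,
            "ports": ports,
            # True when IPv4 is limited to specific sources but IPv6 is not.
            "wider_than_ipv4": not v4_open,
        })
    return findings

# Constructed sample in the describe-security-groups output shape.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::0/0"}]},
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8:1234::/48"}]},
    ],
}

if __name__ == "__main__":
    for f in world_open_ipv6(SAMPLE_GROUP):
        note = "  <-- IPv4 is restricted, IPv6 is not" if f["wider_than_ipv4"] else ""
        print(f'{f["protocol"]} {f["ports"]} open to all IPv6{note}')
```

A rule marked wider_than_ipv4 usually means the IPv6 source was left at the all-networks value while the IPv4 rule was scoped to specific sources.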

Step 5. Assign IPv6 Addresses to the Firewall Instance

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the left menu, click Instances.
  4. Right-click the firewall instance, click Networking, and then select Manage IP Addresses.
  5. The Manage IP Addresses window opens. Expand the IPv6 Addresses section.
  6. Click Assign new IP for each IPv6 address you want to add.
  7. (optional) Enter an explicit IPv6 address from the IPv6 network assigned to the subnet the firewall instance is in.
  8. Click Save.

Step 6. Enable IPv6 on the Firewall 

Log into the firewall, enable IPv6, activate the network configuration, and then reboot the instance. 

For more information, see How to Enable IPv6.

Step 7. Configure IPv6 on the DHCP Interface of the Firewall

Configure the firewall to retrieve the IPv6 address via SLAAC and DHCPv6 from AWS.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. Click Lock.
  3. In the left menu, click IP Configuration.
  4. In the IPv6 Stateless Configuration table click +.
  5. Enter a Name and click OK.
  6. Select the Other checkbox to be able to manually enter an interface name.
  7. For the Interface enter dhcp.
  8. Click OK.
  9. In the left menu, click xDSL/DHCP/ISDN.
  10. In the DHCPv6 Links table, click +.
  11. Enter a Name.
  12. Click OK. The DHCPv6 Links window opens.
  13. In the Connection Details section, click Other to be able to manually enter a DHCP Interface.
  14. For the DHCP Interface, enter dhcp.
  15. From the Mode of Operation list, select Stateful.
  16. From the Use Provider DNS list, select yes.
  17. From the Use Provider Domain Name list, select yes.
  18. Click OK.
  19. Click Send Changes and Activate.

Step 8. Activate the Network Configuration

  1. Go to CONTROL > Box.
  2. In the left menu, expand the Network section and click Activate new network configuration.
  3. Select Failsafe.

The IPv6 addresses are now listed for the dhcp interface on the CONTROL > Network page.


The default gateway learned via IPv6 autoconfiguration is now listed in the route table on the CONTROL > Network page.
