Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure IPv6 for CloudGen Firewalls in AWS

AWS supports IPv6 in selected regions for EC2 instances running in VPCs. IPv6 must be enabled for the VPC, the subnets, and the ENI attached to the firewall instance. The firewall can then retrieve its IPv6 address via SLAAC and DHCPv6 from AWS.

Before You Begin

  • Deploy a CloudGen Firewall in an AWS region with IPv6 VPC support, for example, us-east-2 (Ohio).

Step 1. Enable and Assign IPv6 to VPC

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Your VPCs.
  4. Right-click your VPC and select Edit CIDRs. The Edit CIDRs pop-over window opens.
  5. Click Add IPv6 CIDR.

A /56 IPv6 network is now associated with your VPC.

Step 2. Add IPv6 Network to VPC Subnets

Assign a /64 IPv6 network out of the /56 IPv6 VPC network to each subnet. Only one /64 can be assigned per subnet.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Subnets.
  4. Right-click the subnet and select Edit IPv6 CIDRs.
  5. Click Add IPv6 CIDR.
  6. Enter the last two digits of the /64 IPv6 network.
  7. Select the check mark.
  8. Click Close.
  9. Repeat for all subnets in the VPC.

All subnets in the VPC now have both IPv4 and IPv6 networks assigned to them.
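
The two digits entered in Step 2 select one of the 256 possible /64 networks inside the VPC's /56. The following sketch is an added example, not part of the original documentation; it derives each subnet's /64 from those digits and rejects malformed or reused values before anything is entered in the console. The VPC prefix (taken from the 2001:db8::/32 documentation range) and the subnet names are constructed.

```python
import ipaddress
import string


def subnet_for_suffix(vpc_cidr, suffix):
    """Return the /64 inside a /56 VPC block selected by two hex digits."""
    vpc = ipaddress.IPv6Network(vpc_cidr)  # strict parsing rejects stray host bits
    if vpc.prefixlen != 56:
        raise ValueError(f"expected a /56 VPC block, got /{vpc.prefixlen}")
    if len(suffix) != 2 or any(c not in string.hexdigits for c in suffix):
        raise ValueError(f"suffix must be two hex digits, got {suffix!r}")
    # The two digits fill prefix bits 56-63 (the low byte of the fourth
    # 16-bit group); the lower 64 bits stay zero for the interface ID.
    base = int(vpc.network_address) | (int(suffix, 16) << 64)
    return ipaddress.IPv6Network((base, 64))


def plan_subnets(vpc_cidr, suffix_by_subnet):
    """Map each subnet name to its /64, refusing to hand out a /64 twice."""
    plan, owner = {}, {}
    for subnet_id, suffix in suffix_by_subnet.items():
        net = subnet_for_suffix(vpc_cidr, suffix)
        if net in owner:
            raise ValueError(f"{net} already planned for {owner[net]}")
        owner[net] = subnet_id
        plan[subnet_id] = str(net)
    return plan


# Constructed sample values (assumptions, not from the original page).
VPC_CIDR = "2001:db8:1234:1a00::/56"
SUFFIXES = {"public-a": "00", "private-a": "10", "public-b": "2f"}

if __name__ == "__main__":
    for name, cidr in plan_subnets(VPC_CIDR, SUFFIXES).items():
        print(f"{name:10s} {cidr}")
```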

Step 3. Edit the Route Table to include a default IPv6 route

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Route Tables.
  4. Select the route table associated with the public subnets.
  5. In the lower half of the screen click on the Routes tab.
  6. Click Edit.
  7. Click Add another route.
  8. Enter the IPv6 default route:
    • Destination – Enter ::/0
    • Target – Enter the Internet gateway ID, e.g., igw-123456
  9. Click Save.

IPv6 traffic is now routed over the Internet Gateway of the VPC for the public subnets.

Step 4. Edit Security Groups to Allow IPv6 Traffic to the Firewall

Create rules in the security group associated with your firewall for IPv6 traffic.

  1. Log into the AWS console.
  2. Click Services and select VPC.
  3. In the left menu, click Security Groups.
  4. Click on the security group associated with your firewall instance.
  5. In the lower half of the screen, click the Inbound Rules tab.
  6. Click Edit.
  7. For each type of traffic, click Add another rule and enter the Source network. Use ::0/0 to allow this type and protocol from all IPv6 networks.
  8. Click Save.
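
Once the rules are saved, it is worth reviewing which of them are reachable from every IPv6 network. The following check is an added example, not part of the original documentation; it walks data in the shape returned by `aws ec2 describe-security-groups`, treats `::/0` and the equivalent `::0/0` alike, and marks world-open rules that cover a management port. The sample data is constructed, and the management ports (22 and 807) are assumptions to adjust for your deployment.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "Ipv6Ranges": [{"CidrIpv6": "::0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 807, "ToPort": 807,
     "Ipv6Ranges": [{"CidrIpv6": "2001:db8:aaaa::/48"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}]}


def is_any_ipv6(cidr):
    """True when the CIDR matches every IPv6 address, however it is spelled."""
    return ipaddress.IPv6Network(cidr, strict=False).prefixlen == 0


def covers_port(rule, ports):
    """True when a rule admits traffic to any of the given TCP/UDP ports."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    if rule["IpProtocol"] not in ("tcp", "udp"):
        return False
    low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(low <= port <= high for port in ports)


def audit(doc, mgmt_ports=(22,)):
    """List inbound rules open to all IPv6 sources; flag management exposure."""
    findings = []
    for group in doc["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            for rng in rule.get("Ipv6Ranges", []):
                if is_any_ipv6(rng["CidrIpv6"]):
                    findings.append({
                        "group": group["GroupId"],
                        "protocol": rule["IpProtocol"],
                        "ports": (rule.get("FromPort"), rule.get("ToPort")),
                        "management": covers_port(rule, mgmt_ports),
                    })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, mgmt_ports=(22, 807)):  # assumed mgmt ports
        print(finding)
```

Rules reported with `management` set to true are candidates for a narrower source network than all of IPv6.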

Step 5. Assign IPv6 Addresses to the Firewall Instance

  1. Log into the AWS console.
  2. Click Services and select EC2.
  3. In the left menu, click Instances.
  4. Right-click the firewall instance, click Networking, and then select Manage IP Addresses. The Manage IP Addresses pop-over window opens.
  5. In the IPv6 Addresses section, click Assign new IP for each IPv6 address you want to add.
  6. (optional) Enter an explicit IPv6 address from the IPv6 network assigned to the subnet the firewall instance is in.
  7. Click Yes, Update.

Step 6. Enable IPv6 on the Firewall 

Log into the firewall, enable IPv6, activate the network configuration, and then reboot the instance. 

For more information, see How to Enable IPv6.

Step 7. Configure the IPv6 on the DHCP Interface of the Firewall

Configure the firewall to retrieve the IPv6 address via SLAAC and DHCPv6 from AWS.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. Click Lock.
  3. In the left menu, click IP Configuration.
  4. In the IPv6 Stateless Configuration table click +.
  5. Enter a Name.
  6. Click Other to be able to manually enter an Interface Name.
  7. For the Interface Name enter dhcp.
  8. Click OK.
  9. In the left menu, click xDSL/DHCP/ISDN.
  10. In the DHCPv6 Links table, click +.
  11. Enter a Name.
  12. Click OK. The DHCPv6 Links window opens.
  13. In the Connection Details section, click Other to be able to manually enter a DHCP Interface.
  14. For the DHCP Interface, enter dhcp.
  15. From the Mode of Operation list, select Stateful.
  16. From the Use Provider DNS list, select yes.
  17. From the Use Provider Domain Name list, select yes.
  18. Click OK.
  19. Click Send Changes and Activate.

Step 8. Activate the Network Configuration

  1. Go to CONTROL > Box.
  2. In the left menu, expand the Network section and click Activate new network configuration.
  3. Select Failsafe.

The IPv6 addresses are now listed for the dhcp interface on the CONTROL > Network page.

The default gateway learned via IPv6 autoconfiguration is now listed in the route table on the CONTROL > Network page.
