Routing

The configuration of IPv6 routing is separated into three segments:

  • IPv6 static routes: allows defining static routes for IPv6 packets. Static routing represents a set of rules defined by the administrator as well as a default route.
  • IPv6 Bird dynamic routing: allows configuring dynamic routing protocols (RIP, OSPF, BGP) in an IPv6 Bird engine, in order to allow the firewall to learn routes managed by other appliances.
  • IPv6 return routes: when several gateways are used for load balancing, allows defining the gateway through which return packets need to go.

WARNING: IPv4 dynamic routing

The BIRD6 dynamic routing engine is dedicated to IPv6 dynamic routing. This configuration has to be performed in console mode in the files:

  • /usr/Firewall/ConfigFiles/Bird/global ([bird6] section)
  • /usr/Firewall/ConfigFiles/Bird/bird6.conf

For more information on the configuration of dynamic routing, please refer to the Technical Note BIRD Dynamic Routing, available on Stormshield's Technical Documentation website.

Static and dynamic routing run simultaneously; however, static routing has priority for transmitting packets over the network.

“IPv6 static routes” tab

Default gateway (router)

The default router is generally the equipment that allows your network to access the Internet. This is the address to which the firewall sends packets that need to go on the public network. If you do not configure a default router, the firewall will not know where to direct packets whose destination address lies outside the networks directly linked to it. Hosts will therefore not be able to access any network other than their own.

Click on the button to access the object database and select a host. The “Default gateway” field will be grayed out if a list of gateways has been defined in the advanced configuration zone.

Button bar

Search

Search that covers host, network and group objects.

Add

Adds an “empty” static route. The route is added (the command is sent) only once the new line has been edited and the fields Destination network (host, network or group object) and Interface have been entered.

Delete

Deletes one or more selected routes. Use the keys Ctrl/Shift + Delete to delete several routes.

Apply

Sends the configuration of the static routes.

Cancel

Cancels the configuration of the static routes.

Interactive features

Some operations listed in the taskbar can be performed by right-clicking on the table of IPv6 static routes:

  • Add,
  • Remove.

Presentation of the table

The table sets out six fields of information:

Status

Status of the static routes:

Enabled: Double-click to enable the route created.

Disabled: The route is not functional. The line will be grayed out in order to reflect this.

Destination network (host, network or group object) (Mandatory)

Clicking on this column will open the object database to allow selecting a host, network or group.

Address range

IP address or group of addresses linked to the selected items in the column “Destination network (host, network or group object)”. This field is entered automatically.

Interface (Mandatory)

A drop-down list allows selecting the outgoing interface for contacting the destination network. This object may be an Ethernet interface, a VLAN or a modem (dialup).

Protected

This column indicates whether the route is protected.

Protected routes are added to the object Network_internals. The behavior of the security configuration will take this parameter into account. Hosts that can be contacted via this route will be remembered in the intrusion prevention engine.

Gateway (Optional)

Clicking on this column will open the objects database in order to select a host (router).

Color (Optional)

A window will appear, allowing the selection of an interface color (used in Stormshield Network REAL-TIME MONITOR).

Comments (Optional)

Any text.

“IPv6 dynamic routing” tab

This tab makes it possible to enable and configure the IPv6 Bird dynamic routing engine (Bird6).

Enable dynamic routing (Bird)

This option activates the Bird6 dynamic routing engine.

The window located under the Bird6 activation option makes it possible to directly enter the configuration of the Bird6 dynamic routing engine.

For further information on how to configure dynamic routing or on migrating from ZebOS to BIRD, please refer to the BIRD Dynamic routing technical note, available on Stormshield's Technical Documentation website.

Advanced properties

Add IPv6 networks distributed via dynamic routing to the table of protected networks

This option automatically injects networks propagated by the dynamic routing engine (IPv4 / IPv6) into the table listing the intrusion prevention system's protected networks.

Sending the configuration

Changes made in this window can be confirmed using the "Apply" button.

WARNING

Syntax checks will not be conducted when the configuration is sent to the dynamic routing engine.
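
Because no syntax check is performed on apply, and because learned networks can be added to the table of protected networks, it helps to check the Bird6 text before sending it. The following is an added example, not Stormshield or BIRD project code: it assumes BIRD 1.x configuration syntax, and the sample configuration, protocol names, interfaces and prefixes are constructed for illustration.

```python
import re

# Constructed sample in BIRD 1.x syntax; names, interfaces and prefixes are illustrative.
SAMPLE = '''
router id 192.0.2.1;
filter lab_only { if net ~ [ 2001:db8::/32+ ] then accept; reject; }
protocol kernel { export all; }
protocol ospf core {
    import filter lab_only;
    area 0 { interface "eth1"; };
}
protocol rip legacy {
    import all;   # accepts every prefix a neighbour announces
    interface "eth2";
}
'''

LOCAL = ('kernel', 'device', 'direct', 'static')  # not learned from neighbours

def strip_noise(text):
    """Blank out quoted strings, then drop # comments (/* */ comments are not handled)."""
    return re.sub(r'#[^\n]*', '', re.sub(r'"[^"\n]*"', '""', text))

def check_braces(text):
    """Return None if braces balance, else the line number of the first offending brace."""
    stack = []
    for lineno, line in enumerate(strip_noise(text).splitlines(), 1):
        for ch in line:
            if ch == '{':
                stack.append(lineno)
            elif ch == '}':
                if not stack:
                    return lineno
                stack.pop()
    return stack[0] if stack else None

def unfiltered_imports(text):
    """Protocols importing every route: 'import all' or no import line (BIRD 1.x default)."""
    clean, found = strip_noise(text), []
    for m in re.finditer(r'\bprotocol\s+(\w+)(?:\s+(\w+))?[^{;]*\{', clean):
        depth, i = 1, m.end()
        while i < len(clean) and depth:
            depth += {'{': 1, '}': -1}.get(clean[i], 0)
            i += 1
        body = clean[m.end():i]
        if m.group(1) not in LOCAL and (
                re.search(r'\bimport\s+all\b', body) or not re.search(r'\bimport\b', body)):
            found.append(m.group(2) or m.group(1))
    return found
```

Protocols reported by `unfiltered_imports` are the ones whose learned prefixes would reach the protected-networks table without restriction when the advanced option above is enabled.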

“IPv6 return routes” tab

When several gateways are used for load balancing, this tab allows defining the gateway through which return packets need to go in order to guarantee the consistency of connections.

REMARK

If the gateway selected from the drop-down list is a host object, this object must specify a MAC address.

Button bar

Add

Adds an “empty” return route. An added route (sending of a command) is effective only if its fields Gateway and Interface have been entered.

Delete

Deletes the selected route.

Apply

Sends the configuration of the return routes.

Cancel

Cancels the configuration of the return routes.

Interactive features

Some operations listed in the taskbar can be performed by right-clicking on the table of IPv6 return routes:

  • Add,
  • Remove.

Presentation of the table

The table sets out four fields of information:

Status

Status of the return routes:

Enabled: Double-click to enable the route created.

Disabled: The route is not functional. The line will be grayed out in order to reflect this.

Interface (Mandatory)

Drop-down list that allows selecting a Loopback, Ethernet, VLAN, Dialup, GRE or GRETAP interface.

Gateway (Optional)

Clicking on this column will open the objects database in order to select a host or a virtual interface (IPSec). If the object is a host object, it must specify a MAC address.

Comments (Optional)

Any text.