IPv6 Neighbor Discovery Proxy

The following is an example configuration of a FortiGate using ND Proxy. Some of these configuration steps have been covered elsewhere, but are shown here to demonstrate how they all work together to achieve the desired effect.

Steps:

  • Create a zone for ND proxy use that includes the upstream and downstream interfaces.
  • Create policies to allow ICMPv6 and DHCPv6 traffic.
  • Enable ND Proxy on the interfaces.
  • Enable "autoconf" on the upstream interface.

  1. Add a zone including wan and lan.

It is possible to use firewall and multicast policies that don't use a zone, but using a zone simplifies the configuration, especially if you have more than two interfaces.

config system zone
    edit ndproxy_zone
        set interface wan lan
end

Note: On some models the "lan" interface is named "internal".

  2. Add a forward firewall policy and a multicast policy to allow at least ICMPv6 and DHCPv6 traffic.

config firewall multicast-policy6
    edit 0
        set srcintf ndproxy_zone
        set dstintf ndproxy_zone
        set srcaddr all
        set dstaddr all
end

and

config firewall policy6
    edit 0
        set srcintf ndproxy_zone
        set dstintf ndproxy_zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
end

  3. Enable ND proxy on WAN and LAN.

config system nd-proxy
    set status enable
    set member wan lan
end

  4. Enable autoconf on the upstream interface.

Router Advertisements (RAs) received on the other interfaces are dropped.

config system interface
    edit wan
        ...
        config ipv6
            set autoconf enable
        end
end
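
A check for the four steps above, as an added example that is not part of the original page or of Fortinet's tooling: it parses a constructed config excerpt in the page's CLI syntax and reports a missing nd-proxy or autoconf setting, and a policy6 left at service ALL. The function names and finding strings are assumptions of this example.

```python
import shlex
# Constructed sample: the page's config blocks joined into one text (trimmed).
SAMPLE = """
config firewall policy6
edit 0
set action accept
set service ALL
end
config system nd-proxy
set status enable
set member wan lan
end
config system interface
edit wan
config ipv6
set autoconf enable
end
end
"""

def parse(text):
    """Flatten config/edit/set/next/end into {path tuple: {key: [values]}}."""
    stack, out = [], {}  # each frame: [table name, open edit entry or None]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
        elif tok[0] == "end" and stack:
            stack.pop()  # as on the page, 'end' may close an edit with no 'next'
        elif tok[0] in ("edit", "next") and stack:
            stack[-1][1] = tok[1] if tok[0] == "edit" else None
        elif tok[0] == "set" and stack:
            path = tuple(p for frame in stack for p in frame if p is not None)
            out.setdefault(path, {})[tok[1]] = tok[2:]
    return out

def audit(text):
    """Return findings for the ND proxy steps; an empty list means none."""
    cfg, findings = parse(text), []
    nd = cfg.get(("system nd-proxy",), {})
    if nd.get("status") != ["enable"] or len(nd.get("member", [])) < 2:
        findings.append("nd-proxy is not enabled on two or more interfaces")
    auto = [m for m in nd.get("member", [])
            if cfg.get(("system interface", m, "ipv6"), {}).get("autoconf") == ["enable"]]
    if not auto:
        findings.append("no nd-proxy member has ipv6 autoconf enabled")
    for path, v in cfg.items():
        if path[0] == "firewall policy6" and "ALL" in v.get("service", []):
            findings.append(f"policy6 {path[-1]} uses service ALL, more than ICMPv6 and DHCPv6")
    return findings
```

Run against the sample, `audit(SAMPLE)` returns a single finding for policy6 0, since the zone spans both wan and lan and service ALL goes beyond the ICMPv6 and DHCPv6 minimum the steps name.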