IPv6 Neighbor Discovery Proxy
The following is an example configuration of a FortiGate using ND Proxy. Some of these configuration steps have been covered elsewhere, but are shown here to demonstrate how they all work together to achieve the desired effect.
Steps:
- Create a zone for ND proxy use that includes the upstream and downstream interfaces.
- Create policies to allow ICMPv6 and DHCPv6 traffic.
- Enable ND Proxy on the interfaces.
- Enable "autoconf" on the upstream interface.
- Add a zone including wan and lan.
It is possible to use firewall and multicast policies that don't use a zone, but using a zone simplifies the configuration, especially if you have more than two interfaces.
config system zone
    edit ndproxy_zone
        set interface wan lan
end
On some models the "lan" interface is named "internal".
- Add a forward firewall policy and a multicast policy to allow at least ICMPv6 and DHCPv6 traffic.
config firewall multicast-policy6
    edit 0
        set srcintf ndproxy_zone
        set dstintf ndproxy_zone
        set srcaddr all
        set dstaddr all
end
and
config firewall policy6
    edit 0
        set srcintf ndproxy_zone
        set dstintf ndproxy_zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
end
- Enable ND proxy on WAN and LAN.
config system nd-proxy
    set status enable
    set member wan lan
end
- Enable "autoconf" on the upstream interface.
Router advertisements (RAs) received on the other interface(s) will be dropped.
config system interface
    edit wan
        ...
        config ipv6
            set autoconf enable
        end
end
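The following Python check is an added example, not part of the original page and not a Fortinet tool. It reads a saved configuration and verifies that the steps above fit together: ND proxy is enabled, exactly one member interface has autoconf enabled, and any same-zone policy6 that accepts service ALL (wider than the ICMPv6 and DHCPv6 the steps call for) is reported for review. The sample configuration and the function names `parse` and `audit` are constructed for this example.

```python
import shlex
# Constructed sample in the page's snippet layout (not from a real device).
SAMPLE = """
config system nd-proxy
set status enable
set member wan lan
end
config system interface
edit wan
config ipv6
set autoconf enable
end
end
config firewall policy6
edit 1
set srcintf ndproxy_zone
set dstintf ndproxy_zone
set service ALL
end
"""

def parse(text):
    """Map each config/edit path to its {setting: [values]}."""
    path, out = [], {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            path.append((tok[0], " ".join(tok[1:])))
        elif tok[0] in ("next", "end"):
            if path and path[-1][0] == "edit":
                path.pop()  # "next", or "end" typed straight after an edit
            if tok[0] == "end" and path:
                path.pop()  # leave the enclosing config block
        elif tok[0] == "set" and tok[1:]:
            out.setdefault(tuple(n for _, n in path), {})[tok[1]] = tok[2:]
    return out

def audit(text):  # returns a list of findings; empty means nothing to review
    cfg, issues = parse(text), []
    nd = cfg.get(("system nd-proxy",), {})
    if nd.get("status") != ["enable"]:
        issues.append("nd-proxy is not enabled")
    up = [m for m in nd.get("member", []) if cfg.get(
        ("system interface", m, "ipv6"), {}).get("autoconf") == ["enable"]]
    if len(up) != 1:  # only the upstream member should autoconfigure from RAs
        issues.append(f"expected one autoconf member, found {up}")
    for p, v in cfg.items():  # same-zone policy open to every service
        if (len(p) == 2 and p[0] == "firewall policy6" and v.get("service")
                == ["ALL"] and v.get("srcintf") == v.get("dstintf")):
            issues.append(f"policy6 {p[1]} accepts service ALL")
    return issues
```

The parser accepts both the page's layout, where `end` follows an `edit` directly, and the backup-file layout that closes each entry with `next`.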