IPv6 Neighbor Discovery Proxy
The following is an example configuration of a FortiGate using ND Proxy. Some of these configuration steps have been covered elsewhere, but are shown here to demonstrate how they all work together to achieve the desired effect.
Steps:
- Create zone for ND proxy use that includes the upstream and downstream interfaces.
- Create policies to allow ICMPv6 and DHCPv6 traffic.
- Enable ND Proxy on the interfaces.
- Enable “autoconf” on the upstream interface.
- Add a zone including wan and lan.
It is possible to use firewall and multicast policies that don’t use a zone, but using a zone simplifies the configuration, especially if you have more than two interfaces.

config system zone
    edit ndproxy_zone
        set interface wan lan
end
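- Add a forward firewall policy and a multicast policy to allow at least ICMPv6 and DHCPv6 traffic. The example policies below match all source and destination addresses, and the firewall policy accepts service ALL, which is broader than that minimum.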
config firewall multicast-policy6
    edit 0
        set srcintf ndproxy_zone
        set dstintf ndproxy_zone
        set srcaddr all
        set dstaddr all
end

and

config firewall policy6
    edit 0
        set srcintf ndproxy_zone
        set dstintf ndproxy_zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
end
- Enable ND proxy on WAN and LAN.
config system nd-proxy
    set status enable
    set member wan lan
end
- Enable autoconf on the upstream interface.
RA received on the other interface(s) will be dropped.
config system interface
    edit wan
        …
        config ipv6
            set autoconf enable
        end
end
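
The following script is an added example, not part of the original page or Fortinet's tooling. It checks a saved configuration against the steps above: ND proxy enabled on the member interfaces, a firewall policy and a multicast policy spanning those members, and autoconf on the upstream interface. The function names `parse` and `audit`, the policy ID 1, and the sample text are assumptions constructed for illustration.

```python
import shlex
# Constructed sample: this page's configuration, with ';' standing in for newlines.
SAMPLE = """config system zone; edit ndproxy_zone; set interface wan lan; end
config firewall multicast-policy6; edit 1; set srcintf ndproxy_zone; set dstintf ndproxy_zone; end
config firewall policy6; edit 1; set srcintf ndproxy_zone; set dstintf ndproxy_zone; set action accept; set service ALL; end
config system nd-proxy; set status enable; set member wan lan; end
config system interface; edit wan; config ipv6; set autoconf enable; end; end
""".replace("; ", "\n")

def parse(text):
    """Flatten FortiOS CLI text into {path tuple: {option: [values]}}."""
    tree, path = {}, []
    for tok in map(shlex.split, text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            path.append(("config", " ".join(tok[1:])))
        elif tok[0] == "edit":
            path.append(("edit", tok[1]))
        elif tok[0] == "set":
            tree.setdefault(tuple(n for _, n in path), {})[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and path:
            if path[-1][0] == "edit":
                path.pop()  # "next", or an "end" typed inside an edit
            if tok[0] == "end" and path:
                path.pop()  # close the enclosing config block
    return tree

def audit(text, upstream):
    """Return findings for the ND proxy prerequisites described above."""
    t, out = parse(text), []
    nd = t.get(("system nd-proxy",), {})
    members = set(nd.get("member", []))
    if nd.get("status") != ["enable"] or len(members) < 2:
        out.append("nd-proxy is not enabled on at least two interfaces")
    def covers(names):  # expand zone names, then compare with nd-proxy members
        ifs = [i for n in names for i in t.get(("system zone", n), {}).get("interface", [n])]
        return members <= set(ifs)
    for table in ("firewall policy6", "firewall multicast-policy6"):
        rules = [v for k, v in t.items() if k[:1] == (table,) and len(k) == 2]
        ok = [r for r in rules if covers(r.get("srcintf", [])) and covers(r.get("dstintf", []))]
        if not ok:
            out.append(f"no {table} entry spans all nd-proxy members")
        out += [f"{table} uses service ALL, broader than ICMPv6 and DHCPv6" for r in ok if r.get("service") == ["ALL"]]
    if t.get(("system interface", upstream, "ipv6"), {}).get("autoconf") != ["enable"]:
        out.append(f"autoconf is not enabled on upstream interface {upstream}")
    return out

print(audit(SAMPLE, "wan"))
```

The only finding on the sample is the service ALL note, since the example policy on this page is wider than the ICMPv6 and DHCPv6 minimum the steps call for.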