Handbook

6.0.0

Neighbor discovery proxy

The following is an example configuration of a FortiGate using ND Proxy. Some of these configuration steps have been covered elsewhere, but are shown here to demonstrate how they all work together to achieve the desired effect.

Steps:

  • Create a zone for ND proxy use that includes the upstream and downstream interfaces.
  • Create policies to allow ICMPv6 and DHCPv6 traffic.
  • Enable ND Proxy on the interfaces.
  • Enable "autoconf" on the upstream interface.
  1. Add a zone including wan and lan.

    It is possible to use firewall and multicast policies that don't use a zone, but using a zone simplifies the configuration, especially if you have more than two interfaces.

    config system zone
        edit ndproxy_zone
            set interface wan lan
    end

    Note: On some models the "lan" interface is named "internal".
  2. Add a forward firewall policy and a multicast policy to allow at least ICMPv6 and DHCPv6 traffic.

    config firewall multicast-policy6
        edit 0
            set srcintf ndproxy_zone
            set dstintf ndproxy_zone
            set srcaddr all
            set dstaddr all
    end

    config firewall policy6
        edit 0
            set srcintf ndproxy_zone
            set dstintf ndproxy_zone
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
    end

  3. Enable ND proxy on WAN and LAN.

    config system nd-proxy
        set status enable
        set member wan lan
    end

  4. Enable autoconf on the upstream interface.

    Router advertisements (RAs) received on the other interface(s) will be dropped.

    config system interface
        edit wan
            ...
            config ipv6
                set autoconf enable
            end
    end
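
Step 2 says the policies need to allow at least ICMPv6 and DHCPv6 traffic, while the sample policy6 uses "set service ALL". The following Python check is an added example, not Fortinet code: it reads a FortiOS-style configuration and lists the policy6 entries that accept service ALL between interfaces that are nd-proxy members, so they can be reviewed. The sample text is constructed from this page's settings; the policy ids and the service object names ALL_ICMP6 and DHCP6 in the second policy are assumptions.

```python
SAMPLE = """\
config system zone
    edit "ndproxy_zone"
        set interface "wan" "lan"
end
config system nd-proxy
    set member "wan" "lan"
end
config firewall policy6
    edit 1
        set srcintf "ndproxy_zone"
        set dstintf "ndproxy_zone"
        set action accept
        set service "ALL"
    edit 2
        set srcintf "ndproxy_zone"
        set dstintf "ndproxy_zone"
        set action accept
        set service "ALL_ICMP6" "DHCP6"
end
"""  # constructed input: the page's settings; ids 1/2 and policy 2's service names are assumed

def parse(text):  # yields (section, entry, key, values) for each top-level "set" line
    stack, entry = [], None
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
            entry = entry if stack else None  # leaving a top-level block ends its entry
        elif len(stack) == 1 and tok[0] == "edit" and len(tok) > 1:
            entry = tok[1].strip('"')
        elif len(stack) == 1 and tok[0] == "set" and len(tok) > 2:
            yield stack[0], entry, tok[1], [t.strip('"') for t in tok[2:]]

def broad_ndproxy_policies(text):
    """Return ids of policy6 entries that accept service ALL between nd-proxy members."""
    zones, members, pol = {}, set(), {}
    for section, entry, key, vals in parse(text):
        if section == "system zone" and key == "interface":
            zones[entry] = set(vals)
        elif section == "system nd-proxy" and key == "member":
            members = set(vals)
        elif section == "firewall policy6":
            pol.setdefault(entry, {})[key] = vals
    def hits(p, key):  # expand zone names to their interfaces, then intersect with members
        return bool(set().union(*(zones.get(n, {n}) for n in p.get(key, []))) & members)
    return [pid for pid, p in pol.items() if p.get("action") == ["accept"]
            and "ALL" in p.get("service", []) and hits(p, "srcintf") and hits(p, "dstintf")]
```

For the constructed sample the function returns only policy 1, the entry that mirrors the policy6 shown in step 2.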
