IPv6 Neighbor Discovery Proxy

IPv6 Neighbor Discovery Proxy

The following is an example configuration of a FortiGate using ND Proxy. Some of these configuration steps have been covered elsewhere, but are shown here to demonstrate how they all work together to achieve the desired effect.


  • Create zone for ND proxy use that includes the upstream and downstream interfaces. l Create policies to allow ICMPv6 and DHCPv6 traffic. l Enable ND Proxy on the interfaces.
  • Enable “autoconf” on the upstream interface.
  1. Add a zone including wan and lan.

It is possible to use firewall and multicast policies that don’t use a zone, but using a zone simplifies the configuration, especially if you have more than two interfaces. config system zone edit ndproxy_zone set interface wan lan


  1. Add forward firewall policy and multicast policy to allow at least ICMPv6 and DHCPv6 traffic.

config firewall multicast-policy6 edit 0 set srcintf ndproxy_zone set dstintf ndproxy_zone set srcaddr all set dstaddr all

end and

config firewall policy6 edit 0 set srcintf ndproxy_zone set dstintf ndproxy_zone set srcaddr all set dstaddr all set action accept set schedule always set service ALL


  1. Enable ND proxy on WAN and LAN.

config system nd-proxy set status enable set member wan lan end

  1. Enable autoconf on the upstream interface.

RA received on the other interface(s) will be dropped.

config system interface edit wan …

config ipv6

set autoconf enable end end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos