IPv6 Neighbor Discovery Proxy

IPv6 Neighbor Discovery Proxy

The following is an example configuration of a FortiGate using ND Proxy. Some of these configuration steps have been covered elsewhere, but are shown here to demonstrate how they all work together to achieve the desired effect.

Steps:

  • Create zone for ND proxy use that includes the upstream and downstream interfaces. l Create policies to allow ICMPv6 and DHCPv6 traffic. l Enable ND Proxy on the interfaces.
  • Enable “autoconf” on the upstream interface.
  1. Add a zone including wan and lan.

It is possible to use firewall and multicast policies that don’t use a zone, but using a zone simplifies the configuration, especially if you have more than two interfaces. config system zone edit ndproxy_zone set interface wan lan

end

  1. Add forward firewall policy and multicast policy to allow at least ICMPv6 and DHCPv6 traffic.

config firewall multicast-policy6 edit 0 set srcintf ndproxy_zone set dstintf ndproxy_zone set srcaddr all set dstaddr all

end and

config firewall policy6 edit 0 set srcintf ndproxy_zone set dstintf ndproxy_zone set srcaddr all set dstaddr all set action accept set schedule always set service ALL

end

  1. Enable ND proxy on WAN and LAN.

config system nd-proxy set status enable set member wan lan end

  1. Enable autoconf on the upstream interface.

RA received on the other interface(s) will be dropped.

config system interface edit wan …

config ipv6

set autoconf enable end end

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.