From 0adffaafdf12674fea621c81e054091e97ea2c28 Mon Sep 17 00:00:00 2001 From: Monviech <79600909+Monviech@users.noreply.github.com> Date: Tue, 6 Jan 2026 08:40:47 +0100 Subject: [PATCH] net/ndp-proxy-go: Enhance NDP Proxy documentation with CARP and DNS setup (#829) Added instructions for enabling CARP failover and redirecting DNS requests to Unbound server. Updated interface and alias descriptions for clarity. --- source/manual/ndp-proxy-go.rst | 118 ++++++++++++++++++++++++++++++--- 1 file changed, 107 insertions(+), 11 deletions(-) diff --git a/source/manual/ndp-proxy-go.rst b/source/manual/ndp-proxy-go.rst index d5c05cca..4e4defe5 100644 --- a/source/manual/ndp-proxy-go.rst +++ b/source/manual/ndp-proxy-go.rst @@ -42,6 +42,9 @@ Proxy Settings **Option** **Description** ========================================= ==================================================================================== **Enable** Enable or disable this service. + **Enable CARP failover** If any CARP VHID on this node is in MASTER state the service will be started, otherwise + stopped. As NDP is stateless, a short interruption of IPv6 connectivity must be expected + during CARP transitions. **Upstream interface** Choose the upstream interface which receives the external IPv6 prefix from the ISP. Usually, this is the WAN interface. Ethernet interfaces are fully supported, point-to-point (PPPoE) devices are experimental. 
@@ -181,11 +184,6 @@ Verify the setup by pinging an IPv6 location on the internet. Since in the default setup, the router advertisements of the ISP are used, please stop any other router advertisement daemons on the LAN interface. -.. Tip:: - - If you receive a DNS server from your ISP, but want the router to be the sole DNS server, use a Port Forward to force traffic destined to port 53 to - the local running Unbound server instead. Please note that ``::1`` is not a valid redirect target, use a dynamic IPv6 alias instead. - Firewall Rules -------------------------------------------------- @@ -225,14 +223,14 @@ Option Value Option Value ================================== ======================================================================================================= **Interface** ``any`` -**Name** ``ndp_proxy_global`` +**Firewall alias** ``ndp_proxy_global`` ================================== ======================================================================================================= ================================== ======================================================================================================= Option Value ================================== ======================================================================================================= **Interface** ``LAN`` -**Name** ``ndp_proxy_lan`` +**Firewall alias** ``ndp_proxy_lan`` ================================== ======================================================================================================= - Press **Apply** 
@@ -259,13 +257,111 @@ Now your IPv6 firewalling is tight. It is self-healing when client addresses cha .. Tip:: - If additional networks are proxied, just add more aliases (e.g., ``ndp_proxy_vlan1``) and create the same rule on that interface. + If additional networks are proxied, just add more aliases (e.g., ``ndp_proxy_vlan1``) and create the same rule on that interface. .. Tip:: - If you need client specific aliases, take a look at the ``Mac address`` alias type in :menuselection:`Firewall --> Aliases`, - which can dynamically track IPv4 and IPv6 addresses of a single client. + If you need client specific aliases, take a look at the ``MAC address`` alias type in :menuselection:`Firewall --> Aliases`, + which can dynamically track IPv4 and IPv6 addresses of a single client. + + +NAT Rules (Redirect DNS) +-------------------------------------------------- + +NAT rules are only required if you want to redirect DNS requests to the local running Unbound server. +Most ISPs will include DNS servers as RDNSS options in the RAs, which could circumvent the local DNS server. + +Since IPv6 requires a routable address as target, we will configure a loopback device. 
+ +Go to :menuselection:`Interfaces --> Devices --> Loopback` and create a new loopback device: + +================================== ======================================================================================================= +Option Value +================================== ======================================================================================================= +**Device ID** ``1`` (automatic, if number is different just change description accordingly) +**Description** ``lo1`` +================================== ======================================================================================================= + +- Press **Apply** + +Go to :menuselection:`Interfaces --> Assignments` and assign the new loopback device: + +================================== ======================================================================================================= +Option Value +================================== ======================================================================================================= +**Device** ``lo1`` +**Description** ``lo1_DNS`` +================================== ======================================================================================================= + +- Press **Add** + +Go to :menuselection:`Interfaces --> lo1_DNS` and assign IP addresses to the loopback device: + +================================== ======================================================================================================= +Option Value +================================== ======================================================================================================= +**Enable** ``X`` +**Description** ``lo1_DNS`` +**IPv6 Configuration Type** ``Static`` +**IPv6 address** ``fd01::1/128`` +================================== ======================================================================================================= + +- Press **Save** + +Go to :menuselection:`Firewall --> NAT --> Port Forward` 
and create a NAT rule that redirects IPv6 DNS. We will use the same firewall aliases +that have been created in the `Firewall Rules` step: + +============================================== ==================================================================================================== +**Interface** LAN +**TCP/IP Version** IPv6 +**Protocol** TCP/UDP +**Source** ``ndp_proxy_lan`` +**Source Port** any +**Invert Destination** ``X`` +**Destination** ``ndp_proxy_global`` +**Destination port** DNS +**Redirect target IP** ``fd01::1`` +**Redirect target port** DNS +**Filter rule association** Pass +**Description** Redirect LAN IPv6 DNS requests to Unbound +============================================== ==================================================================================================== + +- Press **Save** and **Apply** + +.. Attention:: + + Ensure that Unbound listens on port 53 and on all network interfaces, or the loopback device will not be included and IPv6 DNS will not work. + + +.. Tip:: + + If additional networks are proxied, just add more aliases (e.g., ``ndp_proxy_vlan1``) and create the same NAT rule on that interface. + Alternatively, `any` could be used as source and destination, though this will match any traffic so be careful. + + +High Availability +-------------------------------------------------- + +To use the proxy in HA, enable the advanced mode in :menuselection:`Services --> NDP Proxy --> Settings` and toggle `Enable CARP failover`. + +Ensure that you use `Proxy router advertisements` to proxy the RAs of the ISP. Deactivate any other RA daemon on the selected downstream interfaces. + +Since Neighbor Discovery relies on a single link-layer router identity, a brief interruption may occur during failover while both the +upstream ISP router and downstream clients relearn the router’s MAC address. 
+ +Do not configure any virtual IPv6 addresses on any of the upstream and downstream interfaces, the proxy will only use the real +interface link-local and MAC addresses. + +.. Tip:: + + If you use NAT to rewrite the DNS server, create the same loopback device as outlined in the `NAT Rules (Redirect DNS)` section on both Master + and Backup with the same IPv6 address. That way, you can use the same IPv6 address as target in the NAT rule without a virtual IP address. + + +.. Attention:: + + Do not forget to add NDP Proxy to `Services` in :menuselection:`System --> High Availability --> Settings` and synchronize. Logging @@ -273,7 +369,7 @@ Logging With the debug logging you can find out the details of the proxies behavior. -You can see logs of received and sent RA, NDP (NS, NA) and DPD messages. If something does not work as expected, +You can see logs of received and sent RA, NDP (NS, NA) and DAD messages. If something does not work as expected, reading the log file is the first step to troubleshoot. Go to :menuselection:`Services --> NDP Proxy --> Settings`
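Review bot: in the `Enable CARP failover` row of the Proxy Settings table (hunk @@ -42,6 +42,9 @@), the description should say that the option is only shown in advanced mode, since the new High Availability section tells the reader to "enable the advanced mode ... and toggle `Enable CARP failover`" and a reader working from the settings table will otherwise look for a field that is not visible. The start condition "If any CARP VHID on this node is in MASTER state" also deserves one more sentence: on a pair where VHIDs are split between the nodes (some MASTER here, some MASTER on the peer), both nodes satisfy it and both proxies run at the same time, so either state that all VHIDs are expected to fail over together or document the behaviour when they do not.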
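Review bot: the removed Tip (hunk @@ -181,11 +184,6 @@) carried the explicit caveat that ``::1`` is not a valid redirect target, and that caveat does not reappear in the new `NAT Rules (Redirect DNS)` section, which only says "IPv6 requires a routable address as target". Readers who followed the old text, or who try the obvious loopback address first, lose the warning; suggest keeping one sentence in the new section, e.g. "``::1`` cannot be used as redirect target, which is why a dedicated loopback device with its own address is created."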
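Review bot: the second Tip under `NAT Rules (Redirect DNS)` (hunk @@ -259,13 +257,111 @@), which suggests `any` as source and destination, does not say what to do with the `Invert Destination` checkbox set in the table above it: with the inversion kept, an inverted destination of `any` matches nothing, and with it unchecked the rule also redirects queries that clients deliberately send to other IPv6 resolvers, which is the concrete effect that "this will match any traffic so be careful" should spell out. Three smaller points in the same hunk: the port-forward table is the only table in the file without the `Option Value` header row (and uses a different column width), so for consistency add the header the other tables have; "the local running Unbound server" in the section intro should read "the locally running Unbound server"; and the Attention block could offer the narrower alternative of adding the `lo1_DNS` interface to Unbound's listen interfaces instead of requiring it to listen on all interfaces, since the sentence already explains that the loopback device must be included.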
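Review bot: DPD to DAD (hunk @@ -273,7 +369,7 @@) is the right correction, since Duplicate Address Detection is the NDP exchange the proxy logs alongside NS and NA, but the unchanged context line just above, "the details of the proxies behavior", has the same kind of slip and should read "the proxy's behavior"; worth fixing while this paragraph is being touched.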