Remove ndproxy from documentation as it will not be maintained anymore.

2026-05-28 04:02:12 -04:00 · 2026-05-20 14:00:28 +02:00 · 2026-05-20 14:00:28 +02:00 · 78c254add3
commit 78c254add3
parent 04849f4d0e
3 changed files with 2 additions and 140 deletions
--- a/source/manual/ipv6.rst
+++ b/source/manual/ipv6.rst
@ -146,9 +146,8 @@ received. This part of the configuration is specified on the lan interface as "t
 .. Note::

    When your provider or cloud hosting does not offer a PD, routing is not reliably possible. In some cases
-    network address translation may be an option (example in  :doc:`ndproxy <ndproxy>`).
-    There is an experimental `rfc <https://datatracker.ietf.org/doc/html/rfc4389>`__
-    to proxy neighbor discovery packets, but no implementation exists yet.
+    proxying neighbor discovery packets may be an option as explained in `RFC4389 <https://datatracker.ietf.org/doc/html/rfc4389>`__.
+    An implementation is available via :doc:`ndp-proxy-go <ndp-proxy-go>`.

 .. Note::
    There is some overlap in what DHCPv6 offers and router advertisements bring to the table, but in most auto-configured
--- a/source/manual/ndproxy.rst
+++ b/source/manual/ndproxy.rst
@ -1,136 +0,0 @@
-==================================================
-ndproxy (Neighbour Discovery Proxy)
-==================================================
-
-.. contents::
-   :local:
-   :depth: 2
-
-This manual provides a quick overview of ndproxy and how to configure it for general use.
-
-.. Attention::
-
-   The ndproxy setup is pretty fragile. Only use it as a last resort if there are no better alternatives.
-   Due to limitations, ndproxy can only work with static prefixes. If your prefix changes often,
-   it is not a permanent working solution. And even if it works, it can just randomly decide to stop working
-   due to various reasons out of your control.
-
-
-Introduction to ndproxy
-==================================================
-
-Ndproxy is a kernel module that acts as a proxy for IPv6 Neighbor Discovery (ND) messages between a Provider Edge (PE) router
-and Customer Premises Equipment (CPE).
-
-When ndproxy runs on the same device as the CPE (e.g., OPNsense), it allows the device
-to act as both the home network’s router and the proxy for handling ND messages. This setup is particularly useful in cases
-where an ISP only provides limited IPv6 delegation (e.g., a single /64 prefix). By using ndproxy, such limitations can be
-bypassed to allow the LAN to use the ISP provided prefix.
-
-For more technical details: `ndproxy(4) <https://man.freebsd.org/cgi/man.cgi?query=ndproxy>`_
-
-
-Installation
--------------------------------------------------
-
-Install ``os-ndproxy`` from :menuselection:`System --> Firmware --> Plugins`.
-
-
-Important configuration details
--------------------------------------------------
-
- **IPv6 Global Unicast Address**:
-    The WAN and LAN interface must not configure a GUA in the same /64 prefix. A GUA on WAN is required,
-    ensure it is /128.
-
- **Promiscuous Mode**:
-    The listening interface (WAN) must be set to promiscuous mode.
-    If it is a VLAN, it must be set on the parent interface.
-    The router must join multicast groups to respond to solicitations for hosts in the LAN.
-
-.. Attention::
-
-   You can proxy from WAN to one internal interface (e.g., LAN), not to multiple interfaces.
-
-
-Offering services behind NAT (cloud setup)
-==================================================
-
-Introduction
--------------------------------------------------
-
-Quite some cloud providers only offer a single :code:`/64` block via SLAAC which you can't easily push
-down to your LAN interface when offering services with a firewall in between.
-
-In these types of setups, it's usually practical to offer a private range to the machines (servers) behind
-the firewall and forward the traffic mapping external addresses on the firewall via NAT.
-
-One of the challenges of these setups is the need to configure (virtual) addresses on the firewall in order
-to send it to the machine on the LAN interface, without a local address on the firewall, it wouldn't answer to neighbor discoveries
-as these addresses are not local.
-
-This is where :code:`ndproxy` can play a role and answer to neighbor discoveries for addresses only used in network addresses
-translation rules.
-
-Setup
--------------------------------------------------
-
-First we configure the wan interface via :menuselection:`Interfaces --> WAN`
-
-==============================================  ====================================================================
-**IPv6 Configuration Type**                     ``SLAAC``
-**Promiscuous mode**                            ``X``
-==============================================  ====================================================================
-
-
-Next we allocate an address from a private range in :menuselection:`Interfaces --> LAN`
-
-==============================================  ====================================================================
-**IPv6 Configuration Type**                     ``Static IPv6``
-**IPv6 address**                                ``fd12:3456:789a:ffff::/64``
-==============================================  ====================================================================
-
-.. Note::
-
-   The unique local address (ULA) prefix to use for machines in your network within the :code:`fc00::/7` range.
-
-And configure router advertisements on LAN, :menuselection:`Services --> Router Advertisements --> [LAN]`, using the
-settings below:
-
-==============================================  ====================================================================
-**Router Advertisements**                       ``Stateless``
-==============================================  ====================================================================
-
-
-In :menuselection:`Services --> Ndproxy` we will enable the ndproxy service, for this we need the MAC address of our WAN interface
-and the default gateway received via WAN (Search for :code:`default` in :menuselection:`System --> Routes --> Status`), which is usually
-quite static information.
-
-
-==============================================  ====================================================================
-**Enable**                                      ``X``
-**Uplink Interface**                            ``WAN``
-**Downlink MAC Address**                        ``1a:11:22:33:44:55``         (WAN MAC)
-**Uplink IPv6 Addresses**                       ``fe80::fc00:ff:1111:2222``   (default route)
-==============================================  ====================================================================
-
-Finally we will map the internal addresses to the external ones using :menuselection:`Firewall --> NAT --> NPTv6`,
-add a new rule using the following settings:
-
-
-==============================================  ====================================================================
-**Interface**                                   ``WAN``
-**Internal IPv6 Prefix (source)**               ``fd12:3456:789a:ffff::/64``
-==============================================  ====================================================================
-
-
-Test
--------------------------------------------------
-
-When all goes well, a client on LAN should receive an address via SLAAC in the ``fd12:3456:789a:ffff::/64`` range
-and you should be able to ping an address on the internet.
-
-Debugging
--------------------------------------------------
-
-In case of malfunction, make sure to capture `icmp6` packets on both interfaces to inspect neighbor discovery packets.
--- a/source/plugins.rst
+++ b/source/plugins.rst
@ -24,7 +24,6 @@ Routing
   manual/dynamic_routing
   manual/how-tos/tayga
   manual/ndp-proxy-go
-   manual/ndproxy

 --------------------
 DNS