From 78c254add373a3bf2d9535d23ac579677dbff0c6 Mon Sep 17 00:00:00 2001 From: Monviech Date: Wed, 20 May 2026 14:00:28 +0200 Subject: [PATCH] Remove ndproxy from documentation as it will not be maintained anymore. --- source/manual/ipv6.rst | 5 +- source/manual/ndproxy.rst | 136 -------------------------------------- source/plugins.rst | 1 - 3 files changed, 2 insertions(+), 140 deletions(-) delete mode 100644 source/manual/ndproxy.rst diff --git a/source/manual/ipv6.rst b/source/manual/ipv6.rst index a6674efd..99084964 100644 --- a/source/manual/ipv6.rst +++ b/source/manual/ipv6.rst @@ -146,9 +146,8 @@ received. This part of the configuration is specified on the lan interface as "t .. Note:: When your provider or cloud hosting does not offer a PD, routing is not reliably possible. In some cases - network address translation may be an option (example in :doc:`ndproxy `). - There is an experimental `rfc `__ - to proxy neighbor discovery packets, but no implementation exists yet. + proxying neighbor discovery packets may be an option as explained in `RFC4389 `__. + An implementation is available via :doc:`ndp-proxy-go `. .. Note:: There is some overlap in what DHCPv6 offers and router advertisements bring to the table, but in most auto-configured diff --git a/source/manual/ndproxy.rst b/source/manual/ndproxy.rst deleted file mode 100644 index 037d9c13..00000000 --- a/source/manual/ndproxy.rst +++ /dev/null 
@@ -1,136 +0,0 @@ -================================================== -ndproxy (Neighbour Discovery Proxy) -================================================== - -.. contents:: - :local: - :depth: 2 - -This manual provides a quick overview of ndproxy and how to configure it for general use. - -.. Attention:: - - The ndproxy setup is pretty fragile. Only use it as a last resort if there are no better alternatives. - Due to limitations, ndproxy can only work with static prefixes. If your prefix changes often, - it is not a permanent working solution. And even if it works, it can just randomly decide to stop working - due to various reasons out of your control. - - -Introduction to ndproxy -================================================== - -Ndproxy is a kernel module that acts as a proxy for IPv6 Neighbor Discovery (ND) messages between a Provider Edge (PE) router -and Customer Premises Equipment (CPE). - -When ndproxy runs on the same device as the CPE (e.g., OPNsense), it allows the device -to act as both the home network’s router and the proxy for handling ND messages. This setup is particularly useful in cases -where an ISP only provides limited IPv6 delegation (e.g., a single /64 prefix). By using ndproxy, such limitations can be -bypassed to allow the LAN to use the ISP provided prefix. - -For more technical details: `ndproxy(4) `_ - - -Installation --------------------------------------------------- - -Install ``os-ndproxy`` from :menuselection:`System --> Firmware --> Plugins`. - - -Important configuration details --------------------------------------------------- - -- **IPv6 Global Unicast Address**: - The WAN and LAN interface must not configure a GUA in the same /64 prefix. A GUA on WAN is required, - ensure it is /128. - -- **Promiscuous Mode**: - The listening interface (WAN) must be set to promiscuous mode. - If it is a VLAN, it must be set on the parent interface. 
- The router must join multicast groups to respond to solicitations for hosts in the LAN. - -.. Attention:: - - You can proxy from WAN to one internal interface (e.g., LAN), not to multiple interfaces. - - -Offering services behind NAT (cloud setup) -================================================== - -Introduction --------------------------------------------------- - -Quite some cloud providers only offer a single :code:`/64` block via SLAAC which you can't easily push -down to your LAN interface when offering services with a firewall in between. - -In these types of setups, it's usually practical to offer a private range to the machines (servers) behind -the firewall and forward the traffic mapping external addresses on the firewall via NAT. - -One of the challenges of these setups is the need to configure (virtual) addresses on the firewall in order -to send it to the machine on the LAN interface, without a local address on the firewall, it wouldn't answer to neighbor discoveries -as these addresses are not local. - -This is where :code:`ndproxy` can play a role and answer to neighbor discoveries for addresses only used in network addresses -translation rules. 
- -Setup --------------------------------------------------- - -First we configure the wan interface via :menuselection:`Interfaces --> WAN` - -============================================== ==================================================================== -**IPv6 Configuration Type** ``SLAAC`` -**Promiscuous mode** ``X`` -============================================== ==================================================================== - - -Next we allocate an address from a private range in :menuselection:`Interfaces --> LAN` - -============================================== ==================================================================== -**IPv6 Configuration Type** ``Static IPv6`` -**IPv6 address** ``fd12:3456:789a:ffff::/64`` -============================================== ==================================================================== - -.. Note:: - - The unique local address (ULA) prefix to use for machines in your network within the :code:`fc00::/7` range. - -And configure router advertisements on LAN, :menuselection:`Services --> Router Advertisements --> [LAN]`, using the -settings below: - -============================================== ==================================================================== -**Router Advertisements** ``Stateless`` -============================================== ==================================================================== - - -In :menuselection:`Services --> Ndproxy` we will enable the ndproxy service, for this we need the MAC address of our WAN interface -and the default gateway received via WAN (Search for :code:`default` in :menuselection:`System --> Routes --> Status`), which is usually -quite static information. 
- - -============================================== ==================================================================== -**Enable** ``X`` -**Uplink Interface** ``WAN`` -**Downlink MAC Address** ``1a:11:22:33:44:55`` (WAN MAC) -**Uplink IPv6 Addresses** ``fe80::fc00:ff:1111:2222`` (default route) -============================================== ==================================================================== - -Finally we will map the internal addresses to the external ones using :menuselection:`Firewall --> NAT --> NPTv6`, -add a new rule using the following settings: - - -============================================== ==================================================================== -**Interface** ``WAN`` -**Internal IPv6 Prefix (source)** ``fd12:3456:789a:ffff::/64`` -============================================== ==================================================================== - - -Test --------------------------------------------------- - -When all goes well, a client on LAN should receive an address via SLAAC in the ``fd12:3456:789a:ffff::/64`` range -and you should be able to ping an address on the internet. - -Debugging --------------------------------------------------- - -In case of malfunction, make sure to capture `icmp6` packets on both interfaces to inspect neighbor discovery packets. diff --git a/source/plugins.rst b/source/plugins.rst index 01aafd1c..8c4c23c2 100644 --- a/source/plugins.rst +++ b/source/plugins.rst @@ -24,7 +24,6 @@ Routing manual/dynamic_routing manual/how-tos/tayga manual/ndp-proxy-go - manual/ndproxy -------------------- DNS
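Review bot: In the source/manual/ipv6.rst note, the replacement sentence drops the word "experimental" that the removed line used for the RFC, so the note now reads as if proxying neighbor discovery were a standard fallback when no PD is offered. Suggest keeping the qualifier, for example "proxying neighbor discovery packets may be an option as explained in the experimental RFC 4389", and writing the RFC number with a space. The same replacement also removes the note's only mention of network address translation as an alternative; if that option is still valid without ndproxy, keep a short clause for it rather than dropping it silently.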
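Review bot: Deleting source/manual/ndproxy.rst outright leaves users who followed it with no cleanup or migration guidance. Its Setup section had them enable promiscuous mode on WAN and add an NPTv6 rule for ``fd12:3456:789a:ffff::/64``, and nothing in this patch tells them to revert those settings once the plugin is unmaintained. Suggest adding a short deprecation paragraph to the ndp-proxy-go page or to the ipv6.rst note that states ndproxy is no longer maintained, points to the replacement, and lists the settings to undo, starting with promiscuous mode on WAN. It is also worth checking that no other page still references the ndproxy document, since only ipv6.rst and plugins.rst are touched here.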