Monviech 2026-05-26 01:22:30 +03:00 committed by GitHub
commit cacebb9fdc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -148,7 +148,7 @@ In such a setup, your router will not receive a prefix delegation via DHCPv6-PD,
Settings
--------------------------------------------------
Go to :menuselection:`Interfaces --> WAN`
Go to :menuselection:`Interfaces --> WAN` and select SLAAC as IPv6 configuration.
============================================== ====================================================================
**IPv6 Configuration Type** ``SLAAC``
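Review bot: In the WAN sentence, "select SLAAC as IPv6 configuration" names the field differently from the table row directly below it, which labels it "IPv6 Configuration Type". Use the exact field label and write the value as the literal ``SLAAC``, as the table does, so the sentence and the table cannot be read as two separate settings.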
@ -156,7 +156,7 @@ Go to :menuselection:`Interfaces --> WAN`
Save the settings.
Go to :menuselection:`Interfaces --> LAN` and choose either a link-local IPv6 configuration.
Go to :menuselection:`Interfaces --> LAN` and select link-local as IPv6 configuration.
============================================== ====================================================================
**IPv6 Configuration Type** ``link-local``
@ -180,9 +180,17 @@ After applying the configuration, all devices in your LAN network will autogener
the router as their default gateway. Check the firewall rules on LAN if IPv6 is allowed to any destination.
Verify the setup by pinging an IPv6 location on the internet.
.. Note::
In the default setup, the Router Advertisements from the ISP are forwarded directly.
Any other Router Advertisement daemons on the LAN interface must be disabled, for example in
:menuselection:`Services --> Router Advertisements` and :menuselection:`Services --> Dnsmasq DNS & DHCP`.
.. Attention::
Since in the default setup, the router advertisements of the ISP are used, please stop any other router advertisement daemons on the LAN interface.
The default firewall aliases (e.g., LAN network) will not contain any proxied IPv6 addresses.
Either follow the `Firewall Rules` example, or set the source to any in your default IPv6 allow rule.
Firewall Rules
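Review bot: In the Attention block, "set the source to any in your default IPv6 allow rule" is offered as an equal alternative to the Firewall Rules example, but it makes the LAN IPv6 allow rule match every source address, while the example restricts it to learned clients. Say which of the two is the stricter option so the reader picks the loose one knowingly. Also, `Firewall Rules` in single backticks is interpreted text rather than a link; since the section heading of that name follows directly, `Firewall Rules`_ would make it a working reference.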
@ -196,7 +204,7 @@ Since only learned clients are added, the alias will always have an up to date s
.. Note::
The proxy only learns IPv6 addresses that are inside the WAN on-link prefix and only of clients it manages.
These aliases are not for general use, but only for combination with the proxy to ease creating the correct firewall rules.
After initial setup, it can take a few minutes until all clients have been learned.
- Go to :menuselection:`Firewall --> Aliases` and create these aliases:
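Review bot: The last sentence of the Note, "it can take a few minutes until all clients have been learned", does not state the consequence for the rules built on these aliases. Since only learned clients are added to the alias, a client that has not been learned yet will not match a rule that uses the alias as source, so it has no IPv6 connectivity during that window. Add one sentence saying so, which also spares readers from debugging a rule set that is simply still filling.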
@ -204,7 +212,7 @@ Since only learned clients are added, the alias will always have an up to date s
================================== =======================================================================================================
Option Value
================================== =======================================================================================================
**Name** ``ndp_proxy_all`` (Will contain all learned IPv6 addresses)
**Name** ``ndp_proxy_global`` (Will contain all learned IPv6 addresses)
**Type** ``External (advanced)``
================================== =======================================================================================================
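Review bot: The Name row changes from ``ndp_proxy_all`` to ``ndp_proxy_global``, but the parenthetical still reads "Will contain all learned IPv6 addresses". If the alias now holds only global addresses, the description should say that; if it still holds everything, the new name is misleading. Because the Type is ``External (advanced)``, the name typed here has to match what the proxy fills, so please also check that no rule table or text elsewhere on the page still refers to ``ndp_proxy_all``.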
@ -252,8 +260,6 @@ Option Value
============================================== ====================================================================================================
- Press **Apply**
Now your IPv6 firewalling is tight. It is self-healing when client addresses change due to IPv6 privacy extensions or when the on-link prefix changes.
.. Tip::
@ -420,7 +426,7 @@ The proxy must install host routes to target the individual downstream clients:
- route deleted: "IPv6 address"
- A route was deleted, most likely the client was offline longer than the neighbor caching time, or it changed its IPv6 address via privacy
extension. On a clean shutdown, all routes of learned clients in the cache will be deleted.
extension.
- route add err: exit status 1 (out: add host "IPv6 address": gateway eth0 fib 0: route already in table)
- There is already a different route that would overlap with the one the proxy tries to install.
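Review bot: In the "route deleted" entry, dropping "On a clean shutdown, all routes of learned clients in the cache will be deleted" leaves the page silent on what happens to installed host routes when the proxy stops. The very next entry documents "route already in table", which is the error a leftover route would produce on restart, so state the current shutdown behaviour explicitly, whichever it is, rather than only removing the old claim.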