ndproxy (Neighbour Discovery Proxy)
This manual provides a quick overview of ndproxy and how to configure it for general use.
Attention
The ndproxy setup is pretty fragile. Only use it as a last resort if there are no better alternatives. Due to limitations, ndproxy can only work with static prefixes. If your prefix changes often, it is not a permanent working solution. And even if it works, it can just randomly decide to stop working due to various reasons out of your control.
Introduction to ndproxy
Ndproxy is a kernel module that acts as a proxy for IPv6 Neighbor Discovery (ND) messages between a Provider Edge (PE) router and Customer Premises Equipment (CPE).
When ndproxy runs on the same device as the CPE (e.g., OPNsense), it allows the device to act as both the home network’s router and the proxy for handling ND messages. This setup is particularly useful in cases where an ISP only provides limited IPv6 delegation (e.g., a single /64 prefix). By using ndproxy, such limitations can be bypassed to allow the LAN to use the ISP provided prefix.
For more technical details: ndproxy(4)
Installation
Install os-ndproxy from .
Important configuration details
- IPv6 Global Unicast Address:
The WAN and LAN interface must not configure a GUA in the same /64 prefix. A GUA on WAN is required, ensure it is /128.
- Promiscuous Mode:
The listening interface (WAN) must be set to promiscuous mode. If it is a VLAN, it must be set on the parent interface. The router must join multicast groups to respond to solicitations for hosts in the LAN.
Attention
You can proxy from WAN to one internal interface (e.g., LAN), not to multiple interfaces.
Offering services behind NAT (cloud setup)
Introduction
Quite some cloud providers only offer a single /64 block via SLAAC which you can’t easily push
down to your LAN interface when offering services with a firewall in between.
In these types of setups, it’s usually practical to offer a private range to the machines (servers) behind the firewall and forward the traffic mapping external addresses on the firewall via NAT.
One of the challenges of these setups is the need to configure (virtual) addresses on the firewall in order to send it to the machine on the LAN interface, without a local address on the firewall, it wouldn’t answer to neighbor discoveries as these addresses are not local.
This is where ndproxy can play a role and answer to neighbor discoveries for addresses only used in network addresses
translation rules.
Setup
First we configure the wan interface via
IPv6 Configuration Type |
|
Promiscuous mode |
|
Next we allocate an address from a private range in
IPv6 Configuration Type |
|
IPv6 address |
|
Note
The unique local address (ULA) prefix to use for machines in your network within the fc00::/7 range.
And configure router advertisements on LAN, , using the settings below:
Router Advertisements |
|
In we will enable the ndproxy service, for this we need the MAC address of our WAN interface
and the default gateway received via WAN (Search for default in ), which is usually
quite static information.
Enable |
|
Uplink Interface |
|
Downlink MAC Address |
|
Uplink IPv6 Addresses |
|
Finally we will map the internal addresses to the external ones using , add a new rule using the following settings:
Interface |
|
Internal IPv6 Prefix (source) |
|