Feature #14032
open
Neighbor Discovery Proxy (NDproxy)
0%
Description
ISPs around the world are making effective use of IPv6.
DHCPv6-PD and others are already supported, but pfsense has no documentation on ndproxy.
The ndproxy package exists in FreebSD.
We strongly prefer that the ndproxy package be integrated into the pfsense plus package rather than having to manually install it in pfsense plus!
Files
Updated by Jim Pingle over 2 years ago
- Project changed from pfSense Plus to pfSense Packages
- Subject changed from I would like to be able to use Neighbor Discovery Proxy (NDproxy) to Neighbor Discovery Proxy (NDproxy)
- Category changed from IPv6 Router Advertisements (RADVD) to New Package Request
- Release Notes deleted (
Default)
Updated by Yuki Hiramatsu over 2 years ago
Yuki Hiramatsu wrote:
ISPs around the world are making effective use of IPv6.
DHCPv6-PD and others are already supported, but pfsense has no documentation on ndproxy.The ndproxy package exists in FreebSD.
We strongly prefer that the ndproxy package be integrated into the pfsense plus package rather than having to manually install it in pfsense plus!
I know that a similar FR was opened long ago and you responded. (Feature# 7746)
There is now a ndproxy package in the FreeBSD repo.
Therefore, I would love to see it integrated into pfsense.
Updated by spoon spoon about 2 years ago
There is a growing need for this with more providers sticking us with /64. It's understandable that this wouldn't be wanted in all configurations since it goes against IPv6 practices, but we are left with no choice in some cases and it leads to hacky workarounds that are worse.
With the package now in FreeBSD I hope this request can be revisited.
Updated by Filippo Tessarotto about 2 years ago
NDProxy is the only way we have been able to get IPv6 working for our company network, and that have been possible only moving from pfSense to OpenWrt, which already supports this feature (see https://openwrt.org/docs/guide-user/network/ipv6/configuration#ipv6_relay).
We hope to see NDProxy coming to pfSense too in the near future, so we can get back to our most loved firewall.
Updated by Marcos M about 2 years ago
The port does not currently build on FreeBSD 14 according to:
https://gitlab.com/FreeBSD/freebsd-ports/-/commit/d7389449aa8031688c211004edf013573b2d16f7
That would need to be resolved first at least.
https://github.com/AlexandreFenyo/ndproxy
Updated by Firstname Surname over 1 year ago
Bump! ndproxy has been patched and now builds on FreeBSD 14 - see commit history:
https://www.freshports.org/net/ndproxy
A binary package exists for 14 now, but as opposed to earlier versions where I happily used a FreeBSD 12 module for several years in pfSense up to 2.6.x, I can't load a prebuilt 14 module on 2.7. I'd have to build a specific kernel and compile it under that, and then keep doing it if pfsense kernel changes.
Having this package available would be a godsend for a huge number of users only having access to a single /64. VPS, ISPs, many others. With all the caveats ndproxy brings, it is really useful. It's currently preventing me from upgrading to 2.7 because my pfsense sits on a /64 and hands out VPN client addresses from the same /64. Others have other uses I'm sure...
Updated by Firstname Surname 6 months ago
- File ndproxy.ko ndproxy.ko added
- File ndproxy.tar.gz ndproxy.tar.gz added
OK, here's ndproxy for 2.7.2 if anyone needs it:
ndproxy is marked broken in the stock 14.0-RELEASE port, but it's been fixed since. I managed to build it for pfSense CE 2.7.2 without issues - you don't need to build the whole kernel and clone the whole git repo and the whole process only takes minutes including the file downloads, excluding building a FreeBSD host. The resulting module is attached - of course it's rather risky to load a kernel module that Some Guy On The Internetâ„¢ uploaded, so if you want to build it yourself:
1. Get hold of a FreeBSD host, VM, whatever - I used a disposable VM running 14.0. Could probably be 14.2 or whatever, but I used 14.0 and didn't check with a more recent release.
2. Grab the zip https://github.com/pfsense/FreeBSD-src/archive/refs/heads/RELENG_2_7_2.zip - quicker than git and you don't need a git tree just to build a single module. Unzip that.
3. Refresh your ports tree or grab a fresh version of the net/ndproxy port, or use the one I attached here (ndproxy.tar.gz) and extract it. If you used a FreeBSD release above 14.0, chances are you can build it straight away.
4. cd where/you/untarred/ndproxy or /somewhere/net/ndproxy where your port lives
5. `make SRCTOP=/where/you/unzipped/FreeBSD-src-RELENG_2_7_2 SYSDIR=/where/you/unzipped/FreeBSD-src-RELENG_2_7_2/sys build`
6. If it builds, and it should build fine, your module is now in `./work/ndproxy-3.2/ndproxy.ko`, checksums for my build: md5sum 5bab380fe5b8afb8ecc5b7d7881dffe1, sha256sum 314db723972e2e017b191d2df0e981c338baa182fe6c821e49f052a89f6621a2
7. Copy the resulting ndproxy.ko to your pfsense 2.7.2 host(s) into /boot/modules
8. Load the module (kldload ndproxy), if you get no warnings on load and no errors in dmesg and `sysctl -a | grep ndproxy` shows the series of net.inet6.ndproxy* sysctls, all is well, continue using ndproxy as before on 2.6 or whatever. I normally use a shellcmd to load and configure ndproxy.
Hope this helps anyone who needed this feature, all caveats of using an NDP proxy in the first place aside. If you need it, you need it. Of course likely repeat the process on the next kernel version bump, with the respective pfsense kernel branch.
Updated by Filippo Tessarotto 6 months ago
Firstname Surname wrote in #note-7:
8. Load the module (kldload ndproxy), if you get no warnings on load and no errors in dmesg and `sysctl -a | grep ndproxy` shows the series of net.inet6.ndproxy* sysctls, all is well, continue using ndproxy as before on 2.6 or whatever. I normally use a shellcmd to load and configure ndproxy.
Hello, I was able to successfully load the module, but pfSense config differs a lot from FreeBSD one.
Do you mind posting a functioning configuration, please?