Feature #14032
openNeighbor Discovery Proxy (NDproxy)
Description
ISPs around the world are making effective use of IPv6.
DHCPv6-PD and others are already supported, but pfsense has no documentation on ndproxy.
The ndproxy package exists in FreeBSD.
We strongly prefer that the ndproxy package be integrated into the pfsense plus package rather than having to manually install it in pfsense plus!
Updated by Jim Pingle over 2 years ago
- Project changed from pfSense Plus to pfSense Packages
- Subject changed from I would like to be able to use Neighbor Discovery Proxy (NDproxy) to Neighbor Discovery Proxy (NDproxy)
- Category changed from IPv6 Router Advertisements (RADVD) to New Package Request
- Release Notes deleted (Default)
Updated by Yuki Hiramatsu over 2 years ago
Yuki Hiramatsu wrote:
ISPs around the world are making effective use of IPv6.
DHCPv6-PD and others are already supported, but pfsense has no documentation on ndproxy. The ndproxy package exists in FreeBSD.
We strongly prefer that the ndproxy package be integrated into the pfsense plus package rather than having to manually install it in pfsense plus!
I know that a similar FR was opened long ago and you responded. (Feature #7746)
There is now a ndproxy package in the FreeBSD repo.
Therefore, I would love to see it integrated into pfsense.
Updated by spoon spoon over 2 years ago
There is a growing need for this with more providers sticking us with /64. It's understandable that this wouldn't be wanted in all configurations since it goes against IPv6 practices, but we are left with no choice in some cases and it leads to hacky workarounds that are worse.
With the package now in FreeBSD I hope this request can be revisited.
Updated by Filippo Tessarotto about 2 years ago
NDProxy is the only way we have been able to get IPv6 working for our company network, and that has been possible only by moving from pfSense to OpenWrt, which already supports this feature (see https://openwrt.org/docs/guide-user/network/ipv6/configuration#ipv6_relay).
We hope to see NDProxy coming to pfSense too in the near future, so we can get back to our most loved firewall.
Updated by Marcos M about 2 years ago
The port does not currently build on FreeBSD 14 according to:
https://gitlab.com/FreeBSD/freebsd-ports/-/commit/d7389449aa8031688c211004edf013573b2d16f7
That would need to be resolved first at least.
https://github.com/AlexandreFenyo/ndproxy
Updated by Firstname Surname over 1 year ago
Bump! ndproxy has been patched and now builds on FreeBSD 14 - see commit history:
https://www.freshports.org/net/ndproxy
A binary package exists for 14 now, but as opposed to earlier versions where I happily used a FreeBSD 12 module for several years in pfSense up to 2.6.x, I can't load a prebuilt 14 module on 2.7. I'd have to build a specific kernel and compile it under that, and then keep doing it if pfsense kernel changes.
Having this package available would be a godsend for a huge number of users only having access to a single /64. VPS, ISPs, many others. With all the caveats ndproxy brings, it is really useful. It's currently preventing me from upgrading to 2.7 because my pfsense sits on a /64 and hands out VPN client addresses from the same /64. Others have other uses I'm sure...
Updated by Firstname Surname 6 months ago
- File ndproxy.ko ndproxy.ko added
- File ndproxy.tar.gz ndproxy.tar.gz added
OK, here's ndproxy for 2.7.2 if anyone needs it:
ndproxy is marked broken in the stock 14.0-RELEASE port, but it's been fixed since. I managed to build it for pfSense CE 2.7.2 without issues - you don't need to build the whole kernel and clone the whole git repo and the whole process only takes minutes including the file downloads, excluding building a FreeBSD host. The resulting module is attached - of course it's rather risky to load a kernel module that Some Guy On The Internet™ uploaded, so if you want to build it yourself:
1. Get hold of a FreeBSD host, VM, whatever - I used a disposable VM running 14.0. Could probably be 14.2 or whatever, but I used 14.0 and didn't check with a more recent release.
2. Grab the zip https://github.com/pfsense/FreeBSD-src/archive/refs/heads/RELENG_2_7_2.zip - quicker than git and you don't need a git tree just to build a single module. Unzip that.
3. Refresh your ports tree or grab a fresh version of the net/ndproxy port, or use the one I attached here (ndproxy.tar.gz) and extract it. If you used a FreeBSD release above 14.0, chances are you can build it straight away.
4. `cd where/you/untarred/ndproxy` or `/somewhere/net/ndproxy`, wherever your port lives
5. `make SRCTOP=/where/you/unzipped/FreeBSD-src-RELENG_2_7_2 SYSDIR=/where/you/unzipped/FreeBSD-src-RELENG_2_7_2/sys build`
6. If it builds, and it should build fine, your module is now in `./work/ndproxy-3.2/ndproxy.ko`, checksums for my build: md5sum 5bab380fe5b8afb8ecc5b7d7881dffe1, sha256sum 314db723972e2e017b191d2df0e981c338baa182fe6c821e49f052a89f6621a2
7. Copy the resulting ndproxy.ko to your pfsense 2.7.2 host(s) into /boot/modules
8. Load the module (kldload ndproxy), if you get no warnings on load and no errors in dmesg and `sysctl -a | grep ndproxy` shows the series of net.inet6.ndproxy* sysctls, all is well, continue using ndproxy as before on 2.6 or whatever. I normally use a shellcmd to load and configure ndproxy.
Hope this helps anyone who needed this feature, all caveats of using an NDP proxy in the first place aside. If you need it, you need it. Of course likely repeat the process on the next kernel version bump, with the respective pfsense kernel branch.
Updated by Filippo Tessarotto 6 months ago
Firstname Surname wrote in #note-7:
8. Load the module (kldload ndproxy), if you get no warnings on load and no errors in dmesg and `sysctl -a | grep ndproxy` shows the series of net.inet6.ndproxy* sysctls, all is well, continue using ndproxy as before on 2.6 or whatever. I normally use a shellcmd to load and configure ndproxy.
Hello, I was able to successfully load the module, but the pfSense config differs a lot from the FreeBSD one.
Do you mind posting a functioning configuration, please?
Updated by Kevin Stallard 6 days ago
A few points that might be helpful to others.
Version 25 and greater are currently using FreeBSD 15; you can clone the above pfsense FreeBSD-src repo and checkout git hash bf06074106cf.
I installed FreeBSD 15 in a VM, renamed the /usr/src directory and then cloned FreeBSD-src into a new /usr/src directory. I'm sure the SRCTOP variable would work... but I went down this road instead.
zfs rename zroot/usr/src zroot/usr/src.old
git clone https://github.com/pfsense/FreeBSD-src.git /usr/src
git checkout bf06074106cf
Then you can build ndproxy.ko:
cd /usr/ports/net/ndproxy
make clean
make
Then scp the resulting `./work/ndproxy-3.2/ndproxy.ko` to the /boot/modules directory on your router.
Type `kldload ndproxy` and then type `sysctl -a | grep ndproxy` and you should see the following:
net.inet6.ndproxycount: 0
net.inet6.ndproxyconf_uplink_ipv6_addresses:
net.inet6.ndproxyconf_exception_ipv6_addresses:
net.inet6.ndproxyconf_downlink_mac_address:
net.inet6.ndproxyconf_uplink_interface:
I'm currently hunting down how to make the sysctl parameters persistent. pfSense doesn't seem to be loading the values in `sysctl.conf`
UPDATE:
Don't use a /boot/loader.conf.local file to load ndproxy.ko at boot time. It seems to be loaded too early in the boot process and won't receive icmpv6 packets from any interfaces created after the kernel module is loaded (or so it seems).
Also, getting sysctl entries set and putting your WAN interface into promiscuous mode proved futile using standard means.
The solution I found came from Netgate's (very good) documentation, specifically https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html
Create a shell script in /usr/local/etc/rc.d, make sure it has a .sh extension and that it is executable.
Here is a sample script:
#!/bin/sh
# Load the module first; the net.inet6.ndproxy* sysctls only exist once it is loaded.
kldload ndproxy
# ISP-side address(es) that send the NS packets (see NOTES); separate several with ';'.
sysctl -w net.inet6.ndproxyconf_uplink_ipv6_addresses="fe80::ipv6:address:of:your:isps:modem;2603::global:ipv6:address:of:isp:modem"
# MAC of the router interface facing the ISP, in the form ifconfig prints it.
sysctl -w net.inet6.ndproxyconf_downlink_mac_address=<mac address of your routers interface facing the isp equipment>
# The router's own WAN addresses, so ndproxy does not answer the router's own solicitations.
sysctl -w net.inet6.ndproxyconf_exception_ipv6_addresses="fe80::your:routers:WAN:link:local:address;2603:your:routers:WAN:global:ipv6:address"
# WAN interface name; promiscuous mode lets it receive NS for addresses it does not own.
sysctl -w net.inet6.ndproxyconf_uplink_interface=wan_iface_name
ifconfig wan_iface_name promisc
NOTES:
- Address for the uplink_ipv6_addresses can be found by using tcpdump on your pfsense router (e.g. `tcpdump -i igb3 "icmp6 and icmp6[0]=135"`). While running tcpdump, ping a remote ipv6 address from a device inside your network and look to see what ipv6 address is trying to find that internal machine (via NS packets). That ipv6 address is the uplink address. Most of the time it will be a link local address, it is possible that your ISP's equipment might use a global address as well, so keep an eye out for it. Multiple addresses are delineated with a semi-colon.
- Mac address format for downlink_mac_address is just as it is from ifconfig, xx:xx:xx:xx:xx:xx
- It is good practice to add the addresses of your WAN interface of your router to the exceptions address list (exception_ipv6_addresses) so that ndproxy doesn't respond to the router's own NS solicitations. Add all of the IPv6 addresses assigned to your WAN interface to this list.
- For what it is worth, you can clone directly from FreeBSD's git repository instead of using the snapshot in pfSense's github repo, the git hash to find the right /usr/src files is the same.
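As an added example (not code from this ticket, from ndproxy or from pfSense): a startup script for /usr/local/etc/rc.d that validates the values before writing them, loads the module only if it is not already loaded, and afterwards checks that every net.inet6.ndproxy* sysctl exists, which is the test both note 7 step 8 and the sample script above rely on. The interface name, MAC and addresses are placeholders to replace; the assumption that pfSense calls rc.d scripts with a `start` argument is mine, so `apply` is accepted as well.

```shell
#!/bin/sh
# Added example, not code from the ticket or the ndproxy project.
# Usage: ndproxy.sh apply   - load ndproxy, write the sysctls, verify
#        ndproxy.sh verify  - only check that the ndproxy sysctls exist
#        ndproxy.sh         - define the functions only (for sourcing)
# All values below are placeholders; replace them with your own.

NDPROXY_UPLINK_IF="${NDPROXY_UPLINK_IF:-igb3}"                     # WAN NIC (assumed name)
NDPROXY_UPLINK_ADDRS="${NDPROXY_UPLINK_ADDRS:-fe80::1}"            # ISP addresses, ';'-separated (placeholder)
NDPROXY_DOWNLINK_MAC="${NDPROXY_DOWNLINK_MAC:-00:11:22:33:44:55}"  # MAC of the WAN NIC (placeholder)
NDPROXY_EXCEPTIONS="${NDPROXY_EXCEPTIONS:-}"                       # router's own WAN addresses (fill in)

# sysctl names pfSense shows after a successful kldload (taken from the ticket).
NDPROXY_SYSCTLS="net.inet6.ndproxycount
net.inet6.ndproxyconf_uplink_ipv6_addresses
net.inet6.ndproxyconf_exception_ipv6_addresses
net.inet6.ndproxyconf_downlink_mac_address
net.inet6.ndproxyconf_uplink_interface"

# 0 if $1 is a MAC in the xx:xx:xx:xx:xx:xx form ifconfig prints.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# 0 if $1 is a non-empty ';'-separated list whose every element looks like an
# IPv6 address (hex groups and colons, at least two colons, no empty element).
# Catches a stray ';' or an unfilled placeholder before sysctl sees it.
valid_addr_list() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r addr; do
        printf '%s\n' "$addr" | grep -Eq '^[0-9a-fA-F]{0,4}(:[0-9a-fA-F]{0,4}){2,7}$' || exit 1
    done
}

# Check every setting; print what is wrong and return 1 on the first problem.
ndproxy_check_config() {
    valid_addr_list "$NDPROXY_UPLINK_ADDRS" || { echo "bad uplink address list" >&2; return 1; }
    valid_mac "$NDPROXY_DOWNLINK_MAC" || { echo "bad downlink MAC" >&2; return 1; }
    # Without the router's own WAN addresses here, ndproxy answers the router's own NS.
    valid_addr_list "$NDPROXY_EXCEPTIONS" || { echo "exception list must hold the WAN addresses" >&2; return 1; }
    [ -n "$NDPROXY_UPLINK_IF" ] || { echo "uplink interface unset" >&2; return 1; }
}

# Read "sysctl -a" output on stdin; 0 only if every expected ndproxy sysctl is
# present, otherwise list the missing names on stderr and return 1.
ndproxy_loaded() {
    out=$(cat)
    missing=0
    for name in $NDPROXY_SYSCTLS; do
        printf '%s\n' "$out" | grep -q "^$name:" || { echo "missing: $name" >&2; missing=1; }
    done
    return "$missing"
}

# Load the module (kldload -n skips it if already loaded), push the settings,
# set the WAN NIC promiscuous, then confirm the sysctls exist. Same commands as
# the ticket's script, just validated and checked.
ndproxy_apply() {
    ndproxy_check_config || return 1
    kldload -n ndproxy || return 1
    sysctl -w net.inet6.ndproxyconf_uplink_ipv6_addresses="$NDPROXY_UPLINK_ADDRS"
    sysctl -w net.inet6.ndproxyconf_downlink_mac_address="$NDPROXY_DOWNLINK_MAC"
    sysctl -w net.inet6.ndproxyconf_exception_ipv6_addresses="$NDPROXY_EXCEPTIONS"
    sysctl -w net.inet6.ndproxyconf_uplink_interface="$NDPROXY_UPLINK_IF"
    ifconfig "$NDPROXY_UPLINK_IF" promisc
    sysctl -a | ndproxy_loaded
}

# "start" is accepted because pfSense is assumed to call rc.d scripts with it.
case "${1:-}" in
    apply|start) ndproxy_apply ;;
    verify)      sysctl -a | ndproxy_loaded ;;
    *)           : ;;
esac
```

Drop it in as /usr/local/etc/rc.d/ndproxy.sh (executable), or run `sh ndproxy.sh verify` after a manual kldload to get the missing sysctl names instead of eyeballing `sysctl -a | grep ndproxy`. The validation deliberately rejects the ticket's `fe80::your:routers:...` style placeholders, so a copied but unedited script fails before it touches the kernel.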