@MCterra10
Last active March 19, 2025 12:03
ndproxy Install Script for OPNSense (run with sudo)
#!/bin/sh
# stop at the first failed step, so a failed clone or cd can never lead to
# "make install" being run as root from the wrong directory
set -e
# save previous working directory to preserve state
# (not stored in PWD: the shell overwrites PWD on every cd)
OLD_PWD=$(pwd)
# download the opnsense OS source
echo ">>> Downloading OPNsense Source Code..."
rm -rf /usr/src
git clone --recurse-submodules https://github.com/opnsense/src /usr/src
cd /usr/src
# Download the freebsd ports repo and get ready to build
echo ">>> Downloading FreeBSD Ports Repository..."
rm -rf /usr/ports-upstream
git clone --recurse-submodules https://git.FreeBSD.org/ports.git /usr/ports-upstream
cd /usr/ports-upstream/net/ndproxy
# build and install ndproxy again
echo ">>> Building and Installing ndproxy..."
make clean
make install
echo ">>> Done. Cleaning Up..."
# restore the saved working directory
cd "$OLD_PWD"
@MCterra10
Author

> Sorry for the questions but I don't know how. I must put all the variables? ndproxy_uplink_interface ndproxy_downlink_mac_address ndproxy_exception_ipv6_addresses ndproxy_uplink_ipv6_addresses
>
> net.inet6.ndproxycount this says through sysctl entry??? and how many?

Yes, they must go in rc.conf.local.
You need to set them according to what's in the manual; run man ndproxy.
You'll need to get your interface MAC, ISP router IPs, among other things.

@ProfFan

ProfFan commented Jul 13, 2024

Hi @MCterra10 which mode are you using for the Router Advertisements? Also for the LAN interface, should I give a private range IP for it? Many thanks!

@MCterra10
Author

> Hi @MCterra10 which mode are you using for the Router Advertisements? Also for the LAN interface, should I give a private range IP for it? Many thanks!

I am using unmanaged (SLAAC) mode with RDDNS enabled.
You don't need a private IPv6 range (ULA or otherwise) on the LAN interface, use the same range as for the WAN (i.e. if ??::1 is your WAN address then use say ??::2 for LAN. This is arbitrary, and you can use whatever you see fit).

To be clear, I have since stopped using ndproxy because it just has too many caveats, so I'm using prefix translation currently, although it requires a lot more configuration when adding new hosts, it's more reliable.

@ProfFan

ProfFan commented Jul 13, 2024

@MCterra10 I just set the LAN interface address to one of the /64 ranges and enabled DHCPv6, everything seems to be working now and I got 10/10 on test-ipv6.com. What kind of caveats do you recall? Thanks again for the help :)

@alanaasmaa

alanaasmaa commented Sep 4, 2024

Thank you!

EDIT: Seems to work only if your WAN IP is not changing.

I got it to work also with that.

My setup and config for someone else with same issue, but please note that I have no idea what I'm doing:
I use DNA 5G with ZTE MC7010 in bridge mode.

WAN:
IPv6 Configuration Type -> DHCPv6
Prefix delegation size -> 64
Request prefix only -> Unchecked
Send prefix hint -> Unchecked

LAN
IPv6 Configuration Type -> Static
IPv6 address -> Based on WAN IP for example WAN IP is A:B:C:D:E:F:G:H/64 I have -> A:B:C:D::1/64. No idea about that why I did that but I'm afraid to change.

RA LAN
Router Advertisements -> Assisted
Router Priority -> High
Advertise Default Gateway -> Check

ISC DHCPv6: [LAN]
Enable -> Check
Range -> A:B:C:D::100 - A:B:C:D::FFFF

My ndproxyconf:

net.inet6.ndproxyconf_uplink_interface: -> re0
net.inet6.ndproxyconf_downlink_mac_address: -> LAN MAC
net.inet6.ndproxyconf_exception_ipv6_addresses: -> LAN Local IPv6;WAN Local IPv6
net.inet6.ndproxyconf_uplink_ipv6_addresses: -> WAN Local IPv6;Gateway (WAN) local IPv6

Save.

Now when I refreshed my IP on a Windows PC I noticed it came up on the WAN interface in ISC DHCPv6 Leases. But then I rebooted the OPNsense and everything just started to work. And the same MAC came up on the LAN interface in the same page.

@MCterra10
Author

> @MCterra10 I just set the LAN interface address to one of the /64 ranges and enabled DHCPv6, everything seems to be working now and I got 10/10 on test-ipv6.com. What kind of caveats do you recall? Thanks again for the help :)

Sorry for taking over half a year to reply; the issue I was having is that the ndproxy module has no ability to set a network whitelist; it will respond to ALL neighbor discovery packets on the interface, regardless of whether you are actually using those addresses or not. Because my hosting provider OVH implements IPv6 horribly, I actually receive ND packets for other people's servers, and ended up inadvertently performing a router hijack on their servers 😂
Because of that I had my server shut off a couple of times, and was forced to start using a NAT setup instead, which is horrible but at least my server stays on.
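
The situation described in the last comment, solicitations arriving for addresses that are not yours, can be checked for on the uplink before ndproxy is enabled. This is an added example, not part of the gist or of ndproxy: it reads tcpdump text output and counts Neighbor Solicitation targets that fall outside your own prefix. The function name, the sample capture lines and the 2001:db8:: documentation prefixes are constructed for illustration.

```python
import ipaddress
import re

# Target address of a Neighbor Solicitation as printed in tcpdump text output.
NS_TARGET = re.compile(r"neighbor solicitation, who has ([0-9A-Fa-f:]+)")

# Constructed sample capture (documentation prefixes, not real traffic).
SAMPLE = """\
12:00:01.000001 IP6 fe80::1 > ff02::1:ff00:10: ICMP6, neighbor solicitation, who has 2001:db8:1:2::10, length 32
12:00:01.500000 IP6 fe80::1 > ff02::1:ff00:99: ICMP6, neighbor solicitation, who has 2001:db8:1:3::99, length 32
12:00:02.000000 IP6 fe80::1 > ff02::1:ff00:99: ICMP6, neighbor solicitation, who has 2001:db8:1:3::99, length 32
12:00:02.100000 IP6 fe80::1 > fe80::2: ICMP6, neighbor solicitation, who has fe80::2, length 32
12:00:03.000000 IP6 2001:db8:1:2::10 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1:2::10, length 32
""".splitlines()


def foreign_ns_targets(lines, own_prefixes):
    """Return {target: count} for solicited addresses outside own_prefixes."""
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    foreign = {}
    for line in lines:
        match = NS_TARGET.search(line)
        if not match:
            continue  # not a Neighbor Solicitation line
        try:
            target = ipaddress.IPv6Address(match.group(1))
        except ipaddress.AddressValueError:
            continue  # truncated or garbled capture line
        if target.is_link_local:
            continue  # fe80::/10 targets belong to no routed prefix
        if not any(target in net for net in nets):
            key = str(target)
            foreign[key] = foreign.get(key, 0) + 1
    return foreign


if __name__ == "__main__":
    # Assumption: 2001:db8:1:2::/64 stands in for the prefix assigned to you.
    hits = foreign_ns_targets(SAMPLE, ["2001:db8:1:2::/64"])
    for addr, count in sorted(hits.items()):
        print(f"{count:4d}  {addr}  (outside your prefix)")
```

A non-empty result means the uplink segment carries solicitations for other hosts' addresses, which is the condition the comment above ran into.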
