IPv6 Proxy NDP not working?

I'm running FreeBSD 10.3-RELEASE-p5 on a VPS with DigitalOcean. They give out a range of IPv6 addresses per host, 16 addresses total, with only one of them configured by default, and all in the same /64 network.

I'd like to configure this VPS to run OpenVPN with IPv6, and I'd like to be able to have it hand out some of the other v6 addresses to clients without having to do NATv6, which I think means I'll need to proxy NDP requests for those IPs.

Following the documentation in ndp(8) I've added an NDP entry for one of the IPs with the proxy options: ndp -s 2604:a880:800:10::5a5:b002 04:01:55:4e:cf:01 proxy

And I see it in my NDP table:

Code:
$ ndp -an
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::601:55ff:fe4e:cf02%vtnet1      04:01:55:4e:cf:02 vtnet1 permanent R
fe80::1%vtnet0                       00:00:5e:00:02:63 vtnet0 23h52m24s S R
2604:a880:800:10::1                  00:00:5e:00:02:63 vtnet0 18s       R R
2604:a880:800:10::5a5:b001           04:01:55:4e:cf:01 vtnet0 permanent R
2604:a880:800:10::5a5:b002           04:01:55:4e:cf:01 vtnet0 permanent R p
2604:a880:800:10::14:2001            04:01:35:08:cc:01 vtnet0 23h46m17s S
2604:a880:800:10::5c8:d001           04:01:42:26:fa:01 vtnet0 22h29m14s S
fe80::601:55ff:fe4e:cf01%vtnet0      04:01:55:4e:cf:01 vtnet0 permanent R

And with tcpdump I see the incoming neighbor solicitation:

Code:
22:33:26.823247 IP6 fe80::1 > ff02::1:ffa5:b002: ICMP6, neighbor solicitation, who has 2604:a880:800:10::5a5:b002, length 32

But no matching neighbor advertisement is sent. I've also tried adding the address in question to a loopback interface (lo1) but that made no difference.

Am I missing something obvious here, or does this not work for some reason?
 
Hello from Great Necroposter!
Any news about a working NDP proxy?
I have a similar problem - my FreeBSD 13 node does not respond to NS packets for proxied addresses.
 
A bit late, but I managed to get ndproxy working on FreeBSD 13.2-RELEASE with WireGuard on a Vultr VPS. You have to add a new Reserved IP (/64) and attach it to your instance first. I haven't had success getting ndproxy to work with my existing /64 assigned by Vultr.

Code:
1. Load the module: kldload ndproxy
2. Add the module to /boot/loader.conf (ndproxy_load="YES")
3. Add the following to /etc/rc.conf:-

ndproxy_enable="YES"
ndproxy_uplink_interface="vtnet0"
ndproxy_downlink_mac_address="vtnet0:Mac:Address"
ndproxy_uplink_ipv6_addresses="fe80::xx:xx:xx:xx" # uplink router's MAC address (ndp -na)

4. Start ndproxy: service ndproxy start
5. Set up WireGuard and assign to a peer a /128 GUA address from the new Reserved IP /64 block.
6. Start WireGuard and set up the client peer to use the new /128 GUA address.

Hope this helps someone out there. Cheers.
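
Added example, not part of any post in this thread: a small Python check for the symptom described in the first post, which reads saved `tcpdump` text output and reports which proxied addresses were solicited but never advertised. The first capture line is the one quoted in the thread; the other three lines and the function names are constructed for illustration.

```python
import ipaddress
import re

# tcpdump prints NS as "who has <target>" and NA as "tgt is <target>".
NS_RE = re.compile(r"> ([0-9a-fA-F:]+): ICMP6, neighbor solicitation, "
                   r"who has ([0-9a-fA-F:]+)")
NA_RE = re.compile(r"ICMP6, neighbor advertisement, tgt is ([0-9a-fA-F:]+)")


def solicited_node(addr):
    """Solicited-node multicast group (RFC 4291): ff02::1:ff00:0/104 + low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def ndp_report(lines, proxied):
    """Count NS/NA per proxied target; 'to_group' counts NS sent to its multicast group."""
    report = {ipaddress.IPv6Address(a): {"ns": 0, "na": 0, "to_group": 0}
              for a in proxied}
    for line in lines:
        ns, na = NS_RE.search(line), NA_RE.search(line)
        if ns:
            dst, target = (ipaddress.IPv6Address(g) for g in ns.groups())
            if target in report:
                report[target]["ns"] += 1
                report[target]["to_group"] += dst == solicited_node(target)
        elif na:
            target = ipaddress.IPv6Address(na.group(1))
            if target in report:
                report[target]["na"] += 1
    return report


def unanswered(report):
    """Targets that were asked for at least once and never answered."""
    return sorted(str(t) for t, c in report.items() if c["ns"] and not c["na"])


# Line 1 is from the thread; lines 2-4 are constructed sample data.
CAPTURE = """\
22:33:26.823247 IP6 fe80::1 > ff02::1:ffa5:b002: ICMP6, neighbor solicitation, who has 2604:a880:800:10::5a5:b002, length 32
22:33:27.101000 IP6 fe80::1 > ff02::1:ffa5:b001: ICMP6, neighbor solicitation, who has 2604:a880:800:10::5a5:b001, length 32
22:33:27.101200 IP6 2604:a880:800:10::5a5:b001 > fe80::1: ICMP6, neighbor advertisement, tgt is 2604:a880:800:10::5a5:b001, length 32
22:33:27.900000 IP6 fe80::1 > ff02::1:ffa5:b002: ICMP6, neighbor solicitation, who has 2604:a880:800:10::5a5:b002, length 32
""".splitlines()

PROXIED = ["2604:a880:800:10::5a5:b001", "2604:a880:800:10::5a5:b002"]

if __name__ == "__main__":
    print(unanswered(ndp_report(CAPTURE, PROXIED)))
```

Running it again on a capture taken after a configuration change shows whether the proxied address has started receiving advertisements.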
 