NDP proxy in an HA setup?

Started by Patrick M. Hausen, December 19, 2025, 02:14:17 PM

Hi all,

Is anybody running the NDP proxy in a high-availability configuration? Anything special to consider?

WAN will be a flat Ethernet (vSwitch) with router advertisements and SLAAC.

TIA,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The NDP proxy cannot be used inside an HA environment at the moment.

To become HA capable, it would need to exchange data between multiple running instances via a network socket, most likely in the scope of Kea's implementation. Though that would imply the proxy is stateful, which it isn't, and there are no plans to create such a data socket for it.

Another way would be a "depend on CARP" option that starts and stops it depending on CARP status. That could theoretically work in Ethernet multi-access networks. Yet the issue with this is the source of the router advertisements: it cannot be a CARP IP address like with radvd.

There are ways to combine it with radvd, but right now it's not possible yet because Base64Interface is missing as an option. https://github.com/opnsense/core/issues/9334

All in all, such a setup is not currently possible.
Hardware:
DEC740

That's bad. Hetzner will only assign a public /64 to our external vSwitch. No routing of prefixes is possible.
So we are stuck with port forwarding or Caddy. Not really "the v6 way" ;-)

Well, with a "depend on CARP" option (which does not need any changes to the proxy binary itself) and with an eventual Base6Interface radvd option, it could work. Yet the scope was never HA setups in the first place; it's a different problem domain that needs the help of radvd to work correctly.

@Patrick

If you feel like testing something, I added a simple "depend on CARP" hook to the plugin. If you build/patch the plugin with it, it will make sure there is only one running instance on the current master. It only triggers on CARP transitions; there is no guard against starting the service manually on the backup (just FYI, to keep in mind). The ndp-proxy-go binary doesn't need any changes; it's the current one from the opnsense repo.

- You must use "Proxy router advertisements", and do not use any RA daemons running on the OPNsense itself. As stated in the posts above, that's currently not possible due to missing features
- You must use "Install host routes"
- Best would be to also use "Neighbor cache file" so in case of CARP flapping there is less downtime
-> Some downtime during transitions is always expected. The upstream (ISP) router must learn the new MAC address after a failover. I don't know how long that takes, but I assume less than a minute (most NDP states have a 60s lifetime). But IPv6 failover is never really interruption free.

I feel like essentially this is all it should take to HA enable the plugin, yet I would really like some feedback before implementing this "for real". Thank you if you take a look at it :)

https://github.com/Monviech/plugins/tree/ndp-proxy-carp

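An added illustration of the "depend on CARP" idea discussed in this thread (example code, not the Monviech plugin's own hook): an rc.syshook-style CARP hook that maps MASTER/BACKUP transitions of the tracked VHID to start/stop of the proxy, plus the guard the post says is missing, a check of the node's actual CARP state (parsed from ifconfig's "carp:" line) before any start. The service commands, the NDP_PROXY_CARP_VHID variable and the ifconfig sample text are assumptions.

```sh
#!/bin/sh
# OPNsense CARP hook scripts (/usr/local/etc/rc.syshook.d/carp/) receive:
#   $1 = CARP subsystem as vhid@interface, e.g. "1@vtnet0"
#   $2 = transition type, "MASTER" or "BACKUP"

# Constructed sample of FreeBSD ifconfig output, used for offline checks.
SAMPLE_IFCONFIG="vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::1%vtnet0 prefixlen 64 scopeid 0x1
        carp: MASTER vhid 1 advbase 1 advskew 0"

# carp_state IFACE VHID [IFCONFIG_TEXT]: prints MASTER/BACKUP/INIT for the given
# vhid on IFACE, or UNKNOWN if no matching "carp:" line exists.
carp_state() {
    iface="$1"; vhid="$2"
    if [ -n "$3" ]; then text="$3"; else text="$(ifconfig "$iface" 2>/dev/null)"; fi
    printf '%s\n' "$text" | awk -v v="$vhid" '
        $1 == "carp:" && $3 == "vhid" && $4 == v { print $2; found = 1 }
        END { if (!found) print "UNKNOWN" }'
}

# decide_action SUBSYSTEM EVENT TRACKED: start on MASTER, stop on BACKUP,
# ignore transitions of any VHID other than the tracked one.
decide_action() {
    [ "$1" = "$3" ] || { echo ignore; return; }
    case "$2" in
        MASTER) echo start ;;
        BACKUP) echo stop ;;
        *)      echo ignore ;;
    esac
}

# guard_start IFACE VHID [IFCONFIG_TEXT]: succeeds only if this node is CARP
# master, so a manual start on the backup is refused instead of creating a
# second proxy instance answering neighbor solicitations.
guard_start() {
    [ "$(carp_state "$1" "$2" "$3")" = "MASTER" ]
}

hook_main() {
    tracked="${NDP_PROXY_CARP_VHID:-1@vtnet0}"   # assumed configuration knob
    iface="${tracked#*@}"; vhid="${tracked%@*}"
    case "$(decide_action "$1" "$2" "$tracked")" in
        start) guard_start "$iface" "$vhid" && service ndp-proxy-go onestart ;;  # assumed command
        stop)  service ndp-proxy-go onestop ;;                                   # assumed command
    esac
}

if [ $# -ge 2 ]; then hook_main "$@"; fi
```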