NDP proxy in an HA setup?

Started by Patrick M. Hausen, Today at 02:14:17 PM

Hi all,

is anybody running NDP proxy in a high availability configuration? Anything special to consider?

WAN will be a flat Ethernet (vSwitch) with router advertisements and SLAAC.

TIA,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The NDP proxy cannot be used inside an HA environment at the moment.

To become HA capable, it would need to exchange data between multiple running instances via a network socket, most likely in the scope of KEA's implementation. Though that would imply the proxy is stateful, which it isn't, and there are no plans to create such a data socket for it.

Another way would be a "depend on CARP" option that starts and stops it depending on CARP status. That could theoretically work in Ethernet multi-access networks. Yet the issue with this is the source of the router advertisements; they cannot be a CARP IP address like with radvd.

There are ways to combine it with radvd, but right now it's not possible yet because Base6Interface is missing as an option. https://github.com/opnsense/core/issues/9334

All in all, such a setup is not currently possible.
Hardware:
DEC740

That's bad. Hetzner will only assign a public /64 to our external vSwitch. No routing of prefixes is possible.
So we are stuck with port forwarding or Caddy. Not really "the v6 way" ;-)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Well, with a "depend on CARP" option (which does not need any changes to the proxy binary itself) and with eventual Base6Interface radvd, it could work. Yet the scope was never HA setups in the first place; it's a different problem domain that needs the help of radvd to work correctly.
Hardware:
DEC740