Majornetwork

Gateway of last resort is not set

Juniper SRX100 and HE IPv6 Tunnel

“And now something totally different”

I bought a Juniper SRX100 as my Buffalo access point/router did not keep up with my upgraded Internet connection speed. I hadn’t used Junos practically at all before that so that world was new for me.

I had some specific requirements for my new router: size (small enough to fit my “main distribution facility”), not very power-hungry, but feature-rich. Of the features, full IPv6 support was one of the most important. Cisco ASA5505 was one candidate but it has a ridiculously big power brick. This also seemed like a good chance to check out Junos, so with SRX100 I went.

I’ve had my Hurricane Electric Tunnelbroker account for several months so now I finally had a chance to implement a tunnel. There are lots of hints and instructions about configuring the HE tunnel with SRX100 but somehow they all (all that I found) missed some details. Here is my configuration for the IPv6 tunnel.

Note that I started from out-of-the-box configuration with my SRX100. There are other configuration statements as well, for my IPv4 policies and services and other “basic” stuff. Here are only the commands needed for IPv6 tunnel and RA.

(Please check the HE Tunnelbroker configuration hints/instructions before doing anything! I’m using the Stockholm tunnel in my configurations.)

# This is the Junos version that my SRX100 came with:
set version 10.4R4.5

# First start with the tunnel configurations and the default route:
set interfaces ip-0/0/0 unit 0 tunnel source <my.ipv4.address>
set interfaces ip-0/0/0 unit 0 tunnel destination 216.66.80.90
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:470:my.link::2/64
set routing-options rib inet6.0 static route ::/0 next-hop 2001:470:my.link::1

# Then configure the inside VLAN interface address and router advertisements:
set interfaces vlan unit 0 family inet6 address 2001:470:my.network::1/64
set protocols router-advertisement interface vlan.0 max-advertisement-interval 90
set protocols router-advertisement interface vlan.0 min-advertisement-interval 60
set protocols router-advertisement interface vlan.0 prefix 2001:470:my.network::/64

# Enable flow mode for IPv6 (see below for more info...):
set security forwarding-options family inet6 mode flow-based

# and assign the tunnel interface to "untrust" zone:
set security zones security-zone untrust interfaces ip-0/0/0.0
# (I have the usual basic setup: anything is allowed from "trust" to "untrust",
# and the inside VLAN interface is already in the trust zone)

Now, the IPv6 flow mode apparently does not work correctly on this version of Junos, so some recommend using packet mode instead. I don’t like the idea of using plain packet filters (or whatever) instead of the stateful firewall (at least that is how I understand using packet mode instead of flow mode: you lose the stateful firewall policies).

This workaround was suggested in some discussions:

# Creating a packet filter named "outside"
# First enable pings from HE servers (they want to check the tunnel endpoint):
set firewall filter outside term allow-pings from source-address 66.220.2.0/24
set firewall filter outside term allow-pings from icmp-type echo-request
set firewall filter outside term allow-pings then accept
# Deny other pings
set firewall filter outside term discard-pings from icmp-type echo-request
set firewall filter outside term discard-pings then discard

# And here is the actual fix: protocol 41 packets to/from the tunnel endpoint
# are handled in packet mode instead of the normal flow mode:
set firewall filter outside term fix-6in4-source from source-address 216.66.80.90
set firewall filter outside term fix-6in4-source from protocol 41
set firewall filter outside term fix-6in4-source then packet-mode
set firewall filter outside term fix-6in4-destination from destination-address 216.66.80.90
set firewall filter outside term fix-6in4-destination from protocol 41
set firewall filter outside term fix-6in4-destination then packet-mode
set firewall filter outside term accept-the-rest then accept

# Finally assign the packet filter in the outside IPv4 interface:
set interfaces fe-0/0/0 unit 0 family inet filter input outside

After that the IPv6 flow mode started working. I thought that the “filter input” statement there meant that the filter is only applied to packets coming in the interface but apparently there is also something else: the filter fix did not work without the “destination-address 216.66.80.90” rule. Don’t ask me why (but if you know please comment below!).
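To make the first-match semantics of the “outside” filter above concrete (and to show why its term order matters), here is an added Python simulation; it is not code from the original post. The packet dicts are constructed samples (198.51.100.10 stands in for my.ipv4.address), and the filter model is a deliberate simplification of Junos: match conditions within a term are ANDed, the first matching term wins, and a packet matching no term hits the implicit discard at the end of the filter.

```python
import ipaddress

# Constructed model of the page's "outside" filter, in Junos term order.
# An empty "from" dict means the term matches every packet (accept-the-rest).
OUTSIDE_FILTER = [
    ("allow-pings", {"source-address": "66.220.2.0/24", "icmp-type": "echo-request"}, "accept"),
    ("discard-pings", {"icmp-type": "echo-request"}, "discard"),
    ("fix-6in4-source", {"source-address": "216.66.80.90/32", "protocol": 41}, "packet-mode"),
    ("fix-6in4-destination", {"destination-address": "216.66.80.90/32", "protocol": 41}, "packet-mode"),
    ("accept-the-rest", {}, "accept"),
]

def term_matches(conditions, pkt):
    """All 'from' conditions of one term must hold (Junos ANDs them)."""
    for key, want in conditions.items():
        if key in ("source-address", "destination-address"):
            field = "src" if key == "source-address" else "dst"
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(want):
                return False
        elif key == "icmp-type":
            # icmp-type can only match an ICMP packet (IP protocol 1) of that type
            if pkt.get("protocol") != 1 or pkt.get("icmp_type") != want:
                return False
        elif key == "protocol":
            if pkt.get("protocol") != want:
                return False
        else:
            raise ValueError(f"unsupported match condition: {key}")
    return True

def evaluate(filter_terms, pkt):
    """Return (term name, action) of the first matching term, or the
    implicit discard that ends every Junos firewall filter."""
    for name, conditions, action in filter_terms:
        if term_matches(conditions, pkt):
            return name, action
    return "<implicit>", "discard"

if __name__ == "__main__":
    # Constructed samples: an incoming 6in4 packet from the HE tunnel endpoint,
    # an HE monitoring ping, a ping from elsewhere, and ordinary HTTPS traffic.
    samples = [
        {"src": "216.66.80.90", "dst": "198.51.100.10", "protocol": 41},
        {"src": "66.220.2.74", "dst": "198.51.100.10", "protocol": 1, "icmp_type": "echo-request"},
        {"src": "203.0.113.5", "dst": "198.51.100.10", "protocol": 1, "icmp_type": "echo-request"},
        {"src": "203.0.113.5", "dst": "198.51.100.10", "protocol": 6, "dport": 443},
    ]
    for pkt in samples:
        print(pkt["src"], "->", pkt["dst"], "proto", pkt["protocol"], "=>", evaluate(OUTSIDE_FILTER, pkt))
```

Moving accept-the-rest to the top of the list makes the 6in4 packets match it first and never reach the packet-mode terms, which is exactly the kind of ordering mistake the simulation is meant to expose.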

But there you go anyway, my Windows 7 workstation is happy with the router advertisements and everything seems to work just fine. The tunnel obviously causes some additional latency (tunnel traffic is being routed from Finland to Sweden and back) but not necessarily anything huge:

C:\>ping -4 www.funet.fi

Pinging www.funet.fi [81.90.77.32] with 32 bytes of data:
Reply from 81.90.77.32: bytes=32 time=2ms TTL=58
Reply from 81.90.77.32: bytes=32 time=2ms TTL=58
Reply from 81.90.77.32: bytes=32 time=2ms TTL=58
Reply from 81.90.77.32: bytes=32 time=2ms TTL=58
...

C:\>ping -6 www.funet.fi

Pinging www.funet.fi [2a00:16a0:0:100::21:3] with 32 bytes of data:
Reply from 2a00:16a0:0:100::21:3: time=17ms
Reply from 2a00:16a0:0:100::21:3: time=17ms
Reply from 2a00:16a0:0:100::21:3: time=17ms
Reply from 2a00:16a0:0:100::21:3: time=16ms
...

user@srx100> show security flow session family inet6
Session ID: 11293, Policy name: trust-to-untrust/4, Timeout: 2, Valid
  In: 2001:470:my.ipv6.host/54 --> 2a00:16a0:0:100::21:3/1;icmp6, If: vlan.0, Pkts: 1, Bytes: 80
  Out: 2a00:16a0:0:100::21:3/1 --> 2001:470:my.ipv6.host/54;icmp6, If: ip-0/0/0.0, Pkts: 1, Bytes: 80

As shown, the flow was also recorded correctly in the process.

Happy IPv6ing!

Feel free to comment if you know how to get the DNS server IPv6 address distributed with DHCPv6! 🙂

The obvious testing sites for IPv6 connectivity:

3 Comments

  1. Hi,

    Just did it on my box, great; even simpler, just one term on the firewall filter, with protocol 41 and packet-based, does the job.

    Great post anyway!

  2. I use a Dell Juniper SRX 210B with version 10.3R2.11 but I can’t use the command set interfaces vlan unit 0 family inet6 … Is this an OS problem?

    1. Hi Kevin! I don’t have personal experience with Junos versions prior to 10.4 so I don’t know exactly, but I would guess “yes”. I have a post about upgrading Junos here if it helps, just search for Junos.


Majornetwork.net © Markku Leiniö 2011-2017