Juniper SRX100 and HE IPv6 Tunnel

“And now something totally different”

I bought a Juniper SRX100 because my Buffalo access point/router could not keep up with my upgraded Internet connection speed. I had hardly used Junos before that, so that world was new to me.

I had some specific requirements for my new router: small size (it had to fit my “main distribution facility”), low power consumption, and a rich feature set, with full IPv6 support among the most important features. Cisco ASA5505 was one candidate but it has a ridiculously big power brick. This also seemed like a good chance to check out Junos, so with SRX100 I went.

I’ve had my Hurricane Electric Tunnelbroker account for several months so now I finally had a chance to implement a tunnel. There are lots of hints and instructions about configuring the HE tunnel with SRX100 but somehow they all (all that I found) missed some details. Here is my configuration for the IPv6 tunnel.

Note that I started from the out-of-the-box configuration of my SRX100. There are other configuration statements as well, for my IPv4 policies and services and other “basic” stuff. Here are only the commands needed for the IPv6 tunnel and router advertisements (RA).

(Please check the HE Tunnelbroker configuration hints/instructions before doing anything! I’m using the Stockholm tunnel in my configurations.)

# This is the Junos version that my SRX100 came with:
set version 10.4R4.5

# First start with the tunnel configurations and the default route:
set interfaces ip-0/0/0 unit 0 tunnel source <my.ipv4.address>
set interfaces ip-0/0/0 unit 0 tunnel destination 216.66.80.90
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:470:my.link::2/64
set routing-options rib inet6.0 static route ::/0 next-hop 2001:470:my.link::1

# Then configure the inside VLAN interface address and router advertisements:
set interfaces vlan unit 0 family inet6 address 2001:470:my.network::1/64
set protocols router-advertisement interface vlan.0 max-advertisement-interval 90
set protocols router-advertisement interface vlan.0 min-advertisement-interval 60
set protocols router-advertisement interface vlan.0 prefix 2001:470:my.network::/64

# Enable flow mode for IPv6 (see below for more info...):
set security forwarding-options family inet6 mode flow-based

# and assign the tunnel interface to "untrust" zone:
set security zones security-zone untrust interfaces ip-0/0/0.0
# (I have the usual basic setup: anything is allowed from "trust" to "untrust",
# and the inside VLAN interface is already in the trust zone)

Now, the IPv6 flow mode apparently does not work correctly on this version of Junos, so some recommend using packet mode instead. I don’t like the idea of using plain packet filters instead of the stateful firewall (at least that is how I understand it: using packet mode instead of flow mode means you lose the stateful firewall policies).

This workaround was suggested in some discussions:

# Creating a packet filter named "outside"
# First enable pings from HE servers (they want to check the tunnel endpoint):
set firewall filter outside term allow-pings from source-address 66.220.2.0/24
set firewall filter outside term allow-pings from icmp-type echo-request
set firewall filter outside term allow-pings then accept
# Deny other pings
set firewall filter outside term discard-pings from icmp-type echo-request
set firewall filter outside term discard-pings then discard

# And here is the actual fix: protocol 41 packets to/from the tunnel endpoint
# are handled in packet mode instead of the normal flow mode:
set firewall filter outside term fix-6in4-source from source-address 216.66.80.90
set firewall filter outside term fix-6in4-source from protocol 41
set firewall filter outside term fix-6in4-source then packet-mode
set firewall filter outside term fix-6in4-destination from destination-address 216.66.80.90
set firewall filter outside term fix-6in4-destination from protocol 41
set firewall filter outside term fix-6in4-destination then packet-mode
set firewall filter outside term accept-the-rest then accept

# Finally assign the packet filter in the outside IPv4 interface:
set interfaces fe-0/0/0 unit 0 family inet filter input outside

After that the IPv6 flow mode started working. I thought that the “filter input” statement there meant that the filter is only applied to packets coming in the interface but apparently there is also something else: the filter fix did not work without the “destination-address 216.66.80.90” rule. Don’t ask me why (but if you know please comment below!).
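To make the filter’s behaviour concrete, here is a small Python model, added to this page and not part of the original post or of Junos itself. It parses the “outside” filter statements above exactly as written and evaluates constructed IPv4 packets against them with Junos filter semantics (terms evaluated in order, first match wins, implicit discard when nothing matches). 192.0.2.10 stands in for <my.ipv4.address>, and every sample packet is constructed for the example (66.220.2.10, 203.0.113.x and 198.51.100.5 are documentation-range addresses, not real hosts). The model shows which term each packet hits, including that only protocol-41 packets to or from the configured tunnel endpoint leave flow mode while protocol 41 from any other host still passes through the stateful policy, and it encodes the check the post arrived at by trial: both the source and the destination term are needed for both directions of the tunnel traffic to land in packet mode.

```python
# Added example (not Junos or the post author's code): parse the post's stateless
# "outside" filter from its "set" statements and evaluate constructed IPv4 packets
# against it. 192.0.2.10 is a placeholder for the post's <my.ipv4.address>.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

FILTER_CONFIG = """
set firewall filter outside term allow-pings from source-address 66.220.2.0/24
set firewall filter outside term allow-pings from icmp-type echo-request
set firewall filter outside term allow-pings then accept
set firewall filter outside term discard-pings from icmp-type echo-request
set firewall filter outside term discard-pings then discard
set firewall filter outside term fix-6in4-source from source-address 216.66.80.90
set firewall filter outside term fix-6in4-source from protocol 41
set firewall filter outside term fix-6in4-source then packet-mode
set firewall filter outside term fix-6in4-destination from destination-address 216.66.80.90
set firewall filter outside term fix-6in4-destination from protocol 41
set firewall filter outside term fix-6in4-destination then packet-mode
set firewall filter outside term accept-the-rest then accept
"""

MY_IP = "192.0.2.10"               # placeholder for <my.ipv4.address>
TUNNEL_ENDPOINT = "216.66.80.90"   # HE Stockholm endpoint from the post
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}
ICMP_TYPES = {"echo-request": 8}
STMT = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (.+)$")

@dataclass
class Term:
    name: str
    source: list = field(default_factory=list)    # ip_network objects
    destination: list = field(default_factory=list)
    protocol: set = field(default_factory=set)    # IP protocol numbers
    icmp_type: set = field(default_factory=set)
    actions: list = field(default_factory=list)   # 'then' keywords, in order

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    icmp_type: Optional[int] = None

def parse_filter(text, name="outside"):
    """Ordered term list from flat 'set' statements; a bare host address becomes a /32."""
    terms = {}                                    # insertion order == term order
    for line in text.splitlines():
        m = STMT.match(line.strip())
        if not m or m.group(1) != name:
            continue
        _, tname, kind, rest = m.groups()
        term = terms.setdefault(tname, Term(tname))
        if kind == "then":
            term.actions.append(rest)
            continue
        key, _, value = rest.partition(" ")
        if key in ("source-address", "destination-address"):
            getattr(term, key.split("-")[0]).append(ipaddress.ip_network(value, strict=False))
        elif key == "protocol":
            term.protocol.add(int(value) if value.isdigit() else PROTO_NAMES[value])
        elif key == "icmp-type":
            term.icmp_type.add(ICMP_TYPES[value])
    return list(terms.values())

def term_matches(term, pkt):
    """All 'from' conditions must hold; an absent condition is a wildcard."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if term.source and not any(src in n for n in term.source):
        return False
    if term.destination and not any(dst in n for n in term.destination):
        return False
    if term.protocol and pkt.protocol not in term.protocol:
        return False
    # Model assumption: icmp-type only matches genuine ICMP (protocol 1) packets.
    if term.icmp_type and (pkt.protocol != 1 or pkt.icmp_type not in term.icmp_type):
        return False
    return True

def evaluate(terms, pkt):
    """First matching term decides. 'packet-mode' is an action modifier, so a term
    carrying only it still accepts but diverts the packet from the stateful flow
    module. Returns (term name, verdict, mode); no match is Junos' implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            discard = bool({"discard", "reject"} & set(term.actions))
            mode = "packet" if "packet-mode" in term.actions else "flow"
            return term.name, ("discard" if discard else "accept"), mode
    return None, "discard", "flow"

def covers_both_directions(terms, endpoint, proto=41):
    """The condition the post reached by trial: protocol-41 packets must land in a
    packet-mode term with the endpoint as source and with it as destination."""
    to_me = evaluate(terms, Packet(endpoint, MY_IP, proto))
    from_me = evaluate(terms, Packet(MY_IP, endpoint, proto))
    return to_me[1:] == ("accept", "packet") and from_me[1:] == ("accept", "packet")

if __name__ == "__main__":
    terms = parse_filter(FILTER_CONFIG)
    for label, pkt in [
        ("HE monitor ping", Packet("66.220.2.10", MY_IP, 1, 8)),
        ("ping from elsewhere", Packet("203.0.113.7", MY_IP, 1, 8)),
        ("6in4 from HE", Packet(TUNNEL_ENDPOINT, MY_IP, 41)),
        ("6in4 to HE", Packet(MY_IP, TUNNEL_ENDPOINT, 41)),
        ("6in4 from unknown host", Packet("203.0.113.9", MY_IP, 41)),
    ]:
        print(f"{label:23} -> {evaluate(terms, pkt)}")
    print("both 6in4 directions in packet mode:", covers_both_directions(terms, TUNNEL_ENDPOINT))
```

Two modelling assumptions are worth stating. `then packet-mode` is treated as an action modifier that still accepts the packet, which is how the configuration above behaves on the device. `icmp-type` is treated as matching only real ICMP packets; Junos documentation suggests pairing `icmp-type` with `protocol icmp` in a term so the match is not evaluated against other protocols’ payloads, which the post’s filter does not do.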

But there you go anyway, my Windows 7 workstation is happy with the router advertisements and everything seems to work just fine. The tunnel obviously causes some additional latency (tunnel traffic is being routed from Finland to Sweden and back) but not necessarily anything huge:

C:\>ping -4 www.funet.fi

Pinging www.funet.fi [81.90.77.32] with 32 bytes of data:
Reply from 81.90.77.32: bytes=32 time=2ms TTL=58
Reply from 81.90.77.32: bytes=32 time=2ms TTL=58
Reply from 81.90.77.32: bytes=32 time=2ms TTL=58
Reply from 81.90.77.32: bytes=32 time=2ms TTL=58
...

C:\>ping -6 www.funet.fi

Pinging www.funet.fi [2a00:16a0:0:100::21:3] with 32 bytes of data:
Reply from 2a00:16a0:0:100::21:3: time=17ms
Reply from 2a00:16a0:0:100::21:3: time=17ms
Reply from 2a00:16a0:0:100::21:3: time=17ms
Reply from 2a00:16a0:0:100::21:3: time=16ms
...

user@srx100> show security flow session family inet6
Session ID: 11293, Policy name: trust-to-untrust/4, Timeout: 2, Valid
  In: 2001:470:my.ipv6.host/54 --> 2a00:16a0:0:100::21:3/1;icmp6, If: vlan.0, Pkts: 1, Bytes: 80
  Out: 2a00:16a0:0:100::21:3/1 --> 2001:470:my.ipv6.host/54;icmp6, If: ip-0/0/0.0, Pkts: 1, Bytes: 80

As shown, the flow was also recorded correctly in the process.

Happy IPv6ing!

Feel free to comment if you know how to get the DNS server IPv6 address distributed with DHCPv6! 🙂

The obvious testing sites for IPv6 connectivity:

11 Comments

  1. Hi,

    Just done on my box, great; even simpler, just one term on the firewall filter, with protocol 41 and packet-based does the job.

    Great post anyway!

  2. I use a Dell Juniper SRX 210B with version 10.3R2.11 but I can’t use the command set interfaces vlan unit 0 family inet6 … Is this an OS problem?

    1. Hi Kevin! I don’t have personal experiences of Junos versions prior to 10.4 so I don’t know exactly, but I would guess “yes”. I have a post about upgrading Junos here if it helps, just search for Junos.

  3. [quote]
    # Creating a packet filter named “outside”
    # First enable pings from HE servers (they want to check the tunnel endpoint):
    set firewall filter outside term allow-pings from source-address 66.220.2.0/24
    set firewall filter outside term allow-pings from icmp-type echo-request
    set firewall filter outside term allow-pings then accept
    # Deny other pings
    set firewall filter outside term discard-pings from icmp-type echo-request
    set firewall filter outside term discard-pings then discard

    # And here is the actual fix: protocol 41 packets to/from the tunnel endpoint
    # are handled in packet mode instead of the normal flow mode:
    set firewall filter outside term fix-6in4-source from source-address 216.66.80.90
    set firewall filter outside term fix-6in4-source from protocol 41
    set firewall filter outside term fix-6in4-source then packet-mode
    set firewall filter outside term fix-6in4-destination from destination-address 216.66.80.90
    set firewall filter outside term fix-6in4-destination from protocol 41
    set firewall filter outside term fix-6in4-destination then packet-mode
    set firewall filter outside term accept-the-rest then accept

    # Finally assign the packet filter in the outside IPv4 interface:
    set interfaces fe-0/0/0 unit 0 family inet filter input outside
    After that the IPv6 flow mode started working. I thought that the “filter input” statement there meant that the filter is only applied to packets coming in the interface but apparently there is also something else: the filter fix did not work without the “destination-address 216.66.80.90” rule. Don’t ask me why (but if you know please comment below!).
    [/quote]

    The tunnel outbound packets will match “from source-address 216.66.80.90”.
    The tunnel inbound packets will match “from destination-address 216.66.80.90”.

    If you don’t have both terms, you’ll only be applying packet mode to the packets in one direction. It might work without the “from source-address”, but it might not.

    If you have just the “from source-address” filter term, then you’ll pass packets outbound in packet mode (they won’t create state table entries) and the reply packets will be rejected because they are from untrust->trust and don’t match a permit statement and also don’t match a state table entry.

    Hope that clarifies things.

    Also, the differences between flow and packet mode are much greater than just the “stateful firewall”. SRX products (and any Juniper product with “security” features or “services JunOS”) are essentially hybrid products involving lineage from Juniper routers and lineage from a company Juniper acquired which was known as “Netscreen”. In flow mode, the device will behave more like a Netscreen firewall and less like a stateless router. In packet mode, the device will behave almost entirely like a traditional router.

    Features that require flow mode include, but are not limited to:
    + IPSEC VPNs
    + Stateful Firewall policies (security { policy {} } hierarchy)
    + NAT
    + Clustering

    Pretty much anything that is configured under the security {} hierarchy will require flow mode. (Note that the stateless firewall rules are configured under the firewall {} hierarchy rather than the security {} hierarchy.)

  4. [quote]
    # First enable pings from HE servers (they want to check the tunnel endpoint):
    set firewall filter outside term allow-pings from source-address 66.220.2.0/24
    [/quote]

    Can’t figure out what 66.220.2.0/24 is (how does this refer to HE servers?)

    1. I believe it was the IP address range from where the HE servers would ping the tunnel endpoint to verify the availability. Maybe not needed anymore if you haven’t found it in the current instructions.

      1. Thanks for the response
        I can’t confirm or deny this completely because my SRX is behind a NATed router.
        I know that my public IPv4 responds to pings from any source and I can’t monitor anything or change the behaviour for ICMP on my modem.

        The great thing is that it’s working with your instructions

        Important for me was to change the tunnel endpoint IPv4 address to my actual IPv4 address for the egress interface

  5. you can delete that post before and this post
    thank you

  6. DNS server with DHCPv6:

    set access address-assignment pool ADDR6-POOL family inet6 prefix 2001:470:1f06:5dad::/64
    set access address-assignment pool ADDR6-POOL family inet6 dhcp-attributes maximum-lease-time 120
    set access address-assignment pool ADDR6-POOL family inet6 dhcp-attributes grace-period 3600
    set access address-assignment pool ADDR6-POOL family inet6 dhcp-attributes dns-server 2001:470:1f06:5dad:dea6:32ff:fe1d:2049
    set access address-assignment pool ADDR6-POOL family inet6 dhcp-attributes dns-server 2001:470:1f06:5dad:dea6:32ff:fe1d:209c

  7. Can you please explain why you put fe-0/0/0 on the following?

    # Finally assign the packet filter in the outside IPv4 interface:
    set interfaces fe-0/0/0 unit 0 family inet filter input outside

    I’m connected using VDSL to my ISP and my router-advertisement is on interface vlan.

    1. Hi, fe-0/0/0 unit 0 (fe-0/0/0.0) is the IP interface that I was using for Internet connection, not for the inside LAN.
