IPv6 at home or office, part 4.1: 6in4 tunnel on Juniper ScreenOS firewall

This blog post is part of a series on ipv6. Part 4.0 describes requesting a Hurricane Electric tunnel; this part explains how to configure a Juniper ScreenOS firewall – SSG, ISG or Netscreen – to work with such a tunnel.

Sample environment

I am going to give an example based on ScreenOS 6.0.0 or later syntax. ScreenOS 5.4 is reported to support IPv6 6in4 tunnels, as well, though it does not expose the configuration to the web interface.

These settings can (almost) all be configured through the web interface. In the interest of brevity, I am going to show CLI commands instead.

Here are the interface names and addresses used in this example. In this example, I use the IPv6 documentation prefix. When configuring this, you get the real addresses from the Tunnel Details page.

External interface name: ethernet0/0, Untrust zone

Internal interface name: bgroup0, Trust zone

Tunnel interface name: tunnel.1, Untrust zone

Server IPv4 address: 255.254.253.252

Server IPv6 address: 2001:0db8:1:223::1/64

Client IPv6 address: 2001:0db8:1:223::2/64

Routed /64: 2001:0db8:2:223::/64

Anycasted IPv6 Caching Nameserver: 2001:0db8:1234::2

Enabling IPv6

This is the one step you must do from command line. Enter:

set envar ipv6=yes

and reboot. This will enable IPv6 features on your ScreenOS device.

Setting up the tunnel

The first step is to set up a tunnel interface that will allow you to encapsulate IPv6 packets in IPv4 packets.

set interface “tunnel.1” zone “Untrust”
set interface “tunnel.1” ipv6 mode “host”
set interface “tunnel.1” ipv6 ip <Client IPv6 address>
set interface “tunnel.1” ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if <External interface> dst-ip <Server IPv4 address>
set interface tunnel.1 mtu 1480
unset interface tunnel.1 ipv6 nd nud
set interface tunnel.1 ipv6 nd dad-count 0
set route ::/0 interface tunnel.1 gateway <Server IPv6 address>

We’re creating the tunnel.1 interface, assign it to the “Untrust” zone, and give it its IP address, the “Client IPv6 address”.

Next we’re creating the tunnel itself, terminating on the external interface on one side and the Server IPv4 address on the other side.

We restrict MTU to 1480 as that is the largest packet that can go through without fragmentation, and disable Neighbor Unreachable Detection for good measure. I haven’t had issues with nud on, but others have.

Finally, create a default IPv6 route through the tunnel.1 interface, so our IPv6 traffic has somewhere to go.

Setting up IPv6 for the local network

Next, we’ll use the “Routed /64” that HE gave us for our internal network.

set interface “bgroup0” ipv6 mode “router”
set interface “bgroup0” ipv6 ip 2001:0db8:2:223::1/64
set interface “bgroup0” ipv6 enable
unset interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra preference high
set interface bgroup0 ipv6 ra other
set interface bgroup0 ipv6 ra transmit
set interface bgroup0 ipv6 nd nud
set interface bgroup0 ipv6 nd dad-count 0
set interface bgroup0 dhcp6 server
set interface bgroup0 dhcp6 server options dns dns1 <HE IPv6 Name Server>
set interface bgroup0 dhcp6 server enable

Here, we are giving the LAN interface an IPv6 address from the “Routed /64” range – in the interest of simplicity, I chose “1”. We then enable Router Advertisement so that local machines can receive IPv6 addresses from this interface.

We’re also setting the RA “other” bit and enabling DHCPv6 to give out HE’s IPv6 DNS server. Those two steps are optional: It’ll mean that Google’s IPv6-enabled services will resolve with both an IPv4 and an IPv6 address – otherwise, Google will only be reachable by IPv4.

Setting up an IPv6 firewall policy

As an example, here is a very simple policy that allows all outgoing IPv6 traffic, and denies all incoming IPv6 traffic. Adjust as fits your environment.

set policy from “Trust” to “Untrust”  “Any-IPv6” “Any-IPv6” “ANY” permit
set policy from “Untrust” to “Trust”  “Any-IPv6” “Any-IPv6” “ANY” deny

Advertisements

IPv6 at home or office, part 4.0: tunnelbroker.net, IPv6 routers

This blog post is part of a series on ipv6. In part 1, I provided an overview of ipv6 and looked at Teredo, the technology built into Windows Vista; in part 2, I looked at AYIYA tunnels through aiccu, using sixxs net as a tunnel broker. Part 2.5 is a collection of useful ipv6 tidbits, and part 3 describes gogonet/freenet6 tunnels.

In part 4, I will describe the IPv6 tunnel I have been using all along since 2008: A Hurricane Electric 6in4 tunnel, typically terminating on a router, though it could be terminated on a PC, as well. I aim to break part 4 into chunks, each describing setup for a different make and model of router.

Provisioning of the tunnel

Make sure the router you will be using allows itself to be pinged from either “the Internet”, or at the least from HE’s server, currently66.220.2.74.

Sign up with Hurricane’s Electric tunnelbroker.net service.

Once signed in, under “user functions”, choose “Create Regular Tunnel”.

Enter the IPv4 endpoint, and hit “Submit”. If you are a home user, your IPv4 endpoint is the public IP your ISP assigned to you, see whatismyip.org.

And you are done. Helpfully, the tunnel details page also allows you to get sample configurations for a variety of PC and router operating systems, including Linux, Windows, Cisco IOS, Juniper JunOS and Juniper ScreenOS.

Updating your dynamic IPv4 address

If you are in a home environment, your public IPv4 address may change from time to time. You can update it from the tunnel details page, or you can use tunnelbroker.net’s ipv4 update page that is intended to be used from a script, for automatic updates.

Routers supporting 6in4 tunnels

Whether enterprise class or home router, here are some of the devices that support 6to4 with 6in4 tunnels today (February 2010). On the home router side, it’s clear that it is early days yet. Comcast’s ipv6 trials may change the competitive landscape here.

Juniper

Any SSG or ISG firewall running ScreenOS 6.0.0 or later, as well as (with some limitations) Netscreen firewalls on ScreenOS 5.4.0. Part 4.1 describes the setup.

Any JunOS router – J-Series, M-Series, E-Series, T-Series, &c. All the way back to JunOS 9.1 if need be.

Any SRX firewall, with the caveat that SRX does not yet support ipv6 firewalling as of JunOS 10.1, though it does support ipv6 tunneling and routing.

EX switches do not support ipv6 tunnels yet, though the feature is road-mapped.

Cisco

It’s the usual mess of IOS versions depending on model, paired with feature set. A very Cisco-savvy fellow over at the HE forums has an excellent breakdown. In a nutshell, IOS 12.4 or later should work, and you’ll need the right feature set.

Switch support for IPv6 is good. You’ll need to check model / IOS version / feature set here, too.

Apple

Apple Airport Extreme supports 6to4, and a one-click tunnel provisioning, too. This is the only home router that I’d be confident to use for IPv6 today, without needing to fear that a firmware update would break IPv6. Mainly because a firmware update did break IPv6, and Apple fixed it in v1.5. For this router, IPv6 is an officially supported feature.

[Update 2010-04-28] Comcast will use this router in their IPv6 dual-stack trials, as one of three choices.

Netgear

Comcast will use the Netgear WNR3500 and Netgear WNR1000 in their IPv6 dual-stack trials. Whether these routers support 6in4 tunnels is unknown to me at this point.

D-Link

[Update 2011-08-03: D-Link have updated their site with a list of devices supporting native IPv6] According to D-Link, the following router models support IPv6. Comcast are using the DIR-655 and DIR-825 in their native dualstack IPv6 trial.

D-Link IPv6 Certified Routers

  • DIR-601 Wireless N 150 Home Router (Hardware Revision A1)
  • DIR-615 Wireless N 300 Router (Hardware Revision E1)
  • DIR-632 Wireless N 8-Port Router (Hardware Revision A1)
  • DIR-655 Xtreme N Gigabit Router (Hardware Revision B1)
  • DIR-825 Xtreme N Dual Band Gigabit Router (Hardware Revision B1)
  • DHP-1320 Wireless N PowerLine Router (Hardware Revision A1)

Other IPv6 Certified Products

  • DHP-W306AV PowerLine AV Wireless N Extender (Hardware Revision A1)
  • DAP-1350 Wireless N Pocket Router and Access Point (Hardware Revision A1)
  • DAP-1360 Wireless N Range Extender (Hardware Revision B1)
  • DAP-2590 AirPremier N Dual Band PoE Access Point

D-Link state that their DSL modem routers, the DSL-2540B and DSL-2640B also support IPv6.

D-Link DGS-3200 and DGS-3600 switches officially support IPv6.

Linksys

WRT610N, with reports that firmware updates break ipv6 support and that Linksys support is firm that ipv6 is not an officially supported feature. More testing is in order here, too.

[Update] A Linksys live chat operator tells me that native IPv6 is supported on the WRT610N, and that there is no official documentation for this. No word on tunnels. I have reached out to their press office to get details and will update if/when I get an answer.

[Update] The Comcast trial forums float the WRVS4400N as supporting tunneled and native IPv6.

Buffalo Technology

A “number of” their wireless products support ipv6. I have reached out to their press office to get details and will update if/when I get an answer.

AVM

FRITZ!Box 7270 (experimental “Labor” version)

I have reached out to their press office to get details and will update if/when I get an answer.