The SRX300 (and SRX550M) drop IPv6 traffic by default. From the Juniper documentation:
When IPv6 is configured on SRX300 Series and the SRX550M devices, the default behavior is set to drop mode because of memory constraints.
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ipv6-flow-processing-enabling.html
This can be confirmed from the CLI:
admin@CS7-HQ-FW02> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware
Configure IPv6 flow mode, commit, and reboot (the mode change only takes effect after a reboot):
set security forwarding-options family inet6 mode flow-based
commit and-quit
request system reboot
…and wait for the SRX to come back up.
Next we need to configure a point-to-point tunnel interface using the parameters supplied by HE. The source address and IPv6 prefix will be specific to your location and account; the destination IP can be any HE tunnel broker, but should be geographically close to you.
interface ip-0/0/0 {
    unit 0 {
        tunnel {
            source <your_globally_routable_ip>;
            destination 216.66.80.26;
            path-mtu-discovery;
        }
        family inet6 {
            mtu 1280;
            address 2001:470:aaaa:bbbb::2/64;
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001:470:aaaa:bbbb::1;
        }
    }
}
Next we need to secure the tunnel interface and control who can reach it. I will create a new security zone for the tunnel interface and permit only devices residing in the INSIDE zone to reach it; nothing is permitted in the reverse direction, so unsolicited traffic arriving over the tunnel is dropped by the default deny:
security {
    zones {
        security-zone VPN-HE {
            interfaces {
                ip-0/0/0.0;
            }
        }
    }
    policies {
        from-zone INSIDE to-zone VPN-HE {
            policy INSIDE_TO_VPN-HE {
                match {
                    source-address any-ipv6;
                    destination-address any-ipv6;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
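A quick way to check that a candidate configuration actually matches the intent of the flow-mode and zone/policy steps above, before committing it: the script below is an added example, not Junos or Juniper tooling. It parses Junos curly-brace syntax into nested dicts and flags three things: inet6 forwarding left at the SRX300 default of drop, a tunnel interface that is not a member of the tunnel zone, and any policy that permits traffic *from* the tunnel zone into the network. The embedded config is constructed from this article's snippets.

```python
import re

# Constructed from the article's snippets (tunnel prefixes are placeholders).
SAMPLE = """
security {
    forwarding-options { family { inet6 { mode flow-based; } } }
    zones { security-zone VPN-HE { interfaces { ip-0/0/0.0; } }
            security-zone INSIDE { interfaces { irb.30; } } }
    policies { from-zone INSIDE to-zone VPN-HE { policy INSIDE_TO_VPN-HE {
        match { source-address any-ipv6; destination-address any-ipv6; application any; }
        then { permit; } } } }
}
"""
TOKENS = re.compile(r"\{|\}|;|[^\s{};]+")

def parse(text):
    """Junos curly-brace syntax -> nested dicts; terminal statements map to True."""
    root = node = {}
    stack, words = [], []
    for tok in TOKENS.findall(text):
        if tok == "{":        # open a container keyed by the words before it
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":      # return to the parent container
            node = stack.pop()
        elif tok == ";":      # terminal statement, e.g. "mode flow-based"
            node[" ".join(words)] = True
            words = []
        else:
            words.append(tok)
    return root

def audit(text, tunnel_zone="VPN-HE", tunnel_ifl="ip-0/0/0.0"):
    """Return findings; an empty list means the fragment matches the article's intent."""
    sec = parse(text).get("security", {})
    findings = []
    inet6 = sec.get("forwarding-options", {}).get("family", {}).get("inet6", {})
    if "mode flow-based" not in inet6:
        findings.append("inet6 forwarding mode is not flow-based (SRX300 default is drop)")
    zone = sec.get("zones", {}).get("security-zone " + tunnel_zone, {})
    if tunnel_ifl not in zone.get("interfaces", {}):
        findings.append(f"{tunnel_ifl} is not a member of zone {tunnel_zone}")
    for ctx, block in sec.get("policies", {}).items():  # flag permits *from* the tunnel zone
        m = re.match(r"from-zone (\S+) to-zone (\S+)$", ctx)
        if not m or m.group(1) != tunnel_zone:
            continue
        for name, pol in block.items():
            if name.startswith("policy ") and "permit" in pol.get("then", {}):
                findings.append(f"{name} permits inbound {m.group(1)} -> {m.group(2)}")
    return findings
```

Feed it the output of `show configuration security` (in curly-brace form) and treat any non-empty result as a reason not to commit.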
Finally, configure IPv6 addresses on the internal interface and enable Router Advertisements so that hosts can autoconfigure from the routed prefix:
interfaces {
    irb {
        unit 30 {
            description INSIDE_VLAN;
            family inet6 {
                address 2001:470:cccc:30::1/64;
            }
        }
    }
}
protocols {
    router-advertisement {
        interface irb.30 {
            prefix 2001:470:cccc:30::/64;
        }
    }
}
Now confirm that we can ping an Internet host over IPv6 and that local devices have picked up globally routable addresses:
admin@CS7-HQ-FW02> ping 2607:f8b0:4005:804::200e
PING6(56=40+8+8 bytes) 2001:470:1f08:32d::2 --> 2607:f8b0:4005:804::200e
16 bytes from 2607:f8b0:4005:804::200e, icmp_seq=0 hlim=56 time=147.995 ms
16 bytes from 2607:f8b0:4005:804::200e, icmp_seq=1 hlim=56 time=150.713 ms
16 bytes from 2607:f8b0:4005:804::200e, icmp_seq=2 hlim=56 time=147.667 ms
^C
--- 2607:f8b0:4005:804::200e ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 147.667/148.792/150.713/1.365 ms
admin@CS7-HQ-FW02> show ipv6 neighbors
IPv6 Address                   Linklayer Address  State  Exp   Rtr  Secure  Interface
2001:470:cccc:30:646f:99f:ae9  50:76:af:cb:f9:99  stale  879   no   no      irb.30 [ge-0/0/5.0]
2001:470:cccc:30:d466:d6d5:30  bc:3d:85:1a:cc:f7  stale  1135  no   no      irb.30 [ge-0/0/5.0]
2001:470:cccc:30:dd98:1d46:b9  f0:43:47:c5:53:43  stale  1050  no   no      irb.30 [ge-0/0/5.0]
fe80::39dc:3092:8553:92e6      50:76:af:cb:f9:99  stale  864   no   no      irb.30 [ge-0/0/5.0]
fe80::be3d:85ff:fe1a:ccf7      bc:3d:85:1a:cc:f7  stale  1046  no   no      irb.30 [ge-0/0/5.0]
fe80::f243:47ff:fec5:5343      f0:43:47:c5:53:43  stale  1181  no   no      irb.30 [ge-0/0/5.0]
Total entries: 6