
Fun with IPv6

I was bored at work and took it upon myself to set up my own private tunnel broker, à la Hurricane Electric. In this case, though, the remote end would be on a system I manage (a FreeBSD VPS, actually) and the local endpoint would be my Juniper SRX210HE.

First things first, some parameters:

  • FreeBSD or similar box with some native routable IPv6 address space. I highly recommend Arp Networks and Linode.
  • Juniper SRX210HE or other SRX class services gateway. It helps to be familiar with JunOS. It also helps to have a recent software build.

Next up: configure your tunnel server:

Open /etc/rc.conf in your favorite editor.

Set up your tunnel (gif0 for IPIP). The first line names the interface:

    gif_interfaces="gif0"

Then the outer IPv4 endpoints of the tunnel and the inner IPv6 point-to-point addresses:

    gifconfig_gif0="server.ipv4.address home.ipv4.address"
    ifconfig_gif0_ipv6="server:ipv6:address client:ipv6:address prefixlen 128"

The prefix that the server and client IPv6 addresses come from needs to be configured on your box, either as an alias or dedicated to an interface on the box. Decide which part of your prefix you want to use for the tunnel and take /128s (single addresses) from it for the two endpoints. I use ::1 for the server and ::2 for the client to keep it easy.

    static_routes="tunnelsix"

You can use whatever name you want here, I just happened to use tunnelsix.

    route_tunnelsix="-inet6 -net ipv6:routed:prefix -interface gif0"

This is like executing the command "route" with everything inside the quotes as its arguments, e.g. route -inet6 -net ipv6:routed:prefix -interface gif0

The routed prefix is another separate /64 or similar pulled from your larger block of space.

Restart networking and routing, then check with ifconfig that your tunnel interface (gif0) came up:

    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
            tunnel inet server.ipv4.address --> home.ipv4.address
            inet6 fe80::a8af:d377:91bb:703e%gif0 prefixlen 64 scopeid 0x4
            inet6 server:ipv6:address --> client:ipv6:address prefixlen 128
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            options=1<ACCEPT_REV_ETHIP_VER>

So, if at this point your tunnel interface is up, it's time to take a look at your SRX. Mine's on 12.1X45-D15.5 (a 2013 release). I left flow mode enabled because I don't want to deal with ACLs or specific firewall rules for traffic on the tunnel. If your software version is older, or buggier, you may need to engage packet mode on your SRX for IPv6.

I'm only going to excerpt the relevant stuff:

    interfaces {
        ip-0/0/0 {
            unit 0 {
                tunnel {
                    source home.ipv4.address;
                    destination server.ipv4.address;
                }
                family inet6 {
                    address client:ipv6:address/prefix;
                }
            }
        }
        vlan {
            unit 0 {
                family inet6 {
                    address some:address:from:your:routed:prefix/64;
                    # think the ::1 example mentioned above, to keep it simple.
                }
            }
        }
    }

Here you have the tunnel interface (ip-0/0/0) with the source (home address) and destination (server address) of the outer IPv4 tunnel, plus the client IPv6 address on the inside of it. You then also have the vlan config, with an address pulled from the routed prefix mentioned above.

Next, routing:

    routing-options {
        rib inet6.0 {
            static {
                route ::/0 next-hop server:ipv6:address;
                # don't add the prefix, just the addr
            }
        }
    }

After that, you want to make sure your SRX announces the routed prefix in router advertisements to the clients on the LAN behind it:

    protocols {
        router-advertisement {
            interface vlan.0 {
                prefix ipv6:routed:prefix/64;
            }
        }
    }

Now, the firewall filter that lets protocol 41 (the IPv6-in-IPv4 tunnel traffic) through the screen by handling just that traffic in packet mode:

    firewall {
        family inet {
            filter fix-6in4 {
                term t1 {
                    from {
                        source-address {
                            server.ipv4.address/32;
                        }
                        protocol 41;
                    }
                    then packet-mode;
                }
                term t2 {
                    from {
                        destination-address {
                            server.ipv4.address/32;
                        }
                        protocol 41;
                    }
                    then packet-mode;
                }
                term t99 {
                    then accept;
                }
            }
        }
    }
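As an added example (not from this post, and not Juniper code), the script below flattens the curly-brace stanzas above into JunOS set commands that you can paste into configure mode, refuses a stanza whose braces do not balance (an easy thing to get wrong when copying from a blog post), and audits the firewall filter so that every term using the packet-mode action is pinned to protocol 41. That last check is the point of the whole filter: a packet-mode term that is not scoped to the tunnel protocol would send unrelated traffic past the stateful flow engine. The config text embedded in it is constructed from the fix-6in4 filter above with the page's placeholder values.

```python
"""Flatten JunOS curly-brace config into set commands and audit packet-mode terms.

Added example for this post; FILTER_CONFIG is constructed from the filter shown
above (page placeholders kept) and nothing here is Juniper code.
"""
import re
from collections import defaultdict

# Constructed sample: the fix-6in4 filter from the post, braces balanced.
FILTER_CONFIG = """\
firewall {
    family inet {
        filter fix-6in4 {
            term t1 {
                from {
                    source-address {
                        server.ipv4.address/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term t2 {
                from {
                    destination-address {
                        server.ipv4.address/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term t99 {
                then accept;
            }
        }
    }
}
"""


def junos_to_set(config_text):
    """Turn a curly-brace JunOS stanza into a list of 'set ...' command strings.

    '#' comments are dropped. ValueError is raised when a brace is stray or a
    hierarchy level is never closed, so a mangled paste fails loudly.
    """
    path, out = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding space
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())       # descend into a hierarchy level
        elif line == "}":
            if not path:
                raise ValueError(f"stray closing brace: {raw!r}")
            path.pop()                           # back up one level
        elif line.endswith(";"):
            out.append("set " + " ".join(path + [line[:-1].strip()]))
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if path:
        raise ValueError("unclosed hierarchy: " + " > ".join(path))
    return out


def braces_balance(config_text):
    """True when the stanza parses cleanly, False on any brace problem."""
    try:
        junos_to_set(config_text)
    except ValueError:
        return False
    return True


TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (.+)$")


def unscoped_packet_mode_terms(set_lines):
    """Return (filter, term) pairs that use 'then packet-mode' without 'from protocol 41'."""
    stmts = defaultdict(list)
    for line in set_lines:
        m = TERM_RE.match(line)
        if m:
            stmts[(m.group(1), m.group(2))].append(m.group(3))
    return [key for key, body in stmts.items()
            if "then packet-mode" in body and "from protocol 41" not in body]


if __name__ == "__main__":
    commands = junos_to_set(FILTER_CONFIG)
    print("\n".join(commands))
    print("unscoped packet-mode terms:", unscoped_packet_mode_terms(commands))
```

Note that defining the filter is not enough on its own: it only takes effect once it is applied as an input filter (family inet filter input fix-6in4) on the interface that carries the outer IPv4 tunnel packets, and the audit above is worth rerunning after any edit so the packet-mode bypass stays limited to protocol 41 traffic to and from the tunnel server.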

There we go. I hope this helps someone. I spent a bit of time trying to figure out how to avoid having to throw my SRX's IPv6 routing into packet mode vs flow mode (for the reason I mentioned earlier) and as it turns out, I was able to do it just by using a filter rule applied directly to the tunnel traffic. This works out a lot better.