IPv6 is another up coming trend on the internet. Since most of the ISPs do not provide the IPv6 service, how do we enjoy or experience the IPv6 benefit??
\nThere are some IPv6 brokers on the internet that we can use IPv6 service over the existing IPv4 service. Some of the brokers are Hurricane Electric, Hinet, and etc….
\nThere are some sample setup guide are already included in their website already, but their guide makes the SRX to route the IPv6 packets without policy restrictions capability. So I will attach mine as a reference for using IPv6 in flow mode.
\n![\"SRX-IPIP\"](\"https:\/\/networkingnotesblog.files.wordpress.com\/2018\/04\/srx-ipip.png\")
\n<\/p>\n
| Syntax<\/th>\n | definition<\/th>\n<\/tr>\n | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| set security forwarding-options family inet6 mode flow-based<\/td>\n | This command is to enable IPv6 support under the SRX. Although most of the sample config suggest to route mode, but we can use flow mode with 6in4. \nApplying this requires a reboot!!!<\/td>\n<\/tr>\n | ||||||||||
| set interfaces ip-0\/0\/0 unit 0 tunnel source 138.19.XXX.XXX \nset interfaces ip-0\/0\/0 unit 0 tunnel destination 209.51.161.14 \nset interfaces ip-0\/0\/0 unit 0 family inet6 address 2001:470:1f06<\/span>:XXXX::2\/64<\/td>\n | The tunnel source is the SRX external IPv4 address. \nThe destination is the HE.net IPv6 broker IPv4 address. \nThe IPv6\u00a0 address is the subnet used for the IP IP tunnel.<\/td>\n<\/tr>\n | ||||||||||
| set interfaces ge-0\/0\/3 unit 0 description “guest vlan – 172.16.2.64\/27” \nset interfaces ge-0\/0\/3 unit 0 family inet address 172.16.2.65\/27 \nset interfaces ge-0\/0\/3 unit 0 family inet6 address 2001:470:1f07<\/span>:XXXX::0041\/123<\/td>\n | The ge-0\/0\/3 is the interface for my guest vlan at home. \nThis IPv6 address is using another route-able subnet provided by HE.net, and we can notice the different of this subnet is not part of the subnet that is being used in the IP IP tunnel. \nThe tunnel is using 1f06, but the guest vlan is using 1f07 as highlighted in red.<\/td>\n<\/tr>\n | ||||||||||
| set routing-options rib inet6.0<\/span> static route ::\/0 next-hop 2001:470:1f06:XXXX::1<\/td>\n | This is the default route for inet.6, aka IPv6. However, the static route needs to be applied into the inet6.0 table, therefore we have to apply the static route under “rib inet6.0<\/span>“.<\/td>\n<\/tr>\n| set access address-assignment pool vlan36-Guest-pool-ipv6-pool family inet6 prefix 2001:470:1f07:XXXX::0040\/123 | \nset access address-assignment pool vlan36-Guest-pool-ipv6-pool family inet6 range vlan36-Guest-pool low 2001:470:1f07:XXXX::0043\/128 \nset access address-assignment pool vlan36-Guest-pool-ipv6-pool family inet6 range vlan36-Guest-pool high 2001:470:1f07:XXXX::004f\/128 \nset access address-assignment pool vlan36-Guest-pool-ipv6-pool family inet6 dhcp-attributes maximum-lease-time 120 \nset access address-assignment pool vlan36-Guest-pool-ipv6-pool family inet6 dhcp-attributes grace-period 3600 \nset access address-assignment pool vlan36-Guest-pool-ipv6-pool family inet6 dhcp-attributes dns-server 2001:4860:4860::8888 \nset access address-assignment pool vlan36-Guest-pool-ipv6-pool family inet6 dhcp-attributes dns-server 2001:4860:4860::8844set security zones security-zone guest interfaces ge-0\/0\/3.0 host-inbound-traffic system-services dhcpv6<\/td>\n This is the IPv6 DHCP setup for my guest vlan, and we have allowed the machines under guest zone to take obtain IPv6 addresses via DHCPv6 .<\/td>\n<\/tr>\n | set security policies from-zone guest to-zone untrust policy 05-guest_to_untrust-icmp match source-address any | \nset security policies from-zone guest to-zone untrust policy 05-guest_to_untrust-icmp match destination-address any \nset security policies from-zone guest to-zone untrust policy 05-guest_to_untrust-icmp match application junos-icmp6-all \nset security policies from-zone guest to-zone untrust policy 05-guest_to_untrust-icmp then permit \nset security policies from-zone guest to-zone untrust policy 05-guest_to_untrust-icmp then log session-init \nset security policies from-zone guest to-zone untrust policy 05-guest_to_untrust-icmp then log session-close<\/td>\n This is a sample policy for IPv6. The any being used in both source and destination includes IPv4 and IPv6.<\/td>\n<\/tr>\n | set security zones security-zone untrust interfaces ip-0\/0\/0.0 host-inbound-traffic system-services ping<\/td>\n | This is to assign the IP-0\/0\/0.0 into the untrust zone.<\/td>\n<\/tr>\n | <\/td>\n | <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n | I have attached the snapshot of the traceroute to yahoo.com s IPv6 address. The latency of the traceroute is quite high since my SRX is in Hong Kong and the tunnel terminated in New York.<\/p>\n
|