Native IPv6 on Juniper SSG5
Hi everyone, I'm an IPv6 n00b.. there, it's out. :) I had native IPv6 running on a Linksys WRT54GL running a modded version of Tomato provided by Teksavvy for their DSL service but now I'm trying to get it working on a Juniper SSG5... because this is a beta service it's YMMV and there's no official support past assigning the addresses.
I've followed the instructions here: »michaeldale.com.au/archive/2010/···er-ssg5/ but no joy. Seems like my Mac and PC both get an IPv6 address from RA but that's as far as I can get. :(
Can someone tell me what I'm doing wrong and/or guide me in the right direction?
IPv6 assigned by my ISP
bgroup0 is my trusted zone, ethernet 0/3-6 and wireless0/0
set envar ipv6=yes
set pppoe name "Teksavvy" ppp ipv6cp ipcp
set interface "ethernet0/0" ipv6 mode "host"
set interface "ethernet0/0" ipv6 enable
set interface ethernet0/0 ipv6 ra accept
unset interface ethernet0/0 ipv6 nd nud
set interface "ethernet0/0" ipv6 ip 2607:f2c0:xxxx:1ad::/64
set interface ethernet0/0 dhcp6 client
set interface ethernet0/0 dhcp6 client options rapid-commit
set interface ethernet0/0 dhcp6 client options request pd
set interface ethernet0/0 dhcp6 client pd ra-interface "bgroup0"
set interface ethernet0/0 dhcp6 client enable
set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2607:f2c0:xxxx:a00::/56
set interface "bgroup0" ipv6 enable
set interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra transmit
unset interface bgroup0 ipv6 nd nud
set route ::/0 interface ethernet0/0 gateway ::
set policy id 12 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
ssg5-isdn-wlan-> get interface e0/0
number 0, if_info 0, if_index 0, mode route
link up, phy-link up/full-duplex, admin status up
status change:1, last change:08/27/2011 00:59:39
ipv6 is enable/operable, host mode.
ipv6 operating mtu 1492, learned mtu 0
ipv6 Interface-ID: 0217cbfffe8a3c80
ipv6 fe80::217:cbff:xxxx:3c80/64, link local, PREFIX
ipv6 2607:f2c0:xxxx:1ad:217:cbff:fe8a:3c80/64, global aggregatable, PREFIX, STATEFUL
ipv6 ff02::1:ff8a:3c80(2), solicited-node scope
vsys Root, zone Untrust, vr trust-vr
PPPoE instance Teksavvy enabled
admin mtu 0, operating mtu 1492, default mtu 1492
*ip 22.214.171.124/32 mac 0017.cb8a.3c80
*manage ip 126.96.36.199, mac 0017.cb8a.3c80
pmtu-v4 disabled, pmtu-v6 enabled(1492),
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
OSPF disabled OSPFv3 disabled BGP disabled RIP disabled RIPng disabled
PIM: not configured IGMP not configured
MLD not configured
bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
DHCP-Relay disabled at interface level
From the SSG, can you ping an IPv6 address and get a response? If not, perform a get route; is the default static for IPv6 active? If it isn't, you can either try assigning a gateway and/or making that route a static permanent route.
Sweet!!! Ok, so I can resolve domains and ping ipv6 sites from the SSG5. Now I'm trying to understand how to get it to my trust-vr.... ergh.
IP version [4/6]:6
Target IPv6 address:ipv6.google.com
Using Echo request [Y/n]y
Repeat count :
Datagram size :
Timeout in seconds:
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 2001:4860:800f::63, timeout is 1 seconds
Success Rate is 100 percent (5/5), round-trip time min/avg/max=43/44/45 ms
Reply to videonerd:
The prefix length for bgroup0 is /56. This must be /64 for SLAAC to function.
If you're using PPPoE (ipv6cp), why are you hardcoding the interface address? Also, if you're getting the LAN prefix via dhcp6, why hardcode bgroup0's address? It doesn't look like PPP is providing an IPv6 address. The ISP may require your router use a specific address (::1 maybe) to route your LAN side addresses to you.
Look at the configuration of your working Linksys router... interface addresses, PPPoE setup, and routes.
I'm happy to help, but I have to have the full addresses to ping/traceroute.
(Also, "pmtu-v4 disabled" should be enabled or you're very likely to have problems with the v4 internet.)
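
Added example, not part of the thread and not Juniper tooling: a small Python check for the two points raised in the last reply, run over `set interface` lines in the syntax posted above. The sample configuration is constructed and uses the 2001:db8::/32 documentation prefix in place of the ISP addresses; the function names `audit` and `first_64` are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the shape of the configuration posted above, with the
# ISP addresses replaced by the 2001:db8::/32 documentation prefix.
SAMPLE_CONFIG = """\
set interface "ethernet0/0" ipv6 mode "host"
set interface "ethernet0/0" ipv6 ip 2001:db8:0:1ad::/64
set interface ethernet0/0 dhcp6 client pd ra-interface "bgroup0"
set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2001:db8:0:a00::/56
set interface bgroup0 ipv6 ra transmit
"""

SET_IF = re.compile(r'^set interface "?([\w/]+)"? (.+)$')


def audit(config):
    """Return (interface, finding) tuples for the two issues raised in the reply."""
    static, ra_transmit, pd_targets = {}, set(), set()
    for line in config.splitlines():
        m = SET_IF.match(line.strip())
        if not m:
            continue
        ifname, rest = m.groups()
        if rest.startswith("ipv6 ip "):
            # ip_interface tolerates host bits; .network gives the prefix
            net = ipaddress.ip_interface(rest.split()[2]).network
            static.setdefault(ifname, []).append(net)
        elif rest == "ipv6 ra transmit":
            ra_transmit.add(ifname)
        elif rest.startswith("dhcp6 client pd ra-interface "):
            pd_targets.add(rest.split()[-1].strip('"'))
    findings = []
    for ifname in sorted(ra_transmit):
        for net in static.get(ifname, []):
            if net.prefixlen != 64:
                findings.append((ifname, f"{net} is /{net.prefixlen}, SLAAC needs /64"))
            if ifname in pd_targets:
                findings.append((ifname, f"{net} is hardcoded but DHCPv6-PD also targets this interface"))
    return findings


def first_64(prefix):
    """First /64 inside a delegated prefix, e.g. to put on the LAN interface."""
    return next(ipaddress.ip_network(prefix).subnets(new_prefix=64))


if __name__ == "__main__":
    for ifname, finding in audit(SAMPLE_CONFIG):
        print(f"{ifname}: {finding}")
    print("candidate LAN prefix:", first_64("2001:db8:0:a00::/56"))
```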