Native IPv6 on Juniper SSG5

Author	All Replies
videonerd join:2007-01-21	Native IPv6 on Juniper SSG5 Hi everyone, I'm an IPv6 n00b.. there, it's out. :) I had native IPv6 running on a Linksys WRT54GL running a modded version of Tomato provided by Teksavvy for their DSL service but now I'm trying to get it working on a Juniper SSG5... because this is a beta service it's YMMV and there's no official support past assigning the addresses. I've followed the instructions here: »michaeldale.com.au/archive/2010/···er-ssg5/ but no joy. Seems like my Mac and PC both get an IPv6 address from RA but that's as far as I can get. :( Can someone tell me what I'm doing wrong and/or guide me in the right direction? IPv6 assigned by my ISP IPv4 DHCP bgroup0 is my trusted zone, ethernet 0/3-6 and wireless0/0 set envar ipv6=yes set pppoe name "Teksavvy" ppp ipv6cp ipcp set interface "ethernet0/0" ipv6 mode "host" set interface "ethernet0/0" ipv6 enable set interface ethernet0/0 ipv6 ra accept unset interface ethernet0/0 ipv6 nd nud set interface "ethernet0/0" ipv6 ip 2607:f2c0:xxxx:1ad::/64 set interface ethernet0/0 dhcp6 client set interface ethernet0/0 dhcp6 client options rapid-commit set interface ethernet0/0 dhcp6 client options request pd set interface ethernet0/0 dhcp6 client pd ra-interface "bgroup0" set interface ethernet0/0 dhcp6 client enable set interface "bgroup0" ipv6 mode "router" set interface "bgroup0" ipv6 ip 2607:f2c0:xxxx:a00::/56 set interface "bgroup0" ipv6 enable set interface bgroup0 ipv6 ra link-address set interface bgroup0 ipv6 ra transmit unset interface bgroup0 ipv6 nd nud set route ::/0 interface ethernet0/0 gateway :: set policy id 12 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log ssg5-isdn-wlan-> get interface e0/0 Interface ethernet0/0: description ethernet0/0 number 0, if_info 0, if_index 0, mode route link up, phy-link up/full-duplex, admin status up status change:1, last change:08/27/2011 00:59:39 ipv6 is enable/operable, host mode. ipv6 operating mtu 1492, learned mtu 0 ipv6 Interface-ID: 0217cbfffe8a3c80 ipv6 fe80::217:cbff:xxxx:3c80/64, link local, PREFIX ipv6 2607:f2c0:xxxx:1ad:217:cbff:fe8a:3c80/64, global aggregatable, PREFIX, STATEFUL ipv6 ff02::1:ff8a:3c80(2), solicited-node scope vsys Root, zone Untrust, vr trust-vr PPPoE instance Teksavvy enabled admin mtu 0, operating mtu 1492, default mtu 1492 ip 206.248.185.72/32 mac 0017.cb8a.3c80 gateway 206.248.154.103 manage ip 206.248.185.72, mac 0017.cb8a.3c80 route-deny disable pmtu-v4 disabled, pmtu-v6 enabled(1492), ping disabled, telnet disabled, SSH disabled, SNMP disabled web disabled, ident-reset disabled, SSL disabled DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0 OSPF disabled OSPFv3 disabled BGP disabled RIP disabled RIPng disabled mtrace disabled PIM: not configured IGMP not configured MLD not configured NHRP disabled bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps] configured ingress mbw 0kbps, current bw 0kbps total allocated gbw 0kbps DHCP-Relay disabled at interface level DHCP-server disabled
	to forum · permalink · 2011-08-28 01:21:18 ·
lanbrown join:2009-04-05 West Bloomfield, MI	From the SSG, can you ping an IPv6 address and get a response? If not, perform a get route, is the default static for IPv6 active? If it isn't you can either try assigning a gateway and/or making that route a static permanent route.
	to forum · permalink · 2011-09-01 14:11:30 ·
videonerd join:2007-01-21	Sweet!!! Ok, so I can resolve domains and ping ipv6 sites from the SSG5. Now I'm trying to understand how to get it to my trust-vr.... ergh. ssg5-isdn-wlan-> ping IP version [4/6]:6 Target IPv6 address:ipv6.google.com Using Echo request [Y/n]y Repeat count [5]: Datagram size [100]: Timeout in seconds[1]: Source interface: Type escape sequence to abort Sending 5, 100-byte ICMP Echos to 2001:4860:800f::63, timeout is 1 seconds !!!!! Success Rate is 100 percent (5/5), round-trip time min/avg/max=43/44/45 ms ssg5-isdn-wlan->
	to forum · permalink · 2011-09-06 03:00:34 ·
lanbrown join:2009-04-05 West Bloomfield, MI	They didn't assign you a /64 block? There will be an IPv6 address on the Untrust side and then there will be another (at least as some ISP's plan on assigning more than one /64 per subscriber) /64 block on the Trust side. The Trust and Untrust need to have two different blocks so routing can occur.
	to forum · permalink · 2011-09-08 10:04:56 ·

videonerd join:2007-01-21	Yes, I do have a /56 and /64. I've currently gone back to Tomato on the Linksys WRT54GL and I'm IPv6-ing just fine. 10/10 on test-ipv6.com and I get the dancing turtle.... maybe it's meant to be...
	to forum · permalink · 2011-09-08 14:07:28 ·
cramer join:2007-04-10 Raleigh, NC kudos:7	reply to videonerd The prefix length for bgroup0 is /56. This must be /64 for SLAAC to function. If you're using PPPoE (ipv6cp), why are you hardcoding the interface address? Also, if you're getting the lan prefix via dhcp6, why hardcode bgroup0's address? It doesn't look like PPP is providing an IPv6 address. The ISP may require your router use a specific address (::1 maybe) to route your lan side addresses to you. Look at the configuration of your working linksys router... interface addresses, pppoe setup, and routes. I'm happy to help, but I have to have the full addresses to ping/traceroute. (also, "pmtu-v4 disabled" should be enabled or you're very likely to have problems with the v4 internet.)
	to forum · permalink · 2011-09-08 16:59:42 ·

Broadband Tech > IPv6 > Native IPv6 on Juniper SSG5