dslreports logo
    All Forums Hot Topics Gallery


how-to block ads

Search Topic:
share rss forum feed



Native IPv6 on Juniper SSG5

Hi everyone, I'm an IPv6 n00b.. there, it's out. :) I had native IPv6 running on a Linksys WRT54GL running a modded version of Tomato provided by Teksavvy for their DSL service but now I'm trying to get it working on a Juniper SSG5... because this is a beta service it's YMMV and there's no official support past assigning the addresses.

I've followed the instructions here: »michaeldale.com.au/archive/2010/ ··· er-ssg5/ but no joy. Seems like my Mac and PC both get an IPv6 address from RA but that's as far as I can get. :(

Can someone tell me what I'm doing wrong and/or guide me in the right direction?

IPv6 assigned by my ISP
bgroup0 is my trusted zone, ethernet 0/3-6 and wireless0/0

set envar ipv6=yes
set pppoe name "Teksavvy" ppp ipv6cp ipcp
set interface "ethernet0/0" ipv6 mode "host"
set interface "ethernet0/0" ipv6 enable
set interface ethernet0/0 ipv6 ra accept
unset interface ethernet0/0 ipv6 nd nud
set interface "ethernet0/0" ipv6 ip 2607:f2c0:xxxx:1ad::/64
set interface ethernet0/0 dhcp6 client
set interface ethernet0/0 dhcp6 client options rapid-commit
set interface ethernet0/0 dhcp6 client options request pd
set interface ethernet0/0 dhcp6 client pd ra-interface "bgroup0"
set interface ethernet0/0 dhcp6 client enable
set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2607:f2c0:xxxx:a00::/56
set interface "bgroup0" ipv6 enable
set interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra transmit
unset interface bgroup0 ipv6 nd nud
set route ::/0 interface ethernet0/0 gateway ::
set policy id 12 from "Trust" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit log

ssg5-isdn-wlan-> get interface e0/0
Interface ethernet0/0:
  description ethernet0/0
  number 0, if_info 0, if_index 0, mode route
  link up, phy-link up/full-duplex, admin status up
  status change:1, last change:08/27/2011 00:59:39
  ipv6 is enable/operable, host mode.
  ipv6 operating mtu 1492, learned mtu 0
  ipv6 Interface-ID: 0217cbfffe8a3c80
  ipv6 fe80::217:cbff:xxxx:3c80/64, link local, PREFIX
  ipv6 2607:f2c0:xxxx:1ad:217:cbff:fe8a:3c80/64, global aggregatable, PREFIX, STATEFUL
  ipv6 ff02::1:ff8a:3c80(2), solicited-node scope
  vsys Root, zone Untrust, vr trust-vr
  PPPoE instance Teksavvy enabled
  admin mtu 0, operating mtu 1492, default mtu 1492
  *ip   mac 0017.cb8a.3c80
  *manage ip, mac 0017.cb8a.3c80
  route-deny disable
  pmtu-v4 disabled, pmtu-v6 enabled(1492), 
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip
  OSPF disabled  OSPFv3 disabled  BGP disabled  RIP disabled  RIPng disabled
  mtrace disabled
  PIM: not configured  IGMP not configured
  MLD not configured
  NHRP disabled
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
  DHCP-Relay disabled at interface level
  DHCP-server disabled


West Bloomfield, MI
From the SSG, can you ping an IPv6 address and get a response? If not, perform a get route, is the default static for IPv6 active? If it isn't you can either try assigning a gateway and/or making that route a static permanent route.


Sweet!!! Ok, so I can resolve domains and ping ipv6 sites from the SSG5. Now I'm trying to understand how to get it to my trust-vr.... ergh.

ssg5-isdn-wlan-> ping
IP version [4/6]:6
Target IPv6 address:ipv6.google.com
Using Echo request [Y/n]y
Repeat count [5]:
Datagram size [100]:
Timeout in seconds[1]:
Source interface:
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 2001:4860:800f::63, timeout is 1 seconds 
Success Rate is 100 percent (5/5), round-trip time min/avg/max=43/44/45 ms


West Bloomfield, MI
They didn't assign you a /64 block? There will be an IPv6 address on the Untrust side and then there will be another (at least as some ISP's plan on assigning more than one /64 per subscriber) /64 block on the Trust side. The Trust and Untrust need to have two different blocks so routing can occur.


Yes, I do have a /56 and /64. I've currently gone back to Tomato on the Linksys WRT54GL and I'm IPv6-ing just fine. 10/10 on test-ipv6.com and I get the dancing turtle.... maybe it's meant to be...

Raleigh, NC
reply to videonerd
The prefix length for bgroup0 is /56. This must be /64 for SLAAC to function.

If you're using PPPoE (ipv6cp), why are you hardcoding the interface address? Also, if you're getting the lan prefix via dhcp6, why hardcode bgroup0's address? It doesn't look like PPP is providing an IPv6 address. The ISP may require your router use a specific address (::1 maybe) to route your lan side addresses to you.

Look at the configuration of your working linksys router... interface addresses, pppoe setup, and routes.

I'm happy to help, but I have to have the full addresses to ping/traceroute.

(also, "pmtu-v4 disabled" should be enabled or you're very likely to have problems with the v4 internet.)