dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
963
jr3727
join:2014-05-17

jr3727

Member

[DSL] teksavvy/ipv6/netscreen 5gt

is there any documents that could help assist with getting IPV6 up and running via teksavvy using an old Netscreen 5gt router? The Documentation is confusing me to heck and back
henry128
join:2010-09-03
Hillsboro, OR

henry128

Member

gah... the documentation is awful. Is this the right one? »www.juniper.net/techpubs ··· _ref.pdf

(The Netscreen 5gt user's guide makes no mention of IPv6 at all: »www.juniper.net/techpubs ··· _5gt.pdf)
henry128

henry128 to jr3727

Member

to jr3727
Disclaimer: I've never used one of these, so the following is just my interpretation of the documentation.

I'm assuming you're trying to use this as a router for a LAN? If so, the general idea is to enable IPv6, set the device into router mode, get a prefix from TSI, then advertise the prefix out the LAN.

Enable IPv6 and set it for router mode: The documentation seems ok for this.

Get a prefix: Normally this is done by the router acting as a DHCP client to make a Prefix Delegation request to TSI to get the /56 prefix. It looks like the entire manual talks only about the router acting as a DHCP server. There is a hint on p.25 of the PDF ("page 7") that it doesn't support being a DHCP client, and only allows manual configuration of the address:
6. Assign at least one IPv6 prefix to the interface (mandatory only if the interface is in router mode.)
The manual also hints that it can't use stateless autoconfiguration (SLAAC) to set up the address in router mode. On p.46: Accepting incoming router advertisements:
Note: This option is available only when the interface is in host mode
This means you have no method of using the /56, because the /56 is routed to you only after you make a DHCP-PD request as a client, and no method to auto-configure the /64. I think you can manually set it up to use the /64 here, as long as you're ok with having just one subnet. Probably a good start for now.

Advertise the prefix out to the LAN: See section 2 (p.31 of the PDF). The simplest setup enables stateless address autoconfiguration (SLAAC) and does not use DHCP. (Future work: No mention of whether its implementation of SLAAC supports the RDNSS option to configure DNS servers, so you may be forced to use DHCPv6 or configure the LAN clients' DNS servers some other way.)

-----
This is how a customer edge router is now recommended to work, and TSI's setup makes it easy to connect one of these: »tools.ietf.org/html/rfc7084
jr3727
join:2014-05-17

jr3727 to henry128

Member

to henry128
yes thats the right one.
jr3727

jr3727 to henry128

Member

to henry128
I cant even get the dhcp6 to pass out info to my devices, I've had it work on IPV6 router to internet, but nothing from lan to internet (or router)
henry128
join:2010-09-03
Hillsboro, OR

henry128

Member

I don't understand. The simplest setup would not use DHCP on the LAN. It would use SLAAC only. Does that work, at least?

I don't understand your second sentence. Are you saying the router has successfully gotten an address and can access the IPv6 internet, but not from the LAN?
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to jr3727

MVM

to jr3727
Dumb question, but what version of ScreenOS are you running?

According to this, IPv6 support for the 5GT isn't available unless you're on 6.2 or higher.

I'm also curious exactly WHERE you're getting hung up on.

My 00000010bits

Regards
jr3727
join:2014-05-17

jr3727 to henry128

Member

to henry128
I manually entered my WAN ipv6 info, can ping from router (via ssh) to ipv6.google.com, but I do not see where to setup SLAAC on the router for the LAN side.
jr3727

jr3727 to HELLFIRE

Member

to HELLFIRE

5.4.0r27.0

and ipv6 does work wan side only, no dhcp6 working,
henry128
join:2010-09-03
Hillsboro, OR

henry128 to jr3727

Member

to jr3727
Nice. That's most of the way there

The documentation on setting up SLAAC starts on page 31, "Address Autoconfiguration Setup"
henry128

henry128 to HELLFIRE

Member

to HELLFIRE
»kb.juniper.net/InfoCente ··· =KB15692

"IPv6 support was introduced in ScreenOS 5.3 and above."
jr3727
join:2014-05-17

jr3727

Member

followed intrustions. and still no go
henry128
join:2010-09-03
Hillsboro, OR

henry128

Member

To enable host autoconfiguration, you must do all of the following:
* Enable the Outgoing Router Advertisements setting.
* Disable the Managed Configuration Flag.
* Disable the Other Parameters Configuration Flag.
 

And this is done for the LAN-side interface?
Do you observe any router advertisements being sent out to the LAN? (e.g., use radvdump)
jr3727
join:2014-05-17

1 edit

jr3727

Member

there isnt a command for radvdump. below info might help

ns5gt-> get interface trust ipv6 ra
Router advertisement configuration info for interface trust
--------------------------------------------------------------------------------
transmit : on
accept : off
hop-limit : 64
default-life-time : 1800
retransmit-time : off
reachable-time : off
link-mtu : on
link-address : on
other : off
managed : off
min-adv-int : 200
max-adv-int : 600
next-send-time : 325
Prefix list on interface trust to be advertised via RA
Adv Prefix Flags (PF): O On Link, A Autonomous
State (St): O On Link, D Detached
--------------------------------------------------------------------------------
IPv6 Prefix:2607:f2c0:f00f:b200:: Len:56 PF:OA St:O
Valid Life Time :30d00h00m
Preferred Life Time :07d00h00m
henry128
join:2010-09-03
Hillsboro, OR

henry128

Member

All of that looks ok to me except...
Why is the prefix length /56? The /56 that you were assigned from TSI doesn't work unless you request it using DHCP-PD, which I think the Netscreen doesn't support? Only the /64 can be manually configured.
henry128

henry128

Member

The suggestion to use radvdump was to run that on one of the clients to see whether it was receiving router advertisement broadcasts from the router.

Do you know if your client machines are doing autoconfiguration correctly? (i.e., have assigned themselves an address out of the prefix you are advertising)
jr3727
join:2014-05-17

jr3727 to henry128

Member

to henry128
well the 64 works fine manually entered. but trying to get my pc's working on the 56.
jr3727

jr3727 to henry128

Member

to henry128
radvdump is not a command on win7
henry128
join:2010-09-03
Hillsboro, OR

henry128 to jr3727

Member

to jr3727
You cannot use the /56 unless your router requests it using a DHCP-PD request. It is simply not routed to you from TSI until you do so.
henry128

henry128 to jr3727

Member

to jr3727
I guess the important part is to know whether router advertisements are working. i.e., whether the client machines are autoconfiguring an address or not (ipconfig, perhaps?). There's a difference between failing to acquire an address, and not being able to route data out to TSI using the assigned address, and it would help to distinguish which of these cases is causing your problems.
henry128

henry128 to jr3727

Member

to jr3727
If you've already gotten the /64 to work with SLAAC and so on, the documentation for setting up a DHCPv6 client seems to be page 55, steps 5-7. "Client Interface (to Upstream Router)"

Note that the prefix you advertise out to your LAN should always be a /64. i.e., if you request a /56 (via DHCP-PD) from TSI, you need to choose just one /64 subnet out of that and advertise that.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to jr3727

MVM

to jr3727
said by henry128:

»kb.juniper.net/InfoCente ··· =KB15692

"IPv6 support was introduced in ScreenOS 5.3 and above."

Always better to get it in the hand of the vendor... thanks henry128 See Profile

Regards
jr3727
join:2014-05-17

jr3727

Member

ok. let me run this simple.

wan ipv6 works only when manually entered
lan ipv6 entered, but no computer or device is getting a ipv6 address from router.

TSI gave me the ipv6 address's so you dont think they would route it?
henry128
join:2010-09-03
Hillsboro, OR

henry128

Member

TSI gives you two prefixes: a /64 and a /56.

The /64 is routed to you unconditionally. You can manually configure this one.

The /56 is *not* routed to you until you ask for it using DHCPv6 prefix delegation. After sending a DHCP-PD request, the prefix is routed to you. You also always get assigned the same prefix every time (i.e., "static"), but you still need to ask for it.

Therefore, if you're debugging, don't use the /56 until you can get the /64 working, since setting up DHCP-PD is yet another layer of complexity.
henry128

henry128 to jr3727

Member

to jr3727
said by jr3727:

lan ipv6 entered, but no computer or device is getting a ipv6 address from router.

Also, there was a hint that you were trying to advertise a /56 using stateless address autoconfiguration (SLAAC) to your LAN. SLAAC really only works for a /64. That might be one reason why your LAN computers aren't getting an address assigned.
jr3727
join:2014-05-17

1 recommendation

jr3727

Member

ok. well, I'll try again some other time. this thing has ticked me off too much. I swear i have reset to defaults atleast 40 times since trying to make it work