Problems pinging through IPv6 tunnel

Started by kbreit, May 31, 2014, 12:27:16 PM

kbreit

I am trying to set up an IPv6 tunnel to HE from my SRX210. The SRX210 is in what is basically a DMZ, but with more restriction on what can get out. The front-end router is an EdgeMAX, which is basically Vyatta. It seems I am unable to ping the tunnel server. Here are my configurations. What does it seem I'm doing wrong?

Note, I've removed sections which seem to be irrelevant for brevity.

Juniper
interfaces {
    ip-0/0/0 {
        unit 0 {
            tunnel {
                source 108.77.133.89;
                destination 184.105.253.14;
            }
            family inet6 {
                address 2001:470:1f10:6d::2/64;
            }
        }
    }
    fe-0/0/7 {
        description "Home network interface";
        unit 0 {
            family inet {
                filter {
                    input fix-6in4;
                }
                address 10.1.1.2/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet6 {
                address 2001:470:c017::1/48;
            }
        }
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001:470:1f10:6d::1;
        }
    }
}
protocols {
    router-advertisement {
        interface vlan.0 {
            prefix 2001:470:c017::/48;
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    policies {
        from-zone internet to-zone junos-host {
            policy inbound-service-permit {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ssh junos-ping junos-icmp-all ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone junos-host to-zone lab {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter fix-6in4 {
            term t1 {
                from {
                    source-address {
                        184.105.253.14/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term t2 {
                from {
                    destination-address {
                        184.105.253.14/32;
                    }
                    protocol 41;
                }
                then packet-mode;
            }
            term t99 {
                then accept;
            }
        }
    }
}
vlans {
    vlan-0 {
        vlan-id 1;
        l3-interface vlan.0;
    }
}

EdgeMAX
firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name internet-lab {
         default-action reject
         enable-default-log
         rule 1 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 2 {
             action reject
             log enable
             state {
                 invalid enable
             }
         }
         rule 100 {
             action accept
             destination {
                 port 22
             }
             log enable
             protocol tcp
         }
         rule 200 {
             action accept
             log enable
             protocol icmp
         }
         rule 300 {
             action accept
             log enable
             protocol 41
         }
     }
     name lab-internet {
         default-action reject
         enable-default-log
         rule 1 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 2 {
             action reject
             log enable
             state {
                 invalid enable
             }
         }
         rule 100 {
             action accept
             log enable
             protocol icmp
         }
         rule 200 {
             action accept
             log enable
             protocol 41
         }
     }
}
zone-policy {
     zone lab {
         default-action drop
         from home {
             firewall {
                 name home-lab
             }
         }
         from internet {
             firewall {
                 name internet-lab
             }
         }
         from local {
             firewall {
                 name local-lab
             }
         }
         interface eth2
     }
}
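
Added example (not from the thread, and not Juniper or EdgeOS code): the protocol-41 traffic that the fix-6in4 filter and the EdgeMAX rules above have to pass, built and decoded in plain Python with the endpoint addresses from the config. The decoder applies the checks a tunnel endpoint that only talks to its configured peer applies to a received packet, so it also shows why a 6in4 packet whose outer source is not the registered client IPv4 (for example 10.1.1.2 instead of 108.77.133.89) is rejected; the echo identifier and payload are constructed values, and nothing is sent on the wire.

```python
import ipaddress
import struct

PROTO_IPV6 = 41            # 6in4: an IPv6 packet carried directly in IPv4, protocol 41 (RFC 4213)
NH_ICMPV6 = 58             # IPv6 next-header value for ICMPv6
ICMPV6_ECHO_REQUEST = 128

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; a correctly checksummed header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmpv6_echo(src6: str, dst6: str, ident: int, seq: int, payload: bytes) -> bytes:
    """IPv6 header plus ICMPv6 echo request, checksummed over the IPv6 pseudo-header."""
    s, d = ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed
    body = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + payload
    pseudo = s + d + struct.pack("!IBBBB", len(body), 0, 0, 0, NH_ICMPV6)
    body = body[:2] + struct.pack("!H", checksum(pseudo + body)) + body[4:]
    return struct.pack("!IHBB", 0x60000000, len(body), NH_ICMPV6, 64) + s + d + body

def encapsulate_6in4(src4: str, dst4: str, inner: bytes) -> bytes:
    """Outer IPv4 header (no options, DF set, protocol 41) in front of an IPv6 packet."""
    s, d = ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0x4000, 64, PROTO_IPV6, 0) + s + d
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill in header checksum
    return hdr + inner

def decode_6in4(pkt: bytes, client4: str, server4: str) -> dict:
    """Parse a 6in4 packet as an endpoint that only accepts its configured peer does: the outer
    packet must be IPv4/protocol 41 with a valid checksum and its addresses exactly the two endpoints."""
    ver_ihl, _, total, _, _, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != PROTO_IPV6 or checksum(pkt[:ihl]) != 0:
        raise ValueError("outer packet is not a well-formed IPv4 datagram with protocol 41")
    src4, dst4 = str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))
    if {src4, dst4} != {client4, server4}:
        raise ValueError(f"outer {src4} -> {dst4} is not between the configured tunnel endpoints")
    inner = pkt[ihl:total]
    plen, nh = struct.unpack("!HB", inner[4:7])
    src6, dst6 = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    body = inner[40:40 + plen]
    pseudo = src6.packed + dst6.packed + struct.pack("!IBBBB", plen, 0, 0, 0, nh)
    if nh == NH_ICMPV6 and checksum(pseudo + body) != 0:
        raise ValueError("bad ICMPv6 checksum in the inner packet")
    return {"src4": src4, "dst4": dst4, "src6": str(src6), "dst6": str(dst6),
            "next_header": nh, "icmp_type": body[0] if nh == NH_ICMPV6 else None}
```

The same decoder can be pointed at bytes pulled from a capture on either router to confirm which hop the protocol-41 packets stop at, and with what outer source.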

PatrickDickey

First question. What do you see when you run tracert (or traceroute) to an IPv6 site? Does it even make it past your router/firewall?
Second question. Do you need an IPv6 address on your LAN side interfaces (specifically fe-0/0/7?), or does the vlan {} do that for you (I'm not familiar with Juniper's configurations--only Cisco's)? I know in Cisco, you have to specify something for IPv6 on each interface (probably including the vlan) that's being used. Well, to be clear, you don't put one on the interface that's connected to your modem.

Those are the only things I can think of. Have a great day.:)
Patrick.

kbreit

Good questions. Traceroute showed no ping responses but IPv6 ICMP (is it any different?) may be filtered. So no, it's not getting past the head-end router. Troubleshooting isn't easy because I can't tell which device is causing the problems.

Great question about the VLAN addressing. I need to look more thoroughly to see which method is proper to do. However, I would expect the tunnel endpoint address to be the src address.

PatrickDickey

Am I understanding correctly that your setup is something like this:

Internet --> Modem --> EdgeMAX ---> Juniper (as DMZ)
                                               |
                                               ---> Rest of your LAN

If so, then you would need to configure a Tunnel Interface on the EdgeMAX, possibly using the information from this link (http://onebadpixel.com/blog/2014/02/09/part-7-ipv6-enabling-your-vyatta-router-using-a-tunnelbroker/). Either way, if your Juniper SRX210 is between the EdgeMAX and the modem, or vice versa, you'll need the tunnel interface set up. Again, I'm only guessing, as I've never used any Juniper devices.

Have a great day.:)
Patrick.

kbreit

That is exactly my topology. I was going to put the tunnel on the SRX210 and provide IPv6 to only my DMZ but I'm happy to put it on my whole network. IPv6 for my personal gear would be fun anyways. Thanks :)