SRX Prefix Delegation for IPv6 in home LAN

In a previous post, I went through how to enable IPv6 on an SRX facing Comcast’s HSI service. I limited the scope of that post to IPv6 on the egress interface. This post covers enabling IPv6 on the local LAN. As I mentioned in my first post, this config is not optimized for security. It also currently does not automatically delegate the prefix learned from Comcast’s gateway. These are static configurations that I’ve currently hard-coded. It may or may not be necessary to hard-code these configurations; hard-coding them was the only way that I was able to get them to work.

The first thing I did was disable IPv6 tunneling protocols via group policy across my entire domain. As I was troubleshooting, that provided me assurance that the only way IPv6 was working was via native IPv6 connectivity.

Per my previous post – there are some caveats to watch:

1) I’ve got a weird issue where some devices in my home network are being matched against zone untrust – maybe SRX code bugs. So, do yourself a favor and turn on logging for your SRX firewall policies – good ‘how to’ here on how to do that

2) I’m using JunOS’ recently released firmware 12.1X45-D15.5 on an SRX210H

3) If you’re using the legacy ‘set system services dhcp’ DHCP mode, you’ve got to convert that to dhcp-local-server and ‘set access’ DHCP mode

4) In this scenario, my local LAN is vlan.0

Here are the steps I performed to get DHCPv6 working on my LAN.

1) Ensure that the SRX will accept DHCP packets

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

2) Configure a DHCPv6 server on the SRX – make sure you tailor to your specific environment

set system services dhcp-local-server dhcpv6 overrides interface-client-limit 100 <-- may not be necessary; it was just a configuration I used
set system services dhcp-local-server dhcpv6 group trust6 interface vlan.0

set access address-assignment pool trust6 family inet6 prefix 2601:8:ac80:78e::/64 <-- this was my prefix delegated from Comcast, displayed via show dhcpv6 client binding detail
set access address-assignment pool trust6 family inet6 range r1 prefix-length 128 <-- I don’t set a high and low range, just a prefix

set access address-assignment neighbor-discovery-router-advertisement trust6

3) Enable router-advertisement on vlan.0

set protocols router-advertisement interface vlan.0 managed-configuration
set protocols router-advertisement interface vlan.0 other-stateful-configuration
set protocols router-advertisement interface vlan.0 prefix 2601:8:ac80:78e::/64 <-- this is my prefix

4) Modify your firewall policy to allow untrust to trust communication. Modifying NAT config is not necessary. Example policy snippet below.

policy trust-to-untrust {
    match {
        source-address [ 10net v6prefix 1cast ];
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

5) Test! Here are some helpful commands and the output

a) Show DHCPv6 clients you’ve served

show dhcpv6 server binding
Prefix                   Session Id  Expires  State  Interface  Client DUID
2601:8:ac80:78e::12/128  3895        84604    BOUND  vlan.0     LL_TIME0x1-0x195f7aab-84:3a:4b:98:9d:28

b) Verify that you’re making a router advertisement on vlan.0

show ipv6 router-advertisement

Interface: vlan.0
Advertisements sent: 47, last sent 00:01:00 ago
Solicits received: 14, last received 00:31:21 ago
Advertisements received: 0

c) Show IPv6 neighbors

show ipv6 neighbors
IPv6 Address          Linklayer Address  State  Exp  Rtr  Secure  Interface
2601:8:ac80:78e::8    00:0c:29:e8:6e:64  stale  654  no   no      vlan.0
2601:8:ac80:78e::d    50:e5:49:ce:5e:e4  stale  621  no   no      vlan.0
2601:8:ac80:78e::e    00:0c:29:d8:48:74  stale  226  no   no      vlan.0
2601:8:ac80:78e::11   64:80:99:20:b9:ac  stale  894  no   no      vlan.0
2601:8:ac80:78e::12   84:3a:4b:98:9d:28  stale  494  no   no      vlan.0
2601:8:ac80:78e::101  84:3a:4b:98:9d:28  stale  504  no   no      vlan.0

d) Ping across devices in the network – use the non-LL prefixes to ping

e) If traffic is not passing then your best troubleshooting may be looking at the firewall deny logs. My previous post gives information on how to configure this.
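
The steps above hard-code the delegated prefix in both the address pool and the router advertisement, and open host-inbound-traffic to all on the trust zone. The following added example (not part of the original post) is a small Python check over set-style config lines that flags both conditions; the function name `audit`, the finding names and the deliberately altered RA prefix in the sample are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the post's own set commands, except that the RA prefix
# is deliberately changed to ...78f:: so the mismatch check has something to find.
SAMPLE_CONFIG = """\
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set system services dhcp-local-server dhcpv6 group trust6 interface vlan.0
set access address-assignment pool trust6 family inet6 prefix 2601:8:ac80:78e::/64  <-- pool
set access address-assignment pool trust6 family inet6 range r1 prefix-length 128
set protocols router-advertisement interface vlan.0 prefix 2601:8:ac80:78f::/64
"""

HOST_IN = re.compile(r"set security zones security-zone (\S+) "
                     r"host-inbound-traffic (system-services|protocols) all$")
POOL = re.compile(r"set access address-assignment (pool \S+) family inet6 prefix (\S+)$")
RA = re.compile(r"set protocols (router-advertisement interface \S+) prefix (\S+)$")


def audit(config_text, delegated_prefix):
    """Return (check, where, detail) findings for a set-style config.

    `audit` and the finding names are hypothetical, not Junos features.
    """
    delegated = ipaddress.ip_network(delegated_prefix)
    findings = []
    for raw in config_text.splitlines():
        # Drop trailing "<-- note" annotations like the ones used in the post.
        line = raw.split("<", 1)[0].strip()
        m = HOST_IN.match(line)
        if m:
            # Every service/protocol on the SRX itself is reachable from this zone.
            findings.append(("host-inbound-all", m.group(1), m.group(2)))
            continue
        m = POOL.match(line) or RA.match(line)
        if m:
            configured = ipaddress.ip_network(m.group(2), strict=False)
            # A hard-coded prefix must sit inside what the ISP delegated.
            if not configured.subnet_of(delegated):
                findings.append(("prefix-outside-delegation", m.group(1), str(configured)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "2601:8:ac80:78e::/64"):
        print(finding)
```

Pass the prefix currently shown by show dhcpv6 client binding detail as the second argument; a stale hard-coded pool or RA prefix then shows up as a finding.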

3 Responses to “SRX Prefix Delegation for IPv6 in home LAN”
  1. Sweendog

    That’s some fancy IP address you’ve got there, Mr. Mayberry!

  2. David Knill

    Thanks for the post. I’m in Portland, OR, and I just submitted to Comcast to get a new DOCSIS 3.0 modem so I can get IPv6 support. I have an SRX100 and PAN PA-200 at my disposal and hoping to get some combination of those two working to supply native IPv6 to my office network.

    I’m sure your info will come in handy – I’ll let you know how it goes.

    • mayberry0404

      You have to get Comcast to put your D3.0 modem into ‘bridge mode’ not NAT/router mode. It is something they flip in the call center. I tried to call the normal 1-800-comcast # to get them to do that and it was a disaster via the call center. I had instant success through the online support webchat feature.
