traceroute6 to ns3.dalegroup.net (2001:470:1:41:a800:ff:fe59:ad77) from 2001:44b8:73f3:30a0:223:6cff:fe87:d1b0, 64 hops max, 12 byte packets
Internode released a trial of native IPv6 over ADSL a few months back, so anyone with an ADSL account with them can try it.
So one of my clients has an SSG5 and an internode connection so I thought I'd set it up.
So the setup:
The very first step is to enable IPv6 on the SSG5, this requires you to run the following command and then restart/reboot the device:
Once done you should now have access to all the IPv6 functions in the WebUI.
The next step is to modify your PPPoE connection settings.
set pppoe name "Internode" username "firstname.lastname@example.org" password "encryptedpassword"
set pppoe name "Internode" ppp ipv6cp ipcp
Now you need to enable IPv6 on the interface that the PPPoE connection is setup on.
set interface "ethernet0/0" ipv6 mode "host"
set interface "ethernet0/0" ipv6 enable
set interface ethernet0/0 ipv6 ra accept
unset interface ethernet0/0 ipv6 nd nud
So the above should be enough for you to get the /64 on the PPPoE interface.
Internode is currently handing out a /60 for use in your network (via DHCPv6), so lets now set that up.
set interface ethernet0/0 dhcp6 client
set interface ethernet0/0 dhcp6 client options rapid-commit
set interface ethernet0/0 dhcp6 client options request pd
set interface ethernet0/0 dhcp6 client pd ra-interface bgroup0
set interface ethernet0/0 dhcp6 client enable
In the above "bgroup0" is my LAN interface.
Now let's get IPv6 running on "bgroup0"
set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2001:44b8:7763:baa0::1/64
set interface "bgroup0" ipv6 enable
set interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra transmit
unset interface bgroup0 ipv6 nd nud
In the above the IPv6 address there is my first /64 out of the /60, I've manually set it to a :1 address but you can use whatever it's default auto assigned address is.
Now you might want to hand out internodes IPv6 DNS server addresses to your LAN
set interface bgroup0 dhcp6 server
set interface bgroup0 dhcp6 server options dns dns1 2001:44b8:1::6
set interface bgroup0 dhcp6 server options dns dns2 2001:44b8:2::6
set interface bgroup0 dhcp6 server enable
Now we need to setup the default IPv6 route, as the one that is added by default is incorrect.
set route ::/0 interface ethernet0/0 gateway ::
And finally the IPv6 policy to allow traffic out (yay no NAT).
set policy id 12 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
That should be all you need to do to get IPv6 working on your network.
There is more information over at the internode site if needed.
And here is a traceroute from a computer on the LAN
C:\Users\Administrator>tracert -6 ipv6.google.com
Tracing route to ipv6.l.google.com [2001:4860:c004::68]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 2001:44b8:7763:baa0::1
2 37 ms 37 ms 37 ms loop0.lns6.syd7.internode.on.net [2001:44b8:b070::4]
3 37 ms 37 ms 37 ms gi1-1.cor2.syd7.internode.on.net [2001:44b8:b070:5::1]
4 37 ms * 37 ms gi6-0-0-146.bdr1.syd6.internode.on.net [2001:44b8:b060:146::1]
5 37 ms 37 ms 37 ms 2001:4860:1:1:0:1283:0:2
6 38 ms 38 ms 39 ms 2001:4860::1:0:9f8
7 184 ms 295 ms 174 ms 2001:4860::1:0:165
8 175 ms 175 ms 175 ms 2001:4860::1:0:890
9 181 ms 176 ms 182 ms 2001:4860::29
10 185 ms 176 ms 244 ms tx-in-x68.1e100.net [2001:4860:c004::68]
I spent a bit of time last night getting more of my network IPv6 ready.
EDIT: And now my IPv6 tunnel is completely broken :( I've email aarnet and hopefully it will be working soon!
Just a quick development update.
The following is a list of the major changes that have happened since Code Example 1:
There are a couple of things that need doing before I can upgrade this site to Bluetrait 2:
The cron support is pretty cool and really easy to use. It will be used in future to handle update notifications, session garbage collection and "monthly database maintenance".
On another note this site is now accessible via IPv6 (2001:388:c021::20), which has already seen traffic!
I finally got an IPv6 tunnel going on my Netscreen SSG 5. So I thought I'd post the relevant configuration details here.
I'm currently running ScreenOS 5.4.0r3a0; there seems to be some WebUI bugs with IPv6 so it is best to do it via the command line.
Update: I just got a response back from JTAC. IPv6 is only supported on the ISG2000. So I'm unsure when/if it the WebUI bugs will be fixed.
Update2: IPv6 is now supported on the SSG 5 under screenos 6, the WEBUI bug has been fixed.
The first step is to enable IPv6 on your Netscreen.
Type the following then save your config and restart the device:
Now let's setup the trust interface:
So we've setup my trust interface with the IPv6 subnet and autoconfiguration should be working.
Now let's setup a tunnel interface for the traffic to run through:
Now we'll setup a static route for IPv6 traffic to go through:
And finally we need to setup a policy to allow traffic out:
You may want to setup some policies to allow traffic in too.
That should be all you need to do.
I've done some basic IPv6 stuff in the past, which only involved a single IPv6 address and a connection to aarnet. I was going to look into setting up a tunnel on my router (a m0n0wall box) so that I had both a IPv4 address and a IPv6 address but it didn't support IPv6 stuff.
Anyway I've got my cisco 2651 up and connected to the internet and it has full IPv6 support so I decided to give it a go. Aarnet also give you an option to run a full /64 subnet, so I decided to give it a go.
The web interface outputs a shell script that gives you the configuration needed for the router. So I modified by config (with some small changes).
The last section (prefix-advertisement) is similar to DHCP, it assigns an IPv6 address to any IPv6 capable computer/OS. So both my Windows 2000 box (with IPv6 kit installed) and Mac OS X system were given a full routed IPv6 address. No dodgy natted connection here, a full routed /64 subnet. :)
The speed of the IPv6 is pretty good seeing as it is running through an aarnet tunnel.
electra:~ michaeldale$ ping vee-six.telstra.net
PING vee-six.telstra.net (220.127.116.11): 56 data bytes
64 bytes from 18.104.22.168: icmp_seq=0 ttl=56 time=21.330 ms
64 bytes from 22.214.171.124: icmp_seq=1 ttl=56 time=19.761 ms
64 bytes from 126.96.36.199: icmp_seq=2 ttl=56 time=21.125 ms
64 bytes from 188.8.131.52: icmp_seq=3 ttl=56 time=19.949 ms
--- vee-six.telstra.net ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 19.761/20.541/21.330/0.693 ms
electra:~ michaeldale$ ping6 vee-six.telstra.net
PING6(56=40+8+8 bytes) 2001:388:c148:1:211:24ff:fe2a:f1b3 --> 2001:360::3
16 bytes from 2001:360::3, icmp_seq=0 hlim=58 time=25.059 ms
16 bytes from 2001:360::3, icmp_seq=1 hlim=58 time=25.874 ms
16 bytes from 2001:360::3, icmp_seq=2 hlim=58 time=23.465 ms
16 bytes from 2001:360::3, icmp_seq=3 hlim=58 time=24.281 ms
--- vee-six.telstra.net ping6 statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 23.465/24.670/25.874 ms
electra:~ michaeldale$ traceroute6 vee-six.telstra.net
traceroute6 to vee-six.telstra.net (2001:360::3) from 2001:388:c148:1:211:24ff:fe2a:f1b3, 30 hops max, 12 byte packets
1 2001:388:c148:1:207:eff:fe80:5cc0 2.565 ms 1.756 ms 1.422 ms
2 2001:388:f000::246 25.438 ms 17.068 ms 19.847 ms
3 gigether0-2-0.bb1.a.syd.aarnet.net.au 37.864 ms 27.464 ms 22.706 ms
4 gigabitethernet3-0.bb3.a.syd.aarnet.net.au 28.522 ms 19.571 ms 17.456 ms
5 eth0.ipv6.broadway.aarnet.net.au 25.852 ms 16.863 ms 19.326 ms
6 2001:388:200:4::2 25.896 ms 23.23 ms 25.435 ms
7 2001:388:200:4::2 26.875 ms !P 23.721 ms !P 27.306 ms !P
And a trace to my mac (the second last hop is my cisco router) from here
traceroute6 to 2001:388:c148:1:211:24ff:fe2a:f1b3 (2001:388:c148:1:211:24ff:fe2a:f1b3) from 2001:1888:0:1:290:27ff:fe9a:4b0b, 64 hops max, 12 byte packets
1 puaiohi-fe1-0-1 1.761 ms 1.923 ms 1.961 ms
2 akepa-e0-0-7 2.737 ms 2.865 ms 2.922 ms
3 tunnel-henet-ca-us 62.519 ms 62.382 ms 62.737 ms
4 3ffe:81d0:ffff:1::1 61.172 ms 61.049 ms 61.039 ms
5 3ffe:80a::b1 63.145 ms 61.613 ms 63.022 ms
6 10gigether0-0-0.bb1.a.syd.aarnet.net.au 237.385 ms 227.818 ms 254.435 ms
7 broker1.a.syd.aarnet.net.au 222.550 ms 222.128 ms 223.146 ms
8 2001:388:f000::247 240.004 ms 238.553 ms 240.206 ms
9 2001:388:c148:1:211:24ff:fe2a:f1b3 241.638 ms 240.077 ms 239.622 m
I have setup an IPv6 tunnel through AARNET
Tracing route to vee-six.telstra.net [2001:360::3] over a maximum of 30 hops:
1 22 ms 19 ms 18 ms 2001:388:f000::246
2 39 ms 53 ms 40 ms gigether0-2-0.bb1.a.syd.aarnet.net.au [2001:388:1:5001:204:e0ff:fe00:1022]
3 19 ms 17 ms 19 ms gigabitethernet2.7304.syd.aarnet.net.au [2001:388:1:5006:20f:23ff:fea3:ef02]
4 26 ms 26 ms 39 ms 2001:388:200:4::2
5 26 ms 24 ms 26 ms vee-six.telstra.net [2001:360::3]
I'll have a play around with it some more later. :)
When I installed FreeBSD onto my server it setup an IPv6 address, funky I thought although I'm never going to use it. Anyway my Mac is also built on BSD and it too has an IPv6 address. So I tried a normal ping but it only supports IPv4 so I tried typing ping6 and it worked! Cool!
So anyway I now have two computers talking to each other with IPv6.
electra:~ michaeldale$ ping6 -I en1 fe80::200:e8ff:fe6c:557b
PING6(56=40+8+8 bytes) fe80::211:24ff:fe2a:f1b3 --> fe80::200:e8ff:fe6c:557b
16 bytes from fe80::200:e8ff:fe6c:557b, icmp_seq=0 hlim=64 time=1.365 ms
16 bytes from fe80::200:e8ff:fe6c:557b, icmp_seq=1 hlim=64 time=1.338 ms
16 bytes from fe80::200:e8ff:fe6c:557b, icmp_seq=2 hlim=64 time=1.382 ms
16 bytes from fe80::200:e8ff:fe6c:557b, icmp_seq=3 hlim=64 time=2.111 ms
16 bytes from fe80::200:e8ff:fe6c:557b, icmp_seq=4 hlim=64 time=1.433 ms
16 bytes from fe80::200:e8ff:fe6c:557b, icmp_seq=5 hlim=64 time=1.379 ms
16 bytes from fe80::200:e8ff:fe6c:557b, icmp_seq=6 hlim=64 time=1.346 ms
16 bytes from fe80::200:e8ff:fe6c:557b, icmp_seq=7 hlim=64 time=1.354 ms
--- fe80::200:e8ff:fe6c:557b ping6 statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 1.338/1.463/2.111 ms
Also that connection is running over my wireless, pretty fast I thought. :)