Thanks for the additional detail. I missed the packet filter applied in the original configs.
I think you might be misinterpreting these filters as firewall rules. They are not really the firewall functionality of the SRX but legacy packet filters. This could work as done, but you would need to either put the SRX into packet mode as a standard router or create the necessary zone and security policy allow all firewall rules to get the flows active.
Default is flow mode with a stateful firewall table.
For a flow mode standard deploy you would remove these firewall filters.
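One way to carry out the flow-mode option described above, as an added example that is not part of the original reply or the poster's configuration. The zone names `trust` and `untrust` and the policy name `allow-outbound` are assumptions; the thread does not show the security stanza.

```junos
# Added example. Zone and policy names are assumptions, not from the thread.
# Run in configuration mode on the SRX.

# 1. Remove the legacy packet filters from the external IPv6 family so that
#    the stateful flow engine, not the filter, decides what passes.
delete interfaces ge-0/0/1 unit 0 family inet6 filter

# 2. Bind each interface to a security zone (skip if already bound) and allow
#    ping to the SRX's own addresses for troubleshooting.
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

# 3. Permit sessions initiated from the inside. Return traffic is matched
#    against the session table, so no mirror-image rule is needed.
set security policies from-zone trust to-zone untrust policy allow-outbound match source-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match application any
set security policies from-zone trust to-zone untrust policy allow-outbound then permit

# 4. No untrust-to-trust policy is defined, so unsolicited inbound sessions
#    fall through to the default deny.

# 5. Validate, then commit with automatic rollback in case access is lost.
commit check
commit confirmed 5
```

After the commit, repeating the gateway ping and `show security flow session summary family inet6` from the original post shows whether IPv6 sessions are now being created.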
Original Message:
Sent: 02-12-2021 19:37
From: BEN WALTER
Subject: SRX210HE2: IPv6 Routing
Original Message:
Sent: 02-12-2021 18:43
From: BEN WALTER
Subject: SRX210HE2: IPv6 Routing
So, my problem is the filter... 🤦♂️
If I drop the filter completely, then I get:
bwalter@SRX210HE2> ping 2405:0800:0003:0001:0000:0000:0000:0001 source 2405:0800:0003:0001:0000:0000:0000:0002 interface ge-0/0/1 count 3
PING6(56=40+8+8 bytes) 2405:800:3:1::2 --> 2405:800:3:1::1
16 bytes from 2405:800:3:1::1, icmp_seq=0 hlim=64 time=9.100 ms
16 bytes from 2405:800:3:1::1, icmp_seq=1 hlim=64 time=5.580 ms
16 bytes from 2405:800:3:1::1, icmp_seq=2 hlim=64 time=6.630 ms
--- 2405:0800:0003:0001:0000:0000:0000:0001 ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 5.580/7.103/9.100/1.475 ms

bwalter@SRX210HE2> ping 2405:0800:0003:0001:0000:0000:0000:0001 source 2404:bf40:a420:0400:ffff:ffff:ffff:ffff interface ge-0/0/0 count 3
PING6(56=40+8+8 bytes) 2404:bf40:a420:400:ffff:ffff:ffff:ffff --> 2405:800:3:1::1
16 bytes from 2405:800:3:1::1, icmp_seq=0 hlim=64 time=13.146 ms
16 bytes from 2405:800:3:1::1, icmp_seq=1 hlim=64 time=11.860 ms
16 bytes from 2405:800:3:1::1, icmp_seq=2 hlim=64 time=8.483 ms
--- 2405:0800:0003:0001:0000:0000:0000:0001 ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.483/11.163/13.146/1.966 ms
So, I guess my understanding of what is "IN", what is "OUT" and what is required for "allowing" on a firewall filter... ??
Original Message:
Sent: 02-12-2021 18:10
From: BEN WALTER
Subject: SRX210HE2: IPv6 Routing
Okay, so was finally able to get some time with a bypass-srx test, which worked.
:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 30:65:ec:2b:65:12 brd ff:ff:ff:ff:ff:ff
4: enp1s0f0.100@enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 30:65:ec:2b:65:12 brd ff:ff:ff:ff:ff:ff
    inet x.x.x.x/x brd x.x.x.x scope global noprefixroute enp1s0f0.100
       valid_lft forever preferred_lft forever
    inet6 2405:800:3:1::2/126 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::e955:e52b:6fb1:25d1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

IPv4 Interface Ping:

:~ # ping -4 -c 3 x.x.x.x
PING x.x.x.x (x.x.x.x) 56(84) bytes of data.
64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=0.153 ms
64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=0.170 ms
64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=0.169 ms
--- x.x.x.x ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2038ms
rtt min/avg/max/mdev = 0.153/0.164/0.170/0.007 ms

IPv4 Gateway Ping:

:~ # ping -4 -c 3 x.x.x.x
PING x.x.x.x (x.x.x.x) 56(84) bytes of data.
64 bytes from x.x.x.x: icmp_seq=1 ttl=255 time=3.58 ms
64 bytes from x.x.x.x: icmp_seq=2 ttl=255 time=3.48 ms
64 bytes from x.x.x.x: icmp_seq=3 ttl=255 time=4.33 ms
--- x.x.x.x ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.483/3.799/4.334/0.380 ms

IPv6 Interface Ping:

:~ # ping -6 -c 3 2405:800:3:1::2
PING 2405:800:3:1::2(2405:800:3:1::2) 56 data bytes
64 bytes from 2405:800:3:1::2: icmp_seq=1 ttl=64 time=0.197 ms
64 bytes from 2405:800:3:1::2: icmp_seq=2 ttl=64 time=0.194 ms
64 bytes from 2405:800:3:1::2: icmp_seq=3 ttl=64 time=0.194 ms
--- 2405:800:3:1::2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2045ms
rtt min/avg/max/mdev = 0.194/0.195/0.197/0.001 ms

IPv6 Gateway Ping:

:~ # ping -6 -c 3 2405:800:3:1::1
PING 2405:800:3:1::1(2405:800:3:1::1) 56 data bytes
64 bytes from 2405:800:3:1::1: icmp_seq=1 ttl=64 time=3.75 ms
64 bytes from 2405:800:3:1::1: icmp_seq=2 ttl=64 time=3.22 ms
64 bytes from 2405:800:3:1::1: icmp_seq=3 ttl=64 time=3.45 ms
--- 2405:800:3:1::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.223/3.471/3.745/0.213 ms
So, pretty sure problem is with SRX/JunosOS/Config
Original Message:
Sent: 02-07-2021 19:49
From: STEVE PULUKA
Subject: SRX210HE2: IPv6 Routing
The addressing all looks correct to me.
Could you disconnect the SRX and plug a laptop right into the ge-0/0/1 upstream port?
Use the ip information directly on the laptop and confirm the service is working on these addresses.
Did your ISP give you a static /126 on that port?
This is an unusual assignment given the current state of the standards for ipv6 deploy. I have used these on p-2-p links but all customer facing interfaces generally follow the /64 link allocations set out as current ipv6 deploy methods.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 02-05-2021 20:03
From: BEN WALTER
Subject: SRX210HE2: IPv6 Routing
Hi,
I can't seem to get IPv6 to route properly. I am, by far, not a networking person. IPv4 routing is fine.
Version: 12.3X48-D105
Internal Interface: ge-0/0/0.0
External Interface: ge-0/0/1.0
ge-0/0/0 {
    speed 1g;
    link-mode full-duplex;
    gigether-options {
        no-auto-negotiation;
    }
    unit 0 {
        family inet {
            sampling {
                input;
                output;
            }
            address x.x.x.x/x;
        }
        family inet6 {
            sampling {
                input;
                output;
            }
            address 2404:bf40:a420:0400:ffff:ffff:ffff:ffff/56;
        }
    }
}
ge-0/0/1 {
    vlan-tagging;
    speed 1g;
    link-mode full-duplex;
    gigether-options {
        auto-negotiation;
    }
    unit 0 {
        vlan-id 100;
        family inet {
            address x.x.x.x/x;
            sampling {
                input;
                output;
            }
        }
        family inet6 {
            dad-disable;
            address 2405:0800:0003:0001:0000:0000:0000:0002/126;
            filter {
                input INBOUND-SERVICES;
                output OUTBOUND-SERVICES;
            }
            sampling {
                input;
                output;
            }
        }
    }
}

rib inet6.0 {
    static {
        route ::/0 {
            qualified-next-hop 2405:0800:0003:0001:0000:0000:0000:0001 {
                interface ge-0/0/1.0;
            }
        }
    }
}

bwalter@SRX210HE2> show route table inet6.0
inet6.0: 10 destinations, 11 routes (9 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
::/0 *[Static/5] 4d 15:55:41
    > to 2405:800:3:1::1 via ge-0/0/1.0
2404:bf40:a420:400::/56 *[Direct/0] 4d 16:20:14
    > via ge-0/0/0.0
2404:bf40:a420:400:ffff:ffff:ffff:ffff/128 *[Local/0] 4d 16:20:14
    Local via ge-0/0/0.0
2405:800:3:1::/126 *[Direct/0] 4d 14:28:57
    > via ge-0/0/1.0
2405:800:3:1::2/128 *[Local/0] 4d 14:28:57
    Local via ge-0/0/1.0
fe80::/64 *[Direct/0] 4d 16:20:14
    > via ge-0/0/0.0
    [Direct/0] 4d 14:28:57
    > via ge-0/0/1.0
fe80::86b5:9c00:64a6:581/128 *[Local/0] 4d 14:28:57
    Local via ge-0/0/1.0
fe80::86b5:9c0f:fca6:580/128 *[Direct/0] 4d 17:09:04
    > via lo0.0
fe80::86b5:9cff:fea6:580/128 *[Local/0] 4d 16:20:14
    Local via ge-0/0/0.0

bwalter@SRX210HE2> show route protocol static ::/0
inet6.0: 10 destinations, 11 routes (9 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
::/0 *[Static/5] 4d 15:59:18
    > to 2405:800:3:1::1 via ge-0/0/1.0

bwalter@SRX210HE2> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware

bwalter@SRX210HE2> show security flow session summary family inet6
Valid sessions: 7
Pending sessions: 0
Invalidated sessions: 54
Sessions in other states: 0
Total sessions: 61

bwalter@SRX210HE2> ping 2405:0800:0003:0001:0000:0000:0000:0002 interface ge-0/0/1 count 3
PING6(56=40+8+8 bytes) 2405:800:3:1::2 --> 2405:800:3:1::2
16 bytes from 2405:800:3:1::2, icmp_seq=0 hlim=64 time=1.245 ms
16 bytes from 2405:800:3:1::2, icmp_seq=1 hlim=64 time=1.397 ms
16 bytes from 2405:800:3:1::2, icmp_seq=2 hlim=64 time=1.496 ms
--- 2405:0800:0003:0001:0000:0000:0000:0002 ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 1.245/1.379/1.496/0.103 ms

bwalter@SRX210HE2> ping 2405:0800:0003:0001:0000:0000:0000:0001 source 2405:0800:0003:0001:0000:0000:0000:0002 interface ge-0/0/1 count 3
PING6(56=40+8+8 bytes) 2405:800:3:1::2 --> 2405:800:3:1::1
64 bytes from 2405:800:3:1::2: Destination Host Unreachable
Vr TC Flow Plen Nxt Hlim
6 00 00000 0010 3a 40
2405:800:3:1::2->2405:800:3:1::1
ICMP6: type = 128, code = 0
--- 2405:0800:0003:0001:0000:0000:0000:0001 ping6 statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
Trying to ping from Windows machine also has problems:
C:\>ping -n 3 -6 2404:bf40:a420:400:ffff:ffff:ffff:ffff
Pinging 2404:bf40:a420:400:ffff:ffff:ffff:ffff with 32 bytes of data:
Reply from 2404:bf40:a420:400:ffff:ffff:ffff:ffff: time=3ms
Reply from 2404:bf40:a420:400:ffff:ffff:ffff:ffff: time=3ms
Reply from 2404:bf40:a420:400:ffff:ffff:ffff:ffff: time=3ms
Ping statistics for 2404:bf40:a420:400:ffff:ffff:ffff:ffff:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 3ms, Average = 3ms

C:\>ping -n 3 -6 2405:0800:0003:0001:0000:0000:0000:0002
Pinging 2405:800:3:1::2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 2405:800:3:1::2:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),

C:\>ping -n 3 -6 2405:0800:0003:0001:0000:0000:0000:0001
Pinging 2405:800:3:1::1 with 32 bytes of data:
Request timed out.
Request timed out.
Destination net unreachable.
Ping statistics for 2405:800:3:1::1:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Any assistance with working out what I've done wrong would be appreciated.