SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX210HE2: IPv6 Routing

    Posted 02-05-2021 20:04
    Edited by BEN WALTER 02-06-2021 03:49
    Hi,

    I can't seem to get IPv6 to route properly. I am, by far, not a networking person. IPv4 routing is fine.

    Version: 12.3X48-D105
    Internal Interface: ge-0/0/0.0
    External Interface: ge-0/0/1.0

    ge-0/0/0 {
    	speed 1g;
    	link-mode full-duplex;
    	gigether-options {
    		no-auto-negotiation;
    	}
    	unit 0 {
    		family inet {
    			sampling {
    				input;
    				output;
    			}
    			address x.x.x.x/x;
    		}
    		family inet6 {
    			sampling {
    				input;
    				output;
    			}
    			address 2404:bf40:a420:0400:ffff:ffff:ffff:ffff/56;
    		}
    	}
    }
    ge-0/0/1 {
    	vlan-tagging;
    	speed 1g;
    	link-mode full-duplex;
    	gigether-options {
    		auto-negotiation;
    	}
    	unit 0 {
    		vlan-id 100;
    		family inet {
    			address x.x.x.x/x;
    			sampling {
    				input;
    				output;
    			}
    		}
    		family inet6 {
    			dad-disable;
    			address 2405:0800:0003:0001:0000:0000:0000:0002/126;
    			filter {
    				input INBOUND-SERVICES;
    				output OUTBOUND-SERVICES;
    			}
    			sampling {
    				input;
    				output;
    			}
    		}
    	}
    }

    rib inet6.0 {
    	static {
    		route ::/0 {
    			qualified-next-hop 2405:0800:0003:0001:0000:0000:0000:0001 {
    				interface ge-0/0/1.0;
    			}
    		}
    	}
    }

    bwalter@SRX210HE2> show route table inet6.0
    
    inet6.0: 10 destinations, 11 routes (9 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    ::/0               *[Static/5] 4d 15:55:41
                        > to 2405:800:3:1::1 via ge-0/0/1.0
    2404:bf40:a420:400::/56
                       *[Direct/0] 4d 16:20:14
                        > via ge-0/0/0.0
    2404:bf40:a420:400:ffff:ffff:ffff:ffff/128
                       *[Local/0] 4d 16:20:14
                          Local via ge-0/0/0.0
    2405:800:3:1::/126 *[Direct/0] 4d 14:28:57
                        > via ge-0/0/1.0
    2405:800:3:1::2/128*[Local/0] 4d 14:28:57
                          Local via ge-0/0/1.0
    fe80::/64          *[Direct/0] 4d 16:20:14
                        > via ge-0/0/0.0
                        [Direct/0] 4d 14:28:57
                        > via ge-0/0/1.0
    fe80::86b5:9c00:64a6:581/128
                       *[Local/0] 4d 14:28:57
                          Local via ge-0/0/1.0
    fe80::86b5:9c0f:fca6:580/128
                       *[Direct/0] 4d 17:09:04
                        > via lo0.0
    fe80::86b5:9cff:fea6:580/128
                       *[Local/0] 4d 16:20:14
                          Local via ge-0/0/0.0
    

    bwalter@SRX210HE2> show route protocol static ::/0
    
    inet6.0: 10 destinations, 11 routes (9 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    ::/0               *[Static/5] 4d 15:59:18
                        > to 2405:800:3:1::1 via ge-0/0/1.0
    

    bwalter@SRX210HE2> show security flow status
      Flow forwarding mode:
        Inet forwarding mode: flow based
        Inet6 forwarding mode: flow based
        MPLS forwarding mode: drop
        ISO forwarding mode: drop
      Flow trace status
        Flow tracing status: off
      Flow session distribution
        Distribution mode: RR-based
      Flow ipsec performance acceleration: off
      Flow packet ordering
        Ordering mode: Hardware
    

    bwalter@SRX210HE2> show security flow session summary family inet6
    Valid sessions: 7
    Pending sessions: 0
    Invalidated sessions: 54
    Sessions in other states: 0
    Total sessions: 61
    

    bwalter@SRX210HE2> ping 2405:0800:0003:0001:0000:0000:0000:0002 interface ge-0/0/1 count 3
    PING6(56=40+8+8 bytes) 2405:800:3:1::2 --> 2405:800:3:1::2
    16 bytes from 2405:800:3:1::2, icmp_seq=0 hlim=64 time=1.245 ms
    16 bytes from 2405:800:3:1::2, icmp_seq=1 hlim=64 time=1.397 ms
    16 bytes from 2405:800:3:1::2, icmp_seq=2 hlim=64 time=1.496 ms
    
    --- 2405:0800:0003:0001:0000:0000:0000:0002 ping6 statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/std-dev = 1.245/1.379/1.496/0.103 ms
    

    bwalter@SRX210HE2> ping 2405:0800:0003:0001:0000:0000:0000:0001 source 2405:0800:0003:0001:0000:0000:0000:0002 interface ge-0/0/1 count 3
    PING6(56=40+8+8 bytes) 2405:800:3:1::2 --> 2405:800:3:1::1
    64 bytes from 2405:800:3:1::2: Destination Host Unreachable
    Vr TC  Flow Plen Nxt Hlim
     6 00 00000 0010  3a   40
    2405:800:3:1::2->2405:800:3:1::1
    ICMP6: type = 128, code = 0
    
    
    --- 2405:0800:0003:0001:0000:0000:0000:0001 ping6 statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    


    Trying to ping from a Windows machine also has problems:

    C:\>ping -n 3 -6 2404:bf40:a420:400:ffff:ffff:ffff:ffff
    
    Pinging 2404:bf40:a420:400:ffff:ffff:ffff:ffff with 32 bytes of data:
    Reply from 2404:bf40:a420:400:ffff:ffff:ffff:ffff: time=3ms
    Reply from 2404:bf40:a420:400:ffff:ffff:ffff:ffff: time=3ms
    Reply from 2404:bf40:a420:400:ffff:ffff:ffff:ffff: time=3ms
    
    Ping statistics for 2404:bf40:a420:400:ffff:ffff:ffff:ffff:
        Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 3ms, Maximum = 3ms, Average = 3ms
    
    C:\>ping -n 3 -6 2405:0800:0003:0001:0000:0000:0000:0002
    
    Pinging 2405:800:3:1::2 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 2405:800:3:1::2:
        Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
    
    C:\>ping -n 3 -6 2405:0800:0003:0001:0000:0000:0000:0001
    
    Pinging 2405:800:3:1::1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Destination net unreachable.
    
    Ping statistics for 2405:800:3:1::1:
        Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),


    Any assistance with working out what I've done wrong would be appreciated.



  • 2.  RE: SRX210HE2: IPv6 Routing

    Posted 02-07-2021 19:50
    The addressing all looks correct to me.

    Could you disconnect the SRX and plug a laptop right into the ge-0/0/1 upstream port?
    Use the IP information directly on the laptop and confirm the service is working on these addresses.

    Did your ISP give you a static /126 on that port?
    This is an unusual assignment given the current state of the standards for IPv6 deployment. I have used these on p-2-p links, but all customer-facing interfaces generally follow the /64 link allocations set out as current IPv6 deployment methods.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX210HE2: IPv6 Routing

    Posted 02-08-2021 01:58
    What they've done is give a public /56 for internal use, then a /126 for the external interface and gateway (avoiding PPPoE over the national broadband).

    They've confirmed things from their end (I still need to try your suggestion):

    I can confirm that the IPv6 Gateway is reachable from our suppliers looking glass:
    Tracing the route to 2405:800:3:1::1
    
      1  *  *  * 
      2  *  *  * 
      3 2407:8800:BF00:63::1 [AS 7545] 0 msec *  0 msec
      4  * 
        2407:8800:BF00:3B:76A2:E6FF:FE9D:BA09 0 msec * 
      5 2407:8800:BF00:1D0::2 [AS 7545] 28 msec *  * 
      6 2407:8800:BF00:17B::1 [AS 7545] 12 msec
        2407:8800:BF00:17D::1 12 msec
        2407:8800:BF00:17B::1 20 msec
      7 2407:8800:BF00:18:269E:ABFF:FE9A:6A98 [AS 7545] 12 msec 12 msec 12 msec
      8 2405:800:3:1::1 [AS 7545] 12 msec 12 msec 12 msec
    
    It can also be reached from a separate connection:
    Tracing route to 2405:800:3:1::1 over a maximum of 30 hops
    
      1     *        *        *     Request timed out.
      2     *        *        *     Request timed out.
      3    55 ms    55 ms    55 ms  2407:8800:bf00:18c::1
      4    55 ms    55 ms    55 ms  2407:8800:bf00:178:aec:f5ff:fe59:6022
      5    57 ms    60 ms    61 ms  2407:8800:bf00:17d::1
      6    55 ms    56 ms    55 ms  2407:8800:bf00:18:269e:abff:fe9a:6a98
      7    57 ms    57 ms    57 ms  2405:800:3:1::1



  • 4.  RE: SRX210HE2: IPv6 Routing

    Posted 02-12-2021 18:10
    Okay, so I was finally able to get some time with a bypass-SRX test, which worked.

    :~ # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 30:65:ec:2b:65:12 brd ff:ff:ff:ff:ff:ff
    4: enp1s0f0.100@enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 30:65:ec:2b:65:12 brd ff:ff:ff:ff:ff:ff
        inet x.x.x.x/x brd x.x.x.x scope global noprefixroute enp1s0f0.100
           valid_lft forever preferred_lft forever
        inet6 2405:800:3:1::2/126 scope global noprefixroute 
           valid_lft forever preferred_lft forever
        inet6 fe80::e955:e52b:6fb1:25d1/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever

    IPv4 Interface Ping:

    :~ # ping -4 -c 3 x.x.x.x
    PING x.x.x.x (x.x.x.x) 56(84) bytes of data.
    64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=0.153 ms
    64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=0.170 ms
    64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=0.169 ms
    
    --- x.x.x.x ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2038ms
    rtt min/avg/max/mdev = 0.153/0.164/0.170/0.007 ms

    IPv4 Gateway Ping:

    :~ # ping -4 -c 3 x.x.x.x
    PING x.x.x.x (x.x.x.x) 56(84) bytes of data.
    64 bytes from x.x.x.x: icmp_seq=1 ttl=255 time=3.58 ms
    64 bytes from x.x.x.x: icmp_seq=2 ttl=255 time=3.48 ms
    64 bytes from x.x.x.x: icmp_seq=3 ttl=255 time=4.33 ms
    
    --- x.x.x.x ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 3.483/3.799/4.334/0.380 ms

    IPv6 Interface Ping:

    :~ # ping -6 -c 3 2405:800:3:1::2
    PING 2405:800:3:1::2(2405:800:3:1::2) 56 data bytes
    64 bytes from 2405:800:3:1::2: icmp_seq=1 ttl=64 time=0.197 ms
    64 bytes from 2405:800:3:1::2: icmp_seq=2 ttl=64 time=0.194 ms
    64 bytes from 2405:800:3:1::2: icmp_seq=3 ttl=64 time=0.194 ms
    
    --- 2405:800:3:1::2 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2045ms
    rtt min/avg/max/mdev = 0.194/0.195/0.197/0.001 ms


    IPv6 Gateway Ping:

    :~ # ping -6 -c 3 2405:800:3:1::1
    PING 2405:800:3:1::1(2405:800:3:1::1) 56 data bytes
    64 bytes from 2405:800:3:1::1: icmp_seq=1 ttl=64 time=3.75 ms
    64 bytes from 2405:800:3:1::1: icmp_seq=2 ttl=64 time=3.22 ms
    64 bytes from 2405:800:3:1::1: icmp_seq=3 ttl=64 time=3.45 ms
    
    --- 2405:800:3:1::1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 3.223/3.471/3.745/0.213 ms
    


    So, I'm pretty sure the problem is with the SRX / Junos OS / config.




  • 5.  RE: SRX210HE2: IPv6 Routing

    Posted 02-12-2021 18:43

    So, my problem is the filter... 🤦‍♂️

    If I drop the filter completely, then I get:

    bwalter@SRX210HE2> ping 2405:0800:0003:0001:0000:0000:0000:0001 source 2405:0800:0003:0001:0000:0000:0000:0002 interface ge-0/0/1 count 3
    PING6(56=40+8+8 bytes) 2405:800:3:1::2 --> 2405:800:3:1::1
    16 bytes from 2405:800:3:1::1, icmp_seq=0 hlim=64 time=9.100 ms
    16 bytes from 2405:800:3:1::1, icmp_seq=1 hlim=64 time=5.580 ms
    16 bytes from 2405:800:3:1::1, icmp_seq=2 hlim=64 time=6.630 ms
    
    --- 2405:0800:0003:0001:0000:0000:0000:0001 ping6 statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/std-dev = 5.580/7.103/9.100/1.475 ms

    bwalter@SRX210HE2> ping 2405:0800:0003:0001:0000:0000:0000:0001 source 2404:bf40:a420:0400:ffff:ffff:ffff:ffff interface ge-0/0/0 count 3
    PING6(56=40+8+8 bytes) 2404:bf40:a420:400:ffff:ffff:ffff:ffff --> 2405:800:3:1::1
    16 bytes from 2405:800:3:1::1, icmp_seq=0 hlim=64 time=13.146 ms
    16 bytes from 2405:800:3:1::1, icmp_seq=1 hlim=64 time=11.860 ms
    16 bytes from 2405:800:3:1::1, icmp_seq=2 hlim=64 time=8.483 ms
    
    --- 2405:0800:0003:0001:0000:0000:0000:0001 ping6 statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/std-dev = 8.483/11.163/13.146/1.966 ms


    So, I guess my understanding of what is "IN", what is "OUT" and what is required for "allowing" on a firewall filter... ??




  • 6.  RE: SRX210HE2: IPv6 Routing

    Posted 02-12-2021 19:38
    So, if I wanted to do something like this:


    I would have thought something like this would work:
    interfaces {
        ge-0/0/0 {
            speed 1g;
            link-mode full-duplex;
            gigether-options {
                no-auto-negotiation;
            }
            unit 0 {
                family inet6 {
                    sampling {
                        input;
                        output;
                    }
                    address 2404:bf40:a420:0400:ffff:ffff:ffff:ffff/56;
                }
            }
        }
        ge-0/0/1 {
            vlan-tagging;
            speed 1g;
            link-mode full-duplex;
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                vlan-id 100;
                family inet6 {
                    dad-disable;
                    address 2405:0800:0003:0001:0000:0000:0000:0002/126;
                    filter {
                        input INBOUND-SERVICES;
                        output OUTBOUND-SERVICES;
                    }
                    sampling {
                        input;
                        output;
                    }
                }
            }
        }
        fe-0/0/2 {
            disable;
        }
        fe-0/0/3 {
            disable;
        }
        fe-0/0/4 {
            disable;
        }
        fe-0/0/5 {
            disable;
        }
        fe-0/0/6 {
            disable;
        }
        fe-0/0/7 {
            disable;
        }
        cm-1/0/0 {
            disable;
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/8;
                }
                family inet6 {
                    address ::1/128;
                }
            }
        }
    }
    policy-options {
        prefix-list intToOut {
            2404:bf40:a420:400::xxxx/128;
        }
        prefix-list OutToDNS {
            aaaa::aaaa/128;
            aaaa::bbbb/128;
        }
        prefix-list OutToHTTPS {
            nnnn::aaaa/128;
            nnnn::bbbb/128;
        }
    }
    firewall {
        family inet6 {
            filter OUTBOUND-SERVICES {
                term allow-OUT {
                    from {
                        source-prefix-list {
                            intToOut;
                        }
                        destination-address {
                            ::/0;
                        }
                    }
                    then {
                        count accept-OUT;
                        log;
                        accept;
                    }
                }
                term deny-all {
                    then {
                        count deny-all;
                        log;
                        discard;
                    }
                }
            }
            filter INBOUND-SERVICES {
                term allow-DNS {
                    from {
                        source-prefix-list {
                            OutToDNS;
                        }
                        destination-address {
                            2404:bf40:a420:400::yyyy/128;
                        }
                        destination-port [ 53 ];
                    }
                    then {
                        count accept-DNS;
                        log;
                        accept;
                    }
                }
                term allow-HTTPS {
                    from {
                        protocol tcp;
                        source-prefix-list {
                            OutToHTTPS;
                        }
                        destination-address {
                            2404:bf40:a420:400::zzzz/128;
                        }
                        destination-port [ 443 ];
                    }
                    then {
                        count accept-HTTPS;
                        log;
                        accept;
                    }
                }
                term deny-all {
                    then {
                        count deny-all;
                        log;
                        discard;
                    }
                }
            }
        }
    }



  • 7.  RE: SRX210HE2: IPv6 Routing

    Posted 02-13-2021 20:10
    Thanks for the additional detail.  I missed the packet filter applied in the original configs.

    I think you might be misinterpreting these filters as firewall rules. They are not really the firewall functionality of the SRX but legacy packet filters. This could work as done, but you would need to either put the SRX into packet mode as a standard router or create the necessary zone and security-policy allow-all firewall rules to get the flows active.

    The SRX has two modes:
    Default is flow mode with a stateful firewall table.
    Packet mode removes all the firewall features and makes the SRX a router.

    For a flow mode standard deploy you would remove these firewall filters.
    Place the interfaces into security zones (default would be untrust and trust).
    Write security policies from zone to zone in the direction of the flow initiator.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16553

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
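As an added example (not configuration from this thread or from Juniper), here is the flow-mode layout Steve describes above, written for the interfaces and prefixes in posts 1 and 6 and standing in for the interface filters from post 6. It also answers the IN/OUT question in post 5: a security policy is evaluated against the first packet of a session in the direction of the initiator, and the reply packets are matched to that session by the flow table, so no separate "inbound" rule is needed for replies. The stateless filter in post 6, by contrast, has no term that permits ICMPv6, so neighbor discovery from 2405:800:3:1::1 and the echo replies fall through to its deny-all term; that is consistent with the "Destination Host Unreachable" output in post 1 and with the pings working once the filter was dropped in post 5 (an inference from the posted configuration, not something the thread states). The zone names trust and untrust are the defaults Steve mentions; the address-book names lan-v6 and dns-server-v6 and the policy names are assumptions, and 2404:bf40:a420:400::yyyy is the thread's own placeholder for the internal DNS host.

```junos
security {
    /* Global address book; the names are assumptions, the prefixes are the thread's */
    address-book {
        global {
            address lan-v6 2404:bf40:a420:400::/56;
            /* "yyyy" is the thread's own placeholder for the internal DNS host */
            address dns-server-v6 2404:bf40:a420:400::yyyy/128;
        }
    }
    zones {
        security-zone trust {
            /* allow LAN hosts to ping the SRX's own ge-0/0/0.0 address */
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            /* ping only, so the SRX answers the ISP's reachability tests on ge-0/0/1.0 */
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    policies {
        /* LAN-initiated sessions out; return traffic is matched statefully, no inbound term needed */
        from-zone trust to-zone untrust {
            policy allow-lan-out-v6 {
                match {
                    source-address lan-v6;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        /* Internet-initiated sessions in: only DNS to the one server, everything else denied and logged */
        from-zone untrust to-zone trust {
            policy allow-dns-in-v6 {
                match {
                    source-address any;
                    destination-address dns-server-v6;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
            policy deny-rest-in {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

Load it with `load merge terminal` in configure mode, remove the filter reference with `delete interfaces ge-0/0/1 unit 0 family inet6 filter`, and `commit`. The flow-based inet6 forwarding this relies on is already enabled according to the `show security flow status` output in post 1. Afterwards, `show security policies` lists the policies in evaluation order, and `show security flow session family inet6` shows the sessions the trust-to-untrust policy created, including the reply direction that the stateless filter had no way to track.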



  • 8.  RE: SRX210HE2: IPv6 Routing

    Posted 02-13-2021 22:44

    Thank you so much.

    I've dropped the filter and duplicated/extended the security zones for IPv6 (already used for NAT'ed IPv4, so lots of copy/paste), and now get a nice outbound: