Splynx IPv6 support

Starting from version 3.0, Splynx has native IPv6 support. In this topic we will cover three main areas of IPv6 deployment:
1. IPv6 address management in Splynx;
2. Activation of IPv6 in ISP infrastructure;
3. IPv6 assignments to end-users.

If you want to know more about MikroTik IPv6 configuration or home router IPv6 configuration, please read the following articles:
https://splynx.com/5684/mikrotik-ipv6-configuration/
https://splynx.com/5747/ipv6-cpe-and-home-routers-support/

IPv6 address management
In Splynx, IPv6 management is similar to IPv4 network management. Under Networking there is an IPv6 networks submenu with the ability to add a network, list the available networks and display the usage details of each network.

In the selected example we have added a /32 IPv6 network. A /32 is the allocation that an ISP usually receives from its regional Internet registry.

From the /32 network we carve out /48 networks and route each of them to a particular site or PPPoE concentrator. A /32 contains 65536 /48 networks, so we can have up to 65k different high-sites or PPPoE/DHCP NAS routers. Each NAS (PPPoE server or DHCP server, depending on your topology and authentication method) can in turn serve up to 65k subscribers, because a /64 network is always delegated to the end user's LAN or CPE and one /48 contains 65536 /64 networks. Keep in mind that a single /64 gives the customer exactly one LAN subnet; RFC 6177 recommends delegating a /56 or /48 per end site if customers need several subnets, and the same plan accommodates that by delegating /56 blocks (256 per /48) at the cost of fewer subscribers per NAS.

We recommend this basic IPv6 topology design for small and medium size ISP networks. There are plenty of other IPv6 planning options on the Internet, but most of them are quite complicated and only add complexity to the IPv6 address deployment.

In our example we have received the network 2a0f:f041::/32 from RIPE NCC.
We decided to dedicate one /48 network to infrastructure needs: 2a0f:f041:f::/48.
PPPoE concentrators will assign addresses from the ranges 2a0f:f041:1000::/48 and 2a0f:f041:2000::/48.
When we have more PPPoE servers, we can use further /48 networks such as 2a0f:f041:1100::/48, 2a0f:f041:1011::/48 or 2a0f:f041:3050::/48. In practice we used 4-5 /48 networks to cover all our NAS routers and infrastructure, and there are still over 65k /48 networks left.

As mentioned above, customers receive /64 prefixes. The CPE/home router advertises this prefix on its LAN (it plays the role that the LAN IP pool plays in the IPv4 world) and the end devices configure their addresses from it.

Below is an example of how a /64 prefix delegated to a CPE appears in the Splynx IPv6 networks view.

Activation of IPv6 in infrastructure
We have designed a simple IPv6 address plan; let's recap what should be done during the first phase of IPv6 deployment:
1. BGP peering configured on IPv6 addresses.
2. The IPv6 network announced in BGP, with BGP filters configured (announce only your own /32 and accept from peers only what you expect).
3. Internal connections between infrastructure routers established on subnets from 2a0f:f041:f::/48. Strictly speaking, all traffic between routers can be routed using link-local IPv6 addresses, but we have enabled addresses from 2a0f:f041:f::/48 on our routers to be able to check IPv6 reachability to and from the outside.
4. Static routes to 2a0f:f041:1000::/48 and 2a0f:f041:2000::/48 created on the BGP infrastructure towards the PPPoE routers.
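As an added example that is not part of the original article, the following Python script models the address plan above with the standard ipaddress module: it checks that the per-NAS /48 networks are valid, non-overlapping children of the ISP's /32, computes the n-th /64 to delegate inside a NAS block, and answers the question the static routes in step 4 depend on, namely which PPPoE router owns a given delegated prefix. The NAS names and the subscriber index are assumptions for illustration; the prefixes are the ones used in the article.

```python
"""Model of the /32 -> /48 (per NAS) -> /64 (per subscriber) IPv6 plan.

Added example, not Splynx code. The NAS names are assumptions; the prefixes are
the ones used in the article.
"""
from ipaddress import IPv6Network, ip_network

ISP_BLOCK = IPv6Network("2a0f:f041::/32")          # allocation received from RIPE NCC

# One /48 for infrastructure, one /48 per PPPoE concentrator (names are assumed).
NAS_BLOCKS = {
    "infra": IPv6Network("2a0f:f041:f::/48"),
    "pppoe1": IPv6Network("2a0f:f041:1000::/48"),
    "pppoe2": IPv6Network("2a0f:f041:2000::/48"),
}


def check_plan(isp_block, nas_blocks):
    """Every NAS block must be a /48 inside the ISP allocation, and no two may overlap."""
    blocks = list(nas_blocks.values())
    for block in blocks:
        if block.prefixlen != 48 or not block.subnet_of(isp_block):
            raise ValueError(f"{block} is not a /48 inside {isp_block}")
    for i, first in enumerate(blocks):
        for second in blocks[i + 1:]:
            if first.overlaps(second):
                raise ValueError(f"{first} overlaps {second}")
    return True


def subscriber_prefix(nas_block, index):
    """Return the index-th /64 inside a NAS /48; this is the prefix delegated to the CPE.

    A /48 holds 2**16 = 65536 /64 networks, which is the per-NAS subscriber limit
    the article derives.
    """
    if not 0 <= index < 2 ** 16:
        raise ValueError("a /48 contains exactly 65536 /64 networks")
    # A /64 spans 2**64 addresses, so the index-th one starts index * 2**64 past the block.
    return IPv6Network((int(nas_block.network_address) + index * 2 ** 64, 64))


def nas_for(prefix_or_address, nas_blocks):
    """Name of the NAS whose /48 contains the given prefix or address, or None.

    This is the router the static route on the BGP layer (step 4) must point to.
    """
    target = ip_network(prefix_or_address, strict=False)
    for name, block in nas_blocks.items():
        if target.subnet_of(block):
            return name
    return None


def remaining_48s(isp_block, nas_blocks):
    """How many /48 networks of the allocation are still unassigned."""
    return 2 ** (48 - isp_block.prefixlen) - len(nas_blocks)


if __name__ == "__main__":
    check_plan(ISP_BLOCK, NAS_BLOCKS)
    delegated = subscriber_prefix(NAS_BLOCKS["pppoe1"], 1)   # 2a0f:f041:1000:1::/64
    print(delegated, "is routed via", nas_for(str(delegated), NAS_BLOCKS))
    print(remaining_48s(ISP_BLOCK, NAS_BLOCKS), "/48 networks left")
```

A prefix for which nas_for returns None has no /48 in the plan and therefore no static route on the BGP layer; that is the first thing to check when a customer's delegated prefix is reachable from the NAS but not from the Internet.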

IPv6 assignments to the end users
When all of the above is working, we can start with the most tricky part of IPv6 deployment: assigning IPv6 to the end users.
Almost everywhere, end users have their own wireless router that connects their devices to the Internet.
Consider the topology of an advanced home user who has one router and two access-point bridges with many devices, such as PCs and phones.

In this topology the SOHO router has one public IPv4 address on its WAN interface and one IPv4 address from the LAN range 192.168.0.0/24 that is used as the default gateway for all devices at home. The router obviously acts as a NAT gateway in this scenario: all hosts leaving the LAN reach the Internet from one public IP address, and all return traffic comes back to the network via that single public IP address.

IPv6 is deployed without NAT. It means that the CPE or SOHO/home router routes a public IPv6 network instead of a private range. How does a small home office router know which IPv6 network it should use and route? It is the job of the ISP's equipment to tell the CPE/home router.
In general, the ISP router assigns an IPv6 address to the WAN interface in the same way as it did with the IPv4 address, but it should also assign a "LAN" network. This is called the Delegated IPv6 network (on the wire it is typically handed to the CPE by DHCPv6 prefix delegation) and in our plan it is a /64. Below is an example.

In our example, the home router received one single IPv6 address 2a0f:f041:a:1::1 on the pppoe-client tunnel and additionally got the prefix 2a0f:f041:1000:1::/64, which is automatically configured on its LAN interface. All IPv6 end devices then receive their addresses through Router Advertisements (part of Neighbor Discovery), i.e. SLAAC, the stateless automatic IPv6 address configuration that should be used in local area networks.

In Splynx each customer has an Internet service, and in the settings of this service there are options to assign IPv4 and IPv6 addresses.
The first option, "IPv6 network", is the IPv6 assignment for the WAN interface; the second, "Delegated IPv6 network", is the network that the CPE/home router should use inside the LAN. (The standard RADIUS attributes for these two roles are Framed-IPv6-Prefix, RFC 3162, and Delegated-IPv6-Prefix, RFC 4818.)

You can also check the MikroTik IPv6 configuration example linked at the beginning of this article. Should you have any questions about IPv6 support in Splynx or want to try it in action, feel free to contact us.

Juniper Radius configuration with variables

This article is the second part of the Juniper MX Radius configuration tutorial – https://splynx.com/4873/radius-juniper-mx-configuration/

In the first article, speed limitations were set by two Juniper Radius attributes

ERX-Ingress-Policy-Name = “{{ tariff_name }}”
ERX-Egress-Policy-Name = “{{ tariff_name }}”

These attributes matched the Juniper firewall filter/policy to the tariff name in Splynx.

There is also a more advanced option in which tariff names and firewall filter names do not have to match at all. The setup is more involved, but also elegant: dynamic-profile variables are used to define the policies and the speed.

RADIUS
Let's start again with the basic Radius configuration (under the [edit access] hierarchy):


profile RAD {
    authentication-order radius;
    domain-name-server {
        8.8.4.4;
        8.8.8.8;
    }
    radius {
        authentication-server 192.168.1.5;
        accounting-server 192.168.1.5;
        options {
            nas-identifier JUN;
            accounting-session-id-format decimal;
        }
    }
    radius-server {
        192.168.1.5 {
            secret "$9$bLYJUjHqPTz7-UiHqQzRhcSvW"; ## SECRET-DATA
            source-address 192.168.1.6;
        }
    }
    accounting {
        order radius;
        immediate-update;
        coa-immediate-update;
        address-change-immediate-update;
        update-interval 10;
        statistics volume-time;
    }
}

Note that the $9$ string on the secret line is JunOS's obfuscated, reversible encoding of the RADIUS shared secret, not a hash: anyone with a copy of the configuration can recover the secret, so treat configuration backups and snippets like this one as sensitive and use a long random secret per NAS.

It is important to apply the access profile at the top level of the configuration:
access-profile RAD

DYNAMIC PROFILE
The second part is defining the dynamic profile that uses variables. The two bandwidth variables are filled from the RADIUS attribute; the other four are derived from them with equals expressions (## is the JunOS string concatenation operator), and the uid keyword makes the resulting filter and policer objects unique per subscriber session. Note that the firewall section shown further below is part of the same svc-local-pppoe profile, which is why the profile's closing brace appears only after it.
svc-local-pppoe {
    variables {
        var-bw-download;
        var-bw-upload;
        var-ff-out-download {
            equals "'INET-' ## $var-bw-download ## '-CLIENT-DOWNLOAD'";
            uid;
        }
        var-ff-in-upload {
            equals "'INET-' ## $var-bw-upload ## '-CLIENT-UPLOAD'";
            uid;
        }
        var-plr-download {
            equals "'plr-' ## $var-bw-download";
            uid;
        }
        var-plr-upload {
            equals "'plr-' ## $var-bw-upload";
            uid;
        }
    }
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                family inet {
                    filter {
                        input "$var-ff-out-download" precedence 100;
                        output "$var-ff-in-upload" precedence 100;
                    }
                }
                family inet6 {
                    filter {
                        input "$var-ff-out-download" precedence 100;
                        output "$var-ff-in-upload" precedence 100;
                    }
                }
            }
        }
    }

As you can see, we can define policies for both IPv4 and IPv6 subscribers. The family inet6 filters reference the same variable names, so matching filters also have to be defined under firewall family inet6; the firewall example below only shows family inet.
The Juniper RADIUS attribute that Splynx should send to the Juniper MX router is:

RADIUS ATTRIBUTE:

ERX-Service-Activate:1 = "svc-local-pppoe(3072000,2048000)"

where 3072000 is the download speed and 2048000 the upload speed (JunOS bandwidth-limit takes a plain number as bits per second).
It means that Juniper sets var-bw-download = 3072000 and var-bw-upload = 2048000, then evaluates var-ff-out-download and var-ff-in-upload and uses them as the input and output filter names on the pp0 interface. Keep in mind that on the subscriber's pp0 unit an input filter sees traffic received from the subscriber and an output filter sees traffic sent to the subscriber, so check which policer lands on which direction (for example with show subscribers and the interface counters) before rolling this out.
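As an added example (not Splynx or Juniper code), the following Python functions parse the ERX-Service-Activate value the way the profile consumes it and reproduce the equals expressions from the variables section, so you can see which filter and policer names a given tariff produces and reject malformed values before they reach the router. The accepted syntax (a profile name followed by two positive decimal parameters) is an assumption about what you consider valid.

```python
"""Parse the ERX-Service-Activate value and reproduce the profile's variable expansion.

Added example, not Splynx or Juniper code. The accepted syntax (profile name,
two positive decimal parameters) is an assumption about what we consider valid.
"""
import re

# profile-name(download,upload), matching the order of the profile's variable list
SERVICE_RE = re.compile(r"^(?P<profile>[A-Za-z0-9_-]+)\((?P<down>\d+),(?P<up>\d+)\)$")


def parse_service_activate(value):
    """Return (profile, download_bps, upload_bps) or raise ValueError."""
    match = SERVICE_RE.match(value)
    if not match:
        raise ValueError(f"malformed ERX-Service-Activate value: {value!r}")
    down, up = int(match["down"]), int(match["up"])
    if down <= 0 or up <= 0:
        raise ValueError("bandwidth-limit needs a positive number of bits per second")
    return match["profile"], down, up


def is_valid_service_activate(value):
    """Boolean form of the check above, handy for validating tariff data before it is sent."""
    try:
        parse_service_activate(value)
        return True
    except ValueError:
        return False


def expand_variables(down, up):
    """Mirror the equals expressions of svc-local-pppoe (## concatenates in JunOS).

    The uid keyword on the derived variables makes each instantiated filter and
    policer unique per subscriber session; only the base names are modelled here.
    """
    return {
        "var-bw-download": str(down),
        "var-bw-upload": str(up),
        "var-ff-out-download": f"INET-{down}-CLIENT-DOWNLOAD",
        "var-ff-in-upload": f"INET-{up}-CLIENT-UPLOAD",
        "var-plr-download": f"plr-{down}",
        "var-plr-upload": f"plr-{up}",
    }


def expand_service_activate(value):
    """Full pipeline: attribute value -> profile name and the variables Juniper derives."""
    profile, down, up = parse_service_activate(value)
    return profile, expand_variables(down, up)


if __name__ == "__main__":
    profile, variables = expand_service_activate("svc-local-pppoe(3072000,2048000)")
    print(profile)
    for name, val in variables.items():
        print(f"  {name} = {val}")
```

The strict regular expression is deliberate: the attribute value is interpreted by the router as a parameter list, so only the characters you expect (letters, digits, dash, underscore and the two numbers) should ever be accepted from the billing side.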

SETTING FIREWALL
The last step is to define the filter rules and policers, still inside the svc-local-pppoe profile:


    firewall {
        family inet {
            filter "$var-ff-in-upload" {
                interface-specific;
                term POLICE {
                    then {
                        policer "$var-plr-upload";
                        service-accounting;
                        service-filter-hit;
                        accept;
                    }
                }
                term SERVICE-FILTER-HIT {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
            }
            filter "$var-ff-out-download" {
                interface-specific;
                term POLICE {
                    then {
                        policer "$var-plr-download";
                        service-accounting;
                        service-filter-hit;
                        accept;
                    }
                }
                term SERVICE-FILTER-HIT {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
            }
        }
        policer "$var-plr-download" {
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit "$var-bw-download";
                burst-size-limit 1m;
            }
            then discard;
        }
        policer "$var-plr-upload" {
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit "$var-bw-upload";
                burst-size-limit 1m;
            }
            then discard;
        }
    }
}

$var-plr-download and $var-plr-upload are created from the values carried in the Juniper RADIUS attribute ERX-Service-Activate:1. We create dynamic policers with these values and then apply them in the dynamic filters. The final closing brace above closes the svc-local-pppoe profile.

If you have any questions regarding Juniper Radius configuration, please feel free to ask us at support@splynx.com

Radius Juniper MX configuration

Juniper Networks is one of the leading vendors of networking equipment. Together with Cisco, Juniper defines where networks are moving. The company sells different solutions, from routers and switches up to software-defined products such as OpenContrail.

In Internet provider’s network, Juniper is mainly used as a BRAS equipment (broadband remote access server). The MX series routers ideally fit as BRAS with the ability to process gigabits and hundreds of gigabits of traffic together with providing such access services as PPPoE, bandwidth limitation, policing and NAT.

We have deployed Splynx in different networks running on Juniper MX80, MX104 and MX960 routers. JunOS versions from 14 to 18.
The configuration below should work on any MX router and is based on a combination of Dynamic profiles and Policy names.

1. RADIUS SERVER definition
In the first step we define the access profile and describe the Radius configuration. The Radius server IP is 192.168.1.5 and the Juniper router IP is 192.168.1.6.

access {
    profile Splynx {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 192.168.1.5;
            accounting-server 192.168.1.5;
            options {
                nas-identifier JUN;
                accounting-session-id-format decimal;
            }
        }
        radius-server {
            192.168.1.5 {
                secret "$9$TFCuIEyMWxO1hSrlMWJGUHP5TQ3/ApmPO1Rcle"; ## SECRET-DATA
                timeout 300;
                retry 3;
                max-outstanding-requests 1000;
                source-address 192.168.1.6;
            }
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
            immediate-update;
            coa-immediate-update;
            update-interval 10;
            statistics volume-time;
        }
    }
}

The next line in the configuration applies the access profile Splynx at the top level of the Juniper MX configuration:

access-profile Splynx;

2. DYNAMIC PROFILES
The next step is to define the dynamic profiles. This configuration can be a bit tricky and complex, depending on how complex your overall setup is: how the VLANs are organized, whether there are port aggregations, or whether the PPPoE services run directly on Gigabit and 10G Ethernet interfaces. The example below shows a PPPoE profile ready for dynamic VLANs running on the aggregated interface ae0.

dynamic-profiles {
    PPPOE {
        interfaces {
            demux0 {
                interface-mib;
                unit "$junos-interface-unit" {
                    vlan-id "$junos-vlan-id";
                    family pppoe {
                        duplicate-protection;
                        dynamic-profile ppp-profile;
                        max-sessions 16000;
                    }
                }
            }
        }
    }
    ppp-profile {
        interfaces {
            pp0 {
                interface-mib;
                unit "$junos-interface-unit" {
                    no-traps;
                    ppp-options {
                        pap;
                    }
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    keepalives interval 30;
                    family inet {
                        rpf-check;
                        filter {
                            input "$junos-input-filter";
                            output "$junos-output-filter";
                        }
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}

A few words about the configuration above: as you can see, the dynamic profile ppp-profile is nested into the other dynamic profile PPPOE. The speed limitation filters are applied in the dynamic profile ppp-profile on interface pp0 through the $junos-input-filter and $junos-output-filter variables, which are filled from the RADIUS policy-name attributes in step 4. The rpf-check keyword enables unicast RPF on the subscriber interface, so a customer cannot send traffic from source addresses that were not assigned to the session.
When the dynamic profiles are defined, we apply the profile PPPOE on the ae0 interface:

ae0 {
    description "PPPOE LINK aggregation";
    flexible-vlan-tagging;
    auto-configure {
        vlan-ranges {
            dynamic-profile PPPOE {
                accept pppoe;
                ranges {
                    100-200;
                }
            }
        }
        remove-when-no-subscribers;
    }
    mtu 4000;
    encapsulation flexible-ethernet-services;
    aggregated-ether-options {
        lacp {
            active;
        }
    }
}

3. SPEED LIMITATIONS
The last step in the configuration is to define the firewall filter and policers that control the subscriber's bandwidth.
Here is an example of the filter and policer for a 10 Mbps plan (the same filter name is sent for both directions, so upload and download are limited to the same rate):

firewall {
    family inet {
        filter 10Mbps {
            interface-specific;
            term 1 {
                then {
                    policer p_10Mbps_limit;
                    accept;
                }
            }
        }
    }
    policer p_10Mbps_limit {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1m;
        }
        then discard;
    }
}

4. JUNIPER RADIUS ATTRIBUTES
The attributes that set the filter names in the RADIUS Access-Accept are:

ERX-Ingress-Policy-Name = "{{ tariff_name }}"
ERX-Egress-Policy-Name = "{{ tariff_name }}"

These attributes are configured in Splynx -> Config -> Radius -> Selection of NAS type -> Juniper -> Rate-limit attributes
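To make the wire format concrete, here is an added Python example (not Splynx code) that encodes and decodes the Juniper Vendor-Specific attributes used by this article and by the companion article on variables: the two policy-name attributes and the tagged ERX-Service-Activate. The vendor ID 4874 and the vendor attribute numbers 10, 11 and 65 are taken from the FreeRADIUS dictionary.erx as I recall them and are not on this page; verify them against the dictionary your RADIUS server uses.

```python
"""Encode and decode the Juniper (ERX) Vendor-Specific RADIUS attributes.

Added example, not Splynx code. Vendor ID 4874 and the attribute numbers 10, 11
and 65 are as found in the FreeRADIUS dictionary.erx; verify against your own
dictionary before relying on them.
"""
import struct

RADIUS_VENDOR_SPECIFIC = 26      # RFC 2865 attribute type
JUNIPER_ERX_VENDOR_ID = 4874     # Unisphere/Juniper ERX vendor ID (dictionary.erx)
ERX_INGRESS_POLICY_NAME = 10
ERX_EGRESS_POLICY_NAME = 11
ERX_SERVICE_ACTIVATE = 65        # tagged string (RFC 2868 style tag byte)


def encode_vsa(vendor_type, value, tag=None):
    """One Vendor-Specific attribute carrying a single ERX sub-attribute.

    Layout: Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length String.
    For tagged attributes the string is preceded by a one-byte tag.
    """
    payload = (bytes([tag]) if tag is not None else b"") + value.encode("ascii")
    vendor_len = 2 + len(payload)
    total_len = 6 + vendor_len
    if total_len > 255:
        raise ValueError("value does not fit into a single RADIUS attribute")
    return struct.pack("!BBIBB", RADIUS_VENDOR_SPECIFIC, total_len,
                       JUNIPER_ERX_VENDOR_ID, vendor_type, vendor_len) + payload


def decode_vsa(data):
    """Inverse of encode_vsa: return (vendor_type, tag_or_None, value).

    Every length field is checked against the buffer, since a RADIUS parser that
    trusts the on-wire lengths is the classic place for an out-of-bounds read.
    """
    if len(data) < 8:
        raise ValueError("too short for a Vendor-Specific attribute")
    attr_type, attr_len, vendor_id, vendor_type, vendor_len = struct.unpack("!BBIBB", data[:8])
    if attr_type != RADIUS_VENDOR_SPECIFIC or attr_len != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if vendor_id != JUNIPER_ERX_VENDOR_ID or vendor_len != attr_len - 6:
        raise ValueError("unexpected vendor or inconsistent vendor length")
    payload = data[8:]
    if vendor_type == ERX_SERVICE_ACTIVATE:
        if not payload:
            raise ValueError("tagged attribute without tag byte")
        return vendor_type, payload[0], payload[1:].decode("ascii")
    return vendor_type, None, payload.decode("ascii")


def rate_limit_attributes(tariff_name):
    """The two policy-name attributes from this article, for a tariff/filter name."""
    return [encode_vsa(ERX_INGRESS_POLICY_NAME, tariff_name),
            encode_vsa(ERX_EGRESS_POLICY_NAME, tariff_name)]


def service_activate_attribute(profile, download_bps, upload_bps, tag=1):
    """The ERX-Service-Activate:<tag> attribute from the companion article on variables."""
    return encode_vsa(ERX_SERVICE_ACTIVATE, f"{profile}({download_bps},{upload_bps})", tag=tag)


if __name__ == "__main__":
    for attr in rate_limit_attributes("10Mbps"):
        print(attr.hex(), decode_vsa(attr))
    svc = service_activate_attribute("svc-local-pppoe", 3072000, 2048000)
    print(svc.hex(), decode_vsa(svc))
```

The hex dump produced by the usage block is what you should see inside the Access-Accept in a packet capture between Splynx and the MX; the leading 1a is attribute type 26 and the four bytes after the length are the vendor ID.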

The tariff name in Splynx should be set to "10Mbps", as shown in the picture below; it has to match the filter name character for character, because it is the filter name that Juniper looks up when the subscriber logs in.

Should you have any questions regarding Juniper MX configuration or further information is needed, please contact us or schedule a call with our engineer.

Case study – Fitel Network S.L.

Fitel Networks is a company from Catalunya, Spain. The company has had its own wireless network for 2 years with over 1,000 subscribers connected.

At the end of 2017, the Fitel team started to deploy fibre optics. Fibre was installed in the main urban locations of the city of Lloret de Mar. The topology the technical management team decided to use is FTTH and FTTB with GPON technology. Currently the network is designed to connect over 10,000 fibre ONT devices. Services provided to end-users include VoIP and mobile connections. The company connects businesses and residential customers that pay on a monthly (recurring) basis, and has a number of customers who come to Lloret de Mar for a vacation and pay for services in prepaid mode.

The Fitel network was optimized by deploying the Splynx ISP billing system, redesigning the core network to allow 10G throughput, registering an AS and IPv4 address space, and deploying BGP services for their customers.

“Many hours of work, some days without sleep, all efforts are rewarded by the core of Fitel Network, which is prepared to compete with the big operators in IP traffic of 10G, implementation of BGP, OSPF, PPPOE servers, routing, implementation of security policies, and also the implementation of the software for ISP. A special thanks to SPLYNX team, Alex Vishnyakov and Paul Gerhardt for their dedication and for believing in this great project.”
Erwin Cárdenas Barrera, General Director & CEO of Fitel Network S.L.

Let us describe how it started and the whole process.

In the middle of 2018, Fitel Networks asked our team to install and deploy the Splynx billing software. During installation and implementation we noticed that the main MikroTik CCR router was having some strange issues: PPPoE users were continuously disconnecting, packets were being lost and the router's behaviour was unstable. Fitel's technical officer Paul Gerhardt asked us to investigate whether the problem was caused by the Splynx software, but we knew that Splynx can reconnect PPPoE sessions in only one case: when an administrator sends a CoA or the 'kill session' command. Our engineers were aware of this and started to analyse the network design.

The company had Huawei MA5608 OLT equipment installed, which worked in bridge mode, terminating all PPPoE connections on a MikroTik CCR1036 router. This router was performing the role of PPPoE concentrator and NAT server. When the network had only wireless customers at around 800 Mbps the router performed well, but when the first few hundred GPON customers were connected, the router's traffic reached 1.4 Gbps and the issues started.

The main issue was that once a day at around 4pm several customers reconnected their PPPoE sessions, which caused the CPU load to jump from 30% to 100%; as a result, the router stopped responding to new PPPoE requests and also started to disconnect dozens of already-connected PPPoE customers.

A short investigation by our team showed that NAT connection tracking, combined with a large number of PPPoE sessions and the resulting high traffic, caused this issue. We offered Fitel Networks our network redesign and optimization service.

The initial topology looked as follows:

1. Wireless network. All users connect through the network over L2 bridges up to the CCR router. Customers have UBNT or MikroTik CPE equipment that works as a transparent bridge. Each customer has a TP-Link or MikroTik router installed on the premises which establishes the PPPoE connection and also connects the end users' devices to their home Wi-Fi network.
2. Fibre network. A Huawei MA5608 OLT is connected to the MikroTik CCR router with two Gigabit interfaces. The interfaces are bonded using LACP. The company planned to migrate to 10G interfaces and was waiting for the module car
3. MikroTik CCR1036. The router was connected via a 10G port to the uplink, with the PPPoE and NAT server running on it.

Our team has experience designing ISP networks for loads over 10G. We have built and optimized several wireless and fibre networks, and it is one of the services a customer can get from us when deploying the Splynx ISP software. The main point of the whole optimization was to move the load off the one main MikroTik router and share it between different equipment. There was also another reason: to replace a MikroTik router, which routes in software on the CPU, with a hardware-accelerated router such as Juniper, Alcatel or Cisco.

Fitel Network's IT team has MikroTik knowledge, however, so staying on that platform kept the change painless. We decided to use more than one MikroTik router, add switches to build a redundant L2 topology, and share the load between the different equipment.

The result of the redesign and optimization is the following logical topology (drawn in visualization software):

Equipment that was installed:

A MikroTik CCR1036 router acts as the BGP and NAT router.

A MikroTik CRS317 (16 SFP+ ports) is the core switch: the 10G uplinks, the BGP router and all three PPPoE routers are connected to it via 10G ports. An identical switch is installed right next to the first one as a cold backup: it has exactly the same configuration and the same number of ports, ready to be swapped in if the first switch fails.

3x MikroTik CCR1036 routers work as PPPoE servers to which the fibre and wireless clients connect.

A MikroTik CRS328 (24 ports + 4 SFP ports) acts as the distribution switch. The GPON OLT and the links coming from the wireless towers are connected to it, and the PPPoE routers' downlinks are plugged into this switch as well.

The BGP router announces the public prefixes to the Internet and routes traffic between the two Internet providers; the uplinks are 10G lines. Each PPPoE router has its own private 172.16.x.x network from which it assigns IP addresses to private and prepaid customers. This means that the BGP router has three static routes to these networks, each pointing to the proper PPPoE router.

The PPPoE servers are connected to the same switch on the same VLANs, which means that users from the fibre and wireless networks can connect to any of the three PPPoE servers at the same time. The advantage of this approach is scalability and failover: if one router fails, customers automatically reconnect to the two remaining PPPoE routers.

The PPPoE routers are linked to the Splynx RADIUS server. When a customer connects to router1, he gets an IP address from the pool dedicated to that particular router.

Public IP addresses are a different story. In this case the customer has a static IP address, which means that physically he can connect to any of the PPPoE servers.

So that the BGP router knows where to send the traffic, we activated OSPF on three links, one between each PPPoE concentrator and the BGP router. The PPPoE customers' IPs are redistributed into OSPF as connected routes as soon as they connect to the Internet. It is important to set the routing filters correctly: only public /32 host routes are allowed into the routing table, and the private pool addresses are not redistributed into OSPF at all, otherwise thousands of private /32 routes that the static routes already cover would needlessly fill the OSPF database and the routing tables.
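As an added illustration (not the customer's router configuration), the following Python snippet expresses the redistribution rule above as a function over candidate routes, with a stricter check than the wording in the text: a route is exported only if it is a /32, is not in an RFC 1918 range and falls inside one of the ISP's own announced aggregates. The aggregate and the route list are constructed sample data using the RFC 5737 documentation ranges.

```python
"""Redistribution filter for the per-concentrator OSPF export described above.

Added illustration, not the customer's router configuration. The aggregate and the
candidate routes are constructed sample data (RFC 5737 documentation ranges).
"""
from ipaddress import ip_network

# Public aggregates the BGP router announces (assumed sample value).
PUBLIC_AGGREGATES = [ip_network("203.0.113.0/24")]

# RFC 1918 ranges, checked explicitly: ipaddress.is_private also flags the
# documentation ranges used in this sample as private, which would hide the point.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Connected routes a PPPoE concentrator might try to export (constructed sample).
CANDIDATE_ROUTES = [
    "203.0.113.17/32",   # static public customer IP: must be exported
    "172.16.1.45/32",    # dynamic private pool IP: covered by the static route, keep it out
    "203.0.113.0/25",    # not a host route: would mask the per-concentrator /32s
    "198.51.100.9/32",   # public but not ours: a pool or customer misconfiguration
]


def export_to_ospf(route, aggregates=PUBLIC_AGGREGATES):
    """True only for /32 host routes that are not RFC 1918 and lie inside our aggregates."""
    net = ip_network(route, strict=True)
    if net.prefixlen != 32:
        return False
    if any(net.subnet_of(private) for private in RFC1918):
        return False
    return any(net.subnet_of(agg) for agg in aggregates)


def exported_routes(routes, aggregates=PUBLIC_AGGREGATES):
    """Apply the filter to a list of routes; returns (accepted, rejected)."""
    accepted = [r for r in routes if export_to_ospf(r, aggregates)]
    rejected = [r for r in routes if r not in accepted]
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = exported_routes(CANDIDATE_ROUTES)
    print("exported:", ok)
    print("filtered:", dropped)
```

The last rule (inside our own aggregates) is the one worth adding on the real routers: a /32 that is public but outside what the BGP router announces will never receive return traffic from the Internet anyway, and its appearance in OSPF is a sign of a mistyped static IP or a wrong pool.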


HTTPS/SSL installation

Here at Splynx we are working intensively on the configuration part of the system. Many things that used to be configurable only via the CLI have been moved into the Splynx GUI configuration. One such example is HTTPS activation and SSL certificate installation.

You should always protect the Splynx server with HTTPS, even if it is used only inside the ISP network. HTTPS provides confidentiality and integrity for the traffic between the browser and the server, and therefore for your administrators' credentials and your users' personal information; without it, anyone on the network path can read or modify that traffic.

From Splynx release 2.1, the HTTPS/SSL option can be found under Config -> Main -> HTTPS / SSL

Splynx allows you to import your existing certificate, issued by a public certificate authority. In this case the administrator uploads the SSL private key and the certificate. The private key must stay secret: do not send it by e-mail or keep it in shared folders.

If you do not have a certificate, you can request a free Let's Encrypt certificate via the Splynx configuration. Click on Let's Encrypt and save. It is important to enter the domain name or subdomain that is linked to your Splynx server (point the A record in your DNS settings to the Splynx server's public IP address): Let's Encrypt validates the request by connecting to that name, so the name has to resolve publicly and the server has to be reachable from the Internet under it.

Now you are two steps away from getting SSL up and running: click Validate to obtain the SSL certificate and then Activate to enable HTTPS. As a result you should see all status messages highlighted in green.

From now on Splynx runs over a secure connection. Let's Encrypt is a trusted free, automated and open certificate authority; its certificates are valid for 90 days, so keep an eye on renewal.


Should you have any questions regarding SSL/HTTPS installation or further information is needed, please contact us or schedule a call with our engineer.