IPv6 CPE and Home routers support

The configuration of PPPoE servers and an introduction to IPv6 are described in two articles; please read them first if you want to configure the ISP part: https://splynx.com/5665/splynx-ipv6-support/ and https://splynx.com/5684/mikrotik-ipv6-configuration/

This article shows configuration examples for 3 different CPEs from 3 different vendors. We have selected IPv6 routers that are used in the networks of Splynx customers. The IPv6 home router models are: TP Link 450, Nucom 8800AC and any RouterOS-based Mikrotik router.
Below is a typical scheme of a CPE or home router connection to the ISP with PPPoE and IPv6 enabled.

Let’s take a look at the setup. There are two interfaces configured: one is the WAN interface that connects to the uplink, and the second is a LAN interface that usually works as a bridge uniting all physical LAN interfaces, Ethernet and WiFi.

1. WAN connection
The uplink interface is configured with a PPPoE client. The PPPoE client connects to the PPPoE server, and communication between the home router and the ISP router runs over IPv6 link-local addresses. It’s also possible to assign a public IPv6 address to the home router; we don’t use it in our configs, to keep them simple. The router’s public IPv6 address will be available on the LAN interface, and this IP can be used to access the router.

When the PPPoE client connection is established, our home router receives an IPv6 LAN prefix, which is called the delegated IPv6 prefix. The home router should configure an IPv6 address on its LAN interface, which will work as the default gateway for all our devices.
When IPv6 on the LAN is configured, our router should start announcing IPv6 to the LAN network (similar to what DHCP does in the IPv4 world). LAN environments almost always use IPv6 stateless address autoconfiguration, which is called SLAAC and is based on the IPv6 Neighbor Discovery protocol (ND).

In the picture above, the router has established a PPPoE connection and received a /64 IPv6 pool, 2a0f:f041:1000:1::/64. This pool will be used for LAN devices, and all devices will create their own IPv6 addresses from that pool.

As you remember, while an IPv4 address is 32 bits split into 4 octets, an IPv6 address is 128 bits split into 8 parts, each containing 16 bits of information. A run of 16-bit parts that contain only zeros can be merged with the :: symbol. It means that the network 2a0f:f041:1000:1::/64 that is allocated to the router is equal to 2a0f:f041:1000:1:0:0:0:0/64, but we cut the last 4 zero parts to make the network notation shorter.

2. LAN connection.
In our example, the home router uses the first IP from the received /64 pool. It means that it automatically assigns the IP ::1 to its LAN interface. This setup is available in Mikrotik routers; other routers will automatically generate an IP on their LAN interfaces. So, in the case of Mikrotik, the IP 2a0f:f041:1000:1::1 is used on the LAN interface and this IP will become the default gateway for all home devices.
Home devices with IPv6 support have SLAAC enabled on their Internet interfaces, get the IPv6 ND information and create their own IPv6 address.
The following example shows the configuration on Mikrotik RouterOS. The window on the left side shows the PPPoE client interface configuration, where we say that a prefix should be requested from the PPPoE server. The received prefix is called LAN and is stored in IPv6 pools. The second window shows that the IPv6 address on the LAN interface is configured from the prefix LAN, and EUI64 will be used to create the IPv6 LAN address. The important flag is “Advertise”, which enables SLAAC and ND on the interface, so end devices will be able to get IPv6.

If we want to use the IP 2a0f:f041:1000:1::1 on the LAN interface instead of the ugly generated IP, then just disable EUI64 and set up the IP as in the example below.
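The difference between the two LAN address choices, worked through in Python as an added example that is not part of the original article: with EUI64 enabled the interface identifier is derived from the interface MAC address (and the MAC can be read back from the address), with EUI64 disabled the fixed host part ::1 is used. The prefix is the one from the article; the MAC address is a constructed sample.

```python
import ipaddress
import re
from typing import Optional

# Delegated prefix from the article; the MAC address is a constructed sample.
DELEGATED_PREFIX = "2a0f:f041:1000:1::/64"
SAMPLE_MAC = "4c:5e:0c:12:34:56"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier built from a 48-bit MAC (RFC 4291)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}", mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray(int(part, 16) for part in re.split(r"[:-]", mac))
    octets[0] ^= 0x02  # flip the universal/local bit
    # Insert ff:fe between the vendor half and the device half of the MAC.
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")


def lan_address(prefix: str, mac: Optional[str] = None,
                host: int = 1) -> ipaddress.IPv6Interface:
    """LAN address with EUI-64 (mac given) or with a fixed host part such as ::1."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 and SLAAC need a /64 prefix")
    iid = eui64_interface_id(mac) if mac else host
    addr = ipaddress.IPv6Address(int(net.network_address) | iid)
    return ipaddress.IPv6Interface(f"{addr}/64")


def mac_from_address(address: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if there is none."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    generated = lan_address(DELEGATED_PREFIX, mac=SAMPLE_MAC)
    fixed = lan_address(DELEGATED_PREFIX)
    print("EUI64 enabled :", generated, "-> MAC", mac_from_address(str(generated.ip)))
    print("EUI64 disabled:", fixed, "-> MAC", mac_from_address(str(fixed.ip)))
```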

Now the Mikrotik CPE/home router is configured and devices will get access to the IPv6 Internet.

Let’s check the configuration of TP Link. The configuration is much simpler compared to Mikrotik. We must be sure that the firmware supports IPv6; many older TP Link devices are not able to work with IPv6. But the devices that support IPv6 are configured in a similar way to Mikrotik: enable IPv6 on the PPPoE interface, and it will create an IPv6 address on the LAN with SLAAC enabled.

The Nucom 8800AC Fiber ONT router also has a similar one-step configuration: PPPoE with IPv6 enabled, and then IPv6 is configured on the LAN and SLAAC is enabled to connect end-user devices.

And the configuration of NUCOM is shown below

 


Should you have any questions regarding IPv6 and CPE management in Splynx feel free to contact us!

Mikrotik IPv6 configuration

This topic describes how to configure a Mikrotik router to act as a PPPoE server with IPv6 enabled. The configuration of IPv6 in general is described in the article https://splynx.com/5665/splynx-ipv6-support/ and the IPv6 home router configuration can be found here: https://splynx.com/5747/ipv6-cpe-and-home-routers-support/

The first tests were started with RouterOS version 6.42.6. Unfortunately, versions prior to 6.43 don’t support the Radius Delegated IPv6 attribute at all, and 6.43 doesn’t support DHCPv6 accounting, so please upgrade to RouterOS version 6.46.1 or later.

When the router is upgraded, we can work on PPPoE server configuration.

As the first step, a Mikrotik PPPoE server with Radius authentication should be created. Below is a screenshot of the PPPoE server configuration on RouterOS.

Please note that an IPv6 pool should be selected, and this is important. It is the IPv6 network that we use on the PPPoE server. Customers should receive IPv6 delegated prefixes from this pool. At the moment (version 6.46 of Mikrotik), the Radius server is not able to assign a Delegated-IPv6 network to the PPPoE customer.
That’s why the pool has to be defined under IPv6 pools; then, when the customer is online, Splynx grabs the used IPv6 network from Radius accounting packets and stores the information in its own database.

Below is a link to a petition that asks Mikrotik to support Delegated-IPv6-Prefix correctly.
Currently, the attribute can be sent from Radius to the Mikrotik PPPoE server in the Access-Accept message, but it is ignored by the router.
When the IPv6 prefix is delegated from the IP pool inside the Mikrotik PPPoE settings, the attribute Delegated-IPv6-Prefix is sent back to Radius in Accounting packets, informing it that the customer got a certain IPv6 delegated pool.

https://www.change.org/p/wisp-the-implementation-of-radius-delegated-ipv6-prefix-for-mikrotik-pppoe-servers

Unfortunately, there is no way to assign a public IPv6 address to the customer’s WAN PPPoE interface via the Radius server. The lack of this feature is not that crucial, because PPPoE works well on link-local addresses, but we think that it should also be available in the Mikrotik Radius implementation.

Regarding Splynx configuration: the customer’s Internet service should be configured with empty IPv6 and Delegated IPv6 fields. The IPv6 appears in the customer’s online session and is stored in the logs and statistics. Radius-based simple queues are applied to the PPPoE tunnel, and no additional queue is needed for IPv6 traffic. Below is a screenshot of such sessions.

 

 

Another way to check the IPv6 prefixes that were assigned to CPE devices is to check the DHCPv6 server leases in Mikrotik.
Below is an example of DHCPv6 active leases.

The next question is: how to block IPv6 traffic? Usually, IPv4 traffic is blocked when the customer’s IP address is put into an address list and the traffic is redirected. The other option is to assign the customer an IP address from a special pool for blocked subscribers. This configuration cannot be achieved with IPv6, because currently Radius cannot assign the special pool or otherwise manipulate the end user’s IPv6.

The only possible option is to have several profiles configured in the Mikrotik PPPoE server. The profile can be sent from Radius to the Mikrotik PPPoE router via the attribute Mikrotik-Group. Here is a description of the attribute from the Mikrotik website:
Mikrotik-Group – Router local user group name (defined in /user group) for local users; HotSpot default profile for HotSpot users; PPP default profile name for PPP users.

In this case, we will define two profiles, default and block, with two different IPv6 pools. The default profile is used for authenticated users, and the block profile is assigned to locked or non-authenticated customers.
These two profiles should be defined in the Splynx Radius blocking attributes; please follow the screenshot below.

The second option for blocking customers is to use the Mikrotik-Delegated-IPv6-Pool attribute: instead of choosing and configuring different profiles, it’s possible to set the name of the pool that should be used for a blocked customer. For example, a customer that is active will get an IP from the pool “default”, and when blocked will get IPv6 from the pool “blocked”.

 

Mikrotik as CPE or home router with IPv6
Mikrotik can act as a home router or CPE with IPv6 support enabled. First of all, we need to activate the IPv6 package, which is always disabled by default.

Let’s imagine that we have one WAN interface with a pppoe-client and a bridge configured for the LAN interfaces.
After activating the pppoe interface and setting the user/password there, we should enable a DHCPv6 client on the pppoe-client interface. The DHCPv6 client should receive the delegated prefix from the PPPoE router (yes, it sounds weird, but there is a DHCP client running over the PPPoE client for IPv6, because natively there is no way to provide a delegated prefix to the home router).
Please don’t forget to configure the pool name and then create the IP address assignment with SLAAC on the LAN interface. It is best just to copy and paste the configuration shown on the screenshot below 🙂

 

Should you have any questions related to IPv6 configuration or you want to try Splynx in action, feel free to contact us.

Splynx IPv6 support

Starting from version 3.0, Splynx has native IPv6 support. In this topic we will cover 3 main areas of IPv6 deployment:
1. IPv6 address management in Splynx;
2. Activation of IPv6 in ISP infrastructure;
3. IPv6 assignments to end-users.

If you want to know more about Mikrotik IPv6 configuration or home router IPv6 configuration, please read the following articles:
https://splynx.com/5684/mikrotik-ipv6-configuration/
https://splynx.com/5747/ipv6-cpe-and-home-routers-support/

IPv6 address management
In Splynx, IPv6 management is similar to IPv4 network management. Under Networking there is an IPv6 networks submenu with the ability to add a network, show available networks and display the usage details of each network.

 

 

In the selected example, we have added a /32 IPv6 network. It is the network that is usually assigned to the ISP company by the local registry.

From the /32 network we can choose /48 networks and route them to a certain site or PPPoE concentrator. In total, a /32 network consists of 65536 /48 networks. It means that we can have up to 65k different high-sites or PPPoE/DHCP NAS routers. Each NAS, PPPoE server or DHCP server (depending on your topology and authentication method) can connect up to 65k subscribers. A /64 network is always delegated to the end user’s LAN network or CPE. Inside one /48 IPv6 network there are 65536 /64 networks.

We recommend this basic IPv6 topology design for small and medium-size ISP networks. Of course, there are plenty of other IPv6 planning options that can be found on the Internet, but all these IP plans are quite complicated and just bring more complexity to IPv6 address deployment.

In our example, we have received the network 2a0f:f041::/32 from RIPE NCC.
We decided to dedicate one /48 network to infrastructure needs: 2a0f:f041:f::/48.
PPPoE concentrators will assign IPs from the ranges 2a0f:f041:1000::/48 and 2a0f:f041:2000::/48.
If we have more PPPoE servers, we can use IP networks like 2a0f:f041:1100::/48 or 2a0f:f041:1011::/48 or 2a0f:f041:3050::/48. Actually we used 4-5 /48 IPv6 networks to cover all our NAS routers and infrastructure. And there are still over 65k IPv6 /48 networks left.

As was mentioned above, customers receive /64 prefixes. From these prefixes the CPE/home router creates a pool (similar to LAN IP pools in the IPv4 world), and IPs from this pool will be assigned to end devices.

Below is an example of how IPv6 appears in Splynx IPv6 networks when a CPE gets a /64 prefix delegated:
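The address plan above can be checked mechanically. The following Python sketch is an added example, not part of the original article or of Splynx: it audits the /48 allocations against the /32 block, confirms the 65536 figures, and maps a delegated /64 (for instance one read from a Radius accounting record) back to the concentrator pool it came from. The pool names are labels chosen for this example.

```python
import ipaddress

# Address plan from the article; the pool names are labels chosen for this example.
ISP_BLOCK = "2a0f:f041::/32"
PLAN = {
    "infrastructure": "2a0f:f041:f::/48",
    "pppoe-1": "2a0f:f041:1000::/48",
    "pppoe-2": "2a0f:f041:2000::/48",
}


def audit_plan(block, plan):
    """Return a list of problems: wrong size, outside the ISP block, or overlapping.

    IPv6Network() is strict, so an entry with host bits set raises ValueError.
    """
    parent = ipaddress.IPv6Network(block)
    nets = {name: ipaddress.IPv6Network(cidr) for name, cidr in plan.items()}
    problems = []
    for name, net in nets.items():
        if net.prefixlen != 48:
            problems.append(f"{name}: expected a /48, got /{net.prefixlen}")
        if not net.subnet_of(parent):
            problems.append(f"{name}: {net} is outside {parent}")
    names = sorted(nets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if nets[first].overlaps(nets[second]):
                problems.append(f"{first} overlaps {second}")
    return problems


def capacity(parent, child_len):
    """Number of /child_len networks that fit into the parent network."""
    return 2 ** (child_len - ipaddress.IPv6Network(parent).prefixlen)


def locate(prefix, plan):
    """Name of the pool a delegated prefix belongs to, or None if it is unplanned."""
    net = ipaddress.IPv6Network(prefix)
    for name, cidr in plan.items():
        if net.subnet_of(ipaddress.IPv6Network(cidr)):
            return name
    return None


if __name__ == "__main__":
    print("problems:", audit_plan(ISP_BLOCK, PLAN))
    print("/48 networks in the /32:", capacity(ISP_BLOCK, 48))
    print("/64 networks per /48:", capacity(PLAN["pppoe-1"], 64))
    print("2a0f:f041:1000:1::/64 ->", locate("2a0f:f041:1000:1::/64", PLAN))
```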

 

Activation of IPv6 in infrastructure
Okay, we have designed a simple IPv6 address plan. Let’s recap what should be done during the first phase of IPv6 deployment:
1. BGP peering configured on IPv6 addresses.
2. IPv6 network announced to BGP and BGP filters configured.
3. Internal connections between infrastructure routers established on subnetworks from 2a0f:f041:f::/48. Actually all traffic can be routed between routers using link-local IPv6 addresses, but we have enabled IPs from the range 2a0f:f041:f::/48 on our routers to check IPv6 visibility to and from outside.
4. Static routes to 2a0f:f041:1000::/48 and 2a0f:f041:2000::/48 created from the BGP infrastructure to the PPPoE routers.

IPv6 assignments to the end users
When all of the above is working, we can start with the trickiest part of IPv6 deployment: assigning IPv6 to the end users.
Almost everywhere, end users have their own wireless router that connects their devices to the Internet.
Below is the connection topology of an advanced home user who has one router and two access-point bridges with many devices, such as PCs and phones.

As we can see in this topology, the SOHO router has one public IPv4 address on its WAN interface and one IPv4 address from the LAN range 192.168.0.0/24 that is used as the default gateway for all devices at home. It’s obvious that the router acts as a NAT server in this scenario: all home devices leave the LAN and connect to the Internet from one public IP, and all traffic is sent back to the network via this single public IP address.

The IPv6 world has no NAT. It means that the CPE or SOHO/home router should route a public IPv6 network instead of a private range. How will a small home office router know which IPv6 network it should use and route? It is the job of the ISP’s equipment to tell this to the CPE/home router.
In general, the ISP router assigns an IPv6 address to the WAN interface in the same way as it did with the IPv4 address, but it should also assign a “LAN” network. This is called the Delegated IPv6 network, and it is a network with a /64 mask. Below is an example.

In our example, the home router received one single IPv6 address, 2a0f:f041:a:1::1, on the pppoe-client tunnel, and additionally it got a prefix, 2a0f:f041:1000:1::/64, that is automatically configured on the LAN interface. All IPv6 end devices will receive an IP address via ND (Neighbor Discovery), using the technology called SLAAC. This is a technology of stateless automatic IPv6 address configuration for end users that should be used in local area networks.

In Splynx each customer has an Internet service; under the settings of this service there are options to assign IPv4 and IPv6 addresses.
The first option, “IPv6 network”, is for IPv6 assignment to the WAN interface, and the second, “Delegated IPv6 network”, is for the network that should be used by the CPE/home router inside the LAN.

You can also check the Mikrotik IPv6 configuration example by following this link. Should you have any questions about IPv6 support in Splynx or want to try it in action feel free to contact us.

Juniper Radius configuration with variables

This article is the second part of the Juniper MX Radius configuration tutorial – https://splynx.com/4873/radius-juniper-mx-configuration/

In the first article, speed limitations were set by two Juniper Radius attributes:

ERX-Ingress-Policy-Name = "{{ tariff_name }}"
ERX-Egress-Policy-Name = "{{ tariff_name }}"

These attributes matched the Juniper firewall filter/policy to the tariff name in Splynx.

We can set up an advanced option where matching of tariff names and firewall filters is not involved. The setup is quite advanced, but also elegant: variables are used to define policies and speed.

RADIUS
Let’s start again with the basic Radius configuration:

profile RAD {
    authentication-order radius;
    domain-name-server {
        8.8.4.4;
        8.8.8.8;
    }
    radius {
        authentication-server 192.168.1.5;
        accounting-server 192.168.1.5;
        options {
            nas-identifier JUN;
            accounting-session-id-format decimal;
        }
    }
    radius-server {
        192.168.1.5 {
            secret "$9$bLYJUjHqPTz7-UiHqQzRhcSvW"; ## SECRET-DATA
            source-address 192.168.1.6;
        }
    }
    accounting {
        order radius;
        immediate-update;
        coa-immediate-update;
        address-change-immediate-update;
        update-interval 10;
        statistics volume-time;
    }
}

 

It is important to apply the access profile in the global configuration:
access-profile RAD;

DYNAMIC PROFILE
The second part is defining dynamic profiles using variables.

svc-local-pppoe {
    variables {
        var-bw-download;
        var-bw-upload;
        var-ff-out-download {
            equals "'INET-' ## $var-bw-download ## '-CLIENT-DOWNLOAD'";
            uid;
        }
        var-ff-in-upload {
            equals "'INET-' ## $var-bw-upload ## '-CLIENT-UPLOAD'";
            uid;
        }
        var-plr-download {
            equals "'plr-' ## $var-bw-download";
            uid;
        }
        var-plr-upload {
            equals "'plr-' ## $var-bw-upload";
            uid;
        }
    }
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                family inet {
                    filter {
                        input "$var-ff-out-download" precedence 100;
                        output "$var-ff-in-upload" precedence 100;
                    }
                }
                family inet6 {
                    filter {
                        input "$var-ff-out-download" precedence 100;
                        output "$var-ff-in-upload" precedence 100;
                    }
                }
            }
        }
    }
    /* svc-local-pppoe stays open here: it continues with the firewall section in the last step, which closes it */

As you can see, we can define policies for IPv4 and IPv6 customers.
The Juniper Radius attribute that Splynx should send to the Juniper MX router is:

RADIUS ATTRIBUTE :

ERX-Service-Activate:1 = "svc-local-pppoe(3072000,2048000)"
where 3072000 is the download speed and 2048000 is the upload speed.
It means that Juniper will set var-bw-download = 3072000 and var-bw-upload = 2048000. Then it will build the var-ff-out-download and var-ff-in-upload variables and use them as the input and output filter names on the pp0 interface.

SETTING FIREWALL
The last step is to define the filter rules:

    /* continues inside the dynamic profile svc-local-pppoe */
    firewall {
        family inet {
            filter "$var-ff-in-upload" {
                interface-specific;
                term POLICE {
                    then {
                        policer "$var-plr-upload";
                        service-accounting;
                        service-filter-hit;
                        accept;
                    }
                }
                term SERVICE-FILTER-HIT {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
            }
            filter "$var-ff-out-download" {
                interface-specific;
                term POLICE {
                    then {
                        policer "$var-plr-download";
                        service-accounting;
                        service-filter-hit;
                        accept;
                    }
                }
                term SERVICE-FILTER-HIT {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
            }
        }
        policer "$var-plr-download" {
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit "$var-bw-download";
                burst-size-limit 1m;
            }
            then discard;
        }
        policer "$var-plr-upload" {
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit "$var-bw-upload";
                burst-size-limit 1m;
            }
            then discard;
        }
    }
} /* closes svc-local-pppoe */

$var-plr-download and $var-plr-upload were created using values from Juniper Radius attribute ERX-Service-Activate:1. We create dynamic policers using these values and then apply them in dynamic filters.
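To see which filter and policer names one subscriber session ends up with, the following Python sketch (an added example, not Juniper or Splynx code) validates an ERX-Service-Activate value and expands the variable expressions copied from the svc-local-pppoe profile above. It assumes, as the article describes, that the two parameters are assigned to var-bw-download and var-bw-upload in that order and that ## concatenates; the function names are hypothetical.

```python
import re

# Variable expressions copied from the svc-local-pppoe dynamic profile in the article.
PROFILE_VARS = {
    "var-ff-out-download": "'INET-' ## $var-bw-download ## '-CLIENT-DOWNLOAD'",
    "var-ff-in-upload": "'INET-' ## $var-bw-upload ## '-CLIENT-UPLOAD'",
    "var-plr-download": "'plr-' ## $var-bw-download",
    "var-plr-upload": "'plr-' ## $var-bw-upload",
}
# Order in which the article says the attribute parameters are assigned.
PARAM_ORDER = ("var-bw-download", "var-bw-upload")

_ACTIVATE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)\(([0-9]+),([0-9]+)\)")


def parse_service_activate(value, expected_service="svc-local-pppoe"):
    """Validate 'service(download,upload)' and return the two bandwidth variables."""
    match = _ACTIVATE.fullmatch(value.strip())
    if not match:
        raise ValueError(f"malformed ERX-Service-Activate value: {value!r}")
    service, download, upload = match.groups()
    if service != expected_service:
        raise ValueError(f"unexpected service profile: {service!r}")
    rates = [int(download), int(upload)]
    if min(rates) <= 0:
        raise ValueError("bandwidth values must be positive")
    return dict(zip(PARAM_ORDER, (str(rate) for rate in rates)))


def expand(expression, env):
    """Evaluate one 'equals' expression: quoted literals and $variables joined by ##."""
    parts = []
    for token in (t.strip() for t in expression.split("##")):
        if token.startswith("$"):
            parts.append(env[token[1:]])
        elif len(token) >= 2 and token[0] == token[-1] == "'":
            parts.append(token[1:-1])
        else:
            raise ValueError(f"unsupported token in expression: {token!r}")
    return "".join(parts)


def resolve(value):
    """All profile variables for one ERX-Service-Activate attribute value."""
    env = parse_service_activate(value)
    env.update({name: expand(expr, env) for name, expr in PROFILE_VARS.items()})
    return env


if __name__ == "__main__":
    for name, val in resolve("svc-local-pppoe(3072000,2048000)").items():
        print(f"{name} = {val}")
```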

If you have any questions regarding Juniper Radius configuration, please feel free to ask us at support@splynx.com

Radius Juniper MX configuration

Juniper Networks is one of the leading vendors producing networking equipment. Together with Cisco, Juniper defines where networks are moving. The company sells different solutions, from routers and switches up to software-defined products such as Open Contrail.

In Internet providers’ networks, Juniper is mainly used as BRAS equipment (broadband remote access server). The MX series routers are an ideal fit as a BRAS, with the ability to process gigabits and hundreds of gigabits of traffic together with providing such access services as PPPoE, bandwidth limitation, policing and NAT.

We have deployed Splynx in different networks running on Juniper MX80, MX104 and MX960 routers, with JunOS versions from 14 to 18.
The configuration below should work on any MX router and is based on a combination of dynamic profiles and policy names.

1. RADIUS SERVER definition
In the first step we should define the access profile and describe the Radius configuration. The Radius server IP is 192.168.1.5 and the Juniper router IP is 192.168.1.6.

access {
    profile Splynx {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 192.168.1.5;
            accounting-server 192.168.1.5;
            options {
                nas-identifier JUN;
                accounting-session-id-format decimal;
            }
        }
        radius-server {
            192.168.1.5 {
                secret "$9$TFCuIEyMWxO1hSrlMWJGUHP5TQ3/ApmPO1Rcle"; ## SECRET-DATA
                timeout 300;
                retry 3;
                max-outstanding-requests 1000;
                source-address 192.168.1.6;
            }
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
            immediate-update;
            coa-immediate-update;
            update-interval 10;
            statistics volume-time;
        }
    }
}

The next line in the configuration should set the access profile Splynx at the top level of the Juniper MX router configuration:

access-profile Splynx;

2. DYNAMIC PROFILES
The next step is to define dynamic profiles. This configuration can be a bit tricky and complex, depending on how complex your overall setup is, how VLANs are organized, and whether there are port aggregations or PPPoE services running directly on Gigabit and 10G Ethernet interfaces. The example below shows the PPPoE profile that is ready for dynamic VLANs running on the aggregated interface ae0.

dynamic-profiles {
    PPPOE {
        interfaces {
            demux0 {
                interface-mib;
                unit "$junos-interface-unit" {
                    vlan-id "$junos-vlan-id";
                    family pppoe {
                        duplicate-protection;
                        dynamic-profile ppp-profile;
                        max-sessions 16000;
                    }
                }
            }
        }
    }
    ppp-profile {
        interfaces {
            pp0 {
                interface-mib;
                unit "$junos-interface-unit" {
                    no-traps;
                    ppp-options {
                        pap;
                    }
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    keepalives interval 30;
                    family inet {
                        rpf-check;
                        filter {
                            input "$junos-input-filter";
                            output "$junos-output-filter";
                        }
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}

A few words on the configuration above: as you can see, the dynamic profile ppp-profile is encapsulated into the other dynamic profile, PPPOE. The speed limitation filters are set on interface pp0 in the dynamic profile ppp-profile.
When the dynamic profiles are defined, we apply the profile PPPOE on the ae0 interface:

ae0 {
    description "PPPOE LINK aggregation ";
    flexible-vlan-tagging;
    auto-configure {
        vlan-ranges {
            dynamic-profile PPPOE {
                accept pppoe;
                ranges {
                    100-200;
                }
            }
        }
        remove-when-no-subscribers;
    }
    mtu 4000;
    encapsulation flexible-ethernet-services;
    aggregated-ether-options {
        lacp {
            active;
        }
    }
}

3. SPEED LIMITATIONS
The last step in the configuration is to define the firewall filter and policers to control subscribers’ bandwidth.
Here is an example of a filter and policer for a 10 Mbps plan:

firewall {
    family inet {
        filter 10Mbps {
            interface-specific;
            term 1 {
                then {
                    policer p_10Mbps_limit;
                    accept;
                }
            }
        }
    }
    policer p_10Mbps_limit {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1m;
        }
        then discard;
    }
}

4. JUNIPER RADIUS ATTRIBUTES
The attributes that are used to set the filter name in the Radius Access-Accept are:

ERX-Ingress-Policy-Name = "{{ tariff_name }}"
ERX-Egress-Policy-Name = "{{ tariff_name }}"

These attributes are configured in Splynx -> Config -> Radius -> Selection of NAS type -> Juniper -> Rate-limit attributes

The tariff name in Splynx should be set to “10Mbps”, as in the picture below:


Should you have any questions regarding Juniper MX configuration or further information is needed, please contact us or schedule a call with our engineer.