Mikrotik IPv6 configuration

In this topic, it is described how to configure Mikrotik router to act as PPPoE server with IPv6 enabled. The configuration of IPv6 in general is described in article – https://splynx.com/5665/splynx-ipv6-support/ and IPv6 Home routers configuration you can find here – https://splynx.com/5747/ipv6-cpe-and-home-routers-support/

The first tests were started with ROUTER OS Version 6.42.6, however, unfortunately, version prior to 6.43 doesn’t support Radius Delegated IPv6 attribute at all, in 6.43 it doesn’t support DHCPv6 accounting, so please upgrade at least to 6.46.1 or later RouterOS version.

When the router is upgraded, we can work on PPPoE server configuration.

As the first step, Mikrotik PPPoE server with Radius authentication should be created. Below is the screenshot of PPPoE server configuration on RouterOS.

Please note, that IPv6 pool should be selected and this is important. It is an IPv6 network that we use on PPPoE server. Customers should receive IPv6 delegated prefixes from this pool. At the moment (version 6.46 of Mikrotik), Radius server is not able to assign Delegated-IPv6 network to the PPPoE customer.
That’s why it’s needed to define the pool in IPv6 pool and then, when the customer is online, Splynx grabs used IPv6 network from Radius accounting packets and stores information in own database.

Below is a link to petition that asks Mikrotik to support Delegated-IPv6-Prefix correctly.
Currently, the attribute can be sent from Radius to Mikrotik PPPoE server in the Access accept message, but it is ignored by the router.
In case, when IPv6 prefix is delegated by the IP pool inside Mikrotik PPPoE settings, then attribute Delegated-IPv6-Prefix is sent back to Radius in Accounting packets, informing that customer got certain IPv6 delegated pool.

https://www.change.org/p/wisp-the-implementation-of-radius-delegated-ipv6-prefix-for-mikrotik-pppoe-servers

Unfortunately, there is no way to assign public IPv6 to WAN PPPoE interface of the customer via Radius server. Lack of this feature is not that crucial, because PPPoE works well on local link addresses, but we think that it should be also available on Mikrotik Radius implementation.

Regarding Splynx configuration – the Internet service of customer should be configured with empty IPv6 and Delegated IPv6 fields. The IPv6 appears in online session of customers and is stored to the logs and statistics. Radius based simple queues are applied to the pppoe tunnel and there is no additional queue needed for IPv6 traffic. Below is a screenshot of such sessions

 

 

Another option how to check IPv6 prefixes that were assigned to CPE devices – check the DHCPv6 server leases in Mikrotik.
Below is an example of DHCPv6 active leases

 

Next question is – how to block IPv6 traffic? Usually, IPv4 traffic is blocked when customer’s IP address is put to the address list and traffic is redirected. The other option is to assign to customer the IP address from special pool for blocked subscribers. This configuration cannot be achieved with IPv6, because currently Radius cannot assign the special pool or manipulate anyhow with IPv6 of the end user.

The only possible option is to have several Profiles configured in Mikrotik PPPoE server. Profile can be sent from Radius to Mikrotik PPPoE router via attribute Mikrotik-Group. Here is a description of the attribute from Mikrotik website :
Mikrotik-Group – Router local user group name (defines in /user group) for local users; HotSpot default profile for HotSpot users; PPP default profile name for PPP users.

In this case, we will define two profiles – default and block, with two different IPv6 pools. Default profile is used for authenticated users and block profile we assign to locked or non-authenticated customers.
These two profiles should be defined in Splynx Radius blocking attributes, please follow the screenshot below.

 

Second option how to block customers, is to use Mikrotik-Delegated-IPv6-Pool attribute, instead of choosing and configuring the different profiles, it’s possible to set name of Pool that should be used for blocked customer. For example, customer that is active will get IP from pool “default” and in case of blocking – he will get IPv6 from pool “blocked”

 

Mikrotik as CPE or home router with IPv6
Mikrotik can act as a home router or CPE with IPv6 support enabled. First of all, we need to activate IPv6 package that is always disabled by default.

Let’s imagine that we have one WAN interface with pppoe-client and Bridge configured for LAN interfaces.
After the activation of pppoe interface and setting user/password there, we should enable DHCPv6 client on pppoe-client interface. DHCPv6 client should receive the delegated prefix from PPPoE router (yes, it sounds weird, but there is a DHCP client running over PPPOE client for IPv6, because natively there is no way to provide to home router delegated prefix).
Please don’t forget to configure the pool name and then create IP address assignment with SLAAC on LAN interface. Better is just to copy and paste configuration shown on the screenshot below 🙂

 

Should you have any questions related to IPv6 configuration or you want to try Splynx in action, feel free to contact us.

Splynx IPv6 support

Starting from 3.0 version, Splynx has native IPv6 support. In this topic we will cover 3 main areas of IPv6 deployment:
1. IPv6 address management in Splynx;
2. Activation of IPv6 in ISP infrastructure;
3. IPv6 assignments to end-users.

If you want to know more about Mikrotik IPv6 configuration or Home router IPv6 configuration, please read following articles :
https://splynx.com/5684/mikrotik-ipv6-configuration/
https://splynx.com/5747/ipv6-cpe-and-home-routers-support/

IPv6 address management
In Splynx IPv6 management is similar to IPv4 network management. Under Networking there is an IPv6 networks submenu with the ability to add network, show available networks and display detail of usage of each network.

 

 

In the selected example, we have added a /32 IPv6 network. It is the network that is usually assigned to the ISP company by the local registry.

From the /32 network we can choose /48 networks to route them on certain site or PPPoE concentrator. In total, /32 network consists of 65536 /48 networks. It means that we can have up to 65k different high-sites or PPPoE/DHCP NAS routers. Each NAS or PPPoE server or DHCP server (depends on your topology and authentication method), can connect up to 65k subscribers. Always /64 network is delegated to end user’s LAN network or his CPE. Inside one /48 IPv6 network there are 65536 /64 networks.

This basic IPv6 topology design we recommend to use inside small and medium size ISP networks. Of course, there are plenty of other IPv6 planning options that can be found on the Internet, but all these IP plans are quite complicated and just bring more complexity to IPv6 address deployment.

In our example, we have received a network 2a0f:f041::/32 from RIPE NCC.
We decided to dedicate one /48 network to Infrastructure needs – 2a0f:f041:f::/48
PPPoE concentrators will assign IPs from the ranges : 2a0f:f041:1000::/48 and 2a0f:f041:2000::/48.
In case when we have more PPPoE servers, we can use IP networks like 2a0f:f041:1100::/48 or 2a0f:f041:1011::/48 or 2a0f:f041:3050::/48. Actually we used 4-5 /48 IPv6 networks to cover all our NAS routers and infrastructure. And there are still over 65k IPv6 /48 networks left.

As was mentioned above – customers receive /64 prefixes. From these prefixes CPE/home router device creates a pool (similar to IP lan pools in IPv4 world) and IPs from this pool will be assigned to end devices.

Below is an example, how IPv6 appears in Splynx IPv6 networks when a CPE got /64 prefix delegated :

 

Activation of IPv6 in infrastructure
Okay, we have designed a simple IPv6 address plan, let’s recap what should be done during the first phase of IPv6 deployment :
1. BGP peering configured on IPv6 addresses
2. IPv6 network announced to BGP and BGP filters configured
3. Internal connections between infrastructure routers is established on subnetworks from

2a0f:f041:f::/48. Actually all traffic can be routed between routers using Link-local IPv6 addresses, but we have enabled IPs from range 2a0f:f041:f::/48 on our routers to check IPv6 visibility to and from outside.
4. Static routes to 2a0f:f041:1000::/48 and 2a0f:f041:2000::/48 created from BGP infrastructure to PPPoE routers.

IPv6 assignments to the end users
When all above is working, we can start with the most tricky part of IPv6 deployment – assignments of IPv6 to the end users.
Mostly everywhere, end users have own wireless router that connects their devices to the Internet.
Below is the topology of connection of advanced home user, that have one router and two access-point bridges with many devices, such as PCs and phones.

As we can see in this topology, SOHO router has one public IPv4 on it’s WAN interface and one IPv4 from LAN range 192.168.0.0/24 that is used as a default gateway for all devices at home. It’s obvious that a router acts as a NAT server in this scenario, when all customers from home are leaving LAN network and connect to Internet from one public IP and all traffic is sent back to the network via this one single public IP address.

IPv6 world has no NAT. It means that CPE or SOHO/Home router should route public IPv6 network instead of private range. How small home office router will know what IPv6 network it should use and route? This is the job of ISP’s equipment to tell it to CPE/Home router.
In general, ISP router assignes IPv6 address to WAN interface in the same way as it did with IPv4 address, but also it should assign a “LAN” network. This is called Delegated IPv6 network and it’s the network of mask /64. Below is an example.

In our example, Home router received one single IPv6 address 2a0f:f041:a:1::1 on pppoe-client tunnel and additionally it got a prefix, that is automatically configured on LAN interface 2a0f:f041:1000:1::/64. All IPv6 end devices will receive the IP address with ND (Neighbor discover) technology that is called SLAAC. This is a technology of stateless automatic IPv6 address configuration for end users that should be used in local area networks.

In Splynx each customer has Internet service, under settings of this service there are options to assign IPv4 and IPv6 addresses.
The first option “IPv6 network” is for IPv6 assignment to the WAN interface and the second “Delegated IPv6 network” is for the network, that should be used by CPE/Home router inside LAN network.

You can also check the Mikrotik IPv6 configuration example by following this link. Should you have any questions about IPv6 support in Splynx or want to try it in action feel free to contact us.

Juniper Radius configuration with variables

This article is the second part of the Juniper MX Radius configuration tutorial – https://splynx.com/4873/radius-juniper-mx-configuration/

In the first article, speed limitations were set by two Juniper Radius attributes

ERX-Ingress-Policy-Name = “{{ tariff_name }}”
ERX-Egress-Policy-Name = “{{ tariff_name }}”

These attributes matched the Juniper firewall filter/policy to tariff name in Splynx.

We can set up an advanced option when tariff names and firewall filters matching is not involved. The setup is quite advanced, but also elegant, variables are used to define policies and speed.

RADIUS
Let’s start again with basic Radius configuration :


profile RAD {
authentication-order radius;
domain-name-server {
8.8.4.4;
8.8.8.8;
}
radius {
authentication-server 192.168.1.5;
accounting-server 192.168.1.5;
options {
nas-identifier JUN;
accounting-session-id-format decimal;
}
}
radius-server {
192.168.1.5 {
secret "$9$bLYJUjHqPTz7-UiHqQzRhcSvW"; ## SECRET-DATA
source-address 192.168.1.6;
}
}
accounting {
order radius;
immediate-update;
coa-immediate-update;
address-change-immediate-update;
update-interval 10;
statistics volume-time;
}
}

 

Important is to apply the access profile in global configuration :
access-profile RAD

DYNAMIC PROFILE
Second part is defining dynamic profiles using variables.

svc-local-pppoe {
variables {
var-bw-download;
var-bw-upload;
var-ff-out-download {
equals "'INET-' ## $var-bw-download ## '-CLIENT-DOWNLOAD'";
uid;
}
var-ff-in-upload {
equals "'INET-' ## $var-bw-upload ## '-CLIENT-UPLOAD'";
uid;
}
var-plr-download {
equals "'plr-' ## $var-bw-download";
uid;
}
var-plr-upload {
equals "'plr-' ## $var-bw-upload";
uid;
}
}
interfaces {
pp0 {
unit "$junos-interface-unit" {
family inet {
filter {
input "$var-ff-out-download" precedence 100;
output "$var-ff-in-upload" precedence 100;
}
}
family inet6 {
filter {
input "$var-ff-out-download" precedence 100;
output "$var-ff-in-upload" precedence 100;
}
}
}
}
}

As you can see we can define policies for IPv4 and IPv6 customers.
Juniper Radius attribute that Splynx should send to Juniper MX router is

RADIUS ATTRIBUTE :

ERX-Service-Activate:1 = “svc-local-pppoe(3072000,2048000)”
where 3072000 is download speed and 2048000 is upload speed.
It means that Juniper will set var-bw-download = 3072000 and var-bw-upload = 2048000. Then it will var-ff-out-download and var-ff-in-upload variables and set it to input and output filter names on the pp0 interface.

SETTING FIREWALL
The last step is to define Filter rules


firewall {
family inet {
filter "$var-ff-in-upload" {
interface-specific;
term POLICE {
then {
policer "$var-plr-upload";
service-accounting;
service-filter-hit;
accept;
}
}
term SERVICE-FILTER-HIT {
from {
service-filter-hit;
}
then accept;
}
}
filter "$var-ff-out-download" {
interface-specific;
term POLICE {
then {
policer "$var-plr-download";
service-accounting;
service-filter-hit;
accept;
}
}
term SERVICE-FILTER-HIT {
from {
service-filter-hit;
}
then accept;
}
}
}
policer "$var-plr-download" {
logical-interface-policer;
if-exceeding {
bandwidth-limit "$var-bw-download";
burst-size-limit 1m;
}
then discard;
}
policer "$var-plr-upload" {
logical-interface-policer;
if-exceeding {
bandwidth-limit "$var-bw-upload";
burst-size-limit 1m;
}
then discard;
}
}
}

$var-plr-download and $var-plr-upload were created using values from Juniper Radius attribute ERX-Service-Activate:1. We create dynamic policers using these values and then apply them in dynamic filters.

If you have any questions regarding Juniper Radius configuration, please feel free to ask us at support@splynx.com

Radius Juniper MX configuration

Juniper Networks is one of leading vendors producing networking equipment. Together with Cisco, Juniper defines where networks are moving. The company sells different solutions starting from routers, switches and up to software-defined products such as Open Contrail.

In Internet provider’s network, Juniper is mainly used as a BRAS equipment (broadband remote access server). The MX series routers ideally fit as BRAS with the ability to process gigabits and hundreds of gigabits of traffic together with providing such access services as PPPoE, bandwidth limitation, policing and NAT.

We have deployed Splynx in different networks running on Juniper MX80, MX104 and MX960 routers. JunOS versions from 14 to 18.
The configuration below should work on any MX router and is based on a combination of Dynamic profiles and Policy names.

1. RADIUS SERVER definition
In the first step we should define the Access and describe Radius configuration. Radius server IP is 192.168.1.5 and Juniper router IPs is 192.168.1.6.

access {
profile Splynx {
accounting-order radius;
authentication-order radius;
radius {
authentication-server 192.168.1.5;
accounting-server 192.168.1.5;
options {
nas-identifier JUN;
accounting-session-id-format decimal;
}
}
radius-server {
192.168.1.5 {
secret "$9$TFCuIEyMWxO1hSrlMWJGUHP5TQ3/ApmPO1Rcle"; ## SECRET-DATA
timeout 300;
retry 3;
max-outstanding-requests 1000;
source-address 192.168.1.6;
}
}
accounting {
order radius;
accounting-stop-on-failure;
accounting-stop-on-access-deny;
immediate-update;
coa-immediate-update;
update-interval 10;
statistics volume-time;
}
}
}

The next line in configuration should be setting the access profile Splynx to Juniper MX router up level configuration:

access-profile Splynx;

2. DYNAMIC PROFILES
The next step is to define Dynamic profiles. This configuration can be a bit tricky and complex. Depends on how complex is your overall setup, how VLANs are organized, if there are Port Aggregations or PPPoE services are running directly on Gigabit and 10G Ethernet interfaces. The example below shows the PPPoE profile that is ready for dynamic VLANs that are running on Aggregated interface ae0.

dynamic-profiles {
PPPOE {
interfaces {
demux0 {
interface-mib;
unit "$junos-interface-unit" {
vlan-id "$junos-vlan-id";
family pppoe {
duplicate-protection;
dynamic-profile ppp-profile;
max-sessions 16000;
}
}
}
}
}
ppp-profile {
interfaces {
pp0 {
interface-mib;
unit "$junos-interface-unit" {
no-traps;
ppp-options {
pap;
}
pppoe-options {
underlying-interface "$junos-underlying-interface";
server;
}
keepalives interval 30;
family inet {
rpf-check;
filter {
input "$junos-input-filter";
output "$junos-output-filter";
}
unnumbered-address lo0.0;
}
}
}
}
}
}

Few words to the configuration above – as you can see dynamic profile ppp-profile is encapsulated into other dynamic profile PPPoE. The speed limitation filters are set in dynamic ppp-profile interface pp0.
When dynamic profiles are defined, we apply the profile PPPOE on AE0 interface :

ae0 {
description "PPPOE LINK aggregation ";
flexible-vlan-tagging;
auto-configure {
vlan-ranges {
dynamic-profile PPPOE {
accept pppoe;
ranges {
100-200;
}
}
}
remove-when-no-subscribers;
}
mtu 4000;
encapsulation flexible-ethernet-services;
aggregated-ether-options {
lacp {
active;
}
}
}

3. SPEED LIMITATIONS
The last step in configuration is to define the Firewall filter and policers to control subscriber’s bandwidth.
Here is the example of filter and policer for 10 Mbps plan :

firewall {
family inet {
filter 10Mbps {
interface-specific;
term 1 {
then policer p_10Mbps_limit;
accept;
}
}
}
policer p_10Mbps_limit {
if-exceeding {
bandwidth-limit 10m;
burst-size-limit 1m;
}
then discard;
}

4. JUNIPER RADIUS ATTRIBUTES
The attributes that are used to set the Filter name in Radius Access accept are :

ERX-Ingress-Policy-Name = "{{ tariff_name }}"
ERX-Egress-Policy-Name = "{{ tariff_name }}"

These attributes are configured in Splynx -> Config -> Radius -> Selection of NAS type -> Juniper -> Rate-limit attributes

Tariff name should be set in Splynx “10Mbps” as on picture below :

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Should you have any questions regarding Juniper MX configuration or further information is needed, please contact us or schedule a call with our engineer.

Splynx Radius server

Splynx ISP framework consists of different sub-systems. One of the main and most important parts of the framework is Splynx Radius server. PPPoE, DHCP, IPoE, Hotspot, Wireless or Static IP/MAC authentication. Splynx solution also provides smart bandwidth management, billing other useful features.

Splynx Radius server is used to perform AAA tasks.
Authentication – Networking equipment perform check over Radius server if login/password of connecting device or user is correct. If it matches with an entry in Radius server, device or user is able to access the equipment or get the service.
Authorization – defines which actions are allowed for user or device and it’s privilege level.
Accounting – statistics of the usage of Internet or information about what was done on equipment.

1. Administrative AAA.
Authentication: With Splynx you can setup that when administrator accesses equipment, his credentials will be checked over Radius server database.
If his username/password is correct, he will be able to login to equipment. If not, he will not get access. This is very convenient approach comparing to local login.
Imagine when you hire a new administrator and you need to update hundreds of routers, APs and switches to create him local login everywhere.
Or you can give him one common login/password, but when a person leaves the company, you should change that credentials everywhere.
Better is to connect all networking devices to Radius server and verify administrator login using Radius protocol.
Authorization: means that different levels of access can be implemented. Some administrators can change the configurations, some can only view and read config.
Accounting: Splynx stores information of when the network unit was accessed by an administrator and what was done there.

Below are tutorials showing how to configure admin login using Radius Splynx server on different platforms :

Mikrotik: Radius admin login to Mikrotik routers

Administrative login to Cisco devices

2. Customer’s AAA.
Splynx Radius server supports different ways of customers’ central authentication in the network of Internet provider. It always depends on the topology of an ISP and technology that he decides to use. Access technologies are widely used and their advantages and disadvantages are described below:

PPPoE – easy to maintain and implement. Customer on CPE device setups username and password and all networking settings CPE receives from PPPoE NAS (Network Access Server). Also provides encryption if needed and accounting for getting statistics of usage. Had issues with MTU in the past, but in last years these issues were fixed by main vendors.

IPoE (or DHCP) – DHCP is based on MAC address of the client. Also can be linked to the port of switch were a customer is connected (DHCP option 82). In several vendors don’t provide accounting capability (Mikrotik routers).

Wireless Authentication – when ISP has a wireless network, he needs to maintain access of CPE devices to his Access Points. For this purpose, several wireless authentication methods are used, such as a password inside TDMA protocols or wireless access-lists.

Hotspot – customer has to enter his username and password on the webpage before using the Internet. Many hotspot networks allow free limited access and then charge customers for additional usage or advanced plans.

Static IP addressing – some ISPs don’t have central management of authentication and set up static IP addresses to CPE devices. With the Mikrotik RouterOS platform, Splynx can manage even customers who’ve got static IPs in Vlan per customer or plain IPv4 connection. Also, Splynx can grab statistics from Mikrotik routers for such customers.

Below are manuals for different types of user authentication in Splynx ISP Framework :

Mikrotik: DHCP using Radius

Mikrotik: PPPoE and other PPP tunnels using Radius

Mikrotik: Hotstpot with Radius

Mikrotik: OpenVPN, Radius

Mikrotik: Static IP addressing with API authentication/accounting

Mikrotik: Local DHCP with Mikrotik API

Ubiquiti: Wireless authentication with Radius

Ubiquiti: PPPoE authentication on Edge Routers

Cisco: PPPoE with Radius

Cambium: Wireless Authentication via Radius

Juniper: PPPoE with Radius server

 


Should you have any questions regarding Splynx RADIUS server or further information is needed, please contact us or schedule a call with our engineer.