IPv6 tunnel broker switch
It didn't take me long to switch away from go6.net's client/daemon-based approach to 6in4 tunneling. That approach is clearly fine for PCs, but earlier this year I purchased a Juniper NetScreen NS-5GT firewall and was lucky enough to come across newer firmware that supports not only IPv6 but also 6in4 tunneling.
Previously I ran an OpenBSD firewall and IPv6 gateway using the tspc client from go6.net (previously freenet6.net). When my Sun Ultra 10 died I no longer had this great OpenBSD firewall/gateway. Since we had started supporting Juniper NetScreens on the job, I figured I'd try to get one for the home firewall role. I got lucky with a NS-5GT for $150 and proceeded to install it. However, I was still without IPv6 support on the firewall, so one of the NetBSD Xen domUs became the gateway.
On Wednesday one of my colleagues had an open case with Juniper and was able to obtain the latest code for my model, which upgraded me from 5.4r10 to 6.2r1. Along with that upgrade came IPv6 support and, more importantly, 6in4 tunneling using IP protocol 41. This was really exciting, so I immediately signed into the Juniper support site and started looking for docs describing the 6in4 tunneling syntax and options. Once I had those I couldn't wait to get home, so I ssh'd into my home network and started the config.
First I scp'd the new code over and rebooted, but once I logged back in I was unable to find the ipv6 commands in the context-sensitive help. Frustrating barely scratches the surface. Back to the Juniper support site, where I found that I must first issue 'set envar ipv6=yes' and reboot. Once back in, it was all clear and I could start the 6in4 tunnel broker config - right?
Not so fast, buddy: you're running a software client that uses a username/password, and you can't transfer that to a hardware appliance, right? That is correct, so what do I do now? Luckily I remembered from working on my IPv6 certification with Hurricane Electric Internet Services that they offer tunneling without a software client. These guys are smart, allowing one to use any hardware appliance, and they even provide examples for Cisco IOS, JunOS, the BSDs, etc. Without an example for ScreenOS I had my work cut out for me, but I'm a network engineer and enjoy learning something new.
After some config typing I now had both my internal and DMZ interfaces with a /64 (performing RA) from the /48 allocated to me, and a 6in4 tunnel interface that I could ping across to the next-hop at HE's PoP. Below is a snapshot of the config used to get the 6in4 tunnel interface up and running.
set interface tunnel.3 ipv6 mode host
set interface tunnel.3 ipv6 ip 2001:470:1f06:b6b::2/64
set interface tunnel.3 ipv6 enable
set interface tunnel.3 tunnel encap ip6in4 manual
set interface tunnel.3 tunnel local-if untrust dst-ip 209.51.161.14
unset interface tunnel.3 ipv6 nd nud
set interface tunnel.3 ipv6 nd dad-count 0
set route ::/0 interface tunnel.3 gateway 2001:470:1f06:b6b::1

-> ping 2001:470:1f06:b6b::1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 2001:470:1f06:b6b::1, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=28/28/31 ms
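As an added illustration (not from the post, Juniper or HE), here is what the tunnel.3 configuration above actually carries on the wire: a whole IPv6 packet as the payload of an IPv4 packet with protocol 41. The Python below builds such a packet, decapsulates it, and applies the two checks a firewall terminating a manual 6in4 tunnel should make before accepting it; the local untrust IPv4 address 198.51.100.7 is a hypothetical stand-in since the post doesn't give it, and the packets are constructed here, not captured.

```python
import ipaddress
import struct

# Values taken from the ScreenOS config above: the broker's IPv4 endpoint
# (dst-ip), the point-to-point /64 on tunnel.3, and HE's gateway on it.
BROKER_V4 = ipaddress.ip_address("209.51.161.14")
TUNNEL_NET = ipaddress.ip_network("2001:470:1f06:b6b::/64")
GATEWAY_V6 = ipaddress.ip_address("2001:470:1f06:b6b::1")
LOCAL_V4 = ipaddress.ip_address("198.51.100.7")  # hypothetical untrust address
IPPROTO_IPV6 = 41    # 6in4: the IPv4 payload is a whole IPv6 packet
IPPROTO_ICMPV6 = 58

def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Construct an IPv4 protocol-41 packet around an IPv6 packet (checksum 0)."""
    o_src, o_dst, i_src, i_dst = map(ipaddress.ip_address,
                                     (outer_src, outer_dst, inner_src, inner_dst))
    inner = struct.pack("!IHBB16s16s", 0x60000000, len(payload), IPPROTO_ICMPV6,
                        64, i_src.packed, i_dst.packed) + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        IPPROTO_IPV6, 0, o_src.packed, o_dst.packed)
    return outer + inner

def parse_6in4(frame):
    """Decapsulate one packet: outer IPv4 and inner IPv6 addresses, or raise."""
    if frame[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (frame[0] & 0x0F) * 4            # IPv4 options move where IPv6 starts
    if frame[9] != IPPROTO_IPV6:
        raise ValueError(f"outer protocol {frame[9]} is not 41 (6in4)")
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 header")
    return {
        "outer_src": ipaddress.ip_address(frame[12:16]),
        "outer_dst": ipaddress.ip_address(frame[16:20]),
        "inner_src": ipaddress.ip_address(inner[8:24]),
        "inner_dst": ipaddress.ip_address(inner[24:40]),
        "next_header": inner[6],
    }

def accept_inbound(frame):
    """A manual tunnel has exactly one peer, so the outer source must be the
    broker; and only the gateway may appear as an inner source from our /64."""
    p = parse_6in4(frame)
    if p["outer_src"] != BROKER_V4 or p["outer_dst"] != LOCAL_V4:
        return False
    if p["inner_src"] in TUNNEL_NET and p["inner_src"] != GATEWAY_V6:
        return False
    return True
```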
Have fun and happy ipv6'n!