The Juniper ScreenOS firewall is one of the few firewalls that implements DHCPv6 Prefix Delegation (DHCPv6-PD). It is therefore a good fit for testing my dual stack ISP connection from Deutsche Telekom, Germany. (Refer to this post for details about this dual stack procedure.)
It was *really* hard to get the correct configuration in place. I was not able to do this by myself at all. Google did not help that much either. Finally, I opened a case with Juniper to help me find the configuration error. Four weeks after opening the case, I was told which command was wrong. Now it's working. Here we go.
Note that I will not explain how DHCPv6 prefix delegation works at all. I will only go into the details of how to configure it on a Juniper ScreenOS SSG firewall. My Google results for this case brought me to this and that page. But none of them correctly revealed the working configuration commands.
The basic idea is to receive a /56 IPv6 prefix from the ISP and to hand out /64 subnets/prefixes to the client networks.
Configuration
This picture shows the main parts of how the SSG should be configured:
This involves the following steps:
- Enable IPv6 on upstream interface (mode “Host”, accept router advertisement).
- Enable IPv6 on client interfaces (mode “Router”, send router advertisements).
- Configure DHCPv6 server on client interfaces (for handing out the DNS server addresses).
- Configure DHCPv6 client on upstream interface (to receive a delegated prefix).
These are the configuration steps in the GUI. Read the descriptions under the screenshots for more information:
One special note on the prefix distribution settings: There are two fields called “SLA” and “SLA length”. It took me a while to understand what they mean:
- SLA: This is the subnet ID in decimal notation (WTF?). For example, if you want to use the IPv6 subnet “42” (the hexadecimal digits as they appear in the address), you must convert this value to decimal, which is “66”.
- SLA length: This is the length of the subnet ID in bits. In my case, since I am getting a /56 but want to hand out /64 prefixes, it is 8 bits in length.
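As an added worked example (not part of the original post or the ScreenOS software), here is the SLA arithmetic in Python: given the delegated prefix and the sla-id/sla-len values from the configuration, it returns the /64 that each RA interface ends up advertising, refuses an sla-id that does not fit into sla-len bits, and refuses two interfaces that would resolve to the same subnet. bgroup1 is modelled here as sla-id 0 with sla-len 8 (the device shows 0/0 for it, which gives the same first /64).

```python
import ipaddress
from typing import Dict, List, Tuple


def sla_id_from_hex(subnet_hex: str) -> int:
    """The SLA field wants the subnet ID in decimal, although one usually
    thinks of it as the hex digits inside the address ("42" -> 66)."""
    return int(subnet_hex, 16)


def delegated_subnet(delegated_prefix: str, sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """Carve the subnet that "pd ra-interface <if> sla-id N sla-len L" selects
    out of the prefix the ISP delegated (e.g. /56 plus 8 bits -> /64)."""
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    new_len = pd.prefixlen + sla_len
    if new_len > 128:
        raise ValueError(f"sla-len {sla_len} does not fit after a /{pd.prefixlen}")
    if not 0 <= sla_id < (1 << sla_len):
        # The GUI accepts any number; the delegated prefix simply cannot carry it.
        raise ValueError(f"sla-id {sla_id} needs more than {sla_len} bits")
    # The SLA bits sit directly behind the delegated prefix length.
    sla_bits = sla_id << (128 - new_len)
    return ipaddress.IPv6Network((int(pd.network_address) | sla_bits, new_len))


def distribution_table(delegated_prefix: str,
                       ra_interfaces: List[Tuple[str, int, int]]) -> Dict[str, ipaddress.IPv6Network]:
    """Map each RA interface to its subnet, like the "Prefix distribution list"
    printed by "get interface ethernet0/0 dhcp6 client pd". Two interfaces that
    resolve to the same subnet are a misconfiguration, so refuse them."""
    table: Dict[str, ipaddress.IPv6Network] = {}
    for iface, sla_id, sla_len in ra_interfaces:
        subnet = delegated_subnet(delegated_prefix, sla_id, sla_len)
        clash = [i for i, s in table.items() if s.overlaps(subnet)]
        if clash:
            raise ValueError(f"{iface} would reuse {subnet}, already used by {clash[0]}")
        table[iface] = subnet
    return table


if __name__ == "__main__":
    # Values from the post: a /56 from the ISP, bgroup1 with sla-id 0 (modelled
    # with sla-len 8, see above), wireless0/2 with "sla-id 66 sla-len 8" (subnet 0x42).
    pd_from_isp = "2003:50:aa10:3300::/56"
    plan = [("bgroup1", 0, 8), ("wireless0/2", sla_id_from_hex("42"), 8)]
    for iface, net in distribution_table(pd_from_isp, plan).items():
        print(f"{iface:12} {net}")
```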
The following listing presents all relevant CLI commands for the DHCPv6-PD scenario just configured (especially lines 30-32):
set interface "ethernet0/0" ipv6 mode "host"
set interface "ethernet0/0" ipv6 enable
set interface ethernet0/0 route
set interface "wireless0/2" ipv6 mode "router"
set interface "wireless0/2" ipv6 enable
set interface wireless0/2 route
set interface "bgroup1" ipv6 mode "router"
set interface "bgroup1" ipv6 enable
set interface bgroup1 route
set interface ethernet0/0 ipv6 ra accept
set interface wireless0/2 ipv6 ra link-address
set interface wireless0/2 ipv6 ra transmit
set interface bgroup1 ipv6 ra link-address
set interface bgroup1 ipv6 ra transmit
set interface ethernet0/0 ipv6 nd nud
set interface wireless0/2 ipv6 nd nud
set interface bgroup1 ipv6 nd nud
set interface wireless0/2 dhcp6 server
set interface wireless0/2 dhcp6 server options dns dns1 2003:180:2:8000:0:1:0:53
set interface wireless0/2 dhcp6 server options dns dns2 2003:180:2:8100:0:1:0:53
set interface wireless0/2 dhcp6 server enable
set interface bgroup1 dhcp6 server
set interface bgroup1 dhcp6 server options dns dns1 2003:180:2:8000:0:1:0:53
set interface bgroup1 dhcp6 server options dns dns2 2003:180:2:8100:0:1:0:53
set interface bgroup1 dhcp6 server enable
set interface ethernet0/0 dhcp6 client
set interface ethernet0/0 dhcp6 client options rapid-commit
set interface ethernet0/0 dhcp6 client options request dns
set interface ethernet0/0 dhcp6 client options request search-list
set interface ethernet0/0 dhcp6 client options request pd
set interface ethernet0/0 dhcp6 client pd ra-interface bgroup1
set interface ethernet0/0 dhcp6 client pd ra-interface wireless0/2 sla-id 66 sla-len 8
set interface ethernet0/0 dhcp6 client enable
Monitoring
This is how the GUI looks after a prefix has been received and delegated:
I tested the two configured subnets with my mobile devices, one in the bgroup1 network and the other in the wireless0/2 network. (I called my http://ip.webernetz.net script that shows the IP; refer to here.)
And, of course, the SSG can list many details of the learned/delegated prefixes via the CLI:
fd-we-fw01-> get interface ethernet0/0 dhcp6 client pd
DHCPv6 on interface ethernet0/0:
Interface config :
-
--------------------------------------------------------------------------------
IAPD-ID: 0, type: PD
Prefix distribution list:
  ra interface: bgroup1      sla id: 0   sla len: 0
  ra interface: wireless0/2  sla id: 66  sla len: 8
suggested prefix data:
  -IPv6 Prefix: ::/0
   Valid Life Time     : 00h00m00s
   Preferred Life Time : 00h00m00s
Delegated Prefix Information:
  t1: 900  t2: 1440  state: 0
  server: 00:03:00:01:44:2b:03:19:03:00
Delegated-Prefix list:
  prefix: 2003:50:aa10:3300::/56
  Prefix distribution list:
    ra interface: bgroup1      sla id: 0   sla len: 0
    ra interface: wireless0/2  sla id: 66  sla len: 8
fd-we-fw01->
fd-we-fw01->
fd-we-fw01-> get interface bgroup1 ipv6 ra
Router advertisement configuration info for interface bgroup1
--------------------------------------------------------------------------------
transmit          :on     accept          :off    hop-limit      :64
default-life-time :1800   retransmit-time :off    reachable-time :off
link-mtu          :off    link-address    :on     other          :off    managed :off
min-adv-int       :200    max-adv-int     :600    next-send-time :448
Prefix list on interface bgroup1 to be advertised via RA
Adv Prefix Flags (PF): O On Link, A Autonomous
State (St): O On Link, D Detached
--------------------------------------------------------------------------------
IPv6 Prefix:2003:50:aa10:3300::  Len:64  PF:OA  St:O
Valid Life Time :30d00h00m  Preferred Life Time :07d00h00m
--------------------------------------------------------------------------------
fd-we-fw01->
fd-we-fw01->
fd-we-fw01-> get interface wireless0/2 ipv6 ra
Router advertisement configuration info for interface wireless0/2
--------------------------------------------------------------------------------
transmit          :on     accept          :off    hop-limit      :64
default-life-time :1800   retransmit-time :off    reachable-time :off
link-mtu          :off    link-address    :on     other          :off    managed :off
min-adv-int       :200    max-adv-int     :600    next-send-time :155
Prefix list on interface wireless0/2 to be advertised via RA
Adv Prefix Flags (PF): O On Link, A Autonomous
State (St): O On Link, D Detached
--------------------------------------------------------------------------------
IPv6 Prefix:2003:50:aa10:3342::  Len:64  PF:OA  St:O
Valid Life Time :30d00h00m  Preferred Life Time :07d00h00m
--------------------------------------------------------------------------------
fd-we-fw01->
fd-we-fw01->
fd-we-fw01-> get route v6

IPv6 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host   C: Connected   S: Static   A: Auto-Exported
I: Imported   R: RIP/RIPng   P: Permanent   D: Auto-Discovered
N: NHRP   iB: IBGP   eB: EBGP   O: OSPF/OSPFv3   E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2   trailing B: backup route

IPv6 Dest-Routes for <trust-vr> (7 entries)
--------------------------------------------------------------------------------------
      ID IP-Prefix                                    Interface     Gateway                  P Pref Mtr Vsys
--------------------------------------------------------------------------------------
*      1 ::/0                                         eth0/0        fe80::462b:3ff:fe19:300  D  252   1 Root
*      2 2003:50:aa7f:9033::/64                       eth0/0        ::                       C    0   0 Root
*      3 2003:50:aa7f:9033:b2c6:9aff:fefd:ca80/128    eth0/0        ::                       H    0   0 Root
*      5 2003:50:aa10:3300:b2c6:9aff:fefd:ca8c/128    bgroup1       ::                       H    0   0 Root
*      6 2003:50:aa10:3342::/64                       wireless0/2   ::                       C    0   0 Root
*      7 2003:50:aa10:3342:b2c6:9aff:fefd:ca97/128    wireless0/2   ::                       H    0   0 Root
*      4 2003:50:aa10:3300::/64                       bgroup1       ::                       C    0   0 Root
fd-we-fw01->
fd-we-fw01->
Any questions?