IPv6 over FTTC on the Juniper SRX110

Last year my home ISP Zen Internet started offering IPv6 over their broadband network. I immediately requested that my account be IPv6 enabled. Having run IPv6 over a HE tunnel since 2009, I was excited at finally having native IPv6 on my connection.

Zen Internet and maybe other ISPs provide a /64 on the PPPoE connection via Router Advertisements and provide a /48 via DHCPv6 to be used on the internal network.

The SRX doesn’t support RAs and DHCPv6 on the same interface. This means that the PPPoE interface will only have a link-local address and not a global IPv6 address. While this will cause problems for traffic sourced from the SRX itself over IPv6, it doesn’t stop the SRX routing traffic from the /48. A loopback interface with an address from the /48 can be used as the source address for IPv6 VPNs, etc.

Firstly we will enable IPv6 forwarding.

security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
}

 

Then we enable DHCPv6 on the PPPoE interface

interfaces {
    pp0 {
        unit 0 {
            family inet6 {
                dad-disable;
                dhcpv6-client {
                    client-type statefull;
                    client-ia-type ia-pd;
                    client-identifier duid-type duid-ll;
                    update-server;
                    retransmission-attempt 9;
                }
            }
        }
    }
}

Set up a static route pointing out towards the ISP, and a static route for the /48 to discard traffic for unused subnets within the /48. This stops routing loops between the ISP and the SRX. If you have used the whole /48 or are forwarding it on to another device, then the discard route isn’t needed.

routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop pp0.0;
            route XXXX:XXXX:XXXX::/48 {
                discard;
                preference 254;
            }
        }
    }
}

Finally we need to allow DHCPv6 on the PPPoE interface.

security {
    zones {
        security-zone untrust {
            interfaces {
                pp0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcpv6;
                        }
                    }
                }
            }
        }
    }
}

Once the configuration has been applied the SRX should send a DHCPv6 request and get an IPv6 range from the DHCPv6 server.

> show dhcpv6 client binding detail

Client Interface: pp0.0
Hardware Address: 10:0e:7e:fd:89:e0
State: BOUND(DHCPV6_CLIENT_STATE_BOUND)
ClientType: STATEFUL
Lease Expires: 2016-05-09 19:48:31 UTC
Lease Expires in: 78765 seconds
Lease Start: 2016-05-08 19:48:31 UTC
Bind Type: IA_PD
Client DUID: LL0x29-10:0e:7e:fd:89:e0
Rapid Commit: Off
Server Ip Address: fe80::230:88ff:fe16:5eff
Update Server Yes
Client IP Prefix: xxxx:xxxx:xxxx::/48

DHCP options:
Name: server-identifier, Value: LL_TIME0x1-0x1cd3af3d-00:30:88:16:5e:ff
Name: dns-recursive-server, Value: xxxx:xxxx::x

 

I did come across one issue. When the PPPoE session dropped, the DHCPv6 client would get stuck in an init state and I would have to manually request a client renew for IPv6 to start working again.
I spoke with JTAC and they advised that the DHCPv6 client wasn’t supported over the PPPoE interface and that a PR request would need to be made to add the feature. My support provider advised that the SRX110H2-VA will be end of life soon and it most likely wouldn’t get resolved.
While it may not get resolved, there is a workaround which means that IPv6 connectivity is restored when the PPPoE session reconnects.

Using the event options we can run the renew command when the pp0.0 interface comes up.

 

event-options {
    policy DHCPv6fix {
        events SNMP_TRAP_LINK_UP;
        attributes-match {
            SNMP_TRAP_LINK_UP.interface-name matches pp0.0;
        }
        then {
            execute-commands {
                commands {
                    "request dhcpv6 client renew all";
                }
                user-name admin;
            }
        }
    }
}

Change the user name from admin to match a local user and then commit.
You can test to make sure it is working by clearing the PPPoE session with “clear pppoe sessions pp0.0” and then checking the DHCPv6 client bindings.
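As a monitoring complement to the event policy, the following added example (not part of the original post) parses the "show dhcpv6 client binding detail" output shown above and reports any client that is not BOUND, has no delegated prefix, or has a short lease. The stuck-client sample is constructed and its exact State text is an assumption; the check only relies on the state not starting with BOUND.

```python
import re

# Trimmed copy of the bound output shown in the post.
SAMPLE_BOUND = """\
Client Interface: pp0.0
State: BOUND(DHCPV6_CLIENT_STATE_BOUND)
Lease Expires in: 78765 seconds
Bind Type: IA_PD
Client IP Prefix: xxxx:xxxx:xxxx::/48
"""
# Constructed sample of a stuck client; the exact State text is an assumption.
SAMPLE_STUCK = """\
Client Interface: pp0.0
State: INIT(DHCPV6_CLIENT_STATE_INIT)
Bind Type: IA_PD
"""

def parse_bindings(text):
    """Split CLI output into one dict of 'Key: value' fields per client interface."""
    records = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key == "Client Interface":
            records.append({})
        if sep and records:
            records[-1][key] = value
    return records

def check_binding(rec, min_lease=3600):
    """Return the problems found in one binding; an empty list means healthy."""
    problems = []
    state = rec.get("State", "")
    if not state.startswith("BOUND"):
        problems.append(f"state is {state or 'missing'}, expected BOUND")
    if "Client IP Prefix" not in rec:
        problems.append("no delegated prefix")
    lease = re.match(r"(\d+) seconds", rec.get("Lease Expires in", ""))
    if lease and int(lease.group(1)) < min_lease:
        problems.append(f"lease expires in {lease.group(1)}s")
    return problems

def unhealthy(text, min_lease=3600):
    """Map interface name to its problems, for bindings needing attention."""
    checked = {r["Client Interface"]: check_binding(r, min_lease) for r in parse_bindings(text)}
    return {name: probs for name, probs in checked.items() if probs}

if __name__ == "__main__":
    print("bound sample:", unhealthy(SAMPLE_BOUND))
    print("stuck sample:", unhealthy(SAMPLE_STUCK))
```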

This setup may work on other models of the SRX and with other ISPs who use the Broadband Forum Standard TR187.

 

Minepeon security issue

If you use Minepeon for your Raspberry Pi based Bitcoin mining rig then you might be at risk of someone changing your pool settings and stealing your mining power!

The Minepeon web interface uses the API to get the stats from the mining software. It seems the default setting on Minepeon is to have the miner’s API accessible to all IPs and without a password!
This means that if your mining rig is on a public IP, or someone gets on to your network, they could connect to that IP and point your rig at another mining pool/user so that they get the hashes you have generated.

Below is how to change the configuration so that the API is only listening on the local host and therefore securing it from anything accessing it which isn’t running on the Raspberry Pi.

1) SSH on to the Raspberry Pi.
2) Put in the following command to edit the miner config files.


nano /opt/minepeon/etc/miner.conf /opt/minepeon/etc/miner.conf.donate /opt/minepeon/etc/miner.user.conf

3) Edit the following line from

"api-allow": "W:0\/0",

To

"api-allow": "127.0.0.1",

4) Press CTRL + X. This will then ask you if you want to save the changes; press y.
5) After saving the changes the next file will open, make the same changes you did in step 3. This will be done 3 times to change all the files.
6) Login to the Minepeon web interface and restart the miner.

To check to make sure the changes are working you can try to connect to the API at the following URL, change <ip> to be the IP of your Pi.
http://<ip>:4028/

You should get an error message, something like “Connection reset” or “no data received”, depending on your browser.
If you get a page which looks like the following then API access is still open and you should check the changes have been saved. If they have been saved, then try restarting the Pi.

STATUS=E,When=1390150582,Code=14,Msg=Invalid command,Description=bfgminer 3.4.0

A fix has been pushed to the Minepeon Git repo, so this should be fixed in the next version. I believe Minepeon version 0.2.4 and lower are vulnerable to this issue.
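To confirm that all three files were actually changed, the following added example (not part of the original post or of Minepeon) audits the api-allow value in each config file and flags any entry that is not loopback only. It assumes the config files are JSON and that api-allow is a comma-separated list of [W:]IP[/prefix] entries; the two sample strings are constructed from the before and after values in step 3.

```python
import ipaddress
import json

# The three files the post edits.
CONFIG_PATHS = [
    "/opt/minepeon/etc/miner.conf",
    "/opt/minepeon/etc/miner.conf.donate",
    "/opt/minepeon/etc/miner.user.conf",
]
# Constructed samples: the setting before and after the edit in step 3.
SAMPLES = {"before": r'{"api-allow": "W:0\/0"}', "after": '{"api-allow": "127.0.0.1"}'}

def audit_api_allow(value):
    """Return findings for one api-allow string; an empty list means loopback only."""
    findings = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        privileged = entry.upper().startswith("W:")
        target = entry[2:] if privileged else entry
        kind = "privileged (W:) access" if privileged else "read access"
        if target.endswith("/0"):  # prefix length 0 covers every address
            findings.append(f"{entry}: {kind} from any address")
            continue
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            findings.append(f"{entry}: cannot parse, review by hand")
            continue
        if not net.is_loopback:
            findings.append(f"{entry}: {kind} from {net}")
    return findings

def audit_config(text):
    """Audit the api-allow key of one miner config file given as JSON text."""
    conf = json.loads(text)
    if "api-allow" not in conf:
        return ["api-allow is not set in this file"]
    return audit_api_allow(conf["api-allow"])

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print("sample", name, audit_config(text) or "OK")
    for path in CONFIG_PATHS:
        try:
            with open(path) as fh:
                result = audit_config(fh.read())
        except (OSError, ValueError) as exc:
            result = [f"could not read: {exc}"]
        print(path, result or "OK")
```

Run it on the Pi after step 5; every file should report OK before you restart the miner.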

End of the world or not?

A lot has been said about the end of the world and that it will be happening tomorrow (21/12/2012). Lots of people have been disproving it; even NASA has been involved, and they have a part of their site dedicated to this – Beyond 2012. They also had a Google+ Hangout about it, which is available on YouTube for people to watch.
So it seems that nothing is going to hit earth, we aren’t going to be sucked into a black hole, the polar poles aren’t going to swap any time soon, etc, etc. Which means nothing to worry about.

Then I came across this on the “What’s Hot” section of Google+, which talks about us being in a Matrix style simulation. I think that would be pretty cool, but I don’t think we are likely to ever find out unless we get the offer of a “red pill” and see how deep the rabbit hole goes.
It would be fun if it was true and the end of the world on 21/12/2012 was linked, in that the world ending was actually the end of the simulation and we just get “turned off”. I guess we will find out in the morning. In the meantime, let’s count to the possible end of the world.

Some tools

Recently I have had a bit of spare time so thought I would add a couple of projects I found interesting to my web site.

IPv6 Stats

This tool allows you to get some stats on people visiting websites which have a small image included in the page. The image is used to collect the stats.

You can view the stats I have collected on my own sites at http://ipv6stats.noroutetohost.net/

Feel free to add the collector image to your own site to help build up the stats; this will work even if your site is only running on IPv4. Use the following code on your site.

The stats tool was created by Eric Vyncke; you can see the stats that Eric has collected at his website. Eric also has some interesting IPv6 deployment stats.

DNS Check

This tool runs various DNS checks and lets you know of any errors; checks include IPv6 checking and DNSSEC. You can also enter name servers to run the check against, which is useful if you are changing DNS servers and want to make sure that things are set up correctly before you change servers.

You can check your domains at http://dnscheck.noroutetohost.net

DNS check was created by the guys at http://iis.se and the source code can be downloaded from https://github.com/dotse/dnscheck

At some point I will get around to updating the themes on the above tools so that they blend in a bit more with the rest of the site.

MoDaCo – Charitable Projects – 10K for £10k for Childhood Leukemia

MoDaCo are trying to raise £10,000 for Cancer Research. To help with the donations, people have donated items for people to win. Everyone that donates to Cancer Research has a chance to win something.

The following details are from the MoDaCo post.

10K for £10K for Childhood Leukaemia

Help us raise £10,000 for Cancer Research and be in with the chance to win something cool for yourself!

If every follower donates just £1 on the Cancer Research site, we’ll hit the £10k target!

What is the ’10K for £10K for Childhood Leukaemia’ campaign?

Since the very early days of MoDaCo back in 2002, we have been involved with raising money for Cancer Research. When we’ve held our face-to-face events over the years proceeds have always been donated to CR and other fundraising efforts since have always contributed to this extremely worthy cause. Just recently I noticed that my follower count on Twitter was heading towards 10,000 and this got me thinking about whether I could use this following to do some good. This in turn led me to wonder if we could raise £10,000 for the MoDaCo Cancer Research ‘My Project’ in aid of Childhood Leukaemia, which equates to a donation of £1 per Twitter follower.

Of course, the best reward of donating to such a worthy cause is the knowledge that you are contributing to helping the most vulnerable of Cancer sufferers, but there’s no reason there can’t be an extra carrot of a gadget or two up for grabs is there…, hence we have a prize pool, the recipients of which will be chosen at random at the end of the donation effort from those who have donated.

What are the prizes?

I have started the ball rolling by donating some of my personal tech to the prize pool and I have also invited some friends of MoDaCo to offer prizes too. I hope that the list below will grow as the effort gets publicised.

Donated by @paulobrien: The winner’s choice of either my personal Dell Streak or my personal Apple iPad

Donated by Clove Technology: 1 x Samsung WEP210 Bluetooth Headset, 2 x Samsung GT-E11080 Mobile Phones, 2 x £10 Voucher off ANY Clove order
Donated by DSL Developments: 1 x Brodit passive holder and the corresponding ProClip / Windscreen mount
Donated by HTC: 1 x HTC HD Mini
Donated by HTCCode: 5 x SIM unlocks
Donated by Mobiles.co.uk: 1 x Blackberry 8520
Donated by MoDaCo member Mysterious Stranger: 1 x HTC Smart
Donated by ALK: 5 x CoPilot Live 8 (Pan Europe Maps Edition) for Android / Windows Mobile

……..

More details here

Bournemouth datacentre complete

Bournemouth datacentre build is complete and is starting to take on customers.

The datacentre is located at C4L’s head office in Westbourne.

The datacentre has the usual stuff: UPS and generator backup, man trap, multiple fibres in to the building, etc. What this datacentre has that none of the ones I have been in to has (and I have been in quite a few in various places: London, M25 Orbital, Manchester and Leeds) is that the Bournemouth one uses cold aisle containment. This makes sure that only cold air is available to be sucked in to the front of the servers and not a mixture of hot and cold air.

A picture of a block of racks below.

Racks in the DC

Another thing that has been done at the Bournemouth datacentre is to have blue lights under the floor showing through the grills to remind you which is the cold aisle :)

Here is the same picture as above but with the lights off.

Racks at night

I would highly recommend booking a tour. The site is ideal if you live closer to Bournemouth than London, hate getting stuck in London traffic, or want a disaster recovery site.

If you are interested in seeing how the datacentre was built you can find details and pictures of the build at the C4L blog. More details on the datacentre can also be found at the Bournemouth datacentre’s website.

A couple more photos of the datacentre below.

Man Trap

Cold aisle containment at the top of the racks.

Night Shot with the blue lights

Another night shot

Looks like we’re all wrong about IRC

I went to the Irssi website to grab the latest copy and saw this on the home page. It seems people who use and know what IRC is got it all wrong.

I was shocked at how wrong Numb3rs got it. While people who know about IRC will laugh at how wrong it is, anyone watching it who doesn’t know what IRC is now has completely the wrong idea about IRC.

I think this video response says it all.

TinEye – reverse image search engine

I was browsing the internet the other day and I came across this site and thought it was very useful so I thought I would post it up here

TinEye – http://www.tineye.com

It’s a search engine; however, instead of typing text for what you want to search for, you upload or provide a link to an image you want to look for and it will find images based on that image.

For example, you see someone has posted a picture of their desktop and you like the background image, but it has icons, etc. on it. You can upload it to TinEye and, if an image that looks the same is in its database, it will show you a list of results.

So say I saw this and wanted to find the original image.

withclock

I could upload it to TinEye and get the original image

376897623l

or put this in

AbbeyRoad

and get this

nogriffin

It’s also useful if you have an image and want to see if you can get it in a higher resolution.

From the TinEye website

    What is TinEye?

TinEye is a reverse image search engine. You can submit an image to TinEye to find out where it came from, how it is being used, if modified versions of the image exist, or to find higher resolution versions. TinEye is the first image search engine on the web to use image identification technology rather than keywords, metadata or watermarks.

Bournemouth Datacentre

Bournemouth’s datacentre build has started. If you are interested in seeing how a datacentre is built or want to see the progress of the build, then go to bournemouthdatacentre.co.uk where you can view a live stream of the build from 2 onsite IP cameras.

Oh, and of course the stream is in IPv4 and IPv6 :)

    Update: 24th November 2009

The datacentre build is going nicely; it’s starting to look more like a datacentre now.
The floor, aircon, fire suppression and other bits are now installed. There is also a blog of the build with pictures, so if you can’t spend all day looking at the web feeds you can visit the C4L blog of the build.

The blog is located at http://blog.c4l.co.uk