Juniper SRX and IPv6 Tunnel

This has been updated and tested as working with JunOS 12.3X48-D35.7.

The last time I moved, I went through the unfortunate bit of having to change Hurricane Electric tunnel servers.

I lost my previous IPv6 block that I’d been using for my home network. I had the option to simply re-IP all the devices at the house, but frankly, that’s more of a PITA than I wanted. I thought about my options and decided that I would take the opportunity to learn about doing NAT66 on my SRX. This would allow me to set up the home network with a private block of IPv6 that won’t ever need to change, while still allowing me to have the IPv6 Hurricane Electric tunnel (regardless of whether I continue using a tunnel, or if I get native IPv6 from my ISP).

Hurricane Electric’s tunnel suggestion

It took a bit of trial and error, a fair bit of googling, and some back and forth with the O’Reilly Juniper SRX Series book. I finally arrived at the following: I need to put the allocation from Hurricane Electric on my public interface. The tunnel is set up as per their docs. Hurricane Electric offers this bit as a starting point (this is for their SEA server):

set interfaces ip-0/0/0 description "HE Tunnel"
set interfaces ip-0/0/0 unit 0 tunnel source 67.42.3.9
set interfaces ip-0/0/0 unit 0 tunnel destination 184.105.253.10
set interfaces ip-0/0/0 unit 0 family inet6 mtu 1280
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:db8:1f0e:512::2/64
set routing-options rib inet6.0 static route ::/0 next-hop 2001:db8:1f0e:512::1
set security forwarding-options family inet6 mode flow-based

The private block is on my private interface. This will get you going, provided you want to use your publicly routable block internally on your network. All you need to do after this is get the block allocated, assign an IP to the uplink interface, and allocate IPs on your network. Easy day.

louisk@srx.cmhome# run ping count 3 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:db8:1f0e:512::2 --> 2607:f8b0:4002:c08::66
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=0 hlim=57 time=46.371 ms
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=1 hlim=57 time=57.399 ms
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=2 hlim=57 time=88.405 ms

--- 2607:f8b0:4002:c08::66 ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 46.371/64.058/88.405/17.795 ms

[edit]
louisk@srx.cmhome#

NAT66

I didn’t want to stop here. I needed to use private IPs on the network and NAT them. The O’Reilly Juniper SRX Series book has a good section on NAT that covers IPv6, and specifically NAT66. A little more trial and error and I had a working configuration. The whole section of related config follows.

set interfaces ge-0/0/0 description "Uplink to EX4200"
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.1/30
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:ca7::1/64
set interfaces ip-0/0/0 description "HE Tunnel"
set interfaces ip-0/0/0 unit 0 tunnel source 67.42.3.9
set interfaces ip-0/0/0 unit 0 tunnel destination 184.105.253.10
set interfaces ip-0/0/0 unit 0 family inet6 mtu 1280
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:db8:1f0e:512::2/64
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:db8:b9de::1/48
set interfaces ge-0/0/15 description "Century Link"
set interfaces ge-0/0/15 unit 0 family inet address 67.42.3.9/29
set routing-options rib inet6.0 static route ::/0 next-hop 2001:db8:1f0e:512::1
set routing-options rib inet6.0 static route 2001:db8:ca7::/48 next-hop 2001:db8:ca7::2
set security forwarding-options family inet6 mode flow-based
set security nat static rule-set house_v6 from zone untrust
set security nat static rule-set house_v6 rule 2001_db8_b9de__48 match destination-address 2001:db8:b9de::/48
set security nat static rule-set house_v6 rule 2001_db8_b9de__48 then static-nat prefix 2001:db8:ca7::/48
set security nat proxy-ndp interface ip-0/0/0.0 address 2001:db8:b9de::2/128 to 2001:db8:b9de:ffff:ffff:ffff:ffff:ffff
set security zones security-zone untrust interfaces ip-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ip-0/0/0.0 host-inbound-traffic protocols router-discovery

Now, if I log in to my switch, I can run the same ping, and if things are set up properly, I’ll get responses.

louisk@switch0.cmhome> ping count 3 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:db8:ca7::2 --> 2607:f8b0:4002:c08::66
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=0 hlim=56 time=60.641 ms
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=1 hlim=56 time=60.975 ms
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=2 hlim=56 time=46.828 ms

--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 46.828/56.148/60.975/6.592 ms

{master:0}
louisk@switch0.cmhome>

Now I can start carving up netblocks on the switch (no smaller than a /64; many things break if you use a smaller block, and the IETF intends a /64 to be the smallest block for anything other than a point-to-point link) and do pretty much anything I need to do.
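An added check that is not from the post: a short Python script that does on paper what the static-nat prefix rule and the proxy-NDP range above do on the SRX, so a new /64 carved from the internal /48 can be checked against the external /48 before it is committed. It uses the prefixes from the config above; the helper names are my own.

```python
import ipaddress

# Prefixes taken from the SRX config in the post (documentation prefixes, as the post uses them)
INTERNAL = ipaddress.IPv6Network("2001:db8:ca7::/48")    # private side behind NAT66
EXTERNAL = ipaddress.IPv6Network("2001:db8:b9de::/48")   # routed /48 from Hurricane Electric
PROXY_NDP_START = ipaddress.IPv6Address("2001:db8:b9de::2")
PROXY_NDP_END = ipaddress.IPv6Address("2001:db8:b9de:ffff:ffff:ffff:ffff:ffff")


def translate(addr, src, dst):
    """Swap the prefix of addr from src to dst and keep the host bits.
    This is what 'then static-nat prefix' does: a stateless 1:1 prefix
    rewrite, so one rule serves inbound and outbound traffic."""
    addr = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("static-nat prefix lengths must match")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_bits = int(addr) & int(src.hostmask)
    return ipaddress.IPv6Address(int(dst.network_address) | host_bits)


def outbound(addr):
    """Internal -> external: the source address the Internet sees."""
    return translate(addr, INTERNAL, EXTERNAL)


def inbound(addr):
    """External -> internal: the destination after the untrust rule matches."""
    return translate(addr, EXTERNAL, INTERNAL)


def carve(prefix, new_prefixlen=64, count=4):
    """First `count` subnets of prefix; refuses anything longer than /64."""
    if new_prefixlen > 64:
        raise ValueError("do not carve smaller than /64")
    gen = prefix.subnets(new_prefix=new_prefixlen)
    return [next(gen) for _ in range(count)]


def check_subnet(internal_net):
    """Map an internal subnet to its external twin and count its addresses that
    fall outside the proxy-NDP range; the SRX answers no neighbor solicitation
    for those, so nothing arriving over the tunnel can reach them. For the
    first /64 the two uncovered addresses are ::0 and ::1, and ::1 is the
    SRX's own tunnel address, so that gap is expected."""
    ext = ipaddress.IPv6Network(
        (int(outbound(internal_net.network_address)), internal_net.prefixlen))
    below = max(0, int(PROXY_NDP_START) - int(ext.network_address))
    above = max(0, int(ext[-1]) - int(PROXY_NDP_END))
    return str(ext), below, above
```

Run `check_subnet` over `carve(INTERNAL)` and a non-zero count in the result (other than the first /64's two addresses) means the proxy-ndp line and the NAT rule no longer agree.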
