This has been updated and tested working with JunOS 12.3X48-D35.7

The last time I moved, I went through the unfortunate bit of having to change Hurricane Electric tunnel servers.

I lost my previous IPv6 block that I’d been using for my home network. I had the option to simply re-IP all the devices at the house, but frankly, that’s more of a PITA than I wanted. I thought about my options and decided that I would take the opportunity to learn about doing NAT66 on my SRX. This would allow me to set up the home network with a private block of IPv6 that won’t ever need to change, while still keeping the Hurricane Electric IPv6 tunnel (and it keeps working regardless of whether I continue using a tunnel or eventually get native IPv6 from my ISP).

Hurricane Electric’s tunnel suggestion

It took a bit of trial and error, a fair bit of googling, and some back and forth with the O’Reilly Juniper SRX Series book. I finally arrived at the following: I need to put the allocation from Hurricane Electric on my public interface. The tunnel is set up as per their docs. Hurricane Electric offers this bit as a starting point (this is for their SEA server):

set interfaces ip-0/0/0 description "HE Tunnel"
set interfaces ip-0/0/0 unit 0 tunnel source 67.42.3.9
set interfaces ip-0/0/0 unit 0 tunnel destination 184.105.253.10
set interfaces ip-0/0/0 unit 0 family inet6 mtu 1280
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:db8:1f0e:512::2/64
set routing-options rib inet6.0 static route ::/0 next-hop 2001:db8:1f0e:512::1
set forwarding-options family inet6 mode flow-based

The private block is on my private interface. This will get you going, provided you want to use your publicly routable block internally on your network. All you need to do after this is get the block allocated, assign an IP to the uplink interface, and allocate IPs on your network. Easy day.

louisk@srx.cmhome# run ping count 3 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:db8:1f0e:512::2 --> 2607:f8b0:4002:c08::66
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=0 hlim=57 time=46.371 ms
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=1 hlim=57 time=57.399 ms
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=2 hlim=57 time=88.405 ms

--- 2607:f8b0:4002:c08::66 ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 46.371/64.058/88.405/17.795 ms

[edit]
louisk@srx.cmhome#

NAT66

I didn’t want to stop here. I needed to use private IPs on the network and NAT them. The O’Reilly Juniper SRX Series book has a good section on NAT that covers IPv6, and specifically NAT66. A little more trial and error and I had a working configuration. The whole section of related config follows.

set interfaces ge-0/0/0 description "Uplink to EX4200"
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.1/30
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:ca7::1/64
set interfaces ip-0/0/0 description "HE Tunnel"
set interfaces ip-0/0/0 unit 0 tunnel source 67.42.3.9
set interfaces ip-0/0/0 unit 0 tunnel destination 184.105.253.10
set interfaces ip-0/0/0 unit 0 family inet6 mtu 1280
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:db8:1f0e:512::2/64
set interfaces ip-0/0/0 unit 0 family inet6 address 2001:db8:b9de::1/48
set interfaces ge-0/0/15 description "Century Link"
set interfaces ge-0/0/15 unit 0 family inet address 67.42.3.9/29
set routing-options rib inet6.0 static route ::/0 next-hop 2001:db8:1f0e:512::1
set routing-options rib inet6.0 static route 2001:db8:ca7::/48 next-hop 2001:db8:ca7::2
set security forwarding-options family inet6 mode flow-based
set security nat static rule-set house_v6 from zone untrust
set security nat static rule-set house_v6 rule 2001_db8_b9de__48 match destination-address 2001:db8:b9de::/48
set security nat static rule-set house_v6 rule 2001_db8_b9de__48 then static-nat prefix 2001:db8:ca7::/48
set security nat proxy-ndp interface ip-0/0/0.0 address 2001:db8:b9de::2/128 to 2001:db8:b9de:ffff:ffff:ffff:ffff:ffff
set security zones security-zone untrust interfaces ip-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ip-0/0/0.0 host-inbound-traffic protocols router-discovery

Now, if I log in to my switch, I can run the same ping, and if things are set up properly, I’ll get responses.

louisk@switch0.cmhome> ping count 3 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:db8:ca7::2 --> 2607:f8b0:4002:c08::66
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=0 hlim=56 time=60.641 ms
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=1 hlim=56 time=60.975 ms
16 bytes from 2607:f8b0:4002:c08::66, icmp_seq=2 hlim=56 time=46.828 ms

--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 46.828/56.148/60.975/6.592 ms

{master:0}
louisk@switch0.cmhome>

Now I can start carving up netblocks on the switch and do pretty much anything I need to do. (Don’t go smaller than a /64: many things break if you use a smaller block, and it is the intent of the IETF that a /64 be the smallest block for anything other than a point-to-point link.)
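To predict which public address a given host in the house will appear from, and to confirm that the proxy-ndp range on the tunnel interface covers it, here is an added Python model of the static-NAT prefix rewrite performed by the house_v6 rule set (example code, not from the original post and not Junos code). The prefixes and the proxy-ndp bounds are the ones in the configuration above; the model assumes Junos static NAT applies the same one-to-one prefix rewrite in both directions, which is how static NAT behaves on the SRX.

```python
# Added example (not from the original post): models the one-to-one prefix
# rewrite of the house_v6 static-NAT rule, so you can predict the public
# address of a private host and check it falls inside the proxy-ndp range.
import ipaddress

# Values taken from the SRX configuration on this page.
PUBLIC_PREFIX = ipaddress.IPv6Network("2001:db8:b9de::/48")   # routed /48 from HE
PRIVATE_PREFIX = ipaddress.IPv6Network("2001:db8:ca7::/48")   # used inside the house
PROXY_NDP_FIRST = ipaddress.IPv6Address("2001:db8:b9de::2")
PROXY_NDP_LAST = ipaddress.IPv6Address("2001:db8:b9de:ffff:ffff:ffff:ffff:ffff")


def translate(addr, src, dst):
    """Rewrite the network bits of addr from prefix src to prefix dst.

    'static-nat prefix' is a one-to-one mapping: the host bits are kept
    untouched, so the two prefixes must be the same length.
    """
    addr = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("static NAT prefixes must have equal length")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_bits = int(addr) & int(src.hostmask)
    return ipaddress.IPv6Address(int(dst.network_address) | host_bits)


def to_public(private_addr):
    """Source rewrite applied to outbound traffic (reverse direction of the rule)."""
    return translate(private_addr, PRIVATE_PREFIX, PUBLIC_PREFIX)


def to_private(public_addr):
    """Destination rewrite applied to packets arriving from zone untrust."""
    return translate(public_addr, PUBLIC_PREFIX, PRIVATE_PREFIX)


def proxy_ndp_covers(private_addr):
    """True if the host's public address lies inside the proxy-ndp range."""
    return PROXY_NDP_FIRST <= to_public(private_addr) <= PROXY_NDP_LAST


if __name__ == "__main__":
    # The switch that ran the second ping in the post lives at 2001:db8:ca7::2.
    switch = "2001:db8:ca7::2"
    print(switch, "->", to_public(switch), "covered:", proxy_ndp_covers(switch))
    # The mapping must round-trip back to the private address.
    assert to_private(to_public(switch)) == ipaddress.IPv6Address(switch)
```

The SRX's own address 2001:db8:ca7::1 maps to 2001:db8:b9de::1, which is exactly why the proxy-ndp range in the configuration starts at ::2.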
