Juniper SRX and Private IPv6 Addresses
I have a Comcast cable modem that is providing an IPv6 address that my Juniper SRX300 is binding to its outside interface. From the SRX I can successfully ping and ssh to various IPv6 devices on the Internet. Unfortunately I have not been able to get a routable /64 address block to use on the “inside” of my firewall. This may be because Comcast is not currently providing that – or – it may be because I have not put together the correct set of commands to make that work.
To work around this problem, I bound a /64 private IPv6 address range to my inside network and set up IPv6 NAT. Now devices (Linux, Windows, and others) on my “inside” network can access IPv6 addresses on the Internet. The following documents how I set this up. Please note that I know there are differences on the Comcast network depending on where you are in the US, so YMMV.
First, the interface connected to Comcast. I am using irb.20:
set interfaces irb unit 20 description COMCAST
# I have a set of static ipv4 addresses from Comcast
set interfaces irb unit 20 family inet address x.x.x.x/28
# ipv6 configuration on the interface
set interfaces irb unit 20 family inet6 dhcpv6-client client-type stateful
set interfaces irb unit 20 family inet6 dhcpv6-client client-ia-type ia-na
set interfaces irb unit 20 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces irb unit 20 family inet6 dhcpv6-client retransmission-attempt 6
set interfaces irb unit 20 family inet6 dhcpv6-client update-server
Next we need to set up router advertisement on my inside network; my inside network is connected to irb.80:
set protocols router-advertisement interface irb.80 min-advertisement-interval 5
set protocols router-advertisement interface irb.80 managed-configuration
# I am using private ipv6 address block fd00:80::/64
set protocols router-advertisement interface irb.80 prefix fd00:80::/64
I am using 10.128.80.1/24 as the IPv4 address on this interface and fd00:80::1/64 as the IPv6 address on the SRX:
set interfaces irb unit 80 family inet address 10.128.80.1/24
set interfaces irb unit 80 family inet6 address fd00:80::1/64
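The fd00:80::/64 block above is a Unique Local Address, and RFC 4193 expects the 40-bit Global ID after the fd byte to be pseudo-random so that two sites' ULAs are unlikely to collide if their networks are ever joined (for example over a VPN); fd00:80::/64 has Global ID 0x0000800000 and Subnet ID 0, which is not random. The following added example (my own code, not part of the original post or any Juniper tool) generates a ULA /64 the RFC 4193 way, sanity-checks an inside prefix, and emits the irb and router-advertisement set lines in the same shape as the ones above; the MAC address and NTP timestamp it uses are constructed sample values.

```python
import hashlib
import ipaddress
import time
from typing import List, Optional, Tuple

LOCAL_ULA = ipaddress.IPv6Network("fd00::/8")  # locally assigned ULA space (RFC 4193)


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def generate_ula_prefix(mac: str, subnet_id: int, ntp_time: Optional[int] = None) -> str:
    """RFC 4193 3.2.2: Global ID = low 40 bits of SHA-1(64-bit NTP time || EUI-64).
    Prefix = 0xfd | 40-bit Global ID | 16-bit Subnet ID, returned as a /64 string."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id is 16 bits")
    if ntp_time is None:  # seconds since 1900 in the high 32 bits, fraction below
        now = time.time()
        ntp_time = ((int(now) + 2208988800) << 32) | int((now % 1) * 2**32)
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    net = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return str(ipaddress.IPv6Network((net, 64)))


def split_ula(prefix: str) -> Tuple[int, int]:
    """Return (Global ID, Subnet ID) of a ULA /64, e.g. fd00:80::/64 -> (0x800000, 0)."""
    net = int(ipaddress.IPv6Network(prefix).network_address)
    return (net >> 80) & 0xFFFFFFFFFF, (net >> 64) & 0xFFFF


def check_prefix(prefix: str) -> List[str]:
    """Sanity checks for the inside prefix the SRX advertises via RA and source-NATs."""
    net = ipaddress.IPv6Network(prefix)
    problems = []
    if not net.subnet_of(LOCAL_ULA):
        problems.append("not in fd00::/8 (locally assigned ULA)")
    if net.prefixlen != 64:
        problems.append("RA/SLAAC prefix must be a /64")
    return problems


def render_junos(prefix: str, irb_unit: int = 80) -> List[str]:
    """Emit the irb address and router-advertisement 'set' lines for a given /64."""
    net = ipaddress.IPv6Network(prefix)
    ra = f"set protocols router-advertisement interface irb.{irb_unit}"
    return [
        f"set interfaces irb unit {irb_unit} family inet6 address {net[1]}/{net.prefixlen}",
        f"{ra} min-advertisement-interval 5",
        f"{ra} managed-configuration",
        f"{ra} prefix {net}",
    ]
```

Running `render_junos(generate_ula_prefix("<your MAC>", 0x80))` prints a drop-in replacement for the irb.80 and router-advertisement lines with a randomly generated Global ID.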
I named the inside zone SECURE:
set security zones security-zone SECURE host-inbound-traffic system-services all
set security zones security-zone SECURE host-inbound-traffic protocols all
set security zones security-zone SECURE interfaces irb.80 host-inbound-traffic system-services all
set security zones security-zone SECURE interfaces irb.80 host-inbound-traffic protocols all
COMCAST is the name of the security zone for my Comcast connection:
set security policies from-zone SECURE to-zone SECURE policy SECURE-TO-SECURE match source-address any
set security policies from-zone SECURE to-zone SECURE policy SECURE-TO-SECURE match destination-address any
set security policies from-zone SECURE to-zone SECURE policy SECURE-TO-SECURE match application any
set security policies from-zone SECURE to-zone SECURE policy SECURE-TO-SECURE then permit
set security policies from-zone SECURE to-zone COMCAST policy SECURE-COMCAST match source-address any
set security policies from-zone SECURE to-zone COMCAST policy SECURE-COMCAST match destination-address any
set security policies from-zone SECURE to-zone COMCAST policy SECURE-COMCAST match application any
set security policies from-zone SECURE to-zone COMCAST policy SECURE-COMCAST then permit
And finally, the NAT:
set security nat source rule-set SECURE-to-COMCAST from zone SECURE
set security nat source rule-set SECURE-to-COMCAST to zone COMCAST
set security nat source rule-set SECURE-to-COMCAST rule SECURE-NAT-COMCAST match source-address 0.0.0.0/0
set security nat source rule-set SECURE-to-COMCAST rule SECURE-NAT-COMCAST then source-nat interface
set security nat source rule-set SECURE-to-COMCAST rule SECURE-NAT-COMCAST6 match source-address ::/0
set security nat source rule-set SECURE-to-COMCAST rule SECURE-NAT-COMCAST6 then source-nat interface
I am not bothering to set up DHCPv6 at this time (I may change that later, at which point I will update this document).