SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX300 IPV6

    Posted 10-09-2023 12:27
    Edited by CHAYNE CHILES 10-09-2023 12:33

    Hi all,

    A bit of advice, if you could.

    I have an SRX300 running 21.4R3.15.

    We have started implementing IPv6 on a test SRX connected to a MikroTik router.

    We have IPv4 working great: DHCP, internet, zones, policies.
    I have now added an IPv6 gateway address,
    added an IPv6 address to the interfaces,
    and a rib inet6.0 static route.

    But

    From my laptop I can ping the SRX via IPv6.
    From the SRX I can ping Cloudflare DNS via IPv6.

    But my laptop cannot see the internet via IPv6.

    Any idea what I need to add?
    I wondered about NAT, but the whole point of IPv6 was to take away the need for NAT.

    ## Last changed: 2023-10-09 14:56:37 UTC
    version 21.4R3.15;
    system {
        host-name WEB-GUEST-FW01;
        root-authentication {
            encrypted-password "
        }
        login {
            user net-admin {
                uid 2003;
                class super-user;
                authentication {
                    encrypted-password 
                }
            }
        }
        services {
            ssh {
                root-login deny;
            }
            netconf {
                ssh;
            }
            dhcp-local-server {
                group jdhcp-group {
                    interface irb.16;
                    interface irb.18;
                }
            }
            web-management {
                https {
                    pki-local-certificate WEB-WIFI-FW01;
                }
            }
        }
        name-server {
            1.1.1.1;
            1.0.0.1;
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file interactive-commands {
                interactive-commands any;
            }
            file messages {
                any notice;
                authorization info;
            }
        }
        max-configurations-on-flash 20;
        max-configuration-rollbacks 20;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        phone-home {
            server https://redirect.juniper.net;
            rfc-compliant;
        }
    }
    security {
        address-book {
            global {
            }
        }
        forwarding-options {
            family {
                inet6 {
                    mode flow-based;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set Guest-to-untrust {
                    from zone Guest-Wifi;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set Workshop-to-untrust {
                    from zone Workshop;
                    to zone untrust;
                    rule source_to_nat {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Guest-Wifi to-zone Guest-Wifi {
                policy Guest-to-Guest {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Guest-Wifi to-zone untrust {
                policy Guest-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone junos-host {
                policy support-access {
                    match {
                        source-address ****;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
                policy block-remote-admin {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                        }
                    }
                }
            }
            from-zone Workshop to-zone untrust {
                policy workshop-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
            from-zone Workshop to-zone Workshop {
                policy workshop-to-workshop {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            global {
                policy Global-Deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                        }
                    }
                }
            }
            default-policy {
                deny-all;
            }
            pre-id-default-policy {
                then {
                    log {
                        session-close;
                    }
                }
            }
        }
        zones {
            security-zone Guest-Wifi {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                        dhcp;
                    }
                }
                interfaces {
                    irb.16;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        https;
                        snmp;
                        ssh;
                        dns;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ssh;
                                ping;
                                traceroute;
                                snmp;
                            }
                        }
                    }
                }
            }
            security-zone Workshop {
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                        dhcp;
                    }
                }
                interfaces {
                    irb.18;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address *.*.*.* {
                        primary;
                    }
                }
                family inet6 {
                    address ipv6 address
                }
            }
        }
        ge-0/0/1 {
            native-vlan-id 18;
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ Vlan16 Vlan18 ];
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members Vlan18;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members Vlan18;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members Vlan16;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members Vlan16;
                    }
                }
            }
        }
        irb {
            unit 16 {
                family inet {
                    address 192.168.16.222/24;
                }
                family inet6 {
                    address :16::1/64;
                }
            }
            unit 18 {
                family inet {
                    address 192.168.18.222/24;
                }
                family inet6 {
                    address :18::1/64;
                }
            }
        }
    }
    access {
        address-assignment {
            pool Workshop-Range-v6 {
                family inet6 {
                    prefix 18::/64;
                    range ipv6 {
                        low 18::2/64;
                        high 500/64;
                    }
                    dhcp-attributes {
                        dns-server {
                            2606:4700:4700::1111;
                            2606:4700:4700::1001;
                        }
                        propagate-settings irb.18;
                    }
                }
            }
            pool Guest-Wifi-Range {
                family inet {
                    network 192.168.16.0/24;
                    range 16-Range {
                        low 192.168.16.11;
                        high 192.168.16.198;
                    }
                    dhcp-attributes {
                        name-server {
                            1.1.1.1;
                            8.8.8.8;
                        }
                        router {
                            192.168.16.222;
                        }
                        propagate-settings irb.16;
                    }
                }
            }
            pool Guest-Wifi-Range-v6 {
                family inet6 {
                    prefix 16::1/64;
                    range ipv6 {
                        low 16::1/64;
                        high 16::500/64;
                    }
                    dhcp-attributes {
                        dns-server {
                            2606:4700:4700::1111;
                            2606:4700:4700::1001;
                        }
                        propagate-settings irb.16;
                    }
                }
            }
            pool Workshop-Range {
                family inet {
                    network 192.168.18.0/24;
                    range 18-Range {
                        low 192.168.18.10;
                        high 192.168.18.198;
                    }
                    dhcp-attributes {
                        name-server {
                            1.1.1.1;
                            8.8.8.8;
                        }
                        router {
                            192.168.18.222;
                        }
                        propagate-settings irb.18;
                    }
                }
            }
        }
    }
    vlans {
        Vlan16 {
            vlan-id 16;
            l3-interface irb.16;
        }
        Vlan18 {
            vlan-id 18;
            l3-interface irb.18;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    routing-options {
        rib inet6.0 {
            static {
                route ::/0 next-hop ::1;
            }
        }
        static {
            route 0.0.0.0/0 next-hop 1;
        }
    }
    



    ------------------------------
    CHAYNE CHILES
    ------------------------------



  • 2.  RE: SRX300 IPV6

    Posted 10-09-2023 19:58

    You appear to be missing the router advertisement under protocols to get the IPv6 default gateway out to the clients.  The full example is here.

    https://supportportal.juniper.net/s/article/SRX-Configuration-example-Configuring-SRX-as-a-DHCPv6-Server?language=en_US



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX300 IPV6

    Posted 10-11-2023 04:33
    Edited by CHAYNE CHILES 10-11-2023 12:22

    Good morning Spuluka,

    Thank you for taking the time to look over my issue.

    I added the router advertisement to see if that would help, but no change.
    DHCP is not the issue we are experiencing. We did loosely set it up, but currently we are inputting IPv6 addresses manually into our test devices.

    However, I found that if I add this config, the IPv6 internet works.
    I disable IPv4 and can ping and browse internet addresses via IPv6.

    [edit security nat source rule-set Workshop-to-untrust]
    -      rule source_to_nat_v6 {
    -          match {
    -              source-address ::/0;
    -          }
    -          then {
    -              source-nat {
    -                  interface;
    -              }
    -          }
    -      }


    We do not want to use NAT with our IPv6 range; we have more than enough addresses to not have to use NAT.

    Why does it work with the above and not without?

    Thank you again for your time.

    Addition:

    From the SRX I can ping ipv6.google.com via my IPv6 external address.
    From the SRX I can ping my laptop connected via Wi-Fi with a manually entered IPv6 address.

    From the laptop I can ping the SRX IRB IP (irb gateway).
    From the laptop I cannot ping the SRX external IPv6 address.

    From the laptop I have no internet access.
    ------------------------------
    CHAYNE CHILES
    ------------------------------



  • 4.  RE: SRX300 IPV6

    Posted 10-11-2023 19:57

    This sounds like the return route for the IPv6 internal range may not be on your upstream provider.   If the traffic only works with NAT on the SRX interface, it would seem that the device IPv6 address prefix is not being sent to your SRX by the ISP.

    Is the subnet used provided by this ISP or your own addresses?

    How is the routing for the SRX subnet handled by the ISP?

    To confirm the outbound traffic is working, check the session table data when the NAT is turned off.  You can use zone and IP restrictions on the command to reduce the return size.

    show security flow session

    Likewise, run this after NAT is turned on and confirm the NAT change in the session table shows the sessions coming from the interface IP address as expected.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
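    The check in reply 4 (capture "show security flow session" with source NAT off, then with it on, and compare) can be made repeatable with a small parser. The script below is an added example for this thread, not Juniper tooling and not something either poster ran. The two session captures inside it are constructed to follow the general shape of the SRX session display (field order on a real box may differ); 2001:db8:18::/64 and 2001:db8:ffff::2 are documentation addresses standing in for the real Workshop prefix and the SRX external address. For each session it reports whether the reply wing ever carried packets (untranslated source but zero packets back is exactly the "no return route upstream" symptom) and whether the source was rewritten to the interface address.

```python
"""Read 'show security flow session' output and summarise it the way reply 4 suggests.

Added example for this thread, not Juniper tooling. The session text is constructed
to resemble the SRX display; 2001:db8:18::/64 and 2001:db8:ffff::2 are documentation
addresses standing in for the real internal prefix and the SRX external address."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed capture A: laptop in the Workshop zone, no IPv6 source NAT.
SAMPLE_NO_NAT = """\
Session ID: 40125, Policy name: workshop-to-untrust/6, Timeout: 2, Valid
  In: 2001:db8:18::55/49152 --> 2606:4700:4700::1111/53;udp, Conn Tag: 0x0, If: irb.18, Pkts: 3, Bytes: 210,
  Out: 2606:4700:4700::1111/53 --> 2001:db8:18::55/49152;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
Total sessions: 1
"""

# Constructed capture B: the same flow after the ::/0 interface source NAT rule was added.
SAMPLE_WITH_NAT = """\
Session ID: 40131, Policy name: workshop-to-untrust/6, Timeout: 2, Valid
  In: 2001:db8:18::55/49152 --> 2606:4700:4700::1111/53;udp, Conn Tag: 0x0, If: irb.18, Pkts: 1, Bytes: 70,
  Out: 2606:4700:4700::1111/53 --> 2001:db8:ffff::2/13244;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 86,
Total sessions: 1
"""

HEADER_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
# Groups: 1 wing, 2 src, 3 sport, 4 dst, 5 dport, 6 proto, 7 interface, 8 packets, 9 bytes
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),.*?If: (\S+?), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Session:
    session_id: int
    policy: str
    in_src: str    # original client address (In wing source)
    in_dst: str
    in_if: str
    in_pkts: int
    out_src: str
    out_dst: str   # where replies are addressed: equals in_src unless source NAT rewrote it
    out_if: str
    out_pkts: int  # packets seen on the reply wing

    @property
    def translated(self) -> bool:
        return self.out_dst != self.in_src

    @property
    def reply_seen(self) -> bool:
        return self.out_pkts > 0


def parse_sessions(text: str) -> list[Session]:
    """Turn the session display into Session objects; sessions missing a wing are skipped."""
    sessions: list[Session] = []
    header = None
    wings: dict[str, re.Match[str]] = {}

    def flush() -> None:
        if header and "In" in wings and "Out" in wings:
            i, o = wings["In"], wings["Out"]
            sessions.append(Session(
                session_id=int(header.group(1)), policy=header.group(2),
                in_src=i.group(2), in_dst=i.group(4), in_if=i.group(7), in_pkts=int(i.group(8)),
                out_src=o.group(2), out_dst=o.group(4), out_if=o.group(7), out_pkts=int(o.group(8)),
            ))

    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            flush()
            header, wings = h, {}
            continue
        w = WING_RE.match(line)
        if w:
            wings[w.group(1)] = w
    flush()
    return sessions


def verdict(sessions: list[Session]) -> str:
    """One-word reading of a capture, following reply 4's reasoning."""
    if not sessions:
        return "no-session"            # nothing matched the policy, so the flow never got this far
    if all(s.reply_seen for s in sessions):
        return "ok-with-nat" if any(s.translated for s in sessions) else "ok-no-nat"
    if not any(s.translated for s in sessions):
        return "return-path-missing"   # packets leave untranslated but nothing comes back
    return "nat-but-no-reply"


def report(sessions: list[Session], interface_ip: str) -> list[str]:
    lines = []
    for s in sessions:
        if s.translated:
            where = "the interface address" if s.out_dst == interface_ip else s.out_dst
            lines.append(f"{s.session_id}: source {s.in_src} translated to {where}")
        else:
            lines.append(f"{s.session_id}: source {s.in_src} sent untranslated via {s.out_if}")
        lines.append(f"{s.session_id}: {s.in_pkts} packet(s) out, {s.out_pkts} back")
    return lines


if __name__ == "__main__":
    for label, capture in (("NAT off", SAMPLE_NO_NAT), ("NAT on", SAMPLE_WITH_NAT)):
        parsed = parse_sessions(capture)
        print(f"[{label}] verdict: {verdict(parsed)}")
        for line in report(parsed, "2001:db8:ffff::2"):
            print("  " + line)
```

    Run it against real captures by pasting the output of the two "show security flow session" runs into the two sample strings (narrowing the command with source-prefix or family inet6 keeps the paste short). A "return-path-missing" verdict on the NAT-off capture alongside "ok-with-nat" on the NAT-on capture is the pattern reply 4 describes: the SRX is forwarding correctly and the ISP simply has no route back to the internal /64s, which interface NAT hides rather than fixes.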