IPv6 over FTTC on the Juniper SRX110

Last year my home ISP Zen Internet started offering IPv6 over their broadband network. I immediately requested for my account to be IPv6 enabled. Having run IPv6 over a HE tunnel since 2009 I was excited at finally having native IPv6 on my connection.

Zen Internet and maybe other ISPs provide a /64 on the PPPoE connection via Router Advertisements and provide a /48 via DHCPv6 to be used on the internal network.

The SRX doesn’t support RAs and DHCPv6 on the same interface, this means that the PPPoE interface will only have a link local address and not a global IPv6 address, while this will cause problems for traffic sourced from the SRX itself over IPv6 it doesn’t stop the SRX routing traffic from the /48. A loopback interface with an address from the /48 can be used for source address for IPv6 VPNs, etc

Firstly we will enable IPv6 forwarding.

security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;


Then we enable DHCPv6 on the PPPoE interface

interfaces {
    pp0 {
        unit 0 {
            family inet6 {
                dhcpv6-client {
                    client-type statefull;
                    client-ia-type ia-pd;
                    client-identifier duid-type duid-ll;
                    retransmission-attempt 9;

Set up a static route pointing out towards the ISP and a static route for the /48 to discard traffic for unused subnets with in the /48. This stops routing loops between the ISP and the SRX, If you have used the whole /48 or forwarding it on to another device then the discard route isn’t needed.

routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop pp0.0;
            route XXXX:XXXX:XXXX::/48 {
                preference 254;

Finally we need to allow DHCPv6 on the PPPoE interface.

security {
      security-zone untrust {
            interfaces {
                pp0.0 {
                    host-inbound-traffic {
                        system-services {

Once the configuration has been applied the SRX should send a DHCPv6 request and get an IPv6 range from the DHCPv6 server.

> show dhcpv6 client binding detail

Client Interface: pp0.0
Hardware Address: 10:0e:7e:fd:89:e0
ClientType: STATEFUL
Lease Expires: 2016-05-09 19:48:31 UTC
Lease Expires in: 78765 seconds
Lease Start: 2016-05-08 19:48:31 UTC
Bind Type: IA_PD
Client DUID: LL0x29-10:0e:7e:fd:89:e0
Rapid Commit: Off
Server Ip Address: fe80::230:88ff:fe16:5eff
Update Server Yes
Client IP Prefix: xxxx:xxxx:xxxx::/48

DHCP options:
Name: server-identifier, Value: LL_TIME0x1-0x1cd3af3d-00:30:88:16:5e:ff
Name: dns-recursive-server, Value: xxxx:xxxx::x


I did come across one issue. When the PPPoE session dropped the DHCPv6 client would get stuck in an init state and I would have to manually request a client renew for IPv6 to start working again.
Speaking with JTAC and they advised that  DHCPv6 client wasn’t supported over the PPPoE interface and PR request would need to made to add the feature. My support provider advised that the SRX110H2-VA will be end of life soon and mostly wouldn’t get resolved.
While it may not get resolved there is a work around which means that IPv6 connectivity is restored when the PPPoE session reconnects.

Using the event options we can run the renew command when the pp0.0 interface comes up.


event-options {
    policy DHCPv6fix {
        events SNMP_TRAP_LINK_UP;
        attributes-match {
            SNMP_TRAP_LINK_UP.interface-name matches pp0.0;
        then {
            execute-commands {
                commands {
                    "request dhcpv6 client renew all";
                user-name admin;

Change the user name from admin to match a local user and then commit.
You can test to make sure it working by clearing the PPPoE session with “clear pppoe sessions pp0.0” and then check the DHCPv6 client bindings.

This setup may work on other models of the SRX and with other ISPs who use the Broadband Forum Standard TR187


Bournemouth Datacentre

Bournemouth’s datacentre build has started, If you are interested in seeing how a datacentre is built or want to see the progress of the build then go to bournemouthdatacentre.co.uk where you can view a live stream from 2 onsite IP cameras of the build.

oh and of course the stream is in IPV4 and IPV6 :)

    Update: 24th November 2009

The Datacentre build is going nicely, its starting to look more like a datacentre now.
The floor, Aircon, fire suppression and other bits are now installed, there is also a blog of the build with pictures so if you cant spend all day looking at the web feeds you can visit the C4L blog of the build.

The blog is located at http://blog.c4l.co.uk