Hello,
In your config, sp-1/3/0.142 is assigned to 2 different service-sets.
Please remove sp-1/3/0.142 from interface-style service-set and try again.
Also, your routing appears incorrect, you don't need 0/0 route pointing to outside sp-* interface, there should be a NAT pool route installed automatically and pointing to outside sp-* interface.

It would be highly beneficial to everyone if you care to draw a diagram and post it here.

Thanks

Alex

Thank you for your reply.

The sp-1/3/0.142 interface is used by one service-set at once. Indeed I don't configure concurrently the interface-style and NH-style translation.

Please find joint a summary of both configurations.

For the NH style, the static route in the routing instance of the IPv6 domain, points to the sp-1/3/0.142 interface.

Regards,

Hello,

When I remove source from nat rule, things go better.

However, such impelmentation may be not be enough in a VPN context.

Does M10i or MX series support provider specific prefix?

Does anyone have an idea about scalability figures when NAT64 is active on the router (delay, packet loss under heavy load, etc.?)

Thank you and best regards,

Hello,

I labbed your setup and it is working for me on M7i+JUNOS 11.4R2.

There is an error (probably typo) in Your NAT rule config:

# show services nat rule nat64
match-direction input;
term t1 {
    from {
        source-address {
            2001:db8::0/96; <=== it matches on 1 IPv6 address only!
        } 
        destination-address {
            64:ff9b::/96;
        }
    }

When I change it to:

aarseniev@stannis# show 
from {
    source-address {
        2001:db8:0:1::/96; <== exact source prefix as in your PDF
    }
    destination-address {
        64:ff9b::/96;
    }
}

- then it works just fine:

[edit services nat rule nat64 term t1]
aarseniev@stannis# run show services stateful-firewall flows extensive 
Interface: sp-1/2/0, Service set: nat64-ss
Flow                                                State    Dir       Frm count
ICMP    192.168.140.10       ->  192.168.142.1       Watch    O             165
    NAT source  192.168.140.10         -> 64:ff9b::c0a8:8c0a
    NAT dest     192.168.142.1         -> 2001:db8:0:1::c0a8:8d01
  Byte count: 9240
  Flow role: Responder, Timeout: 29
ICMPV62001:db8:0:1::c0a8:8d01->64:ff9b::c0a8:8c0a    Watch    I             165
    NAT source 2001:db8:0:1::c0a8:8d01 ->   192.168.142.1
    NAT dest   64:ff9b::c0a8:8c0a      ->  192.168.140.10
  Byte count: 5940
  Flow role: Master, Timeout: 29

 HTH

Rgds

Alex

Hello,y

I have one more issue with NAT64 deployment in a DS context.

Indeed, I want to setup the network such that the IPv6 domain is a DS domain.

Some applications will be using NAT64 to reach IPv4-only domain. The others will use native IPv4.

Conceptually, the idea is simple:

- create a service-set for nat64 as discussed previously,

- create another service set that calls a simple stateful firewall rule, to forward traffic between IPv4 vlans: the one in the DS domain, and the one in the IPv4 domain.

You'll find a summary of the encountred issue, as one logical or physical interface cannot be attached to many service-sets. I want to avoid any impact on IPv4-only domain, i.e.,

- traffic towards NAT64 prefix is intercepted by sp-1/3/0.142 and NATTED to IPv4 traffic, towards .140 IPv4-only vlan.

- traffic towards IPv4 .140 vlan is forwarded to that IPv4 vlan.

Unfortunalely, the router doesn't commit service-set that uses logical interface referenced in other service sets.

Please find joint the logical design of my conf.

Do you have any idea about how to avoid modification on IPv4-only domain?

Thank you,

Best Regards,

Hello,

I am not sure what exactly your issue is this time, but one can use SFW rule and NAT rule in the same service-set.

SFW rule and NAT rule don't have to match on same header fields.

Also, RFC 6144 gives some guidance on what should work and what should be avoided.

IPv4 network to IPv6 Internet, IPv4 internet to IPv6 network and IPv4 network to IPv6 network are considered hard cases and no rock-solid solution exists.

HTH

Rgds
Alex 

Hi Alex,

Thank you for your advise. Indeed, I tried having as next-hop the same service interface sp-1/3/0.142 to process IP (v4 and v6) traffic and it works;

My error was to think that we can't have the same next-hop for both ipv4 and ipv6 routes.

# show routing-instances SFW-vr-142
instance-type virtual-router;
interface ge-1/1/0.141;
interface sp-1/3/0.142;
routing-options {
    rib SFW-vr-nj-142.inet6.0 {
        static {
            route ::/0 next-hop sp-1/3/0.142;
        }
    }
    static {
        route 0.0.0.0/0 next-hop sp-1/3/0.142;
    }
}

As far as it concerns communications from IPv4 network to IPv6 network, I thought that NAT-PT could be used, as

 RFC 6144 precises that:

Regards,

Hi,

I have a strange issue with service-set that handles translation:

Below I can see that there is something wrong with my DNS and NTP services which forward traffic to outside.

As soon as the traffic count reaches a certain value, my service-set becomes saturated and handles no more traffic.

As soon as I reboot the router, flow table is purged and traffic is correctly handled.

1°/ Does this means that we have a limit on traffic that could be handled by a service-set in Junos (in general and independently of nat64)?

# run show services stateful-firewall flows
Interface: sp-1/3/0, Service set: nat64_nh
Flow                                                State    Dir       Frm count
UDP      192.168.109.2:53    ->192.168.140.100:42867 Forward  O               0
UDP      192.168.109.2:53    ->192.168.140.100:42867 Forward  I               0
UDP    192.168.140.100:42867 ->  192.168.109.2:53    Forward  I         110754845
UDP    192.168.140.100:42867 ->  192.168.109.2:53    Forward  O         110754694
UDP    192.168.254.170:123   -> 213.186.55.204:123   Forward  O         727355355
UDP    192.168.254.170:123   -> 213.186.55.204:123   Forward  I         727633920
UDP    192.168.140.100:40028 ->  192.168.109.2:53    Forward  I         110430343
UDP    192.168.140.100:40028 ->  192.168.109.2:53    Forward  O         110432677
UDP      192.168.109.2:53    ->192.168.140.100:40028 Forward  O               0
UDP      192.168.109.2:53    ->192.168.140.100:40028 Forward  I               0
UDP    192.168.254.170:123   ->  87.106.98.153:123   Forward  O         197721267
UDP    192.168.254.170:123   ->  87.106.98.153:123   Forward  I         197722038
UDP     213.186.55.204:123   ->192.168.254.170:123   Forward  I               0
UDP     213.186.55.204:123   ->192.168.254.170:123   Forward  O               0
UDP      88.190.19.201:123   ->192.168.254.170:123   Forward  I               0
UDP      88.190.19.201:123   ->192.168.254.170:123   Forward  O               0
UDP    192.168.254.170:123   ->  88.190.19.201:123   Forward  O         197993326
UDP    192.168.254.170:123   ->  88.190.19.201:123   Forward  I         197987159
UDP    192.168.254.170:123   ->  88.191.120.99:123   Forward  O         386199729
UDP    192.168.254.170:123   ->  88.191.120.99:123   Forward  I         386277742
UDP      87.106.98.153:123   ->192.168.254.170:123   Forward  I               0
UDP      87.106.98.153:123   ->192.168.254.170:123   Forward  O               0
UDP      88.191.120.99:123   ->192.168.254.170:123   Forward  I               0
UDP      88.191.120.99:123   ->192.168.254.170:123   Forward  O               0

Thank you for you reply,

Regards,