Category Archives: Junos OS

Juniper SRX as a DHCPv6 PD Client on a PPPoE Interface

Recently my ISP fixed the compatibility issues between their Huawei BRAS and my Junos router. After some digging, I managed to get some IPv6 address allocation for all my client devices. Here’s how I achieved it.

Disclaimer: This article assumes you have a basic understanding of IPv6, as we are not going to dig into the details of the IPv6 standards.


What the Flow: Reverse Route Modes on Juniper SRX

An SRX is a “security device”, or as we call it conventionally, a firewall. Modern layer-3 firewalls route packets just like a router, but unlike a router, a firewall can organize packets into connections (flows) and run ACLs on the entire flow. This unique functionality is the fundamental building block of every “advanced” security feature offered by a firewall: dynamic NAT (PAT/NPT), zone-based firewall (ZBFW), ACLs for in or out connections only, L7 filtering, etc. For connection (flow) tracking to work, all the packets in a connection must go through the same device, and the 5-tuple of every packet in the connection must have the expected values, which usually means:

  • The packets from A to B and the packets from B to A must all go through the firewall at some point
  • There shouldn’t be single-sided stateless NAT happening on the route

This was never an issue when everyone was single-homed and all the routers had only one routing table. But not today. SRXs now have built-in support for virtual routers, which can easily create an asymmetric flow. Let’s look at this simplified topology:
