Recently my ISP fixed the compatibility issues between their Huawei BRAS and my Junos router. After some digging, I managed to get some IPv6 address allocation for all my client devices. Here’s how I achieved it.
Disclaimer: This article assumes you have basic understanding on IPv6 as we are not going to dig into the very details of the IPv6 standards.
This article provides everything you need to setup a local DHCP server on a SRX security device.
A SRX is a “security device”, or as we call it conventionally, a firewall. Modern layer-3 firewalls route packets just like a router, but unlike a router, a firewall can organize packets into connections (flows) and run ACLs on the entire flow. This unique functionality is the fundamental building block of every “advanced” security feature offered by a firewall: dynamic NAT (PAT/NPT), zone-based firewall (ZBFW), ACLs for in or out connections only, L7 filtering, etc. For the connection (flow) tracking to work, all the packets in a connection must go through the same device, and the 5-tuple of all the packets in a connection must be of expected values, which usually means:
- The packets from A to B and the packets from B to A must all go through the firewall at some point
- There shouldn’t be single-sided stateless NAT happening on the route
This was never an issue when everyone was single-homed and all the routers had only one routing table. But not today. SRXs now have built-in support for virtual routers which can create an asymmetric flow easily. Let’s look at this simplified topology: