/* NOTE(review): this dump was collapsed onto one line and its braces do not
 * balance: "telnet xnm-clear-text; netconf syslog {" has lost its separators,
 * nothing closes "services"/"system" before "interfaces", "policies" is never
 * closed before "zones", the "{" after "security-zone wlan_client" is missing,
 * and the text ends one "}" short. The indentation below follows the braces
 * exactly as dumped, so several stanzas appear nested under "services" and
 * "policies" where a committable configuration would have them at system /
 * security level. Treat this as a reference extract, not loadable config.
 * No ntp stanza is visible in the dump; if it is really absent, syslog and
 * session-log timestamps cannot be correlated with other devices. */
version 12.1X46-D10.2;
/* Per-node groups for a two-member chassis cluster: hostname and fxp0
 * management address differ per node, everything else is shared. */
groups {
    node0 {
        system {
            host-name XXX-FIW001;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 2.2.2.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name XXX-FIW002;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 2.2.2.2/24;
                    }
                }
            }
        }
    }
}
/* ${node} expands to node0 / node1 on the respective cluster member. */
apply-groups "${node}";
system {
    root-authentication {
        /* Marked SECRET-DATA by the system: a configuration export that
         * contains this line should be stored and shared as a credential.
         * The value shown appears truncated or redacted. */
        encrypted-password "$h/6V1Hz4v2Y4/k8wSmTIX0"; ## SECRET-DATA
    }
    /* NOTE(review): telnet and xnm-clear-text are cleartext management
     * services. The trust and Untrust zones only admit ssh/ping/traceroute
     * (plus dhcp on trust), but the wlan_client zone below admits "all"
     * system-services, so any cleartext service enabled here would be
     * reachable from the wireless client network. Removing telnet and
     * xnm-clear-text, or enumerating services on wlan_client, closes that. */
    services {
        /* Garbled in the dump: "telnet", "xnm-clear-text" and "netconf" have
         * lost their separators and "syslog {" is fused onto "netconf". */
        telnet xnm-clear-text;
        netconf syslog {
            /* Local retention is three 100k files on the node itself; no
             * remote syslog host is configured, so log evidence does not
             * survive a device wipe or compromise. */
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            /* Only error-level interactive-command events are kept; a
             * change-audit trail normally records interactive-commands at
             * "any" (or "info") so configuration changes are logged. */
            file interactive-commands {
                interactive-commands error;
            }
            max-configurations-on-flash 5;
            max-configuration-rollbacks 5;
            license {
                autoupdate {
                    url https://ae1.juniper.net/junos/key_retrieval;
                }
            }
            chassis {
                cluster {
                    reth-count 3;
                }
                /* RG0 = routing-engine mastership; node0 preferred. */
                redundancy-group 0 {
                    node 0 priority 200;
                    node 1 priority 100;
                }
                /* RG1 = data-plane (all three reth interfaces); node0
                 * preferred. Weight 255 on every monitored link means a
                 * single link failure on the active node triggers failover. */
                redundancy-group 1 {
                    node 0 priority 200;
                    node 1 priority 100;
                    gratuitous-arp-count 5;
                    interface-monitor {
                        fe-0/0/0 weight 255;
                        fe-0/0/1 weight 255;
                        fe-1/0/0 weight 255;
                        fe-1/0/1 weight 255;
                    }
                }
            }
        }
        /* Physical members: fe-0/0/x on node0, fe-1/0/x on node1, paired
         * into reth0 (ISP), reth1 (internal), reth2 (WLAN clients);
         * fe-x/0/5 carries the cluster fabric link. */
        interfaces {
            fe-0/0/0 {
                fastether-options {
                    redundant-parent reth0;
                }
            }
            fe-0/0/1 {
                fastether-options {
                    redundant-parent reth1;
                }
            }
            fe-0/0/4 {
                fastether-options {
                    redundant-parent reth2;
                }
            }
            fe-1/0/0 {
                fastether-options {
                    redundant-parent reth0;
                }
            }
            fe-1/0/1 {
                fastether-options {
                    redundant-parent reth1;
                }
            }
            fe-1/0/4 {
                fastether-options {
                    redundant-parent reth2;
                }
            }
            fab0 {
                fabric-options {
                    member-interfaces {
                        fe-0/0/5;
                    }
                }
            }
            fab1 {
                fabric-options {
                    member-interfaces {
                        fe-1/0/5;
                    }
                }
            }
            reth0 {
                description "Uplink to ISP";
                redundant-ether-options {
                    redundancy-group 1;
                }
                unit 0 {
                    family inet {
                        address 1.1.1.1/24;
                    }
                }
            }
            reth1 {
                description "Uplink to Internal Network";
                redundant-ether-options {
                    redundancy-group 1;
                }
                unit 0 {
                    family inet {
                        address 192.168.1.1/24;
                    }
                }
            }
            reth2 {
                description "Uplink to WLAN Client Network";
                redundant-ether-options {
                    redundancy-group 1;
                }
                unit 0 {
                    family inet {
                        address 192.168.10.1/25;
                    }
                }
            }
        }
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 1.1.1.2;
            }
        }
        /* Interface-based source NAT towards the ISP for both inside zones.
         * NOTE(review): the trust-to-untrust rule-set has no matching permit
         * policy (the trust->Untrust policy below is deny), so it is either
         * dead configuration or the policy is a placeholder; confirm which. */
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone Untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set wifi_Client-to-untrust {
                    from zone wlan_client;
                    to zone Untrust;
                    rule wifi-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        /* Only two inter-zone policies exist. There is no policy between
         * wlan_client and trust in either direction, so isolation of the
         * wireless clients from the internal network rests on the default
         * deny; an explicit deny-with-log policy would make that intent
         * visible and produce evidence of attempts. */
        policies {
            from-zone wlan_client to-zone Untrust {
                /* Any-to-any permit; only session-close is logged, so
                 * long-lived sessions are invisible until they end
                 * (session-init would cover that). */
                policy WLAN-to-Untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-close;
                        }
                    }
                }
            }
            from-zone trust to-zone Untrust {
                /* Unlogged deny: blocked internal->Internet traffic leaves no
                 * trace; adding log { session-init; } gives visibility. */
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            zones {
                security-zone trust {
                    interfaces {
                        reth1.0 {
                            host-inbound-traffic {
                                system-services {
                                    dhcp;
                                    ping;
                                    traceroute;
                                    ssh;
                                }
                            }
                        }
                    }
                }
                /* NOTE(review): ssh is admitted on the ISP-facing reth0.0,
                 * i.e. device management is reachable from the Internet.
                 * Unless remote management from there is intended, drop ssh
                 * here or constrain its sources with a loopback filter. */
                security-zone Untrust {
                    interfaces {
                        reth0.0 {
                            host-inbound-traffic {
                                system-services {
                                    ssh;
                                    ping;
                                    traceroute;
                                }
                            }
                        }
                    }
                }
                /* NOTE(review): "all" admits every system service from the
                 * wireless client network, the least trusted inside zone,
                 * while the other zones enumerate theirs; list the services
                 * actually needed (dhcp, ping, ...) instead. The "{" after
                 * the zone name is missing in the dump, so the interfaces
                 * block below appears at zone-list level. */
                security-zone wlan_client host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    reth2.0;
                }
            }
        }
    }