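********************************************************************************
# Excerpt of a Junos configuration that steers traffic to two uplinks with
# filter-based forwarding. Review notes are given as '#' comments.
#
# NOTE(review): 40.0.0.0/24, 11.11.11.0/24 and 172.10.1.0/24 are not RFC 1918
# ranges (10/8, 172.16/12, 192.168/16). Used as inside addressing they shadow
# real Internet destinations; confirm they are lab-only values.
interfaces {
    /* Uplink in zone ISP1 (next hop 192.168.1.1). */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.196/24;
            }
        }
    }
    /* Uplink in zone ISP2 (next hop 192.168.23.10). */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.23.11/24;
            }
        }
    }
    /* Zone PublicISP1; FILTER2 selects the forwarding instance on ingress. */
    fe-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input FILTER2;
                }
                address 192.168.100.10/24;
            }
        }
    }
    # NOTE(review): ge-0/0/2, ge-0/0/3 and fe-0/0/4 carry no address and are
    # not bound to any security zone in this excerpt; disable unused ports.
    ge-0/0/2 {
        unit 0 {
            family inet;
        }
    }
    /* Zone PublicISP2; FILTER3 selects the forwarding instance on ingress. */
    fe-0/0/3 {
        unit 0 {
            family inet {
                filter {
                    input FILTER3;
                }
                address 172.10.1.10/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/4 {
        unit 0;
    }
    /* Switched port in vlan-trust (routed through vlan.0). */
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* Zone TRUST1; FILTER0 selects the forwarding instance on ingress. */
    fe-0/0/6 {
        unit 0 {
            family inet {
                filter {
                    input FILTER0;
                }
                address 40.0.0.1/24;
            }
        }
    }
    /* Zone TRUST2; FILTER1 selects the forwarding instance on ingress. */
    fe-0/0/7 {
        unit 0 {
            family inet {
                filter {
                    input FILTER1;
                }
                address 11.11.11.1/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.40.1/24;
            }
        }
    }
}
routing-options {
    /* Copy the interface (direct) routes into both forwarding instances so
       traffic steered there by the filters can still resolve local subnets. */
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 next-hop [ 192.168.1.1 192.168.23.10 ];
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
        }
    }
}
********************************************************************************
# The nat, policies and zones stanzas below are closed by one more brace than
# this excerpt opens: the opening line of the enclosing stanza (presumably
# `security {`) is not shown.
    nat {
        /* Interface-based source NAT for TRUST1 and TRUST2 towards either
           uplink. Each rule matches only the zone's own /24, so a packet with
           any other source address is not translated by these rules. */
        source {
            rule-set trust1SNATisp1 {
                from zone TRUST1;
                to zone ISP1;
                rule trust1SourceNAT {
                    match {
                        source-address 40.0.0.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set trust1SNATisp2 {
                from zone TRUST1;
                to zone ISP2;
                rule Trust1SOURCENAT {
                    match {
                        source-address 40.0.0.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set trust2SNATisp2 {
                from zone TRUST2;
                to zone ISP2;
                rule Trust2SOURCENAT {
                    match {
                        source-address 11.11.11.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set trust2SNATisp1 {
                from zone TRUST2;
                to zone ISP1;
                rule TRUST2SourceNAT {
                    match {
                        source-address 11.11.11.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    # NOTE(review): every policy below is permit any/any/any. That includes
    # ISP1 <-> ISP2, which lets the device forward between the two uplinks,
    # and ISP1/ISP2 -> PublicISP1/PublicISP2, which admits unsolicited inbound
    # sessions. For anything beyond a lab, replace `any` with address-book
    # entries and named applications, and remove zone pairs that are not needed.
    policies {
        from-zone ISP1 to-zone ISP2 {
            # NOTE(review): the name says ISP1toISP1 but the context is
            # ISP1 -> ISP2; presumably a typo. Policy names appear in session
            # logs, so a wrong name misleads whoever reads them.
            policy ISP1toISP1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone ISP2 to-zone ISP1 {
            policy ISP2toISP1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone TRUST1 to-zone ISP1 {
            policy TRUST1toISP1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone TRUST1 to-zone ISP2 {
            policy TRUST1toISP2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone TRUST2 to-zone ISP2 {
            policy TRUST2toISP2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone TRUST2 to-zone ISP1 {
            policy TRUST2toISP1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone TRUST1 to-zone TRUST2 {
            policy TRUST1toTRUST2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone TRUST2 to-zone TRUST1 {
            policy TRUST2toTRUST1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone PublicISP1 to-zone ISP1 {
            policy PublicISP1toISP1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone ISP1 to-zone PublicISP1 {
            policy ISP1toPublicISP1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone PublicISP2 to-zone ISP2 {
            policy PublicISP2toISP2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    /* Session logging added: this was the only policy
                       without it, leaving PublicISP2 -> ISP2 sessions
                       out of the traffic log. */
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone ISP2 to-zone PublicISP2 {
            policy ISP2toPublicISP2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    # NOTE(review): every populated zone, including the uplink zones ISP1 and
    # ISP2, sets host-inbound-traffic to `all` for system services and
    # protocols. Every management service enabled on the device is then
    # reachable from those interfaces, and routing-protocol packets from them
    # are accepted. On uplink and public-facing zones, list only what is
    # required (for example `system-services { ping; }`) and keep management
    # access on a dedicated zone or interface.
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust;
        security-zone ISP1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone ISP2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone TRUST1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/6.0;
            }
        }
        security-zone TRUST2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
        security-zone PublicISP1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/2.0;
            }
        }
        security-zone PublicISP2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/3.0;
            }
        }
    }
}
# Filter-based forwarding: each input filter hands the packet to a forwarding
# routing instance chosen by source address.
#
# NOTE(review): none of the filters discards a packet. FILTER0 and FILTER1
# send sources outside the expected subnet to the other uplink's instance, and
# FILTER2 and FILTER3 accept them into the main table. Because the policies
# match `source-address any` and the NAT rules match only the expected /24, a
# spoofed source arriving on one of these segments would be forwarded
# untranslated. Consider a final `then discard` term (or source-address
# restrictions in the policies) for sources that do not belong to the segment.
firewall {
    /* Applied on fe-0/0/6 (TRUST1): 40.0.0.0/24 uses the ISP1 table. */
    filter FILTER0 {
        term TERM1 {
            from {
                source-address {
                    40.0.0.0/24;
                }
            }
            then {
                routing-instance routing-table-ISP1;
            }
        }
        term default {
            then {
                routing-instance routing-table-ISP2;
            }
        }
    }
    /* Applied on fe-0/0/7 (TRUST2): 11.11.11.0/24 uses the ISP2 table. */
    filter FILTER1 {
        term TERM1 {
            from {
                source-address {
                    11.11.11.0/24;
                }
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            then {
                routing-instance routing-table-ISP1;
            }
        }
    }
    /* Applied on fe-0/0/2 (PublicISP1): 192.168.100.0/24 uses the ISP1 table. */
    filter FILTER2 {
        term TERM1 {
            from {
                source-address {
                    192.168.100.0/24;
                }
            }
            then {
                routing-instance routing-table-ISP1;
            }
        }
        term TERM2 {
            then accept;
        }
    }
    /* Applied on fe-0/0/3 (PublicISP2): 172.10.1.0/24 uses the ISP2 table. */
    filter FILTER3 {
        term TERM1 {
            from {
                source-address {
                    172.10.1.0/24;
                }
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term TERM2 {
            then accept;
        }
    }
}
/* One forwarding instance per uplink. Each default route lists the other
   uplink as a qualified next hop with preference 10, which is less preferred
   than the static-route default of 5, so it acts as the fallback. */
routing-instances {
    routing-table-ISP1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 192.168.1.1;
                    qualified-next-hop 192.168.23.10 {
                        preference 10;
                    }
                }
            }
        }
    }
    routing-table-ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 192.168.23.10;
                    qualified-next-hop 192.168.1.1 {
                        preference 10;
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}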