/* Junos release this configuration was saved on.
   NOTE(review): 12.3 is an old release train; confirm it is still inside the
   vendor's security-fix window before reusing this file as a template. */
version 12.3R6.6;
/* Subscriber-management templates. The predefined $junos-* variables are
   substituted per subscriber session; RATE-LIMIT also declares its own
   user-defined variables. */
dynamic-profiles {
    /* PPPoE subscribers: one pp0 unit per session, IPv4 unnumbered to the
       loopback, an IPv6 address, and router advertisements for the NDRA prefix. */
    PPPoE {
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    /* NOTE(review): both CHAP and PAP are offered. PAP carries the
                       subscriber password in clear text on the access link; keep it
                       only if CPE that cannot do CHAP has to be supported. */
                    ppp-options {
                        chap;
                        pap;
                    }
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    keepalives interval 10;
                    family inet {
                        /* Filter is defined under firewall family inet; it sends
                           everything except traffic to 1.1.1.1 into routing-instance
                           INSIDE for NAT. */
                        filter {
                            input divert-to-nat-PPPoE-L2TP precedence 100;
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                    /* NOTE(review): no input filter is attached to family inet6 in
                       this profile, so IPv6 subscriber traffic is unfiltered here --
                       confirm that is intended. */
                    family inet6 {
                        address $junos-ipv6-address;
                    }
                }
            }
        }
        protocols {
            router-advertisement {
                interface "$junos-interface-name" {
                    max-advertisement-interval 60;
                    min-advertisement-interval 10;
                    default-lifetime 3600;
                    prefix $junos-ipv6-ndra-prefix;
                }
            }
        }
    }
    /* DHCP (IPoE) subscribers: one demux0 unit per subscriber address, selected
       by system services dhcp-local-server group 1. */
    IPoE-DHCP {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            $junos-subscriber-ip-address;
                        }
                        /* Filter is defined under firewall family inet; see the
                           review notes on its DHCP and LOCAL terms there. */
                        filter {
                            input divert-to-nat-IPoE precedence 100;
                        }
                        unnumbered-address lo0.0 preferred-source-address 192.168.202.1;
                    }
                }
            }
        }
    }
    /* Per-subscriber rate limiting. Builds an input filter, an output filter and
       a policer whose names are all derived from the bandwidth value. */
    RATE-LIMIT {
        /* var-interface and var-bw have no default and must be supplied by
           whatever activates this profile (presumably a RADIUS/CoA service
           activation -- confirm). var-burst is computed as round(var-bw/8). */
        variables {
            var-interface mandatory;
            var-bw mandatory;
            var-burst equals "round($var-bw/8)";
            var-ff-in equals "'ff-in-' ## $var-bw";
            var-ff-out equals "'ff-out-' ## $var-bw";
            var-plr equals "'plr-' ## $var-bw";
        }
        /* NOTE(review): only family inet gets the policing filters; IPv6 traffic
           on the same unit is not rate limited by this profile. */
        interfaces {
            "$var-interface" {
                unit "$junos-interface-unit" {
                    family inet {
                        filter {
                            input "$var-ff-in" precedence 50;
                            output "$var-ff-out" precedence 50;
                        }
                    }
                }
            }
        }
        firewall {
            family inet {
                /* Single unconditional term: police, then accept. */
                filter "$var-ff-in" {
                    interface-specific;
                    term 1 {
                        then {
                            policer "$var-plr";
                            accept;
                        }
                    }
                }
                /* Same shape as the input filter, applied on output. */
                filter "$var-ff-out" {
                    interface-specific;
                    term 1 {
                        then {
                            policer "$var-plr";
                            accept;
                        }
                    }
                }
            }
            /* Traffic above bandwidth-limit/burst-size-limit is discarded. Both
               filters reference this one policer. */
            policer "$var-plr" {
                logical-interface-policer;
                if-exceeding {
                    bandwidth-limit "$var-bw";
                    burst-size-limit "$var-burst";
                }
                then discard;
            }
        }
    }
    /* L2TP LNS sessions, referenced by services l2tp tunnel-group-1. Installs an
       access-internal route per subscriber address. */
    L2TP {
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
                routing-options {
                    access-internal {
                        route $junos-subscriber-ip-address {
                            qualified-next-hop "$junos-interface-name";
                        }
                    }
                }
            }
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    dial-options {
                        l2tp-interface-id l2tp-encapsulation;
                        dedicated;
                    }
                    family inet {
                        /* Same diversion filter as the PPPoE profile. */
                        filter {
                            input divert-to-nat-PPPoE-L2TP precedence 100;
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
    }
    /* Auto-configured VLAN for the IPoE access VLAN; referenced by
       interfaces xe-1/2/0 auto-configure vlan-ranges (range 202-202).
       NOTE(review): neither address family carries a filter in this profile;
       any filtering happens only on the demux0 unit stacked on top by the
       IPoE-DHCP profile. Confirm nothing can use this VLAN unit directly. */
    VLAN-DEMUX-202 {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    demux-source inet;
                    vlan-id "$junos-vlan-id";
                    family inet {
                        unnumbered-address lo0.0 preferred-source-address 192.168.202.1;
                    }
                    family inet6 {
                        address $junos-ipv6-address;
                    }
                }
            }
        }
        protocols {
            router-advertisement {
                interface "$junos-interface-name" {
                    max-advertisement-interval 60;
                    min-advertisement-interval 10;
                    default-lifetime 3600;
                    prefix $junos-ipv6-ndra-prefix;
                }
            }
        }
    }
}
/* Device identity, local accounts, management services, the local DHCP server
   for IPoE subscribers, and syslog. */
system {
    host-name MX480;
    /* NOTE(review): the $1$ prefix marks an MD5-crypt hash. This hash has been
       shared along with the file, so treat the root credential as exposed and
       rotate it; select a stronger hash format under system login password if
       the release offers one. */
    root-authentication {
        encrypted-password "$1$am29UvIB$o7sjSsMNi3MSasBD8z5ui1"; ## SECRET-DATA
    }
    dynamic-profile-options {
        versioning;
    }
    login {
        /* NOTE(review): single local account with class super-user and an
           MD5-crypt hash; the same exposure applies as for root. No other login
           class or remote authentication is defined in this section. */
        user warrior {
            uid 2005;
            class super-user;
            authentication {
                encrypted-password "$1$F/hYxupX$HLSjwJ8tvROZRzw6qi4AF/"; ## SECRET-DATA
            }
        }
    }
    services {
        /* NOTE(review): telnet is the only management service enabled here and it
           carries credentials and session data in clear text. Enable ssh and
           remove this statement. */
        telnet;
        dhcp-local-server {
            pool-match-order {
                ip-address-first;
            }
            /* The subscriber username is built from the client MAC address and
               the password is the fixed string 123.
               NOTE(review): the MAC is supplied by the client, so this identifies
               a subscriber rather than authenticating one. If a static password
               has to stay, use a long random value known only to the RADIUS
               server. */
            authentication {
                password 123;
                username-include {
                    mac-address;
                }
            }
            group 1 {
                dynamic-profile IPoE-DHCP;
                interface xe-1/2/0.0;
            }
        }
    }
    /* NOTE(review): all destinations are local (logged-in users and two files);
       no remote host is configured, so the audit trail exists only on the
       router. Add a remote syslog host so logs survive loss or compromise of
       the device. */
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
            interactive-commands none;
        }
        /* CLI command audit log, kept separate from messages. */
        file interactive-commands {
            interactive-commands any;
        }
    }
}
/* Hardware service allocation: inline services on FPC 1 (used by si-1/0/0),
   adaptive services on FPC 5 for NAT (pic 0) and the captive-portal package
   (pic 1). */
chassis {
    fpc 1 {
        pic 0 {
            inline-services {
                bandwidth 1g;
            }
        }
    }
    fpc 5 {
        pic 0 {
            adaptive-services {
                service-package layer-3;
            }
        }
        pic 1 {
            adaptive-services {
                service-package {
                    /* Loads the jservices-cpcd package that backs
                       services captive-portal-content-delivery. */
                    extension-provider {
                        control-cores 1;
                        data-cores 7;
                        object-cache-size 1024;
                        policy-db-size 64;
                        package jservices-cpcd;
                        syslog {
                            daemon any;
                            external any;
                        }
                    }
                }
            }
        }
    }
    network-services enhanced-ip;
}
/* Service-plane configuration: HTTP redirect (captive portal), carrier-grade
   NAT, and the L2TP LNS tunnel group. */
services {
    captive-portal-content-delivery {
        rule redirect-rule {
            match-direction input;
            term 1 {
                then {
                    /* NOTE(review): the redirect target is plain HTTP. The query
                       string "?=%dest-url%" has no parameter name before "=";
                       verify the portal really receives the original URL, and
                       that it validates that value before sending the user
                       onward. */
                    redirect "http://10.10.209.2:80?=%dest-url%";
                }
            }
        }
        profile my-redirect {
            cpcd-rules redirect-rule;
        }
        /* NOTE(review): flag all with a world-readable file lets every local
           account read the full redirect trace, which may include subscriber
           URLs. Use no-world-readable and narrow the flags outside of active
           debugging. */
        traceoptions {
            file cpcd.log size 1m files 2 world-readable;
            flag all;
        }
    }
    /* Next-hop style NAT service set; sp-5/0/0.10 is the inside leg placed in
       routing-instance INSIDE, sp-5/0/0.20 the outside leg.
       NOTE(review): no translation logging is configured in this service set;
       if NAT sessions must be attributable to subscribers, confirm where that
       is recorded. */
    service-set NAT-SERVICE {
        nat-rules nat-rule-1;
        next-hop-service {
            inside-service-interface sp-5/0/0.10;
            outside-service-interface sp-5/0/0.20;
        }
    }
    /* Interface-style service set applied on xe-1/2/0 unit 205. */
    service-set sset-redirect {
        captive-portal-content-delivery-profile my-redirect;
        interface-service {
            service-interface ms-5/1/0;
        }
    }
    nat {
        /* All subscribers share one public address with automatic port
           allocation. */
        pool public-ipv4-pool {
            address 195.34.49.110/32;
            port {
                automatic;
            }
        }
        /* Only sources in 192.168.200.0/22 are translated (napt-44). The
           diversion filters send every non-local packet to INSIDE regardless of
           source, so confirm what happens to packets with other source
           addresses. */
        rule nat-rule-1 {
            match-direction input;
            term 1 {
                from {
                    source-address {
                        192.168.200.0/22;
                    }
                }
                then {
                    translated {
                        source-pool public-ipv4-pool;
                        translation-type {
                            napt-44;
                        }
                    }
                }
            }
        }
    }
    l2tp {
        /* LNS endpoint on the loopback address; sessions use dynamic-profile
           L2TP and the client definition in access profile l2tp-lns-profile. */
        tunnel-group tunnel-group-1 {
            l2tp-access-profile l2tp-lns-profile;
            local-gateway {
                address 1.1.1.1;
            }
            service-interface si-1/0/0;
            dynamic-profile L2TP;
        }
    }
}
/* Global default access profile; Access-Profile-1 is defined under the access
   stanza (RADIUS authentication and accounting). */
access-profile Access-Profile-1;
/* Physical and logical interfaces. xe-1/2/0 carries the uplink, server VLANs
   and all subscriber access VLANs as separate units. */
interfaces {
    xe-0/0/0 {
        description "-- iXia";
        mtu 9192;
        gigether-options {
            no-flow-control;
        }
    }
    si-1/0/0 {
        description "-- Inline service for L2TP";
        hierarchical-scheduler maximum-hierarchy-levels 2;
        encapsulation generic-services;
        unit 0 {
            family inet;
        }
    }
    xe-1/2/0 {
        description "-- Cisco L2 Te1/3";
        flexible-vlan-tagging;
        /* VLAN 202 is created on demand from DHCPv4 packets using profile
           VLAN-DEMUX-202 and removed when the last subscriber leaves. */
        auto-configure {
            vlan-ranges {
                dynamic-profile VLAN-DEMUX-202 {
                    accept dhcp-v4;
                    ranges {
                        202-202;
                    }
                }
            }
            remove-when-no-subscribers;
        }
        mtu 9192;
        encapsulation flexible-ethernet-services;
        gigether-options {
            no-flow-control;
        }
        /* Uplink: static ARP entry for the next hop 10.99.99.97 and restricted
           proxy ARP. NOTE(review): no input filter is applied on the
           internet-facing unit. */
        unit 106 {
            description "-- Internet Uplink";
            proxy-arp restricted;
            vlan-id 106;
            family inet {
                address 10.99.99.110/28 {
                    arp 10.99.99.97 mac 00:18:74:2f:73:c0;
                }
                inactive: address 195.34.49.110/28;
            }
        }
        unit 110 {
            description "-- L3 connected";
            vlan-id 110;
            family inet {
                address 192.168.0.2/24;
            }
        }
        unit 111 {
            description "-- Radius Proxy";
            vlan-id 111;
            family inet {
                address 192.168.2.2/24;
            }
        }
        /* PPPoE access VLAN; sessions are instantiated from dynamic-profile
           PPPoE, capped at 32000, with duplicate-protection enabled. */
        unit 201 {
            description "-- PPPoE access";
            vlan-id 201;
            family pppoe {
                access-concentrator MX480;
                duplicate-protection;
                dynamic-profile PPPoE;
                max-sessions 32000;
            }
        }
        unit 203 {
            description "-- L2TP access";
            vlan-id 203;
            family inet {
                address 10.10.203.1/24;
            }
        }
        unit 204 {
            vlan-id 204;
            family inet {
                address 10.10.204.1/24;
            }
        }
        /* HTTP redirect test VLAN: input goes through service-filter walled,
           output through service-filter skip. NOTE(review): no firewall filter
           is applied on this unit, so only what the service filter redirects is
           affected. */
        unit 205 {
            description "-- test static client";
            vlan-id 205;
            family inet {
                service {
                    input {
                        service-set sset-redirect service-filter walled;
                    }
                    output {
                        service-set sset-redirect service-filter skip;
                    }
                }
                address 10.10.205.1/24;
            }
        }
        unit 206 {
            vlan-id 206;
            family inet {
                address 10.10.206.1/24;
            }
        }
        unit 207 {
            vlan-id 207;
            family inet {
                address 10.10.207.1/24;
            }
        }
        unit 208 {
            description "-- WEB Portal";
            vlan-id 208;
            family inet {
                address 10.10.208.1/24;
            }
        }
        /* 10.10.209.2 on this VLAN is both the RADIUS server and the
           captive-portal redirect target elsewhere in this configuration. */
        unit 209 {
            description "-- FreeBSD Server (VM)";
            vlan-id 209;
            family inet {
                address 10.10.209.1/24;
            }
        }
        unit 210 {
            vlan-id 210;
            family inet {
                address 10.10.210.1/24;
            }
        }
    }
    xe-1/2/1 {
        disable;
    }
    xe-1/3/0 {
        disable;
    }
    xe-1/3/1 {
        disable;
    }
    sp-5/0/0 {
        description "-- Service interface for NAT";
        services-options {
            cgn-pic;
        }
        unit 10 {
            family inet;
            service-domain inside;
        }
        unit 20 {
            family inet;
            service-domain outside;
        }
    }
    ms-5/1/0 {
        description "-- Service interface for HTTP redirect";
        unit 0 {
            family inet;
        }
    }
    /* Out-of-band management port. NOTE(review): no filter is applied here
       either; with telnet enabled, restrict which sources may reach it. */
    fxp0 {
        description "-- management";
        unit 0 {
            family inet {
                address 10.10.0.2/24;
            }
        }
    }
    /* NOTE(review): lo0 has no input filter, so nothing in this configuration
       limits traffic addressed to the routing engine on any interface. Add a
       protect-RE filter that permits only the required management and control
       protocols from known sources.
       NOTE(review): 1.1.1.1 is a publicly routed address that this network
       presumably does not own -- confirm, and prefer an address from your own
       or private space for the loopback and L2TP gateway. */
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.1/32 {
                    primary;
                    preferred;
                }
                address 192.168.202.1/32;
            }
        }
    }
}
/* Load-balancing hash for layer-3 services traffic is keyed on the source
   address. */
forwarding-options {
    enhanced-hash-key {
        services-loadbalancing {
            family inet {
                layer-3-services {
                    source-address;
                }
            }
        }
    }
}
/* Main-table static routing: 172.16.1.0/24 via 192.168.0.1 and a default route
   via the uplink next hop 10.99.99.97; neither is readvertised. The lb policy
   is exported to the forwarding table. */
routing-options {
    static {
        route 172.16.1.0/24 {
            next-hop 192.168.0.1;
            no-readvertise;
        }
        route 0.0.0.0/0 {
            next-hop 10.99.99.97;
            no-readvertise;
        }
    }
    forwarding-table {
        export lb;
    }
}
/* Forwarding-table export policy with a single unconditional action.
   NOTE(review): on this class of hardware the per-packet keyword is generally
   understood to give per-flow hashing -- confirm for this platform. */
policy-options {
    policy-statement lb {
        then {
            load-balance per-packet;
        }
    }
}
/* Static filters: two subscriber input filters that divert traffic into
   routing-instance INSIDE for NAT, and two service filters used by the HTTP
   redirect service set. */
firewall {
    family inet {
        /* Applied as input filter by dynamic-profile IPoE-DHCP. */
        filter divert-to-nat-IPoE {
            interface-specific;
            /* NOTE(review): this term matches on UDP source port bootpc only.
               With no destination-port or destination-address condition it
               accepts more than DHCP client requests and lets that traffic skip
               the NAT diversion. Consider adding "destination-port bootps;". */
            term DHCP {
                from {
                    protocol udp;
                    source-port bootpc;
                }
                then {
                    count dhcp-counter;
                    accept;
                }
            }
            /* NOTE(review): accepts every protocol from the subscriber subnet to
               the router's own address 192.168.202.1. lo0 carries no input
               filter and telnet is enabled, so this term is the only place that
               could limit what subscribers reach on the routing engine.
               Restrict it to the protocols subscribers actually need. */
            term LOCAL {
                from {
                    source-address {
                        192.168.202.0/24;
                    }
                    destination-address {
                        192.168.202.1/32;
                    }
                }
                then {
                    count local-counter;
                    accept;
                }
            }
            /* Catch-all: no match conditions, so every remaining packet, from
               any source address, is handed to routing-instance INSIDE. */
            term NAT {
                then {
                    count nat-counter;
                    routing-instance INSIDE;
                }
            }
        }
        /* Applied as input filter by dynamic-profiles PPPoE and L2TP. */
        filter divert-to-nat-PPPoE-L2TP {
            interface-specific;
            /* NOTE(review): same concern as in divert-to-nat-IPoE -- all
               protocols from 192.168.201.0/24 to the loopback address 1.1.1.1
               are accepted. */
            term LOCAL {
                from {
                    source-address {
                        192.168.201.0/24;
                    }
                    destination-address {
                        1.1.1.1/32;
                    }
                }
                then {
                    count local-counter;
                    accept;
                }
            }
            /* Catch-all diversion into INSIDE, no source-address condition. */
            term NAT {
                then {
                    count nat-counter;
                    routing-instance INSIDE;
                }
            }
        }
        /* Input service filter for sset-redirect on xe-1/2/0 unit 205.
           NOTE(review): despite the name, only TCP port 80 is sent to the
           redirect service; traffic to the portal and all other traffic is
           skipped, i.e. it bypasses the service and is forwarded normally
           unless something outside this file blocks it. Confirm that this
           matches the intended walled-garden behaviour. */
        service-filter walled {
            term portal {
                from {
                    destination-address {
                        10.10.209.2/32;
                    }
                }
                then {
                    count portal-counter;
                    skip;
                }
            }
            term redirect {
                from {
                    protocol tcp;
                    destination-port 80;
                }
                then {
                    count redirect-counter;
                    service;
                }
            }
            term skip {
                then {
                    count skip-counter;
                    skip;
                }
            }
        }
        /* Output service filter for sset-redirect: nothing is serviced. */
        service-filter skip {
            term 1 {
                then skip;
            }
        }
    }
}
/* AAA and address assignment: PPP defaults for L2TP users, the RADIUS access
   profile, the L2TP LNS client profile, and the local address pools. */
access {
    /* NOTE(review): PAP is offered alongside CHAP for L2TP users as well; see
       the same note on dynamic-profile PPPoE. */
    group-profile ce-l2tp-group-profile {
        ppp {
            idle-timeout 3600;
            ppp-options {
                pap;
                chap;
            }
            keepalive 30;
        }
    }
    /* RADIUS-only authentication and accounting against a single server,
       10.10.209.2, with no fallback method in authentication-order. */
    profile Access-Profile-1 {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 10.10.209.2;
            accounting-server 10.10.209.2;
            options {
                nas-port-id-delimiter :;
                accounting-session-id-format decimal;
                revert-interval 60;
                client-authentication-algorithm round-robin;
                client-accounting-algorithm direct;
                coa-dynamic-variable-validation;
            }
        }
        radius-server {
            /* NOTE(review): the $9$ form is a reversible obfuscation, not a
               hash. The shared secret has been shared along with the file, so
               treat it as exposed and replace it on both the router and the
               RADIUS server. */
            10.10.209.2 {
                secret "$9$45Zi.Qz6AtOQFCu0Byr"; ## SECRET-DATA
                timeout 2;
                retry 3;
                max-outstanding-requests 200;
                source-address 10.10.209.1;
            }
        }
        accounting {
            order radius;
            immediate-update;
            coa-immediate-update;
            update-interval 10;
            statistics volume-time;
        }
    }
    /* Used by services l2tp tunnel-group-1.
       NOTE(review): the only client entry is "default" and it has no
       shared-secret, so no tunnel authentication is configured here. Presumably
       any LAC that can reach the local gateway matches this entry -- confirm,
       then define named clients with a shared-secret or restrict which peers
       can reach the LNS address. */
    profile l2tp-lns-profile {
        client default {
            l2tp {
                maximum-sessions-per-tunnel 10;
                interface-id l2tp-encapsulation;
                lcp-renegotiation;
            }
            user-group-profile ce-l2tp-group-profile;
        }
    }
    address-assignment {
        neighbor-discovery-router-advertisement ipv6-NDRA-pool;
        /* Both IPv4 pools fall inside 192.168.200.0/22, the only source range
           nat-rule-1 translates. */
        pool ipv4-PPPoE-L2TP-pool {
            family inet {
                network 192.168.201.0/24;
                range R201 {
                    low 192.168.201.2;
                    high 192.168.201.254;
                }
                xauth-attributes {
                    primary-dns 8.8.8.8/32;
                    secondary-dns 8.8.4.4/32;
                }
            }
        }
        pool ipv4-IPoE-pool {
            family inet {
                network 192.168.202.0/24;
                range R202 {
                    low 192.168.202.2;
                    high 192.168.202.254;
                }
                dhcp-attributes {
                    maximum-lease-time 3600;
                    name-server {
                        8.8.4.4;
                    }
                    router {
                        192.168.202.1;
                    }
                }
            }
        }
        /* NOTE(review): 2001:aaaa::/32 looks like a lab placeholder rather than
           an allocation this network holds -- confirm before any production
           use. */
        pool ipv6-NDRA-pool {
            family inet6 {
                prefix 2001:aaaa::/32;
                range R6 prefix-length 64;
            }
        }
    }
    address-protection;
    /* Caps the rate of requests sent to RADIUS at 500. */
    radius-options {
        request-rate 500;
    }
}
/* NAT inside domain. The subscriber diversion filters send traffic into this
   virtual router; its default route points at the inside service interface
   sp-5/0/0.10, and 192.168.200.0/22 is resolved back through inet.0. */
routing-instances {
    INSIDE {
        instance-type virtual-router;
        interface sp-5/0/0.10;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop sp-5/0/0.10;
                route 192.168.200.0/22 next-table inet.0;
            }
        }
    }
}
