version 13.3R4.6;
groups {
    re0 {
        system {
            host-name MX104-RE0;
        }
        interfaces {
            fxp0 {
                description "-- out-of-band management interface";
                unit 0 {
                    family inet {
                        address 192.168.3.74/24;
                    }
                }
            }
        }
    }
    re1 {
        system {
            host-name MX104-RE1;
        }
        interfaces {
            fxp0 {
                description "-- out-of-band management interface";
                unit 0 {
                    family inet {
                        address 192.168.3.75/24;
                    }
                }
            }
        }
    }
    interface-standard {
        interfaces {
            <*> {
                mtu 9100;
                hold-time up 1000 down 0;
                gigether-options {
                    no-flow-control;
                }
            }
        }
    }
}
apply-groups [ re0 re1 ];
dynamic-profiles {
    IP-DHCP-PROFILE-2 {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            $junos-subscriber-ip-address;
                        }
                        unnumbered-address lo0.0 preferred-source-address 192.168.0.1;
                    }
                }
            }
        }
    }
    VLAN-PROFILE-2 {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    description "-- Service IFL";
                    demux-source inet;
                    vlan-id "$junos-vlan-id";
                    family inet {
                        unnumbered-address lo0.0 preferred-source-address 192.168.0.1;
                    }
                }
            }
        }
    }
    REDIRECT {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    family inet {
                        filter {
                            input REDIRECT-IN precedence 50;
                        }
                    }
                }
            }
        }
        firewall {
            family inet {
                filter REDIRECT-IN {
                    interface-specific;
                    term SERVICE-FILTER-HIT {
                        from {
                            service-filter-hit;
                        }
                        then {
                            count SERVICE-FILTER-HIT;
                            accept;
                        }
                    }
                    term PORTAL {
                        from {
                            destination-address {
                                192.168.12.2/32;
                            }
                            protocol tcp;
                            destination-port 80;
                        }
                        then {
                            count PORTAL;
                            service-filter-hit;
                            accept;
                        }
                    }
                    term REDIRECT-HTTP {
                        from {
                            protocol tcp;
                            destination-port 80;
                        }
                        then {
                            count REDIRECT-HTTP;
                            service-filter-hit;
                            routing-instance REDIRECT-SERVER;
                        }
                    }
                    term default {
                        then accept;
                    }
                }
            }
        }
    }
}
system {
    time-zone Europe/Moscow;
    arp {
        aging-timer 240;
        purging;
        gratuitous-arp-on-ifup;
        gratuitous-arp-delay 3;
    }
    root-authentication {
        encrypted-password "$1$UVQ1EG6U$tqUwtI0IcS4PueWRlSKlD."; ## SECRET-DATA
    }
    dynamic-profile-options {
        versioning;
    }
    login {
        user va {
            full-name "-- Vladislav Abramov @Juniper";
            uid 2003;
            class super-user;
            authentication {
                encrypted-password "$1$sUJQDKAW$p8i2/fpLPFX9pSRoK11Ff1"; ## SECRET-DATA
            }
        }
        user warrior {
            full-name "-- Matvey Alexandrov @Juniper";
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$1$uhOE97qw$oYrsgslCll5p/gtJtJsIt1"; ## SECRET-DATA
            }
        }
    }
    services {
        ftp;
        ssh;
        telnet;
        dhcp-local-server {
            pool-match-order {
                ip-address-first;
            }
            authentication {
                password 123;
                username-include {
                    mac-address;
                }
            }
            group 1 {
                dynamic-profile IP-DHCP-PROFILE-2;
                interface xe-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
            interactive-commands none;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    commit synchronize;
}
chassis {
    redundancy {
        graceful-switchover;
    }
    alarm {
        management-ethernet {
            link-down ignore;
        }
        ethernet {
            link-down ignore;
        }
    }
    network-services enhanced-ip;
}
access-profile AP1;
interfaces {
    xe-0/0/0 {
        apply-groups interface-standard;
        description "-- L2 access network";
        flexible-vlan-tagging;
        auto-configure {
            vlan-ranges {
                dynamic-profile VLAN-PROFILE-2 {
                    accept dhcp-v4;
                    ranges {
                        any;
                    }
                }
            }
            inactive: remove-when-no-subscribers;
        }
        encapsulation flexible-ethernet-services;
    }
    ge-1/0/0 {
        apply-groups interface-standard;
        description "-- TG 10/12";
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
    }
    ge-1/0/5 {
        apply-groups interface-standard;
        description "-- EX4300-48T 0/0/43";
        vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 12 {
            description "-- Internet GW";
            vlan-id 12;
            family inet {
                address 192.168.12.1/24;
            }
        }
        unit 13 {
            description "-- Redirect Server (Virtual Router)";
            vlan-id 13;
            family inet {
                address 192.168.13.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            description "-- loopback";
            family inet {
                address 3.3.3.3/32 {
                    primary;
                }
                address 192.168.0.1/32;
            }
            family iso {
                address 49.0001.0030.0300.3003.00;
            }
        }
    }
}
routing-options {
    static {
        /* -- to Radius server */
        route 172.17.0.20/32 {
            next-hop 192.168.3.3;
            no-readvertise;
        }
    }
    router-id 3.3.3.3;
    forwarding-table {
        export pp-balance;
    }
}
protocols {
    lldp {
        interface all;
    }
}
policy-options {
    policy-statement nhs {
        term 1 {
            then {
                next-hop self;
            }
        }
    }
    policy-statement pp-balance {
        then {
            load-balance per-packet;
        }
    }
}
access {
    radius-server {
        172.17.0.20 {
            port 1812;
            accounting-port 1813;
            secret "$9$aVUkPF39pu1FntOBIle"; ## SECRET-DATA
            timeout 5;
            retry 3;
            max-outstanding-requests 100;
        }
    }
    profile AP1 {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 172.17.0.20;
            accounting-server 172.17.0.20;
            options {
                nas-port-id-delimiter :;
                calling-station-id-delimiter :;
                calling-station-id-format {
                    nas-identifier;
                    interface-description;
                }
                accounting-session-id-format decimal;
                coa-dynamic-variable-validation;
            }
        }
        accounting {
            order radius;
            immediate-update;
            coa-immediate-update;
            update-interval 10;
            statistics volume-time;
        }
    }
    address-assignment {
        pool Pool-1 {
            family inet {
                network 192.168.0.0/24;
                range Range-1 {
                    low 192.168.0.101;
                    high 192.168.0.200;
                }
                dhcp-attributes {
                    maximum-lease-time 3600;
                    domain-name matvey.juniper.net;
                    name-server {
                        77.88.8.1;
                    }
                    router {
                        192.168.0.1;
                    }
                }
            }
        }
    }
    report-interface-descriptions;
}
routing-instances {
    REDIRECT-SERVER {
        instance-type virtual-router;
        interface ge-1/0/5.13;
        routing-options {
            static {
                /* -- route to Redirect Server */
                route 0.0.0.0/0 {
                    next-hop 192.168.13.2;
                    no-readvertise;
                }
                /* -- route to subscribers, for return traffic */
                route 192.168.0.0/24 {
                    next-table inet.0;
                    no-readvertise;
                }
            }
        }
    }
}
