Diffstat (limited to 'examples/tg23/templates/natfw1.tele.conf')
-rw-r--r--examples/tg23/templates/natfw1.tele.conf610
1 files changed, 610 insertions, 0 deletions
diff --git a/examples/tg23/templates/natfw1.tele.conf b/examples/tg23/templates/natfw1.tele.conf
new file mode 100644
index 0000000..35dd635
--- /dev/null
+++ b/examples/tg23/templates/natfw1.tele.conf
@@ -0,0 +1,610 @@
+{# Query parameters: ?switch=e1-1 #}
+
+{%- if options["switch"] %}
+{%- set switch_name = options["switch"] %}
+
+{%- import "vars-natfw1.tele.conf" as v with context %}
+
+{# holds the management prefixes, used for statefull firewall policies #}
+{%- import "vars-mgmt-nets.conf" as mgmt_nets -%}
+
+
+{# Add management nets to address-book #}
+security {
+ address-book {
+ global {
+ {% for address_family in mgmt_nets %}
+ {% for net, annotation in address_family %}
+ address NET-MGMT-{{ net }} {
+ {{ net }};
+ description "{{ annotation }}";
+ }
+ {% endfor %}
+ {% endfor %}
+
+ address-set GRP-MGMT {
+ {% for address_family in mgmt_nets %}
+ {% for net, annotation in address_family %}
+ address NET-MGMT-{{ net }};
+ {% endfor %}
+ {% endfor %}
+ }
+ }
+ }
+}
+
+groups {
+ node0 {
+ system {
+ host-name node0-natfw1.tele;
+ }
+ }
+ node1 {
+ system {
+ host-name node1-natfw1.tele;
+ }
+ }
+ log-session-init-close {
+ security {
+ policies {
+ from-zone <*> to-zone <*> {
+ policy <*> {
+ then {
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+apply-groups "${node}";
+
+
+chassis {
+ cluster {
+ control-link-recovery;
+ reth-count 1;
+ redundancy-group 0 {
+ node 0 priority 100;
+ node 1 priority 1;
+ }
+ redundancy-group 1 {
+ node 0 priority 100;
+ node 1 priority 1;
+ preempt {
+ delay 300;
+ }
+ interface-monitor {
+ et-1/0/0 weight 255;
+ et-8/0/0 weight 255;
+ }
+ }
+ }
+}
+
+security {
+ nat {
+ source {
+ pool NAT-WIFI-POOL {
+ address {
+ 185.110.150.0/25;
+ }
+ }
+ pool NAT-LAN-POOL {
+ address {
+ 185.110.150.128/25;
+ }
+ }
+ rule-set NAT-WIFI-TO-INET {
+ from zone NAT-WIFI;
+ to zone INET;
+ rule NAT-WIFI-TO-INET-RULE {
+ match {
+ source-address 0.0.0.0/0;
+ destination-address 0.0.0.0/0;
+ application any;
+ }
+ then {
+ source-nat {
+ pool {
+ NAT-WIFI-POOL;
+ }
+ }
+ }
+ }
+ }
+ rule-set NAT-LAN-TO-INET {
+ from zone NAT-LAN;
+ to zone INET;
+ rule NAT-LAN-TO-INET-RULE {
+ match {
+ source-address 0.0.0.0/0;
+ destination-address 0.0.0.0/0;
+ application any;
+ }
+ then {
+ source-nat {
+ pool {
+ NAT-LAN-POOL;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ apply-groups log-session-init-close;
+ from-zone NAT-WIFI to-zone INET {
+ policy YESMAN {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone NAT-LAN to-zone INET {
+ policy YESMAN {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone INET to-zone NAT-LAN {
+ policy YESMAN {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone INET to-zone NAT-WIFI {
+ policy YESMAN {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone NAT-LAN to-zone NAT-WIFI {
+ policy YESMAN {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone NAT-WIFI to-zone NAT-LAN {
+ policy YESMAN {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ /* Fordi ellers naar man ikke lo0 fra internetttttz */
+ from-zone INET to-zone LOOPBACK {
+ policy YESMAN {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ global {
+ policy PING {
+ match {
+ source-address any;
+ destination-address any;
+ application junos-ping;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone INET {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ ssh;
+ netconf;
+ }
+ protocols {
+ ospf3;
+ }
+ }
+ interfaces {
+ reth0.10;
+ }
+ }
+ security-zone NAT-WIFI {
+ host-inbound-traffic {
+ system-services {
+ ssh;
+ netconf;
+ ping;
+ traceroute;
+ }
+ protocols {
+ ospf3;
+ }
+ }
+ interfaces {
+ reth0.20;
+ }
+ }
+ security-zone NAT-LAN {
+ host-inbound-traffic {
+ system-services {
+ ssh;
+ ping;
+ netconf;
+ traceroute;
+ }
+ protocols {
+ ospf3;
+ }
+ }
+ interfaces {
+ reth0.30;
+ }
+ }
+ security-zone LOOPBACK {
+ host-inbound-traffic {
+ system-services {
+ ssh;
+ netconf;
+ ping;
+ snmp;
+ }
+ }
+ interfaces {
+ lo0.0;
+ }
+ }
+ }
+}
+interfaces {
+ xe-0/0/2 {
+ description "X: fab0";
+ }
+ xe-0/0/3 {
+ description "X: fab0";
+ }
+ et-1/0/0 {
+ description "G: r1.tele et-4/1/0 (reth0)";
+ gigether-options {
+ redundant-parent reth0;
+ }
+ }
+ xe-7/0/2 {
+ description "X: fab1";
+ }
+ xe-7/0/3 {
+ description "X: fab1";
+ }
+ et-8/0/0 {
+ description "G: r1.tele et-5/1/0 (reth0)";
+ gigether-options {
+ redundant-parent reth0;
+ }
+ }
+ fab0 {
+ fabric-options {
+ member-interfaces {
+ xe-0/0/2;
+ xe-0/0/3;
+ }
+ }
+ }
+ fab1 {
+ fabric-options {
+ member-interfaces {
+ xe-7/0/2;
+ xe-7/0/3;
+ }
+ }
+ }
+ lo0 {
+ description "X: Loopback";
+ unit 0 {
+ family inet {
+ address 127.0.0.1/32;
+ address 185.110.148.2/32 {
+ primary;
+ }
+ }
+ family inet6 {
+ address ::1/128;
+ address 2a06:5841:f:a::2/128 {
+ primary;
+ }
+ }
+ }
+ }
+ reth0 {
+ description "B: r1.tele ae5";
+ vlan-tagging;
+ redundant-ether-options {
+ redundancy-group 1;
+ lacp {
+ active;
+ periodic fast;
+ }
+ }
+ unit 10 {
+ description INET;
+ vlan-id 10;
+ family inet {
+ address 185.110.148.163/31;
+ }
+ family inet6 {
+ address 2a06:5841:f:101::1/127;
+ }
+ }
+ unit 20 {
+ description NAT-WIFI;
+ vlan-id 20;
+ family inet {
+ address 185.110.148.165/31;
+ }
+ family inet6 {
+ address 2a06:5841:f:101::3/127;
+ }
+ }
+ unit 30 {
+ description NAT-LAN;
+ vlan-id 30;
+ family inet {
+ address 185.110.148.167/31;
+ }
+ family inet6 {
+ address 2a06:5841:f:101::5/127;
+ }
+ }
+ }
+}
+snmp {
+ contact "<removed>";
+ community {{ v.snmp_community }} {
+ authorization read-only;
+ client-list-name mgmt;
+ }
+}
+protocols {
+ ospf3 {
+ realm ipv4-unicast {
+ area 0.0.0.0 {
+ interface reth0.10;
+ interface reth0.20;
+ interface reth0.30;
+ interface lo0.0 {
+ passive;
+ }
+ }
+ reference-bandwidth 1000g;
+ }
+ area 0.0.0.0 {
+ interface reth0.10;
+ interface reth0.20;
+ interface reth0.30;
+ interface lo0.0 {
+ passive;
+ }
+ }
+ }
+ lldp {
+ port-id-subtype interface-name;
+ port-description-type interface-description;
+ interface all;
+ }
+}
+
+
+
+
+{# Static interfaces #}
+
+interfaces {
+ xe-0/0/2 {
+ description "X: fab0";
+ }
+ xe-0/0/3 {
+ description "X: fab0";
+ }
+ et-1/0/0 {
+ description "G: r1.tele et-4/1/0 (reth0)";
+ gigether-options {
+ redundant-parent reth0;
+ }
+ }
+ xe-7/0/2 {
+ description "X: fab1";
+ }
+ xe-7/0/3 {
+ description "X: fab1";
+ }
+ et-8/0/0 {
+ description "G: r1.tele et-5/1/0 (reth0)";
+ gigether-options {
+ redundant-parent reth0;
+ }
+ }
+ fab0 {
+ fabric-options {
+ member-interfaces {
+ xe-0/0/2;
+ xe-0/0/3;
+ }
+ }
+ }
+ fab1 {
+ fabric-options {
+ member-interfaces {
+ xe-7/0/2;
+ xe-7/0/3;
+ }
+ }
+ }
+ lo0 {
+ description "X: Loopback";
+ unit 0 {
+ family inet {
+ filter {
+ input mgmt-v4;
+ }
+ address 185.110.148.2/32;
+ }
+ family inet6 {
+ filter {
+ input mgmt-v6;
+ }
+ address 2a06:5841:f:a::2/128;
+ }
+ }
+ }
+ reth0 {
+ description "B: r1.tele ae5";
+ vlan-tagging;
+ redundant-ether-options {
+ redundancy-group 1;
+ lacp {
+ active;
+ periodic fast;
+ }
+ }
+ unit 10 {
+ description INET;
+ vlan-id 10;
+ family inet {
+ address 185.110.148.163/31;
+ }
+ family inet6 {
+ address 2a06:5841:f:101::1/127;
+ }
+ }
+ unit 20 {
+ description NAT-WIFI;
+ vlan-id 20;
+ family inet {
+ address 185.110.148.165/31;
+ }
+ family inet6 {
+ address 2a06:5841:f:101::3/127;
+ }
+ }
+ unit 30 {
+ description NAT-LAN;
+ vlan-id 30;
+ family inet {
+ address 185.110.148.167/31;
+ }
+ family inet6 {
+ address 2a06:5841:f:101::5/127;
+ }
+ }
+ }
+}
+
+policy-options {
+ prefix-list mgmt-v4 {
+ }
+ prefix-list mgmt-v6 {
+ }
+ /* Merged separate v4- og v6-lister */
+ prefix-list mgmt {
+ apply-path "policy-options prefix-list <mgmt-v*> <*>";
+ }
+}
+
+firewall {
+ family inet {
+ filter mgmt-v4 {
+ term accept-ssh {
+ from {
+ source-prefix-list {
+ mgmt-v4;
+ }
+ destination-port 22;
+ }
+ then accept;
+ }
+ term discard-ssh {
+ from {
+ destination-port 22;
+ }
+ then {
+ discard;
+ }
+ }
+ term accept-all {
+ then accept;
+ }
+ }
+ }
+ family inet6 {
+ filter mgmt-v6 {
+ term accept-ssh {
+ from {
+ source-prefix-list {
+ mgmt-v6;
+ }
+ destination-port 22;
+ }
+ then accept;
+ }
+ term discard-ssh {
+ from {
+ destination-port 22;
+ }
+ then discard;
+ }
+ term accept-all {
+ then accept;
+ }
+ }
+ }
+}
+
+{% else %}
+Unsupported option. Please use
+"?switch=switch_name"
+{% endif %}
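Review bot: The INET zone admits ssh and netconf as host-inbound services on reth0.10, and the from-zone INET to-zone LOOPBACK policy YESMAN with `source-address any` lets the same services reach lo0 through the LOOPBACK zone's host-inbound list, while the lo0 filters mgmt-v4/mgmt-v6 only gate destination-port 22 before falling through to accept-all — so NETCONF on its own port (830 by default on Junos) is reachable on the firewall's addresses from the Internet with no source restriction at all. The prefix-lists mgmt-v4 and mgmt-v6 are empty in this file; unless another template merges entries into them, the accept-ssh terms match nothing and the discard-ssh terms drop SSH for everyone including management, which is presumably not the intent given that vars-mgmt-nets.conf is imported only to build the address-book. I would tie the INET→LOOPBACK policy to the set this file already builds, `source-address GRP-MGMT;`, and widen both accept-ssh and discard-ssh terms to `destination-port [ 22 830 ];`, or simply drop ssh and netconf from the INET zone's host-inbound list and keep device management on the NAT-side zones. The any/any/any permits from INET into NAT-LAN and NAT-WIFI also mean this SRX does no inbound filtering for those zones; if that is deliberate for the event network, a comment saying so would stop the next reader from treating it as an oversight.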