Настройка JuniperMX v2

Версия биллинга должна быть не ниже 2.12.5


Сервер NAS:



Системные опции:


Сервисы: имя сервиса, передаваемое BRAS при авторизации абонента.

вкл Пул IPoE: если в атрибуте User-Name придёт тег NOIP, абоненту вместо IP-адреса будет выдано имя пула IPoE.

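пул для неизвестных абонентов: позволяет проходить авторизацию тем, кого нет в базе абонентов. При авторизации им будет выдан сервис/пул IPoE неизвестных. Этот сервис/пул стоит ограничить фильтром (по аналогии с фильтром для отрицательного баланса ниже), поскольку его получит любое устройство, которого нет в базе.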

Настройки на Juniper

Возможные комбинации поля User-Name:

OPT82.MACONU - авторизация по MAC ONU, IP выдает биллинг.
OPT82NOIP.MACONU - авторизация по MAC ONU, IP выдает juniper.
OPT82.PORT.SWITCH_MAC - авторизация по Switch + port, IP выдает биллинг.
OPT82NOIP.PORT.SWITCH_MAC - авторизация по Switch + port, IP выдает juniper.
SERIAL.CODE - авторизация по Serial Number, IP выдает биллинг.
SERIALNOIP.CODE - авторизация по Serial Number, IP выдает juniper.
SERIAL.VLAN.CODE - авторизация по Serial Number, IP выдает биллинг. (в логи DHCP записывает VLAN)
SERIALNOIP.VLAN.CODE - авторизация по Serial Number, IP выдает juniper. (в логи DHCP записывает VLAN)

конфиг для "Для Дай Денег"

# "No money" service: the dynamic profile svc-nomoney-ipoe attaches the input filter
# svc-filter-in-nomoney to the subscriber's demux0 unit.
#   term 1  - NoMoneyHosts -> WhiteListHosts / DynamicWhiteListHosts on the listed protocols and ports: accept
#   term 2  - other NoMoneyHosts traffic to ports 80/443/53: handed to routing-instance neg_dep,
#             whose default route points at the stub-page host
#   term 3  - anything else sourced from NoMoneyHosts: discard
#   default - every source that is NOT in NoMoneyHosts: accept
# This listing is a template: the Russian placeholders and the notes in parentheses are not
# Junos syntax and have to be replaced or removed before the lines are loaded.
set dynamic-profiles svc-nomoney-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter input svc-filter-in-nomoney
# NoMoneyHosts has to cover every range a subscriber can be addressed from: a source that is
# missing from the list skips terms 1-3 and is accepted unfiltered by "term default".
set policy-options prefix-list NoMoneyHosts 10.0.0.0/8
# NOTE(review): 172.20.0.0/12 has host bits set; the RFC 1918 block is 172.16.0.0/12 - confirm which prefix is meant.
set policy-options prefix-list NoMoneyHosts 172.20.0.0/12
set policy-options prefix-list NoMoneyHosts 192.168.0.0/16
set policy-options prefix-list NoMoneyHosts Ваши Белые IP-адреса всего что выдем людям
# WhiteListHosts: destinations that stay reachable with a negative balance. Keep it as narrow as
# possible - term 1 opens 80/443/53 over both tcp and udp to every entry.
set policy-options prefix-list WhiteListHosts ( Список IP адресов куда можно ходить при минусовом балансе Платежки/банки и тд)
# NOTE(review): with destination-port 53 in term 1 these two entries let a suspended subscriber
# query public resolvers directly; an operator-run resolver keeps that traffic under the
# operator's control - decide per policy.
set policy-options prefix-list WhiteListHosts  8.8.8.8/32 (DNS-1)
set policy-options prefix-list WhiteListHosts  8.8.4.4/32 (DNS-2)
set policy-options prefix-list WhiteListHosts  IP_ADDRESS_СТРАНИЦЫ_ЗАГЛУШКИ
set policy-options prefix-list WhiteListHosts  КАБИНЕТА_АБОНЕНТА
set policy-options prefix-list WhiteListHosts  Сайт_Оператора
set policy-options prefix-list DynamicWhiteListHosts 8.8.8.8/32
set firewall family inet filter svc-filter-in-nomoney interface-specific
# term 1: whitelisted destinations are accepted.
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-prefix-list WhiteListHosts 
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-prefix-list DynamicWhiteListHosts
set firewall family inet filter svc-filter-in-nomoney term 1 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol tcp
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol udp
# NOTE(review): ICMP carries no ports, yet this term (and term 2) also requires a destination-port
# match. Verify on the target Junos release how that is evaluated for ICMP; a separate ICMP term
# without a port match is less ambiguous.
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol icmp
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 80 (разрешаем 80й порт http)
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 443 (разрешаем 443й порт https)
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 53 (разрешаем 53 порт dns)
set firewall family inet filter svc-filter-in-nomoney term 1 then accept
# term 2: web and DNS traffic to any other destination is forwarded through neg_dep.
set firewall family inet filter svc-filter-in-nomoney term 2 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol tcp
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol udp
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol icmp
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 80
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 443
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 53
set firewall family inet filter svc-filter-in-nomoney term 2 then routing-instance neg_dep
# term 3: everything else from the listed subscriber ranges is dropped.
set firewall family inet filter svc-filter-in-nomoney term 3 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 3 then discard
# NOTE(review): fall-through accept. Only sources outside NoMoneyHosts reach this term, so the
# restriction is exactly as complete as that prefix list.
set firewall family inet filter svc-filter-in-nomoney term default then accept
# Default route of neg_dep: the stub-page host receives all traffic redirected by term 2.
set routing-instances neg_dep routing-options static route 0.0.0.0/0 next-hop IP_ADDRESS_СТРАНИЦЫ_ЗАГЛУШКИ

пример конфига:

# Dynamic profiles of the example. The 1.1.x.x addresses used throughout this example look like
# sample values - presumably to be replaced with the operator's own addressing.
#
# CLIENTS-IPoE: per-subscriber demux0 unit keyed on the subscriber's source IP address,
# unnumbered to lo0.0 with 1.1.2.1 as the preferred source address.
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" family inet demux-source $junos-subscriber-ip-address
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address preferred-source-address 1.1.2.1
# svc-global-ipoe: rate-limit service. SPEED_IN and SPEED_OUT are mandatory variables, so the
# service cannot be activated without them (presumably supplied by the billing system over
# RADIUS - confirm). The filter and policer names are declared as uid variables.
set dynamic-profiles svc-global-ipoe variables SPEED_IN mandatory
set dynamic-profiles svc-global-ipoe variables SPEED_OUT mandatory
set dynamic-profiles svc-global-ipoe variables INET_IN uid
set dynamic-profiles svc-global-ipoe variables INET_OUT uid
set dynamic-profiles svc-global-ipoe variables POLICER_IN uid
set dynamic-profiles svc-global-ipoe variables POLICER_OUT uid
# Attach the per-subscriber filters in both directions with precedence 50.
set dynamic-profiles svc-global-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter input "$INET_IN"
set dynamic-profiles svc-global-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter input precedence 50
set dynamic-profiles svc-global-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter output "$INET_OUT"
set dynamic-profiles svc-global-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter output precedence 50
# Each filter has a single term: police, count for service accounting, accept. These filters
# shape traffic only; they do not restrict which destinations a subscriber can reach.
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_IN" interface-specific
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_IN" term 1 then policer "$POLICER_IN"
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_IN" term 1 then service-accounting
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_IN" term 1 then accept
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_OUT" interface-specific
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_OUT" term 1 then policer "$POLICER_OUT"
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_OUT" term 1 then service-accounting
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_OUT" term 1 then accept
# Policers: traffic above the subscriber's bandwidth limit (512k burst) is discarded.
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_IN" filter-specific
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_IN" if-exceeding bandwidth-limit "$SPEED_IN"
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_IN" if-exceeding burst-size-limit 512k
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_IN" then discard
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_OUT" filter-specific
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_OUT" if-exceeding bandwidth-limit "$SPEED_OUT"
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_OUT" if-exceeding burst-size-limit 512k
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_OUT" then discard
# VLAN-PPPoE: dynamic VLAN unit on the physical port that hands PPPoE sessions to profile PP0.
# duplicate-protection is enabled on the PPPoE family.
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" vlan-id "$junos-vlan-id"
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-interface-ifd-name"
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator PPPoE
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe duplicate-protection
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PP0
set dynamic-profiles CLIENTS-PPPoE interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles CLIENTS-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator PPPoE
set dynamic-profiles CLIENTS-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe duplicate-protection
set dynamic-profiles CLIENTS-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PP0
# PP0: the PPP session itself. Both CHAP and PAP are offered.
# NOTE(review): PAP carries the subscriber password in clear text across the access segment.
# If every CPE supports CHAP, leaving out "ppp-options pap" removes that exposure - confirm
# against the installed CPE base.
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" ppp-options chap
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" ppp-options pap
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" pppoe-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" pppoe-options server
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
# svc-nomoney-ipoe: attaches the restrictive input filter svc-filter-in-nomoney to the subscriber unit.
set dynamic-profiles svc-nomoney-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter input svc-filter-in-nomoney
# System services of the example: DHCP local server groups for IPoE, syslog, NTP,
# and the access profile used for subscriber authentication.
set system time-zone Europe/Moscow
set system services dhcp-local-server pool-match-order external-authority
set system services dhcp-local-server pool-match-order option-82
set system services dhcp-local-server forward-snooped-clients configured-interfaces
# Group IPoE-Pool (demux0.3551): the user name is built from the prefix OPT82NOIP plus the
# Option 82 circuit-id and remote-id; the password is a fixed string equal to the group name.
# NOTE(review): Option 82 is therefore the only thing that identifies a subscriber. This assumes
# the access switches or OLTs insert Option 82 themselves and do not pass a client-supplied
# value through from subscriber ports - verify on the access layer.
set system services dhcp-local-server group IPoE-Pool authentication password IPoE-Pool
set system services dhcp-local-server group IPoE-Pool authentication username-include user-prefix OPT82NOIP
set system services dhcp-local-server group IPoE-Pool authentication username-include option-82 circuit-id
set system services dhcp-local-server group IPoE-Pool authentication username-include option-82 remote-id
set system services dhcp-local-server group IPoE-Pool dynamic-profile CLIENTS-IPoE
set system services dhcp-local-server group IPoE-Pool interface demux0.3551
# Group IPoE-Serial (demux0.3550): same scheme with the prefix SERIALNOIP.
set system services dhcp-local-server group IPoE-Serial authentication password IPoE-Serial
set system services dhcp-local-server group IPoE-Serial authentication username-include user-prefix SERIALNOIP
set system services dhcp-local-server group IPoE-Serial authentication username-include option-82 circuit-id
set system services dhcp-local-server group IPoE-Serial authentication username-include option-82 remote-id
set system services dhcp-local-server group IPoE-Serial dynamic-profile CLIENTS-IPoE
set system services dhcp-local-server group IPoE-Serial interface demux0.3550
# Logging goes to logged-in users (emergency) and to the local file "messages" only.
# NOTE(review): no remote syslog host is configured in this example; forwarding
# authorization events off the box keeps them available if the router itself is affected.
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
# NOTE(review): the NTP servers are configured without an authentication key in this example;
# presumably these addresses are to be replaced with the operator's own time sources.
set system ntp server 46.254.216.9
set system ntp server 46.254.216.12
# Access profile CLIENTS (its RADIUS settings appear further down in this listing).
set access-profile CLIENTS
# Interfaces of the example.
# ge-1/1/0: unit 5 is a routed VLAN with 1.1.1.1/24, unit 111 is bridged (vlan-bridge).
set interfaces ge-1/1/0 flexible-vlan-tagging
set interfaces ge-1/1/0 encapsulation flexible-ethernet-services
set interfaces ge-1/1/0 unit 5 vlan-id 5
set interfaces ge-1/1/0 unit 5 family inet address 1.1.1.1/24
set interfaces ge-1/1/0 unit 111 encapsulation vlan-bridge
set interfaces ge-1/1/0 unit 111 vlan-id 111
# ge-1/1/1: subscriber-facing port. Dynamic VLANs are created only for PPPoE packets and only
# in the range 112-113, and are removed again when the last subscriber leaves.
set interfaces ge-1/1/1 description CLIENTS
set interfaces ge-1/1/1 flexible-vlan-tagging
set interfaces ge-1/1/1 auto-configure vlan-ranges dynamic-profile VLAN-PPPoE accept pppoe
set interfaces ge-1/1/1 auto-configure vlan-ranges dynamic-profile VLAN-PPPoE ranges 112-113
set interfaces ge-1/1/1 auto-configure remove-when-no-subscribers
set interfaces ge-1/1/1 encapsulation flexible-ethernet-services
set interfaces ge-1/1/1 unit 111 encapsulation vlan-bridge
set interfaces ge-1/1/1 unit 111 vlan-id 111
# Static demux units for IPoE: VLAN 3550 (DHCP group IPoE-Serial) and VLAN 3551 (group IPoE-Pool),
# both on ge-1/1/1 and unnumbered to lo0.0.
set interfaces demux0 unit 3550 demux-source inet
set interfaces demux0 unit 3550 proxy-arp
set interfaces demux0 unit 3550 vlan-id 3550
set interfaces demux0 unit 3550 demux-options underlying-interface ge-1/1/1
set interfaces demux0 unit 3550 family inet unnumbered-address lo0.0
set interfaces demux0 unit 3550 family inet unnumbered-address preferred-source-address 1.1.2.1
set interfaces demux0 unit 3551 demux-source inet
set interfaces demux0 unit 3551 proxy-arp
set interfaces demux0 unit 3551 vlan-id 3551
set interfaces demux0 unit 3551 demux-options underlying-interface ge-1/1/1
set interfaces demux0 unit 3551 family inet unnumbered-address lo0.0
set interfaces demux0 unit 3551 family inet unnumbered-address preferred-source-address 1.1.2.1
set interfaces irb unit 111 family inet address 10.100.100.225/21
# lo0.0 carries the router's own addresses, including the subscriber gateway 1.1.2.1.
# NOTE(review): no input filter is applied to lo0 anywhere in the lines shown, so nothing in this
# example limits which sources can reach the router's own services; a production BRAS would
# normally add one.
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces lo0 unit 0 family inet address 10.0.255.1/32 primary
set interfaces lo0 unit 0 family inet address 10.0.255.1/32 preferred
set interfaces lo0 unit 0 family inet address 1.1.2.1/32
# Default route of the main instance; presumably to be replaced with the operator's own upstream.
set routing-options static route 0.0.0.0/0 next-hop 92.38.127.1
# Example of the "no money" filter. NoMoneyHosts holds only 172.28.0.0/20, the network of the
# NoMoney-POOL address pool defined further down in this listing.
# NOTE(review): a subscriber that has this filter attached but a source address outside
# 172.28.0.0/20 matches none of terms 1-3 and is accepted by "term default". The filter
# restricts traffic only if such subscribers always receive an address from that pool - confirm.
set policy-options prefix-list NoMoneyHosts 172.28.0.0/20
set firewall family inet filter svc-filter-in-nomoney interface-specific
# term 1: tcp/udp 80, 443 and 53 to the two hosts 1.1.1.13 and 1.1.1.15 is accepted.
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-address 1.1.1.13/32
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-address 1.1.1.15/32
set firewall family inet filter svc-filter-in-nomoney term 1 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol tcp
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol udp
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 80
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 443
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 53
set firewall family inet filter svc-filter-in-nomoney term 1 then accept
# term 2: the same ports towards any other destination are forwarded through routing-instance neg_dep.
set firewall family inet filter svc-filter-in-nomoney term 2 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol tcp
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol udp
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 80
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 443
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 53
set firewall family inet filter svc-filter-in-nomoney term 2 then routing-instance neg_dep
# term 3: everything else from NoMoneyHosts is dropped.
set firewall family inet filter svc-filter-in-nomoney term 3 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 3 then discard
# Fall-through: sources outside NoMoneyHosts are accepted.
set firewall family inet filter svc-filter-in-nomoney term default then accept
# RADIUS server (the billing system), access profile and address pools of the example.
# X.X.X.X and "secret" are placeholders.
# NOTE(review): replace "secret" with a long random shared secret that is unique to this NAS;
# the protection of the RADIUS exchange with the billing server depends on it.
# NOTE(review): source-address 1.1.1.3 is not configured on any interface shown in this example
# (ge-1/1/0.5 has 1.1.1.1/24) - confirm which local address the billing server expects as NAS IP.
set access radius-server X.X.X.X port 1812
set access radius-server X.X.X.X accounting-port 1813
set access radius-server X.X.X.X secret "secret"
set access radius-server X.X.X.X timeout 10
set access radius-server X.X.X.X retry 5
set access radius-server X.X.X.X max-outstanding-requests 1500
set access radius-server X.X.X.X source-address 1.1.1.3
# Profile CLIENTS: authentication and accounting use RADIUS only; no other method is listed
# in the authentication order.
set access profile CLIENTS authentication-order radius
set access profile CLIENTS radius authentication-server X.X.X.X
set access profile CLIENTS radius accounting-server X.X.X.X
set access profile CLIENTS accounting order radius
set access profile CLIENTS accounting immediate-update
set access profile CLIENTS accounting update-interval 10
set access profile CLIENTS accounting statistics volume-time
# IPoE-Pool: 1.1.2.2 - 1.1.2.254, gateway 1.1.2.1, lease time 600.
set access address-assignment pool IPoE-Pool family inet network 1.1.2.0/24
set access address-assignment pool IPoE-Pool family inet range IPoE-Pool low 1.1.2.2
set access address-assignment pool IPoE-Pool family inet range IPoE-Pool high 1.1.2.254
set access address-assignment pool IPoE-Pool family inet dhcp-attributes option-match option-82 circuit-id circuit-id range IPoE-Pool
set access address-assignment pool IPoE-Pool family inet dhcp-attributes option-match option-82 remote-id remote-id range IPoE-Pool
set access address-assignment pool IPoE-Pool family inet dhcp-attributes maximum-lease-time 600
set access address-assignment pool IPoE-Pool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool IPoE-Pool family inet dhcp-attributes router 1.1.2.1
set access address-assignment pool IPoE-Pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access address-assignment pool IPoE-Pool family inet xauth-attributes secondary-dns 8.8.4.4/32
# PPP-Pool: 1.1.3.2 - 1.1.3.254, gateway 1.1.3.1, lease time 600.
set access address-assignment pool PPP-Pool family inet network 1.1.3.0/24
set access address-assignment pool PPP-Pool family inet range PPP-Pool low 1.1.3.2
set access address-assignment pool PPP-Pool family inet range PPP-Pool high 1.1.3.254
set access address-assignment pool PPP-Pool family inet dhcp-attributes option-match option-82 circuit-id circuit-id range PPP-Pool
set access address-assignment pool PPP-Pool family inet dhcp-attributes option-match option-82 remote-id remote-id range PPP-Pool
set access address-assignment pool PPP-Pool family inet dhcp-attributes maximum-lease-time 600
set access address-assignment pool PPP-Pool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool PPP-Pool family inet dhcp-attributes router 1.1.3.1
set access address-assignment pool PPP-Pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access address-assignment pool PPP-Pool family inet xauth-attributes secondary-dns 8.8.4.4/32
# NoMoney-POOL: addresses for subscribers with a negative balance. The network is the same
# 172.28.0.0/20 that the example puts into prefix-list NoMoneyHosts, the lease time is 300,
# and DNS points at 1.1.1.13 / 1.1.1.15, the two hosts that term 1 of svc-filter-in-nomoney accepts.
set access address-assignment pool NoMoney-POOL family inet network 172.28.0.0/20
set access address-assignment pool NoMoney-POOL family inet range 1st low 172.28.0.2
set access address-assignment pool NoMoney-POOL family inet range 1st high 172.28.3.255
# NOTE(review): the two option-match lines below refer to a range named "NoMoney-POOL", but the
# only range defined in this pool is "1st" - confirm the range name.
set access address-assignment pool NoMoney-POOL family inet dhcp-attributes option-match option-82 circuit-id circuit-id range NoMoney-POOL
set access address-assignment pool NoMoney-POOL family inet dhcp-attributes option-match option-82 remote-id remote-id range NoMoney-POOL
set access address-assignment pool NoMoney-POOL family inet dhcp-attributes maximum-lease-time 300
set access address-assignment pool NoMoney-POOL family inet xauth-attributes primary-dns 1.1.1.13/32
set access address-assignment pool NoMoney-POOL family inet xauth-attributes secondary-dns 1.1.1.15/32
# neg_dep: everything redirected by term 2 of svc-filter-in-nomoney is sent to 1.1.1.15.
# NOTE(review): no instance-type is set for neg_dep in the lines shown; filter-based forwarding
# normally uses "instance-type forwarding" together with the interface routes needed to resolve
# the next hop - confirm against the full configuration.
set routing-instances neg_dep routing-options static route 0.0.0.0/0 next-hop 1.1.1.15