====== Настройка JuniperMX v2 ======

Версия билинга должна быть **не ниже 2.12.5**

===== Настройки в билинге =====

Сервер NAS: \\
{{:billing:nas_access_server:junipermx_nas.jpg?nolink&|}} \\
Системные опции:\\
{{:billing:nas_access_server:junipermx_sys_opt.jpg?nolink&|}}

**Сервисы**: имя сервиса, передаваемое BRAS при авторизации абонента.\\ \\
**вкл Пул IPoE**: если в атрибуте **User-Name** придет тег **NOIP**, абоненту вместо IP-адреса будет выдано имя пула IPoE.\\ \\
**пул для неизвестных абонентов**: позволяет проходить авторизацию тем, кого нет в базе абонентов. При авторизации им будет выдан сервис/пул IPoE для неизвестных абонентов. Поскольку этот сервис/пул получает любое устройство, которого нет в базе, его стоит ограничивать (например, доступом только к странице-заглушке).

===== Настройки на Juniper =====

Возможные комбинации поля **User-Name**:\\

==== Авторизация по MAC ====

IP выдает билинг, шаблон: User-Name=MAC
  User-Name=E1E2.E3E4.E5E6

Вариант №2, шаблон: User-Name=MAC.MAC
  User-Name=MAC.E1E2.E3E4.E5E6

----

IP выдает juniper, шаблон: User-Name=MACNOIP.MAC
  User-Name=MACNOIP.E1E2.E3E4.E5E6

==== Авторизация по MAC ONU ====

IP выдает билинг, шаблон: User-Name=OPT82.MACONU
  OPT82.A1B2C3D4E5F6

IP выдает juniper, шаблон: User-Name=OPT82NOIP.MACONU
  OPT82NOIP.A1B2C3D4E5F6

==== Авторизация по Switch + Port ====

IP выдает билинг, шаблон: User-Name=OPT82.PORT.SWTCHMAC
  OPT82.22.CCAB33221100

IP выдает juniper, шаблон: User-Name=OPT82NOIP.PORT.SWTCHMAC
  OPT82NOIP.22.CCAB33221100

==== Авторизация по Serial Number ====

IP выдает билинг, шаблон: User-Name=SERIAL.CODE или User-Name=OPT82.CODE
  SERIAL.DDR27521JJ95TWHJT8820
  OPT82.DDR27521JJ95TWHJT8820

IP выдает juniper, шаблон: User-Name=SERIALNOIP.CODE или User-Name=OPT82NOIP.CODE
  SERIALNOIP.DDR27521JJ95TWHJT8820
  OPT82NOIP.DDR27521JJ95TWHJT8820

==== Авторизация по Serial Number + VLAN ====

IP выдает билинг, шаблон: User-Name=SERIAL.VLAN.CODE
  SERIAL.108.DDR27521JJ95TWHJT8820

IP выдает juniper, шаблон: User-Name=SERIALNOIP.VLAN.CODE
  SERIALNOIP.108.DDR27521JJ95TWHJT8820

==== Авторизация по QinQ ====

IP выдает билинг, шаблон: User-Name=QINQ.INTERFACE:SVLAN-CVLAN
  QINQ.ge-1/1/7:517-201

==== 
Авторизация по Option82 ====

IP выдает билинг, шаблон: User-Name=OPT82.CIRCUIT-ID.REMOTE-ID
OPT82.2/15:1.BDCM62F7AE32

IP выдает juniper, шаблон: User-Name=OPT82NOIP.CIRCUIT-ID.REMOTE-ID
OPT82NOIP.2/15:1.BDCM62F7AE32

==== Дополнительно ====

Парсинг MAC ONU из строк:
OPT82.0 0/0/0:0.0 143e.bfb6.a22a/1/1/3/0/8/0000000000007CA7B08B04BA EP
OPT82.0 0/0/0:0.0 143e.bfb6.a22a/1/1/3/0/8/0000000000007CA7B08B04BA EP.ZTE_C300-ep_1/3/8:1.v3508
OPT82.xxxxxxxxxxxxx/0000000000007CA7B08B04BA EP

====== конфиг для "Дай Денег" ======

# Restricted-access ("no money") service for subscribers with a negative balance.
# The dynamic profile svc-nomoney-ipoe attaches svc-filter-in-nomoney as the input
# filter on the subscriber's demux0 unit. The filter:
#   term 1    accepts traffic from NoMoneyHosts to the white-listed destinations
#   term 2    sends remaining port 80/443/53 traffic to routing-instance neg_dep,
#             whose default route points at the stub page
#   term 3    discards everything else sourced from NoMoneyHosts
#   default   accepts traffic from any other source
# The Russian words and the text in parentheses below are the page's own
# placeholders and annotations, not Junos syntax: substitute real prefixes and
# strip the annotations before loading.
set dynamic-profiles svc-nomoney-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter input svc-filter-in-nomoney
# NoMoneyHosts: source prefixes the restriction applies to.
set policy-options prefix-list NoMoneyHosts 10.0.0.0/8
# NOTE(review): 172.20.0.0/12 is not aligned to a /12 boundary; the RFC 1918 block
# is 172.16.0.0/12 - confirm which range is intended.
set policy-options prefix-list NoMoneyHosts 172.20.0.0/12
set policy-options prefix-list NoMoneyHosts 192.168.0.0/16
# Placeholder: the operator's public prefixes handed out to subscribers.
set policy-options prefix-list NoMoneyHosts Ваши Белые IP-адреса всего что выдем людям
# WhiteListHosts: destinations reachable with a negative balance (payment systems,
# banks, stub page, subscriber cabinet, operator site).
set policy-options prefix-list WhiteListHosts ( Список IP адресов куда можно ходить при минусовом балансе Платежки/банки и тд)
# NOTE(review): white-listing public resolvers lets restricted subscribers send
# port 53 traffic to hosts outside the operator's control, which leaves a path for
# DNS-tunnelled traffic past the restriction. The example config further down
# hands out 1.1.1.13/1.1.1.15 as DNS to the NoMoney pool instead - consider doing
# the same here with a resolver the operator runs.
set policy-options prefix-list WhiteListHosts 8.8.8.8/32 (DNS-1)
set policy-options prefix-list WhiteListHosts 8.8.4.4/32 (DNS-2)
set policy-options prefix-list WhiteListHosts IP_ADDRESS_СТРАНИЦЫ_ЗАГЛУШКИ
set policy-options prefix-list WhiteListHosts КАБИНЕТА_АБОНЕНТА
set policy-options prefix-list WhiteListHosts Сайт_Оператора
set policy-options prefix-list DynamicWhiteListHosts 8.8.8.8/32
set firewall family inet filter svc-filter-in-nomoney interface-specific
# term 1: within one term Junos ORs several values of the same match condition and
# ANDs the different conditions, so this reads as
#   (dst in WhiteListHosts or DynamicWhiteListHosts) and src in NoMoneyHosts
#   and protocol in {tcp, udp, icmp} and destination-port in {80, 443, 53}.
# Keep the white lists as narrow as possible: every entry is reachable on all three
# ports over both TCP and UDP.
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-prefix-list WhiteListHosts
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-prefix-list DynamicWhiteListHosts
set firewall family inet filter svc-filter-in-nomoney term 1 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol tcp
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol udp
# NOTE(review): ICMP has no ports, so combining protocol icmp with destination-port
# in the same term is unlikely to pass ping as presumably intended; if ICMP to the
# white list is wanted it probably needs its own term - confirm on the device.
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol icmp
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 80 (разрешаем 80й порт http)
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 443 (разрешаем 443й порт https)
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 53 (разрешаем 53 порт dns)
set firewall family inet filter svc-filter-in-nomoney term 1 then accept
# term 2: port 80/443/53 traffic from NoMoneyHosts that term 1 did not accept is
# forwarded through neg_dep, i.e. towards the stub page host.
set firewall family inet filter svc-filter-in-nomoney term 2 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol tcp
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol udp
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol icmp
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 80
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 443
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 53
set firewall family inet filter svc-filter-in-nomoney term 2 then routing-instance neg_dep
# term 3: anything else sourced from NoMoneyHosts is dropped.
set firewall family inet filter svc-filter-in-nomoney term 3 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 3 then discard
# term default: terms 1-3 all require a source in NoMoneyHosts, so a packet whose
# source is outside that list ends up here and is accepted. The restriction is
# therefore only as complete as NoMoneyHosts - every subscriber prefix must be in it.
set firewall family inet filter svc-filter-in-nomoney term default then accept
# neg_dep: forwarding instance whose only route sends everything to the stub page.
set routing-instances neg_dep routing-options static route 0.0.0.0/0 next-hop IP_ADDRESS_СТРАНИЦЫ_ЗАГЛУШКИ
set routing-instances neg_dep instance-type forwarding

====== пример конфига: ======

# Example BRAS configuration. Addresses such as 1.1.x.x and X.X.X.X are the page's
# sample values and placeholders.

# --- Dynamic profile for IPoE (DHCP) subscribers ---
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" family inet demux-source $junos-subscriber-ip-address
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address preferred-source-address 1.1.2.1
# --- Service profile svc-global-ipoe: per-subscriber rate limiting ---
# SPEED_IN / SPEED_OUT are mandatory variables (presumably supplied by the billing
# system over RADIUS when the service is activated - confirm); the filter and
# policer names are generated per subscriber (uid).
set dynamic-profiles svc-global-ipoe variables SPEED_IN mandatory
set dynamic-profiles svc-global-ipoe variables SPEED_OUT mandatory
set dynamic-profiles svc-global-ipoe variables INET_IN uid
set dynamic-profiles svc-global-ipoe variables INET_OUT uid
set dynamic-profiles svc-global-ipoe variables POLICER_IN uid
set dynamic-profiles svc-global-ipoe variables POLICER_OUT uid
set dynamic-profiles svc-global-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter input "$INET_IN"
set dynamic-profiles svc-global-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter input precedence 50
set dynamic-profiles svc-global-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter output "$INET_OUT"
set dynamic-profiles svc-global-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter output precedence 50
# Both filters have a single term: police, count for accounting, accept.
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_IN" interface-specific
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_IN" term 1 then policer "$POLICER_IN"
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_IN" term 1 then service-accounting
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_IN" term 1 then accept
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_OUT" interface-specific
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_OUT" term 1 then policer "$POLICER_OUT"
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_OUT" term 1 then service-accounting
set dynamic-profiles svc-global-ipoe firewall family inet filter "$INET_OUT" term 1 then accept
# Policers: traffic above the subscriber's bandwidth limit is discarded.
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_IN" filter-specific
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_IN" if-exceeding bandwidth-limit "$SPEED_IN"
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_IN" if-exceeding burst-size-limit 512k
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_IN" then discard
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_OUT" filter-specific
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_OUT" if-exceeding bandwidth-limit "$SPEED_OUT"
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_OUT" if-exceeding burst-size-limit 512k
set dynamic-profiles svc-global-ipoe firewall policer "$POLICER_OUT" then discard
# --- PPPoE: auto-configured VLAN profile, client profile and the pp0 session profile ---
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" vlan-id "$junos-vlan-id"
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-interface-ifd-name"
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator PPPoE
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe duplicate-protection
set dynamic-profiles VLAN-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PP0
set dynamic-profiles CLIENTS-PPPoE interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles CLIENTS-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator PPPoE
set dynamic-profiles CLIENTS-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe duplicate-protection
set dynamic-profiles CLIENTS-PPPoE interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PP0
# Both CHAP and PAP are enabled. PAP carries the subscriber password in cleartext
# on the access segment; keep it only if some CPE cannot do CHAP.
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" ppp-options chap
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" ppp-options pap
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" pppoe-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" pppoe-options server
set dynamic-profiles PP0 interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
# Restricted-access service profile; attaches the svc-filter-in-nomoney filter defined below.
set dynamic-profiles svc-nomoney-ipoe interfaces demux0 unit "$junos-interface-unit" family inet filter input svc-filter-in-nomoney
set system time-zone Europe/Moscow
# --- DHCP local server: builds the RADIUS User-Name for IPoE subscribers ---
set system services dhcp-local-server pool-match-order external-authority
set system services dhcp-local-server pool-match-order option-82
set system services dhcp-local-server forward-snooped-clients configured-interfaces
# The per-group password is a fixed string equal to the group name, so it does not
# identify a subscriber. What distinguishes subscribers is the User-Name assembled
# from the prefix plus option-82 circuit-id/remote-id; that is only trustworthy if
# the access equipment inserts (or overwrites) option 82 itself and does not pass
# through values sent by the client - verify on the access switches/OLTs.
set system services dhcp-local-server group IPoE-Pool authentication password IPoE-Pool
set system services dhcp-local-server group IPoE-Pool authentication username-include user-prefix OPT82NOIP
set system services dhcp-local-server group IPoE-Pool authentication username-include option-82 circuit-id
set system services dhcp-local-server group IPoE-Pool authentication username-include option-82 remote-id
set system services dhcp-local-server group IPoE-Pool dynamic-profile CLIENTS-IPoE
set system services dhcp-local-server group IPoE-Pool interface demux0.3551
set system services dhcp-local-server group IPoE-Serial authentication password IPoE-Serial
set system services dhcp-local-server group IPoE-Serial authentication username-include user-prefix SERIALNOIP
set system services dhcp-local-server group IPoE-Serial authentication username-include option-82 circuit-id
set system services dhcp-local-server group IPoE-Serial authentication username-include option-82 remote-id
set system services dhcp-local-server group IPoE-Serial dynamic-profile CLIENTS-IPoE
set system services dhcp-local-server group IPoE-Serial interface demux0.3550
# Logging is local only (file messages); no remote syslog host is configured in this example.
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system ntp server 46.254.216.9
set system ntp server 46.254.216.12
# Default access profile for subscriber authentication (defined under "set access profile CLIENTS").
set access-profile CLIENTS
# --- Physical and static interfaces ---
set interfaces ge-1/1/0 flexible-vlan-tagging
set interfaces ge-1/1/0 encapsulation flexible-ethernet-services
set interfaces ge-1/1/0 unit 5 vlan-id 5
set interfaces ge-1/1/0 unit 5 family inet address 1.1.1.1/24
set interfaces ge-1/1/0 unit 111 encapsulation vlan-bridge
set interfaces ge-1/1/0 unit 111 vlan-id 111
# Subscriber-facing port: PPPoE VLANs 112-113 are created on demand from VLAN-PPPoE.
set interfaces ge-1/1/1 description CLIENTS
set interfaces ge-1/1/1 flexible-vlan-tagging
set interfaces ge-1/1/1 auto-configure vlan-ranges dynamic-profile VLAN-PPPoE accept pppoe
set interfaces ge-1/1/1 auto-configure vlan-ranges dynamic-profile VLAN-PPPoE ranges 112-113
set interfaces ge-1/1/1 auto-configure remove-when-no-subscribers
set interfaces ge-1/1/1 encapsulation flexible-ethernet-services
set interfaces ge-1/1/1 unit 111 encapsulation vlan-bridge
set interfaces ge-1/1/1 unit 111 vlan-id 111
# Static demux units for the IPoE VLANs 3550 (group IPoE-Serial) and 3551 (group IPoE-Pool).
set interfaces demux0 unit 3550 demux-source inet
set interfaces demux0 unit 3550 proxy-arp
set interfaces demux0 unit 3550 vlan-id 3550
set interfaces demux0 unit 3550 demux-options underlying-interface ge-1/1/1
set interfaces demux0 unit 3550 family inet unnumbered-address lo0.0
set interfaces demux0 unit 3550 family inet unnumbered-address preferred-source-address 1.1.2.1
set interfaces demux0 unit 3551 demux-source inet
set interfaces demux0 unit 3551 proxy-arp
set interfaces demux0 unit 3551 vlan-id 3551
set interfaces demux0 unit 3551 demux-options underlying-interface ge-1/1/1
set interfaces demux0 unit 3551 family inet unnumbered-address lo0.0
set interfaces demux0 unit 3551 family inet unnumbered-address preferred-source-address 1.1.2.1
set interfaces irb unit 111 family inet address 10.100.100.225/21
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces lo0 unit 0 family inet address 10.0.255.1/32 primary
set interfaces lo0 unit 0 family inet address 10.0.255.1/32 preferred
set interfaces lo0 unit 0 family inet address 1.1.2.1/32
set routing-options static route 0.0.0.0/0 next-hop 92.38.127.1
# --- Restricted-access filter, example values ---
# NoMoneyHosts here is the NoMoney-POOL network; term 1 white-lists 1.1.1.13 and
# 1.1.1.15, the same hosts the pool hands out as DNS servers.
set policy-options prefix-list NoMoneyHosts 172.28.0.0/20
set firewall family inet filter svc-filter-in-nomoney interface-specific
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-address 1.1.1.13/32
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-address 1.1.1.15/32
set firewall family inet filter svc-filter-in-nomoney term 1 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol tcp
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol udp
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 80
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 443
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port 53
set firewall family inet filter svc-filter-in-nomoney term 1 then accept
# term 2: all other tcp/udp port 80/443/53 traffic from the pool is forwarded via neg_dep.
set firewall family inet filter svc-filter-in-nomoney term 2 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol tcp
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol udp
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 80
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 443
set firewall family inet filter svc-filter-in-nomoney term 2 from destination-port 53
set firewall family inet filter svc-filter-in-nomoney term 2 then routing-instance neg_dep
set firewall family inet filter svc-filter-in-nomoney term 3 from source-prefix-list NoMoneyHosts
set firewall family inet filter svc-filter-in-nomoney term 3 then discard
# Sources outside NoMoneyHosts match none of terms 1-3 and are accepted here.
set firewall family inet filter svc-filter-in-nomoney term default then accept
# --- RADIUS (billing server) ---
# X.X.X.X and "secret" are placeholders. The shared secret is what protects
# RADIUS attributes between the BRAS and the billing server: use a long random
# value unique to this NAS, and never deploy the literal string from this page.
set access radius-server X.X.X.X port 1812
set access radius-server X.X.X.X accounting-port 1813
set access radius-server X.X.X.X secret "secret"
set access radius-server X.X.X.X timeout 10
set access radius-server X.X.X.X retry 5
set access radius-server X.X.X.X max-outstanding-requests 1500
# NOTE(review): 1.1.1.3 is not assigned to any interface shown in this example
# (ge-1/1/0.5 has 1.1.1.1/24) - confirm the source address exists on the device
# and matches the NAS address registered in the billing system.
set access radius-server X.X.X.X source-address 1.1.1.3
set access profile CLIENTS authentication-order radius
set access profile CLIENTS radius authentication-server X.X.X.X
set access profile CLIENTS radius accounting-server X.X.X.X
set access profile CLIENTS accounting order radius
set access profile CLIENTS accounting immediate-update
set access profile CLIENTS accounting update-interval 10
set access profile CLIENTS accounting statistics volume-time
# --- Local address pools ---
set access address-assignment pool IPoE-Pool family inet network 1.1.2.0/24
set access address-assignment pool IPoE-Pool family inet range IPoE-Pool low 1.1.2.2
set access address-assignment pool IPoE-Pool family inet range IPoE-Pool high 1.1.2.254
set access address-assignment pool IPoE-Pool family inet dhcp-attributes option-match option-82 circuit-id circuit-id range IPoE-Pool
set access address-assignment pool IPoE-Pool family inet dhcp-attributes option-match option-82 remote-id remote-id range IPoE-Pool
set access address-assignment pool IPoE-Pool family inet dhcp-attributes maximum-lease-time 600
set access address-assignment pool IPoE-Pool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool IPoE-Pool family inet dhcp-attributes router 1.1.2.1
set access address-assignment pool IPoE-Pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access address-assignment pool IPoE-Pool family inet xauth-attributes secondary-dns 8.8.4.4/32
set access address-assignment pool PPP-Pool family inet network 1.1.3.0/24
set access address-assignment pool PPP-Pool family inet range PPP-Pool low 1.1.3.2
set access address-assignment pool PPP-Pool family inet range PPP-Pool high 1.1.3.254
set access address-assignment pool PPP-Pool family inet dhcp-attributes option-match option-82 circuit-id circuit-id range PPP-Pool
set access address-assignment pool PPP-Pool family inet dhcp-attributes option-match option-82 remote-id remote-id range PPP-Pool
set access address-assignment pool PPP-Pool family inet dhcp-attributes maximum-lease-time 600
set access address-assignment pool PPP-Pool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool PPP-Pool family inet dhcp-attributes router 1.1.3.1
set access address-assignment pool PPP-Pool family inet xauth-attributes primary-dns 8.8.8.8/32
set access address-assignment pool PPP-Pool family inet xauth-attributes secondary-dns 8.8.4.4/32
# Pool for restricted subscribers; its network is what NoMoneyHosts matches above.
set access address-assignment pool NoMoney-POOL family inet network 172.28.0.0/20
set access address-assignment pool NoMoney-POOL family inet range 1st low 172.28.0.2
set access address-assignment pool NoMoney-POOL family inet range 1st high 172.28.3.255
# NOTE(review): option-match points at a range named NoMoney-POOL, but the only
# range defined in this pool is named 1st - confirm the intended range name.
set access address-assignment pool NoMoney-POOL family inet dhcp-attributes option-match option-82 circuit-id circuit-id range NoMoney-POOL
set access address-assignment pool NoMoney-POOL family inet dhcp-attributes option-match option-82 remote-id remote-id range NoMoney-POOL
set access address-assignment pool NoMoney-POOL family inet dhcp-attributes maximum-lease-time 300
set access address-assignment pool NoMoney-POOL family inet xauth-attributes primary-dns 1.1.1.13/32
set access address-assignment pool NoMoney-POOL family inet xauth-attributes secondary-dns 1.1.1.15/32
# neg_dep: forwarding instance used by filter term 2; everything goes to 1.1.1.15.
set routing-instances neg_dep routing-options static route 0.0.0.0/0 next-hop 1.1.1.15
set routing-instances neg_dep instance-type forwarding