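security {
    /*
     * Session logging. With "report" the records are kept for on-box reporting.
     * NOTE(review): no off-box stream destination is visible in this stanza;
     * confirm whether export to a log collector is intended.
     */
    log {
        mode stream;
        report;
        source-interface ge-0/0/1.0;
    }
    nat {
        source {
            /* Interface source NAT: every trust -> untrust flow is translated to the egress interface address. */
            rule-set interface-nat {
                from zone trust;
                to zone untrust;
                rule rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /*
         * The only permit in this stanza: web traffic from trust to untrust.
         * No trust -> trust policy is defined here, so traffic between the
         * VLAN units (all in zone trust) falls through to default-policy deny-all.
         */
        from-zone trust to-zone untrust {
            policy Allow_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-http-ext junos-https ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        /* No host-inbound-traffic is listed for untrust, so nothing addressed to the device itself is accepted on ge-0/0/0.0. */
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        /*
         * NOTE(review): every trust unit accepts "all" system-services and "all"
         * protocols, so any host on any VLAN can reach whatever management and
         * routing services are enabled on the device. The system stanza is not
         * shown here, so the required set cannot be derived from this page;
         * narrow each unit to the services it actually needs and keep
         * management access on a single unit.
         */
        security-zone trust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/1.10 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/1.20 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/1.30 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    /* Uplink in zone untrust. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.250.5/24;
            }
        }
    }
    /* 802.1Q trunk; each unit is the gateway address for one VLAN in zone trust. */
    ge-0/0/1 {
        vlan-tagging;
        unit 0 {
            vlan-id 1;
            family inet {
                address 172.16.0.1/24;
            }
        }
        unit 10 {
            vlan-id 10;
            family inet {
                address 172.16.10.254/24;
            }
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 172.16.20.254/24;
            }
        }
        unit 30 {
            vlan-id 30;
            family inet {
                address 172.16.30.254/24;
            }
        }
    }
    /* Unused ports are administratively disabled. */
    ge-0/0/2 {
        disable;
    }
    ge-0/0/3 {
        disable;
    }
    ge-0/0/4 {
        disable;
    }
    ge-0/0/5 {
        disable;
    }
    ge-0/0/6 {
        disable;
    }
    ge-0/0/7 {
        disable;
    }
}
routing-options {
    static {
        /*
         * Default route only. The static routes for 172.16.10.0/24,
         * 172.16.20.0/24 and 172.16.30.0/24 that pointed at this device's own
         * interface addresses were dropped: those subnets are directly
         * connected on ge-0/0/1.10/.20/.30 and the direct route is preferred
         * over a static one.
         */
        route 0.0.0.0/0 next-hop 192.168.250.2;
    }
}
[edit]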