SRX (Junos) configuration:
/* 12.1X44 is an old Junos branch; confirm it is still under support and current on security fixes before treating this as a production baseline */
version 12.1X44-D40.2;
/* Management plane. Review notes are loadable Junos annotations; the ## SECRET-DATA markers are display-only */
system {
/* $1$ prefix = MD5-crypt. The hash is exposed by this paste: rotate the root password, and use a stronger hash format if this release offers one */
root-authentication {
encrypted-password "$1$wC0UZD2C$pnhZvVdU5Ux1Bmr2wD81y."; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
/* xnm-clear-text accepts JUNOScript/XML management sessions without encryption; remove it, or use xnm-ssl, unless a client genuinely needs cleartext */
xnm-clear-text;
web-management {
/* plain http alongside https on the same interface: drop http once https is confirmed working */
http {
interface vlan.0;
}
https {
/* self-signed certificate: browsers cannot verify it; load a certificate from a trusted CA for anything beyond a PoC */
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
domain-name poc.local;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
192.168.88.1;
}
pool 192.168.88.0/24 {
address-range low 192.168.88.101 high 192.168.88.200;
}
/* propagate-settings copies DNS/domain learned by a DHCP client on ge-0/0/0.0, but ge-0/0/0.0 is statically addressed below — presumably a factory-default leftover; harmless */
propagate-settings ge-0/0/0.0;
}
}
/* Logging stays on the box (3 x 100k archives) and there is no remote syslog host, so an attacker with device access can erase the trail; add a syslog host target */
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
/* authorization info records logins/commits locally — useful, but only if the file is shipped off-device */
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url
https://ae1.juniper.net/junos/key_retrieval; }
}
}
interfaces {
/* outside-facing link, bound to zone untrust below; the MikroTik IPsec peer (10.0.0.101) sits on the same 10.0.0.0/24 */
ge-0/0/0 {
unit 0 {
family inet {
address 10.0.0.102/24;
}
}
}
/* ge-0/0/1 .. fe-0/0/7: untagged access ports in vlan-trust, no port-level controls configured */
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* secure-tunnel interface for the route-based VPN (unnumbered). The show interfaces terse output further down reports st0.0 as link down, i.e. the tunnel is not up at the time of the capture */
st0 {
unit 0 {
family inet;
}
}
/* L3 interface for vlan-trust; all web-management listeners above are bound here */
vlan {
unit 0 {
family inet {
address 192.168.88.1/24;
}
}
}
}
routing-options {
static {
/* remote LAN reached through the tunnel interface (route-based VPN). The show route output below lists only 3 inet.0 destinations and no 192.168.77.0/24 — presumably because st0.0 is link-down, so this static route is not active */
route 192.168.77.0/24 next-hop st0.0;
}
}
/* spanning tree on the switched ports, no per-interface tuning */
protocols {
stp;
}
security {
ike {
/* Phase 1. proposal-set compatible negotiates legacy options (3DES/DES with MD5/SHA-1; check the release's proposal-set table). It interoperates with the MikroTik peer below, which is pinned to 3des/md5, but both sides should move to an explicit AES/SHA-2 proposal together. The PSK is exposed by this paste: rotate it on both peers */
policy ike-policy-cfgr {
mode main;
proposal-set compatible;
pre-shared-key ascii-text "$9$Q4Th3Cp0OREcl.P1hSlLX7-V"; ## SECRET-DATA
}
/* peer = MikroTik ether1-gateway (10.0.0.101). No dead-peer-detection here, consistent with DPD being disabled on the MikroTik side */
gateway ike-gate-cfgr {
ike-policy ike-policy-cfgr;
address 10.0.0.101;
external-interface ge-0/0/0;
version v1-only;
}
}
ipsec {
/* Phase 2. Only the protocol is set, so the release defaults for encryption-algorithm / authentication-algorithm apply — TODO confirm they overlap with the MikroTik proposal (3des/md5); if not, phase 2 never completes. Check with: show security ipsec security-associations */
proposal ipsec-proposal-cfgr {
protocol esp;
}
/* no perfect-forward-secrecy configured; RouterOS proposals typically enable a PFS group by default, and a PFS mismatch is a common phase-2 failure — confirm both sides agree */
policy ipsec-policy-cfgr {
proposals ipsec-proposal-cfgr;
}
/* Route-based VPN. With IKEv1 a route-based vpn presents wildcard proxy IDs unless proxy-identity is set; the MikroTik side is policy-based with 192.168.77.0/24 <-> 192.168.88.0/24 selectors, so phase 2 likely fails on proxy-ID mismatch. Consider adding under ike: proxy-identity local 192.168.88.0/24 remote 192.168.77.0/24 service any */
vpn ipsec-vpn-cfgr {
bind-interface st0.0;
ike {
gateway ike-gate-cfgr;
ipsec-policy ipsec-policy-cfgr;
}
/* this side initiates; the MikroTik input chain must accept IKE/ESP from 10.0.0.102 for that to succeed (see the MikroTik export) */
establish-tunnels immediately;
}
}
/* screen profile applied to zone untrust below; values are the usual factory defaults */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* interface source NAT only for trust -> untrust; trust -> vpn traffic is not translated, which is what the IPsec selectors on the peer need */
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
/* permits any application between the two LANs in both directions with no logging; tighten the application list and add then { permit; log { session-close; } } once the tunnel is up */
policies {
from-zone trust to-zone vpn {
policy trust-vpn-cfgr {
match {
source-address net-cfgr_192-168-88-0--24;
destination-address net-cfgr_192-168-77-0--24;
application any;
}
then {
permit;
}
}
}
from-zone vpn to-zone trust {
policy vpn-trust-cfgr {
match {
source-address net-cfgr_192-168-77-0--24;
destination-address net-cfgr_192-168-88-0--24;
application any;
}
then {
permit;
}
}
}
}
zones {
/* host-inbound all: every management service on the box (including plain http) is reachable from the LAN; list only the services actually used */
security-zone trust {
address-book {
address net-cfgr_192-168-88-0--24 192.168.88.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
security-zone untrust {
address-book {
}
screen untrust-screen;
/* ike at zone level is required for the tunnel */
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
/* tftp on the outside interface is unusual (factory-default leftover?) — remove unless needed; dhcp is only useful if ge-0/0/0.0 were a DHCP client, and it is statically addressed */
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
ping;
}
}
}
}
}
/* host-inbound all on the tunnel zone exposes the firewall's own management services to the remote site; restrict to ping plus whatever is genuinely required */
security-zone vpn {
address-book {
address net-cfgr_192-168-77-0--24 192.168.77.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.0;
}
}
}
}
/* PoE enabled on every port */
poe {
interface all;
}
vlans {
default;
/* the only user VLAN (id 3); its L3 interface vlan.0 carries the LAN gateway and the management listeners */
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.0.0.102/24
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16
10.0.0.6 --> 0/0
128.0.0.1 --> 128.0.1.16
128.0.0.6 --> 0/0
ge-0/0/1 up down
ge-0/0/1.0 up down eth-switch
fe-0/0/2 up down
fe-0/0/2.0 up down eth-switch
fe-0/0/3 up down
fe-0/0/3.0 up down eth-switch
fe-0/0/4 up down
fe-0/0/4.0 up down eth-switch
fe-0/0/5 up down
fe-0/0/5.0 up down eth-switch
fe-0/0/6 up down
fe-0/0/6.0 up down eth-switch
fe-0/0/7 up down
fe-0/0/7.0 up down eth-switch
fxp2 up up
fxp2.0 up up tnp 0x1
gre up up
ipip up up
irb up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 --> 0/0
lo0.16385 up up inet 10.0.0.1 --> 0/0
10.0.0.16 --> 0/0
128.0.0.1 --> 0/0
128.0.0.4 --> 0/0
128.0.1.16 --> 0/0
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
ppd0 up up
ppe0 up up
st0 up up
st0.0 up down inet
tap up up
vlan up up
vlan.0 up down inet 192.168.88.1/24
> show route
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/24 *[Direct/0] 06:55:45
> via ge-0/0/0.0
10.0.0.102/32 *[Local/0] 06:55:45
Local via ge-0/0/0.0
192.168.88.1/32 *[Local/0] 07:05:44
Reject
MikroTik (RouterOS) export:
[admin@MikroTik] > export
# Review notes are "# ..." lines (RouterOS comment syntax). A plain export omits settings left at their defaults, so anything not shown here is at its default value.
/interface bridge
add admin-mac=D4:CA:6D:62:1A:8B auto-mac=no name=bridge-local
# lte1 exists but is not named by the input-chain drop rule below (which covers only ether1-gateway); if lte1 ever carries an upstream link, nothing in this firewall protects the router on it
/interface lte
set [ find ] mac-address=1C:4B:D6:B5:17:A2 name=lte1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
# hide-ssid adds no real protection; the security profile below is what matters
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors hide-ssid=yes l2mtu=2290 mode=ap-bridge preamble-mode=long \
ssid=mikrotik
# neighbor discovery is off on the WAN port but not on lte1
/ip neighbor discovery
set ether1-gateway discover=no
# wpa2-psk is fine; the key "password" is trivially guessable and is exposed by this export — replace it
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys wpa2-pre-shared-key=password
# Phase-2 proposals pinned to 3DES/MD5 (both the default profile and the "juniper" one; the policy below does not reference proposal=juniper, so the default profile is the one in use). pfs-group is not shown, so it is at its default — confirm it agrees with the SRX ipsec policy, which configures no PFS
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
add auth-algorithms=md5 enc-algorithms=3des name=juniper
/ip pool
add name=default-dhcp ranges=192.168.77.101-192.168.77.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/system logging action
set 2 remember=yes
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.77.1/24 comment="default configuration" interface=bridge-local network=192.168.77.0
# 10.0.0.101 is the address the SRX gateway points at
add address=10.0.0.101/24 interface=ether1-gateway network=10.0.0.0
# a DHCP client on ether1-gateway next to the static 10.0.0.101/24 — presumably a factory-default leftover; if it ever obtains a lease it could add a second address and default route on this interface
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=192.168.77.0/24 comment="default configuration" dns-server=192.168.77.1 gateway=192.168.77.1
# recursive DNS is answered on any interface the input chain accepts from: ether1-gateway is dropped below, the LAN and lte1 are not
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.77.1 name=router
# Default firewall: input from ether1-gateway is dropped after icmp/established/related. There is no accept for IKE (udp 500/4500) or ESP from 10.0.0.102 ahead of the drop, so a negotiation initiated by the SRX (establish-tunnels immediately on that side) is dropped here; only a MikroTik-initiated exchange can get through via the established/related rules, and even then inbound ESP should be accepted explicitly — TODO verify. Add accept rules for the peer before the drop.
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
# Known RouterOS ordering: srcnat runs before IPsec policy matching, so LAN traffic to 192.168.88.0/24 is masqueraded to 10.0.0.101 and no longer matches the policy's src-address=192.168.77.0/24. Add an accept rule in chain=srcnat for src-address=192.168.77.0/24 dst-address=192.168.88.0/24, placed before the masquerade.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
# FTP/IRC connection-tracking helpers disabled — good
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
# Phase-1 peer: 3DES/MD5, DPD off, NAT-T off; exchange-mode is not shown, so it is the default (main), matching the SRX. The PSK is stored and exported in the clear and is exposed by this paste — rotate it on both peers
/ip ipsec peer
add address=10.0.0.102/32 dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des hash-algorithm=md5 nat-traversal=no secret=Rahasia
# policy-based tunnel with 192.168.77.0/24 <-> 192.168.88.0/24 selectors. The SRX side is route-based (st0) and presents wildcard proxy IDs unless proxy-identity is configured there, so phase 2 likely fails on selector mismatch
/ip ipsec policy
add dst-address=192.168.88.0/24 sa-dst-address=10.0.0.102 sa-src-address=10.0.0.101 src-address=192.168.77.0/24 tunnel=yes
# plain route so LAN traffic for the remote site exits toward the peer; confidentiality relies entirely on the policy above matching. With the policy level at its default the traffic is not sent in the clear while the SA is down — confirm that level was not changed
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=10.0.0.102
# the UPnP "enabled" flag is not shown, so it is at its default; confirm it is off and keep it that way
/ip upnp
set allow-disable-external-interface=no
# well-known "public" community; whether the SNMP agent is enabled is not shown — if it is, change the community and restrict it by source address
/snmp
set trap-community=public
/system leds
set 5 interface=wlan1
# MAC-telnet and MAC-winbox are reachable on every inside interface and on lte1; remove lte1 (and wlan1 unless administrators connect over wireless) if those are not management segments
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
add interface=lte1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
add interface=lte1