What switches or routers are you planning to use? Most switches support virtual routers (not the EX2300, and the EX3400 needs an EFL or Advanced License (flex)), so you could put the public WiFi in a VR of its own. If you don't want to use a VR, you can apply an input filter on the IRB unit that is the L3 interface of that VLAN, as you mentioned.
set policy-options prefix-list RFC1918 10.0.0.0/8
set policy-options prefix-list RFC1918 172.16.0.0/12
set policy-options prefix-list RFC1918 192.168.0.0/16
set policy-options prefix-list LocalPublicSubnets 5.6.7.0/24
set policy-options prefix-list LocalPublicSubnets 6.7.8.0/24
set firewall family inet filter BlockGuestToAll term RFC1918 from destination-prefix-list RFC1918
set firewall family inet filter BlockGuestToAll term RFC1918 then count GuestToRFC1918
set firewall family inet filter BlockGuestToAll term RFC1918 then reject
set firewall family inet filter BlockGuestToAll term BlockLocalPublic from destination-prefix-list LocalPublicSubnets
set firewall family inet filter BlockGuestToAll term BlockLocalPublic then count GuestToLocalPublicIP
set firewall family inet filter BlockGuestToAll term BlockLocalPublic then reject
set firewall family inet filter BlockGuestToAll term AllowInternetAccess then accept
set interfaces irb unit 11 family inet filter input BlockGuestToAll
or
set routing-instances GuestWiFi instance-type virtual-router
set routing-instances GuestWiFi interface irb.123 (WiFi subnet)
set routing-instances GuestWiFi interface irb.124 (Link net to firewall for public WiFi)
set routing-instances GuestWiFi routing-options static route 0.0.0.0/0 next-hop [IP of firewall interface]
There are more ways of doing it, like Filter Based Forwarding, but it all depends on the rest of the setup.
Original Message:
Sent: 11-03-2022 08:55
From: Will Bryant
Subject: Cisco ACL to Junos firewall filter
We are in the process of moving from Cisco to Juniper and need some help with ACLs. We have a Public WiFi network (192.168.66.0/23) that is on a separate VLAN and we do not want it to be able to communicate with or access any of our other VLANs. What is the best way to set up a firewall filter, or is there a better way to accomplish this? Thanks!
------------------------------
WILL
------------------------------
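Added example, not from either poster: a small first-match model of the BlockGuestToAll filter shown in the reply, used as a check that every internal VLAN subnet in an inventory is caught by a reject term before the final AllowInternetAccess term. The prefix lists and term order are copied from the posted configuration; the VLAN inventory (including the 203.0.113.0/24 "OldPublic" range) is constructed for the check, and the function names are my own.

```python
# Added example (not from the thread): model Junos first-match filter evaluation
# for the posted BlockGuestToAll filter and check VLAN coverage against it.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Prefix lists copied from the posted configuration.
PREFIX_LISTS: Dict[str, List[ipaddress.IPv4Network]] = {
    "RFC1918": [ipaddress.ip_network(p) for p in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "LocalPublicSubnets": [ipaddress.ip_network(p) for p in
                           ("5.6.7.0/24", "6.7.8.0/24")],
}

# Terms in the posted order: (term name, destination-prefix-list, action).
# A prefix list of None means "no from clause", matching everything, like
# the posted AllowInternetAccess term.
FILTER_TERMS: List[Tuple[str, Optional[str], str]] = [
    ("RFC1918", "RFC1918", "reject"),
    ("BlockLocalPublic", "LocalPublicSubnets", "reject"),
    ("AllowInternetAccess", None, "accept"),
]

# Constructed VLAN inventory for the check (addresses are illustrative).
VLAN_SUBNETS: Dict[str, str] = {
    "GuestWiFi": "192.168.66.0/23",   # the subnet from the original question
    "Servers": "10.10.0.0/16",
    "DMZ": "5.6.7.0/24",
    "OldPublic": "203.0.113.0/24",    # constructed: public range missing from LocalPublicSubnets
}


def matching_term(dst: str, terms=FILTER_TERMS, lists=PREFIX_LISTS) -> Tuple[str, str]:
    """Return (term, action) for the first term whose destination-prefix-list
    contains dst, mirroring Junos first-match evaluation."""
    addr = ipaddress.ip_address(dst)
    for name, plist, action in terms:
        if plist is None or any(addr in net for net in lists[plist]):
            return name, action
    # A Junos filter ends with an implicit discard if no term matches.
    return "implicit-discard", "discard"


def uncovered_subnets(vlan_subnets: Dict[str, str], terms=FILTER_TERMS,
                      lists=PREFIX_LISTS) -> List[str]:
    """Return the VLAN names whose whole subnet is not blocked by a reject or
    discard term before the catch-all accept, i.e. VLANs the guest network
    could still reach through this filter."""
    leaks: List[str] = []
    for vlan, cidr in vlan_subnets.items():
        net = ipaddress.ip_network(cidr)
        blocked = False
        for name, plist, action in terms:
            if plist is None:
                break  # reached the catch-all accept without being blocked
            if any(net.subnet_of(p) for p in lists[plist]):
                blocked = action in ("reject", "discard")
                break
        if not blocked:
            leaks.append(vlan)
    return leaks


if __name__ == "__main__":
    for dst in ("10.1.2.3", "5.6.7.8", "192.168.66.1", "8.8.8.8"):
        print(dst, "->", matching_term(dst))
    print("VLANs still reachable from guest:", uncovered_subnets(VLAN_SUBNETS))
```

Running this reports OldPublic as still reachable, which is the case the posted filter relies on you to get right: any VLAN using addresses outside RFC1918 must be listed in LocalPublicSubnets or it falls through to AllowInternetAccess. The same model also shows that the guest VLAN's own gateway address (192.168.66.1 here) is rejected by the RFC1918 term, so anything the switch itself must answer on that IRB, such as DHCP relay or a DNS forwarder, needs an explicit accept term placed before the reject terms.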