Cisco gurus: transparent firewall w/ redirection

S

scoob8000

2[H]4U
Joined
May 4, 2002
Messages
2,832
I'm currently doing this with a bridge interface and ebtables on a linux box. But we would like to replicate this using some old Cisco hardware we have laying around. (Thinking 2651)
Mind you I'm not really that knowledgeable with IOS, and I don't even know if this is possible.


I've got a transparent bridge (firewall) set up blocking specific traffic, but where the magic lies is that we redirect all web traffic to an outside website that displays a message stating that their service has been suspended and for them to call into the billing dept.


Basically it's a captive portal with no exit.


Hopefully that makes sense. This is a tool we use for soft-disconnecting users for nonpayment. They normally live in a vlan which is public internet. When we cut them off we move them to a vlan that sits behind this transparent firewall.
 
Well a router can VLAN so that could provide what you want through policy based routing. Thing is do you have access to the right IOS because these are features you need to have in the IOS.

For the rest I kind of have the idea you don't really firewall on the linux box rather redirect. for many basic firewalling you can just use ACL's not as flexible but for the larger stuff they get the job done.

But honestly sounds like you want alot of "complicated" features and not being strong with IOS might make this challenging to accomplish.
 
A router can VLAN? huh? You mean create sub-interfaces? PBR might have worked if you can base your policy to match a customer subnet that you own, but it doesn't sound like you want to do this as you say its based off specific traffic. If you are just looking for a solution to redirect traffic to a seperate destination then PBR is what you are looking for, but its going to be based upon a give set of values and NOT content(ex. user subnet, protocol, QoS values, etc).

What it sounds like you're wanting to do is content based switching, which isn't supported in IOS as there are separate devices for this purpose(ACE, CSS, CSM, etc).
 
Moving users from their normal VLAN to the "nonpay" VLAN isn't an issue. Everyone sitting behind this bridge has been suspended. (I'll see if I can make a quick diagram in a few)..

Currently I allow: DHCP, ICMP, and DNS. And redirect all http to a specific server.
Thats really the specifics of it.

I'm allowing ping and DNS so they can troubleshoot a little but, and DHCP to keep the transition from normal>nonpay>normal status smooth without making the user reboot or renew their ip. (FWIW, I could't get that to work with relay hence doing this all on a bridge)

From the little reading I was doing, I was thinking of setting up bridge group with a bvi. I think we could allow what we want but the redirection stumps us. Could WCCP be the answer?
 
Again, I think that you need to be far more clear with the requirements. If you are looking to simply forward ALL user traffic to a specific traffic filtering solution PBR or WCCP would get you that assuming that you control the interface that this user traffic will traverse(so you can place your policy or WCCP configuration there), which it sounds like you do.

If you are looking to send traffic to the same filtering solution based upon content then its most likely not an option, as you're looking for content switching.

you *may* be able to come up with a policy that leverages NBAR to match content strings in URL's and forwards based upon what you define, but this is no small task for someone just taking up IOS.
 
I think I'm just having a hard time explaining my application.. I know, it doesn't make sense because it's so specific to our business.

This change between two networks gets made manually. So the only time they are ever behind the bridge/router/whatever is when they are suspended.

Normal path:
Internet ---> soho router (customer)

During suspension:
Internet ---> filtering bridge ---> soho router (customer)

When connected like this the customer should be able to ping out, resolve DNS, and have their router keep it's (public) DHCP lease. But when they try to browse, we want to display a message explaining they have been cut off.


I hope that explains it better, otherwise I give up. :)
 
So basically, once a user violates your terms of service (or whatever the infraction is) you kick them into a walled garden.
 
Afaik it can't be done like that with Cisco. Basically, you have 3 options:
- give clients temp. ip and redirect all web traffic from there to portal (can be rfc1918)
- set up nat for every walled client ip (assuming you already have scripts that handle vlan assignement)
- get a proper solution like (b)ras ($$$)

Anyway, what's wrong with current setup?
 
x.sci said:
Afaik it can't be done like that with Cisco. Basically, you have 3 options:
- give clients temp. ip and redirect all web traffic from there to portal (can be rfc1918)
- set up nat for every walled client ip (assuming you already have scripts that handle vlan assignement)
- get a proper solution like (b)ras ($$$)

Anyway, what's wrong with current setup?
Click to expand...

Well basically this was a proof of concept I built with a old PC, couple of NIC's and iptables.

Their concern is using a PC for something like this. We've given up on going in the Cisco direction. I'm recommending an embedded (Think Alix or Wrap board) solution that I can continue with the linux based approach on.
 
You must log in or register to reply here.
Back
Top