Neighborhood scheme?
Good afternoon!
Could you please suggest the optimal scheme for the following tasks, and the pros and cons of mine?
What there is: a microdistrict with a lot of dumb access switches in it; let's say a 3750 for aggregation, then the link to the 6500. The shaper and NAT are attached to it, as well as users with white and gray IPs.
Needed: users with gray IPs go as expected along the path user > shaper > NAT > inet; white users go user > shaper > inet.
But I want to make it so that with a negative balance the user lands on a DNS where he is given a default page and an offer to pay the bill.
We thought about VRF: create a pair of VRFs, for white and gray users. But how do we make it go to the DNS first...
Well, then for non-paying users you can redirect port 53 to your own DNS.
You can move such users to a separate isolated VLAN, put a virtual machine there with the addresses of all the gateways, and redirect any requests on ports 80 and 443 to a page asking them to pay for the Internet.
How did you manage to bring up a shaper on the 6500 if it does not support shaping?
> but how to make it go to dns first...
On the 6500 we used UBRL for shaping at one time.
In general, the option with a separate VLAN is just right. Unless, of course, your subscribers sit behind "dumb" switches.
And then with a simple route-map we throw them onto the "Give me the dough" page.
Better to redirect the traffic. Apparently your main router is a separate server, which probably also plays the role of billing. Then you need to do the route-map on the server; in Linux this can be implemented via ip rule. In general, if there were a path router, one could consider options with L4 redirects, ordinary route-maps.
DNS is not a good option, because people do not necessarily use your DNS, and they may even have their own caching server inside the network. That is a bypass.
Because unmanaged switches are used, moving blocked clients to a separate VLAN will not work.
What remains is filtering at the Internet gateway.
Using FreeBSD and ipfw as an example, it looks something like this:
# table 1 = enabled (paid-up) clients; rules are evaluated in number order,
# so a client listed here is passed before the redirect rules are reached
ipfw add 5000 allow all from 'table(1)' to any
ipfw add 5000 allow all from any to 'table(1)'
# local port 81 = "no money" HTTP microserver; everyone else's port-80
# traffic arriving on the LAN side is forwarded to it, and its replies
# (source port 80, original destination kept) are let back out
lan_nic="em0"
ipfw add 5100 fwd 127.0.0.1,81 tcp from any to any 80 via "$lan_nic" in
ipfw add 5100 allow tcp from any 80 to any via "$lan_nic" out
# disable all remaining forwarding for blocked clients
ipfw add 9999 deny all from any to any
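The part this ruleset leaves to the operator is keeping table 1 in step with billing. Below is an added example (not from the answer above) of a sync script in Python that turns a billing export into the `ipfw table 1 add/delete` commands needed; the billing rows, the snapshot of `ipfw table 1 list` output and the rule "negative balance means blocked" are constructed assumptions taken from the question.

```python
"""Sync ipfw table 1 (allowed subscribers) with billing balances."""
import ipaddress
import subprocess

# Constructed billing export: (subscriber IP, balance). Per the question,
# a negative balance means the subscriber is blocked; zero is still allowed.
BILLING = [
    ("10.20.1.10", 150.0),    # gray (private) IP, paid
    ("10.20.1.11", -30.0),    # gray IP, in debt -> must leave table 1
    ("203.0.113.45", 0.0),    # white (public) IP, zero balance -> allowed
    ("203.0.113.46", -1.0),   # white IP, in debt -> stays out of table 1
    ("not-an-ip", 99.0),      # garbage row: must never become an ipfw command
]

# Constructed snapshot of `ipfw table 1 list` (entry and optional value).
CURRENT_TABLE = ["10.20.1.10/32 0", "10.20.1.11/32 0", "198.51.100.7/32 0"]


def enabled_subscribers(rows):
    """IPs that belong in table 1: valid address and balance >= 0."""
    allowed = set()
    for ip, balance in rows:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip malformed rows instead of emitting a broken rule
        if balance >= 0:
            allowed.add(str(addr))
    return allowed


def parse_table(lines):
    """Parse `ipfw table N list` output into a set of host addresses."""
    entries = set()
    for line in lines:
        if not line.strip():
            continue
        net = ipaddress.ip_network(line.split()[0], strict=False)
        entries.add(str(net.network_address))
    return entries


def plan_changes(rows, table_lines, table=1):
    """Commands that move the table to the billing state. Entries not known
    to billing at all are deleted too, so the allow-list fails closed."""
    want = enabled_subscribers(rows)
    have = parse_table(table_lines)
    cmds = [f"ipfw table {table} add {ip}" for ip in sorted(want - have)]
    cmds += [f"ipfw table {table} delete {ip}" for ip in sorted(have - want)]
    return cmds


def apply(cmds, dry_run=True):
    """Print the plan, or run it on the gateway when dry_run is False."""
    for cmd in cmds:
        print(cmd) if dry_run else subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    apply(plan_changes(BILLING, CURRENT_TABLE))
```

Run it from cron on the gateway with `dry_run=False` once the planned output looks right; the stale 198.51.100.7 entry in the snapshot shows why deleting unknown addresses matters.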