From: "L. Jason Godsey" <lannygodsey@yahoo.com>
To: Odhiambo Washington, freebsd-isp@freebsd.org
Date: Wed, 22 Mar 2006 05:24:09 -0800 (PST)
Subject: Re: walled garden concept
In-Reply-To: <20060217162927.GA23261@ns2.wananchi.com>

Starting in 1995, I have done this using private IPs. I assign the dial-in user a 10.1.x.x/16 IP. I have their gateway set to 10.1.1.1, which is a Linux/FreeBSD machine. The 10.1.1.1 also acts as a DNS server.

10.1.1.1 also runs squid in transparent proxy mode. Squid acts as a walled garden, only allowing access to hosts which we want non-paying users to see.

Most systems require the user to reconnect in order to escape the walled garden. My method simply changes the firewall rules: I insert a rule to simply NAT the 10.1.4.242 IP out to the net after payment. When RADIUS either gets a disconnect or an auth attempt on the same port, I clear that fw entry and the next user has to pay. After they pay, they get a public IP address and go about their business.

If you wanted, you could have your main router be FreeBSD/Linux and, when the user's account expires, wall them in real time w/ a firewall rule instead of setting a maximum session time. We elected to just kick them offline to avoid shoving all traffic through the Unix machines.

In order to hand out the 10.1.x.x IPs, you don't use the NAS IP pool; instead we just let RADIUS hand out static IPs from a database pool.

P.S. I prefer top posting.

--- Odhiambo Washington wrote:

> Does anyone know of any tutorials for setting up a "walled garden"?
> I work for an ISP and we'd like to allow a specific dialup account
> Free Access via our RADIUS, but we want to limit this user to access
> just three or so urls: Our customer
> {registration|renewal|webselfcare}
> interfaces only.
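The setup described in the post above, as an added example that is not the poster's own configuration: a pf ruleset for the 10.1.1.1 gateway (the post does not say which firewall was used; pf with a table is a substitute for its per-IP NAT rule) plus a small helper that adds or removes a dial-in user's IP on payment or RADIUS disconnect. The interface names, the table name `paid` and squid listening on 127.0.0.1:3128 in transparent mode are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): pf-based walled garden for the 10.1.1.1
# gateway. Unpaid 10.1.0.0/16 users reach only the transparent squid and the
# gateway's DNS; payment adds the user's IP to the <paid> table, which NATs it
# out unrestricted; a RADIUS disconnect or re-auth removes it again.
# Assumptions: pf on the gateway, the interface names below, squid on
# 127.0.0.1:3128 in transparent mode.
PFCTL=${PFCTL:-pfctl}     # overridable so the helpers can be exercised without pf
TABLE=paid

# Ruleset for /etc/pf.conf (printed by "walled-garden.sh pfconf").
pf_conf() {
cat <<'EOF'
ext_if = "fxp0"          # public side (assumed name)
int_if = "fxp1"          # dial-in side carrying 10.1.0.0/16 (assumed name)
dialup = "10.1.0.0/16"
table <paid> persist     # maintained at run time with pfctl -t paid -T add|delete
# paid users are NATed out to the net; nothing else leaves the private range
nat on $ext_if from <paid> to any -> ($ext_if)
# unpaid HTTP is steered into the transparent squid, which holds the allow-list
no rdr on $int_if inet proto tcp from <paid> to any port 80
rdr on $int_if inet proto tcp from $dialup to any port 80 -> 127.0.0.1 port 3128
# filter: last matching rule wins, so the block comes first
block in on $int_if from $dialup to any
pass in on $int_if proto tcp from $dialup to 127.0.0.1 port 3128
pass in on $int_if proto { tcp, udp } from $dialup to 10.1.1.1 port 53
pass in on $int_if from <paid> to any
EOF
}

# Accept only addresses from the dial-in pool, so a buggy billing hook
# cannot open the NAT for an arbitrary host.
pool_ip() {
  case "$1" in
    *[!0-9.]*) return 1 ;;
    10.1.*.*)  return 0 ;;
    *)         return 1 ;;
  esac
}

grant()   { pool_ip "$1" || return 2; $PFCTL -t "$TABLE" -T add    "$1"; }  # after payment
revoke()  { pool_ip "$1" || return 2; $PFCTL -t "$TABLE" -T delete "$1"; }  # RADIUS stop/re-auth
is_paid() { $PFCTL -t "$TABLE" -T test "$1" >/dev/null 2>&1; }

if [ $# -gt 0 ]; then
  case "$1" in
    pfconf) pf_conf ;;
    grant|revoke|is_paid) "$1" "$2" ;;
    *) echo "usage: $0 pfconf | grant IP | revoke IP | is_paid IP" >&2; exit 64 ;;
  esac
fi
```

The grant and revoke helpers are meant to be called from the billing system and the RADIUS accounting hook respectively; the ruleset itself never needs reloading because only the table contents change.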