Date:      Sat, 18 Feb 2006 16:15:38 +0000
From:      Brian Candler <B.Candler@pobox.com>
To:        Odhiambo Washington <wash@wananchi.com>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: walled garden concept
Message-ID:  <20060218161538.GA43836@uk.tiscali.com>
In-Reply-To: <20060217200318.GC10377@ns2.wananchi.com>
References:  <20060217162927.GA23261@ns2.wananchi.com> <d20e2c140602170907w11ff00dag@mail.gmail.com> <20060217200318.GC10377@ns2.wananchi.com>

On Fri, Feb 17, 2006 at 11:03:18PM +0300, Odhiambo Washington wrote:
> I am foreseeing a situation where I have a new 'customer' or one whose
> service expired. I want these two to be able to dialin to my NASes for
> free, but only get access to site1, site2 or site3. Everything else is
> blocked, until they dialin with the name they are paying for. I will
> give them a common userid/passwd pair for this purpose.
> 
> Now what I learnt was that the concept is called "walled garden".

A more sophisticated 'walled garden' will transparently redirect all web
accesses to your payment page. That is, if a user tries to go to
www.cnn.com, instead of just getting a blank screen followed after a few
minutes by a timeout, they immediately get a page of your choosing.

The typical way to implement this is with a FreeBSD box running as a router
which forwards port 80 to a squid cache, configured to serve the same page
regardless of the incoming URL.

In order to select which users are "inside the walled garden" and which have
full Internet access, you can create two IP address pools on your NAS, and
select (via RADIUS) which pool the user is assigned an address from. The
firewall rules match on the source IP address, so that one pool is
unfiltered, and the other pool has everything blocked except DNS (UDP port
53) to/from your DNS caches, and port 80 redirected to your squid.

For very large installations, you'd use L2TP from your NASes to your LNS,
and then either have separate pools on each LNS, or forward the L2TP session
to another LNS which is inside your walled garden.

HTH,

Brian.

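The two-pool setup Brian describes, worked through as an added example that is not part of his mail or of any FreeBSD project code: a generator for an ipfw ruleset (the mail does not name the firewall; pf would serve equally well) that leaves the paying pool unfiltered and restricts the garden pool to DNS against your own caches plus port 80 forwarded to squid, and a Squid redirector helper that answers every garden web request with an HTTP redirect to the payment page while passing through the few hosts the garden is meant to reach, so the payment page is never redirected to itself. All pools, resolver and squid addresses, host names and the portal URL are constructed placeholders, and the `redirect_program` directive and the `302:` helper output convention are assumed from Squid 2.x-era redirector documentation; check them against the Squid version you run.

```shell
#!/bin/sh
# Added example, not from the original mail: ipfw rules and a Squid
# redirector helper for the two-pool walled garden described above.
# Every address, port, host name and URL here is a constructed placeholder.

PAID_POOL="10.1.0.0/16"             # RADIUS pool for customers in good standing
GARDEN_POOL="10.2.0.0/16"           # RADIUS pool for new / expired customers
DNS_CACHES="10.0.0.53,10.0.0.54"    # your own caches: the only DNS the garden may reach
SQUID_IP="10.0.0.80"                # the squid box (may be the router itself)
SQUID_PORT="3128"
PAYMENT_URL="http://portal.example.net/pay"
# Hosts a garden user may still browse to (the portal itself plus site1..3)
ALLOWED_HOSTS="portal.example.net www.site1.example www.site2.example www.site3.example"

# Emit the ruleset as text so it can be reviewed or diffed before it is loaded.
# ipfw stops at the first matching rule, so the order below is the policy.
walled_garden_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
# paying pool: unfiltered in both directions
add 200 allow ip from ${PAID_POOL} to any
add 210 allow ip from any to ${PAID_POOL}
# garden pool: DNS, and only to/from our own caches
add 300 allow udp from ${GARDEN_POOL} to ${DNS_CACHES} 53
add 310 allow udp from ${DNS_CACHES} 53 to ${GARDEN_POOL}
# garden pool: every port-80 connection is handed to squid instead of its real
# destination; squid's replies return to the client with the original server
# address as source, so the established rule below lets them back in
add 400 fwd ${SQUID_IP},${SQUID_PORT} tcp from ${GARDEN_POOL} to any 80
add 410 allow tcp from any 80 to ${GARDEN_POOL} established
# garden pool: everything else is dropped
add 500 deny ip from ${GARDEN_POOL} to any
add 510 deny ip from any to ${GARDEN_POOL}
EOF
}

# Load the rules on the router (as root: sh thisfile.sh apply). Flushing drops
# every existing rule, so do this from the console, not over the network.
walled_garden_apply() {
    ipfw -q flush
    walled_garden_rules | grep -v '^#' | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        ipfw -q $rule
    done
}

# Host part of a URL: strip the scheme, then the path, then the port.
url_host() {
    h=${1#*://}
    h=${h%%/*}
    h=${h%%:*}
    printf '%s\n' "$h"
}

host_allowed() {
    for allowed in $ALLOWED_HOSTS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Squid redirector helper (assumed Squid 2.x-style redirect_program protocol):
# one request per line on stdin, "URL client_ip/fqdn ident method ...", and one
# line back per request: a blank line leaves the request untouched, a URL with
# a "302:" prefix makes squid answer with an HTTP redirect instead of fetching.
# Requests for the allowed hosts pass through unchanged, which also keeps the
# payment page from being redirected to itself; everything else lands on it.
garden_redirect() {
    while read -r url _client _ident _method _rest; do
        if host_allowed "$(url_host "$url")"; then
            echo ""
        else
            printf '302:%s\n' "$PAYMENT_URL"
        fi
    done
}

if [ "${1:-}" = "apply" ]; then
    walled_garden_apply
elif [ "${1:-}" = "redirect" ]; then
    garden_redirect
fi
```

Run with `apply` on the router to load the rules, and point squid's `redirect_program` at the same file with the `redirect` argument. Because the garden pool may only talk DNS to your own caches, a user who changes their resolver settings still gets nothing, and because the redirect is driven by the pool rather than by the login name, moving a customer between garden and full access is purely a RADIUS attribute change.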