From owner-freebsd-isp@FreeBSD.ORG Sat Feb 18 16:15:45 2006
Date: Sat, 18 Feb 2006 16:15:38 +0000
From: Brian Candler
To: Odhiambo Washington
Cc: freebsd-isp@freebsd.org
Subject: Re: walled garden concept
Message-ID: <20060218161538.GA43836@uk.tiscali.com>
In-Reply-To: <20060217200318.GC10377@ns2.wananchi.com>
References: <20060217162927.GA23261@ns2.wananchi.com> <20060217200318.GC10377@ns2.wananchi.com>
List-Id: Internet Services Providers

On Fri, Feb 17, 2006 at 11:03:18PM +0300, Odhiambo Washington wrote:
> I am foreseeing a situation where I have a new 'customer' or one whose
> service expired. I want these two to be able to dial in to my NASes for
> free, but only get access to site1, site2 or site3. Everything else is
> blocked, until they dial in with the name they are paying for. I will
> give them a common userid/passwd pair for this purpose.
>
> Now what I learnt was that the concept is called "walled garden".

A more sophisticated 'walled garden' will transparently redirect all web
accesses to your payment page. That is, if a user tries to go to
www.cnn.com, instead of just getting a blank screen followed after a few
minutes by a timeout, they immediately get a page of your choosing.

The typical way to implement this is with a FreeBSD box running as a
router which forwards port 80 to a squid cache, configured to serve the
same page regardless of the incoming URL.

In order to select which users are "inside the walled garden" and which
have full Internet access, you can create two IP address pools on your
NAS, and select (via RADIUS) which pool the user is assigned an address
from. The firewall rules match on the source IP address, so that one
pool is unfiltered, and the other pool has everything blocked except DNS
(UDP port 53) to/from your DNS caches, and port 80 redirected to your
squid.

For very large installations, you'd use L2TP from your NASes to your
LNS, and then either have separate pools on each LNS, or forward the
L2TP session to another LNS which is inside your walled garden.

HTH,

Brian.
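The two-pool design above, written out as an added example; this is not code from the original post or from Brian Candler. It is a POSIX sh script for the FreeBSD router that emits the ipfw rules for both pools (paying pool unfiltered; garden pool allowed only UDP/53 to the operator's own caches, with port 80 handed to a local squid and everything else dropped) and that doubles as the squid redirector which sends every intercepted request to the payment page. All addresses, pool ranges and the portal URL are constructed placeholders, and the redirector assumes squid's classic line-oriented redirector protocol (redirect_program in Squid 2.x, url_rewrite_program in Squid 3.x).

```shell
#!/bin/sh
# Walled garden for a FreeBSD dial-in router: one RADIUS pool is unfiltered,
# the other may reach only our DNS caches and has port 80 handed to a local
# squid. Added example, not code from the original post. Addresses, pools and
# the portal URL are constructed placeholders (assumptions), not values from it.

IPFW="${IPFW:-/sbin/ipfw}"            # set IPFW=echo for a dry run

OPEN_POOL="10.20.0.0/16"              # RADIUS pool: paying accounts (constructed)
GARDEN_POOL="10.10.0.0/16"            # RADIUS pool: new/expired accounts (constructed)
DNS_CACHES="192.0.2.53 192.0.2.54"    # our own recursive resolvers (constructed)
PORTAL_HOST="192.0.2.80"              # web server holding the payment page (constructed)
PORTAL_URL="http://192.0.2.80/pay/"   # where garden users are sent (constructed)
SQUID="127.0.0.1,3128"                # squid on the router itself: ipfw fwd needs a local target

RULE_NO=1000

# Print one numbered ipfw rule. ipfw evaluates rules in ascending order and
# stops at the first match, so the numbering below is the policy.
rule() {
    printf 'add %d %s\n' "$RULE_NO" "$*"
    RULE_NO=$((RULE_NO + 10))
}

# Emit the rule set for both pools (rules 1000-1999; the rest of the router's
# own policy is assumed to live elsewhere in the ruleset).
walled_garden_rules() {
    RULE_NO=1000
    rule allow ip from any to any via lo0                # squid listens on loopback
    # Paying pool: nothing is filtered, in either direction.
    rule allow ip from "$OPEN_POOL" to any
    rule allow ip from any to "$OPEN_POOL"
    # Garden pool: DNS only, and only to/from our own caches (UDP port 53).
    for dns in $DNS_CACHES; do
        rule allow udp from "$GARDEN_POOL" to "$dns" 53
        rule allow udp from "$dns" 53 to "$GARDEN_POOL"
    done
    # The payment page itself must be reachable directly, so it goes before
    # the interception rule.
    rule allow tcp from "$GARDEN_POOL" to "$PORTAL_HOST" 80
    rule allow tcp from "$PORTAL_HOST" 80 to "$GARDEN_POOL"
    # Every other web connection is diverted to the local squid.
    rule fwd "$SQUID" tcp from "$GARDEN_POOL" to any 80 in
    rule allow tcp from any 80 to "$GARDEN_POOL"         # squid's replies to the client
    # Everything else from or to the garden pool is dropped.
    rule deny ip from "$GARDEN_POOL" to any
    rule deny ip from any to "$GARDEN_POOL"
}

# Load the rules into the running firewall (one ipfw invocation per rule).
apply_rules() {
    walled_garden_rules | while read -r line; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPFW -q $line
    done
}

# Squid redirector: squid writes one request per line
# ("URL client_ip/fqdn ident method ...") and reads back either the URL
# unchanged or "302:<url>" to make the client fetch the payment page instead.
# Requests for the portal itself pass through; everything else is redirected,
# whatever the user originally asked for.
garden_redirect() {
    while read -r url rest; do
        case "$url" in
            "http://$PORTAL_HOST"/*|"http://$PORTAL_HOST") printf '%s\n' "$url" ;;
            *) printf '302:%s\n' "$PORTAL_URL" ;;
        esac
    done
}

case "${1:-}" in
    apply)    apply_rules ;;          # run on the router as root
    redirect) garden_redirect ;;      # named as squid's redirector program
    *)        walled_garden_rules ;;  # default: print the rules (dry run)
esac
```

The fwd rule needs a kernel built with `options IPFIREWALL_FORWARD`, and squid must accept intercepted connections on port 3128 (`http_port 3128 transparent` on Squid 2.6 and later, the `httpd_accel_*` directives on 2.5). Which pool a dial-in gets is decided on the NAS from the RADIUS reply (for instance the RFC 2869 Framed-Pool attribute, where the NAS supports it), so the rules never need to know about individual users, only about the two address ranges.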