Redirecting Traffic

Hello Guys,
Before going toward the wrong direction, I'd like to have some advices:

I in charge of a Wireless LAN at my university. The administration
wants that every day when a Wireless Client open his/her browser the
first time of the day, instead of going to where he/she wants to go, be
presented with a sponsored Welcome page and a button to continue to
where the browser intented to go in first place.


I know that a product like BBSM of Cisco can do the job. Except that
the one donated to us can't do its work because according to the
manufacturer my Network is not 100% Cisco based.
So, here I am trying to workaround.

My idea is to use Squid as a transparent proxy and keep a small
database (file based, or mysql, whatever fits the purpose). I don't
know if I have to modify Squid to push always the same page when the
client is the first time to attempt to browse, or Squid already has
provision for this kind of situation.
I don't know if there is another product, already customized for this
simple job. I don't know if I have to do it my self.

In any case, any comments could be very helpful,
Thanks a lot,
Andres

(E-Mail Removed) wrote:
> Hello Guys,
> Before going toward the wrong direction, I'd like to have some advices:
>
> I in charge of a Wireless LAN at my university. The administration
> wants that every day when a Wireless Client open his/her browser the
> first time of the day, instead of going to where he/she wants to go, be
> presented with a sponsored Welcome page and a button to continue to
> where the browser intented to go in first place.
>
>
> I know that a product like BBSM of Cisco can do the job. Except that
> the one donated to us can't do its work because according to the
> manufacturer my Network is not 100% Cisco based.
> So, here I am trying to workaround.
>
> My idea is to use Squid as a transparent proxy and keep a small
> database (file based, or mysql, whatever fits the purpose). I don't
> know if I have to modify Squid to push always the same page when the
> client is the first time to attempt to browse, or Squid already has
> provision for this kind of situation.
> I don't know if there is another product, already customized for this
> simple job. I don't know if I have to do it my self.
>
> In any case, any comments could be very helpful,
> Thanks a lot,
> Andres
>
I am aiming to do the same, havent found anything yet.

How will you know if it's a new client? By IP address, or by MAC? Are
there predefined clients, or can anyone come and connect?

My welcome page will be more account oriented and will identify clients
by their MAC address.

I have seen a coffee shop that does something like this, in town. Will
try to visit them today and see what they use... but I think it's a
custom java-based application, last time I asked. Sound stupid that it'd
be java..

Be sure to keep us posted if you find/write something...

Coenraad

On Wed, 26 Apr 2005 (E-Mail Removed) wrote:

> Hello Guys,

Well you can address the female network gurus among us as well ;-)
OK. Off topic, but I couldn't resist ... (still looking for one)

> Before going toward the wrong direction, I'd like to have some advices:
>
> I in charge of a Wireless LAN at my university. The administration
> wants that every day when a Wireless Client open his/her browser the
> first time of the day, instead of going to where he/she wants to go, be
> presented with a sponsored Welcome page and a button to continue to
> where the browser intented to go in first place.

Yep. Usual service selection gateway stuff.

> I know that a product like BBSM of Cisco can do the job. Except that
> the one donated to us can't do its work because according to the
> manufacturer my Network is not 100% Cisco based.
> So, here I am trying to workaround.

Did the experience two years ago. the couple BBSM+SSG was not stable at
that time altough I heard they improved a lot. Indeed, it worked well at
Cisco's networkers event : I guess they were 100% Cisco there ;-)

> My idea is to use Squid as a transparent proxy and keep a small
> database (file based, or mysql, whatever fits the purpose). I don't
> know if I have to modify Squid to push always the same page when the
> client is the first time to attempt to browse, or Squid already has
> provision for this kind of situation.
> I don't know if there is another product, already customized for this
> simple job. I don't know if I have to do it my self.

Redirection is quite a complex tasks... but is already implemented in
several linux-based devices (f.i. ADSL routers) so I guess you have a good
platform here.

My advice : study the iptables functionnality as well and parse the DHCP
server logs file to detect connections/disconnections from the network.

Basically, I would do like this :
1. allocate a private IP address via DHCP to your users.
2a. default rule in iptables is to intercept traffic from those IP and
redirect to a transparent proxy. Squid can do the work, but I guess using
the proxy module of Apache can be more flexible.
2b. default rule can also deny non-web traffic, but keep in mind DNS
packets should flow through in that case (otherwise, the client browser
will never send the HTTP request).
3. the rule in your proxy will be like this : for any request, rewrite the
request to a redirect page. This redirect page just redirects the client
browser to the login page. You can even keep track of the original URL.
4. once the customer logs in, insert a rule in the iptables to allow his
IP to surf the web without interception.
5. scan DHCP logs to detect when the customer logs off. When he does,
remove the rule from the iptables.

> In any case, any comments could be very helpful,
> Thanks a lot,
> Andres

Hope this helps.
If you succeed in setting it up, it would be interesting to write a little
howto and publish it on the web.

--
Jean-Francois "Jef" Stenuit

I have already a Radius Server controlling access to the Wireless Lan
based on Active Directory. So, yes, there are predefined clients.
I am using PEAP and MS-CHAP v2 for authentication.
The DHCP server gives 1 day lease IP addresses, so I can assume that 2
IP addresses in the same day will never belong to the same client.
I am going to look the idea of Jean-Francois and for sure I will give
feedback.

What about your visit to the coffee shop ? Did you find anything useful
?

Regards,
Andres

I am so sorry. Never again I will forget the ladies, you are so right.
I will take a look to the Apache module (proxy), I did not know about
it. And your idea of updating iptable dynamically sounds very nice to
me,
One thing concerns me though, would a very high number of entries in
the iptable will have an effect on performance on the box ? I've seen
checkpoint (NG) slow down traffic when too many policies were
configured (to be honest to true, I saw it one, and it was related to
the use of domains, and groups, maybe it was related to dns issue, but
I did not think about it at that moment, I just simplify the policies
and everything went back to normal).


And, DHCP logs will tell you when the lease expire or when it was
renew, but it will not reflect a client that just left the network, Is
that right ?

Thanks a lot, and be sure I will post my findings,

Regards,
Andres

On Fri, 28 Apr 2005, andres wrote:

> One thing concerns me though, would a very high number of entries in
> the iptable will have an effect on performance on the box ? I've seen
> checkpoint (NG) slow down traffic when too many policies were
> configured (to be honest to true, I saw it one, and it was related to
> the use of domains, and groups, maybe it was related to dns issue, but
> I did not think about it at that moment, I just simplify the policies
> and everything went back to normal).

The nice thing about linux iptables is that you can chain them. I.e. you
can create a chain to handle one particular /24 and make all your
allow/denies in that chain : this will be only one check in the list if
the source IP is in another range.

That's the reason why we moved from CheckPoint to Linux native iptables a
long time ago with my former employer. Where Checkpoint has a linear
rule list, iptables can give you a "tree of rules", which is much more
efficient.

> And, DHCP logs will tell you when the lease expire or when it was
> renew, but it will not reflect a client that just left the network, Is
> that right ?

You're right. I think the only workaround is to use a small brower window
on the customer screen that keep the line open. As soon as this little
window is closed, you can consider the customer disconnected.

That was the "standard" way of working one year ago. Now I guess the
modern access points have 802.1x authentication and should be able to
detect when a customer goes off-line, but my experience in that field is
nihil.

--
Jean-Francois "Jef" Stenuit

I just found that squid has already a prevision for this kind of thing.
You can define your own redirection program inside squid.conf. Squid
will call you when ever a client request an Http page.
The idea is very simple: squid sends the program a line wiht 4
arguments, the requested http, the source IP (client), the method
(GET,CONNECT) and an ident field...which I don't understand yet.
the redirect program takes that arguments from stdin and its output is
written in stdout (with the redirected page). Squid takes the output
and sends it to the client.

Keep you posted with more news.
Thanks

Ok, I just did, and as I promised here are the results: (I havent put
it to real life test but at least it works at home





#!/usr/bin/perl -T -w
#

use File::Basename;
use URI::URL;
use DB_File;
$| = 1;
$welcometime=60; #after 60 seconds I give you a welcome back
#of course this is testing only :-)
while (<>) {

my ($url, $addr, $fqdn, $ident, $method) = m\S*) (\S*)/(\S*)
(\S*) (\S
*):;
$url = url ($url);
if ( $url->scheme eq "http") { #I only do redirection for
http.
#I don't know why
it gives me errors
#with https (can't
locate object 'host' kind of errors')

tie my %db, 'DB_File','/tmp/httpaccess.db' or die $!;

if ($lastseen=$db{$addr}) {
if (time-$lastseen>$welcometime) {
$db{$addr}=(time); #Start counting time again
untie %db;
$url->host('192.168.0.102'); #Redirection page
$url->path('');
}

-------------------

That is the program I have as redirect_program for squid.

192.168.0.102 is a local web server where I have the Welcome/marketing
page.

I am using DB as the database for keeping IP,time that squid processes.
In the test if you were presented the Welcome page more than 60 seconds
ago, then you will be presented again with it. If you are not in the
database then you are presented the welcome page and your record
IP,time is created for next time.

Now I need to see how this will perform in a real life scenario with
more than 100 browsers.

Ok, I just did, and as I promised here are the results: (I havent put
it to real life test but at least it works at home





#!/usr/bin/perl -T -w
#

use File::Basename;
use URI::URL;
use DB_File;
$| = 1;
$welcometime=60; #after 60 seconds I give you a welcome back
#of course this is testing only :-)
while (<>) {

my ($url, $addr, $fqdn, $ident, $method) = m\S*) (\S*)/(\S*)
(\S*) (\S
*):;
$url = url ($url);
if ( $url->scheme eq "http") { #I only do redirection for
http.
#I don't know why
it gives me errors
#with https (can't
locate object 'host' kind of errors')

tie my %db, 'DB_File','/tmp/httpaccess.db' or die $!;

if ($lastseen=$db{$addr}) {
if (time-$lastseen>$welcometime) {
$db{$addr}=(time); #Start counting time again
untie %db;
$url->host('192.168.0.102'); #Redirection page
$url->path('');
}

-------------------

That is the program I have as redirect_program for squid.

192.168.0.102 is a local web server where I have the Welcome/marketing
page.

I am using DB as the database for keeping IP,time that squid processes.
In the test if you were presented the Welcome page more than 60 seconds
ago, then you will be presented again with it. If you are not in the
database then you are presented the welcome page and your record
IP,time is created for next time.

Now I need to see how this will perform in a real life scenario with
more than 100 browsers.