fabricioviana
just joined
Topic Author
Posts: 16
Joined: Fri May 25, 2007 6:37 am

Packet Mark to bypass Hotspot

Fri Oct 14, 2011 10:30 pm

Hello. Need some help!

After doing a lot of searches I did not find a solution for this question:

The scenario:

USER <--> RB 1 <--> RB 2 <--> INTERNET

RB1 = PPPoE server with Radius
RB2 = HotSpot

Is it possible to MARK packets from USER on RB1 and have these marked packets bypassed in RB2's HotSpot?

In other words: Can I add some firewall rules on RB2 to bypass some users that come from the other RB? I cannot use IP BINDINGS in this case because only RB1 is a Radius NAS, not RB2.

Thanks very much
Fabricio
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Packet Mark to bypass Hotspot

Fri Oct 14, 2011 10:49 pm

Not directly. Here are some thoughts.

Normal marks (connection marks or packet marks) aren't transmitted on the wire, so they are lost when a packet leaves the router that applied them. You can use DSCP to apply marks in the packet header that do go on the wire, but the Hotspot doesn't have any hooks that allow you to accept packets with certain DSCP marks (or even packets with certain connection or packet marks, with which you could remark based on DSCP in prerouting) - it can only allow stuff based on MAC addresses, IP addresses, protocols, and ports.

So the only way to signal something is to use IP addresses. You can't change the destination IP address because that'd change where the packets go, which isn't what you want. So all that's left is the source IP address. The source IP address is changed in postrouting, and the packet would be dropped in forward.

The only way I can think of is making a loopback interface on RB1 and source NATing only the traffic that is to be bypassed to that loopback IP. Then use the walled garden IP function on RB2 to unconditionally accept all traffic from that loopback IP.

That said, the best solution would be to buy a third router and connect RB1 and RB2 to RB3, and connect RB3 to the Internet. That would be clean. There no longer would be a Hotspot between RB1 and the Internet, and you wouldn't have to come up with some convoluted, complicated, ugly ass hack. It'll break less, and be easier to support. Alternatively use VLANs or two connections between RB1 and RB2, and run the Hotspot only on the interface that connects the users that should go through the Hotspot, and leave the other interface alone. Same result - clean solution, not an ugly hack.
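The loopback-plus-walled-garden workaround from the reply above, written out as RouterOS CLI. This is an added example, not configuration from the post or from MikroTik documentation. It assumes: the "loopback" on RB1 is an empty bridge (the usual RouterOS way to get an always-up interface), the exempt PPPoE users are collected in an address list named hotspot-bypass (filled by hand here, though a RADIUS-assigned address list would do the same job), RB1 reaches RB2 over ether1-to-rb2, and all IP addresses (10.255.255.1, 172.16.10.0/24, 192.168.1.2) are constructed placeholders.

```routeros
# ---------- RB1 (PPPoE server) ----------
# Loopback: a bridge with no ports is always up and can carry a /32
/interface bridge add name=lo-bypass protocol-mode=none comment="loopback for hotspot bypass (assumed name)"
/ip address add address=10.255.255.1/32 interface=lo-bypass comment="bypass source IP (constructed address)"

# Which PPPoE users are exempt from RB2's Hotspot (constructed pool; could be RADIUS-assigned)
/ip firewall address-list add list=hotspot-bypass address=172.16.10.0/24 comment="PPPoE users to exempt"

# Rewrite only the exempt users' source to the loopback IP on the way to RB2.
# srcnat is first-match, so this rule must sit ABOVE any general masquerade rule.
/ip firewall nat add chain=srcnat src-address-list=hotspot-bypass out-interface=ether1-to-rb2 \
    action=src-nat to-addresses=10.255.255.1 comment="exempt users -> loopback IP (hotspot bypass)"

# Check: counters on this rule should rise when an exempt user sends traffic
/ip firewall nat print stats where comment~"hotspot bypass"

# ---------- RB2 (Hotspot) ----------
# Return path: RB2 must know 10.255.255.1 lives behind RB1 (192.168.1.2 = RB1's address toward RB2, constructed)
/ip route add dst-address=10.255.255.1/32 gateway=192.168.1.2 comment="route back to RB1 loopback"

# Walled garden IP rule: accept everything from the loopback IP without a Hotspot login
/ip hotspot walled-garden ip add src-address=10.255.255.1 action=accept comment="bypass for RB1 exempt users"

# Check: the entry is present and not disabled
/ip hotspot walled-garden ip print where src-address=10.255.255.1
```

Two things to keep in mind with this hack: RB2 only ever sees 10.255.255.1, so any per-user accounting or logging on RB2 collapses into one identity and attribution has to come from RB1's NAT and RADIUS records; and because the walled-garden entry accepts on source address alone, anything on RB1 that can get its source rewritten to the loopback IP gets the bypass, so the address list on RB1 is the only real access control and should be kept tight.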
 
fabricioviana
just joined
Topic Author
Posts: 16
Joined: Fri May 25, 2007 6:37 am

Re: Packet Mark to bypass Hotspot

Mon Oct 17, 2011 10:09 am

Thanks Fewi! I'll try to make it work here!!

Regards

Fabricio
