www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 
captive portal for one vlan with Cisco router as a gateway

 
ZeroDriver
Joined: 15 Oct 2014
Posts: 5
Posted: Wed Oct 15, 2014 8:08 am    Post subject: captive portal for one vlan with Cisco router as a gateway

Hello,
I'd like to use Zeroshell in my environment and would like to ask if it is possible to connect it like in the picture below. I just need to control internet access by using a transparent proxy and/or captive portal on Zeroshell. I don't want to point the gateway on all computers to a Zeroshell server, because the machine on which it will be running needs to be restarted very often. I'm wondering whether it is possible to redirect all web traffic via the Zeroshell server on the Cisco router.

I can use Web Cache Communication Protocol but I'm looking for a simple solution.

gordonf
Joined: 26 Feb 2012
Posts: 88
Posted: Wed Oct 15, 2014 2:20 pm    Post subject: You might need to make ZS the gateway for VLAN 10

Do you already have an 802.1Q trunk between your 2960 switch and your ESXi host? If not, see if you can do that. This way you can put the ZS router on VLAN 1 and VLAN 10, and have it be the gateway for hosts in VLAN 10.

I have plenty of experience with that sort of networking. The ESXi host can have several virtual switches; one for each VLAN.

(I'll elaborate on this post later on.)
--
ZeroDriver
Joined: 15 Oct 2014
Posts: 5
Posted: Wed Oct 15, 2014 4:53 pm

Yes, I have an 802.1Q trunk and everything that is on the picture except the ZS router. But I don't want to change the gateway on any computer - it must be the Cisco router.
gordonf
Joined: 26 Feb 2012
Posts: 88
Posted: Thu Oct 16, 2014 11:31 pm

Sorry, but a ZS captive portal might not be feasible in this example without a lot of re-working.

So the idea is to insert the ZS between the VLAN 10 clients and the 1921 router and use it as a transparent proxy... were this a physical PC one would do that with a dual-NIC PC and insert it between your 2960 and the 1921 router, but with a separate cable, something like:

[Let's pretend the 1921 has a 4-port switch card in it for a moment]
Code:
[1921 fa2] ------ [ZS appliance PC] ------- [2960 VLAN 10]
[1921 fa3] ---------------------------------[2960 VLAN  1]


OK, so we don't have a spare PC we can use as an appliance, and we don't have a 4-port switch card in the 1921. But if we create another VLAN to put in between the 1921 and ZS we might be able to simulate it:

Code:
[1921 fa0.110 (VLAN 110)] -------- [ZS VM] ------- [2960 VLAN 10]
[1921 fa0       (VLAN 1)] ------------------------ [2960 VLAN  1]


I'm using a hypothetical VLAN 110 that only the 1921 and ZS would see. If you got the transparent part of ZS working normally, this should behave like a physical ZS appliance doing a bridge would. fa0.110 would replace fa0.10 but would otherwise have its IP configuration including DHCP.

Here's a more complete example:

Code:
[1921 fa0.110 (VLAN 110)] --- [2960 VLAN 110] --- [ESXi vSwitch 110] --- [ZS VM] --- [ESXi vSwitch 10] --- [2960 VLAN 10]
[1921 fa0       (VLAN 1)] -------------------------------------------------------------------------------- [2960 VLAN  1]



Now, I never got a ZS virtual machine on ESXi to transparently pass packets between its interfaces successfully. I wanted to try this approach once, but following the Bridging FAQ didn't produce the intended result. Maybe you'd have better luck.
ZeroDriver
Joined: 15 Oct 2014
Posts: 5
Posted: Fri Oct 17, 2014 9:10 am

Ok, thank you for these examples. Could I ask you to modify my diagram for the last example? I'm not sure how the traffic would go through ZS. Will it be necessary to connect ESXi with two physical cables to the 2960 switch?
gordonf
Joined: 26 Feb 2012
Posts: 88
Posted: Fri Oct 17, 2014 7:59 pm    Post subject: Physical vs logical cabling

I'll take a moment to draw something other than in ASCII art over this weekend, then update this reply with it.

If you had a Dot1Q trunk between the 2960 and ESXi host, you could do it with a single cable between the two, and three standard vSwitches; one for each VLAN. The ESXi host would do the Dot1Q tagging for you. If your ESXi host had multiple Ethernet jacks, you could do it with one physical cable per VLAN, and it might help to imagine it that way at first. It's a waste of good copper though, once you have Dot1Q mastered.

This post is unfinished; again, I'll come back with a drawing over the weekend.
--
ZeroDriver
Joined: 15 Oct 2014
Posts: 5
Posted: Thu Oct 23, 2014 10:28 pm

Thank you for your answer. I'm waiting for your update.
I'd like to use your suggestions in my environment.
gordonf
Joined: 26 Feb 2012
Posts: 88
Posted: Wed Nov 05, 2014 7:40 pm    Post subject: Been rather busy

So two weekends later and I haven't drawn anything yet. Sorry about that. Work is getting nuts.
--
ZeroDriver
Joined: 15 Oct 2014
Posts: 5
Posted: Mon Sep 14, 2015 1:14 pm

Can anybody help regarding this?
gordonf
Joined: 26 Feb 2012
Posts: 88
Posted: Thu Sep 17, 2015 6:03 pm

Let's see if this helps:



To force traffic from VLAN 10 through the ZS transparent proxy, the ZS router must be the default gateway for hosts on VLAN 10. This will mean either changing the gateway setting on the hosts, or changing the ZS VLAN 10 connection's IPv4 address to match the original gateway setting.

Next you make a virtual interface on your Cisco 1921. I don't remember the syntax, but the end result is you end up with an interface named 'fe0.110' for a hypothetical VLAN 110. Give this a unique IPv4 address, and change the default gateway setting on the ZS VM to use it.

This makes traffic from VLAN 10 pass through the ZS VM, get filtered, then directed out VLAN 110 to the 1921 router and out to the net. No one but the 1921 and ZS would see VLAN 110 as long as you don't assign any access switchports to it.

The VLAN 1 connection to the ZS VM is optional, it appears. You could keep it if you wanted to, I suppose, for administering the ZS installation.

(Has it really been ten months? Wow, I'm slow.)
--
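One way to wire up the VLAN 110 transit that gordonf describes, as an added configuration sketch that is not from the thread or from Zeroshell's documentation. It assumes the 1921's trunk toward the 2960 is GigabitEthernet0/0 (the posts call it fa0/fe0), that the 2960's uplinks to the router and to the ESXi host are GigabitEthernet0/1 and 0/2, and constructed addressing of 192.168.10.0/24 for VLAN 10 (gateway 192.168.10.1, now owned by the ZS VM) and 192.168.110.0/30 for VLAN 110.

```cisco
! ===== Cisco 1921 (assumed LAN trunk port: GigabitEthernet0/0) =====
! Constructed addressing: VLAN 10 = 192.168.10.0/24, VLAN 110 = 192.168.110.0/30
! The ZS VM holds 192.168.10.1 on its VLAN 10 interface (the old gateway
! address, so hosts keep their settings) and 192.168.110.2 on its VLAN 110
! interface, with 192.168.110.1 as its default gateway.
interface GigabitEthernet0/0.10
 ! former VLAN 10 gateway; shut it so the router stops answering on VLAN 10
 shutdown
!
interface GigabitEthernet0/0.110
 description transit to Zeroshell (only the 1921 and the ZS VM sit on VLAN 110)
 encapsulation dot1Q 110
 ip address 192.168.110.1 255.255.255.252
 no shutdown
!
! Return path: replies to VLAN 10 hosts must go back through the ZS VM.
! Without this route (or NAT on ZS) only the outbound direction would work.
ip route 192.168.10.0 255.255.255.0 192.168.110.2
!
! If the 1921 was the DHCP server for VLAN 10, that service now has to be
! served from the ZS VM (or relayed to it), since the router no longer
! answers on VLAN 10.
!
! ===== Cisco 2960 (assumed uplinks: Gi0/1 to the 1921, Gi0/2 to ESXi) =====
! VLAN 110 rides the trunks only; no access port is placed in it, so
! nothing but the router and the ZS VM can reach the transit segment.
vlan 110
 name ZS-TRANSIT
!
interface GigabitEthernet0/1
 description trunk to 1921
 switchport mode trunk
 switchport trunk allowed vlan 1,10,110
!
interface GigabitEthernet0/2
 description trunk to ESXi host (port groups tagged 1, 10 and 110 on the vSwitches)
 switchport mode trunk
 switchport trunk allowed vlan 1,10,110
```

To check the result, confirm on the 1921 with `show ip route` that 192.168.10.0/24 points at 192.168.110.2, and from a VLAN 10 host with a traceroute that the first hop is the ZS VM rather than the router.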
All times are GMT