Saturday, March 15, 2008

Setup Load Balanced PPPoE Servers with OSPF

This tutorial shows how to set up several PPPoE servers on the same LAN as a load-balanced pool, with all servers connected to the same router.

Content
-----------

1. Introduction: purpose of the project
2. The simplest setup for a PPPoE Server
3. Network Topology for Load Balanced PPPoE Servers
4. Technologies we used
5. Setting up the Router
6. Setup the PPPoE servers
7. Setup Radius and MySQL
8. Setup Router and PPPoE servers to work with OSPF
9. Firewalls and Traffic Shaping
10. Testing


1. Introduction: purpose of the project
----------------------------------------------------

On medium or large networks an easy way to offer Internet access to private users or to companies is to use PPPoE servers. Customers authenticate with a username and a password, log in to a PPPoE server and get an Internet connection.

PPPoE stands for Point-to-Point Protocol over Ethernet (RFC 2516). It can be used to authenticate the users of your own ISP over ADSL or cable modem infrastructure, or directly on Ethernet, so it is also possible to offer Internet access to users on a local Ethernet network with PPPoE.


2. The simplest setup for a PPPoE server
--------------------------------------------------------
To learn how to set up a PPPoE server, read the Setup a PPPoE Server with MPD tutorial. There you will find the basics of setting up a PPPoE server.


 

3. Network Topology for Load Balanced PPPoE Servers
--------------------------------------------------------------------------

The previous example works for a small network, but it has no firewall and no traffic shaping. It is useful for understanding how to set up a FreeBSD PPPoE server. From this section on, a real-world example is presented, with complete configuration files.

The next picture shows a network topology for a small or medium size ISP that uses PPPoE servers for its customers:

[Figure: ISP network topology with FreeBSD PPPoE servers and load balancing]

This is only an example; in a real-world setup the topology may be more or less complex.


4. Technologies we used
----------------------------------
- Operating System: FreeBSD 6.x (on the Router and on the PPPoE Servers)
- Firewall and traffic shaper on the Router: OpenBSD's PF (packet filter)
- Firewall and traffic shaper on the PPPoE Servers: IPFW
- MPD for the PPPoE Servers - mpd-4.3
- OSPF routing protocol (with quagga) - quagga-0.99.8_2
- radius server - freeradius-1.1.4_1
- all users from the LAN are assigned public IPs, routed to the Router's public IP. We also have a small public subnet used for the Router and the PPPoE servers

The purpose of this setup is to assign public IPs to LAN computers and to load balance the PPPoE servers. If you do not have public IPs for every user, you do not need OSPF: just assign a private subnet to every PPPoE server and it will work.

The load balancing comes from PPPoE discovery itself: every server that sees a client's PADI broadcast answers with a PADO, and the client takes the first offer it receives, so clients are spread across the pool roughly evenly. If you reboot one server, all users connected to it are disconnected and reconnect to another server from the pool. Because a user can land on any server, the server that terminates the session must tell the router where that user's IP now lives; that is what OSPF is for in this setup.

 

[Figure: PPPoE server pool, load balancing on FreeBSD]




The picture in section 3 shows the full topology. For this tutorial we use a simplified version of it, with the following addresses:

Router
---------

Public IP of router (fxp0): 80.10.10.2 gateway 80.10.10.1 netmask 255.255.255.0 (this is the line that comes from our ISP)
Public IP 2 of router (fxp1): 80.80.0.1 netmask 255.255.255.224 (this is connected to PPPoE servers)
Hostname: router.example.com

PPPoE Server 1
---------------------
Public IP (fxp0) 80.80.0.2 netmask 255.255.255.224 (this interface is connected to the Router and the other PPPoE servers)
No IP for LAN interface (fxp1)

PPPoE Server 2
---------------------
Public IP (fxp0) 80.80.0.3 netmask 255.255.255.224 (this interface is connected to the Router and the other PPPoE servers)
No IP for LAN interface (fxp1)

PPPoE Server 3
---------------------
Public IP (fxp0) 80.80.0.4 netmask 255.255.255.224 (this interface is connected to the Router and the other PPPoE servers)
No IP for LAN interface (fxp1)

Radius and MySQL server
---------------------
Public IP 80.80.0.5 netmask 255.255.255.224 (on the same subnet as the PPPoE servers; this is the address used in mpd.conf)


5. Setting up the Router
--------------------------------

The configuration files for the Router follow.

# ----------- rc.conf file ----------------------
defaultrouter="80.10.10.1"
gateway_enable="YES"
hostname="router.example.com"
ifconfig_fxp0="inet 80.10.10.2  netmask 255.255.255.0"
ifconfig_fxp1="inet 80.80.0.1  netmask 255.255.255.224"
sshd_enable="YES"
usbd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
# -----------------end rc.conf------------------
 


# ------------- pf.conf file --------------------
ext_if="fxp0"
int_if="fxp1"
# the router only forwards between the ISP uplink and the PPPoE servers;
# filtering and shaping are done on the PPPoE servers (section 9)
pass quick all
# ----------------end pf.conf------------------

6. Setup the PPPoE servers
-------------------------------------

We show the configuration files for PPPoE 1. Configure the other PPPoE servers the same way, changing only the server's IP address according to the diagram (or, of course, to your own setup).

# ----------- rc.conf file PPPoE 1 ----------------------
defaultrouter="80.80.0.1"
gateway_enable="YES"
hostname="pppoe1.example.com"
ifconfig_fxp0="inet 80.80.0.2  netmask 255.255.255.224"
# the LAN side carries only PPPoE frames, so it needs no IP address
ifconfig_fxp1="up"
sshd_enable="YES"
usbd_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
# start mpd at boot (rc variable of the mpd4 port)
mpd4_enable="YES"
quagga_enable="YES"
quagga_flags="-d"
quagga_daemons="zebra ospfd"
watchquagga_enable="YES"

# -----------------end rc.conf------------------
 

# -------------- mpd.conf file -----------------

default:
 log auth iface

# one bundle per simultaneous session; add s4, s5, ... (and links) for more users
 load s0
 load s1
 load s2
 load s3


s0:
 new -i ng0 s0 ppplink0
 load generic

s1:
 new -i ng1 s1 ppplink1
 load generic

s2:
 new -i ng2 s2 ppplink2
 load generic

s3:
 new -i ng3 s3 ppplink3
 load generic


generic:
    set iface enable proxy-arp
    set pppoe iface fxp1
    set iface idle 0
    set iface mtu 1462
    set iface enable tcpmssfix
    set link accmap 0
# PAP sends the password in clear text over the PPP link; CHAP / MS-CHAPv2 is preferred
    set link enable pap
    set link enable chap
    set link accept chap-msv2
    set link max-redial -1
    set link keep-alive 10 80
    set link no acfcomp
    set link no protocomp
    set ipcp no vjcomp
    set ipcp dns 80.20.0.1 80.20.0.2
    set bundle enable noretry
    set bundle enable multilink
    set auth max-logins 1
# the two lines below are PPTP options and have no effect on a PPPoE link
#    set pptp disable windowing
#    set pptp enable always-ack
# scripts run when a user's interface comes up / goes down (not shown in this tutorial)
    set iface up-script /usr/local/etc/mpd4/addclient.sh
    set iface down-script /usr/local/etc/mpd4/removeclient.sh
    set auth enable radius-auth
    set auth enable radius-acct
# the shared secret must match this server's entry in clients.conf on the radius server;
# use a long random value, it is the only thing that authenticates the NAS
    set radius server 80.80.0.5 secret_password
    set radius timeout 7
    set radius retries 5


# ---------------- end mpd.conf file ----------

# --------------- mpd.links file ----------------
# one link per bundle in mpd.conf; service "*" answers any Service-Name a client asks for

ppplink0:
 set link type pppoe
 set pppoe iface fxp1
 set pppoe service "*"
 set pppoe enable incoming

ppplink1:
 set link type pppoe
 set pppoe iface fxp1
 set pppoe service "*"
 set pppoe enable incoming

ppplink2:
 set link type pppoe
 set pppoe iface fxp1
 set pppoe service "*"
 set pppoe enable incoming

ppplink3:
 set link type pppoe
 set pppoe iface fxp1
 set pppoe service "*"
 set pppoe enable incoming

# --------------end mpd.links file -------------
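The discovery phase that produces the load balancing described in section 4, as an added example that is not part of the original tutorial or of mpd: a client broadcasts a PADI, every access concentrator (every PPPoE server) answers with a PADO, the client sends a PADR to the first offer it received and gets back a PADS carrying the session id (RFC 2516). The Python below models that exchange in memory; the header layout and tag numbers are the RFC's, while the server names, the rotation that models which server answers first, and the HMAC-based AC-Cookie are assumptions of the example. The cookie is what lets a server stay stateless until a PADR arrives, so a flood of PADIs cannot fill its session table.

```python
"""PPPoE discovery (RFC 2516) between one client and several access
concentrators, modelled in memory: no frames are sent on the wire."""
import hashlib
import hmac
import os
import struct

# RFC 2516 discovery constants
PPPOE_VER_TYPE = 0x11                      # version 1, type 1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104


def build(code, session, tags):
    """Serialize a discovery payload: 6-byte header, then TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session, len(body)) + body


def parse(frame):
    """Return (code, session, [(tag, value), ...]); reject malformed frames."""
    if len(frame) < 6:
        raise ValueError("short frame")
    vt, code, session, length = struct.unpack("!BBHH", frame[:6])
    if vt != PPPOE_VER_TYPE or len(frame) < 6 + length:
        raise ValueError("bad PPPoE header")
    tags, off, end = [], 6, 6 + length
    while off + 4 <= end:
        t, l = struct.unpack("!HH", frame[off:off + 4])
        if off + 4 + l > end:
            raise ValueError("truncated tag")
        tags.append((t, frame[off + 4:off + 4 + l]))
        off += 4 + l
    return code, session, tags


class AccessConcentrator:
    """One PPPoE server. service="*" mirrors 'set pppoe service "*"' in mpd.links."""

    def __init__(self, name, service="*"):
        self.name = name.encode()
        self.service = service
        self.secret = os.urandom(16)       # per-server key for the AC-Cookie (assumed design)
        self.next_session = 1
        self.sessions = {}

    def _cookie(self, host_uniq):
        # stateless proof that this server offered this client a session
        return hmac.new(self.secret, host_uniq, hashlib.sha256).digest()[:8]

    def on_padi(self, frame):
        code, _, tags = parse(frame)
        tags = dict(tags)
        if code != PADI:
            return None
        wanted = tags.get(TAG_SERVICE_NAME, b"")
        if self.service != "*" and wanted not in (b"", self.service.encode()):
            return None                    # not our service: stay silent
        host_uniq = tags.get(TAG_HOST_UNIQ, b"")
        return build(PADO, 0, [(TAG_AC_NAME, self.name), (TAG_SERVICE_NAME, wanted),
                               (TAG_HOST_UNIQ, host_uniq),
                               (TAG_AC_COOKIE, self._cookie(host_uniq))])

    def on_padr(self, frame):
        code, _, tags = parse(frame)
        tags = dict(tags)
        host_uniq = tags.get(TAG_HOST_UNIQ, b"")
        if code != PADR or not hmac.compare_digest(
                tags.get(TAG_AC_COOKIE, b""), self._cookie(host_uniq)):
            return None                    # forged or replayed PADR: no session allocated
        sid, self.next_session = self.next_session, self.next_session + 1
        self.sessions[sid] = host_uniq
        return build(PADS, sid, [(TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b"")),
                                 (TAG_HOST_UNIQ, host_uniq)])


def discover(host_uniq, acs):
    """Client side: PADI to all, PADR to the first PADO, return (server name, session id)."""
    padi = build(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])
    offers = [(ac, ac.on_padi(padi)) for ac in acs]       # acs is in order of reply arrival
    offers = [(ac, o) for ac, o in offers if o is not None]
    if not offers:
        return None
    ac, pado = offers[0]
    tags = dict(parse(pado)[2])
    padr = build(PADR, 0, [(TAG_SERVICE_NAME, tags[TAG_SERVICE_NAME]),
                           (TAG_HOST_UNIQ, host_uniq), (TAG_AC_COOKIE, tags[TAG_AC_COOKIE])])
    pads = ac.on_padr(padr)
    if pads is None:
        return None
    return tags[TAG_AC_NAME].decode(), parse(pads)[1]


def distribute(n_clients, acs):
    """Count sessions per server; the reply order is rotated to model varying latency."""
    counts = {ac.name.decode(): 0 for ac in acs}
    for i in range(n_clients):
        k = i % len(acs)
        name, _ = discover(struct.pack("!I", i), acs[k:] + acs[:k])
        counts[name] += 1
    return counts


if __name__ == "__main__":
    pool = [AccessConcentrator("pppoe%d" % n) for n in (1, 2, 3)]
    print(distribute(9, pool))          # {'pppoe1': 3, 'pppoe2': 3, 'pppoe3': 3}
```

Note that nothing in discovery authenticates the server: a rogue PPPoE server on the same LAN answers PADIs like any other and, if its PADO arrives first, wins the client. This is why the LAN interface of the servers must not be bridged to anything the customers can plug a server into.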

7. Setup Radius and MySQL
------------------------------------

The radius server (80.80.0.5 in mpd.conf) must know each PPPoE server as a NAS. The secret is the only thing that authenticates a NAS to the radius server, so use a long random value per NAS rather than one placeholder everywhere, and keep it identical to the one in that server's mpd.conf.

# ------------------- /usr/local/etc/raddb/clients.conf ----------

client 80.80.0.2 {
        secret          = secret_password
        shortname       = pppoe1
        nastype         = other
}

client 80.80.0.3 {
        secret          = secret_password
        shortname       = pppoe2
        nastype         = other
}

client 80.80.0.4 {
        secret          = secret_password
        shortname       = pppoe3
        nastype         = other
}

# ------------------- end clients.conf ---------------------------

Edit the following in /usr/local/etc/raddb/sql.conf:

        # Connect info
        server = "localhost"
        login = "raduser"
        password = "password"

        # Database table configuration
        radius_db = "radius"


Use your own database information instead.

Modify the radiusd.conf file. The configuration file is quite large, so you can view it here.

Create a new database for radius holding the client information, with the following tables (the layout rlm_sql expects):

radacct - accounting table, one row per session; used for logging and for the Simultaneous-Use check
radcheck - usernames and passwords (check items)
radgroupcheck - check items for groups
radgroupreply - reply items for groups
radpostauth - log of every authentication attempt
radreply - reply items per user, here the fixed IP of each user
usergroup - the group each user belongs to

Two of these tables hold secrets: radcheck stores each user's password in clear text (required for CHAP and MS-CHAPv2), and the default postauth_query writes the password of every authentication attempt into radpostauth.pass. Give the raduser account only the privileges it needs and keep the database off any network the users can reach.
 

create database radius;

use radius; 

-- ------------- Table structure for table `radacct` -------------------

CREATE TABLE `radacct` (
  `RadAcctId` bigint(21) NOT NULL auto_increment,
  `AcctSessionId` varchar(32) NOT NULL default '',
  `AcctUniqueId` varchar(32) NOT NULL default '',
  `UserName` varchar(64) NOT NULL default '',
  `Realm` varchar(64) default '',
  `NASIPAddress` varchar(15) NOT NULL default '',
  `NASPortId` int(12) default NULL,
  `NASPortType` varchar(32) default NULL,
  `AcctStartTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctStopTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctSessionTime` int(12) default NULL,
  `AcctAuthentic` varchar(32) default NULL,
  `ConnectInfo_start` varchar(32) default NULL,
  `ConnectInfo_stop` varchar(32) default NULL,
  `AcctInputOctets` bigint(12) default NULL,
  `AcctOutputOctets` bigint(12) default NULL,
  `CalledStationId` varchar(50) NOT NULL default '',
  `CallingStationId` varchar(50) NOT NULL default '',
  `AcctTerminateCause` varchar(32) NOT NULL default '',
  `ServiceType` varchar(32) default NULL,
  `FramedProtocol` varchar(32) default NULL,
  `FramedIPAddress` varchar(15) NOT NULL default '',
  `AcctStartDelay` int(12) default NULL,
  `AcctStopDelay` int(12) default NULL,
  PRIMARY KEY  (`RadAcctId`),
  KEY `UserName` (`UserName`),
  KEY `FramedIPAddress` (`FramedIPAddress`),
  KEY `AcctSessionId` (`AcctSessionId`),
  KEY `AcctUniqueId` (`AcctUniqueId`),
  KEY `AcctStartTime` (`AcctStartTime`),
  KEY `AcctStopTime` (`AcctStopTime`),
  KEY `NASIPAddress` (`NASIPAddress`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1;

 

-- ----------------- Table structure for table `radcheck` --------------------------

CREATE TABLE `radcheck` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `UserName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '==',
  `Value` varchar(253) NOT NULL default '',
  PRIMARY KEY  (`id`),
  KEY `UserName` (`UserName`(32))
) ENGINE=MyISAM  DEFAULT CHARSET=latin1;

-- ---------------  Table structure for table `radgroupcheck` ------------------

CREATE TABLE `radgroupcheck` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `GroupName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '==',
  `Value` varchar(253) NOT NULL default '',
  PRIMARY KEY  (`id`),
  KEY `GroupName` (`GroupName`(32))
) ENGINE=MyISAM  DEFAULT CHARSET=latin1;

-- ----------------- Table structure for table `radgroupreply` ---------------

CREATE TABLE `radgroupreply` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `GroupName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '=',
  `Value` varchar(253) NOT NULL default '',
  `prio` int(10) unsigned NOT NULL default '0',
  PRIMARY KEY  (`id`),
  KEY `GroupName` (`GroupName`(32))
) ENGINE=MyISAM  DEFAULT CHARSET=latin1;

-- ------------------ Table structure for table `radpostauth` ------------

CREATE TABLE `radpostauth` (
  `id` int(11) NOT NULL auto_increment,
  `user` varchar(64) NOT NULL default '',
  `pass` varchar(64) NOT NULL default '',
  `reply` varchar(32) NOT NULL default '',
  `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1;

-- ------------  Table structure for table `radreply` ----------------

CREATE TABLE `radreply` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `UserName` varchar(64) NOT NULL default '',
  `Attribute` varchar(32) NOT NULL default '',
  `op` char(2) NOT NULL default '=',
  `Value` varchar(253) NOT NULL default '',
  PRIMARY KEY  (`id`),
  KEY `UserName` (`UserName`(32))
) ENGINE=MyISAM  DEFAULT CHARSET=latin1;

-- ----------- Table structure for table `usergroup` -------------

CREATE TABLE `usergroup` (
  `id` int(11) unsigned NOT NULL auto_increment,
  `UserName` varchar(64) NOT NULL default '',
  `GroupName` varchar(64) NOT NULL default '',
  `priority` int(11) NOT NULL default '1',
  PRIMARY KEY  (`id`),
  KEY `UserName` (`UserName`(32))
) ENGINE=MyISAM  DEFAULT CHARSET=latin1;
 

Create one group for all users; we'll call it dynamic. Simultaneous-Use := 1 means a user can have only one open session, which is checked against the open rows in radacct:

INSERT INTO `radgroupcheck` (`id`, `GroupName`, `Attribute`, `op`, `Value`) VALUES
(2, 'dynamic', 'Simultaneous-Use', ':=', '1'),
(1, 'dynamic', 'Auth-Type', '==', 'Local');
 

INSERT INTO `radgroupreply` (`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES
(1, 'dynamic', 'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP', 0),
(2, 'dynamic', 'Framed-Protocol', ':=', 'PPP', 0),
(3, 'dynamic', 'Service-Type', ':=', 'Framed-User', 0),
(4, 'dynamic', 'Framed-MTU', ':=', '1500', 0),
(5, 'dynamic', 'X-Ascend-Assign-IP-Pool', ':=', '0', 0),
(6, 'dynamic', 'X-Ascend-Maximum-Time', ':=', '7200', 0),
(8, 'dynamic', 'Idle-Timeout', ':=', '1800', 0);
 

 

Add users to the database. For every user insert the following rows (here customer1 with password "password" and fixed address 80.0.0.20); naming the columns avoids passing a dummy value for the auto-increment id:


INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('customer1', 'Password', '==', 'password');
INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('customer1', 'Framed-IP-Address', ':=', '80.0.0.20');
INSERT INTO usergroup (UserName, GroupName, priority) VALUES ('customer1', 'dynamic', 1);

 

8. Setup Router and PPPoE servers to work with OSPF
-------------------------------------------------------------------------
Add the following to rc.conf (the PPPoE server rc.conf in section 6 already has them):

quagga_enable="YES"
quagga_flags="-d"
quagga_daemons="zebra ospfd"


The quagga_enable line in rc.conf is all that is needed; do not edit /usr/local/etc/rc.d/quagga itself. Then start quagga:

/usr/local/etc/rc.d/quagga start

By default zebra and ospfd open their vty ports (TCP 2601 and 2604) on every interface, protected only by the clear-text passwords from their config files. Bind them to localhost by adding -A 127.0.0.1 to the flags (quagga_flags="-d -A 127.0.0.1") and manage them with vtysh or telnet on the server itself.

Here are the configuration files needed to set up OSPF. You need similar files on each PPPoE server and on the router: change the hostnames and the router-id, and on the router leave out the passive-interface lines for ng*, since it has no PPP interfaces. The idea of the setup is the redistribute connected line: mpd creates one ng interface per connected user, zebra sees each of them as a connected /32 route, and ospfd announces those routes to the router. Whichever server a user lands on, the router learns where to send that user's traffic as soon as the LSA is flooded.
 

# ------------------------- zebra.conf ---------------------- 

hostname PPPOE1-zebra
password zebra_password
enable password zebra_enable_password
!log file /var/log/zebra.log
interface fxp0
!
interface fxp1
!
interface lo0
!
ip forwarding
ipv6 forwarding
!
line vty
 

# ------------------------- end zebra.conf ----------------------

# ------------------------- ospfd.conf ----------------------

hostname PPPOE1-ospf
password ospfd_password
enable password ospfd_enable_password
log file /var/log/ospf.log
!
interface fxp0
!
interface fxp1
!
interface lo0
!
router ospf
 ospf router-id 80.80.0.2
 ! announce the /32 of every connected user (one ng interface each) to the router
 redistribute connected
 ! never speak OSPF towards users: one line per link defined in mpd.conf
 passive-interface ng0
 passive-interface ng1
 passive-interface ng2
 passive-interface ng3
 network 80.80.0.0/27 area 0.0.0.0
 ! "neighbor" is only for non-broadcast (NBMA) networks; on the Ethernet between
 ! the servers and the router the neighbours are found through multicast hellos
 ! neighbor 80.80.0.3
!
line vty
!


# ------------------------- end ospfd.conf ----------------------

Two things to check before trusting this. First, the ng interfaces are listed as passive because ospfd would otherwise run on them too; every link you add in mpd.conf needs its own passive-interface line (quagga versions that support it can use passive-interface default followed by no passive-interface fxp0), otherwise a user could exchange OSPF with the server and inject routes. Second, nothing here authenticates OSPF, so any host on the 80.80.0.0/27 segment can announce routes; enable MD5 authentication on fxp0 with the same key on every router (under interface fxp0: ip ospf authentication message-digest and ip ospf message-digest-key 1 md5 <key>; under router ospf: area 0.0.0.0 authentication message-digest). After a user logs in, show ip route ospf on the router (in vtysh) must list that user's /32 pointing at the server that terminated the session.


9. Firewalls and Traffic Shaping
------------------------------------------

The rc.firewall script below runs on every PPPoE server (firewall_script in rc.conf). It depends on two things: the forward rule needs options IPFIREWALL_FORWARD in the kernel, and the pipe-then-queue pairs need net.inet.ip.fw.one_pass=0 (put it in /etc/sysctl.conf), so that a packet which has gone through a pipe continues to the next rule instead of being accepted immediately. Note also that the customer block used here, 80.80.0.0/24, overlaps the 80.80.0.0/27 server subnet from section 4; replace it with your real customer block.

# ------------------------- rc.firewall ----------------------

#!/bin/sh
cmd="/sbin/ipfw -q"
lif="fxp1"
lif_ng="ng*"
pif="fxp0"


# we have 2 types of subscriptions which will have different bandwidth setups
ab500="80.80.0.0/25"
ab350="80.80.0.128/25"
# the whole customer block (both subscription types)
net="80.80.0.0/24"

# bandwidth extern
down500_extern="8000kbits/s"
up500_extern="2000kbits/s"
down350_extern="4000kbits/s"
up350_extern="2000kbits/s"

# metropolitan bandwidth
down500_metro="20000kbits/s"
up500_metro="10000kbits/s"
down350_metro="10000kbits/s"
up350_metro="10000kbits/s"


queue="64"
gred="0.02/6/18/0.1"

#flush rules
$cmd flush
$cmd pipe flush

# a packet that went through a pipe must continue to the next rule (pipe, then queue below)
/sbin/sysctl net.inet.ip.fw.one_pass=0 >/dev/null

# table for allow fixed ip users
#$cmd table 1 flush

#table for warned users (clients that did not paid in time)
$cmd table 2 flush

#table for metropolitan networks
#$cmd table 3 flush

# load metro networks
/etc/rc.tables

# pipe 1  --> internet (extern) pipe, 45M aggregate
# pipe 10 --> metropolitan pipe, 120M aggregate
# ------------------- extern ---------------------
# pipe 2 --> download ab500, one flow per destination IP (mask 0xffffffff)
# pipe 3 --> download ab350, one flow per destination IP
# pipe 4 --> upload ab500, one flow per source IP
# pipe 5 --> upload ab350, one flow per source IP
# queue 1 --> prioritized download traffic (web and dns replies), weight 15, into pipe 1
# queue 2 --> other download traffic, weight 10, into pipe 1

# ------------------- metropolitan ---------------------
# pipe 12 --> download ab500, one flow per destination IP
# pipe 13 --> download ab350, one flow per destination IP
# pipe 14 --> upload ab500, one flow per source IP
# pipe 15 --> upload ab350, one flow per source IP

# queue 10 --> prioritized download traffic, weight 15, into pipe 10
# queue 11 --> other download traffic, weight 10, into pipe 10

# --------------------- EXTERN---------------------
$cmd pipe 1 config bw 45000Kbit/s

#queues download
$cmd queue 1 config weight 15 pipe 1 queue 100 mask dst-ip 0xffffffff
$cmd queue 2 config weight 10 pipe 1 queue 50  mask dst-ip 0xffffffff

# pipe for download ab500
$cmd pipe 2 config bw $down500_extern mask dst-ip 0xffffffff queue $queue gred $gred
#upload ab500
$cmd pipe 4 config bw $up500_extern mask src-ip 0xffffffff queue $queue gred $gred

# pipe for download ab350
$cmd pipe 3 config bw $down350_extern mask dst-ip 0xffffffff queue $queue gred $gred
#upload ab350
$cmd pipe 5 config bw $up350_extern mask src-ip 0xffffffff queue $queue gred $gred

# --------------------- METROPOLITAN---------------------
$cmd pipe 10 config bw 120000Kbit/s

#queues download
$cmd queue 10 config weight 15 pipe 10 queue 100 mask dst-ip 0xffffffff
$cmd queue 11 config weight 10 pipe 10 queue 50  mask dst-ip 0xffffffff

# pipe for download ab500
$cmd pipe 12 config bw $down500_metro mask dst-ip 0xffffffff queue $queue gred $gred
#upload ab500
$cmd pipe 14 config bw $up500_metro mask src-ip 0xffffffff queue $queue gred $gred

# pipe for download ab350
$cmd pipe 13 config bw $down350_metro mask dst-ip 0xffffffff queue $queue gred $gred
#upload ab350
$cmd pipe 15 config bw $up350_metro mask src-ip 0xffffffff queue $queue gred $gred


#permit localhost
$cmd add 10 allow ip from any to any via lo0
$cmd add 20 deny ip from any to 127.0.0.1

# antispoof: private source addresses never belong on the LAN interface
# (the commented verrevpath rule is the stronger, address-independent check)
$cmd add 45 deny all from 172.16.0.0/12 to any via $lif
$cmd add 45 deny all from 192.168.0.0/16 to any via $lif
#$cmd add 50 deny ip from any to any not verrevpath in

#redirect warned clients to the local web server (needs options IPFIREWALL_FORWARD)
$cmd add 60 forward 127.0.0.1,8010 ip from "table(2)" to any dst-port 80

# fixed ips allow: hosts in table 1 may use the LAN without PPPoE
$cmd add 100 allow ip from any to "table(1)" out xmit $lif
$cmd add 110 allow ip from "table(1)" to any in recv $lif

#  allow multicast for ospf (224.0.0.5 and 224.0.0.6)
$cmd add 130 allow ip from any to 224.0.0.0/29


# worm ports: drop connections made to these ports
$cmd add 3600 deny ip from any to any dst-port 135-139,445,1080,2283,2745,3127-3198,5554,8866,10080,65506 in
# block irc (no spaces inside the port list: ipfw reads each token separately)
$cmd add 3700 deny ip from any to any dst-port 6666-6669,7000,9000

# deny all except ng* on lan: everything else must come in through a PPPoE session
$cmd add 3800 deny ip from any to any in recv $lif

# traffic to and from the server itself. ipfw evaluates rules by number, not in the
# order they are added: numbered 7 and 8 these two rules would run before the antispoof
# and LAN-deny rules above and let any LAN host reach sshd and the quagga vty ports
# (2601/2604). Keep them after rule 3800 and consider limiting them to management hosts.
$cmd add 3900 allow ip from any to me
$cmd add 3910 allow ip from me to any
 

# ---------------- EXTERN TRAFFIC --------------------

# download clients ab500
$cmd add 4100 pipe 2 ip from not "table(3)" 80,443,53 to $ab500 in recv $pif
$cmd add 4200 queue 1 ip from not "table(3)" 80,443,53 to $ab500 in recv $pif
$cmd add 4300 skipto 60000 ip from not "table(3)" 80,443,53 to $ab500 in recv $pif

# default traffic
$cmd add 4400 pipe 2 ip from not "table(3)" to $ab500 in recv $pif
$cmd add 4500 queue 2 ip from not "table(3)" to $ab500 in recv $pif

# upload clients ab500
$cmd add 5200 pipe 4 ip from $ab500 to not "table(3)" out xmit $pif

#download clients ab350
$cmd add 6000 pipe 3 ip from not "table(3)" 80,443,53 to $ab350 in recv $pif
$cmd add 6100 queue 1 ip from not "table(3)" 80,443,53 to $ab350 in recv $pif
$cmd add 6200 skipto 60000 ip from not "table(3)" 80,443,53 to $ab350 in recv $pif
# default traffic
$cmd add 6300 pipe 3 ip from not "table(3)" to $ab350 in recv $pif
$cmd add 6400 queue 2 ip from not "table(3)" to $ab350 in recv $pif

#upload clients ab350
$cmd add 6500 pipe 5 ip from $ab350 to not "table(3)" out xmit $pif

# ---------------- METROPOLITAN TRAFFIC --------------------

# download clients ab500
$cmd add 7100 pipe 12 ip from "table(3)" 80,443,53 to $ab500 in recv $pif
$cmd add 7200 queue 10 ip from "table(3)" 80,443,53 to $ab500 in recv $pif
$cmd add 7300 skipto 60000 ip from "table(3)" 80,443,53 to $ab500 in recv $pif

# default traffic
$cmd add 7400 pipe 12 ip from "table(3)" to $ab500 in recv $pif
$cmd add 7500 queue 11 ip from "table(3)" to $ab500 in recv $pif

# upload clients ab500
$cmd add 7600 pipe 14 ip from $ab500 to "table(3)" out xmit $pif

#download clients ab350
$cmd add 8000 pipe 13 ip from "table(3)" 80,443,53 to $ab350 in recv $pif
$cmd add 8100 queue 10 ip from "table(3)" 80,443,53 to $ab350 in recv $pif
$cmd add 8200 skipto 60000 ip from "table(3)" 80,443,53 to $ab350 in recv $pif
# default traffic
$cmd add 8300 pipe 13 ip from "table(3)" to $ab350 in recv $pif
$cmd add 8400 queue 11 ip from "table(3)" to $ab350 in recv $pif

#upload clients ab350
$cmd add 8500 pipe 15 ip from $ab350 to "table(3)" out xmit $pif

# allow traffic on ng*
$cmd add 60000 allow ip from any to $net out xmit $lif_ng
$cmd add 60100 allow ip from $net to any in recv $lif_ng

$cmd add 60200 allow ip from any to $net in recv $pif
$cmd add 60300 allow ip from $net to any out xmit $pif

$cmd add 61000 deny ip from any to any
 

# ------------------------- end rc.firewall ----------------------

# ----------------------- rc.tables ---------------------- 

#!/bin/sh
cmd="/sbin/ipfw -q"

# fixed ips allowed
$cmd table 1 flush

#table for metropolitan networks
$cmd table 3 flush

# tables of allowed fixed IPs
$cmd table 1 add 80.80.0.10
$cmd table 1 add 80.80.0.11

#metro networks (prefixes, not host addresses)
$cmd table 3 add 80.10.0.0/24
$cmd table 3 add 80.15.0.0/24

# ----------------------- end rc.tables ----------------------
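ipfw evaluates rules in ascending rule-number order, not in the order rc.firewall adds them, so a low-numbered "allow ip from any to me" is reached before any antispoof or LAN-deny rule with a higher number. The following Python model of that evaluation is an added example, not part of the original tutorial or of ipfw: it replays the rules that decide who may reach the PPPoE server itself against three constructed packets (a LAN host and an RFC 1918 host on the raw fxp1 interface, and a PPPoE user on ng0), once with the to/from me rules numbered 7 and 8 (before the antispoof and LAN-deny rules) and once with them numbered 3900 and 3910 (after them). The packets, the set of addresses that "me" matches and the subset of rules are assumptions of the example.

```python
"""Model of ipfw's first-match evaluation in ascending rule-number order, applied to
the rules of rc.firewall that decide who may talk to the PPPoE server itself."""
import ipaddress

ME = {"80.80.0.2"}          # what "me" matches on PPPoE 1 (assumed from section 4)


def rule(num, action, src="any", dst="any", dport=None, direction=None, iface=None):
    """One rule. iface alone models 'via IF'; iface plus direction 'in' models 'in recv IF'."""
    return {"num": num, "action": action, "src": src, "dst": dst,
            "dport": dport, "dir": direction, "iface": iface}


def _addr(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r, pkt):
    return (_addr(r["src"], pkt["src"]) and _addr(r["dst"], pkt["dst"])
            and (r["dport"] is None or pkt.get("dport") in r["dport"])
            and (r["dir"] is None or r["dir"] == pkt["dir"])
            and (r["iface"] is None or r["iface"] == pkt["iface"]))


def first_match(rules, pkt):
    """Return (rule number, action) of the first matching rule by number, as ipfw does."""
    for r in sorted(rules, key=lambda r: r["num"]):   # stable: same-number rules keep file order
        if matches(r, pkt):
            return r["num"], r["action"]
    return 65535, "deny"                              # default rule without DEFAULT_TO_ACCEPT


def ruleset(to_me, from_me):
    """The subset of rc.firewall relevant here, in the order the script adds the rules."""
    return [
        rule(10, "allow", iface="lo0"),
        rule(20, "deny", dst="127.0.0.1"),
        rule(to_me, "allow", dst="me"),                     # allow ip from any to me
        rule(from_me, "allow", src="me"),                   # allow ip from me to any
        rule(45, "deny", src="172.16.0.0/12", iface="fxp1"),
        rule(45, "deny", src="192.168.0.0/16", iface="fxp1"),
        rule(130, "allow", dst="224.0.0.0/29"),
        rule(3800, "deny", direction="in", iface="fxp1"),   # deny all except ng* on lan
        rule(61000, "deny"),
    ]


EARLY = ruleset(7, 8)         # to/from me before antispoof and the LAN deny
LATE = ruleset(3900, 3910)    # to/from me after them

# constructed packets (not captured traffic)
LAN_SSH = {"src": "80.10.10.9", "dst": "80.80.0.2", "dport": 22, "dir": "in", "iface": "fxp1"}
SPOOFED_SSH = {"src": "192.168.1.5", "dst": "80.80.0.2", "dport": 22, "dir": "in", "iface": "fxp1"}
USER_VTY = {"src": "80.0.0.20", "dst": "80.80.0.2", "dport": 2604, "dir": "in", "iface": "ng0"}


def verdicts(rules):
    """Which rule decides each packet under the given ruleset."""
    return {name: first_match(rules, p) for name, p in
            (("lan_ssh", LAN_SSH), ("spoofed_ssh", SPOOFED_SSH), ("user_vty", USER_VTY))}


if __name__ == "__main__":
    print("early:", verdicts(EARLY))   # all three allowed by rule 7
    print("late: ", verdicts(LATE))    # raw LAN traffic denied (3800 / 45); user still reaches the vty (3900)
```

The last verdict is the remaining exposure even after renumbering: a logged-in user can still reach sshd and the quagga vty ports on the server, which is why those services should be bound to localhost or the "to me" rule restricted to management addresses.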

10. Testing
---------------

Command to list the connected users (put the MySQL password in ~/.my.cnf, mode 0600, instead of on the command line, where every local user can read it in the ps output):

/usr/local/bin/mysql radius -e 'select UserName from radacct where AcctStopTime=0;'

This setup uses the accounting rows in MySQL to decide whether a user is still connected (Simultaneous-Use := 1 in radgroupcheck). If you use the radzap script to remove a connected user from the radius server, the default script does not update the MySQL database, so radius still thinks the user is online and rejects the next login. To make the script update the database, add the following line at the end of it, where $user is the user name the script was asked to remove:

`/usr/local/bin/mysql radius -e 'update radacct set AcctStopTime=AcctStartTime where AcctStopTime=0 and UserName="'$user'";'`


This script executes radzap for all connected users and closes every open accounting row. Run it when a PPPoE server has rebooted, otherwise the users that were on it are rejected by Simultaneous-Use when they reconnect to another server. It is coarser than necessary, since it also closes the rows of users on the other servers; limiting the update to the NASIPAddress of the rebooted server is the precise fix. If you want it to run at boot time, place it in /usr/local/etc/rc.d and make it executable.

# --------------------- radzap-all.sh script -----------------------

#!/bin/sh
# close every radius session and every open accounting row;
# mysql reads the password from ~/.my.cnf

for i in `radwho | grep -v "Login" | cut -d" " -f1`
do
        /usr/local/bin/radzap -u "$i" localhost secret_password
done

/usr/local/bin/mysql radius -e 'update radacct set AcctStopTime=AcctStartTime where AcctStopTime=0;'

# --------------------- end radzap-all.sh script -----------------------
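What the radzap step protects against, as an added example that is not part of the original tutorial or of FreeRADIUS: with Simultaneous-Use := 1 from radgroupcheck, an accounting row whose AcctStopTime is still the zero date counts as an open session, so when a PPPoE server reboots without sending Stop records its users are rejected when they reconnect to another server. The Python below builds an in-memory SQLite copy of the relevant radacct columns with constructed rows (the server at 80.80.0.2 is assumed to have rebooted without Stop records), shows the tutorial's online-user query, the Simultaneous-Use decision, and the narrower fix of closing only the sessions of the rebooted NAS, with bound parameters rather than a user name spliced into the SQL string.

```python
"""In-memory model of the radacct bookkeeping behind Simultaneous-Use, using the
column names of the MySQL schema above (SQLite stand-in, constructed rows)."""
import sqlite3

ZERO = "0000-00-00 00:00:00"     # MySQL default for AcctStopTime: session still open

SCHEMA = """
CREATE TABLE radacct (
  RadAcctId          INTEGER PRIMARY KEY AUTOINCREMENT,
  AcctSessionId      TEXT NOT NULL,
  UserName           TEXT NOT NULL,
  NASIPAddress       TEXT NOT NULL,
  FramedIPAddress    TEXT NOT NULL DEFAULT '',
  AcctStartTime      TEXT NOT NULL,
  AcctStopTime       TEXT NOT NULL DEFAULT '0000-00-00 00:00:00',
  AcctTerminateCause TEXT NOT NULL DEFAULT ''
)"""

# constructed rows: pppoe1 (80.80.0.2) rebooted and never sent Stop records for its users
SAMPLE = [
    ("a1", "customer1", "80.80.0.2", "80.0.0.20", "2008-03-15 11:10:00", ZERO),
    ("a2", "customer2", "80.80.0.2", "80.0.0.21", "2008-03-15 11:20:00", ZERO),
    ("b1", "customer3", "80.80.0.3", "80.0.0.22", "2008-03-15 11:30:00", ZERO),
    ("b2", "customer4", "80.80.0.3", "80.0.0.23", "2008-03-15 09:00:00", "2008-03-15 10:00:00"),
]


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, FramedIPAddress,"
                   " AcctStartTime, AcctStopTime) VALUES (?, ?, ?, ?, ?, ?)", SAMPLE)
    db.commit()
    return db


def online_users(db):
    """The tutorial's 'select UserName from radacct where AcctStopTime=0'."""
    rows = db.execute("SELECT UserName FROM radacct WHERE AcctStopTime = ? ORDER BY UserName",
                      (ZERO,))
    return [r[0] for r in rows]


def login_allowed(db, user, simultaneous_use=1):
    """What Simultaneous-Use := 1 decides: refuse while an open row exists for the user."""
    (n,) = db.execute("SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = ?",
                      (user, ZERO)).fetchone()
    return n < simultaneous_use


def close_sessions_of_nas(db, nas_ip, stop_time, cause="NAS-Reboot"):
    """Close only the open rows of the NAS that rebooted; returns how many were closed.
    Values are bound parameters, so a user name or address cannot alter the statement."""
    cur = db.execute("UPDATE radacct SET AcctStopTime = ?, AcctTerminateCause = ?"
                     " WHERE NASIPAddress = ? AND AcctStopTime = ?",
                     (stop_time, cause, nas_ip, ZERO))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    print(online_users(db), login_allowed(db, "customer1"))               # 3 users, False
    print(close_sessions_of_nas(db, "80.80.0.2", "2008-03-15 12:00:00"))  # 2
    print(online_users(db), login_allowed(db, "customer1"))               # ['customer3'], True
```

Unless the radius server can confirm with the NAS that a session is really gone, the stale row alone decides; closing the rows of the rebooted server as soon as it is back (for example from that server's own startup) keeps the other servers' accounting intact.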
