captive portal for one vlan with Cisco router as a gateway


This topic contains 8 replies, has 0 voices, and was last updated by  ZeroDriver 3 years, 2 months ago.

  • #44078

    ZeroDriver
    Member

    Hello,
    I’d like to use Zeroshell in my environment and would like to ask if it is possible to connect it as in the picture below. I just need to control internet access by using a transparent proxy and/or captive portal on Zeroshell. I don’t want to point the gateway on all computers to a Zeroshell server, because the machine on which it will be running needs to be restarted very often. I’m wondering whether it is possible to redirect all web traffic on the Cisco router via the Zeroshell server.

    I can use Web Cache Communication Protocol but I’m looking for a simple solution.

    #53523

    gordonf
    Member

    Do you already have an 802.1Q trunk between your 2960 switch and your ESXi host? If not, see if you can do that. This way you can put the ZS router on VLAN 1 and VLAN 10, and have it be the gateway for hosts in VLAN 10.

    I have plenty of experience with that sort of networking. The ESXi host can have several virtual switches; one for each VLAN.

    (I’ll elaborate on this post later on.)

    #53524

    ZeroDriver
    Member

    Yes, I have an 802.1Q trunk and everything that is in the picture except the ZS router. But I don’t want to change the gateway on any computer – it must be the Cisco router.

    #53525

    gordonf
    Member

    Sorry, but a ZS captive portal might not be feasible in this example without a lot of re-working.

    So the idea is to insert the ZS between the VLAN 10 clients and the 1921 router and use it as a transparent proxy. Were this a physical PC, one would do that with a dual-NIC PC and insert it between your 2960 and 1921 router, but with a separate cable, something like:

    [Let’s pretend the 1921 has a 4-port switch card in it for a moment]

    [1921 fa2] --- [ZS appliance PC] --- [2960 VLAN 10]
    [1921 fa3] --- [2960 VLAN 1]

    OK, so we don’t have a spare PC we can use as an appliance, and we don’t have a 4-port switch card in the 1921. But if we create another VLAN to put in between the 1921 and ZS we might be able to simulate it:

    [1921 fa0.110 (VLAN 110)] --- [ZS VM] --- [2960 VLAN 10]
    [1921 fa0 (VLAN 1)] --- [2960 VLAN 1]

    I’m using a hypothetical VLAN 110 that only the 1921 and ZS would see. If you got the transparent part of ZS working normally, this should behave like a physical ZS appliance doing a bridge would. fa0.110 would replace fa0.10 but would otherwise have its IP configuration including DHCP.

    Here’s a more complete example:

    [1921 fa0.110 (VLAN 110)] --- [2960 VLAN 110] --- [ESXi vSwitch 110] --- [ZS VM] --- [ESXi vSwitch 10] --- [2960 VLAN 10]
    [1921 fa0 (VLAN 1)] --- [2960 VLAN 1]

    Now, I never got a ZS virtual machine on ESXi to transparently pass packets between its interfaces successfully. I wanted to try this approach once, but following the Bridging FAQ didn’t produce the intended result. Maybe you’d have better luck.

    #53526

    ZeroDriver
    Member

    Ok, thank you for these examples. Could I ask you to modify my diagram for the last example? I’m not sure how the traffic would go through ZS. Will it be necessary to connect ESXi with two physical cables to the 2960 switch?

    #53527

    gordonf
    Member

    I’ll take a moment to draw something other than in ASCII art over this weekend, then update this reply with it.

    If you had a Dot1Q trunk between the 2960 and ESXi host, you could do it with a single cable between the two, and three standard vSwitches; one for each VLAN. The ESXi host would do the Dot1Q tagging for you. If your ESXi host had multiple Ethernet jacks, you could do it with one physical cable per VLAN, and it might help to imagine it that way at first. It’s a waste of good copper though, once you have Dot1Q mastered.

    This post is unfinished; again, I’ll come back with a drawing over the weekend.

    #53528

    ZeroDriver
    Member

    Thank you for your answer. I’m waiting for your update. 🙄
    I’d like to use your suggestions in my environment.

    #53529

    gordonf
    Member

    So two weekends later and I haven’t drawn anything yet. Sorry about that. Work is getting nuts.

    #53530

    ZeroDriver
    Member

    Can anybody help regarding this?

    #53531

    gordonf
    Member

    Let’s see if this helps:

    To force traffic from VLAN 10 through the ZS transparent proxy, the ZS router must be the default gateway for hosts on VLAN 10. This will mean either changing the gateway setting on the hosts, or changing the ZS VLAN 10 connection’s IPv4 address to match the original gateway setting.

    Next you make a virtual interface on your Cisco 1921. I don’t remember the syntax, but the end result is you end up with an interface named ‘fe0.110’ for a hypothetical VLAN 110. Give this a unique IPv4 address, and change the default gateway setting on the ZS VM to use it.

    This makes traffic from VLAN 10 pass through the ZS VM, get filtered, then directed out VLAN 110 to the 1921 router and out to the net. No one but the 1921 and ZS would see VLAN 110 as long as you don’t assign any access switchports to it.

    The VLAN 1 connection to the ZS VM is optional, it appears. You could keep it if you wanted to, I suppose, for administering the ZS installation.

    (Has it really been ten months? Wow, I’m slow.)
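
The post above describes the design but not the router and switch commands. The following is an added configuration example written for this thread, not something posted by gordonf or taken from ZeroShell documentation. Everything in it is assumed for illustration: the 1921's trunk port is GigabitEthernet0/0 (the post calls it fa0), VLAN 10 is 192.168.10.0/24 with ZS taking over the old gateway address 192.168.10.1, the VLAN 110 transit link is 192.168.110.0/30 with the 1921 at .1 and ZS at .2, and the 2960 uses Gi0/1 toward the ESXi host and Gi0/2 toward the router.

```cisco
! ===== Cisco 1921 =====
! Remove the old VLAN 10 subinterface. If it stays, a VLAN 10 host can set its
! gateway to the router directly and bypass the ZS proxy entirely.
no interface GigabitEthernet0/0.10
!
interface GigabitEthernet0/0
 description Dot1Q trunk to 2960 (assumed; the post calls this fa0)
 no ip address
 no shutdown
!
! Transit VLAN seen only by the router and the ZS VM.
interface GigabitEthernet0/0.110
 description Transit to ZeroShell - never assign access ports to VLAN 110
 encapsulation dot1Q 110
 ip address 192.168.110.1 255.255.255.252
!
! Return path: VLAN 10 now sits behind ZS, so the router must route it back
! through the ZS VLAN 110 address. Not needed if ZS NATs VLAN 10 behind 192.168.110.2.
ip route 192.168.10.0 255.255.255.0 192.168.110.2
!
! ===== Cisco 2960 =====
vlan 110
 name ZS-transit
!
! Carry only the VLANs each trunk needs; the 2960 tags everything as 802.1Q.
interface GigabitEthernet0/1
 description Trunk to ESXi host
 switchport mode trunk
 switchport trunk allowed vlan 1,10,110
!
interface GigabitEthernet0/2
 description Trunk to 1921
 switchport mode trunk
 switchport trunk allowed vlan 1,10,110
```

On the ESXi side the matching pieces are two port groups on the vSwitch behind Gi0/1, one with VLAN ID 10 and one with VLAN ID 110, and the ZS VM gets one vNIC in each; ZS is given 192.168.10.1 on the VLAN 10 side and 192.168.110.2 with default gateway 192.168.110.1 on the VLAN 110 side, and it must also serve (or relay) DHCP for VLAN 10 now that the router no longer has an interface there. To check the path, `show ip route` on the 1921 should list 192.168.10.0/24 via 192.168.110.2, and a `traceroute` from a VLAN 10 host should show 192.168.10.1 and then 192.168.110.1 as the first two hops; if the first hop is the router, a host is bypassing ZS.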
