Bridging vlans w/firewall and selective HTTP redirect?

Kevin Schmidt kps at ucsb.edu
Tue Sep 28 10:10:28 PDT 2004 

Hi all,

I'm interested in placing an FBSD box (prefer 4.x since it's production, 
though I've also used 5.2) inline on a link with 802.1Q-tagged vlans with 
firewalling and selective HTTP redirects.  Bridging a couple of ethernets 
isn't a problem, and it appears I can enable ipf or ipfw (but not pf; too 
bad, ALTQ and pfsync would be nice).  What does not appear viable is the 
interception and transparent redirect of HTTP traffic in this bridged 
environment.  Anyone know of a good way to do this?

The purpose of the above is to support a wireless network where users may be 
associated with various vlans, some of which will require selective traffic 
filtering and transparent http redirects.  For example, there might be an 
SSID for a "readme" vlan network where people could log in to a web page and 
download an 802.1X supplicant.  The supplicant would be preconfigured to join 
another SSID, e.g. "campus wireless", which would allow authenticated users 
full Internet access.  If a particular user is known to have a 
compromised/infected system, they'd be mapped to a quanantine vlan, which 
ideally would block most traffic and redirect them to a web page with 
additional information and remediation tools.  Similar techniques would be 
used to support an https login process that would selectively open the 
firewall for authenticated users.  I'm sure someone reading this is 
wondering, "why not do the web redirects on a routed interface instead of 
with an inline bridge, since redirects at an L3 interface work?"  The answer 
is scalability and roaming:  I'd like routing to be done at a couple of 
upstream Cisco boxes, with two or more FBSD boxes inline on the downstream 
vlans supporting wireless and (ultimately) some wired ports.  I'll do it 
routed if I must, but it would be great if I could redirect locally at the 
bridge.

I'm looking at Linux/OpenBSD/NetBSD, too, though I've always preferred FBSD 
(still have my 1.x CDs) and have happily used it for DNS, web, ftp, etc. 
servers for years.

Any suggestions/comments/questions welcome.

Cheers,

-- 
Kevin Schmidt
Campus Network Programmer
Office of Information Technology
University of California, Santa Barbara
North Hall 2124
Santa Barbara, CA 93106-3201
805-893-7779
805-893-5051 FAX
kps at ucsb.edu

More information about the freebsd-net mailing list