walled garden concept

L. Jason Godsey lannygodsey at yahoo.com
Wed Mar 22 13:24:10 UTC 2006


Starting in 1995, I have done this using private IPs.

I assign the dial-in user a 10.1.x.x/16 IP.  I have their gateway set
to 10.1.1.1, which is a Linux/FreeBSD machine.

The 10.1.1.1 also acts as a DNS server.  10.1.1.1 also runs Squid in
transparent proxy mode.  Squid acts as a walled garden, only allowing
access to hosts which we want non-paying users to see.

Most systems require the user to reconnect in order to escape the
walled garden.  My method simply changes the firewall rules: I insert a
rule to simply NAT the 10.1.4.242 IP out to the net after payment.
When RADIUS either gets a disconnect or an auth attempt on the same port,
I clear that fw entry and the next user has to pay.

After they pay, they get a public IP address and go about their
business.

If you wanted, you could have your main router be FreeBSD/Linux and,
when the user's account expires, wall them in real time w/ a firewall rule
instead of setting a maximum session time.  We elected to just kick them
offline to avoid shoving all traffic through the Unix machines.

In order to hand out the 10.1.x.x IPs, you don't use the NAS IP pool;
instead we just let RADIUS hand out static IPs from a database pool.

p.s. I prefer top posting.

--- Odhiambo Washington <wash at wananchi.com> wrote:
> Does anyone know of any tutorials for setting up a "walled garden"?
> I work for an ISP and we'd like to allow a specific dialup account
> Free Access via our RADIUS, but we want to limit this user to access
> just three or so URLs: our customer
> {registration|renewal|webselfcare}
> interfaces only.
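The mechanics described in the reply above, written up as an added example (this is not the poster's script, nor anything shipped by FreeBSD or Squid): a small sh controller around FreeBSD's ipfw that builds the walled-garden ruleset once, then grants or revokes internet access per client without a reconnect by adding or deleting the client's address in an ipfw lookup table. The garden net 10.1.0.0/16, gateway 10.1.1.1 and sample client 10.1.4.242 come from the post; the WAN interface name `em0`, the Squid port 3128, table number 1, the rule numbers and the `handle_radius_event` hook name are assumptions. It also assumes the default `net.inet.ip.fw.one_pass=1`, so a packet that matches the NAT rule stops there and never reaches the garden's deny rule.

```shell
#!/bin/sh
# Hypothetical walled-garden controller for ipfw (example, not from the post).
# Non-paying dial-in users can only reach the gateway (DNS + transparent
# Squid); paying users are NATed straight out.  Access is toggled per
# client by editing an ipfw lookup table, so no reconnect is needed.

IPFW="${IPFW:-ipfw}"          # set IPFW=echo to dry-run and just print the rules
GARDEN_NET="10.1.0.0/16"      # dial-in users get addresses from this net (per the post)
GATEWAY="10.1.1.1"            # the Linux/FreeBSD box: default gateway, DNS, Squid
SQUID_PORT="${SQUID_PORT:-3128}"   # assumed Squid intercept port
WAN_IF="${WAN_IF:-em0}"       # assumed public-facing interface
PAID_TABLE=1                  # ipfw lookup table holding clients who have paid

fw() { $IPFW "$@"; }

# One-time ruleset.  Order matters: paid clients hit the NAT rule first and
# terminate there (one_pass=1); everyone else falls through to the garden.
garden_base_rules() {
    fw nat 1 config if "$WAN_IF"
    fw add 100 allow ip from any to any via lo0
    # Paying clients: translate out to the public address.
    fw add 200 nat 1 ip4 from "table($PAID_TABLE)" to any out via "$WAN_IF"
    # Reverse translation for replies arriving on the WAN side.
    fw add 210 nat 1 ip4 from any to any in via "$WAN_IF"
    # Everyone may use the gateway's resolver.
    fw add 300 allow udp from "$GARDEN_NET" to "$GATEWAY" 53
    # Unpaid HTTP is redirected into Squid, which enforces the allowed host list.
    fw add 310 fwd "$GATEWAY,$SQUID_PORT" tcp from "$GARDEN_NET" to not "$GATEWAY" 80 in
    # Anything else from the garden that is not aimed at the gateway is dropped.
    fw add 400 deny ip from "$GARDEN_NET" to not "$GATEWAY"
    fw add 65000 allow ip from any to any
}

# Let a client out of the garden (called after payment clears).
grant_access() {
    fw table "$PAID_TABLE" add "$1"
}

# Put a client back in the garden (called on disconnect or a new login on
# the same port, so the next user of that address has to pay again).
revoke_access() {
    fw table "$PAID_TABLE" delete "$1"
}

# Hook to call from whatever RADIUS accounting or billing event you have.
# $1 = event (paid | Start | Stop), $2 = client IP.  Returns 2 on unknown event.
handle_radius_event() {
    case "$1" in
        paid)       grant_access "$2" ;;
        Start|Stop) revoke_access "$2" ;;
        *)          echo "unknown event: $1" >&2; return 2 ;;
    esac
}

# Command-line use: ./garden.sh init | grant <ip> | revoke <ip> | event <type> <ip>
case "${1:-}" in
    init)   garden_base_rules ;;
    grant)  grant_access "$2" ;;
    revoke) revoke_access "$2" ;;
    event)  handle_radius_event "$2" "$3" ;;
esac
```

Run `IPFW=echo ./garden.sh init` to see the ruleset without touching the firewall. Squid still has to be configured to intercept on `$SQUID_PORT` and to allow only the registration/renewal hosts; the table is what makes the "escape without reconnecting" part work, because the rule referencing it never changes, only its membership does.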
