Erik Norgaard
2004-05-04 11:22:17 UTC
Hi,
I was wondering if it is possible to route based on source. The
problem is:
I have a network with an OpenBSD box acting as a gateway.
On the internal network are students and non-students. The students
may use the internet connection provided by the university
for free while the non-students must be routed to some commercial
provider (and pay).
I could do this by setting up dhcp to assign ip statically based
on the mac address, assign two different default gateways and then
set up an extra firewall acting as the second gateway.
But it would be nicer to add an extra nic to the firewall and set
up source based routing. However, what I have read and understood
about route(8) is that it controls routes based on destination.
Is there a solution to this?
Second, since this opens for the motive of spoofing ip address to
get free access then I'd like to know if there is a way of filtering
based on mac address.
(I know that mac addresses can also be spoofed, and ideally I
should use pfauth. But, it appears that people don't hesitate to
share passwords. Really, I need to identify the user by ip, mac,
username and password and make sure that everything matches correctly
before allowing traffic, and even then I cannot be sure...)
Best regards, Erik
GnuPG Key: http://www.locolomo.org/home/norgaard/norgaard.gpg.asc
pub 1024D/B02CC311 2004-04-05 Erik Norgaard <***@locolomo.org>
Key fingerprint = 6C11 B9B1 52BD F16D 34AD 9893 D3EC E6DB B02C C311