[RP-PPPoE] rp-pppoe and squid

Insane Laughing Clown mike-rppppoe at tiedyenetworks.com
Sun Feb 5 13:40:16 EST 2012


On 02/05/2012 08:31 AM, Tiago wrote:
> Hello,
> I'm having an initial experience with rp-pppoe, squid and freeradius.
>
> Anyone could tell me if there is a way to define which squid server
> (from 3 squid servers) my authenticated ppp user will be using based
> on pppoe-server configs? Or how can I define something like that to my
> users?
>
> Thanks for any tips that could enlighten me.
>

Hi,

There are a few ways to skin this cat, but pppoe-server by itself 
doesn't have the hooks or features to implement that. What you 
will need is Linux iptables or ip policy routing support, and some 
scripting, to get what you want.

I use the radattr.so plugin in pppd so that returned radius attributes 
are written to a file. This lets me stuff some attribute values in the 
returned radius response, which can then be read by a script invoked by 
ppp's 'ip-up', to do the job. So the combination then is 1: attributes 
in radius, 2: a modified /etc/ppp/ip-up script, and 3: iptables support 
to install specific nat rules per user. What you would do is to put 
something in the customer radius config like 'Filter-Id' that has some 
string you want to key off of, for this example it could be 'squid1', 
'squid2' or 'squid3'. Then, you write a little script and put it where 
ppp will find it like /etc/ppp/ip-up and put something such as the 
following (perl) script in it:

#!/usr/bin/perl
use strict;
use warnings;

# radattr.so writes the RADIUS reply attributes, one "Attribute value" per
# line, to a file named after the ppp interface. (Many radattr.so builds
# write to /var/run/radattr.<ifname>; adjust the path to match yours.)
open(my $attr, '<', "/tmp/radattr.$ENV{IFNAME}")
    or die "cannot open radattr file for $ENV{IFNAME}: $!";

# Remove any stale rule left over from a previous session on this interface
# ('dev' and 'iif' are the same selector in ip rule)
`ip rule del iif $ENV{IFNAME}`;

while (<$attr>) {
    chomp;
    next unless /^(\S+)\s+(.*)$/;
    my ($attribute, $value) = ($1, $2);

    if ($attribute eq "Filter-Id") {
        # 'from' expects an address prefix, so select the session by its
        # interface with 'iif' instead
        if    ($value eq "squid1") { `ip rule add iif $ENV{IFNAME} table 10`; }
        elsif ($value eq "squid2") { `ip rule add iif $ENV{IFNAME} table 20`; }
        elsif ($value eq "squid3") { `ip rule add iif $ENV{IFNAME} table 30`; }
    }
}
close($attr);


Lastly, you would also need to populate the routing tables with the 
addresses of your squid servers (one time setup):

ip route add default via squid1.ip.address table 10
ip route add default via squid2.ip.address table 20
ip route add default via squid3.ip.address table 30


You then install a Filter-Id radius attribute for each affected user 
and give it a value of squid1, squid2 or squid3, and upon authentication 
you should be able to do:

ip rule show

and see your users.


Please note this is just one example; it may not scale well for you, and 
depending on the number of users and other goals you have, a more tuned 
model using iptables may be a better choice. The tuning would consist 
largely of determining what the majority of users would have, and having 
that as a default, in order to reduce the number of specific rules added 
to the tables. Other methods could also use nfmark on the http packets 
alone while leaving all else untouched, with a mangle rule or a nat rule 
to treat those specially.

Would love to hear your feedback.

-ILC
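The same radattr-to-policy-routing procedure as a shell ip-up/ip-down pair, added here as an example and not part of the original post: it reads the radattr.so attribute file, maps a whitelisted Filter-Id value to a table, and removes the rule again when the session ends so stale rules do not outlive the user. It assumes radattr.so writes "Attribute value" lines to /var/run/radattr.<ifname> (override with RADATTR_DIR) and that tables 10/20/30 already hold the squid default routes.

```shell
#!/bin/sh
# Added example (not from the original post). Install as /etc/ppp/ip-up and
# /etc/ppp/ip-down (or symlink both names to one file).
# Assumption: radattr.so writes the RADIUS reply attributes, one
# "Attribute value" per line, to $RADATTR_DIR/radattr.<ifname>.

RADATTR_DIR="${RADATTR_DIR:-/var/run}"

# table_for_filter_id FILE -> prints the routing table chosen by the first
# Filter-Id line in FILE; prints nothing when the file is unreadable, the
# attribute is absent, or the value is not one of the known squid names.
table_for_filter_id() {
    [ -r "$1" ] || return 0
    # Unknown values fall through to normal routing rather than selecting
    # an arbitrary table number taken from the RADIUS reply.
    awk '$1 == "Filter-Id" { v = $2; exit }
         END {
             if (v == "squid1") print 10;
             else if (v == "squid2") print 20;
             else if (v == "squid3") print 30;
         }' "$1"
}

# pppd calls ip-up as: ip-up IFNAME TTY SPEED LOCALIP REMOTEIP IPPARAM
ppp_ip_up() {
    ifname="$1"
    table=$(table_for_filter_id "$RADATTR_DIR/radattr.$ifname")
    [ -n "$table" ] || return 0   # no preference recorded: default routing
    # Drop any rule left behind by an earlier session on the same interface
    ip rule del iif "$ifname" 2>/dev/null || true
    ip rule add iif "$ifname" table "$table"
}

# pppd calls ip-down with the same arguments; remove the per-session rule
ppp_ip_down() {
    ip rule del iif "$1" 2>/dev/null || true
}

case "$(basename "$0")" in
    ip-up)   ppp_ip_up "$@" ;;
    ip-down) ppp_ip_down "$@" ;;
esac
```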
