> Hello
>
> I want to create a captive portal able to deal with users that are behind
> a NAT.
> The network diagram is :
>
>
> userA1---(priv subnet)---[NAT gateway A]---(pub subnet)---|
> userA2---(priv subnet)---[NAT gateway A]---(pub subnet)---|
> ... |
> userB1---(priv subnet)---[NAT gateway B]---(pub subnet)---|
> userB2---(priv subnet)---[NAT gateway B]---(pub subnet)---|
> ... |
> .. |---(squid)transparent web proxy)--- Internet
>
>
> The login/password is common to everyone but changes every 30 minutes.
> People connected can access the web during 30 minutes from the time they
> initiated the connection.
>
> Of course, if userA1 connects, it should not automatically grant access to
> userA2.
>
> We do not have control over NAT gateways.
> Can Squid be the "transparent web proxy"? Will it be able to differentiate
> NATed users?
> If it can't, do you know any software that does this?
Not without control of the NAT gateways. If you don't control NAT you
don't have the basic information to identify and authenticate the original
source. This is why so many ISP people hate NAT, despite its uses.
Transparent interception is done by direct lookups into the gateway NAT
tables or gateways routing packets unaltered to a separate box for NAT
handling and lookups there.
Either way you need some control to add rules into the gateway NAT routers.
I see three choices here for you:
1) adding a squid box on each subnet to handle transparency for that
subnet and peering them to a public gateway squid.
2) implementing semi-explicit proxy config via (WPAD) and authenticating
each user request.
3) doing away with NAT. That may mean moving from 192.168.0.0/16 to
10.0.0.0/8 or IPv6
Amos
Received on Fri May 30 2008 - 03:42:59 MDT
This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:14 MDT