Software Release 2.3.1


redirection, any web (TCP port 80) traffic from the user's PC or laptop can be redirected to the ISP's web server. This forces the user to arrange payment for using the service before being able to browse to any other site. With appropriate supporting "deny" rules, all other traffic types from the user's PC can be blocked until payment has been made.

The following gives a simple example of how a system such as this would be configured. The ISP has a switch configured with a firewall. The switch's VLANs, vlan1 and vlan2, are the private (user-facing) and public interfaces respectively. The ISP's web server, which presents the payment page, has the IP address 205.1.28.6. The following rules perform the web redirection and the blocking of all non-web traffic (rule 298 is consulted before rule 299, so port 80 is redirected and everything else is denied):

ADD FIREWALL POLICY=ISP RULE=298 INTERFACE=vlan1 ACTION=NAT NATTYPE=REVERSE PROTOCOL=TCP PORT=80 GBLREMOTE=205.1.28.6
ADD FIREWALL POLICY=ISP RULE=299 INTERFACE=vlan1 ACTION=DENY PROTOCOL=ALL

Once a user has arranged payment, a rule can be added that specifies the IP address that the ISP has assigned to the user, allowing the user full access to the service. The following is an example of such a rule. The user has been allocated the IP address 10.8.0.172. It is important that the rule number is lower than the blocking and redirecting rules, because rules are tried in order from the lowest rule number until a match is found. A low number ensures that the allow rule is applied when it matches, rather than any of the other rules; an allow rule numbered above 299 would never be reached, because rule 299 matches every packet first. Note also that the allow rule is keyed only on the source IP address, so it is only as strong as the ISP's control over address assignment: any host sending from 10.8.0.172 receives the same access. Traffic to ports other than TCP 80 from an unpaid user, HTTPS included, is not redirected to the payment page but simply dropped by rule 299.

ADD FIREWALL POLICY=ISP RULE=5 INTERFACE=vlan1 ACTION=ALLOW IP=10.8.0.172 PROTOCOL=ALL

If the ISP wishes to take advantage of the time-limited rules feature, allowing the user to have access for 30 minutes (TTL=0:30), the following rule would be used instead. When the TTL expires the rule is removed, and the user's traffic again falls through to rules 298 and 299.

ADD FIREWALL POLICY=ISP RULE=5 INTERFACE=vlan1 ACTION=ALLOW IP=10.8.0.172 PROTOCOL=ALL TTL=0:30
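The following is an added example, not code from the Allied Telesis manual or firmware. It models the first-match evaluation described above (rules tried from the lowest number until one matches) for the ISP policy, using the rule numbers, addresses and 30-minute TTL from the example. The Packet type, the matching fields, the default action when nothing matches and the sample destination 203.0.113.10 are assumptions made here.

```python
"""First-match evaluation of the ISP redirection policy (added example, not Allied Telesis code).

Models how a firewall policy is consulted rule by rule from the lowest number
until one matches, which is why the per-user ALLOW rule must carry a number
below the NAT (298) and DENY (299) rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ISP_WEB_SERVER = "205.1.28.6"   # GBLREMOTE of rule 298 in the manual's example


@dataclass
class Rule:
    number: int                          # RULE=...
    action: str                          # "ALLOW", "DENY" or "NAT"
    protocol: str = "ALL"                # PROTOCOL=ALL or TCP
    port: Optional[int] = None           # PORT=... (destination port)
    src: Optional[str] = None            # IP=... (source address the rule is limited to)
    gblremote: Optional[str] = None      # GBLREMOTE=... for reverse NAT
    expires_at: Optional[float] = None   # absolute expiry derived from TTL; None = permanent


@dataclass
class Packet:                            # simplified packet model (assumption)
    src: str
    dst: str
    protocol: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet, now: float) -> bool:
    """A rule matches when it has not expired and every field it sets agrees with the packet."""
    if rule.expires_at is not None and now >= rule.expires_at:
        return False                      # an expired TTL rule behaves as if it had been removed
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.protocol != "ALL":
        if rule.protocol != pkt.protocol:
            return False
        if rule.port is not None and rule.port != pkt.dport:
            return False
    return True


def evaluate(policy: List[Rule], pkt: Packet, now: float = 0.0) -> Tuple[str, str]:
    """Return (action, destination) from the first matching rule in ascending rule-number order."""
    for rule in sorted(policy, key=lambda r: r.number):
        if rule_matches(rule, pkt, now):
            if rule.action == "NAT":
                return "NAT", rule.gblremote      # redirected to the ISP's web server
            return rule.action, pkt.dst
    return "DENY", pkt.dst                        # assumption: drop when nothing matches


def isp_policy(paid_user: Optional[str] = None, allow_rule_number: int = 5,
               ttl_seconds: Optional[float] = None, now: float = 0.0) -> List[Rule]:
    """Rules 298 and 299 from the manual, plus the per-user ALLOW rule once payment is made."""
    rules = [
        Rule(298, "NAT", protocol="TCP", port=80, gblremote=ISP_WEB_SERVER),
        Rule(299, "DENY"),
    ]
    if paid_user is not None:
        expires = None if ttl_seconds is None else now + ttl_seconds
        rules.append(Rule(allow_rule_number, "ALLOW", src=paid_user, expires_at=expires))
    return rules


if __name__ == "__main__":
    # Constructed sample traffic from the user of the manual's example.
    http = Packet("10.8.0.172", "203.0.113.10", "TCP", 80)
    https = Packet("10.8.0.172", "203.0.113.10", "TCP", 443)
    print("unpaid HTTP   ->", evaluate(isp_policy(), http))                      # NAT to 205.1.28.6
    print("unpaid HTTPS  ->", evaluate(isp_policy(), https))                     # DENY, not redirected
    print("paid HTTPS    ->", evaluate(isp_policy("10.8.0.172"), https))         # ALLOW
    print("allow as 300  ->", evaluate(isp_policy("10.8.0.172", 300), http))     # NAT: 298 wins first
    timed = isp_policy("10.8.0.172", ttl_seconds=30 * 60)
    print("TTL at 31 min ->", evaluate(timed, https, now=31 * 60))               # DENY again
```

The misordered case (the allow rule added as RULE=300) is the point of the paragraph above: the rule is present and would match, but rules 298 and 299 are consulted first and one of them always matches, so the paying user never gets through.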

Further Examples

Firewall and IPsec Tunnel

Enhanced NAT can facilitate routing across an IPsec tunnel when one end of the tunnel has separate IPsec and default gateways (Figure 5 on page 20). In the following example, the router at the LAN 1 end of the tunnel has an IP address of 192.168.2.100, and the hosts at the LAN 2 end of the tunnel occupy the IP address range 192.168.1.1-192.168.1.100. The source IP address of traffic originated by LAN 1 hosts is translated to 192.168.1.53, an address belonging to LAN 2's subnet, using the following command (applied to the private eth0 interface of the LAN 1 gateway router):

ADD FIREWALL POLICY=zone1 RULE=7 ACTION=NAT NATTYPE=ENHANCED INT=eth0 PROTOCOL=all IP=192.168.2.0-192.168.2.255 REMOTEIP=192.168.1.1-192.168.1.100 GBLIP=192.168.1.53

The traffic will appear to devices on LAN 2 to originate locally. When a PC in the range 192.168.1.1-192.168.1.100 replies to a packet from a host in LAN 1 (subnet 192.168.2.0), the reply is addressed to 192.168.1.53, which the PC treats as on its own subnet, so it sends an ARP request for that address instead of forwarding the packet to its default gateway. The IPsec gateway answers that ARP request with proxy ARP, receives the reply, and routes it through the tunnel. Without the translation the reply would be addressed to 192.168.2.x, and the PC would hand it to the default gateway, which has no path into the tunnel.
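The following is an added example, not code from the Allied Telesis manual or firmware. It models the LAN 1 gateway's enhanced NAT rule and the forwarding decision a LAN 2 PC makes for its reply, to show why translating the source to a LAN 2 address makes the reply take the tunnel. The addresses and ranges are those of the example above; the /24 masks, the LAN 2 default gateway address 192.168.1.254, the per-port state table and the port allocation scheme are assumptions made here.

```python
"""Why enhanced NAT to a LAN 2 address steers replies into the IPsec tunnel
(added example, not Allied Telesis code)."""
import ipaddress
from typing import Dict, Optional, Tuple

LAN1 = ipaddress.ip_network("192.168.2.0/24")        # IP=192.168.2.0-192.168.2.255
LAN2 = ipaddress.ip_network("192.168.1.0/24")        # assumed mask of LAN 2
REMOTE_LO = ipaddress.ip_address("192.168.1.1")      # REMOTEIP range start
REMOTE_HI = ipaddress.ip_address("192.168.1.100")    # REMOTEIP range end
GBLIP = ipaddress.ip_address("192.168.1.53")         # GBLIP
LAN2_DEFAULT_GW = "192.168.1.254"                    # assumed; not on the tunnel path

Flow = Tuple[str, int]   # (address, port)


class Lan1Gateway:
    """Enhanced NAT on eth0: LAN 1 sources become GBLIP, with state kept per translated port."""

    def __init__(self) -> None:
        self._table: Dict[int, Flow] = {}   # translated port -> original (src, sport)
        self._next_port = 40000              # assumed allocation scheme

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Apply rule 7 to a packet leaving eth0; returns the translated (src, port) or None if no match."""
        if ipaddress.ip_address(src) not in LAN1:
            return None
        if not (REMOTE_LO <= ipaddress.ip_address(dst) <= REMOTE_HI):
            return None                      # destination outside REMOTEIP: not translated
        port = self._next_port
        self._next_port += 1
        self._table[port] = (src, sport)
        return str(GBLIP), port

    def inbound(self, dst: str, dport: int) -> Optional[Flow]:
        """Reverse translation for a packet arriving from the tunnel addressed to GBLIP."""
        if ipaddress.ip_address(dst) != GBLIP:
            return None
        return self._table.get(dport)


def lan2_next_hop(pc_ip: str, dst: str) -> str:
    """A LAN 2 PC delivers on-link destinations directly (after ARP), everything else via its default gateway."""
    if ipaddress.ip_address(dst) in LAN2:
        return "arp"
    return LAN2_DEFAULT_GW


def proxy_arp_answers(ip: str) -> bool:
    """The IPsec gateway on LAN 2 answers ARP for the translated address on behalf of LAN 1."""
    return ipaddress.ip_address(ip) == GBLIP


def round_trip(gw: Lan1Gateway, src: str, sport: int, pc: str, dport: int,
               use_nat: bool = True) -> Tuple[str, Optional[Flow]]:
    """Walk one request and its reply through the model.

    Returns (where the PC sends its reply, the original LAN 1 flow recovered at the
    LAN 1 gateway, or None if the reply never reaches the tunnel).
    """
    if not use_nat:
        # Reply is addressed to 192.168.2.x: off-link for the PC, so it goes to the default gateway.
        return lan2_next_hop(pc, src), None
    translated = gw.outbound(src, sport, pc, dport)
    if translated is None:
        return lan2_next_hop(pc, src), None
    gbl, port = translated
    hop = lan2_next_hop(pc, gbl)             # GBLIP is on-link, so the PC ARPs for it
    if hop == "arp" and proxy_arp_answers(gbl):
        return hop, gw.inbound(gbl, port)    # IPsec gateway takes the frame, tunnel delivers it, NAT reverses it
    return hop, None


if __name__ == "__main__":
    gw = Lan1Gateway()
    print("with NAT   ->", round_trip(gw, "192.168.2.10", 51000, "192.168.1.20", 443))
    print("without NAT->", round_trip(gw, "192.168.2.10", 51000, "192.168.1.20", 443, use_nat=False))
```

The model makes the dependency explicit: the trick only works because GBLIP falls inside the mask the LAN 2 hosts use for their own subnet and because a device on LAN 2 (the IPsec gateway) is willing to answer ARP for it; a GBLIP outside that subnet would send the reply to the default gateway exactly as if no NAT were configured.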

Allied Telesis AT-AR300, Software Release 2.3.1, C613-10325-00 REV B