Re: [vpp-dev] Question regarding captive portal
Hi,

Could you please provide packet trace?

Matus

-----Original Message-----
From: Carlito Nueno
Sent: Friday, January 4, 2019 10:34 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco)
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Question regarding captive portal

Hi Matus,

Thanks for the info. But I am not able to get it working. tcp 80 packets are not reaching the http server on tap-interface. Only way it's working is if I rewrite DNS to point all domain requests to 192.168.2.2.

I am running nat-plugin in endpoint-dependent mode. All tcp 80 packets from clients connected to GigabitEthernet4/0/0.4 should be sent to tap4.

Here are my configs:

startup.conf:

unix {
  nodaemon
  log /var/log/vpp/vpp.log
  full-coredump
  cli-listen /run/vpp/cli.sock
  gid vpp
  startup-config /home/test/vpp.conf
}
api-trace { on }
api-segment { gid vpp }
cpu { main-core 2 corelist-workers 3 }
nat { endpoint-dependent }
dpdk { num-mbufs 32768 uio-driver auto }

vpp.conf:

set int state GigabitEthernet2/0/0 up
...
...
set int state GigabitEthernet4/0/0 up
...
...
create loopback interface instance 4
set int l2 bridge loop4 4 bvi
set int ip address loop4 192.168.2.1/24
set int state loop4 up
create sub GigabitEthernet4/0/0 4
set int l2 bridge GigabitEthernet4/0/0.4 4
set int l2 tag-rewrite GigabitEthernet4/0/0.4 pop 1
set int state GigabitEthernet4/0/0.4 up
create tap id 4 host-ip4-addr 192.168.2.2/24 host-if-name guest
set int l2 bridge tap4 4
set int state tap4 up
set interface nat44 in tap4 out GigabitEthernet4/0/0.4
nat44 add static mapping tcp local 192.168.2.2 80 external GigabitEthernet4/0/0.4 80 out2in-only
nat44 add interface address GigabitEthernet2/0/0
set interface nat44 in loop1 in loop2 in loop3 in loop4 out GigabitEthernet2/0/0

Thank you and Happy New Year!

On Tue, Jan 1, 2019 at 10:23 PM Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) wrote:
>
> Hi,
>
> Run NAT plugin in endpoint-dependent mode (add following to startup config
> “nat { endpoint-dependent }”), enable NAT feature “set interface nat44 in
> tap3 out GigabitEthernet4/0/0” and create static mapping “nat44 add static
> mapping tcp local 192.168.1.2 80 external GigabitEthernet4/0/0 80
> out2in-only”.
>
> Matus
>
> From: vpp-dev@lists.fd.io On Behalf Of carlito nueno
> Sent: Friday, December 28, 2018 10:52 PM
> To: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] Question regarding captive portal
>
> NAT might be the right way to achieve this.
>
> This is the command I used with iptables:
> iptables -t nat -A eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
>
> What is a similar command on VPP-NAT when I am trying to send port 80 traffic
> from main interface to tap-device:
> main interface: GigabitEthernet4/0/0
> tap id: 3 (tap3) with address 192.168.1.2 and host-if-name tapcap
>
> Thanks

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#11848): https://lists.fd.io/g/vpp-dev/message/11848
Mute This Topic: https://lists.fd.io/mt/28506160/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [vpp-dev] Question regarding captive portal
Hi Matus,

Thanks for the info. But I am not able to get it working. tcp 80 packets are not reaching the http server on tap-interface. Only way it's working is if I rewrite DNS to point all domain requests to 192.168.2.2.

I am running nat-plugin in endpoint-dependent mode. All tcp 80 packets from clients connected to GigabitEthernet4/0/0.4 should be sent to tap4.

Here are my configs:

startup.conf:

unix {
  nodaemon
  log /var/log/vpp/vpp.log
  full-coredump
  cli-listen /run/vpp/cli.sock
  gid vpp
  startup-config /home/test/vpp.conf
}
api-trace { on }
api-segment { gid vpp }
cpu { main-core 2 corelist-workers 3 }
nat { endpoint-dependent }
dpdk { num-mbufs 32768 uio-driver auto }

vpp.conf:

set int state GigabitEthernet2/0/0 up
...
...
set int state GigabitEthernet4/0/0 up
...
...
create loopback interface instance 4
set int l2 bridge loop4 4 bvi
set int ip address loop4 192.168.2.1/24
set int state loop4 up
create sub GigabitEthernet4/0/0 4
set int l2 bridge GigabitEthernet4/0/0.4 4
set int l2 tag-rewrite GigabitEthernet4/0/0.4 pop 1
set int state GigabitEthernet4/0/0.4 up
create tap id 4 host-ip4-addr 192.168.2.2/24 host-if-name guest
set int l2 bridge tap4 4
set int state tap4 up
set interface nat44 in tap4 out GigabitEthernet4/0/0.4
nat44 add static mapping tcp local 192.168.2.2 80 external GigabitEthernet4/0/0.4 80 out2in-only
nat44 add interface address GigabitEthernet2/0/0
set interface nat44 in loop1 in loop2 in loop3 in loop4 out GigabitEthernet2/0/0

Thank you and Happy New Year!

On Tue, Jan 1, 2019 at 10:23 PM Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) wrote:
>
> Hi,
>
> Run NAT plugin in endpoint-dependent mode (add following to startup config
> “nat { endpoint-dependent }”), enable NAT feature “set interface nat44 in
> tap3 out GigabitEthernet4/0/0” and create static mapping “nat44 add static
> mapping tcp local 192.168.1.2 80 external GigabitEthernet4/0/0 80
> out2in-only”.
>
> Matus
>
> From: vpp-dev@lists.fd.io On Behalf Of carlito nueno
> Sent: Friday, December 28, 2018 10:52 PM
> To: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] Question regarding captive portal
>
> NAT might be the right way to achieve this.
>
> This is the command I used with iptables:
> iptables -t nat -A eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
>
> What is a similar command on VPP-NAT when I am trying to send port 80 traffic
> from main interface to tap-device:
> main interface: GigabitEthernet4/0/0
> tap id: 3 (tap3) with address 192.168.1.2 and host-if-name tapcap
>
> Thanks

View/Reply Online (#11842): https://lists.fd.io/g/vpp-dev/message/11842
Re: [vpp-dev] Question regarding captive portal
Hi,

Run NAT plugin in endpoint-dependent mode (add following to startup config “nat { endpoint-dependent }”), enable NAT feature “set interface nat44 in tap3 out GigabitEthernet4/0/0” and create static mapping “nat44 add static mapping tcp local 192.168.1.2 80 external GigabitEthernet4/0/0 80 out2in-only”.

Matus

From: vpp-dev@lists.fd.io On Behalf Of carlito nueno
Sent: Friday, December 28, 2018 10:52 PM
To: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Question regarding captive portal

NAT might be the right way to achieve this.

This is the command I used with iptables:
iptables -t nat -A eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2

What is a similar command on VPP-NAT when I am trying to send port 80 traffic from main interface to tap-device:
main interface: GigabitEthernet4/0/0
tap id: 3 (tap3) with address 192.168.1.2 and host-if-name tapcap

Thanks

View/Reply Online (#11814): https://lists.fd.io/g/vpp-dev/message/11814
Re: [vpp-dev] Question regarding captive portal
I couldn't find anything under NAT to make this work. I tried the following:

set int state GigabitEthernet4/0/0 up
...
...
loopback create
set int l2 bridge loop4 4 bvi
set int ip address loop4 192.168.2.1/24
set int state loop4 up
create sub GigabitEthernet4/0/0 4
set int l2 bridge GigabitEthernet4/0/0.4 4
set int l2 tag-rewrite GigabitEthernet4/0/0.4 pop 1
set int state GigabitEthernet4/0/0.4 up
set punt tcp 80
create tap id 4 host-ip4-addr 192.168.2.2/24 host-if-name lguest
set int l2 bridge tap4 4
set int state tap4 up
ip punt redirect add rx GigabitEthernet4/0/0.4 via tap4

I am trying to send tcp port 80 traffic from GigabitEthernet4/0/0.4 (VLAN 4 interface) to tap-device tap4 where a server is listening. But I am receiving this message:

vnet_punt_add_del: punt TCP/SCTP ports is not supported yet

I am using: VPP version: v18.10-rc2~16

Thank you.

On Fri, Dec 28, 2018 at 1:52 PM carlito nueno via Lists.Fd.Io wrote:
>
> NAT might be the right way to achieve this.
>
> This is the command I used with iptables:
> iptables -t nat -A eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
>
> What is a similar command on VPP-NAT when I am trying to send port 80 traffic
> from main interface to tap-device:
> main interface: GigabitEthernet4/0/0
> tap id: 3 (tap3) with address 192.168.1.2 and host-if-name tapcap
>
> Thanks

View/Reply Online (#11806): https://lists.fd.io/g/vpp-dev/message/11806
Re: [vpp-dev] Question regarding captive portal
NAT might be the right way to achieve this.

This is the command I used with iptables:
iptables -t nat -A eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2

What is a similar command on VPP-NAT when I am trying to send port 80 traffic from main interface to tap-device:
main interface: GigabitEthernet4/0/0
tap id: 3 (tap3) with address 192.168.1.2 and host-if-name tapcap

Thanks

View/Reply Online (#11790): https://lists.fd.io/g/vpp-dev/message/11790
Re: [vpp-dev] Question regarding captive portal
In this case, you can consider using vpp nat.

https://wiki.fd.io/view/VPP/NAT

I have not verified it. Please update me if it works. ☺

Ping

From: vpp-dev@lists.fd.io [mailto:vpp-dev@lists.fd.io] On Behalf Of carlito nueno
Sent: Friday, December 28, 2018 12:36 PM
To: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Question regarding captive portal

Sorry I wasn't clear: VPP is the gateway in my case. So when a request comes from a client to VPP, how can I redirect that request (in VPP) to an application on the linux host? Application is listening on a tap device on port 80.

Thanks

View/Reply Online (#11784): https://lists.fd.io/g/vpp-dev/message/11784
Re: [vpp-dev] Question regarding captive portal
Sorry I wasn't clear: VPP is the gateway in my case. So when a request comes from a client to VPP, how can I redirect that request (in VPP) to an application on the linux host? Application is listening on a tap device on port 80.

Thanks

View/Reply Online (#11783): https://lists.fd.io/g/vpp-dev/message/11783
Re: [vpp-dev] Question regarding captive portal
Hi Yu,

Option 2: Can you help me understand how I can simulate man in the middle? The request goes from client to gateway, which is VPP in my case. How can I use VPP to do this?

Thanks.

View/Reply Online (#11782): https://lists.fd.io/g/vpp-dev/message/11782
Re: [vpp-dev] Question regarding captive portal
There are two solutions.

1) DNS level: Set your own DNS server, and hijack all DNS and point to your server.

2) IP and http: When the gateway gets a request from a client to google.com, you can simulate “man in the middle” to syn/ack to the client, and talk with the client to provide a 302 redirect to the client. You can either use VPP host stack to get the http request.

From: vpp-dev@lists.fd.io [mailto:vpp-dev@lists.fd.io] On Behalf Of carlito nueno
Sent: Friday, December 28, 2018 8:59 AM
To: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Question regarding captive portal

Hi all,

After more research, I found that most devices test connectivity by issuing an HTTP GET request, e.g. to captive.apple.com or connectivitycheck.gstatic.com/generate_204. How do I catch this http request and respond with a 302 redirect that redirects the user to the LAN IP address: 192.168.1.2:80/index.html?

thanks! Happy holidays :)

View/Reply Online (#11781): https://lists.fd.io/g/vpp-dev/message/11781
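Option 2 above ends at a portal process on the tap interface that answers the client's probe with a 302. The following is an added Python example, not code from the thread or from VPP, of what that process has to do once the NAT/punt redirect delivers the TCP/80 flow: answer any probe (e.g. connectivitycheck.gstatic.com/generate_204) with a 302 to 192.168.1.2:80/index.html, and serve the portal host itself with 200. The portal address is the one from the thread; the `url=` query parameter, the placeholder index page and the `serve()` loop are my assumptions.

```python
import socket
from urllib.parse import quote

PORTAL = "192.168.1.2:80"      # portal address from the thread (host:port)
PORTAL_PATH = "/index.html"    # landing page from the thread


def _response(code, reason, headers, body):
    """Serialize one HTTP/1.1 response; Connection: close keeps the server stateless."""
    hdrs = {"Content-Length": str(len(body)), "Connection": "close", **headers}
    head = f"HTTP/1.1 {code} {reason}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
    return head.encode("latin-1") + b"\r\n" + body


def captive_response(request: bytes) -> bytes:
    """Build the raw response for one client request arriving on the portal port.

    Any Host other than the portal itself is a redirected connectivity probe or
    page load, so it gets a 302 to the portal page. Cache-Control: no-store
    matters: a cached 302 would keep redirecting the client after it has logged in.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return _response(400, "Bad Request", {}, b"bad request")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:]) if k}
    host = headers.get("host", "")
    if host in (PORTAL, PORTAL.split(":")[0]):
        body = b"<html><body>Captive portal placeholder (assumed page)</body></html>"
        return _response(200, "OK", {"Content-Type": "text/html"}, body)
    # Carry the original destination so the portal can return the client there later.
    original = f"http://{host}{target}"
    location = f"http://{PORTAL}{PORTAL_PATH}?url={quote(original, safe='')}"
    return _response(302, "Found", {"Location": location, "Cache-Control": "no-store"}, b"")


def serve(bind="192.168.1.2", port=80):
    """Minimal blocking server bound to the tap address; one request per connection."""
    with socket.socket() as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind, port))
        s.listen()
        while True:
            conn, _ = s.accept()
            with conn:
                conn.sendall(captive_response(conn.recv(65536)))
```

Only the redirect logic is exercised below; `serve()` needs the tap address configured on the host as in the thread.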
Re: [vpp-dev] Question regarding captive portal
Hi all,

After more research, I found that most devices test connectivity by issuing an HTTP GET request, e.g. to captive.apple.com or connectivitycheck.gstatic.com/generate_204. How do I catch this http request and respond with a 302 redirect that redirects the user to the LAN IP address: 192.168.1.2:80/index.html?

thanks! Happy holidays :)

View/Reply Online (#11780): https://lists.fd.io/g/vpp-dev/message/11780
[vpp-dev] Question regarding captive portal
Hi all,

GigabitEthernet4/0/0 = LAN interface - 192.168.1.1
Tap1 = tap interface - 192.168.1.2
Clients connected to LAN interface - 192.168.1.100 - 200
GigabitEthernet5/0/0 = WAN interface

I want to redirect any traffic (tcp or udp) from clients (192.168.1.100 - 200) to a server running locally on the tap1 interface (192.168.1.2:80). This local server is a captive portal server.

Example:
Client visits google.com in a browser
Instead of the browser showing google.com, it is shown 192.168.1.2:80/index.html

How do I accomplish this? I came across ip punt redirect, but I am not familiar with it.

Thanks for the help.

View/Reply Online (#11466): https://lists.fd.io/g/vpp-dev/message/11466