ates edited this page Mar 13, 2011 · 5 revisions

The IPTraffic module for serving VPN customers

Features

  • RADIUS authentication
  • Realtime traffic calculation using Netflow v5 as a traffic source
  • Flexible tariffs (subnet rules, time rules)
  • Uses a PostgreSQL database for storing users, tariff plans, RADIUS attributes and sessions
  • It's easy to add your own backends

Configuration

The following module entry should be added to the netspire.conf file:

{mod_iptraffic, [{tariffs, "tariffs.conf"}, {session_timeout, 60}, {delay_stop, 5}, {disconnect_on_shutdown, yes}]}

The default value of the session_timeout option is 60 seconds, so the option may be omitted.

The delay_stop option delays stopping the session after it closes (that is, after the Accounting-Stop packet is received), so that all remaining data from the netflow sensor can be received.

The default value of the delay_stop option is 5 seconds, so the option may be omitted.

The disconnect_on_shutdown option specifies whether clients should be disconnected from the NAS when the application shuts down.

The default value of the disconnect_on_shutdown option is yes, so the option may be omitted.

You MUST set the Acct-Interim-Interval RADIUS attribute for the client.

This attribute is required to prolong the session, and its value MUST be significantly less than session_timeout. Note that if Netspire does not receive interim updates from the NAS via RADIUS, sessions will be marked as expired and closed, regardless of their real state on the NAS.

Be aware of the Acct-Interim-Interval RADIUS attribute limitation for Linux pppd: it should be no less than 60 seconds.

You also need to load the SQL schema objects from the schema.sql file into the already created database.

How to build tariff plans

To compose the tariff plans, edit the tariffs.conf file, which is handled by the netspire-iptraffic module.

The tariffs.conf file is divided into three sections:

  1. Plans - includes a plan name, a list of classes and a price for every type of traffic
  2. Classes - describes the conditions used to match data from the netflow stream, that is, to detect whether a flow falls within a condition
  3. Periods - defines the time ranges during which a class is available

Example of the plans section that describes the Standard tariff plan:

     {plans, [
            {"Standard", [
                 {"Local Network", 0},
                 {"Internet Incomming", 0.05},
                 {"Internet Outgoing", 0.05}
      ]}]}.

Example of the three classes that are included in the Standard tariff plan:

     {classes, [
           {"Local Network", "All Day", [
                [{src, [{net, "192.168.1.0/24"}]},
                 {dst, [{net, "192.168.1.0/24"}]}]]},

           {"Internet Incomming", "All Day", [
                [{src, [{net, "0.0.0.0/0"}]},
                 {dst, [{net, "192.168.1.0/24"}]}]]},

           {"Internet Outgoing", "All Day", [
                [{src, [{net, "192.168.1.0/24"}]},
                 {dst, [{net, "0.0.0.0/0"}]}]]}
       ]}.

The classes section allows the following conditions:

  • {src, [{net, network}]}

Specifies the source address.

  • {dst, [{net, network}]}

Specifies the destination address.

  • {port, 80}

May be used in src or dst conditions to divide traffic by source or destination port, respectively.

  • {proto,tcp}

May be used to specify the protocol. The symbolic names tcp, udp and icmp are supported.

To specify a protocol that is not supported, use the numeric value of the protocol instead of a symbolic name.

For example, to write a condition that catches the GRE protocol, use number 47 as the protocol code: {proto, 47}

Be aware that traffic matching works in the order of the class definitions.

Example of the periods used in class definitions:
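Why the order matters for billing, shown as an added Python model (not Netspire's own code) using the Standard classes from this page. It assumes the first matching class wins and ignores periods, ports and protocols; `classify`, `shadowed` and the sample addresses are constructed for illustration.

```python
import ipaddress

# Prices and classes copied from the page's "Standard" plan examples.
PLAN = {"Local Network": 0, "Internet Incomming": 0.05, "Internet Outgoing": 0.05}

# (class name, src net, dst net), in the order the page defines them.
CLASSES = [
    ("Local Network", "192.168.1.0/24", "192.168.1.0/24"),
    ("Internet Incomming", "0.0.0.0/0", "192.168.1.0/24"),
    ("Internet Outgoing", "192.168.1.0/24", "0.0.0.0/0"),
]


def classify(classes, src, dst):
    """Return the first class whose src and dst nets both contain the flow.

    Assumption: first match wins, which is how this model reads
    "matching works in the order of the class definitions".
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net in classes:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return name
    return None  # the flow matches no class


def shadowed(classes):
    """Return (earlier, later) pairs where the earlier class covers every flow
    of the later one, so the later class can never match."""
    out = []
    for i, (early, es, ed) in enumerate(classes):
        for late, ls, ld in classes[i + 1:]:
            if (ipaddress.ip_network(ls).subnet_of(ipaddress.ip_network(es))
                    and ipaddress.ip_network(ld).subnet_of(ipaddress.ip_network(ed))):
                out.append((early, late))
    return out


if __name__ == "__main__":
    lan_flow = ("192.168.1.10", "192.168.1.20")  # constructed sample flow
    misordered = [CLASSES[1], CLASSES[0], CLASSES[2]]  # broad class listed first
    for label, order in (("page order", CLASSES), ("misordered", misordered)):
        name = classify(order, *lan_flow)
        print(label, "->", name, "price", PLAN[name], "shadowed:", shadowed(order))
```

With the broad 0.0.0.0/0 class listed first, LAN-to-LAN traffic is charged at the Internet price and the "Local Network" class never matches.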

     {periods,
          [{"All Day", "00:00:00-23:59:59"}]
     }.

You can also specify a list of days for a period:

     {periods,
           [{"Weekend", [6, 7], "00:00:00-23:59:59"}]
     }.

After editing the tariffs, you need to ask Netspire to reload them so that the new ones are used.

To do this, connect to the Netspire node and execute the command below:

     iptraffic_tariffs:reload("tariffs.conf").

You can find a complex example of tariff plans with several classes and periods in the tariffs.conf.sample file.
