5 Replies Latest reply: Dec 27, 2010 12:07 PM by David L. Huxtable
David L. Huxtable, Level 1 (35 points)
I have a set of Mac OS X 10.6.5 client systems that are connected to both ethernet and wireless networks. I need to restrict internet access while the clients are connected to the ethernet connection and allow unrestricted access while on the wireless network.

I currently ask that the users turn on/off AirPort (highest priority network) to change to the ethernet network, but they obviously forget.

I do not have total control over the networks themselves, but it occurred to me that I may be able to use a local Mac OS X 10.6.5 server as a DNS server that could be used in the ethernet configuration on the client machines; and perhaps THAT could redirect traffic to any other domains to an error page.

I only want the clients (while connected to the ethernet network) to be able to visit "http://approved-domain.com" or any of the various "http://*.approved-domain.com" sub-domains that exist.

Again, I know it would be easier with control of the network/router itself, but I don't and am hoping for a workable solution without it.

A whitelist through a DNS server seemed like a good idea. Is it possible? How might I set it up?

Mac OS X (10.6.5)
  • Camelot, Level 8 (46,315 points)
    That's an unusual configuration, so this might take some iterating to get right.

    However, I think the answer relies largely on how you, as the server, determine which connection the clients are using.

    If you have a specific set of IP addresses assigned to wired clients, and a different set for wireless clients, then that might be a viable approach, otherwise how are you supposed to know which interface any given user is accessing?

    That said, the missing part of your information relates to whether approved-domain.com should be accessible via the wireless network or not?

    Depending on the answer to that question I can see a couple of options. DNS might be an option, but there is no way, via DNS, to "... redirect traffic to any other domains to an error page". DNS deals purely in mapping IP addresses to hostnames (and vice versa). There is no concept of 'redirecting' or 'error pages' in DNS, since the lookup of any hostname is far removed from whatever service you might want to access on the resulting IP address.

    One other option might be a proxy server - the proxy server can have access control rules that dictate who can access which sites (including at what times of day if you so desire). It can also ask for authentication so you can track which valid users are using it.
    In this way you might be able to say that certain clients are able to access approved-domain.com, while other clients can access any site, but this is largely limited to web traffic (e.g. there's no simple control for email services, file services, etc.)

    So if you can provide a little more detail I'm sure we can work through these options.
  • David L. Huxtable, Level 1 (35 points)
    Ok, so the wired and wireless networks are completely different/distinct networks, so they certainly have different IP addresses assigned to the client based on which interface (network) is being used.

    The wired connection has static IPs assigned. The wireless connection uses DHCP to assign IPs.

    Access to http://approved-domain.com does not need to be restricted as part of this effort, as the wireless network already prevents access to http://approved-domain.com.

    I would only need to limit web traffic, so perhaps the proxy server would suffice?
  • David L. Huxtable, Level 1 (35 points)
    My real goal is more about limiting bandwidth usage over the ethernet network. I tried using ipfw on the clients, but that limited throughput on all networks ports.

    I know it seems backwards, but the managed ethernet connection has far less bandwidth than the wireless connection. When clients use the ethernet connection for streaming media or large file downloads, the wired network comes to a crawl for everyone. The wired network only really needs to access http://approved-domain.com, and all other types of traffic are fine for the wireless network.

    If I can set up a proxy service that effectively makes a whitelist for the wired connection that only permits access to http://approved-domain.com and its sub-domains, I'd be set. Even if the wired connection does not redirect, the users would at least know to turn on the AirPort connection at that point.

    Or, if I could find a way to limit throughput for only the wired connection while leaving the wireless wide-open, that could work as well.
  • Camelot, Level 8 (46,315 points)
    "The wired network only really needs to access http://approved-domain.com and all other types of traffic are fine for the wireless network"

    Oh, well that's radically easier - there may be no need to go to huge lengths here, and users can leave both links active if it's set up correctly - the OS will automatically choose the wired link for approved-domain.com and the wireless link for everything else.

    The simplest solution is just DNS - assuming that the approved-domain.com addresses are on the same LAN subnet as the client's ethernet port, all you need to do is set up DNS such that it hands out the LAN address of those services and you're done.

    You see, whenever the client tries to access a server it looks at the destination IP address to work out how to get there. The first thing it checks is whether the IP address is on the same subnet as a link on the client itself. If it is, then the connection uses that link. If it isn't, then it checks to see if it has a static route for the target IP address, and if that fails it sends it to the default gateway address (that's why it's called the default gateway - all traffic that doesn't have a more direct route will take that path).

    So as long as your DNS server hands out the LAN address for approved-domain.com there shouldn't be anything more you need to do. Do you have any control over the DNS server for your LAN, or can you change your LAN clients to use a different DNS server that you do control? Those will be important elements in using DNS to manage this setup.
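As an added illustration (not code from the thread or from Apple), this Python simulates the link-selection order described in the reply above and shows how the DNS answer decides which link approved-domain.com traffic takes once both links stay active. All interface names, addresses and DNS records are constructed examples.

```python
import ipaddress

# Constructed client setup modelled on the thread: a wired port with a static
# address and an AirPort port on DHCP. All addresses are made up.
INTERFACES = {
    "en0 (wired)": ipaddress.ip_interface("10.20.30.40/24"),
    "en1 (AirPort)": ipaddress.ip_interface("192.168.1.55/24"),
}
STATIC_ROUTES = {}            # e.g. {"10.21.0.0/16": "en0 (wired)"}
DEFAULT_LINK = "en1 (AirPort)"  # highest-priority service owns the default gateway


def choose_link(dst, interfaces=INTERFACES, static_routes=STATIC_ROUTES,
                default_link=DEFAULT_LINK):
    """Return (link, reason) for a destination, in the order the reply describes."""
    dst = ipaddress.ip_address(dst)
    # 1. Directly connected subnet: a link whose own network contains dst wins.
    for link, iface in interfaces.items():
        if dst in iface.network:
            return link, "connected"
    # 2. Static route: longest matching prefix wins.
    best = None
    for prefix, link in static_routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, link)
    if best is not None:
        return best[1], f"static route {best[0]}"
    # 3. Everything else goes to the default gateway.
    return default_link, "default gateway"


# Two constructed DNS views: the existing resolver answers with a public
# address; the locally controlled one answers with the host's wired-LAN address.
PUBLIC_DNS = {"approved-domain.com": "203.0.113.10"}
LOCAL_DNS = {"approved-domain.com": "10.20.30.200",
             "files.approved-domain.com": "10.20.30.201",
             "video.example.net": "198.51.100.7"}


def resolve_and_route(hostname, dns_view):
    """Look the name up in one DNS view and report the link the client would use."""
    addr = dns_view[hostname]
    link, reason = choose_link(addr)
    return addr, link, reason


if __name__ == "__main__":
    for name in LOCAL_DNS:
        print(name, "->", resolve_and_route(name, LOCAL_DNS))
    print("approved-domain.com via existing DNS ->",
          resolve_and_route("approved-domain.com", PUBLIC_DNS))
```

With the local view, only the approved-domain.com hosts land on the wired link; the public answer for the same name would send that traffic out over AirPort, which is why the DNS server the client uses matters.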
  • David L. Huxtable, Level 1 (35 points)
    While I do not have control over the existing DNS server, I can change the DNS server the client uses and have access to Mac OS X 10.6.5 servers on the local network.

    Will wildcards be an option for routing traffic? All the traffic on the wired connection for http://approved-domain.com will have a common IP address in the format of XX.XX.. where the "XX" represents the actual IP number and the "*" represents any other combination. I imagine it would be an easier setup with less troubleshooting if I can use the wildcards.