ricocode
September 12th, 2008, 10:49 AM
I'm trying to develop a program similar to the Captive Portals that are in common use for wireless networks, but this one is for a LAN.
The idea is that there is a gateway computer. On one side of the gateway is the internet, and on the other side is the LAN.
The LAN computers must be authenticated to access the internet, and there are various forms of authentication, including browser-based logins etc. Just ignore this authentication issue for now and assume that some LAN IP addresses (or MAC addresses) are allowed to access the internet and some are not.
Here's how I plan to go about this:
1) I wrote a small DHCP server that gives IP addresses to the LAN computers and sets their default gateway to the GATEWAY computer.
2) I am using WinPcap to capture packets on the gateway computer. If the packets come from an authenticated IP/MAC address, then the packet is forwarded on to the destination using WinPcap to send the packet.
3) I am using network address translation (NAT) to route the packets from LAN computers to the internet and vice-versa, just as a router would.
So I have a few questions and some problems.
1) Is this the right way to do things (e.g. using WinPcap and NAT) or is there a simpler way to instruct the operating system to forward only the packets from authenticated computers?
2) It seems that the Microsoft operating system will not allow me to route TCP packets in this manner, because the operating system will make automatic replies to internet computers. (see this article: http://www.codeguru.com/forum/showthread.php?t=320739)
So it appears that I need to filter packets at a lower level, where I can intercept them before they hit the TCP/IP stack.
If anyone has any suggestions or answers, please let me know.
Thanks so much for taking the time to read all this!!
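The per-frame decision that step 2 of the plan describes, written out as an added example (this is not the poster's code and does not use WinPcap; it only shows the allow/drop logic that would sit behind the capture callback). It parses the Ethernet and IPv4 headers of a captured frame and forwards only when both the source MAC and the source IP match one client that has completed the login step. The client table, MAC addresses and IP addresses are constructed for the example; the frame builder exists only so the logic can be exercised offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN      14
#define IPV4_MIN_HDR_LEN 20
#define ETHERTYPE_IPV4   0x0800

enum verdict { VERDICT_DROP = 0, VERDICT_FORWARD = 1 };

/* One LAN client as the gateway knows it: the MAC and IP the DHCP server
 * handed out, plus whether the browser login has been completed. */
struct client {
    uint8_t  mac[6];
    uint32_t ip;            /* host byte order */
    int      authenticated; /* 1 once the portal login succeeded */
};

/* Constructed sample table (hypothetical addresses, not from the thread). */
static const struct client clients[] = {
    { {0x00,0x11,0x22,0x33,0x44,0x55}, 0xC0A80A0Au, 1 }, /* 192.168.10.10, logged in */
    { {0x00,0x11,0x22,0x33,0x44,0x66}, 0xC0A80A0Bu, 0 }, /* 192.168.10.11, not yet   */
};
#define NUM_CLIENTS (sizeof clients / sizeof clients[0])

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decide whether a frame captured on the LAN interface may be forwarded
 * toward the internet. Both the source MAC and the source IP must belong
 * to one authenticated client: either value alone is easy to forge on a
 * LAN, so checking the pair raises the bar without extra state. */
int gateway_verdict(const uint8_t *frame, size_t len) {
    if (len < ETH_HDR_LEN + IPV4_MIN_HDR_LEN)
        return VERDICT_DROP;                      /* truncated frame */
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return VERDICT_DROP;                      /* only IPv4 is routed here */
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if ((ip[0] >> 4) != 4 || ihl < IPV4_MIN_HDR_LEN || len < ETH_HDR_LEN + ihl)
        return VERDICT_DROP;                      /* malformed IPv4 header */
    const uint8_t *src_mac = frame + 6;
    uint32_t src_ip = read_be32(ip + 12);
    for (size_t i = 0; i < NUM_CLIENTS; i++) {
        if (clients[i].ip == src_ip && memcmp(clients[i].mac, src_mac, 6) == 0)
            return clients[i].authenticated ? VERDICT_FORWARD : VERDICT_DROP;
    }
    return VERDICT_DROP;                          /* unknown MAC/IP pair */
}

/* Build a minimal Ethernet + IPv4 frame (no payload) so the verdict
 * function can be exercised without a capture library. */
size_t build_frame(uint8_t *buf, const uint8_t src_mac[6],
                   uint32_t src_ip, uint16_t ethertype) {
    memset(buf, 0, ETH_HDR_LEN + IPV4_MIN_HDR_LEN);
    memset(buf, 0xFF, 6);                         /* dst MAC: placeholder */
    memcpy(buf + 6, src_mac, 6);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)ethertype;
    uint8_t *ip = buf + ETH_HDR_LEN;
    ip[0] = 0x45;                                 /* version 4, IHL 5 */
    ip[3] = IPV4_MIN_HDR_LEN;                     /* total length */
    ip[8] = 64;                                   /* TTL */
    ip[9] = 6;                                    /* protocol: TCP */
    ip[12] = (uint8_t)(src_ip >> 24); ip[13] = (uint8_t)(src_ip >> 16);
    ip[14] = (uint8_t)(src_ip >> 8);  ip[15] = (uint8_t)src_ip;
    ip[16] = 198; ip[17] = 51; ip[18] = 100; ip[19] = 1; /* dst: TEST-NET-2 address */
    return ETH_HDR_LEN + IPV4_MIN_HDR_LEN;
}

int main(void) {
    uint8_t buf[64];
    const uint8_t mac_a[6] = {0x00,0x11,0x22,0x33,0x44,0x55};
    size_t n = build_frame(buf, mac_a, 0xC0A80A0Au, ETHERTYPE_IPV4);
    printf("authenticated client: %s\n",
           gateway_verdict(buf, n) == VERDICT_FORWARD ? "forward" : "drop");
    return 0;
}
```

This only covers the decision; it does not address question 2. A capture library such as WinPcap receives a copy of each frame and cannot stop the host's own TCP/IP stack from also processing it, which is why the stack keeps answering on its own and why intercepting below the stack (a filter driver) is the usual route for a gateway of this kind.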