Developers guide

Chapter 5

Configuration 27

[192.168.3.0]

netmask=255.255.255.0

gateway=192.168.3.1

next_hop=

domain-name=isolation.example.com

dns=192.168.3.1

dhcp_start=192.168.3.10

dhcp_end=192.168.3.200

dhcp_default_lease_time=300

dhcp_max_lease_time=600

type=vlan-isolation

named=enabled

dhcpd=enabled

[192.168.20.0]

netmask=255.255.255.0

gateway=192.168.20.254

next_hop=192.168.2.254

domain-name=registration.example.com

dns=192.168.2.1

dhcp_start=192.168.20.10

dhcp_end=192.168.20.200

dhcp_default_lease_time=300

dhcp_max_lease_time=600

type=vlan-registration

named=enabled

dhcpd=enabled

[192.168.30.0]

netmask=255.255.255.0

gateway=192.168.30.254

next_hop=192.168.3.254

domain-name=isolation.example.com

dns=192.168.3.1

dhcp_start=192.168.30.10

dhcp_end=192.168.30.200

dhcp_default_lease_time=300

dhcp_max_lease_time=600

type=vlan-isolation

named=enabled

dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server

(dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually

configure their DNS settings to escape the portal. To prevent this you will need to apply an ACL on the

access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network: