FEC Onlineservices
 
Cobion Orange Content Filter for more than one LAN interface
This FAQ describes how to activate the Cobion Orange Content Filter for more than one LAN interface.
In this example a bintec R3000 with software version 7.8.4 patch 1 was used.


This example uses two physically separate networks:
  • Network A 192.168.0.0 / 24
  • Network B 192.168.1.0 / 24
To assign the Cobion Orange Filter to more than one Ethernet interface, additional entries must be created in the ipExtRtTable. All traffic from each additional interface to TCP port 80 has to be routed to the internal interface 'local' (DstIfIndex 1).

In this case an entry for the interface en1-0 (SrcIfIndex 1000) already exists, because the Cobion Orange Filter was already activated via the Setup Tool.

r3000lm:> ipextrtTable

inx Protocol(*rw)     SrcIfIndex(rw)    SrcAddr(rw)       SrcMask(rw)
    SrcPort(rw)       SrcPortRange(rw)  DstAddr(rw)       DstMask(rw)
    DstPort(rw)       DstPortRange(rw)  Tos(rw)           TosMask(rw)
    DstIfMode(rw)     DstIfIndex(rw)    NextHop(rw)       Type(-rw)
    Metric1(rw)       Metric2(rw)       Metric3(rw)       Metric4(rw)
    Metric5(rw)       Proto(rw)         Age(rw)

  0 tcp               1000              0.0.0.0           0.0.0.0
    -1                -1                0.0.0.0           0.0.0.0
    80                -1                0                 0
    always            1                 0.0.0.0           direct
    0                 0                 0                 0
    0                 local             0 02:56:39.96

r3000lm:ipExtRtTable>
The same entry has to be created for the interface en1-1 (SrcIfIndex 1100), as well as for every other interface that should be filtered.

r3000lm:ipExtRtTable> protocol=tcp srcifindex=1100 dstport=80 dstifmode=always dstifindex=1 type=direct
  1: ipExtRtProtocol.6.2( rw):         tcp
  1: ipExtRtSrcIfIndex.6.2( rw):       1100
  1: ipExtRtDstPort.6.2( rw):          80
  1: ipExtRtDstIfMode.6.2( rw):        always
  1: ipExtRtDstIfIndex.6.2( rw):       1
  1: ipExtRtType.6.2(-rw):             direct
r3000lm:ipExtRtTable>

r3000lm:ipExtRtTable> ipextrtTable

inx Protocol(*rw)     SrcIfIndex(rw)    SrcAddr(rw)       SrcMask(rw)
    SrcPort(rw)       SrcPortRange(rw)  DstAddr(rw)       DstMask(rw)
    DstPort(rw)       DstPortRange(rw)  Tos(rw)           TosMask(rw)
    DstIfMode(rw)     DstIfIndex(rw)    NextHop(rw)       Type(-rw)
    Metric1(rw)       Metric2(rw)       Metric3(rw)       Metric4(rw)
    Metric5(rw)       Proto(rw)         Age(rw)

  0 tcp               1000              0.0.0.0           0.0.0.0
    -1                -1                0.0.0.0           0.0.0.0
    80                -1                0                 0
    always            1                 0.0.0.0           direct
    0                 0                 0                 0
    0                 local             0 03:00:34.41

  1 tcp               1100              0.0.0.0           0.0.0.0
    -1                -1                0.0.0.0           0.0.0.0
    80                -1                0                 0
    always            1                 0.0.0.0           direct
    0                 0                 0                 0
    0                 netmgmt           0 03:00:34.72

r3000lm:ipExtRtTable>
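
As an added example (not part of the original FAQ and not bintec tooling), the following Python script parses a saved ipExtRtTable listing in the format shown above and reports which LAN interfaces still lack the TCP port 80 redirect to DstIfIndex 1, meaning their web traffic is not handed to the filter. The function names, the list of interface indexes passed in, and the interface index 1200 are assumptions made for illustration.

```python
import re
# Constructed input: the ipExtRtTable listing from this FAQ after the en1-1 entry was added.
SAMPLE = """\
inx Protocol(*rw)     SrcIfIndex(rw)    SrcAddr(rw)       SrcMask(rw)
    SrcPort(rw)       SrcPortRange(rw)  DstAddr(rw)       DstMask(rw)
    DstPort(rw)       DstPortRange(rw)  Tos(rw)           TosMask(rw)
    DstIfMode(rw)     DstIfIndex(rw)    NextHop(rw)       Type(-rw)
    Metric1(rw)       Metric2(rw)       Metric3(rw)       Metric4(rw)
    Metric5(rw)       Proto(rw)         Age(rw)

  0 tcp               1000              0.0.0.0           0.0.0.0
    -1                -1                0.0.0.0           0.0.0.0
    80                -1                0                 0
    always            1                 0.0.0.0           direct
    0                 0                 0                 0
    0                 local             0 03:00:34.41

  1 tcp               1100              0.0.0.0           0.0.0.0
    -1                -1                0.0.0.0           0.0.0.0
    80                -1                0                 0
    always            1                 0.0.0.0           direct
    0                 0                 0                 0
    0                 netmgmt           0 03:00:34.72
"""

def parse_ipextrt(dump):
    """Turn a multi-line ipExtRtTable listing into one dict per entry."""
    names, rows = None, []
    for block in re.split(r"\n\s*\n", dump.strip()):
        tokens = block.split()
        if tokens and tokens[0] == "inx":
            # Column names span six lines; drop the access flags such as "(rw)".
            names = [re.sub(r"\(.*?\)", "", t) for t in tokens]
        elif names and tokens and tokens[0].isdigit() and len(tokens) >= len(names):
            # Age ("0 03:00:34.41") contains a space, so it takes all trailing tokens.
            last = len(names) - 1
            rows.append(dict(zip(names, tokens[:last] + [" ".join(tokens[last:])])))
    return rows

def unfiltered_interfaces(rows, lan_ifindexes, port="80", local_ifindex="1"):
    """Return the interface indexes that have no redirect entry to 'local'."""
    covered = {r["SrcIfIndex"] for r in rows
               if r["Protocol"] == "tcp" and r["DstPort"] == port
               and r["DstIfMode"] == "always" and r["DstIfIndex"] == local_ifindex
               and r["Type"] == "direct"}
    return sorted(set(lan_ifindexes) - covered)

if __name__ == "__main__":  # 1200 is a hypothetical third LAN interface without an entry
    print(unfiltered_interfaces(parse_ipextrt(SAMPLE), ["1000", "1100", "1200"]))
```

Prompt lines such as `r3000lm:ipExtRtTable>` in a pasted listing are skipped, because only blocks that start with a numeric index are treated as entries.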

When a blocked URL is accessed, a debug message like the following is printed to the debug output (debug all&):
09:06:32 DEBUG/INET: COF: block URL(100100) http:www.bintec.de/


lm

© 2013 bintec elmeg GmbH