Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring HTTP Redirect Services Using an Interface-Specific Filter and Attaching It to a Static Interface

    This example shows how to configure HTTP redirect services using an interface-specific filter and attaching it to a static interface.

    Requirements

    This example uses the following hardware and software components:

    • MX240, MX480, or MX960 3D Universal Edge Router with a Multiservices Modular PIC Concentrator (MS-MPC) and Multiservices Modular Interfaces Card (MS-MIC) installed.
    • Junos OS Release 15.1 or later.

    Before you begin:

    • Configure the connection between the redirect server and the MS Series router.
    • Define the source address (203.0.113.0/24 is used in this example).
    • Define the one or more interfaces used for subscriber traffic.

    Overview

    HTTP redirect and rewrite services are supported for both IPv4 and IPv6. You can attach an HTTP redirect service or service set to either a static or dynamic interface. For dynamic subscriber management, you can attach HTTP services or service sets dynamically at subscriber login or by using a change of authorization (CoA). Using an interface-specific filter method, you can configure HTTP redirect services and attach it to a static interface.

    Configuration

    To configure HTTP redirect services using an interface-specific filter and attach it to a static interface, perform these tasks:

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, and then copy and paste the commands into the CLI.

    [edit]set chassis fpc 1 pic 0 adaptive-services service-packageset chassis fpc 1 pic 0 adaptive-services service-package extension-provideredit chassis fpc 1 pic 0 adaptive-services service-package extension-providerset package jservices-cpcdset syslog daemon anyset syslog external any
    [edit]set interfaces ge-0/0/1 vlan-taggingset interfaces ge-0/0/1 unit 900 vlan-id 900set interfaces ge-0/0/1 unit 900 vlan-id 900 family inetedit interfaces ge-0/0/1 unit 900 vlan-id 900 family inet serviceset input service-set http-redirect-sset service-filter http-redirect-sfilterset output service-set http-redirect-sset
    [edit]edit firewall family inetedit filter redirect-in interface-specificset term DNSset term DNS from destination-port 53set term DNS then acceptset term Wall-Gardenset term Wall-Garden from destination-address 192.168.220.1/24set term Wall-Garden from destination-address 192.168.220.2/24set term Wall-Garden from destination-address 192.168.14.1/32set term Wall-Garden from destination-address 192.168.18.1/32set term Wall-Garden then count Wall-Gardenset term Wall-Garden then acceptset term HTTPset term HTTP from protocol tcpset term HTTP from destination-port httpset term HTTP then count HTTPset term HTTP then acceptset term DROP_ALLset term DROP_ALL then discardedit service-filter http-redirect-sfilterset term 1set term 1 from source-address 203.0.113.0/24set term 1 from destination-address 192.168.11.1/32set term 1 then skipset term 2set term 2 from source-address 203.0.113.0/24set term 2 from protocol tcpset term 2 from destination-port 8080set term 2 then count SVC-HTTPset term 2 then serviceset term 3 then discard
    [edit]edit services captive-portal-content-deliveryedit rule redirectset match-direction inputset term 1 then redirect http://redirection-portal/redirection/edit services captive-portal-content-deliveryedit profile http-redirectset cpcd-rules redirectedit services service-set http-redirect-ssetset captive-portal-content-delivery-profile http-redirectset interface-service service-interface ms-11/0/0

    Configuring the Package and Installation for Captive Portal Content Delivery

    Step-by-Step Procedure

    The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    1. Configure Junos OS to support a service package on an adaptive services interface on a MX Series 3D Universal Edge Router with MS-MPCs/MS-MICs.

      [edit chassis]
      user@host# set fpc 1 pic 0 adaptive-services service-package

    2. Configure an application on a PIC. When the extension-provider statement is first configured, the PIC reboots.

      [edit chassis fpc 1 pic 0 adaptive-services service-package]
      user@host# set extension-provider

    3. Install and configure the captive portal content delivery package on the PIC.

      [edit chassis fpc 1 pic 0 adaptive-services service-package extension-provider]
      user@host# set package jservices-cpcd

      Note: Up to eight packages can be installed on a PIC; however, only one data package can be on a PIC.

    4. Enable PIC system logging to record or view system log messages on a specific PIC by including all daemons and external processes.

      [edit chassis fpc 1 pic 0 adaptive-services service-package extension-provider]
      user@host# set syslog daemon any
      user@host# set syslog external any

    Results

    From configuration mode, confirm your configuration by entering the show chassis command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]root@host# show chassis
    fpc 1 {pic 0 {adaptive-services {service-package {extension-provider {package jservices-cpcd;syslog {daemon any;external any;}}}}}}

    If you are done configuring the device, enter commit from configuration mode.

    Configuring the Static Interface and HTTP Redirect Filters

    Step-by-Step Procedure

    The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    1. Configure a Gigabit Ethernet interface and enable the reception and transmission of 802.1Q VLAN-tagged frames on the interface.

      [edit interfaces]
      user@host# set ge-0/0/1 vlan-tagging

    2. Configure a unit and assign a VLAN ID to the logical interface.

      [edit interfaces ge-0/0/1]
      user@host# set unit 900 vlan-id 900

    3. Configure an IPv4 family.

      [edit interfaces ge-0/0/1 unit 900 vlan-id 900]
      user@host# set family inet

    4. Configure input and output service sets and filters to apply to the interface.

      [edit interfaces ge-0/0/1 unit 900 vlan-id 900 family inet service]
      user@host# set input service-set http-redirect-sset service-filter http-redirect-sfilter
      user@host# set output service-set http-redirect-sset

    Results

    From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]root@host# show interfaces
    ge-0/0/1 {unit 900 {vlan-id 900;family inet {service {input {service-set http-redirect-sset service-filter http-redirect-sfilter;}output {service-set http-redirect-sset;}}}}}

    If you are done configuring the device, enter commit from configuration mode.

    Configuring the Service Options, the Interface-Specific Filter, and the Service Filter

    Step-by-Step Procedure

    The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    1. Create a family for the service filter under the [edit firewall] hierarchy.

      [edit firewall]
      user@host# set family inet

    2. Create an interface-specific filter for redirecting traffic for the walled garden.

      [edit firewall family inet]
      user@host# set filter redirect-in interface-specific

    3. Create the first of four filter terms for the interface-specific filter for the walled garden.

      [edit firewall family inet filter redirect-in interface-specific]
      user@host# set term DNS

    4. Specify match conditions for the walled garden’s filter by setting a destination port.

      [edit firewall family inet filter redirect-in interface-specific term DNS]
      user@host# set from destination-port 53

    5. Specify the action to take for all other DNS traffic.

      [edit firewall family inet filter redirect-in interface-specific term DNS]
      user@host# set then accept

    6. Create a second filter term for the interface-specific filter for the walled garden.

      [edit firewall family inet filter redirect-in interface-specific]
      user@host# set term Wall-Garden

    7. Specify match conditions for the walled garden’s filter by setting four destination addresses.

      [edit firewall family inet filter redirect-in interface-specific term Wall-Garden]
      user@host# set from destination-address 192.168.220.1/24
      user@host# set from destination-address 192.168.220.2/24
      user@host# set from destination-address 192.168.14.1/32
      user@host# set from destination-address 192.168.18.1/32

    8. Specify the action to take for all other destination address traffic.

      [edit firewall family inet filter redirect-in interface-specific term Wall-Garden]
      user@host# set then count Wall-Garden
      user@host# set then accept

    9. Create a third filter term for the interface-specific filter for the walled garden.

      [edit firewall family inet filter redirect-in interface-specific]
      user@host# set term HTTP

    10. Specify match conditions for the walled garden’s filter by setting the protocol and destination port.

      [edit firewall family inet filter redirect-in interface-specific term HTTP]
      user@host# set from protocol tcp
      user@host# set from destination-port http

    11. Specify the action to take for all other HTTP traffic destined to flow outside of the walled garden.

      [edit firewall family inet filter redirect-in interface-specific term HTTP]
      user@host# set then count HTTP
      user@host# set then accept

    12. Create the last filter term for the interface-specific filter for the walled garden.

      [edit firewall family inet filter redirect-in interface-specific]
      user@host# set term DROP_ALL

    13. Specify the action to take for all remaining HTTP traffic.

      [edit firewall family inet filter redirect-in interface-specific term DROP_ALL]
      user@host# set then discard

    14. Create a service filter for redirecting HTTP traffic for the walled garden.

      [edit firewall family inet]
      user@host# set service-filter http-redirect-sfilter

    15. Create the first of three filter terms for the service filter for the walled garden.

      [edit firewall family inet service-filter http-redirect-sfilter]
      user@host# set term 1

    16. Specify match conditions for the walled garden’s filter by setting a source and destination address.

      [edit firewall family inet service-filter http-redirect-sfilter term 1]
      user@host# set from source-address 203.0.113.0/24
      user@host# set from destination-address 192.168.11.1/32

    17. Specify the action to take for all other source and destination addresses.

      [edit firewall family inet service-filter http-redirect-sfilter term 1]
      user@host# set then skip

    18. Create a second filter term for the service filter for the walled garden.

      [edit firewall family inet service-filter http-redirect-sfilter]
      user@host# set term 2

    19. Specify match conditions for the walled garden’s filter by setting the source address, and protocol and destination port.

      [edit firewall family inet service-filter http-redirect-sfilter term 2]
      user@host# set from source-address 203.0.113.0/24
      user@host# set from protocol tcp
      user@host# set from destination-port 8080

    20. Specify the action to take for all other HTTP traffic.

      [edit firewall family inet service-filter http-redirect-sfilter term 2]
      user@host# set then count SVC-HTTP
      user@host# set then service

    21. Create the final filter term for the service filter for the walled garden.

      [edit firewall family inet service-filter http-redirect-sfilter]
      user@host# set term 3

    22. Specify the action to drop the remaining traffic.

      [edit firewall family inet service-filter http-redirect-sfilter term 3]
      user@host# set then discard

    Results

    From configuration mode, confirm your configuration by entering the show firewall command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]root@host# show firewall
    family inet {filter redirect-in {interface-specific;term DNS {from {destination-port 53;}then {accept;}}term Wall-Garden {from {destination-address {192.168.220.1/24;192.168.220.2/24;192.168.14.1/32;192.168.18.1/32;}}then {count Wall-Garden;accept;}}term HTTP {from {protocol tcp;destination-port http;}then {count HTTP;accept;}}term DROP_ALL { then {discard;}}}
    service-filter http-redirect-sfilter {term 1 {from {source-address {203.0.113.0/24;}destination-address {192.168.11.1/32; }}then skip;}term 2 {from {source-address {203.0.113.0/24;}protocol tcp;destination-port 8080;}then {count SVC-HTTP;service;}}term 3 {then discard;}

    If you are done configuring the device, enter commit from configuration mode.

    Configuring the Captive Portal Content Delivery Services and Attaching Service Set to Static Interface

    Step-by-Step Procedure

    The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

    1. Configure the HTTP redirect service by specifying the location to which a subscriber's initial Web browser session is redirected, enabling initial provisioning and service selection for the subscriber.

      [edit services]
      user@host# set captive-portal-content-delivery

    2. Configure the service filter as a walled garden by defining the rule the router references when applying this HTTP service.

      [edit services captive-portal-content-delivery]
      user@host# set rule redirect

    3. Specify the direction in which the rule match is applied for the HTTP service.

      [edit services captive-portal-content-delivery rule redirect]
      user@host# match-direction input

    4. Create the term match and action properties for the captive portal content delivery rule for the HTTP service.

      [edit services captive-portal-content-delivery rule redirect]
      user@host# set term 1 then redirect http://redirection-portal/redirection/

    5. Specify the captive portal content delivery profile for the IP destination address to redirect the HTTP service.

      [edit services captive-portal-content-delivery]
      user@host# set profile http-redirect

    6. Specify the captive portal content delivery rule for the HTTP service.

      [edit services captive-portal-content-delivery profile http-redirect]
      user@host# set cpcd-rules redirect

    7. Specify the service set for the captive portal content delivery services.

      [edit services service-set]
      user@host# set http-redirect-sset

    8. Specify the captive portal content delivery profile for the service set.

      [edit services service-set http-redirect-sset]
      user@host# set captive-portal-content-delivery-profile http-redirect

    9. Specify the interface name for the interface service to attach to the static interface.

      [edit services service-set http-redirect-sset]
      user@host# set interface-service service-interface ms-11/0/0

    Results

    From configuration mode, confirm your configuration by entering the show services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]root@host# show services
    captive-portal-content-delivery {rule redirect {match-direction input;term 1 {then {redirect http://redirection-portal/redirection/;}}}profile http-redirect {cpcd-rules redirect;}}service-set http-redirect-sset {captive-portal-content-delivery-profile http-redirect;interface-service {service-interface ms-11/1/0;}}}

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that HTTP redirect services has been configured correctly within a service set, perform these tasks:

    Verifying the Configured Service Set for Captive Portal Content Delivery Services

    Purpose

    Display the configured captive portal content delivery service set.

    Action

    From operational mode, enter the show services captive-portal-content-delivery service-set http-redirect-sset detail command.

    user@host> show services captive-portal-content-delivery service-set http-redirect-sset detail
    Service Set             Id       Profile         Compiled Rules 
    http-redirect-sset       1        http-redirect     1                        
         

    Meaning

    The output lists the service set configured for captive portal content delivery services.

    Verifying Details for a Configured HTTP Service Rule for a Walled Garden

    Purpose

    Display details for a specific configured HTTP service rule for a walled garden.

    Action

    From operational mode, enter the show services captive-portal-content-delivery rule redirect term 1 command.

    user@host> show services captive-portal-content-delivery rule redirect term 1
    Rule name: redirect
    Rule match direction: input
    Term name: term 1
    Term action: redirect
    Term action option: http://redirection-portal/redirection/

    Meaning

    The output lists rule and term details for a specific HTTP service rule configured for the walled garden.

    Modified: 2017-04-26