EdgeRouter - Suspend Feature


Overview


This article lists the configuration options to block all traffic to the Internet for a client while redirecting all traffic to a specific site using the simplified suspend feature included in EdgeOS.

NOTES & REQUIREMENTS: This article requires EdgeOS firmware 1.10.7 or later. Products used in this article:

Table of Contents


  1. Introduction
  2. Network Diagram
  3. Steps: How to Enable Suspend Feature
  4. Testing & Verification
  5. Related Articles

Introduction


Back to Top

This feature allows the suspension of clients identified by their IP, preventing them from accessing the Internet, while redirecting to a specific IP and Port such as UCRM's Suspension page and still allowing DNS and specific IPs such as a UNMS server.

The suspend feature can be useful in many scenarios, however, it is designed for operators to easily block Internet access for clients who have not paid for service or other reasons. Ultimately, the three simple commands below create a more complex, behind-the-scenes configuration on the EdgeRouter.


Network Diagram


Back to Top

In the diagram below we show that an operator is distributing Internet to a client using UFiber. When the suspend feature is enabled on the EdgeRouter Infinity, the client with IP 10.0.200.10 will have all Web traffic redirected to the suspension page running on the UCRM Server. The operator still has UNMS access to the customer supplied router (in this example, a UFiber ONU in router mode).

EdgeRouter-Suspend_Feature_Diagram.png


Steps: How to Enable Suspend Feature


Back to Top 

Step 1: Add Redirect

When a suspended client attempts to access any website, other than IPs entered as an option in step 3, they will be redirected to the forward-to address and port. This is configured by using the following command:

set service suspend forward-to address <x.x.x.x>
set service suspend forward-to port <xx>

In this example we have a UCRM server at 10.0.10.49 with a suspend page on port 81. 

NOTE: UCRM is not a requirement, this feature will redirect to any IP and port specified.

Step 2: Add User to the Suspended IP List

The following command adds a user's IP address to the suspend feature to limit and re-direct traffic based on step 1 above.

set service suspend user-ip <x.x.x.x>

 Step 3: Allow Access to Specific Device(s) for Suspended Clients 

When a user IP address is added in step 2, that suspended user will only have access to the gateway IP address (if firewall permits access), and the IP address and port specified in the forward-to address in step 1. The command below will allow access to other specific devices. Some useful examples would be to allow the IP address  of a DNS, DHCP, or UNMS server. 

set service suspend allow-ip <x.x.x.x>

In this example, we will create a suspend rule that also allows DNS and DHCP servers running on EdgeRouter at 10.0.10.1 and a server running UCRM and UNMS on a local server at 10.0.10.49. This ensures that the client receives all necessary services, but will not have access to the Internet. The forward-to IP will automatically be allowed, it is only necessary to specify IPs of other devices with a different address than the forward-to IP.


Testing & Verification


Back to Top

Verify Configuration:

admin@er4# show service suspend 
 allow-ip 10.0.10.1
 forward-to {
     address 10.0.10.49
     port 81
 }
 user-ip 10.0.200.10

Verify Suspend Page:

The redirect IP and port must be accessible from all client devices.

Connecting from a client with an IP that is listed under 'user-ip' and redirecting to a UCRM Suspend page as in the example above will show the screen below when the client attempts to access any webpage. For testing, this site will also be available from clients that are not suspended by manually going to <serverip>:<port>.

 

UCRMSuspend.png


Related Articles


Back to Top

EdgeRouter - How to Access the EdgeRouter

UNMS - Getting Started

UCRM - How to Setup Network, Client Services and Suspension

UCRM - Setting up Network Devices & Suspend Feature


We're sorry to hear that!