Overview
This article lists the configuration options to block all traffic to the Internet for a client while redirecting all traffic to a specific site using the simplified suspend feature included in EdgeOS.
NOTES & REQUIREMENTS: This article requires EdgeOS firmware 1.10.7 or later. Products used in this article:
Table of Contents
- Introduction
- Network Diagram
- Steps: How to Enable Suspend Feature
- Testing & Verification
- Related Articles
Introduction
This feature suspends clients identified by their IP address: it prevents them from accessing the Internet, redirects them to a specific IP and port (such as UCRM's suspension page), and still allows DNS and specific IPs such as a UNMS server.
The suspend feature can be useful in many scenarios; however, it is designed for operators to easily block Internet access for clients who have not paid for service, or for other reasons. Ultimately, the three simple commands below create a more complex, behind-the-scenes configuration on the EdgeRouter.
Network Diagram
In the diagram below, an operator is distributing Internet to a client using UFiber. When the suspend feature is enabled on the EdgeRouter Infinity, the client with IP 10.0.200.10 will have all Web traffic redirected to the suspension page running on the UCRM Server. The operator still has UNMS access to the customer-supplied router (in this example, a UFiber ONU in router mode).

Steps: How to Enable Suspend Feature
Step 1: Add Redirect
When a suspended client attempts to access any website, other than the IPs entered as an option in step 3, they will be redirected to the forward-to address and port. This is configured with the following commands:
set service suspend forward-to address <x.x.x.x>
set service suspend forward-to http-port <xx>
set service suspend forward-to https-port <xxx>
In this example we have a UCRM server at 10.0.10.49 with a suspend page on port 81.
NOTE: UCRM is not a requirement; this feature will redirect to any IP and port specified.
Step 2: Add User to the Suspended IP List
The following command adds a user's IP address to the suspend feature to limit and redirect traffic based on step 1 above.
set service suspend user-ip <x.x.x.x>
Step 3: Allow Access to Specific Device(s) for Suspended Clients
When a user IP address is added in step 2, that suspended user will only have access to the gateway IP address (if firewall permits access), and the IP address and port specified in the forward-to address in step 1. The command below will allow access to other specific devices. Some useful examples would be to allow the IP address of a DNS, DHCP, or UNMS server.
set service suspend allow-ip <x.x.x.x>
In this example, we will create a suspend rule that also allows DNS and DHCP servers running on the EdgeRouter at 10.0.10.1 and a server running UCRM and UNMS on a local server at 10.0.10.49. This ensures that the client receives all necessary services, but will not have access to the Internet. The forward-to IP is allowed automatically; it is only necessary to specify the IPs of other devices with a different address than the forward-to IP.
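The three steps above combined into one script, as an added example that is not part of the original article: a POSIX shell helper (the function names `is_ipv4`, `is_port` and `suspend_cmds` are hypothetical) that validates the addresses and ports and prints the configure-mode commands for the article's example values. The refusal to suspend an address that is also an allow-ip or the forward-to address is this example's own sanity rule, not an EdgeOS requirement.

```shell
#!/bin/sh
# Added example: build the EdgeOS suspend commands from validated inputs.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_port N: succeed only for an integer in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# suspend_cmds FORWARD_IP HTTP_PORT HTTPS_PORT "ALLOW_IPS" "USER_IPS"
# Prints the command sequence; returns 1 with nothing on stdout for bad input.
suspend_cmds() {
    fwd=$1 http=$2 https=$3 allow=$4 users=$5
    is_ipv4 "$fwd" || { echo "bad forward-to address: $fwd" >&2; return 1; }
    is_port "$http" && is_port "$https" || { echo "bad port" >&2; return 1; }
    [ -n "$users" ] || { echo "no user-ip given" >&2; return 1; }
    for ip in $allow $users; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    for ip in $users; do
        # Sanity rule of this example (assumption): a service address that
        # shows up as user-ip is treated as an operator typo.
        case " $allow $fwd " in
            *" $ip "*) echo "refusing to suspend service address $ip" >&2; return 1 ;;
        esac
    done
    echo "configure"
    echo "set service suspend forward-to address $fwd"
    echo "set service suspend forward-to http-port $http"
    echo "set service suspend forward-to https-port $https"
    for ip in $allow; do echo "set service suspend allow-ip $ip"; done
    for ip in $users; do echo "set service suspend user-ip $ip"; done
    echo "commit ; save"
    echo "exit"
}

# Article's example values: UCRM/UNMS at 10.0.10.49, DNS/DHCP at 10.0.10.1.
suspend_cmds 10.0.10.49 81 443 "10.0.10.1" "10.0.200.10"
```

The printed lines are meant to be pasted into an EdgeOS CLI session; several allow-ip or user-ip addresses can be passed as one space-separated argument.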
Testing & Verification
Verify Configuration:
admin@er4# show service suspend
 allow-ip 10.0.10.1
 forward-to {
     address 10.0.10.49
     http-port 81
     https-port 443
 }
 user-ip 10.0.200.10
Verify Suspend Page:
The redirect IP and port must be accessible from all client devices.
Connecting from a client with an IP that is listed under 'user-ip' and redirecting to a UCRM Suspend page as in the example above will show the screen below when the client attempts to access any webpage. For testing, this site will also be available from clients that are not suspended by manually going to <serverip>:<port>.

Related Articles
EdgeRouter - How to Access the EdgeRouter
UCRM - How to Setup Network, Client Services and Suspension
UCRM - Setting up Network Devices & Suspend Feature