    Policies and services

    The BRAS functionality uses policies and services to limit the speed of data transmission and reception and to redirect subscribers to a portal where they can refill their account. A service is a set of actions carried out when a certain condition is met: the source or destination of the session matches the specified ACL. A policy can combine multiple services.

    Services

    To create a service, execute the command create service <service name>. When creating a service, its name is formed in the same way as described in the section "Creating a new pool".

    After the service is created, go into its configuration mode with goto bras services <service name> and set its parameters using context commands.


    The available service parameters are described in the table below.

    Parameter | Description
    enable | disable

    Enables or disables the service

    name

    Service name

    action

    The action that the service performs:

    • pass – traffic passes, but is subject to speed limits (default);
    • drop – the traffic is discarded;
    • block – redirects to the portal, for example, to replenish the account. The address of the portal is specified by the parameter redirect_url;
    • redirect – used when the periodic redirection feature is enabled (see "Periodic forwarding setup"). When this action is specified, HTTP traffic is redirected (HTTPS passes). For this to work correctly, redirect_use_interval on must be specified in the parameters of the dpilist bound to this service.
    acl

    The access list that determines which packets fall into this service

    redirect_url

    The address to which the client is redirected if action redirect is used. Typically, this is the address of the telecom operator's portal, to which the client is redirected when the account needs to be replenished; other resources can also be specified.

    EcoSGE can add client specifiers to the address string. This helps to personalize the redirection site.

    Available specifiers:

    %c - passes to redirect_url the callback-id received from the RADIUS server;
    %m - passes to redirect_url the client MAC address;
    %i - passes to redirect_url the client IP address;
    %v1 - passes to redirect_url the first (upper) client VLAN tag;
    %v2 - passes to redirect_url the second (lower) client VLAN tag;
    %u - passes to redirect_url the URL that the client requested.

    The redirect_url parameter format:

    <URL>/?<VAR_NAME1>=<SPEC1>&<VAR_NAME2>=<SPEC2>..<VAR_NAMEN>=<SPECN>

    where URL is the address of the redirection site,

    VAR_NAME1 .. VAR_NAMEN are variable names,

    SPEC1 .. SPECN are specifiers.

    For example, http://example.com/?var1=%u&ip=%i&qwe=%v2. In this case, if the client tries to access forbidden.com, it will be redirected to: http://example.com/?var1=forbidden.com&ip=10.1.1.10&qwe=0

    egress_speed

    Maximum egress speed (Kb/s)

    ingress_speed

    Maximum ingress speed (Kb/s)

    egress_tos

    The value to set in the Type of Service field of the outbound packet header, specified in decimal format. To leave traffic unmarked, keep the value nochange

    ingress_tos

    The value to set in the Type of Service field of the incoming packet header, specified in decimal format. To leave traffic unmarked, keep the value nochange

    time_start daily HH:MM

    Service start time. If you specify the value, this service is activated daily at the specified time. Time (UTC) is indicated in the format HH:MM, where HH is the hour, MM is the minute

    time_end daily HH:MM

    The end time of the service. If you specify the value, this service is turned off daily at the specified time. Time (UTC) is indicated in the format HH:MM, where HH is the hour, MM is the minute

    always_pass

    Destination IP addresses to which the rules of this service are not applied

    no_shape

    External global IP addresses, for which speed is not limited. Here you can enter the IP addresses of game servers, IPTV servers and other resources that must be available to subscribers at maximum speed

    dpilists

    The number of the site list used for URL filtering (see section "URL Filtering functionality (DPI)"). If the site does not satisfy the list requirement, the client is redirected to the resource specified in redirect_url. The parameter is available only when the URL filtering module is installed
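
The redirect_url specifier values reach the portal as ordinary query parameters, and the %u value is chosen by the subscriber, so the portal should validate them before use. The following is an added example, not part of the EcoNAT documentation or product code, that checks the example redirect shown above. The function name parse_redirect, the allow-list RETURN_HOSTS and the 0 to 4095 VLAN range are assumptions; the page does not state whether substituted values are percent-encoded, so repeated parameter names are rejected.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names from the page's example: ?var1=%u&ip=%i&qwe=%v2
EXPECTED = {"var1", "ip", "qwe"}
# Assumption: hosts the portal is willing to send a subscriber back to.
RETURN_HOSTS = {"example.com"}
HOST_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")


def parse_redirect(url):
    """Validate the query string appended by the BRAS; ValueError on anything odd."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True,
                     strict_parsing=True)
    if set(query) != EXPECTED:
        raise ValueError("unexpected parameter set: %s" % sorted(query))
    if any(len(values) != 1 for values in query.values()):
        # %u is chosen by the subscriber. A repeated name means its value
        # was split into extra parameters, so refuse rather than pick one.
        raise ValueError("repeated parameter")

    ip = ipaddress.ip_address(query["ip"][0])  # raises ValueError if malformed

    vlan_text = query["qwe"][0]
    if not re.fullmatch(r"[0-9]{1,4}", vlan_text) or int(vlan_text) > 4095:
        raise ValueError("VLAN tag out of range")  # assumption: 12-bit VLAN ID

    # The page's example shows %u as a bare host; accept a full URL as well.
    requested = query["var1"][0]
    target = requested if SCHEME_RE.match(requested) else "//" + requested
    host = (urlsplit(target).hostname or "").lower()
    if not HOST_RE.fullmatch(host):
        raise ValueError("requested URL has no valid host name")

    return {
        "ip": ip,
        "vlan": int(vlan_text),
        "requested_host": host,
        # Only send the subscriber back when the host is on the allow-list.
        "return_allowed": host in RETURN_HOSTS,
    }


if __name__ == "__main__":
    # The redirect URL from the example on this page.
    print(parse_redirect(
        "http://example.com/?var1=forbidden.com&ip=10.1.1.10&qwe=0"))
```
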

    Example of creating and configuring the service:

    MyEcoNAT:1:system.bras.services# create service 1
    MyEcoNAT:2:system.bras.services# service1
    MyEcoNAT:3:system.bras.services.service1# enable
    MyEcoNAT:4:system.bras.services.service1# action redirect
    MyEcoNAT:5:system.bras.services.service1# redirect_url "http://redirect.domen.ru"
    MyEcoNAT:6:system.bras.services.service1# egress_speed 56
    MyEcoNAT:7:system.bras.services.service1# ingress_speed 56
    MyEcoNAT:8:system.bras.services.service1# time_start daily 03:00
    MyEcoNAT:9:system.bras.services.service1# time_end daily 21:00
    MyEcoNAT:10:system.bras.services.service1# show
      enable
      name "service1"
      action redirect
      acl none
      redirect_url "http://redirect.domen.ru"
      egress_speed 56
      ingress_speed 56
      egress_tos nochange
      ingress_tos nochange
      time_start daily 03:00:00
      time_end daily 21:00:00
      always_pass ( )
      no_shape ( )
      dpilists ( )

    To enable or disable the service, use the context commands enable and disable, which must be run in the service branch.

    MyEcoNAT:5:system.bras.services.service1# enable
    MyEcoNAT:6:system.bras.services.service1# disable

    The edited configuration is applied only after the apply command is run.

    Policies

    To create a policy, run the create policy <policy name> command. When creating a policy, its name is formed in the same way as described in the section "Creating a new pool".
    After you create a new policy, go to its configuration mode with the goto policy <policy name> command and use the context commands to set the values of its parameters.
    The available policy parameters are described in the table below.

    Parameter | Description

    enable | disable

    Policy is enabled or disabled

    priority

    The priority with which policies are applied. The lower the value, the higher the priority. By default, the first created policy has priority 100, the next one 200, the third one 300, and so on

    local_ip ( )

    Specifies the IPv4 addresses or subnets of the clients bound to this policy

    local_ip_v6 ( )

    Specifies the IPv6 addresses or subnets of the clients bound to this policy

    type

    Type may be one of the following:

    • static – the services specified in the policy configuration are applied to clients,
    • dynamic – subscriber authorization is performed via the RADIUS protocol (a RADIUS server must be configured)

    session_timeout

    Time (in seconds) after which the session is ended automatically. When the time expires, the session will be deleted and a new one will be created. Default value 86400

    idle_timeout

    Time (in seconds) after which the session is ended automatically because of inactivity. Default value 28800

    interim_interval

    Time (in seconds) after which the accounting interval ends. Used when RADIUS is enabled. Default value 15

    ingress_auth

    Allows (on) or denies (off) client authorization by an ingress packet that has the client IP address in the DST field. Used only for clients in static and fake pools

    services ( )

    Specifies the name of the service that is bound to the policy. You can specify up to 6 services, using a space as the delimiter. The order defines the priority of services from the highest to the lowest. The parameters that can be set for type dynamic are described in the section "RADIUS server settings"

    Dynamic policy parameters

    auth

    Authorization options. The name of the connection to the RADIUS server or group of RADIUS servers, or the keyword none

    reauthorization_timeout

    The time (in seconds) after which the client's authorization will be retried if there is no response from the RADIUS server (the BRAS client session is in the Error status). The default value is 180 seconds

    acct

    Accounting options. The name of the connection to the RADIUS server or group of RADIUS servers, or the keyword none

    ATTENTION! Before applying the changes, the value of the auth parameter should not be none, otherwise the apply command will end with an error.


    Example of creating and configuring a policy:

    MyEcoNAT:1:system.bras.policies# create policy 1
    MyEcoNAT:2:system.bras.policies# policy1
    MyEcoNAT:3:system.bras.policies.policy1# enable
    MyEcoNAT:4:system.bras.policies.policy1# type static
    MyEcoNAT:5:system.bras.policies.policy1# services service1
    MyEcoNAT:6:system.bras.policies.policy1# show
      priority 100
      enable
      local_ip ( )
      local_ip_v6 ( )
      type static
      session_timeout 86400
      idle_timeout 28800
      interim_interval 15
      services (service1)
    MyEcoNAT:7:system.bras.policies.policy1#

    Use the context commands enable and disable in the policy branch to turn the policy on or off.

    MyEcoNAT:5:system.bras.policies.policy1# enable
    MyEcoNAT:6:system.bras.policies.policy1# disable

    The edited configuration is applied only after the apply command is run.

    Configured policies are processed in order of their priority. In addition, multiple services can be assigned to each policy. Within the same policy, services are processed in the order in which they appear in the policy configuration.