Redirect PPPoE traffic to webserver

Hi all,

I’m searching for info about the possibility of redirecting traffic based on origin IP to a webserver.

I have tried with PBR, like this:

ip access-list extended ClientesBloqueados
 permit ip host CUSTOMER_IP any

route-map RedireccionPortal
 match ip address ClientesBloqueados
 set ip next-hop WEBSERVER_IP

interface virtual-template33
 ip policy route-map RedireccionPortal

But it seems that it does not work.

Any idea?
The main purpose is to send the web traffic from blocked PPPoE customers to a customized web page.


Hello Vicent

Policy-based routing is used to cause IP traffic to take a different route to the destination. Policy-based routing however will not change the destination to which the IP packet is going. So in your PBR solution, your traffic is reaching the web server, but the webserver sees a destination IP address different from its own, so it drops the traffic. What you need to do is create a captive portal, a web page to which users are sent if a customer is blocked. This is often used in WiFi implementations but it is not limited to them.

In order to redirect web traffic, there are several solutions:

HTTP redirect is one option, and both Cisco wireless controllers as well as the Cisco ASA support this feature. A second option is to use DNS redirect. When a client requests a WWW resource, the local DNS returns a different IP address (that of your web server) so that it will see your server rather than the intended site. This can be configured by simply providing a local DNS server to your client. Since you have control of the server, you can manipulate the records so that the desired redirect occurs.

Hopefully, this will give you some insight into researching these topics more deeply to find the solution that will be best for your situation. If you have any more questions, please let us know!

I hope this has been helpful!
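The HTTP redirect option described above, as an added example that is not part of the original post and not Cisco code: a minimal Python portal server that answers any plain-HTTP request from a blocked customer with a temporary redirect to the portal page. The host name portal.example.net, the /blocked path, port 8080 and the function names are assumptions, and it assumes the customer's packets already arrive addressed to this server (for example through NAT or the router's own redirect feature), which PBR alone does not do.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

PORTAL_HOST = "portal.example.net"        # assumed host name of the portal page
PORTAL_URL = "http://" + PORTAL_HOST + "/blocked"


def _hostname(host_header):
    """Lower-case the Host header and drop a trailing :port if present."""
    host = (host_header or "").strip().lower()
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def decide(host_header, path):
    """Return (status, headers) for one request from a blocked customer."""
    host = _hostname(host_header)
    if host == PORTAL_HOST:
        # Already asking for the portal: serve it, otherwise we would loop.
        return 200, {"Content-Type": "text/html; charset=utf-8"}
    # Any other site: temporary and uncacheable redirect, so normal browsing
    # resumes as soon as the customer is unblocked.
    original = quote("http://" + host + path, safe="") if host else ""
    return 302, {"Location": PORTAL_URL + "?orig=" + original,
                 "Cache-Control": "no-store"}


class PortalHandler(BaseHTTPRequestHandler):
    # Only plain HTTP is handled; HTTPS requests cannot be answered this
    # way without the browser showing a certificate error.
    def do_GET(self):
        status, headers = decide(self.headers.get("Host"), self.path)
        body = b"<h1>Service suspended</h1>" if status == 200 else b""
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), PortalHandler).serve_forever()
```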



Thank you for the reply Lagapides,

To avoid customers manually changing DNS and working without restriction, I think the best option will be HTTP redirect.

I checked ISG on the Cisco website after posting this, but I have discarded it because the policy-map is not working (in the same way as in this scenario).

Anyway, maybe the simplest way to do this is configuring the RADIUS with:

Cisco-AVPair = "ip:l4redirect=redirect to {group server-group-name | ip server-ip-address [port port-number]} [duration seconds] [frequency seconds]"

I will try and post the results.


Hello Vicent

Thanks for sharing your progress. Let us know how this works out.

Looking forward to hearing from you!