> Hello
>
> I want to create a captive portal able to deal with users that are behind
> a NAT.
> The network diagram is :
>
>
> userA1---(priv subnet)---[NAT gateway A]---(pub subnet)---|
> userA2---(priv subnet)---[NAT gateway A]---(pub subnet)---|
> ...                                                       |
> userB1---(priv subnet)---[NAT gateway B]---(pub subnet)---|
> userB2---(priv subnet)---[NAT gateway B]---(pub subnet)---|
> ...                                                       |
> ..                                                        |---(squid)transparent web proxy)--- Internet
>
>
> The login/password is common to everyone but changes every 30 minutes.
> People connected can access the web during 30 minutes from the time they
> initiated the connection.
>
> Of course, if userA1 connects, it should not automatically grant access to
> userA2.
>
> We do not have control over NAT gateways.
> Can Squid be the "transparent web proxy"? Will it be able to differentiate
> NATed users?
> If it can't, do you know any software that does this?

Not without control of the NAT gateways.

If you don't control NAT you don't have the basic information to identify and authenticate the original source. This is why so many ISP people hate NAT, despite its uses.

Transparent interception is done by direct lookups into the gateway NAT tables or gateways routing packets unaltered to a separate box for NAT handling and lookups there. Either way you need some control to add rules into the gateway NAT routers.

I see three choices here for you:

1) adding a squid box on each subnet to handle transparency for that subnet and peering them to a public gateway squid.

2) implementing semi-explicit proxy config via (WPAD) and authenticating each user request.

3) doing away with NAT. That may mean moving from 192.168.0.0/16 to 10.0.0.0/8 or IPv6.

Amos
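The difference between keying access on the source address the proxy sees and authenticating each request (choice 2 above) can be shown with a small model. This is an added example, not code from the thread or from Squid; the class names, the `guest`/`s3cret` credentials and the 203.0.113.x addresses are constructed, and password rotation is not modelled.

```python
import base64
import hmac

WINDOW = 30 * 60  # access window in seconds (the 30 minutes from the question)

def basic(user, password):
    """Build the value of a Proxy-Authorization header using the Basic scheme."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class IpKeyedPortal:
    """Hypothetical portal that remembers which source IP logged in."""
    def __init__(self, password):
        self.password = password
        self.expiry = {}  # source IP as seen by the proxy -> expiry timestamp

    def login(self, src_ip, password, now):
        ok = hmac.compare_digest(password, self.password)
        if ok:
            self.expiry[src_ip] = now + WINDOW
        return ok

    def allow(self, req, now):
        return self.expiry.get(req["src_ip"], 0) > now

class PerRequestAuthProxy:
    """Hypothetical explicit proxy: every request must carry credentials."""
    def __init__(self, user, password):
        self.expected = basic(user, password)

    def allow(self, req, now):
        return hmac.compare_digest(req.get("proxy_authorization", ""), self.expected)

# Constructed traffic: NAT gateway A rewrites both of its users to one address.
NAT_A, NAT_B = "203.0.113.10", "203.0.113.20"
a1 = {"client": "userA1", "src_ip": NAT_A, "proxy_authorization": basic("guest", "s3cret")}
a2 = {"client": "userA2", "src_ip": NAT_A}  # never authenticated
b1 = {"client": "userB1", "src_ip": NAT_B}  # never authenticated

def run_demo(now=0):
    portal = IpKeyedPortal("s3cret")
    portal.login(NAT_A, "s3cret", now)  # userA1 logs in from behind gateway A
    proxy = PerRequestAuthProxy("guest", "s3cret")
    reqs = (a1, a2, b1)
    return {
        "ip_keyed": {r["client"]: portal.allow(r, now + 60) for r in reqs},
        "ip_keyed_expired": portal.allow(a1, now + WINDOW + 1),
        "per_request": {r["client"]: proxy.allow(r, now + 60) for r in reqs},
    }

if __name__ == "__main__":
    print(run_demo())
```

In the IP-keyed result userA2 is allowed as soon as userA1 logs in, because both arrive from the same gateway address; with per-request credentials only the request that carries them is allowed.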