Netgate Discussion Forum

    Help needed for providing internet access to a refugee camp.

    Traffic Shaping
      sleepyhead100

      Hi there,

      I am volunteering to help my community provide help for some 250 refugees who arrived last summer to our small community in northern Sweden. Now, I have a degree in software development, but I never had any practical experience dealing with networks.

      We are trying to provide basic internet access to the 250 refugees at the refugee camp where they are now temporarily accommodated.
      I have managed to get my hands on some basic equipment from a couple of people who donated their old equipment to us.
      Here is what I have got:

      20 Cisco Aironet AIR-LAP1242AG-A-K9 Wireless Access Points
      Cisco Ethernet Switch - ESW520-24P-K9
      Cisco 4400 Series Wireless LAN Controller Air-WLC4402-25-K9
      100 Mbps symmetric internet connection.
      And some old computers that I am (can) using to run pfSense for routing and firewalling.

      We want to be able to provide basic internet access to all of them through the wireless network, but there are some laws and regulations that we have to abide by.
      We have to implement a very strict policy for content filtering. Among the users there are a lot of minors, so I need to find out how I can block sites (violence, pornography, drugs, etc.). (I have tried OpenDNS and Squid to do the content filtering, but lately I have been told that some users are using Hotspot Shield and other similar software to bypass the proxy.) Torrents have been a major issue for us to block, and they are consuming all the available bandwidth, preventing other users from being able to make a simple VoIP call.
      And last, we need to be able to log the users' traffic for at least 6 months.

      I would really appreciate any help regarding how to tackle the Hotspot Shield problem, and if there is any reliable way to block p2p traffic, and if it is possible to log the traffic.

        KOM

        how to tackle the hotspot shield problem

        how can I block sites (violence, pornography, drugs, etc.)

        Squid, squidGuard + blacklist will do this.  pfBlocker will also help in this area.

        is any reliable way to block p2p traffic

        Not really.  Your best bet is to use traffic shaping to prioritize all other commonly-used protocols and let the rest (including p2p) fall into the penalty box.

        if it is possible to log the traffic

        Squid logs all HTTP/S traffic.  Do you mean just that type of traffic or every single packet, NSA-style??

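Added example, not code from any poster in this thread: a Python script that reads Squid's native access.log format, totals bytes and denied requests per client IP, and flags long, heavy CONNECT sessions of the kind a VPN tunnelled through the proxy would leave behind. The sample log lines and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in Squid's native access.log format:
# time elapsed_ms client result/status bytes method url ident hierarchy type
SAMPLE_LOG = """\
1454320800.101    212 192.168.1.23 TCP_MISS/200 48211 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1454320805.440     90 192.168.1.23 TCP_DENIED/403 3980 GET http://blocked.example/ - HIER_NONE/- text/html
1454324400.900 3540000 192.168.1.57 TCP_TUNNEL/200 734003200 CONNECT tunnel.example.net:443 - HIER_DIRECT/203.0.113.10 -
1454324460.000   1500 192.168.1.23 TCP_TUNNEL/200 51200 CONNECT mail.example.org:443 - HIER_DIRECT/198.51.100.7 -
this line is truncated
"""

# Assumed thresholds (tune per site): one CONNECT that stays open this long
# and moves this much data looks like a tunnel, not an ordinary page load.
TUNNEL_MIN_SECONDS = 1800
TUNNEL_MIN_BYTES = 100 * 1024 * 1024


def parse_line(line):
    """Return a dict for one access.log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        ts, elapsed_ms, size = float(parts[0]), int(parts[1]), int(parts[4])
    except ValueError:
        return None
    return {"when": datetime.fromtimestamp(ts, tz=timezone.utc),
            "seconds": elapsed_ms / 1000, "client": parts[2],
            "result": parts[3].split("/")[0], "bytes": size,
            "method": parts[5], "url": parts[6]}


def summarize(log_text):
    """Per-client byte and deny counts, plus suspected long-lived tunnels."""
    usage = defaultdict(lambda: {"bytes": 0, "denied": 0})
    tunnels = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or corrupt lines instead of crashing
        usage[rec["client"]]["bytes"] += rec["bytes"]
        if rec["result"] == "TCP_DENIED":
            usage[rec["client"]]["denied"] += 1
        if (rec["method"] == "CONNECT" and rec["seconds"] >= TUNNEL_MIN_SECONDS
                and rec["bytes"] >= TUNNEL_MIN_BYTES):
            tunnels.append((rec["when"].isoformat(), rec["client"], rec["url"]))
    return dict(usage), tunnels
```

Squid records only the client IP address, so tying an entry to a person needs a separate record of which device held that address at the time.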
          sleepyhead100

          Many thanks for your tips,
          I have been using Squid + squidGuard blacklists for content filtering, but so far this method has not been effective, as it is very easy to go to the app store and get any free VPN software and tunnel through the proxy server. I tried to block the service ports and IP addresses that are used to connect to the outside, but after a couple of hours I ended up with hundreds of IP addresses and a list that needs to be maintained daily. Do you know of other solutions?

          About logging the traffic: not exactly NSA style, but since all the traffic is passing through our connection, we need to be able to protect ourselves in case of copyright infringements and be able to point the finger at who did what and when! Now, Squid will log HTTP, but that is only 20% of the traffic going through the server.

            doktornotor (Banned)

            @sleepyhead100:

            Do you know of other solutions?

            Sure thing. Cut them off the internet if they cannot behave. Or send them back home. Protect yourself? From illegal immigrants' illegal actions? Absurd. Get a better government.

              sleepyhead100

              Now, while I agree with you that we need a better government (obviously not for the same reasons), this is not the topic of this discussion!! So if you have any constructive suggestions, you are welcome to post them; else let us just keep our opinions out of this thread.

                cmb

                @sleepyhead100:

                Now, while I agree with you that we need a better government (obviously not for the same reasons), this is not the topic of this discussion!! So if you have any constructive suggestions, you are welcome to post them; else let us just keep our opinions out of this thread.

                Yes, please keep your political opinions to yourselves, this isn't the place. Thanks for the sensible response, sleepyhead100.

                To the original question, it's pretty much impossible to completely eliminate ways around content filtering where you don't control all the devices on the network. If you do control them, lock down the systems so they can't install things or change any settings, and it sounds like you should be about as good as you can get. You probably don't control all the systems though, so you're limited in what you can do. Restricting your LAN firewall rules as much as possible and forcing all HTTP and HTTPS through the proxy will help some, but it'd still be possible to get a VPN out in a variety of ways.

                  Nullity

                  You could use limiters to proportionally share traffic among the clients/IPs, each getting a fair minimum while sharing excess bandwidth. I think limiters are currently incompatible with Squid, though.

                  You might benefit from this tutorial: http://www.linksysinfo.org/index.php?threads/qos-tutorial.68795/
                  Aside from being my favorite QoS tutorial, I think you will find it useful since the author also must admin large networks of uncooperative users.

                  Please correct any obvious misinformation in my posts.
                  -Not a professional; an arrogant ignoramus.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.