Help - Pfsense deployment



  • Good night sir.

    I would like your opinion.

    I need a tool to work as a firewall and proxy, from what I saw, the pfsense will meet my need, but I have no experience with the solution.

    I will explain my environment:

    I need to control the Internet in a school, they have about 40 computers, and 15 of them are connected to the network by a Wifi card. They have about 500 students (primary education).

    Students use mobile phones to access internet.

    They have about 8 wifi routers throughout the school.

    They also have a server with active directory and Wifi is free to all.

    I'm testing the pfsense but I have some doubts. I thank everyone who can help me.

    What is the best form of authentication in squid in this case?

    What is the best way to control the Wifi?

    I've read some things about transparent authentication, captive portal, radius, but I don't know which solutions will work best in this environment.


  • LAYER 8 Global Moderator

    Control wifi how?  So you have just home wifi routers (what make and model - running native firmware or 3rd party) I hope they are in AP mode atleast or prob all natting all using the same default 192.168 network behind them, etc..

    What do you plan on running pfsense on?  how many of these students have wifi phones? over only 8 wifi connections?  How big is the school, what is the internet connection?  Primary education, so little kids?  What is the age or grade ranges?

    So this AD they run, this is for school admins/teachers network?

    What do you use for proxy or filtering now?  So how do you auth the wifi connections now just completely open and no filtering?  So these kids can just access p0rn if they want?

    Is this nightmare something you got throw on you, or did you build it?



  • @Vfisher:

    about 40 computers, and 15 of them are connected to the network by a Wifi card. They have about 500 students

    They have about 8 wifi routers throughout the school.

    So you have at least 515 wireless devices on 8 access points (not including staff devices for now).
    That's approx. 65 users on each AP if connected evenly. Usually that's not the case so think of 100 users on each AP.
    You need professional grade hardware for that AND good WIFI planning (coverage and channel selection) to just get all these users to your firewall!

    In the Portuguese forum you posted about virtualization of pfSense. Are you sure you can handle all that at once?
    Start small if you want your project to be successful! All-at-once is more of a task for a well-practiced team…

    Maybe get an old PC, install a second network cards into it and use it as your home router just to get familiar with pfSense?


  • LAYER 8 Global Moderator

    Maybe only like 1/10 of these students have phones?

    Primary education in the US normally refers to little kids, elementary so your talking kindergarten through like 8th grade max..  So wouldn't think the younger kids have phones, etc and only the last few grades maybe?

    I am more than willing to discuss options all the way from doing it with millions of dollars to spend, to have no budget at all how can I get stuff donated what is cheapest possible option to get this to work, etc.

    You could get parents to maybe donate their old wifi routers and if you can put the right 3rd party firmware on them, etc. etc.  You could prob put something together that works, etc.  Your going to need a solid core to work with.  So at min a decent switch, and sure pfsense could be the firewall/router on an older PC say donated by a parent..

    But yeah 500 users an 8 AP not going to be fast by any means..  What is the internet pipe we are working with?  If its 2mbps for example then no internet over wifi is just not going to happen for the user base as a whole.  You could maybe let your staff have internet over wifi, etc.

    But unless we are talking somewhere in the middle of nowhere where edge is the fast cell data connection I would think everyone would just use their own data connection, etc.

    There are countless ways to skin the cat, but you need to know what breed of cat before you can even discuss how to best skin it..



  • Thanks all for your answers!

    Sorry, but when i wrote the first post i still didnt have all the information to explain my cenario (I started working in this project about fifteen days ago).

    They have a outsourced company that rent all the wifi structure. How i still dont have administration rights, I called then and now i have more information.

    • Wan arrives at a Routerboard Microtik 850, that control the routers 17 Microtiks , model RB951, all of then working in bridge mode. When i called they told me there were 105 connected equipaments.

    It is funny, but they have no firewall or proxy today, wifi still don´t have a password  :)

    Today they have just one IP range, what is not for security, my intentions is to use Pfsense as a firewall and proxy to control this cenario.

    What do you think is the best way to use Pfsense?

    Best Regards,
    Henrique



  • well, you probably need a vlan-capable switch.

    • create seperate vlans for: students / staff / administration / (whatever else you need)
    • broadcast seperate SSID's for staff & students

    on the use of proxy's for filtering:
    -it's useless unless you do man-in-the-middle for ssl.

    • It's plain evil todo man-in-the-middle.
    • man-in-the-middle only works for devices owned & configured by the school. (otherwise you get a bunch of warnings every time you visit a website)

    conclusion: i wouldn't bother with internet filtering based on proxy. I think you'd better get  some ip-blocklist & dns blocklist … it's not as affective, but it works.


  • LAYER 8 Global Moderator

    So again how many network devices - 500 kids doesn't tell us much..

    So 17 AP, I assume those are rb951-2n devices so 2012 time frame.. They are only 2.4ghz N devices..  They are very cheap even when they came out.. You rented them for how long?  And they are just 1 large layer 2 all as AP on the same network?  With possible client count of 500?

    As to proxy you can still filter on url with proxy without having to mitm the ssl traffic..

    So are you going to deploy new wifi or use those old 2.4ghz N 1x1 - max wifi bandwdith is 72 PHY.. That is shared with all the clients on the AP… who that must freaking scream performance with all the broadcast traffic going on as well if 500 nodes are all on at the same time on the same layer 2..

    What is the internet speed?


Log in to reply