Small university network security design with pfSense 2.0.1



  • Hello! I am planning to design my network with a pfSense router/firewall and I'd like to implement the following functions of the router:
    -NAT, DHCP, DNS, DNS Forwarder, DMZ, Captive Portal, SSH, VLAN
    -Squid+Squidlight+SquidGuard+HAVP
    I have one public IP (WAN) and I am planning to share Internet via LAN on 4 x Ethernet cards with 4 subnets.
    So, is it possible? I mean, is it enough or must I enable more functions? Do these functions work in one system?
    My system configuration: CPU dual core 2 GHz, RAM 1 GB, HDD 80 SATA, 4 x 1000 Mb NICs

    Waiting for your comments!! Thanks



  • Since you asked for comments:

    I noticed in your DMZ you plan to put multiple virtualized Debian servers in VMs on a single physical server running Win2008R2 with Hyper-V. Since in your picture all those VMs will be running Debian Linux, I would use an operating system-level virtualization technology (check http://en.wikipedia.org/wiki/Operating_system-level_virtualization ) which offers practically native performance, instead of Hyper-V (or KVM, Xen etc).

    Also, depending on the number of clients you expect to serve, I'd put squid+… on a different system than pfsense itself, probably another "container" on the server in the DMZ.

    Finally, depending on your physical network topology and the area you'd like to cover with Wi-Fi, I'd consider having both wireless access points serve both guests & staff/students, using two SSIDs and corresponding VLANs.
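    The segmentation the two posts above describe (4 wired subnets on 4 NICs, a DMZ, and a staff VLAN plus a guest VLAN on the same access points) can be sanity-checked before it is typed into the pfSense GUI. The following is an added example, not code from the thread or from the pfSense project: it carves non-overlapping subnets for each segment from an assumed 10.0.0.0/16 block, assumes VLAN IDs 10 (staff) and 20 (guest), and encodes the isolation policy a reviewer would expect (guests reach only the DMZ, the DMZ never initiates into internal segments) so that candidate flows can be evaluated against it.

```python
# Added example: subnet/VLAN plan and inter-segment policy check for the
# design discussed in the thread. All addresses, VLAN IDs and the policy
# itself are assumptions chosen for illustration.
import ipaddress

# Segment name -> 802.1Q VLAN ID (None for untagged wired NICs / DMZ NIC).
# Assumed: four wired LAN NICs, one DMZ, two wireless VLANs sharing the APs.
SEGMENTS = [
    ("lan1", None), ("lan2", None), ("lan3", None), ("lan4", None),
    ("dmz", None),
    ("staff_wifi", 10),   # SSID "staff"  -> VLAN 10 (assumed)
    ("guest_wifi", 20),   # SSID "guest"  -> VLAN 20 (assumed)
]

# Segments that are trusted "inside" networks (may talk to each other and to the DMZ).
INTERNAL = {"lan1", "lan2", "lan3", "lan4", "staff_wifi"}


def plan_subnets(base="10.0.0.0/16", prefix=24, segments=SEGMENTS):
    """Allocate one /prefix network per segment, in order, from `base`.
    Returns {segment: (ip_network, vlan_id)}."""
    pool = ipaddress.ip_network(base).subnets(new_prefix=prefix)
    return {name: (next(pool), vlan) for name, vlan in segments}


def check_no_overlap(plan):
    """True if no two allocated subnets overlap (a common mis-typing error
    when several interfaces are configured by hand)."""
    nets = [net for net, _ in plan.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def vlan_map(plan):
    """VLAN ID -> segment, i.e. what the AP/switch trunk must carry."""
    return {vlan: name for name, (_, vlan) in plan.items() if vlan is not None}


def decide(src, dst):
    """Default-deny inter-segment policy for new connections.
    - guest Wi-Fi may only reach the DMZ (captive portal / public web);
    - DMZ hosts never initiate connections into internal segments;
    - internal segments may reach each other and the DMZ."""
    if src == dst:
        return "allow"
    if src == "guest_wifi":
        return "allow" if dst == "dmz" else "deny"
    if src == "dmz":
        return "deny"
    if src in INTERNAL and (dst in INTERNAL or dst == "dmz"):
        return "allow"
    return "deny"


def classify(ip, plan):
    """Map an address to the segment whose subnet contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _) in plan.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, plan):
    """Evaluate a candidate flow; anything outside the plan is denied."""
    src, dst = classify(src_ip, plan), classify(dst_ip, plan)
    if src is None or dst is None:
        return "deny"
    return decide(src, dst)


if __name__ == "__main__":
    plan = plan_subnets()
    assert check_no_overlap(plan)
    for name, (net, vlan) in plan.items():
        print(f"{name:11s} {net}  vlan={vlan}")
    print("trunk VLANs:", vlan_map(plan))
    # Constructed sample flows: guest -> DMZ, guest -> wired LAN, DMZ -> staff.
    for s, d in [("10.0.6.5", "10.0.4.10"), ("10.0.6.5", "10.0.0.10"), ("10.0.4.10", "10.0.5.3")]:
        print(f"{s} -> {d}: {evaluate(s, d, plan)}")
```

    The policy table is the part worth arguing about before deployment: each `deny` here corresponds to a rule that must actually exist on the relevant pfSense interface, since pfSense allows nothing by default on new interfaces but the default LAN rule is "allow any".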



  • Thanks for the advice. So, you mean to design all under Linux solutions? :) I agree, I will think about it!!

    Reasons to turn to Unix/Linux systems:
    -Educational organizations have limited financial possibilities (Why should I pay when different free solutions are available?)
    -The network is a Windows-based network infected with viruses,
    -The network OSs are Win Server 2003 - buying licences for client/server OSs.
    -Licences for Office packs, firewall, antivirus software, etc.
    I know it is difficult to implement Linux-based solutions: knowledge and experience, etc.,
    and otherwise students and personnel are adapted to Windows systems.

    The idea is this:
    Access to: Web, LMS+SQL, web conferencing, corporate mail for 600-700 members (70% Web, 20% LMS, 10% other). The existing Internet connection is 3 Mb/s (fibre-optic connection between the University and the ISP is 1 GB; connections between faculties are also realised by fibre-optic connection).
    Technology: VLAN, server virtualization, captive portal (Wi-Fi), traffic filtering, controlling and monitoring

    A problem is that some of our 'network engineers' do not have any experience with Linux; they are Windows administrators and I need to find 'easy solutions' for them with a GUI (Webmin, Iptabamin, pfSense).

    Need your comments! Thanks a lot!




  • DansGuardian can do content analysis as well as antivirus and is free for non-commercial use.



