Some (basic) questions

  • I use pfsense in a school network (150 clients, not simultaneous). Because we generated more traffic than we are allowed (120 GB a month) I decided to use pfsense with squid for throttling and caching.
    The main problem was streaming (youtube hd movies), downloaders and windows updates.

    For now it's a standard installation with squid.
    Squid is used for per-host throttling (set at 500).

    I do have some thoughts/questions:

    • Am I correct that a scheduled reboot isn't possible through the web GUI? Only with cron jobs?
    • SOLVED - - We do not block anything (for now) but we would like to scan ALL network traffic for viruses. The only package I can find is HAVP antivirus. But this is also a proxy. Can I have HAVP antivirus AND Squid installed at the same time?
    • It would be a nice feature if I can see the used traffic in gigabytes. This counter should be reset on the 4th of the month.
    • We do not have a WSUS server. It would be nice if pfsense could cache our windows updates. I use this command line for now:
    refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*\.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims;range_offset_limit -1;

    But how can I check if this really works? What else would be nice to cache? We use various virus scanners on our clients: Security Essentials, AVG, Panda,…

    When all goes well, we will purchase a new, decent, server for pfsense.

    Some system info:
    HP server, P4 3.2 GHz
    Cache mgmt: 4000 hard disk cache size, memory cache 64, maximum object size 512000, maximum object size in ram 32,

  • Too many questions in one topic? Do I need to split this up?
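One way to answer "how can I check if this really works?" is to read Squid's access.log rather than poke at the cache directory. The script below is an added example, not code from this thread or from pfSense/Squid: it parses native-format access.log lines (the sample lines are constructed) and reports hit ratio and bytes served from cache for URLs matching an assumed Windows Update pattern.

```python
import re

# Assumed URL pattern: the post's refresh_pattern with its dots escaped so '.'
# matches only a literal dot, restricted to the update download hosts.
WU_URL = re.compile(r"^https?://[\w.-]*(?:windowsupdate|microsoft)\.com/"
                    r".*\.(?:cab|exe|msi|msp)(?:\?.*)?$", re.IGNORECASE)

# Result codes whose body came from the cache. TCP_REFRESH_UNMODIFIED is the
# reload-into-ims path: Squid revalidated with the origin and kept its copy.
HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_OFFLINE_HIT", "TCP_REFRESH_UNMODIFIED"}


def parse_line(line):
    """Split a native access.log line (timestamp elapsed client code/status
    bytes method URL user hierarchy type) into (code, status, bytes, url)."""
    f = line.split()
    try:
        code, _, status = f[3].partition("/")
        return code, int(status), int(f[4]), f[6]
    except (IndexError, ValueError):
        return None


def cache_report(lines):
    """Hits, misses and byte totals for Windows Update objects in the log."""
    stats = {"hits": 0, "misses": 0, "bytes_from_cache": 0, "bytes_from_origin": 0}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not WU_URL.match(parsed[3]):
            continue
        code, _status, size, _url = parsed
        if code in HIT_CODES:
            stats["hits"] += 1
            stats["bytes_from_cache"] += size
        else:
            # A TCP_MISS/206 with few bytes is a range request that bypassed
            # the cache; range_offset_limit -1 makes Squid fetch the whole object.
            stats["misses"] += 1
            stats["bytes_from_origin"] += size
    total = stats["hits"] + stats["misses"]
    stats["hit_ratio"] = round(stats["hits"] / total, 2) if total else 0.0
    return stats


# Constructed sample lines (TEST-NET origin addresses, made-up KB file names).
SAMPLE_LOG = """\
1359734400.101 2450 192.168.1.23 TCP_MISS/200 524288 GET http://download.windowsupdate.com/msdownload/update/kb0000001-x86.cab - DIRECT/203.0.113.10 application/octet-stream
1359734520.202 12 192.168.1.24 TCP_HIT/200 524288 GET http://download.windowsupdate.com/msdownload/update/kb0000001-x86.cab - NONE/- application/octet-stream
1359734530.303 40 192.168.1.25 TCP_REFRESH_UNMODIFIED/200 524288 GET http://download.windowsupdate.com/msdownload/update/kb0000001-x86.cab - DIRECT/203.0.113.10 application/octet-stream
1359734600.404 900 192.168.1.26 TCP_MISS/206 65536 GET http://download.windowsupdate.com/msdownload/update/kb0000002-x64.exe - DIRECT/203.0.113.10 application/octet-stream
1359734700.505 300 192.168.1.27 TCP_MISS/200 40960 GET http://www.example.org/news/index.html - DIRECT/203.0.113.20 text/html
"""
REPORT = cache_report(SAMPLE_LOG.splitlines())
```

Point it at /var/squid/logs/access.log on the pfSense box: a hit ratio that stays near zero, or misses that are all 206 responses, means the refresh_pattern or range_offset_limit is not taking effect.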


  • LAYER 8 Global Moderator

    For starters with 150 machines - why are you not running a WSUS server for your updates!  Now you don't have to worry about any caching, and actually have some idea if your machines are updated or not ;)

    This is my first suggestion to save bandwidth.

    2nd – how in the hell are you in a school and not doing any filtering??  Yeah you need to get filtering going NOW, so surfing porn is open currently?  First thing to block would be streaming media!  Bam -- huge bw savings!

    Why do you need a scheduled reboot?  But install the cron package, and then you could schedule your reboot using the gui.  But still not understanding why you think you need to reboot on a schedule?

    As to havp and squid -- right in the package description "It can be used with squid or standalone."

  • Netgate Administrator

    how in the hell are you in a school and not doing any filtering??

    An interesting question.
    I realise it's a bit radical but perhaps they trust their students.  ;)

    I'd probably do some filtering though, if only to block massive time sinks. Even the most trustworthy student isn't going to resist the mighty pull of FB!


  • The only sites we should block are porn related. Everything else is needed by teachers (youtube, social networking,…) for the lessons. In the past I used Smoothwall (& dansguardian) to block sites (porn, audio & video streaming,..). But teachers were complaining all the time they couldn't access websites...

    Scheduled reboot would be a precautionary measure. Don't know if necessary.

  • LAYER 8 Global Moderator

    And it is quite simple to allow teachers access to stuff, while students cannot watch the latest HD viral video..

    What grade level is this school? If Univ level, ok with limited filtering I guess.  But there are lots of categories that if opened could really get the school into some hot water.

    What school district?  Is this not a public school, are you not in the US? I know for sure that many states mandate some form of filtering.


    Overview of State Laws
    Twenty-five states have Internet filtering laws that apply to publicly funded schools or libraries. The majority of these states simply require school boards or public libraries to adopt Internet use policies to prevent minors from gaining access to sexually explicit, obscene or harmful materials. However, some states also require publicly funded institutions to install filtering software on library terminals or school computers.

    Federal Children’s Internet Protection Act (CIPA)
    Congress in 2000 enacted the Children’s Internet Protection Act (CIPA) as part of the Consolidated Appropriations Act. The act provides three different types of funding: 1) aid to elementary and secondary schools; 2) Library Services and Technology Act (LSTA) grants to states for support of public libraries; and 3) the E-rate program that provides technology discounts to schools and public libraries.

    Students' machines clearly do not need unfiltered access to many categories - and if they hit a site that is blocked, and should be open.. Click and they can report it and you could open it.

    Filtering will be a huge bw savings for sure.

    I am curious what kind of connection you're on that limits you to 150GB for 150 clients?  For $50 a month, I have a 250GB a month limit.  You might want to look at changing providers?

  • It's in Belgium. Didn't you notice it in my writing? :-)

    Anyway, pfsense supports caching, so why not use it?

  • Caching is good for "static" traffic, such as newspaper sites if your students read those, but for Windows updates WSUS rules.

  • We do not have a domain controller on the students network, so implementing this would be a huge hassle knowing that I only have 8 hours a week to maintain these pc's.
    Anyway, thx already!

    Maybe an additional question? :)
    If a package states "beta", does that mean it really isn't ready for a production server?

  • Netgate Administrator

    Not necessarily.
    It probably means simply that the package maintainer/author doesn't feel 100% confident about declaring it finished. Or has simply forgotten to change the status.
    Looking at the list there are loads that are marked beta but are in use by hundreds or thousands of users.
    It's the responsibility of the maintainer to change it.


  • You have a 150 host network set up peer-to-peer? Ouch, I feel for you. I'd start pushing for some form of central management. It would mean some up front time and effort, but on the back end your life would become much easier.
    Perhaps block streaming sites for student computers, and less restrictive access to the teachers. Set up some form of request system to have a site unblocked with advance notice if the teacher needs it for a lesson. Teachers should know in advance when they have need for multimedia sites, it's why they keep lesson plans.
    Me, I'm a little more hard boiled, I wouldn't bother with hearing complaints about streaming sites without a very good justification for needing them. I'd want to see a lesson plan requiring it.
    Train your teachers how to download a youtube video so they can present it offline.
    I'm harping on YouTube and streaming media because they are total bandwidth hogs. Doing some back of the envelope calculations, consider YouTube's minimum bandwidth requirements of 500 kbps and you are looking at 25 megabytes per minute. Multiply that by a class size of 33 students and you are looking at 750 megabytes for just one minute of video. This is just for YouTube's minimum video settings. That would eat up your bandwidth very quickly.

    As for patches, you can get all of them from Microsoft's support website. It's a pain to do so, but one download and a trip around the campus would cost you footwork, but gain you some bandwidth savings.

    My thoughts, get centrally managed as soon as you can, so you can push updates out from a central server, and block media streaming websites as strictly as can be allowed.
