Feasibility of pfSense + Squid + SquidGuard

  • Hi,

    First time poster here with no prior experience in pfSense and Linux.

We are planning to deploy pfSense on a network of around 75 people, a single-server environment with Windows 2008 R2 as PDC. Currently we are using WatchGuard but are not satisfied with it at all.

We have a spare Core i3 computer with a 120 GB HDD and 4 GB RAM; we can upgrade the RAM and HDD if required.

We are planning a non-transparent proxy which will be configured via DHCP (on the Win2k8 server mentioned above).

    Is the following setup feasible:

    1. Authentication using LDAP
We have three primary OUs in our AD (one for owners, one for managers, one for junior staff). Can users be automatically authenticated by pulling AD data from the server? I read that it is possible, but what happens when a new user is added to any of the OUs? Will it require a re-sync, or is the data pulled automatically?

    2. Category based filtering using SquidGuard
Though not absolutely necessary, we would like to provide filtering based on OU, e.g. users in the "Owners" OU get full access, users in the "Managers" OU get less restricted access and users in the "Junior" OU get more restricted access.

    3. Bandwidth throttling based on OU
Similar to the above, we would like to provision varying levels of bandwidth for different OUs.

4. Access for smartphones via wifi without any authentication
Owners would like their smartphones to connect to wifi via a WAP and get unrestricted access. Is there a way to bypass certain MAC addresses so that they get full access without any authentication?

If OU-based authentication is not feasible, we can even go for something IP-based. For example, we can change our DHCP scope so that owners' and managers' systems get a specific IP range based on their MAC addresses and other users get dynamic IPs from a specific range, i.e. we can reserve: to for junior staff to for manager to for owners

Keen to know your thoughts… are we targeting something that is not possible?
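The four requirements above map onto a handful of Squid and squidGuard directives. The fragments below are an added example for this page, not the poster's configuration and not the files the pfSense packages generate from their GUI; they show what such a setup looks like underneath. Everything named here is assumed: the domain corp.example, the controller dc1.corp.example, the bind account squidproxy, the address range 192.168.10.200-209 for the owners' phones, and the helper paths, which are the Squid 3.2+ helper names under /usr/local as the FreeBSD/pfSense package installs them. Each OU is paired with an AD security group (Owners, Managers, Junior) because an LDAP filter can test group membership with memberOf directly, whereas AD does not allow substring matches on distinguishedName, so "is this user under OU X" is awkward to express as a filter.

```conf
# ---- squid.conf fragment (assumed path /usr/local/etc/squid/squid.conf) ----

# 1. Authentication: check the user's password against AD over LDAP.
#    -W reads the bind password from a file so it is not visible in `ps`;
#    -R disables referral chasing, which otherwise hangs against AD.
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth \
    -b "dc=corp,dc=example" -f "(sAMAccountName=%s)" \
    -D "cn=squidproxy,ou=Service Accounts,dc=corp,dc=example" \
    -W /usr/local/etc/squid/ldap_bind_pw -v 3 -R -h dc1.corp.example
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 5 minutes
acl authed proxy_auth REQUIRED

# Group lookup: %u is the login, %g the argument given on the acl line.
# Lookups are live (cached for ttl seconds), so a user added in AD is
# matched on their next request; nothing is synced to the firewall.
external_acl_type ad_group ttl=300 negative_ttl=60 %LOGIN \
    /usr/local/libexec/squid/ext_ldap_group_acl \
    -b "dc=corp,dc=example" -v 3 -R -S -h dc1.corp.example \
    -D "cn=squidproxy,ou=Service Accounts,dc=corp,dc=example" \
    -W /usr/local/etc/squid/ldap_bind_pw \
    -f "(&(sAMAccountName=%u)(memberOf=%g))"
acl grp_owners   external ad_group "cn=Owners,ou=Groups,dc=corp,dc=example"
acl grp_managers external ad_group "cn=Managers,ou=Groups,dc=corp,dc=example"
acl grp_juniors  external ad_group "cn=Junior,ou=Groups,dc=corp,dc=example"

# 4. Owners' phones: skip authentication for a reserved address range
#    (assumed: the WAP is bridged onto the LAN and DHCP pins those MACs to
#    192.168.10.200-209). Order matters: the bypass must precede the
#    deny !authed line.
acl owner_phones src 192.168.10.200-192.168.10.209
http_access allow owner_phones
http_access deny !authed
http_access allow authed
http_access deny all

# 3. Bandwidth per tier with delay pools. Class 2 gives each pool an
#    aggregate bucket plus a per-client bucket; values are bytes/second,
#    -1 means unlimited. Owners match no pool and are not throttled.
delay_pools 2
delay_class 1 2
delay_access 1 allow grp_juniors
delay_access 1 deny all
delay_parameters 1 2000000/2000000 125000/125000   # ~16 Mbit/s shared, ~1 Mbit/s each
delay_class 2 2
delay_access 2 allow grp_managers
delay_access 2 deny all
delay_parameters 2 4000000/4000000 500000/500000   # ~32 Mbit/s shared, ~4 Mbit/s each

# 2. Hand each request to squidGuard for category filtering.
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_children 5

# ---- squidGuard.conf fragment (assumed path as above) ----
dbhome /var/db/squidGuard
logdir /var/squidGuard/log

# Same groups, resolved by squidGuard itself: %s is the login Squid passes
# along with the URL. Requires a squidGuard built with LDAP support.
ldapbinddn   "cn=squidproxy,ou=Service Accounts,dc=corp,dc=example"
ldapbindpass "CHANGEME"
ldapcachetime 300
src owners {
    ldapusersearch ldap://dc1.corp.example/dc=corp,dc=example?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Owners,ou=Groups,dc=corp,dc=example))
}
src managers {
    ldapusersearch ldap://dc1.corp.example/dc=corp,dc=example?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Managers,ou=Groups,dc=corp,dc=example))
}
src owner_phones {
    iplist /usr/local/etc/squidGuard/owner_phones.txt   # the 192.168.10.200-209 range
}

# Category lists (blacklist layout: domains/urls files under dbhome).
dest porn      { domainlist porn/domains      urllist porn/urls }
dest gambling  { domainlist gambling/domains  urllist gambling/urls }
dest socialnet { domainlist socialnet/domains urllist socialnet/urls }

acl {
    owners       { pass all }
    owner_phones { pass all }
    managers     { pass !porn !gambling all }
    default {
        pass !porn !gambling !socialnet all
        redirect http://proxy.corp.example/blocked.html?url=%u&user=%i
    }
}
```

Two caveats a practitioner would weigh before copying this. Basic auth sends the AD password in cleartext to the proxy on every request, so it is acceptable only because the proxy sits on the same trusted LAN; Kerberos or NTLM helpers avoid it. And the phone bypass is keyed on addresses, not identity: a DHCP reservation or a Squid `arp` ACL is trivially defeated by setting a MAC, so the unrestricted range should be treated as a convenience for known devices, not as an access control, and kept as small as possible.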