
OK, like all college IT departments, we've been battling P2P abuse and trying to figure out how to effectively mitigate its impact on our network infrastructure...

And then we find out TODAY that we're leasing space in two of OUR dormitories to students from a university located across the street. (100 students total, 50 in each building in question.)

Our budget: Free. (We've got a few Pentium 3 and 4 desktops around for use.)

We're only obligated to provide HTTP traffic support to the dorm room RJ-45 jack. No VOIP considerations, nothing. Each building's on a distinct VLAN.

Is it feasible, in theory, to use something like pfSense running on a PIII or Pentium IV-class box with 2 NICs to restrict HTTP traffic/packet shaping/etc? This is not a permanent thing-- they're only leasing dorms for one semester-- but never having done this before, I'm looking for any guidance the community here can offer.

(I'm thinking one box per building that's being leased...)

EDIT: Outside connection to the internet at large: 12 Mbit/s. All dorms are on a subset of IPs that are in a separate 'lane' that can't exceed 30% of total.

Bill B

5 Answers


Ah, but to allow web browsing I'm sure the students would enjoy the use of DNS to resolve their web site URLs. Then they'll want HTTPS support of course, so they can do secure logins to their courseware site or bank. Oh then... a slippery slope you have here my friend! But there's nothing to be done about that, is there?

Depending on how the network is set up, you can either have each box be the gateway router for each dorm, or for performance's sake (if you can) just have each box set up as a transparent bridging firewall and let your (I assume) better, already installed router do the routing. Of course, all this depends on the way the network is laid out. Without additional info there's not a lot of advice I can give.

I'd recommend OpenBSD and pf, especially considering the older hardware you will be deploying. That said, if you're not technically minded enough to set this up on your own, there are distros like pfSense; you'll just have to deal with a little sluggishness in the web interface.

Brad

There are lots of variables in question. Including but not limited to:

  • Throughput in Mbps.
    This is obvious.

  • Throughput in PPS.
    This is less obvious and often more important than the above item. A large quantity of small packets will strain a router/firewall more than a smaller quantity of large packets. This is because each packet will produce a system interrupt and must be individually evaluated for firewalling, routing or deeper filtering.

  • Quality of NICs and PCI bus.
    Buy the best you can. A good NIC will perform as much processing onboard as possible without upsetting the system, whereas a cheap NIC will push processing back onto the CPU, creating system load and slowing down the process.

  • Quantity of traffic inspection and processing.
    The more firewall rules you have the longer evaluation will take. You could perform some clever things like transparent proxying and caching, but this will bring some extra overheads.

Off the cuff though, I would say that what you're trying to achieve is perfectly possible. If you can tear yourself away from the GUI-ness of pfSense then I'd fully recommend installing OpenBSD on the machines. It's pretty simple to do what you want and you'll unlock a lot of power.

You'll probably want to configure the machines as transparent bridges. This will enable you to slot them straight in with your current setup. You could use this as the first test to see whether they're up to the job - drop them in as plain old bridges with no filtering and see if they cope. If for some reason you find that they don't, then you can pull them out with reasonably little disruption.

Then the next step would be to introduce filtering with PF, then rate limiting with ALTQ. I'd then suggest throwing in Net-SNMP (with PF MIBs) and a monitoring package like Cacti to keep an eye on the utilisation and performance.

Dan Carley
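The transparent-bridge setup the two answers above describe, with the DNS and HTTPS caveat from the first one, as an added example that is not part of any answer in this thread: an OpenBSD pf.conf for one leased dorm, using the pre-5.5 ALTQ syntax that was current when this was asked. The interface names em0/em1, the dorm subnet 10.50.1.0/24 and the 3600Kb cap (30% of the 12 Mbit/s uplink from the question) are assumptions for illustration.

```pf
# /etc/pf.conf -- transparent bridging filter for ONE leased dorm.
# Added example, not from the thread. Assumptions: em0/em1 are the two NICs,
# the campus DHCP server hands this dorm addresses from 10.50.1.0/24, and the
# dorm 'lane' is 30% of a 12Mb uplink (3600Kb). ALTQ syntax is OpenBSD < 5.5.

inside   = "em0"            # bridge member facing the dorm VLAN
outside  = "em1"            # bridge member facing the campus router
dorm_net = "10.50.1.0/24"   # assumed dorm address range

set skip on lo0
# Filter on the dorm-facing member only. A bridged packet crosses both members,
# and evaluating it twice costs CPU on a PIII for no security gain.
set skip on $outside

# ALTQ shapes packets LEAVING an interface, so the cap on what the dorm can
# download is attached to the inside member. 3600Kb = 30% of a 12Mb uplink.
altq on $inside cbq bandwidth 3600Kb queue { q_dns, q_web }
queue q_dns bandwidth 5%  priority 7 cbq(borrow)
queue q_web bandwidth 95% priority 3 cbq(default borrow)

# Default deny, logged to pflog0 so you can see which blocked protocols the
# students actually try (the "slippery slope" from the first answer).
block log all

# Only what the lease obliges us to carry: DNS, HTTP and HTTPS, from the dorm
# outward. The queue is recorded in the state, so replies flowing back out
# $inside land in the same queue and get shaped.
pass in quick on $inside proto { tcp, udp } from $dorm_net to any port 53 \
    keep state queue q_dns
pass in quick on $inside proto tcp from $dorm_net to any port { 80, 443 } \
    flags S/SA keep state queue q_web

# Nothing else from the dorm, and nothing unsolicited toward it: an inbound
# packet is skipped on $outside, reaches $inside in the out direction with no
# state and no matching 'pass in' rule, and is dropped by 'block log all'.
```

The bridge itself is built by the OpenBSD network config, not by pf: /etc/hostname.em0 and /etc/hostname.em1 each contain just `up`, and /etc/hostname.bridge0 contains `add em0 add em1 up`. Neither member carries an IP address, so manage the box from the console or a third NIC. Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, watch the queues with `pfctl -vvs queue`, and watch drops with `tcpdump -n -e -ttt -i pflog0`. The "plain bridge first" test from the answer above is this same file with the altq/queue lines removed and the filter section replaced by `pass all`. One caveat: ports 80 and 443 are matched by port number only, so any P2P client that tunnels over them still gets through; the cbq cap limits what that can cost the rest of the campus, it does not stop it.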

Why not use a firewall on a CD like Sentry or redwall? Then allow only outgoing connections to port 80 (or whatever you want). These solutions are usually pretty easy to use, with a web interface.

Ernie

You can use Untangle: http://www.untangle.com/ It's open source, free, and provides the features you seem to need and more.

As far as blocking things go, I'd be careful in college dorms, and check regulation to ensure that you can do this before implementing anything.

IceMage

Comment: You can also power an Untangle server using a spare Pentium 4 box; it might run slower than you'd like, but it'll work until you can budget a dedicated box later / if you need it at all. – IceMage Aug 11 '09 at 21:24

SmoothWall is an option that would work well. It's one of the older custom Linux distros for firewalling.

djangofan