Please save me from my own stupidity .......

seedubya

So, I got this new client. I posted about her before: small student accommodation campus, about 35 apartments, approximately 100 users.

She would not spring for a full refit so we agreed to work with the budget she had. She genuinely could not get more from the management committee.

Big mistake...

We installed a number of outdoor APs (Ubiquiti) around the grounds to improve coverage. She had 150Mb cable installed. Her Fortigate 50 died and we replaced it with a used Zyxel 5 that we had lying around. She had and still has a piece of software called ccProxy handling access to the wifi, using a combination of MAC filtering and individual user passwords to keep people off.

We have a number of issues:
1) The ccProxy situation is completely unsatisfactory - all it really does is prevent access via password and MAC filtering - surely there is a better way to do this. It's also a bottleneck.
2) We'd like to be able to limit download speed and file sizes on a per-client basis.
3) The Zywall 5 is a real bottleneck. The firewall throughput is only 65Mbps - on a 150/15 pipe.

End result required is that everyone can access the internet at a reasonable speed and that

I'd like to go open source or similar if possible as funds are seriously limited.

yeah, yeah I know......
 
Perhaps replace the Zyxel 5 with an Untangle firewall. There shouldn't be a bottleneck on that provided you have gigabit ports. I think you can also limit bandwidth through Untangle (someone will have to confirm as I don't know).

I don't know anything about ccProxy, but my guess is it is in place to prevent outsiders from connecting. If that is the case, wouldn't secure WPA2 with a good password be sufficient? Or is it so guests can connect as well (on the MAC filtering)? Does the Ubiquiti interface have something along those lines?

A lot of this is off the cuff, so I might need other people to vouch for me, but I hope I helped.
 
> Perhaps replace the Zyxel 5 with an Untangle firewall. There shouldn't be a bottleneck on that provided you have gigabit ports. I think you can also limit bandwidth through Untangle (someone will have to confirm as I don't know).
>
> I don't know anything about ccProxy, but my guess is it is in place to prevent outsiders from connecting. If that is the case, wouldn't secure WPA2 with a good password be sufficient? Or is it so guests can connect as well (on the MAC filtering)? Does the Ubiquiti interface have something along those lines?
>
> A lot of this is off the cuff, so I might need other people to vouch for me, but I hope I helped.

I'll check out Untangle. Haven't used it for a while and had kinda forgotten about it!

You're right about ccProxy, but the issue with just setting a WiFi password is that they will share it with their friends and so fsck everything up for everyone else. A per-user password with MAC filtering keeps this crap to a minimum. Ubiquiti does not support MAC filtering.
 
As well as the usual open source router firmware (dd-wrt, openwrt, tomato) there is one project which specialises in this stuff:

http://www.gargoyle-router.com/

I mean, I guess (in theory) any Linux kernel router should be able to if you are an iptables wizard, but this is specially built for it. I think there is a Tomato build which has similar aims (Toastman and some other developer?).

Mind you, for a lot of users it may be hard to find a powerful enough off-the-shelf router. While MIPS CPUs are very power-efficient, the GHz and multi-core race seems to have left them behind. So it may be worth considering an actual PC running a full x86 Linux router distro. A cheap low-power (Atom, Celeron or Jaguar) machine to handle the policies and then cheap routers set to only handle the wireless, perhaps?
 
Lots of good *nix firewall distros out there which can do much of this stuff. Since many of those are free or have a free version, people immediately rush to keep the budget down by throwing it on an old x86 computer. Which can be fine, if you do it right. Use a good higher-end business-grade small form factor, with an enterprise-grade (reliable) hard drive like a WD RE series, good Intel NICs, and keep an identical model nearby for spare parts (like a power supply).

Untangle has a captive portal module, and it has a very good bandwidth control module (not free), which can do much of what you're looking for.

I don't know what you can do to limit download sizes, but you can certainly penalize the bandwidth consumed by large downloads.

There are other excellent distros available, such as Endian and ClearOS. ClearOS may actually do more of what you're looking for, since you're looking more into "authentication". Think of ClearOS as an open source version of Small Business Server Premium edition. pfSense is another alternative, but I'd rather have more UTM features and pfSense lacks in doing those well.
 
> Lots of good *nix firewall distros out there which can do much of this stuff. Since many of those are free or have a free version, people immediately rush to keep the budget down by throwing it on an old x86 computer. Which can be fine, if you do it right. Use a good higher-end business-grade small form factor, with an enterprise-grade (reliable) hard drive like a WD RE series, good Intel NICs, and keep an identical model nearby for spare parts (like a power supply).

This. Just because you can run it on an old PC doesn't mean you should do it in a business environment. Reliability is a factor to consider.

And a good backup plan is essential for when your router dies and everything is down, since you can't just run to the store and buy another one.
 
Many of the people here have summed this up pretty well, but I'm just offering an outside "view" on the information given by the OP and those who offered solutions.


I think the Untangle box would be a must, and if you install it on your own hardware it can be really affordable. I don't know much about it, or the QoS module that StoneCat mentioned, but I think a UTM is really necessary these days.

Secondly, I agree with turning a PC into a router. You're going to get away far cheaper (IMO) doing it this way than you would buying an appliance to suit these needs and this many users. I could be wrong about that though.

I don't know how much money, if any, she has left to spend on getting this done right, but I'd imagine you're going to be in for at least another grand to get this done right with reliable stuff.
 
It's on a recon Core2Duo with 2GB RAM. It's not a mission-critical setup so they won't pay for redundancy. If the PC dies then they buy another one. We always have this type of PC in stock. I am keeping a backup of their config file so that if I have to rebuild then all I need do is load that. I have it down to about 40 minutes now. Very, very simple but far more features than most mid-level routers. Oh yeah, throughput - they have 150Mbps cable. I could not find a router anywhere for less than €600 that could handle the throughput, never mind even half the feature set.

I have it set up as follows: NIC1 - WAN (DHCP via ISP modem in bridge mode); NIC2 - LAN with DHCP for 2 office clients in the 192.96.48.x range; NIC3 - LAN2 with DHCP for wireless clients, including local user authentication via captive portal and MAC address filtering. This includes things like max bandwidth per client, max speed per client, max connections per user, dynamic traffic shaping, etc. I didn't bother with RADIUS as there was no advantage to doing so and using it increased complexity.

The features this thing has you would normally only find on very high level routers costing thousands.

With regard to the UTM aspect: Untangle would be good, but its requirements to handle the possible number of users were too high IMO and its routing feature set was too low. The residents are getting this FOC, so the client is not worried about providing edge security, and her own office clients are only switched on a couple of hours a day.
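As an added worked example (not from any poster in this thread and not seedubya's actual config), here is what the "iptables wizard" route from the earlier Linux-router post and the per-client caps seedubya describes on NIC3 look like on a plain Linux box: a MAC/IP allowlist chain in iptables plus one HTB class per client in tc. The interface name eth2, the 10.10.0.0/24 client range, the 4 Mbit/s per-client cap and the allowlist entries are all assumptions; the script prints the commands by default, and DRY_RUN=0 applies them (needs root, tc and iptables).

```shell
#!/bin/sh
# Added example: per-client download caps plus a MAC/IP allowlist on a
# Linux router, built from tc (HTB) and iptables. Not from the thread.
# Assumptions: wireless LAN on eth2, clients in 10.10.0.0/24, a 150 Mbit/s
# uplink, and a hypothetical 4 Mbit/s cap per client.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them,
# which needs root, tc and iptables.

LAN_IF=${LAN_IF:-eth2}
UPLINK_KBIT=${UPLINK_KBIT:-150000}
PER_CLIENT_KBIT=${PER_CLIENT_KBIT:-4000}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A MAC is six hex pairs separated by colons; anything else is rejected
# before it ever reaches iptables.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# One HTB leaf class per client, keyed by the last octet of its IP so the
# class ids stay unique inside a /24.
class_id_for_ip() {
    printf '%s' "${1##*.}"
}

# Root HTB on the LAN interface; default class 1:999 catches anything not
# matched by a per-client filter and keeps it slow.
setup_root() {
    run tc qdisc del dev "$LAN_IF" root || true
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 999
    run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit"
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:999 htb rate 256kbit ceil 1024kbit
}

# Cap what one client can download: traffic leaving LAN_IF towards the
# client's IP goes into its own class (rate == ceil, so no borrowing) with
# SFQ underneath so one flow cannot hog the class.
shape_client() {
    cip=$1
    cid=$(class_id_for_ip "$cip")
    run tc class add dev "$LAN_IF" parent 1:1 classid "1:$cid" htb \
        rate "${PER_CLIENT_KBIT}kbit" ceil "${PER_CLIENT_KBIT}kbit"
    run tc qdisc add dev "$LAN_IF" parent "1:$cid" handle "$cid:" sfq perturb 10
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 \
        match ip dst "$cip/32" flowid "1:$cid"
}

# Read "MAC,IP" lines from stdin. Only listed pairs are forwarded off the
# wireless LAN; a spoofed IP with the wrong MAC (or vice versa) is dropped.
# Each accepted client is also shaped.
apply_allowlist() {
    run iptables -N WIFI_ALLOW || true
    run iptables -F WIFI_ALLOW
    while IFS=, read -r mac cip; do
        case $mac in ''|'#'*) continue ;; esac
        if ! valid_mac "$mac"; then
            printf 'skipping malformed MAC: %s\n' "$mac" >&2
            continue
        fi
        run iptables -A WIFI_ALLOW -i "$LAN_IF" -s "$cip" -m mac --mac-source "$mac" -j ACCEPT
        shape_client "$cip"
    done
    run iptables -A WIFI_ALLOW -i "$LAN_IF" -j DROP
    run iptables -D FORWARD -i "$LAN_IF" -j WIFI_ALLOW || true
    run iptables -I FORWARD 1 -i "$LAN_IF" -j WIFI_ALLOW
}

# Constructed sample allowlist (not real client data); the third line is
# deliberately malformed to show it being rejected.
sample_allowlist() {
    cat <<'EOF'
# mac,ip
00:11:22:33:44:55,10.10.0.42
aa:bb:cc:dd:ee:ff,10.10.0.43
not-a-mac,10.10.0.44
EOF
}

setup_root
sample_allowlist | apply_allowlist
```

This only caps the download direction (egress on the LAN interface); capping uploads needs ingress policing or an IFB device. The MAC match is a deterrent, not authentication: any client can set its own MAC, which is why pairing it with per-user captive-portal credentials, as the post does, is the right call.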
 
Meraki APs would have fit the bill, albeit VERY expensive. They have centralized management and the ability to throttle bandwidth back for certain clients.
 
pfSense can do rudimentary UTM, nothing like the paid Untangle, but worth looking into. Lots of articles on smallnetbuilder and other places on the web.
 
I have put together a pfSense box for this purpose for a school with 250+ devices. The captive portal on pfSense works great and is fairly easy to configure.
 