Free Untangle Alternative For School Environment?

[ElectroPulse]

Hello, all!

I am spending a year teaching computers and managing the network at a school (outside the U.S.).

The network isn't in that great of a condition... 130-140 students at the school, and their is no active directory. So, whenever students log in on a computer, they are using a shared account. I really do not like this, and am planning on overhauling the network in the next month or two.

They do, however, have an Untangle server setup here that they have been using for site blocking.

I had never had any contact with Untangle before arriving here a couple of weeks ago, but it looks like a very promising and capable management system... So far everything that I can think of that would be needed is included in the standard education package (except for the Bandwidth Control and Web Cache, unfortunately... Yes, it's about $200 extra for Premium, which compared to buying the extra add-ons individually is a steal, but hitting that $1k/year mark will probably be a rather difficult mental barrier for getting funding). However, the school here isn't rolling in money, so I am looking around to see if there are any free, or cheaper, alternatives that have what we need.

So, let me list some of the requirements:
1. Bandwidth management (we only have a 32KB/s connection, so don't want students downloading a bunch of crap whenever they have internet)
2. Policy manager, so that students will have different website restrictions than teachers
3. Web Caching (not a requirement, but would be really nice) (I understand this doesn't help with most websites, however I've read that Untangle's Web Caching will cache Windows Updates, which would be REALLY nice)
4. Some sort of active directory connection (I intend to set up an active directory here, so would like the internet management software to interface with Windows Server's AD so I don't need to manage two separate user lists)
5. Web filtering

Anyway, if there are any free/less expensive alternatives, please let me know!

Thanks!
ElectroPulse

 

[Brak710]

I recommend giving pfSense a look.

It's not really the same type of solution, as pfSense is a bit more manual for configuration, and Untangle is a lot more plug-and-play with features.

That said, I would think you'd be able to get all the functions you need out of pfSense for free. You can route/firewall, plus run any filtering/caching you need for the students. Considering your really low bandwidth, I would think caching is of high-importance to you.

I've done plenty of installs with these, and if Untangle isn't within budget - pfSense can be more than capable of pulling it off for free, it just requires more setup.

 

[calvinj]

You could do a combo of both. Put pfsense first as the main firewall, caching, bandwidth control, and then put untangle web filter and application control behind it in bridge mode.

I've always thought pfsense was the stronger firewall, but in the end untangle has nicer features for point, click and check.

 

[ElectroPulse]

Hey guys, thank you so much for the answers!

I had heard of Pfsense, but had been under the impression that it was a fairly simple router/firewall OS... Now I'm thinking that I need to look into it more.

Now, I'm wondering... How would it differ with having behind Untangle running the web filter and application control behind Pfsense, rather than having Pfsense running all of it? Would it just be for the nicer UI? If so, I would probably prefer to go with just Pfsense in that case... We actually only have one spare computer (currently the one running Untangle), and I am planning on trying to source another couple for running an AD here as well, but am not sure how difficult that will be.

Also, how light-weight is Pfsense vs. Untangle? Our "server" (just a computer that happened to be lying around, from the looks of it) isn't that beefy, so am wanting to make sure Pfsense won't be any more taxing than Untangle.

 

[Brak710]

Well, don't forget you can run them virtually, that may help you maximize resources and only need one computer for them all.

It wouldn't be hard at all to run pfSense as the firewall/router and just Untangle as a filter, but pfSense can do pretty much anything thanks to the packages. pfSense seems like a simple firewall/router, but it's usable up to 10GbE+ of traffic, and is expandable. It can quickly become fully featured and as complex as you want it.

My only complaint with pfSense is doing caching+Antivirus+filtering requires proxy chaining which seems a bit clumsy to setup - but it WILL work once it does.

 

[InorganicMatter]

Almost all of these content filter systems use DansGuardian or some fork of it. You absolutely can install it from source and try to set it up yourself, but both DG and Squid (it's dependency) are far from a walk in the park to configure from scratch.

I've never used Untangle, but if it's like any other Linux based router, it should be easy to set up DG on a Debian box, and then use iptables it to force all traffic thru it.

 

[Nate7311]

You might also look at Endian Community Firewall. It's almost a feature for feature competitor to Untangle. Not quite as polished, but the majority of features for free. The 2.5 version has really polished the interface.

 

[ElectroPulse]

Well, don't forget you can run them virtually, that may help you maximize resources and only need one computer for them all.

Hey, I'm wondering... How beefy of a computer is required in order to do virtualization? Where I worked in IT before, that was all handled by someone else, but whenever they mentioned it they mentioned it required quite a nice server (I believe they were running 16-32gb of ram, and I forget what processors... I believe there were two of them, and had a total like 16 threads between them).

Hmm.... May not be as wimpy as I initially thought. I had looked in the Untangle WebUI, and it said it had ~3.3gb of RAM. I thought this strange, since there were two sticks of RAM in the thing, so went over and craned my neck around inside it for a while, and it appears that there may be two 4gb sticks in there... But not sure. I can't see the whole sticker, but it appears that the end of the serial number is something like "4GK," which leads me to believe they're 4gb. (There was a power outage earlier today, so should've taken the opportunity to yank the RAM to see how much it's got). I went and looked, and sure enough, the Untangle installed is 32-bit... So, it looks like they've been running a 32-bit OS on a computer with 8gb of RAM in it. As for the processor, it's got a Pentium D @3.2ghz.

Would this be enough to run Windows Server 2008 R2 + Pfsense for probably a maximum of 50 simultaneous users? (though I don't know of a situation where this would happen, since we've only got 20 computer lab computers, and only the dorm students are permitted to have access to the wifi, and even then only during specific times of the day).

Thanks!

Also, I'll go check out Endian... I think I'll start a couple of these options downloading tonight, then fire up Virtualbox sometime in the next day or two to check out what they have to offer, and see how difficult they are to work with.

 

[RocketTech]

pfSense is a dimension above any consumer class router (only openWRT or DD-WRT would be close) and is simple depending on your meaning. Definitely flexible, affordable, customizable, and best of all, a huge support base. You can find pro appliances with paid support contracts to free software installed on Pentium Pro machines held together with bubblegum.

I would strongly suggest familiarizing yourself more with virtualization and pfSense separately before jumping in the deep end. Implementing pfSense in Hyper-V 2012 is not a beginner topic (not all that hard, but a lot of choices, compromises, etc).

The specs you mention would handle Server 2k8r2 and pfSense just fine, but what else will you run on the Server? I would strongly suggest a 64-bit OS, and Server 2k12 over 2k8r2. ESXi Might be the best choice on that box, for your stated plans.

Drop me a line if you run into trouble, I've deployed very similar and am working on some budget virtualized pfSense/VoIP server boxes.

 

[wizdum]

pfSense is a dimension above any consumer class router (only openWRT or DD-WRT would be close) and is simple depending on your meaning. Definitely flexible, affordable, customizable, and best of all, a huge support base. You can find pro appliances with paid support contracts to free software installed on Pentium Pro machines held together with bubblegum.

I would strongly suggest familiarizing yourself more with virtualization and pfSense separately before jumping in the deep end. Implementing pfSense in Hyper-V 2012 is not a beginner topic (not all that hard, but a lot of choices, compromises, etc).

The specs you mention would handle Server 2k8r2 and pfSense just fine, but what else will you run on the Server? I would strongly suggest a 64-bit OS, and Server 2k12 over 2k8r2. ESXi Might be the best choice on that box, for your stated plans.

Drop me a line if you run into trouble, I've deployed very similar and am working on some budget virtualized pfSense/VoIP server boxes.

I've had good luck running pfSense in a Proxmox VM. Had to use Intel NICs though, I tried using the Realtek one that was built in and it was just dropping packets like mad.

 

[koolaidkitten]

I've used both Untangle and PFsense. Both were good, but PFsene is better imo.

 

[diizzy]

You're probably better off running a plain OS than trying to make pfsense and/or untangle do all this...
If you're prepared to do some research and trial 'n error here's a few suggestions...

I'd personally go for a FreeBSD box and following software based on personal experience and preference
1. pf and altq - Pretty simple syntax and does what you want
2. Squid Web Proxy with possibly some kind of addon
3. Squid, I can already tell you that trying to cache Windows Updates using Squid which I presume Untangle does works poorly a bit and you're much better off running WSUS instead but that requires a Windows machine.
4. Samba AD and possible some connection to OpenDJ/OpenLDAP
5. Squid

I'm looking into the Samba AD thing myself but I haven't found the time yet to try it out.
Running ESXi or any type or virtualisation may/may not give you interesting issues on its own so its not always a good solution.
//Danne

 

[parityboy]

@OP

+1 for pfSense. Test it in a VM first to familiarise yourself with it; VMware Player or VirtualBox will do. I use it as a DHCP & DNS server so I have it in a Virtual Box VM on my desktop. When I get a proper setup, I'll put it on its own hardware (bare metal).

 

[MrGuvernment]

I've used both Untangle and PFsense. Both were good, but PFsene is better imo.

same here but untangle is fare easier to use, monitor and configure for a workstation environment. PFSense is still .."clumsy" and many plug-in's are beta or not well supported

there is little to no reason o run PFsense infront of untangle, they both do the same thing, but UT is more purdy GUI.

i use pfsense on servers and untangle for our workstations / employee's.