How Would You Do This - Guest Wireless Access and Filtering For Small School

rosco (Gawd; joined Jun 22, 2000; 722 messages)
I'm working with a high school that has about 90 computers. They currently have several wireless access points that have WPA2 enabled.

For web filtering, they are using a combination of the free version of Untangle and OpenDNS. Why, you ask? Because they are free.

We have two goals we want to accomplish:
1) Better content filtering as our current solution allows kids to bypass the filtering just by going to httpS://facebook.com etc. We also want to be able to allow teachers to access certain sites while still blocking it for students.

2) Guest wireless access that is open but has content filtering enabled and does NOT allow them to access our server etc. We would also like these APs to allow access to all network resources if the device authenticates, via WPA2 for example.

So, how would you guys tackle this? We have a budget of about $5000 to accomplish these goals.
 
First...you are able to stop https://facebook right now.
But moving onto the upgrade and your needs...I'd upgrade Untangle to the Education Premium bundle.

Dunno which hardware you have Untangle on...but I'd get a unit with multiple interfaces...and create a different network for the open guests...have a rack policy just for them....yes to their own APs.
And then create some policies for the internal users...also utilize the directory connector so that those users can have less restrictive filtering.
 
1) Whatever solution you go with, do not buy M86. They are the worst web filter company ever. Websense is too expensive for you. Maybe look at something like ScanSafe from Cisco. It's a cloud-based filter that might be within your budget for the number of machines you have.

2) RADIUS server combined with EAP-TLS and a dash of group policy for the wireless authentication. Then set up a WEP SSID for guests and rotate WEP keys. Set up an ACL on your router to prevent anything except DHCP and HTTP/HTTPS traffic from the guest network entering your private network. And even then only allow the DHCP traffic to your DHCP server, and the HTTP/HTTPS to your content filter. That should be secure enough with your limited budget.
 
For the guest access, I would get APs that support multiple SSIDs and VLANs (Ubiquiti makes some that are cheap, there are others), have a VLAN specifically for the guest network (ours is VLAN 666), and dump that VLAN to a gateway device on a separate internet connection (cheap DSL). That way they have their own DNS, DHCP, WAN, etc., and never need to communicate with your internal network at all.

Letting them on to your network even for just DHCP and HTTP is a bad idea. Either separate them physically, or dump them in the DMZ outside of your firewall.

For filtering, at that price point I have no experience other than free options so I can't offer any personal recommendations.

*Also, EAP-TLS in this scenario is probably more configuration headache than they want to deal with. But a centrally managed authentication method would be much better than having a single WPA2 key that never changes. PEAP would be much easier to implement and provides good security.
 
@eickst - What Ubiquiti allows multiple SSIDs? I have used their stuff before and I was trying to set one up with multiple SSIDs and their support told me they couldn't do that. Maybe they can with the newer firmware? That was about 6 months ago.

@yeoldstonecat - I guess I was trying to avoid having to have two sets of APs, one for open and one for internal.
 
Their Unifi can. That's how I have mine setup. Guest network which gets vlanned back to a different interface on my router on a different subnet. Works great, keeps my internal wireless secure from the guests.
 
Letting them on to your network even for just DHCP and HTTP is a bad idea. Either separate them physically, or dump them in the DMZ outside of your firewall.
You don't manage enterprise do you?
How is a client going to get an IP address? Are you going to manage multiple DHCP servers on each access point? Are you going to ask users to statically assign an IP?

And you should read the OP's first post. He asks for web filtering of guest web traffic. You can't get that if you dump them into a DMZ.
You must pass the HTTP/HTTPS traffic from the guest network through the filter which is behind the firewall.

Also, how is configuring an ACL that allows those 2 protocols only to specific servers a bad idea? In fact, that would be best practice given the OP's requirements.
It's also how I have my own enterprise network configured for our schools.
 
You don't manage enterprise do you?
How is a client going to get an IP address? Are you going to manage multiple DHCP servers on each access point? Are you going to ask users to statically assign an IP?


Apparently you don't manage enterprise or you would know what a VLAN is. How is a client going to get an IP address? Did you even read my post before responding?

How many AP's do you manage in your environment, may I ask?
 
@eickst - What Ubiquiti allows multiple SSIDs? I have used their stuff before and I was trying to set one up with multiple SSIDs and their support told me they couldn't do that. Maybe they can with the newer firmware? That was about 6 months ago.

The Unifi APs from Ubiquiti will do it; a 3-pack will set you back $200, so not bad at all. I have personally never deployed them in a large environment, but everyone I know that has used them, and everyone on these forums, raves about them due to the cost benefit.

If you don't trust them there are plenty of APs out there that would do what you need. The main question is if your network infrastructure can be set up to support VLANs. What kind of switches are in your network?
 
Apparently you don't manage enterprise or you would know what a VLAN is. How is a client going to get an IP address? Did you even read my post before responding?

How many AP's do you manage in your environment, may I ask?
100+
And I'm adding another 150 within 6 months.
Yes, I know exactly what a vlan is and I didn't know I had to spell out that the separate guest SSID that I recommended the OP setup would be on a separate vlan. :rolleyes:
He is going to get an IP address by configuring the ip-helper address.
Your suggestion makes no sense. Don't allow DHCP? Separate them physically? What kind of ass backwards logic is that?
So let me be more clear for you.

OP, put your guest SSID on a separate vlan THEN setup an ACL to restrict everything except DHCP traffic to your DHCP server, and HTTP/HTTPS to your web filter.

Restricting traffic on your guest network to only allow those 2 protocols AND only sending them to the appropriate servers is certainly adequate security for his needs.

I'm also assuming his equipment is capable of that level of configuration. The fact he's running Ubiquiti with Untangle, however, leads me to believe he might not have real enterprise equipment in his environment. OP sounds like he is at a charter school with the low number of workstations.
 
Forget it, don't want to derail this thread any more than it already has.
 
An example of how mine is setup.

I have two internal interfaces on my Mikrotik: one on the 10.0.0.0/8 subnet and one for internal on the 192.168.1.1/24 subnet. The router does DHCP on both interfaces and I have rules in place to block them from accessing each other.

On my internal I have a transparent bridge on Untangle that goes between the Mikrotik interface and a managed switch. All my internal stuff is off that switch. On that same switch I plugged in my Unifi AP, set it up in the internal VLAN and set up a different SSID on a second VLAN.

I then ran a second cable from the guest interface on my Mikrotik to a port on the same managed switch, took that port, unassigned it from the internal VLAN and assigned it only to the guest VLAN. It works really well. I could also then put another Untangle gateway on the guest network or add another NIC to my Untangle to filter both.
 
Also, how is configuring an ACL for those 2 protocols going to only specific servers a bad idea? In fact, that would be best practice given the OP's requirements.
It's also how I have my own enterprise network configured for our schools.

Untangle doesn't support or do VLANs, so it would have to be a managed layer 3 switch.
 
We do all our filtering (aside from second level at the LA) using Squid & Dansguardian, which are both free and only require an old Linux box. In terms of wireless guest access, I'd use a second SSID on its own VLAN, going out via our backup WAN connection, assuming you have a Layer 3/managed switch available to you.
 
Thanks for all the input.

We have a HP Procurve 1800-24G that I'm almost positive can do vlans.

If I get a Unifi AP, it would connect back to the HP switch, and I get the concept of a VLAN, at least sort of. How does the VLAN allow traffic from the Unifi AP to BOTH networks? If someone connects to guest wireless, then their traffic could only go to the internet. If they authenticate to the secured wireless, they have access to network resources. How would the VLAN know what to do since traffic from both wireless networks is coming into the same switch port?

Otherwise, I was wondering if I could have a DMZ switch that all the access points plug into and then also connects to a third interface on the untangle box. Then, configure vpn so that someone from the third interface on the untangle box could vpn into the private network.

We are most likely going to go with the standard or premium edu package from untangle as I doubt we'll find much else for pricing that's even close.

This is for a private grade school by the way. So, no lucrative public tax money available to us. Our parents pay taxes into the public school system AND pay tuition for their kids to go to this school. So, we have a pretty tight budget.
 
How would the vlan know what to do since traffic from both wireless networks is coming into the same switch port?
That is what ACLs are for.
This is for a private grade school by the way. So, no lucrative public tax money available to us. Our parents pay taxes into the public school system AND pay tuition for their kids to go to this school. So, we have a pretty tight budget.
Yup, thought so.
 
cyr0n - Would you mind getting a little more specific into how the ACL would work? I think our HP switch is capable of all this but I have never setup a vlan before. No time like the present to learn. In your prior post, you said to setup an ACL on the router. Can I do that with Untangle? I don't have any other router in place. Or, would I just do that at the switch level?

So, if I use Unifi APs, each with the two wireless networks, what device would be the DHCP server? We currently have our Windows server doing that.

I'll be honest, your prior post with needing a radius server....... was over my head. I'm hoping I can figure out the way you're explaining because having one AP provide access to both networks would be awesome.

Otherwise, our fallback plan is what I mentioned above, a DMZ switch to a third interface on the Untangle at least providing filtering for the open network.
 
@/usr/home - Your way sounds pretty interesting. I would need to get a mikrotik and the Unifi APs, but that would be it and the pricing is reasonable for those.

I'm not sure I totally grasp the whole setup though. Any way you could possibly diagram it out for me? I may just need to re-read your post a few more times.
 
I don't have your specific equipment, and from what others have said your stuff doesn't support VLANs and multiple SSIDs.

However here is an example of our ACL.
Code:
ip access-list extended 100
 remark Guest 10.129.0.0/16: log hits against the internal 10.128.0.0/16, then drop everything from guests
 10 deny ip 10.129.0.0 0.0.255.255 10.128.0.0 0.0.255.255 log
 20 deny ip 10.129.0.0 0.0.255.255 any
ip access-list extended 129
 remark Only DHCP (bootps) and DNS may reach the server 10.128.2.10
 10 permit udp any host 10.128.2.10 eq bootps
 20 permit udp any host 10.128.2.10 eq domain
 remark Nothing else into the internal ranges; everything else (Internet) is allowed
 30 deny ip any 10.128.0.0 0.0.255.255
 40 deny ip any 10.130.0.0 0.0.255.255
 50 permit ip any any
 
I think they said they weren't sure because they didn't know what I had.

Our HP switch will do VLANs. If the ACL has to be on our Untangle box (not on the switch) then that is probably an issue.

Thanks for posting your example of your ACL.

I understand that there is a difference between what the 10.129.0.0 and the 10.128.0.0 etc will be able to access. However, how is the client device assigned the correct ip address based on whether or not they authenticated?
 
As an alternative to using untangle premium or standard.

Check out the Zyxel USG 300 with the Total security package. http://www.zyxelguard.com/ZyWALL-USG300.asp?gclid=CJaH3KKb6a0CFUKFQAod_Xja6w

Most of the features are better than what you get in the untangle standard. The premium Untangle package gives you more features and better performance, but it also costs more.

Turning on IDS will really slow down the Zyxel unit, but turning on everything else you will still see 50+mbps WAN to LAN throughput.

Just something to consider. Lastly the Zyxel USG line is supported, the UTM line is way outdated.

I would also endorse using the Ubiquiti UniFis for APs. They do support multiple SSIDs.
 
As an alternative to using untangle premium or standard.


the subscriptions for those are SOOOOOOOOOOO MUCH $$$$$$$$$$$$$$$$$$$
 
I understand that there is a difference between what the 10.129.0.0 and the 10.128.0.0 etc will be able to access. However, how is the client device assigned the correct ip address based on whether or not they authenticated?
Are you referring to DHCP?
That would be done by the VLAN that the DHCP request came in on (ip helper-address).
You would set up multiple DHCP scopes.
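As an added example (not cyr0n's configuration or anything else posted in this thread), here is what the design from the two posts above looks like in Cisco IOS syntax: the AP's switch port trunked with both VLANs, a layer 3 interface per VLAN relaying DHCP to the single Windows server with ip helper-address, and an inbound ACL on the guest interface that only passes DHCP, DNS and web traffic to named servers. VLAN numbers, addresses, interface names and the filter's address are assumptions; the OP's HP 1800-24G and Untangle use different syntax, so treat this as the logic to reproduce rather than commands to paste.

```cisco
! Added example in Cisco IOS syntax. Assumed layout:
!   VLAN 10 = secured SSID (staff/students)  10.128.0.0/16
!   VLAN 20 = open guest SSID                10.129.0.0/16
!   10.128.2.10 = Windows DHCP/DNS server, 10.128.2.20 = web filter
!
! Port facing the AP: an 802.1Q trunk. The AP tags guest-SSID frames
! with VLAN 20 and sends secured-SSID frames untagged on the native
! VLAN, so the switch, not an ACL, decides which network a client is in.
interface GigabitEthernet1/0/5
 description UniFi AP (two SSIDs)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
! Internal VLAN: DHCP requests are relayed to the Windows server.
interface Vlan10
 ip address 10.128.0.1 255.255.0.0
 ip helper-address 10.128.2.10
!
! Guest VLAN: same DHCP server, separate scope (the server picks the
! scope from the relay's giaddr, here 10.129.0.1), plus the guest ACL.
interface Vlan20
 ip address 10.129.0.1 255.255.0.0
 ip helper-address 10.128.2.10
 ip access-group GUEST-IN in
!
! Inbound on the guest interface: first match wins, and anything not
! listed hits the implicit deny at the end.
ip access-list extended GUEST-IN
 remark A new client's DISCOVER/REQUEST is broadcast before it has an address,
 remark so permit the broadcast form as well as unicast renewals to the server
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp any eq bootpc host 10.128.2.10 eq bootps
 remark DNS only to the internal resolver (or hand guests OpenDNS instead)
 permit udp any host 10.128.2.10 eq domain
 remark Web traffic only to the filter, then nothing else into 10.128.0.0/16
 permit tcp any host 10.128.2.20 eq www
 permit tcp any host 10.128.2.20 eq 443
 deny   ip any 10.128.0.0 0.0.255.255 log
 remark With an in-line (transparent) filter instead of an explicit proxy,
 remark replace the two permit tcp lines with permit tcp any any eq www / 443
 deny   ip any any log
```

The two DHCP lines are the part people usually get wrong: the inbound ACL is evaluated before the relay, so if only unicast to the server is permitted, new guest clients never get a lease while existing ones keep renewing, which looks like an intermittent fault. The `deny ... log` lines are there so a guest probing the internal range shows up in the router log rather than silently timing out.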
 
the subscriptions for those are SOOOOOOOOOOO MUCH $$$$$$$$$$$$$$$$$$$

Zyxel subscription is $552 yearly.

Untangle Standard $846 per year

Untangle Premium $1080 per year.

The pricing comparison below does not include the hardware costs for Untangle.

The Zyxel give you more/better features for your money and breaks even at 32 months compared to Untangle Standard.

Zyxel is less expensive than Untangle premium after 24 months.
 
I'm a little leery of Zyxel. I just don't know much about them. What web filtering technology are they using? I doubt they wrote their own.

@cyr0n - Yes, I was referring to DHCP. In your setup, which device contains the logic to know that the wireless device authenticated to the secure wlan so it gets an IP in that ip scheme?
 
The content filtering is by bluecoat.


I can't speak for all their products, but I can say that they are a competitor to Sonicwall, and that I replaced a Cisco RV082 Rev 2 with a Zyxel USG 200 and couldn't be happier.

It runs on a custom BSD OS, so reliability is not in question.

If you do go with Zyxel, make sure you CALL support, do not bother to e-mail them. They're known for taking their time when you e-mail for support. My experience was a good one; we're on FIOS 30/30 Mbps with about 50 active users and about 70 terminals.
The USG also has LDAP authentication and supports RADIUS. It also supports VLANs, multiple DHCP scopes and static routing. The only limitation is CPU resources. The inter-LAN speed on the Gigabit ports is about 300Mbps. Also, it cannot run all its features at once and maintain that speed. I think with everything on, WAN to LAN drops to 14Mbps. Turn off IDP and the performance comes up to about 35Mbps. Turn off AV and you're up to 70Mbps.

The 50-300 models have the same CPU. The model 1000 and higher have Pentium CPUs and are significantly faster and more expensive.
 
The Zyxel gives you more/better features for your money and breaks even at 32 months compared to Untangle Standard.

Have you actually compared the 2 side by side...each individual feature..and produced a list of pros/cons of each...to make a claim that the Zyxel has "more" features and "better" features?
 
Honestly, I would just toss an untangle box up. 4 network cards
1-DMZ
2-general filtered access
3-More general filtered access
4- Super filtered wireless (separate VLAN/IP range)

Can be easily done under a grand and is VERY easy to set up.
 
@ChRoNo16 - I agree, that way is simple. However, what I am trying to do is make it so that each access point is actually two wireless networks: one open network that provides filtered internet access for guests, and one secured network that allows users to access our internal network resources.

So, the dual wireless networks is the extra wrinkle I am trying to figure out.
 
I would assume you would have to use more than one access point at each interval then.
 