Need to Achieve the impossible

Lunas ([H]F Junkie, joined Jul 22, 2001, 10,048 messages)
The motel I work in needs a firewall that fits the following requirements.

  1. Users: up to 50, expect about 30
  2. Deep packet inspection, with the intention of blocking P2P
  3. Needs to not lock up every 2-3 days
  4. No subscriptions for the content filter
  5. Max budget: 150
  6. I have 5 wireless APs; 2 are directly connected to the current router, 3 are connected to 2 switches off that router.

Now, when you guys pull yourselves off the floor from laughing: I'm dead serious, 150, not a dime more. It is not my money.
Also, the space I have is not a real wiring closet, maybe a 3-foot-wide chase with a shelf and power, so no PC running a *nix firewall.
 
I unfortunately don't have a cheap/amazing solution to your question. I however will be watching this post to see if anyone can even suggest something in this area with the requirements listed.

My only suggestion would be to possibly work a deal out with a local ISP/tech company to set up the equipment and advertise that this company donated the equipment for use.
 
I'm interested as well because I'm pretty stumped at the needs for the price and space ruling any third-party builds out. Probably not impossible, but damn it's asking a lot for so little.

The only thing I can think of that's out there right now is an EdgeRouter Lite ($99) and MikroTik devices (upwards of $150) that could possibly do all that. I'm not experienced well enough with either to know of their capabilities as far as DPI (IDP/IPS) goes and/or any subscriptions required.
 
The closest I saw was the ZyWALL USG20, but it uses a subscription-based service for the content filtering.
 
Also, the space I have is not a real wiring closet, maybe a 3-foot-wide chase with a shelf and power, so no PC running a *nix firewall.

If there is no power then how do you plan to use anything at all, including any switch or anything? You can't filter packets and block P2P with magic fairy dust.
 
If there is no power then how do you plan to use anything at all, including any switch or anything? You can't filter packets and block P2P with magic fairy dust.

All I have is a small 6-inch-wide shelf and a UPS whose battery is probably long dead. That is where the cable modem is. There is about 900 ft of building made with brick and cinder blocks that the 5 APs cover. The current router has locked up on us every 3-6 days, and we have had 2 copyright notices from our provider...

I just need to block P2P somehow and make the router so it doesn't lock up. I suppose I could fit a PC there, but the space is awfully small, and I would need a PC and a router that would not lock up.
 
Why do you need a PC AND a router? A PC can be a router...

But good luck finding a decent no-subscription content filter.

It's real simple: tell them it can't be done for $150, then walk away lol. How much money will it cost them if they do nothing?

Your best bet would be a small Linux box, but how effective it will be is questionable.
 
Alix board and pfSense is the closest I can come. $170-$200, but it'll do what you need: low power and silent. Small as hell too.

How much traffic are we talking?

Another option is to re-purpose a thin client that has a PCI slot. I've done that before with great success.

Also could try something like this, runs a FULL install which means it'll literally do everything you want.
 
Now, when you guys pull yourselves off the floor from laughing: I'm dead serious, 150, not a dime more. It is not my money.

My suggestion: personally, I think you should not offer public internet service until you get a realistic budget; anything you try to manage at that cost won't meet your requirements.

Untangle or pfSense can both do protocol control to block the P2P traffic, but you need a reliable piece of hardware to put it on, which, if it needs to sit on a 6-inch shelf, likely will not be under 150.
 
Well, there might be a little more give than 150. As for traffic, I have a 100 Mb down / 15 up connection with 28-32 users; the traffic expected is anything from gaming to business web surfing, with Netflix on half those users.
 
I think you can put pfSense on some older WatchGuards; snag one off eBay and load it up. That's going to be your best bet.
 
Maybe pfSense on a Raspberry Pi? lol.

For 150 you're pretty much looking at a Linksys or D-Link router. :D
 
Everything I can think of has a subscription for content...

except for *nix stuff, e.g. pfSense.
 
I know it is out of the price range I quoted, but then again, getting a 10k+ fine is a good motivator for him to chuck in an extra 50-70 for the right setup.

I was recommended a SonicWall for 214.
 
SonicWalls are subscription based and have limited throughput when filtering is used; it must be sized appropriately and the correct licenses purchased.
 
What's wrong with this?

http://www.ebay.com/itm/Pfsense-2-1...t=US_Firewall_VPN_Devices&hash=item4ad245c32d

Mentioned earlier... at $109.95 it seems to meet your budget, and with some tweaking will do what you want... but pushing 100 Mbps while doing that might be tough...

Space available, apparently. Even if the budget was bumped up, we haven't even got into the discussion of throughput yet. A pfSense box would probably be the only decent way to get high throughput for the lowest cost.

All those subscription (free or not) based services just destroy throughput, especially with 30+ users.
 
With that kind of budget, your best bet, as a previous poster mentioned, is OpenDNS for free content filtering. Create a free account and you'll have a little more control over the categories you want to block.

Then spend the $150 on the best off-the-shelf router possible. Most higher-end consumer routers these days should have options to block certain ports or applications.

Don't pfSense and Untangle need two NICs? With limited space, I don't think any SFF PC will have two NICs onboard.
 
With that kind of budget, your best bet, as a previous poster mentioned, is OpenDNS for free content filtering. Create a free account and you'll have a little more control over the categories you want to block.

Then spend the $150 on the best off-the-shelf router possible. Most higher-end consumer routers these days should have options to block certain ports or applications.

Don't pfSense and Untangle need two NICs? With limited space, I don't think any SFF PC will have two NICs onboard.

There are plenty of cheap mini-ITX boards with 2 gigabit NICs.
 
Nothing worth bothering with for that budget.

Tell them to lower their expectations, 'cause for $150 they won't get much at all.

My vote would be a Meraki MX60, but that requires an investment and support contract. Have fun jerking with whatever janky setup they end up buying. Time is money and it is finite, and you cannot get it back.
 
Could be worse: he used to have a wireless link that was 30 Mb down / 5 Mb up. We talked my boss into upgrading to this current setup; it took 3 years. Right now my main issue is with piracy and getting notices from the ISP. I hooked it up to the OpenDNS option mentioned and I have already hit over 300 requests.
 
Invest in a pfSense appliance or captive portal appliance, set up a captive portal and charge $5 for the access with time vouchers. The appliance is paid for in the first month, I guarantee it.

Tutorial
 
Know what, I joked about the Raspberry Pi a while ago, but maybe this could work: get a Pi and a USB Ethernet adapter that is known to be compatible with a Linux distro that runs on the Pi (may require some research).

Get a very plain Linux distro going on it, and use iptables to do port blocking. You'll probably have to do NAT as well, though it would be easier if you just put the existing router in front of it, then connect the switch to the Pi. So it would look like this:

Internet modem -> Existing router -> Raspberry Pi -> Ethernet switch feeding clients

The Pi would basically act as a router; between the existing router and the Pi would be, say, the 192.168.0.x range, and then the other side would be 192.168.1.x. The Pi, through iptables, would be set up to reject outgoing packets from the 192.168.1.x network if the destination port is above 1024. Or you could be more granular and block everything but ports 80 and 443 if it's strictly web you want, and that's it.

I'm not sure how good a Pi would be at doing this sort of packet routing, but as far as I know packet routing does not require many resources, so it would probably do half decent.

I think $1,000 would be a better budget; it would buy the parts needed to build a proper pfSense box in a 1U rackmount case. Would end up costing a bit less than that, actually. Could probably even do it for about 600 bucks.

Don't use any of that garbage that requires a subscription, though. It will cost more in the long run.
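The iptables policy for the "existing router -> Pi -> switch" layout described in the post above, as an added example that is not from the thread. Interface names (eth0 toward the 192.168.0.x router, eth1 toward the 192.168.1.x switch) are assumptions; with no argument the script only prints the rules so they can be reviewed, and "apply" loads them.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the FORWARD/NAT rules for a Pi
# sitting between the existing router (192.168.0.x side) and the client switch
# (192.168.1.x side). Interface names and subnet are assumptions; override via env.
WAN_IF=${WAN_IF:-eth0}            # toward the existing router
LAN_IF=${LAN_IF:-eth1}            # toward the client switch
LAN_NET=${LAN_NET:-192.168.1.0/24}

# mode "ports"   : reject new client flows to destination ports above 1024
# mode "weblist" : allow only DNS, HTTP and HTTPS out, drop everything else
gen_rules() {
    mode=${1:-ports}
    echo "iptables -P FORWARD DROP"
    # replies to connections the clients opened must be allowed back through
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    case "$mode" in
    ports)
        # block high destination ports (where most P2P listens), let the rest out
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 1025:65535 -j REJECT"
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 1025:65535 -j REJECT"
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
        ;;
    weblist)
        # port 53 must stay open or the "web only" policy breaks name resolution
        for port in 53 80 443; do
            echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $port -j ACCEPT"
        done
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT"
        ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # hide the client subnet behind the Pi's 192.168.0.x address
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

if [ "$1" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    rules=$(gen_rules "${2:-ports}") || exit 1
    printf '%s\n' "$rules" | sh -e
else
    gen_rules "${1:-ports}"
fi
```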
 
Could be worse: he used to have a wireless link that was 30 Mb down / 5 Mb up. We talked my boss into upgrading to this current setup; it took 3 years. Right now my main issue is with piracy and getting notices from the ISP. I hooked it up to the OpenDNS option mentioned and I have already hit over 300 requests.


Are these employees? Might be easier checking each machine under the company's control manually to find out the culprit. If something isn't written, then there should be a written clause every employee signs immediately stating that using the network for anything other than work is grounds for immediate termination and possible legal action. Read it aloud to all of them so they get it through their heads.

Monitoring the network is a more tedious method, but it isn't too difficult if the organization is small. You'll see a flood of one internal address making a ton of UDP connections, which you could probably filter by.
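The "one internal address making a ton of UDP connections" check from the post above, as an added example that is not from the thread. It counts distinct UDP peers per client on conntrack-style flow records; the records below are constructed for the example, and 192.168.1.0/24 as the client LAN is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Flags internal hosts talking UDP to many
# distinct peers, the pattern a P2P client leaves in the connection table.
# SAMPLE_FLOWS is constructed; on a real box pipe in "conntrack -L" or
# "cat /proc/net/nf_conntrack" output instead.
SAMPLE_FLOWS='udp      17 28 src=192.168.1.23 dst=203.0.113.10 sport=51413 dport=6881 src=203.0.113.10 dst=192.168.1.23 sport=6881 dport=51413
udp      17 25 src=192.168.1.23 dst=198.51.100.7 sport=51413 dport=51413 [UNREPLIED]
udp      17 29 src=192.168.1.23 dst=203.0.113.44 sport=51413 dport=16881
udp      17 22 src=192.168.1.23 dst=192.0.2.90 sport=51413 dport=6881
udp      17 27 src=192.168.1.23 dst=198.51.100.3 sport=51413 dport=40000
udp      17 30 src=192.168.1.23 dst=203.0.113.10 sport=51413 dport=6881
udp      17 40 src=192.168.1.15 dst=192.168.0.1 sport=53021 dport=53
tcp      6 431999 ESTABLISHED src=192.168.1.15 dst=198.51.100.9 sport=44512 dport=443
udp      17 12 src=192.168.1.40 dst=192.168.0.1 sport=60001 dport=53
udp      17 30 src=192.168.1.40 dst=203.0.113.5 sport=50000 dport=3478'

# udp_talkers [threshold]: reads flow records on stdin, prints "count source"
# for client hosts with at least <threshold> (default 5) distinct UDP peers.
udp_talkers() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        $1 == "udp" {
            src = ""; dst = ""; dport = ""
            # only the first src/dst/dport are the original direction; the
            # reply tuple later on the line repeats them swapped
            for (i = 4; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src" && src == "") src = kv[2]
                else if (kv[1] == "dst" && dst == "") dst = kv[2]
                else if (kv[1] == "dport" && dport == "") dport = kv[2]
            }
            # count each dst:dport peer once per internal source
            if (src ~ /^192\.168\.1\./ && !seen[src, dst ":" dport]++) peers[src]++
        }
        END { for (s in peers) if (peers[s] + 0 >= t + 0) printf "%d %s\n", peers[s], s }
    ' | sort -rn
}

# on the constructed sample only 192.168.1.23 (5 distinct peers) is reported
printf '%s\n' "$SAMPLE_FLOWS" | udp_talkers 5
```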
 
Ima have to agree with a firewall being an OpenBSD or other pfSense box.
Gonna be manual shit nonstop, but with that budget, no clue.
 
Are these employees? Might be easier checking each machine under the company's control manually to find out the culprit. If something isn't written, then there should be a written clause every employee signs immediately stating that using the network for anything other than work is grounds for immediate termination and possible legal action. Read it aloud to all of them so they get it through their heads.

Monitoring the network is a more tedious method, but it isn't too difficult if the organization is small. You'll see a flood of one internal address making a ton of UDP connections, which you could probably filter by.

Customers/tenants. At any given time there are only 1-3 employees on the job: a housekeeper, a maintenance guy and a desk clerk. The only one who has time to do such things is the desk clerk, but that is me. The only thing I can do is narrow down where exactly they are and adjust the speed they get right now.
 
An 8-year-old Core 2 machine with 2 NICs and pfSense could do this no problem.

There are a world of options to make that work, cases, mods, whatever..

If you can't make that fit into your space, that's your problem.
 
Hmm, found an issue for the OpenDNS solution: it is easy to bypass. All you do to fix that is assign your own DNS to your PC.
 