There is a fine line between useful access and too little access in a
campus environment.  I've had pretty good luck in the MDUs I've put
pfsense boxes in.  Doing direct comparison to other products like
L7-filter based linux boxes and some commercial solutions the pfsense
box does what it does and does it well.
What I normally do is run the shaping wizard (which is pretty darned
good out of the box) and make tweaks to it as needed while running
dnsmasq, squid and NAT.  I run pfflowd on all boxes and ntop on a few,
exporting flow data to a collector that I can go and look to glean
use/abuse.  The problem I've run into is that blocking stuff altogether
is almost more trouble than it's worth.  There will always be some
political reason to unblock something and, when it boils down to it,
it's my opinion that default deny in a [historically open] campus
environment is trying to solve a user education issue with technology.
I like to educate my users by shutting their port off if they are
overly abusive.  It's going to be nearly impossible to curb file
sharing in an environment such as that, I've had better luck teaching
reasonable limits.
There are also some pretty cool custom things you can do with flow
data and QoS to automate tier based access if you want to do a little
coding.

nb

On 6/22/07, Mikael Syska <[EMAIL PROTECTED]> wrote:
Hi Greg,

Greg Hennessy wrote:
>> Hi ...
>>
>> I've just got the "duty" to find possible solutions for a kollegium
>> network (where a lot of young people use p2p programs)
>>
>
> How many users ?
>
We are only talking about 100 max, a small kollegium in Denmark.
>
>> with a new router/firewall ... considering pfsense in a soekris box or
>>
> maybe even
>
>> a computer.
>>
>
> If you're talking about a typical college campus sized network with hundreds
> of active users, something like a soekris is not going to be able to handle
> the packet rate or have enough grunt/memory for shaping IMHO.
>
Guess you are talking about a much bigger number of users ... but there
are only 100 here.
>
>> Since the primary goal is to stop p2p traffic,
>>
>
> There are a number of ways of doing this, all dependent on budget & the
> political will to tell freeloaders to go forth and multiply.
>
> The quickest and easiest way to achieve that goal is to run a default block
> policy, combined with proxied access to that subset of services which are
> deemed operationally essential.
>
> There is no reason for students to have routed egress access to the internet
> over your campus network. There is even less reason to grant fully routed
> ingress access from the internet.
>
> Especially when the result is severely degraded service for the vast
> majority who need campus facilities for real work.
>
> If a default block policy is politically unacceptable, only allow out
> specific services < port 1024.
>
It's not acceptable to block all ports over 1024 ...
> Proxy http and other services to kill p2p tunnelling out over them and shape
> all locally initiated traffic to ports > 1024 down to say 10% of your
> internet pipe size.
>
OK, the more I read, this seems to be the right way to go ...
> Implement strict demarcation between student and campus network
> infrastructure using vlans, one can then use QoS on the core to shape
> traffic appropriately.
>
yep
>
>
> Gre
Mikael Syska
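A pf.conf sketch of the policy Greg lays out above (default block, a named set of essential services below port 1024, web only through squid, everything a student starts toward ports above 1024 shaped into a 10% queue), as an added example that is not part of the thread or of pfSense's generated rules; the interface names, subnets, proxy address, service list and 20Mb uplink size are assumptions.

```pf
# Constructed example, not from the thread. Names, addresses and the
# uplink size are assumptions; adjust to the real box.
ext_if      = "em0"            # internet uplink
student_if  = "em1"            # student VLAN, separate from campus infrastructure
student_net = "10.10.0.0/24"
proxy       = "10.0.0.5"       # squid on the campus side, listening on 3128
essential   = "{ 22 25 53 110 143 993 995 }"   # services deemed operationally essential

set skip on lo0
scrub in all

# Shaping: student traffic to ports > 1024 shares one queue hard-capped
# at 10% of the pipe (no borrow); everything else gets the remaining 90%.
altq on $ext_if cbq bandwidth 20Mb queue { q_std, q_hiport }
queue q_std    bandwidth 90% cbq(default borrow)
queue q_hiport bandwidth 10% cbq

nat on $ext_if from $student_net to any -> ($ext_if)

# Default block in both directions, logged so flow/abuse review has data.
block log all

# No routed ingress from the internet toward the student VLAN.
block in quick on $ext_if from any to $student_net

# Web only via the proxy: direct 80/443 is not listed anywhere, so it is blocked,
# which also closes p2p tunnelling over plain http from the student side.
pass in on $student_if proto tcp from $student_net to $proxy port 3128 keep state

# Named low ports may go out directly.
pass in on $student_if proto { tcp udp } from $student_net to any port $essential \
    tag STUDENT_LOW keep state

# High ports are allowed but land in the capped queue.
pass in on $student_if proto { tcp udp } from $student_net to any port > 1024 \
    tag STUDENT_HI queue q_hiport keep state

# Matching egress on the uplink, selected by tag since NAT has rewritten the source.
pass out on $ext_if tagged STUDENT_LOW keep state
pass out on $ext_if tagged STUDENT_HI queue q_hiport keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -vsq` to confirm q_hiport is the queue absorbing the high-port traffic.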

