Hi folks,

I have inherited about a dozen schools with internet connections between 2Mbit and 10Mbit. Each school has a pfSense box (standard PC, hard disk, 1GB RAM, 3 NICs).

Each pfSense is configured as WAN, LAN, and OPT1, where OPT1 has several unsecured access points connected to provide wireless service. OPT1 is configured with the Captive Portal, which authenticates to a school-specific RADIUS server hosting account information just for that school's users. Most resources are located on the LAN (a handful of printers, a few NAS boxes, etc.), and for devices that regularly need wireless access, a MAC address entry is entered on the Captive Portal so those users can bypass it on a regular basis (say a teacher who lives in a laptop). For students who need wireless, we force them to authenticate to the Captive Portal. OPT1 (once authenticated or with a MAC entry) has access to LAN and to WAN over those wide open access points.

I need to deploy a network operating system, so I need to tie together all schools with site-to-site VPN. No big deal, I've already put a few together on the bench. What I would like to have is centralized control of wireless at each site, and for wireless entering the wired network I would like at least some VPN functionality.

Because there are several teachers and administrators that on a regular basis move from school to school, the way we are set up right now is to have to make individual MAC entries on each of the Captive Portals at each of the schools that they might visit. This is labor intensive and seems kind of lame.

I tried setting up an entire second parallel set of pfSense boxes, did a site-to-site for all the wireless traffic, and then had a single captive portal at one end of the chain of pfSense boxen. This addressed the single point to control the MAC entries over the entire district. But then to VPN across to the wired network, I will need to set up OpenVPN connections on every device that is wireless. Using OpenVPN is a bit of a pain (say 100+ devices). I was thinking about using PPTP and doing authentication against AD using IAS, which would make it easier (i.e. no VPN client install, just use the built-in Windows VPN dialer), but then all traffic would have to be routed across those site-to-site links to the point where the actual VPN connection was physically being made. Keeping in mind some schools are only 2Mbit circuits, this could be a pretty terrible end user experience depending on which school you were physically located in.

Tonight I was thinking about the possibility of leaving the MAC address entries at each school's firewall, and then scripting a MAC address entry out to each firewall. This way the clients could VPN in at the school they were physically located in, and access the local network resources at close to native wireless speed.

So my questions are:

1. Can you script copying the MACs across multiple pfSense boxes from any location (assuming doing it from the wired side of any of the site-to-site VPN'd links)?
2. Is there a better way for me to achieve a uniform wireless experience with centralized administrative control?
3. The only reason I'm considering PPTP is because of the pain it is to generate OpenVPN keys... is there an easier way to deal with road warriors (like Zerina for IPCop)?
4. I've read a bit about CARP, but it seems to be mostly related to multi-WAN... any chance CARP might fit into this solution?

Thanks very much for reading this!

With kindest regards,
Tim

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
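The first question above (scripting the MAC pass-through entries out to every school's firewall) comes down to keeping one central roster of device MACs and computing, per site, what has to be added or removed. The script below is an added example, not code from the original post or from the pfSense project. It assumes, as a labelled guess rather than a documented format, that each box's captive portal pass-through list appears in its config.xml as `<captiveportal><passthrumac><mac>` elements; the sample config.xml strings and the roster are constructed inline so the example runs offline. How the resulting adds and removes get applied on each box (editing the config over SSH and reloading the portal) is left to the operator.

```python
"""Plan captive-portal MAC pass-through changes for several pfSense boxes
from one central roster.

Added example; not pfSense project code. ASSUMPTION: pass-through entries
live in config.xml as <captiveportal><passthrumac><mac>...</mac></passthrumac>.
The roster is treated as the source of truth for every site it mentions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample roster: MAC -> description and the schools where it may bypass the portal.
ROSTER = {
    "00-11-22-33-44-55": {"descr": "Roaming teacher laptop", "sites": {"school-a", "school-b"}},
    "0011.2233.4466":    {"descr": "Admin tablet",           "sites": {"school-b"}},
}

# Constructed sample config.xml fragments, one per firewall (not real exports).
SAMPLE_CONFIGS = {
    "school-a": """<pfsense><captiveportal>
        <passthrumac><mac>00:11:22:33:44:55</mac><descr>Roaming teacher laptop</descr></passthrumac>
        <passthrumac><mac>AA:BB:CC:DD:EE:01</mac><descr>stale entry from last year</descr></passthrumac>
    </captiveportal></pfsense>""",
    "school-b": "<pfsense><captiveportal></captiveportal></pfsense>",
}


def normalize_mac(raw):
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or colon form; return lower-case colon form.

    Malformed, multicast or broadcast addresses raise ValueError: an entry in the
    wrong shape would otherwise sit in the portal config and silently match nothing.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC: {raw!r}")
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()
    if int(mac[:2], 16) & 0x01:  # I/G bit set: group address, never a client NIC
        raise ValueError(f"multicast/broadcast MAC not allowed: {raw!r}")
    return mac


def parse_passthru(config_xml):
    """Return the set of normalized pass-through MACs found in one config.xml string."""
    root = ET.fromstring(config_xml)
    found = set()
    for node in root.iter("passthrumac"):  # ASSUMED element name
        mac = node.findtext("mac")
        if mac:
            found.add(normalize_mac(mac))
    return found


def plan_changes(roster, current_by_site):
    """Diff the roster against each site's current list.

    Returns {site: {"add": [...], "remove": [...]}} with sorted MAC lists.
    Entries present on a box but absent from the roster are scheduled for removal,
    so the central roster, not the individual boxes, is authoritative.
    """
    desired = {site: set() for site in current_by_site}
    for mac, entry in roster.items():
        for site in entry["sites"]:
            desired.setdefault(site, set()).add(normalize_mac(mac))
    plan = {}
    for site, have in current_by_site.items():
        want = desired.get(site, set())
        plan[site] = {"add": sorted(want - have), "remove": sorted(have - want)}
    return plan


def plan_for_samples():
    """Run the planner over the constructed sample data."""
    current = {site: parse_passthru(xml) for site, xml in SAMPLE_CONFIGS.items()}
    return plan_changes(ROSTER, current)


if __name__ == "__main__":
    for site, change in plan_for_samples().items():
        print(f"{site}: add {change['add']} remove {change['remove']}")
```

In practice the config strings would be fetched from each box (pfSense keeps its configuration at /cf/conf/config.xml) over the wired side of the site-to-site links, and the planner's output reviewed before anything is pushed; the dry-run split between "plan" and "apply" is deliberate, since a bad roster entry would otherwise be replicated to every school at once. Note also that a MAC pass-through only identifies a device by an address the client itself presents, which is why the post's wish for some VPN layer between wireless and the wired LAN still matters even with the roster centralized.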