Thanks for the reply Chris.

On Wed, Apr 1, 2009 at 5:15 PM, Chris Buechler <c...@pfsense.org> wrote:
> On Mon, Mar 30, 2009 at 11:32 PM, Tim Dressel <tjdres...@gmail.com> wrote:
>> Hi folks,
>>
>> I have inherited about a dozen schools with internet connections
>> between 2Mbit and 10Mbit. Each school has a PFSense box (standard PC,
>> hard disk, 1GB ram, 3 nics).
>>
>> Each PFSense is configured as WAN, LAN, and OPT1, where OPT1 has
>> several unsecured access points connected to provide wireless service.
>> OPT1 is configured with the Captive Portal, which authenticates to a
>> school-specific radius server hosting account information just for
>> that school's users. Most resources are located on the LAN (a handful
>> of printers, a few NAS boxes, etc), and for devices that regularly
>> need wireless access, a MAC address entry is entered on the Captive
>> Portal so those users can bypass it on a regular basis (say a teacher
>> who lives in a laptop). For students who need wireless, we force them
>> to authenticate to the Captive Portal. OPT1 (once authenticated or with a
>> MAC entry) has access to LAN and to WAN over those wide open access
>> points.
>>
>> I need to deploy a network operating system, so need to tie together
>> all schools with site-to-site VPN. No big deal, I've already put a few
>> together on the bench.
>>
>> What I would like to have is centralized control of wireless at each
>> site, and for wireless entering the wired network I would like at
>> least some VPN functionality. Because there are several teachers and
>> administrators that on a regular basis move from school to school, the
>> way we are set up right now is to have to make individual MAC entries
>> on each of the Captive Portals on each of the schools that they might
>> visit. This is labor intensive and seems kind of lame.
>>
>> I tried setting up an entire second parallel set of PFSense boxes, and
>> did a site-to-site for all the wireless traffic, and then have a
>> single captive portal at one end of the chain of PFSense boxen. This
>> addressed the single point to control the MAC entries over the entire
>> district. But then to VPN across to the wired network, I will need to
>> set up OpenVPN connections on every device that is wireless. Using
>> OpenVPN is a bit of a pain (say 100+ devices). I was thinking about
>> using PPTP and doing authentication against AD using IAS, which would
>> make it easier (i.e. no VPN client install, just use the built-in
>> Windows VPN dialer), but then all traffic would have to be routed
>> across those site-to-site links to the point where the actual VPN
>> connection was physically being made. Keeping in mind some schools are
>> only 2Mbit circuits, this could be a pretty terrible end user
>> experience depending on which school you were physically located in.
>>
>> Tonight I was thinking about the possibility of leaving the MAC
>> address entries at each school's firewall, and then scripting a MAC
>> address entry out to each firewall. This way the clients could VPN in
>> at the school they were physically located in, and access the local
>> network resources at close to native wireless speed.
>>
>> So my questions are:
>>
>> 1. Can you script copying the MACs across multiple PFSense boxes from
>> any location (assuming this is done from the wired side of any of the
>> site-to-site VPN'd links)?
>>
>
> Should be able to do so with curl.
>
>
>> 2. Is there a better way for me to achieve a uniform wireless
>> experience with centralized administrative control?
>>
>
> Not really, there may be some sort of centralized management interface
> in the future that will accommodate things of this nature, but there
> are no definite plans for that.
>
>
>> 3. The only reason I'm considering PPTP is because of the pain it is
>> to generate OpenVPN keys... is there an easier way to deal with road
>> warriors (like Zerina for IPCop)?
>>
>
> In 2.0 yes, in 1.2.x easyrsa is the way to go. Some info here on how
> to run it on your firewall, though that's not necessarily the best
> place to put it.
> http://doc.pfsense.org/index.php/Easyrsa_for_pfSense
>
>
>> 4. I've read a bit about CARP, but it seems to be mostly related to
>> multi-WAN... any chance CARP might fit into this solution?
>>
>
> It's for hardware redundancy, and will sync the config to the backup
> firewall, but not in the manner you desire.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
>
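Chris's one-line answer to question 1 ("should be able to do so with curl") is the part of this thread a practitioner would actually have to build, so here is an added example of that script. It is not from the thread and not pfSense's own code. It assumes the 1.2.x webGUI login form posts usernamefld, passwordfld and login, and that services_captiveportal_mac_edit.php accepts mac, descr and Submit; those field names are assumptions to be checked against the HTML of the firewall you are talking to (2.x additionally requires the __csrf_magic token, which this script does not handle). The firewall addresses are constructed placeholders. The points worth copying regardless of field names: the MAC is validated and normalized before it is pasted into a request, the GUI password comes from the environment rather than argv, and curl verifies each box against an exported certificate instead of being run with -k, which would let any host on the site-to-site VPN impersonate a firewall.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense's own code): push one
# captive-portal MAC pass-through entry to every school firewall with curl.
# ASSUMPTIONS to verify against your firewall's HTML: the 1.2.x login form
# posts usernamefld/passwordfld/login, and services_captiveportal_mac_edit.php
# takes mac, descr and Submit. 2.x additionally needs the __csrf_magic token.

# Firewalls reachable over the site-to-site VPN (constructed placeholders).
FIREWALLS="${FIREWALLS:-10.1.0.1 10.2.0.1 10.3.0.1}"
PF_USER="${PF_USER:-admin}"
# Take the GUI password from the environment, never from argv (visible in ps).
PF_PASS="${PF_PASS:-}"
# Exported webGUI certificate (or the CA that signed it) so curl can verify
# each box; -k instead would let any host on the VPN impersonate a firewall.
PF_CA="${PF_CA:-/etc/ssl/pfsense-webgui.pem}"

# normalize_mac: accept 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or 001122aabbcc,
# print the lowercase colon form, return 1 for anything not 12 hex digits.
normalize_mac() {
    hex=$(printf '%s' "$1" | sed 's/[:.-]//g' | tr 'A-F' 'a-f')
    case "$hex" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed -e 's/../&:/g' -e 's/:$//'
}

# push_mac: log in to one firewall, then save the MAC entry using the session
# cookie. With DRY_RUN set it only prints what it would post.
push_mac() {
    fw=$1
    mac=$2
    descr=$3
    login_url="https://$fw/index.php"
    edit_url="https://$fw/services_captiveportal_mac_edit.php"
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'POST %s mac=%s descr=%s\n' "$edit_url" "$mac" "$descr"
        return 0
    fi
    jar=$(mktemp) || return 1
    # --data-urlencode keeps a password or description containing & or = intact.
    curl -sS --cacert "$PF_CA" -c "$jar" -o /dev/null \
        --data-urlencode "usernamefld=$PF_USER" \
        --data-urlencode "passwordfld=$PF_PASS" \
        -d 'login=Login' "$login_url" || { rm -f "$jar"; return 1; }
    curl -sS --cacert "$PF_CA" -b "$jar" -o /dev/null \
        -d "mac=$mac" --data-urlencode "descr=$descr" \
        -d 'Submit=Save' "$edit_url"
    rc=$?
    rm -f "$jar"
    return $rc
}

# push_all: validate once, then fan out to every firewall; keep going on a
# failure so one unreachable school does not block the rest.
push_all() {
    mac=$(normalize_mac "$1") || { echo "invalid MAC: $1" >&2; return 1; }
    descr=$2
    for fw in $FIREWALLS; do
        push_mac "$fw" "$mac" "$descr" || echo "failed: $fw" >&2
    done
}

# Usage: PF_PASS=... sh push_mac.sh 00-11-22-AA-BB-CC "roaming teacher laptop"
if [ $# -ge 2 ]; then
    push_all "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to see the requests before anything is sent. If the GUI shows a pending "Apply changes" after a save on your version, that request has to be scripted as well; and because the login cookie grants full admin on each box, this is a script to keep on a management host on the wired side of the VPN, not on the teachers' laptops.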