> Hi ...
>
> I've just got the "duty" to find possible solutions for a dormitory (kollegium)
> network (where a lot of young people use p2p programs)

How many users?

> with a new router/firewall ... considering pfsense in a soekris box or maybe even
> a computer.

If you're talking about a typical college campus sized network with hundreds of active users, something like a soekris is not going to be able to handle the packet rate or have enough grunt/memory for shaping IMHO.

> Since the primary goal is to stop p2p traffic,

There are a number of ways of doing this, all dependent on budget and the political will to tell freeloaders to go forth and multiply.

The quickest and easiest way to achieve that goal is to run a default block policy, combined with proxied access to that subset of services which are deemed operationally essential. There is no reason for students to have routed egress access to the internet over your campus network. There is even less reason to grant fully routed ingress access from the internet. Especially when the result is severely degraded service for the vast majority who need campus facilities for real work.

If a default block policy is politically unacceptable, only allow out specific services < port 1024. Proxy http and other services to kill p2p tunnelling out over them, and shape all locally initiated traffic to ports > 1024 down to, say, 10% of your internet pipe size.

Implement strict demarcation between student and campus network infrastructure using VLANs, and then use QoS on the core to shape traffic appropriately.

Greg

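The policy Greg sketches (default block, student VLAN kept off the campus infrastructure, a short whitelist of services below port 1024 with HTTP forced through a proxy, and everything to ports above 1024 shaped to a tenth of the pipe) expressed as a pf.conf for FreeBSD pf with ALTQ. This is an added example, not part of the original thread and not pfSense's generated ruleset; the interface names, VLAN numbers, address ranges, the Squid proxy host and port, the 100 Mbit pipe size and the particular allowed ports are all assumptions chosen for illustration.

```pf
# Added example (not from the original post). Assumed topology:
#   em0    = internet uplink, 100 Mbit (assumed pipe size)
#   vlan10 = student residence VLAN, 10.10.0.0/16
#   vlan20 = campus/staff VLAN, 10.20.0.0/16, hosts the proxy
ext_if      = "em0"
stu_if      = "vlan10"
core_if     = "vlan20"
student_net = "10.10.0.0/16"
campus_net  = "10.20.0.0/16"
proxy       = "10.20.0.10"      # assumed Squid box on the campus VLAN
proxy_port  = "3128"            # assumed Squid listening port
dns         = "10.20.0.53"      # assumed campus resolver

# --- Shaping -----------------------------------------------------------
# ALTQ only shapes packets leaving the interface the queue is defined on,
# so this caps student upload towards the internet. A mirror-image
# "altq on $stu_if" with the same queues would be needed to cap download.
altq on $ext_if cbq bandwidth 100Mb queue { std_q, highport_q }
queue std_q      bandwidth 90% cbq(default borrow)
queue highport_q bandwidth 10%          # "10% of the pipe" for ports > 1024

# --- Translation (evaluated before filtering in this pf generation) ----
# Force student web traffic through the proxy; after rdr the filter rules
# see the packet with destination $proxy:$proxy_port.
rdr on $stu_if proto tcp from $student_net to any port 80 -> $proxy port $proxy_port

# --- Filtering ---------------------------------------------------------
set skip on lo0

# Default block in both directions: no routed ingress from the internet,
# no routed egress from students except what is explicitly passed below.
block log all

# Strict demarcation: student VLAN never reaches campus infrastructure.
# "quick" stops evaluation so no later pass rule can override it.
block in quick log on $stu_if from $student_net to $campus_net

# Whitelisted services from students (all < 1024, plus the proxy hop).
pass in on $stu_if proto udp from $student_net to $dns port 53 keep state
pass in on $stu_if proto tcp from $student_net to $proxy port $proxy_port keep state
pass in on $stu_if proto tcp from $student_net to any port { 22, 443 } keep state

# If a default block is politically unacceptable, let high ports out but
# shaped: the queue chosen at state creation is applied when the packet
# leaves on $ext_if, where highport_q is defined.
pass in on $stu_if proto { tcp, udp } from $student_net to any port > 1024 \
    queue highport_q keep state

# Traffic admitted above must also be allowed to leave; states created by
# the "pass in" rules match here, so the queue assignment is preserved.
pass out on { $ext_if, $core_if } keep state

# The proxy itself needs egress for the web requests it relays.
pass in on $core_if proto tcp from $proxy to any port { 80, 443 } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and watch `pfctl -vsq` to confirm that student high-port traffic actually lands in `highport_q` rather than the default queue. Note that the `block in quick ... to $campus_net` rule must stay ahead of the pass rules only for readability; because it carries `quick`, it wins regardless of position, which is the property you want for a demarcation rule.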