Hi Greg,
Greg Hennessy wrote:
>> Hi ...
>> I've just got the "duty" to find possible solutions for a kollegium
>> network (where a lot of young people use p2p programs)
>
> How many users?

We are only talking about 100 max, a small kollegium in Denmark.

>> with a new router/firewall ... considering pfSense in a Soekris box or
>> maybe even a computer.
>
> If you're talking about a typical college campus sized network with
> hundreds of active users, something like a Soekris is not going to be
> able to handle the packet rate or have enough grunt/memory for shaping
> IMHO.

Guess you are talking about a much bigger number of users ... hence:
there are only 100 here.

>> Since the primary goal is to stop p2p traffic,
>
> There are a number of ways of doing this, all dependent on budget & the
> political will to tell freeloaders to go forth and multiply.
>
> The quickest and easiest way to achieve that goal is to run a default
> block policy, combined with proxied access to that subset of services
> which are deemed operationally essential.
>
> There is no reason for students to have routed egress access to the
> internet over your campus network. There is even less reason to grant
> fully routed ingress access from the internet. Especially when the
> result is severely degraded service for the vast majority who need
> campus facilities for real work.
>
> If a default block policy is politically unacceptable, only allow out
> specific services < port 1024.

It's not acceptable to block all ports over 1024 ...

> Proxy http and other services to kill p2p tunnelling out over them and
> shape all locally initiated traffic to ports > 1024 down to say 10% of
> your internet pipe size.

OK, the more I read, this seems to be the right way to go ...

> Implement strict demarcation between student and campus network
> infrastructure using vlans, and then use QoS on the core to shape
> traffic appropriately.

yep

> Gre
Mikael Syska
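As an added illustration of the policy Greg outlines in the thread (default block, a named set of services below port 1024, HTTP only via a proxy, and locally initiated traffic to ports above 1024 shaped to 10% of the pipe), here is a constructed pf.conf sketch; it is not from the thread or from either author, and the interface names, addresses, proxy port, service list and 20 Mbit pipe size are assumptions for the example.

```pf
# Constructed pf.conf sketch for the policy above (not from the thread).
# Assumed: pf with ALTQ, uplink em0, student VLAN on vlan10, a 20 Mbit
# pipe, and a campus HTTP proxy at 10.0.0.10:3128. Adjust to your network.
ext_if  = "em0"
stu_if  = "vlan10"
stu_net = "10.10.0.0/24"
proxy   = "10.0.0.10"
# Services students may reach directly (all below port 1024)
stu_tcp = "{ 22 443 993 }"

# Shaping on the uplink: anything to ports > 1024 gets at most 10% (2 Mbit)
altq on $ext_if cbq bandwidth 20Mb queue { q_std, q_high }
queue q_std  bandwidth 90% cbq(default borrow)
queue q_high bandwidth 10% cbq

# Default block policy in both directions, logged
block log all

# No routed ingress from the internet to student hosts
block in quick on $ext_if from any to $stu_net

# Forwarded packets may leave the uplink; state matching handles replies
pass out on $ext_if keep state

# Everything students start towards ports > 1024 lands in the 10% queue
pass in on $stu_if proto { tcp udp } from $stu_net to any port > 1024 \
    keep state queue q_high

# DNS, the named low-port services, and HTTP only via the proxy. pf takes
# the last matching rule, so the proxy line wins over the > 1024 line.
pass in on $stu_if proto udp from $stu_net to any port 53 keep state
pass in on $stu_if proto tcp from $stu_net to any port $stu_tcp keep state
pass in on $stu_if proto tcp from $stu_net to $proxy port 3128 keep state
```

Direct port 80 from the student VLAN is never passed, so browsers must be pointed at the proxy, which is what removes the easiest tunnel for p2p clients.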