On 14-07-31 07:44 PM, Kenward Vaughan wrote:
In my quest to set up a computational lab at my school, the IT department has offered us the freedom to create this specialized lab as long as we aren't hooked up to the school's network--we are to be completely isolated. They have no one to maintain it software-wise (we will be doing that), and (I believe) fear security breaches, etc, emanating from there.

They would allow us to go outside through the Wifi spots, though, as long as it is through the open (insecure) side. There is an accessible secure (internal) network as well.

Is there a way to set up pfSense either on the internal server or a separate Internet side box to control outbound traffic by having it sign into that network then having the other machines have access?

I'm not any sort of network person (self-taught in Linux/computers in general), so please accept my apology up front if this is an idiotic question.

Thanks!


Kenward

Short answer: Yes, this can be done. Please have someone with networking experience set this up, unless you want to spend the next few months learning networking! This isn't really a pfSense-related issue at this point.

Easiest, surest (but not cheapest) way: get a separate DSL or Cable connection for your lab, and connect to the internet through that link (possibly using pfSense). Don't connect to the existing school [wired] network or WiFi [network] at all, not even the public WiFi.

Cheaper (and still secure): if the school has a firewall (it most likely does), ask if you can be connected to a dedicated interface on that firewall. That way, IT still has control over what you can and can't access, and they can protect themselves from you.

Also cheaper (and still secure): the school's WAN provider may allow you to connect more than one device to the WAN connection. This might require adding a switch between the service provider's equipment and the school's firewall, if the service provider doesn't give you a multi-port device of some sort. Either way, you plug your dedicated (possibly pfSense) firewall into another port on the WAN device. Many DSL & Cable providers install a "modem" that includes a 4- or 5-port switch built right in.

Most difficult to get working: install your firewall (possibly running pfSense) as a client on the school's public wireless network. I'm not sure if pfSense even supports this natively; you may have to use an external ethernet-to-wireless bridge (but these are fairly common devices now; anything sold as a "travel router" can probably do it, and most SoHo routers & APs can do it, too). There are many variables here, and many things to get wrong. On the other hand, this requires relatively little (i.e. possibly even zero) effort from the existing IT group, and doesn't cost much.

If you have to "sign in" to the public WiFi network, especially through some sort of login web page (like you do at public hotspots) then connecting a firewall to it is probably not going to work well, if at all...

--
-Adam Thompson
 athom...@athompso.net

_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
