On Mon, Mar 30, 2009 at 11:32 PM, Tim Dressel <[email protected]> wrote:
> Hi folks,
>
> I have inherited about a dozen schools with internet connections between 2Mbit and 10Mbit. Each school has a PFSense box (standard PC, hard disk, 1GB ram, 3 nics).
>
> Each PFSense is configured as WAN, LAN, and OPT1, where OPT1 has several unsecured access points connected to provide wireless service. OPT1 is configured with the Captive Portal, which authenticates to a school-specific radius server hosting account information just for that school's users. Most resources are located on the LAN (a handful of printers, a few NAS boxes, etc), and for devices that regularly need wireless access, a MAC address entry is entered on the Captive Portal so those users can bypass it on a regular basis (say a teacher who lives in a laptop). For students who need wireless, we force them to authenticate to the Captive Portal. OPT1 (once authenticated or with a MAC entry) has access to LAN and to WAN over those wide open access points.
>
> I need to deploy a network operating system, so I need to tie together all schools with site to site VPN. No big deal, I've already put a few together on the bench.
>
> What I would like to have is centralized control of wireless at each site, and for wireless entering the wired network I would like at least some VPN functionality. Because there are several teachers and administrators that on a regular basis move from school to school, the way we are set up right now is to have to make individual MAC entries on each of the Captive Portals at each of the schools that they might visit. This is labor intensive and seems kind of lame.
>
> I tried setting up an entire second parallel set of PFSense boxes, did a site to site for all the wireless traffic, and then had a single captive portal at one end of the chain of PFSense boxen. This addressed the single point to control the MAC entries over the entire district. But then to VPN across to the wired network, I will need to set up OpenVPN connections on every device that is wireless. Using OpenVPN is a bit of a pain (say 100+ devices). I was thinking about using PPTP and doing authentication against AD using IAS, which would make it easier (i.e. no VPN client install, just use the built-in Windows VPN dialer), but then all traffic would have to be routed across those site to site links to the point where the actual VPN connection was physically being made. Keeping in mind some schools are only 2Mbit circuits, this could be a pretty terrible end user experience depending on which school you were physically located in.
>
> Tonight I was thinking about the possibility of leaving the MAC address entries at each school's firewall, and then scripting a MAC address entry out to each firewall. This way the clients could VPN in at the school they were physically located in, and access the local network resources at close to native wireless speed.
>
> So my questions are:
>
> 1. Can you script copying the MACs across multiple PFSense boxes from any location (assuming doing so from the wired side of any of the site to site VPN'd links)?
>

Should be able to do so with curl.

> 2. Is there a better way for me to achieve a uniform wireless experience with centralized administrative control?
>

Not really. There may be some sort of centralized management interface in the future that will accommodate things of this nature, but there are no definite plans for that.

> 3. The only reason I'm considering PPTP is because of the pain it is to generate OpenVPN keys... is there an easier way to deal with road warriors (like Zerina for IPCop)?
>

In 2.0 yes; in 1.2.x easyrsa is the way to go. Some info here on how to run it on your firewall, though that's not necessarily the best place to put it.
http://doc.pfsense.org/index.php/Easyrsa_for_pfSense

> 4. I've read a bit about CARP, but it seems to be mostly related to multi-wan... any chance CARP might fit into this solution?
>

It's for hardware redundancy, and will sync the config to the backup firewall, but not in the manner you desire.
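The script the first question asks about, as an added example that is not code from the thread or from pfSense: it canonicalises a MAC and then POSTs the same pass-through entry to every school firewall with curl, so the entry is made once instead of by hand on each box. The web-UI path, the form field names and the hostnames are assumed placeholders to be checked against the real captive portal MAC edit page of the pfSense version in use.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# ASSUMPTIONS (placeholders, verify against your pfSense version): the web-UI
# path CP_PATH and the form fields "mac" and "descr"; hostnames are constructed.
FIREWALLS="fw-school1.example.org fw-school2.example.org fw-school3.example.org"
CP_PATH="/services_captiveportal_mac_edit.php"
CP_USER="${CP_USER:-admin}"   # pfSense web-UI credentials taken from the environment
CP_PASS="${CP_PASS:-}"

# Canonicalise a MAC to lower-case aa:bb:cc:dd:ee:ff; accepts colon, dash and
# Cisco dotted forms. Prints nothing and returns 1 on malformed input, so a
# typo never gets fanned out to a dozen firewalls.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/[:.-]//g')
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# Send the entry to one firewall; prints the HTTP status so the caller can
# spot a box that rejected the login or the form.
push_one() {
    fw=$1; mac=$2; descr=$3
    curl -s -k -o /dev/null -w '%{http_code}' \
        -u "$CP_USER:$CP_PASS" \
        --data-urlencode "mac=$mac" \
        --data-urlencode "descr=$descr" \
        "https://$fw$CP_PATH"
}

# Fan the entry out to every firewall; returns the number of failures.
push_all() {
    mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    descr=$2; failed=0
    for fw in $FIREWALLS; do
        code=$(push_one "$fw" "$mac" "$descr")
        if [ "$code" = "200" ]; then
            echo "$fw: ok"
        else
            echo "$fw: HTTP $code" >&2; failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: CP_PASS=... ./push_mac.sh && push_all "00:11:22:AA:BB:CC" "J. Smith laptop"
```

A pass-through entry only matches the address a client presents, so it is a convenience for known devices rather than authentication; keep the per-school RADIUS login for everyone else.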
