Solved

router/firewall

Posted on 2013-11-16
Last Modified: 2014-03-01
Hello,

I have a network with more than 150 users,
it's a school,

since the school was opened we noticed that the internet is running very slow, so I ran a scan on the network to see who's on it.

Well, I found a set of students online with their iPhones, iPads, etc.
We have a password on the wifi but the teachers give out the password.
I would like your recommendation for a router\firewall that I can use to restrict these students from getting on to the network,

I'm looking for something that, when I see the students' devices on the network, I can use to block them by MAC address,
also I would like to block websites, such as Facebook, porn, etc.

Thanks in advance for your help
0
Question by:MVGtechnology
5 Comments
 
LVL 1

Expert Comment

by:cambo84
Use http://www.opendns.com/ to block all content types you want (it's free).  You can set that up on your router/firewall.

Any of the higher end Netgear or Linksys wireless routers can block MAC addresses.  If you have a decent budget to work with I would highly recommend going with a more industrial solution like Aerohive or Ruckus.
0
 
LVL 44

Expert Comment

by:Darr247
What brand/model[s] of APs are you running now?
0
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 250 total points
Examine the objectives.  
- You started on this path because the internet connection was "slow".
- Then you discovered users that had been OK up to that point but, now that you know, you've decided to do something about them.  Part of this is to let them continue to connect??
- What good is porn filtering if the MAC addresses are blocked?  (I'm not suggesting there is none).

At this point it appears that you intend to continue to allow the traffic (within some limits) and somehow expect the speed to improve.  How is that going to happen?

So, the first decision should be to either stop the traffic or not.
If the decision is to stop the traffic then direct measures should be taken rather than peripheral measures like web site filtering (which admits the unwanted traffic WILL exist).

If the teachers are giving out the wireless passphrase then there's an employee discipline problem.  I would probably just shut off the wireless or the entire internet just before lunch whenever a rogue MAC address showed up.  Then explain that the password had been compromised and issue a new one.  That should be enough trouble to hamper the behavior.  You'd probably get some peer pressure going.... assuming you "package" your own behavior reasonably.  :-)

If you will allow the traffic, perhaps set up a "public" wireless network with QoS throttling and maybe web filtering.  
NOTE: Web filtering of a mainstream connection is a maintenance PITA.  Are you ready for that?  Yes, after a time it will settle down.  I have one in service now for 5 months with a new web filtering method and I'm still chasing requests for changes because some web site or service is needed and can't be accessed.  And that comes after rather careful planning of which categories would be permitted and blocked.  Thus, I would filter the public network only (if at all possible).  Then if things don't work for some it's "caveat user", i.e. too bad.

If you decide to stop the traffic then a MAC filter should be good enough for all except the most clever rogue users.  And, an IP filter might also be useful for this type of blocking.  It's a bit more work to set up reserved IP addresses per allowed MAC address and a bit of maintenance when computers change permanently in and out over time.  While wireless routers will do this, many wired routers won't.  So, having one that will might be useful if you want to do this.
0
 
LVL 17

Accepted Solution

by:BudDurland
BudDurland earned 250 total points
You really should consider installing a firewall/router/proxy server.  When I worked in the school system, we deployed SmoothWall (open source version) http://www.smoothwall.org.  It's very easy to manage, has good community support, and will help you with all the issues you've mentioned.

At our school, we configured DHCP leases for the "approved" computers & devices.  These IP addresses were in a range that was allowed out to the internet (configured at the firewall/proxy).  Any others got a 'generic' IP address that did not get out to the world.  Sure, some really clever kid may eventually figure it out, but it'll be a while coming.
0
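The reserved-lease scheme described in the two answers above (a fixed IP per approved MAC, with only that range allowed out at the firewall), as an added example that is not code from the thread or from SmoothWall. It assumes dnsmasq as the DHCP server and iptables as the firewall; the addressing plan, the `eth0` WAN interface and the device inventory are constructed.

```python
import ipaddress
import re

# Constructed addressing plan (assumption, not from the thread).
LAN = ipaddress.ip_network("192.168.10.0/24")
APPROVED_FIRST = ipaddress.ip_address("192.168.10.10")  # reserved, allowed out
APPROVED_LAST = ipaddress.ip_address("192.168.10.99")
GENERIC_POOL = ("192.168.10.100", "192.168.10.250")     # everyone else, no internet
WAN_IF = "eth0"                                         # hypothetical WAN interface

def normalize_mac(raw):
    """Accept aa-bb-.., aabb.ccdd.eeff or aa:bb:..; return lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def build_reservations(inventory):
    """Give each approved (name, mac) the next free address in the approved range."""
    seen, lines = set(), []
    addr = APPROVED_FIRST
    for name, raw in inventory:
        mac = normalize_mac(raw)
        if mac in seen:
            raise ValueError(f"duplicate MAC in inventory: {mac}")
        if addr > APPROVED_LAST:
            raise ValueError("approved range exhausted")
        seen.add(mac)
        lines.append(f"dhcp-host={mac},{name},{addr}")
        addr += 1
    # Unknown devices still get a lease, but from the pool the firewall drops.
    lines.append(f"dhcp-range={GENERIC_POOL[0]},{GENERIC_POOL[1]},1h")
    return lines

def firewall_rules():
    """iptables commands: only the approved range is forwarded to the WAN."""
    return [
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -o {WAN_IF} -m iprange "
        f"--src-range {APPROVED_FIRST}-{APPROVED_LAST} -j ACCEPT",
        f"iptables -A FORWARD -o {WAN_IF} -s {LAN} -j DROP",
    ]

# Constructed sample inventory of school-owned devices.
INVENTORY = [("lab-pc-01", "00-1A-2B-3C-4D-5E"), ("teacher-laptop", "001a.2b3c.4d5f")]

if __name__ == "__main__":
    print("\n".join(build_reservations(INVENTORY) + firewall_rules()))
```

The `dhcp-host` and `dhcp-range` lines go into the dnsmasq configuration; the iptables commands are applied on the gateway in the order listed.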
 

Expert Comment

by:iKaruS_Bungle
You could consider a squid proxy for caching of web content, and squidguard for content filtering based on categories.  Both are open source.

MAC address filtering may not be effective if you use network segmentation.

You could restrict internet access based on user agent string (i.e., limit what types of browser access the internet).
0
