


Posted on 2013-11-16
Medium Priority
Last Modified: 2014-03-01

I have a network with more than 150 users; it's a school.

Since the school was opened we have noticed that the internet is running very slow, so I ran a scan on the network to see who's on it.

Well, I found a set of students online with their iPhones, iPads, etc.
We have a password on the Wi-Fi, but the teachers give out the password.
I would like your recommendation for a router/firewall that I can use to restrict these students from getting on to the network.

I'm looking for something where, when I see the students' devices on the network, I am able to block them by MAC address.
Also, I would like to block websites such as Facebook, porn, etc.

Thanks in advance for your help.
Question by:MVGtechnology

Expert Comment

ID: 39653421
Use http://www.opendns.com/ to block all content types you want (it's free).  You can set that up on your router/firewall.

Any of the higher-end Netgear or Linksys wireless routers can block MAC addresses.  If you have a decent budget to work with I would highly recommend going with a more industrial solution like Aerohive or Ruckus.
LVL 44

Expert Comment

ID: 39653486
What brand/model[s] of APs are you running now?
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 1000 total points
ID: 39653495
Examine the objectives.  
- You started on this path because the internet connection was "slow".
- Then you discovered users that had been OK up to that point but, now that you know, you've decided to do something about them.  Part of this is to let them continue to connect??
- What good is porn filtering if the MAC addresses are blocked?  (I'm not suggesting there is none).

At this point it appears that you intend to continue to allow the traffic (within some limits) and somehow expect the speed to improve.  How is that going to happen?

So, the first decision should be to either stop the traffic or not.
If the decision is to stop the traffic then direct measures should be taken rather than peripheral measures like web site filtering (which admits the unwanted traffic WILL exist).

If the teachers are giving out the wireless passphrase then there's an employee discipline problem.  I would probably just shut off the wireless or the entire internet just before lunch whenever a rogue MAC address showed up.  Then explain that the password had been compromised and issue a new one.  That should be enough trouble to hamper the behavior.  You'd probably get some peer pressure going.... assuming you "package" your own behavior reasonably.  :-)

If you will allow the traffic, perhaps set up a "public" wireless network with QoS throttling and maybe web filtering.  
NOTE: Web filtering of a mainstream connection is a maintenance PITA.  Are you ready for that?  Yes, after a time it will settle down.  I have one in service now for 5 months with a new web filtering method and I'm still chasing requests for changes because some web site or service is needed and can't be accessed.  And that comes after rather careful planning of which categories would be permitted and blocked.  Thus, I would filter the public network only (if at all possible).  Then if things don't work for some it's "caveat user", i.e. too bad.

If you decide to stop the traffic then a MAC filter should be good enough for all except the most clever rogue users.  And, an IP filter might also be useful for this type of blocking.  It's a bit more work to set up reserved IP addresses per allowed MAC address and a bit of maintenance when computers change permanently in and out over time.  While wireless routers will do this, many wired routers won't.  So, having one that will might be useful if you want to do this.
LVL 17

Accepted Solution

BudDurland earned 1000 total points
ID: 39653642
You really should consider installing a firewall/router/proxy server.  When I worked in the school system, we deployed SmoothWall (open source version) http://www.smoothwall.org.  It's very easy to manage, has good community support, and will help you with all the issues you've mentioned.

At our school, we configured DHCP leases for the "approved" computers & devices.  These IP addresses were in a range that was allowed out to the internet (configured at the firewall/proxy).  Any others got a 'generic' IP address that did not get out to the world.  Sure, some really clever kid may eventually figure it out, but it'll be a while coming.
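An added example, not code from either poster: a sketch of the reserved-address scheme described in the two answers above, which builds per-MAC reservations, emits them as dnsmasq `dhcp-host`/`dhcp-range` lines, and audits observed (MAC, IP) pairs for devices sitting in the allowed range without a reservation. The two subnets, the MAC addresses, the lease time and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed address plan (constructed): the firewall/proxy lets ALLOWED out
# to the internet and drops GENERIC.
ALLOWED = ipaddress.ip_network("10.0.10.0/24")
GENERIC = ipaddress.ip_network("10.0.20.0/24")

def norm(mac):
    """Normalise a MAC to lower-case colon-separated form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_reservations(approved_macs, first_host=10):
    """Map each approved MAC to a fixed address in ALLOWED."""
    macs = sorted({norm(m) for m in approved_macs})
    if first_host + len(macs) > ALLOWED.num_addresses - 1:
        raise ValueError("allowed range too small for the approved list")
    return {m: ALLOWED.network_address + first_host + i for i, m in enumerate(macs)}

def dnsmasq_config(reservations):
    """Emit dnsmasq lines: fixed leases plus a generic pool for everyone else."""
    lines = [f"dhcp-host={m},{ip}" for m, ip in reservations.items()]
    hosts = list(GENERIC.hosts())
    lines.append(f"dhcp-range={hosts[9]},{hosts[-1]},1h")
    return "\n".join(lines)

def audit(reservations, observed):
    """Classify (mac, ip) pairs taken from an ARP table or lease file."""
    report = {}
    for mac, ip in observed:
        mac, ip = norm(mac), ipaddress.ip_address(ip)
        if reservations.get(mac) == ip:
            report[mac] = "approved"
        elif ip in ALLOWED:
            # No matching reservation: probably a hand-set static address.
            report[mac] = "unreserved-in-allowed-range"
        else:
            report[mac] = "generic"
    return report

APPROVED = ["00:11:22:33:44:55", "00-11-22-33-44-66"]  # constructed sample
OBSERVED = [("00:11:22:33:44:55", "10.0.10.10"), ("00:11:22:33:44:66", "10.0.10.11"),
            ("AA:BB:CC:00:00:01", "10.0.20.37"), ("AA:BB:CC:00:00:02", "10.0.10.50")]

if __name__ == "__main__":
    res = build_reservations(APPROVED)
    print(dnsmasq_config(res), audit(res, OBSERVED), sep="\n")
```

The audit only compares addresses against reservations, so a device presenting an approved MAC is still classified as approved.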

Expert Comment

ID: 39897149
You could consider a Squid proxy for caching of web content, and SquidGuard for content filtering based on categories.  Both are open source.

MAC address filtering may not be effective if you use network segmentation.

You could restrict internet access based on user agent string (i.e., limit what types of browser access the internet).
