
List:       pfsense-support
Subject:    [pfSense Support] Wireless segregation and integration question
From:       Tim Dressel <tjdressel () gmail ! com>
Date:       2009-03-31 3:32:53
Message-ID: 2cc231d90903302032u69f77c86t1c93846403aaccbd () mail ! gmail ! com

Hi folks,

I have inherited about a dozen schools with internet connections
between 2Mbit and 10Mbit. Each school has a pfSense box (standard PC,
hard disk, 1GB RAM, 3 NICs).

Each pfSense is configured as WAN, LAN, and OPT1, where OPT1 has
several unsecured access points connected to provide wireless service.
OPT1 is configured with the Captive Portal, which authenticates to a
school-specific RADIUS server hosting account information just for
that school's users. Most resources are located on the LAN (a handful
of printers, a few NAS boxes, etc.), and for devices that regularly
need wireless access, a MAC address entry is entered on the Captive
Portal so those users can bypass it on a regular basis (say, a teacher
who lives in a laptop). For students who need wireless, we force them
to authenticate to the Captive Portal. OPT1 (once authenticated or with
a MAC entry) has access to the LAN and to the WAN over those wide-open
access points.

I need to deploy a network operating system, so I need to tie together
all schools with site-to-site VPN. No big deal; I've already put a few
together on the bench.

What I would like to have is centralized control of wireless at each
site, and for wireless entering the wired network I would like at
least some VPN functionality. Because there are several teachers and
administrators who regularly move from school to school, the way we
are set up right now we have to make individual MAC entries on each of
the Captive Portals at each of the schools they might visit. This is
labor intensive and seems kind of lame.

I tried setting up an entire second, parallel set of pfSense boxes,
did a site-to-site for all the wireless traffic, and then had a
single captive portal at one end of the chain of pfSense boxen. This
addressed the single point to control the MAC entries over the entire
district. But then, to VPN across to the wired network, I would need to
set up OpenVPN connections on every wireless device. Using
OpenVPN is a bit of a pain (say 100+ devices). I was thinking about
using PPTP and doing authentication against AD using IAS, which would
make it easier (i.e. no VPN client install, just use the built-in
Windows VPN dialer), but then all traffic would have to be routed
across those site-to-site links to the point where the actual VPN
connection was physically being made. Keeping in mind that some schools
are only on 2Mbit circuits, this could be a pretty terrible end-user
experience depending on which school you were physically located in.

Tonight I was thinking about the possibility of leaving the MAC
address entries at each school's firewall, and then scripting the MAC
address entries out to each firewall. This way the clients could VPN in
at the school they were physically located in, and access the local
network resources at close to native wireless speed.

So my questions are:

1. Can you script copying the MACs across multiple pfSense boxes from
any location (assuming it is done from the wired side of any of the
site-to-site VPN'd links)?

2. Is there a better way for me to achieve a uniform wireless
experience with centralized administrative control?

3. The only reason I'm considering PPTP is the pain it is to generate
OpenVPN keys... is there an easier way to deal with road warriors
(like Zerina for IPCop)?

4. I've read a bit about CARP, but it seems to be mostly related to
multi-WAN... any chance CARP might fit into this solution?

Thanks very much for reading this!

With kindest regards,

Tim

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe@pfsense.com
For additional commands, e-mail: support-help@pfsense.com

Commercial support available - https://portal.pfsense.org
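On question 1 (scripting the Captive Portal MAC entries out to every school's firewall): the following is an added example, written for this thread, not code from the original post or from the pfSense project. It merges a district-wide roster of bypass MACs into a pfSense config.xml and reports exactly which entries it added, so the same roster can be pushed to every site on every run without duplicating entries and the additions form an audit trail. It assumes the pfSense 1.2-era config.xml layout (captive portal settings under `<captiveportal>`, each bypass a `<passthrumac>` element holding `<mac>` and `<descr>`); the sample config, roster, hostnames and file paths are constructed for the example. Keep in mind that a MAC passthrough is a bypass any client can spoof by cloning the address, so the roster deserves the same change control as a firewall rule.

```python
"""Merge Captive Portal MAC pass-through entries into a pfSense config.xml.

Added example for the question above; it is not code from the original post
or from the pfSense project. It assumes (not verified against any specific
release) the pfSense 1.2-era config.xml layout: captive portal settings live
under <captiveportal>, and each bypass is a <passthrumac> element holding
<mac> and <descr>. Hostnames, paths and the sample data are constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55 and
    return the lowercase colon form; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    out = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(out):
        raise ValueError(f"not a MAC address: {mac!r}")
    return out


def parse_roster(text: str) -> dict:
    """Parse the district roster: one 'mac,description' per line, '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, _, descr = line.partition(",")
        entries[normalize_mac(mac)] = descr.strip() or "roster entry"
    return entries


def merge_passthru_macs(config_xml: str, entries: dict) -> tuple:
    """Return (new_config_xml, list_of_macs_added).

    Idempotent: a MAC already present under <captiveportal> is left untouched,
    so pushing the same roster to every site on every run only ever adds the
    missing entries, and the returned list records what changed at that site.
    """
    root = ET.fromstring(config_xml)
    cp = root.find("captiveportal")
    if cp is None:
        raise ValueError("config.xml has no <captiveportal> section")
    present = set()
    for pt in cp.findall("passthrumac"):
        mac = pt.findtext("mac")
        if mac:
            present.add(normalize_mac(mac))
    added = []
    for mac in sorted(entries):
        if mac in present:
            continue
        pt = ET.SubElement(cp, "passthrumac")
        ET.SubElement(pt, "mac").text = mac
        ET.SubElement(pt, "descr").text = entries[mac]
        present.add(mac)
        added.append(mac)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0"?>\n' + body + "\n", added


# Constructed sample of one school firewall's config.xml, trimmed to the
# section this script touches; one teacher laptop is already bypassed.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>school01-fw</hostname></system>
  <captiveportal>
    <enable/>
    <interface>opt1</interface>
    <passthrumac>
      <mac>00:11:22:33:44:55</mac>
      <descr>teacher laptop, school 01</descr>
    </passthrumac>
  </captiveportal>
</pfsense>
"""

# Constructed district-wide roster of roaming staff devices.
SAMPLE_ROSTER = """# mac,description
00-11-22-33-44-55,teacher laptop, school 01
AA:BB:CC:DD:EE:01,roaming admin laptop
aabb.ccdd.ee02,roaming teacher laptop
"""

if __name__ == "__main__":
    # usage: merge_passthru.py config.xml roster.txt > config.new.xml
    if len(sys.argv) == 3:
        cfg = open(sys.argv[1]).read()
        roster = open(sys.argv[2]).read()
    else:
        cfg, roster = SAMPLE_CONFIG, SAMPLE_ROSTER
    new_cfg, added = merge_passthru_macs(cfg, parse_roster(roster))
    sys.stdout.write(new_cfg)
    sys.stderr.write("added %d entries: %s\n" % (len(added), ", ".join(added)))
```

Run it per site from the wired side of the site-to-site links: copy each firewall's config.xml off the box (over SSH; on pfSense of this era the live file is /cf/conf/config.xml, which is an assumption to confirm on your installs), merge, copy the result back, and then reload the captive portal from the web GUI so the new passthrough entries take effect. pfSense caches the parsed config, so after an out-of-band edit the cached copy (/tmp/config.cache, again an assumption to confirm for your version) has to be cleared or the GUI will keep showing the old list. Log the per-site `added` output centrally: it is the only record of which bypasses exist where.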

