[OPLINTECH] Changing the libraries wireless

Chad Neeper cneeper at level9networks.com
Fri Apr 11 16:10:08 EDT 2014


I use the network perimeter firewall to isolate each network segment from
the others. One segment each for:
WAN (OPLIN-provided)
LAN1 (library-owned staff computers)
LAN2 (library-owned patron computers)
WLAN (wireless access points for transient WiFi devices)
DMZ (for any on-site web servers)

I assign a full class C (/24) subnet to each network segment. Example:
WAN:  (OPLIN-provided IP address(es) )
LAN1:  10.30.1.x
LAN2:  10.30.2.x
WLAN:  10.30.3.x
DMZ:   10.30.4.x

By default there is no communication between the segments. Any necessary
communication between segments is handled at the firewall with
rules/exceptions.

This also facilitates a common point for HTTP caching and content controls
(filtering). The network perimeter firewall transparently redirects all
outbound HTTP requests through the content filter (DansGuardian) and then
to the HTTP cache (Squid) to locally cache common content, including such
large bandwidth eaters as Windows Updates and other common updates from
other vendors. All network segments (except WAN and DMZ) benefit from the
transparent caching, so even John/Jane Doe bringing their laptop in to do
300 Microsoft Windows Updates will mostly pull from the cache rather than
sucking up half the library's Internet bandwidth.

Any captive portal you want to configure for the transient WLAN users, you
can just slip into place between your access points and the network
perimeter firewall. Or, with pfSense (the firewall I've been using lately),
there is a captive portal available in the firewall. I haven't tried it
yet, though, so can't yet speak to its
capabilities/limitations/effectiveness/etc.

Depending on the capabilities of your PIX or Zeroshell box, you could maybe
leverage either of them in a similar way. I don't know much about the PIX
and I don't know anything about Zeroshell, but a quick glance at its
(Zeroshell) feature list makes it look somewhat similar in capabilities to
pfSense or IPCop...or Smoothwall...or...(insert your favorite FOSS or
semi-FOSS firewall here). With the appropriate configuration, it could
probably handle the job.

HTH,
Chad

______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*
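
As an added illustration (not Chad's configuration, and not rules generated by pfSense), here is a hand-written pf.conf for a generic pf firewall that implements the layout described above: one /24 per segment, default deny between segments, explicit per-rule exceptions, NAT to the WAN, and transparent redirection of outbound HTTP into a DansGuardian-then-Squid chain. The interface names, the proxy port 8080, the DMZ web server address 10.30.4.10, and the staff-to-DMZ exception rule are assumptions for illustration only; pfSense expresses the same policy through its GUI and produces equivalent pf rules underneath.

```pf
# Added example, not from the original post: a hand-written pf.conf for a
# generic pf firewall (FreeBSD/pfSense style syntax). Interface names, the
# proxy port, the DMZ web server address and the staff-to-DMZ exception
# are assumptions for illustration.

# --- Interfaces (assumed names) ---
wan  = "em0"
lan1 = "em1"   # library-owned staff computers
lan2 = "em2"   # library-owned patron computers
wlan = "em3"   # access points for transient WiFi devices
dmz  = "em4"   # on-site web servers

# --- Segments (from the post: one /24 each) ---
lan1_net = "10.30.1.0/24"
lan2_net = "10.30.2.0/24"
wlan_net = "10.30.3.0/24"
dmz_net  = "10.30.4.0/24"
table <internal> const { 10.30.1.0/24, 10.30.2.0/24, 10.30.3.0/24, 10.30.4.0/24 }

# Assumptions: DansGuardian listens on the firewall at this port and
# forwards to Squid; the only DMZ host is a web server at 10.30.4.10.
proxy_port = "8080"
web_srv    = "10.30.4.10"

set skip on lo0

# --- Translation (must precede filter rules in this syntax) ---
# Hide every segment behind the WAN address on the way out.
nat on $wan from <internal> to any -> ($wan)

# Transparent proxy: outbound HTTP from the three client segments is sent
# to the content filter. HTTP to internal addresses (for example the DMZ
# web server) is left alone, and WAN/DMZ traffic is never redirected.
rdr pass on { $lan1 $lan2 $wlan } proto tcp from any to ! <internal> port 80 \
    -> 127.0.0.1 port $proxy_port

# Publish the DMZ web server on the WAN address.
rdr on $wan proto tcp from any to ($wan) port { 80 443 } -> $web_srv

# --- Filtering ---
# Default deny: with nothing else matching, no segment talks to any other.
block log all

# Housekeeping every segment needs from the firewall itself: DHCP and DNS.
pass in quick on { $lan1 $lan2 $wlan $dmz } inet proto udp from any port 68 to any port 67
pass in quick on { $lan1 $lan2 $wlan $dmz } inet proto { tcp udp } from any to self port 53

# Each segment may reach the Internet, meaning anything that is NOT another
# segment. The "! <internal>" clause is what keeps WLAN out of LAN1/LAN2.
pass in on $lan1 from $lan1_net to ! <internal>
pass in on $lan2 from $lan2_net to ! <internal>
pass in on $wlan from $wlan_net to ! <internal>
pass in on $dmz  from $dmz_net  to ! <internal>

# Inbound to the published web server (after rdr, the destination is $web_srv).
pass in on $wan proto tcp from any to $web_srv port { 80 443 }

# Cross-segment exceptions are explicit, one rule each. Assumed example:
# staff may reach the DMZ web server over HTTP(S) and SSH; nothing else crosses.
pass in on $lan1 proto tcp from $lan1_net to $web_srv port { 80 443 22 }

# Let packets that were accepted on ingress leave on their egress interface.
pass out all
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -f /etc/pf.conf` loads it. The `to ! <internal>` clause on each segment's pass rule is what enforces the isolation: a patron laptop at 10.30.3.50 can reach the Internet, but a connection attempt to a staff machine in 10.30.1.0/24 matches no pass rule and falls through to `block log all`. Whether anything crosses between segments is then decided only by the explicit exception rules, which is the same "rules/exceptions at the firewall" model described in the message.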


On Fri, Apr 11, 2014 at 2:43 PM, Fred Miller Jr. <millerfr at oplin.org> wrote:

> Good Afternoon,
>
> Wanted to reach out to other IT people on a new way of setting up our
> wireless.  I would like to know the best way to separate our traffic
> (wireless vs. internal). Right now we have a Cisco PIX box that needs to
> stay in place due to our ILS and a Linux program known as Zeroshell. Would
> like to get rid of the Zeroshell software, but still separate the traffic
> so patrons using wireless wouldn't be able to get into our internal
> network. Any kind of information will be helpful.
>
> *Fred Miller Jr*
>
> IT Service Manager
>
> Auglaize County Public District Library
>
> (419)738-2921 ext.1011
>
> millerfr at oplin.org
>
> *Visit our Library Website! <http://auglaize.oplin.org/>*
>
> _______________________________________________
> OPLINTECH mailing list
> OPLINTECH at lists.oplin.org
> http://lists.oplin.org/mailman/listinfo/oplintech
> Search: http://oplin.org/techsearch
>
>