Author Topic: [SOLVED] bandwidth management and filters: what to use, firewall or proxy

highjo

Hello All,

Sorry for this trivial kind of question, newbie here. I must admit that Zentyal made me understand certain parts of networking easily and made me achieve lots of things faster than I thought, and kudos for that. However, what is left for me to do is something I feel I lack information and knowledge about.

I would like to have 30k bandwidth for all machines connected to Zentyal and allow 2 or 3 machines full access to any site besides porn sites (porn blocked 24/7). The rest of the machines would have social networking and video streaming available only from 12 PM to 1 PM and from 7 PM to the following 8 AM, and porn blocked 24/7.

I thought I should have 2 objects, say "full_access_group" and "partial_access_group". When adding the objects by IP address I realized that since I enabled the Zentyal DHCP server, IPs can change, so I will need the DHCP to always give the same IPs to the same machines. My questions are summarised below:

Question 1: How to set bandwidth to 30k for all devices connecting to Zentyal

Question 2: How to apply filters on connections for the time ranges explained earlier

Question 3: How to configure DHCP to always give the same IPs to the same devices

Question 4: I am currently using a wireless router for the internal network where the DHCP functionality is disabled and forwarded to the Zentyal PC IP. If I change the wifi router to a switch, do I have to do anything on the switch for the connected devices to find the Zentyal DHCP server?

Thanks for reading this and for helping out :D
« Last Edit: October 18, 2013, 05:32:16 pm by highjo »

robb

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #1 on: October 14, 2013, 09:20:46 am »
-> moved to Server section

BrettonWoods

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #2 on: October 14, 2013, 09:23:46 am »
Firstly, with the title, the answer is both, as you will find that the proxy for HTTP and HTTP filtering is the place to go.

Then you have all the protocols and applications that might be direct.

If you want static IPs then it's a matter of defining them as network objects with MAC addresses so that the DHCP will hand out static addresses.

I would love to be able to apply traffic rules by VLAN or subnet; actually you can, in a way.
It's how you plan your network objects.

With the router, just plug and play.
« Last Edit: October 14, 2013, 09:28:31 am by BrettonWoods »

highjo

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #3 on: October 14, 2013, 09:34:42 am »
Apologies for posting in the wrong sub-forum. Sorry.

Hi BrettonWoods, the thing is my IP range is from 100 to 254. It's not like I wanted static IPs per se. I have static IPs for servers only and they are below 100. I was just wondering how it can be done with Zentyal, because there was a Windows Server 2008 attempt at the same thing I am trying to achieve by someone else (temporarily). The DHCP server on Windows always gives the same IPs to all machines not having static IPs.

I am not sure I understood the quoted part below.
 
Quote
I would love to be able to apply traffic rules by vlan of subnet put vanilla Zentyal you can't.

Thanks for this blazing fast answer

BrettonWoods

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #4 on: October 14, 2013, 09:43:31 am »
If you have it set up right with dedicated switches or VLANs then you can create different object groups.

I have never done it and you would have to provide routing or bridges so that each subnet or vlan could talk to each other.

Because you can set policies via network objects, objects that are on switch 1 get treated in a different way than objects on switch 2.

VLANs are probably easier to work with.

That way you wouldn't have to define all the MAC addresses and management could take place at the patch panel.

Christian is more up on the networking as I am saying it could be done but have not myself.
« Last Edit: October 14, 2013, 11:35:00 am by BrettonWoods »

robb

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #5 on: October 14, 2013, 09:44:07 am »
You can simulate static IPs by extending DHCP lease times to <pick a VERY long time>.
Or do it as you would do it on a Windows DHCP server: bind MAC address to an IP address. Once you have all devices listed, the work should be manageable.
The Zentyal way would be to create network objects and add them as reservations in DHCP.

VLANs (or separate physical switches) will need multiple internal interfaces and introduce extra routing, but you will be certain that a device will be in a specific VLAN. However, wireless clients will be another challenge to maintain.
« Last Edit: October 14, 2013, 09:49:20 am by robb »

christian

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #6 on: October 14, 2013, 09:54:58 am »
I was just wondering how it can be done with Zentyal, because there was a Windows Server 2008 attempt at the same thing I am trying to achieve by someone else (temporarily). The DHCP server on Windows always gives the same IPs to all machines not having static IPs.

I'm not 100% sure I understand what you mean, but it looks like there is an urban legend these days that makes people think that the Microsoft DHCP server is both dynamic and static at the same time, always allocating the same IP to machines. What an improvement  ;D ;D

This doesn't exist (AFAIK).

As described in the DHCP protocol (have a look at this RFC and pay attention to T1 & T2), at 50% of the lease duration the client will contact the DHCP server and extend its lease, which means that unless the lease has already expired (very unlikely at 50% of the duration  ;)) every client, whatever the DHCP server brand, will keep its already acquired IP address.

My $0.02

christian

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #7 on: October 14, 2013, 10:05:57 am »
I would like to have 30k bandwidth for all machines connected to Zentyal and allow 2 or 3 machines full access to any site besides porn sites (porn blocked 24/7). The rest of the machines would have social networking and video streaming available only from 12 PM to 1 PM and from 7 PM to the following 8 AM, and porn blocked 24/7.

I thought I should have 2 objects, say "full_access_group" and "partial_access_group". When adding the objects by IP address I realized that since I enabled the Zentyal DHCP server, IPs can change, so I will need the DHCP to always give the same IPs to the same machines. My questions are summarised below:

Bandwidth management and HTTP content filtering are 2 different concepts. You may apply both or only one, but these are not linked (although both are exposed through the "HTTP proxy" interface).

If, for some reason, you want DHCP to always allocate the same address to the same machine, the only way is to "reserve" an IP per MAC address using a network object group.

Quote
Question 1: How to set bandwidth to 30k for all connecting device to zentyal
Reading and applying this.

Quote
Question 2: How to apply filters on connection for the range to time explained earlier
Reading and applying this and this.

Quote
Question 3: How to configure DHCP to always give the same IPs to the same devices
Reading and applying this.


Quote
Question 4: I am currently using a Wireless Router for the internal network where I DHCP functionality is disabled and forwarded to zentyal PC IP. if I change the wifi router to a switch do I have to do anything on the switch for the devices connected to find the zentyal DHCP server?
1 - If you change the wifi access point for a switch, how will wifi devices connect?
2 - Switches are (most of the time) unmanaged. You can see one as a panel connecting cables (unless you start dealing with VLANs or other very specific stuff).

robb

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #8 on: October 14, 2013, 10:06:54 am »
[picky mode] IP addresses stay the same unless there comes a new device and there is not an unassigned IP address in the pool available[/picky mode]

explanation:
suppose you have a pool of 5 IPs and set a lease time of... 1 month
first device that connects gets IP 1
5th device that connects gets IP 5

Next day, all 5 devices connect again but not in the same order. They still get the same IP address since DHCP has a lease time of 1 month and the MAC addresses from the day before are still stored in the DHCP table.

Day 3, a 6th device tries to connect while none of the others are connected: the device gets IP 1 since not all IPs are active. The 4 other devices can connect and will be provided _if possible_ their previous IP, with a max of 5 devices total.
« Last Edit: October 14, 2013, 10:13:31 am by robb »

christian

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #9 on: October 14, 2013, 10:10:22 am »
Very good point + you're perfectly right.

Valid lease but disconnected device + DHCP pool fully "allocated" will end up with IP address change.
This is not nitpicking but accuracy  8)  My fault for having been lazy  :-[ :-[ and thank you for maintaining clever reading  :-*
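The lease behaviour christian (reply #6, T1/T2 renewal) and robb (reply #8, the 5-address pool with a 6th device) describe above, as an added example that is not from the original thread nor from Zentyal or ISC dhcpd. It is a toy pool model: a client that still holds a binding keeps its address and has the lease extended; a new client gets a free address if there is one and otherwise takes the address of the client that has been silent longest, even though that lease is still valid. `client_state` gives the RFC 2131 client phases (T1 at 50% and T2 at 87.5% of the lease by default). Addresses, MACs and timings are constructed; real servers differ in whether and when they reclaim an unexpired lease.

```python
"""Toy DHCP pool reproducing the lease behaviour discussed in the thread.

Constructed example, not Zentyal or ISC dhcpd code. Times are seconds;
addresses and MACs are made up.
"""
from dataclasses import dataclass

DAY = 86400


@dataclass
class Lease:
    mac: str
    ip: str
    start: float
    expiry: float
    last_seen: float  # last DISCOVER/REQUEST from this client


def client_state(lease, now, t1_frac=0.5, t2_frac=0.875):
    """Phase of an RFC 2131 client at time `now`.

    Before T1 the client is simply bound; from T1 (default 50%) it unicasts a
    renewal to the server that gave the lease; from T2 (default 87.5%) it
    broadcasts to any server; once the lease has expired it must start over
    with DISCOVER.
    """
    elapsed = now - lease.start
    length = lease.expiry - lease.start
    if elapsed >= length:
        return "init"
    if elapsed >= t2_frac * length:
        return "rebinding"
    if elapsed >= t1_frac * length:
        return "renewing"
    return "bound"


class DhcpPool:
    def __init__(self, addresses, lease_time):
        self.free = list(addresses)
        self.lease_time = lease_time
        self.by_mac = {}
        self.by_ip = {}

    def _drop(self, lease):
        del self.by_mac[lease.mac]
        del self.by_ip[lease.ip]
        self.free.append(lease.ip)

    def _expire(self, now):
        for lease in list(self.by_ip.values()):
            if lease.expiry <= now:
                self._drop(lease)

    def request(self, mac, now):
        """Handle a DISCOVER/REQUEST from `mac`; return the address offered."""
        self._expire(now)
        lease = self.by_mac.get(mac)
        if lease is not None:
            # Renewal, or a returning client whose lease has not expired: it
            # keeps its address and the lease is extended from now. This is
            # why a very long lease behaves almost like a static assignment.
            lease.start, lease.expiry, lease.last_seen = now, now + self.lease_time, now
            return lease.ip
        if self.free:
            ip = self.free.pop(0)
        else:
            # Pool exhausted: take the address whose client has been silent
            # longest, although its lease is still valid (robb's day-3 case).
            victim = min(self.by_ip.values(), key=lambda l: l.last_seen)
            self._drop(victim)
            ip = self.free.pop()  # the address just reclaimed
        lease = Lease(mac, ip, now, now + self.lease_time, now)
        self.by_mac[mac] = lease
        self.by_ip[ip] = lease
        return ip


def scenario():
    """robb's pool: 5 addresses, 1-month lease, 6 devices."""
    pool = DhcpPool([f"192.168.1.{i}" for i in range(1, 6)], lease_time=30 * DAY)
    macs = [f"02:00:00:00:00:0{i}" for i in range(1, 6)]
    day1 = {m: pool.request(m, i * 60) for i, m in enumerate(macs)}
    # Day 2: the same devices in reverse order; every one keeps its address.
    day2 = {m: pool.request(m, DAY + i * 60) for i, m in enumerate(reversed(macs))}
    # Day 3: a sixth device while the other five are switched off.
    newcomer_ip = pool.request("02:00:00:00:00:06", 2 * DAY)
    displaced = next(m for m, ip in day2.items() if ip == newcomer_ip)
    # The displaced device comes back later that day and gets a different
    # address, taken from the next-quietest client.
    returning_ip = pool.request(displaced, 2 * DAY + 3600)
    return {"day1": day1, "day2": day2, "newcomer_ip": newcomer_ip,
            "displaced": displaced, "returning_ip": returning_ip}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Run it and compare `day1` with `day2`: they are identical, which is christian's point that clients renew and keep their address; `returning_ip` differs from the displaced device's old address, which is robb's correction that a full pool plus an absent client ends in an address change. Only a MAC reservation (or a static address) removes that last case.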

BrettonWoods

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #10 on: October 14, 2013, 12:15:45 pm »
I was trying to keep things in a similar mode to my mind which is unfortunately simple.

A lot of the Zentyal network management involves the usage of network objects.
The simplest is a single declared IP with its partnering MAC address.

It's a bit of a catch-22 scenario when it comes to simple minds and lazy sysadmins such as this one.

If I don't want to do it by defining MAC addresses then there is the next level of ranges or scopes.

The next level of object is a network scope where you don't assign all the MACs.
So either you have a separate NIC interface with its own DHCP and own subnet, and the network object is that range.
You have one of these for each specific network object range.

It's sort of plug-and-play range grouping at the patch panel, where your patching will result in different network access rights.

Probably the easiest way is to get a VLAN-capable switch; that way you can use a single NIC but segregate by VLAN.
Each VLAN has a DHCP server scope and its own subnet and its own network object range.

That bit is fairly easy, as you can have several network object ranges for which Zentyal can apply various rules in various modules.

Then you need to start thinking of shared resources, and back at the server apply the routing to get these subnets to talk to each other.

Being simple I have never tried it out, but keep meaning to, as it does allow much control over the network based on the owner of a desktop.

I have to say I wish Zentyal had a further level of abstraction from IP to users and groups, as maybe this would make things more digestible for my simple brain.

If your wireless router or LAN is connected to a VLAN-compatible switch all should work, as it's the switch that will do all the clever work.

So really I would say use VLANs and the switch manufacturer's software for grouping and aggregation. I have a lovely Cisco 2970 Catalyst and from experience, 3Com are much easier to use. Maybe one day when I am suicidally bored I might read the Cisco documentation and do it. :)

There are ways to do it without a VLAN-capable switch and I guess you could virtualise http://openvswitch.org/ and as long as you have the NIC logistics correct it should work.

« Last Edit: October 14, 2013, 01:02:31 pm by BrettonWoods »

highjo

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #11 on: October 15, 2013, 01:07:47 pm »
Thanks so much for all the insight exposed here. Sorry I had to step out yesterday and couldn't find time to access the forum. Honestly I was delighted reading each of the posters' opinions, and all the information exchanged here is just like a tutorial for me. This community is really knowledgeable and warm. I am glad I chose Zentyal for my first trial to replace Windows Server. I will read the links suggested by Christian and report back on how it goes for me.

Thanks for all the input

highjo

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #12 on: October 16, 2013, 10:08:51 pm »
Hello Good People.

Let me bother you a little again.

About Question 1: what does "Maximum unlimited size per client" mean?

About Question 3: I have a developers object whose members are added using both IP and MAC addresses. Supposing I have 4 PCs, I have added the IPs 101, 102, 103, 104. Now in DHCP > Interface (eth1) > Configuration, in the Fixed address section I have chosen the object "developers". Because I needed to copy their MAC addresses, I initially set the range from 150 to 254 so they were getting IPs above 150. After adding the members to the developers object, I set the range from 100 to 254. I applied the change and restarted the client (Linux) network-manager service, but the machines didn't get the IPs I thought would be attached to their MAC addresses.

Is there anything I am doing wrong?

Question 4: In response to Christian, I wanted to use the wifi as an access point (AP) and pick up the connection from the switch, which would then be connected to Zentyal on the internal network interface. Apparently that didn't work, so I put the wifi (still acting as AP) back into the internal network interface and put the switch into the wifi port (using it as a switch). It looks like this: internal network machines > switch > switch (wifi) > Zentyal > (2 ISP gateways) > internet. This seems to work but I don't know yet the implications on speed etc.


Thanks very much in advance

BrettonWoods

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #13 on: October 16, 2013, 11:13:21 pm »
Question 1: is that the proxy?

That means the max file size in one download, if I remember correctly.

Its always easier when you are in front of a working machine.

Question 3

Static IPs need to be out of the range of the DHCP scopes. Fell for that one myself until Christian told me.

Question 4.
I am just back from the pub :) think I might have to wait to answer it.

But at first glance, not that much.
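A check for the reservation problem in highjo's question 3 and BrettonWoods' answer (reservations 101-104 sitting inside the 100-254 dynamic range), as an added example that is not from the thread and not Zentyal's own code. Zentyal's DHCP module generates an ISC dhcpd configuration, so the constructed sample below is written in dhcpd syntax; the host names, MACs and addresses are made up. The script parses `subnet`/`range` and `host` declarations and reports reservations that fall inside a dynamic range, addresses outside every declared subnet, malformed MACs, and one MAC reserved twice.

```python
"""Sanity-check DHCP reservations against the dynamic range.

Constructed example, not Zentyal code. The sample configuration is in ISC
dhcpd syntax; names, MACs and addresses are invented for illustration.
"""
import ipaddress
import re

SAMPLE_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.254;
    option routers 192.168.1.1;
}
host dev01 { hardware ethernet 02:00:00:00:00:01; fixed-address 192.168.1.101; }
host dev02 { hardware ethernet 02:00:00:00:00:02; fixed-address 192.168.1.20; }
host dev03 { hardware ethernet 02:00:00:00:00:01; fixed-address 192.168.1.21; }
host dev04 { hardware ethernet 02-00-00-00-00-04; fixed-address 10.0.0.5; }
"""

SUBNET_RE = re.compile(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+);")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([^;]+);")
FIXED_RE = re.compile(r"fixed-address\s+([^;]+);")
VALID_MAC = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_conf(conf):
    """Return ([(network, [(range_lo, range_hi), ...])], [(name, mac, fixed_ip)])."""
    subnets = []
    for net, mask, body in SUBNET_RE.findall(conf):
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                  for lo, hi in RANGE_RE.findall(body)]
        subnets.append((network, ranges))
    hosts = []
    for name, body in HOST_RE.findall(conf):
        mac = MAC_RE.search(body)
        fixed = FIXED_RE.search(body)
        hosts.append((name,
                      mac.group(1).strip().lower() if mac else None,
                      fixed.group(1).strip() if fixed else None))
    return subnets, hosts


def check(conf):
    """List the reservations that will not behave as a static assignment."""
    subnets, hosts = parse_conf(conf)
    findings = []
    seen = {}  # mac -> host name that already reserved it
    for name, mac, fixed in hosts:
        if mac is None or not VALID_MAC.match(mac):
            findings.append(f"{name}: missing or malformed MAC {mac!r}")
        elif mac in seen:
            findings.append(f"{name}: MAC {mac} is already reserved for {seen[mac]}")
        else:
            seen[mac] = name
        if fixed is None:
            findings.append(f"{name}: no fixed-address")
            continue
        ip = ipaddress.ip_address(fixed)
        if not any(ip in net for net, _ in subnets):
            findings.append(f"{name}: {ip} is not inside any declared subnet")
            continue
        for _, ranges in subnets:
            for lo, hi in ranges:
                if lo <= ip <= hi:
                    # dhcpd does not carve reservations out of a range, so the
                    # same address can also be leased dynamically to a stranger.
                    findings.append(f"{name}: {ip} lies inside dynamic range "
                                    f"{lo}-{hi}; move the reservation outside it")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONF):
        print(line)
```

On the sample this flags dev01 (address inside the range), dev03 (same MAC as dev01), and dev04 twice (dashed MAC, address in a foreign subnet). A second thing to check on the client side once the reservations are outside the range: a machine that still holds a valid dynamic lease will simply renew it at T1, as christian explained, so it will not pick up the reservation until it releases the lease and sends a fresh DISCOVER.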

highjo

Re: bandwidth management and filters: what to use, firewall or proxy
« Reply #14 on: October 18, 2013, 05:31:46 pm »
Hello, most of my concerns are being answered here. There could be a lot more discussion about question 4, or about what I did, which doesn't look so conventional to me, but as long as everything is working, I am cool. Special thanks to Christian and BrettonWoods.