Tag Archives: firewall

Mitigating Bandwidth Problems on a Budget

Some schools have it good. I toured ASDubai last year and saw their server room, where they aggregated 10 x 100Mbps internet lines to provide wicked fast service for their campus. I’ve heard that ASBombay has phenomenal internet.

The American International School of Bamako – located in the capital of one of the poorest countries in the world – is not quite there. We’ve got 2.5Mbps of bandwidth. But that doesn’t mean I’m not trying to create an environment where teachers can effortlessly integrate technology into learning.

Spoiler alert: we chose pfSense to provide firewall services, WAN aggregation, bandwidth throttling, and captive portal. The price? Gratis.

Since August, I’ve wanted to open up access to our network as much as possible to encourage students to bring their own devices. Our school is still using dedicated computer labs to give students access to technology. While we have a favorable ratio of computers to students, it’s still too hard for teachers to integrate technology into their practice when it’s a pull-out activity that requires transition time to and from the labs. The layout of the labs isn’t conducive to collaborative learning, either. The whole setup implies that technology is something that happens apart from everyday learning, not embedded in it.

At the same time, I faced very real constraints in the level of service I wanted to offer. Our school has 2.5Mbits of available bandwidth that we pay dearly for, and it’s very easy for just two small classes to consume that when doing web searches or any Web 2.0 activity; Google Drive is unusable. So I had to be creative in how I managed our limited resources.

I wanted to:

  • Manage access to the network. I wanted each student to be able to access the network, but not to abuse it by connecting two or more devices. I was concerned that the automatic updates and push notifications of smartphones and tablets would slow down everyone. At the same time, I wanted to prioritize internet access for the finance and front offices and teachers over that for students.
  • Manage bandwidth and enforce fair use policies. I wanted to prioritize Skype traffic (used by our director for interviews) over web browsing, which in turn should receive priority over p2p. I also wanted to make sure that one user couldn’t hog all the bandwidth with large downloads.
  • Improve reliability and speed.¬†With such limited bandwidth I wanted a robust caching solution. We had a bandwidth manager called NetEqualizer that very cleverly penalized the heaviest network users, but it sat between the squid proxy and the network, which meant that even cached downloads were throttled. Reversing the situation would remove the ability to enforce fair use policies, since all web traffic would look like it was coming from the proxy server. Furthermore, I needed to aggregate our two internet connections (a 2Mbit dedicated line and 512Kbps line) and load balance and ensure failover between them.
  • Minimize manual labor for the IT department. The Wifi system in place required us to manually register the MAC addresses of students and parents who wanted to get on the network. Even with a small user base it was cumbersome to register fill out paperwork, record the MAC, and register it with our firewall, and it was a process that wouldn’t scale well.

We looked at three solutions we felt were affordable:

  • IPCop (free)
  • Untangle (~$1500 annually for our user base)
  • pfSense (free)

We decided to implement pfSense since it met nearly all of our requirements. It was also free, compared to a lot of commercial appliances like NetEqualizer, Bluecoat, iBoss, and CyberRoam that run from $5000 to tens of thousands of dollars. Our new setup lets us:

  • Balance traffic between our two connections
  • Prioritize/block internet traffic the way we want, and block inappropriate sites. p2p is severely limited, and I could block it if I wanted
  • Guarantee Skype QoS so that the director can do Skype interviews even at peak hours
  • Throttle web traffic on a per-user basis to ensure fair use in a way that lets casual/research-based web browsing function normally while penalizing heavy downloaders

By December, it will also create an authenticated campus-wide Wifi network that lets students log on with their OpenDirectory credentials (limiting them to one device per person) and lets parents log in using a voucher system – even though our WiFi is basically a consumer-grade network with individually managed access points (although I’m working on fixing that, too).

More detail – almost step-by-step – after the break.

Continue reading Mitigating Bandwidth Problems on a Budget