I initially posted this over on networking@lemmy.ml, but that community is more dead than some of the animals in my freezer. So you may have seen it over there in the last few hours.
TLDR: While I know that the following will work, I’m looking for feedback on my proposed solution in regards to best practices and possibly an idea about establishing logging. If you think I’m way off target, then by all means tell me so and what you propose instead.
With all that said, I present you with the following wall of text, read at your own peril but thanks if you lend me the time to answer my post :-)
I have a classroom that doubles as a lab for my soon to be IT-supporters, devops, and operations specialist apprentices. My main subject is CCNA introduction to networking and some Windows Server configuration. And while I’ve been teaching for 10 years, I fear my real world IT experience has slipped.
The classroom is equipped with about 16 tables, and preferably a single student pr table – depending on the number of applications, some tables can host 2 students for the first month or two. So, the infrastructure must fit at least 32 students and a teacher.
Currently the setup is an extremely old cisco 1812 router running a NAT, and routing between the school’s network, and an internal classroom LAN. Each student has a /24 scope on a /16 net and is instructed to create their own LANs using SoHo-equipment. There’s no routing setup internally in the classroom, other than the students individual SoHo router/switch/AP.
It really is just a 1812 with a single fastethernet connection to a 24port 2950 (yes, that was a 5 not a 6 in there) and some extra switches daisy chained together to reach a row of tables going down the middle of the room.
We have a literal van-load of ancient cisco gear for use in our labs. This is also the gear we’re using for the current classroom infrastructure. It works, not great, but it gets the job done.
What is changing? We have arranged to have a public IPv4 routed to a gigabitethernet port in the classroom. That port will be the only wired link out of the room. There will be no change in the service on the school administered WLANs. They are still usable for staff and students, both with school administered equipment and BYOD.
While we do have a lot of gear, the newest bit of kit is some 1941 routers, that we got at auction and don’t have any service agreements on, so no updates for them – and we’re not switching to newer cisco gear for obvious reasons that rhyme with money, DNAC and supply chain woes. I don’t know about you, but I don’t really feel like exposing the existing equipment to the wild west of a the internet.
All this boils down to the following conclusions:
- I have to build something new and
- Most likely make a purchase recommendation for my admin.
Requirements:
- 33 clients must be able to connect to the internet.
- 33 clients must be able to connect to each other.
- All traffic going to and from the internet must be filtered.
- Filtering must be relatively simple to configure.
- Filtering must be able to stop the most common p2p-protocols and workarounds. I want to teach, not have to deal with DMCA letters all the time.
- Both external and internal traffic should be monitored and logged to help hunt down individuals that somehow bypass the filtering. Speed degradation is not too much of a concern – We can live with 100Mbps or less, if we can have metadata logged, but faster would be nice.
- Silent equipment would be nice to have, as it will most likely be positioned about a meter from my ear when sitting at the desk in the classroom, on account of the internet-connected port.
What I’m considering presently is a MikroTik solution consisting of
- 1x CCR2004-16G-2S+PC, running individual networks for 12 students and the teacher, as well as being the gateway out.
- 1x CRS326-24G-2S+IN, a managed L3 switch, which will route the remaining 20 student networks and connect to the CCR2004 with a 10G fiber.
- 2x S+85DLC03D, one in each of the above, and a bit of multimode LC-LC fiber.
All in all I’ve sourced this from a single vendor for about 700USD with a week’s lead time. But I’ve got nothing in regard to logging.
You know those moments where your own ignorance amazes you? That just happened to me. Of course, you’re right. I don’t care about individual packets, I care about logging connections. If I can show connections by each user coupled with some metadata like port numbers and dst IP address, then I will be able to investigate any complaints.
That may just have reduced the requirements of the rsyslog server, enough for shaving 30 or 50% off the cost of that machine.