From: Kurt Buff
To: freebsd-net@freebsd.org
Date: Wed, 6 Feb 2013 11:29:48 -0800
Subject: Guest network on corporate LAN - options for security

All,

If this isn't the right list for this, please let me know.

Quite some time ago, I set up an unsecured guest VLAN in our network, providing wireless access to all of the sundry devices that staff and visitors carry. I set up a small FreeBSD machine to serve IP addresses via DHCP, and that was dead simple.

However, there are now other tenants in our building, and the subnet is getting too much bandwidth and address consumption - the range I set up is completely filled, and the VLAN is consuming about half of our Internet pipe, which is far too much for my comfort. I suspect the other tenants are leeching.

Does anyone have ideas on how I can leverage that FreeBSD box to control this? It's not the firewall for the VLAN - it's simply a machine sitting on the subnet.

What I've read of captive portals seems to indicate that the portal is part of the firewall, which will not be the case here, as the corporate firewall will not be allowed to be part of this solution.

The only other alternative I see right now is to set up a password on the SSID, and have the front desk hand it out to guests, after mailing it to staff, and I'm getting pushback on that from my manager.

Thanks,

Kurt