Re: [squid-users] Slightly OT: Configuring a router for Squid.

From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo_at_gmail.com>
Date: Wed, 5 May 2010 22:08:27 -0430

Ok.

What I understood:

1. You are using the same Wireless link for both: your office and your
guests <--- if so, that's a bad idea.
2. You have no Domain Controller on your network.
3. You have no DNS on your network.
4. You need to implement access restrictions for your internal network,
but not for your guests (so, you have an "open wireless AP" that is
used for your customers).

I would suggest:

Internet ---- DLink ADSL router ------ Linux box with 2 network cards
------- Your internal network ------ maybe a second wireless ap.

This way, you will allow your guests to access Internet (direct), but
not to your internal network (which is always a bad idea: virus and
stuff). Also, you will be able to enforce access restrictions for
your internal network. The "second wireless ap" is needed only if you
need wireless access to your internal network, and that one should, at
least, have WPA2-PSK with a long key, and that key should be changed
at least once every two months, and ideally should be configured with
WPA2 with RADIUS.

In the Linux box you put:

+ Squid.
+ Linux firewall.
+ DHCP
+ Internal DNS
+ Web server for wpad.

Maybe, other interesting services for your internal network, but that
would be really off-topic. This is not the only option, there are
several others, but I find this one more "secure", because it
separates your guests from your internal network.

I hope this helps,

Ildefonso Camargo

On Wed, May 5, 2010 at 1:14 PM, Dave Coventry <dgcoventry_at_gmail.com> wrote:
> Thanks for the help, Jose.
>
> On 5 May 2010 18:46, Jose Ildefonso Camargo Tolosa
> <ildefonso.camargo_at_gmail.com> wrote:
>> Ok, so, you could, in theory, add an internal DNS zone, right?
>> (because it doesn't currently exist).  Now, an off-topic question:
>> do you have a "domain" on your network, or just have a "workgroup"
>> (I'm assuming you have Windows computers for your staff).
>
> Yes. I'm sure I can set up the DNS on the Debian box.
>
> I'm not sure what a Domain is, but, yes, I have a windows 'Workgroup'.
> All computers (except mine) are windows machines. There is a chance
> that the Guest computers might have Linux (or Mac), but I would
> imagine that the bulk would be Windows.
>
>> Ok, guests=clients ie, persons not part of the company, right?
>
> Correct.
>
>> Yeah, all the bosses like their gadgets........
>  :)
>
Received on Thu May 06 2010 - 02:38:35 MDT
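
A firewall ruleset for the dual-homed Linux box in the layout suggested above, added here as an illustration; it is not part of the original message. The interface names (eth0 facing the DLink router and the guest AP, eth1 facing the internal network), the 192.168.10.0/24 subnet, the choice of nftables, and an IPv4-only LAN are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Assumed names: eth0 = DLink/guest side, eth1 = internal LAN (hypothetical).
flush ruleset

define WAN_IF  = "eth0"
define LAN_IF  = "eth1"
define LAN_NET = 192.168.10.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # DHCP requests arrive from 0.0.0.0, so match on interface only.
        iifname $LAN_IF udp dport 67 accept

        # Internal DNS, the WPAD web server (80) and Squid (3128, its default port).
        iifname $LAN_IF ip saddr $LAN_NET udp dport 53 accept
        iifname $LAN_IF ip saddr $LAN_NET tcp dport { 53, 80, 3128 } accept

        # Nothing is accepted from $WAN_IF: guests behind the DLink router
        # cannot open connections to this box or to any service on it.
        # Add a rule for remote administration from the LAN if you need one.
    }

    chain forward {
        # No routing between the two cards. Guests cannot reach the internal
        # network, and internal clients cannot bypass Squid to reach the Internet.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Squid and the local resolver originate their own outbound connections.
        type filter hook output priority 0; policy accept;
    }
}
```

With forwarding dropped, only traffic that Squid proxies leaves the internal network, so any other protocol the office needs would require its own explicit forward rule.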
