Help with server for a non-profit school


(Mamo) #1

Hi,
I’m a volunteer for a elementary school. We have a very simple network configuration (a DMZ and a couple of internal subnets) provided by a Windows Server (routing and remote access services).
We’d like to move to Nethserver because:

  1. we’d like to avoid paying licenses (we are on a very short budget, it’s a non-profit school)
  2. we’d like to set some basic traffic shaping rules

We have an average internet connections and are using only cloud services for collaboration (Office 365), so I’d like to set all of the traffic toward Office365 as High Priority and limit the rest.
So the plan is setting Nethserver as transparent proxy but how to obtain the desired traffic shaping? As long as I’ve seen, I can’t set rule based on the destination address.

Please, any help very appreciated.
Mauro


Moving from office365 to NethServer at school
Building the Education Team
Moving from office365 to NethServer at school
(Artem Fedai) #2

Dear @tramamo Thanks for helping people, we really appreciate your contribution.

Here you can find some usefull information :
http://docs.nethserver.org/en/latest/firewall.html

BR


(Alessio Fattorini) #3

We have also many school experts here who can help you @apradoc @robb @rothere @syntaxerrormmm


(Rob Bosch) #4

Welcome to the nethserver community @tramamo. I hope you will not only find here a great project, but also a great community.
I have been involved with ict at a primary- and a secondary school. We have a few engaged educational orientated members in our community. Although my NS knowledge is still limited, i do have experience with several educational applications like Moodle, Chamilo, Xerte online Toolkits etc…
It would be awesome if we can create modules for educational applications. It could save you another BUNDLE on license fees.

Feel free to join the discussion and add suggestions.


(Alessio Fattorini) #5

15 posts were merged into an existing topic: Moving from office365 to NethServer at school


(Alessio Fattorini) #6

EDIT:
Topic has taken a slightly offtopic direction, I have splt it
@tramamo I keen to know if you have resolved your problem


(Mamo) #7

Thank you so much Ale, it was getting kind of a flame…
To be true, I don’t think that I can achive my objective.
I hoped I could set rules like “set www.myprivilegedurl.com as high priority”.

With the traffic shaping feature I can set a priority according protocols or source IP (neither so usefull in my case).

Anyway, thank you all.
Mauro


(Stéphane de Labrusse) #8

no … it is just a lively forum and personally I like the contradictory debates


(Rob Bosch) #9

@tramamo: this is exactly why the discussion was split off. Don’t feel personally attacked! That is by no means the intention.
Maybe the more experienced NS firewall guru’s can focus on your question and try to make your goal possible.
@Nas @Ctek any brilliant ideas?


(Bogdan Costin) #10

Hi Guys,
At the moment there is no option to prioritize the traffic depending on destination.
If you require this, you will probably need to have a box to do this QoS before NS red interface.
A small box with pfSense or OPNSense can do the trick.


Moving from office365 to NethServer at school
(Rob Bosch) #11

Just brainstorming a bit out loud. The goal is to make sure the office365 environment gets enough bandwidth so the experience for the enduser is that it works smoothly. The idea @tramamo came up with is by prioritizing the connection to office365. Would that be the only option to get to the goal?
Is the traffic towards office365 strictly http or https? Or are other protocols used? Then the protocol could get prioritized instead of the destination address.
Another option could be to create a site-site VPN and prioritize the traffic that goes through the VPN connection.

Any other bright ideas on this?


(Artem Fedai) #12

@robb
According http://shorewall.net/traffic_shaping.htm

We can gave specific Outgoinf IP range more priority than others. because ifyou gave all HTTP traffic high priority it would not be helpfull so much.

Our lovely @filippo_carletti he is a Shorewall Guru.
Please imlement in TrafficShaping#!TrafficShaping_Ip_create field for outgoing ip range.


(Rob Bosch) #13

Grazi @nas :wink:
I confess I have absolutely no clue about traffic shaping, but love to see and hear that others in this community do know what they are talking about.
I am the pragmatician in this: what I don’t know, I ask. And sometimes I don’t even know what I should ask for so start thinking out loud… maybe I come up with some clues that others can use to do the real work.
How I love brainstorm sessions… :smiley:


(Alessio Fattorini) #14

A post was merged into an existing topic: Moving from office365 to NethServer at school


Moving from office365 to NethServer at school
(Filippo Carletti) #15

@Nas, unfortunately we are using the simple traffic shaping which doesn’t support priority for destination:
http://shorewall.net/simple_traffic_shaping.html

Given that simple tc uses iptables MARKs we could try to build something as custom templates.

Or we could evaluate the idea of switching to complex traffic shaping.


(Rob Bosch) #16

@filippo_carletti How difficult would that be? And what would be the impact for endusers (=sysadmins)? Will the configuration get more complex?


(Mamo) #17

Now the discussion is getting awesome: lot of ideas and a problem solving attitude.
Sadly Office365 is strictly HTTP(S), so no luck with regards to prioritizing the TCP ports.
I hope some Shorewall black belt could shed some light.

Let me argument a little bit with regards to the O365 discussion: my full time job consists of managing a group of 15 sysadmins as IT Manager. I’m very experienced in Windows and most of Microsoft products but, since half of the colleagues I coordinate are Unix / Linux experts and all of our services run on heterogeneous systems, I appreciate both closed source with bold support policies and open source and community driven products.
I strive to pursue the correct balance between these two worlds avoiding fanboys prejudices and haters. My philosophy is “If you have more money than time, buy, if you have more time than money, make” and most of the open source solutions, to me, happen to fall in the latter category.
Just my two cents.


Moving from office365 to NethServer at school
(Artem Fedai) #18

I suppose we should, because as Zentyal became surcharge app , we need more flexibility to catch all Zentyal users. :smile:


(Mamo) #19

Maybe I’ve found something interesting.
The kind of shaping I’m looking for (URL based) is mostly a proxy feature and not a firewall feature.

I’ve read about Squid Delay Pools and the corresponding rules which may be based upon regex.
Here is an excerpt:
URL, keyword based bandwidth restriction
This will limit the bandwidth for the following keywords video.domain.com mail cricket
acl group1 url_regex -i video.domain.com mail cricke
delay_pools 1
delay_class 1 1
delay_parameters 1 32000/128000
delay_access 1 allow group1

The idea is to limiti all the sites except O365 ones or limiting specific sites (i.e. update.microsoft.com).
At the moment I’m on holiday and I have no access to my virtual lab. As soon as I’ll be back home I’ll give it a try.
If in the meanwhile anyone can add any thought, very appreciated.
Managing these settings through NS interface would be great.
Mauro


(Alessio Fattorini) #20

Ehi how are you? Did you give it a try?