Divide and rule!

[parasharenator]

Guys,am new to these forums.And need some help on optimising Internet Sharing.
Our hostel gets internet thru optical fibres laid between the Central Networking server and the gateway(in our hostel)
Due to excessive use of torrents ,Each user(of 100 so) has been restricted maximum 15 connections thru some software running on Windows XP SP3 Internet gateway(hostel server)
But this has a flipside..the maximum connections are independent of network usage.so in effect many connections sit idle..when few users are using the net.

Now My basic call is.
IS there any 'FREEWARE' software available on Windows Vista or XP which enables efficient usage of network(giving each user minimum 15 connections whenver he connections,and max would be depending on the no. of users accessing) for the Gateway.

P.S.-all conections are routed thru gateway as the proxy server

[bilbus]

are you use your not using ISA on server 2003?

What software are you using ... get the name and get back to us.

The best solution would to put in a box that blocks access to BT files via layer 7 filtering.

packeteer is one such brand

[parasharenator]

are you use your not using ISA on server 2003?

What software are you using ... get the name and get back to us.

The best solution would to put in a box that blocks access to BT files via layer 7 filtering.

packeteer is one such brand

DOn't want to block BT files...rather restrict it's throughput.
the filter used in the institute is something called sonic filter,,(that just blocks porn sites)
but the main thing is The proxy server software on the hostel gateway.
it caps max no. of connections per user to 15.
want some software which gives minimum 15 or so no of connections to each user when wants.But the proxy server software could also limit the bandwidth available to each user,and application wise restrictions,ability to override and provide grants(if bandwidth usage is less) ..etc.and various such features.

I dont know the proxy server software,coz anyway it's very ineffiecient. while am keying this Iam getting around 300-400KBPS of DL speed(torrents)
and even without the proxy settings,I can do all stuff(probably because my comp is connected thru the same hub(switch) onto which gateway also connects.

AND THIS causes the single threaded downloading speed to suck(browsing is slow,a bit) and am missing Xbox Live action!!!!!!

[YeOldeStonecat]

You'll have a problem managing connection speeds to each user...and a bigger problem finding a means to allow unrestrained full speeds to any user when all other traffic is busy.

IMO the best shot you have at this for a friendly budget (free) is a distro that is strong in QoS/Traffic Shaping features....PFSense. It's designed to run as your primary router, on a dedicated machine with 2x NICs.

You can cap certain types of traffic, so that other types of traffic are not impacted. You can cap a certain user in overall traffic also.

[bilbus]

I would not count on traffic shaper in pfsense to much, it detects my BT traffic as Edonkey, even when the BT que is empty.

I heard they are improving the shaper in V2.0

[YeOldeStonecat]

I never worry under what name it classifies that bad traffic..as long as it's deprioritized and important traffic is allowed to flow without impact.

[parasharenator]

ISA,,is microsoft's Internet Security & Acceleration (ISA) Server
and since it's M$ experiment,,,so I wont be using it,most probably
gone thru pfsense's URL,,it seemed pretty systematic..
HOW MUCH RAM would pfsense use thru VMWare(rite?) on a Windows XP/Windows 7 based server having 4GBs of RAM(would it be better to go for 64 bit OS,since it would be able to "USE" full 4GB of memory)
BTW when's version 2.0 of pfsense gonna hit???
IS packeteer free,,and which one's better...

[YeOldeStonecat]

I
HOW MUCH RAM would pfsense use thru VMWare(rite?) on a Windows XP/Windows 7 based server having 4GBs of RAM

PFSense doesn't need a lot of power...depends on how many users you have, and how fast the internet pipe is....but most can get away with a P3 with 256 megs or 512 megs. Go with a full gig if you feel like going crazy.

[parasharenator]

but which OS impletation of windows xp/windows 7(32 bit or 64 bit) is preferred for the server(4GB RAM),,assuminh it's used for Hardcore gaming along with being used as a Gateway!

[YeOldeStonecat]

For optimal performance of a router...I'd not want it hosted in a virtual machine, PFSense installs on the workstation directly..it's its own operating system.

[parasharenator]

that's why I was asking what will be it's ram obligations with vmware,,,on the gateway,,while gaming continues..
BTW ,,what's the flipside to hosting it on a virtual machine
and in case if pfsense is installed on the workstation directly(using it's own OS),,does that mean no other work could be done ,,since pfsense would be running on it's own OS,,and the workstation would work just as a gateway,,nothing else..no other apps rite

[YeOldeStonecat]

that's why I was asking what will be it's ram obligations with vmware,,,on the gateway,,while gaming continues..

It's resources. Gaming pushes your system, you want a top notch running system for gaming.

A router with light loads could run in a VMWare session OK...but you want a router to run heavy loads (I see torrents up there)..and provide good performance for lots of online gamers? Should have the router run dedicated for this.

Just pickup an old P3 box, get 2x good NICs in it, 512 megs of RAM or so..and try PFSense.
Actually seeing that you have 100 or so users....may want a higher P3 or even a P4..and maybe a gig of RAM or two.

[bilbus]

pfsense does not require much to route, but once you start adding packages you need that extra ram.

Like snort and ntop. If you want both you should have 4gb +

Ntop is a must! lets you see what hosts are using bandwidth in real time. It also shows where and what users are doing and going.

[parasharenator]

Basically my personal computer would be used as the defacto gateway.
It's config is Intel C2D E82400(3GHz,6MB L2 Cache,1333MHz FSB) and 4GB of DDR2 RAM-800MHz
And gaming won't be like 24x7,it would be like 2-3 hours a day,at max ..If at all!

And mostly I would be using Windows XP 32bit(or maybe WIndows 7 32bit)OR DO YOU guys suggest 64bit OS.

Now I have got various suggestions:
I need to finalise,
Checked the features of Pfsense(found it descent enough)
but "bilbus" recommends to use ntop along with this
And Also snort,,seemed more like to be a standalone software,so Won't it be kinda renundant.
And is stuff like Nmap also needed.

EDIT-Iam looking for only free software based solutions.

Please guys,esp. "YeOldStoneCat" please make the thin lines clear and suggest which combo should I use...

[YeOldeStonecat]

Summary....you want a router that will provide maximum QoS to a large number of computers that give your internet connection a very high load. Lots of gaming and torrents. And you want this to be free.

My answer..would be a dedicated box with 2x quality network cards...running PFSense. No "running inside of vmware". I am not a fan of hosting your edge device in a virtual session on a Windows computer. I prefer a dedicated edge device...red NIC to the untrusted internet, green NIC to the LAN/switch. There's just something about having my Windows box with a NIC facing the internet. I know VMWare virtualizes the NICs and technically the Windows outside NIC isnt "alive" on the internet, but it's software, there have already been exploits against VMWare, and there will continue to be so. In addition to the above reason, the other one is "resouces". You're serving a large network...you mention a lot of computers...like 100. You want a dedicated router for this, not a router hosted in some virtual session on a Windows rig that is bound to be unstable due to torrent stuff, worms, trojans, and gaming. Every time you reboot this Windows host, your internet goes down. A dedicated router that sits in the corner and does nothing but manage your internet connection....running rock stable 24x7. No reboots required, constant uptime.

Snort is different from nTop, Snort is an add-on package that many *nix router distros use for increased intrusion prevention.

Open sourced *nix router distros usually share many of the same components and/or add-on packages, such as Snort.

nTop, or the one I use more...BandwidthD, allow you to monitor your nodes behind your router...and see what they're doing traffic wise. Dunno how useful that would really be for you. I find BandwidthD gives you more of the basic, yet pertinent information in a brief summary about clients behind your router. nTop allows much deeper inspection.

[parasharenator]

Summary....you want a router that will provide maximum QoS to a large number of computers that give your internet connection a very high load. Lots of gaming and torrents. And you want this to be free.

My answer..would be a dedicated box with 2x quality network cards...running PFSense. No "running inside of vmware". I am not a fan of hosting your edge device in a virtual session on a Windows computer. I prefer a dedicated edge device...red NIC to the untrusted internet, green NIC to the LAN/switch. There's just something about having my Windows box with a NIC facing the internet. I know VMWare virtualizes the NICs and technically the Windows outside NIC isnt "alive" on the internet, but it's software, there have already been exploits against VMWare, and there will continue to be so. In addition to the above reason, the other one is "resouces". You're serving a large network...you mention a lot of computers...like 100. You want a dedicated router for this, not a router hosted in some virtual session on a Windows rig that is bound to be unstable due to torrent stuff, worms, trojans, and gaming. Every time you reboot this Windows host, your internet goes down. A dedicated router that sits in the corner and does nothing but manage your internet connection....running rock stable 24x7. No reboots required, constant uptime.

Snort is different from nTop, Snort is an add-on package that many *nix router distros use for increased intrusion prevention.

Open sourced *nix router distros usually share many of the same components and/or add-on packages, such as Snort.

nTop, or the one I use more...BandwidthD, allow you to monitor your nodes behind your router...and see what they're doing traffic wise. Dunno how useful that would really be for you. I find BandwidthD gives you more of the basic, yet pertinent information in a brief summary about clients behind your router. nTop allows much deeper inspection.

LEt's put it this way,
I want to divide the bandwidth between single threaded applications,using tcp,udp..basically browsing,Xbox live,normal web applications and messengers
AND
the peer to peer applications..wiz. BT file sharing(torrents) and private -server based P2P gaming
(instead of the broad lined segregation you had specified)

Now,I completely understand your point about standalone gateway device..
But I need to continue with this setup(virtual machine) for a few weeks before the dedicated edge device is ready.

SO,
How do I ensure a proper firewall,so that the routing(wiz. torrents,WORMS,TROJANS,gaming) doesn't interfere with the OS and it's security(do you recommend windows 7 over XP SP3 here???)

APART FROM THESE I DIDN'T Understand a few bits:
1.What are 'Red' and 'Green" NICs,,is this some technical spec or just your nomenclature.

2.Intrusion detection is against bots sent within the network(assuming there are hackers in the hostel:thumb
OR
is it from preventing attacks from the internet(AND PLEASE also,make your point about the"EXPLOITS" against VMWARE(for overriding it,again is this affected by the LAN or net??)

3.regarding BandwidthD used for monitoring,doesn't Pfsense inherently provides these features,I mean what are the add-ons of this component over Pfsense(specifically)..

P.S.- I KNOW THIS IS LONG LIST,BUT I GUESS THAT"S WHY THESE FORUMS ARE FOR

[bilbus]

if you have not used ntop ... it is so much more detailed then bandwithD.

You should install it to try it ... it can help you track down who is using bandwidth.

1. Red/green is just how he was exampling out unprotected / protected interface.
2 Thats what snort is.
3. Pfsense does not provide any kind of monitoring outside the basic logs and graphs. Ntop is what is needed for that. BandwithD will give you basic information ... ntop will give you much greater detail .. and even netflow.

You can run ntop as a standalone app.

I have no problem using vmware ESX / ESXi as a host for a router. It is not windows based, its it own os. (no its not linux ... the service console is but not vmware it self.)

Use vlans to protect the interfaces.