School network, advice needed

I would like to ask for your advice and ideas for this post, please. I am helping the local public school with their archaic network installation to expand coverage to the rest of the classes. The school is divided into 4 sections, with 1 access point in each section, and around 80 users at peak demand.
They have bought some non-managed switches and access points (TP-Link). I am thinking of getting a PC with multiple Ethernet ports, or a router, and installing OpenWrt on it.
Each section will connect to a switch and then straight to its corresponding Ethernet port on the router. On the PC each Ethernet port will be a VLAN. Apart from creating VLANs in OpenWrt and installing nftables to allocate particular bandwidth to certain IPs, I would like to block offensive pages, Facebook, or other pages that the teaching staff will instruct.
The current Internet access is VDSL at 100 Mbps. I know it is limited, so they have to block a lot of unnecessary traffic.
So my questions are:
- how do I block certain pages
- how do I block offensive pages (the ISP's current DNS allows free access)
- anything else that you might suggest

There's an adblock package; you can block anything you want based on DNS name, not only ads.

You'll also need to implement https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

I don't presume to know your level of network administration experience and knowledge, and I'm not trying to disparage you. But based on your questions, I am assuming you haven't taken on a project like this in the past.

With that in mind, personally, I would recommend that you don't take on this project, or that you partner with someone who has experience administering networks in the educational space.

Administering a school's network is a complex thing... not only do you need to restrict access, filter content, and maintain security, you also need to create a reliable network that both teachers/staff and students can rely on to get their work done. Mistakes in any of this will probably make people very angry at you and put you in a really difficult situation to fix things under pressure. And students are smart and creative, and will work really hard to break the network or bypass filters/protections you put in place. You need to be a step ahead of them at all times.

Asking for advice here is great -- we are here to help. But keep in mind that this forum (and OpenWrt as a platform) may not be well suited to ensuring success in the really challenging area of educational networks.


I have done a couple of similar projects with vendor-specific hardware, but there I had to choose the HW/SW (it cost a lot $$$$). Now there is a lack of budget and I am not familiar with how to configure it in OpenWrt.

Is there a network already in place that you are supposed to expand or is it a new installation from scratch?

It is a little late now, but usually these projects are supposed to be planned out first and then you buy the hardware needed.

And you haven't mentioned what (ISP) speeds we are talking about?

Now it seems to be a case where someone bought “some hardware” and said “good luck”?

Usually schools are built with corridors and classrooms, with more or less hard walls and not 10 m up to the roof. So to get coverage, expect one AP per 10-20 m in the corridors and one AP per classroom.

You didn't mention which TP-Link AP, but usually you need PoE to drive these APs: PoE from either a PoE switch or PoE injectors that need ordinary power close by.

And an Ethernet cable can be 100 m. 100 m is a very short length in long or big buildings like schools, so the switches are usually placed as repeaters. With optical fibre you can have more than 100 m between the router and the switch.

But with "some non-managed" switches it sounds like your hands are pretty much tied behind your back already before beginning the project, especially since you already mention VLANs. And usually the APs need at least two VLANs to protect them from access: a management VLAN and at least one data VLAN.

Installing the network in a star formation from the connectors on the router is normally a very ineffective and expensive installation (cables cost money too, both in installation cost and in the aluminium/copper) in big buildings/businesses.

The speed is there, in the first post.


Oh, I see now. I got tied up for a while, so the post got expanded while I was writing my answer. @psherman also pretty much said what I thought while I was offline for a while.

Thanks for the reply.
Adblock will help me block certain sites, which I have to enter manually. How about the offensive material? Is there a free DNS service or a package that blocks xxx, violence, etc.?

I know it is a difficult project and we have to work with whatever we have. The current network consists of:

  • ISP's router that has onboard wifi
  • 5 port switch

There are adblock lists out there, most of them on GitHub; you simply add them to the adblock config, and the FQDNs will be added to the local adblock list.
Whether they cover "everything" or not, no one knows... trial and error, unfortunately.

There's the free and paid AdGuardHome (AGH); the second one can be customized to create a more fitting block profile, and you could then use the service as an upstream DNS provider.

Other free (and paid) DNS services offer "kid safe" DNS too; AGH is just one of them. Here's another: https://www.opendns.com/setupguide/#familyshield

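The reply above says a GitHub-hosted list is "simply added" to the adblock config. As an added illustration of what happens underneath (this is not the adblock package's own code, nor anything posted in the thread), the script below converts a hosts-format blocklist (the `0.0.0.0 domain` lines those GitHub feeds use) into dnsmasq `local=/domain/` entries, which dnsmasq answers locally with NXDOMAIN instead of forwarding upstream. It also shows why a converter has to validate: real feeds carry localhost lines, comments, duplicates in mixed case and the occasional malformed entry. The sample list is constructed for the example, and the output path `/tmp/dnsmasq.d/blocklist.conf` is an assumption (OpenWrt's default dnsmasq config reads that directory).

```shell
#!/bin/sh
# Added example, not code from the thread or from the adblock package.
# Converts a hosts-style blocklist into dnsmasq syntax and demonstrates the
# filtering on a constructed sample. Pure POSIX sh + awk, so it runs on a
# BusyBox router as well as on a desktop.

# Constructed sample feed (not a real list): mixes valid entries with the
# junk every hosts file carries.
SAMPLE_LIST='# Title: constructed sample hosts list
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 ADS.example.com
0.0.0.0 tracker.example.net # trailing comment
0.0.0.0 not a host
0.0.0.0 bad_host.example
0.0.0.0 -leading.example
0.0.0.0 adult-site.example.org'

# Assumed output location; OpenWrt's stock dnsmasq config includes
# conf-dir=/tmp/dnsmasq.d, so files placed here are picked up on restart.
BLOCKLIST_CONF="/tmp/dnsmasq.d/blocklist.conf"

# stdin: hosts-format list. stdout: one "local=/host/" line per unique,
# syntactically valid hostname that is sinkholed to 0.0.0.0 or 127.0.0.1.
hosts_to_dnsmasq() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }                    # comment or blank
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }    # only sinkhole lines
        {
            host = tolower($2)                           # dedupe case variants
            if (host == "localhost" || host == "localhost.localdomain" ||
                host == "broadcasthost" || host ~ /^ip6-/) next
            if (length(host) > 253) next                 # DNS name length limit
            # labels: alnum, inner hyphens allowed, letters-only TLD
            if (host !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z][a-z]+$/) next
            if (!seen[host]++) print "local=/" host "/"
        }'
}

# Run the converter over the constructed sample (used for the walkthrough).
demo_convert() {
    printf '%s\n' "$SAMPLE_LIST" | hosts_to_dnsmasq
}

# On the router: fetch a feed, convert it, reload dnsmasq. $1 = feed URL.
# Not run automatically; call it explicitly once the feed has been chosen.
install_blocklist() {
    mkdir -p "$(dirname "$BLOCKLIST_CONF")" &&
    wget -qO- "$1" | hosts_to_dnsmasq > "$BLOCKLIST_CONF" &&
    /etc/init.d/dnsmasq restart
}
# After install_blocklist, "nslookup ads.example.com 127.0.0.1" on the
# router should report that the name does not exist (NXDOMAIN).
```

Of the ten sample lines only three survive (`ads.example.com`, `tracker.example.net`, `adult-site.example.org`); the loopback entries, the `0.0.0.0 0.0.0.0` self-reference, the underscore and leading-hyphen names and the mixed-case duplicate are all dropped. Blocking happens only for clients that actually use the router's dnsmasq, which is why the DNS interception discussed elsewhere in the thread matters.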

There is no way to filter out "offensive" material, not without getting into hot water with privacy and data protection laws (proxy and custom man-in-the-middle certificates) on one side and concerned parents on the other, once you realize that Wikipedia and your local newspaper might be classified as such. Don't touch such a project with a 10 ft pole without a commercial contract and detailed requirements in writing, signed by the responsible parties.

As mentioned before, managed switches and PoE are pretty much a must; fibre is probably very beneficial.


Totally agree. It is not a paid project and it is not supported. I am just giving a hand and ideas. Since they do not have the budget, I could not support such an installation.
At the moment we work only with what we have, and since money is out of the question, we have to use the minimum of equipment.

Thank you all for your replies.

The clean AdGuard DNS works well: it filters adult material and malware sites, plus a lot of torrent and other file sharing. An easy solution once you have DNS redirecting in place to stop the kids getting around it.


So currently they have no blocking or filtering?

That would give you control on the router and allow for exceptions for teacher machines (you would have to whitelist the teacher PCs and force any new devices to use the most restrictive profile, aka kid-safe search etc.). It can also block services like TikTok etc.

You would also have to enforce DNS redirection to AGH and also block/deny any other encrypted DNS from passing to the internet (requires firewall rules).

That would reduce things and make it harder, but it is not a filtering firewall solution that would block IP address bypasses. Ideally for a situation like this you want a proxy cache with proper filtering and a restricted/filtered DNS. That would reduce the load on the VDSL and provide a much better filtering solution.

That being said, I will repeat what others have said: this is a legal minefield, and I'd be insisting on written authorisation and a clear definition of roles/responsibilities.

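Two replies in this thread (the pointer to the intercept_dns wiki page, and the post above asking for DNS redirection plus blocking of other encrypted DNS) describe the same enforcement step. The script below is an added example of that step, not code from the thread, the wiki or the OpenWrt project: it points dnsmasq at a filtering upstream, DNATs every plain port-53 query from the LAN back to the router no matter which resolver a student typed in, rejects DNS-over-TLS (fixed port 853) and answers the Firefox DoH canary name with NXDOMAIN, which turns off that browser's automatic DoH. Assumptions: the client zone is named `lan` and the WAN zone `wan`; the upstream is OpenDNS FamilyShield, with the addresses published on the setup page linked earlier in the thread; fw4 UCI syntax (OpenWrt 22.03 and later). Without a `uci` binary on the PATH the script only prints the commands it would run, so it can be reviewed off-router first.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt. Forces LAN clients
# through the router's dnsmasq and closes the obvious ways around it.
# Run "sh dns_policy.sh apply" on the router; anywhere else it prints a plan.

UPSTREAM="208.67.222.123 208.67.220.123"  # OpenDNS FamilyShield (assumed choice)
CANARY="use-application-dns.net"         # Firefox checks this name before enabling DoH

# Execute uci when it exists; otherwise echo the command (dry-run mode).
uci_run() {
    if command -v uci >/dev/null 2>&1; then uci "$@"; else printf 'uci %s\n' "$*"; fi
}

# dnsmasq: drop the ISP resolvers and forward only to the filtering upstream.
set_upstream_dns() {
    uci_run set 'dhcp.@dnsmasq[0].noresolv=1'
    uci_run -q delete 'dhcp.@dnsmasq[0].server'
    for s in $UPSTREAM; do
        uci_run add_list "dhcp.@dnsmasq[0].server=$s"
    done
    # server=/name/ with no address makes dnsmasq answer the name locally,
    # which for a name it does not know yields NXDOMAIN (same as local=/name/).
    uci_run add_list "dhcp.@dnsmasq[0].server=/$CANARY/"
}

# Redirect any plain-DNS packet from the LAN to the router itself. A DNAT
# redirect with no dest_ip targets the router's own address.
add_dns_redirect() {
    uci_run set 'firewall.dns_int=redirect'
    uci_run set 'firewall.dns_int.name=Intercept-DNS'
    uci_run set 'firewall.dns_int.src=lan'
    uci_run set 'firewall.dns_int.src_dport=53'
    uci_run set 'firewall.dns_int.proto=tcp udp'
    uci_run set 'firewall.dns_int.target=DNAT'
}

# DNS-over-TLS uses a dedicated port, so it can be rejected outright.
# DNS-over-HTTPS shares port 443 with ordinary web traffic; it needs a
# blocklist of resolver names/addresses, which is out of scope here.
add_dot_block() {
    uci_run set 'firewall.dot_block=rule'
    uci_run set 'firewall.dot_block.name=Block-DoT'
    uci_run set 'firewall.dot_block.src=lan'
    uci_run set 'firewall.dot_block.dest=wan'
    uci_run set 'firewall.dot_block.dest_port=853'
    uci_run set 'firewall.dot_block.proto=tcp udp'
    uci_run set 'firewall.dot_block.target=REJECT'
}

# Whole policy; returns the uci commands on stdout in dry-run mode.
apply_dns_policy() {
    set_upstream_dns
    add_dns_redirect
    add_dot_block
}

# Usage on the router:  sh dns_policy.sh apply
if [ "${1:-}" = "apply" ] && command -v uci >/dev/null 2>&1; then
    apply_dns_policy
    uci commit dhcp && uci commit firewall
    /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
fi
```

To check it from a student VLAN after applying: `nslookup example.com 8.8.8.8` must still be answered (by the router, because of the redirect), while `nslookup` against any DoT resolver on port 853 must fail. Teacher exceptions, as the post above suggests, are done by giving those hosts a static DHCP lease and excluding their addresses with `src_ip` on the redirect, or by putting them on their own VLAN with a different policy.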

A simple thing you can do that will drastically improve the performance of a heavily shared DSL line would be a router that runs SQM on the overall WAN connection. Per-room SQM is also possible using VLANs, and that would prevent one room from hogging all the bandwidth.

If they want site blocking / content filtering that really needs to be done with a commercial appliance. Don't touch that on a DIY basis.

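The post above recommends SQM on the WAN plus per-room SQM on the VLANs. As an added example (not code from the thread or from the OpenWrt sqm-scripts package), here is that layout in UCI syntax for the `sqm` package with the cake qdisc. Assumptions that are not in the thread: the WAN device toward the ISP router is `eth0`; the four room VLANs are devices `eth1` to `eth4`; the VDSL line-layer overhead of 34 bytes (PTM with PPPoE) matches the ISP's encapsulation and should be checked; the 90000 kbit/s download figure is 90% of the 100 Mbps quoted in the first post, and the upload rate must be measured because the thread does not give it. Without a `uci` binary the script only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from sqm-scripts. Builds one cake
# queue on the WAN sized below the DSL rates, plus one per room VLAN so that a
# single room cannot consume the whole link.
# Usage on the router:
#   sh sqm_policy.sh apply 90000 <measured_upload_kbit> 40000 <room_upload_kbit>

WAN_DEV="eth0"                     # assumed: port facing the ISP router
ROOM_DEVS="eth1 eth2 eth3 eth4"    # assumed: one device per room VLAN
VDSL_OVERHEAD="34"                 # assumed PTM+PPPoE per-packet overhead, verify with ISP

# Execute uci when it exists; otherwise echo the command (dry-run mode).
uci_run() {
    if command -v uci >/dev/null 2>&1; then uci "$@"; else printf 'uci %s\n' "$*"; fi
}

# One cake queue. $1 section name, $2 device, $3 ingress kbit/s ("download"),
# $4 egress kbit/s ("upload"), $5 link-layer type, $6 overhead bytes.
sqm_queue() {
    uci_run set "sqm.$1=queue"
    uci_run set "sqm.$1.enabled=1"
    uci_run set "sqm.$1.interface=$2"
    uci_run set "sqm.$1.download=$3"
    uci_run set "sqm.$1.upload=$4"
    uci_run set "sqm.$1.qdisc=cake"
    uci_run set "sqm.$1.script=piece_of_cake.qos"
    uci_run set "sqm.$1.linklayer=$5"
    uci_run set "sqm.$1.overhead=$6"
}

# WAN: shape a little under the DSL sync so the modem's own buffer stays empty.
# $1 download kbit/s, $2 upload kbit/s.
sqm_wan() {
    sqm_queue wan "$WAN_DEV" "$1" "$2" ethernet "$VDSL_OVERHEAD"
}

# Rooms: SQM names directions from the interface's point of view. On a
# LAN-facing port, "upload" (egress) is what the room receives, i.e. its
# download, and "download" (ingress) is what the room sends toward the WAN.
# $1 cap toward each room, $2 cap from each room, both kbit/s. Caps may add
# up to more than the WAN rate; cake on the WAN still shares fairly, the
# per-room caps only stop one room from taking everything.
sqm_rooms() {
    n=1
    for dev in $ROOM_DEVS; do
        sqm_queue "room$n" "$dev" "$2" "$1" none 0
        n=$((n + 1))
    done
}

# Whole policy; returns the uci commands on stdout in dry-run mode.
apply_sqm() {
    sqm_wan "$1" "$2"
    sqm_rooms "$3" "$4"
}

if [ "${1:-}" = "apply" ] && command -v uci >/dev/null 2>&1; then
    apply_sqm "$2" "$3" "$4" "$5"
    uci commit sqm && /etc/init.d/sqm restart
fi
```

If the OpenWrt box sits behind the ISP's own router (the current setup lists an ISP router with onboard Wi-Fi), SQM on `eth0` still works as long as the configured rates stay below the real VDSL rates; the point is to make the OpenWrt queue the bottleneck instead of the modem's. Start with the WAN queue only and add the room queues once the per-room rates have been agreed with the staff.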

I would suggest one OpenWrt router, protecting as all said above, then connect powerline Ethernet points with Wi-Fi at certain points to create a single Wi-Fi coverage area. That makes managing the network easy.
