  1. #1
    Newbie
    Join Date
    Dec 2019
    Posts
    2

    Solution for church

    Hi Everyone,

    New to the forums here. I am looking at Untangle for my church and seeking a little technical advice and clarification of the subscription we should choose, and how that will fit our needs.

    The main goals are to achieve a strong firewall, segregated VLANs and also I like very much the idea of content filtering, for protection of our people and the church. We exist in a time and a government where this is a very critical issue - legislation is heavy, as are the penalties for any breaches.

    I have a nice machine (Xeon, 4GB RAM - same type of machine as our Windows server) set aside with two NICs and this will act as primary firewall and potentially the DHCP server. Currently our Windows 2016 server is performing DHCP.

    We are embarking on a new building and with that will come a much larger network. I'll be pursuing a UniFi solution with primary WiFi locked down to select few devices (by MAC through CloudKey box) on an approval process.

    We will have a guest WiFi network also. The plan will be to limit this and use it *very* sparingly, for official guests only. At present we have the issue of a legacy WiFi network, to which everyone knows the password and therefore we have every adult and youth using our WiFi at every opportunity. As you'd imagine, our device count can be 150+ some weekends. We will have some UniFi IP cameras too.

    The base Non-Profit plan includes up to 50 devices. We have 25-30 computers/iPads which are regularly in use, so I can consider this our base network size. I would expect all of these devices to pass through the full gamut of firewall services.

    The burning questions:
    1. Should we shift DHCP over to Untangle?
    2. Can I segregate the guest VLAN so that guest clients do not contribute to the license count? Or is this likely not an issue? I would want to avoid a situation where the count is exceeded and an official computer ends up not filtered and a child is exposed to something they shouldn't see...
    3. Can we throttle the guest VLAN easily? I realise this may be a very easy question to answer by reading the FAQ. I don't want guests to potentially thrash the network at the expense of others (our link is 50/20 Mbps).
    4. I assume WiFi APs and IP Cameras would not contribute to the device count? - How actually are devices counted?
    5. We are TechSoup validated, I assume churches fall under the same NFP scheme?


    Thanks in advance for your guidance.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,795

    If you have Active Directory running, the AD server should be doing DNS and DHCP for the networks accessing AD.

    Wireless devices can have DHCP served from Untangle; Untangle simply needs to be configured to either allow or bypass DNS resolution, depending on what segment needs what access. Untangle can handle all of that, but it does require some planning and some homework.

    Untangle licenses are consumed by any device transiting the Untangle AND subject to the UVM's filters. You can create a VLAN for public wireless access, and then bypass everything from that network. This will allow Internet access, but disable all filters and controls, including content control and the firewall, but it also removes license consumption from that entire IP network.

    Throttling guest VLAN is trivial, if and only if you have a sane idea of what that means. If you mean some sort of hard limit on guests can only go this fast... be ready for some pain. But, if you mean guest access gets the lowest priority so everyone else kicks them off when needed, this is easy.

    WAPs and IP Cameras will consume licenses if they are not bypassed, and they transit the Untangle for any purpose.

    Churches can use Untangle NonProfit licenses. Churches are NOT eligible for Public Sector licenses... except in very specific circumstances where the church is the government... which is fun, because I've sold those to a few Catholic Diocese. But odds are you're like most typical nonprofits, though I am curious what legal loopholes you're trying to jump through... because this is the first I've heard of any special requirements for a church.
    Last edited by sky-knight; 12-04-2019 at 07:14 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie
    Join Date
    Dec 2019
    Posts
    2

    Thanks for your reply!

    Not legal loopholes to navigate as such. More so operating in a heavily legislated world. We are located in Australia. Our state government (and Australian govt. in general) are cracking down very seriously on abuse of vulnerable people - partially or mostly by way of Royal Commissions into child abuses... Through this, there has been a steady strengthening of child-safe standards and our volunteers are required to undergo several checks. As a result, we have needed to develop very strong policies and guidelines to ensure we protect everyone involved.

    I would rather go whole hog than half-measured and suffer the consequences. We just don't know if the government will in the future introduce a standard of mandatory content filtering for all institutions working with children - other than schools. Schools already have strong standards and expectations around computer systems and access.

    On technical topic - I think I understand now and this gives me some peace of mind I can keep the budget reasonably low for the full capability. In theory I could manage all DHCP from Windows Server anyways and that might just be how it goes for a period of time.

    I plan to implement a basic UniFi network in our existing premises in January. New building expansion won't be complete until October 2020. Once I have the first phase in place I will bring Untangle into the equation. Then later on UniFi expansion should be a walk in the park.

    Thanks again!

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,795

    Untangle + Unifi + Good Planning = Meraki - Extortion Payments

    Every time I write that equation, it works out to a smiley face!

  5. #5
    Untangler
    Join Date
    Oct 2018
    Location
    Upstate NY.
    Posts
    48

    My two cents.

    We opened a school (Pre-K-12) at our church many years ago, however we had limited funds, so I used the free version of Untangle (we have to protect the children, however there is no money), which is where I discovered that I liked the program. I had no MS Server to use, so all DNS and DHCP was done through Untangle. We had a mix of hard and wireless machines to serve, and severely limited who had access to the WiFi network. Ultimately, when I stepped down, the new guy replaced the Untangle instance with pfSense.

    Going the UniFi route, with a couple of APs and some cameras, to me, is a smart move. With the UniFi software, you can throttle the networks, whitelist/blacklist clients, segregate VLANs. If you are going to use a Cloud Key, I would recommend the UniFi Cloud Key G2+, and since you are also going to use some cameras, replacing the hard drive with a larger SSD unit.

    I would also look into if you have a Sunday school or youth program if you fall under the need to protect the children as a school. It might be one of those "gray" areas.
