Setup Endian in small lan/company for "blocking"

[Guest]

[kabeza]

Hi
I've been asked to solve a problem in a small company.
Some employees can't work on extranet because others download porn, music, movies, msn, etc. etc.
I searched and read some articles, and found Endian could solve this.
I have a spare "old" PC which could use. I have basic -Ubuntu- linux knowledge

The actual company's lan diagram is similar to this:
ht_tp://imgur.com/T1lyf.png (remove _ from url)

I don't have a big network/ip/cisco knowledge, but would like to ask you some questions

1- How should I connect the old PC with Endian to the above diagram? It should have 2 nics right?

2- ISP would not provide modem/router's passwords (they also sent a quote for doing this "blocking" job) so I guess I'll have to reset these things and re-configure everything, right? Or maybe by knowing lan's configuration I could configure Endian for actual LAN settings?

3- Is there a way to block stuff without configuring each workstation browser with proxy settings?

4- Every client PC will share same "blocking" profile. There won't be higher privileges or so

5- Actually there's no domain nor any kind of server. All are workstations/clients

6- Any additional stuff I should have into account? Maybe some guide?

Thanks a lot in advance.
Hope someone can help me

[mrkroket]

1- How should I connect the old PC with Endian to the above diagram? It should have 2 nics right?

The best way is with 2 NIC's, and place between the modem and your switch.

2- ISP would not provide modem/router's passwords (they also sent a quote for doing this "blocking" job) so I guess I'll have to reset these things and re-configure everything, right? Or maybe by knowing lan's configuration I could configure Endian for actual LAN settings?

You don't really need it. If your router have DHCP, the NIC's will take the IP automagically. If not, set the IP manually and adjust the client's IP's manually too.

3- Is there a way to block stuff without configuring each workstation browser with proxy settings?

Yes, with transparent proxy. You can even define different profiles by IP or MAC address. You also can priorize traffic with QoS.

4- Every client PC will share same "blocking" profile. There won't be higher privileges or so

You just need one rule on HTTP Proxy then.

5- Actually there's no domain nor any kind of server. All are workstations/clients

Doesn't matter, transparent proxy doesn't use domain LDAP.

6- Any additional stuff I should have into account? Maybe some guide?

1- With the 2 NIC approach you'll probably need to enable the DHCP server role in Endian.
I suppose that your router have a DHCP server, and your clients are taking their IP's from this DHCP server.
When you add the firewall, now the router DHCP server will give only one IP address (to Endian Firewall, external interface = RED).
Clients will now take their IP from Endian DHCP server, not from the router. Clients can't reach router (=internet) directly, they must go through Endian Firewall.
2- Manually update the HTTP proxy blacklists. See forum posts about how to do it.
3- Enable Intrusion Prevention system if your CPU/memory is enough. It detects many things, specially P2P. By default it only warns you. If you want to block some traffic, click on yellow triangles of each ruleset.
4- Enable HTTP Proxy, set to transparent mode. Add a rule with content filtering, and define the content filtering to your needs.