Should I use PPTP on the local network to account for traffic and distribute access rights?
The current situation is this. There is a LAN of 200+ machines. At the moment, Internet access is logged and restricted by the IP addresses of the machines. But this approach is not entirely correct, since several users can work on the same machine at different times (each with their own AD account). There is Mikrotik equipment, followed by a transparent Squid for filtering and caching.
There is an idea to set up a tunnel from each Windows machine to the Mikrotik using the standard PPTP tools, thereby identifying the specific user, and then assigning the necessary network access policies (on Squid) to each user.
The question, in general, is this. Doesn't this approach seem like some kind of "overhead", when there is already a working gigabit LAN for internal needs, and separately a tunnel is also raised from each machine for Internet access? I have some doubts; it seems redundant.
Well, one more interface on the client machine. From the router's side, only benefit: you can keep any accounting for any user, as well as set policies. Maybe someone has already implemented something similar and can describe the pros and cons. I see a lot of advantages in this approach, but the additional tunnels from each machine to the router bother me.
Thanks in advance for sensible answers and your feedback, based on experience, on the implementation of this scheme.
To keep 200 tunnels up you need a powerful piece of hardware, and there will still be various problems.
It is better to authorize via AD + RADIUS (the NPS role on Windows Server).
I had a similar case, and I solved it like this:
1. Mikrotik was the gateway for all traffic; the policies and tydes were there.
2. Part of the traffic, including HTTP and HTTPS, was redirected to Squid.
3. On the Squid (pfSense build) there was authorization through the Windows implementation of RADIUS (the NPS role), plus all sorts of content filters, antivirus, etc.
4. The Squid's gateway was the Mikrotik, which let the traffic out.
I.e. the Squid was not in the middle between the clients and the Mikrotik, but "on the side", and I redirected the traffic there; it is simpler and more manageable, and the Squid can be restarted if something happens.