The following text is for readers with a technical understanding who are interested in the setup K-Net is running.
There are around 2500 users on K-Net. They are all connected via Ethernet equipment. We have the public IPv4 subnet 220.127.116.11/19 (8192 addresses). We do not have any IPv6 addresses yet.
Would you like to be part of improving our exciting setup? Read more about volunteering.
This setup was created in 2011-2012 because of scalability issues with the Authpf-based solution, and because users demanded not to have to authenticate via SSH.
When the setup is fully deployed, all edge switches in the dorms are set up so that each port leading to a room tags traffic with a separate VLAN. All traffic must then go through a firewall server running Linux, where a VLAN interface is set up for each user. This enables true layer 3 separation between all users.
WiFi users are handled by a RADIUS server which supplies a VLAN ID that the access point must tag traffic from the wireless client with.
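The wired side of the design above, sketched as an added example (not K-Net's own scripts): it prints the commands for one 802.1Q sub-interface per room port and an nftables policy that keeps user VLANs from forwarding to each other. The interface names eth1 (trunk to the edge switches) and eth0 (uplink), the table name and the VLAN range are assumptions.

```shell
#!/bin/sh
# Added example (not K-Net's scripts). Emits, but does not run, the commands
# for one 802.1Q sub-interface per room port plus a forward-chain policy.
# Assumed names: TRUNK faces the edge switches, UPLINK faces the Internet.
TRUNK="${TRUNK:-eth1}"
UPLINK="${UPLINK:-eth0}"

# Succeeds only for a usable 802.1Q VLAN ID (1..4094; 0 and 4095 are reserved).
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print the ip(8) commands for every user VLAN in the range FIRST..LAST.
generate_links() {
    valid_vid "$1" && valid_vid "$2" && [ "$1" -le "$2" ] || {
        echo "bad VLAN range: $1..$2" >&2
        return 1
    }
    vid="$1"
    while [ "$vid" -le "$2" ]; do
        echo "ip link add link $TRUNK name $TRUNK.$vid type vlan id $vid"
        echo "ip link set dev $TRUNK.$vid up"
        vid=$((vid + 1))
    done
}

# Print an nftables ruleset: default-drop forwarding, so traffic entering on
# one user VLAN can only leave via UPLINK, never via another user's VLAN.
isolation_ruleset() {
    cat <<EOF
table inet user_isolation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$TRUNK.*" oifname "$UPLINK" accept
  }
}
EOF
}
```

After reviewing the output, it can be applied as root with `generate_links 101 148 | sh` and `isolation_ruleset | nft -f -`. Per-VLAN address assignment is left out because the page does not describe it.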
The following diagram illustrates the architecture of the VLAN-based transparent firewall setup: