Hardware bandwidth limiter

Tags: bandwidth, bandwidth-control, qos

Really not sure if this is the place to be asking this, but here goes...

Our company has grown exponentially in the last year. As such, our internet connection needs some serious managing and limiting to not only ban facebook and other stupification sites, but also to limit the bandwidth that is dedicated to certain services like youtube.

Setting up new firmware and limits on every single one of our routers is, naturally, out of the question, and I would now like to know if there is some kind of hardware device that would offer me this functionality (both limiting and throttling the bandwidth to and from certain resources) without fail. I would install this device between our ISP's line and our building switch, in order to control the entire company's bandwidth allocation.

Googling revealed nothing useful, except some software solutions which are inadequate for our situation.

Update:

We are in one building. The building has two entry point connections on the ground floor, which connect to the building switch. That is, we have two synchronous (up = down) ADSL connections, one for each floor basically. This switch then branches out and connects to each of the two current floors we own (that is, to each of the several routers on each floor). 99% of the company works on Macs (I know…), and those Macs are connected wirelessly to the aforementioned routers. The WANs themselves are not interconnected in any way other than the fact that they all go back to the same building switch eventually.

I had originally thought about flashing every router with new firmware and then putting some serious limiting on those, but not only is that not very safe for the routers, it is also tedious – especially if I need to change a condition later on. This would require me to run around again and deal with each one. What I'm basically aiming for here is a single device able to both limit the bandwidth to some sites (i.e. limit Youtube to 100kb/s) and block others completely (facebook), preferably by subnet (for example, 192.168.3.x would have only bandwidth throttling, while 192.168.2.x would have a complete blockade on facebook). If you could just point to such a device if it exists, we will pay up to $5,000 for it, this is how important it is to us to do this instantly and hassle free for an indefinite amount of time.

Update 2:

Info on current routers:
Right now we use LinkSys WRT54GL for our routers. There are 5 in total, three on the ground floor and two on the first floor.

Update 3:

We are in a rented building. The building has a master rack to which I have no access, and I must hunt down the network admin of the building. We are a part of a university campus, and we occupy 50% of a building, for now. The structure is as follows: there is a floor rack on the ground floor, into which our internet connection is plugged. From there, we branch it out to VoIP and internet access for users, in the following manner: the ground floor gets one channel, which makes a total of 3 of those SOHO routers. The ground floor rack is connected to the main building rack, which in turn spreads this connection out among the first floor rooms, each of which has its own router. So, basically, I have no control over or access to the main building rack.

Bart suggested we replace those SOHOs. What would be the optimal setup? Should I just get one strong access point for each floor? How is this usually done, what kind of hardware/software combo would you suggest? I am open to everything, even completely restructuring the entire company network if need be. I would like to learn how to do this properly from the get-go.

Best Answer

What kind of routers are you using? It sounds like you're just using SOHO type routers? You might want to look at getting better routers and switches with management built in and monitorable through SNMP.

That said I'd also put in a proxy server that can log activity and block certain traffic. Proxying can help some of your speed woes, blocking can limit others.

Upgraded routers can also handle traffic shaping and limiting, as well as QoS. If you must do it on the "cheap", you could start using a Linux box (there are several turnkey solutions) to do the traffic monitoring and shaping. Install, configure, set it as the gateway for everyone's system to route through. An inexpensive box can also do the proxying work for you, and you could have options for VPN access.

We ran a SquidGuard box for a while to filter and proxy traffic. Turned out it was also pretty good at helping track down certain malware on the network when we filtered for certain broadcasts that were scattering through the routing tables from a particular (infected) client. It was also great for getting browsing activity reports.

Just make sure any filtering or whatnot is allowed in your policies and employees are made aware of network monitoring. Sometimes it's the law, other times it's just a nice courtesy to your users to be reminded they're using company resources, not personal resources.
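The "Linux box as gateway" approach from the answer, worked through as an added example (this is not code from the answer or from any product it names). It implements the two requirements from the question on one box placed between the ADSL lines and the building switch: YouTube downloads to 192.168.3.0/24 are shaped to 100 kbit/s with `tc` HTB and an iptables fwmark, and Facebook is denied to 192.168.2.0/24 by a Squid ACL. Everything not in the original thread is an assumption: interface names eth0 (WAN) and eth1 (LAN), a 2 Mbit link, and the YouTube address ranges in `YOUTUBE_NETS`, which are RFC 5737 placeholders, not real Google ranges.

```shell
#!/bin/sh
# Added example, not code from the original answer: one Linux gateway that
#   (a) throttles YouTube-bound downloads to 192.168.3.0/24 (tc HTB + fwmark), and
#   (b) blocks Facebook for 192.168.2.0/24 via a Squid ACL.
# Assumed (not in the original page): WAN=eth0, LAN=eth1, a 2 Mbit link, and the
# placeholder YouTube ranges in YOUTUBE_NETS. Real CDN ranges change; keep them in
# an ipset fed from a maintained list or from your proxy logs.
set -eu

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LINK_RATE=${LINK_RATE:-2000kbit}      # ADSL downstream, shaped on LAN egress
DEFAULT_RATE=${DEFAULT_RATE:-1900kbit}
VIDEO_RATE=${VIDEO_RATE:-100kbit}      # the question's "limit YouTube to 100kb/s"
THROTTLED_NET=192.168.3.0/24
BLOCKED_NET=192.168.2.0/24
YOUTUBE_NETS="203.0.113.0/24 198.51.100.0/24"   # constructed placeholders (RFC 5737)
VIDEO_MARK=1
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or only print it when DRY_RUN=1, so the whole
# tc/iptables program can be reviewed before it touches a production gateway.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# setup_shaping: HTB tree on the LAN-facing interface. Shaping is applied where
# packets *leave* the box toward the clients, because you can only queue what
# you send; by the time a download arrives on the ADSL side it has used the line.
setup_shaping() {
    run tc qdisc del dev "$LAN" root 2>/dev/null || true
    run tc qdisc add dev "$LAN" root handle 1: htb default 30
    run tc class add dev "$LAN" parent 1:  classid 1:1  htb rate "$LINK_RATE"
    run tc class add dev "$LAN" parent 1:1 classid 1:10 htb rate "$VIDEO_RATE"   ceil "$VIDEO_RATE"
    run tc class add dev "$LAN" parent 1:1 classid 1:30 htb rate "$DEFAULT_RATE" ceil "$LINK_RATE"
    # Packets carrying fwmark VIDEO_MARK are steered into the 100 kbit class.
    run tc filter add dev "$LAN" parent 1: protocol ip prio 1 handle "$VIDEO_MARK" fw flowid 1:10
}

# mark_video: tag YouTube -> throttled-floor packets. Done in mangle/FORWARD
# rather than mangle/PREROUTING so the destination has already been de-NATed
# and matches the private subnet; the other floor stays unmarked and unshaped.
mark_video() {
    for net in $YOUTUBE_NETS; do
        run iptables -t mangle -A FORWARD -i "$WAN" -o "$LAN" \
            -s "$net" -d "$THROTTLED_NET" -j MARK --set-mark "$VIDEO_MARK"
    done
}

# squid_block_acl: squid.conf lines denying Facebook to one floor only. They
# must appear before the generic "http_access allow localnet" rule, because
# Squid evaluates http_access lines in order and stops at the first match.
squid_block_acl() {
    cat <<EOF
acl floor_blocked src $BLOCKED_NET
acl facebook dstdomain .facebook.com .fbcdn.net
http_access deny floor_blocked facebook
EOF
}

main() {
    setup_shaping
    mark_video
    squid_block_acl
}

case "${1:-}" in
    apply)   main ;;            # program the gateway for real (needs root)
    dry-run) DRY_RUN=1 main ;;  # print every command and the Squid snippet for review
esac
```

Run `sh shaper.sh dry-run` first and read the output; `sh shaper.sh apply` as root then installs the tree. Two caveats a practitioner will hit immediately: matching YouTube by destination address is brittle because it is served from shared CDN ranges, so the proxy (which sees hostnames) is the more reliable place to classify and block; and the Squid rule only bites if clients actually use the proxy (explicit browser setting or WPAD), since transparent interception of HTTPS is not something this snippet sets up. Upload shaping, if wanted, is a mirror-image HTB tree on the WAN interface.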