Student-Teacher Segmentation in School Networks: Content Filtering and 5651 Compliance

Summary: Separating student, teacher, and admin networks in schools and education institutions — content filtering policy, classroom Wi-Fi design, and 5651 compliance.
Summary: The network design in a school or educational institution must satisfy four concurrent needs: separating student, teacher, and admin traffic with VLANs; an age-appropriate content filtering policy; classroom- and lab-level Wi-Fi coverage; and retaining access logs for two years under Law 5651. In a correctly designed school network, the student reaches course material instead of social media; the teacher gets a stable connection to curriculum content; the administration processes student data in a KVKK-compliant way.
In a school the Wi-Fi password circulates among students; with no content filter, social media and game sites get opened during class; because the institution runs teachers, students, and administrative work on the same network, each slows down the others. That scene plays out in thousands of schools across Türkiye.
In this article we cover student-teacher network separation, content filtering policy, and 5651 legal compliance, aimed at school principals, IT leads, and education institution owners. Our target scale is private and public-private schools, courses, and language schools with 100-2,000 students.
Four Different User Profiles in an Education Institution
A standard school network has four different user groups, each with different priorities.
1. Students
- Access to curriculum resources
- Social media, games, video streaming limited/blocked
- Content policy varies by age group
- BYOD (bring-your-own-device) is common
2. Teachers
- Curriculum material, video sharing, exam portals
- Email, institutional software
- Broader access, but still within policy
3. Administrative Staff
- Student records, finance, KVKK-scope data
- The broadest access, the strictest security
- Historical data archives, audit reports
4. Guest / Parent
- Parent meetings, institutional visits
- Internet only, no access to internal network
- 5651-compliant logging
Sharing these four groups on the same flat network is unacceptable for both security and performance reasons.
Recommended VLAN Structure
A typical VLAN scheme at school scale:
| VLAN | Purpose | Content Filter |
|---|---|---|
| 10 | Management (switches, APs, servers) | — |
| 20 | Administrative staff | Light |
| 30 | Teachers | Medium |
| 40 | Primary students (grades 1-4) | Very strict |
| 50 | Middle-school students (grades 5-8) | Strict |
| 60 | High-school students (grades 9-12) | Medium-strict |
| 70 | Labs (control room) | Strict + research exceptions |
| 80 | Library Wi-Fi | Strict, social media blocked |
| 90 | IP cameras + security system | No internet |
| 100 | Guest / parent | Internet only |
Age-based VLAN separation ensures content filters are applied age-appropriately.
Content Filtering Policy
Content filtering is the "heart" of a school network. A badly built filter is either too strict (the teacher cannot search for curriculum content) or too loose (the student is on social media).
Policy by Age Group
| Age Group | Blocked | Limited | Allowed |
|---|---|---|---|
| 6-10 (grades 1-4) | Social media, games, adult content, violence | YouTube (educational lists), search | Educational sites, course portal |
| 11-14 (grades 5-8) | Social media, adult, violence | Games (lunch/break), YouTube | Education, news, research |
| 15-18 (grades 9-12) | Adult, gambling, violence | Social media (time-based), games | Broad research, academic |
| Teacher | Adult, gambling | — | Broad + curriculum |
| Admin | Adult, gambling | — | Broad + KVKK-compliant |
Filtering Solutions
Filtering solutions appropriate at SME scale:
- OPNsense / pfSense + pfBlockerNG — Open source, SME budget
- Cisco Umbrella (formerly OpenDNS) — Cloud-based, easy management
- Sophos UTM / XG Firewall — Integrated filter + firewall
- Fortinet FortiGuard Web Filtering — Category-based, comprehensive
- MEB-approved local providers — Türkiye-specific categorization, local support
Enforcing SafeSearch
SafeSearch should be forced on Google, Bing, and YouTube:
- Google SafeSearch — via DNS redirection or HTTPS proxy
- YouTube Restricted Mode — DNS or HTTP-header enforcement
- Bing SafeSearch strict mode
This is an additional layer that catches content the filter does not block directly but that is still inappropriate.
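One way to audit the DNS-redirection approach from a client on a student VLAN, as an added example that is not part of the original article: it parses `dig +noall +answer` output and checks that each search hostname is answered with the provider's enforcement CNAME. The sample output and its addresses are constructed; the hostname-to-target map uses the providers' published enforcement names and should be re-checked against their current documentation.

```python
# Expected enforcement CNAME per hostname (provider-published names; an
# assumption to re-verify against current Google/Microsoft documentation).
EXPECTED = {
    "www.google.com": "forcesafesearch.google.com",
    "www.youtube.com": "restrict.youtube.com",
    "m.youtube.com": "restrict.youtube.com",
    "www.bing.com": "strict.bing.com",
}

def parse_dig_answers(text):
    """Map each owner name to the set of CNAME targets seen in the answers."""
    answers = {}
    for line in text.splitlines():
        fields = line.split()
        # Record layout: owner TTL class type rdata
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        owner = fields[0].rstrip(".").lower()
        targets = answers.setdefault(owner, set())
        if fields[3].upper() == "CNAME":
            targets.add(fields[4].rstrip(".").lower())
    return answers

def audit_safesearch(dig_output, expected=EXPECTED):
    """Return {hostname: reason} for every hostname that is not enforced."""
    seen = parse_dig_answers(dig_output)
    failures = {}
    for host, target in expected.items():
        if host not in seen:
            failures[host] = "no answer captured"
        elif target not in seen[host]:
            failures[host] = "answered without " + target
    return failures

# Constructed sample: Google and YouTube are redirected, Bing resolves
# normally, and m.youtube.com was never queried.
SAMPLE = """\
www.google.com.             300 IN CNAME forcesafesearch.google.com.
forcesafesearch.google.com. 300 IN A     192.0.2.10
www.youtube.com.            300 IN CNAME restrict.youtube.com.
restrict.youtube.com.       300 IN A     192.0.2.20
www.bing.com.               300 IN A     192.0.2.30
"""
```

A resolver that rewrites the A record directly instead of returning a CNAME would need an address comparison rather than this CNAME check.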
Classroom and Lab Wi-Fi Design
A typical school Wi-Fi challenge: 30 students in a classroom use tablets/laptops at the same time, hallways carry heavy traffic, lab devices add extra load.
Coverage Design Rules
- At least 1 AP per classroom (2 APs in classrooms with 40+ students)
- Prefer ceiling mount (signal flows unobstructed by walls)
- An AP every 15-20 meters in the hallway — for class-to-class roaming
- Outdoor APs for the schoolyard (if Wi-Fi during breaks is expected)
- High-capacity APs in libraries and study rooms
Density Management
A classroom of 40 students watching video simultaneously can generate 200 Mbps of traffic. A single AP may not be enough.
- Prefer Wi-Fi 6 (802.11ax) — high efficiency in dense environments via OFDMA
- 5 GHz primary use, 2.4 GHz fallback
- Student-teacher-guest split over the same SSID via VLANs (the VLAN assigned to a device is determined by 802.1X / RADIUS)
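The 802.1X / RADIUS assignment in the last bullet, sketched as an added example (not the article's or any vendor's code): it maps a directory record to the VLAN IDs recommended above and returns the RFC 3580 tunnel attributes a RADIUS server places in an Access-Accept. The record fields `role`, `grade` and `enabled` are hypothetical.

```python
# VLAN IDs follow the scheme recommended in this article.
ROLE_VLAN = {"admin": 20, "teacher": 30, "guest": 100}
GRADE_BANDS = [(range(1, 5), 40), (range(5, 9), 50), (range(9, 13), 60)]

def vlan_for(record):
    """Return the VLAN ID for a directory record, or None to reject."""
    if not record.get("enabled", False):
        return None
    role = record.get("role")
    if role == "student":
        grade = record.get("grade")
        # A student without a usable grade is rejected instead of being
        # dropped into a default VLAN whose filter may be too loose.
        if not isinstance(grade, int) or isinstance(grade, bool):
            return None
        for band, vlan in GRADE_BANDS:
            if grade in band:
                return vlan
        return None
    return ROLE_VLAN.get(role)  # unknown roles fall through to None

def radius_reply(record):
    """Build the reply attributes for dynamic VLAN assignment (RFC 3580)."""
    vlan = vlan_for(record)
    if vlan is None:
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": 13,                  # VLAN
        "Tunnel-Medium-Type": 6,            # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }
```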
Exam-Day Mode
Some schools cut internet access entirely on exam day (so students cannot search) or keep it open only to the exam system.
- One-click "exam mode" switch from the management panel
- Wi-Fi SSIDs temporarily changed
- Only whitelisted exam sites are reachable
- Automatic or manual return to normal after the exam ends
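The time-based rows of the age-group policy table and the exam-mode allowlist, combined into one decision function as an added example (not from the original article or any filter product). Category names, the break window and the `*.example` hostnames are assumptions; the host match works on label boundaries so a look-alike name cannot ride on an allowlisted suffix.

```python
from datetime import time

# Middle-school (VLAN 50) and high-school (VLAN 60) rows of the policy table.
# "break_only" models the entries the table marks as lunch/break or time-based.
POLICY = {
    50: {"blocked": {"social", "adult", "violence"}, "break_only": {"games"}},
    60: {"blocked": {"adult", "gambling", "violence"}, "break_only": {"social"}},
}
BREAKS = [(time(12, 0), time(13, 0))]                      # assumed lunch break
EXAM_ALLOW = {"exam.school.example", "www.school.example"}  # assumed hostnames

def host_matches(host, allowed):
    """True if host equals an allowlisted name or is a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == name or host.endswith("." + name) for name in allowed)

def decide(vlan, host, category, now, exam_mode=False):
    """Return "allow" or "block" for one request."""
    if exam_mode:
        # Exam mode overrides every category rule: allowlist only.
        return "allow" if host_matches(host, EXAM_ALLOW) else "block"
    policy = POLICY.get(vlan)
    if policy is None:
        return "block"  # unknown VLAN: fail closed
    if category in policy["blocked"]:
        return "block"
    if category in policy["break_only"]:
        in_break = any(start <= now < end for start, end in BREAKS)
        return "allow" if in_break else "block"
    return "allow"  # assumption: categories not listed for the VLAN are allowed
```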
5651 Compliance for Schools
Law 5651 imposes log retention obligations on all hosting providers offering internet access (hotels, cafés, schools included).
Two-Year Retention
- All student, teacher, admin, and guest traffic is logged
- Which user (MAC, IP, account) visited which page and when
- Logs are timestamped, signed, tamper-proof
- Must be able to produce records within 30 minutes on audit request
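What "timestamped, signed, tamper-proof" means mechanically, as an added illustration (not from the original article and not a certified 5651 logger): each record carries the previous record's signature and its own HMAC, so editing or removing an earlier line breaks verification. The key, field names and sample records are constructed, and the local HMAC key stands in for whatever signing service the chosen logger actually uses.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
DEMO_KEY = b"constructed-demo-key"  # constructed; never hard-code a real key

def _mac(key, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_record(chain, key, ts, mac_addr, ip, account, url):
    """Append one access record linked to the previous record's signature."""
    body = {"ts": ts, "mac": mac_addr, "ip": ip, "account": account,
            "url": url, "prev": chain[-1]["sig"] if chain else GENESIS}
    chain.append({**body, "sig": _mac(key, body)})

def verify(chain, key):
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "sig"}
        good_link = body.get("prev") == prev
        good_sig = hmac.compare_digest(str(rec.get("sig", "")), _mac(key, body))
        if not (good_link and good_sig):
            return i
        prev = rec["sig"]
    # Dropping records from the tail is not caught here; that needs the
    # latest signature to be anchored outside the log.
    return -1

def build_sample(key):
    """Constructed three-record log for demonstration."""
    chain = []
    append_record(chain, key, "2024-03-04T09:00:00+03:00", "02:00:00:00:00:01",
                  "10.50.0.21", "student-a", "https://lessons.example/math")
    append_record(chain, key, "2024-03-04T09:00:05+03:00", "02:00:00:00:00:02",
                  "10.30.0.7", "teacher-b", "https://portal.example/exam")
    append_record(chain, key, "2024-03-04T09:00:09+03:00", "02:00:00:00:00:03",
                  "10.100.0.4", "guest-c", "https://news.example/")
    return chain
```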
Logger Solutions
- TIB-approved local logger appliances (hardware, one-time investment)
- Cloud 5651 services (monthly subscription, no physical device)
- Open-source solution + third-party signing (requires technical know-how)
Parental Notification
Under KVKK, parental consent may be required when processing children's data. The privacy notice and, where needed, the explicit consent should cover:
- Which data is collected (device MAC, access records, camera footage)
- How long it is retained
- What purposes it is used for (5651 obligation, security)
- Parent/student rights
Parent Portal and Communication Systems
In a modern school, parent communication should move from a WhatsApp group into a central system.
Parent Portal Contents
- The student's attendance
- Exam results, report card
- Class schedule, event calendar
- Payment and installment status
- Parent-teacher messaging
- Monthly payment and installment tracking
- Push notifications (mobile app) or SMS
KVKK Compliance
The parent portal processes parent and student data; special-category data (e.g., health reports) requires extra protection.
- Process the minimum necessary data without explicit consent
- Role-based access: parents see only their own child
- MFA recommended (especially if payment data is present)
- Deleting alumni data when the retention period expires
IP Cameras and Security
School camera system: corridors, schoolyard, entrance, cafeteria, parking.
Design Principles
- The camera network on its own VLAN (we recommend VLAN 90)
- No internet access (limited only for cloud backup)
- The recorder (NVR) is not reachable from the office VLAN — only security staff
- Camera angles must not look into classrooms (KVKK risk; not forbidden but sensitive)
KVKK and Camera Notices
- A "recording in progress" sign at the school entrance
- Camera information in the privacy notice
- Recordings deleted after a defined period (e.g., 30-90 days)
- Limited access: only post-incident, for evidence
What Yamanlar Bilişim Offers
Support areas sized to your education institution:
- Site survey and classroom-level Wi-Fi coverage design
- Age-appropriate content filtering policy
- VLAN segmentation and 802.1X authentication
- 5651-compliant logger selection and deployment
- Parent-portal infrastructure and KVKK notices
- IP camera network design and privacy alignment
- Exam-day network mode and automation
- Annual security and compliance audit
Conclusion
A correctly built school network is one where the student does not reach social media during class hours, the teacher gets stable access to curriculum material, the administration processes student data in a KVKK-compliant way, and the 5651 obligation is met by producing records within 30 minutes. Age-appropriate content filtering, classroom-level Wi-Fi coverage, and correct VLAN separation are the foundations of that structure.
At Yamanlar Bilişim, we deliver network designs, content-filtering policies, and 5651-compliance solutions sized to your school's scale and existing infrastructure — bringing your education institution to its pedagogical and legal goals on the same network.
Frequently Asked Questions
Students bring their own devices (BYOD) — how do I manage that?
In BYOD environments, independent 802.1X authentication on the student device is recommended: the student connects with their personal username/password, the system assigns them to the student VLAN, and the content filter is applied. MDM (mobile device management) can apply additional policies on the device, but enforcing MDM in BYOD is hard — as an alternative, control is provided via Wi-Fi policy only. While the device is off-network (at home), school policy does not apply.
YouTube Restricted Mode is not enough for teachers using videos in class — what do I do?
YouTube's Approved Content Only feature, or leaving Restricted Mode off for the teacher profile, are solutions. A more advanced approach: teachers add the videos they choose to a school YouTube playlist, and students can only access that playlist. Or use ad-free educational video platforms like Vimeo/EdPuzzle.
Does it make sense to move parent communication from WhatsApp to a portal?
Yes, for three reasons: (1) WhatsApp is a Meta service without a signed KVKK data-processor agreement — risky for official school communication, (2) teacher-parent messages on WhatsApp are not archived, with no audit evidence, (3) a student's private information can end up with the wrong recipient in a WhatsApp group. A portal offers a central, KVKK-compliant, documented structure.
What can I do on exam day besides cutting the internet?
An exam mode (white-list) is more practical: only the exam portal, the school home page, and the MEB exam system reachable, the rest blocked. For device control, lock exam apps in MDM (kiosk mode). This avoids the internet reset while guaranteeing student access to the exam portal.
A 5651 logger is financially heavy — is there an alternative?
Cloud 5651 services replace local hardware investment with a monthly subscription in the TRY 500-2,000 range. You buy no physical device; logs are written automatically to the cloud; the provider delivers the records during audits. With a TRY 6,000-24,000 annual cost, you meet the 5651 obligation. A hardware logger is TRY 50,000-150,000 one-time + maintenance.
What extra steps should I take when processing children's data?
Under KVKK Article 6 and especially the UN Convention on the Rights of the Child, children's data is under extra protection. Take explicit parental consent, process minimum data, and if special-category data (health, criminal record, etc.) about the child is to be processed, the consent must be in writing. Profiling and automated decision-making applications (e.g., AI-driven student success prediction) should be approached with particular care.
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.