Solved

Apartment Internet

Posted on 2009-07-07
Last Modified: 2013-11-16
I have asked questions about this complex in the past, but now my questions are changing a bit.

Right now we have an apartment complex that has about 30 units that have the offering to get free high-speed internet through us.  We have a 20mb pipe from Comcast that comes in to one of their Comcast business modems/routers.  What I was thinking about doing is getting each apartment their own router.  Then I would turn off DHCP on the Comcast router & assign each router a static IP address in its own subnet.  (ie - apartment 1 would be 192.168.1.1 with DHCP range of 192.168.1.10-20, apartment 2 would be 192.168.2.1 with DHCP range of 192.168.2.10-20).  I have a few questions:

1) Will that work to give each of them an internet connection that is separate?
2) Will traffic be allowed between routers? (ie if there is a virus or someone is being malicious)
3) Are there any downsides to doing this?

Secondly, the idea would be that I can control all of the individual routers from a computer that has a static IP address on the main Comcast router (ie 10.1.10.200) - will that be possible?  That will allow me to go in & remotely shut off someone's router settings if they are not paying their rent.

Thirdly, each of the individual routers will have WiFi too with their own SSID & WPA key, will I have issues doing that? (conflicts etc)

I know that it's a bit of work to set up from the get-go, but the primary reason we're looking to do this is to prevent users from getting their own router & plugging in whatever they want & however they want.  (ie - we had one user that plugged in their QWEST DSL modem with router into the network connection we provided in their apartment & voila, it became a secondary DHCP server that screwed everyone up)

I know that there are much more intricate ways to do this, but keep in mind that it has to be VERY budget restrained as it is just a free internet service, please stick with my general plan or something similar.

Thanks!
Question by:rustyrpage

8 Comments

Accepted Solution

by: Ar3s (earned 500 total points)
OK, this is a little complicated so I'll try to go through it piece by piece.

Part 1

1) Will that work to give each of them an internet connection that is separate?

Technically, no. You will not be able to give each of them a separate internet connection because the routers will have routes going between them to each apartment. But you could set some ACLs to not allow inbound traffic from any other router except the Comcast one.

2) Will traffic be allowed between routers? (ie if there is a virus or someone is being malicious)

Yes, unless you take the precaution that I mentioned in the first question. The ACL should block all traffic from the other routers, but a virus can still get to everyone from the main Comcast router.

3) Are there any downsides to doing this?

The main downside I could see in doing this would be an unnecessary cost of equipment. What I would suggest would be to get a fairly good Cisco switch, install 2-4 RJ-45 jacks into each apartment (number of jacks depends on your preference), then segregate those ports on the switch into VLANs and trunk the switch to a decent Cisco router.

By doing this, you put the responsibility of buying any additional equipment on the tenant, still have all the same control with ACL as you would with a router at each apt, and be able to simply shut down the port to each apartment that isn't paying rent from 1 location. You would also save money and time this way, but it might be a little bit more complex.

Also, since you only have 20mb to work with, you could set limits either on the switch by port or on the router so that 1 person does not bog down the network.

As for DHCP, I believe you should be able to set a DHCP range per VLAN depending on the model of the switch.

Part 2

Yes, you would be able to control the routers from a remote location, but with my above suggestion, you would only have to go to 1 switch instead of 30 routers to administer access.

Part 3

I can see a lot of problems with this. I do not know how close the apartments are together, but there are bound to be signal conflicts with 30 wireless access points and only 11 or 12 channels to work with. What I would actually suggest is the best thing you could do here would be to run a Captive Portal server and use 4 or 5 heavy duty access points.

Captive Portal is the technology that you would most likely see at a hotel that either charges you or has free internet access. What it does is whenever you open a browser for the first time, you will be directed to a default page where you either put in your code, request authentication, or pay for access. Then you can go on the internet like normal. You can assign accounts per apartment and monitor activity this way.

Now, as for preventing someone from running a rogue DHCP server, your other method still would not solve that, but both suggestions would limit it to just affecting the tenant's apartment if you have the right ACLs in place. Since you can set the other VLANs or routers to not accept incoming traffic from the other networks with ACLs, that should limit it to just the person trying to use the Qwest router.

Well, I hope this helps you a bit.
0
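The ACL idea in the accepted answer (block traffic arriving from other apartments while still allowing the Comcast router and the management PC), worked through as an added example that is not part of the original thread. It models a simplified stateless, first-match ACL over the question's addressing plan; the Comcast router address `10.1.10.1`, the `10.1.10.0/24` uplink LAN and all function names are assumptions.

```python
import ipaddress

# Addresses come from the thread, except GATEWAY and UPLINK_NET (assumed).
MGMT = ipaddress.ip_network("10.1.10.200/32")      # management PC in the question
GATEWAY = ipaddress.ip_network("10.1.10.1/32")     # assumed Comcast router address
UPLINK_NET = ipaddress.ip_network("10.1.10.0/24")  # assumed Comcast-side LAN
ALL_APTS = ipaddress.ip_network("192.168.0.0/16")  # every 192.168.N.0/24
ANY = ipaddress.ip_network("0.0.0.0/0")

def apartment_plan(n):
    """Addressing for apartment n, following the question's numbering."""
    net = ipaddress.ip_network(f"192.168.{n}.0/24")
    return {"subnet": net, "router": net[1], "dhcp": (net[10], net[20])}

def build_acl(n, isolate=True):
    """Ordered (action, source, destination) rules for traffic entering apartment n."""
    own = apartment_plan(n)["subnet"]
    rules = [("permit", MGMT, own), ("permit", GATEWAY, own)]
    if isolate:
        rules.append(("deny", ALL_APTS, own))    # other tenants
        rules.append(("deny", UPLINK_NET, own))  # rest of the shared uplink LAN
    rules.append(("permit", ANY, own))           # replies from the internet
    return rules

def evaluate(acl, src, dst):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def audit(apartments=30, isolate=True):
    """List (source apartment, destination apartment) pairs that can talk."""
    leaks = []
    for a in range(1, apartments + 1):
        src = apartment_plan(a)["dhcp"][0]  # first DHCP client in apartment a
        for b in range(1, apartments + 1):
            if a != b and evaluate(build_acl(b, isolate), src,
                                   apartment_plan(b)["router"]) == "permit":
                leaks.append((a, b))
    return leaks

if __name__ == "__main__":
    print("leaks with isolation rules:", len(audit()))
    print("leaks without them:", len(audit(isolate=False)))
```

Rule order matters here: the management and gateway permits have to sit above the deny for the shared uplink LAN, or the admin PC is locked out along with everything else on that segment.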
 
Author Comment

by:rustyrpage
I am not too concerned about the data going between the networks, so if that is the case, technically this will work & each apartment will have their own DHCP server, correct?

The main reason that I am doing it this route is that the hardware expense is practically nothing (20 dollars per router) compared to running additional cabling to the apartments.  I cannot allow each person to run their own router because of the problem above.....so conceptually does this plan work?

I don't think that we can get into the captive portal because of the size & age of the building (I honestly don't know if the signal would make it all over).  As mentioned, this is for a free internet connection, so spending even 1000 dollars is not a viable option.

We do have switches that allow up to 250 VLANs, so I was thinking about doing a VLAN for each apartment & I still may do that....but the only advantage would be that it prohibits connecting between computers.

Expert Comment

by:Ar3s
Conceptually, your plan should work, but you would still need to control access between the routers because it is still possible to push a DHCP server over a small network like that.

Wireless might still be an issue there, but you can set up an SSID and encryption for each apt. The only other thing you would have to worry about is configuring the 30 routers.

My suggestion is going to cost a lot more money and time if you are working with a very low budget, but I would still advise against this for a long term solution.

Author Comment

by:rustyrpage
If I were to set up VLANs for each apartment combined with the router approach, what do you think?

Also, how would I do that, do I just tag each port with a unique VLAN #?  Then how do they get internet access?

As far as the wireless, I think we'll just try it & see what happens...if someone isn't using wireless, we'll turn it off...but it's really no different than if they were to start all getting their own routers, right?

As far as the configuration goes....it's not too bad since we would only set them up one at a time (as we get people to move in or extend their current contract).....so it isn't a bunch of work.

Expert Comment

by:Ar3s
If you are going to have a router in each apartment that they will plug into, then there really shouldn't be a need to VLAN them as well. Although I personally would not give them physical access to a router because if you use a $20 one, they can easily reset them and then use default settings to play around. I guess I need a better understanding of how you are going to get them from their apartment to the router for each apartment.

Depending on the switch (I've only trained on Cisco equipment), all you would need to do is define each port to be a certain VLAN # and that would work. Now what that does is essentially create its own little switch for that VLAN. In order for VLAN 1 to communicate with VLAN 2, you would need to physically connect the two VLANs to get them to communicate. Or logically connect them through a trunk to a router.

You're right, and I mentioned that it only really matters depending on how close the apartments are. What you need to avoid is overlapping wireless signals. If you know the range of the router's wireless signal, then you should be able to avoid overlapping signals.

Author Comment

by:rustyrpage
They would need physical access to the router since each apartment will want their own wireless & each apartment will want multiple computers probably.  That said, if they reset it, they will lose all connectivity since it will not receive an IP address at all.  (since DHCP will be off on the main router/modem)  I am also looking at maybe putting DD-WRT on the router, which would allow me to turn off the reset button altogether.

I have a rather basic Netgear switch, but it is managed & allows VLANs - so if I were to tag ports 1-48 with their own VLAN number, how do those ports get the internet access that is being fed off the port that is plugged in to the router (or to the other switch that is daisychained).

Yeah, I think the wireless will be hit & miss - fortunately, the apartments are pretty spread out, so I may be able to do an alternation of channel 1, 6 & 11 to avoid overlapping.

Expert Comment

by:Ar3s
I still personally believe that they should not have physical access to the router. If you can turn off factory reset, then that will help. But they can still damage it or steal it.

When you VLAN, you have to think like you are creating a completely new switch. If you have ports 1-10 as VLAN 1 and ports 11-20 as VLAN 2, and the Internet router is on VLAN 2, then you will have to connect the 2 VLANs by a port (like a daisychain). Or you can have ports 1-47 be on whatever VLAN you want and then have port 48 be a trunk directly to the router. The VLANs would then all reach the router.

Author Comment

by:rustyrpage
So if I were to have port 1 on each of the switches be home-runned to the 4 port router with NO VLAN, then I can do VLANs on each of the other ports & it's good to go?  But there will not be any other traffic allowed between VLANs, right?  What if I want to have a management computer that can control ANY of the routers on ANY of the switches?

As far as the router, we'll just have to play off on it - they will sign an agreement to return it etc, but we'll see.  I just don't know how to cost-efficiently provide a few ports of internet AND wireless to each apartment that is separately controlled.