Solved

Apartment Internet

Posted on 2009-07-07
Last Modified: 2013-11-16
I have asked questions about this complex in the past, but now my questions are changing a bit.

Right now we have an apartment complex that has about 30 units that have the offering to get free high-speed internet through us.  We have a 20mb pipe from Comcast that comes in to one of their Comcast business modems/routers.  What I was thinking about doing is getting each apartment their own router.  Then I would turn off DHCP on the Comcast router & assign each router a static IP address in its own subnet.  (ie - apartment 1 would be 192.168.1.1 with DHCP range of 192.168.1.10-20, apartment 2 would be 192.168.2.1 with DHCP range of 192.168.2.10-20).  I have a few questions:

1) Will that work to give each of them an internet connection that is separate?
2) Will traffic be allowed between routers? (ie if there is a virus or someone is being malicious)
3) Are there any downsides to doing this?

Secondly, the idea would be that I can control all of the individual routers from a computer that has a static IP address on the main Comcast router (ie 10.1.10.200) - will that be possible?  That will allow me to go in & remotely shut off someone's router settings if they are not paying their rent.

Thirdly, each of the individual routers will have WiFi too with their own SSID & WPA key, will I have issues doing that? (conflicts etc)

I know that it's a bit of work to set up from the get-go, but the primary reason we're looking to do this is to prevent users from getting their own router & plugging in whatever they want & however they want.  (ie - we had one user that plugged in their QWEST DSL modem with router into the network connection we provided in their apartment & voila, it became a secondary DHCP server that screwed everyone up)

I know that there are much more intricate ways to do this, but keep in mind that it has to be VERY budget restrained as it is just a free internet service, please stick with my general plan or something similar.

Thanks!
Question by:rustyrpage
8 Comments
 
LVL 2

Accepted Solution

by:
Kyle Lambert earned 500 total points
ID: 24799199
OK, this is a little complicated so I'll try to go through it piece by piece.

Part 1

1) Will that work to give each of them an internet connection that is separate?

Technically, no. You will not be able to give each of them a separate internet connection because the routers will have routes going between them to each apartment. But you could set some ACLs to not allow inbound traffic from any other router except the Comcast one.

2) Will traffic be allowed between routers? (ie if there is a virus or someone is being malicious)

Yes, unless you take the precaution that I mentioned in the first question. The ACL should block all traffic from the other routers, but a virus can still get to everyone from the main Comcast router.

3) Are there any downsides to doing this?

The main downside I could see in doing this would be an unnecessary cost of equipment. What I would suggest would be to get a fairly good Cisco switch, install 2-4 RJ-45 jacks into each apartment (number of jacks depends on your preference), then segregate those ports on the switch into VLANs and trunk the switch to a decent Cisco router.

By doing this, you put the responsibility of buying any additional equipment on the tenant, still have all the same control with ACL as you would with a router at each apt, and be able to simply shut down the port to each apartment that isn't paying rent from 1 location. You would also save money and time this way, but it might be a little bit more complex.

Also, since you only have 20mb to work with, you could set limits either on the switch by port or on the router so that 1 person does not bog down the network.

As for DHCP, I believe you should be able to set a DHCP range per VLAN depending on the model of the switch.

Part 2

Yes, you would be able to control the routers from a remote location, but with my above suggestion, you would only have to go to 1 switch instead of 30 routers to administer access.

Part 3

I can see a lot of problems with this. I do not know how close the apartments are together, but there are bound to be signal conflicts with 30 wireless access points and only 11 or 12 channels to work with. What I would actually suggest is the best thing you could do here would be to run a Captive Portal server and use 4 or 5 heavy duty access points.

Captive Portal is the technology that you would most likely see at a hotel that either charges you or has free internet access. What it does is whenever you open a browser for the first time, you will be directed to a default page where you either put in your code, request authentication, or pay for access. Then you can go on the internet like normal. You can assign accounts per apartment and monitor activity this way.

Now, as for preventing someone from running a rogue DHCP server, your other method still would not solve that, but both suggestions would limit it to just affecting the tenant's apartment if you have the right ACLs in place. Since you can set the other VLANs or Routers to not accept incoming traffic from the other networks with ACLs, that should limit it to just the person trying to use the Qwest router.

Well, I hope this helps you a bit.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24799225
I am not too concerned about the data going between the networks, so if that is the case, technically this will work & each apartment will have their own DHCP server, correct?

The main reason that I am doing it this route is that the hardware expense is practically nothing (20 dollars per router) compared to running additional cabling to the apartments.  I cannot allow each person to run their own router because of the problem above.....so conceptually does this plan work?

I don't think that we can get into the captive portal because of the size & age of the building (I honestly don't know if the signal would make it all over).  As mentioned, this is for a free internet connection, so spending even 1000 dollars is not a viable option.

We do have switches that allow up to 250 VLANs, so I was thinking about doing a VLAN for each apartment & I still may do that....but the only advantage would be that it prohibits connecting between computers.
0
 
LVL 2

Expert Comment

by:Kyle Lambert
ID: 24799319
Conceptually, your plan should work, but you would still need to control access between the routers because it is still possible to push a DHCP server over a small network like that.

Wireless might still be an issue there, but you can set up an SSID and encryption for each apt. The only other thing you would have to worry about is configuring the 30 routers.

My suggestion is going to cost a lot more money and time if you are working with a very low budget, but I would still advise against this for a long term solution.
0

 
LVL 6

Author Comment

by:rustyrpage
ID: 24799335
If I were to set up VLANs for each apartment combined with the router approach, what do you think?

Also, how would I do that, do I just tag each port with a unique VLAN #?  Then how do they get internet access?

As far as the wireless, I think we'll just try it & see what happens...if someone isn't using wireless, we'll turn it off...but it's really no different than if they were to start all getting their own routers, right?

As far as the configuration goes....it's not too bad since we would only set them up one at a time (as we get people to move in or extend their current contract).....so it isn't a bunch of work.
0
 
LVL 2

Expert Comment

by:Kyle Lambert
ID: 24799611
If you are going to have a router in each apartment that they will plug into, then there really shouldn't be a need to VLAN them as well. Although I personally would not give them physical access to a router because if you use a $20 one, they can easily reset them and then use default settings to play around. I guess I need a better understanding of how you are going to get them from their apartment to the router for each apartment.

Depending on the switch (I've only trained on Cisco equipment), all you would need to do is define each port to be a certain VLAN # and that would work. Now what that does is essentially create its own little switch for that VLAN. In order for VLAN 1 to communicate with VLAN 2, you would need to physically connect the two VLANs to get them to communicate. Or logically connect them through a trunk to a router.

You're right, and I mentioned that it only really matters depending on how close the apartments are. What you need to avoid is overlapping wireless signals. If you know the range of the router's wireless signal, then you should be able to avoid overlapping signals.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24804256
They would need physical access to the router since each apartment will want their own wireless & each apartment will want multiple computers probably.  That said, if they reset it, they will lose all connectivity since it will not receive an IP address at all.  (since DHCP will be off on the main router/modem)  I am also looking at maybe putting DD-WRT on the router, which would allow me to turn off the reset button altogether.

I have a rather basic Netgear switch, but it is managed & allows VLANs - so if I were to tag ports 1-48 with their own VLAN number, how do those ports get the internet access that is being fed off the port that is plugged in to the router (or to the other switch that is daisychained)?

Yeah, I think the wireless will be hit & miss - fortunately, the apartments are pretty spread out, so I may be able to do an alternation of channel 1, 6 & 11 to avoid overlapping.
0
 
LVL 2

Expert Comment

by:Kyle Lambert
ID: 24804380
I still personally believe that they should not have physical access to the router. If you can turn off factory reset, then that will help. But they can still damage it or steal it.

When you VLAN, you have to think like you are creating a completely new switch. If you have ports 1-10 as VLAN 1 and ports 11-20 as VLAN 2, and the Internet router is on VLAN 2, then you will have to connect the 2 VLANs by a port (like a daisychain). Or you can have ports 1-47 be on whatever VLAN you want and then have port 48 be a trunk directly to the router. The VLANs would then all reach the router.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24804449
So if I were to have port 1 on each of the switches be home-runned to the 4 port router with NO VLAN, then I can do VLANs on each of the other ports & it's good to go?  But there will not be any other traffic allowed between VLANs, right?  What if I want to have a management computer that can control ANY of the routers on ANY of the switches?

As far as the router, we'll just have to play off on it - they will sign an agreement to return it etc, but we'll see.  I just don't know how to cost-efficiently provide a few ports of internet AND wireless to each apartment that is separately controlled.
0
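
The addressing and isolation rules discussed in this thread, as an added example that is not code from any poster: it builds the per-apartment plan from the question (192.168.N.1, DHCP .10-.20, alternating channels 1/6/11), checks it for conflicts, and evaluates the inbound source filter described in the accepted answer. The gateway address 10.1.10.1, the uplink address offsets and the VLAN numbers are assumptions made for illustration.

```python
import ipaddress

# From the thread: 192.168.N.0/24 per apartment, DHCP .10-.20, management PC 10.1.10.200.
# Assumed for illustration: gateway address, uplink address offsets, VLAN numbering.
UPLINK = ipaddress.ip_network("10.1.10.0/24")       # Comcast router LAN
GATEWAY = UPLINK[1]                                 # assumed Comcast router address
MGMT = ipaddress.ip_address("10.1.10.200")
APARTMENT_SPACE = ipaddress.ip_network("192.168.0.0/16")
CHANNELS = (1, 6, 11)                               # non-overlapping 2.4 GHz channels
UNITS = 30


def apartment_plan(n):
    if not 1 <= n <= UNITS:
        raise ValueError(f"apartment {n} outside 1..{UNITS}")
    lan = ipaddress.ip_network(f"192.168.{n}.0/24")
    return {
        "vlan": 100 + n,                            # hypothetical VLAN id
        "wan_ip": UPLINK[10 + n],                   # hypothetical static uplink address
        "lan": lan,
        "lan_gateway": lan[1],
        "dhcp_range": (lan[10], lan[20]),
        "channel": CHANNELS[(n - 1) % len(CHANNELS)],
    }


def wan_acl_permits(src):
    """Inbound source filter for any apartment router's uplink port."""
    src = ipaddress.ip_address(src)
    if src in (GATEWAY, MGMT):
        return True
    # Other apartment routers (uplink subnet) and any apartment LAN range are dropped.
    return not (src in UPLINK or src in APARTMENT_SPACE)


def validate_plans():
    """Return a list of conflicts; an empty list means the plan is consistent."""
    problems = []
    plans = [apartment_plan(n) for n in range(1, UNITS + 1)]
    wan_ips = [p["wan_ip"] for p in plans]
    if len(set(wan_ips)) != len(wan_ips):
        problems.append("duplicate uplink address")
    if GATEWAY in wan_ips or MGMT in wan_ips:
        problems.append("uplink address collides with gateway or management PC")
    for p in plans:
        lo, hi = p["dhcp_range"]
        if not p["lan_gateway"] < lo <= hi:
            problems.append(f"VLAN {p['vlan']}: gateway inside DHCP range")
    return problems
```

The filter works on IP source addresses only; DHCP offers from a rogue server are broadcasts and are contained by the router or VLAN boundary, not by this rule.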

Question has a verified solution.
