Apartment Internet

I have asked questions about this complex in the past, but now my questions are changing a bit.

Right now we have an apartment complex that has about 30 units that have the offering to get free high-speed internet through us.  We have a 20mb pipe from Comcast that comes in to one of their Comcast business modems/routers.  What I was thinking about doing is getting each apartment their own router.  Then I would turn off DHCP on the Comcast router & assign each router a static IP address in its own subnet.  (ie - apartment 1 would be with DHCP range of, apartment 2 would be with DHCP range of  I have a few questions:

1) Will that work to give each of them an internet connection that is separate?
2) Will traffic be allowed between routers? (ie if there is a virus or someone is being malicious)
3) Are there any downsides to doing this?

Secondly, the idea would be that I can control all of the individual routers from a computer that has a static IP address on the main Comcast router (ie - will that be possible?  That will allow me to go in & remotely shut off someone's router settings if they are not paying their rent.

Thirdly, each of the individual routers will have WiFi too with their own SSID & WPA key, will I have issues doing that? (conflicts etc)

I know that it's a bit of work to set up from the get-go, but the primary reason we're looking to do this is to prevent users from getting their own router & plugging in whatever they want & however they want.  (ie - we had one user that plugged in their QWEST DSL modem with router into the network connection we provided in their apartment & voila, it became a secondary DHCP server that screwed everyone up)

I know that there are much more intricate ways to do this, but keep in mind that it has to be VERY budget restrained as it is just a free internet service, please stick with my general plan or something similar.


Kyle Lambert (IT Manager) Commented:
OK, this is a little complicated so I'll try to go through it piece by piece.

Part 1

1) Will that work to give each of them an internet connection that is separate?

Technically, no. You will not be able to give each of them a separate internet connection because the routers will have routes going between them to each apartment. But you could set some ACLs to not allow inbound traffic from any other router except the Comcast one.

2) Will traffic be allowed between routers? (ie if there is a virus or someone is being malicious)

Yes, unless you take the precaution that I mentioned in the first question. The ACL should block all traffic from the other routers, but a virus can still get to everyone from the main Comcast router.

3) Are there any downsides to doing this?

The main downside I could see in doing this would be an unnecessary cost of equipment. What I would suggest would be to get a fairly good Cisco switch, install 2-4 RJ-45 jacks into each apartment (number of jacks depends on your preference), then segregate those ports on the switch into VLANs and trunk the switch to a decent Cisco router.

By doing this, you put the responsibility of buying any additional equipment on the tenant, still have all the same control with ACL as you would with a router at each apt, and be able to simply shut down the port to each apartment that isn't paying rent from 1 location. You would also save money and time this way, but it might be a little bit more complex.

Also, since you only have 20mb to work with, you could set limits either on the switch by port or on the router so that 1 person does not bog down the network.

As for DHCP, I believe you should be able to set a DHCP range per VLAN depending on the model of the switch.

Part 2

Yes, you would be able to control the routers from a remote location, but with my above suggestion, you would only have to go to 1 switch instead of 30 routers to administer access.

Part 3

I can see a lot of problems with this. I do not know how close the apartments are together, but there are bound to be signal conflicts with 30 wireless access points and only 11 or 12 channels to work with. What I would actually suggest is the best thing you could do here would be to run a Captive Portal server and use 4 or 5 heavy duty access points.

Captive Portal is the technology that you would most likely see at a hotel that either charges you or has free internet access. What it does is whenever you open a browser for the first time, you will be directed to a default page where you either put in your code, request authentication, or pay for access. Then you can go on the internet like normal. You can assign accounts per apartment and monitor activity this way.

Now, as for preventing someone from running a rogue DHCP server, your other method still would not solve that, but both suggestions would limit it to just affecting the tenant's apartment if you have the right ACLs in place. Since you can set the other VLANs or routers to not accept incoming traffic from the other networks with ACLs, that should limit it to just the person trying to use the Qwest router.

Well, I hope this helps you a bit.

rustyrpage (Author) Commented:
I am not too concerned about the data going between the networks, so if that is the case, technically this will work & each apartment will have their own DHCP server, correct?

The main reason that I am doing it this route is that the hardware expense is practically nothing (20 dollars per router) compared to running additional cabling to the apartments.  I cannot allow each person to run their own router because of the problem above.....so conceptually does this plan work?

I don't think that we can get into the captive portal because of the size & age of the building (I honestly don't know if the signal would make it all over).  As mentioned, this is for a free internet connection, so spending even 1000 dollars is not a viable option.

We do have switches that allow up to 250 VLANs, so I was thinking about doing a VLAN for each apartment & I still may do that....but the only advantage would be that it prohibits connecting between computers.
Kyle Lambert (IT Manager) Commented:
Conceptually, your plan should work, but you would still need to control access between the routers because it is still possible to push a DHCP server over a small network like that.

Wireless might still be an issue there, but you can set up an SSID and encryption for each apt. The only other thing you would have to worry about is configuring the 30 routers.

My suggestion is going to cost a lot more money and time if you are working with a very low budget, but I would still advise against this for a long term solution.

rustyrpage (Author) Commented:
If I were to set up VLANs for each apartment combined with the router approach, what do you think?

Also, how would I do that, do I just tag each port with a unique VLAN #?  Then how do they get internet access?

As far as the wireless, I think we'll just try it & see what happens...if someone isn't using wireless, we'll turn it off...but it's really no different than if they were to start all getting their own routers, right?

As far as the configuration goes....it's not too bad since we would only set them up one at a time (as we get people to move in or extend their current contract).....so it isn't a bunch of work.
Kyle Lambert (IT Manager) Commented:
If you are going to have a router in each apartment that they will plug into, then there really shouldn't be a need to VLAN them as well. Although I personally would not give them physical access to a router because if you use a $20 one, they can easily reset them and then use default settings to play around. I guess I need a better understanding of how you are going to get them from their apartment to the router for each apartment.

Depending on the switch (I've only trained on Cisco equipment), all you would need to do is define each port to be a certain VLAN # and that would work. Now what that does is essentially create its own little switch for that VLAN. In order for VLAN 1 to communicate with VLAN 2, you would need to physically connect the two VLANs to get them to communicate. Or logically connect them through a trunk to a router.

You're right, and I mentioned that it only really matters depending on how close the apartments are. What you need to avoid is overlapping wireless signals. If you know the range of the router's wireless signal, then you should be able to avoid overlapping signals.
rustyrpage (Author) Commented:
They would need physical access to the router since each apartment will want their own wireless & each apartment will want multiple computers probably.  That said, if they reset it, they will lose all connectivity since it will not receive an IP address at all.  (since DHCP will be off on the main router/modem)  I am also looking at maybe putting DD-WRT on the router, which would allow me to turn off the reset button altogether.

I have a rather basic Netgear switch, but it is managed & allows VLANs - so if I were to tag ports 1-48 with their own VLAN number, how do those ports get the internet access that is being fed off the port that is plugged in to the router (or to the other switch that is daisychained).

Yeah, I think the wireless will be hit & miss - fortunately, the apartments are pretty spread out, so I may be able to do an alternation of channel 1, 6 & 11 to avoid overlapping.
Kyle Lambert (IT Manager) Commented:
I still personally believe that they should not have physical access to the router. If you can turn off factory reset, then that will help. But they can still damage it or steal it.

When you VLAN, you have to think like you are creating a completely new switch. If you have ports 1-10 as VLAN 1 and ports 11-20 as VLAN 2, and the Internet router is on VLAN 2, then you will have to connect the 2 VLANs by a port (like a daisychain). Or you can have ports 1-47 be on whatever VLAN you want and then have port 48 be a trunk directly to the router. The VLANs would then all reach the router.
rustyrpage (Author) Commented:
So if I were to have port 1 on each of the switches be home-runned to the 4 port router with NO VLAN, then I can do VLANs on each of the other ports & it's good to go?  But there will not be any other traffic allowed between VLANs, right?  What if I want to have a management computer that can control ANY of the routers on ANY of the switches?

As far as the router, we'll just have to play off on it - they will sign an agreement to return it etc, but we'll see.  I just don't know how to cost-efficiently provide a few ports of internet AND wireless to each apartment that is separately controlled.
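
Added example, not part of the thread: a Python model of the design discussed above (one VLAN per apartment, a trunk to the router, ACLs that block apartment-to-apartment traffic, and the management PC asked about in the last post). The 10.10.n.0/24 addressing, VLAN numbers 100+n, the management address and the interface name are all assumptions, and the rendered text is Cisco-IOS-style configuration.

```python
import ipaddress as ip

SITE = ip.ip_network("10.10.0.0/16")         # assumed: every apartment and management subnet
MGMT_HOST = ip.ip_network("10.10.99.10/32")  # assumed address of the management PC
ANY = ip.ip_network("0.0.0.0/0")

def apt_net(n):
    """Apartment n gets VLAN 100+n and 10.10.n.0/24 (constructed plan)."""
    return ip.ip_network(f"10.10.{n}.0/24")

def apt_acl(n):
    """Ordered first-match rules for traffic entering the router from apartment n."""
    src = apt_net(n)
    return [
        ("permit", src, MGMT_HOST),  # replies to the management PC
        ("deny", src, SITE),         # no path to other apartments or management hosts
        ("permit", src, ANY),        # everything else is Internet traffic
    ]                                # anything unmatched (e.g. a spoofed source) is denied

def evaluate(acl, src, dst):
    """Return the action of the first rule matching (src, dst), else 'deny'."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def spec(net):
    """Format a network the way an extended ACL expects (address + wildcard mask)."""
    if net == ANY:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def render(n):
    """Router subinterface and ACL text for apartment n (interface name assumed)."""
    vlan, net = 100 + n, apt_net(n)
    lines = [f"ip access-list extended APT{n}-IN"]
    lines += [f" {a} ip {spec(s)} {spec(d)}" for a, s, d in apt_acl(n)]
    lines += [f"interface GigabitEthernet0/0.{vlan}",
              f" encapsulation dot1Q {vlan}",
              f" ip address {net[1]} {net.netmask}",
              f" ip access-group APT{n}-IN in"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(5))
```

The first rule is stateless, so it also lets a tenant open connections to the management PC; that host needs its own firewall.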