Need to make a large internet network

I need to create a few temporary internet networks. I can get a 100mb internet line with 1 public IP or a few public IPs. I will have anywhere from a few hundred to 3000 internet clients, wifi and hard wired. I'm not worried about wireless right now. I am wondering what type of hardware I would need to make this all work. Will I be able to NAT all of these to the public address, or is there another way to set this up? I heard that if I NAT all to the public IP, I would run out of ports?
Aaron TomoskyDirector of Solutions ConsultingCommented:
Are any of them servers? Do you need to provide SSL websites? If not, then the number of IPs doesn't matter.
I'd suggest looking at for super easy-to-set-up gear that will also run your wifi.
kabrutusAuthor Commented:
No servers for this event, only internet. Not sure what you mean by "provide SSL websites"? We are not hosting any webservers, but the network clients will need to access any website from their devices. I'm not worried about the wifi devices at the moment; I am looking more for backend hardware to make sure the network can handle the internet requests.
You will be able to run these all off a single public IP address, using NAT.
From my understanding you are creating a giant LAN to function as an ISP (a very large version of a home-style Linksys router/wifi network setup).
In order to do this, you will need the following:
1) DHCP server - hands out addresses to your clients
2) Local DNS server - saves you some bandwidth by resolving DNS names locally
3) Router(s)
4) Switches

If you are looking for an all-in-one device, I suggest the Fortinet series of hardware. A 200B series FortiGate should provide all you need. It has the router, firewall, NAT, DHCP and DNS all rolled into one box. It will also afford you the ability to expand easily into wireless by adding a FortiAP, and you can log/monitor/web-filter all of your internet traffic onto an external log management server / SIEM.

The 200B series will handle the bandwidth without great difficulty, even with 3000 users using NAT, but you will get better performance out of a slightly larger model (300C or 310/311B) if you plan on using a lot of the UTM features (IPS, network antivirus, anti-spam, data leakage protection, web filter). Using a UTM device takes care of requirements 1, 2 and 3.

For requirement 4, I've used HP ProCurve switches pretty effectively. Using managed switches gives you the ability to create redundant paths, so you aren't dependent on a single network port anywhere (until you get to your internet connection). It also gives you the ability to separate out security zones using VLANs, right down to your users.

Depending on your layout, you would probably be better off creating a few subnets and then running all your subnets up from your distribution switch via VLAN into your main router, instead of just having a monster 3000+ client network. Not saying that the monster-net isn't doable, but you will save yourself a lot of headaches in the long run troubleshooting 12 smaller 254-client subnets as opposed to 1 giant 4094-client network.
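As an added illustration of the subnet layout recommended in the answer above (this is example code written for this page, not something posted in the thread or shipped by any vendor), the following planner carves a supernet into per-VLAN subnets, works out the prefix length, gateway and DHCP range for each one, and emits a simple first-match zone policy that keeps client VLANs from talking to each other while still reaching shared services and the Internet. The supernet 10.0.0.0/16, the VLAN IDs starting at 100 and the shared-service address 10.0.255.10 are assumptions chosen for the example.

```python
"""Subnet/VLAN planner for a large temporary LAN (added example, not from the thread)."""
import ipaddress
import itertools
import math


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix that fits `hosts` clients plus gateway, network and broadcast."""
    needed = hosts + 3
    bits = max(2, math.ceil(math.log2(needed)))
    return 32 - bits


def plan_vlans(total_clients: int, clients_per_vlan: int,
               supernet: str = "10.0.0.0/16", first_vlan: int = 100) -> list:
    """Split `total_clients` into VLANs of at most `clients_per_vlan` hosts each.

    Each entry carries the VLAN ID, subnet, gateway (first address) and the
    DHCP range (second address up to the last host address).
    """
    net = ipaddress.ip_network(supernet)
    prefix = prefix_for_hosts(clients_per_vlan)
    count = math.ceil(total_clients / clients_per_vlan)
    if prefix < net.prefixlen:
        raise ValueError(f"a /{prefix} does not fit inside {supernet}")
    subnets = list(itertools.islice(net.subnets(new_prefix=prefix), count))
    if len(subnets) < count:
        raise ValueError(f"{supernet} only holds {len(subnets)} /{prefix} subnets, need {count}")
    plan = []
    for i, sn in enumerate(subnets):
        gateway = sn.network_address + 1
        first_lease = sn.network_address + 2
        last_lease = sn.broadcast_address - 1
        plan.append({
            "vlan": first_vlan + i,
            "subnet": str(sn),
            "gateway": str(gateway),
            "dhcp_range": (str(first_lease), str(last_lease)),
            # usable clients = all addresses minus network, broadcast and gateway
            "usable_clients": sn.num_addresses - 3,
        })
    return plan


def dhcp_renewals_per_second(clients: int, lease_minutes: int) -> float:
    """Steady-state DHCP renew rate: each client renews at T1, half the lease time."""
    return clients / (lease_minutes * 60 / 2)


def zone_policy(plan: list, shared_services=("10.0.255.10/32",)) -> list:
    """First-match rules isolating client VLANs from each other.

    Per source VLAN: allow the shared service hosts (assumed DNS/DHCP relay
    target), deny every other client VLAN, then allow anything else (Internet).
    """
    client_nets = [v["subnet"] for v in plan]
    rules = []
    for src in client_nets:
        for svc in shared_services:
            rules.append(("allow", src, svc))
        for dst in client_nets:
            if dst != src:
                rules.append(("deny", src, dst))
        rules.append(("allow", src, "0.0.0.0/0"))  # evaluated last: out to the Internet
    return rules


if __name__ == "__main__":
    for vlan in plan_vlans(3000, 250):
        print(vlan)
    print("DHCP renews/s at 30 min lease:", dhcp_renewals_per_second(3000, 30))
    print("policy rules:", len(zone_policy(plan_vlans(3000, 250))))
```

With 3000 clients and 250 per VLAN the planner returns twelve /24 subnets (10.0.0.0/24 through 10.0.11.0/24, VLANs 100 to 111); asking for a single VLAN of 3000 clients instead yields one /20 with 4093 usable addresses, which is the "monster-net" the answer advises against.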
Aaron TomoskyDirector of Solutions ConsultingCommented:
The reason I mentioned Meraki is because their setup for trade shows and things where people pay for access is super easy. Their gear runs quite a few convention centers. They don't do switches though. All their AP and wired equipment have layer 3 capabilities and connect to a web config panel for easy setup.
Nayyar HH (CCIE RS)Network ArchitectCommented:
Theoretically 64K clients can be NATed behind 1 Public IP address

How much traffic are you expecting from each of the 3K users?

Will you be utilizing a separate dedicated unit for firewall services?
I forgot to mention, using VLANs combined with some kind of access policy server gives you the ability to quarantine non-compliant users: users with viruses, botnets, out-of-date antivirus and operating systems. They can all be sent to the quarantine, where they are permitted to go to the various anti-virus update sites, OS update sites, and THAT IS IT. Because you potentially have a few thousand people on a network at the same time, do you really trust them to keep their machines clean? I sure don't. On an open network like this, 1 person gets infected, they all get infected. Splitting your network into subnets and segregating them will save you from having huge Bredolab/Conficker botnets and a network requiring nothing short of an exorcist to save.
kabrutusAuthor Commented:
Thank you all for your input... I have a few questions.
If 64k clients can be NATed, I shouldn't have an issue with, say, 5,000 clients? I was told I would run out of ports or that my NATing box would die with the load...
Would I need 3 FortiGate boxes? I have been recommended the Nomadix AG 5600... would this work in place of the FortiGate box?

It depends on how many active connections each user is establishing. You have 65,535 ports available for NAT. If each user is using 10 ports then you can only support 65,535/10 or 6553 users. Be careful.... I would have a few public IPs in the NAT pool.

Vyatta might be a good choice for the router if you want to go software Linux based. I have had good luck with it. Switching can be handled by just about any switch providing it can handle the bandwidth.
Aaron TomoskyDirector of Solutions ConsultingCommented:
Do these people need a LAN or is it just Internet access? If it's just Internet you can do a walled garden. No one can talk to anyone else, just the Internet.
Will your users be using any type of VPN Connection? If you attempt to use 1 NAT'ed address with clients that do not support NAT-T, then you are setting yourself up for a ton of complaints.

Nomadix is a great all in one box. I highly recommend it.
Syed_M_UsmanSystem AdministratorCommented:
Dear, I think you need to consider the below:

LAN Subnet ----------------------- Class A, eg
DHCP Lease Time ------------------ 30 minutes
Internet line bandwidth ---------- 100MB or above

AP (WDS+IAPP protocol) ----------- Single SSID with WDS and IAPP
AP Controller (recommended) ------ to manage all APs

# of SPI connections supported --- 1 million or above
Router total memory -------------- 4 GB with at least 512MB flash
Router CPUs ---------------------- multicore, at least 8 or above
H/A device ----------------------- should support H/A

Aaron TomoskyDirector of Solutions ConsultingCommented:
You can always look at the big guys and see what they do

kabrutusAuthor Commented:
When you say:

"# of SPI connections supported --- 1 million or above
Router total memory -------------- 4 GB with at least 512MB flash
Router CPUs ---------------------- multicore, at least 8 or above
H/A device ----------------------- should support H/A"

What type of device are you talking about? Do you have something I can look up?
With the quantity of NAT sessions that you could have going through your firewall, you are well into "enterprise" territory.

I would suggest no more than 500 hosts per external IP address, so for 3k users you should have at least 6 external addresses in a NAT pool, more would be better.

The firewall also needs to make sure that connections are "sticky" in that multiple connections from one host originate from the same IP address.

For an open source firewall solution I would look at pfSense, which you can set up in an HA configuration so that in the event of a hardware issue you do not lose connectivity.

You should run an internal caching DNS server and I would also suggest running a transparent proxy server for HTTP traffic.

If all of the traffic is direct outbound, then inter-switch bandwidth is not an issue, as your 100mb line will be the biggest bottleneck; however, if you also have internal traffic, then you need to size your distribution switches and core-to-distribution links accordingly.

I would tend to look at something like HP ProCurve 5412zl switches for the distribution layer with eleven 24-port modules (264 ports, so you would need 12 switches) and a 10Gb module for the link to the core, which could be an HP 5406zl series switch with two 8-port 10Gb modules and a 24-port module for connections to your firewall etc.

You have given no information about the applications that the 3k users will be running. If they are gaming then you might need to have one single subnet; however, the broadcast traffic of 3k gaming machines can be quite significant. I would suggest splitting into VLANs of ~500 nodes, however this will restrict games that rely on broadcast to only run within those VLANs.
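To make the port-exhaustion arithmetic from the earlier answer (65,535 ports per address, divided by sessions per user) and the pool sizing and "sticky" mapping recommended in this one concrete, here is an added capacity model written for this page; it is not code from the thread, from pfSense or from any firewall vendor. It assumes the NAT box uses source ports 1024 to 65535, reserves a port per public IP regardless of destination (the conservative assumption behind the thread's numbers), and picks one public IP per internal host by hashing the host address. The public addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges and the client addresses are constructed.

```python
"""NAT pool capacity model for a large event network (added example, not from the thread)."""
from __future__ import annotations
import hashlib
import math

LOW_PORT, HIGH_PORT = 1024, 65535            # assumed ephemeral range used by the NAT box
PORTS_PER_IP = HIGH_PORT - LOW_PORT + 1      # 64512 usable source ports per public address


def max_hosts_per_ip(sessions_per_host: int) -> int:
    """Hosts one public IP can carry if each host holds this many sessions at once."""
    return PORTS_PER_IP // sessions_per_host


def public_ips_needed(hosts: int, hosts_per_ip: int = 500) -> int:
    """Pool size under the rule of thumb in the thread (default 500 hosts per public IP)."""
    return math.ceil(hosts / hosts_per_ip)


class StickyNatPool:
    """Source NAT with a pool of public IPs and per-host sticky IP selection."""

    def __init__(self, public_ips: list[str]) -> None:
        self.public_ips = list(public_ips)
        # free source ports per public address, popped from the end as sessions open
        self.free_ports = {ip: list(range(LOW_PORT, HIGH_PORT + 1)) for ip in self.public_ips}
        self.host_to_ip: dict[str, str] = {}        # sticky host -> public IP mapping
        self.sessions: dict[tuple[str, int], tuple[str, int]] = {}
        self.failed = 0                              # sessions refused for lack of a free port

    def ip_for_host(self, host: str) -> str:
        """Pick (and remember) one pool member per internal host, so all its flows share it."""
        if host not in self.host_to_ip:
            digest = hashlib.sha256(host.encode()).digest()
            index = int.from_bytes(digest[:4], "big") % len(self.public_ips)
            self.host_to_ip[host] = self.public_ips[index]
        return self.host_to_ip[host]

    def open_session(self, host: str, src_port: int) -> tuple[str, int] | None:
        """Translate (host, src_port) to (public IP, public port); None on port exhaustion."""
        pub_ip = self.ip_for_host(host)
        free = self.free_ports[pub_ip]
        if not free:
            self.failed += 1
            return None
        pub_port = free.pop()
        self.sessions[(host, src_port)] = (pub_ip, pub_port)
        return pub_ip, pub_port

    def close_session(self, host: str, src_port: int) -> None:
        """Release the public port so another flow can reuse it."""
        pub_ip, pub_port = self.sessions.pop((host, src_port))
        self.free_ports[pub_ip].append(pub_port)

    def sessions_per_ip(self) -> dict[str, int]:
        counts = {ip: 0 for ip in self.public_ips}
        for pub_ip, _ in self.sessions.values():
            counts[pub_ip] += 1
        return counts


def simulate(hosts: int, sessions_per_host: int, public_ips: int) -> dict:
    """Open `sessions_per_host` flows from each of `hosts` constructed 10.0.x.y clients."""
    pool = StickyNatPool([f"203.0.113.{i + 1}" for i in range(public_ips)])
    for n in range(hosts):
        host = f"10.0.{n // 256}.{n % 256}"
        for s in range(sessions_per_host):
            pool.open_session(host, 40000 + s)
    return {"opened": len(pool.sessions), "failed": pool.failed,
            "per_ip": pool.sessions_per_ip(), "pool": pool}


if __name__ == "__main__":
    print("max hosts per IP at 10 sessions each:", max_hosts_per_ip(10))
    print("public IPs for 3000 hosts at 500 per IP:", public_ips_needed(3000))
    one = simulate(3000, 30, 1)
    print("1 public IP, 3000 hosts x 30 sessions: opened", one["opened"], "failed", one["failed"])
    six = simulate(3000, 10, 6)
    print("6 public IPs, 3000 hosts x 10 sessions:", six["per_ip"], "failed", six["failed"])
```

Running the model with a single public address and 3000 hosts holding 30 sessions each refuses roughly 25,000 flows once the 64,512 source ports are gone, while six addresses at 10 sessions per host never exhaust a pool member. Real firewalls key the translation on the full 5-tuple and so stretch further than this model; the point is that the sizing rule in the thread is the safe lower bound to plan against.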

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Syed_M_UsmanSystem AdministratorCommented:
Dear, I was referring to the SonicWall E10200.

I was doing some tests, so it may take some time to finish. While testing I ran into many problems, which include:
Internet Bandwidth
Switch backbone
Router Memory

I don't have so many APs and wireless network cards, so I am trying with a LAN connection.

Syed_M_UsmanSystem AdministratorCommented:
I would also agree with expert ArneLovius on "I would suggest no more than 500 hosts per external IP address, so for 3k users you should have at least 6 external addresses in a NAT pool, more would be better".

I did one test in our lab using virtual hosts. I came to know that a 100MB line is not sufficient for even 10xx hosts; since you will have 3000 users, each user should have at least 128-256kb (in order to safely browse), so if you multiply 256*3000/1024=750MB, or 375MB with 128kb. I would suggest you should have at least 2-3 internet lines of 512MB each from the ISP with load balancing enabled.

I would also agree with experts xanandu and ArneLovius on the DNS server.
From the test I came to know you should have at least 2 DNS servers (1 primary and 1 secondary) for name resolution.

Apart from the above, you have to make sure your backbone (switch-to-switch connectivity) is on redundant fiber (10GB), all APs should support a 1GB backbone connection, and a single AP should not be connected to more than 108+ clients.

I ran into a DHCP issue with VLANs; you also need to consider how you will manage DHCP in VLANs (in the case of VLANs you should have all switch locations, the management VLAN IP and 3-5 administrators ready at a centralized location). The event location can also play a key role: if the event will be in a multi-storey building you can set up VLANs based on floor, and it would be very easy to manage DHCP and other conflicts.
