Setting up multiple Internet connections for the same network
I have a customer that has 50+ computers on a network sharing a cable Internet connection. The customer is an apartment building so they are all residential computers that are not controlled from a central source or server with any policies in place. They have been complaining to their ISP that the speeds are sometimes very slow. The ISP’s solution was to add 2 additional cable modems, so that there could be a separate cable modem for each floor (3 total floors).
Each floor has 3 power over Ethernet (PoE) wireless access points that the residents connect to. Each access point has a cable run to it from a PoE managed switch in the basement of the building, that DOES support VLANs.
What they have asked us to do is set them up so that each floor can run off a single cable modem. The simplest solution would be to set up 2 additional routers (3 total routers) and separate each floor into a different VLAN. That will work, but we would like to set something else up to monitor the traffic so that if they complain about speed issues we can look and see what was happening at that specific time. Also, if it is a specific resident that was causing the problem, report that to the management so they can decide what to do about it.
My idea is to set up a Linux box to act as the router using iptables to route the traffic. I know I could do this using 6 separate NIC cards, one for each incoming connection and another for each outgoing connection. I am fairly confident I can eliminate 2 NIC cards as I can use the same NIC card with virtual interfaces for each VLAN (i.e. eth0:0, eth0:1, eth0:2). That would get me down to 4 NIC cards. The problem on the ISP side is that each cable modem requires a unique MAC address from the WAN interface of the router to assign IP addresses to, and those addresses are dynamic and not static.
My questions are:
1. Is this type of setup with a Linux box going to work at all?
2. How many NIC cards will I need?
3. Will the inbound NIC/interface (LAN) work with different virtual interfaces for each VLAN like I have described?
4. Is there a way to set up the outbound NIC/interface (WAN) to use virtual interfaces, with each virtual interface using a dynamic IP address and having a unique MAC address?
5. Is there a better solution for this?
I am also wondering what the best way to monitor the traffic for historical analysis would be, but this is altogether a different question that I will ask separately.
2. 2 NICs is more than enough.
3. No need for VLAN really, although I like to use it unless it complicates too much.
4. As mentioned, there is no need to use virtual interfaces. 1 physical for the WAN and 1 physical for the LAN will do the trick.
5. The key to this is to use traffic shaping. Iptables can be used for this, but it can be very complicated to set up, depending on your goals. You can restrict max traffic per LAN IP, but if that means maximum 0,2 Mb for each user, it is probably useless. Then you have to make some dynamic rules (i.e. if total traffic is not exceeding 10 Mb, then each LAN IP can use up to 1 Mb each, otherwise restricted to 0,2 Mb). Just an example.
Enterprise firewalls like Checkpoint and Juniper can also do this, or commercial traffic shaping appliances / software.
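As an added illustration of the two-NIC layout the answer suggests and of questions 3 and 4 from the post (one 802.1Q sub-interface per floor on the LAN NIC, one macvlan per modem on the WAN NIC, each with its own MAC so each modem issues its own dynamic lease, and policy routing so a floor's traffic leaves via its own modem), here is a generator script for the iproute2/iptables commands. It is not from the original thread; the interface names, VLAN ids, subnets, locally administered MACs and table numbers are constructed, and the per-table default gateway is a placeholder to be filled from each DHCP lease (for example from a dhclient hook).

```shell
#!/bin/sh
# Assumed layout (not from the post): eth0 is the trunk to the PoE switch,
# eth1 is the single WAN NIC cabled to all three modems through a small switch.
LAN=eth0
WAN=eth1
# Constructed per-floor table: floor, VLAN id, LAN gateway address,
# locally administered MAC for that floor's modem-facing macvlan, route table.
FLOORS='1 10 10.1.10.1/24 02:00:00:00:00:01 101
2 20 10.1.20.1/24 02:00:00:00:00:02 102
3 30 10.1.30.1/24 02:00:00:00:00:03 103'

# Print the commands instead of running them so the plan can be reviewed
# (and tested) on any box; run with APPLY=1 as root to execute them.
emit_config() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  printf '%s\n' "$FLOORS" | while read -r floor vid subnet mac table; do
    [ -n "$floor" ] || continue
    lan="$LAN.$vid"
    wan="wan$floor"
    # LAN side: one tagged VLAN sub-interface per floor on the same NIC.
    echo "ip link add link $LAN name $lan type vlan id $vid"
    echo "ip addr add $subnet dev $lan"
    echo "ip link set $lan up"
    # WAN side: one macvlan per modem with a unique MAC; each gets its own
    # dynamic lease from its own modem, no extra physical NIC needed.
    echo "ip link add link $WAN name $wan address $mac type macvlan"
    echo "ip link set $wan up"
    echo "dhclient -nw $wan"
    # Policy routing: anything arriving on this floor's VLAN is looked up in
    # this floor's table, whose default route points at this floor's modem.
    # GATEWAY_$floor is a placeholder: take it from the lease on $wan.
    echo "ip rule add iif $lan lookup $table"
    echo "ip route add default via GATEWAY_$floor dev $wan table $table"
    # NAT each floor's subnet behind the address leased to its own macvlan.
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  emit_config | sh -e
else
  emit_config
fi
```

With strict reverse-path filtering enabled, replies arriving on a macvlan can be dropped; set rp_filter to loose mode (2) on the wan interfaces if that happens.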