• Status: Solved

Wireless network for around 2000 users

Hello,

We are looking for a way to set up a network for a mall. The target is to be able to connect to this network around 2000 clients (customers of that mall).

We will cover the area with Ubiquiti AP-Pro. We are not sure on the network structure to be able to give IPs to at least 2000 concurrent clients that are expected to be in the mall in the peak hours.

If anyone knows or has experience in such a case, please assist.

Thank you
Asked by: Comp_support
 
Zephyr ICT (Cloud Architect) commented:
Hi, what exactly do you mean by network structure?

First thing is to make sure you have the IPs available: make your subnet large enough to provide the necessary amount of IP addresses, for example 10.1.1.0/21 or 10.1.1.0/20; the /20 allows for expansion.

What DHCP service are you going to use? One thing you can do is make sure you don't set the lease time too high...
 
Comp_support (Author) commented:
Hello and thank you for your response.

We are planning to install a Watchguard 3 series for that reason, with a lease of no more than 6 hours.
 
Zephyr ICT (Cloud Architect) commented:
I can't say if the Watchguard will be able to cope with managing about 2000 DHCP requests at peak hours. I would not set the DHCP leases to more than 1 to 2 hours tops. I can imagine that most people only browse their mobiles for short moments, and for the few people that will be using the network extensively I don't feel like you should make an exception; it's a free service after all, if I'm not mistaken?
 
Comp_support (Author) commented:
We are thinking of limiting the bandwidth of each connection. Also, we calculated that an average visit time is 3-4 hours (shopping, eating, recreational). It will be a free service. The clients will have to accept the terms of using free internet and will then be redirected to a landing page (the mall's home page). We will block torrents and services like that. Also, the home page will be installed on a web server running in the same network. Via the Ubiquiti management console I can block access to specific IPs, so this will not be a problem. Did you have any "bad" experience with Watchguard? Series 3 is supposed to be able to handle 40.000 simultaneous connections according to their specs.
 
Zephyr ICT (Cloud Architect) commented:
I used to support Watchguard firewalls a while back. The only "bad" experience I had was mostly to do with clustering of the Watchguard firewalls; besides that, not any more "bad" than similar devices. I'm comparing apples with apples of course ... I'm sure most of the issues I encountered back then are taken care of by now.

3-4 hours, if you take into account that lease time (not saying you will use it), I'd definitely choose a big enough IP range, just to make sure you have some room for expansion.
 
Comp_support (Author) commented:
We are considering using the 10.1.1.0/20 range. Probably it will be more than enough. And since we are a Watchguard distributor, we will probably go for that.

Do you have any other concerns that should also be my concerns?
 
Zephyr ICT (Cloud Architect) commented:
Besides security, which you probably already are taking into account (e.g. DHCP snooping), you covered all bases pretty well. Avoid unnecessary services, block "dangerous" ports and software. Scan the network for rogue APs regularly...

The /20 range gives you more than 4000 nodes/hosts/clients... So yeah, it'll probably be enough for your goals.

Since you're a Watchguard distributor, I wouldn't doubt using them.
 
nammit-man commented:
I would VLAN this network into smaller segments, and route smaller blocks. 4000 nodes in one Layer 2 broadcast domain is going to land you in a whole heap of trouble.
 
Comp_support (Author) commented:
Dear Nammit,

The network will be only for giving internet access to the clients of the mall. Nothing else. We will use the XTM33 with dual wan / load balancing configuration. We will setup 2 x 50 MBPS lines.

Can you please be more specific on the troubles that we might get?
 
Zephyr ICT (Cloud Architect) commented:
Hi,

Nammit is referring to the fact that DHCP is in itself a broadcast protocol, having many clients on the network can indeed cause network congestion.

This is something you can monitor and adjust for at a later stage if it seems necessary.

I'd like to refer you to the following paper; it's for Dell switches, but the principle stays the same:
http://www.dell.com/downloads/global/products/pwcnt/en/app_note_5.pdf

It will give you an idea what to look out for.
 
Craig Beck commented:
Although I've not done this with the kit you're wanting to use, I do lots of these installations.

In wireless land it's a little bit different when it comes to subnetting.  Cisco, for example, recommend a /21 or /22 in a densely-populated wifi deployment.  It's not a problem.

In reality you'll probably never see 2000 users on the network at the same time if they're just using it for general browsing while they're shopping or having something to eat.  I'd say it's usually somewhere around 20% of whatever you'd expect at most.

Also with wireless it's hard to accurately determine where the concentration of users will be if you decide to VLAN your wireless LAN, and some kit doesn't even allow you to use the same SSID while assigning different VLANs per area, for example.

As a guide I'd aim to do the following at the very least:

1] Use dual-band APs which allow you to use 2.4GHz and 5GHz simultaneously.
 - If they support band-steering, use it.  That will push your clients to the 5GHz band if they support it and will ultimately mean a better experience as at 5GHz there are more channels to play with and subsequently the ability to bond multiple channels to provide more throughput at 802.11n MCS rates.

2] Disable lower data-rates, such as everything less than 24Mbps.
- This will mean clients only connect to closer APs and they will require less air-time overall.  This will have a positive impact on client access.

3] Don't allow inter-client communication across the AP.
- Basically this stops communication between two or more clients on the same AP, thus blocking broadcast traffic amongst other things (only across the radio - not for services such as DHCP).  This will help to reduce unnecessary air-time for clients.

4] Use a short DHCP lease time - around 1 hour.
- Think of how many people may come to the mall during the day, and not just how many people might be in there at the same time.  If you use a 4 hour lease time that might mean you can only ever allow 4000 clients to use the network per working day (based on 8 hours in a working day).  If you use a 1 hour lease time though you could see up to 16000 clients per day.  Also, the AP or authentication server doesn't usually track a user's session by IP so even if the client has to lease a new IP address after a period of inactivity their session should continue without having to reauthenticate.

5] Use a shorter idle timeout, but a longer session timeout.
- If your APs support these settings, use a 5 minute idle timeout, for example, but a longer session timeout.  So if you expect the average client to be in the mall for 3 hours, set the session timeout to 3 hours.  This won't affect the DHCP lease time, which should be shorter than the session timeout.

6] Provide ample overlap between APs, but not too much.
- This will ensure that when you disable lower data-rates clients can still achieve an acceptable link which doesn't trigger unnecessary roaming.

One thing people do want sometimes is location-centric advertising or information delivery, especially where shops are close to the users.  Is this something you've thought about?  If so, that leads me to ask, are you wanting to send users to a login page before they get internet access?  If so, what are you thinking of using for this?
 
Zephyr ICT (Cloud Architect) commented:
4] Use a short DHCP lease time - around 1 hour.
- Think of how many people may come to the mall during the day, and not just how many people might be in there at the same time.  If you use a 4 hour lease time that might mean you can only ever allow 4000 clients to use the network per working day (based on 8 hours in a working day).  If you use a 1 hour lease time though you could see up to 16000 clients per day.  Also, the AP or authentication server doesn't usually track a user's session by IP so even if the client has to lease a new IP address after a period of inactivity their session should continue without having to reauthenticate.


That's what I was thinking as well ...

Some extensive advice here!
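The subnet-size and lease-time trade-off discussed in this thread, worked through as an added example (not code posted by any participant): it estimates the peak number of bound DHCP leases for a day of visitors and compares it with the pool a /20 or /21 provides. Assumptions: a constructed workload of 10 arrivals per minute over a 12-hour day with 210-minute visits, clients that renew at half the lease time, and devices that walk out of range without sending a DHCP release, so the address stays bound until the lease expires.

```python
import ipaddress

def usable_pool(cidr, reserved=0):
    """Return (normalised network, addresses left for the DHCP pool)."""
    # strict=False: "10.1.1.0/20" has host bits set; the network is 10.1.0.0/20.
    net = ipaddress.ip_network(cidr, strict=False)
    return net, net.num_addresses - 2 - reserved  # minus network and broadcast

def hold_minutes(visit, lease):
    """Minutes one visitor keeps an address bound (all times in minutes)."""
    t1 = max(1, lease // 2)         # client renews at T1 = half the lease
    renewals = (visit - 1) // t1    # renewals sent while still on site
    return renewals * t1 + lease    # last renewal time + a full lease to expiry

def peak_leases(arrivals, visit, lease):
    """Peak number of simultaneously bound leases for the given arrival minutes."""
    hold = hold_minutes(visit, lease)
    events = []
    for a in arrivals:
        events += [(a, 1), (a + hold, -1)]
    events.sort()  # at equal times (-1) sorts first: expiries free addresses
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def report(cidr, lease, arrivals, visit, reserved=0):
    net, capacity = usable_pool(cidr, reserved)
    peak = peak_leases(arrivals, visit, lease)
    return {"network": str(net), "capacity": capacity,
            "peak": peak, "fits": peak <= capacity}

# Constructed workload (assumption): 10 arrivals per minute over a 12-hour day,
# each staying 210 minutes, i.e. about 2100 devices on site at once.
ARRIVALS = [minute for minute in range(720) for _ in range(10)]
VISIT = 210

if __name__ == "__main__":
    for cidr in ("10.1.1.0/20", "10.1.1.0/21"):
        for lease in (60, 120, 360):
            print(lease, report(cidr, lease, ARRIVALS, VISIT))
```

Under these assumptions a 1-hour lease peaks at 2400 bound addresses, which fits a /20 but not a /21, while a 6-hour lease peaks at 5400 and exhausts the 4094 addresses of a /20.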