Panayiotis Kanaris

Wireless network for around 2000 users

Hello,

We are looking for a way to set up a network for a mall. The target is to be able to connect around 2000 clients (customers of that mall) to this network.

We will cover the area with Ubiquiti AP-Pro. We are not sure on the network structure to be able to give IPs to at least 2000 concurrent clients that are expected to be in the mall at peak hours.

If anyone knows or has experience in such a case, please assist.

Thank you
ASKER CERTIFIED SOLUTION
Zephyr ICT

ASKER

Hello and thank you for your response.

We are planning to install a Watchguard 3 series for that reason, with a lease of no more than 6 hours.
I can't say if the Watchguard will be able to cope managing about 2000 DHCP requests at peak hours. I would not set the DHCP leases to more than 1 to 2 hours tops. I can imagine that most people only browse their mobiles for short moments, and for the few people that will be using the network extensively I don't feel like you should make an exception; it's a free service after all, if I'm not mistaken?
We are thinking of limiting the bandwidth of each connection. Also, we calculated that an average visit time is 3-4 hours (shopping, eating, recreational). It will be a free service. The clients will have to accept the terms of using free internet and then be redirected to a landing page (mall's home page). We will block torrents and services like that. Also, the home page will be installed on a web server running in the same network. Via the Ubiquiti management console I can block access to specific IPs, so this will not be a problem. Did you have any "bad" experience with Watchguard? Series 3 is supposed to be able to handle 40.000 simultaneous connections according to their specs.
I used to support Watchguard Firewalls a while back. The only "bad" experience I had was mostly to do with clustering of the Watchguard Firewalls; besides that, not any more "bad" than similar devices. I'm comparing apples with apples of course ... I'm sure most of the issues I encountered back then are taken care of by now.

3-4 hours, if you take into account that lease time (not saying you will use it), I'd definitely choose a big enough IP range, just to make sure you have some room for expansion.
We are considering using the 10.1.1.0/20 range. Probably it will be more than enough. And since we are a Watchguard distributor, we will probably go for that.

Do you have any other concerns that should also be my concerns?
Besides security, which you probably already are taking into account (e.g. DHCP snooping), you covered all bases pretty well. Avoid unnecessary services, block "dangerous" ports and software. Scan the network for rogue APs regularly...

The /20 range gives you more than 4000 nodes/hosts/clients... So yeah, it'll probably be enough for your goals.

Since you're a Watchguard distributor, I wouldn't doubt using them.
SOLUTION
Dear Nammit,

The network will be only for giving internet access to the clients of the mall. Nothing else. We will use the XTM33 with dual wan / load balancing configuration. We will setup 2 x 50 MBPS lines.

Can you please be more specific on the troubles that we might get?
Hi,

Nammit is referring to the fact that DHCP is in itself a broadcast protocol; having many clients on the network can indeed cause network congestion.

This is something you can monitor and adjust for at a later stage if it seems necessary.

I'd like to refer you to the following paper. It's for Dell switches, but the principle stays the same:
http://www.dell.com/downloads/global/products/pwcnt/en/app_note_5.pdf

It will give you an idea what to look out for.
SOLUTION
Craig Beck
Use a short DHCP lease time - around 1 hour.
- Think of how many people may come to the mall during the day, and not just how many people might be in there at the same time.  If you use a 4 hour lease time that might mean you can only ever allow 4000 clients to use the network per working day (based on 8 hours in a working day).  If you use a 1 hour lease time though you could see up to 16000 clients per day.  Also, the AP or authentication server doesn't usually track a user's session by IP so even if the client has to lease a new IP address after a period of inactivity their session should continue without having to reauthenticate.


That's what I was thinking as well ...

Some extensive advice here!
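The lease-time trade-off discussed in this thread can be checked against the proposed 10.1.1.0/20 pool with a small model. This is an added example, not code from any participant; it assumes 8000 visitors spread evenly over a 12-hour opening day, 3.5-hour visits, clients renewing at half the lease time, and devices leaving without sending a DHCPRELEASE.

```python
import ipaddress

def usable_hosts(cidr):
    """Normalise a CIDR string and return (network, usable host count)."""
    # 10.1.1.0/20 has host bits set; strict=False maps it to its real network.
    net = ipaddress.ip_network(cidr, strict=False)
    return net, net.num_addresses - 2  # minus network and broadcast address

def hold_minutes(visit_min, lease_min):
    """Minutes one visitor's address stays unavailable to others."""
    t1 = lease_min // 2                    # renewal timer T1 (RFC 2131 default)
    last_renewal = (visit_min // t1) * t1  # last renewal while still on site
    return last_renewal + lease_min        # lease only expires after that

def peak_leases(visitors, open_min, visit_min, lease_min):
    """Peak number of simultaneously held leases over one day."""
    hold = hold_minutes(visit_min, lease_min)
    delta = [0] * (open_min + hold + 1)    # +1 at lease start, -1 at expiry
    for i in range(visitors):
        start = i * open_min // visitors   # evenly spread arrivals (assumed)
        delta[start] += 1
        delta[start + hold] -= 1
    peak = current = 0
    for change in delta:
        current += change
        peak = max(peak, current)
    return peak

if __name__ == "__main__":
    net, pool = usable_hosts("10.1.1.0/20")
    print(f"{net}: {pool} usable addresses")
    # Assumed traffic profile, not figures from the thread.
    for lease in (60, 120, 360):
        peak = peak_leases(visitors=8000, open_min=720,
                           visit_min=210, lease_min=lease)
        verdict = "fits" if peak <= pool else "POOL EXHAUSTED"
        print(f"lease {lease:3d} min -> peak {peak} leases ({verdict})")
```

Under these assumptions roughly 2300 devices are on site at once in both cases; only the lease time decides whether the /20 pool runs out.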