Large scale internet sharing - e.g. student accommodation

naimcohen

Senior member
Jun 13, 2005
244
0
71
Hi all

After you guys helped me find out about hotspot solutions I've come back for more help.

For small hotels/restaurants etc I have successfully used monowall as a voucher system for selling time on the internet. This works fine for the limited bandwidth the customers are expecting - around 1mbps and no serious complaints.

I have been thinking about how such a system would work on a larger scale, say for example in student accommodation and serviced flats/studio apartments.

I would first assume a T1 line (I believe called a leased line) would be needed to sustain the needs of 50-100+ people on the internet. If that assumption is wrong that would make my life easier but I can't imagine that many people even on a fibre line getting a decent enough speed shared.

Surely there is a system out there that can share the internet connection between a large number of users whilst still providing a login screen for the users' details and having each user private from the others (which I don't believe is a feature of monowall..). I have tried googling the question but I couldn't find much or I'm just searching the wrong terms.

So does anyone know of such a system, or how it could be made? This is in the UK if that makes much of a difference.

Thanks!
 

JoeMcJoe

Senior member
May 10, 2011
327
0
0
A single T1 line only has 1.54 Mbps bandwidth, barely enough for 2 people.

Look into PFsense, free, it is used commercially and very powerful.
 

Fardringle

Diamond Member
Oct 23, 2000
9,192
758
126
Agreed. Your residents will hate you if you only give them a single T1 to share. At peak usage times, you will just barely have basic dial-up speed (33 kbps) for 40 people. If you're OK with that, go with the T1 line. If not, you should definitely look for faster options, and honestly even the fastest residential/affordable connections aren't going to be fast enough for 100+ people.

PFSense is good if you want to build your own router box. If not, Sonicwall makes some nice routers that aren't terribly expensive.
 

Zap

Elite Member
Oct 13, 1999
22,377
2
81
How big of a budget for the internet connection?

For keeping users private from each other, put a clause in the TOS that they need to have a firewall, or use a router.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
How big of a budget for the internet connection?

For keeping users private from each other, put a clause in the TOS that they need to have a firewall, or use a router.

Or use proper switches and private VLANs.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
As long as you don't need a very critical SLA (service level agreement) then a cable or similar connection will be cheaper and provide more bandwidth.
 

Carson Dyle

Diamond Member
Jul 2, 2012
8,174
524
126
I wouldn't expect to provide wireless service in such an environment. I would provide only wired ethernet, even if it means pulling cable to 50 units.
 
Feb 25, 2011
16,824
1,493
126
Do switches normally support as many VLANs as there are ports?

Depending on the switch, of course, but theoretically yes.

You'll need a nice router though.

Of course, Carson is bang on the money here, too.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Do switches normally support as many VLANs as there are ports?

Generally, yes, but that's not really to what I was referring.

Private VLANs are a certain type of VLAN that allow multiple ports to be "isolated" from other ports within the same VLAN. This would allow all clients within the VLAN to be able to talk to the gateway, but not to each other.

Also, a properly deployed wireless network would have no trouble working with 150 clients.
 

gsaldivar

Diamond Member
Apr 30, 2001
8,691
1
0
T-1 is high-quality, low speed data. Not an ideal choice for a public access system. I would instead recommend one or more fat/cheap lines for this, possibly DSL depending on availability.

Surely there is a system out there that can share the internet connection between a large amount of users whilst still providing a login screen for the users details and having each user private from the others

The login system you are looking for is called a "captive portal", and it is a feature of most decent gateway/router platforms. However, you should know this type of system would provide only a cursory authentication, since it can be defeated by sniffing and spoofing the MAC address of any authorized user on the same network. So, you would also need "wireless client isolation" functioning on all your wireless routers, which prevents users from seeing the other users on the network.

I would set up something like PFsense as the main gateway. Next, do a site survey, find out if there are existing wireless routers in the area, which channels are free, how far you can expect each router to propagate a usable signal (given your building's unique structure), if there is AC power at each router location or if you need to use PoE, cable distance limits, etc. Then, run an ethernet backbone to connect all your wireless routers together. At each drop, set the wireless router to a different, non-overlapping channel to avoid interference to its neighboring drops, then give it a static address, turn off DHCP, turn off UPnP, point it to your main gateway for DHCP/captive portal functions, etc.

If you want to get fancy there are many ways to improve upon this, for example you can do radius for centralized authentication instead of captive portal, but this is the basic framework for a wide area DIY shared internet system.
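The weakness gsaldivar describes (a captive portal only ever sees a MAC address, so a cloned address rides on someone else's session) has a signature on the infrastructure side that is worth watching for: the same MAC starts being learned behind two different switch ports or access points within a short window. The following is an added example of that check, not code from the thread or from m0n0wall/pfSense. The learned-address log format, the port names, the MAC addresses and the list of logged-in MACs are all constructed for illustration; a real deployment would feed it from the switch's own MAC-move notifications or the portal's session table.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one "timestamp mac port" line per learned-address
# event on the access switch. The format is invented for this example.
SAMPLE_EVENTS = """\
2013-03-01T19:00:05 00:11:22:33:44:55 gi1/0/7
2013-03-01T19:00:09 aa:bb:cc:dd:ee:01 gi1/0/12
2013-03-01T19:01:40 00:11:22:33:44:55 gi1/0/7
2013-03-01T19:02:15 00:11:22:33:44:55 gi1/0/31
2013-03-01T19:02:21 00:11:22:33:44:55 gi1/0/7
2013-03-01T19:05:00 aa:bb:cc:dd:ee:01 gi1/0/12
"""

# MACs the captive portal currently treats as logged in (constructed).
AUTHORISED = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}

LINE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F:]{17})\s+(\S+)$")


def parse_events(text):
    """Parse log lines into a time-sorted list of (timestamp, mac, port)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a learned-address line
        ts, mac, port = m.groups()
        events.append((datetime.fromisoformat(ts), mac.lower(), port))
    return sorted(events)


def find_port_flaps(events, window_seconds=300):
    """Map each MAC that was learned on two different ports less than
    `window_seconds` apart to the sorted list of ports it was seen on."""
    window = timedelta(seconds=window_seconds)
    last_seen = {}            # mac -> (timestamp, port) of the previous event
    flaps = defaultdict(set)
    for ts, mac, port in events:
        prev = last_seen.get(mac)
        if prev is not None and prev[1] != port and ts - prev[0] <= window:
            flaps[mac].update((prev[1], port))
        last_seen[mac] = (ts, port)
    return {mac: sorted(ports) for mac, ports in flaps.items()}


def suspicious_sessions(text, authorised=AUTHORISED, window_seconds=300):
    """Logged-in MACs that flap between ports. A cloned address looks exactly
    like this from the switch's point of view, so these sessions are the ones
    to tear down and force back through the login page."""
    flaps = find_port_flaps(parse_events(text), window_seconds)
    return {mac: ports for mac, ports in flaps.items() if mac in authorised}


if __name__ == "__main__":
    for mac, ports in suspicious_sessions(SAMPLE_EVENTS).items():
        print(f"{mac} seen on {', '.join(ports)} within 5 minutes: re-authenticate")
```

A flagged MAC is a reason to expire the portal session rather than proof of abuse (a laptop moving from the lounge AP to a room port will trip it too), and the check complements client isolation rather than replacing it: isolation is what stops the address being sniffed in the first place.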
 

naimcohen

Senior member
Jun 13, 2005
244
0
71
Hi all

Thanks for the replies!

In regards to the T1 line I got confused with the terms of what we call them but it will be a business grade line.

I have been doing research and it looks like VLANs as you guys have suggested is the way to go. Each room will have one ethernet port, but with the addition of a normal switch they can have their own network and only their own devices will be able to talk to one another. This way everyone stays private from one another.

I am new to smart switches and VLANs, but am I right in saying that to do what I want, each room would need a direct link back to the switch? Therefore if I want 100 rooms to have access I would need 100 ports on my VLAN capable switch?

If this is the case can someone put a link to a suitable switch so I can get an idea of what I need?

Regarding the captive portal feature - I use this when I set up monowall installs in hotels and they have been very happy with it. For this installation I believe they just want a simple username and password for each user so that should be simple enough.

Regarding wireless, if attached to this system how would it operate? Is wireless client isolation something from the access point or on the firewall itself?

Would monowall be ok for this or should I go for pfsense? Let's assume the incoming speed will be around 100mbps, which I assume it will be for the time being.

Thanks for the help so far!
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
I wouldn't use either. I'd use something like a Palo Alto Networks firewall and some Cisco Catalyst switches with PVLANs.
 

naimcohen

Senior member
Jun 13, 2005
244
0
71
Hi,

I did enquire about the Palo Alto firewall system and it seems it will do what I want. But is it worth the extra cost for that system rather than a pfsense box which would work out much cheaper? I was told their PA-200 series firewall would be fine for the job, at the price of around £1000

Thanks
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
If you have the time and money to tinker with pfsense, then use that.

If you want something with a support contract with a number you can call when something doesn't work, then go with a commercial product.
 

phobsi

Member
Dec 27, 2010
26
0
0
Are private VLANs used frequently with wireless? I thought private VLANs were mostly for ISP to customer use.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Are private VLANs used frequently with wireless? I thought private VLANs were mostly for ISP to customer use.

No. Wireless has client isolation as a feature. However, being that it's still a shared media connection (read: simplex), anyone who runs their stuff in promiscuous mode would be able to see everything regardless. It's a drawback of wireless. You could enable some of the more advanced forms of encryption and use smartcards, etc, to handle that, rather than a preshared key...but that's not going to happen in the type of environment in question here.

In regards to the use of Private VLANs, they're used anywhere you want to restrict traffic across a single L2 domain. Datacenters, server rooms, etc...but that's not the only place. You could use them in any sort of wireline network with a shared L2 domain. They'd be perfect for this sort of network because it's much lower maintenance than maintaining a separate L2 network for each port and it still restricts direct communication between "suites."
 

naimcohen

Senior member
Jun 13, 2005
244
0
71
Hi guys,

I must thank you for your replies as I have learnt a lot from them. I have been looking online but am getting slightly confused with the terms VLAN and VPN.

In complete layman's terms could someone give a definition of both and how they would be used?

And also, if I want every computer on the network to be 'hidden' from one another, do they each have to be plugged into a different port on the VLAN switch, or can I have it so no matter where it's plugged into it will be hidden?

It doesn't seem possible to have that but some websites are talking about VLAN switches capable of many more VLANS than ports on the switch so that seems like the only logical way for that to make sense.

Thanks again guys this really is helpful and I'm sure others will find it useful too!
 

naimcohen

Senior member
Jun 13, 2005
244
0
71
In regards to the number of VLANs supported vs number of ports, having a look at something like this on ebay just for reference says it can support up to 64 port based VLANs but it only has 8 ports. How does that work?

http://www.ebay.co.uk/itm/HP-ProCur...puting_NetworkSwitches_RL&hash=item2a2007fa4e

And is the only difference between layer 2 and layer 3 switches that layer 2 utilizes MAC addresses, whereas layer 3 uses IP addresses?

Thanks again!
 

serpretetsky

Senior member
Jan 7, 2012
642
26
101
A VPN is a virtual private network. It allows you to create a tunnel over a public system, like the internet, joining two geographically separate networks together as though they were directly connected, and ensuring the data stays private (encrypted) over the public system.

A VLAN allows you to create separate networks within a single ethernet switch. Having separate VLANs is pretty much the same as having completely separate switches.

VLANs are a little more complex than that; as you have mentioned, there are switches with more VLANs than ports. This is useful when you combine multiple switches together, but you want them to still keep VLAN data separate on its own VLAN. Switches will often allow ports to be designated as "trunk" ports or "tagging" ports, where each packet can be tagged with a VLAN (so that different switches can keep track of which VLAN a packet belongs to). In such a system, you can allow multiple VLAN traffic through a single trunk port.

A layer 3 switch will, like you mentioned, be able to check IP information, unlike layer 2 switches. A layer 3 switch is like a basic router. They are useful because, like I mentioned, when you create separate VLANs, it's almost the same as having completely separate switches. But the funny thing is sometimes you need to create routes between the two separate networks, usually with the help of a router.

With two separate switches the solution is obvious and simple, both switches plug into the router.

But when you have a single switch (or group of switches) with multiple VLANs, they cannot route information between the VLANs without the help of a router (just like two separate switches). It creates a funny situation where data from VLAN1 must go to the router, and then BACK ONTO THE EXACT SAME SWITCH IT CAME FROM to get to VLAN2.

To avoid this strange bottlenecking issue, layer 3 switches were created, which can do their own basic routing internally, without having to send a packet out to a router just to get it back again.
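Two of the explanations in this thread fit together: drebo's point that a private VLAN lets every room reach the gateway but not each other, and serpretetsky's point that a trunk port carries several VLANs by tagging each frame. The toy switch below is an added example, not code from the thread or from any switch vendor, that puts both on one page: it builds and parses 802.1Q tags, and it forwards frames between ports according to private-VLAN roles, using the tag's VLAN ID to carry the "which kind of port did this come from" information across the uplink. The VLAN IDs (100 primary, 101 isolated, 102 community), port names, MAC addresses and the fixed MAC table are all constructed; it does no MAC learning and does not flood unknown unicast, which a real switch would.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed private-VLAN group: one primary VLAN plus two secondary VLANs.
PRIMARY, ISOLATED, COMMUNITY = 100, 101, 102

# Constructed switch config. Access ports carry the VID of their PVLAN role;
# the uplink is an 802.1Q trunk that carries all three VIDs to the next switch.
PORTS = {
    "gi1/0/1":  ("promiscuous", PRIMARY),    # gateway / firewall
    "gi1/0/2":  ("isolated",    ISOLATED),   # room 1
    "gi1/0/3":  ("isolated",    ISOLATED),   # room 2
    "gi1/0/4":  ("community",   COMMUNITY),  # office PC 1
    "gi1/0/5":  ("community",   COMMUNITY),  # office PC 2
    "gi1/0/24": ("trunk",       None),       # uplink to the next access switch
}

GATEWAY, ROOM1, ROOM2 = "00:00:5e:00:01:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
OFFICE1, OFFICE2, FAR = "aa:aa:aa:00:00:04", "aa:aa:aa:00:00:05", "bb:bb:bb:00:00:09"
MAC_TABLE = {  # learned address -> port (constructed; FAR sits behind the uplink)
    GATEWAY: "gi1/0/1", ROOM1: "gi1/0/2", ROOM2: "gi1/0/3",
    OFFICE1: "gi1/0/4", OFFICE2: "gi1/0/5", FAR: "gi1/0/24",
}


def build_frame(dst, src, payload, vid=None):
    """Ethernet II frame; with `vid` set, insert an 802.1Q tag (PCP/DEI = 0)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, payload); the tag, if any, sits at offset 12."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[18:]
    return dst, src, None, frame[14:]


def pvlan_permits(origin_vid, egress_port):
    """PVLAN rule: the VID a frame carries says which kind of port it came from.
    Promiscuous ports receive from everyone; isolated ports only from the
    primary (promiscuous) side; community ports from the primary side and
    from their own community."""
    role, port_vid = PORTS[egress_port]
    if role == "trunk":
        return True                     # the tag preserves the origin; decided downstream
    if role == "promiscuous":
        return origin_vid in (PRIMARY, ISOLATED, COMMUNITY)
    if role == "isolated":
        return origin_vid == PRIMARY
    if role == "community":
        return origin_vid in (PRIMARY, port_vid)
    return False


def forward(ingress_port, frame):
    """Return (egress_port, frame_as_transmitted) or None when the switch drops it."""
    dst, src, vid, payload = parse_frame(frame)
    role, port_vid = PORTS[ingress_port]
    if role == "trunk":
        origin_vid = vid                # trunk frames must carry their VLAN
    else:
        if vid is not None:
            return None                 # tagged frame on an access port: drop
        origin_vid = port_vid           # access port assigns its own VID
    if origin_vid is None:
        return None                     # untagged on the trunk: drop (no native VLAN here)
    egress = MAC_TABLE.get(dst)
    if egress is None or egress == ingress_port:
        return None                     # unknown destination or hairpin: drop
    if not pvlan_permits(origin_vid, egress):
        return None
    out_vid = origin_vid if PORTS[egress][0] == "trunk" else None
    return egress, build_frame(dst, src, payload, out_vid)
```

The part that answers naimcohen's "more VLANs than ports" question is the trunk: a frame from room 1 leaves the uplink tagged 101, so the next switch still knows it came from an isolated port and will not deliver it to one of its own rooms, while the gateway's replies travel tagged 100 and are allowed everywhere. Dropping the tag on the uplink (or treating the trunk as promiscuous) would quietly break the isolation between buildings.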
 

Mark R

Diamond Member
Oct 9, 1999
8,513
14
81
Have you considered how you are going to comply with the Digital Economy Act?

By offering a shared service, you are an ISP which means that you need to keep detailed logs of all traffic, including all IP addresses and URLs (where relevant) accessed and the *name* (or other identifier) of the person accessing them. Very small installations (like a coffee shop) have a lot of this requirement waived, but once you get past a certain number of users you must fully comply. In particular, students are more likely to engage in illegal behaviour on a high bandwidth residential connection than at a cafe/hotel. If a crime/civil infringement is committed using your connection, you are personally liable unless you can provide proof of ID of the infringer from your logs (or prove that the infringer was an unauthorised user AND that your system was properly secured).

You either need to implement a robust method of securing access, or you will need to heavily filter the connection to block malware, file sharing, potentially illegal sites (e.g. Sites with connection to copyright infringement, terrorism, etc.)
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Have you considered how you are going to comply with the Digital Economy Act?

By offering a shared service, you are an ISP which means that you need to keep detailed logs of all traffic, including all IP addresses and URLs (where relevant) accessed and the *name* (or other identifier) of the person accessing them. Very small installations (like a coffee shop) have a lot of this requirement waived, but once you get past a certain number of users you must fully comply. In particular, students are more likely to engage in illegal behaviour on a high bandwidth residential connection than at a cafe/hotel. If a crime/civil infringement is committed using your connection, you are personally liable unless you can provide proof of ID of the infringer from your logs (or prove that the infringer was an unauthorised user AND that your system was properly secured).

You either need to implement a robust method of securing access, or you will need to heavily filter the connection to block malware, file sharing, potentially illegal sites (e.g. Sites with connection to copyright infringement, terrorism, etc.)

Actually, you don't need to keep track of any of that data. You only need to be able to offer an LEA the ability to monitor traffic to/from an IP address should they request to do so via warrant.

IP-to-user correlations do not need to be maintained in any way.
 

Mark R

Diamond Member
Oct 9, 1999
8,513
14
81
The OP is in the UK. I did make a mistake citing the wrong law (it's the Regulation of Investigatory Powers Act).

User to IP mapping logging is mandatory with a retention period of 6 months minimum.
Traffic logging, while not mandatory, is very strongly recommended, with a minimum retention of 4 days.

Such logs are to be handed over to an LEO upon production of a warrant.
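Whatever the exact legal position, the operational requirement Mark R describes is the same one a captive portal operator needs anyway: given an IP address and a time, say which login held it, and keep that record for the retention period. The following is an added example of such a ledger, not code from the thread or from m0n0wall/pfSense. The CSV record layout and the three sample sessions are constructed, and the 190-day retention constant is this example's own choice for staying past the six-month minimum quoted above.

```python
from datetime import datetime, timedelta

# Retention window for the user-to-IP ledger. The thread quotes a six-month
# minimum; 190 days keeps us comfortably past it (assumption of this example).
RETENTION = timedelta(days=190)

# Constructed session records as the portal might write them: one line per
# login, with `end` left empty while the session is still open.
SESSION_LOG = """\
user,ip,mac,start,end
alice,10.20.0.15,aa:aa:aa:00:00:02,2013-03-01T18:55:00,2013-03-01T23:10:00
bob,10.20.0.15,aa:aa:aa:00:00:07,2013-03-02T08:00:00,2013-03-02T09:30:00
carol,10.20.0.16,aa:aa:aa:00:00:03,2013-03-01T20:00:00,
"""


def parse_sessions(text):
    """Parse the CSV ledger into dicts with datetime fields (end=None if open)."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    sessions = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["start"] = datetime.fromisoformat(rec["start"])
        rec["end"] = datetime.fromisoformat(rec["end"]) if rec["end"] else None
        sessions.append(rec)
    return sessions


def who_had(sessions, ip, at):
    """Users whose session bound `ip` at instant `at` (start inclusive, end
    exclusive). More than one hit means the ledger is ambiguous for that
    moment and the answer should be investigated, not handed over as fact."""
    hits = []
    for s in sessions:
        if s["ip"] != ip:
            continue
        if s["start"] <= at and (s["end"] is None or at < s["end"]):
            hits.append(s["user"])
    return hits


def purge_expired(sessions, now, retention=RETENTION):
    """Drop records whose session ended before `now - retention`; a session
    that is still open is never purged."""
    cutoff = now - retention
    return [s for s in sessions if s["end"] is None or s["end"] >= cutoff]


def lookup(text, ip, at_iso):
    """Convenience wrapper: raw ledger text plus an ISO-8601 timestamp."""
    return who_had(parse_sessions(text), ip, datetime.fromisoformat(at_iso))


def retained_users(text, now_iso):
    """Users whose records survive a purge run at `now_iso`."""
    kept = purge_expired(parse_sessions(text), datetime.fromisoformat(now_iso))
    return [s["user"] for s in kept]
```

The end-exclusive interval matters when one address is recycled by DHCP straight after a logout: the minute the old session ends belongs to the new one, so the two records never both claim it. The ledger is only as good as the portal's idea of who the user is, which is the reason the earlier posts insist on client isolation and a real login rather than a shared key.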
 