Building a Wireless Network for an Apartment Complex? 309
itwerx asks: "I've been asked to design a wireless infrastructure for an apartment complex. Tenants will pay an 'access deposit' and a monthly surcharge to get a PCMCIA/PCI/USB network card along with free installation and, of course, wireless Internet access. The buildings are arranged such that 2 WAP's per building should cover all the tenants (one WAP per side, far enough away to get line-of-sight through the windows). I do have a few concerns, however. All help is appreciated and when we're done we'll put up a HOWTO!"
"My concerns are the following:
- Interference between WAP's (there's several buildings) - there are enough channels if we go 802.11a but cost is a concern.
- Management of 'hitchhikers' - we're planning on manual assignment via DHCP/MAC address for tenants with others having all their HTTP requests get directed to an info page. Anybody done something different?
- Interference from WAP's and other devices that may be owned by tenants! Should we just avoid the default channel and hope for the best?!?
interference.. (Score:5, Interesting)
The real issue is interference from other devices. I hope no one has a 2.4GHz phone.. or a microwave.. or X11.. or one of the other dozens of devices on the (unregulated) 2.4GHz band. It can knock your 11Mbit down to 1.
Re:interference.. (Score:3, Funny)
Re:interference.. (Score:2)
X10 And WAP (Score:3, Informative)
My father is a big Radio Shack Remote lighting finatic. (X10) Every Light is hooked up with a remote switch. All his laps have the plugin appliance system. Even his Cristmas lights are X10 enabled.
Well I needed to toss a cablle modem to me LAN which BTW was Wireless. And the only spot I had was down in the basement. Infact exactly 4 inches (yes I just mesured) away from the X10 modual controling the christmass lights.
My laptop is now on the third floor on the other side of the house. Almost the furthest point without going outside. Well on avarage I get about an 80% signal strength considering the amount of plaster and copper pipes between me and the basement. (For some reason tonight I have a 60% strength).
So, that being the case I'll go check the x-mass lights
. . .
Yup it worked... I'll place my bet that the interferance if any is not that big a deal!!!
Re:X10 And WAP (Score:2)
Re:X10 And WAP (Score:3, Informative)
First, the Entarasys drivers that we ran with windows sucked. After moving to the Linux 2.4 Orinoco drivers our upload was 5x better and download was 2x better. (antenna in the same location)
Second, we have a 2.4Ghz digital spread spectrum phone. Channels 1 and 2 of this phone knock out our connection completely.
We haven't noticed an AP side outage since switching to the linux drivers.
I have one suggestion: DO NOT OVERSUBSCRIBE YOUR NETWORK! We have sporradic port 80 (while other ports work fine) and DNS failures all over the place as well as storms of very high packetloss during prime time. Tennants will start buying cable modems or DSL... as we're about to do.
Re:interference.. (Score:2)
Exactly.
Went over to his place, and things were going ducky, except occasionally the signal would drop from 90% to about 3%. When I asked him, he said that it happened occasionally, but he didn't know what was causing it.
Turns out that it was his 2.4 GHz phone... his wife (who ran an at-home business) would be using the phone without him knowing it. The thing that twigged me was that Linksys was plastering the "2.4GHz" label all over the packaging of the WAP I just bought.
We messed around a bit with phone base station and WAP placement, and eventually got rid off the problem when he dug out his old 900 MHz phone.
No (Score:2)
MAC Address/DHCP (Score:5, Informative)
Re:MAC Address/DHCP (Score:2)
From what I know of the different solutions most were a central server that all the access points connected to, that would then proxy/forward all requests to the internet.
If you want to go for the extra evil points you could force ads to your clients with this type of solution as well.
Re:MAC Address/DHCP (Score:3, Informative)
-sirket
Re:MAC Address/DHCP (Score:2)
Re:MAC Address/DHCP (Score:4, Funny)
You need end to end encryption for the users. That is easy for the Unix crowd but for "what does this button do" level folks something like PoPTOP and getting them to use PPTP may work out easier (although early PPTP isnt terribly secure either)
Re:MAC Address/DHCP (Score:2, Insightful)
Basically the people that need/are concerened about encryption can set it up, but why enforce an extra level of difficulty on the everday users who are checking out cnn.com and pr0n?
Re:MAC Address/DHCP (Score:3, Insightful)
Re:MAC Address/DHCP (Score:2)
but most importantly, he doesnt want NONpaying customers on the network. He needs a way to authenticate a client, and prevent others from getting the mac address and spoofing etc.
The users may not care about their security, but thats their problem. he cares about people abusing the network
Re:MAC Address/DHCP (Score:2)
Re:University of FL authentication (Score:2, Informative)
Security is the biggest issue... (Score:2, Informative)
Re:Security is the biggest issue... (Score:4, Insightful)
See: AirSnort
Rather than worry about people having their sh*t sniffed, here are a couple other solutions:
#1. Set up a portal that uses HTTPS and fetches web pages for the user, then presents these pages to them.
Pros: Simple
Cons: Doesn't really work all that well with some sites
#2. Use IPSec
Pros: Damn secure.
Cons: CPU intensive, limited software support outside of the OSS crowd.
#3. Keep it insecure, but keep the users educated. Let them know their data may be sniffed easily, but also let them know what HTTPS is. Show them how to sign into their Yahoo mail so that their password won't get sent in the clear, etc etc.
Pros: Cheap
Cons: Depends on the intelligence of users. You never want to do that
Re:Security is the biggest issue... (Score:2)
Would you still leave your car doors unlocked if you had an engine immobilizer?
Re:Security is the biggest issue... (Score:3, Insightful)
#2. Use IPSec
Pros: Damn secure.
Cons: CPU intensive, limited software support outside of the OSS crowd.
OSS only? Win2k has support for it in its default configuration. I use this [ebootis.de] procedure to get win2k to connect to my frees/wan gateway using x.509 certificates. Piece of cake (it looks convoluted but it really easy once you do it once or twice) to set up, and lets anybody (linux, windows, mac, anyone with IPSec and x.509) on in a secure fashion.
CPU intensive? Not that I'm aware of. I'm pushing about half a T1 to another frees/wan server using a P100 on one side and a P200 on the other. Now I imagine this scales less than linearly for each client that connects, but I've been pleased with the throughput of this little computer.
Answers (Score:5, Informative)
- Other peoples' devices shouldn't interfere with yours unless there is a LOT of devices. If they do, too bad for them, they can choose a new channel. Or you can choose a new channel. But it shouldn't be a problem unless there's a ton of networks.
- I would suggest leaving your network entirely open (no WEP, etc.) then putting a router at the edge which authenticates MAC/IP addresses, provides DHCP, and only routes those who enter a password of some sort. This leaves the internal network open to hackers unfortunately, but WEP management for an apartment will be hell, and the alternate solutions all tend to be non-standardized.
Re:Answers (Score:3, Informative)
WEP management for an apartment will be hell
I don't think it should be too bad. After all, the network operators are handing out all of the cards; if they use cards that store the keys in firmware and they load up the keys before issuing the cards, then management is no problem at all.
If they decided to *change* the keys, then they'd have a problem, but the purpose of WEP in this case would be to provide a small additional hurdle to potential hitchhikers, not to provide real security, so I don't see a problem with a permanent key.
Re:Answers (Score:3, Informative)
I agree with the no security issue. You should make it clear that there is absolutely no security implied or promised. You'll shoot yourself in the foot as soon as someone's credit card number is sniffed after you told them it was all good. If you must setup security start with the assumption that every packet can and will be sniffed, with that in mind build VPN/IPSEC on top of that.
Wi-Fi (Score:5, Informative)
http://www.purdue.edu/ITaP/projects/wireless.shtm
Re:Wi-Fi (Score:2)
Re:Wi-Fi (Score:5, Funny)
I never thought a wireless project like this would happen to me. I was sitting in the study lounge in my dorm when this sexy coed network engineer walks up and asks, "I see you have a seven layer OSI model. That really turns me on..."
Re:Wi-Fi (Score:2, Informative)
I'm a network admin as well. I'm working on implementing a wireless network as well at my day job ( small campus ). We just completed testing our initial vendors, and basically enterasys got it's butt kicked by cisco and agere ( formally lucent wifi division ) orinoco.
Cisco came out to be the most powerful. No fair though since they transmit at 100w while the others come in about 30. But for value orinoco rose to the top. $75 nics, dual radio models for $600. checkout http://warehouse.com/ for some discent prices.
both agere and enterasys have removeable radios on their APs, in fact the radios are just wifi pcmcia cards. The enterasys pc cards are OEMed orinocos.
My recommendation is orinoco. But your findings might be different, so definately check it out for yourself
Concerns... (Score:2, Informative)
If you have WAP's on different sides of buildings they most likely won't interfere with each other. Just keep the WAPs with the same channel as far apart as possible. If you can get your hands on some a few to test with it would be worth while to mock up a few layouts and wander around with a laptop to measure single strength and interference.
- Management of 'hitchhikers'
In addition you could run WEP, it is breakable but its another layer or security. Sorta like the car theif will go for the car without the club.
- Interference from WAP's and other devices that may be owned by tenants!
Here could be your big problem. As someone else mentioned there are lots of 2.4Ghz devices. Most would only cause a local disturbence, but if I decided to set up a WAP in my apartment you have no grounds to stop me from doing so. Some WAPs are smart enough to work nicely together though so it might not be as big a deal as microwaves and cordless phones.
Can't you guys agree? (Score:5, Funny)
LowneWulf states:
To which MarkKomus replies: LowneWulf states: Which is rebutted by MarkKomus: I need to know who has more money or a bigger house so I can know who to believe!Re:Can't you guys agree? (Score:2, Informative)
Actually most wireless cards I saw will seemlessly switch channels to match a given SSID. So channel assignment usually is more based on local interference.
Hehhehheh (Score:2)
Screw It... (Score:2, Insightful)
Berkeley wireless LAN (Score:3, Interesting)
Hitchhikers (Score:3, Interesting)
If you are worried about data sniffing, IPSec / WEP is your answer. If however, as I assume, you are worried about "free rides" on your bandwidth, I'd suggest PPPoE. That way no one gets on the network unless they have an account. Seeing how it is a relatively small number pf tenants I assume (less than 500 or so) it should be simple to keep a list of names / logins so as to provide a tenant with two logins should he get a second PC. This method saves you the hassle of managing a bunch of fixed IPs and MAC addresses with everyone on the network.
Re:Hitchhikers (Score:3, Insightful)
Re:Hitchhikers (Score:2)
Anyone with more than 2-3 computers probably has the know-how to set up their own LAN with NAT/proxy.
S
Our experience (Score:5, Informative)
I hope this helps. Our wireless guys pulled this off in 130 buildings over a several square kilometer area. Good Luck!
PS. Cracks about Redneck Rocky Top and such ilk should be modded -1!
Re:Our experience (Score:2)
But what they didn't tell you is exactly how they managed to pulled it off. Let's just say that I'll be looking at a nice influx of WiFi-Tech talent in about 50-60 years. I think I'll start them off with a nice simple job at the Electronic CounterMeasures factory.
Signed,
Satan
Don't expect many replies for the next 45 minutes (Score:2, Funny)
Re:Don't expect many replies for the next 45 minut (Score:2)
cluge
Security matters. (Score:3, Interesting)
Back at my alma mater, one of the students (who thought he was clever) founded an ISP that provided 802.11b wireless access to apartments on campus. Inevitably, the WEP key he used was compromised, and student account passwords were sniffed and abused. Now, common sense would dictate that he shouldn't be responsible for what a criminal does with his network; but common sense does not reign supreme in the ivory tower of academia. What happened next was shocking: the student was disciplined, expelled, and sued for damages by the state college. Although he certainly could have won his case in front of a jury, he settled because he could not afford $15k to hire a good trial lawyer. Right now he has no degree, can't get into a good school, and is pumping gas for a living.
So, if you are considering rolling out a notoriously insecure network architecture (such as 802.11[ab]), consider the fact that you may be personally liable for anything bad that a crook does with your network. Be afraid.
df
Re:Security matters. (Score:4, Insightful)
Has it occurred that this may have been a SERIOUS breach of AUP?
Alex
Re:Security matters. (Score:2)
This is what Limited Liability Companies (LLC's) are for. You create an LLC to run the network, which can cost as little as $50 depending on what state you are in, and then the only thing anyone can go after for liability is the LLC and its assets, not you or yours.
Re:Security matters. (Score:2)
The people using L2TP or PPTP would slightly disagree.
Re:Security matters. (Score:2)
"Anybody not using IPSec is an idiot."
The people using L2TP or PPTP would slightly disagree. ;-)
The people using PPTP would be slightly wrong [counterpane.com].
Re:Security matters. (Score:2)
The people using PPTP would be slightly wrong [counterpane.com].
It would help you a lot if you understood the basic problem surrounding PPTP. It's not the protocol at all, it's Windows' allowing itself to be talked down to MSCHAPv1 encryption that causes the security problem.
There is absolutely no problem with security when running PoPToP and refusing MSCHAPv1 and enforcing MPPE stateless operation.
what is your job at the complex? (Score:5, Insightful)
if you are expected to stay in house and manage the thing once it is up, get ready for a lot of sleepless nights and angry users.
it is probably MUCH more cost effective for the complex to just pay for the DSL in all the buildings and keep them hooked up forever. ~$60 a month including a phone line and you have no hassles what-so-ever. then pass the cost onto the tennant
your month cost per tennant will probably be $20-30/month in hardware depreciation and bandwidth usage. plus you would have a HUGE (you didn't give building or unit numbers so i'll guess) setup fee of $10,000+ assuming you get a couple T1s and all the wireless hardware.
as a tenant i won't pay you more than $50 a month (standard DSL cost) so you have to figure out if you can provide all this service and not spend $20 a month per user of your time. i don't think you can.
Re:what is your job at the complex? (Score:2)
While amortization of assets is technically net worth lost, it's not cash outflow per se, and thus as long as the hardware keeps working, it's not applicable to the monthly cost. If you can keep it to the point it's worth nothing, I'd be quite surprised.
What I would go for is 9 megabit SDSL if it's offered by the telco, or multiple DSL lines if not. You can provide the same theoretical bandwidth as a T1 (downstream, anyway) with one DSL connection, and there's no point getting a hardcore-business class line for residential-class users. This is also a great place for FTTH to take hold - run a fibre line to an apartment complex, branch off gigabit fibre to the buildings, run 10/100 up the buildings and out along the floors, and voila, instant high-speed network. Run the lot of them through a caching proxy server, and whee.
That being said, how do the phone lines get into the building? A T1 is a great way to get a good 64 phone lines into a building. It's possible (to my limited knowledge) that they already have the equipment and technical expertese. Then again, I seriously doubt it.
Anyway, that's my uneducated input on the subject. I'm going to go pretend to know enough to give medical advice now.
--Dan
Re:what is your job at the complex? (Score:2)
A T1 is a great way to get a good 64 phone lines into a building.
Um, a DS1 provides 24 8-bit channels. These 8 bits can be totally clean but then they're not voice channels.
On security, ditch WEP, USE A VPN (Score:2, Interesting)
I would set up the wireless network ouside a firewall, and then probably hook up a couple of machines with FreeSWAN or poptop (linux vpn servers) that will connect to the access points.
See this paper [cigitallabs.com] for a good discussion on wireless security.
How I'd do it (Score:4, Insightful)
There's several ways to go about this.
Anyway, I'm rambling now, so hopefully this helps and makes sense. If you have questions, post 'em here.
Some real help (Score:3, Informative)
IPSEC (Score:5, Informative)
simply because 802.11a/b sniffing is trivial now and mac address spoofing is
even easier. Also, I would probably recommend against going with an
established commercial wap product, as they all almost definately aren't going
to have the flexibility you need in the future and are probably way too
expensive. I would roll a couple of OpenBSD boxes with wireless cards, that
way you have an all in one solution with lots of nifty stuff like traffic
shaping per mac, monthly bandwidth accounting capablities via pf, syslog, and
tons of other stuff that commercial vendors just don't offer. And I do mean,
don't offer, regardless of price. This page [uni-erlangen.de]
offers a good howto regarding ipsec on openbsd and this page [rt.fm]
give a pretty good read on replacing wep with ipsec on openbsd as well. Good
luck.
SealBeater
Re:IPSEC (Score:3, Informative)
I don't know if it's been mentioned, but I would use IPSEC if I were you, simply because 802.11a/b sniffing is trivial now and mac address spoofing is even easier.
Three points: First, "use IPSec" is easy to say, but have you ever actually set it up? It's far easier said than done. Installing the needed software on all of the users' machines would be a bitch. And key management would be far, far worse.
Second, using IPSec doesn't really solve your security problems, because every IPSec client has the secrets needed to access the network. That means a hacker only has to penetrate one host (and they're all hooked up to *radios*) and he's into the network as a whole. In addition to IPSec you also need firewalls on every machine to make sure that *only* IPSec traffic can get through to them.
Third, and most important, who gives a rat's ass? This guy doesn't need real security, he just needs to make it a little bit harder for hitchhikers to use his Internet connection. If someone does get on, so what? They can sniff? Big deal, anything you send unencrypted over the net can be sniffed at every hop. Do you have some particular reason to trust all of those admins between you and wherever you're going? Of course not. And what about all of your neighbors? So use SSL and ssh to protect important data like credit card numbers and passwords and don't sweat the rest. The biggest danger here is that someone will score some free net access. 128-bit WEP, MAC filtering, hardwired DCHP assignments and maybe a little auditing of the DHCP logs should do the trick just fine. And maybe toss in a router with QoS extensions to make sure that neither hitchhikers not legitimate users can hog the whole pipe.
The single most common mistake people make when discussing security is to forget to consider the level of security that is actually required before picking a solution. There's a reason that banks have armed security guards but self-pay boxes in parking lots don't.
Re:IPSEC (Score:2, Offtopic)
That's the problem, attitudes like yours. I could care less about sniffing
traffic, that's not the point, the point is to replace WEP with something
better, and the goal isn't to stop people from grabbing credit card details,
it's to prevent Joe Hacker from having an easy leap off point to lauch attacks
against others. In addition, you don't need firewalls on the machines to
prevent traffic sniffing, ipsec tunnels set up on the boxes that pass IP traffic though
the wireless link work just as well. here [microsoft.com]
and here [securityfocus.com].
It sounds like if you had your way, he should just put up a couple of apple
airports and forget about it. What myself and others are doing is trying to
implement a reasonable amount of security when it should be implemented, at the
beginning, and not as a duct tape fix after there is an incident and this guy
has to explain why attacks were launched from his network. At any rate, the
openbsd boxes with wireless cards is still the ideal solution, both from a cost
perspective and a security perspective. There have been attacks against all
the commercial wireless access points, ranging from expensive Ciscos to
Breezecom to Linksys. The point isn't to have a totally locked down B1 and
above security implementation, it's to make it the kid with the laptop decide
to move on to Joe User's unsecured Linksys and not this guys network. I also
assume that this guy is looking for a way to keep costs low, and this is the
best way to do it. Somebody earlier mentioned Cisco Catalysts, yea
right
SealBeater
Re:IPSEC (Score:3, Insightful)
Security doesn't have to be perfect. If you're protecting X, you just need to protect it slightly better than most other people with X. People interested in X will take it where it's easiest to get.
And I agree that IPSEC is a PITA. It's OK as a dedicated tunnel between endpoints with shared secrets, but cert management gets to be a big nightmare, really fast for client applications.
Re:IPSEC (Score:3)
Actually, I have never been the type to say "Throw a firewall at it" as I am far more an advocate of host hardening.
Of course. Because host hardening is en vogue.
Setting up IPSec is a trivial task as others have provided instructions in addition to my own.
Have you *ever* actually set up a large-scale IPSec network? Have you ever actually had to deal with the key management issues, or install client software on 300 machines ranging from Win95 to WinME to WinXP, with a smattering of Macs, Linux boxen and others running a huge variety of operating systems? Go do it, then come tell me how easy it is.
You obviously haven't been keeping up with wireless security. MAC address filtering, DHCP logs and WEP will stop a casual attacker for about 10 minutes.
Define "casual". I'm talking about the average, clueless person who happens to have a laptop with builtin 802.11b. I'm perfectly well aware of how difficult WEP is to crack; I've done it several times. Have you? How long, on average, do you have to spend collecting packets to break WEP on a WLAN with, say, 30 moderately active hosts (which is a good estimate for an apartment complex of 300 units)? Hmmm?
Parsing the DHCP logs will do nothing to a) provide the identity of the attacker b) do absolutely nothing for forensics.
No, but it will let you know when you have a problem you have to deal with. And *that* is when you have to deal with it, not before. Why? Because chances are very good it will never happen, given the safeguards I outlined.
Name one secure AP
I was agreeing with our suggestion of an OpenBSD box as an AP. My AP at home is pretty trustworthy, because it doesn't do anything. It connects to a very tightly locked-down Linux box. I never tried to argue that one should rely on the integrated firewall/AP appliances that are on the market.
IPSEC tunnel on host machines where ALL ip traffic gets routed though to the OBSD box, please tell me how attacker is going to comprimize box, minus trojans which aren't exactly precise tools
Apartment 3B has a Windows 2000 box running an unpatched IIS (and the owner doesn't even know it). I ignore the IPSEC entirely, connect to port 80 on that box and own it. Any other questions?
Do some reading and come back with something better.
Go build some *real* systems on *real* budgets and then *really* attack them yourself and then *really* monitor *real* attackers *really* trying to break in for a while, and then come back with something better.
Re:IPSEC (Score:3, Informative)
First, "use IPSec" is easy to say, but have you ever actually set it up? It's far easier said than done.
<cough>bullshit<cough>
I just went through it. Linux-Linux IPSec is literally a walk in the park. Linux-Win2k IPSec is proving more difficult but not by much. The trick is to use x.509 certificates and use Win2k/XP's built in IPSec. vpn.ebootis.de [ebootis.de] has a little package which wraps around Win2k/XP's MMC and makes setting up certificate-based IPSec a walk in the park. The best part is that your server doesn't change as you add clients; you just add their public keys to your ipsec.d directory and tell ipsec to reread the dir.
Re:IPSEC (Score:2)
802.11i, which will use TKIP, Temporal Key Integrity Protocol which is also
based on RC4, but implemented in a different way. AES as an encryption
algorithm, has yet to be finalized and since it involves hardware optimization,
is not backwards compatible. Basing a solution which relies on an unfinished
draft may not be the wisest course in a production enviroment. You can use AES
with older hardware but it will use weaker security. In addition, devices
which will utilize AES are not expected to ship until early 2003.
SealBeater
Re:IPSEC (Score:2)
SealBeater
NoCatAuth (Score:2, Informative)
We have a wireless network at our house... (Score:2, Insightful)
There's no way to prevent hitchhikers (Score:2, Informative)
I recently spoke to some keen fellows from Baylor University [baylor.edu] that have created an OpenBSD-based firewall/logging/authentication system that takes the poster's info page one step further. Everyone authenticates via an SSL-encrypted web site in order to join the network. DHCP leases are handed out in conjunction with a login session, so you can track who does what. Logging in also opens up your firewall to allow the newly-leased IP address through.
Re:There's no way to prevent hitchhikers (Score:2)
SealBeater
HomeRF 2 (Score:2, Informative)
We bought the USB adaptors (for around $80) from Provantage [provantage.com] for less than any USB 802.11b adaptors we could find at the time.
There are some limitations with HomeRF, (I don't think roaming between AP's is supported and only drivers for Windows and Mac are provided) but in our situation it was just what we needed and it's worked flawlessly. We've had no network downtime due to interference.
Don't bother with WiFi... (Score:5, Insightful)
Neither is the case here.
You also need to remember that the 11MB/s provided by WiFi is shared between all users. If you have 50 "dwelling units" and two WiFi access points, you'll be offering a service with less maximum bandwidth than bottom-of-the-range xDSL... and you'll be charging for $100 WiFi NICs instead of $10 PCI ethernet NICs (which many PCs now have as standard anyway)... and for a service subject to atmospheric outages (ever use a WiFi network during a thunderstorm) as well as interference from a multitude of other devices like microwaves, cordless headphones and DECT telephones...
I'd recommend taking a bit of up-front hit and running CAT5 to each apartment. Put a switch on each floor (unmanaged 16-port switches are less than $80), and run each floor-switch to a central switch, and from there to the T1 router, squid server and whatever other infrastructure you've going to value-add into the equation.
This is what business-class hotels now do - just provide an ethernet RJ-45 jack and a DHCP server... all a guest has to do is plug in, configure for DHCP, and reboot.
If nothing else, support costs for a wired network are trivial... but for a WiFi? How do you explain to a user that they can't get their mail because the guy in apartment 2B is listening to a CD?
Re:Don't bother with WiFi... (Score:4, Informative)
1) 11mbit/sec actually turns into about 5mbit/sec because of error correction. (if I remember correctly, the 802.11b standard does errorchecking in a manner where it sends 12 bits and half of that is check sum.)
2) The top speed of the wireless wan is affected by the number of people on it. Just because each client connects to the AP at 11mbit/sec, it doesn't mean that the 11mbit will be guaranteed speeds.
3) you'll most likely require more than a 'couple' of access points to achieve building-wide coverage. Even the number of people in the facility that you're trying to cover affects the cell coverage size. (water absorbs and reflects RF - make sure you keep that in mind if you have plenty of foliage in and around the buildings.)
4) load-balancing is possible, but I've only seen it with the higher-end gear (ie. ciscos, etc.) That'll help with multiple people.
5) RF is prone to SERIOUS interference and even the waves are affected by the structures. This is very evident when you are a few metersaway from a radio (not line of sight) and you get a strong signal, then suddenly you walk into a RF null. not fun.
6)Make sure you use decent antennae (and make sure that the radios can handle the power requirements of the antennae you're using.)
7)Make sure that your cables and the like are properly made if you're doing them youself. If your cables suck, your signal will go to hades.
tip: make sure you have secure authentication systems and xmission security. it's no fun when someone gets 'smart' and steals free bandwidth... or worse, account data.
tip: make sure you have something there that can protect your arse should something REALLY go wrong with the network. Hell hath no fury like a geek bereft of network access.
tip: take the time to do the surveys. If you do proper surveys, you will be a much happier person in the long run.
Anyhow -- There you go. I'm sure there's some more stuff I missed. Let's hear them.
Re:Don't bother with WiFi... (Score:3)
No. You want a really spiffy switch. It needs to a) be able to do mac-port mapping, b) be able to remotely enable-disable ports, and c) support rmon/snmp. Maybe you dont need c) if you have netflow configured/running correctly, but a) and b) will save you tons of time (and therefore labor costs) longrun by doing these two things. Unless you want to walk to the place at 3am because some dumbass got rooted and you need to go unplug him because he's pingflooding efnet (it's going to happen, trust me.)
Re:Don't bother with WiFi... (Score:4, Insightful)
No. You want a really spiffy switch. It needs to a) be able to do mac-port mapping, b) be able to remotely enable-disable ports, and c) support rmon/snmp. Maybe you dont need c) if you have netflow configured/running correctly, but a) and b) will save you tons of time (and therefore labor costs) longrun by doing these two things.
Um, no.
Nice 24-port unmanaged switches are best here. You will have a fat managed switch as the uplink for all of these floor-level switches, and you will have a decent router between that and your bandwidth provider. Use the managed switch to localize which floor the disturbance is coming from, then use the sniffer port to find out the IP. Finally, log in to the router and change the ACLs so that that user (or MAC addy) is simply not allowed to go anywhere. No need to blow enormous gobs of money on managed switches for every floor.
Re:Don't bother with WiFi... (Score:3)
"Um, no." Or, at least, "Um, maybe."
Sure, you can cut the bad box off at the router, but that's not going to help the other people in the building, or sharing the switch. One needs to decide whether the value of that functionality (being able to remotely turn off a particular node, w/o affecting anyone else) is worth the expense, or that need will be rare enough that you're willing to go the switch closet and physically unplug the node.
Re:Don't bother with WiFi... (Score:3, Interesting)
Wrong.
Ever heard of contention ratio? Contention ratio is the ration between the actual bandwidth and the bandwidth available to each user. In this case you are providing 11 Mb/s of backbone for 50 users. Assuming a contention ratio of 50:1, which is fairly normal entry level ADSL, this wireless system can provide for ~3-11 Mb/s each for about 50 users. Or ~1-3 Mb/s per user at a contention ratio of 20:1.
and you'll be charging for $100 WiFi NICs instead of $10 PCI ethernet NICs (which many PCs now have as standard anyway)... and for a service subject to atmospheric outages (ever use a WiFi network during a thunderstorm)
Plenty of people have used it over multi-km distances with no problem.
Re:Don't bother with WiFi... (Score:2)
Why not wired? (Score:2, Informative)
I assume that the units already have cable TV. If they do, you should be able to run a cat-5 cable beside the cable coax and replace the wall plates with one that includes both a coax port and cat-5 port. You then run the cables to a centralized 10base2 switch for each building, and thence to a central switch for the complex. You shouldn't skimp on these - get hubs with real VLANs. Commodity switches still leak information between the ports.
This will initially be more expensive than tossing up some WAPs, but it will probably save you a lot of headaches down the road because you don't need to worry about people running AirSnort, or interference from common household electronics, or any other crap like that. If people really want wireless access, let them set up their own WAP, but make sure they know their access will be cut off if it's abused.
Use IPSEC or Kerberos with *at least* 1024-bit key (Score:4, Informative)
I setup a small AP in my apartment, only used by me, so far ;)
I used an old 486 laptop running Linux 2.4.18 (RedHat base) with an Orinoco Silver card, using 40-bit WEP (which to a cracker, is slightly inconvenient at best) and IPTABLES, MAC filtering with IPSEC 3DES and 1024-bit keys.
Be sure to use some kind of encryption better than WEP (like Checkpoint VPN, IPSEC, etc.) otherwise, it's only a matter of time before your users' account info is stolen.
Also consider the kinds of antennas used on the AP. I actually bought the 3 dB loop antenna (size of a 10" plastic ruler) but I don't even need it within my own apartment (100' radius). I use both 2.4GHz phone and microwave with no major problems in my access. Mind you, I'm not using the link for heavy-use or Internet/media streaming. Here are some links to sites that helped me:
Good luck with it, please post a link to your HOWTO when you get it running!
Screw wireless try this : (Score:2, Interesting)
PLEBR10 - ethernet via powerline
Are the apartments all on the same side of the transformer?
Does the aprartment own the power lines in the complex?
Better solution IMO no new wires, 12meg of
data vs like 3-4 for 11.b stuff AND
you can move it from outlet to outlet....
No broadcasting via airwaves so people won't even think about checking the powerline for internet
(for awhile).
If the distance between the buildings is too great, or they are seperated by a transformer,
I would think about doing a cat 5 or fiber run
between the buidings. If not, the put
a couple 11.a points up to interconnect.
Im in a different boat (Score:2)
But the point of my post is this: just because you can go wireless does not mean you always SHOULD - there are times when a wired network makes a hell of a lot more sense.
Re:Im in a different boat (Score:2)
They have no conference room and are basically in a cubical environment
The funniest part is the lady fired one girl for running windows 2000 on a laptop because "it was so insecure" and the lady that got fired refused to buy win98 from this other consultant for $200. -- yet she wants wireless (and im sure she nor her consultant have not the first clue in how to secure such a network)
Think Security First! (Score:2, Informative)
University of Maryland Study: http://www.cs.umd.edu/~waa/wireless.pdf [umd.edu]
Fluhrer, Mantin and Shamir Study: http://www.eyetap.org/~rguerra/toronto2001/rc4_ksa proc.pdf [eyetap.org]
AT&T Labs and Rice University Study: http://www.cs.rice.edu/~astubble/wep/wep_attack.ht ml [rice.edu]
Things to consider (Score:2)
If you go with 802.11a for any reason though, be warned, the cell sizes are MUCH smaller. The slowest 802.11a speed of 5 Mbit/s gives you coverage to about the same distance as 802.11b does at 5.5 Mbit/s. At least with 802.11b you can go slower in areas where the coverage is marginal.
Antennas can make a big difference to your coverage pattern, and should not be underestimated. Using semi-directional antennas is also a good way to avoid or reduce outside coverage on a building, which makes it that little bit harder for carpark hackers to get in. If you have a lot of metal around, look at using diversity (2 antennas seperated by a small distance - each antennas signals are compared and the best signal is used), which will improve coverage and reduce dropouts.
You will also want to consider the number and type of client radio's connecting to your 802.11b network. While 2 AP's might provide coverage, you may find the density of users brings everything to a crawl. Decent AP/Client card combo's will load balance across multiple AP's if the signal strength is there. Some AP's (particularly Cisco's) have a real problem delivering speed to more than 2 clients from a single AP at the same time, as they don't load balance (internally) properly. You will find 2 clients will get almost all the bandwidth, and the rest will get a tiny amount (eg: 4-10Kbit/sec). This is totally unacceptable for high user densities.
As for security, there are a number of authentication systems out there that seem reasonable, such as EAP/TLS, and Kerberos based implementations, all implemented in the AP. Authenticating using DHCP and MAC addresses is not worth it, as you can fake MAC addresses easily, and you can always use a fixed IP. That said, if the AP has MAC level Access Lists, USE THEM where possible, with other security methods. Just makes it that little bit harder.
EAP/TLS is the newcomer on the market, and usually relies on a Radius server for it's back end authentication. This is OK, as long as your users don't roam about at all. If they roam from one AP to the next, you will get delays of ~300ms as the AP re-authenicates itself with the Radius server. This might be OK if your users don't move around much, but is totally unacceptable if they are mobile in any way. All the Kerberos authentication systems I have seen distribute details to all the AP's at authentication time, so that roaming is about 50ms or less.
With encryption, if you have WEP, enable it. Once again, like with MAC level ACL's, it's just one more thing for them to get through. Many AP's now support Dynamic WEP, or TKIP (Temporal Key Integrity Protocol). There are also some devices that support AES based encryption methods, and I wouldn't be surprised to see TKIP implemented with AES instead of WEP out there as well.
Of course, you could also use a VPN solution like IPSec. I'd also recommend to use large keysizes, simply because you can. If you do use a VPN, STILL use WEP/TKIP/AES and ACL's, as it'll make it just that little bit harder to try and get into.
Remember, the object is deter them from trying to break into your network. If they try long enough, they'd probably still eventually break in. But if they can break into another system in 1/100th of the time, then unless they have a major grudge or very specific reason, they'll go that way.
Good luck!
Apartment Designs in the future (Score:2, Insightful)
Run some Cat5 through the walls and build a telephone/wiring closet into each building.
Then raise the rent about $10 a month which will absorb the cost of a T-1 and a part-time techie. 25 buildings x 12 tenants x $10 = $3000. $1500 for the T-1 connection and $1500 to keep the techie happy.
Wireless would be great, but I'll agree with the person who posted up above and say there is way too much junk out there interfering with the 2.4 GHz spectrum.
Flame away....
Re:Apartment Designs in the future (Score:2)
The idea works if you have large-occupancy buildings, ie 100+, however doing internet connectivity to an apartment correctly is very hard. There's always going to be like 30 people with their kazaa [or thing like it] on at all times, that's going to make the connection unbearable. Then there's going to be the irc dumbass who is getting synflooded for insulting some 1337 h4x0ring group. Then there's
I spent over a month setting up the architure to actually do an apt building correctly. Accounting, bandwidth monitoring, priority queueing, rate limiting, etc. This required a rather large infrastructure upgrade. The cost of that plus my labor costs will put us at break-even with the proposal in two-years time. While not necessarily a bad investment, it's a lot worse than your typical insurance company that just wants email and a webpage with their t1.
Re:Apartment Designs in the future (Score:2)
Thanks!
Re:Apartment Designs in the future (Score:2)
Good idea, but your numbers are wrong. T1s btwn 25 buildings = 24 * (linecost of t1 between them). which is more then $3k already. Frame relay can get it a bit cheaper, but you're not gonna get it under the 1500 you need for profitability.
Why route a T1 to every building? If they're close enough you can do quick optical or even PTP wired links. If they're farther you could put unidirectional antennas on some 802.11 gear and do PTP links that way. You only need one T1 up to the bandwidth provider.
Hell for that matter you could run DSL or cable to each of the buildings and link them together over a VPN but that's increasing your problems (telco/cableco goes down, etc.)
The security solution is... (Score:2, Informative)
How I do it (for my apartment only) (Score:2)
I first chose a random WEP key. I don't consider this secure at all.
I have my ThinkPad play DHCP server (so anyone with the WEP key can get a DHCP addr), and firewall everything other than DHCP and PPTP from the wireless interface. I then use slirp with PoPToP to provide stateless 128-bit MPPE, and assign each windows box a unique password (this is where the security comes from). All real traffic is encrypted; all the user has to do is "dial-in". Of course, everything is NAT'ed; hope that's what you wanted anyways
Obviously this works with 2 APs and one computer behind them.
I only have one things to tell you. (Score:2)
Your abount to walk into support nightmare. Ever heard the term you touch it you own it. Never ever give your time away for free, period. Your free installation with become in a matter of days "you touched my computer and now the printer does not work". I am by no means telling you not to move forward with the idea, this has been pushed around a good bit by many people I know. I have even helped build out a full push for a new development. Pulls, switches, and the t's. All pre-wired, DHCP, and the price was included in the rent as a "plus" to moving into the new place. I wish you the best of luck, but figure out how to make your time worth it because once they get it for free and you have touched "their" system your going to get pointed at for all kinds of things.
re: WLAN for Apartment complex (Score:3, Informative)
Some Points (Score:3, Informative)
1. PPPoE
Yes its anoying to users, and I'm not to fond of it myself, but it is a hell of alot better than any other auth method, IMHO, and it allows me to do some cool stuff with radius.
2. Amps are your friend
Most interference can be weeded out just by drownding it out. Pick a channel, and stay with it, when and if you have problems with interference amp it. Other devices that don't need as much as a spectrum in the 2.4 range, such as phones will just look for another clearer channel. At the ITECH i beamed in a signal into the convension center from a nearby hotel and ran an IP phone over it, I found out the morning of the show that lots of other people were using wireless inside the building, i just ran up to the roof of the hotel and stuck on an amp, and bamo 11Mbs, nailed.
3. Channel Selection
Most devices i've played with will either defaul to channel 1 or 6, put your signal on a high number like 9 to avoid killing your clients internal wireless network.
4. Saturation
The one concern I had is saturation, with only 11Mbs on 802.11b several power users could suck up alot of that. I would expect that more technical clients will realize that they are on an ethernet segment together and start setting up shared folders for their buddy 2 doors down so he can get all of his mp3s/porn. with enough users it could turn into a problem. I am remiding this by creating a backbone of 802.11a and then distriuting it with 802.11b
just my $.02
Re:I would not hire you (Score:2, Insightful)
If I was given a choice between a professional who never asks for help and another one who is smart enough to tap in the potential of Slashdot guess who'd get the project!
Yeah (Score:3, Informative)
Spoofing (Score:2, Interesting)
Changing your MAC or using unsolicited ARP broadcasts to take over another IP address are exactly what IP spoofing is all about. It's more than just setting a new MAC through ifconfig or Device Manager, too. Usually, you're doing some kind of ARP poison routing to do man-in-the-middle attacks or sniffing.
So it really is spoofing, as such.
Re:Spoofing (Score:2)
Re:I'm no expert but.. (Score:3, Informative)
Re:Karlnet (Score:4, Informative)
I've worked with Karlnet's stuff. It does work as advertised, but in my opinion it is not at all worth the cost (something like $500 per base station *for the software* and $25 per client). In addition, I have never ever seen their Linux driver work. They supposedly came out with a new one recently, but I haven't heard good reports about it either.
Aside from all of that, Turbocell does do some neat stuff: bandwidth throttling on the client end, key-based authentication, and it supports hidden nodes on wireless networks. It seems more suited for "wireless ISP" type of arrangements than smaller rigs as described in the article.
To Karlnet's credit, they also now have a $75 version of their firmware that goes on an RG-1000 and allows for one or two wired ethernet devices. Still more than I prefer to pay for such things. And of course, your milage may vary.
Re:Karlnet (Score:4, Informative)
Having already gone through what you are attempting to do, here are a few tips.
1. Use a DHCP server. Otherwise, you will be getting calls all the time about how to set up DNS, IP's etc. It's a nightmare.
2. Line of site through a window doesn't always work well. The glass tends to refract some of the signal. If you can align the antenna parallel to the window it will work. Also, it doesn't necessarly have to go through a window. 2.4 GHz will also go through wood and sheetrock to a certian degree.
3. It works best when you can mount the antenna outside and point it straight at the tower. People are less likely to mess with it then.
4. You may think that you have three clear channels but many companies are using this spectrum now. If you are in an urban area, you will probably find that someone is already using some or all of these channels. Check before you spend a lot of money on equipment.
5. Keep your signal levels high. When we started, we would hook up customers with an 8 dB signal to noise ratio. As time went on, the noise floor came up and we had to devise new methods to keep customers online. If you can't get at least a 15 dB S/N ratio, don't even bother hooking them up.
6. Keep your antenna cables short (usually LMR-400). This is usually your bigest sorce of signal loss.
The company I worked for eventually came up with a design where the radio card was mounted on the back of the antenna outside the building. Cat 5 cable was run to the antenna with power injected onto the unused pairs. This design works well because the signal is converted directly to 10-BT at the antenna with minimal signal loss. Since the entire unit is outside the building, there is much less interference from microwave ovens and cordless phones.
Good luck.
External antenna (Score:2)
Thanks!
Re:question - multiple antennae per WAP? (Score:3, Informative)
Diversity actually is best used to reduce multipath signals, as the radio listens to both signals, and "picks" the best signal to use from the 2 it received. Since both antennas are in different physical locations (from a few inches to about 2 feet is best), each antenna gets a different signal. Do not place these antennas in largely disparate locations, or seperated by some interfering object (like a steel support beam), as diversity works best when it can see the signal at BOTH antennas.
There are a huge variety of antennas out there, that produce different polarisation and radiation patterns. Some antennas have receiving amplifiers that produce huge (30+ dB) gain on receive, while only producing about 7dB gain on transmit. Semi-directional (from 60 degree to 180 degree coverage) antennas are great for outside walls. Some have clockwise or counter-clockwise "Circular" polarisation patterns instead of the average horizontal or vertical (circular polarisation tends to be better for point to point applications, and your antennas should match each other - CW will talk to CCW).
Re:Just wire the buildings. (Score:5, Informative)
It really is the party-pooper solution, as it's so low-tech, but when we priced it out, for most buildings Cat5 wiring is cheaper.
Depending on what kind of walls you're working with, (drywall vs. brick, etc) i've gotten quotes from roughly $30-100 per drop in an apt. Add to that $40/port for a good switch, and you're looking at $140 per room. And good cat5 contractors will give you some ungodly long warranty, on the order of tens of years.
Contrast this with 802.11. You have to pay for multiple APs (500~2k each depending on what you want/need), then you either have to a) pay for the 802.11 card for each pc and have the tenants pay a deposit (which was ~150ish when i priced them out, 100ish if they had a laptop) or b) force the tenants to buy their own. From doing some informal surveys and asking around, the latter wont work.
Then you have the line-of-sight problem (the computer has to be kinda near the window for them to pick anything up), the rf interference issue, and other funky stuff rf physics stuff. Not to mention you're on most likely a 1yr warrenty, and have to deal with helping people get their wireless card working, which can be a huge pain in the ass as likely they'll be using one of those pcmcia-pci slot converter things.
Furthermore security-wise, you honestly cannot beat having a plugged vs. not-plugged-in port, thus you can assure people are not stealing your service... A good switch will tell you what mac addresses are coming from what port, so with some good accounting on the side, you can tell exactly which apt has a hub and is sharing with their neighbors, etc. It also makes catching troublemakers (and there will be some, trust me) a lot lot easier, as you can pinpoint it to the room, not just to a mac address.
I more or less planned/ran a campus apartment project like this, and we did at first also seriously consider the 802.11 alternative, but quickly threw it away as we realized that a) it was going to certainly cost more long-run in labor than cat5 would,and b) it most likely wouldnt save us money upfront either.