Setting Up Community Network - Help and Advice Please

[MacyBook]

Greetings from a newbie to the forum.

I'm looking up setting up a community based internet service for around 25 users living on a small site.

The delivery of the internet service is fine, what I'm after some pointers on is the deployment of the infrastructure, management and security.

The ISP will be provided by a fibre company at 300Mbps.

I would need to provide each of the users with an IP address with the option to limit bandwidth depending on the IP address.
Restrictions on website and ports is essential.
Data usage per user.
Landing page for the first logon on to the device each 24hrs.
File server (for storage)

Service needs to be delivered via 8 wifi hotspots as well as the option for ethernet.

All will need to be managed remotely.

Thanks in advance for such a huge question.

 

[brandonwh64]

PFsense with a 24 port managed switch and ruckus/unifi AP's is a good setup.

 

[jboydgolfer]

Greetings from a newbie to the forum.

I'm looking up setting up a community based internet service for around 25 users living on a small site.

The delivery of the internet service is fine, what I'm after some pointers on is the deployment of the infrastructure, management and security.

The ISP will be provided by a fibre company at 300Mbps.

I would need to provide each of the users with an IP address with the option to limit bandwidth depending on the IP address.
Restrictions on website and ports is essential.
Data usage per user.
Landing page for the first logon on to the device each 24hrs.
File server (for storage)

Service needs to be delivered via 8 wifi hotspots as well as the option for ethernet.

All will need to be managed remotely.

Thanks in advance for such a huge question.

Many of the requirements you mention would be provided by any residential level router. Aside from the 25 user thing pretty sure everything you've mentioned can be done with the residential grade router that's worth it's weight. So basically you really need to be focusing on the deployment of this physical network as in my opinion your requirements are minimal at best and certainly not difficult to reach

A few things you may want to consider adding.

Price range
Your location country
And any other specifics you can think of that would help other users answer your questions

 

[MacyBook]

Thanks for both replies..
Price range would be around $1000USD, we would be content with second user parts, this is a community project. This prices doesn't include cabling, we are able to complete that ourselves.
County - France

I suppose additional factors worthy of considering are:

1. Seemless exchange between AP's
2. Total site is only 900m2
3. Essential is the remote management of switch, AP's and file server.
4. POE for the AP's
5. File Server could be a simple NAS
6. Potential for token or paid for access to the network for visitors?

What would the residential router suggestions be? Isn't that going to make network management limited?

 

[brandonwh64]

I just mentioned PFsense is a firewall/router combo based on linux. Very powerful and flexible.

 

[MacyBook]

I just mentioned PFsense is a firewall/router combo based on linux. Very powerful and flexible.

Sorry should have answered that part in my previous post.
Looked at PFsense previously and the possibility of running it from a Firebox X700. I know it's old technology now but seems ideal for PFsense, only issue would perhaps be bandwidth.

 

[Kursah]

I would recommend something newer to run PFSense on, something that can better handle traffic management and bandwidth while still running at full WAN speeds. The X700 would probably be okay...but I decided against it overall. But it will get the job done and if you don't need or use the features I am...and keep it simple, you'll be fine most likely.

Many home grade routers will struggle once you get more than a few users connected, any extra services will kill the WAN bandwidth.

I agree with PFsense though, I run one at home...did a custom built mITX unit for around $250 that runs my network, VPN servers (OpenVPN) and IPSec site-to-site tunnels, bandwidth monitoring, transparent proxy web cache, and IDS/IPS security services. Works friggin' amazing. Mine was based around an Asus N3150-C board with quad core Celeron SoC. Has the encryption acceleration features that PFSense can take advantage of, keeps me running at full speed with extra stuff going on. I have over 20 connected devices both physical and virtual at any given time.

Each users having an IP is easy enough...I'd use the PFSense to create a VLAN for each location, giving each their own subnet range...limit it to a /30 if you want to be like an ISP. That way they can plug into the wall with their own router and run their own private networks or they can plug in their computer and be isolated from the other users...this keeps the security risks down especially if someone gets infected on the network.

Ubiquity has some very good and affordable wireless access points in their UniFi line, if you can, get the AC Pro's. Better range and speed. These devices are also easy to manage with the UniFi software. Using Guest services will allow for the login pages you seek over WiFi.

Depending on your switch needs, I actually prefer Netgear units under $150 with lifetime warranties if you need basic switching, if you go with VLANs you may want to consider going with a managed switch so you can manage each ports assignments though. Otherwise Cisco, Netgear, Ubiquity, HP/Aruba, etc. all make some good managed options...but expect to pay a few hundred bucks or more for a quality managed L3 switch.

You can restrict quite a bit with PFSense, but you can also force your gateway router (regardless if its PFSense or not) and all users via DHCP to be directed to a DNS filter service like OpenDNS. Create a free Home account and choose what content is blocked from access, add sites to whitelists and blacklists. Very effective way to handle your network and content filtering. You could also use Squid Proxy filtering as well as ClamAV on PFSense....would be a very effective combination.

This sounds like a fun project! I'm looking forward to seeing how it pans out and what you decide to go with!

 

[MacyBook]

I would recommend something newer to run PFSense on, something that can better handle traffic management and bandwidth while still running at full WAN speeds. The X700 would probably be okay...but I decided against it overall. But it will get the job done and if you don't need or use the features I am...and keep it simple, you'll be fine most likely.

Many home grade routers will struggle once you get more than a few users connected, any extra services will kill the WAN bandwidth.

I agree with PFsense though, I run one at home...did a custom built mITX unit for around $250 that runs my network, VPN servers (OpenVPN) and IPSec site-to-site tunnels, bandwidth monitoring, transparent proxy web cache, and IDS/IPS security services. Works friggin' amazing. Mine was based around an Asus N3150-C board with quad core Celeron SoC. Has the encryption acceleration features that PFSense can take advantage of, keeps me running at full speed with extra stuff going on. I have over 20 connected devices both physical and virtual at any given time.

Each users having an IP is easy enough...I'd use the PFSense to create a VLAN for each location, giving each their own subnet range...limit it to a /30 if you want to be like an ISP. That way they can plug into the wall with their own router and run their own private networks or they can plug in their computer and be isolated from the other users...this keeps the security risks down especially if someone gets infected on the network.

Ubiquity has some very good and affordable wireless access points in their UniFi line, if you can, get the AC Pro's. Better range and speed. These devices are also easy to manage with the UniFi software. Using Guest services will allow for the login pages you seek over WiFi.

Depending on your switch needs, I actually prefer Netgear units under $150 with lifetime warranties if you need basic switching, if you go with VLANs you may want to consider going with a managed switch so you can manage each ports assignments though. Otherwise Cisco, Netgear, Ubiquity, HP/Aruba, etc. all make some good managed options...but expect to pay a few hundred bucks or more for a quality managed L3 switch.

You can restrict quite a bit with PFSense, but you can also force your gateway router (regardless if its PFSense or not) and all users via DHCP to be directed to a DNS filter service like OpenDNS. Create a free Home account and choose what content is blocked from access, add sites to whitelists and blacklists. Very effective way to handle your network and content filtering. You could also use Squid Proxy filtering as well as ClamAV on PFSense....would be a very effective combination.

This sounds like a fun project! I'm looking forward to seeing how it pans out and what you decide to go with!

Excellent thanks for that.

In terms of bandwidth across the network would you suggest Gigabit necessary? Just to price out the switch.
Should have added the community intends to add 3 3MP IP cameras on the back of the network.

Glad this sounds fun, I'm really looking forward to the project. Certainly much to be learnt along the way!

Thanks

 

[Kursah]

Yes I would suggest gigabit is necessary, we're on the cusp of LAN's entering the 10-gig era in a decade or so I would imagine...infrastructure is happening. If you do CAT6 runs you'd likely be in compliance for the future too....not necessary though. But gigabit equates to about 100MB/s, the next option down, FAST Ethernet or 100 Megabit would equate to about 9MB/s. That's not fast enough if you have a file server, 25 users, and IP cameras in this day and age...sure there will be many times where the bandwidth won't be fully utilized, but when it is you'll be thankful you had gigabit.

I would also suggest with the file server you use NIC teaming if possible, and use 2-4 NIC's to allow for better bandwidth usage for more users without choking down along with failover capabilities should one NIC fail.

Look into Captive Portal for PF Sense, sorry I meant to bring that up before.

Also another thing to consider, with the IP cameras and Access Points you may choose...if you get them to meet a certain POE standard you could get a POE switch. Power and data over Ethernet is awfully nice to keep things simple.

I'd also recommend that you terminate all of your runs into a patch panel and use short jumpers to the switch. Makes changes, diagnostics, changeouts and clean wiring much easier to accomplish.

 

[cdawall]

Ubiquiti Edgerouter, 24 port managed switch and a couple unifi AP's. Off the shelf, cake setup for the network and it works.

 

[Kursah]

That is one thing I haven't done with an Edgerouter is setup an access portal like Captive Portal. Last I checked UBNT didn't support this on Edgerouters and some folks were using workarounds for it. Admittedly we sell far fewer UBNT routers anymore in favor of Netgate and PFSense (and now Sophos too...).

But agreed, an Edgerouter is a solid option...Ubiquity really makes good stuff.

This also comes down to comprehension of network configurations, but really depending on what you want to do for access this shouldn't be too bad. Though depending on how many different rooms/apartments there are, I'd still consider VLANs. Then tie an SSID to those VLAN's. Though wireless could be a little different...you're limited to 4 SSID's iirc correctly. But what you could do there is make the main SSID a guest network, and either use it's portal services or forward to the router's portal services.

If you use guest services on UBNT, it'll make sure each user is isolated and can only access the Internet and no other LAN resources...which might pose a problem IF you want them to have access to the file server. If that is the case...a few more AP's and tagging them for the corresponding VLAN(s) would be an option. You can setup bandwidth usage limitations also which is implemented nicely and super easy to use.

Do you have the infrastructure runs already in-place?

 

[MacyBook]

Do you have the infrastructure runs already in-place?

No not yet, that I suppose is the beauty of this early plan. It was hoped to tie users to the entire wifi network and provide those who need ethernet, some will for IPTV, directly.
In most cases the wide area wifi will be sufficient for most users, they just need internet for their tablets and laptops. Just use some way to differentiate between guest and registered user???

 

[Solaris17]

I'd use the PFSense to create a VLAN for each location

This VLANs are important here.

 

[Kursah]

No not yet, that I suppose is the beauty of this early plan. It was hoped to tie users to the entire wifi network and provide those who need ethernet, some will for IPTV, directly.
In most cases the wide area wifi will be sufficient for most users, they just need internet for their tablets and laptops. Just use some way to differentiate between guest and registered user???

Well you'll have the guest network which is and can be setup differently with/without portals that is separate from your internal network (even though they'll use the same subnet unless you specify VLAN's or otherwise). The nice thing when you choose guest network mode, no matter what, the users that connect to that are in isolation mode. Which is super useful...keeps them from doing anything on the LAN, as they can only access the WAN-side or Internet.

Each UBNT AP has a 4 SSID limitation, so depending on what and how you want to do it, I'd still have a dedicated wireless network for each user that uses a VLAN...using the main router to manage VLAN's, subnets, DHCP and DNS for those networks. You could spend some big money and go Ruckus AP's, but you'd max your budget pretty quick with 2 AP's....but damn are they epic for stuff like this. Especially if you manage with a ZoneDirector (not required).

Is this a complex that you're providing services for? If so you could make the SSID's related to that...give them each a predefined access and then have all AP's share the same guest network.

There's a lotta different ways to accomplish this. I am at work so I can't really expand more yet...but let's keep talking this out and get you a good gameplan. What is your experience with networking and VLANs?

 

[MacyBook]

Thanks, really do appreciate the idea, suggestions and help. VLANs - zero but hear to learn (if not steeply!)

Yes, it's a complex of properties located on a small footprint. There are streetlamp around the site which are helpfully ducted to a basement of each block of properties. There are 9 blocks in total + a pool area which should have wifi and two locations for IP camera.

UniFi kit seems a better price point option for what we need.

Thanks for the continued help.

 

[Kursah]

If you can't run wires underground, Ubiquity has some AirFiber gear that might be helpful for point-to-point. But having all those wireless broadcasts in a smaller area could lead to some serious issues as well...you'd want to run the wireless bridges up high if you need em.

Here's some VLAN material:

https://help.ubnt.com/hc/en-us/arti...ntroduction-to-Virtual-LANs-VLANs-and-Tagging

http://www.firewall.cx/networking-topics/vlan-networks/214-vlan-concept.html

https://networklessons.com/switching/introduction-to-vlans/

 

[stinger608]

I'll be picking your brain here soon as well @Kursah

 

[MacyBook]

Ok, so a minor set back in that we can't get the internet in at 300Mbps, we now are probably going to have to rely on a poor wimax/mesh system to deliver 2 or 3 40Mbps services in and carefully route from there.

I'm going to look at some reasonably prices kit, perhaps from a famous online auction site to set up on the bench so I can get my head around VLAN's, routing and delivery. Not intending to go Gigabit for this dry run just a cheap L3 POE switch... Suggestions? Ideally something with a web interface rather than command lines from a notepad.

Thanks for the reading material @Kursah, really informative. Trouble with search is you need to know what to search for in the first place.

 

[Kursah]

Well using a router capable of multiwan shouldn't be an issue. You can do some neat things with PFSense for failover and link aggregation that could be useful to maximize bandwidth usage and reliability.

Here's a good place to look for switch suggestions, the Reddit Homelab: https://www.reddit.com/r/homelab/comments/2zpncb/150_budget_best_managed_switch_for_homelab/

You shouldn't steer clear of CLI, many switches can do a lot in the GUI, but many also do it better in CLI. Also there's usually a lot of good documentation out there to help you and really any network admin should be able to do some command-line work. If not, you could really cause yourself some grief later on when you need those familiarity skills or ability to do so in the event of an outage, misconfiguration, corruption, failure, etc.

Putty, SSH, console cable (USB to serial), get to know them.

Not that you will have to in order to manage a network, but there's a chance at some point you'll need to.

Beyond that, you should be okay grabbing some cheaper gear to screw with on your bench and get familiar with VLAN tagging, untagging, inter-vlan routing, ACL's, etc.

 

[remixedcat]

This is a great starting point: 5 APs, A great firewall, a 8 Port PoE switch, and Cloud key to manage it all Under Budget and behind schedule... Easy to manage and lots of features.

Ubiquiti Unifi Ap-AC Long Range - Wireless Access Point - 802.11 B/A/G/n/AC (UAPACLR5US) *5 PACK*
https://www.amazon.com/dp/B018RIR02C/?tag=tec06d-20


Ubiquiti Networks 8-Port UniFi Switch, Managed PoE+ Gigabit Switch with SFP, 150W (US-8-150W)
https://www.amazon.com/dp/B01DKXT4CI/?tag=tec06d-20


Ubiquiti Unifi Cloud Key - Remote Control Device (UC-CK)
https://www.amazon.com/dp/B017T2QB22/?tag=tec06d-20


Ubiquiti Unifi Security Gateway (USG) <<these have more security features than the ERL/ER/X
https://www.amazon.com/dp/B00LV8YZLK/?tag=tec06d-20

900some USD total... Leaves you room to deploy another AP if you need to.

Reviews I did on the Unfi APs here: http://remixedcat.blogspot.com/2015/12/ubiquiti-unifi-ap-ac-lr-and-lite-review.html

 

[Delta6326]

This is a sweet AP from Ubiquiti I've been thinking of getting one to play with AP HD.
It can handle a lot of people, but it would send you over your budget you would probably want 3 for sure depending on the building's layout and materials.

Ubiquiti Unifi AP HD
https://unifi-hd.ubnt.com/

Can check out the new Unifi AC Mesh can come off of a AP.
https://unifi-mesh.ubnt.com/#products

I have a Edgerouter POE-5 --> Unifi LR, they work great, but I want to get a USG, AP HD, Unifi AC Mesh outdoor's for the farm and a Cloud Key.

 

[remixedcat]

I have a USG and a switch 8, and cloud key in addition to a AC-Lite and LR

 

[Kursah]

I have a USG and a switch 8, and cloud key in addition to a AC-Lite and LR

So I was under the impression that the USG's were failing to replace the EdgeRouter series as initially planned and weren't quite as capable. But you're saying they have more security features now? I'm interested in your comparison when you get some time.

 

[remixedcat]

I will review it when I can setup a entirely new staging physical network, which might be a while... Can't take my main MX64 offline for that test... so need to get a few things to run it isolated...

One note about the USG**More command line is needed for those features but it's easy enough...

 

[Rhyseh]

The USG's have some management issues, but Ubiquiti have been making some great advances with their Unifi controller software. For a unified management system it makes alot of sense