Slashdot Mirror


Building a Wireless Network for an Apartment Complex?

itwerx asks: "I've been asked to design a wireless infrastructure for an apartment complex. Tenants will pay an 'access deposit' and a monthly surcharge to get a PCMCIA/PCI/USB network card along with free installation and, of course, wireless Internet access. The buildings are arranged such that 2 WAP's per building should cover all the tenants (one WAP per side, far enough away to get line-of-sight through the windows). I do have a few concerns, however. All help is appreciated and when we're done we'll put up a HOWTO!"

"My concerns are the following:

  • Interference between WAP's (there are several buildings) - there are enough channels if we go 802.11a but cost is a concern.
  • Management of 'hitchhikers' - we're planning on manual assignment via DHCP/MAC address for tenants with others having all their HTTP requests get directed to an info page. Anybody done something different?
  • Interference from WAP's and other devices that may be owned by tenants! Should we just avoid the default channel and hope for the best?!?
What other things might I need to worry about?"

294 comments

  1. interference.. by molo · · Score: 5, Interesting

    Interference between the two WAPs is not really what you have to worry about. Put them on different channels on opposite ends of the chunk of 802.11b spectrum and it's done.

    The real issue is interference from other devices. I hope no one has a 2.4GHz phone.. or a microwave.. or X11.. or one of the other dozens of devices on the (unregulated) 2.4GHz band. It can knock your 11Mbit down to 1.

    --
    Using your sig line to advertise for friends is lame.
    1. Re:interference.. by molo · · Score: 3, Funny

      er.. um.. I meant X10. Bad Geek!

      --
      Using your sig line to advertise for friends is lame.
    2. Re:interference.. by Anonymous Coward · · Score: 0

      2 wireless access points? Good luck...I don't suppose that the tenants are prepared to give up their microwave ovens or their 2.4 GHz cordless phones.

    3. Re:interference.. by BrookHarty · · Score: 2

      I couldn't use 2.4GHz remote video (computer display in the living room) because of all the 2.4GHz interference. Though my 2.4GHz phone seems to work perfectly. Neighbors have X11 stuff too. Good luck.

    5. Re:interference.. by Anonymous Coward · · Score: 0

      Microwaves are strongly controlled and are only one single frequency, all of them. I would worry more about the phones or the X11's, which need to have different channels from each other to operate, and are therefore spread across a range of frequencies.

    6. Re:interference.. by ergo98 · · Score: 1

      He's talking about 802.11a though, which operates at 5GHz and is far less polluted (not to mention much faster, and with a comparable range in real life tests).

      Offtopic: I have "s" as a nickname for Slashdot in Opera (so I enter s in the address bar and it brings me to Slashdot), but every now and then I forget to hit F2 and put "s" in Google (which happens to be my homepage). I find the first result (searching on the letter "s") rather hilarious given the context...conspiracy?

    7. Re:interference.. by Anonymous Coward · · Score: 0

      Dude, I'm eating!!!

    8. Re:interference.. by fmaxwell · · Score: 1

      Dude, I'm eating!!!

      Who?

    9. Re:interference.. by nettdata · · Score: 2

      I hope no one has a 2.4GHz phone..

      Exactly. :) I was at a friend's place last weekend doing some programming, and before I went over I asked if he had all the cabling I needed to "plug-in". He told me to "get with the 90's" and grab a wireless card as he was running a wireless network at his place. I figured it was about time to upgrade and get rid of some wires at my own place, so not only did I pick up a card, I also picked up a WAP.

      Went over to his place, and things were going ducky, except occasionally the signal would drop from 90% to about 3%. When I asked him, he said that it happened occasionally, but he didn't know what was causing it.

      Turns out that it was his 2.4 GHz phone... his wife (who ran an at-home business) would be using the phone without him knowing it. The thing that twigged me was that Linksys was plastering the "2.4GHz" label all over the packaging of the WAP I just bought.

      We messed around a bit with phone base station and WAP placement, and eventually got rid of the problem when he dug out his old 900 MHz phone.

      --
      $0.02 (CDN)
    10. Re:interference.. by droid_rage · · Score: 1

      Actually, most microwaves are pretty well shielded, even though they do run in the 2.4GHz range. While implementing Wireless at my company, I stood by the four microwaves in our kitchen at lunch time and watched for interference. I got good signal strength even when all four were running simultaneously.

    11. Re:interference.. by sysadmn · · Score: 1

      No, X Version 11 throttles bandwidth pretty well also...

      --
      Envy my 5 digit Slashdot User ID!
    12. Re:interference.. by Anonymous Coward · · Score: 1, Interesting

      I think the poster meant X10's XCam and other wireless video products. These blast the entire 2.4MHz band indiscriminately and blow away most of what's in their way -- quite a dirty signal frankly since it puts harmonics everywhere. The picture is beautiful until someone turns on an old microwave or a 2.4GHz phone, then you lose all semblance of reception. Cool thing was you could see stable bit patterns on the TV it was hooked up to if it was a phone. I wouldn't expect those suckers would play nice with WAPs given how they react to other 2.4GHz creatures.

      Strangely enough, a coworker with the expensive Siemens home-PBX-cordless bundle reports that those phones drop his 802.11 every time, but I'm surrounded by neighbors on 3 sides using the cheaper Vtech version of the product with nary a dropped bit! Go figure.

      OT: These days I use a Recoton 900MHz video sending device that plays nice with my 900MHz phone even. The 2.4GHz video relays are VERY nice featurewise (clear picture, stereo baseband AV outputs on the receiver, and even passes IR remote signals in a single paperback-sized doodad). Unfortunately they don't work well in condos, apartments or other high-density residences due to the neighbors' interference sources. You lose everything the first time someone picks up their cheap 2.4GHz phone.

    13. Re:interference.. by baudbarf · · Score: 1

      He told me to "get with the 90's" and grab a wireless card as he was running a wireless network at his place.

      Tell your friend that the 90's ended a few years ago; the official new millennium ANSI standard phrase for telling someone that they are outdated is, "Join the rest of us here in the 21st century, dude." This standard will only be in effect until the year 2020, in which we will revert to the more familiar "Get with the 20's!"

      --
      You can run but you can't hide, except, apparently, along the Afghan-Pakistani border.
    14. Re:interference.. by richardlvance · · Score: 1

      Amen. To get my 802.11 working I had to toss the Panasonic 2.4GHz DSSS cordless phone and the 2.4GHz X10 remote camera thingy. Both kill 802.11b.

      For an apartment I'd definitely go 802.11a for building to building and use IP over power line within the building.

      There is simply too much crud in the 12.4 GHz unregulated band to take an apartment network to the bank.

      --
      cursethedarkness
    15. Re:interference.. by Anonymous Coward · · Score: 0

      him

    16. Re:interference.. by matguy · · Score: 1

      I'm working on a similar project (almost identical) and is ip over power line a reality right now? I never see them anywhere and what are the effects of the power grid? Can I just plug it to a building and feed the place or if I feed one building is it going to feed the neighborhood? Price is also an issue.

      Of course our luck once we got it all set up they'd stretch the dsl that stops 1/4 mile down the road to us.

      --
      matguy(.com)
  2. I'm no expert but.. by wbav · · Score: 0, Redundant

    I've heard of people being able to spoof mac addresses. I think you may need to watch out for that.

    Also education of the tenants will be needed. You don't want them to come running to you because the hotmail server went down.

    --
    =================
    Unix is very user friendly, it's just picky about who its friends are.
    1. Re:I'm no expert but.. by mfos.org · · Score: 3, Informative

      Pick up Hacker's Challenge. They detail 20 real life attack scenarios, many of them are attacks against a wireless network, and they detail the steps taken to prevent attacks of that nature.

    2. Re:I'm no expert but.. by wbav · · Score: 1

      How did I get redundant when I was the first to post this?

      --
      =================
      Unix is very user friendly, it's just picky about who its friends are.
  3. MAC Address/DHCP by dbarry · · Score: 5, Informative

    MAC addresses are fairly easy to spoof (at least in OpenBSD), and any two-bit Prism based sniffer can tell the MAC addresses of other nodes on the network. It would probably be better to go with a different scheme, such as login/passphrase authentication, rather than MAC address. I know UC Berkeley is using some sort of program like that; check out Calnet.

    1. Re:MAC Address/DHCP by MarkKomus · · Score: 2

      There are some products on the market, possibly under the name of Virtual Community Network solutions. I know my old company (before we crashed and burned) was developing a product for just this type of situation and I was coming up against most of these security concerns.

      From what I know of the different solutions most were a central server that all the access points connected to, that would then proxy/forward all requests to the internet.

      If you want to go for the extra evil points you could force ads to your clients with this type of solution as well.

    2. Re:MAC Address/DHCP by sirket · · Score: 3, Informative

      The poster mentioned 802.11a not b. As a result, the product will be operating in the 5 GHz spectrum instead of 2.4.

      -sirket

    3. Re:MAC Address/DHCP by Alan+Cox · · Score: 4, Funny

      WEP is worthless, MAC based authentication is worthless, basically treat the cards as a public shouting space no more.

      You need end to end encryption for the users. That is easy for the Unix crowd but for "what does this button do" level folks something like PoPToP and getting them to use PPTP may work out easier (although early PPTP isn't terribly secure either).

    4. Re:MAC Address/DHCP by Anonymous Coward · · Score: 2, Insightful

      That point is debatable - this is a residential network. He will need stronger login security (maybe PPPoE would work for you - you'd just need a Linux box somewhere acting as a RADIUS server).

      Basically the people that need/are concerned about encryption can set it up, but why enforce an extra level of difficulty on the everyday users who are checking out cnn.com and pr0n?

    5. Re:MAC Address/DHCP by Kris_J · · Score: 2

      Only as an "if".

    6. Re:MAC Address/DHCP by erc · · Score: 1

      PPTP is garbage. SSH is your friend.

      --
      -- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
    7. Re:MAC Address/DHCP by Bishop · · Score: 3, Insightful

      Strong authentication is needed for this network. A VPN is a pretty good way to ensure strong authentication. PPPoE is no easier to set up than a VPN really. PPP authentication has problems anyway. Besides I think people are warming up to the idea of protecting their privacy.

    8. Re:MAC Address/DHCP by fishebulb · · Score: 2

      First off, email passwords could easily be sniffed; passwords of all kinds can be collected.

      But most importantly, he doesn't want NONpaying customers on the network. He needs a way to authenticate a client, and prevent others from getting the MAC address and spoofing etc.

      The users may not care about their security, but that's their problem. He cares about people abusing the network.

    9. Re:MAC Address/DHCP by Yottabyte84 · · Score: 2

      PPP over SSH even.....

    10. Re:MAC Address/DHCP by neilb78 · · Score: 1

      Don't waste your time figuring out how to make this 100% secure. Use MAC addresses to determine who should be on the network. If someone spoofs an address then you'll likely have a resident complaining that they can't get online...so you'll investigate it. It's not like they are going to be able to spoof the address forever and get free internet for life.

      Also, 95% of the people won't be attempting to do this anyway. Your goal here is to make money and provide reasonable service, not secure the network.

      --
      © 2004 The SCO Group, Inc. All Rights Reserved.
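Building on dbarry's point (a MAC address is easy to copy) and neilb78's (a copied address tends to surface as a collision you then investigate), here is an added detection example that is not code from the thread. It parses constructed gateway log lines (the line format and field names are assumed) and flags any MAC seen on two different access points, or with two different IPs, within a short window.

```python
"""Flag MAC-address collisions in constructed access-point association logs.

Added example, not from the thread. The log format below is assumed: one
line per association/DHCP event with a timestamp, the AP the client joined,
the client MAC and the IP the gateway handed out.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) mac=(?P<mac>[0-9A-Fa-f:]{17}) ip=(?P<ip>\S+)"
)

# Constructed sample: card 00:02:2d:11:22:33 is seen on two APs in different
# buildings 40 s apart, and later with a second IP on the same AP. Card
# 00:02:2d:44:55:66 roams an hour later, which is a normal tenant moving.
SAMPLE_LOG = """\
2002-06-01T20:00:01 ap=A-north mac=00:02:2d:11:22:33 ip=10.0.1.23
2002-06-01T20:00:05 ap=A-north mac=00:02:2d:44:55:66 ip=10.0.1.24
2002-06-01T20:00:41 ap=C-south mac=00:02:2d:11:22:33 ip=10.0.1.23
2002-06-01T20:10:00 ap=A-north mac=00:02:2d:11:22:33 ip=10.0.1.23
2002-06-01T20:11:30 ap=A-north mac=00:02:2d:11:22:33 ip=10.0.1.99
2002-06-01T21:00:00 ap=B-north mac=00:02:2d:44:55:66 ip=10.0.1.24
"""


def parse(log):
    """Yield (timestamp, ap, mac, ip) for every line that matches LINE_RE."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog noise is skipped, not an error
        yield (datetime.fromisoformat(m["ts"]), m["ap"], m["mac"].lower(), m["ip"])


def find_mac_conflicts(log, window_seconds=120):
    """Return alerts for a MAC seen on two APs, or with two IPs, within the window.

    Each alert is (mac, kind, previous_value, new_value, seconds_between).
    A tenant walking between buildings can also trigger the "two APs" case,
    so treat alerts as something to investigate, not as an automatic block.
    """
    last = {}  # mac -> (timestamp, ap, ip) of the most recent sighting
    alerts = []
    for ts, ap, mac, ip in sorted(parse(log)):
        if mac in last:
            prev_ts, prev_ap, prev_ip = last[mac]
            gap = (ts - prev_ts).total_seconds()
            if gap <= window_seconds:
                if ap != prev_ap:
                    alerts.append((mac, "two APs", prev_ap, ap, int(gap)))
                if ip != prev_ip:
                    alerts.append((mac, "two IPs", prev_ip, ip, int(gap)))
        last[mac] = (ts, ap, ip)
    return alerts


if __name__ == "__main__":
    for alert in find_mac_conflicts(SAMPLE_LOG):
        print(alert)
```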
    11. Re:MAC Address/DHCP by GlassUser · · Score: 2

      Hello, VPN?

    12. Re:MAC Address/DHCP by Oztun · · Score: 2

      Are you joking? How can his clients use an SSH VPN easily?? I think his choices are PPTP or IPSec in this case.

    13. Re:MAC Address/DHCP by matguy · · Score: 1

      Being you're in an apartment building you'll eventually find the problem people and either annoy them (by shutting off their hacks and blocking them when they annoy you) long enough that they'll finally just pay for the service or, if you as the service provider are part of the apartment management, you could possibly evict them. I'd be more worried about neighboring residents outside the complex if there are any.

      --
      matguy(.com)
  4. Could you use this..... by Anonymous Coward · · Score: 0

    to build a Beowulf cluster?

    Beer - it's not just for breakfast anymore!

    1. Re:Could you use this..... by Grassferry49 · · Score: 1

      I guess in theory that you probably could. It might not be the greatest Beowulf cluster but it would be cool to have nodes all over a building. Be like, and as we continue our tour you'll see my 2GHz Athlon processor based machine with 2 GB of RAM which yes is another node in my Beowulf cluster.

      --
      Visit BobtheKing.com it's perhaps the best thing I've ever made to waste your time with.
  5. Re:I would not hire you by Anonymous Coward · · Score: 0, Funny

    Dear Slashdot:

    What is the most effective way to kill trolls? PLZ K THX

  6. Re:I would not hire you by FCAdcock · · Score: 1

    You wouldn't hire anyone who didn't know _exactly_ what they were doing? I'm sure you knew exactly what you were doing on the first day of every job you've ever had. Have you never done anything new and had to learn how to do it before?

    --
    --Forest C. Adcock--
  7. Security is the biggest issue... by sundip01 · · Score: 2, Informative

    Once you are done with the physical layout you should consider a VPN-type solution along with WEP and an ACL to prevent passers-by from hacking the tenants' machines...

    1. Re:Security is the biggest issue... by Anonymous Coward · · Score: 4, Insightful

      WEP is weak. Especially in situations where there is a lot of use and lots of bits flying around. All that one needs to do to crack a WEP key is accumulate data sent using said key.

      See: AirSnort

      Rather than worry about people having their sh*t sniffed, here are a couple other solutions:

      #1. Set up a portal that uses HTTPS and fetches web pages for the user, then presents these pages to them.

      Pros: Simple
      Cons: Doesn't really work all that well with some sites

      #2. Use IPSec

      Pros: Damn secure.
      Cons: CPU intensive, limited software support outside of the OSS crowd.

      #3. Keep it insecure, but keep the users educated. Let them know their data may be sniffed easily, but also let them know what HTTPS is. Show them how to sign into their Yahoo mail so that their password won't get sent in the clear, etc etc.

      Pros: Cheap ;)
      Cons: Depends on the intelligence of users. You never want to do that ;)

    2. Re:Security is the biggest issue... by erc · · Score: 1

      #0 (and the prefered one by a *wide* margin) Use SSH.

      Pros: Free, runs on *nix and Windows. Your data is secure. You can tunnel any tcp protocol through it. HTTP, IMAP, SMTP, etc.

      --
      -- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
    3. Re:Security is the biggest issue... by Cef · · Score: 2

      I think you missed his original idea, which is that you should implement a VPN, and still turn on WEP and ACL matching. This way, they'll break the ACL match, break WEP, and then go "Ahh crap! A VPN!", which at that point they may decide it's just too much to break. A VPN by itself, makes the job to break it easier, (even if not too much easier).

      Would you still leave your car doors unlocked if you had an engine immobilizer?

    4. Re:Security is the biggest issue... by tzanger · · Score: 3, Insightful

      #2. Use IPSec
      Pros: Damn secure.
      Cons: CPU intensive, limited software support outside of the OSS crowd.

      OSS only? Win2k has support for it in its default configuration. I use this procedure to get Win2k to connect to my FreeS/WAN gateway using X.509 certificates. Piece of cake (it looks convoluted but it's really easy once you do it once or twice) to set up, and lets anybody (Linux, Windows, Mac, anyone with IPSec and X.509) on in a secure fashion.

      CPU intensive? Not that I'm aware of. I'm pushing about half a T1 to another frees/wan server using a P100 on one side and a P200 on the other. Now I imagine this scales less than linearly for each client that connects, but I've been pleased with the throughput of this little computer.

    5. Re:Security is the biggest issue... by Anonymous Coward · · Score: 0

      Cons: A typical Windows user can't set it up. Education is necessary, and more support requests.

    6. Re:Security is the biggest issue... by Oztun · · Score: 2

      You posted it twice so once again... How can the apartment tenants easily setup an SSH tunnel? With IPSec or PPTP the protocol is built into Windows.

    7. Re:Security is the biggest issue... by matguy · · Score: 1

      I'm relatively sure you're going to want a fairly turnkey solution for the residents. The more you have to set up for them the more often you have to fix their other problems in the process, and if it's something that they can set up themselves you can justify a higher personal install fee if they choose to have someone else do it. I'm sure that something as simple as a modem (be it internal or external) is what you're going to need to be really feasible, otherwise the labor cost benefit of not running the cables can be outweighed by support costs of setting people up and keeping them running.

      In an apartment building the main benefit of running wireless is not having to run cables and install jacks in the individual apartments, but if you're spending 3 hours to set up individual people anyway you might as well just run a cable and get them a cheap nic. The other benefit (which is where I'm at) is when the apartment owners/managers have no interest in the project and you are doing it as a grassroots effort (ok, I'm looking for a reason to get a T1 and need to offset the cost.)

      My advice is only if you can't do it with wires then go wireless, or use the wireless to just go point to point (something more directional and maybe non "standard" say on the roof or something) just to get the network to the building and then run cables to the individual apartments. I'm much more fond of the physical access granting method than software.

      Now of course you would still have to worry about people doing their own grassroots efforts (or even people that don't know they're doing it) and setting up their own access points and sharing with their neighbors. Oh man... this wireless deal opens up a whole can of worms now doesn't it?

      --
      matguy(.com)
  8. worries... by Anonymous Coward · · Score: 0

    What other things might I need to worry about?"

    Hmmm, maybe the fact that it's pretty easy to spoof a MAC address?

    1. Re:worries... by Jebus_the_spork · · Score: 0

      yea, but who uses a mac?

      aaa ha ha ha *pun*

      --
      I didn't think it was physically possible, but this both sucks and blows - Bart Simpson
  9. Answers by LowneWulf · · Score: 5, Informative

    - 802.11 manages devices in a friendly way, and is designed specifically to play nice with lots of other 802.11 devices in the area. In fact, infrastructure networks assume it WILL work that way. Put your entire complex on one SSID and one channel - each WAP will form a BSS, and devices should seamlessly roam between them.
    - Other peoples' devices shouldn't interfere with yours unless there is a LOT of devices. If they do, too bad for them, they can choose a new channel. Or you can choose a new channel. But it shouldn't be a problem unless there's a ton of networks.
    - I would suggest leaving your network entirely open (no WEP, etc.) then putting a router at the edge which authenticates MAC/IP addresses, provides DHCP, and only routes those who enter a password of some sort. This leaves the internal network open to hackers unfortunately, but WEP management for an apartment will be hell, and the alternate solutions all tend to be non-standardized.

    1. Re:Answers by LowneWulf · · Score: 0

      And may I say, this is some of the BASICS of 802.11 - you really should at least read a half-page intro to 802.11 before you Ask Slashdot, and actually learn some of the details before you start suggesting that you are able to wire a complex network infrastructure.

    2. Re:Answers by swillden · · Score: 3, Informative

      WEP management for an apartment will be hell

      I don't think it should be too bad. After all, the network operators are handing out all of the cards; if they use cards that store the keys in firmware and they load up the keys before issuing the cards, then management is no problem at all.

      If they decided to *change* the keys, then they'd have a problem, but the purpose of WEP in this case would be to provide a small additional hurdle to potential hitchhikers, not to provide real security, so I don't see a problem with a permanent key.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Answers by essdodson · · Score: 3, Informative

      You do _NOT_ want the entire complex running under the same channel. The proper way to set things up is to blanket the entire area, then set channels so that no two access points within range of each other will be on the same channel. This will provide for seamless movement from one zone to the other. Also if you need more bandwidth set up two access points in the same location on different channels and you instantly double the amount of wireless bandwidth in that area. Keep in mind that payload for wireless is typically around 8Mbit/sec or so. The card will then determine which channel is least saturated and pick that.

      I agree with the no security issue. You should make it clear that there is absolutely no security implied or promised. You'll shoot yourself in the foot as soon as someone's credit card number is sniffed after you told them it was all good. If you must setup security start with the assumption that every packet can and will be sniffed, with that in mind build VPN/IPSEC on top of that.

      --
      scott
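The rule essdodson gives (no two access points within range of each other on the same channel) is a graph colouring problem, and with 802.11b's three non-overlapping channels it does not always have a solution. The following added example, which is not code from the thread, plans channels for a constructed layout of two APs per building and reports the pairs that could not be separated; AP positions and the interference radius are assumed inputs.

```python
"""Greedy channel planner for an apartment-complex AP layout.

Added example, not code from the thread. Assumes AP positions in metres and
a single "interference radius": two APs closer than that must not share a
channel. Uses the three non-overlapping 802.11b channels (1, 6, 11).
"""
from math import hypot

NON_OVERLAPPING_80211B = (1, 6, 11)

# Constructed sample layout: three buildings in a row, one AP per side.
# Entries are (name, x_metres, y_metres).
SAMPLE_APS = [
    ("A-north", 0, 0), ("A-south", 0, 25),
    ("B-north", 30, 0), ("B-south", 30, 25),
    ("C-north", 60, 0), ("C-south", 60, 25),
]


def neighbours(aps, radius):
    """Map each AP name to the set of AP names within `radius` of it."""
    adj = {name: set() for name, _, _ in aps}
    for i, (n1, x1, y1) in enumerate(aps):
        for n2, x2, y2 in aps[i + 1:]:
            if hypot(x1 - x2, y1 - y2) <= radius:
                adj[n1].add(n2)
                adj[n2].add(n1)
    return adj


def assign_channels(aps, radius, channels=NON_OVERLAPPING_80211B):
    """Greedy graph colouring, most-constrained AP first.

    Returns (plan, conflicts): plan maps AP name -> channel; conflicts lists
    AP pairs that are in range of each other yet had to share a channel,
    which means the layout needs more channels (802.11a) or re-spacing.
    """
    adj = neighbours(aps, radius)
    order = sorted(adj, key=lambda n: -len(adj[n]))
    plan = {}
    for name in order:
        used = {plan[n] for n in adj[name] if n in plan}
        free = [c for c in channels if c not in used]
        if free:
            plan[name] = free[0]
        else:
            # No clean channel left: take the one fewest neighbours use and
            # let the conflict be reported rather than silently accepted.
            plan[name] = min(
                channels,
                key=lambda c: sum(1 for n in adj[name] if plan.get(n) == c),
            )
    conflicts = sorted(
        {tuple(sorted((a, b))) for a in adj for b in adj[a] if plan[a] == plan[b]}
    )
    return plan, conflicts


if __name__ == "__main__":
    # With a 35 m radius the ladder of APs is two-colourable; at 40 m the
    # diagonal pairs also come into range and three channels are not enough.
    for radius in (35, 40):
        plan, conflicts = assign_channels(SAMPLE_APS, radius)
        print(f"radius {radius} m: {plan}  conflicts: {conflicts}")
```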
    4. Re:Answers by Oztun · · Score: 2

      Your first suggestion about multiple channels is good. Wireless is easy to saturate.

      However on your second suggestion, I think security from an admin standpoint is critical. Without a VPN some kiddie will start hacking the FBI through your network. Guess who they start investigating and pointing fingers at first. You can still tell the apartment people they are responsible for their own security but you must CYA unless you don't mind them banging on your door.

  10. Wi-Fi by dsmey · · Score: 5, Informative

    I am an assistant network engineer at a large midwestern university. Currently, like you, we're in the process of figuring out how to deploy wireless access points. Our campus's Engineering Computer Network let us borrow a mobile testing apparatus that has a WAP and an antenna on it (looks like a camera tripod). We take it to different parts of our residence halls and, with a laptop, we take SNR readings from different parts of the surrounding rooms and record our measurements on the building blueprints. We figure we need about 6 WAP's to sufficiently cover the lounge areas of the older dormitories (with their steel and concrete infrastructure), but for your sake 2 WAP's should sufficiently cover a medium-sized apartment building and more. We also plan to cover several large outdoor areas, a library, and our Union right off the bat. The equipment we are using is Enterasys Roamabouts ($1000 a pop), [link] and they are highly configurable and have a ton of management features. We figure each WAP will get connected to a switch port on the Cisco Catalysts in our buildings. So far, we haven't done much in terms of the deployment because it is a long process, where the Physical Facilities department has to do the actual installation of the equipment, data jacks, etc. I assume in your case you can better coordinate this without all the red tape. We figure that by the time these are all installed and our userbase is well-informed of the network, we will have a great system that will scale to thousands of students and staff in the future.
    http://www.purdue.edu/ITaP/projects/wireless.shtml

    1. Re:Wi-Fi by Anonymous Coward · · Score: 0

      Hmm...I wonder which midwestern university...

    2. Re:Wi-Fi by dsmey · · Score: 1

      Just couldn't resist a shameless plug at the end.

    3. Re:Wi-Fi by pirodude · · Score: 2

      Sweet, I'm attending purdue in the fall (Computer Engineering). Gonna have to get me the hookup :)

    4. Re:Wi-Fi by dsmey · · Score: 1

      As an addendum I should note that WAP stands for "Wireless Access Point" in this context, some anal reader below has pointed out that it refers to the protocol. Also, I meant 6 WAP's per res. hall, not per lounge. We originally intended to have a maximum of four WAP's per dorm, but it turns out the signal does not penetrate these buildings as well as we expected.

      As for security concerns, WEP (not to be confused with WAP) encryption should be mandatory. Although it is easily compromised (and it's up to you whether you let people know this), but advanced users will know ways to secure their connections. Yeah, it's a major setback (Disclaimer: hey, here's this wireless apartment network, I am not responsible for someone sniffing your passwords...)

    5. Re:Wi-Fi by gmkeegan · · Score: 5, Funny

      I am an assistant network engineer at a large midwestern university...

      I never thought a wireless project like this would happen to me. I was sitting in the study lounge in my dorm when this sexy coed network engineer walks up and asks, "I see you have a seven layer OSI model. That really turns me on..."

    6. Re:Wi-Fi by Kunta+Kinte · · Score: 2, Informative

      I'm a network admin as well. I'm working on implementing a wireless network as well at my day job (small campus). We just completed testing our initial vendors, and basically Enterasys got its butt kicked by Cisco and Agere (formerly Lucent's WiFi division) Orinoco.

      Cisco came out to be the most powerful. No fair though since they transmit at 100w while the others come in about 30. But for value Orinoco rose to the top. $75 NICs, dual radio models for $600. Check out http://warehouse.com/ for some decent prices.

      Both Agere and Enterasys have removable radios on their APs; in fact the radios are just WiFi PCMCIA cards. The Enterasys PC cards are OEMed Orinocos.

      My recommendation is Orinoco. But your findings might be different, so definitely check it out for yourself.

      --
      Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
    7. Re:Wi-Fi by rhost89 · · Score: 1

      Cisco/Aironet stuff have removable PCMCIA card radios on their APs, at least they do with their older BR500 and AP4800's; just take out 4 screws and there you go. Although getting the PCMCIA card out of the clip is a pain. The newer BR350's might have the same card inside, but I've never opened one up to find out.

      --
      I will bend your mind with my spoon
    8. Re:Wi-Fi by sysadmn · · Score: 1

      If you've ever been to Purdue, you'd know your version is a lot more likely than the version that winds up in Penthouse Letters :-)
      BSECE '84

      --
      Envy my 5 digit Slashdot User ID!
  11. Concerns... by MarkKomus · · Score: 2, Informative

    - Interference between WAP's

    If you have WAP's on different sides of buildings they most likely won't interfere with each other. Just keep the WAPs with the same channel as far apart as possible. If you can get your hands on a few to test with it would be worthwhile to mock up a few layouts and wander around with a laptop to measure signal strength and interference.

    - Management of 'hitchhikers'

    In addition you could run WEP; it is breakable but it's another layer of security. Sorta like the car thief will go for the car without the Club.

    - Interference from WAP's and other devices that may be owned by tenants!

    Here could be your big problem. As someone else mentioned there are lots of 2.4GHz devices. Most would only cause a local disturbance, but if I decided to set up a WAP in my apartment you have no grounds to stop me from doing so. Some WAPs are smart enough to work nicely together though so it might not be as big a deal as microwaves and cordless phones.

  12. Re:I would not hire you by aaandre · · Score: 2, Insightful

    There's _always_ a better way. And slashdot is one of the best places to learn about it.

    If I was given a choice between a professional who never asks for help and another one who is smart enough to tap in the potential of Slashdot guess who'd get the project!

  13. Screw It... by mogrefy · · Score: 2, Insightful

    Just make it free (included in rent) and let everyone have internet... great for our communist society!

    1. Re:Screw It... by Anonymous Coward · · Score: 0

      Many apartments do have utilities included, so this really might not be such a bad idea. It's a nice perk if you live in a high-tech/wired area (San Francisco, Washington, etc)

    2. Re:Screw It... by Jonny+290 · · Score: 1

      Sure, but the differences in power consumption between the thriftiest and most greedy electricity customer isn't two orders of magnitude, like it is with Internet access.

      --
      Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
    3. Re:Screw It... by Anonymous Coward · · Score: 0

      You wanna bet?! You should see my apartment, it's like a damn server room! And, these machines run hot, so that means lots of AC!

      But... anyway, I imagine it's possible to put some sort of throttle on each connection. Sure, they could connect with multiple cards, but most people wouldn't go to that effort.

  14. Berkeley wireless LAN by minesweeper · · Score: 3, Interesting

    U.C. Berkeley has been working on implementing a wireless network around campus. You can read up on the project here. It mentions some of the technical issues they face like 2.4GHz cordless phones and even interference from old microwave ovens.

    1. Re:Berkeley wireless LAN by Anonymous Coward · · Score: 0

      Arizona State has had a network for a while, I'm surprised Berkeley hasn't done it yet. In places where the weather was nice, it was awesome to work outside. Funny thing about ASU was that the recreational fields (baseball, soccer, volleyball, etc.) combined with the rec center had the largest area of access???

  15. well... by ddent · · Score: 1, Offtopic

    You have 3 channels with 802.11b, and you can pretend you have 4 if you have a little bit of overlap. Arrange things in a honeycomb. Also investigate the nocatauth portal. A small bit of googling will turn up lots of resources, you don't need to code this all yourself - lots of people are doing it.

    1. Re:well... by Anonymous Coward · · Score: 0

      3 Channels?? HMM ALL the equipment I have
      (U.S.) has 11 channels, Europe has 14.

      Been sitting a little too close to your
      monitor again??

    2. Re:well... by matguy · · Score: 1

      well, he(/she) could be talking about usable channels (remember all the interference questions/debates?) Say you've found 3 or 4 that seem to not have any interference, well since there's going to be 2 points per building (and I imagine the buildings aren't all that far apart) there could very well be points where 3 or 4 access points intersect, which could help if some interference crops up you'll still have plenty of alternative channels. (now that I read back again, it doesn't look like that was the intended point, but it could bring up some help)

      --

      matguy(.com)
  16. Karlnet by Lokni · · Score: 1

    Check out software available through Karlnet. They made the firmware for most 802.11 devices out there and have software that would allow control over who has access and who doesn't, bandwidth throttling, etc. Some of the stuff only works with specific APs and their own Turbocell drivers but it all looks pretty nifty.

    1. Re:Karlnet by Benley · · Score: 4, Informative

      I've worked with Karlnet's stuff. It does work as advertised, but in my opinion it is not at all worth the cost (something like $500 per base station *for the software* and $25 per client). In addition, I have never ever seen their Linux driver work. They supposedly came out with a new one recently, but I haven't heard good reports about it either.

      Aside from all of that, Turbocell does do some neat stuff: bandwidth throttling on the client end, key-based authentication, and it supports hidden nodes on wireless networks. It seems more suited for "wireless ISP" type of arrangements than smaller rigs as described in the article.

      To Karlnet's credit, they also now have a $75 version of their firmware that goes on an RG-1000 and allows for one or two wired ethernet devices. Still more than I prefer to pay for such things. And of course, your mileage may vary.

    2. Re:Karlnet by snoig · · Score: 4, Informative

      Having used Karlnet quite a bit, I can say that they do offer products that work well for this application. I worked for a wireless ISP and we used Karlnet exclusively.

      Having already gone through what you are attempting to do, here are a few tips.

      1. Use a DHCP server. Otherwise, you will be getting calls all the time about how to set up DNS, IP's etc. It's a nightmare.

      2. Line of sight through a window doesn't always work well. The glass tends to refract some of the signal. If you can align the antenna parallel to the window it will work. Also, it doesn't necessarily have to go through a window. 2.4 GHz will also go through wood and sheetrock to a certain degree.

      3. It works best when you can mount the antenna outside and point it straight at the tower. People are less likely to mess with it then.

      4. You may think that you have three clear channels but many companies are using this spectrum now. If you are in an urban area, you will probably find that someone is already using some or all of these channels. Check before you spend a lot of money on equipment.

      5. Keep your signal levels high. When we started, we would hook up customers with an 8 dB signal to noise ratio. As time went on, the noise floor came up and we had to devise new methods to keep customers online. If you can't get at least a 15 dB S/N ratio, don't even bother hooking them up.

      6. Keep your antenna cables short (usually LMR-400). This is usually your biggest source of signal loss.

      The company I worked for eventually came up with a design where the radio card was mounted on the back of the antenna outside the building. Cat 5 cable was run to the antenna with power injected onto the unused pairs. This design works well because the signal is converted directly to 10-BT at the antenna with minimal signal loss. Since the entire unit is outside the building, there is much less interference from microwave ovens and cordless phones.

      Good luck.

    3. Re:Karlnet by Anonymous Coward · · Score: 0

      I personally would recommend against Karlnet. We attempted a deployment of it and had nothing but problems. Here are a few of the problems that we had: System access pass phrases would change, rate limiters did not seem to function properly, tracert not working, vpn tunneling, licensing problems and more.

      Depending on the hardware you are using, look for a linux solution. We are in the final stages of testing our client radios that will run linux and everything seems to be going smoothly. Plus you will not have to pay licensing fees.

  17. Some ideas. by Anonymous Coward · · Score: 0

    Before you fully implement it, do some testing and see what works best. I don't think it matters whether you do DHCP or Static IP, just filter by MAC address and you should eliminate anyone who is not a subscriber from getting access. However, I am interested in the project, and maybe for better help from others, you could give more details. Good luck...

  18. Re:I would not hire you by chairmanKAGA · · Score: 0, Troll

    My first moderated "troll". And no, it wasn't a troll. I just think you should be enough of a professional where you don't have to ask how to do your job on a web site. Learn how to do it, then become a professional. Would you want a doctor posting questions like "how do I calculate someone's blood pressure?"?

    --
    "Allez Cusine!"
  19. Hitchhikers by brunes69 · · Score: 3, Interesting

    If you are worried about data sniffing, IPSec / WEP is your answer. If however, as I assume, you are worried about "free rides" on your bandwidth, I'd suggest PPPoE. That way no one gets on the network unless they have an account. Seeing how it is a relatively small number of tenants I assume (less than 500 or so) it should be simple to keep a list of names / logins so as to provide a tenant with two logins should he get a second PC. This method saves you the hassle of managing a bunch of fixed IPs and MAC addresses with everyone on the network.

    1. Re:Hitchhikers by Anonymous Coward · · Score: 0

      it should be simple to keep a list of names / logins so as to provide a tenant with two logins should he get a second PC.

      I can't recommend this. I have 15 computers in my home, and constantly move some in/out. This is a little unusual, but many people have many computers, often > 4-5. These are the sort of people that might be attracted to the community.

    2. Re:Hitchhikers by elmegil · · Score: 0, Offtopic

      dude, your sig is like so out of date.

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    3. Re:Hitchhikers by brunes69 · · Score: 3, Insightful

      So you give the guy like 5 logins. It's a lot better than hardwiring a MAC to an IP as was suggested, as any PC can log in with any ID.

    4. Re:Hitchhikers by Anonymous Coward · · Score: 0

      You have 15 computers? That's too weird, man, I would hope people like you didn't live around me.

    5. Re:Hitchhikers by TheTomcat · · Score: 2

      My ISP would give you ONE ip, and you'd have to NAT the rest. If I was setting up WiFi, acting as an ISP, I'd do the same (or maybe 2-3 IPs), unless you want to pay me for more IPs. (unless, of course, I'm already NATing the whole thing.. 1 layer of NAT is bad enough -- multi layers.. may the nastiness begin!)

      Anyone with more than 2-3 computers probably has the know-how to set up their own LAN with NAT/proxy.

      S

    6. Re:Hitchhikers by amlai · · Score: 1

      Any pointers as to how to set up the PPPoE and the PPPoE server? Thanks.

    7. Re:Hitchhikers by H310iSe · · Score: 2

      client PPPoE support on windows really sucks. except. except I've found RASPPPoE has worked well for me.

      --
      closed minded is as closed minded does
    8. Re:Hitchhikers by Anonymous Coward · · Score: 0

      You seem scared and you should be. We're going to get your ass.

  20. Our experience by The+Ape+With+No+Name · · Score: 5, Informative
    We deployed the largest campus wireless (to date) network here. Which involved a lot of the issues you bring up and then some. Was it a pain? Yup. Did we have to backtrack and reengineer (esp. security and client access)? Yup. Check out this stuff for some info:



    I hope this helps. Our wireless guys pulled this off in 130 buildings over a several square kilometer area. Good Luck!

    PS. Cracks about Redneck Rocky Top and such ilk should be modded -1! ;-p
    --
    Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
    1. Re:Our experience by jayhawk88 · · Score: 2

      Our wireless guys pulled this off in 130 buildings over a several square kilometer area.

      But what they didn't tell you is exactly how they managed to pull it off. Let's just say that I'll be looking at a nice influx of WiFi-Tech talent in about 50-60 years. I think I'll start them off with a nice simple job at the Electronic CounterMeasures factory.

      Signed,
      Satan

    2. Re:Our experience by Anonymous Coward · · Score: 0

      Redneck rockytop motherfucker.

      -G
      gvonk@uga.edu

    3. Re:Our experience by Anonymous Coward · · Score: 0

      Is this the same wireless network with no Mac OS X client? The same one which will be completely unencrypted in a few weeks (or is already, I don't remember; I don't need to keep up because I know not to trust it anyway) because security is just too hard and difficult to deal with? Is this the same network run by folks who just "lose" DNS entries and reserved DHCP addresses?

      I'm happy that I graduated and moved away from Knoxville to get away from you. I'm sad that I won't be there to take advantage of the "free" wireless network you have (because we all know that MAC addresses can't be spoofed - oops! Didn't mean to spill your Super Top Secret Security Plan!).

    4. Re:Our experience by Anonymous Coward · · Score: 0

      Yes. Same one. There is no Mac OS X Client because Avaya refused to create one. Not our fault. Same with XP. I think that if you read up on the DHCP/DNS problems you'd find that the problems related to non-standards compliant clients not the servers. As for wireless security, it is really easy to spoof MACs on the wire too. What is the difference? Accessibility? You can roam anywhere on UT's wired network as well. Most likely you are a business major who couldn't cruise pr0n in Glocker Hall between How-to-hold-a-meeting 101 and Why-George-Bush-is-Great 423. And you probably could never remember your LDAP password (the No 1 reason people will never be able to use a VPN secured network). Remember that worthless degree you have isn't our fault...

  21. Re:I would not hire you by Anonymous Coward · · Score: 0

    At what point did he say he was a professional?


    Isn't one of the best ways to learn asking questions?

    Now if he said he was hired as a contractor for a big company, I would think different, but here's a guy trying to do something that's new to him.

  22. Don't expect many replies for the next 45 minutes by notaspy · · Score: 2, Funny

    Everybody must be watching celebrity boxing II (truly what television was invented for!)

    --
    hi!
  23. Security matters. by dfeldman · · Score: 3, Interesting
    I have just one word of advice here: don't do it.

    Back at my alma mater, one of the students (who thought he was clever) founded an ISP that provided 802.11b wireless access to apartments on campus. Inevitably, the WEP key he used was compromised, and student account passwords were sniffed and abused. Now, common sense would dictate that he shouldn't be responsible for what a criminal does with his network; but common sense does not reign supreme in the ivory tower of academia. What happened next was shocking: the student was disciplined, expelled, and sued for damages by the state college. Although he certainly could have won his case in front of a jury, he settled because he could not afford $15k to hire a good trial lawyer. Right now he has no degree, can't get into a good school, and is pumping gas for a living.

    So, if you are considering rolling out a notoriously insecure network architecture (such as 802.11[ab]), consider the fact that you may be personally liable for anything bad that a crook does with your network. Be afraid.

    df

    1. Re:Security matters. by Alex · · Score: 4, Insightful

      I'll assume that he was running this ISP off of university bandwidth?

      Has it occurred that this may have been a SERIOUS breach of AUP?

      Alex

    2. Re:Security matters. by Anonymous Coward · · Score: 0

      Hasn't anybody ever heard of VPN? It involves end-to-end encryption over an insecure network (The Internet for instance). Anybody not using IPSec is an idiot.

    3. Re:Security matters. by Boulder+Geek · · Score: 2
      So, if you are considering rolling out a notoriously insecure network architecture (such as 802.11[ab]), consider the fact that you may be personally liable for anything bad that a crook does with your network. Be afraid.

      This is what Limited Liability Companies (LLC's) are for. You create an LLC to run the network, which can cost as little as $50 depending on what state you are in, and then the only thing anyone can go after for liability is the LLC and its assets, not you or yours.

      --
      A well-crafted lie appears unquestionable - Dama Mahaleo
    4. Re:Security matters. by demaria · · Score: 2

      "Anybody not using IPSec is an idiot."

      The people using L2TP or PPTP would slightly disagree. ;-)

    5. Re:Security matters. by swillden · · Score: 2

      "Anybody not using IPSec is an idiot."

      The people using L2TP or PPTP would slightly disagree. ;-)

      The people using PPTP would be slightly wrong.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:Security matters. by Anonymous Coward · · Score: 0

      And how do you propose that this would help our protagonist get his college degree back?

    7. Re:Security matters. by tzanger · · Score: 2

      The people using PPTP would be slightly wrong [counterpane.com].

      It would help you a lot if you understood the basic problem surrounding PPTP. It's not the protocol at all, it's Windows' allowing itself to be talked down to MSCHAPv1 encryption that causes the security problem.

      There is absolutely no problem with security when running PoPToP and refusing MSCHAPv1 and enforcing MPPE stateless operation.

    8. Re:Security matters. by Anonymous Coward · · Score: 0

      idiot. corporate shields help against lawyers, not against employers, or in this case, schools. They fire LLCs as fast as private individuals. The cost of engagement is still $15k.

    9. Re:Security matters. by ptbarnett · · Score: 1
      No, an LLC will only protect your assets if the business goes bankrupt -- and only if you did not personally guarantee repayment of debts. It's basically impossible to get credit at startup without a personal guarantee, until you have an established business.

      But, an LLC will not protect you from professional liability. All the plaintiff has to do is name both the LLC and you as co-defendants.

      Finally, An LLC won't stop the university from expelling the person it deems responsible, whether he is an owner/principal or an employee.

    10. Re:Security matters. by swillden · · Score: 2
      Thanks for the information. I've pretty much just dismissed PPTP out of hand in the past, given the numerous papers published on v1 and v2 (not just by Schneier, either). I'll have to look into it some more.

      Do you have a reference to a paper that analyzes PPTP running in this mode?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re:Security matters. by matguy · · Score: 1

      Think of this: are we getting the whole story? Isn't it quite possible that he was re-selling the university's bandwidth and that's what he was expelled and found liable to pay back?

      Figure maybe he was doing it for 6 months, I don't go to a university at the moment, but some charge for access to the network/internet I'd imagine. So, if he was hosting for 50 people, say for $25 a month, that comes to $7,500. Yes, these are totally hypothetical numbers. Ok, they say it also got hacked, figure maybe the userbase doubled from people getting on with hacked accounts. There's $15,000 (another hypothetical number) of perceived loss by the university, now they don't need to prove it to bring it to court, but like the story says the person settled out of court because of the attorney fees.

      Being kicked out for trying to make money by breaking the rules set up by a university is not a new thing.

      --

      matguy(.com)
  24. Yeah by brunes69 · · Score: 3, Informative

    It's not really spoofing as such. Anyone can change their MAC identification to anything they want with most cards. in linux you do it through ifconfig and in WinNT/2K/XP you can do it in the network control panel. This is another reason I would go with PPPoE or a VPN.

  25. what is your job at the complex? by edrugtrader · · Score: 5, Insightful

    are you just the fix-it guy that has computer knowledge, or a private contractor?

    if you are expected to stay in house and manage the thing once it is up, get ready for a lot of sleepless nights and angry users.

    it is probably MUCH more cost effective for the complex to just pay for the DSL in all the buildings and keep them hooked up forever. ~$60 a month including a phone line and you have no hassles what-so-ever. then pass the cost onto the tenant

    your monthly cost per tenant will probably be $20-30/month in hardware depreciation and bandwidth usage. plus you would have a HUGE (you didn't give building or unit numbers so i'll guess) setup fee of $10,000+ assuming you get a couple T1s and all the wireless hardware.

    as a tenant i won't pay you more than $50 a month (standard DSL cost) so you have to figure out if you can provide all this service and not spend $20 a month per user of your time. i don't think you can.

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
    1. Re:what is your job at the complex? by Black_Logic · · Score: 1

      Your itemized bill...

      - $100 electric
      - $50 water
      - $50 internet
      - $30 using your toilet for (number 2) tax
      etc.

      Viola! $50 dollar internet bill!

      --
      Ansi's and stupid tricks!
    2. Re:what is your job at the complex? by Sentry21 · · Score: 2

      your monthly cost per tenant will probably be $20-30/month in hardware depreciation and bandwidth usage

      While amortization of assets is technically net worth lost, it's not cash outflow per se, and thus as long as the hardware keeps working, it's not applicable to the monthly cost. If you can keep it to the point it's worth nothing, I'd be quite surprised.

      What I would go for is 9 megabit SDSL if it's offered by the telco, or multiple DSL lines if not. You can provide the same theoretical bandwidth as a T1 (downstream, anyway) with one DSL connection, and there's no point getting a hardcore-business class line for residential-class users. This is also a great place for FTTH to take hold - run a fibre line to an apartment complex, branch off gigabit fibre to the buildings, run 10/100 up the buildings and out along the floors, and voila, instant high-speed network. Run the lot of them through a caching proxy server, and whee.

      That being said, how do the phone lines get into the building? A T1 is a great way to get a good 64 phone lines into a building. It's possible (to my limited knowledge) that they already have the equipment and technical expertise. Then again, I seriously doubt it.

      Anyway, that's my uneducated input on the subject. I'm going to go pretend to know enough to give medical advice now.

      --Dan

    3. Re:what is your job at the complex? by tzanger · · Score: 2

      A T1 is a great way to get a good 64 phone lines into a building.

      Um, a DS1 provides 24 8-bit channels. These 8 bits can be totally clean but then they're not voice channels.

    4. Re:what is your job at the complex? by Jon_E · · Score: 1

      you'd be much better off mixing wired and wireless on the apartment level - in other words - after a standard agreement with DSL/Cable provider to wire the units simply provide/lease WAPs for wireless access within the units .. this would then give you control through the WAP for bandwidth and DHCP resource management, and you could simply follow the cable companies model for checking for illegal access - periodic log checks, or some other form of periodic key checking .. I wouldn't recommend MAC filtering

    5. Re:what is your job at the complex? by swb · · Score: 2

      Unless you're willing to live with 23 channels, in which case you can have your 8 bits clean and get voice.

    6. Re:what is your job at the complex? by matguy · · Score: 1

      hmm, what do you think the odds are that they can't get dsl or cable there? if they could it wouldn't be as much of an issue, but contrary to some belief there are lots of places that can't get either, I happen to live in such an isolated area. That really is the only reason I'd be interested in making something like this work, mostly because it could be set up as a grassroots effort.

      Think of it, Joe Resident gets a T1 and a few access points. He ends up selling the service to a few strategically located co-residents to set up the coverage, once that's up assemble the mass roll-out to the rest of the complex, as long as there's a low number of problems then boom, Joe has a T1 shared with a number of residents and as long as it can be throttled well there should be plenty of bandwidth for Joe and possibly make money on it.

      I want to be Joe.

      --

      matguy(.com)
  26. On security, ditch WEP, USE A VPN by kbroom · · Score: 2, Interesting

    WEP is easily broken. There are several tools that make a war driver's life really easy.

    I would set up the wireless network outside a firewall, and then probably hook up a couple of machines with FreeSWAN or poptop (linux vpn servers) that will connect to the access points.

    See this paper for a good discussion on wireless security.

    1. Re:On security, ditch WEP, USE A VPN by erc · · Score: 1

      Or use SSH. Much easier to set up. SSH is your friend.

      --
      -- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
  27. How I'd do it by Xenophon+Fenderson, · · Score: 4, Insightful

    There's several ways to go about this.

    1. Buy CheckPoint FireWall-1 in addition to your access points. There are SOHO versions of FW1 on dedicated hardware (e.g. Nokia IP71) that retail for less than $1000 and can accommodate up to 50 users. Use its Session Authentication agent to arbitrate access to anything other than DHCP and don't bother with enabling WEP. Unfortunately, the agent seems to be only available for Windows 9X/ME/NT/2K/XP.
    2. Buy Cisco access points and Cisco ACS software and enable LEAP. While non-standard, you are probably forcing them to buy a wireless card anyway, and Cisco's client devices aren't all that expensive. The Aironet device is supported in Windows and Windows CE, Linux, and MacOS 9.x and 10.x. My employer uses LEAP and it works great.
    3. Hack your own. Set up Linux and Squid and Apache and transparent forwarding to redirect unauthenticated web traffic to a HTTPS login form. Have the form automatically add the necessary firewall rules to allow them out, and have a cron job remove them after a delay. Upside: A five banana problem once you've mirrored enough of CPAN to write the Perl scripts. Downside: Easily spoofed/hacked with a copy of AirSnort, Kismet, and Ettercap.
    WEP key management sucks so hard that relying on it is stupid. I'd probably go the LEAP route just because it is so damn easy on both the client side and on the server side, even though I hate Cisco. The build-it-yourself solution would be a complete kludge and would be totally unsupportable except by the author, i.e. lots of work. The CheckPoint firewall is in between the Cisco (easy) and do-it-yourself (really hard) in terms of difficulty.

    Anyway, I'm rambling now, so hopefully this helps and makes sense. If you have questions, post 'em here.

    --
    I'm proud of my Northern Tibetan Heritage
    1. Re:How I'd do it by wizman · · Score: 1

      I run a wireless ISP, and we did option #3. It took me about 10 hours to get a simple version running, and I've done various upgrades since then (RADIUS auth, provision for public ip's, etc).

      Here's what you need to roll your own:

      * Linux box with iptables (we use ipchains, but just because we haven't upgraded to the 2.4 kernel).
      * Apache (mod_rewrite a must)
      * PHP (or scripting language of choice)
      * Squid
      * sudo (so that ipchains can be run as the web user)

      Simply add a rule to redirect your entire private subnet to local port 80. You will need to have mod_rewrite change everything to /login.php or whatever so that they always go to your login page.

      When someone auths, you need 2 rules - one to redirect port 80 to the squid port instead of local port 80, and one to NAT everything else. These should go at the top as to overcome the "redirect all to apache" rule.

      We have a script that runs every 5 minutes. It goes through a sql table of people currently logged in, compares their ip to mac to make sure no one "hijacked" an IP when someone turned off their machine, does some other security checks for the same purpose. It also pings them, and removes the rules if they are no longer active. Be careful, this breaks when people use personal firewalls and stuff. Looking for a better solution to this actually - anyone?

      If you need more help, let me know. I can't release our code as we have a product on it, but I'd be happy to help out. We also have an RF engineer on staff, I might be able to ask him a question or two.

      net dot coastalwave at admin

      (reverse, yadda yadda)
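The periodic "compare IP to MAC, then tear down the rules" job wizman describes above, and the roll-your-own portal Xenophon Fenderson sketches in option 3, as an added example (not wizman's product code or anything from this thread): it parses a constructed /proc/net/arp snapshot, audits a session table for hijacked and idle entries, and renders the two per-client iptables rules as command strings. Interface names, the client subnet and the Squid port are assumptions.

```python
"""Captive-portal session audit (added example, not code from this thread).

Models the 5-minute job from the post above: every authenticated session is
(ip, mac, last_seen). If the IP now answers from a different MAC the session
is 'hijacked'; if the host has gone quiet past an idle timeout it is 'idle'.
A complete ARP entry counts as liveness, which sidesteps the personal-firewall
problem (hosts that drop ICMP still answer ARP).
"""
import re
from dataclasses import dataclass

WLAN_IF = "wlan0"       # assumed: interface facing the access points
WAN_IF = "eth0"         # assumed: uplink interface
CLIENT_NET = "10.0.0.0/24"   # assumed private client subnet
SQUID_PORT = 3128       # assumed Squid listening port
PORTAL_PORT = 80        # unauthenticated HTTP is redirected here (login page)
IDLE_TIMEOUT = 600      # seconds without any evidence of life


@dataclass
class Session:
    ip: str
    mac: str
    last_seen: float    # epoch seconds of the last successful ping reply


# Constructed sample in /proc/net/arp layout. Flags 0x2 = complete entry
# (host answered ARP); 0x0 = incomplete, i.e. no evidence the host is up.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.11        0x1         0x2         00:11:22:33:44:55     *        wlan0
10.0.0.12        0x1         0x2         aa:bb:cc:dd:ee:ff     *        wlan0
10.0.0.13        0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

_ARP_LINE = re.compile(r"^(\S+)\s+\S+\s+(0x[0-9a-fA-F]+)\s+([0-9a-fA-F:]{17})")


def parse_arp_table(text):
    """Return {ip: mac} for complete entries only (header line skipped)."""
    table = {}
    for line in text.splitlines()[1:]:
        m = _ARP_LINE.match(line)
        if m and int(m.group(2), 16) & 0x2:
            table[m.group(1)] = m.group(3).lower()
    return table


def audit_sessions(sessions, arp, now, idle_timeout=IDLE_TIMEOUT):
    """Return {ip: 'ok' | 'hijacked' | 'idle'} for every session."""
    verdicts = {}
    for s in sessions:
        seen_mac = arp.get(s.ip)
        if seen_mac is not None and seen_mac != s.mac.lower():
            verdicts[s.ip] = "hijacked"      # IP reused by another adapter
        elif seen_mac is None and now - s.last_seen > idle_timeout:
            verdicts[s.ip] = "idle"          # no ARP and no ping for too long
        else:
            verdicts[s.ip] = "ok"
    return verdicts


def _rule_specs(s):
    """The two per-client rules: HTTP to Squid instead of the portal, and a
    FORWARD accept bound to ip+mac so the subnet-wide MASQUERADE applies."""
    return [
        f"-t nat PREROUTING -i {WLAN_IF} -s {s.ip} -m mac --mac-source {s.mac} "
        f"-p tcp --dport 80 -j REDIRECT --to-ports {SQUID_PORT}",
        f"FORWARD -i {WLAN_IF} -s {s.ip} -m mac --mac-source {s.mac} -j ACCEPT",
    ]


def grant_rules(s):
    """Insert at position 1 so these beat the catch-all redirect to the portal."""
    return [f"iptables {spec}".replace("PREROUTING ", "PREROUTING 1 ", 1)
            .replace("FORWARD ", "FORWARD 1 ", 1).replace(" -t nat PREROUTING 1",
            " -t nat -I PREROUTING 1").replace("iptables FORWARD 1", "iptables -I FORWARD 1")
            for spec in _rule_specs(s)]


def revoke_rules(s):
    """Delete with the identical match spec; -D only removes an exact match."""
    return [f"iptables {spec}".replace(" -t nat PREROUTING", " -t nat -D PREROUTING")
            .replace("iptables FORWARD", "iptables -D FORWARD") for spec in _rule_specs(s)]


def base_rules():
    """Rules applied once: portal redirect, subnet NAT, default deny for forwarding."""
    return [
        f"iptables -t nat -A PREROUTING -i {WLAN_IF} -s {CLIENT_NET} -p tcp --dport 80 "
        f"-j REDIRECT --to-ports {PORTAL_PORT}",
        f"iptables -t nat -A POSTROUTING -s {CLIENT_NET} -o {WAN_IF} -j MASQUERADE",
        f"iptables -A FORWARD -i {WLAN_IF} -j DROP",
    ]


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    sessions = [Session("10.0.0.11", "00:11:22:33:44:55", 1000.0),
                Session("10.0.0.12", "00:11:22:33:44:56", 1000.0),
                Session("10.0.0.13", "00:11:22:33:44:57", 100.0)]
    for s in sessions:
        verdict = audit_sessions([s], table, now=1100.0)[s.ip]
        print(s.ip, verdict)
        if verdict != "ok":
            print("\n".join(revoke_rules(s)))
```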

  28. Some real help by mrst3v3n · · Score: 3, Informative

    Wireless network that spanned several different buildings, and required a few different AP's. Toughy, but not impossible. First, set each AP on its own channel. Second, enable MAC Address security for each Card on the network. Then instead of using DHCP to give out IPs you should assign each computer an IP and Subnet mask. Turn off DHCP server on the AP to try and stop any hitchhikers. The next thing you should do is enable WEP on the AP and the cards. Use the highest possible key. This should keep most of the standard users out of the network and force them to pay. As far as hardware, I suggest Linksys cards as they allow for the "any" SSID to be used allowing each resident to use the best AP. Also, for desktops use USB so that you don't have to open up the computers. That could be a BIG liability for you and your employer. Only use PCI cards if they sign a letter releasing you from all liability. You can do this on 802.11b for the cost reasons. If you need further help with this project email me. If this works out please let me know.

  29. Can't you guys agree? by lycono · · Score: 5, Funny
    Gotta love 'em.

    LowneWulf states:

    Put your entire complex on one SSID and one channel - each WAP will form a BSS, and devices should seamlessly roam between them.
    To which MarkKomus replies:
    If you have WAP's on different sides of buildings they most likely won't interfere with each other. Just keep the WAPs with the same channel as far apart as possible.
    LowneWulf states:
    Other peoples' devices shouldn't interfere with yours unless there is a LOT of devices.
    Which is rebutted by MarkKomus:
    Interference from WAP's and other devices that may be owned by tenants! Here could be your big problem.
    I need to know who has more money or a bigger house so I can know who to believe!
    1. Re:Can't you guys agree? by MarkKomus · · Score: 2, Informative

      Actually believe him, it's been a while since I did this stuff. My brain forgot about the SSID stuff. You could still run into problems if I put my access point up on the same SSID as the main network. WEP can partly solve this. But as has been said before it's breakable.

      Actually most wireless cards I saw will seamlessly switch channels to match a given SSID. So channel assignment usually is more based on local interference.

    2. Re:Can't you guys agree? by amlutias · · Score: 0, Offtopic

      you're right. if you put them all on the same channel, your throughput drops through the floor and sucks terrible ass.

  30. University of FL authentication by Anonymous Coward · · Score: 1, Interesting

    The University of Florida is using some kind of authentication scheme. Basically, everything is automatic. Any attempt to access a valid network address takes me to the login page, where I can login using my UF gatorlink account info.

    After that, everything just works. I don't know how secure the authentication stuff is. The configuration is dhcp, so real easy.

    1. Re:University of FL authentication by PotPieMan · · Score: 2, Informative

      For more information on this system, check out the GatorLink homepage and the GatorLink project page. I just wish all campus services used GatorLink (*ahem* ISIS).

  31. Terminology by mishan · · Score: 1

    WAP stands for Wireless Application Protocol. I think the acronym that you should use is AP, which would stand for Access Point, in this case. The wireless is assumed.

    1. Re:Terminology by Anonymous Coward · · Score: 0

      No, Access Point by itself has other meanings other than wireless in the networking world.

    2. Re:Terminology by Mazric · · Score: 1

      WAP is also Wireless Application Protocol for Mobile phones

    3. Re:Terminology by Oztun · · Score: 2

      Maybe in some scientific speak you are correct. However here in the real world WAP means Wireless Access Point. Maybe that goes against some RFC or geek code of ethic but check out the Linksys website. You will notice all their "Wireless Access Points" are referred to as WAP...

    4. Re:Terminology by Anonymous Coward · · Score: 0

      What A Pedant

  32. Just wire the buildings. by Anonymous Coward · · Score: 1, Informative

    It may be cheaper to just run cat5 through the buildings. Definitely more secure.

    I spent 4 years as a wiring contractor and know it's not dirt cheap, but depending on how many takers you have for your bandwidth, paying a hundred bucks or so per wireless nic isn't cheap either.

    I'm not sure how many units you have in the apartment, but if it was mine, I'd have the place wired with at least a solid RG-6 coax and an ethernet cable to each apartment.

    1. Re:Just wire the buildings. by hogger · · Score: 1

      I agree. CAT5 can be had for $50/1000 ft., wall plates are $10, routers are cheap, switches are cheap, etc... Plus, the bandwidth would be much higher, it would be much easier to secure, and would result in much fewer setup hassles. Wireless NICs are a huge pain in the ass to setup on desktops.

      Whatever happened to KISS?

    2. Re:Just wire the buildings. by figment · · Score: 5, Informative

      Yes.

      It really is the party-pooper solution, as it's so low-tech, but when we priced it out, for most buildings Cat5 wiring is cheaper.

      Depending on what kind of walls you're working with, (drywall vs. brick, etc) i've gotten quotes from roughly $30-100 per drop in an apt. Add to that $40/port for a good switch, and you're looking at $140 per room. And good cat5 contractors will give you some ungodly long warranty, on the order of tens of years.

      Contrast this with 802.11. You have to pay for multiple APs (500~2k each depending on what you want/need), then you either have to a) pay for the 802.11 card for each pc and have the tenants pay a deposit (which was ~150ish when I priced them out, 100ish if they had a laptop) or b) force the tenants to buy their own. From doing some informal surveys and asking around, the latter won't work.
      Then you have the line-of-sight problem (the computer has to be kinda near the window for them to pick anything up), the rf interference issue, and other funky rf physics stuff. Not to mention you're most likely on a 1yr warranty, and have to deal with helping people get their wireless card working, which can be a huge pain in the ass as likely they'll be using one of those pcmcia-pci slot converter things.

      Furthermore security-wise, you honestly cannot beat having a plugged vs. not-plugged-in port, thus you can assure people are not stealing your service... A good switch will tell you what mac addresses are coming from what port, so with some good accounting on the side, you can tell exactly which apt has a hub and is sharing with their neighbors, etc. It also makes catching troublemakers (and there will be some, trust me) a lot lot easier, as you can pinpoint it to the room, not just to a mac address.

      I more or less planned/ran a campus apartment project like this, and we did at first also seriously consider the 802.11 alternative, but quickly threw it away as we realized that a) it was going to certainly cost more long-run in labor than cat5 would, and b) it most likely wouldn't save us money upfront either.

    3. Re:Just wire the buildings. by Technician · · Score: 2

      A good switch will tell you what mac addresses are coming from what port, so with some good accounting on the side, you can tell exactly which apt has a hub and is sharing with their neighbors, etc.
      That works as long as they are not using a router or proxy machine. This method of spreading out the service has long been popular with DSL and cable modems. Be sure to sniff the wireless traffic. Some tenants may put up a DSL router and WAP to share your service. If you get matching traffic, try "planned outages" of each port for about 10 minutes and see which port is feeding the wireless traffic. Extend the outage if you find the connection. When the tenant complains, provide the evidence of the violation of terms of service. (Your TOS does prevent WAP of your service, doesn't it?)

      --
      The truth shall set you free!
  33. Spoofing by Xenophon+Fenderson, · · Score: 2, Interesting

    Changing your MAC or using unsolicited ARP broadcasts to take over another IP address are exactly what IP spoofing is all about. It's more than just setting a new MAC through ifconfig or Device Manager, too. Usually, you're doing some kind of ARP poison routing to do man-in-the-middle attacks or sniffing.

    So it really is spoofing, as such.

    --
    I'm proud of my Northern Tibetian Heritage
    1. Re:Spoofing by Phexro · · Score: 2

      Yeah, unless you wait for someone to turn their computer off before stealing their MAC.

    2. Re:Spoofing by Craig+Davison · · Score: 1

      Sort of OT, but you're describing IP spoofing on one network. Generally that's referred to as 'arp poisoning'.
      IP spoofing across networks is a different game entirely that involves literally sending 'spoofed packets' with a fake IP address in the header (also predicting sequence numbers used by the host you're connecting to to make a successful handshake). You retain the same IP address and MAC addr the entire time.

  34. VPN over wireless by mikeumass · · Score: 1

    I go to UMass and we just set up a campus wide wireless network here. That is a good system because it isn't based on easily spoofable MAC addresses. What we do is not use a WEP key; instead we assign unroutable IP addresses to network cards via DHCP. Then we have a VPN concentrator that has an address in that unroutable space and in routable space. To get out to the internet you need to authenticate yourself via the VPN server.

    1. Re:VPN over wireless by crypton · · Score: 1

      Yes, but this system relies on your users being able to use the Windows Cisco VPN software you supply or Redhat (at least if you're talking about the pilot system available in libraries like Physical Sciences). For someone like me with a Sharp Zaurus running Qtopia's Embedded Linux how do I hook up, Mike?

    2. Re:VPN over wireless by PoppaSmrf · · Score: 1

      cryptonite, your "special" request is what makes something simple from being simple for all...instead of making an individual request, accept the configuration given and work with it...i am sure with the amount of money you have saved by only using a "Sharp Zaurus" you can buy a nice little el-cheapo winbloze pc/server and a wireless network card...then you can set that up in your spare closet/middle of living room floor, and initialize this unit to authenticate itself to the WAN, via VPN...then simply have your "Sharp Dinozaurus" talk to this machine, then it will be your problem again...go figure...

      Kudos Mike on an excellent suggestion! Serve the masses, not the individuals...

    3. Re:VPN over wireless by Oztun · · Score: 2

      He didn't say he was using Cisco which I believe is 802.1x. With 802.11a/b you should be able to use IPSec or PPTP no problem.

    4. Re:VPN over wireless by crypton · · Score: 1

      I know he's using Cisco because I work here too. The whine was a joke!

  35. IPSEC by SealBeater · · Score: 5, Informative

    I don't know if it's been mentioned, but I would use IPSEC if I were you, simply because 802.11a/b sniffing is trivial now and mac address spoofing is even easier. Also, I would probably recommend against going with an established commercial wap product, as they all almost definitely aren't going to have the flexibility you need in the future and are probably way too expensive. I would roll a couple of OpenBSD boxes with wireless cards, that way you have an all in one solution with lots of nifty stuff like traffic shaping per mac, monthly bandwidth accounting capabilities via pf, syslog, and tons of other stuff that commercial vendors just don't offer. And I do mean, don't offer, regardless of price. This page offers a good howto regarding ipsec on openbsd and this page gives a pretty good read on replacing wep with ipsec on openbsd as well. Good luck.

    SealBeater

    --
    -- Its survival of the fittest...and we got the fucking guns!!!
    1. Re:IPSEC by jolan · · Score: 1

      This is definitely the right track.

      I currently use an OpenBSD machine with an orinoco silver card and an antenna to act as a wireless gateway. I've found that Orinocos have the best range (probably since they're 5v, and most prism-based cards are 3.3v)

      Security is two factor. First, all non-IPSec traffic is dropped immediately by the firewall (pf). The OpenBSD server is running isakmpd with a shared key. The client software is SSH Sentinel since it appears to be the best Windows software available that interacts properly with OpenBSD's implementation. (I've found that PGPnet doesn't work under Windows XP, and it sounds like it might be illegal to distribute PGPnet soon) Secondly, users must authenticate via authpf to have their traffic passed (NAT'd) to the world.

      If you want to implement this wireless system, then please do it right, or else you'll be joining the scores of misconfigured, insecure wireless networks that exist.

    2. Re:IPSEC by Anonymous Coward · · Score: 0

      802.11a will typically use AES rather than RC4 as an encryption algorithm.

      AES is not subject to the same attacks as RC4.
      AES is the new *best* choice for IPSEC

      therefore, you're wrong about sniffing on 802.11a.

    3. Re:IPSEC by SealBeater · · Score: 2

      802.11a also uses WEP; I think what you are talking about is the draft for 802.11i, which will use TKIP, Temporal Key Integrity Protocol, which is also based on RC4, but implemented in a different way. AES as an encryption algorithm has yet to be finalized and since it involves hardware optimization, is not backwards compatible. Basing a solution which relies on an unfinished draft may not be the wisest course in a production environment. You can use AES with older hardware but it will use weaker security. In addition, devices which will utilize AES are not expected to ship until early 2003.

      SealBeater

      --
      -- Its survival of the fittest...and we got the fucking guns!!!
    4. Re:IPSEC by SealBeater · · Score: 2

      Added point, anyone interested in wireless security should read this page.

      SealBeater

      --
      -- Its survival of the fittest...and we got the fucking guns!!!
    5. Re:IPSEC by swillden · · Score: 3, Informative

      I don't know if it's been mentioned, but I would use IPSEC if I were you, simply because 802.11a/b sniffing is trivial now and mac address spoofing is even easier.

      Three points: First, "use IPSec" is easy to say, but have you ever actually set it up? It's far easier said than done. Installing the needed software on all of the users' machines would be a bitch. And key management would be far, far worse.

      Second, using IPSec doesn't really solve your security problems, because every IPSec client has the secrets needed to access the network. That means a hacker only has to penetrate one host (and they're all hooked up to *radios*) and he's into the network as a whole. In addition to IPSec you also need firewalls on every machine to make sure that *only* IPSec traffic can get through to them.

      Third, and most important, who gives a rat's ass? This guy doesn't need real security, he just needs to make it a little bit harder for hitchhikers to use his Internet connection. If someone does get on, so what? They can sniff? Big deal, anything you send unencrypted over the net can be sniffed at every hop. Do you have some particular reason to trust all of those admins between you and wherever you're going? Of course not. And what about all of your neighbors? So use SSL and ssh to protect important data like credit card numbers and passwords and don't sweat the rest. The biggest danger here is that someone will score some free net access. 128-bit WEP, MAC filtering, hardwired DHCP assignments and maybe a little auditing of the DHCP logs should do the trick just fine. And maybe toss in a router with QoS extensions to make sure that neither hitchhikers nor legitimate users can hog the whole pipe.

      The single most common mistake people make when discussing security is to forget to consider the level of security that is actually required before picking a solution. There's a reason that banks have armed security guards but self-pay boxes in parking lots don't.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:IPSEC by SealBeater · · Score: 2, Offtopic

      This guy doesn't need real security

      That's the problem, attitudes like yours. I could care less about sniffing traffic, that's not the point, the point is to replace WEP with something better, and the goal isn't to stop people from grabbing credit card details, it's to prevent Joe Hacker from having an easy leap off point to launch attacks against others. In addition, you don't need firewalls on the machines to prevent traffic sniffing, ipsec tunnels set up on the boxes that pass IP traffic through the wireless link work just as well. here and here.

      It sounds like if you had your way, he should just put up a couple of apple airports and forget about it. What myself and others are doing is trying to implement a reasonable amount of security when it should be implemented, at the beginning, and not as a duct tape fix after there is an incident and this guy has to explain why attacks were launched from his network. At any rate, the openbsd boxes with wireless cards are still the ideal solution, both from a cost perspective and a security perspective. There have been attacks against all the commercial wireless access points, ranging from expensive Ciscos to Breezecom to Linksys. The point isn't to have a totally locked down B1 and above security implementation, it's to make the kid with the laptop decide to move on to Joe User's unsecured Linksys and not this guy's network. I also assume that this guy is looking for a way to keep costs low, and this is the best way to do it. Somebody earlier mentioned Cisco Catalysts, yea right.

      SealBeater

      --
      -- Its survival of the fittest...and we got the fucking guns!!!
    7. Re:IPSEC by tzanger · · Score: 3, Informative

      First, "use IPSec" is easy to say, but have you ever actually set it up? It's far easier said than done.

      <cough>bullshit<cough>

      I just went through it. Linux-Linux IPSec is literally a walk in the park. Linux-Win2k IPSec is proving more difficult but not by much. The trick is to use x.509 certificates and use Win2k/XP's built in IPSec. vpn.ebootis.de has a little package which wraps around Win2k/XP's MMC and makes setting up certificate-based IPSec a walk in the park. The best part is that your server doesn't change as you add clients; you just add their public keys to your ipsec.d directory and tell ipsec to reread the dir.

    8. Re:IPSEC by swillden · · Score: 2
      First, IPSEC wouldn't stop hackers from having a nice jump-off point. All they have to do under your scenario is find one box in one apartment that can be cracked easily (now *that's* gonna be hard, isn't it!) and he's in, IPSEC or no IPSEC. My point about firewalls on the clients had *nothing* whatsoever to do with traffic sniffing, and everything to do with sealing down those machines so that no one could break into them. Unless you can ensure that the clients will accept *only* IPSEC connections, using IPSEC to secure your WLAN does you almost no good.

      I have no beef with the OpenBSD approach for cost reasons, and for the security of the APs, but you are proposing that he add a lot of work for himself, with no significant security benefit.

      While it's true that "network sanitation", the basic securing of most boxes on the net so that hackers don't have easy access to boxes for DDoS attacks and others is a good goal, the ability of a hacker to get his own box onto this WLAN isn't really relevant. I suppose it might be worth a hacker's time to install DDoS clients on as many machines on the network as he can get to, but if the firewall/router is tight he'd have to physically go to the premises to control them. It's much easier to go after the cable modems.

      Security engineering is all about risk/cost/benefit analysis. The sniffing risks here are irrelevant; there's no data that needs to be secured (we're agreed on that). IPSEC does very little to prevent compromise of individual hosts, without firewalls. With or without firewalls, IPSEC installation and administration will be a nightmare. Using a secure AP is a good idea, and a cost-effective one as well. Using WEP costs nearly nothing, and will stop casual attackers dead in their tracks. MAC filtering costs nearly nothing and, in combination with WEP and fixed DHCP will stop more attackers. The requirement that you have to be physically on-site will stop many more, particularly since there are easier ways to get zombies (like: run a web server, log NIMDA probes and jump to those conveniently rooted hosts). A little automated log analysis will be able to detect all but the most clever, or lucky, attackers, if you really think the other techniques are inadequate.

      Be methodical about it. Construct yourself a threat model, decide who you're securing against, what their capabilities and motivations are, consider the possible countermeasures, evaluate their cost, complexity and effect, and make an informed decision, keeping in mind that your ultimate goal is not to build a Fort Knox ('cause you can't on a limited budget) but to (a) make it difficult enough that attackers will go elsewhere and (b) make it possible to detect when your security is no longer adequate. In other words, build it so it's *really* a little bit stronger than it needs to be, rather than throwing solutions out that (a) are way overpowered and overpriced and (b) don't solve the problem anyway.

      The problem is attitudes like yours. You are the same type who, two years ago would have said "throw a firewall at it"! Knee-jerk application of the security technology du jour is *not* the way to do security.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
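The "hardwired DHCP assignments and a little auditing of the DHCP logs" that swillden proposes, and that SealBeater argues parses to nothing useful, as an added example that is not from the thread and not any poster's code: it checks dhcpd DHCPACK lines against a table of fixed MAC-to-IP assignments and reports the three conditions such an audit can actually see. The tenant table, MACs, addresses and log lines are all constructed; the line format assumed is the usual ISC dhcpd syslog message.

```python
"""Audit dhcpd syslog lines against a fixed MAC-to-IP tenant table.

Added example (not from the thread): the tenant table and the log lines are
constructed for illustration. The message format assumed is the common ISC
dhcpd syslog line "DHCPACK on <ip> to <mac> (<hostname>) via <iface>".
"""
import re
from datetime import datetime, timedelta

# Hardwired DHCP assignments: MAC -> (fixed IP, apartment). Constructed values.
TENANTS = {
    "00:0c:41:3a:9b:12": ("10.0.5.23", "3B"),
    "00:0c:41:7e:00:a1": ("10.0.5.24", "4A"),
}

# Constructed log sample. The third line is a card nobody registered, the
# fourth is the 3B card's MAC re-appearing with another hostname via a second
# AP three minutes later, the fifth is a tenant card given the wrong address.
SAMPLE_LOG = [
    "Jul 12 14:03:21 gw dhcpd: DHCPDISCOVER from 00:0c:41:3a:9b:12 via wi0",
    "Jul 12 14:03:21 gw dhcpd: DHCPACK on 10.0.5.23 to 00:0c:41:3a:9b:12 (apt3b-pc) via wi0",
    "Jul 12 14:05:02 gw dhcpd: DHCPACK on 10.0.5.77 to 00:02:2d:11:22:33 (laptop) via wi0",
    "Jul 12 14:06:40 gw dhcpd: DHCPACK on 10.0.5.23 to 00:0C:41:3A:9B:12 (other-host) via wi1",
    "Jul 12 14:20:00 gw dhcpd: DHCPACK on 10.0.5.90 to 00:0c:41:7e:00:a1 via wi0",
]

ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


def parse_ack(line):
    """Return the fields of a DHCPACK line, or None for any other line."""
    m = ACK_RE.match(line.strip())
    if m is None:
        return None
    ack = m.groupdict()
    # syslog lines carry no year; the default year is fine for time deltas
    ack["ts"] = datetime.strptime(ack["ts"], "%b %d %H:%M:%S")
    ack["mac"] = ack["mac"].lower()
    return ack


def audit(lines, tenants=TENANTS, window=timedelta(minutes=10)):
    """Return (kind, mac, detail) findings.

    unknown-mac   : an ACK to a card not in the tenant table; the AP's MAC
                    filter should have stopped it, so the filter is either
                    misconfigured or bypassed
    wrong-ip      : a tenant card received an address other than its fixed one
    duplicate-mac : the same MAC re-acknowledged within `window` with another
                    hostname or via another AP, the telltale of two hosts
                    sharing one MAC (as the thread notes, a clone that waits
                    until the real card is off shows nothing here)
    """
    findings = []
    last_seen = {}
    for line in lines:
        ack = parse_ack(line)
        if ack is None:
            continue
        mac = ack["mac"]
        if mac not in tenants:
            findings.append(("unknown-mac", mac,
                             f"leased {ack['ip']} via {ack['iface']}"))
            continue
        fixed_ip, apt = tenants[mac]
        if ack["ip"] != fixed_ip:
            findings.append(("wrong-ip", mac,
                             f"apt {apt} got {ack['ip']}, expected {fixed_ip}"))
        prev = last_seen.get(mac)
        if prev is not None and ack["ts"] - prev["ts"] <= window:
            if ack["host"] != prev["host"] or ack["iface"] != prev["iface"]:
                findings.append(("duplicate-mac", mac,
                                 f"apt {apt}: {prev['host']}@{prev['iface']} "
                                 f"then {ack['host']}@{ack['iface']}"))
        last_seen[mac] = ack
    return findings


if __name__ == "__main__":
    for kind, mac, detail in audit(SAMPLE_LOG):
        print(f"{kind:14} {mac}  {detail}")
```

Run against a real dhcpd log, each finding is a lead to check by hand (which apartment, which AP), not proof of anything by itself.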
    9. Re:IPSEC by swb · · Score: 3, Insightful

      Amen. Security geeks who don't appreciate the risk/cost/benefit analysis are all trying to build Fort Knox, often on shifting sand.

      Security doesn't have to be perfect. If you're protecting X, you just need to protect it slightly better than most other people with X. People interested in X will take it where it's easiest to get.

      And I agree that IPSEC is a PITA. It's OK as a dedicated tunnel between endpoints with shared secrets, but cert management gets to be a big nightmare, really fast for client applications.

    10. Re:IPSEC by SealBeater · · Score: 2

      You are the same type who, two years ago would have said "throw a firewall at it"! Knee-jerk application of the security technology du jour is *not* the way to do security.

      Actually, I have never been the type to say "Throw a firewall at it" as I am far more an advocate of host hardening. Setting up IPSec is a trivial task as others have provided instructions in addition to my own.

      Using WEP costs nearly nothing, and will stop casual attackers dead in their tracks
      You obviously haven't been keeping up with wireless security. MAC address filtering, DHCP logs and WEP will stop a casual attacker for about 10 minutes. Why is this the approach you advocate? Parsing the DHCP logs will do nothing to a) provide the identity of the attacker b) do absolutely nothing for forensics. You state "Using a secure AP is a good idea". Name one secure AP. Every one has had security problems, as was stated before. Another statement of yours "(a) make it difficult enough that attackers will go elsewhere" is exactly my point. The solutions you advocate do absolutely nothing to make things difficult. Have you not heard, or more importantly, tested the ease with which WEP can be broken? Break WEP, grab IPs, arping said IPs (hence, grabbing MAC addresses), change MAC address to match (or ideally, grab a bunch), come back later or wait a while, you're in. Attack or scan *.gov|*.mil to your heart's content, secure in the knowledge that you are not gonna get caught. Admin parses DHCP logs, sees MAC address foo had that IP (if he's not doing NAT) and grandma gets busted. IPSEC tunnel on host machines where ALL IP traffic gets routed through to the OBSD box, please tell me how attacker is going to compromise box, minus trojans which aren't exactly precise tools. Keep in mind also, that we aren't just trying to protect against outside forces, we are trying to keep people who live in the apartment complex from getting free access (if it's charged per apt.). Name one AP which has a decent IDS system and is anywhere close to reasonably priced. Ciscos suck, airports are too weak, and Linksys has had several SNMP related vulnerabilities. It's really sad that for someone who implies security knowledge in a public forum, that I have to lay out an example of methodology in order to bypass your "secure" implementation. Do some reading and come back with something better.

      SealBeater

      --
      -- Its survival of the fittest...and we got the fucking guns!!!
    11. Re:IPSEC by Oztun · · Score: 2

      Point One: wrong, IPSec is built into windows, linux and I believe the BSD's have a port.

      Point Two: wrong, IPSec is an authentication system. Just because someone could get someone's password doesn't stop ISPs from using radius now does it?

      Point Three: Wrong. As an admin you should give a rat's ass. I have been running an ISP for several years and dealing with people in your network is a nightmare. The first time the FBI comes knocking on your door about your insecure network is when you will learn to give a "rat's ass".

    12. Re:IPSEC by swillden · · Score: 3

      Actually, I have never been the type to say "Throw a firewall at it" as I am far more an advocate of host hardening.

      Of course. Because host hardening is en vogue.

      Setting up IPSec is a trivial task as others have provided instructions in addition to my own.

      Have you *ever* actually set up a large-scale IPSec network? Have you ever actually had to deal with the key management issues, or install client software on 300 machines ranging from Win95 to WinME to WinXP, with a smattering of Macs, Linux boxen and others running a huge variety of operating systems? Go do it, then come tell me how easy it is.

      You obviously haven't been keeping up with wireless security. MAC address filtering, DHCP logs and WEP will stop a casual attacker for about 10 minutes.

      Define "casual". I'm talking about the average, clueless person who happens to have a laptop with built-in 802.11b. I'm perfectly well aware of how difficult WEP is to crack; I've done it several times. Have you? How long, on average, do you have to spend collecting packets to break WEP on a WLAN with, say, 30 moderately active hosts (which is a good estimate for an apartment complex of 300 units)? Hmmm?

      Parsing the DHCP logs will do nothing to a) provide the identity of the attacker b) do absolutely nothing for forensics.

      No, but it will let you know when you have a problem you have to deal with. And *that* is when you have to deal with it, not before. Why? Because chances are very good it will never happen, given the safeguards I outlined.

      Name one secure AP

      I was agreeing with your suggestion of an OpenBSD box as an AP. My AP at home is pretty trustworthy, because it doesn't do anything. It connects to a very tightly locked-down Linux box. I never tried to argue that one should rely on the integrated firewall/AP appliances that are on the market.

      IPSEC tunnel on host machines where ALL ip traffic gets routed through to the OBSD box, please tell me how attacker is going to compromise box, minus trojans which aren't exactly precise tools

      Apartment 3B has a Windows 2000 box running an unpatched IIS (and the owner doesn't even know it). I ignore the IPSEC entirely, connect to port 80 on that box and own it. Any other questions?

      Do some reading and come back with something better.

      Go build some *real* systems on *real* budgets and then *really* attack them yourself and then *really* monitor *real* attackers *really* trying to break in for a while, and then come back with something better.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    13. Re:IPSEC by swillden · · Score: 2

      IPSec is built into windows

      Windows 95? What about Mac OS 8?

      IPSec is an authentication system.

      Part of it is. And a good one. It also provides encrypted tunnels. What does this have to do with my point?

      As an admin you should give a rats ass.

      Absolutely you should care about security. But you should do it *intelligently* rather than just throwing the latest technology at it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    14. Re:IPSEC by WolfWithoutAClause · · Score: 2
      All they have to do under your scenario is find one box in one apartment that can be cracked easily (now *that's* gonna be hard, isn't it!) and he's in, IPSEC or no IPSEC. My point about firewalls on the clients had *nothing* whatsoever to do with traffic sniffing, and everything to do with sealing down those machines so that no one could break into them. Unless you can ensure that the clients will accept *only* IPSEC connections, using IPSEC to secure your WLAN does you almost no good.

      That's partly true. Still, the aim of the IPSEC in this scenario needn't necessarily be to protect the inhabitants' boxes from being owned. If you think about it, they are being connected to the internet and the internet is being connected to them. That's probably a bigger threat than the wireless leg.

      Instead, a reasonable goal I would think would be to protect the bandwidth of the other inhabitants from being extensively shared and/or stolen. Why should hacker(s) from outside the apartment be able to connect to the network and take away all useful bandwidth?

      I would think a combination of traffic shaping and IPSEC may be appropriate. If somebody's box gets owned, all that happens is that that user's bandwidth allowance gets borrowed; this has very different characteristics than if 100 people are bridging themselves into the network from outside and start downloading 100MB mpegs because they've cracked the WEP password and recorded the mac addresses for the whole apartment block.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    15. Re:IPSEC by ahfoo · · Score: 2

      It's true, security is relative just like anything else.
      Here's a real world example. I had three bikes ripped off from the front of my office on a busy street in a big city over the course of a year. I tried using bigger locks and heavier chains, but the bike thieves would still get my rides.
      Thinking about the problem, I realized part of the problem was that my bikes stuck out like a sore thumb on that sidewalk as nobody else parked bikes there.
      So, I started parking in the university campus across the street in the bike parking racks where there were thousands of other bikes to choose from. I still used my heavy lock and since there were so many others to choose from with smaller locks I have kept my ride all year where I lost three the previous year.
      Having bikes stolen and getting freeriders on your wannabe wireless ISP are at about the same level of criminal activity in terms of the money damage they're going to cause. If this is the only net access available in your part of town the risks might be significant, but if there are other sources of access I wouldn't be so overly concerned about it. Use a bit of precaution and leave it at that till you see that there really is a problem. Why waste time solving problems that don't even exist yet?
      What's to stop someone from jacking into your phone box and making long distance calls? It can and does happen, but you're not concerned about it are you?

    16. Re:IPSEC by swb · · Score: 2

      What's to stop someone from jacking into your phone box and making long distance calls? It can and does happen, but you're not concerned about it are you?

      Never thought about that. It's probably pretty simple to take a DSS phone (900Mhz or 2.4Ghz), ditch the plastic shell and mount it into a phone-company looking box with a line-powered charging system. Wire into an apartment building phone system, get free/untraceable calls.

      Better yet would be tagging onto a business analog trunk, local calls would never be found and most LD calls would be overlooked.

  36. use phoneline to ethernet bridge from netgear by Anonymous Coward · · Score: 0

    http://www.netgear.com/product_view.asp?xrp=9&yrp=21&zrp=79

  37. NoCatAuth by ekalb · · Score: 2, Informative

    NoCatAuth is a project that attempts to address the security concerns of running subscription based wireless services. AFAIK though, it's designed so that you must build linux boxes to act as access points, it would take some hacking to get it to work with existing access points (most of which can be administered through snmp).

    1. Re:NoCatAuth by captain+larry · · Score: 1

      Not true, NoCatAuth doesn't care in the slightest what you are using for network connectivity. It just acts as a gateway between two or more networks.

      Personal Telco has many NoCat nodes set up and only a couple of them are using a Linux Access Point.

      Adam.

  38. We have a wireless network at our house... by VistaBoy · · Score: 2, Insightful

    You probably do not want to use 802.11b wireless networking in an apartment complex, considering that a cordless phone can interfere with the signal and destroy all connections within. It happens all the time at my house.

  39. There's no way to prevent hitchhikers by slank · · Score: 2, Informative

    If someone is determined enough, they can get on your WLAN. MAC addresses can be spoofed, WEP keys can be sniffed. All you can do is authenticate and log.

    I recently spoke to some keen fellows from Baylor University that have created an OpenBSD-based firewall/logging/authentication system that takes the poster's info page one step further. Everyone authenticates via an SSL-encrypted web site in order to join the network. DHCP leases are handed out in conjunction with a login session, so you can track who does what. Logging in also opens up your firewall to allow the newly-leased IP address through.
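The login-bound lease scheme slank describes (authenticate on a web page, tie the DHCP lease to the login session, open the firewall for that address, log who had what), as an added toy model that is not the Baylor or NASA Wireless Firewall Gateway code. Users, passwords, MACs, addresses and times are constructed; the "firewall" is just a decision function so the binding logic can be read on its own.

```python
"""Toy model of a login-bound lease gateway.

A client gets a DHCP lease from anyone, but the firewall passes its address
only while an authenticated web-login session for that lease is alive, and
every lease/login/expiry is logged so "who had this IP at that time" can be
answered. Added example; all names and values below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

SALT = b"constructed-demo-salt"  # a real portal stores a per-user salt


def _hash(password):
    """PBKDF2-SHA256 of the password under the demo salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


@dataclass
class Session:
    user: str
    mac: str
    ip: str
    expires: int  # plain integer seconds, for simplicity


class PortalGateway:
    def __init__(self, users, pool, session_seconds=3600):
        self.users = {u: _hash(p) for u, p in users.items()}
        self.pool = list(pool)       # free addresses to lease out
        self.session_seconds = session_seconds
        self.leases = {}             # mac -> ip
        self.sessions = {}           # ip -> Session
        self.log = []                # (time, event, subject, ip)

    def lease(self, mac, now):
        """DHCP hands an address to anyone who asks; that alone grants nothing."""
        ip = self.leases.get(mac)
        if ip is None:
            if not self.pool:
                raise RuntimeError("address pool exhausted")
            ip = self.pool.pop(0)
            self.leases[mac] = ip
        self.log.append((now, "lease", mac, ip))
        return ip

    def login(self, user, password, mac, now):
        """The SSL login page: bind a session to the caller's current lease."""
        ip = self.leases.get(mac)
        if ip is None:
            return False
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(_hash(password), stored):
            self.log.append((now, "login-fail", user, ip))
            return False
        self.sessions[ip] = Session(user, mac, ip, now + self.session_seconds)
        self.log.append((now, "login", user, ip))
        return True

    def allowed(self, ip, mac, now):
        """Firewall decision for a packet from (ip, mac): pass only while an
        unexpired session exists for that IP and the MAC is the one that logged
        in. The MAC tie is weak (the thread notes MACs can be cloned); the
        session and its log entries are what carry the accountability."""
        s = self.sessions.get(ip)
        return s is not None and now < s.expires and s.mac == mac

    def expire(self, now):
        """Drop sessions whose time is up; the firewall rule goes with them."""
        for ip, s in list(self.sessions.items()):
            if now >= s.expires:
                del self.sessions[ip]
                self.log.append((now, "expire", s.user, ip))

    def who_had(self, ip, at):
        """Accountability query: which user held a session for ip at time at."""
        user = None
        for t, event, subject, logged_ip in sorted(self.log):
            if t > at or logged_ip != ip:
                continue
            if event == "login":
                user = subject
            elif event == "expire":
                user = None
        return user


def demo():
    """Walk one tenant and one stranger through the gateway (constructed)."""
    gw = PortalGateway({"apt3b": "correct horse"}, ["10.0.5.23", "10.0.5.24"])
    tenant, stranger = "00:0c:41:3a:9b:12", "00:02:2d:11:22:33"
    ip = gw.lease(tenant, now=1000)
    before = gw.allowed(ip, tenant, 1000)          # leased, not logged in
    bad = gw.login("apt3b", "wrong", tenant, 1001)
    ok = gw.login("apt3b", "correct horse", tenant, 1002)
    after = gw.allowed(ip, tenant, 1003)
    cloned = gw.allowed(ip, stranger, 1003)        # other card using that IP
    gw.expire(1002 + 3600)
    expired = gw.allowed(ip, tenant, 5000)
    return gw, ip, (before, bad, ok, after, cloned, expired)
```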

    1. Re:There's no way to prevent hitchhikers by SealBeater · · Score: 2

      More direct link to the project?

      SealBeater

      --
      -- Its survival of the fittest...and we got the fucking guns!!!
    2. Re:There's no way to prevent hitchhikers by Anonymous Coward · · Score: 0

      Interestingly enough, I'm the knucklehead who put the Baylor project together. It's all based off the NASA Wireless Firewall Gateway, but with lots and lots of customized accounting and reporting (a "hidden" admin site). There is no fancy website on the project yet ...

      Well, I guess you could contact me at Baylor (I hate SPAM!!!!) at Jeff underscore Wilson at baylor dot edu.

  40. HomeRF 2 by Anonymous Coward · · Score: 2, Informative

    We set up a small wireless network (5 hosts) at our apartment building to share internet. One of our biggest concerns was interference from other devices. On our limited budget we didn't have the luxury of buying signal testing equipment and AP's to see if 802.11b would be reliable in our building. So in the end, we went with HomeRF 2.0 equipment made by Proxim which has a better range and is much better at avoiding interference than 802.11b and transmits at a similar 10Mbps.

    We bought the USB adaptors (for around $80) from Provantage for less than any USB 802.11b adaptors we could find at the time.

    There are some limitations with HomeRF, (I don't think roaming between AP's is supported and only drivers for Windows and Mac are provided) but in our situation it was just what we needed and it's worked flawlessly. We've had no network downtime due to interference.

    1. Re:HomeRF 2 by Anonymous Coward · · Score: 0

      And the fact you won't have to worry about people hitchhiking and other undesirables due to using something other than 802.11b.

  41. Don't bother with WiFi... by YuppieScum · · Score: 5, Insightful

    The whole point about using wireless LANs is to enable environments where you either need to support roaming/migrant users or you have little/no control over the local infrastructure.

    Neither is the case here.

    You also need to remember that the 11MB/s provided by WiFi is shared between all users. If you have 50 "dwelling units" and two WiFi access points, you'll be offering a service with less maximum bandwidth than bottom-of-the-range xDSL... and you'll be charging for $100 WiFi NICs instead of $10 PCI ethernet NICs (which many PCs now have as standard anyway)... and for a service subject to atmospheric outages (ever use a WiFi network during a thunderstorm) as well as interference from a multitude of other devices like microwaves, cordless headphones and DECT telephones...

    I'd recommend taking a bit of up-front hit and running CAT5 to each apartment. Put a switch on each floor (unmanaged 16-port switches are less than $80), and run each floor-switch to a central switch, and from there to the T1 router, squid server and whatever other infrastructure you're going to value-add into the equation.

    This is what business-class hotels now do - just provide an ethernet RJ-45 jack and a DHCP server... all a guest has to do is plug in, configure for DHCP, and reboot.

    If nothing else, support costs for a wired network are trivial... but for a WiFi? How do you explain to a user that they can't get their mail because the guy in apartment 2B is listening to a CD?

    --
    This sig left unintentionally blank.
    1. Re:Don't bother with WiFi... by Kizeh · · Score: 1
      The problem with this math is that not all users are using the net at the same time. That's the whole point behind statistical multiplexing. Both cable modem and DSL operators do this: The moment your traffic leaves a Telco's DSLAM, you end up sharing a T1 or other circuit with a whole pile of other people. You can rest guaranteed that this circuit couldn't support even close to all users using their maximum promised bandwidth at the same time.

      That said, you won't get 11 Mbps out of 802.11b anyhow. And finally, you'll probably end up terminating all the units into something fairly smaller anyhow. Which brings me to two more points:

      How are you connecting all the APs?

      Security. The suggestion to DHCP out non-routable addresses, and provide a VPN concentrator as the only way out is a very good one, and I would seriously look at it. However, you still end up with maintenance and tech support needs.

    2. Re:Don't bother with WiFi... by insomniak1 · · Score: 4, Informative

      Here are a few truths about 802.11b gear (and a couple of tips):

      1) 11mbit/sec actually turns into about 5mbit/sec because of error correction. (if I remember correctly, the 802.11b standard does error checking in a manner where it sends 12 bits and half of that is checksum.)

      2) The top speed of the wireless wan is affected by the number of people on it. Just because each client connects to the AP at 11mbit/sec, it doesn't mean that the 11mbit will be guaranteed speeds.

      3) you'll most likely require more than a 'couple' of access points to achieve building-wide coverage. Even the number of people in the facility that you're trying to cover affects the cell coverage size. (water absorbs and reflects RF - make sure you keep that in mind if you have plenty of foliage in and around the buildings.)

      4) load-balancing is possible, but I've only seen it with the higher-end gear (ie. ciscos, etc.) That'll help with multiple people.

      5) RF is prone to SERIOUS interference and even the waves are affected by the structures. This is very evident when you are a few meters away from a radio (not line of sight) and you get a strong signal, then suddenly you walk into a RF null. not fun.

      6) Make sure you use decent antennae (and make sure that the radios can handle the power requirements of the antennae you're using.)

      7) Make sure that your cables and the like are properly made if you're doing them yourself. If your cables suck, your signal will go to hades.

      tip: make sure you have secure authentication systems and xmission security. it's no fun when someone gets 'smart' and steals free bandwidth... or worse, account data.

      tip: make sure you have something there that can protect your arse should something REALLY go wrong with the network. Hell hath no fury like a geek bereft of network access.

      tip: take the time to do the surveys. If you do proper surveys, you will be a much happier person in the long run.

      Anyhow -- There you go. I'm sure there's some more stuff I missed. Let's hear them. :)

    3. Re:Don't bother with WiFi... by figment · · Score: 3
      I agree with you mostly except for...

      Put a switch on each floor (unmanaged 16-port switches are less than $80)

      No. You want a really spiffy switch. It needs to a) be able to do mac-port mapping, b) be able to remotely enable-disable ports, and c) support rmon/snmp. Maybe you don't need c) if you have netflow configured/running correctly, but a) and b) will save you tons of time (and therefore labor costs) long run by doing these two things. Unless you want to walk to the place at 3am because some dumbass got rooted and you need to go unplug him because he's pingflooding efnet (it's going to happen, trust me.)
    4. Re:Don't bother with WiFi... by Anonymous Coward · · Score: 1, Funny

      This is what business-class hotels now do - just provide an ethernet RJ-45 jack and a DHCP server... all a guest has to do is plug in, configure for DHCP, and reboot.

      Reboot?

    5. Re:Don't bother with WiFi... by Anonymous Coward · · Score: 0

      Why would you reboot? All modern operating systems (linux, MacOS X, windowsXP) can change IP address without rebooting

    6. Re:Don't bother with WiFi... by tzanger · · Score: 4, Insightful

      No. You want a really spiffy switch. It needs to a) be able to do mac-port mapping, b) be able to remotely enable-disable ports, and c) support rmon/snmp. Maybe you dont need c) if you have netflow configured/running correctly, but a) and b) will save you tons of time (and therefore labor costs) longrun by doing these two things.

      Um, no.

      Nice 24-port unmanaged switches are best here. You will have a fat managed switch as the uplink for all of these floor-level switches, and you will have a decent router between that and your bandwidth provider. Use the managed switch to localize which floor the disturbance is coming from, then use the sniffer port to find out the IP. Finally, log in to the router and change the ACLs so that that user (or MAC addy) is simply not allowed to go anywhere. No need to blow enormous gobs of money on managed switches for every floor.

    7. Re:Don't bother with WiFi... by YuppieScum · · Score: 2

      Because corporate laptops generally don't run a modern operating system... mostly NT4, although you might get W2K if you're "lucky"...

      --
      This sig left unintentionally blank.
    8. Re:Don't bother with WiFi... by Anonymous Coward · · Score: 0

      Ahhh...the smell of yet another anti-MS idiot...

      Wonder why you don't have to reboot Win2K or WinXP to change IP configs....

    9. Re:Don't bother with WiFi... by cschieke · · Score: 1
      The biggest difference between a wireless and wired solution in this type of scenario is that the costs are shifted from the infrastructure provider to the user.

      In a wired scenario, the infrastructure provider must outlay a significant amount of cash upfront to provide service. In a wireless scenario, the user must outlay the cash.

      Personally, I'd rather overpay if the total amount is under $100.00 if I can get the service right away, vs. paying less and waiting.

      later...
      chad

    10. Re:Don't bother with WiFi... by WolfWithoutAClause · · Score: 3, Interesting
      You also need to remember that the 11MB/s provided by WiFi is shared between all users. If you have 50 "dwelling units" and two WiFi access points, you'll be offering a service with less maximum bandwidth than bottom-of-the-range xDSL...

      Wrong.

      Ever heard of contention ratio? Contention ratio is the ratio between the actual bandwidth and the bandwidth available to each user. In this case you are providing 11 Mb/s of backbone for 50 users. Assuming a contention ratio of 50:1, which is fairly normal entry level ADSL, this wireless system can provide for ~3-11 Mb/s each for about 50 users. Or ~1-3 Mb/s per user at a contention ratio of 20:1.

      and you'll be charging for $100 WiFi NICs instead of $10 PCI ethernet NICs (which many PCs now have as standard anyway)... and for a service subject to atmospheric outages (ever use a WiFi network during a thunderstorm)

      Plenty of people have used it over multi-km distances with no problem.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    11. Re:Don't bother with WiFi... by V.+Mole · · Score: 3

      "Um, no." Or, at least, "Um, maybe."

      Sure, you can cut the bad box off at the router, but that's not going to help the other people in the building, or sharing the switch. One needs to decide whether the value of that functionality (being able to remotely turn off a particular node, w/o affecting anyone else) is worth the expense, or that need will be rare enough that you're willing to go the switch closet and physically unplug the node.

  42. Re:You people suck... by Anonymous Coward · · Score: 0

    For you, so that you may 'learn as you go' as well.

  43. Why not wired? by coyote-san · · Score: 2, Informative

    Have you considered going with a wired solution instead of a wireless one?

    I assume that the units already have cable TV. If they do, you should be able to run a cat-5 cable beside the cable coax and replace the wall plates with one that includes both a coax port and cat-5 port. You then run the cables to a centralized 10base2 switch for each building, and thence to a central switch for the complex. You shouldn't skimp on these - get hubs with real VLANs. Commodity switches still leak information between the ports.

    This will initially be more expensive than tossing up some WAPs, but it will probably save you a lot of headaches down the road because you don't need to worry about people running AirSnort, or interference from common household electronics, or any other crap like that. If people really want wireless access, let them set up their own WAP, but make sure they know their access will be cut off if it's abused.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Why not wired? by 87C751 · · Score: 1
      You then run the cables to a centralized 10base2 switch for each building
      You did mean 10Base-T, right? (and one would hope you really meant 100Base-T)
      --
      Mail? Put "slashdot" in the subject to pass the spam filters.
  44. Re:You people suck...n00baphobes by huhey_groove · · Score: 1
    I would have to agree with unity on this one.
    This is the next, already grown too far, plague of the internet, n00baphobia.

    Why is it when people sit down to a new game and get online to see if it's worth multiplaying, they're treated like 2 bit carny workers not worthy to lick dung off the monkey trainer's broom?

    Why is it when someone posts a valid question or asks for help at /. or another well known forum that at least what seems to be more than 1/4 of the posts are lashing back at what a poser the poster is?

    Some people really need to grow up. Would you treat your own children this way? Oh wait, women (sorry ladies, most of us /.er's are guys) won't go near you priapistic, propellerhead, dorks.

    Do your friends treat you this way when you ask them to help you move? Then again, with an attitude like that, you most likely have no friends.

    I could go on and on and on about n00baphobia, but I don't want to seem like I'm ranting. Just give the guy some slack and if you don't really have anything useful or entertaining to say, bugger off.


    Groove---Misanthrope to the Stars

    --
    Groove - Misanthrope to the stars
  45. 802.11 Range by IcEMaN252 · · Score: 1

    Just for the record, while you usually think of 802.11 as being relatively limited in range, it's really not. For instance, a Primestar dish can be used as a directional antenna and get a supposed 10 mile range. I've also heard of a Pringles can being used similarly. (Those were the first hits on google, there are many more resources.) My point is that it's not just "war drivers" you need to be concerned about, but also the guy two blocks away with line of sight. For about $10, you can build a directional antenna, and the rest is just a matter of time.

    --
    CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
    1. Re:802.11 Range by wessto · · Score: 1

      Good to see a wwc person posting. Keep up the good work!

  46. Use IPSEC or Kerberos with *at least* 1024-bit key by SailFly · · Score: 4, Informative

    I set up a small AP in my apartment, only used by me, so far ;)

    I used an old 486 laptop running Linux 2.4.18 (RedHat base) with an Orinoco Silver card, using 40-bit WEP (which to a cracker, is slightly inconvenient at best) and IPTABLES, MAC filtering with IPSEC 3DES and 1024-bit keys.

    Be sure to use some kind of encryption better than WEP (like Checkpoint VPN, IPSEC, etc.) otherwise, it's only a matter of time before your users' account info is stolen.

    Also consider the kinds of antennas used on the AP. I actually bought the 3 dB loop antenna (size of a 10" plastic ruler) but I don't even need it within my own apartment (100' radius). I use both 2.4GHz phone and microwave with no major problems in my access. Mind you, I'm not using the link for heavy-use or Internet/media streaming. Here are some links to sites that helped me:

    Good luck with it, please post a link to your HOWTO when you get it running!

  47. Screw wireless try this : by isotope23 · · Score: 2, Interesting

    http://www.linksys.com/products/product.asp?grid=3 2&prid=416

    PLEBR10 - ethernet via powerline

    Are the apartments all on the same side of the transformer?

    Does the apartment own the power lines in the complex?

    Better solution IMO: no new wires, 12meg of data vs like 3-4 for 11.b stuff AND you can move it from outlet to outlet....

    No broadcasting via airwaves so people won't even think about checking the powerline for internet (for awhile).

    If the distance between the buildings is too great, or they are separated by a transformer, I would think about doing a cat 5 or fiber run between the buildings. If not, then put a couple 11.a points up to interconnect.

    --
    Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
  48. Re:You people suck... by unity666 · · Score: 0

    lol

  49. just increase the rent by dotstar · · Score: 1

    How about keeping it simple.

    Increase everybody's rent $20 per month, and let them know that wireless broadband is included "at no extra charge". Build a list of compatible devices, charge a few bucks for installation assistance, and be done with it.

  50. Wireless where necessary? by linatux · · Score: 0

    I don't know what it costs over there, but I suspect you can get a lot of cable laid for the price of the wireless access points. On the other hand, being able to drag a laptop outside while enjoying a coffee under a tree sounds rather pleasant. Perhaps there is a main central area that would benefit from wireless, while the rest could be cabled on request.

    None of this addresses security concerns, but plenty of others have opinions there.

  51. Re:I would not hire you by FCAdcock · · Score: 1

    And how is he supposed to learn?

    --
    --Forest C. Adcock--
  52. Re:WAP by Anonymous Coward · · Score: 0

    Although I have tried to not rise to this opportunity of pointing out your stupidity, I have decided I will....

    W ireless
    A ccess
    P oint

    Fool!

  53. question - multiple antennae per WAP? by wfmcwalter · · Score: 1

    I have a supplementary question - rather than buying one WAP per region (floor, wing, etc.), is it possible to reduce the number of WAPs by plugging multiple antennae into one WAP, perhaps with something as simple as a Y connector?

    This way someone rigging up a large or complex structure, but with relatively few stations, could have an antenna in each region, and string coax back to the WAP.

    I know this will cause nasty phase-shift and multipath problems, due to the same station being received by both antennae, but 802.11 must already contend with this, as reflection from metal surfaces will cause it, even for the single-WAP-single-station case.

    I'm just curious to see if someone has already tried something like this and failed, or if there's a good theoretical reason why it's a dumb thing to do.

    Thanks
    Fin

    --
    ## W.Finlay McWalter ## http://www.mcwalter.org ##
    1. Re:question - multiple antennae per WAP? by Cef · · Score: 3, Informative

      Phase matching the antennas is the biggest pain, simply due to the high frequency (and therefore small wavelength). Many AP's and some cards provide 2 antenna sockets for a system called diversity.

      Diversity actually is best used to reduce multipath signals, as the radio listens to both signals, and "picks" the best signal to use from the 2 it received. Since both antennas are in different physical locations (from a few inches to about 2 feet is best), each antenna gets a different signal. Do not place these antennas in largely disparate locations, or separated by some interfering object (like a steel support beam), as diversity works best when it can see the signal at BOTH antennas.

      There are a huge variety of antennas out there, that produce different polarisation and radiation patterns. Some antennas have receiving amplifiers that produce huge (30+ dB) gain on receive, while only producing about 7dB gain on transmit. Semi-directional (from 60 degree to 180 degree coverage) antennas are great for outside walls. Some have clockwise or counter-clockwise "Circular" polarisation patterns instead of the average horizontal or vertical (circular polarisation tends to be better for point to point applications, and your antennas should match each other - CW will talk to CCW).

    2. Re:question - multiple antennae per WAP? by Anonymous Coward · · Score: 0

      Yeah, there's an idea. Let's share 11 MBit with not just one half of the building, but the whole damn thing. Their slogan could be "Wireless access at Dial-Up Speeds!"

  54. Read Up by axelbaker · · Score: 1

    There is some good documentation out there, that cover a lot of the issues you will run in to. My favorite is Designing Airport Networks from Apple [PDF], it goes on the assumption WEP works, but other than that it covers things such as how to get multiple devices to play nice and some network topologies.
    Good Luck.

  55. Re:Don't expect many replies for the next 45 minut by cluge · · Score: 2

    Or the season final of Enterprise.

    cluge

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  56. Im in a different boat by rosewood · · Score: 2

    Currently I am in the situation where I am trying to talk an office out of spending $6000 from one contractor on a wireless network. Their office is small and has absolutely no need for a wireless network (let alone at the $6000 price tag). The lady in charge of this decision has no idea what she is talking about and has been brainwashed by her "personal technician" (who has quite the cush job - $500/mo consultant whether he does something or not).

    But the point of my post is this: just because you can go wireless does not mean you always SHOULD - there are times when a wired network makes a hell of a lot more sense.

    1. Re:Im in a different boat by erc · · Score: 1

      I've consulted for shops that needed both. For roaming access in conference rooms and such, wireless is great. For a cubicle environment, wireless is a colossal waste of money. In my current company, we have both 100baseT for the desktops and 802.11b for the iPAQ and conference room laptop crowd. We block access to everything but port 22, and use SSH and port forwarding for everything else.

      Spending $6K for wireless is insane. Figure $150 for each WAP, and $100 a pop for 802.11b cards, then plug the APs into a CAT5 jack and hide them above the ceiling tiles.

      --
      -- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
    2. Re:Im in a different boat by rosewood · · Score: 2

      Being a small time consultant, sometimes it's just nice to hear other people say what I've been saying so I'm not insane

      They have no conference room and are basically in a cubicle environment

      The funniest part is the lady fired one girl for running windows 2000 on a laptop because "it was so insecure" and the lady that got fired refused to buy win98 from this other consultant for $200. -- yet she wants wireless (and I'm sure neither she nor her consultant has the first clue in how to secure such a network)

  57. Re:I would not hire you by shepd · · Score: 1

    >Would you want a doctor posting questions like "how do I calculate someone's blood pressure?"?

    He didn't say that. I learned how to do that in Grade 9 Phys. Ed.

    It is quite obvious he far surpasses a high-school knowledge of computing, and it appears he has as much knowledge as your average computer technician (if not more), so there's no reason why he doesn't have the necessary knowledge to have a handle on the situation.

    Also, you should know, very, very, very few businesses know how to attack a new problem (and every single client is a new problem unless you only do a single thing) right away.

    Your job as a general computer solutions consultant isn't to go there knowing how to do it and telling the client that it will be done that way. Your job is to talk with the client and come up with a reasonable solution. A good client (and a good job) will leave you with enough flexibility that "anything goes" as long as it works reliably, and at a reasonable cost.

    And, with that flexibility comes the fact that you can't know everything, and consulting other people who may or may not know more about the topic (such as slashdot) is a very good idea.

    In short, you were modded a troll because if you followed your advice you would never land a job unless you and the client think exactly alike (once in a blue moon).

    And, BTW, he was asked by the client to do this job. He didn't ask them. When someone offers you money and you think you can do the job (and it seems he thinks he can) you don't say no (unless someone's life is at stake. I doubt that in this case).

    The whole "professional" thing is a chicken and egg problem that shouldn't require any explaining.

    The professional thing to do, anyways, in all circumstances (except where lives are at stake, which doesn't count in this case), is to leave the client happy. If you can do that, you've beat out a lot of accredited professionals I know by miles.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  58. Think Security First! by vaughnch · · Score: 2, Informative
    Wireless 802.11b is riddled with insecurities. In addition to various improprieties within WEP (see attached), 802.11b's access association scheme is inherently insecure. The University of Maryland Study found that "while the current access points provide several security mechanisms, [their] work combined with the work of others show that ALL of these mechanisms are completely in-effective." The mechanisms they are referring to are:
    • WEP (Wired Equivalent Protocol)
    • Open Systems Authentication
    • Shared Key Authentication
    • Access Control Lists (MAC Address Lists)
    • Closed Network Access Control (LUCENTS Proprietary Access Control)
    The important thing to note here is that EVERY one of these mechanisms can be worked around.
    • WEP has known vulnerabilities allowing someone to decrypt information in real-time after capturing about a days worth of traffic.
    • Open Systems Authentication has "shown that the authentication management frames are sent in the clear even when WEP is enabled."
    • Shared Key Authentication has shown that it is rudimentary to capture the Initialization Vector since it is sent in the clear as part of a WEP frame.
    • Standard Access Control Lists are easily circumvented by an attacker sniffing the network for a valid MAC and thus reprogramming their network card to an appropriate value to gain access to the network.
    • The proprietary Closed Network Access Control list that LUCENT (and others) touts as "a system that will not send the network identification (SSID) as a broadcast, thereby mandating that someone KNOW the SSID before they can associate to the network," is inherently flawed since:

    "Several management messages contain the network name, or SSID, and these messages are broadcast in the clear by access points and clients. The actual message containing the SSID depends on the vendor of the access point. The end result, however, is that an attacker can easily sniff the network name, determining the shared secret and gaining access to the "protected" network. This flaw exists even with WEP enabled because the management messages are broadcast in the clear."

    When setting up a wireless 802.11b network, you MUST consider it to be publicly accessible. Anyone who is motivated can gain access to your physical network. They need not be within 300 meters, and through the use of a Yagi antenna or some other directional device could gain access from miles away. If setting up a wireless network despite the vulnerabilities, please follow the following suggestions:

    1. The most effective strategy would be to put your wireless access points into an IPSEC enabled DMZ, and have your wireless users tunnel into your network using a VPN. If your corporation doesn't already have a VPN infrastructure in place, it's going to cost you some money to implement. Even if you do have a VPN in place, and all of your clients already have the VPN software, there's going to be an extra effort associated with setting up a VLAN for your DMZ. But this solution adds a layer of encryption and authentication that could make a wireless network suitable for sensitive data.
    2. Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are optionally including some provision for RADIUS authentication. Orinoco access points, for example, can enforce RADIUS authentication of MAC addresses to an external RADIUS server. Intermec access points include a built-in RADIUS server for up to 128 MAC addresses. (EAP (Extensible Authentication Protocol) is used to allow wireless clients to authenticate to RADIUS servers using a single sign-on.)
    3. At an absolute minimum, even with its vulnerabilities, you should enable WEP. Whether you implement 64-bit or 128-bit doesn't really matter too much, as it's not the encryption scheme that's determining how long it takes to crack it, but the number of possible Initialization Vectors. WEP is only a low barrier to entry, but it will keep out many of the casual hackers because there are so many other wireless networks that are wide open and easier targets.
    REFERENCES

    University of Maryland Study: http://www.cs.umd.edu/~waa/wireless.pdf

    Fluhrer, Mantin and Shamir Study: http://www.eyetap.org/~rguerra/toronto2001/rc4_ksa proc.pdf

    AT&T Labs and Rice University Study: http://www.cs.rice.edu/~astubble/wep/wep_attack.ht ml
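    The claim in point 3 above, that the IV space rather than the key length sets the exposure, can be put in numbers. This is an added derivation, not part of the post; it assumes only that the WEP IV is 24 bits (fixed by the 802.11 standard) and a constructed traffic rate of 500 frames per second.

    WEP has $N = 2^{24} = 16\,777\,216$ possible IVs, so for a given key the keystream of some IV is reused after at most $N$ frames regardless of whether the key is 40 or 104 bits. If a station picks IVs at random, the birthday bound gives the number of frames $n$ after which some IV has already been reused with probability $1/2$:

    $$n \approx \sqrt{2 N \ln 2} = \sqrt{2 \cdot 16\,777\,216 \cdot 0.693} \approx 4.8 \times 10^{3}$$

    At 500 frames/s that first repeat is expected within about ten seconds, and every IV has been used at least once after

    $$\frac{N}{500\ \text{frames/s}} \approx 33\,554\ \text{s} \approx 9.3\ \text{hours},$$

    which is the order of the "day's worth of traffic" the post quotes. Going from a 64-bit to a 128-bit WEP key changes neither figure, because $N$ is unchanged; only a scheme that rekeys or enlarges the IV (the TKIP and VPN options discussed elsewhere in the thread) moves them.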

  59. Phone line by Anonymous Coward · · Score: 0

    Most phone lines have 4-6 cables in them, and only 2 are used (in AUST at least). Instead of using wireless, or costly wiring up of cat5, why couldn't you just tap into the existing phone cables, splice off the unused wires and provide access back to a central gateway?

    1. Re:Phone line by Jonny+290 · · Score: 1

      Because a good portion of telco wiring installations suck a fat one.

      Lucky to get 10mbits over one, let alone 100.

      --
      Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
  60. Re:Screw California by Anonymous Coward · · Score: 0

    That's what we do up here in BGates great neo-stalinist NW ... since electricity comes with the rent, I heat my apartment with 4-K6s. We burn energy like it's kilowatts so Ca weenies freeze ta death in their ice-cold redwood hot-tubs. BWAaahahahahahaha

  61. No by srichman · · Score: 2
    He's talking about 802.11a though
    No, actually, he/she said "there are enough channels if we go 802.11a but cost is a concern." In other words, the ideal solution would not be 802.11a-based.
  62. Pickup lines by Anonymous Coward · · Score: 0

    "Let's get physical and let me link my data to you."

  63. Things to consider by Cef · · Score: 2

    You may consider deploying BOTH 802.11b and 802.11a. There are devices that support both, such as the Cisco 1200, but no wireless cards for 802.11a yet (due August/September 2002). There are also devices that work with your existing Access Point, such as Symbol's Mobius 5224, which sits over an existing Symbol 802.11b access point, uses the same network cable (provides a second network port for the 802.11b AP) and even provides power for the old AP.

    If you go with 802.11a for any reason though, be warned, the cell sizes are MUCH smaller. The slowest 802.11a speed of 5 Mbit/s gives you coverage to about the same distance as 802.11b does at 5.5 Mbit/s. At least with 802.11b you can go slower in areas where the coverage is marginal.

    Antennas can make a big difference to your coverage pattern, and should not be underestimated. Using semi-directional antennas is also a good way to avoid or reduce outside coverage on a building, which makes it that little bit harder for carpark hackers to get in. If you have a lot of metal around, look at using diversity (2 antennas separated by a small distance - each antenna's signal is compared and the best signal is used), which will improve coverage and reduce dropouts.

    You will also want to consider the number and type of client radios connecting to your 802.11b network. While 2 AP's might provide coverage, you may find the density of users brings everything to a crawl. Decent AP/Client card combos will load balance across multiple AP's if the signal strength is there. Some AP's (particularly Cisco's) have a real problem delivering speed to more than 2 clients from a single AP at the same time, as they don't load balance (internally) properly. You will find 2 clients will get almost all the bandwidth, and the rest will get a tiny amount (eg: 4-10Kbit/sec). This is totally unacceptable for high user densities.

    As for security, there are a number of authentication systems out there that seem reasonable, such as EAP/TLS, and Kerberos based implementations, all implemented in the AP. Authenticating using DHCP and MAC addresses is not worth it, as you can fake MAC addresses easily, and you can always use a fixed IP. That said, if the AP has MAC level Access Lists, USE THEM where possible, with other security methods. Just makes it that little bit harder.

    EAP/TLS is the newcomer on the market, and usually relies on a Radius server for its back-end authentication. This is OK, as long as your users don't roam about at all. If they roam from one AP to the next, you will get delays of ~300ms as the AP re-authenticates itself with the Radius server. This might be OK if your users don't move around much, but is totally unacceptable if they are mobile in any way. All the Kerberos authentication systems I have seen distribute details to all the APs at authentication time, so that roaming is about 50ms or less.

    With encryption, if you have WEP, enable it. Once again, like with MAC level ACLs, it's just one more thing for them to get through. Many APs now support Dynamic WEP, or TKIP (Temporal Key Integrity Protocol). There are also some devices that support AES based encryption methods, and I wouldn't be surprised to see TKIP implemented with AES instead of WEP out there as well.

    Of course, you could also use a VPN solution like IPSec. I'd also recommend using large key sizes, simply because you can. If you do use a VPN, STILL use WEP/TKIP/AES and ACLs, as it'll make it just that little bit harder to try and get into.

    Remember, the object is to deter them from trying to break into your network. If they try long enough, they'd probably still eventually break in. But if they can break into another system in 1/100th of the time, then unless they have a major grudge or very specific reason, they'll go that way.

    Good luck!

  64. X10 And WAP by K'tohg · · Score: 3, Informative

    My father is a big Radio Shack remote lighting fanatic. (X10) Every light is hooked up with a remote switch. All his lamps have the plug-in appliance system. Even his Christmas lights are X10 enabled.

    Well, I needed to toss a cable modem onto my LAN, which BTW was wireless. And the only spot I had was down in the basement. In fact exactly 4 inches (yes, I just measured) away from the X10 module controlling the Christmas lights.

    My laptop is now on the third floor on the other side of the house. Almost the furthest point without going outside. Well, on average I get about an 80% signal strength considering the amount of plaster and copper pipes between me and the basement. (For some reason tonight I have a 60% strength).

    So, that being the case, I'll go check the X-mas lights

    . . .

    Yup, it worked... I'll place my bet that the interference, if any, is not that big a deal!!!

    --
    > SELECT * FROM brain_cells WHERE synaptic_rate > 0
    0 row returned
    1. Re:X10 And WAP by itwerx · · Score: 2

      Is your wireless gear 802.11a or 802.11b...?

    2. Re:X10 And WAP by servanya · · Score: 1

      yes, the signal will be fine... but the speed will suck.

    3. Re:X10 And WAP by Anonymous Coward · · Score: 0

      That kind of X-10 is WIRED - 120 kHz pulses on the power line. It has nothing to do with the 2.4 GHz video senders, except for the fact that the same company makes it.

      And yes, they have wireless home automation stuff too, but I think that's somewhere around 300 MHz. The transmitter's pulses are too weak for me to give you an accurate number with my counter.

    4. Re:X10 And WAP by TeknoDragon · · Score: 3, Informative

      We receive our internet access from TsunamiUSA.com; they put an access point in a central location in our apartment complex. We THOUGHT we were getting a land line. Our signal is running through a couple walls, some metal, and even with an antenna our signal strength is a paltry 28 of 92. (signal -67 dBm, noise -98 dBm, 2.412 GHz)

      First, the Enterasys drivers that we ran with Windows sucked. After moving to the Linux 2.4 Orinoco drivers our upload was 5x better and download was 2x better. (antenna in the same location)

      Second, we have a 2.4 GHz digital spread spectrum phone. Channels 1 and 2 of this phone knock out our connection completely.

      We haven't noticed an AP side outage since switching to the Linux drivers.

      I have one suggestion: DO NOT OVERSUBSCRIBE YOUR NETWORK! We have sporadic port 80 (while other ports work fine) and DNS failures all over the place as well as storms of very high packet loss during prime time. Tenants will start buying cable modems or DSL... as we're about to do.

    5. Re:X10 And WAP by Da_Big_G · · Score: 1

      What are you doing with Christmas lights up in May?

    6. Re:X10 And WAP by K'tohg · · Score: 1

      I don't know, how do I tell? I'm using an Apple Airport card and a Linksys Wireless 4 port switch router (the second model version).

      --
      > SELECT * FROM brain_cells WHERE synaptic_rate > 0
      0 row returned
  65. Re:I would not hire you by Spruce+Moose · · Score: 0, Offtopic

    Yeah - most moderators don't seem to know the difference between "offtopic" and "troll".

  66. apartment networks by Anonymous Coward · · Score: 0

    I don't think it would be that difficult to design but more difficult to maintain.

    A number of security issues are involved.

    Wireless is among the easiest access points to break into.

    Who is going to support the users on the network?

    Who is going to maintain the network if it has problems?

    Who is responsible for replacing the cards the users buy?

    My advice:

    Let people get their own ISP cable/DSL or phone-line connection. Let either them or their ISP deal with the related problems. No monthly fee would be worth all the headaches or potential legal problems that would result. This is especially true if the apartment manager has little or no networking experience.

  67. on the plus side... by Anonymous Coward · · Score: 0

    You should be able to get a good price for Pringles since you have a reason to buy bulk...

  68. say it with me now by Anonymous Coward · · Score: 0

    PPPOE!

  69. Well bugger me by hayden · · Score: 0, Troll

    First AND second post and both with content. That has to be some sort of slashdot record.

    --
    Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
    1. Re:Well bugger me by Anonymous Coward · · Score: 0

      Almost made a third post with comment... oh well.

  70. Apartment Designs in the future by wilsonjo · · Score: 2, Insightful

    I always get flamed when I post stuff like this but... Throughout college and for the next few years of my life I am going to live in an apartment complex and I really don't understand why newer apartment complexes aren't taking into consideration high speed internet access.

    Run some Cat5 through the walls and build a telephone/wiring closet into each building.

    Then raise the rent about $10 a month which will absorb the cost of a T-1 and a part-time techie. 25 buildings x 12 tenants x $10 = $3000. $1500 for the T-1 connection and $1500 to keep the techie happy.

    Wireless would be great, but I'll agree with the person who posted up above and say there is way too much junk out there interfering with the 2.4 GHz spectrum.

    Flame away....

    1. Re:Apartment Designs in the future by yack0 · · Score: 1

      Not a flame, but just a note to remember how much it adds to the price of the building to put in the non-standard wiring. As much as we like, a lot of builders just don't consider the wires. Even SCHOOLS, where we're pouring money into for tech, don't remember the networks when they design schools - or they woefully underbudget for it.

      An electrician I've been working with tells me that not a single house he's worked on (speculation built house - not custom) has requested cat5. Just a couple telephone drops and some coax for cable. The builders just want to make the most and putting CAT5 into a house isn't worth it to them. And most of the electricians putting in CAT5 instantly turn it into CAT3 as they tie nice knots in it, staple it, wire-tie gun it, and other atrocities.

      If _I_ were building a new building, damn right, CAT5e into every room. Multiple drops. Multiple coax, and conduit to change the cabling as technology changes. But I'm not a builder.

      Apartment complexes don't take the net into consideration because it's not seen as a benefit. It's an expense. And really, how many apartment complexes even care if all the washing machines work. Tell me all your washers work and I'll call you a liar ;)

      Someday, it'll all be like we want it, but not for a while. Sadly.

      --
      -- There is no sig line, only Zuul.
    2. Re:Apartment Designs in the future by figment · · Score: 2

      Good idea, but your numbers are wrong. T1s between 25 buildings = 24 * (line cost of a T1 between them), which is more than $3k already. Frame relay can get it a bit cheaper, but you're not gonna get it under the 1500 you need for profitability.

      The idea works if you have large-occupancy buildings, i.e. 100+; however, doing internet connectivity to an apartment correctly is very hard. There's always going to be like 30 people with their Kazaa [or something like it] on at all times, and that's going to make the connection unbearable. Then there's going to be the IRC dumbass who is getting SYN-flooded for insulting some 1337 h4x0ring group. Then there's .... on and on. Apt. connectivity requires a lot of babying that other clients don't, and that means much lower margins... and a lot of the time it just isn't worth it.

      I spent over a month setting up the architecture to actually do an apt building correctly. Accounting, bandwidth monitoring, priority queueing, rate limiting, etc. This required a rather large infrastructure upgrade. The cost of that plus my labor costs will put us at break-even with the proposal in two years' time. While not necessarily a bad investment, it's a lot worse than your typical insurance company that just wants email and a webpage with their T1.

    3. Re:Apartment Designs in the future by itwerx · · Score: 2

      I'll ask you what I asked somebody else above. :) Could you post more info on your project, or, if you'd rather not broadcast the details to the world, send them to me @ sd-at-itwerx-dot-net?

      Thanks!

    4. Re:Apartment Designs in the future by tzanger · · Score: 2

      Good idea, but your numbers are wrong. T1s between 25 buildings = 24 * (line cost of a T1 between them), which is more than $3k already. Frame relay can get it a bit cheaper, but you're not gonna get it under the 1500 you need for profitability.

      Why route a T1 to every building? If they're close enough you can do quick optical or even PTP wired links. If they're farther you could put unidirectional antennas on some 802.11 gear and do PTP links that way. You only need one T1 up to the bandwidth provider.

      Hell for that matter you could run DSL or cable to each of the buildings and link them together over a VPN but that's increasing your problems (telco/cableco goes down, etc.)

    5. Re:Apartment Designs in the future by csmiller · · Score: 1

      The University of Guelph has built some new apartments. They have 1 Cat-5 point in each bedroom; this is normally connected to your VoIP phone (routed via the University's central switchboard, [call-management/or operator]), but you can use it instead for your ethernet card. It seemed like a geek's paradise, except Guelph is in the middle of nowhere, about 1hr north-westish of Toronto, and it is an agriculture/food University.
      I'm not exactly sure how their stuff works; I spent a week on a mate's floor when I was out visiting him.

      --
      It has become appallingly obvious that our technology has exceeded our humanity. --- Albert Einstein
    6. Re:Apartment Designs in the future by dmarcov · · Score: 2

      Well, no flame here either -- but at least where I live (Bay Area -- and granted, perhaps not typical), all of the newer apartments do have Cat5 running into them.

      Of course, there is a catch. The service was (I'll get to the "was" part in a second) fairly costly, and you had to use that crappy PPPoE client (first on my block with PPPoE, I assure you). However, it was quite serviceable -- until the ISP went under, and apparently it's not cost effective at any reasonable price to get another ISP in here to run data to the jacks. At least there's DSL, but the 10BaseT jacks in all my rooms look really lonely.

  71. Limit your exposure. by fmaxwell · · Score: 1

    I am not a wireless expert by any means, so my words of advice will be from a risks perspective.

    1. Avoid, at all costs, trying to bring everything up at once. Try bringing up a few users at a time. Roll it out slowly.

    2. Manufacturers want to sell equipment. Try to find one that has engineers willing to work with you in designing the network. While manufacturers don't do that for sales of one and two items to Harry Homeowner, they might be a bit more responsive to an apartment development.

    3. Limit your liability. You need to get a written contract with the apartment complex. It needs to spell out that you are not responsible if the network fails to provide adequate bandwidth, security, or reliability.

    4. Item three notwithstanding, make certain that you can provide adequate bandwidth for the entire unit. Recognize that there will be people who download porn, MP3s, and CD images 24x7.

    5. Make sure that the management puts together a rock-solid acceptable use policy. There will almost certainly be residents who will spam and who will set up web pages to sell their miracle herbal viagra. You don't want the entire network to be taken down by the uplink ISP before you even finish deployment.

    6. On a similar note, make sure that the management has a realistic plan for providing the bandwidth. If they are intent on putting 500 units on a single T1 or a cable modem, the project is doomed to failure from the start.

    7. If the project looks hopeless because the customer is clueless, get payment in advance.

    8. Do not purchase ANY hardware with your own funds. Make the customer pay. Don't shell out several grand with the hope that you will be reimbursed.

    9. If you make any design decisions based on information provided by the customer, make sure to document that in "as-per-our-conversation-of" e-mails and/or memos.

    Good luck.

  72. The security solution is... by Rope_a_Dope · · Score: 2, Informative

    802.1x authentication. 802.1x is a port based authentication method that can be backed up to a radius server, or any other type of authentication device. It is based on EAP, and allows an encryption algorithm to be specified to be used in conjunction with a client app, and the server. When manufacturers start sending APs with 802.1x support in the next month or so, this will be the preferred solution for wireless security. Oh yeah, Windows XP already has built in support for 802.1x too. This will be the next round of wireless security, at least until TKIP is deployed.

    1. Re:The security solution is... by Anonymous Coward · · Score: 0

      Unfortunately it has been reported 802.1x is exposed to a man in the middle attack.

  73. How I do it (for my apartment only) by jbf · · Score: 2

    I use an old ThinkPad as my access point. It runs Linux. I assume that most of your clients are going to be running Windows. Anyone else should be clever enough to emulate PPTP.

    I first chose a random WEP key. I don't consider this secure at all.

    I have my ThinkPad play DHCP server (so anyone with the WEP key can get a DHCP addr), and firewall everything other than DHCP and PPTP from the wireless interface. I then use slirp with PoPToP to provide stateless 128-bit MPPE, and assign each windows box a unique password (this is where the security comes from). All real traffic is encrypted; all the user has to do is "dial-in". Of course, everything is NAT'ed; hope that's what you wanted anyways :)

    Obviously this works with 2 APs and one computer behind them.

  74. I only have one thing to tell you. by Neck_of_the_Woods · · Score: 2

    You're about to walk into a support nightmare. Ever heard the term "you touch it, you own it"? Never ever give your time away for free, period. Your free installation will become, in a matter of days, "you touched my computer and now the printer does not work". I am by no means telling you not to move forward with the idea; this has been pushed around a good bit by many people I know. I have even helped build out a full push for a new development. Pulls, switches, and the T's. All pre-wired, DHCP, and the price was included in the rent as a "plus" to moving into the new place. I wish you the best of luck, but figure out how to make your time worth it, because once they get it for free and you have touched "their" system you're going to get pointed at for all kinds of things.

    --
    Neck_of_the_Woods
    #/usr/local/surf/glassy/overhead
    1. Re:I only have one thing to tell you. by Anonymous+Freak · · Score: 1

      Well, I have to assume that (from his wording) he is not going to be doing it for free. He (or another hired tech person) will be paid, it's the apartment complex that will do it for free. Or, probably more technically accurate, the cost will be included in the rent.

      --
      Another non-functioning site was "uncertainty.microsoft.com."
      The purpose of that site was not known.
  75. Hmm.. a wap eh? by dome · · Score: 1

    Just let me know where that's at..I'd be glad to come on over and help you out.

  76. Try DHCP/MAC/SSL authentication by ThomasXSteel · · Score: 1

    It worked for NASA. WEP is worse than useless; it slows you down with (arguably) no benefit (read the whitepaper or download airsnort). Use application/transport layer security when you really need it, like at login time.

  77. He with the biggest anything wins.... by Anonymous Coward · · Score: 0

    Just remember the bigger signal gets the attention of wireless devices on the machines; if someone puts up an access point with a stronger, perhaps amplified signal, gets some tools like air snort, webstumbler, and wepcrack, he could own your network, route all the traffic through his access point, and sniff anything going through.

  78. another approach by itzdandy · · Score: 1

    I'm assuming that this apartment complex has RG6 coax for cable television, and a central location so that the cable provider can administer it?

    Go for cable modems, place a 48 port switch and a cable modem hub, run a DHCP server to make it easy and provide user/password access rights to the internet connection.

    You can make a 10 Mb LAN to provide access AND the possibility of local file sharing.

  79. info needed by yack0 · · Score: 1

    Well, anyone suggesting how to lay out radios or frequencies from what you're provided as info can't know that much.

    " The buildings are arranged such that 2 AP per building should cover all the tenants "

    Well.. ok... so the buildings are one foot wide? To be sure that all the tenants can get signal, you'd probably want to actually do a site survey and detail the results if you're looking for decent feedback.

    Interference between AP:
    It is impossible to tell from the information you've given whether you'll have an issue. It's MOST LIKELY that if you just have two AP, you'll be ok. (one on channel 1, one on 11, happy!)

    Management of hitchhikers:
    Why not a FreeNet? But anyway, get AP that allow you to accept only based on MAC. That'll take care of 99% of the hitchhikers. The other 1% know what they're doing and you probably shouldn't waste your time worrying - they'll just blast your AP with random 2.4 if you cut them off. ;/ (well, I would, but I'm a vindictive bastard)

    Interference from outside sources:

    You can get royally hosed on interference if you're just using off the shelf stuff. You can get hosed by cordless phones, microwave ovens (pop pop pop - the internet is down due to popcorn!), wireless television adapters (check radio shack - they exist at 2.4GHz), and other AP.

    Sure, you can do it, but it'll be RF vulnerable, security vulnerable and might not have the range you think it'll have (but I can't tell cause you didn't even provide the most basic size of complex info).

    If you called me on the phone and asked me for a quote on this, I could not give you that quote before I came out there. I could guesstimate if you told me the size of the complex, but with what I've got now, I couldn't even guesstimate.

    Good luck.

    --
    -- There is no sig line, only Zuul.
  80. something else to worry about: by benjamindees · · Score: 0, Flamebait

    tenants leaving because your half-assed communist plan won't scale.

    I refuse to live in an apartment because the last one decided that it would become a commune and divide everyone's water bills up by, what else, square footage of rented space. One person living in a large apartment paid as much as four Mexicans sharing an economy. When your bosses get the brilliant idea of making this a *requirement*, and everyone's still sharing 11Mb of bandwidth, expect to get sued several times over.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  81. Hehhehheh by itwerx · · Score: 2

    Couldn't have said it better myself! :)

  82. I'd avoid it. by Anonymous Coward · · Score: 0

    Most complexes built in the past 10 years are like Faraday cages. Metal lined insulation, full length mirrors, refrigerators, filing cabinets, etc. KILL 2.4 signal. *MANY* people have tried delivering service to the MDU market using poorly planned wireless systems and have failed miserably. We use 2.4 systems to deliver service to the property in a PtP setup. We then deliver 10Mb ethernet via ethersplit to the tenant units using existing POTS lines. A 10base-T jack in every unit with our label coming back to a linux box running ipchains to enable/disable service based on MAC addressing. It works and costs less than a properly designed wireless deployment.

    thanks,
    tom
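    Cef's point above (MAC-based access control is easy to fake, but MAC ACLs still add a layer) and tom's note here about a Linux box enabling service per MAC both come down to the same operational question: how do you know which addresses on the segment are actually tenants, and which tenant addresses have been cloned? The following is an added example, not code from either poster: a POSIX shell/awk audit of an ISC dhcpd.leases file against a one-MAC-per-line tenant list, reporting active leases held by unlisted MACs and tenant MACs that hold more than one active lease at once (the usual sign of a shared or cloned card). The lease file excerpt, the tenant list, the MAC values and the file paths are all constructed for the example.

```shell
#!/bin/sh
# Audit ISC dhcpd.leases against the MAC addresses issued to tenants.
# Findings:
#   UNKNOWN   <mac> holds <ip>      active lease by a MAC not on the tenant list
#   DUPLICATE <mac> holds <ip> ...  tenant MAC holding several active leases
# Tenant list format (assumed): one MAC per line, '#' comments allowed.

# Constructed sample tenant list (these MACs are made up for the example).
TENANT_MACS_SAMPLE='# tenant cards, issued at move-in
00:02:2d:aa:bb:01
00:02:2d:aa:bb:02
00:02:2d:aa:bb:03'

# Constructed sample dhcpd.leases content. dhcpd appends a new block each
# time a lease changes, so the last block for an address is the current one.
LEASES_SAMPLE='lease 10.0.1.20 {
  starts 4 2002/05/23 01:00:00;
  ends 4 2002/05/23 13:00:00;
  binding state active;
  hardware ethernet 00:02:2d:aa:bb:01;
  client-hostname "tenant-3b";
}
lease 10.0.1.21 {
  starts 4 2002/05/23 01:05:00;
  ends 4 2002/05/23 13:05:00;
  binding state active;
  hardware ethernet 00:02:2d:aa:bb:02;
}
lease 10.0.1.22 {
  starts 4 2002/05/23 02:10:00;
  ends 4 2002/05/23 14:10:00;
  binding state active;
  hardware ethernet 00:02:2d:aa:bb:02;
  client-hostname "laptop-from-parking-lot";
}
lease 10.0.1.23 {
  starts 4 2002/05/23 02:30:00;
  ends 4 2002/05/23 14:30:00;
  binding state active;
  hardware ethernet 00:50:da:12:34:56;
}
lease 10.0.1.24 {
  starts 4 2002/05/22 01:00:00;
  ends 4 2002/05/22 13:00:00;
  binding state free;
  hardware ethernet 00:0c:29:ab:cd:ef;
}'

# Read dhcpd.leases on stdin, print "ip mac" for every currently active
# lease. A block without a "binding state" line is treated as active.
active_leases() {
    awk '
        $1 == "lease"                     { ip = $2; mac = ""; state = "active" }
        $1 == "hardware"                  { mac = $3; sub(/;$/, "", mac) }
        $1 == "binding" && $2 == "state"  { state = $3; sub(/;$/, "", state) }
        $1 == "}" {
            if (state == "active" && mac != "") last[ip] = mac
            else delete last[ip]
        }
        END { for (ip in last) print ip, last[ip] }
    ' | sort
}

# Usage: audit_leases TENANT_LIST_FILE < dhcpd.leases
# Prints one finding per line; empty output means the segment is clean.
audit_leases() {
    tenants=$1
    active_leases | awk -v tenants="$tenants" '
        BEGIN {
            while ((getline line < tenants) > 0)
                if (line != "" && substr(line, 1, 1) != "#") known[tolower(line)] = 1
            close(tenants)
        }
        {
            ip = $1; mac = tolower($2)
            if (!(mac in known)) { print "UNKNOWN " mac " holds " ip; next }
            count[mac]++; ips[mac] = ips[mac] " " ip
        }
        END {
            for (mac in count)
                if (count[mac] > 1) print "DUPLICATE " mac " holds" ips[mac]
        }
    ' | sort
}

# Run the audit over the constructed samples.
demo_audit() {
    tmp=$(mktemp -d)
    printf '%s\n' "$TENANT_MACS_SAMPLE" > "$tmp/tenants.txt"
    printf '%s\n' "$LEASES_SAMPLE" | audit_leases "$tmp/tenants.txt"
    rm -rf "$tmp"
}

demo_audit
```

    On the sample data the audit reports the unlisted card on 10.0.1.23 and the tenant MAC 00:02:2d:aa:bb:02 holding both 10.0.1.21 and 10.0.1.22. A duplicate finding is only a hint, not proof (a tenant swapping the card between two machines produces the same picture), so it is something to phone the tenant about rather than to cut off automatically. For production, pipe the real file in: `audit_leases /etc/tenants.txt < /var/lib/dhcp/dhcpd.leases`.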

  83. External antenna by itwerx · · Score: 2

    This external antenna design sounds interesting. Could you reply to this with more info on how that was done? (Or if you'd rather not share it with the world my email is sd-at-itwerx-dot-net).

    Thanks!

  84. Here's how I'd do it. by Anonymous Coward · · Score: 0

    Set up a reverse firewall to start. Take a standard firewall and flip it around. So you have 100 people on the outside of it. Then use a VPN to tunnel through it. That will keep the hijackers off your case.

    Also if you want, make it so that everyone who does not sign in gets dumped to a default page on the internal network that says "You need to sign in to the VPN before being able to access the internet", then also put in a link to download and reinstall the software (that is if you don't mind the hijackers knowing what you are using; otherwise use a directory on the webserver that only you know about, so you can easily reinstall it).

    Set up your DHCP to assign the DNS entries to the DNS on the other side of the firewall.

    However if you want to make the /.ers happy choose a VPN solution that runs with linux :)

    1. Re:Here's how I'd do it. by Anonymous Coward · · Score: 0

      Oops, forgot to mention something. Make sure to disable file sharing on the user's PC. That way it will keep hijackers from "surfing" the computers at the complex. Make the user sign a form that says you are disabling file sharing and recommend (but won't support) a firewall product to keep other users from trying to access your computer.
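    As an added example (not jbf's or this poster's own configuration), here is one way to express both designs on a Linux gateway with iptables: jbf's "firewall everything other than DHCP and PPTP on the wireless interface" from comment 73, and the "reverse firewall" with a sign-in page from this comment. Interface names (wlan0, eth0), the gateway address 10.0.1.1 and the portal port 8080 are assumptions; PPTP's data channel is GRE (IP protocol 47), so that is opened alongside TCP 1723. Set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Gateway firewall: tenants' wireless segment on one side, uplink on the
# other. Unauthenticated clients can only lease an address, open a PPTP
# tunnel to the gateway, or reach the sign-in page; everything else from
# the raw segment is dropped, and only tunnelled traffic is forwarded.
# All names and addresses below are assumptions for the example.
WLAN=${WLAN:-wlan0}           # wireless side
WAN=${WAN:-eth0}              # uplink
GW_IP=${GW_IP:-10.0.1.1}      # gateway address on the wireless segment
PORTAL_PORT=${PORTAL_PORT:-8080}   # sign-in page served on the gateway

# Wrapper so the rule set can be previewed without root (DRY_RUN=1).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_wireless_rules() {
    # Clean slate, default-deny for traffic to the box and across it.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # What a client on the raw wireless segment may talk to on the gateway:
    # DHCP, the PPTP control channel, its GRE payload, and the portal.
    ipt -A INPUT -i "$WLAN" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$WLAN" -p tcp --dport 1723 -d "$GW_IP" -j ACCEPT
    ipt -A INPUT -i "$WLAN" -p 47 -d "$GW_IP" -j ACCEPT
    ipt -A INPUT -i "$WLAN" -p tcp --dport "$PORTAL_PORT" -d "$GW_IP" -j ACCEPT

    # Any other web request from the raw segment lands on the sign-in page.
    # Tunnelled traffic arrives on ppp interfaces, so this never touches it.
    ipt -t nat -A PREROUTING -i "$WLAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$GW_IP:$PORTAL_PORT"

    # Only traffic inside a PPTP tunnel is forwarded and NATed to the uplink.
    ipt -A FORWARD -i ppp+ -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Apply only when explicitly asked (as root): sh gateway.sh apply
# Preview with: DRY_RUN=1 sh gateway.sh apply
if [ "${1:-}" = apply ]; then
    apply_wireless_rules
fi
```

    The point of the layering is that the MAC/DHCP layer only decides who gets an address; the tunnel decides who gets Internet, and the portal redirect exists so a tenant whose VPN is not up sees an explanation rather than a dead connection. Nothing from the raw segment is forwarded, so a hitchhiker who obtains a lease still has nowhere to go.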

  85. Re: Packet loss with congested 802.11b areas by nomel · · Score: 1

    802.11b NICs do not "remember" the last channel that someone transmitted on... so if there are many NICs or APs, the NICs have to process all of the data they see and filter what is meant for them and what is not, so packet loss will actually occur. This is a problem that we have at the employer I work for. We have many access points and NICs, and they just crawl when there is a lot of activity, and packet loss does occur. I know that there are people researching this, but it would require either changes in the standard, or changes in the hardware that might not lead to compliance with the standard...

    This may be similar to what he is talking about...

  86. re: WLAN for Apartment complex by Doc+Wireless · · Score: 3, Informative

    Hello Cliff: While I have never posted on Slashdot I felt compelled to register and reply. PLEASE READ THIS CAREFULLY. Allow me to explain that I am a network consultant and have learned the hard way on wireless--very hard and many sleepless nights. My first WLAN installation reminds me of where I think you may be right now, but I had done six months of research and had had endless hours of conversations with engineers from several manufacturers.

    Before we get to the problems I had, let's start with what you have missed overall: a site survey. NEVER even agree to take on a task like a WLAN unless you have done an extensive site survey. First, you will need blueprints if possible or will need to take fairly exact measurements of each apartment, know materials used in construction etc. You'll also need to have floor plans and more. That said, you should then know the maximum number of users and throw all the specs the manufacturer gave you out the window as regards range, distance and APs required. And, I am assuming you will have over 20 users. In two different buildings?

    Don't go with consumer grade stuff like SMC for the APs. SMC is the best of it but still lacks signal strength in many installs. Go with Cisco for APs and routers, and ONLY Orinoco Gold cards for laptops and equivalent for desktops. You'll also need a portable spectrum analyzer and know how to interpret the data it provides. Not sure if they can be rented but I paid $3,000 for mine and it was a deal. You'll need to set up the APs and then go to every location and check SNR etc.--and record all the data. There's a mountain of paperwork on a project like this, just for the site survey alone. After that's done you will still need to go to each apartment with a mid-range laptop and again record signal strength etc. There will be dead spots, and God only knows where a tenant will put their PC.

    Now, you will have to roam about again with the spectrum analyzer AND a laptop to look for both multipath interference and to check for other 802.11b nets in the area. And did I mention if you are in a congested urban area or near a university or hospital you will also need to contact the admins at those institutions and hope they will cooperate and give you a map of their devices, antennae and locations? They generally will but may not even know where it all is if it's a large institution--and that can be yet another nightmare to solve.

    And, forget about promised scalability. Most APs will really only handle 10 users or so, especially the consumer grade gear. At least unless things have changed drastically since November of 2001, my last nightmare install. You also have another problem: lack of a homogeneous hardware environment. On the Nightmare Project 2001 (as I call it now) I had some PCs that never worked right if at all on the WLAN (30 users in one university residence, off-campus.) I spent an average of 8 hrs a day on the phone with high-level engineers from Cisco and SMC. Both companies were good but had to admit at times they had no idea why some problems happened. And I had their home and cell phone numbers. I know. Was dealing with a mix of Macs, Linux boxen and Windows PCs running anything from 98 to XP. And some were old Gateways, others new Dells. Gateways were the worst.

    Forget about the idea that your big worry will be with other 2.4 GHz devices. Microwaves and phones have seldom been a problem for me on a project unless within 6 ft of the AP or wireless NIC. One stark exception is Panasonic phones, but this is a known issue for professionals. I am NOT anti-wireless but do think you should know that the obstacles you face are severe. I do this for a living and can say that I would not take on a project like this unless I had a very tight contract (you do have a lawyer, right?)

    CAT 5 and other options are cheaper and more reliable--and I haven't even touched on servers or security issues. Wireless is NOT cheaper, is more difficult to roll out and is a real headache--especially in historical buildings and those "impossible to wire" locations. I still do a lot of it but only for corporate installs where I have an open floor plan and decent line of sight. I also refuse to do an install now unless I know the company has skilled admins and will allow me indemnification. Do what you like but don't go into this believing all you have read from manufacturers or home users. Hope you don't have to learn as painfully as I did. OK to email me at wavelanexperts@yahoo.com and I will be happy to chat on the phone or get you my real email. Good Luck!

  87. Re: WLAN for Apartment complex by Doc+Wireless · · Score: 0, Offtopic

    Yikes! First post. What happened to my paragraphing? Surely was there when I wrote it all. Apologies. Guess that's what I get for using an XP box I'm testing for a client.

  88. Don't be stupid. by Anonymous Coward · · Score: 0

    Don't be stupid. Take the time and HARD wire in some access points to each apartment. It sounds hard but it's not. In addition it's way cheaper than you think. Wireless is too insecure now. You will be compromised within a couple of days. Trust me. I don't care what vendors say about their security. I have done a lot of research on wireless. Like another person said, "...be very afraid" of lawsuits. You WILL be COMPROMISED.

  89. How about. by Anonymous Coward · · Score: 0

    Drop the wireless and go for "roll your own" DSL.
    http://www.epinions.com/Paradyne_Hotwire_8800_DSLAM_1_to_72_Ports_48VDC_Ready_SNMP__Bridges___Routers/display_~larger_image

    There's one right there. For about 4 large and some change you get a 48 port DSLAM.

    If you want to raise some fundage, post a notice that you are going to implement this and say that the first N people to sign up get 6 months free if they pay 50$ now and are willing to wait a month or two.

    1. Re:How about. by Anonymous Coward · · Score: 0

      http://www.pbs.org/cringely/pulpit/pulpit20010823.html

      Formerly on Slashdot. Cringely on rolling your own DSL

  90. Authentication - use an AP with integrated access by Anonymous Coward · · Score: 0

    Check the public access point by Colubris.

    They claim it is the world's first access point with authentication.

    Worth a look.

    Then it's only users with stupid passwords you have to worry about & not MAC spoofers.

    http://www.colubris.com/en/products/public_access/CN3000/

  91. Some Points by banadushi_ · · Score: 3, Informative

    I am in the process of developing a city-wide wireless network. Here are some of the things I am doing in my lab to prepare for rollout.

    1. PPPoE
    Yes, it's annoying to users, and I'm not too fond of it myself, but it is a hell of a lot better than any other auth method, IMHO, and it allows me to do some cool stuff with radius.

    2. Amps are your friend
    Most interference can be weeded out just by drowning it out. Pick a channel, and stay with it; when and if you have problems with interference, amp it. Other devices that don't need as much of a spectrum in the 2.4 range, such as phones, will just look for another clearer channel. At the ITECH I beamed a signal into the convention center from a nearby hotel and ran an IP phone over it. I found out the morning of the show that lots of other people were using wireless inside the building; I just ran up to the roof of the hotel and stuck on an amp, and bamo, 11 Mbps, nailed.

    3. Channel Selection
    Most devices I've played with will default to either channel 1 or 6; put your signal on a high number like 9 to avoid killing your clients' internal wireless networks.

    4. Saturation
    The one concern I had is saturation; with only 11 Mbps on 802.11b several power users could suck up a lot of that. I would expect that more technical clients will realize that they are on an ethernet segment together and start setting up shared folders for their buddy 2 doors down so he can get all of his mp3s/porn. With enough users it could turn into a problem. I am remedying this by creating a backbone of 802.11a and then distributing it with 802.11b.

    just my $.02

  92. Linux wireless access point with a single PCMCIA by DrD8m · · Score: 1

    This is a must read article to configure a wireless PCMCIA to act like an access point on Linux.
    Spanish
    French

  93. Free-Include it in the rent by Anonymous Coward · · Score: 0

    It's not free if you have to put the rent up to pay for the equipment.

    Free trials and rentals are a great way to get new users but someone at some stage has to pay for the equipment. Even a government grant is indirectly paid for through taxes.

    If someone bought a point out of their own cash and provided free access then that would be cheaper but you still need to buy a WAN card.
    Daniel

  94. wwc?? by IcEMaN252 · · Score: 1

    Forgive my ignorance, but wwc?

    --
    CitrusTV (http://www.citrustv.net): the Nation's Oldest & Largest Entirely Student-Run Television Station
  95. PPTP concerns by Anonymous Coward · · Score: 0

    It's not the protocol at all

    It is, according to some people...

  96. Re:Some Points (be careful with amps) by myrashka · · Score: 1

    2. Amps are your friend

    Yes - they are your friend - but only if they're legal. Just because 802.11 and other 2GHz devices are unlicensed doesn't mean you can be lax on the technical and legal requirements.

    In the US, FCC regs require that Part 15 devices (most of the wireless devices out there) be certified as systems. This means you can only add an amp if it's certified to work with the system (both the wireless bridge AND antenna) you're amping. Many of the common vendors don't have such certified amps, so you're stuck. (I've most commonly found certified amps for Orinoco and higher end products like alvarion - but rarely seen certified ones for SMC, Cisco or the likes).

    Don't forget your power calculations as well - depending on your band, your amp can only boost power _to_ a specific level (30 dB or 1 watt total on Part 15 2GHz devices). If you have a bigger antenna, then you may have to reduce your amp power (e.g. in many cases, it's against the law/regs to amp an 802.11 device with those grid dish antennas).

    Also - amping things to drown out interference is akin to shouting louder on a bus to talk "over" a conversation between you and the receiver. Sure, it works, but then you become the interference. You might even convince someone else to shout louder than you. While it's true Part 15 devices must accept any interference, amping up your connection to drown out others could be against the regs (as general rules state no purposeful interference is permitted... there are cases to support this position). If you amp to "drown out interference", it could be construed as purposeful interference itself (especially if your amping results in drowning out licensed devices in the same band - remember THEY have the priority (Part 18)).

    Amps are best used to support "weak" connections - not to handle interference. Believe it or not, most 2GHz devices (even the phones) can be made to play nice. With a little careful planning and design, proper knowledge, and coordination, most, if not all, interference problems can be handled _without_ amping.

  97. Re:You people suck...n00baphobes by Anonymous Coward · · Score: 0

    Anonymous Coward Here....
    SF will die in North America.

  98. Hey, I registered! by jazzbotley · · Score: 1

    Ok, I'm back ... no longer an anonymous coward. Here's a public answer to the private emails I've received so far:

    Here's the recipe from NASA:

    OpenBSD 2.9
    ISC's DHCPD 3.0
    Apache/OpenSSL
    PHP 4.x
    Some network-based authentication (we use RADIUS)

    I wrote a note to Boscia (the author of the white paper) and she directed me towards server/mdb.c in the DHCP source code -- whenever the DHCP lease changes state from active to free or abandoned, call the "remove firewall rule" function.

    slank's post is a little misleading. We allow ANYONE to grab a lease from DHCP. The trick is, you don't let them route outside the wireless subnet until they've presented login credentials to your HTTPS web script. Then, via DHCP's logs and the web script, you now have: username, MAC address, IP address, computer name. Throw all that with a timestamp into a log and you have accountability.

    Best of luck! Jeff underscore Wilson at baylor dot edu

    Regards,
    Jeff Wilson
    Baylor University
    Waco, TX
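As an added example (not code from the post or from the NASA white paper it cites), here is the accounting side of that recipe in Python: DHCP lease state changes and successful HTTPS logins feed one object that holds the per-client allow rule and the username/MAC/IP/hostname audit trail. The firewall call and the RADIUS password check are assumed to happen outside this class; the class, its names and the sample values are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# dhcpd lease states on which the post's hook removes the firewall rule
REVOKE_STATES = {"free", "abandoned"}


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str


@dataclass
class PortalGate:
    """Ties DHCP leases, HTTPS logins and allow rules together (hypothetical)."""
    leases: dict = field(default_factory=dict)   # ip -> Lease (active only)
    allowed: dict = field(default_factory=dict)  # ip -> (mac, username), the 'rule'
    audit: list = field(default_factory=list)    # accountability records

    def _log(self, event, **fields):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        kv = " ".join(f"{k}={v}" for k, v in fields.items())
        self.audit.append(f"{stamp} {event} {kv}")

    def dhcp_event(self, mac, ip, hostname, state):
        """Feed every lease state change here (from dhcpd logs or a hook)."""
        mac = mac.lower()
        if state == "active":
            self.leases[ip] = Lease(mac, ip, hostname)
        elif state in REVOKE_STATES:
            # Lease is gone: drop the rule so the next holder of this IP must
            # log in again instead of inheriting someone else's access.
            self.leases.pop(ip, None)
            entry = self.allowed.pop(ip, None)
            if entry is not None:
                self._log("rule-removed", ip=ip, mac=entry[0], user=entry[1], reason=state)

    def login(self, ip, username):
        """Called by the HTTPS script once RADIUS (or similar) accepted the password."""
        lease = self.leases.get(ip)
        if lease is None:  # no active lease: this address was not handed out by us
            self._log("login-rejected", ip=ip, user=username, reason="no-active-lease")
            return False
        self.allowed[ip] = (lease.mac, username)
        self._log("login", user=username, mac=lease.mac, ip=ip, host=lease.hostname)
        return True

    def may_route(self, ip, mac):
        """Forwarding decision for traffic leaving the wireless subnet:
        IP and MAC must both match the pair recorded at login time."""
        entry = self.allowed.get(ip)
        return entry is not None and entry[0] == mac.lower()
```

Recording the MAC alongside the IP at login time is what lets a lease expiry revoke access cleanly: a different card that later receives the same address is not routed until its own user has logged in.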

  99. Use IPSEC or Kerberos with *at least* 1024-bit ke by mallo · · Score: 1

    An apartment with a 100 foot radius? Enough of the wireless stuff, I want to know how he heats the place.

  100. Testing for interference by IIRCAFAIKIANAL · · Score: 1

    Is there a cheap way to determine if a wireless network would be feasible in a given environment (ie/ measure possible interference)?

    --
    Robots are everywhere, and they eat old people's medicine for fuel.
  101. Re: WLAN for Apartment complex by Anonymous Coward · · Score: 0

    You know, what I find funny is that you are blaming your lack of HTML skills and a complete lack of understanding as to how slashdot posts are formatted to an "XP box" problem. Given these simple skills, or lack thereof, your entire post is of questionable quality.

  102. Some things to add,... by Mikeytsi · · Score: 1

    Since I've actually done this before, I've got some other things you need to look at.

    1. Proper coverage. There are lots of nasty things in apartment buildings that block signals, or attenuate them to the point where the connections get really lossy. You'll have to blanket the hell out of the area to get reliable connectivity, and then you'll run into crosstalk problems.

    2. Using a wireless solution will also mean an increase in latency. This will give people problems when playing online games.

    3. Quality of equipment. I'm sure you've thought about this already, but while Linksys and most of the other wireless vendors are great for peer-to-peer wireless, they're going to suck for the kind of solution you want. I'd suggest Cisco or Lucent.

    4. Expect problems. We attempted several wireless-to-desktop solutions, and none of them worked very well. We ended up scrapping them in favor of either wireless backbone, or trenching cable. It's also a real pain in the ass to do reliable wireless to a large area over public band, since there's so many things that operate in there and there's so many restrictions on how high you can boost the power on your signal.

    As you mentioned, interference is a major problem. You'll run into all sorts of stuff that'll kill the signal.

    If what you want is good, fast service, you've got a couple of options. Personally, I'd scrap the wireless-to-desktop idea entirely, run a DSL-over-telco solution, and stick the DSLAM for the DSL in the telco room. This will prevent people from stealing service, since you can have direct control over what ports are active. This is only really viable if you have a central demarc for all the phone lines on the property. An option if you don't have a central demarc is to run your own home runs to create a demarc (trenching cable is cheap, in most cases cheaper than the wireless solution would cost). You can then patch the wires that you had run onto the existing lines in each building, and get the service going that way. Another option is to mount mini-DSLAMs at each building at the phone terminals (I know Tut Systems, for one, makes these), and run either an ethernet or wireless backbone to a central point where you have the uplink circuit.

    --
    I've been called a "Fucking Dick" by better people than you.
  103. Fairly Simple by smammon · · Score: 1

    I helped found an ISP based on 802.11. Been there done that.

    As stated above - put your access points on opposite ends of the spectrum. Use WAP. Stops the casual observer (and this isn't a military installation after all). Any financial interaction your tenants have should be done with the protection of SSL or some other scheme anyway - that's their problem.

    For access control, DHCP/MAC again stops the casual moron with a PowerBook. For net access, set up a proxy server and require login/password authentication to get out. Squid handles this nicely. You can then also do things like porn filters and such based on login (if you want to go down that road).

    As far as interference goes, we have run multiple different 2.4GHz networks and wireless phones in the same room - 802.11 works every time. If the signal is already running at 1mb and you have strong "near field" interference (cordless phone right next to the AP), you will drop a significant portion of packets.

    Oh, and just bite the bullet and use Lucent/Orinoco cards and access points. We've tried em all. Lucent rules the roost.

    --
    "Smile, listen, agree, and then do whatever the fuck you wanted to do anyway." ~Robert Downey Jr.
  104. Re: WLAN for Apartment complex by Anonymous Coward · · Score: 0

    Please pay no attention to the other AC ass who replied earlier. To answer your question, the default /. posting format is HTML, which means that you ought to mark paragraphs with <P> ... </P>, although you can get away with simply separating them with <P> markers. And don't fail to take advantage of the preview button.

    Welcome to slashdot, and thanks for the informative first post.

  105. Seamless roaming and wireless hops by MobileDude · · Score: 0

    Go with a company that has dual radio capability in one UAP so that you don't have to run Cat5 cable. Also, if I was a tenant, seamless roaming would be a requirement.

    www.intermec.com

    Look at their 210x series; especially the 2100 for outdoors.

    --
    10 MD .\crash 20 CD .\crash 30 GOTO 10
  106. Re:You people suck...n00baphobes by Anonymous Coward · · Score: 0

    Okie Dokie.

    Um, what the hell are you talking about?

  107. Re: WLAN for Apartment complex by Anonymous Coward · · Score: 0

    PLEASE READ THIS CAREFULLY Allow me to explain that I am a network consultant and have learned the hard way on wireless--very hard and many sleepless nights.

    snip

    OK to email me at wavelanexperts@yahoo.com

    I understand that you may have a yahoo email address for privacy reasons, but the fact that it is related to your "professional" area of expertise is a bit suspect. Do you often give out anonymous wireless networking advice?

    I don't necessarily disagree with everything you say.

  108. Solution to interference problem: 5GHz by Anonymous Coward · · Score: 0

    Many have mentioned the problem of interference around 2.4GHz from cordless phones, microwaves, etc. As I see it, the best solution to this (and with future capacity in mind) is to go with 802.11a instead of 802.11b. It operates at around 5GHz and has much higher bandwidth (~60 Mbps). The only drawback right now is that it costs more and only one company I know of sells them yet (D-Link).

  109. Re: WLAN for Apartment complex by Doc+Wireless · · Score: 1

    Hello:

    You are correct about the yahoo address being used for privacy reasons. I'm not sure why you think the address is a bit suspect, unless you imagine that I might be seeking to sell products or services--which I am not. I feel that solicitation of goods or services on a site like /. is reprehensible.

    I live and work in a metro area of 500,000 residents and have all the work I need locally. Any projects I take on outside of my local area are due to referrals from one of several wireless vendors. Now, you ask if I often give out anonymous WLAN advice. I do so when I have time, but felt especially compelled to reply to the original poster. What I got from the subtext of his post is that he might be young, have some experience in networking but obviously little to none in wireless. Without the site survey and a good contract drawn up by a lawyer he would be headed for certain disaster.

    Even more important to me was the fact that the type of install he proposes is perhaps the most difficult of any to implement. Just thinking about the problems one faces on that sort of rollout makes me want to grab a beer.

    Lastly, I am an open source advocate. That said, I feel obligated to help others when I can if the issues are within my area of expertise and do not result in any conflicts with clients or vendors. Many others in the community have been giving of their time and skills, so I like to do my part when I can. I hope this alleviates any concerns you may have.

    Kindest Regards,

    Doc

  110. Re:Use IPSEC or Kerberos with *at least* 1024-bit by undie · · Score: 1

    True AP mode with Orinoco cards under Linux? Can't be done as far as I know. You must be in ad-hoc mode. FYI, actual AP mode with an Orinoco can be done in Windows with the Lucent driver and some undocumented registry settings - for details look here

    The only cards that will do actual Access Point mode under Linux are based on Prism2. The HostAP driver provides full AP mode including offloading WEP to the CPU (128 bit WEP on a 40 bit card!), MAC filtering, and lots of other fun stuff. Works beautifully. Check it out here

  111. 802.11 by Anonymous Coward · · Score: 0

    First off, there are only three effective channels with 802.11b: 1, 5, and 11. All the other channels overlap these three. You should avoid overlapping the same channel in the same area, as it will cause interference. As for security, just inform the users that the connection will be relatively fast (assuming you are not just buying a DSL line for the whole complex, in which case I, as a user, would buy my own damn DSL line and wireless AP), but not secure.

    WEP is bullshit; how secure is something when you have to give the keys to everyone? Not very... Tell the users that they should ensure that their email accounts are using some kind of secure password authentication scheme. As for people reading my mail, I don't care that much. I use PGP when I do.

    To keep freeloaders off the network, MAC address filtering is the way to go. Also, the Lucent/Avaya APs support 802.1x and RADIUS. Get yourself a Cisco 3550 L3 switch to connect your APs up; I believe that you can set up MAC address filters on it. If someone complains about not being able to get on the network, check out the MAC address tables to see which ports that MAC address has been seen on and track down the perp.

    IMHO

  112. How to deal with the security problems :) by weirdal · · Score: 1

    I found this interesting piece of text on NASA's homepage. You should especially follow the link at the bottom of the text (this one)

  113. circular polarity by Anonymous Coward · · Score: 0

    Go to www.turbowave.com; these antennas (slh10 and 12) use circular polarity at 2.4GHz. No need to peek through windows: just put one on each building and each person has one pointing at it.
    I've seen these little beauties providing wireless with one antenna pointed down into a 3 story building. And you don't have to hike a mile or two for line of sight. The circular polarization goes through (especially at close range) buildings and vegetation.

  114. can you resell dsl i thought dsl was illegal to by atapi · · Score: 1

    I don't think anyone's agreements with their ISP allow for the reselling of DSL service. Any thoughts?

  115. Re:Use IPSEC or Kerberos with *at least* 1024-bit by SailFly · · Score: 1

    Yes, that's right, I'm using Ad-Hoc. Sorry for any confusion. I meant that I'm using the old laptop as a wireless interface to my roaming laptop.