Slashdot Mirror

← Back to Stories (view on slashdot.org)

Building a Wireless Network for an Apartment Complex?

Posted by Cliff on from the wave-of-the-future dept.

itwerx asks: "I've been asked to design a wireless infrastructure for an apartment complex. Tenants will pay an 'access deposit' and a monthly surcharge to get a PCMCIA/PCI/USB network card along with free installation and, of course, wireless Internet access. The buildings are arranged such that 2 WAP's per building should cover all the tenants (one WAP per side, far enough away to get line-of-sight through the windows). I do have a few concerns, however. All help is appreciated and when we're done we'll put up a HOWTO!"

"My concerns are the following:

  • Interference between WAP's (there's several buildings) - there are enough channels if we go 802.11a but cost is a concern.
  • Management of 'hitchhikers' - we're planning on manual assignment via DHCP/MAC address for tenants with others having all their HTTP requests get directed to an info page. Anybody done something different?
  • Interference from WAP's and other devices that may be owned by tenants! Should we just avoid the default channel and hope for the best?!?
What other things might I need to worry about?"

10 of 294 comments (clear)

  1. MAC Address/DHCP by dbarry · · Score: 5, Informative

    mac addresses are fairly easy to spoof (at least in OpenBSD), and any two-bit prism based sniffer can tell the mac addresses of other nodes on the network. It would probably be better to go with a different scheme, such as login/passphrase authentication, rather than MAC address. I know UC berkeley is using some sort of program like that check out Calnet

  2. Answers by LowneWulf · · Score: 5, Informative

    - 802.11 manages devices in a friendly way, and is designed specifically to play nice with lots of other 802.11 devices in the area. In fact, infrastructure networks assume it WILL work that way. Put your entire complex on one SSID and one channel - each WAP will form a BSS, and devices should seamlessly roam between them.
    - Other peoples' devices shouldn't interfere with yours unless there is a LOT of devices. If they do, too bad for them, they can choose a new channel. Or you can choose a new channel. But it shouldn't be a problem unless there's a ton of networks.
    - I would suggest leaving your network entirely open (no WEP, etc.) then putting a router at the edge which authenticates MAC/IP addresses, provides DHCP, and only routes those who enter a password of some sort. This leaves the internal network open to hackers unfortunately, but WEP management for an apartment will be hell, and the alternate solutions all tend to be non-standardized.

  3. Wi-Fi by dsmey · · Score: 5, Informative

    I am an assistant network engineer at a large midwestern university. Currently, like you we're in the process of figuring out how to deploy wireless access points. Our campus's Engineering Computer Network let us borrow a mobile testing appratus that has a WAP and an Antenna on it (looks like a camera tripod). We take it to different parts of our residence halls and, with a laptop, we take SNR readings from different parts of the surrounding rooms and record our measurements on the building blueprints. We figure we need about 6 WAP's to sufficiently cover the lounge areas of the older dormitories (with their steel and concrete infrastructure), but for your sake 2 WAP's should sufficiently cover a medium-sized apartment building and more. We also plan to cover several large outdoor areas, a library, and our Union right off the bat. The equipment we are using is Enterasys Roamabouts ($1000 a pop), [link] and they are highly configurable and have a ton of management features. We figure each WAP will get connected to a switch port on the Cisco Catalysts in our buildings. So far, we haven't done much in terms of the deployment because it is a long process, where the Physical Facilities department has to do the actual installation of the equipment, data jacks, etc. I assume in your case you can better coordinate this without all the red tape. We figure that by the time these are all installed and our userbase is well-informed of the network, we will have a great system that will scale to thousands of students and staff in the future.
    http://www.purdue.edu/ITaP/projects/wireless.shtml

  4. Our experience by The+Ape+With+No+Name · · Score: 5, Informative
    We deployed the largest campus wireless (to date) network here. Which involved a lot of the issues you bring up and then some. Was it a pain? Yup. Did we have to backtrack and reengineer (esp. security and client access)? Yup. Check out this stuff for some info:



    I hope this helps. Our wireless guys pulled this off in 130 buildings over a several square kilometer area. Good Luck!

    PS. Cracks about Redneck Rocky Top and such ilk should be modded -1! ;-p
    --
    Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
  5. Re:Karlnet by Benley · · Score: 4, Informative

    I've worked with Karlnet's stuff. It does work as advertised, but in my opinion it is not at all worth the cost (something like $500 per base station *for the software* and $25 per client). In addition, I have never ever seen their Linux driver work. They supposedly came out with a new one recently, but I haven't heard good reports about it either.

    Aside from all of that, Turbocell does do some neat stuff: bandwidth throttling on the client end, key-based authentication, and it supports hidden nodes on wireless networks. It seems more suited for "wireless ISP" type of arrangements than smaller rigs as described in the article.

    To Karlnet's credit, they also now have a $75 version of their firmware that goes on an RG-1000 and allows for one or two wired ethernet devices. Still more than I prefer to pay for such things. And of course, your milage may vary.

  6. IPSEC by SealBeater · · Score: 5, Informative

    I don't know if it's been mentioned, but I would use IPSEC if I were you,
    simply because 802.11a/b sniffing is trivial now and mac address spoofing is
    even easier. Also, I would probably recommend against going with an
    established commercial wap product, as they all almost definately aren't going
    to have the flexibility you need in the future and are probably way too
    expensive. I would roll a couple of OpenBSD boxes with wireless cards, that
    way you have an all in one solution with lots of nifty stuff like traffic
    shaping per mac, monthly bandwidth accounting capablities via pf, syslog, and
    tons of other stuff that commercial vendors just don't offer. And I do mean,
    don't offer, regardless of price. This page
    offers a good howto regarding ipsec on openbsd and this page
    give a pretty good read on replacing wep with ipsec on openbsd as well. Good
    luck.

    SealBeater

    --
    -- Its survival of the fittest...and we got the fucking guns!!!
  7. Use IPSEC or Kerberos with *at least* 1024-bit key by SailFly · · Score: 4, Informative

    I setup a small AP in my apartment, only used by me, so far ;)

    I used an old 486 laptop running Linux 2.4.18 (RedHat base) with an Orinoco Silver card, using 40-bit WEP (which to a cracker, is slightly inconvenient at best) and IPTABLES, MAC filtering with IPSEC 3DES and 1024-bit keys.

    Be sure to use some kind of encryption better than WEP (like Checkpoint VPN, IPSEC, etc.) otherwise, it's only a matter of time before your users' account info is stolen.

    Also consider the kinds of antennas used on the AP. I actually bought the 3 dB loop antenna (size of a 10" plastic ruler) but I don't even need it within my own apartment (100' radius). I use both 2.4GHz phone and microwave with no major problems in my access. Mind you, I'm not using the link for heavy-use or Internet/media streaming. Here are some links to sites that helped me:

    Good luck with it, please post a link to your HOWTO when you get it running!

    --
    Suncoast Linux - Sarasota, FL
  8. Re:Karlnet by snoig · · Score: 4, Informative

    Having used Karlnet quite a bit, I can say that they do offer products that work well for this application. I worked for a wireless ISP and we used Karlnet exclusivly.

    Having already gone through what you are attempting to do, here are a few tips.

    1. Use a DHCP server. Otherwise, you will be getting calls all the time about how to set up DNS, IP's etc. It's a nightmare.

    2. Line of site through a window doesn't always work well. The glass tends to refract some of the signal. If you can align the antenna parallel to the window it will work. Also, it doesn't necessarly have to go through a window. 2.4 GHz will also go through wood and sheetrock to a certian degree.

    3. It works best when you can mount the antenna outside and point it straight at the tower. People are less likely to mess with it then.

    4. You may think that you have three clear channels but many companies are using this spectrum now. If you are in an urban area, you will probably find that someone is already using some or all of these channels. Check before you spend a lot of money on equipment.

    5. Keep your signal levels high. When we started, we would hook up customers with an 8 dB signal to noise ratio. As time went on, the noise floor came up and we had to devise new methods to keep customers online. If you can't get at least a 15 dB S/N ratio, don't even bother hooking them up.

    6. Keep your antenna cables short (usually LMR-400). This is usually your bigest sorce of signal loss.

    The company I worked for eventually came up with a design where the radio card was mounted on the back of the antenna outside the building. Cat 5 cable was run to the antenna with power injected onto the unused pairs. This design works well because the signal is converted directly to 10-BT at the antenna with minimal signal loss. Since the entire unit is outside the building, there is much less interference from microwave ovens and cordless phones.

    Good luck.

  9. Re:Don't bother with WiFi... by insomniak1 · · Score: 4, Informative

    Here are a few truths about 802.11b gear (and a couple of tips):

    1) 11mbit/sec actually turns into about 5mbit/sec because of error correction. (if I remember correctly, the 802.11b standard does errorchecking in a manner where it sends 12 bits and half of that is check sum.)

    2) The top speed of the wireless wan is affected by the number of people on it. Just because each client connects to the AP at 11mbit/sec, it doesn't mean that the 11mbit will be guaranteed speeds.

    3) you'll most likely require more than a 'couple' of access points to achieve building-wide coverage. Even the number of people in the facility that you're trying to cover affects the cell coverage size. (water absorbs and reflects RF - make sure you keep that in mind if you have plenty of foliage in and around the buildings.)

    4) load-balancing is possible, but I've only seen it with the higher-end gear (ie. ciscos, etc.) That'll help with multiple people.

    5) RF is prone to SERIOUS interference and even the waves are affected by the structures. This is very evident when you are a few metersaway from a radio (not line of sight) and you get a strong signal, then suddenly you walk into a RF null. not fun.

    6)Make sure you use decent antennae (and make sure that the radios can handle the power requirements of the antennae you're using.)

    7)Make sure that your cables and the like are properly made if you're doing them youself. If your cables suck, your signal will go to hades.

    tip: make sure you have secure authentication systems and xmission security. it's no fun when someone gets 'smart' and steals free bandwidth... or worse, account data.

    tip: make sure you have something there that can protect your arse should something REALLY go wrong with the network. Hell hath no fury like a geek bereft of network access.

    tip: take the time to do the surveys. If you do proper surveys, you will be a much happier person in the long run.

    Anyhow -- There you go. I'm sure there's some more stuff I missed. Let's hear them. :)

  10. Re:Just wire the buildings. by figment · · Score: 5, Informative

    Yes.

    It really is the party-pooper solution, as it's so low-tech, but when we priced it out, for most buildings Cat5 wiring is cheaper.

    Depending on what kind of walls you're working with, (drywall vs. brick, etc) i've gotten quotes from roughly $30-100 per drop in an apt. Add to that $40/port for a good switch, and you're looking at $140 per room. And good cat5 contractors will give you some ungodly long warranty, on the order of tens of years.

    Contrast this with 802.11. You have to pay for multiple APs (500~2k each depending on what you want/need), then you either have to a) pay for the 802.11 card for each pc and have the tenants pay a deposit (which was ~150ish when i priced them out, 100ish if they had a laptop) or b) force the tenants to buy their own. From doing some informal surveys and asking around, the latter wont work.
    Then you have the line-of-sight problem (the computer has to be kinda near the window for them to pick anything up), the rf interference issue, and other funky stuff rf physics stuff. Not to mention you're on most likely a 1yr warrenty, and have to deal with helping people get their wireless card working, which can be a huge pain in the ass as likely they'll be using one of those pcmcia-pci slot converter things.

    Furthermore security-wise, you honestly cannot beat having a plugged vs. not-plugged-in port, thus you can assure people are not stealing your service... A good switch will tell you what mac addresses are coming from what port, so with some good accounting on the side, you can tell exactly which apt has a hub and is sharing with their neighbors, etc. It also makes catching troublemakers (and there will be some, trust me) a lot lot easier, as you can pinpoint it to the room, not just to a mac address.

    I more or less planned/ran a campus apartment project like this, and we did at first also seriously consider the 802.11 alternative, but quickly threw it away as we realized that a) it was going to certainly cost more long-run in labor than cat5 would,and b) it most likely wouldnt save us money upfront either.