Slashdot Mirror


Building a Wireless Network for an Apartment Complex?

itwerx asks: "I've been asked to design a wireless infrastructure for an apartment complex. Tenants will pay an 'access deposit' and a monthly surcharge to get a PCMCIA/PCI/USB network card along with free installation and, of course, wireless Internet access. The buildings are arranged such that 2 WAPs per building should cover all the tenants (one WAP per side, far enough away to get line-of-sight through the windows). I do have a few concerns, however. All help is appreciated and when we're done we'll put up a HOWTO!"

"My concerns are the following:

  • Interference between WAPs (there are several buildings) - there are enough channels if we go 802.11a but cost is a concern.
  • Management of 'hitchhikers' - we're planning on manual assignment via DHCP/MAC address for tenants with others having all their HTTP requests get directed to an info page. Anybody done something different?
  • Interference from WAPs and other devices that may be owned by tenants! Should we just avoid the default channel and hope for the best?!?
What other things might I need to worry about?"

15 of 294 comments

  1. Re:I would not hire you by aaandre · · Score: 2, Insightful

    There's _always_ a better way. And slashdot is one of the best places to learn about it.

    If I was given a choice between a professional who never asks for help and another one who is smart enough to tap in the potential of Slashdot guess who'd get the project!

  2. Screw It... by mogrefy · · Score: 2, Insightful

    Just make it free (included in rent) and let everyone have internet... great for our communist society!

  3. what is your job at the complex? by edrugtrader · · Score: 5, Insightful

    are you just the fix-it guy that has computer knowledge, or a private contractor?

    if you are expected to stay in house and manage the thing once it is up, get ready for a lot of sleepless nights and angry users.

    it is probably MUCH more cost effective for the complex to just pay for the DSL in all the buildings and keep them hooked up forever. ~$60 a month including a phone line and you have no hassles whatsoever. then pass the cost onto the tenant

    your monthly cost per tenant will probably be $20-30/month in hardware depreciation and bandwidth usage. plus you would have a HUGE (you didn't give building or unit numbers so i'll guess) setup fee of $10,000+ assuming you get a couple T1s and all the wireless hardware.

    as a tenant i won't pay you more than $50 a month (standard DSL cost) so you have to figure out if you can provide all this service and not spend $20 a month per user of your time. i don't think you can.

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
  4. How I'd do it by Xenophon+Fenderson, · · Score: 4, Insightful

    There are several ways to go about this.

    1. Buy CheckPoint FireWall-1 in addition to your access points. There are SOHO versions of FW1 on dedicated hardware (e.g. Nokia IP71) that retail for less than $1000 and can accommodate up to 50 users. Use its Session Authentication agent to arbitrate access to anything other than DHCP and don't bother with enabling WEP. Unfortunately, the agent seems to be only available for Windows 9X/ME/NT/2K/XP.
    2. Buy Cisco access points and Cisco ACS software and enable LEAP. While non-standard, you are probably forcing them to buy a wireless card anyway, and Cisco's client devices aren't all that expensive. The Aironet device is supported in Windows and Windows CE, Linux, and MacOS 9.x and 10.x. My employer uses LEAP and it works great.
    3. Hack your own. Set up Linux and Squid and Apache and transparent forwarding to redirect unauthenticated web traffic to an HTTPS login form. Have the form automatically add the necessary firewall rules to allow them out, and have a cron job remove them after a delay. Upside: A five banana problem once you've mirrored enough of CPAN to write the Perl scripts. Downside: Easily spoofed/hacked with a copy of AirSnort, Kismet, and Ettercap.
    WEP key management sucks so hard that relying on it is stupid. I'd probably go the LEAP route just because it is so damn easy on both the client side and on the server side, even though I hate Cisco. The build-it-yourself solution would be a complete kludge and would be totally unsupportable except by the author, i.e. lots of work. The CheckPoint firewall is in between the Cisco (easy) and do-it-yourself (really hard) in terms of difficulty.

    Anyway, I'm rambling now, so hopefully this helps and makes sense. If you have questions, post 'em here.

    --
    I'm proud of my Northern Tibetian Heritage
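
The bookkeeping behind option 3 in the comment above (the login form adds a firewall rule, a cron job removes it after a delay), sketched as an added example that is not part of the original comment. The one-hour lease, the use of the FORWARD chain and the names `rule` and `PortalLeases` are assumptions, and the addresses are constructed. Binding the rule to a MAC only narrows who matches it; it does not authenticate the client, which is the downside the comment names.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def rule(action, ip, mac):
    """Build an iptables argv list (never a shell string) from validated fields."""
    ip = str(ipaddress.IPv4Address(ip))          # raises ValueError on junk input
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC: {mac!r}")
    return ["iptables", action, "FORWARD", "-s", ip,
            "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]

class PortalLeases:
    def __init__(self, lease_seconds=3600):      # assumed lease length
        self.lease_seconds = lease_seconds
        self.leases = {}                         # ip -> (mac, expiry time)

    def grant(self, ip, mac, now):
        """Login form succeeded: record the lease, return the allow rule."""
        cmd = rule("-I", ip, mac)
        self.leases[cmd[4]] = (cmd[8], now + self.lease_seconds)
        return cmd

    def sweep(self, now):
        """Cron job: drop expired leases, return the matching delete rules."""
        expired = [ip for ip, (_, exp) in self.leases.items() if exp <= now]
        return [rule("-D", ip, self.leases.pop(ip)[0]) for ip in expired]

    def classify(self, ip, mac, now):
        """Label an (ip, mac) pair seen in ARP or DHCP logs."""
        lease = self.leases.get(ip)
        if lease is None or lease[1] <= now:
            return "unauthenticated"             # send to the login page
        return "ok" if lease[0] == mac.strip().lower() else "mac-mismatch"

if __name__ == "__main__":
    portal = PortalLeases(lease_seconds=60)
    # Constructed sample: one tenant logs in at t=1000, cron runs at t=1060.
    print(portal.grant("10.0.0.5", "AA:BB:CC:DD:EE:FF", now=1000))
    print(portal.classify("10.0.0.5", "aa:bb:cc:dd:ee:00", now=1010))
    print(portal.sweep(now=1060))
```

A `mac-mismatch` result is worth logging and alerting on, since it means an address with a live lease is being used by different hardware.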
  5. Re:Security matters. by Alex · · Score: 4, Insightful

    I'll assume that he was running this ISP off of university bandwidth?

    Has it occurred that this may have been a SERIOUS breach of AUP?

    Alex

  6. We have a wireless network at our house... by VistaBoy · · Score: 2, Insightful

    You probably do not want to use 802.11b wireless networking in an apartment complex, considering that a cordless phone can interfere with the signal and destroy all connections within. It happens all the time at my house.

  7. Don't bother with WiFi... by YuppieScum · · Score: 5, Insightful

    The whole point about using wireless LANs is to enable environments where you either need to support roaming/migrant users or you have little/no control over the local infrastructure.

    Neither is the case here.

    You also need to remember that the 11MB/s provided by WiFi is shared between all users. If you have 50 "dwelling units" and two WiFi access points, you'll be offering a service with less maximum bandwidth than bottom-of-the-range xDSL... and you'll be charging for $100 WiFi NICs instead of $10 PCI ethernet NICs (which many PCs now have as standard anyway)... and for a service subject to atmospheric outages (ever use a WiFi network during a thunderstorm) as well as interference from a multitude of other devices like microwaves, cordless headphones and DECT telephones...

    I'd recommend taking a bit of up-front hit and running CAT5 to each apartment. Put a switch on each floor (unmanaged 16-port switches are less than $80), and run each floor-switch to a central switch, and from there to the T1 router, squid server and whatever other infrastructure you're going to value-add into the equation.

    This is what business-class hotels now do - just provide an ethernet RJ-45 jack and a DHCP server... all a guest has to do is plug in, configure for DHCP, and reboot.

    If nothing else, support costs for a wired network are trivial... but for a WiFi? How do you explain to a user that they can't get their mail because the guy in apartment 2B is listening to a CD?

    --
    This sig left unintentionally blank.
    1. Re:Don't bother with WiFi... by tzanger · · Score: 4, Insightful

      No. You want a really spiffy switch. It needs to a) be able to do mac-port mapping, b) be able to remotely enable-disable ports, and c) support rmon/snmp. Maybe you don't need c) if you have netflow configured/running correctly, but a) and b) will save you tons of time (and therefore labor costs) in the long run by doing these two things.

      Um, no.

      Nice 24-port unmanaged switches are best here. You will have a fat managed switch as the uplink for all of these floor-level switches, and you will have a decent router between that and your bandwidth provider. Use the managed switch to localize which floor the disturbance is coming from, then use the sniffer port to find out the IP. Finally, log in to the router and change the ACLs so that that user (or MAC addy) is simply not allowed to go anywhere. No need to blow enormous gobs of money on managed switches for every floor.

  8. Re:Security is the biggest issue... by Anonymous Coward · · Score: 4, Insightful

    WEP is weak. Especially in situations where there is a lot of use and lots of bits flying around. All that one needs to do to crack a WEP key is accumulate data sent using said key.

    See: AirSnort

    Rather than worry about people having their sh*t sniffed, here are a couple other solutions:

    #1. Set up a portal that uses HTTPS and fetches web pages for the user, then presents these pages to them.

    Pros: Simple
    Cons: Doesn't really work all that well with some sites

    #2. Use IPSec

    Pros: Damn secure.
    Cons: CPU intensive, limited software support outside of the OSS crowd.

    #3. Keep it insecure, but keep the users educated. Let them know their data may be sniffed easily, but also let them know what HTTPS is. Show them how to sign into their Yahoo mail so that their password won't get sent in the clear, etc etc.

    Pros: Cheap ;)
    Cons: Depends on the intelligence of users. You never want to do that ;)

  9. Re:MAC Address/DHCP by Anonymous Coward · · Score: 2, Insightful

    That point is debatable - this is a residential network. He will need stronger login security (maybe PPPoE would work for you - you'd just need a linux box somewhere acting as a radius server).

    Basically the people that need/are concerned about encryption can set it up, but why enforce an extra level of difficulty on the everyday users who are checking out cnn.com and pr0n?

  10. Re:MAC Address/DHCP by Bishop · · Score: 3, Insightful

    Strong authentication is needed for this network. A VPN is a pretty good way to ensure strong authentication. PPPoE is no easier to set up than a VPN really. PPP authentication has problems anyway. Besides I think people are warming up to the idea of protecting their privacy.

  11. Re:Hitchhikers by brunes69 · · Score: 3, Insightful

    So you give the guy like 5 logins. It's a lot better than hardwiring a MAC to an IP as was suggested, as any PC can log in with any ID.

  12. Apartment Designs in the future by wilsonjo · · Score: 2, Insightful

    I always get flamed when I post stuff like this but... Throughout college and for the next few years of my life I am going to live in an apartment complex and I really don't understand why newer apartment complexes aren't taking into consideration high speed internet access.

    Run some Cat5 through the walls and build a telephone/wiring closet into each building.

    Then raise the rent about $10 a month which will absorb the cost of a T-1 and a part-time techie. 25 buildings x 12 tenants x $10 = $3000. $1500 for the T-1 connection and $1500 to keep the techie happy.

    Wireless would be great, but I'll agree with the person who posted up above and say there is way too much junk out there interfering with the 2.4 GHz spectrum.

    Flame away....

  13. Re:Security is the biggest issue... by tzanger · · Score: 3, Insightful

    #2. Use IPSec
    Pros: Damn secure.
    Cons: CPU intensive, limited software support outside of the OSS crowd.

    OSS only? Win2k has support for it in its default configuration. I use this procedure to get win2k to connect to my FreeS/WAN gateway using x.509 certificates. Piece of cake (it looks convoluted but it's really easy once you do it once or twice) to set up, and lets anybody (linux, windows, mac, anyone with IPSec and x.509) on in a secure fashion.

    CPU intensive? Not that I'm aware of. I'm pushing about half a T1 to another FreeS/WAN server using a P100 on one side and a P200 on the other. Now I imagine this scales less than linearly for each client that connects, but I've been pleased with the throughput of this little computer.

  14. Re:IPSEC by swb · · Score: 3, Insightful

    Amen. Security geeks who don't appreciate the risk/cost/benefit analysis are all trying to build Fort Knox, often on shifting sand.

    Security doesn't have to be perfect. If you're protecting X, you just need to protect it slightly better than most other people with X. People interested in X will take it where it's easiest to get.

    And I agree that IPSEC is a PITA. It's OK as a dedicated tunnel between endpoints with shared secrets, but cert management gets to be a big nightmare, really fast for client applications.