Slashdot Mirror


Building a Wireless Network for an Apartment Complex?

itwerx asks: "I've been asked to design a wireless infrastructure for an apartment complex. Tenants will pay an 'access deposit' and a monthly surcharge to get a PCMCIA/PCI/USB network card along with free installation and, of course, wireless Internet access. The buildings are arranged such that 2 WAP's per building should cover all the tenants (one WAP per side, far enough away to get line-of-sight through the windows). I do have a few concerns, however. All help is appreciated and when we're done we'll put up a HOWTO!"

"My concerns are the following:

  • Interference between WAP's (there are several buildings) - there are enough channels if we go 802.11a but cost is a concern.
  • Management of 'hitchhikers' - we're planning on manual assignment via DHCP/MAC address for tenants with others having all their HTTP requests get directed to an info page. Anybody done something different?
  • Interference from WAP's and other devices that may be owned by tenants! Should we just avoid the default channel and hope for the best?!?
What other things might I need to worry about?"

6 of 294 comments

  1. what is your job at the complex? by edrugtrader · Score: 5, Insightful

    are you just the fix-it guy that has computer knowledge, or a private contractor?

    if you are expected to stay in house and manage the thing once it is up, get ready for a lot of sleepless nights and angry users.

    it is probably MUCH more cost effective for the complex to just pay for the DSL in all the buildings and keep them hooked up forever. ~$60 a month including a phone line and you have no hassles whatsoever. then pass the cost onto the tenant

    your monthly cost per tenant will probably be $20-30/month in hardware depreciation and bandwidth usage. plus you would have a HUGE (you didn't give building or unit numbers so i'll guess) setup fee of $10,000+ assuming you get a couple T1s and all the wireless hardware.

    as a tenant i won't pay you more than $50 a month (standard DSL cost) so you have to figure out if you can provide all this service and not spend $20 a month per user of your time. i don't think you can.

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
  2. How I'd do it by Xenophon Fenderson · Score: 4, Insightful

    There are several ways to go about this.

    1. Buy CheckPoint FireWall-1 in addition to your access points. There are SOHO versions of FW1 on dedicated hardware (e.g. Nokia IP71) that retail for less than $1000 and can accommodate up to 50 users. Use its Session Authentication agent to arbitrate access to anything other than DHCP and don't bother with enabling WEP. Unfortunately, the agent seems to be only available for Windows 9X/ME/NT/2K/XP.
    2. Buy Cisco access points and Cisco ACS software and enable LEAP. While non-standard, you are probably forcing them to buy a wireless card anyway, and Cisco's client devices aren't all that expensive. The Aironet device is supported in Windows and Windows CE, Linux, and MacOS 9.x and 10.x. My employer uses LEAP and it works great.
    3. Hack your own. Set up Linux and Squid and Apache and transparent forwarding to redirect unauthenticated web traffic to a HTTPS login form. Have the form automatically add the necessary firewall rules to allow them out, and have a cron job remove them after a delay. Upside: A five banana problem once you've mirrored enough of CPAN to write the Perl scripts. Downside: Easily spoofed/hacked with a copy of AirSnort, Kismet, and Ettercap.
    WEP key management sucks so hard that relying on it is stupid. I'd probably go the LEAP route just because it is so damn easy on both the client side and on the server side, even though I hate Cisco. The build-it-yourself solution would be a complete kludge and would be totally unsupportable except by the author, i.e. lots of work. The CheckPoint firewall is in between the Cisco (easy) and do-it-yourself (really hard) in terms of difficulty.

    Anyway, I'm rambling now, so hopefully this helps and makes sense. If you have questions, post 'em here.

    --
    I'm proud of my Northern Tibetian Heritage
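The "hack your own" design in option 3 above boils down to a small access-control loop: unauthenticated web traffic is redirected to an HTTPS login form, a successful login adds a firewall rule for that client, and a scheduled job removes the rule again after a delay. The following is an added example, not code from the post or from any of the products it mentions; it models that loop in Python with a per-MAC grant table, generates (but does not execute) the iptables commands the portal would issue, and expires grants the way the cron job would. The login URL, the eight-hour grant length, the account store and the sample MAC addresses are all constructed placeholders. Because grants are keyed on the client MAC, it has exactly the weakness the post points out: anyone who can observe a granted MAC can reuse it, so this is a convenience gate for the "info page" case, not a substitute for link-layer encryption.

```python
"""Captive-portal grant table in the style of the Linux/Squid/Apache option (added example)."""
import hashlib
import hmac

LOGIN_URL = "https://portal.example.invalid/login"   # assumed placeholder, not from the post
GRANT_SECONDS = 8 * 3600                             # assumed grant length (the cron job's "delay")
ALWAYS_OPEN = {("udp", 67), ("udp", 53)}             # DHCP and DNS must work before login


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted PBKDF2 hash so the portal box never keeps plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Portal:
    def __init__(self, accounts, tenant_macs):
        self.accounts = accounts                # username -> (salt, pbkdf2 hash); constructed
        self.tenant_macs = {m.lower() for m in tenant_macs}  # MACs with reserved DHCP leases
        self.grants = {}                        # mac -> unix time at which the grant expires
        self.issued = []                        # firewall commands the portal would run

    def _credentials_ok(self, user, password):
        rec = self.accounts.get(user)
        if rec is None:
            return False
        salt, stored = rec
        # Constant-time compare so timing does not leak how much of the hash matched.
        return hmac.compare_digest(hash_password(password, salt), stored)

    def login(self, mac, user, password, now):
        """Called by the HTTPS form handler; returns True and opens the firewall on success."""
        mac = mac.lower()
        if mac not in self.tenant_macs or not self._credentials_ok(user, password):
            return False                        # hitchhikers and bad passwords stay redirected
        self.grants[mac] = now + GRANT_SECONDS
        # Equivalent of the rule the post's script would add for this client.
        self.issued.append(f"iptables -I FORWARD -m mac --mac-source {mac} -j ACCEPT")
        return True

    def decide(self, mac, proto, dst_port, now):
        """What the transparent-forwarding layer does with one packet from this client."""
        mac = mac.lower()
        if (proto, dst_port) in ALWAYS_OPEN:
            return "ALLOW"
        if self.grants.get(mac, 0) > now:
            return "ALLOW"                      # granted and not yet expired
        if proto == "tcp" and dst_port == 80:
            return f"REDIRECT {LOGIN_URL}"      # unauthenticated web traffic -> login form
        return "DROP"                           # everything else stays closed until login

    def expire(self, now):
        """The cron job: drop grants whose delay has elapsed and remove their rules."""
        stale = [m for m, exp in self.grants.items() if exp <= now]
        for m in stale:
            del self.grants[m]
            self.issued.append(f"iptables -D FORWARD -m mac --mac-source {m} -j ACCEPT")
        return stale


if __name__ == "__main__":
    salt = b"constructed-salt"
    portal = Portal({"alice": (salt, hash_password("correct horse", salt))},
                    ["00:11:22:33:44:55"])
    print(portal.decide("00:11:22:33:44:55", "tcp", 80, 1000))   # REDIRECT ...
    print(portal.login("00:11:22:33:44:55", "alice", "correct horse", 1000))
    print(portal.decide("00:11:22:33:44:55", "tcp", 443, 2000))  # ALLOW
    print(portal.expire(1000 + GRANT_SECONDS), portal.issued)
```

The `issued` list is the audit trail a real deployment would want: every rule add and delete, with the MAC and the time it was triggered, is what lets you answer "who was allowed out at 03:00" when an abuse complaint arrives.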
  3. Re:Security matters. by Alex · Score: 4, Insightful

    I'll assume that he was running this ISP off of university bandwidth?

    Has it occurred that this may have been a SERIOUS breach of AUP?

    Alex

  4. Don't bother with WiFi... by YuppieScum · Score: 5, Insightful

    The whole point about using wireless LANs is to enable environments where you either need to support roaming/migrant users or you have little/no control over the local infrastructure.

    Neither is the case here.

    You also need to remember that the 11MB/s provided by WiFi is shared between all users. If you have 50 "dwelling units" and two WiFi access points, you'll be offering a service with less maximum bandwidth than bottom-of-the-range xDSL... and you'll be charging for $100 WiFi NICs instead of $10 PCI ethernet NICs (which many PCs now have as standard anyway)... and for a service subject to atmospheric outages (ever use a WiFi network during a thunderstorm) as well as interference from a multitude of other devices like microwaves, cordless headphones and DECT telephones...

    I'd recommend taking a bit of an up-front hit and running CAT5 to each apartment. Put a switch on each floor (unmanaged 16-port switches are less than $80), and run each floor-switch to a central switch, and from there to the T1 router, squid server and whatever other infrastructure you're going to value-add into the equation.

    This is what business-class hotels now do - just provide an ethernet RJ-45 jack and a DHCP server... all a guest has to do is plug in, configure for DHCP, and reboot.

    If nothing else, support costs for a wired network are trivial... but for a WiFi? How do you explain to a user that they can't get their mail because the guy in apartment 2B is listening to a CD?

    --
    This sig left unintentionally blank.
    1. Re:Don't bother with WiFi... by tzanger · Score: 4, Insightful

      No. You want a really spiffy switch. It needs to a) be able to do mac-port mapping, b) be able to remotely enable-disable ports, and c) support rmon/snmp. Maybe you don't need c) if you have netflow configured/running correctly, but a) and b) will save you tons of time (and therefore labor costs) in the long run by doing these two things.

      Um, no.

      Nice 24-port unmanaged switches are best here. You will have a fat managed switch as the uplink for all of these floor-level switches, and you will have a decent router between that and your bandwidth provider. Use the managed switch to localize which floor the disturbance is coming from, then use the sniffer port to find out the IP. Finally, log in to the router and change the ACLs so that that user (or MAC addy) is simply not allowed to go anywhere. No need to blow enormous gobs of money on managed switches for every floor.

  5. Re:Security is the biggest issue... by Anonymous Coward · Score: 4, Insightful

    WEP is weak. Especially in situations where there is a lot of use and lots of bits flying around. All that one needs to do to crack a WEP key is accumulate data sent using said key.

    See: AirSnort

    Rather than worry about people having their sh*t sniffed, here are a couple other solutions:

    #1. Set up a portal that uses HTTPS and fetches web pages for the user, then presents these pages to them.

    Pros: Simple
    Cons: Doesn't really work all that well with some sites

    #2. Use IPSec

    Pros: Damn secure.
    Cons: CPU intensive, limited software support outside of the OSS crowd.

    #3. Keep it insecure, but keep the users educated. Let them know their data may be sniffed easily, but also let them know what HTTPS is. Show them how to sign into their Yahoo mail so that their password won't get sent in the clear, etc etc.

    Pros: Cheap ;)
    Cons: Depends on the intelligence of users. You never want to do that ;)