Building a Wireless Network for an Apartment Complex?

itwerx asks: "I've been asked to design a wireless infrastructure for an apartment complex. Tenants will pay an 'access deposit' and a monthly surcharge to get a PCMCIA/PCI/USB network card along with free installation and, of course, wireless Internet access. The buildings are arranged such that 2 WAP's per building should cover all the tenants (one WAP per side, far enough away to get line-of-sight through the windows). I do have a few concerns, however. All help is appreciated and when we're done we'll put up a HOWTO!"

"My concerns are the following:

• Interference between WAP's (there's several buildings) - there are enough channels if we go 802.11a but cost is a concern.
• Management of 'hitchhikers' - we're planning on manual assignment via DHCP/MAC address for tenants with others having all their HTTP requests get directed to an info page. Anybody done something different?
• Interference from WAP's and other devices that may be owned by tenants! Should we just avoid the default channel and hope for the best?!?

What other things might I need to worry about?"

interference..

[molo]

Interference between the two WAPs is not really what you have to worry about. Put them on different channels on opposite ends of the chunk of 802.11b spectrum and its done.

The real issue is interference from other devices. I hope no one has a 2.4GHz phone.. or a microwave.. or X11.. or one of the other dozens of devices on the (unregulated) 2.4GHz band. It can knock your 11Mbit down to 1.

MAC Address/DHCP

[dbarry]

mac addresses are fairly easy to spoof (at least in OpenBSD), and any two-bit prism based sniffer can tell the mac addresses of other nodes on the network. It would probably be better to go with a different scheme, such as login/passphrase authentication, rather than MAC address. I know UC berkeley is using some sort of program like that check out Calnet

Answers

[LowneWulf]

- 802.11 manages devices in a friendly way, and is designed specifically to play nice with lots of other 802.11 devices in the area. In fact, infrastructure networks assume it WILL work that way. Put your entire complex on one SSID and one channel - each WAP will form a BSS, and devices should seamlessly roam between them.
- Other peoples' devices shouldn't interfere with yours unless there is a LOT of devices. If they do, too bad for them, they can choose a new channel. Or you can choose a new channel. But it shouldn't be a problem unless there's a ton of networks.
- I would suggest leaving your network entirely open (no WEP, etc.) then putting a router at the edge which authenticates MAC/IP addresses, provides DHCP, and only routes those who enter a password of some sort. This leaves the internal network open to hackers unfortunately, but WEP management for an apartment will be hell, and the alternate solutions all tend to be non-standardized.

Wi-Fi

[dsmey]

I am an assistant network engineer at a large midwestern university. Currently, like you we're in the process of figuring out how to deploy wireless access points. Our campus's Engineering Computer Network let us borrow a mobile testing appratus that has a WAP and an Antenna on it (looks like a camera tripod). We take it to different parts of our residence halls and, with a laptop, we take SNR readings from different parts of the surrounding rooms and record our measurements on the building blueprints. We figure we need about 6 WAP's to sufficiently cover the lounge areas of the older dormitories (with their steel and concrete infrastructure), but for your sake 2 WAP's should sufficiently cover a medium-sized apartment building and more. We also plan to cover several large outdoor areas, a library, and our Union right off the bat. The equipment we are using is Enterasys Roamabouts ($1000 a pop), [link] and they are highly configurable and have a ton of management features. We figure each WAP will get connected to a switch port on the Cisco Catalysts in our buildings. So far, we haven't done much in terms of the deployment because it is a long process, where the Physical Facilities department has to do the actual installation of the equipment, data jacks, etc. I assume in your case you can better coordinate this without all the red tape. We figure that by the time these are all installed and our userbase is well-informed of the network, we will have a great system that will scale to thousands of students and staff in the future.
http://www.purdue.edu/ITaP/projects/wireless.shtml

Re:Wi-Fi

[gmkeegan]

I am an assistant network engineer at a large midwestern university...

I never thought a wireless project like this would happen to me. I was sitting in the study lounge in my dorm when this sexy coed network engineer walks up and asks, "I see you have a seven layer OSI model. That really turns me on..."

Our experience

[The+Ape+With+No+Name]

We deployed the largest campus wireless (to date) network here. Which involved a lot of the issues you bring up and then some. Was it a pain? Yup. Did we have to backtrack and reengineer (esp. security and client access)? Yup. Check out this stuff for some info:

• In General
  
• Scope of Wireless Project
  
• Progress
  
• Challenges
  
• Security -- Careful: Word Doc!
  

I hope this helps. Our wireless guys pulled this off in 130 buildings over a several square kilometer area. Good Luck!

PS. Cracks about Redneck Rocky Top and such ilk should be modded -1! ;-p

what is your job at the complex?

[edrugtrader]

are you just the fix-it guy that has computer knowledge, or a private contractor?

if you are expected to stay in house and manage the thing once it is up, get ready for a lot of sleepless nights and angry users.

it is probably MUCH more cost effective for the complex to just pay for the DSL in all the buildings and keep them hooked up forever. ~$60 a month including a phone line and you have no hassles what-so-ever. then pass the cost onto the tennant

your month cost per tennant will probably be $20-30/month in hardware depreciation and bandwidth usage. plus you would have a HUGE (you didn't give building or unit numbers so i'll guess) setup fee of $10,000+ assuming you get a couple T1s and all the wireless hardware.

as a tenant i won't pay you more than $50 a month (standard DSL cost) so you have to figure out if you can provide all this service and not spend $20 a month per user of your time. i don't think you can.

Can't you guys agree?

[lycono]

Gotta love 'em.

LowneWulf states:

Put your entire complex on one SSID and one channel - each WAP will form a BSS, and devices should seamlessly roam between them.

To which MarkKomus replies:

If you have WAP's on different sides of buildings they most likely won't interfere with each other. Just keep the WAPs with the same channel as far apart as possible.

LowneWulf states:

Other peoples' devices shouldn't interfere with yours unless there is a LOT of devices.

Which is rebutted by MarkKomus:

Interference from WAP's and other devices that may be owned by tenants! Here could be your big problem.

I need to know who has more money or a bigger house so I can know who to believe!

IPSEC

[SealBeater]

I don't know if it's been mentioned, but I would use IPSEC if I were you,
simply because 802.11a/b sniffing is trivial now and mac address spoofing is
even easier. Also, I would probably recommend against going with an
established commercial wap product, as they all almost definately aren't going
to have the flexibility you need in the future and are probably way too
expensive. I would roll a couple of OpenBSD boxes with wireless cards, that
way you have an all in one solution with lots of nifty stuff like traffic
shaping per mac, monthly bandwidth accounting capablities via pf, syslog, and
tons of other stuff that commercial vendors just don't offer. And I do mean,
don't offer, regardless of price. This page
offers a good howto regarding ipsec on openbsd and this page
give a pretty good read on replacing wep with ipsec on openbsd as well. Good
luck.

SealBeater

Don't bother with WiFi...

[YuppieScum]

The whole point about using wireless LANs is to enable environments where you either need to support roaming/migrant users or you have little/no control over the local infrastructure.

Neither is the case here.

You also need to remember that the 11MB/s provided by WiFi is shared between all users. If you have 50 "dwelling units" and two WiFi access points, you'll be offering a service with less maximum bandwidth than bottom-of-the-range xDSL... and you'll be charging for $100 WiFi NICs instead of $10 PCI ethernet NICs (which many PCs now have as standard anyway)... and for a service subject to atmospheric outages (ever use a WiFi network during a thunderstorm) as well as interference from a multitude of other devices like microwaves, cordless headphones and DECT telephones...

I'd recommend taking a bit of up-front hit and running CAT5 to each apartment. Put a switch on each floor (unmanaged 16-port switches are less than $80), and run each floor-switch to a central switch, and from there to the T1 router, squid server and whatever other infrastructure you've going to value-add into the equation.

This is what business-class hotels now do - just provide an ethernet RJ-45 jack and a DHCP server... all a guest has to do is plug in, configure for DHCP, and reboot.

If nothing else, support costs for a wired network are trivial... but for a WiFi? How do you explain to a user that they can't get their mail because the guy in apartment 2B is listening to a CD?

Re:Just wire the buildings.

[figment]

Yes.

It really is the party-pooper solution, as it's so low-tech, but when we priced it out, for most buildings Cat5 wiring is cheaper.

Depending on what kind of walls you're working with, (drywall vs. brick, etc) i've gotten quotes from roughly $30-100 per drop in an apt. Add to that $40/port for a good switch, and you're looking at $140 per room. And good cat5 contractors will give you some ungodly long warranty, on the order of tens of years.

Contrast this with 802.11. You have to pay for multiple APs (500~2k each depending on what you want/need), then you either have to a) pay for the 802.11 card for each pc and have the tenants pay a deposit (which was ~150ish when i priced them out, 100ish if they had a laptop) or b) force the tenants to buy their own. From doing some informal surveys and asking around, the latter wont work.
Then you have the line-of-sight problem (the computer has to be kinda near the window for them to pick anything up), the rf interference issue, and other funky stuff rf physics stuff. Not to mention you're on most likely a 1yr warrenty, and have to deal with helping people get their wireless card working, which can be a huge pain in the ass as likely they'll be using one of those pcmcia-pci slot converter things.

Furthermore security-wise, you honestly cannot beat having a plugged vs. not-plugged-in port, thus you can assure people are not stealing your service... A good switch will tell you what mac addresses are coming from what port, so with some good accounting on the side, you can tell exactly which apt has a hub and is sharing with their neighbors, etc. It also makes catching troublemakers (and there will be some, trust me) a lot lot easier, as you can pinpoint it to the room, not just to a mac address.

I more or less planned/ran a campus apartment project like this, and we did at first also seriously consider the 802.11 alternative, but quickly threw it away as we realized that a) it was going to certainly cost more long-run in labor than cat5 would,and b) it most likely wouldnt save us money upfront either.