How to securely share a broadband connection?

DellAxim (Gawd; Joined Feb 14, 2003; Messages 999)
OK, I admit it, I suck at internet security. o_O I have a rental property with 3 units, I would like to be able to provide them with internet access. I have a 1gb fiber connection available. I want them to each have secure access, not like an open/shared WIFI network. I would like to provide each unit with an ethernet cable, which they can plug into their own router and setup their own private WIFI.

Would that be considered secure if they each have a wired connection to the main router? Should they each have a VPN provider on top of that? Is there anything else I need to do to make things more secure?
 
Don't do it, unless you really want to become your own mini-ISP with all of the responsibilities, liabilities, and costs that entails. And given your opening sentence, not to be condescending, you may not have the expertise to do it correctly. How do you ensure that one user doesn't hog the bandwidth, or get you disconnected because they won't stop pirating or leave their WiFi AP open?

Also, it's quite likely the ISP providing that fiber connection doesn't even allow splitting the connection across multiple residences (i.e., a terms of service violation), or support it properly on a technical level (e.g., providing public IPv4/IPv6 subnets for addressing the WAN side of the users' routers).
 
Not asking for advice whether I should or shouldn't. Bandwidth hog is not going to be an issue, if it ever became an issue I can either take it away or kick them out. Nothing to do with responsibilities and liabilities. Tenants have to follow the rules I set, if not, they start packing.

Let's stick to networking, please. The only concern I have is I do not want them to see each other's networks. Worst case scenario I will just let them all share a single wifi connection and require they purchase their own VPN...but I'd rather not do it that way.
 
You will want a managed switch with each rental unit getting their own subnet.
I didn't read this but it sounds just like what you want,
https://www.reddit.com/r/HomeNetworking/comments/avr2vs/i_want_to_split_our_internet_between_three/
 
I started thinking through this and ended up with the exact same thoughts/conclusions as the link Zepher posted. Double NAT and port forwarding would be the biggest issues but you can absolutely do this with just setting up some VLANs and some firewall rules to not let those VLANs communicate.

I don't think you need to bring a VPN into this. If you have firewall rules in place so the VLANs can't talk, a VPN does nothing extra except hide traffic from your ISP. If your firewall rules were wrong and somehow the VLANs could pass traffic, a VPN would only help if every client on the network was set up to use it. So if someone is using a smartphone and not running a VPN app it would defeat the purpose. You could set up a VPN gateway for each unit and tunnel all traffic through them, but why add the complexity when just setting proper firewall rules would do what you are trying to accomplish.
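To make the "firewall rules so the VLANs can't talk" concrete, here is an added example (not from any poster in this thread) that models the rule set as a policy check over the three /28 subnets quoted further down. The ordering of the rules and the decision to let tenants reach only DNS/DHCP on their own gateway are my assumptions about how the pfSense or EdgeRouter rules would be written; the subnets and gateway addresses come from the thread. It only models Layer 3 filtering: two hosts inside the same VLAN still talk directly at Layer 2, which is what AP client isolation addresses.

```python
"""Model of an inter-VLAN isolation policy for a shared tenant connection."""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str  # "udp", "tcp" or "icmp"
    dport: int  # 0 for icmp


# Constructed from the thread's diagram: VLAN id -> (tenant subnet, gateway).
TENANT_VLANS = {
    10: (ipaddress.ip_network("10.0.10.0/28"), ipaddress.ip_address("10.0.10.1")),
    20: (ipaddress.ip_network("10.0.20.0/28"), ipaddress.ip_address("10.0.20.1")),
    30: (ipaddress.ip_network("10.0.30.0/28"), ipaddress.ip_address("10.0.30.1")),
}
# Assumed: the only router services a tenant may reach on its own gateway.
LOCAL_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 67)}  # DNS and DHCP


def vlan_of(addr: ipaddress.IPv4Address):
    """Return the tenant VLAN id an address belongs to, or None."""
    for vid, (net, _gw) in TENANT_VLANS.items():
        if addr in net:
            return vid
    return None


def evaluate(flow: Flow) -> str:
    """Apply the rules top-down, the way a pfSense/EdgeRouter ruleset does."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_vlan = vlan_of(src)
    if src_vlan is None:
        return "deny"  # traffic not sourced from a tenant VLAN is out of scope
    _net, gw = TENANT_VLANS[src_vlan]
    # Rule 1: own gateway, DNS/DHCP only. Everything else on the router
    # (web GUI, SSH) is blocked so a tenant cannot manage the shared router.
    if dst == gw:
        return "allow" if (flow.proto, flow.dport) in LOCAL_SERVICES else "deny"
    # Rule 2: block every other private address. This covers the other
    # tenants' subnets AND the other VLANs' gateway addresses, which a rule
    # written only against "the other tenant subnets" would still permit.
    if dst.is_private or vlan_of(dst) is not None:
        return "deny"
    # Rule 3: anything left is the public Internet via the WAN.
    return "allow"
```

A rule that denies only the other tenants' /28s but forgets the router's own interface addresses is the common gap; the test for the other VLAN's gateway is the case to check in the real ruleset.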
 
Get an access point that has isolation. This will prevent all devices from seeing each other, easy peasy! That is the easiest way really.

Depending on what router you have, or AP you get, you could also bandwidth throttle each SSID. If you get an AP that lets you do more than 1 SSID, you can do 3 SSIDs, all isolated; Ubiquiti will let you do multiple VLANs and SSIDs per AP.

So you could do

ISP----->Router that supports VLANs ------> AP with separated SSIDs isolated by VLAN
----> VLAN10 - Unit 1 - 10.0.10.1/28
----> VLAN20 - Unit 1 - 10.0.20.1/28
----> VLAN30 - Unit 1 - 10.0.30.1/28

ISP----->Router---->Switch that supports VLANs (layer 3) -----> AP

If you get a router that supports VLANS, and has enough ports OUT - you could then run separate VLANS, isolated from each other and then run a dedicated wire to each unit, thus you don't have to worry about Wifi and crap and quality et cetera. I would prefer to do it this way.

As for requiring them to use a VPN, if you do not know security, you have no way to tell if they are using one or not so hard to force that.

What router do you have right now?

I would definitely look for a way to throttle bandwidth per Unit - someone will suck it all up at some point and the others will get annoyed when Unit 1 is always slowing things down so they can't game and their streams are stuttering.

Either buy a pfsense router - then you get support and warranty vs building your own or look at Ubiquiti Edge routers, they can do it all as well, then you do not need a managed switch in there to also manage and deal with. Just go out from the firewall/router to the units.
 
I don't currently have any equipment. They just installed the fiber a few days ago (not activated yet), previously the best we could get was DSL at about 3-5mb. LOL! The ISP will not allow more than one connection on the property, and they have made it abundantly clear they don't care what I think or want. I've thought about throttling the speed, but I don't think I will unless that becomes an issue. Tenants will be made clear this is a shared connection and not to abuse it or they will lose it. (I am not charging for internet) I will probably recommend in writing that they purchase and use a VPN, but not require it, much like I do with renter's insurance. If they want to have their own cellular or satellite service they could still do that as well.

I also need a tiny bit of internet service for me so I can use it to read the electric meters every month. I'll have to take some time to look at different hardware, have not had a chance to look around much yet but I'll probably have more questions. :)
 
A VPN is useless in this situation, as someone said; unless they use a device, like a router, and set up the VPN there, it won't be used, or they will forget, and you have no way to validate it is used anyway (you have no right to view their devices or force them to log in and show you if they have a VPN set up or not).

They have friends come over, now their friends have to use the VPN or buy one?

Get an Access point which allows device isolation, this is the easiest way and every single client that connects is isolated from seeing any other device on the network.
 
Like I said, recommended but not required. People are dumb, and as a result some blatantly obvious things need to be put in writing. This is why a lease is 5 pages and not just a couple of lines. :)
 
You would be better off to throttle bandwidth from the start. Sounds like what "be made clear to not abuse it" means isn't defined. Why do you think ISPs put speed and data caps on people? One, it's to make money, and the other, it's so they have limits to make more money, and it's not an imaginary line in the sand.

If my ISP had a loose standard of “it’s clear don’t abuse it....” The definition of what abuse is isn’t in writing. My definition and theirs wouldn’t be in agreement.

You may think you are iron clad right in what you're doing. I look at it as skeptical at best. Good luck with your endeavor; I would expect long term you will need it.
 
Does Layer 2 VLAN isolation require use of different subnets? Can I get the same level of isolation on the same subnet?
 
If you are running ethernet to their residence, don't let them get their own wifi router; instead you can place your own APs connected to your main switch. This way you control the security, not your residents: you provide them with the SSID/Pass, each on its own VLAN, and VLANs aren't allowed to talk to each other. This way it's a feature of the property, not something they have control of. Also, doing it this way won't be a violation of your terms of service with your ISP as you're just extending your own network, even as a VLAN. This is how hotels and such do the same thing between various floors.

This is also how I shared my sister's home internet with her business about 1/2 mile away.
 
PFSense makes it easy with built in captive portal. A lot of other options like idle timeout, custom login screens, authentication, quotas, and bandwidth limits too.
 
I can take away their internet at any time without notice or reason. I can also end their tenancy with 30 days notice. Honestly if somebody is causing a problem here, I'd be more likely to get rid of them entirely. This is a landlord friendly state. ;) We're also talking about 4 people, not an entire hotel, or even a Starbucks. If somebody is up late and nobody is using the internet, they should be free to use 1000mb if they really want to; there is no need to artificially limit it. ISPs use speed and data caps as a way to generate more revenue; many with caps even lift them late at night. Considering we have been getting by with less than 10mb total, it's not going to be a problem.

I prefer to minimize equipment on my end thus limiting technical support/problems. I hope that once it is setup and all the settings are saved, if a device stops working it shouldn't need much more than a hard reset. Then again I suppose that would be the same for individual routers...I'll think about it.
 
I will say prosumer/enterprise grade APs are going to need to be reset MUCH less often than consumer gear. Personally I use Ubiquiti APs in my home, and for my sister's business; since I set my sister's AP up in June of last year it hasn't needed a reset yet, except for firmware upgrades, even in -28 degree weather. Personally I've been very impressed with their reliability. They are also relatively inexpensive compared to other APs out there. But I get not wanting to be tech support for your tenants; if you're sharing your own internet with them, though, you'll be their tech support anyway. If they complain it isn't working, but your internet is still up, you'll have to find out why, you'll be on the hook, and you'll have to learn their gear. However, if you use your own gear, it will be far easier to troubleshoot/replace should something go wrong.
 