Researching solutions for apartment buildings.

Tech249 (n00b, joined Sep 17, 2011, 46 messages)
We have started to get some clients that have apartment buildings that offer broadband with their lease, currently most have a few broadband connections and a switch.

I would like to evolve this into a system that is more intelligent. Maybe a switch that we can limit port speed on, or some other mechanism that will help us manage the ISP connection over many users.

Does anyone have anything they use and like or any ideas?

Thanks!
 
I like pfSense; a separate VLAN could be used for every apartment, it does bandwidth shaping, good security.
 
Yeah, my apartment complex does this as well. But, luckily they don't limit it. So, I'm getting about 80/25 at times. ;) I don't think they know what they were getting into when I moved in. ;)
 
Should be able to do it with higher end Cisco/Enterprise switches. Rate limiting could work.

If you go with VLANs, you still need the routing between them and rate limiting.

Another option that I have seen done is making people use a captive portal (like a wifi hotspot) that has rate limiting as well. This works well for most devices, though it can be annoying to constantly log in to (once every day, etc.) and will make setting up devices like Xboxes a hassle.
 
Is the goal to provide an ethernet connection to each unit or wifi?

Are we talking about an existing network here? If so, how is each building wired currently (including the network between buildings).

Are we talking about multiple WAN connections too?
 
RocketTech: I might have to look into pfSense; we have used Untangle in some basic small business offices. That has been working out great. We also utilize SonicWalls.

Grentz: I thought about the captive portal but came to the same conclusion - consoles would be a nightmare.

dbs1904: For this project it's ethernet to each unit. We have a few set up with wifi. I would consider this for both mediums.

Most of these are existing networks that other companies screwed up or stopped caring about.

Most installs have multiple WAN connections, a few have one large one.

Are there any switch manufacturers that make a rate-limit-capable device that is priced well, between $500 and $1,000?

Thanks for all your feedback and questions! This is turning into a good thread. :)
 
Well, I don't normally do this (only because it's roll your own hardware, the software and support are fine), but I really suggest using pfsense in this instance.

Read up on rate limiting

In your case you will want to use "Dynamic queue creation". That will mean no matter what your WAN connection(s) is/are, you will be presenting the network with a single default gateway. Using the "router" (pfsense box) as the rate limiting device simplifies your network setup. This will limit the traffic on a per IP basis.

Using the pfSense box means that your internal network (the network going to the apartments) won't require any special hardware. In a situation with multiple buildings all you would need is the following:

  • Core switch in central location where pfsense box is
  • Switch in each building with uplinks to the core switch
  • Wiring from switch in building to each unit.

You could even go crazy and make links from switch to switch as well as switch to core (with the appropriate configuration) for some redundancy.

If we are talking about a really large network you could separate each building into vlans and still use a single pfsense box to provide the routing.

Heck, wifi could even be incorporated in this situation.
 
Sound advice, thank you. I'm going to start working with pfSense tonight and see what I can do.

Thanks for taking the time to write this up, I really appreciate it!
 
If you can afford it, Meraki. They have the slickest and easiest interface I've seen. Otherwise go the pfsense route.
 
We use a SuperMicro VAR for hardware support on pfSense boxes. Next day parts, and you can keep common ones on the shelf if you've got a lot deployed. In something like this with a lot of users, I would probably go with a dual-PSU, server grade box or a CARP cluster of a few cheaper boxes.

I also suggest investing in support from the pfSense devs - portal.pfsense.org - they're awesome and provide amazing service.

Once you've got them set up, you won't regret running pfSense.
 
Meraki looks awesome - they are pricey.

Just noticed the announcement on their site - "Cisco announces intent to acquire Meraki"
 
Solid advice. When budget is tighter, I get used PowerEdge 1650/1750s off eBay: redundant PSUs, dual Broadcom/Intel GbE, redundant-memory capable, RAID available, optional remote access. Bulletproof, and spare parts are cheap.
 
Great advice on the used Dell servers.

What other used/refurb models do people commonly use?
 
ASA 5510 and a layer 3 switch, like a 3560. Each unit gets its own VLAN. All VLANs trunked out a single uplink to the ASA. Let all the VLAN routing happen in the switch. If you really want to get crazy you can do dual ASAs in active/passive. If you want to do WAN failover you will need the Security Plus license on the ASA. You can do rate limiting or policing in a 3560 to shape the bandwidth.
 
You can do all that for free with pfSense; you just need an 802.1Q-capable switch and hardware to run pfSense.
 
And? He asked for suggestions. I gave one. My personal opinion is a company should never sell anyone a service without a guaranteed SLA, and that would include hardware on a maintenance contract from a well-known vendor that can be serviced by more than just you.
 
And? He asked for suggestions. I gave one.
Right on. I was springboarding off your comment to add additional information to mine. No offense or negation intended.

My personal opinion is a company should never sell anyone a service without a guaranteed SLA, and that would include hardware on a maintenance contract from a well-known vendor that can be serviced by more than just you.

Good to know where you are coming from. I'll assume your comments are aimed at the pfSense implementation, and I'll fill you in on some information:
SLAs are available for equipment, software, and packages of both for pfSense. Hardware can be purchased from any vendor you choose: Dell, HP, Lenovo, Intel, etc. All vendors who have well documented and observed SLAs.
Software support is offered by a very active community, and by many companies, all with track records.
Just because an SLA reads Dell instead of Cisco, or BSD Perimeter rather than Juniper does not mean there is no competent support.
pfSense is not exactly arcane; even if you were ignorant of that fact a simple Google search would lend you many, many support options.
If you are worried about lock-ins based on knowledge, are you also concerned about lock-ins based on recurring subscriptions, proprietary hardware, proprietary protocols, upgrade programs, etc?

Maybe you see pfSense solutions the same way I see proprietary solutions. Both have their place, both are perfectly valid options when presented and supported professionally.
 
I have run pfsense at home for the last 5 years. I am well aware of its capabilities. My main point is it is much easier to find someone who can work on an ASA than pfsense. Yes I am well aware there are plenty of good pfsense guides and it is pretty darn simple to use but when the sh*t hits the fan I can be pretty sure the guy with his CCNA can handle fixing the ASA.
 
I see where you are coming from, but if someone that has their CCNA can't figure out pfsense, they are retarded.
 
I would agree. My point is some companies would prefer a one-vendor solution like Cisco. Some don't care and would be OK with something home-brewed like pfSense. This is a classic case in IT of build vs. buy. Both solutions are viable options, but both have their pluses and minuses. I am simply providing an alternative to the OP.
 
Another vote for pfSense. I did a setup like the one you describe for an office building that provides every tenant with internet, with a pfSense and 3 HP ProCurves. Each office gets its own VLAN/subnet. Setting up a DMZ where tenants can have public IPs instead of being behind the building's NAT is trivial. MultiWAN is an option (fail over and load balancing), and with a little bit of tweaking routing for a VLAN you could dedicate a WAN to a specific VLAN - if someone wanted to pay extra to have their own dedicated line.
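The per-tenant VLAN/subnet layout the post above describes (one VLAN and subnet per tenant with pfSense as the gateway, a DMZ VLAN for tenants who want public IPs, and a tenant on a dedicated WAN), as an added planning sketch written for this thread. It is not pfSense code or a pfSense config export; the VLAN numbering, address blocks, WAN/gateway-group names and the inter-VLAN policy are assumptions. The point it adds is the check a practitioner wants before trunking tenants onto a shared router: no overlapping subnets, no duplicate VLAN IDs, and an explicit policy that lets tenants reach the WAN and the DMZ but never each other, because a router that carries every tenant VLAN will happily forward between them unless told not to.

```python
"""Address/VLAN plan for a multi-tenant building on one pfSense box: every
tenant gets its own VLAN and /29 with pfSense as gateway, a DMZ VLAN carries
public IPs, and a tenant paying for a dedicated line is policy-routed to that
WAN.  Added planning sketch for this thread, not pfSense code; VLAN numbering,
address blocks, WAN names and the policy below are assumptions."""
import ipaddress
from itertools import combinations

TENANT_VLAN_BASE = 100          # assumed: tenant i gets VLAN 100 + i
DMZ_VLAN = 900                  # assumed DMZ VLAN ID
WAN_GROUP = "WAN_LB"            # assumed gateway group (multi-WAN load balance)


def build_plan(tenants, tenant_block="10.20.0.0/16", dmz_block="203.0.113.0/28",
               dedicated=None):
    """tenants: tenant names in port order.  dedicated: {tenant: "WAN2"} for
    tenants with their own line.  Returns {name: {kind, vlan, subnet, gateway, route}}."""
    dedicated = dedicated or {}
    pool = ipaddress.ip_network(tenant_block).subnets(new_prefix=29)  # /29: 6 hosts
    plan = {}
    for i, name in enumerate(tenants):
        net = next(pool)
        plan[name] = {
            "kind": "tenant",
            "vlan": TENANT_VLAN_BASE + i,
            "subnet": net,
            "gateway": net[1],                  # pfSense VLAN interface address
            "route": dedicated.get(name, WAN_GROUP),
        }
    dmz = ipaddress.ip_network(dmz_block)       # constructed documentation prefix
    plan["dmz"] = {"kind": "dmz", "vlan": DMZ_VLAN, "subnet": dmz,
                   "gateway": dmz[1], "route": WAN_GROUP}
    return plan


def check_plan(plan):
    """Reject duplicate VLAN IDs, out-of-range IDs and overlapping subnets."""
    vlans = [p["vlan"] for p in plan.values()]
    if len(set(vlans)) != len(vlans):
        raise ValueError("duplicate VLAN id")
    if any(not 1 <= v <= 4094 for v in vlans):
        raise ValueError("VLAN id out of range")
    for a, b in combinations(plan.values(), 2):
        if a["subnet"].overlaps(b["subnet"]):
            raise ValueError(f"{a['subnet']} overlaps {b['subnet']}")
    return True


def forwarding_allowed(plan, src_name, dst_name):
    """Inter-VLAN policy the router must enforce: tenants reach the WAN and the
    DMZ, never another tenant; the DMZ never initiates toward a tenant."""
    if dst_name == "wan":
        return True
    src, dst = plan[src_name]["kind"], plan[dst_name]["kind"]
    if src == "tenant" and dst == "tenant":
        return False
    if src == "dmz" and dst == "tenant":
        return False
    return True


if __name__ == "__main__":
    plan = build_plan(["suite-101", "suite-102", "suite-201"],
                      dedicated={"suite-201": "WAN2"})
    check_plan(plan)
    for name, p in plan.items():
        print(f"{name:10} vlan {p['vlan']:4} {str(p['subnet']):20} gw {p['gateway']} via {p['route']}")
    print("101 -> 102 allowed?", forwarding_allowed(plan, "suite-101", "suite-102"))
```

On pfSense the `route` field corresponds to the gateway (or gateway group) set on the tenant VLAN's pass rule, and `forwarding_allowed` is the rule set you would put on each VLAN interface: pass to the WAN gateway, pass to the DMZ subnet, block the other tenant subnets.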
 