Need some help with networking a coffee shop.

TheBlueChanell

My parents are going to be opening up a coffee shop and my mom asked me if I'd help figure out the best and most secure way to hook everything up.

They would like to have the POS system, 2 desktops and 2 laptops all linked securely and then have a public hot spot for the customers.

What would be the best way to do this?

EDIT: I'm also looking for a router for home use. It's going to be replacing a 3 year old Netgear Rangemax G that is slowly dying out. I'd like to spend no more than $100 and I'd prefer wireless N for the laptops as well as Ethernet capability for the remaining desktops in the house. (Which are only mine haha :D)
 
I'd go with a router that supports QoS well. At least a business grade router, not some home grade one.

I'd uplink a managed switch to it which supports port based VLANs...put your office rigs on VLAN1, and create a second VLAN, VLAN2, which has an access point uplinked to it. This way wireless "guest" clients cannot access any of the office rigs, pretty much separated networks..only sharing an internet connection. I'd go with a business grade AP also..home grade ones will not handle concurrent clients very well (more than several wireless clients)

Good QoS control would prevent those abusive users from sucking up the rest of the bandwidth.

May also consider something like a "captive portal"..in which you change the password on some sort of basis. This way you help cut down on "neighboring kids" from sucking up the bandwidth.

Might want to consider running a *nix router distro as your primary router, greater stability, usually good QoS/Traffic shaping, ability to "cap" client bandwidth, and many have built in captive portals. PFSense would be my first choice.
 
What router would you recommend? What switch would you recommend? I'm not familiar with captive portal; is that on the hardware or software side of things? I'm going to look into PFSense; is DD-WRT something similar or different?
 
I'd shoot for a PFSense solution first. But I realize that building and implementing a *nix router distro isn't for everyone. Not that they're hard...they're actually quite easy...you don't have to know linux. If you've played with DD-WRT...you already show some desire to experiment a bit with stuff like this.

For an "off the shelf retail router"...I'd go with a Cisco/Linksys RV082.

The RV0 series has a managed switch on the LAN side that allows you to do port based VLANs right from there.

I don't know the size of the shop..but if it's small, and you plan on having only a couple of wireless clients at a time...you may be able to get by with a router running DD-WRT. It can VLAN, do multiple SSIDs, VLAN wireless clients (I think that's important..wireless client isolation), and they are coming out with (if they haven't already) an open source captive portal add-on:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=53293&sid=1b9a9f28029faf519dd3cfa7bc4029d8
 
YeOlde does the RV042 have the port based, or only RV082 and higher?

Have a good weekend?
 
Originally it didn't, they may have added it in newer firmware versions....I haven't looked for it on them....won't be around one for a while.

Weekend was awesome, lotta time on the boat 'n beach 'n cooking out.
 
Alrighty. I've got the RV082 sitting right next to me. I've been browsing the pfsense forums and I'm not sure if I should run it off a desktop?

Am I able to just load pfsense onto the router itself and configure it that way or do I need to use a PC for this?
 
why would you load pfsense onto the RV082?

The RV082 is the router firewall and lets you do the vlan
 
pfsense would run on a separate computer and be the gateway for (at the minimum) your guest traffic so that you can set up a captive portal and QoS / bandwidth limits.
 
ty. I've got everything up and running. The next question I have is, is there a way to automatically direct the customers to the shop's homepage when they connect to our network?
 
If you wanted to get fancy you could even set up a page where users had to agree to certain terms of service before using your internet (this is what YeOlde meant about a captive portal, I believe), and then after they click through that they are redirected to your home page.
 
I would completely segregate the two networks, most likely physically

have your POS system and any back office computers on one network, and have a guest WAP with a captive portal on another. Can't recall if you can segregate switchports on those linksys routers, but the RV's are dual WAN routers, if you get a business connection it will likely come with two or more IP's, use one for the "office" network, and one for your "guest" network
 
Yeah. We have 5 separate IP's. We have the POS hooked straight into the modem. I have RV082 setup with VLAN1 for the office pc's and VLAN2 for the Public Router.

I'm gonna fiddle with pfsense later on. I've got some time before it opens.
 
You have the POS hooked straight into the modem...? Like.. no firewall between it and the internet?
 
That just made my eyes pop out too! Hopefully it's a combo modem/router doing the NAT...and not just a pure bridged modem.
 
I'm not too sure to be honest. The POS is the one thing I didn't do myself. The company that does the POS stuff installed it and configured it. I do believe that our modem has a firewall though. I was told not to touch it but if it's not secure I really don't care.

It has its own IP and it's the only thing running off that port of the modem. The other port is used for the RV082 and the Netgear we're using as a tide me over router until we get a new one for the customers once we open.

Would I be better off running the POS off one of the VLAN1 ports? That's an easy fix.
 
If it was me, I'd do dual internet connections and keep everything for the business locked down and all WIRED.

Then, get another line for just hotspot. Setup a router with DD-WRT. Set the broadcast time for the hours of the shop. Use untangle to filter content/categories/protocols/qos along with opendns. Other than the cost of an old machine for UT and a dd-wrt able device, it would be low buck and simple.

Boom done.
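
Added example, not part of the thread and not any poster's code: a check to run from a laptop joined to the guest hotspot, confirming that the office VLAN and the POS discussed above are not reachable from the guest side. The addresses, host names and ports below are constructed assumptions; replace them with services you know are listening when probed from the office network.

```python
import socket

# Constructed sample targets (assumptions): office-side hosts and ports that
# are known to answer from inside the office VLAN.
OFFICE_TARGETS = {
    "office-pc": ("192.168.1.10", [445, 3389]),
    "pos": ("192.168.1.20", [445, 1433]),
    "router-admin": ("192.168.1.1", [80, 443]),
}

def tcp_connects(host, port, timeout=1.5):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered, unroutable or timed out: not reachable.
        return False

def check_isolation(targets, probe=tcp_connects):
    """Probe every office-side host/port from the guest network.

    Returns a list of (name, host, port) tuples that answered. An empty
    list is the expected result when guest and office are separated.
    """
    leaks = []
    for name, (host, ports) in sorted(targets.items()):
        for port in ports:
            if probe(host, port):
                leaks.append((name, host, port))
    return leaks

def report(leaks):
    """Format the result as a short PASS/FAIL summary."""
    if not leaks:
        return "PASS: no office-side service reachable from the guest network"
    lines = ["FAIL: guest network can reach office-side services:"]
    lines += [f"  {name} {host}:{port}" for name, host, port in leaks]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(check_isolation(OFFICE_TARGETS)))
```

A PASS only means something if the same ports answer when the script is run from an office-side machine, so run it there first to confirm the targets are live.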
 