Researching solutions for apartment buildings.

Discussion in 'Networking & Security' started by Tech249, Dec 14, 2012.

  1. Tech249

    Tech249 n00b

    Messages:
    46
    Joined:
    Sep 17, 2011
    We have started to get some clients that have apartment buildings that offer broadband with their lease, currently most have a few broadband connections and a switch.

    I would like to evolve this into a system that is more intelligent. Maybe a switch that we can limit port speed on, or some other mechanic that will help us manage the ISP connection over many users.

    Does anyone have anything they use and like or any ideas?

    Thanks!
     
  2. RocketTech

    RocketTech 2[H]4U

    Messages:
    2,359
    Joined:
    Oct 7, 2009
    I like pfSense; a separate VLAN could be used for every apartment, it does bandwidth shaping, and it has good security.
     
  3. JeffBlair

    JeffBlair Limp Gawd

    Messages:
    333
    Joined:
    Jul 13, 2009
    Yeah, my apartment complex does this as well. But, luckily they don't limit it. So, I'm getting about 80/25 at times. ;) I don't think they know what they were getting into when I moved in. ;)
     
  4. Grentz

    Grentz [H]ard as it Gets

    Messages:
    17,118
    Joined:
    May 5, 2006
    Should be able to do it with higher end Cisco/Enterprise switches. Rate limiting could work.

    If you go with VLANs, you still need the routing between them and rate limiting.

    Another option, that I have seen done, is making people use a captive portal (like a wifi hotspot) that has rate limiting as well. This works well for most devices, though can be annoying to constantly login to (once every day, etc.) and will make setting up devices like xboxs a hassle.
     
  5. bds1904

    bds1904 Gawd

    Messages:
    1,006
    Joined:
    Aug 10, 2011
    Is the goal to provide an ethernet connection to each unit or wifi?

    Are we talking about an existing network here? If so, how is each building wired currently (including the network between buildings).

    Are we talking about multiple WAN connections too?
     
  6. Tech249

    Tech249 n00b

    Messages:
    46
    Joined:
    Sep 17, 2011
    RocketTech: I might have to look into pfSense, we have used Untangle in some basic small business offices. That has been working out great. We also utilize SonicWalls.

    Grentz: I thought about the captive portal but came to the same conclusion - consoles would be a nightmare.

    bds1904: For this project it's ethernet to each unit. We have a few set up with wifi. I would consider this for both mediums.

    Most of these are existing networks that other companies screwed up or stopped caring about.

    Most installs have multiple WAN connections, a few have one large one.

    Are there any switch manufacturers that make a rate limit capable device that is priced well, between $500 - $1,000?

    Thanks for all your feedback and questions! This is turning into a good thread. :)
     
  7. bds1904

    bds1904 Gawd

    Messages:
    1,006
    Joined:
    Aug 10, 2011
    Well, I don't normally do this (only because it's roll your own hardware, the software and support are fine), but I really suggest using pfsense in this instance.

    Read up on rate limiting

    In your case you will want to use "Dynamic queue creation". That will mean no matter what your WAN connection(s) is/are, you will be presenting the network with a single default gateway. Using the "router" (pfsense box) as the rate limiting device simplifies your network setup. This will limit the traffic on a per IP basis.

    Using the pfsense box means that your internal network (network going to the appts) won't require any special hardware. In a situation with multiple buildings all you would need is the following:

    • Core switch in central location where pfsense box is
    • Switch in each building with uplinks to the core switch
    • Wiring from switch in building to each unit.

    You could even go crazy and make links from switch to switch as well as switch to core (with the appropriate configuration) for some redundancy.

    If we are talking about a really large network you could separate each building into VLANs and still use a single pfSense box to provide the routing.

    Heck, wifi could even be incorporated in this situation.
     
    Last edited: Dec 15, 2012
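A per-IP limiter of the kind bds1904 describes, as an added example (not pfSense's own code, which implements this with dummynet limiters configured in the GUI): one token bucket per source address, created the first time that address is seen, so a heavy apartment is capped at its share while a light one is untouched. The 8 Mbit/s rate, 15 kB burst, addresses and packet trace are constructed for the demo.

```python
"""Per-source-IP token-bucket limiter (added example, not pfSense's own code).

Models the effect of a limiter with a source-address mask and "dynamic queue
creation": every tenant IP gets its own bucket on first sight, so one heavy
apartment is throttled to its share while a light one is untouched.
Rates, times and addresses below are constructed for the demo.
"""
from collections import defaultdict


class PerIpLimiter:
    def __init__(self, rate_bytes_per_ms: int, burst_bytes: int) -> None:
        self.rate = rate_bytes_per_ms   # credit added per millisecond
        self.burst = burst_bytes        # bucket depth: largest allowed burst
        self.buckets = {}               # src_ip -> [tokens, last_seen_ms]

    def allow(self, src_ip: str, size: int, now_ms: int) -> bool:
        """True if the packet fits this IP's budget; the bucket is created lazily."""
        b = self.buckets.get(src_ip)
        if b is None:
            b = self.buckets[src_ip] = [self.burst, now_ms]   # dynamic queue
        tokens, last = b
        tokens = min(self.burst, tokens + (now_ms - last) * self.rate)
        b[1] = now_ms
        if tokens >= size:
            b[0] = tokens - size
            return True
        b[0] = tokens           # not enough credit: packet is dropped/queued
        return False


def run_trace(limiter: PerIpLimiter, packets):
    """Apply the limiter to (ms, src_ip, bytes) tuples; return bytes forwarded/dropped per IP."""
    forwarded, dropped = defaultdict(int), defaultdict(int)
    for t, ip, size in packets:
        (forwarded if limiter.allow(ip, size, t) else dropped)[ip] += size
    return dict(forwarded), dict(dropped)


# Constructed trace: 10.0.1.10 floods 1500-byte packets every ms (1.5 MB/s),
# 10.0.2.10 sends one 1500-byte packet every 100 ms (15 kB/s).
SAMPLE_TRACE = sorted(
    [(t, "10.0.1.10", 1500) for t in range(0, 1000)]
    + [(t, "10.0.2.10", 1500) for t in range(0, 1000, 100)]
)


def demo():
    # 8 Mbit/s per IP = 1000 bytes per ms; allow a 15 kB burst (ten full frames).
    limiter = PerIpLimiter(rate_bytes_per_ms=1000, burst_bytes=15_000)
    return run_trace(limiter, SAMPLE_TRACE)


if __name__ == "__main__":
    fwd, drp = demo()
    for ip in sorted(fwd):
        print(f"{ip}: forwarded {fwd[ip]} B, dropped {drp.get(ip, 0)} B")
```

The flooding address ends up with roughly 1 MB forwarded in the second (its 8 Mbit/s share plus the initial burst) while the light address loses nothing.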
  8. Tech249

    Tech249 n00b

    Messages:
    46
    Joined:
    Sep 17, 2011
    Sound advice, thank you. I'm going to start working with pfSense tonight and see what I can do.

    Thanks for taking the time to write this up, I really appreciate it!
     
  9. NobleX13

    NobleX13 2[H]4U

    Messages:
    3,093
    Joined:
    Jun 15, 2010
    If you can afford it, Meraki. They have the slickest and easiest interface I've seen. Otherwise go the pfsense route.
     
  10. obrith

    obrith Limp Gawd

    Messages:
    267
    Joined:
    Jun 11, 2004
    We use a SuperMicro VAR for hardware support on pfSense boxes. Next day parts, and you can keep common ones on the shelf if you've got a lot deployed. In something like this with a lot of users, I would probably go with a dual-PSU, server grade box or a CARP cluster of a few cheaper boxes.

    I also suggest investing in support from the pfSense devs - portal.pfsense.org - they're awesome and provide amazing service.

    Once you've got them set up, you won't regret running pfSense.
     
  11. Tech249

    Tech249 n00b

    Messages:
    46
    Joined:
    Sep 17, 2011
    Meraki looks awesome - they are pricey.

    Just noticed the announcement on their site - "Cisco announces intent to acquire Meraki"
     
  12. RocketTech

    RocketTech 2[H]4U

    Messages:
    2,359
    Joined:
    Oct 7, 2009
    Solid advice. When budget is tighter, I get used PowerEdge 1650/1750s off eBay: redundant PSUs, dual Broadcom/Intel GbE, redundant memory capable, RAID available, optional remote access. Bulletproof, and spare parts are cheap.
     
  13. Tech249

    Tech249 n00b

    Messages:
    46
    Joined:
    Sep 17, 2011
    Great advice on the used Dell servers.

    What other used/refurb models do people commonly use?
     
  14. schnell

    schnell Gawd

    Messages:
    763
    Joined:
    Jul 22, 2005
    ASA 5510 and a layer 3 switch, like a 3560. Each unit gets its own VLAN. All VLANs trunked out a single uplink to the ASA. Let all the VLAN routing happen in the switch. If you really want to get crazy you can do dual ASAs in active/passive. If you want to do WAN failover you will need the Security Plus license on the ASA. You can do rate limiting or policing in a 3560 to shape the bandwidth.
     
  15. RocketTech

    RocketTech 2[H]4U

    Messages:
    2,359
    Joined:
    Oct 7, 2009
    You can do all that for free with pfSense; you just need an 802.1Q capable switch and hardware to run pfSense.
     
  16. schnell

    schnell Gawd

    Messages:
    763
    Joined:
    Jul 22, 2005
    And? He asked for suggestions. I gave one. My personal opinion is a company should never sell anyone a service without a guaranteed SLA, and that would include hardware on a maintenance contract from a well known vendor that can be serviced by more than just you.
     
  17. RocketTech

    RocketTech 2[H]4U

    Messages:
    2,359
    Joined:
    Oct 7, 2009
    Right on. I was springboarding off your comment to add additional information to mine. No offense or negation intended.

    Good to know where you are coming from. I'll assume your comments are aimed at the pfSense implementation, and I'll fill you in on some information:
    SLAs are available for equipment, software, and packages of both for pfSense. Hardware can be purchased from any vendor you choose: Dell, HP, Lenovo, INTEL, etc. All vendors who have well documented and observed SLAs.
    Software support is offered by a very active community, and by many companies, all with track records.
    Just because an SLA reads Dell instead of Cisco, or BSD Perimeter rather than Juniper does not mean there is no competent support.
    pfSense is not exactly arcane; even if you were ignorant of that fact a simple Google search would lend you many, many support options.
    If you are worried about lock-ins based on knowledge, are you also concerned about lock-ins based on recurring subscriptions, proprietary hardware, proprietary protocols, upgrade programs, etc?

    Maybe you see pfSense solutions the same way I see proprietary solutions. Both have their place, both are perfectly valid options when presented and supported professionally.
     
  18. schnell

    schnell Gawd

    Messages:
    763
    Joined:
    Jul 22, 2005
    I have run pfsense at home for the last 5 years. I am well aware of its capabilities. My main point is it is much easier to find someone who can work on an ASA than pfsense. Yes I am well aware there are plenty of good pfsense guides and it is pretty darn simple to use but when the sh*t hits the fan I can be pretty sure the guy with his CCNA can handle fixing the ASA.
     
  19. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,744
    Joined:
    Feb 15, 2003
    /thread.
     
  20. bds1904

    bds1904 Gawd

    Messages:
    1,006
    Joined:
    Aug 10, 2011
    I see where you are coming from, but if someone that has their CCNA can't figure out pfsense, they are retarded.
     
  21. Tech249

    Tech249 n00b

    Messages:
    46
    Joined:
    Sep 17, 2011
    Good info on the Cisco equipment, thank you.
     
  22. schnell

    schnell Gawd

    Messages:
    763
    Joined:
    Jul 22, 2005
    I would agree. My point is some companies would prefer a one vendor solution like Cisco. Some don't care and would be ok with something home brewed like pfSense. This is a classic case in IT of build vs buy. Both solutions are viable options but both have their pluses and minuses. I am simply providing an alternative to the OP.
     
  23. RavenD

    RavenD [H]ard|Gawd

    Messages:
    1,516
    Joined:
    Jun 30, 2005
    Another vote for pfSense. I did a setup like the one you describe for an office building that provides every tenant with internet, with a pfSense box and 3 HP ProCurves. Each office gets its own VLAN/subnet. Setting up a DMZ where tenants can have public IPs instead of being behind the building's NAT is trivial. MultiWAN is an option (failover and load balancing), and with a little bit of tweaking of the routing for a VLAN you could dedicate a WAN to a specific VLAN, if someone wanted to pay extra to have their own dedicated line.