router for apartment complex

Anonymous
August 19, 2004 4:55:54 AM

Archived from groups: comp.dcom.lans.ethernet

Howdy Y'all!

I'm looking to get a new router for my apartment complex. At peak
operation, I'd be servicing no more than 48 network devices in 16
apartment units, mostly desktops and laptops used by the renters with
the exception of one web/email server visible to the outside. I'm trying
to find an effective solution for as little $$$ as possible, preferably
something under $200.

In order of necessity, this is a list of features for my ideal router:

* NAT

* a good track record for remote operation such that I won't find myself
having to make an inconvenient trip to the complex to punch a stupid
when a packet gets jammed somewhere. This is what is happening with my
BEFW11s4 which is currently handling the routing for this place.

* a good firewall. I don't know much about what makes a good firewall,
so I'm open to recommendations on what would be good here.

* 10 MBPS. That's all I really need for distributing broadband. Faster
is okay, but this is all I really need.

* SNMP management and monitoring

* web-based management (though ssh or telnet would suffice)

* dual WAN connections in case one goes out.

* compatible with the Cisco IOS features of my Catalyst 1924 switch

* some way to logically separate units of the apartments complex for
security and bandwidth management. VLANS? My CAT switch can do
port-based VLANS, but requires VTP functionality in the router.

* dynamic domain name service client, similar to the one found in most
netgear home routers

* integrated or modular support for an ADSL bridge.



I'm leaning towards getting a Linksys WRT54G ($56 at NewEgg) and putting
some 3rd party firmware on it, but I have reservations with Linksys
equipment after my experiences with my current router.

so... any recommendations on what I should get?

Thanks!
-Thomas Hallock
Anonymous
August 19, 2004 11:23:46 AM

Archived from groups: comp.dcom.lans.ethernet

On 2004-08-19, Thomas Hallock <altrouters.20.antialias@spamgourmet.com> wrote:
> I'm looking to get a new router for my apartment complex. At peak
> operation, I'd be servicing no more than 48 network devices in 16
> apartment units, mostly desktops and laptops used by the renters with
> the exception of one web/email server visible to the outside. I'm trying
> to find an effective solution for as little $$$ as possible, preferably
> something under $200.
[snip: features]

Apart from this being a bit OT here, if it has to be _cheap_: AFAIK
there's very few home-``routers'' like you describe that interact well
with ``cisco IOS features''. There are however a few open-source things
that do more or less that. If cost is really an important factor I'd
get an old pc with two network cards and start playing around with some
free software. I am partial to FreeBSD[1] although NetBSD, OpenBSD, and
various linux distributions (gentoo or debian seem to be nice) will also
do the trick. The price is that you'll have to gather the knowledge and
the various applications and utilities together yourself.

Then again, we're talking >16 users, so I don't see why the hardware has
to cost less than what you pay for _one new computer_. With a bit of
accounting you can actually afford a real router to do this.


[1] FreeBSD 4.latest, as 5 hasn't entered the -STABLE phase yet.

--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
Anonymous
September 5, 2004 8:25:16 AM

Archived from groups: comp.dcom.lans.ethernet

"jpd" <read_the_sig@do.not.spam.it> wrote in message
news:1092900227.908383@entelocal.ipberlin.com...

> If cost is really an important factor I'd get an old pc with two network
> cards and start playing around with some free software. I am partial to
> FreeBSD[1] although NetBSD, OpenBSD, and various linux distributions
> (gentoo or debian seem to be nice) will also do the trick.

A ready made FreeBSD based firewall and router distribution suitable for this
purpose is m0n0wall:
http://www.m0n0.ch/wall/

Version 1.1 came out last week. This version contains a traffic shaper and a
captive portal with a Radius client for WLAN access.

We have had this serving an apartment block for over a week now. So far the
results are good.

***

When using an old PC it is best to load the software (= firmware) on a
Compact Flash card and use an adapter to connect it to the IDE cable. No
hard drive is needed.


--
Petri Krohn
petri. krohn <a@t> iki. FI(nland)
_____________________________________________________________
Fiber-optic Community Networking: http://www.HelsinkiOpen.net
Anonymous
September 5, 2004 9:31:23 AM

Archived from groups: comp.dcom.lans.ethernet,uk.telecom.broadband

"Thomas Hallock" <altrouters.20.antialias@spamgourmet.com> wrote in message
news:altrouters.20.antialias-4AC5AB.00555419082004@geraldo.cc.utexas.edu...

> I'm looking to get a new router for my apartment complex. At peak
> operation, I'd be servicing no more than 48 network devices in 16
> apartment units...

How do you plan to share the costs?
Will you act as an ISP to your neighbors? (And pocket the profits?)

What do you call this kind of network activity? Community networking?

***

> In order of necessity, this is a list of features for my ideal router:
> * NAT
> * remote operation...
> * a good firewall...

> * 10 MBPS. That's all I really need for distributing broadband.
> Faster is okay, but this is all I really need.

Where do you get a 10Mbps connection that you can distribute freely at a
reasonable price?

I just connected a 150 apartment block to a fiber-optic Ethernet-link. The
speed had to be reduced to 6Mbps/6Mbps to get the price under 1000 euros /
month

> * dual WAN connections in case one goes out.

This is a tough one. Not too many devices around that can do this.
Some Taiwanese load balancers or "Multi-Homing Broadband Routers" have been
available in Finland. One main use has been to combine two ADSL-lines for
residential networks in housing co-operatives (HomePNA or Ethernet).

- Taicom TMH-121
http://www.taicom.com.tw/cpebu2/BU2-WEB/PDF/DM/TMH141-%...
- Leadfly ADV420
http://www.leadfly.com/ADV420_Manual_1_3_1.pdf
- Edimax BR-6524
http://www.edimax.com/html/english/products/BR-6524.htm

The price for these devices in Finland is 120 - 200 euros (including VAT)

> * some way to logically separate units of the apartments complex for
> security and bandwidth management. VLANS? My CAT switch can do
> port-based VLANS, but requires VTP functionality in the router.

You do the separation in the switch(es) using asymmetric port-based VLANs.
I believe most new switches can be configured to work this way. This is also
a standard feature in HomePNA switches.

To see how this works see the Cabletron ELS10-27MDU manual:
http://www.enterasys.com/support/manuals/hardware/3276....

***

> I'm leaning towards getting a Linksys WRT54G ($56 at NewEgg) and putting
> some 3rd party firmware on it, but I have reservations with Linksys
> equipment after my experiences with my current router.

Something like OpenWRT?
http://openwrt.org/

The user interface for OpenWRT is still lacking. My personal preference is
m0n0wall (+ PC). The user interface is excellent
http://www.m0n0.ch/wall/

What is missing from your list is a traffic shaper to stop p2p-traffic from
slowing down or blocking interactive traffic. Both WRT54G + OpenWRT and
m0n0wall can do the job.


--
Petri Krohn
petri. krohn <a@t> iki. FI(nland)
_____________________________________________________________
Fiber-optic Community Networking: http://www.HelsinkiOpen.net
September 5, 2004 9:40:44 AM

Archived from groups: comp.dcom.lans.ethernet,uk.telecom.broadband

On Sun, 5 Sep 2004 in uk.telecom.broadband, "Petri Krohn" wrote:

>> * 10 MBPS. That's all I really need for distributing broadband.
>> Faster is okay, but this is all I really need.

>Where do you get a 10Mbps connection that you can distribute freely
>at a reasonable price?

I think the poster was intending to use 10 Mbps *within the building*
as it would be sharing lower speed WAN connection(s) and 100 Mbps is
therefore not essential. Thanks for the useful links in your post.
September 5, 2004 9:57:56 AM

Archived from groups: comp.dcom.lans.ethernet

On Thu, 19 Aug 2004 00:55:54 -0500, Thomas Hallock
<altrouters.20.antialias@spamgourmet.com> wrote:

>Howdy Y'all!
>
>I'm looking to get a new router for my apartment complex. At peak
>operation, I'd be servicing no more than 48 network devices in 16
>apartment units, mostly desktops and laptops used by the renters with
>the exception of one web/email server visible to the outside. I'm trying
>to find an effective solution for as little $$$ as possible, preferably
>something under $200.
>
>In order of necessity, this is a list of features for my ideal router:
>
>* NAT
>
>* a good track record for remote operation such that I won't find myself
>having to make an inconvenient trip to the complex to punch a stupid
>when a packet gets jammed somewhere. This is what is happening with my
>BEFW11s4 which is currently handling the routing for this place.
>
>* a good firewall. I don't know much about what makes a good firewall,
>so I'm open to recommendations on what would be good here.
>
>* 10 MBPS. That's all I really need for distributing broadband. Faster
>is okay, but this is all I really need.

Good call. Used 10-meg equipment goes pretty cheap on eBay.

>* SNMP management and monitoring
>
>* web-based management (though ssh or telnet would suffice)
>
>* dual WAN connections in case one goes out.
>
>* compatible with the Cisco IOS features of my Catalyst 1924 switch
>
>* some way to logically separate units of the apartments complex for
>security and bandwidth management. VLANS? My CAT switch can do
>port-based VLANS, but requires VTP functionality in the router.

To cover your own arse, you need to isolate the tenants from each
other. If someone sniffs traffic and steals credit card info, you can
be held liable for not taking reasonable precautions. The cable
companies got dinged for this as originally, it was not a properly
isolated setup.

You're talking about pvlans or protected ports in Cisco lingo.
Essentially the "protected" ports cannot talk to each other,
effectively preventing them from directly talking to each other. You
also avoid having to manage 48 vlans and subnets.

If you go this route, you just need to make sure your router doesn't
allow routing packets back onto the internal network. Otherwise,
someone can get clever and bounce packets off the router by using a
misconfigured subnet mask. The potential for someone to try ARP cache
poisoning or flooding would still be a concern, but probably not a
huge one. Watching the syslogs on the router would help you catch
that.

I think you meant vlans in the router. I would avoid using VTP if at
all possible. Turn off CDP as well since that just advertises your
switch/router capability.



>* dynamic domain name service client, similar to the one found in most
>netgear home routers

Why worry about Dynamic DNS?

>* integrated or modular support for an ADSL bridge.
>
>
>
>I'm leaning towards getting a Linksys WRT54G ($56 at NewEgg) and putting
>some 3rd party firmware on it, but I have reservations with Linksys
>equipment after my experiences with my current router.


There are a bunch of 1924 switches on eBay at $9.99 at the moment.
They should support protected ports.
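
The mask trick described in the post above, traced through a small model to show why the router needs a "same interface in and out" drop rule next to protected ports. This is an added example, not part of the original thread; the addresses, interface names and function names are constructed, and the model assumes one flat tenant subnet with the router's LAN address on-link for every mask tried.

```python
import ipaddress

# Constructed addressing for illustration: one flat tenant subnet behind the router.
LAN = ipaddress.ip_network("192.168.10.0/24")


def host_next_hop(src_ip, src_prefixlen, dst_ip):
    """'direct' if the sending host ARPs for dst itself, else 'gateway'.

    The host decides using its own configured mask, which the tenant
    controls, not the mask the operator intended.
    """
    own_net = ipaddress.ip_interface(f"{src_ip}/{src_prefixlen}").network
    return "direct" if ipaddress.ip_address(dst_ip) in own_net else "gateway"


def router_egress(dst_ip, in_if, drop_hairpin):
    """Router's forwarding decision: egress interface name, or None if dropped."""
    out_if = "lan" if ipaddress.ip_address(dst_ip) in LAN else "wan"
    if drop_hairpin and out_if == in_if:
        return None  # never route a packet back out the interface it came in on
    return out_if


def tenant_reaches_tenant(src_ip, src_prefixlen, dst_ip, drop_hairpin):
    """Trace one packet between two tenant ports; return (delivered, reason)."""
    if host_next_hop(src_ip, src_prefixlen, dst_ip) == "direct":
        # Frame goes protected port -> protected port: the switch drops it.
        return False, "switch: protected ports cannot exchange frames"
    # Frame goes protected port -> router uplink, which the switch allows.
    out_if = router_egress(dst_ip, "lan", drop_hairpin)
    if out_if is None:
        return False, "router: ingress and egress are both lan, dropped"
    if out_if == "lan":
        return True, "router hairpinned the packet back onto lan"
    return False, "router sent the packet to wan"


def leaky_masks(src_ip, dst_ip, drop_hairpin):
    """Prefix lengths a tenant could set on src_ip that get a packet to dst_ip."""
    return [p for p in range(24, 31)
            if tenant_reaches_tenant(src_ip, p, dst_ip, drop_hairpin)[0]]


if __name__ == "__main__":
    a, b = "192.168.10.2", "192.168.10.50"  # two tenant hosts (constructed)
    for rule in (False, True):
        print("hairpin drop rule:", rule, "leaky masks:", leaky_masks(a, b, rule))
```

On a Linux-based router the drop rule modelled here corresponds to something like `iptables -A FORWARD -i eth1 -o eth1 -j DROP`, where `eth1` is an assumed name for the tenant-facing interface.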
Anonymous
September 5, 2004 8:32:55 PM

Archived from groups: comp.dcom.lans.ethernet

------------------------

>Howdy Y'all!
>
>I'm looking to get a new router for my apartment complex. At peak
>operation, I'd be servicing no more than 48 network devices in 16
>apartment units, mostly desktops and laptops used by the renters with
>the exception of one web/email server visible to the outside. I'm trying
>to find an effective solution for as little $$$ as possible, preferably
>something under $200.
>
>In order of necessity, this is a list of features for my ideal router:
>
>* NAT
>
>* a good track record for remote operation such that I won't find myself
>having to make an inconvenient trip to the complex to punch a stupid
>when a packet gets jammed somewhere. This is what is happening with my
>BEFW11s4 which is currently handling the routing for this place.
>
>* a good firewall. I don't know much about what makes a good firewall,
>so I'm open to recommendations on what would be good here.
>
>* 10 MBPS. That's all I really need for distributing broadband. Faster
>is okay, but this is all I really need.
>* SNMP management and monitoring
>
>* web-based management (though ssh or telnet would suffice)
>
>* dual WAN connections in case one goes out.
>
>* compatible with the Cisco IOS features of my Catalyst 1924 switch
>
>* some way to logically separate units of the apartments complex for
>security and bandwidth management. VLANS? My CAT switch can do
>port-based VLANS, but requires VTP functionality in the router.
>* dynamic domain name service client, similar to the one found in most
>netgear home routers
>* integrated or modular support for an ADSL bridge.
>
>
>
>I'm leaning towards getting a Linksys WRT54G ($56 at NewEgg) and putting
>some 3rd party firmware on it, but I have reservations with Linksys
>equipment after my experiences with my current router.

---------------End of Original Message-----------------

A Nortel Contivity switch fits your requirements pretty well.
They have IPSec compatible NAT so your clients can use their
VPN software through it to connect to their own company networks.

Fronting it with a BayStack 470 would also allow you to cable
the apartment units in such a way so that they can communicate
to the Internet but not with each other ("private VLAN"), for
security/liability relief. No proprietary protocols are used
to do this.

/*
Paul Tichy Houston 281-260-4849
Southwest District Architect, Switching Solutions
Nortel Networks
*/
Anonymous
September 5, 2004 8:32:56 PM

Archived from groups: comp.dcom.lans.ethernet

Paul Tichy wrote:

>
> ------------------------
>
>>Howdy Y'all!
>>
>>I'm looking to get a new router for my apartment complex. At peak
>>operation, I'd be servicing no more than 48 network devices in 16
>>apartment units, mostly desktops and laptops used by the renters with
>>the exception of one web/email server visible to the outside. I'm trying
>>to find an effective solution for as little $$$ as possible, preferably
>>something under $200.
>>
>>In order of necessity, this is a list of features for my ideal router:
>>
>>* NAT
>>
>>* a good track record for remote operation such that I won't find myself
>>having to make an inconvenient trip to the complex to punch a stupid
>>when a packet gets jammed somewhere. This is what is happening with my
>>BEFW11s4 which is currently handling the routing for this place.
>>
>>* a good firewall. I don't know much about what makes a good firewall,
>>so I'm open to recommendations on what would be good here.
>>
>>* 10 MBPS. That's all I really need for distributing broadband. Faster
>>is okay, but this is all I really need.
>>* SNMP management and monitoring
>>
>>* web-based management (though ssh or telnet would suffice)
>>
>>* dual WAN connections in case one goes out.
>>
>>* compatible with the Cisco IOS features of my Catalyst 1924 switch
>>
>>* some way to logically separate units of the apartments complex for
>>security and bandwidth management. VLANS? My CAT switch can do
>>port-based VLANS, but requires VTP functionality in the router.
>>* dynamic domain name service client, similar to the one found in most
>>netgear home routers
>>* integrated or modular support for an ADSL bridge.
>>
>>
>>
>>I'm leaning towards getting a Linksys WRT54G ($56 at NewEgg) and putting
>>some 3rd party firmware on it, but I have reservations with Linksys
>>equipment after my experiences with my current router.
>
> ---------------End of Original Message-----------------
>
> A Nortel Contivity switch fits your requirements pretty well.
> They have IPSec compatible NAT so your clients can use their
> VPN software through it to connect to their own company networks.
>
> Fronting it with a BayStack 470 would also allow you to cable
> the apartment units in such a way so that they can communicate
> to the Internet but not with each other ("private VLAN"), for
> security/liability relief. No proprietary protocols are used
> to do this.

The problem with this approach is that they might _want_ to communicate with
each other.
>
> /*
> Paul Tichy Houston 281-260-4849
> Southwest District Architect, Switching Solutions
> Nortel Networks
> */

--
--John
Reply to jclarke at ae tee tee global dot net
(was jclarke at eye bee em dot net)
September 6, 2004 9:36:56 AM

Archived from groups: comp.dcom.lans.ethernet

>> Fronting it with a BayStack 470 would also allow you to cable
>> the apartment units in such a way so that they can communicate
>> to the Internet but not with each other ("private VLAN"), for
>> security/liability relief. No proprietary protocols are used
>> to do this.
>
>The problem with this approach is that they might _want_ to communicate with
>each other.

Yeah, that's a possibility. I still wouldn't advise allowing them.
I'd rather have a secure setup and avoid the possibility of a tenant
pointing the finger at my setup as the reason they got hacked by their
neighbor.

If you're natting, then they can still talk, but it's through the
front end router where you can still control unsafe ports.


-Chris
Anonymous
September 7, 2004 5:38:39 AM

Archived from groups: comp.dcom.lans.ethernet

------------------------
From: "J. Clarke" <jclarke@nospam.invalid>
Subject: Re: router for apartment complex
Date: Sun, 05 Sep 2004 14:33:29 -0400
To: "comp.dcom.lans.ethernet" >
>>Howdy Y'all!
>>
>>I'm looking to get a new router for my apartment complex. At peak
>>operation, I'd be servicing no more than 48 network devices in 16
>>apartment units, mostly desktops and laptops used by the renters with
>>the exception of one web/email server visible to the outside. I'm trying
>>to find an effective solution for as little $$$ as possible, preferably
>>something under $200.
>>
>>In order of necessity, this is a list of features for my ideal router:
>>
>>* NAT
>>
>>* a good track record for remote operation such that I won't find myself
>>having to make an inconvenient trip to the complex to punch a stupid
>>when a packet gets jammed somewhere. This is what is happening with my
>>BEFW11s4 which is currently handling the routing for this place.
>>
>>* a good firewall. I don't know much about what makes a good firewall,
>>so I'm open to recommendations on what would be good here.
>>
>>* 10 MBPS. That's all I really need for distributing broadband. Faster
>>is okay, but this is all I really need.
>>* SNMP management and monitoring
>>
>>* web-based management (though ssh or telnet would suffice)
>>
>>* dual WAN connections in case one goes out.
>>
>>* compatible with the Cisco IOS features of my Catalyst 1924 switch
>>
>>* some way to logically separate units of the apartments complex for
>>security and bandwidth management. VLANS? My CAT switch can do
>>port-based VLANS, but requires VTP functionality in the router.
>>* dynamic domain name service client, similar to the one found in most
>>netgear home routers
>>* integrated or modular support for an ADSL bridge.
>>
>>
>>
>>I'm leaning towards getting a Linksys WRT54G ($56 at NewEgg) and putting
>>some 3rd party firmware on it, but I have reservations with Linksys
>>equipment after my experiences with my current router.
>
> ---------------End of Original Message-----------------
>
> A Nortel Contivity switch fits your requirements pretty well.
> They have IPSec compatible NAT so your clients can use their
> VPN software through it to connect to their own company networks.
>
> Fronting it with a BayStack 470 would also allow you to cable
> the apartment units in such a way so that they can communicate
> to the Internet but not with each other ("private VLAN"), for
> security/liability relief. No proprietary protocols are used
> to do this.

The problem with this approach is that they might _want_ to communicate with
each other.
>
> /*
> Paul Tichy Houston 281-260-4849
> Southwest District Architect, Switching Solutions
> Nortel Networks
> */

--
--John
Reply to jclarke at ae tee tee global dot net
(was jclarke at eye bee em dot net)
---------------End of Original Message-----------------

And naturally, the same product can be configured to do
that, if desired. It isn't all or none.

/*
Paul Tichy Houston 281-260-4849
Southwest District Architect, Switching Solutions
Nortel Networks
*/
Anonymous
September 14, 2004 8:51:43 AM

Archived from groups: comp.dcom.lans.ethernet,uk.telecom.broadband

"Petri Krohn" <etunimi.sukunimi@iki.fi.invalid> wrote in message
news:chdtp2$p6r$1@news.bbnetworks.net...

> You can do the separation in the switches using asymmetric port-based
> VLANs. This is also a standard feature in HomePNA switches.

> To see how this works see the Cabletron ELS10-27MDU manual:
> http://www.enterasys.com/support/manuals/hardware/3276....

Cisco calls this feature "Private VLANs" (PVLANs) or "protected ports".
The feature is not supported on the Catalyst 1924 switch.

See the "Private VLAN Catalyst Switch Support Matrix":
http://www.cisco.com/warp/public/473/63.html

It is also described in RFC 3069 -
VLAN Aggregation for Efficient IP Address Allocation:
http://www.faqs.org/rfcs/rfc3069.html


--
Petri Krohn
petri. krohn <a@t> iki. FI(nland)
_____________________________________________________________
Fiber-optic Community Networking: http://www.HelsinkiOpen.net