As many people know by now, I have moved to Tennessee and started building a house. While the house is being built we are living in a Motor Coach we purchased and staying long-term in a really nice RV park. The people there are great and the owners are really nice and fun to talk to. One of the first things I noticed after moving in was that the wireless internet was HORRIBLE. Of course, being like all of my technical friends, I offered to help out. Here is the adventure I have been on and where it is going. I learned a lot about wireless networks along the way!
The first thing I found was that the main office has a Comcast Cable business line that initially supported 25 Mbps down and 7 Mbps up, which is generally pretty good. The first test was to confirm that this speed actually reached the modem, measured from a laptop hard-wired to it. Then I learned they were using some old gear from a company called Alcon that I had never heard of. It consisted of a B/G access point on the office roof and a B/G repeater about 450′ away on the bath house. The repeater was needed because there is no hardline to that location. The main issue was that the repeater was killing the signal and then cutting the throughput in half, which is what a single-radio repeater does: it has to receive every frame and retransmit it on the same channel. Coupled with the fact that it was about 5 years old and only supported B/G, it was time to upgrade all of this. Lastly, there were users abusing the connection by streaming and constantly hogging whatever bandwidth was available to the other campers. In talking to the owners, everyone agreed it was time for an upgrade and some changes.
Let me start by showing the diagram of what we have set up, then explain the components and some of the technical details, several of which I actually learned through this process.
The Right Access Points
The first thing I did was contact EnGenius Technologies about their dual-radio outdoor units. They were great on the phone and understood exactly what I wanted to do. The solution was to use TWO identical access points and NO repeaters, specifically the ENH700EXT model. One access point at the office would be hard-wired to the router over a gigabit connection. We would use the 2.4 GHz radio only for client connections and the 5 GHz radio as a dedicated WDS back-haul link between the two APs. The second AP provides the same 2.4 GHz client connections and sends all of that traffic back to the first AP over the separate back-haul link. This was perfect, since there are separate radios for the two networks and the back haul no longer competes with clients for airtime. The only hitch so far is the distance between the APs on the back haul. In their current locations we get about -79 dBm, which equates to about 13 Mbps between them. Not horrible, and CERTAINLY better than the old repeater. We will be playing with placement to see if we can improve this. For reference, here is a table from a Cisco forum that really helped in understanding the possible speeds at each signal level.
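To put the -79 dBm figure in context, here is an added example (not part of the original post) that works out the free-space link budget for a 450′ path at 5 GHz and 2.4 GHz and the signal-to-noise ratio behind the back-haul rate. The transmit power (20 dBm), antenna gains (5 dBi each) and receiver noise figure (6 dB) are assumed placeholder values, not ENH700EXT specifications; the distance and the measured -79 dBm come from the post. The gap between the free-space expectation and the measured value is the loss you can try to win back with placement and line of sight.

```python
"""Link-budget calculator for a point-to-point WDS back haul.

Added example, not code from the original post.  TX power, antenna gains
and noise figure below are ASSUMED placeholders, not vendor specifications.
"""
import math

FT_PER_M = 3.28084
THERMAL_NOISE_DBM_PER_HZ = -174.0   # kTB at room temperature


def feet_to_m(feet: float) -> float:
    return feet / FT_PER_M


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss (Friis): 20log10(d) + 20log10(f) - 147.55 dB."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_hz) - 147.55


def expected_rssi_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                      distance_m: float, freq_hz: float) -> float:
    """Received power with nothing but free-space loss on the path."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz)


def excess_loss_db(measured_dbm: float, expected_dbm: float) -> float:
    """Loss beyond free space: trees, walls, cable loss, misalignment."""
    return expected_dbm - measured_dbm


def noise_floor_dbm(bandwidth_hz: float, noise_figure_db: float) -> float:
    """Receiver noise floor for a given channel width (20 or 40 MHz)."""
    return THERMAL_NOISE_DBM_PER_HZ + 10 * math.log10(bandwidth_hz) + noise_figure_db


def snr_db(rssi_dbm: float, bandwidth_hz: float, noise_figure_db: float) -> float:
    """SNR is what sets the usable MCS; doubling channel width costs ~3 dB."""
    return rssi_dbm - noise_floor_dbm(bandwidth_hz, noise_figure_db)


def backhaul_report(distance_ft: float = 450.0, measured_dbm: float = -79.0,
                    tx_dbm: float = 20.0, tx_gain_dbi: float = 5.0,
                    rx_gain_dbi: float = 5.0, noise_figure_db: float = 6.0) -> dict:
    """Summarise the link at 2.4 GHz (ch 6) and 5 GHz (ch 36)."""
    d_m = feet_to_m(distance_ft)
    report = {}
    for band, f_hz in (("2.4GHz", 2.437e9), ("5GHz", 5.18e9)):
        expected = expected_rssi_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, d_m, f_hz)
        report[band] = {
            "fspl_db": round(fspl_db(d_m, f_hz), 1),
            "expected_rssi_dbm": round(expected, 1),
            "excess_loss_db": round(excess_loss_db(measured_dbm, expected), 1),
        }
    # SNR at the measured level for the two channel widths the post considers
    report["snr_20mhz_db"] = round(snr_db(measured_dbm, 20e6, noise_figure_db), 1)
    report["snr_40mhz_db"] = round(snr_db(measured_dbm, 40e6, noise_figure_db), 1)
    return report


if __name__ == "__main__":
    for key, value in backhaul_report().items():
        print(f"{key}: {value}")
```

With the assumed radio figures the 5 GHz path should lose about 89.5 dB in free space and arrive around -59 dBm, so a measured -79 dBm means roughly 20 dB is being lost to something other than distance. Moving to a 40 MHz channel doubles the noise floor, which shows up here as about 3 dB less SNR at the same RSSI, so a wider channel only helps if the link already has margin to spare.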
Now that we had the two new access points installed and connected, we needed to contend with the "abuse" of the internet. We set up two SSIDs and two VLANs so we can separate campers from office use. We also upgraded the line from 25/7 to 50 Mbps down and 10 Mbps up.
Adding a Small Business Router
I've had really good experience with the Cisco RV series at home, so I picked up a Cisco RV180 small business router to replace the home-user-grade Linksys unit that all the campers were ultimately going through. You need to imagine about 50-60 camp sites, each with an average of two devices, all connecting. Even a /24 might barely be big enough to handle all the IP addresses. We reserved an entire /24 for the campers and, because so many stays are overnight, set the DHCP lease time to 8 hours. Sounds like a simple thing, but how often do leases get eaten up and held for a day or longer by devices that left the park? Half the spots here are overnight use, so 8 hours is plenty, and the long-term folks simply keep renewing as needed.
However, the challenge is that the new APs are N-capable and can support much higher speeds on the client side, but the back haul is currently maxed out at about the 14.4 Mbps shown above. We may try changing to a 40 MHz channel and moving the unit, but right now that's a stable number. So if half the sites all start hammering things, the back haul itself would clog up.
So we decided to implement the rate-limiting capability on the router. Basically, we set up two VLANs to match the APs and separate DHCP scopes on each VLAN, all on the RV180. The camper SSID limits users to 768 Kbps upstream, while the office private SSID and VLAN are unrestricted. We still run the risk of the back haul filling up, but that would take a handful of people all consuming their full allotment at once. We may not see this until the park fills to capacity, but I have already seen as many as 18 devices connected to the second AP. I actually need to talk to the owners about placing more people near the primary AP, which usually has only about half as many users connected right now. By rate limiting we are able to better control access and give all the campers a fair and even chance of connecting. The goal is to make everyone happy, but the noisy neighbors doing downloads will always complain.
I am a HUGE fan of OpenDNS, and they now offer a free tier for basic filtering on a single IP. This was the final step in providing safe, secure browsing. We set up statistics and blocked harmful adware sites, and are considering other categories like pornography just to minimize the possibility of unruly usage. We also used the RV180 to force all DNS requests through the OpenDNS servers so people cannot get around it. All clients get their DNS server from the RV180 via DHCP, the router forwards the requests, and DNS on port 53 is blocked from the general networks, so even if people change their DNS it just won't work.
We did this by enabling the DNS proxy feature in the RV180 so all DHCP subnets get cached lookups from the router, and then adding a firewall rule to BLOCK DNS on TCP and UDP port 53 from the public subnet range to anything other than the router itself. That way, if people manually change their DNS server to go around OpenDNS, the requests are blocked and they have to fall back to the router's DNS proxy. Rule order matters here: the allow for the router's own address has to be evaluated before the deny, or you block your own proxy. OpenDNS is great, but on its own people can bypass it by changing their local settings, so if you want it truly enforced you have to think it through. Note that this only catches plain DNS on port 53; a client that tunnels its DNS inside a VPN never touches port 53 and is not affected by the rule.
Although I am not a networking expert by any means, this was a cool project that got me to learn more about outdoor wireless setups. I had never used them or set up WDS before and wanted to make sure the place was configured correctly. The owners were very agreeable to doing things right and giving people fair access for everyone. I will continue to tweak things and update this post as I learn more or make changes, but so far things are going well!
UPDATE: It turns out the RV180 only limits UPLOAD, not download, which is sort of a half-truth in the router's specification and settings. The UI says it can do priority limiting and asks for "Total Internet Bandwidth", which implies both upstream and downstream. After calling Cisco, I learned it is upstream only. I told Cisco that the documentation and UI lead nobody to expect this and should be updated, and that the feature should do both. I opened a ticket for Cisco to consider a feature request, since the other RV units limit both up and down; the unfortunate thing is that nothing else does the nice per-VLAN routing and per-VLAN DHCP this unit does at its price point. We may stick with it using upstream limits and hope that Cisco wakes up and adds downstream limiting.
UPDATE (5/19/2014): The other thing I discovered is that many wireless vendors do NOT pass VLAN trunks over a WDS link. In this setup the first AP passes VLAN tags directly to the switch since it is hard-wired. The second AP is not wired and uses the WDS link, so it will only pass the native (untagged) VLAN across that link. In order to manage the bandwidth limiting, I therefore had to rearrange things as below.
Main Access Point:
SSID1 = Public Clients, VLAN 1, Untagged (192.168.1.x/24)
SSID2 = Private Clients, VLAN 2, Tagged (192.168.2.x/24)
Management IP = Untagged (192.168.1.2)
2nd Access Point:
SSID1 = Public Clients, VLAN 1, Untagged
SSID2 = Private Clients, VLAN 2, Untagged
Management IP = Untagged (192.168.1.3)
Once the campers and the office gear were on separate VLANs, I was able to apply the rate limit to VLAN 1. Office people connecting to the 2nd Access Point still land on VLAN 1 (the WDS link only carries the native VLAN) and would still get limited, BUT because they use a different SSID we can identify the MAC addresses of employees and exempt those MAC addresses from the rate limit. It's much easier to allow a few specific people when needed.
So far the OpenDNS side is working perfectly: having the DNS proxy enabled on both VLANs lets the router cache and forward, while the firewall rule denies DNS lookups from the LAN side to anything else, so even if people change their DNS servers they cannot bypass OpenDNS. I also set up a VPN for myself for remote access to everything, and the last thing I will play with is using the firewall to block the public DHCP clients from reaching the office network. I need to keep inter-VLAN routing in place so the office machines can reach the management IPs of the access points, but I should still be able to block the public-to-office direction with a firewall rule. One caveat to keep in mind with this layout: the AP management IPs (192.168.1.2 and 192.168.1.3) are untagged on VLAN 1, the same subnet the campers are on, so the AP login pages are reachable from the public network and need strong credentials or a source-IP restriction on the APs themselves.
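The DNS pinning and the planned public-to-office block are both first-match firewall rules, and the post's point that "you have to think it through" is mostly about rule order. Here is an added example (not the RV180 configuration or any code from the original post) that models that rule set as a small first-match policy evaluator and runs sample packets through it, including a deliberately misordered copy that blocks the router's own DNS proxy. The subnets and AP management addresses come from the post; the router address 192.168.1.1, the sample client addresses and the external hosts are assumptions for illustration.

```python
"""First-match firewall policy model for the camper/office VLAN split.

Added example, not the RV180's own configuration.  Subnets and AP
management IPs are from the post; the router address and sample hosts
are ASSUMED for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PUBLIC = "192.168.1.0/24"            # VLAN 1, campers (from the post)
OFFICE = "192.168.2.0/24"            # VLAN 2, office (from the post)
ROUTER = "192.168.1.1/32"            # assumed RV180 LAN address on VLAN 1
AP_MGMT = ("192.168.1.2/32", "192.168.1.3/32")  # AP management IPs (from the post)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    note: str = ""

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def policy() -> List[Rule]:
    """Rules in the order they must be evaluated (first match wins)."""
    rules = [
        # 1. Campers may talk DNS to the router's proxy (which forwards to OpenDNS)
        Rule("allow", PUBLIC, ROUTER, "udp", 53, "router DNS proxy"),
        Rule("allow", PUBLIC, ROUTER, "tcp", 53, "router DNS proxy (TCP)"),
        # 2. ...and to nothing else on port 53, so a hand-set resolver fails
        Rule("deny", PUBLIC, ANY, "udp", 53, "no external DNS"),
        Rule("deny", PUBLIC, ANY, "tcp", 53, "no external DNS (TCP)"),
        # 3. Office machines must still reach the AP management addresses
        *[Rule("allow", OFFICE, ap, "any", None, "office to AP mgmt") for ap in AP_MGMT],
        # 4. Campers may not reach the office VLAN at all
        Rule("deny", PUBLIC, OFFICE, "any", None, "campers to office"),
    ]
    return rules


def misordered_policy() -> List[Rule]:
    """Same rules with the blanket port-53 deny placed first: breaks the proxy."""
    rules = policy()
    return rules[2:4] + rules[0:2] + rules[4:]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int,
             default: str = "allow") -> Tuple[str, str]:
    """Return (action, note) of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.note
    return default, "default"


# Constructed sample flows (addresses other than the subnets are assumptions)
SAMPLE_FLOWS = [
    ("camper -> router DNS",      "192.168.1.50", "192.168.1.1",   "udp", 53),
    ("camper -> Google DNS",      "192.168.1.50", "8.8.8.8",       "udp", 53),
    ("camper -> office SMB",      "192.168.1.50", "192.168.2.10",  "tcp", 445),
    ("camper -> web",             "192.168.1.50", "93.184.216.34", "tcp", 443),
    ("office -> AP mgmt",         "192.168.2.10", "192.168.1.2",   "tcp", 443),
    ("office -> external DNS",    "192.168.2.10", "8.8.8.8",       "udp", 53),
]


def run(rules: List[Rule]) -> dict:
    """Evaluate every sample flow and return {label: action}."""
    return {label: evaluate(rules, *flow)[0] for label, *flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, action in run(policy()).items():
        print(f"{label:24s} {action}")
    print("misordered, camper -> router DNS:",
          evaluate(misordered_policy(), "192.168.1.50", "192.168.1.1", "udp", 53))
```

The evaluator is stateless and treats the router's default forwarding as "allow", which is enough to show the two things the post cares about: the allow for the router's own address has to sit above the blanket port-53 deny, and the camper-to-office deny must not be written so broadly that it also catches the router or the AP management addresses that office machines still need.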
I can still add another public VLAN on the wired access point if we ever need a separate broadcast domain, but for now at least all public clients are in one space.