Help a noob spec WiFi for a church

[itpromike]

So I'm trying to put this wifi network together for a price that won't break the bank since these folks don't have much of a budget. The building is probably 4000 Squarefoot or so and they want to be able to cover the area and make Wi-Fi available for folks in service on Sundays (about 250 clients) and then during the week they have tutoring going on so like 20 to 30 clients. The building setup is basically a dome and then attached behind that a long rectangular hallway with some offices. Initially I used a UniFi LR and but even when only like 15 clients were connected it seemed to drop clients left and right so I'm not sure what was up there.

I'm thinking I need to use a router and a separate unit as a Wireless AP and put a few of those wireless AP's in various spots spread through the building - my questions though are:

1.) what are some good routers for this type of application? or should I get a cheap all-in-on router/wifi and just use it as a router?
2.) What are some reliable AP's I can use to spread throughout the building?
3.) Is this even the best solution or will this severely limit the throughput?

Any guidance or help with this would be great, thanks guys!

 

[htismaqe]

Router + independent wired APs is the way to go. Are you looking at PoE to power the APs or just plugging them in?

 

[clifton.stokes]

I had to do something similar at my church. I ended up getting all that I needed from Ebay. A lot of people are upgrading to AC AP's and there are some good deals on dual band AP's.
I also bought a managed POE switch so that I could have a guest and work wireless setup.

I would get with a POE Switch so you can just scatter AP around the building.
The one area I spent some money on was a UTM to filter the internet. It was a little expensive and there is the cost for the licensing but for a church it is worth it to filter it so
there is no need to worry about what content is being used on their system.

I got a good deal on some Brocade components but it you look around you should be able to find some Cisco AP for a reasonable price. Look for someone selling a lot of them and get a few spares because you don't know when might need more capacity or to replace a faulty unit.

If you need more info I will be glad to help you. (if you don't need much speed, just capacity I have a turnkey system (AP's, power inserter, Switch All you need is cables) that I need to sell after I upgraded our church. (it is B and A)

 

[itpromike]

Router + independent wired APs is the way to go. Are you looking at PoE to power the APs or just plugging them in?

Sorry for the delay in answering, was out all day. That's a good question though... So my understanding is that you shouldn't piggy back an access point off another access point because that severely degrades your speed.... that correct? If that's the case my best bet would be to run each AP directly from the switch - however my concern is, that might prove to be very difficult because of how the building was constructed. It might be doable but I'd have to look into it a bit more. That being said what would a good choice of equipment be for:

1.) If I couldn't run each AP directly from the router/switch and had to daisy chain each AP wirelessly to each other?
2.) If running each AP directly from the router/switch was feasible...?

 

[htismaqe]

Yeah, it's not desirable to use wireless for the AP to router uplink since you'll take a performance hit or limit your options at the far end.

If you HAVE to use wireless for the links, it would be advisable to use dual-band APs so that you can use one band for the link and the other for the users. However, as mentioned previously, that has its own set of issues.

 

[System Error Message]

You can use inexpensive indoor dual band AC APs and some of them cost $80 or less. Go with cheap stable consumer or enterprise grade ones but if you use your APs as only APs doing nothing else than you can get cheaper APs as long as they are from a reliable brand. A managed/semi managed switch with POE is a good option and wiring the APs to a switch is the best way for performance. You may need to work out 2.4 Ghz frequencies but on 5Ghz you can bunch together many in the same place.

It is most desirable to wire APs to a switch via ethernet however if it is not possible avoid using WDS or wireless bridging, instead look at other options such as MoCA or ethernet over powerline. If you need to bridge wifi and cannot use wire than the best thing to do performance wise is get 2 more APs and fit them with directional antennas of narrow angles and use that to bridge on the 5 Ghz band. This would reduce the performance impact from bridging wifi and wire on to switch and the other to the AP that needs to be bridged.

For security, i suggest you use a managed switch and WPA2 auto with frequent key changes on your APs coupled with hotspot/radius. You can save some money by reusing a PC and installing a UTM firewall or OS like pfsense. UTM firewalls, pfsense and reusing a PC is faster and cheaper than buying a high end router and provides more features. For best performance make sure to use intel NICs on the router or you can buy a dual NIC intel card for the router PC. I also suggest checking on protecting against man in the middle attacks or the famous pineapple hack. Almost every home network is vulnerable to this and some business/public networks but it can be prevented using a managed switch, a router that can perform layer 2 check, hotspot/radius and dropping NATed packets (requires NAT detection). Since the church is a public place there will always be people who will want to leech free wifi to their nearby homes or exploit it to gain access to other peoples online accounts and expect lots of load or stress on the network. I have been to a number of public places that offer free wifi and because of the amount of stress placed on wireless their APs/router did need reboot since internet on their network became very slow or non existant.

 

[stevech]

I'd skip premium $ for AC for this church setting.
I'd use 11n APs that are under $50.

Be sure to have WPA on, and/or a guest SSID that routes only to the Internet. If residences are in range, maybe no unencrypted guest SSID at all.

 

[thiggins]

What's the internet bandwidth available? With 250 clients peak, you're going to need some sort of bandwidth control at the APs. You will probably also need port/service blocking so that a few streamers don't hog bandwidth.

You will need more APs than you think, not just for coverage but to handle the peak load on Sunday.

 

[htismaqe]

Hopefully you peak load is before and after service! Unless your users are on Bible Gateway I imagine your pastor is going to have a problem!

 

[itpromike]

Hopefully you peak load is before and after service! Unless your users are on Bible Gateway I imagine your pastor is going to have a problem!

LOL, usually after. I used the 250 clients number because we can at times have that many people in attendance on Sunday but I'm sure the actual wifi usage would be much less.

 

[itpromike]

I'd skip premium $ for AC for this church setting.
I'd use 11n APs that are under $50.

Be sure to have WPA on, and/or a guest SSID that routes only to the Internet. If residences are in range, maybe no unencrypted guest SSID at all.

Yeah I think I might save some money and go with N AP's instead of AC - I'm doing this for them and buying this stuff myself so I'd like to save money where I can.

You can use inexpensive indoor dual band AC APs and some of them cost $80 or less. Go with cheap stable consumer or enterprise grade ones but if you use your APs as only APs doing nothing else than you can get cheaper APs as long as they are from a reliable brand. A managed/semi managed switch with POE is a good option and wiring the APs to a switch is the best way for performance. You may need to work out 2.4 Ghz frequencies but on 5Ghz you can bunch together many in the same place.

It is most desirable to wire APs to a switch via ethernet however if it is not possible avoid using WDS or wireless bridging, instead look at other options such as MoCA or ethernet over powerline. If you need to bridge wifi and cannot use wire than the best thing to do performance wise is get 2 more APs and fit them with directional antennas of narrow angles and use that to bridge on the 5 Ghz band. This would reduce the performance impact from bridging wifi and wire on to switch and the other to the AP that needs to be bridged.

I think I can do wired from all the AP's, I talked to some staff last night and I can drill through some drywall above the drop ceiling to run some CAT6 so I should be good to go I think in that regard. That being said, what are some AP's you'd recommend for this job to cover the amount of clients and load etc...? Also what's a good semi managed switch you'd recommend that had POE and possibly set some bandwidth limitations?

 

[htismaqe]

LOL, usually after. I used the 250 clients number because we can at times have that many people in attendance on Sunday but I'm sure the actual wifi usage would be much less.

If you have a church youth group, find out when they meet. That will be your peak usage period.

 

[System Error Message]

Im not the best at suggesting brands or models but if you have the skill and willing to spend the effort mikrotik has routerboards (9xx series) that are basically APs and cost $80 or less that should accept POE.

If you need indoor wifi you can get tp-link, ubiquiti, mikrotik or even cisco. Mikrotik has indoor dual chain AC APs that can accept POE and also has SFP. Its quite minimal because its an AP but theres a higher end version which has mini PCIe if you fancy adding more wifi at the same spot but you may need to ask if it is a dual band AP that supports abgnac and you would need to get a case too (even plexiglass or plastic or 3d printed plastic will do fine). Mikrotik isnt that easy to configure though since aside from configuring the AP you would have to configure the system entirely to secure it but you can create a backup configuration and just use it to configure the rest and change the IP and name.

Ubiquiti has a good managed switch with POE but it can be pricey but it is fully managed. Other option would be to get a non POE managed switch and use passive POE in between (if all your APs are the same). Make sure to check the specs for POE that it can do gigabit with the right ethernet cable and length. If you dont have that many APs many brands have smaller affordable managed POE out capable switches. If you use pfsense/a dedicated router and you have 1Gb/s of internet or less in any direction (not total) than you can use an 8 port switch with 7 APs and the router itself. It is efficient to have a central switch but not always good for uptime/redundancy but this does not matter if the goal is only to provide internet access and provide a basic intranet.

From my experience with various brands (for buying a switch):
Tp-link, cheap and does well with basic features but can crack under pressure or with advanced features used.
d-link, inexpensive but hardware and firmware are usually flaky and insecure
netgear, good hardware but firmware may not be as stable
zylink, hardware and firmware generally good
mikrotik, very stable hardware and firmware but very high learning curve (their switches use different terminologies)
cisco, very reliable, stable though expensive
linksys, generally same quality as zyxel but can sometimes be lower

There may be other brands but the enterprise ones are the best so if you can go for them make sure you do since even a 2nd hand or even older one will do well. Make sure to look for semi-managed/smart in the description for the switch and check that it has features that relate to security and such. It is very important to be able to thwart the pineapple and man in the middle attacks. Make sure your switch and APs have a return period so you can return them for hardware failure or instabilities. If you have to restart a piece of hardware within a month that means that it is not stable and you should replace with a different model or brand. Wireless however isnt always stable regardless of brand or market.

Other than this you may want to also prepare and make allocations in your network for future upgrades such as network based information displays, smart clocks, etc. If all your APs connect to ethernet it might be possible to use WDS to distribute load among your APs (im no expert at this but there should be someone around who can confirm this).