"mile high" overview questions on VPN for multiple customers in star topology

coop4lyfe

Occasional Visitor
Hey folks,

I'm pretty new to the world of networking beyond the basics I've learned using Linux and some router alt-firmwares for a decade plus.

Right now I invested in an expensive Internet connection and am starting to roll out wireless service to neighbors so we can all share it, because it's the best option for our location. Currently I only have one network other than my own, and right now that's kludged with their router as the DMZ box on mine. Obviously, that can't last.

I guess my questions are:

  1. I assume a capable "head end" router in my location, connected directly to the ISP, and then configured for 1 VLAN per neighbor-net is the best idea? If not, why not? I have switches and so forth that can handle VLANs so I can do a point-to-point wireless link to the neighbors anywhere I can run Ethernet (or powerline Ethernet) and have line of sight.
  2. As far as keeping neighbors' networks private from each other and my own, will the VLAN scheme suffice? I intend to use OpenWRT on the "head end" and, where possible, on the devices in neighbors' homes.
  3. Since the links from me to my neighbors are all wireless, and they are all Netflix/Hulu/HBOgo users, is there any point in using a UDP-based VPN from my "head end" router to their bridges in order to minimize the cost of TCP renegotiation due to temporary radio interference? It's my understanding that wifi + TCP can result in some pretty choppy streaming when there is intermittent interference. So far with my single install, my "solution" has been to buy better antennas until the link rate is 4x what they need for Netflix HD. :p
 
Long story short, you are trying to roll out a WISP (wireless internet service provider) infrastructure. This is pretty much a Ubiquiti job through and through.

You get an EdgeRouter on your end, set up some VLANs through a managed switch to AirMax point-to-point units and let the customer plug whatever they like into the other side.

You can of course swap out the EdgeRouter with any router capable of VLANs or even a layer 3 switch.

Just a side thing. However you do this keep your home network on separate hardware. Get another router or use your old one and treat yourself as another one of your neighbors.
 
Hi there and thanks for the answer. :) Definitely making myself "another one of the neighbors" is part of the plan.

I have been looking at Ubiquiti 900MHz gear for the point-to-point links because we have some foliage issues and so forth. The problem we have is, everyone is broke (hence the sort of co-op structure) so right now the pilot project is using common consumer gear for the most part.

Right now: my house to the shared neighbor house with 4 tenants - is 802.11n over 2.4GHz. At my 'head end' (from my house to pilot project neighbor) is a MIMO N300 router with two 2.4GHz yagis aimed at the neighbors' and one omni for when they happen to come by and would like to use their own network here. On the remote end is a highly problematic (firmware freezes) N300 wireless-to-Ethernet bridge which receives the signal, and another spare N300 access point to which the neighbors' devices connect.

The problematic bridge will be replaced soon with some kind of thing running OpenWRT. I just realized that OpenWRT is probably the best bet going forward as I'm not impressed with the others by comparison.

I would love to deploy 900MHz point-to-point links but right now we just don't have the money. I am however looking at some of the ALIX boards at http://www.mini-box.com/ALIX-boards and considering whether one of those, if it can run recent OpenWRT, would be a good idea to be the "true head end" router - it plugs into the ISP, then has a VLAN for each network (mine and each neighbor who wants a separate one - the 4-tenant household wanted to be on the same LAN). Fortunately I have enough VLAN-capable switches for that part of the job.

The pilot project has already had enough problems that I won't use consumer hardware again unless it's stable with OpenWRT. Surprisingly enough, our currently jury-rigged point-to-point link is pretty good once we got the aiming right - every single one of the problems except a cable failure has been related to proprietary firmware.

I'd appreciate any more advice anybody could give. This is saving all of us money but we need it to be reliable in the long run. My old personal setup only ever got rebooted if I had to move wires around and that's what I'm going for here.
 
Another quick question. As soon as the pilot project is stable, I need to replace the router running the whole show, which is a WRT54G v3 (!) with the radios long since disabled, running Tomato. It's had about 10 years (!!) near continuous uptime but I think it will be put out to pasture soon.

Considering what I'm planning on doing, would one of these ALIX boxes - http://www.mini-box.com/Alix-2D-Board-3-LAN-1-MINI-PCI-RTC-battery?sc=8&category=1361 - be a good thing to run OpenWRT on (or are there cheaper similar alternatives)? I would use one port for the ISP equipment, one port for my "one of the neighbors" network, and the third port for >1 VLANed neighbor networks. (I keep a physical port for myself because it allows me to evade some more reconfiguration of my old stuff.)

Or should I just get a decent N600 router, assuming OpenWRT can put the wifi and my "one of the neighbors" LAN on one port, the VLAN'd neighbor LANs on another port?

I currently have lying around (none claimed supported in the OpenWRT TOH :( but maybe it's out of date): a Netgear WNDR3400 (N600), a Belkin F7D8301 (N600), or a Netgear WNR2000 v3 (N300). I could use any of those for this application if firmware were available, and spending $0 is preferable. But if they're not supported, I can't help but wonder about the ALIX. It's spendy though.

All I really care about is that if I scale my WAN connection to 100Mbps downlink, that what I've got in place can keep up for, say, 12 users + me (they all like streaming video, and I use a lot of outbound bandwidth) with decent QoS enabled, and preferably on firmware that has TCP CoDel as an option. I suspect that task is beyond the WRT54G by a good distance.
 
I'm still at work so give me chance for a longer reply.

1. If you are already using 2.4GHz equipment then why the need for a 900MHz Ubiquiti? Wouldn't a 2.4GHz unit be far cheaper?

2. Are you planning on letting everyone access the full 100Mb/s line or will you be cutting it up somehow?
I see 3 ways to do it:
A. Users can hit a Max of 50% but are reserved a minimum of 5% of the total.
B. Users are locked to 10%. How they cut it up isn't your concern.
C. Users get unrestricted access and everything is done by QOS to limit bandwidth.

3. The WRT54GS will most definitely not have the horsepower to push 100Mb/s.

4. Any reason for OpenWRT vs pfSense?
 
1. Better penetration in a non-ideal line of sight situation. It'll probably be a non-issue for a long time if 2.4GHz gear manages to do the job. (So far just barely, but it's been 90% software issues and 10% radio issues.)

2. Unrestricted access, VLANs can burst up to full ISP rate but if there is contention, they're limited to the share they pay for by QoS.

3. It's not even a GS, it's a G, v3.0, from back in 2004.

4. Hadn't even really heard of pfsense - that's a good bit of info. OpenWRT strikes me as by far the least worst of the *WRT type distros (dd-wrt and Tomato being the others). Some semblance of a dev process, better (though still highly inconsistent) docs, and it's an actual Linux distro instead of blobs served off free file hosters by random dudes.

Edit: looking at pfsense, I'm far more familiar with Linux, even mongrel distros, than FreeBSD. Not that that rules pfsense out if it's Seriously Way Better. I've touched it before, I can learn.
 
1. Personally, I would try out a pair of 2.4GHz units on the worst spot you have. If it works . . . it works. If not . . . at least it will still be manageable from the same console as the 900MHz units if/when you decide to purchase them.

2. That has to be done at the router level then. No way a layer 3 switch could get this done.

3. Take a look at the Netgate APU2. It's basically the ALIX but better.

4. There are many x86 *nix based firewalls out there.
Smoothwall, IPCop, pfSense, Untangle, M0n0wall, OpenWRT, ClearOS, Endian, etc. I just personally like pfSense but this is more of a preference thing.
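The sharing scheme settled on above (each neighbor VLAN may burst to the full ISP rate when the line is idle, but falls back to the share they pay for under contention, enforced at the router, with CoDel on the queues) maps directly onto an HTB class tree: `rate` is the guaranteed share, `ceil` is the line rate, and an fq_codel leaf sits under each class. The block below is an added example, not code from this thread or from OpenWRT/pfSense; the trunk port name, the VLAN subnets and the paid shares are constructed assumptions, and the check that guarantees never add up to more than the line is the part worth keeping.

```python
# Added example (not from the thread): plan an HTB shaper for the neighbor
# VLAN trunk from the paid shares, then emit the matching tc(8) commands.
from ipaddress import ip_network

LINK_KBIT = 100_000          # the 100 Mbit/s downlink discussed in the thread
TRUNK_DEV = "eth1"           # assumed: router port carrying the neighbor VLANs

# Constructed sample: neighbor -> (VLAN subnet, share of the line they pay for)
NEIGHBORS = {
    "vlan10_4tenants": ("10.10.10.0/24", 0.40),
    "vlan20": ("10.10.20.0/24", 0.20),
    "vlan30": ("10.10.30.0/24", 0.20),
}

def guaranteed_total(neighbors):
    """Fraction of the line promised under contention; must not exceed 1.0."""
    return sum(share for _, share in neighbors.values())

def plan_htb(link_kbit, neighbors):
    """rate = paid share (honoured when everyone is busy), ceil = full line (burst when idle)."""
    total = guaranteed_total(neighbors)
    if total > 1.0:
        raise ValueError(f"guaranteed shares sum to {total:.0%}: link is oversubscribed")
    return {name: (round(link_kbit * share), link_kbit)
            for name, (_, share) in neighbors.items()}

def tc_commands(dev, link_kbit, neighbors):
    """Commands for egress toward the neighbor trunk, i.e. the download direction.
    Upload shaping needs the same tree on the WAN port, keyed on 'ip src' instead."""
    plan = plan_htb(link_kbit, neighbors)
    cmds = [
        f"tc qdisc add dev {dev} root handle 1: htb default ff",
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {link_kbit}kbit ceil {link_kbit}kbit",
        # catch-all leaf for anything no VLAN subnet filter matches
        f"tc class add dev {dev} parent 1:1 classid 1:ff htb rate 1000kbit ceil {link_kbit}kbit",
        f"tc qdisc add dev {dev} parent 1:ff handle ff: fq_codel",
    ]
    for i, (name, (subnet, _)) in enumerate(neighbors.items(), start=1):
        rate, ceil = plan[name]
        net = ip_network(subnet)       # rejects a mistyped subnet before it reaches the router
        cid, handle = f"1:{0x10 + i:x}", f"{0x10 + i:x}:"
        cmds += [
            f"tc class add dev {dev} parent 1:1 classid {cid} htb rate {rate}kbit ceil {ceil}kbit",
            f"tc qdisc add dev {dev} parent {cid} handle {handle} fq_codel",   # CoDel per neighbor
            f"tc filter add dev {dev} parent 1: protocol ip prio 1 u32 match ip dst {net} flowid {cid}",
        ]
    return cmds

if __name__ == "__main__":
    print("\n".join(tc_commands(TRUNK_DEV, LINK_KBIT, NEIGHBORS)))
```

Run it on the router as a script (or paste its output) once per boot; on OpenWRT the same tree can be expressed through the SQM/qos packages, but the rate/ceil arithmetic above is what those settings reduce to.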
 