Commercial Wifi Hardware suggestions for Whole buidling wifi

[brentrieman]

I currently own a 8 unit townhouse building. I am looking to offer the residents wifi as part of their rent. My local provider suggested at least their 300/20 business class package (200$ month). I am interested in suggestions for hardware. The building is 130' long by 30' wide, each unit has a block wall separating them. I am hoping to get away with an access point in every other basement. So 3 or 4 access points. Id like something that can run off POe so I can stick the modem and POe switch in one unit and run cat5 to the access points. I looked at something like this. ZyXEL 3 Pack-[NWA1123ACv2 I would also like a POe switch that I can remotely power cycle if stuff acts up. Ill probably run some POe IPcams off it too, and from my experience they run best when rebooted every week or so. Thank you for any suggestions.



Update-2/11

Thanks all for the replies. I believe I am going to proceed with this project. I understand the legal ramifications and went over these concerns with my ISP wowway.

I like the unifi system. here is the setup I am looking at

Ubiquiti Unifi Cloud Key
Ubiquiti Networks 8-Port UniFi Switch, Managed PoE+ Gigabit Switch with SFP, 150W
Ubiquiti Unifi Security Gateway (USG)

I would really like to put the access points in the basement of every other unit. I this access point but I believe i would have to get it up on the ceiling of the 3rd floor which will be very difficult
Ubiquiti Unifi Ap-AC Lite (UAPACLITEUS)

Could I use 2 or 3 of these with the cloud key, switch, and gateway and have them in the basements?
Ubiquiti UAP-AC-M-US

I would like to be able to set up a VLAN for each unit. I was reading through the manuals and was not sure if I could do this?

Thanks for any suggestions

 

[nigelivey]

Take a look at Ubiquiti Edge router and their range of APs. You have other considerations here as you would want wireless isolation to prevent unit A browsing unit Bs devices but this wouldnt allow unit A devices to "see" other unit A devices. You really need a layer 3 switch in the mix to create VLANS per SSID to segregate the traffic and allow a WLAN per unit. Is there no way of just offering 1 wired connection per unit and let the tenants sort themselves out?? You should also be aware you will be responsible for all traffic passing out the WAN connection you are paying for including any illegal activity.

 

[kanewolf]

You need to protect the tenants from each other. You don't want to facilitate one apartment spreading a virus to all the others. I would do separate WIFI source for each apartment. Give them each a unique SSID and password. VLAN each WIFI source back to a managed switch and to a VLAN aware router. Do each apartment at 100Mbit so that no single tenant can hog more than 1/3 the bandwidth.

I like the Ubiquiti UniFi system.

 

[brentrieman]

Take a look at Ubiquiti Edge router and their range of APs. You have other considerations here as you would want wireless isolation to prevent unit A browsing unit Bs devices but this wouldnt allow unit A devices to "see" other unit A devices. You really need a layer 3 switch in the mix to create VLANS per SSID to segregate the traffic and allow a WLAN per unit. Is there no way of just offering 1 wired connection per unit and let the tenants sort themselves out?? You should also be aware you will be responsible for all traffic passing out the WAN connection you are paying for including any illegal activity.

Thanks for the info. I can just run a wire to each unit, and I did think about that, In the end that would definitely be the easiest and cheapest option. I do want to shield myself from the illegal activity issue. Im not sure the best option for this, maybe as simple and having them sign an agreement or makeing that part of the lease.

 

[boosted1g]

The uqbiquit hardware recommandation is a good one.

You dont need layer 3 switches. VLAN tagging can be done at layer 2.
You dont even want tennat A using AP B to be able to see the devices of tennat C also using AP B
Agian though, this can all be set at the router, no need for expensive layer 3 switches.\
I have done this exact setup with uqiquiti router for motel so I know what I am talking about.

Ubiquiti edgelite 3 is an awesome router for this load, you cant beat it for the price for a true commercial grade device.
WIth that said it requires someone that truley understands network concerpts, including firewall rules.
You will want Guest VLAN, Office VLAN, and management VLAN and apropriate firewall rules for all 3.

You wont be able to put celiing mount APs in the basement, you will need to install those on top ceiling. Without physically seeing yoru building just making assumptions from your information, 3-4 APs sounds right in tbe ballpark.

 

[boosted1g]

Take a look at Ubiquiti Edge router and their range of APs. You have other considerations here as you would want wireless isolation to prevent unit A browsing unit Bs devices but this wouldnt allow unit A devices to "see" other unit A devices. You really need a layer 3 switch in the mix to create VLANS per SSID to segregate the traffic and allow a WLAN per unit. Is there no way of just offering 1 wired connection per unit and let the tenants sort themselves out?? You should also be aware you will be responsible for all traffic passing out the WAN connection you are paying for including any illegal activity.

Thanks for the info. I can just run a wire to each unit, and I did think about that, In the end that would definitely be the easiest and cheapest option. I do want to shield myself from the illegal activity issue. Im not sure the best option for this, maybe as simple and having them sign an agreement or makeing that part of the lease.

Having wired connetions is not per say a bad idea.
My only issue with that is then you are going to have a massive wifi sturation of everyone plugging in their own devices and interfering wiht everyone else. This is not per-say your porblem (unless you want to use wifi in an office building attached to this). You would still need a good router (like the edgelite) to enfore security policy.

In regrads to the illegal activity, signing a petition does not mean much when you will have no way to tell which computer belongs to which guest, even more so if user does things like spoofing mac addresses. Hell if someone can phish the office/guest for password then you cant even be sure it is a tennant.

You could certainly set a download limit per IP to reduce torrenting, in edgelite there is a setting to block torrent ports, but this does not work very well.

 

[bill001g]

I will just comment on the legal part. It does no good to just get some legal document. Unless you have some way to log things you will not really know who is going bad things. When you get a RIAA cease and desist letter that say they say your IP at time xxx on date yyy downloading something you need a way to tie it back to at least the apartment. Everyone will say "wasn't me", in many cases it is the 12yr old child that did it and the parent didn't even know.

This is a massive effort for someone who is not in the IT type of business. In may be easier to work with a ISP to get some kinda on infrastructure installed but let the tenants deal with the ISP directly for internet. The ISP already has lots of experience dealing with the issues of illegal activity.

It is very sad that this issue makes it almost impossible to offer services like this. To many small restaurants quickly find out why offering free internet is extremely risky.

 

[brentrieman]

The uqbiquit hardware recommandation is a good one.

You dont need layer 3 switches. VLAN tagging can be done at layer 2.
You dont even want tennat A using AP B to be able to see the devices of tennat C also using AP B
Agian though, this can all be set at the router, no need for expensive layer 3 switches.\
I have done this exact setup with uqiquiti router for motel so I know what I am talking about.

Ubiquiti edgelite 3 is an awesome router for this load, you cant beat it for the price for a true commercial grade device.
WIth that said it requires someone that truley understands network concerpts, including firewall rules.
You will want Guest VLAN, Office VLAN, and management VLAN and apropriate firewall rules for all 3.

You wont be able to put celiing mount APs in the basement, you will need to install those on top ceiling. Without physically seeing yoru building just making assumptions from your information, 3-4 APs sounds right in tbe ballpark.

I figured id have to get the APs to the ceiling it will be a pain in the A$$ but its doable. how did you handle security in the motel? this is the one side of this project that i want to ensure im covered. do you just do a landing page like most hotels have? although I know most consumer things probably wont work with that, like a roku or smart tv

 

[brentrieman]

I will just comment on the legal part. It does no good to just get some legal document. Unless you have some way to log things you will not really know who is going bad things. When you get a RIAA cease and desist letter that say they say your IP at time xxx on date yyy downloading something you need a way to tie it back to at least the apartment. Everyone will say "wasn't me", in many cases it is the 12yr old child that did it and the parent didn't even know.

This is a massive effort for someone who is not in the IT type of business. In may be easier to work with a ISP to get some kinda on infrastructure installed but let the tenants deal with the ISP directly for internet. The ISP already has lots of experience dealing with the issues of illegal activity.

It is very sad that this issue makes it almost impossible to offer services like this. To many small restaurants quickly find out why offering free internet is extremely risky.

I can handle most IT projects and learn what I dont know. I wonder if their are any companies that offer and over the top service or something to handle the security. Although at that point it probably would be cheaper to let the ISP handle it. If I set up a VLAN for each unit wouldnt the router log the activity and if I ever did have a legal issue I could just give them the log

 

[kanewolf]

You might want a pfSense firewall or similar to handle logging. A good router may be able to log enough and send that log to a syslog server but can't keep much log local.

 

[bill001g]

These tend to be scary many times. The letters you get from the lawyers have all kinds of legal threats. In general as long as you take actions to work with them the will not come after you. If you have good logs and can point the finger at the actual person who actually did the bad things they tend to go after them. Still if it happens a lot your ISP may just get tired of dealing with this stuff...just like you would it if a tenant did it over and over..and cut you off. I have never heard of a small business that had to provide their logs in a court trial but there is always that risk because you are pointing the finger.

I mostly deal with this issue in a company where it is employees that are doing the bad stuff. It is surprising the number of even very highly paid people that lose their job over this crap. As part of the first day training they are told multiple times that everything is logged and must sign a form acknowledging that they were informed.

I spend more time trying to protect against employees doing thing wrong or just being stupid that I do against hackers from the outside.