Question Controlling routers through an online system

Apr 17, 2019
In my business organization, we use a good number of TP-Link routers at multiple locations to offer wireless internet all over the office. We have to make passwords public, and very often outsiders connect to the routers and fully occupy the bandwidth. Now we want to develop an online server/system through which we can automatically control our routers so that users whose MAC addresses are not listed on our server cannot connect to the routers even if they have the passwords. Besides, we want to monitor the internet use, control internet speed, and completely operate the router through the online server/system.

Now my query is whether it is possible to develop such an online server/system and whether it requires customizing the router firmware.

Routers we use are: TP-Link TL-WR840N, TP-Link TL-WR850N, TP-Link TL-WR841N, TP-Link WR845N.
 
Not with a consumer router. That is a feature only a business needs, so they don't have those features. Hard to say which router would meet your needs. Obviously things like Cisco enterprise models will do it, but the cost is very high. You might get by with Ubiquiti products; they are in between consumer and the high enterprise devices. The main issue is some of the requirements are very difficult. Monitoring usage and bandwidth control generally is a function done by a firewall server type of device. Remote configuration is a little simpler.

The part you can do with consumer routers is very detailed user control. The key here is to put the wifi in enterprise mode. Every user then has his own userid and password. It uses a RADIUS server to do this. If you work at it you could use a single centrally controlled RADIUS server for all the sites. Gets a bit tricky running it over the internet but it can be done. A RADIUS server does not require a very large machine unless you have many thousands of users. People run them on a Raspberry Pi, but I would not recommend that; an old laptop would likely be fine.
 
Thank you for your reply. Normal TP-Link routers can be controlled & monitored manually online. Can this be done online automatically?
 
If you look at how this is done on commercial equipment they use 3 basic methods. They have a proprietary system to manage them, they can be configured via command line so it is easy to write scripts, or they use SNMP which allows use of some of the fancy commercial monitoring/configuration tools. Some have all three methods.

TP-Link does none of these. The problem is that any GUI-based system is designed for a person to look at the screen and click on stuff. That is extremely hard to automate. It can be done but it would require someone who was very good at HTML coding.

It is the same reason it is so hard to help someone configure something remotely. You almost have to have a video that shows them screenshots. It is much easier if you can send someone a list of commands they can cut and paste into the router.
 
Thank you for your reply. Normal TP-Link routers can be controlled & monitored manually online. Can this be done online automatically?
By online do you mean remotely?

Home-class routers typically let you manage access through their LAN ports only, so unless you have a remote access server somewhere.

Home-class routers don't have all the fancy stuff a business-class would, that's the bottom line.
 
A lot of consumer routers offer MAC filtering and role-based VPN support. A MAC is like a serial number attached to each network device. You could also set up QoS and limit their bandwidth. But for fat connections, QoS has a tendency to lower total throughput on consumer grade (even if it ensures your devices get first priority).

You can also get something like a FING box to control bandwidth usage. But these are cheap low grade solutions and I would not recommend them if you need lots of bandwidth. Another way to do it is to assign specific MACs to specific IPs and turn off DHCP. What this means is the attaching computer wouldn't get an IP. No IP, no real access.

But I'll be honest with you, if your business has reached this level where clients need access, you need professional grade stuff and the people to go with it. You don't have to invest a full time person. But you might want to consider hiring out an IT firm to maintain such a network. It's money well invested in the long term. (It's a lot like anti-virus or health insurance: It seems expensive till it saves your tail.)

So the question becomes WHY do vendors need VPN access to your network? Is it network shares? Documents? Programs? Ordering systems?

The most ideal solution would be to create a web portal they can log into for Sharepoint, or WebAPI (RESTful services) using a server that's put in the DMZ. This protects not only your data, but isolates customers from accessing areas they shouldn't, or using your network for more nefarious activities. At this point you need to contact an appropriate IT person who has experience in these areas who can take a holistic approach of how your business operates and then start to make recommendations.
 
Thank you for your reply. Normal TP-Link routers can be controlled & monitored manually online. Can this be done online automatically?

BTW: I wouldn't do this.

There's a dirty little secret in the router industry that may shock people, but many many consumer grade routers all operate off the same publicly available code base (software stack) with tweaks and modifications for their specific hardware and features they wish to offer. So a bug exposed in one is likely exposed to many. (Remember the Intel library flaw for UPnP?)

That said there's a well known bug that affects many routers that remote admin login credentials are often sent unencrypted. I'm not sure it affects TP-Link, but as these libraries are often reused, I wouldn't be surprised. So if you have remote admin, I would change all your admin passwords and turn off remote configuration. For these setups go business/enterprise only.
 
Top of my head, use a remote desktop app to gain access to one of the PCs on the LAN, then from there hopefully u can talk to all routers, one painful box at a time. Unless, like I said, u already have a remote server somewhere, and since u did not respond to this, I assume no.
I talked with TP-Link and they have suggested that I develop a RADIUS server in order to control those routers. I am a business guy and don't have much IT knowledge. Can a RADIUS server be enough to serve my purposes? What do you think?
 
It will only do part of what you need. If you go back to my first post, you can control user access but you cannot monitor or control bandwidth using enterprise mode, i.e. a RADIUS server.

What the RADIUS server does is replace the common shared password with a system where each user must have their own userid and password. So instead of asking the local router for permission to connect, the local router proxies the logon request to the RADIUS server. You can run a single central RADIUS server. So your access control is centrally located and maintained.
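
An added illustration, not part of the reply above and not code from TP-Link or any RADIUS product: the first message an access point in enterprise mode forwards to a central RADIUS server, and the checks the server can make on it before the per-user login continues. The function names, the shared secret and the MAC allowlist are assumptions made for the sketch; the packet layout follows RFC 2865 and RFC 3579.

```python
import hashlib, hmac, os, struct

# RADIUS attribute types (RFC 2865 / RFC 3579)
USER_NAME, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 31, 32
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def attr(attr_type, value):
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, user, station_mac, nas_id, pkt_id=1):
    """Access-Request the access point sends when a user joins the SSID."""
    # EAP-Response/Identity: code 2, id 1, length, type 1, then the user id
    eap = struct.pack("!BBHB", 2, 1, 5 + len(user), 1) + user
    attrs = (attr(USER_NAME, user) + attr(CALLING_STATION_ID, station_mac)
             + attr(NAS_IDENTIFIER, nas_id) + attr(EAP_MESSAGE, eap))
    # Message-Authenticator = HMAC-MD5 over the packet with its own value zeroed
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, pkt_id, 20 + len(zeroed)) + os.urandom(16)
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def parse_attrs(packet):
    """Map attribute type -> (value offset, value); reject malformed lengths."""
    found, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        found[packet[pos]] = (pos + 2, packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return found

def precheck_request(packet, secret, allowed_macs):
    """Server-side check before the EAP exchange continues."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        found = parse_attrs(packet)
    except ValueError:
        return False
    if EAP_MESSAGE not in found or MESSAGE_AUTHENTICATOR not in found:
        return False
    off, received = found[MESSAGE_AUTHENTICATOR]
    if len(received) != 16:
        return False
    expected = hmac.new(secret, packet[:off] + bytes(16) + packet[off + 16:], hashlib.md5).digest()
    # MAC allowlist is only a coarse filter; user credentials are checked in later EAP rounds.
    station = found.get(CALLING_STATION_ID, (0, b""))[1].decode(errors="replace").upper()
    return hmac.compare_digest(received, expected) and station in allowed_macs
```

Each access point shares its own secret with the server, so a request from a device that does not hold a registered secret fails the Message-Authenticator check regardless of what user name or MAC it claims.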
 
I talked with TP-Link and they have suggested that I develop a RADIUS server in order to control those routers. I am a business guy and don't have much IT knowledge. Can a RADIUS server be enough to serve my purposes? What do you think?

How are you going to set this up without IT support? This: "Now we want to develop an online server/system through which we can automatically control our routers so that users whose MAC addresses are not listed on our server cannot connect to the routers even if they have the passwords. Besides, we want to monitor the internet use, control internet speed, and completely operate the router through the online server/system." needs some network tech to set up. You can't just hack this together if you like your business functioning.

Outsiders connecting to the routers? What kind of setup is that? As in random people just accessing your routers from outside your company? Sounds like a really bad setup there, no proper business setup would have this. You need an IT consultant or two to set up your network.