New Building - tenants plug their own routers causing IP conflict

Jamal15

May 22, 2016
Hi all,

We are trying to set up a LAN network in a new building. We have an AP which is connected to my ISP and a Netgear switch. The switch goes to each flat (around 20) so that tenants can use the Ethernet port to get to the Internet. We have also set up 2 TP-Link routers on the ground and second floors so that they can also use Wireless. Please see the configuration below, with IP addresses:

AP:
- Connected to my ISP;
- Static LAN IP: 192.168.0.1;
- Sitting on the first floor;
- Also used to provide Wireless access on first floor.

Netgear switch: Used to provide Ethernet access to each tenant.

Router Ground floor:
- Used to provide Wireless access;
- DHCP WAN IP;
- Static LAN IP: 192.168.1.1.

Router Second floor:
- Used to provide Wireless access;
- DHCP WAN IP;
- Static LAN IP: 192.168.2.1.

The problem is some tenants plugged their own routers into the Ethernet port. They then pick up a static default gateway IP address of 192.168.0.1 or 192.168.1.1 and cause an IP conflict (with the AP or Router Ground floor). Tenants are then losing connectivity on the Wireless network. I have done some research on Tom's Hardware and didn't find anyone with the same problem....

Have you ever come across this issue? If so, how did you fix it?

Please let me know if you need additional information (e.g. Hardware details, other configuration...).

Many thanks,
Jamal
 

That's an interesting question. My approach would be to set up a VLAN, and add the APs to it. That way nobody else could interfere with the APs no matter what went on on the other Ethernet ports. (Unless they accessed the router, that is.) Then, if the tenants conflict it's their problem.
Oh, and you probably should reserve a block for static IPs on the other Ethernet network, probably 192.168.X.0-100 or something like that.
 

■ Set up one master DHCP server. It handles the WIFI devices on the APs and the WAN addresses on the tenant routers. Use a subnet that is unlikely to be copied, e.g. 192.168.167.x.
■ You may have to have more than a class C network. With WIFI access points for 20 apartments, you could easily have 100+ WIFI connected devices. You could run out of IP addresses in a class C network.
■ Use real commercial access points. Not routers. Use something like the UniFi system from Ubiquiti. You will be able to control all the APs at once.
■ Use a managed switch for your core switch. Set each apartment up as a separate VLAN. That way they are isolated from each other.
■ Put the common APs on a unique VLAN.

 
Hi ComputerSecurityGuy,

Thanks for your suggestion. I am going to wait for others and may pick up yours. I may get back to you with some questions if I decide to go ahead. I will keep you updated.

Cheers,
Jamal
 



This solution looks good. I will definitely test it. However, I have no control over the tenant routers. Most commercial routers use 192.168.0.1 as default gateway, will they interfere if they are not in the same VLAN?

Please find my roll-out plan below:

■ Master DHCP server assigned a static IP address of 172.16.0.1. DHCP pool: 172.16.0.2 - 172.16.254.255. With a class B subnet, I will not run out of private IP addresses.

■ For Router Ground floor, I keep the same configuration:
- DHCP WAN IP;
- Static LAN IP: 192.168.1.1.

■ Router Second floor:
- DHCP WAN IP;
- Static LAN IP: 192.168.2.1.

■ Define a VLAN for each apartment, another one for the ground floor and a last one for the second floor.

I think my switch is NETGEAR GS748T-500EUS ProSAFE (need to double check), if so can it act as a Core Switch?

As for my AP, it's HUB 3.0 from Virgin Media in the UK. I have looked up the specs and the device name may be ARRIS TG2492S/CE (see below source). What do you think?

http://www.ispreview.co.uk/index.php/2015/11/new-virgin-media-superhub3-cable-broadband-router-to-target-voip.html

Many thanks,
Jamal
 
I think your switch can act as your core switch.

Your networking knowledge is better than I expected. Many posters here wouldn't understand the concept of a class C network. You don't need an entire class B. I would think a 1024 address range should be more than enough. Why make your mask any wider than necessary?

You keep using the term router first floor and router second floor. They really aren't routers are they? They should be access points. You want to keep all the devices connected to them in your 172.16.x.y subnet. Not to have them DHCP a new subnet.

Maybe you need to post a wiring diagram to ensure I am understanding your plan.
 


/22 netmask will suffice and I can use 172.16.0.1 - 172.16.3.254.

Sorry for the confusion. I will draw a network diagram at my earliest and send it over. There are three routers:

- The one on the first floor which is connected to my ISP;
- The one on the ground floor which is connected to the switch. It is used to provide Wireless access to tenants living on the ground floor;
- The one on the second floor which is also connected to the switch. It is used to provide Wireless access to tenants living on the second floor.

The routers that I don't have any control over are the ones brought by the tenants in their apartments. They cause IP conflicts and connectivity issues. I need to find out whether two separate private VLANs using the same private default gateway IP address cannot cause IP conflicts. Do you get my point?

Many thanks for your help,
Jamal

 
The two routers that are providing wireless should be changed to light commercial quality access points. Routers are the wrong device there. You want the WIFI devices to be part of your 172.16.x.y subnet. Routers that have DHCP enabled are wrong. Start by converting the routers to access points by connecting to a LAN port and disabling DHCP. The routers will act like access points. BUT they should be replaced by dedicated AP hardware.
 
I don't know how tenant routers will cause IP conflicts IF you do as I recommend and use access points rather than routers for your WIFI.
The LAN default gateway of a tenant device can be their router, a 192.168.x.y address. And the WAN gateway will be a 172.16.x.y address. Your WIFI will be 172.16.x.y if you use access points.
 
Hi kanewolf,

Sorry for the delay. Below is a link to the network diagram.

https://www.dropbox.com/s/wfv0fzv8g5w5tcv/RussellStreet.pdf?dl=0

Additional details:

- Configure Router (connected to ISP) set to Static IP with 172.16.0.1, VLAN 1 and DHCP Range: 172.16.0.4 - 172.16.3.254

- Wireless Access Point (Ground Floor) set to static IP with 172.16.0.2 and VLAN 2

- Wireless Access Point (Second Floor) set to static IP with 172.16.0.3 and VLAN 3

- Configure the Netgear Switch with a separate VLAN for each port (I think we have 20 ports)

If you think this solution will work, then the next step is how to configure my Netgear switch with separate VLANs (I guess that I can find a YouTube video for this), then ensure that I have Wireless APs (or turn the routers into Wireless APs).

What do you think?

Jamal
 
That sounds like what I would do. You just want to make sure that your master router port is a member of each VLAN. It doesn't need to be a separate VLAN, it is the common link.

I would add one thing to your drawing, add a management VLAN with a single unused port allocated to it. Assign the IP of the switch to that VLAN and add the AP and master router ports in that VLAN. You want to make sure you can get to everything from a single laptop on that management port.
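
The addressing plan the thread settles on can be checked before anything is configured. The following is an added example, not part of any post: it uses Python's `ipaddress` module to confirm that the /22 holds the static devices and the DHCP pool without overlap, and that the building subnet cannot collide with the LANs tenant routers bring with them. The /24 mask on the tenant LANs and the function names are assumptions.

```python
import ipaddress

# Values taken from the thread's final plan.
BUILDING_NET = "172.16.0.0/22"
STATIC_HOSTS = {
    "master router": "172.16.0.1",
    "AP ground floor": "172.16.0.2",
    "AP second floor": "172.16.0.3",
}
DHCP_POOL = ("172.16.0.4", "172.16.3.254")

# Assumption: tenant routers ship with a /24 LAN around the gateways
# named in the thread (192.168.0.1 and 192.168.1.1).
TENANT_DEFAULT_LANS = ["192.168.0.0/24", "192.168.1.0/24"]


def check_plan(net, statics, pool, tenant_lans):
    """Return a list of problems found in the addressing plan (empty = OK)."""
    net = ipaddress.ip_network(net)
    problems = []
    first, last = (ipaddress.ip_address(a) for a in pool)
    for label, addr in (("pool start", first), ("pool end", last)):
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is not a usable host in {net}")
    seen = {}
    for name, raw in statics.items():
        addr = ipaddress.ip_address(raw)
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
        if first <= addr <= last:
            problems.append(f"{name} {addr} sits inside the DHCP pool")
        if addr in seen:
            problems.append(f"{name} and {seen[addr]} share {addr}")
        seen[addr] = name
    for lan in map(ipaddress.ip_network, tenant_lans):
        if lan.overlaps(net):
            problems.append(f"tenant default LAN {lan} overlaps {net}")
    return problems


def capacity(net, pool):
    """Return (usable host addresses in net, leases in the DHCP pool)."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    return ipaddress.ip_network(net).num_addresses - 2, int(last) - int(first) + 1


if __name__ == "__main__":
    print("hosts, leases:", capacity(BUILDING_NET, DHCP_POOL))
    print("problems:", check_plan(BUILDING_NET, STATIC_HOSTS, DHCP_POOL, TENANT_DEFAULT_LANS) or "none")
```

Running the same check against the original layout (AP on 192.168.0.1 in 192.168.0.0/24) reports the overlap with a tenant default LAN, which is the conflict described in the first post.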