[SOLVED] Renting out two houses, internet connection in my name.

Nov 2, 2018
I am renting out 2 houses, and the internet connection is in my name. So I want to save my <mod edit> if the renters do some stupid thing. Thank you for the advice.

I was thinking of having a router with 2 VPN protection on specific ports, what do you think?

And also a bandwidth limit on each port.

Thank you

I never thought of using VPN for that purpose. The vpn will limit what they can do ....legit stuff. Many video sites block all vpn sites. Netflix and amazon video don't work on most. There are other sites that complain about vpn also. You get lots of silly captchas on google search sometimes. It also will prevent many console based games that are dependent on UPnP or port forwarding from functioning. Some game companies and even a few normal sites detect the vpn and give warnings that they do not support vpn/proxy.

I would look at asus 86u in particular with the merlin firmware image. Normally I don't give specific recommendations but this router uses a different cpu than many. It has a vpn accelerator in it. Most routers will cap you out well under 30mbps using vpn because of cpu. This one I have had well over 250mbps and I think it is the vpn service that prevents it going higher. It also has the ability to limit bandwidth and I have not used that feature much because it does not use the NAT accelerator which limits the speed to the cpu ability on very fast internet connections. That likely does not apply when you are running vpn since the traffic is being bottlenecked by the vpn.
 

Thank you for your advice.


I need to check if it can limit bandwidth per interface.

We could use the same VPN, that doesn't matter so much.

And maybe I should try to use a not so well known VPN provider then, and I was thinking about paying for a static ip from the VPN provider, maybe that could prevent that google search block etc. also.
 
That is one of the things I like about the merlin image...even though I think asus factory took the feature also....is you can run multiple vpn providers and you can select which traffic goes where if you really want to.

What you may want to do is talk to the renters when they have issues with the VPN and have them give you lists of things that are causing issues. You can then set that traffic to bypass the vpn and go directly. It's not like you really care if they are using netflix that they pay for from your real IP address. This would be the same for any port forwarding rules they need.

Although I think you can set up 2 different networks on the ports and then limit them on those ip pools, it likely is the hard way to accomplish it. You generally can't just limit by interface I suspect because of how the hardware works. The lan ports are a switch with a single uplink to the router chip internally.

Since they will get better wifi coverage if you place a router inside each house, you could then assign a static ip to each much like an ISP does. They could connect whatever they like behind it but all the traffic would come from a single IP address.
 
In fact, I am sorry but I don't think I will care so much if they cannot play any games or have issues with some streaming service. I need to be selfish here, I am sorry.

I will of course test all standard things for some time before renting out, for example if netflix works etc.

Right now I have asked in the asus merlin, dd-wrt and edgerouter forums whether people have advice on something that can do this:

1. Router with OpenVPN that turns off connection if the OpenVPN provider goes offline.
2. Bandwidth limiting per interface.

I think these 2 are the most important, no need to have multiple openvpn providers.



Thank you so much! =) I will buy you a pizza if you come to Sweden.
 
The first one almost all routers with vpn clients can do.

The second is not likely possible...again unless you define things like vlans and then assign ip blocks to those vlans. The lan ports are on what used to be an actual separate switch chip. Even though they are on the same physical chip as the cpu in most modern routers they still function as 2 separate chips. There is only a single connection between the switch chip and the router. There is no way for the router to know which port it came in on. The traffic limit function would have to be done on the switch chip. The switch function in these routers is pretty simplistic...even though it does support vlans and some other features it does not have the ability to actually limit traffic. This is a hardware restriction with almost all consumer routers.

Now you could likely find some kind of firewall that has this ability or you could put a fancy switch that has bandwidth limits in front of the router it just gets expensive fast.
 

Ralston18

Titan
Moderator
No disagreement with any of the above.

However, you are taking on more burden than is really necessary. Especially if you do not really care about what they can or cannot do.

And if something does go astray (rightly or wrongly) then your ISP may still disrupt your service accordingly. Bottom line is that the service is in your name.....

You may end up in the middle of some mess trying to manage it all. E.g., them calling you every time service is slowed, stopped, etc. And the problem could be on their (user) end.

My recommendation is to just have the tenants get their own internet service.

Simplicity matters.
 
You are so right in what you say. But I want to give it a try.
It would cost me over 1.700 USD to install one more internet service.

Then if it's not possible to do BW limiting with dd-wrt, asus merlin etc., maybe the easiest, like you guys say, is to have 2 pieces of hardware.

1x router for openVPN
1x firewall/switch for BW limiting


Or else Edgerouter seems to have both BW limiting and openvpn support. But it looks really too advanced. https://community.ubnt.com/t5/EdgeR...n-on-port/m-p/2709818/highlight/false#M244352


What do you guys think? Thank you!!

 
If you are going to place devices in front then just use 2 very cheap routers. The only purpose of the router is to make all the machines appear to come from the same IP address for each renter. You now have your "port" number since all traffic coming in a physical port will only come from a single IP address. It is trivial to limit traffic by ip address.

You would have to dig around but I think the main drawback of the edge router using openvpn is its slow performance. They have multiple models but cpu size is going to be the limiting factor. Then again most routers will cap your vpn speed to 20-30mbps and it will drop more using traffic limiters that also use cpu.
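
The two requirements discussed in this thread (a VPN kill switch, and a bandwidth limit keyed on the single IP address each tenant's router presents) written out as an added example that is not part of any post. It assumes a Linux-based main router with iptables and tc; the interface names, tenant addresses and rates are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, tenant IPs and rates
# are assumed placeholders for a Linux-based router with iptables and tc.
LAN_IF="${LAN_IF:-br0}"    # LAN side of the main router (assumed name)
WAN_IF="${WAN_IF:-eth0}"   # ISP uplink (assumed name)
VPN_IF="${VPN_IF:-tun0}"   # OpenVPN client tunnel (assumed name)
# One entry per tenant router: IP:download Mbit/s:upload Mbit/s (constructed)
TENANTS="${TENANTS:-192.168.50.11:40:10 192.168.50.12:40:10}"

# Dry run by default: print each command. APPLY=1 executes it (needs root).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Refuse anything that is not a dotted quad plus two integers, so a typo
# never reaches iptables or tc as an argument.
check_tenants() {
    for t in $TENANTS; do
        printf '%s\n' "$t" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]+:[0-9]+$' ||
            { echo "bad tenant entry: $t" >&2; return 1; }
    done
}

# Kill switch: forwarded LAN traffic may leave through the tunnel only. If
# the VPN drops and routing falls back to the ISP uplink, packets are
# dropped instead of going out from the real address.
killswitch() {
    run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

# Per-tenant HTB limits. Download is matched on destination IP as it leaves
# the LAN interface. Upload leaves via the tunnel after NAT has rewritten
# the source address, so it is tagged with a firewall mark first.
shape() {
    run tc qdisc add dev "$LAN_IF" root handle 1: htb
    run tc qdisc add dev "$VPN_IF" root handle 1: htb
    i=0
    for t in $TENANTS; do
        i=$((i + 1))
        ip=${t%%:*}; rest=${t#*:}; down=${rest%%:*}; up=${rest#*:}
        run tc class add dev "$LAN_IF" parent 1: classid "1:$i" htb \
            rate "${down}mbit" ceil "${down}mbit"
        run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 \
            match ip dst "$ip/32" flowid "1:$i"
        run iptables -t mangle -A FORWARD -s "$ip" -o "$VPN_IF" \
            -j MARK --set-mark "$i"
        run tc class add dev "$VPN_IF" parent 1: classid "1:$i" htb \
            rate "${up}mbit" ceil "${up}mbit"
        run tc filter add dev "$VPN_IF" parent 1: protocol ip prio 1 \
            handle "$i" fw flowid "1:$i"
    done
}

gen_rules() { check_tenants && killswitch && shape; }

gen_rules
```

The tc setup on the tunnel interface does not survive the interface being recreated, so it has to be reapplied when the VPN reconnects.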
 

You are so right, the Edgerouters are missing something called "hardware-acceleration for openVPN" so it will get very poor speed.
Big thank you for letting me know this!

I only have 1 real ISP ip so it will not work with 2 routers. And why cheap routers, think the performance will be bad?

This now looks to be
1x dd-wrt/asus/tomato router
1x switch or firewall for BW limiting.

Do you have any advice what will perform best?

Thank you !!!

I need to google a little bit more.. =)

In a way I was actually thinking of the edge router as the cheap router. They have ones for $50. Depends if you need wifi for the renters. The only purpose is NAT. I would do the traffic limit on the main router that is also doing the vpn. Almost any router can run gigabit speed for nat.

The only switches I know that have traffic limiters are fairly expensive commercial devices. It also gets complex because most only limit inbound. They do this to not delay traffic. This would be considered UPLOAD from the renter viewpoint and is seldom the issue. Outbound traffic does not make a lot of sense since the traffic has already entered the switch. Some high end switches can do it but it is considered a poor design. It is more used in corporate networks where you have full control over the entire network.

You have a similar issue doing this on the router because the ISP is actually in full control over what is sent or not. The only reason it works is because when you get traffic loss the end client detects it and slows its requests for data. If for example an application on the internet sent at a fixed 10mbps and you limit it to say 5mbps you would still receive the extra 5mbps even though you never delivered it to the end user. Luckily most applications do not work that way but torrent comes close since it opens more sessions when it has troubles.
 
To me this doesn't make sense.
You can easily use Ubiquiti equipment, use login so it's proof they are logged in - under their name - and give them total internet access.
Any and all logs will show they logged in using their credentials and thus probably free you from anything (if something illegal happens) due to the fact they logged in, and with MAC addresses that are recorded it's a good solid defence.

Personally, you have made it way more complicated than it needs to be, and if you are providing the internet service as a service in your house, and then you are liable for not disclosing your intentions and the things you are blocking, which is a legal litigation you can face.
 
This is just a second hand renting, so any legal problems because of me using VPN for my "customers" is nothing I think will happen.

And that logged thing doesn't make sense, IF they do something illegal and IF it happens. I don't want to talk with some government and prove myself, then it is already in a bad situation if you understand what I mean. Better to use VPN to indirectly "help" the customers to be anonymous so I don't get problems.

I hope you understand me. I wish there was an easy way to do this, but I couldn't find anything here in Sweden.
 
Oh, I don't understand now.

I don't know what NAT is.

I thought Edgerouter was too slow to run OpenVPN + BW limiting.

A cheap Netgear switch seems to be able to limit the speed by interface.
http://documentation.netgear.com/gs108t/enu/202-10337-01/GS108T_UM-07-05.html

Thank you
 
I see it does; that is likely your best bet. I have a number of commercial cisco layer 3 switches from back in the day I was chasing cisco certifications so I have not been buying much for many years.

NAT is the function that lets multiple machines share an IP address. Kinda like your ISP gives you one IP and then all your machines share it. I was just thinking you could in effect give each rental just 1 IP. Then you could use IP based rules. That switch should work to do basically what you need.
 
Thank you for your help!!

I am into using Asus Merlin with a fallback VPN if the first one goes down.

Do you know if it is possible to "whitelist" some websites or online-games-ports when using openVPN?


Thank you!
 
It depends on what router you are going to use. I am not sure dd-wrt supports the VPN acceleration. I don't even know if they support the NAT cpu bypass in many router platforms. From what I have read this is mostly due to the open license issues. I think currently the only way to get the vpn acceleration on third party firmware is with merlin and that only runs on asus....well officially.

Not sure what you mean. To get it to bypass the vpn it is pretty simple: you mark the redirect internet traffic box as policy rules and key in the list of sites you want to bypass.

The guy "merlin" actually supports this on the small network builder forums. It tends to be your best source of information and he sometimes will directly answer questions.

Eventually on both dd-wrt and merlin you are forced to edit that nasty iptables file by hand for really advanced configurations.
 
Thank you for your reply!

I will ask there and let you know what I come up to.

Do you know how to use vlans or dhcp to prevent devices in 2 houses from seeing or at least crashing with each other?

I made a pic, I think it is easier to understand.

Thank you!!!
 
The switch would need to do any function like that. It depends if you can filter traffic between ports. You could put a rule in that 192.168.50.x ip addresses could only talk to the internet.

You could use vlans but the router would also need to support vlans. It would need 2 different networks defined and 2 different dhcp scopes. You would need to define a tagged port between the switch and the router to carry both vlans.

If the devices you have depicted as radios in the rental houses are actually routers, the NAT function in those devices will prevent users behind the routers from accessing devices behind the other.
 
"actually routers, the NAT function in those devices will prevent users behind the routers from accessing devices behind the other."

That is perfect if it works!

I am thinking about buying one of these switches to limit bandwidth.

What would you choose? :):)

Cisco SG200 SLM2008T.
https://www.cisco.com/c/en/us/support/switches/sg200-08-8-port-gigabit-smart-switch/model.html

Netgear GS108Ev3
https://www.netgear.com/support/product/GS108Ev3.aspx
https://www.amazon.com/NETGEAR-Giga...ywords=GS108E&qid=1552324389&s=gateway&sr=8-1


Thank you!
 
I suspect you know as much as I do. Seems I have not kept up on consumer market gear...I worked in commercial and we never were allowed to use the lower end stuff no matter how much money it saved.

The cisco is much more expensive and I don't see it does much more...at least that you will use. I like things like 802.1x support. Used if you really wanted to lock things down. It requires authentication for every device plugged in, prevents adding switches or routers to a lan.
 
Why not simply have whoever rents the house provide their own internet access when they move in. Unless in a hotel or some apartment building where that is a selling point, I have never run across internet access provided by the landlord. The two apartments I lived in, I had to get my own internet service.

Seems like a lot of work when just saying "when you move in, contact blah blah to get service" will also work.
 
Thank you for your reply!

I have another problem, do you know a solution how to make a "failover" VPN?

If #1 vpn provider is offline, use #2 vpn provider.

I looked with asus wrt-merlin but they didn't have it as default, same with dd-wrt. No answer yet from tomato people.

What would you do?

hang-the-9: I have of course thought about all that, these houses don't have any separate internet connection.