Question Setting up Nest in a multi-family

May 31, 2019
Hello all,

I am in the process of taking over a multi-family and I am adding a bunch of Nest products to each unit. I'm adding Nest doorbells, Nest thermostats, Nest cameras in the common areas and a Nest lock to all five units. The building will have encrypted wifi which all tenants are able to use and they will be paying a monthly fee for the smart home products and secure internet. The building is in a big tech area in Silicon Valley. I've already set up my place with it and it works well.

Any ideas on how to handle this setup effectively? I have the electrician installing them, but I would just need to set up each within their own account. I was thinking of allowing the tenants a Google Hub as well in their units. It will be the first building on our street that is smart home enabled. The units are already rented as well and all will be moving in on July 5th.
 
May 31, 2019
The solo router but the cable company said it's powerful enough to support the whole building. The building itself is only four stories. Each will have separate logins as well. Secure whereas it's encrypted and they have to use their own logins to access Internet in their apt. Wireless only, nothing is wired. However, I was debating if I should add mesh on each level for stronger signals to the top floor.
 
May 31, 2019
The Internet is basically for the Nest services, but they are able to use the Internet if they wish. They are one bedroom apts, so it's mostly professional people. However, I can see what you mean. What do you recommend I do for each apt?

Also, I had the tenants sign an Internet Acceptable Use Policy (AUP) protecting us from any liability for use of the free wifi with no guarantees of privacy.
 

kanewolf

Titan
Moderator
You need multi-SSID WIFI access points with VLANs. You want Apt #1 to be able to interact with apt #1 devices and the internet. How will someone with a TV (that can't use a login) connect that device to YouTube? It doesn't seem like your implementation works for that use-case.
 
May 31, 2019
> You need multi-SSID WIFI access points with VLANs. You want Apt #1 to be able to interact with apt #1 devices and the internet. How will someone with a TV (that can't use a login) connect that device to YouTube? It doesn't seem like your implementation works for that use-case.

Each apt. has their own login to access the Internet. So they select the wifi network, enter in a username and password, and then they are online. If the device doesn't have an ability to login to the Internet, then they'd not have the Internet. Most TVs over the past 10 years have wifi, so I do not think that should be an issue.
 

USAFRet

Titan
Moderator
Adding to the questions...

1. From your description, this appears to be one "LAN". Yes, they each have a username/password. But being a single "LAN", how are the different logins walled off? Can User A see any traffic or resources of User B?
Have you tested this?

2. WiFi only? I can't have any wired devices that talk to the internet? That's an apartment I would not rent.
 

kanewolf

Titan
Moderator
> Each apt. has their own login to access the Internet. So they select the wifi network, enter in a username and password, and then they are online. If the device doesn't have an ability to login to the Internet, then they'd not have the Internet. Most TVs over the past 10 years have wifi, so I do not think that should be an issue.

Yes, they have WIFI which can have a password associated with it. That is different from a login. Maybe your terminology is inaccurate. To me, a login requires a webpage to be displayed and a user to enter data. That is not possible with a TV connecting to YouTube.
 
May 31, 2019
> Adding to the questions...
>
> 1. From your description, this appears to be one "LAN". Yes, they each have a username/password. But being a single "LAN", how are the different logins walled off? Can User A see any traffic or resources of User B?
> Have you tested this?
>
> 2. WiFi only? I can't have any wired devices that talk to the internet? That's an apartment I would not rent.

1) They are walled off by each level. Since they need an SSL login (w/ WPA encryption), Frontier doesn't think the traffic could be read by the other tenants.

2) This is primarily for the smart devices. The Internet access is "complimentary" due to legal and liability reasons. Similar setup with hotels and such. They rented pretty quickly since it's new construction and most loved the idea of the smart devices w/o having to pay the upfront fees to acquire them and install/maintain them.
 
May 31, 2019
> Yes, they have WIFI which can have a password associated with it. That is different from a login. Maybe your terminology is inaccurate. To me a login, requires a webpage to be displayed and a user to enter data. That is not possible with a TV connecting to YouTube.


Possibly. For example, a wifi network would be named building-1-apt-1 with a login of username and password (password would be alphanumeric and have symbols). They select the network and use their provided login to access said network. It's saved in the tv, roku, Amazon Fire, etc. and they are good to go.

I am just debating if there is a way to add mesh to each floor. I recently switched from access points to mesh in my house and the Internet is much more reliable and faster than the old access points.
 
You are going to have to find a way to prevent devices from different users actually seeing each other.

Even if they have different logons they are all on the same network. All, for example, will be assigned IP addresses from the same pool of IPs, say 192.168.0.x. This means they can talk to each other after they log on.

If this was just end user PCs it is not good but the firewalls in the end user devices will protect them from attack. Things like doorbells and thermostats are known for having poor security and it has historically taken them a long time to patch these devices. All you need is one tech-savvy tenant that has a beef with one of his neighbors to do something like mess with the temperature in another apartment.

You need to have a way to keep the traffic isolated between the apartments. You are just asking to get a lawsuit if you mess this up.
 
May 31, 2019
> You are going to have to find a way to prevent devices from different users actually seeing each other.
>
> Even if they have different logons they are all on the same network. All, for example, will be assigned IP addresses from the same pool of IPs, say 192.168.0.x. This means they can talk to each other after they log on.
>
> If this was just end user PCs it is not good but the firewalls in the end user devices will protect them from attack. Things like doorbells and thermostats are known for having poor security and it has historically taken them a long time to patch these devices. All you need is one tech-savvy tenant that has a beef with one of his neighbors to do something like mess with the temperature in another apartment.
>
> You need to have a way to keep the traffic isolated between the apartments. You are just asking to get a lawsuit if you mess this up.

The Internet user agreement waives liability on this, but what would you recommend I add to the network?
 
This comes back to the suggestion about using VLANs. That is the cleanest solution and is best to isolate traffic. You are still going to need a router/firewall that understands VLANs and can run different subsets for each.

If you want to brute force it I would put a router between each apartment and the central network. The tenant should have no access to this device and no access to the main cables going into the router.

You could use Ubiquiti edge routers either as a central router or to act as a router for each. There are models that are fairly inexpensive since they do not have wifi. This may not be your optimum solution since I don't know how you plan to implement the user/password stuff. If you are going to have a server then you are better off using a PC running pfSense. pfSense understands VLANs and is a full firewall and has a captive portal feature that can control access. You can buy preloaded servers with pfSense if you don't want to do it yourself but it is fairly simple.

It all depends on the details on how you implement this.
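
The difference between the single shared address pool and the per-apartment VLAN layout discussed above can be checked on paper before buying hardware. The following is an added example, not part of any post in the thread and not any vendor's configuration; the 10.20.0.0/16 range, VLAN IDs starting at 101, SSID names and device addresses are all constructed assumptions.

```python
import ipaddress

# Flat layout described in the thread: one shared pool for the whole building.
FLAT = {"building": {"vlan": 1, "subnet": ipaddress.ip_network("192.168.0.0/24")}}

def build_plan(units, base="10.20.0.0/16", first_vlan=101):
    """One VLAN, SSID and /24 per apartment (all values are assumed examples)."""
    subnets = ipaddress.ip_network(base).subnets(new_prefix=24)
    next(subnets)  # keep the first /24 free for management
    plan = {}
    for i, unit in enumerate(units):
        net = next(subnets)
        plan[unit] = {"vlan": first_vlan + i, "ssid": f"apt-{unit}",
                      "subnet": net, "gateway": next(net.hosts())}
    return plan

def zone_of(plan, ip):
    """Name of the segment an address belongs to, 'internet', or None."""
    addr = ipaddress.ip_address(ip)
    for name, cfg in plan.items():
        if addr in cfg["subnet"]:
            return name
    return "internet" if addr.is_global else None

def allowed(plan, src, dst):
    """Policy: same segment or outbound to the internet; all else is dropped."""
    s, d = zone_of(plan, src), zone_of(plan, dst)
    if s in (None, "internet"):
        return False            # nothing unsolicited comes in from outside
    return d == s or d == "internet"

def cross_unit_leaks(plan, owners):
    """owners maps device IP -> apartment; list reachable pairs that cross apartments."""
    return [(a, b) for a in owners for b in owners
            if owners[a] != owners[b] and allowed(plan, a, b)]

if __name__ == "__main__":
    vlan_plan = build_plan(["1", "2", "3", "4", "5"])
    # Constructed sample devices: a laptop in apt 1, a thermostat in apt 2.
    print(cross_unit_leaks(FLAT, {"192.168.0.21": "1", "192.168.0.37": "2"}))
    print(cross_unit_leaks(vlan_plan, {"10.20.1.50": "1", "10.20.2.50": "2"}))
```

On the flat pool both devices land in the same segment, so separate logins do not stop them reaching each other; with one subnet per apartment the same policy reports no cross-apartment paths.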
 
May 31, 2019
> If Tenant A is compromised by Tenant B, a judge may not be in agreement with that 'waiver'.

Seems to hold up with the hotels, and our attorney seems to feel the agreement is solid, since his firm wrote it. In addition, we have a cyber insurance rider on the insurance policy as well. However, Frontier has an enterprise managed wi-fi solution which I am looking into as well.
 
May 31, 2019
> If you're using the same sort of infrastructure as a hotel, sure.
> From your description, that did not seem to be the case.
>
> "Insurance" does not really help if my data is compromised and released by the asshat in Apt 2A.

There is a firewall, and each apt has their own login. It is not a shared login that all have access to. Our cyber insurance policy does protect against hackers and DDOS.
 
May 31, 2019
I have confirmed with the Frontier tech support that there is a firewall and each unit has their own login. In addition, unit A wouldn't be able to read unit B's traffic.
 
