[SOLVED] Splitting one internet connection to 3 apartments ?

Sep 3, 2022
14
0
10
I would like to split one internet connection to 3 apartments and create 3 separate networks independent from each other.

I will be using one outdoor 4g LTE modem and at the moment I have 2 scenarios in mind:

1. The modem is connected to a master router, which then connects to 3 slave routers.

The slave routers are where users of each apartment will be connected to, both wired and wirelessly, while the master router only handles the 3 slave routers.

So my question for this scenario... does the master router need to be modern, capable and fast? Or will any old reliable router do? Does it handle all the traffic, or does it only ''see'' the 3 slave routers?

For the 3 slave routers I have 3 xiaomi ac2350s in mind.

2. In this scenario, the modem is connected to a switch, on which the 3 xiaomi ac2350s are connected. Is this even possible to share one internet connection like that?
Thanks in advance

Stavros
 
In general the design is correct but it tends to be a risky thing to do if you have no control over what the people in the apartments do. If someone were to do something bad with the internet you might get the account canceled and worse the police could show up and your excuse of "it wasn't me" will not be believed so much.

So the connection would go ----signal---modem---main router----3 remote routers.

Not sure you need a switch; it depends on how many ports the main router has. You likely want to disable the wifi on the main router. You need to make sure you use different subnets on the network between the routers and the network to the end users. I.e. use 192.168.1.x and 192.168.2.x depending on what is used by default in your routers.

Using routers like this will prevent people in one apartment from hacking on people in another.

4g connections tend to be rather slow and with no control over how much bandwidth or what the users are doing you can run into issues. It only takes 1 teen running torrents to kill your connection and put you at legal risks.
 
I was thinking of using a ''spare'' tp-link TD-8970B as ''master'' for scenario 1. Would that be viable?
Does the master router handle all the traffic, when the slave routers (not access points) is where users connect to? That is the main question for scenario 1
 
I would look into 3 individual Access Points for the 3 apartments instead of getting routers for each apartment. What is the primary router's make and model?

That is an option too, but I don't want the users of one apartment to be able to ''see'' the ones in the other. So for example, if you were to cast your phone to the tv, the neighbour's tv wouldn't/shouldn't show up too. Would an old TD-8970b be up to the task of the master router? Then use the Xiaomi AC2350s as slaves (not access points)?
 

falcon291

I would like to split one internet connection to 3 apartments and create 3 separate networks independent from each other.

I will be using one outdoor 4g LTE modem and at the moment I have 2 scenarios in mind:

1. The modem is connected to a master router, which then connects to 3 slave routers.

The slave routers are where users of each apartment will be connected to, both wired and wirelessly, while the master router only handles the 3 slave routers.

So my question for this scenario... does the master router need to be modern, capable and fast? Or will any old reliable router do? Does it handle all the traffic, or does it only ''see'' the 3 slave routers?

For the 3 slave routers I have 3 xiaomi ac2350s in mind.

2. In this scenario, the modem is connected to a switch, on which the 3 xiaomi ac2350s are connected. Is this even possible to share one internet connection like that?
Thanks in advance

Stavros
4G LTE modem. Does your phone company provide limitless Internet? It can be limitless but they may also have written in small letters that abnormal usage can be punished.

How many users are we talking about? You must somehow limit the bandwidths, so that if one of the users starts downloading Flight Simulator packages, other users will be unable to use Internet. I know because when I did that yesterday, my wife could not use Netflix. I have a decent VDSL connection 70 Mbit or so. But still with bigger bandwidths it is an issue.

It is not as simple as that.
 
In general the design is correct but it tends to be a risky thing to do if you have no control over what the people in the apartments do. If someone were to do something bad with the internet you might get the account canceled and worse the police could show up and your excuse of "it wasn't me" will not be believed so much.

Yes but is it not the same with the internet access in a hotel?

4g connections tend to be rather slow and with no control over how much bandwidth or what the users are doing you can run into issues.

Unfortunately the sole internet provider of the remote area wants 1200 euros to run a cable to the apartments, and promises a speed of 30 - 50 mbps at best. I'm getting around 100mbps on 4g, depending on weather.

Not sure you need a switch; it depends on how many ports the main router has.

In scenario 2 I was thinking of skipping the master router altogether and have the Xiaomi AC2350s connect to a switch, then on to modem.
So, modem - switch - 3x Xiaomi AC2350s. Is that possible?
 
All the traffic must pass through the tplink router. Although it won't see the individual end user devices since they will be hidden by the other router, the traffic will still pass through the tplink. To some tiny extent this will reduce the load on the main router since it does not have to deal with giving out ip addresses etc to the individual devices. It still must keep track of all the open sessions etc, they just come from few IP addresses.

In general that router like most will be able to pass 1gbit of traffic wan/lan. The bottleneck will not be the router it will be the total bandwidth you have on the LTE connection.
 
Hotels in general have fancy monitor software so they can track traffic back. This is why many require you to put in some credentials. They generally log all the mac addresses and where they are going to some extent.
They have learned that bad people go around using open connections. Only takes one police investigation into why child porn was posted from their account/IP to get most businesses to not offer completely open wifi.

For scenario 2 it all depends on what the box that connects to the LTE signal is. If it is a router then you do not need your main router. If it is a modem then you are only going to get a single IP and need a router to share this IP with your 3 other routers.

Part of the reason the ISP charges so much, other than they are greedy, is they are doing it securely. They know which apartment is sending which traffic and keep logs for a while. The ISPs too have learned telling the police/government "it wasn't me" does not work.
Depending on the country there are many laws regarding this. This is why you see vpn services that claim no logging set up in countries where they can get away with not keeping logs.
 
Solution
4G LTE modem. Does your phone company provide limitless Internet? It can be limitless but they may also have written in small letters that abnormal usage can be punished.

How many users are we talking about? You must somehow limit the bandwidths, so that if one of the users starts downloading Flight Simulator packages, other users will be unable to use Internet. I know because when I did that yesterday, my wife could not use Netflix. I have a decent VDSL connection 70 Mbit or so. But still with bigger bandwidths it is an issue.

It is not as simple as that.

Yes the phone company provides limitless internet with no restrictions on speed. Tried and tested for a couple of months on my mobile now. We are talking 15 occupants max. I plan to use QOS bandwidth restrictions on master router for each individual slave router in scenario 1

Or QOS bandwidth restrictions within the 3 routers in Scenario 2.
 
Be very careful running QoS, it puts a huge burden on the CPU of the router. In addition it disables the key feature that makes routers be able to pass gigabit rate traffic. Most routers have a feature that allows the NAT function to be done off the main cpu in hardware asic chips.
When you run QoS the CPU must see all the traffic so in addition to the load from the QoS it now must also do the NAT function.

It may not be a huge issue if you are getting less than 100mbps on the LTE but you need to watch the CPU. I have not looked into what features that tplink router has. Some are pretty advanced and others have stupid high/medium/low stuff which is worthless.
You likely have even more issues if you go to scenario 2 if you plan QoS. The LTE router might not even have any QoS ability.
 
For scenario 2 it all depends on what the box that connects to the LTE signal is. If it is a router then you do not need your main router. If it is a modem then you are only going to get a single IP and need a router to share this IP with your 3 other routers.

This answers my question in regards to scenario 2, i.e. not possible. Thank you!


Be very careful running QoS, it puts a huge burden on the CPU of the router. In addition it disables the key feature that makes routers be able to pass gigabit rate traffic. Most routers have a feature that allows the NAT function to be done off the main cpu in hardware asic chips.
When you run QoS the CPU must see all the traffic so in addition to the load from the QoS it now must also do the NAT function.

It may not be a huge issue if you are getting less than 100mbps on the LTE but you need to watch the CPU. I have not looked into what features that tplink router has. Some are pretty advanced and others have stupid high/medium/low stuff which is worthless.
You likely have even more issues if you go to scenario 2 if you plan QoS. The LTE router might not even have any QoS ability.

In regards to QOS, assuming that I will adopt scenario 1, I was planning to assign 30mbps to each of the 3 slave routers and set the rule on the ''master router''. I suppose I could also set a limit of 30mbps from within the slave routers too. I was only worried that if I only set the limit on the slave routers, a simple reset performed by the occupants would remove the limit.
What do you think?
 
It depends on the firmware on that tplink. It would be nice if tplink actually ran the same firmware across their line like asus does but they only "mostly" do that. The more advanced forms of QoS on tplink allow you to set a maximum rate by IP address.

Note if you are worried about them resetting the router there really is nothing that prevents them from say removing the router and connecting other things and/or setting other IP addresses to bypass your QoS restrictions.

What you are doing is becoming an ISP and using equipment that is not really designed with the security as its primary goal. ISPs do all kinds of stuff to prevent people from causing damage to their network and other users as well as prevent unauthorized connections.
 
It depends on the firmware on that tplink. It would be nice if tplink actually ran the same firmware across their line like asus does but they only "mostly" do that. The more advanced forms of QoS on tplink allow you to set a maximum rate by IP address.

Note if you are worried about them resetting the router there really is nothing that prevents them from say removing the router and connecting other things and/or setting other IP addresses to bypass your QoS restrictions.

What you are doing is becoming an ISP and using equipment that is not really designed with the security as its primary goal. ISPs do all kinds of stuff to prevent people from causing damage to their network and other users as well as prevent unauthorized connections.

Fortunately, the apartments are purposed for holiday accommodation so no long term occupants. This means that any alterations to the network will be remedied within one or two weeks. Also, I don't know many average Joes that carry routers on holiday, although I am sure, a few and far between people do.

So to summarise, best solution is: outdoor 4g lte modem - master router (tp-link) - 3 x slave routers (xiaomi) in parallel connection lan to wan and cross fingers the TP-link can handle the load of around 100mbps connection.
 
Use a proper router designed for this purpose, software such as pfsense will allow full control of your three networks from the main router, you can log all traffic and set bandwidth controls. Simple access points are then all that's required in the apartments.

Proper router, any suggestions?
Pfsense looks interesting and very potent, but won't that need a computer constantly on to run? I think that is a bit of an overkill, when all I'm trying to do is split 100mbps to 15 people as equally as possible.
 

USAFRet

when all I'm trying to do is split 100mbps to 15 people as equally as possible.
15 people.
And all their devices.
And all their friends and their devices.

You may be looking at 30+ devices connected to this.
A couple of them maxing out their torrent connection, a couple of others watching movies.
Then big game downloads....

At times, this network is going to choke.
 
15 people.
And all their devices.
And all their friends and their devices.

You may be looking at 30+ devices connected to this.
A couple of them maxing out their torrent connection, a couple of others watching movies.
Then big game downloads....

At times, this network is going to choke.

100% guaranteed, that's why I thought of limiting the bandwidth to 30mbps on each apartment, regardless of whether all three are occupied or not. Might have to do it with the upload also. Otherwise, one will be streaming 4k and the other won't be able to even access their emails or simply open websites. It's happened to me at hotels a few times
 
It depends on the firmware on that tplink. It would be nice if tplink actually ran the same firmware across their line like asus does but they only "mostly" do that. The more advanced forms of QoS on tplink allow you to set a maximum rate by IP address.

Note if you are worried about them resetting the router there really is nothing that prevents them from say removing the router and connecting other things and/or setting other IP addresses to bypass your QoS restrictions.

What you are doing is becoming an ISP and using equipment that is not really designed with the security as its primary goal. ISPs do all kinds of stuff to prevent people from causing damage to their network and other users as well as prevent unauthorized connections.


I played around with the old Tp-link for a little bit... So, I can do mac address binding, and guarantee that the slave routers will be getting the same IPs always. Then create QOS rules setting max bandwidth, both global and on each of the 3 IPs. That way, even if a reset is performed, which is unlikely, their mac address is still the same, and as a result, the slave routers will still be under the TP-link's QOS rules, even if their own rules have been reset.
 
Almost all routers let you key in whatever you want for mac addresses. In addition that is only the DHCP if they override the IP your main router will still accept a different IP tied to that mac address. You would have to set static ARP entries which almost no consumer routers allow.

It is very trivial to bypass what you have setup.

The only way to prevent it would be to block all ip other than those 3 and then lock the mac addresses to those IP. Not sure you can do that with a consumer router and even if you can it might put such a load on the cpu that it slows down too much to be usable.

A consumer router is not designed to prevent intentional abuse, it has a very basic function and assumes you do not have someone attempting to bypass the restrictions.
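
An added example (not part of the posts above and not taken from any router's firmware): a Python check for two points made in the replies, that the network between the routers and the apartment networks must use different subnets, and that a DHCP reservation alone does not stop a device from showing up on another IP. The address plan, the MAC addresses and the two-column ARP listing are all constructed for illustration.

```python
import ipaddress

# Constructed address plan (assumption, not from the thread): the transit
# network between main and apartment routers, and each apartment's LAN.
TRANSIT = ipaddress.ip_network("192.168.1.0/24")
APARTMENT_LANS = {
    "apt1": ipaddress.ip_network("192.168.2.0/24"),
    "apt2": ipaddress.ip_network("192.168.3.0/24"),
    "apt3": ipaddress.ip_network("192.168.4.0/24"),
}
# Constructed reservations: apartment router WAN MAC -> reserved transit IP.
BINDINGS = {
    "02:00:00:00:00:a1": "192.168.1.11",
    "02:00:00:00:00:a2": "192.168.1.12",
    "02:00:00:00:00:a3": "192.168.1.13",
}
# Constructed "IP MAC" pairs as copied from the main router's ARP table.
SAMPLE_ARP = """\
192.168.1.11 02:00:00:00:00:A1
192.168.1.50 02:00:00:00:00:a2
192.168.1.13 02:00:00:00:00:ff
192.168.1.77 02:00:00:00:00:ee
not-an-entry
"""


def plan_conflicts(transit, lans):
    """Names of apartment LANs that overlap the transit network."""
    return sorted(name for name, net in lans.items() if net.overlaps(transit))


def audit_arp(text, transit, bindings):
    """Return (ip, mac, finding) for every transit host that breaks a binding."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed rows
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        mac = parts[1].lower()
        if ip not in transit:
            continue
        expected = bindings.get(mac)
        if expected == str(ip):
            continue  # reserved pair, nothing to report
        if expected is not None:
            finding = "known router on non-reserved IP (per-IP limit not applied)"
        elif str(ip) in bindings.values():
            finding = "reserved IP used by unknown MAC"
        else:
            finding = "unknown device on transit network"
        findings.append((str(ip), mac, finding))
    return findings


if __name__ == "__main__":
    print("overlapping LANs:", plan_conflicts(TRANSIT, APARTMENT_LANS))
    for row in audit_arp(SAMPLE_ARP, TRANSIT, BINDINGS):
        print(*row, sep="  ")
```

This only reports mismatches after the fact; it does not enforce anything on the router.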
 
Almost all routers let you key in whatever you want for mac addresses. In addition that is only the DHCP if they override the IP your main router will still accept a different IP tied to that mac address. You would have to set static ARP entries which almost no consumer routers allow.

And I thought mac address binding/ip reservation, would mean that always the same internal ip is given to a certain device / mac address.

The only way to prevent it would be to block all ip other than those 3 and then lock the mac addresses to those IP. Not sure you can do that with a consumer router and even if you can it might put such a load on the cpu that it slows down too much to be usable.

That is a very good idea. Thank you!! Mac address filtering is also an option I've seen in the Tp-link. So I will have it accept only 5 mac addresses, the 3 slave routers plus 2 of my devices for set up purposes.

I do understand that I am using simple padlocks and not a bank vault here, but I expect people on holiday to be having better things to do than hack the network, just to get some extra bandwidth out of it
 
By the way bill001g could you suggest an affordable master router, recommended for this scenario? Also, would you use services like No-IP to restrict things like porn/torrents etc? I have tried in the past but most times it didn't work for me. Any ideas?
 
As mentioned by someone early in this thread you can use a dual nic pc running something like pfsense or other firewall software. This has the most ability to filter traffic and since it is a pc you don't worry too much about the cpu. Hard to say how big a cpu you would need.
It really is nothing too special. You need very little memory, it can run from disk rather than ssd, it can use a cpu with onboard video since you will likely not have a monitor connected after it is running. The only special thing would be you need to have an extra ethernet card which costs about $15. This solution would even allow fancy stuff like captive portals used by hotels to force authentication before allowing use.

Not sure about no-ip I thought that was a dynamic dns thing or does it also attempt to filter.

DNS filters are pretty much worthless because the user can change them on his pc and you no longer can even block other DNS servers because of the use of encrypted DNS. Encrypted DNS is designed to pass through firewalls and prevent spying on the traffic by say the government but it prevents everyone from doing this. Pretty much you can only filter by IP address and that may have limited use since a lot of sites now use cloud services that share many servers on the same IP and map back to large providers like amazon or cloudflare.

You can to a point block torrents by only allowing say web traffic but this would also block online games. Torrents though have been designed to bypass blocking methods used by ISPs. They can run on web browser ports but the performance is not real good.