Need help with bandwidth management . . . on limited funds.

I will try to be concise, while providing adequate info.

I handle IT for a property management company that recently took over management of an RV park. This park provides wireless internet for the residents. Currently, the wireless system consists of 3 ez3 APs mounted on poles at the front, middle, and back of the park, each connected with a cat5e home run that plugs into a 10/100 unmanaged switch that connects to a Linksys WRT54G rev 2 that I flashed with dd-wrt r23 sp2. The internet pipe is a T1 provided by a local LEC. We estimate that during the summer the network will need to support 30-50 users.

There are several strategic considerations that need addressing, and the first one in my opinion is bandwidth management. Just in the last 2-3 days we've seen the internet speed drop to a crawl when one or two users start hogging bandwidth with what appear to be massive downloads. The status tools in the APs showed download/upload ratios on these users in the 20/1 range. I've got to find a way to impose QoS on the network.

But a big issue for the company right now is cost, so I have very little budget to work with. So, if possible, I need to use whatever free and low cost solutions I can come up with.

Thank you for any assistance. Please let me know what information I've left out.

JM

Reply to
JM

BTW - can you get anything besides a T1 ?? Wonder what the cost of the T1 is compared to say DSL or cable ?

Reply to
ps56k

Refer to

It would appear as if some users are doing big downloads and setting the priority to BULK may let them use bandwidth remaining from other "normal" users. Quite a bit of tuning is available in the QoS section of DD-WRT. You may also wish to upgrade to RC6 or 7.

It may be necessary to impose some user restrictions to basic browsing and emails and no bittorrent or streaming videos etc. In a shared public arena, this is not unreasonable. Again DD-WRT is very good.

Peter

Reply to
Pierre

DSL has a flat rate pricing (but a TOS prohibiting sharing out your connection). Depending on the speed, it's priced generally from $30 to $90 per month for 1.5 Mbps to 10 Mbps.

T1 is distance priced. In a large city, it can be had for around $300 per month. But fifty miles from that city, it may cost upwards $600 per month.

Reply to
DTC

That was a specific question about what the OP can get in their area, not a generic educational question....

BTW - you might try going to McD's, Starbucks, Panera, etc... and see with a Ping and/or Speedtest to the outside world, what kind of service they are using and "sharing" with their customers. Does it test out as symmetrical (T1) or not (DSL/cable)?

Reply to
ps56k

Old version. Please re-flash with DD-WRT v24 RC6.2.

I suggest the dd-wrt.v24_generic_nokaid.bin version. The bandwidth management (QoS) is much better in v24 than in v23:

Ouch. That's possible, but not likely. All it takes is one P2P user, and they will saturate all your available outgoing bandwidth. At least the T1 is symmetrical, so it handles more outgoing traffic than a DSL line, but it still can be killed by just one user. What you're really looking for is not bandwidth management. You're looking for applications control or abuse management. That's not easy.

These daze, users are accustomed to a minimal DSL line with a 1.5Mbit/sec download limit. That's the same as your entire T1 with 30-50 users. Even if you succeed in balancing the load among these 30-50 users, the average performance will be so low, that you're certain to have 30-50 complaints. What you probably consider abuse, it's common practice on their home connections. I suggest you consider either a bigger pipe, faster connection, or multiple connections using a load balancing router.

Yep. Slimbox downloads of videos. IPTV (watch TV on your computah). You might consider sniffing the traffic to identify the exact type and source of the traffic.

That's not P2P file sharing. That's probably IPTV or downloading videos. Any clue as to the approximate number of MBytes or what IP's or URL's are being used? That should give a clue as to what you're dealing with.

The QoS built into the WRT54G with DD-WRT firmware will prevent saturation but will not stop the abuse. It's easy enough to throttle specific connections. However, with 30-50 simultaneous users, no amount of throttling is going to make everyone happy.

  1. Number of active users. I suspect that there may be 30-50 connections, but they are not all active at the same time.
  2. Is there a PC available to do monitoring?
  3. Is everyone connected via wireless or are there wired connections? If wireless, I don't think you are going to be very successful at distributing more than a T1 to the RV park. If you have conduit in the ground, or CATV coax to the utility connection, you might consider going wired instead of wireless.
  4. Are all the wireless connections authenticated or is it a free for all? If open, are you sure that all your users are your RV park residents and not the neighbors? Do you have a RADIUS server? Note that DD-WRT v24 includes various built in hotspot front end features, but requires an external RADIUS server (or service) for authentication.
  5. Are you prepared to bill for excessive bandwidth use? That's the only counter incentive I can offer for clueless users that think they own the entire T1.
Reply to
Jeff Liebermann

Duh. I didn't notice that RC7 was out. Try:

instead.

Reply to
Jeff Liebermann

I first used v24 RC5 on a WRT54G v8, but swapped in the v2 with r23 sp2 when I mistakenly thought the v24 RC5 was not port forwarding. Since my post I rectified the problem and put the other back in. I'm interested to see what changes accompany the RC7. Thanks for the suggestion.

All the above, actually. I'd like to have a method of capping each connection, but I'm sure the equipment to accomplish that is not "free or low cost." I've worked a couple of hours today with the v24 RC5 firmware's QoS lan port settings, and I cannot get anything consistent. Theoretically, I should be able to connect each of the 3 APs into one of the router's switch ports and limit the bandwidth per port (the settings are 256k/512k/1m/10m/100m). However, this does not provide me "per connection" bandwidth limiting - only "per AP" - and, besides, the lan settings don't seem to work by the numbers. It does have some effect, but not in any precise way.

As for applications control, can that be accomplished to any significant degree by port filtering? Is it realistic that I could sniff the network over time and identify ports that typically are used for things like music and video downloads and then block these ports? Are these ports consistent, or do they differ according to the particular service, vendor, client software, etc?

I broached the topic of more bandwidth the first day I got involved. The LEC that provides the T1 can bring in "business class" ADSL circuits for about $80/month (the T1 costs about $350/month). I think the DSL is 4mb/1mb or so. I like T1s, from a network admin standpoint, but I'm not sure it's the best solution in this case. It's an easy sell for the LECs, because it's a dynamic pipe that carries the voice and data. The LEC provides an IAD (fancy channel bank) and breaks out two connections - one that terminates on a RJ-21'ish block for the phone system and a 10/100 port for the customer router. It's a good product, and I've had good experiences with it for other customers, especially those with bursty voice traffic. But this RV park almost never has more than two voice lines going at one time. It has occurred to me that we could get 3-4 copper lines (at ~35 per) and ~3 DSL circuits for what they are paying for the T1. See, part of the thought process for the T1 (they used to have 2 with a different provider) was to provide the guests with phone lines. However, it just hasn't materialized. Everyone has cell phones, and almost no one needs a dial up or fax line. There is a fax in the main office for public use.

Or music. I've got a Sonicwall SOHO3 that actually provides very good data of this type. I can stick that in there and watch for a few days.

That's what I think, too. FWIW, the 30-50 estimate may be a little high, but still the point remains if the actual use is 20-30 or similar. That's potentially way too much for a T1. Something I've given thought to this weekend is an AUP (acceptable usage policy) that is at least posted in the office, if not made part of the guest contract. Is it realistic that we whitelist the open ports? I simply don't know enough about the range of services "needed" for such a population of users. Can one limit the available internet traffic to "the basics?" Is there such thing?

Well, that's an interesting thing. While monitoring the connections it appears that many of the connections stay alive constantly, but the internet usage is "on and off." In other words, I see some MAC addresses maintain a wireless connection over a period of hours, but the behavior of the user seems to be on-off, on-off, on-off. I guess this is not so different that most networks, but it seems like these residents keep the internet up all the time, and periodically use it for something specific. These kinds of connections are the usual, and they don't seem to be problematic. It's the users that obviously are downloading content that are the killers.

Yes.

The original plan was for both. Conduit is available for the purpose, but no further network wiring is to be done. There is coax at every "pad" for TV. I'm relatively sure management is locked into wireless. I do not think they will consider other options, as long as a solution to the immediate challenge is within reach.

The latter, which is regrettable, in my opinion. But management claims that security measures would be confusing to this particular user population, and they don't want to give any reason for these users to go elsewhere.

I am not sure. To the contrary, I'm sure that we've basically built a free WISP. FWIW, this park is relatively isolated, but as we know, it only takes 1-2 abusive users to wreck the whole thing. I'm starting to see some kind of authentication as a necessity.

Not at this time, but I could provide one.

I'm sure I couldn't get this approved.

Thank you for the discussion.

JM

Reply to
JM

This is a good line of thought and it figures into my strategy. Please see my description in my reply to Jeff below.

Thank you,

JM

Reply to
JM

Good suggestion, thank you.

JM

Reply to
JM

I have been working with these settings in r23 and r24 RC5, and hopefully they are more accurate in RC6 or 7. The bandwidth settings are not very useful, as they don't seem to produce anything specific, but the categories (bulk, premium, etc) seem to prioritize pretty well.

I completely agree. That's what I was getting at in another post when I mentioned "whitelisting" the ports/services. My main concern is related to the handful of serious business people who come through. These people tend to be reasonable, relatively computer savvy professionals who expect unfettered access to the internet. I have never researched the range of ports they would need to have open to avoid frustration and complaints.

Thank you,

JM

Reply to
JM

If they're that "serious" then they'll have their own means of making connections to the internet. You're on a fool's errand if you think catering to these folks will buy you much. You're far better off maintaining a stable baseline of basic services. Just doing THAT is a full-time job.

Port forwarding from the outside-in is less than trivial if you want to connect inward to more than just one computer. It involves multiple external IP addresses or internal proxying systems (and this is GREATLY oversimplifying it).

There's also a good no-tech way of dealing with bandwidth abuse. Throttle their connections such that it looks like the service is unreliable. Pretend incompetence when they come calling to bitch about it. Sometimes it's better to have them think you're a fool and the setup is worthless rather than have their abuse drive you crazy. This is assuming it's a "free" service. Once you start taking money from folks for it your headaches enter a whole new range of complexity.

Reply to
Bill Kearney

Search Google for "bandwidth manager" or "bandwidth management". There are a variety of Linux based solutions that will work. I've used DummyNet:

for bandwidth management. The big problem is optimizing the configuration for the traffic mix. That's neither easy nor cost effective as it's impossible to predict the type of traffic and number of users in your obviously transient user setup. One P2P user will break the system if they know a few tricks. There are lots of articles on the web on how to configure various QoS applications. What you'll soon find is that few of them agree with each other. That's because everyone's situation is different.

There's a point where all this network management will outgrow the capabilities of the WRT54G and DD-WRT. You're already at a disadvantage by using the v8 hardware, which is lacking in sufficient RAM to do much. I suggest you get a GS version with enough RAM to add some additional applications that might be useful (i.e. MRTG). It's also possible that you might be maxed out already. If there's any growth planned, you might consider a better router (i.e. Cisco) with much better system management and monitoring features. This would also be a good time to separate the wired from the wireless parts of the puzzle and switching to brain dead wireless access points and wired connections.

The author of DD-WRT decided to sell a commercial version of DD-WRT and reserved the "per-connection QoS" feature for the commercial version. I really don't know much about it other than Buffalo licensing the firmware and supplying it with some of their products.

No. Some of the P2P applications use common ports. If you throttle them by port number, you clobber the common applications. The only effective way is to throttle by content which requires sniffing. A few P2P apps have well known ports, but they are becoming the exception.

You might want to look at the Hughesnet FAP (fair access protocol), which has the same problem. How does one share a limited satellite backhaul, with an inordinately large bandwidth demand.

No. That's because some apps and users change port numbers if they suspect they're being throttled. For example, BearShare, Limewire, Morpheus and ToadNode all can use any port number to communicate.

Some use static port numbers, but most cannot be blocked by port number.

Backwards. Ask about active user count and customer expectations. That will determine the required bandwidth. The problem with P2P is that it will saturate ANY amount of bandwidth you supply. If you give them an OC-192, they'll fill it up.

Old rule of thumb for how many users can share a T1:

  - 100 light users
  - 10 business users
  - 1 file sharing user

Unfortunately, it's true.

It's probably a 6Mbit/sec by 640Kbits/sec DSL line, which will yield about 5Mbits/sec download, and 570Kbits/sec upload.

That's NOT a T1. That's an HDSL line:

Watch out for the 100VDC or so on the line.

Yep. Very low latency with committed bandwidth. No sharing on the backhaul makes it great for VoIP.

Or, you can just get a fat pipe of some sorts and switch all the phone lines to VoIP. If the line can do G.711, fax will work. If you compress with G.729, the fax will screw up. There are specialized FAX over IP services available. Or, just use eFax and be done with it.

Streaming or downloading? I stream music almost continuously on my connection. About 100kbit/sec continuous download is not even noticeable on a 1.5 or 3Mbit/sec DSL line. If they're downloading music, then it's just another aspect of P2P file sharing.

Nope. If my coffee shop customers are any example, I see 30 laptops online all the time. I have no problem sharing a 3Mbit/sec DSL line with 30 connections. I can't do that with 30 active users, but most of the machines are just idle and doing nothing most of the time. I just checked one of the busier coffee shops. 38 leases assigned. 17 active users. Average bandwidth use over the last hour is about 200Kbits/sec. Peaks to about 600Kbits/sec. Hardly being used at all. Incidentally, DD-WRT v24 RC6.2 has cute graphs of the traffic usage on the status page.

Well, I lied. I just looked again and the incoming traffic is up to 1.4Mbits/sec. Looks like someone is furiously downloading something. I expected to find one user doing a big download. Instead, I find 3 users watching what appears to be YouTube videos. Sigh.

Not really. It depends on what the customers are expecting. If they're paying for access, they'll complain. If it's "free" or part of the hookup, then they'll take whatever they can get. The easiest way to know for sure is to install it with a limited bandwidth connection and see if there are any complaints. If not, leave it.

I've written (actually plagiarized) 3 different AUP/TOS documents. I promised myself I would never do another.

No, because you can't. Unless you're planning to deliver (or alias) routable IP's to all the users, you can't open ANY ports on the router to the clients machines. That means no servers of any kind. It also breaks a few applications. You can get blocks of 32 IP's from some ISP's, but what a waste of money for transient users.

That's what your traffic analysis will show. If it's like the wild wild web, 75% of the bytes will be to/from P2P applications.

Yep. The easiest and messiest way is to use a SOCKS5 proxy server. Only those applications that are allowed will go through the proxy server. Each application has its own configuration line. Whatever is not specifically allowed is blocked. Your clients will hate you, the phone will ring constantly with complaints, and you will spend many a sleepless night fighting the configuration. It won't work anyway because it's essentially white listing by port number, and many P2P applications can effectively spoof common applications.

In my never humble opinion, you really only have two options:

  1. Sniff traffic and either block or throttle by content. Maybe some port blocking for obvious problems (i.e. port 25 to prevent users from becoming spammers).
  2. Throttle by user count to ensure there's always some overhead left for ACK's. If there's only one user on, they get the whole pipe. If there are 10 users, each gets 1/10th. Fair share and all that.

Duh. That's normal. Right now, I have 5 wired and wireless connections to my router. All (but one) show up on the MAC address list. None of them are generating any traffic. Ooops, one of my neighbor's machines just came alive with what looks like a periodic check for email.

Actually, if you have the DHCP leases saved to NVRAM, the MAC to IP address mapping will be essentially permanent. I was wondering why I was seeing 200 users connected, and eventually figured out that they were long gone, but their DHCP leases were still in memory. Uncheck the box "save DHCP leases in NVRAM" on DD-WRT or you'll rapidly run out of DHCP assigned IP's.

Yep. That's why it's called a "full time" connection. No dialing required.

Nope. Users *DOWNLOADING* isn't as much a problem as *UPLOADING*. The asymmetrical nature of the DSL line makes uploading bandwidth far more important than the larger downloading bandwidth. If the upstream is saturated with P2P (server) content, the ACK's will not be received by the various internet servers and they will try to resend whatever the users are looking at. Or worse, they will time out the connection even if there's downstream bandwidth available. This is why you always want to preserve some upstream bandwidth.

Use it to monitor the existing connections. MRTG, RRDTool, various SNMP monitoring tools, traffic sniffers, security monitors, etc.

Wireless sucks for 30-50 full time users in a confined area. It can be done but 802.11 was never designed for that application. I can list a few failure scenarios if you want. The easiest is that one leaky microwave oven will take down the entire system.

Coax cable is a good thing. If the park has conduit, run CAT5. If not, share the coax with one of several available products:

(TVNet/C) Worst case, lease a bunch of cable modems and get a contract with the local CATV provider. Rent them to the visitors (with a suitable deposit to cover the $200 cost per box).

No, it's fatal. You cannot efficiently run, manage, or otherwise operate a wide open system. You need some sort of security for the paying and authorized users. If that means a RADIUS server with WPA-RADIUS encryption and authentication, then that should be high on your priority list. Who knows.... perhaps your traffic will drop when you kick off the free loaders.

Since when is a user name and password on a splash page confusing? I can't believe that this would inspire a camper/trailer to go elsewhere. If nothing else, the lack of wireless encryption will expose them to sniffing issues, which is far more serious than some theoretical "confusion".

Look at the various hot spot software included in DD-WRT (Services -> Hotspot). I kinda like ChilliSpot, although WiFiDog seems easier to setup. You'll eventually need an external RADIUS server for authentication.

Fine. If you don't want to go through the trouble of securing your mess, then there's no reason to be optimizing the traffic. Leave it wide open, and may the most persistent user win all the bandwidth. Never mind that it will be effectively useless for any of the guests. Either do it right (encryption, security, traffic management, monitoring), or just let it free run.

Yep. Are you aware that a good size 24dBi dish antenna can connect effectively over a distance of a mile or more?

You'll need it for authentication. You could use an online RADIUS authentication service until you get one setup:

I've got an internet connected RADIUS server running that I use for testing at some of my customers hotspots. It's not really reliable enough yet but shows possibilities.

If you had a monitoring station that will generate a per-computer traffic report, you could bill for abuse and overuse. This would be an alternative to traffic management. Just let them do whatever they want and bill them when they screw up. It's not a popular method, but it works well if applied diplomatically. A friend's apartment building wireless network works this way. He posts the monthly traffic summaries so that everyone can see who's hogging the wireless. Needless to say, even the teenagers have begun cooperating.

Good luck. I think you're about to make a few major mistakes. You really have no clue as to the number of active users, their traffic patterns, or their expectations. You've also failed to investigate the alternatives to wireless. The really big problem you're missing is "who's gonna jump when the phone rings"? Are you going to get the customer complaints or the park management? Do you really want phone calls at 1AM when their email doesn't work for some reason? Think of it this way: "What can I do with this system to prevent the phone from ringing"?

Reply to
Jeff Liebermann
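The two ideas Jeff keeps coming back to in this post, a "fair share" of the pipe divided by active user count with some headroom kept for ACKs, and a per-computer traffic report that shows who is hogging the link, reduce to a small amount of bookkeeping once you have per-flow byte counts from a sniffer on the LAN side of the router. The script below is an added example, not code from anyone in the thread or from DD-WRT. The flow-record format (`epoch src dst bytes`, one line per flow), the 192.168.1.0/24 LAN prefix, the sample flows and the 10% ACK reserve are all assumptions made for the example; the T1 line rate and the 20/1 download/upload ratio it flags echo the numbers quoted in the thread.

```python
"""Per-host traffic report with a fair-share check.

Added example; not code from any poster or from DD-WRT. Input is a constructed
list of flow summaries in an assumed format:
    <epoch seconds> <src ip> <dst ip> <bytes>
one line per flow, as a sniffer or flow exporter on the LAN side of the router
might produce. LAN prefix, window length and ACK reserve are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed RV-park LAN behind the WRT54G
T1_BPS = 1_544_000                   # T1 line rate, bits per second
WINDOW_S = 60                        # length of the constructed sample, seconds

# Constructed sample: three active hosts over one minute. 192.168.1.50 is
# pulling a large download; .10 and .20 are light web/email users. The last
# line is LAN-to-LAN traffic that never crosses the T1 and must be ignored.
SAMPLE_FLOWS = """\
# epoch      src            dst             bytes
1200000000 192.168.1.10 203.0.113.5    24000
1200000000 203.0.113.5  192.168.1.10  180000
1200000010 192.168.1.20 198.51.100.7    6000
1200000010 198.51.100.7 192.168.1.20   30000
1200000020 192.168.1.50 203.0.113.80  150000
1200000020 203.0.113.80 192.168.1.50 3000000
1200000040 192.168.1.50 203.0.113.80  150000
1200000040 203.0.113.80 192.168.1.50 3000000
1200000050 192.168.1.50 203.0.113.80  150000
1200000050 203.0.113.80 192.168.1.50 3000000
1200000055 192.168.1.10 192.168.1.20    5000
"""


def parse_flows(text):
    """Parse flow lines into (epoch, src, dst, bytes) tuples, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append((int(ts), ip_address(src), ip_address(dst), int(nbytes)))
    return records


def per_host_totals(records):
    """Sum bytes per LAN host, split into download (in) and upload (out).

    Only flows that cross the LAN boundary count; LAN-to-LAN flows are dropped.
    """
    totals = defaultdict(lambda: {"down": 0, "up": 0})
    for _, src, dst, nbytes in records:
        if src in LAN and dst not in LAN:
            totals[str(src)]["up"] += nbytes
        elif dst in LAN and src not in LAN:
            totals[str(dst)]["down"] += nbytes
    return dict(totals)


def fair_share_bps(link_bps, active_users, ack_reserve=0.10):
    """Per-user share of the link after holding back a fraction for ACKs/overhead."""
    if active_users <= 0:
        return 0.0
    return link_bps * (1 - ack_reserve) / active_users


def report(records, link_bps=T1_BPS, window_s=WINDOW_S):
    """Build the per-computer report: rates, down/up ratio and a fair-share flag."""
    totals = per_host_totals(records)
    active = len(totals)
    share = fair_share_bps(link_bps, active)
    rows = []
    by_volume = sorted(totals.items(),
                       key=lambda kv: kv[1]["down"] + kv[1]["up"], reverse=True)
    for host, t in by_volume:
        down_bps = t["down"] * 8 / window_s
        up_bps = t["up"] * 8 / window_s
        ratio = t["down"] / t["up"] if t["up"] else float("inf")
        rows.append({
            "host": host,
            "down_bps": down_bps,
            "up_bps": up_bps,
            "ratio": round(ratio, 1),
            "over_share": down_bps > share or up_bps > share,
        })
    return {"active_users": active, "fair_share_bps": share, "rows": rows}


if __name__ == "__main__":
    result = report(parse_flows(SAMPLE_FLOWS))
    print(f"active users: {result['active_users']}, "
          f"fair share: {result['fair_share_bps'] / 1000:.0f} kbit/s each")
    for row in result["rows"]:
        flag = "OVER SHARE" if row["over_share"] else ""
        print(f"{row['host']:<14} down {row['down_bps'] / 1000:8.1f} kbit/s  "
              f"up {row['up_bps'] / 1000:7.1f} kbit/s  ratio {row['ratio']:>5}  {flag}")
```

Run against the constructed sample it reports three active users, a fair share of about 463 kbit/s each, and flags 192.168.1.50 at 1.2 Mbit/s down with a 20/1 ratio while the other two hosts sit well under their share. Fed real flow records over a day, the same per-host totals are what you would post (or bill from) in the way the apartment-building example describes; the `over_share` flag is the cue for where a per-IP throttle would land if you later move to traffic shaping.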
