(HELP) Multiple APs and net management.


thms7722

Guest
Hello guys,

I am currently working in Afghanistan and am in dire need of some help. I’ll try and better explain my scenario. Well, I decided to invest some money into a personal satellite internet system (what is offered here is slow as hell) so me and about 10 other co-workers can enjoy some down-time and communicate with friends and family back stateside. If anyone would like to know, the prices of satellite internet are crazy high. I’m paying $1100.00 a month for internet speeds that roughly max out at 75kbps (I don’t understand the QoS of satellite either but that’s another story).

OK, well, this is how I got it set up. From my satellite router to a Netgear FVS318 Firewall 8 port switch, to a DWL-7700ap set up in WDS transmitting to (2) DWL 3200ap also set up in WDS. I purchased a net manager (cyberoam) from the satellite provider because they suggested it. I have no idea of where to start with this unit. And of course the satellite provider redirected me to another company (cyberoam) to seek support. Well, my Indian isn’t as good as my English so I’m screwed out of $1000 until I get this thing running.

So right now I have everyone up and running for the most part. Every once in a while my APs will drop. I believe I tried just about everything: changed channels (11 seems to work best), moved around APs, used higher gain antennas and messed with the RTS settings and whatnot. And since bandwidth isn’t being distributed evenly, people are starting to get pissed. I’m not too familiar with a lot of this stuff so if anyone can offer some advice I would greatly appreciate it. Also, if more info is needed I will be glad to share it with you guys…


Thanks...
 
You are learning the hard way that being a WISP isn't easy.

What sort of signal levels and distances are you dealing with? Also terrain,
weather conditions and are the APs indoors or out?
 
Yea, I kinda got in over my head on this one... It's been running OK compared to other guys who have attempted it out here and I think the Dlink's DWLs have a lot to do with it. Another co-worker tried the same thing (I bought the system from him) but he used Linksys WRT 54Gs (I think) and had to practically reboot the APs every other day. The terrain is pretty clear, no trees, buildings or other hard structures. There are only tents that the signal has to travel through. The farthest client is located approximately 450ft away. I have a DWL3200 with an outdoor antenna shooting directly to my DWL7700 with a clear line of sight and in the web interface it says I’m getting 55% signal. The second DWL3200 is about 350ft away with the same setup and gets about 75% signal to the DWL7700. They are all set up with the same SSID and are running in WDS/AP mode. I get pings anywhere from 13ms - 40ms to each AP. Oh, and the DWL 7700 is mounted on a pole (outdoor) approximately 15ft high.
 
Heh, I was in your shoes in 2005. 2 Mbps satellite, 4 radio links, and 25 moderately-disgruntled users. Made some mistakes (on my dime), but learned a lot. I don't know what you know, so don't take offense if I stress some basic concepts.

Radio:

You really need to get the antennas positioned to obtain a clear line of sight (tents do matter), and anchored properly. A one-time investment in getting things done right is worth it, as every component that you know is configured properly is one less item you have to worry about when troubleshooting. Is there a building nearby you can mount an antenna onto? Or an already erected antenna mount you can co-opt? If not, feel free to improvise: for one site, we had some taped-up camo poles sandbagged against a trailer, and staked down 550 cord for guy wires. You said you've already tried directional antennas--with them movement becomes even more of a problem due to the narrower beamwidth. For the distances you listed, a simple 12+ dBi panel antenna will be more than sufficient, and depending on the antenna, gives you a 30 degree spread. That's both azimuth and elevation, and for best performance you may need to do more orienting beyond making sure they're pointing in the general direction of the distant end. It helps to obtain visual confirmation of correct elevation alignment, but unless you can get rooftop access, this may not be possible. I don't know what the wind conditions are, but if you do use segmented poles, I recommend inserting some tape inside/between the breaks so they don't rotate as easily. Again, the distances don't sound too bad, but another concern is cable attenuation. We were evicted from a site, and to re-establish a link the link needed to clear a DFAC. We used a 9 m mast, and had a 50 ft coax pigtail connect the antenna to the AP located in the nearby building. I had problems with signal strength (it was a 1 km shot); what I eventually did was use a PoE kit to place the AP on the mast with the antenna. You can also be fancy by placing the AP and PoE unit in a NEMA enclosure; I used plastic bags and only one AP melted due to the heat.

I tested the link quality by periodically running continuous ping sessions to distant APs: ping ip -t -w 25. I'd usually get 1-2% p/l on average, and latency of 3 ms. This method is also very handy when orienting a directional antenna. 40 ms sounds suspiciously high; I'd try to identify the cause, be it poor link quality or bandwidth issues.

Network management:

Today, I'd use a pfSense box to handle QoS/traffic shaping, but back then I used some cheapo Linksys routers. I used RL policies: no P2P, and no Internet radio. Since either one would kill the connection, it was easy to catch offenders in the act. I wouldn't be able to get away with just email/simple browsing today though, thanks to YouTube. Since you are likely sharing equipment costs with your "customers," I recommend drafting an acceptable use policy to be voted on, and holding people accountable (I disconnected them for a day). If people are content with having one person consume your quota, there's not much you can do apart from traffic shaping.

I don't know how your ISP handles usage, but I can explain how mine worked. Satellite bandwidth is expensive--we used a contention scheme instead of dedicated bandwidth, a 1:10 ratio (ten users would be expected to use as much as one continuous user). To keep usage down, we were only allowed to download X MB of data in an 8-hour period; if that amount was exceeded, our throughput was throttled to 128 kbps (IIRC). For 25 users, that's pretty much unusable. Windows Update is your worst enemy: if you are the only show in town, visitors are going to use your connection, and immediately start downloading months' worth of hot fixes/service packs. Depending on your quota, one user can consume your allotment easily. I used MAC filtering to encourage foreign systems to be brought to me, which more often than not was to everyone's benefit as they were virus-laden. I recommend distributing a CD with hotfixes and free AV software (and updates) to some trustworthy individuals. You can also set up WSUS to distribute updates to your clients, but you may find a server too expensive. If you do set up a pfSense box to handle network traffic, you can also use Squid (proxy) to cache web pages and images which reduces satellite-bound traffic.
 
jdabbs,

Don't worry about offending me hehe, as many disgruntled clients as I have right now you'll have to try harder than that :). So far the line of sight is good from AP to AP with no hard structures or anything else and it's as close to direct as I think I'm going to get. But you did point out something that I have thought about before. That's the antenna mounts/poles. I am using those segmented poles and I did secure them with duct tape and screws, but it does get windy out here, and as far as a secure, solid place to attach the poles, well, I'm SOL, nothing but tents... I would like to try and tweak it to get the most reliable performance I can, but as of right now it has run for 3 weeks without the need of a reboot. Also, I have started to notice a hell of a lot more APs in the area so I'm assuming that can be a problem too. The net manager (http://cyberoam.com/downloads/datasheet/CyberoamCR25i.pdf) I think is somewhat similar to what you recommended (pfSense box) but like I said I have no idea where to start with that thing so it's serving as a very expensive paperweight right now (until I can get a TS rep to walk me through it). And yea, if we go over a certain amount of download allowance then they throttle us down too. If you don't mind, can you take a look at the net manager and tell me what you think? Thanks... Oh, and I suspect a couple of clients are using voice and video chat so of course the bandwidth is being directed to them, but the funny thing is these are the people doing most of the complaining lol.
 
I'll try to take a look at the Network Manager some time this weekend.
 
Well, finally I got the Cyberoam up and running. It seemed to have been the Netgear router (I think). I removed it and used a plain ol' switch and voilà! It works. I still have no clue about setting up all the security features. Just too much stuff to deal with... Now my main problem lies in my LAN clients: it's just open and free for anyone to access the internet. My wireless is fine because the APs are set up in MAC/IP filter. I’m not sure where to start. Is it supposed to be added as a firewall rule or IPsec or what? Sorry 'bout the newbness....
 
I couldn't find an emulator so I don't know how feasible some options are.

Before you start adding policies, you need to find out as much information as you can about your network. The ISP I used (Bentley-Walker) had a status page that would identify customers that hit their quota. If you are, then you should look at the type of traffic that is causing the problem. If it's P2P, block the ports at the router. If it's streaming, then you want a low per-user quota, or blocking the sites outright.

I rarely had a problem with quotas. By having a big enough pipe, the quota was large enough to weather the occasional spike. Costs were comparable by increasing the number of users. If you get a do-over, I'd try balancing your users. I made an effort to keep an equal number of day and night users. It looks like your manager supports time-based access; you could sell day or night (or both) access to customers. This'll also help if you have users that share their connection with off-shift neighbors.

QoS depends on what complaints you are getting. I would give the highest priority to DNS traffic, then POP3, then HTTP. The guy that just wants to check his email is your best customer; I think most people will accept that there are some things you can't do well over satellite, like webcam streaming. That's not necessarily true, but you have to take measures to protect the majority of your customers.

Security-wise, MAC filtering is ineffective. Since you're not giving away access for free, people are going to try to split the cost with their neighbors. Most any router will allow you to clone the client MAC. If your manager supports a captive portal, you can require a login/password. The effectiveness of this depends on the implementation; if the router passes the logon prompt to the NAT'd user, it won't work.
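
An added example (not part of the thread or any poster's code) of one way to spot the MAC sharing described above: it scans AP association logs for a single MAC appearing under several hostnames or on two APs at once. The log format, AP names, MACs, hostnames and dates are constructed for illustration and do not come from any D-Link or Cyberoam product.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format, values invented for the example).
SAMPLE_LOG = """\
2009-06-01T19:00:05 ap=AP1 event=assoc mac=00:11:22:33:44:55 host=JONES-LAPTOP
2009-06-01T19:02:40 ap=AP2 event=assoc mac=00:aa:bb:cc:dd:01 host=SMITH-PC
2009-06-01T19:30:12 ap=AP2 event=assoc mac=00:11:22:33:44:55 host=TENT4-NETBOOK
2009-06-01T20:15:00 ap=AP2 event=disassoc mac=00:aa:bb:cc:dd:01 host=SMITH-PC
2009-06-01T21:05:33 ap=AP1 event=disassoc mac=00:11:22:33:44:55 host=JONES-LAPTOP
2009-06-01T21:40:00 ap=AP2 event=disassoc mac=00:11:22:33:44:55 host=TENT4-NETBOOK
2009-06-01T22:00:00 ap=AP1 event=assoc mac=00:aa:bb:cc:dd:01 host=SMITH-PC
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) event=(?P<event>assoc|disassoc) "
    r"mac=(?P<mac>[0-9a-fA-F:]{17}) host=(?P<host>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, ap, event, mac, host) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not match the assumed format
            yield (datetime.fromisoformat(m["ts"]), m["ap"], m["event"],
                   m["mac"].lower(), m["host"])

def find_shared_macs(log_text):
    """Return {mac: [reasons]} for MACs that look shared or cloned."""
    hosts = defaultdict(set)     # mac -> hostnames seen with it
    active = defaultdict(set)    # mac -> APs holding an open association
    findings = defaultdict(set)
    for ts, ap, event, mac, host in sorted(parse(log_text)):
        hosts[mac].add(host)
        if event == "assoc":
            # Same MAC already associated on a different AP: two radios, one address.
            if active[mac] - {ap}:
                findings[mac].add("concurrent association on multiple APs")
            active[mac].add(ap)
        else:
            active[mac].discard(ap)
    for mac, names in hosts.items():
        if len(names) > 1:
            findings[mac].add("multiple hostnames")
    return {mac: sorted(reasons) for mac, reasons in findings.items()}

if __name__ == "__main__":
    for mac, reasons in find_shared_macs(SAMPLE_LOG).items():
        print(mac, "->", "; ".join(reasons))
```

A client roaming between APs that share an SSID can briefly appear on two of them if the old AP never logs a disassociation, so treat the concurrency flag as a lead and the hostname mismatch as the stronger signal.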
 
Hello again, the online demo is here: http://demo.cyberoam.com/. I am using Bentley-Walker sesat2 (Linkstar) with the office 2000 package. I check the website once in a blue moon (when the net feels slow) but never witnessed my account going over yet or being throttled. Most people use the net for a couple hours after work, say 1900L-2200L (roughly 6 clients) or 0800-1100L (about 3 clients). I’m doing my best to keep it split even so this is pretty much all the people I’m letting on now. Like I said, I’m not in this to profit, just to get a decent connection to the rest of the world. You can access it through "http". I hate to bother you about this, but would you mind (if you had the time) taking a look to see?
 
