Share internet with tenant securely (cabled, using QoS)

jakobbg

Scenario: I have a 100mbit fibre internet connection into my house, where I also have a tenant, who has a network cable.

I want to set up this network so I get 75mbit and the tenant gets 25mbit using my internet connection. I should not be able to see computers of the tenant and vice versa.

How can I achieve this as easily as possible? Can it be achieved using a few advanced SOHO-routers? Cost and ease-of-setup are definitely an issue here as well :).

I have asked around a lot, and nobody can give me a relatively easy solution with both bandwidth limitation as well as separate secure networks.

All tips are highly appreciated! :)
 
If you are open to using an old computer as a router, you should check out pfSense. The online wiki and forum are a great resource and there is also a recently available official book. The available documentation was a major reason why I chose pfSense.

This type of scenario is a common topic on pfSense forums, with a few different ways of accomplishing it. pfSense has QoS/traffic-shaping (which is powerful and potentially complex), but there is a more simplistic feature called "limiters" which does exactly what it says. You will have to deal with learning pfSense's initial peculiarities but I'm sure searching the pfSense forums would give you a few examples of how to reasonably easily accomplish your goal.

Along with pfSense, there are other router operating systems you might research like IPFire and m0n0wall. m0n0wall is meant primarily for low-end/embedded systems, and it has fewer features as a result.


Although I am a networking newbie, splitting incoming bandwidth among separate networks seems to be outside the usual feature-set of consumer routers. A router that supports tomato, DD-WRT, OpenWrt, might be an option if they support what you need.


If you end up choosing pfSense, PM me and I will try and help you as much as my free time allows. I am reasonably well acquainted with the traffic-shaping/QoS of pfSense. I also have experience with running pfSense from a CompactFlash card using an IDE to CompactFlash adapter which can save a bit of power compared to a standard HDD.

Good luck. :)
 
aside from pfsense, mikrotik and ubiquiti offer devices that can do what you ask. it depends on what you want to use and your budget. pfsense is great if you want to reuse machines while mikrotik routerboards will do the job using a lot less watts.

mikrotik routerOS has QoS too that'd work for your case but it requires skill to set up. If you are using any one of the routers like pfsense or m0n0wall then you would have the skill needed.

3rd party wrts would support what you need but they aren't easy to set up, usually requiring linux config file editing through command line.
 
My answer rambled, so I will try to be more concise with this post.

You could use a single pfSense PC and 3 network cards (1 for internet, 2 for the separate LANs). You would most likely then run a cable from your configured LAN port to your switch/wireless-AP, and the same for your tenant. Within pfSense you would configure LAN1 as 192.168.1.* and LAN2 as 192.168.2.*. Then you would set 2 firewall rules disabling LAN1 to LAN2 and LAN2 to LAN1 communication. The QoS could be done through general pfSense's traffic-shaping or limiters.

There are plenty of details and options omitted, but that is the general idea.


Anyone got an easier or more gooder method? :rolleyes:

:)
 
It's much easier to do that using routerOS considering that the majority of their customers are private ISPs. In routerOS you set up internet by making NAT forwarding src-nat masquerade, create firewall rule to mark preroute packets, create firewall rule to unmark postmark packets, create queues with target bandwidth and max bandwidth using source IPs and another using destination IPs (one for upload and one for download). You can also use radius or hotspot to achieve this too on routerOS as an easy option if you want to have that login feature for connecting to the network.

As long as you don't switch/bridge the ports and use different subnets they will be isolated (some switch chips may have port isolation so that is not required and lets you put everything in same subnet and simplify rules). Routerboards don't use many watts with only the highest end using 60W but achieving wirespeed routing. Typical routerboard uses 10-30 watts which is much lower than using an existing PC. You could make a low powered x86 PC using intel atoms or similar for pfsense or similar if you want low wattage.

You can also use a laptop and add ethernet adapters using usb or miniPCIe slot via adapters which would give you the low power option too.
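As an added example (not part of the post above, and not the poster's configuration), a minimal RouterOS layout for the original 75/25 question. It uses simple queues per subnet rather than the packet-marking approach the post outlines; the interface names ether1/ether2/ether3 are assumptions, the subnets are borrowed from the pfSense post earlier in the thread, and DHCP/DNS setup is omitted.

```routeros
# Added example. Assumed (hypothetical) port layout:
#   ether1 = fibre uplink, ether2 = owner LAN, ether3 = tenant LAN
# ether2 and ether3 must not be members of a bridge; bridged ports are
# switched together and the forward-chain rules below never see the traffic.

/ip address
add address=192.168.1.1/24 interface=ether2 comment="owner LAN"
add address=192.168.2.1/24 interface=ether3 comment="tenant LAN"

# Both LANs share the single public address on the uplink.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Isolation: drop routed traffic between the two subnets in both directions.
# Rules are matched top-down, so these must sit above any rule that
# accepts new connections between the LANs.
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=drop comment="owner -> tenant"
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    action=drop comment="tenant -> owner"

# Bandwidth caps. max-limit is upload/download as seen from the target subnet.
# Note: connections handled by a fasttrack-connection rule (present in the
# default configuration) bypass simple queues, so disable that rule or the
# caps will not be enforced.
/queue simple
add name=owner  target=192.168.1.0/24 max-limit=75M/75M
add name=tenant target=192.168.2.0/24 max-limit=25M/25M
```

To confirm the isolation, ping a host on the other subnet from each LAN and watch the packet counters on the two drop rules increase.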
 
The easiest way to do it is to get a semi-managed switch which supports bandwidth limiting port controls and VLANs.

Then assign your network to one VLAN and their network to another VLAN. Set ingress and egress bandwidths to your port to 75Mbps and theirs to 25Mbps. Then connect the 3rd port to the router (with wifi turned off, or regular wire only router) and make the 3rd port a member of both VLANs.

Or skip VLANs and do ACLs on the switch if the switch supports ACLs.

Don't need anything that supports VLANs before or after the switch to make it work.

I can say for certain that the TP-Link SG2008, 2216 and 2424 can all do that as I have the 2216 and I've played with it and it works (though that isn't my setup).

There are other ways to skin this rock if you want, but that is likely the easiest way to go about doing it.
 
Hey guys, someone in another thread asked a similar question (see this thread: http://forums.smallnetbuilder.com/showthread.php?t=22239), and it had me stumped, but the scenario described in that thread was somewhat reminiscent of this thread, and I'm wondering if your suggestions could be applied to the other fellow's situation. His issue was this:

About 1 year ago on my RT-N66U, I tried Asus-Merlin 374.40. I use the router in repeater mode to share (with his permission) my neighbor's (WPA2-encrypted, 2.4GHz WiFi cable-Internet connection) on a different SSID throughout my house. It works fine, but I don't want my neighbor to have access to "my" network. At that time ASUS-WRT did not allow me to isolate "my" LAN from my neighbor's LAN. (I can do this on DD-WRT, but the throughput seems worse than Asus-Merlin.) Is that possible now?

Based on the suggestions in this thread, could one do essentially the same thing, i.e., take the signal that he's picking up on his repeater and simply connect a managed switch to one of the LAN ports on the repeater, and create two new and separate VLANs off of which the guy would then run his own wired and wireless network (using a separate wireless AP), thereby blocking the neighbor's ability to see what he's running on his shares (while still using what I assume is the neighbor's single NATted IP address)? Or, alternatively, instead of a switch, could he repurpose an old computer to create a pfsense router and do essentially the same thing described above to create his own walled-off network, thereby preventing his neighbor from seeing what's going on with his shares?

He had asked if there was some setting that could accomplish this in the Asus GUI, but I had no answer for him since it doesn't seem possible to do, at least not without adding some additional devices like switches or another AP.

Any thoughts on this?
 
You would need to do pfSense or some other router. You can't VLAN this one into separate networks as you have a single bridged connection. No way to treat the neighbor's traffic and yours as separate VLANs unless the neighbor's network was tagging their traffic with VLANs.

You CAN VLAN the bridge, but again, no way to separately tag the two different traffic sources.

A router on the other hand, you can put everything behind its own network then. Easiest way to do this is use a router that already comes with WISP/WWAN functionality (several TP-Link routers have this, as do some cradlepoint and a couple of other guys' products).
 
