WiFi options for small multi-company office building.

Tim D

Hi all!

I'm currently looking for a decent WiFi solution for a 3-floor building. We have several small non-profits in the building and we want to have a shared network infrastructure to reduce costs.

I've looked at Xclaim, Mikrotik and Ubiquiti, but I need more than 4 SSIDs (5 actually), so Ubiquiti and Xclaim are not an option. Then again, Mikrotik has not got Band Steering or Airtime Fairness.

Does anyone know a (cheap) solution that meets the requirements (or at least partially)?

Btw: the >4 SSID requirement would not be required if we could do Dynamic VLAN Assignment via RADIUS.

Thanks!
 
At minimum, you can use any wired router and a smart switch that supports port-based VLANs. Connect each floor via Ethernet to a small switch with enough ports to support enough APs to provide sufficient coverage for the area and any wired clients.

That way, each floor will be on its own VLAN and traffic will be kept separate. You can also use APs that don't support VLAN tagging with this method.

The smart switch should also have ingress/egress rate limiting so you can split bandwidth from floor to floor.

More companies are getting into low-to-midrange APs. Look at ZyXEL and EnGenius. They both have systems where one AP can be turned into a controller.
 
Thanks for the reply!

The problem is, every AP needs to broadcast all networks, these organisations are not separated by one floor. Some floors might have multiple organisations. The goal is to have access to your own company network anywhere in the building.

I've looked at ZyXEL and EnGenius, but I see few reviews about their APs. I'm just not sure they'll deliver what they promise, or that they'll keep giving them updates for an extended amount of time.
 
Well, that's a more complicated situation.

Forget Xclaim, they don't have the features you want. One of the Mikrotik supporters that's a forum regular may weigh in on their suitability.

You're talking about something that, to my knowledge, isn't cheap to implement. You may need to move upscale at Meraki or Ruckus.

In addition to band steering you're going to need bandwidth and possibly application management, no matter how large an internet pipe you have.

You won't find a lot of reviews on multi-AP systems in general. They take a lot of work to thoroughly review.
 
One probably needs to go into a controller based WLAN setup where policies can be established across many AP's, SSID's and VLAN's - company "A" should not be able to see what is happening in Organization "B"

Meru, Cisco, Xirrus come to mind - a bit more spendy, but this is likely the best approach to ensure confidentiality across the different businesses in the building.

Time to consult with a Pro... money well spent up front will prevent issues later on.
 
Segmenting traffic based on a VLAN is not a problem. It is an inherent property of a VLAN. A VLAN can span multiple floors; you just need to design your network correctly. The wireless device needs to assign the SSID to a VLAN which can flow all over the building. Sharing or not sharing is handled at layer 3, and I am sure you would want a layer 3 switch handling the VLAN traffic as a router would not be fast enough. You also need to think about the network design and cabling, which might include fiber; it just depends on how big a building you are talking about and how many users and servers. How many users are you talking total? You design differently for 1000 users vs less than 100 users.
PS
The basic idea is to use a VLAN per organization but depends on size as you may need more than one VLAN per organization.
 
As a building owner/manager, I would NOT provide wifi to tenants. Too many liability issues. And the 24/7 support issue.
Help them or price into the lease, Internet connections in the telco closets, but no wifi, no wired LAN. Support comes from that ISP, not you.
 
Mikrotik routerboards and APs support VLANs, but I'm not sure how well they support your wireless needs as I only know their wired routers best. From what I know about Mikrotik RouterOS, band steering and airtime fairness would have to be implemented manually via a bunch of rules and modules, so there's a lot of room for error. They use the same wifi chips as others do but rely on software which tends to work out more reliably.

VLANs aren't the only way. You can have multiple groups of users with a RADIUS server, which means connecting them via layer 3 instead of layer 2, which is more common. That means that each user who connects will be assigned an IP based on the user group. I'm not so sure how much network sharing they will be doing, but if they aren't going to be seeing each other's resources then layer 3 segmentation is an option. This would eliminate the need for multiple SSIDs.

@stevech he is providing connectivity to multiple non-profit businesses.
 
That's one approach - but keeping SSID's and VLAN's aligned is a lower maintenance activity - this is a non-profit, so having a full-time sysadmin probably isn't in the cards...

Keeping each .org as a separate SSID allows them to manage their WiFi credentials, and the VLAN's keep the DS segregated so that there is no exposure from one org to another...

Yes, one can do it with Radius, but it's a lot of work from a policy management perspective, and even then, that only handles the Wireless side, there's still the DS to consider, so hence the suggestion for dedicated VLAN's for each org...
 
As a building owner/manager, I would NOT provide wifi to tenants. Too many liability issues. And the 24/7 support issue.

Actually, what I've observed is in co-working spaces, as we become more project driven, Wireless is becoming a key item...

I recently was on a project with 4 vendors (we were the project owner) in a 'camp' environment off-site - and by segregating traffic, and the building's management team facilitated this. Their ability to do so, was key to our selecting their facility to support the project.

What was nice - by breaking out the SSID's and VLAN's, we were all able to get back home to resources, and share things as though we were back in the home office - without having to do complicated VPN solutions.

The platform we used onsite was Aruba, but Cisco can do the same...

So we'll see more of this in the future...
 
Cisco will handle 8 APs per cluster in their cheap small business products. I would assume you could run multiple clusters. Might be cheaper than a full blown controller. How many users? Do you already have cabling? How many square feet?

PS
I assume you have planned for a guest or conference room wireless network. Organizations will not want their servers or inter network exposed to outside PCs. I don't see why you cannot share the guest network for all organizations.
 
Thank you all for your replies!

To cover the entire building, we need only 5 AP's. It's in total only 30 users if we combine all organisations (+ some on a guest WiFi network).
Cables are already there, we only need to buy the AP's and maybe a new switch.
There is no money for Cisco or Aruba devices, we need to be able to get a decent network for about 250 max per AP.
 
You could, for example, get a consumer wifi AP and install a 3rd party firmware like OpenWrt or Tomato. The Netgear R7000 has good hardware for it.
While I was reading through, there isn't any recent info on whether Mikrotik supports band steering and airtime fairness, but I did find that they actually support hundreds of clients on wifi. Hopefully OpenWrt and Tomato firmware should support the features you need, and make sure that VLANs are done on switch chip configuration, not CPU.
 
Sounds like you need what I run at my house with a couple more wireless APs. I run a Cisco SG300-28 layer 3 switch and 3 Cisco WAP321 with the same 2 SSIDs on all 3 APs. I run 3 separate VLANs in my house as my music server picked up a virus from a laptop brought into my house for me to fix. I bought all this stuff off eBay cheap. The switch cost $200 plus shipping and the APs cost $35 to $50 bucks plus shipping a piece. This stuff has been fine for a while with no down time other than to upgrade the firmware. Cisco has a free tool called "Findit" which I have loaded on a desktop which automatically tracks firmware updates and downloads them. I am not sure the WAP321 will do 5 in a cluster but one of the newer ones will. This system is plenty fast enough for 30 people. You can add more switches with VLANs extended. I have a Cisco 200 switch which I flow all 3 separate VLANs to and there is an AP hung off of it. So adding switches and flowing VLANs is not a problem. If you want a faster core layer 3 switch, Cisco has the 500 series switch which also includes a routing protocol, but they are about $1000 used on eBay. The 300 series should handle 30 people no problem. Of course all the big business class switches from Cisco will do this but they cost more and they are not as easy to set up unless you know command language.
PS
The 300 series switch is located in my server rack and is battery backed up with an APC 1400 UPS. So no down time. The 200 switch and the WAP321 are scattered throughout my house. We did have a power outage so they have lost power and came back working. Other than that they have been up 24/7.
 
The ability to support multiple SSIDs is not the same thing as having good performance. One of the first things I do when people ask me to look at a wireless network is try to reduce the number of SSIDs as much as possible. Meraki has a good primer here:

https://documentation.meraki.com/MR...ractices/Multi-SSID_Deployment_Considerations

Microsoft's NPS can assign VLAN based on login. Simply have a user for each organization who needs WiFi. Of course that means somebody needs to maintain the accounts and the server requires hardware, but overall I think that gives you the best performance:

http://wifinigel.blogspot.com/2014/03/microsoft-nps-as-radius-server-for-wifi_18.html
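
Added example, not part of any post in this thread: dynamic VLAN assignment works by the RADIUS server returning three tunnel attributes in its Access-Accept (RFC 2868 types 64, 65 and 81, with the RFC 3580 values for VLAN and IEEE 802). This Python sketch parses those attributes the way an AP or controller would and refuses the client when they are missing or name a VLAN outside an allow-list, so nobody falls back onto a default or management VLAN. The function names, the allow-list and the sample packets are assumptions constructed for illustration; the Response Authenticator is not verified here.

```python
import struct

# RFC 2868 attribute types and the RFC 3580 values that mean "put user in a VLAN"
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def radius_attrs(packet: bytes):
    """Yield (type, value) for every attribute after the 20-byte RADIUS header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def vlan_for_accept(packet: bytes, allowed_vlans: set):
    """Return the VLAN ID to apply, or None when the client must be refused."""
    try:
        attrs = list(radius_attrs(packet))
    except ValueError:
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    tunnel_type = medium = group = None
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            number = int.from_bytes(value[1:], "big")        # first byte is the tag
            if atype == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            text = value[1:] if value[0] <= 0x1F else value  # optional tag byte
            group = text.decode("ascii", "replace")
    # Fail closed: no fallback to a default VLAN on missing or unexpected attributes.
    if tunnel_type != VLAN or medium != IEEE_802 or not (group or "").isdigit():
        return None
    return int(group) if int(group) in allowed_vlans else None

def build_packet(code: int, attrs) -> bytes:
    """Constructed test input: zeroed authenticator, no shared-secret check."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

TUNNEL = [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06")]
ORG_B_ACCEPT = build_packet(2, TUNNEL + [(81, b"20")])   # constructed sample
UNTAGGED_ACCEPT = build_packet(2, [])                     # accept without VLAN
```

With one VLAN per organisation in the allow-list, a single SSID can serve every tenant while the switch keeps their traffic separate.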
 
Yeah, I was looking at Dynamic VLAN Assignment as well, but it seems that feature is only available on high end (expensive) enterprise APs. Neither Mikrotik nor Ubiquiti supports it. Don't know about Xclaim.
 
Dynamic VLAN assignment can be done on Mikrotik using scripts. Out of curiosity, have you considered pfSense? You can buy those tiny Intel NUC PCs which are about the size of a router and use a mini PCIe WLAN card and run pfSense on it. Of course you can run other OSes on it too.
 
I haven't considered pfSense as an AP OS. I just looked it up and it seems it would be quite risky; pfSense's own docs say that they don't recommend using it as an AP OS. I think it has a high risk of being buggy.
Btw, I've asked in the Mikrotik forums about dynamic VLAN assignment and nobody told me it could be done via scripts, they just all said they tried and it didn't work. Do you by any chance have some kind of example script?
 
Unfortunately no. I have not gotten my hands on any of Mikrotik's wifi stuff, though I did try attaching a USB wifi card to my CCR1036, but it wasn't supported because of their closed OS when you need drivers.

If you need something script related I could make a few, but even then Mikrotik wifi is missing one of the hardware features you want. I still think it is worth using a Linux AP on x86, mainly because you have more hardware to choose from and the software to run it. There are many tiny x86 boxes made for these applications.

If you need some feature not provided by Mikrotik but can be done via software, list it and I'll see if it can be scripted. If it can, I'll write some.
 
Why use a slow router instead of a layer3 switch to handle VLANs? This is what layer 3 switches were built to do.
 