setting up public wifi

[techie2k4]

Hi... just recently purchased a Linksys E4200 and am currently shopping around for wireless access points. Would the UniFi access points work with 3rd party routers such as my E4200 or would I have to abandon my router in favor of UniFi gear? Regards...

[unc417]

EricE: I just noticed you said you have the LR's. Have you had problems yourself regarding client range vs AP range with the LR's when the client is on the edge of the AP range? Have you had more problems with laptops, smartphones..etc?

techie: As far as I know, the AP's should work fine with any router. I don't even think Unifi makes routers, just AP's.

[EricE]

Quote:

Originally Posted by techie2k4

Hi... just recently purchased a Linksys E4200 and am currently shopping around for wireless access points. Would the UniFi access points work with 3rd party routers such as my E4200 or would I have to abandon my router in favor of UniFi gear? Regards...

Like unc417 pointed out, if you are using the Linksys just for routing and not WiFi too, you won't have an issue. If you are currently using it for routing and Wifi, you can keep it but Unifi won't manage the wifi on the Linksys so it would be separate. If you are indeed using it for both now, and if I was you, I would turn the Wifi on the Linksys off and only use the Unifi APs for wifi.

Once I were to get them, of course Distributors do seem to be catching up on inventory but it can still take some hunting. The forums on Ubiquiti's web site usually have people posting resellers that have stock so it's a good place to check if you are interested in getting them.

I've had ours for two months now and other than the controller, when installed as a service under Windows, occasionally stop responding they have worked flawless. Since for the open guest network I have the captured portal turned on with the terms of service presented, if the controller stops people just can't use the guest network so it's not that big a deal - the private network keeps working. If I turn of the TOS/Captured portal then the guest network would keep working even if the controller wasn't running, but I like presenting generic TOS and reminding people it's a free resource and please don't abuse - I've seen folks pull into our parking lot during the week early in the morning or later at night and use the wifi from time to time...

[EricE]

Quote:

Originally Posted by unc417

EricE: I just noticed you said you have the LR's. Have you had problems yourself regarding client range vs AP range with the LR's when the client is on the edge of the AP range? Have you had more problems with laptops, smartphones..etc?

I've only got three of the LR ones, and when I'm in the building I'm usually within 10 feet of one so I'm not a good one to judge. I haven't heard any complaints, then again our wifi use is pretty ad-hoc and not really something we support heavily.

Having said that, I will not be buying any more LR units - I'm already running into issues of too many clients per AP and I need more APs anyway - LR units just make it worse with overlap.

I'm going to wait for the new Unifi Pro models - they are dual radio - they can do A/B/G and N at the same time, so I can keep the N side N only and much higher speed. I'll be adding at least two of them to our sanctuary and two to the staff area due to the density of devices/users more than anything else, then deploy the LR APs I have now to cover the rest of the building. And even then I'll probably have to cut the power in 'em so I don't have too much overlap, which encourages the wifi clients to switch to a better AP sooner rather than keeping a "death grip" on the current one longer than they should.

[andrewf]

A few things to consider:

1) How many unique users per weekend;
2) How many active users at any given time;
3) Do you need roaming capability throughout your facility;
4) Are there other devices in the 2.4 GHZ (for b/g) range to content with; (in ears, wireless microphones, remotes, WDMX, etc)
5) Do you want to have a separate staff and guest network (YES);
6) Do you need to incorporate SMUT filtering?

For our facility, when I first started attending several years ago, they had 8-10 Linksys APs all over the facility on overlapping channels. Even though each one had its own SSID, they all were on the same physical network.

They had lots of problems with APs requiring reboots, on top of no real security. Additionally, these are consumer grade equipment.

Since I am an IT professional, we put together a plan to address all the above issues.
Our facility is a large facility with 4-5k people coming thru a weekend.

We settled on Cisco 1130AG units (before N was a standard, and even then who really needs N for a church setting). We have 7 APs distributed throughout the facility, configured to handle session hopping. Meaning, you can roam anywhere in the facility and not drop your connection.

This also enabled us to have our check-in kiosks on WIFI and move them around the facility as needed, without having to re-wire. We also use the kiosks for special events where we scan barcoded tickets.

We have a secure-staff SSID that is WPA2 encrypted and grants access to the secure office network. We have a guest SSID that permits semi-open access to the internet. Each SSID is on its own VLAN, to keep the traffic separate and avoid issues of security breaches.

We originally were using opensource software for our SMUT filtering, but that proved to not be reliable enough and was buggy. We settled on a Sonicwall product that enables us to have different access-controls per VLAN. Our guest users cannot get to p2p apps, porn, gambling, drugs and other distasteful sites. Our sonicwall provides gateway level anti-virus, anti-spyware protection for all traffic, plus the typical router/firewall features and enables a point-to-point VPN between our main campus and a satelite facility, as well as my home.

On a given weekend, we burn thru around 500 unique users. You'll need to keep this in mind when designing your setup as a typical DHCP lease is 7 days and if your network is only a class C (254 ips) you may run into IP issues without first expanding the pool.

We also monitor our APs for traffic levels and # of associations. This enables us to keep tabs on unwanted traffic.

Looking at our monitoring graphs, I can see that at peak, we had 156 users today online in the sanctuary. This is around 10% of the attendance for a given service, we have 4 weekends services. (We had around 500 unique connections this weekend.)

Note: We have never announced we provide free WIFI, it has been deployed for almost two years.

[EricE]

andrewf - great points.

We don't have the funds - or requirement - for Cisco grade equipment. This setup is a fraction of the cost. Yup, it doesn't do the "instant" roaming of the Cisco, Rukus, etc. but then again I don't need that.

I've got separate wifi networks with a closed/encrypted for the staff and other equipment, and I'm currently relying on the built in isolation features of the Ubiquity guest network - which are good enough for the moment. When I get some time, I'll set up a separate vlan for the public wifi - and to combat the DHCP issue you mentioned, it will have it's own DHCP server and DHCP pool with leases in the hour or so range. Pretty standard stuff.

For filtering were relying on the free OpenDNS solution and it's working great. There's some new stuff built into the new pfSense firewall release I need to research some more - it looks like it can be as capable as the sonic wall solution. The trade off is a little up-front work, but not having to pay a hefty annual subscription we can't afford anyway

We have about 2,300 flow through on a Sunday and the most I have seen is about 180. Most don't bother to accept the TOS so I know they aren't actively using their devices - that did catch my by surprise.

[Gracetech]

I've just started using Zyxel NWA3160-N AP's and have some Zyxel NWA3560-N on order. The cool thing about these are they are MSSID with up to 8 per radio. I don't need that much but it's nice to know it's there. Of course this means they are VLan compatible and that part of them works better than any sub $500 AP i have used to date. The software is a bit weird at first but i'm finding that it actually makes more sense than the others that i've used once i figured it out. The terific part is that the range on these and the simultaneous users is unheard of at this price point. The cherry on the top is that you can setup one AP as a managing center for the rest of the APs. This allows central management so you only need to change settings on one AP then they are rolled out to the other APs. If you have a lot of area to cover then these may not be for you since you can only control 24 APs in a group. Of course for most churches that is plenty. We have a large campus and will only end up using 12.

crt

[EricE]

Quote:

Originally Posted by Gracetech

I've just started using Zyxel NWA3160-N AP's

That's a nice looking option - especially given that you can use one as a controller - great if you don't have a server or computer to run controller software on.

However those are quite a bit more than the Unify AP's - if you only need a few, the ability to run as a controller and the built in RADIUS server with some of their other features are very nice touches. But for 12, the Unifi solution would be much cheaper overall. The only drawback to Unifi right now is the current APs are A/B/G/N single radio only; the UnifiPro will be dual radio/dual band so you can have an A/B/G and N networks simultaneously. The Unify APs also blend better into your environment - they are designed to be streamlined and no more obvious that a smoke detector - personally I don't care, but I can't believe how many times stuff like that comes up

And for comparison, the UniFi APs support multiple MSSIDs and VLANs too...

The bottom line - it's is nice to finally see some relatively inexpensive managed wifi solutions for smaller organizations! Zyxel makes good stuff - I turned to them in the modem days when Supra went downhill and I still didn't want to shell out the big $$$ for USRobotics My only complaint with them is their UI's were always a little obtuse - looking at screen shots it looks like they have improved a little.

[Gracetech]

Do you currently have a UniFi setup? I would like to see it in action if you are in the area?

I've seen and tried just about every "budget" solution except these. While i'm impressed with the Zyxel,and will continue using them, i would still like to check a UniFi setup, for future uses.

crt

[wogster]

Quote:

Originally Posted by Gracetech

Do you currently have a UniFi setup? I would like to see it in action if you are in the area?

I've seen and tried just about every "budget" solution except these. While i'm impressed with the Zyxel,and will continue using them, i would still like to check a UniFi setup, for future uses.

crt

There are a few other things to consider, other then just the equipment.

1) How big is the pipe, DSL, Cable and other similar connections, that may be fine for staff use, however for public use, it may not be big enough for the amount of traffic, and the bigger the pipe the more expensive it is.

2) How much traffic are you allowed, staff probably don't use a lot, the public might. Especially if people are sitting there playing Facebook games during the sermon.

3) You need to figure on how to limit where people can go, is smut filtering easy or hard, and if it's a service, are they limiting legitimate sites people might want to go to. There are smut filtering services that would filter out Christian and religious sites. Is there a way around the filter, some have passwords that will allow you around the filter. How up to date is the filter, people are always coming up with new smut sites, so is one that came up yesterday filtered out, how about one last month or last year.

[EricE]

Quote:

Originally Posted by Gracetech

Do you currently have a UniFi setup? I would like to see it in action if you are in the area?

Yup, I picked up a three pack of the long range APs and am very pleased so far. Page one of this thread has a screen shot of the map view of the management console with our building map inserted (just took a picture of the low voltage floor plan hanging on the wall in our server room with my iPhone, cropped and uploaded to the Unifi Controller software!)

I'm just outside of DC - if you are ever in the area you (or anyone else on the forum - PM me) are more than welcome to come by and check 'em out. Or we can do a screen sharing session and I can show you the controller interface.

Quote:

I've seen and tried just about every "budget" solution except these. While i'm impressed with the Zyxel,and will continue using them, i would still like to check a UniFi setup, for future uses.

For the money they are very hard to beat. I'm very interested in seeing where the new dual-radio and native POE supporting UniFi Pro APs come in price-wise. The management software still has a few glitches here and there, but the developer is active in their forms and they seem to push out regular updates. I'm very pleased so far!

[EricE]

Quote:

Originally Posted by wogster

1) How big is the pipe, DSL, Cable and other similar connections, that may be fine for staff use, however for public use, it may not be big enough for the amount of traffic, and the bigger the pipe the more expensive it is.

We get six phone lines and for Internet 20MB down, 2MB up (more than enough for us) for $350 a month. 1/4 what we were paying for the original fractional T1 they installed when the building was new six (or is it seven?) years ago

Quote:

2) How much traffic are you allowed, staff probably don't use a lot, the public might. Especially if people are sitting there playing Facebook games during the sermon.

If people aren't going to focus on the sermon, having wifi is going to hardly be a differentiator! As for traffic, the Unifi solution allows you to do basic traffic shaping, and as soon as I get around to setting up a VLAN and getting all the APs on our managed switches that support VLANs I'll be using our pfSense firewall to do bandwidth limits - if I need to. We peaked at 125 connected clients last Sunday, but only about 30 of them bothered to accept the TOS in the captive portal and get authorized - so the majority of wifi devices wandering the building weren't actively used.

Quote:

3) You need to figure on how to limit where people can go, is smut filtering easy or hard, and if it's a service, are they limiting legitimate sites people might want to go to.

Again, there is only so much you can do to keep the honest people honest, unfortunately. I'm playing with the Dan's Guardian package for pfSense and will probably implement that. We were relying on OpenDNS and Trend Micro content filtering for the church owned computers, but OpenDNS either has or is getting ready to change their model and they are not as appealing anymore. And with guest wifi, a gateway solution is essential now.

Since I'm not the only technical volunteer at my church and I'm slowly starting to get everything more documented we are avoiding the short term convenience of services or subscriptions where possible and reaping the longer term savings of not having reoccurring monthly or annual expenses where possible. For some people that's not a trade off they can make - for me it's one of the contributions I can make to my church. Plus I'm slowly turning from a techie into a bureaucrat/paper-pusher at my "real job" so this is about the only way I can keep my sys admin skills honed