Forcing Intranet Traffic to use specific WAN provider

[matt326]

Hello everyone,

Looking for help on a problem that we have at our church. We currently are only able to get a DSL connection at our church with the speed of 3.5Mbps Down and 0.4Mbps Up. We get these speed because we are so far away the DSL source, and are unable to get any other connection because we are so far out from the city.

We are currently in the process of setting up a cable internet connection at an apartment building in the city and wirelessly link it to the church building. We are looking at keeping both the DSL and Cable because the DSL is a grandfathered plan that has no bandwidth cap, and for redundancy. The cable company can provide us with a 30Mbps Down and a 2 Mbps Up.

We are looking for some kind of product to do the following:

Traffic shaping: We would like to offer wireless in our church and force users to use the DSL, but have the office staff use the Cable connection.
Content filtering
Time limits and bandwidth limits for wireless or "unknown computers" on the network
We also live stream on Sunday, and it would be great if we could have it switch so that our live stream computer would be the only user on the cable internet access and everyone else use DSL.
Does anyone have any hardware or software solutions that don't require a monthly service fee and can be done in house.

[rkresge]

Quote:

Originally Posted by matt326

Hello everyone,

Looking for help on a problem that we have at our church. We currently are only able to get a DSL connection at our church with the speed of 3.5Mbps Down and 0.4Mbps Up. We get these speed because we are so far away the DSL source, and are unable to get any other connection because we are so far out from the city.

We are currently in the process of setting up a cable internet connection at an apartment building in the city and wirelessly link it to the church building. We are looking at keeping both the DSL and Cable because the DSL is a grandfathered plan that has no bandwidth cap, and for redundancy. The cable company can provide us with a 30Mbps Down and a 2 Mbps Up.

Hmmm... You didn't mention the distance, but you *might* be able to do this with 802.11n gear. Directional antennas might well be required. Check your terms of use from cable company *very* carefully. You could be violating an agreement with them.

Quote:

We are looking for some kind of product to do the following:

Traffic shaping: We would like to offer wireless in our church and force users to use the DSL, but have the office staff use the Cable connection.
Content filtering
Time limits and bandwidth limits for wireless or "unknown computers" on the network
We also live stream on Sunday, and it would be great if we could have it switch so that our live stream computer would be the only user on the cable internet access and everyone else use DSL.
Does anyone have any hardware or software solutions that don't require a monthly service fee and can be done in house.

My experience with the content filtering issue is limited to my full-time field, public education - the products we use probably won't work for you, or would cost too much. But your traffic shaping could easily be done with two separate WAPs; broadcast the SSID of the public one, and hide the one for internal use only; make it secure with WPA2 encryption, etc.

For additional security you could run them on separate cabling systems, or even on the same cabling system but use a different IP addressing scheme to keep the network traffic separate.

Just some quick ideas.

Roger

[cmchamp]

Yes, I believe it's possible. You may need two separate Cable/DSL routers.
Someone else will have to tell me if two different DHCP servers can function in two separate subnet masks.
Even if they can't, that's Ok, I think.
Set your DSL Router to be the DHCP server on one subnet mask.
Set your CableRouter to be a manual DHCP and assign all users their own IP on another subnet mask.
Much like Roger recommended above.
C.

[rkresge]

Quote:

Originally Posted by cmchamp

Yes, I believe it's possible. You may need two separate Cable/DSL routers.
Someone else will have to tell me if two different DHCP servers can function in two separate subnet masks.
Even if they can't, that's Ok, I think.
Set your DSL Router to be the DHCP server on one subnet mask.
Set your CableRouter to be a manual DHCP and assign all users their own IP on another subnet mask.
Much like Roger recommended above.
C.

Alas, there's no practical way to have two different DHCP servers and IP subnets on the same physical network. DHCP is totally based on broadcast packets, and a new device that comes on the network actually gets its IP address configuration from the first DHCP server that responds to its request - no way to control it. My suggestion would include doing manual addressing on the internal/private network, and doing DHCP only for the public network.

You *might* conceivably be able to get a single DHCP server to service multiple subnets on the same physical segment, but you would absolutely have to program the MAC addresses and corresponding IP addresses of one of them. In Windows Server this would be a Reservation.

Roger

[cmchamp]

Some Cable/DSL routers have a "Reservation" ability as well. The D-Link router we utilize allows this and we "Reserve" the IP address for our server as well as for our business manager's CPU.

[rkresge]

Quote:

Originally Posted by cmchamp

Some Cable/DSL routers have a "Reservation" ability as well. The D-Link router we utilize allows this and we "Reserve" the IP address for our server as well as for our business manager's CPU.

Yup. But I doubt very strongly that you'll ever find a DHCP server that can support multiple IP address ranges (in separate subnets) on the same physical network segment. The only possible answer I can see is to manually configure the IP settings of the systems that need to be on a separate IP subnet.

Roger

[Gracetech]

I hate to steer you to the more expensive alternative but it would serve you better to either physically separate the networks or to get managed switches that support VLans(layer2 or layer 3).

You will then need a router to handle the connection of both networks to your Internet connection.

crt

[Twanks]

As Gracetech said, much of what you are looking to do could be implemented with a managed switch and an appropriate router. You can build your own router using software like "pfSense". pfSense has support for multi-WAN setups, captive portal (guests), traffic shapping (actually throttling each user to a specified bandwidth), and obviously VLAN support. You can then separate private and public networks by implementing VLANs on a managed switch and creating firewall rules. It may sound like a hassle but it is actually fairly straightforward.

[EricE]

What you are describing is a "mutlihomed" Internet access. You will need a firewall that supports multi-homing. pfSense, which was mentioned earlier, is a great solution. But it won't be for the faint of heart - you will have to do some reading and experimenting.

SuperMicro makes great 1U Atom servers that are awesome pfSense boxes - and most even have the much better Intel based Network interfaces: http://www.newegg.com/Product/Produc...82E16816101332

That one even has an IPMI card - external management - you can power on/off the server, remote control it, etc. pfSense is pretty stable (I've never had it lock up) but since it's included, very nice functionality. You'll need a 2GB stick of RAM and for a "hard drive" I use these SATA DOM drives - you need the right angle ones because the 1U case is very short: http://www.memorydepot.com/ssd/listc...satadomD150SHF

2GB is more than enough - the only gotcha is when you install pfSense, you have to do a manual config - otherwise it tries to create a 2GB swap partition (to match the memory size to do a core dump) which obviously won't work with a 2GB drive to begin with. You don't need to worry about reading core dumps so it's not that big a deal. If you go this path and run into an issue, post back and I can walk you through it - it's not as scary as it sounds

Finally you'll need the bracket for the PCI Express card and a two port NIC - SuperMicro has a great and affordable 2 port NIC that is Intel based. You need two ports for your Internet connections since you have two, and then one port for your local area network (LAN). If you get the 2 port NIC, you have an extra NIC port for expansion (the server comes with 2 and you added 2) - and the SuperMicro 2 port card is pretty reasonable for a two port NIC. I just scored one for $40 off of eBay. When it comes in and if it works and is good, I can tell you the seller if you are interested.

If you can't utilize a rack mounted machine or you don't care that much, you can also get a great deal on the HP Microsevers from time to time - I scored this model from MacMall for $200 a few weeks back: http://www.macmall.com/p/HP-Servers/...50~pdp.gdahgba

It only came with one NIC, not Intel either - but it does have two PCIe slots so that's what the SuperMicro 2 port card I referenced from eBay is for. For the money you can't beat it. They also make GREAT Windows Home Servers - and at the risk of digressing, if you don't know about WHS and it's ability to do full client backups for up to 10 computers with complete bare metal restore (WHS 2011 will even automatically make a flash boot drive to restore a failed machine!) - consider yourself notified Great for pastors with laptops who don't save files back to the network server, don't do backups and are either accident prone or travel allot and give admins like me premature grey hair when obsessing about potential data loss.

Anyway, back to your issues: As for connecting your two buildings, at the risk of sounding like I work for them (I don't - honest!) look at their WiMax based solutions - like http://www.ubnt.com/nanostationm

Rated for outside (weatherproof) it has the power and speed for you to get the most out of your cable internet connection. It also has much better management software and will be easier to configure than hacking something together with consumer gear. And will more than likely not cost that much more - they used to have an AirCable (that was the name) solution that is literally plug and play - nothing to configure - and it was under $200. You can find them online from time to time still.

So, your Cable via wireless and your DSL would come into the back of your pfSense box. Those are your WAN or Internet connections. Your LAN would be on a third interface. There are some tutorials and a few places to get online support for pfSense, so if you are the least bit adventurous getting multi-homing to work should be eminently doable.

Good luck and let us know how it goes!