Friday, August 27, 2010

How to share an internet connection in an apartment building

Recently I was approached by a friend of mine who lives in an apartment building with 12 apartments. The building has PDS cabling throughout, and the residents share a single 20/1 Mbit ADSL connection (perhaps not exactly in compliance with the ISP's terms of service ;-).
They were sharing the connection using a 24-port unmanaged D-Link switch connected to a D-Link router (DIR-100). Most of the time this setup worked surprisingly well, but every now and then someone would connect a wireless router to the network the wrong way round: if the LAN side of such a router is plugged into the shared network, its DHCP server happily hands out (non-working) IP addresses to the rest of the building.
Whether you get an address from the "rogue" router or from the D-Link router is then just a matter of chance; on a flat, unmanaged network every client sees both servers and takes whichever offer arrives first.
Another problem was someone using all the bandwidth all the time, e.g. for BitTorrent. Adding to the problems was the fact that it was difficult to track down the culprits. The only way was to disconnect the apartments one at a time and see if the problem went away.
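Tracking down a rogue DHCP server does not actually require unplugging apartments one at a time: on the flat network every DHCP OFFER is visible to a sniffer, and the Ethernet source MAC of an offer that does not come from the real router identifies the culprit's device (and, on a managed switch, its port). The following is an added example, not code from the original post: a minimal DHCP message parser plus a check that flags offers from any server identifier other than the trusted one. The packets below are constructed for illustration; the DIR-100 address 192.168.0.1 and all MAC addresses are assumptions.

```python
"""Spot rogue DHCP servers on a flat network from captured DHCP replies."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _ip(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP/DHCP message carried in a UDP payload (ports 67/68)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {
        "op": op,
        "xid": xid,
        "client_mac": payload[28:28 + hlen].hex(":"),
        "yiaddr": _ip(payload[16:20]),   # the address being offered
        "siaddr": _ip(payload[20:24]),   # next-server; not necessarily the DHCP server
    }
    # Options are TLV after the cookie: code 0 is padding, 255 ends the list.
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_NAMES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "?")
    msg["server_id"] = _ip(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    msg["router"] = _ip(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None
    msg["mask"] = _ip(opts[OPT_SUBNET]) if OPT_SUBNET in opts else None
    return msg


def find_rogue_servers(frames, trusted_server_ids):
    """frames: (source MAC from the Ethernet header, UDP payload) per captured packet.
    Returns one entry per untrusted server that sent an OFFER or ACK, keyed by its MAC,
    which is what you need to find the offending device (and its switch port)."""
    rogues = {}
    for src_mac, payload in frames:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue
        if msg["type"] not in ("OFFER", "ACK") or msg["server_id"] in trusted_server_ids:
            continue
        entry = rogues.setdefault(src_mac, {"server_id": msg["server_id"],
                                            "router": msg["router"], "offered": set()})
        entry["offered"].add(msg["yiaddr"])
    return rogues


def build_offer(xid, client_mac, yiaddr, server_ip, router_ip, mask="255.255.255.0", msg_type=2):
    """Construct a DHCP OFFER/ACK (sample data for this example, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)            # op=BOOTREPLY, ethernet
    hdr += b"\0" * 4                                                  # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed                       # yiaddr
    hdr += ipaddress.IPv4Address(server_ip).packed                    # siaddr
    hdr += b"\0" * 4                                                  # giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")) + b"\0" * 10    # chaddr (16 bytes)
    hdr += b"\0" * 192                                                # sname + file
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
            + bytes([OPT_SUBNET, 4]) + ipaddress.IPv4Address(mask).packed
            + bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router_ip).packed
            + bytes([OPT_END]))
    return hdr + MAGIC_COOKIE + opts


TRUSTED = {"192.168.0.1"}   # the real DIR-100 (assumed address)
# Constructed capture: the real router and a backwards-connected wireless router both
# answer the same two DISCOVERs (same xid), the rogue one with a 192.168.1.x pool.
SAMPLE_FRAMES = [
    ("00:1b:11:aa:bb:01", build_offer(0x1234, "00:16:3e:00:00:07", "192.168.0.105", "192.168.0.1", "192.168.0.1")),
    ("00:1e:58:cc:dd:02", build_offer(0x1234, "00:16:3e:00:00:07", "192.168.1.100", "192.168.1.1", "192.168.1.1")),
    ("00:1e:58:cc:dd:02", build_offer(0x5678, "00:16:3e:00:00:09", "192.168.1.101", "192.168.1.1", "192.168.1.1", msg_type=5)),
    ("00:1b:11:aa:bb:01", build_offer(0x5678, "00:16:3e:00:00:09", "192.168.0.106", "192.168.0.1", "192.168.0.1", msg_type=5)),
]

if __name__ == "__main__":
    for mac, info in find_rogue_servers(SAMPLE_FRAMES, TRUSTED).items():
        print(f"rogue DHCP server {info['server_id']} at MAC {mac} offered "
              f"{sorted(info['offered'])}, pushes gateway {info['router']}")
```

In practice the (source MAC, UDP payload) pairs come from a capture on the shared network, e.g. `tcpdump -i eth0 -w dhcp.pcap 'udp port 67 or udp port 68'` read back with any pcap library; the block keeps the parsing free of that dependency so it runs offline on the constructed frames.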

My friend asked if there was a (not too costly) way to avoid these problems.
Obviously, a more managed approach was needed. First I considered whether a managed switch by itself could solve the problems. But since all the apartments needed access to the same router, I couldn't simply put each apartment in its own VLAN and leave it at that: the DIR-100 is not VLAN-aware, so it could only sit in one of them. Nor would this solve the bandwidth sharing issue.

The router needed to be aware of the VLANs, so that each apartment could get its own network and DHCP server, and its fair share of the available bandwidth.

I ended up using an old Dell PowerConnect 2716 switch. I created a VLAN for each apartment. Port 1, where the router is connected, is used as a trunk: packets leaving the switch on port 1 carry an 802.1Q tag, so the router knows which VLAN each packet came from. VLAN ID 1 (port 1, port 16) is used for administration. The first apartment is connected to port 2 (VLAN ID 2), the second apartment to port 3 (VLAN ID 3), and so on. A welcome side effect: a wireless router plugged in the wrong way round can now only hand out bogus addresses inside its own apartment's VLAN, since its DHCP broadcasts no longer reach the other ports.

The second part of the equation is the VLAN-aware router. I had some previous experience with m0n0wall, so I decided to give it a try and ordered a Soekris 5501 box. An alternative would be an old PC with two network cards, but I wanted something reliable with low power requirements.

On m0n0wall I created all the VLANs (2-15) on interface vr0 (the router's LAN port, i.e. the one plugged into the switch's trunk port).

Then I configured an interface for each VLAN (OPT2 to OPT15).

A private IP net was assigned to each interface (192.168.2.0/24 on OPT2, 192.168.3.0/24 on OPT3 etc.).

Next, I enabled the DHCP server on each interface.

The firewall was configured on each interface to allow all outgoing traffic but block traffic to the other internal networks. E.g. apartment 2 on VLAN ID 2, network 192.168.2.0/24, can talk to the world, but not to the other apartments on VLAN IDs 3-15, networks 192.168.3.0/24 to 192.168.15.0/24. Since m0n0wall evaluates rules top to bottom and the first matching rule wins, the block rule must sit above the allow-all rule on each interface, or it never fires.

Finally, I configured the traffic shaper by using the Magic shaper wizard.
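The same design (one VLAN and /24 per apartment, a trunk to the router, a DHCP pool per VLAN, no forwarding between apartments, and a fair share of the uplink) can be expressed for the "old PC with two network cards" alternative mentioned above. The following is an added example and not the author's m0n0wall configuration: it renders the plan as the switch membership table to enter in the GUI, plus Linux `ip`, dnsmasq, nftables and `tc` configuration. Interface names eth0/eth1, the DHCP pool .100-.199, lease time and the 1000 kbit upload figure are assumptions. One detail the m0n0wall GUI hides is handled explicitly here: egress shaping on the WAN side runs after NAT, so packets are classified by a firewall mark set per VLAN before NAT rather than by their (already rewritten) source address.

```python
"""The per-apartment VLAN plan from the post, rendered as a Linux router config."""
import ipaddress

TRUNK = "eth1"        # NIC on the switch's trunk port (the role vr0 plays on the Soekris); assumed
WAN = "eth0"          # NIC towards the ADSL modem; assumed
ADMIN_VLAN = 1
APARTMENTS = 14       # VLAN IDs 2..15, as in the post


def plan(n=APARTMENTS):
    """Apartment k -> switch port k+1, VLAN ID k+1, 192.168.(k+1).0/24, gateway .1, pool .100-.199."""
    rows = []
    for k in range(1, n + 1):
        vid = k + 1
        net = ipaddress.ip_network(f"192.168.{vid}.0/24")
        rows.append({"apartment": k, "port": vid, "vlan": vid, "dev": f"{TRUNK}.{vid}", "net": net,
                     "gateway": net[1], "dhcp_start": net[100], "dhcp_end": net[199]})
    return rows


def switch_table(rows, trunk_port=1, admin_port=16):
    """Port membership for the switch GUI: each apartment port untagged in its own VLAN (PVID),
    every apartment VLAN tagged on the trunk, VLAN 1 untagged on the trunk and the admin port."""
    table = {trunk_port: {"pvid": ADMIN_VLAN, "untagged": {ADMIN_VLAN}, "tagged": {r["vlan"] for r in rows}},
             admin_port: {"pvid": ADMIN_VLAN, "untagged": {ADMIN_VLAN}, "tagged": set()}}
    for r in rows:
        table[r["port"]] = {"pvid": r["vlan"], "untagged": {r["vlan"]}, "tagged": set()}
    return table


def ip_commands(rows):
    """802.1Q sub-interfaces on the trunk NIC, one gateway address each."""
    cmds = []
    for r in rows:
        cmds += [f"ip link add link {TRUNK} name {r['dev']} type vlan id {r['vlan']}",
                 f"ip addr add {r['gateway']}/{r['net'].prefixlen} dev {r['dev']}",
                 f"ip link set {r['dev']} up"]
    return cmds


def dnsmasq_conf(rows):
    """One DHCP pool per VLAN; dnsmasq selects the pool matching the interface's own subnet."""
    lines = ["bind-interfaces"] + [f"interface={r['dev']}" for r in rows]
    lines += [f"dhcp-range={r['dhcp_start']},{r['dhcp_end']},12h" for r in rows]
    return "\n".join(lines) + "\n"


def nft_ruleset(rows):
    """Apartments reach the WAN only. The inter-apartment drop precedes the accept (first match
    wins), the router itself only answers DHCP/DNS from apartments, and each forwarded packet is
    marked with its VLAN ID so tc can still tell apartments apart after masquerading."""
    devs = ", ".join(f'"{r["dev"]}"' for r in rows)
    nets = ", ".join(str(r["net"]) for r in rows)
    marks = "\n".join(f'        iifname "{r["dev"]}" oifname "{WAN}" meta mark set {r["vlan"]} accept'
                      for r in rows)
    return f"""table inet apt {{
    set apt_nets {{ type ipv4_addr; flags interval; elements = {{ {nets} }} }}
    chain input {{
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iifname "{TRUNK}" accept                      # untagged admin VLAN 1 may manage the router
        iifname {{ {devs} }} udp dport {{ 67, 53 }} accept  # apartments: DHCP and DNS only
        iifname {{ {devs} }} tcp dport 53 accept
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname {{ {devs} }} ip daddr @apt_nets drop   # must come before the accepts below
        iifname "{TRUNK}" oifname "{WAN}" accept
{marks}
    }}
    chain postrouting {{
        type nat hook postrouting priority 100; policy accept;
        oifname "{WAN}" masquerade
    }}
}}
"""


def tc_commands(rows, up_kbit=1000):
    """Upload is the scarce 1 Mbit: HTB on the WAN NIC with one class per apartment, each
    guaranteed 1/(n+1) of the link and allowed to borrow up to the whole link when it is idle.
    Packets are matched by the firewall mark, not by source subnet, because NAT has already
    rewritten the source address when they leave the WAN NIC. Class 1:30 catches unmarked
    traffic (the admin VLAN and the router itself). Downstream shaping would need an IFB
    device or ingress policing and is left out here."""
    share = up_kbit // (len(rows) + 1)
    cmds = [f"tc qdisc add dev {WAN} root handle 1: htb default 30",
            f"tc class add dev {WAN} parent 1: classid 1:1 htb rate {up_kbit}kbit ceil {up_kbit}kbit",
            f"tc class add dev {WAN} parent 1:1 classid 1:30 htb rate {share}kbit ceil {up_kbit}kbit"]
    for r in rows:
        cmds.append(f"tc class add dev {WAN} parent 1:1 classid 1:{r['vlan']} htb rate {share}kbit ceil {up_kbit}kbit")
        cmds.append(f"tc filter add dev {WAN} parent 1: protocol ip handle {r['vlan']} fw flowid 1:{r['vlan']}")
    return cmds


if __name__ == "__main__":
    rows = plan()
    print("\n".join(ip_commands(rows)))
    print(nft_ruleset(rows))
    print(dnsmasq_conf(rows))
    print("\n".join(tc_commands(rows)))
```

Running the script prints the four pieces; the `ip` and `tc` lines are applied as root with `sh`, the ruleset with `nft -f`, and the dnsmasq fragment goes into `/etc/dnsmasq.d/`. IP forwarding (`net.ipv4.ip_forward=1`) still has to be enabled separately.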

The cost of the solution was 250€ for the Soekris box and about the same for the PowerConnect switch, in total about 500€.
I haven't heard from my friend since the solution was implemented a few months ago. I consider that a good sign ;-)
