
We have 3 open-space floors of 80 square meters each that we want to cover by the same wireless network in a big concrete building. We also have ethernet cables set up throughout all the floors.

The requirements are:

  • we want internal (let's call them employee) devices (cabled laptops, a DVR, a server) to be part of the same network and see each other; if possible, through the wireless also, if not, just cable
  • we want to offer visitors wireless internet access and to seamlessly roam between different access points / wireless routers; so we want a reliable wi-fi connection for our visitors, with the lowest or no dropouts in connection possible
  • we want to install a wi-fi hotspot script that conditions wireless visitors' access to the wireless network on a Facebook check-in. The script is FBWLAN, which needs Wifidog to be installed on the router. Because of this, the routers must be flashed with the OpenWRT firmware. We would also prefer OpenWRT over stock firmware because of all the extended config options and the possibilities it offers (an adblocker, for example). The PHP hotspot script relies on client MACs to manage authentication, so addresses must be transmitted unaltered to the third-party server hosting the Fbwlan PHP script

Our proposed solution is to use one router for each floor, and these should be wired by cable to a 4th, main router, which will act as a DHCP server. The 3 "slave" routers would have the same configuration: DHCP disabled, static IPs associated (different, of course), same SSID, same password/key, same encryption (WPA2-PSK), and some kind of bridge between the wireless network and wired network. I read somewhere that it would be wiser to set different, far apart channels (1, 6, 11) for each router to avoid bandwidth overlapping. Wifidog would also be installed on each of these routers. All these settings are supported by OpenWRT as I understand, so all 4 routers would have the latest version (Chaos Calmer 15.05) of OpenWRT.

UPDATE: no password and no encryption, as the wi-fi captive portal would require this.

I was planning to buy 4 x TP-Link TL-WR1043ND routers, which are reasonably cheap (about $50 each). Same hardware yields better success at configuring this setup. Although this is an old router, I already have a TL-WR1043ND (hardware v2) at home, had no issues installing and configuring OpenWRT on it (Barrier Breaker), and it has good connectivity and no Wi-Fi signal loss, so this was my first go-to option, given the budget constraints.

We don't have an internet connection yet, but it will be a fast fiber-optic, 1000 Mbps connection. The ISP will probably bring its own fiber-optic capable router into the equation, but I don't plan on using it as the main router as it will most probably be a Huawei brand with few config options, no MAC-based IP leasing, etc. So I plan to connect the main TPLink router to one of its LAN ports.

Also, I plan to use an unmanaged 16-port Gigabit Switch (TP-Link TL-SG1016) to wire all RJ-45 wall-mounted sockets for cabled devices.

So the overall setup would be: ISP router -> main TPLink router -> unmanaged switch (cabled, internal clients wired here) -> slave wireless routers -> wi-fi clients (visitors).

I heard of repeater configurations, extenders, WDS, but don't know much about them as I'm not much into networking.

My question is: is this a good hardware setup that meets our requirements?

I need help in making a decision to buy the equipment - not which brand, but which type: whether APs, extenders, routers, etc.

  • What sort of office has 4 PS3s? I think I want to work there. – Michael Hampton Sep 24 '15 at 22:35
  • Do not cheap out on wireless gear. Go for a centrally-managed solution like Ruckus, Meraki, or Ubiquiti at the very least. It is impossible to get seamless roaming with standalone APs. – EEAA Sep 25 '15 at 03:52
  • @MichaelHampton it's not really an office. It's half incubator/makerspace and we also offer trainings on the business side. It's hard to explain even to our visitors, but let's call it a social club. – binar Sep 25 '15 at 06:44
  • @EEAA - I updated the question to be more specific. I'm not interested in what brand of equipment to buy, but to know if this sort of network configuration (1 main router, 3 slave routers) would work. – binar Sep 25 '15 at 08:21

1 Answer

The biggest problem I see is that I don't think you can do captive portal and any form of link-layer encryption (WEP, WPA, WPA2) at the same time. The problem is that link-layer encryption schemes require link-layer authentication before you can use the link, and captive portal authentication is higher-layer authentication that requires a working link. That is, you can't load the captive portal authentication web page unless you've already entered the WPA2-PSK password.

Unless you don't mind visitors having to ask you for, and enter, the WPA2-PSK network password, and THEN being forced by the captive portal to do a Facebook check-in.

If you don't mind leaving your visitors' traffic unprotected at the link layer, you could probably publish a separate SSID with WPA2-PSK encryption for employees. But this setup would only make security sense if the "employee" network is the one with the PS3s, projector, DVR, etc. on it, and if the "visitor" network is firewalled off and only provides access to the Internet.

Don't go WPA-PSK. 802.11n and 802.11ac data rates require WPA2/AES-CCMP. So go with WPA2-PSK. Disable all WPA/TKIP; you want pure WPA2/AES. WPA/TKIP was only ever truly useful for a tiny number of devices from 12 years ago; by the time WPA/TKIP came out c. 2002, WPA2/AES was already on its heels, and there were very few devices that could do WPA/TKIP but never saw an upgrade to be able to do WPA2/AES. Leaving TKIP enabled just complicates things and reveals buggy implementations that screw up when the multicast cipher is different from the unicast cipher.

Don't go 2.4GHz-only. Go for simultaneous dual-band and 802.11ac. Maybe a $93 TP-Link Archer C7 v2 (make sure to get v2, the v1's radio won't be supported for 802.11ac on OpenWrt). May as well have wireless that can keep pace with your Internet connection. Plus the dual-band gives you much higher capacity.

Review your captive portal authentication scheme. From a quick read of your proposed network and the captive portal tools involved, I'm afraid your proposed setup will have each router acting as its own captive portal instead of using a centralized captive portal, so your users might keep having to redo the Facebook check-in every time they roam between APs.

For channel planning, yes, always set non-overlapping channels. In the 2.4GHz band, that means you have to use 20MHz-wide channels 1, 6, and 11. That limitation of 20MHz channels means that your 2.4GHz AP won't be able to offer its 450Mbps rate, which only works with 40MHz-wide channels. Instead, it will be limited to 217Mbps (and most of your clients will only be able to do 144 or 72Mbps with it anyway, because most clients don't have 3-stream radios).

Make sure you only have one device on your network doing NAT and acting as a DHCP server. Make sure the slave APs are configured to simply bridge traffic between the wired network and the wireless clients. You'll probably also need to make sure that the "visitor" SSID is bridged into a separate VLAN that goes straight to the router, to segregate it from your "employee" network with all the wired devices on it, for security reasons.

  • First part - captive portal - you are right and I forgot that along the way. The captive wireless needs to have no password. I could go with publishing 2 SSIDs, but it would make things too complicated and I'm not that savvy (in routers, Linux, networking). I think I'll keep the LAN wired and only access internal devices (DVR, server) by cable and only offer an internet connection by wireless. But, would AP roaming work with no password for the wireless network? If not, I would most likely drop the captive portal. – binar Sep 25 '15 at 06:50
  • PS3s only need an internet connection, no need to access the LAN, so I could connect them wirelessly. – binar Sep 25 '15 at 06:51
  • Paragraph 4 - WPA2 - thanks for pointing that out. I was actually thinking about WPA2/AES (that's what I have enabled on my home router), but mistook the name with the old WPA-PSK. – binar Sep 25 '15 at 06:57
  • Paragraph 5 - TP-Link Archer C7 - I'll look into it, but given our budget (btw, I do this as a volunteer) and the fact that I don't expect to download torrents wirelessly, just provide basic browsing for visitors, I think we can stick to 2.4GHz. We aim for coverage more than speed, and in 5GHz speed lowers the farther you are from the router anyway. Maybe in the future we could go for an upgrade. – binar Sep 25 '15 at 07:18
  • Paragraph 6 - The captive portal relies on MACs to authenticate. Wifidog (on the router) asks Fbwlan (PHP script on external server) if a certain MAC is already "authenticated". So it _should_ work, as all the logic seems to be in the Fbwlan part. I can also modify the PHP part to suit my needs. – binar Sep 25 '15 at 07:22
  • Paragraph 7 - channels - with the TL-1043ND at home, OpenWRT, I set "HT mode" to 40MHz, enabled "Force 40MHz mode" and get a 150 Mbit/s Bitrate. I know it's not recommended, but I don't have neighbouring routers overlapping my 10+11 channels. The router is actually v2 not v3, and is 300Mbps rated, not 450 as in the link I gave in the description to the TP-Link site. – binar Sep 25 '15 at 07:30
  • Last paragraph - my actual question. So the proposed setup - main router acting as DHCP server and 3 other slaves connecting to its LAN ports, configured as bridged between wire and wireless networks is a good solution. – binar Sep 25 '15 at 07:34
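The answer's last three recommendations (pure WPA2/AES with no TKIP, 20 MHz channels 1/6/11, slave APs that only bridge, with visitors in their own VLAN and a single DHCP server on the main router) put into OpenWrt UCI form for one of the three slave routers, matching the setup summarized in the final comment. This is an added example, not configuration from the question, the answer or the OpenWrt project; it assumes a TL-WR1043ND v2 style switch (LAN on eth1 via switch0, uplink in port 1), a main router at 192.168.1.1 that terminates both VLANs and runs the DHCP server, the firewall between them and the captive portal, and it treats the switch port numbers as an assumption to be checked on the real board.

```uci
# /etc/config/network on a slave AP (192.168.1.12 and .13 on the other two).
# VLAN 1 = employee LAN, VLAN 10 = visitors, both tagged on uplink port 1.
# Port numbers are an assumption: check with `swconfig dev switch0 show`;
# the board's existing 'config switch' stanza (enable_vlan '1') stays as is.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4'
config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '0t 1t'
# Management address only: static IP, no DHCP server, no NAT on this box.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.11'
	option netmask '255.255.255.0'
# Visitor bridge: tagged VLAN 10 towards the main router, no IP on the AP.
config interface 'guest'
	option type 'bridge'
	option ifname 'eth1.10'
	option proto 'none'

# /etc/config/dhcp: the main router stays the only DHCP server.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

# /etc/config/wireless (channels 6 and 11 on the other two floors).
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option channel '1'
	option htmode 'HT20'
# Open SSID for the captive portal, bridged into the visitor VLAN only.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'Visitors'
	option network 'guest'
	option encryption 'none'
# Employee SSID: pure WPA2/AES-CCMP ('psk2+ccmp'), TKIP never offered.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'Employees'
	option network 'lan'
	option encryption 'psk2+ccmp'
	option key 'REPLACE-WITH-A-LONG-PASSPHRASE'
```

With the visitor SSID bridged only into VLAN 10, wired employee devices are never on the same segment as open-network clients, and the firewall on the main router is the single place where visitor traffic is restricted to the Internet.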