So I have a question and I really need some guidance for this, as networking unfortunately isn't my strongest area of IT expertise.

I've recently had a new client of mine approach me wanting to set up internet access for tenants at an apartment complex he owns. Attached is a very basic topology diagram image I put together with my initial vision of how to set this up seamlessly.

https://www.dropbox.com/s/5o8cywytp39kulr/Apartment%20Topology.pdf?dl=0

The initial proposal was fine since it was a bunch of WAPs powered by a PoE switch in a locked server room and were generally inaccessible inside the ceiling. I had planned on setting up a custom logon page similar to what you see at hotels when you use their WiFi and keeping everything strictly monitored. However, now to save money (did I mention he's also kind of a cheapo?) instead of using WAPs he wants to run hard-wired connections (one each) from the utility room to every apartment living room area, allowing his tenants the ability to directly plug in. Naturally I assume his tenants are probably going to plug in their own router trying to set up their own personal WiFi. My worry is that the initial design of the network was not meant to handle this kind of environment, as now the tenants have direct access to mess around with the appliances.

Also, there are other areas of concern I have been clear with him about. Mostly that since everything is going under his name, anything his tenants download or browse is now HIS responsibility. Things like child pornography, or throttling the network bandwidth because one guy is downloading 50GB worth of anime, preventing the other tenants from playing Netflix or Apple TV (which is the guy's primary purpose for setting this up). I am looking for a gateway that can handle a substantial amount of internet traffic and can manage bandwidth allocation so that the network speed never gets drained by one person. One with very tight, adjustable firewall security features. I'm also going to propose adding additional web filtering systems to work with the gateway to prevent access to shady or illegal websites that he would be liable for.

So with all that in mind, my question is the following...

**How do I make sure that when or if tenants plug in their own wireless routers, their routers won't try to hijack the network, flooding it with ARP packets from a default 192 subnet?**

**How do I set things up so that the tenants can have their own private networks and WiFi but not have access to the primary gateway? I was thinking it would be possible by configuring tight firewall rules on the primary gateway using default subnets (192.168.0.0 / 1.0), allowing access to the internet but not to networking appliances.**

**What is the best gateway to purchase that has managed bandwidth monitoring and flexible firewall configurations? I've used Cisco RV042 and RV320 routers before with good success, but I'm not sure if they are graded for this kind of network traffic. I'm leaning more towards Dell SonicWall or Fortigate.**

**What is the best DNS filtering solution? Should I go for a subscription with OpenDNS, or should I install an on-site IPS that monitors and filters web traffic?**

My final question is, is this a good idea? Is this something doable, or does it look like a disaster waiting to happen? What are your recommendations?

All 2 Replies

  1. The building systems must be on their own subnet that is not accessible from the tenant subnet.
  2. Each apartment should have its own subnet, but with gateway access to the Internet.

Doing this, they can plug in their own router with a 192.168... local, unroutable domain, and all the WiFi or hard-wired connections to that will be local. They need to point their router to the building's gateway so the tenants and their guests can get on the Internet.

Note that you should provide detailed instructions to the tenants on how to do this, as well as how to set up an SSID for their WAP that is also secured with WPA2 and an appropriate password. Of course they could leave their SSID open so others in the area can use their connection, but if they do that, neighbors who are into "bad stuff" can mask their location and cause the tenant serious legal issues...
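The two rules in the reply above (building systems on their own subnet, one subnet per apartment with Internet-only access) can be expressed as a small gateway ruleset. The following is an added example for this thread, not code from the original posts or from any product named in them. It assumes a hypothetical layout: building systems on 10.0.1.0/24 behind interface `vlan10`, apartment N on 10.100.N.0/24 behind `vlan(100+N)` (one VLAN per wall jack), and the upstream link on `eth0`. It renders an nftables ruleset in which tenant traffic may only leave via the WAN to public addresses, and a small policy oracle mirrors the ruleset so the intent can be unit-tested without a gateway at hand.

```python
"""Per-apartment isolation on a shared gateway, rendered as an nftables ruleset.

Added example; not from the original thread.  Assumed (hypothetical) layout:
  - building systems on 10.0.1.0/24, interface vlan10
  - apartment N on 10.100.N.0/24, interface vlan(100+N), one VLAN per drop
  - upstream Internet on eth0, NAT applied at the gateway
Tenants reach the Internet only: no tenant-to-tenant, no tenant-to-building
traffic, and nothing addressed to private space leaves via the WAN.
"""
import ipaddress

MGMT_NET = ipaddress.ip_network("10.0.1.0/24")   # building systems (assumed)
MGMT_IF = "vlan10"
WAN_IF = "eth0"
TENANT_SUPERNET = ipaddress.ip_network("10.100.0.0/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def tenant_net(unit):
    """Subnet handed to apartment `unit`'s wall jack (its router's WAN side)."""
    if not 1 <= unit <= 254:
        raise ValueError("unit must be 1..254")
    net = ipaddress.ip_network(f"10.100.{unit}.0/24")
    assert not net.overlaps(MGMT_NET), "tenant range must not overlap management"
    return net


def tenant_if(unit):
    """Interface name of the per-apartment VLAN (assumed naming)."""
    return f"vlan{100 + unit}"


def forward_allowed(src_ip, dst_ip):
    """Policy oracle for the forward path (traffic routed through the gateway).

    Mirrors the generated ruleset so the intent can be tested without nft.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in MGMT_NET:
        return True                  # building systems may reach anything
    if src not in TENANT_SUPERNET:
        return False                 # e.g. a tenant router's 192.168.x LAN leaking un-NATed
    return not any(dst in n for n in RFC1918)   # tenants: public Internet only


def nft_ruleset(units):
    """Render the nftables configuration for the given apartment numbers."""
    tenant_ifs = ", ".join(tenant_if(u) for u in units)
    private = ", ".join(str(n) for n in RFC1918)
    lines = [
        "table inet gateway {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    iifname {MGMT_IF} accept",
    ]
    # Anti-spoofing: each drop may only source addresses from its own /24, so a
    # tenant router plugged in with its default 192.168.x LAN cannot leak or
    # impersonate another subnet through the gateway.
    for u in units:
        lines.append(f"    iifname {tenant_if(u)} ip saddr != {tenant_net(u)} drop")
    lines += [
        # Tenants may only go out the WAN, and never to private address space.
        f"    iifname {{ {tenant_ifs} }} oifname {WAN_IF} ip daddr {{ {private} }} drop",
        f"    iifname {{ {tenant_ifs} }} oifname {WAN_IF} accept",
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100;",
        f"    oifname {WAN_IF} masquerade",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset([1, 2, 3]))
```

Because every apartment is its own VLAN, a tenant router's DHCP offers and ARP stay inside that apartment's broadcast domain and never reach the building systems or other tenants; the gateway only has to police routed traffic. Tenant-to-tenant and tenant-to-management traffic are dropped by the chain's default policy, since the only accept for tenant interfaces requires the WAN as the egress interface.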

Hi Rubberman, thanks a ton for your wisdom.

Would making the default subnet for the primary gateway a class A address (10.0.1.0/24), with strict firewall rules for other IP classes, prevent tenants who plug in their routers (which are by default class C) from accessing primary network appliances or getting online until after instructions are provided?

I believe I set this up successfully one time as a guest WiFi on a separate router, utilizing firewall rules for a business. My suspicion for why my friend's facility went down might have been due to the primary gateway sharing the same IP class and subnet mask, so that the rogue routers spamming DHCP information could technically reach one another openly.
