So I have a question, and I really need some guidance on this, as networking unfortunately isn't my strongest area of IT expertise.
I've recently had a new client of mine approach me wanting to set up internet access for tenants at an apartment complex he owns. Attached is a very basic topology diagram image I put together with my initial vision of how to set this up seamlessly.
The initial proposal was fine, since it was a bunch of WAPs powered by a PoE switch in a locked server room, and they were generally inaccessible inside the ceiling. I had planned on setting up a custom logon page, similar to what you see at hotels when you use their WiFi, and keeping everything strictly monitored. However, now to save money (did I mention he's also kind of a cheapo?), instead of using WAPs he wants to run hard-wired connections (one each) from the utility room to every apartment living room area, allowing his tenants the ability to directly plug in. Naturally, I assume his tenants are probably going to plug in their own routers, trying to set up their own personal WiFi. My worry is that the initial design of the network was not meant to handle this kind of environment, as now the tenants have direct access to mess around with the appliances.
Also, there are other areas of concern I have been clear with him about. Mostly that, since everything is going under his name, anything his tenants download or browse is now HIS responsibility. Things like child pornography, or throttling the network bandwidth because one guy is downloading 50 GB worth of anime, preventing the other tenants from playing Netflix or Apple TV (which is the guy's primary purpose for setting this up). I am looking for a gateway that can handle a substantial amount of internet traffic and that can manage bandwidth allocation so that the network speed never gets drained by one person. One with very tight, adjustable firewall security features. I'm also going to propose adding additional web filtering systems to work with the gateway to prevent access to shady or illegal websites that he would be liable for.
So with all that in mind, my question is the following...
**How do I make sure that, when or if tenants plug in their own wireless routers, their routers won't try to hijack the network, flooding it with ARP packets from a default 192 subnet?**
**How do I set things up so that the tenants can have their own private networks and WiFi but not have access to the primary gateway? I was thinking it would be possible by configuring tight firewall rules on the primary gateway using default subnets (192.168.0.0 / 1.0), allowing access to the internet but not to networking appliances.**
**What is the best gateway to purchase that has managed bandwidth monitoring and flexible firewall configurations? I've used Cisco RV042 and RV320 routers before with good success, but I'm not sure if they are graded for this kind of network traffic. I'm leaning more towards Dell SonicWall or FortiGate.**
**What is the best DNS filtering solution? Should I go for a subscription with OpenDNS, or should I install an on-site IPS that monitors and filters web traffic?**
My final question is, is this a good idea? Is this something doable or does it look like a disaster waiting to happen? What are your recommendations?
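Added example (not part of the original post, and not anything the poster or his client runs): the two isolation questions above are normally answered on the switch first and on the gateway second. If each apartment's port is an access port in its own VLAN on a managed switch, a tenant router's DHCP offers and ARP broadcasts never reach another apartment or the management network, whatever subnet it defaults to; DHCP snooping and storm control on the switch deal with a rogue DHCP server or a broadcast flood inside a single VLAN. The gateway then terminates one 802.1Q sub-interface per tenant VLAN and needs only a short ruleset: tenants get DHCP and DNS from the gateway, may forward to the WAN, and can reach nothing in RFC 1918 space (so neither each other nor the management VLAN), while SSH to the gateway is accepted only from the management VLAN. The script below shows that design on a Linux gateway with nftables and tc as a vendor-neutral stand-in for the SonicWall, FortiGate or RV-series boxes mentioned; it goes a little beyond the question by also adding a per-apartment bandwidth cap in both directions, using an nftables firewall mark so upstream traffic can still be attributed to a tenant after NAT. All interface names, VLAN ids, the 10.20.VLAN.0/24 addressing plan and the 50 Mbit/s rate are assumptions made for the example, and a DHCP/DNS service such as dnsmasq listening on the sub-interfaces is assumed to exist.

```shell
#!/bin/sh
# Added example: per-tenant VLAN isolation and shaping on a Linux gateway.
# Everything in this block is hypothetical site data, not the poster's setup:
# interface names, VLAN ids, subnets and rates are assumptions.
set -eu

WAN_IF="eth0"                # uplink to the ISP
TRUNK_IF="eth1"              # 802.1Q trunk down to the managed PoE switch
MGMT_VLAN="10"               # switch/gateway management; tenants never reach it
TENANT_VLANS="101 102 103"   # one VLAN id per apartment port (assumption)
TENANT_RATE="50mbit"         # per-apartment cap, each direction (assumption)

# Addressing plan (assumption): VLAN N is 10.20.N.0/24 with the gateway at .1
subnet_of()  { echo "10.20.$1.0/24"; }
gateway_of() { echo "10.20.$1.1/24"; }

# 1. Router-on-a-stick: one sub-interface per VLAN on the trunk.
gen_links() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    for v in $MGMT_VLAN $TENANT_VLANS; do
        printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK_IF" "$TRUNK_IF" "$v" "$v"
        printf 'ip addr add %s dev %s.%s\n' "$(gateway_of "$v")" "$TRUNK_IF" "$v"
        printf 'ip link set %s.%s up\n' "$TRUNK_IF" "$v"
    done
}

# 2. nftables: default-drop.  Tenants talk to the gateway only for DHCP/DNS,
#    forward only to the WAN, and never into RFC 1918 space (other tenants or
#    the management VLAN).  The fwmark tags upstream traffic per tenant so tc
#    can still tell tenants apart after masquerading has rewritten the source.
gen_nft() {
    printf 'flush ruleset\n'
    printf 'table inet tenants {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    ct state established,related accept\n'
    printf '    iif lo accept\n'
    printf '    iifname "%s.%s" tcp dport 22 accept\n' "$TRUNK_IF" "$MGMT_VLAN"
    for v in $TENANT_VLANS; do
        printf '    iifname "%s.%s" udp dport { 67, 53 } accept\n' "$TRUNK_IF" "$v"
        printf '    iifname "%s.%s" tcp dport 53 accept\n' "$TRUNK_IF" "$v"
    done
    printf '  }\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n'
    printf '    ct state established,related accept\n'
    printf '    iifname "%s.%s" oifname "%s" accept\n' "$TRUNK_IF" "$MGMT_VLAN" "$WAN_IF"
    for v in $TENANT_VLANS; do
        printf '    iifname "%s.%s" oifname "%s" ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } meta mark set %s accept\n' \
            "$TRUNK_IF" "$v" "$WAN_IF" "$v"
    done
    printf '  }\n'
    printf '}\n'
    printf 'table ip nat {\n'
    printf '  chain postrouting {\n'
    printf '    type nat hook postrouting priority 100;\n'
    printf '    oifname "%s" masquerade\n' "$WAN_IF"
    printf '  }\n'
    printf '}\n'
}

# 3. tc: HTB caps.  Downstream is shaped on each VLAN sub-interface (all of its
#    egress belongs to that tenant, so no classifier is needed); upstream is
#    shaped on the WAN side by matching the fwmark.  tc reads class ids as hex,
#    so "1:101" is just a label that happens to spell the VLAN id.
gen_tc() {
    for v in $TENANT_VLANS; do
        printf 'tc qdisc add dev %s.%s root handle 1: htb default 1\n' "$TRUNK_IF" "$v"
        printf 'tc class add dev %s.%s parent 1: classid 1:1 htb rate %s ceil %s\n' \
            "$TRUNK_IF" "$v" "$TENANT_RATE" "$TENANT_RATE"
    done
    printf 'tc qdisc add dev %s root handle 1: htb default 999\n' "$WAN_IF"
    printf 'tc class add dev %s parent 1: classid 1:999 htb rate 1mbit ceil 1000mbit\n' "$WAN_IF"
    for v in $TENANT_VLANS; do
        printf 'tc class add dev %s parent 1: classid 1:%s htb rate %s ceil %s\n' \
            "$WAN_IF" "$v" "$TENANT_RATE" "$TENANT_RATE"
        printf 'tc filter add dev %s parent 1: protocol ip prio 1 handle %s fw flowid 1:%s\n' \
            "$WAN_IF" "$v" "$v"
    done
}

case "${1:-show}" in
    show)  gen_links; gen_nft; gen_tc ;;                               # print only
    apply) gen_links | sh -e; gen_nft | nft -f -; gen_tc | sh -e ;;   # needs root
esac
```

Run it with no argument to print the generated commands for review; `apply` creates the sub-interfaces, loads the ruleset with `nft -f` and installs the qdiscs (root required). The point of the fwmark is that by the time tc sees an upstream packet on the WAN interface, masquerade has already replaced the tenant's source address with the gateway's, so a source-address classifier would lump every apartment together; the mark set in the forward chain survives NAT and the `fw` filter keys on it.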