In the last article, access points were installed, WDS links set up for hopping, and we were ready to access the Internet. Although TriadLand is ready to rock, we now need to connect the users. First we need to connect the network to some type of Internet service and then come up with a way to authenticate people who want to use it. After that we will cover the day-to-day issues of running the system and how to deal with them.
WISP operators are typically forced to work with local bandwidth providers who have some type of monopoly in an area. A WISP cannot resell most of the business services over DSL or Cable because the local provider does not allow it. WISPs are generally resigned to T-1 circuits or more expensive business options. Assuming that you order a T-1 for your system, you now have 1.5Mbps of bandwidth for your network. If you plan on using cable or DSL services, check with your local provider to see if that is allowed. Other bandwidth options are also available but you will have to check for each area.
Assume that one of the 4 center APs out of the 16 is the Internet connection point. We will set up the WDS links so that no end point is more than 4 hops away (meaning we may have to skip one AP), which will keep the last AP in the chain at around 5Mbps. If we can skip more than one AP, we can keep the hops to 3 or even 2 if we have LOS between the APs. We have enough signal to hold very high modulation rates with ½ mile links between APs. Keep in mind that APs between the end point and the egress point will be handling their own users while simultaneously passing WDS backhaul for other APs down the chain. This directly affects throughput for users down the chain. It is one of the limits of this design, but no different from any of the earlier mesh designs. The end result is that the entire square mile will eventually be routed through one AP.
Recently I received a couple of emails on the problem of security. The drawback of inexpensive radios is that you may have to give up something in return for the reduced price point. This system provides no encryption over the WDS links. This problem gets resolved with additional hardware as part of an upgraded system. The system can run security between the laptop and the AP but there isn’t much use if the AP hops are not secure. If you plan on upgrading later with more bandwidth, then it might be a good idea to get the users to use WPA2 on the APs from day one so they won’t be confused later. Just make sure your EULA clearly states that the system is not secured over the wireless link.
The second problem with this network is that it only supports a single SSID. I do not know if that is going to change in the future. There is third-party firmware that will run on the Bullets and may offer more options, but that typically comes with additional costs, which gets away from the original premise. If you need security, then VPN tunnels are the only option with the basic system. Phase 2 resolves most of the security issues.
There are many good products out on the market for authentication of users. Our sites use Patronsoft FirstSpot for user authentication and management. FirstSpot runs on Microsoft Windows XP or Windows Server, can use SQL Server for multi-site deployment and centralized user management, uses PHP for the web pages, and can run fail-over servers for offline management. Since our company has years of experience with Windows, it works for us. Those of you with more Linux experience have many other options. We ran tens of thousands of users through our servers over 5 years, so I’m pretty comfortable with it. However, it is not CALEA compliant yet, but they are looking at it now.
Running the network: CALEA and other issues
TriadLand is up and running. Users attach to the broadcast SSID, get a login page, diligently read the EULA word for word, agree to follow the rules, and then get online. Now what happens? This is normally planned out in advance, but the focus of these articles was settling the basic wireless technology first. It’s time to deal with the actual functionality of operating the system.
Let’s move on to the first issue, which is keeping control of your network. Several things will stress both you and your network. Let’s start with junior’s desire to fill up that new 2 Terabyte hard drive he just got for his birthday. File-sharing is one of the biggest problems faced by most ISPs. Fortunately or unfortunately, depending on which side of the equation you are on, recent rulings by the FCC allow operators to limit file-sharing. There are 2 basic ways to handle this. You can use either an authentication server that keeps track of bandwidth used per user or a web application firewall that lets you block file-sharing applications. Limiting users to 10GB – 20GB per month is a good start.
Early on, we had an incident where some users on our network had been infected and turned into spam servers. The bandwidth provider started blocking Internet access for the entire system until we got it resolved. With 200 plus users, some of them still running Windows 98, the battle to keep viruses and spam under control is difficult at best. We purchased a Barracuda Web Application server which not only blocks the offending users but redirects them to run spam removal software and won’t let them back on the Internet until the computer is cleaned. A web application filter also allows blocking of file-sharing applications and of specific websites that might attract unwanted legal attention.
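How an operator can spot the infected hosts described above before the upstream provider does, as an added example that is not from the original article or from any product it names: a compromised machine acting as a spam relay opens outbound SMTP (port 25) connections to many distinct mail servers in a short time, while a normal client talks to one or two. The log format and the sample lines are constructed; the fan-out threshold and window are assumed starting values.

```python
"""Flag LAN hosts that behave like spam relays, from outbound connection logs.
Added example, not from the original article or any product it names. It
assumes a constructed log format: <epoch_seconds> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict

# Constructed sample: 10.1.2.7 opens SMTP to 7 distinct hosts in 45 s,
# 10.1.2.9 only talks to its own mail server and a web site.
SAMPLE_LOG = """\
1236000000 10.1.2.7 203.0.113.10 25
1236000003 10.1.2.7 203.0.113.11 25
1236000005 10.1.2.7 198.51.100.5 25
1236000009 10.1.2.7 198.51.100.6 25
1236000012 10.1.2.7 198.51.100.7 25
1236000020 10.1.2.7 203.0.113.40 25
1236000045 10.1.2.7 203.0.113.42 25
1236000010 10.1.2.9 192.0.2.25 25
1236000015 10.1.2.9 192.0.2.80 80
1236000050 10.1.2.9 192.0.2.25 25
"""

def parse_log(text):
    """Yield (ts, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        yield int(ts), src, dst, int(port)

def smtp_fanout(text, window=300):
    """Return {src: most distinct SMTP (port 25) destinations in any window}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port == 25:
            by_src[src].append((ts, dst))
    fanout = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over time-ordered connections
        best = 0
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(dsts))
        fanout[src] = best
    return fanout

def suspected_relays(text, threshold=5, window=300):
    """Sources at or above the fan-out threshold: candidates for quarantine."""
    return sorted(s for s, n in smtp_fanout(text, window).items() if n >= threshold)
```

Hosts returned by `suspected_relays` are the ones to redirect to a cleanup page rather than let through to the upstream link.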
Now that we have built our 1 square mile network in TriadLand, our next step is to either make it profitable or find a way to give it purpose. We will cover those ideas in the next article.