In comp.os.linux.networking Keng Ng <(E-Mail Removed)> wrote:
> I just recently finished refurbishing a house to be rented out by rooms
> to about 5 - 6 tenants. I expect everyone would want some kind of
> broadband connection and prefer to share one connection instead of
> having to pay for service overheads for each individual connection.
A common scenario in apartments etc and visitor networks.
> To save money on cabling between room walls, I have opted for
> wireless.
I would consider that a mistake myself, as there's too much that can go
wrong with wireless, and it's very bothersome (and time-consuming) to
troubleshoot.
> I believe my basic needs are:
>
> * Authenticated DHCP by username/password not MAC, since it is likely
> my tenants would have more than one PC.
There are no mechanisms in DHCP for authenticating via
username/password. Something like RADIUS might work, but it's not really
the way to go for this scenario.
> * Volume usage accounting by user, I must be able to track and report
> on accumulated usage by user and ability to reset it.
User or Address? The two are very different and require different
treatments.
> * Set a pre-defined volume limit on each user, once the limit is
> reached, it should either stop all access to that user or throttle
> bandwidth down to modem speed.
Doable, although there may need to be a bit of programming to integrate
bandwidth accounting with your firewall / traffic shaper to do the
throttling/blocking.
> Since I am reasonably comfortable with Linux, I will be using linux to
> do the job. Can anyone suggest:
>
> (a) How I should go about it?
First, I would use a wired network. Depending on how many ports you want
to provide, this shouldn't be too difficult, or _too_ expensive. Since
it's only for internet access, you might even find some cheaper cable,
but don't go lower than Cat5.
If this were a larger complex, I would start with a switch, and assign
each tenant a different vlan tag. Tenants should not be able to see
each other by default anyway.
Then I would configure your Linux router/firewall/shaper with support
for VLANs. I have no experience with VLANs on Linux (it's on my TODO
list).
Actually, if you give each tenant a few ports, you could justify the
cost of a switch with 16 ports with VLANs. You may be able to get a
smaller VLAN capable switch too.
> (b) What software/apps should I use?
IPTables for firewalling of course. Its counters can be used for
accounting too. Integrate those with a bit of Perl or your preferred
scripting language (there is a Perl module for dealing with IPTables).
You should have a Perl script or somesuch that runs via cron every X
minutes to update accounting information and run another script to deal
with throttling if need be. (see below).
You won't need to do anything wrt MAC filtering if you use VLANs, nor
do you need to worry about usernames and passwords. You can just do your
accounting based on VLAN tag and IP address.
You should also allocate each tenant a subnet (not a single address),
and if you're doing NAT, then you will want some mechanism for users to
manage port forwarding, although ideally each tenant would want their
own public IP address, otherwise it could get complicated if two
tenants want to forward the same port.
To do the "throttling to modem speed" trick, you could have a
script that adds in appropriate rules using tc (part of iproute2).
Requisite Parts and Knowledge:
* Something to deal with accounting (Perl DBI can make use of a
flat-file as a table and do SQL queries on it if you like, or
just some simple tabular format, but something you can do various
queries would be better).
* IPTables
* tc (advanced) See the Traffic Shaping & Advanced Routing HOWTO
* VLAN support (802.1q) in the Kernel
* Two NICs in your Linux router
* VLAN switch with at least 8 ports (one will be spare). This will
give each tenant a single port, although you could plug in a
normal switch to each port to provide extra ports. This would be
easier and cheaper to cable this way too.
* Perl or other high-level scripting language (sh may do also) to
integrate it all together.
* A web-server with a page so each tenant can see what their current
usage is. This should be done based on the IP address of the
client, or based on username/password, but u/p should be avoided
for easier manageability.
> Thanks in advance.
If you want to know a bit more, you might try searching on the following
topics:
visitor networks
This network (which appeared in Cisco's Internet Packet Journal) should
be very useful. Note that IPJ is quite Cisco agnostic.
http://www.cisco.com/warp/public/759..._networks.html
Note however that large chunks of this are irrelevant to your situation,
as you have long period "visitors" and you don't need to worry about
bollocky issues such as redirecting things such as mail servers.
--
Cameron Kerr
(E-Mail Removed) :
http://nzgeeks.org/cameron/
Empowered by Perl!
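As an added example (not code from Cameron's post), here is a POSIX sh sketch of the cron job he describes: it reads the per-tenant byte counters from an iptables chain, flags any subnet over its quota, and prints the tc commands that would cap it at modem speed. It assumes an ACCT chain with one count-only rule per tenant subnet, an existing HTB root qdisc (handle 1:) on the LAN-facing interface eth1, and a 2 GiB quota; the counter dump below is constructed to look like `iptables -nvxL ACCT` output.

```shell
#!/bin/sh
# Per-tenant quota check over iptables byte counters (assumed setup):
#   iptables -N ACCT; iptables -I FORWARD -j ACCT
#   iptables -A ACCT -s 10.1.1.0/24      # one count-only rule per tenant subnet
# Constructed sample dump, shaped like `iptables -nvxL ACCT` (no target column):
SAMPLE_COUNTERS='Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  412311  524288000            all  --  eth1   *       10.1.1.0/24          0.0.0.0/0
 1843000 2684354560            all  --  eth1   *       10.1.2.0/24          0.0.0.0/0
   95000   73400320            all  --  eth1   *       10.1.3.0/24          0.0.0.0/0'

# Read a counter dump on stdin; print "subnet bytes" for each rule whose
# byte counter ($2 with -x) exceeds the limit given as $1 (in bytes).
# The source column is found as the first CIDR field, so it works whether
# or not a target column is present.
over_quota() {
    awk -v limit="$1" '
        NR > 2 {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9.]+\/[0-9]+$/) { src = $i; break }
            if (src != "" && $2 + 0 > limit + 0) print src, $2
        }'
}

# Print (do not execute) the tc commands that cap traffic towards a subnet
# at 56kbit: an HTB leaf class under the assumed root qdisc 1:, plus a u32
# filter steering packets destined for the subnet into that class.
throttle_cmds() {
    dev="$1"; subnet="$2"; classid="$3"
    printf 'tc class add dev %s parent 1: classid 1:%s htb rate 56kbit ceil 56kbit\n' \
        "$dev" "$classid"
    printf 'tc filter add dev %s parent 1: protocol ip prio 1 u32 match ip dst %s flowid 1:%s\n' \
        "$dev" "$subnet" "$classid"
}

# Cron entry point: 2 GiB quota, one class per offender. Replace the sample
# with `iptables -nvxL ACCT` and pipe the output into sh to apply for real.
QUOTA=2147483648
main() {
    n=10
    printf '%s\n' "$SAMPLE_COUNTERS" | over_quota "$QUOTA" | while read -r subnet bytes; do
        echo "# $subnet used $bytes bytes, over quota; throttling"
        throttle_cmds eth1 "$subnet" "$n"
        n=$((n + 1))
    done
}
main
```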