Looking for Advice

Latest post 11-14-2009 9:20 AM by dwelp. 9 replies.

Looking for Advice

11-09-2009 1:41 PM

I am looking to revamp our Network set up at our Gym.  I was wondering if anyone had advice on how we should go about it?  I can list what we have/want and what I thought would be a good setup.  If you have a better idea, please let me know.

Gymnastics environment in an open warehouse.  Size 250ftx100ft

2 office areas with deck on top.

18 computers and 1 server

2 Guest (Internet Only) PCs

Need Guest and Private Wireless for the entire building.

 

General Plan:

1 Linux or Cisco Router (need recommendation on Router)-rack mount

1 Intel based / Gigabit  File/DC server computer. -rack mount

Comcast Cable based Internet

1 Cisco 3524 Switch -24 100based ports and 2 Gigabit ports

1 Secondary switch for 2nd office to link to primary switch.  Hopefully Gigabit.

2 Cisco 1200 Series wireless G Access Points, (POE hopefully)

 

I need the Guest wireless to only have Internet access.  I was told the Cisco APs can do both a private (secure) and a Guest SSID on the same AP.  If this is true, then we should be able to mount 2 APs in the 30ft ceiling to cover the entire building.  Does that seem feasible?

Also - does anyone have experience with the Linux based Routers (PC based)?  It looks to give me good segregation of private, and guest type connections.  It also can do Spam filtering and website tracking, etc...  I've tried IPCop at home and like it.  Is it good for a business?  There are no Business License issues with this SW as per the website.

-Apollo

OGA - Beaverton, Or.

Re: Looking for Advice

11-10-2009 4:37 AM

Hi Apollo, you seem to be on the right track as far as I'm concerned.  One thing I would not do is mount your wireless access points 30 ft in the air.  You're already punishing the users by being at least 30 ft away and you have 250 x 100 to cover.  Perhaps there are columns in the warehouse you can mount to - one on either side?

If you are familiar with administering and using IPCop at home, by all means, give it a shot at work, too.  There are plenty of people on these boards that use firewall/routers like IPCop, m0n0wall, Smoothwall Express, Untangle...  and more.  I prefer Astaro Security Gateways (disclaimer, my company resells these).

If you are eligible for the Cisco product donations, look at all the Cisco products available here (check the eligibility as the OEMs will put restrictions on what type of non-profit can receive their donations).  For a server, take a look at this donation from Sun.  It will run Windows, or any other OS you want.  You will have to find the rails to mount it in the rack, which might actually cost more than the computer, but you're looking at a good server for probably $500 or less.  (Sun eligibility page).

If you are ineligible for the product donations, search for an Atom 330 based rack-mount server.  If it's just a DC/file/print server for so few people, it will perform with no problem at 2GB of RAM and Server 2003 R2 32-bit (it's a 32-bit only processor).  You should be able to find one with a hardware RAID-1 / SATA II drive controller.  And look at Netgear products instead of Cisco, they will provide enough control and reliability for a network of this size.

 

Re: Looking for Advice

11-10-2009 8:08 AM

+1 for the Linux-based router. IPCop should work fine.

There shouldn't be any problem mounting the APs on the ceiling. Consider this:
If you were to mount a single AP 30' up in the center of a 250 by 100' room, the distance to the furthest corner is only about 140' (40 meters). This distance is well within the useable range for modern wifi access points... especially in an open environment like a warehouse.

Using 2 APs will give you even better coverage than the example above, so I don't see an issue.

Something to keep in mind: a single AP can reliably support around 50 users, so your setup can handle around 100 people.

Your equipment list looks pretty solid.

Re: Looking for Advice

11-10-2009 4:09 PM

I recommend a Cisco Wireless Lan Controller for managing guest access.

Re: Looking for Advice

11-11-2009 9:40 PM

Excellent advice from all.  Thank you very much. 

 I have one last question.  Can the Cisco 1200 AP have both Guest and Private segregation?  Or is that better done at the Router?  The Linux router has a good method to segregate and only allows Guests to have Internet access, but that means 2 separate APs mounted in the center of the building.  I've had experience with wireless routers defaulting back to factory settings and leaving the access wide open.  I'm afraid that could happen.  Are there issues with mounting 2 APs next to each other - but on different channels and SSIDs of course?

-Apollo

Re: Looking for Advice

11-12-2009 12:40 AM

I support a couple of non-profits with PF:Sense - it's a FreeBSD based firewall appliance (open source, no charge) that has a very nice Web management GUI, similar to IPCop.  In general, FreeBSD is more highly regarded for network security applications than Linux based solutions although you can quickly enter religious war territory :)

You can get PF:Sense from here:  http://www.pfsense.com/

It will run on a wide variety of hardware and is pretty easy to set up and configure.  It will run a captured portal for your guest access PCs and provides pretty good flexibility in restricting what those PCs can do.  There are add on modules for web content filtering and web caching too.

They have finally released their book documenting how to operate PF:Sense - I'm eagerly awaiting my copy as OpenVPN has been giving me fits and I just haven't had time to digest and reconcile the many guides that are on the internet.  The link I provided is for Barnes and Noble where it's currently on sale.  In case you want to look from another seller, the ISBN for the book is 0979034280.  Good documentation is a godsend - some of these firewall configurations can be arcane and the online documentation often leaves much to be desired.  I think a good book under $40 that is written in easy to understand language is a huge benefit that shouldn't be overlooked.

Also, while Cisco gear (esp. the wireless management and access points) is very good, we have been slowly switching to the HP ProCurve line.  It's much more reasonably priced and so far for our needs just as capable.

Re: Looking for Advice

11-12-2009 12:48 AM

ahavelind:
I have one last question.  Can the Cisco 1200 AP have both Guest and Private segregation?  Or is that better done at the Router?  The Linux router has a good method to segregate and only allows Guests to have Internet access, but that means 2 separate APs mounted in the center of the building.

I use the latter method with some LinkSys routers re-flashed with the Tomato firmware.

I've had experience with wireless routers defaulting back to factory settings and leaving the access wide open.

Change the firmware as outlined above :)

Are there issues with mounting 2 APs next to each other - but on different channels and SSIDs of course?

No - I do that now.  Just manually set network 1 to Channel 1, and the other network to Channel 12.  On the other end of the building flip/flop them - set network 1 to Channel 12 and the other network to Channel 1.

Also with the new N routers, one AP may cover your entire building if it's open with 30 foot ceilings - I have noticed dramatically better coverage with some of the newer N based APs.  It might be worth trying out.

 

Re: Looking for Advice

11-12-2009 6:17 AM

Yes, I found an article explaining how to segregate users into separate VLANs using the Cisco 1200 [PDF]. Each AP can provide both the secure and guest connections.

Commercial/enterprise-grade equipment (like the Cisco AP) will probably have most functionality you need. You can use software like Tomato (I use a similar product, dd-wrt, at home) to add that functionality to consumer-grade APs, but I would go with the Cisco or the HP since you have the budget for it.

Re: Looking for Advice

11-14-2009 1:19 AM

OK - more good advice. I'll try the tomato firmware at home next.  I have a spare WRT router. 

One last question.  I had the Cisco switch in mind only due to its name.  There are so many managed switches out there.  I was thinking of going with a managed switch to allow some segregation of PCs on the private network.  I want some of the PCs to only have access to a video folder and the internet.

Any recommendations on a switch?  Main requirements: 24 ports or more, 2-4 Gigabit ports, rack mount.

These seemed good:

--From TechSoup Stock:  Cisco WS-C2960-48TT-L  -Catalyst 2960

--NETGEAR ProSafe FS728TS

--Or of course the Cisco 3524.  Saw some on eBay for $150-200 or so.

There are a lot of features on these that look like they can be done with the IPCop or PF Sense router though.

 

-Apollo 

Re: Looking for Advice

11-14-2009 9:20 AM

Remember that your switch is a layer 2 device unless you get a specific layer 3 switch, so you still need a router to put your traffic on the correct segment. So you will have pfsense or m0n0wall moving the traffic between the segments you set up in your switch.

Another managed switch to check out is the HP ProCurve line.  The ones I've gotten have lifetime warranty. Though the Cisco donation makes the 2900 attractive.

Dave
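
The segmentation discussed in this thread (guest traffic limited to the Internet, some private PCs limited to the file server and the Internet, with the router deciding what crosses between segments) can be modelled as a first-match rule table. This is an added example, not code from any poster or from IPCop/pfSense; the zone names, subnets, server address and the `decide` helper are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing plan: one subnet per VLAN (assumed, not from the thread).
NETS = {
    "private":    ipaddress.ip_network("192.168.10.0/24"),  # office PCs and server
    "restricted": ipaddress.ip_network("192.168.20.0/24"),  # video-folder-only PCs
    "guest":      ipaddress.ip_network("192.168.30.0/24"),  # guest SSID and guest PCs
}
FILE_SERVER = ipaddress.ip_address("192.168.10.5")  # hypothetical server address
SMB = 445  # the router can limit host and port; the folder itself is a share ACL

# First match wins: (source zone, destination, port or None for any, action).
RULES = [
    ("private",    "any",       None, "allow"),
    ("restricted", FILE_SERVER, SMB,  "allow"),
    ("restricted", "internal",  None, "deny"),
    ("restricted", "any",       None, "allow"),
    ("guest",      "internal",  None, "deny"),
    ("guest",      "any",       None, "allow"),
]

def zone_of(ip):
    """Return the name of the internal segment holding ip, or None if external."""
    return next((name for name, net in NETS.items() if ip in net), None)

def decide(src, dst, port):
    """Return 'allow', 'deny', or 'switched' for a flow from src to dst:port."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is not None and src_zone == dst_zone:
        return "switched"  # same VLAN: handled at layer 2, the router never sees it
    for zone, dest, rule_port, action in RULES:
        if zone != src_zone:
            continue
        if dest == "internal" and dst_zone is None:
            continue
        if isinstance(dest, ipaddress.IPv4Address) and dest != dst:
            continue
        if rule_port is not None and rule_port != port:
            continue
        return action
    return "deny"  # default deny, including sources outside every known segment
```

The `switched` result marks the limit of router-based policy: two guest devices on the same VLAN can still reach each other unless the AP or switch isolates clients.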