Suggestions for bridging two buildings only 30 ft apart
master4g
Junior Member with 29 posts.
Join Date: Oct 2009
Experience: Intermediate
03-Nov-2009, 11:10 AM #31
One reason I was looking for an inexpensive but effective solution was because we already have a solution in place right now. This project is more about convenience than necessity. Currently we have a Linux box running Squid which operates as a gateway. Everyone's traffic goes through the server and there is no back alley straight to the modem. Currently we are able to: block off IP and MAC addresses, set up a delay pool, block certain ports (all of these with ACLs), and best of all we have a small program called Squint which spits out very detailed reports from the log files about all the Internet usage. The disadvantage is that this server requires more maintenance than if we got one of these managed switches/routers. The reason we need this control is that several years ago one of the residents had a virus which was sending out continuous pings along with some other things. At the time we had an internet connection which the local schools and libraries also used. Because of this virus, all those local schools' and libraries' internet went down, even the internet at the University of Michigan (we are in California). The ISP cut us off and told us we needed more control of our network and needed to block off such and such ports if we wanted the internet again. At the time we were just as low budget as we are now. The ISP suggested some firewall solution which cost $10,000 and we had nowhere near that. So I had to do loads of research and had to talk with several experts and was finally able to pull off this Squid server (had never used Linux before that). We were without internet for 3 weeks, though.

I looked up that Cisco box on eBay as well and there was a company only 10 minutes away which had it at Buy It Now for $40 last week. Everything now is much higher. I emailed the seller to ask if he has any more. Also, are there other comparable models which allow me to do the same thing? Maybe another reputable manufacturer, or a different model/class?
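A constructed squid.conf fragment, added here and not master4g's actual configuration, showing the four controls the post describes (IP block, MAC block, port restriction, delay pool) plus the access log that a reporting tool like Squint reads. The subnet, host and MAC addresses are assumed; the MAC ACL needs Squid built with ARP ACL support.

```squid
# Constructed squid.conf fragment (not the original poster's config).
# Assumes Squid is the only path from the LAN to the modem and that
# residents are on the 10.214.6.0/24 range mentioned in the thread.
http_port 3128

# Residents' LAN (assumed address range)
acl localnet src 10.214.6.0/24

# Block one host by IP address (constructed example address)
acl banned_ip src 10.214.6.77

# Block one host by MAC address (constructed example address).
# Requires Squid built with --enable-arp-acl; only works for hosts on
# the same layer-2 segment as the proxy, i.e. not behind a router.
acl banned_mac arp 00:11:22:33:44:55

# Port restriction: only plain web ports, and CONNECT only to 443
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Order matters: explicit denies first, then the general allow
http_access deny banned_ip
http_access deny banned_mac
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Delay pool: class 2 gives one aggregate bucket for the whole LAN
# plus one bucket per client IP (values are bytes/sec and bytes).
delay_pools 1
delay_class 1 2
# aggregate: 1500000 B/s refill, 2000000 B burst;
# per host:  64000 B/s refill, 256000 B burst
delay_parameters 1 1500000/2000000 64000/256000
delay_access 1 allow localnet
delay_access 1 deny all

# Native-format access log, the input for Squint-style usage reports
access_log /var/log/squid/access.log squid
```

Squid only sees the HTTP traffic that is proxied through it; blocking non-web ports for hosts that bypass the proxy has to happen in the gateway's packet filter, which the post does not describe.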
zx10guy
Senior Member with 2,594 posts.
Join Date: Mar 2008
Experience: Clueless
03-Nov-2009, 12:25 PM #32
You need to impress upon those holding the purse strings that to do things right it costs money. We're not saying you need to buy a full blown Catalyst 6500 series with a Sup 720 3BXL, 6724 GigE line card, and a FWSM firewall for about $50k. But as you have realized, cheap has problems in higher back end O&M costs with maintaining a free solution with Linux. I always laugh when people think free is just that without thinking about the overall picture which is how much of a headache is it to maintain and what are the support options if there is a problem.

Because of the type of system you have and the issues at stake here, this is what I would say is doing it right. I'm not going to half a** a solution, because when there is a problem (and you can bet there's going to be a problem) my butt is going to be in a sling when I'm held liable as the IT guy who put together this solution.

From the ISP modem, I would see about bridging it so it is a pure modem and does no routing. But this isn't a show stopper. Next I would buy a legitimate Cisco ASA 5505 to start with or maybe even a 5510. The ASA 5505 would have a Security Plus license installed on it. I would then buy a copy of Websense and run it off a server which is configured into the firewall, with which you can set internet policies without the overhead of constantly having to update and manage blacklists of baddies you don't want people to get access to. If throttling the connection at the ASA is not good enough, I would purchase a Cisco 3560-8PC-S. This is a layer 3 managed switch with eight 10/100 ports and a GigE uplink port. You can then set QoS policies there and hang your unmanaged switches off the 3560 and then connect the 3560 to the ASA via the uplink port.

This is how I would do it. I have deployed a similar setup sans the layer 3 switch on the corporate network for my previous employer. The company is small and the setup was more than adequate for their needs. The ASA 5505 with the Security Plus license is about $950. I'm suggesting the Security Plus license because you will need this if you find that you'll need the additional functionality of having an IPS/IDS system running on your network. The 5505 has the option to have the ASA-SSC-AIP-5-K9 card installed into it. Through continual signature updates, the ASA 5505 can detect network anomalies which can be a result of virus or malware activity. The signatures would either be uploaded by you or can be automatically pulled from Cisco. The 5510 has the ASA-SSM-AIP-10 which is a beefier version of the SSC. If you feel you'll never use the IPS/IDS functionality of the ASA 5505, then you can get away with just the base BUN-K9 license.

Again, I would not go with the lowest price of what you can find on Fleabay. If you said you found an ASA5505 for $40, I would say I have a bridge to sell you. There is no way that a legitimate ASA5505 would sell for $40 even used. One of a few options has occurred. The ASA5505 in question is either hot, sourced from a grey market channel where you don't know if this ASA is the real deal or not, or the guy is just ignorant of what he has.

My suggestions are biased in that I primarily work with Cisco gear. As I've stated in other posts, I have experience with other vendors like Netgear, Dell, and Linksys in their SMB line of products. If I was aware of a product from one of these vendors which I felt can address all your needs, I would recommend it. But I feel there isn't as far as I am aware.

Given the past history of what happened with a shoddily put together network, your management seems to have not learned their lesson.

Last edited by zx10guy; 03-Nov-2009 at 02:47 PM..
JohnWill
Distinguished Member with 110,212 posts.
Join Date: Oct 2002
Location: South Eastern PA, USA
Experience: Advanced age & experience
03-Nov-2009, 02:38 PM #33
I'd add something to the previous post, but I can't think of anything else to say.

You can have it cheap or you can have it good, you get to pick.
master4g
Junior Member with 29 posts.
Join Date: Oct 2009
Experience: Intermediate
03-Nov-2009, 10:18 PM #34
As much as I would love to bring that equipment in, it's just out of the question. Let me just give you a little idea of what I'm dealing with. The apartment complex is a low income housing project (many residents pay less than $200 a month). In the complex, there is a computer lab (where I work) which provides computers for the residents to use. They can also come here to learn how to use the computer. We have 7 computers here, average: Pentium II at 550 MHz, 256 MB RAM, XP, CRT monitor. All but 2 computers were donated to the place with tax deduction. We have one printer set up with refillable ink cartridges, and one scanner. The Squid box is in the back and was bought about 7 years ago. They can't afford to hire me for more than 16 hours a week (I spend way more time than that). This apartment complex was the first of its kind in the entire USA when it opened in '95. It was recognized by people like Al Gore and the like when it opened. It opened up the way for grants and funding, which allowed for this whole infrastructure (underground wiring to all buildings and Cat5 jacks in all apartments, fiber optic, etc.)... but now... NO money.

There are 74 apartments, about 25 of them don't have computers. Several of them got their own internet line when we had internet problems a while back where it would go down at least once a week (I wasn't working here then). Some have also gotten their own line because of the restrictions: can't download files more than 100 MB, no Xbox Live, etc.

That leaves us with about 40 apartments. Half of them use less than 1 GB of traffic a month. Out of the other 20, only 5 of them use more than 10 GB in a month. Some have wifi routers set up and have up to 4 computers/laptops per apartment.

So if you ask me again if I want good or cheap, I'm afraid good is beyond reach so I'm stuck with cheap. My mission is to try to get a little bit of good in this cheap. But then again, if you look at the numbers above, the usage just isn't that intensive and serious, so getting something that isn't the latest and greatest will do.

One thing to consider is that soon I will get the 50 Mbps line but the modem doesn't act like a gateway, so it won't work if I just hook up a managed switch directly to the modem.

BTW, I have a SonicWall DMZ firewall sitting here, do you think it could be of any use?
Edit: Also have a Cisco 2600 series router (CISCO2621). And a Cisco 827. Any use?

Last edited by master4g; 03-Nov-2009 at 10:31 PM..
zx10guy
Senior Member with 2,594 posts.
Join Date: Mar 2008
Experience: Clueless
04-Nov-2009, 12:40 AM #35
As much as it is to provide internet for low income families, it's still a luxury. Again, I would still settle for nothing less than good instead of cheap and barely acceptable. If need be, scale back the amount of connectivity you provide. You said one of the buildings has a computer lab. Focus on making that facility to be built out properly.

If this complex has received all the recognition you've stated in the past, it shouldn't be a problem to at least enlist help from other sources. Whoever is running this facility needs to start reaching out to other organizations for additional resources. A call to city hall would be a start. Next would be contacts with various companies like Cisco, Dell, etc, etc. I would bet these companies could find something in the way of helping you all out. Donations of equipment in exchange for some PR.

There are ways to still do it right without trying to promise the world on a McDonald's budget.
zx10guy
Senior Member with 2,594 posts.
Join Date: Mar 2008
Experience: Clueless
04-Nov-2009, 12:45 AM #36
Forgot to answer your last questions.

I don't know much about SonicWall products so I'm not much help there.

As far as the 2621 router, you can probably still use it without problems. You just need to know how to properly configure the router. Using straight ACLs will get you by but you really want to utilize an SPI firewall. The 2621 can do this with an IOS feature called CBAC but the router will have to do this all in software which further taxes the router's processor. I wouldn't even think about using the 827 with the network scale you're talking about.
master4g
Junior Member with 29 posts.
Join Date: Oct 2009
Experience: Intermediate
04-Nov-2009, 03:43 AM #37
The lab I work for will possibly close down in the coming months, however the internet will continue, so getting grants is out of the question. Also, there are many apartment complexes which have wired networks now, several in the city I live in alone.

Anyways, it's good news that the 2621 might work. I will try to set it up and play around with it, assuming it works and has all the parts/cables. Also, I was thinking about setting up a DD-WRT router and testing it. I have a DD-WRT compatible router available at home to try.

This question is off topic, but maybe you have an idea about it:

The whole complex is wired so that each apartment has an Ethernet jack inside, which then connects to a closet under the building which has an unmanaged switch, which then connects to the main switch, which is inside the computer lab; then it goes to the internet (via Squid server/router/modem).

Now, say for example that 12 of the residents (two from each building, marked in red on the rough drawing above) decide they don't want to use the internet provided by the management because of the restrictions, and they want to take advantage of the infrastructure which is already in place by doing the following. One of them buys a separate internet connection, uses 3 ports (from the router) in his apartment, then plugs the last one into the Ethernet port in his apartment with plans that he can share the connection with other neighbors. They will be on a different group of IPs, for example they will be on 192.168.5.xxx while the main connection will be on 10.214.6.xxx. Their next door neighbor will only have one switch between their home computer and the new internet gateway, while the residents who are in a separate building will have 3 unmanaged switches between them and the internet gateway (the switch in their building, the main switch in the computer lab, and the switch in the building of the internet provider).

My question is, do you think this will cause problems for the main internet connection from the management? Collisions? Speed problems? Bandwidth problems? Also, would there be a problem in having 3 unmanaged switches between you and the actual modem?

Would it be beneficial? Maybe by taking some of the load off our modem onto another connection? Also, I'm not sure to what extent this would be a problem, but say for example the new internet connection is also a Comcast cable connection... my understanding is that the more users who are using cable at once, the more it will affect the speed of everyone else on the block, whereas DSL wouldn't do this. So would their usage slow down the main connection even though it is through another modem?

Thanks
JohnWill
Distinguished Member with 110,212 posts.
Join Date: Oct 2002
Location: South Eastern PA, USA
Experience: Advanced age & experience
04-Nov-2009, 11:24 AM #38
You are opening an enormous can of worms allowing other traffic on your already taxed network. I can't tell if you plan on simply connecting their Ethernet connection to a totally separate network (which would be OK), or somehow lashing it into your existing network (which would be a huge mistake).

Can you draw a diagram of what you are trying to accomplish?
__________________
Remember: Data you don't have at least two copies of is data you don't care about.

Microsoft MVP - User Desktop Experience
zx10guy
Senior Member with 2,594 posts.
Join Date: Mar 2008
Experience: Clueless
04-Nov-2009, 12:31 PM #39
I'm sorry but I think this sums up both John's and my feelings on this:

If you had problems in the past with keeping control over your network, do you seriously think you're going to be successful when you allow your users/residents to plumb up their own internet access and their own LANs to your infrastructure? If these residents are able to get their own service, I would leave it up to them to deal with their own issues and if they want to share out their own connection to other residents, let them figure it out on their own. NIMBY comes to mind here. Also, I would bet the ISP the residents are using will be pretty upset with them sharing out their connections in the manner you suggest. In the ToS, there is specific language that you can only share/network out the internet service to others within the same household/residence.
master4g
Junior Member with 29 posts.
Join Date: Oct 2009
Experience: Intermediate
04-Nov-2009, 03:28 PM #40
One of the residents asked me if it would work, I told him it wouldn't work properly even though I know it will. BTW, he was planning on chipping in and getting a business line which wouldn't violate ToS. You can get a 15 Mbps business line for around $70.

@John, The plan was to use the existing network wiring, nothing new. The red line from the new modem to the switch was there to represent that he would connect that modem into the ethernet port in his apartment (which leads to the switch in his building).

I was just wondering if it was something I needed to worry about blocking if they decided to work it out themselves and make it happen.

On an average given time, there really isn't that much traffic going through our network, especially at each individual switch, as there are probably only 5 people in each building using that switch (at peak times). Our network isn't taxed. We were having dropped packets and ever since I replaced the head hub (10 Mbps) with an 8-port unmanaged switch (100 Mbps) a month ago, the problem is no longer there. The Comcast guy also came over and swapped the modem at the time and I'm starting to believe that was the problem (it was there for 4-5 years).

If those guys got their own internet line, it wouldn't add additional users to our network, all it will do is take more users off our modem and onto another modem. The only things of ours which would be used are the 100 Mbps switches and wires. These switches and wires would have been used the same amount if they decided to stay on our internet line. The only additional traffic which will result is the stuff which is blocked off on our network. The main addition would be about 5 families would start using Xbox Live (about 40 MB download for an hour of gameplay), and some will be able to use Skype several times a week to call their homelands.

Edit: by the way, I received the Signamax converters today. Brand new, sealed in the box. The guy has 6 left, just in case you think they are a good deal and might need them in the future.

Last edited by master4g; 04-Nov-2009 at 07:16 PM..
master4g
Junior Member with 29 posts.
Join Date: Oct 2009
Experience: Intermediate
04-Nov-2009, 08:48 PM #41
I took out the Cisco 2621 router, it has no cables or software CDs. It uses the same power cable as a computer so I don't need that. I have Ethernet cables as well. There are 4 ports in the back: Ethernet 0/1, Ethernet 0/0, Console, Aux. I got the installation PDF off Cisco's website and read it, but I couldn't figure out how I can actually get into the router's interface. Would I be able to do it with a regular Ethernet cable, or do I need some "RJ-45 to serial or something" cable? Can I plug an Ethernet (or crossover) cable into one of the ports in the router and connect the other end to my laptop and be able to access the router? Do I need a special program on my computer?

thanks
zx10guy
Senior Member with 2,594 posts.
Join Date: Mar 2008
Experience: Clueless
04-Nov-2009, 11:53 PM #42
You need a console cable:

If your laptop doesn't have a 9 pin serial port, you'll need to get a USB to serial adapter. Be aware that not all USB to serial adapters work well. When you have this cable, you'll have to plug it into the RJ45 port labeled Console. You need a terminal program like HyperTerminal or PuTTY. Set up the COM settings to whatever COM port the serial adapter comes up as. The settings for the COM port need to be 9600 Baud, 8 Data Bits, 1 Stop Bit, No Parity, and Hardware Flow Control or XON/XOFF.

Once you get everything set up above, you'll need to get into privileged mode by issuing the enable command at the prompt. If the router has never been configured before, usually hitting Enter at the password prompt will work... sometimes the password is cisco. If none of these work, you'll have to break into the router and reset the password. You also might be challenged for a username and password. If you don't know an account login, then again, you'll have to break into the router.

Once you get into privileged mode, this is where the hard part begins. You'll need to use the command line to configure the IOS operating system of the router. A show version command will tell you what IOS version you're running. You can download the configuration guide from Cisco to see the various features and commands with some examples. If you've never worked with IOS which it seems like you haven't, there's a steep learning curve. It might take you a while to get simple routing to work. And then configuring NAT overload, CBAC, etc, etc.
JohnWill
Distinguished Member with 110,212 posts.
Join Date: Oct 2002
Location: South Eastern PA, USA
Experience: Advanced age & experience
05-Nov-2009, 12:02 PM #43
The mind simply boggles at letting users connect their modems and routers to your network and attempting to mix the traffic.

I CAN ASSURE YOU, NOTHING GOOD WILL COME OF THIS!
JohnWill
Distinguished Member with 110,212 posts.
Join Date: Oct 2002
Location: South Eastern PA, USA
Experience: Advanced age & experience
06-Nov-2009, 03:03 PM #44