Networking a small apartment building

Hello guys,

A good friend of mine is renovating a whole apartment building (8 doors) and he wanted my help in upgrading his previous network infrastructure. He wants PoE cameras with an NVR, an Akuvox intercom at the main entrance, and 1 AP in each apartment with a couple of hardwired jacks in every room. He also wants to use a single ISP for the whole building (I think he has a good business deal for 3Gbps up and down FTTH).

What would you recommend as a setup for this situation? Here's my idea:

  • CAT 6 UTP solid copper cabling everywhere (or 6A if he can approve the cost difference). For 10GbE over CAT6 with runs of less than 55m he should be good, right?
  • 1x 25U rack to store everything
  • 1x Used Dell R210 II server (8GB RAM, E3-1220 v2 3.1GHz) with a 10GbE SFP+ PCIe card and a Cat 6A cable to the ISP modem; I'm thinking of running pfSense on it.
  • 1x Used Dell X1052P 48-port PoE Gigabit SFP+ switch
  • 1x Used Optiplex 7040 SFF (Intel Core i5-6500, 16GB RAM) as the NVR for the cameras, running Blue Iris under Windows 10
  • 1x CyberPower CP1500AVRT UPS
  • 8x TP-Link EAP610 v2 APs

Here's my VLAN idea:

Management network
Cameras NVR
Intercom VoIP
One in each of the apartments

A couple of ideas for the APs. Should I broadcast 8 different SSIDs on every AP so tenants can roam around and still be in their own VLAN? Doing that would open the door to someone using the AP's Ethernet port to access all those VLANs, right (like a bad neighbor)? Or should I limit each VLAN to its own AP (the one in that apartment)?

I'm all ears for your opinions and recommendations for that kind of project.

Thanks!

Seems like a solid plan. The only thing I would change is using UniFi APs and switches. As for the VLAN setup, you wouldn't need so many SSIDs; with UniFi you can set a single SSID and, depending on which password they use, it will connect them to the proper VLAN.

I would make a port profile (this is what these are called in the UniFi Network app for the UniFi switches) for each apartment, where each profile contains only the VLANs for the corresponding apartment. Then provision the profiles to the ports connected to devices in the respective apartments. That way, even if a neighbour sniffs on the trunk for their own AP, they will only see traffic for their own VLANs.


Thanks for the idea! After doing some testing in my lab I was able to achieve that using a TP-Link AP I had on hand, using 1 SSID with PPSK and without RADIUS. I would issue one key for each apartment with their own assigned VLAN. That way, when they connect, the VLAN will be dynamic based on the key provided.

I also tried with 802.1X and a RADIUS server, but most IoT devices aren't happy with it.

That would work, but I would need to create different SSIDs for each apartment. I kind of liked the idea of sharing a single SSID and using a dynamic VLAN depending on the key provided. That way the user can use any AP in the building and still be connected to their own VLAN.

I only need to think of a way to avoid someone unplugging the AP, plugging their computer into that port and having access to all the different VLANs of their neighbors. One way could be filtering by MAC address and only allowing the AP's address (not that great since spoofing is so easy), or using wired 802.1X on that port, but this isn't supported with TP-Link APs.

Why does the building owner need to be responsible for this?

In most small apartment buildings I've lived in, the owner worked with the ISPs to get coax run from the outside into each apartment.
From there it was each tenant's responsibility to open an account with the ISP and pay for service.

It seems like this project, while interesting, could be an unnecessary headache and a drag on the property’s return.

If these are short-term rental apartments, that's understandable.
I didn't know you could assign VLANs dynamically to Wi-Fi devices with only one SSID.
I could use that, as my AP only allows 4 SSIDs.
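The two posts above (the lab test with one SSID plus PPSK, and the follow-up asking how a single SSID can land clients in different VLANs) describe the mechanism without showing it. The following is an added example, not code from the thread or from any AP vendor: it models how a WPA2-Personal AP holding several private pre-shared keys tells them apart. Every passphrase gives a different PMK for the same SSID; in message 2 of the 4-way handshake the client sends a MIC keyed with the KCK derived from that PMK, so the AP tries each key it knows, sees which one verifies the MIC, and tags the client into the VLAN bound to that key. The SSID, passphrases, MAC addresses and VLAN IDs are constructed for the example, and the EAPOL-Key frame is a stand-in byte string rather than a real frame layout.

```python
"""Added example: one SSID, several private PSKs, VLAN chosen by which key verifies.

Key derivation follows IEEE 802.11 / WPA2-Personal:
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
  PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA,SPA) || min/max(ANonce,SNonce))
  KCK = PTK[0:16]; EAPOL-Key MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[0:16]
All identifiers below are constructed for the example.
"""
import hashlib
import hmac
import os

SSID = b"BuildingWiFi"  # assumed SSID, not from the thread
PTK_LABEL = b"Pairwise key expansion"

# Constructed table: one passphrase per apartment, bound to that apartment's VLAN.
APARTMENT_KEYS = {
    "apt-1": ("granite-otter-1-viola", 101),
    "apt-2": ("copper-lemur-2-spruce", 102),
    "apt-3": ("velvet-heron-3-quince", 103),
}


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-Personal PMK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


# The AP derives each PMK once at startup; PBKDF2 is deliberately slow and must
# not be recomputed for every association attempt.
PMK_TABLE = {apt: (pmk_from_passphrase(pw, SSID), vlan) for apt, (pw, vlan) in APARTMENT_KEYS.items()}


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-384: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated to 48 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(3)
    )
    return out[:48]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK: the KCK that authenticates EAPOL-Key frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, PTK_LABEL, data)[:16]


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (AKM 00-0F-AC:2) EAPOL-Key MIC: HMAC-SHA1 over the frame, MIC field zeroed, 16 bytes kept."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


def client_message2(passphrase: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """Client side: build a stand-in for handshake message 2 and the MIC it carries."""
    frame = b"EAPOL-Key msg2 (constructed stand-in)" + snonce + bytes(16)  # MIC field zeroed
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), aa, spa, anonce, snonce)
    return frame, eapol_mic(kck, frame)


def ap_assign_vlan(frame: bytes, mic: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """AP side: try every known PMK; the one whose KCK verifies the MIC identifies the apartment."""
    for apartment, (pmk, vlan) in PMK_TABLE.items():
        kck = derive_kck(pmk, aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return apartment, vlan
    return None  # no key verifies: reject the association, no VLAN at all


def simulate_join(passphrase: str):
    """Run one association with the given passphrase; returns (apartment, vlan) or None."""
    aa = bytes.fromhex("02aabbccdd01")   # AP MAC (constructed)
    spa = bytes.fromhex("02112233aa02")  # client MAC (constructed)
    anonce, snonce = os.urandom(32), os.urandom(32)
    frame, mic = client_message2(passphrase, aa, spa, anonce, snonce)
    return ap_assign_vlan(frame, mic, aa, spa, anonce, snonce)


if __name__ == "__main__":
    print(simulate_join("copper-lemur-2-spruce"))  # ('apt-2', 102)
    print(simulate_join("not-a-tenant-key"))       # None
```

Two practical points follow from the model. The per-association cost is one PRF and one HMAC per known key (the PBKDF2 work is cached), so a few dozen apartment keys are cheap, and an attacker who learns one apartment's key still only reaches that apartment's VLAN. The trick is specific to WPA2-PSK, where the MIC in message 2 lets the AP test candidates; WPA3-SAE needs password identifiers to tell keys apart. hostapd's `wpa_psk_file` with a `vlanid=` prefix per entry is the open-source form of the same idea.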

Those 2 ideas ((a) filtering VLANs on the switch, and (b) using the same SSID for different VLANs after authentication) are not mutually exclusive. You could still use the same SSID everywhere and only deploy the VLANs corresponding to a living unit to the devices (switches, APs) within that living unit. This will of course limit roaming. Example: if neighbour X visits neighbour Y, then X will not be able to connect to the AP in Y's apartment. This would not be the case if all VLANs were deployed everywhere. This is obviously a trade-off between security/privacy and convenience. However, what you could do to solve this would be to have a BSSID and VLAN for external guest access deployed everywhere, and still authenticate access to it, probably using a second account per living unit just for external guest access. This way neighbours would have guest access in apartments other than their own, and internal access in their own apartment. In public areas where you can physically ensure that the Ethernet uplink cannot be fiddled with without being detected (via CCTV or by neighbours), you could deploy all VLANs, so tenants/owners have internal access in, e.g., community/shared rooms and outside areas such as the garden or pool.