Student housing apartment WIFI advice

I recently took over a student housing complex because the previous guy wasn’t answering the phone and they were completely down. They had 2.4 GHz original UniFi APs (yes, that’s what Tom uses at home) and over the past year we’ve been swapping them with AC-LR to handle the traffic demand. We’re almost done swapping out all the APs but now we’re getting complaints from people in apartments that already have the new equipment. We changed out the UniFi gateway router with a pfSense appliance built on an Intel i5 Protectli. Last year they had on average about 300 devices connected but now we’re seeing up to 480. Students are now bringing watches, speakers, and other IoT on top of their phone, laptop, and tablet. The previous guy had it set up as a flat /23 network so we replicated that for the sake of getting them up and running. I’ve been thinking about setting up each AP with its own VLAN knowing that as students roam they’ll hop to different IP addresses.

The big issue I have now is traffic prioritization. I know that Untangle can do a much better job at application layer throttling so I’m wondering if I made a mistake doing pfSense. I need to completely block torrents to make sure that doesn’t hog the traffic. I need to have Netflix and gaming down on priority. Web and VoIP/video (biggest complaint right now is online classes with Zoom are freezing) need to be priority. I’ve been trying to contemplate an easy way to make sure they aren’t just allowing all their friends that don’t live there to connect and ruin the network for people that pay to be there. We doubled their fiber to 200 Mbps but I’m starting to see that their sustained traffic has increased over last year and if this continues we might have to go to 300. I don’t think that is currently a problem though. 1/3 of the apartments don’t have an AP in them and they feed off the neighbor but if I start to see too many devices I can start adding APs to each that doesn’t have one. Preferably we control the traffic though because college kids nowadays will saturate anything instead of doing homework so I’m worried if I install that many new APs and it doesn’t fix the problem that I’ll look like a fool.

Anybody have some advice? Do I need to ditch pfSense and go to Untangle? Will there be a big enough benefit to VLAN each AP? Do I do RADIUS credentials or MAC auth? Problem with RADIUS is the IoT devices can’t join. But if it’s off MAC then the manager has to gather every MAC from every device people bring and every 4 months they rotate 150 people. Do I rate limit per device at just enough speed to handle video stream and then their web browsing will suffer? Thanks for any input to improve this, I really appreciate it.

Mr Lawrence recently did a vid on limiters in pfSense, that will help you to get started, the vids by Mark Furneaux will give you the detail. I would add that if you can reduce latency, the general surfing experience will become very snappy.

Why don’t you use some kind of voucher system off the AP rather than RADIUS? With TP-Link Omada you can also manage bandwidth by each code.

Can’t imagine you can block torrent traffic; if users have a VPN, for sure not. There might be lists that block torrent sites in pfBlocker that you can use.

Thank you for your input. I didn’t notice the recent video from Tom so I’ll check it out. Hopefully pfSense can tell the difference between Zoom and Netflix so I can prioritize. I’m not positive how much is possible thanks to HTTPS.

pfSense does vouchers and I use them at my office. I didn’t think about the idea of doing a voucher that expires after 4 months. I think they’ll be a problem for IoT. pfSense can also do bandwidth by voucher.

Do you have any input on whether or not VLANs will help? If things grow next year like they did last year they’ll outgrow the original 192.168.0.0/23 and it just seems like a bad idea for all those devices to be communicating but I’m not sure how anal to be about doing 30 different VLANs.
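The sizing question in the post above, worked through as an added example that is not part of the original thread: it checks the flat /23 against this year's 480-device peak and a projection at the same growth ratio, then carves one VLAN subnet per AP. The 30 APs come from the post; the `10.20.0.0/16` supernet, the 2x per-AP headroom, the three reserved addresses per subnet and VLAN IDs starting at 100 are assumptions.

```python
import ipaddress

RESERVED = 3  # assumed per subnet: network address, broadcast address, gateway


def capacity(network):
    """Client addresses left in a subnet after the reserved ones."""
    return ipaddress.ip_network(network).num_addresses - RESERVED


def project_growth(last_year, this_year):
    """Next year's peak if growth repeats at the same ratio (rounded up)."""
    return -(-this_year * this_year // last_year)


def plan_vlans(supernet, ap_count, peak_devices, headroom=2, first_vlan=100):
    """Return [(vlan_id, subnet)] with one equally sized subnet per AP.

    headroom multiplies the average per-AP load because clients roam and
    some APs also serve neighbouring apartments that have no AP.
    """
    per_ap = -(-peak_devices * headroom // ap_count)      # ceiling division
    host_bits = (per_ap + RESERVED - 1).bit_length()      # smallest 2**n that fits
    subnets = ipaddress.ip_network(supernet).subnets(new_prefix=32 - host_bits)
    plan = list(zip(range(first_vlan, first_vlan + ap_count), subnets))
    if len(plan) < ap_count:
        raise ValueError("supernet too small for this many APs")
    return plan


if __name__ == "__main__":
    flat = "192.168.0.0/23"
    next_year = project_growth(300, 480)
    print(f"{flat}: {capacity(flat)} client addresses")
    print(f"peak now 480 fits: {480 <= capacity(flat)}")
    print(f"projected peak {next_year} fits: {next_year <= capacity(flat)}")
    # Assumed supernet; any unused private block of sufficient size works.
    for vlan_id, subnet in plan_vlans("10.20.0.0/16", 30, next_year):
        print(f"VLAN {vlan_id}: {subnet} ({capacity(subnet)} clients)")
```

Per-AP subnets keep each broadcast domain small, so devices in one apartment are no longer on the same layer-2 segment as every other device in the complex.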

At the college where I work, you get a maximum of 3 devices on the wifi. That may cut out a lot of nonsense.

After that, we are having lots of problems with online video classes cutting out. Not too many more details because I don’t handle that area, but there is normally an AP about every 20 to 30 feet. Some of that has changed because they pulled a bunch out of hallways and put extras in specific areas for people on campus to go if they have a video class. We have 1gb download and I think 1gb upload.

My experience is as an end user, but I would say I easily have the need for at least 5 internet connections, hence you can easily run out of IP addresses.
If your access points handle both VLANs/multiple SSIDs and roaming, then setting up a couple of VLANs should make the user experience at least convenient.

I assume they use WPA Enterprise to handle the device count as RADIUS users have the ability to specify login sessions? I’d like to implement the same but I don’t know how they’ll get their speakers, watches, TVs, and game consoles online.

We use some kind of web-based login; it redirects to a web page where you put in your email address and password, then accept the terms and connect. Must have an AD hook to verify the email. It was all done so that if a student was sharing copyrighted material, we could know who was doing it and turn it over to authorities.