Organizing a LAN

jj9987

Some backstory - We are just a group of university students wanting to organize another LAN party :P I have been here before with similar questions, but this time I will be doing better preparation. We are planning another LAN in December with approximately 120 people. It will likely last for about 24-36 hours. I have been reading about the network layout in Dreamhack events, though due to lack of money we will need to stick to something less fancy.

 

I can get Cisco switches (can't remember model, but they are Gigabit and enterprise class) from the university tech guys, but am still looking for a router. Last time we used a consumer-class TP-Link router, which did its job, however its DHCP failed due to unknown reasons. When we gave out IPs manually to everyone, everything worked fine for the rest of the event. All the participants will be connected via cable, at this point we do not consider any WiFi solution.

 

I might be able to get a Mikrotik or Cisco router for the event (do not have any confirmed response yet) so I am preparing a backup plan which is running either VyOS or pfSense (or anything else you suggest?) on a separate computer. Mainly due to lack of monetary support so that we could purchase a proper device (such as EdgeRouter). Do you have any suggestions for a router and regarding its configuration? What should I look out for? How powerful a PC would be needed for routing tasks?

 

Some game servers (CS:GO for example) will be hosted by ourselves (likely on my server, which is also in my sig, will do some testing beforehand), though we will also allow access to outside for games that we can not set up (League of Legends for example). We have access to 1 Gbps link to outside world. I am planning to make use of SNMP to gather network data (monitoring, some statistics if possible). 

 

Also I look for some advice on packet prioritizing. How can I achieve that gaming traffic will not be bottlenecked by someone who forgot their torrent client on?


pfSense or Sophos Home UTM can handle DHCP / gateway services as well as QoS. 

 

You could go cheap, and buy 2 NICs or 1 2-port NIC and create a virtual machine on your computer. Only downside is if you reboot for any reason then 120 people lose interwebz.

 

You can turn a computer into a very capable router - if you have the time you could even pick up a cheap R710 / R610 and call it a day (~$200-$250).


Depending on the model you can run Layer 3 and routing on top of the switches along with DHCP so you won't need to worry about another device to do the routing for you :)

If it's a 2960 series, then you can do very limited L3.

If it's a 3xxx series then you can do full L3 routing.

 

If you can let me know the exact model or models you'll be using I can craft up a QoS policy you can apply for each user :)


1 month later...

Howdy, planning further now.

 

I will be getting Cisco 2960 series switches (24 or 48 100Mbps ports) for the event, most likely 9 of them as desk switches. Will get them in the next couple of days so I will have time to play around with them. For the core network, I will use a Gigabit switch (looking for one with enough ports) and then the router.

 

I have been promised a MikroTik 3011 router, so currently I am betting on that. The person also says that he has blocked torrent traffic via Layer 7 rules and will gladly assist me with setting that up as well. As a backup option, I am looking at Ubiquiti EdgeRouter series, more specifically EdgeRouter Lite. In my previous topic, they said this should be capable of all that is necessary. pfSense and such are a possibility, but I feel more secure having a specific designated device to do the routing than dedicate a separate PC.

 

Are there any specific network threats I should be looking out for (apart from securing all the routers and networks with usernames/passwords, block telnet etc)? Anything that I might be forgetting?


Just now, jj9987 said:

-snip-

Well, how much time and effort do you want to invest in this? You could go all overboard and make a separate VLAN for every row/switch and a management VLAN bla bla bla. But do you really need that? I think you will be fine with a MikroTik or VyOS router with a decent config, for example: finding a way to block torrenting and streaming, proper means of management, but SSH with a password and SNMP v3-ish will be just fine, and other than that what really is there to configure? It's not like you are going to need lots of QoS, you have a freaking 1gig pipe for 100-ish people; a 1000 man lanparty in Belgium makes do with 800-ish mbps.

As for the switches, there is no need to make a crazy config, a single VLAN for all will be more than plenty. I would take a look at port security to make sniffing all traffic more difficult. And other than a simple LAG bundle to some kind of core and the basic management etc. a basic config would be sufficient for 100-ish people.

If you need any help regarding the config of the Ciscos please send me a PM, I would be more than happy to help you out. I am also part of the network team for Frag 'o Matic in Belgium, we use a pair of Cisco 6500 chassis as the core :)

Edit: Do take a look at the block diagram of the Mikrotik, that is the reason I don't like a lot of Mikrotik routers, they are just 1 or 2 switches hooked up to a CPU with a bit of software that does the rest.


Something to note regarding the DHCP servers, I know for sure that the Edgerouter Pro falls over when you're looking at 200 DHCP clients so I wouldn't be surprised if you found similar issues with the Mikrotik.

 

Also as Lego mentioned, keep in mind which ports to use with that Mikrotik due to the software based switch method.


Thankfully it's a 3011 and not a 2011 - sure you have two switch groups of 5 ports each, but at least they are all gigabit unlike the 2011. And the CPU in the 3011 is dual core, so it should be fine for your DHCP load. That L7 blocking of torrent traffic might cause some performance issues though, since it will disable FastTrack AFAIK.


Well you could get a Cisco 1841 for about $50 and be able to configure g0/0 for everybody and then use a subnet of 254 usable addresses for your LAN party. As an example, you could use 192.168.1.0/24 as your network address which gives you 256 addresses total, including the network and broadcast address. You can then set up excluded addresses for the DHCP pool, then you can configure the pool with network 192.168.1.0 255.255.255.0 and then set the default gateway to 192.168.1.1, and you are going to need to configure the DNS server... you could use Google's DNS servers.
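The pool described in that post written out in IOS syntax, as an added example that is not from the post or from Cisco documentation. The interface name, the size of the static exclusion range, the pool name and the lease length are assumptions; with 20 addresses held back for infrastructure, 234 leases remain for 120 attendees.

```cisco
! Assumed: the LAN side is GigabitEthernet0/0 and the first 20 addresses
! are reserved for the router, switches and game servers (static).
interface GigabitEthernet0/0
 description LAN party attendee segment
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Keep .1 - .20 out of the pool so static infrastructure never collides
! with a lease; everything else (.21 - .254, 234 addresses) is handed out.
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool LANPARTY
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
 ! lease is days [hours [minutes]]; 2 days outlasts a 24-36 h event so
 ! clients never need to renew mid-match
 lease 2
!
! Check pool usage during the event:
!   show ip dhcp pool LANPARTY
!   show ip dhcp binding
!   show ip dhcp conflict
```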


You could have two separate networks, one for games (p2p etc) and one for browsing, file sharing, torrents. 

 

You should look into renting three 48 port gigabit network switches that can be linked together on a high bandwidth bus (maybe 10gbps) between them - almost 8-10 years ago I used Allied Telesyn 48 port 100mbps switches that had a special cable which allowed me to connect two identical switches at a speed of something like 17 gbps.

 

See companies like Curvature which rent hardware .. never used them as I'm in Europe, but they seem like they have some good hardware and they have a phone number listed on their website. Give them a call and see how much it would cost to rent them for a week or a month (whatever the minimum term is).. or if you're lucky maybe they'd even be willing to rent them for a smaller fee for only 3 days.

 

See for example Arista Network 7048T .. 48 gigabit ports and 4 SFP+ 10 gbps ports : https://www.curvature.com/arista-networks/switches/7000-series

Maybe rent 3 of these with a bunch of direct attach copper cables to have 10gbps or more between switches (the 10gbase-cr twinax cables are from $12 and up on eBay or around $75 each new).

 

They also list Dell N3000 switches on their site, 48 gigabit ports with 2 x 10 gbps ports sfp+ : https://www.curvature.com/dell/dell-networking/campus-and-wireless-networking

 

It's kinda old but for fun you should also look into setting up a DC++ server (Verlihub used to be all the rage years ago when I used it) ... very convenient as you have both chat in the network and people can also share and download stuff they put in share (and modern DC++ clients can also find the same files based on hash on multiple users' shares and download stuff in parallel) .. well, I guess that is if you're willing to accept (or turn a blind eye as the expression goes) the fact that people may share pirated content.

 

120 people is not that many, so I'm not going to recommend setting up a transparent proxy to cache the Steam downloads, if you have a 1gbps download link it probably won't be a big deal. I guess you could look into something like this but like I said, probably not worth the trouble of reserving a powerful computer for it : https://blog.multiplay.co.uk/2014/04/lancache-dynamically-caching-game-installs-at-lans-using-nginx/

 


1 hour ago, mariushm said:

-snip-

COMPLETE overkill... There is no need for any kind of 10gig networking or backbone whatsoever. He will be fine with the 10/100 Cisco 2960 switches, if he just pulls a bundle to some kind of 1gig switch so no single client can saturate the switch uplink.

3 hours ago, droidrzrlover said:

-snip-
Cisco 1841 does not have gig interfaces. If you meant the 1941, that has gig interfaces but by far won't push a gig connection...


12 hours ago, legopc said:

-snip-

Ah, 6500's, the beasts that will never die, lol. They are definitely work horses :)

I know one customer who was pushing so much traffic through them that the linecards got so hot the heatsinks slid off the chips.

 

 

As for the topic itself, definitely agree with you. No need to go overkill on the switches. 100 meg ports per person will be more than enough.


Just for warm and fuzzies, there's no real difference aside from potential reliability of a PC vs appliance. Mikro still uses RouterOS if I recall correctly which can still be installed on a PC. Believe their hardware is x86/x64 architecture anyway - so you're still technically running a PC.

 

Looks like you're on the right track. Just make sure you do set up a "user" VLAN so they cannot access the management interfaces of the switches or router/firewall - there usually tend to be a few bright people in the gaming community that, while not malicious, just want to try their luck at getting in.

 

Otherwise I would put the onus of protecting the users' computers on them. Tell them at minimum to turn on Windows' Firewall.

 

I don't foresee the layer7 functions being too much of an issue for < 200 users. Majority of users shouldn't be establishing too many connections per person anywho.

 

Let us know how it goes!
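For the desk switches, the port security and SSH-only management legopc mentions and the attendee/management VLAN split Mikensan mentions, as one added Cisco IOS example for a 2960 (not from either post or from Cisco documentation). It goes a little beyond the thread by also enabling DHCP snooping, so only the uplink toward the router can answer DHCP on the attendee VLAN; VLAN numbers, addresses, the uplink port, the hostname and the credentials are assumptions.

```cisco
! Assumed: VLAN 10 = attendees, VLAN 99 = management, Gi0/1 = uplink to core.
hostname desk-sw1
ip domain-name lan.example
! Generate the SSH host key once from exec mode: crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret CHANGE-ME-PLACEHOLDER
no ip http server
no ip http secure-server
!
! Read-only monitoring over SNMPv3 with auth + encryption (placeholder keys)
snmp-server group MONITOR v3 priv
snmp-server user monitor MONITOR v3 auth sha CHANGE-ME-AUTH priv aes 128 CHANGE-ME-PRIV
!
! Only the trusted uplink may hand out leases on the attendee VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
interface range FastEthernet0/1 - 48
 description attendee port
 switchport mode access
 switchport access vlan 10
 ! at most two MACs per seat (PC plus one extra device); extra MACs are
 ! dropped and logged instead of shutting the port during a match
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 5.00
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,99
 ip dhcp snooping trust
!
! Management lives only on VLAN 99; attendees on VLAN 10 cannot reach it
interface Vlan1
 shutdown
interface Vlan99
 description management
 ip address 10.99.0.11 255.255.255.0
 no shutdown
!
ip default-gateway 10.99.0.1
line vty 0 15
 transport input ssh
 login local
!
! Verify during the event:
!   show port-security
!   show ip dhcp snooping binding
```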


19 minutes ago, Mikensan said:

-snip-

Mikrotik router hardware isn't x86 anymore - in the old days it used to be, but at work we retired our last x86 official Mikrotik hardware router at least four years ago. Nowadays, lowend stuff is MIPS, midrange is MIPS or PPC, and high end is Tile (Mikrotik is basically the only manufacturer using this CPU, but it does have mainline support in the linux kernel). The odd standout is the 3011, which is ARM based.

 

There are two x86 RouterOS versions - plain x86 meant for install on normal hardware, which is licensed based on feature set, and the Cloud Hosted Router, meant for install in a VM, which is licensed based on the maximum transfer speed of the interfaces you need.

 

Of course, none of this affects @legopc. He is being offered a 3011, and help with setup, by his school's IT, so it doesn't make sense for him to buy or rent anything else. A 3011 might be pushed hard by the workload, but it should be able to handle it. He should just make sure that the WAN and LAN are on separate switch chips, which are nicely divided on the front of the unit.


15 minutes ago, brwainer said:

-snip-

oooo very cool, did not know that! I've had my blinders on for pfSense for so long, just haven't been keeping up.
