Network setup

[IgorM]

I want to share a single internet connection between 6 apartments and I want to do the following: ISP Modem > Switch (TL-SG108E) > 6 wifi routers.

As described each apartment will have its own Wifi router (isolated from the other ones for security) connected to the switch. The switch says it is capable of Qos and Vlan. Is this solution enought to run this setup? The vlan feature is important for security and Qos is needed to guarantee 1/6 or more of the bandwidth.

[Oshino Shinobu]

No. NAT is an essential function for connecting multiple local devices to a single connection to the ISP unless you specifically have multiple IP addresses allocated to you on one connection from the ISP. NAT is generally performed by the router, so typically the router must come before the switch.

 

A way you could do it is to have one router, then the switch. Separate the different parts of the network via VLANs on the switch and you're good to go really. Each apartment will need its own access point if you want WiFi, but none of the different parts of the network will be able to talk to each other if they're separated by VLANs. The only common part of the network they'll be able to communicate with is the router, but as everything passes through the switch, the network segregation stays in place. 

[IgorM]

14 minutes ago, Oshino Shinobu said:

No. NAT is an essential function for connecting multiple local devices to a single connection to the ISP unless you specifically have multiple IP addresses allocated to you on one connection from the ISP. NAT is generally performed by the router, so typically the router must come before the switch.

 

A way you could do it is to have one router, then the switch. Separate the different parts of the network via VLANs on the switch and you're good to go really. Each apartment will need its own access point if you want WiFi, but none of the different parts of the network will be able to talk to each other if they're separated by VLANs. The only common part of the network they'll be able to communicate with is the router, but as everything passes through the switch, the network segregation stays in place. 

In fact there would be a router (ISP modem/router combo). But I just need a simple solution to avoid one port of the switch from communicating with each other. The TL-SG108E switch has these three features 1.MTU VLAN 2.PORT BASED VLAN 3.802.1Q VLAN plus Qos. Shouldn't that be enought? I don't have experience setting up something like this. Also It should coast as few as possible.

[KarathKasun]

You will also need traffic shaping capability.  To be honest, getting a cheap server with 8 ethernet ports running Linux would likely be what you need.

 

A cheap PC with two good NICs should also be able to do this if you have routers with VLAN capability, but the setup is much more complicated.

[Oshino Shinobu]

1 minute ago, IgorM said:

In fact there would be a router (ISP modem/router combo). But I just need a simple solution to avoid one port of the switch from communicating with each other. The TL-SG108E switch has these three features 1.MTU VLAN 2.PORT BASED VLAN 3.802.1Q VLAN plus Qos. Shouldn't that be enought? I don't have experience setting up something like this. Also It should coast as few as possible.

That would work. 

 

You'll want to read up on setting up VLANs a bit to familiarise yourself with how they work, but essentially you'd assign apartments 1 to 6 their own VLAN (VLAN 1 for apartment 1, VLAN 2 for apartment 2 etc., for simplicity's sake) and make the port connecting to the modem/router combo a common ground where all VLANs can access it. That way they can all access the modem/router and therefore the internet, but cannot interact with other parts of the network that are not on the same VLAN, effectively making them into 6 individual and separate LANs, hence the term VLAN. 

 

You'd basically give each apartment a connection point, which can then be expanded upon without any special requirements, as if expanding upon a normal LAN. In order to keep WiFi traffic separate, the best method is to have an access point for each apartment, which in turn probably means you'll want at least a small switch for each apartment so that the access point isn't taking up the only connection point available for each apartment. The switches for each apartment can be unmanaged as the VLAN side of things is taken care of at the central switch. 

 

I'd note that you'd probably want to go with a 10.x.x.x/8 address range for a setup like this. While a 192.168.1.x/24 address range would likely provide enough addresses, it can be surprising how quickly they can get eaten up with even things like smart scales and coffee machine requiring IP addresses now days. 

 

For cost... Basically going with close to the cheapest gigabit capable equipment is probably the best way to keep costs down, as switches are fairly inexpensive at the gigabit level. Still, networking isn't particularly cheap when doing something like this, as you'll need 6 access points and 6 switches (plus the central one). If you go for decent equipment (something like UniFi UAP AC models), you're looking at around $600 for the access points alone.

[IgorM]

52 minutes ago, Oshino Shinobu said:

That would work. 

 

You'll want to read up on setting up VLANs a bit to familiarise yourself with how they work, but essentially you'd assign apartments 1 to 6 their own VLAN (VLAN 1 for apartment 1, VLAN 2 for apartment 2 etc., for simplicity's sake) and make the port connecting to the modem/router combo a common ground where all VLANs can access it. That way they can all access the modem/router and therefore the internet, but cannot interact with other parts of the network that are not on the same VLAN, effectively making them into 6 individual and separate LANs, hence the term VLAN. 

 

You'd basically give each apartment a connection point, which can then be expanded upon without any special requirements, as if expanding upon a normal LAN. In order to keep WiFi traffic separate, the best method is to have an access point for each apartment, which in turn probably means you'll want at least a small switch for each apartment so that the access point isn't taking up the only connection point available for each apartment. The switches for each apartment can be unmanaged as the VLAN side of things is taken care of at the central switch. 

 

I'd note that you'd probably want to go with a 10.x.x.x/8 address range for a setup like this. While a 192.168.1.x/24 address range would likely provide enough addresses, it can be surprising how quickly they can get eaten up with even things like smart scales and coffee machine requiring IP addresses now days. 

 

For cost... Basically going with close to the cheapest gigabit capable equipment is probably the best way to keep costs down, as switches are fairly inexpensive at the gigabit level. Still, networking isn't particularly cheap when doing something like this, as you'll need 6 access points and 6 switches (plus the central one). If you go for decent equipment (something like UniFi UAP AC models), you're looking at around $600 for the access points alone.

Assuming all units already have a wireless router that will be connected to the switch, the cost would be from the wiring (cat 5e is ok for 240Mbps?) and the TL-SG108E switch. That in theory should get it running. Thanks for your advice

[Oshino Shinobu]

4 minutes ago, IgorM said:

Assuming all units already have a wireless router that will be connected to the switch, the cost would be from the wiring (cat 5e is ok for 240Mbps?) and the TL-SG108E switch. That in theory should get it running. Thanks for your advice

Just be aware that if you're using wireless routers in each unit, they will need to be set up to run in access point mode. In the event they don't have one, NAT and DHCP should be disabled to avoid conflicts with the main router. 

 

Cat5e is good for 1Gbps up to 100 meters per run (device to device). I'd advise going for Cat6, or ideally Cat6a as it provides 1Gbps more reliably and can allow for the network to be upgraded to 10Gbps without needing to replace the wiring. The price difference often isn't that big, so I'd suggest going with the best Cat cable that fits your budget. 

[IgorM]

3 hours ago, Oshino Shinobu said:

100 meters

That should be more than enough (it's a 3 story building) . Even if placing the switch and modem on the garage floor.

[Windows7ge]

14 hours ago, Oshino Shinobu said:

you'd assign apartments 1 to 6 their own VLAN (VLAN 1 for apartment 1, VLAN 2 for apartment 2 etc., for simplicity's sake) and make the port connecting to the modem/router combo a common ground where all VLANs can access it. That way they can all access the modem/router and therefore the internet, but cannot interact with other parts of the network that are not on the same VLAN

Wouldn't it be necessary to configure sub-interfaces on the router? Otherwise if a trunk port is assigned and connected to the router then all traffic from each VLAN could still communicate with other VLANs because the router wasn't told to keep the traffic separated. VLANs only on the switch may prevent people from using thing like Wireshark but pings and other forms of communication would still get through so if anybody went into their network connections they could see other people's computers/NAS/printers/etc.

 

I'd probably consider setting up sub-nets but that's not a great idea over open Wi-Fi or Wi-Fi in general if the APs are close enough to each other to where the users could hop APs. A router that supports sub-interfaces would be easiest. It would stop the hosts from being able to talk to each other via the router.