Tales from the Towers Chapter 5: Reality, What a Concept

In the last article, access points were installed, WDS links set up for hopping, and we were ready to access the Internet.  Although TriadLand is ready to rock, we now need to connect the users.  First we need to connect the network to some type of Internet service and then come up with a way to authenticate people who want to use it.  After that we will cover the details of system management and how to overcome them.

WISP operators are typically forced to work with local bandwidth providers who have some type of monopoly in an area.  A WISP cannot resell most of the business services over DSL or Cable because the local provider does not allow it. WISPs are generally resigned to T-1 circuits or more expensive business options.  Assuming that you order a T-1 for your system, you now have 1.5Mbps of bandwidth for your network.  If you plan on using cable or DSL services, check with your local provider to see if that is allowed.  Other bandwidth options are also available but you will have to check for each area.

Assume that one of the 4 center APs out of 16 are the Internet connection point.  We will set up the WDS links so that now end point is no more than 4 hops (meaning we may have to skip one) which will keep the last AP with around 5Mbps at the end point.  If we can skip more than one AP, we can keep the hops to 3 or even 2 if we have LOS between the APs.  We have enough signal to hold very high modulation rates with ½ mile links between APs.  Keep in mind that APs between the end point and the egress point will be handling users while simultaneously passing WDS backhaul for other APs down the chain.  This will directly affect throughput for users down the chain.  It is one of the limits of this design but no different than any of the other earlier mesh designs.  The end result is that the entire square mile will eventually be routed through one AP.

Recently I received a couple of emails on the problem of security. The drawback of inexpensive radios is that you may have to give up something in return for the reduced price point.  This system provides no encryption over the WDS links.  This problem gets resolved with additional hardware as part of an upgraded system.  The system can run security between the laptop and the AP but there isn’t much use if the AP hops are not secure.  If you plan on upgrading later with more bandwidth, then it might be a good idea to get the users to use WPA2 on the APs from day one so they won’t be confused later.  Just make sure your EULA clearly states that the system is not secured over the wireless link.

The second problem with this network is that it only supports a single SSID.  I do not know if that is going to change in the future.  There is third party firmware that will run on the Bullets that may offer more options but that typically comes with additional costs which gets away from the original premise.  If you need security, then VPN tunnels are the only option with the basic system.  Phase 2 resolves most of the security issues.

There are many good products out on the market for authentication of users.  Our sites use Patronsoft Firstspot for user authentication and management.  FirstSpot runs on Microsoft Windows XP or Windows Server, can support SQL Server for extending site deployment and centralized user management, uses PHP for the web pages, and can run fail-over servers for offline management.  Since our company has years of experience with Windows, it works for us.  Those of you with more experience with Linux have many other options.  We ran tens of thousands of users through our servers over 5 years so I’m pretty comfortable with it.  However, it’s not CALEA compliant yet but they are looking at it now.

Running the network: CALEA and other issues

Triadland is up and running.  Users attach to the broadcast SSID, get a login page, diligently read the EULA word for word in which they agree to follow the rules, and then they get online.  Now what happens?  This is stuff normally planned out in advance but the article focus was determining the basic wireless technology first.  It’s time to deal with the actual functionality of operating the system.

This is where every WISP’s worst nightmares start.  It begins with the Federal government getting access to your system in the name of Homeland Security and ends with junior making it his personal mission in life to download the entire Sony movie collection.  Your first job is to file your CALEA paperwork.  CALEA is an entire article by itself and I may cover it much later.  Go to http://www.wispa.org/?page_id=2022 for more information.  After that, you need to figure out how you are going to keep control of junior.  You are also going to have to deal with the users who upload and download large files with spamware or spyware without even knowing it.  These same users can get you disconnected from your Internet circuit if it’s bad enough.

Let’s move on to the first issue which is keeping control of your network.  Several things will stress both you and your network.  Let’s start with junior’s desire to fill up that new 2 Terabyte hard drive he just got for his birthday.  File-sharing is one of the biggest problems faced by most ISPs.  Fortunately or unfortunately, depending on which side of the equation you are on, recent rulings by the FCC allow operators to limit file-sharing.  There are 2 basic ways to handle this.  You can use either an authentication server that keeps track of bandwidth used or a web application firewall that allows you to block file-sharing applications.   Limiting users to 10GB – 20GB per month is a good start.

Early on, we had an incident where some users on our network had been infected and turned into spam servers.  The bandwidth provider started blocking Internet access for the entire system until we got it resolved.  With 200 plus users and some of them still running Windows 98, the battle to keep viruses and spam under control is difficult at best.  We purchased a Barracuda Web Application server which not only blocked the offending users, it redirects them to run spam removal software and won’t let them on Internet until the computer is cleaned.  A Web Application filter also allows blocking of specific websites that might cause unwanted legal attention and file-sharing applications.

Now that we have built our 1 square mile network in Triadland, our next step is to make either make it profitable or find a way to give it purpose.  We will cover those ideas next article.

* * * * * * *

NEXT CHAPTER (6): Tales from the Towers Chapter 6: Free is not a business plan

PREVIOUS CHAPTER (4): Tales from the Towers Chapter 4: You Should Never Hang APs With Your Spouse

* * * * * * *

About the author

Rory Conaway is president and CEO of Triad Wireless, an engineering and design firm in Phoenix. Triad Wireless specializes in unique RF data and network designs for municipalities, public safety and educational campuses. E-mail comments to rconaway at triadwireless.net. Rory writes regularly for MuniWireless.com.

About Rory Conaway

Rory Conaway has been in the IT and Wireless Industries for the past 25 years as an author and consultant. He currently operates a growing WISP operation in Southern Arizona. He consults with investors, manufacturers, and WISPs, and develops financial business models for startups. In addition to writing articles in industry publications such as Mission Critical Magazine, Mr. Conaway also writes the series “Tales from the Towers” that can be found on various such as www.triadwireless.net and www.muniwireless.com. He has also engineered several wireless designs such as S.P.I.R.I.T. and Guerilla Wireless as well as building integrated wireless and video surveillance for airport security, municipal and critical infrastructure, SCADA systems, and hotel/MDU deployments.