dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
808
share rss forum feed


jap
Premium
join:2003-08-10
038xx

[Connection Sharing] router firmware that supports user login accts?

Want to setup a router that provides multiple user accounts & some simple per-acct usage logs (eg: list of device names/MACs that have logged on under each account, total bandwidth used) for sharing a single business ISP uplink with 5-10 users. Are there routers (stock or 3rd party firmware like Tomato) that perform this task? I've only deployed basic consumer routers with single logins and not sure what else exists out there. Would like to avoid a dedicated pfsense box.

Setting is an old mill building with artist studios and the renters are stuck with a single ISP option which most cannot justify or afford the terms of (Comcast business, minimum 1yr contract, $200+ init fee, $80/mo).


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8

What you want is common to carriers and data centers, but it isn't simple, or cheap. Something could be built with a switch/router and netflow collector, but I suspect this would quickly be over your head.


HELLFIRE
Premium
join:2009-11-25
kudos:16

1 recommendation

reply to jap

2nd cramer See Profile 's comments. Also, it'd be instructive to know a) your budget, b) your level of techical competence / skills,
c) how fast an internet speeds this needs to support, and d) is there any other requirement(s) you may need, now or in the future.

I'll tell you right now that "stock" firmware from the likes of DLINK, LINKSYS, Belkin, et al don't do this.

The sense I get of what you want to do is pool your resources at this "old mill building" to get a shared internet for the tenents.
With this device will have each tenent login whenever they want to access the internet (a captive portal). From that the device
will log how much data they use over a period of time so that the ISP cap is not exceeded, and if it is, the offender can be tracked
down. Do I have this right so far?

If so, off the top of my head :

- software distros like Vyatta, Untangle, and Astaro Security Gateway may fit the bill -- these've been on my "to try out" list
for some time, but reading over the datasheets SEEMS to imply they could be set up in the fashion you want. The only thing you'd
have to supply is the computer to run it on, and the willingness to figure out the software.

- as cramer See Profile alluded to, setting up a device to be monitored via SNMP or netflow is a possibility, but you'd have to be
versed the the particular piece of equipment; if you've never seen / touched equipment made by names such as Juniper, Cisco,
Watchguard, Force10, et al. then this option's not viable.

- in that vein, the Ubiquiti Edgemax Lite router's been making the rounds on this board; a VERY powerful and capable device for
$100USD, but definately NOT for the technical faint of heart.

- we were discussing this in another forum cramer See Profile but I seem to recall Meraki CloudManagement has functionality the OP's looking for?

My 00000010bits

Regards



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to jap

Anav See Profile is a great source for this type of information. I know I had a Zyxel router that had per user log ins, but I don't know about the tracking.
--
"Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something." - Robert A. Heinlein


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8
reply to HELLFIRE

I was just thinking the same w.r.t. Meraki, but it'd be expensive, and on-going. And from my poking around with the demo, it won't do exactly what he wants (meter individual user bandwidth.)



clarknova

join:2010-02-23
Grande Prairie, AB
kudos:7
Reviews:
·TekSavvy DSL

1 recommendation

reply to jap

I'm not sure what you mean by "user accounts", but most current versions of Tomato can do per-IP bandwidth allocation and stats. The EdgeRouter models include a PPPoE server (with GUI!), but I don't know what kind of stats it keeps without the help of RADIUS.

pfsense is another option that can do all of the above, including RADIUS. I'm not sure how a dedicated box for a pfsense router is different from a dedicated box for any other router, but if you're worried about size there are plenty of compact low power options available from the pfsense store.
--
db



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to jap

As already mentioned, Edge Router Lite should do most of what you want, but the learning curve is quite steep. You'd also need additional components i.e. SNMP or NetFlow collector/analyzer.

ZyXEL ZLD based devices (USG series) will do partially what you want but also SNMP collector/analyzer would be required.

You may want to look into linux/BSD based router/firewall distros ... on those you should be able to everything you need, but again it's not plug & play, you need some advanced expertise.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to jap

Click for full size
Click for full size
Click for full size
Click for full size
Most business (SOHO) and up should have most of the functionality you desire. I have attached some pics from my zyxel router. On top of whats shown one can reserve or afffix mac addresses to IPs and apply firewall routings and special routings, use VLANS etc....


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to jap

Click for full size
Click for full size
Click for full size
Click for full size
more pics


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to jap

Click for full size
Click for full size
Click for full size
Click for full size
and some more


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to jap

Click for full size
last one promise LOL


jap
Premium
join:2003-08-10
038xx
reply to jap

Thanks to all repliers. Even for the boatload of zyxel screenshots from Anav.

said by HELLFIRE:

... what you want to do is [...] have each tenent login whenever they want to access the internet (a captive portal). From that the device
will log how much data they use over a period of time so that the ISP cap is not exceeded, and if it is, the offender can be tracked
down. Do I have this right so far?

Yup. All that I need to achieve is
1: simple disincentives against people giving access to non-paying tenants
2: measurement of per-user ongoing usage so I can alert heavy users (simple social feedback loop)

I ought to have emphasized the casual nature of this neighborly affair. The goal is not data security, robust access control, bandwidth allocation, shaping or metered billing ... though the monthly cap may rear it's ugly head.

Reason I'm seeking a commodity router device rather than re-purpose one of these PCs gathering dust on my shelves is I'll be vacating my studio in August and handing off oversight to a non-techy. Want to leave him with purpose-built devices which he can replace-with-same then apply a config file to restore service. I looked at the PFSense store and the $450 device would be nice but it's overkill for us in both function & cost.

@Anav -- are you familiar with a particular models of Zyxel or other SOHO device that sounds right for us and has good bang for buck? If I can have 10 sets of login credentials + associate 2 or 3 whitelisted MACs with each + track each for data usage then I'm done & happy.

@clarknova & other Tomatoites -- Will Tomato allow me create a MAC whitelist of devices allowed to connect + fix an IP to each MAC + then track usage by IP over multiple sessions forever? If so then I can manually compile each person's data consumption without having discreet logins. It would be a minor pain in the ass to maintain a MAC list + might frustrate users that they cannot wander onto the network with unregistered devices. But spotting data hogs would be easy and no need to routinely add-up the numbers, just need to eyeball them for high numbers towards the end of each billing cycle when & if ISP ever warns of high usage.
Not an ideal solution but cheap and good enough for us if Tomato can do it.

Cheers all!

Quattrohead
Premium
join:2005-02-09
reply to jap

Comcast will install a business class connection to a commercial building and there is no usage limits on commercial connections, so that problem is one to cross off your list.
You need a router that will provide Radius logins.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

1 edit
reply to jap

You should really abandon the MAC filtering idea. Stick to user logins or subnets or VLANs ...something that you control.
MACs are in user control and can be relatively easily spoofed/changed. It's also PITA to manage MAC access list. Phones and computers change every day. Assigning a user his/her login name to get through a firewall or segregate them to subnets (or VLANs) is the way to do it.


HELLFIRE
Premium
join:2009-11-25
kudos:16
reply to jap

@ Anav See Profile
You sir, owe me a new mouse wheel!

@ jap See Profile
Okay, just wanted to make sure.

Also, still looking for a) your budget, and c) how fast an internet speed it needs to support. From the sounds
of things $450 is waaaay over your head... do you have an exact figure in mind?

said by jap:

Want to leave him with purpose-built devices which he can replace-with-same then apply a config file to restore service.

I'm going to burst your bubble right now and say it may not be that simple as each device out there has its own
idiosyncrasies about config restore. Definitely plan for writing a step-by-step document on what they have to
do in such a situation, and leaving it behind.

I also 2nd Brano See Profile 's comments about MAC filtering.

My 00000010bits

Regards


jap
Premium
join:2003-08-10
038xx
reply to jap

said by Quattrohead:

Comcast will install a business class connection to a commercial building and there is no usage limits on commercial connections.

Thanks for that. Another tenant claimed same but I was dubious and hadn't yet confirmed with Comcast.

said by HELLFIRE:

From the sounds
of things $450 is waaaay over your head... do you have an exact figure in mind?

Cost isn't the issue, sensible benefit is. I'm working for free, a long term tenant (same person to assume tech oversight when I leave) is signing the 2yr Comcast contract & fronting cash to establish a connection & purch hardware. Nobody's making money, nobody expects always-on rapid-restore service. I voiced a guesstimate of $150-200 in hardware costs. He didn't blink but there's no budget & he's waiting for me to get back with an implementation proposal. His concern is social & technical ease of oversight. I'm certainly not going to offer longterm remote management.

If Tomato or other firmware cannot achieve above iterated tasks then I'll paint him a picture of full-on firewall/router PC (which I'd actually enjoy building) versus the familiar cafe approach of throwing unmanaged commodity routers on the ceiling and let the userbase collectively sink or swim. Unless I've completely misread him he'd chose the latter.

said by HELLFIRE:

I'm going to burst your bubble right now and say it may not be that simple as each device out there has its own idiosyncrasies about config restore.

Bubble intact.
I love matching hardware versions. Would purch 3 identical routers, establish one as AP, other 2 as extenders. If/when AP fails an extender can be moved into AP position and flashed with same config file. I can thoroughly test and walk other guy through the file application process. What gets used to replace a lost extender doesn't matter.
Need to hands-on investigate aftermarket firmwares (starting with Tomato, I guess) if I can't get a firmware guru to save me the effort.

said by Brano:

MACs are in user control.

I did my fair share of spoofing back in the '90s when MAC filtering comprised workplace access security scheme. Not a concern for this project: both risk of & consequences of are very low.

said by Brano:

It's also PITA to manage MAC access list.

True and I expressed same in a previous post. But I do not know how to better ID password leakage by paying users to non-paying users. AFAIK (and please correct me if I'm wrong) VPNs do not ID devices so would not help with the password leakage problem. This group is definitely likely to share router password with non-paying neighbors. It's more of a concern then bandwidth hogging behavior. Requiring them to register device MACs will be a very affective barrier against sharing access but I do worry about the list maintenance load. Depends on how frequently people swap out gear. Again, if there's an easier way ID password sharing on commodity-router LAN then I'm all ears. I've no experience configuring VPNs, just the push button apps like TunnelBear.

/typing stuff

LittleBill

join:2013-05-24
kudos:1

Click for full size
Click for full size
realistically a hot spot portal would be a better idea, give the user x number of logins and call it a day, you can then set individual quto's and total transfer rates if thats a concern

and if the user give the pw away it just affects them thus killing it dead

HELLFIRE
Premium
join:2009-11-25
kudos:16
reply to jap

said by jap:

He didn't blink but there's no budget & he's waiting for me to get back with an implementation proposal.

Okay, so this is at the "cost be d**ned, what's out there that works!" stage, fair enough.

said by jap:

AFAIK (and please correct me if I'm wrong) VPNs do not ID devices so would not help with the password leakage problem.

Umm... I'm confused here, what's a VPN have to do with password leakage?

As LittleBill See Profile points out, and the way a captive portal is SUPPOSED to work, no valid username / password
or no valid session, no connectivity, even to the LAN, generally speaking -- VPN doesn't even figure into it.

My 00000010bits

Regards


jap
Premium
join:2003-08-10
038xx

said by HELLFIRE:

said by jap:

AFAIK (and please correct me if I'm wrong) VPNs do not ID devices so would not help with the password leakage problem.

Umm... I'm confused here...

Understandably since I was confused in my response to Brano: he typed VLAN, I read VPN. My bad.

Been awake & working since 4:00 this morning. Fried.

HELLFIRE
Premium
join:2009-11-25
kudos:16
reply to jap

Okay... that makes sense now. So a) get some sleep, and b) no VLANS do not ID devices, they only
segment the network.

Regards

Expand your moderator at work