Shaman (Member, join:2014-12-16, Kingston, ON) to nosomo

Re: how do you keep track of customer usage

said by nosomo:

Indeed, place a limitation on CPE for outbound traffic and handle inbound with PPPoE. Limiting outbound at CPE prevents them from hogging an AP.

Er... yes, but that has its own set of issues, too.

As the saying goes, there's no such thing as a free lunch.
nosomo (Member, join:2008-12-17)

True, but a heavily discounted one might as well be free -- take it to go and eat it while driving down the road.
soamz (Member, join:2015-02-24, India) to thewisperer

I'm planning to set up my WISP company this month. We have finalized DMA Radius Manager for everything.
So will that be it, or do we need to use any other software too?

Smokeshow (Premium Member, join:2009-02-26, Cold Lake, AB)

We use some in-house custom software that handles our customer records, billing, bandwidth usage accounting & throttling, and speed limiting. It allows us to limit our customers' speeds and track / limit their usage using only a MAC address. Customers can easily purchase more bandwidth when they use up their monthly allotment, and also switch plans and add a new MAC to their account via a simple web interface. Definitely takes a lot of work off of our technicians' plates.
OHSrob (Member, join:2011-06-08) to soamz

said by soamz:

I'm planning to set up my WISP company this month. We have finalized DMA Radius Manager for everything.
So will that be it, or do we need to use any other software too?

I would recommend the following software to run a WISP.

Syslog server
NTP server
Cacti (For SNMP graphing and monitoring)

Bind9 for your DNS server. You can get away with dnsmasq but it's not as scalable as Bind 9 and will do strange things if you put too many clients on it.

Don't forget to separate your MGMT plane from your data plane as well.

And depending on how much rack space you have at your main POP.

Suricata IDS can be used for an IDS. Put its promiscuous interfaces on cloned switch ports connected to the network segments you want to monitor. Use a /30 PTP to a MySQL server and firewall the shit out of the box, or when someone uses a zero-day buffer overflow you will be sorry.

I strongly advise having separate Sensor/Logging facilities. One server with a ton of network interfaces and only a PTP connection to your database server that can only pass data to the SQL server, nothing to anything else.

NTOP - Make sure it can't do anything but be managed, like your IDS. I've had some crashes and error messages that said the wrong things to make me feel comfortable about security.

I strongly recommend you put each service you wish to run on separate VMs or physical boxes and set up a proper chroot jail.

Also I recommend using OpenVPN to get access to your MGMT plane.

If you go with Mikrotik rather than Ubiquiti I would recommend The Dude as well.

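As an added example of the sensor lockdown OHSrob describes (this is not code from the post), the shell function below emits an nftables ruleset for a Suricata box that can only send events to the SQL server over the /30 point-to-point link and only accept SSH from the management plane; interface names, addresses and ports are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): nftables ruleset for the Suricata sensor box
# described above. The sensor may only ship events to the SQL server over the /30
# point-to-point link and accept SSH from the management plane; all else drops.
# Interface names, addresses and ports are constructed placeholders.
PTP_IF="eth1"            # /30 link to the SQL server
DB_HOST="10.255.0.2"     # SQL server end of the /30
DB_PORT="3306"
MGMT_IF="eth0"           # management-plane interface
MGMT_NET="10.10.0.0/24"  # management network, never the customer data plane
NTP_HOST="10.10.0.1"     # NTP server on the management plane

sensor_nft_ruleset() {
    cat <<EOF
flush ruleset
table inet sensor {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "$MGMT_IF" ip saddr $MGMT_NET tcp dport 22 accept
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        oifname "$PTP_IF" ip daddr $DB_HOST tcp dport $DB_PORT accept
        oifname "$MGMT_IF" ip daddr $NTP_HOST udp dport 123 accept
        counter drop
    }
}
EOF
}

# Sanity check before loading with `nft -f`: all three chains default to drop and
# the only outbound destinations are the DB (over the PTP link) and NTP.
sensor_ruleset_is_locked_down() {
    rules=$(sensor_nft_ruleset)
    [ "$(printf '%s\n' "$rules" | grep -c 'policy drop')" -eq 3 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -c 'ip daddr')" -eq 2 ] || return 1
    printf '%s\n' "$rules" | grep -q "oifname \"$PTP_IF\" ip daddr $DB_HOST tcp dport $DB_PORT accept"
}
```

Load it with `sensor_nft_ruleset | nft -f -` once `sensor_ruleset_is_locked_down` passes; syslog to the separate logging host needs one more rule of the same shape. The promiscuous sniffing interfaces carry no IP address, so anything addressed to the box on them falls through to the final drop.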
TomS_ (MVM, Git-r-done, join:2002-07-19, London, UK)

said by OHSrob:

Also I recommend using OpenVPN to get access to your MGMT plane.

That might be going a little far.

Rather, I would suggest MPLS enabling your network, and provision an L3VPN and put all of your management in there.

Your NOC, i.e. management workstations, would also be connected to that L3VPN, and a firewall would sit between the L3VPN and the Internet.

You could then configure a VPN server to allow you to access your management network from remote locations, but I wouldn't make it the only way to get to it.

To enhance security, I'd recommend using only HTTPS and SSH to access your gear (where supported) and disable all other protocols.

Shaman (Member, join:2014-12-16, Kingston, ON)

A simple (but not nearly perfect) way to protect management is to put all management units on a private IP network. It's quick, cheap and dirty, but it is also worth doing. I'm sure most people are doing that anyway.
OHSrob (Member, join:2011-06-08)

said by Shaman:

A simple (but not nearly perfect) way to protect management is to put all management units on a private IP network. It's quick, cheap and dirty, but it is also worth doing. I'm sure most people are doing that anyway.

That's called separating your Data Plane and Management Plane in the Cisco world.

It's also only dirty if you implement it poorly.
voxframe (Member, join:2010-08-02) to thewisperer

Bingo. We do the same with simply using private IPs and firewall rules for the management channel. In a beautiful world you could use VLANs and such, but MT's implementation, and Ubnt's cooperation, when it comes to VLANs is ummm, lacking. Throw some Cambium gear in there and things aren't friendly.

DMA Softlabs Radius Manager is great. It needs some serious re-skinning and custom work to get it to run properly, but it works wonderfully, and support is awesome.

WARNING: HAVE TWO RADIUS SERVERS RIGHT OFF THE BAT. Don't skip this. Do it! We have two cloned RadiusManager servers that actually mirror weekly. We don't do them daily since there aren't a ton of updates, and if something corrupts, I don't want it propagating to the next machine before we notice it. Support is only done over email/tickets, and there is a time zone difference. So be ready for the worst case of a 24-hour turnaround on your box.

We are actually in the process of migrating over to Azotel Simpler at the moment. It's a monster of a system in comparison, but not for the faint of heart price-wise. We have outgrown the RM4 capabilities, and have gotten sick of managing 6 different systems that don't talk to each other.