recommendations needed on future wireless network

We have contracted a cell phone site where we want to sell fixed internet for the business and roaming internet for residential customers.
Our equipment looks like this:
We have a 100MB fiber connection coming into a WatchGuard firewall, and we have a stack of 120 public IP addresses. We want to have the WatchGuard as an internal IP of 10.1.0.1, and we want to have a powerrouter connected behind it with an IP address of 10.1.0.2. Connected to the powerrouter we will have a Wavion BaseStation 2400 Omni, with a broadcast SSID for roaming customers and a hidden SSID for the fixed customers. (Thoughts about this?)

We want to hand out PUBLIC IP addresses to our fixed business customers, and private IP addresses to our roaming customers. Roaming customers will need to authenticate against our RADIUS server. (Can this work? If so, how can I make this work?)

Is this a feasible setup? What suggestions would you make, if any?

In addition, we will have Proxim 300MB bridge connections between 4 or 5 cell phone towers, so we will need to keep this in mind as this will be one large network.

Thank you for your help.

This is not a trivial / straightforward undertaking and it is a good sign that you are asking the questions at an early stage!

Your basic plan is sound, but as the saying goes “the attention is in the detail”.

If you are planning on feeding multiple sites, you will require a well-thought-through IP address network scheme, which will allow the network to expand easily, rather than taking the easy path of bridging everything on one broadcast domain. I have seen networks with hundreds of interconnected sites where everything is bridged, and they wonder why they have problems. By the time I get involved to sort out the mess, the news that I recommend they start all over again is not very well received by the client!

Suggest you abandon the idea of a hidden SSID. The “security” you think you will get by “hiding” your SSID is a waste of time and only makes it more difficult for you and your radio neighbours / competitors to plan and mitigate interference problems. Instead, use an encrypted signal, such as with AES to secure your fixed services. If you wish to secure your network further and keep your competitors guessing, consider using radionames on your routerboards that only mean something to you. Names that contain real locations give away far too much!

Hotspot usage for roaming clients will of course have to remain unencrypted, but we also provide an additional SSID with encryption for our more regular business customers who wish to use our hotspot with more security that is still connected to the same Hotspot.

The MikroTik Hotspot system will cater for your hotspot users along with MT’s UserManager, or you can use RadMan or even your own solution based on a FreeRADIUS server, writing all your own front end.

You need to consider how you will physically manage the service to your fixed clients. If there are just a few, then you can just statically add them to your MikroTik AP as authorised clients. If you are thinking of a much larger quantity of fixed clients, then managing this manually becomes too time-consuming and you may wish to consider a PPPoE server based solution. This is also dependent on the type of client equipment you are planning on using.

You may also wish to consider adding a network monitoring system such as The Dude; I would not be able to maintain our networks without it.
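
The routed, per-site addressing scheme recommended in the reply above, sketched as an added example that is not part of the original thread or any poster's configuration. The private pools, prefix sizes, site names and the chain-shaped backhaul topology are assumptions; only 10.1.0.1, 10.1.0.2 and the tower count come from the original post.

```python
import ipaddress
from itertools import combinations

# Assumed for illustration (not from the thread): the 10.16.0.0/12 and
# 10.2.0.0/24 pools, the prefix sizes and the site names. Only 10.1.0.1,
# 10.1.0.2 and the tower count come from the original post.
CORE = ipaddress.ip_network("10.1.0.0/24")           # firewall .1, router .2
SITE_POOL = ipaddress.ip_network("10.16.0.0/12")     # one /16 aggregate per tower
BACKHAUL_POOL = ipaddress.ip_network("10.2.0.0/24")  # one /30 per bridge link
SITES = ["site-1", "site-2", "site-3", "site-4", "site-5"]

def build_plan(sites):
    """Give every tower its own routed aggregate and every link its own /30."""
    aggregates = SITE_POOL.subnets(new_prefix=16)
    links = BACKHAUL_POOL.subnets(new_prefix=30)
    plan = {}
    for name in sites:
        agg = next(aggregates)
        slices = list(agg.subnets(new_prefix=20))
        plan[name] = {
            "aggregate": agg,                                # one route per tower
            "roaming": slices[0],                            # hotspot DHCP pool
            "mgmt": next(slices[1].subnets(new_prefix=24)),  # radios, routers
        }
    backhaul = {pair: next(links) for pair in zip(sites, sites[1:])}
    return plan, backhaul

def check_plan(plan, backhaul):
    """Raise ValueError on overlapping blocks or a subnet outside its aggregate."""
    blocks = [CORE, *(p["aggregate"] for p in plan.values()), *backhaul.values()]
    for a, b in combinations(blocks, 2):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}")
    for name, p in plan.items():
        for role in ("roaming", "mgmt"):
            if not p[role].subnet_of(p["aggregate"]):
                raise ValueError(f"{name}: {role} is outside {p['aggregate']}")
    return True

def site_for(address, plan):
    """Map an address from a RADIUS or firewall log back to its tower."""
    ip = ipaddress.ip_address(address)
    return next((n for n, p in plan.items() if ip in p["aggregate"]), None)

if __name__ == "__main__":
    plan, backhaul = build_plan(SITES)
    check_plan(plan, backhaul)
    for name, p in plan.items():
        print(name, p["aggregate"], p["roaming"], p["mgmt"])
```

Because each tower sits behind a single aggregate, broadcast traffic stays local to the site and any address in a log can be traced to one tower.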

So we have a RADIUS server for authentication/billing.

I like the idea of PPPoE for fixed customers. Will I need to build out a Windows-based server for this? Also, we are typically using Ubiquiti for our fixed clients.

You can do the whole AAA with MikroTik modules; search for User Manager. You can provide the RADIUS, PPPoE and user management from one RB if you’re starting with a small customer base. You can always move it to another, more powerful box later if it grows.