Need to share business internet with tenants, need router suggestion/ideas!

Silenus

Senior member
Mar 11, 2008
358
1
81
Ok I need some suggestions on the best way to accomplish the following. This is at the small company I work for. We purchased a building that has two additional suites which just got tenants renting them. We will be sharing our internet with each suite. I will describe what I need, and would appreciate the best way you can think of to accomplish this. I have a few hundred dollars to spend on gear if needed.

1) We have two hard lines run from our network closet, one to each tenant's space. Assume that each tenant will likely have their own typical home/SMB wifi router as the end point, which they will have control over.
2) EACH tenant will be assigned one of our unused STATIC IPs so each suite will have all traffic on a separate assigned static IP.
3) EACH tenant MUST have bandwidth limits imposed that simply throttle all traffic. Not your typical QoS based on service or IP/MAC, just straight throttling.
4) EACH tenant must obviously be isolated network wise from each other and us, either by port grouping/VLANs, or just connecting outside of firewalls.

In our closet we have switches provided by our ISP with unfiltered connections outside our firewall which we can use to hook up other gear/use other static IPs with. I'm looking for the best and simplest way to accomplish the above.

The absolute simplest way I could think of would be introducing some kind of managed switch that could do per port or per IP bandwidth throttling and just go straight to each tenant router and give them the outside static IPs directly for their respective WAN ports. If that is not possible I was thinking of some kind of dual WAN router we control perhaps. But I'd also want to be able to open up all traffic and ports through the router, perhaps just DMZ from BOTH WAN ports to each tenant's respective router. In this case our router would have static IPs from our ISP and would also need to be able to bandwidth throttle. Not sure if this would potentially cause any double NAT issues.

Anyways....thoughts on best/simplest way? Thanks.
 

Silenus

Update: I stumbled across the old Netgear GS108T smart switch and it looks like it has per port inbound and outbound rate limiting. Placed outside our firewall with ISP coming into it, and three lines coming out, one to each respective router (ours + 2 tenants) would be about the simplest thing and do all I need it to do. As long as I can limit each tenant to 1-2Mb up and down each, and leave ours unlimited, we should be good. That allows each router to get a static IP directly which keeps unnecessary extra routers out of it.

I have budget for a better/nicer/more robust switch if you can come up with other suggestions. It just needs to be reliable and at least do per port (or per IP) rate limiting control (inbound and outbound). It would be only for internet traffic and no inter-network traffic so very light on overall bandwidth demands.
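
The per-port approach from the update above, sketched as an added example (not from the thread, and not a GS108T configuration): it swaps in a Linux box bridging the ports in place of the smart switch and prints the `ip`, `bridge` and `tc` commands that cap each tenant port in both directions and isolate the ports from each other. The interface names `eth0` to `eth3`, the bridge name `br0` and the burst sizes are assumptions; the caps sit inside the 1-2Mb range the post names.

```shell
#!/bin/sh
# Added example: dry-run generator. It only PRINTS the commands; review them,
# then pipe the output to `sh` as root on the bridge host to apply.
# Assumed (hypothetical) port names: eth0 = ISP uplink, eth1 = our own router,
# eth2/eth3 = tenant drops. The bridge gets no IP address, so each router
# behind it still holds its public static IP directly.
UPLINK=eth0
PLAN="eth1:none:none eth2:2mbit:1mbit eth3:2mbit:1mbit"   # port:down:up

emit_port() {  # $1=port  $2=download cap  $3=upload cap ("none" = unlimited)
    echo "ip link set dev $1 master br0"
    echo "ip link set dev $1 up"
    # Isolated ports cannot exchange frames with each other, only with the
    # non-isolated uplink, so the suites never reach each other or our router.
    echo "bridge link set dev $1 isolated on"
    if [ "$2" != none ]; then
        # Download = egress toward the tenant: shape with a token bucket.
        echo "tc qdisc replace dev $1 root tbf rate $2 burst 32kb latency 400ms"
    fi
    if [ "$3" != none ]; then
        # Upload = ingress from the tenant: police and drop the excess.
        echo "tc qdisc add dev $1 handle ffff: ingress"
        echo "tc filter add dev $1 parent ffff: protocol all u32 match u32 0 0 police rate $3 burst 32k conform-exceed drop"
    fi
}

emit_plan() {
    echo "ip link add name br0 type bridge"
    echo "ip link set dev $UPLINK master br0"
    echo "ip link set dev $UPLINK up"
    for entry in $PLAN; do
        port=${entry%%:*}; rest=${entry#*:}
        emit_port "$port" "${rest%%:*}" "${rest#*:}"
    done
    echo "ip link set dev br0 up"
}

emit_plan
```

Port isolation on a Linux bridge needs kernel 4.18 or later with a matching iproute2.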
 

Elixer

Lifer
May 7, 2002
10,376
762
126
A managed router should be able to do the job you described, and each subnet would be isolated, as long as you don't bridge them.
How much bandwidth are you planning on giving them? Are we talking fiber connections?
What about fail-over, how complex of a setup will this be?
Also, hope you got the legal stuff in order. Would really suck if they abuse the network, and get you in trouble with the ISP and they pull access from you, and thus everyone goes down because some idiot downloaded some movie or whatever.
 

Silenus

> A managed router should be able to do the job you described, and each subnet would be isolated, as long as you don't bridge them.
> How much bandwidth are you planning on giving them? Are we talking fiber connections?
> What about fail-over, how complex of a setup will this be?
> Also, hope you got the legal stuff in order. Would really suck if they abuse the network, and get you in trouble with the ISP and they pull access from you, and thus everyone goes down because some idiot downloaded some movie or whatever.

We have written agreements for the internet access in order with verbiage that is essentially a terms of service that excludes illegal activity. These have been signed by the tenants. This is one of the primary reasons to also have fixed static IP's assigned to each tenant and documented.

We are talking low DSL speeds for the limits, something like 2Mb/s down and 1Mb/s up each. Unfortunately we are in an area with very limited options and our incoming ISP connection is only 10/10.

Ok so for a managed router idea I don't need any kind of firewalling, just strictly routing. How would I use three static IPs and have them routed to a specific tenant's router/WAN IP? That is a little outside what I've normally set up but I'm sure I could figure it out. Keep in mind I need to individually throttle two or all three of those routes or ports or IPs of each tenant router.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
Probably a good DD-WRT router will do. Do not go for a cheap one.

I used to have one, but don't now.

Don't know effectiveness of these functions.

It supports port VLAN, torrent block, speed control and some basic content control.

Someone with more experience with DD-WRT can help.

 

Silenus

I forgot to mention...I have two spare consumer level Wifi routers laying around, both loaded with DD-WRT (one is older Linksys WRT160Nv3, and one newer Netgear R6200). I also have available a Cisco small business dual wan router, RV320.

I have had some look around DD-WRT, and my initial temporary plan was to use one or both of them. There is some functional basic rate limiting in DD-WRT, but it looked like I needed to use both routers so that they could individually be assigned static IPs in order to keep all traffic to discrete IPs for each tenant. If I can do this with one that would be better and simpler.

Anyone with Cisco experience? The little dual WAN Cisco router looks perhaps promising, and I have it on hand....but I'm not experienced enough with it to see if it can properly rate limit particular connections. I will bring it up to my office and start looking through it. And again...it needs to have all traffic from one subnet/tenant router go through one WAN port/static IP, no load balancing or failover etc.
 

Gryz

Golden Member
Aug 28, 2010
1,551
203
106
> A managed router should be able to do the job you described ....
This makes me curious.
I've been doing router stuff for 20-25 years now.
But what the heck is a "managed router" ?
And what is an "unmanaged router" ?

I am really curious.
 

mxnerd

You can put the DD-WRT routers behind the Cisco then. Lock them up so tenants can't access the routers.

Don't give the router to the tenant since they can reset it. The only way they can access it is through Wi-Fi. You must have complete control. Each tenant connects to its given router and you should be able to easily control the traffic.

I have touched the Linksys dual WAN RV082 (then a Cisco division) a long time ago and configured load balancing for it. But I don't have access to it now, either.

Since you don't have two WAN accesses, just forget the dual WAN feature.
 

sdifox

No Lifer
Sep 30, 2005
95,026
15,139
126
Or setup pfsense and use limiter. Hardwire connected to dedicated nic on computer, done.
 

freeskier93

Senior member
Apr 17, 2015
487
19
81
I'm confused when you use the term "three static IPs". Is the ISP providing multiple public addresses (multiple WANs) or are you only getting one public IP that you want to share? You should really consider asking your ISP for multiple connections so each tenant has their own public IP.

Please don't be using some consumer class junk with DD-WRT either, get yourself a real router. You should be looking at stuff like the Ubiquiti EdgeRouter (https://www.ubnt.com/edgemax/edgerouter/), which is a pretty inexpensive but powerful router that will let you professionally manage your network. I would also not let the tenants run their own routers, if it's you that has the contract with the ISP then you should fully manage the network.
 

mxnerd

pfSense is more powerful, but you need a PC with multiple NICs, or the mini-PC mentioned below.

https://forum.pfsense.org/index.php?topic=75415.0

or

http://www.amazon.com/s/ref=nb_sb_n...s=aps&field-keywords=c1037u&rh=i:aps,k:c1037u

Of course you need at least dual Ethernet.

If you use pfSense, then you can put the other routers away or sell them.

And like freeskier said, if you have 3 public static IPs, what I feel is why do you want to assign a static IP to each of your tenants unless they want to host a website or whatever. But actually there is no point in maintaining one if their bandwidth is limited to only 1M bps, it's just too slow.

You also need to put the tenants behind a firewall/router to control bandwidth, you can't put them before the firewall/router and expect to control their bandwidth.

DD-WRT is not junk, it does have its market and it performs well in most cases.
 

sdifox

> pfSense is more powerful, but you need a PC with multi NICs, or mini-Pc mentioned below.
>
> https://forum.pfsense.org/index.php?topic=75415.0
>
> or
>
> http://www.amazon.com/s/ref=nb_sb_n...s=aps&field-keywords=c1037u&rh=i:aps,k:c1037u
>
> of course you need at least dual ethernet.
>
> If you use pfSense, then you can put other routers away or sell them.
>
> And like freeskier said, if you have 3 public static public IP, what I feel is why do you want to assign static IP to each of your tenants unless they want to host website or whatever. But actually there is no point to maintain one if their bandwidth is limited to only 1M bps, it's just too slow.
>
> You also need to put tenants behind firewall/router to control bandwidth, you can't put them before firewall/router and expect to control their bandwidth.
>
> DD-WRT is not junk, it does have its market and it performs well in most cases.

I just figured they would have a server for their own purpose and can just run a pfsense vm.
 

mxnerd

Yes, OP can have a server and run pfSense VM off it, but I think that's unnecessary complexity.
 

Silenus

> I'm confused when you use the term "three static IPs". Is the ISP providing multiple public address (multiple WANs) or are you only getting one public IP that you want to share? You should really consider asking your IP for multiple connections so each tenant has their own public IP.
>
> Please don't be using some consumer class junk with DD-WRT either, get yourself a real router. You should be looking at stuff like the Ubiquiti EdgeRouter (https://www.ubnt.com/edgemax/edgerouter/), which is a pretty inexpensive but powerful router that will let you professionally manage your network. I would also not let the tenants run their own routers, if it's you that has the contract with the ISP then you should fully manage the network.

We have a block of 5 public static addresses. Two are in use (one for our own router and one for the VoIP system, which is provided by and managed by the ISP). We have 3 spare to use. It seemed easiest to simply assign them each a public IP, which allows each tenant's activity to be associated with a specific external IP. Not so much for hosting, but it would simplify things if one of them wants to VPN into their place.

The management at my company does not want to be involved in day to day management of each tenant's network/firewall settings, wifi, etc. They simply want to assign them IPs, drop the cables into their spaces and let them manage what they will do inside their own spaces. With the caveat being that we want to restrict bandwidth if reasonably possible. Besides, even if we agreed with the tenants to fully manage their respective networks/firewall/NAT rules/wifi, etc. ...you know they are going to put wifi routers in their spaces anyway at some point.

Please note that I very much don't want to use junk and I don't have to, at this moment I am simply pressed for time and trying to get something going until I can get more proper hardware. Just trying to use what's laying around to get going since the tenants are literally moving in right now. Also....I am at this new job only 3 months and walked into a lot of existing setup. It's not actually too bad what they have here, I've seen a lot worse. By the way the Ubiquiti EdgeRouter is perhaps a fabulous idea. I'll get to that further below.

> pfSense is more powerful, but you need a PC with multi NICs, or mini-Pc mentioned below.
>
> https://forum.pfsense.org/index.php?topic=75415.0
>
> or
>
> http://www.amazon.com/s/ref=nb_sb_n...s=aps&field-keywords=c1037u&rh=i:aps,k:c1037u
>
> of course you need at least dual ethernet.
>
> If you use pfSense, then you can put other routers away or sell them.
>
> And like freeskier said, if you have 3 public static public IP, what I feel is why do you want to assign static IP to each of your tenants unless they want to host website or whatever. But actually there is no point to maintain one if their bandwidth is limited to only 1M bps, it's just too slow.
>
> You also need to put tenants behind firewall/router to control bandwidth, you can't put them before firewall/router and expect to control their bandwidth.
>
> DD-WRT is not junk, it does have its market and it performs well in most cases.

I love pfSense and built no less than 3 pfSense boxes (2 physical, 1 virtual) at my last job. But that was my last job. At this current job the IT stuff I am doing is incidental and not actually my main job (how many of you can relate to that?!). It's just myself and the existing guy that do the IT stuff, and it's not his main job either. I could bring up pfSense and see what they say but I don't know that I have time to DIY something like that. We don't have a virtual infrastructure of any kind but are nearly at the point where it might make sense to have a single host to consolidate a few lightly loaded machines. That's not a priority right now though.

> shrug, he is going to need a firewall anyway for his company.

This...is becoming clear. In fact something I have discovered and forgot to mention yesterday is that the existing router that my company is using for our side of the network is a very much aging Fortinet router/VPN endpoint. It needs replacing and they know it already. I am starting to think two birds one stone is the way to go.

I have a $400 budget give or take. I am going to look carefully at the Ubiquiti EdgeRouters. I am a fan already, having used the UniFi wifi stuff. I am also already pushing for a full wifi replacement for our offices and my first choice is UniFi. That will also have to come later.

So who's worked with the EdgeRouters, how flexible are they, and how do you like them? If I pipe everything for us and our tenants through a single EdgeRouter that would be great. An ER-8 is in my budget. I'd need to essentially use it as if it's 3 separate routers in one.
 

Silenus
