Three-zone wireless coverage, advice needed



  • Hello everyone!

    I have read the forum and the pfSense documentation a lot, and most of the things I need seem possible, but there are still some doubts. So I decided to explain my planned setup here and ask the gurus to point out future troubles, if any… Sorry if the explanation is a bit long...

    We have three zones where we need to get wireless coverage. The first is a small office building that already has a wired LAN and a working Internet connection. The second is a hangar-like building covered in sheet metal (not heated in winter, not air-conditioned in summer, but there is a heated cabinet where the fire/intruder alarm equipment is housed, and there is some extra space for a wireless AP). The third is a parking lot; currently there is nothing there except two relatively tall (~5m/15 ft) poles with lighting fixtures.

    The hangar is located ~60m away from the office building, and its gate faces the office building side. The parking lot is ~150m from the office building, on another side. I expect that the coverage of the APs installed in the hangar and the office will partially overlap when the gates are open.

    An Ethernet cable is already routed from the office to the hangar. There are some facilities between the office and the parking lot, so if 150 m is too long for a single Ethernet cable run, we can drop a router in between.

    There is no external RADIUS server, and it will be fine if pfSense on a CF-booted, thin-client-like computer (3 Ethernet interfaces on board) can maintain the user database on its own.

    What we need to get:

    1. Permanent access to the Internet and the internal LAN for all company laptops and handhelds (15 or so in total, authenticated by MAC address). Switching from AP to AP looks easy with IBM laptops that have Access Connections software on board; reconfiguration of some handhelds may be difficult, but they can live with 3 different profiles configured. The IP should not change when switching from one zone to another.

    2. Password-protected access for authorized guests in the office building and the parking lot. Access passwords will be changed daily. Guests should have access to the Internet, but not the company LAN. I thought to provide guests with a WEP key and a password for a captive portal to get to the Internet.

    3. Best possible wireless encryption that we can have with this setup without too much hassle.

    There are no APs or wireless routers purchased yet, so I will be glad to hear any advice concerning field-proven units to look for.



  • Well, I can answer one of your questions: the limitation of 5 and 5e is 100m. You can look into the limitations of the other cables. http://en.wikipedia.org/wiki/Category_5_cable



  • You should really use optical for building-building runs. Since the buildings are distant, it's possible for them to be at fairly different ground potentials. This can damage equipment and be a major safety hazard if someone touches contacts on an Ethernet cable. Plus it will get you the distance you need. This might complicate things for installation in the parking lot though; what facilities are available there, or are you trying to mount a small AP on top of a light standard or something?

    You can get 100baseFX (and even 1000baseSX) gear quite cheap on eBay these days. You'd need a couple fibre NICs or switch ports at your pfSense box, and then a media converter for your wireless APs, or again switch ports.

    If you keep all the APs on the same SSID and in the same network segment, the clients should switch to any of them on their own (but usually only when they totally drop signal with the old AP, which could be a problem for you).

    As far as guest access, proper commercial APs can do multiple SSIDs with different security settings, and then tag them with different VLANs. This might be a setup to look into, you could use no encryption with CP for guests and then WPA2-enterprise for your corporate clients. The problem is that you then need to buy enterprise grade APs, which aren't cheap. You might be able to use the Ubiquiti hardware (which I'd recommend anyway) with 3rd party firmware to do this, but I know their included firmware doesn't support it.

