Neighbourhood isp

[Ray Taylor]

Hi all.
My first post here.

I am looking at setting up a neighbourhood isp and need some advice.
Basically the plan is to have a server based on Kerio Winroute firewall. I
have a licence for and am expierenced at administering it.

The problem is this. How can my customers / neighbours connect to me.
Basically the only option is wireless. This i thought is pretty simple -
just stick an antenna on my roof which can see just about everyone else in
the neighbourhood and then have it bridged to each customers ap and down to
their computer.
Unfortunatly, if my customers are the way i expect them to be, they have
more than one computer and the web login to kerio doesnt always work well
and lets things like msn through without counting their bandwidth.

I also dont want someone else setting themselves up as a client (WEP or WPA
will not be used at all!!!) and then having their own proxy server on the
network to their isp to bypass my nat gateway / kerio. I also dont want
users able to connect to each other.

Next i thought VPN. Kerio has a vpn server built into it and i thought that
if i had a router at the client end, routing traffic back to me, that would
stop them talking to each other, but then only a few computers on the client
network can connect through their router.

So i guess my question is this:
Does anyone have an idea on how i can have my clients connect to my server
on the network, while keeping their network private, and not being able to
directly communicate with other users on the network. eg. 192.168.1.5 cannot
talk to 192.168.1.6 without going through the gateway and having their
access authenticated?



Thanks,

Ray Taylor

 

[Kurt]

You'll need to be sure everyone has a router. One important thing here,
though: You're offering INTERNET. Internet IS public. Anything that is
connected to the Internet is public. So as an ISP, it's not your
responsibility to secure your client's networks. You can't stop them from
connecting to each other. That's what the Internet is all about. But by
forcing them to connect through a router, you'll make them do it at
layer-three instead of layer-two which should help you with bandwidth
provisioning and accounting.

Just for the record, wireless sux for the most part. Even if you buy a
mega-blast system with a big-dog antenna, your users half a block away
arent' gonna get a connection from their $19.99 pcmcia wireless NIC on the
laptop in their basement. They'll get 5 bars and no connect because their
transmit signal is non-existant beyond 35' from their station. Not to
mention that everybody and his brother has an 11b or g box in their living
room with all the default settings. It really messes things up.

....kurt

 

[Ray Taylor]

That is true.
I am using probably a 20db omni and a 400mw seano accesspoint at my end up
on the roof, and then i have line of sight to about 20 houses on the block
and i hope to have about 5-10 sign up.

Client equipment would be something like a 15db yagi and a linksys wrt54
then a cat5 cable down to their computer or if they have more than one
computer, i will charge extra on their monthly account to stick a 802.11b ap
on the roof which their laptops / desktops can talk to and then have it
'relayed' throught the wrt54 back to my house.

I am also not doing this as a business although i wouldnt mind a small
amount of income from it. I am primarily doing this because in New Zealand
we have very high internet costs. Its about $51 USD / $80 NZD for a 3mb
down/ 512k up and 10gb per month here and dsl is the only option.

I have an agreement with my isp so that i can buy topup blocks of data on
top of that $80 and then just charge each user $30 per month.

As for the not talking to each other, the telco has a system where if you
set your dsl router to login as (e-mail address removed) then you have internet
access, but if you login as (e-mail address removed) you have full 8mb /
1mb access to their game servers. You can communicate to these servers at
full speed, but you cant ping or talk other users on the network (even if
their firewalls permitted). We could never find a way to transfer files
through a game server.
I would like to do this so that no user at the other end of the block can
connect up to my network and start sharing their internet access because i
am putting a couple of thousand worth of investment into this.

Hey you wouldnt know of a way to get the clients to authenticate to a server
would you? i am looking for a way to authenticate users, but not have them
login through a web portal to gain internet access all the time. I am
thinking if a family has more than one computer at their house and dont want
the kids to know the password. I thought of a vpn but that wont work if most
routers on my customer equipment side wont handle more then 1 or 2
passthrough connections.


Any ideas???


Thanks