Extending Wi-Fi Across a Castle's Grounds

So Friday I have a new internet provider setting up 12mb download service at the castle. It's satellite (Exede), but it's better than Hughes.net. Once I have a pipe worth sharing, I need to extend my wireless coverage. It's currently set up off a single router in the castle proper, and only covers a portion of that. I need to extend it throughout the castle, as well as out to and across the entire village complex - probably an area of 5 acres or so.

At home I extended my wireless range by simply adding a second wireless router, hardwired into the network, with the same SSID on different channels. At the castle I'm not going to be able to get a hardwired connection out to the village without trenching. Is it possible to extend my wireless range in a purely wireless manner? Can I set up a second wireless router while it's connected via Cat5, then disconnect it and move it to the edge of the current wireless range? Or once it's disconnected from the wired connection will it stop working as an extender? What other options do I have?

Thanks again to the GWJ Tech Horde!

I would look into the capabilities of outdoor WiFi repeaters such as this:

Amped Wireless Wireless-600N Pro Repeater

Agreed. I use this repeater/access point in my house. You can connect a computer to it via ethernet and use it as a wifi signal repeater from the wireless router.

Setting them up isn't that complicated but it generally isn't as easy as the instructions make out (usually due to translation issues).

So perhaps one of Nevin's access points in an upstairs room (near the roof access) to pick up the signal from the router down in the office. Then cable from that up to one of Gorilla's repeaters mounted on a pole on the roof...

Thanks guys, I'll give those a shot.

Check out ubiquiti.com
I've started using some of their managed APs and really like the price and usability.
They have outdoor antennas and something called AirFiber that looks really awesome.

I'd recommend using a series of tubes:

There are a lot of things to consider. Distance, line of sight, interference from other radio devices, etc. If you honestly don't know what you are doing, hire someone good. If you really want to do this wirelessly, see diagram below. We currently use Ubiquiti NanoStations.

Honestly, I would trench, and did so after learning my lesson on wireless. My biggest issue when I wired an entire apartment complex was that I had these point-to-point wireless backhaul radios that sat on top of each apartment building and fed into a Tut system using the building's phone line, and the radios kept getting hit by lightning, which fried them.

We eventually gave up and trenched to each building and fed it to a coax network with modems and all.

This is a very poor and rough sketch of basically what you need.


I didn't even think of the fact that I'm going to need to set up a separate switch for guest access in order to segregate it from the office computer. More stuff to research, yeah! (That's only half sarcastic. I do enjoy learning this stuff. Just so much of it all at once.)

If you're still learning networking, this is probably one thing you want to leave to professionals. In addition to the logistics (which others covered), you're going to want to make sure that your two networks are completely logically separate, since you've obviously got sensitive data in your own network.

Nevin73 wrote:

Agreed. I use this repeater/access point in my house. You can connect a computer to it via ethernet and use it as a wifi signal repeater from the wireless router.

Setting them up isn't that complicated but it generally isn't as easy as the instructions make out (usually due to translation issues).

These types of repeaters basically halve local bandwidth if I'm not mistaken. But if you're only sharing 12 Mb, that might still be OK.

Train ravens to carry burned DVDs.

If it were me, I'd hire professionals and learn from them as they worked. Let them handle the design and do all the difficult stuff, then finish whatever parts I think I could manage myself. The other nice thing about bringing in pros is if something breaks you can always get them to come back and sort it out. As for the setup itself, trenching will definitely be the most reliable and may be the cheapest, with a directed wireless option as the alternative. Peppering the place with access points isn't likely to give you the service you want.

One other thing to be aware of... I don't know how old this place is or what it's made of, but there's a chance that a WiFi signal won't propagate very well through walls in there. If you haven't already, I'd stick a WiFi router in various locations and use an app like inSSIDer to see where the signal goes and where it doesn't. Pros should do this for you, but it may help you to get an idea of how much interior work might be needed.

To expand on complex's post, if you are dead set on doing this yourself, get the floor plans and do something like this. http://www.metageek.net/products/map...

That way you can plan out potential coverage, deploy it, measure actual coverage and adjust based on what you record.

It occurs to me that I may not have been clear enough on this point: wired connections are better.

That is all.

I have to say, when I posted I completely didn't think about the size of the grounds or the need for separated networks. Yeah, I'd go with what the smarter forum members have posted. Hire a professional. Or better yet, a really smart CompSci college freshman.

You probably ought to get a professional involved, Teneman. This is a big enough area to cover that it's going to need some clever design.

If running fiber wouldn't work, I'd probably be trying to set up dedicated 802.11n backhauls, up on 5 GHz, to each separate location where I wanted clients. Each backhaul would get a dedicated pair of APs; all they'd do would be bounce the signal back and forth. (One would be the master, and one would be in 'client bridge mode'.) There'd be a master switch that all the master APs plugged into, and then a router to the outside world. On the client end, each of the 11n APs would have an 11g AP plugged in, broadcasting a regular network for guests. So guests would talk to the 11g access point in each location, and it would talk over wired to the 11n client, which would forward the packets to the associated 11n master through the air. Then the master AP in each pair would forward the packets to the outside router.

Your work network could just be another AP/firewall, attached to the external router. Note that it NEEDS to be a firewall if you want to be protected from guest traffic.

Overall, it would end up looking kind of like this:

edit: I forgot a legend here. In this diagram, BAPs are bridging APs, your backhauls. I drew four of them, but you could have more or fewer. HAP is the Hotel AP. I show it as wired, but you could run a wireless if you wanted to. GAPs are Guest APs, the networks that guests actually connect to.

                         INTERNET
                            |
                External router/NAT/firewall
             |       |       |       |       |
           BAP1    BAP2    BAP3    BAP4    HAP1
             .       .       .       .       |
             .       .       .       .   HOTEL NETWORK
             .  (wireless N) .       .
             .       .       .       .
           BAP5    BAP6    BAP7    BAP8
             |       |       |       |
             |       |  (wired)      |
           GAP1    GAP2    GAP3    GAP4
             .       .       .       .
             .  (wireless G) .       .
             .       .       .       .
          area 1  area 2  area 3  area 4
          clients clients clients clients

In essence, you're setting up 'islands' of connectivity, the (heh) G spots. The islands can be quite large, but covering the entire grounds would probably take a lot of equipment to do properly. This approach should give you excellent throughput with minimal wireless interference; by using the separate N backhauls, on different channels and on different APs, you're never asking much of any one unit. You're breaking a complex problem down into a bunch of simple ones. First, get the Internet out to your islands via 11n; then distribute it via 11g.

Doing the IP numbering could be a little involved. The easiest way to handle it is with a double layer of NAT. If you get more than 1 IP from your provider, then you could assign those IPs to BAPs 1 through 4, and to HAP, and then do NAT only at that layer.

You should seriously consider doing fiber runs instead of wireless; it'll last for freaking ever, and there's a huge number of possible wireless hassles you just avoid completely. It also means you can use dumb switches you never have to think about, as opposed to APs, which need constant firmware updates. You'll still need APs for guests, but the fewer you have, the less time you'll spend with them.

Note that you'd need reasonably good switches, ones with fiber ports. These are not insanely expensive anymore, but they're not especially cheap, either. I haven't seen a map of your grounds, but I'd guess you could probably wire the whole thing for, oh, probably under $7500. You'd need an external router (a fairly good one), one master switch with a bunch of fiber ports, daughter switches on the other end with one fiber port each, and then a cheapo AP attached to each switch. Your hotel network could probably just plug into the master switch, possibly with an AP for that, if you want it to also be wireless. You could also have a guest network up there, but that would need to plug into the master switch next to the hotel AP, not behind it.

You should be able to get a good solid twenty years out of fiber, possibly a lot longer, depending on what technology does. Fifty years might be completely possible.

Oh, you could also be somewhat risky and run copper instead, but it's usually not a good idea to run copper between buildings. You end up with ground-potential differences and constant current flow. Fiber keeps the buildings electrically isolated. Fiber is also immune to lightning, and lightning seems pretty darn common in the Midwest. If you've run copper, one hit could take out the entire network, but with fiber you should only lose the equipment in the building that was hit.

Again, I'd suggest getting a professional involved.

Nevin73 wrote:

Or better yet, a really smart CompSci college freshman.

I... would avoid this choice. A CS freshman almost certainly incorrectly believes they know how to set something like this up. Think of this more like installing phones in every room if you didn't already have phones in them. You really don't want someone who thinks they know how phone switches work based on having a phone in their room as a kid doing that, do you?

Look into professional options and see what you can afford. That way you also figure out who you can pay to help you if everything suddenly goes wrong. Full coverage is likely to be expensive--so think about what you can afford to spend, and what kinds of trade-offs you might be able to make in terms of coverage.

Most importantly: Think in terms of what practical effect you want, not what solution you want. If you hire someone and they know your motivations, they'll have a much easier time helping you figure out what's practical than if they have to try to work back to your motivations based on what you ask for.

(For example: "I want to make sure the majority of rooms have good Internet access of some sort, and I want coverage of most of the common areas for wireless access." is a goal, but "I want to extend my main wireless to cover all the rooms." is a proposed solution.)

Good luck!

(And don't be too disappointed if it turns out that doing everything you want to do right away is more expensive than you can afford. It's kind of a hard problem, which is part of why so many hotel Internet services are crappy. If that's the case, see if you can come up with a plan that allows you to invest more later to improve things without having to replace everything.)

Best plan: Offer Malor and/or Edwin a free stay at Castle Ravenwood.

Between the two of us, I'm sure we can ghetto rig something into place. Still better idea to call in professional installer to trench fiber like Malor said, but I won't say no.

Grumpicus wrote:

Best plan: Offer Malor and/or Edwin a free stay at Castle Ravenwood. :D

Pillow of heterosexuality included at no charge!

Well Exede went in last night. I'm not hitting the full 12mb download speed, but it's still much faster than Hughes.net. And I'm not sure the speed tests are accurate with the satellite, they seem to vary rather wildly.

I'm not able to invest in trenching at this point, too many other projects that take higher priority. For now I'm going to get a few extra wireless routers and set up a separate network within the main building itself. Not ideal, but better than what's available now.

Once I get to the point where grounds wide networking is at the top of the list, I'll give you guys a call

Well, wouldn't you know it. NOW all of the sudden Frontier has got DSL available. Yes, literally two weeks after telling me it was impossible, and one week after I had Exede put a dish on the roof.

So here's the question. I may cancel the dish if the cancellation terms aren't too onerous. If they are, it still may be more cost effective for me to add the DSL (giving me uncapped bandwidth) than it is for me to bump up to the next level with Exede, (which would still be capped).

So if I end up with both, is there any way for me to dynamically assign what types of traffic - or from which sources - use which internet service? I'd like to have the guests use the DSL, and my backups use DSL, but normal office traffic use the dish, for instance.

Not sure what the contract terms would be, but why not use both? Use Hughes for your business connection and the DSL for the guests. That way you don't have to worry about keeping the networks separate because they will be separate and you don't have to worry about guests jacking your rates by exceeding the cap.

Nevin73 wrote:

Not sure what the contract terms would be, but why not use both? Use Hughes for your business connection and the DSL for the guests. That way you don't have to worry about keeping the networks separate because they will be separate and you don't have to worry about guests jacking your rates by exceeding the cap.

That's actually exactly what I've been thinking. With the exception that I'd like to use Logmein Backup, and would need that to be on the DSL as well. So not sure if I can use the dish for normal office, but somehow have the backup of those same office computers go through DSL.

Well, yes, that sort of thing can be done, but it can potentially get really, really nasty and snarly.

You'd probably need a separate router on your office network edge, one that had three interfaces... one pointed at the external router for the satellite, one pointed at the external router for the DSL (ie, on the same network with your hotel guests), and one on the office network. You'd want a firewalling engine on it too, so that people wouldn't be able to cross into your office network via that router. A small Linux box would probably work well.

The basic idea is that you want the default route to be out the satellite, but then the backup traffic needs to go out the DSL. Normally, routing is done based on destination IP address. An unusual approach, but one that might work, would be to set up routing based on source or destination port instead. All traffic aimed for, say, port 7733 might automatically be given to the DSL.

Linux routing is amazingly flexible, but that's a very strange thing from a routing standpoint, so I'm uncertain if it's doable without doing some digging. If you could guarantee that all Logmein traffic would be aimed at a specific port, this might be an approach that would work, and it wouldn't require any maintenance once it was up. (unless the port changed.)

A more normal approach, from a routing standpoint, is to identify the Logmein network servers, and then set up manual routes on the Linux box saying to send any traffic aimed at those networks to the other router. This would mean you would need to determine exactly what IP ranges Logmein's servers are on, and then you'd have to monitor that list for changes. (Logmein might not even be willing to tell you what their network ranges are, and they certainly aren't going to be updating you if they add new data centers as their business grows.)

If you could set up a specific source or destination port for the backup process, you could block all communication on that port out the satellite link, so that it wouldn't accidentally back up on the expensive link if their servers moved.... but then your backups would just mysteriously start failing, and you wouldn't immediately know why.

If you can guarantee the outbound port, and if I'm correct that Linux can route on ports, rather than just IP addresses (again, this is REALLY WEIRD from a networking standpoint) then I suspect that's probably the easiest way to handle the problem. But whether you can find anyone in rural Ohio with a reasonable degree of Linux, firewalling, and routing experience... that I dunno.

I don't think I'll be able to get up there myself, and this isn't the sort of thing that's easy to do remotely. If we determine that the Linux ip engine can do what you need, maybe one of the other Linux geeks can get up that way, and get you set up. You wouldn't need a very big or fast machine, maybe something like a little Soekris unit, if your chosen technician knows how to build a headless Linux box. (Soekris machines have no video hardware, only serial.... they're little machines about the size of a big paperback book, usually, designed to be used in fairly extreme environments. The current generation is running Intel Atom processors with Intel networking, which would be way plenty fast to handle what you need. Earlier units were much slower.)

A really quick search suggests that, yes, routing can happen based on dport -- you'd use the iptables engine (the firewalling ruleset) to mark packets aimed at a destination port with a label, and then you'd do routing and NAT based on those labels. There are a number of ways this could be problematic trying to all happen at once on the same router.... I recall there being some messiness about which layer of the Linux packet-handling engine is working at which time.

I'm reasonably confident that this can be made to work, but like I was saying earlier, it's nasty and snarly.
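The mark-then-route approach described in the last few posts, written out as an added example for this thread (it is not code from Malor or any other poster, and nothing here has been run on the castle's network). It assumes a Linux box with three interfaces as sketched above: eth0 on the office LAN, eth1 toward the satellite router (the default route), eth2 toward the DSL router at 192.168.2.1, which is shared with the guest network. The backup port 7733 is the placeholder from the thread, and the routing table number 100 and firewall mark 0x2 are arbitrary choices. By default the script only prints the iptables/iproute2 commands (DRY_RUN=1); set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example: steer one destination port out the DSL link on a Linux router
# whose default route is the satellite link. All names below are assumptions.

LAN_IF=${LAN_IF:-eth0}           # office LAN
SAT_IF=${SAT_IF:-eth1}           # toward the satellite router (default route)
DSL_IF=${DSL_IF:-eth2}           # toward the DSL router, shared with guests
DSL_GW=${DSL_GW:-192.168.2.1}    # assumed DSL router address
BACKUP_PORT=${BACKUP_PORT:-7733} # placeholder port from the thread
MARK=0x2                         # firewall mark meaning "send via DSL"
TABLE=100                        # custom routing table consulted for marked packets
DRY_RUN=${DRY_RUN:-1}            # 1 = print commands, 0 = execute them (needs root)

# Print or execute one command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the full ruleset. Order matters: the mangle table tags packets before
# the routing decision, the policy rule picks the table, nat/filter run after.
policy_route_rules() {
    # 1. Tag by destination port. PREROUTING catches forwarded LAN traffic,
    #    OUTPUT catches traffic the router itself originates.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$BACKUP_PORT" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --dport "$BACKUP_PORT" -j MARK --set-mark "$MARK"

    # 2. Marked packets use a second routing table whose default is the DSL gateway;
    #    everything else falls through to the main table (satellite default).
    run ip route add default via "$DSL_GW" dev "$DSL_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"

    # 3. Masquerade on each uplink so replies come back on the link they left by.
    run iptables -t nat -A POSTROUTING -o "$SAT_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$DSL_IF" -j MASQUERADE

    # 4. Guard rail from the thread: if the policy route ever stops matching,
    #    the backup port must not quietly fall back to the metered satellite link.
    run iptables -A FORWARD -o "$SAT_IF" -p tcp --dport "$BACKUP_PORT" -j REJECT

    # 5. Loose reverse-path filtering on the DSL side, otherwise the kernel may
    #    drop replies that arrive on an interface the main table would not have chosen.
    run sysctl -w net.ipv4.conf."$DSL_IF".rp_filter=2

    # 6. The DSL side is the guest network: allow only replies to office-initiated
    #    connections back in, drop everything else aimed at the office LAN.
    run iptables -A FORWARD -i "$DSL_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$DSL_IF" -o "$LAN_IF" -j DROP
}

# Print the plan when invoked directly; a test harness can call the function instead.
[ "${1:-}" = "--show" ] && policy_route_rules
```

Run with `--show` to review the generated commands before applying anything. The "messiness" Malor recalls is mostly the ordering in step 1 versus step 2: the mark has to be set in the mangle table, which runs before the routing decision, and the `ip rule` lookup is what turns that mark into a different default route; NAT then happens per egress interface afterwards. The REJECT in step 4 makes a broken policy route fail loudly (backups error out immediately) instead of silently burning the satellite cap, which is the trade-off discussed above.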

Can't programmable routers be set up to change the default route based on whether a link is active? For corporate networks, failover to a backup link tends to be pretty automatic. It's been ages since I've programmed a router though, so I have no idea of the specifics.

Well, yes, but what he wants to do is have both links live, but send some traffic one way, and some traffic another way. That's what routing is, but routing decisions are normally made based on destination IP addresses (and, sometimes, source IPs) -- it's very unusual to want to send traffic aimed at a particular port down a different link.

If he knows all the IP addresses that the backup servers can use, then the routing can definitely work... that's routing on destination IPs, which is what routing normally is. But routing all traffic aimed at a given port is much harder. I'm sure it's possible, but it will be tricky, and it might potentially take two routers.

Basically, routing is just making a forwarding decision... where do I send this packet? And that decision is normally made first by destination IP address... the router first determines valid directions for the packet to go, and then it chooses the 'best' one. What constitutes 'best' can be defined in many different ways.

In the example you're thinking of, the primary link is considered 'best' for all traffic, so normally everything goes out that way. But when the primary link fails, the next best link moves to the top of the list, and all the traffic goes out that way instead. If and when the primary link comes back up, the traffic moves back over there as soon as the router finishes running the calculations that show it that the primary link is best. Those calculations can be essentially instant, for a small router on the edge of a network, or they can take a fair bit of time, if it's a major router with multiple interfaces running BGP. Once the calculations are done, the primary interface starts carrying most or all of the traffic again.

Disclaimer: I am not a networking professional.

I don't know if this is simpler or not but what about doing something like a shadow copy to a second machine that gets its internet from the DSL? Then that machine could be the one that uses remote backup. Bonus: you have an on-site backup as well as an off-site.

     Satellite                              DSL
         |                                   |
     Router/Modem                       Router/Modem
         |                                   |
     Private Network                    Public Network
         |                                   |
     Master-----------Router/Firewall-----------Backup

With a firewall between the two networks, this should be secure enough - especially if you can VLAN the backup server from the rest of the public network.

Ah, I misunderstood. I thought the office would use satellite and fail over to DSL and guests would use DSL and fail over to satellite. I didn't realize the routing was more fine-grained than that.

Well, I'd thought about a multihomed server, but I was assuming that he'd want to be backing up multiple machines directly to the outside provider. If he can do all his backups locally to one machine, and then back that one machine up over the DSL (by telling it never to talk to the Internet via the satellite), then that would work, and would be easier. But that also puts his backup server on the guest network, so evil guests could potentially hack into it.

And, since he's going to be providing a free WiFi service, he's also directly exposing his backup server to anyone within miles with a good antenna and a sense of mischief.