Switching network between metered and unmetered connections

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-06-06 06:06:45 - last edited 2024-09-23 08:49:48
Model: EAP225  
Hardware Version: V4
Firmware Version: 5.1.6

I am trying to determine the best setup for my network, and I have several ideas that all might work, but I don't know which one is the best.

 

I'm on a ship that spends about half of its time in port and half at sea. We have three Starlink terminals, two for inport that are unmetered and one for underway that is metered. While underway, we limit access to prevent blowing through the data cap for underway. While inport, we open it back up for everyone onboard, as it's the ground-based connection that isn't metered.

 

My hardware configuration is an ER8411 with 3 WAN connections in, an OC300 on one of the LAN connections, and a LAN connection to an SG2218P, which then connects to a bunch of other SG2210Ps, which connect to a bunch of EAP225s.

 

Currently, I use one SSID for both inport and at sea, and I enable or disable MAC filtering and IP-based ACLs with DHCP reservations to control who has access to the internet while at sea. That is on VLAN 10. VLAN 1 is my management VLAN, which all the infrastructure is on. This works fine enough, but I'm trying to figure out a way to get each person 1GB of data per month to use, mainly so people can text their families back home while underway, again without blowing through the data cap.

 

My current thought is to build two WLAN groups, one for underway and one for inport.

 

The underway group has three SSIDs: a restricted, an unrestricted, and a special use.

  • For the restricted, I make a voucher based portal that gives each person 1GB each month of data. Everyone gets a code, and that's how their device gets registered. If you change phones, we revoke the previous voucher and issue you a new one. You lose that one, you get to come up with the best story you can find for why you are so terrible at keeping your phone, and we don't give you another.
  • For the unrestricted, I make a voucher based portal that gives either 1, 10, or 100GB per day based on what you need to do underway. Those get documented of who has what voucher so that I can maintain accountability of your data usage.
  • The special use SSID is so I can make short-term vouchers to fit whatever specific need someone has without adding them to the unrestricted network.

 

The inport group has one SSID. It's open to everyone, and I apply QoS rules to ensure the people who need bandwidth to do their jobs get the bandwidth.

 

When we transition connections, I just batch config all the APs to switch between WLAN groups. The WLAN groups stay apart so that people don't get charged against their 1GB of data while we are on an unmetered connection, but when we go to sea twice in a month it keeps the running data total underway when we switch back.

 

Each of those SSIDs gets a VLAN associated with it, along with different subnets. The underway networks will probably be something like 192.168.4.0/22, 192.168.8.0/22, and 192.168.12.0/22 for a crew of about 500. The inport will probably then be 192.168.128.0/17, because people generally like to connect multiple devices. The management VLAN will stay on 192.168.0.0/22 which it currently is.

 

I have several questions about the consequences of this configuration:

  • If people connect WiFi extenders to the network, will those bypass the portal authentication? They seem to show up right now as wired connections, which makes them much harder to control and regulate.
  • Is there a way to regulate anything showing up as a wired connection without also impacting wireless connections?
  • What about people connecting their own APs that aren't in the SDN? Will those bypass the portal?
  • How do the ports on the switches need to be set up? I can't seem to get the hang of what needs to be tagged vs untagged on the port profiles, and most guides seem to assume you already fully understand this.
  • Will doing a batch config on all of my APs to the inport WLAN group actually stop the running total on the underway data usage?
1 Accepted Solution
Re: Switching network between metered and unmetered connections - Solution
2024-06-07 00:32:14 - last edited 2024-09-23 08:49:48

Hi  @BHJohnson 

 

1. Your switch is an SG2218P; it can also be controlled by an Omada controller. When you configure the Portal, you can pick the whole network, not just the SSIDs.

2. Maybe create a new VLAN network for the wired-connected devices.

3. Portal authentication is based on the devices' MAC addresses. Although they can connect an AP to the switch, the client devices are still required to obtain an IP from the main router and pass authentication independently. (I know some kinds of mini routers can do authentication through their WAN port, but that's not a normal router/AP, and not many people know how to do that.)

4. With the controller, you don't need to understand VLAN tagging or untagging. The controller will create the profiles automatically. Just follow these principles:

  • If the port is connected to the router, switch, or AP, keep the profile as "ALL";
  • If the port is connected to the client devices, choose the network profile you want to put this client in.

For your network, I think the Local User portal could make it easier to limit network usage. I know it's not convenient to create user accounts for all your crew, but if you can do that, then you just need to enable this portal on the network/SSID when you are at sea, and disable the unmetered portals. Switching the portals could be easier than switching the SSIDs.

 

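The two port rules in point 4 of the reply, worked through as an added example (not from the thread or from TP-Link). It assumes "ALL" means VLAN 1 untagged with every other network tagged, that the switch applies ingress filtering, and it uses constructed VLAN IDs 20 to 50 for the new SSIDs.

```python
# Added example: 802.1Q tagging per switch port, derived from the two rules in the reply.
# VLAN 1 (management) is from the post; every other VLAN ID here is constructed.
MGMT_VLAN = 1
NETWORKS = {
    "management": MGMT_VLAN,
    "underway-restricted": 20,
    "underway-unrestricted": 30,
    "underway-special": 40,
    "inport": 50,
}
INFRASTRUCTURE = {"router", "switch", "ap"}


def port_profile(neighbor, client_network=None):
    """Return (native_vlan, tagged_vlans) for a port, given what is plugged into it."""
    if neighbor in INFRASTRUCTURE:
        # "ALL" (assumed meaning): management untagged, every other network
        # tagged, so the link carries each SSID's VLAN to the next device.
        return MGMT_VLAN, sorted(v for v in NETWORKS.values() if v != MGMT_VLAN)
    if client_network not in NETWORKS:
        raise ValueError("a client port needs exactly one known network")
    # Client port: the chosen network untagged, nothing tagged.
    return NETWORKS[client_network], []


def ingress_vlan(profile, frame_tag):
    """VLAN a received frame lands in, or None if the port drops it.

    Assumes ingress filtering: tagged frames for VLANs the port is not a
    member of are discarded.
    """
    native, tagged = profile
    if frame_tag is None:
        return native  # untagged traffic joins the port's native VLAN
    return frame_tag if frame_tag == native or frame_tag in tagged else None


if __name__ == "__main__":
    ports = {
        "uplink to ER8411": port_profile("router"),
        "EAP225": port_profile("ap"),
        "wired client (inport)": port_profile("client", "inport"),
    }
    for name, (native, tagged) in ports.items():
        print(f"{name:24} untagged={native:<3} tagged={tagged}")
    # Same VLAN 1 tag, two port types: filtered on a client port, accepted on "ALL".
    print(ingress_vlan(ports["wired client (inport)"], MGMT_VLAN))
    print(ingress_vlan(ports["EAP225"], MGMT_VLAN))
```

Ports that face cabins or other untrusted jacks are the ones to move off "ALL", since whatever is plugged in there then receives only the one untagged network.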