ProSoundWeb Community

Church and H.O.W. – Forums for HOW Sound and AV - Your Displayed Name Must Be Your Real Full Name To Post In The Church and HOW Forums => H.O.W. AV => Topic started by: Stephen Swaffer on August 11, 2014, 09:53:18 PM

Title: Inconsistent Wifi access
Post by: Stephen Swaffer on August 11, 2014, 09:53:18 PM
Our pastor likes to use Keynote with either an iPhone or iPad to control the presentation; lately we have been having trouble getting devices to talk even though they appear to be on the same network.  Short on time to get the setup done, I had another member help, but I think I am going to have to dig in and get it fixed.  I would prefer a standalone network for media, but for various reasons I think we will wind up on the church network.  We have a wireless router in the office, but to get better wifi in the auditorium we added another router that he set up as a WAP.  He said all he had to do was use the same network name?

When I use inSSIDer, I find two networks with our SSID, a Belkin and a Netgear - the 2 "routers".  My Android device shows one network with our SSID, and Apple devices show a network with our SSID and a second called "our SSID".media.

This shouldn't be difficult, but I don't understand what I am seeing.  I am a newbie at using multiple WAPs and with Apple products - and I usually only get hands-on with the Apple stuff for a few minutes before the service when we are in a full court press to get it up and running.  I am not even sure our setup "should" work?



   
Title: Re: Inconsistent Wifi access
Post by: Cailen Waddell on August 11, 2014, 11:57:02 PM
So to completely oversimplify it, a wireless home router has 3 parts:

The router, which is like the air traffic controller, identifying devices and deciding what goes to whom

A switch, which lets multiple wired devices connect to the network

A WAP, or wireless access point which allows devices to connect wirelessly to the network

A network only needs one router, but can have multiple WAPs and switches.  One of your two wireless routers needs to be 'in charge' and the other needs to follow.  In order to do that, one router should have its WAN port connected to the LAN port of the in-charge router.   The follower router should also be put into bridge mode.

This allows all devices on the network to see each other.


Unfortunately, you'll probably run into a bigger problem. When everyone in the congregation shows up and all of their cell phones try to access the wireless in the sanctuary, your small home office routers will probably get overwhelmed.  They will not be able to handle the number of connection requests and could kick your pastor's iPad off.  The solution is a network just for production, with a password and hidden SSID, usually operating in 5 GHz mode only (if your pastor has a new enough iPad to do 5 GHz).
Title: Re: Inconsistent Wifi access
Post by: Stephen Swaffer on August 12, 2014, 12:40:29 PM

Unfortunately, you'll probably run into a bigger problem. When everyone in the congregation shows up and all of their cell phones try to access the wireless in the sanctuary, your small home office routers will probably get overwhelmed.  They will not be able to handle the number of connection requests and could kick your pastor's iPad off.  The solution is a network just for production, with a password and hidden SSID, usually operating in 5 GHz mode only (if your pastor has a new enough iPad to do 5 GHz).

We use Line 6 wireless mics, so I have been wanting to get to 5 GHz WiFi anyway - inSSIDer sees a bunch of 2.4 GHz wifis - most disappear when mics are turned on (no doubt just interference).
If a device - my ASUS or pastor's iPad - has 5 GHz capability, will there be a setup screen for it?  inSSIDer allows me to look at 5 GHz, of course, but it is not seeing anything, making me wonder if my ASUS has 5 GHz capability.

Network is password protected already.  If SSID is hidden, will that help avoid connection requests?  My original setup - 5 years ago or so - used a hidden SSID.  When that router died, I was not asked to set up the new one and the SSID was not hidden on the new setup.  I can get that changed, but it will help if it is not "my idea".

So, I found specs and my ASUS does not do 5 GHz - and the .media SSID was a 5 GHz. One mystery solved.  I logged into the router and found 25 devices logged in, many by people with less reason to be on there than myself; since I did not have the wireless password, I assumed it was closely held.  Guess not!

Unfortunately, "home routers" don't seem to play well with other devices.  No "bridge mode".  One does do a WAP, the other only allows a "repeater" function.

I plan to follow Cailen's advice and push for a production network.  The 2.4 GHz and 5 GHz on the two "routers" have different SSIDs.  Does that equal separate networks?
Title: Re: Inconsistent Wifi access
Post by: Jonathan Johnson on August 20, 2014, 05:11:28 PM
A network only needs one router, but can have multiple WAPs and switches...

Cailen's on the right track. However, I'd recommend that the second router (the one in the auditorium) be wired with a cable from the LAN side of the office router (which I'm assuming is the main router that connects the LAN to the Internet) to the LAN -- not the WAN/Internet -- side of the auditorium router.

To set up the auditorium router, give it a LAN IP address on your local network (but not the same IP as the office router! The last octet must be unique). Set up the WAN interface as DHCP, and leave it disconnected. Set the wireless network settings (SSID, security mode, passphrase) the same on both routers for convenient roaming, but make sure the channels do not overlap. Also be sure to disable the DHCP server on this router.

I've used this configuration many times. It works, but it's definitely not a strong, commercial/production network. It's a cheap way of implementing a second WAP in a network; inexpensive routers are cheaper than dedicated WAPs.

* * * * *

There are a few issues with WiFi that are easily overlooked.

First is that a WAP (Wireless Access Point) acts kind of like a simplex hub, not a duplex switch. For example, if your wireless network allows 54 Mbps, that bandwidth is shared among ALL WiFi devices attached to that WAP. A switch may allow gigabit speeds on each port, but the "switch fabric" or backplane provides for much greater speeds. So ports 1 and 2 can talk to each other while ports 3 and 4 talk to each other at the same time at gigabit duplex speeds. So the effective load on the backplane of the switch can be 4 gigabit in that instance. (A 48-port enterprise grade gigabit switch may have a switch fabric capacity of 100Gbps, even though each port is only capable of duplex gigabit speeds.) In a 54 Mbps wireless network, if devices A and B are talking, A can send packets to B at 54 Mbps. But if C and D want to talk at the same time as A and B are talking, each can be limited to half of that, as the TOTAL speed the WiFi "backplane" can handle is 54 Mbps. If you've got a bazillion devices on your WiFi, the performance between any two devices can go to zilch.

The second issue is that if you use the same SSID on all of your WAPs, there's not really any way to control which WAP your devices connect to. Most of the time they will connect to the strongest signal, but I've seen where a device will connect to WAP A (because it's strongest at the time), then the device can be moved to mere inches from WAP B, but it remains connected to WAP A because the signal from WAP A hasn't dropped below the threshold which will trigger renegotiation.

The third issue is that renegotiation when you move from WAP to WAP can result in several seconds of downtime. This is especially true if your WAPs are different brands. Some WAPs support roaming better than others. Two brands that support roaming very well are Ubiquiti UniFi and SonicWall -- they will share authentication with each other so when you are authenticated with one it doesn't require reauthentication when you roam to a different WAP. (The Ubiquiti UniFi is much more affordable than the SonicWall SonicPoints, which require a SonicWall firewall to act as a controller.) There are other brands as well, but these are the two that I have experience with.

(EDIT: Clarified brand name. Unifi is a series of products made by Ubiquiti Networks.)
Title: Re: Inconsistent Wifi access
Post by: Jonathan Johnson on August 20, 2014, 05:21:54 PM
There are a few issues with WiFi that are easily overlooked...

One more: many WiFi routers and WAPs now have a security feature that prevents wireless devices from communicating with each other (often called "client isolation"). You will need to turn this feature off if you need WiFi devices to communicate with each other. Some routers also have a "guest" mode that only allows the WiFi clients access to the Internet; they block traffic between WiFi devices and other wired devices on the LAN.
Title: Re: Inconsistent Wifi access
Post by: Stephen Swaffer on August 20, 2014, 08:28:35 PM
I understand networking basics - wired networks are easy.  Wireless - and especially wireless roaming - is where things get fuzzy, and I don't have the hands-on experience to make things fly right.

If I understand correctly, I have three options.

1.  The cheap WAP Jonathan suggests.

2.  A commercial/business class network with a router in the office to internet and a WAP.  Ballpark pricing on this?  I can look at audio gear and discern pro vs consumer, but not sure here.

3.  Would a dedicated production WiFi router make sense - using the WAN to our wired network for internet access?  I don't think signing into a dedicated network for "production" would be a big deal; it might even be a plus as a step that says "we are now ready to go live."

Pros/cons?
Title: Re: Inconsistent Wifi access
Post by: Scott Holtzman on August 20, 2014, 10:38:07 PM
I understand networking basics - wired networks are easy.  Wireless - and especially wireless roaming - is where things get fuzzy, and I don't have the hands-on experience to make things fly right.

If I understand correctly, I have three options.

1.  The cheap WAP Jonathan suggests.

2.  A commercial/business class network with a router in the office to internet and a WAP.  Ballpark pricing on this?  I can look at audio gear and discern pro vs consumer, but not sure here.

3.  Would a dedicated production WiFi router make sense - using the WAN to our wired network for internet access?  I don't think signing into a dedicated network for "production" would be a big deal; it might even be a plus as a step that says "we are now ready to go live."

Pros/cons?

Couple of things.  The double NAT of the second access point (if you could turn off NAT all the better) will mess up access to streaming and other real time apps on the Internet side of the equation.

Take a look at the Ubiquiti gear.  It supports roaming and multiple VLANs, and is surprisingly affordable.

Each wireless network and each VLAN needs to be in its own subnet.  You need a router/firewall on the Internet connection and an interior router to get between the inside networks.  For the budget conscious, a used Cisco 2811 is more than enough router for inter-VLAN traffic and has two Gig E ports.

If you can hook up the cables, a consultant can remote into a laptop with some type of WAN wireless (cellular) and config from the console ports until the network is up.  That way you save the expense of an engineer to set it up.

Have you seen if you have a network engineer in the congregation (not a jack of all trades IT trunk slammer)?  I know in my church I not only get to install/configure and maintain the equipment, I also donate it!

Title: Re: Inconsistent Wifi access
Post by: Jonathan Johnson on August 21, 2014, 12:51:45 AM
The double NAT of the second access point (if you could turn off NAT all the better) will mess up access to streaming and other real time apps on the Internet side of the equation.

Configured the way I suggested, there is no NAT layer to worry about in the second router. Configured with the WAN port of the second router connected to the LAN there would be unless you disable NAT and set routing up properly. However, you'd have two separate subnets, so should not use the same SSID. Using the same SSID and security settings would result in clunky if not unworkable roaming.

The way I've set things up for many of my customers is a SonicWall (the TZ 105 is an affordable model that can be purchased for less than $300) as the main firewall, then Ubiquiti UniFi access points. The SonicWall is very configurable, though there is somewhat of a learning curve to understand the way it works. Typically I set up the WiFi in a separate subnet/security zone from the LAN, so the customer can grant guests Internet access. I've never messed with VLANs on these, but I imagine you could set up the UniFi with multiple WiFi networks on different VLANs, and use the SonicWall to grant access to the wired LAN for one WiFi network but not the other. Maybe.

The SonicWall does let you create multiple subnets on its multiple interfaces. Each port is a separate interface, which can be configured either as discrete interfaces or as a switch.

Ultimately, the most secure firewall is the one that you understand the best. If you're a Cisco guy, then go for Cisco gear. If you're a Juniper guy, go for Juniper. I like SonicWall, because I've learned how they work and I understand them the best.
Title: Re: Inconsistent Wifi access
Post by: Scott Holtzman on August 21, 2014, 01:12:39 AM
Configured the way I suggested, there is no NAT layer to worry about in the second router. Configured with the WAN port of the second router connected to the LAN there would be unless you disable NAT and set routing up properly. However, you'd have two separate subnets, so should not use the same SSID. Using the same SSID and security settings would result in clunky if not unworkable roaming.

The way I've set things up for many of my customers is a SonicWall (the TZ 105 is an affordable model that can be purchased for less than $300) as the main firewall, then Ubiquiti UniFi access points. The SonicWall is very configurable, though there is somewhat of a learning curve to understand the way it works. Typically I set up the WiFi in a separate subnet/security zone from the LAN, so the customer can grant guests Internet access. I've never messed with VLANs on these, but I imagine you could set up the UniFi with multiple WiFi networks on different VLANs, and use the SonicWall to grant access to the wired LAN for one WiFi network but not the other. Maybe.

The SonicWall does let you create multiple subnets on its multiple interfaces. Each port is a separate interface, which can be configured either as discrete interfaces or as a switch.

Ultimately, the most secure firewall is the one that you understand the best. If you're a Cisco guy, then go for Cisco gear. If you're a Juniper guy, go for Juniper. I like SonicWall, because I've learned how they work and I understand them the best.

I was a Cisco guy for a long time; however, the past 5 years I jumped to the Juniper side of the street.  There are technical reasons, but it really got down to how Cisco treats customers and resellers.  I prefer my vendor to be my partner, not also my competitor.  Juniper knows the meaning of partner.

SonicWall I run from at full speed.  Won't even work on a network that uses one.  Just too many issues with VoIP.  Yes, you can get them to work, but it should not be that hard.

This is also way off thread.

I thought that the SonicWall would act as a wireless controller and support roaming?  I have never worked a venue large enough that I could not cover it with one AP, so I can't comment.

I know that I can hold a voice call on my Android phone with a SIP client as I roam between the two EnGenius APs on the same SSID at my house.

I did have to run the Zone Controller software from a VM, which could be an inconvenience for the venue.  The software controls access and fast handoff among other things.

Title: Re: Inconsistent Wifi access
Post by: Tim Padrick on August 24, 2014, 01:25:29 AM
This network is comprised of home grade routers (no bridge function).  The connections are all LAN port.  http://padrick.net/LiveSound/TheaterNetwork.htm
Title: Re: Inconsistent Wifi access
Post by: Eric Eskam on January 21, 2015, 06:37:48 PM
2.  A commercial/business class network with a router in the office to internet and a WAP.  Ballpark pricing on this?  I can look at audio gear and discern pro vs consumer, but not sure here.

I know this is an older thread, but if you are still struggling with this I would heartily recommend the Unifi wireless access points from Ubiquiti Networks (http://www.ubnt.com/unifi/unifi-ap/).  It's by far and away the most cost effective commercial system I have found.  I love mine!  Ubiquiti lists resellers on their website (http://www.ubnt.com/distributors/).  I've used Business Systems Connection over the years because when I first found out about the Unifi stuff it was new and they were the only ones that had 'em in stock.  I have just continued using them as they are fast and responsive whenever I have had a question, but the other resellers are probably fine, especially if you happen to have one local to you.

You can find the regular Unifi APs for around $65-$70, and they have a very nice three pack for $200.  I just installed another Unifi system in the church I grew up in when I was home for Christmas - the hardest part of the install was running cable to where I wanted to mount the access points.  The units utilize Power over Ethernet (POE) and the required passive POE injectors are provided so you don't have to worry about having power near where the APs are mounted.  Passive POE is a different POE standard than the "traditional" POE you see offered for most switches to run things like voice over IP phones, so you may still have to use the provided Ubiquiti injectors unless you have a switch that supports both POE standards.  No biggie really, but some people seem to get really hung up on that so just pointing it out.  They come out of the box with everything you need to make them work in your environment no matter what kind of switch you have.  No special cable is required for POE - standard CAT 5, 5e or 6 is fine.  If available I do prefer to use shielded cable, but it's not required unless you are doing stuff outdoors - anything outside should be using shielded cable.

Ubiquiti also has a Pro model for $200 that also supports 5GHz (the regular Unifi APs are 2GHz only), but at least at the four locations I have set up Unifi systems, 2GHz has so far been more than sufficient.  A real plus for the Pro APs - they use the "regular" POE standard that's more widely supported, so if you have a POE switch already and are installing more than a handful of units, the Pro could be worth it just for the tidy install.  I'm cheap so I use the injectors :)   You can mix and match the regular, long range, pro and outdoor Unifi APs in one system - they don't all have to match.

Three of the locations I have installed Unifi systems in are pretty remote from other people - if you're in the middle of a densely populated residential or commercial area, 5 GHz that the Pro model offers may be of more value/necessity.  I'd encourage you to start with 2GHz with a couple of units and if you find you really need 5GHz, you can always add a Pro unit to your high density location - such as the sanctuary.  But I would suspect it isn't necessary from what you have described - and it's significantly cheaper to not get the Pros (three regular radios to one pro!).  Unifi also offers an AC access point.  Since AC isn't finalized yet and VERY few devices support it, unless you REALLY need it I would definitely pass on the AC access points right now.

The really nice thing about Unifi is that all of the APs are managed from one point via the free controller software Ubiquiti provides, and whether you have 1 or 50 (or more) access points, you control and configure them all from that single management console.  The controller software does not have to be running once you get past the initial configuration and setup, but if you have a server or other machine you can leave the controller running on, it provides some very nice usage stats and history functionality.  If you wish to offer an open guest network, the stats the controller provides are nice to see if you have any neighbors mooching your wifi and causing performance issues.  If you find such you can ban devices by MAC address - pretty handy (thankfully we haven't had to do that yet).  If you leave the controller running, it also has a nice built in portal for the guest network where you can require users of the guest network to acknowledge terms of service or if you have problems with neighbors you can also use vouchers and codes to control access to the guest network.

The system supports up to four individual wireless networks (unique SSIDs) per system (where a system is all APs that are managed by one controller).  It has guest network functionality built in that will let you offer an open guest network where guests won't be able to see devices on your network or other guests on the guest wifi - they will only have Internet access, all without needing a VLAN.  They also support assigning wireless networks to individual VLANs and if you have a managed ethernet switch that is VLAN capable, this is absolutely the way to go - but I have used the Ubiquiti provided guest network with unmanaged switches with no issues and consider it perfectly viable/secure.

In general, whether using Unifi or not, you want to set up your networks with the same SSID, and if password protected the same credentials, and let devices choose when to roam from one device to the other.  If the devices are next to each other, they should be on unique channels - 1, 6 or 11 are the "pure" channels, so those are the only ones you should be using.  If you pick, say, channel 4 you will be overlapping on channels 1 and 6 - not good!  The nice thing about the Unifi system is, all of this is done for you automatically - you can even let it pick the radio channels automatically.  I'm normally not a fan of auto-configure stuff like this, but so far the Unifi controller has been pretty reliable in spacing out the channels appropriately and not overlapping channels.

As for hand-off, unless you are supporting VOIP over wifi (you really don't want to, trust me), wireless devices have handoff/migration capabilities built into them.  Unfortunately there are few standards that are implemented inconsistently across manufacturers so often devices will "hang on" to poorer performing APs as they move away from them, even if there is a much better AP that could provide a much better connection now available to them as they move closer to it.  The only way to really combat this is to do something that at first blush seems counterintuitive - turn the power of your APs down!  This forces devices to "let go" of poorer performing APs more quickly.

However, if in turning down your APs you now have holes and you need more APs to provide adequate coverage, then that's what you should do - add more APs running at lower power and ensuring you don't have two APs on the same channel overlapping with each other.  I'm glad to see you know how to do a site survey - that's the biggest key to being successful with wifi - seeing how the radio waves work in YOUR environment.  Ubiquiti does have a zero hand off solution that purports to get around some of these issues - it requires a beta version of the controller software and the controller software to be running at all times - so far I haven't found it a necessity and I can see devices move from AP to AP as people walk around the building.  Where people get problems is they have multiple APs blaring away at full power on the same channel so that devices can "see" both APs.  Not good.  Juggle your physical layout and radio power to ensure that any one device can only see one AP on channels 1, 6 and 11 and you will be 98% there towards having a fast performing and stable wifi network with happy users.

You don't want to try to put one uber-powerful AP in the middle of the building and try to get all devices to work off of it.  1st of all, unless you get into the really higher end systems that are in the thousands of dollars you can only really support about 30 or so active devices on a single AP (and those thousand dollar access points with multi thousand dollar controllers essentially have multiple access points embedded in them with fancy antennas that shape the radios to not overlap with each other - that's why they cost thousands of dollars).  And by active I mean 30 users streaming YouTube or actively surfing the web.  Not just a smartphone that automatically attaches to your AP but is mostly idle - they count to a point, but unless you have a stadium full of people probably not enough to matter for you.

TL;dr - more APs mean you can support more really active/heavy users.

2nd, if a device can "hear" a powerful AP, but can't "talk" back to it because the radio in the device isn't powerful enough to reach it, then you can't really have a conversation now, can you?  Phones in particular tend to not have really powerful wifi radios since that would dramatically impact battery life (ever have a roaming phone particularly in a remote area kill your battery?  Similar concept).  That's why I find the long range Unifi APs worthless for general deployments.  And when I say that people get defensive and want to know why they make them then - the answer is for two long range units to talk to each other, not for a long range AP to support cell phones or laptops!  As I said, having more APs running at lower radio power to ensure you don't have two APs on the same channel overlapping (or visible to a device at the same time) is key to managing multiple access points in an environment.  If you understand nothing else about wifi, this is the most key concept.  Get it right and everything else is simple.

Anyway, I think Unifi would be perfect for your situation.  It's fairly inexpensive, the management console provided via the controller provides useful statistics and reporting information, and the system is easily expandable as your needs grow.  It's certainly much easier and cleaner than managing two consumer grade routers.

Finally, Ubiquiti is really fleshing out their Unifi system by adding managed ethernet switches that provide both active and passive POE as well as a new security gateway device (based on their EdgeMax routers) that today is a little feature incomplete but shows great promise.  What's really exciting is all of the above is managed from the same Unifi console.  They also have some new Android based VOIP phones that will also be managed by the Unifi console, I'm less intrigued by those - call me old fashioned but I prefer desk phones with real buttons.  If you have no such hangups they are really attractively priced.  I've got a security gateway on order to test/play with/keep an eye on and if I add any more switches in the future or need to replace any of my existing ones they will be the Unifi switches for the awesome management capabilities provided by their controller software and the management console it provides.  The thought of having one end-to-end view of our network makes me giddy.

============
If you are still reading this, congratulations! 

For reference, we have a fairly large building with a sanctuary that seats 1200 at the front of the building (average attendance of 500-750 these days), a gym in the middle of the building, about 25 class rooms and 12 staff offices clustered around the Gym in a U on the sides and back, and I cover the building pretty effectively with three APs.  One is in the sanctuary in the middle, the other in the staff hallway mid-way on that side of the building and the third in our back hallway in the middle, directly opposite the sanctuary AP that's in the front of the building (they are probably about 250 feet apart).  I routinely have 200-300 devices each Sunday attached to all three APs (has peaked up to 400+ on holidays, special events), including our children's ministry check in kiosks - and the system never misses a beat.  I was concerned initially reading the dire warnings about high-density installs and crowding on 2GHz spectrum that I may need to pretty quickly get some of the (then brand new) Pro APs to have 5GHz available - but watching our stats for the past three (wow, time flies!) years the system has been running, those concerns were completely unfounded.  If we ever started having capacity problems (obviously most of my "users" are idle), it's trivial to add more radios to get extra capacity.  I would just have to do some site surveys and testing of radio power to ensure I don't have overlap.  Right now with three radios it's easy - they are all on their own channels.

As an aside, over Christmas I also installed two Ubiquiti Nanostation Loco M5 radios outside two of the buildings at my old church to link the buildings together.  The Nanostations are on their own wireless network with a hidden SSID; they are dedicated just to bridging the two buildings together and now that they are working they shouldn't ever have to be touched again.  It was the first time I used those and I really liked them - getting sustained gigabit connectivity between the two buildings after spending 15 minutes configuring them and then pointing them at each other through two windows was pretty amazing.  I eventually permanently mounted them outside, but their optional mounting kit has wall mount as well as really effective window suction cups.  If there weren't so many trees between the two windows I had available, I would have just left the radios suction cupped to the windows.  In the winter it wasn't an issue - no leaves.  But the next Spring/Summer I couldn't risk the trees providing interference and moved them to a more clear line of sight externally.  Much easier than running cable - and no need to worry about ground potential differences between the two buildings.  It's not fun getting shocked by touching your network ports/cables/devices plugged into your network.  Wireless or fiber optics are your friend for interconnecting buildings.  But now I'm really digressing...
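
The checks described across this thread (the second-router setup with a unique LAN IP, LAN-side cabling and DHCP disabled; matching SSID and security; the client-isolation note; and the 1/6/11 channel rule), collected into a small plan linter as an added example that is not part of any post above. The `AccessPoint` fields, finding codes, SSID and IP addresses are constructed for illustration, and the channel check assumes the units are within radio range of each other.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations


@dataclass
class AccessPoint:               # hypothetical record, one per wireless unit
    name: str
    lan_ip: str
    ssid: str
    security: str                # e.g. "WPA2-PSK"
    channel: int                 # 2.4 GHz channel number
    dhcp_server: bool
    client_isolation: bool
    main_router: bool = False    # the one unit that routes to the Internet
    uplink_port: str = "LAN"     # port on this unit cabled to the main LAN


def channels_overlap(a: int, b: int) -> bool:
    # 2.4 GHz channel centres sit 5 MHz apart and a signal is about 20 MHz
    # wide, so channels fewer than 5 numbers apart (e.g. 4 and 6) collide.
    return abs(a - b) < 5


def lint_plan(aps, lan_cidr, need_peer_traffic=True):
    """Return (code, detail) findings; an empty list means the plan passes."""
    lan = ip_network(lan_cidr)
    findings, seen = [], {}
    for ap in aps:
        ip = ip_address(ap.lan_ip)
        if ip not in lan:
            findings.append(("OFF_SUBNET", f"{ap.name}: {ip} not in {lan}"))
        if ip in seen:
            findings.append(("DUPLICATE_IP", f"{ap.name} and {seen[ip]} share {ip}"))
        seen[ip] = ap.name
        if not ap.main_router and ap.dhcp_server:
            findings.append(("EXTRA_DHCP", f"{ap.name}: disable its DHCP server"))
        if not ap.main_router and ap.uplink_port.upper() == "WAN":
            findings.append(("WAN_UPLINK", f"{ap.name}: cabled via its WAN port, "
                             "so it NATs clients into a separate subnet"))
        # Needed here because the presenter's tablet must reach the Keynote host.
        if need_peer_traffic and ap.client_isolation:
            findings.append(("CLIENT_ISOLATION", f"{ap.name}: wireless clients "
                             "cannot reach each other"))
    if sum(ap.main_router for ap in aps) != 1:
        findings.append(("ROUTER_COUNT", "exactly one unit should route"))
    if len({(ap.ssid, ap.security) for ap in aps}) > 1:
        findings.append(("SSID_MISMATCH", "SSID/security differ between units"))
    for a, b in combinations(aps, 2):
        if channels_overlap(a.channel, b.channel):
            findings.append(("CHANNEL_OVERLAP",
                             f"{a.name} ch {a.channel} vs {b.name} ch {b.channel}"))
    return findings


def codes(findings):
    return sorted({code for code, _ in findings})


LAN = "192.168.1.0/24"           # constructed addressing

AS_FOUND = [                     # constructed "before" plan
    AccessPoint("office", "192.168.1.1", "ExampleChurch", "WPA2-PSK", 6,
                dhcp_server=True, client_isolation=False, main_router=True),
    AccessPoint("auditorium", "192.168.1.1", "ExampleChurch", "WPA2-PSK", 4,
                dhcp_server=True, client_isolation=True, uplink_port="WAN"),
]

FIXED = [                        # constructed "after" plan
    AccessPoint("office", "192.168.1.1", "ExampleChurch", "WPA2-PSK", 6,
                dhcp_server=True, client_isolation=False, main_router=True),
    AccessPoint("auditorium", "192.168.1.2", "ExampleChurch", "WPA2-PSK", 11,
                dhcp_server=False, client_isolation=False, uplink_port="LAN"),
]

if __name__ == "__main__":
    for code, detail in lint_plan(AS_FOUND, LAN):
        print(f"{code:17} {detail}")
    print("fixed plan findings:", lint_plan(FIXED, LAN))
```

For a guest SSID, where keeping clients apart is the intent, call `lint_plan(..., need_peer_traffic=False)` so client isolation is not reported.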