One Meetinghouse Internet Implementation

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
User avatar
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

One Meetinghouse Internet Implementation

#1

Post by aebrown »

Over the last weekend, I completed a successful (but not problem-free) implementation of an Internet connection, under the Meetinghouse Internet program approved for my area in the 26 Mar 2008 letter. In a previous post, I talked about the process of ordering DSL and getting it installed. Here I will talk about what happened inside the building.

The goals of the implementation were:
  1. Obtain a DSL connection for a building in our stake which did not have any Internet connection
  2. Extend that connection to each of the administrative computers in the three clerk's offices. W1 and W2 are on the west side of the building, and W3 is on the east side.
  3. Provide a wireless connection for the bishops' and clerks' offices, chapel, cultural hall, Relief Society room, multi-purpose room.
Preparation
We ordered and purchased the following hardware:
  • DSL modem from our ISP ($60, plus about $60 DSL line installation charge)
  • Church-managed Firewall from ldscatalog.com (listed at $500, but CHQ covers cost)
  • Two Linksys Ultra RangePlus Wireless-N Broadband Routers (WRT160N) ($80 each)
  • Cat5e cables ($50)
  • Extension cords, surge suppressors, phone jacks, phone cable ($70)
I consulted with the FM Group as to which office should contain the DSL modem, which pair of phone wires to use for the DSL line, and how and where to run the Cat5e cables. The FM Group sent a mechanic to the building to meet with me and walk through these issues, and even offered to meet the DSL provider to connect the DSL line to the demarcation point. Since I work over 30 minutes away from the building, I was grateful for that help.

DSL Connection
We accomplished goal #1 by obtaining a DSL connection from Qwest (the local phone company and our chosen ISP). Qwest ran the wire to the demarcation point. A 6-wire phone cable runs to each clerk's office, and only one pair of wires is used for phone service. With the help of my FM group, we identified an unused pair of wires (green/white) leading to W1 clerk's office. I changed the single phone jack plate to a double, rewiring the existing phone line to use one jack, and the green/white pair to use the other.

Once Qwest had run the wire to the punch panel, I connected their incoming pair of wires to the green/white pair for W1 at the punch panel. I followed Qwest's instructions for connecting the DSL modem we had purchased from Qwest. I connected it to my personal laptop, to avoid exposing an administrative computer to the Internet prior to setting up the firewall. Qwest provided a CD that smoothly went through the configuration and activation process. A few minutes later, I had a working DSL connection.

I then connected the Church-managed firewall to the DSL modem, and connected W1's administrative computer to the firewall. Everything on the network uses dynamic IP addressing. After IP addresses were refreshed, I opened a browser on the administrative computer and saw that I had a connection to the firewall, but I was not connected to the Internet because the firewall had not yet been activated.

I collected all the information required by the firewall Installation Guide (DSL provider, support number, connection speed, firewall serial number, firewall IP address, my name, contact info). I called the Global Service Desk and asked them to activate the firewall. I was transferred to second level support (OTSS) and the technician gathered all that information, then activated the firewall. The whole process took about 10 minutes. At the end, I had an Internet connection on W1's computer.

Wiring to other offices
We chose W1 for the DSL connection because the wall of W1's clerk's office with the phone jack is basically in the middle of the row of offices on the west side of the building. I installed one of the routers between the firewall and the administrative computer. I didn't configure the wireless settings at this point.

From that office, we ran a 50-ft Cat5e cable to W2's clerk's office on that side of the building. Because of the way the walls were constructed, I couldn't drop a cable into the box the phone cables came into. So we drilled a hole in the corner of each ceiling. Not the most attractive, but that's what the FM Group said I would have to do. So far so good. W2's office needed nothing more than a cable -- no additional hardware required. Their computer connected immediately.

Then the fun began. Running the 200-ft cable to W3’s clerk’s office is a tale that I could tell for hours – certainly at least the three hours it took to run that one cable. The attic of our 30-year old building is compartmentalized into areas that are not easy to get to from one another, and there are long stretches of dropped ceilings that you can’t cross. Fortunately, my 14-year-old son on two occasions was able to throw a rope connected to the cable over 25 feet to within 6 inches of my hand that was reaching out through a hole in the wall. We finally reached W3’s office, drilled a hole, and dropped the cable through.

Wireless
In W3’s office we put the second router. I disabled the DHCP, since this router is really functioning only as a switch and wireless access point. I got the router, since it was the cheapest way to get that functionality, and administration is simpler with two matching devices. I configured it to use WPA-PSK security. I configured the other router in W1’s office to use WPA-PSK security, and the same key.

I tested the range by walking around the building with my laptop, which has a built-in 802.11b adapter (it’s a rather old laptop). I was pleasantly surprised to find that I had a reasonable connection throughout the chapel, all the bishop and clerk offices, the RS and multi-purpose rooms, and the cultural hall. Only along the back hall (which contains the Primary room and a dozen classrooms) was I not able to get a signal. I’m guessing that if I had a 802.11n adapter I would be able to get a signal even there. If that were a requirement, I could probably locate another access point or two on that end of the building, but that is not a requirement now and I’m not anxious to face that attic again.

Security
At this point our stake president has said that the WPA key should be shared only with bishoprics, stake presidency, executive secretaries, clerks, and assistants. Other specific individuals may be told the key if bishops make an appropriate request. We want the connection to be used for valid Church purposes, but not so broadly known that it will be used too casually for other purposes.

Conclusions
The process went rather smoothly except for the challenges running the 200-ft cable. The one-time installation costs were around $400; the monthly cost will be $44 plus tax for the business rate for a 1.5Mbps DSL connection. MLS has been configured to use the Internet connection, rather than dial-up, and transmission speeds are much faster. So far, everyone is happy.

I hope this was helpful. If I missed anything or if you have any questions, please post a response.
SheffieldTR
Community Moderators
Posts: 145
Joined: Wed Apr 04, 2007 12:44 pm
Location: Utah, USA

#2

Post by SheffieldTR »

What a wonderfully detailed report! I am sure many will benefit from this!
russellhltn
Community Administrator
Posts: 34384
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#3

Post by russellhltn »

Alan_Brown wrote:I installed one of the routers between the firewall and the administrative computer. I didn't configure the wireless settings at this point.
You are using the DHCP function of that router rather then the firewall? (I'm assuming the firewall has the usual router features.)


Alan_Brown wrote:In W3’s office we put the second router. I disabled the DHCP, since this router is really functioning only as a switch and wireless access point.
In your setup the admin computers are potentially accessible from the wireless, correct?
User avatar
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#4

Post by aebrown »

RussellHltn wrote:You are using the DHCP function of that router rather then the firewall? (I'm assuming the firewall has the usual router features.)
I don't know how many IP addresses the DHCP server of the firewall might be configured to issue. I have to give IP addresses to the wireless connections, and I didn't know how many that might be -- it could be more than the firewall can issue. So it seemed prudent to have the router issue the IP addresses.
RussellHltn wrote:In your setup the admin computers are potentially accessible from the wireless, correct?
Well, the admin computers are on the same subnet as the wireless connections, so they can be pinged from each other. But I have not enabled any file sharing or web servers on the admin computers, so I wouldn't think any files on those computers are accessible. But I'm not a networking security expert, so I would welcome feedback as to whether this configuration has risks.
russellhltn
Community Administrator
Posts: 34384
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#5

Post by russellhltn »

Alan_Brown wrote:I don't know how many IP addresses the DHCP server of the firewall might be configured to issue. I have to give IP addresses to the wireless connections, and I didn't know how many that might be -- it could be more than the firewall can issue. So it seemed prudent to have the router issue the IP addresses.
Good point. It's worth asking. With the PIX programmed for FHCs, there was no limit on IP addresses but a limit of 10 connections to the Internet. If this is the same, then I don't think you'd have a problem.

Alan_Brown wrote:Well, the admin computers are on the same subnet as the wireless connections, so they can be pinged from each other. But I have not enabled any file sharing or web servers on the admin computers, so I wouldn't think any files on those computers are accessible. But I'm not a networking security expert, so I would welcome feedback as to whether this configuration has risks.
In theory, the combination of no services and a software firewall on the computer should be secure enough. But new venerabilities keep turning up.

Personally, I'd like to run the computers right off the Cisco and then set the DHCP of the router/AP to the same subnet as the Cisco. That prevents packets from the wireless from going anywhere but the Internet. (And prevents a rogue clerk from setting up a share so he can access the ward computer from the wireless.) Not your normal network setup, but I think it would be more secure. However, that would mean somehow running a second line to that far office. Either by running a second cable or by using a "Y" that makes use of the unused wires for another circuit.
User avatar
hkk2
New Member
Posts: 16
Joined: Thu Mar 13, 2008 1:25 pm
Location: Anthem Stake (Henderson, NV)
Contact:

#6

Post by hkk2 »

RussellHltn wrote:And prevents a rogue clerk from setting up a share so he can access the ward computer
I know we may talk about rogue clerks, which leads me to a question of why they have admin access on windows (being security minded). Has this question already been answered in another forum? My first guess is the installation process of upgrading MLS, but that's just a guess. If the STS does it in admin mode, couldn't that make up the difference?
I'm alone in my own little world.
User avatar
hkk2
New Member
Posts: 16
Joined: Thu Mar 13, 2008 1:25 pm
Location: Anthem Stake (Henderson, NV)
Contact:

#7

Post by hkk2 »

Oh, and nice implementation. I was thinking of something similar except using the wifi routers to do most of the subnetting and internal admin work.
I'm alone in my own little world.
User avatar
Mikerowaved
Community Moderators
Posts: 4728
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#8

Post by Mikerowaved »

cybr wrote:I know we may talk about rogue clerks, which leads me to a question of why they have admin access on windows (being security minded). Has this question already been answered in another forum? My first guess is the installation process of upgrading MLS, but that's just a guess. If the STS does it in admin mode, couldn't that make up the difference?
Yes, you're right. This has been discussed in several other threads. I would also like to see this aspect change, but the bottom line is, this is the only way to configure an MLS machine until we are instructed otherwise.
So we can better help you, please edit your Profile to include your general location.
russellhltn
Community Administrator
Posts: 34384
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#9

Post by russellhltn »

cybr wrote:which leads me to a question of why they have admin access on windows (being security minded).
I'm not sure if it's because of the communication software, or the fact they send updates during send/receive. But the bottom line is because CHQ, though the Desktop 5.5 Instructions has told us they have to.

Up near the top of my own wish list to allow MLS to function as "user".
The_Earl
Member
Posts: 278
Joined: Wed Mar 21, 2007 9:12 am

Vlan

#10

Post by The_Earl »

RussellHltn wrote: Personally, I'd like to run the computers right off the Cisco and then set the DHCP of the router/AP to the same subnet as the Cisco. That prevents packets from the wireless from going anywhere but the Internet. (And prevents a rogue clerk from setting up a share so he can access the ward computer from the wireless.) Not your normal network setup, but I think it would be more secure. However, that would mean somehow running a second line to that far office. Either by running a second cable or by using a "Y" that makes use of the unused wires for another circuit.

You might be able to use VLANs to make that work. I run my public wireless off VLAN-2, and I told the router not to move traffic between VLAN-1 and VLAN-2. The boxes all end up with the same IP subnet and everything, but you can't get from the wireless to the wired network w/o going through the firewall.

I am doing this with a hacked WRT54G, I am not sure how you would do that with the Cisco router.

Thanks
The Earl
Post Reply

Return to “Meetinghouse Internet”