National City - El Toyon Rec Center

El Toyon Rec Center

Background

El Toyon is a rec center operated by the city of National City. It serves low income neighborhoods with diverse populations. In addition to being a community meeting and focal point, the rec center also offers after school programs attended by 50-60 children on a daily basis. Activities include board games, organized sports and ceramics classes.

Funding Source

The source of funding for this project was a donation from a generous and civic minded local resident who lives 5 blocks away from the rec center. The project sponsor has offered to pay for all hardware expenses in addition to the monthly ISP fees.

Address

The location is El Toyon Rec Center: 2005 E. 4th Street National City.

Results

On March 26, 2005, Socalfreenet volunteers completed the installation on Saturday with a large turnout from the local community. Local council members also came by to help, and the installation was featured on the local TV news and in the Union Tribune. The Tribune reported:

On Monday, which was the beginning of spring break, many of the kids at the center were surprised when they saw the new computers. Up to 90 kids a day visit the center.

"They're really excited," said recreation leader Katrina Baca. "A lot of them don't have access to computers or the Internet. They don't want to get off."

Read the full article.

Background

The facility itself was built in 1962 and appears to contain porous and very RF friendly building materials. During our site survey, only 2 APs were discovered (SSID = natwireless, channel 6, WEP on).

The rec center facility itself is a series of medium sized "conference rooms", attached to each other to form a U shape. All buildings are single story with angled pitch rooflines. A telephone jack exists in the administration office (adjacent to the ceramics room).

Funding Source

The source of funding for this project is a donation from a generous and civic minded local resident who lives 5 blocks away from the rec center. The project sponsor has offered to pay for all hardware expenses in addition to the monthly ISP fees.

Address

The location is El Toyon Rec Center:
2005 E. 4th Street
National City

Project Objectives

Objectives:

  • Wireless Coverage
  • Computer Lab
  • Educational Opportunities for Volunteers

Wireless Coverage Objectives:

  • No specific performance parameters have been defined or established. Our goal is to create an 802.11b point of presence with the maximum coverage possible to the surrounding neighborhood.

Computer Lab Objectives:

  • We have secured a donation of 10 PCs to be installed in the ceramics room. Our goal is to create a 10 station computer lab with full Internet access.

Educational Objectives:

  • We plan to have a 1/2 hour lesson on setting up M0n0wall on the install day, 1/2 hour before we start building the network.
  • The hardware installation will be a great learning experience, teaching everything from antenna grounding and waterproofing techniques, to cat-5 cable making and testing.

Technical Solution

We propose deploying a Soekris net4511 to provide wireless coverage to the surrounding neighborhood. This device would run the FreeBSD-based M0n0wall operating system. The advantage of the net4511 is that it supports a PCMCIA card (allowing us to install a 200 mW Senao radio) in addition to a mini-PCI slot, which we could leave unoccupied and available for future 802.11a expansion. Unlike the Netgate G8 WRAP-based alternatives, the Soekris net4511 contains 2 Ethernet ports.

We intend to assign one port for the WAN. We have selected DSL Extreme as the ISP, as they allow sharing in their ToS. The other port will be configured as a LAN port (in a segment protected and firewalled from the WLAN segment). The LAN port of the Soekris device will be connected to a 24-port switch, which will then be connected to the lab PCs.

M0n0wall offers standard functionality we intend to enable, including captive portal, bandwidth shaping, SNMP monitoring and more.

El Toyon m0n0wall configuration

Here are the steps taken to configure M0n0wall for use at El Toyon Rec Center with a Soekris 4511 box. Read the Network Configuration in conjunction with this guide.

Download M0n0wall, install on 16MB CF Card.
Connect Ethernet to eth0 (PoE). By default, M0n0wall will be running DHCP on that interface and give your laptop an IP address of 192.168.1.199/24, with a default gateway of 192.168.1.1. Open a browser and point it to 192.168.1.1. Default username/password = admin/mono.

The latest version of m0n0wall available was used, 1.2b6. It was configured as follows.

Query: It would also be possible to bridge the wireless and LAN interfaces and just use one /24 subnet instead of two separate ones. This may be a preferable configuration. It also has the advantage of forcing the captive portal on the lab computers as well, which would otherwise avoid the captive portal because it can only be active on one interface.

  1. IMPORTANT NOTE: Do not reboot until you have made all changes.
  2. Click System -> General Setup:
    • Change hostname to ElToyonRecCenter
    • change password
    • set webGUI protocol to https
    • set timezone to America/Los_Angeles
  3. Click Save
  4. Click Interfaces | assign, then click on the + (This will add the third interface) and then click Save
  5. Click Interfaces | WLAN
  6. Click Interfaces | OPT1
    • Click (to select) "Enable Optional 1 interface"
    • rename OPT1 to WLAN
    • set the WLAN IP to 10.12.10.129/25
    • set the SSID to "socalfreenet.org" (lower case, no quotes)
    • set the channel (we're using 1)
    • WEP should be disabled
  7. Click Interfaces | assign
    • Verify Interfaces: LAN, WAN and WLAN are assigned to sis0, sis1, wi0 respectively.
  8. Click Interfaces | LAN
    • set the LAN IP to 10.12.10.1/25, click Save.
  9. Click Interfaces | WAN
    • set the WAN to PPPoE as the DSL modem will be PPPoE
    • fill out the PPPoE username and password
    • leave the Enable Dial-On-Demand unchecked - this will create a full time connection
    • leave the idle timeout empty
    • Click Save
  10. Click Services | DHCP Server
    • LAN Tab: enable DHCP Server, set range to 10.12.10.50 - 10.12.10.99, click Save.
    • WLAN Tab: enable DHCP Server, set range to 10.12.10.154 - 10.12.10.250, click Save.
  11. Click Firewall | Rules
  12. Click on the LAN tab (if not already selected). Then click on the + sign next to the rule that has the description "Default LAN -> any". This creates a new rule with the same settings and opens it in edit mode. Then change:
    • Interface: WLAN
    • Source: WLAN subnet
    • Description: Default WLAN -> any
  13. Click Save
  14. Click Apply Changes

That completes the important settings. Everything should basically work at this point and it's worth stopping to make sure. Click Reboot.

After rebooting, you'll need to release and renew your IP address. Assuming you are on a wired interface, M0n0wall should assign an IP address of 10.12.10.99/25, with a default gateway of 10.12.10.1. Open a browser and point it to https://10.12.10.1. (Don't forget the S in httpS://10.12.10.1).

We want to keep the LAN completely firewalled from the WLAN so we need some rules to ensure that it is:

  1. Click Firewall | Rules | WLAN tab
  2. Click 'e' next to the WLAN rule that allows all traffic anywhere
    • under Destination check the 'not' box and then select Lan subnet from Type
    • modify the description (e.g. add ", except LAN")
  3. Click Save
  4. Click Apply Changes

Unfortunately now we can't access the browser-based administration interface via wireless on the WLAN, so we add another rule. We make this rule very specific:

  1. Click Firewall | Rules | WLAN tab
  2. Click '+' next to the WLAN rule that allows all traffic anywhere (except LAN)
    • change Protocol to TCP
    • Under "Destination", deselect "not".
    • Under "Destination", change to Type "Single host or alias" and the address to 10.12.10.1
    • Under "Destination port range", set "from:" and "to:" to HTTPS
    • Under "Description", change to "Allow WLAN admin access"
  3. Click Save
  4. Now, move the new rule to the top by checking the empty box next to the new rule and then clicking on the left arrow next to the first rule.
  5. Click Apply Changes

At this point it should now be possible to access https://10.12.10.1 from a client on the WLAN port (i.e. a wireless client).
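The address plan and the two WLAN rules built above can be checked offline. The following is an added example, not part of the original guide or of m0n0wall: it models the WLAN tab as an ordered list with an assumed implicit default deny, and the tuple layout, function names and the sample client address are constructed for illustration.

```python
import ipaddress as ip

# Address plan from the page (two /25 halves of 10.12.10.0/24).
LAN = ip.ip_interface("10.12.10.1/25")      # Soekris LAN address
WLAN = ip.ip_interface("10.12.10.129/25")   # Soekris WLAN address
DHCP = {"LAN": ("10.12.10.50", "10.12.10.99"),
        "WLAN": ("10.12.10.154", "10.12.10.250")}

# WLAN tab after both procedures, top to bottom. Hypothetical tuple layout:
# (description, protocol or None for any, destination test, port or None)
WLAN_RULES = [
    ("Allow WLAN admin access", "tcp", lambda d: d == LAN.ip, 443),
    ("Default WLAN -> any, except LAN", None,
     lambda d: d not in LAN.network, None),
]

def dhcp_ranges_ok():
    """Each pool must sit inside its own subnet and exclude the gateway."""
    nets = {"LAN": LAN, "WLAN": WLAN}
    for name, (lo, hi) in DHCP.items():
        lo, hi = ip.ip_address(lo), ip.ip_address(hi)
        net = nets[name]
        if not (lo in net.network and hi in net.network and lo <= hi):
            return False
        if lo <= net.ip <= hi:
            return False
    return not LAN.network.overlaps(WLAN.network)

def wlan_verdict(src, dst, proto, port):
    """Return the description of the first matching pass rule, else 'block'."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src not in WLAN.network:          # both rules use source "WLAN subnet"
        return "block"
    for desc, r_proto, dst_ok, r_port in WLAN_RULES:
        if r_proto and r_proto != proto:
            continue
        if r_port and r_port != port:
            continue
        if dst_ok(dst):
            return desc
    return "block"                       # assumed implicit default deny

if __name__ == "__main__":
    client = "10.12.10.200"              # constructed wireless client address
    for dst, proto, port in [("10.12.10.60", "tcp", 445),    # lab PC
                             ("10.12.10.1", "tcp", 443),     # webGUI via LAN IP
                             ("10.12.10.1", "tcp", 80),
                             ("10.12.10.129", "tcp", 443),   # WLAN interface IP
                             ("198.51.100.7", "udp", 53)]:   # Internet host
        print(dst, proto, port, "->", wlan_verdict(client, dst, proto, port))
```

The fourth case shows that traffic to the Soekris WLAN address 10.12.10.129 passes under the "except LAN" rule, because that address is outside the LAN subnet. If the webGUI answers on that interface (an assumption to verify on the box), wireless clients can reach it without the dedicated admin rule, so the changed admin password and HTTPS setting are what protect it.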

Some additional settings will complete the configuration:

  1. Click Diagnostics | Logs | Settings tab
  2. Click (Select) "Show log entries in reverse order (newest entries on top)"
  3. Click (Select) "Enable syslog'ing to remote syslog server"
    • Under "Remote syslog server", enter xx.xx.xx.xx and select all events except firewall
  4. Click Save
  5. Click Firewall | Traffic shaper | Magic shaper wizard tab
  6. Click (Select) "Set P2P traffic to lowest priority" and "Share bandwidth evenly on LAN"
  7. Click Install/Update
  8. Click the Rules tab
  9. Click (Select) Enable traffic shaper
  10. Click Save

  1. Click Services | Captive portal:
  2. Click (Select) "Enable captive portal"
    • Under "Interface", select WLAN
    • Under "Idle timeout", enter 60 minutes
    • Under "Hard timeout", enter 1440 minutes (24 hours)
    • Under "Portal page contents", add the portal page - see file attached to this page
  3. Click Save
  4. Click on Allowed IP addresses tab
  5. Click on the blue plus sign, to the right of the description field
    • Under "Direction", select "To"
    • Under "IP address", enter 216.193.213.171
    • Under "Description", enter www.socalfreenet.org
  6. Click Save
  7. Click Apply Changes

That's it! Save the configuration just to be safe (under Diagnostics -> Backup/Restore).

Further configuration can be done for syslog, outside PPTP access etc. This will be added here as time permits.

Install Plan

Wireless Install:

Network configuration: El Toyon network IP layout and m0n0wall config

Cabling: We will install 2 cables- one from the DSL modem to the Soekris, the other from the lab switch to the Soekris.

Given that the RJ11 telephone jack terminates in the manager's office, we will place the DSL modem adjacent to the telephone jack. Near the DSL modem, we will drill a hole to penetrate to the outside wall (on the side connected to the interior of the courtyard). In addition, we will drill a hole between the manager's room and the ceramics room, which share a common wall.

One Cat5 cable will be fed from the switch in the ceramics room, through the hole to the manager's office, then through the hole to the courtyard, elevated to the roofline and laid out along the edge of the eave along the length of the building to the location of the Soekris mounted in the outdoor box (LAN port).

The second cable (running alongside the 1st cable) will run from the DSL modem to the WAN port of the Soekris and be injected with power at the DSL modem side in the manager's office.

The Soekris will be mounted on one of the primary roof beams of the southwesternmost building, as close as possible to the telescoping mast. (This appears to be the highest point). The mast (appx. 25-30 feet tall) will extend from the ground to the roof line, where it will be attached to a supporting beam using a metal bracket. The mast will extend above the roofline by 5-8 feet (as permissible by safety considerations). The omni antenna will be attached to the top of the pole using a hose-clamp or other secure mechanism.
The lightning arrestor will be grounded using grounding wire attached to an 8 foot metal grounding rod, or adjacent grounding point as determined to be safe, effective and building code compliant by Marc Palumbo, QA/Safety/Regulatory Compliance Manager.

Computer Lab Install:

- 10 PCs with monitors, mice & keyboards will be assembled in the ceramics room, across folding tables along the length of the wall, opposite the door. All PCs will be connected via custom length Cat5 cables to the switch.

Day of Install Tasks -- March 19th, 2005

Project Manager: Lee

Volunteer 1 (Lee)
- Install & test DSL modem using laptop
- Install M0n0wall and test config prior to install day
- Verify M0n0wall configuration on install day
- Assist others

Volunteer 2 (Drew & Marc)
- Prepare mast assembly (attach antenna / lightning arrestor / waterproof putty)
- Prepare bracket for roof truss and antenna mount.
- Drive 8 foot ground rod for antenna base support and ground.
- Install mast and secure to building with mounting bracket
- Mount Soekris / outdoor enclosure to beam / under roof
- Run grounding wire, find (or build) appropriate grounding point

Volunteer 3 (Marc & Mick Laver)
- Run Cat5 along roofline
- Crimp Cat5 heads (terminate cables w/RJ45 jacks)
- Build custom length cables for lab
- Perform QA / Safety checks, complete checklist

Volunteer 4 (Mick Laver)
- Drill Holes in wall - manager's office to lab, manager's office to courtyard

Volunteer 5 (?)
- Perform QA/Safety/Regulatory Compliance testing and complete checklist

Volunteer 6 & 7 & 8 (Wayne & Bao Nguyen & ?)
- Physically set up PCs
- Determine Ethernet cable length requirements
- Attach cables for keyboard, mouse, video, Ethernet
- Configure & verify networking

Volunteer 9 (?)
- Walk around the neighborhood and determine wireless coverage area

Schedule
9:30AM - 10AM Educational session on how to set up and configure M0n0wall
10AM - Begin Install

Budget

Proposed Equipment Budget and Status

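| Purpose      | Price | Product                                      | Status                            |
|--------------|-------|----------------------------------------------|-----------------------------------|
| Access Point | 166   | Soekris 4511                                 | mikemee                           |
|              | 60    | Senao PCMCIA                                 | mikemee                           |
|              | 11    | MMCX to N-female bulkhead pigtail            | mikemee                           |
|              | 20    | PoE adapter                                  | mikemee                           |
|              | 13    | electric box case                            | mikemee                           |
|              |       | CF card 8MB or greater                       | donated by Lee                    |
| RF gear      | 30    | 15 dBi antenna                               | marc                              |
|              | 24.31 | 10' LMR400 N-Male - N-Male                   | ordered from WLANParts.com by Lee |
|              | 20    | lightning protector                          | mikemee                           |
| mounting     | 50    | 30 foot telescoping antenna mast & fittings  | Marc                              |
| Misc         | 35    | cat-5, ground wire, fittings, rod            | mikemee                           |
|              | 50    | lunch for volunteers                         |                                   |
| Security     | 70    | IP Camera                                    | need to order                     |
| Lab          |       | 24 port switch                               | donated by Steve                  |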



Most prices reflect tax and shipping. "Need to order" prices may not.

El Toyon Install Day Report

The El Toyon Rec Center was an extremely successful install day!

We all met at 9:30AM and proceeded through a M0n0wall installation lesson. We reviewed every detail of how to install M0n0wall and repeated all the steps to configure M0n0wall as performed for the El Toyon installation.

After the M0n0wall lesson, we walked through the procedures to be performed during that day's activities. We immediately noticed an issue with the Manager's office- the telephone line was on a wall that had no available AC power. (The closest power outlet was on the other side of the room). As a result of this discovery, we modified the plans slightly. We drilled a hole between the Manager's office and the lab room (formerly the Ceramics room), and ran the RJ11 cable between the two rooms and mounted the DSL modem inside the lab. This change had the added advantage of not requiring physical access to the manager's office for future troubleshooting.

Volunteers then set up the physical PCs on the desks along the wall. They were oriented such that the monitors were facing the main entry door and a computer user would have their back to the main door. In this arrangement, the computer users could always be monitored. After a few minutes, we discovered that the tables could not support the weight of the computers (they were bowing in the middle), therefore we replaced the tables with stronger tables. Custom length Cat5 cables were made between each PC and the switch. Several members had the opportunity to learn how to make Cat5 cables.

Next, two long lengths of Cat5 cable were run. One cable ran between the Soekris board and the switch ("LAN"). The other cable ran between the Soekris board and the DSL modem ("WAN"). Great care was taken by SoCalFreeNet members to tack the cable to the ceiling and roof eave very carefully and in an aesthetically pleasing manner.

To mount the antenna mast, a sheet of hardened aluminum was cut to size. The reason for adding the aluminum brace was to provide a mounting surface for the antenna mast (pole) that extended more than 3 inches away from the roof (per Marc, this is a requirement to be compliant with building codes). The antenna was then mounted to the pole. Also, the outdoor box was mounted to the side of a beam. This was a clever solution which provided protection from the elements. In order for the mount to work, we needed to remove the Soekris board from the case, mount the case to the beam, then reinstall the Soekris board into the case. This was an extra step, but resulted in a more solid and secure installation.

The mast was then hammered from above to drive it a few feet into the ground. An additional 8 foot grounding rod was installed next to the mast. The lightning arrestor was installed and connected to the pole, which was, in turn connected to the grounding rod at its base.

We powered everything up, and amazingly (on the first try) it all operated perfectly. The surrounding neighborhood is now covered by free wireless Internet access. We will be working with SoCalFreeNet member and project sponsor Wayne in order to establish a regular "Help the Neighbors Get Online" day.

The most amazing part of this installation was the enormous volunteer response that we received. Around a dozen SoCalFreeNet members showed up on their Saturday to make this deployment a great success!! Thank you again to all who volunteered!!!