Tech Forum

I'm serving as Stake Technology Specialist. I received a request from my stake president asking if there is any possible way that I could configure the system in the stake center such that there were guaranteed bandwidth available to the leadership. Basically, since he is at the building for several hours every Sunday beyond his sacrament meeting, he would like to have reliable access to Internet sites related to his calling in spite of how ever many other church members in other wards are saturating the LDSAccess wifi at the moment, and without having to tether his equipment to a cell phone data plan.

I am aware that I can use tm.lds.org to dynamically tighten the firewall filters on Sunday from normal to strict, so that members aren't able to access bandwidth-hogging services like video downloads, in the hope that it makes the overall bandwidth usage nicer for everyone (including the stake president), but that's not the same as actually guaranteeing bandwidth to any particular client.

The stake president even offered to provide a separate Access Point box in order to allow me to setup a second SSID/password (leadership would be told to use that network to get guaranteed bandwidth, while the general membership continues to use the LDSAccess SSID for whatever bandwidth is leftover). If I were to install that AP in between the ISP modem and the firewall box, then I've trivially met the bandwidth guarantees (the AP gets traffic first, and the firewall gets whatever is left over) - but bypassing the firewall filters is not wise. Conversely, if I put the AP downstream from the firewall, then it is competing with everything else the firewall is servicing (so filtering works, but not only did I not solve bandwidth, but it might actually be worse for the leadership SSID depending on whether the firewall treats the AP as a single client rather than as a passthrough device to multiple clients). Then, regardless of whether I were to stick an AP before or after the firewall, there's the even bigger issue that church policy recommends against installing any rogue equipment (inserting our own equipment instead of using what the FM group provides is NOT the way technology is supposed to be run).

I know that it is a common thing in enterprise-grade networking equipment to be able to set up separate subnets and/or SSID, where you can configure priority levels of service based on which subnet a client is connected to, or even based on client MAC addresses. However, in browsing through tm.lds.org, while the firewall equipment itself may be capable of such a network setup, the interface exposed to STS does NOT let me tweak anything along those lines (I can see that my firewall has three zones: USER serving 192.168.108.2 - 192.168.111.254, with all the Meraki AP tied to that zone; then FAC serving 10.173.33.2 - 10.173.33.14 and SP serving 10.156.171.2 - 10.156.171.254) - but no way to add a new zone, or to switch an AP over to a different zone, or anything else that would let me set up priority traffic for leadership.

Does anyone have ideas or solutions they have used for giving guaranteed bandwidth to leadership while still remaining compliant to policy? Or is this something where I will gently have to inform my stake president that as important as his calling is, I still can't bend the rules to give him better Internet access than anyone else in the building?

ebb9 wrote:I received a request from my stake president asking if there is any possible way that I could configure the system in the stake center such that there were guaranteed bandwidth available to the leadership.

None that has been revealed.

ebb9 wrote:Or is this something where I will gently have to inform my stake president that as important as his calling is, I still can't bend the rules to give him better Internet access than anyone else in the building?

I think you've just answered your own question.

It's not just him, but the clerks and others doing church business. I think your best plan is to change the filtering level.

Or turn off the AP’s assuming that the Clerk computers are hard wired to the network?

Biggles wrote:Or turn off the AP’s assuming that the Clerk computers are hard wired to the network?

The stake center building is old enough that it did not come with any in-wall wiring. The stake clerk's office has a hard-wired connection obviously added after the fact in a conduit from the drop ceiling, but the three ward computers rely on wifi (and I have no idea how hard it would be to add more drop-down conduits to those additional rooms). Thus, killing wifi APs would negatively impact the ward clerks. That, and the stake president is a fan of his ipad which has wifi but no RJ45 port. Even if I turn off the Meraki AP, someone would undoubtedly be turning the hard-wired port into a wifi AP (at least the stake president was nice enough to ask me if I'd install his AP, rather than trying to do it himself - because I'm sure there are other stakes out there where leaders have completely bypassed the STS for an even harder-to-audit situation).

(funny story: while I was auditing the equipment, I noticed the ward clerk computers had their wired ports cabled up, although Windows reported no internet access from the wire. Tracing the cables, I found them connected to a box labeled "3dds.com Keval Online" with that box further connected to a landline phone jack with no dial tone - it looks to be a really old modem from a company that is no longer in business, and that the previous STS faithfully kept the connection cabled across computer upgrades long after the land line phone was no longer useful, and without realizing that the ward clerk computers now depend on wifi)

ebb9 wrote:The stake center building is old enough that it did not come with any in-wall wiring. The stake clerk's office has a hard-wired connection obviously added after the fact in a conduit from the drop ceiling, but the three ward computers rely on wifi (and I have no idea how hard it would be to add more drop-down conduits to those additional rooms).

That, my friend, is where the FM folks come in. The installers they contract with have wired buildings of every kind of configuration and age. It takes FM budget money to hire the contractors, so if funds are tight it may have to be budgeted in for a future year, but this is who the stake president and/or PFR should be dealing with. I applaud your creative thinking, but there's only so much an STS can do. IMO, hard wiring all the ward offices should be the next move.

BTW, who is your ISP and what kind of bandwidth are you getting?

Mikerowaved wrote:

ebb9 wrote:The stake center building is old enough that it did not come with any in-wall wiring.

That, my friend, is where the FM folks come in.

Agreed. My stake center was built in 1941 using the then new "continuous pour" cement technique. All church computers are hard wired. Done by a contractor hired by FM.

Mikerowaved wrote:BTW, who is your ISP and what kind of bandwidth are you getting?

This is something worth looking at. It may be worth calling around and seeing if you can get more speed at a reasonable price.

Probably the best way is to set up an entirely new zone for those in leadership. Most major filtering solutions allow for this, where you can set policies for different workgroups and this approach is the most commonly used to manage bandwidth use. For example, leaders would have access to a few more sites than members would in meetinghouses, examples would be cloud storage where they might have something they need to show and they would stream from that, or some other sites that provide practical tools they might need.

On a given Sunday, members in meetinghouses only need access to Church resources and apps, there may be a way to block apps outside of that--there is a lot of talk about that in the commercial space, I think what the real problem is is that those who manage what is allowed or blocked on the general level got the sites OK, but not the corresponding apps, almost every site named in the April email and some things later has a corresponding iOS and Android app.

Then there are the VPN tunnels, someone said we got the two or three biggest ones app, but not the rest or only a few of the rest and there are a lot. It is whack-a-mole on those though, block one and they will find another, and new ones are created all the time.

I just thought of another, unexpected issue, one that is unexpected because we may not have realized there might be a problem.

Some meetinghouses contain an FHC. The machines there are normally in the FHC zone, and FHCs have wifi. So, the problem there may be that some that are near the wifi are getting on through the wifi that is on the FHC zone as that allows some sites that are necessary for FHCs such as the partner sites to be accessed through wifi, and their apps, and it is in some aspects different than the site listing in the Normal mode or Strict mode.

So, while they may be going through the firewall, the WAP may be on a different zone than the rest of the building, and anyone near that WAP may be getting to sites that are blocked where they are on a different zone. That WAP should be off when the FHC is not in use, and only on when the FHC area is in use.

JamesAnderson wrote:Probably the best way is to set up an entirely new zone for those in leadership.

Just to be clear, that option isn't available to us as stakes/wards. The filtering is set at the firewall level, not the zone level.

To Implement such a thing would require somehow logging into the network so the network can recognize the calling the leader holds. The problems with a different SSID/password is that in a short period of time all the "cool kids" have that information.

The church was contemplating this, until they discovered that it would in insecure unless the STS installed certificates on all the leader's devices.

JamesAnderson wrote:The machines there are normally in the FHC zone, and FHCs have wifi.

In my last conversation with someone in networking, I was told that FHCs technically didn't have WiFi, that it was expected that people would be using building WiFi. Of course, I know not all FHCs follow that. Also, I was told that currently there's no difference in filtering between the USER zone and the FAC zone.

russellhltn wrote:The filtering is set at the firewall level, not the zone level.

Actually, the SP zone used for FHCs has a different filtering level than the USER zone the members use. It is the USER zone that changes when an STS changes the filtering level.

I do not know how the FAC zone filtering works.

You are correct that the stake cannot add additional zones. Those are regulated by headquarters.