Providing free wifi?

[VaKo]

A lot of people want to lock out wifi access completely, ie have no one be able to access it apart from trusted computers. But after moving house, and spending 3 days looking for a unsercured WAP I know how much being without the internet sucks (took me 2 mins to find an address on the net, without the net I'd spent 2 days phoning people and getting nowhere). So my idea is to provide free basic wifi to strangers, no P2P, no network access, limited speed etc. Just enough for people to be able to check there email, browse the web or us an IM client.

But I also want to have a set of my own wireless computers that have full access to my LAN.

So far I've thought of using 2 WAP's, a more expensive system. Or VLANS, but that only seems to seperate out the cabled from wireless. Or a RADIUS/Chillispot style system, which I don't know enough about. Can they provide 2 classes of users on 1 WAP? One which is limited, and one which is full access.

My main worry with this is that someone will abuse the free internet, so how would I prevent that, and keep the limited class of wireless users in there own sandbox area?

[stingwray]

Ok, they way I would do it is with a wired router which acts as the gateway and the wireless access point. Probably cheap routers wouldn't be able to do this, so you'll need something like monowall or a more expensive router.

Anyway, on the router you'll have three interfaces, WAN, LAN, OPT. WAN goes into your modem or however you connect. LAN goes into your wired network around your house. And then your WAN goes into your wireless access point.

Then with monowall, setup up a firewall rule that prevents traffic between the two interfaces directly. This prevents them from people on your wireless network from contacting the wired network. Then using monowall or a seperate VPN server set it up that the VPN connected computer will appear on the wired network side of the firewall. That way you can use your wireless and get into your wired network with VPN access, and leave the wireless unsecured for other people to use.

Probably then you would want to put some firewall rules between OPT and WAN to prevent all traffic except on ports like 80, its not going to prevent people from doing P2P on it but it will stop them somewhat.

To be more advanced from that you can use Captive Portal, which on the page that it will automatically load to log in can have the details for a Guest account, then you can start limiting the number of connections etc. that individuals have.

You can also have the DHCP server on the OPT interface assign subnets of 255.255.255.255 which means they will only be able to talk to themselves and the gateway. Just another little thing to deter some script kiddies.

[Arsenic]

I move around alot, and I know what it's like to not have interent and to have to run around trying to find something open. Latley I have been using my cell phone to get online with a whopping 15k connection (it could be better if I had a slightly newer phone :cry: ).

[VaKo]

<snip>

Now that is pretty much damn perfect. With m0n0wall, and wireless, do you need a seperate WAP? Or will a compatible wireless PCI card with an external antena be enough? Any idea how monowall works with wireless and which cards work?

[VaKo]

I move around alot, and I know what it's like to not have interent and to have to run around trying to find something open. Latley I have been using my cell phone to get online with a whopping 15k connection (it could be better if I had a slightly newer phone :cry: ).

Yeah, i've been doing that. But my vista beta didn't work with my treo DUN so I was stuck. Just thinking that we don't use all the bandwidth all the time, and we have unlimited downloads, and we don't pay for it... so we may as well share it with people who need it.

[armadaender]

Just out of curiosity, have there been any cities in the UK that has considered implementing city-wide wireless access? My home town (around 1 to 2 million residents) is considering this and I always wondered if the UK or elsewhere in Europe had as well.

[stingwray]

Now that is pretty much damn perfect. With m0n0wall, and wireless, do you need a seperate WAP? Or will a compatible wireless PCI card with an external antena be enough? Any idea how monowall works with wireless and which cards work?

Monowall doesn't work brillantly atm with wireless, because it is still based on FreeBSD 4.2 which had very limited support for wireless (a few 'b' chips and that was it). So I wouldn't recommend using only a monowall box atm (v1.3 of monowall is going to be using FreeBSD 6.1 but thats probably a few months off).

Plus, I have read things on that using wireless cards for access points isn't the best. All of them don't work as well as something designed to be an access point and some can't be put into a mode where they can work.

On another not, I don't know if when using the wireless features of Monowall that it comes up as another interface or just an extention of the LAN interface. I've never got into that detail.

Another plus of using a seperate wireless access point is that you can place that better, for maximum range. Your monowall box is likely to be some sort of old desktop, so therefore loud and ugly. I have my monowall box with my servers, but my wireless access point is downstairs in a more central location to make wireless reception better.

On another note, I have just thought that you might want to add QoS to your wireless connections that don't go through the VPN pass through. That way people won't be able to steal the whole of your connection, and perhaps limiting each wireless user to say 15KB/s would prevent them from downloading loads, but give them enough to check a few sites, e-mails and IM etc.

The only thing you have to be warned is that I seriously doubt that the T&C of your internet connection will allow you to allow other people access to your internet, freely or for profit. So just be careful.

[VaKo]

Non that I know of... BT is implimenting something called Cloud, but this looks like a pay system. No one as far as I know is planning on setting up basic free wifi over here. That might change since the EU mandated that internet access is a basic provision along the lines of water & power. The main issue against it is that computer uptake is not as high overhere as it is in the states. I still know people who have never owned a computer, and still watch VHS tapes. So you'll find pockets of wifi activity here and there in the more affluent ares, and vast areas of dead air in between. I'm guessing that once BT Basic (pretty much the crappest UK ISP package) starts giving away free wifi kit this will change, but its still limited today.

[armadaender]

<snip>

Still uses VHS tapes? I havn't touched one of those in years.

Ok, that makes sense, thanks VaKo.

[stingwray]

There is a spainish company (I think) that is "selling" linksys wireless routers for $5 or £5 (yes, they really need to sort out their exchange rate) in return you have to sign up to their scheme in which your share some of you internet bandwidth.

It still has the problem with the ISPs that say that your not allowed to though.

You just have to look at the rest of Europe to see how crap englands really is for technology. Less than 30 miles from where I live, going east into france. I can pay the same amount of money a month for what I get 2Mbps ADSL, to get more than 50Mbps ADSL.

The BBC is only just starting HD trials with about 600 houses in england, if you want HD you have to go with bSkyb at the moment.

At least though we do have more than three ISPs in this country and no fear of any kind of Net Neutrality problems cropping up.

I think it just stems back to the fact that everything was owned by the government, there was no competition to bring the best telephone services etc. so therefore there was no innovation.

You just have to look at the fact that BT has only just started opening up their exchanges so that other ISPs can get some hardware into them to make things work better.

[tabath]

Simplest thing to do is just use two routers , the one with the "public" access upstream from the one securing you own network, or am I being thick here and not getting exactly what it is you want to do? :?

[VaKo]

Simplest thing to do is just use two routers , the one with the "public" access upstream from the one securing you own network, or am I being thick here and not getting exactly what it is you want to do? :?

Its the simplest solution, but it also involves spending more money. Going to look into the simple options such as VLANS, VPN's and RADIUS first.

[metatron]

Simplest thing to do is just use two routers , the one with the "public" access upstream from the one securing you own network, or am I being thick here and not getting exactly what it is you want to do? :?

That’s what I do. I have three AP’s and one is left open and I just limit it’s speed and log the traffic to see if anyone is doing anything interesting.

[stingwray]

Simplest thing to do is just use two routers , the one with the "public" access upstream from the one securing you own network, or am I being thick here and not getting exactly what it is you want to do? Confused

He wants to be able to provide free wifi for people who need it because they are away from their connection for a long time and need to check e-mails and browse a few websites. And of course do it securely.

Using two access points might be slightly simpler, but with my method you can save yourself money by having only one access point. Plus I think my method would provide a more secure approach, for both his use of wifi and other people.

Also, with SOHO hardware I think it would be difficult to get it to do some of the things, like prevent packets from going where they shoudn't.

[armadaender]

Simplest thing to do is just use two routers , the one with the "public" access upstream from the one securing you own network, or am I being thick here and not getting exactly what it is you want to do? :?

That’s what I do. I have three AP’s and one is left open and I just limit it’s speed and log the traffic to see if anyone is doing anything interesting.

Anything worth mentioning?

[tabath]

ahhh.....can see what you mean on the cheapness front but securitywise its the easiest and most secure......esp. if they vpn routers. Just need a win on the lottery.

[metatron]

Simplest thing to do is just use two routers , the one with the "public" access upstream from the one securing you own network, or am I being thick here and not getting exactly what it is you want to do? :?

That’s what I do. I have three AP’s and one is left open and I just limit it’s speed and log the traffic to see if anyone is doing anything interesting.

Anything worth mentioning?

I get a lot of passwords and I like reading peoples emails and IM’s. :twisted:

[stingwray]

ahhh.....can see what you mean on the cheapness front but securitywise its the easiest and most secure......esp. if they vpn routers. Just need a win on the lottery. Laughing

Didn't cost me anything. All you have to pay for in my solution is the hardware. Which would be one Modem, Old PC, and Wireless Access Point.

You've just got to look at Apache to know that you don't have to pay for the best server software around.

[tabath]

ahhh.....can see what you mean on the cheapness front but securitywise its the easiest and most secure......esp. if they vpn routers. Just need a win on the lottery. Laughing

Didn't cost me anything. All you have to pay for in my solution is the hardware. Which would be one Modem, Old PC, and Wireless Access Point.

You've just got to look at Apache to know that you don't have to pay for the best server software around.

Well i will agree on the apache front - just this once mind - I'm deffo not gonna agree with anything else at all.

[armadaender]

Simplest thing to do is just use two routers , the one with the "public" access upstream from the one securing you own network, or am I being thick here and not getting exactly what it is you want to do? :?

That’s what I do. I have three AP’s and one is left open and I just limit it’s speed and log the traffic to see if anyone is doing anything interesting.

Anything worth mentioning?

I get a lot of passwords and I like reading peoples emails and IM’s. :twisted:

Not bad, I'd do the same but I live in suburbia, most people around here have their own set-up. Which makes for easy bandwidth theft. :twisted:

[VaKo]

Could you set the SSID and channel to the same as a targets, and crank up the power on your setup, so they connect to you instead of there own AP.

[Snowy©]

The cloud is supposed to be covering ALL of London

Nintendo DS's get free wifi access from most public wifi points across the world (The cloud included - Opera for DS due soon in Japan - and some people are saying they get free access using homebrew too!)

Virgin is about to market for NTL/Telewest and will offer 50 MB connection with IP streaming HD TV

Oh and it's FON who are doing the £5 router thing you get one share your access and in return you get to access through all the other FON users access points anywhere anytime :) - Someone has already hacked the router though so it say's he is online and accessable when he's locked down his network.

Bandwidth filtering is a feature I haven't seen/read about in any router (sub £100)... anyone seen a sub £100 router with it in???

Edit isn't the bad thing about this child porn? as in you'll be the one they come to crucify first???

Edit Edit Erm don't Wifi Routers slow all connections to the speed of the slowest device connected to it? (I think this has been removed in N series though)

[stingwray]

Bandwidth filtering is a feature I haven't seen/read about in any router (sub £100)... anyone seen a sub £100 router with it in???

Most of them I have seen have. QoS really isn't that big of deal. My old USR9106 had it with a firmware upgrade and that was £50 when I bought it two years ago.

Recently I bought a WRT54-GS to replace it and that came with QoS, and to my suprise a lot more filtering features. Such a blocking access to certain domains, so say your child was addicted to myspace then you could block them without needing to install horrible net nanny software on their pc.

So if that routers got it then I wouldn't be suprised if a lot more had it.

Edit Edit Erm don't Wifi Routers slow all connections to the speed of the slowest device connected to it? (I think this has been removed in N series though)

No, because the connection speed falls with distance from the access point, so if one person was really far away and was only getting 5Mbps it wouldn't stop someone standing next to the access point from getting 54Mbps.

Edit isn't the bad thing about this child porn? as in you'll be the one they come to crucify first???

Basic filtering of the web wouldn't be hard to add to the setup. And blocking just porn wouldn't cause too much of a problem for people surfing and finding other sites blocked, as there are some good blacklists of URLs to block.