Domain: nocat.net
Stories and comments across the archive that link to nocat.net.
Comments · 86
-
My thoughts
A few things I would consider:
1. Security: security of your network - at a basic level you'll need to make sure your devices are patched. For more security you might want to use a separate SSID and VLANs etc... You could look at something like the Cisco 861W routers for these and more features.
2. QOS - I wouldn't let those connecting for free get better bandwidth than you! You'll probably want to use QOS to give your own devices a higher priority
3. Bandwidth limiting - unless you have truly unlimited internet then you'll probably want to limit bandwidth somehow (e.g. 100MB per session?).
4. Misuse - If you're giving away free, anonymous internet then it's possible that someone will misuse it. How would you feel about a knock on the door from the police? Should you be keeping logs? Should you only allow people free internet after they've knocked on your door and shown you some kind of photo-ID (e.g. driver's license) which then means you've got to create accounts and probably keep logs, *sigh*.
I know that here in Australia all McDonald's restaurants provide free wifi. Some of them (but not all?) get you to agree to some terms and conditions.
Perhaps you could protect yourself legally with something like that (e.g. NoCat).
Unfortunately, after considering everything you might find that the risks (legally a lot) might outweigh the return (a warm fuzzy feeling).
For me the happy medium is to provide free wireless to everyone living in my house and my friends that visit. I can't be bothered setting up the legal work for strangers. -
I'm open
If folks borrow my internet, that's fine by me. If they park for a while I ask them to move along.
Frankly, I'm very disappointed that the http://nocat.net/ project seems to have died off. I would very much like a standard distribution where I would monitor and modify access to my wifi using a trivial web interface. A micro linux or *bsd ROM image with a couple of configuration files that I could run in a VM would be ideal.
-
Re:Stupid rednecks!
The problem with that is you'd have to maintain logs of everyone who connected and what they did to disprove if someone did something illegal that it wasn't you (which even then, it's hard to disprove it wasn't you). RIAA, etc. is going to say your Public IP was sharing such and such, or law enforcement may say you did such and such, and you're left holding the bag.
I used to run an open WAP (freenet.artoo.net), and even had a proxy setup (NoCatNet) to filter access and block smtp outbound access and log who was logged in, etc., but I just won't continue to maintain such a thing with the legal climate these days. I don't have time for the hassles it may cause me, especially when I refuse to download or possess any copyright material I didn't buy (or legally get, like recording off my own cabletv), so I know there is no way any legit claims can come in. -
Mod Parent Down, Please!
What you describe is not only incorrect but way overthinking.
Go read up here. -
Re:Goats
http://nocat.net/
Essentially what TFA is doing. If your point is to keep people off your bandwidth, this will do it. It won't, however, keep them from sniffing your traffic and invading your LAN.
It is still a great piece of software, I currently work for a company whose product is exactly this, commercially (for hotels etc.)
www.solutioninc.com -
Take back *our* Internet.
Perhaps it is time to take back *our* Internet, and more importantly, *MY* Internet. While I am only a generic sysadmin, and not Vinton Cerf, I did help build the Internet in what it is today. I worked at ISPs, webshops, and software huts. I took care of Internet customers. I told everyone how useful the Internet was. I posted to Usenet, sent emails, published videos, toyed with mashups, and other things. I helped make the Internet work, even if only in a teensy tiny small way.
I want to continue to experiment with everything Internet. I want to post, and send email, and publish. A tiered Internet would not make that financially possible for me, if I have to have two or three colocations to publish my stuff. Or, by not being an approved corporation that is allowed to reach certain network endpoints, how do I reach my intended audience?
So I suggest that the Internet's users take back what is rightfully theirs, and ours, and more importantly to me, mine. We can build our own infrastructure, which some groups have already started doing. Go get some wireless gear. Learn about it. Go wardriving. Have fun at a Wi-Fi shootout. Know the geeks in the area. I think the best way to take back our Internet, is to own a larger piece of it. I think the only way this can happen, is if there are more of us interested in wireless networking -- enough of an interest to start taking this more seriously.
Boy do I wish I were a better salesman sometimes. -
ChilliSpot or NoCat with NoCatSplash
Take a look at ChilliSpot, which is an open source captive portal -- http://www.chillispot.org/.
Another option (already mentioned) that would work with the is to run NoCat http://nocat.net/ on a "server" along with NoCatSplash on the WRT54 (see http://nocat.net/~rob/wrt54g/ ).
Take a look at http://www.slcwireless.com/ to see how they are providing free wireless to locations in Salt Lake City, Utah.
Good luck! -
NoCatAuth NoCatSplash
Well, I was just going to use my mod points to mod up whoever posted the first link to this site:
http://nocat.net/
But since nobody did, I posted it myself. -
Have you looked at NoCatAuth?
-
NoCat
I think NoCat is what you want. Their page mentions that it's ported to the WRT54G in a couple of different versions.
-
What's the problem?
You may be anticipating a problem you'll never have, i.e. people sucking your bandwidth and sending spam. Why not leave it open? I do with mine. I think it's important to share bandwidth. I worked for a company in San Francisco with a DS3. I built a Wi-Fi network for them and convinced them to share it with the public. It wasn't a problem (however, I did put it in the DMZ and block port 25 just in case).
If you still think you need to have usernames and passwords try nocat. It handles authentication but I usually use it for a splash page for access points I build from old laptops.
Good luck. -
Re:Lock it all up == no free hotspots
Community Wireless doesn't mean sharing with all, but with your community.. There are many ways to do this.. 802.1x.. http://nocat.net/ is another. And that is what community wireless groups do.. they build systems of authentication for their communities to access their networks. Simple really
-
Ideas
Overall I would say that it depends on the area that the coffee shop is in and what sort of customers the owner is hoping to attract. I say that kids in general will appreciate the wireless access but will most likely ignore it or abuse it. Business customers would definitely use it and would appreciate it, but there comes a point when they will start to abuse it.
My idea would be to set up something like a nocat http://nocat.net/ setup and base the authentication on something that can be added to the receipt. Obviously not 1,2,3,4 but some random number generator or something. I leave that up to your imagination, because it would be simple or hard depending on your implementation of a cash register. Give each number an expiration of a certain time. You can only log on from that time on of issuance of the passkey. So I buy my Latte, on the receipt is my passkey. Use it or lose it. Heck you could vary the expiration time based on traffic.
I would also hang a sign that gave some general guidelines. No illegal activity, nothing indecent, no taking others' Internet time.... And put something to the effect that violators will be banned. Physically and by mac address (well I wouldn't put that in the sign.)
Other than that, I would block all traffic except web. Secure administration policies, and no access to the equipment by the beverage servers.
That's all I have. -
Simple
Use a login system that makes everyone fill in their name and telephone number when they first attempt to connect to the 'Net from the shop. When the name and tel are submitted, the script gets the IP address, connects it to a MAC address and puts it in a database.
From there, have all traffic in or out be logged. The traffic won't be that high, really. Set up a spare box with a Dual-Layer DVD burner and a nice sized hard drive to hold the logs. Burn stuff off any time you have the 9.5 GB (or however big DLDVDs are). I highly doubt you'll burn off more than one CD a week unless you get some serious traffic.
If things come back to you in a lawsuit (be it a subpoena or even someone looking for evidence), you've got your logs. If someone falsified information, they've committed a crime of a different kind - one for which you can't be responsible.
Wait, did I just describe a simplified version of NoCatAuth? -
Re:Hooray!
This of course is the source of the free wifi "organiser" http://nocat.net/ URL.
-
Re:Every ones talking about 2 hour vouchers
NoCatAuth
http://nocat.net/
Nice captive portal and highly configurable. -
Re:m0n0wall or NoCat
Briefly looking over the M0n0wall website, it appears to be just a firewall rather than a wireless hotspot solution. Did I miss a feature or did you fail to post all of the configuration modifications that you had to make in order to turn M0n0wall and FreeRADIUS into a captive portal?
I'm not trying to be offensive but, how is M0n0wall better than the likes of ZoneCD or NoCat Auth? I understand that 'you' found NoCat complicated as compared to M0n0wall but, is that an accurate assessment or is it simply your situation because of your preference to BSD?
-
I'm pretty sure
NoCatNet will do what you need it to.
NoCat -
Here's how it's done
This is old news.
Set up a regular access point.
Install a web server like NoCat.
Substitute the NoCat splash page with a copy of the T-Mobile (or whatever) login page. You can use wget to grab this.
From there you use a plain old cgi script to pipe the userID, password, credit card number, etc. into a text file. -
Re:What I really want
What you really want is something like NoCatAuth (described nicely by this article). There are plenty of other similar solutions out there - look for 'linux wireless authentication gateway' or something similar on your favorite search engine.
-
NoCatAuth starting point.
NoCatAuth would be a good starting point. It'll at least provide you with a captive authentication system. In order to surf, they'd have to log in. Thus, you could control how and when they log in. Now the only thing you'd have to look into is limiting how long they stay authenticated. This may or may not already be in there.
-
NoCatAuth
NoCatAuth is what you are looking for. Authentication is required before access is granted beyond the local network with all traffic being redirected to a login page that you can specify.
-
Fiber to the home
Meh, I'll just get verizon's fiber to the home service. Then set up a Less Networks node, roll my own NoCat Auth AP or join one of the great Area Wide Wireless networks.
Verizon is just a 500lb gorilla that can't see more than 2 inches in front of its face! -
Dates matter
The patent is dated May 1, 2001. The earliest download I can find for NoCatAuth is dated July 12, 2001. I so believe this patent.
-
Re:How did they know?
It's called "NoCatAuth". Read more here or here.
Pro|Structure of Portland, OR has two guys that have got Linux running on, I believe, a Linksys WRT54G. NoCatAuth is included. Otherwise, if you feel slightly more adventurous, you can install Linux on an old laptop (I used an old P2 Compaq) with a wireless NIC and a wired connection and, voilà (aka a lot of time and configuration later) you have wireless.
-
Re:Some on purpose to promote free WiFi.
No such forced terms of service exist for open WAPs that I know of unfortunately
There are a few: anyone thinking of running an open Access Point should strongly consider the use of something like the NoCatSplash firmware (if you've got a WRT54G). This'll turn your AP into a "NoCat open portal", which means that users will be presented with a "splash page" of your choosing, and must click a button before they can access the network from your AP: instant ToS agreement/disclaimer. Also, you'll need to make sure all logging is turned off and there's no way of recording or knowing who is doing what with the connection; this'll then protect you - at least to some extent - though, like you say, you'll probably still be breaking your own ISP's ToS, and maybe other laws (depending on where you live).
There are plenty of other firmware hacks for the WRT54G (and similar) around, too, check out LinksysInfo.org for more details. There are a good few that include similar features to NoCatSplash, plus enhancements such as the "ping" hack (to boost the AP's signal strength), in an easier-to-use firmware: for example EWRT. Oh, and Seattle Wireless is another good source of information.
Of course, IANAL and I don't play one on TV; the fact of the matter is that if you want to run an open AP and *really want to be certain of the legal issues & ramifications* then - gasp - you need to speak to a lawyer! ;) -
Re:Some on purpose to promote free WiFi.
> To get access to the AP, you need to try to pull up something in your Web browser. When you do, you first get redirected to a page that says, "Hi, welcome to our network!" or something similar.
Isn't this what http://nocat.net/ does? But then I am a newbie, so may be confused
... -
Re:home based wireless lan's
The issue with WEP is that there are predictable packets where you can slowly derive information, and eventually obtain complete key recovery, and increasing the keylength only increases the difficulty LINEARLY, not exponentially.
Normally when you add a single bit, it doubles the time for brute force attacks. Instead of being TWICE as difficult when going from 40 to 41 bits, it's only 1/40'th more difficult.
You need to collect about 2GB of data to recover a 104 bit key, on the average.
Now... that all said, it's arguable that if you even use a 40 bit key that you are proclaiming your network PRIVATE, where unauthorized use is actually a criminal offense. In other words, any use of it requires actually attacking the network, not just turning on your computer, which typically meets or surpasses any implied consent requirements. You will discourage anyone that wants to "ethically" borrow wireless by setting a WEP key.
It's kind of like locking your screen door. It's easy to get past, but pretty obvious it's breaking and entering.
If you're interested in providing an open network but with a "I won't break your network or the law" agreement, check out NoCat. -
NoCatNet!
I've been meaning to set up a system using NoCat.
It creates a splash-screen authentication at first connection. Either that or mandatory VPN. -
nocatauth
Check out NoCatAuth at http://nocat.net/.
This software provides an "Active Portal" which basically means any web traffic is redirected from wherever it was supposed to go to some specified machine.
It's not a difficult thing to do manually either with iptables. (from memory it's something like: iptables -t nat -I PREROUTING -p tcp --dport 80 ! -d localnet -j DNAT --to-destination localbox). Just make sure you have a DNS server running that sends all requests back to your IP or else their browser will give them an error.
From there, you just set up and run apache on 'localbox' and you're off!
-
Re-badged NoCatAuth?
Has anyone raised this issue up? Is it just me or does this look like a hacked version of NoCatAuth that first serves as a proxy for accessing and paying via your PayPal account? For those of you who are not familiar with NoCatAuth, it's:
centralized authentication code that make shared Internet services possible.
On the wifi network, it essentially forces the wifi client to use a proxy and before allowing you to access anything else, it will pop up a web page for you to enter a login and password. By logging on, NoCatAuth can keep track of all the users on the wifi network. Hmmm, sounds a lot like linspot to me. -
NoCatNet
Have you looked into NoCatNet? The group works on a wireless network and the software that makes it possible (NoCatAuth). From what I gather the preferred configuration involves a central authentication server separate from each gateway.
-
Re:Equipment cheap. Labor NOT
You don't need super expensive cable running all over creation.
The max speed of the WRT54G is 54 Mbps which is a little over 1/2 the speed of 100 BaseT. Any Cat 5 will be more than enough as long as you're careful.
Depending on the size of the building, this really shouldn't cost you much over 2K (including gear) if you are willing to learn how to do it yourself.
Also, you shouldn't have to worry about bandwidth hogs at the AP level. You should probably do that at your NAT box. Check out something like nocat. All you really need to do is set up QoS for certain groups you already know of (like residents) and let others connect but put them in groups who get allocated much less bandwidth.
Also, I think 7K can still be considered a gift and should be tax free...but you should double check that.
Also, if you're really serious about gaming and you're already running cable to each floor, why not put a cheap 100BT switch on each floor? -
May be invalid for most purposes
According to this article on the NoCatNet mailing list.
-
Go with a hacked Linksys WRT54G
Well, there is a great community of firmware hackers who have figured out how to write custom firmwares for the WRT54G, you can find them here at this Yahoo Groups board.
Things have come quite a long way and the latest firmware one enterprising individual has created has stuff like:
- Option to give wireless interface a separate IP/network address
- NTP timeserver time update
- Wondershaper bandwidth management
- Command Shell access via the WWW interface
- Client/AP mode select to WWW interface
- Enabled IP forwarding on boot
- Power adjustment and Antenna selection via the WWW interface
- sshd (dropbear) and telnetd (busybox 0.60.x)
- sshd, telnetd on/off controls to web interface
Also, you have a single box solution that is easy to maintain and will preserve its settings on a power cycle/reboot (assuming you have a version of the firmware with NoCatSplash built in, which I think is out there somewhere, or you could compile a firmware yourself if you have the skills).
DaveC
-
Re:wep key on receipt!
all you need is one or two 486 class Linux PCs and NoCatAuth
to set up a gateway server and an authentication server. It can regulate the access of anonymous users and grant better access to authenticated users. (anonymous users can be set up to only be allowed to certain sites ...the auth server as a minimum... or given really limited access to the net , your decision.) User passwords are kept in a MySQL database, so you can have a program change the user ids and passwords on a regular basis.
-
Re:Best ones are free
For an open hotspot, I would suggest using NoCatAuth. Even for an open, free-for-all hotspot, NoCatAuth can be set up to require users to click past a disclaimer screen. This forces the user to accept usage terms before getting Internet access, which is perhaps a greater indemnifier than a sign out front saying "Security not provided".
-
Linksys WRT54-G does it all with NoCatSplash
The Linksys WRT54-G does it all. You can compile and run NoCatSplash for it, and take credit card or other authorization. Check it out at SeattleWireless.net
-
802.11a vs. 802.11b/g
I'd never consider 802.11a at this point, the marketshare is all in 802.11b.
So, the next question is, should you go 802.11g (~54mbit), which is backward compatible with 802.11b?
How fast is your internet access going to be? Is it even going to be faster than 802.11b will provide (11mbit)? If users want to do laptop to laptop transfers, they should just use a crossover ethernet cable (100mbit). Hint: Most ADSL is 384kbit and will let you grab ~1mbit when things aren't busy at the ISP. 1mbit is "fast" for most folks.
IMHO, the owner should just see it as a way to increase his customer base for his existing revenue model, and have a cool thing to do when things are slow (but need to keep the other employees in check if things aren't getting done and he's not there all the time).
Further, I'd suggest a caching engine like Squid, which can help with content filtering as well (say for employees, make them login before they can surf so you can track their time, etc.). Squidguard is my filter preference for filtering and there are many free content DBs online.
I'd be filtering porn sites, probably gambling, probably hate sites, etc., as I'd not want one customer offending another with graphic images. Of course, you could say MYOB and tell the guy to sit where no one can see his laptop, whatever...
NoCat is a good authentication model as well just so you can track folks in case something illegal is taking place. -
Re:No PC
Unless there's some option I'm missing, my Netgear access point does not log when users come on/offline
If that's the case he should not buy a netgear.
Linksys I know for sure does log MAC addresses in the DHCP log.
Mind you the DHCP log doesn't help if they hardcode an IP.
Something like nocatauth on a small PC running Linux would solve these issues, because then everyone would have to authenticate with a username and password and that could be logged quite easily. -
nocat.net
Check out these folks. They have everything you need for your purposes. Here is their wiki for some more info about the actual software involved.
-
Re:I think your estimates are way too high
you can do it with far less hardware.
802.11b is the absolute maximum you should go. it's silly to go higher when your Internet access is slower than 802.11b with 10 users on that same access point.
next you need a firewall, a P-1 166 will do it perfectly and handle twice the load that you will ever see ... this is a freebie most anywhere... no hard drive needed just get frasierwall or freesco single floppy firewall distros... you MUST firewall off your wireless from you and your internet... consider it more hostile than the internet ever could be.
now go to here and get their system that works great and will solve most all your worries.
Oh and be sure to survey your entire area to be sure there is good access in every sitting location but not much available outside your desired coverage area.
basically, if you already have a commercial T-1 or other business level internet access in your building you can get it installed and running for less than $200.00 in hardware and a couple of weekends of time.
-
Seattle wireless network
-
NOCAT
Check out:
http://nocat.net/ -
Obligatory NoCat.net Link
If you're interested in community-sponsored wifi projects, you should take a look at this. It's run by Rob Flickenger, the guy who wrote Linux Server Hacks and a couple of wifi books for O'Reilly.
-
There is linux support for the server
Check out the Linux MediaServer - there is a server available for Linux. No UI yet, but Rob Flickenger made a nice perl script to catalog your media files for the MediaPlayer.
-
Re:JunkBusters Script and Answering machine
Actually, it's a slightly more modern eComstation box. Also CDS also makes a Windows and a Linux version.
Besides, old computers cost nothing and can still be put to lots of uses such as killer voicemail/fax platforms or NoCatAuth routers and web servers (good enough for a DSL pipe).
Also, my old eComstation box has a REAL voice modem instead of one of those useless winmodems. If you want to do quality voicemail, you almost have to use an older computer.
I don't understand why everyone doesn't do this. It kicks ass over those Radio Shack answering machines. Having full control over the scripting means I can do stuff like have a different greeting message for different callers, do fax on demand and even kick off shell scripts by punching in various codes. Before DSL became available, I had it set up so that I could call my computer, punch in the password and initiate a script that would hang up the phone, dial up my ISP and send me an email with the dynamically assigned IP address so I could "home from work". The possibilities are endless. -
Try the Linksys WRT54G
You may not need the wireless capabilities (which can be turned off), but you can administer it via a pretty simple HTTP interface, or better yet, get root access as it is running Linux with iptables and telnet into the sucker. Some have gotten it to work with SNORT or as a VPN server and other stuff as well as a SSH Daemon. There is also a way to run NoCat on it if you want to use it as a public wireless gateway. If you want to write your own apps to run on the router's 125 MHz MIPS CPU, there are pre-built cross compilers available as well.
Most of these enhancements to the stock WRT54G can be accomplished as changes to its filesystem's ramdisk so that they are not permanent and a simple reboot of the router will get you back to the non-hacked state. If you're feeling brave however, you can try to create your own firmware and commit it to flash at the risk of messing up and creating a small doorstop out of a perfectly good router.
Unfortunately the built in capabilities accessed via its HTTP interface are a bit slim and simplistic (i.e. no SNMP router logging and the built in logging capabilities are VERY basic, only 5 port filters, no Static IP assignments based on MAC addresses, no port triggering) but par for a home/office grade router. Besides, you could always add what you want via your root linux access neh?
Reviews of the router performance have been positive, with little difference in bandwidth in running with WEP on or off (unlike many other inexpensive wireless routers, which have up to a 50% reduction in wireless bandwidth with encryption turned on).
Pretty exciting to have a little router that has the potential to do much more than the usually lukewarm manufacturer's firmware allows.
Dave