Rental Home Wireless Networks?

Tangential asks: "I'm looking for advice. I have a rental home at the beach that I've equipped with Cable Modem and WiFi. After trying to use it with WEP for a summer I gave that up (life is far too short for me to talk every renter thru configuring their notebook). I would like a bit of control over who uses my system. I've blocked outbound port 25 (since my ISP doesn't), but what I'd really like to do is run something like hotels do, where you enter a password and activate your MAC address for a certain amount of time, Then I could just tell the renter the password and manage that remotely. I run OSS in my Linksys WRT-54G router at home (from Sveasoft) and I like being able to use a low cost router for such a function. I'd like to know what systems other folks have encountered that do this using OSS and mass market equipment."

Hassle

[turtled]

Sounds like hassle for people trying to get away from it all. Why not just a wired router/firewall. Does it have to be wireless? I would assume the vacation home isn't that big to warrent wireless... just my 2 cents.

Re:Hassle

[garcia]

Why not just a wired router/firewall. Does it have to be wireless? I would assume the vacation home isn't that big to warrent wireless...

Some of us do enjoy sitting on the deck and watching the ocean while getting some e-mail, work, or surfing in. In fact, if it's close enough to the beach, I'm all about sitting in my lounge chair (like the movie The Net) and doing stuff on the Internet.

I have mobile access via GPRS but would love to have a full broadband connection. YMMV.

Re:Hassle

[Profane+Motherfucker]

Not to mention that someone might want to check into their flight, see the weather forecast, look up local restaurant reviews, or do any billion fucking other things that people like to do on vacation. There's always someone who says, "DUH, you're on vacation. Like why can't you just enjoy the vacation?" Because IT'S FUCKING BORING EVEN ON VACATION TOO, sometimes.

Now, granted, that wasn't the issue in the parent, but I know that's what some hanyack is thinking.

PUBLICip

[SFalcon]

Try this.

Check out the features and see if that's what you're looking for. It's free!

Re:PUBLICip

[Eye+of+the+Frog]

That looks like a great solution. Pair it with this, stick it behind a wall, and you're golden.

Re:PUBLICip

Thanks for posting this. You've restored my faith in Slashdot for another six months. Keep up the good work.

PublicIP

[mr.+mulder]

I've read about Public IP before: http://www.publicip.net/ Perhaps it will give you the solution you're looking for.

Keep in mind..

[SocialEngineer]

Things like that aren't guaranteed - if you need to ensure that no user is using it for bittorrent, or anything like that, you might as well give up :)

For instance, if you leave port 22 open, your users will be able to set up a socks proxy through SSH (requires a box available on the 'net with SSH tunneling privs, but that isn't hard to get). If you have that blocked, but have ping open, well.. They'd have to have another box on the outside with admin privs, but they could also tunnel all the traffic through ping (I've seen it done before, never tried it myself).

You probably won't have to worry about the tenants doing this, but always be wary of wardrivers who are looking to leech some wifi.

If the benefits outweight the risks, go for it.

whats the point of trying to control it

[Suppafly]

what's the point of trying to control it? just leave it open.

Re:whats the point of trying to control it

[Jeff+DeMaagd]

what's the point of trying to control it? just leave it open.

I would take it as a kindness if the easy ways to block spam relays were taken.

On the right track..

I believe that Sveasoft (or somebody else) has a firmware for the WRT54G which will act like a "coffeeshop" type distro. Generate passwords, etc. Keep looking at the firmware.

Post Google:

http://www.portless.net/menu/ewrt/

and look into software called "nocatauth", which the above has put on a WRT54G

Luck

Re:On the right track..

[SillyNickName4me]

For people who have some Linux knowledge, I'd suggest looking into OpenWRT with Chilispot.

It basicly provides you with all you need for running a hotspot without bothering your users with new software or different settings. User connects, is directed to a webpage where they have to login, and everything works..

tunnel

[TheSHAD0W]

I would personally recommend running a server connected to both wireless and internet with routing between them turned off, and then log on to the server w/ an ssl tunnel for your outside connection. This lets you give individual accounts to people and prevents someone from sniffing the contents of your traffic to the net from the airwaves. I believe you can also control bandwidth per link, as well, but I'm not sure about that.

D-Link Airspot Line of Wireless Routers.

[JustAnotherBob]

Perhaps you are looking for a solution like this?
DSA-5100http://www.dlink.com/products/?sec= 0&pid=349/

Product Features: Creates Multiple Public Networks with Five Different

Authentication Policies

Supports up to 400 Concurrent Online Users
Advanced User Management with Traffic Monitoring and Policy Enforcement Product Description:

D-Link®, the industry leader in innovative networking solutions, introduces another breakthrough in the Airspot family of service gateway products. As the need for on-demand Internet connectivity continues to grow, the D-Link Airspot DSA-5100 Public/Private Hot Spot Gateway provides large establishments a solid solution for adding multiple public access networks while still maintaining the integrity of an existing private network. The DSA-5100 Hot Spot Gateway is a business-class service gateway designed to segment public and private network infrastructures. By adding a managed switch to the integrated public port, network administrators can deploy several public networks over a large-scale establishment such as a university campus or resort. Through the private port on the DSA-5100, the backend private network such as the campus operation centers or central office, can remain completely separate and secure.

To optimize and maintain network up time and performance, the DSA-5100 Hot Spot Gateway has two built-in WAN ports that support link fail-over in order to provide Internet connection redundancy. In the case that the first ISP's connection fails, the second link (if configured and conencted to a second ISP) will take over to ensure that Hot Spot customers with maintain uninterrrupted Internet access. The DSA-5100 supports virtually all WAN connection types including static, dynamic, and PPPoE Client.

The DSA-5100 Hot Spot Gateway also offers several advanced features to help manage and support up to 400 public users online at any time. Additional user management controls include bandwidth control, network policy enforcement, customizable user timer, login/logout web-page, online traffic monitoring, and URL redirection.

To ensure authorized network access, the DSA-5100 supports multiple authentication methods such as POP3, RADIUS, LDAP, internal user database, and external Web (HTTP or HTTPS) authentication. With support for 802.1q VLAN tagging, different authentication policies can be used per administrator-assigned VLAN networks for maximum security. In addition, VLAN tagging helps to segment and prioritize incoming traffic. For the private network, the integrated DHCP server and firewall with Denial of Service (DoS) Protection safeguards the network from malicious attacks and hackers.

Network administrators can manage the DSA-5100 Hot Spot Gateway and all of its features via the Web-based, CLI, SSH, or SNMP v2 management interfaces. With a wide array of convenient management utilities, the D-Link Airspot DSA-5100 Public/Private Service Gateway is an efficient and powerful hotspot solution.

Re:D-Link Airspot Line of Wireless Routers.

[MindStalker]

Sounds great, but my experience with D-Link products have been bad at best. The products I've bought from them were badly made and never worked as advertised. Have anyone used this product that could recommend it?

Re:D-Link Airspot Line of Wireless Routers.

[DrSkwid]

Amen,

Sometimes someone in our circle will crack and buy a Dlink because of some feature set. It doesn't take long to remember why we say "oh it's a Dlink, there's you're problem"

Re:D-Link Airspot Line of Wireless Routers.

[schon]

In March I bought a Dlink wireless router and a A/G card for my laptop, and they work exactly as advertised.

I can use the laptop anywhere in the house, and even out in the yard. The hardest part was getting WPA running on Linux (took me about 1/2 hour.)

I had a friend visit for a couple of weeks, and his iBook worked flawlessly with it too.

Re:D-Link Airspot Line of Wireless Routers.

The problem with anecdotes is that they're, ummm, anecdotes. My experience is just the opposite of yours - I had several Linksys products that were unreliable crap, but D-Link came in and saved the day each time. Thus I make my recommendations accordingly, with nothing but positive feedback from those who've taken the advice. Truth is that all products are crap, so we're both right and wrong!

No experience with the one in question here, though.

Re:D-Link Airspot Line of Wireless Routers.

[bhtooefr]

Exactly. Except for one USB WiFi adaptor that I soldered the USB connector down on, because they forgot to do it in manufacturing(!), D-Link's come through for me time after time.

Linksys, OTOH, has given me nothing but problems.

Re:D-Link Airspot Line of Wireless Routers.

[MindStalker]

I wonder if there is a certain section of D-Link products you buy. For instance with NetGear anything in a blue case works great. Anything with a grey box or some other fancy case works like crap. Thus I only buy their "commerical" line in the blue boxes and everything is fine. Linksys has a similar structure, buy only their commerical products, not their home products. My experience with Dlink on the other hand has shown they have equal low quality across the board so I don't know what I can trust.

Re:D-Link Airspot Line of Wireless Routers.

$3,000 bucks? $3,000 bucks? THREE THOUSAND US DOLLARS????

Do you realize how many computers you could buy for one of these things?

"Seems a little pricey"

What's the problem?

[max+born]

You may be anticipating a problem you'll never have. i.e. people sucking your bandwidth and sending spam. Why not leave it open. I do with mine. I think it's important to share bandwidth. I worked for a comany in San Francisco with a DS3. I built a Wi-Fi network for them and convinced them to share it with the public. It was't a problem (however, I did put it the DMZ and block port 25 just in case).

If you still think you need to have usernames and passwords try nocat. It handles authentication but I usually use it for a splash page for access points I build from old laptops.

Good luck.

Re:What's the problem?

[miTcixelsyD]

I see that a couple people have mentioned leaving it wide open. Why is this a bad idea? Liability. I hop onto your network, download kiddie pr0n, then hop off (by law, an ISP must report this if they know about it or else they are breaking the law). You *could* be held responsible. Note that I said could, not will. There are always mitigating factors, but even if you, in practicality, couldn't be help liable it might not be worth the hassle/expense/time to defend yourself (i.e. show logs proving it wasn't a machine you use, etc.).

MOD Parent UP

[BeesTea]

I use this solution myself, it works GREAT!

OpenBSD pf

[DrSkwid]

Run pf on a 486 and use pf as your firewall, then you don't need MAC addresses and shizzle like that.

http://www.openbsd.org/faq/pf/authpf.html

Authpf(8) is a user shell for authenticating gateways. An authenticating gateway is just like a regular network gateway (a.k.a. a router) except that users must first authenticate themselves to the gateway before it will allow traffic to pass through it. When a user's shell is set to /usr/sbin/authpf (i.e., instead of setting a user's shell to ksh(1), csh(1), etc) and the user logs in using SSH, authpf will make the necessary changes to the active pf(4) ruleset so that the user's traffic is passed through the filter and/or translated using Network Address Translation or redirection. Once the user logs out or their session is disconnected, authpf will remove any rules loaded for the user and kill any stateful connections the user has open. Because of this, the ability of the user to pass traffic through the gateway only exists while the user keeps their SSH session open.

Re:OpenBSD pf

[wowbagger]

So, this guy is concerned about users being too computer-illiterate to configure their wireless cards with the proper WEP key, and for a replacement, you are suggesting that the users be asked to SSH to the firewall prior to going out.

Re:OpenBSD pf

[DrSkwid]

for Windows it's two clicks

one to download putty from the default page on your pf firewall

one a link to putty.exe

and one to download & run a batch file from the same webserver that does :

putty -D 8080 -ssh gatewayIP

which will also add a SOCKS proxy on localhost:8080 into the mix

hardly rocket science and it leaves you with one set of instructions for windows without having to know anything about the configuration programs of various Wireless cards

Re:OpenBSD pf

[Matt+Perry]

Run pf on a 486 and use pf as your firewall, then you don't need MAC addresses and shizzle like that.

Shizzle? Is that a new networking term?

Re:OpenBSD pf

[DrSkwid]

get down with the street homes =)

shizzle means shit

amongst other things

Ask the hotel?

[nes11]

this may sound too simple, but if you've already found hotels that do it like you want, why not ask them? of course the front desk clerk won't know anything but they can direct you to the manager who can direct you to the IT guys. you'll probably get more info that way than a general request on slashdot.

Re:Ask the hotel?

[walt-sjc]

Most hotels outsource their networking. I've only been to ONE that had an inhouse solution, and they were just a wide-open network (anyone could connect - no password or anything.)

Re:Ask the hotel?

[ElectroBot]

If you start asking people that don't know much about IT or IT Security they tend become wary and usually assume that you're trying to "hack" it and either won't give you info or will try to hand you over to the authorities to "stop you from commiting any more crimes". Some IT people have this much paranoia and lack of understanding as well. Not many people know that almost no one is out to get them or their network/computer(s).

Port 25 blocking, arggh

[MobyDisk]

I've blocked outbound port 25 (since my ISP doesn't)

Most ISPs don't block port 25 because they still haven't migrated to SSL SMTP on port 465. Why is this? The last 2 ISPs I've used don't support it, and my complaints fall on deaf ears.

Re:Port 25 blocking, arggh

Most ISPs don't block port 25 because they still haven't migrated to SSL SMTP on port 465. Why is this? The last 2 ISPs I've used don't support it, and my complaints fall on deaf ears.

Let me try to explain it to you. It's because you are an ignorant twat! SSL SMTP is a means of encrypting the SMTP traffic between two points, nothing more. SSL SMTP does NOT prevent you or anyone else from sending spam over that encrypted connection.

What SSL SMTP does is cause lots and lots and lots of support problems. First is the problem of configuring clients. Configuring Outlook Express with an SMTP and POP3 server address is already "too complicated" for most ISP customers. Imagine the problems with configuring SSL SMTP, especially when you realize that MANY older versions of mail clients and MANY mail server do not support SSL SMTP.

The second issue is that, unless there is an agreement between administrators, restricting mail transfer to SSL SMTP connections will almost certainly break MTA to MTA connections to every other MTA out there! So, now you can't transfer your mail from you.com to yahoo.com or aol.com or msn.com and you can't receive any mail either. This will definitely reduce your storage costs but, I can't imagine that the users would be too thrilled.

But, despite all the problems that SSL SMTP causes for ISPs, SSL SMTP does absolutely nothing to stop sending spam. Blocking port 25 is the best solution.

Re:Port 25 blocking, arggh

[SpaceLifeForm]

That may have something to do with that guy named Echelon.

NoCat

[Omniscient+Ferret]

I think NoCat is what you want. Their page mentions that it's ported to the WRT54G in a couple of different versions.

Re:NoCat

[JofCoRe]

I'll second that. NoCat is what you want. It does the "captive portal" that you're talking about quite well. And according to the dox, it can do it on a 486/25 :) I still haven't managed to get the bandwidth throttling working, but that's something w/tc I think so it's not neccessarily a NoCat problem. But doesn't sound like you'd need bandwidth throttling anyway, so it should work perfectly for what you want.

RTFM

[pyrrhonist]

...but what I'd really like to do is run something like hotels do, where you enter a password and activate your MAC address for a certain amount of time...

I run OSS in my Linksys WRT-54G router at home (from Sveasoft)...

The firmware you are using has the ability to make a captive portal.

My project, macf

[Piquan]

A few years ago, I wrote the skeleton for this sort of thing. It was for a job, the guy never did the paperwork to hire me, so I stopped working on it and put my code on Sourceforge. It worked; I just hadn't polished anything. (The management interface, in particular, sucked.) It pretty much requires FreeBSD to use as your filter box.

The basic architecture is like this. First, there's a management interface that's just some PHP scripts talking to a MySQL database. That's how you add leases, how long you want them to last, etc. You could also add the leases to the database using any other means you want.

A daemon is running that frequently sweeps the database and reconfigures the kernel part (described in a minute). The daemon expires old leases, adds new leases, etc. It also watches the traffic (passively, so the traffic isn't going through the daemon) and logs usage stats. (This last was part of the spec the original customer gave me.)

The kernel part is what actually does the filtering. This doesn't need any custom kernel modules or anything; it's just a netgraph node inbetween the interfaces you're filtering on that uses the built-in BPF netgraph driver. (In those days, the packet filters in FreeBSD didn't support MAC filtering.)

Anyway, like I said, it all works-- or at least did when I wrote it, and I don't see any reason that anything would have broken seriously. Check it out; it's macf on SourceForge.

Have you looked at NoCatAuth?

[bnf]

http://nocat.net/

Why not let them pay someone to set it up?

[YaRness]

Why does this need a technical solution? Find a competent technician in the area, put his number on the fridge. Let the renters pay him to type in the WEP passkey.

Re:Why not let them pay someone to set it up?

[Jussi+K.+Kojootti]

So, should the guy sit in the lobby waiting for the renters to come in, or should the renters be without a connection until mr. technician arrives?

Re:Why not let them pay someone to set it up?

Why not simply put the WEP password on the rental aggreement they get, or on the check in list. I assume that someone visits the property after the renter has left, and at that point you can change the WEP for the next renter.

NoCatAuth NoCatSplash

[ers81239]

Well, I was just going to use my mod points to mod up whoever posted the first link to this site:

http://nocat.net/

But since nobody did, I posted it myself.

Re:NoCatAuth NoCatSplash

#13875015
#13875241
#13875817

ChilliSpot or NoCat with NoCatSplash

[snowsam]

Take a look at ChilliSpot, which is an open source captive portal --http://www.chillispot.org/ .

Another option (already mentioned) that would work with the is to run NoCat
http://nocat.net/ on a "server" along with NoCatSplash on the WRT54 (see http://nocat.net/~rob/wrt54g/ ).

Take a look at http://www.slcwireless.com/ to see how they are providing free wireless to location in Salt Lake City, Utah.

Good luck!

I implemented a setup similar to this

[g1zmo]

I used Squid with SquidGuard on a transparent proxy (Linux gateway router) combined with a few shell scripts to manipulate the router's IPCHAINS rules upon authentication (it was in the days of IPCHAINS).

OpenWRT+meshdog

[codehead]

Once I get a spare WRT54G I'll install an open hotspot using OpenWRT and meshdog. You can set up OpenWRT in a snap (the Wiki was *very* useful) and the packages are installed using a debian-like tool aptly named ipkg.

Try DD-WRT instead of Sveasoft

[michaelredux]

The DD-WRT version of the firmware for the Linksys WRT54G wireless router is a similar to the Sveasoft firmware, but includes Chilispot hotspot and NoCatSplash, without any GPL Controversy

I haven't tried the hotspot features yet, but I like the rest of the DD-WRT software a lot, especially in client mode as a wireless network extender. You can set up firewall rules, time-of-day restrictions, even restrictions on website based on keywords. I don't use most of those features, but they're in there if you want them. DD-WRT also has Traffic shaping by port or mac, VOIP Sipserver, WDS mesh-networking for extending your wireless network by several hops, and optimizations for gaming. It's true GPL, and it makes me feel like a kid in a candy store.

Make It Open

Leave the thing open. Easy to connect, and you're contributing to society via the free Wi-Fi.

Also, don't bother to block ports. It is better to give your clients full internet access.

m0n0wall

[anderiv]

I'd highly recommend you check out m0n0wall. It's a BSD-based router distro. M0n0 comes in several forms, a hard drive image, a compact flash image, and a bootable cd. I use the bootable cd. The entire thing runs from a RAM disk, storing configuration on a floppy disk. All administration is done from a very robust and feature-complete web interface. You can make m0n0 as simple or complex as you wish - it includes traffic shaping, wireless support, PPTP & IPsec VPN support, multiple interfaces, a captive proxy, etc.

The captive proxy support would be especially useful for you - from the web interface, you can remotely add/delete/change the usernames and passwords for the captive proxy.

Yes - there are other captive proxy projects out there (NoCatAuth etc.). I evaluated several of them, but ended up sticking with m0n0wall due to the ease of implementation and the foolproof architecture it has.

I think that's the point

[Andy+Dodd]

He wants to keep Joe Wardriver Leech out, but doesn't see a need to restrict his users.

Re:I think that's the point

[SocialEngineer]

If he wants to keep a wardriver/leech out, then he isn't going to do it with a hotel-style system. If ping is open, there will always be room for leeches. If SSH is open, even moreso.

I did this on freebsd...

[sgasch]

You can do this on freebsd with ipfw, apache and a couple of perl scripts. Here's a little guide I wrote back when I did this: http://wannabe.guru.org/scott/hobbies/wireless.htm l

Scott

NetReg

[chickenmonger]

It's used at my university to link a user name with a particular IP and MAC address. I imagine it could be used in this scenario as well. http://www.netreg.org/

Mod parent WAY up

[davidwr]

The liability post is at least as insightful as the grandparent.

Regualting Wifi

[Stephen_Ireland]

I had this problem with a hotel, i made a vb app that does it by checking and everytime a request is made on any port from 1 - 9999 the vb app checks an approved ip list to check does it have any time remaining, if there is time remaining it sends on the traffic over another ethernet interface, basically if there is time remaining for that IP then it forwards the request. the access and time is controlled by the entering a code, which is kept by the admin (in this case the hotel) and the code consists of how long the user is allowed access for.