Ask Slashdot: Best Way To Leave My Router Open?
generalhavok writes "I read the story on Slashdot earlier about the EFF encouraging people to leave their WiFi open to share the internet. I would like to do this! I don't mind sharing my connection and letting my neighbors check their email or browse the web. However, when I used to leave it open, I quickly found my limited bandwidth disappearing, as my neighbors started using it heavily by streaming videos, downloading large files, and torrenting. What is an easy way I can share my internet, while enforcing some limits so there is enough bandwidth left for me? What about separating the neighbors from my internal home network? Can this be done with consumer-grade routers? If the average consumer wants to share, what's the easiest and safest way to do it?"
Wasn't it just this week that we had the lovely account of someone getting the SWAT treatment just for leaving their router free and open?
http://yro.slashdot.org/story/11/04/25/1415259/Bizarre-Porn-Raid-Underscores-Wi-Fi-Privacy-Risks
Envious?
Just restrict access by MAC address!
Are you not concerned about security? Sharing is fine and dandy, but I don't want anyone behind my network firewall that I don't know.
Well if you can identify the culprits (the IP and/or MAC of whoever is doing the most damage) you can have some fun with them by creating an upside-down-ternet. That might discourage them.
The second part (keeping people off your home network) CAN be done by some consumer grade routers that support a Guest Network. My Netgear 37AV has that ability. You set up a second SSID that is open. It can get to the WAN port, but can't see anything on the LAN or the private SSID.
As for using bandwidth... no, I'm not sure you can do a lot there with a standard router. You could turn on QoS to make sure that your traffic has priority on the router over someone else's, but you'll be pretty limited in terms of stopping them from chewing up bandwidth the rest of the time. I really don't recommend this if you're on a metered connection.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
It's absolutely possible and fairly easy these days with out-of-the-box router firmwares, or if yours doesn't support QoS (Quality of Service), then you can potentially put on an open-source firmware -- DD-WRT -- to provide that ability and much more. QoS lets you designate classes of traffic, such as streaming, gaming, and other protocols, or particular devices on a WAN or plugged into the router itself, and set priorities for them. Doing this, you can share your WiFi AP (good for you!), but also get the lion's share of your bandwidth when you are wanting to use it.
Be very, very careful what you put into that head, because you will never, ever get it out. -Thomas Cardinal Wolsey
The ramifications of someone looking at, downloading, or even uploading something illegal with your internet can get you in serious trouble, I would think. I appreciated the kind-heartedness of the idea, but I would recommend against it personally.
It can get you in to trouble
That said, I leave my wifi router open as well, but if you're going to do it you have to do it knowing the risks. Being accused of kiddie porn, for instance, is going to stick with you forever, regardless of guilt or innocence.
All new mac-addresses get 24 hours of free access; after that they're blocked for 1 week... Adjust thresholds accordingly...
Your ISP may be none too happy when they find out you're sharing your connection; I'd double check their terms of service just in case.
If there's anything more important than my ego around here, I want it caught and shot immediately.
I suggest checking this out. I've used it for a few clients. http://www.publicip.net/
You talk better than you fool!
How about talk to your neighbors? You can share bandwidth without leaving your WiFI open.
C'mon, let's go all the way with this. Leave your door unlocked so I may go in anytime and help myself to a snack from your refrigerator. Leave your key in your car so I may borrow it for a quick milk run.
We're all just sharing everything now, right? Right? Yeah I thought so.
Don't bother. Secure your wifi. I used to keep my wifi open to the public... Then my home was raided by the FBI. Don't make the same silly mistake I did, it really isn't worth the risk.
I just posed the same question in another topic, and wrote this:
WiFi routers should have the option of putting the air link on the outside of the local firewall. Actually, it would make sense if, by default, open WiFi links gave guest access to the outside Internet world, but not the inside LAN world, while encrypted links offered access to the inside world. This allows opening up guest access without exposing local servers and Windows shares.
A router should support both modes simultaneously, offering itself as two access points. Encrypted links should have higher packet priority over nonencrypted links, so that guest access can't starve out authorized users.
This seems obvious enough that some routers probably implement it already. Anyone know of one?
Sounds like you have a network neutrality problem on your hands. How to provide services while downgrading heavy users through selective throttling...
Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
...You should be worrying about, but rather anyone that happens by looking to do devious things (e.g. download kiddy pr0n on your line).
The FBI will be knocking on YOUR do
My plan at the office was similar:
- One SSID for client access
- One SSID for local network access
- VLAN tagging
DD-WRT has an issue with tagging and enabling encryption on both, but if you are doing one open, it should work. It is a world of hurt to set up, not being very well documented, for something that would be trivial with a soekris + BSD/linux.
I'm planning to try this again with Tomato USB one day.
Basically the Open SSID is relegated to a VLAN that can only access a VLAN interface on my router. The router runs DHCP on that interface, recommending upstream DNS. Traffic to/from this subnet is lowest priority in QoS.
Being stupid is one thing. Being intentionally stupid?...well that's just a different level of stupid.
Don't do it. The world is just not ready.
Hey,
Yes, it can be done, just like the FON network. My ISP here in Portugal partnered with FON; each router they install in your home has 2 separate networks, each with different IP addresses. It is also a different connection and it won't affect your bandwidth. If you chose to register to the service all the shared hot spots.
A $50 Linksys router with one of these free custom firmwares can do QoS, allowing you to give priority to certain types of traffic (DNS > SSH > HTTP > BitTorrent, etc).
You'll be liable for any excess traffic charges your ISP puts on you. You're letting total strangers into your LAN, which is a security risk. And there's no guarantee at all that the cops will leave you alone. It's an idiotic thing to do.
Try and use your open router to get private info on your neighbours. Then extortion, then business class connection, then expand to even more neighbours, and voila, you're an entrepreneur!
You can get an anonymous VPN for as cheap as 5 EUR per month. Just route all external traffic through the VPN tunnel.
I wouldn't recommend this setup at all, but if you HAD to leave your router "free and open", the D-Link DIR-655 has the ability to broadcast a Guest Network (which limits access of those using it from seeing your machines behind your router) and has QoS (so you can prioritize your packets over your "guests").
You've got a couple of choices - get a system that gives you lots of detailed controls so you can do anything you want, at the cost of understanding the complexity yourself, or sticking to simple cookie-cutter tools, but you won't find most of those letting you do bandwidth limitations on some connections. You can probably take DDWRT and convince it to do what you want, or you can take a dedicated BSD or maybe Linux machine and do all sorts of interesting things with it, but either way you'll have to do some work. But even if you take a commercial Cisco router, which can do fancy prioritization and rate-limiting, you'll find yourself burning a lot of its limited CPU.
I usually run into higher-bandwidth versions of this problem, where the one easy kluge is to put in a 10 Mbps Ethernet segment, so the speed limit happens in hardware and the priority queueing works naturally. If your home DSL is more than 2 Mbps, I suppose you could get an old 802.11b or maybe 802.11g wireless router, limit it to 2 Mbps per channel, and put it on a different radio channel than the one you use for yourself (e.g. put it on Channel 1 and use Channel 11.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You might take a look at IPCop or Smoothwall. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.
I offered public wifi in my apartment complex on a limited pipe. First, I set up a Linux firewall with three NICs - one for outside, one for my inside stuff + personal wireless, one for the public. On the public wireless side, everything except port 80 was blocked. I included 443 in the blocks because I wanted to limit where people went, so I could mitigate potential trouble like pedo browsers. On port 80, I sent all traffic to a transparent squid proxy. The proxy then checked which URLs were being requested and if they were in my allowed list. If not allowed, I rewrote the URL and sent people to kittenwars.com (I'm sure you could find an equally evil site to send if that isn't your preference). I did add in an HTML frame on the left side (right side was kittenwars) when people tried going to a site that explained here are all the sites you can go to, and the dangers of using someone else's unencrypted access point. Allowed URLs were fairly small, but from the usage the access point was still popular: wikipedia, Microsoft patches, PBS, weather.com, local government sites. I'm sure you could find more, but I wanted a very limited set that probably won't attract trouble. Then finally I limited people from soaking up my pipe using Linux traffic shaping on the transparent proxy.
QoS may help you throttle your guests' upstream bandwidth, which is more important, but it's not going to do anything for downstream, which is the more common problem, because the QoS markings on downstream packets will normally be set to the default value by the websites or bittorrent peers that are sending them.
Bill Stewart
You really just need something that either has an extra interface for your wireless network, or can do 802.1Q VLAN tagging and a VLAN-capable switch. I think even with a Linksys and DD-WRT, you can put the built-in wireless AP on its own VLAN. Then you just give the wireless its own subnet, disallow traffic from the wireless subnet to your personal subnet. I think you can even do multiple SSIDs and put each SSID on its own VLAN, one for the public and one for you. Then just allow egress traffic on ports 53, 80, and 443 for your guest subnet, set up the traffic shaping queues with whatever amount of traffic you want to donate, and set it and forget it.
Of course, this doesn't address the issue of people using the connection to do illegal things, but I've been doing exactly what I described above in a very densely populated area of San Diego since 2002 and haven't had any problems yet *knock on wood*
Also, keep in mind that this violates the TOS of most ISPs. I have a business class cable connection at home, which has a much less restrictive TOS, which makes it legal. I also have multiple public IP addresses, and run all my guest wireless traffic over its own IP, so if anyone gets banned from say eBay or something for fraud, it won't affect me.
But to answer your question, no, I don't think you can do this on many consumer grade router/APs without flashing the firmware with DD-WRT, and not all consumer routers are flashable. I think Buffalo sells a model that comes with DD-WRT preloaded.
If you wanted to make a project out of it, you could buy a used Cisco Aironet for $50 and pair it up with an old PC with multiple NICs and install PFSense on it and have yourself a grand old time. The tools in PFSense can actually be quite entertaining when you collect anonymous statistics about what sort of things your neighbors do with your connection. NTOP will entertain you for hours :)
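A complete version of the guest-VLAN setup this post sketches (guest subnet cut off from the private LAN, only 53/80/443 egress, a shaping queue for the donated bandwidth), written for a Linux-based router such as OpenWrt or DD-WRT. This is an added example, not the poster's own configuration; the interface names, subnets and the 2 Mbit/s cap are assumptions. It also shapes what the router hands to the guest VLAN, which is how the downstream side gets capped despite remote senders ignoring QoS marks.

```shell
#!/bin/sh
# Guest-VLAN policy for a Linux-based router: isolate the open SSID's subnet from
# the private LAN, allow only DNS/HTTP/HTTPS egress, and cap the bandwidth
# donated to guests. Interface and subnet names are assumptions for this example.
WAN_IF=${WAN_IF:-eth0}                 # upstream link
LAN_NET=${LAN_NET:-192.168.1.0/24}     # private subnet: must stay unreachable
GUEST_IF=${GUEST_IF:-eth0.3}           # VLAN 3 carries the open SSID
GUEST_NET=${GUEST_NET:-192.168.3.0/24}
GUEST_RATE=${GUEST_RATE:-2mbit}        # bandwidth donated to guests, per direction
DRY_RUN=${DRY_RUN:-0}                  # DRY_RUN=1 prints the commands instead

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_guest_policy() {
  # Dedicated chain so the guest rules can be inspected and flushed as a unit.
  run iptables -N GUEST 2>/dev/null
  run iptables -F GUEST
  run iptables -A FORWARD -i "$GUEST_IF" -j GUEST
  # Replies to guest-initiated connections may come back in; nothing else is
  # forwarded towards the guest VLAN (so the LAN cannot be used to reach guests either).
  run iptables -A FORWARD -o "$GUEST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -o "$GUEST_IF" -j DROP

  # 1. Guests never reach the private LAN, whatever the protocol.
  run iptables -A GUEST -d "$LAN_NET" -j DROP
  # 2. Towards the WAN only DNS, HTTP and HTTPS; torrent, SMTP and the rest are dropped.
  for rule in "udp 53" "tcp 53" "tcp 80" "tcp 443"; do
    set -- $rule
    run iptables -A GUEST -o "$WAN_IF" -p "$1" --dport "$2" -j ACCEPT
  done
  run iptables -A GUEST -j DROP

  # 3. The router itself answers only DHCP and DNS on the guest VLAN: no admin UI, no SSH.
  run iptables -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
  run iptables -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
  run iptables -A INPUT -i "$GUEST_IF" -j DROP

  # 4. NAT guests behind the WAN address.
  run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE

  # 5. Upstream cap: an HTB class on the WAN interface for guest-sourced packets.
  #    Your own traffic lands in the uncapped default class and so wins contention.
  run tc qdisc add dev "$WAN_IF" root handle 1: htb default 10
  run tc class add dev "$WAN_IF" parent 1: classid 1:10 htb rate 1000mbit
  run tc class add dev "$WAN_IF" parent 1: classid 1:20 htb rate "$GUEST_RATE" ceil "$GUEST_RATE"
  run tc filter add dev "$WAN_IF" parent 1: protocol ip u32 match ip src "$GUEST_NET" flowid 1:20
  # 6. Downstream cap: shape what the router delivers onto the guest VLAN. Remote
  #    senders ignore our QoS marks, but drops above the cap make their TCP back off.
  run tc qdisc add dev "$GUEST_IF" root tbf rate "$GUEST_RATE" burst 32k latency 400ms
}

# Apply only when explicitly asked: `sh guest-policy.sh apply`; preview with DRY_RUN=1.
if [ "${1:-}" = apply ]; then apply_guest_policy; fi
```

Run with `DRY_RUN=1 sh guest-policy.sh apply` first to review the generated rules before loading them on the router.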
Forget being a nice guy, and in this case, the EFF's recommendations. Aside from the issues you raise yourself, this story should be all it takes to convince you of the foolishness of such a policy these days.
To answer your question directly, yes, some consumer AP / Routers can shape traffic like you're asking. You will need to divide your network into multiple VLANs, I would suggest three: One wireless and wide open, one wireless and secure for your use, and one for the wired side. Then, bandwidth limit the free wireless, route appropriately, and apply a security policy to protect yourself. You might also consider logging all that "free" traffic so when the Feds show up with a warrant, you have some kind of audit trail to get yourself out of jail.
I'm not aware of any consumer grade equipment that will do this out of the box. On the other hand, there are several free / open firmware projects that replace the factory firmware, are Linux based, and may be able to meet your needs. A couple (by no means all) of these projects are dd-wrt (http://www.dd-wrt.com/site/index) and OpenWrt (https://openwrt.org/).
Beware though, that not all of the consumer hardware is created equally internally. Research carefully the hardware / replacement firmware combinations to make sure you can get where you want to be before spending money. You'll also be stressing the hardware far beyond its original design, so opt for more RAM and a faster embedded processor.
Gee, this sounds like a PITA.....
Hope this helps, and that you don't get arrested.
--Red
After I read a recent story on Slashdot about people being apprehended for downloading child porn when not they but someone outside the house was downloading it, I would be very careful. I would only share it with people I know and base it on some pre-shared authentication scheme.
Whenever I have tried to be too nice, I have always ended up getting hurt. The lesson I have learnt is: be nice as much as is needed, but do not overdo it. You are overdoing it and will learn the same lesson the hard way.
I assumed this would have already been mentioned, but I don't see it.
Using OpenWRT and several other FOSS packages, I was able to cobble together a nice captive portal that logs everything, warns users that it logs everything, and requires an email verification to ensure you have some form of contact information to go with all that lovely logged information. It also allowed me to throttle down the public side of the wifi and keep them from using up my bandwidth. Open-mesh.com has a firmware for their devices (I'm rocking a handful of the mr302a's or whatever) that lets you do all of this through their nifty dashboard.
Now, IANAL and have never had to defend against accusations such as those in the kiddie-porn raid link above, but it definitely was enough to get my ISP off my back for a DMCA violation once I disabled that person's MAC from continuing to access the open network.
the NOT method.
As with most things, I can see both sides of it.
From an organization like the EFF's point of view? It's in their best interest to get a "critical mass" of individuals sharing their Internet connections via free, open wi-fi, because it weakens the case for law enforcement to hold people responsible for "not properly securing their connection" if something goes wrong. (If I had to come up with a quick analogy for this, I guess I might liken it to the police giving you a ticket or fine for not locking your doors or windows, after someone breaks in and they're called to the scene. It just seems a bit like punishing the victims.)
So from a "freedom" standpoint, it's perfectly understandable. Wouldn't you like to retain the right to share your Internet connection with your friends and neighbors, if you so choose? Or do you prefer an authoritarian society where despite you paying for your own connection and wireless router, government can dictate the way you actually use it?
On the other hand, you're probably opening yourself up to a lot of potential headaches and liabilities if you go this route. Even the hotels and restaurants I've visited that offer "free wi-fi" for their customers tend to make you click past some sort of opening "terms of service" agreement page before using it. At least then, they can claim they only offered said access subject to certain usage terms and conditions that you, the user, agreed to before using it.
IMHO, the best solution is to use one of the wi-fi routers that offers a "guest" network (makes sure the people using it are firewalled off from any of the hardware on your own local LAN), and place a good, strong WPA/WPA2 password on it. Then, give the password out to your neighbors and friends you trust to use your connection. No random strangers will be able to stumble onto it and use/abuse it that way, and if your neighbors or friends start abusing it? You can always change the password on them and lock them out until you determine who the culprit was. (Or change it and only give it out to 1 or 2 people for a while and see if things are ok. Keep adding one more user until you find out which person is hogging the bandwidth or what-not.)
The DMCA protects service providers. If I am deliberately sharing my internet connection, I AM a defacto service provider. There are rules one must follow but most of them apply only to operators of a certain size - which means we enjoy the protections of the DMCA without sharing the burdens like forced record keeping.
People have been abused by law enforcement for all sorts of reasons. If they go too far, you sue. Of course, if they are led to your house by the actions of a neighbor and then find, through some poetic justice, that you are in fact doing what they suspected even though it wasn't your actions that directly led to the raid, well then it sucks to be you.
Yup. The biggest concerns I had when picking my ISP were Terms of Service and availability of static routing. Back when I first got consumer broadband, there were many ISPs that didn't want you to run web servers from home, and some major ones that only allowed you to use one computer on the account unless you paid extra. Eventually the ISPs decided to allow multiple home computers (usually with NAT), because they understood that the market had changed and when people got new computers for themselves their kids got the old ones, but some of them still don't like the idea of guests. The real concern for ISPs was to make sure that you didn't buy one set of cable modem service and share it with your neighbors, instead of them each buying their own. They've pretty much accomplished that by now, but they're not going to let up on the scare stories.
My ISP's approach to ToS was "We're selling you a connection to the Internet, that means you've got a connection to the Internet. Do anything you want except for spam. If you want to share it with other people, we'll be happy to sell you extra email addresses for a small extra price."
Bill Stewart
I used to have this setup. It was pretty easy to do.
All traffic from the public SSID was sent through redsocks via iptables. All DNS requests from the public SSID were sent via a small daemon that was 99.9% Python code pulled from another SOCKS proxy project (name escapes me right now) -- took a few minutes to make it into a proper daemon.
Hostapd had multiple SSIDs, which were isolated to different bridge interfaces, so traffic didn't mix.
If you don't care about leaking DNS requests, redsocks + iptables is enough.
More details here: http://www.ilesansfil.org/welcome/
http://m0n0.ch/wall/ m0n0wall, for example
What say we try to answer the question for this person? I'd suggest that Fon is the simplest way to share your network, though I believe that only Foneras will then be able to use it. However, for somebody who is not a sysadmin, Fon provides a simple way for the "average consumer" to set up separate public and private SSIDs and to throttle traffic.
You can do more sophisticated traffic management with DD-WRT than with the stock router firmware.
Take care, though. There have been several cases of the FBI busting in and making life hard because of child porn traffic on open routers. You could also look at a FON router. They allow for some management of traffic (and cashing in).
But the existing traffic shaping solutions are impenetrable and impossible to use. This makes me very unhappy. I'm also not sure that the traffic shaping policy I want is possible with the existing traffic shaping tools.
I have a small Linux box I use as a router, and I have 3 LANs + the external link. LAN 1 is my trusted internal network. LAN 2 is the network for any windows box, my gaming systems and any housemates. LAN 3 is the wireless.
I want a traffic shaping policy that says something like this:
This is complicated by the fact that I want intra-LAN traffic to be essentially unlimited. If someone somehow manages to saturate the 1Gb backbone on my internal network, I'll figure out how to deal with it outside the traffic shaping policy.
I already have a firewall policy that treats my wireless network as being as untrustworthy as the Internet.
Need a Python, C++, Unix, Linux develop
Here's the way we do it
We have an old router which is plugged into a spare port on our optical switch (fiber to the home), and has an open wireless G for anyone to use, configured to assign DHCP addresses from 192.168.200.x where x is 175-200, and with SSID of "All Connections Logged". Our newer router is plugged into a different port on the optical switch and assigns DHCP addresses in the range 192.168.100.y where y is 100-125, and our home net is connected to this one by cat6 cables and encrypted wireless N (MAC filters, hidden SSID, long key, blah blah). Each of these routers has a different public IP address assigned by the ISP, and they both maintain logs of MAC addresses connecting to them, so we don't worry too much about misbehaving outsiders - there have been none so far.
FWIW, we have no usage caps on our 100Mbps fiber connection, so leaving a 54Mbps wireless-G open to passers-by does us no harm economically. In principle we could set it to 11Mbps Wireless-B, but we have never had a bandwidth hog connecting. Incidentally, our ISP gives us up to 8 public IPv4 addresses, of which we use 3-5: the IP-TV box uses the third, and work-related laptops sometimes use one or two more (via cat6 to another port on the optical switch).
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Apple Airport Extreme Base Station lets you set up a well protected separate guest network. Used it with no troubles for a while now.
I believe all of this is possible (even multiple SSIDs with one router) with OpenWRT or DD-WRT on certain hardware, but I never got it working right. I just ended up using two Linksys routers (one with open wifi, one encrypted) and pfSense as a router. You can even do this with just pfSense and a couple of wireless cards. Private wifi bridges to the local network, public is on an isolated subnet. pfSense traffic shaping keeps users in check. I have a QoS class for "public" traffic which is limited to a couple mbit/sec down and a few dozen kb/sec up. Rock solid, more than I can ever say for either of the Linksys routers.
I found pfSense: The Definitive Guide to be a decent dead trees source for getting started with pfSense.
So what if I am? What are you going to do about it?
I read a comment here a while back to use encryption and put your phone number in the SSID. That way you can identify who wants to use it and this will prevent abuse better than anything else.
And as mentioned, being dragged out of bed and arrested on Child Pornography charges will ruin your life, even if you are found innocent (most likely years later)
Hey, we let you in, Mr. Anonymous Coward!
You may not want any strangers on the "trusted" side of your firewall, but that's a job for a DMZ, which has access controls between it and your trusted side as well as between it and your internet connection.
Bill Stewart
AP Isolation is a nice DD-WRT option that prevents wireless clients from communicating with each other. Best to disable wireless GUI access to the router, as well. I've had a DD-WRT router for years and I've never looked through all these settings until now.
Many modern routers can be configured to broadcast a "guest connection" with its own SSID that you can then throttle as you see fit.
I'm not sure if this option will be available to you, but currently I have a router built to support FON so other FON users can use a low connection for free. Might be worth a look. Link: http://www.fon.com/
Hmmm..... with all these no-knock SWAT raids over open wifi routers, your car's GPS automatically sending your speed data to the cops, your cellphones tracking your every move, and runaway inflation jacking up the prices of gasoline, electricity and store-bought groceries... then maybe the Amish way of life ain't so bad after all.
Monowall is a nice BSD based software firewall. It is a captive portal that can be used to set usage terms by redirecting the web user to a page you can require they agree to before they can use the connection. It also includes QOS controls that can help you limit use of the connection to users on the open network. I've used this myself before for this very thing, and used the page to tell the user they had no privacy. I also made mention that I would be VERY helpful to anyone with warrant in hand. I found this made misuse far less likely, but your usage may vary.
A few points however. To be legally binding you'd have to have a usage agreement likely designed for your state by a lawyer. Just because such statements of cooperation with the authorities might scare off some; the worst of abusers won't care a bit about your silly little agreement. If I'm going to commit wire fraud on your connection, to conceal my identity, I won't be back and I'm faking my MAC. So depending on the crime they may still burst in machine guns in hand.
Just because you can technically do it may not mean you should. Do be sure to properly research this completely, and with your state's laws in mind. It would be nice if the EFF continued to work on this and generated user agreements for us to use.
In a side note Monowall is highly versatile and there are several commercial solutions based on it.
The objective is to prevent trouble, not to punish the guilty after they've caused it. Sometimes trouble is drive-bys spamming, sometimes it's a regular abuser, like the neighbor's kid downloading too many movies and hogging all your bandwidth. The main things you want to do are keep their bandwidth use limited, and keep them from connecting to any machines you don't want them to access (e.g. visiting friends can access your printer, but strangers can't.)
Bill Stewart
I just saw this post come up on lifehacker.com. I've been planning on doing it at my new place. http://lifehacker.com/#!5791208/run-your-home-network-like-a-coffee-shop
http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000512----000-.html
Put up a shared wap. Make it so that they have to click through a web page every 24 hours to get access enabled. Make sure there is a contact email address on your web page.
Make the DHCP leases expire, say, every 30 minutes. That will allow sporadic youtube viewing, email checking and all sort of other activity without allowing lengthy file transfers.
Now your neighbors have access, you have good QoS, and you may be reasonably protected under the DMCA.
I use dd-wrt on my Linksys E2000. You can create multiple SSIDs, with different authentication. In my setup, I have my HomePrivate and HomePublic networks. Private uses WPA2, Public uses nothing. Iptables rules keep anyone on Public from accessing my home machines, printers, NAS, etc., but allow access to the internet. Additionally, you can QoS Private to ensure that when Private is trying to get something, it gets precedence over Public.
I know my wifi router supports quality of service. You can throttle by IPs. Probably if you used static IPs for your box you could just throttle everyone down to a reasonable bandwidth. The problem is when your wifi is open the pirates can jump on. I've seen people parking in my apartment parking lot and sitting on their notebook running Limewire. If your IP is open then when that legal notice comes for that guy in the car, it will arrive in your name instead. It's a foolhardy thing to do.
--- Always remember. 99.36% of all statistics are inaccurate.
You should set a password so that your wireless sessions are encrypted. If you want others to be able to use your connection, just tell them the password.
http://steve.grc.com/2010/10/28/instant-hotspot-protection-from-firesheep/
where do you stop in limiting?
how will you keep delimitation ongoing and up-to-date?
All you need is your neighbor to distribute child porn and suddenly you are in jail. Internet access is not expensive or difficult to obtain, let your neighbor pay for their own connection. If you don't want neighbors abusing your connection, then don't leave it open.
http://www.publicip.net/
1) If you're reading slashdot, you can easily figure out how to set this up.
2) No, your mother cannot figure out how to set it up.
3) Yet, it will let you throttle your connection (you can say give them a 100K/sec connection), limit how long they can connect, limit what sites they can visit, limit what ports, use a web filtering service (i.e. no porn, video, or other random behavior)
4) you can setup accounts for friends (no more sharing WiFi Keys) that won't have restrictions.
5) you can charge (they get a cut of it)
Good for you for doing the right thing. Free wifi for all. I wish everyone did this.
Cheap way to do it with no programming and very little technical knowledge:
Get 3 routers and a 10Mbps or slower hub or switch that will be your bandwidth-limiting device:
ISP wire to
* Gateway router WAN port.
Gateway Router LAN ports to:
* Private Router WAN port
* 10Mbps or slower hub or switch port #1
10Mbps or slower hub or switch port #2 to:
* Public Router WAN port
This limits the total public-access bandwidth to 10Mbps or whatever.
Obviously, the bandwidth-limiting device should be much slower than your ISP pipe.
There are other configurations, maybe even better ones. This is just an off-the-cuff example of how to do it cheaply without installing any special software or knowing Linux.
If you really wanted to drive people nuts get a pair of serial-port-to-ethernet devices from the 1990s and watch your neighbors have fun at 56Kbps.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I used to keep my wireless router open for several years. A few outside computers regularly used my network, but then a couple of months back I noticed that someone was downloading more data than usual. I let it slide since I have enough bandwidth and a large enough cap to deal with it. A week later, my ISP sent me a copy of a DMCA complaint that they received from a movie studio whose content my neighbour was illegally downloading through BitTorrent. So I was basically forced to finally password-protect my network and end my little social experiment.
But if you must... Where did you live again?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
If someone uses your connection to buy something with a stolen credit card, there's no way to prove it wasn't you. I applaud the altruism, but it's kind of like lending your car to a stranger - you have to trust them not to use it in a bank robbery.
is never provide open Wifi.
For conscience is the wound, and there's naught to staunch it
As I mentioned in another post (http://slashdot.org/comments.pl?sid=2111634&cid=35964896), I wish that nocat.net was updated
route everything coming from the open wifi network over tor to keep swat from banging down your door?
I don't even understand why any self-respecting geek would buy a router that couldn't run OpenWRT, Tomato or DD-WRT. The stock firmware of commercial routers is always just rubbish compared to the open source (ish, in the case of DD-WRT) replacements.
For setting up bandwidth limiting for OpenWRT, well, OpenWRT is for real men (or real women), as this wiki page should make clear. Lots of command line and config files; there are web frontends but I'm unsure if any let you fiddle with these kinds of powers. But if you're looking for fine-tuned control, OpenWRT is pretty much a distro in its own right so the possibilities are pretty vast.
For Tomato (which I use 'cause the graphs are pretty), unlike what SighKoPath has said here, you don't have to set up specific rules for each MAC or IP; just set up the classifications for your own devices, then in QoS -> Basic Settings set the Default Class to something like, say, Class E. Now you can set the bandwidth limits for random strangers in Class E and any device or type of traffic that you don't have an overriding rule for gets categorized in Class E, so any new random neighbor devices will fall into that class. Simple.
As far as routers go, a lot of existing routers (as long as you didn't buy a really bad one with too little memory to even install anything to) are supported by at least one of the three main firmwares. Tomato is far more restricted in terms of choice, but if you can't find a spare WRT-54Gv1-4 lying around, Linksys deliberately sells the WRT-54GL for the sake of folks who'd like to install Linux-based alternate firmwares. For OpenWRT you can check their Table of Hardware, random pick, the Buffalo WZR-HP-G300NH is good bang-for-your-buck. DD-WRT's equivalent table is here; you can actually get some routers, like Buffalo's WHR-HP-G54-DD, which come with DD-WRT pre-installed. Never actually tried DD-WRT myself . . . I'm a bit of an open-source zealot, and DD-WRT has had a somewhat sketchy record. Plus, have I mentioned Tomato has pretty graphs?
I remember sigs. Oh, a simpler time!
A link to FON would be helpful. It really doesn't get much easier than this. FON even helps you set up selling day passes for non-FON members so you can actually pay for your broadband by sharing it. The service is international so anybody with a broadband connection can do exactly what you want to do just by buying their $49 WiFi hotspot.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Because they might make a bomb
Well hand me those tweezers and we'll get you that happy ending...
Is it not possible to restrict access to a specified list of websites but for those with certain MAC addresses (or something else which you can be reasonably sure identifies you and your computers but which couldn't easily be guessed by others).
You could send people trying to get to other sites to a standard page showing the sites they could go to. You could whitelist several email providers, facebook, twitter, wikipedia, etc. And you could only allow them to use HTTP, IMAP, or POP3 connections say. If that worked, you wouldn't have to worry about people torrenting hundreds of gigs on your connection.
I remember a story from a few years ago about someone who decided to mess with someone who was using his wifi connection, and was blurring images this person saw on the internet, and maybe redirecting every tenth page to goatse... I would have thought that system could be made to work for a whitelist.
Anyone have any experience with that system?
I think the idea is that if everyone participates in this "movement" then law enforcement won't be able to willy nilly break down our doors and start throwing people in jail.
That and wireless will be everywhere!
The question is flawed. While you may think you are helping society, you are unlikely to do much good and risk getting hacked. It isn't the robbed bandwidth or the chance of the FBI knocking on your door because somebody downloaded kiddie pr0n. It is because getting into the wi-fi router puts that person's computer inside your intranet. Would you let some random person sleep in the spare room of your house?
'nuf said
"No matter where you go, there you are." -- Buckaroo Banzai
Leaving your wifi open is a security nightmare and an invitation for abuse. Someone hogging your bandwidth is the least of your worries. Before long someone is going to hack your own computers and download kiddy porn on your connection. Law enforcement won't accept "intentionally left it open for the good of mankind" as a legitimate excuse. Rather, they'll tell you that you should have known better and you asked for the trouble you got into. Why do you want to make life difficult for yourself?
If you have a few neighbors that you trust and want to share your connection with, then give them your access key. This way, you can know exactly who is doing what because you have their hostnames and MAC addresses.
Oh, officers, you have it all wrong! Those terabytes of k1ddy pr0n on my hard drive prove my innocence!
I always wanted to do this but in a slightly more involved way. I would have 2 wireless access points. The first is the switch to my trusted LAN, the second is the switch to my untrusted LAN. I would then have a computer with something like UNTANGLE installed on it. UNTANGLE would contain 3 interface cards. One red (Internet - goes to ADSL modem), second purple, goes to the wireless access point/router tagged for the untrusted LAN, and one green that goes to the wireless router tagged for the trusted LAN. I would then use the features of UNTANGLE to set up filters etc for the purple interface such that persons using it would not perform actions that could get me in trouble. Basically lock it down to browsing/webmail. Further to that I would not just leave the purple interface totally open I would put some WPA-AES on that and set the SSID to something like "FREE-WIFI_PASSWORD_IS:12345678", which would hopefully give the users who connect some protection from each other, where firesheep/sidejacking etc is concerened.
I am not sure what kind of neighborhood you live in or what kind of router you have, but this is almost pointless. With my old G router, which was set in the living room, I could get a signal on my front porch and the bedroom right next to it. My N router has dramatically further reach, but signal is still weak in many areas. With my N, I can get almost to the street with connection in the front, and about a quarter of the way into my back yard.
My neighbors on either side of me - well, one is an older couple in their 80s who don't even own a computer. The neighbors on the other side have several teenagers in the house, and even if I wanted to share with them, the aluminum siding on my house and theirs makes it impossible to get a signal in their house.
On a GOOD day, I get about a 10%-25% signal from my neighbor across the street, but normally cannot maintain a signal long enough to obtain an IP address.
These are with older, SMALL houses. My parents' house is much larger, and we actually had to reposition the router and use wireless NICs with powered antennas to get signal in many areas of the house. I can pick up signal from the church next door, which is about 200 feet away, and has open WiFi, but I cannot get a signal at all in the house, and if I am outside, I can get a fair signal, enough to pull down e-mail in a few minutes. The people who live right behind them (tiny backyards), you can get their signal on a good day. Theirs is open, but I have only been able to get into it once, long enough to get an IP address, before I lost the signal.
If you are in an apartment or dorm, you MIGHT be able to share with a couple of your neighbors. I have seen people do that. But don't expect to do streaming video or stable VPN connections if there is a floor between you; they tend to crap out (know this from experience on the helpdesk).
Now, let's assume that you are a good neighbor and let people camp out on your lawn with their laptops, or share with neighbors in your apartment building. What happens if they decide to use BitTorrent or Limewire? As far as I know, there are no court precedents that allow you to establish yourself as an individual as a service provider. IF you do this, you are opening yourself up to lawsuits and criminal investigations. Not saying it would happen, but it COULD happen.
And then, of course, there is the possibility of your ISP finding out. What if you have a bandwidth cap? What if they suddenly notice a large amount of traffic on your IP address? Pretty sure this would be a violation of your TOS with the ISP, unless you have a business account with them.
To put it simply, DON'T DO IT! This is the one time that the EFF is WRONG.
So people with Wi-Fi connections are responsible for what other people download with it (regardless whether they break a password to do so)? What a stupid idea. And what if it's malware that does the downloading? I'm just saying it's extremely easy for anybody to send an innocent person to jail. My question is not about using strong passwords, it's about why you should be at fault when that protection is broken or doesn't exist.
Is an airport responsible if someone uses an airport's public Wi-Fi to download illegal material? And if not, why not? How is that setup any different from a normal person providing public Wi-Fi?
From the sounds of it, businesses can provide public Wi-Fi but you can't because you're not big enough.
Have you ever heard of Fonera? :o)
Sharing is easy and safe, and it gives you back free internet all over the world on any device
Route all the guest traffic through tor, and they won't (practically) be able to track those packets to your network.
Heck, for that matter run a tor exit node too, to really confuse the courts if they ever go after you anyway. :)
Shouldn't the ISP deliver my bits regardless of what they are?
If someone knocks on my door and asks to borrow my telephone, I don't need the phone company's permission.
If I type an email on behalf of a friend without a computer, my ISP doesn't get to complain that those weren't "my" bytes.
But if you're that concerned, just route the guest traffic through TOR and at least through packet sniffing they won't be able to distinguish the guest traffic from your own. All they'll see is encrypted traffic which could be to/from anyone on the tor network.
Supply, meet Demand. People, generally, will abuse anything they haven't paid for or don't care about. There is no signal that lets them know what they are using, such as a meter, pricing, etc. All they see are slowdowns. This should explain to anyone why Socialism and Communism are failed systems that murdered millions of people in the 20th century.
One of my all time pet peeves is when people don't answer the question and instead try to act smarter than the question.
HE'S NOT ASKING IF IT'S A GOOD IDEA OR NOT. HE'S ASKING HOW TO DO IT.
Take notes all you smart(dumb) asses out there. I am answering his question. I am not pointing out that his idea is stupid:
You could look into OpenBSD and pf. I believe they let you setup priority and schedulers for traffic:
http://www.openbsd.org/faq/pf/queueing.html
Why should anyone run and do this just because the EFF told them to?
I live in a relatively densely settled suburban area, but it's all single-family houses. I believe that anyone who wants a wireless connection either already has one at his/her house, or has a smartphone or tablet with a decent 3G signal. Why should I open an access point to very likely nobody? The only thing I have to gain is risk of someone doing harm to me, just to meet some imaginary goal of "sending a message."
If this is a political issue for you, start an internet petition (similarly useless) or buy a Fonera (which is not exactly setting the world on fire with its popularity either). This geek crusade is attempting to right a purely imaginary wrong.
Let me get this straight. The whole net neutrality thing is a fine idea to impose on the big boys, but when _you_ play the ISP role, then traffic shaping and priority for your preferred content is all perfectly fine, and btw here are two dozen ways to do it. Am I missing something?
Hypocrites!
http://www.ex-parrot.com/pete/upside-down-ternet.html
Buy a Linux-based router that can run open-source firmware such as DD-WRT. See the DD-WRT site for a list of available devices.
Replace the junk firmware that comes with the router, which is primarily used to segment identical hardware into low-end and high-end product categories. You now have a much better device at no extra cost.
With DD-WRT the router can be configured to run two wifi networks. They can be configured separately and throttled for bandwidth if you prefer.
One LAN is open to the world. One LAN is closed. Done!
http://www.dd-wrt.com/site/index
One day later . . .
I just tell my router to accept only specific MAC addresses. No WEP or WAP, just don't accept anybody without the right addy.
So I can send all my Pedobear friends...
Don't!
It'd be nice to have a simple linux distro that could run on old hardware, say a spare pentium-III, and which would:
A) have a wi-fi access device attached (possibly with an external antenna)
B) Act to firewall off/protect access to the owner's local resources, only allowing traffic of selected types and only communicating with the internet
C) Log all peers, to provide a basic record of who used the access point
D) Form a mesh network with other devices of similar types, permitting peer to peer traffic passing while skipping internet use entirely.
As a bonus, have it limit traffic per device on a scheduled basis, so a given MAC had a weekly, monthly, or daily bandwidth limit, to keep the connection from being hogged by one guy (eg. cheap jerk of a neighbor). Set up the box to limit only guests, and not your own connectivity (subject to the security limits of wi-fi, of course).
Users take the distro, build it on an old or other low power box, attach a wi-fi device, and provide safe, free communications to your neighbors without them overrunning your own connection. Set the box up to mesh with its neighbors and permit the other access points to share your connectivity. If a lot of the boxes are near each other as in a metro area, then you have a "wireless internet" that's not tracked by any ISP or govt. agency. If you know where your "neighbors" with these devices are, then use cantennas and a spare wi-fi device to establish a point to point link as needed, to go beyond normal wi-fi range.
Finally, set up a web site where people can register their access points so folks can see where they are, and provide a pattern and manufacturing source for a standard "free wi-fi access" sign for the front yard, so maybe the cop$ will notice it and realize you're not the guy deserving the swat team.
Opening up your sole wi-fi internet access device to sharing is a nice gesture, but it can cause you enough trouble to stop wanting to do it no matter how nerd-friendly you are. An out of the box solution easy enough for the average guy with a spare machine to use would go a long way toward proliferating both free wi-fi and meshed "alternative" networks without the headaches.
Erik
A relatively cheap consumer router/AP that happens to come with guest network support, site filters, access hours filters, etc. Even doubles as a basic NAS appliance...
Just do routing of all "unknown" users through a Tor proxy. #1 - It's slow enough that you'll never notice it. #2 - It's private, and will never trace back to your IP (no party van coming because your neighbor is a pedophile). #3 - Most outbound Tor gateways don't support any other protocols other than web or IRC. So no file sharing or streaming.
You're just as safe running an open router with Tor as you are with just running Tor for yourself. But I wouldn't use the same router as your personal one. Buy a separate router, run it behind a computer with a second NIC, and pipe that NIC through Tor and from there, just route it like it's your normal traffic. It's a bit technical, and you'll have to play with it (hell, isn't that the point, to have fun and learn?).
And, have a good laugh when your neighbor tells you about his internet getting a German language version of Google (because the Tor gateway happened to be in Europe).
I8-D
I am not exactly super router knowledge guy, but I bought an ASUS RT-N16 because it was on sale. The specs were great but the ASUS firmware was garbage so I installed DD-WRT (http://dd-wrt.com) and it *rocks* now. I get great throughput, it's very very stable (currently up for 51 days without a reboot -- last reboot was only because I was cleaning behind my desk and unplugged it). It also has quite a few options that you don't get in your typical consumer-grade router. You can block certain services/apps/games (e.g., bittorent, tor, aim, skype, team fortress). You can block websites by url or keyword. You can limit your blocking policies to certain times of day if you like. You can apply blocking policies to specific MAC addresses which lets you target offenders. You can even serve ads to folks who use your router for access. It does all sorts of other stuff I don't understand. It's pretty amazing.
DD-WRT is free, but if you choose to use it, please consider donating to the developers.
If your ISP gives you hard time for leaving a wifi router in the open the answer is: DITCH THEM
Once one has ditched the cable company in favor of the DSL company, in favor of whom should one ditch the DSL company?
I wouldn't say that is an easy way the average consumer could do though. It requires some knowledge of Linux as well as Networking.
That and buying a new AP, in a lot of cases. I've never owned any of the products on OpenWRT's list. And a lot of people still rent a modem with integrated AP from the cable company or the phone company.
By using free wifi you could run into some risks. The wifi owner could:
- Monitor your traffic, especially non https.
- Redirect your traffic to unsafe / unwanted pages (transparently, for example mimicking a bank page)
- Place code to exploit browser / application bugs
I have been doing this for a couple of years now. I have a couple of wireless APs mounted on the outside of the building. This gives me good coverage inside and gives reasonable coverage to the shops across the road. I have a separate SSID for public which is not protected, whereas my private net is WPA2. The networks are on separate VLANs with the public net being limited to 64k/64k bandwidth. This is a tiny amount of my bandwidth so I don't notice it. I also allow only certain protocols out. Mail, web, etc, etc, but it's not open, so running a torrent client would be difficult. I keep track of all the MAC addresses that have requested a DHCP lease. Currently I have connected 1500 unique devices. My theory is that it's good enough for someone to read their email without being too attractive to make them stay. Also, I am on a business plan from my ISP that allows redistribution of internet. I use a FreeBSD box running ipfw to do the traffic shaping and filtering.
I literally was the first person in my neighborhood to install first a router, then a wifi router back in the days of yore.
I was also one of the first to get wise enough that when decent workable security in the name of WPA was made available I immediately closed my routers up. I have a habit of checking now and then what other SSIDs come up in range of our dwelling. At first it was 4-6, all of them open. Now it's well over a dozen and all but one of them are closed.
And they're closed for bloody good reason. The open range has a lot of nasty people on it.... or rather the freeness, anonymous nature of the 'Net has empowered the knowledgeable malicious few over the many who, while not necessarily being idiots, aren't as technically adept. There are those who will happily hop on your bandwidth and clog it to death downloading hundreds of gigabytes of porn, or pirated software, to the point where your provider starts throttling your access, or enforcers of other types start knocking at your door with some pointed questions.
As a consultant for families and small businesses it would be ethically and morally irresponsible of me not to counsel them and aid them in securing their home WIFI. For corporate types who want open WIFI for their guests, I aid in restricting the range and access to that WIFI to protect them from mischief.
Similarly if you're browsing on an open WIFI net, you too can be vulnerable to malice sharing that subnet with you. If you're going to range in the wilds... make sure you protect yourself.
This doesn't mean that you can't share... You can, but just like driving, you have to share responsibly, not blindly.
This small device would do the job.
http://corp.fon.com/us/products/simpl/
I know it's old fashioned but could you actually talk to them in person and let them know what you are up to and give them permission and block them if they blow it?
Currently hooked on AMP
If you really want to do this, I'd recommend using router software that supports a captive portal (so they are presented with a welcome page and must agree to your terms of use before they are allowed through your firewall) and VLANs. The idea is you can create a VLAN for your public wifi access, and another for your private network. People connecting to your public wifi network would be allowed only access to the Internet, and nothing else on your network (we don't want people snooping through your porn now do we).
DON'T!!
Be More, Be Manly, The Manly Geek Ubergeek Extraordinaire Blogger: www.manlygeek.com/blog Podcaster: podcast.man
You would want a separate virtual wireless LAN and you would limit the bandwidth of that to about as low as it can go and adjust it so the priority it gets in the router is as low as it goes... If they want actual Internet they can go and get it themselves. Opening your wifi just puts you under liability for when someone downloads child porn on your connection and/or hacks into your PC on your network because you wanted to be Mr. Friendly and share the internet you pay for with any old person walking the street.
The EFF has some very naive views on how things should work; open wifi is one. Until there is some protection for the one who maintains a wifi hotspot I would not leave mine open...
But if you must look into one of the routers supported by dd-wrt...
fonera does this out-of-the-box if i am correct ...
The new Cisco Valet routers support this "Guest WLAN" feature I do believe.
Set up the cool open source Untangle firewall on commodity hardware with three network cards: one internal, one external and one DMZ. Put one wireless AP on the DMZ to share and use QOS to control the bandwidth allowed. Firewall off that DMZ from your internal network and put a second locked-down wireless AP on the internal network just for your stuff. You could even use the captive portal feature to have them agree to terms and conditions to indemnify you.
so add a wireless access point locked to a lower bandwidth to one wired port and put its address scope in the DMZ.
If you don't have these options in your router you need a better router.
All this said, it's really not worth all the effort, no matter your "sharing is caring" ideals. If you're that nice, you're going to get taken advantage of.
The EFF dresses up their appeal (https://www.eff.org/deeplinks/2011/04/open-wireless-movement) in BS rhetoric about a 'tragedy of the commons' that's ensuing as people turn on WPA at home.
No. This is people configuring their equipment as recommended. This is what a successful education campaign looks like. The fact that when the tech first hit, everyone was setting it up wrong does not mean that's how we ought to leave it.
Even the EFF admits that the time for just leaving the door open has not yet arrived. Consumer routers don't do network segmentation and traffic prioritization well enough yet.
My favorite EFF knee-slapper:
"There is currently no WiFi protocol that allows anybody to join the network, while using link-layer encryption to prevent each network member from eavesdropping on the others. But such a protocol should exist."
OK, so I should leave my network unprotected because a protocol that doesn't exist, should?
Whiskey, tango foxtrot, you digital hippies. Would you please go loiter somewhere else?
I do this, using a Mikrotik RB750 router - about $40 anywhere online. Even has virtual OS/router support. Using the firewall, block everything & open the ports you want (80, 443, 25, 110, 587, etc.). You could even redirect their DNS to OpenDNS or something else if you don't want them doing naughty things on your connection.
Reno Web Design |
I'm actually surprised no-one has mentioned this one before. FON is a community sort-of-thing that sells (pretty cheap) routers designed to do precisely what you're looking for. http://corp.fon.com/en
1. download dd-wrt and flash your router; a decent one with a full 8 MB of flash is probably ideal.
2. set it up to have two SSIDs; one will be encrypted, one will not. DO NOT BRIDGE THEM. (You don't want the open wifi AP traffic to be able to reach your other subnet.)
3. set up traffic rate limiting (QoS) on the router; put the public subnet traffic into the "bulk" (i.e., low) priority and your private subnet's traffic into something higher.
4. turn it on, test it well, and smile because you're doing well and doing good.
Go away you moron, you're not a real Slashdotter.
I paid for my bandwidth. You didn't.
If the EFF wants open wireless, let the EFF install it all around my city.
My router, an Apple Airport Extreme (extreme!), allows for a guest network. Mine is unencrypted. There have been occasions when I've needed an open WiFi network to find where I'm going or quickly check an email, and I've found one. The same is true for everyone posting on or reading this thread. Now, I'm giving back, and if the police and the cable company don't like it that's too damn bad.
Don't be hypocritical. You've all taken, give back when you can.
Somehow, some way, this seems to be an opportunity to open up such machines to public access by setting up a default server that either simply authorizes anyone/everyone - or that requires a subscription and some form of signup.
An open-source project if there ever was. It has been a LONG time since I did anything with radius but I bet it could be done.
richard
Been there, done that, paid for the T-shirt
and didn't get it
When I lived in a densely populated downtown area with plenty of students, I set up a FreeBSD box with PF / ALTQ, Snort and Squid which provided an enjoyable experience for fast web browsing and MSN for anyone who wanted it.
I used PF for proper firewalling, on both sides to ensure the young folk wouldn't attack me or neighbors, but also to block certain ports for known applications that would drain the experience for others. ALTQ is for packet queuing quality of service, to ensure everyone had an equal amount of bandwidth. I used Snort to ensure the savvy wouldn't navigate around these port blockings to P2P over regular ports. And I used Squid to proxy cache a fast web experience, as many students travel to the same sites, viewing the same content and youtube videos (there were many positive cache hits, saving everyone plenty of bandwidth).
At its peak usage, I had roughly 30 users and testing it during that time I found web browsing just as snappy as ever. The neighbors enjoyed it, especially on Halloween when I flipped all images with a little trickiness. I also logged all web activity so I could ensure that people weren't accessing illegal content and if they were, I'd have their MAC address to confirm identity (or at least attempt to prove it wasn't me).
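The PF/ALTQ setup described in the comment above (and the OpenBSD pf queueing FAQ linked earlier) can be written as a single pf.conf. The following is an added example, not the poster's configuration; it uses FreeBSD's ALTQ syntax (OpenBSD replaced ALTQ with its own queue syntax in 5.5), and the interface names, subnets, bandwidth figures and port list are all assumptions chosen for illustration.

```pf
# pf.conf: open guest AP on its own interface, private LAN on another.
# Goals (from the thread): guests cannot reach the private LAN or the
# router itself (except DHCP/DNS), guests only get web/mail ports, and
# guest traffic is rate-limited and always loses to private traffic.

ext_if    = "em0"            # assumed: uplink to the ISP modem
lan_if    = "em1"            # assumed: WPA2 AP / private LAN
guest_if  = "em2"            # assumed: open guest AP
lan_net   = "192.168.1.0/24" # assumed private subnet
guest_net = "192.168.2.0/24" # assumed guest subnet
guest_tcp = "{ 80, 443, 25, 110, 143, 587, 993, 995 }"  # web + mail only

set skip on lo0

# Upload shaping on the uplink: assumed 5 Mbit/s upstream.
# Private traffic is the default queue and may borrow idle bandwidth;
# guests get a hard 10% slice at the lowest priority.
altq on $ext_if cbq bandwidth 5Mb queue { q_priv, q_guest }
queue q_priv  bandwidth 90% priority 7 cbq(default borrow)
queue q_guest bandwidth 10% priority 1 cbq

# Download cap for guests: shape everything leaving the box toward the
# guest AP (assumed 1 Mbit/s total, shared by all guests).
altq on $guest_if cbq bandwidth 1Mb queue { q_guest_dl }
queue q_guest_dl bandwidth 100% cbq(default)

# Both networks share the single public address.
nat on $ext_if from { $lan_net, $guest_net } to any -> ($ext_if)

antispoof quick for { $lan_if, $guest_if }

# Default deny, logged: anything not explicitly allowed shows up in pflog.
block log all

# Guests may talk to the router only for DHCP and DNS ...
pass in quick on $guest_if inet proto udp from any to any port 67
pass in quick on $guest_if inet proto { tcp, udp } from $guest_net \
    to ($guest_if) port 53

# ... and must never reach the private LAN or any router address.
block in log quick on $guest_if from any \
    to { $lan_net, ($guest_if), ($lan_if), ($ext_if) }

# Guests: only the listed TCP ports, stateful, into the low-priority
# upload queue. Replies come back through q_guest_dl on $guest_if.
pass in on $guest_if inet proto tcp from $guest_net to any \
    port $guest_tcp queue q_guest

# Private LAN: anything out, at high priority.
pass in on $lan_if from $lan_net to any queue q_priv

# Let the router forward and answer on all interfaces (states created
# by the rules above carry their queue assignment to the uplink).
pass out on $ext_if
pass out on $lan_if
pass out on $guest_if
```

Load it with `pfctl -f /etc/pf.conf` after `altq_load="YES"` (and the matching kernel options) are in place; `pfctl -vsq` shows per-queue byte counts, which is the quickest way to confirm guest traffic really lands in q_guest rather than the default queue.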
Are you going to give your little speech to the judge after someone uses your router to download child porn?
Anyone who wants free internet can go the library.
Okay, I'm going to skip the obvious argument. Suffice it to say it is irresponsible to have your network open.
I don't think you can really do anything. I have never seen a consumer router that is smart enough to throttle or block services competently. You could talk with your neighbors about keeping the usage down, but human nature being what it is, they're unlikely to listen. Remember that they are exploiting you. They may be nice to you in person, but they will happily take advantage of you and rape your bandwidth if it means they get to save some money. That's just the way our brains are built.
Check out Monowall or Pfsense. I have used both in hotel/motel WIFI systems. The great thing about them is they can be run on an old computer you don't use any more. A PIII 500MHz with 128Megs ram is all that is needed.
Anyone mention Fon (www.fon.com) yet? It's not really open to just anyone, but I think it is somewhat interesting. It sort of brings the "open to anyone" concept to "don't rape my internet".
I always said, "Locked wifi only hurts poor people", poor people (like me) cannot afford 3G.
Why don't the people who wrote dd-wrt create a build to manage a new breed of open router?
this story
Yeah, I read the arstechnica article a few days ago, and the comments there were much better than the ones here. Among the sentiments I enjoyed:
To actually respond to the OP...
Good luck and have fun, don't let the man keep you down! :P
Regarding consumer level gear - yes some of it has the ability to run multiple SSIDs out of the box, but many do not.
If your router doesn't support multiple SSIDs, what you can do is use two routers. Connect Router A to your modem and leave the wireless on this router unsecured. Router A will be your public access router. Now connect Router B's WAN port to one of the LAN ports on Router A. Secure the wireless on Router B - this will be your protected personal network.
Since any traffic on Router A can only get to Router B by way of Router B's WAN port (which is the NAT outside interface and has a firewall rule that denies all inbound traffic by default), traffic from Router A cannot get to the network on Router B.
One advantage here is that any host connected to Router B (your private network) can inherently talk to any host on your public network. For instance, if a friend came over and connected to your public wifi with his laptop, you would be able to connect to his laptop from any of your computers using VNC, file sharing, remote desktop, etc if you needed to (assuming his laptop's software firewall permits the connection).
A disadvantage is that since all traffic is exiting your network through Router A, all hosts will share a single public IP, so traffic from the two networks cannot be differentiated by IP address.
As someone else has already said, the ideal method would be to connect two routers directly to your Internet modem, where each router gets its own public IP, but the vast majority of ISPs only give you one IP address so this isn't feasible.
The method I've outlined above will work with ALL ISPs and ALL routers. Keep in mind that even though you've segregated public and private networks, wireless security, even the best wireless security, is not infallible. If you truly must have a secure environment, turn off the wireless on Router B and only use wired connections on the private network.
Ok, I'm somewhat surprised this hasn't been mentioned. I'll admit I didn't read all the way down though....
Pfsense ppl!
www.pfsense.org
All the power of a BSD firewall condensed into a nice web-GUI friendly interface that doesn't require command-line knowledge. I use it in conjunction with two old WRT routers running DD-WRT in an AP config. One is my WPA2-AES secure wi-fi, the other is wide open, albeit "requiring" a visit to a certain YouTube video to use my wireless. The open AP is VLAN'd to keep visitors from interacting with my network.
Note... I used to use Ipcop... it appears to be dead for all intents and purposes.... I left before it died I think, but pfsense is better anyway.
A few things I would consider:
1. Security: security of your network - at a basic level you'll need to make sure your devices are patched. For more security you might want to use a separate SSID and VLANs etc... You could look at something like the Cisco 861W routers for these and more features.
2. QOS - I wouldn't let those connecting for free get better bandwidth than you! You'll probably want to use QOS to give your own devices a higher priority
3. Bandwidth limiting - unless you have truly unlimited internet then you'll probably want to limit bandwidth somehow (e.g. 100MB per session?).
4. Misuse - If you're giving away free, anonymous internet then it's possible that someone will misuse it. How would you feel about a knock on the door from the police? Should you be keeping logs? Should you only allow people free internet after they've knocked on your door and shown you some kind of photo ID (e.g. driver's license), which then means you've got to create accounts and probably keep logs, *sigh*.
I know that here in Australia all McDonald's restaurants provide free wifi. Some of them (but not all?) get you to agree to some terms and conditions.
Perhaps you could protect yourself legally with something like that (e.g. NoCat).
Unfortunately, after considering everything you might find that the risks (legally a lot) might outweigh the return (a warm fuzzy feeling).
For me the happy medium is to provide free wireless to everyone living in my house and my friends that visit. I can't be bothered setting up the legal work for strangers.
Sorry, my ping is far more important than any stupid hippie cause.
It's crazy to share your connection with anyone you don't trust. When they mess up the bad people will come after you.
For most people that means don't share your connection.
Don't set up your Wifi router near a college dorm.
I am anarch of all I survey.
Seems as though the wifi is either accessible or it's not. There's nothing you can be careful about. It's on or off.
Depending on your router, you may be able to use QoS (Quality of Service) directives to prioritize an IP on your network over others. I do this on mine.
This would require you to either use a static IP, or your router to be able to assign specific IPs outside of its DHCP range (usually 192.168.1.100-255) to specific network cards based on their MAC addresses. You can use this first to make sure your computer gets a specific IP address when it connects to your router, and then set up QoS afterwards to ensure that that IP gets first bids on bandwidth.
If your router supports VoIP, it should feature QoS as well.
I use this strategy on my router, and it works very well.
Best way to do this is to get on board with the fon network! www.fon.com
Buy one of their routers (not expensive). It provides two WiFi SSIDs - one open, one closed. You then share your connection with other fon users (who either also share their connection or they pay a small fee per day for access). For your neighbours etc, you can set up "friends and family" accounts so that they can access your connection freely.
With any of their routers other than the Fonera SIMPL, you can also limit the bandwidth of the open SSID, as per this article - http://wiki.fon.com/wiki/Settings#Limit_the_bandwidth_you_share
The great thing of working this way is that you also get free WiFi access anywhere that fon is used! In the UK, BT have latched onto this and all of their customers' routers also act as a Fon hotspot.
I have been using a Linksys WRT54GL for years now with wireless wide open. I live in an area which has a lot of tourists and people passing by, so I have the satisfaction that leaving the access open actually gives a benefit to a relatively large number of people.
After years, things have been tweaked considerably, so here are my suggestions for a relatively secure implementation:
- I use the latest Tomato firmware on a WRT54GL
- while the network is completely open, I use IP-based access limitation, that is if you are a known person/computer (your MAC address is, in fact) I'll manually add you to a list so that the DHCP gives you an address in the region 192.168.1.10-20 or so, while otherwise you are offered a random IP in the usual .100-.200 pool
- guests (.100-.200) enjoy only ports 80 and 443
- known machines have full access
- I implement QoS (reason I have gone with Tomato, it was the easiest to set up) and guests have always class E, which I defined as the lowest priority, so when I am at home I don't notice their presence, while if not there they can use my bandwidth at will, and I don't mind.
- I leave my router on at all times, even if I am away for weeks, as I know that some people started relying on it and like that they can avoid spending pointless money thanks to my open wifi; this also helps reduce the amount of wifi in the air and the undesired interference issues (currently counting tens of access points per block and having a hard time finding a free channel)
I know that the security is nonexistent, and that the MAC/IP-based access control is very weak, but it is enough to prevent all the people with Windows machines and a trojan/bot from starting to spam the world. Obviously it will not stop a malicious attacker, but I personally believe that those are more the exception than the rule, and I harden my machines otherwise (locally, at machine level) to protect from those.
Not suggesting this is the best solution ever, just saying that this has been proven to be working with relatively little effort for years in a quite busy street with several people accessing per day. Oh and yes, some of them gave up or never subscribed to an ISP, but well, I don't think an artificially created market has a reason by itself to exist; some people still will want their full control on the bandwidth, or full privacy, and those will still be customers; ISPs shouldn't fear my access point too much.
My 2 cents,
Fabio
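Fabio's known-hosts/guest-pool scheme above, and the earlier suggestion of fixing your own IP by MAC and then prioritising it with QoS, can both be expressed as router configuration. The script below is an added example (not Fabio's or any other poster's actual config) for a Tomato/OpenWrt-class Linux router; it assumes a LAN bridge `br0` carrying wired and open wifi, WAN on `vlan2`, bridge netfilter enabled, an 800 kbit uplink, and constructed MAC addresses. It prints the iptables/tc commands rather than running them unless you set `IPT=iptables TC=tc`.

```shell
#!/bin/sh
# Added example, not any poster's configuration: dry-run generator for a
# Fabio-style guest policy on a Tomato/OpenWrt-class Linux router.
# Assumptions: LAN bridge br0 (wired + open wifi), WAN on vlan2, bridge
# netfilter enabled so bridged frames hit FORWARD, and an 800kbit uplink.
# Commands are printed unless you set IPT=iptables TC=tc.
IPT=${IPT:-echo iptables}
TC=${TC:-echo tc}
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-vlan2}
UP_RATE=${UP_RATE:-800kbit}
GUEST_RANGE=192.168.1.100-192.168.1.200
# Constructed MACs standing in for the "known" machines.
KNOWN_HOSTS="00:11:22:33:44:55,192.168.1.10
00:11:22:33:44:66,192.168.1.11"

# dnsmasq fragment: known MACs get fixed leases in .10-.20, everyone else
# is handed a lease from the .100-.200 guest pool.
known_hosts_dhcp() {
    printf '%s\n' "$KNOWN_HOSTS" | while IFS=, read -r mac ip; do
        printf 'dhcp-host=%s,%s\n' "$mac" "$ip"
    done
    printf 'dhcp-range=192.168.1.100,192.168.1.200,12h\n'
}

# Guest pool: web and DNS only, no LAN access, no router services but DHCP/DNS.
# This is IP-based and therefore only as strong as the DHCP assignment; a
# guest who sets a static .10 address walks around it, exactly as Fabio warns.
guest_firewall() {
    G="-m iprange --src-range $GUEST_RANGE"
    $IPT -A INPUT -i "$LAN_IF" $G -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" $G -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" $G -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" $G -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" $G -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" $G -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT   # known machines: full access
    # Mark guest packets so tc can drop them into the lowest-priority class.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" $G -j MARK --set-mark 50
}

# Uplink QoS: known hosts in 1:10 (prio 0), guests in 1:50 (prio 7, "class E").
# Guests keep a small guaranteed rate but may borrow the whole link when idle.
guest_qos() {
    $TC qdisc add dev "$WAN_IF" root handle 1: htb default 10
    $TC class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "$UP_RATE" ceil "$UP_RATE"
    $TC class add dev "$WAN_IF" parent 1:1 classid 1:10 htb rate 600kbit ceil "$UP_RATE" prio 0
    $TC class add dev "$WAN_IF" parent 1:1 classid 1:50 htb rate 64kbit ceil "$UP_RATE" prio 7
    $TC filter add dev "$WAN_IF" parent 1: protocol ip handle 50 fw flowid 1:50
}

known_hosts_dhcp; guest_firewall; guest_qos
```

The HTB `ceil` on the guest class equals the link rate, which is what gives Fabio's "they can use my bandwidth at will when I'm away" behaviour while `prio 7` keeps them behind your own traffic when you are home.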
There's a very simple solution to give people free Internet access without opening up your internal network, but it requires three routers.
I simply connected my old wired 100 Mbps router to the Internet, and then hooked up my new, secured WiFi router, and an old, unsecured 10 Mbps WiFi router, to one port each. Each router is on a different subnet, and the wired router has no idea how to route packets between the two WiFi subnets. Since I have a 100 Mbit Internet connection, 10 Mbit feels just about right to donate to the public.
If you leave your router open, you're letting strangers on your network.
If you refuse access to your router, you're keeping strangers off your network.
What's so hard to understand about that?
I'm all for letting others use my resources if I don't need them - but I'm not willing to spend the extra time ensuring that strangers don't take advantage of me.
www.fon.com has an extra "public wifi" SSID for visitors... they still have to log in but do not need a WPA key... which is more than the mere 100.000 wayport/boingo hotspots
they are also "logged" so if the police come, you can give them your visitors log
FON is active internationally.... with over 3 million "hotspots"
the device can be bought cheap directly from shop.fon.com
they offer a boingo like but "prepaid wifi" kind of service to access premium hotspots btw!
Trying to secure something by decreasing your signal strength is an excellent way to be more secure. It's just not a way to be absolutely secure, as AliasMarlowe seems to think. Even if he cannot detect a signal outside the property, someone with an ultra-high-gain antenna could. Having said that, minimizing the RF signal leakage, hiding the SSID, and MAC restrictions are all steps that increase security by making interception more difficult, even if none of them produce an absolutely secure system.
Saying that these steps for wireless security are useless because they can be breached with enough effort is like saying that locking your doors is useless because the locks can be broken with enough effort. The point is not to achieve perfect security, but security that is good enough to deter the intruders.
Fon offers a nice compromise in that it allows for an encrypted private signal just for you and a separate signal that can be shared with others (including your neighbors). You have to buy a Fonera. But after that there are no more hurdles. Just connect it and register, and forget about it. There is a layer of password protection. But members of Fon can always connect for free and it feels open, especially if you download an autoconnection app. I don't want to turn this into a commercial, so check out fon.com if you want to learn more.
See http://www.fon.com
The secret is to buy a little router which also enables you to freely share other foneros's wi-fis when you travel. It's kind of like a wi-fi social network.
I suppose you could do something like allow access to only the Google services, like Gmail, normal searching, and Google Maps, but then again there could still be trouble.
One thing I've thought might be kind of interesting to do is to route traffic through Tor. Many people here have mentioned having a separate SSID for open access; with some routing you could have all Web requests on this network sent through the Tor network. It would be slower, but you are offering it for free, and it would be a good way to allow some access without worrying too much about getting raided. Then again it could also encourage people to do bad things, if word got around that you were offering free, untraceable Internet (not that others can't download Tor, of course). And, if the authorities were sniffing the traffic on the open network they might still find a reason to raid you, but it might work.
At any rate, if you are allowing open access logging connections religiously is probably not a bad idea.
Saying "I'll probably get modded down for this" in a post is the best way to get it modded up.
Yes you can use pfsense. Two wireless routers one for the open connection and one for you and a pfsense box. Make sure they are on a different network address space. Then just limit the bandwidth for the open network using the pfsense box, good enough for surfing and email and filter what you like.
The SWAT treatment that guy had it up his arse was absolutely not something nice. On the other hand no one wants to die in a car accident either and yet it happens and this doesn't stop us from still using our cars. I personally know many people with their wireless open, with similar setups like the ones suggested here (DDWRT, OpenWRT or Tomato). Yet nothing bad has happened to them. Fear is understandable but for an educated decision we might need some real statistics.
For a while I had my router - not open- but I put the password in the name, so others could use encrypted internet for free. Is this generally a bad idea, or is it something that's ok? I just need to figure out what the OP asked, which is how to limit outside connections / not allow heavy bandwidth sites through the wifi.
Um, why would I want to open up my network connection that I spend my hard-earned money on? Split the costs, and you can have all you want.
Seriously, though, all you have to do is hook up your wireless access point to the DMZ port and enable traffic shaping on that network interface. There are apparently fancier things you can do, but I just configure inbound/outbound bandwidth limits. Quite simple, and it's all through a friendly web GUI!
Here's the documentation (sorry, no screenshots) that describes how to configure the shaping: http://m0n0.ch/wall/list/showmsg.php?id=35/88
In most US markets, there's only one cable company, but there are lots of DSL companies. The speed/price floor is going to be based on the telco wiring, and your ISP may be buying telco services at protocol layers 1, 2, 3, or 8, but they're still much different. For instance, I'm using sonic.net as my provider, and their terms of service are radically different from the local telco DSL service which they're using for wholesale. Telco service is cheaper, but since I want a static IP address, which the telco marks up much more heavily than my ISP, it balances out. If I want to run a web server at home, or send email over port 25 from my own Linux mail server, I'm free to do that. (I'm not currently doing the latter, and I think they're currently dealing with Port 25 by having it disabled by default but letting you turn it on by checking a web form.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Country : Sweden
ISP : Bredbandsbolaget
Speed : 100Mbit downlink, 10Mbit uplink. No traffic-limits. No shaping at all.
Price : ~15USD ~120SEK / month
My other point, if there's any to be made, is that if you allow your router to have open access for all, you can claim common carrier status and be exempt from the actions of your "users". Comcast doesn't get arrested for someone downloading kiddie porn using their network, why should you?
I'll keep this simple:
A common carrier offers its services to the general public under license or authority provided by a regulatory body.
Common Carrier
The common carrier is defined by law and regulated in the public interest.
Monowall, an open-source firewall/router/more from http://m0n0.ch/wall/
It runs on any PC from Pentium up with 64 MB of memory and is based on FreeBSD. Plug in 3 cards, one to your internet router, one to your LAN and one for the wireless.
You have a rather easy to use firewall, DHCP, and you can even limit the bandwidth so you have all the bandwidth you need.
With control over the DNS and the firewall, combined with a parental control like OpenDNS, it's you who controls the sites they can visit.
You can even decide who can use your equipment.
I have always dreamed of getting something like what is used at Panopticlick ( http://panopticlick.eff.org/ ).
They obviously work with enormous efficiency to identify you in a unique way, but for the good (they want to *warn* you).
Having a public wifi setup with Panopticlick tools would allow tracking anonymous users, and banning their profile as soon as some 'unfair' use is detected (here you decide what you put, wrong port numbers, excessive throughput during too long a time, whatever)
A setup like that, which would be openly distributed, would I believe allow both helping passers-by and demonstrably banning 'unfair users'.
(Then come the contractual terms of their ISP provider, which most generally will explicitly forbid this anyway, but this is yet another issue...)
Herve S.