Ask Slashdot: Best Way To Leave My Router Open?
generalhavok writes "I read the story on Slashdot earlier about the EFF encouraging people to leave their WiFi open to share the internet. I would like to do this! I don't mind sharing my connection and letting my neighbors check their email or browse the web. However, when I used to leave it open, I quickly found my limited bandwidth disappearing, as my neighbors started using it heavily by streaming videos, downloading large files, and torrenting. What is an easy way I can share my internet, while enforcing some limits so there is enough bandwidth left for me? What about separating the neighbors from my internal home network? Can this be done with consumer-grade routers? If the average consumer wants to share, what's the easiest and safest way to do it?"
Wasn't it just this week that we had the lovely account of someone getting the SWAT treatment just for leaving their router free and open?
http://yro.slashdot.org/story/11/04/25/1415259/Bizarre-Porn-Raid-Underscores-Wi-Fi-Privacy-Risks
The second part (keeping people off your home network) CAN be done by some consumer grade routers that support a Guest Network. My Netgear 37AV has that ability. You set up a second SSID that is open. It can get to the WAN port, but can't see anything on the LAN or the private SSID.
As for using bandwidth... no, I'm not sure you can do a lot there with a standard router. You could turn on QoS to make sure that your traffic has priority on the router over someone else's, but you'll be pretty limited in terms of stopping them from chewing up bandwidth the rest of the time. I really don't recommend this if you're on a metered connection.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
It's absolutely possible and fairly easy these days with out-of-the-box router firmwares, or if yours doesn't support QoS (Quality of Service), then you can potentially put on an open-source firmware -- DD-WRT -- to provide that ability and much more. QoS lets you designate classes of traffic, such as streaming, gaming, and other protocols, or particular devices on a WAN or plugged into the router itself, and set priorities for them. Doing this, you can share your WiFi AP (good for you!), but also get the lion's share of your bandwidth when you are wanting to use it.
Be very, very careful what you put into that head, because you will never, ever get it out. -Thomas Cardinal Wolsey
It can get you in to trouble
That said, I leave my wifi router open as well, but if you're going to do it you have to do it knowing the risks. Being accused of kiddie porn, for instance, is going to stick with you forever, regardless of guilt or innocence.
Your ISP may be none too happy when they find out you're sharing your connection; I'd double check their terms of service just in case.
If there's anything more important than my ego around here, I want it caught and shot immediately.
I just posed the same question in another topic, and wrote this:
WiFi routers should have the option of putting the air link on the outside of the local firewall. Actually, it would make sense if, by default, open WiFi links gave guest access to the outside Internet world, but not the inside LAN world, while encrypted links offered access to the inside world. This allows opening up guest access without exposing local servers and Windows shares.
A router should support both modes simultaneously, offering itself as two access points. Encrypted links should have higher packet priority over nonencrypted links, so that guest access can't starve out authorized users.
This seems obvious enough that some routers probably implement it already. Anyone know of one?
MAC addresses which can be cloned and spoofed so there's really no security at all!
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
You might take a look at IPCop or Smoothwall. Both give you access to the Linux command line, so you can use iptables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.
I offered public wifi in my apartment complex on a limited pipe. First, I set up a Linux firewall with three NICs - one for outside, one for my inside stuff+personal wireless, one for the public. On the public wireless side, everything except port 80 was blocked. I included 443 in the blocks because I wanted to limit where people went, so I could mitigate potential trouble like pedo browsers. On port 80, I sent all traffic to a transparent squid proxy. The proxy then checked which URLs were being requested and if they were in my allowed list. If not allowed, I rewrote the URL and sent people to kittenwars.com (I'm sure you could find an equally evil site to send if that isn't your preference). I did add in an HTML frame on the left side (right side was kittenwars) when people tried going to a site that explained here are all the sites you can go to, and the dangers of using someone else's unencrypted access point. Allowed URLs were fairly small, but from the usage the access point was still popular: Wikipedia, Microsoft patches, PBS, weather.com, local government sites. I'm sure you could find more, but I wanted a very limited set that probably won't attract trouble. Then finally I limited people from soaking up my pipe using Linux traffic shaping on the transparent proxy.
You really just need something that either has an extra interface for your wireless network, or can do 802.1Q VLAN tagging and a VLAN-capable switch. I think even with a Linksys and DD-WRT, you can put the built-in wireless AP on its own VLAN. Then you just give the wireless its own subnet, disallow traffic from the wireless subnet to your personal subnet. I think you can even do multiple SSIDs and put each SSID on its own VLAN, one for the public and one for you. Then just allow egress traffic on ports 53, 80, and 443 for your guest subnet, set up the traffic shaping queues with whatever amount of traffic you want to donate, and set it and forget it.
Of course, this doesn't address the issue of people using the connection to do illegal things, but I've been doing exactly what I described above in a very densely populated area of San Diego since 2002 and haven't had any problems yet *knock on wood*
Also, keep in mind that this violates the TOS of most ISPs. I have a business class cable connection at home, which has a much less restrictive TOS, which makes it legal. I also have multiple public IP addresses, and run all my guest wireless traffic over its own IP, so if anyone gets banned from say Ebay or something for fraud, it won't affect me.
But to answer your question, no, I don't think you can do this on many consumer grade router/APs without flashing the firmware with DD-WRT, and not all consumer routers are flashable. I think Buffalo sells a model that comes with DD-WRT preloaded.
If you wanted to make a project out of it, you could buy a used Cisco Aironet for $50 and pair it up with an old PC with multiple NICs and install PFSense on it and have yourself a grand old time. The tools in PFSense can actually be quite entertaining when you collect anonymous statistics about what sort of things your neighbors do with your connection. NTOP will entertain you for hours :)
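The two posts above (the three-NIC Linux box with a transparent squid proxy, and the VLAN-per-SSID setup that lets guests out on 53/80/443 only) describe the same netfilter and tc work. Here it is written out as an added example; it is not code from either poster. It assumes eth0 is the WAN, eth1 the private LAN, wlan0 the open AP, a 192.168.200.0/24 guest subnet, a squid listening on 3128 in intercept mode, and 2 Mbit down / 512 kbit up for the guests; change those to match your box. DRY_RUN=1 prints the commands instead of running them, which is a cheap way to review the ruleset before it touches anything.

```shell
#!/bin/sh
# Added example (not from any post above): a three-NIC Linux router where the open
# AP hangs off its own interface.  Guests get the WAN on 53/80/443 only, nothing
# on the private LAN, optionally a transparent proxy on 80, and an HTB cap on what
# they can pull.  Interface names, subnet, rates and the proxy port are assumptions.
# DRY_RUN=1 prints the commands instead of running them (handy for review).
set -eu

WAN=${WAN:-eth0}                   # upstream
LAN=${LAN:-eth1}                   # private wired + private wireless
GUEST=${GUEST:-wlan0}              # open access point
GUEST_NET=${GUEST_NET:-192.168.200.0/24}
GUEST_DOWN=${GUEST_DOWN:-2mbit}    # cap on traffic *to* guests (their downloads)
GUEST_UP=${GUEST_UP:-512kbit}      # cap on traffic *from* guests (their uploads)
PROXY_PORT=${PROXY_PORT:-3128}     # squid with "http_port 3128 intercept"
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Run once from the boot-time firewall script (the jumps into the chains are
# appended, so re-running would duplicate them).
guest_firewall() {
    run iptables -N GUEST_IN
    run iptables -N GUEST_FWD

    # What guests may send to the router itself: replies, DHCP, DNS, the proxy.
    run iptables -A INPUT -i "$GUEST" -j GUEST_IN
    run iptables -A GUEST_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
    run iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
    run iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
    run iptables -A GUEST_IN -p tcp --dport "$PROXY_PORT" -j ACCEPT
    run iptables -A GUEST_IN -j DROP            # no admin UI, ssh, shares, etc.

    # What guests may have forwarded: never into the LAN, only web+DNS out the WAN.
    run iptables -A FORWARD -i "$GUEST" -j GUEST_FWD
    run iptables -A FORWARD -o "$GUEST" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A GUEST_FWD -o "$LAN" -j DROP
    run iptables -A GUEST_FWD -o "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A GUEST_FWD -o "$WAN" -p udp --dport 53 -j ACCEPT
    run iptables -A GUEST_FWD -o "$WAN" -p tcp -m multiport --dports 53,80,443 -j ACCEPT
    run iptables -A GUEST_FWD -j DROP

    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN" -j MASQUERADE
}

# Optional: push guest port-80 traffic through a local squid (what the first
# post did).  Must come after guest_firewall, which already admits $PROXY_PORT.
guest_transparent_proxy() {
    run iptables -t nat -A PREROUTING -i "$GUEST" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Shape on the guest interface, not the WAN: egress there is the guests'
# download, ingress is their upload.  Your own LAN never touches these queues.
guest_shaping() {
    run tc qdisc del dev "$GUEST" root 2>/dev/null || true
    run tc qdisc add dev "$GUEST" root handle 1: htb default 10
    run tc class add dev "$GUEST" parent 1: classid 1:10 htb rate "$GUEST_DOWN" ceil "$GUEST_DOWN"
    run tc qdisc add dev "$GUEST" parent 1:10 handle 10: fq_codel

    run tc qdisc del dev "$GUEST" ingress 2>/dev/null || true
    run tc qdisc add dev "$GUEST" handle ffff: ingress
    run tc filter add dev "$GUEST" parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate "$GUEST_UP" burst 32k drop flowid :1
}

apply_all() {
    guest_firewall
    guest_transparent_proxy
    guest_shaping
}

case "${1:-}" in
    apply) apply_all ;;
    show)  DRY_RUN=1 apply_all ;;
esac
```

Usage: `sh guest.sh show` to eyeball the rules, `sh guest.sh apply` as root. Two things worth checking before trusting it: the guest-to-LAN DROP sits before any ACCEPT in GUEST_FWD, so a typo in the port list fails closed rather than open; and because the cap lives on wlan0 rather than the WAN, guests are bounded but your own traffic is not prioritised over theirs within that cap, which is the trade the VLAN post above accepts. Guest-to-guest traffic on the same SSID never reaches these chains; that is an AP isolation setting on the wireless side.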
Forget being a nice guy, and in this case, the EFF's recommendations. Aside from the issues you raise yourself, this story should be all it takes to convince you of the foolishness of such a policy these days.
To answer your question directly, yes, some consumer AP / Routers can shape traffic like you're asking. You will need to divide your network into multiple VLANs, I would suggest three: One wireless and wide open, one wireless and secure for your use, and one for the wired side. Then, bandwidth limit the free wireless, route appropriately, and apply a security policy to protect yourself. You might also consider logging all that "free" traffic so when the Feds show up with a warrant, you have some kind of audit trail to get yourself out of jail.
I'm not aware of any consumer grade equipment that will do this out of the box. On the other hand, there are several free / open firmware projects that replace the factory firmware, that are Linux based, and may be able to meet your needs. A couple (by no means all) of these projects are DD-WRT (http://www.dd-wrt.com/site/index) and OpenWrt (https://openwrt.org/).
Beware though, that not all of the consumer hardware is created equally internally. Research carefully the hardware / replacement firmware combinations to make sure you can get where you want to be before spending money. You'll also be stressing the hardware far beyond its original design, so opt for more RAM and a faster embedded processor.
Gee, this sounds like a PITA.....
Hope this helps, and that you don't get arrested.
--Red
Yes, and locks can be picked, so it's useless to use locks on doors too! (You aren't stupid enough to lock your door are you?)
I hate that argument. Even a weak lock is a lock which says "unauthorized not welcome." And MAC address filtering requires that someone knows what a MAC address is and how to change theirs. You have to admit, this is not "casual technical knowledge." True what you say, but that depends mostly on what demographic you are speaking about. If you are talking about your average Facebook/twitter/Youtube user on the net, you'd basically be wrong.
Here's the way we do it
We have an old router which is plugged into a spare port on our optical switch (fiber to the home), and has an open wireless G for anyone to use, configured to assign DHCP addresses from 192.168.200.x where x is 175-200, and with SSID of "All Connections Logged". Our newer router is plugged into a different port on the optical switch and assigns DHCP addresses in the range 192.168.100.y where y is 100-125, and our home net is connected to this one by cat6 cables and encrypted wireless N (MAC filters, hidden SSID, long key, blah blah). Each of these routers has a different public IP address assigned by the ISP, and they both maintain logs of MAC addresses connecting to them, so we don't worry too much about misbehaving outsiders - there have been none so far.
FWIW, we have no usage caps on our 100Mbps fiber connection, so leaving a 54Mbps wireless-G open to passers-by does us no harm economically. In principle we could set it to 11Mbps Wireless-B, but we have never had a bandwidth hog connecting. Incidentally, our ISP gives us up to 8 public IPv4 addresses, of which we use 3-5: the IP-TV box uses the third, and work-related laptops sometimes use one or two more (via cat6 to another port on the optical switch).
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
There is a whole world of difference between a pickable lock on a car door and security on a router:
Someone sits there spending 30 minutes by a car door. People eventually will notice and either drop a note to the local gendarmes, or approach the person with pointed questioning. Especially if people know the owner of that car.
Someone parked in a car spending 30 minutes on a laptop or cellphone to crack open a WEP protected router, few would notice, much less care about the issue.
MAC address filtering also is a switch flippable by anyone on a router. Yes, it gives a speed bump, but use it for what it is designed for -- keep honest people honest (say after a LAN party, you turn it on to kick everyone off but your stuff before you change your key.)
I highly recommend using MAC address filtering as the icing on the cake, but if you don't use WPA2 (or if forced to, WPA), you are asking to be hacked.
In any sharing setup, which is the advice the poster is looking for, non-authenticated traffic should always be on a distinct VLAN, with no access to the network used by authenticated traffic, or any ability to access the router config interface(s). All they need to see is their own system and the public internet. Segregating each non-authenticated user from other non-authenticated users isn't a personal security imperative; but it is polite.
To deal with the bandwidth issues, that non-authenticated VLAN should, naturally, have a QoS priority below any authenticated traffic (possibly with a small slice of guaranteed bandwidth, if you are a really nice guy and your authenticated traffic frequently saturates the line..)
Most consumer routers won't let you do that with stock firmware; but OpenWrt can likely help you out, with the right firmware.
Worst case, it is often possible, with better stock firmwares, to at least set up the VLAN and QoS side of things, and then just hang a $20 cheapy router off the VLANed port on the primary router. Ugly; but cheap and easy and doesn't require any software support for multiple SSIDs or the like.
When I first started to use tethering on my phone, it was just called something like "3G internet" and I would get 10-12 people trying to connect to it when I'm at an airport or coffee shop. Then I changed the name to "You_will_get_viruses_from_this", and now only 1-2 try to connect to it. So, while changing the name isn't the best protection, it could still help.
"To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000512----000-.html
Put up a shared wap. Make it so that they have to click through a web page every 24 hours to get access enabled. Make sure there is a contact email address on your web page.
Make the DHCP leases expire, say, every 30 minutes. That will allow sporadic youtube viewing, email checking and all sort of other activity without allowing lengthy file transfers.
Now your neighbors have access, you have good QoS, and you may be reasonably protected under the DMCA.
The fact that the law protects service providers doesn't give you back your dignity or any time you lost sitting in a jail cell or any money you spent on a lawyer defending yourself. Remember, your name isn't AT&T or Comcast, the law has no idea that you were not the one downloading the illegal material. If you open your router up, it is your legal responsibility to prove, should something arise, that it was no one in your house that performed the illegal actions. Innocent until proven guilty doesn't mean they can't arrest you and send you to trial. The courts must assume you are innocent. The police and district attorney think you are guilty, or they wouldn't arrest you in the first place.
If a dead body shows up in your house with a kitchen knife sticking out of its neck, the police are going to arrest you. Now, if it is later revealed that two vagrants broke into your house intent on robbing the place, and one stabbed the other over a dispute, then yes, you will be let go. However, that does not mean the police or district attorney acted inappropriately in any manner whatsoever. You aren't owed an apology, much less monetary damages.
This is, unfortunately, how all justice works. Think about murder or robbery. Even if the guilty party goes to jail, you aren't getting back your loved ones or lost property (and yeah, you can sue, but not every murderer is OJ Simpson). You can't rely on the law to protect you. The law only deals with crimes (or in this case, "non-crimes") after the fact; it can't prevent something from happening. Just because the DMCA says service providers are protected doesn't mean you won't sit in jail (or have to mortgage your house for bail) until it's proven that you were in fact just a service provider in this one instance.
Eggs
Milk
Bread
Cat Litter
Soda
Try to get that to hold up while you are being arrested. By the time you get to the courts, have a lawyer to cover you, a judge to listen and a jury to understand, let's see that should only cost you about 1.5 years of your life, about $50k, not counting lost time from work, etc. Self righteousness is a wonderful thing, but without deep pockets and a really good attorney, seldom do they go hand in hand.
But if you must... Where did you live again?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I don't even understand why any self-respecting geek would buy a router that couldn't run OpenWRT, Tomato or DD-WRT. The stock firmware of commercial routers is always just rubbish compared to the open source (ish, in the case of DD-WRT) replacements.
For setting up bandwidth limiting for OpenWRT, well, OpenWRT is for real men (or real women), as this wiki page should make clear. Lots of command line and config files; there are web frontends but I'm unsure if any let you fiddle with these kinds of powers. But if you're looking for fine-tuned control, OpenWRT is pretty much a distro in its own right so the possibilities are pretty vast.
For Tomato (which I use 'cause the graphs are pretty), unlike what SighKoPath has said here, you don't have to set up specific rules for each MAC or IP; just set up the classifications for your own devices, then in QoS -> Basic Settings set the Default Class to something like, say, Class E. Now you can set the bandwidth limits for random strangers in Class E and any device or type of traffic that you don't have an overriding rule for gets categorized in Class E, so any new random neighbor devices will fall into that class. Simple.
As far as routers go, a lot of existing routers (as long as you didn't buy a really bad one with too little memory to even install anything to) are supported by at least one of the three main firmwares. Tomato is far more restricted in terms of choice, but if you can't find a spare WRT-54Gv1-4 lying around, Linksys deliberately sells the WRT-54GL for the sake of folks who'd like to install Linux-based alternate firmwares. For OpenWRT you can check their Table of Hardware, random pick, the Buffalo WZR-HP-G300NH is good bang-for-your-buck. DD-WRT's equivalent table is here; you can actually get some routers, like Buffalo's WHR-HP-G54-DD, which come with DD-WRT pre-installed. Never actually tried DD-WRT myself . . . I'm a bit of an open-source zealot, and DD-WRT has had a somewhat sketchy record. Plus, have I mentioned Tomato has pretty graphs?
I remember sigs. Oh, a simpler time!
Shouldn't the ISP deliver my bits regardless of what they are?
If someone knocks on my door and asks to borrow my telephone, I don't need the phone company's permission.
If I type an email on behalf of a friend without a computer, my ISP doesn't get to complain that those weren't "my" bytes.
But if you're that concerned, just route the guest traffic through Tor and at least through packet sniffing they won't be able to distinguish the guest traffic from your own. All they'll see is encrypted traffic which could be to/from anyone on the Tor network.
"Someone sits there spending 30 minutes by a car door."
No, they have or make a "slim jim" and have it open nearly as fast as if the car were locked in many cases. Wedging doors etc is easy too.
That's how wreckers respond to lockouts when you call AAA!
If you have physical access, game is usually over unless owner takes advanced precautions.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Let me get this straight. The whole net neutrality thing is a fine idea to impose on the big boys, but when _you_ play the ISP role, then traffic shaping and priority for your preferred content is all perfectly fine, and btw here are two dozen ways to do it. Am I missing something?
Hypocrites!
Of course I'm sure your ISP has a TOS that states you can't be a service provider and you are buying service for personal use only.
Such a clause is not really enforceable. They can't demonstrate any harm if you violate it. At best they can discontinue the contract. Contracts are about allowing both parties to protect themselves from harm. It is not about allowing parties to impose a restriction. It's especially not there simply to limit competition in the free market.
A packet is a packet is a packet. They are alleging to sell you bandwidth, so as long as you don't exceed what they claim to be selling you, they are not harmed.
I could be wrong but if I am, I'd like to see the court case where a customer was ordered to pay damages merely because they allowed someone else to access the internet.
No one has a right to their *own* opinion. They have a right to the TRUTH.
I don't think you even have to go through the motions of the straw man argument you made. Fact is, small ISPs get pushed around by law enforcement all the time. I've worked for some of the biggest and some of the smallest and it's a night and day difference how law enforcement treats you for the exact same thing. It's not uncommon for law enforcement to threaten to confiscate your data center because you dared to stand up for your legal rights. It's not uncommon for law enforcement to harass your employees or call the larger upstream providers and peers to talk about their theories. Small ISPs have been run out of business by attorneys, cops and Feds who knew nothing about technology but had a gut feeling something was off.
On the other hand working at a large ISP the Cops and Feds are practically at your beck and call. In exchange we processed their wiretap orders (usually dozens to hundreds daily.) And they better have had their paper work in order or we weren't going to do jack squat for them. They wanted to tangle we could lawyer them hard. The cops were going to burn a lot of OT pay in deposition, let alone the other legal fees we could create.
Starbucks, McDonald's, Dunkin' Donuts, etc., they don't worry about free WiFi. They're big companies.
The law is not about being right in either a legal or moral sense. It's about resources, connections and power.
That's a contract with your service provider (and a rather weak one, at that, since it's probably a "contract of adhesion"). It has nothing to do with the legality of sharing your connection.
Violating your contract with your ISP -- if you have -- is purely a civil matter, and has nothing to do with anything else being discussed here. And it definitely does not make you a criminal.
My phone tethering SSID is "Covert FBI Van".
Redundancy is good And also good.
"I'm sorry, are you saying that because of "innocent until proven guilty", it's not in your own best interest to present a defense?"
No, that is not even remotely what I wrote. You wrote that "it is your responsibility" to prove your innocence. It is not. Period. Regardless of how it plays out in court, legally the responsibility of proof rests completely with the state.
"Your analogy lacks one key aspect. The police KNOW that specific IP address was assigned to YOUR account when the illegal actions occurred."
No, it does not lack in that respect. You are forgetting that my wifi router can be accessed from anywhere in the neighborhood, not just from my home. LOTS of people have theoretical access, including residents of a nearby apartment complex.
That means, very clearly, that my IP address, "assigned to me" or not, does not constitute probable cause.
"But like I said elsewhere, if you aren't worried, then by all means, don't bother trying to protect yourself. "
And like I wrote elsewhere on this page: if you want to live your life in fear, afraid that some government agency will illegally arrest or harass you, and you want to alter your behavior according to that fear... then be my guest. But don't expect sympathy from me. That's not exactly what is normally considered The American Way.
1. download dd-wrt and flash your router; a decent one with a full 8 MB of flash is probably ideal.
2. set it up to have two SSIDs; one will be encrypted, one will not. DO NOT BRIDGE THEM. (You don't want the open wifi AP traffic to be able to reach your other subnet.)
3. set up traffic rate limiting (QoS) on the router; put the public subnet traffic into the "bulk" (i.e., low) priority and your private subnet's traffic into something higher.
4. turn it on, test it well, and smile because you're doing well and doing good.
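The four steps above, plus the 30-minute DHCP leases suggested earlier in the thread, done on OpenWrt rather than DD-WRT because OpenWrt's configuration is scriptable with uci. This is an added example, not code from the poster or from either project's documentation. It assumes the radio is radio0, the guest subnet is 192.168.200.0/24, the kernel name of the new AP interface comes out as wlan0-1 (check with iwinfo after the wifi comes up), and that the sqm-scripts package is installed for the rate cap; the SSID is borrowed from another post on this page. As with any uci script, nothing changes until `uci commit`, so DRY_RUN=1 lets you read the whole batch first.

```shell
#!/bin/sh
# Added example (not from any post above), on OpenWrt rather than DD-WRT because
# its config is scriptable with uci: a second open SSID on its own network (not
# bridged to lan), a firewall zone that only forwards to wan, 30-minute DHCP
# leases, and a rate cap with the sqm-scripts package.  Radio, SSID, subnet,
# interface name and rates are assumptions.  DRY_RUN=1 prints the uci commands
# instead of touching the router.
set -eu

RADIO=${RADIO:-radio0}
GUEST_SSID=${GUEST_SSID:-"All Connections Logged"}
GUEST_IP=${GUEST_IP:-192.168.200.1}
GUEST_IF=${GUEST_IF:-wlan0-1}      # kernel name of the guest AP; confirm with iwinfo
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

guest_wifi() {
    # Second SSID on the same radio, open, attached to network 'guest' instead
    # of 'lan' (the "do not bridge" step).  isolate=1 stops guest-to-guest L2.
    run uci set wireless.guest=wifi-iface
    run uci set wireless.guest.device="$RADIO"
    run uci set wireless.guest.mode=ap
    run uci set wireless.guest.network=guest
    run uci set wireless.guest.ssid="$GUEST_SSID"
    run uci set wireless.guest.encryption=none
    run uci set wireless.guest.isolate=1
}

guest_network() {
    run uci set network.guest=interface
    run uci set network.guest.proto=static
    run uci set network.guest.ipaddr="$GUEST_IP"
    run uci set network.guest.netmask=255.255.255.0
    # Short leases: a laptop that wanders off frees its address in 30 minutes.
    run uci set dhcp.guest=dhcp
    run uci set dhcp.guest.interface=guest
    run uci set dhcp.guest.start=100
    run uci set dhcp.guest.limit=150
    run uci set dhcp.guest.leasetime=30m
}

guest_firewall() {
    # Own zone: forward to wan only; input REJECT means no LuCI/ssh from guests,
    # so DHCP and DNS to the router have to be allowed explicitly.
    run uci set firewall.guest=zone
    run uci set firewall.guest.name=guest
    run uci set firewall.guest.network=guest
    run uci set firewall.guest.input=REJECT
    run uci set firewall.guest.output=ACCEPT
    run uci set firewall.guest.forward=REJECT
    run uci set firewall.guest_wan=forwarding
    run uci set firewall.guest_wan.src=guest
    run uci set firewall.guest_wan.dest=wan
    run uci set firewall.guest_dhcp=rule
    run uci set firewall.guest_dhcp.src=guest
    run uci set firewall.guest_dhcp.proto=udp
    run uci set firewall.guest_dhcp.dest_port=67
    run uci set firewall.guest_dhcp.target=ACCEPT
    run uci set firewall.guest_dns=rule
    run uci set firewall.guest_dns.src=guest
    run uci set firewall.guest_dns.proto=tcpudp
    run uci set firewall.guest_dns.dest_port=53
    run uci set firewall.guest_dns.target=ACCEPT
}

guest_sqm() {
    # opkg install sqm-scripts.  Direction is from the router's side of the
    # guest interface: 'upload' leaves the router toward guests (their download),
    # 'download' arrives from guests (their upload).  Values are kbit/s.
    run uci set sqm.guest=queue
    run uci set sqm.guest.enabled=1
    run uci set sqm.guest.interface="$GUEST_IF"
    run uci set sqm.guest.upload=2000
    run uci set sqm.guest.download=512
    run uci set sqm.guest.qdisc=cake
    run uci set sqm.guest.script=piece_of_cake.qos
}

apply_all() {
    guest_wifi; guest_network; guest_firewall; guest_sqm
    run uci commit
    run wifi reload
    run /etc/init.d/network restart
    run /etc/init.d/firewall restart
    run /etc/init.d/sqm restart
}

case "${1:-}" in
    apply) apply_all ;;
    show)  DRY_RUN=1 apply_all ;;
esac
```

After `sh guest-openwrt.sh apply`, verify from a guest client rather than trusting the config: you should get an address in 192.168.200.100-249, resolve names through the router, reach the web, and get nothing back from the router's LAN address or from any host on the private subnet. The sqm direction caveat in the comments is the one people get backwards most often; if guests can still saturate your downlink, the two numbers are swapped.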
John Q. Public never even hears from the cops. That's the thing most people don't seem to get about the whole SWAT team thing -- it happens to like six people out of a hundred million. You might as well argue that people shouldn't share their connections because they could be electrocuted while configuring their routers; it's about the same probability.