

Ask Slashdot: Best Way To Leave My Router Open?

generalhavok writes "I read the story on Slashdot earlier about the EFF encouraging people to leave their WiFi open to share the internet. I would like to do this! I don't mind sharing my connection and letting my neighbors check their email or browse the web. However, when I used to leave it open, I quickly found my limited bandwidth disappearing, as my neighbors started using it heavily by streaming videos, downloading large files, and torrenting. What is an easy way I can share my internet, while enforcing some limits so there is enough bandwidth left for me? What about separating the neighbors from my internal home network? Can this be done with consumer-grade routers? If the average consumer wants to share, what's the easiest and safest way to do it?"


  1. Think again by Anonymous Coward · · Score: 5, Insightful

    Wasn't it just this week that we had the lovely account of someone getting the SWAT treatment just for leaving their router free and open?

    1. Re:Think again by elrous0 · · Score: 4, Funny

      No problem. After you open it up, just call your local police and let them know that any illegal activity on your IP address is probably not coming from you. Problem solved.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    2. Re:Think again by ethan0 · · Score: 5, Insightful

      You, and the many other commenters who agree with you have it completely backwards. Your linked story is exactly why more people should open up their networks.

      Fear of the police abusing their power is a terrible reason to avoid doing a perfectly legal action. Yes, it's more convenient, but if everybody goes along with the police abusing their power in that manner, it implicitly becomes acceptable. Providing internet to other people is not illegal, and not a good reason to get your door kicked in, and the police should know this. The consequence for the police not knowing this should NOT be more people cowering in fear. It should be that whoever is affected files suit against the police and the police are sanctioned for their actions.

      Nobody wants to go through that, of course. But we should.

    3. Re:Think again by cjb658 · · Score: 3, Insightful

      I agree with #3, just route all traffic through Tor.

      If you have a Linux server, you could set up Squid to reduce web bandwidth usage. To reduce torrent bandwidth usage, you could also host an FTP server on one of your PCs, so they don't have to go out to the internet. But then that opens up a whole new legal can of worms.

      Reminds me of a time when I worked at my school's I.T. department, and they were considering whether we should block pornography in the dorms because it was consuming a lot of bandwidth. My solution? Host our own porn server!

      My proposal was rejected.

    4. Re:Think again by MoonBuggy · · Score: 4, Insightful

      To quote the ever-apt XKCD: Fuck. That. Shit.

      The fact that so many technically inclined Slashdot types are crying 'liability' and 'log everything' is almost as saddening as the fact that our government has pushed us to this. That some guy got thrown down the stairs by a rifle-wielding mob from nothing more than an IP address isn't a sign that we should all lock down our precious connections lest the same happen to us, it's a sign that every fucking one of us should open up our connections and tell the government that we refuse to be intimidated. Whether it was just intended as a PR move, allowing the police to say "Look at the nasty paedophile we caught. Aren't we good at our jobs?", whether it was an excuse to give the SWAT team something to do to justify their budget, whether it's a nefarious conspiracy to destroy anonymity, limiting each person to their own easily-surveilled connection, the reason matters far less than the fact that the only reaction that will stop it from continuing is outright defiance.

      Every abuse which we allow to happen, every time we modify our behaviour because of one rather than standing our ground, it only further legitimises the abuse, validates the government in their action, and brings us one more step along the road to greater loss of freedom. For all our sakes, I can't bear to see that happen.

    5. Re:Think again by SealBeater · · Score: 4, Insightful

      ...prove you are innocent...

      I'm no longer so naive that I can't recognize the futility of saying "You can't prove a negative, and under our system of jurisprudence, the burden lays on them having to prove you are guilty, not you having to prove you are innocent"....but that's no longer true is it, if indeed it ever was. It makes me sad that we are falling into that.

      My other point, if there's any to be made, is that if you allow your router to have open access for all, you can claim common carrier status and be exempt from the actions of your "users". Comcast doesn't get arrested for someone downloading kiddie porn using their network, why should you?

      3rd point and this is the most important, is that there is an increasing digital divide between those who have and those who don't. If you are poor, out of work, etc, it's a lot easier to get a laptop than it is to get internet service. I don't want my bandwidth abused as I am a heavy downloader but I have WRT-DD installed and I'll be looking into segregating and rate limiting my wireless connection.

      The older I get, the more I realize that it's going to be important for the good of all for people to start breaking free of the corporate binds. In the future, I can't help thinking that there might be some poor kid, with an old laptop, and having even a 5k connection (remember that?) might mean the difference between having a future and not having one.

      So, do what you want, all of you, but I'm the type of guy who runs tor on his laptop hooked to his iphone all night just to piss off ATT. Flooding our corporate overseers with lots of misleading info is one good way to hide yourself. There's a lot of good reasons to consider doing this, but separate VLAN and rate limiting are mandatory first.

      --
      -- Its survival of the fittest...and we got the fucking guns!!!
    6. Re:Think again by Jane+Q.+Public · · Score: 4, Insightful

      Mod parent up (more)!

      People really need to stop changing their behavior out of fear, and start standing up like men again.

      If you aren't willing to stand up for what is right, please go somewhere else. I rather liked America when it was the land of the free and independent.

  2. DD-WRT + QoS by seanmcelroy · · Score: 5, Informative

    It's absolutely possible and fairly easy these days with out of the box router firmwares, or if yours doesn't support QoS (Quality of Service), then you can potentially put on an open-source firmware -- DD-WRT to provide that ability and much more. QoS lets you designate classes of traffic, such as streaming, gaming, and other protocols, or particular devices on a WAN or plugged into the router itself and set priorities for them. Doing this, you can share your WiFi AP (good for you!), but also get the lions' share of your bandwidth when you are wanting to use it.

    --
    Be very, very careful what you put into that head, because you will never, ever get it out. -Thomas Cardinal Wolsey
  3. Just be careful with that by WiglyWorm · · Score: 5, Insightful

    It can get you in to trouble

    That said, I leave my wifi router open as well, but if you're going to do it you have to do it knowing the risks. Being accused of kiddie porn, for instance, is going to stick with you forever, regardless of guilt or innocence.

    1. Re:Just be careful with that by icebraining · · Score: 3, Informative

      In your Firefox profile there's a file called

      places.sqlite

      , which has a table with a list of visited URLs. Writing a script to extract those URLs, filtering the domains, removing duplicates and formatting the list in a way that can be read by the filter shouldn't be too hard.
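As an added example (not icebraining's script, which is only described above), here is one way to do that extraction in shell. It reads the `url` column of the `moz_places` table from a copy of `places.sqlite` (Firefox keeps the live file locked), reduces the URLs to unique lowercase hostnames, and emits them in dnsmasq `address=/host/0.0.0.0` form. The profile path, the choice of dnsmasq as the filter, and the sample URLs in the test are assumptions for illustration.

```shell
#!/bin/sh
# Build a domain list for a DNS filter from Firefox browsing history.
# Usage: ./history2filter.sh ~/.mozilla/firefox/xxxx.default > blocklist.conf
# (the profile directory is an assumed path; pick yours from ~/.mozilla/firefox/)

# Dump every URL in moz_places. Firefox holds a lock on the live database,
# so work on a temporary copy; requires the sqlite3 command-line tool.
dump_history_urls() {
    profile="$1"
    tmp="$(mktemp)" || return 1
    cp "$profile/places.sqlite" "$tmp" || { rm -f "$tmp"; return 1; }
    sqlite3 "$tmp" 'SELECT url FROM moz_places;'
    rm -f "$tmp"
}

# Reduce a stream of URLs (stdin) to unique hostnames, one per line.
# Only http/https URLs are kept; userinfo, port, path and query are dropped
# and hostnames are lowercased before de-duplication.
urls_to_domains() {
    sed -n -E 's#^https?://([^/?@]*@)?([^/:?]+).*$#\2#p' \
    | tr '[:upper:]' '[:lower:]' \
    | sort -u
}

# Format one hostname per line as dnsmasq address= lines that resolve the
# host (and its subdomains) to 0.0.0.0. Assumes dnsmasq is the filter.
to_dnsmasq_block() {
    sed 's#^\(.*\)$#address=/\1/0.0.0.0#'
}

if [ $# -ge 1 ]; then
    dump_history_urls "$1" | urls_to_domains | to_dnsmasq_block
fi
```

Swap `to_dnsmasq_block` for whatever your filter expects (a hosts-file line, a squid `dstdomain` list, and so on); the hostname extraction is the part that does not change.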

  4. Re:I do this all the time! by erroneus · · Score: 4, Insightful

    Yes, and locks can be picked, so it's useless to use locks on doors too! (You aren't stupid enough to lock your door are you?)

    I hate that argument. Even a weak lock is a lock which says "unauthorized not welcome." And MAC address filtering requires that someone knows what a MAC address is and how to change theirs. You have to admit, this is not "casual technical knowledge." True what you say, but that depends mostly on what demographic you are speaking about. If you are talking about your average Facebook/twitter/Youtube user on the net, you'd basically be wrong.

  5. Two routers by AliasMarlowe · · Score: 3, Informative

    Here's the way we do it

    We have an old router which is plugged into a spare port on our optical switch (fiber to the home), and has an open wireless G for anyone to use, configured to assign DHCP addresses from 192.168.200.x where x is 175-200, and with SSID of "All Connections Logged". Our newer router is plugged into a different port on the optical switch and assigns DHCP addresses in the range 192.168.100.y where y is 100-125, and our home net is connected to this one by cat6 cables and encrypted wireless N (MAC filters, hidden SSID, long key, blah blah). Each of these routers has a different public IP address assigned by the ISP, and they both maintain logs of MAC addresses connecting to them, so we don't worry too much about misbehaving outsiders - there have been none so far.

    FWIW, we have no usage caps on our 100Mbps fiber connection, so leaving a 54Mbps wireless-G open to passers-by does us no harm economically. In principle we could set it to 11Mbps Wireless-B, but we have never had a bandwidth hog connecting. Incidentally, our ISP gives us up to 8 public IPv4 addresses, of which we use 3-5: the IP-TV box uses the third, and work-related laptops sometimes use one or two more (via cat6 to another port on the optical switch).

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:Two routers by satoshi1 · · Score: 4, Insightful

      MAC filters, hidden SSID

      Those don't do anything. MACs can be found by outsiders not connected to your network despite how encrypted the network is. Hidden SSIDs aren't anything either. The same tools that will display the MACs will also show all hidden SSIDs within range.

      Sure, they block the average user, but anyone who wants to get in will have no trouble at all.

    2. Re:Two routers by AliasMarlowe · · Score: 3

      MAC filters, hidden SSID

      Those don't do anything. MACs can be found by outsiders not connected to your network despite how encrypted the network is. Hidden SSIDs aren't anything either. The same tools that will display the MACs will also show all hidden SSIDs within range.

      Sure, they block the average user, but anyone who wants to get in will have no trouble at all.

      Ah, but it will block intruders, including the script kiddies you refer to. First, the antenna is unidirectional, and points from a lower corner of the house to the opposite upper corner. The wireless-N field is usually undetectable outside the house near ground level - I've checked - and utterly undetectable outside our garden (which extends more than 20 meters from the house on all sides). So there is no network and no SSID to detect outside our garden. Second, there are only two MACs allowed to connect to the secured wireless, and they are rarely connected, so snooping for MACs would mostly fail even if a snooping device were smuggled inside the house. All other devices connect via the cat6 wires, and if they have wireless, it is disabled. Thirdly, the secure network uses WPA2 with a nontrivial AES key, so bypassing the MAC filter would be useless in any event.

      And why would anyone spend the effort trying to crack our secure wireless-N when we make available a completely open wireless-G which is detectable for over a hundred meters in all directions? Unless they enter our garden and attach permanently-on snooping devices to the walls of our house, they would fail to get past the MAC filter, and even then they would not penetrate the wireless-N encryption anyway. So in our case, your warning is both wrong and wrong-headed. Didn't you ever learn that wireless networks can be secured against anything short of a police/military grade attack?

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    3. Re:Two routers by spazdor · · Score: 5, Insightful

      and what is the benefit again?

      Living in the kind of world where other people might do the same for you.

      --
      DRM: Terminator crops for your mind!
  6. Re:I do this all the time! by mlts · · Score: 3, Insightful

    There is a whole world of difference between a pickable lock on a car door and security on a router:

    Someone sits there spending 30 minutes by a car door. People eventually will notice and either drop a note to the local gendarmes, or approach the person with pointed questioning. Especially if people know the owner of that car.

    Someone parked in a car spending 30 minutes on a laptop or cellphone to crack open a WEP protected router, few would notice, much less care about the issue.

    MAC address filtering also is a switch flippable by anyone on a router. Yes, it gives a speed bump, but use it for what it is designed for -- keep honest people honest (say after a LAN party, you turn it on to kick everyone off but your stuff before you change your key.)

    I highly recommend using MAC address filtering as the icing on the cake, but if you don't use WPA2 (or if forced to, WPA), you are asking to be hacked.

  7. Re:Security by fuzzyfuzzyfungus · · Score: 4, Informative

    In any sharing setup, which is the advice the poster is looking for, non-authenticated traffic should always be on a distinct VLAN, with no access to the network used by authenticated traffic, or any ability to access the router config interface(s). All they need to see is their own system and the public internet. Segregating each non-authenticated user from other non-authenticated users isn't a personal security imperative; but it is polite.

    To deal with the bandwidth issues, that non-authenticated VLAN should, naturally, have a QoS priority below any authenticated traffic (possibly with a small slice of guaranteed bandwidth, if you are a really nice guy and your authenticated traffic frequently saturates the line).

    Most consumer routers won't let you do that with stock firmware; but openWRT can likely help you out, with the right firmware.

    Worst case, it is often possible, with better stock firmwares, to at least set up the VLAN and QoS side of things, and then just hang a $20 cheapy router off the VLANed port on the primary router. Ugly; but cheap and easy and doesn't require any software support for multiple SSIDs or the like.
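The isolation and shaping described in the comments above (seanmcelroy's QoS, fuzzyfuzzyfungus's separate VLAN with no path to the LAN or router admin, a low-priority class with a small guaranteed slice) can be expressed as a handful of iptables and tc rules on any Linux-based router, OpenWRT included. The script below is an added example, not code from any commenter or from the OpenWRT project: it prints the rules by default and applies them only when called with `apply`. Interface names (`br-lan`, `wlan0-1`, `eth0.2`), the guest subnet and the rates are assumptions; change them to match your router.

```shell
#!/bin/sh
# Guest-network isolation and shaping for a Linux/OpenWRT-style router.
# Default: print the iptables/tc commands. With "apply": run them.
# All names, ranges and rates below are ASSUMED values for illustration.
LAN_IF="${LAN_IF:-br-lan}"                 # trusted home LAN bridge
GUEST_IF="${GUEST_IF:-wlan0-1}"            # interface (or VLAN) carrying the open SSID
WAN_IF="${WAN_IF:-eth0.2}"                 # upstream interface
GUEST_NET="${GUEST_NET:-192.168.200.0/24}" # guest DHCP range
WAN_KBIT="${WAN_KBIT:-20000}"              # total uplink, kbit/s
GUEST_KBIT="${GUEST_KBIT:-2000}"           # ceiling for all guest traffic, kbit/s
GUEST_MIN_KBIT="${GUEST_MIN_KBIT:-256}"    # slice guests always get, kbit/s

guest_rules() {
    home_kbit=$((WAN_KBIT - GUEST_MIN_KBIT))
    cat <<EOF
# --- Router access: guests may reach the router only for DHCP and DNS ---
iptables -N guest_in
iptables -A guest_in -p udp --dport 67 -j ACCEPT
iptables -A guest_in -p udp --dport 53 -j ACCEPT
iptables -A guest_in -p tcp --dport 53 -j ACCEPT
iptables -A guest_in -j DROP
iptables -I INPUT 1 -i $GUEST_IF -j guest_in
# --- Forwarding: guests reach the internet, never the LAN or each other ---
iptables -N guest_fwd
iptables -A guest_fwd -o $LAN_IF -j DROP
iptables -A guest_fwd -o $GUEST_IF -j DROP
iptables -A guest_fwd -o $WAN_IF -j ACCEPT
iptables -A guest_fwd -j DROP
iptables -I FORWARD 1 -i $GUEST_IF -j guest_fwd
iptables -I FORWARD 1 -o $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
# --- Upload: HTB on the WAN side; home traffic has priority, guests keep a small guaranteed slice ---
iptables -t mangle -A PREROUTING -i $GUEST_IF -j MARK --set-mark 20
tc qdisc add dev $WAN_IF root handle 1: htb default 10
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${WAN_KBIT}kbit
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate ${home_kbit}kbit ceil ${WAN_KBIT}kbit prio 0
tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate ${GUEST_MIN_KBIT}kbit ceil ${GUEST_KBIT}kbit prio 7
tc filter add dev $WAN_IF parent 1: protocol ip handle 20 fw flowid 1:20
# --- Download: cap everything leaving the router towards the guest interface ---
tc qdisc add dev $GUEST_IF root tbf rate ${GUEST_KBIT}kbit burst 32kb latency 400ms
EOF
}

case "$1" in
    apply)
        for tool in iptables tc; do
            command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; exit 1; }
        done
        guest_rules | sh -e -x
        ;;
    *)
        guest_rules
        ;;
esac
```

Two caveats a practitioner will want: the `-o $GUEST_IF DROP` rule only stops guest-to-guest traffic that crosses the router, so wireless clients on the same SSID still need AP isolation turned on in the wireless config; and these are IPv4 rules, so if your ISP hands out IPv6 the same isolation must be repeated with `ip6tables`, or the guest network simply routes around it.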

  8. OpenWRT/Tomato/DD-WRT or bust by Phil+Urich · · Score: 3, Interesting

    I don't even understand why any self-respecting geek would buy a router that couldn't run OpenWRT, Tomato or DD-WRT. The stock firmware of commercial routers is always just rubbish compared to the open source (ish, in the case of DD-WRT) replacements.

    For setting up bandwidth limiting for OpenWRT, well, OpenWRT is for real men (or real women), as this wiki page should make clear. Lots of command line and config files; there are web frontends but I'm unsure if any let you fiddle with these kinds of powers. But if you're looking for fine-tuned control, OpenWRT is pretty much a distro in its own right so the possibilities are pretty vast.

    For Tomato (which I use 'cause the graphs are pretty), unlike what SighKoPath has said here, you don't have to set up specific rules for each MAC or IP; just set up the classifications for your own devices, then in QoS -> Basic Settings set the Default Class to something like, say, Class E. Now you can set the bandwidth limits for random strangers in Class E and any device or type of traffic that you don't have an overriding rule for gets categorized in Class E, so any new random neighbor devices will fall into that class. Simple.

    As far as routers go, a lot of existing routers (as long as you didn't buy a really bad one with too little memory to even install anything to) are supported by at least one of the three main firmwares. Tomato is far more restricted in terms of choice, but if you can't find a spare WRT-54Gv1-4 lying around, Linksys deliberately sells the WRT-54GL for the sake of folks who'd like to install Linux-based alternate firmwares. For OpenWRT you can check their Table of Hardware, random pick, the Buffalo WZR-HP-G300NH is good bang-for-your-buck. DD-WRT's equivalent table is here; you can actually get some routers, like Buffalo's WHR-HP-G54-DD, which come with DD-WRT pre-installed. Never actually tried DD-WRT myself . . . I'm a bit of an open-source zealot, and DD-WRT has had a somewhat sketchy record. Plus, have I mentioned Tomato has pretty graphs?

    --
    I remember sigs. Oh, a simpler time!
  9. Re:think again? u aint thunk yet by Kagato · · Score: 3, Insightful

    I don't think you even have to go through the motions of the straw man arguments you made. Fact is, small ISPs get pushed around by law enforcement all the time. I've worked for some of the biggest and some of the smallest and it's a night and day difference how law enforcement treats you for the exact same thing. It's not uncommon for law enforcement to threaten to confiscate your data center because you dared to stand up for your legal rights. It's not uncommon for law enforcement to harass your employees or call the larger upstream providers and peers to talk about their theories. Small ISPs have been run out of business by Attorneys, Cops and Feds who knew nothing about technology but had a gut feeling something was off.

    On the other hand, working at a large ISP the Cops and Feds are practically at your beck and call. In exchange we processed their wiretap orders (usually dozens to hundreds daily.) And they better have had their paperwork in order or we weren't going to do jack squat for them. If they wanted to tangle, we could lawyer them hard. The cops were going to burn a lot of OT pay in deposition, let alone the other legal fees we could create.

    Starbucks, McDonalds, Dunkin Donuts, etc, they don't worry about free WiFi. They're big companies.

    The law is not about being right in either a legal or moral sense. It's about resources, connections and power.

  10. Re:think again? u aint thunk yet by Jane+Q.+Public · · Score: 4, Informative

    That's a contract with your service provider (and a rather weak one, at that, since it's probably a "contract of adhesion"). It has nothing to do with the legality of sharing your connection.

    Violating your contract with your ISP -- if you have -- is purely a civil matter, and has nothing to do with anything else being discussed here. And it definitely does not make you a criminal.