Slashdot Mirror


Ask Slashdot: Setting Up a Wireless Catch-and-Release

First time accepted submitter SSG Booraem writes "I'm on the IT committee at my church. We've recently added wireless access points to our Family Life Center, but the committee chair isn't comfortable with allowing unrestricted access to our network. We host a lot of guests during the week for Upwards basketball practices and on Saturdays for games, so we want to restrict internet access to the Sunday school classes held in that building. Unfortunately, neither he, nor I, know anything about setting up a wireless catch-and-release like in hotels. If anyone could point me at good documentation, I would be very grateful."

20 of 332 comments

  1. Open-mesh by hedwards · · Score: 4, Informative

    Honestly, just use something like open-mesh, it has all the software available to do just that without too much hassle. Additionally they're more easily spaced throughout the building with less interference than you would normally get.

  2. Small budget with time on your hands? by Anonymous Coward · · Score: 3, Informative

    Try to flash a Linksys:

    http://www.polarcloud.com/tomato
    http://www.dd-wrt.com/site/index
    http://coova.org/

  3. Simples by Anonymous Coward · · Score: 3, Informative

    Try Easy Hotspot - http://easyhotspot.inov.asia/ obviously depending on exactly what you want to do... (we run the authentication system as a VM but it'll work nicely on a cheap PC). Also, we're using DDWRT on our access points, so we're only using the easyhotspot system as an authentication system.

  4. Here's an idea by Pikoro · · Score: 5, Informative

    Try a google search for "Captive WiFi Portal".

    That's the term you want. Get yourself a DD-WRT compatible router and install one of these packages: http://www.dd-wrt.com/wiki/index.php/Captive_Portal

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
    1. Re:Here's an idea by Anonymous Coward · · Score: 3, Informative

      Absolutely. I will throw my (considerable, following Christmas excesses,) weight behind pfSense (pfsense.org) as a captive portal (CP) solution.

      An old PC with a (couple of) extra $5 NIC(s) will provide a great, free, robust, easy to setup CP.

    2. Re:Here's an idea by Lumpy · · Score: 4, Informative

      Don't use DD-WRT, that project is dead. Last BETA release was 2 years ago. Use OpenWRT, which has many packages for this and is still actively maintained.

      No matter what, he IS going to have to spend at least 2 weeks learning this stuff, or buy a commercial setup maintained by an IT professional.

      --
      Do not look at laser with remaining good eye.
    3. Re:Here's an idea by hairyfeet · · Score: 3, Informative

      It's a shame you posted AC, as I'd say your idea is the clear winner and would only add that if you are doing this for a church you should talk to your local mom & pop PC shop. Not only are we packrats and tend to have boxes full of NICs, but if it's a church or other non-profit we'll often work with you to get you something thrown together as close to cost as possible. Since it's a non-profit I'd not want some big old power-sucking P4 blasting through power; I'd use an underclocked Celeron or Sempron, maybe something in the sub-2 GHz range since he won't need that much power for that job, and build it into a nice cheap old Dell or Emachine mini tower and there you are, a dirt cheap CP box. Hell, if you are lucky they may even have an older SFF office box just sitting in the back they can let you have dirt cheap that would be perfect for the job, and if you ask nicely I bet the guy would even be willing to help you set it up.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  5. Captive Portal by Anonymous Coward · · Score: 4, Informative

    It's called a captive portal, and it's not the solution you're looking for. Depending on the AP, it'll be easier to set up time-of-day access or only give the WPA2 passpoem to churchgoers.

    1. Re:Captive Portal by Anonymous Coward · · Score: 4, Informative

      From past experience (probably obsolete) - ChilliSpot was a very straightforward captive portal to set up (simplest setup is a beige box with two network cards, plus two configuration scripts).

      ChilliSpot appears to be a defunct project, but CoovaChilli has risen from its ashes.

  6. My router can already do this. by Computershack · · Score: 3, Informative

    I can set up a guest wifi network on my router that has a separate WEP/WPA key and does not allow access to the other wired/wifi network unless I specifically say it can. It's a Netgear DGND3300v2 if that's any help...

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  7. Re:charge 'em by dissy · · Score: 5, Informative

    Another option is to use a Captive Portal built into a routing device.
    If you can throw together a machine with two NICs or some wireless cards, the software side can be handled with ZeroShell, or if you prefer a paid support contract, the previously open source Untangle.

    Captive Portal requires registration with a username/password to use the wifi, and can perform metering if you wish to charge or just limit time. You can also set up different sets of web filters or firewall rules that change on a set schedule.

    The Web Filtering modules will likely make your committee chair happy, as you can easily block most categories like pornography, gambling, hacking, etc.
    It isn't impossible to get around of course, but should be enough for due diligence.

    Good luck!

  8. Re:Just turn it off by 1u3hr · · Score: 5, Informative

    If you don't want to turn off then setup the access point to NOT broadcast the SSID (network name).

    Don't.

    http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43 "SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests, and re-association requests. Essentially, you're talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you've achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP."

  9. Captive portal/Hot spot/walled garden hardware by ldm · · Score: 3, Informative

    I've used MikroTik hardware in the past to build wifi hotspots for customers. It's pretty easy to use, very friendly command line. You want something like this in an enclosure something like this. They're reasonably robust, and once configured properly, will do what you want (and a whole lot more should you want to change the setup in future) for a good long time.

  10. Re:StackExchange by buchner.johannes · · Score: 5, Informative
    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  11. Re:Not sure I understand the point here by Kjella · · Score: 4, Informative

    You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your sunday school students reach the internet?

    Most hotels I've been to in the last years in the Nordic countries have had WiFi included in the room charge, but they've all required a login all the same. I assume it's a) so that "everyone else" in nearby buildings can't connect and b) maybe related to some kind of billing between the hotel chain and the wifi provider. It's all a matter of how much management you need, because surely at least one of the patrons is there both for Sunday school and for basketball practice and will leak a fixed key to everyone and their dog. Personal accounts mean lots of management overhead. I assume he's looking for a simple way to give ad hoc access to the people attending the Sunday school, something like a ticketing machine that'll give you a login valid for X hours. Like, you must be in the physical areas for Sunday school to get a wifi login or a simple printout the teacher can bring to class that's good for the class(es) that day.

    --
    Live today, because you never know what tomorrow brings
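
Added example (not part of the comment above, nor code from any product named in this thread): one way to build the time-limited login tickets the comment describes is to print codes that carry their own expiry plus an HMAC tag, so the portal can validate them without per-user accounts. The function names, the code layout and the shared secret are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Assumption: a secret known only to the ticket printer and the portal.
SECRET = secrets.token_bytes(32)


def issue_voucher(valid_hours, now=None, secret=SECRET):
    """Return a printable code valid for `valid_hours` starting at `now`."""
    now = int(time.time() if now is None else now)
    expiry = now + int(valid_hours * 3600)
    # 4-byte expiry + 4 random bytes, so every printed ticket is unique.
    payload = struct.pack(">I", expiry) + secrets.token_bytes(4)
    # Tag truncated to 7 bytes to keep the ticket short enough to type.
    tag = hmac.new(secret, payload, hashlib.sha256).digest()[:7]
    code = base64.b32encode(payload + tag).decode()  # 15 bytes -> 24 chars
    return "-".join(code[i:i + 6] for i in range(0, 24, 6))


def check_voucher(code, now=None, secret=SECRET):
    """Return (ok, reason); rejects malformed, forged and expired codes."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.b32decode(code.replace("-", "").upper())
    except (ValueError, TypeError):
        return False, "malformed"
    if len(raw) != 15:
        return False, "malformed"
    payload, tag = raw[:8], raw[8:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:7]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "forged"
    expiry = struct.unpack(">I", payload[:4])[0]
    if now >= expiry:
        return False, "expired"
    return True, "ok"
```

A printed code can still be handed to someone else, but it stops working at its expiry, unlike a leaked fixed key. Because the tag is truncated, the portal checking these codes should rate-limit failed attempts.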
  12. Re:charge 'em by heper · · Score: 4, Informative

    Go to www.pfsense.org. pfSense is all you need for this and every other firewall / router / captive portal / ... project, and it's open source with optional paid support if required.

  13. Re:charge 'em by Anonymous Coward · · Score: 5, Informative

    Untangle (http://www.untangle.com/Lite-Package the lite package which I think is still free) is what I implemented at my work guest network and am implementing at my Church's guest network. Initially we deployed this with the captive portal at my work; we have some policy requirements that require logon, and captive portal checks that compliance checkbox.

    For Church we will only be using the transparent proxy features to blacklist or whitelist websites. It keeps it simple, which translates that I don't have to manage it all the time (which I am sure having time to do this is a problem for you as well).

    For the committee that is concerned about the internet access, give them access to the Untangle webpage so they can see the reports of what sites are being blocked and what is getting the most usage. This should help them be more comfortable that this is being used for good.

    I would also recommend using access points that support multiple VLANs and SSIDs. This avoids placing extra WAPs just for guest and allows you to keep your guest SSID separated away from the church's systems (you will have to configure your firewall, we place the guest VLAN in a simple DMZ) that may have financial information or member on them.

  14. Re:Really? by realityimpaired · · Score: 5, Informative

    Posting up here, because it's quite a bit of scrolling before you see answers that don't have something to do with people's anti-religion bigotry. I do not care what your beliefs are, nor do I think it's my place to comment on them when replying to a technical question.

    Why don't you set up a guest wifi? Have the internal wifi that's for your private network, and a guest wifi where you publish the key for people to use, but set up a rule so it's only enabled on Sunday from 7am until 1pm? That should cover the Sunday school's hours, and it won't be there at all during the week, when you don't want people accessing the wifi. It will also segregate your internal network from the wifi you're providing for people to use, which will help secure your private files, or any fileserver you're running.

    And if you're hosting some kind of event, like a Parish council meeting, where you want to give people access to the 'net, just turn the guest wifi on manually during the event.

    It'll be cheaper, and easier than setting up a catch-and-release system, as a fair number of wireless routers have that ability these days, and if it doesn't, you could always install Tomato or DD-WRT to have access to it.

  15. Re:Not sure I understand the point here by nurb432 · · Score: 3, Informative

    Not all hotels charge. They just force you to agree to a EULA so they don't get into legal hassles.

    --
    ---- Booth was a patriot ----
  16. Re:Just turn it off by swv3752 · · Score: 3, Informative

    Turning off Broadcast SSID is like locking the screen door. It does nothing to prevent unauthorized folks from entering, and it hinders many authorized folks.

    --
    Just a Tuna in the Sea of Life