Ask Slashdot: Setting Up a Wireless Catch-and-Release
First time accepted submitter SSG Booraem writes "I'm on the IT committee at my church. We've recently added wireless access points to our Family Life Center, but the committee chair isn't comfortable with allowing unrestricted access to our network. We host a lot of guests during the week for Upwards basketball practices and on Saturdays for games, so we want to restrict internet access to the Sunday school classes held in that building. Unfortunately, neither he, nor I, know anything about setting up a wireless catch-and-release like in hotels. If anyone could point me at good documentation, I would be very grateful."
IT committee in a church? Trying to find God by wardriving?
What's that?
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Here, http://superuser.com/. Or you could pray and wait for God to answer your wifi questions, idiot.
Honestly, just use something like open-mesh, it has all the software available to do just that without too much hassle. Additionally they're more easily spaced throughout the building with less interference than you would normally get.
Use enterprise WPA2 with keys. Give each client device a key. Charge $5 to provide a key. Church members who are donating will probably reduce their donation by $5 that month in order to pay for the key.
You can revoke keys individually.
Disclaimer: I don't know what I'm talking about, you might need expensive hotspots to do that, but for large building with more than one hotspot, you probably want special hotspots with decent handover as folk move from one hotspot to another.
blog.sam.liddicott.com
You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your Sunday school students reach the internet? Or are you trying to block the guests off your network completely? Since this is tagged as wireless why not just use WPA2 and set up your students, classes, or whatever with access?
Not sure what the point of one of those hotel pages is here.
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
pfsense.org
Try to flash a Linksys:
http://www.polarcloud.com/tomato
http://www.dd-wrt.com/site/index
http://coova.org/
If the access point is only meant to be used by the Sunday school, and they only meet at certain times, why not just switch the AP off when the Sunday School meeting isn't running?
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
Try Easy Hotspot - http://easyhotspot.inov.asia/ obviously depending on exactly what you want to do... (we run the authentication system as a VM but it'll work nicely on a cheap PC). Also we're using DD-WRT on our access points so only using the Easyhotspot system as an authentication system.
Try a google search for "Captive WiFi Portal".
That's the term you want. Get yourself a DD-WRT compatible router and install one of these packages: http://www.dd-wrt.com/wiki/index.php/Captive_Portal
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
It's called a captive portal, and it's not the solution you're looking for. Depending on AP it'll be easier to setup time of day access or only give the WPA2 passpoem to churchgoers.
Seems like you could just set a password and post it somewhere in a room that is not accessible to guests. Change the password every week.
Restrict the wireless router's use to Sunday mornings during class. Don't operate it during the week.
I'm a leaf on the wind. Watch how I soar.
Maybe you should pray to your non-existent deity for guidance since he's omniscient and everything.
Maybe you can adapt a FON hotspot and socialize WiFi-sharing. Fon uses an unencrypted public network, but you need to have a login to access it. Or you can pay for access. More information can be found on http://fon.com/
This place intentionally left blank
To make it as simple as possible, without requiring learning too much on your part and with a simple concept for the committee chair to grasp:
Start with a simple timer on the power supply for the AP, only allow it to power up on Sundays. If you need wireless for the church admin the rest of the week use a second AP with security and share that with the admin. This way the guests on Sundays don't need to know any secret keys and nobody without a secret gets to use the net the rest of the week.
If you feel comfortable with setting up advanced software and convincing the chair that you know your trade, you might want to use a CAPTIVE PORTAL, with or without pay solution, or a double AP (guest and secret zone), or an AP with the timer implemented in software or one of the many other solutions that no doubt will be suggested here, most of them without regard for the hardest task, convincing the chair that this is the right solution.
Surely God will have the answer not a bunch of heathen nerds on slashdot ? Perhaps you need to pray harder for the answer.
Use something like the Meraki MR16 - It sounds like you aren't the most technically savvy in this regard, and even if you were this makes life easy. There are other ways to do this, but this is probably the easiest I've seen. www.meraki.com
go pray to your imaginary friend in the sky. maybe he'll help you out.
ePoint Systems has a solution for you. Cheaper and better than Meraki, full Open Source, great service.
www.epointsystem.org
At my church we have a pretty simple policy: the network is protected with WPA2 encryption, it has an easy-to-remember password, and we give it to everyone who needs it. Make sure staff knows not to tell the password to your basketball guests, etc. We change the password about once a year, and let the new password spread organically. It works pretty well. People in the congregation ask each other for the password (or more likely, ask someone whom they know is on the tech-savvy side) and so those who need it are able to get back on. Another thing that you can do is give the network an essid name like "Sunday School Only" -- that will make your guests less likely to try to gain access, and also the Sunday School patrons will know that they should feel free to ask for the password.
Get a second router that can be turned on and open during these events, and lock down the current infrastructure. Make the DHCP lease 60 minutes.
Hi, latest BSD mag 1/12 has this article Home Brew Captive Portal With OpenBSD:
Have you ever used a public wireless network that has a splash screen such that you have to agree to certain terms before going to the Internet? The author of this article will show you step by step how to build one of those using OpenBSD’s Packet Filter (pf).
Whilst the captive-portal system where you login via a HTML form seems to be popular (perceived ease of use?), you can also do per-user password authentication at the WiFi level.
All you need is an AP that supports EAP (or Enterprise) WPA (all good ones will), and to set up a RADIUS server (http://freeradius.org/) to handle the actual authentication.
Personally this is much cleaner (AP isn't listed as unsecured, you don't have to wait for the redirection to the portal which is inevitably slow and doesn't work at all if you are using email not a web browser).
dd-wrt then setup hotspot etc etc.
What I think the OP wants is to give people Internet access without simultaneously giving them access to the organization's LAN. He also doesn't want to invest in new hardware, seeing as how they've just done that.
So: how to set up the WLAN APs to block IP packets directed to anything except the gateway (or the Internet) itself?
Just give up your irrational Christian beliefs and all your problems will be solved at once.
Oh, and kids: Don't go to school on Sundays, alright?
I'm not going to give you the answer to your problem, because you're just going to thank "god" and run with it while dismissing the fact that *I* gave you the solution; not "god".
I can set up a guest wifi network on my router that has a separate WEP/WPA key and does not allow access to the other wired/wifi network unless I specifically say it can. It's a Netgear DGND3300v2 if that's any help...
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
You want to get your hands on a patron saint of wifi figurine to put on top of your router.
If you mod me down the terrorists will have won
It's not my area of expertise, but doesn't the "turning the other cheek" policy apply here? Open your wi-fi. If you run out of bandwidth, buy more bandwidth. Also, isn't praying wireless data transmission? You might want to look into that, they've obviously got some military-grade encryption going there.
Quote at the bottom of the page:
"All Bibles are man-made." -- Thomas Edison
Wasn't this all about sharing?
. . . is between Him and yourself; during silent prayer. He doesn't charge outrageous rates for crappy service, and He doesn't throttle traffic either. There is no need for gadgets that do the Devil's work in a Sunday school class: God, the Book and the Rod is all you need.
Seriously, is maybe one hour a week a little too long to go without our life's electric information and communication traveling symbiotic companions?
What's God's twitter channel anyway, maybe I should listen in? Isn't Facebook problematic for Allah, because he doesn't like seeing pictures of himself and Mohammed?
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
@almightygod
http://lmgtfy.com/?q=wifi+catch+and+release+for+jesus
Just make the pass phrase a biblical quote. Change it each week and you kill 2 birds. How likely is it that the basketball players will have a bible handy AND your religious classes will have an incentive to read it to find the reference.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
He's pretty sloppy with the ACKs though.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
My Router (Billion 7800N) can have different wifi profiles for different time periods. allowing to do what you need.
Another way would be to use a second router (an old ISP provided router donated by someone would be great) connect it by cable, and have it set on a timer plug that would be really easy to set up
Use enterprise WPA2 with keys. Give each client device a key. Charge $5 to provide a key. Church members who are donating will probably reduce their donation by $5 that month in order to pay for the key.
You can revoke keys individually.
Disclaimer: I don't know what I'm talking about, you might need expensive hotspots to do that, but for large building with more than one hotspot, you probably want special hotspots with decent handover as folk move from one hotspot to another.
That sounds like a great quick-get-the-job-done solution but here's the 'but': administration.
Most churches have an admin - one business admin. I don't know how to put it kindly so here's a prediction of what will happen based upon what I've observed with other things that these administrators do:
You will be constantly dealing with folks whose key doesn't work. Keys that still work when they shouldn't and a constant searching for keys.
It will be one cluster fuck.
Volunteer IT person?
They turnover fast: they have work projects that take all their time up, can't deal with church committees, they find mega paying jobs on another coast, etc .....
From what I read, you want to restrict internet access to the sunday school classes. Are we talking censoring or actually only allowing sunday school pupils to connect? If you mean the latter, simply enable wpa or wpa2 security on sundays and only give the wpa/wpa2 password to students. If you mean the former I can and will not help you, for I think each is in his own right to have the freedom to inform oneself by anyway possible as to whether to believe or not to believe.
axi.
--
I am an atheist but I believe in the right of religion even if it makes no sense to me.
why not get the macs from the PC units and initiate wireless access only by mac address
The best documentation I could recommend for you is The God Delusion by Richard Dawkins XD
If taxation is legalized theft, then Capitalism is a prolonged rape followed by a slow death.
Obligatory non-answer: If it's an uncapped connection, how about just being a good neighbour and leave it on? If you get scary DMCA letters or the users on your wired network gets slowed down, *then* think about access control. Like others have suggested, please consider putting the AP on a timer switch if it's only used a few hours every week, to reduce interference for others.
And a very common word. Word 7 would be better, but still rather short.
I was promised a flying car. Where is my flying car?
http://coova.org/
Ubuntu Server + CoovaChilli + DD-WRT = an easy and free captive portal system
WARNING: this is not a drop-in solution, some customization and piecing-together required. Throw FreeRADIUS or CoovaRADIUS into the mix for easier user-level authentication.
The original post stated that the chair was not comfortable allowing unrestricted access to the church's network. The problem does not appear to be one of bandwidth but rather security. The wireless network should be on a separate segment from the church's systems. Increasingly, many visitors use YouVersion or Logos during church activities. I would use an appropriate number of WPA/WEP enabled devices to cover the family life center. Use a simple password that is freely shared with members and guests. One other caveat, If the church does not already have an Internet filter in place consider using something like openDNS. This will help restrict access to porn and other inappropriate material.
Its called Nomadix. http://www.nomadix.com/products_overview.php
I've used MikroTik hardware in the past to build wifi hotspots for customers. It's pretty easy to use, very friendly command line. You want something like this in an enclosure something like this. They're reasonably robust, and once configured properly, will do what you want (and a whole lot more should you want to change the setup in future) for a good long time.
You might also want to look at PacketFence.
Using the inline mode (if your APs aren't too "enterprise class"), it'll offer you everything. The current development version also integrates with billing engines (like authorize.net) if you want to charge for network access.
You can specify day/time options for wireless access. I know it's on Linksys routers. Probably Netgear too.
And it's free. Does Captive Portal with ease and runs on almost anything, so long as it has 2 Ethernet cards. Runs on top of BSD and uses the pf routing module. Uses a web interface to set up.
I have an office with 40 PCs being served by a P3 something with 512 MB RAM running pfSense with 3 network cards (balancing dual ADSL2 connections) and a gigabit out to the switch and it works a treat and never dies. It's a cinch to set up and I also have set up captive portal and again, it is DEAD EASY.
http://www.pfsense.org/index.php?option=com_content&task=view&id=71&Itemid=81 This should answer most of your questions.
Oh, and don't be deterred by the BSD logo (Beastie!) since I am pretty sure the fella has nothing against Christianity as he is, you know, a cartoon! As for me, whatever floats your boat I say...
And setup an open, guest only wireless connection and setup another for people to connect to network resources. Believe you can even set different DHCP ranges for the 2 networks and tell it not to route between the 2.
Done.
Most religions have been superseded in the 21st Century by finding several Seem-To-Be-Truths by and through Yourself, also known as rational, open-minded, scientific Spiritualism.
If you want to stick to old, close-minded, blind-faith-based, Zero Century religious institutions, be my guest, but please don't talk about it openly as if it's a good or even acceptable thing to do.
Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
Just because churches operate as tax exempt non-profits doesn't mean they can't afford to pay someone to do the work. If your church doesn't have a member that is in the IT business (and willing to do the work for free) then hire a local tech company to set it up for you. Support the local nerd economy!
Keep the Classic Slashdot.
Go ask jesus you fucking tool.
It sounds like what you want is not catch-and-release, but just to allow certain specific machines in your Sunday school to access the net. In that case you can enable the MAC address filter in the router to limit access to only those machines. Everyone else will be blocked. This solution requires no extra hardware or software, it is built into the router.
http://compnetworking.about.com/cs/wirelessproducts/qt/macaddress.htm
You're on a committee about things you don't understand.
Your CHAIR is another guy who knows nothing about this.
You have come up with rules about how to implement this (e.g. "these people will have access" "these people will not have access") and you don't even know what "access" is.
Here's my advice.
You're fired. You're all the worst kind of incompetent... the kind that EVEN THOUGH YOU KNOW that you know nothing you insist on doing it.
Dipshits like you are a dime a dozen. Don't worry. You'll be replaced, but odds being what they are you'll be replaced by someone smarter.
E
...would be to get a dual-band WiFi router, something like the Netgear N600, which has a "Guest Access Point" setup screen in the web interface that allows you to setup a network that is completely separate from your production network. You can setup access times on the internal scheduler and you can give it an access password (or not) that everyone who is allowed to be on the network can be given and then you can change it weekly or monthly.
It's what happens when a congregation with money decides to spend it on themselves instead of using it to help others.
OP is probably a volunteer.
Plus he/she knows enough to ask for help rather than assume they know everything already.
You are posting a response to a situation you know nothing about.
Dipshit posters like you are a dime a dozen, but don't worry, you'll be modded down and odds being what they are, your ignorant comment will be replaced by one from someone who is smarter and more helpful than you.
AC
Is your goal to provide internet access to church members or to charge them for internet access like a hotel?
How many people do you expect?
For example the Linksys E class routers have a built in 'guest network' feature that has a second SSID that is broadcast for Guests and allows up to 10 simultaneous users to connect. This gives them internet access only and doesn't allow them access to the actual network. Though it's limited to 10 people. This would be a simple solution but if you had more than ten people wanting access it could cause problems.
I have a NetGear WNR3500L. It has a guest network option that allows me to create a second SSID, allow or disallow access to the rest of my network, and allow or disallow the ability of the machines to connect to each other if they're on that network.
If you aren't looking to charge for it those two options to me seem like the best. Inexpensive and easy to configure.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
http://www.pfsense.org/
Firstly, let me state that I hate the term "The Cloud" - it's over hyped in the industry to the point where it means nothing anymore. However, management of public WiFi via the Internet makes sense to me.
There are a lot of suggestions here to use captive portal implementations based on Linux distros - and they're good suggestions if you know what you're doing with network configurations and setup and also have some time to throw at implementing the setup successfully. If so, this is a good route to take and can be as fancy - or not - as you want it to be.
However, I am assuming the poster has limited exposure to networking beyond what someone would do in their home. If this is the case, consider a solution like Meraki (http://meraki.com/). You buy the access points, plug them into an internet connection and configure them via a website on the Internet. Full captive portal functionality is available with just a few clicks complete with a ticket system - someone wants access and you provide them with a code that enables say 2 hours of web surfing.
We have only bench tested Meraki at this point, but we were impressed with the simplicity and functionality of the system. We are considering implementing their system simply to free up our time from managing public WiFi so we can get back to working on more impactful projects.
Note: I work for a municipal government and have no affiliation with Meraki.
Check out pfsense.org
I seriously doubt that the vast majority of (US-based) strident atheists on Slashdot "endure a lot of religious bigotry in their daily lives". In our area, atheism is the new cool thing to be, having replaced Buddhism a while back. I know several Buddhists that really don't like Christianity, but for the most part their beliefs constrain them to be at least polite. Atheism has no such constraints.
just set a password and only list it in the areas that you want people to have the wifi.
And that does not cost anything to put it.
Linksys homeowner AP's have the ability to add time restrictions to wifi access, but that would only work if the basketball and sunday school are on different schedules. Also If you just don't want the guests to have access to your internal network, set up a guest SSID vlan tag it and add a route to go straight out to the internet, doesn't really touch your internal network and in an environment like this its a simple solution that covers due diligence on your part.
"Catch and Release"? From where I come from, that phrase mostly refers to a type of fishing! How are you going to get the wireless devices inside all of the fish?
What? Read the article? This is Slashdot, we don't have to read no stinking article!
Many newer access points (APs) will automatically set up two SSIDs when you run through the initial setup. The primary one is one you can use for your everyday office use. You assign it a key that will only be used on computers owned or authorized by the church. The secondary SSID is for a guest account. The guest account is configured with no security (for the initial connection--no AP security), but it presents you with a splash screen where a guest password must be entered when you initially connect (if you assign a password during setup). That guest password is one you can hand out to your Sunday School teachers or other authorized users.
Traffic on the guest network is fully segmented from that on the primary network, thereby keeping your church office network free from curious eyes while facilitating Internet access for anyone else who may need it.
The Cisco E3000 ($100) is one device that provides for such guest networks. It handles current and legacy protocols (802.11b/g/n). I've been using one for about six months and it has been great. My home PCs have access to the primary connection, and we give out the guest password to our kids' friends when they are over.
I use irony whenever I can, but my shirts are still wrinkled...
Why would you not solve the problem before doing that first bit?
Many thanks for all the helpful suggestions. I honestly didn't know that what I was looking for was called a "captive portal." I genuinely appreciate all the people who pointed me in the right direction.
Have a blessed day!
Why not go with a Public VLAN and Secure VLAN? Setup the public just to have internet access and the secure to have full access. Make the Public password simple and let it out by word of mouth. That will allow users to access the internet and get mail when they are on campus and keep them away from the important stuff. Obviously, since you admit you don't know what you're doing, you'll hire someone to do this, yes?
Catch and Release? I too have to question that naming, but from the summary, I get that they want to set up some sort of system where you first log in in some way and then you have access to the network.
Turns out, the type of system is a bit easier than you might think.
Let's start with the basics:
DHCPD. It's a process that we're all familiar with... at least in the sense that we all know what it's for. Turns out, you can specify MAC addresses for special treatment and assignment to specific pools. That's a great start isn't it? You just set up the default pool to offer a non-routing IP range, giving out a DNS server which resolves all requests to the same server IP which hosts a page offering the user a chance to enter a password or whatever.
That page has a PHP (or whatever language you like on the backend) thing that accepts the input, adds it to a table in MySQL, then updates the DHCPD configuration to reflect the new lease information... that is to say, the MAC address of the user now has an assignment to the "live" pool rather than the default.
That's a simplistic description of a simple process. Of course there are details to work out. There are background processes which would periodically check the connections and lease times and stuff like that, but once you have the basic of the system working, those details can be accounted for as development progresses. I feel like I'm reinventing the wheel, but I've not seen a free version of what I describe anywhere.
(I'm quite sure they exist, I've just never seen one... next up, someone will link me to precisely that...)
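An added sketch of the DHCP-pool design described in the comment above; it is not code from the thread. It assumes ISC dhcpd's `class`/`subclass`/`pool` syntax, and the class name, address ranges, portal and resolver addresses are constructed. MAC addresses are easy to clone, so this keeps casual users out rather than authenticating anyone, and the MAC is validated strictly because it ends up inside a configuration file.

```python
# Added example (not from the thread): bookkeeping for a DHCP-pool portal.
# Pool ranges, addresses and the class name "released" are constructed values.
import re

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")


def normalize_mac(raw):
    """Return a canonical MAC or raise; nothing else may reach dhcpd.conf."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError("not a MAC address: %r" % raw)
    return mac


class PortalState:
    """Tracks which MACs have passed the portal page and until when."""

    def __init__(self, session_seconds):
        self.session_seconds = session_seconds
        self._expiry = {}  # mac -> unix time at which access ends

    def authorize(self, raw_mac, now):
        # The MAC should be looked up server-side (lease/ARP table for the
        # client's IP), never taken from a form field the client controls.
        mac = normalize_mac(raw_mac)
        self._expiry[mac] = now + self.session_seconds
        return mac

    def expire(self, now):
        """Background sweep: drop sessions that have run out."""
        gone = sorted(m for m, t in self._expiry.items() if t <= now)
        for mac in gone:
            del self._expiry[mac]
        return gone

    def active(self, now):
        return sorted(m for m, t in self._expiry.items() if t > now)


def render_dhcpd_conf(state, now, portal_ip="10.99.0.1", resolver_ip="10.99.0.2"):
    """Render an ISC dhcpd fragment with a captive pool and a released pool."""
    lines = ['class "released" {', "  match hardware;", "}"]
    # Hardware type 1 means Ethernet; the MAC follows it.
    lines += ['subclass "released" 1:%s;' % mac for mac in state.active(now)]
    lines += [
        "subnet 10.99.0.0 netmask 255.255.0.0 {",
        "  pool {",
        "    # Captive pool: no router option, DNS is the portal host.",
        '    deny members of "released";',
        "    range 10.99.1.10 10.99.1.250;",
        "    option domain-name-servers %s;" % portal_ip,
        "    default-lease-time 60;",
        "    max-lease-time 60;",
        "  }",
        "  pool {",
        "    # Released pool: gets a default route and a real resolver.",
        '    allow members of "released";',
        "    range 10.99.2.10 10.99.2.250;",
        "    option routers %s;" % portal_ip,
        "    option domain-name-servers %s;" % resolver_ip,
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    state = PortalState(session_seconds=2 * 3600)
    state.authorize("00-16-3E-12-34-56", now=0)  # constructed MAC
    print(render_dhcpd_conf(state, now=0))
```

The short lease in the captive pool is what lets a client move to the released pool within a minute of passing the portal page.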
Sorry for the anonymous post. Hadn't logged in yet from work. Thanks for all the suggestions, and for pointing me at "Captive portal." All your suggestions are greatly appreciated. Have a blessed week.
When researching for the same setup, I came across this: http://www.intellinet-network.com/en-US/products/9236-guestgate-mk-ii . We have a very large building, and trying to provide any kind of technical support to anyone who might possibly need it would be impossible, so encryption with a key was out of the question. For us, the main point of the capture portal is to keep people from driving by and using our internet connection. I basically use the Guest Gate because it provides a catch-and-release portal, but its internal DHCP server provides also each client with an IP on a different subnet (a little bit of security there). I couple it with Netgear access points that have client separation enabled so no two wireless clients can talk to each other. The Guest Gate has some rudimentary web filtering, but I wanted something a little more granular so I installed a Linux proxy with white/blacklisting capabilities outside of the portal. Now I can manage some content, and when guests or church members want internet access, I just need to give them the password for the portal. By the way, this setup is connected directly to the dual-WAN router and the router's firewall is setup so that none of the traffic on the wireless network has access to the internal network. The church staff can't access any internal network resources over the wireless network, but they've pretty much been content to have access to the internet itself. It's probably not the cheapest or easiest solution (unless you used the Guest Gate by itself), but it does exactly what I want, and everyone seems to be happy.
What I do is get an additional separate network from my ISP. Connect my routers through my patch panel and then use Netgear Wireless Routers that allow you to restrict based on time.
Good luck if you need any additional help contact me
Nick Dreyfus
Nick@Dreyfustc.com
Just schedule times when connecting to the wifi is allowed? I'm assuming that the sunday school classes are always within a certain time frame (ie: sundays at 11am-2pm) and many routers I've seen have on/off times which can be set up through the interface. So, just set up the scheduling. My DD-WRT flashed WRT54G has that very capability set up (just looked into it while typing this post in fact) and it's quite simple to do, you can set up allow/disallow times with just a few clicks.
its his will if you get sued for child porn on your network
Buy a digital Timer. Set it to power up the wireless AP only when you want it available. Keep the AP and timer out of reach of those that may want to mess with it. If a special event comes up and wireless access is needed anybody can push the timers "ON" button to turn on the wireless and then the "OFF" button later to return it to timer mode.
I have used this solution in the past to great success in a warehouse/office environment to cut the internet at night because warehouse night staff were surfing instead of working.
Look at www.fon.com
You know you're going to hell that.
Seriously, is it worth risking your immortal soul to be wrong?
All you have to do is let Jesus into your life and ask forgiveness for all your sins.
Can you not just change the key after each weekend, and re-issue it to the next weekends visitors? You want the simplest solution here, nothing complicated - changing the encryption key is usually pretty easy and someone could easily write a guide with screenshots - that way if someone leaves or moves away who has this as their job, the person who takes over can easily pick it up and carry on in the same way.
You can get open source firmware updates for some wireless routers/access points which will let you set up login names etc. but someone has to manage this for each new visitor - having a weekly changing key you can print off and hand out may well be much much simpler.
I'm on an IT committee at my church as well. We've set up an old Dell Dimension 2400 with pfSense 2.0. 3 NICs (1 on-board, 2 PCI) and set up two VLANs, one VLAN being their office LAN and the other being a Captive Portal enabled VLAN with three WRT54G WAPs loaded with Tomato.
Firewall rules were created in pfSense to prevent wireless users from accessing the office LAN and wireless segregation was enabled on the access points to prevent chatter between wireless clients (prevents infected clients from attacking potentially vulnerable clients on the same network).
pfSense has a voucher system that allows you to create several rolls of time-based vouchers. You can either give the teachers a roll of active vouchers that are only good for a certain length of time, (say, the length of the Sunday school class) or you can set pfSense scheduling to restrict all access to the Captive Portal off-hours.
You can also add MAC address exceptions to the Captive Portal instead, (not really completely secure, but keeps your average users out) limit the number of associated users and bandwidth per associated client to prevent one user from monopolizing the entire connection.
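An added example, not the poster's configuration: a small audit of guest-side firewall rules like the ones described above, assuming top-down, first-match evaluation with a default deny. All addresses and both rule sets are constructed, and protocol is ignored to keep the model small. It shows why rule order decides whether the guest segment can reach the office LAN.

```python
# Added example (not from the thread): first-match audit of guest-side rules.
# All addresses and both rule sets are constructed for illustration.
import ipaddress

OFFICE_LAN = "192.168.10.0/24"   # assumed office segment
GUEST_GW = "192.168.20.1/32"     # assumed firewall address on the guest segment

# Each rule: (action, destination network, destination port or None for any)
RULES_GOOD = [
    ("pass", GUEST_GW, 53),            # guests may use DNS on the gateway
    ("block", GUEST_GW, None),         # but not its admin interface
    ("block", "10.0.0.0/8", None),     # no private ranges at all,
    ("block", "172.16.0.0/12", None),  # which covers the office LAN
    ("block", "192.168.0.0/16", None),
    ("pass", "0.0.0.0/0", None),       # everything else is the Internet
]

# Same intent, wrong order: the broad pass rule matches first.
RULES_BAD = [
    ("pass", "0.0.0.0/0", None),
    ("block", OFFICE_LAN, None),
]

# (destination, port, action the policy is supposed to produce)
PROBES = [
    ("192.168.20.1", 53, "pass"),    # DNS on the guest gateway
    ("192.168.20.1", 443, "block"),  # firewall web UI from the guest side
    ("192.168.10.5", 445, "block"),  # office file server
    ("10.0.0.1", 80, "block"),       # any other private range
    ("203.0.113.10", 443, "pass"),   # an Internet host (documentation range)
]


def first_match(rules, dst, port):
    """Return the action of the first rule matching dst:port, else block."""
    addr = ipaddress.ip_address(dst)
    for action, net, rule_port in rules:
        if addr in ipaddress.ip_network(net) and rule_port in (None, port):
            return action
    return "block"  # default deny when nothing matches


def audit(rules, probes=PROBES):
    """Return (dst, port, expected, actual) for every probe that disagrees."""
    findings = []
    for dst, port, expected in probes:
        actual = first_match(rules, dst, port)
        if actual != expected:
            findings.append((dst, port, expected, actual))
    return findings


if __name__ == "__main__":
    for name, rules in (("good", RULES_GOOD), ("bad", RULES_BAD)):
        print(name, audit(rules))
```

The same probe list doubles as a manual checklist to run from a laptop joined to the guest SSID after any rule change.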
Here's a blunt force method, which is extremely cheap, unhackable, and understandable to even the old ladies in the pews. Intermatic makes digital timers that can have 8 different programs. Turn the access points off when you don't want them accessible, turn them on when you do...
http://www.amazon.com/Intermatic-TB121C-Digital-Tabletop-Appliance/dp/B000E8XGBI
Providing an internet connection which a user then misuses does not make you a criminal. Otherwise ISPs could not function.
Is this so the eeeeevul atheists can't use it??
Get a new wireless access point. Many new models include what you're looking for. They appear as if they are multiple Access Points. Make two networks:
ChurchBusiness: WPA2 security, user accounts or strong password; full access to internal network
ChurchGuest: Security either as WPA2 password, or no wireless encryption and web redirect to authentication page; has only access to Internet, no church net access.
Many new routers under $200 have the ability to do the above. The Apple Airport Extreme can do the above, as can various Netgear or Linksys. Pick one up at a local retailer, give it a try.
Trashware PC with dual Ethernet cards and run the Easyhotspot either as the ISO or run a regular distro e.g. Ubuntu, add the bits and run the Easyhotspot interface (there is a manual on setting this up - I wrote much of one of the manuals). Generate and print out "token" passwords that are valid for the training week. I have only patched bugs on this, I am not related to the original coders, I am a secular humanist, I have a dog.
You honestly believe this? I just got back from a trip where I spent a week using the wireless network of a parish school across the street - it was widely known in the neighborhood, whether they were parishioners or not. My mom isn't a parishioner, and had the password on a sticky next to her monitor!
You might as well run a network with no password, as that's essentially what you're already doing, and save yourself and your parishioners the trouble.
Most routers already give you access/restriction options very similar to what you want, right in the administration settings.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Whitelist the specific sites you use (bible references, your church's website etc.), whatever generally useful sites you would like to allow (maps, taxi companies, airport schedules) and social media you want to allow (facebook, twitter). That should make most people happy and stop most abusive behaviour. The neighbors who want to surf pron will get frustrated and give up and any sites they do view should use minimal bandwidth.
Why not run an unrestricted network? Are you afraid someone will run a spam mill or bot network through it? With modern AV those are not very likely. Or is it that you are more concerned that someone may actually use the network to view (oh my Gad!!!) porn?
Now isn't that your real concern?
So why should /. help you?
One of these: https://www.google.com/search?q=mikrotik+RB751U-2HND
Documentation on configuring it is at: http://wiki.mikrotik.com/wiki/Hotspot
You can set up user/password authentication, mac address authentication, or whatever sort of authentication meets your criteria.
Actually, why not just share the internet? (with proper precautions of course) IMO, one of the missions of the church is to provide. Just isolate it from the office network so there are no surprises and give the people what they want :)
Build one with DD-WRT. Here's a set of instructions:
http://www.smallnetbuilder.com/wireless/wireless-howto/30150-how-to-build-an-open-source-wi-fi-hotspot-with-dd-wrt
John
Yeah but this is a church and their primary motivation has always been control. They can't allow people to do whatever they want...
1. Set up the routers on their own isolated network (e.g. if the church runs 192.168.x.x, run it in 172.16.x.x, both with different netmasks) and have a central gateway that can then just push the wireless network directly to the internet; best if the routers are cabled directly to that system too if you can help it; otherwise someone with the right smarts might jump networks if they know enough about the other network's config. You could couple this with a MAC Address DHCP assignment for staff computers so that staff can use the wireless on the normal network if you like; but I'd suggest that you make them VPN into the other network instead for better security.
2. The ideas of Captive Portals, etc. are probably what you want as well.
So, it's not really a single solution - capture them into one network (e.g. 172.16.x.x); grant them Internet Access after they agree to your terms, and then allow VPN to the other network (e.g. 192.168.x.x).
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Scientific spiritualism means that I am not willing to state, authoritatively, that there is nothing but atoms and energy.
It means that I must -- out of open mind and an earnest search for Truth, wherever it may lead -- examine every belief system I have, regularly, and cast out that which I can disprove and accept that I do not have many answers at all.
I am not a materialist, I am not a god worshipper (I have absolutely no proof that there's some cosmic being anything like a god), but I also do not discount synchronicities, the possibility that consciousness affects and may even pervade the Cosmos.
There probably is something bigger than Me. But I'm just not positive! Ergo, I'm a scientific spiritualist.
Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
I don't know what your topology looks like and what your equipment can do; but if your APs can support multiple BSSIDs then set up one for the Sunday school/staff with WPA2, turn the broadcast off, put them in their own subnet and VLAN if possible and push the configuration out via whatever central management tool your systems use, be it NIS or Active Directory or something else. (You can probably also set this up to have a domain account be a required part of authentication if you are using newer systems.)
Then you can set up a BYOD (bring your own device) BSSID if you wish, this can go in yet another subnet and vlan if possible, and can go through thicker filtering and network access restrictions, possibly even bandwidth throttling.
That is what I would do. I'm not exactly sure I understand how a hotel style access system would fix the problem.
Just pick up an Apple Airport Extreme WiFi base station. They're "mesh"-able so you can stack additional units into a network to expand it out -- but for your use case, you can set up a guest access network that you can change the password to. This way, your base network does not have to change their settings at all, and you can simply set up the guest network on a per event basis with new credentials.
Unit: http://store.apple.com/us/product/MD031/AirPort-Extreme?afid=p219|GOUS&cid=AOS-US-KWG
Cost: $179
Support article on guest network: http://support.apple.com/kb/HT3477
Upside, you also get some wicked strong WiFi, dual band 802.11n/a/b/g.
Downside, max out @ 50 clients (according to product page)
jeezbus is going to ignore his dad's copyright and duplicate all the fish
I'm the last dude to start spouting religion, but seriously, WWJD? Would he restrict access? Charge for it? You're a church for God's sake, or at least part of it. Why not make it wide open and invite anyone who wants to come, even if you get to spew out a little religious html their way?
I am working and have worked in the HSI for guest industry for over a decade as a support rep, software developer and network engineer. I can tell you that the standard install solution used by all the top vendors for hotels is Nomadix or SolutionIP Server as the registration portal page and guest management software, then for the network it is typically segmented as needed with VLANs. The registration server uses these VLANs to provide different registration methods to the client. Wireless APs typically are Ruckus devices. They have smart antennas that will redirect and calibrate based on the conditions of the connected clients to provide the best signal. But this is not an affordable option for most.
There are a lot of already developed options that provide similar functions, ones that can be flashed on home devices like a Linksys wifi router; there are options for software that can be loaded on Linux in conjunction with a bridged wifi AP also.
However, if you do understand the process of how to provide an auto-redirect captive portal page you can, and I have, program your own Linux server with open source software and then put any wireless device in bridge mode.
The methods used by Nomadix and SolutionIP server software are both patented, although it is just ARP spoofing; there are lots of lawsuits and the industry is slowly becoming a monopoly by Docomo. BUT... you can duplicate the results as I have with the following.
OpenSuSE for the base Linux install.
In order of connection process:
1. Client does DHCP (ISC-DHCP)
For DHCP we create a default pool (10.1.0.0) for all new / unknown clients. This has a very short lease time so that when we register them, we move them to another pool (10.6.1.0) so that we can manage their registration and IPTables access. We track their DHCP entries that we have moved to the known clients pool in dhcpd.registrations with the following type of entry:
    host 70F39570CB12 {
        hardware ethernet 70:F3:95:70:CB:12;
        fixed-address 10.6.1.92;
    }
This will provide a specific IP that will be given out to a specific device based on its MAC Address. We can manage this file with some programming and data stored in MySQL.
The 3rd pool is for if we need another pool for any specific reason.
dhcpd.conf:

    authoritative;
    option domain-name "mynetwork.ca";
    ddns-update-style none;

    # key block placed ahead of the omapi-key statement that names it
    key mykey {
        algorithm hmac-md5;
        secret "SECRETKEY";
    }
    omapi-port 7911;
    omapi-key mykey;

    # fixed-address host entries for registered devices
    include "/etc/dhcpd.registrations";

    shared-network clients {
        # registered clients: only hosts listed in dhcpd.registrations get a lease
        subnet 10.6.0.0 netmask 255.255.0.0 {
            deny unknown-clients;
            option domain-name-servers 10.6.0.1;
            option dhcp-server-identifier 10.6.0.1;
            option routers 10.6.0.1;
            default-lease-time 60;
            max-lease-time 60;
        }
        # default pool for new / unknown clients
        subnet 10.1.0.0 netmask 255.255.0.0 {
            pool {
                allow unknown-clients;
                range 10.1.0.2 10.1.255.254;
                option domain-name-servers 10.1.0.1;
                option dhcp-server-identifier 10.1.0.1;
                # (the post is cut off here; the rest of this pool is missing)
            }
        }
    }
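One way the dhcpd.registrations file described above could be maintained when a client registers, as an added example that is not the poster's code. The function names and the next-free-address allocation from 10.6.1.0/24 are assumptions; the MAC is validated strictly because it arrives from an untrusted client and is written into dhcpd's configuration.

```python
import ipaddress
import re

# Assumption: registered devices get fixed addresses from 10.6.1.0/24.
REGISTERED_NET = ipaddress.ip_network("10.6.1.0/24")
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{12}")
HOST_RE = re.compile(
    r"host\s+\w+\s*\{\s*hardware\s+ethernet\s+([0-9A-Fa-f:]{17});"
    r"\s*fixed-address\s+([\d.]+);\s*\}")

# Constructed sample of the existing file, holding the entry shown in the post.
SAMPLE = """host 70F39570CB12 {
  hardware ethernet 70:F3:95:70:CB:12;
  fixed-address 10.6.1.92;
}
"""

def normalize_mac(raw):
    """Return 'AA:BB:CC:DD:EE:FF', or raise ValueError for anything else.
    fullmatch() rejects trailing text, so braces or semicolons cannot reach the file."""
    if not MAC_RE.fullmatch(raw):
        raise ValueError("not a MAC address: %r" % raw)
    digits = re.sub(r"[:-]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_registrations(text):
    """Map MAC -> fixed address for every host block already in the file."""
    return {m.group(1).upper(): ipaddress.ip_address(m.group(2))
            for m in HOST_RE.finditer(text)}

def register(text, raw_mac):
    """Return (new file text, address). A known MAC keeps its existing address."""
    mac = normalize_mac(raw_mac)
    known = parse_registrations(text)
    if mac in known:
        return text, known[mac]
    used = set(known.values())
    ip = next((h for h in REGISTERED_NET.hosts() if h not in used), None)
    if ip is None:
        raise RuntimeError("registered pool is full")
    entry = "host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n" % (
        mac.replace(":", ""), mac, ip)
    return text + entry, ip
```

dhcpd reads its configuration at startup, so a new entry takes effect only after a restart or when the host is also added over OMAPI, which the posted config enables on port 7911.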
I don't see how giving people access to the internet is a problem. If you run out of bandwidth and see someone lurking outside with a laptop, call the cops.
We use Untangle where I work for the public Wifi, it's fantastic. Needs only a really simple machine and almost any noob can set it up.
Providing an internet connection which a user then misuses does not make you a criminal. Otherwise ISPs could not function.
ISPs can provide the name and address of a subscriber to law enforcement given an IP address. The provider of an open access wireless connection generally cannot. Police don't like it when an investigative trail goes cold.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Not everyone has the time to re-invent the wheel with a home-brew hack-a-thon frankenstein Linux thing... I'm sad to say, many of the things mentioned here are abandon-ware, don't work right, or have never worked right....
If you like Windows, DNS Redirector does what you want really well: http://www.dnsredirector.com
Hey, maybe you've already made up your mind, but my advice is: just don't.
Really, why do Sunday morning classes need wifi? So the teens can watch a YouTube video? Just download it onto a flash drive--then you won't have to worry about slow or down connections. Or do you want people surfing on the iPhones even more, instead of paying attention?
If they really must have wifi at times, then my advice is: Give the password to church staff and class teachers who need it, and tell them not to share it. Undoubtedly someone will share it with a friend or relative eventually, so change it once a month.
Sometimes the best answer is really: "You know, we don't even need to do this at all."
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
One of the best firmwares out there is Tomato, and its various forks like TomatoUSB. I am running TomatoUSB on my Linksys E2000 router right now, it's rock solid. For a captive portal specifically, there is a "Tomato RAF" version by Victek. Check it out here:
http://victek.is-a-geek.com/tomato.html
The Cisco/Linksys E4200v2 wireless router can support up to 50 wireless devices using the guest network. This network is separate from the regular wireless network and users connect to it by typing in a password you define into a default web page, similar to hotel access. You could then change the password every x weeks without affecting your normal wireless network configurations.