Ask Slashdot: Setting Up a Wireless Catch-and-Release

First time accepted submitter SSG Booraem writes "I'm on the IT committee at my church. We've recently added wireless access points to our Family Life Center, but the committee chair isn't comfortable with allowing unrestricted access to our network. We host a lot of guests during the week for Upwards basketball practices and on Saturdays for games, so we want to restrict internet access to the Sunday school classes held in that building. Unfortunately, neither he, nor I, know anything about setting up a wireless catch-and-release like in hotels. If anyone could point me at good documentation, I would be very grateful."

Open-mesh

[hedwards]

Honestly, just use something like open-mesh, it has all the software available to do just that without too much hassle. Additionally they're more easily spaced throughout the building with less interference than you would normally get.

charge 'em

[samjam]

Use enterprise WPA2 with keys. Give each client device a key. Charge $5 to provide a key. Church members who are donating will probably reduce their donation by $5 that month in order to pay for the key.

You can revoke keys individually.

Disclaimer: I don't know what I'm talking about, you might need expensive hotspots to do that, but for large building with more than one hotspot, you probably want special hotspots with decent handover as folk move from one hotspot to another.

Re:charge 'em

[dissy]

Another option is to use a Captive Portal built into a routing device.
If you can throw together a machine with two NIC or some wireless cards, the software side can be handled with ZeroShell, or if you prefer a paid support contract, the previously open source Untangle

Captive Portal requires registration with a username/password to use the wifi, and can perform metering for if you wish to charge or just limit time. You can also setup different sets of web filters or firewall rules that change on a set schedule.

The Web Filtering modules will likely make your committee chair happy, as you can easily block most categories like pornography, gambling, hacking, etc.
It isn't impossible to get around of course, but should be enough for due diligence.

Good luck!

Re:charge 'em

[heper]

goto www.pfsense.org Pfsense is all you need for this and every other firewall / router / captive portal / ... project and it's opensource with optional paid support if required

Re:charge 'em

Untangle (http://www.untangle.com/Lite-Package the lite package which i think is still free) is what I implemented at my work guest network and implementing at my Church's guest network. Initially we deployed this with the captive portal at my work, we have some policy requirements that require logon and captive portal checks that compliance checkbox.

For Church we will only be using the transparent proxy features to blacklist or whitelist websites. It keeps it simple, which translates that I don't have to manage it all the time (which i am sure having time to do this is a problem for you as well).

For the comittee that is concerned about the internet access, give them access to the Untangle webpage so they can see the reports of what sites are being blocked and what is getting the most usage. This should help them be more comfortable that this is being used for good.

I would also recommend using access points that support multiple VLANs and SSIDs. This avoids placing extra WAP's just for guest and allows you to keep your guest SSID separated away from the church's systems (you will have to configure your firewall, we place the guest VLAN in a simple DMZ) that may have financial information or member on them.

Re:charge 'em

[petermgreen]

Be aware that the combination of an unsecured wifi connection with a captive portal while conviniant for users is fundamentally insecure. The actual data traffic is unencrypted (unless the particular application/website uses application level encryption) and anyone can gain access by spoofing the IP/MAC of an existing client.

Re:charge 'em

[cr0nj0b]

I've done this with m0n0wall. http://m0n0.ch/wall/
A computer with 2 network card. One network card plugs into your network. The other network card goes to your guest wireless AP.
In order to block access from the guest wifi to your internal network, you can put in a Firewall ACL to block access to your internal network.
For example, if your internal network is 10.10.1.0/24:
Setup the second interface as 192.168.1.0/24 (or take your pick). On that interface set a block Firewall rule for all traffic with a destination of 10.10.1.0/24. The guest Wireless can still get to the internet, but not to anything on your internal network.

With either m0n0wall or pfsense, you can setup captive portal. This will block outgoing connections until the user registers or logs in.
http://doc.m0n0.ch/handbook/captiveportal.html

Not sure I understand the point here

[Shadow+of+Eternity]

You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your sunday school students reach the internet? Or are you trying to block the guests off your network complete? Since this is tagged as wireless why not just use WPA2 and set up your students, classes, or whatever with access?

Not sure what the point of one of those hotel pages is here.

Re:Not sure I understand the point here

You could still try to point him in the right direction, if someone asks for the way to the airport it isn't that important if you understand why he wants to leave town!

Re:Not sure I understand the point here

[Kjella]

You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your sunday school students reach the internet?

Most hotels I've been to in the last years in the Nordic countries have had WiFi included in the room charge, but they've all required a login all the same. I assume it's a) so that "everyone else" in nearby buildings can't connect and b) maybe related to some kind of billing between the hotel chain and the wifi provider. It's all a matter of how much management you need, because surely at least one of the patrons is there both for sunday school and for basketball practice and will leak a fixed key to everyone and their dog. Personal accounts means lots of management overhead. I assume he's looking for a simple way to give ad hoc access to the people attending the sunday school, something like a ticketing machine that'll give you a login valid for X hours. Like, you must be in the physical areas for sunday school to get a wifi login or a simple printout the teacher can bring to class that's good for the class(es) that day.

Re:Not sure I understand the point here

[nurb432]

Not all hotels charge. They just force you to agree to a EULA so they don't get into legal hassles.

Small budget with time on your hands?

Try to flash a Linksys:

http://www.polarcloud.com/tomato
http://www.dd-wrt.com/site/index
http://coova.org/

Just turn it off

[Captain+Hook]

If the access point is only meant to be used by the Sunday school, and they only meet at certain times. why not just switch the AP off when the Sunday School meeting isn't running?

Re:Just turn it off

[1u3hr]

If you don't want to turn off then setup the access point to NOT broadcast the SSID (network name).

Don't.

http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43 "SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests, and re-association requests. Essentially, youre talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all youve achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP. "

Re:Just turn it off

They're trying to discourage casual freeloaders, not secure their network against tech savvy dorks like you. Turning off SSID broadcast does that very effectively.

Re:Just turn it off

[webheaded]

No, he's saying that not only is it pointless, but that it makes things a pain in the ass. He's also pointing it out so that people don't have a false sense of security. This is all true. I used to hide mine but it made it more of a pain in the ass than it was worth. That's basically security theater. :p

Re:Just turn it off

[fermion]

There is no such thing as locking you house. Most lock can be picked easily, or a window can be broken, so don't do it.

One of my networks in a somewhat public place where the users have a high motivation to get online. Knowing that there is wireless is inherently insecure, i.e. tools are available for harvesting passwords and MAC addresses, turning off the SSID is simply another tool I use. To me it is a no brainer because it does not cause me any significant problems and many casual users don't know how to connect to a 'hidden' network even if they have the name. That is what 'turning off' the SSID does. It does not make the network invisible, it prevents computers from automatically connecting. It says that this is a closed network and we would appreciate it if you did not join in.

I have seen articles like this where somehow 'hiding' the SSID causes problems for roaming. From where I have seen these articles, I suspect this is an OS specific problem as I have never had this problem. All my equipment connects automatically to my networks unless there is a higher power open competing network. I believe this is a case where certain people do not know how to implement the solution, so they say the solution is bad.

To the matter at hand, closing the network may be part of the solution. Time based access control, in which user accounts that require on the fly credential, is another solution. This is where the user provides an email address, and logs onto the network by clicking on an email link agreeing to the terms and conditions. I would also back it up with sa white list that will prevent all proxy access and make the pipe much less valuable for casual users to crack.

Re:Just turn it off

[Zeromous]

Aye it is theatre, but I take objection to this "Don't" bullshit as if that's somehow insightful or helpful to the conversation. It's classic /. "I disagree with the premise so I assassinate the paradigm" bullshit which has driven away many a professional reader, myself included.

Re:Just turn it off

[swv3752]

Turning off Broadcast SSID is like locking the screen door. It does nothing to prevent unauthorized folks from entering, and it hinders many authorized folks.

Simples

try Easy Hotspot - http://easyhotspot.inov.asia/ obviously depending on exactly what you want to do... (we run the authentication system as a VM but it'll work nicley on a cheap PC) also we're using DDWRT on our access points so only using the easyhotspot system as an authentication system.

Here's an idea

[Pikoro]

Try a google search for "Captive WiFi Portal".

That's the term you want. Get yourself a DD-WRT compatible router and install one of these packages: http://www.dd-wrt.com/wiki/index.php/Captive_Portal

Re:Here's an idea

Absolutely. I will throw my (considerable, following Christmas excesses,) weight behind pfSense (pfsense.org) as a captive portal (CP) solution.

An old PC with a (couple of) extra $5 NIC(s) will provide a great, free, robust, easy to setup CP.

Re:Here's an idea

[Lumpy]

Dont use DD-WRT, that project is dead. Last BETA release was 2 years ago. Use OpwnWRT that has many packages for this and is still actively maintained.

No matter what he IS going to have to spend at least 2 weeks learning this stuff, or buy a commercial setup maintained by a It professional.

Re:Here's an idea

[postbigbang]

May I suggest using two APs; one has a strong key WPA 2 PSK and WPS disabled. It serves as the main access point for biz apps. The second one simply connects to the first one, uses a different non-interfering channel, and is the public version of the private one (WPS disabled, 802.11g only to catch the widest denominator of potential user). Route the second AP to the gateway.

And like a good IT admin, make sure that all of the machines on your biz network are fully secured, updated, and turned OFF when not in use.

Re:Here's an idea

[hairyfeet]

Its a shame you posted AC as i'd say your idea is the clear winner and would only add that if you are doing this for a church you should talk to your local mom & pop PC shop. Not only are we packrats and tend to have boxes full of NICs but if its a church or other non profit we'll often work with you to get you something thrown together as close to cost as possible. Since its a non profit I'd not want some big old power sucking P4 blasting through power, i'd use an underclocked Celeron or Sempron, maybe something in the sub 2Ghz range since he won't need that much power for that job, and build it into a nice cheap old Dell or Emachine mini tower and there you are, a dirt cheap CP box. hell if you are lucky they may even have an older SFF office box just sitting in the back they can let you have dirt cheap that would be perfect for the job and if you ask nicely i bet the guy would even be willing to help you set it up.

Captive Portal

It's called a captive portal, and it's not the solution you're looking for. Depending on AP it'll be easier to setup time of day access or only give the WPA2 passpoem to churchgoers.

Re:Captive Portal

From past experience (probably obsolete) - ChilliSpot was a very straightforward captive portal to setup (simplest setup is a beige box with two network cards, plus two configuration scripts).

ChiliSpot appears to be a defunct project, but CoovaChilli has risen from its ashes.

set a password and change it regularly

[acidream]

Seems like you could just set a password and post it somewhere in a room that is not accessible to guests. Change the password every week.

Re:set a password and change it regularly

[Hognoxious]

Don't post the password, post a clue to it like "Judges 5:16 word 10". Anyone who doesn't know the answer doesn't deserve access!

Re:set a password and change it regularly

[sqldr]

If it's from the old testament, there's a 90% chance that the word will always be "begat"

Re:set a password and change it regularly

[dkleinsc]

Not true, not true. You have to remember that before the "begat" there's all the raunchy bits, where some patriarch "knew" his wife, or his wife's maid, or his second wife, or in a couple of cases his daughters.

Seriously, if someone did an unexpurgated film version of the Bible, it would be rated NC-17. Especially the Song of Solomon.

Time-of-day restriction

[bgarcia]

Restrict the wireless router's use to Sunday mornings during class. Don't operate it during the week.

Re:Time-of-day restriction

[Ginger+Unicorn]

or go even lower tech and just ask the sunday school teacher to turn it on and off

Re:StackExchange

[zoloto]

Who knew such unabashed idiocy and bigotry would exist on slashdot? He's asking a tech question for a NPO and you retort with such drivel?

Just use Meraki

[MunkieLife]

Use something like the Meraki MR16 - It sounds like you aren't the most technically savvy in this regard, and even if you were this makes life easy. There are other ways to do this, but this is probably the easiest I've seen. www.meraki.com

a simple policy for a simple situation...

[demerson3]

At my church we have a pretty simple policy: the network is protected with WPA2 encryption, it has an easy-to-remember password, and we give it to everyone who needs it. Make sure staff knows not to tell the password to your basketball guests, etc. We change the password about once a year, and let the new password spread organically. It works pretty well. People in the congregation ask each other for the password (or more likely, ask someone whom they know is on the tech-savvy side) and so those who need it are able to get back on. Another thing that you can do is give the network an essid name like "Sunday School Only" -- that will make your guests less likely to try to gain access, and also the Sunday School patrons will know that they should feel free to ask for the password.

Re:a simple policy for a simple situation...

[portablejim]

+1. Also, with a DD-WRT (or Openwrt) you can easily* enable internet access only on Sunday. * In DD-WRT, it is under "Access Restrictions" => "Days"

Home Brew Captive Portal With OpenBSD

[petval]

Hi, latest BSD mag 1/12 has this article Home Brew Captive Portal With OpenBSD:
Have you ever used a public wireless network that has a splash screen such that you have to agree to certain terms before going to the Internet? The author of this article will show you step by step how to build one of those using OpenBSD’s Packet Filter (pf).

Analysis

[Meneth]

What I think the OP wants is to give people Internet access without simultaneously giving them access to the organization's LAN. He also doesn't want to invest in new hardware, seeing as how they've just done that.

So: how to set up the WLAN APs to block IP packets directed to anything except the gateway (or the Internet) itself?

My router can already do this.

[Computershack]

I can set up a guest wifi network on my router that has a separate WEP/WPA key and does not allow access to the other wired/wifi network unless I specifically say it can. Its a Netgear DGND3300v2 if thats any help...

Re:No thanks.

[JohnnyComeLately]

No, you're not going to answer because you're an absolute idiot. Log in and post that dumb azz crap. Not to mention you had to see the dozens of other a$$ hats who posted the same stupid thing, but no you had to anonymously post exactly the same crap because....??? Fail. Go back to playing your PS2, and mom should have dinner ready in a few minutes. Try not to complain about the free food in your free house.

First things first

[outsider007]

You want to get your hands on a patron saint of wifi figurine to put on top of your router.

Re:StackExchange

I sure agree with you, it hurts to see how a good place to exchange information is slowly dying and becoming less and less worth our attention.

Biblical pass code

[petes_PoV]

Just make the pass phrase a biblical quote. Change it each week and you kill 2 birds. How likely is it that the basketball players will have a bible handy AND your religious classes will have an incentive to read it to find the reference.

Admin

Use enterprise WPA2 with keys. Give each client device a key. Charge $5 to provide a key. Church members who are donating will probably reduce their donation by $5 that month in order to pay for the key.

You can revoke keys individually.

Disclaimer: I don't know what I'm talking about, you might need expensive hotspots to do that, but for large building with more than one hotspot, you probably want special hotspots with decent handover as folk move from one hotspot to another.

That sounds like a great quick-get-the-job-done solution but here's the 'but': adminstration.

Most churches have an admin - one business admin. I don't know how to put it kindley so here's a prediction of what will happen based upon what I've observed with other things that these adminstrators do:

You will be constantly dealing with folks who's key doesn't work. Keys that still work when they shouldn't and a constant searching for keys.

It will be one cluster fuck.

Volunteer IT person?

They turnover fast: they have work projects that take all their time up, can't deal with church committees, they find mega paying jobs on another coast, etc .....

Re:It would be a miracle

This thread makes me embarrassed to be an atheist...

Re:It would be a miracle

[Linzer]

Yup, the amount of atheist bigotry and unpleasantness here is incredible. Now in their defense, these people are probably Americans who endure a lot of religious bigotry in their daily lives. They are just trying to fight back, but this doesn't really help at all.

Coova!

[gregthebunny]

http://coova.org/

Ubuntu Server + CoovaChilli + DD-WRT = an easy and free captive portal system

WARNING: this is not a drop-in solution, some customization and piecing-together required. Throw FreeRADIUS or CoovaRADIUS into the mix for easier user-level authentication.

Re:It would be a miracle

[TheRaven64]

Seriously? Just because some religious people behave like dicks to people of different beliefs to them doesn't mean that you have to join in. He asked a technical question, the fact that it's related to a church is irrelevant.

Captive portal/Hot spot/walled garden hardware

[ldm]

I've used MikroTik hardware in the past to build wifi hotspots for customers. It's pretty easy to use, very friendly command line. You want something like this in an enclosure something like this. They're reasonably robust, and once configured properly, will do what you want (and a whole lot more should you want to change the setup in future) for a good long time.

Re:StackExchange

[buchner.johannes]

Forwarding from superuser.com:

http://superuser.com/questions/183105/hotel-like-wifi-manager (recommends AnchorFree, SputNik)
http://www.macinstruct.com/node/188
https://en.wikipedia.org/wiki/Captive_portal

Re:Catch-and-release?

[WrongSizeGlass]

What's that?>/a>

I think it's something like Pray for a man and you save him once. Teach him to pray for himself and you save him for a lifetime.

Re:StackExchange

I sure agree with you, it hurts to see how a good place to exchange information is slowly dying and becoming less and less worth our attention.

Yes, that happened ever since "I'm too lazy to Google it and perform basic research" turned into the exact same thing as "I really need a community of experts to offer me advice".

Not that Slashdot does anything but try to shut you up with a downmod for pointing it out ... but you know what the REAL difference is? If you really need a community of experts to offer advice it's because you are doing something new and interesting and unique. If you're doing what every hotel and coffee-shop across the country already does on a daily basis ... then it's time to stop being lazy and research it yourself.

Re:Documentation?

[outsider007]

Wrighting? Apparently we need to start you off with a picture book.

Re:ThinkPenguin.gom DD-WRT Router

[galaad2]

actually, they are linked on the site but not on each particular model's page in the database (i think they gave up on updating the links)

1) on the front page click "router database"
2) then on the sub-menu that opens, above the line where you type the router model, click on "Other downloads" ( http://dd-wrt.com/site/support/other-downloads )
result: you're now viewing the ftp space, mapped on the website
e.g.
ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2011/
is mapped on http at:
http://dd-wrt.com/site/support/other-downloads?path=others%2Feko%2FBrainSlayer-V24-preSP2%2F2011%2F

Re:Catch-and-release?

Give a man a fire and he's warm for the day, but set fire to him and he's warm for the rest of his life.

Hire someone!

[Monoman]

Just because churches operate as tax exempt non-profits doesn't mean they can't afford to pay someone to do the work. If your church doesn't have a member that is in the IT business (and willing to do the work for free) then hire a local tech company to set it up for you. Support the local nerd economy!

Re:Catch-and-release?

[Foofoobar]

What's that?>/a>

I think it's something like Pray for a man and you save him once. Teach him to pray for himself and you save him for a lifetime.

actually its more like 'pray for a man and he easily ignores you, brainwash a man and he will pray with you'

Re:StackExchange

[iamhassi]

Are you talking about religion or a certain politic party?

Re:Really?

[realityimpaired]

Posting up here, because it's quite a bit of scrolling before you see answers that don't have something to do with peoples anti-religion bigotry. I do not care what your beliefs are, nor do I think it's my place to comment on them when replying to a technical question.

Why don't you set up a guest wifi? Have the internal wifi that's for your private network, and a guest wifi where you publish the key for people to use, but set up a rule so it's only enabled on Sunday from 7am until 1pm? That should cover the Sunday school's hours, and it won't be there at all during the week, when you don't want people accessing the wifi. It will also segregate your internal network from the wifi you're providing for people to use, which will help secure your private files, or any fileserver you're running.

And if you're hosting some kind of event, like a Parish council meeting, where you want to give people access to the 'net, just turn the guest wifi on manually during the event.

It'll be cheaper, and easier than setting up a catch-and-release system, as a fair number of wireless routers have that ability these days, and if it doesn't, you could always install Tomato or DD-WRT to have access to it.

Re:StackExchange

[TheDarkMaster]

For the asker, maybe is something new and interesting. Not everyone knows how to proper configure wireless internet. And about Google, many times the Google results throws you exactly here or in some obscure forum, where the first response is "Search in the google, moron!". Interesting infinite loop problem.

Re:Catch-and-release?

[deniable]

Give a man a fish and he's gone for a night. Show him how to use the 'net and he won't bug you for weeks.

Re:StackExchange

[deniable]

Somehow, I don't think they're a non-prophet organisation.

Re:It would be a miracle

[ProfBooty]

I'm always amused by some of the comments here as it shows a profound ignorance (not yours). Heck anyone who has seen Bill Maher's "religulous" will hear senior vatican officals saying something like "Its all hooey, people need their stories." Even senior officals in the anglican community say the same thing:

http://religion.blogs.cnn.com/2011/12/29/my-take-the-3-biggest-biblical-misconceptions/

The whole bible being taken literally is a recent phenominom. One should be taking the central message from the bible, not viewing it as a historical truth, a set of laws etc.

As for myself, I am religious but I don't push my faith on other people, nor do I want them pushing other people's faiths on me.

Re:Really?

[sunderland56]

Religion does not imply belief in a god. You are confusing religion with theism.

Re:StackExchange

[g0bshiTe]

I read write up and first thing I thought of was run Linux with IPTABLES/CHAINS. Force proxy through squid set the ACL to only allow surfing during the required hours. What's hard about that? You could even get freaky and set your internal network on a different address and ADD ROUTE for the Guests, then again it would require some reading on the posters part and a bit of googling.

I wish you the best of luck in setting this up and administering the network.

Re:Open-mesh or Trust in God

[trewornan]

Providing an internet connection which a user then misuses does not make you a criminal. Otherwise ISPs could not function.

Re:Really?

[LWATCDR]

maybe I should have post about how atheists like Stalin and Mao killed many millions of people?
You like way too many other people just don't get it point so I will spell it out for you.
Guess what PEOPLE do really great things. Some PEOPLE do really crappy things. The people that do the worst things will use anything they can as an excuse for their acts. It doesn't matter if it is a member of the KKK, or a Bigot on Slashdot bashing someone for going to church. They will find some way that makes them feel like they are better than someone else and give them an excuse to attack.
Then you have the other less than pleasant people that are jumping down this guys throat for even asking this question when he or she could just Google it. Well maybe but it is NOT the authors fault that it is on Slashdot. THE EDITORS DECIDED THAT THIS WAS A QUESTION WORTH ASKING. So those that are complaining about this being a stupid thing to ask should really be complaining to the editors for not well editing what ends up on Slashdot.
So what it comes down to is if YOU HAVE NOTHING TO SAY THAT WILL HELP ANSWER THE QUESTION THEN DO NOT POST. IF YOU THINK THIS QUESTION IS STUPID THEN BLAME SLASHDOT. IF YOU DO NOT CHOOSE TO GO TO CHURCH THEN PRETEND THAT HE IS ASKING ABOUT SETTING IT UP AT A FREAKING HO TRAIN CLUB!