Slashdot Mirror


Ask Slashdot: Setting Up a Wireless Catch-and-Release

First time accepted submitter SSG Booraem writes "I'm on the IT committee at my church. We've recently added wireless access points to our Family Life Center, but the committee chair isn't comfortable with allowing unrestricted access to our network. We host a lot of guests during the week for Upwards basketball practices and on Saturdays for games, so we want to restrict internet access to the Sunday school classes held in that building. Unfortunately, neither he, nor I, know anything about setting up a wireless catch-and-release like in hotels. If anyone could point me at good documentation, I would be very grateful."

28 of 332 comments

  1. Open-mesh by hedwards · · Score: 4, Informative

    Honestly, just use something like open-mesh, it has all the software available to do just that without too much hassle. Additionally they're more easily spaced throughout the building with less interference than you would normally get.

  2. Not sure I understand the point here by Shadow+of+Eternity · · Score: 4, Interesting

    You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your Sunday school students reach the internet? Or are you trying to block the guests off your network completely? Since this is tagged as wireless why not just use WPA2 and set up your students, classes, or whatever with access?

    Not sure what the point of one of those hotel pages is here.

    --
    A bullet may have your name on it but splash damage is addressed "To whom it may concern."
    1. Re:Not sure I understand the point here by Kjella · · Score: 4, Informative

      You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your Sunday school students reach the internet?

      Most hotels I've been to in the last years in the Nordic countries have had WiFi included in the room charge, but they've all required a login all the same. I assume it's a) so that "everyone else" in nearby buildings can't connect and b) maybe related to some kind of billing between the hotel chain and the wifi provider. It's all a matter of how much management you need, because surely at least one of the patrons is there both for Sunday school and for basketball practice and will leak a fixed key to everyone and their dog. Personal accounts mean lots of management overhead. I assume he's looking for a simple way to give ad hoc access to the people attending the Sunday school, something like a ticketing machine that'll give you a login valid for X hours. Like, you must be in the physical areas for Sunday school to get a wifi login or a simple printout the teacher can bring to class that's good for the class(es) that day.

      --
      Live today, because you never know what tomorrow brings
  3. Just turn it off by Captain+Hook · · Score: 4, Insightful

    If the access point is only meant to be used by the Sunday school, and they only meet at certain times, why not just switch the AP off when the Sunday school meeting isn't running?

    --
    These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    1. Re:Just turn it off by 1u3hr · · Score: 5, Informative

      If you don't want to turn off then set up the access point to NOT broadcast the SSID (network name).

      Don't.

      http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43 "SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are: probe requests, probe responses, association requests, and re-association requests. Essentially, you're talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you've achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP."
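An added example, not part of the quoted article or of any comment in this thread: a small parser for the five 802.11 management frame types the quote lists, showing that a blanked beacon still leaves the network name in the other four. The frames are constructed in the code (zeroed header and fixed fields) and the SSID `ExampleNet` is a made-up value.

```python
# 802.11 management subtypes that carry an SSID element, mapped to the number
# of fixed-field bytes between the 24-byte MAC header and the tagged elements.
SSID_FRAMES = {
    0: ("association request", 4),     # capability + listen interval
    2: ("reassociation request", 10),  # capability + listen interval + current AP
    4: ("probe request", 0),
    5: ("probe response", 12),         # timestamp + beacon interval + capability
    8: ("beacon", 12),
}
HEADER_LEN = 24  # frame control, duration, three addresses, sequence control

def extract_ssid(frame: bytes):
    """Return (frame kind, SSID or None), or None for frames not listed above."""
    if len(frame) < HEADER_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in SSID_FRAMES:
        return None  # not a management frame of interest
    kind, fixed = SSID_FRAMES[subtype]
    pos = HEADER_LEN + fixed
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break  # truncated element, stop parsing
        if eid == 0:  # SSID element
            # A "hidden" beacon sends a zero-length or all-NUL SSID.
            return kind, (body.decode("utf-8", "replace") if body.strip(b"\x00") else None)
        pos += 2 + elen
    return kind, None

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Constructed sample frame: zeroed header/fixed fields, SSID + rates elements."""
    header = bytes([subtype << 4, 0]) + bytes(HEADER_LEN - 2)
    fixed = bytes(SSID_FRAMES[subtype][1])
    return header + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])

def names_seen(frames):
    """Map each frame kind to the SSID it exposed (None when blank)."""
    return dict(r for r in map(extract_ssid, frames) if r)

# Constructed traffic: one blanked beacon, then the four frame types that
# still name the network once a client joins it.
SAMPLE = [build_frame(8, b"")] + [build_frame(s, b"ExampleNet") for s in (0, 2, 4, 5)]

if __name__ == "__main__":
    for kind, ssid in names_seen(SAMPLE).items():
        print(f"{kind:22} -> {ssid!r}")
```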

    2. Re:Just turn it off by Anonymous Coward · · Score: 4, Funny

      They're trying to discourage casual freeloaders, not secure their network against tech savvy dorks like you. Turning off SSID broadcast does that very effectively.

    3. Re:Just turn it off by webheaded · · Score: 4, Insightful

      No, he's saying that not only is it pointless, but that it makes things a pain in the ass. He's also pointing it out so that people don't have a false sense of security. This is all true. I used to hide mine but it made it more of a pain in the ass than it was worth. That's basically security theater. :p

      --
      "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
    4. Re:Just turn it off by fermion · · Score: 4, Insightful
      There is no such thing as locking your house. Most locks can be picked easily, or a window can be broken, so don't do it.

      One of my networks is in a somewhat public place where the users have a high motivation to get online. Knowing that there is wireless is inherently insecure, i.e. tools are available for harvesting passwords and MAC addresses, turning off the SSID is simply another tool I use. To me it is a no brainer because it does not cause me any significant problems and many casual users don't know how to connect to a 'hidden' network even if they have the name. That is what 'turning off' the SSID does. It does not make the network invisible, it prevents computers from automatically connecting. It says that this is a closed network and we would appreciate it if you did not join in.

      I have seen articles like this where somehow 'hiding' the SSID causes problems for roaming. From where I have seen these articles, I suspect this is an OS specific problem as I have never had this problem. All my equipment connects automatically to my networks unless there is a higher power open competing network. I believe this is a case where certain people do not know how to implement the solution, so they say the solution is bad.

      To the matter at hand, closing the network may be part of the solution. Time based access control, in which user accounts that require on the fly credential, is another solution. This is where the user provides an email address, and logs onto the network by clicking on an email link agreeing to the terms and conditions. I would also back it up with a white list that will prevent all proxy access and make the pipe much less valuable for casual users to crack.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  4. Here's an idea by Pikoro · · Score: 5, Informative

    Try a google search for "Captive WiFi Portal".

    That's the term you want. Get yourself a DD-WRT compatible router and install one of these packages: http://www.dd-wrt.com/wiki/index.php/Captive_Portal

    --
    "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
    1. Re:Here's an idea by Lumpy · · Score: 4, Informative

      Don't use DD-WRT, that project is dead. Last BETA release was 2 years ago. Use OpenWrt, which has many packages for this and is still actively maintained.

      No matter what, he IS going to have to spend at least 2 weeks learning this stuff, or buy a commercial setup maintained by an IT professional.

      --
      Do not look at laser with remaining good eye.
  5. Captive Portal by Anonymous Coward · · Score: 4, Informative

    It's called a captive portal, and it's not the solution you're looking for. Depending on AP it'll be easier to set up time of day access or only give the WPA2 passphrase to churchgoers.

    1. Re:Captive Portal by Anonymous Coward · · Score: 4, Informative

      From past experience (probably obsolete) - ChilliSpot was a very straightforward captive portal to set up (simplest setup is a beige box with two network cards, plus two configuration scripts).

      ChilliSpot appears to be a defunct project, but CoovaChilli has risen from its ashes.

  6. set a password and change it regularly by acidream · · Score: 4, Insightful

    Seems like you could just set a password and post it somewhere in a room that is not accessible to guests. Change the password every week.

    1. Re:set a password and change it regularly by Hognoxious · · Score: 5, Funny

      Don't post the password, post a clue to it like "Judges 5:16 word 10". Anyone who doesn't know the answer doesn't deserve access!

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:set a password and change it regularly by sqldr · · Score: 4, Funny

      If it's from the Old Testament, there's a 90% chance that the word will always be "begat"

      --
      I wrote my first program at the age of six, and I still can't work out how this website works.
  7. Time-of-day restriction by bgarcia · · Score: 5, Insightful

    Restrict the wireless router's use to Sunday mornings during class. Don't operate it during the week.

    --
    I'm a leaf on the wind. Watch how I soar.
  8. Re:StackExchange by zoloto · · Score: 5, Insightful

    Who knew such unabashed idiocy and bigotry would exist on slashdot? He's asking a tech question for an NPO and you retort with such drivel?

  9. a simple policy for a simple situation... by demerson3 · · Score: 5, Interesting

    At my church we have a pretty simple policy: the network is protected with WPA2 encryption, it has an easy-to-remember password, and we give it to everyone who needs it. Make sure staff knows not to tell the password to your basketball guests, etc. We change the password about once a year, and let the new password spread organically. It works pretty well. People in the congregation ask each other for the password (or more likely, ask someone whom they know is on the tech-savvy side) and so those who need it are able to get back on. Another thing that you can do is give the network an essid name like "Sunday School Only" -- that will make your guests less likely to try to gain access, and also the Sunday School patrons will know that they should feel free to ask for the password.

  10. Home Brew Captive Portal With OpenBSD by petval · · Score: 4, Interesting

    Hi, latest BSD mag 1/12 has this article Home Brew Captive Portal With OpenBSD:
    Have you ever used a public wireless network that has a splash screen such that you have to agree to certain terms before going to the Internet? The author of this article will show you step by step how to build one of those using OpenBSD’s Packet Filter (pf).

  11. Re:charge 'em by dissy · · Score: 5, Informative

    Another option is to use a Captive Portal built into a routing device.
    If you can throw together a machine with two NICs or some wireless cards, the software side can be handled with ZeroShell, or if you prefer a paid support contract, the previously open source Untangle.

    Captive Portal requires registration with a username/password to use the wifi, and can perform metering for if you wish to charge or just limit time. You can also set up different sets of web filters or firewall rules that change on a set schedule.

    The Web Filtering modules will likely make your committee chair happy, as you can easily block most categories like pornography, gambling, hacking, etc.
    It isn't impossible to get around of course, but should be enough for due diligence.

    Good luck!

  12. Re:It would be a miracle by Anonymous Coward · · Score: 5, Insightful

    This thread makes me embarrassed to be an atheist...

  13. Re:It would be a miracle by Linzer · · Score: 4, Insightful

    Yup, the amount of atheist bigotry and unpleasantness here is incredible. Now in their defense, these people are probably Americans who endure a lot of religious bigotry in their daily lives. They are just trying to fight back, but this doesn't really help at all.

    --
    Gravitation is a theory, not a fact.
  14. Re:It would be a miracle by TheRaven64 · · Score: 4, Insightful

    Seriously? Just because some religious people behave like dicks to people of different beliefs to them doesn't mean that you have to join in. He asked a technical question, the fact that it's related to a church is irrelevant.

    --
    I am TheRaven on Soylent News
  15. Re:StackExchange by buchner.johannes · · Score: 5, Informative
    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  16. Re:StackExchange by Anonymous Coward · · Score: 4, Insightful

    I sure agree with you, it hurts to see how a good place to exchange information is slowly dying and becoming less and less worth our attention.

    Yes, that happened ever since "I'm too lazy to Google it and perform basic research" turned into the exact same thing as "I really need a community of experts to offer me advice".

    Not that Slashdot does anything but try to shut you up with a downmod for pointing it out ... but you know what the REAL difference is? If you really need a community of experts to offer advice it's because you are doing something new and interesting and unique. If you're doing what every hotel and coffee-shop across the country already does on a daily basis ... then it's time to stop being lazy and research it yourself.

  17. Re:charge 'em by heper · · Score: 4, Informative

    Go to www.pfsense.org. pfSense is all you need for this and every other firewall / router / captive portal / ... project, and it's open source with optional paid support if required.

  18. Re:charge 'em by Anonymous Coward · · Score: 5, Informative

    Untangle (http://www.untangle.com/Lite-Package the lite package which I think is still free) is what I implemented at my work guest network and am implementing at my Church's guest network. Initially we deployed this with the captive portal at my work, we have some policy requirements that require logon and captive portal checks that compliance checkbox.

    For Church we will only be using the transparent proxy features to blacklist or whitelist websites. It keeps it simple, which translates that I don't have to manage it all the time (which I am sure having time to do this is a problem for you as well).

    For the committee that is concerned about the internet access, give them access to the Untangle webpage so they can see the reports of what sites are being blocked and what is getting the most usage. This should help them be more comfortable that this is being used for good.

    I would also recommend using access points that support multiple VLANs and SSIDs. This avoids placing extra WAPs just for guest and allows you to keep your guest SSID separated away from the church's systems (you will have to configure your firewall, we place the guest VLAN in a simple DMZ) that may have financial information or member on them.

  19. Re:Really? by realityimpaired · · Score: 5, Informative

    Posting up here, because it's quite a bit of scrolling before you see answers that don't have something to do with people's anti-religion bigotry. I do not care what your beliefs are, nor do I think it's my place to comment on them when replying to a technical question.

    Why don't you set up a guest wifi? Have the internal wifi that's for your private network, and a guest wifi where you publish the key for people to use, but set up a rule so it's only enabled on Sunday from 7am until 1pm? That should cover the Sunday school's hours, and it won't be there at all during the week, when you don't want people accessing the wifi. It will also segregate your internal network from the wifi you're providing for people to use, which will help secure your private files, or any fileserver you're running.

    And if you're hosting some kind of event, like a Parish council meeting, where you want to give people access to the 'net, just turn the guest wifi on manually during the event.

    It'll be cheaper, and easier than setting up a catch-and-release system, as a fair number of wireless routers have that ability these days, and if it doesn't, you could always install Tomato or DD-WRT to have access to it.