Ask Slashdot: Setting Up a Wireless Catch-and-Release
First time accepted submitter SSG Booraem writes "I'm on the IT committee at my church. We've recently added wireless access points to our Family Life Center, but the committee chair isn't comfortable with allowing unrestricted access to our network. We host a lot of guests during the week for Upwards basketball practices and on Saturdays for games, so we want to restrict internet access to the Sunday school classes held in that building. Unfortunately, neither he, nor I, know anything about setting up a wireless catch-and-release like in hotels. If anyone could point me at good documentation, I would be very grateful."
Try a Google search for "Captive WiFi Portal".
That's the term you want. Get yourself a DD-WRT compatible router and install one of these packages: http://www.dd-wrt.com/wiki/index.php/Captive_Portal
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
Restrict the wireless router's use to Sunday mornings during class. Don't operate it during the week.
I'm a leaf on the wind. Watch how I soar.
Who knew such unabashed idiocy and bigotry would exist on slashdot? He's asking a tech question for a NPO and you retort with such drivel?
At my church we have a pretty simple policy: the network is protected with WPA2 encryption, it has an easy-to-remember password, and we give it to everyone who needs it. Make sure staff knows not to tell the password to your basketball guests, etc. We change the password about once a year, and let the new password spread organically. It works pretty well. People in the congregation ask each other for the password (or more likely, ask someone whom they know is on the tech-savvy side) and so those who need it are able to get back on. Another thing that you can do is give the network an essid name like "Sunday School Only" -- that will make your guests less likely to try to gain access, and also the Sunday School patrons will know that they should feel free to ask for the password.
Don't post the password, post a clue to it like "Judges 5:16 word 10". Anyone who doesn't know the answer doesn't deserve access!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Another option is to use a Captive Portal built into a routing device.
If you can throw together a machine with two NICs or some wireless cards, the software side can be handled with ZeroShell, or if you prefer a paid support contract, the previously open source Untangle.
Captive Portal requires registration with a username/password to use the wifi, and can perform metering if you wish to charge or just limit time. You can also set up different sets of web filters or firewall rules that change on a set schedule.
The Web Filtering modules will likely make your committee chair happy, as you can easily block most categories like pornography, gambling, hacking, etc.
It isn't impossible to get around of course, but should be enough for due diligence.
Good luck!
If you don't want to turn it off, then set up the access point to NOT broadcast the SSID (network name).
Don't.
http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43 "SSID hiding: There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests, and re-association requests. Essentially, you're talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you've achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP."
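An added illustration of the point in the quote above (not part of the original thread or of the quoted article): a minimal parser that reads the SSID element from 802.11 management frames, run over constructed sample frames. The frames have zeroed addresses and fixed fields, the SSID reuses the "Sunday School Only" name suggested earlier in the thread, and `build_frame` and `frames_carrying_ssid` are hypothetical helper names.

```python
# Management-frame subtype -> (name, length of fixed fields before the tagged elements)
MGMT_SUBTYPES = {
    0: ("association request", 4),      # capability + listen interval
    2: ("reassociation request", 10),   # capability + listen interval + current AP address
    4: ("probe request", 0),
    5: ("probe response", 12),          # timestamp + beacon interval + capability
    8: ("beacon", 12),
}

def ssid_from_mgmt_frame(frame: bytes):
    """Return (frame kind, SSID or None) for a raw 802.11 frame (no radiotap header, no FCS)."""
    if len(frame) < 24:
        return ("other", None)
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        return ("other", None)           # control/data frames carry no SSID element
    kind, fixed_len = MGMT_SUBTYPES[subtype]
    pos = 24 + fixed_len                 # 24-byte MAC header, then the fixed fields
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elem_len]
        if len(body) < elem_len:
            break                        # truncated element, stop parsing
        if elem_id == 0:                 # element ID 0 is the SSID
            hidden = elem_len == 0 or not any(body)   # empty or all-NUL = "hidden"
            return (kind, None if hidden else body.decode("utf-8", "replace"))
        pos += 2 + elem_len
    return (kind, None)

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Constructed sample management frame: SSID element followed by a rates element."""
    header = bytes([subtype << 4, 0]) + bytes(22)     # type 0 (management), zeroed rest
    fixed = bytes(MGMT_SUBTYPES[subtype][1])
    return header + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])

def frames_carrying_ssid(frames):
    """Names of the frame kinds in which a readable SSID was found."""
    return {kind for kind, ssid in map(ssid_from_mgmt_frame, frames) if ssid}

NAME = b"Sunday School Only"
SAMPLE = [build_frame(8, b""), build_frame(8, bytes(len(NAME)))]   # "hidden" beacons
SAMPLE += [build_frame(st, NAME) for st in (4, 5, 0, 2)]           # the other four kinds

if __name__ == "__main__":
    for f in SAMPLE:
        print(ssid_from_mgmt_frame(f))
```

With beaconing suppressed, the two beacon samples yield no name, while every other frame a legitimate client or the AP exchanges still carries it in the clear.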
This thread makes me embarrassed to be an atheist...
Forwarding from superuser.com:
http://superuser.com/questions/183105/hotel-like-wifi-manager (recommends AnchorFree, SputNik)
http://www.macinstruct.com/node/188
https://en.wikipedia.org/wiki/Captive_portal
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Untangle (http://www.untangle.com/Lite-Package the lite package, which I think is still free) is what I implemented at my work guest network and am implementing at my Church's guest network. Initially we deployed this with the captive portal at my work; we have some policy requirements that require logon, and captive portal checks that compliance checkbox.
For Church we will only be using the transparent proxy features to blacklist or whitelist websites. It keeps it simple, which translates that I don't have to manage it all the time (which I am sure having time to do this is a problem for you as well).
For the committee that is concerned about the internet access, give them access to the Untangle webpage so they can see the reports of what sites are being blocked and what is getting the most usage. This should help them be more comfortable that this is being used for good.
I would also recommend using access points that support multiple VLANs and SSIDs. This avoids placing extra WAPs just for guest and allows you to keep your guest SSID separated away from the church's systems (you will have to configure your firewall, we place the guest VLAN in a simple DMZ) that may have financial information or member on them.
Posting up here, because it's quite a bit of scrolling before you see answers that don't have something to do with people's anti-religion bigotry. I do not care what your beliefs are, nor do I think it's my place to comment on them when replying to a technical question.
Why don't you set up a guest wifi? Have the internal wifi that's for your private network, and a guest wifi where you publish the key for people to use, but set up a rule so it's only enabled on Sunday from 7am until 1pm? That should cover the Sunday school's hours, and it won't be there at all during the week, when you don't want people accessing the wifi. It will also segregate your internal network from the wifi you're providing for people to use, which will help secure your private files, or any fileserver you're running.
And if you're hosting some kind of event, like a Parish council meeting, where you want to give people access to the 'net, just turn the guest wifi on manually during the event.
It'll be cheaper, and easier than setting up a catch-and-release system, as a fair number of wireless routers have that ability these days, and if it doesn't, you could always install Tomato or DD-WRT to have access to it.