Wireless Networking

Rental Home Wireless Networks?

Posted by Cliff
from the keeping-the-tenants-honest dept.
Tangential asks: "I'm looking for advice. I have a rental home at the beach that I've equipped with Cable Modem and WiFi. After trying to use it with WEP for a summer I gave that up (life is far too short for me to talk every renter through configuring their notebook). I would like a bit of control over who uses my system. I've blocked outbound port 25 (since my ISP doesn't), but what I'd really like to do is run something like hotels do, where you enter a password and activate your MAC address for a certain amount of time; then I could just tell the renter the password and manage that remotely. I run OSS in my Linksys WRT-54G router at home (from Sveasoft) and I like being able to use a low cost router for such a function. I'd like to know what systems other folks have encountered that do this using OSS and mass market equipment."
  • Hassle (Score:5, Insightful)

    by turtled (845180) on Tuesday October 25, 2005 @03:14PM (#13874789)
    Sounds like hassle for people trying to get away from it all. Why not just a wired router/firewall. Does it have to be wireless? I would assume the vacation home isn't that big to warrant wireless... just my 2 cents.
    • Why not just a wired router/firewall. Does it have to be wireless? I would assume the vacation home isn't that big to warrant wireless...

      Some of us do enjoy sitting on the deck and watching the ocean while getting some e-mail, work, or surfing in. In fact, if it's close enough to the beach, I'm all about sitting in my lounge chair (like the movie The Net) and doing stuff on the Internet.

      I have mobile access via GPRS but would love to have a full broadband connection. YMMV.
      • Not to mention that someone might want to check into their flight, see the weather forecast, look up local restaurant reviews, or do any billion fucking other things that people like to do on vacation. There's always someone who says, "DUH, you're on vacation. Like why can't you just enjoy the vacation?" Because IT'S FUCKING BORING EVEN ON VACATION TOO, sometimes.

        Now, granted, that wasn't the issue in the parent, but I know that's what some hanyack is thinking.

  • PUBLICip (Score:5, Informative)

    by SFalcon (809084) on Tuesday October 25, 2005 @03:16PM (#13874815)
    Try this [publicip.net].

    Check out the features [publicip.net] and see if that's what you're looking for. It's free!
  • PublicIP (Score:2, Informative)

    by mr. mulder (204001)
    I've read about Public IP before: http://www.publicip.net/ [publicip.net] Perhaps it will give you the solution you're looking for.
  • Keep in mind.. (Score:4, Interesting)

    by SocialEngineer (673690) <{invertedpanda} {at} {gmail.com}> on Tuesday October 25, 2005 @03:24PM (#13874889) Homepage

    Things like that aren't guaranteed - if you need to ensure that no user is using it for bittorrent, or anything like that, you might as well give up :)

    For instance, if you leave port 22 open, your users will be able to set up a socks proxy through SSH [the-engine.org] (requires a box available on the 'net with SSH tunneling privs, but that isn't hard to get). If you have that blocked, but have ping open, well.. They'd have to have another box on the outside with admin privs, but they could also tunnel all the traffic through ping (I've seen it done before, never tried it myself).

    You probably won't have to worry about the tenants doing this, but always be wary of wardrivers who are looking to leech some wifi.

    If the benefits outweigh the risks, go for it.

  • what's the point of trying to control it? just leave it open.
  • On the right track.. (Score:2, Interesting)

    by Anonymous Coward
    I believe that Sveasoft (or somebody else) has a firmware for the WRT54G which will act like a "coffeeshop" type distro. Generate passwords, etc. Keep looking at the firmware.

    Post Google:

    http://www.portless.net/menu/ewrt/ [portless.net]

    and look into software called "nocatauth", which the above has put on a WRT54G

    Luck
  • I would personally recommend running a server connected to both wireless and internet with routing between them turned off, and then log on to the server w/ an ssl tunnel for your outside connection. This lets you give individual accounts to people and prevents someone from sniffing the contents of your traffic to the net from the airwaves. I believe you can also control bandwidth per link, as well, but I'm not sure about that.
  • by JustAnotherBob (811208) on Tuesday October 25, 2005 @03:31PM (#13874963)
    Perhaps you are looking for a solution like this?
    DSA-5100 http://www.dlink.com/products/?sec=0&pid=349/ [dlink.com]

    Product Features:
    - Creates Multiple Public Networks with Five Different Authentication Policies
    - Supports up to 400 Concurrent Online Users
    - Advanced User Management with Traffic Monitoring and Policy Enforcement

    Product Description:

    D-Link®, the industry leader in innovative networking solutions, introduces another breakthrough in the Airspot family of service gateway products. As the need for on-demand Internet connectivity continues to grow, the D-Link Airspot DSA-5100 Public/Private Hot Spot Gateway provides large establishments a solid solution for adding multiple public access networks while still maintaining the integrity of an existing private network. The DSA-5100 Hot Spot Gateway is a business-class service gateway designed to segment public and private network infrastructures. By adding a managed switch to the integrated public port, network administrators can deploy several public networks over a large-scale establishment such as a university campus or resort. Through the private port on the DSA-5100, the backend private network such as the campus operation centers or central office, can remain completely separate and secure.

    To optimize and maintain network up time and performance, the DSA-5100 Hot Spot Gateway has two built-in WAN ports that support link fail-over in order to provide Internet connection redundancy. In the case that the first ISP's connection fails, the second link (if configured and connected to a second ISP) will take over to ensure that Hot Spot customers will maintain uninterrupted Internet access. The DSA-5100 supports virtually all WAN connection types including static, dynamic, and PPPoE Client.

    The DSA-5100 Hot Spot Gateway also offers several advanced features to help manage and support up to 400 public users online at any time. Additional user management controls include bandwidth control, network policy enforcement, customizable user timer, login/logout web-page, online traffic monitoring, and URL redirection.

    To ensure authorized network access, the DSA-5100 supports multiple authentication methods such as POP3, RADIUS, LDAP, internal user database, and external Web (HTTP or HTTPS) authentication. With support for 802.1q VLAN tagging, different authentication policies can be used per administrator-assigned VLAN networks for maximum security. In addition, VLAN tagging helps to segment and prioritize incoming traffic. For the private network, the integrated DHCP server and firewall with Denial of Service (DoS) Protection safeguards the network from malicious attacks and hackers.

    Network administrators can manage the DSA-5100 Hot Spot Gateway and all of its features via the Web-based, CLI, SSH, or SNMP v2 management interfaces. With a wide array of convenient management utilities, the D-Link Airspot DSA-5100 Public/Private Service Gateway is an efficient and powerful hotspot solution.
  • What's the problem? (Score:5, Informative)

    by max born (739948) on Tuesday October 25, 2005 @03:36PM (#13875015)
    You may be anticipating a problem you'll never have, i.e. people sucking your bandwidth and sending spam. Why not leave it open. I do with mine. I think it's important to share bandwidth. I worked for a company in San Francisco with a DS3. I built a Wi-Fi network for them and convinced them to share it with the public. It wasn't a problem (however, I did put it in the DMZ and block port 25 just in case).

    If you still think you need to have usernames and passwords try nocat [nocat.net]. It handles authentication but I usually use it for a splash page for access points I build from old laptops [osvoip.net].

    Good luck.
  • OpenBSD pf (Score:4, Informative)

    by DrSkwid (118965) on Tuesday October 25, 2005 @03:46PM (#13875130) Homepage Journal
    Run pf on a 486 and use pf as your firewall, then you don't need MAC addresses and shizzle like that.

    http://www.openbsd.org/faq/pf/authpf.html [openbsd.org]

    Authpf(8) is a user shell for authenticating gateways. An authenticating gateway is just like a regular network gateway (a.k.a. a router) except that users must first authenticate themselves to the gateway before it will allow traffic to pass through it. When a user's shell is set to /usr/sbin/authpf (i.e., instead of setting a user's shell to ksh(1), csh(1), etc) and the user logs in using SSH, authpf will make the necessary changes to the active pf(4) ruleset so that the user's traffic is passed through the filter and/or translated using Network Address Translation or redirection. Once the user logs out or their session is disconnected, authpf will remove any rules loaded for the user and kill any stateful connections the user has open. Because of this, the ability of the user to pass traffic through the gateway only exists while the user keeps their SSH session open.

    • So, this guy is concerned about users being too computer-illiterate to configure their wireless cards with the proper WEP key, and for a replacement, you are suggesting that the users be asked to SSH to the firewall prior to going out.
      • for Windows it's two clicks

        one to download putty from the default page on your pf firewall

        one a link to putty.exe

        and one to download & run a batch file from the same webserver that does:

        putty -D 8080 -ssh gatewayIP

        which will also add a SOCKS proxy on localhost:8080 into the mix

        hardly rocket science and it leaves you with one set of instructions for windows without having to know anything about the configuration programs of various Wireless cards
    • Run pf on a 486 and use pf as your firewall, then you don't need MAC addresses and shizzle like that.
      Shizzle? Is that a new networking term?
  • this may sound too simple, but if you've already found hotels that do it like you want, why not ask them? of course the front desk clerk won't know anything but they can direct you to the manager who can direct you to the IT guys. you'll probably get more info that way than a general request on slashdot.
    • Most hotels outsource their networking. I've only been to ONE that had an inhouse solution, and they were just a wide-open network (anyone could connect - no password or anything.)
    • If you start asking people that don't know much about IT or IT Security they tend to become wary and usually assume that you're trying to "hack" it and either won't give you info or will try to hand you over to the authorities to "stop you from committing any more crimes". Some IT people have this much paranoia and lack of understanding as well. Not many people know that almost no one is out to get them or their network/computer(s).
  • I've blocked outbound port 25 (since my ISP doesn't)
    Most ISPs don't block port 25 because they still haven't migrated to SSL SMTP on port 465. Why is this? The last 2 ISPs I've used don't support it, and my complaints fall on deaf ears.
  • I think NoCat [nocat.net] is what you want. Their page mentions that it's ported to the WRT54G in a couple of different versions.
    • I'll second that. NoCat is what you want. It does the "captive portal" that you're talking about quite well. And according to the dox, it can do it on a 486/25 :) I still haven't managed to get the bandwidth throttling working, but that's something w/tc I think so it's not necessarily a NoCat problem. But doesn't sound like you'd need bandwidth throttling anyway, so it should work perfectly for what you want.
  • ...but what I'd really like to do is run something like hotels do, where you enter a password and activate your MAC address for a certain amount of time...

    I run OSS in my Linksys WRT-54G router at home (from Sveasoft)...

    The firmware you are using has the ability to make a captive portal.

  • My project, macf (Score:5, Insightful)

    by Piquan (49943) on Tuesday October 25, 2005 @04:33PM (#13875701)

    A few years ago, I wrote the skeleton for this sort of thing. It was for a job, the guy never did the paperwork to hire me, so I stopped working on it and put my code on Sourceforge. It worked; I just hadn't polished anything. (The management interface, in particular, sucked.) It pretty much requires FreeBSD to use as your filter box.

    The basic architecture is like this. First, there's a management interface that's just some PHP scripts talking to a MySQL database. That's how you add leases, how long you want them to last, etc. You could also add the leases to the database using any other means you want.

    A daemon is running that frequently sweeps the database and reconfigures the kernel part (described in a minute). The daemon expires old leases, adds new leases, etc. It also watches the traffic (passively, so the traffic isn't going through the daemon) and logs usage stats. (This last was part of the spec the original customer gave me.)

    The kernel part is what actually does the filtering. This doesn't need any custom kernel modules or anything; it's just a netgraph node in between the interfaces you're filtering on that uses the built-in BPF netgraph driver. (In those days, the packet filters in FreeBSD didn't support MAC filtering.)

    Anyway, like I said, it all works-- or at least did when I wrote it, and I don't see any reason that anything would have broken seriously. Check it out; it's macf on SourceForge [sourceforge.net].
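A sketch of the lease model the question and the macf post above describe: a table of time-limited MAC leases plus a sweeper that reconciles it with the firewall. This is an added example, not macf's code or the poster's; it assumes SQLite in place of MySQL and the Linux iptables "mac" match (as on a WRT54G-class router with a default-DROP FORWARD chain) in place of FreeBSD netgraph/BPF, and the access code is checked against a salted hash rather than stored in clear.

```python
import hashlib
import hmac
import re
import sqlite3

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def open_db(path=":memory:"):
    """Lease table (assumed schema): MAC, expiry (epoch secs), firewall state."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS lease "
               "(mac TEXT PRIMARY KEY, expires REAL, active INTEGER DEFAULT 0)")
    return db

def hash_code(code, salt):
    """Salted SHA-256 of the renter's access code; store this, not the code."""
    return hashlib.sha256((salt + code).encode()).hexdigest()

def code_ok(code, expected_hash, salt):
    """Constant-time compare so the portal does not leak the code by timing."""
    return hmac.compare_digest(hash_code(code, salt), expected_hash)

def activate(db, mac, hours, now):
    """Grant or extend a lease.  Take the MAC from the router's ARP/DHCP table
    for the client IP that submitted the form, never from the form itself."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % mac)
    expires = now + hours * 3600
    cur = db.execute("UPDATE lease SET expires=? WHERE mac=?", (expires, mac))
    if cur.rowcount == 0:  # first lease for this MAC
        db.execute("INSERT INTO lease(mac, expires) VALUES (?, ?)", (mac, expires))
    db.commit()

def rule(mac, action):
    """iptables command that allows (-I) or revokes (-D) forwarding for one MAC."""
    flag = "-I" if action == "allow" else "-D"
    return ["iptables", flag, "FORWARD", "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]

def sweep(db, now):
    """Reconcile firewall with leases: return the iptables commands the daemon
    must run (allow new leases, revoke expired ones); forget dead leases."""
    cmds = []
    for mac, expires, active in db.execute("SELECT mac, expires, active FROM lease").fetchall():
        if expires > now and not active:
            cmds.append(rule(mac, "allow"))
            db.execute("UPDATE lease SET active=1 WHERE mac=?", (mac,))
        elif expires <= now and active:
            cmds.append(rule(mac, "revoke"))
            db.execute("UPDATE lease SET active=0 WHERE mac=?", (mac,))
    db.execute("DELETE FROM lease WHERE expires <= ? AND active = 0", (now,))
    db.commit()
    return cmds
```

In production the daemon calls `sweep(db, time.time())` on a timer and hands each returned command to `subprocess.run`; the `rowcount` check keeps an extended lease from producing a duplicate allow rule.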

  • Why does this need a technical solution? Find a competent technician in the area, put his number on the fridge. Let the renters pay him to type in the WEP passkey.
  • by ers81239 (94163) on Tuesday October 25, 2005 @05:20PM (#13876171) Homepage
    Well, I was just going to use my mod points to mod up whoever posted the first link to this site:

    http://nocat.net/ [nocat.net]

    But since nobody did, I posted it myself.
  • by snowsam (557666) <snowsam@NospAM.laurel-point.net> on Tuesday October 25, 2005 @05:34PM (#13876292) Homepage
    Take a look at ChilliSpot, which is an open source captive portal --http://www.chillispot.org/ [chillispot.org] .

    Another option (already mentioned) that would work with the is to run NoCat
    http://nocat.net/ [nocat.net] on a "server" along with NoCatSplash on the WRT54 (see http://nocat.net/~rob/wrt54g/ [nocat.net] ).

    Take a look at http://www.slcwireless.com/ [slcwireless.com] to see how they are providing free wireless to location in Salt Lake City, Utah.

    Good luck!
  • I used Squid with SquidGuard on a transparent proxy (Linux gateway router) combined with a few shell scripts to manipulate the router's IPCHAINS rules upon authentication (it was in the days of IPCHAINS).
  • Once I get a spare WRT54G I'll install an open hotspot using OpenWRT [openwrt.org] and meshdog [openwrt.org]. You can set up OpenWRT in a snap (the Wiki was *very* useful) and the packages are installed using a debian-like tool aptly named ipkg.
  • The DD-WRT [bsr-clan.de] version of the firmware for the Linksys WRT54G wireless router is similar to the Sveasoft firmware, but includes ChilliSpot hotspot and NoCatSplash, without any GPL Controversy [wikipedia.org]

    I haven't tried the hotspot features yet, but I like the rest of the DD-WRT software a lot, especially in client mode as a wireless network extender. You can set up firewall rules, time-of-day restrictions, even restrictions on website based on keywords. I don't use most of those features, but they're in there if you
  • m0n0wall (Score:2, Informative)

    by anderiv (176875)
    I'd highly recommend you check out m0n0wall [m0n0.ch]. It's a BSD-based router distro. M0n0 comes in several forms, a hard drive image, a compact flash image, and a bootable cd. I use the bootable cd. The entire thing runs from a RAM disk, storing configuration on a floppy disk. All administration is done from a very robust and feature-complete web interface. You can make m0n0 as simple or complex as you wish - it includes traffic shaping, wireless support, PPTP & IPsec VPN support, multiple interfaces, a c
  • You can do this on freebsd with ipfw, apache and a couple of perl scripts. Here's a little guide I wrote back when I did this: http://wannabe.guru.org/scott/hobbies/wireless.html [guru.org]

    Scott
  • It's used at my university to link a user name with a particular IP and MAC address. I imagine it could be used in this scenario as well. http://www.netreg.org/ [netreg.org]
  • I had this problem with a hotel. I made a VB app that does it by checking, every time a request is made on any port from 1 - 9999, an approved IP list to see whether that IP has any time remaining; if there is time remaining it sends on the traffic over another ethernet interface, basically if there is time remaining for that IP then it forwards the request. The access and time is controlled by entering a code, which is kept by the admin (in this case the hotel) and the code consists of ho
