
Ask Slashdot: Best Way To Leave My Router Open?

Posted by timothy
from the tomayto-tomahto-ddwrt dept.
generalhavok writes "I read the story on Slashdot earlier about the EFF encouraging people to leave their WiFi open to share the internet. I would like to do this! I don't mind sharing my connection and letting my neighbors check their email or browse the web. However, when I used to leave it open, I quickly found my limited bandwidth disappearing, as my neighbors started using it heavily by streaming videos, downloading large files, and torrenting. What is an easy way I can share my internet, while enforcing some limits so there is enough bandwidth left for me? What about separating the neighbors from my internal home network? Can this be done with consumer-grade routers? If the average consumer wants to share, what's the easiest and safest way to do it?"
  • Think again (Score:5, Insightful)

    by Anonymous Coward on Thursday April 28, 2011 @02:25PM (#35967222)

    Wasn't it just this week that we had the lovely account of someone getting the SWAT treatment [slashdot.org] just for leaving their router free and open?

    • Indeed. Looking for a 'safe' way to do this is somewhat akin to looking for a safe way to cross through a raging inferno wearing only a pair of shorts and some sunglasses.
      • by Hultis (1969080)
        IANAL, but if you allowed people in on a guest network and made sure to log EVERYTHING that happened there, maybe those logs would be enough to prove you're innocent?
        • so much for starting off innocent...
        • Two routers (Score:4, Informative)

          by AliasMarlowe (1042386) on Thursday April 28, 2011 @02:49PM (#35967610) Journal

          Here's the way we do it

          We have an old router which is plugged into a spare port on our optical switch (fiber to the home), and has an open wireless G for anyone to use, configured to assign DHCP addresses from 192.168.200.x where x is 175-200, and with SSID of "All Connections Logged". Our newer router is plugged into a different port on the optical switch and assigns DHCP addresses in the range 192.168.100.y where y is 100-125, and our home net is connected to this one by cat6 cables and encrypted wireless N (MAC filters, hidden SSID, long key, blah blah). Each of these routers has a different public IP address assigned by the ISP, and they both maintain logs of MAC addresses connecting to them, so we don't worry too much about misbehaving outsiders - there have been none so far.

          FWIW, we have no usage caps on our 100Mbps fiber connection, so leaving a 54Mbps wireless-G open to passers-by does us no harm economically. In principle we could set it to 11Mbps Wireless-B, but we have never had a bandwidth hog connecting. Incidentally, our ISP gives us up to 8 public IPv4 addresses, of which we use 3-5: the IP-TV box uses the third, and work-related laptops sometimes use one or two more (via cat6 to another port on the optical switch).

          • Re:Two routers (Score:5, Insightful)

            by satoshi1 (794000) <satoshi@nOSpaM.sugardeath.net> on Thursday April 28, 2011 @03:00PM (#35967776) Homepage Journal
            MAC filters, hidden SSID

            Those don't do anything. MACs can be found by outsiders not connected to your network despite how encrypted the network is. Hidden SSIDs aren't anything either. The same tools that will display the MACs will also show all hidden SSIDs within range.

            Sure, they block the average user, but anyone who wants to get in will have no trouble at all.
            • by AliasMarlowe (1042386) on Thursday April 28, 2011 @03:43PM (#35968494) Journal

              MAC filters, hidden SSID

              Those don't do anything. MACs can be found by outsiders not connected to your network despite how encrypted the network is. Hidden SSIDs aren't anything either. The same tools that will display the MACs will also show all hidden SSIDs within range.

              Sure, they block the average user, but anyone who wants to get in will have no trouble at all.

              Ah, but it will block intruders, including the script kiddies you refer to. First, the antenna is unidirectional, and points from a lower corner of the house to the opposite upper corner. The wireless-N field is usually undetectable outside the house near ground level - I've checked - and utterly undetectable outside our garden (which extends more than 20 meters from the house on all sides). So there is no network and no SSID to detect outside our garden. Second, there are only two MACs allowed to connect to the secured wireless, and they are rarely connected, so snooping for MACs would mostly fail even if a snooping device were smuggled inside the house. All other devices connect via the cat6 wires, and if they have wireless, it is disabled. Thirdly, the secure network uses WPA2 with a nontrivial AES key, so bypassing the MAC filter would be useless in any event.

              And why would anyone spend the effort trying to crack our secure wireless-N when we make available a completely open wireless-G which is detectable for over a hundred meters in all directions? Unless they enter our garden and attach permanently-on snooping devices to the walls of our house, they would fail to get past the MAC filter, and even then they would not penetrate the wireless-N encryption anyway. So in our case, your warning is both wrong and wrong-headed. Didn't you ever learn that wireless networks can be secured against anything short of a police/military grade attack?

          • Re: (Score:3, Insightful)

            by Glock27 (446276)

            Here's the way we do it

            We have an old router which is plugged into a spare port on our optical switch (fiber to the home), and has an open wireless G for anyone to use, configured to assign DHCP addresses from 192.168.200.x where x is 175-200, and with SSID of "All Connections Logged".

            What good does it do to "log connections" if the MAC address can be spoofed?

            What you need to watch out for is someone pulling up on the street, downloading mass child porn, and heading off into the sunset. The FBI will be well aware that you could be "spoofing" a MAC address yourself. You might not be convicted, but it sure as heck would be a major hassle - and what is the benefit again? Let the freeloaders buy some bandwidth themselves...

        • Not really. You could use your own guest network to do nefarious things and would remain under suspicion.

        • Oh, officers, you have it all wrong! Those terabytes of k1ddy pr0n on my hard drive prove my innocence!

        • Re:Think again (Score:5, Insightful)

          by SealBeater (143912) on Thursday April 28, 2011 @04:19PM (#35969012) Homepage

          ...prove you are innocent...

          I'm no longer so naive that I can't recognize the futility of saying "You can't prove a negative, and under our system of jurisprudence, the burden lays on them having to prove you are guilty, not you having to prove you are innocent"....but that's no longer true is it, if indeed it ever was. It makes me sad that we are falling into that.

          My other point, if there's any to be made, is that if you allow your router to have open access for all, you can claim common carrier status and be exempt from the actions of your "users". Comcast doesn't get arrested for someone downloading kiddie porn using their network, why should you?

          3rd point and this is the most important, is that there is an increasing digital divide between those who have and those who don't. If you are poor, out of work, etc, it's a lot easier to get a laptop than it is to get internet service. I don't want my bandwidth abused as I am a heavy downloader but I have WRT-DD installed and I'll be looking into segregating and rate limiting my wireless connection.

          The older I get, the more I realize that it's going to be important for the good of all for people to start breaking free of the corporate binds. In the future, I can't help thinking that there might be some poor kid, with an old laptop, and having even a 5k connection (remember that?) might mean the difference between having a future and not having one.

          So, do what you want, all of you but I'm the type of guy who runs tor on his laptop hooked to his iphone all night just to piss off ATT. Flooding our corporate overseers with lots of misleading info is one good way to hide yourself. There's a lot of good reasons to consider doing this but separate VLAN and rate limiting are mandatory first

• The DMCA protects service providers. If I am deliberately sharing my internet connection, I AM a de facto service provider. There are rules one must follow but most of them apply only to operators of a certain size - which means we enjoy the protections of the DMCA without sharing the burdens like forced record keeping.

People have been abused by law enforcement for all sorts of reasons. If they go too far, you sue. Of course, if they are led to your house by the actions of a neighbor and then find, through som

        • by Mia'cova (691309)

          Although your ISP's service agreement probably explicitly states that you're not permitted to do this..

          • by Jane Q. Public (1010737) on Thursday April 28, 2011 @04:16PM (#35968972)
            That's a contract with your service provider (and a rather weak one, at that, since it's probably a "contract of adhesion"). It has nothing to do with the legality of sharing your connection.

            Violating your contract with your ISP -- if you have -- is purely a civil matter, and has nothing to do with anything else being discussed here. And it definitely does not make you a criminal.
        • by hellwig (1325869)
          The fact that the law protects service providers doesn't give you back your dignity or any time you lost sitting in a jail cell or any money you spent on a lawyer defending yourself. Remember, your name isn't AT&T or Comcast, the law has no idea that you were not the one downloading the illegal material. If you open your router up, it is your legal responsibility to prove, should something arise, that it was no one in your house that performed the illegal actions. Innocent until proven guilty doesn't
          • by Kagato (116051) on Thursday April 28, 2011 @04:06PM (#35968844)

I don't think you even have to go through the motions of the straw man argument you made. Fact is small ISPs get pushed around by law enforcement all the time. I've worked for some of the biggest and some of the smallest and it's a night and day difference how law enforcement treats you for the exact same thing. It's not uncommon for law enforcement to threaten to confiscate your data center because you dared to stand up for your legal rights. It's not uncommon for law enforcement to harass your employees or call the larger upstream providers and peers to talk about their theories. Small ISPs have been run out of business by Attorneys, Cops and Feds who knew nothing about technology but had a gut feeling something was off.

            On the other hand working at a large ISP the Cops and Feds are practically at your beck and call. In exchange we processed their wiretap orders (usually dozens to hundreds daily.) And they better have had their paper work in order or we weren't going to do jack squat for them. They wanted to tangle we could lawyer them hard. The cops were going to burn a lot of OT pay in deposition, let alone the other legal fees we could create.

Starbucks, McDonalds, Dunkin Donuts, etc, they don't worry about free WiFi. They're big companies.

            The law is not about being right in either a legal or moral sense. It's about resources, connections and power.

        • by pkinetics (549289)
          Try to get that to hold up while you are being arrested. By the time you get to the courts, have a lawyer to cover you, a judge to listen and a jury to understand, let's see that should only cost you about 1.5 years of your life, about $50k, not counting lost time from work, etc. Self righteousness is a wonderful thing, but without deep pockets and a really good attorney, seldom do they go hand in hand.
        • Of course I'm sure your ISP has a TOS that states you can't be a service provider and you are buying service for personal use only.

          • by DM9290 (797337)

            Of course I'm sure your ISP has a TOS that states you can't be a service provider and you are buying service for personal use only.

Such a clause is not really enforceable. They can't demonstrate any harm if you violate it. At best they can discontinue the contract. Contracts are about allowing both parties to protect themselves from harm. It is not about allowing parties to impose a restriction. It's especially not there simply to limit competition in the free market.

A packet is a packet is a packet. They are alleging to sell you bandwidth, so as long as you don't exceed what they claim to be selling you, they are not harmed.

            I could be

    • by elrous0 (869638) * on Thursday April 28, 2011 @02:32PM (#35967342)

      No problem. After you open it up, just call your local police and let them know that any illegal activity on your IP address is probably not coming from you. Problem solved.

      • by Hultis (1969080)
        This may or may not [edri.org] be a good idea, depending on where you live.
      • by w0mprat (1317953)
        1) Detailed logs - be ready to prove how you didn't download that CP. You'll need to route their connection through a decent transparent proxy.

2) Get IP blocklists and block a whole lot of IPs. If you use Windows as a platform for proxy software at any step, PeerBlock is a great point and shoot solution with massive lists of IPs (P2P snooping, Spyware, etc) included. Numerous parental filtering software could work here too.

3) For plausible deniability, perhaps force anyone's connection through Tor?
        • Re:Think again (Score:4, Insightful)

          by cjb658 (1235986) on Thursday April 28, 2011 @03:49PM (#35968584) Journal

          I agree with #3, just route all traffic through Tor.

          If you have a Linux server, you could set up Squid to reduce web bandwidth usage. To reduce torrent bandwidth usage, you could also host an FTP server on one of your PCs, so they don't have to go out to the internet. But then that opens up a whole new legal can of worms.

          Reminds me of a time when I worked at my school's I.T. department, and they were considering whether we should block pornography in the dorms because it was consuming a lot of bandwidth. My solution? Host our own porn server!

          My proposal was rejected.

      • Re: (Score:3, Funny)

        Open WiFi is endorsed by both Bruce Schneier and the EFF. That's good enough for me. If anybody asks why I leave my WiFi open, that's all I have to point to for a reason.
    • by poetmatt (793785)

      The answer is seriously very very simple.

      Separate VLANs and don't buy a shitty "home router" that has no options which enable you to keep your connection running smooth while giving people the option of wifi. 99% of the problem is buying a $20-40 router which you end up replacing after 5 years when it falls apart.

I would strongly suggest a Cisco WRVS4400N [cisco.com] - you can have up to 5 SSIDs, separate VLANs, encrypt your own with a public one unencrypted, and bandwidth controls so that WIFI can't eat all your ba

      • by snsh (968808)

Cisco-branded enterprise products should not be confused with Cisco-branded SOHO products which are surprisingly sucky. You can do all of the above with a $45 refurbished Linksys E2000 router with dd-wrt installed.

    • by tedgyz (515156) *

      Agreed. I usually respect the EFF, but in this case I think they are crazy.

    • by MarkGriz (520778)

      Don't discourage him. With a name like "generalhavok", he seems the ideal candidate for leaving his wifi open

    • Re:Think again (Score:5, Insightful)

      by ethan0 (746390) on Thursday April 28, 2011 @03:32PM (#35968316)

      You, and the many other commenters who agree with you have it completely backwards. Your linked story is exactly why more people should open up their networks.

      Fear of the police abusing their power is a terrible reason to avoid doing a perfectly legal action. Yes, it's more convenient, but if everybody goes along with the police abusing their power in that manner, it implicitly becomes acceptable. Providing internet to other people is not illegal, and not a good reason to get your door kicked in, and the police should know this. The consequence for the police not knowing this should NOT be more people cowering in fear. It should be that whoever is affected files suit against the police and the police are sanctioned for their actions.

      Nobody wants to go through that, of course. But we should.

      • Re:Think again (Score:5, Insightful)

        by Jane Q. Public (1010737) on Thursday April 28, 2011 @04:52PM (#35969406)
        Mod parent up (more)!

        People really need to stop changing their behavior out of fear, and start standing up like men again.

        If you aren't willing to stand up for what is right, please go somewhere else. I rather liked America when it was the land of the free and independent.
    • Route all the guest traffic through tor, and they won't (practically) be able to track those packets to your network.

      Heck, for that matter run a tor exit node too, to really confuse the courts if they every go after you anyway. :)

    • Re:Think again (Score:5, Insightful)

      by MoonBuggy (611105) on Thursday April 28, 2011 @03:57PM (#35968690) Journal

      To quote the ever-apt XKCD: Fuck. That. Shit.

      The fact that so many technically inclined Slashdot types are crying 'liability' and 'log everything' is almost as saddening as the fact that our government has pushed us to this. That some guy got thrown down the stairs by a rifle-wielding mob from nothing more than an IP address isn't a sign that we should all lock down our precious connections lest the same happen to us, it's a sign that every fucking one of us should open up our connections and tell the government that we refuse to be intimidated. Whether it was just intended as a PR move, allowing the police to say "Look at the nasty paedophile we caught. Aren't we good at our jobs?", whether it was an excuse to give the SWAT team something to do to justify their budget, whether it's a nefarious conspiracy to destroy anonymity, limiting each person to their own easily-surveilled connection, the reason matters far less than the fact that the only reaction that will stop it from continuing is outright defiance.

      Every abuse which we allow to happen, every time we modify our behaviour because of one rather than standing our ground, it only further legitimises the abuse, validates the government in their action, and brings us one more step along the road to greater loss of freedom. For all our sakes, I can't bear to see that happen.

      • by Bob9113 (14996)

        "The fact that so many technically inclined Slashdot types are crying 'liability' and 'log everything' is almost as saddening as the fact that our government has pushed us to this. That some guy got thrown down the stairs by a rifle-wielding mob from nothing more than an IP address isn't a sign that we should all lock down our precious connections lest the same happen to us, it's a sign that every fucking one of us should open up our connections and tell the government that we refuse to be intimidated."

        Damn

  • by Tridus (79566) on Thursday April 28, 2011 @02:26PM (#35967254) Homepage

    The second part (keeping people off your home network) CAN be done by some consumer grade routers that support a Guest Network. My Netgear 37AV has that ability. You set up a second SSID that is open. It can get to the WAN port, but can't see anything on the LAN or the private SSID.

    As for using bandwidth... no I'm not sure you can do a lot there with a standard router. You could turn on QoS to make sure that your traffic has priority on the router over someone elses, but you'll be pretty limited in terms of stopping them from chewing up bandwidth the rest of the time. I really don't recommend this if you're on a metered connection.

    • QoS may help you throttle your guests' upstream bandwidth, which is more important, but it's not going to do anything for downstream, which is the more common problem, because the QoS markings on downstream packets will normally be set to the default value by the websites or bittorrent peers that are sending them.

    • The second part (keeping people off your home network) CAN be done by some consumer grade routers that support a Guest Network. My Netgear 37AV has that ability. You set up a second SSID that is open. It can get to the WAN port, but can't see anything on the LAN or the private SSID.

      I've got to say that I'm pretty fond of Buffalo's WZR-HP-G300NH routers. They come with your choice of "Professional" or "User-Friendly" firmware choices, with the Professional version as default {DD-WRT}. Guest networks are available with both firmware sets. They're good for isolating point-of-sale networks for PCI compliance, too, with QoS features that you mentioned earlier.

      http://buffalotech.com/products/wireless/wireless-n-routers-access-points/airstation-nfiniti-wireless-n-high-power-router-access-p [buffalotech.com]

  • DD-WRT + QoS (Score:5, Informative)

    by seanmcelroy (207852) on Thursday April 28, 2011 @02:26PM (#35967260) Homepage Journal

    It's absolutely possible and fairly easy these days with out of the box router firmwares, or if yours doesn't support QoS (Quality of Service), then you can potentially put on an open-source firmware -- DD-WRT to provide that ability and much more. QoS lets you designate classes of traffic, such as streaming, gaming, and other protocols, or particular devices on a WAN or plugged into the router itself and set priorities for them. Doing this, you can share your WiFi AP (good for you!), but also get the lions' share of your bandwidth when you are wanting to use it.

    • Completely agree. You may want to do some homework first on which routers are best supported by DD-WRT but I use it fairly regularly and the ability to send WOL commands to my home network from any internet connected device has proven to be a godsend.
    • by Phil Urich (841393) on Thursday April 28, 2011 @03:30PM (#35968272) Journal
      I don't even understand why any self-respecting geek would buy a router that couldn't run OpenWRT, Tomato or DD-WRT. The stock firmware of commercial routers is always just rubbish compared to the open source (ish, in the case of DD-WRT) replacements.

For setting up bandwidth limiting for OpenWRT, well, OpenWRT is for real men (or real women), as this wiki page should make clear [openwrt.org]. Lots of command line and config files; there are web frontends but I'm unsure if any let you fiddle with these kinds of powers. But if you're looking for fine-tuned control, OpenWRT is pretty much a distro in its own right so the possibilities are pretty vast.

      For Tomato (which I use 'cause the graphs are pretty), unlike what SighKoPath has said here, you don't have to set up specific rules for each MAC or IP; just set up the classifications for your own devices, then in QoS -> Basic Settings set the Default Class to something like, say, Class E. Now you can set the bandwidth limits for random strangers in Class E and any device or type of traffic that you don't have an overriding rule for gets categorized in Class E, so any new random neighbor devices will fall into that class. Simple.

      As far as routers go, a lot of existing routers (as long as you didn't buy a really bad one with too little memory to even install anything to) are supported by at least one of the three main firmwares. Tomato is far more restricted in terms of choice, but if you can't find a spare WRT-54Gv1-4 lying around, Linksys deliberately sells the WRT-54GL for the sake of folks who'd like to install Linux-based alternate firmwares. For OpenWRT you can check their Table of Hardware [openwrt.org], random pick, the Buffalo WZR-HP-G300NH is good bang-for-your-buck. DD-WRT's equivalent table is here [dd-wrt.com]; you can actually get some routers, like Buffalo's WHR-HP-G54-DD, which come with DD-WRT pre-installed. Never actually tried DD-WRT myself . . . I'm a bit of an open-source zealot, and DD-WRT has had a somewhat sketchy record. Plus, have I mentioned Tomato has pretty graphs?
    • does dd-wrt do this with a simple user-friendly UI?
      last time I looked, it was going to require fiddling with IP tables and stuff.

      sure, I could probably learn all that - but it would be a pain, and I'd have the nagging doubt that I might have configured things incorrectly...

  • by WiglyWorm (1139035) on Thursday April 28, 2011 @02:26PM (#35967264) Homepage
It can get you into trouble [yahoo.com]

    That said, I leave my wifi router open as well, but if you're going to do it you have to do it knowing the risks. Being accused of kiddie porn, for instance, is going to stick with you forever, regardless of guilt or innocence.
    • by antdude (79039)

      What about making the open wifi restricted? Is that even possible? Like block these bad sites.

      • by sabs (255763)

        Black Lists Don't work.

        White Lists are the only real reasonable tool in this case.
        And boy is that a headache.

        • by antdude (79039)

          Ah. Since this is your open wifi, then rules should be applied.

        • Hey, is there anything out there that will automatically add to a whitelist any site I go to, but will restrict others? That would seem like zero headache for me and the neighbors can eat sand if they can't get to facebook or spongebob's magic castle.com
    • The thing that makes me laugh about this submission is heeding the EFF's advice and sharing your ISP connection - most likely against your TOS, then coming here to ask how to control and restrict it in ways that would make the EFF kersplode if the ISP were to do it. I suppose in the same spirit it would be OK if I hacked someone's router and shared the _whole_ connection with everyone else right? I'd like to see the argument against that.

      I can see doing it out of personal convenience, knowing the risks I

  • All new mac-addresses get 24 hours of free access; after that they're blocked for 1 week... Adjust thresholds accordingly...

  • by Kindgott (165758) <soulwound@g o d i s d e a d.com> on Thursday April 28, 2011 @02:27PM (#35967276) Journal

Your ISP may be none too happy when they find out you're sharing your connection, I'd double check their terms of service just in case.

    • Yup. The biggest concerns I had when picking my ISP were Terms of Service and availability of static routing. Back when I first got consumer broadband, there were many ISPs that didn't want you to run web servers from home, and some major ones that only allowed you to use one computer on the account unless you paid extra. Eventually the ISPs decided to allow multiple home computers (usually with NAT), because they understood that the market had changed and when people got new computers for themselves the

    • Shouldn't the ISP deliver my bits regardless of what they are?

      If someone knocks on my door and asks to borrow my telephone, I don't need the phone company's permission.

      If I type an email on behalf of a friend without a computer, my ISP doesn't get to complain that those weren't "my" bytes.

      But if you're that concerned, just route the guest traffic through TOR and at least through packet sniffing they won't be able to distinguish the guest traffic from your own. All they'll see is encrypted traffic which co

  • I suggest checking this out. I've used it for a few clients. http://www.publicip.net/ [publicip.net]
  • by Animats (122034) on Thursday April 28, 2011 @02:29PM (#35967304) Homepage

    I just posed the same question in another topic, and wrote this:

    WiFi routers should have the option of putting the air link on the outside of the local firewall. Actually, it would make sense if, by default, open WiFi links gave guest access to the outside Internet world, but not the inside LAN world, while encrypted links offered access to the inside world. This allows opening up guest access without exposing local servers and Windows shares.

    A router should support both modes simultaneously, offering itself as two access points. Encrypted links should have higher packet priority over nonencrypted links, so that guest access can't starve out authorized users.

    This seems obvious enough that some routers probably implement it already. Anyone know of one?

  • Sounds like you have a network neutrality problem on your hands. How to provide services while downgrading heavy users through selective throttling...
  • I wouldn't recommend this setup at all, but if you HAD to leave your router "free and open", the D-Link DIR-655 has the ability to broadcast a Guest Network (which limits access of those using it from seeing your machines behind your router) and has QoS (so you can prioritize your packets over your "guests").
  • You've got a couple of choices - get a system that gives you lots of detailed controls so you can do anything you want, at the cost of understanding the complexity yourself, or sticking to simple cookie-cutter tools, but you won't find most of those letting you do bandwidth limitations on some connections. You can probably take DDWRT and convince it to do what you want, or you can take a dedicated BSD or maybe Linux machine and do all sorts of interesting things with it, but either way you'll have to do so

  • by taustin (171655) on Thursday April 28, 2011 @02:34PM (#35967390) Homepage Journal

    You might take a look at IPCop [ipcop.org] or Smoothwall [smoothwall.org]. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.

    • by Kozz (7764)

      You might take a look at IPCop [ipcop.org] or Smoothwall [smoothwall.org]. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.

      Ahh, yes. iptables... the intuitive interface of the linux command line combined with the arcane of networking. I used to have an old P133 as a NAT box (slackware) that also did a few other server-related tasks, and I had some iptables rules configured. I think the truth of the matter is that unless you are very, very well versed in networking, you can't write your own rules and end up copying some stale rulesets from things you find on the intarweb, hoping to bend them to your needs. I never knew what

  • I offered public wifi in my apartment complex on a limited pipe. First, I setup a linux firewall with three nics - one for outside, one for my inside stuff+personal wireless, one for the public. On the public wireless side, everything except port 80 was blocked. I included 443 in the blocks because I wanted to limit where people went, so I could mitigate potential trouble like pedo browsers. On port 80, I sent all traffic to a transparent squid proxy. The proxy then checked which URLs were being reques
    • by 0racle (667029)
      You could have saved yourself a whole lot of setup and trouble by simply not having an open connection. By the time you've locked it down that much, there's really no point to having an open connection.
  • You really just need something that either has an extra interface for your wireless network, or can do 802.1Q VLAN tagging and a VLAN-capable switch. I think even with a Linksys and DDWRT, you can put the built-in wireless AP on its own VLAN. Then you just give the wireless its own subnet, disallow traffic from the wireless subnet to your personal subnet. I think you can even do multiple SSIDs and put each SSID on its own VLAN, one for the public and one for you. Then just allow egress traffic on po

  • by RedLeg (22564) on Thursday April 28, 2011 @02:37PM (#35967430) Journal

    Forget being a nice guy, and in this case, the EFF's recommendations. Aside from the issues you raise yourself, this story [arstechnica.com] should be all it takes to convince you of the foolishness of such a policy these days.

    To answer your question directly, yes, some consumer AP / Routers can shape traffic like you're asking. You will need to divide your network into multiple VLANs, I would suggest three: One wireless and wide open, one wireless and secure for your use, and one for the wired side. Then, bandwidth limit the free wireless, route appropriately, and apply a security policy to protect yourself. You might also consider logging all that "free" traffic so when the Feds show up with a warrant, you have some kind of audit trail to get yourself out of jail.

    I'm not aware of any consumer grade equipment that will do this out of the box. On the other hand, there are several free / open firmware projects that replace the factory firmware that are Linux based, and may be able to meet your needs. A couple (by no means all) of these projects are dd-wrt (http://www.dd-wrt.com/site/index [dd-wrt.com]) and OpenWrt (https://openwrt.org/ [openwrt.org]).

    Beware though, that not all of the consumer hardware is created equally internally. Research carefully the hardware / replacement firmware combinations to make sure you can get where you want to be before spending money. You'll also be stressing the hardware far beyond its original design, so opt for more RAM and a faster embedded processor.

    Gee, this sounds like a PITA.....

    Hope this helps, and that you don't get arrested.

    --Red
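    A concrete form of the plan in this comment and the VLAN comment above (a separate guest interface or VLAN, no guest-to-LAN traffic, guest bandwidth capped so the household keeps most of the pipe), as an added example that is none of the commenters' own code. It assumes a Linux router with iptables and tc (iproute2), interfaces named eth0 (WAN), eth1 (home LAN) and wlan1 (the open wireless, or the guest VLAN's interface), and the subnets and rates set at the top; all of those names and numbers are assumptions. Setting DRY_RUN=1 prints the rules instead of applying them, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Guest-network isolation plus a hard bandwidth cap on a three-interface
# Linux router. Added example; interface names, subnets and rates are assumed.
set -eu

WAN_IF=${WAN_IF:-eth0}          # upstream link (assumed name)
LAN_IF=${LAN_IF:-eth1}          # trusted home network (assumed name)
GUEST_IF=${GUEST_IF:-wlan1}     # open wireless / guest VLAN interface (assumed)
LAN_NET=${LAN_NET:-192.168.100.0/24}
GUEST_NET=${GUEST_NET:-192.168.200.0/24}
WAN_UP_KBIT=${WAN_UP_KBIT:-4096}          # total upstream capacity (assumed)
GUEST_UP_KBIT=${GUEST_UP_KBIT:-1024}      # hard cap for guest uploads
GUEST_DOWN_KBIT=${GUEST_DOWN_KBIT:-2048}  # hard cap for guest downloads
GUEST_MARK=2                              # fwmark that tags guest packets

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

guest_firewall_rules() {
    # Replies to connections the guests opened are allowed back in from the WAN.
    run iptables -A FORWARD -i "$WAN_IF" -o "$GUEST_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Guests never reach the trusted LAN, matched by interface and by address.
    run iptables -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    run iptables -A FORWARD -i "$GUEST_IF" -d "$LAN_NET" -j DROP
    # The LAN does not reach guest hosts either; guests are untrusted both ways.
    run iptables -A FORWARD -i "$LAN_IF" -o "$GUEST_IF" -j DROP
    # Guests may talk to the router itself only for DHCP and DNS.
    run iptables -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -j DROP
    # Everything else from the guest subnet goes out the WAN, NATed.
    run iptables -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

guest_shaping_rules() {
    # Upload: tag guest packets, then put them in their own HTB class on the
    # WAN interface that cannot borrow above GUEST_UP_KBIT. Home traffic lands
    # in the default class 1:10 and may borrow up to the full link.
    run iptables -t mangle -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" \
        -j MARK --set-mark "$GUEST_MARK"
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 10
    run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${WAN_UP_KBIT}kbit"
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:10 htb \
        rate "$((WAN_UP_KBIT - GUEST_UP_KBIT))kbit" ceil "${WAN_UP_KBIT}kbit"
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:20 htb \
        rate "${GUEST_UP_KBIT}kbit" ceil "${GUEST_UP_KBIT}kbit"
    run tc filter add dev "$WAN_IF" parent 1: protocol ip handle "$GUEST_MARK" fw flowid 1:20
    # Download: queueing disciplines shape egress only, so the cap on what the
    # guests receive sits on the guest interface, where that traffic leaves the router.
    run tc qdisc add dev "$GUEST_IF" root handle 2: htb default 20
    run tc class add dev "$GUEST_IF" parent 2: classid 2:20 htb \
        rate "${GUEST_DOWN_KBIT}kbit" ceil "${GUEST_DOWN_KBIT}kbit"
}

# The guest cap must leave room for the home network; refuse a policy that
# would hand guests the whole uplink.
guest_policy_check() {
    [ "$GUEST_UP_KBIT" -lt "$WAN_UP_KBIT" ]
}

apply_guest_policy() {
    guest_policy_check || { echo "guest upload cap must be below the WAN rate" >&2; return 1; }
    guest_firewall_rules
    guest_shaping_rules
}

# Only touch the live router when explicitly asked to.
if [ "${GUEST_POLICY_APPLY:-0}" = 1 ]; then
    apply_guest_policy
fi
```

    Review with `DRY_RUN=1 GUEST_POLICY_APPLY=1 sh guest-policy.sh`, then drop DRY_RUN to apply. The two separate DROP rules for guest-to-LAN (by output interface and by destination address) are deliberate: a rule keyed only on the interface name stops protecting the LAN the moment the topology changes, while the address rule keeps holding. If the guest side is an 802.1Q VLAN rather than a second radio, GUEST_IF is simply that VLAN subinterface; the rules do not change.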

    • by city (1189205)
      Yes, the "foolishness of such a policy these days". You people and your foolish liberties! Get a job hippies or we'll send in the SWAT team.
  • But the existing traffic shaping solutions are impenetrable and impossible to use. This makes me very unhappy. I'm also not sure that the traffic shaping policy I want is possible with the existing traffic shaping tools.

    I have a small Linux box I use as a router, and I have 3 LANs + the external link. LAN 1 is my trusted internal network. LAN 2 is the network for any Windows box, my gaming systems and any housemates. LAN 3 is the wireless.

    I want a traffic shaping policy that says something like this:

    1. Spare
  • I believe all of this is possible (even multiple SSIDs with one router) with OpenWRT or DD-WRT on certain hardware, but I never got it working right. I just ended up using two Linksys routers (one with open wifi, one encrypted) and pfSense [pfsense.org] as a router. You can even do this with just pfSense and a couple of wireless cards. Private wifi bridges to the local network, public is on an isolated subnet. pfSense traffic shaping [pfsense.org] keeps users in check. I have a QoS class for "public" traffic which is limited to a c

  • by roc97007 (608802) on Thursday April 28, 2011 @03:20PM (#35968102) Journal

    But if you must... Where did you live again?

  • As I mentioned in another post (http://slashdot.org/comments.pl?sid=2111634&cid=35964896), I wish that nocat.net was updated

  • by tedgyz (515156) *

    The question is flawed. While you may think you are helping society, you are unlikely to do much good and risk getting hacked. It isn't the robbed bandwidth or the chance of the FBI knocking on your door because somebody downloaded kiddie pr0n. It is because getting into the wi-fi router puts that person's computer inside your intranet. Would you let some random person sleep in the spare room of your house?

    'nuf said

  • Leaving your wifi open is a security nightmare and an invitation for abuse. Someone hogging your bandwidth is the least of your worries. Before long someone is going to hack your own computers and download kiddy porn on your connection. Law enforcement won't accept "intentionally left it open for the good of mankind" as a legitimate excuse. Rather, they'll tell you that you should have known better and you asked for the trouble you got into. Why do you want to make life difficult for yourself?

    If you ha

  • I am not sure what kind of neighborhood you live in or what kind of router you have, but this is almost pointless. With my old G router, which was set in the living room, I could get a signal on my front porch and the bedroom right next to it. My N router has dramatically further reach, but signal is still weak in many areas. With my N, I can get almost to the street with connection in the front, and about a quarter of the way into my back yard.

    My neighbors on either side of me - well, one is an older couple
