Date:      Fri, 26 May 2000 12:11:03 -0400
From:      "Troy Settle" <troy@picus.com>
To:        <freebsd-isp@FreeBSD.ORG>
Subject:   RE: Need advice on software for ISP startup using FreeBDS 4.0
Message-ID:  <NIEBLEDADLBOBAJFKPHDIEFACAAA.troy@picus.com>
In-Reply-To: <250500146.75583@207.206.68.135>


** To all that responded:
**
** I would like to say thanks for your input. From your
** responses I have made some decisions on some of the items
** based on what you said. On other items I see from your
** responses I was unclear in my writing so I will try to
** clarify them.
**
** 1. On the subject of connecting to UUnet. My sentence was
** unclear. I did not mean I was connecting to UUnet direct or
** that they were the people I was calling for problem
** resolution. What I meant was that the UUnet backbone was my
** final connect point to the internet. The truth of the matter
** is, I am looking real hard at SPRINT as the main provider
** and they will connect me to the internet through their
** access to the UUnet backbone. A full 1.5 T1 connect costs
** $1250 per month with burst mode pricing for start up. If
** you know of a better price that I can get, please let me
** know.

I've got 2 T1s to Sprint, it's definitely quality bandwidth.  Their support
has been very good as well.

** 2. On the statement No PAP or CHAP Authentication. There was
** a lot of discussion on this so let me clarify.  The FreeBSD
** handbook states there are 3 login Authentication methods
** (PAP, CHAP, and Login) The login method I take is the
** manual entering in the LOGIN USER ID followed by the manual
** entering of the PASSWORD during each login attempt. Since
** this is what is normally seen by the Windows95/98/2000
** internet user and since this is the target group I want to
** service, this just seemed like the correct choice. Please
** jump right in and correct me or add insight now that you
** know where my head is at.
**
** Now this subject has other considerations when the CISCO
** AS5300-CH48 and radius comes into the picture. First I see
** the PPP function (both single and Multi-link) no longer is
** performed by FBSD but by the CISCO AS5300 and it can be
** configured to let the dialup connection choose the
** Authentication mode. Also someone stated that with current
** radius if you use PAP then you can go off the FBSD password
** file but if you use CHAP then you need a line in your users
** file for every person that I want to grant dial in access.
**
** This discussion subject has spawned new questions in my mind.
** What is the sequence of events in the login process from a
** Windows dial in user?
**
** Is windows looking for a PAP login behind the scenes?
**
** Who is the master login id/password holder, FBSD or radius or
** what?

The user types their username/password into the DUN screen.  They click
connect, and the computer dials out.  When the modem handshake is finished,
the connection enters into PPP.  The NAS asks for authentication (PAP),
Windows responds by sending the username/password provided by the user.

The NAS then puts the authentication information into a Radius
Authentication Request Packet and sends it to the Radius server.  The radius
server then authenticates using /etc/raddb/users.  If the user is not found
here, then the DEFAULT profile is used.  Typically, the password will be set
to SYSTEM or UNIX, which tells Radius to authenticate off the system's
passwd file.

Radius sends an ACK back to the NAS, allowing it to assign an IP address and
other attributes either passed from Radius or retrieved from the local
configuration (time limits might be set by Radius, while a dynamic IP would
be gotten from a defined pool on the NAS).

The whole process works very well.

You can do the same thing with CHAP or even a Login.  The disadvantage to
CHAP, is that you have to have the users' passwords stored in plaintext on
your servers.  Not a good idea.  The disadvantage to a Login session, is
that you'll have to provide your users with a dialup script.  Not a fun
thing to maintain.


** I would like a webpage where a new subscriber can sign up
** for service. Where he enters his credit card, it gets
** billed and then he selects an id/pw, and it's checked
** against the master file after which he is entered into the
** system automatically. I have read web pages from Merchant
** account software vendors like  authorizit.com who offer
** this function. I must leave a door way for this when
** deciding on how to configure CISCO AS5300 / radius world.
** Please help me out here with how you address this.

You can do this easily with apache+ssl+php+mysql.  You can even get a
variant of Cistron Radius that will work directly off a MySQL database,
giving you a one-stop place for managing user accounts.

In addition, you can easily build a mail system that would also work off a
MySQL database.  Postfix (MTA) has MySQL support built in.  Most common
Poppers (cucipop, qpopper, etc...) would be easy to hack to support a MySQL
backend for authentication (or you could just use PAM).


** 3. On the question about the T1/24 channel line for dial in
** connection to the CISCO AS5300. First of all I am staying
** with the CISCO AS5300-CH48 for two main reasons, it's
** growth path and it's initial cost of $10K for 48 digital
** 56K modems. This NAS can use either T1 or PRI lines. The PRI
** line occupies 23 modems per PRI line so after loading the
** first 48 modem card I will always have two modems which are
** not generating revenue. But the big problem with PRI is
** it's overkill, the majority of the subscriber will be
** logging in with a maximum modem speed of 56K and the T1
** will handle that just fine at a much better price. PRI
** costs $890 per month versus $600 per month. Besides ISDN is
** dead with DSL on the horizon. Let some other ISP handle the
** ISDN and DSL speed for the power hungry user. I want the
** AOL user who is fed up with slow response and wants better
** service. It's easier to attract subscribers from other
** ISP's than to attract first time users.

Guess you've done your homework on the 5300.  I wish you the best of luck
here.

ISDN, however, is not even close to dead.  Sure, DSL and Cable access are
cheaper (for the user), and much faster, but neither has been proven to be
more reliable.  It's not that you'll have that many ISDN customers, but you
may get a few people who are interested.

As for your choice between CT1 and PRI, you should be aware that CT1 does
NOT provide users with connect speeds as high as possible.  When we still had
a CT1, I was typically seeing (true) connect speeds of 19.2 to 24.6, never
anything faster.  The day we switched to PRI, we got calls from many customers
thanking us for letting them connect faster (28.8 and 33.6).  Yeah, you
lose a channel, but it's worth it to make your customers happier.  (happy
customers tell friends, who will soon be your customers as well).


** 4. I have changed my desire to host news groups now that I
** know I can out source it. Someone posted that with 13,000
** subscribers that pay $500 per month for 35 simultaneous
** reader slots for news group service of which the peak
** simultaneous reader count so far has been 16. I would like
** to get in touch with some news groups outsourcers to
** develop prices. Please pass on any info you may have access
** to.

Critical Path/Remarq/Supernews (www.supernews.com) provides fairly good
news.  They're hosted on the Above.net network, and performance is decent.
IIRC, they cost $15/month/connection.

Newsread, hosted by Net Access (www.newsread.com), is a no-frills news
service that costs $7.50/month/connection (IIRC).  They've got good
bandwidth, and while we were on them, I don't remember having any
performance problems (we switched to Remarq for political reasons).

Giganews is another, but I have no experience with them.

There are a few others, but none that I can name at the moment.


** 5. Apache13 from the FBSD ports collection. From the
** responses it looks like nobody is using the ports
** collection as they are out of date. Apache 1.3.12 seems to
** be the version to use as it's stable. A post did say that,
** This will be changing to only 3 base Apache servers
** (apache13,apache13+ipv6, and apache13-ssl).  Additional
** functionality would then be added by installing an apache
** module port (mod_ssl, mod_fp, mod_php[34],etc) although 2.0
** is in its 3rd alpha stage.
**
** Well I am lost again. What functionality does ipv6, ssl, fp,
** php provide? Are these functions something your ISP
** supports?

You probably don't need to worry about IPV6 for now.  Frontpage is a neat
toy, and if you're going to do web hosting as well as dialup, you'll
probably want to have it available.

PHP is an embedded scripting language for web pages.  It's extremely
powerful, giving you access to many other applications and services: SQL
(many flavors), LDAP, IMAP, GD (png graphics library), SNMP, and other sub
systems.  Even more modules are sure to be on their way.  If you are going
to build a web-signup tool, you'll want this.  Read more at
http://www.php.net.


** 6.  On the question, Do I have to use quota to limit disk
** space for web page subscribers. Since the only access to
** the FBSD disk space in my case will come from the
** personal/home web page builders and people who want a
** private FTP site. It seems Quota is the simplest solution.
** I don't want to host business web pages of any sort. If I
** do, I have to collect and report taxes on this activity.
** That is just too much red tape for the money.

You have to report all your income.  The more you make, the more they take.
But, know that Web Hosting is almost 100% profit.  He who does not host web
pages is losing money.

Quotas can be implemented in a few different ways:

Filesystem.  The OS takes care of the quotas for you.  This works, but not
always in predictable ways.

Application.  There are FTP servers (ncftpd) out there with built in quota
support that works independently of the OS.  This is a fairly decent way to
maintain order.

Some mail systems also have built in quota support (cyrus for example).
This is because Cyrus is a totally self-contained system that runs as one
user, and makes filesystem quotas useless.

Choose your software carefully.


**
** 7. Your responses were really informative on the subject of
** email software. As I now understand it POP3 sends the email
** to the client and deletes the email from the server,
** whereby IMAP does the sending and then keeps the email on
** the server for some set period. The FBSD sendmail comes
** with SMTP and POP3 which is provided by the popper daemon.
** I want access to the mail system to have login
** Authentication.
**
** How does sendmail handle this with radius controlling the dial
** in world?

POP3 has a function for leaving messages on the server.  I just wiped out a
mailbox with 32k messages (200+MB in size).

Neither POP3 or IMAP is perfect.  If you want to offer any type of Web
Messaging solution, you'll most likely want to support IMAP.

Recommendations here would be for a 10-15MB quota on mailboxes.  If users
don't keep things clean (POP or IMAP), they'll stop receiving mail.  Simple.

For authentication, mail and radius are two, totally separate processes.  At
their simplest levels of implementation, they both authenticate off the same
passwd file, but they don't necessarily have to do this.  I, for one, am a
huge fan of having a unified source for authentication.  For the longest
time, I had my system set up with all users in a single passwd file, and
assigned to one of many different groups.

Every account had email access, and I used the following groups to control
access to other services:

email:  no dialup access
dialup: single channel, single session
dial2: single channel, 2 sessions
dial3: single channel, 3 sessions
mlppp: 2 channels, 1 session
mlppp2: 2 channels for each of 2 sessions

etc...

Cistron Radius handled this method beautifully.  With SUDO and a short
script to wrap around pw(8), I (almost) never had to do any account
maintenance myself (sales and helpdesk did all that).


**
** I see in the MS Windows OS all the email application need
** the POP and SMTP DNS name or IP address. How do I make this
** happen in FBSD sendmail?

Not sure what you are asking.  When you build your ISP, you'll register a
domain name.  You'll set up your own DNS server with appropriate entries in
it.

For your mail server, it simply looks at each message, determines where it
needs to go (foo@domain.com), queries DNS to find out where the heck mail
for 'domain.com' is supposed to go, then attempts to connect to the target
mail server.

For your clients, your NAS (cisco 5300) will assign DNS addresses to your
users when they dial up to you.  You'll provide your users with the required
information (mail, news, home page, etc..) for using the Internet.  This can
be done manually, or through the use of a setup CD.


Good luck again,

-Troy
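The login sequence Troy describes (NAS forwards the PAP or CHAP credentials in an Access-Request, the server walks /etc/raddb/users, a DEFAULT entry with Auth-Type := System falls back to the passwd file) and his warning that CHAP forces you to keep users' passwords in plaintext, as an added example. This is not code from the mail, from Cistron Radius or from Cisco; it is a toy model. The users-file syntax follows the Cistron/Livingston style (first matching entry wins, Group as a check item, DEFAULT as fallback), and every account, password, group and attribute value in it is constructed. The SHA-256 hash stands in for the passwd file's crypt(3) hash; the CHAP digest is the RFC 1994 MD5 form.

```python
"""Toy model of the PAP/CHAP-over-RADIUS flow described in this mail.

Added example, not Cistron Radius or Cisco code. Users-file syntax is the
Cistron/Livingston style; all accounts, passwords and attributes are constructed.
"""
import hashlib
import hmac
import re

SALT = b"constructed-salt"  # a real passwd file stores a per-user salt

def hash_password(password):
    """Stand-in for the one-way hash a passwd file holds (constructed, not crypt(3))."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()

# Constructed view of the system passwd/group files: login -> (hash, group).
PASSWD_DB = {
    "alice": (hash_password("alice-pw"), "dialup"),
    "bob": (hash_password("bob-pw"), "mlppp"),
    "carol": (hash_password("carol-pw"), "email"),
}

# Constructed /etc/raddb/users. A column-0 line names the entry and carries its
# check items; indented lines carry reply items. Simultaneous-Use is a check item
# a real server evaluates against its session database; it is only parsed here.
USERS_FILE = """\
dave    Auth-Type := Local, Password == "dave-pw"
        Service-Type = Framed-User, Framed-Protocol = PPP
DEFAULT Group == "email", Auth-Type := Reject
        Reply-Message = "E-mail only account"
DEFAULT Group == "mlppp", Auth-Type := System, Simultaneous-Use = 1
        Service-Type = Framed-User, Framed-Protocol = PPP, Port-Limit = 2
DEFAULT Auth-Type := System, Simultaneous-Use = 1
        Service-Type = Framed-User, Framed-Protocol = PPP
"""

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*(.*)')

def parse_items(text):
    """Split 'A = x, B == "y"' into (attribute, operator, value) triples."""
    items = []
    for part in re.findall(r'(?:[^,"]|"[^"]*")+', text):
        if part.strip():
            attr, op, val = ITEM_RE.match(part.strip()).groups()
            items.append((attr, op, val.strip().strip('"')))
    return items

def parse_users(text):
    """Return [(name, check_items, reply_items), ...] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace():                 # continuation line: reply items
            entries[-1][2].extend(parse_items(line))
        else:
            name, rest = (line.split(None, 1) + [""])[:2]
            entries.append((name, parse_items(rest), []))
    return entries

def find_entry(username, group, entries):
    """First entry whose name and Group check item match the request."""
    for name, checks, replies in entries:
        if name not in (username, "DEFAULT"):
            continue
        if all(v == group for a, op, v in checks if a == "Group" and op == "=="):
            return checks, replies
    return None

def chap_response(ident, secret, challenge):
    """RFC 1994 MD5-CHAP: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def authenticate(username, pap_password=None, chap=None):
    """Decide an Access-Request. chap is (ident, challenge, response) from the NAS."""
    hashed, group = PASSWD_DB.get(username, (None, None))
    found = find_entry(username, group, parse_users(USERS_FILE))
    if found is None:
        return "Access-Reject", "no matching users entry"
    checks, replies = found
    reply = {a: v for a, _, v in replies}
    auth_type = next((v for a, _, v in checks if a == "Auth-Type"), "System")
    if auth_type == "Reject":
        return "Access-Reject", reply
    if auth_type == "Local":                  # cleartext password kept in the users file
        secret = next(v for a, _, v in checks if a == "Password")
        if pap_password is not None:
            ok = hmac.compare_digest(secret.encode(), pap_password.encode())
        else:
            ident, challenge, response = chap
            ok = hmac.compare_digest(chap_response(ident, secret, challenge), response)
    else:                                     # System: only the passwd hash is available
        if hashed is None:
            return "Access-Reject", "unknown user"
        if chap is not None:
            # The CHAP digest is computed over the cleartext password, which a
            # one-way passwd hash cannot supply: this is why CHAP means storing
            # passwords in plaintext on the server.
            return "Access-Reject", "CHAP needs the cleartext password; passwd holds only a hash"
        ok = hmac.compare_digest(hashed, hash_password(pap_password))
    return ("Access-Accept", reply) if ok else ("Access-Reject", "bad credentials")
```

Running `authenticate("alice", pap_password="alice-pw")` walks past the `dave` and group-specific entries to the last DEFAULT and accepts off the hashed store; the same user with a CHAP tuple is rejected because the server has nothing to compute the digest from, while `dave`, whose cleartext sits in the users file, passes either way. The `email` group entry shows the passwd-group mechanism Troy used to deny dialup to mail-only accounts.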



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
