From owner-freebsd-questions@FreeBSD.ORG Wed Jan 25 16:36:58 2006
X-Original-To: freebsd-questions@FreeBSD.org
Delivered-To: freebsd-questions@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0E51016A42B for ; Wed, 25 Jan 2006 16:36:58 +0000 (GMT) (envelope-from norgaard@locolomo.org)
Received: from strange.daemonsecurity.com (59.Red-81-33-11.staticIP.rima-tde.net [81.33.11.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id AAFE343D73 for ; Wed, 25 Jan 2006 16:36:51 +0000 (GMT) (envelope-from norgaard@locolomo.org)
Received: from [172.24.8.84] (generic.atosorigin.es [212.170.156.200]) by strange.daemonsecurity.com (Postfix) with ESMTP id CF5F92E03C; Wed, 25 Jan 2006 17:36:50 +0100 (CET)
Message-ID: <43D7A91F.6050606@locolomo.org>
Date: Wed, 25 Jan 2006 17:36:47 +0100
From: Erik Norgaard
User-Agent: Thunderbird 1.5 (X11/20060118)
MIME-Version: 1.0
To: FootballCALL
References: <003401c621bf$863099c0$0301a8c0@LAPTOP>
In-Reply-To: <003401c621bf$863099c0$0301a8c0@LAPTOP>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@FreeBSD.org
Subject: Re: Wireless ISP
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 25 Jan 2006 16:36:58 -0000

FootballCALL wrote:
> Hi,
>
> I am based in the UK and wish to set up a wireless community broadband service to residents and businesses in my community. From my access point, I would like other users to 'share' my connection through wireless technology and therefore they will pay a nominal amount for their internet access.
>
> I therefore require a home page/login page so only registered users can use the connection, and also need to manage bandwidth of these users.
>
> Is this something you can help with?
This depends on what kind of access you want to offer and the need for security:

Web only? Then set up a proxy with authentication. Create a website for initial registration and maybe allow any connection to a service like PayPal to receive payments.

If you want to offer more than web-only, then it becomes complicated. You can require registered users to authenticate using PuTTY - each user is given an account with authpf as shell. Depending on setup, this may not limit the number of connections to one, so you risk that people share their credentials.

I have created a simple setup that relies on MAC addresses. IP is assigned statically and I maintain a static ARP table. All other web addresses are directed to a default page that shows they don't have access. The advantage is that users are not bothered with authentication; the disadvantage is that MAC addresses can be spoofed.

The bad thing is that to make new users aware of the AP, it is open and unencrypted, so you can get a lease and reach the access-denied page. But this also means that anyone can start sniffing for a valid MAC/IP address pair and spoof their way to access. For my single AP with only a few users, I think I should be able to catch abuses and if so implement stronger checks.

For security, the proper way would be to issue encryption keys and require registered users to open a VPN to the gateway. This will:

- force authentication
- encrypt traffic
- prevent spoofing of traffic
- allow the AP to announce itself and be open

and likely some more goodies. The disadvantage is the complex setup, in particular for the novice users, and when people get on other networks they might have to reconfigure their computer.

Cheers, Erik

-- 
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
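The static MAC/IP setup in the reply above catches abuse only if the gateway operator actually looks for pairs that contradict the static table. The following check is an added example, not code from the mail or from Erik's setup; the static table, the observed pairs and the names STATIC_ARP, OBSERVED and check_pairs are all constructed for illustration.

```python
"""Compare (ip, mac) pairs seen on the AP interface with a static ARP table.

Constructed example: the table and the observations are invented; on a real
gateway they would come from the static ARP table and a capture on the
wireless interface.
"""
from collections import defaultdict

# Constructed static assignment: IP -> MAC, as the gateway's static ARP table.
STATIC_ARP = {
    "10.0.0.10": "00:11:22:aa:bb:01",
    "10.0.0.11": "00:11:22:aa:bb:02",
    "10.0.0.12": "00:11:22:aa:bb:03",
}

# Constructed source IP / source MAC pairs, in order of appearance on the AP.
OBSERVED = [
    ("10.0.0.10", "00:11:22:aa:bb:01"),  # registered client, consistent
    ("10.0.0.11", "00:11:22:aa:bb:02"),  # registered client, consistent
    ("10.0.0.11", "00:11:22:cc:dd:99"),  # registered IP used by an unknown MAC
    ("10.0.0.50", "00:11:22:aa:bb:03"),  # registered MAC on an unassigned IP
    ("10.0.0.99", "00:11:22:ee:ff:00"),  # unregistered: should only see the deny page
    ("10.0.0.10", "00:11:22:cc:dd:99"),  # same unknown MAC, second registered IP
]


def check_pairs(static, observed):
    """Return (kind, ip, mac) findings for pairs that contradict the static
    table, plus one finding per MAC that was seen with more than one IP."""
    findings = []
    mac_to_ip = {mac: ip for ip, mac in static.items()}
    ips_per_mac = defaultdict(set)
    for ip, mac in observed:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        if ip in static and static[ip] != mac:
            findings.append(("ip-with-foreign-mac", ip, mac))
        elif mac in mac_to_ip and mac_to_ip[mac] != ip:
            findings.append(("mac-with-foreign-ip", ip, mac))
        elif ip not in static and mac not in mac_to_ip:
            findings.append(("unregistered", ip, mac))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:  # one MAC, several IPs: sharing or spoofing
            findings.append(("mac-multiple-ips", ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    for kind, ip, mac in check_pairs(STATIC_ARP, OBSERVED):
        print(f"{kind:22} ip={ip} mac={mac}")
```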