Date: Sun, 29 Jan 2006 00:05:17 -0600
From: Vulpes Velox
To: Erik Norgaard
Cc: FootballCALL, freebsd-questions@FreeBSD.org
Subject: Re: Wireless ISP
Message-ID: <20060129000517.46f1f999@vixen42.vulpes>
In-Reply-To: <43D7A91F.6050606@locolomo.org>

On Wed, 25 Jan 2006 17:36:47 +0100
Erik Norgaard wrote:

> FootballCALL wrote:
> > Hi,
> >
> > I am based in the UK and wish to set up a wireless community
> > broadband service to residents and businesses in my community.
> > From my access point, I would like other users to 'share' my
> > connection through wireless technology and therefore they will
> > pay a nominal amount for their internet access.
> >
> > I therefore require a home page/login page so only registered
> > users can use the connection, and also need to manage bandwidth
> > of these users.
> >
> > Is this something you can help with?
>
> This depends on what kind of access you want to offer and the need
> for security:
>
> A web only? Then set up a proxy with authentication. Create a
> website for initial registration and maybe allow any connection to
> a service like paypal to receive payments.
>
> If you want to offer more than web-only, then it becomes
> complicated. You can require registered users to authenticate using
> putty - each user is given an account with authpf as shell.
>
> Depending on setup, this may not limit the number of connections to
> one, so you risk that people share their credentials.
>
> I have created a simple setup that relies on mac addresses. IP is
> assigned statically and I maintain a static arp table. All other
> web-address is directed to a default page that shows they don't
> have access.
>
> The advantage is that users are not bothered with authentication,
> the disadvantage is that mac addresses can be spoofed.
>
> The bad thing is that to make new users aware of the AP it is open
> and unencrypted, so you can get a lease and reach the access-denied
> page. But, this also means that anyone can start sniffing for
> valid mac/ip address pair and spoof their way to access.

I thought nearly every available radio already did this as well as
frequency hopping?

> For my single AP with only a few users, I think I should be able to
> catch abuses and if so implement stronger checks.
>
> For security, the proper way would be to issue encryption keys and
> require registered users to open a VPN to the gateway. This will:
>
> - force authentication
> - encrypt traffic
> - prevent spoofing of traffic
> - allow the AP to announce itself and be open
>
> and likely some more goodies.
> The disadvantage is the complex
> setup, in particular for the novice users, and when people get on
> other networks they might have to reconfigure their computer.
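
An added example, not part of the original thread or either poster's setup: a small audit of the static IP/MAC scheme described in the quoted message, run over text in the layout FreeBSD's `arp -an` prints. The allowlist, the addresses and the `ath0` interface name are constructed sample values.

```python
import re

# Constructed allowlist: statically assigned IP -> registered MAC.
REGISTERED = {
    "192.168.10.11": "00:11:22:33:44:01",
    "192.168.10.12": "00:11:22:33:44:02",
    "192.168.10.13": "00:11:22:33:44:03",
}

# Constructed sample input in the layout of `arp -an` on the gateway.
SAMPLE_ARP = """\
? (192.168.10.11) at 00:11:22:33:44:01 on ath0 permanent [ethernet]
? (192.168.10.12) at 00:11:22:33:44:99 on ath0 permanent [ethernet]
? (192.168.10.13) at 00:11:22:33:44:03 on ath0 expires in 1130 seconds [ethernet]
? (192.168.10.50) at 00:aa:bb:cc:dd:ee on ath0 expires in 840 seconds [ethernet]
"""

LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on \S+ (?P<rest>.*)", re.I
)

def audit(arp_output, registered):
    """Return (ip, mac, reason) findings where the table departs from the allowlist."""
    findings, seen = [], set()
    for line in arp_output.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip incomplete or unparsable entries
        ip, mac = m["ip"], m["mac"].lower()
        seen.add(ip)
        if ip not in registered:
            findings.append((ip, mac, "unregistered"))   # leased but never enrolled
        elif mac != registered[ip].lower():
            findings.append((ip, mac, "mac-mismatch"))   # wrong hardware on a paid IP
        elif "permanent" not in m["rest"]:
            findings.append((ip, mac, "not-static"))     # entry can be overwritten by ARP
    for ip in sorted(set(registered) - seen):
        findings.append((ip, registered[ip].lower(), "missing"))  # no pin at all
    # Limitation: a station that clones a registered IP *and* MAC produces a
    # table identical to the legitimate one, so this audit cannot see it.
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP, REGISTERED):
        print(*finding)
```

The audit only confirms that the pinning is in place; spotting a cloned pair needs a signal outside the ARP table, which is why the quoted message treats the VPN as the proper fix.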