Wireless ISP

Vulpes Velox v.velox at vvelox.net
Sat Jan 28 21:54:30 PST 2006 

On Wed, 25 Jan 2006 17:36:47 +0100
Erik Norgaard <norgaard at locolomo.org> wrote:

> FootballCALL wrote:
> > Hi,
> > 
> > I am based in the UK and wish to set up a wireless community
> > broadband service to residents and businesses in my community.
> > From my access point, I would like other users to 'share' my
> > connection through wireless technology and therefore they will
> > pay a nominal amount for their internet access.
> > 
> > I therefore require a home page/login page so only registered
> > users can use the connection, and also need to manage bandwidth
> > of these users.
> > 
> > Is this something you can help with?
> 
> This depends on what kind of access you want to offer and the need
> for security:
> 
> A web only? Then set up a proxy with authentication. Create a
> website for initial registration and maybe allow any connection to
> a service like paypal to receive payments.
> 
> If you want to offer more than web-only, then it becomes
> complicated. You can require registered users to authenticate using
> putty - each user is given an account with authpf as shell.
> 
> Depending on setup, this may not limit the number of connections to
> one, so you risk that people share their credentials.
> 
> I have created a simple setup that relies on mac addresses. IP is 
> assigned statically and I maintain a static arp table. All other 
> web-address is directed to a default page that shows they don't
> have access.
> 
> The advantage is that users are not bothered with authentication,
> the disadvantage is that mac addresses can be spoofed.
> 
> The bad thing is that to make new users aware of the AP it is open
> and unencrypted, so you can get a lease and reach the access-denied
> page. But, this also means that any one can start sniffing for
> valid mac/ip address pair and spoof their way to access.

I though nearly every aviable radio all ready did this as well as
frequency hoping?
 
> For my single AP with only a few users, I think I should be able to 
> catch abuses and if so implement stronger checks.
> 
> For security, the proper way would be to issue encryption keys and 
> require registered users to open a VPN to the gateway. This will:
> 
> - force authentication
> - encrypt traffic
> - prevent spoofing of traffic
> - allow the AP to announce itself and be open
> 
> and likely some more goodies. The disadvantage is the complex
> setup, in particular for the novice users, and when people get on
> other networks they might have to reconfigure their computer.

More information about the freebsd-questions mailing list