[OpenWireless Tech] Setting up an open network now?

Russell Senior russell at personaltelco.net
Sat Nov 10 14:52:17 PST 2012


>>>>> "Eugene" == Eugene Smiley <eug.smiley at gmail.com> writes:

>> Display of policy page
Eugene>    What you are looking for is called Captive Portal. Examples
Eugene> are nodogsplash, nocatsplash, CoovaChilli.

We use NoCatAuth, which amazingly fits on 8meg flash devices with
OpenWrt.

>> Provide for Termination

Eugene>    This is easier said than done. MAC address filtering is
Eugene> easily bypassed. You'd have to have actual user accounts and
Eugene> maintain a radius server or something like that to have that
Eugene> level of control.

To be 100% effective, that might be true.  But to be 99.99% effective,
it's not too hard.  In our experience, almost no one knows how to
change their MAC address.  There are exceptions, and to manage those
might end up feeling like whack-a-mole.  Then it's an endurance test
to see who gives up first.  We have not had this problem in a couple
years.

Our experience has been that people are *really* happy to be doing
normal internetty things.  Things that need our intervention are when
people are bittorrenting or doing something else that is saturating
the upstream capacity for extended periods of time.  Usually the
people causing this problem do NOT realize they are causing a problem,
since it's "working" for them.  So, we *temporarily* block them.  Just
drop all their traffic (by MAC address).  This seems to make a big
impression, and they get the message that they've transgressed
somehow, and the abusive behavior tends to stop.  Again, 99.99% of the
time.

One of the things on our TODO or wish list is to have a way of
redirecting people to a "please stop doing $foo" page, perhaps
integrated with our captive portal, which would be a slightly less
blunt and more direct way of communicating the problem to the user.

If you do NOT provide feedback, users are going to develop the
impression that it's okay and the network will become increasingly
unusable until the host gives up and feels they have to close it off.

To be able to intervene like this, you need management tools on the
gateway device.  Things like ssh to log into the device remotely,
tcpdump so that you can figure out the abuser's IP address and MAC
address, and iptables so that you can introduce the blocking rule.
I like the iftop utility too.

We would rather not intervene.  We would prefer that abundant backhaul
was available everywhere.  But until it is, empirically, we seem to be
in a region of the solution space that works.

All of that seems pretty "manual" and needs a human brain involved.
Perhaps there's an opportunity to automate this to a greater degree
than we have.  We've left it manual because we want to experience and
understand the problems better.

FWIW.


-- 
Russell Senior, President
russell at personaltelco.net
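
Added example, not part of the original message and not Personal Telco's own tooling: one way to turn the tcpdump-then-iptables routine described above into a reviewable step. The gateway MAC, the capture lines, the `tcpdump -e -n -q` line layout and the use of the FORWARD chain are all assumptions made for illustration; the script only prints the rules, so a human still decides whether to apply them.

```shell
#!/bin/sh
# Added example: rank LAN clients by bytes seen in a capture, then print
# (not run) a temporary MAC-based DROP rule for the heaviest one.

GW_MAC="02:00:00:ff:00:fe"   # constructed: the gateway's LAN-side MAC

# Constructed sample; the layout of `tcpdump -e -n -q` output is assumed.
sample_capture() {
cat <<'EOF'
14:50:01.000001 02:00:00:aa:00:01 > 02:00:00:ff:00:fe, IPv4, length 1514: 10.11.0.23.51413 > 198.51.100.7.6881: tcp 1448
14:50:01.000410 02:00:00:ff:00:fe > 02:00:00:aa:00:01, IPv4, length 1514: 198.51.100.7.6881 > 10.11.0.23.51413: tcp 1448
14:50:01.000822 02:00:00:aa:00:01 > 02:00:00:ff:00:fe, IPv4, length 1514: 10.11.0.23.51413 > 198.51.100.9.6881: tcp 1448
14:50:01.103000 02:00:00:aa:00:02 > 02:00:00:ff:00:fe, IPv4, length 74: 10.11.0.40.40112 > 203.0.113.80.443: tcp 0
14:50:01.140000 02:00:00:ff:00:fe > 02:00:00:aa:00:02, IPv4, length 590: 203.0.113.80.443 > 10.11.0.40.40112: tcp 524
14:50:02.000000 02:00:00:aa:00:03 > 02:00:00:ff:00:fe, IPv4, length 98: 10.11.0.51.40200 > 192.0.2.1.80: tcp 32
EOF
}

# Read capture text on stdin; charge each frame to the MAC that is not the
# gateway ($1), so uploads and downloads both count. Prints "bytes mac".
top_talkers() {
    awk -v gw="$1" '
        $3 == ">" {
            src = $2; dst = $4; sub(/,$/, "", dst)
            client = (src == gw) ? dst : src
            if (length(client) != 17 || client == "ff:ff:ff:ff:ff:ff") next
            for (i = 5; i < NF; i++)
                if ($i == "length") { n = $(i + 1); sub(/:$/, "", n); bytes[client] += n; break }
        }
        END { for (m in bytes) print bytes[m], m }' | sort -rn
}

# Print the iptables command for one MAC: $1 is -I (block) or -D (unblock).
# Malformed MACs are rejected so nothing else can ride along in the rule.
block_rule() {
    [ "${#2}" -eq 17 ] && printf '%s\n' "$2" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    echo "iptables $1 FORWARD -m mac --mac-source $2 -j DROP"
}

sample_capture | top_talkers "$GW_MAC"
worst=$(sample_capture | top_talkers "$GW_MAC" | head -n 1 | cut -d' ' -f2)
block_rule -I "$worst"    # review, then run on the gateway to block
block_rule -D "$worst"    # run later to end the temporary block
```

On a live gateway the sample would be replaced by a bounded capture piped into top_talkers; the interface name and packet count to use depend on the device.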
