
Ask Slashdot: Setting Up a Wireless Catch-and-Release 332

Posted by samzenpus
from the you-don't-have-to-browse-at-home-but-you-can't-surf-here dept.
First time accepted submitter SSG Booraem writes "I'm on the IT committee at my church. We've recently added wireless access points to our Family Life Center, but the committee chair isn't comfortable with allowing unrestricted access to our network. We host a lot of guests during the week for Upwards basketball practices and on Saturdays for games, so we want to restrict internet access to the Sunday school classes held in that building. Unfortunately, neither he, nor I, know anything about setting up a wireless catch-and-release like in hotels. If anyone could point me at good documentation, I would be very grateful."

  • Open-mesh (Score:5, Informative)

    by hedwards (940851) on Monday January 16, 2012 @06:00AM (#38711806)

    Honestly, just use something like open-mesh, it has all the software available to do just that without too much hassle. Additionally they're more easily spaced throughout the building with less interference than you would normally get.

  • charge 'em (Score:4, Insightful)

    by samjam (256347) on Monday January 16, 2012 @06:00AM (#38711808) Homepage Journal

    Use enterprise WPA2 with keys. Give each client device a key. Charge $5 to provide a key. Church members who are donating will probably reduce their donation by $5 that month in order to pay for the key.

    You can revoke keys individually.

    Disclaimer: I don't know what I'm talking about, you might need expensive hotspots to do that, but for a large building with more than one hotspot, you probably want special hotspots with decent handover as folk move from one hotspot to another.

    • Re:charge 'em (Score:5, Informative)

      by dissy (172727) on Monday January 16, 2012 @07:49AM (#38712220)

      Another option is to use a Captive Portal built into a routing device.
      If you can throw together a machine with two NICs or some wireless cards, the software side can be handled with ZeroShell [zeroshell.net], or if you prefer a paid support contract, the previously open source Untangle [untangle.com].

      Captive Portal requires registration with a username/password to use the wifi, and can perform metering if you wish to charge or just limit time. You can also set up different sets of web filters or firewall rules that change on a set schedule.

      The Web Filtering modules will likely make your committee chair happy, as you can easily block most categories like pornography, gambling, hacking, etc.
      It isn't impossible to get around of course, but should be enough for due diligence.

      Good luck!

      • Re:charge 'em (Score:4, Informative)

        by heper (1031798) on Monday January 16, 2012 @09:34AM (#38712656) Journal
        Go to www.pfsense.org. pfSense is all you need for this and every other firewall / router / captive portal / ... project, and it's open source with optional paid support if required.
      • Re:charge 'em (Score:5, Informative)

        by Anonymous Coward on Monday January 16, 2012 @09:42AM (#38712720)

        Untangle (http://www.untangle.com/Lite-Package, the lite package, which I think is still free) is what I implemented at my work guest network and am implementing at my Church's guest network. Initially we deployed this with the captive portal at my work; we have some policy requirements that require logon, and captive portal checks that compliance checkbox.

        For Church we will only be using the transparent proxy features to blacklist or whitelist websites. It keeps it simple, which translates that I don't have to manage it all the time (which I am sure having time to do this is a problem for you as well).

        For the committee that is concerned about the internet access, give them access to the Untangle webpage so they can see the reports of what sites are being blocked and what is getting the most usage. This should help them be more comfortable that this is being used for good.

        I would also recommend using access points that support multiple VLANs and SSIDs. This avoids placing extra WAPs just for guest and allows you to keep your guest SSID separated away from the church's systems (you will have to configure your firewall, we place the guest VLAN in a simple DMZ) that may have financial information or member on them.

      • Be aware that the combination of an unsecured wifi connection with a captive portal, while convenient for users, is fundamentally insecure. The actual data traffic is unencrypted (unless the particular application/website uses application level encryption) and anyone can gain access by spoofing the IP/MAC of an existing client.
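
Added example, not part of any comment in this thread: since a captive portal authorizes a client by its MAC/IP, one check a defender can run is to look for a portal-authorized MAC that is associated to two access points at once or whose DHCP hostname changes mid-session. The key=value log format, field names, grace window and sample events are constructed assumptions, not the output of Untangle, pfSense or any other product named here.

```python
import re
from collections import defaultdict

# Constructed sample events in a hypothetical key=value format (seconds since
# midnight); the field names are assumptions, not any product's real log schema.
SAMPLE_LOG = """\
32400 event=assoc ap=ap-east mac=02:00:00:aa:00:01
32402 event=dhcp mac=02:00:00:aa:00:01 ip=10.20.0.11 hostname=classroom-tablet
32430 event=portal_login mac=02:00:00:aa:00:01 user=class3
32900 event=assoc ap=ap-east mac=02:00:00:aa:00:02
32902 event=dhcp mac=02:00:00:aa:00:02 ip=10.20.0.12 hostname=teacher-laptop
32920 event=portal_login mac=02:00:00:aa:00:02 user=class4
33000 event=assoc ap=ap-west mac=02:00:00:aa:00:02
33003 event=disassoc ap=ap-east mac=02:00:00:aa:00:02
34000 event=assoc ap=ap-west mac=02:00:00:aa:00:01
34005 event=dhcp mac=02:00:00:aa:00:01 ip=10.20.0.11 hostname=gym-phone
34060 event=disassoc ap=ap-west mac=02:00:00:aa:00:01
"""

LINE = re.compile(r"^(\d+) event=(\w+)(.*)$")
ROAM_GRACE = 10  # seconds an old association may linger during a normal roam

def parse(log):
    """Yield (timestamp, event, fields) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
            yield int(m.group(1)), m.group(2), fields

def find_shared_macs(log):
    """Return sorted (mac, reason) pairs for portal-authorized MACs that look shared."""
    authorized, alerts = set(), set()
    live = defaultdict(dict)   # mac -> {ap: time of association}
    pending = {}               # (mac, old_ap) -> time a two-AP overlap began
    hostnames = {}             # mac -> first DHCP hostname seen
    for ts, event, f in parse(log):
        mac = f.get("mac", "").lower()
        # An overlap outliving the roaming grace window: two radios share one MAC.
        for key, start in list(pending.items()):
            if ts - start > ROAM_GRACE:
                alerts.add((key[0], "concurrent-association"))
                del pending[key]
        if event == "portal_login":
            authorized.add(mac)
        elif event == "assoc":
            for old_ap in live[mac]:
                if old_ap != f.get("ap"):
                    pending[(mac, old_ap)] = ts
            live[mac][f.get("ap")] = ts
        elif event == "disassoc":
            live[mac].pop(f.get("ap"), None)
            pending.pop((mac, f.get("ap")), None)  # normal roam: old AP let go in time
        elif event == "dhcp":
            # Hostname is client-supplied, so a change is a weak signal on its own.
            first = hostnames.setdefault(mac, f.get("hostname"))
            if f.get("hostname") != first:
                alerts.add((mac, "dhcp-hostname-changed"))
    # Only MACs the portal has authorized are worth an alert here.
    return sorted(a for a in alerts if a[0] in authorized)

if __name__ == "__main__":
    for mac, reason in find_shared_macs(SAMPLE_LOG):
        print(mac, reason)
```

The second client in the sample roams cleanly between access points and is not flagged; an overlap still open when the log ends is left unflagged because its outcome is unknown.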

    • Admin (Score:2, Insightful)

      by Anonymous Coward

      Use enterprise WPA2 with keys. Give each client device a key. Charge $5 to provide a key. Church members who are donating will probably reduce their donation by $5 that month in order to pay for the key.

      You can revoke keys individually.

      Disclaimer: I don't know what I'm talking about, you might need expensive hotspots to do that, but for a large building with more than one hotspot, you probably want special hotspots with decent handover as folk move from one hotspot to another.

      That sounds like a great quick-get-the-job-done solution but here's the 'but': administration.

      Most churches have an admin - one business admin. I don't know how to put it kindly so here's a prediction of what will happen based upon what I've observed with other things that these administrators do:

      You will be constantly dealing with folks whose key doesn't work. Keys that still work when they shouldn't and a constant searching for keys.

      It will be one cluster fuck.

      Volunteer IT person?

      They turnover fast: they

  • by Shadow of Eternity (795165) on Monday January 16, 2012 @06:01AM (#38711812)

    You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your sunday school students reach the internet? Or are you trying to block the guests off your network completely? Since this is tagged as wireless why not just use WPA2 and set up your students, classes, or whatever with access?

    Not sure what the point of one of those hotel pages is here.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You could still try to point him in the right direction, if someone asks for the way to the airport it isn't that important if you understand why he wants to leave town!

    • by Kjella (173770) on Monday January 16, 2012 @09:12AM (#38712534) Homepage

      You're trying to set up one of those hotel style "Welcome to our network give us all your money to see the internet" pages to let only your sunday school students reach the internet?

      Most hotels I've been to in the last years in the Nordic countries have had WiFi included in the room charge, but they've all required a login all the same. I assume it's a) so that "everyone else" in nearby buildings can't connect and b) maybe related to some kind of billing between the hotel chain and the wifi provider. It's all a matter of how much management you need, because surely at least one of the patrons is there both for sunday school and for basketball practice and will leak a fixed key to everyone and their dog. Personal accounts means lots of management overhead. I assume he's looking for a simple way to give ad hoc access to the people attending the sunday school, something like a ticketing machine that'll give you a login valid for X hours. Like, you must be in the physical areas for sunday school to get a wifi login or a simple printout the teacher can bring to class that's good for the class(es) that day.

      • It may also stop employees from (ab)using the hotel's internet connection during work hours.

      • Most hotels I've been to in the last years in the Nordic countries have had WiFi included in the room charge, but they've all required a login all the same. I assume it's a) so that "everyone else" in nearby buildings can't connect and b) maybe related to some kind of billing between the hotel chain and the wifi provider.

        It's so they can make you agree to their Acceptable Use Policy first, thus waiving all responsibility for their users should one of them do something illegal.

    • by nurb432 (527695) on Monday January 16, 2012 @10:41AM (#38713180) Homepage Journal

      Not all hotels charge. They just force you to agree to a EULA so they don't get into legal hassles.

  • by Anonymous Coward on Monday January 16, 2012 @06:04AM (#38711820)

    Try to flash a Linksys:

    http://www.polarcloud.com/tomato
    http://www.dd-wrt.com/site/index
    http://coova.org/

  • Just turn it off (Score:5, Insightful)

    by Captain Hook (923766) on Monday January 16, 2012 @06:05AM (#38711824)
    If the access point is only meant to be used by the Sunday school, and they only meet at certain times, why not just switch the AP off when the Sunday School meeting isn't running?
  • Simples (Score:3, Informative)

    by Anonymous Coward on Monday January 16, 2012 @06:05AM (#38711826)

    Try Easy Hotspot - http://easyhotspot.inov.asia/ obviously depending on exactly what you want to do... (we run the authentication system as a VM but it'll work nicely on a cheap PC). Also we're using DD-WRT on our access points, so only using the easyhotspot system as an authentication system.

  • Here's an idea (Score:5, Informative)

    by Pikoro (844299) <init AT init DOT sh> on Monday January 16, 2012 @06:06AM (#38711830) Homepage Journal

    Try a google search for "Captive WiFi Portal".

    That's the term you want. Get yourself a DD-WRT compatible router and install one of these packages: http://www.dd-wrt.com/wiki/index.php/Captive_Portal [dd-wrt.com]

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Absolutely. I will throw my (considerable, following Christmas excesses,) weight behind pfSense (pfsense.org) as a captive portal (CP) solution.

      An old PC with a (couple of) extra $5 NIC(s) will provide a great, free, robust, easy to setup CP.

      • Re:Here's an idea (Score:4, Informative)

        by hairyfeet (841228) <bassbeast1968@NOsPAM.gmail.com> on Monday January 16, 2012 @08:37AM (#38712408) Journal
        It's a shame you posted AC as I'd say your idea is the clear winner and would only add that if you are doing this for a church you should talk to your local mom & pop PC shop. Not only are we packrats and tend to have boxes full of NICs but if it's a church or other non profit we'll often work with you to get you something thrown together as close to cost as possible. Since it's a non profit I'd not want some big old power sucking P4 blasting through power, I'd use an underclocked Celeron or Sempron, maybe something in the sub 2GHz range since he won't need that much power for that job, and build it into a nice cheap old Dell or Emachine mini tower and there you are, a dirt cheap CP box. Hell, if you are lucky they may even have an older SFF office box just sitting in the back they can let you have dirt cheap that would be perfect for the job and if you ask nicely I bet the guy would even be willing to help you set it up.
    • Re:Here's an idea (Score:5, Informative)

      by Lumpy (12016) on Monday January 16, 2012 @07:24AM (#38712096) Homepage

      Don't use DD-WRT, that project is dead. Last BETA release was 2 years ago. Use OpenWRT that has many packages for this and is still actively maintained.

      No matter what he IS going to have to spend at least 2 weeks learning this stuff, or buy a commercial setup maintained by an IT professional.

      • May I suggest using two APs; one has a strong key WPA 2 PSK and WPS disabled. It serves as the main access point for biz apps. The second one simply connects to the first one, uses a different non-interfering channel, and is the public version of the private one (WPS disabled, 802.11g only to catch the widest denominator of potential user). Route the second AP to the gateway.

        And like a good IT admin, make sure that all of the machines on your biz network are fully secured, updated, and turned OFF when not i

  • Captive Portal (Score:4, Informative)

    by Anonymous Coward on Monday January 16, 2012 @06:07AM (#38711834)

    It's called a captive portal, and it's not the solution you're looking for. Depending on AP it'll be easier to set up time of day access or only give the WPA2 passphrase to churchgoers.

    • Re:Captive Portal (Score:4, Informative)

      by Anonymous Coward on Monday January 16, 2012 @06:57AM (#38712006)

      From past experience (probably obsolete) - ChilliSpot [wikipedia.org] was a very straightforward captive portal to set up (simplest setup is a beige box with two network cards, plus two configuration scripts).

      ChilliSpot appears to be a defunct project, but CoovaChilli [coova.org] has risen from its ashes.

    • *Waves hand over submitter's eyes* These are not the solutions you are looking for...

    • by deniable (76198)
      Exactly. You could even just turn the thing off when not needed. Bonus points: use Sunday school items for the passphrase. Today's password is ..., let's talk about that.
  • by acidream (785987) on Monday January 16, 2012 @06:07AM (#38711838) Homepage
    Seems like you could just set a password and post it somewhere in a room that is not accessible to guests. Change the password every week.
  • by bgarcia (33222) on Monday January 16, 2012 @06:09AM (#38711840) Homepage Journal
    Restrict the wireless router's use to Sunday mornings during class. Don't operate it during the week.
  • Use something like the Meraki MR16 - It sounds like you aren't the most technically savvy in this regard, and even if you were this makes life easy. There are other ways to do this, but this is probably the easiest I've seen. www.meraki.com
  • by demerson3 (1631599) on Monday January 16, 2012 @06:37AM (#38711938)
    At my church we have a pretty simple policy: the network is protected with WPA2 encryption, it has an easy-to-remember password, and we give it to everyone who needs it. Make sure staff knows not to tell the password to your basketball guests, etc. We change the password about once a year, and let the new password spread organically. It works pretty well. People in the congregation ask each other for the password (or more likely, ask someone whom they know is on the tech-savvy side) and so those who need it are able to get back on. Another thing that you can do is give the network an essid name like "Sunday School Only" -- that will make your guests less likely to try to gain access, and also the Sunday School patrons will know that they should feel free to ask for the password.
    • +1. Also, with a DD-WRT (or Openwrt) you can easily* enable internet access only on Sunday. * In DD-WRT, it is under "Access Restrictions" => "Days"
  • by petval (2474520) on Monday January 16, 2012 @06:40AM (#38711950)
    Hi, latest BSD mag 1/12 has this article Home Brew Captive Portal With OpenBSD [bsdmag.org]:
    Have you ever used a public wireless network that has a splash screen such that you have to agree to certain terms before going to the Internet? The author of this article will show you step by step how to build one of those using OpenBSD’s Packet Filter (pf).
  • Whilst the captive-portal system where you log in via an HTML form seems to be popular (perceived ease of use?), you can also do per-user password authentication at the WiFi level.
    All you need is an AP that supports EAP (or Enterprise) WPA (all good ones will), and to set up a RADIUS server (http://freeradius.org/ [freeradius.org]) to handle the actual authentication.
    Personally this is much cleaner (AP isn't listed as unsecured, you don't have to wait for the redirection to the portal which is inevitably slow and doesn't work a

  • by Meneth (872868) on Monday January 16, 2012 @06:46AM (#38711962)

    What I think the OP wants is to give people Internet access without simultaneously giving them access to the organization's LAN. He also doesn't want to invest in new hardware, seeing as how they've just done that.

    So: how to set up the WLAN APs to block IP packets directed to anything except the gateway (or the Internet) itself?

    • I can set up a guest wifi network on my router that has a separate WEP/WPA key and does not allow access to the other wired/wifi network unless I specifically say it can. It's a Netgear DGND3300v2 if that's any help...
  • by outsider007 (115534) on Monday January 16, 2012 @07:14AM (#38712052)

    You want to get your hands on a patron saint of wifi [wikipedia.org] figurine to put on top of your router.

  • Biblical pass code (Score:4, Interesting)

    by petes_PoV (912422) on Monday January 16, 2012 @07:53AM (#38712240)
    Just make the pass phrase a biblical quote. Change it each week and you kill 2 birds. How likely is it that the basketball players will have a bible handy AND your religious classes will have an incentive to read it to find the reference.
    • by iamhassi (659463)
      ^--this. You could even have contests to pick the next passphrase and publish the winners in the weekly bulletin. You don't even really need prizes, just the recognition that their bible quote was chosen is probably enough because people love to be recognized for accomplishing something: "yeah, my bible quote was the wifi password last week"
  • by gregthebunny (1502041) on Monday January 16, 2012 @08:28AM (#38712362) Journal

    http://coova.org/ [coova.org]

    Ubuntu Server + CoovaChilli + DD-WRT = an easy and free captive portal system

    WARNING: this is not a drop-in solution, some customization and piecing-together required. Throw FreeRADIUS or CoovaRADIUS into the mix for easier user-level authentication.

  • by ldm (676254) on Monday January 16, 2012 @08:33AM (#38712386)
    I've used MikroTik hardware in the past to build wifi hotspots for customers. It's pretty easy to use, very friendly command line. You want something like this [routerboard.com] in an enclosure something like this [linitx.com]. They're reasonably robust, and once configured properly, will do what you want (and a whole lot more should you want to change the setup in future) for a good long time.
  • You can specify day/time options for wireless access. I know it's on Linksys routers. Probably Netgear too.
  • Hire someone! (Score:4, Insightful)

    by Monoman (8745) on Monday January 16, 2012 @09:28AM (#38712620) Homepage

    Just because churches operate as tax exempt non-profits doesn't mean they can't afford to pay someone to do the work. If your church doesn't have a member that is in the IT business (and willing to do the work for free) then hire a local tech company to set it up for you. Support the local nerd economy!

  • It sounds like what you want is not catch-and-release, but just to allow certain specific machines in your Sunday school to access the net. In that case you can enable the MAC address filter in the router to limit access to only those machines. Everyone else will be blocked. This solution requires no extra hardware or software, it is built into the router.

    http://compnetworking.about.com/cs/wirelessproducts/qt/macaddress.htm [about.com]

  • Is your goal to provide internet access to church members or to charge them for internet access like a hotel?

    How many people do you expect?

    For example the Linksys E class routers have a built in 'guest network' feature that has a second SSID that is broadcast for Guests and allows up to 10 simultaneous users to connect. This gives them internet access only and doesn't allow them access to the actual network. Though it's limited to 10 people. This would be a simple solution but if you had more than ten p

  • just set a password and only list it in the areas that you want people to have the wifi.

    And that does not cost anything to put it.

  • We've recently added wireless access points to our Family Life Center, but the committee chair isn't comfortable with allowing unrestricted access to our network

    Why would you not solve the problem before doing that first bit?

  • Catch and Release? I too have to question that naming, but from the summary, I get that they want to set up some sort of system where you first log in in some way and then you have access to the network.

    Turns out, the type of system is a bit easier than you might think.

    Let's start with the basics:

    DHCPD. It's a process that we're all familiar with... at least in the sense that we all know what it's for. Turns out, you can specify MAC addresses for special treatment and assignment to specific pools. That'
