Ask Slashdot: Best Way To Leave My Router Open? 520
generalhavok writes "I read the story on Slashdot earlier about the EFF encouraging people to leave their WiFi open to share the internet. I would like to do this! I don't mind sharing my connection and letting my neighbors check their email or browse the web. However, when I used to leave it open, I quickly found my limited bandwidth dissappearing, as my neighbors started using it heavily by streaming videos, downloading large files, and torrenting. What is an easy way I can share my internet, while enforcing some limits so there is enough bandwidth left for me? What about separating the neighbors from my internal home network? Can this be done with consumer-grade routers? If the average consumer wants to share, what's the easiest and safest way to do it?"
Think again (Score:5, Insightful)
Wasn't it just this week that we had the lovely account of someone getting the SWAT treatment [slashdot.org] just for leaving their router free and open?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Two routers (Score:4, Informative)
Here's the way we do it
We have an old router which is plugged into a spare port on our optical switch (fiber to the home), and has an open wireless G for anyone to use, configured to assign DHCP addresses from 192.168.200.x where x is 175-200, and with SSID of "All Connections Logged". Our newer router is plugged into a different port on the optical switch and assigns DHCP addresses in the range 192.168.100.y where y is 100-125, and our home net is connected to this one by cat6 cables and encrypted wireless N (MAC filters, hidden SSID, long key, blah blah). Each of these routers has a different public IP address assigned by the ISP, and they both maintain logs of MAC addresses connecting to them, so we don't worry too much about misbehaving outsiders - there have been none so far.
FWIW, we have no usage caps on our 100Mbps fiber connection, so leaving a 54Mbps wireless-G open to passers-by does us no harm economically. In principle we could set it to 11Mbps Wireless-B, but we have never had a bandwidth hog connecting. Incidentally, our ISP gives us up to 8 public IPv4 addresses, of which we use 3-5: the IP-TV box uses the third, and work-related laptops sometimes use one or two more (via cat6 to another port on the optical switch).
Re:Two routers (Score:5, Insightful)
Those don't do anything. MACs can be found by outsiders not connected to your network despite how encrypted the network is. Hidden SSIDs aren't anything either. The same tools that will display the MACs will also show all hidden SSIDs within range.
Sure, they block the average user, but anyone who wants to get in will have no trouble at all.
Re:Two routers (Score:4)
MAC filters, hidden SSID
Those don't do anything. MACs can be found by outsiders not connected to your network despite how encrypted the network is. Hidden SSIDs aren't anything either. The same tools that will display the MACs will also show all hidden SSIDs within range.
Sure, they block the average user, but anyone who wants to get in will have no trouble at all.
Ah, but it will block intruders, including the script kiddies you refer to. First, the antenna is unidirectional, and points from a lower corner of the house to the opposite upper corner. The wireless-N field is usually undetectable outside the house near ground level - I've checked - and utterly undetectable outside our garden (which extends more than 20 meters from the house on all sides). So there is no network and no SSID to detect outside our garden. Second, there are only two MACs allowed to connect to the secured wireless, and they are rarely connected, so snooping for MACs would mostly fail even if a snooping device were smuggled inside the house. All other devices connect via the cat6 wires, and if they have wireless, it is disabled. Thirdly, the secure network uses WPA2 with a nontrivial AES key, so bypassing the MAC filter would be useless in any event.
And why would anyone spend the effort trying to crack our secure wireless-N when we make available a completely open wireless-G which is detectable for over a hundred meters in all directions? Unless they enter our garden and attach permanently-on snooping devices to the walls of our house, they would fail to get past the MAC filter, and even then they would not penetrate the wireless-N encryption anyway. So in our case, your warning is both wrong and wrong-headed. Didn't you ever learn that wireless networks can be secured against anything short of a police/military grade attack?
Re: (Score:3, Insightful)
Here's the way we do it
We have an old router which is plugged into a spare port on our optical switch (fiber to the home), and has an open wireless G for anyone to use, configured to assign DHCP addresses from 192.168.200.x where x is 175-200, and with SSID of "All Connections Logged".
What good does it do to "log connections" if the MAC address can be spoofed?
What you need to watch out for is someone pulling up on the street, downloading mass child porn, and heading off into the sunset. The FBI will be well aware that you could be "spoofing" a MAC address yourself. You might not be convicted, but it sure as heck would be a major hassle - and what is the benefit again? Let the freeloaders buy some bandwidth themselves...
Re:Two routers (Score:5, Insightful)
and what is the benefit again?
Living in the kind of world where other people might do the same for you.
Re: (Score:3)
Mind posting your country, ISP, plan, monthly rate? Its good to spread the love as much as the hate, and while we often hear about the ones that are terrible you never hear about decent/fair ISPs and plans. Of course, maybe that just means they aren't out there but I'd like not to believe it :)
Finland. DNAinternet/mediakoti. Euro 65/month, including IP TV with basic channels and a package of pay channels. It supposedly includes a telephone service over IP as well, but we never tried it as we all have cellphones.
Re: (Score:2)
Not really. You could use your own guest network to do nefarious things and would remain under suspicion.
Lo (Score:2)
Oh, officers, you have it all wrong! Those terabytes of k1ddy pr0n on my hard drive prove my innocence!
Re:Think again (Score:5, Insightful)
...prove you are innocent...
I'm no longer so naive that I can't recognize the futility of saying "You can't prove a negative, and under our system of jurisprudence, the burden lays on them having to prove you are guilty, not you having to prove you are innocent"....but that's no longer true is it, if indeed it ever was. It makes me sad that we are falling into that.
My other point, if there's any to be made, is that if you allow your router to have open access for all, you can claim common carrier status and be exempt from the actions of your "users". Comcast doesn't get arrested for someone downloading kiddie porn using their network, why should you?
3rd point and this is the most important, is that there is an increasing digital divide between those who have and those who don't. If you are poor, out of work, etc, it's a lot easier to get a laptop than it is to get internet service. I don't want my bandwidth abused as I am a heavy downloader but I have WRT-DD installed and I'll be looking into segregating and rate limiting my wireless connection.
The older I get, the more I realize that it's going to be important for the good of all for people to start breaking free of the corporate binds. In the future, I can't help thinking that there might be some poor kid, with an old laptop, and having even a 5k connection (remember that?) might mean the difference between having a future and not having one.
So, do what you want, all of you but I'm the type of guy who runs tor on his laptop hooked to his iphone all night just to piss off ATT. Flooding our corporate overseers with lots of misleading info is one good way to hide yourself. There's a lot of good reasons to consider doing this but separate VLAN and rate limiting are mandatory first
think again? u aint thunk yet (Score:2, Interesting)
The DMCA protects service providers. If I am deliberately sharing my internet connection, I AM a defacto service provider. There are rules one must follow but most of them apply only to operators of a certain size - which means we enjoy the protections of the DMCA without sharing the burdens like forced record keeping.
People have been abused by law enforcement for al sorts of reasons. If they go to far, you sue. Of course, if they are led to your house by the actions of a neighbor and then find, through som
Re: (Score:2)
Although your ISP's service agreement probably explicitly states that you're not permitted to do this..
Re:think again? u aint thunk yet (Score:5, Informative)
Violating your contract with your ISP -- if you have -- is purely a civil matter, and has nothing to do with anything else being discussed here. And it definitely does not make you a criminal.
Re: (Score:3)
Re:think again? u aint thunk yet (Score:4, Insightful)
I don't think you even have to go through the motions of a straw man arguments you made. Fact is small ISPs get pushed around by law enforcement all the time. I've work for some of the biggest and some of the smallest and it's a night a day difference how law enforcement treats you for the exact same thing. It's not uncommon for law enforcement to threaten to confiscate your data center because you dared to stand up for your legal rights. It's not uncommon for law enforcement to harass your employees or call the larger upstream providers and peers to talk about their theories. Small ISPs have been run out of business by Attorneys, Cops and Feds who knew nothing about technology but had a gut feeling something was off.
On the other hand working at a large ISP the Cops and Feds are practically at your beck and call. In exchange we processed their wiretap orders (usually dozens to hundreds daily.) And they better have had their paper work in order or we weren't going to do jack squat for them. They wanted to tangle we could lawyer them hard. The cops were going to burn a lot of OT pay in deposition, let alone the other legal fees we could create.
Star Bucks, McDonalds, Dunkin Donuts, etc, they don't worry about free WiFi. They're big companies.
The law is not about being right in either a legal or moral sense. It's about resources, connections and power.
Re: (Score:3)
"I'm sorry, are you saying that because of "innocent until proven guilty", it's not in your own best interest to present a defense?"
No, that is not even remotely what I wrote. You wrote that "it is your responsibility" to prove your innocence. It is not. Period. Regardless of how it plays out in court, legally the responsibility of proof rests completely with the state.
"Your analogy lacks on key aspect. The police KNOW that specific IP address was assigned to YOUR account when the illegal actions occurred."
No, it does not lack in that respect. You are forgetting that my wifi router can be accessed from anywhere in the neighborhood, not just from my home. LOTS of people have theoretical access, including residents of a nearby apartment complex.
That means, very clearly, th
Re: (Score:2)
Re: (Score:2)
Of course I'm sure your ISP has a TOS that states you can't be a service provider and you are buying service for personal use only.
Re: (Score:3)
Of course I'm sure your ISP has a TOS that states you can't be a service provider and you are buying service for personal use only.
Such a clause is not really enforceable. They can't demonstrate any harm if you violate it. At best they can discontinue the contract. contracts are about allowing both parties to protect themselves from harm. It is not about allowing parties to impose a restriction. Its especially not there simply to limit competition in the free market.
A packet is a packet is a packet. they are alleging to sell you bandwidth, so as long as you don't exceed what they claim to be selling you, they are not harmed.
I could be
Re: (Score:2)
Only their not going to send you a nice letter asking for logs, they are going to break down your door, point a mp5 in your face and throw you on the ground. Then they take your stuff and check it out for as long as they want.
Re: (Score:2)
Every individual is now assumed to be a dangerous criminal for 'officer safety'.
Re: (Score:3)
John Q. Public never even hears from the cops. That's the thing most people don't seem to get getting about the whole SWAT team thing -- it happens to like six people out of a hundred million. You might as well argue that people shouldn't share their connections because they could be electrocuted while configuring their routers, it's about the same probability.
Re:Think again (Score:5, Funny)
No problem. After you open it up, just call your local police and let them know that any illegal activity on your IP address is probably not coming from you. Problem solved.
Re: (Score:2)
Re: (Score:2)
2) Get IP blocklists and block a whole lot of IPs. If you use a Windows as a platform for proxy software at any step PeerBlock is a great point and shoot solution with massive lists of IPs (P2P snooping, Spyware, etc) included. Numerous parental filtering software could work here too.
3) For plausible deniability, perhaps force anyones connection through Tor?
Re:Think again (Score:4, Insightful)
I agree with #3, just route all traffic through Tor.
If you have a Linux server, you could set up Squid to reduce web bandwidth usage. To reduce torrent bandwidth usage, you could also host an FTP server on one of your PCs, so they don't have to go out to the internet. But then that opens up a whole new legal can of worms.
Reminds me of a time when I worked at my school's I.T. department, and they were considering whether we should block pornography in the dorms because it was consuming a lot of bandwidth. My solution? Host our own porn server!
My proposal was rejected.
Re: (Score:3, Funny)
Re: (Score:3)
The answer is seriously very very simple.
Separate VLANs and don't buy a shitty "home router" that has no options which enable you to keep your connection running smooth while giving people the option of wifi. 99% of the problem is buying a $20-40 router which you end up replacing after 5 years when it falls apart.
I would strongly suggest a Cisco WRVS4400N [cisco.com] - you can have up to 5 SSID's, separate VLAN's, encrypt your own with a public one unencrypted, and bandwidth controls so that WIFI can't eat all your ba
Re: (Score:3)
Cisco-branded enterprise products should not be confused with Cisco-branded SOHO products which are suprisingly sucky. You can do all of the above with a $45 refurbished Linksys E2000 router with dd-wrt installed.
Re: (Score:2)
Agreed. I usually respect the EFF, but in this case I think they are crazy.
Re: (Score:2)
Don't discourage him. With a name like "generalhavok", he seems the ideal candidate for leaving his wifi open
Re:Think again (Score:5, Insightful)
You, and the many other commenters who agree with you have it completely backwards. Your linked story is exactly why more people should open up their networks.
Fear of the police abusing their power is a terrible reason to avoid doing a perfectly legal action. Yes, it's more convenient, but if everybody goes along with the police abusing their power in that manner, it implicitly becomes acceptable. Providing internet to other people is not illegal, and not a good reason to get your door kicked in, and the police should know this. The consequence for the police not knowing this should NOT be more people cowering in fear. It should be that whoever is affected files suit against the police and the police are sanctioned for their actions.
Nobody wants to go through that, of course. But we should.
Re:Think again (Score:5, Insightful)
People really need to stop changing their behavior out of fear, and start standing up like men again.
If you aren't willing to stand up for what is right, please go somewhere else. I rather liked America when it was the land of the free and independent.
Route the guest traffic through tor. (Score:2)
Route all the guest traffic through tor, and they won't (practically) be able to track those packets to your network.
Heck, for that matter run a tor exit node too, to really confuse the courts if they every go after you anyway. :)
Comment removed (Score:5, Insightful)
Re: (Score:3)
"The fact that so many technically inclined Slashdot types are crying 'liability' and 'log everything' is almost as saddening as the fact that our government has pushed us to this. That some guy got thrown down the stairs by a rifle-wielding mob from nothing more than an IP address isn't a sign that we should all lock down our precious connections lest the same happen to us, it's a sign that every fucking one of us should open up our connections and tell the government that we refuse to be intimidated."
Damn
Re: (Score:3)
Re: (Score:2)
What an asinine statement! It may be true, but the offhand way you make it implies that being arrested is no big deal.
In reality, being arrested for child porn, or getting sued by the MPAA, is a very serious and unpleasant matter. Even if the evidence is in your favor, it can require significant time, money, headaches, and effort to clear up. Being arrested will subject you to fingerprinting and, increasingly, DNA sampling, both of which are likely to remain on file f
Re: (Score:2)
Forget finger printing and DNA sampling, how about when they freeze your assets so that you can't make bail long enough to toss you into prison where you are strip searched.
I don't know about you, but I'm a lot more perturbed by that than a fingerprinting.
And that's on a good day, on a bad day some reporter's story runs out so instead they run your name in a headline.
Sounds like a great plan. (Score:2)
Guest network (Score:3)
The second part (keeping people off your home network) CAN be done by some consumer grade routers that support a Guest Network. My Netgear 37AV has that ability. You set up a second SSID that is open. It can get to the WAN port, but can't see anything on the LAN or the private SSID.
As for using bandwidth... no I'm not sure you can do a lot there with a standard router. You could turn on QoS to make sure that your traffic has priority on the router over someone elses, but you'll be pretty limited in terms of stopping them from chewing up bandwidth the rest of the time. I really don't recommend this if you're on a metered connection.
QoS doesn't do the main job here (Score:2)
QoS may help you throttle your guests' upstream bandwidth, which is more important, but it's not going to do anything for downstream, which is the more common problem, because the QoS markings on downstream packets will normally be set to the default value by the websites or bittorrent peers that are sending them.
Re: (Score:2)
The second part (keeping people off your home network) CAN be done by some consumer grade routers that support a Guest Network. My Netgear 37AV has that ability. You set up a second SSID that is open. It can get to the WAN port, but can't see anything on the LAN or the private SSID.
I've got to say that I'm pretty fond of Buffalo's WZR-HP-G300NH routers. They come with your choice of "Professional" or "User-Friendly" firmware choices, with the Professional version as default {DD-WRT}. Guest networks are available with both firmware sets. They're good for isolating point-of-sale networks for PCI compliance, too, with QoS features that you mentioned earlier.
http://buffalotech.com/products/wireless/wireless-n-routers-access-points/airstation-nfiniti-wireless-n-high-power-router-access-p [buffalotech.com]
DD-WRT + QoS (Score:5, Informative)
It's absolutely possible and fairly easy these days with out of the box router firmwares, or if yours doesn't support QoS (Quality of Service), then you can potentially put on an open-source firmware -- DD-WRT to provide that ability and much more. QoS lets you designate classes of traffic, such as streaming, gaming, and other protocols, or particular devices on a WAN or plugged into the router itself and set priorities for them. Doing this, you can share your WiFi AP (good for you!), but also get the lions' share of your bandwidth when you are wanting to use it.
Re: (Score:2)
OpenWRT/Tomato/DD-WRT or bust (Score:4, Interesting)
For setting up bandwidth limiting for OpenWRT, well, OpenWRT is for real men (or real women), as this wiki page should make clear [openwrt.org]. Losta commandline and config files; there are web frontends but I'm unsure if any let you fiddle with these kinds of powers. But if you're looking for fine-tuned control, OpenWRT is pretty much a distro in its own right so the possibilities are pretty vast.
For Tomato (which I use 'cause the graphs are pretty), unlike what SighKoPath has said here, you don't have to set up specific rules for each MAC or IP; just set up the classifications for your own devices, then in QoS -> Basic Settings set the Default Class to something like, say, Class E. Now you can set the bandwidth limits for random strangers in Class E and any device or type of traffic that you don't have an overriding rule for gets categorized in Class E, so any new random neighbor devices will fall into that class. Simple.
As far as routers go, a lot of existing routers (as long as you didn't buy a really bad one with too little memory to even install anything to) are supported by at least one of the three main firmwares. Tomato is far more restricted in terms of choice, but if you can't find a spare WRT-54Gv1-4 lying around, Linksys deliberately sells the WRT-54GL for the sake of folks who'd like to install Linux-based alternate firmwares. For OpenWRT you can check their Table of Hardware [openwrt.org], random pick, the Buffalo WZR-HP-G300NH is good bang-for-your-buck. DD-WRT's equivalent table is here [dd-wrt.com]; you can actually get some routers, like Buffalo's WHR-HP-G54-DD, which come with DD-WRT pre-installed. Never actually tried DD-WRT myself . . . I'm a bit of an open-source zealot, and DD-WRT has had a somewhat sketchy record. Plus, have I mentioned Tomato has pretty graphs?
Re: (Score:3)
does dd-wrt do this with a simple user-friendly UI?
last time I looked, it was going to require fiddling with IP tables and stuff.
sure, I could probably learn all that - but it would be a pain, and I'd have the nagging doubt that I might have configured things incorrectly...
Re: (Score:3)
DD-WRT (and most likely Tomato) also provide Hot Spot software that your neighbors "log in" to get on the net through your connection.
http://www.dd-wrt.com/wiki/index.php/Chillispot [dd-wrt.com]
It may at least give you a possible "out" if the law breaks down your door, but I'm sure it violates your ISP TOS.
Re: (Score:2)
I used to use DD-WRT, and I do remember being able to configure multiple SSIDs on a single router, some with encryption and some without. So i
Just be careful with that (Score:5, Insightful)
That said, I leave my wifi router open as well, but if you're going to do it you have to do it knowing the risks. Being accused of kiddie porn, for instance, is going to stick with you forever, regardless of guilt or innocence.
Re: (Score:2)
What about making the open wifi restricted? Is that even possible? Like block these bad sites.
Re: (Score:2)
Black Lists Don't work.
White Lists are the only real reasonable tool in this case.
And boy is that a headache.
Re: (Score:2)
Ah. Since this is your open wifi, then rules should be applied.
Re: (Score:2)
Re:Just be careful with that (Score:4, Informative)
In your Firefox profile there's a file called
, which has a table with a list of visited URLs. Writing a script to extract those URLs, filtering the domains, removing duplicates and formatting the list in a way that can be read by the filter shouldn't be too hard.
Re: (Score:2)
The thing that makes me laugh about this submission is heeding the EFF's advice and sharing your ISP connection - most likely against your TOS, then coming here to ask how to control and restrict it in ways that would make the EFF kersplode if the ISP were to do it. I suppose in the same spirit it would be OK if I hacked someone's router and shared the _whole_ connection with everyone else right? I'd like to see the argument against that.
I can see doing it out of personal convenience, knowing the risks I
mac-rationing ? (Score:2)
All new mac-addresses get 24 hours of free access; after that they're blocked for 1 week... Adjust thresholds accordingly...
Better check your ISP TOS (Score:3, Insightful)
Your ISP may be none to happy when they find out you're sharing your connection, I'd double check their terms of service just in case.
Check your ISP TOS when you pick your ISP (Score:2)
Yup. The biggest concerns I had when picking my ISP were Terms of Service and availability of static routing. Back when I first got consumer broadband, there were many ISPs that didn't want you to run web servers from home, and some major ones that only allowed you to use one computer on the account unless you paid extra. Eventually the ISPs decided to allow multiple home computers (usually with NAT), because they understood that the market had changed and when people got new computers for themselves the
Why does your ISP have anything to say here? (Score:3)
Shouldn't the ISP deliver my bits regardless of what they are?
If someone knocks on my door and asks to borrow my telephone, I don't need the phone company's permission.
If I type an email on behalf of a friend without a computer, my ISP doesn't get to complain that those weren't "my" bytes.
But if you're that concerned, just route the guest traffic through TOR and at least through packet sniffing they won't be able to distinguish the guest traffic from your own. All they'll see is encrypted traffic which co
Firewall your LAN and setup a guest network (Score:2)
Open access but outside the firewall possible? (Score:3)
I just posed the same question in another topic, and wrote this:
WiFi routers should have the option of putting the air link on the outside of the local firewall. Actually, it would make sense if, by default, open WiFi links gave guest access to the outside Internet world, but not the inside LAN world, while encrypted links offered access to the inside world. This allows opening up guest access without exposing local servers and Windows shares.
A router should support both modes simultaneously, offering itself as two access points. Encrypted links should have higher packet priority over nonencrypted links, so that guest access can't starve out authorized users.
This seems obvious enough that some routers probably implement it already. Anyone know of one?
Re: (Score:2)
Maybe DD-WRT [wikipedia.org] or OpenWRT [wikipedia.org] support this?
Network neutrality? (Score:2)
If you must... (Score:2)
Meeting Complex Requirements is Not That Easy (Score:2)
You've got a couple of choices - get a system that gives you lots of detailed controls so you can do anything you want, at the cost of understanding the complexity yourself, or sticking to simple cookie-cutter tools, but you won't find most of those letting you do bandwidth limitations on some connections. You can probably take DDWRT and convince it to do what you want, or you can take a dedicated BSD or maybe Linux machine and do all sorts of interesting things with it, but either way you'll have to do so
If you've got an old PC around (Score:3)
You might take a look at IPCop [ipcop.org] or Smoothwall [smoothwall.org]. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.
Re: (Score:3)
You might take a look at IPCop [ipcop.org] or Smoothwall [smoothwall.org]. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.
Ahh, yes. iptables... the intuitive interface of the linux command line combined with the arcane of networking. I used to have an old P133 as a NAT box (slackware) that also did a few other server-related tasks, and I had some iptables rules configured. I think the truth of the matter is that unless you are very, very well versed in networking, you can't write your own rules and end up copying some stale rulesets from things you find on the intarweb, hoping to bend them to your needs. I never knew what
transparent proxy + traffic shaping (Score:2)
Re: (Score:2)
DDWRT or m0n0wall/PFSense (Score:2)
You really just need something that either has an extra interface for your wireless network, or can do 802.1Q vlan tagging and a vlan capable switch. I think even with a LInksys and DDWRT, you can put the built-in wireless AP on it's own VLAN. THen you just give the wireless it's own subnet, disallow traffic from the wireless subnet to your personal subnet. I think you can even do multiple SSID's and put each SSID on it's own VLAN, one for the public and one for you. Then just allow egress traffic on po
It's a BAD IDEA (Score:3)
Forget being a nice guy, and in this case, the EFF's recommendations. Aside from the issues you raise yourself, this story [arstechnica.com] should be all it takes to convince you of the foolishness of such a policy these days.
To answer your question directly, yes, some consumer AP / Routers can shape traffic like you're asking. You will need to divide your network into multiple VLANs, I would suggest three: One wireless and wide open, one wireless and secure for your use, and one for the wired side. Then, bandwidth limit the free wireless, route appropriately, and apply a security policy to protect yourself. You might also consider logging all that "free" traffic so when the Feds show up with a warrant, you have some kind of audit trail to get yourself out of jail.
I'm not aware of any consumer grade equipment that will do this out of the box. On the other hand, there are several free / open firmware projects that replace the factory firmware that are linux based, and may be able to meet your needs. A couple (by no means all) of these projects are http://www.dd-wrt.com/site/index [dd-wrt.com]> dd-wrt and https://openwrt.org/ [openwrt.org]> Open-wrt .
Beware though, that not all of the consumer hardware is created equally internally. Research carefully the hardware / replacement firmware combinations to make sure you can get where you want to be before spending money. You'll also be stressing the hardware far beyond it's original design, so opt for more RAM and a faster embedded processor.
Gee, this sounds like a PITA.....
Hope this helps, and that you don't get arrested.
--Red
Re: (Score:3)
Traffic shaping (Score:2)
But the existing traffic shaping solutions are impenetrable and impossible to use. This makes me very unhappy. I'm also not sure that the traffic shaping policy I want is possible with the existing traffic shaping tools.
I have a small Linux box I use as a router, and I have 3 LANs + the external link. LAN 1 is my trusted internal network. LAN 2 is the network for any windows box, my gaming systems and any housemates. LAN 3 is the wireless.
I want a traffic shaping policy that says something like this:
pfSense ftw (Score:2)
I believe all of this is possible (even multiple SSIDs with one router) with OpenWRT or DD-WRT on certain hardware, but I never got it working right. I just ended up using an two Linksys routers (one with open wifi, one encrypted) and pfSense [pfsense.org] as a router. You can even do this with just pfSense and couple wireless cards. Private wifi bridges to the local network, public is on an isolated subnet. pfSense traffic shaping [pfsense.org] keeps users in check. I have a QOS class for "public" traffic which is limited to a c
Don't. (Score:3)
But if you must... Where did you live again?
http://nocat.net/ needs updating (Score:2)
As I mentioned in another post (http://slashdot.org/comments.pl?sid=2111634&cid=35964896), I wish that nocat.net was updated
DON'T (Score:2)
The question is flawed. While you may think you are helping society, you are unlikely to do much good and risk getting hacked. It isn't the robbed bandwidth or the chance of the FBI knocking on your door because somebody downloaded kiddie pr0n. It is because getting into the wi-fi router puts that person's computer inside your intranet. Would you let some random person sleep in the spare room of your house?
'nuf said
Screw the EFF (Score:2)
Leaving your wifi open is a security nightmare and an invitation for abuse. Someone hogging your bandwidth is the least of your worries. Before long someone is going to hack your own computers and download kiddy porn on your connection. Law enforcement won't accept "intentionally left it open for the good of mankind" as a legitimate excuse. Rather, they'll tell you that you should have known better and you asked for the trouble you got into. Why do you want to make life difficult for yourself?
If you ha
Don't do it (Score:2)
I am not sure what kind of neighborhood you live in or what kind of router you have, but this is almost pointless. With my old G router, which was set in the living room, I could get a signal on my front porch and the bedroom right next to it. My N router has dramatically futher reach, but signal is still weak in many areas. With my N, I can get almost to the street with connection in the front, and about a quarter of the way into my back yard.
My neighbors on either side of me - well, one is an older couple
Re: (Score:2)
It's the same as someone walking across your property to do something illegal.
We have to train the law that your router != you.
Re: (Score:2)
No, I don't. (Score:3)
http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000512----000-.html [cornell.edu]
Put up a shared wap. Make it so that they have to click through a web page every 24 hours to get access enabled. Make sure there is a contact email address on your web page.
Make the DHCP leases expire, say, every 30 minutes. That will allow sporadic youtube viewing, email checking and all sort of other activity without allowing lengthy file transfers.
Now your neighbors have access, you have good qos, and you may be reasonably pr
Re: (Score:2)
We have to train the law that your router != you.
You first...
Re: (Score:3)
MAC addresses which can be cloned and spoofed so there's really no security at all!
Re:I do this all the time! (Score:5, Insightful)
Yes, and locks can be picked, so it's useless to use locks on doors too! (You aren't stupid enough to lock your door are you?)
I hate that argument. Even a weak lock is a lock which says "unauthorized not welcome." And MAC address filtering requires that someone knows what a MAC address is and how to change theirs. You have to admit, this is not "casual technical knowledge." True what you say, but that depends mostly on what demographic you are speaking about. If you are talking about your average Facebook/twitter/Youtube user on the net, you'd basically be wrong.
Re:I do this all the time! (Score:4, Insightful)
There is a whole world of difference between a pickable lock on a car door and security on a router:
Someone sits there spending 30 minutes by a car door. People eventually will notice and either drop a note to the local gendarmes, or approach the person with pointed questioning. Especially people know the owner of that car.
Someone parked in a car spending 30 minutes on a laptop or cellphone to crack open a WEP protected router, few would notice, much less care about the issue.
MAC address filtering also is a switch flippable by anyone on a router. Yes, it gives a speed bump, but use it for what it is designed for -- keep honest people honest (say after a LAN party, you turn it on to kick everyone off but your stuff before you change your key.)
I highly recommend using MAC address filtering as the icing on the cake, but if you don't use WPA2 (or if forced to, WPA), you are asking to be hacked.
Re: (Score:3)
"Someone sits there spending 30 minutes by a car door."
No, they have or make a "slim jim" and have it open nearly as fast as if the car were locked in many cases. Wedging doors etc is easy too.
That's how wreckers respond to lockouts when you call AAA!
If you have physical access, game is usually over unless owner takes advanced precautions.
Re: (Score:2)
When I first started to use tethering on my phone, it was just called something like "3G internet" and I would get 10-12 people trying to connect to it when I'm at an airport or coffee shop. Then I changed the name to "You_will_get_viruses_from_this", and now only 1-2 try to connect to it. So, while changing the name isn't the best protection, it could still help.
Re: idiotic thing to do? (Score:2)
As with most things, I can see both sides of it.
From an organization like the EFF's point of view? It's in their best interest to get a "critical mass" of individuals sharing their Internet connections via free, open wi-fi, because it weakens the case for law enforcement to hold people responsible for "not properly securing their connection" if something goes wrong. (If I had to come up with a quick analogy for this, I guess I might liken it to the police giving you a ticket or fine for not locking your d
Re:Security - DMZs (Score:2)
Hey, we let you in, Mr. Anonymous Coward!
You may not want any strangers on the "trusted" side of your firewall, but that's a job for a DMZ, which has access controls between it and your trusted side as well as between it and your internet connection.
Re:Security (Score:5, Informative)
To deal with the bandwidth issues, that non-authenticated VLAN should, naturally, have a QoS priority below any authenticated traffic(possibly with a small slice of guaranteed bandwidth, if you are a really nice guy and your authenticated traffic frequently saturates the line..)
Most consumer routers won't let you do that with stock firmware; but openWRT can likely help you out, with the right firmware.
Worst case, it is often possible, with better stock firmwares, to at least set up the VLAN and QoS side of things, and then just hang a $20 cheapy router off the VLANed port on the primary router. Ugly; but cheap and easy and doesn't require any software support for multiple SSIDs or the like.
That's the wrong side of the problem (Score:2)
The objective is to prevent trouble, not to punish the guilty after they've caused it. Sometimes trouble is drive-bys spamming, sometimes it's a regular abuser, like the neighbor's kid downloading too many movies and hogging all your bandwidth. The main things you want to do are keep their bandwidth use limited, and keep them from connecting to any machines you don't want them to access (e.g. visiting friends can access your printer, but strangers can't.)
Re: (Score:2)
Wow... this is a great idea! Providing a Tor or I2P channel for free is an awesome way to contribute to onion routing networks and provide a more "secure" way to run an insecure public setup. I'm curious what would have to be done to expose a Freenet node in this way... such that the interfaces for managing the node were blocked, but regular traffic wasn't impeded.
Re: (Score:2)
Agreed. GP post is a great idea.
Regarding Freenet, if I recall correctly, it's possible to configure who can manage the freenet node by IP address or subnet. It should be in text config file. So, if you put your machines on 192.168.1.0/24 and guests on 192.168.10.0/24, you can allow access from 192.168.0.0/16 but only allow management from 192.168.1.0/24.
Fonera (Score:2)
Re: (Score:2)
Seriously, the astro-turfers are just getting lazy.