Free, open internet portal
-
One of my goals that just recently became a possibility (thx pfSense and ALIX guys), is an open AP that provides free internet access to everyone in radio range.
So - Captive portal and DHCP is running on OPT1 (for an external AP in bridge mode), my LAN is on a different subnet, with me having access via OpenVPN routing.
My only concern is…the AP is an Apple Airport Express. A quick scan shows that there are three ports open:
PORT STATE SERVICE
5000/tcp open upnp
5009/tcp open airport-admin
10000/tcp open snet-sensor-mgmt
and there is no way to close these. What do you think? Should I worry?
Anyway - I'd like to offer internet access to DNS(OpenDNS only), HTTP, HTTPS, IMAPS and SMTPS but I am worried that someone could abuse my free portal by trying to brute force some mail/web accounts. Any ideas on how to make brute force attacks difficult via firewall rules only?
Anything else I should think about? I don't care so much about legal issues if there are any. Thx!
-
I run a captive portal at one of my offices for visitors. In order to 'discourage' the local populace from using this as 'their Internet' (sic) I have the following config:
- Idle timeout of 30 mins
- Hard timeout of 180 mins
- Bandwidth limits 512kb-down/128kb-up - enough for visitors to check their 'mail but not enough to encourage spending the day on Youtube!
- APs are not in the IP range of the CP network (if I need to configure them I set static IP on my WLAN card, also AP range is nothing like CP range - 10.12.14.16/29 vs 192.168.1.0/24)
- Disclaimer on the CP login page with VERY CLEAR STATEMENTS - i.e. "This network is monitored and all activity recorded" & "Infringement of this policy or any applicable laws will be reported to the appropriate authority"
As for your AP ports. I'm not familiar with Airport I'm afraid. If it's dedicated to this CP network then I recommend changing the IP address as above - APs bridge at layer 2, so the management IP doesn't need to be in the same range as the network it supports for it to work. That's if you can't close those services down completely. I have noticed that on some kit (Netgear WNR1000v3 specifically), the UPnP port stays 'open' even when UPnP is disabled.
I don't care so much about legal issues if there are any
Really? Going to jail because the ISP says 'those' images were sent from your house - I'd care enough to make sure that verbose logs were retained, at least! Also, OpenDNS - good - I'd recommend http://www.opendns.com/home-solutions/parental-controls/ for that.
As for preventing your network being a stage for attacks - don't make it attractive for that: limited bandwidth, limited ports, hard timeout - make them move on to the coffee shop down the street.
Hope that makes some sense…
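Putting the "limited ports, limited bandwidth, make them move on" advice into firewall terms, here is an added example (not jonallport's or the pfSense project's own config) written in raw pf.conf syntax; pfSense builds rules like these from the GUI, where the connection-rate limits live under a rule's Advanced Options. Interface names, the AP subnet and the LAN subnet are assumed values for this example.

```pf
# Assumed interface names and subnets (constructed for this example)
ext_if  = "em0"              # WAN
ap_if   = "em2"              # OPT1, the segment the bridged AP hangs off
ap_net  = "192.168.1.0/24"   # captive-portal clients
lan_net = "10.0.0.0/24"      # private LAN, must stay unreachable from the AP side
opendns = "{ 208.67.222.222, 208.67.220.220 }"   # public OpenDNS resolvers

# Clients that trip the connection-rate limits land here
table <bruteforce> persist

# Keep the AP segment away from the LAN and from itself. Note that this only
# catches traffic that actually reaches OPT1; two WLAN clients talking through
# the AP at layer 2 never hit the firewall and need wireless isolation on the AP.
block in quick on $ap_if from $ap_net to $lan_net
block in quick on $ap_if from $ap_net to $ap_net

# Already-flagged sources get nothing at all
block in quick on $ap_if from <bruteforce>

# DNS only to OpenDNS, so the filtering/logging there is not bypassed
pass in quick on $ap_if proto { tcp, udp } from $ap_net to $opendns port 53 keep state

# Web: browsers open many parallel connections, so the limit is generous
pass in quick on $ap_if proto tcp from $ap_net to any port { 80, 443 } \
    keep state (max-src-conn-rate 100/10, overload <bruteforce> flush global)

# IMAPS/SMTPS: a real mail client opens a handful of sessions; each failed login
# retry is usually a fresh TCP connection, so a tight rate makes guessing slow
pass in quick on $ap_if proto tcp from $ap_net to any port { 465, 993 } \
    keep state (max-src-conn-rate 5/60, overload <bruteforce> flush global)

# Everything else from the AP segment is dropped and logged
block in log quick on $ap_if from $ap_net
```

Entries in <bruteforce> never age out on their own; a cron job running `pfctl -t bruteforce -T expire 3600` clears addresses older than an hour. The limits only see new TCP connections, so many guesses over one persistent HTTPS session are invisible to pf, which is why the bandwidth cap and hard timeout still matter.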
-
-
Great advice from jonallport. I'll add one thing.
I don't care so much about legal issues if there are any.
You appear to be in Germany and I'm not sure what the legal situation is like there, but for reasons like this:
http://arstechnica.com/tech-policy/2012/06/swat-team-throws-flashbangs-raids-wrong-home-due-to-open-wifi-network/
people in general should be wary of the legal issues unless you want a SWAT team knocking down your door, throwing flashbangs and pointing guns at you. Also depending on the country, you could be liable for other people's copyright infringement and have a hard time proving otherwise.
-
hey thanks! I have moved the AP address into another subnet and added a (virtual) static interface on my computer for configuration. Works like a charm! I was using timeouts and bandwidth limiting already.
One neighbour is already browsing dating sites via his android phone. I am helping people get together already! :D
For those legal issues - like I said: I really don't care. Most of the media is fear mongering and overall bullshit anyway! I wouldn't agree with a law that forbids internet sharing or that makes me responsible for any damage dealt by a person using it. It just makes no sense… like the anti-gun lobby in the US.
-
One more question: I'd like to deny inter-client communication (for privacy reasons).
Currently I use this rule on OPT1 to deny all inter client traffic:
Block * AP Subnet * AP Subnet *
since the WLAN is bridged …
clients -> WLAN bridge -> OPT1 (AP Subnet) -> WAN...that rule should do the trick, right? Thx.
-
One more question: I'd like to deny inter-client communication (for privacy reasons).
Currently I use this rule on OPT1 to deny all inter client traffic:
Block * AP Subnet * AP Subnet *
since the WLAN is bridged …
clients -> WLAN bridge -> OPT1 (AP Subnet) -> WAN...that rule should do the trick, right? Thx.
Not necessarily. The WLAN clients will be able to talk at layer 2 through the AP, it never hits the OPT1 interface - effectively the AP is a wireless switch/hub. Usually this can be resolved in the AP config, typically called 'wireless isolation' or similar.
-
That's good to know. Thx. Too bad my AP (Airport Express, 802.11n 1st gen) doesn't implement such a feature. Is it part of 802.11?
-
Airport does not support WLAN isolation; it would prevent all of those shiny Apple gadgets seeing each other using Bonjour.
As far as I can see it's not a 'standard' - no RFCs or IEEE docs that I can find - it's just quite common.
Also, back to the earlier 'legal' point. From http://en.wikipedia.org/wiki/Wireless_security#Open_access_points:
…in some countries including Germany, persons providing an open access point may be made (partially) liable for any illegal activity conducted via this access point.
Worth bearing in mind.
-
One neighbour is already browsing dating sites via his android phone. I am helping people get together already! :D
As an alternative, get a 3G jammer. People then might take their eyes from their "smartphones". One doesn't actually need "dating sites" to chat up potential sex partners. :)
Especially if someone conveniently provides an "open WLAN" and sneakily monitors your pickup lines. ;)