Creating a Free Wireless Hotspot
There comes a time in the
life of every wireless fanatic when he or
she wants to share the thrill of wirelessness with every
other human being on the planet, or
at least those who come within range.
Perhaps you have a high-speed Internet
connection at home, which goes unused when you are at work.Why
not let the neighbors use it? Why not let the whole neighborhood
use it? And if your neighbors share with their neighbors...
There are, in fact, several sizable projects
underway based on this vision. As of early 2004:
➤
NYCWireless
(www.nycwireless.net),
dedicated to providing free
wireless Internet service to mobile users in public spaces
throughout metropolitan New York City, had a database of
over 180 nodes or
hotspots.
➤
Houston
Wireless (www.houston-wireless.net),
a community wireless group
promoting pervasive, high-speed wireless
data in urban and suburban Houston, was at 93 nodes and
growing.
➤
Seattle
Wireless network (www.seattlewireless.net),
which envisions a not-for-profit, community-owned
wireless network covering
metropolitan Seattle, had more than 30 nodes operating, and half
a dozen more on the verge of
operating.
➤
The
So Cal Free Net (www.socalfreenet.org)
is rolling out free hotspots and wireless backbone locations in
the San Diego and Los Angeles areas
of Southern California.
➤
The
Personal Telco Project (www.personaltelco.net)
consists of a volunteer group of
Portlanders with over 100 active nodes aiming
to cover the entire city of Portland, Oregon.
➤
The
NoCat network (www.nocat.net),
based in Sebastopol north of San Francisco, listed two-dozen
active sites, almost as many in
progress, and many more that were deemed “interested.”

There are many other free, public wireless
networks all over the world, including Asia, the Middle East,
Australia, New Zealand, the Pacific region, the Caribbean, and
Europe.To get an idea of the magnitude of this phenomenon, check
out the Personal Telco Web site, which lists hundreds of
community wireless groups that are building free and open
networks (
www.personaltelco.net/index.cgi/WirelessCommunities).
The most ambitious of these
envision not just isolated nodes but an interlocking “network of
networks” or
Metropolitan Area Network
(MAN) designed to allow
roaming from site to site within the area
served by the network. Hiccup-free roaming is a technical
challenge that has not been entirely solved at this time,
however.
Figure 10-1 shows a common configuration for an
open wireless “hotspot” network. Users with a laptop computer
log in, click “I agree” or authenticate in some manner. And then
they are allowed to access the Internet.
This community-based approach to networking can
allow you to bring high-speed data to your neighborhood, even if
your local telephone companies or wireless ISPs are moving too
slowly, not moving at all, or have tried and failed due to
financial factors. Because noncommercial services can be much
cheaper in the long run (basically, just the investment in
equipment and expertise), they may garner a wider user base than
commercial services could. If even a small percentage of those
users set up their own free wireless hotspots, a “positive
feedback” loop is created, in which the benefits of joining the
“free” wireless community increase, bringing more users and
still more hotspots. (The network effect says that the value of
a network increases exponentially with the number of users.)
If you want to be part of this wireless
revolution, this chapter is for you! In this chapter, you’ll
build a wireless hotspot that can share your Internet connection
with anyone who comes within range, while giving you the ability
to implement a
splash screen
(the first screen the user sees
when they access the hotspot), and control which sites users can
access. The system is designed to support user IDs and
passwords, as well, so you’ll have the
potential to expand to that in the future.
You’ll need the following hardware:
Wireless access point (AP).
A
PC (486 or better) with at least 10GB disk space, 256MB RAM and
two Ethernet network interface cards (NICs). This computer
serves as a gateway between your local
wireless network and the Internet. It will run the Linux
operating system.
At
least one client computer (usually Windows or Mac) for testing.
Each client must have either a
wireless NIC or a standard Ethernet card and cable to connect
to the AP.
A
high-speed Internet connection such as DSL, with an appropriate
wide area network (WAN) device such as a DSL modem and an
Ethernet cable to connect this device to
the Linux computer.
You’ll also need the following software:
Linux. Ideally, you should have Red Hat 9.x with kernel version
2.4.x, with IPtables and gpgv.
NoCatAuth, the free software that will provide the management
and control capabilities for your
hotspot, uses IPtables to route traffic between the two
NICs.We’ll give instructions for
Red Hat 9 in this chapter. You may have to adapt these
instructions to other flavors of
Linux. Another software-related requirement is root access to
the Linux server. You should do
everything in this chapter as the root user.
The
nightly build of NoCatAuth. Download it from the NoCat network
site (www.nocat.net).
It is standard procedure to warn you that a particular nightly
build could be buggy. Peruse the
mailing list a bit before downloading, to see if people seem to
be having trouble with recent
builds. If so, download the most recent stable build. That being
said, when I downloaded NoCatAuth
in early 2004, it looked like the code hadn’t changed since mid-
2002. (I guess they were on to working on NoCatSplash, a
software package being groomed as
the successor to NoCatAuth. Dates on NoCatSplash files were very
recent.)
DHCP (Dynamic Host Control Protocol) server somewhere on your
network. This could be a DHCP
daemon running on your Linux machine (this seems to work best in
most situations), or it could be on your AP or another
server. In general, implementing a
DHCP server is not a huge stumbling block. For instance, the
default configuration for many
access points includes DHCP service. If your network clients are
configured to obtain an IP address
automatically, and they are able to access the network, then
they already have access to a DHCP
server.
If
you want to set per-user bandwidth limits using throttle.fw, you
will need tc installed on your
server. (This is a standard component of Red Hat 9.x.)
Optionally, you can install a local caching DNS (domain name
service) server. You get an option to install a DNS when you
install Red Hat 9.x from scratch.
Be aware that you are undertaking a challenging
project. There are a lot of things that have to go right for
your hotspot to work, and each one of these things is capable of
going wrong in many different ways. Basically, there are five
areas where you may have to do some tinkering:
the AP, the WAN hardware (such as a DSL
“modem”), Ethernet and TCP/IP networking, the Linux computer,
and the client computer(s). If you’re not a guru in all these
areas, here’s an opportunity to learn, and achieve something
cool in the process.
The centerpiece of the solution described in
this chapter is “captive portal” software, NoCatAuth, which you
download free from the NoCat network site (
www.nocat.net)
and
run on a Linux computer, which thus becomes a gateway.
Just the potential complications associated
with this one piece of software can drive you batty.
It is not unusual for questions on the NoCat
mailing list—especially newbie questions—to go unanswered for
days, or even forever, despite sometimes piteous pleas (“Nobody
will help me?”). There is no official support for the NoCat
software, and if you can find somebody to provide support for a
price, the price could be fairly steep (say, $75 an hour).
NoCat isn’t the only software available for
setting up a free hotspot. If you’re interested in checking out
alternatives, a good starting point is
www.personaltelco.net/
index.cgi/PortalSoftware.
But NoCat seems to be the most popular of the free options.
What Is NoCatAuth?
NoCatAuth is a “captive portal” software. A
portal
is a Web site or
service that offers access to an array of other resources and
services. A captive portal is the one in which users are
initially “captured” and restricted
in what they’re able to do. They may be restricted to just a
login screen, or a screen
describing an acceptable use policy (AUP). In that case, they
must log in or accept the policy
before they can do anything else. Alternatively, the captive
portal may allow users to access a
restricted number of Web sites without logging in or agreeing to
the AUP. It is also possible to
include a Skip button on the login screen, allowing the user to
skip the login process.
In this chapter, you’ll set up two basic
NoCatAuth configurations: One uses NoCatAuth’s “Open” mode to
create a portal that does not allow login using a user name and
password, but does redirect users to a splash screen. Users have
to click a button to continue. The other configuration uses
NoCatAuth’s “Passive” mode to create a portal that allows, but
does not require, a login. The user can press the Skip button,
not provide a user name or password, and be automatically logged
in as “unknown.”
You can create a Passive mode NoCatAuth system
in which the user has to log in—no Skip button allowed. However,
this requires that you install not only the gateway component of
NoCat, but also the authorization server (“auth server”)
component. The gateway component provides (or refuses to
provide) access to the Internet. Every NoCat hotspot is based on
a gateway, which manages local connections, enforces locally
configurable firewall rules (and optionally bandwidth
limitations), and times out idle logins. The auth server
displays the login and logout screens in Passive mode (though
not the splash screen in Open mode—that’s served locally at the
gateway) and handles the “backend” processing for the login.
This chapter does not go into any detail about setting up your
own auth server.
There is an auth server at nocat.net that
everyone is free to use. This chapter assumes that you will use
that. There are some very significant limitations for
“outsiders” using this server. In particular, when it hands out
permissions, the auth server assigns one of three classes of
service: Owner (sometimes called “Priority”), Co-op, or Public.
Outsiders always get Public class access. In other words, you
have to create a one-size-fits-all security configuration.
Setting up your own auth server gives you much more flexibility.
Even if you do plan to eventually set up your
own auth server, you probably want to start by getting a gateway
working with the auth server at nocat.net first. That way,
you’ll have a “known good” gateway for testing, and will not be
trying to debug both the gateway and the auth server at the same
time.
After getting past the splash or login screen
(see Figure 10-2), the user can be redirected to the site
originally requested. In the Open mode configuration, it is also
possible to edit the splash screen to redirect all users to a
site that you specify. (If you have your own auth server, you
can edit the login screen, too.)
In either Open or Passive mode, you can
configure a set of allowed domains, and the user will not be
able to browse any domains other than those. Any attempt to
access nonallowed domains will just bring up the splash screen
or login screen. This can be a bit tricky to configure,
depending on the particular allowed site. The basic
configuration is easy, as explained in

the “Configuring NoCat” section later in this
chapter. However, you may encounter situations where you put a
site into the AllowedWebHosts list and still can’t get through
to it consistently. Instead, you encounter situations where you
are eternally returned to the splash screen or login screen. It
can take some troubleshooting to determine what is wrong and how
to correct it, as you’ll see in the section on “Troubleshooting
NoCat.” Unfortunately, you’ll also see why it is not possible to
guarantee a smooth experience for every user when only a limited
number of domains is allowed.
The NoCat log (
/usr/local/nocat/nocat.log)
records the user’s IP address, the hardware
(MAC) address of the user’s Ethernet card, the URL of the
site that the user originally requested, and what level of
access (class of service) is granted. In Passive mode, the log
also shows the login name, if the
user provides one. Otherwise, it shows “unknown.” All log
entries are time-stamped.
If you were ever required to demonstrate that it
was someone else, not you, who did something on your network
(something illegal, for instance), the MAC address could be
particularly useful, since it is associated with a particular
computer—or, more precisely, with a particular Ethernet card.
This contrasts sharply with IP addresses, which you will
probably be assigning dynamically (using a DHCP server, for
example), so that any given IP address gets used over and over
again for different clients.
Both Open and Passive configurations enforce
idle time-outs. After a configurable period of inactivity, the
user will be forced to go through the splash page or login page
again in order to continue accessing the Internet.
Neither configuration requires any special
client software—just an ordinary browser. This is a major
strength of the captive portal approach. Note that, in addition
to the NoCat software described in this chapter, there is a
NoCat community network operating in Sebastopol, California.
This chapter assumes “outsider” status, as far as this network
goes. That is, I assume that, in the security database
maintained by the NoCat community network, users of your gateway
will not be defined as members of the NoCat community or of any
other group defined in that database.
There is a newer piece of software, NoCatSplash,
which currently did not support authorization at the time I
tested it. It simply displayed a splash screen, forcing the user
to click a button in order to continue. NoCatSplash is billed as
the successor to NoCatAuth. However, when I played with it in
early 2004, NoCatSplash was alpha software, and not as stable as
NoCatAuth. Therefore, I decided to stick with NoCatAuth for this
chapter. However, once you are familiar with NoCatAuth, you will
probably find it very easy to migrate to NoCatSplash, should you
decide to do so.
Risk Management
When you decide to provide wireless data
services, you essentially become a wireless ISP. As such, you
have a responsibility to try to prevent your hotspot from being
used irresponsibly or for illegal purposes. That could mean
anything from spam to child pornography. Although I don’t know
of any cases where a free hotspot operator has been prosecuted
for traffic on his or
her network (and I am not an attorney and do not
mean to offer legal advice), it seems only prudent to take some
basic precautions. Anyway, you’re probably a basically good
person and don’t want your hotspot used for bad purposes. There
are three things you can do to control what happens on your
hotspot, and perhaps cover
yourself if violations of the law or of Internet
etiquette occur:
1.
Make users agree to an
Acceptable Use Policy (AUP). Your “splash” page (the page that
all users are initially redirected to) might say, for example,
that the user will not use your network
to send spam, or access or upload child pornography, and
so on. This doesn’t actually stop
anybody from doing anything, but it demonstrates your good
intentions, and lets “law-abiding”
users know what is expected of them. Either NoCatSplash or
NoCatAuth can ensure that users
click a button before being allowed to do anything else.
Check out the following Personal Telco sites for
more ideas about what exactly you might want to put on your
splash page:
www.personaltelco.net/index.cgi/NodeSplashPages?action=
highlight&value=splash
www.personaltelco.net/splash/
2.
Set up a system that
limits what users can do. Either NoCatSplash or NoCatAuth can
apply some blanket rules to all users. For instance:
As an anti-spam measure, both are configured by
default to prevent outgoing SMTP packets, which prevents most
e-mail clients from sending mail. (Web mail services, such as
Hotmail and Yahoo! Mail, are not affected.) Users can be
restricted to particular Web sites.
In addition, the auth server can place users in
one of the three classes of service (Owner, Co-op, Public),
based on user names and passwords. You can define different
rights and permissions depending on which class they belong to.
For instance, some users can be limited to browsing a few
specific Web sites, while others may be free to browse the whole
Internet. However, you can modify the auth server database in
order to enable the different classes of service. This generally
means setting up your own auth server.
There is also a (“highly experimental”) facility
for throttling bandwidth based on membership in these same
groups. (After you install the NoCatAuth gateway, check out the
throttle.fw file for more information on throttling bandwidth.)
3.
Monitor use. This could
allow you to detect network abuse and take steps to end it. Most
free wireless network operators seem to have done little,
if any, monitoring in the past—a
policy that has been likened to walking around with your eyes
closed. However, both historical
and real-time monitoring are possible.
Historical monitoring involves analyzing the
NoCat log file. Ongoing monitoring of the log file would have to
be automated.Try a Google search on “nocat.log analyzer” to find
out about work that has been done in this area, which you may be
able to take advantage of.
Real-time monitoring could be based on a tool
like MRTG (Multi Router Traffic Grapher), which produces
graphical images at regular intervals (every 5 minutes by
default) representing traffic on network links. You could use
this to detect a user flooding your network with traffic, for
example, either maliciously or unintentionally. (MRTG may come
free with your Linux system.To download it or just to find out
more about it, go to www.mrtg.org.)
To get more detailed information on who is causing the problem
and what exactly they are doing, you could go to the NoCat log.
You might also use a packet capture utility such as
Ethereal, a
free network protocol analyzer for Unix and Windows. (See
www.ethereal.com.) This
type of analyzer gives you the most detailed information, though
not always the easiest to interpret.
You may have reasons other than security for
wanting to monitor your network. For instance, perhaps you want
to be able to limit each user’s free access to a particular
length of time, such as half an hour. Or perhaps you are
starting with free access now, but want to position yourself to
charge in the future. Time limitations (other than time-outs
after a period of idleness) and billing are not standard parts
of the current NoCat implementation.
However, a number of approaches have been
discussed and tried. One approach starts by analyzing the log
file to determine usage. A more flexible and sophisticated
approach is to record information in a MySQL database. Perhaps
the most natural approach, however, is integrating with the
RADIUS authorization and accounting server. To find information
on this, try
www.pogozone.net/projects/nocat/, or do a Google search
on “nocat radius.”