 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Vittore Zen <drzen at gamebox dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Best practices for wifi hotspot with m0n0wall
 Date:  Sat, 15 Jan 2005 22:32:17 -0500
On Fri, 14 Jan 2005 09:21:22 +0100, Vittore Zen <drzen at gamebox dot net> wrote:
> Hi,
> mynetwork  with  <-> m0n0 <-> switch
> radius server &              |  | |
> def. gateway                 ap1 | |
>                                 ap2|
>                                   ap3
> (the same that
> http://www.tomsnetworking.com/Sections-article92-page3.php but more
> access points)
> What are the best practices for a wifi hot spot with m0n0wall?
> My choices are:
> - no WEP in wifi access points
> - captive portal with radius (and https?)

If you're using radius to authenticate users, and have sensitive
passwords (i.e. not one you hand out to anybody) you need to use
https.  Otherwise it's less than trivial for anybody to intercept

> - dhcp server
> - block every ip of mynetwork (to hotspot subnet) except default
> gateway destination.
> - the same SSID on ap1, ap2, ap3 (are linksys)

fine, but might get confusing when troubleshooting and testing link strength.  

> - the same channel on ap1, ap2, ap3

that might cause problems, not sure.  

overall sounds like it'd work fine, try it out and see what happens. 
Remember captive portal isn't going to work as intended unless you set
up those APs to bridge, not route or NAT.