On Fri, 14 Jan 2005 09:21:22 +0100, Vittore Zen <drzen at gamebox dot net> wrote:
> Hi,
>
> mynetwork with  <-> m0n0 <-> switch
> radius server &              |  |  |
> def. gateway                ap1 |  |
>                                ap2 |
>                                   ap3
>
> (the same as
> http://www.tomsnetworking.com/Sections-article92-page3.php but more
> access points)
>
> What are the best practices for a wifi hot spot with m0n0wall?
>
> My choices are:
> - no WEP in wifi access points
> - captive portal with radius (and https?)

If you're using radius to authenticate users, and have sensitive passwords (i.e. not one you hand out to anybody), you need to use https. Otherwise it's less than trivial for anybody to intercept those.

> - dhcp server
> - block every ip of mynetwork (to hotspot subnet) except default
> gateway destination.
> - the same SSID on ap1, ap2, ap3 (are linksys)

Fine, but might get confusing when troubleshooting and testing link strength.

> - the same channel on ap1, ap2, ap3
>

That might cause problems, not sure.

Overall sounds like it'd work fine, try it out and see what happens. Remember captive portal isn't going to work as intended unless you set up those APs to bridge, not route or NAT.

-Chris