 From:  Dave Warren <maillist at devilsplayground dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  Vittore Zen <drzen at gamebox dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Best practices for wifi hotspot with m0n0wall
 Date:  Sun, 16 Jan 2005 01:17:48 -0700
Chris Buechler wrote:

>On Fri, 14 Jan 2005 09:21:22 +0100, Vittore Zen <drzen at gamebox dot net> wrote:
>>mynetwork  with  <-> m0n0 <-> switch
>>radius server &              |  | |
>>def. gateway                 ap1 | |
>>                                ap2|
>>                                  ap3
>>(the same that
>>http://www.tomsnetworking.com/Sections-article92-page3.php but more
>>access points)
>>What are the best practices for wifi hot spot with m0n0wall?
>>My choices are:
>>- no WEP in wifi access points
>>- captive portal with radius (and https?)
>If you're using radius to authenticate users, and have sensitive
>passwords (i.e. not one you hand out to anybody) you need to use
>https.  Otherwise it's less than trivial for anybody to intercept
Depending on the intended use, this may or may not be a problem.  If 
you're using one time passwords (printing out a password on each coffee 
receipt, where each password is only good once) then HTTPS isn't 
required, but otherwise HTTPS is definitely required.

Personally I wouldn't bother with WEP since it's so easily cracked.

>>- dhcp server
>>- block every ip of mynetwork (to hotsport subnet) except default
>>gateway destination.
>>- the same SSID on ap1, ap2, ap3 (are linksys)
>fine, but might get confusing when troubleshooting and testing link strength.  
Same SSID is good since it allows roaming between access points.

>>- the same channel on ap1, ap2, ap3
>that might cause problems, not sure.  
This will *definitely* cause a problem.  Put the APs on 2, 6 and 11 -- 
this will allow most wireless NICs to automatically determine which AP 
has the best signal without worrying about overlap or signals canceling 
each other out.

Having two or more APs on the same channel will, at best, cause massive 
packet loss.  More likely it will render the entire network unusable, 
especially if somebody shows up with a stronger-than-average antenna and 
transmitter and two or more APs start thinking they're both receiving 
communication from one client.

Usenet is like a herd of performing elephants with diarrhea --
massive, difficult to redirect, awe-inspiring, entertaining, and a
source of mind-boggling amounts of shit when you least expect it.
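The HTTPS versus one-time-password argument in the message above can be modelled in a few lines. The following is an added example, not code from m0n0wall or from any of the thread participants; the voucher store, the shared-password store and the "eavesdropper" who saw the credential on the wire are all constructed here. It shows why a credential that is burned on first use survives a cleartext captive portal, while a reusable one does not.

```python
"""Model why single-use vouchers tolerate a cleartext captive portal.

Added example for the HTTPS / one-time-password discussion; not code
from m0n0wall or the thread participants. Everything here is constructed.
"""
import hmac
import secrets


class VoucherStore:
    """Single-use vouchers, e.g. the codes printed on coffee receipts.

    Single-threaded model: a real portal must make redeem() atomic so two
    concurrent presentations of the same code cannot both succeed.
    """

    def __init__(self) -> None:
        self._unused: set[str] = set()

    def issue(self) -> str:
        code = secrets.token_hex(4)  # 8 hex chars, printed on the receipt
        self._unused.add(code)
        return code

    def redeem(self, code: str) -> bool:
        """Accept the code once; any later presentation of it fails."""
        if code in self._unused:
            self._unused.discard(code)
            return True
        return False


class SharedPasswordStore:
    """One reusable password handed to any customer who asks for it."""

    def __init__(self, password: str) -> None:
        self._password = password

    def redeem(self, code: str) -> bool:
        return hmac.compare_digest(code, self._password)


def replay_after_sniffing(store, credential: str) -> tuple[bool, bool]:
    """The legitimate user logs in over plain HTTP; someone who saw the
    same credential on the wireless segment presents it afterwards.
    Returns (user_login_ok, replay_ok)."""
    user_ok = store.redeem(credential)
    replay_ok = store.redeem(credential)
    return user_ok, replay_ok


def demo() -> dict[str, tuple[bool, bool]]:
    """Compare both credential models under the same interception."""
    vouchers = VoucherStore()
    receipt_code = vouchers.issue()
    shared = SharedPasswordStore("coffee2005")  # constructed sample password
    return {
        "single_use": replay_after_sniffing(vouchers, receipt_code),
        "shared": replay_after_sniffing(shared, "coffee2005"),
    }


if __name__ == "__main__":
    for model, (user_ok, replay_ok) in demo().items():
        print(f"{model}: user login {user_ok}, replay {replay_ok}")
```

With the single-use store the replay fails, which is exactly the case where the message says HTTPS is not required; with the shared password the replay succeeds, so the portal has to be served over HTTPS.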
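The channel-overlap point is easy to check mechanically. Below is an added example, not code from m0n0wall or the thread participants; it assumes the 2.4 GHz band's channels 1 to 13 (5 MHz spacing, centre frequency 2407 + 5 * channel MHz) and a configurable occupied width (22 MHz for 802.11b DSSS, 20 MHz for 802.11g OFDM). The three AP names and their channel assignments are constructed sample plans. It generalises the thread's advice into a function that reports every pair of APs whose channels overlap.

```python
"""Check a 2.4 GHz access-point channel plan for overlapping channels.

Added example for the channel discussion; not code from m0n0wall or
the thread participants. Assumes 802.11b/g channels 1-13.
"""
from itertools import combinations


def center_mhz(channel: int) -> int:
    """Centre frequency in MHz of a 2.4 GHz channel (channels 1-13 only)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"unsupported 2.4 GHz channel {channel}")
    return 2407 + 5 * channel


def channels_overlap(a: int, b: int, width_mhz: int = 22) -> bool:
    """True if the occupied bands of the two channels share spectrum.

    width_mhz is the occupied channel width: 22 for 802.11b DSSS,
    20 for 802.11g OFDM. Centres closer than that width overlap.
    """
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def find_conflicts(plan: dict[str, int], width_mhz: int = 22) -> list[tuple[str, str]]:
    """Return every pair of APs whose channels overlap.

    plan maps an AP name to its channel, e.g. {"ap1": 1, "ap2": 6, "ap3": 11}.
    """
    return [
        (x, y)
        for x, y in combinations(sorted(plan), 2)
        if channels_overlap(plan[x], plan[y], width_mhz)
    ]


if __name__ == "__main__":
    # Constructed sample plans for three APs like the ones in the thread.
    same_channel = {"ap1": 6, "ap2": 6, "ap3": 6}
    spaced = {"ap1": 1, "ap2": 6, "ap3": 11}
    for name, plan in (("same channel", same_channel), ("1/6/11", spaced)):
        print(name, find_conflicts(plan) or "no overlap")
```

Channels five apart (25 MHz between centres) never overlap under either width, which is why the 1/6/11 plan passes both checks; a plan with channels only four apart passes under the 20 MHz OFDM assumption but overlaps by 2 MHz under the 22 MHz DSSS assumption, so pick the width for the oldest client you expect.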