Thank you very much Alex for your recommendations. I chose m0n0 for the
captive (that's why I found it, my first selection was for ipcop) and then I
saw how easy and powerful it is. I would like to have per-bandwidth client on
the captive options, but it's a setting I read we'll have in the future. In
the meantime I'll use the wizard and the pipes/queues....

For security reasons, I'll use three network cards, one for wan, one for lan
(just to log in for administration) and the optional for captive, and then
add some rules to block people from connecting directly to the
administration login, using https for the logins (and I know they can use a
sniffer to see what ip and mac are able to connect for the clients). I'll go
for a radius server in the future (it isn't a big hotel anyway).

I didn't know about the ip isolation, so right now, I have everything I need
to start with it.
2006/5/22, Alex Neuman van der Hans <alex at nkpanama dot com>:
> I've set up a few. Definitely your best shot would be to use m0n0 for
> your firewall/routing needs, along with a bit of traffic shaping. I'd
> block outgoing port 25 to prevent abuse (and let your clients know that
> they should use a VPN or some other port). By using the "ap isolation"
> feature your clients wouldn't be able to see each other.
> If your m0n0's lan connection is set to, for example, 192.168.20.1, you
> could set your AP to 192.168.20.2 and disable DHCP on it, and hook up
> one of the lan ports on the wrt to the m0n0's lan port. Some people
> might argue that it would be even better to set it to something else,
> like 10.0.0.1, and only switch your PC's address to 10.0.0.2 to log onto
> it and make changes. Depends on how paranoid you are.
> Hotels are good candidates for implementing the captive portal function,
> as well.
> David Rando wrote:
> > Sorry guys if I spoke in Spanish, I did because I thought it wouldn't
> > bother anyone ;-) (and to reply to the people who talked in Spanish too).
> > I have to mount a big wifi network in a hotel, and that question came
> > to my mind. As I see, the AP isolation is a good solution for that (and the
> > best for me because I'm mounting Linksys AP WRT54GL btw).
> > I'll try the VLAN thingy too. I don't know what it does, but if it's a
> > solution it's worth doing, not always have the chance to mount good APs.
> > Thanks guys for your replies.
> > 2006/5/22, Alex Neuman van der Hans <alex at nkpanama dot com>:
> >> Oh, and by the way, you may want to post your messages in both
> >> if your English skills are not too good. That way people can try to
> >> and/or translate responses for you.
> >> Oh, and by the way, it may be better if you write your messages in both
> >> languages (Spanish and English, even if it is not very good). That way
> >> people can try to help you with what they understand, and the rest of us
> >> can help with the translation.
> >> Regards / Cheers,
> >> Alex
> >> Alex Neuman van der Hans wrote:
> >> > Alex Neuman van der Hans wrote:
> >> >> You can only prevent broadcasts between networks, not between nodes
> >> >> of the same network.
> >> >>
> >> >> For example, you can prevent broadcasts from 192.168.1.1 to
> >> >> 192.168.2.1, but not from 192.168.1.1 to 192.168.1.2 (because they
> >> >> are within the same network and on the same wire).
> >> >>
> >> >> If you don't know the IP you can use the "angry ip scanner" (google it
> >> >> and you can download it) to find out, among other things, the resource
> >> >> name (you may not need it anyway), the IP address, the MAC address,
> >> >> the user that was used to log in, etc.
> >> > For the benefit of the other 60% of the US (those who can't process
> >> > Spanish), this is basically a discussion about isolating specific
> >> > users from the rest of the network, which can probably be done
> >> > with VLANs (not that I have any idea how to do it). Somebody asked if
> >> > blocking netbios broadcasts would work, and I replied that you can
> >> > prevent broadcasts *across* networks, not *within* a network.
> >> >
> >> > There *is* an option, if you want to isolate your wifi clients, to do
> >> > such a thing. It's called "AP Isolation" or something, and it's
> >> > available in most Linksys wifi routers/AP's. Dunno if it's available
> >> > in others, though.
> >> >
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch