  • Locked thread
Ursoph Haz
Jul 23, 2014



I've been asked if I can set up a wifi hotspot for someone. Details are:

Outdoors (It's a boat yard)
They want to be able to charge people to use it
They want it to be a 'budget' solution.
I believe that laws state that you have to record the email address and details of customers using your public wifi because of terrorism laws?

Any suggestions on hardware / software that I could use for this? I originally quoted for a Rukus solution but they didn't "want to fork out that much money"

*sigh*


Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

http://forums.somethingawful.com/sh...hreadid=3460935

For your budget though it's probably going to be UniFi and a lot of hair tearing.

Ursoph Haz
Jul 23, 2014



Thanks Ants posted:

For your budget though it's probably going to be UniFi and a lot of hair tearing.

I'm assuming by that you mean it is a nightmare to configure / maintain?

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

In my experience when they work they work well. Any little issues will slowly piss you off more than they should as you hit dead end after dead end attempting to resolve them.

If you're just trying to do a free hotspot for some people then it's not a bad option. I wouldn't want to provide any sort of guaranteed service using them, it would use up more time than just buying better APs would have cost.

Ursoph Haz
Jul 23, 2014



Fair enough! I'm waiting for some quotes. It may be that my customer won't even want to open their pockets wide enough for it. But hey ho...

Comatoast
Aug 1, 2003


pfSense can do the captive portal stuff. Combine that with a handful of Apple AirPort Extremes in bridge mode for access points and you'll be done lickety-split.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert


Just turn the job down. If you do build a solution to meet their 'budget' you'll be miserable supporting it.

You can do it right the first time and spend little time supporting it, or you can half rear end it and bleed them to death charging them by the hour to support it. Either way they're going to pay, so I would stress they should do it right the first time.

edit: Especially if they plan on charging for it. People are pretty tolerant about 'Free WiFi', but if someone pays 14.99 a day or something, they want it to work and work well.

skipdogg fucked around with this message at Sep 2, 2014 around 16:19

wwb
Aug 17, 2004



I would ping the ISPs -- comcast and all are dying to get into this stuff and are rolling out the interesting commercial options. You might be able to get it done as a "we install for free and take a big cut of the profits" thing.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord

If you really want to roll-your-own, Mikrotik has a "User Manager" package that could hook into PayPal and authorize.net to accept payments from users. Basically, you get one extra router and install the user-manager package, and it acts as a RADIUS server; you configure all your wireless APs to check with it for AAA purposes. I set this up for a "hotel" (and by "hotel" I mean "hourly rates") a few years ago, and it actually worked, but having not worked for a WISP for a couple years I can't vouch for how well it might work today. The downside is that you'll get the Mikrotik Experience (TM) including all manner of inscrutable bugs and the finest tech support in Latvia.
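The AP-to-RADIUS check described in the post above, as an added example that is not from the original post, from Mikrotik's User Manager, or from any AP vendor. It is a minimal RFC 2865 Access-Request / Access-Accept exchange in pure Python (hashlib only): the AP hides the User-Password with the Request Authenticator and the shared secret, the server recovers it, looks the account up, and signs its verdict with the Response Authenticator, which the AP checks so that a spoofed Access-Accept is rejected. The shared secret, the account table and the NAS-Identifier are constructed values. Real deployments add the Message-Authenticator attribute from RFC 2869 or run EAP rather than PAP, and the hiding is only as strong as the shared secret, so the AP-to-server link belongs on a trusted management VLAN.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical shared secret; configured on both the AP (the NAS) and the
# RADIUS server and never sent on the wire.
SHARED_SECRET = b"boatyard-radius-secret"

# Constructed account table standing in for the voucher database that a
# payment-backed RADIUS server would hold. Example data only.
USERS = {"guest-0421": "day-pass-7f3a"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def _attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(plain, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = plain + b"\x00" * (-len(plain) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # strip the padding


def build_access_request(username, password, secret, ident=1, request_auth=None):
    """AP -> RADIUS: sent once the portal has collected the credentials."""
    request_auth = request_auth or os.urandom(16)  # fresh per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, b"ap-dock-1"))  # constructed NAS name
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), request_auth) + attrs


def _response_auth(code, ident, length, request_auth, body, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + body + secret).digest()


def radius_server(packet, secret=SHARED_SECRET, users=USERS):
    """RADIUS side: recover the password, check the account, sign the reply."""
    code, ident, length, request_auth = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet) or length < HEADER.size:
        raise ValueError("not a well-formed Access-Request")
    attrs = _parse_attrs(packet[HEADER.size:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(given, users[user].encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = b""  # reply attributes (Session-Timeout, rate limits, ...) would go here
    length = HEADER.size + len(body)
    return HEADER.pack(code, ident, length,
                       _response_auth(code, ident, length, request_auth, body, secret)) + body


def verify_response(response, request_auth, secret=SHARED_SECRET):
    """AP side: trust the verdict only if the Response Authenticator checks out."""
    code, ident, length, resp_auth = HEADER.unpack_from(response)
    body = response[HEADER.size:length]
    expected = _response_auth(code, ident, length, request_auth, body, secret)
    return code, hmac.compare_digest(resp_auth, expected)


def exchange(username, password, secret=SHARED_SECRET):
    """Full round trip as the AP sees it: (code, authenticator_valid)."""
    request_auth = os.urandom(16)
    reply = radius_server(build_access_request(username, password, secret,
                                               request_auth=request_auth), secret)
    return verify_response(reply, request_auth, secret)
```

`exchange("guest-0421", "day-pass-7f3a")` returns an Access-Accept with a valid authenticator; a wrong password or unknown account returns an Access-Reject that still verifies, while a reply whose code has been flipped to Accept by someone on the path fails verification because the Response Authenticator covers the code and is keyed by the shared secret.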

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

They're the only networking equipment vendor that describes their products as "character building".

Sepist
Dec 25, 2005

FUCK BITCHES, ROUTE PACKETS


Gravy Boat 2k

wwb posted:

I would ping the ISPs -- comcast and all are dying to get into this stuff and are rolling out the interesting commercial options. You might be able to get it done as a "we install for free and take a big cut of the profits" thing.

He wants to charge for it though, Comcast and the other MSOs are broadcasting Cablewifi and their own branded SSIDs. There are some outdoor venues which have a paid portal but these are large venues (i.e. public parks, stadiums, and concert halls). We give business customers a free wifi router to broadcast our SSID but if they want a captive pay portal they need to set their own stuff up.

Sepist fucked around with this message at Sep 2, 2014 around 22:02

MrMoo
Sep 14, 2000



Ursoph Haz posted:

They want to be able to charge people to use it

I just wonder, who pays for WiFi but does not have unlimited 3G/LTE? Are these special areas with no mobile service?

Interesting to note that in Japan whilst the iPhone is booming all the airport free WiFi captive portals really don't work well with iOS: normally iOS detects a captive portal and pops up the registration page. Also with "HTTPS everywhere" the common landing page of Google sites breaks too.

BurgerQuest
Mar 17, 2009


Mikrotik. I've been playing with an RB750 the last week or so and have it running OK as a captive portal hooked up to one of the many third party RADIUS/payment gateways. Pretty straight forward.

Sepist
Dec 25, 2005

FUCK BITCHES, ROUTE PACKETS


Gravy Boat 2k

MrMoo posted:

I just wonder, who pays for WiFi but does not have unlimited 3G/LTE? Are these special areas with no mobile service?

Interesting to note that in Japan whilst the iPhone is booming all the airport free WiFi captive portals really don't work well with iOS: normally iOS detects a captive portal and pops up the registration page. Also with "HTTPS everywhere" the common landing page of Google sites breaks too.

We make about 3k a day in the NY metro area with paid wifi sales actually.

MrMoo
Sep 14, 2000



NY metro area = terrible 3G/LTE service already, plus the users are probably expensing it anyway. Similarly I'm looking forward to iOS 8 so I can use WiFi calling in NY and CT precisely because of terrible signal issues.

Sepist
Dec 25, 2005

FUCK BITCHES, ROUTE PACKETS


Gravy Boat 2k

WiFi calling is nice, there are some performance issues though when it comes to the congested 2.4 GHz spectrum compared to the less crowded 5 GHz. On 2.4 GHz, any overlap or co-channeling that is using a decent chunk of duty cycle is going to cause one-way audio or dropped calls, and on 5 GHz we have been seeing performance issues when you exceed -60 dBm signal strength. It's better in single family homes but apartment complexes have a lot more competing noise in the air.

Sepist fucked around with this message at Sep 3, 2014 around 14:11

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.


We recently purchased and deployed several UniFi APs, and here are some things that might not be totally obvious before purchase. You might already know this stuff, I'm just putting it out there in case you don't.

- In order to do pretty much anything with these devices you need to use their controller software. You can also SSH into them and do some stuff, but the bulk of your configuration and management will be done with the controller software.

- The controller software runs in a browser and requires both Flash and Java. You're probably thinking, "ok, not so bad so far, I can just install the software on my workstation and be done with it". See the next point to find out why you're wrong.

- If you want to use any of the captive portal features, the software must be running in order for those features to work. So, you're going to need a dedicated machine for the controller software if you're using captive portal features. And that machine needs to be running Flash. And Java. And running 24/7. Yep, pretty boneheaded. Let's hope that machine isn't internet facing.

- No ability to whitelist MAC addresses. Blacklist yes, whitelist no. Don't know why they made that decision. We can debate the efficacy of MAC address blocking, but when employed as part of a defense in depth, it's a legitimate layer of defense.

- Want to use the cool "Zero Handoff" feature they advertise prominently? Looks like you have to enable SSID broadcasting in order for it to work. I have not yet confirmed this last bullet point, but I'm testing it today. Again, this is a legitimate layer of defense when used in conjunction with other layers.

ate shit on live tv
Feb 15, 2004

LBGT United
Did nothing wrong.

No! NEVER, NEVER, NEVER use a hidden SSID for public use, all it does is create frustration and confusion. The only legitimate use for a hidden SSID is in a corporate setting where you have a publicly available one for general use, and a hidden one that uses 802.1X certificates so that it will automatically be joined; it's hidden to reduce confusion.

White-listing is only good if you want to increase administrative overhead, pro-tip you don't.

BurgerQuest
Mar 17, 2009


Mr. Clark2 posted:

We recently purchased and deployed several UniFi APs, and here are some things that might not be totally obvious before purchase. You might already know this stuff, I'm just putting it out there in case you don't.

- In order to do pretty much anything with these devices you need to use their controller software. You can also SSH into them and do some stuff, but the bulk of your configuration and management will be done with the controller software.

- The controller software runs in a browser and requires both Flash and Java. You're probably thinking, "ok, not so bad so far, I can just install the software on my workstation and be done with it". See the next point to find out why you're wrong.

- If you want to use any of the captive portal features, the software must be running in order for those features to work. So, you're going to need a dedicated machine for the controller software if you're using captive portal features. And that machine needs to be running Flash. And Java. And running 24/7. Yep, pretty boneheaded. Let's hope that machine isn't internet facing.

- No ability to whitelist MAC addresses. Blacklist yes, whitelist no. Don't know why they made that decision. We can debate the efficacy of MAC address blocking, but when employed as part of a defense in depth, it's a legitimate layer of defense.

- Want to use the cool "Zero Handoff" feature they advertise prominently? Looks like you have to enable SSID broadcasting in order for it to work. I have not yet confirmed this last bullet point, but I'm testing it today. Again, this is a legitimate layer of defense when used in conjunction with other layers.

And putting a cheap mikrotik in front of your APs or the public VLAN will sidestep all this.

BlueBlazer
Apr 1, 2010

Progress over Protocol


I prefer to split a project like that into working pieces before trying to add a monetizing value to it. Especially if you are the one man army and don't already have a working model to deploy.

I'm with everyone saying either they will pay or you will.

MrMoo
Sep 14, 2000



Mr. Clark2 posted:

- The controller software runs in a browser and requires both Flash and Java. You're probably thinking, "ok, not so bad so far, I can just install the software on my workstation and be done with it". See the next point to find out why you're wrong.

The controller is a Java server app, the GUI to configure it is Flash in a browser. Normally you stick the controller on a Linux box or VM somewhere, also well documented is sticking it in Amazon.

The biggest problem I have is that you can run UniFi devices without a controller for basic functionality but with a power outage they always factory reset. What's nuts is that I have the devices behind a surge protecting UPS and it still happens and I cannot reproduce by simply pulling out the power.


wolrah
May 8, 2006
what?


Mr. Clark2 posted:

- The controller software runs in a browser and requires both Flash and Java. You're probably thinking, "ok, not so bad so far, I can just install the software on my workstation and be done with it". See the next point to find out why you're wrong.

Not entirely correct. The controller software is Java-based to make it easily cross-platform. It'll run on pretty much anything (there are numerous people running it on Raspberry Pi or similar devices).

It's administered via a web browser, and the map overview display requires Flash. Everything that actually matters works fine without it, you just lose a fancy map. No Java at this end.

quote:

- If you want to use any of the captive portal features, the software must be running in order for those features to work. So, you're going to need a dedicated machine for the controller software if you're using captive portal features. And that machine needs to be running Flash. And Java. And running 24/7. Yep, pretty boneheaded. Let's hope that machine isn't internet facing.

This part is mostly correct, again other than thinking the machine running the controller needs Flash. Only Java, and any Java will do, you don't need Oracle's version if you're on an OpenJDK-supported platform. Java itself is not a security hole when it's not attached to a web browser.

I strongly recommend NOT running the controller on Windows. It's "quirky" at best to get set up as a service. I have built mini Debian VMs in Hyper-V to run the controller for my customers who only run Windows servers to get it to work more reliably.

quote:

- No ability to whitelist MAC addresses. Blacklist yes, whitelist no. Don't know why they made that decision. We can debate the efficacy of MAC address blocking, but when employed as part of a defense in depth, it's a legitimate layer of defense.

- Want to use the cool "Zero Handoff" feature they advertise prominently? Looks like you have to enable SSID broadcasting in order for it to work. I have not yet confirmed this last bullet point, but I'm testing it today. Again, this is a legitimate layer of defense when used in conjunction with other layers.

Neither of these add anything over any form of encryption, even WEP64. Anyone who can break WEP can sniff the traffic over the air, and guess what that shows? The MAC addresses of anything communicating on the network and the SSID!

You're only making it harder for legitimate users while doing absolutely nothing to stop attackers. Personally if I was an attacker I'd specifically focus on networks that have the SSID "hidden" because that tells me two things.

1. Someone thinks this network deserves special "protection".
2. That someone has no idea about wireless security.

Anyways OP is talking about a captive portaled guest network, so regardless of effectiveness none of this is relevant to the topic.


OP, I'd do this using UniFi Outdoor units and pfSense as the internet gateway. You can run the controller on the pfSense box (do a full install, appliance builds are a pain in the rear end to install third party software on) and if you don't like UniFi's captive portal pfSense offers one of its own. That said I also agree with those saying that a cheap-rear end customer is likely to be a bitchy customer when it doesn't work.

MrMoo posted:

The biggest problem I have is that you can run UniFi devices without a controller for basic functionality but with a power outage they always factory reset. What's nuts is that I have the devices behind a surge protecting UPS and it still happens and I cannot reproduce by simply pulling out the power.

Can't say I've seen this behavior myself. Two of my sites had the controller running very intermittently for months due to the aforementioned shittiness on Windows and went through numerous power outages without any problems. I've had three UAP-LRs just straight up die on me but never had any factory reset.

wolrah fucked around with this message at Sep 5, 2014 around 03:39
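wolrah's point above, that a sniffer sees the MAC addresses and the SSID no matter how the SSID is hidden or which MACs are whitelisted, as an added example that is not from the original post or from any AP vendor. It is a small Python parser for the 802.11 MAC header and the SSID information element, run over three constructed frames: a beacon with a zero-length SSID element (what "SSID broadcast off" actually sends), the association request a permitted station then transmits, and an encrypted data frame from that station. Frame layouts follow IEEE 802.11 (802.11w protected management frames are not handled); the BSSID, station MAC and SSID are made-up values for the example.

```python
SSID_IE = 0  # Information Element ID of the SSID element
BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
# Fixed fields that precede the IE list in each management subtype:
# assoc-req: capability(2) + listen interval(2); beacon/probe-resp:
# timestamp(8) + interval(2) + capability(2); probe-req: none.
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Walk the tagged parameters: 1 byte ID, 1 byte length, value."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + elen]
        i += 2 + elen
    return ies


def parse_frame(frame):
    """Header fields every 802.11 frame carries in the clear, plus the SSID
    element for management frames. 802.11w-protected management frames
    are not handled here."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {
        "addr1": mac(frame[4:10]),       # receiver
        "addr2": mac(frame[10:16]),      # transmitter
        "addr3": mac(frame[16:22]),      # BSSID / SA / DA depending on To/From DS
        "protected": bool(fc1 & 0x40),   # Protected Frame bit: payload is encrypted
        "ssid": None,
    }
    if ftype == 0:  # management
        info["kind"] = SUBTYPES.get(subtype, f"mgmt-{subtype}")
        body = frame[24 + FIXED_LEN.get(subtype, 0):]
        ssid = parse_ies(body).get(SSID_IE)
        # A zero-length SSID element is exactly what a "hidden" beacon carries
        info["ssid"] = ssid.decode("utf-8", "replace") if ssid else None
    else:
        info["kind"] = "data" if ftype == 2 else "control"
    return info


def what_a_sniffer_learns(frames, bssid):
    """Return (ssids, client_macs) recoverable from a capture without any key."""
    ssids, clients = set(), set()
    for f in map(parse_frame, frames):
        if f["ssid"]:
            ssids.add(f["ssid"])
        for addr in (f["addr1"], f["addr2"]):
            if addr not in (bssid, BROADCAST):
                clients.add(addr)
    return ssids, clients


# --- constructed capture: every MAC and the SSID below are made up ---
AP = bytes.fromhex("0011223344aa")   # the AP's BSSID
STA = bytes.fromhex("02aabbccdd01")  # a whitelisted station
RATES = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # Supported Rates element


def mgmt_frame(subtype, addr1, addr2, addr3, body):
    # Frame Control: version 0, type 0 (management), given subtype, no flags;
    # duration 0; sequence control 1
    return bytes([subtype << 4, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x10\x00" + body


def ie(eid, value):
    return bytes([eid, len(value)]) + value


SAMPLE_CAPTURE = [
    # beacon with SSID broadcast disabled: zero-length SSID element
    mgmt_frame(8, b"\xff" * 6, AP, AP,
               b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + ie(SSID_IE, b"") + RATES),
    # the station's association request has to name the SSID it wants
    mgmt_frame(0, AP, STA, AP,
               b"\x11\x04" + b"\x0a\x00" + ie(SSID_IE, b"BoatYard-Staff") + RATES),
    # encrypted data frame station -> AP (type 2, ToDS=1, Protected=1):
    # the payload is ciphertext, the three addresses are not
    bytes([0x08, 0x41]) + b"\x00\x00" + AP + STA + bytes.fromhex("0011223344bb")
    + b"\x20\x00" + b"\x5a" * 24,
]
```

`what_a_sniffer_learns(SAMPLE_CAPTURE, "00:11:22:33:44:aa")` yields the "hidden" SSID from the association request and the whitelisted station's MAC from both that frame and the encrypted data frame, which is all an attacker needs to set the same SSID and clone the MAC; neither control costs the attacker anything, which is why the encryption and the portal are the only layers doing real work.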
