Thursday, April 05, 2012

Gift Wi-Fi

I believe in free Wi-Fi.

Specifically, I wish that everyone with an unlimited internet connection would open it up for anyone to use. The public good would be substantial. The cost would be minimal. I wish Wi-Fi equipment from the telco & cable company came configured this way by default.

What are the downsides to opening your Wi-Fi up?

The first is security: the most common home Wi-Fi setup includes a firewall, making your computer inaccessible to the internet. If you open your Wi-Fi, then someone near you can get past your firewall. It's not as scary as it sounds. Your computer probably has a built-in firewall running. If you install security updates, you're pretty well protected. If you plan to take your laptop to a a coffee shop's free Wi-Fi, you better deal with this anyway.

Most of the risk comes from strangers 1/2-way around the world, protected by distance, anonymity, and the difficulty of extradition. Your neighbors are less of a concern.

In my case, however, I have some unsecured network resources behind my firewall. Most people don't, but I'm an exception. So I want a mechanism to protect internal resources from guest users.

The other concern is speed. If guest users eat a lot of bandwidth, it can stop you from doing the same. If all you do is check your email, you'll probably never have a problem. In some cases you can use QoS to address this, although if your upstream bandwidth is unreliable, it's hard to make QoS work.

My first attempt at an open guest network involved double-NAT. My DSL modem had built-in Wi-Fi and 4 Ethernet ports. I left the Wi-Fi unsecured. I plugged in a Linksys Wi-Fi router to the Ethernet, and set its Wi-Fi to be secured. I gave the Linksys a static IP address, and set the DSL modem to DMZ to the linksys. UPnP port forwarding still works.

Now that I live in Rural, I thought there was no point in having open Wi-Fi. Demand for such things is pretty low even in densely populated areas; the chances of anyone around here ever using mine is even smaller. I was wrong: I have 1 neighbor in range of my Wi-Fi, and he wants to use it. He's off-grid enough that he can't get DSL like I can, so even a little of my Internet would be awesome for him.

He had a really hard time making a connection to the Wi-Fi, because of distance (about 200 feet) and obstructions (trees, brush, and the foil-face insulation in the walls of my yurt. He could see the Wi-Fi, but he couldn't stay connected. We tried moving equipment around, but the signal was not quite strong enough. He bought a cheap but modern 802.11n AP, in the hopes that it would do better than my ancient DSL modem's Wi-Fi, but it still wasn't enough.

I ended up swapping equipment - my Linksys for his AP. My Linksys runs DD-WRT, which supports repeater mode. I moved the Linksys in to another building closer to my neighbor, and now he can connect. You still with me?

There are a couple things I don't like:

  • My DSL modem is quite old. The web interface is clunky. The feature set is limited. I can't install DD-WRT.
  • Double-NAT is annoying.
  • I don't like the cheapo AP; its DNS is a bit buggy; it can't run DD-WRT.
I have a more modern DSL modem that is minimal - it's a tiny box with just a single Ethernet port. But I am relying on the old one's Wi-Fi for the guest access.


Some routers have a "guest access" feature built in. I picked up a refurbished Cisco Linksys E2500 router for $40, in part because it has this feature. I was disappointed with the implementation. When you connect to the guest Wi-Fi network, you have to type in a password. There's no way to disable this password. The prevents my repeater from connecting. Damn.

I like the power of DD-WRT, but I hate the risk of bricking a device. Finding answers about DD-WRT is hard. There's a web site with a router database, but the answers it gives are sometimes dangerously wrong. There's a wiki with a lot of useful information, and lots of bad writing, and some bad errors. Then there's the forum, where all answers can be found, if you like pain. Imagine many pages of forum posts, where page 1 says "do this" and page 3 says "don't do that thing you saw on page 1, or you'll brick your device." This is infuriating. This is why stackoverflow started, with the mission to "make the internet better".

I was hoping modern Linksys firmware would be rich enough that I didn't need to go to DD-WRT again, but alas: the guest access is sucky. So off to DD-WRT land I went.

Sure enough, there's an 11-page thread, with a title that says "look at page 9", where you can find a link to a usable DD-WRT build. It turns out that the build on page 4 will brick your device. Pity anyone who reads from the front.

Setting up guest networks in DD-WRT is a bit tricky. I found instructions online but they are incomplete, as they don't tell you to configure the firewall to completely isolate the private and guest networks. I worked on it for a day, and was never completely successful. I found that the power plug on this refurb device has a lose connection - if you push on it sideways, the device turns off. So I'm sending it back.

One additional barrier is the criticality of our network. You might say "it's just a home network" but we have 5 people who use the Internet all day, every day. If I bring the system down for maintenance, I hear a lot of complaints. I have to do it overnight. Just like an enterprise IT department, but I'm not getting paid overtime.

Will you open your Wi-Fi?

3 comments:

Sandy Bazuzi said...

I would provide a guest network, and just like an enterprise offering I'd close everything except port 80 and 443.

If you want an enterprise grade solution, you may have purchase enterprise grade hardware. This can include a wireless controller and several APs, if you have a large coverage area and especially if you want to offer WiFi to your neighbors.

Jeremy Stein said...

The one security risk you didn't mention is that of a drive-by user doing something bad with your IP address. It could be a hassle to have the FBI show up at your door.

Jay Bazuzi said...

Yes, the FBI would be a hassle. I wonder if I can force all guest Wi-Fi to go through Tor?

 
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.