
Wireless broadcasting security


Wing Commander Fowler
22nd Feb 2008, 20:40
Hi chaps,

I'm looking after the wireless networking for a local bar. They want customers to be able to surf the net upon being issued with the network key. Initially I have given them a WEP setup and am aware that this should really be upgraded to WPA. I didn't do this initially for fear that some of the customers' laptops may not be able to handle WPA encryption.

The thing is, it seems SOME are not presently able to connect even using WEP?? So I'm thinking I may as well change it.

What would the best setup be bearing my concerns about connectability?

Also, not only are a few laptops not able to connect at the moment but apparently ALL iPhones are incapable of connecting. Any ideas as to why that should be please?

Many thanx - Fowler

Pontius Navigator
22nd Feb 2008, 21:48
No idea, but just to say that my PDA acts as a very good wifi detector. A message pops up with all the network names in range, secured or not, and lists security type - wep, wpa, wpa2. It has a significant range and keeps firing off as I drive down the road.

In other words put security above convenience.

Saab Dastard
23rd Feb 2008, 12:31
For public access I would always implement a solution where the wifi network itself is totally open, but there is a secure gateway between the wifi network and the upstream network.

This gateway controls access to any resources, and manages authentication and authorization - whether or not the access is free or paid for.

I guess you don't have the budget to do this.

You will never be able to overcome the incompatibilities and user configuration issues with wifi (particularly secure wifi), unless you are managing a corporate environment with uniform hardware and software, and a managed key-sharing infrastructure.

All you can do is set as much as possible to "auto" and hope for the best. If it works for one laptop it "should" work for all, unless you have inadvertently limited the number of IP addresses allocated by DHCP or something like that.

One thing to confirm is that all devices are set to work with the same network speed - 802.11a / b / g / n as appropriate.

If your network is set to work at 802.11g only, then devices set to 802.11b only (or incapable of faster) will be unable to connect. Safest is to set the WAP to both b/g, although I have found that the most reliable is to set the WAP to b only - at an obvious performance penalty.

How many people are accessing the wifi network at any one time? If you have more than 10 or a dozen people connecting to a wifi router designed for home use it may well be just working too hard with the encryption overhead.

You could try adding a second WAP to the LAN side of the existing WAP to increase capacity. Even better make it a different brand! You can have the same network key even with a different SSID (e.g. SSID1, SSID2).

Can you get any of the non-connecting devices to function with encryption switched off on the WAP?

Can all the devices see the SSID? What is the signal strength like? Is there interference from other nearby networks? You can experiment with the channel (made easier if you know what channels other networks are using) to improve reception - also the orientation or location of the aerial.

SD

IO540
23rd Feb 2008, 13:17
You will never be able to overcome the incompatibilities and user configuration issues with wifi (particularly secure wifi), unless you are managing a corporate environment with uniform hardware and software, and a managed key-sharing infrastructure.

Very much agree.

A lot of portable devices do not support WPA.

All should support plain 64-bit WEP but there are several ways of entering the password/key. I've been to numerous hotels where they give you the key for their private wifi network, but I could not get it to work despite trying it as both ASCII and hex, replacing 0s with Os, trying upper/lowercase, etc.

The best way is to leave it wide open, IMHO.

I believe cafes etc use commercial software which uses the MAC address of the device as the user ID and allows him X amount of time, potentially purchased with a credit card etc. No encryption involved at all; much more compatible. Whether there is a free or cheap way of doing this I don't know.

mdc
23rd Feb 2008, 14:36
If you don't mind Linux, there are plenty of free/open source public wifi hotspot captive portal systems available. I've used NoCatNet in the past, but there seem to be plenty of other alternatives now.
Have a quick search on Google for captive portal (http://www.google.com/search?hl=en&client=safari&rls=en-us&q=captive+portal&btnG=Search) / captive portal livecd (http://www.google.com/search?hl=en&client=safari&rls=en-us&q=captive+portal+livecd&btnG=Search).

Wing Commander Fowler
23rd Feb 2008, 16:29
Hmmmm thanx guys. Pontius, it's not a matter of convenience - they are offering a service and it's the requirement of that service to work which is the issue.

Saab - pretty much as I thought, thanx. I may try to get them to leave it open. I doubt that they would lose much business to people too tight-fisted to even buy a cup of coffee at €1.50!!! As long as customers know it's open and behave accordingly it's their risk I suppose.

So, that's it!

Thanx again to all!

Fowler.

Pontius Navigator
23rd Feb 2008, 16:39
Hmmmm thanx guys. Pontius, it's not a matter of convenience - they are offering a service and it's the requirement of that service to work which is the issue.

I may have phrased it poorly. What I mean is that the open system should not compromise the users' computers.

Our local hotel has an open wifi which enables you to browse the hotel website from the car park and decide if you want to stay there :) But to access the web you need the access code.

Another hotel we visited on Sunday had a little card in the hall that had the access code. One can guess the former charged and the latter was free.

If you did go for an access code then it would soon become common knowledge so perhaps Open/Disabled is the way to go.

IO540
24th Feb 2008, 15:05
It's easy to limit a wifi access point to only allow some ports, or blocks of ports.

I have a Linksys WRT54GC which can be configured to ban 2 or 3 blocks of ports. So, to prevent obvious abuse, you would block everything below 59 and everything above 443, and if possible everything between 80 and 443.

That will allow HTTP and HTTPS, and DHCP, and will stop POP, SMTP (spamming), anybody but clever P2P users.

I hope I got the above ports right. For a usable "internet cafe" usage, you need 80, 443, and DNS and DHCP and I don't have the last two handy.

But the point is that by blocking ports like 137-139 (IIRC) you stop windoze networking protocols so even if you have other PCs on the wired network, nobody should be able to see them, never mind connect to them. Unless, that is, they can work out a port 80 attack; for that they would need to guess which IP they are on, and try to find a back door in windoze that responds on port 80.

Another easy thing is to limit the max # of DHCP clients to say 10.

And if you got some idiot taking advantage, you just block his MAC address; that will stop him until he gets another laptop...

I have done all the above on the wifi AP I have here, to provide internet access for my teenage son (and his mates, whose laptop(s) are regularly infected with every virus imaginable), and I don't want the stuff to spread.
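The port-range scheme IO540 describes above, and the wired/wireless separation Saab Dastard raised earlier, modelled as an added example (not code from the thread): constructed guest flows are evaluated against the described block-list and against an allow-list that also isolates the wired LAN, and the allow-list is rendered as iptables FORWARD rules. The LAN range 192.168.1.0/24 and the interface name wlan0 are assumptions.

```python
"""Guest-wifi egress policy model (added example; not code from the thread).
IANA ports: DNS 53, SMTP 25, POP3 110, NetBIOS 137-139, HTTP 80, HTTPS 443.
The LAN range and interface name below are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed: the bar's wired PCs live here
GUEST_IF = "wlan0"                   # assumed: guest wifi interface on the gateway

@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: str   # "tcp" or "udp"
    dport: int

def range_blocklist(flow: Flow) -> bool:
    """Block-list as described in the thread: deny below 59, above 443 and
    strictly between 80 and 443. It never inspects the destination, so wired
    hosts stay reachable on the open ports, and 53 (DNS) falls below 59."""
    p = flow.dport
    return not (p < 59 or p > 443 or 80 < p < 443)

ALLOWED = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}

def allowlist(flow: Flow) -> bool:
    """Allow-list: only DNS/HTTP/HTTPS, and nothing on the wired LAN. DHCP is
    answered by the gateway itself, so it never crosses the FORWARD path."""
    if ip_address(flow.dst_ip) in LAN:
        return False
    return (flow.proto, flow.dport) in ALLOWED

def iptables_rules() -> list:
    """Render the allow-list as iptables FORWARD rules for the guest interface."""
    rules = [f"iptables -A FORWARD -i {GUEST_IF} -d {LAN} -j DROP"]
    for proto, port in sorted(ALLOWED):
        rules.append(f"iptables -A FORWARD -i {GUEST_IF} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {GUEST_IF} -j DROP")
    return rules

# Constructed sample flows from a guest laptop (TEST-NET addresses).
SAMPLE = [
    Flow("198.51.100.53", "udp", 53),    # DNS lookup
    Flow("198.51.100.80", "tcp", 443),   # HTTPS to a web site
    Flow("198.51.100.25", "tcp", 25),    # outbound SMTP: spam risk
    Flow("192.168.1.10", "tcp", 80),     # web UI of a wired PC on the LAN
    Flow("192.168.1.10", "tcp", 139),    # NetBIOS session to a wired PC
]

def evaluate(policy) -> dict:
    """Map each sample flow to True (allowed) or False (dropped) under policy."""
    return {(f.dst_ip, f.proto, f.dport): policy(f) for f in SAMPLE}
```

Running `evaluate(range_blocklist)` and `evaluate(allowlist)` side by side shows the difference: the block-list drops the DNS lookup but still lets the guest reach the wired PC's web UI, while the allow-list does the reverse.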

mdc
24th Feb 2008, 19:12
And if you got some idiot taking advantage, you just block his MAC address; that will stop him until he gets another laptop...

MAC addresses are ridiculously easy to spoof on most of today's operating systems - directly on Solaris, Linux and Mac OS X, and either directly or via freely available utilities on Win32 platforms - so should not be relied on.

Saab Dastard
24th Feb 2008, 20:24
I have a Linksys WRT54GC which can be configured to ban 2 or 3 blocks of ports.

Does this not block ports between inside (wired and wireless) and outside the firewall rather than between wired and wireless?

SD

Wing Commander Fowler
27th Feb 2008, 18:50
Sorry chaps - I lied!!!

It's WPA-Personal with TKIP.

Does that explain anything particularly regarding the iPhones at all?

Cheers

Saab Dastard
27th Feb 2008, 19:36
No - it is what one would expect, and still requires you to enter the WPA access code in the wifi connection settings for the iPhone (or any device).

SD

IO540
29th Feb 2008, 13:17
Does this not block ports between inside (wired and wireless) and outside the firewall rather than between wired and wireless?

It blocks those ports on the wireless subsystem - exactly what one wants.

This AP has only the one ethernet connector.

Saab Dastard
29th Feb 2008, 14:31
This AP has only the one ethernet connector.

Strange, the WRT54GC has a 4-port LAN switch built in...?

If you have a WAP only (e.g. WAP54G), then it will have a single uplink ethernet port to connect to another ethernet network switch. However, this is a Layer 2 connection only, and as such it knows nothing about layer 3 protocols such as TCP/IP where ports are defined.

Perhaps we are talking at cross-purposes here?

SD

IO540
29th Feb 2008, 19:27
Dammit, SD, you are quite right.

I am just not using the four-port ethernet switch. I guess I am connecting to what is called the "WAN" ethernet port.

The port number block limits I referred to do operate on the wifi connection. I can confirm this because if say you block ports 137-139 it kills windoze networking for any wifi connected PC (exactly what is wanted). Similarly you can kill off POP/SMTP etc.

I have a WRT54G Linksys router at work which also has an ethernet WAN port, a 4-port ethernet switch, and wifi. But this router is different - it has config options for port forwarding etc between the WAN port and the four-port switch, but (from memory) no port number blocks on the wifi subsystem. We use it as a simple NAT firewall.

Linksys built most of their products on Linux and various open source code, AFAIK.