Wireless Networking Hardware

Wireless APs in Homebrew Coffee Shops? 523

Posted by Cliff
from the instant-cybercybercafe:-just-add-water dept.
An anonymous reader writes "Seeing lots of complaints about the overpriced T-Mobile Wireless APs in Starbucks ($10/hr) got me thinking about setting up a wireless AP for the small, family-owned coffee shop in my town under the tip jar model. I'm assuming ~$100 for the router, ~$500 for a PC to use to control quotas (to prevent over-zealous Kazaa users, block spammers and script kiddies and other would-be abusers) - but what software should I be using? Do enough people have 802.11a/g cards that it would be worth it to invest in that rather than an 802.11b router?" Has anyone considered making a Linux distribution for use by cybercafes, to handle wireless access and anything else such an outfit might need?

"Since this is a medium (50,000-ish) size town, and pretty much everyone in the coffee shop is a regular, would a tip jar model work? I'm figuring suggest a donation - what should I set that at?

Finally, keep in mind that the owner is not a geek - I'd be doing this when not studying (I'm a college student), so this would be set up over the summer, and most of the maintenance would be done on the weekends and/or via SSH.

Any other thoughts would be appreciated."



  • by yar (170650) * on Monday December 29, 2003 @12:07PM (#7828263)
    http://www.austinwireless.net/cgi-bin/index.cgi
    They've got several low-cost setups all around the Austin area.
  • router (Score:3, Informative)

    by Anarke_Incarnate (733529) on Monday December 29, 2003 @12:08PM (#7828272)
    Well....figure on it this way. Each router or access point does not give 11mb (more like 3-6mb in actuality) to each node, but they end up sharing it. I suggest you invest in a switch, a regular router and some access points.
  • Try Sputnik... (Score:2, Informative)

    by drdreff (715277) on Monday December 29, 2003 @12:10PM (#7828291) Homepage Journal
    http://www.sputnik.com/ has more of what they are doing now, but 18 months ago I was using their boot-cd linux distro on a laptop to create an AP.
  • by Anonymous Coward on Monday December 29, 2003 @12:10PM (#7828293)
    The later versions even do throttling.

  • by The One KEA (707661) on Monday December 29, 2003 @12:10PM (#7828294) Journal
    That sounds reasonable - I run a dedicated Linux firewall on a P-!!! 933MHz with 512MB PC133 SDRAM on a Soyo SY-7VEM, and it works quite nicely as a firewall, Samba master browser and DNS server. The processor, mobo, and case (with PSU) came out to approx. $300, IIRC.

    The parent was right - try going to a nearby computer show, you'll probably find something fairly cheap that will do the trick.
  • Kazaa? (Score:1, Informative)

    by Anonymous Coward on Monday December 29, 2003 @12:10PM (#7828298)
    I'd block Kazaa altogether. Freedom of whatever, blah, blah, but you're setting yourself up for legal action if you're knowingly letting your customers do this... and they're eating YOUR bandwidth for free.

    Personally, I'd use OpenBSD to do the firewalling/routing.

    HOWEVER, DO NOT USE AN OPEN AP --- FORGET WEP KEYS TOO!

    Set up a proxy server for all net access. Rotate the UN/PW combo and as someone else similarly suggested, PRINT THE PROXY SERVER PW on the receipt. This way you'll be protected from MALICIOUS WARDRIVERS.
  • by Binestar (28861) on Monday December 29, 2003 @12:12PM (#7828312) Homepage
    You can do what you are looking to do very inexpensively (not counting time) if you get a Linux supported PCMCIA card and a Toshiba SG-20. The SG-20's are available for ~$200 (Cheaper on ebay I'm sure) and they have a built in 7 port hub, 1 external interface, and a PCMCIA slot which you can put the wireless card into and set up an ad-hoc network for wireless users.

    I currently use the SG-20's for a managed firewall solution for small businesses which I run Gentoo on. (You can substitute your Distribution of choice of course)
  • Re: Popularity (Score:2, Informative)

    by Silverkm (562018) * on Monday December 29, 2003 @12:12PM (#7828322)
    What kind of popularity are you expecting?
    20 people sharing a single dsl/cable line would not be very practical, so you would have to factor in the cost of a faster internet connection.

    Do enough people have 802.11a/g

    If you go with 802.11g router it will support both b/g and if you go for a 802.11b router, almost all 802.11g cards will support it.
    Although, 802.11g built in cards, (most new notebooks) from my experience have a hard time connecting to 802.11b. As for 802.11a, forget it, because no one will have a card for this, and it's rare that there is any compatibility, because it uses the 5 GHz frequency.

  • by aheath (628369) * <adam.heath@comcast.net> on Monday December 29, 2003 @12:13PM (#7828325)
    O'Reilly Associates [oreilly.com] has a book on this topic called Building Wireless Community Networks [yahoo.com]. The Second Edition was published last June. The ISBN is 0-596-00502-4.

    I have not read the book, but I have looked at the table of contents and the index. The book looks to be designed to answer many of the questions that you have asked. Hopefully someone on Slashdot has read the book and can tell you if it will help you in your effort to set up a wireless network at your local coffee shop.

  • by Chuck Bucket (142633) on Monday December 29, 2003 @12:13PM (#7828326) Homepage Journal
    Get a WiFi card (I got a Netgear MA311 refurb from Fry's for $30), an old PC, configure it running FreeBSD to serve as an access point for your wireless network. Here's a great HOWTO:

    Configuring a FreeBSD Access Point for Your Wireless Network [samag.com]

    CB
  • by specht (13174) on Monday December 29, 2003 @12:13PM (#7828329) Homepage
    See the Linux Journal article at http://www.linuxjournal.com/article.php?sid=6887 [linuxjournal.com]
  • Soekris (Score:1, Informative)

    by Anonymous Coward on Monday December 29, 2003 @12:14PM (#7828344)
    Why spend $500 on a noisy, failure prone PC when you can buy a small embedded computer that acts as an access point and a router? A Soekris net4521 [soekris.com] is an excellent choice at $235. You can even get a high power 802.11b PCMCIA card, pigtail, and antenna kit [netgate.com].

    The OS work is already done for you as well, check out m0n0wall [m0n0.ch] for a complete FreeBSD solution with a fancy GUI config system, or one of the small Linux AP distros, or roll your own. I run OpenBSD on mine.
  • by tallman68 (586637) on Monday December 29, 2003 @12:16PM (#7828371)
    Might as well stick with b, if a b/g radio sees a b signal, the speed drops for all. Unless you hard set it to "g-only" then you lose most of your "customers".

    Unless you want to put in 2 radios, but this is tip jar.
  • by tomwhore (10233) on Monday December 29, 2003 @12:19PM (#7828397) Homepage Journal
    A lot of what you're talking about has been deployed to over 20 business locations and a horde more home sites here in Portland Oregon by a group called the Personal Telco Project.

    http://www.personaltelco.net

    We use NoCat on linux based boxes and it covers most of what you're looking to do. You can set up Auth or simply a Splash, you can do throttling, shaping and the like, you can set up local content areas for biz and community use.

    It's amazing what older PCs and low cost APs can do. Most of the stuff is easy to install, the few rough spots, like NoCat, have been field tested and methodologies have been crafted to make it easier to set up and maintain.

    Come on over to the url posted above for more information or head to #ptp on irc.freenode.net and ask for more info.
  • Plug Plug Plug (Score:3, Informative)

    by FatRatBastard (7583) on Monday December 29, 2003 @12:20PM (#7828400) Homepage
    In my old neighborhood the local indie coffee house is Common Grounds [commongrou...ington.com]. They have set up something similar (free access, tip jar to help pay). It couldn't hurt to drop them an e-mail and see how they've set things up.
  • by Aardpig (622459) on Monday December 29, 2003 @12:20PM (#7828405)

    Further, it probably doesn't even require $500 for a PC capable enough to do the job...if you have any computer shows in your area, you could probably just pick up an old (but reasonably loaded) PIII box for ~$100-$150.

    One caveat, however, which has bitten me on the ass before. Some wireless cards (esp. ones made by D-Link) are designed for use with PCI 2 compliant motherboards. Unfortunately, most Pentium III motherboards are based on PCI 1, and won't even "see" a PCI 2 card. Accordingly, before you shell out on a 802.11b PCI card, check that it will work in your "legacy" machine.

  • OpenBSD, pf, ALTQ (Score:5, Informative)

    by Beryllium Sphere(tm) (193358) on Monday December 29, 2003 @12:20PM (#7828408) Homepage Journal
    Traffic shaping is available by default and pretty easy to set up, and it runs well on cheap old hardware. You could invest a lot of effort hardening a Linux install to match what OpenBSD has by default.

    There's provision for requiring authentication on wireless connections. Even with a tip jar model you may want that.

    Keep WEP turned off (yes, you just heard that from a security consultant!). WEP doesn't match your security model 'cause it assumes everyone using the same key trusts each other. Since it doesn't do what you need, it's not worth the cost in inconveniencing the customers.

    Turn the power down on the access point. No need to provide service to people across the street or down the block.
  • by stienman (51024) <adavis AT ubasics DOT com> on Monday December 29, 2003 @12:22PM (#7828422) Homepage Journal
    I don't think the tip jar will pay for the setup, but I suspect customers may come and drink more coffee, so it'll be worthwhile even as a learning experience.

    Go with 802.11b. Your internet connection isn't nearly fast enough to saturate 11Mb/s. Use an access point that goes to an ethernet card on the computer, which has another card that goes to the internet. If you want to run a wired or private network as well, hang a third card off the computer and make sure no one can go from the public network to the private one, only to the internet.

    Then go wild with the linux. Be aware that the more programs you run, the more vulnerable you are to attacks. You'll be ssh'ing in every month to update the software if you use any new software that hasn't undergone the rigors of years of public internet testing.

    Alternately, use an AP/Router combination. Make sure you don't skimp. Many have ability to block ports, limit usage, etc. You won't be able to prevent spammers as easily, but your ISP will tell you if that's becoming an issue. If so, put in a box later.

    -Adam
  • by maya (90492) on Monday December 29, 2003 @12:24PM (#7828442) Homepage
    I set up a wireless system at the Brew House [brewhouse.com] in Cincinnati, which gets a fair amount of use and which has helped bring new customers into a neat neighborhood bar. When we first set the system up, we had all sorts of rules and regulations, and we were putting considerable effort into keeping track of who was allowed to use the system and making sure that users were "registered". We dropped all that, because it just wasn't worth it. Our costs for the connection are fixed, and the more people who use it, the better we like it. Now there are just four rules: keep it legal, keep it clean, keep it civil, and have fun. And we rely on the honor system to enforce those.

    With regard to 'g' vs 'b' standards, the only purpose for the wireless router in a pub or cafe is to connect to the Internet, and a faster network doesn't improve that connection. Even at cable modem speeds, the Internet connection is still considerably slower than an 802.11b LAN.

    For the Brewhouse system, we scavenged a couple of old PCs from customers and loaded Linux on them, and we got a wireless router on sale at MicroCenter for $40. The cost of a business connection to our local cable is the most significant cost we incur, and the proprietor thinks that is worth the buzz it creates, even if it didn't attract new customers.

    Richard
  • by jafo (11982) on Monday December 29, 2003 @12:25PM (#7828453) Homepage
    You clearly want to look at the Soekris [soekris.com] small form factor computer like the 4801, mini-PCI WiFi cards such as the kits available for the Soekris at NetGate [netgate.com], and set them up with a 128MB CF card instead of a hard drive and install Pebble Linux [nycwireless.net] on it.

    The end result of this is a small integrated PC with no moving parts, and mounts its file system read-only so no worries about corruption, with a built-in access point. These work great, and are a bit larger than the size of a VHS cassette.

    I've deployed a number of these, and they are rock solid. Plus, they have advanced routing capabilities thanks to Linux, and the ability to block infected or abusive users from re-associating with the AP.

    As far as going with 802.11 a or g... You must be pulling in some pretty mighty bandwidth to need to use something faster than 802.11g. Pebble includes "MadWiFi", a driver for some a/g cards, but I haven't used it.

    Sean

  • by squarefish (561836) * on Monday December 29, 2003 @12:29PM (#7828496)
    But we're not charging and the isp (covad) requires email authentication through their servers for any smtp traffic- it would be very difficult to control web based mail.

    we basically set it up as a free spot, as the owner didn't want to take any time away from the bartenders [quenchers.com] serving beer.

    it's just a 1.5/384 adsl line from covad with a zyxel prestige 645 and a linksys wap54g- g is easy because it's fully compatible with b and only a slight price increase, I wouldn't mess with a.

    zyxel makes a great 'hotspot in a box' [eweek.com] that features the receipt printer and seems to do a great job overall. I think it was about $600 at that time.

    funny, I submitted a very similar 'ask slashdot' in july and it was rejected- I don't even attempt to submit stories anymore, I know someone else will eventually and it will be accepted.
  • by Lumpy (12016) on Monday December 29, 2003 @12:33PM (#7828526) Homepage
    you can do it with far less hardware.

    802.11b is the absolute maximum you should go. it's silly to go higher when your Internet access is slower than 802.11b with 10 users on that same access point.

    next you need a firewall, a P-1 166 will do it perfectly and handle twice the load that you will ever see ... this is a freebie most anywhere... no hard drive needed just get frasierwall or freesco single floppy firewall distros... you MUST firewall off your wireless from you and your internet... consider it more hostile than the internet ever could be.

    now go to here [nocat.net] and get their system that works great and will solve most all your worries.

    Oh and be sure to survey your entire area to be sure there is good access in every sitting location but not much available outside your desired coverage area.

    basically, if you already have a commercial T-1 or other business level internet access in your building you can get it installed and running for less than $200.00 in hardware and a couple of weekends of time.

  • by supremebob (574732) <themejunky AT geocities DOT com> on Monday December 29, 2003 @12:34PM (#7828544) Journal
    ZyXEL [tomshardware.com] has already made a WAP that was designed for small business owners who want to build and bill for their own WiFi Hotspot.

    It's relatively cheap, and your local coffee shop won't need a geek on-site to set up and maintain it.

  • by hodet (620484) on Monday December 29, 2003 @12:35PM (#7828556)
    Article in Linux Journal describes the whole thing and just may be the ticket you are looking for.

    http://www.linuxjournal.com/article.php?sid=6887 [linuxjournal.com]

  • Read this first (Score:3, Informative)

    by mike260 (224212) on Monday December 29, 2003 @12:41PM (#7828599)
    This [oreillynet.com] may affect your decision.
  • by possible (123857) on Monday December 29, 2003 @12:41PM (#7828600)
    People have had good luck with the Soekris [soekris.com] hardware for these types of applications. In particular, they make tiny x86 computers that you can mount on the wall, they are optimized for wireless applications (they run Linux, *BSD) and they have very low power consumption and no moving parts. TechTV ran an article [techtv.com] on how to build a Linux-based WAP with the Soekris Net4521.

    I've been using one of their older models, the Net4501, for over a year now as an OpenBSD firewall. It's nice to have a configurable firewall in my home office that makes zero noise whatsoever.

  • by arth1 (260657) on Monday December 29, 2003 @12:43PM (#7828619) Homepage Journal
    Might as well stick with b, if a b/g radio sees a b signal, the speed drops for all. Unless you hard set it to "g-only" then you lose most of your "customers".

    Modern 802.11g equipment, i.e. everything made or flashed after the standard was finalized, will support CTS. In a mixed b/g environment, this ensures that any device being cleared to send will be able to do so at its full speed.

    What's more detrimental to speed is if someone talks on a 2.4GHz cordless phone or nukes something in the microwave.

    Regards,
    --
    *Art
  • by Anonymous Coward on Monday December 29, 2003 @12:45PM (#7828633)
    I would agree with you if the customers could benefit from the encryption, but since WEP doesn't support per-connection keys, they gain no security. A WEP key is (registration key kind of) long, so even if the customers know how to set it, it is an unnecessary burden. I'd hand out short simple one-time passwords with every beverage. Then redirect new/expired MAC addresses to a webpage where the customer enters the password (use HTTPS), upon which the webserver grants access for a limited time. This way you keep complete freeloaders and people who would make camels proud out. Don't use WEP, it creates a false sense of security.
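The one-time-password captive portal described in the comment above, as an added Python example (not code from this thread or from any project linked in it). It assumes a hypothetical Portal class sitting between the firewall and a login page: a short code is generated per beverage, redeemed once against the client's MAC address, and the resulting grant expires on its own; unredeemed codes expire too. The clock is injectable so the expiry logic can be exercised without waiting. Serving the login page over HTTPS and wiring has_access() into the firewall are outside the example.

```python
"""Captive portal with per-beverage one-time passwords.

Constructed example for this thread, not from any project. A client whose
MAC address holds no valid grant is sent to the login page; there it
redeems the short code printed on its receipt and gets Internet access for
a fixed window. Codes are single use and expire if unredeemed.
"""
import secrets
import string
import time

ALPHABET = string.ascii_lowercase + string.digits   # short, easy to type


class Portal:
    def __init__(self, grant_seconds=2 * 3600, password_ttl=24 * 3600,
                 clock=time.time):
        self.grant_seconds = grant_seconds   # access window per redeemed code
        self.password_ttl = password_ttl     # unredeemed codes expire too
        self.clock = clock                   # injectable for testing
        self._unused = {}                    # code -> issued-at timestamp
        self._grants = {}                    # mac -> expiry timestamp

    def issue_password(self, length=6):
        """Generate a fresh single-use code to print on the receipt."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._unused[code] = self.clock()
        return code

    def redeem(self, mac, code):
        """Exchange a code for a time-limited grant bound to this MAC.

        Returns False for unknown, already used or expired codes. The code
        is removed either way, so a stale code cannot be retried later.
        """
        issued = self._unused.pop(code.strip().lower(), None)
        if issued is None or self.clock() - issued > self.password_ttl:
            return False
        self._grants[mac.lower()] = self.clock() + self.grant_seconds
        return True

    def has_access(self, mac):
        """Firewall hook: may this MAC reach the Internet right now?

        A lapsed grant is dropped here, so the client lands on the login
        page again on its next request.
        """
        mac = mac.lower()
        expiry = self._grants.get(mac)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self._grants[mac]
            return False
        return True

    def active_clients(self):
        """MACs currently allowed out (for the owner's monitoring page)."""
        now = self.clock()
        return sorted(m for m, exp in self._grants.items() if exp > now)


if __name__ == "__main__":
    portal = Portal(grant_seconds=60)
    receipt_code = portal.issue_password()
    laptop = "aa:bb:cc:dd:ee:01"                # constructed MAC address
    print("before login:", portal.has_access(laptop))
    print("redeem:", portal.redeem(laptop, receipt_code))
    print("after login:", portal.has_access(laptop))
    print("reuse code:", portal.redeem("aa:bb:cc:dd:ee:02", receipt_code))
```

Binding the grant to a MAC address keeps the freeloaders out as the comment intends, but it is only as strong as the MAC itself; the real protection is that every grant times out, so a borrowed or copied address stops working on its own.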
  • by sunryder (192810) <nathanlaan&hotmail,com> on Monday December 29, 2003 @12:51PM (#7828681) Homepage
    Here is *exactly* what you need :
    http://www4.tomshardware.com/network/20031016/index.html

    According to the review, it is a "802.11b Hotspot router aimed at the wireless-with-your-latte Mom 'n Pop store-owner. Includes receipt printer"
  • Re: block IP ports (Score:5, Informative)

    by RT Alec (608475) * <alec@NOspaM.slashdot.chuckle.com> on Monday December 29, 2003 @12:52PM (#7828694) Homepage Journal

    This is exactly the approach I took when setting up a similar hotspot. I published some of the technical details here [lakeanne.net]. We use mostly Netgear wireless routers, and a FreeBSD box for the core firewall/gateway.

  • by Anonymous Coward on Monday December 29, 2003 @12:53PM (#7828711)
    TC WiFi relies mostly on donations from the community (old machines, bandwidth, etc.)

    Not sure of the town the poster is in, but Traverse City does a great deal of tourist business in the summer; WiFi is brought to some of the more popular parks and the main marina in the summer.

    Unfortunately, each of the 1,000 new coffee places springing up over town (and, of course, our existing Borders) thinks that they will make money off the wifi rather than using the existing (free) infrastructure and minimal advertising.

    FYI -- The only decent cup of coffee in downtown TC is Crema/Good Harbor. Starbucks doesn't have a downtown location ... yet!
  • by Anonymous Coward on Monday December 29, 2003 @12:55PM (#7828722)
    Don't block UDP/500<->UDP/500 (ISAKMP), UDP/4500<->UDP/4500 (NAT-T), IP protocol 50 (ESP) and IP protocol 51 (AH). Same goes for TCP/1723 and IP protocol 47 (GRE). You don't want to keep out business people who need to access the company (IPSec/PPTP) VPN.
  • by kenjib (729640) on Monday December 29, 2003 @12:57PM (#7828737)
    One thing to consider is that there is a problem with using a 802.11g card in that the backward compatibility with 802.11b works such that only one standard can be in use at a time. So, a single 802.11b NIC on the wireless network will make the router drop to 802.11b standard and all of the 802.11g NICs will be stuck with the slower speed as well. This means you only get the added speed gains for 802.11g if every single device in range is using that standard. I believe the manufacturers are looking into addressing this with a possible firmware upgrade, but I'm not sure where that stands currently.
  • Go cheap (Score:3, Informative)

    by anaphora (680342) * on Monday December 29, 2003 @01:05PM (#7828789) Journal
    I don't think the tip jar will pay for the setup, but I suspect customers may come and drink more coffee, so it'll be worthwhile even as a learning experience.

    Go with 802.11b. Your internet connection isn't nearly fast enough to saturate 11Mb/s. Use an access point that goes to an ethernet card on the computer, which has another card that goes to the internet. If you want to run a wired or private network as well, hang a third card off the computer and make sure no one can go from the public network to the private one, only to the internet.

    Then go wild with the linux. Be aware that the more programs you run, the more vulnerable you are to attacks. You'll be ssh'ing in every month to update the software if you use any new software that hasn't undergone the rigors of years of public internet testing.

    Alternately, use an AP/Router combination. Make sure you don't skimp. Many have ability to block ports, limit usage, etc. You won't be able to prevent spammers as easily, but your ISP will tell you if that's becoming an issue. If so, put in a box later.
  • nocat.net (Score:2, Informative)

    by SenatorTreason (640653) <senatortreason@NOspAM.gmail.com> on Monday December 29, 2003 @01:10PM (#7828833)
    Check out these folks [nocat.net]. They have everything you need for your purposes. Here is their wiki for some more info about the actual software involved [nocat.net].
  • Misleading write-up (Score:3, Informative)

    by Nexus7 (2919) on Monday December 29, 2003 @01:19PM (#7828889)
    It's misleading to quote this $10 number for Starbucks. Monthly all-you-can-eat is $30 ($20 for T-mobile cell phone subscribers). For this price, you're getting the use of every Starbucks and Borders hot-spot out there and you know there are a few around. If you're in any place of a reasonable size, you know you can find one pretty easily, and you know you can hop on with no hassles. If you go by the hour, then sure you're going to pay more, but unless you surf like once a month, you're not going to go that route. That'd be for people on travel and it's worth more than $10 to the business for the connectivity.

    There are many things family-owned coffee-shops are good or better for, but let's not knock *$ gratuitously. And there are things definitely lacking in *$ HotSpot service, but clearly you're not interested in addressing connectivity issues, you're interested in a business model for hot-spot service. And to qualify that, the issues with HotSpot service are mainly due to it being platform-independent (read "works with Linux").
  • by Glonoinha (587375) on Monday December 29, 2003 @01:22PM (#7828914) Journal
    Whatever else you do, change the default password on the router.
  • by Anonymous Coward on Monday December 29, 2003 @01:58PM (#7829222)
    I used to hang out in a coffee shop called Bean Trader's [beantraders.net] in the Durham area, which has had free Wi-Fi at two locations for about a year and a half now. You should definitely check it out if you're in the area. Or, if you just want advice, call the owners, Dave and Christy, they are very friendly, and I'm sure they would be happy to tell you about their real-world experience with this. (Tell them David and Amber say "hi.")

    The owners are NOT techies, and installed Wi-Fi in their first location basically as a favor for me and another customer (since then I moved, and he went to jail, but that's another story). Since then, however, they have had no trouble maintaining it themselves, and have found it so successful, that they are planning to make it a permanent fixture at every store they open in the future.

    Here's the formula they have found successful: A DSL connection for broadband internet (though a cable connection should work as well), and a combination wireless router/access point (they use Apple AirPorts, but there are cheaper models which would work fine too). That's it.

    Yup, you heard me right - they don't even have a computer! The Wi-Fi is wide open, 24-7, for everyone to use for free. If the connection drops, they unplug the router and plug it back in, and if that doesn't fix it, they call the DSL company and have them fix it. It cost them about $100 to start (for the router), and $50 a month for the access. They've told me that the increased business has paid for those expenses MANY times over, so even while their customers see it as a gift, the truth is it makes them lots of money. They have had almost no trouble at all with people hogging the line, or any of the other things which you might expect to go wrong.

    And that business model actually makes sense if you think about it. Consider McDonalds playlands, for example. McDonalds is ALL about making money, yet the playlands are free. Why? Wouldn't it be more logical to charge a small fee to cover the cost of the playland? Logical, perhaps, but not profitable. Making the playland free brings more customers into McDonalds, and they make far more money selling food to those customers than they ever would if they charged admission to the playland. It's the same deal at a coffee shop. Just think of Wi-Fi as a playland for adults, and the business model is identical.

    Also, making it free has other perks for the business owner. When people pay for something, they expect a certain level of service. But it's not reasonable to expect coffee servers to do tech support of any kind. When the service is free, if someone has a technical problem, the server can say "sorry, it's free, so we don't support it - try asking one of the other customers." I know it sounds odd, but it actually works well. When I used to hang out there, just a customer myself, I probably helped someone new configure their laptop wireless card at least two or three times a week. And it was a great way to break the ice and meet new people too.

    Trust me, just throw a router/access point on a broadband connection and call it done. I've seen it first hand, and it works better than you think.
  • Re:Your mom. (Score:2, Informative)

    by Golias (176380) on Monday December 29, 2003 @02:15PM (#7829343)
    ... So does anyone else who has a recent Mac...
    ... she would surely be able to handle a simple web proxy form, but not a WEP password.

    Have you ever used a Mac's "Airport" connection with a WEP!? It's less work than setting up web proxy settings.

  • by jroysdon (201893) on Monday December 29, 2003 @03:02PM (#7829706) Homepage
    I'd never consider 802.11a at this point, the marketshare is all in 802.11b.

    So, the next question is, should you go 802.11g (~54mbit), which is backward compatible with 802.11b?

    How fast is your internet access going to be? Is it even going to be faster than 802.11b will provide (11mbit)? If users want to do laptop to laptop transfers, they should just use a crossover ethernet cable (100mbit). Hint: Most ADSL is 384kbit and will let you grab ~1mbit when things aren't busy at the ISP. 1mbit is "fast" for most folks.

    IMHO, the owner should just see it as a way to increase his customer base for his existing revenue model, and have a cool thing to do when things are slow (but need to keep the other employees in check if things aren't getting done and he's not there all the time).

    Further, I'd suggest a caching engine like Squid [squid-cache.org], which can help with content filtering as well (say for employees, make them login before they can surf so you can track their time, etc.). Squidguard [squidguard.org] is my filter preference for filtering and there are many free content DBs online.

    I'd be filtering porn sites, probably gambling, probably hate sites, etc., as I'd not want one customer offending another with graphic images. Of course, you could say MYOB and tell the guy to sit where no one can see his laptop, whatever...

    NoCat [nocat.net] is a good authentication model as well just so you can track folks in case something illegal is taking place.
  • by austad (22163) on Monday December 29, 2003 @03:56PM (#7830175) Homepage
    Don't block UDP/500<->UDP/500 (ISAKMP), UDP/4500<->UDP/4500 (NAT-T)

    Actually, NAT-T ports vary between vendors. Cisco uses 10000, Nortel uses 10001 or 10002. And the admin of the VPN concentrator can change that to whatever port he wants. Just allow all UDP through and it will work fine.
  • by Angst Badger (8636) on Monday December 29, 2003 @04:03PM (#7830228)
    Hell, block everything except http, https, ftp and DNS.

    Great, so you can browse the web and transfer files to insecure sites. But then you can't send or receive mail, make secure file transfer (scp) or shell (ssh) connections, or use any kind of instant messaging client. In other words, if your idea of internet access is limited to passively absorbing web pages, you're covered, but if you were thinking of actually doing anything, it's useless.

    If you want to avoid abuse of a tiny wireless network, what you're mostly going to be concerned about is bandwidth consumption. There are quite a few [freshmeat.net] tools for controlling bandwidth consumption under Linux; check them out. If you aren't providing all available bandwidth to the first user who tries to hog it, neither Kazaa abusers or coffee-swilling part-time spammers are going to cause you much grief.

    If you want to get a bit more fine-grained than that, there are a buttload [freshmeat.net] of tools to help you monitor what your users are doing, and many of them are scriptable and can set off some kind of alarm if someone is behaving badly.

    In any event, you'll offer a much better service if you block only those things which you want to always avoid from the outset, and install tools to help you detect and interrupt the occasional abuse of otherwise innocuous services.
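To make the bandwidth-policing argument in the comment above concrete, here is an added Python simulation (constructed for this page, not code from the thread or from any tool linked in it). It models a shared uplink with a token bucket per client and compares an unshaped link, where the first heavy sender takes everything, with a per-client cap under which the hog is held to its share while the light users get their full offered rate. The rates, the 1500-byte packet size and the 100 ms burst allowance are assumptions; real shapers (ALTQ, tc) do the same accounting in the kernel.

```python
"""Per-client bandwidth policing with token buckets.

Constructed example, not code from the page or any project. It simulates
a shared uplink to show why rate-limiting each client, rather than
blocking ports, keeps one bandwidth hog from starving everyone else.
"""

PKT = 1500  # bytes per packet; assumed MTU-sized frames


class TokenBucket:
    """Classic token bucket: tokens refill at rate_bps, up to `burst` bytes."""

    def __init__(self, rate_bps, burst):
        self.rate = rate_bps / 8.0      # bytes per second
        self.capacity = burst
        self.tokens = burst             # start full
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.rate)
        self.last = now

    def has(self, nbytes):
        return self.tokens >= nbytes

    def take(self, nbytes):
        self.tokens -= nbytes


def simulate(offered_bps, link_bps, per_client_bps=None,
             seconds=10.0, tick=0.01):
    """Return delivered bits/s per client.

    offered_bps maps client name to the rate it tries to send at; dict
    order decides who is served first each tick, so list the hog first to
    model the worst case. per_client_bps=None means no shaping at all.
    """
    link = TokenBucket(link_bps, burst=link_bps / 8 * 0.1)   # 100 ms of burst
    buckets = {}
    if per_client_bps is not None:
        buckets = {c: TokenBucket(per_client_bps, per_client_bps / 8 * 0.1)
                   for c in offered_bps}
    backlog = {c: 0.0 for c in offered_bps}    # bytes queued at each client
    delivered = {c: 0 for c in offered_bps}
    for i in range(int(seconds / tick)):
        now = i * tick
        link.refill(now)
        for client, rate in offered_bps.items():
            backlog[client] += rate / 8 * tick
            bucket = buckets.get(client)
            if bucket is not None:
                bucket.refill(now)
            # send whole packets while the client's queue, its own bucket
            # (if shaped) and the shared link all have room
            while (backlog[client] >= PKT and link.has(PKT)
                   and (bucket is None or bucket.has(PKT))):
                backlog[client] -= PKT
                link.take(PKT)
                if bucket is not None:
                    bucket.take(PKT)
                delivered[client] += PKT
    return {c: delivered[c] * 8 / seconds for c in offered_bps}


# Constructed scenario: a 1.5 Mbit/s uplink, one P2P hog offering 10 Mbit/s
# and two ordinary users offering 200 kbit/s each.
OFFERED = {"hog": 10_000_000, "alice": 200_000, "bob": 200_000}
LINK_BPS = 1_500_000
PER_CLIENT_BPS = 512_000

if __name__ == "__main__":
    for label, cap in (("unshaped", None), ("512 kbit/s per client", PER_CLIENT_BPS)):
        result = simulate(OFFERED, LINK_BPS, cap)
        print(label + ":", {c: f"{v / 1000:.0f} kbit/s" for c, v in result.items()})
```

Unshaped, the hog drains the link bucket every tick and the two light users never get a packet out; with the per-client cap the hog is held near 512 kbit/s and the others receive essentially everything they offer, which is the behaviour the comment is after without blocking any service.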
  • by leapis (89780) * on Monday December 29, 2003 @04:11PM (#7830298)
    You can probably go with 802.11b to do this, too. There is not a DSL or cablemodem link that you can get which is going to saturate an 11 Mbps 802.11b, and I have yet to see an a/g card on the market which is not backwards compatible with b. When in doubt, definitely go with the most reliable technology, as b has been out the longest and its implementations seem to have the fewest problems.

  • m0n0wall (Score:3, Informative)

    by adamsc (985) on Monday December 29, 2003 @04:29PM (#7830452) Homepage

    You can set up a Soekris [soekris.com] box running m0n0wall [m0n0.ch] and do everything in a single small box with no moving parts. Alternately you can save some cash using an old PC and either a CD-R or some sort of bootable flash drive.

    It's embedded FreeBSD and will do all of the basic AP functions plus firewalling, traffic-shaping to keep P2P hogs from becoming nuisances, local DNS registration, etc.
