How to share a public wireless connection and maintain a seperate, private wireless connection
August 23, 2006 9:19 PM   Subscribe

How do I share wifi and maintain a secure personal wireless network at the same time?

I would like to offer a rationed wifi to the street I just moved onto, but I would also like to have a full-speed personal wifi. I do not want people on the shared wifi to be able to access the personal wifi network.

I have a linksys WRT54G as well as a couple of nice Buffalo routers, and an older machine running ubuntu.

I really like the idea of installing Neighborhood Node on the WRT54G, while using the Buffalo routers as my personal, unadvertised-SSID wireless network. I thought I could somehow route these through the ubuntu machine, but google searches don't pull up too much along these lines.
posted by beelerspace to Computers & Internet (8 answers total) 9 users marked this as a favorite
 
VPN.....One of these will do the trick......

HotspotVPN.com

PublicVPN.com

Witopia Personal VPN

Well worth the money and they are not at all expensive.

BTW....I have no relationship with any of the above whatsoever.
posted by Gerard Sorme at 9:46 PM on August 23, 2006


I have a similar setup. I have the open wireless hanging off a cheap Zyxel router that's set to only run 802.11b, no encryption. (This way, I hope, nobody will be able to bogart my entire 10mbps bandwidth.) it's hooked into my main router, the D-Link DGL-4300. I set up the routing table on the Zyxel to route all packets destined for machines on my LAN (192.168.100.2-.15) to the twilight zone (192.168.100.254), and also set the firewall to block port 25 to protect against drive-by spamming. I also enabled remote admin (which means you can access admin from the WAN port, which is actually connected to my LAN) but disabled local admin, so people using the wireless can't get to the Zyxel's admin page. Also blocked (using the Zyxel's URL filter) access to my D-Link router's admin page. So, it's definitely doable.
posted by kindall at 10:12 PM on August 23, 2006


There are two issues here: bandwidth, and network access. You don't want people to be able to get from the public AP back into your private LAN and WLAN, but, if possible, you don't want to have your private LAN *double* NATted, either.

The "right" way to do this is to get a second dynamic address from your provider (which usually is not a problem; if they fuss, tell them you have an XBOX or something that isn't happy with your router -- since actually *running* an open AP probably violates your ToS); this way, both networks are only single NATted.

The alternative is to set the Ubuntu machine up as your NAT and firewall, and hang two WAPs off the back of it, on separate ethernet interfaces (for best security). This will, at the expense of a little more complexity, give you complete control of what you allow whom to do. Course, it ties up the Linux box as an appliance; you don't want to actually *use* it, if you can avoid it...
posted by baylink at 8:31 AM on August 24, 2006


Use your linux box and leet skills to set up two NATed networks. Set your WAP up as a boring old bridge. Now, you allow DHCP through the WAP to give "public" addresses using the first NATed network. You should, of course, set up some speed limiting, or at least QOS-type firewalling on this network.

Now, set up a VPN on the second NATed network using your favourite VPN software (for ease of installation with not too much security I would reccomend PoPToP, for good solid security, use IPSec). Your machines connect to the WAP and get one of the public addresses. Now you VPN into your secondary private network (which, of course, has no limits) and voila! you have your unlimited access.

Your machine is still "exposed" to the public address, so firewall it if you feel that's a problem. If you want to share anything to the public, well, that's easy, don't firewall that.

No double NATing, no weirdness. And, most importantly, high security (you don't want to worry about someone hacking the WEP on the second router!)

Yes, I've tested this setup, and yes, it works very well. I suppose, though, there will be overhead to pay for the VPNing, but unless you're playing video games, feh. :-)
posted by shepd at 11:38 AM on August 24, 2006


Response by poster: I wonder if there's a way to use an old PC to act as intermediary...so have cable modem -> main wireless router which provides private net -> old PC on LAN to main -> wireless public.

I guess what I'm asking with regards to that set up is whether there is a way to allow internet traffic back and forth through the old PC, but not allow browsing ABOVE the old PC (and into the private network).

These are good answers though - thanks so far.
posted by beelerspace at 10:11 PM on August 27, 2006


I guess what I'm asking with regards to that set up is whether there is a way to allow internet traffic back and forth through the old PC, but not allow browsing ABOVE the old PC (and into the private network).

You don't need another PC for this, just another wireless router. As I explained above, this is pretty much exactly what I have done. Use static routing entries on the open-access router to block access to your private LAN.
posted by kindall at 10:39 PM on August 27, 2006


Response by poster: Your solution is good kindall, but it doesn't incorporate bandwidth throttling. I could care less about the internal 10mb connection - what I don't want is someone sucking down my cable modem connection with bittorrent or voip, all of which could be easily accomplished via 802.11b.
posted by beelerspace at 7:44 PM on September 2, 2006


Yeah, but nobody's going to be able to suck up your whole bandwidth over 802.11b. The 10 Mbps of 802.11b is theoretical; they'd never get even close to that much bandwidth if they weren't in the same room with the access point.

In any case, why bother solving a problem that doesn't exist yet? If someone starts soaking up all your bandwidth, then expend the effort to prevent it. I'd block a few ports and keep an eye on bandwidth use, and if it gets out of hand then take a look at it.

(Some routers let you choose the maximum bitrate for the wireless too... that could help.)
posted by kindall at 9:43 PM on September 2, 2006


« Older stereo   |   Dammit Jim, I'm a physicist, not a neurosurgeon! Newer »
This thread is closed to new comments.