How to share a public wireless connection and maintain a seperate, private wireless connection
August 23, 2006 9:19 PM   Subscribe

VPN.....One of these will do the trick......

HotspotVPN.com

PublicVPN.com

Witopia Personal VPN

Well worth the money and they are not at all expensive.

BTW....I have no relationship with any of the above whatsoever.
posted by Gerard Sorme at 9:46 PM on August 23, 2006

I have a similar setup. I have the open wireless hanging off a cheap Zyxel router that's set to only run 802.11b, no encryption. (This way, I hope, nobody will be able to bogart my entire 10mbps bandwidth.) it's hooked into my main router, the D-Link DGL-4300. I set up the routing table on the Zyxel to route all packets destined for machines on my LAN (192.168.100.2-.15) to the twilight zone (192.168.100.254), and also set the firewall to block port 25 to protect against drive-by spamming. I also enabled remote admin (which means you can access admin from the WAN port, which is actually connected to my LAN) but disabled local admin, so people using the wireless can't get to the Zyxel's admin page. Also blocked (using the Zyxel's URL filter) access to my D-Link router's admin page. So, it's definitely doable.
posted by kindall at 10:12 PM on August 23, 2006

There are two issues here: bandwidth, and network access. You don't want people to be able to get from the public AP back into your private LAN and WLAN, but, if possible, you don't want to have your private LAN *double* NATted, either.

The "right" way to do this is to get a second dynamic address from your provider (which usually is not a problem; if they fuss, tell them you have an XBOX or something that isn't happy with your router -- since actually *running* an open AP probably violates your ToS); this way, both networks are only single NATted.

The alternative is to set the Ubuntu machine up as your NAT and firewall, and hang two WAPs off the back of it, on separate ethernet interfaces (for best security). This will, at the expense of a little more complexity, give you complete control of what you allow whom to do. Course, it ties up the Linux box as an appliance; you don't want to actually *use* it, if you can avoid it...
posted by baylink at 8:31 AM on August 24, 2006

Use your linux box and leet skills to set up two NATed networks. Set your WAP up as a boring old bridge. Now, you allow DHCP through the WAP to give "public" addresses using the first NATed network. You should, of course, set up some speed limiting, or at least QOS-type firewalling on this network.

Now, set up a VPN on the second NATed network using your favourite VPN software (for ease of installation with not too much security I would reccomend PoPToP, for good solid security, use IPSec). Your machines connect to the WAP and get one of the public addresses. Now you VPN into your secondary private network (which, of course, has no limits) and voila! you have your unlimited access.

Your machine is still "exposed" to the public address, so firewall it if you feel that's a problem. If you want to share anything to the public, well, that's easy, don't firewall that.

No double NATing, no weirdness. And, most importantly, high security (you don't want to worry about someone hacking the WEP on the second router!)

Yes, I've tested this setup, and yes, it works very well. I suppose, though, there will be overhead to pay for the VPNing, but unless you're playing video games, feh. :-)
posted by shepd at 11:38 AM on August 24, 2006

I guess what I'm asking with regards to that set up is whether there is a way to allow internet traffic back and forth through the old PC, but not allow browsing ABOVE the old PC (and into the private network).

You don't need another PC for this, just another wireless router. As I explained above, this is pretty much exactly what I have done. Use static routing entries on the open-access router to block access to your private LAN.
posted by kindall at 10:39 PM on August 27, 2006

Yeah, but nobody's going to be able to suck up your whole bandwidth over 802.11b. The 10 Mbps of 802.11b is theoretical; they'd never get even close to that much bandwidth if they weren't in the same room with the access point.

In any case, why bother solving a problem that doesn't exist yet? If someone starts soaking up all your bandwidth, then expend the effort to prevent it. I'd block a few ports and keep an eye on bandwidth use, and if it gets out of hand then take a look at it.

(Some routers let you choose the maximum bitrate for the wireless too... that could help.)
posted by kindall at 9:43 PM on September 2, 2006

« Older Why don't more songs use total...   |   Does anyone know a good lower ... Newer »

This thread is closed to new comments.