[CUWiN-Dev] Re: captive portal
Quantum Scientific
Info at Quantum-Sci.com
Sun Jan 30 09:58:38 CST 2005
On Sunday 30 January 2005 3:16, David Young wrote:
> On Sat, Jan 29, 2005 at 04:09:38PM -0600, Quantum Scientific wrote:
> > As far as NoCatSplash, I am vacillating between Qorvus and CUWin at the
> > moment. I am torn between being gravely concerned about the band-aids
> > necessary to make AODV half-assed work, and my likelihood of having
> > time/success in grafting in NoCatSplash + deploying CUWin. Seems like a
> > hardware platform isn't established yet, and wondering when/if you'll run
> > out of funding?
>
> It doesn't look to me like the price of Qorvus compares favorably w/
> CUWiN (free) + Metrix (low cost), although Qorvus probably sells support.
> I must say, their web interface sure is purty. It seems to contain the
> boneheaded "phone home" aspect of LocustWorld/WIANA.org, though.
True about the price (QCode=$100/node), but I've seen nothing but positive
user reviews of it. Yes, their web interface is a great feature, and is the
first step to allowing the system to run free of WIANA. Nobody likes to hand
over their customer list to a third party, and nobody likes a single point of
failure.
I suggest that a web interface can be easy to implement using PHP, as per the
m0n0wall system: http://m0n0.ch/wall/ (Thanks go to PCEngines for
originally suggesting this.) So maybe a web setup on each gateway which
allows setup of constituent nodes? It is important to be able to SSH
directly to each node as well, from remote, and it is important to be able to
identify given users easily, in case of abuse. (There *will* be abuse.) Lack
of this latter is a major drawback of using LW. (Multi-NATting gets in the
way.) A requirement to set up each individual node by web interface may be
too much work, and prone to error, so consolidating this on a gateway may be
nice.
The major benefit of phone-home is to alert you when a node goes down, to do
Radius authentication of users, and to report statistics. But maybe there's
no reason a *gateway* couldn't page your
http://www.fwd.pulver.com/index.php?section_id=9 account.
... but if multiple gateways on a cloud, which one should page? A technical
decision.
> Re: captive portal, what do you need for it to do? Do you need for it
> to be in every node? Any reason you can't put it at the gateways?
This is one area I'm not clear about CUWin. My perception is that this will
be a system of tiny nodes, comprising a cloud. These must somehow connect to
the internet, but how would CUWin do this? There doesn't seem to be separate
CUWin gateway software.
I'm thinking about a system that taps into a fiber PoP (XO Comm, 100Mbps,
$1k/mo) on the edge of a city, does a microwave shot 10-40 miles to a bridge,
which
- Passes the bandwidth along the next microwave shot; *and*
- Shines the signal down on a community edge (or center) using a sector (or
omni) antenna.
The big picture is you extend the fiber connection across the landscape, like
a string of pearls. This is why AODV is so questionable -- completely
non-functional after 4 hops.
The nodes would swarm around in the community, passing outbound packets back
to the bridge, which passes them upstream in the backhaul. So in this case
the bridge would be the gateway; how much should it do? This may be just a
WRAP board on a tower. Should it Squid, ad-bust, firewall, Asterisk, serve
web Setup, Radius serve, etc. or should some of this functionality be
offloaded to some master server? A policy question.
The captive portal authenticates users on three levels: Guest, which can only
(say) reach Switchboard/Vivisimo/MapQuest/M-W.com; Community, which user has
made some contribution, and has full internet access but bandwidth-throttled
to 200Kbps; and Registered, a paying customer with full access up to 1Mbps.
Where the captive portal should be and what it should do is a policy
question. I will be a rapacious WISP, and so must have secure authentication
and full encryption throughout the system. Maybe it would be best to use the
existing hardware for encryption, WPA/AES, to ease processor load, rather
than tunnelling? This addition does not harm community deployments, and does
ensure user privacy plus allow use of the system by WISPs. I doubt Madwifi
can do WPA yet, but the Winduhs drivers sure can, and they work great in
Linux (NDISWrapper) anyway, if not NetBSD. If NoCatSplash is on the gateway,
I believe there must be a captive portal daemon on each node in order to pass
execution. The captive portal must present a webpage that's -fully-
customizable by the operator.
But should web Setup be three-tiered (node/gateway/central server), two-tiered
(node/gateway or gateway/central server with SSH to all nodes), or one-tiered
(gateway with SSH to all nodes)? A CUWin policy question. I advocate the
last, but doubt that Soekris/WRAP gateway hardware can handle all admin
functions in a busy network. I would suggest though, that the WRAP 1C-1,2
board has 2 mPCI and 2 RJ45, opposed to Soekris' 2 mPCI and 1 RJ45. Two
ethernet ports means that a bridge on a tower could be set up with three
WRAPs networked together serving 4 sector antennas, and two parabolics. (If
only there were a board with three mPCI's.)
Best,
Carl Cook
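As an added illustration of the three-tier captive portal and the "identify users in case of abuse" requirement discussed in the post (this is example code written here, not code from CUWiN, NoCatSplash, Qorvus or m0n0wall), the following gateway-side policy assumes hostnames for the guest sites, an in-memory session table keyed by client MAC, and a simple allow/deny/redirect API; the tier names, guest site list and 200Kbps/1Mbps caps are taken from the post.

```python
# Added example, not code from CUWiN, NoCatSplash or m0n0wall: a gateway-side
# access policy for the three-tier captive portal described in the post.
# Tier names, the guest site list and the 200Kbps/1Mbps caps come from the
# post; the hostnames, session table and API are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Guest tier may only reach these sites (hostnames assumed from the post's names).
GUEST_SITES = ("switchboard.com", "vivisimo.com", "mapquest.com", "m-w.com")
# Per-tier cap in kbit/s; None means the post states no cap for that tier.
RATE_KBPS: Dict[str, Optional[int]] = {"guest": None, "community": 200, "registered": 1000}


@dataclass
class Session:
    mac: str
    ip: str
    user: str          # operator-visible identity, kept so abuse can be traced
    tier: str
    login_utc: datetime


def host_allowed_for_guest(host: str) -> bool:
    """True if host is one of the guest sites or a subdomain of one (not a look-alike)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GUEST_SITES)


class Portal:
    def __init__(self) -> None:
        self.by_mac: Dict[str, Session] = {}

    def login(self, mac: str, ip: str, user: str, tier: str) -> Session:
        if tier not in RATE_KBPS:
            raise ValueError(f"unknown tier {tier!r}")
        sess = Session(mac.lower(), ip, user, tier, datetime.now(timezone.utc))
        self.by_mac[sess.mac] = sess
        return sess

    def decide(self, mac: str, host: str) -> Tuple[str, Optional[int]]:
        """Return (verdict, cap_kbps): 'redirect' to the splash page, 'deny', or 'allow'."""
        sess = self.by_mac.get(mac.lower())
        if sess is None:
            return ("redirect", None)          # unauthenticated: send to the splash page
        if sess.tier == "guest" and not host_allowed_for_guest(host):
            return ("deny", None)
        return ("allow", RATE_KBPS[sess.tier])

    def who_is(self, ip: str) -> Optional[str]:
        """Map a client IP to a user for abuse reports; this breaks behind multi-NAT."""
        for sess in self.by_mac.values():
            if sess.ip == ip:
                return sess.user
        return None
```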