[CUWiN-Dev] Re: captive portal

Quantum Scientific Info at Quantum-Sci.com
Sun Jan 30 09:58:38 CST 2005


On Sunday 30 January 2005 3:16, David Young wrote:
> On Sat, Jan 29, 2005 at 04:09:38PM -0600, Quantum Scientific wrote:
> > As far as NoCatSplash, I am vacillating between Qorvus and CUWin at the 
> > moment.  I am torn between being gravely concerned about the band-aids 
> > necessary to make AODV half-assed work, and my likelihood of having 
> > time/success in grafting in NoCatSplash + deploying CUWin.  Seems like a 
> > hardware platform isn't established yet, and wondering when/if you'll run 
> > out of funding?
> 
> It doesn't look to me like the price of Qorvus compares favorably w/
> CUWiN (free) + Metrix (low cost), although Qorvus probably sells support.
> I must say, their web interface sure is purty.  It seems to contain the
> boneheaded "phone home" aspect of LocustWorld/WIANA.org, though.

True about the price (QCode=$100/node), but I've seen nothing but positive 
user reviews of it.  Yes, their web interface is a great feature, and is the 
first step to allowing the system to run free of WIANA.  Nobody likes to hand 
over their customer list to a third party, and nobody likes a single point of 
failure.  

I suggest that a web interface can be easy to implement using PHP, as per the 
m0n0wall system:  http://m0n0.ch/wall/  (Thanks go to PCEngines for 
originally suggesting this)  So maybe a web setup on each gateway which 
allows setup of constituent nodes?  It is important to be able to SSH 
directly to each node as well, from remote, and it is important to be able to 
identify given users easily, in case of abuse.  (There *will* be abuse)  Lack 
of this latter is a major drawback of using LW. (multi-NATting gets in the 
way)  A requirement to set up each individual node by web interface may be 
too much work, and prone to error, so consolidating this on a gateway may be 
nice.

The major benefit of phone-home is to alert you when a node goes down, to do 
Radius authentication of users, and to report statistics.  But maybe there's 
no reason a *gateway* couldn't page your 
http://www.fwd.pulver.com/index.php?section_id=9   account.
... but if multiple gateways on a cloud, which one should page?  A technical 
decision.

> Re: captive portal, what do you need for it to do?  Do you need for it
> to be in every node?  Any reason you can't put it at the gateways?

This is one area I'm not clear about CUWin.  My perception is that this will 
be a system of tiny nodes, comprising a cloud.  These must somehow connect to 
the internet, but how would CUWin do this?  There doesn't seem to be separate 
CUWin gateway software.

I'm thinking about a system that taps into a fiber PoP (XO Comm, 100Mbps, 
$1k/mo) on the edge of a city, does a microwave shot 10-40 miles to a bridge, 
which 
- Passes the bandwidth along the next microwave shot; *and*
- Shines the signal down on a community edge (or center) using a sector (or 
  omni) antenna.

The big picture is you extend the fiber connection across the landscape, like 
a string of pearls.  This is why AODV is so questionable -- completely 
non-functional after 4 hops.

The nodes would swarm around in the community, passing outbound packets back 
to the bridge, which passes them upstream in the backhaul.  So in this case 
the bridge would be the gateway;  how much should it do?  This may be just a 
WRAP board on a tower.  Should it Squid, ad-bust, firewall, Asterisk, serve 
web Setup, Radius serve, etc. or should some of this functionality be 
offloaded to some master server?  A policy question.

The captive portal authenticates users on three levels:  Guest, which can only 
(say) reach Switchboard/Vivisimo/MapQuest/M-W.com;  Community, which user has 
made some contribution, and has full internet access but bandwidth-throttled 
to 200Kbps; and Registered, a paying customer with full access up to 1Mbps.  
Where the captive portal should be and what it should do is a policy 
question.  I will be a rapacious WISP, and so must have secure authentication 
and full encryption throughout the system.  Maybe it would be best to use the 
existing hardware for encryption, WPA/AES, to ease processor load, rather 
than tunnelling?  This addition does not harm community deployments, and does 
ensure user privacy plus allow use of the system by WISPs.  I doubt Madwifi 
can do WPA yet, but the Winduhs drivers sure can, and they work great in 
Linux (NDISWrapper) anyway, if not NetBSD.  If NoCatSplash is on the gateway, 
I believe there must be a captive portal daemon on each node in order to pass 
execution.  The captive portal must present a webpage that's -fully- 
customizable by the operator.

But should web Setup be three-tiered (node/gateway/central server), two-tiered 
(node/gateway or gateway/central server with SSH to all nodes), or one-tiered 
(gateway with SSH to all nodes).  A CUWin policy question.  I advocate the 
last, but doubt that Soekris/WRAP gateway hardware can handle all admin 
functions in a busy network.  I would suggest though, that the WRAP 1C-1,2 
board has 2 mPCI and 2 RJ45, opposed to Soekris' 2mPCI and 1 RJ45.  Two 
ethernet ports means that a bridge on a tower could be set up with three 
WRAPs networked together serving 4 sector antennas, and two parabolics.  (If 
only there were a board with three mPCI's)

Best,

Carl Cook


More information about the CU-Wireless-Dev mailing list