This is a long geeky story that starts with pure ENVY. Yes it’s a deadly sin, and yet it’s one of those that I sometimes engage in, despite no deathwish. My envious feelings are a bit different than most, though.
This all starts when Karey & I moved into our new apartment last month. The first night we were here, I took a quick peek at the SSID list – after all, apartment buildings provide a number of interesting entries. I saw quite a number of entries that looked like this:
And was intrigued. Who was this Rick Ray, and why was he running a guest network? Was he some sort of “those without internet” savior? So I hooked up to his network (a deadly sin in and of itself, but hey, maybe I’m the sort of guest he wants) and saw this:
Yep – a guest access splash page with a Cisco logo on it. Knowing Rick Ray probably wasn’t a network tech with an industrial grade router at home, I realized that Cisco/Linksys must be adding this as a pretty logical feature on their newer APs / Routers. And here I was with just a regular old WPA-protected network that I told people the password to as they needed it. This put my Geek card in real jeopardy. Read on to hear how I fixed this the only way I know how: Overkill!
Enter Router Zilla
3 years ago when I moved to NYC I dug up a WRT54G that I had purchased years ago and was psyched to make it my primary router. Why? Because I’d flashed a new firmware on it years back, DD-WRT, and finally I could use it full-time (Previously I was forced to use a Linksys router with a wireless card built in, no alternate firmware there).
DD-WRT is immensely powerful compared to your router’s stock firmware. It can do SO MANY MORE THINGS!! Unfortunately, hardly any of these is vital to a non-geek, so nobody much minds that their crappy Netgear or Linksys is missing them. For about 2 years I used the WRT54G and about 1.5 years ago I splurged and bought an Asus RT-N16. The Asus is sorta like Router Zilla – it has 3 antennae, 2 USB ports, and can be quite badass when you install DD-WRT on it.
I set up some basic stuff on my Asus but never really fleshed it out that much (Darn work taking up my time…). The most I did with it in NYC was to get the VPN functionality set up, so I could VPN into my home network (which is nice when you’re at the office but want to RDP into one of your home machines). Once I moved here I figured I’d use my extra time to really kick this thing into high gear.
Your Router Runs What?!?
So you recall that I said the Asus had 2 USB ports, right? Well the first step in Kicking Linksys Butt was getting some local storage hooked up onto that thing. I followed the first of many tutorials on setting up Optware – a collection of scripts and utilities that more or less give you a working Linux operating system (DD-WRT includes a basic shell, however with only 20 MB or so of free and volatile space, your options are limited). Optware has a massive amount of packages, which made it very attractive.
The basics of this part were pretty mundane. First I dug up an old USB stick (1 GB in size) that I hadn’t used in a while and formatted it using a Linux virtual machine (an Ubuntu Live CD specifically). Then I followed the tutorial and added in a few of the cool scripts at the bottom, including…
- Automated backup/restore
- Relocating Syslog to the USB stick so it could log more than just startup messages.
- Asiablock – I love my Asian friends, but I hate Asian hackers.
- Stophammer – I hate people who scan my ports too! (Note: No innuendo is meant by that statement).
So that was pretty neat to have up and running. I also took the time to properly set up DNSMasq so that all of my networking equipment and computers got reliable names (router.jw, toshiba.jw, etc…) and all of my DNS routing was sent through OpenDNS for security’s sake.
OK, That’s Nice, But It’s No Guest Network
Ah, you are correct, heading – I had a lot of stuff going on in my router (and was taking a variety of backups to keep it all there in case my router lost its frickin’ mind – which DD-WRT routers can do if they suffer a memory overload – they revert to factory settings), but no guest network. That was all about to change though.
I started exploring Captive Portal systems. If you’re not familiar with that term, I’m sure you’re familiar with the technology. Ever log into a wireless network and have a splash screen pop up either asking you to accept some terms, or pay some money, or something so that you could browse the net? Yeah – that’s a captive portal. You’re held captive until the portal says you can go through.
One of the most common captive portals is Chillispot, which is open source and thus in my price range. Normally a DD-WRT router can connect to Chillispot with little effort, especially since most of the heavy lifting is done by a Chillispot Service Provider (CSP). Most CSPs on the web offer free tiers of service, but I would have given up a lot of flexibility by using them. A CSP essentially just provides a webserver and a RADIUS server. I’m a pretty tech-savvy guy, why don’t I set those up on my own network and bypass a third-party? Well I had two limitations:
- I like to keep all non-essential computers turned off on my network, but want maximum flexibility. For this reason I keep my big Toshiba laptop/server turned off most of the time, but use Wake-on-LAN to power it on remotely so I can use it when I need it (from wherever in the world I happen to be). If I wanted to run a web server and a RADIUS server (RADIUS servers provide authentication), it would need to be on an “always on” system. Something I don’t usually have.
- I’ve never set up a RADIUS server before. But then again, I like doing new things.
The answer to #1 came via DD-WRT and Optware. You see, the Router is always turned on – so why not run the web server and the authentication server ON THE ROUTER? Because it’s difficult – that’s why… but I like a challenge. I sat down and came up with my requirements for the ultimate Guest network:
- It had to run fully self-contained on my DD-WRT powered router.
- It had to give me flexibility in how the splash screens looked, the usernames/passwords, etc..
- It had to create a separate Wireless network from my main JWNet network. I didn’t want to mess with any stupid splash screens on a regular basis.
Breaking the Band Up
The first necessity was to get a separate wireless network going on my router. DD-WRT allows these Virtual Access Points (VAP), and I found a great tutorial on setting up Multiple WLANs. I created JWNet Guest, unhooked it from my main wireless and wired network (so it was its own ‘thing’) and could be logged into separately. Around this time, I got one of the points of envy out of the way – my network list showed two networks for the whole apartment building to see!
Moving right along, I installed FreeRADIUS and Lighttpd on my DD-WRT box. It took a bit of fiddling to get it up and running, but eventually I got them to play nice. I then turned to the Chillispot config on my router. I consulted a number of Web pages at this step – like this one, this one, and this one (if you check out these, you’ll notice they’re all doing similar things to me, but not exactly the same), and in theory it should have been a pretty easy configuration on the router. However, when I flipped the switches, I ran into one problem.
My JWNet Guest worked as expected – it popped up a login screen (Authentication didn’t quite work yet… but I was on that one). JWNet, though, was broken. Yep – I had created what I wanted at the expense of the regular network. I won’t bore you with the technical details, but think of it this way: The on-ramp for my wireless network to the Internet Super Highway was closed… and I couldn’t force it open! So I did what any sane person would do…
I downloaded Chillispot’s code myself and installed it using Optware. I basically ditched the version that came with DD-WRT and just ran my own. This required quite a bit of tinkering to get the scripts correct, but once it was done, both networks were working.
The Final Piece: Learning RADIUS
So I knew what a RADIUS server did before starting this project, but I’d never bothered to learn how to set one up. After about 5 hours playing with the configuration files, following bunches of tutorials, and messing around with a bunch of SQL stuff, I got the hang of it. I could now create users, limit the amount of time / data they could use, and other neat stuff (like limiting their bandwidth).
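As an added illustration (not the author’s own config files), here is what a time-, data- and bandwidth-limited guest account looks like in FreeRADIUS’s SQL backend, the radcheck/radreply tables of rlm_sql; the username, password and limit values are constructed, and the ChilliSpot/WISPr attribute names assume the ChilliSpot and WISPr dictionaries are loaded:

```sql
-- Constructed example: one guest user for a ChilliSpot captive portal
-- backed by FreeRADIUS. Not the author's configuration.

-- Check items: what the client must present to be accepted.
-- ChilliSpot's web login uses CHAP, so the server needs the cleartext
-- password here; a hashed password would not let it verify the challenge.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('guest-alice', 'Cleartext-Password', ':=', 'change-this-passphrase'),
  ('guest-alice', 'Simultaneous-Use',   ':=', '1');  -- one device at a time

-- Reply items: limits handed back to ChilliSpot after a successful login.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('guest-alice', 'Session-Timeout',             ':=', '7200'),      -- 2 hours per login
  ('guest-alice', 'Idle-Timeout',                ':=', '600'),       -- drop after 10 idle minutes
  ('guest-alice', 'ChilliSpot-Max-Total-Octets', ':=', '524288000'), -- 500 MiB up+down per session
  ('guest-alice', 'WISPr-Bandwidth-Max-Down',    ':=', '1024000'),   -- 1 Mbit/s down (bits per second)
  ('guest-alice', 'WISPr-Bandwidth-Max-Up',      ':=', '512000');    -- 512 kbit/s up

-- What the next login for this user will be handed:
SELECT attribute, op, value FROM radreply WHERE username = 'guest-alice';
```

Simultaneous-Use only works if ChilliSpot is sending RADIUS accounting to the same server, since that is how FreeRADIUS knows a session is still open.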
After about 2 weeks off-and-on playing with this stuff I was done. I had achieved Victory (or more appropriately, this:)
So there you have it – if you come visit me, I can give you your own username and password, just like the crappy hotel down the street (and I can make your internet just as slow too, if you’d like!).
Needless to say, if you’re trying to set this up on your own system, and running into a bunch of problems, please email me!! I’m more than happy to help by sharing my config files, my experiences, etc…
And let it never be said that my Geek card is in jeopardy!