Can I offer free wifi access while restricting illegal / dangerous websites?


blackjackel
12-16-08, 06:25 AM
I would love to share my wifi connection so that people could have access to the restaurant nearby to where I live.... But I would like to restrict the speed and restrict access to illegal websites...

I don't want anyone going to terrorist websites, child porn or anything of that nature or even close to that...

Is there some sort of software or router firmware that will allow me to share my connection without sharing the part of the internet that could get me into trouble?

VinnyTAMU
12-16-08, 08:44 AM
I would love to share my wifi connection so that people could have access to the restaurant nearby to where I live.... But I would like to restrict the speed and restrict access to illegal websites...

I don't want anyone going to terrorist websites, child porn or anything of that nature or even close to that...

Is there some sort of software or router firmware that will allow me to share my connection without sharing the part of the internet that could get me into trouble?

If your router supports DD-WRT (http://www.dd-wrt.com/dd-wrtv3/index.php), Tomato (http://www.polarcloud.com/tomato), or OpenWRT (http://openwrt.org/) I would look into those options, specifically the implementation of QoS.

Also OpenDNS (http://www.opendns.com/) can help restrict websites that users can look up (see below).

http://i32.photobucket.com/albums/d6/VinnyTAMU/opendns.jpg

I.M.O.G.
12-16-08, 09:11 AM
Also, it may be worth taking a second look at the contract terms from your ISP - most ISP's are restrictive and limit the connection to a single home. Sharing it with a neighbor usually violates the contract terms.

Captain Newbie
12-16-08, 09:34 AM
I would love to share my wifi connection so that people could have access to the restaurant nearby to where I live.... But I would like to restrict the speed and restrict access to illegal websites...

I don't want anyone going to terrorist websites, child porn or anything of that nature or even close to that...

Is there some sort of software or router firmware that will allow me to share my connection without sharing the part of the internet that could get me into trouble?

I wouldn't do it. You would be opening yourself up for considerable potential liability for uncertain gains (other than promoting the cause of (almost but not quite) free and open access to the tubes, of course). Your ISP would probably take a dim view of it, as mentioned above.

If you were to do so, however, I'd recommend blocking all ports outbound except TCP 80, TCP 8080 and TCP 443. You might even consider blocking 8080 (http-alt, http-proxy) outbound, just to limit the use of proxies...

Note that the amount of badness on the Internet now drastically exceeds the amount of goodness. To wit, it's easier to enumerate goodness than it is to enumerate badness. (Enumerating badness is stupid: you will never manage to do it, since the amount of crap on the tubes increases drastically every day. Enumerating goodness is much, much easier.) I'd also deny access to social networking sites (a la what the Apple Store does) so that teen-aged emo kids can't check their profiles.

bz2klag
12-16-08, 09:38 AM
This is not a good idea, sorry, don't do it.

There is no way to fully protect yourself.
DNS protection won't help if someone types in an IP address.

Don't do it.

blackjackel
12-16-08, 01:28 PM
If your router supports DD-WRT (http://www.dd-wrt.com/dd-wrtv3/index.php), Tomato (http://www.polarcloud.com/tomato), or OpenWRT (http://openwrt.org/) I would look into those options, specifically the implementation of QoS.

Also OpenDNS (http://www.opendns.com/) can help restrict websites that users can look up (see below).

http://i32.photobucket.com/albums/d6/VinnyTAMU/opendns.jpg

Cool! I currently use Tomato.

I'm trying to get dnsmasq to work so that I can have everyone else run through OpenDNS and only I on my ISP's normal DNS servers... so far unsuccessful, I'm trying this method:

http://www.dslreports.com/forum/r20972225-Tomato-Using-OpenDNS-for-select-mac-addresses

blackjackel
12-17-08, 02:45 AM
I just thought of something... how do I prevent these people who will get my free internet access from trying to hack into the other computers on the network? Can I restrict access from all other IP addresses on the network? How do I do that?

i.e. 192.168.1.27 can't see or access 192.168.1.XXX (any other 192.168 address)

Neuromancer
12-17-08, 04:03 AM
Put the wireless freeloaders on a virtual lan?

gearhead1972
12-17-08, 04:55 AM
I just thought of something... how do I prevent these people who will get my free internet access from trying to hack into the other computers on the network? Can I restrict access from all other IP addresses on the network? How do I do that?

i.e. 192.168.1.27 can't see or access 192.168.1.XXX (any other 192.168 address)
AP isolation setting

blackjackel
12-17-08, 10:23 AM
AP isolation setting

Setting enabled, I didn't think it was going to be THAT easy!

Thanks a ton!

Side note: did some research on it, it says it keeps one wireless client from accessing another wireless client...
So does that mean a wireless client can access a connected client? (one connected via a wire to the router) ?

I.M.O.G.
12-17-08, 10:41 AM
I believe the way AP isolation works it only affects the wireless clients, and wireless clients would still have access to wired machines.

To isolate the wired machines from the wireless, you may be looking at setting up separate subnets which can't talk to each other. AP isolation does not achieve anything for wired clients.

gangaskan
12-18-08, 10:13 AM
I just thought of something... how do I prevent these people who will get my free internet access from trying to hack into the other computers on the network? Can I restrict access from all other IP addresses on the network? How do I do that?

i.e. 192.168.1.27 can't see or access 192.168.1.XXX (any other 192.168 address)

The only way to achieve this is to set up VLANs as neru0 mentioned. What kind of router do you have currently? Most open-source firmwares let you use VLANs and even add more than one SSID.

blackjackel
12-18-08, 11:58 AM
The only way to achieve this is to set up VLANs as neru0 mentioned. What kind of router do you have currently? Most open-source firmwares let you use VLANs and even add more than one SSID.

WRT54GL

The only problem I have with DD-WRT is that its QoS doesn't really work.... and I use it heavily 'cause I like to torrent and host games, and the QoS doesn't really cut it... which is why I use Tomato...

gangaskan
12-18-08, 02:16 PM
Are there others that have great QoS with VLANs also? I don't know really, to be honest.

blackjackel
12-18-08, 03:12 PM
Are there others that have great QoS with VLANs also? I don't know really, to be honest.

I honestly don't know, though there is OpenWRT, but that is command line only and I really can't deal without a GUI.

As of right now, my network is open, restrictions are in place. All ports except 52 and 80 are closed. OpenDNS is enforced.

pharoer
12-18-08, 05:31 PM
You cannot restrict people from accessing "bad" sites (or outright illegal ones like child pornography): not technically possible even when lots of filter vendors say differently. They are all snakeoil salesmen. They might block _some_ bad sites (and block legitimate sites too usually) but never ever all. And one bad site accessed and you are legally liable.

blackjackel
12-18-08, 09:14 PM
I've come up on a different problem...

Now that my wireless network is unsecured, I'm afraid of logging into my email and other places using my password.... won't my password be going through the air unencrypted, allowing would-be sniffers to pick it up and get into my email? Is there some way of opening up my network and still encrypting the data sent and received?

~(o)-(0)~
12-18-08, 11:31 PM
Yeah, if you run something like an IPCop or Smoothwall router, you can have a separate interface for wireless, and it won't be on the same network, so you should be pretty safe.

Nick

gangaskan
12-19-08, 08:32 AM
I've come up on a different problem...

Now that my wireless network is unsecured, I'm afraid of logging into my email and other places using my password.... won't my password be going through the air unencrypted, allowing would-be sniffers to pick it up and get into my email? Is there some way of opening up my network and still encrypting the data sent and received?

As long as it's using an SSL cert you should be all right; however, those can be spoofed too, so make sure your cert is what it's supposed to be. Your passwords will be sent encrypted during transmission, if I recall, as long as your login screen has established an SSL connection.

If you want to do a quick test, run Wireshark on your network and log in with a laptop or wifi connection and see. That's the best way you will see things happening on your network.

No SSL connection will mean passwords will be sent in the clear, keep that in mind.

blackjackel
12-21-08, 03:01 AM
I found that I can simply force an IP on my laptop outside of the DHCP range that I set, allowing me to bypass all the restrictions I have set up. How do I stop people from manually setting their IP and getting around all the restrictions?

gangaskan
12-21-08, 06:50 AM
I don't think you can.

I.M.O.G.
12-21-08, 02:41 PM
Easy answer with poor security? Set the static pool very small, so that the only IPs available are in the DHCP pool you've configured for the public, except for the one (or two) you've reserved for yourself.

The odds of someone picking the one or two addresses available in the static pool will be pretty low, and they could only find it through trial and error.

Alternatively, you could set up different VLANs, and the only one which would allow unsecured connections would be the one you've configured for public access. Your private VLAN could be secured and you shouldn't have this problem. This depends on the robustness of the software you're running on your router, and I'm unfamiliar with running ddwrt/tomato/etc.
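One way to build the VLAN-based separation I.M.O.G. describes, which also closes the static-IP bypass raised two posts up and applies the OpenDNS and port-80/443 restrictions from earlier in the thread: an added example, not code from the thread or from Tomato/DD-WRT. Every rule keys on the guest interface rather than on the DHCP pool, so a client that picks its own address still hits them; the interface names (br1, vlan2) and the guest subnet 192.168.2.0/24 are assumptions, while 192.168.1.0/24 is the private LAN from the thread.

```shell
#!/bin/sh
# Added example (not the thread's or the firmware's own code): firewall script for
# a Linux-based router whose guest SSID sits on its own bridge/VLAN. Rules match
# the guest *interface*, so setting a static IP does not escape them.
GUEST_IF="${GUEST_IF:-br1}"               # assumed bridge holding the guest SSID
WAN_IF="${WAN_IF:-vlan2}"                 # assumed WAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # private LAN from the thread
GUEST_NET="${GUEST_NET:-192.168.2.0/24}"  # assumed guest subnet
DNS1=208.67.222.222                       # OpenDNS resolvers
DNS2=208.67.220.220
IPT="${IPT:-iptables}"                    # IPT=echo prints rules instead of applying

guest_rules() {
  # Forwarded traffic arriving on the guest interface.
  $IPT -N GUEST_FWD 2>/dev/null; $IPT -F GUEST_FWD
  $IPT -A GUEST_FWD ! -s "$GUEST_NET" -j DROP   # static/spoofed LAN-range source address
  $IPT -A GUEST_FWD -d "$LAN_NET" -j DROP       # never into the private LAN (wired or wireless)
  $IPT -A GUEST_FWD -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
  for dns in "$DNS1" "$DNS2"; do               # DNS only to the OpenDNS resolvers
    for proto in udp tcp; do
      $IPT -A GUEST_FWD -o "$WAN_IF" -d "$dns" -p "$proto" --dport 53 -j ACCEPT
    done
  done
  $IPT -A GUEST_FWD -j DROP                     # everything else: torrent, proxies, ...
  $IPT -I FORWARD -i "$GUEST_IF" -j GUEST_FWD

  # Guests talking to the router itself: DHCP only, no admin UI or SSH.
  $IPT -N GUEST_IN 2>/dev/null; $IPT -F GUEST_IN
  $IPT -A GUEST_IN -p udp --dport 67 -j ACCEPT
  $IPT -A GUEST_IN -j DROP
  $IPT -I INPUT -i "$GUEST_IF" -j GUEST_IN

  # Rewrite every guest DNS query to OpenDNS, whatever resolver the client
  # configured. This keeps the OpenDNS filtering in place; it still does
  # nothing for a raw IP address typed into the browser, as noted upthread.
  for proto in udp tcp; do
    $IPT -t nat -I PREROUTING -i "$GUEST_IF" -p "$proto" --dport 53 \
      -j DNAT --to-destination "$DNS1"
  done
}

# "apply" runs on the router (e.g. from the firmware's firewall-script hook);
# "dry-run" only prints the iptables commands that would be issued.
case "${1:-}" in
  apply)   guest_rules ;;
  dry-run) IPT=echo; guest_rules ;;
esac
```

Return traffic from the WAN to a guest enters FORWARD on the WAN interface, so it is handled by the firmware's existing ESTABLISHED rules rather than by GUEST_FWD.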