
Ask Slashdot: Best Way To Leave My Router Open?

timothy posted more than 3 years ago | from the tomayto-tomahto-ddwrt dept.

Wireless Networking 520

generalhavok writes "I read the story on Slashdot earlier about the EFF encouraging people to leave their WiFi open to share the internet. I would like to do this! I don't mind sharing my connection and letting my neighbors check their email or browse the web. However, when I used to leave it open, I quickly found my limited bandwidth disappearing, as my neighbors started using it heavily by streaming videos, downloading large files, and torrenting. What is an easy way I can share my internet, while enforcing some limits so there is enough bandwidth left for me? What about separating the neighbors from my internal home network? Can this be done with consumer-grade routers? If the average consumer wants to share, what's the easiest and safest way to do it?"

CmdrTaco has a tiny dick (-1)

Anonymous Coward | more than 3 years ago | (#35967208)

Hopefully your dick isn't as tiny as CmdrTaco's. His is less than a millimeter at fully erect state.

Re:CmdrTaco has a tiny dick (0, Troll)

dmgxmichael (1219692) | more than 3 years ago | (#35967230)


Re:CmdrTaco has a tiny dick (-1)

Anonymous Coward | more than 3 years ago | (#35967492)

yeah, her cameltoe is ten times that size!

Re:CmdrTaco has a tiny dick (0)

Anonymous Coward | more than 3 years ago | (#35967652)

So what if I am? What are you going to do about it?

open like goatse! (-1)

Anonymous Coward | more than 3 years ago | (#35967216)

stretch that asshole!

Think again (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35967222)

Wasn't it just this week that we had the lovely account of someone getting the SWAT treatment [] just for leaving their router free and open?

Re:Think again (2)

PipeToDevNull (1362431) | more than 3 years ago | (#35967284)

Indeed. Looking for a 'safe' way to do this is somewhat akin to looking for a safe way to cross through a raging inferno wearing only a pair of shorts and some sunglasses.

Re:Think again (2)

Hultis (1969080) | more than 3 years ago | (#35967378)

IANAL, but if you allowed people in on a guest network and made sure to log EVERYTHING that happened there, maybe those logs would be enough to prove you're innocent?

Re:Think again (2)

softWare3ngineer (2007302) | more than 3 years ago | (#35967484)

so much for starting off innocent...

Two routers (3, Informative)

AliasMarlowe (1042386) | more than 3 years ago | (#35967610)

Here's the way we do it

We have an old router which is plugged into a spare port on our optical switch (fiber to the home), and has an open wireless G for anyone to use, configured to assign DHCP addresses from 192.168.200.x where x is 175-200, and with SSID of "All Connections Logged". Our newer router is plugged into a different port on the optical switch and assigns DHCP addresses in the range 192.168.100.y where y is 100-125, and our home net is connected to this one by cat6 cables and encrypted wireless N (MAC filters, hidden SSID, long key, blah blah). Each of these routers has a different public IP address assigned by the ISP, and they both maintain logs of MAC addresses connecting to them, so we don't worry too much about misbehaving outsiders - there have been none so far.

FWIW, we have no usage caps on our 100Mbps fiber connection, so leaving a 54Mbps wireless-G open to passers-by does us no harm economically. In principle we could set it to 11Mbps Wireless-B, but we have never had a bandwidth hog connecting. Incidentally, our ISP gives us up to 8 public IPv4 addresses, of which we use 3-5: the IP-TV box uses the third, and work-related laptops sometimes use one or two more (via cat6 to another port on the optical switch).

think again? u aint thunk yet (1, Interesting)

poptones (653660) | more than 3 years ago | (#35967532)

The DMCA protects service providers. If I am deliberately sharing my internet connection, I AM a de facto service provider. There are rules one must follow but most of them apply only to operators of a certain size - which means we enjoy the protections of the DMCA without sharing the burdens like forced record keeping.

People have been abused by law enforcement for all sorts of reasons. If they go too far, you sue. Of course, if they are led to your house by the actions of a neighbor and then find, through some poetic justice, that you are in fact doing what they suspected even though it wasn't your actions that directly led to the raid, well then it sucks to be you.

Re:think again? u aint thunk yet (0)

Anonymous Coward | more than 3 years ago | (#35967720)

There's an old saying, "You may beat the rap, but you won't beat the ride".

If it means never being arrested, having your computers confiscated, having the neighbors talk about you, going to jail, missing work, having to post bail, hiring a lawyer, going to court, missing work, just to have my case dismissed, then I'll just keep being stingy with the Internet access I pay for.

Re:Think again (4, Funny)

elrous0 (869638) | more than 3 years ago | (#35967342)

No problem. After you open it up, just call your local police and let them know that any illegal activity on your IP address is probably not coming from you. Problem solved.

Re:Think again (2)

Hultis (1969080) | more than 3 years ago | (#35967450)

This may or may not [] be a good idea, depending on where you live.

Re:Think again (1)

BiggoronSword (1135013) | more than 3 years ago | (#35967514)

Arrest doesn't mean conviction

Re:Think again (1)

Anonymous Coward | more than 3 years ago | (#35967568)

It does mean money out of your pocket.

And I'm sure your time isn't worth anything either.

I do this all the time! (0)

Anonymous Coward | more than 3 years ago | (#35967234)

Just restrict access by MAC address!

Re:I do this all the time! (2)

nschubach (922175) | more than 3 years ago | (#35967348)

MAC addresses which can be cloned and spoofed so there's really no security at all!

Re:I do this all the time! (4, Insightful)

erroneus (253617) | more than 3 years ago | (#35967444)

Yes, and locks can be picked, so it's useless to use locks on doors too! (You aren't stupid enough to lock your door are you?)

I hate that argument. Even a weak lock is a lock which says "unauthorized not welcome." And MAC address filtering requires that someone knows what a MAC address is and how to change theirs. You have to admit, this is not "casual technical knowledge." True what you say, but that depends mostly on what demographic you are speaking about. If you are talking about your average Facebook/twitter/Youtube user on the net, you'd basically be wrong.

Re:I do this all the time! (1)

ThatsMyNick (2004126) | more than 3 years ago | (#35967550)

Ok, I will name my WiFi, "unauthorized not welcome, trespassers will be prosecuted". That should do the trick right?

Re:I do this all the time! (2)

froggymana (1896008) | more than 3 years ago | (#35967714)

When I first started to use tethering on my phone, it was just called something like "3G internet" and I would get 10-12 people trying to connect to it when I'm at an airport or coffee shop. Then I changed the name to "You_will_get_viruses_from_this", and now only 1-2 try to connect to it. So, while changing the name isn't the best protection, it could still help.

Re:I do this all the time! (3, Insightful)

mlts (1038732) | more than 3 years ago | (#35967612)

There is a whole world of difference between a pickable lock on a car door and security on a router:

Someone sits there spending 30 minutes by a car door. People eventually will notice and either drop a note to the local gendarmes, or approach the person with pointed questioning. Especially if people know the owner of that car.

Someone parked in a car spending 30 minutes on a laptop or cellphone to crack open a WEP protected router, few would notice, much less care about the issue.

MAC address filtering also is a switch flippable by anyone on a router. Yes, it gives a speed bump, but use it for what it is designed for -- keep honest people honest (say after a LAN party, you turn it on to kick everyone off but your stuff before you change your key.)

I highly recommend using MAC address filtering as the icing on the cake, but if you don't use WPA2 (or if forced to, WPA), you are asking to be hacked.

Security (0)

Anonymous Coward | more than 3 years ago | (#35967238)

Are you not concerned about security? Sharing is fine and dandy, but I don't want anyone behind my network firewall that I don't know.

Re:Security (1)

bluelip (123578) | more than 3 years ago | (#35967462)

Move the firewall deeper into your home network.

Re:Security - DMZs (1)

billstewart (78916) | more than 3 years ago | (#35967662)

Hey, we let you in, Mr. Anonymous Coward!

You may not want any strangers on the "trusted" side of your firewall, but that's a job for a DMZ, which has access controls between it and your trusted side as well as between it and your internet connection.

Re:Security (4, Informative)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35967706)

In any sharing setup, which is the advice the poster is looking for, non-authenticated traffic should always be on a distinct VLAN, with no access to the network used by authenticated traffic, or any ability to access the router config interface(s). All they need to see is their own system and the public internet. Segregating each non-authenticated user from other non-authenticated users isn't a personal security imperative; but it is polite.

To deal with the bandwidth issues, that non-authenticated VLAN should, naturally, have a QoS priority below any authenticated traffic (possibly with a small slice of guaranteed bandwidth, if you are a really nice guy and your authenticated traffic frequently saturates the line.)

Most consumer routers won't let you do that with stock firmware; but openWRT can likely help you out, with the right firmware.

Worst case, it is often possible, with better stock firmwares, to at least set up the VLAN and QoS side of things, and then just hang a $20 cheapy router off the VLANed port on the primary router. Ugly; but cheap and easy and doesn't require any software support for multiple SSIDs or the like.

Get creative (0)

Iphtashu Fitz (263795) | more than 3 years ago | (#35967250)

Well if you can identify the culprits (the IP and/or MAC of whoever is doing the most damage) you can have some fun with them by creating an upside-down-ternet [] . That might discourage them.

That's the wrong side of the problem (1)

billstewart (78916) | more than 3 years ago | (#35967718)

The objective is to prevent trouble, not to punish the guilty after they've caused it. Sometimes trouble is drive-bys spamming, sometimes it's a regular abuser, like the neighbor's kid downloading too many movies and hogging all your bandwidth. The main things you want to do are keep their bandwidth use limited, and keep them from connecting to any machines you don't want them to access (e.g. visiting friends can access your printer, but strangers can't.)

Guest network (2)

Tridus (79566) | more than 3 years ago | (#35967254)

The second part (keeping people off your home network) CAN be done by some consumer grade routers that support a Guest Network. My Netgear 37AV has that ability. You set up a second SSID that is open. It can get to the WAN port, but can't see anything on the LAN or the private SSID.

As for using bandwidth... no I'm not sure you can do a lot there with a standard router. You could turn on QoS to make sure that your traffic has priority on the router over someone else's, but you'll be pretty limited in terms of stopping them from chewing up bandwidth the rest of the time. I really don't recommend this if you're on a metered connection.

QoS doesn't do the main job here (1)

billstewart (78916) | more than 3 years ago | (#35967420)

QoS may help you throttle your guests' upstream bandwidth, which is more important, but it's not going to do anything for downstream, which is the more common problem, because the QoS markings on downstream packets will normally be set to the default value by the websites or bittorrent peers that are sending them.

Re:QoS doesn't do the main job here (0)

Anonymous Coward | more than 3 years ago | (#35967546)

It works both ways. If you throttle downstream to 1 Mbit/s, that's what they will be getting and TCP will adapt to that. QoS tagging? Not needed for a single choke point. Just have different service classes depending on e.g. MAC address.

Re:QoS doesn't do the main job here (1)

iRommel (1684036) | more than 3 years ago | (#35967552)

Surely anyone with a decent router (read Draytek) can just limit all external IPs to a set up/down bandwidth. I negate the effects of my other half's adventures on the internet like this. As for people downloading naughty things and you getting the blame, it's sort of always going to happen with an open network I guess.

DD-WRT + QoS (5, Informative)

seanmcelroy (207852) | more than 3 years ago | (#35967260)

It's absolutely possible and fairly easy these days with out of the box router firmwares, or if yours doesn't support QoS (Quality of Service), then you can potentially put on an open-source firmware -- DD-WRT to provide that ability and much more. QoS lets you designate classes of traffic, such as streaming, gaming, and other protocols, or particular devices on a WAN or plugged into the router itself and set priorities for them. Doing this, you can share your WiFi AP (good for you!), but also get the lion's share of your bandwidth when you are wanting to use it.

Re:DD-WRT + QoS (0)

Anonymous Coward | more than 3 years ago | (#35967320)

This is the answer. Just takes some learning and buying a product that supports it. Same maybe for Tomato or other Open Source Firmware project.

Re:DD-WRT + QoS (2)

nschubach (922175) | more than 3 years ago | (#35967424)

DD-WRT (and most likely Tomato) also provide Hot Spot software that your neighbors "log in" to get on the net through your connection. []

It may at least give you a possible "out" if the law breaks down your door, but I'm sure it violates your ISP TOS.

Re:DD-WRT + QoS (1)

SighKoPath (956085) | more than 3 years ago | (#35967658)

I'm using Tomato right now, and the QoS implementation does not allow you to set classifications based on SSID or Wireless vs Wired - it allows classification by specific IP or MAC, but that would mean tweaking the classifications every time a new device shows up. That's not a practical solution. Additionally, I don't see a way to enable multiple SSIDs using Tomato.

I used to use DD-WRT, and I do remember being able to configure multiple SSIDs on a single router, some with encryption and some without. So if DD-WRT allows configuring QoS based on which SSID a user is connected to, that would certainly be a good solution. I just don't remember their QoS all that well.

Re:DD-WRT + QoS (1)

Mordok-DestroyerOfWo (1000167) | more than 3 years ago | (#35967408)

Completely agree. You may want to do some homework first on which routers are best supported by DD-WRT but I use it fairly regularly and the ability to send WOL commands to my home network from any internet connected device has proven to be a godsend.

Re:DD-WRT + QoS (0)

Anonymous Coward | more than 3 years ago | (#35967466)

To expand on that, you should create a separate SSID and subnet for the public to use so that your main LAN is protected from them.

You can then use QoS to limit only the guest network by creating a QoS rule to Exempt your main subnet.

Some very recent stock firmwares also support "guest networks" but I'm not sure how much control they give you to limit the guest networks.

Re:DD-WRT + QoS (1)

softWare3ngineer (2007302) | more than 3 years ago | (#35967654)

mod parent up. one of the more informative answers that I've seen on slashdot.

This just doesn't sound like a good idea. (1)

jgheld (714826) | more than 3 years ago | (#35967262)

The ramifications of someone looking at, downloading, or even uploading something illegal with your internet can get you in serious trouble, I would think. I appreciated the kind-heartedness of the idea, but I would recommend against it personally.

Re:This just doesn't sound like a good idea. (1)

ErikZ (55491) | more than 3 years ago | (#35967298)

It's the same as someone walking across your property to do something illegal.

We have to train the law that your router != you.

Re:This just doesn't sound like a good idea. (1)

El Lobo (994537) | more than 3 years ago | (#35967402)

Your router != you but YOU have the responsibility for what happens behind **your** router. This is the kind of /. romanticism that is so hard to kill, unfortunately... You cannot let people use your house as a sacrifice place to offer children to Ra and get away with it just because your house != you.

Re:This just doesn't sound like a good idea. (1)

Threni (635302) | more than 3 years ago | (#35967438)

No matter what the law (courts) say, the police *are* going to kick your door in if your connection is being used to up/download kiddy porn, warez, terrorist stuff or whatever else leaves tor exit nodes these days. Your wife/husband etc are probably not going to appreciate civil mindedness at 5am when her children have fat, unsympathetic pigs pointing their guns at them.

Re:This just doesn't sound like a good idea. (1)

tripleevenfall (1990004) | more than 3 years ago | (#35967510)

We have to train the law that your router != you.

You first...

Re:This just doesn't sound like a good idea. (0)

Anonymous Coward | more than 3 years ago | (#35967520)

It's the same as someone walking across your property to do something illegal.

We have to train the law that your router != you.

Exactly, it's like letting someone use your property to commit a crime.

Depending on the circumstances, yah, you can be in trouble. You can even get in trouble for uninvited guests coming over and hurting themselves on your property while you're not there.

If a yard implement from a shed in your yard is used to commit a crime and that tool gets traced back to you, why WOULDN'T the police investigate you? At the very least they are going to intrude in your home, ask where you've been, and in the router case, take it and your PCs.

Just be careful with that (5, Insightful)

WiglyWorm (1139035) | more than 3 years ago | (#35967264)

It can get you in to trouble []

That said, I leave my wifi router open as well, but if you're going to do it you have to do it knowing the risks. Being accused of kiddie porn, for instance, is going to stick with you forever, regardless of guilt or innocence.

Re:Just be careful with that (1)

antdude (79039) | more than 3 years ago | (#35967674)

What about making the open wifi restricted? Is that even possible? Like block these bad sites.

mac-rationing ? (1)

nblender (741424) | more than 3 years ago | (#35967274)

All new mac-addresses get 24 hours of free access; after that they're blocked for 1 week... Adjust thresholds accordingly...

Better check your ISP TOS (2, Insightful)

Kindgott (165758) | more than 3 years ago | (#35967276)

Your ISP may be none too happy when they find out you're sharing your connection, I'd double check their terms of service just in case.

Check your ISP TOS when you pick your ISP (1)

billstewart (78916) | more than 3 years ago | (#35967536)

Yup. The biggest concerns I had when picking my ISP were Terms of Service and availability of static routing. Back when I first got consumer broadband, there were many ISPs that didn't want you to run web servers from home, and some major ones that only allowed you to use one computer on the account unless you paid extra. Eventually the ISPs decided to allow multiple home computers (usually with NAT), because they understood that the market had changed and when people got new computers for themselves their kids got the old ones, but some of them still don't like the idea of guests. The real concern for ISPs was to make sure that you didn't buy one set of cable modem service and share it with your neighbors, instead of them each buying their own. They've pretty much accomplished that by now, but they're not going to let up on the scare stories.

My ISP's approach to ToS was "We're selling you a connection to the Internet, that means you've got a connection to the Internet. Do anything you want except for spam. If you want to share it with other people, we'll be happy to sell you extra email addresses for a small extra price."

Firewall your LAN and setup a guest network (1)

OriginalSpaceMan (695146) | more than 3 years ago | (#35967280)

I suggest checking this out. I've used it for a few clients. []

How about talk to your neighbors? (0)

Anonymous Coward | more than 3 years ago | (#35967292)

How about talk to your neighbors? You can share bandwidth without leaving your WiFi open.

Why Share Only Your Wifi??!! (0)

Anonymous Coward | more than 3 years ago | (#35967294)

C'mon, let's go all the way with this. Leave your door unlocked so I may go in anytime and help myself to a snack from your refrigerator. Leave your key in your car so I may borrow it for a quick milk run.

We're all just sharing everything now, right? Right? Yeah I thought so.


Anonymous Coward | more than 3 years ago | (#35967302)

Don't bother. Secure your wifi. I used to keep my wifi open to the public... Then my home was raided by the FBI. Don't make the same silly mistake I did, it really isn't worth the risk.

Re:DONT DO IT! (0)

Anonymous Coward | more than 3 years ago | (#35967686)

That sucks. Could you post more details?

Open access but outside the firewall possible? (2)

Animats (122034) | more than 3 years ago | (#35967304)

I just posed the same question in another topic, and wrote this:

WiFi routers should have the option of putting the air link on the outside of the local firewall. Actually, it would make sense if, by default, open WiFi links gave guest access to the outside Internet world, but not the inside LAN world, while encrypted links offered access to the inside world. This allows opening up guest access without exposing local servers and Windows shares.

A router should support both modes simultaneously, offering itself as two access points. Encrypted links should have higher packet priority over nonencrypted links, so that guest access can't starve out authorized users.

This seems obvious enough that some routers probably implement it already. Anyone know of one?

Re:Open access but outside the firewall possible? (1)

heitikender (655816) | more than 3 years ago | (#35967464)

Apple Airport Extreme does it extremely well.

Re:Open access but outside the firewall possible? (1)

Anonymous Coward | more than 3 years ago | (#35967478)

A router should support both modes simultaneously, offering itself as two access points. Encrypted links should have higher packet priority over nonencrypted links, so that guest access can't starve out authorized users.

You can also do this without having two access points.
I would use OpenWRT on a cheap consumer-grade router. If you want to provide a guest network as well as a secure, encrypted network for yourself, you could install a VPN solution on the router, e.g. OpenVPN [] . You would then connect to your unencrypted WiFi but then tunnel all your traffic over the VPN. The guest user can just connect normally. That also allows you to restrict guest users to some services, as well as using different QoS and traffic shaping (bandwidth throttling) settings. Some info on traffic shaping on Linux routers can be found here [] , as well as here (specific to openwrt). [] .

There is a nice table of hardware supported by OpenWRT here [] .
I wouldn't say that is an easy way the average consumer could do though. It requires some knowledge of Linux as well as Networking.

Re:Open access but outside the firewall possible? (1)

onezan (908534) | more than 3 years ago | (#35967486)

I have the DLink DIR-655 and it can do this. I have my local wireless and a "guest" wireless and neither can see each other. I also have QoS on the guest line to throttle down the speeds. Guests (and neighbours) can use it, but it's not going to be a great "long-term" solution.

Re:Open access but outside the firewall possible? (0)

Anonymous Coward | more than 3 years ago | (#35967572)

Cisco/Netgear E series does this I believe. My father had an e1000 router and when I visited his home I was surprised to see a guest network already created. Had a hard time trying to figure out how to disable it. It can't be disabled via the router's web management interface. You have to use Cisco/Netgear's crappy desktop software.

Re:Open access but outside the firewall possible? (1)

phizi0n (1237812) | more than 3 years ago | (#35967630)

Pretty much any router supported by DD-WRT (and some other 3rd party firmwares) can do this. There are also some recent models with "guest networks" such as all of Cisco Linksys's E series models. []

Network neutrality? (1)

captaindomon (870655) | more than 3 years ago | (#35967314)

Sounds like you have a network neutrality problem on your hands. How to provide services while downgrading heavy users through selective throttling...

Re:Network neutrality? (0)

Anonymous Coward | more than 3 years ago | (#35967596)

Sounds like you have a network neutrality problem on your hands. How to provide services while downgrading heavy users through selective throttling...

I'm not sure how this would be a net neutrality issue since Animats is trying to offer a free service and not operating as an ISP but merely an access point.

It's not the neighbors... (0)

mholve (1101) | more than 3 years ago | (#35967318)

...You should be worrying about, but rather anyone that happens by looking to do devious things (e.g. download kiddy pr0n on your line).

The FBI will be knocking on YOUR do

Tomato + VLANS? (0)

Anonymous Coward | more than 3 years ago | (#35967324)

My plan at the office was similar:

- One SSID for client access
- One SSID for local network access
- VLAN tagging

DD-WRT has an issue with tagging and enabling encryption on both, but if you are doing one open, it should work. It is a world of hurt to set up, not being very well documented, for something that would be trivial with a soekris + BSD/linux.

I'm planning to try this again with Tomato USB one day.

Basically the Open SSID is relegated to a VLAN that can only access a VLAN interface on my router. The router runs DHCP on that interface, recommending upstream DNS. Traffic to/from this subnet is lowest priority in QoS.
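The isolated guest VLAN with its own, lower QoS class that fuzzyfuzzyfungus, the "QoS doesn't do the main job here" sub-thread and this post describe, written out for a Linux-based router's iptables and tc (an added example, not configuration from any poster; the interface names, subnets, fwmark and rates are assumptions to adjust). Shaping what the router sends out of the guest interface is what caps guest downloads, because the router is the single choke point regardless of how remote senders marked their packets.

```shell
#!/bin/sh
# Guest segment on a Linux-based router with iptables and tc (the userland that
# OpenWrt/DD-WRT expose). Added example; not from any post in this thread.
# Assumed layout (every name, subnet and rate below is a placeholder):
#   WAN   eth0.2   upstream link
#   LAN   br-lan   trusted wired hosts + encrypted SSID, 192.168.1.0/24
#   GUEST wlan0-1  open SSID on its own VLAN/bridge,     192.168.200.0/24
# The router answers DHCP and DNS on the guest side and nothing else.
WAN=${WAN:-eth0.2}
LAN_NET=${LAN_NET:-192.168.1.0/24}
GUEST=${GUEST:-wlan0-1}
GUEST_NET=${GUEST_NET:-192.168.200.0/24}
LINK_UP_KBIT=${LINK_UP_KBIT:-2000}        # set ~5% under the real upstream rate
GUEST_UP_KBIT=${GUEST_UP_KBIT:-256}       # all guests together, upstream
GUEST_DOWN_KBIT=${GUEST_DOWN_KBIT:-2000}  # all guests together, downstream
GUEST_MARK=${GUEST_MARK:-2}               # fwmark; must not collide with the firmware's own QoS marks

# Rules are emitted as text so they can be reviewed (or tested) before they
# run; apply_rules feeds the same text to sh. Run once per firewall restart.
guest_isolation_rules() {
    cat <<EOF
# replies to guest-initiated flows come back through FORWARD with -o $GUEST
iptables -I FORWARD 1 -o $GUEST -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N GUEST_FWD
iptables -N GUEST_IN
# inserted at the top so the firmware's generic ACCEPT rules never see guests
iptables -I FORWARD 1 -i $GUEST -j GUEST_FWD
iptables -I INPUT 1 -i $GUEST -j GUEST_IN
# guests never reach the trusted LAN, other private ranges (modem UI, other
# VLANs) or anything except the WAN
iptables -A GUEST_FWD -d $LAN_NET -j REJECT
iptables -A GUEST_FWD -d 10.0.0.0/8 -j REJECT
iptables -A GUEST_FWD -d 172.16.0.0/12 -j REJECT
iptables -A GUEST_FWD -d 192.168.0.0/16 -j REJECT
iptables -A GUEST_FWD -o $WAN -j ACCEPT
iptables -A GUEST_FWD -j DROP
# the router offers guests DHCP and DNS only; its admin UI and SSH stay hidden
iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
iptables -A GUEST_IN -j DROP
iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN -j MASQUERADE
# tag guest-originated packets so the WAN shaper can put them in their own class
iptables -t mangle -A FORWARD -i $GUEST -j MARK --set-mark $GUEST_MARK
EOF
}

guest_shaping_rules() {
    trusted_up=$((LINK_UP_KBIT - GUEST_UP_KBIT))
    cat <<EOF
# Downstream: shaping what leaves $GUEST caps guest downloads whatever DSCP or
# QoS marks the remote sender used; TCP senders back off to the rate they see.
tc qdisc del dev $GUEST root 2>/dev/null || true
tc qdisc add dev $GUEST root handle 1: htb default 10
tc class add dev $GUEST parent 1: classid 1:10 htb rate ${GUEST_DOWN_KBIT}kbit ceil ${GUEST_DOWN_KBIT}kbit
tc qdisc add dev $GUEST parent 1:10 handle 10: sfq perturb 10
# Upstream: one HTB tree on the WAN. Trusted traffic is the default class and
# may borrow whatever guests leave idle; guest packets (fwmark $GUEST_MARK) are
# hard-capped at their ceil and dequeued after trusted traffic (prio 1).
tc qdisc del dev $WAN root 2>/dev/null || true
tc qdisc add dev $WAN root handle 2: htb default 10
tc class add dev $WAN parent 2: classid 2:1 htb rate ${LINK_UP_KBIT}kbit ceil ${LINK_UP_KBIT}kbit
tc class add dev $WAN parent 2:1 classid 2:10 htb rate ${trusted_up}kbit ceil ${LINK_UP_KBIT}kbit prio 0
tc class add dev $WAN parent 2:1 classid 2:20 htb rate ${GUEST_UP_KBIT}kbit ceil ${GUEST_UP_KBIT}kbit prio 1
tc qdisc add dev $WAN parent 2:10 handle 20: sfq perturb 10
tc qdisc add dev $WAN parent 2:20 handle 21: sfq perturb 10
tc filter add dev $WAN parent 2: protocol ip prio 1 handle $GUEST_MARK fw flowid 2:20
EOF
}

apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    { guest_isolation_rules; guest_shaping_rules; } | sh -e
}

# Review with `sh guest.sh | less`; apply with `GUEST_APPLY=1 sh guest.sh`.
if [ "${GUEST_APPLY:-0}" = 1 ]; then apply_rules; else guest_isolation_rules; guest_shaping_rules; fi
```

Keep the WAN rate a little below the modem's real uplink, otherwise the queue builds in the modem where this shaper cannot see it.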

Hmmm. (1)

Slutticus (1237534) | more than 3 years ago | (#35967326)

Being stupid is one thing. Being intentionally stupid?...well that's just a different level of stupid.

Don't do it. The world is just not ready.

Yes (0)

Anonymous Coward | more than 3 years ago | (#35967332)


Yes, it can be done, just like the FON network. My ISP here in Portugal partnered with FON, each router they install in your has 2 separated networks each with different IP addresses. It is also a different connection and it won't affect your bandwidth. If you chose to register to the service all the shared hot spots.

DD-WRT or Tomato (0)

Anonymous Coward | more than 3 years ago | (#35967334)

A $50 linksys router with one of these free custom firmwares can do QoS, allowing you to give priority to certain types of traffic (DNS > SSH > HTTP > BitTorrent, etc).

And the best way is: Don't. (0, Flamebait)

Chris Mattern (191822) | more than 3 years ago | (#35967336)

You'll be liable for any excess traffic charges your ISP puts on you. You're letting total strangers into your LAN, which is a security risk. And there's no guarantee at all that the cops will leave you alone. It's an idiotic thing to do.

Re: idiotic thing to do? (1)

King_TJ (85913) | more than 3 years ago | (#35967526)

As with most things, I can see both sides of it.

From an organization like the EFF's point of view? It's in their best interest to get a "critical mass" of individuals sharing their Internet connections via free, open wi-fi, because it weakens the case for law enforcement to hold people responsible for "not properly securing their connection" if something goes wrong. (If I had to come up with a quick analogy for this, I guess I might liken it to the police giving you a ticket or fine for not locking your doors or windows, after someone breaks in and they're called to the scene. It just seems a bit like punishing the victims.)

So from a "freedom" standpoint, it's perfectly understandable. Wouldn't you like to retain the right to share your Internet connection with your friends and neighbors, if you so choose? Or do you prefer an authoritarian society where despite you paying for your own connection and wireless router, government can dictate the way you actually use it?

On the other hand, you're probably opening yourself up to a lot of potential headaches and liabilities if you go this route. Even the hotels and restaurants I've visited that offer "free wi-fi" for their customers tend to make you click past some sort of opening "terms of service" agreement page before using it. At least then, they can claim they only offered said access subject to certain usage terms and conditions that you, the user, agreed to before using it.

IMHO, the best solution is to use one of the wi-fi routers that offers a "guest" network (makes sure the people using it are firewalled off from any of the hardware on your own local LAN), and place a good, strong WPA/WPA2 password on it. Then, give the password out to your neighbors and friends you trust to use your connection. No random strangers will be able to stumble onto it and use/abuse it that way, and if your neighbors or friends start abusing it? You can always change the password on them and lock them out until you determine who the culprit was. (Or change it and only give it out to 1 or 2 people for a while and see if things are ok. Keep adding one more user until you find out which person is hogging the bandwidth or what-not.)

Easy (0)

Anonymous Coward | more than 3 years ago | (#35967344)

Try and use your open router to get private info on your neighbours. Then extortion, then business class connection, then expand to even more neighbours, and voila, you're an entrepreneur!

use a anonymous vpn for your guests (1)

allo (1728082) | more than 3 years ago | (#35967346)

you can get an anonymous vpn for as cheap as 5 eur per month. just route all external traffic through the vpn-tunnel.

If you must... (1)

bytethese (1372715) | more than 3 years ago | (#35967354)

I wouldn't recommend this setup at all, but if you HAD to leave your router "free and open", the D-Link DIR-655 has the ability to broadcast a Guest Network (which limits access of those using it from seeing your machines behind your router) and has QoS (so you can prioritize your packets over your "guests").

Meeting Complex Requirements is Not That Easy (1)

billstewart (78916) | more than 3 years ago | (#35967358)

You've got a couple of choices - get a system that gives you lots of detailed controls so you can do anything you want, at the cost of understanding the complexity yourself, or sticking to simple cookie-cutter tools, but you won't find most of those letting you do bandwidth limitations on some connections. You can probably take DDWRT and convince it to do what you want, or you can take a dedicated BSD or maybe Linux machine and do all sorts of interesting things with it, but either way you'll have to do some work. But even if you take a commercial Cisco router, which can do fancy prioritization and rate-limiting, you'll find yourself burning a lot of its limited CPU.

I usually run into higher-bandwidth versions of this problem, where the one easy kluge is to put in a 10 Mbps Ethernet segment, so the speed limit happens in hardware and the priority queueing works naturally. If your home DSL is more than 2 Mbps, I suppose you could get an old 802.11b or maybe 802.11g wireless router, limit it to 2 Mbps per channel, and put it on a different radio channel than the one you use for yourself (e.g. put it on Channel 1 and use Channel 11.)

If you've got an old PC around (2)

taustin (171655) | more than 3 years ago | (#35967390)

You might take a look at IPCop or Smoothwall. Both give you access to the Linux command line, so you can use IPtables to do whatever the hell you want. Smoothwall might, possibly, have some sort of add-in to limit bandwidth by bandwidth or zone, though I'm not sure.

Re:If you've got an old PC around (1)

Anonymous Coward | more than 3 years ago | (#35967632)

All the best answers start with "if you've got an old PC around".

Try pfsense ( you could build a firewall, put a wireless router on a different subnet with no access to your lan, run it through a proxy to log all the traffic and voila!

Then ask yourself if this is all worth the risk.....

transparent proxy + traffic shaping (2)

Zine (989213) | more than 3 years ago | (#35967404)

I offered public wifi in my apartment complex on a limited pipe. First, I set up a Linux firewall with three NICs - one for outside, one for my inside stuff+personal wireless, one for the public. On the public wireless side, everything except port 80 was blocked. I included 443 in the blocks because I wanted to limit where people went, so I could mitigate potential trouble like pedo browsers. On port 80, I sent all traffic to a transparent squid proxy. The proxy then checked which URLs were being requested and if they were in my allowed list. If not allowed, I rewrote the URL and sent people to (I'm sure you could find an equally evil site to send if that isn't your preference). I did add in an html frame on the left side (right side was kittenwars) when people tried going to a site that explained here are all the sites you can go to, and the dangers of using someone else's unencrypted access point. Allowed URLs were fairly small, but from the usage the access point was still popular. wikipedia, Microsoft patches, PBS,, local government sites. I'm sure you could find more, but I wanted a very limited set that probably won't attract trouble. Then finally I limited people from soaking up my pipe using Linux traffic shaping on the transparent proxy.

DDWRT or m0n0wall/PFSense (2)

matty619 (630957) | more than 3 years ago | (#35967428)

You really just need something that either has an extra interface for your wireless network, or can do 802.1Q vlan tagging and a vlan capable switch. I think even with a Linksys and DDWRT, you can put the built-in wireless AP on its own VLAN. Then you just give the wireless its own subnet, disallow traffic from the wireless subnet to your personal subnet. I think you can even do multiple SSIDs and put each SSID on its own VLAN, one for the public and one for you. Then just allow egress traffic on ports 53, 80, and 443 for your guest subnet, set up the traffic shaping queues with whatever amount of traffic you want to donate, and set it and forget it.

Of course, this doesn't address the issue of people using the connection to do illegal things, but I've been doing exactly what I described above in a very densely populated area of San Diego since 2002 and haven't had any problems yet *knock on wood*

Also, keep in mind, that this violates the TOS of most ISPs. I have a business class cable connection at home, which has a much less restrictive TOS, which makes it legal. I also have multiple public IP addresses, and run all my guest wireless traffic over its own IP, so if anyone gets banned from say Ebay or something for fraud, it won't affect me.

But to answer your question, no, I don't think you can do this on many consumer grade router/APs without flashing the firmware with DDWRT, and not all consumer routers are flashable. I think Buffalo sells a model that comes with DDWRT preloaded.

If you wanted to make a project out of it, you could buy a used Cisco Aironet for $50 and pair it up with an old PC with multiple NICs and install PFSense on it and have yourself a grand old time. The tools in PFSense can actually be quite entertaining when you collect anonymous statistics about what sort of things your neighbors do with your connection. NTOP will entertain you for hours :)
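The three-NIC design Zine describes (public side locked down to port 80 and pushed through a transparent proxy) and the isolated guest subnet with 53/80/443 egress that matty619 describes both come down to the same handful of netfilter rules. The script below is an added example, not code from either poster or from any of the projects named in the thread; the interface names (eth0/eth1/eth2), the proxy port and the choice of allowed ports are assumptions. It prints the iptables commands rather than running them, so the policy can be read before it is applied with `guest_rules | sh` as root.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables rules for a Linux
# router with a WAN link, a trusted LAN and an isolated guest wireless
# segment. Interface names, ports and the proxy port are assumptions.

WAN=${WAN:-eth0}                 # upstream (DSL/cable modem)
LAN=${LAN:-eth1}                 # trusted home network
GUEST=${GUEST:-eth2}             # public / guest wireless AP
PROXY_PORT=${PROXY_PORT:-3128}   # local transparent squid listener
USE_PROXY=${USE_PROXY:-yes}      # "no" lets guest HTTP leave directly instead

# guest_rules prints the commands instead of running them so the policy can
# be reviewed; apply with:  guest_rules | sh   (as root)
guest_rules() {
    # Drop everything the router forwards unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Trusted LAN may go anywhere, including into the guest segment.
    echo "iptables -A FORWARD -i $LAN -j ACCEPT"
    # Guests may never reach the trusted LAN (stated explicitly even though
    # the chain policy already drops it, so a later ACCEPT cannot undo it).
    echo "iptables -A FORWARD -i $GUEST -o $LAN -j DROP"
    # Guest egress to the Internet: DNS, HTTP and HTTPS only.
    for rule in "udp --dport 53" "tcp --dport 53" "tcp --dport 80" "tcp --dport 443"; do
        echo "iptables -A FORWARD -i $GUEST -o $WAN -p $rule -j ACCEPT"
    done
    # What guests may ask the router itself for: DHCP, DNS and the proxy.
    echo "iptables -A INPUT -i $GUEST -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $GUEST -p udp --dport 67 -j ACCEPT"
    echo "iptables -A INPUT -i $GUEST -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $GUEST -p tcp --dport 53 -j ACCEPT"
    if [ "$USE_PROXY" = yes ]; then
        echo "iptables -A INPUT -i $GUEST -p tcp --dport $PROXY_PORT -j ACCEPT"
        # Transparent proxy: guest HTTP is silently redirected to squid,
        # which then applies the allow list and logs the requests.
        echo "iptables -t nat -A PREROUTING -i $GUEST -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
    fi
    # Anything else aimed at the router from the guest side (admin GUI,
    # SSH) is refused; the trusted LAN keeps its normal access.
    echo "iptables -A INPUT -i $GUEST -j DROP"
    # NAT both inside networks out the WAN link.
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}
```

Two things to check after applying it: the router (or a box on the guest segment) must actually answer DHCP and DNS there, since the guest subnet can no longer see the home LAN's servers, and the REDIRECT rule only catches plain HTTP, which is why Zine's design blocks 443 outright rather than pretending the proxy sees it.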

It's a BAD IDEA (2)

RedLeg (22564) | more than 3 years ago | (#35967430)

Forget being a nice guy, and in this case, the EFF's recommendations. Aside from the issues you raise yourself, this story should be all it takes to convince you of the foolishness of such a policy these days.

To answer your question directly, yes, some consumer AP / Routers can shape traffic like you're asking. You will need to divide your network into multiple VLANs, I would suggest three: One wireless and wide open, one wireless and secure for your use, and one for the wired side. Then, bandwidth limit the free wireless, route appropriately, and apply a security policy to protect yourself. You might also consider logging all that "free" traffic so when the Feds show up with a warrant, you have some kind of audit trail to get yourself out of jail.

I'm not aware of any consumer grade equipment that will do this out of the box. On the other hand, there are several free / open firmware projects that replace the factory firmware that are linux based, and may be able to meet your needs. A couple (by no means all) of these projects are dd-wrt and Open-wrt.

Beware though, that not all of the consumer hardware is created equally internally. Research carefully the hardware / replacement firmware combinations to make sure you can get where you want to be before spending money. You'll also be stressing the hardware far beyond its original design, so opt for more RAM and a faster embedded processor.

Gee, this sounds like a PITA.....

Hope this helps, and that you don't get arrested.
Be careful (0)

Anonymous Coward | more than 3 years ago | (#35967432)

After I read a recent story on Slashdot about people being apprehended for downloading child porn when not they but someone outside the house was downloading it, I would be very careful. I would only share it with people I know and base it on some pre-shared authentication scheme.

Be Nice But Not Too Nice (1)

Quantum_Infinity (2038086) | more than 3 years ago | (#35967442)

Whenever I have tried to be too nice, I have always ended up getting hurt. The lesson I have learnt is - be nice as much as is needed, but do not overdo it. You are overdoing it and will learn the same lesson the hard way.

OpenWRT/Captive portal or just (0)

Anonymous Coward | more than 3 years ago | (#35967482)

I assumed this would have already been mentioned, but I don't see it.

Using OpenWRT and several other FOSS packages I was able to cobble together a nice captive portal that logs everything, warns users that it logs everything, and requires an email-verification to ensure you have some form of contact information to go with all that lovely logged information. It also allowed me to throttle down the public side of the wifi and keep them from using up my bandwidth. has a firmware for their devices (I'm rocking a handful of the mr302a's or whatever) that lets you do all of this through their nifty dashboard.

Now, IANAL and have never had to defend against accusations such as those in the kiddie-porn raid link above, but it definitely was enough to get my ISP off my back for a DMCA violation once I disabled that person's MAC from continuing to access the open network.

I suggest... (0)

Anonymous Coward | more than 3 years ago | (#35967506)

the NOT method.

Route their traffic through Tor (0)

Anonymous Coward | more than 3 years ago | (#35967544)

I used to have this setup. It was pretty easy to do.

All traffic from the public SSID was sent through redsocks via iptables. All DNS requests from the public SSID were sent via a small daemon that was 99.9% python code pulled from another socks proxy project (name escapes me right now) -- took a few minutes to make it into a proper daemon.

Hostapd had multiple ssids, which were isolated to diff bridge interfaces, so traffic didn't mix.

If you don't care about leaking DNS requests, redsocks + iptables is enough.

Ile Sans Fil (1)

Derf_X (651876) | more than 3 years ago | (#35967558)

Do it like Ile Sans Fil does it:
  • Access control
  • Control of bandwidth usage
  • Protection of your private network, PCs

More details here: []

use a firewall (0)

Anonymous Coward | more than 3 years ago | (#35967562)

m0n0wall, for example

Fon might be easiest (1)

dennish00a (1411367) | more than 3 years ago | (#35967576)

What say we try to answer the question for this person? I'd suggest that Fon is the simplest way to share your network, though I believe that only Foneras will then be able to use it. However, for somebody who is not a sysadmin, Fon provides a simple way for the "average consumer" to set up separate public and private SSIDs and to throttle traffic.

Look at replacing the firmware. (1)

chaboud (231590) | more than 3 years ago | (#35967592)

You can do more sophisticated traffic management with DD-WRT than with the stock router firmware.

Take care, though. There have been several cases of the FBI busting in and making life hard because of child porn traffic on open routers. You could also look at a FON router. They allow for some management of traffic (and cashing in).

Traffic shaping (1)

Omnifarious (11933) | more than 3 years ago | (#35967608)

But the existing traffic shaping solutions are impenetrable and impossible to use. This makes me very unhappy. I'm also not sure that the traffic shaping policy I want is possible with the existing traffic shaping tools.

I have a small Linux box I use as a router, and I have 3 LANs + the external link. LAN 1 is my trusted internal network. LAN 2 is the network for any windows box, my gaming systems and any housemates. LAN 3 is the wireless.

I want a traffic shaping policy that says something like this:

  1. Spare bandwidth is up for grabs, but allocated in a priority order.
  2. My trusted network (LAN 1) has first dibs on any spare bandwidth above as long as everybody else is getting the guaranteed minimums.
  3. My not-very-trusted network (LAN 2) has the next priority on any spare bandwidth, but has a guaranteed minimum incoming of 2mbits, and a guaranteed outgoing of 150kbits.
  4. Outgoing bandwidth from my webserver on my trusted network is next in line for spare outgoing bandwidth, and has a guaranteed minimum of 400kbits outgoing.
  5. The very untrusted network (LAN 3) has the lowest priority on any spare bandwidth, and has a guaranteed minimum incoming of 100kbits and a guaranteed minimum outgoing of 15kbits.

This is complicated by the fact that I want intra-LAN traffic to be essentially unlimited. If someone somehow manages to saturate the 1Gb backbone on my internal network, I'll figure out how to deal with it outside the traffic shaping policy.

I already have a firewall policy that treats my wireless network as being as untrustworthy as the Internet.
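The policy above maps almost one-to-one onto a Linux HTB class tree: each leaf's `rate` is the guaranteed minimum, `ceil` lets it borrow up to the whole link, and `prio` decides who is offered the leftover first. The script below is an added example written for this thread, not Omnifarious' configuration; the interface names, the three /24 subnets, the web server address and the link speeds are assumptions. Download is shaped by redirecting WAN ingress to an ifb device, which is the usual way to get HTB, an egress-only scheduler, to act on incoming traffic. It prints the tc commands so they can be inspected; apply with `shaping_commands | sh` as root and watch the counters with `tc -s class show dev eth0`.

```shell
#!/bin/sh
# Added example, not from the thread: a tc/HTB class tree that gives each
# network a guaranteed minimum plus a priority for leftover bandwidth, as in
# the policy described above. Interface names, subnets, the web server
# address and the link speeds are assumptions.

WAN=${WAN:-eth0}
IFB=${IFB:-ifb0}              # download is shaped by redirecting WAN ingress here
UP_KBIT=${UP_KBIT:-1000}      # set both a little below the measured line rate so
DOWN_KBIT=${DOWN_KBIT:-8000}  # the queue forms on this box rather than in the modem
LAN1_NET=${LAN1_NET:-192.168.1.0/24}   # trusted
LAN2_NET=${LAN2_NET:-192.168.2.0/24}   # windows boxes, gaming, housemates
LAN3_NET=${LAN3_NET:-192.168.3.0/24}   # wireless
WEBSRV=${WEBSRV:-192.168.1.10}         # web server living inside LAN1

# htb_tree DEV LINK_KBIT DIR LAN1_KBIT LAN2_KBIT LAN3_KBIT [WEB_KBIT]
# DIR is "src" for upload (classify by source) or "dst" for download.
#   rate = guaranteed minimum, ceil = may borrow up to the whole link,
#   prio = who is offered spare bandwidth first (lower number wins).
# Unmatched traffic, including the router's own, lands in 1:40 (lowest).
htb_tree() {
    dev=$1 link=$2 dir=$3 r1=$4 r2=$5 r3=$6 rweb=$7
    echo "tc qdisc del dev $dev root 2>/dev/null"
    echo "tc qdisc add dev $dev root handle 1: htb default 40"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${link}kbit ceil ${link}kbit"
    echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate ${r1}kbit ceil ${link}kbit prio 0"
    echo "tc class add dev $dev parent 1:1 classid 1:20 htb rate ${r2}kbit ceil ${link}kbit prio 1"
    echo "tc class add dev $dev parent 1:1 classid 1:40 htb rate ${r3}kbit ceil ${link}kbit prio 3"
    if [ -n "$rweb" ]; then
        # Web server replies: third in line; only meaningful on the upload side.
        # Its /32 filter carries the lowest prio number so it wins over LAN1's /24.
        echo "tc class add dev $dev parent 1:1 classid 1:30 htb rate ${rweb}kbit ceil ${link}kbit prio 2"
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip $dir $WEBSRV/32 flowid 1:30"
    fi
    echo "tc filter add dev $dev parent 1: protocol ip prio 2 u32 match ip $dir $LAN1_NET flowid 1:10"
    echo "tc filter add dev $dev parent 1: protocol ip prio 3 u32 match ip $dir $LAN2_NET flowid 1:20"
    echo "tc filter add dev $dev parent 1: protocol ip prio 4 u32 match ip $dir $LAN3_NET flowid 1:40"
}

# shaping_commands prints the complete setup: the ifb device that carries
# WAN ingress, then one HTB tree per direction. LAN1's guarantee is whatever
# is left after the others' minimums, so the leaf rates never exceed the link.
shaping_commands() {
    echo "modprobe ifb numifbs=1"
    echo "ip link set dev $IFB up"
    echo "tc qdisc del dev $WAN ingress 2>/dev/null"
    echo "tc qdisc add dev $WAN handle ffff: ingress"
    echo "tc filter add dev $WAN parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $IFB"
    # Upload (policy items 2-5): LAN2 150kbit, web server 400kbit, LAN3 15kbit.
    htb_tree "$WAN" "$UP_KBIT" src $((UP_KBIT - 150 - 400 - 15)) 150 15 400
    # Download: LAN2 2 Mbit, LAN3 100kbit; no separate web server class.
    htb_tree "$IFB" "$DOWN_KBIT" dst $((DOWN_KBIT - 2000 - 100)) 2000 100
}
```

Because both qdiscs sit on the WAN interface and on ifb0, traffic between the three LANs never passes through them, which gives the "intra-LAN traffic is unlimited" property for free. The ingress side is the weaker half: it can only drop packets that have already crossed the link, so it works against TCP's congestion control rather than by holding packets back, and the guaranteed download minimums are approximations rather than hard reservations.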

Guest Network (1)

ase (39429) | more than 3 years ago | (#35967622)

Apple Airport Extreme Base Station lets you set up a well protected separate guest network. Used it with no troubles for a while now.

pfSense ftw (1)

petree (16551) | more than 3 years ago | (#35967646)

I believe all of this is possible (even multiple SSIDs with one router) with OpenWRT or DD-WRT on certain hardware, but I never got it working right. I just ended up using two Linksys routers (one with open wifi, one encrypted) and pfSense as a router. You can even do this with just pfSense and a couple wireless cards. Private wifi bridges to the local network, public is on an isolated subnet. pfSense traffic shaping keeps users in check. I have a QOS class for "public" traffic which is limited to a couple mbit/sec down and a few dozen kb/sec up. Rock solid, more than I can ever say for either of the Linksys routers.

I found pfSense: The Definitive Guide to be a decent dead trees source for getting started with pfSense.

Be careful (0)

Anonymous Coward | more than 3 years ago | (#35967660)

I read a comment here a while back to use encryption and put your phone number in the SSID. That way you can identify who wants to use it and this will prevent abuse better than anything else.

And as mentioned, being dragged out of bed and arrested on Child Pornography charges will ruin your life, even if you are found innocent (most likely years later)

AP Isolation (1)

Halifax Samuels (1124719) | more than 3 years ago | (#35967666)

AP Isolation is a nice DD-WRT option that prevents wireless clients from communicating with each other. Best to disable wireless GUI access to the router, as well. I've had a DD-WRT router for years and I've never looked through all these settings until now.

Re:AP Isolation (1)

Halifax Samuels (1124719) | more than 3 years ago | (#35967682)

That kinda sounds like I was thinking out loud to myself. It was supposed to be one of those: "If you're going to do this you should also consider this" type of comments.

Yes (1)

flghtmstr1 (1038678) | more than 3 years ago | (#35967668)

Many modern routers can be configured to broadcast a "guest connection" with its own SSID that you can then throttle as you see fit.

Fon? (0)

Anonymous Coward | more than 3 years ago | (#35967678)

I'm not sure if this option will be available to you, but currently I have a router built to support FON so other FON users can use a low connection for free. Might be worth a look. link:

Amish (0)

Anonymous Coward | more than 3 years ago | (#35967690)

Hmmm..... with all these no-knock SWAT raids over open wifi routers, your car's GPS automatically sending your speed data to the cops, your cellphones tracking your every move, and runaway inflation jacking up the prices of gasoline, electricity and store-bought groceries... then maybe the Amish way of life ain't so bad after all.

One solution... (0)

Anonymous Coward | more than 3 years ago | (#35967696)

Monowall is a nice BSD based software firewall. It is a captive portal that can be used to set usage terms by redirecting the web user to a page you can require they agree to before they can use the connection. It also includes QOS controls that can help you limit use of the connection to users on the open network. I've used this myself before for this very thing, and used the page to tell the user they had no privacy. I also made mention that I would be VERY helpful to anyone with warrant in hand. I found this made misuse far less likely, but your usage may vary.

A few points however. To be legally binding you'd have to have a usage agreement likely designed for your state by a lawyer. Just because such statements of cooperation with the authorities might scare off some; the worst of abusers won't care a bit about your silly little agreement. If I'm going to commit wire fraud on your connection, to conceal my identity, I won't be back and I'm faking my MAC. So depending on the crime they may still burst in machine guns in hand.

Just because you can technically do it may not mean you should. Do be sure to properly research this completely, and with your state's laws in mind. It would be nice if the EFF continued to work on this and generated user agreements for us to use.

In a side note Monowall is highly versatile and there are several commercial solutions based on it.
