Internal (self, family, employees) -- share a network ("Network A") that
includes secure machines and resources (file servers, printers, backup).

External (neighbors, paying customers) -- share a distinct network
("Network B") that is walled-off from the secure one.

Equipment

Access point #1: Colubris CN-3000 (approx $650)
  - Wireless signal for Network B users
  - Not encrypted
  - Authenticated by RADIUS server (see below)
  - Can forward requests to a proxy (feature not enabled)
  - Provides DHCP service to clients on Networks A and B
  - Forwards DNS service to clients on Networks A and B
    (note: I found Covad's DNS service to be unreliable, which was causing my
    network to fail and me to tear my hair, so now I provide my own DNS from a
    Sun/Cobalt Linux server I operate from a co-lo in downtown San Francisco.
    For backup DNS service I use, without permission, some server from some
    nameless large corporation nearby...)

Access point #2: D-Link 900 AP+ (approx $80)
  - Wireless signal for Network A users
  - WEP-encrypted
  - Authenticated by RADIUS server (see below)
  - Forwards to wireless users the services provided by the Colubris

RADIUS server
  - Runs on a Linux box in the Wifi-Texas NOC (network operations center) in
    Austin
  - Authenticates users on Network A -- automatic; looks up their MAC
    addresses in a MySQL database which I maintain through a browser-based
    administrative interface. If the MAC address is not recognized, it opens a
    browser window with a form in which it demands a user ID and a password,
    which it looks up in the database.
  - Authenticates users on Network B -- by user ID and password as above.
    When I sign up a new customer, I create a new user ID and password in the
    database. So far I have one customer.
  - Performs usage accounting. Keeps a log of user sessions.
  - Performs network monitoring. Periodically pings each access point and
    sends me an e-mail when one fails to respond.
  - Prevents abuse on Network B. If a customer attempts to run Kazaa, make
    spam floods, etc., the bandwidth-hogging is detected and their connection
    is terminated.
  - Additional features (which I have not chosen to activate):
      - Content filtering. User accesses can be passed through a proxy that
        compares them to a third-party-maintained list of porn sites and
        denies the request if there's a match.
      - Unattended sign-ups. Users who want to buy wireless access could enter
        their credit card information and pay according to a fee schedule
        which I would design. The access permissions thus selected would be
        entered into the database along with the new user account
        information. When the access permissions expired, the account would
        be deleted and the customer would need to sign up again.
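An added illustration (not the author's or Wifi-Texas's code) of the access decision described above for the RADIUS server: Network A devices are admitted by MAC address, while an unrecognized MAC, and every Network B user, must supply a user ID and password that is checked against the database. The device table, the user table and the salted password hashing are constructed stand-ins for the MySQL database.

```python
import hashlib
import hmac
import os
from enum import Enum
from typing import Optional


class Decision(Enum):
    ACCEPT = "accept"          # grant network access
    NEED_LOGIN = "need_login"  # open the captive-portal login form
    REJECT = "reject"


# Constructed stand-ins for the MySQL tables the author maintains.
# Network A devices admitted by MAC address. A MAC address is trivially
# forged, so this list identifies a device but does not prove who holds it.
KNOWN_MACS = {"00:0d:88:aa:bb:cc": "home-laptop"}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> dict:
    """Create a user record that stores a salted hash, not the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {"neighbor1": make_account("correct horse")}  # Network B customer


def authorize(network: str, mac: str,
              user_id: Optional[str] = None,
              password: Optional[str] = None) -> Decision:
    """Decide one association attempt the way the text describes."""
    if network not in ("A", "B"):
        return Decision.REJECT
    if network == "A" and mac.lower() in KNOWN_MACS:
        return Decision.ACCEPT                  # recognized device, no prompt
    if user_id is None or password is None:
        return Decision.NEED_LOGIN              # unknown device: demand login
    record = USERS.get(user_id)
    if record is None:
        return Decision.REJECT
    candidate = _hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        return Decision.ACCEPT
    return Decision.REJECT
```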
Zyxel 645 ADSL modem
  - Interfaces the Covad service (on POTS copper) to the Colubris.

Range extender antenna
  - Attached to the Colubris. My Network B signal reaches nearby buildings.