8

We (the tech I work with and myself) live in a remote northern town where Internet access is somewhat of a luxury, and bandwidth is quite limited. Here, overage charges ranging from a few hundred to a few thousand dollars a month are not uncommon. I myself incur regular monthly charges just through my regular Internet usage at home (I am allowed 10G for $60CAD!)

As part of my work, I have found myself involved with several hotels that are feeling this. I know that I can come up with something to solve this problem, but I am relatively new to system administration and I don't want my dreams to overcome reality.

So, I pass these ideas on to you, those with much more experience than I, in hopes you will share some of your thoughts and concerns.

This system must be cost effective; yes, the charges are high here, but the trust in technology is the lowest I've ever seen.

  • Must be capable of helping client reduce their usage (squid)
  • Allow a limited (throughput and total usage) amount of free Internet, as this is often franchise policy.
  • Allow a user to track their bandwidth usage
  • Allow (optional) higher speed and/or usage for an additional charge. This fee can be obtained at the front desk on checkout and should not require the use of PayPal or Credit Card.
  • Unfortunately some franchises have ridiculous policies that require the use of a third-party remote service to authenticate guests to your network. This means WPA is out, and it also means that I do not auth before Internet usage; that will be their job. However, I do require the ABILITY to perform authentication for Internet access if a hotel does not have this policy. I will still have to track bandwidth (under a guest account by default) and provide the same limiting; however, the guest often will require complete 'unlimited' access, in terms of existence, not throughput.
  • Provide firewalling capabilities for hotels that have nothing, Office, and Guest network segregation (some of these guys are running their office on the guest network, with no encryption, and a simple TOS to get on!)
  • Prevent guests from connecting to other guests; however, provide a means to allow this to happen, i.e. each guest connects to a page and allows the other guest, which writes an iptables rule (with python-netfilter) and allows two rooms to play a game, for instance.

My thoughts on how to implement this: one decent box (we'll call it a router now) with a lot of RAM and 3 NICs:

  1. Internet
  2. Office
  3. Guests (AP's + In Room Ethernet)

Router Firewall Rules

  • Guest can talk to router only, through which they are routed to where they need to go, including Internet services.
  • Office can be used to bridge Office to Internet if an existing solution is not in place; otherwise, it simply works for a network-accessible web (webmin+python-webmin?) interface.

Router Software:

  • OpenVZ provides virtualization for a few services I don't really trust: Squid, FreeRADIUS and Apache. The only service directly accessible to guests is Apache.
  • Apache has mod_wsgi and Django, because I can write quickly using Django and my needs are low. It also potentially has the FreeRADIUS mod, but there seem to be some caveats with this.
  • Firewall rules are handled on the router with iptables.
  • Webmin (or a custom django app maybe) provides abstracted control over any features that the staff may need to access.
  • Python, if you haven't guessed, is the language I feel most comfortable in, and I use it for almost everything.

And finally, has this been done, is it an overly massive project not worth taking on for one guy, and/or are there some tools I'm missing that could be making my life easier?

For the record, I am fairly good with Python, but not very familiar with many other languages (I can struggle through PHP; it's a cosmetic issue there). I am also an avid Linux user, and comfortable with config files and the command line.

Thank you for your time, I look forward to reading your responses.

Edit: My apologies if this is not a Q&A in the sense that some were expecting; I'm just looking for ideas and to make sure I'm not trying to do something that's been done. I'm looking at pfSense now as a possible start for what I need.

Andy
Anthony Hiscox
  • I'm having trouble working out what your question is. I see some complaints and some ideas but what are you actually after? This is after all a Q&A site, not a discussion forum. – John Gardeniers Feb 17 '10 at 08:55
  • I apologize for being unclear; the problem is I'm not asking a very specific question. I'm not saying "I've got two computers, I did this, it should work, it's not". I'm looking for advice on a much higher level. Before I knew about FreeRADIUS for instance, a good response could be "For tracking those users, and being able to bill them, have a look at FreeRADIUS". Another thread regarding bandwidth restrictions for a roommate tipped me off to pfSense, which seems to offer a great deal of control, and might be very useful to me. I also want to avoid reinventing the wheel. – Anthony Hiscox Feb 17 '10 at 09:05
  • 1
    I'm wondering what's the significance of 'remote northern town'. Would you reject a solution which worked in a 'remote southern town' ? – pavium Feb 17 '10 at 09:54
  • If the phone lines aren't big enough, then why not satellite internet such as wildblue or hughesnet ? – Paul Feb 17 '10 at 10:22
  • There is no significance to where I live, besides the fact it's where I live. Saying that myself and someone else live in the remote south would have been lying. Of course I won't reject any ideas or solutions if they will help us. I will check with the other tech on the sat issue, my guess is that will be something hard to sell. – Anthony Hiscox Feb 17 '10 at 11:25
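An added illustration of the three-NIC firewall and the opt-in room-to-room rule described in the question (not code from the asker or from any project): a small Python policy model that renders iptables FORWARD rules and evaluates a flow against them first-match, the way the kernel would. Interface names, subnets and room addresses are assumptions; the rules only govern traffic the router actually forwards, so they presume per-room VLAN sub-interfaces (or AP client isolation) rather than one flat guest LAN.

```python
from ipaddress import ip_address, ip_network
WAN, OFFICE, GUEST = "eth0", "eth1", "eth2"   # assumed NIC names, in the question's order
OFFICE_NET = ip_network("10.1.0.0/24")         # assumed office subnet
GUEST_NET = ip_network("10.2.0.0/16")          # assumed guest supernet, one /24 per room VLAN

def _if_ok(pattern, name):
    """iptables interface match; a trailing '+' is the prefix wildcard (eth2+ matches eth2.101)."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern

class GuestPolicy:
    """Rules are (in_iface, out_iface, src_net, dst_net, target); None means 'any'."""
    def __init__(self):
        self.pairs = []                   # room pairs that opted in through the portal page

    def allow_pair(self, room_a, room_b):
        a, b = ip_address(room_a), ip_address(room_b)
        if a not in GUEST_NET or b not in GUEST_NET:
            raise ValueError("only guest addresses can be paired")
        self.pairs.append((ip_network(f"{a}/32"), ip_network(f"{b}/32")))

    def rules(self):
        g = GUEST + "+"                                     # eth2+ also covers eth2.101 etc.
        r = [(g, None, None, OFFICE_NET, "DROP")]           # guests never reach the office
        for a, b in self.pairs:                             # opted-in room-to-room, both ways
            r += [(g, g, a, b, "ACCEPT"), (g, g, b, a, "ACCEPT")]
        r += [(g, g, None, None, "DROP"),                   # every other guest-to-guest flow
              (g, WAN, GUEST_NET, None, "ACCEPT"),          # guests out to the Internet
              (OFFICE, WAN, OFFICE_NET, None, "ACCEPT")]    # office out to the Internet
        return r

    def decide(self, in_if, out_if, src, dst):
        """First-match evaluation of rules(); the FORWARD chain policy is DROP."""
        src, dst = ip_address(src), ip_address(dst)
        for rin, rout, rsrc, rdst, target in self.rules():
            if (_if_ok(rin, in_if) and _if_ok(rout, out_if)
                    and (rsrc is None or src in rsrc) and (rdst is None or dst in rdst)):
                return target
        return "DROP"

    def iptables(self):
        """Render rules() as iptables commands, accepting stateful return traffic first."""
        out = ["iptables -P FORWARD DROP", "iptables -F FORWARD",
               "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for rin, rout, rsrc, rdst, target in self.rules():
            opts = [f"-{k} {v}" for k, v in zip("iosd", (rin, rout, rsrc, rdst)) if v is not None]
            out.append(" ".join(["iptables -A FORWARD", *opts, f"-j {target}"]))
        return out
```

Because the pairing rules are inserted ahead of the catch-all guest-to-guest DROP, a portal page that calls allow_pair() and re-applies iptables() gives exactly two rooms mutual access while every other room stays isolated.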

4 Answers

1

After looking at the pfSense project now, I think it will provide a lot of what I need with a bit of configuration. It supports Captive Portal, and does this with RADIUS servers, can be set up with Squid for transparent proxying, and seems like it has a LOT of control over the traffic. I'm still open to any more ideas that may help. Thanks!

Anthony Hiscox
0

Random thoughts:

  • First, start with a network diagram. Don't worry about firing up Visio; just draw one on paper. Once you figure out where to start, repost some specific questions here. This posting is way too dense. Making it bite-sized will get you better, more thoughtful answers that address specific questions.

  • "Prevent guests from connecting to other guests..." You're not going to be able to do this at the firewall because everyone is on the same, internal LAN. You'll have to do it at the switch, so you'll need to get a managed (smart) switch.

  • Python is the ideal language for something like this. Don't worry about not knowing PHP. PHP is not the right language. PHP is never the right language. For anything.

  • You're not going to want to maintain your iptables rules by hand unless you're masochistic. Look into using Shorewall instead. It's simply a thin configuration layer on top of iptables that makes it much easier to manage.

jamieb
  • I will consider doing a diagram, but this is a bit difficult as I need to be flexible for a few different network setups. The other tech is currently looking at a 48-port PoE injecting switch; I believe it is managed. +1 Python, -1 PHP, good. I mentioned it because of things like PHPMyPrepaid, which the other tech suggested I look into. I agree, I did consider either Firehol or Shorewall; I will look into this more. I am now reading about pfSense; it looks like it might be a step in the right direction. Cheers. – Anthony Hiscox Feb 17 '10 at 08:57
  • -1 for saying PHP is not good for anything. I'd agree that PHP is usually not the right choice if you had put it even a little bit less strongly; this is just fanboy behavior. Edit: Additionally, I do use iptables and they work great for my purposes so far. Not sure how well Shorewall runs on Android but iptables works just fine, thank you. – Luc Jul 01 '13 at 19:10
0

There are ready-made installs for providing the kind of service that you are talking about, usually a Mini-ITX system with the OS already set up on compact flash, often giving you the option between free access and a payment system that works across APs at many different locations. I'm assuming you are from Canada, but I only know specific examples that are for Britain.

JamesRyan
  • Would knowing the name allow me any more insight into how they do it? If so, I would still like to look into it. – Anthony Hiscox Feb 17 '10 at 11:21
  • I should note, having an option between paid and free won't work. I need free, but also paid. Free Internet access is something that MANY franchises implement across their hotels, and it's a requirement we can't just do away with because we're remote. So there always has to be a free level of Internet provided. How much that means a user gets to use, is up to our discretion. Essentially we want heavy users to pay like we do, and light users still get everything for free. – Anthony Hiscox Feb 17 '10 at 11:29
0

A Mikrotik Hotspot will do everything you have listed. You should be able to run each location off a 450G or similar.

Oesor