3

I'd like to set up and administer a small network which would supply a captive portal where users type in a unique password and/or username to connect to the internet and to each others' computers, and which would subsequently allow an administrator (myself) to monitor/log browsing history.

I'm imagining a captive portal like the network at a coffee shop, or, on a bigger scale, at an airport, for which you must supply your email address before you can connect to the global internet. At school, we used the Bluesocket network (and we all hated it, but I think we were pushing the capacity to the max), which presented a login page something like this one - You've all seen it. Attempting to browse to another page simply caused a redirect to the original page. I understand that this setup allows my school (and the coffee shop, and airport) to track and manage users on a per-user basis.

I'd like to connect a dozen or fewer users. Right now, I have a small wireless LAN that simply provides a network with a hidden SSID and WPA encryption to prevent unauthorized use. There's a short list of simple logged in, logged out, and error messages provided by the router, but that's about it.

For now, let's assume that I can establish a captive portal to allow login/logout. This seems fairly well documented. What must I do after this to record browsing history?

I'm open to suggestions ranging from

  • Buy this better router (And load some sweet firmware), to
  • Install this free software and share your connection through any always-on PC, to
  • Dig up an old PC and use it as a dedicated server, configured thus.

The users would often be working from shared computers, so a MAC-address based approach won't work. Typical load would be 1-5 users at a time, but more users would be registered with the system. Let's try to keep the cost at or below $200.

EDIT: Two new terms I've learned are "captive portal" and "transparent caching/proxying". This, as I understand it, is how the coffeeshop/airport/university system works. Since that appears to be under control, let's move off of beginner networking terminology (sorry) and focus on implementations of these techniques for the small business or home.

FYI: I'm a computer engineer with experience in C and embedded systems. I'm computer literate, and enjoy learning new things, but I'm completely without experience in the networking sector.

Desperatuss0ccus

2 Answers

2

The term you're looking for is a Captive Portal. PFSense has a good one. I believe the one in the 2.0 Beta is even better.

PFSense also gives you transparent caching, multi-WAN load balancing, IPSec tunnels and all the fun stuff that comes in a fully-fledged firewall appliance.

I've had (have, actually) it running on a Celeron 1.1 with 128Mb of RAM. Without using the caching functionality it runs just fine.

Mark Henderson
  • Thanks for the tip, but I was already reading the OpenWRT docs, and had just found the term and edited it while you were writing your answer. But the use of a PC instead of custom firmware on a wifi gateway is interesting... – Kevin Vermeer Jul 22 '10 at 01:27
  • If you go out and spend $1000 or more on a firewall (like a Cisco PIX) what you'll find is that it's actually just a normal, rack-mounted server, often several generations old (like a P3 or a 400Mhz FSB Xeon) running a custom operating system. PFSense gives you the Operating System for free, and by using BYO hardware you can have an excellent fully functional corporate level firewall for virtually no hardware costs. – Mark Henderson Jul 22 '10 at 01:43
1

Your cheapest & most flexible option is to get a Linksys WRT54G based wifi gateway & try one of the open source firmwares such as OpenWrt, Tomato or DD-WRT, whichever suits your needs best.

EDIT: You will also want to use squid to do transparent proxying so you can log/password protect web traffic.

PFSense is a much more user-friendly/configurable solution for this.

Nick Kavadias
  • Oooh firmware. This I can do! ...Can such a router allow me to connect over Ethernet and wifi with the same restrictions? I don't really like the idea of router -> WRT54G -> wifi -> Wireless/ethernet bridge -> Ethernet switch – Kevin Vermeer Jul 22 '10 at 00:53
  • I'm sure it's configurable. – Nick Kavadias Jul 22 '10 at 01:14
  • OK - It hasn't been on (the few) gateways I've owned - security over wifi, direct connect over ethernet. – Kevin Vermeer Jul 22 '10 at 01:29
  • *squid to the transparent proxying*?!?!? <- What language is this? Off to Google... – Kevin Vermeer Jul 22 '10 at 01:31
  • Yes, but PFSense (as far as I can tell) requires a power-hungry, expensive PC. DD-WRT only requires a ubiquitous little router. – Kevin Vermeer Jul 22 '10 at 01:32
  • This is false. To make use of the plugins (like Squid, etc.) you need the full version instead of the embedded version, but you don't need an expensive machine to do this. A 4 or 5 year old Pentium 4 with a couple GB of RAM would be more than enough to run everything you need; you can pick up a P4 desktop for < $200 off-lease. – gravyface Jul 22 '10 at 02:13
  • Can't argue with "power hungry" though – Mark Henderson Jul 22 '10 at 05:07
  • Fixed up my English. Sorry, this is what happens when you try to answer SF questions when trying to do your day job simultaneously – Nick Kavadias Jul 22 '10 at 05:23
  • So squid may be overkill to run on WRT54 to do http logging, but there are things like DansGuardian that are much more lightweight – Nick Kavadias Jul 22 '10 at 05:46
  • @Farseeker: true, and the AMD Sempron 140 Sargas is quite a bit cooler/greener than the P4s and is ~30 bucks on NewEgg right now. – gravyface Jul 24 '10 at 20:39
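
Added example, not part of the original question or answers: one way to turn the transparent-proxy log into per-user browsing history when users share computers. A transparently intercepting Squid cannot ask for proxy credentials, so the user field in its access.log is `-`; the sketch instead joins each request to the captive-portal session that held that client IP at that time. The session tuple format, user names and all sample lines are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed portal sessions (hypothetical format): user, IP, login, logout (epoch s).
SESSIONS = [
    ("alice", "192.168.1.20", 1279760000.0, 1279763600.0),
    ("bob",   "192.168.1.20", 1279763700.0, 1279767300.0),  # same shared PC, later
    ("carol", "192.168.1.21", 1279760500.0, 1279764100.0),
]

# Constructed lines in Squid's native access.log format.
ACCESS_LOG = """\
1279760100.123    210 192.168.1.20 TCP_MISS/200 5120 GET http://example.org/news - DIRECT/192.0.2.10 text/html
1279760900.456     95 192.168.1.21 TCP_HIT/200 2048 GET http://example.com/img/logo.png - NONE/- image/png
1279763800.789    330 192.168.1.20 TCP_MISS/200 8192 GET http://example.net/mail - DIRECT/192.0.2.30 text/html
1279763650.000    120 192.168.1.20 TCP_MISS/200 1024 GET http://example.org/idle - DIRECT/192.0.2.10 text/html
malformed line
"""

def parse_line(line):
    """Return (timestamp, client_ip, method, url), or None if the line is malformed."""
    f = line.split()
    if len(f) < 10:  # native format has 10 whitespace-separated fields
        return None
    try:
        return float(f[0]), f[2], f[5], f[6]
    except ValueError:
        return None

def user_for(ip, ts, sessions):  # who was logged in on this IP at this time?
    for user, s_ip, start, end in sessions:
        if s_ip == ip and start <= ts <= end:
            return user
    return None

def attribute(log_text, sessions):
    """Group requests by portal user; keep requests that match no session separately."""
    history, unattributed = defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, method, url = rec
        user = user_for(ip, ts, sessions)
        if user is None:
            unattributed.append((ts, ip, url))  # traffic outside any login window
        else:
            history[user].append((ts, method, urlsplit(url).hostname or url))
    return dict(history), unattributed
```

Requests that land in `unattributed` (here, one made on the shared PC between alice's logout and bob's login) are worth reviewing, since they indicate traffic the portal did not tie to a logged-in user.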