From the department of “everything you need to know you learned in kindergarten,” it is good to share. It can even be good for business. But sharing your wireless Internet access out-of-the-box can leave your network vulnerable and without any controls over user activity.
Whether you want to share with family, neighbors, co-workers, or customers, a wireless hotspot can give you say over how and when your wireless access is used. You can also use the opportunity to promote products or services to guests of your wireless system or, in some setups, even bill them for their usage.
Any wireless router will typically “share” your Internet connection with nearby wireless users, but if you want to regulate sharing, you need a hotspot. One way to create a hotspot is by using the powerful, free, and open source DD-WRT firmware loaded onto a compatible router, such as the Linksys WRT54G.
Version alert
Although DD-WRT provides lots of advanced features for a consumer-grade router, it can be confusing to select a version. Officially, the latest stable release is V23 SP2, released in 2006. V24 development is well-along, and many beta and RC versions are already available.
Unfortunately, one quirk of DD-WRT development is that new does not always mean better, at least not during development cycles. When it comes to hotspots, experience suggests that V23 SP2 is the most usable version, because some hotspot features do not work reliably in newer V24 releases. Hopefully this will be fixed when a stable V24 release is made available in the future. This tutorial is written for a router running DD-WRT V23 SP2.
Hotspot horticulture
Many hotspots are known as “captive portals.” You’ve probably used a captive portal at your local coffee shop or while staying at a hotel. After associating with the wireless network, you try to connect to a Web site but are redirected to a wireless “landing” page hosted by the hotspot owner.
From here, several things can happen. The simplest kind of captive portal will simply display information about your hotspot owner, like “Welcome to the Coffee Cafe!”, perhaps with some advertising. There will be a button to connect, which authorizes you to freely browse the Web.
A more sophisticated captive portal may enforce some usage policies on the guest, such as connect time. A cafe, for example, might want to discourage visitors from buying a $1 coffee and then surfing the Web for three hours. One popular approach is to charge more than $1 for a coffee. Another is to limit guest access to, say, 60 minutes, which is done using a suitable captive portal server.
The most advanced captive portals can enforce a wider range of policies, such as connection speed and transfer limits, plus billing systems like those commonly found in chain hotels, restaurants, and airports.
DD-WRT V23 SP2 supports three kinds of hotspots:
1. NoCatSplash: A simple captive portal with a custom landing page.
2. ChilliSpot: An open source captive portal client/server, which can support guest usage policies and billing. (Pictured above.)
3. Sputnik: A commercial captive portal client/server similar to ChilliSpot, but backed by subscription fees and a slick, full-featured management interface.
To avoid confusion, note that you should enable only one of these hotspots in DD-WRT, leaving the others disabled.
The simple hotspot: NoCatSplash
When you enable and configure NoCatSplash, clients who connect to your wireless network will be redirected to a Web page you have hosted on an accessible Web server. That page must contain a form, which returns specified values back to the router to authorize the client to access the network. Of course, the page may also contain any other information, policies, or advertising you wish visitors to see.
The three starred steps below are the only items you must set, since the remaining defaults are good for most configurations. (Steps 4, 6, and 7)
1. Open a browser to your router’s DD-WRT administration page, default address http://192.168.1.1 unless you’ve configured a different LAN IP.
2. Click to Administration, Hotspot to open the Hotspot configuration page.
3. Be sure that you have disabled Sputnik, Chillispot, and HTTP Redirect, and scroll down to the section for NoCatSplash.
4. Click Enable.
5. Enter a Gateway Name for your hotspot, such as “Coffee Cafe.” In the HTML for your landing page, you can insert $GatewayName to display the value of this field.
6. Enter the Home Page URL that visitors should be redirect to after clicking through your landing page. If you find this does not work, see the example below where we include this value in the landing page itself.
7. Enter the domain names for Allowed Web Hosts that visitors can access without being redirected to your landing page. Separate domains with spaces.Important: This field must include the domain name for the server where your landing page is hosted!
8. Do not change Document Root. This field is used if you store your landing page within the router filesystem itself, rather than an external Web host. (Accessing the router filesystem is for advanced users only and is beyond the scope of this article.)
9. Enter the Splash URL where your landing page resides. Remember, this should be a publicly accessible Web server and its domain must be listed in Step 7.
10. You can restrict network activity using Exclude Ports. By default, NoCatSplash excludes port 25, the SMTP port, to prevent visitors from sending spam. You can list other ports—separated with spaces—such as 21 and 23 to block FTP and telnet, respectively.
11. You can use the Mac White List to allow individual wireless clients unrestricted network access without being redirected to your landing page. Separate multiple MAC addresses with spaces.
12. Set the Login Timeout to the duration, in seconds, a visitor should be authorized before they are forced back to your landing page. The default value of 86400 represents 24 hours. A value of 3600 would represent one hour.
13. The Verbosity menu selects how much information NoCatSplash should log to the router’s syslogd server. (Only useful if you use the syslogd server.)
14. Do not change Route Only, which is disabled by default. The enabled state is supposed to suppress NAT on the hotspot, which could make your network vulnerable.
15. Click Save at the bottom of the configuration page. You will also need to reboot the router (click Reboot, also at the bottom of the page) for the NoCatSplash to stick. But before you reboot, create your landing page as described below.
In Step 9, you entered the URL for your landing page. You need to make that landing page. The landing page can contain anything you want, but it must contain an HTML form like this:
<form name=”login” method=”post” action=”http://192.168.1.1:5280/”>
<div align=”center”>
<input type=”hidden” name=”accept_terms” value=”yes” /> <input type=”hidden” name=”redirect” value=”http://yoursite.com”>
<input type=”hidden” name=”mode_login”>
<input type=”submit” value=”enter”>
</div>
</form>
Notes:
1. The form tag’s action attribute should point to the IP address of your router, in case you have configured it to something other than the default.
2. The input field named redirect should be set to whatever page you want visitors to see after they click through your landing page. This will override Step 6 in the router configuration. It also seems to work more reliably when included here.
(Click here to read page 3 of 3.)
The open source hotspot: ChilliSpot
ChilliSpot is a hotspot that provides more user authentication and management options than simple NoCatSplash. However, it is also more complicated to setup.
ChilliSpot requires a client and a server. The client is what you configure through DD-WRT. On the server side, you need both a Web server and a RADIUS authentication server.
You can create a ChilliSpot hotspot for free by installing ChilliSpot, plus a free Web server, like Apache, and a free RADIUS server, like the aptly named FreeRADIUS. These software packages run on all major platforms including Linux, Windows, and OS X, but setting up such a server is well beyond the scope of this article.
The alternative to setting up your own free ChilliSpot backend is to use a third-party hosted ChilliSpot provider. One such provider is WorldSpot.net, which offers a feature-limited free ChilliSpot service, along with more feature-filled paid ChilliSpot hosting.
For this tutorial we will setup free ChilliSpot hosting through WorldSpot, but note that there are other competing providers and this is not an endorsement for any one.
1. Sign up for an account at http://worldspot.net/wk/Register.
2. Once your account is confirmed, you can log into WorldSpot. Under “Manage my Hotspot”, click on Hotspots, Display config info. You will see a page with all the fields you need to enter in DD-WRT.
3. Open a browser to your router’s DD-WRT administration page, default address http://192.168.1.1 unless you’ve configured a different LAN IP.
4. Click to Administration, Hotspot to open the Hotspot configuration page.
5. Click Enable for Chillispot.
6. Click Enable for “Separate Wifi from the LAN Bridge.” This will isolate your wireless clients from any wired clients.
7. Enter all the info exactly as provided on the WorldSpot config info page. You will need your ISP’s DNS address, which you may be able to find on the DD-WRT Status page.
8. Click Save at the bottom of the configuration page, and then Reboot the router.
When you reconnect to the Internet through your router, your browser will be redirected to the Worldspot site. Log in and, under “Manage my Hotspot,” click on Hotspots, Configure Hotspot.
On this page, you set up the basic policies and landing page for your hotspot. There are limitations on the policies you can select using a free account. Refer to WorldSpot’s help page for the details of their configuration choices.
At the bottom of the page, you must click the link to setup access profiles. Without an access profile, your visitors will not get an authorization button to click.
Your access profile lets you further define usage restrictions, such as session duration, and traffic quotas. At the very bottom of the access profile page, be sure to click “Select which hotspots this profile applies on” to activate the profile for your hotspot.
Now you can connect open a new browser to the web. Like your visitors, you will be directed to the WorldSpot-hosted landing page you’ve just configured. You can click through to authorize yourself for access.
As the hotspot owner, you can log in to your WorldSpot account and view visitor activity by clicking on Hotspots, Display session history.
To setup a billing system for your hotspot visitors using WorldSpot, you must upgrade to a fee-based account, in which you will be charged to use advanced ChilliSpot features. If billing is an important part of your hotspot business model, it may make sense to setup your own ChilliSpot server as described earlier.
The commercial hotspot: Sputnik
Much like ChilliSpot, Sputnik provides hotspot owners with a full slate of user management, authentication, billing, and logging features. Sputnik sells its services in a variety of bundles, including wireless hardware, subscription access to their web-based hotspot management, and software for installation on local servers.
DD-WRT users already have a Sputnik-capable wireless router. The company also offers a slimmed-down free hotspot management service called SputnikNet Express. Like WorldSpot’s free ChilliSpot hotspot, SputnikNet Express offers an easy way to create a customizable landing page with limited user management.
Enabling SputnikNet Express in DD-WRT is a simple point and click affair. Virtually everything is handled by the step-by-step walkthrough on the Sputnik server.
1. Open a browser to your router’s DD-WRT administration page, default address http://192.168.1.1 unless you’ve configured a different LAN IP.
2. Click to Administration, Hotspot to open the Hotspot configuration page.
3. Click Enable for Sputnik Agent.
4. Click Use SputnikNet Express for Sputnik Server ID. If you don’t see this option, save the settings from Step 3 and reboot the router.Alternatively, you can click Use Sputnik Instant Setup to setup a paid subscription account with Sputnik.
5. Click Save at the bottom of the configuration page, and then Reboot the router.
When you reboot and connect to a web site through your router, the browser will be redirected to Sputnik’s web-based setup wizard. From there you can configure your free or paid hotspot account.
For the future
Although DD-WRT V24 does not always work reliably with NoCatSplash and ChilliSpot, the developers have added support for Wifidog, another open source captive portal. Like ChilliSpot, it requires some software to be installed on an external server, but may be easier to setup than ChilliSpot.
Unless you want to experiment with Wifidog as an alternative hotspot to those discussed here, it would be prudent to stick with V23 SP2 until V24 is released as stable.
For more on DD-WRT, read “DD-WRT Tutorial 1: Static DHCP,” “DD-WRT Tutorial 2: Extend Range with WDS,” “DD-WRT Tutorial 3: Building a Wireless Bridge,” or search our archives for “DD-WRT” to discover dozens of other helpful articles.
Aaron Weiss is a frequent contributor to Wi-FiPlanet.com.
