Help with beginner QoS

You make a claim so you have to provide evidence for it otherwise it is just your opinion.

Here is my suggestion. Instead of a single preshared key, use enterprise WPA. Give each person a login, you can even print them up on cards and pass them out. Set up freeradius to handle the authentication and accounting.

Now when YOU log in other users get authorization for 24 hrs say. This means if you're not around people don't slurp up your data.

If you want to give people slow access at other times use dynamic vlans. So when you are logged in people get steered to say vlan 3 and when they're on their own steered to vlan 4. Now put QoS on vlan 3 for full download rate and on 4 so max download rate is small.

1 Like

Thanks for the suggestion! I'll look into it!

Okay, cool! That's not a bad idea actually! Also I don't necessarily need the speed to slow down a lot once they hit a specified data rate, I could maybe just have the entire vlan a little slower than the unlimited users, and have them kicked off in even just a few hours. This would likely make the entire coding a lot simpler rather than tracking each data packet.

Also I like the idea of having a bunch of cards, maybe I'll build some sort of device so they can "take a number" sort of thing but with wifi haha.

I'm not hard set on these rules by any means, and I'm all for making it more simple with different rules! Let me know if you guys have any other suggestions!

You could definitely do something like this, also you could have the whole guest vlan have a daily quota and then slow the whole vlan after the quota. Say 1GB /day at full speed and 500kbps after. With a large number of guests I think the take a number approach is best. It lets you change the password for just users who are problematic without causing everyone to need a new password. I'd also expire the passwords after say 6mo, just so you know what's up.

1 Like

Smart. So is this easily implemented in a specific router? Or will it still likely need to be hard coded as well?

You'll have to read up on freeradius and probably set up a small database, maybe sqlite. The only thing not out of the box will be the decision about who is special and who is not, maybe the quota stuff, which can be done with some iptables rules. SQM can do the shaping as long as you're shaping a whole vlan; you just run a cron job to check the quota and change the SQM speed... It's all pretty straightforward if a little bit specialized. Tracking quotas per user is much harder than a quota for the whole guest vlan.

1 Like
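The "cron job checks the quota and changes the SQM speed" idea from this reply, combined with the 1GB/day at full speed then 500kbps suggestion earlier in the thread, as an added example (not code from the thread or from the sqm-scripts project). It assumes a guest VLAN bridge named br-guest, an SQM section named guest in /etc/config/sqm, and a state file under /tmp; run it from cron every few minutes.

```shell
#!/bin/sh
# Daily guest-VLAN quota for OpenWrt (constructed example, run from cron):
# full SQM speed until the quota is spent, then a slow rate until midnight.
# Assumed names: br-guest is the guest VLAN bridge, "guest" is the SQM
# section in /etc/config/sqm, /tmp/guest_quota.state stores the day's baseline.
GUEST_IF=${GUEST_IF:-br-guest}
SQM_SECTION=${SQM_SECTION:-guest}
STATE=${STATE:-/tmp/guest_quota.state}
QUOTA_BYTES=$((1024 * 1024 * 1024))   # 1 GB per day, as suggested in the thread
FULL_KBIT=20000                       # normal SQM download ceiling (kbit/s)
SLOW_KBIT=500                         # 500 kbit/s once the quota is spent

# baseline NOW TODAY DAY BASE -> counter value the day's usage is measured from.
# A new day starts counting from NOW; a counter below the stored baseline means
# the router rebooted and the counter restarted, so count from zero instead.
baseline() {
    if [ "$3" != "$2" ]; then echo "$1"
    elif [ "$1" -lt "$4" ]; then echo 0
    else echo "$4"; fi
}

# decide_rate USED_BYTES -> the SQM download rate (kbit/s) to apply.
decide_rate() {
    if [ "$1" -ge "$QUOTA_BYTES" ]; then echo "$SLOW_KBIT"; else echo "$FULL_KBIT"; fi
}

# apply_rate KBIT: reconfigure SQM only when the rate really changes, so the
# shaper is not restarted on every cron run.
apply_rate() {
    cur=$(uci -q get "sqm.$SQM_SECTION.download" || echo none)
    [ "$cur" = "$1" ] && return 0
    uci set "sqm.$SQM_SECTION.download=$1"
    uci commit sqm
    /etc/init.d/sqm restart
}

main() {
    # tx_bytes on the guest bridge = bytes delivered to guest clients (downloads)
    now=$(cat "/sys/class/net/$GUEST_IF/statistics/tx_bytes")
    today=$(date +%Y%m%d)
    read -r day base < "$STATE" 2>/dev/null || { day=""; base=0; }
    base=$(baseline "$now" "$today" "$day" "${base:-0}")
    echo "$today $base" > "$STATE"
    apply_rate "$(decide_rate $(( now - base )))"
}

# Only act on a real OpenWrt box (uci present); elsewhere just define the functions.
if command -v uci >/dev/null 2>&1; then main; fi
```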

Okay thanks! Good to know! I wonder if I could maybe even create a new vlan for each user lol. Haha I'll read up on it!

Start out with the wpa Enterprise stuff, get a user database set up and the dynamic vlans, one for unlimited and one for guests. Log every authentication in the database with the time. Then you can probably move from there to a few scripts that make decisions based on the data logged in the database.

1 Like

Will do! Thanks!

Useful hints. Radius has many EAP types (protocols for authentication). Most of them are insecure or broken. What you really want is EAP-PWD https://dustri.org/b/eap-pwd-wifi-security-done-right.html

I know it works on Android, and Linux with network manager but beyond that I don't think windows, Mac, or iPhones support it. I'd enable it as an option though and encourage Android users to use it. Maybe in next few years iOS and Windows will support it.

What fallback works best? It seems like peap with mschapv2 works for iPhones and Windows. Less good security but workable.

Your little guest Network is not very likely to be subject to active attack like this, and you're handing out random passwords that only get you access to your wifi anyway. Generate usernames like wifiuser0035 and random passwords to print on your cards. Command line util pwgen is helpful here. Worst case someone goes to a lot of trouble to get something you're handing out free :wink:

1 Like

Hi there,

While I cannot offer a solution for your request, I can sketch out a simple proposal for a stop-gap measure...

I would use two wifi routers in series, both running SQM in per-internal-IP-fairness mode.
The first router is for trusted users, while the second is for guests.
SQM on the first router should be configured to keep WAN bufferbloat under control (which might be tricky for a 4G link, but I still think it is worth trying) and to treat all internal IP addresses fairly (so no IP can monopolize the link if there are other users).
Now the second router should be set up as a router performing a second layer of NAT; that way all guest computers will be treated as a single IP address by the primary router. In addition I would set up SQM on the second router to put a ceiling on the aggregated bandwidth consumed by all guest devices.
The last thing to do would be to isolate the port that connects the primary with the secondary router so that guests cannot reach internal devices on the primary's internal network.
Again, this does not solve your problem properly, but it might buy you enough time to fully research the proper solution while already serving your guests...

Have a look at this script, posted by this thread's OP.
This script will do bandwidth speed limiting per MAC address for you; you can set it according to your needs.

This is awesome, thanks! I'll try modifying this when I get a chance to work a little closer to my needs!

1 Like

Another idea:

  1. You can use iptables conntrack; this will track the whole connection based on src IP or dst IP. It will automatically match dst if you use src IP and will automatically match src based on dst IP.
  2. You can use iptables connmark; this lets you mark a connection, so you can later drop it or slow it down!
  3. connbytes: you can use it to do something with a connection when it has reached a certain size, e.g. 100MB of data downloaded or uploaded.

You can gather all the ideas into one, then tell us what will suit you!

The big problem with MAC based solutions here is that you probably have to add each MAC manually as people try to connect, also quotas will be per-connection not per MAC, and some mobile OSes alter the MAC for privacy reasons. I do think ultimately the WPA enterprise technique will be useful.

I have another idea:
1. You can use this modified wrtbwmon from here; you have to compile it first. Also the old version is not working.
2. wrtbwmon will create a text-based db; this db will not be lost if you reboot your router. You can use some bash commands to read the bytes used by each MAC address.
3. Use a function like this:

# $S1MAC, $S1Name, $SlowMark, $Group1Name and $SlowInternet are set earlier in the script;
# $used_bytes is read from the wrtbwmon db for $S1MAC.
if [ "$used_bytes" -ge 100000 ]; then  # user 1 has consumed his data quota: mark his MAC with $SlowMark
  # Mark the whole connection: the nat table only sees the first packet of a flow, so use CONNMARK in mangle
  iptables -t mangle -A PREROUTING -m mac --mac-source "$S1MAC" -m comment --comment "$S1Name" -j CONNMARK --set-mark "$SlowMark"
  # Drop packets of marked connections that exceed the slow rate
  iptables -A forwarding_rule -m connmark --mark "$SlowMark" -m conntrack --ctstate ESTABLISHED,RELATED -m hashlimit --hashlimit-name "$Group1Name" --hashlimit-above "$SlowInternet" -j DROP
else
  : # you decide here
fi

4. Save it to a script and do this for all of your limited users.
5. You can use crontab to change the limit based on the time of day.
Another idea is to create a guest wifi, then use nft-qos to limit all guest wifi to a specified speed limit, along with crontab to reset limits etc.

1 Like

Awesome, any way that new version of wrtbwmon you linked can be brought up to the packages included in OpenWrt?

Wrtbwmon is still not included in the package repo, I don't know why.
But maybe someone will compile it and share it on GitHub!
