Help with beginner QoS

Useful hints. RADIUS has many EAP types (protocols for authentication). Most of them are insecure or broken. What you really want is EAP-PWD https://dustri.org/b/eap-pwd-wifi-security-done-right.html

I know it works on Android, and Linux with network manager but beyond that I don't think windows, Mac, or iPhones support it. I'd enable it as an option though and encourage Android users to use it. Maybe in next few years iOS and Windows will support it.

What fallback works best? It seems like PEAP with MSCHAPv2 works for iPhones and Windows. Less good security, but workable.

Your little guest Network is not very likely to be subject to active attack like this, and you're handing out random passwords that only get you access to your wifi anyway. Generate usernames like wifiuser0035 and random passwords to print on your cards. Command line util pwgen is helpful here. Worst case someone goes to a lot of trouble to get something you're handing out free :wink:


Hi there,

While I cannot offer a solution for your request, I can sketch out a simple proposal for a stop-gap measure...

I would use two wifi-routers in series, both running sqm in per-internal-IP-fairness mode.
The first router is for trusted users, while the second is for guests.
SQM on the first router should be configured to keep WAN bufferbloat under control (which might be tricky for a 4G link, but I still think it is worth trying) and to treat all internal IP addresses fairly (so no IP can monopolize the link if there are other users).
Now the second router should be set up as a router performing a second layer of NAT; that way all guest computers will be treated as a single IP address by the primary router. In addition I would set up SQM on the second router to put in a ceiling for the aggregated bandwidth consumed by all guest devices.
The last thing to do would be to isolate the port that connects the primary with the secondary router so that guests cannot reach internal devices on the primary's internal network.
Again, this does not solve your problem properly, but it might buy you enough time to fully research the proper solution while already serving your guests...
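The SQM side of the two-router layout above, as an added example (not from this thread or the sqm-scripts project): it emits the UCI settings for each router, using cake with "nat dual-dsthost" on ingress and "nat dual-srchost" on egress so the link is shared fairly between the internal (post-NAT) hosts. UCI defaults to "echo uci" so the commands are only printed; the interface name eth0.2 and the kbit/s ceilings are assumptions, not measured values.

```shell
#!/bin/sh
# Added example, not from the thread or the sqm-scripts project: UCI settings
# for the two-router SQM layout. Set UCI=uci on each router to apply; the
# default "echo uci" only prints the commands. Interface names and the kbit/s
# numbers are assumptions; measure the 4G link and set the ceilings to
# roughly 85-90% of what you get.
UCI="${UCI:-echo uci}"

# sqm_queue NAME IFACE DOWN_KBIT UP_KBIT
# cake with "nat dual-dsthost" (download) and "nat dual-srchost" (upload)
# gives per-internal-IP fairness behind the router's NAT.
sqm_queue() {
    $UCI set sqm."$1"=queue
    $UCI set sqm."$1".enabled='1'
    $UCI set sqm."$1".interface="$2"
    $UCI set sqm."$1".download="$3"
    $UCI set sqm."$1".upload="$4"
    $UCI set sqm."$1".qdisc='cake'
    $UCI set sqm."$1".script='piece_of_cake.qos'
    $UCI set sqm."$1".qdisc_advanced='1'
    $UCI set sqm."$1".iqdisc_opts='nat dual-dsthost ingress'
    $UCI set sqm."$1".eqdisc_opts='nat dual-srchost'
    $UCI commit sqm
}

# Primary router: shape the 4G WAN (assumed device eth0.2) to the measured
# link rate so bufferbloat stays under control.
primary_router() { sqm_queue wan eth0.2 18000 4000; }

# Guest router: its WAN faces the primary's LAN (assumed eth0.2 as well). The
# lower ceiling caps what all guests can use in aggregate, while the primary
# still sees them as one IP competing fairly with the trusted hosts.
guest_router() { sqm_queue wan eth0.2 6000 1500; }

primary_router
guest_router
```

Run it once on each router with UCI=uci and the matching function; the port isolation between the two routers is a firewall-zone setting and is not covered here.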

Have a look at this script, posted by this thread's OP.
This script will do bandwidth speed limiting per MAC address for you; you can set it according to your needs.

This is awesome, thanks! I'll try modifying this when I get a chance to work a little closer to my needs!


Another idea:

1. You can use iptables conntrack; this will track the whole connection based on src IP or dst IP. It will auto-match dst if you use src IP, and will auto-match src based on dst IP.
2. You can use iptables connmark; this lets you mark a connection, so you can later drop it or slow it down!
3. connbytes: you can use it to do something with a connection when it has reached a certain size, e.g. 100MB of downloaded or uploaded data.

You can gather all the ideas into one, then tell us what will suit you!
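The three matches from the post combined into one rule set, as an added example (not code from this thread): a guest connection that has carried more than a byte quota gets a connection mark via CONNMARK, and marked packets are then rate-limited with hashlimit. IPT defaults to "echo iptables" so the rules are printed rather than applied; the guest interface name, mark value, quota and rate are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: conntrack + connbytes + CONNMARK so that
# any guest connection that has moved QUOTA_BYTES or more gets marked and then
# throttled. IPT defaults to "echo iptables", so the rules are only printed
# until you set IPT=iptables on the router. Interface, mark, quota and rate
# values are assumptions for illustration.
IPT="${IPT:-echo iptables}"
GUEST_IF="${GUEST_IF:-wlan0-1}"           # assumed guest SSID interface
QUOTA_BYTES="${QUOTA_BYTES:-104857600}"   # 100 MB, counted in both directions
SLOW_MARK="${SLOW_MARK:-0x10}"
SLOW_RATE="${SLOW_RATE:-64kb/s}"          # hashlimit byte-rate syntax

guest_quota_rules() {
    # 1. conntrack + connbytes: once a connection entering from the guest
    #    interface has carried QUOTA_BYTES or more in total, set a connection
    #    mark. The mark is stored in the conntrack entry, so it persists for
    #    the rest of that connection's packets in both directions.
    $IPT -t mangle -A FORWARD -i "$GUEST_IF" \
        -m connbytes --connbytes "$QUOTA_BYTES": --connbytes-dir both --connbytes-mode bytes \
        -j CONNMARK --set-mark "$SLOW_MARK"
    # 2. Copy the connection mark onto each packet so plain -m mark can see it.
    $IPT -t mangle -A FORWARD -j CONNMARK --restore-mark
    # 3. Drop marked packets above SLOW_RATE; below that rate they pass, so a
    #    heavy connection is slowed rather than cut off. Without
    #    --hashlimit-mode this is one shared bucket for all marked traffic.
    $IPT -A FORWARD -m mark --mark "$SLOW_MARK" \
        -m hashlimit --hashlimit-name guest_slow --hashlimit-above "$SLOW_RATE" \
        -j DROP
}

guest_quota_rules
```

Because connbytes counts per connection, a guest who opens many short connections never hits the quota; this is the per-connection limitation mentioned further down the thread, and the per-MAC accounting approach covers that case instead.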

The big problem with MAC-based solutions here is that you probably have to add each MAC manually as people try to connect; also, quotas will be per-connection, not per MAC, and some mobile OSes alter the MAC for privacy reasons. I do think ultimately the WPA enterprise technique will be useful.

I have another idea:
1. You can use this modified wrtbwmon from here; you have to compile it first. Also, the old version is not working.
2. wrtbwmon will create a text-based db. This db will not be lost if you reboot your router, and you can use some bash commands to read the used bytes and MAC address for each MAC.
3. Use a function like if:

# MAC1_D: bytes used by mac1, read from the wrtbwmon db in step 2.
if [ "$MAC1_D" -ge 100000 ]; then  # user 1 that consumed 10MB of data, mark his mac with a $SlowMark.
  iptables -t nat -A prerouting_rule -m mac --mac-source "$S1MAC" -j MARK --set-mark "$SlowMark" -m comment --comment "$S1Name"
  iptables -A forwarding_rule -m mark --mark "$SlowMark" -m conntrack --ctstate ESTABLISHED,RELATED -m hashlimit --hashlimit-name "$Group1Name" --hashlimit-above "$SlowInternet" -j DROP
else
  : # you decide here
fi

4. Save it to a script and do this for all of your limited users.
5. You can use crontab to change the limit based on the time of day.
Another idea is to create a guest wifi, then use nft-qos to limit all guest wifi to a specified speed limit, along with
crontab to reset limits etc.
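Steps 2 to 4 above as one script, added here as an example (not code from this thread or the wrtbwmon project): it reads a wrtbwmon-style usage db, finds the MACs whose total is at or above a quota, and builds the mark and rate rules for them. The db column layout (mac,ip,iface,in,out,total,first_date,last_date) is an assumption, so check the header of your own usage.db; the sample rows are constructed, and IPT defaults to "echo iptables" so nothing is applied until you set IPT=iptables. One deliberate difference from the post: the MARK rule goes in the mangle table rather than nat, because the nat table is only consulted for a connection's first packet.

```shell
#!/bin/sh
# Added example, not from the thread or the wrtbwmon project: read a
# wrtbwmon-style usage db, pick the MACs over a byte quota and build the
# throttle rules for them. Assumed db layout (check your own usage.db header):
#   mac,ip,iface,in,out,total,first_date,last_date
# IPT defaults to "echo iptables", so rules are printed, not applied, until
# you set IPT=iptables on the router.
IPT="${IPT:-echo iptables}"
SLOW_MARK="${SLOW_MARK:-0x10}"
SLOW_RATE="${SLOW_RATE:-64kb/s}"   # hashlimit byte-rate syntax

# Constructed sample db so the script runs stand-alone (not real counters).
DB="${DB:-$(mktemp)}"
cat > "$DB" <<'EOF'
#mac,ip,iface,in,out,total,first_date,last_date
AA:BB:CC:DD:EE:01,192.168.2.10,br-guest,8000000,2000000,10000000,01-06-2020_10:00:00,01-06-2020_12:00:00
aa:bb:cc:dd:ee:02,192.168.2.11,br-guest,150000000,5000000,155000000,01-06-2020_09:30:00,01-06-2020_12:05:00
aa:bb:cc:dd:ee:03,192.168.2.12,br-guest,400000,100000,500000,01-06-2020_11:50:00,01-06-2020_12:01:00
EOF

# over_quota DBFILE QUOTA_BYTES: prints one lowercase MAC per line whose
# total column is >= QUOTA_BYTES; header, comment and malformed rows are skipped.
over_quota() {
    awk -F, -v q="$2" '
        /^#/ || NF < 6 || $6 !~ /^[0-9]+$/ { next }
        $6 + 0 >= q + 0 { print tolower($1) }
    ' "$1" | sort
}

# throttle_macs DBFILE QUOTA_BYTES: one MARK rule per over-quota MAC, then a
# single rate rule for everything carrying the mark (a shared group cap).
throttle_macs() {
    n=0
    for mac in $(over_quota "$1" "$2"); do
        # mangle PREROUTING instead of the post's nat prerouting_rule: the nat
        # table only sees a connection's first packet, mangle sees them all.
        $IPT -t mangle -A PREROUTING -m mac --mac-source "$mac" \
            -j MARK --set-mark "$SLOW_MARK" -m comment --comment "quota:$mac"
        n=$((n + 1))
    done
    if [ "$n" -gt 0 ]; then
        $IPT -A FORWARD -m mark --mark "$SLOW_MARK" \
            -m hashlimit --hashlimit-name guest_slow --hashlimit-above "$SLOW_RATE" -j DROP
    fi
}

throttle_macs "$DB" 100000000   # 100 MB quota
```

Run it from cron with the real db path in DB and IPT=iptables; flush the mangle PREROUTING rules it added before re-running, or the MARK rules accumulate across runs.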


Awesome, any way that new version of wrtbwmon you linked can be brought into the packages included in OpenWrt?

wrtbwmon is still not included in the package repo; I don't know why.
But maybe someone will compile it and share it on GitHub!
