Good day. I am working on a boat that does not have an internet connection, so I took it upon myself to somewhat connect my mates and me to the internet with the extremely limited knowledge I have regarding this topic. I have only been following guides and I am not an IT person, but now I am lost and would just like to have a somewhat working network management tool so that each of us can enjoy the connection responsibly. Our boat has a data cap, and I just made a somewhat usable network in which I put three routers (Archer C7 v5) as access points (an option in the router itself) to the main router (Archer C7 v5 flashed with OpenWrt), so I would like to ask: is it possible, and if so, how can I do the below:
a. Log the total usage per device connected anywhere on the network, whichever router it is connected to, on a daily, weekly and monthly basis;
b. Rename each device a person uses with his name so we know it is him that uses that device;
c. Whitelist devices so we can ensure that only one person's device can connect to the network;
d. Stop the device's internet connection once it reaches a specific number of GB consumed.
I'm sure this is a tall ask, but at the moment I'm running out of ideas and am open to any suggestion that can help me regarding this topic. Thank you for your time in reading this. Sorry if this all comes out wonky with the formatting and everything.
If it is a small pre-determined group of users, traditional Enterprise authentication could be used. In this system the APs don't really store or compute anything; they forward the user's credentials to a central system. Each user has a unique username and password. The central system can also limit how many (if any) devices the username and password can be simultaneously used on. The APs also report the bytes used by each connected device to the central system, which keeps a running total that can be used to prepare individual bills or to block an account that is over-using.
The protocol for the link between the APs and the central system is called RADIUS; that is something to search for. Technically an Archer C7 has enough computing power to run a RADIUS server, but it is almost always done on larger hardware. I don't know if there are any free systems that are easy to set up. There are lots of (paid) cloud-based services which would take RADIUS over the Internet, so you don't need your own server on site. An issue there is that if you are using satellite Internet, which is expensive per byte, the RADIUS traffic would add to it.
Captive portals are another layer on top of this concept. Instead of issuing users pre-determined accounts out of band, the captive portal lets a new user access a single website where they set up their account and make payment themselves. This is typical in hotels etc., where members of the public will be joining the system.
Traditionally that was the case, but modern captive portals provide a Network Demarcation Service (hence the name openNDS) and do everything legacy RADIUS did, plus much more.
On the small non-commercial scale, like sharing an Internet feed with neighbours, no external "server" is required and a 16/128 low-end router is perfectly adequate.
Is that the 50GB Roam/$50/month?
Make sure you have your employer's permission! There are some well-known instances where this was not obtained...
There is a comprehensive technical reference, openNDS Documentation, but in the first instance it would be better to either open a new topic here, or open a Github Issue where you will be able to discuss it all in more detail.
We opted for the Global Priority of 500 GB.
I would take a look and read on how to apply the tool to the existing network.
We have to take matters into our own hands, as we have contacted our employer multiple times about having a connection on board, but they have yet to provide any concrete solution for months now.
Yes, particularly when @modernbaseball has 500GB per month to play with.
openNDS implements bursty rate limiting, where for a short interval you can download at full speed before everything afterwards goes into a bucket filter for rate limiting. This means browsing and email are lightning fast, but a 4K video will get throttled right back.
In addition, you can enable a fair usage policy where, if the volume exceeds a set amount, the user gets throttled for everything for a period of time.
I have tried installing it on my router via the SSH terminal; now I cannot access the internet, and I cannot access the SSH terminal either: logging in with the password says permission is denied.
With a fixed set of users who are not adversarial, I'd be tempted to do this much more simply. Just give out a WPA2/3 pre-shared key to everyone, then record each person's device MAC addresses. They can have multiple devices. Allow-list those devices into MAC sets for each person, and account for the traffic in nftables with a daily quota. Don't allow any other devices to route data to or from the internet. Each night at midnight, reload the firewall to reset the quotas.
(If you're talking about Android devices, you can configure them to "use device MAC" in the Wi-Fi settings so that randomized MACs won't be used; a randomized MAC would result in zero internet connection because you're allow-listing only the device MACs.)
I think you would do this in postrouting for the internet -> LAN direction, and that's probably enough. Upload data can probably be ignored if the concern is streaming movies and such.
You could also, post-quota, allow through a very small dribble of packets, say 0.5 Mbps, which would enable people to always be able to use Signal messenger and send small emails, etc.
Note that you can do this with NO extra packages from a default OpenWrt install by just creating a custom table in nftables. If you want to go this direction, I'm sure people can help you write the custom table.
Another benefit of this route is that it only deals with internet traffic. If people want to play games with each other on the boat, all local traffic is unrestricted. (Or if people want to stream movies off disk storage to each other.)
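One way to build the per-person MAC allow-list, byte accounting and daily quota that the post above sketches, as an added example that is not from the thread and not openNDS or OpenWrt project code: a POSIX sh script (it runs under BusyBox ash on the router) that renders a self-contained nftables table from a constructed crew roster. Instead of matching destination MACs in postrouting, it tags each new LAN-to-internet connection with a conntrack mark keyed to the owner's MAC set and then counts and quotas both directions of the connection by that mark, which also makes the allow-list enforcement a single rule. The interface names br-lan and wan (OpenWrt defaults), the table name crewquota, the roster format, the sample MACs and the 64 kbytes/second post-quota trickle (about 0.5 Mbit/s) are all assumptions made here.

```shell
#!/bin/sh
# Added example: generate an nftables table for per-person internet quotas on OpenWrt.
# Assumptions (not from the thread): LAN bridge "br-lan", WAN device "wan",
# table name "crewquota", roster format "<name> <daily_quota_gbytes> <mac> [<mac> ...]".

LAN_IF="br-lan"
WAN_IF="wan"
TRICKLE="64 kbytes/second"   # what a person still gets after exceeding the quota

# Constructed sample roster; real MACs come from each person's devices.
ROSTER='alice 5 aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02
bob 3 aa:bb:cc:dd:ee:03'

# join_macs "a b c" -> "a, b, c" (nft set element syntax)
join_macs() {
    printf '%s' "$1" | sed 's/  */, /g'
}

# gen_ruleset <roster>: write the complete nft table to stdout
gen_ruleset() {
    roster="$1"
    printf 'table inet crewquota {\n'
    # One MAC set, one byte counter and one named quota per person.
    id=0
    while read -r name gb macs; do
        [ -n "$name" ] || continue
        id=$((id + 1))
        printf '  set %s_macs { type ether_addr; elements = { %s } }\n' "$name" "$(join_macs "$macs")"
        printf '  counter %s_bytes { }\n' "$name"
        printf '  quota %s_quota { over %s gbytes }\n' "$name" "$gb"
    done <<EOF
$roster
EOF
    printf '  chain forward {\n'
    # Priority 10 runs after fw4's filter chain (priority 0), so only traffic
    # that fw4 actually forwards is counted here.
    printf '    type filter hook forward priority 10; policy accept;\n'
    # Tag the first packet of every new LAN->WAN connection with its owner's id.
    id=0
    while read -r name gb macs; do
        [ -n "$name" ] || continue
        id=$((id + 1))
        printf '    iifname "%s" oifname "%s" ct state new ether saddr @%s_macs ct mark set %d\n' \
            "$LAN_IF" "$WAN_IF" "$name" "$id"
    done <<EOF
$roster
EOF
    # Any internet-bound connection without an owner mark belongs to an unlisted device: drop it.
    printf '    iifname "%s" oifname "%s" ct mark 0 drop\n' "$LAN_IF" "$WAN_IF"
    # Count both directions by connection mark; once the named quota is exceeded,
    # drop everything above the trickle rate so messaging and small mail still work.
    id=0
    while read -r name gb macs; do
        [ -n "$name" ] || continue
        id=$((id + 1))
        printf '    ct mark %d counter name "%s_bytes" quota name "%s_quota" limit rate over %s drop\n' \
            "$id" "$name" "$name" "$TRICKLE"
    done <<EOF
$roster
EOF
    printf '  }\n}\n'
}

# daily_rollover: append the day's per-person byte counts to a log, then zero the quotas.
# Meant for a midnight cron job; requires nft on the box.
daily_rollover() {
    log="${1:-/root/crewquota.log}"
    { date -u +%FT%TZ; nft -j list counters table inet crewquota; } >> "$log" || return 1
    nft reset quotas table inet crewquota
}

case "${1:-print}" in
    print) gen_ruleset "$ROSTER" ;;              # review the ruleset
    apply) gen_ruleset "$ROSTER" | nft -f - ;;   # load it live (replaces the table)
    rollover) daily_rollover "$2" ;;
esac
```

Caveats worth knowing before relying on it: connections that existed before the table was loaded carry mark 0 and will be dropped until the device reconnects; anything else on the router that uses conntrack marks (mwan3, for example) will collide with this scheme; and software or hardware flow offloading in fw4 lets offloaded packets bypass the forward hook entirely, so turn it off on the Archer C7 or the counters will undercount. Weekly and monthly totals come from summing the logged daily snapshots rather than from nftables itself.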
The best way is to run: ndsctl status and show it here too!
As you are probably running an old version and have Starlink, you will have a problem with IPv6 that results in the captive portal not popping up.
There is a quick workaround (and it is fixed in the next version; not backported from snapshot yet, but it soon will be).
root@OpenWrt:~# service opennds start
root@OpenWrt:~# /etc/init.d/opennds status
running
root@OpenWrt:~# ndsctl status
ndsctl: opennds probably not yet started (Error: No such file or directory)
It is failing to start for some reason, but procd keeps respawning it, so the status says it is running.
This is usually caused by a simple config error somewhere...
That is the main benefit of doing it this way, at least for devices with severe resource problems.
Otherwise you are roughly describing how openNDS works.