Wireless Service Providers forum: Monowall WISP client's data gets past my captive portal?
uscomputing

join:2005-01-26
Buffalo, NY

reply to Airplane777
Re: Monowall WISP client's data gets past my captive portal ?

Unfortunately they are all about their bottom line. They would rather lose one customer than spend lots of labor hours trying to resolve your issue. Most people don't even know what the latency on their line is, and that's the kind of low-maintenance customer they are looking for. The nice thing about being a WISP is that your customers do notice when you go the extra mile to solve a problem they are having, and they won't hesitate to tell everyone they know about the good service they are getting from you.

Airplane777

join:2004-06-20


4 edits
reply to John Galt
Hi John:

I wanted to let neighbors on, just to see how well my system worked. Especially since I'm homing in on getting my Monowall set up properly. At least I think I'm getting it pretty much set up...lol.

But I didn't like it when I saw the one or two neighbors that seemed to be using up tons of data recently. But now that has stopped...seems to be as of yesterday early.

When my new ISP finally gets my new DSL installed, that's when I'll hand out my door hangers. Then I'll turn off the Captive Portal and DHCP. Then I'll only let people on that pay and give them private static IP addresses.

It's been about 2 months since I started trying to get this new ISP to install my DSL. This co. has its own DSLAM. I had intermittency problems with the Covad DSLAM...I still do. Basically Covad gave up on trying to fix the intermittency problem. So I'm switching to another ISP.

EDIT: I should mention that SE was my ISP and Covad the CLEC. SE wanted to keep trying to fix it, but Covad told SE they would stop trying. They never would agree to a meeting with Verizon at my location to look at the problem together. They may have come to my place one time to check it out.

I don't think much of a company that just gives up like that. When I was in cellular, and we had a problem, we kept trying til we fixed it...no matter if it was a cell site problem or a microwave problem, etc...we kept at it til we fixed it. That doesn't seem to be the mentality of Covad. I realize Covad might do a good job for many customers...but it seems when there is an elusive intermittent problem...they give up way too quick.

lutful
Premium
join:2005-06-16
Ottawa, ON
·TekSavvy Solutions..

reply to John Galt
This is my suggestion for a very secure HotSpot solution:

1. One SSID runs the captive portal, but firewall rules provide access to only an https site where a valid IEEE 802.1X certificate can be downloaded.

2. Users install the certificate and use a second SSID with firewall rules that allow access to the internet.


John Galt
Forward, March
Premium
join:2004-09-30
Happy Camp
·CenturyLink

reply to Airplane777
said by Airplane777:

I came home today and noticed someone else authenticated past the captive portal page.
Since the authentication has been raised, what method can be used here to restrict access by users (using any protocol)...in any regard?

In other words...no pay, no play?
--
A is A

Airplane777

join:2004-06-20

reply to uscomputing
Hi uscomputing:

I'm not sure about that. Could be a teenager trying something...lol.

I came home today and noticed someone else authenticated past the captive portal page. They didn't seem to be using all that much data though. Not like several days earlier. They didn't stay on real long.

uscomputing

join:2005-01-26
Buffalo, NY
reply to Airplane777
Are you sure your neighbor who is using the connection isn't a teenage jr. hacker who is trying to run a port sniffer on his newly found free internet connection so he can tell his friends how much of a hax0r he is?

Airplane777

join:2004-06-20


3 edits
reply to Airplane777
Something very interesting...

Starting sometime early yesterday, my neighbors' computers no longer try to get on my system...even when I take off the captive portal.

I did notice that two of these neighbors authenticated into my captive portal about 2 days ago. The captive portal page is set up so that after they click on the continue button, they will have a URL redirection to the Kim Komando security web page. On my captive portal I told them specifically to get AdAware, SpyBot, ZoneAlarm, and AVG Antivirus off of Kim Komando's web site.

Since my neighbors' computers haven't been trying to get into my WISP interface for about the last day, I can only assume that they might have downloaded this software and used it.

Maybe they had some nasty application on their computer that automatically turned on their WiFi card and tried to associate with any AP it found...unknown to the owner. For many days it was associating to my AP. And after associating, if I didn't have captive portal turned on, it would pass data to the Internet.

Airplane777

join:2004-06-20


2 edits
reply to sporkme
Hi sporkme:

Thanks for your thoughts here.

Opening up just the ports you mentioned seems reasonable since it is gratis. If I have an actual WISP customer, I will know which IP address goes to which customer, since I'll give them private static IP addresses.

For my DHCP IP range, I can have just those ports opened that you mentioned. But for any paying customers, I can allow more leeway. I'll probably turn off DHCP when I start putting paying customers on my AP. I'll probably try to allow p2p for my paying customers, but I will put a very low weight on it and have it in my "catch all" queue.

If I can find out the neighbor who seems to have the infected computer, I'll let him know. I know his MAC address. Too bad my Netstumbler doesn't pick up wireless laptops, like it picks up APs. I could use a directional antenna to find this neighbor. I understand there are applications that will let me pick up the signal from the laptop. I need to find out more about those.

Right now I don't know which neighbor was on, since it was opened up to all in the neighborhood. I think it probably was a nearby neighbor, due to the high signal strength that I saw.

I'll ask my WISP customers to use Spybot, and AdAware, Zone Alarm, etc. to keep their computers clean. So that might be a good solution.


sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online

reply to Airplane777
I'm just going to jump in real quick and say this:

If I were running a captive portal, I would likely have rules on the interface that the AP is attached to that would block everything but the most common ports (21, 25, 53, 80, 110, 143, 443, 993, 995). If you are giving gratis access, why even bother with anything beyond the "basics"? Ideally, 25 would redirect to an smtp proxy with some basic rate limiting as well.

I'd guess that your friend is likely infected with some type of nasty that is either trying to infect other machines or to "phone home".

lutful
Premium
join:2005-06-16
Ottawa, ON
reply to Airplane777
Rather than P2P, I suspect adware/trojan trying to send some info back to home server. Ask them to check/clean their PC using Spybot search and destroy. The log will show what was there.

Airplane777

join:2004-06-20


1 edit
reply to lutful
Hi Lutful:

Wow. I get so much info coming at me I can forget some of what I have read in the past.

So then this incrementing of port numbers in my case probably is normal, as my computer tries to connect to a web site.

But...in the case of my neighbors' computers that were trying to connect to Asia web sites, their computers also tried to increment port numbers at times. But maybe they could have been p2p or spyware, etc?

lutful
Premium
join:2005-06-16
Ottawa, ON
reply to Airplane777
This is how TCP/IP works. I recall cmaenginsb provided good explanations in your early posts.
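The confusion in this thread is that a client "increments port numbers" when it browses. That is ordinary TCP behaviour, as lutful says: every new connection takes a fresh ephemeral source port, while the destination port stays 80. What would be worth noticing in a firewall state table is the opposite pattern, one source walking through many distinct destination ports on one target. The script below is an added example, not code from the thread or from m0n0wall; it parses a constructed, simplified state-table text (the line format, the private addresses and the 10.0.0.5 target are all made up for the example, though the two web-server addresses are the ones Airplane777 quoted) and tells the two patterns apart. It also applies sporkme's suggested port allowlist from earlier in the thread to the same flows, to show which of them such interface rules would drop.

```python
import re
from collections import defaultdict

# Constructed sample state-table lines (not the thread's screenshot).
# Format assumed for the example: "proto src_ip:src_port -> dst_ip:dst_port".
# Host .50 browses two web sites, so its source port steps up while the
# destination port stays 80. Host .77 is constructed as the contrast case:
# one target, many distinct destination ports.
SAMPLE_FLOWS = """
tcp 192.168.1.50:49152 -> 66.210.246.140:80
tcp 192.168.1.50:49153 -> 66.210.246.140:80
tcp 192.168.1.50:49154 -> 66.210.246.140:80
tcp 192.168.1.50:49155 -> 69.95.90.67:80
tcp 192.168.1.50:49156 -> 69.95.90.67:80
tcp 192.168.1.77:3001 -> 10.0.0.5:21
tcp 192.168.1.77:3002 -> 10.0.0.5:22
tcp 192.168.1.77:3003 -> 10.0.0.5:23
tcp 192.168.1.77:3004 -> 10.0.0.5:25
tcp 192.168.1.77:3005 -> 10.0.0.5:80
tcp 192.168.1.77:3006 -> 10.0.0.5:110
tcp 192.168.1.77:3007 -> 10.0.0.5:135
tcp 192.168.1.77:3008 -> 10.0.0.5:139
tcp 192.168.1.77:3009 -> 10.0.0.5:443
tcp 192.168.1.77:3010 -> 10.0.0.5:445
"""

# sporkme's suggested "basics" for a gratis captive-portal interface.
ALLOWED_PORTS = {21, 25, 53, 80, 110, 143, 443, 993, 995}

FLOW_RE = re.compile(r"^(\w+)\s+([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)$")


def parse_flows(text):
    """Return (proto, src_ip, src_port, dst_ip, dst_port) tuples, skipping non-flow lines."""
    flows = []
    for line in text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        proto, sip, sport, dip, dport = m.groups()
        flows.append((proto, sip, int(sport), dip, int(dport)))
    return flows


def summarize_by_source(flows):
    """Per source host: the distinct source ports, destination ports and destination hosts seen."""
    summary = defaultdict(lambda: {"src_ports": set(), "dst_ports": set(), "dst_hosts": set()})
    for _proto, sip, sport, dip, dport in flows:
        entry = summary[sip]
        entry["src_ports"].add(sport)
        entry["dst_ports"].add(dport)
        entry["dst_hosts"].add(dip)
    return summary


def classify(summary, scan_threshold=8):
    """
    Many distinct source ports with few destination ports is a normal client.
    Many distinct destination ports on a single target is the pattern worth a
    closer look. The threshold is an arbitrary example value.
    """
    verdicts = {}
    for sip, entry in summary.items():
        if len(entry["dst_ports"]) >= scan_threshold and len(entry["dst_hosts"]) == 1:
            verdicts[sip] = "possible port scan"
        else:
            verdicts[sip] = "normal client (ephemeral source ports)"
    return verdicts


def analyze(text):
    return classify(summarize_by_source(parse_flows(text)))


def policy_drops(flows, allowed=ALLOWED_PORTS):
    """Flows that an interface rule set allowing only ALLOWED_PORTS would block."""
    return [f for f in flows if f[4] not in allowed]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, verdict in analyze(SAMPLE_FLOWS).items():
        print(host, verdict)
    for f in policy_drops(flows):
        print("would be dropped by the allowlist:", f)
```

On the constructed input, host .50 is reported as a normal client and host .77 as a possible scan, and the allowlist drops the five .77 flows to ports 22, 23, 135, 139 and 445 while passing the rest. Real m0n0wall state tables and log lines have their own formats, so the regex is the first thing to adapt.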

Airplane777

join:2004-06-20


2 edits
reply to Airplane777
Hi all:

The above screen shot is from my own laptop computer. Notice that there is also a lot of incrementing of port numbers attached to the IP address that DHCP assigned to my laptop.

I noticed there are two destination IP addresses. First my computer tried to go to 66.210.246.140 port 80. It turns out that this is the web URL redirection web site that I have set up in Monowall. Why would my computer try to go to that web site by incrementing a whole bunch of port numbers?

Then notice that there is another IP address of 69.95.90.67 port 80. There are two of those destination addresses. And that is correct. That is the web address I went to after the URL redirection web site.

So why does my computer have to increment port numbers when it is trying to go to web sites? Maybe that is normal? If it is normal, I'm not sure why.

I think I'm operating a clean computer...but that screen makes me wonder what's going on. This might make me look like I don't know what's going on...lol. But I wanted to tell you guys anyway. I wasn't going to hold this info back...even if it might make me look like I don't know what's going on...lol.

I thought I'd show that screen to you guys, since it makes my computer act similar to my neighbors', whose computer also incremented port numbers. And I'm not doing any p2p that I know of. I even ran AdAware and Spybot to check things out. My neighbors' computers seem to be going to Asia web sites. I was going to a web site in the USA.

I hope this might help put more light on what's going on here with this port incrementing.

lutful
Premium
join:2005-06-16
Ottawa, ON
reply to Airplane777
Often all unknown traffic is lumped as P2P including some ports used by emergency health monitors.

Airplane777

join:2004-06-20

reply to robbin
said by robbin:

You seem to have the idea that all P2P is bad. P2P is possibly the future of distributing data on the internet. It spreads out the load.

I did have the idea that p2p is pretty bad...at least for WISPs.

If I can see that I can allow p2p along with my other traffic, I'll feel better about it. But I'll probably just have to give it a veeeery low traffic weight, so it doesn't hog up the BW from more desirable applications.

Airplane777

join:2004-06-20


4 edits
reply to lutful
BTW, I still love Monowall from all that I have learned from you all.

Monowall is still my first choice for router/firewall/traffic shaper.

I admit I still have a lot to learn about fine tuning Monowall to my needs. I guess I'm at an impasse here trying to figure out what to do with that data that is trying to get into my WISP interface.

I won't be using captive portal or DHCP when I actually start selling to WISP customers. I'll assign static IP addresses, so I'll know who has what IP address.

From what I can see, I'm leaning towards just mitigating any p2p applications...as I'm starting to think that I don't want to lose customers who want to do p2p. I just want to give them the lowest traffic shaping weight possible.

I already have a "catch all" in my Monowall now, that I'm hoping is catching any p2p. I'm using "catch all" because I realize that p2p changes IP and port addresses all the time. My catch-all should get them all. Gee...if I see that works real good for me, then I shouldn't need NetEnforcer at all...maybe?

So my Monowall passes p2p...I just am trying to give it a veeeery low weight.

Gee...with all that in mind...maybe I'm too overly worried about anyone on my network that is using p2p...like this neighbor.

So I should get BT and do some testing, to be sure that the low traffic shaping weight of 1, stops the bad effects of p2p on my high priority applications.

robbin
Premium,MVM
join:2000-09-21
Leander, TX

reply to Airplane777
said by Airplane777:

I'm sorry. I have such a dislike for p2p, that I guess I thought of it as malware also...

You seem to have the idea that all P2P is bad. P2P is possibly the future of distributing data on the internet. It spreads out the load. Here is a link to a linux distribution from Duke University as an example. The important point is that there are legitimate uses -- just as legitimate as VOIP or email or surfing the web!

lutful
Premium
join:2005-06-16
Ottawa, ON
·TekSavvy Solutions..

reply to Airplane777
You can allow a dozen ports to go through with higher priority and doom the rest to very low bit rates.

Although m0n0wall is considered by many to be one of the easiest firewalls, I think a few WISP and HotSpot specific config.xml files will be a good addition. I will ask some m0n0wall gurus.

Airplane777

join:2004-06-20


2 edits
reply to robbin
said by robbin:

BitTorrent is peer-to-peer (P2P). It is NOT malware.

I'm sorry. I have such a dislike for p2p, that I guess I thought of it as malware also...lol.

Thanks for those links.

So you think all that data trying to get into my WISP interface is p2p?

If I was to take the captive portal off, then that data would flow out my WAN interface.

Airplane777

join:2004-06-20


2 edits
reply to lutful
Lutful:

What you posted here...that's not my data, is it?

I'll relook to see if I can find it in my config file. Although I still don't know of a firewall rule to stop all this data on Monowall.

Reason being, I understand that I could put in place firewall rules for BT, Kazaa, and the other p2p applications. But I understand they will migrate to port 80...and I can't stop data flowing in port 80.

I do have a catch-all that encompasses p2p on my traffic shaper. Since I can't stop the p2p, I gave it a weight of 1.
Sunday, 06-Dec 01:22:01 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.