Sorry again, I found connlimit in iptables-mod-conntrack-extra. I'll
investigate further about a simple portal and not make it too intrusive,
just more of a warning that they're not on their (faster) home WiFi.

On Wed, Apr 8, 2015 at 4:25 PM, leetminiwheat wrote:

> Sorry to open a can of worms, I see where you're coming from and I totally
> understand your POV. My main reasoning here is people's mobile devices auto
> connect to my WiFi whenever they see an open network and they don't even
> know it, when they have their own home WiFi they can use. A simple splash
> page would at least let them be more aware of it.
>
> Security-wise, I'd like to implement a connlimit on gw00 and gw10 so
> people can't flood my network with connections even if it's bandwidth
> limited, but still trying to figure out how to build the module.
>
> So, nothing special I need to be aware of in Cero's firewall rules in
> regards to captive portals?
>
> Thanks, and I thank you and all the contributors for all the work to make
> the internet better.
>
> On Wed, Apr 8, 2015 at 4:02 PM, Dave Taht wrote:
>
>> On Wed, Apr 8, 2015 at 11:01 AM, leetminiwheat wrote:
>> > Sorry if this is an inappropriate place to ask this, but does anyone
>> > have suggestions for a captive portal to use? And is there anything
>> > specific I need to be aware of when implementing a captive portal
>> > package from OpenWRT? I know Cero does firewall rules and zones a bit
>> > differently and admittedly I still don't fully understand it all. I
>> > just need a simple splash page that has an agree to terms type thing.
>>
>> This is one of the few places where I have let my politics interfere
>> with the science or the perceived needs of cerowrt's userbase.
>>
>> There is ZERO sign that the captive portal feature has saved anyone a
>> lawsuit. It has all been a useless shuck to make wifi even less usable
>> than it already is, and create a new entry point to the wholesale
>> corruption of the public's airspace by commercial entities like
>> xfiniti, etc and further encroachments planned by the LTE providers
>> into the 5GHz spectrum.
>>
>> Captive portals create a barrier to what Bob Frankston calls ambient
>> connectivity[1], and for my whole life, that is what I have worked for
>> as a goal - expecting, by now, for that to happen, and for internet on
>> the move - to be essentially free, to all, with no metering, and no
>> barriers to accepting a phone or videocall or file transfer from
>> anywhere from any device on my person, anywhere there was a signal.
>>
>> I will have no part of captive portals for cerowrt. There is at least
>> one captive portal in openwrt. Use that.
>>
>> I am also bugged by the total insecurity built into WPA that has also
>> led to this decline in ambient connectivity over the last 10 years.
>> Anyone can capture a key exchange, or force one, to gain full access
>> to that node's wifi traffic - and people NOT co-operating on channel
>> access and locking off their individual sessions with useless crypto
>> keys, instead of something that works, while delusionally thinking
>> they were "secure" - are helping *ruin* wifi for everyone.
>>
>> e2d encryption is far, far saner than basic WPA2. [2]. People are
>> under the delusion that this form of crypto helps, it doesn't, all it
>> is doing is messing up the air with management frames and blocking
>> ambient connectivity.
>>
>> Wifi is a commons. No amount of locking it down can prevent the waves
>> from escaping or interfering. All people - even the corporations
>> trying to repurpose it for their purposes - need to understand that. I
>> worked REALLY HARD in 1998-2004 to convince multiple VCs to not use up
>> this precious spectrum with another metricom - and thus, in part due
>> to that effort, we ALL have wifi, it is uncontrolled, and nearly
>> unregulated, and the world is a vastly freer better place for that.
>>
>> And it is going to hell, because no-one understands it or cares about
>> it, enough. I have loved being freed from wires for 17 years now,
>> haven't you? Isn't wifi worth saving?
>>
>> So, please, don't use captive portals. In a system with a decent and
>> secure guest network implementation, as cerowrt has, please share your
>> access with open APs or a simple shared certificate. Please
>> co-ordinate with your neighbors on channel selection - and radio
>> placement - or pool your resources to get one big fast internet
>> connect to share, fairly - now that the fq_codel technology is widely
>> available to make that transparent. Build meshy networks. Take back
>> the internet we once had....
>>
>> Lastly - there are only 24 hours left on this kickstarter - we CAN
>> start to take back the edge of the internet - if we can only find
>> another 12k of funding.
>>
>> https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking
>>
>> The same FPGA is also useful for SDR applications, but it is the pcie
>> interface and switch design - and reducing the cost from 7000 to 700
>> bucks - that is the important part of getting this board completed -
>> so that more of htb + fq_codel can move into hardware that anyone can
>> build and use.
>>
>> There is a get one give one program that I asked meshsr to put in.
>> There are people on these lists with money, and there are those with
>> time, and it would be great if more of those people could line up with
>> each other. I put in all I could spare (8500 dollars). I have one of
>> their high end boards, already. It's great.
>>
>> > Also, does anyone have a connlimit module for the 3.10-50-1 kernel?
>> > I'd like to limit max connections per IP on guest wireless. Or can
>> > someone point me in the right direction to build one? OpenWRT's build
>> > instructions are hard to follow and/or really outdated.
>>
>> CeroWrt is effectively dead so long as it remains unfunded. What
>> little time, funding, and energy I can spare I am pouring into
>> make-wifi-fast and openwrt chaos calmer.
>>
>> [1] http://frankston.com/public/?n=IAC.UAC
>> [2] Take an aircap, then take it apart via wireshark:
>> https://wiki.wireshark.org/HowToDecrypt802.11
>>
>> > Thanks
>> >
>> > P.S. Solid uptime on 3.10.50-1, and my SQM bugs fixed with latest
>> > sqm-scripts. (using ones from late march 2015) on default scripts,
>> > egress wasn't getting throttled sometimes and many duplicate
>> > interfaces on SQM restarts. Also, dnscrypt-proxy packages from
>> > https://github.com/black-roland/exOpenWrt working great.
>> >
>> > _______________________________________________
>> > Cerowrt-devel mailing list
>> > Cerowrt-devel@lists.bufferbloat.net
>> > https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
>> --
>> Dave Täht
>> We CAN make better hardware, ourselves, beat bufferbloat, and take
>> back control of the edge of the internet! If we work together, on
>> making it:
>>
>> https://www.kickstarter.com/projects/onetswitch/onetswitch-open-source-hardware-for-networking
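The per-IP connection limit asked about in this thread, as an added example that is not from any of the posters or from CeroWrt: a small generator for iptables connlimit rules on the guest interfaces gw00 and gw10. The limit of 100, the FORWARD chain and the function name are assumptions; the connlimit match needs the iptables-mod-conntrack-extra package named above.

```shell
#!/bin/sh
# Added example: print (not apply) per-source-IP TCP connection limits for
# guest interfaces, so the rules can be reviewed before they are loaded.
# Interface names gw00/gw10 come from the thread; the limit value and the
# FORWARD chain are assumptions to adapt to the local firewall layout.

# emit_connlimit_rules LIMIT IFACE...
# Prints one iptables command per interface. All arguments are validated
# first, so bad input produces no partial rule set and a return code of 1.
emit_connlimit_rules() {
    limit=$1
    [ "$#" -ge 2 ] || { echo "usage: emit_connlimit_rules LIMIT IFACE..." >&2; return 1; }
    shift
    case $limit in
        ''|*[!0-9]*) echo "limit must be a positive integer" >&2; return 1 ;;
    esac
    [ "$limit" -gt 0 ] || { echo "limit must be greater than zero" >&2; return 1; }
    for ifc in "$@"; do
        case $ifc in
            # Only characters that are safe in an interface name; '+' is
            # the iptables wildcard suffix (e.g. gw+ for all guest radios).
            ''|*[!A-Za-z0-9_.+-]*) echo "bad interface name: $ifc" >&2; return 1 ;;
        esac
    done
    for ifc in "$@"; do
        # --syn: only new TCP connections are tested, so established flows
        #        are never cut off when a client reaches the limit.
        # --connlimit-mask 32: count per single IPv4 source address.
        # tcp-reset: the client gets an immediate RST instead of a timeout.
        printf 'iptables -I FORWARD -i %s -p tcp --syn -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' \
            "$ifc" "$limit"
    done
}

# Rules for the two guest interfaces named in the thread, 100 connections
# per client (constructed value).
emit_connlimit_rules 100 gw00 gw10
```

The limit applies only to connections forwarded through the router; traffic addressed to the router itself would need the same match in the INPUT chain.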