I'm looking for something that accomplishes (as much as possible of) the following:
- provides a WLAN access point for public use (for example, in a bar)
- serves as a transparent proxy forcing users to get their own login before they can begin surfing
- secure (as in: users can't get into the attached LAN & can do allowed protocols only)
- easy to install (monolithic/self-contained Linux distro?)
- easy to configure, preferably per web-interface
- possibly bandwidth-managed so users can't soak up all available bandwidth
- possibly with expiring access (time-limited logins, or one-time passwords)
- free of charge :-)
I know that ChilliSpot can do things from that list, maybe one could use dd-wrt to modify a router… But maybe I'm just missing the ideal "fire-and-forget" solution that I've just never heard of.
What are your ideas?
Much of this wouldn't necessarily be in the wireless access point; if you have a LAN, you can attach the access point to a port that is configured on a separate VLAN, and that would shield access to systems that are on your wired network.
You can configure your router/firewall to allow or disallow particular egress and ingress points from the VLAN range. You can also manage bandwidth quotas and QoS from the firewall. Alternatively you can put a managed firewall like smoothwall in between the access point and the switch if you want to further separate things. Without knowing what physical setting you're working in then it's hard to really suggest ideas (like, are you in need of bridging multiple access points like Apple's Airports can do? Or something high end, like Cisco WAPs? Or are you trying to rig something up with cheap SOHO access points which usually burn out in six months to a year by exposing them to air?)
That would simplify your requirements on the access point, as you could use just about anything at that point plugged into it and the router, firewall, and switch are doing the heavy work.
For expiring access and login information you'd have to probably have a solution from Cisco or another vendor similar to what other coffee shops use. I think there are some open-source Internet cafe-style servers that handle this sort of function, where all access is first redirected to an "agreement acceptance" server before allowing outgoing access, or you can rely on logs that monitor MAC addresses and IP's for monitoring access (again, you don't specify the venue, how permanent this is, load on the wireless infrastructure, etc.)
If you are covering a large or loaded area, just do a favor and make sure you're not using ten access points with ten SSID's. You should have one SSID, the other systems are online via extenders and bridges. I was in a hotel recently that had multiple SSID's showing up and it screams unprofessional (or hack...other people in the hotel could have been sniffing connected users masquerading as the hotel access point).
Scaling wireless access properly is hard. If you are looking for a small-time setup, that's one thing, but if you have hard needs, you need to plan for it in advance.
I know you're looking for a way to configure a WAP that you just drop in and it all works automagically; I just don't know of any solution like that that scales well. The easiest thing to do in my experiences is to have a reliable infrastructure handling the hard work and manage it from there. Otherwise you have to manage a number of individual nodes and make sure they're all working properly. If you have a firewall and VLAN configuration in your wired setup, you can replace WAP or expand your wireless setup with very little worry other than making sure it's plugged into a VLAN'ed port on the switch, which is the ultimate plug and play easy solution. Just means more hard work initially to get it right.
On the other hand, are you trying for a temporary or semi-mobile wireless structure? A mesh network? Large field of coverage, or a single WAP (in which case why a config-and-forget solution)? I am doing this with the assumption that you have a configured business network and wanted to add multiple nodes for public access separate from your wired network.
EDIT - I'd be tempted to look at coova.org, the branch that appears to be a maintained fork of chili, to get most of what you sounded like you were looking for and offload the QoS/Bandwidth monitoring and shaping and VLAN's on to your switch/firewwall.
You can have most of this using the PFsense firewall distribution. It allows you to easily setup a captive portal, manage a proxy for the users, block them with firewall rules.
All is configurable through an easy to use web interface, and if you want more advanced features, you can always go deeper with command line.
And all the hardware you'll need is a cheap computer with a wireless network card :D