Being a techie has its benefits, but it also has its pitfalls. As a techie, my friends and family consider me to be their technical support person for whatever electronic gizmo they may own, regardless of whether or not I have come across said gizmo. Recently, one of my friends started up a coffee shop. Wanting to be a modern-day location, he wanted to provide free Wi-Fi Internet service to his customers so they could surf the web for hours while imbibing his overpriced coffee. As you may have guessed, I was drafted to set up his Wi-Fi hotspot. This article covers how I used a free offering named m0n0wall to set up the Wi-Fi hotspot.
I Encountered Some Problems at First...
At first, when I tried setting up my friend's hotspot, I thought I could get away with setting up a wireless router for him and disabling encryption on it. Unfortunately, shortly after I set up the wireless router in my friend's coffee shop, I realized that neighboring shops had discovered they could use my friend's bandwidth. Because the wireless signal of the router I installed was unencrypted, it was easy for them to connect to the router without any password.
I considered setting up encryption on the router, but doing so would make it too tedious for customers to connect to the hotspot. That's when I decided it was time to browse the web and look for a viable solution.
I found a number of commercial solutions. The problem was that these solutions would cost my friend a significant monthly fee. No offense to my friend, but he is as cheap as they get. He wanted to set up the hotspot for next to nothing, leaning more towards the nothing. Consequently, a monthly fee was out of the question.
At first I considered using Public IP's free ZoneCD offering. The ZoneCD allows a person to connect two routers together. One of the routers is unencrypted and powers the hotspot, while the other is encrypted and lets you connect the computers that run the day-to-day operations of your shop. When a user connects to the unencrypted router and tries to visit a site, he is redirected to the http://www.publicip.net web site. There he must provide a user name and password that you, as the administrator, have designated for your site. After properly authenticating, the user is able to surf the web. If the user does not authenticate properly, he can't. I liked this offering. The only problem was that I didn't like the idea of having to rely on http://www.publicip.net being up all the time. I seemed to be at the mercy of others' equipment.
After some more browsing, I stumbled on m0n0wall.
Some Words About m0n0wall
m0n0wall is a project that is, according to its website (http://m0n0.ch/wall/), "aimed at creating a complete, embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software)."
m0n0wall is based on a stripped-down version of the FreeBSD operating system. It comes with a web server and PHP engine, as well as some other utilities.
m0n0wall can do a lot of things, but I was only interested in its "captive portal" feature. Just like publicip.net's offering, the captive portal makes sure that a customer who wants to use the hotspot first provides a username and password on a simple web page (compare that with having to type in a Wired Equivalent Privacy, or WEP, key: much easier). Users who authenticate properly can move on and surf using the hotspot's bandwidth; without authenticating, they go nowhere. Keep in mind what this does and does not give you: the portal controls who gets through, but the wireless link itself stays unencrypted, so anyone within range can still watch the patrons' traffic.
Hardware Requirements
As you probably guessed by now, my frugal friend constantly inundated me with mantras of "Save me money" when building the hotspot. To run the m0n0wall software, I needed a PC. This PC running m0n0wall acts as a policeman, making sure a hotspot user has authenticated. The policeman analogy is further appropriate considering m0n0wall has some pretty sophisticated firewall features (beyond the scope of this article) that allow for the owner to even restrict what web sites patrons can and cannot visit. Fortunately for my friend, the PC that I needed was fairly low-powered (translated for him—low cost). The m0n0wall documentation points out that a 486 or higher processor (any Pentium PC will do) is sufficient to run m0n0wall for most deployments. You can opt to run m0n0wall off a hard drive, but because I wanted to keep costs down, I decided to run m0n0wall off a CD-ROM and used a floppy drive to store m0n0wall's configuration data. That's right—you can run m0n0wall without a hard drive!
The amount of RAM required is listed at only 64MB. Considering that today's modern-day PCs usually have about 512MB, the memory requirement for m0n0wall was also pretty slim. I picked up the PC I needed for my friend at a vintage PC shop for $35.
The m0n0wall PC needs two network interface cards (NICs). Because the PC already had one built in, I just had to add one, which I picked up for $10 at my favorite PC accessories store. Virtually any modern NIC will do, as m0n0wall has built-in driver support for most popular NICs available at the local electronics store.
Another thing I did have to pick up for the hotspot setup was an additional wireless router. My friend already had one, but I needed another so that my friend could wirelessly connect his shop's PCs to a router whose wireless connection is encrypted, while the captive portal's router would remain unencrypted but protected by m0n0wall.
The second router isn't going to be used as a router but, as you'll see, we'll cripple its functionality and use it only as an access point. Oddly enough, in my experience I can buy wireless routers for cheaper than access points, so I decided to use a wireless router and configure it as an access point.
The setup I implemented is shown in Figure 1.
Figure 1 The m0n0wall setup.
You need to configure your Wireless Router #2 as an access point. Also, you need to turn off the router's built-in DHCP server, because the m0n0wall box acts as the DHCP server on that side. How to turn off the DHCP server varies from wireless router to wireless router; check your product manual to find out how to do it for your particular router. Give your second router a service set identifier (SSID) something like "HOTSPOT" so your customers can readily recognize it as a hotspot. Also, turn off wireless encryption on the second router. You want your hotspot patrons to be able to connect without the tribulations of entering a WEP key!
In my setup, I had the first router acting as a DHCP server. Accordingly, the m0n0wall server is granted an IP address by the first router. It uses this IP address to make connections to the outside world, via the first router.
Obtaining m0n0wall
Before dealing with m0n0wall, I had never played with the FreeBSD operating system. Accordingly, I wasn't looking forward to having to learn a new OS for my friend's coffee shop, regardless of him offering me free coffee for life. Fortunately, m0n0wall pretty much insulated me from the intricacies of the OS. You can obtain m0n0wall from http://m0n0.ch/wall/downloads.php. I obtained the ISO image of version 1.22 and burned it using my favorite CD burning software to a blank CD. You also need to get your hands on a formatted floppy disk (which will be used by m0n0wall to house its configuration).
Preparing the m0n0wall Computer
To prepare your computer for using m0n0wall:
- Go into your CMOS setup and set your machine to boot up off the CD-ROM drive. The boot-up sequence should be set by placing the CD-ROM higher than your floppy drive.
- Insert the m0n0wall CD that you burned earlier into the CD-ROM drive and place the floppy disk in the floppy drive.
- Turn on your computer and watch m0n0wall start up.
Firing Up m0n0wall
As m0n0wall is fired up, you will see a flurry of messages pass by. You should be able to ignore most of these messages under normal circumstances. After a short while, you should be presented with the m0n0wall console screen. For our purposes, directly preceding the Console Setup menu, you should see a port configuration acknowledging the presence of your two network interfaces: one assigned to the LAN and one assigned to the WAN as pointed out in Figure 2.
Figure 2 m0n0wall's Console Setup screen.
At this point, assume that you have plugged your cables into the correct NICs as shown in Figure 1. In a short while, you'll need to connect to the m0n0wall web administration console. If you are unable to do that, it's likely your LAN and WAN cables are swapped. No worries: just swap them back and try again. Alternatively, you can use the Automatic Detection feature found in the Set Up LAN IP Address option of the Console Setup menu.
Using the webGUI Configuration
Assuming that m0n0wall correctly recognized the NICs of your machine, you are now ready to set up m0n0wall. To do so, you use a web user interface, much like one you would use to interact with most broadband routers:
- Connect a PC with an Ethernet cable to the LAN side of the m0n0wall box (refer to Figure 1); the webGUI listens only on the LAN interface. The PC should be set to obtain its address via DHCP, and m0n0wall's DHCP server will hand it one.
- To get to the webGUI, open up your browser on the computer you just connected to, and go to the URL assigned to the LAN IP address. In my case, I assigned it to http://192.168.0.200. Note that the address you need to go to is shown to you when m0n0wall starts up (see Figure 2).
- You are asked to enter a user name and password. The default user name and password are admin and mono, respectively.
- After entering the user name and password, you are presented with the m0n0wall webGUI configuration, as shown in Figure 3. If not, the culprit might be that your cables were swapped (as explained earlier).
Figure 3 m0n0wall's webGUI configuration.
- Once you can reach the webGUI, one of the first things to do is make sure that nobody but you can get into it from now on. Assign m0n0wall a new password on the General Setup panel, as shown in Figure 4, and while you are there switch the webGUI protocol from HTTP to HTTPS so that the new password does not cross the network in the clear.
Figure 4 Changing the m0n0wall server password.
Now try going to an external URL, such as http://www.informit.com. If you can reach the site, congratulations: you are past the majority of the setup. At this point I would disconnect the computer you've been using to configure the m0n0wall server and try connecting the same computer wirelessly to the hotspot wireless router (Router #2 in Figure 1).
Hint: look for the SSID you assigned earlier to the second router. If all is well, you should be able to connect to sites like http://www.informit.com without any problem.
If you weren't able to connect, then you might need to configure the WAN interface of your m0n0wall box. Refer to m0n0wall's extensive Help documentation on how to do so. If you were able to connect, then you are now ready to move on to securing the hotspot via a password and turning on the captive portal.
Securing Your Hotspot
To activate the captive portal, fire up the webGUI as you did earlier and follow these steps:
- From the left-hand navigation, choose Captive Portal under Services. You are presented with the Captive portal configuration screen.
- Check the Enable Captive Portal check box as shown in Figure 5.
Figure 5 Enabling m0n0wall's Captive Portal service.
- For the Portal Page contents, use the prompt.html file I have provided in the html.zip download.
- Similarly, for the Authentication Error Page contents, choose the file named
error.html from the html.zip download provided.
These files are both pretty simple HTML files which can serve as placeholders until you swap them out with something to your liking. The key thing to realize is that when a user first tries to access a web site after connecting to the hotspot router, she will be redirected and asked to authenticate by m0n0wall, using the prompt.html file as the captive portal front page.
The file prompt.html (shown below) contains a form that posts two fields to m0n0wall, auth_user and auth_pass, filled in by the user trying to authenticate. The $PORTAL_ACTION$ and $PORTAL_REDIRURL$ tokens are placeholders that m0n0wall fills in when it serves the page: the first with the URL the form must post to, the second with the site the user originally asked for, so that she ends up there after logging in.
<body>
  <center>
    Welcome to the El Cheapo Coffee Shop<br>
    Please enter your username and password. Visit the front desk to obtain this info.
    <form method="post" action="$PORTAL_ACTION$">
      Username: <input name="auth_user" type="text"><br>
      Password: <input name="auth_pass" type="password"><br>
      <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
      <input name="accept" type="submit" value="Submit">
    </form>
  </center>
</body>
If the values the user submits match a user m0n0wall knows about, she is allowed to go on her merry way and surf; otherwise she is shown the error page (the HTML source of which is shown below). In short: no pass, no play. One caveat: the form posts over plain HTTP by default, and on an open wireless network that means the shared password travels in the clear, so consider the HTTPS login option on the Captive Portal configuration screen.
<body>
  <center>
    The username and password you provided are invalid. Please use the back button to try again.<br>
    <a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true">Go Back</a>
  </center>
</body>
- To enforce authentication, click the Local User Manager option in the Authentication section as shown in Figure 6.
- Save your changes to the configuration before moving on.
Figure 6 Enabling authentication using the local user manager.
Adding a User
Next, you need to add a username and password that is allowed to use the hotspot:
- Click the Users tab in the Services: Captive Portal screen, then click the plus icon as shown in Figure 7.
Figure 7 Opting to add a new Captive Portal user.
- Enter a user name. For example, use a user name of customer with a password of ilovejava (see Figure 8). To reiterate, this username is the one that customers will use to authenticate as trusted users of your hotspot.
- Leave the Expiration Date blank and click Save.
Figure 8 Specify the username and password of the user you are creating.
- You'll need to manually provide your customers with the username and password required to use the hotspot. As you may have noticed, the login screen I provided actually asks the user to visit the front desk for the username and password.
My coffee shop owner friend has little pieces of paper with the connection info he printed for his customers. Customers seem to be comfortable with this approach.
Acting Like a Patron Wanting to Surf the Web
So at this point, you are ready to test the m0n0wall-powered Wi-Fi hotspot by acting as a shop patron would. Connect to the network name (SSID) of your hotspot's router and follow these steps:
- Open up a browser and visit any web site (for example, http://www.informit.com). Rather than going to the requested site, you should be directed to the m0n0wall Captive Portal entry page (as shown in Figure 9).
Figure 9 Specify the username and password as a hotspot user.
- Enter the username and password you assigned earlier for hotspot users, and you should be redirected to the site you requested. If you fail authentication, you are presented with the error page (see Figure 10).
Figure 10 Being presented with an error page when the username and/or password you specify are invalid.
To recap, before you can go anywhere using the hotspot, you have to authenticate, thereby barring leeching of the hotspot's bandwidth by pesky neighbors who aren't buying! Bear in mind, though, that a single shared password handed out on paper will eventually make its way to the neighbors too, so change it now and then; the Expiration Date field you left blank when creating the user lets you make an old password lapse on its own.
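To make the exchange behind prompt.html, error.html and the patron walkthrough above concrete, here is a small Python model of a captive portal. It is an added illustration, not m0n0wall's code: the portal path, client addresses, response bodies and the redirect-on-failure target are all made up, and the "Internet" behind it is a canned string. It replays the patron's steps (request a site, get bounced to the portal, post auth_user/auth_pass/redirurl, get sent on or refused) and adds two checks a real portal needs: a hashed, constant-time password comparison and a sanity check on redirurl so the login form cannot be abused as an open redirector.

```python
# Toy captive portal that replays the flow described above: the redirect to
# prompt.html, the POST of auth_user / auth_pass / redirurl, and the
# allow-or-deny decision. Added illustration, not m0n0wall's code; every
# name, address and path in it is constructed for the example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlparse

PORTAL_PATH = "/portal"      # hypothetical path the login form is served from
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Request:
    method: str
    url: str          # absolute URL the patron's browser asked for
    client: str       # client address; m0n0wall keys on IP and MAC
    body: str = ""    # urlencoded form body for a POST


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""   # set on 302 responses


@dataclass
class CaptivePortal:
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    users: dict = field(default_factory=dict)   # name -> PBKDF2 hash, never plaintext
    allowed: set = field(default_factory=set)    # clients that have authenticated

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = hash_password(password, self.salt)

    def check_credentials(self, name: str, password: str) -> bool:
        stored = self.users.get(name)
        candidate = hash_password(password, self.salt)   # hash even for unknown users: no timing tell
        return stored is not None and hmac.compare_digest(stored, candidate)

    @staticmethod
    def safe_redirect(redirurl: str) -> str:
        # Only forward the patron to an http(s) URL; a "javascript:" or "data:"
        # redirurl would turn the login form into an open redirector.
        parsed = urlparse(redirurl)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return redirurl
        return "/"

    def handle(self, req: Request) -> Response:
        path = urlparse(req.url).path
        if path == PORTAL_PATH and req.method == "POST":
            form = parse_qs(req.body)
            user = form.get("auth_user", [""])[0]
            password = form.get("auth_pass", [""])[0]
            redirurl = form.get("redirurl", [""])[0]
            if self.check_credentials(user, password):
                self.allowed.add(req.client)                # no pass, no play
                return Response(302, location=self.safe_redirect(redirurl))
            return Response(403, body="error.html: invalid username or password")
        if path == PORTAL_PATH:
            return Response(200, body="prompt.html: login form")
        if req.client in self.allowed:
            return Response(200, body="upstream content for " + req.url)
        # Unauthenticated client asking for any other site: bounce to the portal,
        # carrying the requested URL so the patron lands there after logging in.
        return Response(302, location=f"{PORTAL_PATH}?redirurl={quote(req.url, safe='')}")


def patron_walkthrough(password: str) -> list:
    """Replays the patron's steps; returns the status codes seen plus the
    final redirect target (empty when the login failed)."""
    portal = CaptivePortal()
    portal.add_user("customer", "ilovejava")      # the article's example user
    client = "192.168.0.50"                         # constructed client address
    first = portal.handle(Request("GET", "http://www.informit.com/", client))
    redirurl = parse_qs(urlparse(first.location).query)["redirurl"][0]
    portal_url = "http://192.168.0.200" + PORTAL_PATH
    form = portal.handle(Request("GET", portal_url, client))
    body = f"auth_user=customer&auth_pass={quote(password)}&redirurl={quote(redirurl, safe='')}"
    login = portal.handle(Request("POST", portal_url, client, body))
    again = portal.handle(Request("GET", "http://www.informit.com/", client))
    return [first.status, form.status, login.status, again.status, login.location]


if __name__ == "__main__":
    print(patron_walkthrough("ilovejava"))   # [302, 200, 302, 200, 'http://www.informit.com/']
    print(patron_walkthrough("wrong"))       # [302, 200, 403, 302, '']
```

Run it and the first line shows the happy path from the walkthrough (bounce, form, login accepted, original site reachable), while the second shows a bad password producing the error page and the next request being bounced again. Keying the allowed set on the client address is what lets the rest of the traffic flow once the form is posted, and it is also why the open wireless link matters: anyone who can impersonate an authenticated client's address inherits its access, which the portal alone cannot prevent.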
Conclusion
In this article, I showed you how I set up a hotspot using two routers, a vintage PC with two NIC cards and m0n0wall software. m0n0wall is quite powerful, and I have been pretty impressed by its offerings, especially considering I was able to use it to set up a pretty low-cost Wi-Fi hotspot for my stingy coffeeshop-owning friend.
I haven't played with m0n0wall as much as I'd like to, but it even has the ability to shape traffic going through the m0n0wall box. Using the Magic Shaper Wizard of the m0n0wall GUI, you can do such things as set P2P traffic to the lowest priority, or even set things to share bandwidth evenly across all of your LAN users.
If you run into problems, or have the itch to play with some of m0n0wall's advanced features not covered in this introductory article, the good news is that m0n0wall has a very active e-mail support group that can help you support your newfound m0n0wall habit.
