Getting Around the Quota


heuristic
Posts: 37
Joined: Tue Sep 08, 2009 5:00 pm

Re: Getting Around the Quota

Post by heuristic »

In such environments, having a locked room or cupboard for your routers/WAN devices makes real sense. That's the norm in the corporate world... This prevents wiring in. Again, low-tech, but effective. We considered the second router idea at my son's place as he had an abusive tenant. What finally happened, after all the polite methods failed, was that the tenant chose to get his own Internet. End of!
_________________________
Heuristic
WRT54GL x4

ispyisail
Moderator
Posts: 5212
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Getting Around the Quota

Post by ispyisail »

I'm sorry, it was more of a joke. It wasn't a serious answer.

I was trying to imply you could play some tricks on him.

CoovaChilli is a serious answer though

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

Eric wrote:...Get another router, and put the problematic individual behind it....
ispyisail wrote:...
CoovaChilli is a serious answer though

I'm wondering if we can somehow marry these ideas. CoovaAP is a router that has an internal captive portal. It would be quite a hack, but perhaps there is a way of getting the thing to operate in bridge mode and having Gargoyle operate in wire-only mode. That way everyone gets their own login.
The downside would probably be that users may not be able to monitor usage.
Any thoughts?

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

Found some NVRAM commands/settings here that seem to do what is needed.
From what I can gather the IP would not be handed out by the CoovaAP DHCP server and the client would need to be configured manually before the start of any session. This would be a pain. Are there some other commands/settings which would tell the CoovaAP DHCP server to assign particular IPs for particular MACs (as in Gargoyle)?
The VLAN commands referred to above seem to indicate that MAC and IP addresses would be hidden from scanners. Please tell me if I'm wrong here.

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

Yep I was wrong.
I was looking at this picture and it dawned on me that you can only have one VLAN per WiFi access point.
So much for that idea. :(

Gargoyle87
Posts: 48
Joined: Mon May 04, 2009 5:49 pm

Re: Getting Around the Quota

Post by Gargoyle87 »

I solved my problem using the shortest way: banning any user getting around the quota. :twisted:

Returning to the technological solutions... I think that implementing a captive portal system is the best solution, but I have an idea to prevent the scanners. I do not know exactly how the scanning software works, but I think that the scanner computer tries to connect to all IP addresses in the private range, and when it gets a response from any IP address the scanner computer will know the MAC of that active computer. :geek:

So if a good firewall was installed on any computer using the network, and the firewall was configured so that the computer will not respond to any private IP address, then that computer will be invisible to all other users. Does this solution make any sense? Does it work? :) :?:

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

Gargoyle87 wrote:...
So if a good firewall was installed on any computer using the network, and the firewall was configured so that the computer will not respond to any private IP address, then that computer will be invisible to all other users. Does this solution make any sense? Does it work? :) :?:

No. Clients sharing the common LAN would have access to each others MAC data.
I think you could best achieve isolation between clients with "per Client VLANS".
However I don't think Eric would be interested in supporting a solution that only works for MadWiFi.
However using PPPoE seems like an elegant solution that he might be interested in. :)

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

uncle john wrote:...
However using PPPoE seems like an elegant solution that he might be interested in. :)

Did a little more reading. Seems the PPPoE + per-client VLAN idea is not quite as elegant as I thought. Apparently it would be quite a resource hog.
Also, although PPPoE over WiFi is supported in Apple Macs, the same is not the case for Windows machines.
Some recent devices include two VLANs (e.g. one for private use and one for public use). This seems to be the most reasonable application for this multiple VLAN idea.

Gargoyle87
Posts: 48
Joined: Mon May 04, 2009 5:49 pm

Re: Getting Around the Quota

Post by Gargoyle87 »

I think that the best way to prevent getting around the quota is the captive portal, and even if it will require more resources, it will be an amazing option :P .

The captive portal does not need to be very complicated, because it is made for home and office users (a place where annoying quota thieves may be found, but not advanced evil hackers :twisted: ). Then, I imagine the captive portal as an authorization code (no need for any kind of data encryption) that will restrict any local IP from connecting to the Internet unless it inserts a username and a password, and the quotas will be for usernames not IPs.

I will be very happy to see the captive portal implemented in Gargoyle :D, and the next step will be getting rid of my WRT54GL (4 MB Flash/16 MB RAM), and buying an Asus WL-500GP (8 MB Flash/32 MB RAM) :lol: .
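
The idea in the post above, quotas billed to a username behind a login gate instead of to an IP, sketched as an added example (not part of the original post and not Gargoyle or CoovaAP code). The class, method names, addresses and credentials are all constructed for illustration.

```python
import hashlib
import hmac
import os


class UsernameQuotaPortal:
    """Toy captive-portal gate: traffic is billed to the logged-in username."""

    def __init__(self, quota_bytes):
        self.quota_bytes = quota_bytes
        self.creds = {}     # username -> (salt, PBKDF2 hash of password)
        self.sessions = {}  # client IP -> username that logged in from it
        self.used = {}      # username -> bytes consumed so far

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.creds[username] = (salt, self._hash(password, salt))
        self.used[username] = 0

    def login(self, ip, username, password):
        # Unknown users still cost one hash and compare against an empty value.
        salt, stored = self.creds.get(username, (b"\0" * 16, b""))
        ok = hmac.compare_digest(self._hash(password, salt), stored)
        if ok:
            self.sessions[ip] = username
        return ok

    def forward(self, ip, nbytes):
        """Return True if traffic may pass; bill it to the session's user."""
        user = self.sessions.get(ip)
        if user is None:
            return False  # no login from this address yet: blocked
        if self.used[user] + nbytes > self.quota_bytes:
            return False  # the user's quota is exhausted, whatever the IP
        self.used[user] += nbytes
        return True


def demo():
    portal = UsernameQuotaPortal(quota_bytes=1000)
    portal.add_user("tenant", "constructed-password")
    results = [portal.forward("192.168.1.50", 100)]        # not logged in
    portal.login("192.168.1.50", "tenant", "constructed-password")
    results.append(portal.forward("192.168.1.50", 900))    # within quota
    results.append(portal.forward("192.168.1.77", 100))    # new IP, no session
    portal.login("192.168.1.77", "tenant", "constructed-password")
    results.append(portal.forward("192.168.1.77", 200))    # same user, over quota
    return results, portal.used["tenant"]
```

Sessions here are keyed by IP, so this covers only the accounting side: a client that takes over an already logged-in address would still be billed to that user.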

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

Gargoyle87: It was very nice to read your comments about linking quota with username rather than IP. I've had the same idea for a while, but seeing that most of the members of this forum are interested in other issues (such as usage graphs, pie charts and tables etc.) I thought I'd keep my ideas to myself for a while.
Many of these members would be IT professionals and using these sorts of tools would occupy most of their waking hours. So their interest in these things is understandable.
So will a captive portal be implemented any time soon (i.e. in the next year or so)? I don't know.
In the meantime I'm trying to add CoovaAP as a front end to Gargoyle. The idea is that the user would use their MAC address as their username while their password will remain known only to themselves. This means users would have to alter MAC settings for devices they share with others etc. It would be somewhat inconvenient but it would be secure.
