Getting Around the Quota

Gargoyle87
Posts: 48
Joined: Mon May 04, 2009 5:49 pm

Re: Getting Around the Quota

Post by Gargoyle87 »

uncle john wrote:Gargoyle87: It was very nice to read your comments about linking quota with username rather than IP. I've had the same idea for a while but seeing that most of the members of this forum are interested in other issues (such as usage graphs, pie charts and tables etc.) I thought I'd keep my ideas to myself for a while.
Captive portal is much more important (at least for me :lol: ) than usage graphs, pie charts and tables... I do not use these things at all :D . If I want to list what is the most important (and special) in Gargoyle, the "Quotas" will be first, the amazing "QoS" (traffic shaping) will be second, and the "future captive portal" will be third :lol: .

uncle john wrote:Many of these members would be IT professionals and using these sorts of tools would occupy most of their waking hours. So their interest in these things is understandable.
I think that Gargoyle's first goal (check the "Project Summary" at the home page of this website) is usability, and is meant for average users (not just power users).

As you can notice, this firmware is made for home and office routers, so if an IT professional wants to manage a network I do not imagine him (or her) using a small 50$ router to do his job ;) , instead you will see a 1000$ Cisco router, or a Linux Router software installed on a computer :mrgreen: .

The routers that Gargoyle is installed on have limited capability, and they are meant for a small, limited number of users (in my network, we are 6 users using the wrt54gl, and when all users are downloading and uploading heavy loads the router becomes hot).


uncle john wrote:So will a captive portal be implemented any time soon (ie. in the next year or so)? I don't know.
The next year?? I also do not know, but as I read in this forum, the project founder and developer has added the "captive portal" to his "to do" list! :D

uncle john wrote:In the meantime I'm trying to add CoovaAP as a front end to Gargoyle. The idea is that the user would use their MAC address as their username while their password will remain known only to themselves. This means users would have to alter MAC settings for devices they share with others etc. It would be somewhat inconvenient but it would be secure.
It is inconvenient to change the MAC address each time you want to use the internet.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Getting Around the Quota

Post by Eric »

First, do be aware of the limitations of a captive portal. After a user has authenticated with a captive portal their MAC/IP combination then gives them access. If while a user is logged in their MAC/IP is sniffed, and forged, the hacker who sniffed the MAC/IP can still break in. The advantage is that after the original user logs out this combination is de-authenticated and anyone trying to use this combination no longer has access. So.. it will help the problem of MAC cloning but not entirely solve it.

The main advantage of captive portal is authentication based on user instead of IP, which works well if multiple people use one computer or one person has multiple systems.

Next, don't get too excited that this is on my to-do list. That list is longer than my arm. I'll likely get to this within a year... but don't expect it next month.

Finally, regarding hardware.... I've been playing with versions of Gargoyle for some more powerful hardware -- namely alix boxes (x86) and ar71xx devices. These aren't quite ready/polished yet, but here's my plan: Since Gargoyle is open-source, the source code for these will be freely available. However, I'm going to charge a nominal fee for the binaries -- I figure users that can afford a $300 piece of hardware can afford $10-$15 for the service of compiling all that ugly code ;-) Don't worry -- brcm/atheros binaries will always be available for free.

I'm also investigating selling some more powerful hardware like this on my site, with Gargoyle pre-installed. I'm therefore very curious how much interest there is in this.

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

Eric wrote:...
Finally, regarding hardware.... I've been playing with versions of Gargoyle for some more powerful hardware -- namely alix boxes (x86) and ar71xx devices. These aren't quite ready/polished yet, but here's my plan: Since Gargoyle is open-source, the source code for these will be freely available. However, I'm going to charge a nominal fee for the binaries -- I figure users that can afford a $300 piece of hardware can afford $10-$15 for the service of compiling all that ugly code ;-) Don't worry -- brcm/atheros binaries will always be available for free.

I'm also investigating selling some more powerful hardware like this on my site, with Gargoyle pre-installed. I'm therefore very curious how much interest there is in this.
Thanks for your comments Eric.
Are you saying that the captive portal feature will only be available for the more powerful hardware? :?:
In any case I consider a Gargoyle Router (with pre-installed firmware) would be a desirable product. I'd certainly buy one. :D

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Getting Around the Quota

Post by Eric »

I'd like captive portal to be available on all models, at least that's what I'm aiming for. I have no intention of making it an exclusive feature to paid versions, but it may require extra CPU/RAM to work properly.

It depends how I work the authentication. If I make it depend on RADIUS authentication I may need to require more powerful hardware, but if I implement a pared down authenticator by default I may be able to squeeze it into the default image, which should work with 16MB of RAM/4MB of flash.

Also, since this is a fairly complex feature, and will take some time, I don't know which will come first: implementation of captive portal or routers for sale on this web site. Both require a lot of effort, and you probably won't see either for at least a few months.

Gargoyle87
Posts: 48
Joined: Mon May 04, 2009 5:49 pm

Re: Getting Around the Quota

Post by Gargoyle87 »

Eric wrote:First, do be aware of the limitations of a captive portal. After a user has authenticated with a captive portal their MAC/IP combination then gives them access. If while a user is logged in their MAC/IP is sniffed, and forged, the hacker who sniffed the MAC/IP can still break in. The advantage is that after the original user logs out this combination is de-authenticated and anyone trying to use this combination no longer has access. So.. it will help the problem of MAC cloning but not entirely solve it.

The main advantage of captive portal is authentication based on user instead of IP, which works well if multiple people use one computer or one person has multiple systems.

Next, don't get too excited that this is on my to-do list. That list is longer than my arm. I'll likely get to this within a year... but don't expect it next month.

Finally, regarding hardware.... I've been playing with versions of Gargoyle for some more powerful hardware -- namely alix boxes (x86) and ar71xx devices. These aren't quite ready/polished yet, but here's my plan: Since Gargoyle is open-source, the source code for these will be freely available. However, I'm going to charge a nominal fee for the binaries -- I figure users that can afford a $300 piece of hardware can afford $10-$15 for the service of compiling all that ugly code ;-) Don't worry -- brcm/atheros binaries will always be available for free.

I'm also investigating selling some more powerful hardware like this on my site, with Gargoyle pre-installed. I'm therefore very curious how much interest there is in this.
Thank you very much for your great information :) !

I know it is too early to talk about that (maybe I should post this after one year), but I want to ask:

In the captive portal system, the hacker should know both the MAC address and the IP address of the authorized user and that authorized user should be logged in, but if that happened would that cause the network to crash (two users with the same IP and the same MAC)??

Also, if we combine: captive portal + changing manually or automatically the IP frequently (and then logging in again) will that make the hacking much more difficult?? (I noticed that network scanning software scans the IPs in a specific range one by one in order to know the active IPs, and that takes time).

----------------------------------------------------------------------------

Regarding selling hardware, I think that the best idea is to sell the binaries online (all binaries including the Broadcom and Atheros binaries) instead of selling hardware.

If the price was small (like 10$ with free updates and free forum membership) people will not hesitate buying the binaries.
Last edited by Gargoyle87 on Tue Nov 17, 2009 4:55 pm, edited 3 times in total.

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

Eric wrote:...
Also, since this is a fairly complex feature, and will take some time, I don't know which will come first: implementation of captive portal or routers for sale on this web site. Both require a lot of effort, and you probably won't see either for at least a few months.
I know I said I'd welcome the ability to buy a Gargoyle Router but I've given a little more thought regarding what the implications would be for you.
Providing such routers to the mass market would inevitably take your attention in directions other than product development (e.g. running a sizable business and all that that entails).
Perhaps it would be better to just make the binaries available for sale online. If another business wants to sell routers you could perhaps enter into a licensing arrangement with them.
The advantage would be that you could focus on what you do best: product development. Similarly this web site could also remain focused on product development.

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Getting Around the Quota

Post by ispyisail »

nice guys

You forget the binaries are open source

Eric could sell the binaries

I could (I wouldn't) download and compile and distribute the same binaries for free.

I think Eric's plan is good

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

Eric wrote: ...
It depends how I work the authentication. If I make it depend on RADIUS authentication I may need to require more powerful hardware, but if I implement a pared down authenticator by default I may be able to squeeze it into the default image, which should work with 16MB of RAM/4MB of flash.
...
RADIUS is as you've said in another posting "a resource hog". I've also seen that it can become a real quagmire for admins and developers (no pun intended). I therefore think the pared down authenticator approach based on MAC/username pairing would be the way to go.
I think you could achieve what most people need much more simply based on MAC/username pairing. For instance if you want to limit the quota for a particular user put in a little algorithm that regularly totals up all the MACs assigned to that particular username. The accuracy of this sort of approach would of course be limited by the frequency of the polling which would be limited by the hardware. If people wanted better accuracy they could choose their hardware accordingly.
I also suggest that binaries should be priced according to the maximum number of users they can accommodate.
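
The polling approach in the post above, combined with the MAC/IP session behaviour Eric describes earlier in the thread, as an added Python example (not code from the thread or from Gargoyle). The `PortalQuota` class, the cumulative per-pair byte counters, the quota value and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

class PortalQuota:
    """Hypothetical accountant: charges traffic to usernames, not to IPs."""
    def __init__(self, quota_bytes):
        self.quota_bytes = quota_bytes
        self.sessions = {}             # (mac, ip) -> username, set at portal login
        self.last = {}                 # (mac, ip) -> counter value at previous poll
        self.used = defaultdict(int)   # username -> bytes charged so far

    def login(self, mac, ip, username, counter_now=0):
        key = (mac.lower(), ip)
        self.sessions[key] = username
        self.last[key] = counter_now   # baseline: earlier traffic is not charged

    def logout(self, mac, ip):
        key = (mac.lower(), ip)
        self.sessions.pop(key, None)   # the pair is de-authenticated from here on
        self.last.pop(key, None)

    def poll(self, counters):
        """counters: {(mac, ip): cumulative bytes} read from the router (assumed).
        Returns (usernames over quota, pairs seen without a session)."""
        unauthenticated = []
        for (mac, ip), total in counters.items():
            key = (mac.lower(), ip)
            user = self.sessions.get(key)
            if user is None:
                unauthenticated.append(key)  # e.g. a cloned pair after logout
                continue
            prev = self.last[key]
            # A counter lower than last time means it was reset (reboot, reload).
            self.used[user] += total - prev if total >= prev else total
            self.last[key] = total
        over = sorted(u for u, b in self.used.items() if b > self.quota_bytes)
        return over, unauthenticated

# Constructed sample data: alice has two devices, bob has one.
LAPTOP = ("AA:BB:CC:00:00:01", "192.168.1.10")
PHONE = ("AA:BB:CC:00:00:02", "192.168.1.11")
BOB_PC = ("AA:BB:CC:00:00:03", "192.168.1.12")

def demo():
    q = PortalQuota(quota_bytes=1000)
    q.login(*LAPTOP, "alice"); q.login(*PHONE, "alice"); q.login(*BOB_PC, "bob")
    first = q.poll({LAPTOP: 400, PHONE: 300, BOB_PC: 200})
    second = q.poll({LAPTOP: 500, PHONE: 250, BOB_PC: 250})  # PHONE counter reset
    q.logout(*LAPTOP)
    third = q.poll({LAPTOP: 900})      # same MAC/IP seen after logout
    return first, second, third, dict(q.used)
```

Because the counters are keyed by MAC/IP pair, traffic from a forged pair during a live session lands on the same counter and is charged to the logged-in user; only after logout does the pair show up as unauthenticated.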

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: Getting Around the Quota

Post by uncle john »

uncle john wrote:...
Perhaps it would be better to just make the binaries available for sale online. If another business wants to sell routers you could perhaps enter into a licensing arrangement with them.
The advantage would be that you could focus on what you do best: product development. Similarly this web site could also remain focused on product development.
Thought I should flesh out my ideas a bit more..
I figure the biggest burden when bringing products like this to the general market is support. Imagine countless mums and dads with even less technical knowledge than me hounding you to fix their "broken" router.
So the ecosystem I had in mind goes something like this:
Gargoyle "licences" a re-seller to sell "badge engineered" binaries/routers. Customers then contact the re-seller for support and relieve Gargoyle/Eric of this burden. The licencees would benefit by being able to buy their "badge engineered" binaries from Gargoyle at a lower price than the general public could buy Gargoyle binaries. Everyone wins. :D
I notice a lot of visitors are reading this topic. It would be nice to get a bit of feedback.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Getting Around the Quota

Post by Eric »

I suspect this topic is popular because people are interested in weaknesses in the quota system (which is what the title refers to), not necessarily my commercialization plans. The thread topic has shifted a bit...

Anyway, I still intend to eventually sell hardware. My plan is to start selling the binaries for larger routers first (since it's obviously easier to do), but I anticipate that actually selling the hardware will yield MUCH higher revenue, and is therefore worth it.

The problem with trying to outsource the hardware is the open-source nature of Gargoyle which I really don't want to give up. The open source license IS the license agreement -- I don't intend to create another one. However, by embodying the software in a physical product, I provide a valuable service beyond the source code (going from firmware->installed on router is the biggest barrier someone wanting to use gargoyle faces). While it's not too hard, it's a huge barrier for a lot of people, especially people who are worried about bricking an expensive piece of hardware. Whoever controls the hardware will control the revenue stream. If I outsource it, I'm putting myself at huge risk, since I think this is where the real value lies.