When I started the company, we used the RPi as the WiFi Access Point. The trouble with them is that the built in WiFi module is pretty limited in its ability to handle many simultaneous users and to provide a robust signal throughout a space. You can buy 3rd party USB WiFi dongles, but I found that they have a high failure rate over their lifetime. i.e. not the most robust solution.
If you go the RPi route, you may find the following script helpful. This will bridge the 3rd party dongle to the local network, isolate devices from communicating to private network IPs, and forward HTTP/S traffic through the Squid HTTP proxy service. (sorry about the formatting):
#!/bin/bash
set -e
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
# Set the proxy interface based on the presence of wlan0 or not
if [ -e "/sys/class/net/wlan0/operstate" ] ; then
PROXY_INTERFACE=wlan0
else
PROXY_INTERFACE=eth0
fi
PROXY_HTTP=3128
PROXY_HTTPS=3129
PROXY_NETWORK=`ip address show $PROXY_INTERFACE | grep 'inet .* brd ' | head -1 | sed -e 's/inet \(.\) brd.$/\1/' | sed -e 's/ //g'`
# Allow traffic to the proxy's network
iptables -A FORWARD -d ${PROXY_NETWORK} -j ACCEPT
# Drop traffic forwarded to all other class A, B, and C private networks
iptables -A FORWARD -m iprange --dst-range 10.0.0.0-10.255.255.255 -j REJECT
iptables -A FORWARD -m iprange --dst-range 172.16.0.0-172.31.255.255 -j REJECT
iptables -A FORWARD -m iprange --dst-range 192.168.0.0-192.168.255.255 -j REJECT
# WiFi AP Only; Bridge WLAN to eth0
if [ $PROXY_INTERFACE = "wlan0" ]; then
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o $PROXY_INTERFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $PROXY_INTERFACE -o eth0 -j ACCEPT
2₵s: The wording of this title is extremely misleading. "Biden Crime Record", refers to controversial legislation Biden was involved with, not a record of crimes he is accused of.
The actual article about Instagram suppressing opinions about that controversial legislation is interesting.
Aside from being easier to automate, getting IP's via the ASN lookup is also better for blocking HTTPS requests when you are MITM, since the HTTPS request will only contain the IP and not the FQDN.
Also, many firewalls do a 1-time DNS lookup of a given FQDN to resolve a single IP address when a FQDN based rule is created. This doesn't work well if you have an FQDN that can resolve to many different IP's, which is typical for cloud services.
This is an issue across many EU countries, that require by law that WiFi providers track what their users do online, and to keep a permanent record of it. Its onerous to implement and support. I believe it arose from anti-terrorism legislation.