When I started the company, we used the RPi as the WiFi Access Point. The trouble with them is that the built in WiFi module is pretty limited in its ability to handle many simultaneous users and to provide a robust signal throughout a space. You can buy 3rd party USB WiFi dongles, but I found that they have a high failure rate over their lifetime. i.e. not the most robust solution.
If you go the RPi route, you may find the following script helpful. This will bridge the 3rd party dongle to the local network, isolate devices from communicating to private network IPs, and forward HTTP/S traffic through the Squid HTTP proxy service. (sorry about the formatting):
#!/bin/bash
set -e
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
# Set the proxy interface based on the presence of wlan0 or not
if [ -e "/sys/class/net/wlan0/operstate" ] ; then
PROXY_INTERFACE=wlan0
else
PROXY_INTERFACE=eth0
fi
PROXY_HTTP=3128
PROXY_HTTPS=3129
PROXY_NETWORK=`ip address show $PROXY_INTERFACE | grep 'inet .* brd ' | head -1 | sed -e 's/inet \(.\) brd.$/\1/' | sed -e 's/ //g'`
# Allow traffic to the proxy's network
iptables -A FORWARD -d ${PROXY_NETWORK} -j ACCEPT
# Drop traffic forwarded to all other class A, B, and C private networks
iptables -A FORWARD -m iprange --dst-range 10.0.0.0-10.255.255.255 -j REJECT
iptables -A FORWARD -m iprange --dst-range 172.16.0.0-172.31.255.255 -j REJECT
iptables -A FORWARD -m iprange --dst-range 192.168.0.0-192.168.255.255 -j REJECT
# WiFi AP Only; Bridge WLAN to eth0
if [ $PROXY_INTERFACE = "wlan0" ]; then
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o $PROXY_INTERFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $PROXY_INTERFACE -o eth0 -j ACCEPT
2₵s: The wording of this title is extremely misleading. "Biden Crime Record", refers to controversial legislation Biden was involved with, not a record of crimes he is accused of.
The actual article about Instagram suppressing opinions about that controversial legislation is interesting.
Aside from being easier to automate, getting IP's via the ASN lookup is also better for blocking HTTPS requests when you are MITM, since the HTTPS request will only contain the IP and not the FQDN.
Also, many firewalls do a 1-time DNS lookup of a given FQDN to resolve a single IP address when a FQDN based rule is created. This doesn't work well if you have an FQDN that can resolve to many different IP's, which is typical for cloud services.
This is an issue across many EU countries, that require by law that WiFi providers track what their users do online, and to keep a permanent record of it. Its onerous to implement and support. I believe it arose from anti-terrorism legislation.
They usually have a guest speaker or two or three who has built something on Meteor.
Personally, I've enjoyed working with it over the last two years. It comes with a lot of powerful functionality built in (too much to list here).
But, it is still changing. They just got to 1.0 in September, I think. I know a big red flag for many is its immature testing framework, which is not up to par yet.
Even w/ WPA encryption enabled, a malicious user merely needs to get the network password/access to sit on the network and sniff packets as they fly by. This could be achieved thru various network sniffing tools, or some surreptitious people hacking. So relying on encryption alone does not solve anything.
If your guest WiFi is un-encrypted, i.e. no password/WPA, there is still transport layer encryption like HTTPS, that will secure the connection between the client and server, i.e. your web browser and your bank website. HTTPS assumes that you are on an insecure connection, that's what it was designed for!
Finally, many guest networks implement client isolation, which prevents clients on the LAN from communicating directly with each other or to other private LAN's connected to the guest network. Often network admins setup wholly separate network infrastructure for guest access, totally isolating their private back office LAN from the guest LAN.
Anyways, this stuff is hard, and probably beyond the comprehension of your average business that needs to implement guest WiFi.