Over the past couple years, we have been using Pebble Linux, as the main OS for our deployments. Pebble Linux is based off of Debian GNU/Linux, which is the OS the majority of our servers run on. Pebble is meant for embedded systems, offering a very small file system footprint. Once extracted to a Compact Flash memory card, total usage weighs in around 60MB. After a few custom additions, final install sits around 80MB. A custom kernel is built, which includes the latest kernel, Host AP drivers, ebtables (Bridging firewall), and a few other Netfilter patches.

Recently we started deploying Linksys WRT54GS's, instead of the custom PC's running Pebble. A few reasons for doing so were: Linux OS, decent range, all in one package, and cheap price. At the time a few third party firmwares had come out. One of which, Sveaosft, had the right type of features, including bootup scripts that were required. Bootup scripts, written in nvram, allowed for persistency after a reboot. The scripts issue a wget, which would then download an expanded startup script, fix permissions, and finally execute it. From there it would download additional programs, add additional iptable rules, and startup the captive portal.

The majority of new WRT54GS's deployed during the end of 2005, and now 2006 use OpenWrt. The ImageBuilder for the White Russian RC's makes building images a snap. Eventually most, if not all of the WRT54GS's deployed will be converted over.

Captive Portal:

NoCat, running in Open Mode, was our desired functionality. A custom welcome page was created for each location, which includes a disclaimer/AUP that users must agree to if they wish to gain access to the Internet. Other than upgrading to the latest release, and adding a few custom MARK's, this has worked great for all the custom PC deployments.

Once the Linksys WRT54GS's came into the picture, a compiled captive portal was needed. NoCatSplash, compiled for a mips processor was found, and setup. The only problem that was experienced, was with a Sony Clie, which when submitting the form POST, the Content-Length would get munged in NoCatSplash, and not grant access. A tcpdump confirmed it was getting passed correctly. Since this was only deployed at one location, it was just left as is.

A few months had passed, during which Sveasoft was in the middle of the Alchemy beta, and had included ChilliSpot into the build. With NoCatSplash having an issue, a different captive portal was required. A couple new WRT54GS HotSpots were about to be deployed, and it needed to work flawlessly. After creating a ChilliSpot config designed for the WRT54GS, it's cgi script were installed on a secure Apache server, and the Radius server was setup. It nearly worked first try, except when the older version of ChilliSpot on the WRT54GS, clashed with the cgi script which was the latest version. Once the cgi script was fixed to allow for the old result's, everything worked perfectly. A few code additions were also added that allowed for centralized custom welcome screens (using REMOTE_ADDR & NASID), controlled by a MySQL backend.

A few of the impressive features of ChilliSpot is it's built-in rate limiting (Max Up/Down throttles & Max Session Up/Down), Session-Timeout's, Acct-Interim-Interval, and Framed-IP-Address. Rate limiting is used to give public access a slower rate, versus a XM customer who will get a higher rate. Session-Timeout's for forcing a logout (although unlimited logins). Framed-IP-Address is handy for giving out preauthenticated static IP's to machines that belong to the HotSpot location (bypassing the portal). Acct-Interim-Interval is handy for getting up to the minute usage statistics on all authenticated clients.

Embedded Software:

For the WRAP boards, I evaluated a few different offerings. The two primary packages were m0n0wall and StarOS. m0n0wall had just released version 1.2b5 which included Atheros support, and worked nicely on the WRAP board. After playing with it for a while, I determined that it was missing a few things I required. StarOS was then installed, and after tinkering with it for a while, I found it did everything I required, and had some impressive Atheros drivers. The two main downsides about StarOS was having to license it, and no root access. But in the end I chose StarOS. It's admin interface is accessed via ssh, which ties into a curses interface. Most features are available to change, except for a couple things (ip policy routing please).

Custom Scripts:

Quite a few custom scripts have been created to handle a wide variety of tasks. Some of these include:

  • Custom PC - /proc/net/dev & /proc/net/hostap/wlan0/ parsers, syslog or SSL feed, and then added into MySQL.
  • Custom PC - Remote cmd/control (BAN clients, disconnect clients, restart services, monitor, get vitals, reboot)
  • WRT54GS - /proc/net/dev & wl assoclist/wds/rssi parsers, syslog or SSL feed, and then added into MySQL.
  • WRT54GS - Remote cmd/control (BAN clients, disconnect clients, restart services, monitor, get vitals, reboot)
  • MySQL to Cricket - Export steppings from MySQL into Cricket RRD stats
  • MySQL to RRD - Generate bandwidth usage and SNR level for each MAC address (continually rolling forward)
  • status.cgi - Provides detailed vitals about each clients wireless connection (Troubleshooting for XM techs)