My uncle just emailed me and told me that he wants me to install wireless internet access in one of his resturants!

At first I wanted to just throw a copy of smoothwall on an old box and put it on that network with a couple wireless access points. Easy. But my uncle gets the idea from a friend that he needs a couple of extra little features and I'm not sure if any router distros out there currently have any of these without having to pay for them!

List of what he's looking for:

Ability to remotely monitor traffic. Be emailed or SMS'd if an access point goes down.

VPN so he can admin the access points remotely

Bandwidth management. So we can limit bandwidth based on mac or IP Address.

Login page so that just visitors see a page with info on the access being provided that will have a login and a short disclaimer or terms of use section. Like it blocks internet access until they see the terms of use page then click "AGREE". Then once they click that, the internet is active for their mac address.

Page redirect. So that it redirects to a certain page when that person logs in

I know it's asking a lot. But I guess he stayed in a hotel once that had stuff like this and agreed with his friend when he suggested it.

I researched some gateways on ebay and they're like $300-$600 and some are even $1,000 for these features! Is there any FREE distro out there that has these features without having to configure the hell out of an install or with easy package upgrades? Like. I don't want to spend forever trying to figure out how to play around with radius or anything like that because I still don't get it (how to use radius or configure it).

Does anyone have any suggestions? My uncle seems hell bent on this kind of install. I'll do it for him but only if I can find the proper router distro.

Everything can be done outside of a specific distribution.... most distro's will even include the needed tools.

I've already done most of it (with the exception of a login page) That really just sounds like it could be implemented with a CGI script that kicks in an ipfilter script to allow that address access to the external network. So by default, your routing everything on port 80 to your local server and changing that rule once someone clicks a button.

Traffic monitoring is simply done via ipfilter rule sets and your flavor of graph generation. Probably by now someone has already rolled a utility to handle this (I had to do mine by myself some time ago

For failure detection, you simple implement some monitoring for the ip addresses. MIDAS is probably over kill for this, but it does a good bit of stuff. Instead, if NetSaint is still under active development you can give it a whirl. (be prepared to get your hands dirty as the last time I looked at it there was no gui installed).

Instead of VPN, you could simply use SSH tunneling and a simple utility to redirect needed ports. (Just some web based monitoring should do and all that entails is port 80) SSH will give you more flexibility if you need more ports or maybe just https available to a specific IP range.

Everything else is just simple reports and the medium is not difficult.

You are just going to be pooling a little bit of knowledge from here and there.

But as far as I understand, there is no distribution which does exactly what you are asking for.

I might be wrong....

Thanks for the reply. Does anyone else have any suggestions also??

I'll go ahead and break things down...

netsaint - monitor ap's, send email when down, you could even configure a modem to page you.

login license:

default ipfilter rule: redirect all port 80 traffic to say 8080 to apache which serves up a cgi script.
The cgi script takes your ip address and adds an ipfilter rule to exclude you from this default ruleset.

Now here is where it gets fuzzy. ipfilter doesn't seem to care about time at least, not that I can tell, so here is where you can do some script magic. You could add the ip address and logon time. Then a script can come in from cron and check to see if their time allotment is up. At that point it could easily remove them from the exclusion list or normal forward rule. Ideally, you would also want a logoff option. (I would recommend implementing a quick way to create an account linked to some email address)

Another idea is to configure squid with logins. You get the benefit of not worrying about firewall rule sets and the bonus of caching to save some bandwidth. I'm sure there is some squid magic to log them off or time out.

remote monitoring - again, just keep it simple, there are free clients available and you could setup a quick easy logon to forward the localport of say 4501 to your local network of port 80. (or just allow remote access to netsaints web monitor)

bandwidth utilization - mrtg and ipfilter rules for accounting. if you want to get funky you could break bandwidth down by username (but that would be more work)

The more I look at your requests, the easier it seems to be to implement them, but I can't really sit down for a day and write up a howto. (Their are enough collections around and probably tools to do a lot of this)