Originally Posted by henrikwidth
The setup will be something like this:
three nic (Wan, Wireless, Wired)
two nics (In, Out), url-redirecting of some sort++
I'm not exactly sure what you are trying to say here.
-WWW------[ Firewall/Router ]----[WAP]******[ Clients ]
Then your wireless and wired clients will be on different subnets (recommended). You can do a transparent proxy a few ways:
- Have one machine to do everything (NATing, Routing, proxying, authenticating, etc.)
- Have a netfilter-based firewall and a separate proxy box
The benefit of the first is that there is a slight reduction of latency. But it has a few downsides:
It is a better security practice to have many small devices that do one thing and do that thing well rather than one device that does everything. Not only is it a bad security practice, it is harder to maintain/upgrade (especially if you -- the designer -- will not be able to administer it.
So I'll talk about the second way. You set up your firewall to manage two subnets (who shouldn't be able to directly talk to each other). All traffic from your wired LAN to the internet will be NATed by this firewall. All traffic from the wireless subnet will be forwarded to the proxy. This way, the firewall knows nothing about authentication (and it shouldn't need to).
On the proxy box you should probably set up squid, since it has a very flexible access control/authentication system (you might as well do some caching with it also). Assuming the proxy box also has basic netfilter capability, you can implement a keying system in which certain machine(s) on your LAN is able to generate and see keys. You'd probably need to write a CGI script or something to make this `user-friendly' for the librarian. Read the squid documentation to get an idea of the kinds of authentication schemes you can use.
P.S. What's the difference between HotSpot and AP?