Chances are you’ve “shared” a neighbor’s wireless connection at one time or another, or discovered that your own network reaches to the laundromat next door, conveniently allowing you to work while you wash. Why not make all this sharing official? Whether you want to entice customers to your hip café or simplify life for everyone in your apartment building, it makes sense to set up a wireless hotspot.
Make it legal
First you need to ensure that your Internet service provider (ISP) allows this kind of sharing. Many ISPs limit how you can use their least-expensive DSL or cable-modem connections. Your service contract’s fine print typically states that a connection is intended for a single household or office, so you may have to pony up for a higher-priced service or a business-oriented solution such as a T1 line.
Data-transfer fees are also an issue. Because you’re opening up your network to all comers, you can’t control how much they download. Some ISPs impose a monthly data-transfer limit, often between 1GB and 10GB. Exceed that, and you might have to pay $20 or more per extra gigabyte transferred.
If you don’t like what your ISP has to say on either topic, then consider Speakeasy. Speakeasy actively encourages network sharing, and it doesn’t impose any data-transfer limits. It’ll even set up accounts, handle billing, and credit revenue against your charges if you want your neighbors to help pay for the service. Speakeasy offers DSL and T1 lines via partners throughout the United States.
Secure your stuff
Once you’ve got your ISP on board, it’s time to decide on security options, from whether to password-protect your network to how to secure your own data.
To Encrypt or Not? Most hotspots feature no password protection or encryption. If you want to set the bar a little higher for access, you can create a WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) key. WPA is preferable, as hackers can easily extract a WEP key by using a packet sniffer such as binaervarianz’s KisMac (free) to watch encrypted data as it flows by. (Hotspot visitors must be running at least Mac OS X 10.3 or Windows XP Service Pack 1 in order to log on to a WPA-encrypted network.)
Protecting Yourself There’s a problem with Wi-Fi gateways that allow other users to connect: they don’t protect data moving across your network, either between computers or to and from the Internet. So if you’re using your own computers on the network, your data ends up mingling with that of hotspot habitués. Firewalls restrict connections to your computer, but hackers can still intercept data.
There are three options for protecting your computers:
Set up a separate Internet connection for the hotspot. This is a good solution for some businesses, but it’s expensive.
Use a Virtual Private Network (VPN) service. This encrypts all data that goes between your computer and the service’s servers on the Internet. But this solution doesn’t help you with connected local computers—hackers can still sniff out data that passes between them.
Connect two Wi-Fi gateways. The inner gateway connects all of your computers; the outer gateway joins your inner gateway to the Internet and allows Wi-Fi connections from passersby. This is the option I recommend: it’s the simplest way to achieve the greatest security at the lowest cost. Also, it protects Windows machines on your network against infection from worms that hotspot users might bring in. I’ll explain how to set up a two-gateway system in the next section. (For more-advanced hotspot setups, see “High-End Hotspots.” below)
Separate your networks
Technically, you can use any two routers for your connected gateways, including Apple’s AirPort Extreme Base Station ($199). If you go with a Base Station, I suggest using it as your inner gateway and purchasing a product such as the Buffalo WHR-G54S for your outer gateway. It not only has a low price—you can buy it online for as little as $50—but also includes a Privacy Separator feature, which ensures that your data won’t become visible to others as it travels from your protected inner gateway to the public outer gateway, on its way to the Internet.
The Public Arena First configure the outer gateway (your publicly accessible router). Give it a descriptive name, such as Open or the title of your business.
Next, configure the gateway’s network addresses. Open your router’s administrative tool and set your gateway’s LAN address to
192.168.101.1. If it also lets you set the starting address of automati-cally assigned DHCP numbers, change that to
192.168.101.2. Configure your Internet connection on the WAN (wide area network) side using instructions from your ISP.
If you’re using the Buffalo router, you can set the LAN (local area network) and starting DHCP addresses by going into the Advanced setup screen and selecting LAN Config. While you’re in the Advanced setup, enable the Privacy Separator option (under Wireless Config: 802.11g: Security). Test to confirm that your outer gateway is working.
Make sure you change the administrative password. If you don’t, someone could log on and tweak your router configuration.
The Flow of Info
By connecting two gateways, you can create a secure personal network and an open public network.
Your Private Enclave Now it’s time to set up the inner gateway (your personal network). Choose an appropriate name, such as Private Network. Next, turn encryption on. To do this, look for the wireless security panel in your router’s configuration menu—it may be a subsection of the wireless settings. If all of your computers can handle it, set the encryption type to the home version of WPA (sometimes listed as WPA-PSK or WPA Personal); otherwise, choose WEP.
If you’re using an AirPort Base Station, set encryption by launching AirPort Admin Utility (/Applications/Utilities), connecting to the Base Station, and clicking on the Change Wireless Security button in the AirPort tab. Choose your preferred encryption method and enter a password.
Now you’ll need to configure the LAN so your local computers have their own private set of network addresses. Start by setting your router’s address to
192.168.100.1. If there’s a field for setting the starting address of automatically assigned DHCP addresses, change that to
192.168.100.2. Next, configure the router to obtain an Internet address from its WAN port via DHCP—this allows the inner gateway to send traffic through the outer gateway and on to the Internet.
Apple hides the setting for changing a LAN network number deep inside AirPort Admin Utility. Under the Network tab, select Share A Single IP Address (Using DHCP And NAT). In the pop-up menu that appears, choose Other and set the gateway’s LAN address to
192.168.100.1. (Doing so automatically sets the DHCP pool to start at the next number.) Then, under the Internet tab, choose Using DHCP from the Configure pop-up menu.
Merging Private and Public Finally, connect the gateways by plugging an Ethernet cable into the WAN port of the inner gateway and into any LAN Ethernet port on the outer one. Connect your Mac to the inner gateway’s LAN port and your modem to the outer gateway’s WAN port (see “The Flow of Info”). Voilà! You’ve now got an isolated inner network, accessible only by password. Take a bow, alert the neighbors, and start sharing.
If you want to offer user accounts or collect access fees, consider the following hardware and services. They can help you take your hotspots to the next level.
Corriente The $300 Elektron Server lets you set up user accounts and passwords, making this a good option for small offices that want more security or the ability to control access.
SputnikNet Managed service providers, such as SputnikNet, help you serve up a hotspot by recommending or installing hardware and running the service for you. For a onetime fee of $50, you can set up a hotspot with a single gateway. For a larger network, you’ll have to pay additional monthly charges, but even the basic account lets you use PayPal to collect fees.
Fon This new service provides free firmware that you can install in certain compatible Wi-Fi gateways, turning them into outposts on the network. There’s no cost to join the network, and you can even keep a portion of the fees collected.
[ Glenn Fleishman writes about wireless networking for the New York Times, The Economist, and his Wi-Fi Networking News Weblog.]