What to filter when providing very limited open WiFi to a small conference or meeting?
Executive Summary
The basic question is: if you have a very limited bandwidth WiFi to provide Internet for a small meeting of only a day or two, how do you set the filters on the router to avoid one or two users monopolizing all the available bandwidth?
For folks who don't have the time to read the details below, I am NOT looking for any of these answers:
- Secure the router and only let a few trusted people use it
- Tell everyone to turn off unused services & generally police themselves
- Monitor the traffic with a sniffer and add filters as needed
I am aware of all of that. None are appropriate for reasons that will become clear.
ALSO NOTE: There is already a question concerning providing adequate WiFi at large (>500 attendees) conferences here. This question concerns SMALL meetings of less than 200 people, typically with less than half that using the WiFi. Something that can be handled with a single home or small office router.
Background
I've used a 3G/4G router device to provide WiFi to small meetings in the past with some success. By small I mean single-room conferences or meetings on the order of a barcamp or Skepticamp or user group meeting. These meetings sometimes have technical attendees there, but not exclusively. Usually less than half to a third of the attendees will actually use the WiFi. Maximum meeting size I'm talking about is 100 to 200 people.
I typically use a Cradlepoint MBR-1000 but many other devices exist, especially all-in-one units supplied by 3G and/or 4G vendors like Verizon, Sprint and Clear. These devices take a 3G or 4G internet connection and fan it out to multiple users using WiFi.
One key aspect of providing net access this way is the limited bandwidth available over 3G/4G. Even with something like the Cradlepoint which can load-balance multiple radios, you are only going to achieve a few megabits of download speed and maybe a megabit or so of upload speed. That's a best case scenario. Often it is considerably slower.
The goal in most of these meeting situations is to allow folks access to services like email, web, social media, chat services and so on. This is so they can live-blog or live-tweet the proceedings, or simply chat online or otherwise stay in touch (with both attendees and non-attendees) while the meeting proceeds. I would like to limit the services provided by the router to just those services that meet those needs.
Problems
In particular I have noticed a couple of scenarios where particular users end up abusing most of the bandwidth on the router, to the detriment of everyone. These boil into two areas:
Intentional use. Folks looking at YouTube videos, downloading podcasts to their iPod, and otherwise using the bandwidth for things that really aren't appropriate in a meeting room where you should be paying attention to the speaker and/or interacting.
At one meeting that we were live-streaming (over a separate, dedicated connection) via UStream, I noticed several folks in the room that had the UStream page up so they could interact with the meeting chat - apparently oblivious that they were wasting bandwidth streaming back video of something that was taking place right in front of them.Unintentional use. There are a variety of software utilities that will make extensive use of bandwidth in the background, that folks often have installed on their laptops and smartphones, perhaps without realizing.
Examples:Peer to peer downloading programs such as Bittorrent that run in the background
Automatic software update services. These are legion, as every major software vendor has their own, so one can easily have Microsoft, Apple, Mozilla, Adobe, Google and others all trying to download updates in the background.
Security software that downloads new signatures such as anti-virus, anti-malware, etc.
Backup software and other software that "syncs" in the background to cloud services.
For some numbers on how much network bandwidth gets sucked up by these non-web, non-email type services, check out this recent Wired article. Apparently web, email and chat all together are less than one quarter of the Internet traffic now. If the numbers in that article are correct, by filtering out all the other stuff I should be able to increase the usefulness of the WiFi four-fold.
Now, in some situations I've been able to control access using security on the router to limit it to a very small group of people (typically the organizers of the meeting). But that's not always appropriate. At an upcoming meeting I would like to run the WiFi without security and let anyone use it, because it happens at the meeting location the 4G coverage in my town is particularly excellent. In a recent test I got 10 Megabits down at the meeting site.
The "tell people to police themselves" solution mentioned at top is not appropriate because of (a) a largely non-technical audience and (b) the unintentional nature of much of the usage as described above.
The "run a sniffer and filter as needed" solution is not useful because these meetings typically only last a couple of days, often only one day, and have a very small volunteer staff. I don't have a person to dedicate to network monitoring, and by the time we got the rules tweaked completely the meeting will be over.
What I've Got
First thing, I figured I would use OpenDNS's domain filtering rules to filter out whole classes of sites. A number of video and peer-to-peer sites can be wiped out using this. (Yes, I am aware that filtering via DNS technically leaves the services accessible - remember, these are largely non-technical users attending a 2 day meeting. It's enough). I figured I would start with these selections in OpenDNS's UI:
I figure I will probably also block DNS (port 53) to anything other than the router itself, so that folks can't bypass my DNS configuration. A savvy user could get around this, because I'm not going to put a lot of elaborate filters on the firewall, but I don't care too much. Because these meetings don't last very long, its probably not going to be worth the trouble.
This should cover the bulk of the non-web traffic, i.e. peer-to-peer and video if that Wired article is correct. Please advise if you think there are severe limitations to the OpenDNS approach.
What I Need
Note that OpenDNS focuses on things that are "objectionable" in some context or another. Video, music, radio and peer-to-peer all get covered. I still need to cover a number of perfectly reasonable things that we just want to block because they aren't needed in a meeting. Most of these are utilities that upload or download legit things in the background.
Specifically, I'd like to know port numbers or DNS names to filter in order to effectively disable the following services:
- Microsoft automatic updates
- Apple automatic updates
- Adobe automatic updates
- Google automatic updates
- Other major software update services
- Major virus/malware/security signature updates
- Major background backup services
- Other services that run in the background and can eat lots of bandwidth
I also would like any other suggestions you might have that would be applicable.
Sorry to be so verbose, but I find it helps to be very, very clear on questions of this nature, and I already have half a solution with the OpenDNS thing.
Solution 1:
For starters, be very specific about the type of traffic you want to allow. Have a default deny rule then allow ports like 80, 443, 993, 587, 143, 110, 995, 465, 25 (I personally would rather not open this, but you probably will get a ton of complaints if you don't). Also permit UDP connections to port 53 on OpenDNS' servers.
This will give you a great start. It'll kill most of the bandwidth hogging protocols. It'll also block a lot of VPN connections (not ssl vpns though) which should help prevent people from bypassing your security.
If you have a firewall capable of blocking filetypes, you should probably also block exe, bin, com, bat, avi, mpeg, mp3, mpg, zip, bz2, gz, tgz, dll, rar, tar and probably a bunch of others I'm leaving out.
Other than that, your current restrictions are probably decent enough. You can add updates to the list. Personally, I wouldn't block A/V updates. If you really want to, you can block their entire domains (*.symantec.com, *.mcafee.com, *.trendmicro.com, etc). Microsoft update URLs are available at http://technet.microsoft.com/en-us/library/bb693717.aspx
Solution 2:
Using OpenDNS will not block torrents.
It will only block their ability to find new torrents online and add them to their queue.
If they walk in with 5 torrents halfway done, and then link to the LAN via WiFi, wham, all of the torrents will resume and take all available bandwidth. A careful read of the OpenDNS website points this out. And if you think about how DNS works, it makes sense.
Blocking existing torrents is difficult. Your smartest move is to limit the number of maximum connections to 60-100 per user, right in the radio. iTunes and Torrent open thousands.
Solution 3:
First off, any one wifi router is really only good for around 60 or so connections, so the worst case of your 'less than 200 people with less than half using wifi' (99 users) may still require at least one more router.
Secondly, you should look into traffic shaping... ideally you want to give every IP on the inside the same guaranteed minimum bandwidth and let them fight over the extra... that way no one gets shut out but anyone can still burst to full capacity.