How to create an open wireless along with private wireless?

I am working in a restaurant and we got our own 10Mbps speed Internet connection. The high speed is intended for our servers and credit card phone line. We recently decided to open wireless up to customers who visit us. However, other neighbor stores keep stealing our connection and it lags our servers' connection. Even though we WEP our wireless connection, because we are a restaurant, we have to give out the password to customers for them to use our free WiFi connection.

My concern is it is just a matter of time until our neighbor stores know the password and steal our connection again. Additional information: our employees also use this connection and it is SLOOOOWW~ Plus, we only get 1-2 bars (out of 5) of signal when we are upfront while the router is located in the office in the back. (Around 20~40 ft away with around 6-7 walls/2-3 rooms) The first day I created a WEP, speed was at 4-5mbps (tested with http://www.speakeasy.net/speedtest/) but after 2 months it dropped down to 1-2mbps. Sometimes it was even below 1mbps. So I want two network access on one service line.

Here is what I have done:

  1. Set up the password WEP. No, I do not want to reset the password everyday~
  2. I've created a password so outsiders cannot access our router information. But I feel this is not safe enough when more than 20 new strangers know our WEP daily.

This is what I want to know (or do):

  1. Create 2 access on one service line. Might need 2 routers (?)
  2. Increase the range of the connection. Router modifications are welcome but please with CLEAR step-by-step or video demonstration.
  3. Limit bandwidth for "guest" (around 20% of max speed) and Max "Private" bandwidth

What I want to accomplish from this:

  1. I want to create one connection for guests so they can surf internet during their visit. I don't care if our neighbors steal our connection as long as we still have our MAIN connection for personal and server usage.
  2. Limited usage for guest
  3. Increase range (and speed if possible) for our guest and personal usages (modifications are welcome)

Let me know if you need any additional information.


Solution 1:

First of all, I would highly advise using WPA2 encryption, not WEP. WEP is easily cracked with consumer hardware and tools. WPA2 is much more secure.

In order to set up advanced configuration on your router, it will be helpful to have router firmware like DD-WRT or Tomato. If your router isn't supported by one of those distros, it might be a good idea to get a router which is.

To deal with your bandwidth hogging guests, you should set up QoS (quality of service) on your router. In order to only restrict your guests, and not yourself, you will need to know the MAC addresses of all of your computers' wireless adapters. If you don't know how to find the MAC address, there are instructions on the internet for how to do so.

Configuring QoS will be different depending on your router's firmware. Find a section labeled either QoS, Quality of Service, Prioritization, or something to that effect. Turn on QoS, then add rules to give each of your computers' MAC addresses highest priority for all ports/services. Then, add a rule setting all other traffic to a lower priority level. You'll have to do some looking around in the config interface, but you should be able to either limit them to a certain percentage of the total bandwidth, or to a certain Kbps max up/down speed.

That should deal with the issue of prioritizing speed on your network. If you want to have a completely separate connection for your guests from your personal computers, DD-WRT supports multiple virtual wireless networks running from a single router, though this feature only works on some routers, so check ahead if you buy a new router. This would let you set up a private and public wireless network separate from each other completely. You could then apply QoS only to the public network.

In terms of extending the wireless signal, see if moving your router's position relative to walls and other obstacles improves the signal. Changing the channel can also help, especially if there is interference from other WiFi networks. Finally, if you must get a second router to cover everything, look into finding a router which supports WDS. WDS creates a meshed network between multiple routers which clients can move between seamlessly. This will make it much smoother moving back and forth between the two routers. This requires having two routers by the same manufacturer with compatible chipsets. Details are available for DD-WRT and Tomato.
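The separate guest network with its own bandwidth cap, as an added example that is not part of the answer above and not DD-WRT's own code: a dry-run generator that prints the firewall and shaping commands for review without applying them. Assumptions: a Linux-based firmware with `iptables` and `tc`, a private bridge `br0` and a guest bridge `br1` (hypothetical names), and a 1 Mbps upload speed (constructed value; the thread gives only the 10 Mbps figure).

```shell
#!/bin/sh
# Added example: print (do not apply) the rules that isolate a guest network
# and cap it to a share of the line. Interface names are assumptions.

guest_rules() {
    down_kbit=$1          # line download speed in kbit/s (10 Mbps = 10000)
    up_kbit=$2            # line upload speed in kbit/s (assumed, not in the thread)
    pct=$3                # guest share in percent (the question asks for about 20)
    guest_if=${4:-br1}    # guest bridge (hypothetical name)
    lan_if=${5:-br0}      # private bridge (hypothetical name)

    # Reject non-numeric or out-of-range input instead of emitting bad rules.
    for n in "$down_kbit" "$up_kbit" "$pct"; do
        case $n in
            ''|*[!0-9]*) echo "error: numeric arguments required" >&2; return 1 ;;
        esac
    done
    if [ "$pct" -lt 1 ] || [ "$pct" -gt 100 ]; then
        echo "error: percent must be 1-100" >&2
        return 1
    fi

    g_down=$((down_kbit * pct / 100))
    g_up=$((up_kbit * pct / 100))

    cat <<EOF
# Guests must not reach the private LAN (servers, card terminal), or vice versa.
iptables -I FORWARD -i $guest_if -o $lan_if -j DROP
iptables -I FORWARD -i $lan_if -o $guest_if -j DROP
# Guests must not reach the router's admin services.
iptables -I INPUT -i $guest_if -p tcp -m multiport --dports 22,23,80,443 -j DROP
# Download cap: shape traffic leaving the router towards guests.
tc qdisc add dev $guest_if root handle 1: htb default 10
tc class add dev $guest_if parent 1: classid 1:10 htb rate ${g_down}kbit ceil ${g_down}kbit
# Upload cap: police traffic arriving from guests.
tc qdisc add dev $guest_if handle ffff: ingress
tc filter add dev $guest_if parent ffff: protocol ip u32 match u32 0 0 police rate ${g_up}kbit burst 20k drop flowid :1
EOF
}

# 10 Mbps down, 1 Mbps up (constructed value), 20% of the line for guests.
guest_rules 10000 1000 20
```

Because the cap is tied to the guest interface rather than to a list of MAC addresses, it keeps working when a new staff device joins the private network.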

Solution 2:

One option you may want to consider using is the installation of a directional antenna or two in the ceiling pointing down, instead of using an omnidirectional antenna. There are all sorts of different external antennas you can get which have beam widths of, say 90 degrees. You could put this in the upper corner of your establishment, pointing down and back towards where you want coverage.

This is like putting blinders on the wireless access point, so that it can't "see" people that aren't in your business. It can also improve performance by increasing the signal within your business (the same radio energy is concentrated to a smaller space), increase penetration through walls, and reduce interference from surrounding businesses that may have wireless networks, cordless phones, or other devices on the same frequencies.

People in neighboring businesses will get a weak signal if they get any signal at all.

You could also try installing a second AP in the dining room, and turning down the power on both wireless APs. This will also reduce the coverage area.

These techniques may be able to reduce or eliminate the amount of "stealing" of your wireless that goes on, without requiring that you change the network password regularly. However, if you have an oddly shaped coverage area it may require several APs and antennas.

So now that you are sure that it's only people in your business using it, you can deal with using shaping or quality of service to limit the amount of impact they have on your business critical network services as mentioned by other folks here. Remember that you not only have to limit incoming bandwidth but also outgoing. I've often found that when network performance really gets bad, it's because of someone saturating the outbound bandwidth (usually a small fraction of the incoming) with file sharing or a virus or worm.

One thing you may want to consider is getting another network connection for customers. Your credit card services may not need that much bandwidth, but you really want them to work no matter if someone is doing file sharing or not. So an inexpensive line for that, and then another line that is independent that the customers can share.

Solution 3:

If you want a degree of control and security over who is using your connection, you need to have some form of access ticketing system. This is easy to set up and the wonderful folks at http://www.worldspot.net will give you a free account for this provided that you offer your hotspot free of charge.

Use this in conjunction with a router running dd-wrt firmware with chillispot and you have a fully managed, controlled public wifi system with a customisable opening page and (very important) you can ensure that people using your service click to agree to your terms and conditions of use before proceeding.