Showing posts with label Aruba 501. Show all posts

2018-06-13

This, Jen, is "The Internet"

It was a classic from The IT Crowd when they presented Jen (their boss) with "The Internet". We even have one of these boxes with flashing red LED in our office.

I have been looking at some kit to work with WiFi which you may find in a public hot spot of some sort, or, for example, a cruise ship.

Obviously, the simple answer is just to point your phone or laptop WiFi at the service. But sadly, in spite of net neutrality in the EU, it is not always that simple. Sometimes the service will have loads of things blocked: not just web sites, but ports and protocols, making things like IPsec unavailable. Of course, if you are being really special you may have something that does not have WiFi, such as a VoIP PoE desk phone, which Simon has been using!

The answer is to bring along The Internet. I am far from the first to do this, as a friend of mine (Kev) had a cunning set up with a FireBrick and two access points strapped together, and (if I recall correctly) a way they ran off one power supply. To be fair, it is more compact than what I have done.

Mikrotik mAP light

The first solution used a FireBrick and the tiny Mikrotik mAP light, which can literally stick to the lid of the FireBrick. Powered by the USB on the FireBrick (which worked, to our surprise). However, not enough juice to power two of them. It did, however, have a cunning mode where it could be a client WiFi, and on the same channel it can be an AP as well. This is not perfect but I have to say it is very clever. The result is very small and neat. I did, however, have a Mikrotik die on me, and I found it very fiddly to configure. But well worth a try.

HPE/Aruba 501

I have now found a rather curious device that is a dedicated WiFi client bridge, the Aruba 501. I would have to say it is much more industrial than the Mikrotik (which matters to some customers, obviously), and it even has DIN rail mounting.

It has all the bells and whistles - multiple antennae, 2.4GHz and 5GHz, 802.11a/b/g/n/ac, roaming, etc. It is intended to allow a device that does not have WiFi to effectively have WiFi via Ethernet.

It goes a tad further and even has an old school serial port which you can configure to connect to an IP address and port to pass serial data. This is ideal for old PoS (Point of Sale) terminals and things like console ports.

However, the big thing for me was that it can do "MAC cloning". This is where it connects on the WiFi using a MAC address of your choice, and passes packets to/from the device with that MAC on the Ethernet connection. The only down side is it stops answering ARPs for its internal IP when in that mode. Thankfully if you have the ARP cached you can still talk to it, but it does seem an oddity.

The reason this is important is that a lot of public access points are locked down so that only the MAC of the WiFi/radio side is allowed to send or receive packets. The MAC cloning allowed me to make the FireBrick appear as the WiFi device.

Where the FireBrick comes in to play

The reason for a FireBrick, apart from how cool they are, is that they are very good at being an endpoint on the WiFi and working in a variety of ways - such as NAT out to the Internet for locally connected devices on Ethernet, but also as an endpoint for various tunnels. These can include standard things like IPsec (which, as I say, may be blocked), or things like L2TP (not blocked) or even custom FB105 tunnel protocol, which can be configured on any UDP port.

It is even set up to flash its LED red if no connection, and solid green when L2TP is up, which is handy as you navigate a fjord.

The end result...

Actually, Jen, this is The Internet!

  • Top left: Aruba 501 WiFi Bridge Client
  • Bottom left: Aruba 305 WiFi AP
  • Top: Aruba 2580 PoE switch
  • Top right: FireBrick FB2900

The switch was mainly for simplicity - the FireBrick has enough ports, but the Aruba 501 and 305 are both PoE. But I also used a Snom on PoE off the switch as well.

Why the fibre: Well, just because - this is all testing stuff, and it was interesting as the switch would initially not talk to it. I had to find a CLI command to not check the manufacturer of the SFP. It was expecting it to be "genuine hp" and not a Flexoptics unconfigured SFP. But that worked. Fibre to the ship :-)

So now we have a LAN here, and WiFi, on fixed IPv4 and IPv6 addresses, all working. We ended up using L2TP with lower MTU as the tunnel solution that worked. And when we had some people we met come round for drinks they were saying "wow, this is way better than the ship wifi", which sort of makes no sense as it is the ship wifi!!!

And just to clarify, this is not some nasty hack to use WiFi for which we have not paid! We have paid for the premium WiFi 24/7 for the whole cruise which is listed as "unlimited" and allows streaming. In practice, it is around 2Mb/s up/down with 800ms latency. But this works, even for VoIP.

Obviously, as above, there are less "industrial" solutions to this. But I like "industrial", and some people demand it, so always useful to understand what is possible even if it is rather overkill for a holiday.

QR abuse...

I'm known for QR code stuff, and my library, but I have done some abuse of them for fun - I did round pixels rather than rectangular, f...