Here’s what’s changed in two years: Meraki has since redefined their entire business and offers much more expensive solutions, and no Meraki Minis. Also, the campground can now get DSL and not just satellite internet, which is awesome. And although Meraki is for my purposes defunct, Open-Mesh has taken over where Meraki left off and has a similar device at the same price, with better accessories and more power!

This time, we’re covering more ground as well. So I just ordered nine Open-Mesh OM1P Professional Mini Routers. And six 7 dbi antennas, plus three Indoor Wallplug Enclosures. This time I’m going to be covering more area, and I’m hoping that using some larger antennas as well as the reports I’ve heard that the Open-Mesh devices have better range than the Meraki units out of the box mean that we’ll have a very successful network this time! We’ll also have two or three DSL lines to serve as injection gateways, which should be a major improvement over the horrendous satellite connection we had before (if you could call it a connection half of the time when it wasn’t, you know, connected :-)

I plan on taking some pictures and documenting the setup more than last time, and if I find the time I might even blog some of it!

Did I mention my whole order including shipping was under $550? That’s cool.

If a laptop user establishes a VPN connection to your corporate VPN server, and doesn’t use split tunneling (in other words, from the time they’re connected, all traffic goes through the VPN as its default gateway no matter what), assuming that you’re using a VPN client that verifies the identity of the server (rather than blindly trusting DNS, which is easily spoofable on a wireless network), the user moves from the realm of insecurity into a much more secure environment, similar to being plugged into your wired network at the office. Of course, then your office WAN connection has to support everything they do, including web browsing!

However, using a free or paid “VPN” service from a company that just turns your wireless connection into a VPN-enabled “wired” connection is only going to help thwart unencrypted wifi sniffing and other such attacks. Unless you also use SSL and other encryption technologies, those services are just giving you a wired internet connection just like your home connection rather than the easier-to-sniff unencrypted wireless. It’s better than nothing, but it’s not like an encrypted pipe into your own network.

Don’t discount unencrypted wireless attacks. It’s never happened to me, but if you hop over and read some of Security Monkey’s case files at you’ll discover that there’s a lot of bad stuff going on in the world on computers :-) Those case files are slightly modified true stories from this guy’s career! His old 2005-2007 podcast episodes are worth listening to for some cool security tips and tools as well, to digress for a moment!

I don’t have a good answer; VPN connections to the office make internet run very slowly unless you have the WAN bandwidth to support fast throughput to and from all your remote users including web browsing! But that’s a much more secure way to operate. The number of ways wireless can be hijacked, sniffed, spoofed, and hacked, especially if it’s unencrypted to begin with, is downright scary! At the very least use SSL with verified certificates for anything you do of any importance (or if passwords are transmitted) on an encrypted wireless connection. As an IT guy, I can tell you (or myself) whether a particular session (POP3, IMAP, RPC over HTTP, HTTPS, etc.) is happening over an encrypted connection or not and can be careful. However, the average user is, obviously, not going to know or even care necessarily if Outlook is using POP3 unencrypted or via SSL, or using RPC over HTTPS securely. And if they log into Gmail, they’re not likely to know that although their password is always encrypted on login, their email is transmitted in the clear unless they initiate the session using SSL from the start (using https://mail.google.com/ rather than http://mail.google.com)./ Even if their email contains passwords and confirmations for other accounts!

Stuart mentioned WiTopia on his comment to Tony’s original post. I’d never heard of them before, but I’ve seen similar services to their personalVPN product. That service appears to be, like I mentioned above, just a way to get a “wired quality” connection to the internet over unsecured wireless. An admirable service and a worthy goal even with its limitations, but what caught my eye even more was their SecureMyWifi service. It’s still a wireless service but it has to do with your own on-campus wireless access. It lets you move away from using WPA with a Pre-Shared Key (PSK), also known as WPA-Personal, and use their RADIUS services to authenticate users individually to your encrypted wireless access points. It seems a bit pricey (to me–it’s currently a $99 setup fee, $99/year for one access point, and $14.95/year for each additional access point), but we have the same thing set up using Microsoft’s free (built-in on Windows Server 2003) IAS RADIUS server in-house. If you aren’t familiar with how to set it all up, the WiTopia service could be quite beneficial! They charge per access point, but at Lakeview we have a centrally-managed access points system with one controller that takes care of authentication. I assume that the WiTopia service is based on unique RADIUS keys for each access point client; since the central controller (currently running 12 access points) acts as a single client, it should look like “one” access point to the service. Whether or not this is allowed with their terms of service I have no idea; we are not likely going to use the service since I already do this in-house for free, but I would recommend reading the terms and/or contacting them if you plan on doing something similar to remain in the spirit of their offering.

There’s not even that much to tell. The setup was the easiest part: unpack, plug in to power. Place near window for best signal. Plug internet line into the one next to the satellite modem. And that part had been done for us! We primarily tested the existing network using VisiWave to document signal strength, and moved the fourth access point around to various locations to make sure when we order four more, they will cover what we want them to (they will). The VisiWave mapping was the most time-consuming part of the trip (besides waiting for the slow/disconnected internet), but I haven’t had time to pull useful reports out of that data yet.

The Meraki Dashboard is the truly novel and useful tool. You can place your nodes on a map, view how they are interconnected, monitor bandwidth usage and speeds by node and by user, block or whitelist users, set up a splash page, security, and quite a few other nice tweaks that I wouldn’t have thought of but make perfect sense when you see them!

I took a couple of screenshots of the node map overview, using standard and satellite maps:

If you hold your mouse over a node (in the real Dashboard, not these pictures of course! But you knew that…), the route to the internet turns green (one of the gray lines between nodes in the standard map), and some external text shows some additional status information. The number on a node is the number of users in the last 24 hours. These pictures just scratch the surface of the control interface, which is well thought out and feature rich. But that’s all I have time for, so you’ll have to grab some of your own Minis and mess around!

Oh yeah…sorry for the joke in the title. I do love my bad puns…

UPDATE: On Feb. 21st, 2012, after a new comment and response below, I wrote a post that’s a bit of a followup to this one, over at my current (though still infrequently-updated) blog: Ubiquity UniFi vs. Open Mesh.

If they had a second internet connection, “injecting” another point of internet access would be an option, and the network would automatically send traffic to the best internet access point. Thus, the mesh part of mesh networking. I’ve been wanting to try the Meraki products for a while, so I’m excited! More details to come when we’re done!

The trip to the campgrounds is about two hours each way, so we’ll only have three or four hours of actual set up and testing time.

I’m using the built-into-Windows-Server IAS, which is the Microsoft implementation of a RADIUS server. Basically, I set up a profile in the IAS configuration to allow specific Windows Active Directory groups to be allowed “dial-up” access through a Wireless port type. Then I created a new client in IAS with its IP address and a secret key that I also enter in the wireless access point (AP) where it asks for a RADIUS server (while setting up WPA/WPA2 authentication, not the Pre-Shared Key (PSK) kind). If I did everything right (insert hours of testing and learning here), I can connect to the wireless SSID I configured by specifying a username and password (or to use the Windows logon credentials) in the settings, rather than needing a pre-shared key that’s the same for everyone.

If I go a step further and put a certificate on the server that the clients trust, I can also authenticate with the certificates rather than the username/password credentials, which is actually more secure due to the certificate being longer, more random, and harder to obtain than a username and password (this is why I limit access for now to users in the Active Directory group I specify, creating fewer users with wireless login privileges). I haven’t completed the certificate step of the process, and I’m still running a WPA-PSK SSID as an alternate connection method until I’m sure I have everyone switched over to the RADIUS-based SSID. But once I deactivate the WPA-PSK network, security should go up because now you can’t just share the PSK key, which has a way of getting out no matter how hard you try and protect it (having free wi-fi now helps this as well, since if someone just wants internet access, they don’t need the internal network key!). And your keys get changed every time your passwords change, rather than coordinating updating the PSK and then making sure everyone needing wireless access has the new key (if they don’t, expect cell phone calls asking for it pretty quickly).

That’s the high level why and how. I sleep now :-)

I checked on the stats of how many people were connected at a time throughout the day (the stats-gathering was a bit random but better than nothing) and it looks like the highest number of connections I saw was this afternoon, at about 18 simultaneous users. Yesterday one man I talked to came up to me later and said he was glad there was wireless access and was very appreciative! Given that wireless access was not announced prior to the event, the turnout of people with laptops was still pretty high. Right about right, I’m not sure I would want to support more users than that on the first test. Better a successful slow ramp-up than an all-out crash-and-burn, in my opinion.

While making the rounds on Monday afternoon, I ended up talking to a speaker who had a booth at the Council and ended up showing him how to remove some annoying spyware someone had hacked into showing up on his website, and giving him a pointer to Google Analytics for some more useful stats than the tools his cPanel installation provided.

So…success! There wasn’t a single issue that was made aware of with the wireless the entire time. No complaints, no issues with speed throttling, no issues connecting even though it required a password from the brochure and going through a portal page (I’ll get some more details on how I have this set up when I get a chance). And no issues with things being blocked that shouldn’t have been through ScrubIT. Well, I take it back, there was one issue. One of our volunteers was trying to use a PPTP VPN to connect to her workplace and do some work on downtime. The connection kept timing out and would never connect. The VPN connectoid kept throwing Error 619. Google didn’t turn up anything related, but I suspect it has to do with the connection being double-NATted. I did see someone else’s Cisco VPN connecter work just fine, but that’s just a success story, not related to the PPTP error I’m sure.

But if that’s the worst that happened (and it was)…I’m happy! It’s been a long process through to the release, since I ordered the equipment at the end of last October!

VisiWave is easy to use, even without the Pro version (the SO version, for Software Only, is the one we purchased, and is significantly less expensive). You need a floor plan of some sort for your facility (whatever area you’re going to survey). Import this into the survey half of the VisiWave software (the other half is a separate reporting application for creating a report from the data collected by the collection tool), and then walk around your facility clicking at key spots where you’re located on the map on the laptop you’re carrying with you (a Pocket PC is an option as well, but we used a laptop). A time-saving feature lets you switch to a mode where you can click on your current location, walk at a steady pace in a straight line, and click your ending location, and it will distribute the data points collected evenly over the line you walked. It sounds simple, but it saved me a lot of time! The VisiWave website has good instructions and example reports.

I’ll most more example of the survey report and such in the future (our initial survey was last October), but this has proved to be a very useful tool that we can use over and over again, rather than hiring someone to do a site survey once. I did the survey before placing new access points, but I haven’t had time to re-survey since we installed the new APs, and there are four I haven’t installed yet. We do have very good coverage based on the 9 that I have installed based on the original survey already, however! I’m looking forward to the final survey and report, and to fine-tuning based on those results. Our grand opening is the week after Easter next month. I may or may not have the public internet stuff set up by then (using a Nomadix AG 3000) but the equipment will be there for when I figure out the software and the filtering solution to use, so it should be ready shortly thereafter.