Sharing safely your internet connection with dd-wrt and multiple SSIDs.
For some time I've been a serious promoter of free internet everywhere. Nobody can deny how practical it is to take your laptop or phone and browse the web without an extra UMTS/3G connection.
Since I believe you can't get what you don't give, I have been sharing my internet for a few years. For simplicity and out of laziness I did it the dirty way: two wireless SSIDs, one WPA2 and one unencrypted, connected to the same LAN. My own traffic was encrypted from the laptop to the AP, but anonymous visitors had full access to my network. It was not something I really liked.
As I just moved and have a brand new internet connection, it was time to configure this correctly.
The plan is the following:
- Create two networks: one private, one public
- The two networks must not be able to talk to each other (in particular, public clients must not reach the private LAN)
- Don't buy extra hardware (i.e. use only my Linksys router)
vlan2. That's because I connect the public network to a physical connector of my router for testing purposes.
Change firmware to DD-WRT
I did this a long time ago, but if you haven't done it yet, check the official DD-WRT website for the firmware and the installation manuals.
The two SSIDs
In the Wireless > Basic Settings page, click Add in the Virtual Interfaces section. The newly created interface is called wl0.1; the primary wireless interface is still called wl0.
Don't forget to configure encryption (WPA2) on your primary wireless interface in the Wireless > Wireless Security page. The virtual interface wl0.1 stays unencrypted: that is the public SSID.
Splitting the private and public network
On the Setup > Networking page, create a bridge called br2 and give it the router's IP address in the public network. This must be a different subnet than your private network (192.168.107.1/24, for example, to match the firewall rules below). Apply Settings.
In the Assign to Bridge section of the same page, click Add, choose br2 and then wl0.1. Apply Settings.
Activating a DHCP on the public network
At the bottom of the Setup > Networking page (the DHCPD section) you can add another DHCP server. Make sure it is bound to the br2 interface and hands out addresses in the br2 subnet (192.168.107.0/24 in the rules below), not in your private one.
Firewall changes
We need to add a few rules to our firewall to allow and block traffic. The idea is simple: the private bridge br0 may go anywhere, the public bridge br2 may only go out to the internet, and public clients may only talk to the router itself for DHCP and DNS.
To make sure this survives a reboot, I entered the following rules in Administration > Commands of the web interface and saved them with Save Firewall (not Save Startup): DD-WRT rebuilds its own firewall every time the WAN interface comes up and runs the saved firewall script afterwards, so rules saved as a startup command can be overwritten.
# Start from empty filter chains (DD-WRT's own filter rules are replaced; the NAT rules in the nat table are untouched)
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# -I inserts at the top of a chain, so the last -I below ends up being evaluated first
# Public network: only out to the internet (ppp0), and only from its own subnet
iptables -I FORWARD -i br2 -o ppp0 -s 192.168.107.0/24 -j ACCEPT
# Private network: may be forwarded anywhere, including into the public bridge
iptables -I FORWARD -i br0 -j ACCEPT
# Public clients may talk to the router itself only for DHCP and DNS
iptables -I INPUT -i br2 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
# Private clients have full access to the router
iptables -I INPUT -i br0 -j ACCEPT
iptables -I OUTPUT -j ACCEPT
# Replies belonging to connections that were already allowed
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else is dropped
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
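The same split, written as a hardened firewall script with the two things the rules above leave out: an accept rule for the loopback interface (the INPUT policy DROP otherwise also hits the router's own local traffic) and DNS over TCP for public clients, plus a rate-limited log line whenever a visitor tries to reach the private LAN. This is an added example, not the script from the original post; it assumes the post's interface names (br0 private, br2 public, ppp0 WAN, 192.168.107.0/24 public subnet), all overridable through environment variables, and `IPT=echo` turns it into a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Firewall script for the private (br0) / public (br2) split, a hardened
# variant of the rules in the post. Added example, not the post's own script.
# Assumptions: br0 private, br2 public, 192.168.107.0/24 public subnet and
# ppp0 as WAN interface (PPPoE); override them through the environment.
# IPT=echo makes build_rules print the rules instead of applying them.

IPT="${IPT:-iptables}"
PRIV_IF="${PRIV_IF:-br0}"
PUB_IF="${PUB_IF:-br2}"
PUB_NET="${PUB_NET:-192.168.107.0/24}"
WAN_IF="${WAN_IF:-ppp0}"   # on the router: WAN_IF=$(nvram get wan_iface)

build_rules() {
    # Empty the filter chains and deny by default. Rules are appended (-A)
    # in evaluation order, so the list reads top to bottom.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback (missing in the post's rules) and replies to allowed flows.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Private side: full access to the router and to everything behind it.
    $IPT -A INPUT -i "$PRIV_IF" -j ACCEPT
    $IPT -A FORWARD -i "$PRIV_IF" -j ACCEPT

    # Public side, to the router itself: DHCP and DNS only. DNS over TCP is
    # needed for large answers and is not covered by the post's rules.
    $IPT -A INPUT -i "$PUB_IF" -p udp --sport 67:68 --dport 67:68 -j ACCEPT
    $IPT -A INPUT -i "$PUB_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$PUB_IF" -p tcp --dport 53 -j ACCEPT

    # Public side, forwarded: only towards the WAN and only from its own
    # subnet, so spoofed sources and anything aimed at the private LAN fail.
    $IPT -A FORWARD -i "$PUB_IF" -o "$WAN_IF" -s "$PUB_NET" -j ACCEPT

    # Anything else from the public bridge is dropped; attempts to enter the
    # private bridge are logged first (rate limited so a scan cannot flood syslog).
    $IPT -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "PUB2PRIV: "
    $IPT -A FORWARD -i "$PUB_IF" -j DROP
}

# rule_list: the rules a dry run would apply, one per line (for review).
rule_list() {
    ( IPT=echo; build_rules )
}

# rule_count: number of -A rules in the dry run.
rule_count() {
    rule_list | grep -c '^-A '
}

# Usage: sh split-firewall.sh apply
# When pasted into Administration > Commands and saved with Save Firewall,
# replace this guard with a plain "build_rules" call.
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Review the dry run with `sh split-firewall.sh` followed by `rule_list` in the same shell (or simply `IPT=echo sh -c '. ./split-firewall.sh; build_rules'`) before applying it; with a DROP policy on INPUT, a typo in the private-side rule locks you out of the web interface until the next reboot.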
Now is the time to test everything. Connect to your private network and browse the web. Then join the free-internet SSID and try the same: DNS and browsing should work, but trying to reach the router's private address or any host in your private network should fail. Two caveats: ppp0 is the WAN interface of a PPPoE connection, so on a cable or DHCP WAN replace it with the interface `nvram get wan_iface` reports; and the INPUT policy drops everything that is not explicitly listed, including traffic on the router's loopback interface and DNS over TCP from public clients, so if something on the router stops working after applying the rules, that is the first place to look.
It's not a bad idea to reboot your router once more, just to be certain everything comes back correctly on its own the day you have a power outage.
Consequences
There are a few consequences of opening your internet connection to outsiders. Here's an (incomplete) list:
- Download cap: a visitor can use a lot of traffic on your account. Make sure your limit isn't too low. I've never had issues with this.
- Limited speed: someone else can slow down your internet. I've never had issues with this. You could solve it with the QoS features of DD-WRT.
- Illegal behavior: people could use your connection for illegal activities.
To protect myself against the illegal-activities risk, I plan to set up a captive portal page using the NoCatSplash feature of DD-WRT. I also plan to log every MAC address that connects to the public wireless, together with a timestamp.
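One way to do the MAC logging mentioned above, as an added example that is not part of the original post: a small script, run from cron on the router, that takes every lease dnsmasq has handed out in the public subnet and appends the MAC, IP and hostname with a timestamp the first time it sees that MAC. It assumes dnsmasq on DD-WRT writes its leases to /tmp/dnsmasq.leases as `<expiry> <mac> <ip> <hostname> <client-id>`, that the public range is 192.168.107.0/24 as in the firewall rules, and that JFFS is enabled so the log survives a reboot; all three paths are overridable.

```shell
#!/bin/sh
# Record every client that obtains a DHCP lease on the public SSID, with the
# time it was first seen. Added example, not the original post's code.
# Assumptions: dnsmasq lease file at /tmp/dnsmasq.leases with lines
# "<expiry> <mac> <ip> <hostname> <client-id>", public range 192.168.107.0/24,
# JFFS enabled for a persistent log (/tmp is lost on reboot).

LEASES="${LEASES:-/tmp/dnsmasq.leases}"
LOG="${LOG:-/jffs/public-clients.log}"
PUB_PREFIX="${PUB_PREFIX:-192.168.107.}"

# public_leases: "<mac> <ip> <hostname>" for every lease in the public range.
# The MAC is lower-cased so one card is never logged twice in two spellings.
public_leases() {
    awk -v p="$PUB_PREFIX" 'index($3, p) == 1 { print tolower($2), $3, $4 }' "$LEASES"
}

# log_new_clients: append "<date> <time> <mac> <ip> <hostname>" for every MAC
# not yet present in the log, and print the number of new entries.
log_new_clients() {
    [ -f "$LOG" ] || : > "$LOG"
    before=$(wc -l < "$LOG")
    public_leases | while read -r mac ip host; do
        grep -q " $mac " "$LOG" && continue
        printf '%s %s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$mac" "$ip" "$host" >> "$LOG"
    done
    after=$(wc -l < "$LOG")
    echo $((after - before))
}

# Usage: run every minute from Administration > Management > Cron, e.g.
#   * * * * * root /jffs/public-log.sh run
if [ "${1:-}" = "run" ]; then
    log_new_clients
fi
```

Keep in mind what this log is worth: it only sees clients that asked your DHCP server for an address (on Broadcom builds `wl -i wl0.1 assoclist` lists associated stations regardless), and a MAC address is trivially changed by whoever wants to hide, so treat it as a help for your own troubleshooting rather than as evidence.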
Why don't you Fon?
Because Fon doesn't allow me to share the internet for free.
Hi,
I have been planning to do the same for much the same reasoning.
But I am reluctant to offer full unlimited access forever.
What I was going to try to do is offer limited leases, say a day at a time, or max download 100 MB, or max speed 100 kB, for each MAC on the open net.
My thinking being it would be useful but not abused by anyone.
Have you seen anything like this for DD-WRT?
/neil c.
I tried to follow these directions exactly. When I went to set up the bridges I added the br2, IP, mask and saved, but when I went down to assign bridge the only one that was there was br0. I don't get how to get the other br2 one to show up.
try this one:
http://blog.dotkam.com/2008/10/02/configure-multiple-ssids-with-one-router/