Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How can I prevent neighbors from accessing the open WiFi hotspot I provide to my customers?

Question:

I have a Laundromat and provide free Wi-Fi for my active customers. I also
have a neighboring apartment and houses that may be using it also. All they
would have to do is visit the laundry and get the password off the wall. How
can I block, let’s say, the neighbors behind the Laundromat? How about a lead
shield?

In this excerpt from
Answercast #97
I look at ways a Laundromat could protect the free WiFi
access point it is providing for it’s customers.

]]>

Neighbors access WiFi hotspot

The short answer is no, certainly not a lead shield.

I mean you’d be throwing a lead shield up against one wall, or something like that, and even then I’m not sure that it would actually block things sufficiently. Wireless connections go out in several different directions.

Constantly change password

Unfortunately, I really don’t have a good answer for you. What I would do personally in your situation is change the password daily; potentially even multiple times a day if things are really bad. Changing the password daily is probably the simplest way to keep people from connecting. They couldn’t come down, see the password once and then connect forever after.

It makes it inconvenient to reconnect to your hotspot. It doesn’t make it impossible; I get that – all somebody has to do is walk down read the password and then go back to their home and connect.

That’s why I say maybe you want to do it a couple times a day.

Make the password inaccessible

The thing to do of course is to make sure that the password is visible to your patrons but not visible, for example, from the street. Then people who are just walking by can’t see the password and therefore can’t connect. People actually have to come in.

The other approach is to not post it. Actually change it on a regular basis but only tell it to people who come up to the counter and ask. This is actually what a lot of hotels will do. They will change the password on a regular basis and they will only give the password when someone checks in. They’ll give it to them on a piece of paper right then and there.

So that’s another alternative that could again make it somewhat more difficult, yet not impossible, for nearby neighbors to use this service that you’re providing to your customers.

Problems with open access

Ultimately, it is one of the drawbacks of providing open Wi-Fi access. There is no way of drawing a physical line or ensuring that only those people inside the place can actually use it.

The only other solution that I’m aware of is not use Wi-Fi at all – but actually provide wired internet connectivity.

Unfortunately, especially with all of the different wireless devices that are out there right now, including tablets and iPads and phones and such, that doesn’t even solve the problem for a lot of people.

So, ultimately I’d have to just come down on the side of changing the password on a semi-regular basis, probably daily to begin with, and if it continues to be a problem then take the password down off the wall and have people ask for it at the counter.

(Transcript lightly edited for readability.)

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

10 comments on “How can I prevent neighbors from accessing the open WiFi hotspot I provide to my customers?”

  1. One could also log the Mac addresses that are connecting, and reject any ‘frequent flyers’ using the router’s “Deny Mac Address” feature.

    Reply
  2. Many routers have “MAC address filtering” as part of their security settings. The typical use is to give a list of “allowed” computers, and deny access to everything else. Obviously, this is not what you want if you’re providing an open hotspot for your customers. However, I just checked our router, and it also has the option to give a list of MAC addresses to deny access to. (In other words, allow all computers *except* those listed.)

    Note: The specifics on *how* to do the following varies from router to router, so I can’t give specifics w/o knowing the exact make and model.

    Set the DHCP “life” to something short (but not “too short”), such as 60 minutes. This basically means that the router will “drop” any connection that isn’t used for over an hour. (It’s actually more involved than this, but at the most basic level, it means that the router won’t keep a connection for a customer that left some time ago. Customers who are there for more than an hour, and keep using the connection will never notice anything, since the DHCP connection will be automatically renewed.)

    At some point, if you check the router’s DHCP client list, you’ll notice the same MAC address just seems to hang around, even though your customers keep coming and going throughout the day. This would either be your own computer(s), or your neighbor’s.

    You can check your own computer’s MAC address by opening up a command prompt (start / run / “cmd”), and typing the command “ipconfig /all | more”. The MAC address is listed as “physical address”. You may have more than one adapter listed with an address, so write them all down. (Type “exit” to exit the command prompt.)

    Once you have your neighbor’s MAC address, simply add it to the ban list.

    One more thing to add: Today’s computers allow you to change your MAC address, so it’s possible for your neighbor to connect again if he finds out how you blocked him. If that happens, find the new MAC address and block it. Repeat until your neighbor gets tired and sponges off someone else.

    Reply
  3. If you have the capability, you can have the cash register print the current password on the receipt. Of course, that probably wouldn’t work in a laundromat, but if someone reading this wants to protect internet access in a coffee shop of something like that.

    Reply
  4. I agree that mac filtering is a good first step and may solve the problem.

    Instead of a lead shield it may be possible to place the wifi base station such that the signal outside your laundromat is minimized.

    A box with aluminum foil placed along the bottom and sides and then placed upside down over the wifi base station should attenuate the signal noticably and may make it difficult or impossible to access the wifi base station outside of the laundromat. Make the box big enough so that the wifi base station doesn’t get too hot.

    If you have a basement, put the wifi base station in the basement.

    Once you have taken steps to minimize the signal outside of your business, the next step is to take a notebook computer and check and see how far outside the signal is accessable to determine if you need to do more work or if the signal is weak enough to minimize the chance of anyone unauthorized is connecting to it.

    Of course, after hours, you’ll want to keep an eye on who connects to the base station. You can do this remotely by logging into the base station. If you have people connected and your business is closed, MAC filter them out.

    Some base stations can be set to automatically turn off the wifi or seriously restrict access on a time of day basis. Thus you may want to look into this feature and shut off wifi or shut off web access after business hours. That way if someone does connect, they won’t be able to do much.

    Reply
  5. One last thing, I have seen in the past wifi base stations that were designed with this application in mind. One had a port for a label printer that would print each customer a unique password. I did a search and unfortunately couldn’t find any such routers but I am sure they are still available.

    In the meantime, I would look at router placement as well as steps to attenuate the signal to a point where outside the laundromat it’s very weak. Couple that with Mac filtering if it’s requried and you should be all set.

    If I were in your position I would also look for a base station that allows you to vary the power output. The typical power output of a wifi base station is about 20mw. If you could cut that down to 2mw that would be a 10db decrease in signal strength. The signal in the laundromat should still be usable but outside it’s going to be 10db weaker. The Ubiquity Nano Stations allow you to adjust power but I am not sure how low they go.

    If the wifi base station has an external antenna I would start by unscrewing the antenna and checking range. Chances are it’s not going to be. So, you use a small pice of solid copper wire or even a paper clip as your antenna making it big enough to barely cover the laundromat.

    Mind you, at 2.4 gHz the antenna is likely only to need to be an inch or so. Very small.

    Doing this is very bad practice and purists would jump up and down but due to the low power levels involved I doubt that you’re going to damage the transmitter. If you do, so what, base stations are available for under 20 bucks. We’re not talking a lot of money.

    With a poor enough antenna you should be able to create a cell size of 20 or 30 feet from the base station which should be adequate.

    When you do your testing, use a notebook computer with built in wifi. The wifi built into phones typically isn’t very good and while the phone may show no signal at 30 feet, a notebook with a good wifi antenna built into the screen may show signal at 100 feet or more.

    If you need greater wifi range for your employees or yourself, use a separate base station for your own use and protect it with it’s own key.

    One last option. If you don’t care that some people won’t be able to connect. Use a dual band base station and shut off the 2.4 gHz access point and use only 5 gHz. 5gHz does not have nearly the range of 2.4 and you may find that there are no 5 gHz users within range outside of the Laundromat. More and more devices are supporting 5 gHz. As time goes on, the option of dropping 2.4 and using only 5 gHz will be more and more attractive if you want to tailor the cell size of your wifi to match that of your property or business.

    Good luck.

    Reply
  6. On the other hand, you could just ignore your sponging neighbours (on their conscience be it…) and spend your time on something more fruitful and carefree.

    If you’re not quite prepared to ddo that, why not engage the graspy neighbours with a cheery greeting and a few minutes’ idle chitchat (but let it be know that you are the operator of the nearby laundromat). I bet the surreptitious poaching dramatically decreases once they have a human face in mind.

    You could also rename your connection something like “You’re welcome to use this network. In return, please patronise Such-and-such laundromat.”

    Reply
  7. What about using directional antennas instead of antennas that send the signal out in all directions?

    I also agree with the comment that you might just want to ignore it and spend your time on something more fruitful. Solving this problem may be more trouble than it is worth. However, maybe the reason you’re trying to solve it is the connection gets really slow from so many people using it? If that is the case, many routers can block certain sites or sites based on keywords, so you could filter out adult sites or sites that take a lot of bandwidth like YouTube.

    Reply
  8. OK,
    1) A shield does not have to be lead, it can be foil or foil-faced foam for example, or a wire mesh and it will help a lot. This is not an altogether bad idea, I would consider it.

    2) You are probably concerned about excessive use of bandwidth. You could usea Gargoyle equipped router (look it up) to put quotas and/or bandwidth limits on each connection. You could also set times for it to work on the laundrymat’s password so that when closed, the system is shut down. You could then setup a additional router/AP and password for the apartments which will have their own passwords that are not published and are not on a time limit.

    3) MAC address filtering is a favorite tool/technique of the partially informed. Forget it, ok? For several reasons, it’s not practical in most cases, nor effective. Do the research if you really, really need to understand why, or just ignore the suggestion (my suggestion!).

    Reply
  9. I have a router (Cisco) that we use at home, and not for the neighbors. One thing the setup allows you to do is set how many users can have an address. I would think that changing the password daily/and or having customers ask for it, adjusting antenna power, potentially trying a shield, having a set time its on would really help control who gets to enjoy it and who can’t be mooching off of you. The default for our router I think had like a hundred different addresses available? (Linksys E900), and I changed it to like 10 addresses available. I think I can also adjust the power output on the router. Checking specs could maybe make life a lot easier? What do you think Leo?

    Reply
  10. For a shield you can use aluminum foil. Cover one side of piece of cardboard, place it behind/around the router’s antenna(s) to focus/isolate the signal away from the apartments. A shield could also be made from wire screen.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.