====== Hamnet Hotspots ======

The goal of Hamnet hotspots is to give fellow amateur radio operators simple, easy and secure connectivity to local (and/or global) Hamnet resources through unlicensed Wi-Fi networks: the access radio is operated within the rules of FCC Part 15, but it grants access to Part 97 resources.

To ensure inter-operation:

  * The SSID of Hamnet hotspots SHALL be set to ''Hamnet''.
  * Security SHALL be set to WPA2-Enterprise, or to WPA3-Enterprise with backwards compatibility with WPA2-Enterprise.
  * When possible, the beacon interval SHOULD be set to ''100ms'', and DTIM SHOULD be set to ''3''.

===== Freeradius =====

==== Generic Realm ====

The generic (or null) realm is used to accept ham connections using their APRS-IS credentials. You can rely on [[https://github.com/ggramaize/rlm_aprsis|rlm_aprsis]] to do this.

Note: APRS-IS is a basic mechanism which doesn't provide reliable authentication. You shouldn't rely on such an authentication for privileged access to resources (Internet access).

==== Membership realm ====

If members of an amateur radio association/club are to be granted access to the Internet, you can delegate the authentication to a third-party RADIUS server hosted by them.

To tell apart registered members and generic hams, you can use a UAM/captive portal solution to filter access to restricted services.

===== Coovachilli (UAM) =====

==== Example config ====

TODO

==== List of open services ====

If you choose to provide restricted unauthenticated online access, you should grant access to the following services:

  * ''*.ampr.org'' => domain name for Hamnet resources
  * ''%%44.0.0.0/9,44.128.0.0/10%%'' => network scope for Hamnet
  * ''winlink.org, server.winlink.org, webmail.winlink.org'' => access to the WL2K network

Additionally, you should also serve your local resources in a subdomain such as ''.hnet.yourdomain.org'', so that your services stay reachable should your connectivity to ''ampr.org'' be disrupted.
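As an added example (not configuration from this page, nor from the rlm_aprsis or CoovaChilli projects), here is how the three pieces described above fit together on one hotspot: the hostapd settings for the ''Hamnet'' SSID with WPA3-Enterprise and WPA2-Enterprise fallback, the FreeRADIUS realm split between generic hams (null realm, handled locally) and club members (proxied to the club's own server), and the CoovaChilli walled garden limited to the open services listed. The interface names, the ''club.example'' realm, ''hnet.example.org'', the 192.0.2.10 address and every secret are placeholders; the rlm_aprsis module's own configuration is assumed to be done separately and is not shown.

```conf
# --- /etc/hostapd/hostapd.conf ---------------------------------------------
# Access radio: SSID "Hamnet", beacon interval 100 TU (about 100 ms), DTIM 3.
# 802.1X requests are sent to the FreeRADIUS instance on the same box.
interface=wlan0
driver=nl80211
ssid=Hamnet
hw_mode=g
channel=6
beacon_int=100
dtim_period=3
ieee8021x=1
eap_server=0
auth_server_addr=127.0.0.1
auth_server_port=1812
# placeholder secret; must match the hostapd client entry in clients.conf
auth_server_shared_secret=CHANGE-ME-hostapd-secret
# placeholder NAS identifier
nas_identifier=hamnet-hotspot-1
wpa=2
# WPA-EAP is WPA2-Enterprise, WPA-EAP-SHA256 is WPA3-Enterprise; ieee80211w=1
# keeps management frame protection optional so WPA2-only clients still join.
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=1

# --- /etc/freeradius/3.0/proxy.conf ----------------------------------------
# User-Names without "@realm" (generic hams) fall into the NULL realm. A realm
# with no home_server_pool is handled locally, where rlm_aprsis (enabled in
# mods-enabled/ and sites-enabled/, not shown here) checks the APRS-IS passcode.
realm NULL {
}

# Club members authenticate as callsign@club.example; those requests are
# forwarded untouched (nostrip) to the club's RADIUS server. Placeholders.
home_server club_radius {
	type   = auth
	ipaddr = 192.0.2.10
	port   = 1812
	secret = CHANGE-ME-club-secret
	status_check = status-server
}

home_server_pool club_pool {
	type        = fail-over
	home_server = club_radius
}

realm club.example {
	auth_pool = club_pool
	nostrip
}

# --- /etc/chilli/defaults (CoovaChilli walled garden) ----------------------
# Clients that have not logged in at the portal only reach the open Hamnet
# services; the portal login itself is answered by the same FreeRADIUS
# instance, so member credentials end up at the club.example realm above.
HS_LANIF=wlan0
HS_WANIF=eth0
HS_RADIUS=127.0.0.1
HS_RADSECRET=CHANGE-ME-chilli-secret
HS_UAMALLOW="44.0.0.0/9,44.128.0.0/10,winlink.org,server.winlink.org,webmail.winlink.org"
HS_UAMDOMAINS=".ampr.org,.hnet.example.org"
```

The realm split relies on the ''suffix'' module being listed in the ''authorize'' section of the FreeRADIUS site (it is in the default site), and with EAP the realm is taken from the outer identity, so clients must send ''callsign@club.example'' as their outer User-Name. If the club's server is reached over the public Internet rather than over Hamnet, put the proxy path inside a VPN or use RadSec, since plain RADIUS only protects the password attribute with the shared secret.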
===== Well-known local services =====

Below you'll find a list of "well-known" DNS records that you SHOULD set up if you're providing one of those services, to allow automatic discovery.

  * ''%%__aprs.__tcp.lan%%'' => APRS message server (may be connected to the APRS Tier 2 network).
  * ''%%__irc.__tcp.lan%%'' => instant messaging server (may be connected to other networks).
  * ''%%__dextra.__udp.lan%%'' => DPlus local D-STAR reflector.
  * ''%%__dplus.__udp.lan%%'' => DExtra local D-STAR reflector.

On top of that, your DNS server should reply with your NTP server(s) when queried for ''%%*.pool.ntp.org%%''.
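One way to publish these records with dnsmasq, as an added example that is not part of this page: the record names are assumed to be the standard single-underscore SRV labels (''_aprs._tcp.lan'' and so on), the ''hnet.example.org'' target names, the port numbers and the 44.0.2.x addresses are placeholders to be replaced with your own servers, and the ''server='' line ties in the local subdomain recommended in the Coovachilli section.

```conf
# /etc/dnsmasq.d/hamnet-services.conf
# SRV records in _service._proto form so clients can discover the local
# services automatically. Targets and ports are placeholders: point them at
# your own servers and the ports those servers actually listen on.
srv-host=_aprs._tcp.lan,aprs.hnet.example.org,14580
srv-host=_irc._tcp.lan,irc.hnet.example.org,6667
srv-host=_dextra._udp.lan,reflector.hnet.example.org,30001
srv-host=_dplus._udp.lan,reflector.hnet.example.org,20001

# Answer pool.ntp.org and every name under it (dnsmasq's address= matches the
# domain and all of its subdomains) with the local NTP server (placeholder).
address=/pool.ntp.org/44.0.2.123

# Send the local subdomain to the local authoritative server (placeholder)
# so it keeps resolving even when the path to ampr.org is down.
server=/hnet.example.org/44.0.2.53
```

After reloading dnsmasq, ''dig SRV _aprs._tcp.lan @<hotspot address>'' should return the target and port, and ''dig A 0.pool.ntp.org @<hotspot address>'' should return the local NTP address rather than a public pool member.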