Last summer, I attended a music festival out in the middle of nowhere. No cell reception, no Internet, no connectivity whatsoever. Which is great if you’re looking to ‘get away from it all’ for a while, but I’m the kind of guy who prefers to stay connected…even if that just means checking in on emails to make sure nothing at work has caught on fire.
There was one booth at the festival selling Internet, and the cost was $20.00 per 10 minutes of Internet – absolutely ridiculous. I definitely wasn’t planning on trying that out, but it did get me thinking. Had I just thought ahead, I could have easily created a small portable network with an Internet connection, popped up a captive portal, and charged $10 bucks per day per device for people to hop onto the SSID and use it.
Doing some quick math here – if there were 10,000 people at that music festival, and just 1% of those people per day wanted to get online at $9.99 for 24 hours, I’d make somewhere between $3000-4000 bucks over the course of the 4-day festival. That would more than pay for my trip to the festival!
So now where else could this be used? Tailgating at ballgames? Campgrounds? Marinas? Basically anywhere where you can get an Internet connection and most other people can’t becomes a potential source of revenue. I’d love to hear your ideas about this in the comments below.
So let’s get started – there are basically 4 components to this project: 1. the Internet connection, 2. the equipment, and 3. the power needed, and 4. the pricing and configuration (including possible Layer 7 application filtering, which we will definitely talk about).
The Internet Connection
Now, I’m calling this article ‘Starlink Side Hustle’ because Starlink really is the ideal platform for this kind of setup. It’s portable, provides great bandwidth and latency, and is super easy to set up even in the most remote of locations. There is one major problem with using Starlink however – their terms and conditions specifically prohibit resale.
So – while I’m going to be using Starlink as the Internet connection for this tutorial, it’s just a proof of concept. I very specifically do not recommend breaking the Starlink terms and conditions by reselling their Internet service in this fashion. You can decide if your own moral compass allows for bending of these rules.
Another issue with Starlink is the recently implemented data caps. This may or may not affect your Starlink experience depending on the dish and service plan that you signed up for. It breaks down like this:
| Fixed Residential | Starlink for RVs | |
| Monthly cost | $110/mo. | $135/mo. |
| Portable? | YES – $25/mo. additional | YES |
| Standard service / Priority access | 20-100 Mbps Download / 5-15 Mbps Upload | N/A – no priority access |
| RV service / Best Effort service | 5-50 Mbps Download / 2-10 Mbps Upload | 5-50 Mbps Download / 2-10 Mbps Upload |
| Data Cap? | 1TB Standard service then switches to Best Effort | N/A – no priority access |
| Pause service plan? | NO | YES |
In my opinion, the best service to go with here would be the Starlink for RV service. The downside to that service is that you’re always lower priority on the Starlink network, but it has some distinct advantages over the fixed residential service. First, it allows you to pause the service plan, which can save you money in the months you’re not using it. The portability features are also more baked into the RV service making it easier to move from location to location.
Internet Beyond Starlink
The ubiquitous nature of Starlink being deployable anywhere is really a humungous advantage. But of course – those terms and conditions. So what are other Internet options besides Starlink?
LTE – You can get an unlimited LTE SIM card and use it with something like a Pepwave MAX BR1 Mini ($479) or MAX BR1 ENT ($649) LTE modem/router device (there are numerous other options for LTE modem/router models as well – I’m just mostly familiar with Pepwave devices since we sell them on the business side of the house). These devices offer a bunch of options in terms of hardware and software configurations, and work really well – they’re pretty rugged. Some of them even have redundant SIM slots for failover and/or bonding of your LTE connections.
There’s one super obvious issue with LTE though – you have to be within range of an LTE tower! It won’t work ‘just anywhere.’ This can be potentially mitigated if you’re ‘close enough’ with different antenna types.
For instance, another LTE modem/router product that I’ve worked with is the Insty Connect. The Insty Connect is made for RV life – and has both an omnidirectional antenna and an optional binoculars antenna. You can check out my full review of the Insty Connect and its various antennas in the video below.
Crosstalk also offers an unlimited AT&T SIM card – it’s $119/mo. with no throttling or bandwidth caps. You can read more about it HERE. But – here’s the thing…much like Starlink, AT&T’s Terms and Conditions prohibit the resale of bandwidth to other people. And they are much more apt to send out nasty letters to offenders, which could get your service completely disconnected. Especially if one of your users starts torrenting pirated movies or something. We’ll cover how to prevent certain types of traffic later in this tutorial.
What else can you do for Internet? Really, you’ll just have to get creative. Bringing Internet to remote locations is more of an art than a science – perhaps you’re close enough to an Internet connection that you’re allowed to use that you can set up a Point to Point (PTP) wireless bridge to your remote location – much like I did in the video below.
It’s also possible to use a NanoStation to grab onto a different SSID without the need for a wireless bridge. Again though – get creative! However you can get stable, reliable Internet to a remote location will work. You just have to sort through how to get it done, and whether you’re authorized to resell that Internet to others (or maybe you don’t care about that – I make no judgement).
What About Free Internet?
The setup I’m describing in this article has to do with reselling Internet service for profit. But guess what? You don’t HAVE to sell it! This exact same setup works great as a portable emergency Internet solution after a disaster, similar to the solutions provided by the ITDRC (an excellent non-profit organization). Or, if you want to provide Internet to folks you’re camping with. Or if you’re tailgating at a game and want to give the parking lot folks some pre-game Internet. This same exact setup – including the captive portal – can be used without charging for it. ‘Starlink Side Hustle’ is admittedly a pretty click-bait title – but this doesn’t have to be a side hustle. It also works as portable Internet for any occasion.
The Equipment
When I first sat down to come up with a nice portable solution for a ‘network in a box,’ I started with what I had lying around. My criteria for this network were pretty basic – I wanted to try to get everything working with a single power plug (using as little power as possible), and I wanted it to be relatively inexpensive.
Configuration A
Here’s the first option that I came up with:
UISP EdgeRouter X – ER-X – I picked this $59.00 router because of a few reasons – first, it can be powered with PoE (24V passive). Second, it’s actually a pretty robust router, and more than powerful enough for our purposes – plus it’s small and cheap.
Instant PoE Converter – INS-3AF-I-G – $20.00
This device is needed because the ER-X runs on 24V Passive PoE, but the switch that I’m using only puts out 802.3af PoE. This converts 802.3af to 24V passive PoE and is able to power up the ER-X no problem.
Switch Lite 8 PoE – USW-Lite-8-PoE – $109.00
I went with this 8 port switch because it has 4 802.3af PoE ports which is exactly the number that I needed for this project. The power draw isn’t too bad, and it’s the only device that I actually have to plug in (besides any Internet stuff). Everything else in this setup runs off of this switch.
Cloud Key Gen2 Plus – UCK-G2-PLUS – $199.00
We need a controller to manage our UniFi equipment and also provide the captive portal that our users will connect to in order to purchase Internet services. This UCK-G2-Plus will work great for that purpose. Since it’s the Plus version, it also has a hard drive that we can use for a camera – just to keep an eye on our setup while it’s deployed.
Access Point AC Mesh – UAP-AC-M – $99.00
You can basically pick any access point for this network, but I like the UAP-AC-M for a number of reasons. It’s relatively inexpensive, it has a great form factor for a variety of mounting options, and it’s designed to be outdoors in the elements. It’s only WiFi 5, but for our purposes, we really don’t need WiFi 6 – unless you’re scaling this network up to multi-hundreds of users.
Camera G3 Flex – UVC-G3-Flex – $79.00
Since we have Protect on the Cloud Key, I felt it would be a good idea to have a camera keeping an eye on our equipment. The G3 Flex is an inexpensive indoor/outdoor camera that functions as a theft deterrent more than anything else – if people know they’re on camera, they’re going to be less apt to steal your network.
Here’s a layout of how all of this will connect together – we’ll cover the power aspect next.
And here’s a look at that network stuffed into a storage bin.
A few notes about the picture above. I used velcro to put most of the pieces in place, and I 3D printed a mounting bracket for the UCK-G2-Plus. The G3-Flex camera and UAP-AC-M access point I would give 25′ Ethernet cables to be more flexible – the longer length cables should still fit into this box just fine.
One improvement would be to add a fan and perhaps a couple of holes on the opposite side of the fan to create some airflow that can evacuate heat – the UCK-G2-Plus and USW-Lite-8-PoE switch both get decently hot, and could fail if left in the box with the lid on in hot weather.
This setup is pretty good – but it’s not perfect. Why? Because there is no Layer 7 filtering or control over what users can surf to. You could force the users to use DNS servers that filter malware/ad/adult content which would be a nice start, but you still wouldn’t be able to monitor network traffic to block peer to peer file sharing or anything else. You may for example not want users connecting to this network to use Netflix/Hulu/Disney+ type streaming apps. No way to do that kind of filtering here. Check out Configuration B below for an alternative.
Configuration A Setup
The setup of this network is fairly straight forward, but there are a few considerations. Let’s start with the router. The EdgeRouter X (ER-X) can be powered up via port ETH0 with 24V Passive PoE. Because of that requirement, I had to use one of the 802.3af to 24V Passive PoE adapters to get it powered up, but I also had to ensure that the WAN port was not ETH0. When you run through the initial setup wizard, you can choose to make the WAN port ETH0 or ETH4 – so in this case, ETH4 was the right answer.
Besides that the rest of the ports are combined into interface SWITCH0 which I set up to respond to DNS queries and gave it a DHCP server. This is my ‘secure’ LAN segment. I also created SWITCH0.51 (VLAN ID 51) and called it GUESTS. I configured the SWITCH0.51 VLAN with a DHCP server that hands out Cisco’s FamilyShield name servers (208.67.222.123 & 208.67.220.123) to clients for DNS. These DNS resolvers block both malware and adult content. I should further lock down the firewall rules so that these are the ONLY allowed DNS servers, but I did not do that in this proof of concept.
Now – is this perfect? Absolutely not. But it’s a decent start. The one thing that you do have to do is pre-authorize these DNS servers in the Hotspot profile which we’ll cover next.
UniFi Configuration
I started by creating 2 networks – one for the main ‘Secure’ LAN, and then another VLAN-only network for GUESTS. While I created the ‘Secure’ LAN network as an actual network, I disabled DHCP and all other services since the ER-X is handling all of that (UniFi wouldn’t be able to do anything with DHCP anyway since I don’t have a UniFi firewall).
Clicking on the GUESTS network, we can see a very simple VLAN-only setup.
I also created two separate wireless networks. Once is a WPA2 password protected ‘unthrottled’ network for the secure LAN, and the second one is our ‘Public Internet’ Guest WiFi that we’re going to focus on here in this tutorial.
Digging into my ‘Public Internet’ SSID, we can see that I set the VLAN to GUESTS (VLAN 51).
A few other settings after we change ‘Advanced’ from Auto to Manual.
First, I set the WiFi Type to ‘Guest Hotspot.’ We’ll go over our Guest Hotspot portal settings in a moment. I also set Bandwidth Profile to ‘Guests’ though I’m not sure that actually makes any difference (we can throttle our users’ bandwidth in the Guest Hotspot settings, so I think that overrides the Bandwidth Profile setting).
I also made sure to enable Client Device Isolation so that users on the network can’t communicate with any other devices other than the Internet.
Next, let’s head over to Profiles and click on the ‘Default’ profile under Guest Hotspot. There are numerous settings here starting with Authentication Type, which I am only using Payment. This allows me to connect the captive portal to a payment processor (in my case, Stripe) in order to collect payments from users’ credit cards.
I then set up 3 different packages – these are just for testing – you can adjust your Internet packages to suit your own situation. In my case however, I have a free 10 minute option (first 10 mins free just to get ya hooked), a 4 hour option for $5.99, and a 24 hour option for $9.99.
Within each of these options, I have throttled the total bandwidth per user down to 10Mbps download and 5Mbps upload. As far as what data I’m collecting from users, it’s basically everything available (name/address/email/etc.), but I’m only requiring Country (required by default), and email address. Everything else is optional.
Since I’m not testing this live, I may have to adjust which fields are mandatory – address and/or Zip/Postal code for instance may be needed in order to process credit card payments. But these settings do work fine when testing with Stripe’s test API and fake credit card numbers.
NOTE: There are some issues with UniFi’s new interface and the Guest Hotspot settings. Sometimes you can make changes and hit ‘Apply’ and it works fine – other times, hitting ‘Apply’ does nothing (including not saving any of your changes). This is incredibly frustrating, but there is a workaround – you just have to go to System –> Advanced, and then switch Interface to ‘Legacy.’ Once you’re in the Legacy interface, you can go to Settings –> Guest Control and make whatever changes you need.
I turned the Guest Landing Page ‘on’ and then picked one of the images out of the Unsplash gallery. Uploaded a logo, enabled Terms and Conditions, and that was basically it for a super simple captive portal. You could certainly spend a lot of time making this look at heck of a lot more professional, but for our testing purposes, this works great.
The final setting that I configured was down under ‘Advanced,’ which I switched to ‘Manual.’ Since we’re using the Cisco FamilyShield name servers from our DHCP configuration, we need to authorize those name servers so that they can be accessed before our users pay for their Internet service.
Notice in those manual settings that you can also set up your own redirect page after a successful authentication – another option you may want to consider.
That’s basically it for our captive portal – now, when users connect to our ‘Public Internet’ SSID, they’re presented with a captive portal pop-up that allows them to select which Internet package they want and pay via Stripe. Once the payment is successful, they are authorized to use the Internet.
Once connected, if you run a speed test, you should be locked down to 10Mbps download / 5Mbps upload as we configured. You’re now ready to go sell some Internet!
Power
OK – huge consideration here – power. In my test setup, I am using an Ecoflow Delta 1300. It has a huge amount of power storage, and if you’re running Starlink, you’re gonna need it. In my testing, the ‘network in a box’ that I set up above pulls about 25 watts – but when you add in Starlink, that jumps up to 75 watts or more. I tested out the total capacity of this setup running on a fully charged Ecoflow Delta, and it kept everything online for almost exactly 8 hours. Which is pretty impressive overall, but certainly won’t be a complete power solution without recharging. So what are some options?
You could go with a generator, but of course, that’s noisy, and if you’re in a camping situation, may not be the best idea. You can also charge up the Ecoflow Delta with solar, but the power draw of the Starlink dish + the network in a box would need a heck of a lot of solar to keep it charged up 100% – and it would certainly not last overnight.
So – again, you’d have to get creative here. Perhaps you could have 2 Ecoflow Delta units – one that is charging up while the other one is in use.
Layer 7 Filtering
The setup I detailed above is pretty nice – but it’s not perfect. One issue is that there is no way to do Layer 7 filtering. If you’re using something like an AT&T SIM card for your Internet, if someone connects to your SSID and starts downloading pirated movies via bittorrent, YOU are going to get the nasty letters about pirating movies, and YOUR Internet account is at risk. So that’s something that you would want to try to curb as much as possible.
Another example – perhaps you want to allow people to do basic web surfing, check their emails, post to social media, etc., but you don’t want them sucking up all of your bandwidth watching Netflix and Disney+. There is no way to prevent streaming services with this current set of equipment – so what are the options?
One option is to use a different firewall such as the Netgate pfSense 1100. The pfSense appliances can be configured with add-on packages for blocking services at the application level. Unfortunately though, these appliances are more expensive, have a stronger learning curve, and are not powered by PoE, so you’d need to have another power cord in the mix. Not really an ideal solution.
Configuration B
So what about the UDR then? That’s right – the UniFi Dream Router. The UDR is a solution that may actually work in more ways than one. First of all, the UDR has a built in switch with 2 PoE ports, its own embedded access point, and a UniFi controller all built in. It very much simplifies our network-in-a-box setup down to a single device.
The UDR also only draws about 7-8 watts on its own, which saves some power and extends the battery life of the Ecoflow Delta. It has Protect onboard, so you could still connect a camera to one of the PoE ports, though the onboard storage for Protect is fairly minimal, so I would set the camera to motion event recording only.
As far as the access point itself, there is a spare PoE port – you could use the onboard AP of the UDR only, or you could add in a supplementary AP for an even larger coverage area. For instance, you could still use the same UAP-AC-M access point, but put it on a 100′ Ethernet cable and extend it further from the UDR base thus greatly increasing and extending the coverage area of the overall solution.
Since the UDR is a UniFi firewall, it can also do all of the Application Layer filtering that we want. You could basically set up the networks, VLANs, and SSID’s exactly the same way we did in Configuration A, except now you can click on Traffic Management and add a new rule for blocking various types of traffic on the GUESTS network – here is an example of a simple rule that blocks Peer-to-peer, File transfers, and Media streaming services:
Additionally, you can do Content Filtering on the GUESTS network as well – it’s built into UniFi.
The built in content filtering *may* eliminate the need to use Cisco’s FamilyShield DNS servers. I say that it *may* eliminate the need because I haven’t done any testing on the UniFi content blocking vs. the Cisco FamilyShield blocking – there isn’t too much info about how UniFi blocks stuff, or how well maintained their blocked sites are.
Cost-wise, the UDR solution is a bit cheaper too. Configuration A comes in at just under $2150 for all of the equipment – Configuration B saves you about $168 (and if you don’t go for the extra access point, it saves you $317).
Given this difference in price, and the fact that Configuration B has built in Application Layer filtering, it’s hard to deny that the UDR may be the right tool for the job here. There are a couple of downsides however – first of all, the UDR is incredibly hard to get your hands on. It is almost always out of stock, and when it does come in stock, it sells out almost immediately. Make sure to check out UINotify.net for all of the latest product in-stock notifications!
Another downside is that the UDR hardware *may* not be quite as robust as the hardware in Configuration A – there are numerous posts in the Ubiquiti forums about the UDR locking up, or rebooting itself, other folks experience unreliable connectivity – so if you’re lugging the UDR around to various locations, and it’s getting jostled around and unplugged constantly, it’s possible that it will fail whereas Configuration A’s hardware is seemingly more robust.
In either configuration, it would probably be a good idea to have redundancy in the hardware regardless – doubles the cost, but also would help in a pinch!
Financials
Alright – let’s talk numbers here. Keep in mind that these numbers are totally made up. Let’s say you brought this setup to an event that had 10,000 people and zero Internet access. Hypothetically, let’s say that 1% of attendees per day (100 people) sign up for the 4-hour plan, and 0.5% (50 people) sign up for the 24 hour plan. Over the course of a 3-day festival, you could possibly make just under $3,300 bucks. That would be a pretty successful Starlink Side Hustle!
That kind of money would more than pay for all of the equipment, and if the equipment is already paid for, it would likely pay for your trip to the event! There of course are other costs involved including paying for power to charge up your batteries, or fuel for a generator, etc. – but you get the general idea here.
If anyone out there reading this post has done something like this, or if you use this post and actually make some money, I’d love to hear about your solution, what problems you encountered, and how much profit you made! Post your comments down below!
Final Thoughts
Of course all of this depends on your own moral compass as to whether or not you’d actually want to charge for Internet at a remote event. You may want to just be super nice and lug this whole setup out to the middle of nowhere in order to provide Internet for free! Or you may just want to set up a network-in-a-box like this in order to have it on standby in the event of a disaster. Whatever you ultimately do with a setup like this, I think it’s a super interesting idea, and absolutely very feasible.
How would you improve this setup? Let me know down in the comments below.
If you’re interested in helping to support the work we do here at Crosstalk Solutions, please consider buying me a beer! Or you can always check out all of our awesome merch in our online store.
-
2FA FTW T-ShirtProduct on sale$29.00 -
Network the Moon T-ShirtProduct on sale$29.00 -
Felix the Network Weasel DALL-E Sticker$5.00 -
Crosstalk Magnetic Dish$12.75 -
Crosstalk Schwag Bag$9.99
Comments 1
Thanks for all the awesome videos!
Any tricks for captive portals when dealing with iPhones and private/random Wi-Fi MAC addresses?