The Challenge
After spending a month and a half in Mbingo teaching a networking class and listening to all
the regional hospital's IT directors talk about their needs, I was off to create a solution. What came out of it a month later is my
first release of CHIAS (CBC Hospital Internet Access System), an add-in to IPFire that modifies it to do something
it could never do before: make money...I mean make Internet Systems
in Africa sustainable. Surprisingly to me, there is no
open-source software out there that really does this well in an African
context. Why you ask? We don't use electronic money
here. Yep no credit cards, debit cards, PayPal, even salaries are all paid in cash. While there are
a ton of solutions out there that work great in a first world
scenario because of this, few to none use good old fashion cash. The flow
would need to work something like this: a potential user (patient, doctor, visitor, employee,
resident) is made aware of the wireless/wired Internet system. They
may attempt to connect and get on via wireless, but they will not be able to
access the Internet because a captive portal page would come up.
The Solution
In many places in Africa, hospitals, NGOs and the like have setup a low powered computer with 2 NICs that acts like a router/firewall. Using free software such as IPCop, PFSense, IPFire, ClearOS or many others, they are able to have the benefits of a fancy firewall/router for the cost of an old computer. While each of the above mentioned have their pluses and minuses I decided to use IPFire as my starting point. The main advantage to IPFire is it has some powerful filtering and caching abilities that are straight forward to use. The downside is that IPFire, from LFS (Linux From Scratch) is difficult to make changes to because it doesn't have a compiler built-in. You'll need to compile on an external box. BUT that's ok because we want as thin as possible anyway right?
I started with a partially complete open source product called PlayBilling. It needed to be extensively modified but it had a lot of the basic components that I was looking for. The way it actually handled the iptables was not at all going to work out of the box, but the database and administrative reports were perfect. Lots of small modifications like language, currency, and format were modified as well to work in Cameroon.
How it Works: The User Experience
When a user hops on to our wifi system, regardless of what site they try to go to, this page will come up:
An Intranet portal page comes up which gives the user access to locally served resources such as offline Khan Academy, phone directories, hospital information, etc all running locally on the IPFire box. These all work regardless of an Internet connection.
A link to "login" is also visible. Upon clicking on the link
information is presented that the system is available to them for a
fee. In order to use the system they are instructed to go to the person
at the hospital who takes payments and request access.
They would
decide how much to prepay for a certain amount of credit which would get put on their
newly created account. They would sign the acceptable usage policy form there and would then return to their computer with their username and password
which would grant them access.
Upon a successful login, the system then deducts the amount of time they use until they log out or until their account is out of money.
At this point they would need to put more money on their account in order to get back on. An option is available for them to check their account activity to verify proper billing.
How it Works: Administration
Furthermore, the system has a backend interface which allows the administrator to modify the system. They can setup a fee per minute of usage or differing fee based on time online. We are currently charging 300CFA/hour or $.60.
The administrator can create new accounts,
list members and edit each one (obfuscated for privacy),
Create reports summing the total usage for a month per user (obfuscated for privacy)
Or create a report for a given user over a given period to check for any "I forgot to logout" fixes.
One of the main features that I added was the ability to allow certain websites through even if people don't authenticate. In our environment, you want medical staff to be able to access life saving information on the Internet without worrying about cost. We give the staff unlimited access to a bunch of sites that are extremely helpful if not live saving. Double checking the doctors dosage (or challenging handwriting) for drugs on epocrates.com is critical to patient care.
Key Features:
- Transparent Proxy with filtering, caching, update acceleration and Authentication. Nothing needs to be modified on the client device such as proxies or DHCP custom configurations. The firewall either completely blocks the client device from entering the firewall or allows it. The firewall then transparently does all the filtering, caching, virus scanning etc.
- Works with any device including iPhone, Android, PCs, Laptops and Tablets without modification.
- Prepay with cash before use Captive Portal for IPFire
- Alleviates pressure from people wanting to use your connection. If you let one person on, then everyone will want on. Most people who really need Internet know it is well worth $.60/hr.
- Filter unwanted content, track users activities, block sites from different locations (using VLANs)
- Non-authenticated Unlimited Users-You can assign MAC addresses to bypass the authentication altogether but still keep filtering and tracking.
- Khan Academy running on IPFire box using KA-Lite. If you don't know what Khan Academy is then it is well worth researching. It is amazing and lots of people here use it, including me, to learn or polish up their education. Running it offline and on a box that is already running 24x7 is a great way to make it available to all.
- Intranet Portal
Why?
So why is this such an important thing to have? In Africa
bandwidth is expensive and a lot of connections are charged based on
the total amount of data you transfer in a month. Many organizations
don't allow people access to their system because it would probably
put them out of business in bandwidth fees. A system like this is ideal because it
allows access and also allows the system to scale with the
demand. As more people use it, the slower it gets but the more money
it raises. Administrators would then buy a larger connection with
the money raised. A sustainable system is developed which is a
win-win for everyone. Furthermore there is a significant efficiency
gained through this system. IPFire has a download accelerator built
in and a caching server which reduces and deduplicates downloads.
For example, a computer downloading a Microsoft Update for example
will have to pay the full price of it, but each subsequent user will
be able to download the update straight off the firewall at LAN
speeds. This not only reduces costs for the overall system but frees
up limited WAN bandwidth. Frequently, updates will never finish. The system will be stuck in an infinite loop trying to download updates that will never finish.
So Far:
I've been debugging the software for the last few months, trying to get a good feel if this is working well or not. We had a rough start with some devices not being properly billed but a few modifications and they are all working well now. I was surprised as to how in demand this system has become. We were able to pay for 1/3 of our subscription cost from individuals paying for access. This helps the hospital by reducing the cost of the system which they would normally have to front. My hope is to distribute this to other interested hospitals but as I only have a few more months left in the field here, I am not interested in supporting it or updating it with future releases of IPFire.
Interested?
If you are interested in running this software please let me know. I can send you my code but like I said, it is still in beta and this is all for IPFire only. There is no installer so you'll need to know your way around Linux. I do have an installation document but this isn't for the faint at heart!