3G Femtocell at home: can anybody connect, and is all traffic encrypted?

Whether the traffic is encrypted it's up to the femtocell manufacturer. You haven't provided much details, so I can only suggest you pull out wireshark and see what happens. Most likely traffic should go through via SSL, although I won't be surprised if there was no mechanism for updating CRLs and/or maintenance and open ports on the cell itself.

If I were to implement it, a low-cost solution would be to put a self-signed certificate on the box. The chances of somebody breaking into the hardware, stealing the certificate and using it for impersonating MitM attacks are small and if somebody is so well intentioned there are better devices such as stingrays which are less apparent. I've mentioned the need to stay low-cost as these devices are produced with tiny margins and often subsidised by the mobile operator.

Regarding your second question - whether anybody can connect to the device - the answer is both yes and no. When I asked my provider to set me up with a femtocell they asked for my mobile number and I suppose they set up the cell to recognise my IMEI - and since the device has no 'control panel' and it's behind my home router as NAT I assume there is some kind of ACL the device pulls remotely to see who is allowed to connect and who is not. Therefore, anyone authorized can connect, and this is probably defined server-side. Unfortunately I do not know enough about GSM standards to be sure how this is done in detail.

Lastly, regarding whether a phone has access to the local LAN, in the device I use this is not the case. In fact, I can "go online with 3G" through the femtocell and my phone's IP is of the mobile provider, not of my ISP. Therefore all traffic (data and voice) must be simply sent over the SSL tunnel to the mobile operator, which then takes care of routing it accordingly. I'm again assuming that, given the low cost of the device, a mobile operator has no interest in setting up complex routing policies to let data traffic go through a customer's LAN. This would also reduce helpdesk costs, as dealing with a home network might be very complex.

According to this , your traffic is encrypted and safe (ipsec)

According to wikipedia's article on Femtocells, you have to manually authorize what phone is able to connect to the network (and there is an upper limit), and these phones have to be on the same mobile provider as the femtocell's.

So if John wants to spy on you, he has to authorize your phone and you have to be on the same provider. He also has to act as MitM and break the encryption, or install a rogue femtocell (you definitively have really interesting information on your phone if it comes to that).

From what i've read here and there, no, you don't have access to local LAN, everything is encapsulated with their telecom specific protocols, so you do go through the local LAN but you can't see it. It's as transparent as using a regular cell tower, except coverage.

Now if John works for the NSA, he probably uses a fake femtocell, and you'r screwed. (check here)