Mar 27 2009
Today wireless is everywhere. At any point in your city your laptop or PDA will find a dozen wireless access points, more or less secured: in office buildings, on the streets, in the park, in your neighborhood (no matter whether you live in a house or an apartment building).
Adding wireless to your home is cool since you can connect devices to your home LAN without drilling holes in your walls and filling them with wires, whether to enable internet access from your bedroom or to connect your HTPC to your wireless NAS.
Choosing an access point is easy since the technology itself has matured enough, and usually you cannot go wrong with products from Asus, Acer, MSI, Netgear, D-Link, Zyxel and others. My pick, however, is Linksys. Mostly because it is a Cisco Systems OEM (I feel a bit nostalgic for my network administration period). Second is price (more expensive in its class, but still very affordable). The third reason is signal strength: 2 layers of concrete walls are not a problem for a Linksys (I can actually pick up my network from across the street, or browse the internet from my toilet – well, I’m not actually doing this, but the potential is there and ready to be leveraged… ).
But why should you get a wireless access point when you can get a wireless router for the same money, with more functionality in the same box? A wireless router can be set up as a plain wireless access point, or it can directly connect your home network to your ADSL modem, to a PPPoE ISP, or to a plain WAN Ethernet interface. A wireless router can also be used to connect 2 or more wireless networks. In need of a DMZ? That can be done too.
The majority of wireless broadband routers, as is the case with my Linksys WRT54GL, offer, besides the standard WAN Ethernet interface and the wireless LAN, additional wired RJ-45 Ethernet interfaces for the LAN. Those additional wired RJ-45 LAN interfaces are what allow the wireless router to be configured as a plain access point. Here is how:
- Completely ignore the wireless router’s WAN port (do not connect any cables to it). If anything is configured or attached there, the router will try to do its best job, which is to route, but we don’t want that.
- Connect the router to your LAN switch via one of the 4 available RJ-45 LAN ports.
- Access the management interface of the router via HTTP. For the Linksys WRT54GL the default management address is 192.168.1.1 (check the manual for yours). If your network is not in the 192.168.1.1/24 subnet, or one of your important network infrastructure devices already uses the 192.168.1.1 IP, connect one of your computers or laptops directly to the router (no cross-over cable needed) and give it an arbitrary IP from the same class.
- Set up the desired management IP address (I’ve put 192.168.0.127 on mine).
- Re-enter the management interface using the new address.
- Double-check that the wireless router’s WAN interface is in its default DHCP mode.
- Set up the wireless network type.
- You’re done.
For IP address assignment to the wireless clients there are 2 options. The simplest is to configure a DHCP scope on the router that is in the same subnet as the rest of your LAN. The drawback here is that your wireless clients cannot reach the internet, because the default gateway assigned via the DHCP lease will be the IP address of the Linksys. Your clients can therefore access resources on your LAN without problems, but not the internet, since no route is configured between your internet default gateway (192.168.0.1 in my case – see above picture) and the Linksys WRT54GL.
The second and smarter option is to disable the DHCP server of the Linksys and build a DHCP scope on one of the servers in your LAN. You do not need a full-blown DHCP server authorized in Active Directory here. Any open source DHCP server will do (even one installed on your Windows or Linux workstation). The scope must include the address range, subnet mask, DNS server (if you do not rely on the “hosts” file anymore) and default gateway. This way, after the physical link has been established on 802.11b/g, the client broadcasts a DHCP request packet to 255.255.255.255; the request is passed to all devices on your LAN and your DHCP server responds with a valid IP address. Your wireless clients can now access both your internal LAN resources and external ones (as the correct default gateway has been configured in the DHCP scope).
A few more words about securing your wireless network, since you do not want to provide internet service to your whole neighborhood.
- Set a strong administrative password for the wireless router’s management interface (disable HTTP and enable HTTPS-only access). By default, the administrative password for the Linksys WRT54GL is “admin”, as I remember.
- Enable Media Access Control (MAC) address filtering. This way only the MAC addresses in the access list are allowed to communicate with the wireless router. The “getmac” command will help you determine the MAC address of your laptop’s wireless NIC. If that does not help, the MAC address is usually printed on the back of each wireless-enabled device (PDAs, HTPCs, media boxes, wireless SAN, etc.). So make a list of all of them and enter them in the MAC filtering table of your router.
- Enable only WPA2 (Wi-Fi Protected Access) authentication with 128-bit AES encryption. Disable plain WPA + TKIP and WEP (Wired Equivalent Privacy), as both plain WPA and WEP are legacy algorithms with serious security flaws. If you are forced to choose between WEP and WPA/TKIP because of legacy wireless client compatibility, go for the lesser evil: WPA/TKIP.
- And finally, from the “security through obscurity” series, disable SSID broadcast. What this does is very simple: the wireless network name will not be shown to someone searching for a wireless network. The network will either not be shown at all or will show up as “Unknown Network”. This requires anyone trying to connect to your network to know your SSID (Service Set Identifier) name beforehand. This is not a security measure that should substitute for the other 3 above, as a determined hacker can easily find out your SSID by sniffing your wireless network traffic (SSIDs are sent in clear text during the 802.11 handshake).
If you want an additional layer of security in your network, on your DHCP machine make a scope that allows only a number of DHCP leases equal to your number of wireless devices (which have already been MAC-filtered on your wireless router). Then assign IP address reservations in the scope that link the MAC addresses of your wireless clients to unique IP addresses from your subnet. That is: if I have 3 wireless devices, I filter the MACs on the wireless router and I create a DHCP scope with only 3 addresses for lease; in the same scope I then create 3 IP reservations assigned to those same MACs.
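As an added example (not the post’s own configuration, and not tied to any particular server the author used), here is a dnsmasq configuration that implements both the LAN-side DHCP scope described above (range, mask, DNS, default gateway) and the lease-limiting and MAC reservations just discussed. It assumes the post’s layout: LAN 192.168.0.0/24 with the internet gateway at 192.168.0.1. The DNS server address 192.168.0.10, the interface name eth0, the three MAC addresses and the host names are constructed placeholders.

```conf
# Added example, not the post's own configuration: dnsmasq acting as the
# LAN DHCP server while the WRT54GL's built-in DHCP server is disabled.
# Assumed: LAN 192.168.0.0/24, internet gateway 192.168.0.1 (from the post).
# The DNS server address, interface name and MAC addresses are placeholders.

port=0                       # DHCP only: do not also act as a DNS server
interface=eth0               # LAN-facing interface of the DHCP host (assumed)
bind-interfaces
dhcp-authoritative

# The scope: exactly three leasable addresses, one per wireless device.
dhcp-range=192.168.0.201,192.168.0.203,255.255.255.0,24h

# Options the post says the scope must carry: default gateway and DNS.
# The gateway is the real internet router, not the Linksys management IP.
dhcp-option=option:router,192.168.0.1
dhcp-option=option:dns-server,192.168.0.10      # assumed LAN DNS server

# One reservation per MAC already present in the router's MAC filter table.
# The reserved addresses fill the whole range, so nothing is left for others.
dhcp-host=00:11:22:33:44:01,192.168.0.201,laptop    # placeholder MAC
dhcp-host=00:11:22:33:44:02,192.168.0.202,htpc      # placeholder MAC
dhcp-host=00:11:22:33:44:03,192.168.0.203,pda       # placeholder MAC

# Server-side complement to the router's MAC filter: ignore any client whose
# MAC has no dhcp-host line ("known" is the tag dnsmasq sets for such clients).
dhcp-ignore=tag:!known
```

Check the file with `dnsmasq --test -C /path/to/this.conf` before starting the service. Note that this only limits who gets an address from your server; a client that configures a static IP in the subnet still bypasses it, which is why the MAC filter and WPA2 on the router remain the primary controls.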
This is how you can set up a Linksys WRT54GL (and not only that model) wireless broadband router as a plain wireless access point and secure your newly created wireless network.
BTW: if you are confused about the differences between the WRT54GL and the WRT54G, the GL model is newer and the L stands for Linux, as the WRT54GL firmware comes packed with a mini Linux kernel.