Ask the Wi-Fi Guru About Firesheep, PPPOE and Locked Routers

By Aaron Weiss

May 12, 2011

Our monthly Q&A series offers advice to those seeking help with home or small business WLANs. This month our guru explains the fuss about Firesheep, helps a reader get Tomato and PPPOE talking, and explains how to get back into a router that's locked you out.

Our monthly Q&A series offers advice to those seeking help with home or small business WLANs. This month our guru explains the fuss about Firesheep, helps a reader get Tomato and PPPOE talking, and explains how to get back into a router that's locked you out.

Would you like to ask the guru a question? Write the editor.


This isn't exactly breaking news, but seeing as network security is an ever-present fixture of the news, Wi-Fi users should be tuned into the issues raised by "Firesheep". What is a Firesheep? The software is an add-on for Firefox that can reveal some startling vulnerabilities in your wireless activity.

Firesheep runs alongside your Firefox browser and sniffs the network for unencrypted cookies with session credentials for sites like Facebook, Twitter, and even some webmail services. Scenario: you are at a public library with free Wi-Fi. You have logged into your Facebook account. Another user sitting a few feet away launches Firesheep. They see your Facebook session cookie flying through the network, and can grab it. This is called "session hijacking" and basically allows the user to masquerade as you, effectively giving them full access to your Facebook account -- or any other Web service that Firesheep catches a session cookie for.

There are many more sophisticated packet sniffers than Firesheep, but this software helps illustrate the ease of session hijacking on an open Wi-Fi network. Your defense against session hijacking is to use encryption. If possible, use HTTPS (SSL-encrypted HTTP) -- you know you're using HTTPS when your browser displays a lock icon, like when you access your bank Web site. Sites like Facebook, Twitter, and Gmail provide an HTTPS option. Use it!

A Wi-Fi network protected with WPA2 is even better. Even if every user in the room knows the WPA2 password, individual sessions are still encrypted. Session cookies will be protected from hijacking. If you run a hotspot, such as a café, you can provide to your customers security by enabling WPA2 security on your wireless router and posting the password for everyone to use.

Why can't I get Tomato and PPPOE to work together?

Q:I have a TD8816TP modem and a WRT54G v 1.1 router loaded with Tomato firmware. The modem is set on bridge mode at the IP address 192.168.1.1. Tomato is doing the PPPOE session, with LAN IP 192.168.3.1 and my two wireless PC's are 192.168.3.125 & 192.168.3.126 all worked fine for 5 years BUT…I change my internet service for a ADSL 2+ and the Tomato PPPOE session disconnect every single time when I pick up the phone.

After doing all tests (change filters, put double filters, change phone, etc.), I bypass the Tomato router, put the PPPOE session on the modem and it works very well when I pick up the phone.

What I want to do is to use the modem to do the PPPOE session and the router to do the wireless to my PCs. It's possible? If it's possible I want to keep the address of my PCs unchanged. - G.C.

A: This problem is actually a lot simpler than it sounds. But first let's unravel a few issues.

The funny term "PPPoE" (PPP-over-Ethernet) is a connection protocol primarily used for DSL connections. Old people like me remember dial-up connections over analog phone lines, which often used the PPP protocol.

If you have a DSL modem which has a built in multi-port router and wireless radio, then one device is all you really need. But if your DSL modem is not also a wireless router, you need a separate box to create a wireless LAN. Or, you may simply want a separate wireless router if you intend to use an open source firmware like DD-WRT or Tomato.

In this case, either the DSL modem or the router can establish the PPPoE login, but not both. In the "bridge" mode referred to here, the DSL modem is not performing PPPoE, leaving it to the router.

But you're having a problem with this, since your router is dropping the PPPoE connection when you pick up the phone. Diagnosing a potential DSL line problem is way beyond our scope, so let's work with the situation as it is. Anyway, in my experience, setting a DSL modem into bridge mode to shift PPPoE to the router is not always as simple as it should be. And doesn't always work that well.

You already know that letting your DSL modem take care of PPPoE is more reliable. So let's stick with that.

Configure your DSL modem to PPPoE rather than bridge. Connect the Ethernet port on the DSL modem to the Internet/WAN port on your router, not one of the LAN ports.

Set your router's WAN mode to DHCP rather than PPPoE. The DSL modem's built in DHCP server will hand out an address to your router--in your case, something like 192.168.1.100, but it doesn't matter what it is.

Configure your router's LAN address to your other subnet--192.168.3.1, based on your information. Be sure the router's DHCP server is enabled.

To keep the same IP addresses for your clients that you've been using, you could just configure two static DHCP entries in Tomato. This allows you to specify exactly which IP address will be assigned to each client based on that client's MAC address. Or, you could just configure your DHCP pool to start at 192.168.3.125, which might work fine if these are your only two clients.

You may want to disable any firewall on your DSL modem, if there is one, and rely on the (probably superior) firewall on your wireless router.

My Netgear router locked me out. Now what?

Q:My router locked me out of the wireless part I was trying to configure when I messed up, I have a Netgear. - Garvin

A: Since I don't know exactly what is going on here, let's talk about resetting a router. If you can't access your router or it is asking for a login you don't know, your safety net is to perform a reset.

Most wireless routers have a reset button, usually on the rear. It is small and recessed, so you typically need a pen point or paperclip to push it in. Depress the reset button and keep it down. Eventually--usually in 15-30 seconds--you will see the router lights go on and off and maybe start blinking. The router will reboot itself with factory set defaults.

The user guide to your router should include the default username and password to access the administration page. Or you can consult this handy Web site which has a searchable list of default logins for most wireless routers.



Comment and Contribute
(Maximum characters: 1200). You have
characters left.