By Aaron Weiss
July 16, 2009
This month our Guru ponders several WLAN mysteries–including one unsolved. Can you help?
Our monthly Q&A series offers advice to those seeking help with home or small business WLANs.
At the risk of imperiling my credibility here, allow me to make a confession—I am not much of an early adopter. Early adopters are necessary for the technology ecosystem. We all benefit from their bold and courageous trendiness. But early adoption is hard on the wallet. And so it wasn’t until recently that I got my hands on an iPhone.
What a useful gadget! But I don’t care about the phone. Or the visual voicemail. Or iTunes. What I like is that the iPhone is a handy Wi-Fi finder! Whether using only Apple’s built-in wireless scanner, or third-party apps like Wi-Finder/Wi-Fi Checker or Wi-FiFoFum, it is entertaining and enlightening to walk down a city block with iPhone in hand taking in the wireless scene. Which networks are unsecured? Which have default SSIDs? And which have funny names like IF****dYourBoyfriend (true story)? You don’t even need to subscribe to phone service to use the iPhone this way, and you can pick up an older first-generation model for much less moolah than the early adopters paid. So there.
Q: I’m trying to set up a wireless network for a condo complex. I’ve got equipment coming to broadcast a 2.4GHz signal around the complex with a login/password system. The plan was to give each condo owner one account, but families with multiple computers will need more than one account. Would it be possible to configure a wireless router as a wireless bridge so that a condo would still only have one account to the complex network, but could have Internet access on their own personal home networks? – Jason
A: I agree that with a setup like this, you don’t want to overly inconvenience the customers, i.e., the condo owners. Not only will some (many) people have multiple computers, but people will have visitors toting their own laptops/netbooks/smartphones. In this day and age, offering your guests a Wi-Fi connection with their cold beverage is just common courtesy.
One question is how this login system is being deployed. Are these customers logging in through a Web-based portal, or is this network-level authentication like PPPoE or DHCP with login or even WPA with a RADIUS server?
The wireless bridge idea poses two problems. One, in wireless bridge mode the router acts as a receiver (client) and passes the connection on to the devices plugged into its wired ports. A wireless bridge is not the same thing as a wireless repeater, and so a bridge would not help condo residents who want to get online wirelessly, which presumably will be many of them.
Second, if residents are logging in through a Web-based portal—like you do at fee-based access points and many hotels—there isn’t any easy way for the router to do this. The router would have to behave like a Web client, which is not how they work. (I imagine this is possible with firmware like DD-WRT or OpenWRT combined with custom shell scripting, but that doesn’t seem like an appropriate solution here).
You could concoct a more complex solution to this problem. For example:
– Set up a WDS network throughout the complex so that the routers in each unit essentially act like repeaters, allowing anyone to get to the portal where they log in. This might work for a small-ish condo complex—depending on the hardware you’re using, it may only support anywhere from eight to several dozen WDS links.
– Install a router configured as a client bridge in each unit, and add its MAC address to the whitelist filter on the complex’s primary router. Eliminate the login, since you’re now authorizing the routers. Clients can either plug wired devices into the client bridge router, or buy their own wireless router and plug it into the bridge router, just like subscribers to cable or DSL might do to supply their own wireless network.
I would question the point behind the login system. If the goal is to prevent people near but outside the complex from accessing the network, why not instead use WPA or WPA2 encryption and give condo residents the password? Sure, someone could leak the password to a neighbor in an apartment next door, but they could leak the portal login, too. Residents can give the password to visitors and guests without too much fuss. You’d still prevent drive-by wireless hijacking without incurring the burden of individual logins. Of course, there are a lot of unknown details to this scenario, so perhaps there is more to the story.
Q: I’ve got a house made out of lead. Well, 1945-style chicken wire plus plaster–it doesn’t do well with 2.4GHz. I wired my house with gigabit Ethernet. My main router is in the basement, a Linksys WRT54GSv4, and a secondary router is in my office on the 2nd floor, a Buffalo WHR-G54S. Both are running Tomato 1.25.
I want to have both running wireless on the same SSID, except that instead of using a wireless connection back to my main Linksys router, I want my Buffalo router to use a wired connection, to avoid unnecessary wireless traffic that the wired network can’t handle. Any ideas? – Peter
A: One thing you can say about previous generations is that although they were hard workers who persevered through difficult times, they were very shortsighted. Building a house that blocks Wi-Fi signals? It sounds like a cruel joke. Did they not think about future generations at all? Well, the damage is done, so here we are.
If I understand the scenario correctly, this should be doable. You want to feed both routers by wire. The Linksys router is in the basement, where presumably it is connected by wire to the incoming broadband connection, such as cable or DSL. You’ve run Ethernet through your chicken-wire-enmeshed house, so you can plug the upstairs Buffalo router directly into the LAN. But because the wireless signal does not travel through floors well, you want to use these two routers to create a roaming network throughout the house.
To do this, you want to set up the upstairs router as an AP, or access point. As an AP it will forfeit most of its functions as a router, and simply be an extension of your primary router downstairs.
Since you already have Ethernet cable running upstairs, plug it into one of your upstairs router’s LAN ports—not the Internet or WAN port. This will bypass the upstairs router’s “routing” (NAT) feature.
On the upstairs router, disable its DHCP server and firewall. These functions are being provided by your primary router. This router will have no WAN address. Manually configure its LAN address to something compatible with your LAN and outside the primary router’s DHCP pool, so the two never hand out the same address. In other words, if your primary router is 192.168.1.1, configure the secondary router to 192.168.1.2.
For the wireless settings on your secondary router, configure it with the same SSID as your primary router, as well as the same encryption protocol and password. If your primary router is using WPA2 with a password of bigpassword, set those same parameters upstairs.
However, you want to set the two routers to use different broadcast channels, ideally ones that don’t overlap (in the 2.4GHz band, channels 1, 6 and 11 are clear of each other). This may require some experimentation. Some routers are set to use “auto,” which means that they will scan for an available frequency and choose it—setting both to auto may work in your case. If not, try manually setting your primary router to one channel—say, channel 1—and your AP router to another—perhaps channel 6.
Ideally, if your wireless clients are smart, they’ll pick up whichever router has the stronger signal as you move around the house.
Q: I have a system that generates the last two digits of its MAC address randomly every time it boots. I wanted to ask if you think DD-WRT would recognize a wildcard ** in the last two spots of the MAC address for setting a static IP automatically through DHCP. If I were to simply set the machine with a static IP, would that work with DHCP? – Mike
A: Interesting. (Strokes beard.) Interesssting.
The MAC address is like a serial number for the network adapter. Routers identify clients by their MAC address and can make certain decisions based on that information—for example, whether to include or exclude them from the network (using a MAC whitelist), or what IP address to assign them.
In many DHCP implementations, when a device connects that has been connected previously, the router will “remember” it by its MAC address and assign it the same IP it had before. There are many reasons why this might not happen, but it often does.
Plus, some routers support what is known as “static DHCP” wherein you can manually assign a specific LAN IP address to a specific MAC address. In other words, you would be telling the router “every time the machine with MAC address xyz connects, assign it the IP address a.b.c.d.”
Theoretically a MAC address is supposed to be a permanent identifier, but in practice it is easy to change. Often this is done for shady purposes—to masquerade as a different PC, for example. Not that we’re accusing Mike of anything by changing his MAC address on every boot. I’m sure there is a very good reason.
The short answer is no, I don’t know of any way for DD-WRT to recognize a wildcard in assigning a static DHCP IP.
Can you manually configure a static IP for the machine with the chameleon-like MAC address? Sure—do it on the client side. You’ll need to set not only the static IP on the client, but also the netmask (usually 255.255.255.0) and the gateway (the IP address of the router itself), and probably also the nameserver (in most cases, also the IP address of the router).
Be sure to assign a static IP that is outside the router’s DHCP pool. If the router is configured to assign addresses from 192.168.1.100-192.168.1.149, your static IP should be below or above this range. Since your client machine will never even contact the DHCP server, the router will not show this PC as an attached client.
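The AP setup steps given to Peter above and the static-IP advice just given to Mike share the same sanity checks (same LAN, outside the DHCP pool, matching SSID and security, non-overlapping channels). This added checker, not from the column or from Tomato/DD-WRT, encodes them; the router and client values are constructed samples and the dictionary field names are my own.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: the basement router from the column (WPA2, pool .100-.149).
PRIMARY = {"lan_ip": "192.168.1.1", "netmask": "255.255.255.0",
           "dhcp_start": "192.168.1.100", "dhcp_end": "192.168.1.149",
           "ssid": "homenet", "security": "WPA2", "passphrase": "bigpassword",
           "channel": "1"}
AP = {"lan_ip": "192.168.1.2", "ssid": "homenet", "security": "WPA2",
      "passphrase": "bigpassword", "channel": "6", "dhcp_enabled": False,
      "uplink_port": "lan"}
CLIENT = {"ip": "192.168.1.50", "netmask": "255.255.255.0", "gateway": "192.168.1.1"}

def channels_overlap(a, b):
    # 2.4 GHz channels less than 5 apart share spectrum; 1/6/11 are clear.
    if "auto" in (a, b):
        return False  # the router picks at scan time; cannot judge statically
    return abs(int(a) - int(b)) < 5

def address_problems(router, ip, label):
    # A fixed address must be on the LAN and outside the router's DHCP pool.
    net = IPv4Network(f"{router['lan_ip']}/{router['netmask']}", strict=False)
    lo, hi = IPv4Address(router["dhcp_start"]), IPv4Address(router["dhcp_end"])
    ip = IPv4Address(ip)
    if ip not in net:
        return [f"{label} {ip} is not in LAN {net}"]
    if lo <= ip <= hi:
        return [f"{label} {ip} is inside the DHCP pool {lo}-{hi}"]
    return []

def check_secondary_ap(primary, ap):
    # Wired second router as AP: same SSID/security, clear channel, no DHCP,
    # uplink on a LAN port, and its own address outside the pool.
    problems = [f"{k} differs from primary" for k in ("ssid", "security", "passphrase")
                if primary[k] != ap[k]]
    if channels_overlap(primary["channel"], ap["channel"]):
        problems.append("channels overlap: use e.g. 1 and 6")
    if ap["dhcp_enabled"]:
        problems.append("disable the DHCP server on the AP")
    if ap["uplink_port"] != "lan":
        problems.append("plug the uplink into a LAN port, not the WAN port")
    return problems + address_problems(primary, ap["lan_ip"], "AP LAN address")

def check_static_client(primary, client):
    # Client-side static IP: outside the pool, with the router's netmask and gateway.
    problems = address_problems(primary, client["ip"], "client IP")
    if client["netmask"] != primary["netmask"]:
        problems.append("netmask must match the router's")
    if client["gateway"] != primary["lan_ip"]:
        problems.append("gateway must be the router's LAN address")
    return problems
```

An empty list from either check means the configuration matches the advice in the column.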
There are many good reasons to set a static IP address (running local servers, for example), although I remain curious why one would want to change their MAC address, especially so often.
Q: I would like to find a simple Wi-Fi alphanumeric pager to use as a reminder for disabled clients, adapting a calendar program that makes cell phone calls. For our clients the pager would have to be simple, one or two buttons, run directly from the Wi-Fi LAN of the home computer. The system would be for single clients, living at home, not an enterprise system. – John
A: The short answer is that I don’t know. My research into this question did not turn up any promising leads. But this sounds like a useful project, so I would love to hear from any readers who might have ideas, pointers, or links for John. Respond publicly via the Comments section below, or click on my name above to send an e-mail to the Guru.