By Aaron Weiss
October 19, 2009
Our monthly Q&A series offers advice to those seeking help with home or small business WLANs. This month our Guru offers advice on keeping out the bad guys, DHCP servers, Tomato, and more.
If you’ve traveled at all in recent years, you know that you can find some strange things in hotel rooms. Things like the mysterious location of the bathroom light switch, the irritating lack of any accessible power outlets anywhere near the bed, and of course that suspicious carpet stain that conjures up disturbing images.
Not to mention hotels that still charge for wireless Internet access, but provide wired access for free. Of course, to use the wired Internet you’ll probably be tethered to the desk, and it only serves one guest at a time. Solution? I like to travel with a wireless router, such as the CradlePoint CTR500 Cellular-ready travel router [reviewed here] or the Belkin Wireless G Travel Router. Some of the smallest models easily slip between clothing layers in luggage, and then I set up my own personal hotspot in the hotel room. I suppose it’s possible some hotels might look askance, but it seems to me that setting up your own hotspot is preferable to stealing the towels. And the soap. And the shampoo. And the hangers.
Q: I’ve got a wired LAN, and one node is a Wi-Fi router. It’s set up as FiOS->modem->router/firewall->various nodes (like computers, printers, and one Wi-Fi unit). The Wi-Fi router can be connected to the LAN through either its WAN port, or one of its four LAN ports.
If a bad guy breaks into my Wi-Fi router then the results are different depending on whether the Wi-Fi router is connected via its LAN ports or its WAN port, no? How do I configure it to use the WAN port instead? My main router/firewall is 192.168.1.1. —Tracy
A: There are a few reasons why you might include a second router in your network—the most common is to extend the range of your wireless. In this case, the second router would be configured as a “dumb” AP (access point). You would disable its DHCP server and its firewall and manually assign it a LAN IP address compatible with your primary router, for example (in this case) 192.168.1.2. And you would connect the Ethernet cable from your primary router to a LAN port on the second router.
Another reason is to use a second router in your network to isolate a group of clients from your primary LAN. In this scenario, you would connect the Ethernet cable from your primary router to the WAN port on the second router. You would leave enabled the second router’s firewall and (if you wish) DHCP server.
Anyone connected to the second router (legitimately or maliciously) when it is bridged to the primary router via the WAN port would not see resources broadcast by the primary router. In other words, if you have file shares open on machines connected to your primary router, clients on your secondary router would not be able to see these shares.
That said, a determined hacker can probably figure out some key details about your primary router. Your secondary router’s status page may reveal the WAN IP it has been assigned by your primary router, giving the hacker information about your primary subnet. Your secondary router may (or may not) route requests to the primary LAN. Of course, you could set very restrictive rules on the firewall on your secondary router. What this all means is that using your secondary router’s WAN port to create an isolated subnet can handcuff a hacker who has gained access to your secondary router; but this security is not foolproof and may not restrain a highly skilled hacker.
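What "very restrictive rules" on the secondary router can look like in practice, as an added example that is not part of the column and is not DD-WRT's or Tomato's own code: a small firewall script for the secondary router in the WAN-port design. Everything in it is an assumption to adjust for your network: the primary LAN is taken to be 192.168.1.0/24 (the column names 192.168.1.1 as the primary router), the secondary router's own LAN is a different subnet such as 192.168.2.0/24 so that it routes rather than bridges, its LAN bridge interface is br0, and 192.168.2.10 is a constructed placeholder for the one PC allowed to open the secondary router's admin page.

```sh
#!/bin/sh
# Guest-isolation firewall for the SECONDARY router (WAN port cabled to a LAN
# port of the primary router).  Added example, not from the column, DD-WRT or
# Tomato.  All values below are assumptions/placeholders:
#   PRIMARY_LAN  primary router's subnet (column: primary router is 192.168.1.1)
#   LAN_IF       secondary router's LAN bridge (br0 on WRT54G-class builds;
#                confirm with `ifconfig` on your unit)
#   ADMIN_HOST   the only LAN client allowed to reach the web admin page
#                (constructed address on the secondary router's own subnet)
#   IPT          iptables binary; set IPT=echo to preview instead of applying
PRIMARY_LAN="${PRIMARY_LAN:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-br0}"
ADMIN_HOST="${ADMIN_HOST:-192.168.2.10}"
IPT="${IPT:-iptables}"
CHAIN="GUESTISO"

# Emit the rules as text, one command per line, without running anything, so
# the set can be reviewed (and tested) before it touches a router.  Order:
#  1-2  create/flush a private chain so re-running the script is clean
#  3    replies belonging to sessions the primary LAN opened still flow
#  4-5  anything new from guest clients toward the primary LAN is logged
#       (rate-limited) and dropped; the LOG lines are your detection signal
#  6-7  hook the chain at the top of FORWARD (the -D first avoids duplicates)
#  8-9  only ADMIN_HOST may open the router's web admin page from the LAN,
#       so a guest cannot read the status page that reveals the WAN/primary IP
isolation_rules() {
    cat <<EOF
$IPT -N $CHAIN
$IPT -F $CHAIN
$IPT -A $CHAIN -m state --state ESTABLISHED,RELATED -j RETURN
$IPT -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix GUEST2PRIMARY:
$IPT -A $CHAIN -j DROP
$IPT -D FORWARD -i $LAN_IF -d $PRIMARY_LAN -j $CHAIN
$IPT -I FORWARD -i $LAN_IF -d $PRIMARY_LAN -j $CHAIN
$IPT -D INPUT -i $LAN_IF -p tcp --dport 80 ! -s $ADMIN_HOST -j DROP
$IPT -I INPUT -i $LAN_IF -p tcp --dport 80 ! -s $ADMIN_HOST -j DROP
EOF
}

# Run the rules.  "-N" fails harmlessly when the chain already exists and "-D"
# fails harmlessly when the old rule is absent, which keeps the script
# idempotent when it runs again at every boot.
apply_isolation_rules() {
    isolation_rules | while IFS= read -r rule; do
        case "$rule" in
            "$IPT -N "*|"$IPT -D "*) $rule 2>/dev/null ;;
            *) $rule || { echo "failed: $rule" >&2; return 1; } ;;
        esac
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_isolation_rules
fi
```

Preview the rule set with `IPT=echo sh isolate.sh --apply` (the file name is arbitrary), then paste the script into DD-WRT's Administration > Commands page and use Save Firewall so it is re-applied on every boot (Tomato has an equivalent firewall-script field). Set ADMIN_HOST to a PC with a fixed address before applying, or you will lock the web interface out from your own LAN; if you enabled HTTPS admin, duplicate rules 8 and 9 for port 443. Blocked attempts show up in the kernel log (dmesg or the router's syslog page) with the GUEST2PRIMARY: prefix. If your guest clients are handed the primary router as their DNS server rather than the secondary router, add a RETURN rule for UDP port 53 to that one address ahead of the DROP.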
Q: I have a Linksys router with DD-WRT and now a Netgear router. The Netgear is the “repeater” and I followed your setup and it works fine. My question is: On the repeater, do I need to enable DHCP? The laptop connects to the wireless AP (the Netgear shows it as a client), but the IP obtained is from the Linksys. Do I have this right or am I confused? —Duane
A: It is understandable that this could seem confusing, but in fact this setup is exactly right!
You do not want to enable DHCP on your secondary repeater router (in this case, your Netgear). You should not have two DHCP servers running on one network.
The DHCP server on your primary (Linksys) router addresses your whole network, including clients that are associated through your repeater. So yes, your clients are obtaining their IP from your Linksys. Just as it should be. Don’t change a thing.
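A quick way to confirm that only one DHCP server is answering on the segment, as an added example that is not part of the column: the function below reads the verbose output of tcpdump watching the DHCP ports and lists every server that sent an Offer or ACK. The capture embedded in it is constructed for the example (its format approximates `tcpdump -v` output and is not a real trace); it shows what a misconfigured repeater with its own DHCP server left on looks like, with a second server at the constructed address 192.168.1.200 answering alongside the primary router at 192.168.1.1.

```sh
#!/bin/sh
# Detect more than one DHCP server on a network segment from a tcpdump capture.
# Added example, not from the column, DD-WRT or Tomato.

# Constructed sample capture (NOT a real trace).  It imitates lines produced by
# `tcpdump -vni <iface> 'udp port 67'`, where each DHCP packet is followed by
# indented option lines.  Two different servers answer the same Discover.
sample_capture() {
    cat <<'EOF'
12:00:01.000000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
      DHCP-Message Option 53, length 1: Discover
12:00:01.050000 IP 192.168.1.1.67 > 192.168.1.37.68: BOOTP/DHCP, Reply, length 300
      DHCP-Message Option 53, length 1: Offer
      Server-ID Option 54, length 4: 192.168.1.1
12:00:01.060000 IP 192.168.1.200.67 > 192.168.1.101.68: BOOTP/DHCP, Reply, length 300
      DHCP-Message Option 53, length 1: Offer
      Server-ID Option 54, length 4: 192.168.1.200
12:00:01.100000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
      DHCP-Message Option 53, length 1: Request
      Server-ID Option 54, length 4: 192.168.1.1
12:00:01.150000 IP 192.168.1.1.67 > 192.168.1.37.68: BOOTP/DHCP, Reply, length 300
      DHCP-Message Option 53, length 1: ACK
      Server-ID Option 54, length 4: 192.168.1.1
EOF
}

# Read a capture on stdin and print each distinct server IP that sent an Offer
# or an ACK, one per line.  Only the last field of each option line is used, so
# both the "Option 54, length 4:" and the newer "(54), length 4:" tcpdump
# spellings parse the same way.  Client Requests also carry a Server-ID, but
# they are skipped: only servers that actually answered count.
dhcp_servers_from_capture() {
    awk '
        /DHCP-Message/ { msg = $NF; next }
        /Server-ID/ && (msg == "Offer" || msg == "ACK") { seen[$NF] = 1 }
        END { for (ip in seen) print ip }
    ' | sort
}

# Number of distinct answering servers (prints 0 when none were seen).
count_dhcp_servers() {
    dhcp_servers_from_capture | grep -c . || true
}

# Exit status 0 when at most one server answers, 1 (with a warning) otherwise.
check_single_dhcp() {
    n=$(count_dhcp_servers)
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $n DHCP servers answering on this segment" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed capture.
sample_capture | dhcp_servers_from_capture
sample_capture | check_single_dhcp || echo "disable DHCP on the repeater"
```

To run it against your own network, replace `sample_capture` with a live capture from a laptop on the segment, for instance `tcpdump -vni wlan0 -c 40 'udp port 67 or udp port 68' | dhcp_servers_from_capture`, and trigger a lease renewal on the laptop while it runs. In Duane's setup the only address listed should be the Linksys; a second one means the Netgear's DHCP server is still switched on.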
Q: I read your article on WDS using Linksys routers. I wish to do this and I have two Linksys WRT54G routers that now have DD-WRT on them, successfully working. The first router needs to have a static IP to connect to our service. How do I get the second router/AP to connect to the first to extend my range? —CU
A: Using a static IP with your primary router should have no impact on configuring WDS (wireless distribution system) to link the two routers.
When configuring WDS between two (or more) routers, the key concept is that each router needs to “know” the MAC address of its linked partner(s). A MAC address is different from an IP address—an IP address, of course, is the network address of the device, kind of like a telephone number for your phone. It can be changed, or not, depending on the situation.
The MAC address is more like a serial number that uniquely identifies that network device. So, your wireless router has both an (unchanging) MAC address and a (modifiable) IP address. Astute readers will point out here that MAC addresses actually can be changed—which is sometimes true—but also unusual and beyond the scope of this scenario.
Using DD-WRT, you’ll want to use the Wireless/WDS menu to input the MAC addresses for each router into the other router. But where do you get the MAC addresses to input?
Each network adapter actually has its own MAC address, which means your router has two MAC addresses—one for its wired network adapter and one for its wireless network adapter. Be sure that when configuring WDS, you are using the wireless MAC addresses of each router.
In DD-WRT, you can click on the Status/Wireless menu to see your wireless MAC address right at the top of the page. This is the MAC you want to enter into the WDS settings for your other router; and vice versa.
Q: I enjoyed reading your great article about using Tomato with wireless *client* access. I just got my Linksys WRT54GL 1.0 router flashed with Tomato 1.25 firmware and everything on the physical cabling side works fine, but I am unable to get a basic (even with security turned off) AP working. The WLAN light on the front of my WRT54GL should be green, I think (if it’s active), true? This light is off and I don’t understand why. – Eddie
A: When you configure Tomato as a wireless client—either in “wireless client” mode or “wireless Ethernet bridge”—the router receives a signal from another router and passes it along to wired devices. But in doing so, it no longer broadcasts a wireless signal. In other words, in either client or bridge mode, Tomato behaves as a receiver only. This is why you can no longer connect to it as an AP using wireless devices.
If you need to extend a wireless network to both wired and wireless devices using Tomato, consider setting up “Access Point+WDS” mode. This will require setting up a WDS network, which means making coordinated settings on your primary router as well (see the question above). In this mode, Tomato would behave as if it were in “wireless Ethernet bridge” mode while maintaining its wireless access point. Note that by doing this, wireless devices connected to Tomato will have only half the bandwidth available compared to wired devices and wireless devices connected to your primary router.