SpeedTouch 585(i) v6: Allow New Devices?

I have a SpeedTouch 585(i) v6. I thought I could set "Allow New Devices" to "New stations are not allowed" without preventing established devices from connecting (see the "Home Networks" page at [link]). However, this setting also dropped the connection for devices that were already connected. The manual doesn't exactly explain what this field is for. I was wondering if anyone here could explain?

Reply to
AndyHancock

That link isn't correct.

The manual doesn't exactly explain its choice of words in the menu setting, but the manual does explain how to make good choices between:

(Sections 2.2.3 and 2.2.4 in the manual)

On the Wireless Access Point page, you have the following options for the ACL: New stations are

- Allowed (automatically): All new stations can access the SpeedTouch.
- Allowed (via registration): Only allowed stations in the ACL have access. You can add new stations via the Association / Registration button or the Search for wireless devices task. For more information, see Registering wireless clients.
- Not allowed: Only allowed stations in the ACL have access. You can add new stations to the ACL only via the Search for wireless devices task. For more information, see Registering clients via Web pages.

The point is that the menu selection you are referring to doesn't mean what you think. You should either use the encryption strategy or you should use the described 'registering wireless clients' section 2.2.4 in the manual.

The manual I'm referring to is this one: Thomson SpeedTouch 585 - Residential Wireless ADSL Gateway - DSL Wireless Router - Manual - [link]

Reply to
Mike Easter

Thanks for clearing that up, Mike.

Perhaps it's a firmware thing (and I have been strongly advised against messing with the firmware), but my modem doesn't have a function to scan for devices. However, the ACL shows devices that I've connected to the WLAN and the Ethernet ports before.

My computer is already on the ACL, shown as connecting to WLAN, and shown as allowed to connect. Would you know of other possible reasons why I can't connect when new stations are not allowed?

Reply to
AndyHancock

I did some more putzing around...on my modem, the function of scanning for devices is under the HomeNetwork->Interfaces page, not the HomeNetwork->Devices page. After scanning for devices, it takes me to the HomeNetwork page, which I posted in my original post. I browse to the ACL on the HomeNetwork->Devices page, and everything is exactly the same as before scanning for devices.

This doesn't really shed any light on why I can't connect when new stations are not allowed, so any ideas on this are welcome. I note, however, that WiFi access does work when new stations are allowed with registration (not my preferred option).

Reply to
AndyHancock

That page is on your system, not mine or 'ours', this newsgroup readership.

That is the way 'everyone' else does it most often. That is, they setup for WPA encrypted access. What is it you don't like about that popular method?

Do you have an 'adversary' in range who is cracking WPA?

Reply to
Mike Easter

The speedtouch has internal webpages accessed at the speedtouch.lan address such as what you pasted above or http://192.168.1.254. Those pages aren't useful to post here for us because they are in your router which we can't access.

// To access the SpeedTouch via the Web interface - In the address bar, type your SpeedTouch's IP address or DNS host name ([link] or 192.168.1.254 by default) //

According to the manual (at Thomson's site), you should be able to register your LAN devices to the ACL either by using the router's register/association button on the front or by using the speedtouch webpage interface.

That excluding setting is called "Not allowed: Only allowed stations in the ACL have access." but it requires that the/your desired stations be properly registered in the ACL (access control list) and it only works properly until there is a factory default reset.

However, if you reset the router to factory defaults, all of the settings are lost and it reverts to a very insecure and promiscuous mode. That reset can take place from its webpage interface or with the reset button on the back.

There are also other security measures you can take, such as not broadcasting the router's SSID.

Reply to
Mike Easter

Understood. I was thinking the internal "URL" might be informative for people who own my model of ST, and saw the article.

I forgot to mention that I use the most secure encryption option on this modem, which is WPA-PSK (from what I've read on the web). Upgrading the firmware might provide a more secure option, but it's not something I'm comfortable doing.

I'm not sure, but a couple of weeks ago, my modem became inaccessible by WiFi. When I logged in by Ethernet, it turned out that all the WiFi settings were changed, and all the control widgets to change settings weren't available to change them back. Encryption had also been turned off. After days of putzing around, I found and uploaded a previously saved configuration, which brought the proper settings and functionality back (and brought back the widgets that would have allowed me to make those settings on the web GUI). Of course, I changed the encryption key.

I'm not sure how long it takes to crack WPA-PSK if the interface is always enabled, but if it's just a matter of running a monitoring program, then I suppose it doesn't matter how long it takes.

From your other response posting:

That's exactly it...my devices are in the ACL. I assume the ACL is the page shown at "Home Network" or "Home Network -> Devices", since those are the pages described in the manual for registering clients. My devices are listed in both. In the latter, they are listed as allowed to connect.

Well, somehow it did get reset, but not to factory defaults (I think...certainly not to the state I got the modem in, and without the GUI settings widgets normally found on the modem web pages). Now that I have the modem working again, the proper devices are listed in both the pages above. Unless ACL means something different than the pages I described above, my laptop should be able to connect.

I researched the web about that, but the impression I get is that it doesn't help much. Perhaps the same could be said about not allowing automatic connection -- I'm not sure.

Reply to
AndyHancock

I don't know about this 'previously saved configuration' if someone else has been resetting your router. I will say that it is 'common practice' for wardrivers who find an insecure router - say the default user/pass - to 'mess with it'.

To me, the best thing to do under those circumstances would be to reset to the factory defaults. This is an insecure condition which needs to be logged into and then immediately secured by changing its name, changing the pass, turning off the SSID and so forth.

Of course it needs to be reconfigured for the wireless security and you can do that with the ACL business if you like.

You create one more layer of security if you will change the router's SSID and not broadcast it.

I suspect that you had not changed the router's pass and that it was broadcasting its SSID and someone found it wardriving and checked the default pass and it worked and they got in and messed with it.

If your router isn't working right about the ACL and if someone else has also been messing with it, I would reset to the factory defaults and start all over again with your securing the router as I described above and use the WPA process to get your clients registered and then set your 'not allowed' condition.

I don't think your usage of some 'previous configuration' is the best approach.

Reply to
Mike Easter

Mike, I followed most of your suggestions...I didn't quite muster the courage to reset to factory settings because there is such a plethora of settings beyond Home Network and WiFi. Furthermore, the previous configuration that I used as a baseline was from long, long ago. I haven't seen any devices aside from my own connected to my WiFi, which is no guarantee that the encryption wasn't compromised until at least recently (if at all), but gives me a bit of confidence. Further confidence is obtained from the fact that I have always been pretty high up on a highrise, making my WiFi inaccessible from street level. As well, there is sometimes unsecured WiFi nearby, making my network unattractive.

I changed the password, the SSID, and stopped broadcasting the SSID.

Funny run of good luck: After using the front panel button to register my PDA, I found that I could set the modem to not accept other devices, but both the laptop and the PDA could still disconnect from and reconnect to the access point. I had avoided using the button to register devices because nowhere in the documentation I found on the web could I find a picture confirming what was the front of the modem, and the registration button on the front. I didn't want to be pressing a factory reset button in error. Well, I took a guess, and it turned out to be the right button.

One thing I find about not broadcasting the SSID is that (surprise) it no longer shows up in "View Available Wireless Networks" on Windows XP. This means I cannot initiate a connection at a time of my choosing. I have to set that network's properties so that I automatically connect to that network when the access point is in range, and then wait for the connection to start. If I disconnect from the network (or access point), the checkbox for automatic connection becomes unchecked until I check it again. I suppose this is just a clunkier way of manually controlling the connection.

Thanks for your insightful advice, and if you have any further comments on the above, I appreciate your sharing them.

Reply to
AndyHancock

IMHO, 'hiding' one's SSID is futile; all it does is inconvenience legitimate users, and it doesn't deter the bad guys one bit.

"Wireless LAN security myths that won't die": [link]

Reply to
alexd

The inconvenience is minor now that I've got it set up with allowed devices on the ACL.

Most of the argument against SSID cloaking relates to its use in place of encryption, but the few people I know of who cloak their SSID also use encryption.

In some of the links on that page, I did read with interest the fact that the mobile device broadcasts the SSID when probing for an AP of interest, but a follow-up comment that someone provided asked whether that is any less secure than when APs broadcast their SSIDs continuously. I can imagine situations in which it can be exploited, e.g., as described in the article, impersonation of a preferred network to lure the mobile device (especially when the mobile device is far away from the preferred network, I guess). However, I'm not that familiar with wireless protocols, so I won't elaborate.

About this spewing of preferred network SSID by the mobile unit, that's only when it isn't connected to the preferred network, right?

Reply to
AndyHancock

Yes. But once you're connected, your SSID is visible in every frame you send. And even when you're not connected - eg if a wired device ARPs for something else.

Reply to
alexd

I did some reading on google hits for "arp wifi". I have to admit that it's not my area, but I get the general idea that spoofing can happen, and all traffic can be funnelled through the attacker's computer.

This visibility of SSID in every frame, is it any different than the usual case i.e. when SSID is not cloaked?

Furthermore, in the latter case, will the mobile device not spew out the SSID of the access point? I'm guessing not, since it doesn't have to query whether the preferred AP is near, since it is expecting the AP to broadcast its SSID. I'm also guessing that this is the point of vulnerability, i.e. letting the attacker know the SSID of the preferred AP so that the attacker knows what to emulate.

Finally, anyone who cloaks SSID will likely also use encryption. Would the ARP poisoning that you mentioned still allow the attacker to see the contents of your traffic?

Reply to
AndyHancock
