Two remote LANs sharing internet thru wireless connection

I'd like to share JUST my internet connection with some remote PCs. Any solution would have to give me some confidence that these new PCs were somewhat isolated from my own LAN. I can share files on my LAN, they can share files on their LAN, but no sharing between LANs. Slower surfing is an acceptable outcome, just no extra security holes please. I'd like a solution that does not depend on leaving a PC running (ICS), multi-homed, SW firewalls, etc.

What I have: LAN1 is 3 PCs wired into a BEFW11S4 gateway configured router. A cable modem on the uplink provides the www. Occasionally I use a wireless laptop here as well, but most of the time I have the wireless disabled out of paranoia. I do use WEP.

LAN2 is a couple of PCs located 1/2 mile away suffering on dial-up (no cable available). These 2 PCs are not networked together yet. A wireless LAN at this location probably makes the most sense to avoid drilling holes.

I can stand on the roof of either house with binoculars and almost see just where I would mount the antenna on the other house. There is a very large (pepper, willow?) tree that blocks LOS. It has lots of small leaves all year, but not so dense I can't partially see through it. There are also a few palm trees to either side of LOS.

I am thinking that a cantenna or dish pair might provide the link, with the antennas mounted up on each roof. I'll probably build or buy one cantenna so I can do a survey at each location first.

I considered getting a second BEFW11S4 for LAN2, thinking it could talk wirelessly to the first one, but I have been told they won't do that. I don't see anything in the settings about putting the router in AP client mode, so maybe that is true. Tech support never seems very confident about their answers on this stuff though.

Next I looked at the WET11 for LAN2. I believe I would still need something like a WAP11 or router too. The antenna location is not going to be very close to the PCs so it's either 50ft of LMR400 on the antenna or the WET + WAP plus some CAT5.

Security questions: I have read where the directional antenna makes it harder for local eavesdropping. Are there any antennas or methods to eliminate everything but the very narrow aperture? Most of the ones I have seen have pretty wide radiation patterns.

A previous post mentioned a wireless client isolation feature of the WRT54G. This could be what I want, but maybe the BEFW11S4 can provide something similar. I see some filtering functions in the router. I see how I can filter (prevent) a particular IP from reaching the WAN, and I see how the DMZ function places an IP 'outside' on the WAN. Can the DMZ function be used to isolate one IP from others? Can the static routing function be used for this? Does disabling DHCP on each LAN and using static IPs increase security? I saw mention of SSH over WEP. I suppose I would need to leave a PC running as a gateway to make this happen.

Thanks

Reply to
tns1

Sigh. So many questions...

That's not easy, but possible. The WRT54G stock Linksys firmware has a misnamed feature called "access point isolation" which is really client isolation. It prevents bridging between wireless clients. I think (not sure) that it also prevents bridging between wireless clients and the remote LAN when used in WDS mode. I haven't tested this so treat this as a potentially bad guess.

Well, password protected shares would work as well.

Speed and security are not interdependent.

Well, duz your ISP support more than one IP address per DSL or cable modem connection? Most of the local DSL resellers do that, but not the local cable company (Comcast). If you could get a 2nd routable IP address, then all that would be needed is an arrangement like this:

  dsl ===[ Alcatel 1000     ]==[ 8 port   ]==[router]==192.168.1.xxx
  line   [ DSL bridge/modem ]  [ ethernet ]==[router]==192.168.2.xxx
         [                  ]  [ hub      ]==[router]==192.168.3.xxx
         [                  ]  [          ]==[router]==192.168.4.xxx
         [                  ]  [          ]==[router]==192.168.5.xxx

The above is for a 5 IP address system. One of the routers is your BEFW11S4 router and services your local LAN.

One of the other routers can be almost any type of wireless access point (not a router). The other end of the link goes to a wireless ethernet client radio, such as a WRT54G in client mode, WAP54G, DWL900AP+, WAP11, etc. It only needs to route 1 IP address so you do NOT need a transparent bridge. At the remote end is also a wired or wireless router. That will take care of remote machines.

Because the two LAN's are on separate WAN IP addresses and separate routers, nothing moves between them.

This can also be done with one less box using WDS. However, you will need TWO compatible wireless routers capable of doing WDS. WRT54G is a good choice.

Going wireless to wireless through a router will cause a 50% reduction in potential throughput. However, this may not be detrimental. If you get a good line of sight, strong signal, etc, half of whatever you are able to do on the link will still be faster than whatever your cable modem can deliver. (Notice how I left out all the numbers).

Any way to mount an antenna so that you go around the tree? It's difficult to judge how much a tree will interfere. My calculated guesswork is often off by several orders of magnitude. However, if you can see through the tree, you have a chance. That's a chance, not a guarantee. The problem will be that trees move. What works one day, may not work the next, or when it gets windy or rainy. Also, you can often get line of sight by going under the bottom branches of a tree. The lower branches are usually easy to trim.

I'm not a big fan of coffee can antennas, but they do work. Try it, but if possible, borrow a commercial dish or panel antenna.

That won't work. The BEFW11S4 does not support WDS, transparent bridging, or any form of point to point link.

There's no setting. However, access point mode is easy. All you need to do is:

  1. Ignore the WAN port.
  2. Connect whatever to the LAN port.
  3. Set the IP address so that it does NOT duplicate other routers on the LAN, but is in the same Class C IP address block.
  4. Disable the DHCP server. That's it. Now you have an access point instead of a wireless router.

There are about 3 standard configurations, used in 99.9% of all WLAN's that support knows about. There are about 30 configurations that support has never seen that cover the remaining 0.1%. Yours is in the 0.1% group.

50ft of LMR400 is possibly too much. That's about 3.4dB of coax loss plus about 1dB of connector loss. Half your power and sensitivity is lost in the coax. You can make it up with a bigger antenna, but there's a limit to how big is practical. 3dB is double the (aperture) size of the antenna.

True. You have to be in the beam path to do anything disgusting. If the beam is 30ft off the ground, it's kinda hard to do. However, even the best antennas are rather wide and have side lobes. For example, a 24dBi dish antenna is about 6 degrees wide at -3dB beamwidth. At 1/2 mile, that's a 330ft wide beam. You don't have to move back too far to hear that.

The real advantage of highly directional antennas is an improved S/N ratio which shows up as a speed increase. That can be due to a stronger signal, but also due to less interference from co-channel stations off to the side of the beam.

Not easily for 2.4 GHz. As you go up in frequency, the beam width gets narrower. You can probably go optical with FSO (free space optics) and get a very narrow beam.

I have a BEFW11S4v4. It doesn't have client isolation or WDS.

The DMZ is not useful for this. It simply redirects *ALL* IP ports to a specific LAN IP address, so you can totally expose a client computer to all the hackers and attackers on the WAN side.

I'm convinced that the static routing in the BEFW11S4v4 is broken. I've tried to use it to assign a static route on the WAN side to my DSL modem. It didn't work. It generated quite a thread in the DSLReports.com Linksys forum, which provided some suitable alternatives, but the bug is still there today.

No. Hackers can sniff the traffic, extract the currently used IP address, and simply assign their own. No benefit at all.

Sorry, no clue. I use SSH2 all the time for admin, but not for a continuously connected tunnel. For that, I use IPSec VPN's. I have no idea what SSH over WEP means.

Reply to
Jeff Liebermann
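The coax loss and beam footprint figures above can be put into a simple 2.4 GHz link budget. This is an added example, not code from the thread or from Linksys; the LMR-400 loss per 100 ft (chosen so that 50 ft comes out at Jeff's 3.4 dB), the transmit power, the receiver sensitivity and the 6 degree beamwidth are assumed figures.

```python
"""Link budget and -3 dB beam footprint for the half-mile link discussed
in the thread.  All radio figures are assumed typical values, not
measurements from the original posters' equipment."""
import math

FT_PER_MILE = 5280.0
M_PER_FT = 0.3048

# Assumed LMR-400 loss at 2.4 GHz in dB per 100 ft; gives 3.4 dB for 50 ft.
LMR400_DB_PER_100FT = 6.8


def coax_loss_db(length_ft, db_per_100ft=LMR400_DB_PER_100FT,
                 connectors=2, per_connector_db=0.5):
    """Total feedline loss: the cable run plus roughly 1 dB of connectors."""
    return length_ft / 100.0 * db_per_100ft + connectors * per_connector_db


def fspl_db(distance_m, freq_mhz=2437.0):
    """Free-space path loss (Friis), distance in km and frequency in MHz."""
    d_km = distance_m / 1000.0
    return 20 * math.log10(d_km) + 20 * math.log10(freq_mhz) + 32.44


def beam_footprint_ft(distance_ft, beamwidth_deg):
    """Width of the -3 dB cone at the far end: 2 * d * tan(theta / 2).
    This is the region in which a third party still hears the link."""
    return 2 * distance_ft * math.tan(math.radians(beamwidth_deg / 2))


def link_margin_db(tx_dbm, tx_feed_loss, tx_gain_dbi, path_loss,
                   rx_gain_dbi, rx_feed_loss, rx_sens_dbm):
    """Received power minus receiver sensitivity; positive means it closes."""
    rx_dbm = (tx_dbm - tx_feed_loss + tx_gain_dbi - path_loss
              + rx_gain_dbi - rx_feed_loss)
    return rx_dbm - rx_sens_dbm


def half_mile_budget(cable_ft=50, dish_gain_dbi=24.0, beamwidth_deg=6.0,
                     tx_dbm=15.0, rx_sens_dbm=-85.0):
    """The thread's scenario: a 24 dBi dish and 50 ft of coax at each end,
    half a mile apart.  Returns the pieces of the budget rounded for display."""
    dist_ft = 0.5 * FT_PER_MILE
    feed = coax_loss_db(cable_ft)
    path = fspl_db(dist_ft * M_PER_FT)
    margin = link_margin_db(tx_dbm, feed, dish_gain_dbi, path,
                            dish_gain_dbi, feed, rx_sens_dbm)
    return {
        "feed_loss_db": round(feed, 2),
        "path_loss_db": round(path, 1),
        "margin_db": round(margin, 1),
        "footprint_ft": round(beam_footprint_ft(dist_ft, beamwidth_deg)),
    }


if __name__ == "__main__":
    for key, value in half_mile_budget().items():
        print("%-14s %s" % (key, value))
```

With these assumptions the geometry puts the -3 dB footprint near 280 ft at half a mile, the same order as the 330 ft quoted above, and the margin shows why halving the power in coax is survivable on a clear path but not something to spend on a tree.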

And lots of good help on answering them, thanks.

I am looking at the manual and I don't see this.

I forgot about that. Ideally the security would not depend on PC SW, particularly windows. I'll certainly use what's there such as SW firewalls.

I like it. With Cox cable, extra IPs are $7 ea. I forgot to ask them if this buys me any more BW or higher limits. At a measured 4Mb download, I believe there is not much more peak BW to be had (they do offer 5Mb on individual accounts for $15 extra), but I am probably not fully utilizing mine anyway. If I can get a reliable link set up, this seems like the way to go. Wouldn't a switch be better than a hub here?

perfect.

I see they have a 'GX model now.

Only with an ugly 'pissofftheneighbors' brand 30ft mast, or mounting a passive repeater on a 60ft palm tree (scary, if not impossible to keep aligned).

Yes, but the two routers are cabled together. Very useful for extending a LAN in one building.

My initial reading on laser links suggested 1/2 mile was too much, but I keep reading about some bozo with a $30 laser pointer who lit up the cockpit of 747 from more than a mile away. This info does not match up.

Does static routing work on the '54G? Can you achieve client isolation with this?

I also see that with the latest firmware (BEFW11Sv0), I get MAC address filtering for wireless clients. It is not clear if I get to restrict and allow as described in the WRT54G manual, or if I just get restrict mode. Since MAC address spoofing is so easy, is MAC filtering of no benefit as well?

How is the WPA on the '54G? As implemented, is it really more secure than WEP, and does it slow things down at all?

thanks again.

Reply to
tns1

Look in the web based setup on the bottom of the Wireless -> Advanced settings. It's called "AP Isolation".

Incidentally, don't read the manual. It will make your brain explode.

It depends on from whom you're trying to secure your files. If it's a co-operative venture, such as a neighborhood WLAN, where you know everyone involved, methinks passwords are sufficient. That's how I have our neighborhood LAN set up. For W98/ME everyone can see everyone else's shares, but they're not usable without a password. For XP, W2K, and Linux (Samba), I have user level security set which requires a login and password to view shares. No problems for about the last year.

Nice. SBC DSL costs about $20/month for 1500/256 Kbits/sec with one dynamic IP address. However, if you want static, you have to take 5 IP addresses, which they treat as commercial, and raise the price to about $65/month. Ask if that's static or dynamic. It doesn't really matter for what you're doing, but it would be good to know.

Yes. Use a switch. The drawing was for my office setup. I intentionally use a hub because I have a dedicated traffic monitor and SNMP logger running on the hub. If it were a switch, I wouldn't see any of the traffic to the other routers.

I have a 30ft mast on my roof. However, it's now only 20ft high thanks to my latest failed experiments. Think of it this way... It's cheaper and less ugly than a Rohn tower.

Passive radiators do NOT work. Same with periscope antennas. I can work the numbers for you if you would like. I've designed, built, and deployed them and strongly suggest you avoid considering them as useful for 2.4GHz.

Most FSO stuff that's affordable and user buildable uses LED's, not lasers. OSHA safety requirements prevent the use of concentrated beams. So, they spread the laser light over perhaps a 1ft dia circle and then reconcentrate it at the destination. This passes OSHA specs and also prevents many types of interference.

The new green lasers are not that much brighter than infra-red when measured with an optical pyrometer. However, your eye is much more sensitive to the green light. Therefore, green lasers go much farther.


I don't know. I haven't tried it yet. I will (eventually).

No. There's no connection. Routing is done on layer 3. Client isolation is done with bridging on layer 2. You can isolate clients with creative and complex routing and ACL's, but it's much easier with bridging. Static routes are mainly for connecting remote office IP blocks on the LAN side.

V0 ?? What's that? MAC address filtering is used to allow or prevent wireless connections. That will prevent an unauthorized user from connecting, but will not offer any restrictions or filters for an authorized client.

I hate to admit it, but I'm rather behind on the encryption thing. Many of my clients have ancient wireless cards or drivers that do not support WPA. Therefore, they tend to run WEP128. I run WEP64 in my palatial office because I have a pile of Orinoco Silver cards that only do 64 bit encryption.

The few times I've tested encryption performance on a WRT54G, I found that any form of encryption slows things down about 10-15% (forgot exact number) and that there was no repeatable difference in performance between WEP and WPA. Please realize that WPA is exactly the same RC4 cipher payload as WEP. The only difference is a more secure key exchange protocol, which occupies very few packets or air time and should not impact performance.

Reply to
Jeff Liebermann

Yep, it works. However, I use third party firmware (Satori, from Sveasoft) and do not configure routing with the web interface. When I tried the web interface I found it extremely frustrating, plus there is the habit of various web options to clean out the route tables and reset them, so I try to avoid the web interface entirely.

Command line configuration, however, has its own set of problems, particularly in trying to figure out how to manually set any particular option available via the web interface, and how to make the configuration survive a reboot.

The WRT54G(S) routers are very flexible, but taking advantage of it is not trivial.

Actually, depending on what you mean by "isolation", it can be done. For protocols that are not routed, it can't be done. So, for example Jeff had some folks using NetBEUI or something, and apparently there was no way to affect that with routing.

However, for IP, you can isolate ranges of addresses. You just route them off to somewhere else! That works because of the hardware arrangement used by the WRT54G(S). Essentially the WAN port is distinct from everything else. The LAN ports and the Wireless are all connected to a bridge device and a vlan device. The trick to simple isolation is, for IP addresses you want to isolate, setting the route to the WAN port and use a LAN port to actually connect to the unit.

Note that the bridge and vlan are command line configurable with the third party firmware. I haven't figured out just exactly what the "AP Isolation" option does though, and have no pressing need to experiment with it, but it is clear that each LAN port on the WRT54G(S) can be isolated individually, and can be either routed or bridged to the others. As noted above, this is not trivial... :-)

Reply to
Floyd L. Davidson

OK. I don't actually have this unit. I was looking at the manual online. When you say 'stock firmware', do you mean say the newer firmware no longer supports this feature?

I found the Ronja project. Amazing what can be done with lots of time. The parts may be cheap, but it would cost at least a month of lost wages. I'll wait until there is an FPGA version.

So you're saying a green laser isn't any better for FSO, it just looks like it is. I don't intend to use retinas as detectors (too slippery to mount).

The visible beam is impressive, but would not go over well in a residential area. I would be the 1st to complain - no neon signs etc. For that same reason visible LEDs are less desirable.

I do like the possibility of 'drilling' through my problem foliage. A selective trimming would be much easier to do for a laser. The green laser could help for alignment of a less visible laser link.

Pre-version 1, my notation for the old model I have.

So would this at least require extra work on the part of an eavesdropper, or are you figuring they have sniffed out IP, SSID, MAC, keys, etc. already?

Reply to
tns1

I am not sure. Does that mean the 'isolated' IP goes nowhere, or does it mean it effectively comes in on the WAN side of the router with no direct bridge to the other IPs? If so, what settings are you changing?

Including each wireless client too?

Thanks, but it sounds like a pain-in-the-butt.

Reply to
tns1

The Linksys official 3.03.something firmware has "AP Isolation" on the Wireless -> Advanced page. However, I just noticed that Sveasoft Satori 4.0.something firmware, has this setting missing. Satori Alchemy firmware has "AP Isolation". HyperWRT apparently lacks "AP Isolation".

Well, if you want cheap, take a pair of ethernet to 10baseFL media converters. Attach a pair of fiber cables at each end. Connect to some do it thyself optics to spread the beam and collimate it. That's 4 sets of lenses so this is mostly an optical and mechanical project. I've built a few of these which worked well to about 1000ft. I don't think they would make it to a mile without additional power. The big problem is that the lenses focus the light to the end of a fiber with a 62.5nm diameter. That makes lens alignment extremely critical. See [link omitted] for a commercial version.

Something like that. Green will be blocked by fog while infra-red sorta works.

Oh. Got it. I'm not sure what's the correct notation for the first release.

Incidentally, it's easy to recognize a programmer in a crowd. Ask everyone to count to 10. The programmer will start at zero. Everyone else will start at one.

Well, I'm not going to give a tutorial on how to break into a wireless system. Note that only the data payload is encrypted, but not the headers. Therefore, an encrypted signal has the MAC, IP, and SSID exposed, which can be obtained by decryption.

If there's MAC address filter engaged in the router, it will be slightly more difficult to break in and select a valid MAC address. It's easy enough to sniff the traffic for a while and extract a list of authorized MAC addresses. Windoze is kinda stupid in that it uses the MAC address in the registry, which may or may not be the same as that of the wireless device. Anyway, MAC address spoofing is easy.


Reply to
Jeff Liebermann
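The point above, that WEP and WPA encrypt only the data payload while the MAC header and beacons stay in the clear, is easy to see by decoding frames the way a protocol analyzer does. This is an added example, not code from the thread; the two frames, the MAC addresses and the SSID "homelink" are constructed sample values, and the data frame body is arbitrary bytes standing in for an encrypted payload.

```python
"""Decode the unencrypted part of 802.11 frames to show what a MAC filter
or WEP/WPA key does not hide: station addresses in every frame, and the
SSID in beacons.  Frames and addresses below are constructed samples."""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
SUBTYPE_BEACON = 8
SSID_ELEMENT_ID = 0

AP_MAC = bytes.fromhex("001122334455")       # constructed sample BSSID
CLIENT_MAC = bytes.fromhex("00aabbccddee")   # constructed sample client
BROADCAST = b"\xff" * 6

# Data frame from client to AP: type 2, subtype 0, ToDS=1, Protected=1.
# Everything after the 24-byte header stands in for the encrypted payload.
DATA_FRAME = (b"\x08\x41" + b"\x00\x00" + AP_MAC + CLIENT_MAC + AP_MAC
              + b"\x10\x00" + bytes.fromhex("5a3c0020d91e77a4c3b8"))

# Beacon: type 0, subtype 8, never protected.  Fixed fields (timestamp,
# interval, capabilities) are followed by tagged parameters: SSID, then
# the DS parameter set carrying the channel number.
BEACON_FRAME = (b"\x80\x00" + b"\x00\x00" + BROADCAST + AP_MAC + AP_MAC
                + b"\x20\x00" + b"\x00" * 8 + b"\x64\x00" + b"\x01\x00"
                + b"\x00\x08" + b"homelink" + b"\x03\x01\x06")


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_header(frame):
    """Return the MAC header fields, which are sent in the clear even on an
    encrypted link, plus the (possibly encrypted) body that follows them."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    flags = fc >> 8
    return {
        "type": TYPE_NAMES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & FLAG_TO_DS),
        "from_ds": bool(flags & FLAG_FROM_DS),
        "protected": bool(flags & FLAG_PROTECTED),
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "body": frame[24:],  # bytes 22..24 are the sequence control field
    }


def beacon_ssid(body):
    """Walk the tagged parameters after the 12 bytes of fixed beacon fields
    and return the SSID, or None if the element is absent."""
    pos = 12
    while pos + 2 <= len(body):
        elem_id, length = body[pos], body[pos + 1]
        if elem_id == SSID_ELEMENT_ID:
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None


def describe(frame):
    """What an analyzer shows without any key: addresses, the Protected
    flag, and for beacons the advertised SSID."""
    info = parse_header(frame)
    if info["type"] == "management" and info["subtype"] == SUBTYPE_BEACON:
        info["ssid"] = beacon_ssid(info["body"])
    return info


if __name__ == "__main__":
    for name, frame in (("data", DATA_FRAME), ("beacon", BEACON_FRAME)):
        info = describe(frame)
        print(name, info["addr2"], "->", info["addr1"],
              "protected" if info["protected"] else "cleartext",
              info.get("ssid", ""))
```

The takeaway for the thread's design question is that a MAC filter and link encryption are access controls, not identity hiding; isolation between the two LANs has to come from the routing or bridging arrangement, not from keeping addresses secret.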

Some other ideas - cantennas can be mounted to attic eaves using bungee cord - will blast through vinyl siding but not aluminum - I have used 2 facing each other for a 3 house jump. You can get your range just using a single dish. I have surveyed a couple neighborhoods and normally can find 4 or 5 wifi connections at over .5 mile. A cantenna directed back at you should guarantee a link but put the dish on the end with the tree problem as it has a larger aperture to rebuild signal through moving foliage. For the dish I avoided building a feed and used a Hawking 6db strapped over the existing feed - mine is a USB wifi adapter type but they are also available as standalone antennas with a choice of pigtails just like when ordering cantennas. - The cantenna & wireless router would help your security as you could hook a second router downstream that would hide you from other clients on the main router.

- If the second router is wireless do not choose the same or adjacent channels. You can also turn off DHCP on both routers and set IPs manually to a nonstandard IP family (basically just don't use 0, 1 or 2) for the third octet - now you won't issue IPs to strangers and their existing IP is unlikely to be in your range.

Reply to
frank

OK. It just clicked that one dish may be enough. I do have a small direct TV dish with offset feed I could use, but wondered about designing the feed. Seen any plans for this? I saw the primestar dish solution, which seems to have a better mount for a wifi feed, but that dish is probably not available around here.

When you say you just strapped on your AP, was this just taped on? Any particular orientation? What model did you use?

Both of the laptops I might use for survey work have the antennas built into the case somewhere, but I do have a spare WPC11 wireless pccard. Do you think I could hold the laptop up so the wireless card antenna was close to the feed and see results?


Reply to
tns1

BTW, if I use a BEFW11S4 or WRT54G, and hook a directional to one of the antenna jacks, does it matter which one? If I am not using the other antenna jack (for local wireless), does disabling it in the firmware gain me anything?

Reply to
tns1

It really depends on where you put the unit. If it's on the roof with a directional antenna, you will want to only have one antenna active and disable the other antenna in the web based setup. The idea is that the radio should not pick up any garbage from the sides or behind the directional antenna.

The advantage of disabling one antenna in firmware is that without data, the radio will "scan" between antennas looking for a signal. This takes a small amount of time and affects the initial connect time. This shows up when you try to ping the radio over the wireless. The first packet has a much longer latency than subsequent packets. This is not really a problem, but just a minor oddity.

If you put the radio inside, and run a long coax to the directional outdoor antenna, you may want to also have coverage inside the house. For that, you would install the stock 2dBi rubber ducky antenna in one port, and the coax to the outside directional antenna to the other. Leave the diversity switching enabled and it will take care of which antenna is active for which client.

Reply to
Jeff Liebermann

I also use a DirecTV dish - it works great. The USB adapter I used is the Hawking HWU54D; you can see it here: [link omitted], or just type the model into a search engine. I simply taped it to the old amp facing forward into the dish. I mounted it so the offset feed was at 9 or 3 o'clock rather than 6 o'clock aimed into the sky; this locks the elevation to horizontal, and the azimuth was already an unknown as I was surveying the neighborhood anyway. I used a piece of angle bolted to the mount on the back of the dish and one lag bolt into the deck railing so I could walk it across the horizon. As long as you install the USB adapter software first the unit is very easy to use. It only is 6' long so order a USB extender cable also.

Reply to
frank

Using a usb dongle or AP seems attractive from the standpoint of no cable/connector losses, but this thing is going to be outside, and how far can I extend usb anyway? If I bring in usb from the antenna, don't I have to run it all the way back to the PC? Where/how will a router fit into this scenario? Seems what is needed is POE version of the usb dongle.

I've gone ahead and ordered a WRT54G and WET11 to supplement my BEFW11S4. Even if I don't incorporate the WET11 as a permanent part of this scenario, I figured it would be of general use in testing things.

With the dish/cantenna plan, I will need to go from rooftop about 30ft (outside) to get inside the attic where I might put the WET11, and from there go another 50ft by CAT5 to a reasonable location for my old BEFW11S4 (I'll use the WRT54G as replacement at my main loc). I hesitate to place a router in the attic, since I have had to reset mine manually several times. I suppose some POE adaptors could help answer this requirement.


Reply to
tns1

I didn't follow the "standalone" part of that very well. I would suggest not using a bare usb mini-dongle as the driven element for a satellite dish. I don't think it would paint the dish very well. Using the Hawking antenna seems interesting, since it's pre-built.

[link omitted] shows some ugly construction quality with regards to a Primestar dish; you could do a cleaner can feed, and use a mini-USB dongle in there.

[link omitted] Or use just the mini-dongle in a can as the antenna with no dish.

[link omitted] uses the mini dongle in a variety of ways.

And I always find David Taylor's antennas to be interesting.

Reply to
dold

The direct tv dish I have is a single LNB with the flat white feed cover. I can see how strapping on the hawking or dongle would be pretty simple, and perfect for portable applications or short cable runs.

I am trying to figure out a way to mount a can or biquad feed. I think I'll need to be able to adjust the focus. A can feed would require some kind of custom bracket, but partial disassembly of the LNB reveals that it has a bore suitable for 1/2" copper pipe ala the Trevor biquad. A few shims could allow easy adjustment of the focal distance, but about where would that be? If the biquad focus point would be near the front of the existing LNB, all I would need to do is hack off the cone part. If the biquad would need to be all the way back where the LNB driven element is, then I am better off making my own bracket. I don't really want to destroy a perfectly good LNB if isn't going to work.

Looking into the LNB bore is a bit like looking into a cantenna. There are three concentric rings around the opening, a short tapered cone feeding into the bore, and a vertical element near the very back. All dims scaled by the 5:1 difference between wifi and satellite freqs. Anyone know what the arrow-shaped fiberboard placed diagonally in the bore is for?

Reply to
tns1

Ok, I now have a WRT54G, BEFW11S4 and WET11. They all seem to be working (just not together). The '54G v.3 seems to work fine as my gateway router. I have tested both wired and wireless links. Likewise the BEFW v0 worked fine as my old gateway router. The latest firmware has added a few items and fixed a reset bug. (I think the menus have a better look & organization than the '54G).

The WET11 works in the default settings to bridge between a single PC and the '54G, or between my separate BEFW LAN and the '54G provided I use the same class C subnet (192.168.1.xxx) and plug the WET11 into a normal switched port (single nat). In my tests, machines hanging off the WET11 were each assigned IPs via the '54G DHCP. The WET11 itself assumes a static IP of 192.168.1.225 as seen from the wired side.

I don't have my 2nd IP just yet, so instead of hooking up this topology right now:

I'd like to try the double nat configuration I've seen in other posts (WET11 plugged into the WAN port of the BEFW):

  cable===[cbl modem]==[WRT54G] ))) ((( [WET11]==[BEFW11S4]==10.10.1.xxx
                          ||
                          ||
                     192.168.1.xxx

I assume that the '54G would only see one IP for all of the 2nd LAN. I also assume the 2nd LAN would still function if the '54G was off. All I am after is Internet sharing here. I don't care if the '54G LAN can't see individual machines on the BEFW LAN.

I have tried the above, but nothing works so far. I am having trouble understanding how the WET11 and BEFW should be configured for this.

First of all, is this possible? Can a class C address be used for the WAN side of a router?

Reply to
tns1

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.