Is a repeater a security hole?

Hi wifi gurus...

A few days ago I discovered that I had created a security hole in my personal home wifi network by changing the wireless security from WEP to MAC address filtering. I decided on this change because I'm living in the countryside, with only a few close neighbours, and the probability of having them sniffing or cracking into my personal network is close to zero. But I don't want them to use my internet connection, so I obviously have to secure my network. I used to do it with a 128-bit WEP encryption key but decided to change it to MAC address filtering for performance reasons. Actually I'm using a phone/PDA (Qtek 9100) to wirelessly connect to Skype at home, and the little device seemed quite slow using the WEP encryption.

So I changed the config, added the MAC addresses of my personal laptop and the PDA device to the list, and all worked fine. Then I decided to configure my repeater (I forgot to mention that I'm using a repeater to bounce the signal everywhere in the house). So I added the repeater's MAC address to the list of permitted addresses, and everything worked fine also. Then I tried to connect to the internet with a friend's laptop, and I succeeded immediately even though its MAC address is not listed in the permitted values... It seems (and it makes sense to me) that all requests passing through the repeater are permitted by the router... So the repeater's action is not really transparent, since it seems to replace the original requester's MAC address with its own MAC address and lets it connect...

Do you guys have any advice, or will I have to go back to WEP encryption?

Thanks for your help,



Definitely. I only need to capture one packet from your transmission to know a valid MAC address, and I can make my adapter mimic your MAC address...

Neither method is really "security". WEP or MAC filtering will stop them accidentally connecting, but won't stop anybody from "cracking".

The repeater would need MAC filtering itself.

There's really no point in going back to WEP, but I haven't been able to make WPA work over a WDS repeater.

Derek Broughton
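
A small model of the behaviour discussed in the thread so far, as an added example that is not part of any post: it assumes the repeater relays client frames under its own MAC address (the original poster's hypothesis) and uses constructed addresses and hypothetical class names. It shows why the router's list alone admits the unlisted laptop and what a second list on the repeater changes; it does not model address spoofing.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    transmitter: str  # MAC of the radio that sent this hop (what a filter sees)
    origin: str       # MAC of the station that created the traffic

class AccessPoint:
    """Router whose MAC filter checks only the transmitter of each frame."""
    def __init__(self, allowed):
        self.allowed = {m.lower() for m in allowed}
        self.forwarded = []

    def receive(self, frame):
        if frame.transmitter.lower() not in self.allowed:
            return False
        self.forwarded.append(frame)
        return True

class Repeater:
    """Repeater that relays client traffic under its own MAC (assumed behaviour)."""
    def __init__(self, mac, uplink, allowed=None):
        self.mac, self.uplink = mac, uplink
        # allowed=None models a repeater mode that offers no filter of its own
        self.allowed = None if allowed is None else {m.lower() for m in allowed}

    def receive(self, frame):
        if self.allowed is not None and frame.transmitter.lower() not in self.allowed:
            return False
        # The router only ever sees the repeater's MAC on this hop
        return self.uplink.receive(Frame(self.mac, frame.origin))

# Constructed, locally administered addresses (not real devices)
LAPTOP, PDA = "02:00:00:00:00:01", "02:00:00:00:00:02"
REPEATER, GUEST = "02:00:00:00:00:10", "02:00:00:00:00:99"

def run(filter_on_repeater):
    router = AccessPoint([LAPTOP, PDA, REPEATER])
    rep = Repeater(REPEATER, router, [LAPTOP, PDA] if filter_on_repeater else None)
    return {
        "guest_direct": router.receive(Frame(GUEST, GUEST)),
        "guest_via_repeater": rep.receive(Frame(GUEST, GUEST)),
        "laptop_via_repeater": rep.receive(Frame(LAPTOP, LAPTOP)),
    }

if __name__ == "__main__":
    print("router list only:      ", run(False))
    print("router + repeater list:", run(True))
```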

Hi Derek,

Thanks for your analysis; it seems that we finally arrive at the same ending point. So, if my sole concern is to block anonymous (or not permitted) access to my network (actually I don't want to share my DSL connection with neighbours...), is there another way of blocking this access with my current configuration (DSL router + repeater) without going back to WEP encryption?

Any other comment?




Please quote...

"block"? Maybe not - without encryption you _can't_ keep your neighbors out. If you just want to accept the insecure nature of MAC restrictions, then I told you what you needed to do. You have to have the repeater (not just the AP) block the individual MACs. Since you haven't told us anything about the hardware or software you're using, we can't possibly tell you more than that.

Derek Broughton
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

No. You need either WEP (preferably 128 bits, but even that is weak and easily cracked) or WPA (which is better than WEP if [and only if] a strong pass phrase is used).

MAC address filtering in the repeater would only keep the honest folks honest.

John Navas

Sorry Derek, I'm a real newbie in forums and groups. I read the FAQ and other posts on this; it should be better now... I hope.

The device I use as a repeater is a D-Link DWL-2000 AP+ that I configured as a repeater in this case. My router is a Linksys WRT54G (or WRT54GS) which is wired to my DSL modem. I've been through the (very short) documentation about the D-Link AP and also through the configuration options, and it seems that once it is turned into a repeater, there isn't any security option anymore... It seems like it's not possible to have MAC address filtering at the D-Link device's level once it is set as a repeater.

--
Stéphane


Thanks. It just makes things a little simpler.

Then I'd have to guess you're out of luck, unless somebody else knows about undocumented options :-(

Derek Broughton