SSID Broadcasts

I installed a WAP54G (current firmware) today to accompany my WRT54GS (current firmware). The setup works without a hitch so far. A decent setup for a somewhat large house.

I read on a few Websites that advised disabling SSID broadcasts on the AP and router. When I disabled the broadcasts it knocked my AP out of the loop, but my connection at the farthest most PC quickly switched, although weakly, to the main router.

I realize a determined hacker is going to find my network anyway, but I wanted to at least put up some semblance of a stumbling block. It looks like the router and the access point behave differently. Does anyone have any experience with this? Any advice?


Reply to
The Rejuvenated Techie
Loading thread data ...

The consensus on this newsgroup is that disabling SSID is a bad idea. It does very little for security and causes the type of problems your having. Turn it back on.

Reply to

On Mon, 2 Apr 2007 16:16:38 -0400, "The Rejuvenated Techie" wrote in :

Turn SSID back on. Bad advice. Hiding SSID doesn't really hide it except in a uselessly superficial way, and just causes problems.

(MAC filtering is likewise a bad idea.)

Reply to
John Navas

Incidentally, current firmware really means that you're too lazy to find the numbers or that you don't want to be told that you're out of date. Assumption, the mother of all screwups. In this case it doesn't really matter, but please avoid such assumptions in the future.

I assume that the WAP54G is setup as a repeater. Is this correct?

Yep. when the WAP54G tries to repeat the SSID of the WRT54G to the client, and there's nothing there, the client will not be able to connect. Thanks for reminding me of another reason why I hate repeaters. You might find my rant on the subject interesting:

Sorry, no real experience with SSID hiding and repeaters. I consider repeaters and most mesh networks an abomination (or worse).

Security by obscurity is a bad idea. The obstacle course slows hackers down, but often creates side effects. You're seeing just one of them. The other problem is that hiding the SSID makes it easier for the neighbors to accidentally land on your system. Any script kiddie with a Live CD containing Kismet will find your system anyway. MAC spoofing is just some sniffing followed by a registry tweak or ifconfig incantation. I could do it blindfolded.

I noticed that you didn't bother to mention what manner of encryption you're using. Most repeaters will not handle WPA-PSK or WPA2-PSK, which is required for decent security. The DLink DWL-G710AP and DWL-G800AP claim that they can use WPA as repeaters, but I couldn't make it work on the latter when I tried. That leaves WEP encryption which will work through a repeater, but is easily sniffed, and the WEP key recovered given sufficient traffic. In short, if you're trying to use SSID hiding and MAC filtering as a substitute for adequate encryption, you don't really have any security.

Reading between the line, what you're apparently trying to do is extend the coverage of the WRT54G. If too many walls in the house prevent adequate coverage, you can try various aftermarket antennas. Another solution is a 2nd wireless access point (or use your WAP54G as an access point) with CAT5 between the two boxes. If running CAT5 is undesireable, then you can use power line, phone line, CATV coax, or fiber optic connectivity.

Reply to
Jeff Liebermann

Firmware revision 1.52.0 on the WRT54GS and firmware revision 3.04 on the WAP54G. The WAP54G is connected to the WRT54GS via CAT-5 cable strung through the attic. Works perfect. I am using it as an access point. Repeaters suck.

You live and you learn. Thanks for the verification.

WPA-Personal with TKIP encryption.

I've got the house completely covered now.

Incidentally, what are your thoughts on third-party firmware for these two products?


Reply to
The Rejuvenated Techie

The DWL-G710 is sold as a repeater.

The DWL-G700AP is sold as an access point, but also has repeater mode (with F/W 2.1 EU, as of March 2006) and can be configured to handle WPA-PSK. The one I have works OK as a repeater with a TEW-510APB.

Reply to
Axel Hammerschmidt

Thanks. In the future, also include the hardware versions of these devices. They can be deduced from the version numbers, but it's easier if you supply them. They're on the serial number label.

WRT54GS firmware version 1.52.0 belongs to hardware mutation v5, v5.1 or v6. Is that correct? (It makes a difference if you're going to use alternative firmware).

WAP54G v3.04 the same for any hardware mutation (v1, 1.1, 2.0, 3.0,

3.1). Sorry, I can't guess this one.

Both are the latest according to the Linksys web pile.

Agreed. Repeaters are awful and you're doing it the right way. I would NOT have used a WAP54G for the purpose. It has limited RAM, limited features, and is MORE expensive than a wireless router. Any wireless router can be used as an access point by simply disabling the DHCP server, setting the IP to not duplicate the main router, and not connecting anything to the WAN/Internet port.

Oh, it's far worse than what I listed. I'm watching a local wireless mesh network turn into a wireless mess network. The real problem is that they scale badly. That's not a problem with a single home repeater, but rapidly becomes an issue on even slightly larger systems.

Perfect. When I assumed you were using the WAP54G as a repeater, I also assumed that you were using WEP. Sorry.

Prior to about a year ago, I as using the stock firmware in all my installations. I had tried the alternatives and they offered little benifit at the expense of substantial hacking and flakiness.

Eventually, the various alternative firmware distributions stabilized and became quite impressive and reliable. These days, my coffee shop, hotel, public access, and many home installations use alternative firmware. For the coffee shops, I preferred EWRT, which seems to have ceased development. For everything else, I use DD-WRT v23 SP2. For example:

Just having the per-user signal strength is worth the effort. I also use SNMP and RFLOW traffic monitoring.

The problem you're going to have is that the WRT54GS v5 and v6 are both seriously lacking in useful RAM to impliment alternative firmware. They only have 2MBytes of RAM, while earlier versions had

4MB or 8MB. It can be done, but it's a tight fit. See:

However, the WRT54GS v5 actually has 16MB of RAM and can be easily enabled:

Alternative firmware for the WAP54G is problematic.

It's possible, but I managed to "brick" a WRT54G v3.1 every time when I tried it. I gave up. Maybe you'll have better luck.

Reply to
Jeff Liebermann

I've bought and returned so much stuff to Office Depot to get this right, I think I'm going to stop making their heads spin for a while. This setup has me pretty happy.

I'm concerned about security. I see that LinkSys sells a "software version" of Radius that they consider more secure than Radius itself. Have you any experience with this, or do you stop at WPA-Personal?


Reply to
The Rejuvenated Techie

formatting link
RADIUS is software. It's just 802.1x authentication. No hardware required or involved. You can use either a local RADIUS server or one on the internet for authentication. The problem with both is that if your link to the RADIUS server goes down, you have no way to authenticate and your wireless goes down with it. The solution is to have a few key accounts duplicated inside the router configuration. Unfortunately, not every router has this feature. The way DD-WRT handles this is a setting on the Wireless-RADIUS page offering: [ ] Override Radius if server is unavailable I'm not thrilled with this kludge, but it does work.

The main advantage to RADIUS authentication is that it is used to create the WPA session encryption key. The key is pure random rubbish, is unique for each user, and different for each session. There is no public shared key (PSK) which can be stolen or possibly sniffed. Actually, it's easier to just extract and decrypt the WPA key from the Windoze registry than to sniff and decrypt. With a RADIUS server assigned key, there's nothing to steal and sniffing only gets you a temporary key for one user.

Reply to
Jeff Liebermann

Hmmm, Just wondering, how big is your place?

Reply to
Tony Hwang

Den Mon, 02 Apr 2007 22:25:25 +0000. skrev Jeff Liebermann:

What Jeff said holds true. Furthermore, as far as I recall, according to the 802.11 specs disabling ESSID broadcasts breaks among other things roaming in a multi-AP setup, and therefore ESSID broadcast is mandatory in those cases. Using a repeater is in a sense a kludged roaming setup.

Since you are using WPA-PSK, and if you have a non default ESSID, and use a fairly long (16 char minimum) passphrase, (preferably a nonsenical passphrase with numeric, capital and non capital alphabetic and non-alphabetic characters), you should only be worried if the NSA or the GHCQ are trying to listen in on you. If you look out the window, and don't see any black choppers hovering above in the vincinity, WPA-PSK is sufficiently secure for home/SoHo usage IMHO.

J.D. "Dutch" Schmidt

Reply to

On Tue, 03 Apr 2007 09:01:54 +0200, e-teori wrote in :

Only slightly, not enough to matter.

In which case SSID hiding will be of ZERO value.

Reply to
John Navas

Actually, it's sold as an "extender" - whatever that is.

Reply to
Axel Hammerschmidt Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.