Two wireless routers, one network

I'm having wireless connection and network file sharing issues with the setup below. My setup:

- Cable modem into Linksys WRT54G

- Four wired connections going out of WRT54G to four different Internet enabled clients.

- One of the 4 clients (Studio PC) is now not a client; it's connected to a Linksys BEFW11S4

- Changed BEFW11S4's default gateway to with DHCP enabled

- The studio PC is Internet enabled on a different default gateway

So I accomplished one thing, which was the ability to add more network devices in the studio. But I am unable to access all the files on the network from the Studio PC. What to do?

Also, these two wireless routers are 300 feet apart from each other. I want the ability to have the XP laptop automatically connect to the closest Wi-Fi point. Oddly enough, the only way that I can connect wirelessly now is through the Linksys BEFW11S4, but only when I hard-code into the laptop an IP, the BEFW11S4's default gateway and my ISP's DNS. Strange.

How can I access the files on the other default gateway and can I properly configure my wireless network as I seek?

Cheers, Chaser!


That's because you have what is called "double NAT". You can see machines and shares in one direction, but not backwards (WAN->LAN) in the other direction. What you need to do is convert your BEFW11S4 from a wireless router to a wireless access point. That will put the BEFW11s4 and all its connected client computers on the same IP block as the WRT54G.

On the BEFW11s4:

  1. Setup the LAN IP address to so it is on the same IP block as the WRT54G.
  2. Disable the DHCP server.
  3. The WAN (internet) port is not used.
  4. Connect a CAT5 cable between a LAN port on the WRT54G and a LAN port on the BEFW11s4. Make sure the lights come on at both ends when you plug in this cable.
  5. You can use any SSID or channel number on the BEFW11s4. It does not need to be the same as the WRT54G. This is helpful if you want to manually select whether a client connects to the WRT54G or the BEFW11s4.

You should now have an access point instead of a wireless router. ALL your wireless clients should use the DHCP server in the WRT54G to get their IP addresses, so everything should be on the same IP block, and hopefully, every machine should see each other.

Nope. Can't be done at this time. 802.11r (fast roaming) is supposed to take care of this eventually. Use different SSIDs on the two wireless devices and you can manually select to which one you connect.

Jeff Liebermann
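Added example, not from the thread or from either router's firmware: a small Python check of the address plan Jeff describes (same IP block, no second DHCP server, LAN-to-LAN cable). The WRT54G's LAN address 192.168.1.1/24 and its DHCP range .100-.149 are assumptions, since the posts leave the addresses out.

```python
import ipaddress

# Constructed sample values for the primary router; assumed, not taken from the thread.
WRT54G_LAN = ipaddress.ip_interface("192.168.1.1/24")
WRT54G_DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
                    ipaddress.ip_address("192.168.1.149"))


def check_ap_plan(router_if, dhcp_pool, ap_lan_ip, ap_dhcp_enabled, uses_wan_port):
    """Validate a second wireless router that is being reconfigured as an access point.

    router_if:       primary router's LAN address with prefix (ipaddress interface)
    dhcp_pool:       (first, last) addresses the primary router hands out
    ap_lan_ip:       LAN address chosen for the second device
    ap_dhcp_enabled: whether the second device still runs its own DHCP server
    uses_wan_port:   whether the uplink cable sits in the second device's WAN port
    Returns a list of problems; an empty list means the plan matches the advice:
    one IP block, one DHCP server, and no second NAT hop.
    """
    problems = []
    ap_ip = ipaddress.ip_address(ap_lan_ip)
    network = router_if.network
    first, last = dhcp_pool

    if ap_ip not in network:
        problems.append(f"{ap_ip} is outside {network}: clients behind the AP end up "
                        "on a second subnet with no route back from the main LAN")
    elif ap_ip == router_if.ip:
        problems.append(f"{ap_ip} collides with the primary router's own address")
    elif first <= ap_ip <= last:
        problems.append(f"{ap_ip} lies inside the DHCP pool {first}-{last}; the "
                        "primary router may lease the same address to a client")
    if ap_dhcp_enabled:
        problems.append("second DHCP server still enabled: clients may be handed a "
                        "gateway on the wrong device")
    if uses_wan_port:
        problems.append("uplink plugged into the AP's WAN port: traffic is NATed a "
                        "second time (double NAT), so shares are one-directional")
    return problems


def behind_second_router(client_gateway, router_if):
    """True when a client's default gateway is not the primary router's LAN address,
    which is what the original poster observed on the studio PC."""
    return ipaddress.ip_address(client_gateway) != router_if.ip
```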

Thanks Jeff....

I'm wondering, is Cat5 cable the same thing as a crossover cable? If so, then I need to rearrange the wiring connection scheme on the connection going into the BEFW11S4.

Cheers, Chaser

chaser7016 hath wroth:

Sorta. The WRT54G to BEFW11S4 connection should be a CAT5 cable wired to EIA-568B standards. However, it does NOT need to be wired for a crossover arrangement as the WRT54G does auto polarity sensing (or something like that). I just checked my setup and the cable between the two LAN ports is an ordinary Ethernet EIA-568B cable. If the lights appear correctly on the front panels when you plug the cable in, it will work.

Jeff Liebermann

Thanks Jeff.... I successfully added the ability to add additional wired connections in my studio, and they are connected to the BEFW11s4 and getting their IP from the WRT54G.

Unfortunately, my wireless device (laptop) will not acquire an IP address from either router. My laptop detects both routers and states a strong signal, but something is preventing it from picking up an IP from either.

You say, "You can use any SSID or channel number on the BEFW11s4. It does not need to be the same as the WRT54G. This is helpful if you want to manually select whether a client connects to the WRT54G or the BEFW11s4."

Can I just name them the same thing? I tried it with different SSIDs and channels, with no luck, and tried naming both routers the same SSID name and channel.

Thanks again for your help :)


chaser7016 hath wroth:

One down...

Nothing is preventing it from getting an IP address. The usual problem is incompatible WEP keys. There are two ways that the overly user friendly manufacturers of wireless contrivances convert WEP keys from ASCII to Hex. If you're using WEP, use the Hex key on the client and it will probably work.

"No luck" is not in my list of common failure modes. A rabbit's foot or other charm might improve your luck, but I doubt if the router will cooperate. Try it temporarily with no encryption. If that works, fix the WEP key.

I prefer to explain how it works and let you decide if that's the way you want your network to operate. If you use the same SSID for both, you in effect have a "roaming" situation, where each client radio automagically decides which access point is "best". You have no choice. The driver decides for you.

Unfortunately, most client drivers are fairly stupid about when to switch between access points. They will tenaciously hang onto a weak signal and not switch to the stronger router until the signal is totally lost. The client often guesses wrong as to which is the initial "best" access point. Using the same SSID will work, but roaming around the house is problematic. Intel has at least recognized the problem and offers adjustable "persistence" in their Proset 9 drivers.

By using different SSIDs, your client has the choice of which access point to connect to. You can't roam around the house and must manually disconnect and reconnect when switching access points.

If you use the same SSID, be sure to use the same WEP key or you'll drive some clients insane.

You should use different RF channels to avoid mutual interference, especially if the two access points can hear (or see) each other. The client will autoscan all the channels looking for a matching SSID and will use any channel that it finds (as set by the access point).

For testing, I suggest you start with different SSIDs, different channels, and no encryption. When that works with both access points, then turn on the encryption.

Jeff Liebermann
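Added example, not from the thread, of the two ASCII-to-hex conversions Jeff refers to: typing the characters' bytes straight in as the key versus a passphrase "generator" that derives key bytes. The generator algorithms are assumed to be the common ones implemented by open-source WEP keygen utilities (an LCG for 40-bit keys, MD5 for 104-bit keys); an access point and a client that pick different methods for the same text end up with different keys, which is why entering the hex directly works.

```python
import hashlib


def wep_key_from_ascii(text):
    """Method 1: use the passphrase bytes directly as the key.
    5 characters -> 40-bit (WEP64) key, 13 characters -> 104-bit (WEP128) key.
    Returns the hex string a client would have to type to match."""
    raw = text.encode("ascii")
    if len(raw) not in (5, 13):
        raise ValueError("direct ASCII keys must be exactly 5 or 13 characters")
    return raw.hex().upper()


def wep40_keys_from_passphrase(passphrase):
    """Method 2 for 40-bit keys: the passphrase seeds a linear congruential
    generator that yields four 5-byte keys (the 'Generate' button on many routers).
    Assumed here to be the common open-source keygen algorithm, not a vendor spec."""
    seed = 0
    for i, b in enumerate(passphrase.encode("ascii")):
        seed ^= b << ((i & 3) * 8)            # fold the text into a 32-bit seed
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)
        keys.append(key.hex().upper())
    return keys


def wep104_key_from_passphrase(passphrase):
    """Method 2 for 104-bit keys: MD5 over the passphrase repeated to 64 bytes,
    truncated to 13 bytes. Also an assumption about the common implementation."""
    raw = passphrase.encode("ascii")
    buf = (raw * (64 // len(raw) + 1))[:64]
    return hashlib.md5(buf).digest()[:13].hex().upper()


def keys_match(ap_hex, client_hex):
    """WEP association only succeeds when both sides hold identical key bytes;
    hex spelling is compared case-insensitively."""
    return ap_hex.upper() == client_hex.upper()
```

For a 5-character text the two methods produce different keys, so an AP using method 1 and a client using method 2 never agree until the hex is copied across.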

Thanks for all your help! I accomplished almost exactly what I wanted to. I can choose which router I want to connect to. Albeit, my laptop states Not Connected (under view wireless connection) in its interaction with the WRT54G, but I have an IP and I am surfing the web. Also, at times after five or ten minutes Windows Zero Config will connect to the BEFW11s4 signal even when it's much farther than the WRT54G.

I tried to disable Windows Zero Config and just use the Broadcom default, but the Broadcom thing in the taskbar never appears and I can't connect. Any idea how to truly disable Windows Zero Config and get the Broadcom up and working? I went to WLAN --> Properties --> Wireless Networks tab ---> removed the check from "Let Windows configure my wireless network settings" --> OK. Unfortunately, the Broadcom red icon never appears and I can't connect.


chaser7016 hath wroth:

Some wireless drivers and cards (i.e. Broadcom and some Belkin) do not properly report a successful connection to Windoze. Everything will work just fine, but the icon in the system tray says "not connected". Usually, a driver update will solve the problem.

Yep. Windoze always wants to connect to the fastest connection, not the strongest or the bestest connection.

Well the usual method is to disable the Wireless Zero Config service:

The Broadcom client should appear in the system tray. If not, find it from the laptop manufacturer's or other site and reinstall. Be sure to create a restore point with "System Restore" first, so you can recover from any screwups.

Jeff Liebermann

This is incorrect, at least under XP. If you remove them from the preferred connections list, or deprioritise them, it will do what it should. My next door neighbour's routers often have stronger signals in my garden than my own router, but I never have connection surprises.

Mark McIntyre


I beg to differ. I had the displeasure of dealing with a local "evolutionary" hotel wireless network. The hotel maintenance person had a decent electronics background and built up the system from essentially junk. There were about 8 access points going to a central router. No two access points were the same model. Some were 802.11b only, some were 802.11b/g, and some were set to 802.11g only. The entire network was on one SSID. (The 802.11g only was for video feeds in the conference room area.)

It all worked acceptably well except for an odd roaming problem. Sniffing the traffic found that almost all of the traffic was going through the 802.11b/g access points, while the 802.11b access points were only moving traffic from one, that happened to be in an isolated corner of the hotel. Basically, the 802.11b only access points were not being utilized.

I was sitting in front of an 802.11b only access point, and the laptop insisted on connecting to a distant 802.11b/g access point. The signal level for the 802.11b only access point was 5 bars, while the 802.11b/g was about 1 bar. I tried every trick I could think of to make XP SP2 connect to the access point in front of my face but it insisted on connecting to the distant 802.11b/g access point.

Now it gets weird. I disabled Wireless Zero Config and fired up Intel Proset 9.x on a 2200BG MiniPCI card. It too insisted on connecting to the fastest but distant access point. However, Proset has the ability to control the persistence of the connection. It would switch back and forth between the distant and local access points, depending on interference, propagation, signal strength, and possibly phase of the moon. I could sit there and watch it switch back and forth roughly once per minute.

As a temporary fix, I changed the SSID of the 802.11b only access points to something different. XP SP2 would instantly connect to the correct local access point and would ignore the weaker 802.11b/g access points. Even the evil "use any available connection" worked amazingly well. A few days later, I arrived with a box of 802.11g routers, which replaced the 802.11b only access points. Everything went back to the same SSID. This time, XP SP2 would select the strongest signal from the nearest access point.

I'll admit that this was not exactly a perfect test to determine what criteria Windoze uses to select an access point if all the SSIDs are the same. However, it appears that Windoze will take the fastest connection first, no matter what the signal strength, noise level, or error rate.

Jeff Liebermann

Success! Here is the step by step process I took to get two wireless routers (BEFW11s4 & WRT54G) in one home network; one is now an access point only.

  1. Plugged a regular Ethernet cable (not a crossover) running out of one of the WRT54G LAN (not WAN) ports right into the BEFW11s4 WAN port; the BEFW11s4 is in my studio, offsite of my house, 100 feet away from the WRT54G.
  2. Ran another Ethernet cable out of one of the BEFW11s4's LAN ports into my desktop in my studio.
  3. Typed in Http:// in a web browser to change the BEFW11s4's settings.
  4. Entered my router config page, viewed setup configurations.
  5. Under setup configurations I changed the default gateway address to
  6. Under setup configurations I disabled DHCP and then saved settings.
  7. Unplugged the router and then removed the Ethernet cable from the BEFW11s4's WAN port.
  8. Took the Ethernet cable and then connected it to the 1st LAN port of the BEFW11s4; plugged back in.
  9. Ethernet from BEFW11s4 LAN port 2 into my studio wired PC, and got an IP from the WRT54G.
  10. Then went into the WRT54G config page and added wireless security features.
  11. Gave the WRT54G SSID name: router1, kept it in mixed (b/g) mode, kept it on channel 6.
  12. Then under wireless security enabled encryption: a. Security Mode: WPA Pre-shared Key b. WPA Algorithm: AES c. Created a unique WPA shared key.
  13. Config page of the BEFW11s4:
  14. SSID name: router2, changed channel to 11.
  15. Then under wireless security enabled encryption: a. Security Mode: WPA Pre-shared Key b. WPA Algorithm: TKIP c. Created a unique WPA shared key.

Now I have two Wi-Fi access points that I can choose from. I was aspiring to make a roaming situation, as now I have to choose which one I want to access.

My Windows Zero Config prefers the BEFW11s4 over the WRT54G pretty much from anywhere in my house and my property, even when I'm closer to the WRT54G. Odd.

Well thanks Jeff for all your help! I hope this post helps others!



chaser7016 hath wroth:


Methinks that's backwards. On my almost identical setup, all of my assorted client radios prefer the higher speed device over the lower speed device when both have the same SSID. Weird.

Y'er welcome. However, you left out the odd problem you had that doesn't have anything to do with getting the 2nd access point working but everything to do with wireless security.

When we talked, your laptop could not get an IP address via DHCP from the WRT54G. I had you plug in with Ethernet directly and that didn't work. Eventually, we found that you had only assigned 5 IP addresses to the DHCP IP pool. Since you only have 5 computers, you should only need 5 IP addresses in the pool. Well, that's true except for one situation. You had turned off encryption temporarily for the duration of the testing. That made it easier to configure the clients. However, it also caused the neighbors' client computers, that were apparently set to the Windoze default of "use any available connection", to connect to your wireless router. Without encryption, they would get issued an IP address. That consumed enough IP addresses that when your laptop tried to get an IP address, all 5 IPs had already been issued. When you raised it to a larger number (10), the WRT54G correctly issued an IP address to your laptop.

The problem here is that there are a few documents claiming to offer security advice suggesting that one intentionally reduce the number of IPs in the DHCP pool to the exact number of clients. This is almost worthless, as attackers can easily find the IP address block and assign themselves a static IP address without benefit of the DHCP server.

Jeff Liebermann
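Added example, not from the thread: a toy DHCP lease pool that reproduces the exhaustion Jeff describes, so the sizing lesson can be seen on constructed input. The MAC addresses and the 192.168.1.100 pool start are made up; the model is one lease per MAC with renewal and release, not a real DHCP server.

```python
import ipaddress


class LeasePool:
    """Minimal model of a home router's DHCP pool: one address per MAC address,
    existing leases are renewed, new clients are refused once the pool is full.
    Constructed for illustration only."""

    def __init__(self, first_addr, size):
        self.first = ipaddress.ip_address(first_addr)
        self.size = size
        self.leases = {}                # mac -> IPv4Address

    def request(self, mac):
        """Return the client's address, or None when no address is free."""
        if mac in self.leases:          # renewal: same address handed back
            return self.leases[mac]
        in_use = set(self.leases.values())
        for offset in range(self.size):
            candidate = self.first + offset
            if candidate not in in_use:
                self.leases[mac] = candidate
                return candidate
        return None                     # pool exhausted: the client gets nothing

    def release(self, mac):
        """Lease expiry or an explicit release frees the address again."""
        self.leases.pop(mac, None)


# Constructed sample clients; the MAC addresses are made up for the example.
HOUSEHOLD = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
             "00:11:22:33:44:04", "00:11:22:33:44:05"]      # the laptop is last
NEIGHBORS = ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"]


def laptop_lease(pool_size, uninvited=()):
    """Replay the scenario from the post: while encryption was off, uninvited
    clients associated and took leases before the laptop asked for one.
    Returns the laptop's address as a string, or None if the pool had run dry."""
    pool = LeasePool("192.168.1.100", pool_size)   # assumed pool start address
    for mac in uninvited:
        pool.request(mac)
    addr = None
    for mac in HOUSEHOLD:
        addr = pool.request(mac)
    return None if addr is None else str(addr)


def live_leases_after_expiry(pool_size, uninvited):
    """Once encryption is back on, the uninvited leases eventually expire;
    the count of live leases shows how many addresses the household itself needs,
    and the difference to pool_size is the headroom that was missing."""
    pool = LeasePool("192.168.1.100", pool_size)
    for mac in list(uninvited) + HOUSEHOLD:
        pool.request(mac)
    for mac in uninvited:
        pool.release(mac)
    return len(pool.leases)
```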

It may be "almost worthless" but then so is a simple bolt on your front door, unless combined with other measures.

I tire of saying this, but security should be like an onion, lots of layers. The more layers, the less likely it is that a drive-by cracker will bother with you.

Mark McIntyre


That's all very well, but in reality DHCP based "defenses" make local administration more awkward while gaining you nothing in security.

Derek Broughton

Mark McIntyre hath wroth:

I see. The obstacle course theory of security, where the more effort required equates to more security. Well, that has its merits but I find it lacking. For example, the onion model does not take into consideration the ability to go around the security system. I find more and more of this happening as systems become more complex. Why should I attack your home system via wireless when I can just hotwire your Ethernet cable that's running under your house? More often the obstacle model creates obstacles to authorized users rather than any real security. I get that every time the kids come home for vacation and the wireless onion obstacle course is too much for either the owner or the kids to handle. All too often, they just give up, punch the reset button, run with zero security for a while, and then call me to put it back together when the kids leave. That happened twice this Christmas.

In my never humble opinion, security is in the monitoring, not the implementation. The best door lock is worthless if nobody checks to see if the door is locked. However, that's not a fashionable or practical position for home users. Few home users are going to read log files or operate and configure an IDS or sniffer.

Jeff Liebermann

Well, doesn't it? If you have to climb a wall, get past dogs, swim a crocodile infested lake, and then walk a minefield, isn't that more secure than just the wall? Do you dispute that the harder it is, the longer it takes, the less likely it is?

Sure, that's the way.

You think it'd be inconspicuous to dig a 3ft square hole through my drive or through the public highway? And you think that hiring the equipment required would be cheap enough to warrant theft of 2MB broadband?

Did you consider training the kids? I suspect they'll grasp it much quicker than the parents. And frankly, if your clients are too stupid to get this right, then it doesn't matter what security you put in place, they'll be too thick to comprehend it.

I respect you on facts, but your opinion is definitely never humble, and often bullshit.

I agree with this. Security is more than 50% social engineering.

Mark McIntyre


DUH, you're right Jeff... I forgot that very important detail about upping the amount of IPs the WRT54G doles out. Well, I still hope this post helps someone!


I don't have a clear answer. If you're trying to stop the casual drive-by hacker, then almost any obstacle will suffice to stop them. They simply don't have the time. However, if you're trying to stop the neighbor's 16-year-old script kiddie from borrowing your broadband because his parents have pulled the plug on his porno download habits, methinks you'll find him willing to spend an inordinate amount of time and effort in navigating the obstacle course. Strangely, I've found more of the latter type of hacker than the former.

That again depends on what you're trying to protect against. I wouldn't bother with your home system. However, I've done the wiretap trick successfully at businesses. I posted a story of a customer with an expensive, highly encrypted, proprietary radio link between buildings. I tapped into the system in the phone room in the hallway, where the CAT5 to the roof went towards the server room. All the wireless security in the world didn't do them any good when I can go around it. Other examples if you need additional entertainment.

College kids. Impossible to teach them anything. We don't even speak the same language.

My clients are not stupid. Many of them have impressive credentials and advanced degrees. They're just not interested in the intricacies of wireless and just want it to work. You might consider them lazy in this regard, but they say they have better things to do than configure routers. Since they pay my exorbitant rates to do it for them, I would think of disagreeing.

I would be disappointed if everyone agreed with me. I'm prepared to defend my allegations and conclusions. I'll admit that I've been quite wrong in the past and expect to be wrong in the future. It won't take much Googling to find my mistakes. I've also adequately demonstrated that I'm an egotistical, arrogant, self-centered, obnoxious, and irritating person who considers unsubstantiated opinions to be no better than bullshit.

I notice you didn't say anything about my comments about monitoring being the "real" basis of security. I'm curious if you also consider this to be bullshit. I've done my share of social engineering and suspect it's more like 25%. My guess is 50% is reading about how others have done it, and adapting their techniques for the current attack. In other words, research, reading, and understanding.

Speaking of social engineering, do some NetStumbling and find a few wireless SSIDs in the form of 2wireXXX. Try doing some social engineering and try to get a complete stranger to show you the WEP key label on the bottom of the 2wire router. Good luck.

Incidentally, I once watched a real security expert (name withheld) hack his way into a 3DES protected VPN with a capture program, a debugger, and some simple crypto tools. VPNs are about the ultimate in multi-layer security obstacle courses. If you know how it works, and what you're doing, your obstacle course is worthless. However, once we had broken in, the IDS (intrusion detection system) belched alarms all over the place. My cell phone had an SMS message showing an intrusion alert about 2 minutes after we broke in. Like I said, monitoring is what makes "real" security work.

Jeff Liebermann

All too true. However I can't think of any obvious reason to make it /easy/ for next door's porno freak. :-)

Absolutely. It's amazing how many people make this mistake, like my neighbour with his router visible through the window. Any casual passerby now knows the make & model, and that makes hacking in even easier [even ignoring the possibility of his WPA passphrase being written on a sticker :-) ]

This has nothing to do with how stupid they are. My dad has a couple of degrees and can barely operate a video recorder. His brain simply ain't wired for it.

I know the feeling, and totally agree that we, the technologists, need to make it easier. However the same can be said of many aspects of modern life: 'it's not my fault I crashed my car, you guys should make it easier to drive, all these knobs and dials, and stuff you need to do under the bonnet...'.

I consider monitoring to be part of social engineering in this context. For example, advising everyone on a corporate LAN that their internet use may be monitored is social engineering; they'll think twice about doing anything silly even if you don't ever actually look at the logs except after a complaint of some sort.

Heck I can phone up complete strangers and they'll tell me their password without batting an eyelid if I tell them I'm from their company's PC helpdesk or similar.

"Hi, I'm working in ntl's wireless mesh networking unit, and we're piloting a scheme to deploy a secure 100MB broadband in your area. Our site survey indicated you had a secure wireless network, and we'd like to invite you to take part in our secure pilot scheme. For taking part in the pilot, we give a 50% reduction in your current ntl bill, plus a 1TB/month download allowance. All I need from you is confirmation of your ntl account number, your mother's maiden name for security purposes, and the code number from your router so we can authenticate it on our servers."

... and I'm not even a pro at this. It's sad, isn't it?

Not worthless, it still took an expert several minutes and he had the right tools already to hand. You're right though, no system is impregnable, as I've been arguing elsthread wrt the uncrackability of WPA.

The next layer of the onion. My case rests. :-)

Mark McIntyre


Mark McIntyre hath wroth:

I've learned more about wireless security from the horde of neighborhood kids trying to use my wireless than from any books or web pages. Would you believe a non-TCP/IP wireless network of game machines using my wireless bridge as a store and forward repeater? My IDS (intrusion detection system) didn't see them because it was sniffing the traffic to the DSL modem and not the wireless. At one time, the log files showed over 1000 different MAC addresses thanks to one kid using a MAC address generator which he stole off my machine. How about a repeater installed in a tree near my house so the game network could be easily expanded?

However, the fun ended in Sept 2005, when most of the smart ones left for college. I'll have to wait for the next generation of currently 13-year-olds to get up to speed. At least I'll have some peace and quiet for a few years.

Anyway, one of the reasons I like the WRT54G with DD-WRT firmware is that I can do scripting from the telnet command line using 'expect'. Two of my coffee shops want to change the WEP64 key at least once per day. It was too tedious and time consuming to do with the web interface. So, I printed up a pile of flash cards with the WEP key of the day (in ASCII and Hex) along with the effective days and times. I then wrote a shell and expect script to login, change the WEP64 key, and logout. Keys were pulled from a database with about 3 months worth of keys. The cards with the key of the day are hung in the coffee shop in plain sight. Despite the ease with which WEP64 can be cracked, it seems to have stopped the neighbors from hogging the system, which was the only intent.

I won't admit to how many systems I've broken into by simply looking for passwords scribbled on terminals, monitors, and under mousepads and keyboards. The nasty tendency of users to re-use the same password for everything has caused problems. If I really want someone's password, I just tell them that I have to create an "account" for them, and ask them for a suitable login and password. Invariably, they recycle an old password or worse yet, use the same one for everything. One of my dingy customers was so enamored with their cryptic password that they ordered a vanity license plate with it (not a joke, for real).

Yes, one should not inscribe passwords and important information in easily accessible locations. However, the only way I can get people to not recycle old passwords and use a unique password for everything is to write them down. If they have to remember the password, they'll use the same one over and over. In that case, the only question is where and how to write it down. I use an Excel spreadsheet (password secured) on an encrypted USB dongle. I don't expect my customers to do that, although my HIPAA customers do use X.509 certificates on USB dongles, encrypted storage, and a trivial password in case it's lost. My level of security and paranoia largely depends on the risks and limitations of the customer. For the average home user, a post-it note under the router is good enough. I would never do that at a server farm, in a server room, or for securing a high value system.

I was trying to be nice. One of my most frustrating customers is a well known author, who still insists on using a typewriter. His staff then takes the typewritten pages and runs them through an OCR reader. I also have a VP at a large corporation, who has to have the biggest and newest monitor and computer on his desk, but has his secretary print his email for him as he can't figure out how to read it on the screen. He also verbally dictates his replies. These people would be totally lost dealing with the intricacies of wireless. Getting the router set up on the internet is messy enough. Now SES and AOSS want to add another layer of complexity? Yech.

I have several proposals sitting in the trash cans of the major wireless manufacturers to do just that. As long as sales are good, and returns are low, they don't care about usability.

True. However, we're not talking about a corporate LAN where monitoring is almost a requirement due to liability and internal security issues. We're talking about a home user, who thinks he can push the Cisco logo on the front of the router and be instantly secure. Just look at the boxes that the routers are packaged in. They literally exude the impression that with the product inside, your home network will be safe and secure. Nowhere is a warning label that says "Warning. This product is insecure unless properly configured". Yet, even if someone follows the included security advice to the letter (does anyone actually read the included docs?), security can be compromised by unsafe habits and technological assumptions. Monitoring would be an answer, but that's not offered by any of the manufacturers.

It's like if you wanted to protect a barn. At present, you lock the door with a padlock and never check to see if the padlock still functions. With monitoring, it's like forget the padlock. Install a loud burglar alarm. If someone opens the barn door, the alarm goes off. I'm not sure which is best as the lock and the alarm both have their place. It's again based on what one is interested in protecting. For example, I just ripped out a "parental control (lock)" software pile of junk from a neighbor's computer. Their 14 year old was hitting all the sex sites. Instead, I installed a URL monitoring system (monitoring) on their BEFW11S4. Every site the kid hits gets recorded. Mom looks at the reports and sees what her son is doing. Seems to work MUCH better than the "parental control" software.

You must be a better actor than me. When I try that, people get very suspicious. About 6 years ago, I got involved in a "security audit" where I phoned users at one of my customers asking for their passwords. I didn't have to simulate being from IT because I was working for IT and fairly well known. Out of about 15 people that I tried to trick, nobody gave me their passwords when I called them. However, one of the other IT people managed to get about 5 out of 10 that he called. This company has regular lectures on security and operating practices. This was underscored by one employee that was fired not for breaking them (which he did anyway), but for testing the boundaries of the security system to see what he could get away with. None of my other customers come even close to this, so social engineering would probably work.

I hate to admit it, but that will probably work on most of my customers. It might even work on me. I've experienced a variation on that with someone claiming to be from my bank. However, I got suspicious and asked if I could call them back when I wasn't so busy. They couldn't supply a verifiable call back number, so I knew this was a fake.

IDS is not part of the protection system (obstacle course). It's independent, usually NOT accessible from either inside or outside, and runs in listen only mode. Think of it as the burglar alarm, not the door lock.

Jeff Liebermann