Wi-Fi How To

From Navas Wireless Wiki


Welcome! Navas Wireless Wiki is a practical, comprehensive, and objective resource for wireless communications, particularly wireless access to the Internet, and related wireless technologies (e.g., cellular). Founded by John Navas and Jeff Liebermann.


Collection of "how to" step-by-step recipes for making Wi-Fi work better.



Get started

Wireless Networking Need To Know 2006

Measure wireless network performance

  • Internet speed testing (e.g., NDT) probably won't tell you anything about your wireless network performance (because wireless is normally faster than an Internet connection).
  • Instead, measure data transfer throughput between two computers on your network, using software tools such as:
  • Wireless to wireless speed will probably be much less than wireless to wired speed, because only one wireless link in one direction can be active at any one time.

Network Monitoring

Monitor network throughput, amount of data sent/received, etc.

See Network Monitors.

Why and How to do a Site Survey

See Site Survey Tools

Wireless LAN layout

[Figure: Wireless LAN Channel Grid] Single floor (horizontal) layout and channel assignments of multiple access points (all with the same unique SSID) for maximum coverage with minimum interference.
For multiple floors (vertical) layout, stagger the vertical arrangement. [Figure: Wireless LAN Channel Grid, multiple floors]

Use a wireless router as a wireless access point

  1. Set IP address (manually)
    • In the same address range as your other devices
    • That doesn't conflict with any other device (e.g., router)
  2. Disable internal DHCP server.
  3. Connect (Ethernet) cable to LAN port, not WAN/Internet port.
    • Nothing connected to WAN/Internet port.
    • May need to use crossover type cable.
  4. Disable any wireless-to-wired isolation feature.

Two wireless networks on one router

Based on Implementing Inexpensive Multiple SSID Networks
[Wi-Fi Planet.com Tutorial by Eric Geier, December, 2007]

Two separate wireless networks are a good way to isolate private and public/guest network clients, where:

  • Private network clients have access not only to the Internet, but also to each other (file and/or printer sharing), wired and wireless
  • Public/guest network clients have access only to the Internet, not to each other (see Wireless Isolation), and not to the private clients

While some wireless routers have this capability built-in (see Guest Account), it can also be done with third party firmware, which can provide additional functionality as well.

The following procedure is for two separate wireless networks using DD-WRT (on supported devices) with the web browser interface (as of v24 preSP2 Beta build 12533). For more than two separate wireless networks, consult the reference above.

  1. Configure two wireless networks: Wireless → Basic Settings
    • Wireless Physical Interface wl0
      • This will be the private wireless network
      • Recommendation: Click Disable for Wireless Network Name (SSID) broadcast to avoid conflict with the visible public/guest wireless network [see Overcoming Multiple SSID (Not BSSID) Connectivity Issues in the reference above]
    • Virtual Interfaces
      • Click Add to create the public/guest wireless network, which will be
        Virtual Interfaces wl0.1
      • Enter a unique Wireless Network Name (SSID) (e.g., John Doe's Guest Wireless)
      • Click Enable for AP Isolation (to isolate public/guest wireless clients from each other)
      • Click Unbridged for Network Configuration
      • For IP Address, enter a different subnet from the private network (which is 192.168.1.1 by default):
        192.168.2.1
      • For Subnet Mask, enter:
        255.255.255.0
    • Click Save (and do not click Apply Settings)
  2. Configure wireless network security: Wireless → Wireless Security
    • Enter desired security for each wireless network
    • WPA2 Personal with a strong passphrase is recommended. (WEP and WPA-TKIP are not secure!)
    • Note: DD-WRT v24 preSP2 Beta build 12533 will not properly authenticate WPA Personal or WPA2 Personal after a reboot (bug 003729), only WEP.
    • Click Save (and do not click Apply Settings)
  3. Configure DHCP for public/guest wireless: Services → Services → DNSMasq
    • In Additional DNSMasq Options enter:
         interface=wl0.1
         dhcp-option=wl0.1,3,192.168.2.1
         dhcp-option=wl0.1,6,192.168.1.1
         dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m
    • Click Save (and do not click Apply Settings)
  4. Configure firewall to isolate public/guest from private: Administration → Commands → Command Shell
    • Enter the Commands:
         iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept
         iptables -I FORWARD -i wl0.1 -o br0 -j logdrop
         iptables -I FORWARD -i br0 -o wl0.1 -j logdrop
    • Click Save Firewall
    • Click the Management tab
    • Click Apply Settings (down at the bottom)
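
To check what the step 4 rules actually allow, the following added example (not part of the original procedure or of DD-WRT) replays the three commands into ordered rule lists and evaluates first-match for the traffic paths that matter. The baseline rule and the WAN interface name vlan1 are assumptions constructed for illustration, and logaccept/logdrop are treated as terminating targets.

```python
import shlex

# The three commands from step 4, as given on the page.
PAGE_COMMANDS = """
iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept
iptables -I FORWARD -i wl0.1 -o br0 -j logdrop
iptables -I FORWARD -i br0 -o wl0.1 -j logdrop
"""

# Constructed baseline (an assumption, not DD-WRT's real default ruleset):
# one broad rule that already forwards everything arriving from the guest radio.
BASELINE = "iptables -A FORWARD -i wl0.1 -j ACCEPT"

FLAGS = {"-i": "in", "-o": "out", "--state": "state", "-j": "target"}

def apply_commands(commands, chains=None):
    """Replay iptables -I / -A commands onto ordered per-chain rule lists."""
    chains = {name: list(rules) for name, rules in (chains or {}).items()}
    for line in commands.strip().splitlines():
        tok = shlex.split(line)
        op, chain, args = tok[1], tok[2], tok[3:]
        rule = {"in": None, "out": None, "state": None, "target": None}
        for flag, value in zip(args, args[1:]):
            if flag in FLAGS:
                rule[FLAGS[flag]] = value
        rules = chains.setdefault(chain, [])
        if op == "-I":
            rules.insert(0, rule)   # -I without an index inserts at the head
        else:
            rules.append(rule)      # -A appends at the tail
    return chains

def first_match(chains, chain, in_if, out_if=None, state="NEW"):
    """Return the target of the first matching rule (first match wins)."""
    for rule in chains.get(chain, []):
        if (rule["in"] in (None, in_if) and rule["out"] in (None, out_if)
                and (not rule["state"] or state in rule["state"].split(","))):
            return rule["target"]
    return "(chain policy)"

def isolation_report(chains):
    """Verdict for each path the guest/private split is supposed to control."""
    return {
        "guest -> private": first_match(chains, "FORWARD", "wl0.1", "br0"),
        "private -> guest": first_match(chains, "FORWARD", "br0", "wl0.1"),
        "guest -> internet": first_match(chains, "FORWARD", "wl0.1", "vlan1"),
        # The INPUT rule has no protocol or port match, so this verdict covers
        # every service on the router itself, not only DHCP and DNS.
        "guest -> router itself": first_match(chains, "INPUT", "wl0.1"),
    }

base = apply_commands(BASELINE)
as_written = isolation_report(apply_commands(PAGE_COMMANDS, base))
appended = isolation_report(apply_commands(PAGE_COMMANDS.replace(" -I ", " -A "), base))
```

With -I the drop rules land ahead of the baseline accept, so as_written reports logdrop in both directions; with -A they land behind it and guest-to-private traffic is accepted. The "guest -> router itself" verdict is a reminder to set a strong administrator password, since guests can reach the router's own services.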

Isolate Two Networks

Two Networks with Internet access that are isolated from each other

Isolate two local networks from each other with both able to access the same Internet connection using low-cost routers:

  • Use three (3) routers (A, B, and C)
  • Connect network A to the wireless and/or LAN ports on router A
  • Connect network B to the wireless and/or LAN ports on router B
  • Connect router A and router B WAN (Internet) ports to LAN ports on router C
  • Connect the WAN (Internet) port on router C to the Internet

Notes:

  • Routers A and B can be wired and/or wireless.
  • This method involves Double NAT, which can sometimes cause problems. (See Session Traversal Utilities for NAT)
  • The same effect can also be achieved with a single router that supports Virtual LAN (VLAN) without double NAT, although it may be less secure.

WPA/WPA2

WPA2 is strongly preferred, because

There are two forms of WPA/WPA2:

  • Personal or PSK (Pre-Shared Key)
  • Enterprise (RADIUS authentication)

Use WPA Personal with Windows 98/Me/2000

Microsoft provides WPA/WPA2 support for Windows XP. For earlier versions of Windows, third-party software must be used:

Use WPA/WPA2 Enterprise

WPA Enterprise enhances security and is preferred over WPA Personal because each client is authenticated separately. (Sharing a key is a security risk.) Practical authentication (RADIUS) solutions for small wireless networks include:

Secure a wireless network

Why to do it: Worried about Wi-Fi security?

What to do:

  1. Change the SSID to something truly unique (e.g., instead of linksys or NETGEAR, something like John Doe's private wireless).
  2. Use some form of WPA2 with a strong passphrase. (WEP and WPA-TKIP are not secure.)
  3. Use a personal firewall (software firewall) on all networked computers (wired or wireless).
  4. Secure all network shares
  5. Either ensure remote access to the wireless administrator interface is disabled, or set a strong wireless administrator password.

Secure WDS

WPA (Wi-Fi Protected Access) cannot normally be used to secure WDS (Wireless Distribution System) wireless repeating/range extension. However, according to the TechTarget Expert Answer Center, current versions of the following products support WDS with WPA (albeit likely only with products from the same vendor):

  • Apple Airport
  • Sveasoft Alchemy
  • Belkin 802.11g Wireless Network Access Point
  • 3COM OfficeConnect Wireless 108 Mbps 11g PoE Access Point
  • Corinex Wireless to Powerline Router G

Set up a hotspot

See:

Liability:

Hotspot hardware

Products that provide "captive portal" or splash page functionality:

Hotspot firmware

3rd-party firmware that provides "captive portal" or splash page functionality:

Hotspot software

Products that provide "captive portal" or splash page functionality:

Hotspot systems

Turnkey hardware and software:

Controlling "squatters" and "leeching"

Of varying effectiveness:

  1. Password from the operator that must be entered on the initial splash or signon page, changed periodically.
  2. WEP or WPA key that changes periodically.
  3. Drastically reduced transmit power on the access point.
  4. Distance measuring devices that can tell if the client is inside or outside.
  5. Turn off wireless during off hours.
  6. Don't provide electrical power (limiting use to battery capacity).
  7. Download quotas and Quality of Service (QoS). These are rule based quotas for what an individual client may download. QoS is also good for preventing a user from hogging all your bandwidth. However, administration is tricky and there are ways around quotas.

Mobile hotspot

Secure Internet access in a public hotspot

  • Wireless transmissions on a public hotspot are typically unencrypted, and thus exposed to snooping.
  • All computers on a public hotspot are typically exposed to each other, and thus vulnerable to network attacks.

Use a software firewall

Secure network shares

  • Use strong passwords on all system accounts (including Administrator) and on all user accounts.
  • Microsoft Windows
    1. Use Simple File Sharing (Windows XP only); or
    2. Make sure that all network shares are secured with strong passwords (all versions of Windows). Use Control Panel → Administrative Tools → Computer Management → Shared Folders → Shares to review and check Properties of all network shares.

Use SSL/TLS for email access

  • Using standard POP3/SMTP email protocols for email over wireless is very dangerous because passwords aren't encrypted. Use of SSL/TLS is the best way to secure email connections.
  • Email connections can be secured by using a Web-based email (webmail) service that supports SSL/TLS connections. Make sure your browser displays a padlock icon throughout your email session. Such services include:
  • POP3/SMTP sessions can also be protected if the email provider supports SSL/TLS. Such providers include:
    • Google Mail (Gmail) (free) (Help available on configuring many email clients)
  • Even with SSL/TLS, email is still vulnerable to snooping on the public Internet unless individual messages are encrypted (e.g., with S/MIME or OpenPGP).

Use SSL/TLS for sensitive Web pages

  • Use of any website for sensitive information (e.g., social security number, credit card number, on-line banking, on-line investments, etc.) should always be protected by means of SSL/TLS. The URL (link) should start with https. Make sure your browser displays a padlock icon throughout your session.

Use VPN to protect all transmissions

Give Wi-Fi preference over wired Ethernet (or vice versa)

Interface routing Metrics control which interface will be used at any given time.

Microsoft Windows

  • Automatic route Metrics:
      Interface                  Metric
      100BaseT wired Ethernet    20
      802.11a/g Wi-Fi            25
      10BaseT wired Ethernet     30
      802.11b Wi-Fi              30
  • To display route Metrics, Run
    %COMSPEC% /K ROUTE PRINT
    • For which Interface is which IP address, Run
      %COMSPEC% /K IPCONFIG /ALL
    • Preference is given to the lowest Metric, or to the first bound Interface for equal Metrics, as shown for Default Route.
  • Route Metrics can be controlled with the Interface Metric option in Advanced TCP/IP Settings for a Connection.
    • To give Wi-Fi preference over any wired Ethernet, set the Metric of Wireless to 10.
    • To give any wired Ethernet preference over Wi-Fi, set the Metric of Wireless to 40.

Make a Wi-Fi antenna or reflector for cheap

Amount of antenna improvement:

  • Standard "rubber duck" antenna gain (effectiveness) is about 2 dBi.
  • It takes an increase of 6 dB to double range. Thus:
      Antenna:   2 dBi   8 dBi   14 dBi   etc.
      Range:     1x      2x      4x       ...

Add additional Wi-Fi access points (to increase coverage)

Configure a Wi-Fi client bridge

For background, see Can't connect to Wi-Fi client bridge and Internet at the same time.

Problem: The NIC on a local computer needs a manually-assigned IP on the same subnet to connect to the client bridge config interface but then can't access the Internet, and when configured for DHCP through the client bridge can then talk to the Internet but not the client bridge.

Solutions:

  1. Multihoming of the NIC (single link, multiple IP addresses)
    • For Microsoft Windows XP, see "Configuring Multiple IP Addresses on a Network Adapter" in Configuring IP Addressing and Name Resolution. Note: This only works with all manual addresses, not DHCP, which can be problematic when roaming unless managed with configuration manager software (see below)
  2. Two NICs in one computer, both connected to the client bridge:
    • one manually configured to talk to the client bridge config
    • the other with DHCP for the Internet
  3. Different computers for
    • client bridge config (manually configured)
    • Internet access (DHCP)
  4. Connection manager software for rapid changing of NIC configuration profiles

Test and compare user interfaces

Product simulators:

Wireless Broadband (3G) Routers

Use 3G cellular data instead of DSL or cable modem:

Tip: Use of cellular data service as a non-mobile DSL/cable modem replacement may be against the terms of service of a given carrier (e.g., Verizon Wireless).


Make shore Wi-Fi work better on a boat

See Wi-Fi on a Boat

Share USB devices over Wi-Fi

New bi-directional USB 2.0 servers provide more functionality than older USB servers, including support for multi-function printers.

Share your Internet with a neighbor via Wi-Fi

Tip: Opening up your Internet to outsiders may violate your ISP's terms of service and can be a serious security risk.


Extend Wi-Fi through a brick wall

  • Do you really need to go through a brick wall? Try going around the wall, with a directional antenna on the router site, and a reflector, above, below, or to the side of the wall. Reflectors can be as simple as a sheet of heavy aluminum foil, or you can use a pair of directional antennas wired back-to-back if more signal is needed.
  • Run a cable from one of the wireless router's antenna connectors around or (drilled) through the wall, and on the other side of the wall attach an antenna.
  • Run Cat-5 or better cable from one of the wireless router's RJ45 ports around or (drilled) through the wall, and on the other side of the wall attach a wireless access point.
  • Use powerline, phoneline, or coax networking to attach a wireless access point on the other side of the wall, if any of these cables are available on both sides of the wall.

Block Wi-Fi signal

Jamming isn't lawful (in the USA at least), but these methods are:

Disable b Wi-Fi

  • Pro
  • Con
  • How
To Do: Please contribute if you can, or check back later for content.

Roam seamlessly (using VPN)

Information:

Products:

To Do: Please contribute if you can, or check back later for content.

Wake on LAN

  • For Wake-on-LAN from 'outside' a router (e.g., over the Internet), what's needed is router support for directed broadcasts, which most low-end routers lack because directed broadcasts are a security risk (e.g., Smurf attack) and aren't of much interest to the home/SOHO market in any event. Thus this is normally found only in more sophisticated products.

Make a Wi-Fi enclosure

To Do: Please contribute if you can, or check back later for content.

Hack Wi-Fi

To Do: Please contribute if you can, or check back later for content.

Microsoft Windows

File and Printer Sharing

Windows Security

Troubleshooting Resources

Configure manual IP address

  1. Start → Control Panel → Network Connections
  2. Right-click on desired network connection, and select Properties on the pop-up menu
  3. Scroll the connection item list if necessary and double-click Internet Protocol (TCP/IP)
  4. Select Use the following IP address
  5. Enter desired IP address (must be in the same subnet as other local network devices, typically something like 192.168.0.100 or 192.168.1.100, depending on whether other devices are in ".0." or ".1." etc.)
  6. Enter appropriate Subnet mask (typically 255.255.0.0)
  7. Enter Default gateway (often the address of your router, something like 192.168.0.1 or 192.168.1.1)
  8. If needed, configure DNS servers (obtained from your ISP)
  9. Click OK to close all windows

Configure automatic IP address

e.g., by DHCP

  1. Start → Control Panel → Network Connections
  2. Right-click on desired network connection, and select Properties on the pop-up menu
  3. Scroll the connection item list if necessary and double-click Internet Protocol (TCP/IP)
  4. Select Obtain an IP address automatically
  5. Select Obtain DNS server address automatically
  6. Click OK to close all windows

Reset Internet Protocol (TCP/IP) in Windows XP

Display network adapter configuration

  1. Click Start → Run
  2. Type:
    %COMSPEC% /K IPCONFIG /ALL
  3. Press [Enter]

Release DHCP lease

  1. Click Start → Run
  2. Type:
    %COMSPEC% /K IPCONFIG /RELEASE
  3. Press [Enter]

Renew DHCP lease

  1. Click Start → Run
  2. Type:
    %COMSPEC% /K IPCONFIG /RENEW
  3. Press [Enter]

Flush DNS cache

  1. Click Start → Run
  2. Type:
    %COMSPEC% /K IPCONFIG /FLUSHDNS
  3. Press [Enter]

Display ARP cache (table)

  1. Click Start → Run
  2. Type:
    %COMSPEC% /K ARP -A
  3. Press [Enter]

Flush ARP cache (table)

  1. Click Start → Run
  2. Type:
    %COMSPEC% /K NETSH INTERFACE IP DELETE ARPCACHE
  3. Press [Enter]

Display active network connections and listening ports

  1. Click Start → Run
  2. Type:
    %COMSPEC% /K NETSTAT -A
  3. Press [Enter]

Display Ethernet statistics

  1. Click Start → Run
  2. Type:
    • %COMSPEC% /K NETSTAT -E   [standard display]
    • %COMSPEC% /K NETSTAT -E -S   [detailed display]
  3. Press [Enter]
  • For a repeating display, add the repeat interval in seconds to the end of the above commands; e.g. %COMSPEC% /K NETSTAT -E 10   [repeats at 10 second intervals]
  • See also Wi-Fi Network Monitors.

Display Windows networking connections

  1. Click Start → Run
  2. Type:
    %COMSPEC% /K NBTSTAT -S
  3. Press [Enter]