Wi-Fi How To

From Navas Wireless Wiki

(Make a Wi-Fi antenna or reflector for cheap: edit)
m (Measure wireless network performance: update)
 
Line 16: Line 16:
* Internet speed testing (''e.g., ''[http://nitro.ucsc.edu/ NDT]) probably ''won't'' tell you anything about your wireless network performance (because wireless is normally faster than an Internet connection).
* Internet speed testing (''e.g., ''[http://nitro.ucsc.edu/ NDT]) probably ''won't'' tell you anything about your wireless network performance (because wireless is normally faster than an Internet connection).
* Instead, measure data transfer throughput between two computers on your network, using software tools such as:
* Instead, measure data transfer throughput between two computers on your network, using software tools such as:
-
** [http://dast.nlanr.net/Projects/Iperf/ Iperf]
+
** [http://iperf.sourceforge.net/ Iperf]
 +
** [http://code.google.com/p/xjperf/ Jperf]
** [http://freshmeat.net/projects/netio/ Netio]
** [http://freshmeat.net/projects/netio/ Netio]
* Wireless to ''wireless'' speed will probably be much less than wireless to ''wired'' speed, because ''only one wireless link in one direction can be active at any one time''.
* Wireless to ''wireless'' speed will probably be much less than wireless to ''wired'' speed, because ''only one wireless link in one direction can be active at any one time''.
Line 48: Line 49:
#* May need to use ''[[wikipedia:Ethernet crossover cable|crossover]]'' type cable.
#* May need to use ''[[wikipedia:Ethernet crossover cable|crossover]]'' type cable.
# Disable any wireless-to-wired isolation feature.
# Disable any wireless-to-wired isolation feature.
 +
 +
== Two wireless networks on one router ==
 +
:''Based on [http://www.wi-fiplanet.com/tutorials/article.php/10724_3714521_1 Implementing Inexpensive Multiple SSID Networks]<br>[Wi-Fi Planet.com Tutorial by Eric Geier, December, 2007]''
 +
 +
Two separate wireless networks are a good way to isolate private and public/guest network clients, where:
 +
* ''Private'' network clients have access not only to the Internet, but also to each other (file and/or printer sharing), wired and wireless
 +
* ''Public/guest'' network clients have access ''only'' to the Internet, ''not'' to each other (see [[Wi-Fi#Wireless Isolation|Wireless Isolation]]), and ''not'' to the private clients
 +
 +
While some wireless routers have this capability built-in (see [[Wi-Fi#Guest Account|Guest Account]]), it can also be done with [[wikipedia:Linksys WRT54G series#Third-party firmware projects|third party firmware]], which can provide additional functionality as well.
 +
 +
The following procedure is for ''two separate wireless networks'' using [http://www.dd-wrt.com DD-WRT] (on [http://www.dd-wrt.com/dd-wrtv3/dd-wrt/hardware.html supported devices]) with the web browser interface (as of v24 preSP2 Beta build 12533).
 +
For ''more than two'' separate wireless networks, consult the reference above.
 +
# '''Configure two wireless networks: ''Wireless &rarr; Basic Settings'''''
 +
#*  ''Wireless Physical Interface '''wl0'''''
 +
#** This will be the ''private'' wireless network
 +
#** ''Recommendation'': Click ''Disable'' for ''Wireless Network Name (SSID)'' broadcast to avoid conflict with the visible public/guest wireless network [see ''Overcoming Multiple SSID (Not BSSID) Connectivity Issues'' in the reference above]
 +
#*  ''Virtual Interfaces''
 +
#** Click ''Add'' to create the ''public/guest'' wireless network, which will be<br>''Virtual Interfaces '''wl0.1'''''
 +
#** Enter a '''unique''' ''Wireless Network Name (SSID)'' (e.g., ''John Doe's Guest Wireless'')
 +
#** Click ''Enable'' for ''AP Isolation'' (to isolate public/guest wireless clients from each other)
 +
#** Click ''Unbridged'' for ''Network Configuration''
 +
#** For ''IP Address'', enter a '''different [[wikipedia:Subnetwork|subnet]]''' from the private network (which is 192.168.<u>1</u>.1 by default):<br>192.168.<u>2</u>.1
 +
#** For ''Subnet Mask'', enter:<br>'''255.255.255.0'''
 +
#* Click ''Save'' (and do '''not''' click ''Apply Settings'')
 +
# '''Configure wireless network security: ''Wireless &rarr; Wireless Security'''''
 +
#* Enter desired security for each wireless network
 +
#* '''WPA2 Personal with a strong passphrase is recommended.''' (WEP and WPA-TKIP are '''not''' secure!)
 +
#* ''Note'': DD-WRT v24 preSP2 Beta build 12533 will ''not'' properly authenticate WPA Personal or WPA2 Personal after a reboot ([http://www.dd-wrt.com/dd-wrtv2/bugtracker/view.php?id=3729 bug 003729]), only WEP.
 +
#* Click ''Save'' (and do '''not''' click ''Apply Settings'')
 +
# '''Configure DHCP for public/guest wireless: ''Services &rarr; Services &rarr; DNSMasq'''''
 +
#* In ''Additional DNSMasq Options'' enter:<code><br>&nbsp;&nbsp;&nbsp;interface=wl0.1<br>&nbsp;&nbsp;&nbsp;dhcp-option=wl0.1,3,192.168.2.1<br>&nbsp;&nbsp;&nbsp;dhcp-option=wl0.1,6,192.168.1.1<br>&nbsp;&nbsp;&nbsp;dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m</code>
 +
#* Click ''Save'' (and do '''not''' click ''Apply Settings'')
 +
# '''Configure firewall to isolate public/guest from private: ''Administration &rarr; Commands &rarr; Command Shell'''''
 +
:* Enter the ''Commands'':<code><br>&nbsp;&nbsp;&nbsp;iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept<br>&nbsp;&nbsp;&nbsp;iptables -I FORWARD -i wl0.1 -o br0 -j logdrop<br>&nbsp;&nbsp;&nbsp;iptables -I FORWARD -i br0 -o wl0.1 -j logdrop</code>
 +
:* Click ''Save Firewall''
 +
:* Click the '''''Management''''' tab
 +
:* Click ''Apply Settings'' (down at the bottom)
 +
 +
== Isolate Two Networks ==
 +
[[Image:Isolated Networks.png|right|frame|Two Networks with Internet access that are isolated from each other]]
 +
Isolate two local networks from each other with both able to access the same Internet connection using low-cost routers:
 +
* Use three (3) routers (A, B, and C)
 +
* Connect network A to the wireless and/or LAN ports on router A
 +
* Connect network B to the wireless and/or LAN ports on router B
 +
* Connect router A and router B WAN (Internet) ports to LAN ports on router C
 +
* Connect the WAN (Internet) port on router C to the Internet
 +
Notes:
 +
* Routers A and B can be wired and/or wireless.
 +
* This method involves Double NAT, which can sometimes cause problems. (See [[wikipedia:Session Traversal Utilities for NAT|Session Traversal Utilities for NAT]])
 +
* The same effect can also be achieved with a single router that supports [[wikipedia:Virtual LAN|Virtual LAN]] (VLAN) without double NAT, although it may be less secure.
== WPA/WPA2 ==
== WPA/WPA2 ==
-
[[wikipedia:Wi-Fi Protected Access|WPA]] (Wi-Fi Protected Access) and [[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] are strongly preferred over [[wikipedia:Wired Equivalent Privacy|WEP]] (Wired Equivalent Privacy) because [[wikipedia:Wired Equivalent Privacy#Flaws|WEP can be easily cracked]]. There are two forms of WPA/WPA2: Personal or PSK (Pre-Shared Key), and Enterprise ([[wikipedia:RADIUS|RADIUS]] authentication).
+
'''[[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] is strongly preferred''', because
 +
* '''[[wikipedia:Wired Equivalent Privacy#Flaws|WEP can be easily cracked]]'''
 +
* '''[[wikipedia:Wi-Fi Protected Access#Weakness in TKIP|WPA-TKIP can now be cracked]]'''
 +
There are two forms of WPA/WPA2:
 +
* ''Personal'' or PSK (Pre-Shared Key)
 +
* ''Enterprise'' ([[wikipedia:RADIUS|RADIUS]] authentication)
=== Use WPA Personal with Windows 98/Me/2000 ===
=== Use WPA Personal with Windows 98/Me/2000 ===
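Review bot: the first firewall command in step 4, "iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept", accepts every new connection from the guest interface to the router itself with no port restriction, so guest clients can reach the router's own services (web administration, remote shell if enabled), not just the DHCP and DNS they need; the two FORWARD drop rules only cover traffic passing through to br0 and do not touch INPUT. Suggest narrowing the accept to udp 67 (DHCP) and udp/tcp 53 (DNS) and adding a catch-all "iptables -I INPUT -i wl0.1 -j logdrop"; because -I inserts at the top of the chain, insert the catch-all drop first so the narrower accepts land above it. Related: the DNSMasq line "dhcp-option=wl0.1,6,192.168.1.1" hands guest clients the private-subnet address as their DNS server, and since that address is local to the router the traffic also arrives via INPUT rather than FORWARD; using 192.168.2.1 (the gateway already given in option 3) keeps the private subnet out of the guest configuration entirely. Finally, step 2 recommends WPA2 Personal while the note below it says this build only authenticates WEP after a reboot, which the same step calls insecure; the text should say plainly that on build 12533 the guest network cannot be protected as recommended, or point at a build where bug 003729 is fixed.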
Line 60: Line 116:
=== Use WPA/WPA2 Enterprise ===
=== Use WPA/WPA2 Enterprise ===
WPA Enterprise enhances security and is preferred over WPA because each client is authenticated separately. (Sharing a key is a security risk.) Practical authentication ([[wikipedia:RADIUS|RADIUS]]) solutions for small wireless networks include:
WPA Enterprise enhances security and is preferred over WPA because each client is authenticated separately. (Sharing a key is a security risk.) Practical authentication ([[wikipedia:RADIUS|RADIUS]]) solutions for small wireless networks include:
-
* [http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E ZyXEL G-2000 Plus] (wireless router with built-in PEAP server)
+
* '''RADIUS Service'''
 +
** [http://cloudessa.com/ Cloudessa] ''(free for up to 100 users)''
 +
* '''Wireless Router with built-in PEAP Server'''
 +
** [http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E ZyXEL G-2000 Plus]
== Secure a wireless network ==
== Secure a wireless network ==
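Review bot: the lead sentence "WPA Enterprise enhances security and is preferred over WPA" is ambiguous now that the heading reads "Use WPA/WPA2 Enterprise"; the parenthetical "(Sharing a key is a security risk.)" shows the comparison is with the pre-shared-key mode, so suggest "preferred over WPA/WPA2 Personal (PSK)". The new "RADIUS Service" entry (Cloudessa) is a hosted service reached over the Internet, unlike the router-with-built-in-PEAP-server entry, and a one-line note that the access point must be able to reach the service for clients to authenticate would help readers choose between the two categories.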
Line 66: Line 125:
''What'' to do:
''What'' to do:
-
# Change the [[wikipedia:Service set identifier|SSID]] to something truly unique (''e.g., ''instead of ''Linksys'', something like ''John Doe's private wireless'').
+
# Change the [[wikipedia:Service set identifier|SSID]] to something truly unique (''e.g., ''instead of ''linksys'' or ''NETGEAR'', something like ''John Doe's private wireless'').
-
# Use some form of [[wikipedia:Wi-Fi Protected Access|WPA security]] with a [[wikipedia:Passphrase#Passphrase selection|strong passphrase]]. ''(WEP is easily and quickly cracked.)''
+
# Use some form of [[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] with a [[wikipedia:Passphrase#Passphrase selection|strong passphrase]]. ''(WEP and WPA-TKIP are '''not''' secure.)''
# Use a [[wikipedia:Personal firewall|personal firewall]] (software firewall) on ''all'' networked computers (wired or wireless).
# Use a [[wikipedia:Personal firewall|personal firewall]] (software firewall) on ''all'' networked computers (wired or wireless).
# [[#Secure network shares|Secure ''all'' network shares]]
# [[#Secure network shares|Secure ''all'' network shares]]
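Review bot: the updated example SSID "John Doe's private wireless" ties the network to a named owner; since the point of step 1 is only that the name be unique (not "linksys" or "NETGEAR"), suggest an example that is unique without naming a person or location. Style: step 4 "Secure all network shares" is the only item in the list without a terminating period.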
Line 91: Line 150:
* '''[[Wi-Fi#Wireless Isolation|Wireless Isolation]]'''
* '''[[Wi-Fi#Wireless Isolation|Wireless Isolation]]'''
* [[Wikipedia:Hotspot (Wi-Fi)]]
* [[Wikipedia:Hotspot (Wi-Fi)]]
 +
* [[Wikipedia:Captive portal]]
'''Liability:'''
'''Liability:'''
Line 98: Line 158:
=== Hotspot hardware ===
=== Hotspot hardware ===
-
Products that provide "captive portal" or splash page functionality:
+
Products that provide "[[Wikipedia:Captive portal|captive portal]]" or splash page functionality:
* D-Link
* D-Link
Line 110: Line 170:
* [http://www.sonicwall.com/products/tz150_wireless.html SonicWALL TZ 150 Wireless]
* [http://www.sonicwall.com/products/tz150_wireless.html SonicWALL TZ 150 Wireless]
* [http://us.zyxel.com/products/model.php?indexcate=1028015363 ZyAIR B-4000 Turn-key Hotspot Gateway]
* [http://us.zyxel.com/products/model.php?indexcate=1028015363 ZyAIR B-4000 Turn-key Hotspot Gateway]
 +
 +
=== Hotspot firmware ===
 +
3rd-party firmware that provides "[[Wikipedia:Captive portal|captive portal]]" or splash page functionality:
 +
* [http://www.dd-wrt.com DD-WRT] supports:
 +
** [http://www.chillispot.info/ ChilliSpot]
 +
** [http://www.sputnik.com/ Sputnik]
 +
** [http://dev.wifidog.org/ WiFiDog]
=== Hotspot software ===
=== Hotspot software ===
-
Products that provide "captive portal" or splash page functionality:
+
Products that provide "[[Wikipedia:Captive portal|captive portal]]" or splash page functionality:
* [http://www.dnsredirector.com DNS Redirector] (Runs on Windows XP/2K/2K3 using any existing AP hardware)
* [http://www.dnsredirector.com DNS Redirector] (Runs on Windows XP/2K/2K3 using any existing AP hardware)
* [http://www.freeradius.org/ Free RADIUS] (open source [[wikipedia:RADIUS|RADIUS]] server)
* [http://www.freeradius.org/ Free RADIUS] (open source [[wikipedia:RADIUS|RADIUS]] server)
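Review bot: under "Hotspot software" the heading promises products that provide captive portal or splash page functionality, but the "Free RADIUS (open source RADIUS server)" item's own description says it is a RADIUS server, i.e. an authentication back end rather than a captive portal; suggest moving it to the RADIUS solutions list in the WPA/WPA2 Enterprise section, or saying which of the listed portal products it is meant to back (ChilliSpot and WiFiDog in the new "Hotspot firmware" section are the obvious candidates on this page). The linked domain freeradius.org also suggests the one-word spelling "FreeRADIUS".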
Line 239: Line 306:
** Standard [[wikipedia:Ethernet|Ethernet]] cable
** Standard [[wikipedia:Ethernet|Ethernet]] cable
** [[wikipedia:HomePlug Powerline Alliance|Powerline networking]]
** [[wikipedia:HomePlug Powerline Alliance|Powerline networking]]
 +
*** [http://www.actiontec.com/products/product.php?pid=48 Actiontec MegaPlug 85Mbps Powerline Ethernet Adapter Kit] (as low as $70 for the kit)
 +
*** [http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US/Layout&cid=1166859583396&pagename=Linksys/Common/VisitorWrapper Linksys PLK200 PowerLine AV Ethernet Adapter Kit] (as low as $120 for the kit)
** [[wikipedia:HomePNA|Phoneline networking]]
** [[wikipedia:HomePNA|Phoneline networking]]
** [[wikipedia:Multimedia over Coax Alliance|TV cable networking]] (Ethernet over coax)
** [[wikipedia:Multimedia over Coax Alliance|TV cable networking]] (Ethernet over coax)
Line 246: Line 315:
** Can be difficult to get working
** Can be difficult to get working
** Wireless throughput is cut in half
** Wireless throughput is cut in half
-
 
-
Check out www.thewifishop.net for a solution to this problem
 
== Configure a Wi-Fi client bridge ==
== Configure a Wi-Fi client bridge ==
Line 302: Line 369:
* See:
* See:
** ''[[Wi-Fi#Wireless Isolation|Wireless Isolation]]''
** ''[[Wi-Fi#Wireless Isolation|Wireless Isolation]]''
 +
** ''[[#Two wireless networks on one router|Two wireless networks on one router]]''
** ''[[#Setup a Hotspot|Setup a Hotspot]]''
** ''[[#Setup a Hotspot|Setup a Hotspot]]''
{{Tip|tiptext=Opening up your Internet to outsiders may violate your ISP's terms of service and can be a serious security risk.}}
{{Tip|tiptext=Opening up your Internet to outsiders may violate your ISP's terms of service and can be a serious security risk.}}
Line 311: Line 379:
* Run Cat-5 or better cable from one of wireless router's RJ45 ports around or (drilled) through the wall, and on the other side of the wall attach a wireless access point.
* Run Cat-5 or better cable from one of wireless router's RJ45 ports around or (drilled) through the wall, and on the other side of the wall attach a wireless access point.
* Use [[wikipedia:HomePlug Powerline Alliance|powerline]], [[wikipedia:HomePNA|phoneline]], or [[wikipedia:Multimedia over Coax Alliance|coax]] networking to attach a wireless access point on the other side of the wall, if any of these cables are available on both sides of the wall.
* Use [[wikipedia:HomePlug Powerline Alliance|powerline]], [[wikipedia:HomePNA|phoneline]], or [[wikipedia:Multimedia over Coax Alliance|coax]] networking to attach a wireless access point on the other side of the wall, if any of these cables are available on both sides of the wall.
 +
 +
== Block Wi-Fi signal ==
 +
[[wikipedia:Mobile phone jammer|Jamming]] isn't lawful (in the USA at least), but these methods are:
 +
* Paint with [[wikipedia:Radio frequency|RF]] shielding (e.g., [http://www.lessemf.com/paint.html Y-Shield], claimed attenuation of 40 dB per layer)
 +
* [http://www.baesystems.com/ProductsServices/ss_tes_atc_adv_mat_stealthy.html Stealthy wallpaper]
 +
* [http://www.tempestusa.com/DataStop.html RF shielding glass]
 +
 +
== Disable b Wi-Fi ==
 +
* Pro
 +
* Con
 +
* How
 +
{{TODO}}
== Roam seamlessly (using VPN) ==
== Roam seamlessly (using VPN) ==
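Review bot: the new "Disable b Wi-Fi" section is a bare "Pro / Con / How" skeleton with nothing but {{TODO}} under it; suggest either writing at least a sentence for each bullet or holding the section back until there is content, since an empty procedure in a How To page reads as broken. In "Block Wi-Fi signal", keep the word "claimed" next to the 40 dB per layer figure for the RF shielding paint, as it is the vendor's number and not a measurement from this page, and the same qualifier would be appropriate for the wallpaper and glass entries, which give no attenuation figure at all.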
Line 333: Line 413:
== Make a Wi-Fi enclosure ==
== Make a Wi-Fi enclosure ==
 +
{{TODO}}
 +
 +
== Hack Wi-Fi ==
{{TODO}}
{{TODO}}

Latest revision as of 21:55, 19 March 2013
