Wi-Fi How To

From Navas Wireless Wiki

(Two wireless networks on one router: edit)
m (Measure wireless network performance: update)
 
Line 16: Line 16:
* Internet speed testing (''e.g., ''[http://nitro.ucsc.edu/ NDT]) probably ''won't'' tell you anything about your wireless network performance (because wireless is normally faster than an Internet connection).
* Internet speed testing (''e.g., ''[http://nitro.ucsc.edu/ NDT]) probably ''won't'' tell you anything about your wireless network performance (because wireless is normally faster than an Internet connection).
* Instead, measure data transfer throughput between two computers on your network, using software tools such as:
* Instead, measure data transfer throughput between two computers on your network, using software tools such as:
-
** [http://dast.nlanr.net/Projects/Iperf/ Iperf]
+
** [http://iperf.sourceforge.net/ Iperf]
 +
** [http://code.google.com/p/xjperf/ Jperf]
** [http://freshmeat.net/projects/netio/ Netio]
** [http://freshmeat.net/projects/netio/ Netio]
* Wireless to ''wireless'' speed will probably be much less than wireless to ''wired'' speed, because ''only one wireless link in one direction can be active at any one time''.
* Wireless to ''wireless'' speed will probably be much less than wireless to ''wired'' speed, because ''only one wireless link in one direction can be active at any one time''.
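Review bot: the tool list names Iperf, Jperf and Netio but never says how a measurement is run, so a reader cannot reproduce the wireless-to-wired figure the last bullet depends on. Add one line stating that one host runs the server and the other the client, for example `iperf -s` on the wired machine and `iperf -c <wired-host-ip> -t 30` on the wireless one, so the wireless link is the only hop under test; and mark the Jperf entry as a GUI front-end for Iperf rather than a separate measurement tool, since listing it beside Iperf reads as if it were a third method.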
Line 52: Line 53:
:''Based on [http://www.wi-fiplanet.com/tutorials/article.php/10724_3714521_1 Implementing Inexpensive Multiple SSID Networks]<br>[Wi-Fi Planet.com Tutorial by Eric Geier, December, 2007]''
:''Based on [http://www.wi-fiplanet.com/tutorials/article.php/10724_3714521_1 Implementing Inexpensive Multiple SSID Networks]<br>[Wi-Fi Planet.com Tutorial by Eric Geier, December, 2007]''
-
Two separate wireless networks are a good way to isolate private and public (guest) network clients, where:
+
Two separate wireless networks are a good way to isolate private and public/guest network clients, where:
* ''Private'' network clients have access not only to the Internet, but also to each other (file and/or printer sharing), wired and wireless
* ''Private'' network clients have access not only to the Internet, but also to each other (file and/or printer sharing), wired and wireless
-
* ''Public'' (guest) network clients have access ''only'' to the Internet, ''not'' to each other (see [[Wi-Fi#Wireless Isolation|Wireless Isolation]]), and ''not'' to the private clients
+
* ''Public/guest'' network clients have access ''only'' to the Internet, ''not'' to each other (see [[Wi-Fi#Wireless Isolation|Wireless Isolation]]), and ''not'' to the private clients
While some wireless routers have this capability built-in (see [[Wi-Fi#Guest Account|Guest Account]]), it can also be done with [[wikipedia:Linksys WRT54G series#Third-party firmware projects|third party firmware]], which can provide additional functionality as well.  
While some wireless routers have this capability built-in (see [[Wi-Fi#Guest Account|Guest Account]]), it can also be done with [[wikipedia:Linksys WRT54G series#Third-party firmware projects|third party firmware]], which can provide additional functionality as well.  
-
The following procedure is for ''two separate wireless networks'' using [http://www.dd-wrt.com DD-WRT] (on [http://www.dd-wrt.com/dd-wrtv3/dd-wrt/hardware.html supported devices]) web interface (as of v24 preSP2 Beta build 12533).
+
The following procedure is for ''two separate wireless networks'' using [http://www.dd-wrt.com DD-WRT] (on [http://www.dd-wrt.com/dd-wrtv3/dd-wrt/hardware.html supported devices]) with the web browser interface (as of v24 preSP2 Beta build 12533).
For ''more than two'' separate wireless networks, consult the reference above.
For ''more than two'' separate wireless networks, consult the reference above.
-
# '''''Wireless &rarr; Basic Settings'''''
+
# '''Configure two wireless networks: ''Wireless &rarr; Basic Settings'''''
#*  ''Wireless Physical Interface '''wl0'''''
#*  ''Wireless Physical Interface '''wl0'''''
#** This will be the ''private'' wireless network
#** This will be the ''private'' wireless network
-
#** ''Recommendation'': Click ''Disable'' for ''Wireless Network Name (SSID)'' to avoid conflict with the visible public (guest) wireless network [see ''Overcoming Multiple SSID (Not BSSID) Connectivity Issues'' in the reference above]
+
#** ''Recommendation'': Click ''Disable'' for ''Wireless Network Name (SSID)'' broadcast to avoid conflict with the visible public/guest wireless network [see ''Overcoming Multiple SSID (Not BSSID) Connectivity Issues'' in the reference above]
#*  ''Virtual Interfaces''
#*  ''Virtual Interfaces''
-
#** Click ''Add'' to create the ''public'' (guest) wireless network, which will be<br>''Virtual Interfaces '''wl0.1'''''
+
#** Click ''Add'' to create the ''public/guest'' wireless network, which will be<br>''Virtual Interfaces '''wl0.1'''''
-
#** Enter a '''unique''' ''Wireless Network Name (SSID)'' (e.g., ''John's Guest Wireless'')
+
#** Enter a '''unique''' ''Wireless Network Name (SSID)'' (e.g., ''John Doe's Guest Wireless'')
-
#** Click ''Enable'' for ''AP Isolation''
+
#** Click ''Enable'' for ''AP Isolation'' (to isolate public/guest wireless clients from each other)
#** Click ''Unbridged'' for ''Network Configuration''
#** Click ''Unbridged'' for ''Network Configuration''
#** For ''IP Address'', enter a '''different [[wikipedia:Subnetwork|subnet]]''' from the private network (which is 192.168.<u>1</u>.1 by default):<br>192.168.<u>2</u>.1
#** For ''IP Address'', enter a '''different [[wikipedia:Subnetwork|subnet]]''' from the private network (which is 192.168.<u>1</u>.1 by default):<br>192.168.<u>2</u>.1
#** For ''Subnet Mask'', enter:<br>'''255.255.255.0'''
#** For ''Subnet Mask'', enter:<br>'''255.255.255.0'''
#* Click ''Save'' (and do '''not''' click ''Apply Settings'')
#* Click ''Save'' (and do '''not''' click ''Apply Settings'')
-
# '''''Wireless &rarr; Wireless Security'''''
+
# '''Configure wireless network security: ''Wireless &rarr; Wireless Security'''''
#* Enter desired security for each wireless network
#* Enter desired security for each wireless network
#* '''WPA2 Personal with a strong passphrase is recommended.''' (WEP and WPA-TKIP are '''not''' secure!)
#* '''WPA2 Personal with a strong passphrase is recommended.''' (WEP and WPA-TKIP are '''not''' secure!)
#* ''Note'': DD-WRT v24 preSP2 Beta build 12533 will ''not'' properly authenticate WPA Personal or WPA2 Personal after a reboot ([http://www.dd-wrt.com/dd-wrtv2/bugtracker/view.php?id=3729 bug 003729]), only WEP.
#* ''Note'': DD-WRT v24 preSP2 Beta build 12533 will ''not'' properly authenticate WPA Personal or WPA2 Personal after a reboot ([http://www.dd-wrt.com/dd-wrtv2/bugtracker/view.php?id=3729 bug 003729]), only WEP.
#* Click ''Save'' (and do '''not''' click ''Apply Settings'')
#* Click ''Save'' (and do '''not''' click ''Apply Settings'')
-
# '''''Services &rarr; Services &rarr; DNSMasq'''''
+
# '''Configure DHCP for public/guest wireless: ''Services &rarr; Services &rarr; DNSMasq'''''
#* In ''Additional DNSMasq Options'' enter:<code><br>&nbsp;&nbsp;&nbsp;interface=wl0.1<br>&nbsp;&nbsp;&nbsp;dhcp-option=wl0.1,3,192.168.2.1<br>&nbsp;&nbsp;&nbsp;dhcp-option=wl0.1,6,192.168.1.1<br>&nbsp;&nbsp;&nbsp;dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m</code>
#* In ''Additional DNSMasq Options'' enter:<code><br>&nbsp;&nbsp;&nbsp;interface=wl0.1<br>&nbsp;&nbsp;&nbsp;dhcp-option=wl0.1,3,192.168.2.1<br>&nbsp;&nbsp;&nbsp;dhcp-option=wl0.1,6,192.168.1.1<br>&nbsp;&nbsp;&nbsp;dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m</code>
#* Click ''Save'' (and do '''not''' click ''Apply Settings'')
#* Click ''Save'' (and do '''not''' click ''Apply Settings'')
-
# '''''Administration &rarr; Commands &rarr; Command Shell'''''
+
# '''Configure firewall to isolate public/guest from private: ''Administration &rarr; Commands &rarr; Command Shell'''''
:* Enter the ''Commands'':<code><br>&nbsp;&nbsp;&nbsp;iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept<br>&nbsp;&nbsp;&nbsp;iptables -I FORWARD -i wl0.1 -o br0 -j logdrop<br>&nbsp;&nbsp;&nbsp;iptables -I FORWARD -i br0 -o wl0.1 -j logdrop</code>
:* Enter the ''Commands'':<code><br>&nbsp;&nbsp;&nbsp;iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept<br>&nbsp;&nbsp;&nbsp;iptables -I FORWARD -i wl0.1 -o br0 -j logdrop<br>&nbsp;&nbsp;&nbsp;iptables -I FORWARD -i br0 -o wl0.1 -j logdrop</code>
:* Click ''Save Firewall''
:* Click ''Save Firewall''
-
:* Click the ''Management'' tab
+
:* Click the '''''Management''''' tab
:* Click ''Apply Settings'' (down at the bottom)
:* Click ''Apply Settings'' (down at the bottom)
 +
 +
== Isolate Two Networks ==
 +
[[Image:Isolated Networks.png|right|frame|Two Networks with Internet access that are isolated from each other]]
 +
Isolate two local networks from each other with both able to access the same Internet connection using low-cost routers:
 +
* Use three (3) routers (A, B, and C)
 +
* Connect network A to the wireless and/or LAN ports on router A
 +
* Connect network B to the wireless and/or LAN ports on router B
 +
* Connect router A and router B WAN (Internet) ports to LAN ports on router C
 +
* Connect the WAN (Internet) port on router C to the Internet
 +
Notes:
 +
* Routers A and B can be wired and/or wireless.
 +
* This method involves Double NAT, which can sometimes cause problems. (See [[wikipedia:Session Traversal Utilities for NAT|Session Traversal Utilities for NAT]])
 +
* The same effect can also be achieved with a single router that supports [[wikipedia:Virtual LAN|Virtual LAN]] (VLAN) without double NAT, although it may be less secure.
== WPA/WPA2 ==
== WPA/WPA2 ==
-
[[wikipedia:Wi-Fi Protected Access|WPA]] (Wi-Fi Protected Access) and [[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] are strongly preferred over [[wikipedia:Wired Equivalent Privacy|WEP]] (Wired Equivalent Privacy) because [[wikipedia:Wired Equivalent Privacy#Flaws|WEP can be easily cracked]]. There are two forms of WPA/WPA2: Personal or PSK (Pre-Shared Key), and Enterprise ([[wikipedia:RADIUS|RADIUS]] authentication).
+
'''[[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] is strongly preferred''', because
 +
* '''[[wikipedia:Wired Equivalent Privacy#Flaws|WEP can be easily cracked]]'''
 +
* '''[[wikipedia:Wi-Fi Protected Access#Weakness in TKIP|WPA-TKIP can now be cracked]]'''
 +
There are two forms of WPA/WPA2:
 +
* ''Personal'' or PSK (Pre-Shared Key)
 +
* ''Enterprise'' ([[wikipedia:RADIUS|RADIUS]] authentication)
=== Use WPA Personal with Windows 98/Me/2000 ===
=== Use WPA Personal with Windows 98/Me/2000 ===
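Review bot: the firewall step accepts every new connection from the guest interface into the router itself (`iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept`), so guest clients can reach the web interface, SSH, telnet and any other service the router exposes on 192.168.2.1 or 192.168.1.1; the two FORWARD rules only stop guest traffic from crossing into br0, not traffic addressed to the router. Limit INPUT from wl0.1 to what the DNSMasq step needs and drop the rest, for example `iptables -I INPUT -i wl0.1 -m state --state NEW -j logdrop` followed by `iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j logaccept` (add tcp/53 if large DNS answers matter); because `-I` prepends, enter the drop first so the accept lands above it. Two smaller points in the same hunk: `dhcp-option=wl0.1,6,192.168.1.1` hands guests the router's private-side address as their resolver, which works only because the router answers on all of its addresses and needlessly tells the guest network what the private subnet is, so use 192.168.2.1 there; and the Wireless Security step recommends WPA2 while the note beneath it says the very build the procedure targets (v24 preSP2 build 12533, bug 003729) only authenticates WEP after a reboot, which the page itself calls insecure, so the procedure should name a build where that bug is fixed rather than leave WEP as the working option.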
Line 97: Line 116:
=== Use WPA/WPA2 Enterprise ===
=== Use WPA/WPA2 Enterprise ===
WPA Enterprise enhances security and is preferred over WPA because each client is authenticated separately. (Sharing a key is a security risk.) Practical authentication ([[wikipedia:RADIUS|RADIUS]]) solutions for small wireless networks include:
WPA Enterprise enhances security and is preferred over WPA because each client is authenticated separately. (Sharing a key is a security risk.) Practical authentication ([[wikipedia:RADIUS|RADIUS]]) solutions for small wireless networks include:
-
* [http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E ZyXEL G-2000 Plus] (wireless router with built-in PEAP server)
+
* '''RADIUS Service'''
 +
** [http://cloudessa.com/ Cloudessa] ''(free for up to 100 users)''
 +
* '''Wireless Router with built-in PEAP Server'''
 +
** [http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E ZyXEL G-2000 Plus]
== Secure a wireless network ==
== Secure a wireless network ==
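Review bot: the opening sentence justifies Enterprise by per-client authentication, but neither the hosted RADIUS entry nor the built-in PEAP server entry says which EAP method to configure or that clients must be set to validate the RADIUS server's certificate; with PEAP, a client that skips that check will offer its credentials to any rogue AP announcing the same SSID, which loses the benefit the sentence claims. Add one line per option naming the EAP method it supports and the certificate-validation requirement, and for the hosted service note that logins depend on the Internet link being up, since the router must reach cloudessa.com for each authentication. Also, "preferred over WPA" in the first sentence should read "preferred over WPA/WPA2 Personal": the comparison is pre-shared key versus Enterprise, not WPA versus WPA2.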
Line 103: Line 125:
''What'' to do:
''What'' to do:
-
# Change the [[wikipedia:Service set identifier|SSID]] to something truly unique (''e.g., ''instead of ''Linksys'', something like ''John Doe's private wireless'').
+
# Change the [[wikipedia:Service set identifier|SSID]] to something truly unique (''e.g., ''instead of ''linksys'' or ''NETGEAR'', something like ''John Doe's private wireless'').
-
# Use some form of [[wikipedia:Wi-Fi Protected Access|WPA security]] with a [[wikipedia:Passphrase#Passphrase selection|strong passphrase]]. ''(WEP is easily and quickly cracked.)''
+
# Use some form of [[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] with a [[wikipedia:Passphrase#Passphrase selection|strong passphrase]]. ''(WEP and WPA-TKIP are '''not''' secure.)''
# Use a [[wikipedia:Personal firewall|personal firewall]] (software firewall) on ''all'' networked computers (wired or wireless).
# Use a [[wikipedia:Personal firewall|personal firewall]] (software firewall) on ''all'' networked computers (wired or wireless).
# [[#Secure network shares|Secure ''all'' network shares]]
# [[#Secure network shares|Secure ''all'' network shares]]
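Review bot: item 1 tells the reader to choose a "truly unique" SSID but not why, and its example ("John Doe's private wireless") ties the network to a person's name, which is the opposite of what you want broadcast to the street. State the reason: with WPA/WPA2 Personal the SSID is the salt in the passphrase-to-key derivation, so a default name such as linksys or NETGEAR lets an attacker reuse precomputed tables while a unique one forces the full per-network computation; then change the example to a name that identifies nothing about the owner. Item 2's move from "some form of WPA" to WPA2 is right, but it should name the cipher as well, WPA2 with AES (CCMP), because a router set to WPA2 with TKIP is exactly the case the parenthetical warns against.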
Line 357: Line 379:
* Run Cat-5 or better cable from one of wireless router's RJ45 ports around or (drilled) through the wall, and on the other side of the wall attach a wireless access point.
* Run Cat-5 or better cable from one of wireless router's RJ45 ports around or (drilled) through the wall, and on the other side of the wall attach a wireless access point.
* Use [[wikipedia:HomePlug Powerline Alliance|powerline]], [[wikipedia:HomePNA|phoneline]], or [[wikipedia:Multimedia over Coax Alliance|coax]] networking to attach a wireless access point on the other side of the wall, if any of these cables are available on both sides of the wall.
* Use [[wikipedia:HomePlug Powerline Alliance|powerline]], [[wikipedia:HomePNA|phoneline]], or [[wikipedia:Multimedia over Coax Alliance|coax]] networking to attach a wireless access point on the other side of the wall, if any of these cables are available on both sides of the wall.
 +
 +
== Block Wi-Fi signal ==
 +
[[wikipedia:Mobile phone jammer|Jamming]] isn't lawful (in the USA at least), but these methods are:
 +
* Paint with [[wikipedia:Radio frequency|RF]] shielding (e.g., [http://www.lessemf.com/paint.html Y-Shield], claimed attenuation of 40 dB per layer)
 +
* [http://www.baesystems.com/ProductsServices/ss_tes_atc_adv_mat_stealthy.html Stealthy wallpaper]
 +
* [http://www.tempestusa.com/DataStop.html RF shielding glass]
 +
 +
== Disable b Wi-Fi ==
 +
* Pro
 +
* Con
 +
* How
 +
{{TODO}}
== Roam seamlessly (using VPN) ==
== Roam seamlessly (using VPN) ==
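Review bot: the new "Disable b Wi-Fi" section is three empty bullets (Pro, Con, How) above a {{TODO}}, so it publishes a heading with nothing under it; either write the text or keep the section out of the article until it exists. In "Block Wi-Fi signal", the 40 dB figure is the vendor's claim and should stay labelled as such, and the list should add that shielding paint, wallpaper and glass only attenuate the surfaces they cover, so an untreated door, window or duct still carries the signal; without that caveat a reader may expect the paint alone to block Wi-Fi.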
Line 379: Line 413:
== Make a Wi-Fi enclosure ==
== Make a Wi-Fi enclosure ==
 +
{{TODO}}
 +
 +
== Hack Wi-Fi ==
{{TODO}}
{{TODO}}

Latest revision as of 21:55, 19 March 2013
