Wi-Fi How To
From Navas Wireless Wiki
(→Setup a hotspot: captive portal)
m (→Measure wireless network performance: update)
Line 16: | Line 16: | ||
* Internet speed testing (''e.g., ''[http://nitro.ucsc.edu/ NDT]) probably ''won't'' tell you anything about your wireless network performance (because wireless is normally faster than an Internet connection). | * Internet speed testing (''e.g., ''[http://nitro.ucsc.edu/ NDT]) probably ''won't'' tell you anything about your wireless network performance (because wireless is normally faster than an Internet connection). | ||
* Instead, measure data transfer throughput between two computers on your network, using software tools such as: | * Instead, measure data transfer throughput between two computers on your network, using software tools such as: | ||
- | ** [http:// | + | ** [http://iperf.sourceforge.net/ Iperf] |
+ | ** [http://code.google.com/p/xjperf/ Jperf] | ||
** [http://freshmeat.net/projects/netio/ Netio] | ** [http://freshmeat.net/projects/netio/ Netio] | ||
* Wireless to ''wireless'' speed will probably be much less than wireless to ''wired'' speed, because ''only one wireless link in one direction can be active at any one time''. | * Wireless to ''wireless'' speed will probably be much less than wireless to ''wired'' speed, because ''only one wireless link in one direction can be active at any one time''. | ||
Line 48: | Line 49: | ||
#* May need to use ''[[wikipedia:Ethernet crossover cable|crossover]]'' type cable. | #* May need to use ''[[wikipedia:Ethernet crossover cable|crossover]]'' type cable. | ||
# Disable any wireless-to-wired isolation feature. | # Disable any wireless-to-wired isolation feature. | ||
+ | |||
+ | == Two wireless networks on one router == | ||
+ | :''Based on [http://www.wi-fiplanet.com/tutorials/article.php/10724_3714521_1 Implementing Inexpensive Multiple SSID Networks]<br>[Wi-Fi Planet.com Tutorial by Eric Geier, December, 2007]'' | ||
+ | |||
+ | Two separate wireless networks are a good way to isolate private and public/guest network clients, where: | ||
+ | * ''Private'' network clients have access not only to the Internet, but also to each other (file and/or printer sharing), wired and wireless | ||
+ | * ''Public/guest'' network clients have access ''only'' to the Internet, ''not'' to each other (see [[Wi-Fi#Wireless Isolation|Wireless Isolation]]), and ''not'' to the private clients | ||
+ | |||
+ | While some wireless routers have this capability built-in (see [[Wi-Fi#Guest Account|Guest Account]]), it can also be done with [[wikipedia:Linksys WRT54G series#Third-party firmware projects|third party firmware]], which can provide additional functionality as well. | ||
+ | |||
+ | The following procedure is for ''two separate wireless networks'' using [http://www.dd-wrt.com DD-WRT] (on [http://www.dd-wrt.com/dd-wrtv3/dd-wrt/hardware.html supported devices]) with the web browser interface (as of v24 preSP2 Beta build 12533). | ||
+ | For ''more than two'' separate wireless networks, consult the reference above. | ||
+ | # '''Configure two wireless networks: ''Wireless → Basic Settings''''' | ||
+ | #* ''Wireless Physical Interface '''wl0''''' | ||
+ | #** This will be the ''private'' wireless network | ||
+ | #** ''Recommendation'': Click ''Disable'' for ''Wireless Network Name (SSID)'' broadcast to avoid conflict with the visible public/guest wireless network [see ''Overcoming Multiple SSID (Not BSSID) Connectivity Issues'' in the reference above] | ||
+ | #* ''Virtual Interfaces'' | ||
+ | #** Click ''Add'' to create the ''public/guest'' wireless network, which will be<br>''Virtual Interfaces '''wl0.1''''' | ||
+ | #** Enter a '''unique''' ''Wireless Network Name (SSID)'' (e.g., ''John Doe's Guest Wireless'') | ||
+ | #** Click ''Enable'' for ''AP Isolation'' (to isolate public/guest wireless clients from each other) | ||
+ | #** Click ''Unbridged'' for ''Network Configuration'' | ||
+ | #** For ''IP Address'', enter a '''different [[wikipedia:Subnetwork|subnet]]''' from the private network (which is 192.168.<u>1</u>.1 by default):<br>192.168.<u>2</u>.1 | ||
+ | #** For ''Subnet Mask'', enter:<br>'''255.255.255.0''' | ||
+ | #* Click ''Save'' (and do '''not''' click ''Apply Settings'') | ||
+ | # '''Configure wireless network security: ''Wireless → Wireless Security''''' | ||
+ | #* Enter desired security for each wireless network | ||
+ | #* '''WPA2 Personal with a strong passphrase is recommended.''' (WEP and WPA-TKIP are '''not''' secure!) | ||
+ | #* ''Note'': DD-WRT v24 preSP2 Beta build 12533 will ''not'' properly authenticate WPA Personal or WPA2 Personal after a reboot ([http://www.dd-wrt.com/dd-wrtv2/bugtracker/view.php?id=3729 bug 003729]), only WEP. | ||
+ | #* Click ''Save'' (and do '''not''' click ''Apply Settings'') | ||
+ | # '''Configure DHCP for public/guest wireless: ''Services → Services → DNSMasq''''' | ||
+ | #* In ''Additional DNSMasq Options'' enter:<code><br> interface=wl0.1<br> dhcp-option=wl0.1,3,192.168.2.1<br> dhcp-option=wl0.1,6,192.168.1.1<br> dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m</code> | ||
+ | #* Click ''Save'' (and do '''not''' click ''Apply Settings'') | ||
+ | # '''Configure firewall to isolate public/guest from private: ''Administration → Commands → Command Shell''''' | ||
+ | :* Enter the ''Commands'':<code><br> iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept<br> iptables -I FORWARD -i wl0.1 -o br0 -j logdrop<br> iptables -I FORWARD -i br0 -o wl0.1 -j logdrop</code> | ||
+ | :* Click ''Save Firewall'' | ||
+ | :* Click the '''''Management''''' tab | ||
+ | :* Click ''Apply Settings'' (down at the bottom) | ||
+ | |||
+ | == Isolate Two Networks == | ||
+ | [[Image:Isolated Networks.png|right|frame|Two Networks with Internet access that are isolated from each other]] | ||
+ | Isolate two local networks from each other with both able to access the same Internet connection using low-cost routers: | ||
+ | * Use three (3) routers (A, B, and C) | ||
+ | * Connect network A to the wireless and/or LAN ports on router A | ||
+ | * Connect network B to the wireless and/or LAN ports on router B | ||
+ | * Connect router A and router B WAN (Internet) ports to LAN ports on router C | ||
+ | * Connect the WAN (Internet) port on router C to the Internet | ||
+ | Notes: | ||
+ | * Routers A and B can be wired and/or wireless. | ||
+ | * This method involves Double NAT, which can sometimes cause problems. (See [[wikipedia:Session Traversal Utilities for NAT|Session Traversal Utilities for NAT]]) | ||
+ | * The same effect can also be achieved with a single router that supports [[wikipedia:Virtual LAN|Virtual LAN]] (VLAN) without double NAT, although it may be less secure. | ||
== WPA/WPA2 == | == WPA/WPA2 == | ||
- | + | '''[[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] is strongly preferred''', because | |
+ | * '''[[wikipedia:Wired Equivalent Privacy#Flaws|WEP can be easily cracked]]''' | ||
+ | * '''[[wikipedia:Wi-Fi Protected Access#Weakness in TKIP|WPA-TKIP can now be cracked]]''' | ||
+ | There are two forms of WPA/WPA2: | ||
+ | * ''Personal'' or PSK (Pre-Shared Key) | ||
+ | * ''Enterprise'' ([[wikipedia:RADIUS|RADIUS]] authentication) | ||
=== Use WPA Personal with Windows 98/Me/2000 === | === Use WPA Personal with Windows 98/Me/2000 === | ||
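Review bot: in step 4 (Administration → Commands), the rule `iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept` accepts every new connection from the guest interface to the router itself, not just the DHCP and DNS the guest network needs, so guest clients can reach the router's own listening services, including the web administration interface; restrict it to what is required, e.g. `iptables -I INPUT -i wl0.1 -p udp --dport 67 -j logaccept` and `iptables -I INPUT -i wl0.1 -p udp --dport 53 -j logaccept` (plus TCP 53 if you want large DNS answers), and let the default policy handle the rest. Two related points in the same hunk: the DNSMasq line `dhcp-option=wl0.1,6,192.168.1.1` hands guest clients the private-side router address as their DNS server, while 192.168.2.1 (the guest gateway set in step 1) would keep guest clients from ever referencing a private-subnet address; and the note on bug 003729 means that on build 12533 a network configured per this procedure only authenticates with WEP after a reboot, which the preceding line rightly calls insecure, so the text should direct readers to a build where the bug is fixed rather than leave that implied. Style: the step 4 sub-items use `:*` instead of `#*`, which breaks the numbered list the other steps use.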
Line 60: | Line 116: | ||
=== Use WPA/WPA2 Enterprise === | === Use WPA/WPA2 Enterprise === | ||
WPA Enterprise enhances security and is preferred over WPA because each client is authenticated separately. (Sharing a key is a security risk.) Practical authentication ([[wikipedia:RADIUS|RADIUS]]) solutions for small wireless networks include: | WPA Enterprise enhances security and is preferred over WPA because each client is authenticated separately. (Sharing a key is a security risk.) Practical authentication ([[wikipedia:RADIUS|RADIUS]]) solutions for small wireless networks include: | ||
- | * [http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E ZyXEL G-2000 Plus] | + | * '''RADIUS Service''' |
+ | ** [http://cloudessa.com/ Cloudessa] ''(free for up to 100 users)'' | ||
+ | * '''Wireless Router with built-in PEAP Server''' | ||
+ | ** [http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E ZyXEL G-2000 Plus] | ||
== Secure a wireless network == | == Secure a wireless network == | ||
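Review bot: the unchanged intro line says WPA Enterprise "is preferred over WPA", but with the Personal/Enterprise split now defined in the WPA/WPA2 section it should read "preferred over WPA/WPA2 Personal (PSK)", and "WPA Enterprise" should be "WPA/WPA2 Enterprise" to match the heading. For the new Cloudessa entry, it is worth stating that a hosted RADIUS service is reached over the Internet, so client authentication depends on the WAN link being up, unlike the router-embedded PEAP server listed below it.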
Line 66: | Line 125: | ||
''What'' to do: | ''What'' to do: | ||
- | # Change the [[wikipedia:Service set identifier|SSID]] to something truly unique (''e.g., ''instead of '' | + | # Change the [[wikipedia:Service set identifier|SSID]] to something truly unique (''e.g., ''instead of ''linksys'' or ''NETGEAR'', something like ''John Doe's private wireless''). |
- | # Use some form of [[wikipedia:Wi-Fi Protected Access| | + | # Use some form of [[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] with a [[wikipedia:Passphrase#Passphrase selection|strong passphrase]]. ''(WEP and WPA-TKIP are '''not''' secure.)'' |
# Use a [[wikipedia:Personal firewall|personal firewall]] (software firewall) on ''all'' networked computers (wired or wireless). | # Use a [[wikipedia:Personal firewall|personal firewall]] (software firewall) on ''all'' networked computers (wired or wireless). | ||
# [[#Secure network shares|Secure ''all'' network shares]] | # [[#Secure network shares|Secure ''all'' network shares]] | ||
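Review bot: step 1 gives no reason for a unique SSID; document that WPA/WPA2 Personal derives the pairwise master key from the passphrase together with the SSID, so a factory-default SSID such as linksys or NETGEAR lets an attacker reuse precomputed key tables against a captured handshake, whereas a unique SSID forces the work to be redone per network. The example "John Doe's private wireless" also shows that unique does not need to mean identifying: an SSID containing the owner's real name is broadcast to everyone in range, so suggest an example that is distinctive without naming the household.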
Line 111: | Line 170: | ||
* [http://www.sonicwall.com/products/tz150_wireless.html SonicWALL TZ 150 Wireless] | * [http://www.sonicwall.com/products/tz150_wireless.html SonicWALL TZ 150 Wireless] | ||
* [http://us.zyxel.com/products/model.php?indexcate=1028015363 ZyAIR B-4000 Turn-key Hotspot Gateway] | * [http://us.zyxel.com/products/model.php?indexcate=1028015363 ZyAIR B-4000 Turn-key Hotspot Gateway] | ||
+ | |||
+ | === Hotspot firmware === | ||
+ | 3rd-party firmware that provides "[[Wikipedia:Captive portal|captive portal]]" or splash page functionality: | ||
+ | * [http://www.dd-wrt.com DD-WRT] supports: | ||
+ | ** [http://www.chillispot.info/ ChilliSpot] | ||
+ | ** [http://www.sputnik.com/ Sputnik] | ||
+ | ** [http://dev.wifidog.org/ WiFiDog] | ||
=== Hotspot software === | === Hotspot software === | ||
- | Products that provide "captive portal" or splash page functionality: | + | Products that provide "[[Wikipedia:Captive portal|captive portal]]" or splash page functionality: |
* [http://www.dnsredirector.com DNS Redirector] (Runs on Windows XP/2K/2K3 using any existing AP hardware) | * [http://www.dnsredirector.com DNS Redirector] (Runs on Windows XP/2K/2K3 using any existing AP hardware) | ||
* [http://www.freeradius.org/ Free RADIUS] (open source [[wikipedia:RADIUS|RADIUS]] server) | * [http://www.freeradius.org/ Free RADIUS] (open source [[wikipedia:RADIUS|RADIUS]] server) | ||
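Review bot: Free RADIUS is listed under "Products that provide captive portal functionality", but it is an authentication back-end, not a captive portal; move it to the RADIUS Service list in the WPA/WPA2 Enterprise section, or keep it here labelled as the server that captive portals such as ChilliSpot (in the new Hotspot firmware list above) authenticate against.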
Line 240: | Line 306: | ||
** Standard [[wikipedia:Ethernet|Ethernet]] cable | ** Standard [[wikipedia:Ethernet|Ethernet]] cable | ||
** [[wikipedia:HomePlug Powerline Alliance|Powerline networking]] | ** [[wikipedia:HomePlug Powerline Alliance|Powerline networking]] | ||
+ | *** [http://www.actiontec.com/products/product.php?pid=48 Actiontec MegaPlug 85Mbps Powerline Ethernet Adapter Kit] (as low as $70 for the kit) | ||
+ | *** [http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US/Layout&cid=1166859583396&pagename=Linksys/Common/VisitorWrapper Linksys PLK200 PowerLine AV Ethernet Adapter Kit] (as low as $120 for the kit) | ||
** [[wikipedia:HomePNA|Phoneline networking]] | ** [[wikipedia:HomePNA|Phoneline networking]] | ||
** [[wikipedia:Multimedia over Coax Alliance|TV cable networking]] (Ethernet over coax) | ** [[wikipedia:Multimedia over Coax Alliance|TV cable networking]] (Ethernet over coax) | ||
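Review bot: the two new powerline kit entries give prices but no security note; powerline signals are not confined to one dwelling's wiring, and HomePlug adapters ship with a shared default network key, so add that the adapters' network password must be changed from the factory default before the link is treated as equivalent to a private Ethernet cable.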
Line 301: | Line 369: | ||
* See: | * See: | ||
** ''[[Wi-Fi#Wireless Isolation|Wireless Isolation]]'' | ** ''[[Wi-Fi#Wireless Isolation|Wireless Isolation]]'' | ||
+ | ** ''[[#Two wireless networks on one router|Two wireless networks on one router]]'' | ||
** ''[[#Setup a Hotspot|Setup a Hotspot]]'' | ** ''[[#Setup a Hotspot|Setup a Hotspot]]'' | ||
{{Tip|tiptext=Opening up your Internet to outsiders may violate your ISP's terms of service and can be a serious security risk.}} | {{Tip|tiptext=Opening up your Internet to outsiders may violate your ISP's terms of service and can be a serious security risk.}} | ||
Line 310: | Line 379: | ||
* Run Cat-5 or better cable from one of wireless router's RJ45 ports around or (drilled) through the wall, and on the other side of the wall attach a wireless access point. | * Run Cat-5 or better cable from one of wireless router's RJ45 ports around or (drilled) through the wall, and on the other side of the wall attach a wireless access point. | ||
* Use [[wikipedia:HomePlug Powerline Alliance|powerline]], [[wikipedia:HomePNA|phoneline]], or [[wikipedia:Multimedia over Coax Alliance|coax]] networking to attach a wireless access point on the other side of the wall, if any of these cables are available on both sides of the wall. | * Use [[wikipedia:HomePlug Powerline Alliance|powerline]], [[wikipedia:HomePNA|phoneline]], or [[wikipedia:Multimedia over Coax Alliance|coax]] networking to attach a wireless access point on the other side of the wall, if any of these cables are available on both sides of the wall. | ||
+ | |||
+ | == Block Wi-Fi signal == | ||
+ | [[wikipedia:Mobile phone jammer|Jamming]] isn't lawful (in the USA at least), but these methods are: | ||
+ | * Paint with [[wikipedia:Radio frequency|RF]] shielding (e.g., [http://www.lessemf.com/paint.html Y-Shield], claimed attenuation of 40 dB per layer) | ||
+ | * [http://www.baesystems.com/ProductsServices/ss_tes_atc_adv_mat_stealthy.html Stealthy wallpaper] | ||
+ | * [http://www.tempestusa.com/DataStop.html RF shielding glass] | ||
+ | |||
+ | == Disable b Wi-Fi == | ||
+ | * Pro | ||
+ | * Con | ||
+ | * How | ||
+ | {{TODO}} | ||
== Roam seamlessly (using VPN) == | == Roam seamlessly (using VPN) == | ||
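Review bot: the new "Disable b Wi-Fi" section is a placeholder (Pro / Con / How with no text plus {{TODO}}) and its heading is ambiguous; rename it "Disable 802.11b" and either fill in the rationale (mixed-mode overhead and the fact that 802.11b clients cannot use WPA2/AES on many devices) or leave it out of the published page until it has content. The "Block Wi-Fi signal" entries correctly mark the 40 dB figure as the vendor's claim.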
Line 332: | Line 413: | ||
== Make a Wi-Fi enclosure == | == Make a Wi-Fi enclosure == | ||
+ | {{TODO}} | ||
+ | |||
+ | == Hack Wi-Fi == | ||
{{TODO}} | {{TODO}} | ||
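Review bot: "Hack Wi-Fi" is added as an empty heading with only {{TODO}}; if the intent is testing the security of one's own network, say so in the heading (e.g. "Test your own Wi-Fi security") and cross-reference the Secure a wireless network section, rather than publishing an unscoped placeholder.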