Wi-Fi How To
From Navas Wireless Wiki
Revision comparison. Edit summaries: (→Two wireless networks on one router: add content) | m (→Measure wireless network performance: update)
Line 16: | Line 16: | ||
* Internet speed testing (''e.g., ''[http://nitro.ucsc.edu/ NDT]) probably ''won't'' tell you anything about your wireless network performance (because wireless is normally faster than an Internet connection). | * Internet speed testing (''e.g., ''[http://nitro.ucsc.edu/ NDT]) probably ''won't'' tell you anything about your wireless network performance (because wireless is normally faster than an Internet connection). | ||
* Instead, measure data transfer throughput between two computers on your network, using software tools such as: | * Instead, measure data transfer throughput between two computers on your network, using software tools such as: | ||
- | ** [http:// | + | ** [http://iperf.sourceforge.net/ Iperf] |
+ | ** [http://code.google.com/p/xjperf/ Jperf] | ||
** [http://freshmeat.net/projects/netio/ Netio] | ** [http://freshmeat.net/projects/netio/ Netio] | ||
* Wireless to ''wireless'' speed will probably be much less than wireless to ''wired'' speed, because ''only one wireless link in one direction can be active at any one time''. | * Wireless to ''wireless'' speed will probably be much less than wireless to ''wired'' speed, because ''only one wireless link in one direction can be active at any one time''. | ||
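Review bot: the new Jperf entry is a Java GUI front-end for Iperf rather than an independent measurement tool, so the list should say so (e.g. "Jperf (graphical front-end for Iperf)"); otherwise readers may treat Iperf and Jperf results as two independent confirmations of the same throughput. The corrected Iperf link and the half-duplex explanation on the last line of the hunk are fine as written.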
Line 52: | Line 53: | ||
:''Based on [http://www.wi-fiplanet.com/tutorials/article.php/10724_3714521_1 Implementing Inexpensive Multiple SSID Networks]<br>[Wi-Fi Planet.com Tutorial by Eric Geier, December, 2007]'' | :''Based on [http://www.wi-fiplanet.com/tutorials/article.php/10724_3714521_1 Implementing Inexpensive Multiple SSID Networks]<br>[Wi-Fi Planet.com Tutorial by Eric Geier, December, 2007]'' | ||
- | Two wireless networks are a good way to | + | Two separate wireless networks are a good way to isolate private and public/guest network clients, where: |
- | * ''Private'' clients have access not only to the Internet, but also to each other (file and/or printer sharing), wired and wireless | + | * ''Private'' network clients have access not only to the Internet, but also to each other (file and/or printer sharing), wired and wireless |
- | * ''Public'' | + | * ''Public/guest'' network clients have access ''only'' to the Internet, ''not'' to each other (see [[Wi-Fi#Wireless Isolation|Wireless Isolation]]), and ''not'' to the private clients |
- | While some wireless routers have this capability built-in (see [[Wi-Fi#Guest Account|Guest Account]]), it can also be done with [wikipedia: | + | While some wireless routers have this capability built-in (see [[Wi-Fi#Guest Account|Guest Account]]), it can also be done with [[wikipedia:Linksys WRT54G series#Third-party firmware projects|third party firmware]], which can provide additional functionality as well. |
- | # '''''Wireless → Basic Settings''''' | + | |
+ | The following procedure is for ''two separate wireless networks'' using [http://www.dd-wrt.com DD-WRT] (on [http://www.dd-wrt.com/dd-wrtv3/dd-wrt/hardware.html supported devices]) with the web browser interface (as of v24 preSP2 Beta build 12533). | ||
+ | For ''more than two'' separate wireless networks, consult the reference above. | ||
+ | # '''Configure two wireless networks: ''Wireless → Basic Settings''''' | ||
#* ''Wireless Physical Interface '''wl0''''' | #* ''Wireless Physical Interface '''wl0''''' | ||
- | #** | + | #** This will be the ''private'' wireless network |
- | #** ''Recommendation'': Click ''Disable'' for ''Wireless Network Name (SSID)'' to avoid conflict with the visible public | + | #** ''Recommendation'': Click ''Disable'' for ''Wireless Network Name (SSID)'' broadcast to avoid conflict with the visible public/guest wireless network [see ''Overcoming Multiple SSID (Not BSSID) Connectivity Issues'' in the reference above] |
#* ''Virtual Interfaces'' | #* ''Virtual Interfaces'' | ||
- | #** Click ''Add'' to create the ''public'' | + | #** Click ''Add'' to create the ''public/guest'' wireless network, which will be<br>''Virtual Interfaces '''wl0.1''''' |
- | #** Enter a '''unique''' ''Wireless Network Name (SSID)'' (e.g., ''John's Guest Wireless'') | + | #** Enter a '''unique''' ''Wireless Network Name (SSID)'' (e.g., ''John Doe's Guest Wireless'') |
- | #** Click ''Enable'' for ''AP Isolation'' | + | #** Click ''Enable'' for ''AP Isolation'' (to isolate public/guest wireless clients from each other) |
#** Click ''Unbridged'' for ''Network Configuration'' | #** Click ''Unbridged'' for ''Network Configuration'' | ||
- | #** For ''IP Address'', enter a '''different [[wikipedia:Subnetwork|subnet]]''' from the private network | + | #** For ''IP Address'', enter a '''different [[wikipedia:Subnetwork|subnet]]''' from the private network (which is 192.168.<u>1</u>.1 by default):<br>192.168.<u>2</u>.1 |
#** For ''Subnet Mask'', enter:<br>'''255.255.255.0''' | #** For ''Subnet Mask'', enter:<br>'''255.255.255.0''' | ||
#* Click ''Save'' (and do '''not''' click ''Apply Settings'') | #* Click ''Save'' (and do '''not''' click ''Apply Settings'') | ||
- | # '''''Wireless → Wireless Security''''' | + | # '''Configure wireless network security: ''Wireless → Wireless Security''''' |
#* Enter desired security for each wireless network | #* Enter desired security for each wireless network | ||
#* '''WPA2 Personal with a strong passphrase is recommended.''' (WEP and WPA-TKIP are '''not''' secure!) | #* '''WPA2 Personal with a strong passphrase is recommended.''' (WEP and WPA-TKIP are '''not''' secure!) | ||
#* ''Note'': DD-WRT v24 preSP2 Beta build 12533 will ''not'' properly authenticate WPA Personal or WPA2 Personal after a reboot ([http://www.dd-wrt.com/dd-wrtv2/bugtracker/view.php?id=3729 bug 003729]), only WEP. | #* ''Note'': DD-WRT v24 preSP2 Beta build 12533 will ''not'' properly authenticate WPA Personal or WPA2 Personal after a reboot ([http://www.dd-wrt.com/dd-wrtv2/bugtracker/view.php?id=3729 bug 003729]), only WEP. | ||
#* Click ''Save'' (and do '''not''' click ''Apply Settings'') | #* Click ''Save'' (and do '''not''' click ''Apply Settings'') | ||
- | # '''''Services → Services → DNSMasq''''' | + | # '''Configure DHCP for public/guest wireless: ''Services → Services → DNSMasq''''' |
#* In ''Additional DNSMasq Options'' enter:<code><br> interface=wl0.1<br> dhcp-option=wl0.1,3,192.168.2.1<br> dhcp-option=wl0.1,6,192.168.1.1<br> dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m</code> | #* In ''Additional DNSMasq Options'' enter:<code><br> interface=wl0.1<br> dhcp-option=wl0.1,3,192.168.2.1<br> dhcp-option=wl0.1,6,192.168.1.1<br> dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m</code> | ||
#* Click ''Save'' (and do '''not''' click ''Apply Settings'') | #* Click ''Save'' (and do '''not''' click ''Apply Settings'') | ||
- | # '''''Administration → Commands → Command Shell''''' | + | # '''Configure firewall to isolate public/guest from private: ''Administration → Commands → Command Shell''''' |
:* Enter the ''Commands'':<code><br> iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept<br> iptables -I FORWARD -i wl0.1 -o br0 -j logdrop<br> iptables -I FORWARD -i br0 -o wl0.1 -j logdrop</code> | :* Enter the ''Commands'':<code><br> iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept<br> iptables -I FORWARD -i wl0.1 -o br0 -j logdrop<br> iptables -I FORWARD -i br0 -o wl0.1 -j logdrop</code> | ||
:* Click ''Save Firewall'' | :* Click ''Save Firewall'' | ||
- | :* Click the ''Management'' tab | + | :* Click the '''''Management''''' tab |
:* Click ''Apply Settings'' (down at the bottom) | :* Click ''Apply Settings'' (down at the bottom) | ||
+ | |||
+ | == Isolate Two Networks == | ||
+ | [[Image:Isolated Networks.png|right|frame|Two Networks with Internet access that are isolated from each other]] | ||
+ | Isolate two local networks from each other with both able to access the same Internet connection using low-cost routers: | ||
+ | * Use three (3) routers (A, B, and C) | ||
+ | * Connect network A to the wireless and/or LAN ports on router A | ||
+ | * Connect network B to the wireless and/or LAN ports on router B | ||
+ | * Connect router A and router B WAN (Internet) ports to LAN ports on router C | ||
+ | * Connect the WAN (Internet) port on router C to the Internet | ||
+ | Notes: | ||
+ | * Routers A and B can be wired and/or wireless. | ||
+ | * This method involves Double NAT, which can sometimes cause problems. (See [[wikipedia:Session Traversal Utilities for NAT|Session Traversal Utilities for NAT]]) | ||
+ | * The same effect can also be achieved with a single router that supports [[wikipedia:Virtual LAN|Virtual LAN]] (VLAN) without double NAT, although it may be less secure. | ||
== WPA/WPA2 == | == WPA/WPA2 == | ||
- | + | '''[[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] is strongly preferred''', because | |
+ | * '''[[wikipedia:Wired Equivalent Privacy#Flaws|WEP can be easily cracked]]''' | ||
+ | * '''[[wikipedia:Wi-Fi Protected Access#Weakness in TKIP|WPA-TKIP can now be cracked]]''' | ||
+ | There are two forms of WPA/WPA2: | ||
+ | * ''Personal'' or PSK (Pre-Shared Key) | ||
+ | * ''Enterprise'' ([[wikipedia:RADIUS|RADIUS]] authentication) | ||
=== Use WPA Personal with Windows 98/Me/2000 === | === Use WPA Personal with Windows 98/Me/2000 === | ||
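Review bot: the first firewall rule in the Command Shell step, `iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept`, accepts every new connection from the guest interface to the router itself, so guest clients can still reach the router's own services (the web administration interface, and SSH or telnet if enabled) even though the two FORWARD rules keep them away from private clients. Restrict INPUT from wl0.1 to what guests actually need from the router, DHCP and DNS, and drop the rest; because `-I` inserts at the top of the chain, enter the drop first so the accepts land above it, e.g. `iptables -I INPUT -i wl0.1 -j logdrop`, then `iptables -I INPUT -i wl0.1 -p udp --dport 67 -j logaccept`, then `iptables -I INPUT -i wl0.1 -p udp --dport 53 -j logaccept` (add a tcp 53 rule if large DNS answers are expected). In the DNSMasq step, `dhcp-option=wl0.1,6,192.168.1.1` hands guests the router's private-LAN address as their DNS server; lookups still work because traffic to the router's own address is handled by INPUT, not FORWARD, but pointing option 6 at 192.168.2.1 keeps guests from ever addressing the private subnet. The bug 003729 note in the Wireless Security step means that on build 12533 only WEP authenticates after a reboot, which the same step declares not secure, so either name a build where the bug is fixed or state plainly that WEP is not an acceptable fallback. Finally, the last note of the Isolate Two Networks section says the VLAN approach "may be less secure" without saying why; give the reason or drop the qualifier.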
Line 94: | Line 116: | ||
=== Use WPA/WPA2 Enterprise === | === Use WPA/WPA2 Enterprise === | ||
WPA Enterprise enhances security and is preferred over WPA because each client is authenticated separately. (Sharing a key is a security risk.) Practical authentication ([[wikipedia:RADIUS|RADIUS]]) solutions for small wireless networks include: | WPA Enterprise enhances security and is preferred over WPA because each client is authenticated separately. (Sharing a key is a security risk.) Practical authentication ([[wikipedia:RADIUS|RADIUS]]) solutions for small wireless networks include: | ||
- | * [http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E ZyXEL G-2000 Plus] | + | * '''RADIUS Service''' |
+ | ** [http://cloudessa.com/ Cloudessa] ''(free for up to 100 users)'' | ||
+ | * '''Wireless Router with built-in PEAP Server''' | ||
+ | ** [http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=1FD9B843-06BE-448D-B770-5383D40CD32E ZyXEL G-2000 Plus] | ||
== Secure a wireless network == | == Secure a wireless network == | ||
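Review bot: the sentence still says WPA Enterprise "is preferred over WPA", while the heading and the rest of the page recommend WPA2; say WPA2 Enterprise here so the mode and the cipher advice agree. The new "RADIUS Service" and "built-in PEAP Server" entries also need one line on the client side: with PEAP the supplicant must be configured to validate the RADIUS server's certificate and expected server name, otherwise a client will present its credentials to any access point announcing the same SSID, which undoes the per-client authentication benefit the first sentence claims.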
Line 100: | Line 125: | ||
''What'' to do: | ''What'' to do: | ||
- | # Change the [[wikipedia:Service set identifier|SSID]] to something truly unique (''e.g., ''instead of '' | + | # Change the [[wikipedia:Service set identifier|SSID]] to something truly unique (''e.g., ''instead of ''linksys'' or ''NETGEAR'', something like ''John Doe's private wireless''). |
- | # Use some form of [[wikipedia:Wi-Fi Protected Access| | + | # Use some form of [[wikipedia:Wi-Fi Protected Access#WPA2|WPA2]] with a [[wikipedia:Passphrase#Passphrase selection|strong passphrase]]. ''(WEP and WPA-TKIP are '''not''' secure.)'' |
# Use a [[wikipedia:Personal firewall|personal firewall]] (software firewall) on ''all'' networked computers (wired or wireless). | # Use a [[wikipedia:Personal firewall|personal firewall]] (software firewall) on ''all'' networked computers (wired or wireless). | ||
# [[#Secure network shares|Secure ''all'' network shares]] | # [[#Secure network shares|Secure ''all'' network shares]] | ||
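Review bot: step 1 states the goal (a "truly unique" SSID) but not the reason, and the example embeds the owner's name. The reason is that WPA/WPA2 Personal derives the pairwise master key from the passphrase using the SSID as the salt, so a default SSID such as linksys or NETGEAR allows precomputed tables to be reused against the network; any unique string defeats that, and it does not have to identify the owner, so an example that does not reveal who lives at the address serves both the security and the privacy point.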
Line 354: | Line 379: | ||
* Run Cat-5 or better cable from one of wireless router's RJ45 ports around or (drilled) through the wall, and on the other side of the wall attach a wireless access point. | * Run Cat-5 or better cable from one of wireless router's RJ45 ports around or (drilled) through the wall, and on the other side of the wall attach a wireless access point. | ||
* Use [[wikipedia:HomePlug Powerline Alliance|powerline]], [[wikipedia:HomePNA|phoneline]], or [[wikipedia:Multimedia over Coax Alliance|coax]] networking to attach a wireless access point on the other side of the wall, if any of these cables are available on both sides of the wall. | * Use [[wikipedia:HomePlug Powerline Alliance|powerline]], [[wikipedia:HomePNA|phoneline]], or [[wikipedia:Multimedia over Coax Alliance|coax]] networking to attach a wireless access point on the other side of the wall, if any of these cables are available on both sides of the wall. | ||
+ | |||
+ | == Block Wi-Fi signal == | ||
+ | [[wikipedia:Mobile phone jammer|Jamming]] isn't lawful (in the USA at least), but these methods are: | ||
+ | * Paint with [[wikipedia:Radio frequency|RF]] shielding (e.g., [http://www.lessemf.com/paint.html Y-Shield], claimed attenuation of 40 dB per layer) | ||
+ | * [http://www.baesystems.com/ProductsServices/ss_tes_atc_adv_mat_stealthy.html Stealthy wallpaper] | ||
+ | * [http://www.tempestusa.com/DataStop.html RF shielding glass] | ||
+ | |||
+ | == Disable b Wi-Fi == | ||
+ | * Pro | ||
+ | * Con | ||
+ | * How | ||
+ | {{TODO}} | ||
== Roam seamlessly (using VPN) == | == Roam seamlessly (using VPN) == | ||
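Review bot: the new "Disable b Wi-Fi" section is three empty bullets (Pro, Con, How) above a {{TODO}}; either write the bullets or collapse them into the {{TODO}} until there is content, since empty list items render as if text is missing. The "Block Wi-Fi signal" items are fine, though the attenuation figure should stay labelled as the vendor's claim if the link text is ever shortened.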
Line 376: | Line 413: | ||
== Make a Wi-Fi enclosure == | == Make a Wi-Fi enclosure == | ||
+ | {{TODO}} | ||
+ | |||
+ | == Hack Wi-Fi == | ||
{{TODO}} | {{TODO}} | ||
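Review bot: "Hack Wi-Fi" is added as a bare {{TODO}} heading; before it is filled in, define its scope so it fits the rest of this how-to, which takes the network owner's side (for example, testing and auditing the security of your own network), and cross-reference the "Secure a wireless network" section so the two do not drift apart.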