SSID Broadcasts

I installed a WAP54G (current firmware) today to accompany my WRT54GS
(current firmware). The setup works without a hitch so far. A decent setup
for a somewhat large house.

I read on a few Websites that advised disabling SSID broadcasts on the AP
and router. When I disabled the broadcasts it knocked my AP out of the
loop, but my connection at the farthest most PC quickly switched, although
weakly, to the main router.

I realize a determined hacker is going to find my network anyway, but I
wanted to at least put up some semblance of a stumbling block. It looks
like the router and the access point behave differently. Does anyone have
any experience with this? Any advice?

Thanks.

"The Rejuvenated Techie" <(E-Mail Removed)> wrote in message
news:4611659c$0$19411$(E-Mail Removed)...
>I installed a WAP54G (current firmware) today to accompany my WRT54GS
>(current firmware). The setup works without a hitch so far. A
>decent setup for a somewhat large house.
>
> I read on a few Websites that advised disabling SSID broadcasts on
> the AP and router. When I disabled the broadcasts it knocked my AP
> out of the loop, but my connection at the farthest most PC quickly
> switched, although weakly, to the main router.
>
> I realize a determined hacker is going to find my network anyway,
> but I wanted to at least put up some semblance of a stumbling block.
> It looks like the router and the access point behave differently.
> Does anyone have any experience with this? Any advice?
>
> Thanks.
>

The consensus on this newsgroup is that disabling SSID is a bad idea.
It does
very little for security and causes the type of problems your having.
Turn it back on.

On Mon, 2 Apr 2007 16:16:38 -0400, "The Rejuvenated Techie"
<(E-Mail Removed)> wrote in
<4611659c$0$19411$(E-Mail Removed)>:

>I installed a WAP54G (current firmware) today to accompany my WRT54GS
>(current firmware). The setup works without a hitch so far. A decent setup
>for a somewhat large house.
>
>I read on a few Websites that advised disabling SSID broadcasts on the AP
>and router. When I disabled the broadcasts it knocked my AP out of the
>loop, but my connection at the farthest most PC quickly switched, although
>weakly, to the main router.
>
>I realize a determined hacker is going to find my network anyway, but I
>wanted to at least put up some semblance of a stumbling block. It looks
>like the router and the access point behave differently. Does anyone have
>any experience with this? Any advice?

Turn SSID back on. Bad advice. Hiding SSID doesn't really hide it
except in a uselessly superficial way, and just causes problems.

(MAC filtering is likewise a bad idea.)

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_How_To>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

On Mon, 2 Apr 2007 16:16:38 -0400, "The Rejuvenated Techie"
<(E-Mail Removed)> wrote:

>I installed a WAP54G (current firmware) today to accompany my WRT54GS
>(current firmware). The setup works without a hitch so far. A decent setup
>for a somewhat large house.

Incidentally, current firmware really means that you're too lazy to
find the numbers or that you don't want to be told that you're out of
date. Assumption, the mother of all screwups. In this case it
doesn't really matter, but please avoid such assumptions in the
future.

I assume that the WAP54G is setup as a repeater. Is this correct?

>I read on a few Websites that advised disabling SSID broadcasts on the AP
>and router. When I disabled the broadcasts it knocked my AP out of the
>loop, but my connection at the farthest most PC quickly switched, although
>weakly, to the main router.

Yep. when the WAP54G tries to repeat the SSID of the WRT54G to the
client, and there's nothing there, the client will not be able to
connect. Thanks for reminding me of another reason why I hate
repeaters. You might find my rant on the subject interesting:
<http://groups.google.com/group/alt.internet.wireless/msg/bf2b30cf583a3703>

>I realize a determined hacker is going to find my network anyway, but I
>wanted to at least put up some semblance of a stumbling block. It looks
>like the router and the access point behave differently. Does anyone have
>any experience with this? Any advice?

Sorry, no real experience with SSID hiding and repeaters. I consider
repeaters and most mesh networks an abomination (or worse).

Security by obscurity is a bad idea. The obstacle course slows
hackers down, but often creates side effects. You're seeing just one
of them. The other problem is that hiding the SSID makes it easier
for the neighbors to accidentally land on your system. Any script
kiddie with a Live CD containing Kismet will find your system anyway.
MAC spoofing is just some sniffing followed by a registry tweak or
ifconfig incantation. I could do it blindfolded.

I noticed that you didn't bother to mention what manner of encryption
you're using. Most repeaters will not handle WPA-PSK or WPA2-PSK,
which is required for decent security. The DLink DWL-G710AP and
DWL-G800AP claim that they can use WPA as repeaters, but I couldn't
make it work on the latter when I tried. That leaves WEP encryption
which will work through a repeater, but is easily sniffed, and the WEP
key recovered given sufficient traffic. In short, if you're trying to
use SSID hiding and MAC filtering as a substitute for adequate
encryption, you don't really have any security.

Reading between the line, what you're apparently trying to do is
extend the coverage of the WRT54G. If too many walls in the house
prevent adequate coverage, you can try various aftermarket antennas.
Another solution is a 2nd wireless access point (or use your WAP54G as
an access point) with CAT5 between the two boxes. If running CAT5 is
undesireable, then you can use power line, phone line, CATV coax, or
fiber optic connectivity.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

"Jeff Liebermann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 2 Apr 2007 16:16:38 -0400, "The Rejuvenated Techie"
> <(E-Mail Removed)> wrote:
>
>>I installed a WAP54G (current firmware) today to accompany my WRT54GS
>>(current firmware). The setup works without a hitch so far. A decent
>>setup
>>for a somewhat large house.
>
> Incidentally, current firmware really means that you're too lazy to
> find the numbers or that you don't want to be told that you're out of
> date. Assumption, the mother of all screwups. In this case it
> doesn't really matter, but please avoid such assumptions in the
> future.
>
> I assume that the WAP54G is setup as a repeater. Is this correct?

Firmware revision 1.52.0 on the WRT54GS and firmware revision 3.04 on the
WAP54G. The WAP54G is connected to the WRT54GS via CAT-5 cable strung
through the attic. Works perfect. I am using it as an access point.
Repeaters suck.


> Yep. when the WAP54G tries to repeat the SSID of the WRT54G to the
> client, and there's nothing there, the client will not be able to
> connect. Thanks for reminding me of another reason why I hate
> repeaters. You might find my rant on the subject interesting:
> <http://groups.google.com/group/alt.internet.wireless/msg/bf2b30cf583a3703>

You live and you learn. Thanks for the verification.

> I noticed that you didn't bother to mention what manner of encryption
> you're using.

WPA-Personal with TKIP encryption.

> Reading between the line, what you're apparently trying to do is
> extend the coverage of the WRT54G. If too many walls in the house
> prevent adequate coverage, you can try various aftermarket antennas.
> Another solution is a 2nd wireless access point (or use your WAP54G as
> an access point) with CAT5 between the two boxes. If running CAT5 is
> undesireable, then you can use power line, phone line, CATV coax, or
> fiber optic connectivity.

I've got the house completely covered now.

Incidentally, what are your thoughts on third-party firmware for these two
products?

Thanks.

Jeff Liebermann <(E-Mail Removed)> wrote:

<snip>

>Most repeaters will not handle WPA-PSK or WPA2-PSK, which is required for
>decent security. The DLink DWL-G710AP and DWL-G800AP claim that they can
>use WPA as repeaters, but I couldn't make it work on the latter when I tried.

The DWL-G710 is sold as a repeater.

The DWL-G700AP is sold as an access point, but also has repeater mode
(with F/W 2.1 EU, as of March 2006) and can be configured to handle
WPA-PSK. The one I have works OK as a repeater with a TEW-510APB.

On Mon, 2 Apr 2007 18:57:51 -0400, "The Rejuvenated Techie"
<(E-Mail Removed)> wrote:

>> I assume that the WAP54G is setup as a repeater. Is this correct?
>
>Firmware revision 1.52.0 on the WRT54GS and firmware revision 3.04 on the
>WAP54G.

Thanks. In the future, also include the hardware versions of these
devices. They can be deduced from the version numbers, but it's
easier if you supply them. They're on the serial number label.

WRT54GS firmware version 1.52.0 belongs to hardware mutation v5, v5.1
or v6. Is that correct? (It makes a difference if you're going to
use alternative firmware).

WAP54G v3.04 the same for any hardware mutation (v1, 1.1, 2.0, 3.0,
3.1). Sorry, I can't guess this one.

Both are the latest according to the Linksys web pile.

>The WAP54G is connected to the WRT54GS via CAT-5 cable strung
>through the attic. Works perfect. I am using it as an access point.
>Repeaters suck.

Agreed. Repeaters are awful and you're doing it the right way. I
would NOT have used a WAP54G for the purpose. It has limited RAM,
limited features, and is MORE expensive than a wireless router. Any
wireless router can be used as an access point by simply disabling the
DHCP server, setting the IP to not duplicate the main router, and not
connecting anything to the WAN/Internet port.

>You live and you learn. Thanks for the verification.

Oh, it's far worse than what I listed. I'm watching a local wireless
mesh network turn into a wireless mess network. The real problem is
that they scale badly. That's not a problem with a single home
repeater, but rapidly becomes an issue on even slightly larger
systems.

>> I noticed that you didn't bother to mention what manner of encryption
>> you're using.
>
>WPA-Personal with TKIP encryption.

Perfect. When I assumed you were using the WAP54G as a repeater, I
also assumed that you were using WEP. Sorry.

>Incidentally, what are your thoughts on third-party firmware for these two
>products?

Prior to about a year ago, I as using the stock firmware in all my
installations. I had tried the alternatives and they offered little
benifit at the expense of substantial hacking and flakiness.

Eventually, the various alternative firmware distributions stabilized
and became quite impressive and reliable. These days, my coffee shop,
hotel, public access, and many home installations use alternative
firmware. For the coffee shops, I preferred EWRT, which seems to have
ceased development. For everything else, I use DD-WRT v23 SP2. For
example:
<https://home.LearnByDestroying.com:8080>
Just having the per-user signal strength is worth the effort. I also
use SNMP and RFLOW traffic monitoring.

The problem you're going to have is that the WRT54GS v5 and v6 are
both seriously lacking in useful RAM to impliment alternative
firmware. They only have 2MBytes of RAM, while earlier versions had
4MB or 8MB. It can be done, but it's a tight fit. See:
<http://dd-wrt.com/wiki/index.php/Linksys_WRT54G/GL/GS/GX>
<http://dd-wrt.com/wiki/index.php/Version_5_And_6_Router_Information>
<http://dd-wrt.com/wiki/index.php/Flash_your_WRT54G_or_WRT54GS_v5_series_%28v5%2C_v5 .1%2C_v6%29>
However, the WRT54GS v5 actually has 16MB of RAM and can be easily
enabled:
<http://dd-wrt.com/wiki/index.php/Enable_16MB_RAM_on_WRT54GS_v5>

Alternative firmware for the WAP54G is problematic.
<http://wiki.openwrt.org/WAP54GHowto>
It's possible, but I managed to "brick" a WRT54G v3.1 every time when
I tried it. I gave up. Maybe you'll have better luck.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

"Jeff Liebermann" <(E-Mail Removed)> wrote in message
> Agreed. Repeaters are awful and you're doing it the right way. I
> would NOT have used a WAP54G for the purpose. It has limited RAM,
> limited features, and is MORE expensive than a wireless router. Any
> wireless router can be used as an access point by simply disabling the
> DHCP server, setting the IP to not duplicate the main router, and not
> connecting anything to the WAN/Internet port.

I've bought and returned so much stuff to Office Depot to get this right, I
think I'm going to stop making their heads spin for a while. This setup has
me pretty happy.

I'm concerned about security. I see that LinkSys sells a "software version"
of Radius that they consider more secure than Radius itself. Have you any
experience with this, or do you stop at WPA-Personal?

Thanks.

On Mon, 2 Apr 2007 20:39:57 -0400, "The Rejuvenated Techie"
<(E-Mail Removed)> wrote:

>I'm concerned about security. I see that LinkSys sells a "software version"
>of Radius that they consider more secure than Radius itself. Have you any
>experience with this, or do you stop at WPA-Personal?

http://www.Linksys.com/wirelessguard/

RADIUS is software. It's just 802.1x authentication. No hardware
required or involved. You can use either a local RADIUS server or one
on the internet for authentication. The problem with both is that if
your link to the RADIUS server goes down, you have no way to
authenticate and your wireless goes down with it. The solution is to
have a few key accounts duplicated inside the router configuration.
Unfortunately, not every router has this feature. The way DD-WRT
handles this is a setting on the Wireless-RADIUS page offering:
[ ] Override Radius if server is unavailable
I'm not thrilled with this kludge, but it does work.

The main advantage to RADIUS authentication is that it is used to
create the WPA session encryption key. The key is pure random
rubbish, is unique for each user, and different for each session.
There is no public shared key (PSK) which can be stolen or possibly
sniffed. Actually, it's easier to just extract and decrypt the WPA
key from the Windoze registry than to sniff and decrypt. With a
RADIUS server assigned key, there's nothing to steal and sniffing only
gets you a temporary key for one user.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

The Rejuvenated Techie wrote:
> I installed a WAP54G (current firmware) today to accompany my WRT54GS
> (current firmware). The setup works without a hitch so far. A decent
> setup for a somewhat large house.
>
> I read on a few Websites that advised disabling SSID broadcasts on the
> AP and router. When I disabled the broadcasts it knocked my AP out of
> the loop, but my connection at the farthest most PC quickly switched,
> although weakly, to the main router.
>
> I realize a determined hacker is going to find my network anyway, but I
> wanted to at least put up some semblance of a stumbling block. It looks
> like the router and the access point behave differently. Does anyone
> have any experience with this? Any advice?
>
> Thanks.
>
Hmmm,
Just wondering, how big is your place?