WEP and MAC Filter

Hello! 20 June 2008

We have a DIR-300 wireless router, on which I have enabled a WEP key for the
SSID, and also the MAC filter to allow only specific adaptors to access the
network.
I however find that the MAC filter appears to be inactive, as wireless
adaptors that have the WEP key entered can access the lan without their mac
addresses entered into the router.
Is access given to (the WEP key entered OR the mac address is on the router);
meaning either one of them is sufficient to access the router?

Mohan

--
Message posted via http://www.hwkb.com

bnmohan via HWKB.com wrote:

> Hello! 20 June 2008
>
> We have a DIR-300 wireless router, on which I have enabled a WEP key for the
> SSID, and also the MAC filter to allow only specific adaptors to access the
> network.
> I however find that the MAC filter appears to be inactive, as wireless
> adaptors that have the WEP key entered can access the lan without their mac
> addresses entered into the router.
> Is access given to (the WEP key entered OR the mac address is on the router);
> meaning either one of them is sufficient to access the router?
>
> Mohan
>

My Linksys WRT54Gv2 does it right: the WPA (or WEP) key must match AND the
MAC address must match (if Permit Only is selected) for the PC to access
the 'net.

Sounds like the DIR-300 has a bug or (just maybe) you did not correctly
set up the MAC filter; double-check your settings.
--
Cheers, Bob

Thanks!

Now my schedule for Saturday is ready!

Mohan

Bob Willard wrote:
>> Hello! 20 June 2008
>>
>[quoted text clipped - 8 lines]
>>
>> Mohan
>
>My Linksys WRT54Gv2 does it right: the WPA (or WEP) key must match AND the
>MAC address must match (if Permit Only is selected) for the PC to access
>the 'net.
>
>Sounds like the DIR-300 has a bug or (just maybe) you did not correctly
>set up the MAC filter; double-check your settings.

--
Message posted via HWKB.com
http://www.hwkb.com/Uwe/Forums.aspx/...eless/200806/1

> and also the MAC filter to allow only specific adaptors to access the
> network.

This is a useless feature. All it take for someone to overcome a MAC filter
is to make a text change in the network card setup to use a different MAC.

Worse, when an interace dies (or a USB dongle gets lost) it then requires
the hassle of adding the new MAC.

<My Linksys WRT54Gv2 does it right: the WPA (or WEP) key must match AND the
<MAC address must match (if Permit Only is selected) for the PC to access
<the 'net.
<
<Sounds like the DIR-300 has a bug or (just maybe) you did not correctly
<set up the MAC filter; double-check your settings.
<
< Signature
<
<
<Cheers, Bob

Could it be because the DHCP server is enabled, and the incoming wireless
adaptors were on get dynamic IP when I try to connect them to the router?
I am not sure of the sequence to be followed: I set the wifi adaptor IP to my
local lan; remove 802/11b authentication, connect to the router. I am never
sure in what order I do the three. It ends up at 'validating identity' most
of the time. Sometimes it connects; but the lan is not available ( because
the router is on one subnet and the lan on another). I go to the router and
enter the MAC address. When I retry, it still fails, and I find the 802/11b
auth has come back, or the new IP is gone :-(. I remove the auth, put back
the IP, and the thing connects. I am not sure if the 802 auth had come back
earlier, and the connection would have been made if the auth was removed,
without entering the MAC on the router.

Sorry, all that appears quite incoherent even to me!

Mohan
I would be happy if someone could point out the correct sequence to be
followed.

--
Message posted via HWKB.com
http://www.hwkb.com/Uwe/Forums.aspx/...eless/200806/1

bnmohan via HWKB.com wrote:

> Hello! 20 June 2008
>
> We have a DIR-300 wireless router, on which I have enabled a WEP key for
> the SSID, and also the MAC filter to allow only specific adaptors to
> access the network.
> I however find that the MAC filter appears to be inactive, as wireless
> adaptors that have the WEP key entered can access the lan without their
> mac addresses entered into the router.
> Is access given to (the WEP key entered OR the mac address is on the
> router); meaning either one of them is sufficient to access the router?
>
> Mohan
>

Hello,

Yes, they connect but they do not pass through to the network.

If you have the right hardware, you should use a strong WEP key such as 256
or 512 bits encryption. If not, a good long (rolling your head all over the
keyboard) WPA or WPA2 key is the way to go.

Ciao @+

bnmohan via HWKB.com wrote:
> <My Linksys WRT54Gv2 does it right: the WPA (or WEP) key must match AND the
> <MAC address must match (if Permit Only is selected) for the PC to access
> <the 'net.
> <
> <Sounds like the DIR-300 has a bug or (just maybe) you did not correctly
> <set up the MAC filter; double-check your settings.
> <
> < Signature
> <
> <
> <Cheers, Bob
>
> Could it be because the DHCP server is enabled, and the incoming wireless
> adaptors were on get dynamic IP when I try to connect them to the router?
> I am not sure of the sequence to be followed: I set the wifi adaptor IP to my
> local lan; remove 802/11b authentication, connect to the router. I am never
> sure in what order I do the three. It ends up at 'validating identity' most
> of the time. Sometimes it connects; but the lan is not available ( because
> the router is on one subnet and the lan on another). I go to the router and
> enter the MAC address. When I retry, it still fails, and I find the 802/11b
> auth has come back, or the new IP is gone :-(. I remove the auth, put back
> the IP, and the thing connects. I am not sure if the 802 auth had come back
> earlier, and the connection would have been made if the auth was removed,
> without entering the MAC on the router.
>
> Sorry, all that appears quite incoherent even to me!
>
> Mohan
> I would be happy if someone could point out the correct sequence to be
> followed.
>

From your confusing description, I can't tell how you have connected the
router into your environment. For a normal SOHO application, the WAN port
would be cabled to the cable/DSL modem, the 1-4 wired PCs would be
cabled to the 1-4 LAN ports, and the wireless PCs would be channeled
via 802.11G/802.11B to the radio end of the router; normally, all wired
and wireless PCs would be on the same LAN subnet, and all would access to
the 'net via the router's WAN port. Is this what you have, or want?

I don't know what you mean by "802/11b authentication". 802.11B is a
protocol and signalling mechanism used by some wireless nodes, just as
is 802.11G. Neither 802.11B nor 802.11G specify authentication. FWIW,
if all of your PCs are new enough to support 802.11G, I suggest disabling
802.11B in the router, since pure 802.11G will give better performance.

To simplify your LAN while troubleshooting, I suggest not using MAC filtering.
After everything works, you can turn MAC filtering ON and ALLOW only those
PCs that you want to access your LAN (and/or your pipe to the WAN). Note
that MAC filtering offers rather limited security, and probably is not
worth the effort. To secure the wireless segment of your LAN, use WPA2
or WPA or (at least) WEP; pick the best (WPA2 if possible) method that all
of your wireless PCs can use. For a new network, I suggest getting it
all working without wireless encryption, then turning on encryption in the
router and one wireless PC, then in each other wireless PC; it is easy to
screw up when trying to enter the same passphrase into the router and the
PCs, so do it one PC at a time and expect to do it over a few times (until
the difference between password and passphrase becomes clear).

As for DHCP, I would use it across the board from day one. It is very easy
to set up, in the router and in wired and wireless PCs, and it is pretty
robust. If you have problems and want to experiment, you can use DHCP on
some PCs but not others: with the DHCP server set to its normal range of
192.168.0.x (100 < x < 150), you can manually enter an IPA which is in the
same subnet but outside of the DHCP range (e.g., IPA=192.168.0.55 with a
mask of 255.255.255.0); how you assign that IPA to a PC depends on the
OS and the specific device driver for that PC.
--
Cheers, Bob

The router is connected to the LAN via one of the 1-4 lan ports. There is no
wan connection to the router. Machines with wifi adaptors connect to the lan
via the router radio connection. Others are (obviously) wired.
Re authentication: Network Neighbourhood Properties->wireless networks tab-
>Select Network->Authentication Tab.

Cheers,

Mohan

Bob Willard wrote:
>> <My Linksys WRT54Gv2 does it right: the WPA (or WEP) key must match AND the
>> <MAC address must match (if Permit Only is selected) for the PC to access
>[quoted text clipped - 26 lines]
>> I would be happy if someone could point out the correct sequence to be
>> followed.
>
> From your confusing description, I can't tell how you have connected the
>router into your environment. For a normal SOHO application, the WAN port
>would be cabled to the cable/DSL modem, the 1-4 wired PCs would be
>cabled to the 1-4 LAN ports, and the wireless PCs would be channeled
>via 802.11G/802.11B to the radio end of the router; normally, all wired
>and wireless PCs would be on the same LAN subnet, and all would access to
>the 'net via the router's WAN port. Is this what you have, or want?
>
>I don't know what you mean by "802/11b authentication". 802.11B is a
>protocol and signalling mechanism used by some wireless nodes, just as
>is 802.11G. Neither 802.11B nor 802.11G specify authentication. FWIW,
>if all of your PCs are new enough to support 802.11G, I suggest disabling
>802.11B in the router, since pure 802.11G will give better performance.
>
>To simplify your LAN while troubleshooting, I suggest not using MAC filtering.
>After everything works, you can turn MAC filtering ON and ALLOW only those
>PCs that you want to access your LAN (and/or your pipe to the WAN). Note
>that MAC filtering offers rather limited security, and probably is not
>worth the effort. To secure the wireless segment of your LAN, use WPA2
>or WPA or (at least) WEP; pick the best (WPA2 if possible) method that all
>of your wireless PCs can use. For a new network, I suggest getting it
>all working without wireless encryption, then turning on encryption in the
>router and one wireless PC, then in each other wireless PC; it is easy to
>screw up when trying to enter the same passphrase into the router and the
>PCs, so do it one PC at a time and expect to do it over a few times (until
>the difference between password and passphrase becomes clear).
>
>As for DHCP, I would use it across the board from day one. It is very easy
>to set up, in the router and in wired and wireless PCs, and it is pretty
>robust. If you have problems and want to experiment, you can use DHCP on
>some PCs but not others: with the DHCP server set to its normal range of
>192.168.0.x (100 < x < 150), you can manually enter an IPA which is in the
>same subnet but outside of the DHCP range (e.g., IPA=192.168.0.55 with a
>mask of 255.255.255.0); how you assign that IPA to a PC depends on the
>OS and the specific device driver for that PC.

--
Message posted via HWKB.com
http://www.hwkb.com/Uwe/Forums.aspx/...eless/200806/1

bnmohan via HWKB.com wrote:

> The router is connected to the LAN via one of the 1-4 lan ports. There is no
> wan connection to the router. Machines with wifi adaptors connect to the lan
> via the router radio connection. Others are (obviously) wired.
> Re authentication: Network Neighbourhood Properties->wireless networks tab-
>
>>Select Network->Authentication Tab.
>
>
> Cheers,
>
> Mohan
>
> Bob Willard wrote:
>
>>><My Linksys WRT54Gv2 does it right: the WPA (or WEP) key must match AND the
>>><MAC address must match (if Permit Only is selected) for the PC to access
>>
>>[quoted text clipped - 26 lines]
>>
>>>I would be happy if someone could point out the correct sequence to be
>>>followed.
>>
>>From your confusing description, I can't tell how you have connected the
>>router into your environment. For a normal SOHO application, the WAN port
>>would be cabled to the cable/DSL modem, the 1-4 wired PCs would be
>>cabled to the 1-4 LAN ports, and the wireless PCs would be channeled
>>via 802.11G/802.11B to the radio end of the router; normally, all wired
>>and wireless PCs would be on the same LAN subnet, and all would access to
>>the 'net via the router's WAN port. Is this what you have, or want?
>>
>>I don't know what you mean by "802/11b authentication". 802.11B is a
>>protocol and signalling mechanism used by some wireless nodes, just as
>>is 802.11G. Neither 802.11B nor 802.11G specify authentication. FWIW,
>>if all of your PCs are new enough to support 802.11G, I suggest disabling
>>802.11B in the router, since pure 802.11G will give better performance.
>>
>>To simplify your LAN while troubleshooting, I suggest not using MAC filtering.
>>After everything works, you can turn MAC filtering ON and ALLOW only those
>>PCs that you want to access your LAN (and/or your pipe to the WAN). Note
>>that MAC filtering offers rather limited security, and probably is not
>>worth the effort. To secure the wireless segment of your LAN, use WPA2
>>or WPA or (at least) WEP; pick the best (WPA2 if possible) method that all
>>of your wireless PCs can use. For a new network, I suggest getting it
>>all working without wireless encryption, then turning on encryption in the
>>router and one wireless PC, then in each other wireless PC; it is easy to
>>screw up when trying to enter the same passphrase into the router and the
>>PCs, so do it one PC at a time and expect to do it over a few times (until
>>the difference between password and passphrase becomes clear).
>>
>>As for DHCP, I would use it across the board from day one. It is very easy
>>to set up, in the router and in wired and wireless PCs, and it is pretty
>>robust. If you have problems and want to experiment, you can use DHCP on
>>some PCs but not others: with the DHCP server set to its normal range of
>>192.168.0.x (100 < x < 150), you can manually enter an IPA which is in the
>>same subnet but outside of the DHCP range (e.g., IPA=192.168.0.55 with a
>>mask of 255.255.255.0); how you assign that IPA to a PC depends on the
>>OS and the specific device driver for that PC.
>
>

If the router is the DHCP server for the entire LAN, then I suggest that
you let it also assign IPAs for the wireless PCs. If there is another
DHCP server in the LAN, then you should disable the router's DHCP server
(and assign static IPAs for your wireless PCs if you need to). In most
SOHOs, you should avoid having more than one DHCP server in a LAN, since
that may cause invisible nodes (due to multiple subnets).

But how you assign IPAs (dynamic or static) should have no impact on the
encryption method for wireless nodes, or FWIW on MAC filtering.
--
Cheers, Bob

"Bill Kearney" <(E-Mail Removed)> wrote in message
news:HI6dndtr-t-(E-Mail Removed)...
>> and also the MAC filter to allow only specific adaptors to access the
>> network.
>
> This is a useless feature. All it take for someone to overcome a MAC
> filter is to make a text change in the network card setup to use a
> different MAC.
>
> Worse, when an interace dies (or a USB dongle gets lost) it then requires
> the hassle of adding the new MAC.
>

Well.... a would be intruder would at least have to know what MAC to change
his NIC to.