#1
04-02-2007, 09:16 PM
The Rejuvenated Techie
SSID Broadcasts

I installed a WAP54G (current firmware) today to accompany my WRT54GS
(current firmware). The setup works without a hitch so far. A decent setup
for a somewhat large house.

I read on a few Websites that advised disabling SSID broadcasts on the AP
and router. When I disabled the broadcasts it knocked my AP out of the
loop, but my connection at the farthest most PC quickly switched, although
weakly, to the main router.

I realize a determined hacker is going to find my network anyway, but I
wanted to at least put up some semblance of a stumbling block. It looks
like the router and the access point behave differently. Does anyone have
any experience with this? Any advice?

Thanks.


#2
04-02-2007, 09:36 PM
pen
Re: SSID Broadcasts

"The Rejuvenated Techie" <nevertell@anon.com> wrote in message
news:4611659c$0$19411$4c368faf@roadrunner.com...
>I installed a WAP54G (current firmware) today to accompany my WRT54GS
>(current firmware). The setup works without a hitch so far. A
>decent setup for a somewhat large house.
>
> I read on a few Websites that advised disabling SSID broadcasts on
> the AP and router. When I disabled the broadcasts it knocked my AP
> out of the loop, but my connection at the farthest most PC quickly
> switched, although weakly, to the main router.
>
> I realize a determined hacker is going to find my network anyway,
> but I wanted to at least put up some semblance of a stumbling block.
> It looks like the router and the access point behave differently.
> Does anyone have any experience with this? Any advice?
>
> Thanks.
>


The consensus on this newsgroup is that disabling SSID is a bad idea.
It does very little for security and causes the type of problems you're
having. Turn it back on.


#3
04-02-2007, 09:51 PM
John Navas
Re: SSID Broadcasts

On Mon, 2 Apr 2007 16:16:38 -0400, "The Rejuvenated Techie"
<nevertell@anon.com> wrote in
<4611659c$0$19411$4c368faf@roadrunner.com>:

>I installed a WAP54G (current firmware) today to accompany my WRT54GS
>(current firmware). The setup works without a hitch so far. A decent setup
>for a somewhat large house.
>
>I read on a few Websites that advised disabling SSID broadcasts on the AP
>and router. When I disabled the broadcasts it knocked my AP out of the
>loop, but my connection at the farthest most PC quickly switched, although
>weakly, to the main router.
>
>I realize a determined hacker is going to find my network anyway, but I
>wanted to at least put up some semblance of a stumbling block. It looks
>like the router and the access point behave differently. Does anyone have
>any experience with this? Any advice?


Turn SSID back on. Bad advice. Hiding SSID doesn't really hide it
except in a uselessly superficial way, and just causes problems.

(MAC filtering is likewise a bad idea.)

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_How_To>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
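
Why hiding is only superficial, as an added example that is not part of the original posts: suppressing the SSID blanks it in beacons only, while probe and association frames still carry it in clear. The frames, MAC addresses and the SSID `homenet` below are constructed for illustration.

```python
import struct

# 802.11 management subtype -> (name, length of fixed fields before the IEs)
MGMT = {
    0: ("assoc-req", 4),    # capability + listen interval
    4: ("probe-req", 0),
    5: ("probe-resp", 12),  # timestamp + beacon interval + capability
    8: ("beacon", 12),
}

def build_frame(subtype, ssid, sa, bssid, da=b"\xff" * 6):
    """Build a minimal management frame (constructed sample, no FCS)."""
    fc = struct.pack("<BB", subtype << 4, 0)           # type 0 = management
    hdr = fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    fixed = b"\x00" * MGMT[subtype][1]
    ssid_ie = bytes([0, len(ssid)]) + ssid             # element ID 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates
    return hdr + fixed + ssid_ie + rates_ie

def parse_ssid(frame):
    """Return (frame_name, ssid); ssid is None when blanked or wildcard."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in MGMT:
        raise ValueError("not a supported management frame")
    name, fixed_len = MGMT[subtype]
    pos = 24 + fixed_len
    while pos + 2 <= len(frame):                       # walk the information elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            raise ValueError("truncated information element")
        if eid == 0:
            # "Hidden" beacons carry a zero-length or all-NUL SSID element
            if elen == 0 or not body.strip(b"\x00"):
                return name, None
            return name, body.decode("utf-8", "replace")
        pos += 2 + elen
    return name, None

AP = bytes.fromhex("02000000aa01")    # constructed, locally administered MACs
STA = bytes.fromhex("02000000bb02")
SAMPLE = [
    build_frame(8, b"", AP, AP),                   # AP beacon, broadcast disabled
    build_frame(4, b"homenet", STA, b"\xff" * 6),  # client looking for its network
    build_frame(5, b"homenet", AP, AP, da=STA),    # AP answering that client
    build_frame(0, b"homenet", STA, AP, da=AP),    # client joining
]

def exposure(frames):
    """List which frame types still reveal the network name."""
    return [parse_ssid(f) for f in frames]

if __name__ == "__main__":
    for name, ssid in exposure(SAMPLE):
        print(f"{name:10s} SSID={'<blank>' if ssid is None else ssid}")
```

Only the beacon comes back blank; every frame a legitimate client exchanges to find and join the network names it.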

#4
04-02-2007, 11:25 PM
Jeff Liebermann
Re: SSID Broadcasts

On Mon, 2 Apr 2007 16:16:38 -0400, "The Rejuvenated Techie"
<nevertell@anon.com> wrote:

>I installed a WAP54G (current firmware) today to accompany my WRT54GS
>(current firmware). The setup works without a hitch so far. A decent setup
>for a somewhat large house.


Incidentally, current firmware really means that you're too lazy to
find the numbers or that you don't want to be told that you're out of
date. Assumption, the mother of all screwups. In this case it
doesn't really matter, but please avoid such assumptions in the
future.

I assume that the WAP54G is set up as a repeater. Is this correct?

>I read on a few Websites that advised disabling SSID broadcasts on the AP
>and router. When I disabled the broadcasts it knocked my AP out of the
>loop, but my connection at the farthest most PC quickly switched, although
>weakly, to the main router.


Yep. When the WAP54G tries to repeat the SSID of the WRT54G to the
client, and there's nothing there, the client will not be able to
connect. Thanks for reminding me of another reason why I hate
repeaters. You might find my rant on the subject interesting:
<http://groups.google.com/group/alt.internet.wireless/msg/bf2b30cf583a3703>

>I realize a determined hacker is going to find my network anyway, but I
>wanted to at least put up some semblance of a stumbling block. It looks
>like the router and the access point behave differently. Does anyone have
>any experience with this? Any advice?


Sorry, no real experience with SSID hiding and repeaters. I consider
repeaters and most mesh networks an abomination (or worse).

Security by obscurity is a bad idea. The obstacle course slows
hackers down, but often creates side effects. You're seeing just one
of them. The other problem is that hiding the SSID makes it easier
for the neighbors to accidentally land on your system. Any script
kiddie with a Live CD containing Kismet will find your system anyway.
MAC spoofing is just some sniffing followed by a registry tweak or
ifconfig incantation. I could do it blindfolded.

I noticed that you didn't bother to mention what manner of encryption
you're using. Most repeaters will not handle WPA-PSK or WPA2-PSK,
which is required for decent security. The DLink DWL-G710AP and
DWL-G800AP claim that they can use WPA as repeaters, but I couldn't
make it work on the latter when I tried. That leaves WEP encryption
which will work through a repeater, but is easily sniffed, and the WEP
key recovered given sufficient traffic. In short, if you're trying to
use SSID hiding and MAC filtering as a substitute for adequate
encryption, you don't really have any security.

Reading between the lines, what you're apparently trying to do is
extend the coverage of the WRT54G. If too many walls in the house
prevent adequate coverage, you can try various aftermarket antennas.
Another solution is a 2nd wireless access point (or use your WAP54G as
an access point) with CAT5 between the two boxes. If running CAT5 is
undesirable, then you can use power line, phone line, CATV coax, or
fiber optic connectivity.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

#5
04-02-2007, 11:57 PM
The Rejuvenated Techie
Re: SSID Broadcasts

"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
news:mpv213hse71fksa0cf86hdac426jurotqq@4ax.com...
> On Mon, 2 Apr 2007 16:16:38 -0400, "The Rejuvenated Techie"
> <nevertell@anon.com> wrote:
>
>>I installed a WAP54G (current firmware) today to accompany my WRT54GS
>>(current firmware). The setup works without a hitch so far. A decent
>>setup
>>for a somewhat large house.

>
> Incidentally, current firmware really means that you're too lazy to
> find the numbers or that you don't want to be told that you're out of
> date. Assumption, the mother of all screwups. In this case it
> doesn't really matter, but please avoid such assumptions in the
> future.
>
> I assume that the WAP54G is setup as a repeater. Is this correct?


Firmware revision 1.52.0 on the WRT54GS and firmware revision 3.04 on the
WAP54G. The WAP54G is connected to the WRT54GS via CAT-5 cable strung
through the attic. Works perfect. I am using it as an access point.
Repeaters suck.


> Yep. when the WAP54G tries to repeat the SSID of the WRT54G to the
> client, and there's nothing there, the client will not be able to
> connect. Thanks for reminding me of another reason why I hate
> repeaters. You might find my rant on the subject interesting:
> <http://groups.google.com/group/alt.internet.wireless/msg/bf2b30cf583a3703>


You live and you learn. Thanks for the verification.

> I noticed that you didn't bother to mention what manner of encryption
> you're using.


WPA-Personal with TKIP encryption.

> Reading between the line, what you're apparently trying to do is
> extend the coverage of the WRT54G. If too many walls in the house
> prevent adequate coverage, you can try various aftermarket antennas.
> Another solution is a 2nd wireless access point (or use your WAP54G as
> an access point) with CAT5 between the two boxes. If running CAT5 is
> undesireable, then you can use power line, phone line, CATV coax, or
> fiber optic connectivity.


I've got the house completely covered now.

Incidentally, what are your thoughts on third-party firmware for these two
products?

Thanks.


#6
04-03-2007, 01:02 AM
Axel Hammerschmidt
Re: SSID Broadcasts

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:

<snip>

>Most repeaters will not handle WPA-PSK or WPA2-PSK, which is required for
>decent security. The DLink DWL-G710AP and DWL-G800AP claim that they can
>use WPA as repeaters, but I couldn't make it work on the latter when I tried.


The DWL-G710 is sold as a repeater.

The DWL-G700AP is sold as an access point, but also has repeater mode
(with F/W 2.1 EU, as of March 2006) and can be configured to handle
WPA-PSK. The one I have works OK as a repeater with a TEW-510APB.

#7
04-03-2007, 01:12 AM
Jeff Liebermann
Re: SSID Broadcasts

On Mon, 2 Apr 2007 18:57:51 -0400, "The Rejuvenated Techie"
<nevertell@anon.com> wrote:

>> I assume that the WAP54G is setup as a repeater. Is this correct?

>
>Firmware revision 1.52.0 on the WRT54GS and firmware revision 3.04 on the
>WAP54G.


Thanks. In the future, also include the hardware versions of these
devices. They can be deduced from the version numbers, but it's
easier if you supply them. They're on the serial number label.

WRT54GS firmware version 1.52.0 belongs to hardware mutation v5, v5.1
or v6. Is that correct? (It makes a difference if you're going to
use alternative firmware).

WAP54G v3.04 is the same for any hardware mutation (v1, 1.1, 2.0, 3.0,
3.1). Sorry, I can't guess this one.

Both are the latest according to the Linksys web pile.

>The WAP54G is connected to the WRT54GS via CAT-5 cable strung
>through the attic. Works perfect. I am using it as an access point.
>Repeaters suck.


Agreed. Repeaters are awful and you're doing it the right way. I
would NOT have used a WAP54G for the purpose. It has limited RAM,
limited features, and is MORE expensive than a wireless router. Any
wireless router can be used as an access point by simply disabling the
DHCP server, setting the IP to not duplicate the main router, and not
connecting anything to the WAN/Internet port.

>You live and you learn. Thanks for the verification.


Oh, it's far worse than what I listed. I'm watching a local wireless
mesh network turn into a wireless mess network. The real problem is
that they scale badly. That's not a problem with a single home
repeater, but rapidly becomes an issue on even slightly larger
systems.

>> I noticed that you didn't bother to mention what manner of encryption
>> you're using.

>
>WPA-Personal with TKIP encryption.


Perfect. When I assumed you were using the WAP54G as a repeater, I
also assumed that you were using WEP. Sorry.

>Incidentally, what are your thoughts on third-party firmware for these two
>products?


Prior to about a year ago, I was using the stock firmware in all my
installations. I had tried the alternatives and they offered little
benefit at the expense of substantial hacking and flakiness.

Eventually, the various alternative firmware distributions stabilized
and became quite impressive and reliable. These days, my coffee shop,
hotel, public access, and many home installations use alternative
firmware. For the coffee shops, I preferred EWRT, which seems to have
ceased development. For everything else, I use DD-WRT v23 SP2. For
example:
<https://home.LearnByDestroying.com:8080>
Just having the per-user signal strength is worth the effort. I also
use SNMP and RFLOW traffic monitoring.

The problem you're going to have is that the WRT54GS v5 and v6 are
both seriously lacking in useful RAM to implement alternative
firmware. They only have 2MBytes of RAM, while earlier versions had
4MB or 8MB. It can be done, but it's a tight fit. See:
<http://dd-wrt.com/wiki/index.php/Linksys_WRT54G/GL/GS/GX>
<http://dd-wrt.com/wiki/index.php/Version_5_And_6_Router_Information>
<http://dd-wrt.com/wiki/index.php/Flash_your_WRT54G_or_WRT54GS_v5_series_%28v5%2C_v5.1%2C_v6%29>
However, the WRT54GS v5 actually has 16MB of RAM and can be easily
enabled:
<http://dd-wrt.com/wiki/index.php/Enable_16MB_RAM_on_WRT54GS_v5>

Alternative firmware for the WAP54G is problematic.
<http://wiki.openwrt.org/WAP54GHowto>
It's possible, but I managed to "brick" a WRT54G v3.1 every time when
I tried it. I gave up. Maybe you'll have better luck.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

#8
04-03-2007, 01:39 AM
The Rejuvenated Techie
Re: SSID Broadcasts

"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
> Agreed. Repeaters are awful and you're doing it the right way. I
> would NOT have used a WAP54G for the purpose. It has limited RAM,
> limited features, and is MORE expensive than a wireless router. Any
> wireless router can be used as an access point by simply disabling the
> DHCP server, setting the IP to not duplicate the main router, and not
> connecting anything to the WAN/Internet port.


I've bought and returned so much stuff to Office Depot to get this right, I
think I'm going to stop making their heads spin for a while. This setup has
me pretty happy.

I'm concerned about security. I see that LinkSys sells a "software version"
of Radius that they consider more secure than Radius itself. Have you any
experience with this, or do you stop at WPA-Personal?

Thanks.


#9
04-03-2007, 06:23 AM
Jeff Liebermann
Re: SSID Broadcasts

On Mon, 2 Apr 2007 20:39:57 -0400, "The Rejuvenated Techie"
<nevertell@anon.com> wrote:

>I'm concerned about security. I see that LinkSys sells a "software version"
>of Radius that they consider more secure than Radius itself. Have you any
>experience with this, or do you stop at WPA-Personal?


http://www.Linksys.com/wirelessguard/

RADIUS is software. It's just 802.1x authentication. No hardware
required or involved. You can use either a local RADIUS server or one
on the internet for authentication. The problem with both is that if
your link to the RADIUS server goes down, you have no way to
authenticate and your wireless goes down with it. The solution is to
have a few key accounts duplicated inside the router configuration.
Unfortunately, not every router has this feature. The way DD-WRT
handles this is a setting on the Wireless-RADIUS page offering:
[ ] Override Radius if server is unavailable
I'm not thrilled with this kludge, but it does work.

The main advantage to RADIUS authentication is that it is used to
create the WPA session encryption key. The key is pure random
rubbish, is unique for each user, and different for each session.
There is no public shared key (PSK) which can be stolen or possibly
sniffed. Actually, it's easier to just extract and decrypt the WPA
key from the Windoze registry than to sniff and decrypt. With a
RADIUS server assigned key, there's nothing to steal and sniffing only
gets you a temporary key for one user.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

#10
04-03-2007, 06:35 AM
Tony Hwang
Re: SSID Broadcasts

The Rejuvenated Techie wrote:
> I installed a WAP54G (current firmware) today to accompany my WRT54GS
> (current firmware). The setup works without a hitch so far. A decent
> setup for a somewhat large house.
>
> I read on a few Websites that advised disabling SSID broadcasts on the
> AP and router. When I disabled the broadcasts it knocked my AP out of
> the loop, but my connection at the farthest most PC quickly switched,
> although weakly, to the main router.
>
> I realize a determined hacker is going to find my network anyway, but I
> wanted to at least put up some semblance of a stumbling block. It looks
> like the router and the access point behave differently. Does anyone
> have any experience with this? Any advice?
>
> Thanks.
>

Hmmm,
Just wondering, how big is your place?

#11
04-03-2007, 08:01 AM
e-teori
Re: SSID Broadcasts

Den Mon, 02 Apr 2007 22:25:25 +0000. skrev Jeff Liebermann:

> On Mon, 2 Apr 2007 16:16:38 -0400, "The Rejuvenated Techie"
> <nevertell@anon.com> wrote:
>
>>I read on a few Websites that advised disabling SSID broadcasts on the AP
>>and router. When I disabled the broadcasts it knocked my AP out of the
>>loop, but my connection at the farthest most PC quickly switched, although
>>weakly, to the main router.

>
> Yep. when the WAP54G tries to repeat the SSID of the WRT54G to the
> client, and there's nothing there, the client will not be able to
> connect. Thanks for reminding me of another reason why I hate
> repeaters. You might find my rant on the subject interesting:
> <http://groups.google.com/group/alt.internet.wireless/msg/bf2b30cf583a3703>
>
>>I realize a determined hacker is going to find my network anyway, but I
>>wanted to at least put up some semblance of a stumbling block. It looks
>>like the router and the access point behave differently. Does anyone have
>>any experience with this? Any advice?

>
> Sorry, no real experience with SSID hiding and repeaters. I consider
> repeaters and most mesh networks an abomination (or worse).
>
> Security by obscurity is a bad idea. The obstacle course slows
> hackers down, but often creates side effects. You're seeing just one
> of them. The other problem is that hiding the SSID makes it easier
> for the neighbors to accidentally land on your system. Any script
> kiddie with a Live CD containing Kismet will find your system anyway.
> MAC spoofing is just some sniffing followed by a registry tweak or
> ifconfig incantation. I could do it blindfolded.


What Jeff said holds true. Furthermore, as far as I recall, according to
the 802.11 specs disabling ESSID broadcasts breaks among other things
roaming in a multi-AP setup, and therefore ESSID broadcast is mandatory in
those cases. Using a repeater is in a sense a kludged roaming setup.

Since you are using WPA-PSK, and if you have a non default ESSID, and use
a fairly long (16 char minimum) passphrase, (preferably a nonsensical
passphrase with numeric, capital and non capital alphabetic and
non-alphabetic characters), you should only be worried if the NSA or the
GCHQ are trying to listen in on you. If you look out the window, and don't
see any black choppers hovering above in the vicinity, WPA-PSK is
sufficiently secure for home/SoHo usage IMHO.

J.D. "Dutch" Schmidt
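
The reasoning behind the non-default ESSID and long-passphrase advice above, as an added example that is not part of the original post: WPA-PSK derives its 256-bit key with PBKDF2-HMAC-SHA1 salted by the SSID, so a factory-default name means the same salt as many other networks and the passphrase is the only real secret. The `review` helper, its finding names and the short default-SSID list are assumptions made for illustration; the 16-character minimum is the post's figure.

```python
import hashlib
import math
import string

# Small illustrative set of factory-default SSIDs (assumption, not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink"}

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def char_classes(passphrase: str) -> int:
    """Count how many of lower / upper / digit / other classes appear."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in passphrase) for t in tests)

def max_entropy_bits(passphrase: str) -> float:
    """Upper bound on entropy, reached only if every character was picked
    uniformly at random from the classes used. Dictionary words score far lower."""
    sizes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10))
    pool = sum(n for chars, n in sizes if any(c in chars for c in passphrase))
    if any(not c.isalnum() for c in passphrase):
        pool += 33                       # remaining printable ASCII, incl. space
    return len(passphrase) * math.log2(pool) if pool else 0.0

def review(passphrase: str, ssid: str) -> list:
    """Check a PSK setup against the advice in the post."""
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")          # salt shared with many networks
    if len(passphrase) < 16:
        findings.append("short-passphrase")      # the post's 16-character minimum
    if char_classes(passphrase) < 4:
        findings.append("few-character-classes")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs; neither is a real credential.
    for pw, ssid in (("password", "linksys"),
                     ("xK7#mq2!Lw9$Tz4&", "attic-ap-7f3")):
        print(ssid, wpa_pmk(pw, ssid).hex()[:16] + "...",
              f"<= {max_entropy_bits(pw):.0f} bits", review(pw, ssid))
```

The same passphrase yields a different key under each SSID, which is why a unique network name matters even though the name itself is public.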

#12
04-03-2007, 03:15 PM
John Navas
Re: SSID Broadcasts

On Tue, 03 Apr 2007 09:01:54 +0200, e-teori
<lyngbytest_nospam_@_nospam_business.tele.dk> wrote in
<pan.2007.04.03.07.01.53.609988@_nospam_business.tele.dk>:

>Den Mon, 02 Apr 2007 22:25:25 +0000. skrev Jeff Liebermann:


>> Security by obscurity is a bad idea. The obstacle course slows
>> hackers down,


Only slightly, not enough to matter.

>> but often creates side effects. You're seeing just one
>> of them. The other problem is that hiding the SSID makes it easier
>> for the neighbors to accidentally land on your system. Any script
>> kiddie with a Live CD containing Kismet will find your system anyway.
>> MAC spoofing is just some sniffing followed by a registry tweak or
>> ifconfig incantation. I could do it blindfolded.

>
>What Jeff said holds true. Furthermore, as far as I recall, according to
>the 802.11 specs disabling ESSID broadcasts breaks among other things
>roaming in a multi-AP setup, and therefore ESSID broadcast is mandatory in
>those cases. Using a repeater is in a sense a kludged roaming setup.
>
>Since you are using WPA-PSK, and if you have a non default ESSID, and use
>a fairly long (16 char minimum) passphrase, (preferably a nonsenical
>passphrase with numeric, capital and non capital alphabetic and
>non-alphabetic characters), you should only be worried if the NSA or the
>GHCQ are trying to listen in on you. ...


In which case SSID hiding will be of ZERO value.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_How_To>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#13
04-03-2007, 04:33 PM
Axel Hammerschmidt
Re: SSID Broadcasts

Axel Hammerschmidt <hlexa@hotmail.com> wrote:

>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>
><snip>
>
>>Most repeaters will not handle WPA-PSK or WPA2-PSK, which is required for
>>decent security. The DLink DWL-G710AP and DWL-G800AP claim that they can
>>use WPA as repeaters, but I couldn't make it work on the latter when I
>>tried.

>
>The DWL-G710 is sold as a repeater.


Actually, it's sold as an "extender" - whatever that is.
