Wireless observations



relen
2006-01-17, 04:51
I have just spent a frustrating few days sorting out my wireless setup and thought I'd share the results in case they are helpful to anyone.

I have an SB2 and SB3, and until recently the SB3 was wired and the SB2 wireless, talking to a Belkin F5D7130 wireless access point running with MAC filtering and no encryption. I acquired a Nokia N770, with the idea of one use being as a Slimserver remote. However I discovered that the 770 only worked correctly if it was in the same room as the WAP, irrespective of channels used - there are about four other WiFi access points (on different channels) nearby; we also have a DECT cordless phone system that probably uses the same band, and the 770 seems to be particularly sensitive to stray wireless activity.

As a temporary measure I took the WAP and put it in the living room using the SB3's enet cable, and tried to set the SB3 up for wireless. I failed, and succeeded only in blowing up the wireless card in the SB3, probably as a result of power cycling (power on the unit and no display - however the TOSlink LED was still working: support suggested removing the card and it sprang back to life).

With a new wireless card I set the SB3 up successfully, but after playing more than a few seconds of FLAC it would start stuttering - music for half a second, pause for half a second, music for half a second... etc. It would play Internet Radio fine, however, and even .wma files (transcoded to mp3 by LAME). Evidently the buffer was underflowing, suggesting poor wireless bandwidth. The SB2 upstairs, however, continued to work perfectly throughout.

Talking to tech support suggested a possible SB3 driver issue, which is currently being worked on, but when we discussed the fact that the N770 was still a bit flakey even across the room from the WAP, I concluded it might be time to invest in a different WAP, and the tech support rep told me he had experienced excellent range with the LinkSys WAP54GX MIMO unit. It also certainly looked good on paper, and I ordered one.

Over the weekend I decided to look into the SB3 problem in more detail, and on examining the IP config carefully noticed that the Network Mask was incorrect - 255.255.255.248 instead of 255.255.255.0. This was almost certainly finger trouble as a result of doing configuration after midnight. Correcting this setting resulted in the SB3 working perfectly. I found it really strange that this config error produced the results it did.

The WAP54GX duly arrived yesterday and I installed it last night. Another part of the discussion with tech support had involved WiFi security and the fact that MAC access lists were bad news, WPA2 was the way to go, so I decided to go with that, with AES.

Everything suddenly seemed to work. The N770 worked all over the house. My iBook worked instantly, both SBs were happy. Well, almost everything. My wife's Toshiba laptop with Atheros 5004 card would not play ball. Sorting this out took a half-hour call to a Toshiba level-1 support rep who knew almost nothing about WiFi: I was finally referred to a level-2 guy who gave me the solution in 10 seconds: it doesn't do it, no updated drivers or anything, and apparently no easy answer.

I tried running the WAP in WPA1 mode with TKIP (SBs do not support AES via WPA1). Everything worked, including the Toshiba... except the Nokia, which now would not talk to the WAP, despite prodigious signal strength.

Setting the LinkSys WAP to 'mixed' WPA1/2, AES+TKIP mode caused everything to fail except the iBook. Indeed, whatever config I tried, the iBook always seemed to be able to access the WAP!

I ended up setting up the LinkSys WAP54GX to WPA2/AES so that everything except the Toshiba worked, and placing the Belkin WAP set to WPA1/TKIP in a poor location near my wife's office so it's unreadable outside the building but usable inside.

So, everything now works... but I would love a simpler setup using only the LinkSys WAP54GX (which on the showing of under 24 hours appears to be simply brilliant), if anyone has any ideas.

I hope this is some help to people navigating the stormy waters of WiFi...

--Richard E

Mark Lanctot
2006-01-17, 07:42
Some interesting points! See below.

relen wrote:

> The WAP54GX duly arrived yesterday and I installed it last night.
> Another part of the discussion with tech support had involved WiFi
> security and the fact that MAC access lists were bad news, WPA2 was the
> way to go, so I decided to go with that, with AES.

"MAC address lists were bad news" - any details?
I know MAC addresses can be sniffed by an attacker
and cloned, but it deters casual connections.

Also I thought the only difference between WPA and
WPA2 was the method of encryption - TKIP versus AES:

http://www.wi-fiplanet.com/news/article.php/3402971

"In fact, the original WPA has many of the same
attributes of the final 802.11i spec. The main
difference is that 802.11i and WPA2 require
Advanced Encryption Standard (AES) for encryption
of data, while original WPA uses Temporal Key
Integrity Protocol (TKIP) for encryption."

I've been thinking of switching to WPA2-AES if I
can get the Squeezebox to work with it. Who
doesn't want extra security that doesn't cost
anything extra? My laptop should work with it,
the latest Intel 2200 BG driver supports WPA2-AES.

> I ended up setting up the LinkSys WAP54GX to WPA2/AES so that
> everything except the Toshiba worked, and placing the Belkin WAP set to
> WPA1/TKIP in a poor location near my wife's office so it's unreadable
> outside the building but usable inside.

I have a discarded wireless router that won't work
with the Squeezebox. I wanted to reuse it
somehow, so this statement is interesting. What
do you have the Belkin connected to? Do you have
it somehow linked to the WAP54GX for Internet access?

>
> So, everything now works... but I would love a simpler setup using only
> the LinkSys WAP54GX (which on the showing of under 24 hours appears to
> be simply brilliant), if anyone has any ideas.

Go with WPA-TKIP until you get WPA2 support for
the Toshiba. It's coming, everyone is moving to WPA2.

WPA-TKIP still remains unbroken, it's just that
WPA2-AES offers even stronger encryption.

--
___________________________________


Mark Lanctot
___________________________________

relen
2006-01-17, 10:18
> "MAC address lists were bad news" - any details?
> I know MAC addresses can be sniffed by an attacker
> and cloned, but it deters casual connections.

True, but what I was led to understand was that indeed the addresses could be sniffed. So it was time to implement encryption of some kind.

> Also I thought the only difference between WPA and
> WPA2 was the method of encryption - TKIP versus AES...

Isn't this one of those "technique versus implementation" things? It's theoretically the same but the headers are different or something else stops them being cross-compatible? Not really my field, I'm afraid.

> I've been thinking of switching to WPA2-AES if I
> can get the Squeezebox to work with it.

It was completely transparent in my case - go through setup and it works. I did have to zip through the SB setup after having rebooted the WAP, just basically going through without changing anything, so you might have to do that if there is an interruption in WAP service, rather than it just popping back up by itself, but I don't know for sure.

> I have a discarded wireless router that won't work
> with the Squeezebox. I wanted to reuse it
> somehow, so this statement is interesting. What
> do you have the Belkin connected to? Do you have
> it somehow linked to the WAP54GX for Internet access?

Both are just access points, not routers. I simply ran the Belkin up with a different SSID and channel, opposite end of the house. They both sit on my wired enet and talk to my wired router for internet access.

> Go with WPA-TKIP until you get WPA2 support for
> the Toshiba. It's coming, everyone is moving to WPA2.

Except that I don't think I can. Toshiba's support guy (the sensible one) was very iffy about either putting a different mini-PC card in - anyone any ideas? - though I suppose I could pull it, delete its drivers and put a PC card in that did it...

> WPA-TKIP still remains unbroken, it's just that
> WPA2-AES offers even stronger encryption.

That IS useful to know, as it means I don't need to worry so much about the weak link being the WPA1 WAP. But I can't use that protocol for everything as the Nokia doesn't like WPA-TKIP.

Thanks for the comments!

--Richard E

JJZolx
2006-01-17, 11:22
>> Go with WPA-TKIP until you get WPA2 support for
>> the Toshiba. It's coming, everyone is moving to WPA2.
>
> Except that I don't think I can. Toshiba's support guy (the sensible one) was very iffy about either putting a different mini-PC card in - anyone any ideas? - though I suppose I could pull it, delete its drivers and put a PC card in that did it...
>
>> WPA-TKIP still remains unbroken, it's just that
>> WPA2-AES offers even stronger encryption.
>
> That IS useful to know, as it means I don't need to worry so much about the weak link being the WPA1 WAP. But I can't use that protocol for everything as the Nokia doesn't like WPA-TKIP.

It seems hard to imagine that the Nokia won't work with WPA-TKIP. I would guess there must be other Nokia users here using it.

Don't worry about the security of WPA with TKIP. The encryption is plenty secure. But it's important to use a long pass phrase. Once you have everything settled, generate a random 63 character passphrase. Store it in a text file and cut and paste it (except for the Squeezeboxes, where you'll have to enter it by hand).

Mark Lanctot
2006-01-17, 11:28
relen wrote:
>> "MAC address lists were bad news" - any details?
>> I know MAC addresses can be sniffed by an attacker
>> and cloned, but it deters casual connections.
>
> True, but what I was led to understand was that indeed the addresses
> could be sniffed. So it was time to implement encryption of some kind.

Oh yes, if you had no encryption, sniffing and
cloning a MAC address is very easy. Again, it
will deter your neighbour accidentally connecting
to your network, but it won't deter anyone looking
to crack it.

>
>> Also I thought the only difference between WPA and
>> WPA2 was the method of encryption - TKIP versus AES...
>
> Isn't this one of those "technique versus implementation" things? It's
> theoretically the same but the headers are different or something else
> stops them being cross-compatible? Not really my field, I'm afraid.

I had thought the only difference was the method
of encryption.

> It was completely transparent in my case - go through setup and it
> works. I did have to zip through the SB setup after having rebooted the
> WAP, just basically going through without changing anything, so you
> might have to do that if there is an interruption in WAP service,
> rather than it just popping back up by itself, but I don't know for
> sure.

Makes me want to try it out. Sounds like you
didn't have to reenter your WPA passphrase, which
is the main thing stopping me. I use a
63-character phrase with capitalization, numbers
and punctuation, so while it's secure it's hard to
type into the Squeezebox using the remote! :-)

>
>> I have a discarded wireless router that won't work
>> with the Squeezebox. I wanted to reuse it
>> somehow, so this statement is interesting. What
>> do you have the Belkin connected to? Do you have
>> it somehow linked to the WAP54GX for Internet access?
>
> Both are just access points, not routers. I simply ran the Belkin up
> with a different SSID and channel, opposite end of the house. They both
> sit on my wired enet and talk to my wired router for internet access.

Aha. Thanks for the clarification.

>
>> Go with WPA-TKIP until you get WPA2 support for
>> the Toshiba. It's coming, everyone is moving to WPA2.
>
> Except that I don't think I can. Toshiba's support guy (the sensible
> one) was very iffy about either putting a different mini-PC card in -
> anyone any ideas? - though I suppose I could pull it, delete its
> drivers and put a PC card in that did it...

So the card is built-in? How old is the laptop?
If it's relatively new and still widely-used you
should eventually expect WPA2 support, but if it's
an older or rare model maybe not.

>
>> WPA-TKIP still remains unbroken, it's just that
>> WPA2-AES offers even stronger encryption.
>
> That IS useful to know, as it means I don't need to worry so much about
> the weak link being the WPA1 WAP. But I can't use that protocol for
> everything as the Nokia doesn't like WPA-TKIP.

Whoa, the Nokia 770 can't handle WPA-TKIP? I
would imagine it's just your situation though -
surely the hardware is capable of WPA. That sucks
for you, though. :-(

--
___________________________________


Mark Lanctot
___________________________________