Linksys wireless router setup

Posted on 2006-06-07
Last Modified: 2008-02-07
I purchased a Linksys WRT54G wireless router to act as a wireless AP for my home network.  Referring to the WRT54G as a WAP, my LAN configuration is:

Wireless client(s) -> WAP -> Linksys switch1 -> CISCO PIX -> DSL modem
Ethernet clients -> Linksys switch1 -> CISCO PIX -> DSL modem
client(s) with external IP -> Linksys switch2 -> DSL modem

The basic setup options on the WAP are automatic/DHCP (default) and static IP, among others that don't apply such as PPPoE (since I have it set as router, not as gateway).  The static IP setup expects two networks - but strangely, when I tried giving the WAP a spare external IP for testing, the config page returned an error that the subnet masks for my LAN and my WAN don't match.  Of course they don't match! I have at least 255 local IPs I can use, but only one remaining routable IP which I'd rather not use. The error was probably about something else, but I want the WAP and my wireless clients behind the PIX (which does NAT) and the static IP options don't apply anyway.  So I left the default config/DHCP setting in place on the WAP, wishing I could find a bridge mode instead, but that option is nowhere in the config pages.  

I have disabled the DHCP server and assigned a local IP to the WAP in the same subnet as the internal ethernet card on the PIX. I can ping the PIX from the WAP and vice versa.  However when I ping an Internet IP from the WAP I get no response.  The WAP is included on the PIX host list.  My wireless network settings are the defaults: mixed 11/54 Mbps, channel 6 - 2.437 GHz.  The Operating Mode is router, with dynamic routing enabled for LAN & wireless.  Checking the status, the IP address I have assigned the WAP isn't registering:

Firmware Version:   v1.00.6, Jan. 20, 2006
Current Time:       Not Available
MAC Address:        xx:yy:zz:etc
Router Name:        WRT54G
Host Name:          wap
Domain Name:

Configuration Type
Login Type:         Automatic Configuration - DHCP
IP Address:
Subnet Mask:
Default Gateway:
DNS 1:              10.0.x.x
DNS 2:              10.0.x.x
DNS 3:
MTU:                1500

I do all of my network configuration from Linux systems.  I wasn't able to browse the CD that came with the WAP, but wasn't concerned since I can access the WAP config pages with my browser.  How do I fix this?
Question by:klukac
    LVL 2

    Expert Comment

    There are several things that I am thinking. Please understand that I have never set up a network quite like this, so I hope my thoughts make sense. I will be watching this thread with some interest to see if some real gurus weigh in. Anyway, here goes:

    1. Unless your DSL modem is a little fancier than those I've seen, how could you have your PIX and your switch#2 plugged straight into it at the same time, as indicated in your diagrams? If your DSL modem has an integrated router with a built-in switch, then fine, but unless that's the case, your diagram seems strange to me.

    2. Do you mean that one of the devices is plugged in to the DSL modem via a USB port, and the other through an ethernet jack? If that's the case, only one of those ports is probably active, and from your description, I'd say it's NOT the one connected to your PIX, since you can't see the Internet from that part of your network. Besides, I'll bet your DSL modem only has one public IP address to give, so it can't well give it to two devices at once. That one, precious public IP goes to ONE device, which can hand out myriad private IP addresses in all kinds of configurations, all leading back to that one point of origin, that one device immediately behind your modem. That is, unless you have: a) paid for multiple public IP addresses and a fancy modem to hand them all out at once, or b) a modem with integrated router and switch, in which case any devices plugged straight into your modem are already getting private IP addresses. I'll operate under the assumption that a) is not the case, as you mention that this is for a home network. I will also assume that your modem has only one functioning LAN port.

    3) You want two sub-networks? Now, I don't have any experience with PIX's, but how about:

                                       / wired clients
                           switch #1
                          /            \ WAP -> wireless clients
      modem -> PIX
                           switch #2 -> client(s) in a DMZ, defined by the PIX [is this the effect you're after?]

    Or, even better, does one of the switches have VLAN capability?:

                                       / wired clients and WAP on VLAN #1
     modem -> PIX -> switch
                                       \ wired clients in DMZ on VLAN #2

    If it doesn't, would the PIX have any useful VLAN capability?

    4. As you know, that WRT54G you've got there is no WAP; it's a full-fledged router. However, I don't think you want that. It is the WAP54G that you really want; it's just an access point (essentially a wireless switch). I believe you should let the PIX be your router, acting as the lone DHCP server for your entire network, etc. To try and get the WRT54G to work as a simple WAP and not fight with the other router on your network, see if plugging the line from your switch into one of the LAN ports on the WRT54G, and NOT the "Internet" port, helps. Leave the "Internet" port unoccupied and see if that turns this thing into a lowly WAP. You've already got the operating mode set to "router," so I'm not sure what else to change. Just make sure the WRT54G isn't trying to show off and act like a DHCP server.

    And by the way, I bet you shouldn't be manually assigning any IP addresses except right at the PIX, giving either: a) the x.x.1.x range to switch #1 and the x.x.2.x range to switch #2, or b) the same two ranges to two different VLAN's on a single switch. Also, your PIX wouldn't happen to have enough LAN jacks on it to do away with other switches entirely, would it....? I bet it can do VLAN's, in which case:

                         / wired clients and WAP on VLAN #1
     modem -> PIX
                         \ wired clients in DMZ on VLAN #2
    LVL 87

    Expert Comment

    Is the WAP only for internet access or will you use it for internal networking too? If you don't need internal networking access, just connect the wan port of the wap to the pix, enable it to get its wan address from dhcp from the pix and you should have internet access. On the lan and wireless side of the wap enable dhcp too, but use a different subnet than the wan side uses. Give the wap itself a fixed ip for the lan so that you can manage it using your browser.

    If you will be using it for normal networking too, don't connect the wan port, just connect the lan port to the network, give it a static ip and disable the internal dhcp server, as the connections will now get their ip's from the normal dhcp server on your lan. Now you should be able to use both the internet and your lan.

    Author Comment

    rindi, the 2d option is what I tried to implement - I connected one of the 4 lan ports on the back of the wireless router to the network, and as you know I disabled its internal dhcp server and tried to assign it a static ip.  I don't have dhcp running on my lan at all, but if I choose not to assign an external ip on the router, it will have to get its IP from the PIX.  I really don't want to work with DHCP, which makes no sense for such a small network, and I'm wondering if DHCP will work on the PIX at all when it's used only for a single device.  I have no choice but to try - it'll take some time, will get back to you on this.

    saxicolous1, your first diagram is correct.  My DSL modem is in bridge mode so as not to compete with the PIX, and I have an old laptop in the DMZ to see if my web and mail services are making it outside the LAN.  I don't have experience with VLAN.  I know that a router is not a WAP, but was advised that I could make it work like one.  
    LVL 87

    Expert Comment

    If you don't use a dhcp server, and you only connect the wap via the lan port, you just need to enter the following values into the nic's of your clients:

    static ip different from others on the lan, but within the same subnet. If you were using a lan segment like 192.168.0.x, the example would be
    gateway ip, this would be the ip of your pix on the lan side, example
    subnet mask, if you want to use 254 ip's, that would be
    dns server's ip. Normally that is the same as the ip of your pix, but you could also use those of your ISP's dns servers.

    Of course you still need to define an IP address for the wap, like

    LVL 2

    Assisted Solution

    >>I don't have dhcp running on my lan at all, but if I choose not to assign an external ip on the router, it will have to get its IP from the PIX.  I really don't want to work with DHCP, which makes no sense for such a small network, and I'm wondering if DHCP will work on the PIX at all when it's used only for a single device....

    Aha. Let your PIX (basically, a glorified firewall/router with every bell and whistle?) be the DHCP server it was meant to be. The size of your network doesn't matter--I have ONE computer on my LAN at the moment. It has an internal IP address handed out by my firewall/router/DHCP server, which is at the head of my "network", such as it is:

       modem -> firewall/router -> Sax's ONE working computer
              {public IP}         {private IP(s)}

    This is simply to protect it from having an external, public IP address visible from, and subject to attack by, the Internet at large.

    Whenever you have a DHCP server, it isn't just the device(s) connected immediately to it that are served by it. Those internal IP addresses will percolate all the way down through your network, through layers of switches and hubs and WAPs (wireless switches). Even machines put in a DMZ will have internal IP addresses handed out by your one, master DHCP server; it's just that all unsolicited packets from the outside world will be forwarded straight to them, unfiltered and unfirewalled.

    Now, I have bad feelings about doing a DMZ just for the web and e-mail services you mention. Normally, for stuff like that, you just forward traffic coming in on the specific, appropriate ports to those machines, so that they can be otherwise protected by your firewall at the head of your network. That way, it wouldn't be so important to quarantine them from the rest of your LAN by putting them in their own separate sub-LAN on their own switch (though you could set it up that way if you wanted, for the extra safety). A VLAN could make it be like there were two separate sub-LAN's, thus giving exactly the functionality of my diagram #1, but with the slightly simpler hardware setup of my diagram #2, from my first post.

    Author Comment

    Sadly, your instructions don't work.  I tried all that you describe before sending this request, and this fails because the GUI on the router offers no option to set the IP of the gateway - not in the basic setup and not in advanced routing.  I have set the router to route (not gateway) mode and enabled dynamic routing on the LAN, but the wireless router still sees itself as the gateway.  
    I found out how to set up DHCP on the PIX, but I don't understand how to work with the wireless router: I have to assign a static IP to open the router's GUI, but once I enable DHCP on the PIX with a range of IP addresses, I can no longer access the router GUI because I don't know what IP address it's using.
    LVL 2

    Accepted Solution

    >>once I enable DHCP on the PIX with a range of IP addresses, I can no longer access the router GUI because I don't know what IP address it's using.

    You have two options in order to avoid having to play hide and seek with your web-browser-configured network devices--I just went through this with a nice new network printer a couple weeks ago where I work:

    1) Consider, for a moment, the piece of equipment that you always want to be able to find with your web browser, in this case your WRT54G (which probably should be a WAP54G, as I mentioned earlier--I promise I won't say it again). Find its MAC address, which is frequently on a label on the side of the device, as you may know. Now, go into the DHCP server's (your PIX's) configuration pages and see if there's some way to reserve a particular IP address for the WRT54G's MAC address. That way, the WRT54G can remain a DHCP client, keeping things just one notch simpler, but you'll know what IP address it's always going to be assigned. It won't change, and other settings, like subnet mask and gateway, ought to take care of themselves--I believe it's one of the things DHCP will do in addition to just handing out internal IP addresses.

    2) If there's no option by which your PIX will tie a particular IP address to a particular MAC address (which would be surprising, given that it's such a fancy piece of equipment--my $30 router can do it), then you'll just have to program your WRT54G with a static IP address and tell it not to act as a DHCP client. Give it an IP address at the upper end of the addresses that would have been offered to it by the PIX (say, x.x.x.254), and maybe even reduce the range of IP addresses handed out by the PIX (if necessary) so that x.x.x.254 could NEVER be handed out through DHCP. For example, you could tell it to hand out x.x.x.2 through x.x.x.253. In order to get the subnet mask, gateway, etc. right, just copy whatever the PIX says they are. As rindi mentioned, we're talking about the LAN side parameters of your PIX, not the WAN side.

    I do feel that keeping the WAN port on the WRT54G unused, and instead jacking into only a single LAN port, is important, although you could try the WAN port for fun as a last resort before shelling out for a WAP. Though I don't think we should admit defeat too quickly, in all honesty, I'm beginning to get the feeling that a big part of our problem is that the WRT54G just isn't designed to sit there and be a WAP. In a way, it's too smart for its own good in this situation, and we're gonna have to figure out how to get it to sit down, shut up, and play nice. Maybe it's a case of "once a router, always a router?"
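
Added example, not part of the original thread: a small Python check of the addressing plan from option 2 above, confirming that a static IP for the access point sits inside the firewall's LAN subnet but outside the DHCP pool. The 192.168.1.0/24 network, the .1 gateway and the function names are assumptions made up for illustration; substitute the LAN-side values your PIX reports.

```python
import ipaddress


def check_static_assignment(lan_cidr, gateway, pool_start, pool_end, static_ip):
    """Return a list of problems with giving `static_ip` to a device on this LAN.

    An empty list means the address is safe to configure by hand.
    """
    net = ipaddress.ip_network(lan_cidr, strict=True)
    gw = ipaddress.ip_address(gateway)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    ip = ipaddress.ip_address(static_ip)

    problems = []
    if lo > hi:
        problems.append("DHCP pool start is above pool end")
    # Everything must live in the LAN-side subnet of the firewall.
    for name, addr in (("gateway", gw), ("pool start", lo),
                       ("pool end", hi), ("static IP", ip)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")
    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"static IP {ip} is the network or broadcast address")
    if ip == gw:
        problems.append(f"static IP {ip} collides with the gateway")
    # The core of option 2: the address must never be leasable.
    if lo <= ip <= hi:
        problems.append(f"static IP {ip} is inside the DHCP pool {lo}-{hi}")
    if lo <= gw <= hi:
        problems.append(f"gateway {gw} is inside the DHCP pool {lo}-{hi}")
    return problems


def static_settings(lan_cidr, gateway, static_ip):
    """Values to type into the device: mask and gateway copied from the LAN side."""
    net = ipaddress.ip_network(lan_cidr, strict=True)
    return {"ip": static_ip, "netmask": str(net.netmask), "gateway": gateway}


if __name__ == "__main__":
    # Constructed sample plan: pool .2-.253, access point pinned at .254.
    lan, gw = "192.168.1.0/24", "192.168.1.1"
    for pool_end in ("192.168.1.253", "192.168.1.254"):
        issues = check_static_assignment(lan, gw, "192.168.1.2", pool_end,
                                         "192.168.1.254")
        print(pool_end, "->", issues or "ok")
    print(static_settings(lan, gw, "192.168.1.254"))
```
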
    LVL 2

    Expert Comment

    Hmmm, I just thought of one more thing (a frequent occurrence seconds after I submit a post). If/when you are telling the PIX about the WRT54G's MAC address, so that it can reserve a particular IP address for it, it might (I repeat might) be the case that the WRT54G, being a router with a WAN side and a LAN side, has TWO different MAC addresses, probably one number apart at the very last digit. You said in your original post that the WRT54G was included in the PIX host list. Obviously, whichever MAC address shows up there (assuming it shows MAC addresses in that listing) would be the one to use.

    Author Comment

    ok I'm back.  First things first: I'm connected via the wireless router, yeah :)  
    First I got DHCP running on the PIX, connecting one Ethernet client at a time.  I started with 2 addresses to minimize guesswork on the wireless router's IP.  I did try to relate the mac id features to dhcp on the PIX but failed - you can list a mac id with a subnet mask in a certain format, but I didn't understand the subnet mask (examples show ffff.ffff.ffff and ffff.ffff.0000).  I copied the first and it was accepted, however the only benefit of the mac id is to exempt the device from authentication/authorization, and I really wasn't sure that's what I wanted, so I disabled it after I got the wireless router to connect to its clients.
    Now I'm working on security.  I have enabled a policy to restrict access on the wireless router to only those MAC addresses that need to connect, however I have no WPA or WEP security enabled.  I'd like to implement WPA2, which I understand is recommended, but must first figure out how it works so that my Linux and XP clients can still connect (at some point I made the mistake of pressing the "Reset security" button in the Admin pages and the wireless router reverted to its default settings so I had to start over - if I lose the connection, starting over is my only option and it's a real pain).
    Some observations: the speed is absolutely terrific, at least in the same room.  At one point my XP laptop client connected to the Internet through the wireless router with a routable IP and I have no idea how that was even possible (the router is connected to switch1 which connects to the PIX and then to the DSL modem - switch1 is connected only to internal clients with non-routable IPs).  But I was too scared to examine this problem too closely.  Tomorrow is another day - can get back to you then and close this out.

    Author Comment

    Sorry I was out sort of unexpectedly for like a week or so :(
    All is fine, except that I occasionally lose the DHCP connection and have to renew it - a bit confusing at first, since the wireless signal is fine, but I couldn't get past the inside interface on the PIX.  Also, couldn't use WPA because the wireless card on my Linux laptop only comes with WEP in the GUI tool I normally use to configure it...could investigate other means but for now, I don't expect my neighbors to break the 128-bit encryption :)
