How do I correctly set up 2 routers (one is wireless) with WPA and MAC Address filtering?

I wish to reconfigure existing Linksys router to be sure it is correctly using WPA and MAC Addressing with my PC, and future additional PC.

Hooked to this router I was planning on adding a wireless router also using WPA and MAC Addressing (I think...not solid on concepts).  This wireless router I've managed to configure for WPA with the wireless portion and (if I am understanding correctly) want to also use MAC Addressing.

The only thing I plan to use with the wireless is a couple of WPA & MAC Addressing compatible wireless internet radios.  I don't know how this all works but the radios are capable of working without the PC and was hoping to do this in such a way that I could turn off PC without affecting radio operation.

The DSL connection is EarthLink passworded and this worries me in relation to the radios stand alone...but they support stand alone operations so I am assuming I can handle this without a problem.

I am assuming once the PC is off, my routers are safe from hacking even if they will be on Internet.

If I have said things wrong, please guide me to the True path of doing it right....thanks

PS  I am wondering if I am asking too much and this should be 500 points?  feedback?

j-sellers (Author) Commented:
I just posted.  it is about 1:30 AM.  Going to bed.  Will check in the morning.  Thanks.
Keith Alabaster (Enterprise Architect) Commented:
Let's take this from the top.

WPA is a protocol that requests and enforces a password that is shared between the router and the client(s) as part of its authentication mechanism. MAC addressing is where you physically insert the MAC addresses of the machines that are authorised to make use of the router. The router will check the source MAC address of packets received against this list.

You can use MAC addressing and WPA together but not all 'non-business' class devices support that approach - it is one or the other. No idea on Linksys - I use Cisco.

Your approach sounds fine. Yes, that should work quite happily.

Yes, the routers will be safe. There is a two phase aspect to these. The MAC address/WPA is part of the outbound stage only. It does NOT apply to machines that are outside of your router (on the Internet/ADSL side).


j-sellers (Author) Commented:
So if I understand correctly about WPA, I set up a password on the router, and the client has to provide the password in order to be functional with the router.  Is this correct?

Now can I do this at every stage?

In other words, if these are the paths:
Internet---wired router 1---wireless router 2---Internet radio.
Internet---wired router 1---PC 1

Should I set up WPA passwords on router1 and router 2.
& Require
   1) PC1 to know router 1 password
   2) router 2 to know router 1 password
   3) Internet radio to know router 2 password

And is the MAC address a reciprocal pair relationship?
Can I do the following pairs such that each member of the pair knows and uses the other's MAC address?
   1) PC <--> router 1
   2) router 1 <--> router 2
   3) router 2 <--> internet radio

And to extend to additional PCs and radios, then it is the same except there is a list so that it is many to one?

And last, have I described everything I need for a clean basic configuration?

Thanks, john
Keith Alabaster (Enterprise Architect) Commented:
So if I understand correctly about WPA, I set up a password on the router, and the client has to provide the password in order to be functional with the router.  Is this correct? - yes, it is.

Now can I do this at every stage? God knows - never tried that or came across anyone who might....

Should I set up WPA passwords on router1 and router 2 etc?  Personally I would use MAC addresses for all devices, put these onto all routers and not bother with WPA at all.
Fred Marshall (Principal) Commented:
I would be more comfortable if you were referring to "wireless clients/hosts" or "wired clients/hosts"  meaning the computers attached to the routers.

I would also be more comfortable if you were to define what you mean by "internet radio" because I have no real idea what that means to you.

Here is a brief tutorial:

WPA only applies to wireless and not to wired.  So, only the wireless clients need to provide it.

MAC filtering isn't considered to be terribly secure but can't hurt when combined with WPA.

WPA-2 is the only version considered to be very secure.  WEP and WPA are hackable.
Use the longest possible passphrases - you can generate them on the web.  Longer passphrases, much longer code-breaking times ... up to the impossible in one's lifetime sort of thing.

WEP and WPA are OK as a "deterrent" from casual lurkers.  In a signal-rich environment they can just pick some other signal/LAN to connect into.  Not much good beyond that and if YOU are targeted by those who know the ropes - better to use WPA-2.

If you cascade routers as you have shown then they are probably providing NAT.
So, the first one might have a LAN address range of
and the second one might have a LAN address range of
I highly recommend NOT using NAT with the same range on the WAN/internet side of the router AND on the LAN side.  So, you may have to configure them to be different.

If you want to isolate computers on one router from computers on another router then put the "more secure" computers after the second router.  
- Computers on the 2nd router can reach the 1st router and all the computers on the 1st router.
- Computers on the 1st router can't generally reach computers on the 2nd router.

You can avoid having NAT after the 2nd router by avoiding its NAT altogether - so that all computers are on the same LAN.  This is a likely configuration if the 1st router doesn't have wireless capability and the 2nd router is added just to provide wireless.  In that case you:
- don't use the WAN/Internet connector on the 2nd router at all.
- plug the 2nd router LAN side into the 1st router LAN side.
- turn off DHCP on the 2nd router ... then it doesn't really matter what IP addresses are.
The 2nd router acts like a switch for both wired and wireless connections and gets them to the 1st router.

I hope this helps.
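
The two cascade layouts described in the post above, written as a small configuration check. This is an added example, not part of the original post or any vendor tool; the `Router` fields, the finding names and the address ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Router:
    name: str
    lan: str               # LAN-side subnet in CIDR form
    wan_ip: Optional[str]  # address on the WAN/Internet port; None = port unused
    dhcp: bool             # DHCP server enabled on the LAN side

def audit_second_router(first: Router, second: Router) -> List[str]:
    """Return findings for `second` plugged into a LAN port of `first`."""
    findings = []
    first_lan = ipaddress.ip_network(first.lan)
    second_lan = ipaddress.ip_network(second.lan)
    if second.wan_ip is None:
        # LAN-to-LAN cabling: the 2nd router is a switch/access point only.
        if second.dhcp:
            findings.append("dhcp-on-in-switch-mode")
        return findings
    # WAN port in use: the 2nd router does NAT behind the 1st one.
    if ipaddress.ip_address(second.wan_ip) not in first_lan:
        findings.append("wan-ip-outside-first-lan")
    if second_lan.overlaps(first_lan):
        findings.append("same-range-on-wan-and-lan")
    return findings

def first_lan_can_reach_second_lan(second: Router) -> bool:
    """True only in switch mode; NAT on the 2nd router generally blocks
    unsolicited connections from hosts on the 1st router."""
    return second.wan_ip is None

# Constructed sample configurations (private and documentation ranges).
ROUTER1 = Router("router1", "192.168.1.0/24", "203.0.113.10", dhcp=True)
CASES = {
    "nat, clashing ranges": Router("router2", "192.168.1.0/24", "192.168.1.2", True),
    "nat, distinct ranges": Router("router2", "192.168.2.0/24", "192.168.1.2", True),
    "switch mode, dhcp on": Router("router2", "192.168.1.0/24", None, True),
    "switch mode, dhcp off": Router("router2", "192.168.1.0/24", None, False),
}

if __name__ == "__main__":
    for label, r2 in CASES.items():
        print(f"{label:22} findings={audit_second_router(ROUTER1, r2)} "
              f"router1 hosts reach router2 hosts={first_lan_can_reach_second_lan(r2)}")
```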

What model routers do you have?
If you're not sure, Linksys prints the model number on the barcode sticker on the bottom of their units.
That's also the only place they have the version#.

> WPA is a protocol that requests and enforces a password that is shared between the
> router and the client(s) as part of its authentication mechanism.

The original WPA was a stopgap measure to upgrade WEP's security by adding Temporal Key Integrity Protocol (TKIP) to the encryption scheme (which uses RC-4 ciphers) of Wired Equivalency Protocol (WEP). It still uses RC-4 encryption, and still includes the passphrase with every packet, which is its weak link.

Using WEP is like closing your door but not locking it. It keeps out only honest people. Google aircrack and you'll find freely available tools to crack WEP in 5 minutes (it is almost-always illegal to do so... there are legitimate uses for those tools, though, such as testing the security on your own network). The same utils can be used to capture packets and decrypt them even if they use WPA (TKIP). WPA (AES) is better, but it's not part of the WiFi WPA specification, so not all devices support it.

All devices that meet the WPA2 spec *do* support AES encryption. The WPA2 passphrase is used mainly during authentication, yet is never actually exchanged between the clients and host, so it adds no overhead to the payload itself, just uses extra processor power to do the complex encryption and decryption.

MAC filters (aka Access Control Lists, or ACLs) are rarely worth the time it takes to set them up, in my honest opinion. Nearly all wireless cards (or wired NICs, for that matter) allow setting a MAC address different than their true hardware address. e.g. See attached.
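
An added illustration of two points made in this thread: that the WPA2 passphrase is used for authentication without being sent, and that longer passphrases take longer to break. It is not part of the original answers; it derives the WPA2-Personal master key with the standard PBKDF2-HMAC-SHA1 construction (SSID as salt, 4096 iterations) that client and access point each compute locally. The function names and the guess rate are assumptions, and the estimate only applies to randomly generated passphrases.

```python
import hashlib
import math

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def passphrase_bits(length: int, alphabet: int = 94) -> float:
    """Entropy in bits of a uniformly random passphrase; 94 is the number
    of printable ASCII characters excluding space."""
    return length * math.log2(alphabet)

def years_to_exhaust(length: int, guesses_per_sec: float = 1e6) -> float:
    """Years to try every passphrase of this length. The guess rate is an
    ASSUMED figure for illustration, not a measurement."""
    seconds = 2 ** passphrase_bits(length) / guesses_per_sec
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample values: both sides compute the same key locally.
    router_side = wpa2_pmk("correct horse battery staple", "HomeNet-Example")
    client_side = wpa2_pmk("correct horse battery staple", "HomeNet-Example")
    print("keys match:", router_side == client_side)
    # The SSID is the salt, so the same passphrase on another network
    # name yields an unrelated key.
    other = wpa2_pmk("correct horse battery staple", "OtherNet-Example")
    print("same passphrase, other SSID differs:", other != router_side)
    for n in (8, 12, 20, 63):
        print(f"{n:2d} random chars: {passphrase_bits(n):6.1f} bits, "
              f"about {years_to_exhaust(n):.3g} years at the assumed rate")
```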
Keith Alabaster (Enterprise Architect) Commented:
Good job that we do have our own opinions :) else we might be the same person.

j-sellers (Author) Commented:
Sorry I have not responded.  I lost a whole day traveling up the SF Bay because of the D... tanker/crash fire.  It took me over 4 hours to make what is usually a 40 minute trip.  Also because of my domain, I attract more than my share of worms and the like.  I'm dealing with one now.  I do have several comments when I finish playing catch-up.   Again, sorry.
:-)  -  John