

How do I correctly set up 2 routers (one is wireless) with WPA and MAC Address filtering?

Posted on 2008-10-19
Medium Priority
Last Modified: 2013-12-09
I wish to reconfigure existing Linksys router to be sure it is correctly using WPA and MAC Addressing with my PC, and future additional PC.

Hooked to this router I was planning on adding a wireless router also using WPA and MAC Addressing (I think...not solid on concepts).  This wireless router I've managed to configure for WPA with the wireless portion and (if I am understanding correctly) want to also use MAC Addressing.

The only thing I plan to use with the wireless is a couple of WPA & MAC Addressing compatible wireless internet radios.  I don't know how this all works but the radios are capable of working without the PC and was hoping to do this in such a way that I could turn off PC without affecting radio operation.

The DSL connection is earthlink passworded and this worries me in relation to the radios stand alone...but they support stand alone operations so I am assuming I can handle this without a problem.

I am assuming once the PC is off, my routers are safe from hacking even if they will be on Internet.

If I have said things wrong, please guide me to the True path of doing it right....thanks

PS  I am wondering if I am asking too much and this should be 500 points?  feedback?
Question by:j-sellers

Author Comment

ID: 22751382
I just posted.  it is about 1:30 AM.  Going to bed.  Will check in the morning.  Thanks.
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 300 total points
ID: 22753242
Let's take this from the top.

WPA is a protocol that requests and enforces a password that is shared between the router and the client(s) as part of its authentication mechanism. MAC addressing is where you physically insert the MAC addresses of the machines that are authorised to make use of the router. The router will check the source MAC address of packets received against this list.

You can use MAC addressing and WPA together but not all 'non-business' class devices support that approach - it is one or the other. No idea on Linksys - I use Cisco.

Your approach sounds fine. Yes, that should work quite happily.

Yes, the routers will be safe. There is a two phase aspect to these. The MAC address/WPA is part of the outbound stage only. It does NOT apply to machines that are outside of your router (on the Internet/ADSL side).



Author Comment

ID: 22753386
So if I understand correctly about WPA, I set up a password on the router, and the client has to provide the password in order to be functional with the router.  Is this correct?

Now can I do this at every stage?

In other words, if these are the paths:
Internet---wired router 1---wireless router 2---Internet radio.
Internet---wired router 1---PC 1

Should I set up WPA passwords on router1 and router 2.
& Require
   1) PC1 to know router 1 password
   2) router 2 to know router 1 password
   3) Internet radio to know router 2 password

And is the MAC address a reciprocal pair relationship?
Can I do the following pairs such that each member of the pair knows and uses the other's MAC address?
   1) PC <--> router 1
   2) router 1 <--> router 2
   3) router 2 <--> internet radio

And to extend to additional PCs and radios, then it is the same except there is a list so that it is many to one?

And last, have I described everything I need for a clean basic configuration?

Thanks, john
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22754119
So if I understand correctly about WPA, I set up a password on the router, and the client has to provide the password in order to be functional with the router.  Is this correct? - yes, it is.

Now can I do this at every stage? God knows - never tried that or came across anyone who might....

Should I set up WPA passwords on router1 and router 2 etc?  Personally I would use MAC addresses for all devices, put these onto all routers and not bother with WPA at all.
LVL 26

Accepted Solution

Fred Marshall earned 600 total points
ID: 22754475
I would be more comfortable if you were referring to "wireless clients/hosts" or "wired clients/hosts"  meaning the computers attached to the routers.

I would also be more comfortable if you were to define what you mean by "internet radio" because I have no real idea what that means to you.

Here is a brief tutorial:

WPA only applies to wireless and not to wired.  So, only the wireless clients need to provide it.

MAC filtering isn't considered to be terribly secure but can't hurt when combined with WPA.

WPA-2 is the only version considered to be very secure.  WEP and WPA are hackable.
Use the longest possible passphrases - you can generate them on the web.  Longer passphrases, much longer code-breaking times ... up to the impossible in one's lifetime sort of thing.

WEP and WPA are OK as a "deterrent" from casual lurkers.  In a signal-rich environment they can just pick some other signal/LAN to connect into.  Not much good beyond that and if YOU are targeted by those who know the ropes - better to use WPA-2.

If you cascade routers as you have shown then they are probably providing NAT.
So, the first one might have a LAN address range of 192.168.0.xxx
and the second one might have a LAN address range of 192.168.1.xxx.
I highly recommend NOT using NAT with the same range on the WAN/internet side of the router AND on the LAN side.  So, you may have to configure them to be different.

If you want to isolate computers on one router from computers on another router then put the "more secure" computers after the second router.  
- Computers on the 2nd router can reach the 1st router and all the computers on the 1st router.
- Computers on the 1st router can't generally reach computers on the 2nd router.

You can avoid having NAT after the 2nd router by avoiding its NAT altogether - so that all computers are on the same LAN.  This is a likely configuration if the 1st router doesn't have wireless capability and the 2nd router is added just to provide wireless.  In that case you:
- don't use the WAN/Internet connector on the 2nd router at all.
- plug the 2nd router LAN side into the 1st router LAN side.
- turn off DHCP on the 2nd router ... then it doesn't really matter what IP addresses are.
The 2nd router acts like a switch for both wired and wireless connections and gets them to the 1st router.

I hope this helps.
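
Added example (not part of the answer above or of any router's firmware): a small Python check for the two layouts the answer describes, a NAT cascade that needs different LAN ranges and a LAN-to-LAN hookup that needs DHCP off on the 2nd router. The dictionary schema, router names and addresses are hypothetical, and `can_initiate` encodes only the general reachability rule stated in the answer (no port forwarding).

```python
import ipaddress

def audit_cascade(routers):
    """Check routers listed from the Internet-facing unit inward.

    Each entry (hypothetical schema): name, lan (CIDR of its LAN side),
    wan_used (WAN port cabled to the upstream router?), dhcp (server on?).
    Returns a list of findings; an empty list means the layout is consistent.
    """
    findings = []
    for upstream, router in zip(routers, routers[1:]):
        up_lan = ipaddress.ip_network(upstream["lan"])
        lan = ipaddress.ip_network(router["lan"])
        if router["wan_used"]:
            # NAT cascade: the WAN side sits in the upstream LAN, so the
            # router's own LAN has to use a different range.
            if lan.overlaps(up_lan):
                findings.append(f"{router['name']}: LAN {lan} overlaps WAN-side {up_lan}")
        elif router["dhcp"]:
            # LAN-to-LAN cabling: the unit is only a switch/access point.
            findings.append(f"{router['name']}: DHCP on while cabled LAN-to-LAN")
    return findings

def can_initiate(routers, src, dst):
    """Can a host on routers[src] open a connection to a host on routers[dst]?

    General rule only (no port forwarding): traffic flows outward through
    NAT, but not inward unless every router crossed is cabled LAN-to-LAN.
    """
    if dst <= src:
        return True
    return all(not r["wan_used"] for r in routers[src + 1:dst + 1])

# Constructed sample layouts (addresses and names are made up).
R1 = {"name": "router1", "lan": "192.168.0.0/24", "wan_used": True, "dhcp": True}
NAT_OK = [R1, {"name": "router2", "lan": "192.168.1.0/24", "wan_used": True, "dhcp": True}]
NAT_CLASH = [R1, {"name": "router2", "lan": "192.168.0.0/24", "wan_used": True, "dhcp": True}]
AP_MODE = [R1, {"name": "router2", "lan": "192.168.0.0/24", "wan_used": False, "dhcp": False}]

if __name__ == "__main__":
    for label, layout in (("NAT_OK", NAT_OK), ("NAT_CLASH", NAT_CLASH), ("AP_MODE", AP_MODE)):
        print(label, audit_cascade(layout) or "consistent",
              "| wired PC -> wireless client:", can_initiate(layout, 0, 1))
```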
LVL 44

Assisted Solution

Darr247 earned 600 total points
ID: 22755290
What model routers do you have?
If you're not sure, Linksys prints the model number on the barcode sticker on the bottom of their units.
That's also the only place they have the version#.

> WPA is a protocol that requests and enforces a password that is shared between the
> router and the client(s) as part of its authentication mechanism.

The original WPA was a stopgap measure to upgrade WEP's security by adding Temporal Key Integrity Protocol (TKIP) to the encryption scheme (which uses RC-4 ciphers) of Wired Equivalency Protocol (WEP). It still uses RC-4 encryption, and still includes the passphrase with every packet, which is its weak link.

Using WEP is like closing your door but not locking it. It keeps out only honest people. Google aircrack and you'll find freely available tools to crack WEP in 5 minutes (it is almost-always illegal to do so... there are legitimate uses for those tools, though, such as testing the security on your own network). The same utils can be used to capture packets and decrypt them even if they use WPA (TKIP). WPA (AES) is better, but it's not part of the WiFi WPA specification, so not all devices support it.

All devices that meet the WPA2 spec *do* support AES encryption. The WPA2 passphrase is used mainly during authentication, yet is never actually exchanged between the clients and host, so it adds no overhead to the payload itself, just uses extra processor power to do the complex encryption and decryption.

MAC filters (aka Access Control Lists, or ACLs) are rarely worth the time it takes to set them up, in my honest opinion. Nearly all wireless cards (or wired NICs, for that matter) allow setting a MAC address different than their true hardware address. e.g. See attached.
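
Added example (not from the post above): how a WPA2 pre-shared key is derived on each side from the passphrase and SSID, so the passphrase itself is not sent, and how passphrase length changes the search space, which is the point of the earlier advice to use the longest passphrase possible. The SSIDs, passphrases and the rate of 1e6 guesses per second are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, easy to type on a radio

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key both sides compute locally."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    # PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def generate_passphrase(length: int = 63) -> str:
    """Random passphrase from the OS CSPRNG, generated locally."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random passphrase of this length."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(length: int, guesses_per_second: float = 1e6,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Time to try every random passphrase of this length at an assumed rate."""
    return alphabet_size ** length / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample values: SSIDs and passphrase are made up for the demo.
    a = wpa2_pmk("correct horse battery", "HomeNet")
    b = wpa2_pmk("correct horse battery", "HomeNet-Radios")
    print("same passphrase, different SSID, same key?", a == b)
    for n in (8, 12, 20, 63):
        print(f"{n:2d} chars: {entropy_bits(n):6.1f} bits, "
              f"{years_to_exhaust(n):.3g} years at 1e6 guesses/s")
```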
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22755466
Good job that we do have our own opinions :) else we might be the same person.


Author Comment

ID: 22790065
Sorry I have not responded.  I lost a whole day traveling up the SF Bay because of the D... tanker/crash fire.  It took me over 4 hours to make what is usually a 40 minute trip.  Also because of my domain, sellers.com I attract more than my share of worms and the like.  I'm dealing with one now.  I do have several comments when I finish playing catchup.   Again, sorry.
:-)  -  John


Question has a verified solution.
