Solved

How do I correctly set up 2 routers (one is wireless) with WPA and MAC Address filtering?

Posted on 2008-10-19
9
456 Views
Last Modified: 2013-12-09
I wish to reconfigure existing Linksys router to be sure it is correctly using WPA and MAC Addressing with my PC, and future additional PC.

Hooked to this router I was planning on adding a wireless router also using WPA and MAC Addressing (I think...not solid on concepts).  This wireless router I've managed to configure for WPA with the wireless portion and (if I am understanding correctly) want to also use MAC Addressing.

The only thing I plan to use with the wireless is a couple of WPA & MAC Addressing compatible wireless internet radios.  I don't know how this all works but the radios are capable of working without the PC and was hoping to do this in such a way that I could turn off PC without affecting radio operation.

The DSL connection is EarthLink passworded and this worries me in relation to the radios stand alone...but they support stand alone operations so I am assuming I can handle this without a problem.

I am assuming once the PC is off, my routers are safe from hacking even if they will be on Internet.

If I have said things wrong, please guide me to the True path of doing it right....thanks

PS  I am wondering if I am asking too much and this should be 500 points?  feedback?
0
Comment
Question by:j-sellers
9 Comments
 

Author Comment

by:j-sellers
ID: 22751382
I just posted.  it is about 1:30 AM.  Going to bed.  Will check in the morning.  Thanks.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 100 total points
ID: 22753242
Let's take this from the top.

WPA is a protocol that requests and enforces a password that is shared between the router and the client(s) as part of its authentication mechanism. MAC addressing is where you physically insert the MAC addresses of the machines that are authorised to make use of the router. The router will check the source MAC address of packets received against this list.

You can use MAC addressing and WPA together but not all 'non-business' class devices support that approach - it is one or the other. No idea on Linksys - I use Cisco.

Your approach sounds fine. Yes, that should work quite happily.

Yes, the routers will be safe. There is a two phase aspect to these. The MAC address/WPA is part of the outbound stage only. It does NOT apply to machines that are outside of your router (on the Internet/ADSL side).

Keith



0
 

Author Comment

by:j-sellers
ID: 22753386
So if I understand correctly about WPA, I set up a password on the router, and the client has to provide the password in order to be functional with the router.  Is this correct?

Now can I do this at every stage?

In other words, if these are the paths:
Internet---wired router 1---wireless router 2---Internet radio.
Internet---wired router 1---PC 1

Should I set up WPA passwords on router1 and router 2.
& Require
   1) PC1 to know router 1 password
   2) router 2 to know router 1 password
   3) Internet radio to know router 2 password

And is the MAC address a reciprocal pair relationship?
Can I do the following pairs such that each member of the pair knows and uses the other's MAC address?
   1) PC <--> router 1
   2) router 1 <--> router 2
   3) router 2 <--> internet radio

And to extend to additional PCs and radios, then it is the same except there is a list so that it is many to one?

And last, have I described everything I need for a clean basic configuration?

Thanks, john
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22754119
So if I understand correctly about WPA, I set up a password on the router, and the client has to provide the password in order to be functional with the router.  Is this correct? - yes, it is.

Now can I do this at every stage? God knows - never tried that or came across anyone who might....

Should I set up WPA passwords on router1 and router 2 etc?  Personally I would use MAC addresses for all devices, put these onto all routers and not bother with WPA at all.
 
Yes.
0
 
LVL 25

Accepted Solution

by:Fred Marshall
Fred Marshall earned 200 total points
ID: 22754475
I would be more comfortable if you were referring to "wireless clients/hosts" or "wired clients/hosts"  meaning the computers attached to the routers.

I would also be more comfortable if you were to define what you mean by "internet radio" because I have no real idea what that means to you.

Here is a brief tutorial:

WPA only applies to wireless and not to wired.  So, only the wireless clients need to provide it.

MAC filtering isn't considered to be terribly secure but can't hurt when combined with WPA.

WPA-2 is the only version considered to be very secure.  WEP and WPA are hackable.
Use the longest possible passphrases - you can generate them on the web.  Longer passphrases, much longer code-breaking times ... up to the impossible in one's lifetime sort of thing.

WEP and WPA are OK as a "deterrent" from casual lurkers.  In a signal-rich environment they can just pick some other signal/LAN to connect into.  Not much good beyond that and if YOU are targeted by those who know the ropes - better to use WPA-2.


If you cascade routers as you have shown then they are probably providing NAT.
So, the first one might have a LAN address range of 192.168.0.xxx
and the second one might have a LAN address range of 192.168.1.xxx.
I highly recommend NOT using NAT with the same range on the WAN/internet side of the router AND on the LAN side.  So, you may have to configure them to be different.

If you want to isolate computers on one router from computers on another router then put the "more secure" computers after the second router.  
- Computers on the 2nd router can reach the 1st router and all the computers on the 1st router.
- Computers on the 1st router can't generally reach computers on the 2nd router.

You can avoid having NAT after the 2nd router by avoiding its NAT altogether - so that all computers are on the same LAN.  This is a likely configuration if the 1st router doesn't have wireless capability and the 2nd router is added just to provide wireless.  In that case you:
- don't use the WAN/Internet connector on the 2nd router at all.
- plug the 2nd router LAN side into the 1st router LAN side.
- turn off DHCP on the 2nd router ... then it doesn't really matter what IP addresses are.
The 2nd router acts like a switch for both wired and wireless connections and gets them to the 1st router.

I hope this helps.
0
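A check for the cascaded-NAT address advice in the answer above, written as an added example that is not part of the original post: given each router's WAN address and LAN range, it reports a router whose WAN address falls inside its own LAN range and LAN ranges that overlap between routers. The function name and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def audit_cascade(routers):
    """Check a chain of NAT routers, listed from the Internet side inward.

    Each entry is (name, wan_ip, lan_cidr). Returns a list of problem strings.
    """
    problems = []
    upstream = []  # (name, LAN network) of routers already seen
    for name, wan_ip, lan_cidr in routers:
        wan = ipaddress.ip_address(wan_ip)
        lan = ipaddress.ip_network(lan_cidr)
        # Same range on the WAN and LAN side: the router cannot tell which
        # interface a destination address lives on.
        if wan in lan:
            problems.append(f"{name}: WAN address {wan} is inside its own LAN {lan}")
        for up_name, up_lan in upstream:
            if lan.overlaps(up_lan):
                problems.append(f"{name}: LAN {lan} overlaps {up_name} LAN {up_lan}")
        # The WAN port of a cascaded router should hold an address from the
        # LAN of the router directly above it.
        if upstream and wan not in upstream[-1][1]:
            up_name, up_lan = upstream[-1]
            problems.append(f"{name}: WAN address {wan} is not on {up_name} LAN {up_lan}")
        upstream.append((name, lan))
    return problems

# Constructed sample values (203.0.113.10 is a documentation address).
GOOD = [("router1", "203.0.113.10", "192.168.0.0/24"),
        ("router2", "192.168.0.2", "192.168.1.0/24")]
# Both routers left on the same default range.
BAD = [("router1", "203.0.113.10", "192.168.1.0/24"),
       ("router2", "192.168.1.2", "192.168.1.0/24")]

if __name__ == "__main__":
    for label, chain in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_cascade(chain) or "no conflicts")
```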
 
LVL 44

Assisted Solution

by:Darr247
Darr247 earned 200 total points
ID: 22755290
What model routers do you have?
If you're not sure, Linksys prints the model number on the barcode sticker on the bottom of their units.
That's also the only place they have the version#.


> WPA is a protocol that requests and enforces a password that is shared between the
> router and the client(s) as part of its authentication mechanism.


The original WPA was a stopgap measure to upgrade WEP's security by adding Temporal Key Integrity Protocol (TKIP) to the encryption scheme (which uses RC-4 ciphers) of Wired Equivalency Protocol (WEP). It still uses RC-4 encryption, and still includes the passphrase with every packet, which is its weak link.

Using WEP is like closing your door but not locking it. It keeps out only honest people. Google aircrack and you'll find freely available tools to crack WEP in 5 minutes (it is almost-always illegal to do so... there are legitimate uses for those tools, though, such as testing the security on your own network). The same utils can be used to capture packets and decrypt them even if they use WPA (TKIP). WPA (AES) is better, but it's not part of the WiFi WPA specification, so not all devices support it.

All devices that meet the WPA2 spec *do* support AES encryption. The WPA2 passphrase is used mainly during authentication, yet is never actually exchanged between the clients and host, so it adds no overhead to the payload itself, just uses extra processor power to do the complex encryption and decryption.

MAC filters (aka Access Control Lists, or ACLs) are rarely worth the time it takes to set them up, in my honest opinion. Nearly all wireless cards (or wired NICs, for that matter) allow setting a MAC address different than their true hardware address. e.g. See attached.
Dell-WLAN-Adv-tab.png
Spoof-MAC-Address.png
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22755466
Good job that we do have our own opinions :) else we might be the same person.

Keith_Alabaster
0
 

Author Comment

by:j-sellers
ID: 22790065
Sorry I have not responded.  I lost a whole day traveling up the SF Bay because of the D... tanker/crash fire.  It took me over 4 hours to make what is usually a 40 minute trip.  Also because of my domain, sellers.com I attract more than my share of worms and the like.  I'm dealing with one now.  I do have several comments when I finish playing catchup.   Again, sorry.
:-)  -  John
0
