Configuring Wireless
Configuring the Wireless Access Point and Wireless Ethernet Adapters
Once you have decided on the wireless equipment you will use, the next hurdle to overcome is configuring equipment to work together. With a wired network, there is no configuration of this sort. We can plug almost any cable into any hub, switch, router, or Ethernet adapter and be fairly certain a link will be established between the two devices. With wireless networking, this is not (yet) true. The radio medium must be configured before the equipment will exchange any data with each other, and this must be completed correctly before the network configuration can be completed (which was discussed in Configuring Your Network).
The specific WAP used as an example here is a NetGear WGT624-V2 combination router (with firewall), 4-port 10/100 switch, and 802.11g (54 Mbps) wireless access point. It also features Netgear's proprietary 108 Mbps Super G technology, which supports data rates at up to twice the standard 802.11g (according to Netgear) when used with Netgear wireless Ethernet adapters with Super G technology. The wireless Ethernet adapter used is Netgear's WG511T wireless 802.11g Ethernet adapter with Super G technology. While there will be similarities, other manufacturers' installation and setup will differ somewhat from what is shown here. However, the goals of these operations are the same. Different models of wireless equipment from the same manufacturer also have different installation programs and procedures. The user's guide for the devices you purchase should have the specific information you need. For the rest of this section, the term "WAP" will be used to describe both dedicated WAP devices and combination devices unless we need to distinguish between the two. Before we go into how to set the items, let's take a look at the items we will need to set.
There are a large number of variables that can be set, but only a few of them must be set when establishing the radio connection. The first is to decide on the channel to be used. In 802.11b and g networks, the network transmits in the 2.4 GHz frequency band. However, there are multiple specific frequencies (channels) in that band that are available. The number and exact frequencies used vary depending on the country you live in. In the U.S., there are 11 channels numbered 1 through 11. This is one way that several discrete wireless LANs can be established in the same physical location. If you live in a dorm or townhouse environment and someone else purchases wireless equipment from the same manufacturer, the two radio transmissions will interfere with each other if they are both left at the defaults. If the default channel number for the WLAN is 6, you could decide to use channel 3 instead. That way, you can both have WLANs with overlapping operational ranges, but they won't interfere with each other. (If your neighbor has left his WLAN at the manufacturer's defaults and doesn't want to touch anything in case they "break it," you may have to get them to shut their WAP off until you get yours configured to not interfere.)
The second variable is the Service Set Identifier or SSID. This is the name of the WLAN assigned by the WAP. It is fairly arbitrary and you should feel free to give it a name you find easy to remember. Linksys WAPs like to use "linksys" or "wireless" as the default SSID. Netgear seems to use "NETGEAR." This isn't guaranteed by any means, and the manual that comes with the WAP will identify what the default channel and SSID are. (They are sometimes printed somewhere on the WAP itself as well.) Technically, two (or more) WLANs operating on the same channel, but using different SSIDs, can also co-exist, but the transceivers on all the WAPs and wireless Ethernet adapters will see all the WLAN traffic. They will ignore the traffic without the proper SSID. However, if the WAPs are operating on different frequencies, they will have less radio traffic to inspect, and the throughput will be higher. If you know you have a neighbor operating a wireless LAN, you should find out what channel they are using and pick a different one if possible. (One caveat: if you decide to use Netgear's proprietary Super G 108 Mbps speed, only channel 6 can be selected. Therefore, a different SSID would have to be used to differentiate two Netgear WAPs if both are using the Super G mode.)
A third variable is the encryption settings, which we will leave for later. Using a secret key you choose for your network, all traffic will be encrypted at a level that will make it unreadable by others with a wireless Ethernet adapter if they happen to come in the transmission range of your WAP. Most WAPs come with the encryption disabled (although some come with it enabled and with an initial, random secret key printed on the WAP). While this aids in the initial setup of the WLAN (by removing one of the variables to contend with), it's not how you want to operate normally. We'll leave it disabled for now until we get the basic network up and going. In practice, you do not want to operate your WLAN without some form of encryption.
Most WAPs can be (or must be) configured using a web browser like Internet Explorer. The WAP has a built-in, specialized web server used for configuration. Rather than browsing to a well-known URL like www.google.com, you instead browse to the internal LAN address of the WAP. For the Linksys WRT54G and most other Linksys combination devices, that address is 192.168.1.1 by default, so http://192.168.1.1 is the address of the main configuration page. For the Linksys WAP54G, on the other hand, the default IP address is 192.168.1.245. The user's guide for your WAP will give the default IP address.
Here, we find ourselves in another chicken and egg situation. We would like to change the default settings of the WAP's channel and SSID. However, in order to do that with a wireless Ethernet adapter, we have to first talk to the WAP's configuration web pages using its default configuration. We will also need to configure the Ethernet adapter to have an IP address on the WAP's default LAN, which is a topic we really don't formally tackle until after the wireless radio medium configuration is completed. We have to do this in order to be able to contact the WAP, so that we can tell it what changes we want to make. (Note: If we are setting up a combination router/firewall/switch/WAP, this can also be done using a wired Ethernet adapter connected to one of the LAN ports on the switch portion of the box. However, this section will go over the general case that works for both standalone WAPs and combination router/WAPs.)
Set the Wireless Ethernet Adapter's Channel and SSID to the WAP's Defaults
First, we need to set the default SSID in the wireless Ethernet adapter to match the default SSID of the WAP in order for the Ethernet adapter to be able to communicate with the WAP for the rest of the configuration. If you purchased your WAP and Ethernet adapter from the same manufacturer and they are complementary models, the SSID of the adapter may already be set to match the WAP's SSID. If this is so, you can skip to the next section.
We change the SSID used by the wireless Ethernet adapter using the software supplied by the adapter's manufacturer. (Windows XP [at least since service pack 1 or 2] and Vista also come with the Wireless Network Setup Wizard. However, I've always had better luck with the manufacturer's programs written for their hardware.) With the wireless Ethernet adapter installed and powered up, we launch the configuration utility. Every wireless adapter I've had seems to come with a radically different looking configuration utility - even for different wireless models from the same manufacturer. For this example, I'm using a Netgear WG511T 802.11G wireless Ethernet adapter. I also have the Linksys WPC54GS wireless Ethernet adapter, which has a very different looking utility, but with more or less the same functionality. If the utility for your wireless adapter doesn't look like the screens shown here, don't fret about it. Just try to understand the purpose of what's being done, and you should be able to translate it to your configuration utility. Our goal here is just to make sure that the adapter is using the same SSID as the WAP.
The Netgear wireless utility for its wireless adapter - NETGEAR WG511T Smart Configuration - has the ability to scan for wireless networks that are within range. If we didn't know (or forgot) the default SSID of the wireless access point, we could use this utility to find out. (However, our home WAP can be set to not broadcast its SSID, so this may not work.) In order to do that with the Smart Configuration utility, we open it and pick the Networks tab. Clicking on the Scan button starts a scan.
When the scan has completed, any networks found are displayed as shown below. This WAP is still set to its default values, namely an SSID of "NETGEAR" and no security. (The user's manual said the same thing, so this isn't much of a surprise.)
Now, we need to set our adapter to match the SSID of the WAP (if it's not already set to that value). The SSID setting for the WAP is the name of the network that it controls and needs to be the same for both the WAP and (all of) the wireless adapter(s). Once set for the Ethernet adapter, that SSID is the only network that it will pay attention to. If other wireless traffic from another SSID is broadcasting in the same area and on the same channel, both the WAP and wireless Ethernet adapters will ignore it. For the Netgear WG511T, that SSID is changed on the Settings tab.
Above, I have set the name of the SSID to "NETGEAR" and I will save it in a profile named "Netgear." (Apparently, I wasn't feeling too inventive when I captured these screens.) Leave the security setting at "Disabled" (or change it to disabled if it isn't already) and hit the Apply button. (We will enable the security settings once we have established the basic wireless network. "Baby steps, Ellie, baby steps.") The result should be the screen pictured below. That is, the Ethernet adapter should change from "Scanning" to displaying the new connection.
The status indicator line at the bottom of the screen now shows the wireless network we are connected to (NETGEAR), the channel being used (11), the current connection speed (54 Mbps at the moment, although this WAP and adapter card can go up to 108 Mbps), and the signal strength (8 of 8 dots or 100%; the WAP is just across the room from my laptop). I also clicked on the Save Profile button so I can recall this setup later if I need to. Using profiles comes in handy when we have a laptop that travels between wireless networks at home and work.
Note that we set the SSID, but we didn't set the channel. Most wireless Ethernet adapters will scan through the available channels and find the one your WAP is transmitting on. The adapter will stop when it finds a WLAN that matches the SSID it is set to. If this does not happen, most cards will let you set the channel manually. (This is left as an exercise for the reader.)
Now that the radio medium is established - the wireless equivalent of connecting the cable between the PC and the switch - we need to configure the Ethernet adapter to be on the same logical network as the WAP. That is, the adapter needs to have an IP address on the same network that the WAP operates its LAN and WLAN on. (However, it cannot be the exact IP address of the WAP; no two devices on the same network can share the same IP address.) Exactly what that IP address should be depends on the manufacturer (and possibly model) of your WAP. Assuming there is a router somewhere on your network - as will be the case if this is a combination router/switch/WAP - you may find that your newly-connected machine got a valid IP address using DHCP.
To make things simple and remove as many variables as possible, you may find it easier to set the address of the Ethernet adapter you are using (wired or wireless) manually to start with. It must be valid with respect to the WAP's default settings. For example, if the WAP uses 192.168.0.1 as its default LAN address, the manual setting for the adapter should be 192.168.0.xxx, where "xxx" can be any number between 2 and 254, inclusive. (You can't use 1 because the WAP has reserved that address for itself.) The manual that came with the WAP will tell you what the WAP's default LAN (a.k.a., inside, internal, local) IP address is. You will need to jump to the section Fixed/Static IP (Manual) IP Assignment in order to find out how to set the IP address manually, and then return here.
Configuring the Wireless Router
Connect to the Router/WAP's Configuration Pages
Now that your Ethernet adapter has the SSID of the WAP and an IP address on the WAP's network, we need to configure the WAP to the settings we want for our wireless network. First, we just need to see if we can contact it at all. To test whether we have our Ethernet adapter configured to talk with the WAP, let's bring up the WAP's administration pages. Most WAPs and routers have a built-in mini web site that can be used to check their status and to change their configuration. So to view the WAP's settings, we use a web browser like Internet Explorer or Firefox just like we would use to visit any other web site. The user's guide that came with your WAP will tell you for sure, but typically you get to the WAP's configuration pages by typing 192.168.0.1 or 192.168.1.1 into the address bar. Linksys equipment, for example, tends to use the "1.1" address. Netgear WAPs typically use the ".0.1" address instead.
Above is an example of logging in to the Netgear WGT624 router. Note the IP address typed into the address bar as the URL. We can change the LAN IP address of the router if we wish. Notice that a dialog box popped up for us to enter the username and password for the router. By default, the Netgear WGT624's password is "password." (Sometimes, they aren't too imaginative either, so I don't feel so bad.) The default user name is "admin," and I have yet to find a way to change it. On the Linksys WRT54GS router, you get the same dialog box, but Linksys doesn't care what you type into the user name field (including nothing at all). The Netgear router does care. Once we have entered the administration password for the router, you should see the main page of the router configuration like the one below. (The very first time you log on to the router, you may be prompted with a page asking if you want to automatically detect your settings or get an offer to check for upgraded firmware. Decline such pages for now.)
Every router's main page is different, and right now, we're concerned with changing the wireless settings. Therefore, we'll put discussing this page off until later and just click on the Wireless Settings link on the left menubar under the heading Setup. That brings up the basic wireless settings page as discussed in the next section. (Note there is a Wireless Settings Page under the Advanced heading, too.)
Set the WAP's Channel and SSID to Your Desired Choices
If you purchased your WAP and wireless Ethernet adapter from the same manufacturer, the wireless Ethernet adapter will probably be configured with the same defaults for the channel and SSID as the WAP. This means that your laptop or desktop will probably be able to talk to the WAP as soon as you install the software and drivers for the adapter. Even so, you will want to change the defaults.
If your wireless Ethernet adapters don't initially have the same channel and SSID as the WAP, you will need to change (at least one of) the adapter(s) to match the WAP at least long enough to change its settings. (See the section Set the Wireless Ethernet Adapter's Channel and SSID to the WAP's Defaults if you haven't done this already.) If you have a combination router/switch/WAP, you can also use a wired connection to the switch to configure the WAP's channel and SSID. Every router's wireless settings screen is different, but they will have a page for setting the SSID. The basic wireless configuration page for the WGT624 is shown below.
In the next screen, I've changed the default SSID from the default ("NETGEAR") to my desired name - Hard2Guess. Please don't use that name. Make up your own. Just make it something you'll easily remember and others aren't likely to use themselves.
You should also set the region at this time if it is not already set. Setting it to United States defines how many and which exact channels (frequencies) the WAP's radio transceiver can use. (In the case of the US, it's 11 channels.) If you want, you can also pick a specific channel to use. If you aren't getting the range you want or you have a 2.4 GHz cordless phone (or wireless mouse/keyboard or RF remote control or wireless speakers for your home theater or ....) that's interfering with your wireless LAN, changing the channel may help. With this particular router, I changed the mode to "Auto 108Mbps" in order to take advantage of Netgear's proprietary "Super G" 108 Mbps speed. Doing so locks the channel at 6, so I have no choice in this case. We'll leave the security options set to "Disable" for now. Hit the Apply button to make the changes and continue on to the next section.
Reset the Wireless Ethernet Adapter
Reset the Wireless Ethernet Adapter's Channel and SSID to the WAP's New Settings
Most of the time when you make a change on the router and hit Apply, the router will go to a special page or pop up a dialog box to let you know the changes were made successfully or at the very least return you to the same page with the changes showing. However, when you apply this change, the Netgear router doesn't come back at all. Why not? Because you've just changed the WAP to only talk to cards on the newly-named WLAN (i.e., "Hard2Guess"). Your wireless Ethernet adapter is not on that WLAN; it's still using the old SSID named "NETGEAR." If you open your wireless adapter's configuration utility and again scan for networks, you'll see the new Network Name (SSID) you chose listed as shown below.
For the Netgear WG511T, we fix this problem by going back to the Settings tab just like you did in the Set the Wireless Ethernet Adapter's Channel and SSID to the WAP's Defaults section. However, this time we set the SSID to match the new one as shown below. (You may have to close and reopen your browser before you'll be able to browse to any other configuration pages for the WAP. If so, do that now.)
Hit the Apply button and your adapter should connect using the new SSID (as it did originally using the WAP's default SSID). Continue on to the next section.
Change the Router/WAP's Default Password
When choosing a password, pick something you will remember, but make it hard to guess. In general when picking a password, include numbers, letters and special characters like "!@#%^&" if your router will allow it. Also, passwords are case sensitive, so use both upper and lower case.
On the Netgear WGT624, the router's default password is found on the page accessed by clicking on the Set Password menu found under the heading of Maintenance as shown here.
This will bring up the password change page as shown below. On this page, type in the default password and the new password you have chosen (twice to verify you've set it correctly since the dialog does not display what you type). Press the Apply button when you are finished. Most routers, the WGT624 included, will make you log in with the new password in order to continue.
Additional Wireless Security Measures
Turn Off SSID Broadcasting?
I used to be a big proponent of turning off the broadcasting of your WAP's SSID in order to hide it from would-be hackers. The theory was turning off SSID broadcast makes it harder for outsiders to use your network since they would first have to guess your SSID. Since then, it was demonstrated to me just how simple and effective it is to use a wireless hacking program that can sniff out the SSID of a WLAN even if it is not being broadcast in the usual fashion. The program isn't particularly hard to find, so I've changed my viewpoint to hide it if you want to, but don't expect that will do much. I've also had trouble with some wireless Ethernet adapters (in laptops) reconnecting to the WLAN if the SSID broadcast is off.
In order to turn off the SSID broadcast, you'll need to find that setting in your router's configuration. For the WGT624, that setting is on the Advanced Wireless Settings page. Click on the Wireless Settings menu entry under the Advanced heading.
On the Advanced Wireless Settings screen, click on the Enable SSID Broadcast checkbox to clear it (so there is no "check" in the box) and hit the Apply button. If you go to the Networks tab of the WG511T wireless Ethernet adapter's configuration utility (as you did in the section Set the Wireless Ethernet Adapter's Channel and SSID to the WAP's New Settings), you will still see the Network name if you scan for networks. This is because that adapter already knew the name.
However, any adapter that did not already know the SSID of your network will see the following if they do a scan. The wireless adapter can see that there is a wireless network operating at the "G" speed on channel 6, but it can't determine the Network Name. Thus it is blank.
Enable Wireless Encryption
Not all hackers just want to use your wireless LAN; some want to monitor it to learn personal information, passwords, and credit card numbers. If your WLAN is operating in a small office, a hacker may be interested in learning your trade secrets, active court cases, or delivery schedule. Tools exist for hackers to capture and analyze your wireless network traffic without appearing to be connected to your WLAN. For these reasons, encrypting the traffic on your wireless LAN is almost essential. It also just happens to keep freeloading neighbors off your WLAN, too.
Initially, there was no encryption available on 802.11 networks as security was an optional part of the standard. Later, Wired Equivalent Privacy (WEP) encryption became available. However, WEP has some well-documented weaknesses that were found soon after its introduction. (Still, WEP is better than no encryption, and 128-bit WEP is better than 64/40-bit WEP.) Any hacker with enough time within range of your wireless network can capture enough wireless traffic to break WEP's encryption. WEP may keep the 10-year-old next door off your WLAN, but nowadays, it won't even slow down anyone who is determined to compromise your wireless network. A decent WEP cracking program on a modest laptop can generally crack a WEP password in under 10 minutes.
Later versions of the 802.11 specification promoted Wi-Fi Protected Access (WPA) Pre-Shared Key (WPA-PSK) as the encryption protocol. WPA-PSK is much stronger than WEP while still based upon it, which let existing routers take advantage of it with only firmware upgrades. The next picture shows setting the WPA-PSK with the Netgear WGT624 using the Basic Wireless Settings page. (Remember to first set the wireless settings on the WAP and then go back and set the wireless Ethernet adapter to match.) Click on the radio button next to "WPA-PSK" and then enter a passphrase.
Unfortunately, WPA-PSK can also be compromised and has since been updated to WPA2. The newer WPA2 encryption can be compromised, but has technologies in it to make it much more difficult. If your wireless equipment supports WPA2, using it is more secure than WPA. WPA2 also comes in a couple of flavors: TKIP and AES. Both are good, but AES is better. If given a choice, use AES. Any recently manufactured wireless equipment should support WPA2 and AES. Using a passphrase of 21 characters or more makes it significantly more difficult so long as a strong password (i.e., void of common dictionary words) is used. This is because these types of encryption are particularly susceptible to dictionary attacks against passphrases. The passphrase can be up to 63 characters in length. Making the phrase longer and more complex and using a mix of letters (upper and lower case), numbers and special characters makes the password significantly more difficult to crack. One way to do this that is easier to remember is to substitute numbers for certain letters (that have the effect of spelling those letters backward or look similar to the original letter). For example, use "3" instead of "E" or "e" and "1" instead of "I." As mentioned, using special characters is very good. For example, use '!' as a substitute for the word "not" or '&' for "and". The passphrase "Th1s1s!MyP@55p4r@53UF00l" is much stronger than "thisisnotmypassphraseyoufool" will ever be. Just be sure to remember what your scheme is.
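How the passphrase and the SSID combine into the network key, together with a check of a candidate passphrase against the criteria above, as an added example that is not part of the original page. WPA-PSK and WPA2-PSK derive the 256-bit key with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations; the word list, the look-alike table and the function names are assumptions made for illustration.

```python
import hashlib

MIN_LEN, MAX_LEN = 8, 63   # WPA/WPA2 passphrase limits (printable ASCII)
RECOMMENDED_LEN = 21       # minimum length recommended in the text above

# Default SSIDs named earlier on this page.
DEFAULT_SSIDS = {"netgear", "linksys", "wireless"}

# Constructed sample word list; a real check would load a much larger one.
COMMON_WORDS = {"password", "passphrase", "welcome", "letmein", "internet"}

# Look-alike substitutions mapped back to letters (illustrative table).
# Swapping characters inside a dictionary word still leaves a dictionary
# word, so the word check below runs on this form as well.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def is_valid_passphrase(passphrase):
    """True if the passphrase is 8-63 printable ASCII characters."""
    printable = all(32 <= ord(c) <= 126 for c in passphrase)
    return printable and MIN_LEN <= len(passphrase) <= MAX_LEN


def derive_psk(passphrase, ssid):
    """Return the 32-byte pre-shared key for this passphrase and SSID."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    # The SSID is the salt: the same passphrase gives a different key on
    # every differently named network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_passphrase(passphrase, ssid):
    """Return a list of findings; an empty list means no issue was found."""
    if not is_valid_passphrase(passphrase):
        return ["not a valid passphrase (8-63 printable ASCII characters)"]
    findings = []
    if len(passphrase) < RECOMMENDED_LEN:
        findings.append(f"shorter than {RECOMMENDED_LEN} characters")
    classes = {
        "lower-case letter": str.islower,
        "upper-case letter": str.isupper,
        "digit": str.isdigit,
        "special character": lambda c: not c.isalnum(),
    }
    for name, matches in classes.items():
        if not any(matches(c) for c in passphrase):
            findings.append(f"no {name}")
    lowered = passphrase.lower()
    forms = (lowered, lowered.translate(LEET))
    hits = sorted(w for w in COMMON_WORDS if any(w in f for f in forms))
    if hits:
        findings.append("contains dictionary word(s): " + ", ".join(hits))
    if ssid and ssid.lower() in lowered:
        findings.append("contains the SSID")
    if ssid.lower() in DEFAULT_SSIDS:
        # A factory-default SSID is a salt shared with many other networks,
        # which is one more reason to rename the WLAN.
        findings.append("SSID is a factory default")
    return findings


if __name__ == "__main__":
    samples = [("thisisnotmypassphraseyoufool", "Hard2Guess"),
               ("Th1s1s!MyP@55p4r@53UF00l", "Hard2Guess"),
               ("P@55w0rd", "NETGEAR")]
    for phrase, ssid in samples:
        print(ssid, derive_psk(phrase, ssid).hex()[:16] + "...",
              audit_passphrase(phrase, ssid) or "no findings")
```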
Once the WAP has been set and the Apply button pressed, you will lose connectivity with your wireless LAN until the wireless Ethernet adapter has been changed to match the WAP's new settings. With the Netgear WG511T, this is done using the Settings tab in the Smart Configuration utility. Click on the Advanced radio button.
This will cause the Advanced Security dialog to appear. Enter the same passphrase you used for the WAP and press the OK button.
For most types of wireless Ethernet adapters, changing to the Wireless Access Point's SSID and encryption method with the proper passphrase is all that is required. The card should now be able to connect to the WAP and send & receive data as it did when it was set to the defaults. If there is a problem at this point, try re-entering the passphrase on the wireless Ethernet adapter (and check that it matches what was entered for the WAP). It may be necessary to reset the WAP (router) and the wireless adapter back to the defaults and try again.
Configuring MAC Address Filtering
One of the earliest forms of WLAN protection was MAC Address Filtering. The term "MAC" is short for Media Access Control. Every hardware device on an 802 network (wired or wireless) has a unique MAC address. This is not the same as the IP address; the MAC address can be thought of as "stamped" onto that network device. It's much like the VIN number found on an American automobile. To start, open a Command Prompt window as shown below.
In the Command Prompt window, type in the command ipconfig /all. The "Physical Address" listed is the MAC address for the Ethernet adapter in use.
Most WAPs will let you enter a list of MAC addresses of "approved" wireless devices that will be allowed to use the WAP's services and connect via a wireless connection. (Some routers also have a list for wired devices kept either separately or in combination with the wireless list.) Using "MAC address filtering," as it is called, helps to keep people from using your network, but it does nothing to keep them from capturing the traffic generated by it. (Hence, encryption is still needed.) Also, MAC addresses are not secure; programs exist that will allow the MAC address of a wireless card to be temporarily changed to mimic any MAC address - including one in your approved list. This is just one more tool to help keep unwanted wireless devices off your network. To set up MAC Address Filtering on the WGT624, go to the Advanced Wireless Settings page using the left menu. Then click on the Setup Access List button.
Check the "Turn Access Control On" check box and hit the Apply button.
This will refresh the page with a list of wireless adapters currently in range. Most WAPs start with a list of devices currently connected in order to make it easy to set up the initial list.
Select the radio button next to the one(s) you wish to include. You can also manually enter the MAC address (found using the ipconfig /all command in the Command Prompt window).
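Collecting the "Physical Address" values from ipconfig /all output and comparing them with the devices a router reports, as an added example that is not part of the original page. The ipconfig text and the attached-device list are constructed samples, the colon-separated output format is an assumption about what the router's access list accepts, and the function names are hypothetical.

```python
import re

# Constructed sample of `ipconfig /all` output (addresses are made up).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Wired adapter (constructed sample)
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes

Ethernet adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Wireless adapter (constructed sample)
   Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-01
   DHCP Enabled. . . . . . . . . . . : Yes
"""

# Adapter headers start in column 0 and end with a colon.
ADAPTER_RE = re.compile(r"^(\S.*):\s*$")
MAC_RE = re.compile(
    r"^\s+Physical Address[ .]*:\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s*$")


def normalize_mac(mac):
    """Return a MAC as upper-case, colon-separated text (AA:BB:CC:DD:EE:FF)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ipconfig(text):
    """Map each adapter header to its normalized physical address."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        mac = MAC_RE.match(line)
        if mac and current:
            adapters[current] = normalize_mac(mac.group(1))
    return adapters


def is_locally_administered(mac):
    """True if the address was assigned in software rather than burned in."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def review_attached(attached, approved):
    """Split the router's attached-device list against the approved set."""
    approved = {normalize_mac(m) for m in approved}
    seen = [normalize_mac(m) for m in attached]
    return {
        "unapproved": [m for m in seen if m not in approved],
        # A software-set address is worth a second look. A device that
        # copies an approved address is NOT caught by either list, which
        # is why the filter only supplements encryption.
        "locally_administered": [m for m in seen if is_locally_administered(m)],
    }


if __name__ == "__main__":
    approved = parse_ipconfig(SAMPLE_IPCONFIG).values()
    # Constructed list of devices as a router's status page might show them.
    attached = ["00:aa:bb:cc:dd:01", "02-00-00-AB-CD-EF", "00:11:22:33:44:66"]
    print(review_attached(attached, approved))
```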
Disabling an Unused Wireless Network
If your ISP supplied your router, it will likely include wireless networking built in. By default, it is usually enabled and either not secured or secured only with the factory default settings. If this is the case, and you aren't going to use the wireless capabilities, you should disable them completely - unless you want to provide free Internet service to your neighbors (which likely violates the Terms of Service with your ISP). If you don't, they can use your wireless connection freely for any purpose they choose such as illegal file downloading and sharing. This is especially prevalent in townhomes and apartment buildings. If the RIAA lodges a complaint about illegal file sharing, it will be traced to the IP in use by your account. Your ISP will generally terminate your service permanently without question upon receipt of the complaint even if you weren't aware of the activities taking place. Even if they aren't doing anything illegal, they may be doing things that use lots of your network's bandwidth, and it's quite possible they will be able to see and inspect the devices on your network. Let's avoid that.
If you aren't going to use the wireless capabilities, the best thing to do is to shut them off. (If you are going to use wireless networking, you want to configure your network to use wireless encryption and perhaps take other security precautions.) How the wireless is shut off varies between different makes and models of routers. You will need to consult the user's guide for your router. What you are looking for is something that disables wireless networking or disables the wireless radio. In the example below, the check box is simply labeled, "Enable Wireless Router Radio." Take care not to confuse this with a setting to Enable the SSID broadcast. These two settings are not the same and disabling the SSID broadcast does not disable wireless networking.
If you've ventured this far, congratulations! You've reached the end of configuring the wireless network medium. Now it's time to go back to Configuring Your Network. Having gone through this section, you have a leg up on that task because we had to do a good portion of it in order to configure the radio medium. Don't worry if you don't need to do some of the tasks in that section because they were already done when you went through this section.