
Ok, finally....

H8R

Cranky Pants
Nov 10, 2004
13,959
35
Wireless networking can be tough. Especially when you learn as you install.

I am the "default" IT guy at my new job. The owner asked if I could configure a wireless link from the main office building to a production office trailer about 1000 feet away down on the bottom end of the property. The main office is about 15-20 higher in elevation than the remote trailer, but there are several greenhouses and some trees in between.

We found a nice spot for a pole-mounted 14db panel antenna to be placed in each location, giving line-of-sight between two greenhouses.

I set up access points at each location, planning to make a point-to-point bridge connection between the two. The main office AP had a glitch though so I had to add a week while I RMA'd the thing. Finally got it up and running yesterday, and the boss and everyone in production is STOKED.

They were running a buried co-ax connection before that yielded less than 10mbs (more like 4). Now it's running at 54mbs or better (in "Super G" mode). Databases that once took 20 minutes to even OPEN are up and running in less than 10 seconds.

All in? Only $700 in equipment and about two days of futzing. This was down from the $5k quote they got for fiber optics.

My head hurts now though.
 

H8R

Cranky Pants
Nov 10, 2004
13,959
35
Question for wireless expert monkeys:

If I run MAC address access control, can I ditch encryption and still be safe?
 

binary visions

The voice of reason
Jun 13, 2002
22,162
1,261
NC
No.

MAC addresses are broadcast in clear text on all packets sent to and from the routers. Anyone with a packet sniffer can pick them up, and MAC address spoofing is about the easiest thing in the world.

Besides, without the encryption, your packets can be picked up by anyone with a wireless card in their laptop. You don't need that :p

Nice job on the setup.
 

binary visions

The voice of reason
Jun 13, 2002
22,162
1,261
NC
No real point in shutting off SSID broadcast, it just makes it more painful for anyone who wants to connect to get there. I wouldn't bother with the MAC address filtering either.

Encrypt it and forget about it. Anyone who is serious enough to get into an encrypted network is not going to be slowed down meaningfully by MAC address filtering or the lack of a SSID broadcast. The packets are still there, zipping around in the ether, and a packet sniffer will pick up both the SSID and the allowed MAC addresses.

Turning on MAC address filtering or SSID off makes maintaining the network more difficult, but doesn't make it much more secure. For a home situation, I'd agree. But for a business, ease of maintenance is paramount.
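
An added illustration of the point made in the two posts above (not code from any poster in this thread): an 802.11 frame's addresses sit in a MAC header that stays readable even when the Protected bit marks the body as encrypted, and a client looking for a non-broadcast SSID names it in its probe requests. The frames, addresses and the SSID `officenet` are constructed sample data.

```python
import struct

# Constructed sample frames (no radiotap header, no FCS). The addresses and
# the SSID "officenet" are made up for illustration.
STA = bytes.fromhex("020000aabb01")
AP = bytes.fromhex("020000aabb02")
BCAST = b"\xff" * 6
# Data frame, ToDS=1 and Protected=1: only the body is ciphertext.
DATA_FRAME = (bytes.fromhex("0841") + b"\x00\x00" + AP + STA + AP
              + b"\x10\x00" + bytes.fromhex("deadbeef01020304"))
# Probe request a client sends when looking for a non-broadcast SSID.
PROBE_REQ = (bytes.fromhex("4000") + b"\x00\x00" + BCAST + STA + BCAST
             + b"\x20\x00" + b"\x00\x09officenet")


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame):
    """Decode the fixed 24-byte 802.11 MAC header, which is never encrypted."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    return {
        "type": (fc >> 2) & 0x3,          # 0 = management, 2 = data
        "subtype": (fc >> 4) & 0xF,       # 4 = probe request
        "protected": bool(fc & 0x4000),   # body encrypted (WEP/WPA)
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]),       # transmitter address
        "addr3": mac(frame[16:22]),
        "body": frame[24:],
    }


def ssid_from_probe_request(frame):
    """Return the SSID element of a probe request, or None."""
    hdr = parse_header(frame)
    if (hdr["type"], hdr["subtype"]) != (0, 4):
        return None
    body, i = hdr["body"], 0
    while i + 2 <= len(body):             # walk the tagged elements
        eid, elen = body[i], body[i + 1]
        if i + 2 + elen > len(body):
            return None                   # truncated element
        if eid == 0:
            return body[i + 2:i + 2 + elen].decode("utf-8", "replace")
        i += 2 + elen
    return None
```
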
 

Transcend

My Nuts Are Flat
Apr 18, 2002
18,040
3
Towing the party line.
> No real point in shutting off SSID broadcast, it just makes it more painful for anyone who wants to connect to get there. I wouldn't bother with the MAC address filtering either.
>
> Encrypt it and forget about it. Anyone who is serious enough to get into an encrypted network is not going to be slowed down meaningfully by MAC address filtering or the lack of a SSID broadcast. The packets are still there, zipping around in the ether, and a packet sniffer will pick up both the SSID and the allowed MAC addresses.
>
> Turning on MAC address filtering or SSID off makes maintaining the network more difficult, but doesn't make it much more secure. For a home situation, I'd agree. But for a business, ease of maintenance is paramount.

I disagree. It makes it secure in the sense that people don't casually attempt to connect to your network to grab email and be nosey (like I do when downtown in Montreal). This is 99% of the people you don't want on your network sucking bandwidth etc.

The other 1% you aren't going to keep out with WPA anyways. So in that sense, you may as well just do nothing. It doesn't make it any more difficult to connect, employees just have to know the network name. In a small company, this isn't an issue.

The only way to actually be "secure" is to use a callback style RADIUS setup. I had to maintain these for a few years at school while working with the wifi guys. It was a nightmare. Steel-Belted Radius does rule for security however.
 

binary visions

The voice of reason
Jun 13, 2002
22,162
1,261
NC
So, you, when in downtown Montreal, can and will break into a WPA network?

WPA isn't going to keep out the hardcore guys, but it will keep out everyone else, without losing the convenience of a broadcast SSID or the difficulty of maintaining a MAC address list.

Jason can figure that out for himself, though :p
 

H8R

Cranky Pants
Nov 10, 2004
13,959
35
The APs can't run anything but WEP when they are in point-to-point bridge mode.

MAC filtering, WEP and shutting down the SSID broadcast is the ticket I guess.

Not too worried about intrusion, the nearest homes are a retirement community a half mile away. (they MIGHT have dial-up over there)
 

binary visions

The voice of reason
Jun 13, 2002
22,162
1,261
NC
When the time comes, 802.11n will be the ticket.

Of course, at this rate we'll all be dead before the standard ever gets approved :p