Wireless DevCenter    
 Published on Wireless DevCenter (http://www.oreillynet.com/wireless/)
 See this if you're having trouble printing code examples


Bridging 802.11 Networks with Linksys

by Glenn Fleishman
08/24/2001

Related Articles:

802.11b Round-Up

Life After AirPort -- New Wireless Base Stations

Introducing the Xircom 802.11 Module for the Visor

My downstairs office neighbor, a running coach named Tony, has an inquiring mind. He has heard me and my officemates wax sci-fi about wireless IEEE 802.11b networking. We somehow got him jonesing for it for when he expanded his coaching facilities to a second office in a building about 30 feet away, to which a wired extension to our shared network wasn't possible.

The new office is embedded bunker-like into a concrete foundation below ground, as well as having thick walls in its above-ground portion. Otherwise, we could have hung his new computers as wireless devices on our existing 802.11b network. He also has some legacy equipment that needs an Ethernet hub, so couldn't go entirely wire free.

We needed a solution that would allow us to extend our high-speed Internet service as well as the rest of the intranet in our existing building to Tony's new office 30 feet away. We wanted to bridge the gap wirelessly, making one seamless combination of wired and wireless networks. I'd been following discussions on the Bay Area Wireless User Group's (BAWUG) mailing list about the Linksys WAP11 access point (AP), and thought a pair of them might do the trick.

At a street price (with manufacturer's rebate) of about $185, this AP supports a firmware upgrade that turns it into the bargain wireless bridge of the century. Comparable devices from vendors such as Cisco can run $800 or more.

The Wireless Access Point

Typically, an access point acts as a central hub, router, bridge to Ethernet, and server for dynamic host configuration protocol (DHCP) and network address translation (NAT), as well as other functions. The standard home gateways often have a wide-area network (WAN) Ethernet port (to connect to a DSL or cable modem) and one or more local area network (LAN) ports for the local network.

The access point negotiates with wireless computers and other devices, hands out non-Internet-reachable NAT addresses via DHCP, and bridges traffic from the wireless LAN to the wired LAN and, through it, out to the Internet. (Home gateways with a WAN port bridge the traffic internally and send it all the broadband router.)

The Linksys WAP11 with its single Ethernet port handles all this perfectly fine. It has minimal but sophisticated options for set up, and removable antennas with standard connectors so that you could hang a higher-gain antenna off the back - important for connecting networks over longer distances.

Upgrading to build a bridge

But the bridging firmware makes the WAP11 more than just cheap and functional. In bridging mode, you can connect two or more WAP11s together to pass wired Ethernet traffic among one another, creating a super-network. If you have multiple facilities nearby or with line of sight between them, you can avoid telephone company digital line charges, as well as recurring fees for separate Internet connections in each facility.

Linksys's firmware upgrade 1.4f5, which supports bridging, was released, pulled and then re-released; the version number stayed the same. The two WAP11's I purchased for our multi-office installation came with release 1.3i installed; reports indicate that most units are still being shipped with the older firmware. Initially, the 1.4f5 upgrade utility failed on 1.3i installations, according to BAWUG list contributors, so apparently that's been fixed.

The WAP11 comes with a USB connection for configuration using a Windows-only application. It's critical to be able to use this, as once you've configured the unit, unless you give it a real IP number, you're not going to be able to reach it for reconfiguration without disconnecting it from the wired network.

Linksys provides an SNMP-based package as well, so an enterprising wireless advocate could release a pure SNMP configurator, too, for Linux or other platforms. I'm insane enough that, although I own a PC for testing, I ran Connectix Virtual PC with Windows 98 on a Mac Cube and had no problems accessing the unit over USB.

The firmware updater first installed 1.3k, not separately available, and then 1.4f5. It reported a failure on the latter, but on rebooting the units and reconnecting -- requiring a few USB plugs and unplugs -- the firmware version was reported correctly by the software and the units configured fine. (Oddly, the SNMP software shows the full firmware versioning information, while the USB shows just a fragment.)

You can link two WAP11's together by using each device's unique Ethernet or MAC (Media Access Layer) address. (It has nothing to do with Macintoshes; it's an acronym.) The USB and SNMP software displays the MAC address, a set of six two-character hexadecimal digits. You can also set up the WAP11 to talk to one or more identical devices using multipoint transmission; this also works if you don't want to enter the MAC numbers.

The two or more WAP11's need to be on the same 802.11b channel. The 802.11b protocol divides the available spectrum -- which can vary by country -- into overlapping channels of 22 MHz each. In the U.S., we have 83.5 MHz overall to play with, and 11 channels, numbered 1 through 11. Of those 11 channels, 1, 6 and 11 don't overlap at all, allowing as many as three access points to operate in the vicinity of one another.

Because the two WAP11s share the same channel, this contributes -- along with Ethernet overhead -- to reducing net bandwidth to about 4Mbps, according to Sam Habash, a BAWUG list contributor. The speed is close to the same with or without using 802.11b's built-in WEP (Wireless Equivalent Privacy) encryption system.

The bridging configuration allows WEP encryption keys at either 40/56/64 (technically all the same) or 128 bits. Even though WEP is weak and generically compromised, I'd recommend turning it on - especially since you're purposely broadcasting between multiple locations. This can reduce throughput, too.

To encrypt or not to encrypt

Most wireless folks I've spoken to at companies and in the free networking community strongly recommend using application-level encryption (tunneling SSH being the cheapest and easiest) and locating wireless devices outside a corporate firewall. Doesn't the WAP11 bridging violate both principles by transiting open Ethernet traffic?

Sure it does. But remember to consider how much time a cracker wants to spend breaking into your network, and whether your data is really dangerous if disclosed or useful to someone else. At the least you might consider SSL-enabled POP e-mail to protect your username and password in transit; or, make sure your mail account's password or username isn't the same as that you use for logins.

Because these devices speak to each other, a system administrator could be motivated set reminder on the Palm or pager, to change the encryption key on both devices weekly or monthly. Since you can use a separate WEP key from any other devices on a network, this puts control and knowledge entirely in the hands of the admin.

Also consider hooking the devices to dedicated Ethernet cards in Unix variant boxes on either side and configure firewall software to tunnel encrypted traffic between them.

Almost too easy

I tested the WAP11 bridges initially by putting my Mac Cube on its own Ethernet switch and plugging one of the WAP11s into it. The other sat on our main network. Traffic was seamless, although it did highlight that the WAP11 doesn't support AppleTalk packets. (It does handle IPSec, PPTP, TCP/IP and other Windows protocols.)

I couldn't tell except by looking at flickering lights on various boxes that I wasn't directly connected to our network. I upped the ante and moved one of the WAP11s to the next-door office.

Tony also wanted to have his own access point for wireless in-office devices, so we hooked up a Linksys EtherFast BEFW11S4. This unit is almost identical to the WAP11, except it features a built-in Ethernet 10/100 switch, and a slightly more elaborate set of options for configuring NAT and system access.

Because we already have an acess point in our main office, we configured the EtherFast with the same network name (SSID) and WEP encryption key to allow roaming. Our main office runs on channel 1; the WAP11s were set to channel 6; and to reduce any potential overlap, the EtherFast was set to channel 11. (A nearby Starbucks running a MobileStar acess point doesn't appear to put out enough juice to bug us.)

As an additional security method, we could also have hidden our network name, but that's doesn't deter a cracker or hide the network from them, so there was little point. And we might as well share our identity with fellow 802.11b users who might happen by.

Getting the final configuration was simpler than I could have imagined. We plugged the devices in, checked cables, scratched our heads at not seeing link lights on the Ethernet ports. We wound up adding a tiny Ethernet switch to connect the WAN port of the EtherFast to the single port of the WAP11, and that solved the mystery.

(Oddly, neither a patch nor crossover Ethernet cable worked between the two devices. Plugging the WAN port of the EtherFast and the WAP11's port into the EtherFast's built-in switch produced Ethernet storms, not surprisingly.)

Resources

Bay Area Wireless User Group's (BAWUG) mailing list

Linksys WAP11 access point (AP) information

1.4f5 firmware download, select WAP11 from the list. Or download directly here.

The firmware upgrade software for Windows is located here.

After solving the obvious wired world problems, the setup worked great. We have line of sight between the WAP11s (about 30 feet), and devices can roam freely between our channel 1 and 11 APs.

Over longer distances, such as hundreds or thousands of feet -- for which you'd need a higher-gain antenna, as mentioned earlier -- you're going to find this a clearly better deal than running wires.

Our total bill was about $700 for the two WAP11s and the EtherFast. Linksys dropped prices during August, bringing the total cost of a new installation to less than $600 for the same equipment (ain't it always the case?). We're also spending about $100 per machine to hook in.

But we've got an amazing amount of flexibility -- and the possibility of adding satellite offices, or extending our range to the lake and park across the street. Canoeing with Wi-Fi might be my next article.


Glenn Fleishman is a freelance technology journalist contributing regularly to The New York Times, The Seattle Times, Macworld magazine, and InfoWorld. He maintains a wireless weblog at wifinetnews.com.


Return to the Wireless DevCenter.

Copyright © 2009 O'Reilly Media, Inc.