Bridging 802.11 Networks with Linksys
To encrypt or not to encrypt
Most wireless folks I've spoken to at companies and in the free networking community strongly recommend using application-level encryption (tunneling SSH being the cheapest and easiest) and locating wireless devices outside a corporate firewall. Doesn't the WAP11 bridging violate both principles by transiting open Ethernet traffic?
Sure it does. But remember to consider how much time a cracker wants to spend breaking into your network, and whether your data is really dangerous if disclosed or useful to someone else. At the least you might consider SSL-enabled POP e-mail to protect your username and password in transit, or make sure your mail account's password or username isn't the same as the one you use for logins.
Because these devices speak to each other, a system administrator could be motivated to set a reminder on a Palm or pager to change the encryption key on both devices weekly or monthly. Since the bridge can use a WEP key separate from that of any other devices on a network, this puts control and knowledge entirely in the hands of the admin.
Also consider hooking the devices to dedicated Ethernet cards in Unix variant boxes on either side and configuring firewall software to tunnel encrypted traffic between them.
Almost too easy
I tested the WAP11 bridges initially by putting my Mac Cube on its own Ethernet switch and plugging one of the WAP11s into it. The other sat on our main network. Traffic was seamless, although it did highlight that the WAP11 doesn't support AppleTalk packets. (It does handle IPSec, PPTP, TCP/IP and other Windows protocols.)
I couldn't tell except by looking at flickering lights on various boxes that I wasn't directly connected to our network. I upped the ante and moved one of the WAP11s to the next-door office.
Tony also wanted to have his own access point for wireless in-office devices, so we hooked up a Linksys EtherFast BEFW11S4. This unit is almost identical to the WAP11, except it features a built-in Ethernet 10/100 switch, and a slightly more elaborate set of options for configuring NAT and system access.
Because we already have an access point in our main office, we configured the EtherFast with the same network name (SSID) and WEP encryption key to allow roaming. Our main office runs on channel 1; the WAP11s were set to channel 6; and to reduce any potential overlap, the EtherFast was set to channel 11. (A nearby Starbucks running a MobileStar access point doesn't appear to put out enough juice to bug us.)
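The channel choice above can be checked numerically. The following is an added example, not part of the original article: it uses the standard 2.4 GHz 802.11b channel plan (centers 5 MHz apart, each channel about 22 MHz wide) to report which devices in a plan share spectrum. The device labels and the neighbour's AP on channel 3 are constructed for illustration.

```python
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # nominal 802.11b DSSS channel width


def center_mhz(channel):
    """Center frequency of a 2.4 GHz 802.11b channel (1-14)."""
    if channel == 14:
        return 2484  # channel 14 sits off the 5 MHz grid
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz 802.11b channel: {channel}")


def overlap_mhz(a, b):
    """Spectrum shared by two channels, in MHz (0 means no overlap)."""
    return max(0, CHANNEL_WIDTH_MHZ - abs(center_mhz(a) - center_mhz(b)))


def conflicts(plan):
    """plan maps a device label to its channel; return overlapping pairs."""
    found = []
    for (dev_a, ch_a), (dev_b, ch_b) in combinations(sorted(plan.items()), 2):
        shared = overlap_mhz(ch_a, ch_b)
        if shared:
            found.append((dev_a, dev_b, shared))
    return found


# Channel assignments as described in the article (labels are illustrative).
ARTICLE_PLAN = {"main office AP": 1, "WAP11 bridge pair": 6, "EtherFast AP": 11}
# Constructed counter-example: a neighbour's AP appears on channel 3.
CROWDED_PLAN = {**ARTICLE_PLAN, "neighbour AP (constructed)": 3}

if __name__ == "__main__":
    for name, plan in (("article", ARTICLE_PLAN), ("crowded", CROWDED_PLAN)):
        print(name, conflicts(plan) or "no overlapping channels")
```

Channels 1, 6 and 11 are 25 MHz apart, so no pair shares spectrum; the constructed channel 3 neighbour overlaps both the main office AP and the bridge link.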
As an additional security method, we could also have hidden our network name, but that doesn't deter a cracker or hide the network from them, so there was little point. And we might as well share our identity with fellow 802.11b users who might happen by.
Getting the final configuration was simpler than I could have imagined. We plugged the devices in, checked cables, scratched our heads at not seeing link lights on the Ethernet ports. We wound up adding a tiny Ethernet switch to connect the WAN port of the EtherFast to the single port of the WAP11, and that solved the mystery.
(Oddly, neither a patch nor crossover Ethernet cable worked between the two devices. Plugging the WAN port of the EtherFast and the WAP11's port into the EtherFast's built-in switch produced Ethernet storms, not surprisingly.)
The firmware upgrade software for Windows is located here.
After solving the obvious wired world problems, the setup worked great. We have line of sight between the WAP11s (about 30 feet), and devices can roam freely between our channel 1 and 11 APs.
Over longer distances, such as hundreds or thousands of feet -- for which you'd need a higher-gain antenna, as mentioned earlier -- you're going to find this a clearly better deal than running wires.
Our total bill was about $700 for the two WAP11s and the EtherFast. Linksys dropped prices during August, bringing the total cost of a new installation to less than $600 for the same equipment (ain't it always the case?). We're also spending about $100 per machine to hook in.
But we've got an amazing amount of flexibility -- and the possibility of adding satellite offices, or extending our range to the lake and park across the street. Canoeing with Wi-Fi might be my next article.
Glenn Fleishman is a freelance technology journalist contributing regularly to The New York Times, The Seattle Times, Macworld magazine, and InfoWorld. He maintains a wireless weblog at wifinetnews.com.