Ask the Wi-Fi Guru About Wi-Fi Subnets and Building Interference

Our monthly Q&A series offers advice to those seeking help with home or small business WLANs. This month our guru helps settle the 5GHz/2.4GHz 802.11n question, offers hope to owners of aging laptops and drops tips on sharing an Internet connection.

Among my pet peeves in the department of nickel-and-diming -- besides casinos that charge for parking (boo, Borgata!) -- are hotels that charge for wireless Internet. Maybe there was a time when this seemed like a premium feature -- like a steam shower or turn-down service -- but today, charging for wireless Internet is as reasonable as charging guests for electricity or water or HBO. It seems like Internet fees are mostly the domain of "better" hotels, presumably because they attract business travelers who are less price sensitive than leisure guests at the Super 8. But these same "expense account" travelers are also the most likely to be armed with a growing arsenal of wireless technology, including 3G (and soon 4G) smart phones and laptops, or MiFi-like sharing devices. Who needs to pay for wireless Internet when you can carry it with you? Hopefully this spells doom for these absurd fees.

How Do I Keep Subnets Separate With Tomato?

Q: I am following your tutorial How to: Set Tomato Firmware for Wireless Client Modes to share Internet between my mother-in-law and her neighbors (she has yet to use 1Gb of her monthly 5Gb allowance). How do I prevent communication between the subnets? I ask because the follow-up comments suggest this is still possible in one direction, or is it the case that the different subnets provide that isolation? -- Clive

A: In other words, there's sharing, and then there's sharing. Your Internet connection resides with your mother-in-law, and so any machines connected to that router should be considered "subnet A". Across the hall, her neighbors enjoy their Internet connection because you've set up a second router using the Tomato firmware. In wireless client mode, Tomato is receiving the wireless signal from your mother-in-law's router and sharing it locally on "subnet B".

Everyone is sharing the same Internet connection, but you don't want devices on subnet B (the neighbors) to see devices on subnet A (your mother-in-law). Ideally, you want them to be separate, isolated LANs.

As commenters to the original tutorial have correctly pointed out, in the setup as described, devices on subnet B can see subnet A, but subnet A cannot see subnet B. This is because for the wireless client mode to work, the Tomato router is itself a client on subnet A and forwards everything from subnet B through it; the primary router, however, has no route in the reverse direction, since it knows nothing about subnet B. And so this is a problem--you don't want subnet B users to see any machine on subnet A.

You can't eliminate the route from subnet B because this is necessary for the Internet sharing to function. But there is another way to look at this: why not isolate subnet A instead?

Get a third router (with any firmware). Plug this router into the primary router already in your mother-in-law's house. Plug your mother-in-law's computers into the new third router. The resulting network will look like this:

ROUTER 1>>ROUTER 2 (any firmware, same location as router 1)
ROUTER 1>>ROUTER 3 (Tomato firmware, wireless client mode, remote location)

By doing this, both your mother-in-law's devices and the neighbors' devices will be routed to the primary router with the Internet connection, but neither route will cross the other, and thus both subnets will be invisible to one another.
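To make the routing argument concrete, here is a small forwarding model (added example, not part of the original column) that walks a packet through each router's table for the two-router setup and for the three-router layout above. All addresses are constructed: 192.168.1.0/24 is router 1's LAN (subnet A in the original setup), 192.168.2.0/24 is behind the Tomato client (router 3), and 192.168.3.0/24 is behind the added router 2.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology for this example; private ranges chosen arbitrarily.
Route = Tuple[str, str]            # (destination prefix, next hop)
Topology = Dict[str, List[Route]]  # router name -> its routing table

def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match; next hop is 'local', another router, or 'internet'."""
    best_len, best_via = -1, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best_len, best_via = net.prefixlen, via
    return best_via

def trace(topo: Topology, first_hop: str, dst_ip: str) -> Tuple[List[str], bool]:
    """Follow a packet router by router; True if some router delivers it locally."""
    dst = ipaddress.ip_address(dst_ip)
    path, hop = [], first_hop
    while hop in topo and hop not in path:   # stop on unknown hop or loop
        path.append(hop)
        via = lookup(topo[hop], dst)
        if via == "local":
            return path, True
        if via is None or via == "internet":
            return path, False   # private address handed to the ISP: dropped
        hop = via
    return path, False

# Original setup: the Tomato client's default route points at router 1.
ORIGINAL: Topology = {
    "router1": [("192.168.1.0/24", "local"), ("0.0.0.0/0", "internet")],
    "router3": [("192.168.2.0/24", "local"), ("0.0.0.0/0", "router1")],
}
# Third router added: the mother-in-law's machines move behind router 2.
WITH_THIRD: Topology = {
    "router1": [("192.168.1.0/24", "local"), ("0.0.0.0/0", "internet")],
    "router2": [("192.168.3.0/24", "local"), ("0.0.0.0/0", "router1")],
    "router3": [("192.168.2.0/24", "local"), ("0.0.0.0/0", "router1")],
}

if __name__ == "__main__":
    print(trace(ORIGINAL, "router3", "192.168.1.50"))    # B reaches A
    print(trace(ORIGINAL, "router1", "192.168.2.50"))    # A cannot reach B
    print(trace(WITH_THIRD, "router3", "192.168.3.50"))  # B cannot reach A
    print(trace(WITH_THIRD, "router2", "192.168.2.50"))  # A cannot reach B
    print(trace(WITH_THIRD, "router2", "192.168.1.1"))   # router 1's own LAN is still reachable
```

The last trace is the caveat to keep in mind: both subnets can still reach router 1's LAN, which now holds only the two routers' WAN ports and router 1's admin interface, so that router's admin password matters for both households.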

How Can I Get a Signal From a Wi-Fi Access Point Outside When I Work in a Metal Structure?

Q: My ISPs (Comcast/Optimum) offer their service via Wi-Fi access points located around the city on public utility poles. The networks are unsecured, however you are redirected to a log-in page where you must enter your appropriate username and password for your internet account. No problem as I have an account with both providers.

The problem:

While at work inside a brick & steel warehouse, I cannot get a Wi-Fi signal. - Walter

A: On the surface this seems like a resolvable situation: you need a repeater setup with an antenna on the roof, and a properly configured router inside the warehouse. The antenna on the roof would be connected to the indoor router with a run of coax cable. Because your question contains many (helpful) details, let's take them one at a time.

I purchased a system that consists of a bridge, a router and an additional access point. This is using a 15db antenna mounted on the roof of this 3 story warehouse. The antenna does not have line-of-sight with the ISP's access point, but my netbook does get 3 to 4 bars while standing under it.

Keep in mind that your netbook's internal antenna probably suffers far less signal loss than the 15 dB antenna mounted on the roof. That outdoor antenna has a cable running from it to the router; the longer that cable is, the more signal loss will occur--especially if we're talking about dozens of feet or more. For this reason, it is actually possible for an integrated antenna like the one in a notebook or other mobile device to perform as well as or better than a much larger external antenna, if that external antenna is losing signal strength over a long cable run.

Oddly, the bridge only sees the ISP access points intermittently. When the bridge does see the access point, and is "joined" with it as per the instructions, it doesn't seem to be sending the signal to the router connected via a cat5 patch cable.

Why would the bridge not see an access point when running at 200 mW with a 15 dB omni antenna on an 8 foot mast, while a netbook in my hands right next to that antenna will get 3-4 bars?

See above. You might achieve a more reliable connection by using a directional rather than omni antenna on your mast. An omni antenna is useful when you are roaming because access points could be anywhere relative to you--but in a fixed position like this, you know exactly where the access point is. A directional antenna (properly) aimed at a remote access point will pick up a more stable signal, because its gain is concentrated in that one direction instead of being spread around the horizon. This may help overcome some of your cable loss, although you should also try to minimize how much cable you need to run indoors, and be sure to use the lowest loss cable you can afford.
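The cable-loss point made above and in the earlier paragraph about the netbook can be checked with a quick link-budget calculation; this is an added example, not from the original column. The per-100-foot loss figures, the 0.5 dB per connector, the 2 dBi figure for the netbook's built-in antenna and the 60-foot run are all assumptions chosen to illustrate the comparison, not measurements from Walter's site.

```python
import math

# Assumed, approximate feedline loss at 2.4 GHz in dB per 100 ft; the real figure
# comes from the datasheet of the cable actually installed on the mast.
CABLE_LOSS_DB_PER_100FT = {"RG-58": 33.0, "LMR-400": 6.8}
CONNECTOR_LOSS_DB = 0.5   # assumed loss per connector or adapter in the run

def mw_to_dbm(milliwatts: float) -> float:
    """Transmit power in dBm, e.g. for the 200 mW bridge."""
    return 10.0 * math.log10(milliwatts)

def feedline_loss_db(cable_ft: float, cable_type: str, connectors: int = 2) -> float:
    """Total loss between the antenna and the radio: cable plus connectors."""
    return (cable_ft / 100.0 * CABLE_LOSS_DB_PER_100FT[cable_type]
            + connectors * CONNECTOR_LOSS_DB)

def effective_gain_dbi(antenna_dbi: float, cable_ft: float, cable_type: str,
                       connectors: int = 2) -> float:
    """Antenna gain that actually reaches the radio after feedline loss."""
    return antenna_dbi - feedline_loss_db(cable_ft, cable_type, connectors)

def break_even_cable_ft(antenna_dbi: float, internal_dbi: float, cable_type: str,
                        connectors: int = 2) -> float:
    """Cable length beyond which the roof antenna is no better than the built-in one."""
    budget = antenna_dbi - internal_dbi - connectors * CONNECTOR_LOSS_DB
    return max(0.0, budget / CABLE_LOSS_DB_PER_100FT[cable_type] * 100.0)

def roof_beats_netbook(antenna_dbi: float, cable_ft: float, cable_type: str,
                       internal_dbi: float = 2.0) -> bool:
    """Does the external antenna still win once its feedline is accounted for?"""
    return effective_gain_dbi(antenna_dbi, cable_ft, cable_type) > internal_dbi

if __name__ == "__main__":
    # Constructed scenario: 15 dBi roof antenna, 60 ft run down a three-story
    # warehouse, against an assumed 2 dBi netbook antenna with no feedline at all.
    print("bridge power:", round(mw_to_dbm(200), 1), "dBm")
    for cable in CABLE_LOSS_DB_PER_100FT:
        print(cable, round(effective_gain_dbi(15, 60, cable), 1), "dBi at the radio;",
              "break-even at", round(break_even_cable_ft(15, 2.0, cable)), "ft;",
              "roof wins:", roof_beats_netbook(15, 60, cable))
```

With the assumed figures, 60 feet of thin RG-58 turns the 15 dBi antenna into a net loss at the radio, while the same run of low-loss cable keeps most of the gain; the break-even length is the number to compare against the planned cable route before buying.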

I am also concerned about this "bridge" term. A bridge and a repeater are different configurations, although they can usually be achieved with the same gear. Creating a proper bridge requires some knowledge of the IP configuration of the host network--you likely don't know this about the commercial hotspots you are trying to repeat.

In a repeater configuration, your router doesn't need to "know" anything about the host network, but you may face a different problem. We don't know how the commercial hotspot authorizes users. A common method would be to register your MAC address for a period of time after you successfully sign in. If you do this, the hotspot is going to receive the MAC address of your router--not your personal computer. This would prevent each user in your warehouse from logging in using their own credentials--essentially your router would be signed in "globally", but as you say, this would probably violate the terms of your subscription.

I'd like this system to be transparent with multiple networks if possible. By that I mean I'd like to associate the bridge to both the Comcast Xfinity network AND the Optimum Online network so users of both can benefit from the indoor repeater.

This would not be possible using one set of gear, because your router can only be associated with one hotspot at a time. Plus, using a directional antenna rather than an omni would further prevent this unless both ISPs' hotspots were in the same location.

To sum things up, the approach outlined doesn't seem capable of achieving your goals. In addition to using a directional antenna in a repeater configuration, you will need to use a single login to authorize your router with the hotspot. Everyone in the warehouse would essentially be sharing that account. Is it not possible for the business in question to sign up with one of these ISPs? In that case, the business could authenticate to the hotspot using its own account. Repeating the signal within your warehouse, using the account your business is paying for, would seem like a legitimate solution.

How Do I Implement WPA Using Radius With Windows 2008?

Q: I have a Wi-Fi network of 4 Cisco 1142 access points, currently using WEP. I want to implement WPA using Radius on a Windows 2008 box. I get the prompt for my AD username and password, but it doesn't authenticate. Do you have a link or can you suggest a site that will have step by step instructions? - Russ

A: Full disclosure: I have never set up a Radius server, let alone one running on Windows 2008. However, I have seen a few guides which seem promising. I will simply pass these along without further comment, lest I say too much about something I know almost nothing about: