Ask the Wi-Fi Guru, Episode XX

By Aaron Weiss

October 19, 2009

Our monthly Q&A; The series offers advice for those looking for help with home WLANs or for small businesses. This month, our guru offers tips on preventing bad guys, DHCP servers, Tomato, and more.

Related Articles

Our monthly Q&A series offers tips for those looking for help with home or small business WLANs. This month, our guru offers tips on preventing bad guys, DHCP servers, Tomato, and more.


If you’ve traveled the past few years, you know you can find strange things in hotel rooms. Things like the mysterious location of the bathroom switch, the irritating lack of outlets accessible anywhere near the bed, and of course that suspicious carpet stain that conjures up disturbing images.

Not to mention the hotels that still charge for wireless internet access, but provide wired access for free. Of course, to use wired internet you will likely be strapped to the desk, and it only serves one guest at a time. Solution? I like to travel with a wireless router, such as the CradlePoint CTR500 Cellular-ready Travel Router [reviewed here] or the Belkin Wireless G Travel Router. Some of the smaller models fit easily between layers of clothing in luggage, then I set up my own personal hotspot in the hotel room. I guess it is possible that some hotels look awry, but it seems to me that it is better to create your own hotspot than to steal the towels. And the soap. And the shampoo. And the hangers.

Q: I have a wired LAN and one node is a Wi-Fi router. It is configured as FiOS-> modem-> router / firewall-> various nodes (like computers, printers and a unit Wireless). The Wi-Fi router can be connected to the local network through its WAN port or one of its four LAN ports.

If a bad guy breaks into my Wi-Fi router, the results are different depending on whether the Wi-Fi router is connected through its LAN ports or its WAN port, right? How do I configure it to use the WAN port instead? My main router / firewall is 192.168.1.1. —Tracy

A: There are several reasons why you can include a second router in your network. The most common is to extend the range of your wireless network. In this case, the second router would be configured as a “dumb” AP (access point). You would disable its DHCP server and firewall and manually assign it a LAN IP address compatible with your main router, for example (in this case) 192.168.1.2. And you would connect the Ethernet cable from your main router to a LAN port on the second router.

Another reason is to use a second router in your network to isolate a group of clients from your main local network. In this scenario, you would connect the Ethernet cable from your main router to the WAN port on the second router. You would leave the second router’s firewall and (if desired) the DHCP server enabled.

Anyone connected to the second router (legitimately or maliciously) when connected to the main router via the WAN port would not see the resources broadcast by the main router. In other words, if you have file shares open on machines connected to your primary router, clients on your secondary router will not be able to see those shares.

That said, a determined hacker can probably figure out some key details about your main router. Your secondary router’s status page can reveal the WAN IP address assigned to it by your primary router, giving the hacker information about your primary subnet. Your secondary router may or may not route requests to the primary LAN. Of course, you can set very restrictive rules on your secondary router’s firewall. All of this means that using the WAN port on your secondary router to create an isolated subnet can handcuff a hacker who has gained access to your secondary router; but this security is not foolproof and may not hold back a highly skilled hacker.

Q: I have a Linksys router with DD-WRT and now a Netgear router. The Netgear is the “repeater” and I followed your setup and it works fine, my question is: On the repeater, do I have to enable DHCP? The laptop connects to the wireless access point (the Netgear displays it as a client), but the obtained IP address is from the Linksys. Am I allowed or am I confused? —Duane

A: It’s understandable that this might sound confusing, but in fact this setup is absolutely correct!

You do not want to enable DHCP on your secondary repeater router (in this case, your Netgear). You should not have two DHCP servers running on the same network.

The DHCP server on your main router (Linksys) addresses your entire network, including associated clients through your extender. So yes, your customers get their IP from your Linksys. Just as it should be. Would not change a thing.

Q: I read your article on WDS using Linksys routers. I wish to do this and I have two Linksys WRT54G routers that now have DD-WRT on them, which are working successfully. The first router must have a static IP to connect to our service. How can I get the second router / AP to connect to the first one to extend my range? -CU

A: Using a static IP address with your main router should not have any impact on the configuration of the WDS (Wireless Distribution System) to link the two routers.

When setting up WDS between two (or more) routers, the key concept is that each router must “know” the MAC address of its linked partner (s). A MAC address is different from an IP address – an IP address, of course, is the device’s network address, much like a phone number for your phone. It may or may not be changed depending on the situation.

The MAC address is more like a serial number that uniquely identifies this network device. Thus, your wireless router has both a MAC address (immutable) and an IP address (changeable). Astute readers will point out here that MAC addresses can be changed – which is sometimes true – but also unusual and beyond the scope of this scenario.

When using DD-WRT, you will want to use the Wireless / WDS menu to enter the MAC addresses of each router into the other router. But where do you get the MAC addresses to enter?

Each network card actually has its own MAC address, which means your router has two MAC addresses: one for its wired network card and one for its wireless network card. Make sure that when configuring WDS, you are using the wireless MAC addresses of each router.

In DD-WRT, you can click the Status / Wireless menu to see your wireless MAC address at the top of the page. This is the MAC you want to enter in the WDS settings of your other router; and vice versa.

Q: I enjoyed reading your great article on using Tomato with wireless * client * access. I just flashed my Linksys WRT54GL 1.0 router with Tomato 1.25 firmware and everything on the physical wiring side is working fine, but I am unable to get a basic access point to work (even with security disabled). The WLAN light on the front of my WRT54GL should be green I think (if it’s active), right? This light is off and I don’t understand why. – Eddie

A: When you configure Tomato as a wireless client, either in “wireless client” or “wireless Ethernet bridge” mode, the router receives a signal from another router and transmits it to wired devices. But in doing so, it no longer broadcasts a wireless signal. In other words, in client or bridge mode, Tomato behaves only as a receiver. Therefore, you can no longer connect to it as an access point using wireless devices.

If you need to extend a wireless network to wired and wireless devices using Tomato, consider configuring “Access Point + WDS” mode. This will require setting up a WDS network, which requires configuration settings on your main router in coordination (see question above). In this mode, Tomato would behave as if it were in “wireless Ethernet bridge” mode while retaining its wireless access point. Note that by doing this, wireless devices connected to Tomato will only have half the available bandwidth compared to wired devices and wireless devices connected to your main router.

Latest posts by Eric Sandler (see everything)

Comments are closed.