mimo bridging = no wpa

Dravic

Senior member
May 18, 2000
892
0
76
Here is the issue:

I own a 2 story home, and I want to connect two wired LANs together. I also need to maintain an access point strong enough for my lappy with wifi. I will eventually tie in a third wired LAN.

Can't run cat as I might be selling this home soon, and don't have the time (wife, 3 kids, 2 dogs.. etc etc etc) to really do the project right.

Current solution:

2 belkin g routers working as bridged (WDS) access points for the two wired networks. They are running WPA between the two also with other typical security measures (ssid off, mac filtering... yada yada yada).

My issue: remote bandwidth...

I just had FIOS installed and my remote network using the belkin WDS bridge is capping out at ~5-6 mbps (I know boo hoo me) with some minor packet loss/connection issues. The entry LAN is getting the full 15mb down, and my wifi lappy is getting just about full bandwidth also (pulled in a suse DVD iso at 1.6MB per sec today. woot).

I figure now that my internet connection is larger than the bandwidth of my WDS connection, it's time to upgrade the routers/AP's. NONE of the new mimo AP supports WPA while in bridging mode. NOT ONE. They all (except linksys) support WDS, but just not WPA while using WDS/Bridging. The only choice they provide is to use WEP 128 bit. While I don't think anyone out here in rural Delaware is all that interested in my content, my wifi bridge is linking my internal networks, and the UNIX security professional in me can't seem to get past WEP's crackability. It's now to the point with enough point and click tools that a script kiddie can crack it.

Solutions:
So how do I go about securing this bridge if I do go with the new mimo AP's (best choice so far is the trendnet tew-610apb). I was thinking of buying a couple $50 VPN firewalls such as:

Linksys BEFSX41
D-Link's DI-808HV
NetGear FVS318 - prob overkill do need that may vpn tunnels along with vpn endpoint
NetGear FVS114 - $46 online

And putting them on the wired side of the connections, so if they are hacked all you get to is the front of a VPN firewall. My issue here is the throughput of the VPN firewalls. The last thing I want to do is have the bridge throttled down to the same 5-6mbps by the VPN's, especially after spending a couple hundred bucks on mimo gear.

All ideas are appreciated.

 

Dravic

well that won't work at all.

even the more expensive fvs318 won't cut it.

LAN to WAN throughput: 12.5 Mbps
3DES throughput: 1.2 Mbps

wep 128bit might be all i have if i want to improve my bandwidth..
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
easy, *bsd box connected to LAN1 and AP1 creates a secure, ipsec tunnel to BSD box on network 2 hooked to ap2. Use wep128 and mac filtering/no dhcp/no routed traffic except IPSEC tunnel.
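
The "no routed traffic except IPSEC tunnel" rule suggested above can be checked against a capture taken on the WEP-protected link. The following is an added example, not part of the original post: it assumes raw IPv4 packets already stripped of their link-layer headers, and the gateway addresses, helper names and sample packets are all constructed for illustration.

```python
import ipaddress
import struct

ESP, UDP = 50, 17
IKE_PORTS = {500, 4500}               # IKE and IPsec NAT traversal
GATEWAYS = ("10.0.0.1", "10.0.0.2")   # assumed tunnel endpoints (constructed)

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the constructed samples (checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def classify(pkt, gateways=GATEWAYS):
    """Return 'ok' for gateway-to-gateway IPsec, otherwise the reason to flag."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "bad-header"
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if {src, dst} != set(gateways):
        return "foreign-endpoint"      # a LAN host is talking across the bridge
    proto = pkt[9]
    if proto == ESP:
        return "ok"
    if proto == UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return "ok" if IKE_PORTS & {sport, dport} else "cleartext-udp"
    return f"cleartext-proto-{proto}"

def audit(packets, gateways=GATEWAYS):
    """List (index, reason) for every packet that is not tunnel traffic."""
    return [(i, r) for i, p in enumerate(packets)
            if (r := classify(p, gateways)) != "ok"]

SAMPLE = [                                          # constructed capture
    ipv4("10.0.0.1", "10.0.0.2", ESP, b"\x00" * 16),      # tunnelled data
    ipv4("10.0.0.2", "10.0.0.1", UDP, udp(500, 500)),     # IKE negotiation
    ipv4("192.168.1.20", "192.168.2.30", 6, b"\x00" * 20),  # routed LAN TCP
    ipv4("10.0.0.2", "10.0.0.1", UDP, udp(53124, 53)),    # cleartext DNS
    ipv4("10.0.0.1", "10.0.0.2", 1, b"\x08\x00" + b"\x00" * 6),  # ICMP ping
]

if __name__ == "__main__":
    for index, reason in audit(SAMPLE):
        print(index, reason)
```

Any entry returned by `audit` is traffic that only WEP is protecting, which is the case the tunnel is meant to rule out.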
 

Dravic

thx..

I was looking into a similar solution using smoothwall v2.

I currently have smoothwall set up as my primary firewall to my fios internet access. But this would require me to build 2 (eventually 3) more smoothwall boxes. This method is just heavy on time requirements, time to acquire the older hardware and build vpn boxes. It also requires me to have 2+ more computers (running headless of course) sucking up electricity 24/7.

I would really like to build some mini itx boxes running off flash drives, but that would add more cost than I (or the wife) care to incur currently. Unless someone knows where to get full itx pc's cheap ($100)

I'm also not sure what the vpn throughput is going to be for this set up. I'm assuming it should be better than the vpn firewall solutions
 

Madwand1

Diamond Member
Jan 23, 2006
3,309
0
76
I use a Netgear Wireless Print Server WGPS606 as a bridge without WDS using WPA TKIP and get around 20 Mb/s bandwidth (as measured by QCheck, 28 Mb/s from Sandra). WDS is dead from what I see, unless it adapts to WPA somehow.. When 802.11n bridges come out, I'll probably upgrade (and look for WPA2 support).

I'm not sure how this lowly non-mimo bridge is outperforming yours -- unless you already know that you have a challenging distance / interference problem, perhaps a dedicated wireless bridge is worth a try?
 

nweaver

WDS is dead?

WDS works great on many applications with WPA and WPA2...I test it all the time on my Cisco gear. Haven't tried a bridge, but I assume it would work fine, as the AP's have a "bridge" mode in them.
 

Dravic

It's not that WDS is dead, but it appears this is an issue with the new consumer grade MIMO chipsets. No WPA while in bridging mode. The previous g gear like my belkins were able to do it. There are even some reports that it existed in some MIMO beta firmwares but was pulled out of the production version firmwares.

Madwand1 Your print server is probably acting as a client to your router/AP, my laptop gets great throughput to my router/ap also. Even when I put these two AP devices next to each other it tops out at ~6-7 Mbps. It def a protocol issue, and a bandwidth halving issue you get with bridges. I'm also using a "non supported" configuration. Belkin wants you to use a router and an AP to do WDS, but I'm using two routers as AP's to do it.
 

Dravic

Originally posted by: spidey07
a 802.11g bridging should give you close to 54 Mbs. Is MIMO really needed here?

While rated at 54Mbps 802.11g seldom exceeds 22-25Mbps. Radio communication is half duplex. Multiple antennas and MIMO (multiple in multiple out) can help get around this.

On average my belkin pushes around 15-20Mbps. Since wds bridging halves your throughput to the far end, that leaves me with 7-10Mbps (which then puts me at my previously stated ~5-6Mbps on the second floor across the length of the house, with an open foyer). Even right next to each other I've never seen anything faster than 7 ½ Mbps

My belkins do both support HSM 125Mbps (40-60Mbps real world), but this mode is unavailable while in bridging mode.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
pickup two cisco or proxim access points, bridge and use WPA?

sorry, I'm not too used to home gear. But we do this all the time with cisco APs. They can run any mode (infrastructure AP, bridge root, bridge client) all at the same time regardless of encryption. all while maintaining 54 Mbs.
 

Dravic

Originally posted by: spidey07
pickup two cisco or proxim access points, bridge and use WPA?

sorry, I'm not too used to home gear. But we do this all the time with cisco APs. They can run any mode (infrastructure AP, bridge root, bridge client) all at the same time regardless of encryption. all while maintaining 54 Mbs.


ouch.. too pricey

I can't justify $400+ access points for a home network. I'm looking to spend ~$350 on three AP's not one.

But thanks for the suggestion.
 

Madwand1

Originally posted by: Dravic
Madwand1 Your print server is probably acting as a client to your router/AP, my laptop gets great throughput to my router/ap also. Even when I put these two AP devices next to each other it tops out at ~6-7 Mbps. It def a protocol issue, and a bandwidth halving issue you get with bridges. I'm also using a "non supported" configuration. Belkin wants you to use a router and an AP to do WDS, but I'm using two routers as AP's to do it.

Yes, the print server / bridge is acting as a client, and this is an advantage most of the time -- no special configuration / mode required on the AP/router (although I MAC filter it too as a matter of course). Cross-vendor is typically no issue here.

Originally posted by: Dravic
It def a protocol issue, and a bandwidth halving issue you get with bridges.

If that's the case, then that could be another reason to stay away from WDS to do wireless bridging, assuming that you don't need the endpoint of the wireless bridge to do wireless range extension (which I don't -- I just want to avoid cabling to a distant wired switch).

(FWIW, I've never actually used it as a print server, and if I wanted a print server in the current configuration, a computer there would probably work better / more conveniently, although I should try it for "fun".)
 

spidey07

where's Jack and his knowledge of Buffalo tech?

seems Dell is reselling Proxim gear now?

OP - if the SOHO stuff isn't doing what you want then get commercial gear.
 

Madwand1

Originally posted by: Dravic
I'm also not sure what the vpn throughput is going to be for this set up.

I just set up IPSec here (end to end, no tunneling), and, well, IPSec = IPSuck? Hehe. Good news is that it sucks less bandwidth from lower speed connections (Sandra's 28 Mb/s went to 18 Mb/s, QCheck's bandwidth went down by 1-2 Mb/s, but I don't trust it because...); bad news is that it really trashes my high bandwidth connections (77 MB/s over gigabit went down to 13 MB/s).

(Would love to hear about how to configure IPSec (in Windows) so that it doesn't suck so much bandwidth. I want to use this over the Internet, and we don't get FIOS here, so it might not matter so much though.)
 

Dravic

Originally posted by: nweaver
you probably wouldn't need 3 ap's if you had a 1200 series cisco....

I'm not using the AP's to extend wireless range, just to bridge wired networks, so I need as many AP's as wired end points which will eventually be 3.


Originally posted by: spidey07
OP - if the SOHO stuff isn't doing what you want then get commercial gear.


Nah too expensive, at ~$1000 - $1200 for 3 AP, or I would just buy a case of beer and have a couple Telco/networking peers come hang out and run the cat. I have the gear for the work (was looking into doing low volt wiring as a business). I just don't want to put in this effort and clean up since I will most likely be selling the house soon enough.


But I may look into using a couple of print servers or game console wireless adapters and plugging their Ethernet port into my wired LAN switches. That way they act as a client and not a bridge, so I don't get the bandwidth halved. I may get a mimo AP for increased range and signal, and a couple plain g client devices and see if I can get closer to my 15Mbps down.
 

Dravic



I ended up ordering a couple of Dlink wireless adapters to solve the issue. They should arrive in a day or two.

But then out of nowhere i found this Buffalo wireless converter that supports the same 125HSM that my belkins use. So if i can't get the single port on the dlink wireless adapters to work, i'll try the Buffalo piece. It has a 4 port switch built into it, and is the same price. wish i had found it sooner.

If the dlink stuff won't work with switches you may see them and my dlink air extreme router on FS/ST soon :)
 

Dravic

conclusion

I ended up needing the Buffalo wireless converter for the main extension since the dlinks won't support multiple macs attached to a switch. The first device i plugged in would still work, but no other subsequent devices would be recognized. I'm using this in 125HSM with the belkin AP and so far i'm getting ~12-13 Mbps. signal strength is at > 95% all the time so i think it is a matter of finding the right location in the room. I don't think 125 HSM is much benefit and i'm back to getting some slight bandwidth stuttering that didn't exist on the dlink DI-624 (the dlink adapter and the di-624 gave me about ~8-9Mbps in this furthest location, but with no network stuttering). I may use the standard g mode and see if network consistency returns. I haven't tested the buffalo with its great range and the di-624 together yet, that might be the winning combination.

I'm using one Dlink wireless adapter on the 3rd location which is just a single PC above the AP, getting 13-14Mbps, it would probably pair up better with the dlink DI-624 i got when i ordered FIOS, but is working well with the belkin. but as i said above i may go back with the dlink if the belkin AP does improve.

I'll update one more time if and when i try the buffalo converter with the di-624 router/AP.

Thanks Madwand1 for pointing me in the direction of using client devices..

WDS bridging is dead if you can get a multi port converter like the buffalo (yet to try and see if i can extend a switch off it, or if it's just limited to 4 macs). Looks like it's the exact same as their MIMO router but no WAN port, so i'm assuming it's a switch...


Either way i'm happy now i'm getting close to my full internet bandwidth i'm paying for in all my locations. and with some of the inconsistency of the network with the belkins i might take advantage of the Belkin rebate offer and rid myself of them.


 

VirtualLarry

No Lifer
Aug 25, 2001
56,339
10,044
126
Originally posted by: Dravic
NONE of the new mimo AP supports WPA while in bridging mode. NOT ONE. They all (except linksys) support WDS, but just not WPA while using WDS/Bridging.
Thanks for that info, good to know. (I hate it when these mfgs offer "one step forward, but one step back". It does provide for the possibility of constant upgrade sales though - IMHO it's probably intentional.)

I have a Moto WR850Gv2 WDS bridged w/WPA PSK with a Linksys WRT54Gv2. The Linksys doesn't support WDS bridging explicitly, but it does support "Lazy WDS" in the firmware. The Moto v6 firmware supports it explicitly. Btw, it supports multiple PCs on the LAN ports over WDS, not just a single PC.

Originally posted by: Dravic
And putting them on the wired side of the connections, so if they are hacked all you get to is the front of a VPN firewall. My issue here is the throughput of the VPN firewalls. The last thing I want to do is have the bridge throttled down to the same 5-6mbps by the VPN's, especially after spending a couple hundred bucks on mimo gear. All ideas are appreciated.
Sounds like that might set you back financially, while still putting you back to square one as far as a solution for the bandwidth issue.

The Rube Goldberg in me, wonders if deploying an additional pair of WDS routers instead of MIMO gear, on a different channel than the first, and somehow bonding the channels at the host PC would solve the bandwidth crisis. I'd buy a pile of those Moto WR850G routers, you could probably find them for $20ea + ship.

Still.. it boggles me that they would remove such a useful feature in these new MIMO routers.
 

VirtualLarry

Originally posted by: Dravic
There are even some reports that it existed in some MIMO beta firmwares but was pulled out of the production version firmwares.
Urg. That confirms my suspicions.

 

StormRider

Diamond Member
Mar 12, 2000
8,324
2
0
I don't understand the purpose of WDS. What advantage does it give you over using a wireless bridge in "client mode"? It seems to me that using a wireless bridge in client mode is better since it doesn't halve your bandwidth? Is WDS used to bridge 2 networks and at the same time allow you to extend your wireless range? Is that the purpose for it?
 

Dravic

Originally posted by: StormRider
I don't understand the purpose of WDS. What advantage does it give you over using a wireless bridge in "client mode"? It seems to me that using a wireless bridge in client mode is better since it doesn't halve your bandwidth? Is WDS used to bridge 2 networks and at the same time allow you to extend your wireless range? Is that the purpose for it?

yes that is one of the uses for it, and in the past most wireless bridges/adapters like the dlinks i linked above only allow one wired client to be connected. The buffalo I have now has a 4 port switch (i assume it's a switch) built in, and allows multiple computers to connect using it.

WDS allowed you to link two wired networks together. I have a LAN upstairs and downstairs and wanted these to be connected securely without running the physical wires. You can also choose to allow other wireless devices to still use the access points for connection or not. I left the downstairs AP open for additional connections for my laptop. It was a point (upstairs) to multi-point (downstairs) set up.