Using WDS with MAC list for Xbox 360 (no WEP/WPA) - how vulnerable am I

[davidrees]

Most of my network is wired right now. I have a work laptop but I don't use it much at home. I may get another laptop soon so that will play into this situation.


I have:

Linksys WRT54G v1.1 with v4.21.1 (latest) firmware
--10/100 connect to printer
--10/100 connect to GbE switch::
--WDS connect to Gigabyte AP::

::Netgear Gbe 5 port Switch
Gaming PC (Vista 64)
Gaming / Family PC (XP Pro)
DLink DNS 323 NAS (mirrored 1.5GB Samsung 5900RPM)

::Gigabyte AP01g "Access Point" (1.13 fw = latest)
10/100 ethernet patch cable to Xbox 360 in living room (access to media on NAS, Xbox Live, Netflix)

So it took me a few hours to get WDS figured out. I upgraded all the firmware, made a few mistakes on entering MAC addresses, etc. Now that it is working, it is pretty slick. Netflix runs pretty well in the LR and I can get to my media files on the DLink NAS.

What worries me is that right now the only security I have is MAC address white lists and I know that it's probably a hassle, but not difficult to spoof that and if someone did, they would (probably) be on my Ethernet network (yikes)

I tried going through several WPA and WEP options but once I turned those on, I would always lose the connection - I could never get any setting working on both sides so right now, the wireless side is pretty open (again, other than MAC filtering)

I live in a suburban / semi rural area on the outskirts of Central Texas. A few neighbors have unsecured WiFi but I never see more than 2-3.

Any suggestions on how to make this more secure? I am probably most worried about someone getting access to the DLINK DNS323 NAS box and just formatting it or something. I don't have many accounts and I am going to double check them for strong passwords, but if anyone has any ideas, I am open.

I was wondering how much of a pain it would be to build a little RADIUS server but that seems ridiculous and I don't know it that well.

I am a former IT guy (4 years ago) with good networking and Windows skills, but not much Linux. Any ideas?

 

[xSauronx]

put dd-wrt (or maybe tomato, if its compatible) on the linksys and see if that will coexist with the AP using any security

if it wont, get another 54g or some other ddwrt/tomato compatible router and use it as a WDS node. mac filtering is indeed crap, though i expect it would be enough to keep a majority of people off your network.

either of those would be way simpler than setting up a RADIUS server, im sure

 

[Madwand1]

Or you could get another router, any modern wireless router, use it as the main router + AP, install DD-WRT or Tomato on the WRT54G v1, and run that in client bridge mode in place of the Gigabyte. This is faster than WDS with repeating and supports WPA2. If you really want wireless "repeating", you could add the Gigabyte back on another channel as a standard AP -- this would minimize the bandwidth impact.

In this configuration the main router would be running as a standard router / AP, so it wouldn't need DD-WRT.

 

[davidrees]

Well, if I am going to spend money the best plan would be to just bite the bullet and buy the WiFi adaptor for the Xbox 360. You can sometimes find it for $80 and I am sure that would allow me to use more security. However, I like using a device independent solution as it seems there are more and more things that like to use the internet and access your network and I am inclined to be interested in those things.

I looked at the DD-WRT firmware last night. I am strongly considering doing that and so far I don't see a downside. My WRT54G is version 1.1 which has 16MB RAM and 4MB Flash so it seems easy to upgrade (as long as you don't get the wrong FW and brick it).

My concern is the Gigabyte AP01G. I picked this up for $20 at a local store and it appears to be from around 2005 where as the WRT54G I have is around 2006. My suspicion is that the AP has a poor or early or incomplete implementation of the different key / security systems and still might not work with the router.

In the mean time, I went through all my systems, assigned new and long/random passwords and remade my user accounts on the NAS with difficult users/passwords and made sure no data was "open" (it was before I did this).

 

[Madwand1]

Originally posted by: davidrees
Well, if I am going to spend money the best plan would be to just bite the bullet and buy the WiFi adaptor for the Xbox 360. You can sometimes find it for $80 and I am sure that would allow me to use more security.

That makes sense if you're not up to the technical work or have really tight space constraints.

The Asus WL-520gC is currently $30 on the 'egg. It's good as a wireless bridge running DD-WRT, and can handle the XBox and additional devices (e.g. Blu-Ray player, TV, etc -- these increasingly have LAN ports). It is not recommended as a router, as it has limited flash RAM. The WL-520gU, currently at $45, can run a more full-featured version of DD-WRT.

Another cheaper option is the WL-500W, currently $64 AR. This one I'd consider as the main router and not just a bridge, possibly keeping the Gigabyte for g-only devices.

 

[JackMDS]

Originally posted by: Madwand1

The WL-520gU, currently at $45, can run a more full-featured version of DD-WRT

:thumbsup:


david

This is currently the best Price/Performance Sweet spot.

Both with DD-WRT would work well and be compatible with No hassle.

 

[imported_hopeless]

I could be wrong but I've always thought of WDS as really to extend your wireless distance.

If WDS is the only way to use the AP01g, I'd really look into replacing it with a router that can be flashed with tomato or dd-wrt.

When I wanted to get wireless to my 360 I didn't have any wireless and at the time everyone was recommending the WRT54GL, which is a re-release of what the WRT54G was before they took out the ability to use third party firmwares. I bought 2 of them and put tomato firmware on both (using WPA w/ AES) and the only problem I had was living in an apt complex with a lot (12+) of wireless APs.

Now there are a few other choices that can be flashed with either tomato or dd-wrt.

 

[davidrees]

I am working on a better solution, but in the mean time, I am having some kind of routing problem.

I am using a 10.0.0.x network where .1 is my WRTG54G, .2 is the AP and .36 is the Xbox360

When the Xbox is using the AP to get to the network, I can get to the internet (Xbox Live) and I can see Windows Media Center on my main PC, but when I try to connect to WMC, as soon as I see the menu on the Xbox, it locks up and says it disconnected from the PC.

When I take the Xbox back to the computer room and put it on the wire (same IP info) it goes into the Gbe switch and is able to use WMC without any issues.

My conclusion is that the WRTG54G is trying to keep my network private or disallow some of the traffic. When I go to the wire, I connect to the PC *before* I get to the router so it works fine.

Trying to figure this out...

 

[davidrees]

I am sure a lot of people know a lot of this, but in case someone find this thread and wants to use it as a reference to to help triangulate a similar problem I thought I would include more updates.

I did not realize that Windows Media Center had a network test/tune applet built in. Apparently it is not always completely accurate but what I discovered was that when I would run WMC on my Xbox360 through my WDS wireless connection, it would often get to the main screen and seemingly freeze. I brought the Xbox and AP back to the computer room to troubleshoot. My monitor has 2 VGA inputs and I have a VGA cable for the 360 so I am able to flip back and forth between the Xbox screen and my PC.

Where I thought the WMC screen on the Xbox was freezing, it actually was working, but so bandwidth starved that any control input had response latency of up to 30 seconds or so. This completely went away when I put it on the ethernet. (edit: apparently running the Xbox 360 as a WMC extender is similar to a remote desktop connection - only with multi media streaming included)

One thing I found interesting was that even on the ethernet (Xbox is 10/100 but it was on my GbE switch) and even with ONLY my PC and the Xbox on the GbE switch, the WMC console said I did not have adequate bandwidth to support reliable HDTV (edit: also, the bandwidth graph was all over the place - massive spikes). When I ran the networking graph, my connection looked like it was barely adequate for standard TV.
This did not seem right to me - I have an E5200 @ 3.5Ghz, 4GB RAM and nothing else going on on my PC and yet with ONLY the PC and Xbox on the GbE switch, I can only muster SDTV bandwidth? That's crazy.

Doing more research, other people had similar problems and said to make sure "flow control" was enabled on your PC NIC (I got excited and checked but it was already enabled). Then I decided to reconnect everything to the network and move the Xbox ethernet cable from the GbE switch to the 10/100 port on my WRT54G (which is now running DD-WRT - which is neato, but not giving me any new capabilities so far)

So when my PC is on the GbE switch and the Xbox is on the WRT54G (10/100 ethernet between them) then the bandwidth meter on WMC goes from massive up and down spikes to mostly being pegged at maximum with the occasional, minor down spike. In other words, putting each device on a network switch with it's own native speed has made everything appear much faster.

I can only speculate that the GbE switch has problems running 10/100 clients with GbE clients (it's a Netgear 5 port home model - $32.99 from Frys) - probably something in the way it runs those two modes together. Very interesting. I have come to the conclusion that security issues aside, my little wireless networking scheme just does not have the bandwidth to support what I want to do.

My plan at this point is to invest in some quality ethernet over powerline adaptors. I think that this will be a better long term solution. We plan to add a Wii and a new HDTV - maybe one with fancy network features and who knows what else.

The LINKSYS PLK300 is $120 ish at newegg and seems to be well reviewed.
http://www.newegg.com/Product/...6&Tpk=LINKSYS%20PLK300

Thanks for the input everyone - if you have anything else to add, I would love to hear it.

 

[JackMDS]

I do Not understand why the WDS term is keep coming again and again.

Your toplogy does not call for WDS but rather setting the second Router as Wireless Bridge.

Bridge is more compatible with variety of Source Router and it is more stable than WDS.

http://www.dd-wrt.com/wiki/index.php/Wireless_Bridge

 

[davidrees]

Jack, you are correct, WDS is not ideal for my network - however, my second wireless device is NOT a router - it is an AP and it does not have bridge capability. The WDS implementation is a hack to make do with what I have at the moment.

I am seeing some cheap WRT devices on craigslist, I think I will pick one up and try a bridge before I drop the coin on a powerline solution.

 

[davidrees]

I bought another WRT54G on craigslist for $20. It was a v6 model which are notoriously hard to install DD-WRT on (only 2MB of flash), but I got it up and working in client-bridge mode.

I tried Media Center on the 360 and it works very well. I had to do some tweaking, but now my bandwidth meter has me riding just under the line for HDTV and the tools in the routers seem to show me getting a consistent ~20Mb / sec.

Performance is consistent, but I have a plugin to watch internet TV and I don't think that is ever going to work well because it renders the TV on the PC and then streams frames through the network to the 360. Apparently it's very similar to remote desktop. Also, the DVD library is not accessible. None of these issues are due to problems with my network and at this point, I am very happy with the outcome.