Best Practices for Configuring Wireless Routers at Home

Introduction

With the start of the academic year, a lot of folks are moving into new houses or apartments off-campus and setting up their own home Wi-Fi wireless routers. With the increased numbers of these wireless routers and the increased coverage ranges associated with newer Wi-Fi equipment, it’s important to review a number of network design issues for everyone’s benefit. There are four areas to cover:

1. Security – security – security!

2. Limiting access

3. Channel allocation

4. “Rogue” access point actions

Security

In terms of security, it is important to realize that because Wi-Fi is a technology based on radio transmissions, all data that you transmit is broadcast IN THE OPEN for all to “see”. With any one of a dozen free software tools that exist out there, any person who can pick up your wireless radio’s signal (including people just parked out on the street with a laptop) is able to capture anything that you’re sending over the network, including passwords, credit card information, banking information — unless your information is encrypted. Most web sites that request that information use SSL (https) technology to provide that encryption; however, not all do. The good news is that your wireless router has the ability to encrypt the information that’s transmitted over the air (i.e. between your machine and your wireless router); the bad news is that it looks like many of the people with wireless routers at home aren’t turning that on.

Yesterday, for example, I saw five home wireless routers (other than my own) that are within radio coverage of my house (how I know that is something I’ll cover later) — two of them have no encryption configured on them. There are two primary mechanisms for encryption with Wi-Fi technology in homes – one of them is part of the original standard and has to be on all devices, the other is newer and won’t be there on older equipment: these mechanisms, respectively, are called WEP and WPA. In both cases, you set a “key” (or password) that you configure on your wireless router and on any device you have in your home that uses the wireless router. That key acts both as a password, restricting access to those who know the key, and as an encryption mechanism that keeps the data from being easily “eavesdropped” on. If you can use WPA (again, many older wireless routers and older computers don’t support this), USE IT (with a secret key), as the encryption mechanisms are much stronger; but even if you can’t use WPA, you really should be using WEP for your own safety. And remember to change the login ID and password on your home router from the default.

Limiting Access

It is extraordinarily easy for anyone to see what other wireless routers are within the radio coverage area of their house. There are free tools out there, like NetStumbler, that can show you the names (SSIDs) of available wireless routers/access points, whether or not they’re using encryption (WEP/WPA) and what channel they’re transmitting on (more about that later). There are two ways that you can limit who can connect through your wireless router: (1) WEP/WPA configuration as indicated above, or (2) restricting access to specific network hardware addresses. Even if you don’t do the WEP/WPA thing, you should at the very least restrict access to the specific network addresses of the devices in your house. Otherwise, ANYONE that “hears” your wireless router can connect to it and use your Internet bandwidth (and you wonder why your network throughput has sucked lately!). Not only does that affect your own Internet access, but if someone other than your family is using your network connection and doing really bad things out there, you will probably hear about it.

So how can you tell if someone else is connected to your wireless router? Most of these devices have a web interface to them that provides the configuration/setup pages; those pages usually have a place that shows you what other hardware addresses are connected. Another thing to do is to make sure you know what your baseline Internet performance numbers are; if you think your connection “seems slower than normal”, verify it quantitatively. ITS maintains a publicly accessible “Network Diagnostic Tool” page, which is an Internet2 network performance measurement application. If you pull up a web page to http://ndt.itcc.unc.edu:7123 and click on START, you’ll get a measurement of your upstream/upload and your downstream/download throughput, as well as a boatload of other performance data. For example, through my RoadRunner connection at home, I get between my house and the UNC campus an upload (outbound) throughput of 354 Kb/sec and a download (inbound) throughput of 4.74 Mb/sec. If you use RoadRunner and you’re getting significantly poorer numbers than that, you might want to make sure you know who’s using your network.
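The check described above, comparing the hardware addresses your router lists against the devices you actually own, can be scripted. This is an added example, not part of the original article; the addresses, the device names and the layout of the pasted client table are constructed, since every router formats that page differently.

```python
import re

# Hardware addresses of the devices in the house (constructed values),
# written in the three notations different devices and labels use.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "family desktop",
    "00-11-22-AA-BB-CC": "laptop",
    "0011.22dd.eeff": "game console",
}

# Constructed text, as if copied from a router's attached-devices page.
CLIENT_TABLE = """\
desktop     192.168.1.100  00:11:22:33:44:55
laptop      192.168.1.101  00:11:22:aa:bb:cc
unknown     192.168.1.104  02-1A-2B-3C-4D-5E
console     192.168.1.102  00:11:22:DD:EE:FF
"""

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff,
# but not dotted IP addresses.
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"
    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b"
)


def normalize(mac):
    """Return a hardware address as lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit hardware address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def unknown_clients(table, known):
    """List connected addresses that are not among the known devices."""
    allowed = {normalize(mac) for mac in known}
    found = []
    for line in table.splitlines():
        match = MAC_RE.search(line)
        if match and normalize(match.group()) not in allowed:
            found.append(normalize(match.group()))
    return found


if __name__ == "__main__":
    for mac in unknown_clients(CLIENT_TABLE, KNOWN_DEVICES):
        print("not one of ours:", mac)
```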

Channel Allocation

Just like radio stations operate at different frequencies (88.9, 90.7, 105.1, etc.), so does Wi-Fi technology. Without getting into a detailed description of exactly how the technology works, the important point here is that there are only three non-overlapping channels that can be used with 802.11b or 802.11g technology without creating interference within a given radio space: channels 1, 6, and 11 (these are settable on your wireless router, but I’m guessing most people go with the factory defaults). If you have more than one wireless access point in a given radio coverage area set for the same frequency range, you can get reduced performance as the wireless routers and wireless clients will interpret the other signals on that channel as “noise” and interference. The NetStumbler tool referred to above will show you all the other access points that are within radio range of your house and on what channel they’re operating. This tool will also display the signal strength at which you’re “hearing” those other wireless routers. Decide on an appropriate channel configuration for your router based on that information. Even better, the 802.11a standard allows for 11 non-overlapping channels, so you’ve got a LOT more options there. Recommendation: if you can get a wireless router and network devices that support 802.11a, use that.
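One way to turn a survey of nearby access points into a channel decision, as an added example that is not part of the original article. The survey entries are constructed, and the scoring rule (sum the received power of every neighbor whose channel overlaps the candidate) is an assumption chosen for simplicity.

```python
# Constructed survey: (SSID, channel, signal strength in dBm), the three
# values a survey tool reports for each access point it hears.
SURVEY = [
    ("linksys", 6, -48),
    ("NETGEAR", 6, -71),
    ("home-2f", 11, -80),
    ("default", 1, -62),
    ("belkin54g", 3, -85),
]

CANDIDATES = (1, 6, 11)  # the three non-overlapping 802.11b/g channels


def overlaps(a, b):
    """2.4 GHz channel centres sit 5 MHz apart and an 802.11b signal is
    about 22 MHz wide, so channels fewer than 5 numbers apart overlap."""
    return abs(a - b) < 5


def dbm_to_mw(dbm):
    """Convert dBm to milliwatts so that signal powers can be added."""
    return 10 ** (dbm / 10.0)


def channel_load(channel, survey):
    """Total received power (mW) from neighbors overlapping `channel`."""
    return sum(dbm_to_mw(signal)
               for _ssid, ch, signal in survey
               if overlaps(channel, ch))


def best_channel(survey, candidates=CANDIDATES):
    """Candidate channel with the least overlapping neighbor power.
    Ties go to the first candidate listed."""
    return min(candidates, key=lambda c: channel_load(c, survey))


if __name__ == "__main__":
    for c in CANDIDATES:
        print("channel %2d: %.3e mW of neighbor signal" % (c, channel_load(c, SURVEY)))
    print("use channel", best_channel(SURVEY))
```

Note that the neighbor on channel 3 counts against both channel 1 and channel 6, which is why off-standard channel choices hurt more than one of the three usable channels.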

Related to this issue is the fact that since Wi-Fi uses non-licensed frequencies, you might see wireless equipment other than Wi-Fi devices using those same frequencies, particularly cordless phones. Most cordless phones operate on one of three different frequencies: 900MHz, 2.4GHz, and 5GHz. Amazingly enough, 802.11b/g operates at 2.4GHz and 802.11a operates at 5GHz. Significant radio frequency interference can occur, so coordinate your Wi-Fi deployment carefully with any cordless phone deployment.

Rogue Access Point Actions

Some higher-end/new models of wireless routers/access points allow for something referred to as “rogue AP detection/action”. This is useful within a large institutional network, wherein you tell all of your access points/wireless routers the addresses of all of the other centrally managed access points/wireless routers that are “good” devices; users on any other access points that are then detected are sent “de-authentication” messages, which effectively knock them off of their own access point. While that may be useful in an institutional setting where you’re trying to control and manage the overall network infrastructure, it is NOT appropriate to use in a home/neighborhood environment, where you could be causing your neighbor to disconnect from their own home router. If your home system does have a “rogue AP detection” mechanism, please make sure it is shut OFF.

Conclusion

I hope this helps your neighborhood to have a better quality of home network performance. And remember, if you have problems, try upgrading your router firmware.

Jim Gogan – Information Technology Services (ITS)