Wifi Networks

Wifi – Equipment Configuration Modes

  • admin 

Source: http://wiki.openwrt.org/doc/start

  • Bridge AP

A bridged AP extends your existing wired host router with wireless capabilities. Clients connecting to OpenWrt get an IP address from the wired host router.

OpenWrt bridges the LAN network with the WLAN of the device in Access Point mode. The advantage of bridging is that broadcast traffic from wireless to LAN and vice versa works without further changes.

  • Routed AP

In the default configuration, OpenWrt bridges the wireless network to the LAN of the device. The advantage of bridging is that broadcast traffic from Wireless to LAN and vice versa works without further changes.

In order to separate the wireless network from LAN, a new network with the corresponding DHCP and firewall settings must be created. This document outlines the steps necessary to implement such a setup.

  • Client Mode

Client Mode Wireless

This article outlines several variants to realize wireless connectivity using Client or Station mode.

First of all, there are various reasons for this kind of setup. Examples are:

  • possibility to connect a single device or a whole network segment to an existing wireless access point
  • implementing a point-to-point link to connect two network segments
  • swapping roles of access point and client due to driver limitations
  • being able to take down the OpenWrt device without interrupting the rest of the network

OpenWrt supports various client mode setups, including WDS (Wireless Distribution System), routed client mode or bridged client mode (only on brcm-2.4).

WDS – Wireless Distribution System

The WDS mode is a non-standard extension to the wireless 802.11 standard using a 4-address format to allow transparent Ethernet bridging on the station and to implement seamless handover for wireless clients roaming between different access points.

Due to its non-standard nature, WDS is often implemented differently in wireless drivers and vendor firmware, making them incompatible with each other. To use WDS, one should use the same hardware and software on all deployed wireless devices for the best possible compatibility.

In OpenWrt there are two flavours of WDS available, depending on the wireless chipset and driver in use:

  • Broadcom WDS – available on Broadcom wireless chipsets using the proprietary wl.o driver
  • AP-to-Sta WDS – available for both Madwifi and mac80211 supported wireless devices

The biggest advantage of WDS is the Layer 2 transparency enabling bridging and broadcasting across the wireless connections – all involved network segments form one common broadcast domain.

  • Routed Client

Routed Client

In the default configuration, OpenWrt bridges the wireless network to the LAN of the device. Most wireless drivers do not support bridging in client mode (see Bridged Client Mode Issues), therefore the traffic between LAN and the wireless client must be routed.


If you have no administrative access (e.g. ability to configure static route entries) to the target Access Point, the local LAN subnet must be masqueraded to ensure proper routing.
When configuration of the target Access Point is possible, start with the masqueraded configuration below and proceed with the steps in the Using routing section to define a fully routed setup.


WDS: Wireless distribution system

  • admin 

Source: http://en.wikipedia.org/wiki/Wireless_Distribution_System

Wireless distribution system

A wireless distribution system (WDS) is a system enabling the wireless interconnection of access points in an IEEE 802.11 network. It allows a wireless network to be expanded using multiple access points without the traditional requirement for a wired backbone to link them. The notable advantage of WDS over other solutions is that it preserves the MAC addresses of client frames across links between access points.[1]

An access point can be either a main, relay, or remote base station. A main base station is typically connected to the (wired) Ethernet. A relay base station relays data between remote base stations, wireless clients or other relay stations to either a main or another relay base station. A remote base station accepts connections from wireless clients and passes them on to relay stations or to main stations. Connections between "clients" are made using MAC addresses.

All base stations in a wireless distribution system must be configured to use the same radio channel, method of encryption (none, WEP, or WPA) and the same encryption keys. They may be configured to different service set identifiers. WDS also requires every base station to be configured to forward to others in the system.

WDS may also be considered a repeater mode because it appears to bridge and accept wireless clients at the same time (unlike traditional bridging). However, with this method, throughput is halved for all clients connected wirelessly.


WDS may be incompatible between different products (even occasionally from the same vendor) since it is not certified by the Wi-Fi Alliance.


WDS may provide two modes of wireless AP-to-AP connectivity:

  • Wireless bridging, in which WDS APs communicate only with each other and don’t allow wireless clients or stations (STA) to access them
  • Wireless repeating, in which APs communicate with each other and with wireless STAs

Two disadvantages to using WDS are:

  • The maximum effective wireless throughput may be halved after the first retransmission (hop). For example, take two APs connected via WDS, with communication between a computer plugged into the Ethernet port of AP A and a laptop connected wirelessly to AP B. The throughput is halved because AP B has to retransmit the information during the communication between the two sides. However, for communication between a computer plugged into the Ethernet port of AP A and a computer plugged into the Ethernet port of AP B, the throughput is not halved since there is no need to retransmit the information. Dual band/radio APs may avoid this problem by connecting to clients on one band/radio and making a WDS network link with the other.
  • Dynamically assigned and rotated encryption keys are usually not supported in a WDS connection. This means that dynamic Wi-Fi Protected Access (WPA) and other dynamic key assignment technology in most cases cannot be used, though WPA using pre-shared keys is possible. This is due to the lack of standardization in this field, which may be resolved with the upcoming 802.11s standard. As a result only static WEP or WPA keys may be used in a WDS connection, including any STAs that associate to a WDS repeating AP.

Recent Apple base stations allow WDS with WPA, though in some cases firmware updates are required. Firmware for the Renasis SAP36g super access point and most third party firmware for the Linksys WRT54G(S)/GL support AES encryption using WPA2-PSK mixed-mode security, and TKIP encryption using WPA-PSK, while operating in WDS mode. However, this mode may not be compatible with other units running stock or alternate firmware.
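An added example, not taken from the OpenWrt wiki or the Wikipedia text quoted here: because WDS links are limited to static keys and OpenWrt bridges wireless to the LAN by default, this sketch parses a constructed `/etc/config/wireless` fragment and flags interfaces with no or WEP encryption, recording whether each is a WDS link and whether it is attached to the `lan` network. The section names and sample values are assumptions, and only single-quoted option values are handled.

```python
import re

# Constructed sample in OpenWrt /etc/config/wireless (UCI) syntax; not from the page.
SAMPLE_WIRELESS = """
config wifi-iface 'backhaul'
    option mode 'ap'
    option wds '1'
    option network 'lan'
    option encryption 'wep'

config wifi-iface 'guest'
    option mode 'ap'
    option network 'wifi'
    option encryption 'none'

config wifi-iface 'office'
    option mode 'ap'
    option wds '1'
    option network 'lan'
    option encryption 'psk2'
"""

SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")

def parse_uci(text):
    """Return (type, name, options) for each section; single-quoted values only."""
    sections = []
    for line in text.splitlines():
        if m := SECTION.match(line):
            sections.append((m.group(1), m.group(2), {}))
        elif sections and (m := OPTION.match(line)):
            sections[-1][2][m.group(1)] = m.group(2)
    return sections

def audit_wireless(text):
    """Flag wifi-iface sections with no or WEP encryption (a missing option counts as 'none')."""
    findings = []
    for stype, name, opts in parse_uci(text):
        enc = opts.get("encryption", "none")
        if stype == "wifi-iface" and (enc == "none" or enc.startswith("wep")):
            findings.append({"iface": name, "encryption": enc,
                             "wds": opts.get("wds") == "1",
                             "bridged_to_lan": opts.get("network") == "lan"})
    return findings

if __name__ == "__main__":
    for finding in audit_wireless(SAMPLE_WIRELESS):
        print(finding)
```

A finding with both `wds` and `bridged_to_lan` set is the one to fix first, since a weakly protected backhaul then shares the broadcast domain of the wired LAN.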


Suppose you have a WiFi-capable game console. This device needs to send one packet to a WAN host, and get one packet in reply.

Network 1: A wireless base station acting as a simple (non-WDS) wireless router. The packet leaves the game console, goes over the air to the router, which then transmits it across the WAN. One packet comes back, through the router, which transmits it wirelessly to the game console. Total packets sent over the air: 2.

Network 2: Two wireless base stations employing WDS: WAN connects to the master base station, that connects over the air to the remote base station, which talks over the air to the game console. The game console sends one packet over the air to the remote, which forwards it over the air to the master, which sends it to the WAN. Reply comes from the WAN to the master base station, over the air to the remote, and then over the air again to the game console. Total packets sent over the air: 4.

Network 3: Two wireless base stations employing WDS, but this time the game console connects by Ethernet cable to the remote base station. One packet goes from the game console over cable to the remote, from there by air to the master, and on to the WAN. Reply comes from WAN to master, over air to remote, over cable to game console. Total packets sent over the air: 2.

Notice that network 1 (non-WDS) and network 3 (WDS) send the same number of packets over the air. The only slowdown is the potential halving due to the half-duplex nature of wifi.[2]

But network 2 gets an additional halving because the remote base station uses double the air time: it is retransmitting over the air packets that it just received over the air. That's the halving that's usually attributed to WDS, but that halving only happens when the route through a base station uses over-the-air links on both sides of it. That does not always happen in a WDS, and can happen in non-WDS.

Important Note: This "double hop" (one wireless hop from the main station to the remote station, and a second hop from the remote station to the wireless client [game console]) is not necessarily twice as slow. End to end latency introduced here is in the "store and forward" delay associated with the remote station forwarding packets. In order to accurately identify the true latency contribution of relaying through a wireless remote station vs. simply increasing the broadcast power of the main station, more comprehensive tests specific to the environment would be required.

The risks of wireless networks (802.11 or Wifi)

Lack of security

Radio waves inherently propagate in all directions over a relatively wide range. This is why it is very difficult to keep radio transmissions within a limited area. Propagation also occurs in three dimensions. Radio waves can therefore pass from one floor of a building to another (with a high degree of attenuation).

The main consequence of this "unchecked propagation" of radio waves is that unauthorized people can listen to the network, possibly beyond the confines of the building where the wireless network has been set up.

The serious problem is that a wireless network can be installed very easily in a company without the IT department knowing. An employee only has to plug an access point into a data port for all communications on the network to become "public" within the transmission range of the access point.


Because it is so easy to "listen" to wireless networks, some people travel around the city with a wireless-capable laptop (or PDA) looking for wireless networks. This practice is called war driving (sometimes written wardriving or war-Xing). Specialized war-driving software makes it possible to map the exact location of these open access points with the help of a global positioning system (GPS).

These maps can reveal the insecure wireless networks that are available and sometimes allow people to access the Internet. Various websites were created to share this information. In fact, in 2002 some London students invented a kind of "sign language" to show where wireless networks are by marking their presence with symbols drawn in chalk on the sidewalks. This is called "warchalking". Two opposing semicircles mean that the area is covered by an open network that provides Internet access, a circle indicates the presence of an open wireless network without access to a connected network, and a W inside a circle shows that it is an adequately secured wireless network.


Security risks

Many risks arise from failing to secure a wireless network properly:

Data interception

A wireless network is insecure by default. This means that it is open to everyone, and anyone within the coverage area of the access point can potentially listen to the communications sent over the network. For an individual, the threat is not great since the data is rarely confidential, unless it is personal data. For a company, however, this can pose a serious problem.

Network intrusion

Installing an access point on a local network allows any station to access the connected network and also the Internet, if the local network is connected to it. This is why an insecure wireless network offers hackers the perfect gateway into the internal network of a company or organization.

Besides allowing the hacker to steal or destroy information on the network and giving him free Internet access, the wireless network can also lead him to carry out cyber attacks. Since there is no way to identify the hacker on a network, the company that installed the wireless network may be held responsible for the attack.

Radio interference

Radio waves are very sensitive to interference. A signal can therefore easily be disrupted by a radio transmission on a frequency close to the one used by the wireless network. Even a simple microwave oven can render a wireless network completely inoperable if it is used within range of the access point.

Denial of service

The network access method of the 802.11 standard is based on the CSMA/CA protocol, which consists of waiting until the network is free before transmitting data frames. Once the connection is established, a station must associate with an access point in order to send it packets. Because the methods for accessing the network and associating with it are known, a hacker can easily send packets to a station requesting that it disassociate from a network. Sending information to disrupt a wireless network is known as a denial-of-service attack.

Likewise, connecting to wireless networks consumes power. Even when peripheral wireless devices have power-saving features, a hacker may be able to send enough encrypted data to a machine to overload it. Many portable peripherals, such as PDAs and laptops, have limited battery life. A hacker can therefore cause excessive power consumption that leaves the device unusable for a time. This is called a battery exhaustion attack.
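An added detection example, not part of the original text: the disassociation requests described in this section show up on a monitoring sensor as bursts of 802.11 deauthentication or disassociation management frames aimed at one station. The sketch below counts them per target in a sliding window; the function names, the window and threshold values, and the frame records are all constructed assumptions.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes that tell a station to leave the network.
DISASSOCIATION, DEAUTHENTICATION = 10, 12

def detect_disconnect_floods(frames, window=5.0, threshold=10):
    """Alert once per station that receives >= threshold disconnect frames in `window` seconds.

    frames: time-ordered (timestamp_seconds, subtype, source_mac, destination_mac) tuples.
    """
    recent = defaultdict(deque)   # destination -> timestamps still inside the window
    alerted, alerts = set(), []
    for ts, subtype, src, dst in frames:
        if subtype not in (DISASSOCIATION, DEAUTHENTICATION):
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop frames older than the window
        if len(q) >= threshold and dst not in alerted:
            alerted.add(dst)
            # The source address of an unprotected management frame is not
            # authenticated, so it is reported only as what the frame claims.
            alerts.append({"target": dst, "claimed_source": src,
                           "count": len(q), "first_seen": q[0]})
    return alerts

def constructed_capture():
    """Constructed frame records: one ordinary disconnect, beacons, then a burst."""
    ap, sta_a, sta_b = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    frames = [(0.0, DEAUTHENTICATION, ap, sta_a)]
    frames += [(1.0 + i, 8, ap, "ff:ff:ff:ff:ff:ff") for i in range(5)]   # subtype 8 = beacon
    frames += [(10.0 + 0.1 * i, DEAUTHENTICATION, ap, sta_b) for i in range(12)]
    return frames

if __name__ == "__main__":
    for alert in detect_disconnect_floods(constructed_capture()):
        print(alert)
```

Tune the window and threshold against normal roaming behaviour on the monitored network. Where clients and access points support it, Protected Management Frames (IEEE 802.11w) let stations reject forged disconnect frames outright.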