WirelessGuy0
Premium Member
join:2004-04-24

1 edit

WirelessGuy0 to eranros

Premium Member

to eranros

Re: Two problems with the new firmware


Restricted Wireless MAC Addresses
said by eranros:

I entered that MAC into Recognized Bridges list, but at the bottom of the page under Authenticated Clients, it is listed as Associated, but un-authorized. Whatever I try will not change that - until I disable Wireless Bridge Restriction Mode, and then it connects.
Does anyone else have that problem? Does anyone have a solution?
Thanks guys.
Sounds like you are entering the MAC Address into the wrong area. "Authorized Bridges" is for entering other access points in (such as WDS Mode). You want to enter your MAC Address for your laptop and other devices under the "Restricted Wireless MAC Addresses" section... Also make sure your MAC address is entered in this exact format XX:XX:XX:XX:XX:XX

If you are using WPA-PSK, there is no reason to filter MAC addresses, it won't provide any further security...

Hope this helps!
eranros
join:2004-06-09
Israel

eranros

Member

Right as always WG! Though "Restricted Wireless MAC Addresses" is a bit misleading, don't you think? I thought it was only for restricting...
BTW, why do you think MAC restrictions don't add to WPA-PSK security?

Any clue as to why they changed the protocols option in the port forward section? What happens when you fill all the available boxes - does it offer more? If you're asked by Motorola - can you mention this please
Thanks again.

TexasFlood
join:2005-07-01
Aurora, CO

TexasFlood to eranros

Member

to eranros
said by eranros:

There are 2 issues I found:

1. In the port forwarding page you can only choose one protocol (TCP or UDP) and not BOTH, as in the previous version. WHY?????

2. A more critical problem is in the Wireless section. I prefer to enable MAC authorization on my network. That worked flawlessly in 5.13. Now I entered the MAC of my PDA WLAN card - that works fine. However, my laptop, using the Motorola WN825G card, will not get authorized, and therefore can't connect. The router reports the right MAC in the LAN section, and I entered that MAC into Recognized Bridges list, but at the bottom of the page under Authenticated Clients, it is listed as Associated, but un-authorized. Whatever I try will not change that - until I disable Wireless Bridge Restriction Mode, and then it connects.
Does anyone else have that problem? Does anyone have a solution?
Thanks guys.
I don't know why they left off the both UDP&TCP option on forwarding. Would doing two rules, for both UDP and TCP, work? I know it is a pain and cuts the potential rules you can add in 1/2, but looks like something you will have to work around. I hadn't even noticed since I am using these as bridging routers to extend my network, not as a front end router. As for the MAC filtering, as WirelessGuy said, just make sure they are in the "Restricted Wireless MAC Addresses" section, not the "Recognized Bridges" in allow mode and it should work. FYI when I was using WEP, my MAC would show up as associated but not authorized, now WITH WPA it shows as authorized as well.
WirelessGuy0
Premium Member
join:2004-04-24

WirelessGuy0 to eranros

Premium Member

to eranros
said by eranros:

Right as always WG! Though "Restricted Wireless MAC Addresses" is a bit misleading, don't you think? I thought it was only for restricting...
BTW, why do you think MAC restrictions don't add to WPA-PSK security?
MAC addresses are easily spoofed and are broadcast in the clear (unencrypted), it is easy to clone a MAC address to any piece of wireless hardware. WPA will offer all the security you need. Think of it like this, if the front door of your house is a 3" solid steel plate door with 14 deadbolt locks on it and you have a flimsy screen door on the outside, will locking that screen door provide any additional protection over the solid steel door?
said by eranros:

Any clue as to why they changed the protocols option in the port forward section? What happens when you fill all the available boxes - does it offer more? If you're asked by Motorola - can you mention this please
Thanks again.
This I don't have an answer for, I have never really messed much with the port forwarding and such so I am not that familiar. However, you can thank "yours truly" for the large number of port forwards and port trigger slots available... In the earlier Betas of the ver 6 firmware, there was only about 1/2 the number of slots. Same goes for the Filters page as well... They thought I was nuts, I told them to add them because there are users who would use them...

schaps
Premium Member
join:2004-01-15
Saint Paul, MN

schaps

Premium Member

said by WirelessGuy0:

MAC addresses are easily spoofed and are broadcast in the clear (unencrypted), it is easy to clone a MAC address to any piece of wireless hardware. WPA will offer all the security you need. Think of it like this, if the front door of your house is a 3" solid steel plate door with 14 deadbolt locks on it and you have a flimsy screen door on the outside, will locking that screen door provide any additional protection over the solid steel door?

That's a good analogy, but it would be more accurate if the screen door were INSIDE the steel door. If someone is skilled enough to break your WPA (steel door), the MAC filtering (screen door) would not even slow him down once he's got the WPA out of the way. It is more likely to just cause you problems when you change out cards, etc.

However, if you manage a network of users wherein someone else has access to the WPA key (for example, the weekend-tech-geek boss), despite your best efforts, some people will always write passwords down where they can be found by others. In that case, MAC filtering may help you deny someone who'd like to explore your network but is not willing or able to spoof a MAC address to do it.

TexasFlood
join:2005-07-01
Aurora, CO

TexasFlood

Member

said by schaps:

That's a good analogy, but it would be more accurate if the screen door were INSIDE the steel door. If someone is skilled enough to break your WPA (steel door), the MAC filtering (screen door) would not even slow him down once he's got the WPA out of the way. It is more likely to just cause you problems when you change out cards, etc.

However, if you manage a network of users wherein someone else has access to the WPA key (for example, the weekend-tech-geek boss), despite your best efforts, some people will always write passwords down where they can be found by others. In that case, MAC filtering may help you deny someone who'd like to explore your network but is not willing or able to spoof a MAC address to do it.
MAC filtering was just one of a number of steps that I hoped would cumulatively yield better security. I should probably remove it now as WPA security should stand on its own and might add some overhead (though probably slight) to the routers. I used to -try- (rarely lived up to it), to change my WEP keys every couple of weeks to mitigate the risk of break-ins. It was a pain, but password changes are a good part of any security plan. With WPA in place now, I don't really see the reason for it, as I have pretty tight control of access. However, I will probably change them every so often anyway, just because it is the right thing to do.
WirelessGuy0
Premium Member
join:2004-04-24

WirelessGuy0 to schaps

Premium Member

to schaps
said by schaps:

it would be more accurate if the screen door were INSIDE the steel door. If someone is skilled enough to break your WPA (steel door), the MAC filtering (screen door) would not even slow him down once he's got the WPA out of the way.
That is correct... Yours is even a better analogy...
eranros
join:2004-06-09
Israel

eranros

Member

True, but the screen door is there for mosquitoes, not burglars...:D
I get the point. Thanks for the explanation. Off with the MAC address filtering.

BTW WG, remember that odd bug I had where the router wouldn't forward ports if the IP address was 12 digits? That's fixed too in v6.14!

I also like the fact that there is no restart after applying changes - that was really "old school", even my 3-year-old Linksys didn't need that...

Does anyone know what type of Firewall is installed? Is it Stateful Inspection? Is it worth having on, or will it slow down traffic (Stateful Inspection slowed my Linksys considerably)? What advantage does it offer to simple NAT?
WirelessGuy0
Premium Member
join:2004-04-24

WirelessGuy0

Premium Member

said by eranros:

BTW WG, remember that odd bug I had where the router wouldn't forward ports if the IP address was 12 digits? That's fixed too in v6.14!
Glad to hear, sounds like a LOT of things got fixed in 6.14
said by eranros:

I also like the fact that there is no restart after applying changes - that was really "old school", even my 3-year-old Linksys didn't need that...
However, IF you are using the time features on the Filters page, you will need to do a restart after making all your changes otherwise the clock on the Basic page will read the incorrect time. It appears to apply your time zone correction twice, once on restart and once after you hit apply on any page. So if using the Time feature, just make sure when you are ready to log out, you do a quick restart to make sure your clock is set correctly...
said by eranros:

Does anyone know what type of Firewall is installed? Is it Stateful Inspection? Is it worth having on, or will it slow down traffic (Stateful Inspection slowed my Linksys considerably)? What advantage does it offer to simple NAT?
Not sure on this one, I leave mine on all the time, on the Shields Up! test it shows all my ports as being stealth... I would leave it on...
eranros
join:2004-06-09
Israel

eranros

Member

I tried shields up with and without the firewall - only difference is that without the firewall pings (ICMP Echo) were not blocked. Didn't the v5.13 have a setting for ICMP (or was it the Linksys...)?

I found that for the time settings, if I refresh the page, the time is corrected, even without restarting the router. I do use an Internet Time Server.
eranros

eranros to Bryant Smith

Member

to Bryant Smith

Another feature removed in v6

Just found one more feature removed: If you have a DHCP connection, you can no longer set your DNS server IP manually.
This becomes important when your ISP has problems with its DNS server. Then it's useful to add a DNS of one of the other ISPs in your country.
A workaround is to put the DNS directly into your TCP/IP settings. I have it set so that my TCP/IP has the router's IP as the primary DNS (and thus uses the DNS received automatically from the ISP), and the "foreign ISP" setup as the secondary DNS.
BTW, it's useful to have the list of the leading ISPs in your country, just in case...;)
WirelessGuy0
Premium Member
join:2004-04-24

WirelessGuy0 to eranros

Premium Member

to eranros

Re: Two problems with the new firmware

said by eranros:

I found that for the time settings, if I refresh the page, the time is corrected, even without restarting the router. I do use an Internet Time Server.
I use the Internet Time Server as well, but even refreshing the page doesn't correct my time... I need to do a restart and then it is correct again...
eranros
join:2004-06-09
Israel

eranros to Bryant Smith

Member

to Bryant Smith

Tunneling protocol gone?

The v5 had at least PPTP protocol (I'm not sure about L2TP). I don't see them now. Any chance they'll be in the final version?
WirelessGuy0
Premium Member
join:2004-04-24

WirelessGuy0

Premium Member

said by eranros:

The v5 had at least PPTP protocol (I'm not sure about L2TP). I don't see them now. Any chance they'll be in the final version?
From what I understand, what you see is what you get, I think this pretty much is the final version...
eranros
join:2004-06-09
Israel

eranros

Member

Why would they remove the tunneling protocol? It makes the router less compliant in certain places. Some ISPs demand you use a dialer, even with cables, and if you have a router you need L2TP or at least PPTP.
WirelessGuy0
Premium Member
join:2004-04-24

WirelessGuy0

Premium Member

said by eranros:

Why would they remove the tunneling protocol? It makes the router less compliant in certain places. Some ISPs demand you use a dialer, even with cables, and if you have a router you need L2TP or at least PPTP.
I have no idea, I am not a designer or engineer, only a beta tester...

TexasFlood
join:2005-07-01
Aurora, CO

TexasFlood to eranros

Member

to eranros
said by eranros:

The v5 had at least PPTP protocol (I'm not sure about L2TP). I don't see them now. Any chance they'll be in the final version?
As time goes by, it's amazing what I haven't noticed about the beta firmware. Guess I have tunnel vision and only see what is applicable to me. You could always stick with 5.03. It actually worked OK for me.
TexasFlood

2 edits

TexasFlood to PinkySwear

Member

to PinkySwear

Re: WR850G firmware leaked

said by PinkySwear:

TexasFlood said:
Yahoo! Finally graduated from WEP. I got the old junky Windows 98SE box working with WPA(PSK) using WSC Guard.
Hey, Congratulations!
I know you've gotta feel a lot more secure, now.

I do actually. But I am questioning if it is worth it. My network was pretty stable under WEP. Since switching to WPA, the WR850Gs keep zoning out and becoming inaccessible. I am hoping to find something I can fix, but may have to fall back to using WEP and just change the keys more often. I did notice that the group key renewal time on the Linksys units, which don't lose contact, are set by default to 3600 seconds and the WR850Gs are set by default to 86400 seconds. Should I set them all the same? I have no idea what this setting does or should be set to on my various routers. I just set them all to zero as a stability experiment, but this is probably not optimal, but figured I would turn it off until I learn a bit more about what this setting does.
WirelessGuy0
Premium Member
join:2004-04-24

WirelessGuy0

Premium Member

said by TexasFlood:

I did notice that the group key renewal time on the Linksys units, which don't lose contact, are set by default to 3600 seconds and the WR850Gs are set by default to 86400 seconds. Should I set them all the same?
The 86400 setting in the Motorola is for the DHCP Lease time... Under WPA, the Network Key Rotation Interval I have set to 300.

I would make sure the settings are the same between your Linksys and your Motorola. How is your network set up? Why 2 routers?

WPA-PSK has been VERY stable for me on my Motorola.

TexasFlood
join:2005-07-01
Aurora, CO

TexasFlood

Member

said by WirelessGuy0:

said by TexasFlood:

I did notice that the group key renewal time on the Linksys units, which don't lose contact, are set by default to 3600 seconds and the WR850Gs are set by default to 86400 seconds. Should I set them all the same?
The 86400 setting in the Motorola is for the DHCP Lease time... Under WPA, the Network Key Rotation Interval I have set to 300.

I would make sure the settings are the same between your Linksys and your Motorola. How is your network set up? Why 2 routers?

WPA-PSK has been VERY stable for me on my Motorola.
I will try setting them the same. I thought the simplest test to see if that was the issue was to just turn them off for a while. If I understood what that setting did, I might feel more comfortable. Like, 300 seconds from when. If I reboot a router, how do they stay in sync? I just don't understand it and haven't had time to look it up. I actually have a Linksys WRT54G attached to my cable modem. I picked up one for a friend, so until he comes by and takes it, I have two WRT54Gs. I also bought two WR850Gs. I got a pretty good deal on them and wanted two things out of them - 1) better coverage throughout the house and 2) to replace an old 802.11b bridge to a game system and to wirelessly attach a wired printer in a guest room. I was able to get all of that by adding a couple of pretty inexpensive routers that could be used as combo wireless bridges and range expanders. Seems like a heck of a deal to me. If my house was wired, I wouldn't need it, but it isn't.
WirelessGuy0
Premium Member
join:2004-04-24

WirelessGuy0

Premium Member

You really shouldn't need to keep them "in sync" as they should be renewing the keys based on the time from association with a client, not when they boot up...

You might want to power down your network, then power up your main router, then one at a time power up your "other" routers and give them time to associate and such...

TexasFlood
join:2005-07-01
Aurora, CO

TexasFlood

Member

said by WirelessGuy0:

You really shouldn't need to keep them "in sync" as they should be renewing the keys based on the time from association with a client, not when they boot up...

You might want to power down your network, then power up your main router, then one at a time power up your "other" routers and give them time to associate and such...
Thanks for the explanation. I just set them all the same, and not zero this time. Hopefully stability will come back to rejoin security in my network.
trevi55
join:2004-09-09

trevi55 to Bryant Smith

Member

to Bryant Smith
DNS servers can be edited only in the "Static" mode. I'm in that situation, so I don't need this feature...

About DDNS services, I've tried it using DynDns and it really seems to work well. My configuration is this: An ISDN router with a dynamic WAN IP (assigned by ISP), and a static LAN IP which is the gateway of my Motorola Router (that has a static IP too).
Well... In this situation, DynDns.org recognises exactly my external public IP (assigned to the ISDN router) and the Motorola router updates it correctly. Btw I don't know how often the wireless router checks the new external IP...

Bye!
dantm
join:2005-01-14
Quincy, MA

dantm

Member

Guys one more question, I'm sure you can point me in the right direction.

What I want to do is have a FTP server behind this router -- so far all I've been able to do in the previous version 5.1.3 was to have the IP of the server computer in the DMZ, and then I could connect to it.

Right now with 6.1.4 I can't get to the FTP server (it was working just before switching to this firmware) even if I do put the IP in the DMZ.

Can anybody let me know if there's a better way to have a FTP server behind this router and what the settings should be with 6.1.4???

Many thanks!

zvolts
Premium Member
join:2005-02-04
Mikado, MI

zvolts

Premium Member

dantm,

I just set a static IP on my FTP server and forwarded TCP ports 21 (control) and 20 (data) on the router to that static IP.
will5
join:2004-08-19

will5 to Bryant Smith

Member

to Bryant Smith
I have upgraded mine to 6.14 and my modem light stays red all the time..
Everything works smoothly, but I have a feeling it's not a professionally designed release.
No log reports, every page is too long, need to scroll, no static DHCP,
no security restrictions for websites and keywords to limit children access.
Hopefully many things will be added and fixed to match their competitors.

xabba
join:2001-09-26
Summerfield, NC

xabba to dantm

Member

to dantm
Had the same problem as dantm, port forwarding stopped working including DMZ (couldn't access my server unless using its local 192.168.10.xx address). I had no problems with 4.03 so I downgraded again. Will be waiting for the final release.
dantm
join:2005-01-14
Quincy, MA

dantm

Member

Yeah, I've continued to play with this and I can't access my PC behind the firewall. Also where do you define static routes to that PC?

(regardless, it should work if that IP was DMZ, correct?)

THANKS!
trevi55
join:2004-09-09

trevi55 to Bryant Smith

Member

to Bryant Smith
This is strange... I don't use a FTP server, but my PC is absolutely accessible (on some ports) behind the Router...
And I've not only the Motorola Access Point, but as you can see above, I've also another router which forwards to the moto router...

Look for example: 3v1.homeip.net:4711/ it's a my local pc page!

I just used the routing settings of the Moto router and set my PC with a static local IP (with a client ID not selectable by DHCP)

BYE!
eranros
join:2004-06-09
Israel

eranros

Member

Did you do any port forwarding? Try ShieldsUp or www.auditmypc.com/ and see which ports are open.