Possible to set up a WEP network from a bridged WPA network?
I'm very sorry if this is in the wrong place - I'm fairly new to wireless networking in general and am wondering if this setup I've got going is even possible.
I live in a house which broadcasts WPA (in accordance with the forum rules, I am allowed to use this router but I have no physical access to it nor permission to change its settings, nor am I looking to gain either of those things - no cracking involved here!). However, I have a Nintendo DS Lite which plays a few games that can only connect to Nintendo WFC with a WEP connection.
I have a D-Link DIR-615 router that I have installed the latest version of dd-wrt firmware on, and it is currently functioning as a bridge (mostly in working order, wired devices receive spotty internet from it). Connected to that I have a TRENDnet TEW-652BRP router, which I would like to use to broadcast WEP for my Nintendo DS to connect to.
The TEW-652BRP so far can provide Internet access via ethernet to wired devices. However, when I enable WEP128, none of my devices are able to connect to it (my Nintendo DS gets an error code "51302", which apparently means the authentication settings are wrong, but I have re-tried entering the information many times, my Win7 laptop gives me an ambiguous error message). Furthermore, when I changed the TEW-652BRP wireless to WPA (with a different SSID and key than the house WPA router) to see if the wireless on it worked at all, my non-DS devices can connect to it just fine with Internet access.
Here is a network diagram of what I'm trying to do: i.imgur.com/o1eifN1.png
Is it possible to successfully broadcast WEP on the bottom-level wireless router?
Thank you for your time.
John GaltForward, MarchPremium
Try the 64-bit WEP...
|reply to SM |
Let's assume for the moment you get past your present problem, whatever that may prove to be. THIS IS A REALLY BAD IDEA!
The overall network is only as good as its weakest link. As soon as someone introduces a WEP entry point to an otherwise WPA/WPA2 network, that network is, for all intents and purposes, a WEP only network! And thus vulnerable to being hacked.
If you want to do this relatively safely, you need to completely separate yourself from the WPA/WPA2 network. One way to do this would be to connect a dd-wrt router to the primary router, WAN to LAN respectively. Let it broadcast WEP. But most importantly, add firewall rules to prevent access to the upstream network and only the internet. In effect, it's a guest network. The worst that happens is that someone steals your internet access, but local resources are at least protected.
# Drop traffic from local (br0) clients addressed to this router's own LAN IP
iptables -I INPUT -i br0 -d `nvram get lan_ipaddr` -j DROP
# Drop traffic from local (br0) clients forwarded out the WAN interface into the upstream subnet
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -j DROP
NOTE: If you can't physically access the primary router, then configure the bridge (DIR-615) as a repeater (not repeater bridge) and enable WEP on the repeater's SSID. Then add the firewall rules.
There are other ways too, like using three routers in a Y configuration, with the private and public/guest/WEP routers each connected to the third router and thus can't interact. But it's a bit of a PITA to deal w/ that many devices (and you need physical access), so using the method above works well enough, as long as you have access to a dd-wrt router where you can manipulate the firewall rules.
Thank you for the insight eibgrad, would it work if I added firewall rules to the bridge router in my current configuration? My third router is not supported by dd-wrt firmware.
So far I have the network working, but I keep the WEP router unplugged when I'm not using the DS, but I'll keep it unplugged until I get the security better figured out!
|reply to SM |
The firewall rules will only work if you either use the WAN, or the virtual WAN provided by client (not client bridge) or repeater (not repeater bridge) modes. Just beware that client and repeater require you to use a different network from the WPA network. So if the WPA network is 192.168.1.x, you'll have to be something else, like 10.0.0.x.
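The two isolation rules and the different-network requirement from the replies above can be combined into one pre-flight check. This is an added example, not code from the thread or from dd-wrt; the function names and all addresses and interface names are constructed, and on a dd-wrt router the arguments would come from the `nvram get` values used in the rules.

```shell
#!/bin/sh
# Added example: refuse to emit the isolation rules when the WEP segment
# shares a subnet with the upstream WPA network.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when address $1 and address $2 share a subnet under mask $3.
same_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Print the thread's two rules with values filled in, or fail on overlap.
# Args: lan_ip lan_mask wan_iface wan_ip wan_mask
guest_rules() {
    # Compare under both masks so a wider mask on either side is caught.
    if same_subnet "$1" "$4" "$5" || same_subnet "$1" "$4" "$2"; then
        echo "error: local network $1 overlaps upstream $4/$5" >&2
        return 1
    fi
    # Keep WEP clients off the router's own LAN address.
    echo "iptables -I INPUT -i br0 -d $1 -j DROP"
    # Keep WEP clients out of the upstream (WPA) subnet; internet still passes.
    echo "iptables -I FORWARD -i br0 -o $3 -d $4/$5 -j DROP"
}

# Constructed sample: WEP segment on 10.0.0.x, upstream WPA on 192.168.1.x.
guest_rules 10.0.0.1 255.255.255.0 eth1 192.168.1.50 255.255.255.0
```

The output is printed rather than executed, so the generated rules can be reviewed before being pasted into the router's firewall script.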