What wireless router and wireless networking card would you all recommend? I'm thinking of going wireless.

I'm using US Robotics products so I can recommend them.

Wireless Lan Card:
http://www.usr-emea.com/support/s-prod-tem...=emea&prod=5417

Wireless router:
http://www.usr-emea.com/products/p-wireles...t-5461&loc=emea

Wireless router/access point/firewall/4 port switch/ADSL modem:
http://www.usr-emea.com/products/p-broadba...b-9106&loc=emea

No problems with connection. I have 2 PC and one notebook connected to this accesspoint. US Robotics claims it can connect up to 125MB/s. Wireless router is fully configurable via web browser and its firmware is based on Linux.

You can't go wrong with the Linksys WRT54G(S) for a wireless router. There are tons of great firmwares you can install in place of the stock Linksys one.

Until recently, I was pretty jaded with Linksys gear, but I picked up a WRT54G and it's much better than their older gear was. I agree with that recommendation. Even the stock firmware is pretty good. The third party firmware is okay too, except I can't seem to find one with UPnP support, which is kind of a deal breaker for me. Fortunately the stock firmware's UPnP works great.

For cards in the computer and such, they're pretty much all the same chipsets anyway, so there's usually not a whole lot of difference there. Except for Cisco cards, of course, which are incredible in several ways. Anything less than that is pretty much indistinguishable.

Thanks for the insight, guys. I never regret asking technical questions here.

I have had excellent results with my Linksys WRT45GS. Make sure you install the latest firmware when you get it. This is a good idea with any wireless router. Be certain to run WPA-PSK, so you are not giving out free wireless.
The Linksys WPC55AG is a great PCMCIA wireless A/B/G card based on the Atheros chipset, very wide OS support.

I have the Linksys WRT54G also.

Most broadband here is ADSL, but I'm with Telewest, a cable company.

I know very little about networking but I managed to get my PC set up, and also locked it down so it's not broadcasting the SSID, etc. I'm using WPA-PSK.

What would be the benefit to a 3rd party firmware?

Hmm... IIRC the stock firmware can only perform QoS for uploads and when I tried it, it didn't seem to really work. The QoS in DD-WRT works great. Other reasons to use other firmwares:

- some have VPN servers so you can connect to your home network while away
- most have more advanced status pages (show MAC addresses of all wireless clients, etc.)
- most can run SSH daemons
- some have "client mode", where the router acts as a wireless client and shares that connection (VERY useful sometimes)

There are probably many more reasons that I cannot think of at the moment. In my experience, DD-WRT and OpenWRT are both fantastic firmwares (warning: OpenWRT doesn't have a web interface so you better like to do things from the commandline if you install it).

If you're using encryption, turning off SSID broadcast or enabling MAC filtering is pointless.


Additional functionality like traffic shaping and prioritizing (examples: if you had a VoIP phone, you could ensure that it always got highest priority over anything else, or you could limit the bandwidth of downloads to allow online games to continue to work with low latency while you are downloading). More secure ways to configure the thing (SSH, etc).

Basically, the router is a little linux box with a 200 Mhz processor and some flash memory in it. You can do all sorts of things with it. People have added flash card readers to theirs, audio output ports, etc.

Disabling the SSID, MAC filtering, WPA-PSK ( with AES ) are all parts of a security plan. Just as with a firewall, the point is layers of defense. Any one item is a minor irritant. The more layers someone has to go through, the greater the possibility they will move on to easier targets. Nothing is hack proof, all you can do is keep the script kiddies out, and make it more costly in time than some idiot wants to spend to get into your network. Boosting your signal strength with some of the third party firmwares, may increase the range and vulnerability of your wireless network.

Yeah, I am MAC filtering as well. There's only one client at the moment - it's just that the cable point is in another room to the PC, and I didn't fancy loads of cables.

Whoever is right, it's working fine, so I don't think I'll be changing anyway. I see no reason not to do it.. I guess it's the old "belt and braces".

Thanks for the 3rd party explanations.

It seems I'm going against the grain here, I have the Linksys WRV54G. It has worked perfectly well for me for the last 6 months I've had it.

That's a nice theory, but not really the case here.

SSID broadcast being disabled doesn't actually stop anybody. If they have a sniffer, your SSID is sent out in all packets. Bypassing it means, glory be, typing it in. And that completely ignores the "ANY" SSID that anybody can use if they want to connect to your network, whcih completely bypasses the need for the SSID in the first place. It's built into the spec. No, the only valid reason to disable SSID broadcast is to reduce crosstalk in multipath situations, and if you don't know what it is that I just said, then you really shouldn't be messing with that setting.

MAC filtering is intended to stop specific devices from roaming. It's useful to prevent your next door neighbor from accidentally connecting to your network, but it's trivally bypassed by simply changing the MAC address of ones own wireless card to one seen on the network. Having the same MAC as somebody else causes no issues at all for wireless or on a hub.

By contrast, WPA-PSK (with AES) is hard encryption. Breaking it is very difficult from a computer perspective. The fastest way is currently a dictionary attack against the passphrase, so using a weird phrase prevents pretty much anybody getting in.

To put it in perspective, WPA raises the bar to 10 feet tall. If you can leap 10 feet to get in, then the half an inch added by disabling SSID broadcast and MAC filtering don't mean a whole lot.

Furthermore, disabling SSID and using MAC filtering make the network much harder to actually use when you want to use it. Take my network. I use WPA-PSK only. SSID broadcast is enabled, MAC filtering is off. If I want somebody to connect to my network, I hand them the key, they type it in. Done. If you want somebody to connect to yours, you give them the key, tell them the SSID so they can manually set it, then use another system to connect to the router and allow their MAC address access (which you first have to look up on their machine).. It's a major hassle is my point.

And you're not any more secure than I am, because before anybody can get into either of our networks, they first have to jump that 10 foot hurdle that is WPA. Spending the literally 30 seconds it takes to type in a SSID and type in a sniffed MAC address doesn't really add any extra security.


With WEP you had a point, but WPA is still uncracked for hard passphrases. Furthermore, if somebody is going to spend the days or weeks it takes to break the encryption the hard way, then the other two ain't going to stop them either. Somebody seeing WPA encryption will move on already, no SSID and MAC filtering really ain't a deterrent.


Yes and no. It'll increase the range of the broadcast, possibly making it easier for somebody to sniff the traffic from your router and thus gather packets to work on breaking the encryption, but with AES, that'll take them forever to begin with. Way longer than anybody sane is willing to spend just for network access.

All I can recommend you is that you DON'T use D-Link. It's crapola.

I am not sure you intended to sound arrogant, but to me, you did.

I have done a fair bit of reading on the subject and I will provide links below. I work in the IT department of my company. The folks who handle the security and the wireless (one of which is a CISSP) are in agreement with the steps I recommended.

From http://www.us-cert.gov/cas/tips/ST05-003.html

• Restrict access - Only allow authorized users to access your network. Each piece of hardware connected to a network has a MAC (media access control) address. You can restrict or allow access to your network by filtering MAC addresses. Consult your user documentation to get specific information about enabling these features. There are also several technologies available that require wireless users to authenticate before accessing the network.
• Encrypt the data on your network - WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) both encrypt information on wireless devices. However, WEP has a number of security issues that make it less effective than WPA, so you should specifically look for gear that supports encryption via WPA. Encrypting the data would prevent anyone who might be able to access your network from viewing your data (see Understanding Encryption for more information).
• Protect your SSID - To avoid outsiders easily accessing your network, avoid publicizing your SSID. Consult your user documentation to see if you can change the default SSID to make it more difficult to guess.

http://www.sans.org/rr/whitepapers/wireless/1619.php

Following setting the SSID, configure the Wireless SSID Broadcast to
“Disable” (the wireless channel, which was skipped, can be left at the default
setting). While I did mention that the SSID can be discovered even while the
SSID broadcast is turned off, and I do believe that security through obscurity
rarely works, it is still considered a best practice to disable this function.

http://www.windowsecurity.com/articles/Wir...er_Part_II.html

what do people think about ZyXEL? the seem to have a good reputation as far as I can say.

http://www.zyxel.com/product/category.php?...alue=1021876859

are they on par with Linksys, better or worse in terms of security, accessibility, robustness?

It seems to me that not broadcasting your SSID would at least stop nosey neighbours, or potential burglars, with a wi-fi laptop from knowing that you have a wireless network inside the house, and therefore potentially a reasonable amount of expensive hardware. I understand now that it won't stop a determined or prepared hacker.

Thanks to your and ddrawley's detailed responses I (and hopefully Canar) now understand that the WPA-PSK with AES encryption is the most important key. I actually had mine set at TKIP (or something like that) so I have now changed to AES thanks to the advice on this thread. Thank you.

Another question: I have my cable modem plugged into the router via ethernet, and then my PC accesses the modem using wi-fi. I saw, while in the admin interface, that my router is currently set up as a "Gateway", the other option being "Router". My question is: if i do manage to get myself a laptop - or more likely a PVR - would I need to change anything to let the second machine access the Internet and for both computers to be able to communicate (transfer files)? Edit: Or can I just stick a wireless adapter in the PC, set up the profile, and hey presto everything communicates? (once I've permitted the extra MAC address)

Thanks again. Apologies to Canar for slightly hijacking the thread - but I'm hoping that this will all be useful to you also.

I've been doing wireless for over 10 years. Yep, for longer than 802.11 has been around. So while I didn't mean to sound arrogant, I can if you'd prefer. Let's see here...


And they're all wrong too.


You're going to listen to security recommendations from the US Government?

More to the point, go back and read what I said. It's not that those don't add security, it's that they don't add any significant security. Let's look specifically at your bullet points, shall we?


What this doesn't say is "MAC addresses are trivially faked, and which MAC addresses are allowed are trivially discovered. It takes somebody with a wireless cracking tool less than 30 seconds to bypass this restriction, and there's no way to detect them doing so. Whereas somebody not bothering to fake a MAC address can be easily detected by intrusion software monitoring your network traffic."

MAC address filtering makes your network less secure if you have a good security plan in place already, because it forces intruders to fake the MAC of some other valid user on your network.


No argument. WPA is good. Use WPA.


What this doesn't say is that:
-The SSID is included in every packet on your wireless network. Every single one. So getting it is a matter of capturing one packet. Any one packet.
-Most low end wireless devices don't include an option to ignore the "ANY" SSID, which allows a client to attach to, you guessed it, any network. Higher end wireless devices, mainly Cisco gear, do allow you to turn that off.


The only thing that turning off SSID broadcast does is to prevent things like Microsoft's Wireless Zero Config screen from finding the network and displaying it. It prevents nobody from connecting to the network, unless they only know how to connect by clicking one of the found networks. So it'll keep grandma next door off, but not any kind of actual attacker. And heck, WPA will keep grandma next door out as well as an actual attacker.



My point is that you *should* evaluate security not as a bullet list of "must do these things", but as part of an actual understanding of the consequences of doing each thing in relation to the whole. If checking off one of those bullet points makes things harder to use, and won't actually keep anybody out, then really, what's the point?

You'll have to permit the MAC address, force the SSID, and enter the WPA passphrase to connect the new machine. Once you do all that, yes, everything will talk okay.

OK, thanks Otto.

"All that" is still only a two minute job.

I think your point above about MAC filtering makes a lot of sense though. However, as I know nothing about networking and doubt I have any intrusion software I think the point is irrelevant to me.

I may well disable MAC filtering - but I think I'll keep the SSID hidden. That way all I have to do is give someone two strings rather than one, and not tackle the cumbersome router web interface to add the MAC address. 30 seconds work.

I think my point about hiding the SSID simply from local users with a wi-fi PC has some merit.

At this point all I can do is resist the Troll.
I encourage other readers to research "best practices."
These are unnecessary for those who know everything.

Edit: Spelling

To Synthetic Soul

We use the Aruba wireless products here at work, but that probably won't be useful to you, so I will limit the reply to a retail product.

My Linksys WRT54GS has the following entry on Gateway:

Operating Mode. Select the mode in which this Router will function. If this Router is hosting your network’s connection to the Internet, select Gateway. If another Router exists on your network, select Router. When Router is chosen, Dynamic Routing will be enabled.

So you would set this based on whether the wireless router is connected directly to your cable/dsl modem, or another device does this for you.

The newest firmware on my WRT54GS allows me to select if wireless clients will 'see' each other. I cannot find the details listed in the Linksys manual on their site.

Slightly off topic, WPA-TKIP uses MD4 encryption, which while not as good as AES, is listed as acceptable in the resources I could find. Some older devices, drivers, or firmware may not offer AES. In short, AES is still preferred.

Edit: Reread your question.



I 'talk' to several machines on my network. I transfer files to my Samba server, PVR, and laptop (wireless) without any trouble. All devices have internet access.

Excellent. Thanks for the info ddrawley.

I tried downloading the manual today but it wasn't working. I believe I have the PDF at home so I will take another look. I need to check whether mine is version 1, 2 or 3 before I get the latest firmware. I'm not sure I will actually install it yet as I have had many bad experiences upgrading firmware and drivers when I really should have just left it working perfectly well as it was!

Sounds like I should have it, and keep it on, "Gateway". I guess I must have known what I was doing at the time...

I'm really interested in getting a PVR, and at that time I will need to let that PC have access to the Internet and also transfer recordings to my main PC. I'm hoping to squeeze an MCE machine from work, for "testing purposes".

Networking just makes my head spin.

Thanks for your help.

Consider getting all your gear the same brand. At least as of a couple of years ago manufacturers admited that different brands often didn't play well together.

For me, this was most evident when trying to set up security.



Another security problem is that a lot of wifi accessories don't support WPA. The wifi SD card available for my Palm came out long after WPA was the new standard, but does not support it..... so I'm not getting one.

Yeah, I agree with DonP. A lot less headaches for me when I set clients up with gear from the same manufacturer. I have had reasonably good success with Linksys and Netgear. YMMMV.

Oh, I encourage other readers to research "best practices" too, except I mean that it's a good idea to go talk to people who know what they're talking about instead of just doing Google searches.

I agree with you about Linksys gear though. My older gear had issues, but my new gear seems happier overall and works better. The router doesn't crash and reboot itself all the time anymore like the old one did.

Okay, I checked with my local computer store and they strongly recommend the D-Link. They claim they have a lot of returns on Linksys gear and recommend against that brand. Likewise, their D-Link gear doesn't get a lot of returns. Any responses to that? I've always personally had luck buying the products my guys recommend so I'm inclined to buy their D-Link router and Foxconn wireless cards. I didn't ask about USR though.

No, definitely go for the Linksys! I've got a D-Link wireless router that came free with a friend's computer and it is a complete piece of junk. We currently have 2 Linksys WRT54Gs in WDS mode set up to cover 3 apartments and it works perfectly.

Define "piece of junk", and give a model number, please. All models are not equal. One user's opinion is great, and I thank you for that, but please sympathize: my local guys go through dozens of pieces of hardware, and they know return rates. Your experience seems to contradict them, and if I get enough people agreeing with your view, great. I'm just trying to do my best to figure out where the best place to spend my money is.

My experiences with D-Link and USR wireless have been very negative.
The cases, drivers, and documentation for the D-Link were very poor.
No drivers, no joy.
USR had a cheap product and lousy drivers.
The Intel 2915ABG has a decent product and drivers.
The Netgear has better drivers, docs, and cases. Not perfect by any stretch, just pretty good.
The Linksys has been OK for me. I own one, I am typing this message through it. I have no complaints.
My customers have been happy with the Netgear and Linksys.
D-Link was quite simply, crap.

I would not go for the linksys! I got the WRT54GS and it sucks big time. Everytime I download something really fast or connect to a server multiple times for a download, the router freezes for some seconds and therefore I'm loosing the connection. I tried to download iTunes using Firefox and wasn't able to complete the download unless I reseted the max simultaneous connections in windows from 10 to 4....sometimes it won't even let me open new connections, just the already running connections are working...same thing when browsing websites: it won't let me open new websites, but I can surf websites, which domains have already been resolved in the active browser session. So it seems that the DNS lookup gets somehow blocked. Of course, this doesn't happen all the time and only if the router is somewhat overwhelmed. However, it doesn't take much to overwhelm it...when I tested it, I was the only one connected to the router...in order to gain back full internet access I had to restart Windows...

D-Link units have known issues with the iTunes 5 Bonjour service as well. I'd avoid them.

As for Jojo's problems, well, I had similar issues with an older Linksys router. It would freak out and reboot itself for no reason. I ended up replacing it with my current WRT54GS (the one with "SpeedBooster") and it works great. No issues.

I have had no issues with my WRT54GS V2 with the 4.70.6 firmware.
It is rock solid.
I surf with different browsers.
I regularly download large files.
No issues.
Hope it works for you.

Edit: Added router version.

I wholeheartedly agree.

Also, I rarely trust store people's opinion. They often recommend brands based on how much they will earn with sales, and not on quality (every store here recommends Intel over AMD, not because Intel is supposedly better, but because stores get big revenues and prizes based on sales of Intel products, and the same doesn't happen with AMD)

I'd much rather trust users' and friends' opinions.

what settings are you guys using? Do you use WPA encryption and stuff? What settings did you guys change? Are you using B or G wireless cards (it shouldn't make any difference though)

I am using WPA - AES.
I have used Orinoco, Atheros, and Intel based wireless chipsets and connected successfully.
My primary card is a Linksys PCMCIA with Atheros ABG chipset.
I connect on G/54.

Edit: Corrected wording

Except for enabling WPA-Shared key and a new password andSSID, it's basically set for the defaults on mine. I'm using a Linksys PCI G card on one machine, an older Linksys PCMCIA B card on a laptop, an older Cisco B card on another, and an Orinoco B card on my tablet. Took some effort to get WPA working on a couple of the older cards, but the router has no issues with those. The router is also connected wired to an old series 1 Tivo with one of the first TivoNet cards in it (a handmade adapter to a really old ethernet card, basically).

well, I don't know guys, but it doesn't work for me. Did one of you change the max allowed connections in windows from 4 to 10? Also, I just noticed that people who know my IP address (the one exposed to the internet), can gain access to my router settings. Remote Mangement is turned off, so really I don't know why it is doing that. The only thing that is turned on is 'Wireless Access Web', which I need, because I want to access and change my routers settings wirelessly...

Jojo: Have you tried the latest firmware on that device?

yes, the latest firmware is installed. Have you tried to type in your internet ip address in your browser and see what happens? It shouldn't do anything, but in my case it comes up with the login mask.

I am seeing references that recommend a factory reset prior to, and following the firmware flash.

Huh? If you're on the inside, the LAN side of things, then yes, it should come up with the login mask screen (unless you have port 80 forwarded elsewhere in the network).

There's actually a setting for this, although not being at home I don't recall what it was called. Basically, internal requests that use the external address of the router get redirected to internal requests. If it's not on, then you can't access internal services by using the network's WAN IP.

But this doesn't mean that people outside the LAN will see the same thing. It's a router, it treats things differently depending on where they come from. If you see it from outside your LAN, like from work or something, then that is a problem. In my case, that doesn't happen.

I have a related question, so I'll shamelessly hijack this thread.

Currently, internet access in this household works via a proxy server installed on my PC. This is highly impractical for several reasons and now to be changed in favour of a router solution.

I will be getting a WLAN compatible laptop for Christmas, so I am thinking it would make sense to buy a WLAN router now - since they (well, at least the Linksys WRT54GS, haven't bothered to look at others yet) also have standard ethernet ports that I could connect the stationary PCs to.

My question is, is there any security risk involved in running the WLAN router without actually having any WLAN clients (yet) to check the network security, or can I be sure that after enabling encryption in the router config, everything is OK? Or is it even possible to turn off the WLAN functionality completely until I need it?

Thanks for any advice.

I own a Netgear DG834G and with this:
You can always check 'Attached Devices' to see everything connected to your network.
If you choose a secure password and use WPA-PSK, I don't see why not.
Yes. This is possible with my router at least.
No problem

Get a FritzBox 7050.
It rocks,
eg. Siemens SX541 is crap from my and others experience.

Bringing up this old thread to point out this article I just ran across which basically makes the same sort of recommendations on security that I did. Notice the first two items in the list, saying that MAC Filtering and SSID Broadcast disabling are both worthless from a security standpoint.

http://blogs.techrepublic.com.com/Ou/?p=43