Pure AP, what can I turn off?

Discussion in 'Tomato Firmware' started by jsmiddleton4, May 19, 2008.

  1. jsmiddleton4

    jsmiddleton4 Network Guru Member

I'm using one router as nothing but an access point. It's in a remote location hard wired to my main router. So what can I turn off in addition to DHCP? My main router is the DHCP server. Can I disable things like NAT forwarding? What else, as it seems I don't need all the features enabled if it's only a simple AP.
  2. Rob650

    Rob650 Addicted to LI Member

  3. jsmiddleton4

    jsmiddleton4 Network Guru Member

Thanks, but I was looking for a little more information, like some of the features like NAT forwarding, etc.
  4. LLigetfa

    LLigetfa LI Guru Member

    Since AP mode doesn't use the WAN port, there is no NAT or any portion of the router engine involved. WLAN to LAN simply goes through the switch unimpeded unless you get jiggy with VLANs.
  5. HennieM

    HennieM Network Guru Member

    Turn off:

    DHCP server
    Inbound Layer 7
    Use Internal Caching DNS Forwarder
    Use Received DNS With Static DNS
    Intercept DNS Port (UDP 53)
    Reduce Packet Size

    Mode set to Router
    etc., etc.

Everything that does not directly have to do with wireless and the LAN IP address of the router, including any routing related functions.
  6. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Thanks. That is what I was looking for. Had already set mode to router. But other than that had left those things on. Thanks again.

    Triggered Port Forwarding?
  7. HennieM

    HennieM Network Guru Member

    Off. If you don't have routing between networks, you don't have forwarding, so turn off everything under "Port Forwarding".

Just to be clear: If you use the router as a "pure AP", you are just expanding your normal network (usually 192.168.1.x) with another network switch. In this case, the switch just happens to (also) be a wireless switch.
  8. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Yes, I understand. Tried to turn off port forwarding, won't let me in either basic or triggered. I'm just trying to make it as simple minded as it can be since it's just a wireless switch.
  9. jsmiddleton4

    jsmiddleton4 Network Guru Member

    With these suggestions I have memory use Total/Free 14.19 MB / 8,596.00 KB (59.17%).

One last question, as a pure AP do I need a gateway/DNS entry? Right now it's the main router/DHCP server. Works of course. But being a dumb AP, do even the gateway/DNS fields really need to be filled out? Going to test it of course and see, but was just wondering.

    It would be great to have an option of presets so that if you want to use a Tomato supported router as a dumb box of rocks AP that there was a check box for doing so and checking that box turned off all unnecessary stuff AND set the WAN port to a LAN port. Since we already have different hardware versions, Buffalo, Linksys, etc., the difference in the scripts for those models could easily be model specific as well.
  10. LLigetfa

    LLigetfa LI Guru Member

    Without GW/DNS it wouldn't be able to resolve and reach NTP servers.
  11. jsmiddleton4

    jsmiddleton4 Network Guru Member

So even being a dumb box of rocks AP, it's still going out to an NTP server and getting time information?
  12. HennieM

    HennieM Network Guru Member

    Your AP is just like any PC on your network. If you give the AP an address for a DNS server, then if that AP is asked to resolve a host name to an IP address, it can. If you don't, the AP can't resolve such queries.

    As you don't actively work on the AP (like you do on a PC), it's not strictly necessary for the AP to resolve name-to-IP queries. If however, you specify some parameter that you want the AP to use as a host name, the AP won't be able to resolve. One such parameter could be the NTP server. You want the AP to have the right time, so when you check its logs, you know where you are. You could override the built-in NTP server names with a fixed IP address of course.

The gateway address is also not necessary, as your AP is a switch, so it does not route anything from one network to another network. However, if your AP (like any PC on your network) doesn't know the gateway address, and it needs to query the internet for something (a something like NTP time for instance), it won't know where to send that request.

    I always specify all parameters on APs, then I know, when something goes haywire somewhere, that my APs are good.

    On the NTP server subject: I sync all my devices on my network to a single NTP server within my network, and then sync only my NTP server to the internet. It cuts down on the little bit of bandwidth used when every device syncs to the internet, and I know all my devices use exactly the same time.

    There is no such thing as a "dumb box of rocks AP". APs have to be intelligent, or be a pseudo PC, by definition. The intelligence to authenticate stations, encrypt, etc. is actually, relative to the intelligence required for routing, on a way higher level (my opinion of course). APs can never be a dumb unmanaged switch. And that concludes our sermon for today.... ;)
  13. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "On the NTP server subject: I sync all my devices on my network to a single NTP server within my network, and then sync only my NTP server to the internet."

    How? And I'm thinking the answer would be a great sticky....
  14. HennieM

    HennieM Network Guru Member

    Linux box (an old Pentium I) with ntpd running, IP Time servers "close to home" specified in ntpd's config. This box always runs, as it's also my http proxy, mail server, VPN server, etc. I guess you could also set up a Win- or any other box with a proper ntp client/server similarly.

    On router connected to internet: iptables rule to allow tcp/udp port 123 (NTP) from, followed by a rule to block port 123 from all.
    Also, a dnat rule to redirect any ntp internet request to my ntp server:

    iptables -A FORWARD -p udp -s --dport 123 -j ACCEPT
    iptables -A FORWARD -p udp -d ! --dport 123 -j DROP

    iptables -t nat -A PREROUTING -p udp -s ! -d ! --dport 123 -j DNAT --to

    The rules are from memory, so they may not be exactly correct. Only udp shown, but all rules are duplicated for tcp.

That's it. Now any NTP request to say time.nist.org ( sent by any device on my network, will get to my router (, and be redirected to my ntp server (, which will serve the ntp request.

    I used to have devices which do not allow you to override the time server setting, so the dnat rule on the router took care of them. I do however try to do it "right", so I specify the right ntp server on devices where possible:

    On Tomato APs: Under Basic > Time set custom NTP server to
    On Win PCs: Under Date and Time properties (double click on the time in the taskbar), set to
    On Linux boxen: run ntpd with as peer or server.

    Forgot to mention: I also dish out as "ntp server" with DHCP, but not many devices actually use this.
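The NTP egress and redirect policy HennieM describes above, written out as an added example (these are not HennieM's actual rules, which were posted from memory with the addresses stripped): a POSIX shell script with a dry-run mode that prints the iptables commands instead of applying them. The internal NTP server address 192.168.1.10, the LAN 192.168.1.0/24 and the LAN interface br0 are assumed placeholders. It also adds a hairpin MASQUERADE rule that the rules in the post do not have: when the NTP server sits on the same segment as the clients, its reply would otherwise go straight back to the client without passing through the router, so conntrack never reverses the DNAT and the client sees an answer from an address it never queried and discards it.

```shell
#!/bin/sh
# Added example, not HennieM's rules: NTP egress control + redirect to an
# internal NTP server. Addresses and interface below are assumed placeholders.
NTP_SERVER="${NTP_SERVER:-192.168.1.10}"   # hypothetical internal NTP server
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # hypothetical LAN
LAN_IF="${LAN_IF:-br0}"                    # Tomato's bridged LAN interface
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the rules, 0 = apply them

# run_rule: print the iptables command (dry run) or execute it.
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# ntp_policy_rules PROTO: emit the four rules for one protocol (udp or tcp).
ntp_policy_rules() {
    proto="$1"
    # 1. Any NTP query from the LAN that is not from, or to, the internal
    #    server gets its destination rewritten to the internal server.
    run_rule -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 123 \
        ! -s "$NTP_SERVER" ! -d "$NTP_SERVER" -j DNAT --to-destination "$NTP_SERVER"
    # 2. Hairpin: the rewritten packet leaves on the same LAN it came from, so
    #    masquerade it. The server then answers the router, which reverses both
    #    NATs, instead of answering the client directly from the wrong address.
    run_rule -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$NTP_SERVER" \
        -p "$proto" --dport 123 -j MASQUERADE
    # 3. Only the internal server may send NTP out to the internet.
    run_rule -A FORWARD -p "$proto" -s "$NTP_SERVER" --dport 123 -j ACCEPT
    # 4. Everything else bound for port 123 that was not redirected (FORWARD
    #    sees the post-DNAT destination, so redirected traffic passes) is dropped.
    run_rule -A FORWARD -p "$proto" ! -d "$NTP_SERVER" --dport 123 -j DROP
}

# ntp_policy: the full policy, udp and tcp, as in the post.
ntp_policy() {
    ntp_policy_rules udp
    ntp_policy_rules tcp
}

ntp_policy
```

Run it as is to review the eight rules; `DRY_RUN=0 sh ntp-policy.sh` applies them. On Tomato the script belongs in the firewall script hook under Administration > Scripts, so it is re-applied after every reboot and firewall restart.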
  15. LLigetfa

    LLigetfa LI Guru Member

As do I, making my Debian server the NTP time source. I also run php-syslog-ng on it, consolidating all the syslogs in one place.
  16. jsmiddleton4

    jsmiddleton4 Network Guru Member

I appreciate you posting, but that's probably still not step by step enough for me to follow. Again sorry, and I don't mean to impose on you or expect you to make up for my inexperience. It's just I can't get there from here.....

    How would it look, what would it take, in a multi-router environment to have one router, or PC, be the NTP server and all others point to the one NTP server, for those of us who don't have Pentium 1's running Linux sitting around?

    Mini ntp server on a XP machine, routers look to it for time information.
  17. LLigetfa

    LLigetfa LI Guru Member

  18. jsmiddleton4

    jsmiddleton4 Network Guru Member

Thanks ll, I started a dedicated thread on this and moved your line to there. Only problem I have with the software at your link is I'd have a better chance at making it work if the software was made by a company named cro-magnum man. The Thinking man thing kinda makes me pause....
  19. fyellin

    fyellin LI Guru Member

    There is very little to be gained by having your ntp server be internal. The network traffic is minimal. The disadvantage is that your clocks are only within milliseconds of each other, rather than microseconds.*

    So the fact that the instructions didn't make sense may mean that you're best off just leaving things as they are. Come back and play with ntp daemons in a month, when you're more comfortable hacking with cron jobs and iptables.

    [* I made these numbers up. I have no idea what accuracy you'll get. I do know that on the MacOS, ntp is supposed to give you accuracy within a 100ms using external servers. That's certainly good enough for my purposes.]
  20. HennieM

    HennieM Network Guru Member

    @fyellin: The stratum (0 being the best) at which your NTP server runs determines the accuracy. This in turn, is, among others, influenced by (i) what stratum the NTP server is that you sync to, (ii) how well your NTP software controls your server's clock, and (iii) how well your server's clock runs. Whether it's an intranet or internet NTP server has zero bearing.

    Example: I'm in South Africa. I have WVC54GC cameras that are hardcoded to time servers in North America. (Not that time i.t.o. seconds would matter on a camera, but I'm trying to prove a point .. ;)
    My Co. network goes via London, which seems to be linked to New York, and then onto the internet. Ping time to New York is about 700+ msec when you're lucky. What sort of accuracy will I get, even if those North American time servers are at stratum 0? Not much.

So, the New York guys set up an NTP server (A) to sync to the NIST or somewhere, and the London guys (B) sync to A, and I set up a C in South Africa syncing to B. I'm at stratum 3 or 4. Each NTP server smooths its own clock, resulting in network latencies being "buffered". Thus, as my cameras have just about zero latency to NTP server C, they get stratum 4 or 5 accuracy.
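A way to see what stratum and offset a machine actually ends up with, as an added example rather than anything from the thread: a POSIX shell script that parses the `ntpq -p` peer billboard (the `*` tally marks the peer ntpd synchronises to) and checks it against a stratum and offset limit, which is a quick health check for an internal NTP server like HennieM's. The billboard text is constructed to mirror the three-hop chain in the post (a nearby stratum-3 server with sub-millisecond delay, a stratum-2 peer one hop further, and a distant stratum-1 server with 700 ms delay and a large offset); the host names and numbers are placeholders.

```shell
#!/bin/sh
# Added example: read stratum and offset of the selected peer from "ntpq -p"
# output. SAMPLE_NTPQ is constructed for this example; columns follow ntpq's
# billboard: remote refid st t when poll reach delay offset jitter (ms).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-c.lan.test  10.0.0.2         3 u   38   64  377    0.412   -0.031   0.018
+ntp-b.lan.test  10.0.0.1         2 u   12   64  377  143.210   -3.905   4.771
 time-a.far.test .NIST.           1 u  200  256   37  712.331   81.480  97.205'

# ntp_selected_peer OUTPUT: print "remote stratum offset_ms" for the peer
# marked with "*" (the one ntpd synchronises to); exit 1 if none is selected.
ntp_selected_peer() {
    printf '%s\n' "$1" | awk '
        /^\*/ { sub(/^\*/, ""); print $1, $3, $9; found = 1 }
        END   { exit (found ? 0 : 1) }'
}

# ntp_check OUTPUT MAX_STRATUM MAX_OFFSET_MS: return 0 when the selected peer
# is at or below MAX_STRATUM and its absolute offset is within MAX_OFFSET_MS.
ntp_check() {
    peer="$(ntp_selected_peer "$1")" || return 1
    set -- $peer "$2" "$3"   # $1 remote, $2 stratum, $3 offset, $4 max st, $5 max off
    awk -v st="$2" -v off="$3" -v maxst="$4" -v maxoff="$5" \
        'BEGIN { if (off < 0) off = -off; exit ((st <= maxst && off <= maxoff) ? 0 : 1) }'
}

# Stand-alone run: report the selected peer of the constructed billboard.
ntp_selected_peer "$SAMPLE_NTPQ"
```

On a live host replace `"$SAMPLE_NTPQ"` with `"$(ntpq -p)"`; a non-zero exit from `ntp_check` means the box is either not synchronised, synchronised too far down the chain, or drifting more than you allow, which is exactly the "are my APs good" question HennieM raises earlier in the thread.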