Best way to expand my network and stay with Tomato

Discussion in 'Tomato Firmware' started by Groovely, Nov 21, 2009.

  1. Groovely

    Groovely Addicted to LI Member

    Bear with me, I'm still a little green, but always trying to improve, and would appreciate some advice.

    I'm looking to improve my network because streaming seems unreliable over G connection and I also need large files transferred often now that I'm experimenting with OSes on old computers. Here is my setup:

    First floor: WRT54G w/ Tomato (static IPs, no SSID broadcast), 1-3 clients usually connected LAN or WLAN.
    Basement: Old B 10/100 router with wireless disabled acting as a switch for Xbox 360, an old P4 hackintosh in progress (goal is HTPC/print server), another experimental Linux machine [rec room], iMac (wireless) [office], and Airport Express (G) client/music mode [hallway/bathroom]

    All files/media on the Mac, streaming to Xbox or HTPC frequently stutters or hangs, files are OK, but would like faster. I figure this is because everything is being sent upstairs, across the house to the WRT before being wired back to the switch.

    Unfortunately, there is a big concrete supporting wall that I can't drill through or get around that prevents me from wiring the Mac into the downstairs switch otherwise I'd just buy a gigabit switch.

    In summary, I guess two questions:

    1. Could I buy a wireless N router with a gigabit switch and just use it as an add-on. Let the WRT54G continue to sort out the routing via Tomato upstairs, but wire my downstairs clients to the switch and the iMac over N to it as well? I know I can do this with the switch, but I'm uncertain on the wireless-N AP part. How would wireless security on the new router work? QoS? What do I disable besides DHCP?

    2. Since what I've been reading suggests that there's not really a good solution to running Tomato on an N router at this point, should I just buy a cheap N-gigabit router and wait, or should I buy a more expensive one and future-proof in hopes that Tomato will soon be able to run on it?

    Sorry for the long post or any folly on my part, and thanks for any advice you can give.

  2. Azuse

    Azuse LI Guru Member

    I would go modem - tomato - switch/wireless, i.e. a separate switch and wireless N access point plugged into that. Where/how you place them is up to you, just disable the wireless in tomato and leave it controlling the network while LAN devices transfer at N/gigabit speeds.

    Separate switches/access points will cost the same as, probably less than, buying an N router and have better performance, but you could get an N router, give the wireless a separate SSID and treat it as a 4-port switch/access point.

    I don't believe there's any real benefit in turning the ssid broadcast off, but I could be mistaken.
  3. Groovely

    Groovely Addicted to LI Member

    Thanks for the reply.

    I have seen cheap Gb switches (~$35) and could even look used no problem, but N access points seem pricey around here, and any inexpensive ones have a 100/10 LAN port on them which puzzles me a bit. Doesn't that mean that you'd connect at up to 300 Mbps to the antenna, only to be immediately slowed to 100 Mbps?

    For example this D-Link N access point, which seems good, is only $20 away from this D-Link router with Gig switch. I guess that is why I was leaning that way. If I could find one that might someday accommodate Tomato if I made it the main router, I could kill 3 for 1 (Gig switch/N access point now, router later).

    Is there something I'm missing about the benefits of each (highly possible) or is it just the pricing around here?

    Part of the way I got to Tomato, and trying to learn more about networking in general in the first place was getting charged $25 per month in overages three months in a row before figuring out that one of my neighbours is a clever little thief (must've broken my WEP PW). In addition to WPA2 I now filter by MAC and (theoretically) no one can see the network without being on the list. This is the best I could come up with and seems to be working so far.

    Thanks again for the advice.
  4. Azuse

    Azuse LI Guru Member

    Eh? Turning off broadcast SSID only means your network doesn't broadcast its name; it's still broadcasting, it just doesn't appear in idiot-proof connectors (e.g. Windows). It can still be seen by any wireless scanner.

    MAC filtering is an utter waste of time; its initial design was flawed and doesn't stop anyone seeing the LAN - hardware-based authentication that is held in RAM, therefore removing its own authenticity. You need a certain degree of understanding to crack WEP despite how easy it is; if you want to spoof a MAC, all you need is a program with 1 button.

    An N access point with 10/100 port? :/
  5. Groovely

    Groovely Addicted to LI Member

    I figured I wasn't foiling any masterminds or packet sniffers, but I get the impression that it was maybe some kid with a one-button PW cracker as you suggested, maybe looking to add to their torrent limit; the speculative possibilities are endless. Doesn't this at least discourage people who start off by seeing what networks are available and then trying to crack the passwords of those? I didn't want to be faster than the bear, just faster than the guy behind me.

    I do appreciate the info though. As I said, I'm still learning, and learning from the internet is far from a linear and complete education.

    In any event, something seems to have worked. Probably the security increase of WPA2. As for the original AP vs router choice, what do you think of my options based on my reply (prices, etc)?
  6. TVTV

    TVTV LI Guru Member

    WEP has been cracked. TKIP has been cracked too, but the tools to do it are not as easy to find as those needed to f*** WEP. Furthermore, you also need some brains to crack TKIP, so script kiddies don't pose any threat. Having said that, TKIP is still a good enough encryption algorithm to keep unwanted internet users off your WiFi router. If your OS/HW only supports WEP/TKIP, use TKIP in favour of WEP.
    On the other hand, AES has not been cracked yet and I don't think it will be in the near future (strong encryption), so if you really want all your wireless internets for yourself, use WPA/WPA2 + AES.
    MAC filtering is obsolete, as Azuse already said. MACs can be sniffed off the air and spoofed pretty easily.

    Well, if your problem was a kid who has found a WEP cracking tool, hiding your SSID may deter him. If your problem was someone with a little more intelligence, they are surely using a scanner which can detect hidden networks too. So hiding your SSID does not ultimately protect you more than WEP does.
  7. Groovely

    Groovely Addicted to LI Member

    I am using WPA2 (PSK) and AES, so I guess I'm good to go for now. But again, it's good to know the reasoning, and also about what's out there and what the potential threats are. I appreciate the guidance.

    It seems this thread has been a little sidetracked by my (mostly incorrect) reasoning for my security changes.

    I still haven't settled my original issue. I want to find a good wireless N gigabit router that can be used as an access point/switch now but would be a good candidate to accommodate Tomato in the future once it makes the jump to N.

    Any recommendations?
  8. TVTV

    TVTV LI Guru Member

    AFAIK, no N router can run Tomato in N mode. I think teddy_bear's mod can run on certain N routers, but wireless is limited to G only, so that wouldn't be of any use to you.

    Now, if you don't really need a gigabit switch, you could buy that cheaper router with standard 10/100 switch. That should be of little impact to your wired to wireless N speeds, because draft-N doesn't really run at 400+ mbit/sec, just as G doesn't really run at 54 mbit/sec. What you can realistically expect out of draft-N is something close to 60-110 mbit/sec. So, 100 mbit/sec switch -> 110 mbit/sec wireless... you only lose like 10 mbit/sec, which, IMHO, is not such a big issue at all. ;)
    In conclusion, if a draft-N + 10/100 is way cheaper than draft-N + gigabit, and you don't need gigabit, go for the draft-N + 10/100. Just be sure you don't buy a piece of junk, because well, you need good, proper wireless signal quality. :)
  9. Groovely

    Groovely Addicted to LI Member

    Okay, the speed thing again is good to know. I guess I was hoping to buy something like the WNR 3500L (if it were out when they said it would be), and use it as a switch/wireless AP for now to serve my devices in the basement, with the idea that I could use it as the main router in the future when I move somewhere where the layout is more central and I'm near the modem.

    I'm still left with a lot of questions about how to implement a second router as simply an extension of my network (i.e. switch/AP).

    - So I give my new router an address on my Tomato router's subnet, leave the WAN empty and plug one LAN port in as a connection to the Tomato router; the other LAN ports are for my downstairs "switch" devices.
    - But what happens to the wireless devices that connect to the new router? They can use any IP on the Tomato router's subnet as long as it's not the same as the switch router's IP? What do I set their DNS on the new router to? The Tomato router's IP? Or does the switch/AP not need DNS because it's handled by the Tomato router?
    - How does port forwarding work with this AP/router setup, do I need to forward them on both devices?

    Sorry for all the questions, I'm just trying to understand and want to make sure I do before I drop the cash on new hardware.

    Overall though, I'm wishing I could rent an impact driver and just drill through the danged brick and do some drywalling to avoid needing a wireless AP. Then I'd have sweet gigabit dreams. Unfortunately the landlord doesn't dig this idea.
  10. TVTV

    TVTV LI Guru Member

    I'm no expert, but from my experience, one needs to do this in order to put a router in AP mode:

    - set its IP to a non-conflicting IP addy in the main router's subnet;
    - set main wireless router to channel 1, AP to channel 11 (to avoid interference);
    - set different SSIDs for both routers + WPA/WPA2 AES;
    - disable DHCP server (note that after disabling the DHCP server, there will be nothing left to give your PC an IP, so in order to access your AP's config page, you will need to manually assign your PC an IP in the same subnet as the AP's);
    - disable the WAN port, if possible;
    - disable firewall, QoS etc.;
    - insert LAN port into main router's LAN port;
    - set your PC's IP addy back to auto;
    - reboot PC, restart router (just to be sure);
    - enjoy!

    Your AP will now act as a simple switch/wireless switch. All your PCs will get an IP addy from your main router etc. Basically, the main router will handle everything: port forwarding, firewall, QoS, just as it does now. :) No need to set anything up on the AP.

    Tip: you may not be able to access your AP's config page while it's connected to the network. If that's the case, simply disconnect it from the network, assign your PC a static IP and try again. It should work now.
  11. Azuse

    Azuse LI Guru Member

    Not really. Disable NAT/firewall on the second router, assuming you're using the WAN port, which you really shouldn't - stick to the 4-port switch and you'll be fine; turn off DHCP, QoS etc.

    Connect everything to its LAN ports, give its wireless a separate SSID from tomato's and the least congested channel* (inSSIDer will show you everything near you), assuming you'll be using both. If not, just disable tomato's; it'll free up a lot of CPU cycles.

    Lastly go into tomato and assign it a static IP, and make sure the IP in the second router is the same. Strictly speaking switches don't need IPs, but as it's a router it will always have one; reserving it will avoid any conflicts. Don't worry if it doesn't show up in the device list.

    Connect your devices to the LAN ports (one being the tomato router) & wifi, reboot the second router and refresh the IPs of anything connected to it (or just restart them after the router's back up).

    Basically, you use the LAN ports and wifi and turn everything else off, including logs etc. Tomato controls the IPs, firewall & QoS - LAN devices enjoy gigabit/N speeds between each other. The only limit is the 10/100 cable from the switch to tomato, but I doubt you have that kind of speed from your ISP :).

    *Strictly speaking only 1, 6 & 11 have no overlap, but it's unlikely they'll be totally free.
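
    The checklist in TVTV's post (AP address in the main subnet, DHCP off, WAN unused, NAT/firewall/QoS off, distinct SSIDs, WPA2 with AES) and Azuse's additions (reserve the second router's IP in Tomato, pick channels 1/6/11 so the radios don't overlap) can be turned into a plan checker that flags a misconfigured "AP mode" setup before anything is plugged in. The Python below is an added example written for this page, not code from Tomato or from either poster; the field names (`dhcp_pool`, `uplink_port`, `static_leases`, and so on) and the two sample plans are constructed for illustration and do not come from any real device.

```python
"""Checklist validator for running a second router as a plain switch plus wireless AP
behind a Tomato router, following the steps given in the thread above.

Constructed example: the dictionaries below are made-up sample configurations and the
field names are this example's own assumptions, not settings read from a real router.
"""
import ipaddress

# 2.4 GHz channels are spaced 5 MHz apart and a 20 MHz channel spills onto about four
# neighbours on each side, so two radios must be at least 5 channels apart (1/6/11).
MIN_CHANNEL_SPACING = 5

# Both posts recommend WPA/WPA2 with AES; anything else is reported as a problem.
ACCEPTED_SECURITY = {"WPA2-PSK/AES", "WPA/WPA2-PSK/AES"}


def check_ap_plan(main, ap):
    """Return a list of problems with the plan; an empty list means every check passed.

    ``main`` describes the Tomato router that keeps doing routing, DHCP, firewall and QoS.
    ``ap`` describes the second router that should act only as a switch plus wireless AP.
    """
    problems = []
    net = ipaddress.ip_network(main["network"], strict=False)
    main_ip = ipaddress.ip_address(main["ip"])
    ap_ip = ipaddress.ip_address(ap["ip"])
    pool_start = ipaddress.ip_address(main["dhcp_pool"][0])
    pool_end = ipaddress.ip_address(main["dhcp_pool"][1])

    # The second router's address must live in the main subnet and not clash with it.
    if ap_ip not in net:
        problems.append(f"AP address {ap_ip} is outside the main subnet {net}")
    if ap_ip == main_ip:
        problems.append("AP address conflicts with the main router's address")
    # A router always has an IP: keep it out of the DHCP pool, or reserve it in Tomato
    # so that no client is ever handed the same address.
    in_pool = pool_start <= ap_ip <= pool_end
    if in_pool and str(ap_ip) not in main.get("static_leases", []):
        problems.append("AP address is inside the DHCP pool and not reserved in Tomato")

    # One DHCP server per broadcast domain; a second one hands out conflicting answers.
    if ap["dhcp_server"]:
        problems.append("second router still runs a DHCP server")
    # LAN-to-LAN uplink only: going through the WAN port puts NAT between the two halves.
    if ap["uplink_port"] != "lan":
        problems.append("uplink uses the WAN port; connect a LAN port to Tomato's LAN instead")
    for feature in ("nat", "firewall", "qos"):
        if ap[feature]:
            problems.append(f"{feature} is still enabled on the second router")

    # Wireless: distinct SSIDs and non-overlapping channels when both radios are on.
    if main["wireless_enabled"]:
        if ap["ssid"] == main["ssid"]:
            problems.append("both radios use the same SSID")
        if abs(ap["channel"] - main["channel"]) < MIN_CHANNEL_SPACING:
            problems.append(f"channels {main['channel']} and {ap['channel']} overlap")
    if ap["security"] not in ACCEPTED_SECURITY:
        problems.append(f"AP security {ap['security']!r} is not WPA2 with AES")
    return problems


# Constructed sample: the Tomato router upstairs that keeps control of the network.
MAIN_ROUTER = {
    "network": "192.168.1.0/24",
    "ip": "192.168.1.1",
    "dhcp_pool": ("192.168.1.100", "192.168.1.149"),
    "static_leases": [],
    "wireless_enabled": True,
    "ssid": "upstairs",
    "channel": 1,
}

# Constructed sample: a second router left close to factory defaults and cabled via WAN.
FIRST_ATTEMPT = {
    "ip": "192.168.1.120",
    "dhcp_server": True,
    "uplink_port": "wan",
    "nat": True,
    "firewall": True,
    "qos": False,
    "ssid": "upstairs",
    "channel": 3,
    "security": "WPA-PSK/TKIP",
}

# Constructed sample: the same router after working through the thread's checklist.
CORRECTED = {
    "ip": "192.168.1.2",
    "dhcp_server": False,
    "uplink_port": "lan",
    "nat": False,
    "firewall": False,
    "qos": False,
    "ssid": "basement",
    "channel": 11,
    "security": "WPA2-PSK/AES",
}

if __name__ == "__main__":
    for name, plan in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        found = check_ap_plan(MAIN_ROUTER, plan)
        print(f"{name}: {len(found)} problem(s)")
        for line in found:
            print("  -", line)
```

    Running the script reports eight problems for the default-ish plan and none for the corrected one. The DHCP-pool check is the one most often missed: an address inside the pool is only safe once Tomato has a static lease for it, which is what Azuse's "assign it a static IP" step achieves.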
  12. TVTV

    TVTV LI Guru Member

    Not really... what? :)
  13. Groovely

    Groovely Addicted to LI Member

    Okay great! Thanks for all the info both of you!! Much appreciated.
