Info: wpa and dropouts

Discussion in 'Tomato Firmware' started by rcordorica, Mar 11, 2007.

  1. rcordorica

    rcordorica Network Guru Member

    I know a lot of people have their wlan go down randomly, because I've experienced the same problem and searched this forum for answers.

    Anyways, I finally managed to create a stable wireless network. I have a WRT54GL v1.1 set up using WPA + TKIP (because AES is not an officially supported standard on all clients).

    It has been observed that when using WPA some routers have wlan dropouts for a period of time, and magically it comes back. And switching to WEP or going unencrypted solved the problem for some forum users.

    But I am unwilling to use WEP because I'm in an apartment complex, and hacking WEP is far too easy.

    The solution for me involved:

    DHCP Server Lease Time: 1440 minutes (1 day) - a number too low, and the clients have to request a renew too often. A number too high, and the DHCP server on the router holds an old client's lease in its memory too long. 1 day seems like a good compromise.

    Choose G or B only: this is to prevent your wlan switching between the modes.

    Broadcast your SSID: some clients don't know how to associate without an SSID in WPA mode.

    Select the clearest channel: Channel 1 had no nearby neighbors, while 6 and 11 were flooded (even though many people suggest channels 11 and 6 for some reason). Don't use an in-between channel.

    Security: WPA Personal w/ TKIP

    Group Key Renewal: 7200 seconds (2 hours): I believe this was the crucial adjustment. Before, I had the renewal at 360, 1200, and other small values. After setting this to its maximum, I no longer have dropouts.

    Maximum Connections: I set mine to a nice number of 10240 (10K), because it has been observed that sometimes the router appears to drop when the Conntrack table becomes full...(possibly due to a bug or a sudden increase in connections) so we might as well put this to a high upper limit (there is no disadvantage in doing this, it might as well be hard coded to 10240).

    Some other possibly non-related adjustments:

    Advanced->DHCP / DNS->

    DHCP Client (WAN) Reduce Packet Size (enable) - my cable modem SB4200 doesn't like the packets of the standard DHCP WAN client because it complains of malformed DHCP requests. With the option on, there is no problem and the modem correctly gives out an IP.

    Basic Rate: All: because I'm on a pure G network, I don't have to worry about compatibility issues (i.e. the default setting, which tries to account for B speeds).

    Beacon interval: 24: I set mine to a nice evenly divisible number based on the clock speed of the router. My router is at 240MHz, so I chose to send a beacon packet every 24 milliseconds. A larger or smaller multiple of the clock speed would also be valid.

    In Linux the kernel timer is also chosen based on the internal timers of the CPU, so I am just trying to replicate their effort (assuming the clock speed is the only relevant timer). It allows for higher precision because the computer doesn't need to deal with calculating the remainder and finding the correct time to perform the function (in this case sending a beacon packet).
  2. GeeTek

    GeeTek Guest

    Thanks for the contribution. Lots of interesting concepts there. Anything we can do to help Mr. Der Keif with the sticky post section will help us all. I like your concept of keeping events within even multiples of the clock.
  3. ifican

    ifican Network Guru Member

    For the most part wireless dropouts seem to happen more when the SSID is not broadcast. Though I have had my share with WPA-TKIP vs WPA-AES. TKIP is much more processor intensive and I think it just causes the router issues. As an experiment about a week ago now I changed over from TKIP to AES and have not had a single drop, and that's running in a mixed mode network with both B and G clients.

    Though as stated very good info.
  4. rcordorica

    rcordorica Network Guru Member

    Yeah, I have tried WPA + AES and the combination, WPA + TKIP/AES. But the problem with AES is that it isn't an officially supported standard. In my own home network, there is a 3945ABG client that does not associate if I have AES on. I have tried updating its drivers, but it didn't help. So the reason I use TKIP is to ensure connectivity, because we have a lot of people visit with their laptops (college).

    Using unencrypted is the fastest; it provides the least processor overhead. But security is non-existent with an unencrypted wlan. I don't think that the processor is really doing much work with AES or TKIP because if you read the load averages it hardly goes above 0%. However, throughput goes down with AES or TKIP, so perhaps the overhead is simply that the packet has to carry the encryption (extra data) and the small time to decrypt the packet.
  5. ifican

    ifican Network Guru Member

    Don't get me wrong, TKIP has been fairly stable. I would get occasional dropouts when there was no activity, but as you have stated I had an issue with a device that would not run TKIP but instead AES. So I switched everything over to AES and have been pleasantly surprised. Though I think it really comes down to: as long as you run anything other than WEP (unless you are purposely running an open wireless network), you should be fine.
  6. GeeTek

    GeeTek Guest

    Speaking of TKIP and AES, I just noticed that Tomato classifies advanced encryption in various combinations of WPA/WPA2/PERSONAL/ENTERPRISE. I work almost exclusively with open networks, and until now have saved the finer details of advanced encryption for a later day. There seem to be no stickies or FAQ info defining Tomato's encryption modes. Does anybody have any links, or a quick crash course as to what is what?
  7. ifican

    ifican Network Guru Member

    Basically personal is a passphrase and enterprise is used via a RADIUS server. Other than that it's pretty straightforward and used just like WEP without the 13 or 26 bit key limitation.
  8. GeeTek

    GeeTek Guest

    Well, I sniffed a bit deeper. After selecting any of the WPA modes I discovered the extra drop-down field that allows the selection of TKIP, AES or the combination thereof. I know RADIUS is a whole different animal that does not involve RF carrier encryption at all. I'm still trying to find a good spyware-free Windows based RADIUS server. Thanks anyway!
  9. rcordorica

    rcordorica Network Guru Member

    On this page there is a nice chart about the different security methods (excluding Radius/Enterprise).

    TKIP stands for Temporal Key Integrity Protocol. TKIP utilizes a stronger encryption method (RC4 -128bit) and incorporates Message Integrity Code (MIC) to provide protection against hackers. AES stands for Advanced Encryption System, which utilizes a symmetric 128-Bit block data encryption. AES and TKIP are both equally hard to brute force for all intents and purposes.

    TKIP enhances WEP by adding a per-packet key mixing function to de-correlate the public initialization vectors (IVs) from weak keys (weak IV packets are what we use to break WEP).

    TKIP also enhances WEP by adding a rekeying mechanism (called "Group Key Renewal" in Tomato) to provide fresh encryption and integrity keys. This makes TKIP protected networks more resistant to cryptanalytic attacks involving key reuse.

    WPA only requires TKIPv1 encryption, with AES being optional (not supported by all clients). WPA2 mandates TKIPv2 + AES for the most secure connection.

    WPA RADIUS (called WPA/WPA2 Enterprise) uses an external RADIUS server to perform user authentication. To use WPA RADIUS, enter the IP address of your RADIUS server, the RADIUS Port (default is 1812) and the shared pass phrase from the RADIUS server.

    RADIUS utilizes a RADIUS server for authentication and WEP for data encryption. To utilize RADIUS, enter the IP address of the RADIUS server and its shared pass phrase. Select the desired encryption bit (64 or 128) for WEP and enter either a passphrase or a manual WEP key.

    There are two levels of WEP encryption, 64-bit and 128-bit. The higher the encryption bit, the more secure your network; however, speed is sacrificed at higher bit levels. To utilize WEP, select the desired encryption bit, and enter a passphrase or a WEP key in hexadecimal format. But of course, WEP is easily hacked (I can do it in a few minutes with my Gentoo Linux OS on a Dell 700m laptop).
  10. GeeTek

    GeeTek Guest

    Very good explanation and link. I was lost on how to find it in Tomato for a minute there. The finer detailed info on the protocols is really a good read. Much appreciated!
  11. lwf-

    lwf- Network Guru Member

    FYI, the highest number of connections that can be selected is 10240.
  12. digitalgeek

    digitalgeek Network Guru Member

    Just to dispel any rumors about WRT wireless...

    I am running WPA-PSK-AES with WDS and I do not broadcast....
    (My Mac didn't want to connect with TKIP)

    My max connections are set to 4096... BT needs more.

    And all lease times and key renewals are default.

    I am running dyndns.

    All wireless and wds configuration was done in the gui.

    I have no firewall scripts and my QOS is basically default.

    My network is more stable now with 1.04 than it was with Thibor...

    I never reboot (except for an upgrade) and I never reboot my DSL modem.
  13. dvaskelis

    dvaskelis Network Guru Member

    A few notes:

    It's not correct to say AES is not part of the WPA standard. It's an optional (but recommended) part of WPA standard, and a required part of the WPA2 standard.

    The benefit to AES on Tomato is the Broadcom chipset in the wireless router (and on most Broadcom-based hardware) is that it does AES in hardware, while the other encryption techniques are done in software. Because of that, AES is almost as fast as no encryption on our routers. So in terms of speed, no encryption > AES (~3% loss) > WEP 64bit (~10% loss) > WEP 128 bit (~12% loss) > TKIP (~17% loss).

    AES/TKIP isn't exactly a combination with both encryptions at once, but allowing both AES or TKIP clients.

    Also, the downside to more Conntrack entries is that the router's performance goes down with more entries to manage. That's why most people recommend 2048 unless you actually fill up the table with that value, say from lots of downstream clients running a BitTorrent client.
  14. Toxic

    Toxic Administrator Staff Member

  15. digitalgeek

    digitalgeek Network Guru Member

    Thanks for clarifying that... (I couldn't have put it better myself.) It should also be noted that D-Link (at least with B & G devices) did not use the Broadcom chipset. This is not to say that they are not good products... just that compatibility with extended Broadcom features is not guaranteed.

    And WDS will affect performance as well. There are plenty of threads on this subject here and on other forums for those who want more info.
  16. Toxic

    Toxic Administrator Staff Member

    The simple answer is: for each WDS device you add, the overall bandwidth is halved.
  17. rcordorica

    rcordorica Network Guru Member

    Good info. But I have some questions. Does increasing the maximum number of connections actually slow down the router? I guess it would come down to how the table/array was implemented in software... because you can easily tell it to stop traversal of an array once it hits a NULL entry (so it would only do as much work as needed depending on the number of connections).

    I like the idea of using a combination TKIP+AES WPA mode since you say AES is hardware based. But the question is, how can I know what connection will be handed out to the clients by default? TKIP? or AES? Would one client incompatible with AES force the entire wlan down to TKIP?
  18. dvd-guy

    dvd-guy Guest

    Does WPA/WPA2 AES+TKIP work in WDS? I couldn't do WPA Personal AES+TKIP with WDS. Maybe AES+TKIP isn't compatible with WDS?
  19. digitalgeek

    digitalgeek Network Guru Member

    WPA2 TKIP+AES does not work with WDS.

    WPA TKIP or AES works fine when set up from the GUI.
  20. dvaskelis

    dvaskelis Network Guru Member

    I cannot speak to how the code works that manages conntrack, but it's part of iptables/netfilter so there's plenty to find on the web and the full Tomato source is available. From what I've seen, most of the performance issues are due to our rather low-end CPU with a very small amount of memory compared to most systems that run iptables/netfilter. Routing performance is going to be highly dependent on the number and type of rules configured for iptables/netfilter, so I imagine it's difficult to predict the impact. I recall seeing someone do benchmarks on the DD-WRT site's forums, and they posted noticeable routing performance loss when having a large conntrack userspace.

    If I were you I'd try a quick benchmark yourself. Give yourself a huge conntrack userspace and see how your router performs. Then give yourself 2048 conntrack entries and try the same tests again.

    The client asks for the type of encryption, although in WPA (I don't think in WPA2, but not sure) there's some fallback mechanism so that if AES negotiation is requested and fails then the standards have a way for the client to try TKIP before giving up. Again, there's plenty on the web about wireless encryption standards, and the full WPA and WPA2 specifications are available.

    The WPA standard allows mixing encryption types at the same time; there's no forcing of the network to one type in the standard, but obviously it's up to the implementation. For example, the WPA standard allows mixed WEP, TKIP, and AES clients with one AP, something not configurable from the Tomato GUI. I suspect there's no reason one couldn't tweak Tomato to allow for that, since it's something other WRT54G firmware allows. With Tomato, TKIP+AES means the AP will work with both encryptions in a mixed environment.
  21. rcordorica

    rcordorica Network Guru Member

    Thanks, updated my info post with the upper limit. I've been using 10240 with no problems for a while now.

    I still haven't dug into the iptables code to see how the conntrack table was implemented. I want to find out if having a higher number actually causes slowdown.
  22. rcordorica

    rcordorica Network Guru Member

    Found the answer in a conntrack/iptables document.

    It turns out that the conntrack table is really a linked list. And it does have to be iterated through to find the correct entry.

    My understanding:

    1. compute unique hash (based on type of packet) = index to hash table
    2. hash_table [index] -> points to linked list of conntrack entries for that type of packet (e.g. p2p classified packet)
    3. iterate through list to find specific packet

    But! Since it's a linked list, you only have to iterate to the end of the list before it wraps around. So basically, having a large conntrack table has no disadvantage. Your performance will scale with the # of connections, not the "possible" size of the list.

    Parts 1 & 2 are a constant time function, as long as there are no hash collisions.
    Part 3 is variable time depending on the size of the list (which depends on the number of connections).

    But I still want to check out the tomato code since it may be different.
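    The three-step lookup described above, as an added example that is not code from the thread, Tomato or netfilter: a hypothetical chained hash table keyed on a constructed 5-tuple, where `max_entries` stands in for Tomato's "Maximum Connections" limit and `total_lookup_cost` counts how many key comparisons the chain walk (step 3) needs. The hash function, struct layout and flow values are simplified assumptions, not netfilter's own.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a conntrack key, the 5-tuple (hypothetical, not netfilter's own struct). */
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct entry { struct tuple key; struct entry *next; };
struct table { struct entry **bucket; size_t nbuckets, max_entries, count; };
/* Step 1: hash the tuple to a bucket index (FNV-1a over the fields; netfilter uses a keyed hash). */
static size_t tuple_hash(const struct tuple *t, size_t nbuckets) {
    uint32_t h = 2166136261u, parts[5] = { t->saddr, t->daddr, t->sport, t->dport, t->proto };
    for (int i = 0; i < 5; i++) { h ^= parts[i]; h *= 16777619u; }
    return h % nbuckets;
}
static int tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}
/* max_entries plays the role of Tomato's "Maximum Connections"; nbuckets is the hash size. */
struct table *table_new(size_t nbuckets, size_t max_entries) {
    struct table *tb = malloc(sizeof *tb);
    *tb = (struct table){ calloc(nbuckets, sizeof *tb->bucket), nbuckets, max_entries, 0 };
    return tb;
}
/* Insert at the head of the bucket's chain; -1 models the "conntrack table full" drop. */
int table_insert(struct table *tb, struct tuple key) {
    if (tb->count >= tb->max_entries) return -1;
    struct entry *e = malloc(sizeof *e);
    size_t i = tuple_hash(&key, tb->nbuckets);
    e->key = key; e->next = tb->bucket[i]; tb->bucket[i] = e; tb->count++;
    return 0;
}
/* Steps 2-3: walk only this bucket's chain; returns comparisons made, or -1 if the flow is absent. */
long table_lookup_cost(const struct table *tb, struct tuple key) {
    long cmp = 0;
    for (struct entry *e = tb->bucket[tuple_hash(&key, tb->nbuckets)]; e; e = e->next, cmp++)
        if (tuple_eq(&e->key, &key)) return cmp + 1;
    return -1;
}
/* Constructed flow i: a 192.168.1.x client to 8.8.8.8:80/tcp with a unique source port per flow. */
struct tuple flow(uint32_t i) {
    return (struct tuple){ 0xC0A80100u + i % 200, 0x08080808u, (uint16_t)(1024 + i), 80, 6 };
}
/* Load n flows under a given limit, then total the comparisons needed to find each of them again. */
long total_lookup_cost(size_t nbuckets, size_t max_entries, size_t n) {
    struct table *tb = table_new(nbuckets, max_entries); long total = 0;
    for (size_t i = 0; i < n; i++) table_insert(tb, flow((uint32_t)i));
    for (size_t i = 0; i < n; i++) total += table_lookup_cost(tb, flow((uint32_t)i));
    return total;
}
```

    With the same bucket count and the same live flows, the cost is identical whether the limit is 2048 or 10240; only the number of entries actually in the chains (and a full table rejecting new flows) changes the result.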