Need Multiple Access Points: WDS or Just Same SSID?

Discussion in 'General Discussion' started by Hmoll, Nov 5, 2007.

  1. Hmoll

    Hmoll LI Guru Member

    Due to whatever reason, my one WRT54G's signal strength isn't great in my building (construction materials, etc.) So, I want multiple Access Points, for coverage. But I don't want to configure multiple networks on each client machine (XP/Vista/OSX.)

    • Do I need WDS? OR do I just need to configure each of the (I'm guessing on number) four WRT54GL's with the same SSID and WEP/WPA2 information?
    • Regardless of the above, do I need to configure them on different channels?
    • Will the above work? Or will the client PC see each AP as a different AP (due to the different MAC) and require multiple configurations?
    • Will the users be able to roam from one AP to another?

    NOTE: I do have wired connections to each AP (so maybe I don't need WDS???)
    NOTE2: I'm using a server-based DHCP server
  2. HennieM

    HennieM Network Guru Member

    No WDS needed - that will just slow you down.

    Exactly the same security on all APs (and I strongly suggest WPA2).
    Same SSID on all APs.
    Different channels, spaced at least 3, but preferably more, apart; i.e. 1, 4, 7, 11. Or if AP1 can't see AP3 (or are very far apart), you can use like 1, 6, 2, 7 (or similar).
    WRTs configured to be APs only (no WAN, plugged to wired net via a LAN port).
    DHCP server OFF on all APs (use your "other" DHCP server).

    Now a wireless client can move freely among all the APs, and you (just about) won't notice when it roams from one AP to the next.

    WPA2 has a built-in protocol that facilitates "fast roaming". This helps when a mobile wireless endpoint moves from say AP1's coverage area to AP2's coverage area. The transfer is a bit quicker with WPA2 (not that it's very slow with other schemes). How quickly a wireless client switches over from one AP to the next is determined by how aggressive the client is set to roam.

    Also, use AES encryption (which you actually should if you set WPA2), as this has the lowest encryption performance penalty.

    Importantly, if your OS and/or wireless supplicant allows you to specify the AP by MAC, don't, as this would then not allow free roaming. Just specify the SSID.
  3. Hmoll

    Hmoll LI Guru Member

    Excellent! Thanks for the info.

    • Are there any advantages to setting up Microsoft IAS (RADIUS) servers? It looks like I can get rid of preshared keys and simply use IAS for connecting (Authenticating)
    • Well.... if I should just go to using IAS.... should I just use WEP (not very secure) but force employees to use VPN (which is already there in the RRAS/PP2P service?)
  4. Toxic

    Toxic Administrator Staff Member

    Best to keep the channels to 1 6 11 (or 1 7 13 in EU) and make sure no one wireless cell is interfering with another cell on the same channel.
  5. spuxie

    spuxie LI Guru Member


    What firmware do you use to get WDS on your WRT54G? I am trying to get this Zoon repeater to work with WRT, with no success. My WRT is V5.
  6. HennieM

    HennieM Network Guru Member

    No real advantage to using Radius in a small environment - in a bigger env., there's mainly 2:
    1) Nobody knows (or should know) the WPA passkey at any specific time, as the Radius server and the client sort that. A real machine-to-machine love affair - no humans involved... ;)
    2) Every user can have a different username/password, or certificate, or the likes. It makes managing many users MUCH easier, especially if you already have an authentication framework like eDirectory, Active Directory, LDAP, etc.

    Never use WEP! Even if you use a VPN on top of WEP:
    1) hackers may still gain access to your router, fiddle it, and then get to your network, even if they can't decrypt your web browsing or file sharing traffic. Your network link packets, etc. are running outside the on-top-VPN. (To get around this, in days gone by [I think], companies used a VPN concentrator that sits between the AP and the rest of the net, and then allowed only specific traffic past the VPN concentrator. This way an AP compromise was not such a big deal).
    2) WEP slows you down. The WEP encryption scheme is all software/CPU. Add to that the VPN encryption, which, most likely, will even involve multiple passes to decode/encode, further slowing your traffic.

    With WPA or WPA2:
    1) You already have the strongest VPN (experts call it something like RSN - Robust Security Network) you can just about imagine, encrypting not only your payload traffic (web browsing, file sharing, etc.), but also your link packets and some other connection data. (Bear in mind though that this VPN exists only between the wireless client and the AP. Where the AP joins the wired net, it's all unencrypted again.)
    2) With Rijndael (I think that's how it's spelled) encryption, more commonly known as AES or AES-CCMP, part of the work is done by hardware (in the client adapter and the AP) in a single pass. Quick-quick... Just "no encryption" beats AES's speed.

    If you use TKIP encryption with WPA/WPA2, you are somewhat - not much - less secure than with AES, but the bigger drawback is that TKIP takes you back to all software encryption. Slower.

    So, to stop my rambling: If you don't use a VPN to encrypt ALL your data on your wired net, there's really no point in having a VPN at all - just use WPA2/AES on your wireless segments to encrypt your on-air stuff.
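
The checklist from the replies above (same SSID, WPA2 with AES on every AP, no WEP or TKIP, DHCP off on the APs, uplink on a LAN port, separated channels for APs that can hear each other) can be checked mechanically. This is an added example, not part of any post in the thread; the inventory and its field names are constructed, and `min_gap` defaults to the "at least 3" from post 2 (set it to 5 for the 1/6/11 plan from post 4).

```python
# Added example: audit a constructed AP inventory against the thread's checklist.
# Field names (ssid, auth, cipher, channel, dhcp_server, uplink_port, hears)
# are hypothetical and not taken from any firmware.
from itertools import combinations

# Constructed sample inventory; "hears" lists APs within radio range of this one.
APS = {
    "ap1": dict(ssid="office", auth="wpa2", cipher="aes", channel=1,
                dhcp_server=False, uplink_port="lan", hears=["ap2"]),
    "ap2": dict(ssid="office", auth="wpa2", cipher="tkip", channel=3,
                dhcp_server=False, uplink_port="lan", hears=["ap1", "ap3"]),
    "ap3": dict(ssid="Office", auth="wep", cipher="wep", channel=11,
                dhcp_server=True, uplink_port="wan", hears=["ap2"]),
}

def audit(aps, min_gap=3):
    """Return a sorted list of (ap, finding) tuples; empty means compliant."""
    findings = []
    ref_name = sorted(aps)[0]
    ref = aps[ref_name]
    for name, ap in aps.items():
        if ap["ssid"] != ref["ssid"]:  # SSIDs are case-sensitive
            findings.append((name, f"ssid differs from {ref_name}"))
        if ap["auth"] != "wpa2":
            findings.append((name, f"auth is {ap['auth']}, expected wpa2"))
        if ap["cipher"] != "aes":
            findings.append((name, f"cipher is {ap['cipher']}, expected aes"))
        if ap["dhcp_server"]:
            findings.append((name, "dhcp server enabled on AP"))
        if ap["uplink_port"] != "lan":
            findings.append((name, "uplink not on a LAN port"))
    # Channel spacing only matters for pairs of APs that can hear each other.
    for a, b in combinations(sorted(aps), 2):
        in_range = b in aps[a]["hears"] or a in aps[b]["hears"]
        gap = abs(aps[a]["channel"] - aps[b]["channel"])
        if in_range and gap < min_gap:
            findings.append((a, f"channel gap to {b} is {gap}, need >= {min_gap}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(APS):
        print(f"{name}: {finding}")
```
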
  7. starbiker99

    starbiker99 Network Guru Member

    Are you still able to use a wired PC at the far end as well? I have the same issue where I ran a cable and would like to add an AP plus hook up a PC there as well.