Showing posts with label Network. Show all posts

Jun 9, 2013

Configuring Windows Server 2008 Server Core Basic Networking Settings

In my previous articles (see list below) I have written about how, in Windows Server 2008, Server Core installation does not include the traditional full graphical user interface (GUI). Therefore, once you have configured the server, you can only manage it locally at a command prompt, or remotely using a Terminal Server connection.


Like any other server, Server Core machines must be properly configured to be able to communicate on your network. Some of these settings include:
  • Configuring an IP address
  • Configuring an administrator's password
  • Configuring a server name
  • Enabling remote MMC snap-in management
  • Enabling remote RDP connections
  • Enabling remote Windows Firewall management
  • Enabling remote shell management
  • Activating the server
  • Joining a domain
  • Configuring Windows Updates
  • Configuring error reporting
  • Adding server roles and features
And other tasks.
Before you start, you need to configure the server's IP address.

To set the server with a static IP address

  1. At a command prompt, type the following:
    netsh interface ipv4 show interfaces
  2. Look at the number shown in the Idx column of the output for your network adapter. If your computer has more than one network adapter, make a note of the number corresponding to the network adapter for which you wish to set a static IP address.
  3. At the command prompt, type:
    netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>
    Where:
    • ID is the number from step 2 above
    • StaticIP is the static IP address that you are setting
    • SubnetMask is the subnet mask for the IP address
    • DefaultGateway is the default gateway
  4. At the command prompt, type:
    netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1
    Where:
    • ID is the number from step 2 above
    • DNSIP is the IP address of your DNS server
  5. Repeat step 4 for each DNS server that you want to set, incrementing the index= number each time.
  6. Verify by typing ipconfig /all and checking that all the addresses are correct.
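The procedure above, as an added illustration that is not part of the original article: the script locates the adapter's Idx in the output of the show command (step 2) and builds the netsh lines for steps 3 to 5, refusing a gateway that is off the new subnet, which on a box you only reach over the network is how you lose the session. Run it on the admin workstation and paste the output into the Server Core prompt; the sample output and addresses are constructed.

```python
"""Build the netsh lines from the static-IP procedure after locating the adapter's
Idx in "netsh interface ipv4 show interfaces" output.  Added illustration, not part
of the original article; the sample output and addresses below are constructed."""
import ipaddress
import re

# Constructed sample of "netsh interface ipv4 show interfaces" output.
SAMPLE_SHOW_INTERFACES = """\
Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 10          20        1500  connected     Local Area Connection
 12          20        1500  disconnected  Local Area Connection 2
"""

# Columns: Idx, Met, MTU, State, Name.  Name may contain spaces, so it runs to end of line.
ROW_RE = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+(\S+)\s+(.+?)\s*$")


def find_idx(show_output, adapter_name):
    """Step 2: return the Idx of the adapter whose Name matches exactly."""
    for line in show_output.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(3) == adapter_name:
            return int(m.group(1))
    raise LookupError(f"no adapter named {adapter_name!r}")


def static_ip_commands(idx, address, mask, gateway, dns_servers):
    """Steps 3 to 5 as command lines.  Every address is validated first, and a
    gateway that is not a usable host address on the new subnet is refused."""
    host = ipaddress.IPv4Address(address)
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net or gw in (host, net.network_address, net.broadcast_address):
        raise ValueError(f"gateway {gateway} is not a usable host address on {net}")
    cmds = [f'netsh interface ipv4 set address name="{idx}" source=static '
            f'address={address} mask={mask} gateway={gateway}']
    # Step 5: each additional DNS server gets the next index value.
    for index, dns in enumerate(dns_servers, start=1):
        ipaddress.IPv4Address(dns)  # raises ValueError on a malformed address
        cmds.append(f'netsh interface ipv4 add dnsserver name="{idx}" address={dns} index={index}')
    return cmds


if __name__ == "__main__":
    idx = find_idx(SAMPLE_SHOW_INTERFACES, "Local Area Connection")
    for cmd in static_ip_commands(idx, "10.10.10.5", "255.255.255.0", "10.10.10.254",
                                  ["10.10.10.1", "10.10.10.2"]):
        print(cmd)
```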

To set the administrative password in Windows Server 2008

  1. At a command prompt, type the following:
    net user administrator *
  2. When prompted to enter the password, type the new password for the administrator user account and press ENTER.
  3. When prompted, retype the password and press ENTER.
Next, you might want to change the computer's name, as the default name is a randomly generated name (unless configured through an answer file).

To change the name of the server

  1. Determine the current name of the server with the hostname or ipconfig /all commands.
  2. At a command prompt, type:
    netdom renamecomputer <ComputerName> /NewName:<NewComputerName>
  3. Restart the computer by typing the following at a command prompt:
    shutdown /r /t 0

To manage a server running a Server Core installation by using the Windows Remote Shell

  1. To enable Windows Remote Shell on a server running a Server Core installation, type the following command at a command prompt:
    WinRM quickconfig
  2. Type Y to accept the default settings. Note: The WinRM quickconfig setting enables a server running a Server Core installation to accept Windows Remote Shell connections.
  3. On the remote computer, at a command prompt, use WinRS.exe to run commands on a server running a Server Core installation. For example, to open a command shell on the remote server, type:
    winrs -r:<ServerName> cmd
    Where ServerName is the name of the server running a Server Core installation.
  4. You can now type any command that you require; it will be executed on the remote computer.

To activate the server

  1. At a command prompt, type:
    slmgr.vbs -ato
    If activation is successful, no message will return in the command prompt.

To activate the server remotely

  1. At a command prompt, type:
    cscript slmgr.vbs -ato
  2. Retrieve the GUID of the computer by typing:
    cscript slmgr.vbs -did
  3. Type
    cscript slmgr.vbs -dli
  4. Verify that License status is set to Licensed (activated).

To join a Windows 2008 server to a domain

  1. At a command prompt, type:
    netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordd:*
    Where:
    • ComputerName is the name of the server that is running the Server Core installation.
    • DomainName is the name of the domain to join.
    • UserName is a domain user account with permission to join the domain.
    Note: Entering * as the password means you will be prompted to enter it in the command prompt window in the next step. You can enter it in the initial command if you wish. Note that the word "passwordd" has two d's in it.
  2. When prompted to enter the password, type the password for the domain user account specified by UserName.
  3. Restart the computer by typing the following at a command prompt:
    shutdown /r /t 0

To remove the Windows 2008 server from a domain

  1. At a command prompt, type:
    netdom remove <ComputerName>
  2. Reboot the computer.

To configure automatic updates

  1. To enable automatic updates, type:
    cscript C:\Windows\System32\Scregedit.wsf /au 4
  2. To disable automatic updates, type:
    cscript C:\Windows\System32\Scregedit.wsf /au 1
    BTW, in order to view your current settings you can type:
    cscript C:\Windows\System32\Scregedit.wsf /au /v

To configure error reporting

  1. To verify the current setting, type:
    serverWerOptin /query
  2. To automatically send detailed reports, type:
    serverWerOptin /detailed
  3. To automatically send summary reports, type:
    serverWerOptin /summary
  4. To disable error reporting, type:
    serverWerOptin /disable

May 28, 2013

How to Stop Hackers from Invading Your Network

Unethical hackers (in the bad sense of the word) are always looking for weak points in a network to break into your company's security systems and get hold of confidential and new information.
Some such "black-hat hackers" derive a vicarious pleasure from wreaking havoc on security systems, and some do it for money. Whatever the reason, malicious hackers are giving nightmares to companies and organizations of almost all sizes. Large corporations, banks, financial institutions and security establishments in particular are favorite targets. However, this menace can be prevented to a great extent if proper security measures are taken at the right time.

  1. Follow forums. It is always a good idea to follow hacking forums as you will be able to pick up on all the latest methods being used. A good ethical hacking forum can be found at http://zero-security.org 
  2. Change default password immediately. Some software has built-in password to allow the first log in after installation; it is extremely unwise to leave it unchanged.
  3. Identify entry points. Install proper scanning software to identify all entry points from the Internet into the company's internal network. Any attack on the network needs to start from these points. Identifying these entry points, however, is not at all an easy task. It is better to take the help of skilled ethical hackers who have taken special network security training to perform this task successfully.
  4. Perform attack and penetration tests. By running the attack and penetration tests, you can identify those vulnerable points in the network that can be easily accessed from both external and internal users. After identifying these points, you would be able to thwart attacks from external sources and correct the pitfalls that could become the entry points for intruders to hack into your network. The test must be done from both the internal as well as external perspectives to detect all the vulnerable points.
  5. Run user-awareness campaigns. All possible steps must be taken to make all users of the network aware of the security pitfalls and of the practices necessary to minimize these risks. You can conduct social-engineering tests to determine user awareness. Until all users are aware of certain factors related to the network, protection cannot be carried out in the true sense of the term.
  6. Configure firewalls. A firewall, if not configured properly, can act like an open door for any intruder. Hence it is vitally important to set the rules so that only traffic important to the business is allowed through the firewall. A firewall must have its own configuration depending upon the security needs of your organization. From time to time, proper analysis of the composition and nature of the traffic itself is also necessary to maintain security.
  7. Implement and use password policies. Use strong password policies: passwords of seven characters are of secure length and still relatively easy to remember. Passwords must be changed every 60 days. A password should also be made up of both alphabetic and numeric characters to make it more unique.
  8. Use passwordless authentication. Regardless of the policies above, passwords are less secure than SSH or VPN keys, so think about using these or similar technologies instead. Where possible, use smart cards and other advanced methods.
  9. Delete comments in website source code. Comments used in source code may contain indirect information that can help to crack the site, sometimes even usernames and passwords. All the comments in source code that look inaccessible to external users should also be removed as there are some techniques to view the source code of nearly all web applications.
  10. Remove unnecessary services from devices. You will not be dependent on the reliability of modules you actually do not use.
  11. Remove default, test and example pages and applications that usually come with web server software. They may be a weak point to attack, and as they are the same in many systems, the cracking experience can be easily reused.
  12. Install anti-virus software. Both intrusion detection systems and anti-virus software must be updated regularly and if possible on a daily basis. The updated version of anti-virus software is necessary as it helps in detecting even the latest virus.
  13. Ensure physical security. Apart from ensuring the internal security of the network, you need to think about the physical security of your organization. Until and unless your organization has full security, any intruder can simply walk into your office premises to gain whatever information he wants. Hence, along with technical security, you must also ensure that the physical security mechanisms of your organization are fully functional and effective.

How to Prevent DoS Attacks

Denial of Service (DoS) attacks are among the most feared threats in today's cybersecurity landscape. Difficult to defend against and potentially costly, DoS attacks can cause outages of web sites and network services for organizations large and small. DoS attacks can also be lucrative for criminals, some of whom use these attacks to shake down businesses for anywhere from thousands to millions of dollars.
Any deliberate effort to cut off your web site or network from its intended users qualifies as a DoS attack. Such attacks have been successfully deployed against major online businesses including Visa and Mastercard, Twitter, and WordPress. DoS attacks effectively knock the services offline, costing lost business and negative publicity. They also force IT staff to expend valuable resources defending against the attackers.
If there is a silver lining to DoS attacks, it's this: The objective of the typical DoS attack is not to steal or expose confidential data. Most DoS attacks do not actually breach a company's network, they simply overwhelm it with traffic. In many recent cases, DoS attacks have been used by Anonymous and other hacktivist groups as a form of online protest against corporate and governmental targets whose policies or actions are at odds with the demonstrators.
The exception to this is when a DoS attack is used as a distraction to funnel attention and resources away while a targeted breach attack is being launched. Sony claims that Anonymous used that technique against them in a major 2011 attack that ultimately led to the theft of over 12 million customers' credit card data.
DoS vs. DDoS
The most easily executed type of DoS attack is one that is launched from a single origin. In this attack, a single machine somewhere on the Internet issues a barrage of network requests against a targeted victim machine. The requests themselves can take a variety of forms – for example, an attack might use ICMP flooding via ping requests, or HTTP requests against a web server.
Single-origin DoS attacks can be effective against undefended victims, but they have a few key limitations:
  • Victims can block the originating IP address, either at the firewall level (to kill HTTP requests) or further upstream at the ISP level (to kill network-level floods).
  • Security tools now exist to detect and prevent ICMP flood attacks. Web servers can be configured to detect and block HTTP request attacks.
  • Enterprise products can identify and block single origin attacks as soon as they begin.
These days, the more nefarious type of DoS is called the DDoS, or Distributed Denial of Service attack.
In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin.
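The single-origin versus distributed contrast above, as an added illustration that is not part of the original post: a per-source request-rate check over web-server access logs flags 300 requests in one second when they come from one origin, but the same 300 requests spread over 100 origins stay under any per-IP threshold, leaving only the aggregate rate as a signal. The log lines and addresses are constructed.

```python
"""Per-source request-rate check over Common Log Format access logs.  Added
illustration, not from the original post; the log lines below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp), or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TIME_FMT)


def peak_rate_per_source(lines, window_seconds=1):
    """Map each source IP to its highest request count in any one window."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        buckets[ip][int(ts.timestamp()) // window_seconds] += 1
    return {ip: max(counts.values()) for ip, counts in buckets.items()}


def flagged_sources(lines, per_ip_threshold, window_seconds=1):
    """Sources exceeding the per-IP threshold: these can be blocked at the firewall."""
    peaks = peak_rate_per_source(lines, window_seconds)
    return sorted(ip for ip, peak in peaks.items() if peak > per_ip_threshold)


def aggregate_peak(lines, window_seconds=1):
    """Highest total request count in any window, regardless of source.  For a
    spread-out flood this is the only number that still looks abnormal."""
    totals = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            totals[int(parsed[1].timestamp()) // window_seconds] += 1
    return max(totals.values(), default=0)


def make_log(sources, per_source, ts="28/May/2013:12:00:00 +0000"):
    """Construct CLF lines: every source sends per_source requests in the same second."""
    return [f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
            for ip in sources for _ in range(per_source)]


# Two constructed scenarios with identical volume: one origin vs. one hundred origins.
SINGLE_ORIGIN = make_log(["198.51.100.7"], 300)
DISTRIBUTED = make_log([f"203.0.113.{i}" for i in range(1, 101)], 3)

if __name__ == "__main__":
    for name, log in (("single origin", SINGLE_ORIGIN), ("distributed", DISTRIBUTED)):
        print(name, "flagged:", flagged_sources(log, per_ip_threshold=50),
              "aggregate peak:", aggregate_peak(log))
```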
DDoS: The Rise of the Botnets
Where does an attacker even get thousands of machines to launch a DDoS? Distributed Denial of Service attacks are executed by a so-called botnet – a collection of computers around the world infected with an attacker's malware.
Malware infections can install silent software on a victim machine which places it under the control of a remote attacker. Successful botnets can be comprised of hundreds of thousands of infected machines, typically without the owners' knowledge. There is big money in creating botnets – among other things, botnet creators rent out their creations to criminal enterprises who can use them to launch a DDoS.
Large-scale DDoS attacks are not random. The perpetrators choose their victim deliberately, either due to a grudge, revenge, or an attempt to bully them into meeting some demands – possibly including paying extortion. Renting a botnet to launch a DDoS can cost about $100 per day, so the duration of an attack is partially dependent on how well-funded the attacker is.
Inside a DDoS
The specific mechanisms used by a DDoS to "drop" a web site or network can vary depending on the attacker's preferred strategy. One major difference between DDoS implementations is whether they target the computing resources of the victim's machine or the network resources.
An attack against a web server based on HTTP flooding – as many as 10,000 requests per second – can overwhelm the server software, eventually consuming the machine's memory, CPU time, and possibly even disk space (if the log files grow out of control).
An attack such as a SYN flood instead focuses on the TCP network, overloading it with unacknowledged packets. Depending on how an organization's network is managed, this kind of DDoS can not only overwhelm a server, it also can overload switches or other network resources, potentially impacting a victim's entire network, including casualties unrelated to the victim if they share network space with the same ISP.
HTTP and SYN floods are not the only weapons in a DDoS attacker's arsenal but they are among the most common. Other attack mechanisms may include UDP, ICMP and DNS floods, as well as mailbombs. A so-called "mixed DDoS" can incorporate several of these weapons into one attack.
Can a DDoS be stopped?
Let's start with the bad news: It is very difficult to defend against a sophisticated DDoS attack launched by a determined adversary.
Many organizations struck by a DDoS are left to scramble in an effort to stop the attack once it has already begun. Sometimes this requires coordination with the ISP that provides network access. This is especially true when an ISP is forced to "null route" a victim – meaning that to protect other customers, the ISP routes traffic intended for the victim into the trash. This of course effectively prevents all access, including from legitimate users.
One of the more well-known countermeasures against a SYN flood is the use of "SYN cookies", either in the server OS or, better yet for network efficiency, in a network security device at the network edge such as the Cisco Guard. SYN cookies provide a more efficient method for tracking incoming TCP connections, lessening the chance for a typical SYN flood to overwhelm the stack.
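How a SYN cookie lets the listener track handshakes without storing half-open state, as an added toy illustration that is not from the original post or any real TCP stack: the cookie layout is assumed here (5-bit time counter, 3-bit MSS index and 24-bit keyed hash packed into the 32-bit initial sequence number), the addresses are constructed, and a flood of spoofed SYNs is shown to leave zero entries behind.

```python
"""Toy SYN-cookie listener.  Added illustration, not from the original post or any
real TCP stack; the cookie layout and MSS table are assumed, addresses constructed."""
import hashlib
import hmac
import os

MSS_TABLE = (536, 1300, 1440, 1460)  # assumed coarse MSS values, encoded as an index
COUNTER_PERIOD = 64                   # assumed seconds per time-counter tick
MAX_AGE_TICKS = 1                     # accept cookies from the current or previous tick


class SynCookieListener:
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.established = set()      # only fully handshaken connections are stored

    @staticmethod
    def _tick(now):
        return (int(now) // COUNTER_PERIOD) & 0x1F

    def _mac(self, src, sport, dst, dport, tick):
        """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
        msg = f"{src}:{sport}>{dst}:{dport}|{tick}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]

    def on_syn(self, src, sport, dst, dport, mss, now):
        """Answer a SYN: the SYN-ACK's ISN is the cookie, and no state is kept."""
        tick = self._tick(now)
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        mac = int.from_bytes(self._mac(src, sport, dst, dport, tick), "big")
        return (tick << 27) | (mss_idx << 24) | mac

    def on_ack(self, src, sport, dst, dport, ack_num, now):
        """Validate the final ACK of the handshake: ack_num - 1 must be a cookie this
        listener could have minted recently for this 4-tuple.  Returns the MSS
        recovered from the cookie, or None when the ACK is forged or stale."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        tick = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
        if (self._tick(now) - tick) & 0x1F > MAX_AGE_TICKS or mss_idx >= len(MSS_TABLE):
            return None
        if not hmac.compare_digest(mac, self._mac(src, sport, dst, dport, tick)):
            return None
        self.established.add((src, sport, dst, dport))
        return MSS_TABLE[mss_idx]


def state_kept_after_flood(listener, n, now=100000.0):
    """Send n SYNs from n spoofed sources and report how many entries the listener holds."""
    for i in range(n):
        listener.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, "192.0.2.10", 80, 1460, now)
    return len(listener.established)


if __name__ == "__main__":
    srv = SynCookieListener()
    isn = srv.on_syn("203.0.113.5", 51000, "192.0.2.10", 80, 1460, 100000.0)
    print("handshake MSS:", srv.on_ack("203.0.113.5", 51000, "192.0.2.10", 80, isn + 1, 100001.0))
    print("state after 10000-SYN flood:", state_kept_after_flood(SynCookieListener(), 10000))
```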
An effective defense against an HTTP flood can be the deployment of a reverse proxy – in particular a collection of reverse proxies spread across multiple hosting locations. A reverse proxy is somewhat akin to a bouncer at a nightclub, deciding which guests are allowed into the party, where the real web server is. By deploying many bouncers in different locations, the crush of incoming traffic is split into fractions, lessening the possibility of the network becoming overwhelmed. Deploying this type of architecture can be done in the scramble after an attack has begun, or baked into the network architecture of a web site as a preventative defense.
The limitation with these DDoS defenses is that if the attacker can generate network traffic at a higher rate than your network's Internet connection can handle, it will be hard to avoid a meltdown. But what these defense strategies do accomplish is at least force the attacker to get a bigger gun.

Manage your network connections

The network connections settings in Microsoft Windows XP specify how your computer will connect to a network. If you use a laptop, you might need to change your network connections to adapt to different environments. You might also need to change network settings if you add a network adapter or change Internet service providers (ISPs).

To manage your network connections

  1. Click Start, and then click Control Panel.
  2. In Control Panel, under Pick a Category, click Network and Internet Connections.
  3. Under or pick a Control Panel icon, click Network Connections to display the Network Connections window.
  4. In the Network Connections window, you can perform any of the following network management tasks:
    • Disable a network connection. Disable a network connection if you aren't using it. For example, if your computer has a built-in wireless connection, and you're currently connected to a wired network, you should disable the wireless network connection to make sure your computer doesn't use the slower wireless connection. You'll save power, too. To disable a network connection, right-click the network connection, and then click Disable.
    • Enable a network connection. To enable a previously disabled network connection, right-click the network connection, and then click Enable.
    • Repair a network connection. Windows XP can solve common network problems automatically. To repair a network connection, right-click the network connection, and then click Repair.
    • Configure your Internet Protocol (IP) settings. Though you rarely need to change the default settings, your employer or your ISP might request that you specify your IP address and Domain Name System (DNS) servers.

To configure your IP settings

  1. In the Network Connections window, right-click your network connection, and then click Properties.
  2. On the General tab, under This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.
  3. In the Internet Protocol (TCP/IP) Properties dialog box, configure your network settings, and then click OK. Click Close to return to the Network Connections window.

Apr 2, 2013

Configuring an Access Point as an Access Point

The Linksys Wireless-G Access Points can be configured as an Access Point, Access Point Client, Wireless Repeater, and Wireless Bridge.  Wireless-G Access Points by default are set to Access Point Mode.
NOTE:  The AP Mode options on the access point depend on its version number. 
Checking if the WAP54G v1.1 is set to Access Point Mode 
Step 1:
Log on to the access point's web-based setup page.
Step 2:
When the access point’s web-based setup page opens, click AP Mode and make sure Access Point (default) is selected.
NOTE: If the WAP54G v1.1 is not set to Access Point, select Access Point (default) then click Apply.
Step 3:
Click Apply if you made any changes.
Checking if the WAP54G v3 is set to Access Point Mode
Step 1:
Connect the Linksys access point to one of the router's Ethernet (1, 2, 3 or 4) ports.
Step 2:
Access the web-based setup page.
Step 3:
When the access point’s web-based setup page appears, click AP Mode and make sure that Access Point (default) is selected.
QUICK TIP:  When configuring the access point in AP mode, make sure its wireless settings are also the same as the router's.
Step 4:
Click Apply if you made any changes.

Mar 30, 2013

Simple AP Setup --ubnt

Network Topology

We'll consider this simple network topology:
  • 1 Router/Gateway connected to Internet and/or private LAN (IP Address: 10.10.10.254/24)
  • 1 Switch for private LAN (optional)
  • 1 AP AirOS device directly connected to Router (IP Address: 10.10.10.253/24)
  • 1 or more Wireless Clients (Notebook, WiFi-Phone, other Wireless devices...)
  • The Router assign IP Address to network devices by DHCP Server. Alternatively, if you prefer, you can set static IP Address on Client.
[Image: AP_Network.png]

Devices configuration

Router Setup

The router can be your ISP's ADSL router, a Ubiquiti RouterStation or a Mikrotik RouterBoard plus Ethernet modem... please refer to the device manual.
  • Set your Internet connection according to your ISP's parameters (WAN IP Address, DNS IP Address, ...)
  • Set LAN IP Address/SubnetMask: 10.10.10.254/255.255.255.0 (10.10.10.254/24)
  • Enable DHCP Server to assign IP Address to Network Devices (e.g. range Client IP Pool from 10.10.10.1 to 10.10.10.100)

AirOS AP Setup

Connect your PC directly via Ethernet cable to the AirOS device you want to configure as an AP and log in to the web GUI.
Note: you need to configure your PC with an IP address on the same subnet as the AirOS device.
By default, AirOS devices use 192.168.1.20/255.255.255.0, so you can assign your PC an IP address like 192.168.1.1/255.255.255.0.
  • In LINK SETUP Tab, set:
    • Wireless Mode: Access Point
    • SSID: yourSSID (or any other string to identify your WLAN)
    • Country Code: set according to your country
    • IEEE 802.11 Mode: B/G mixed (assuming devices running in 2.4 GHz)
    • Channel Spectrum Width: 20MHz
    • Channel: 1 - 2412 MHz (or any other free channel)
    • Output Power: 10 dBm (or check Obey Regulatory Power according to your country's law)
    • Data Rate, Mbps: 54, Auto
    • Security: WPA (or any other, supported by Wireless Client)
    • WPA Preshared Key: yourpassphrase (this is a secret key for your WLAN, minimum 8 printable ASCII chars, maximum 63)
    • Click "Change"
    • Wait until process is complete and click "Apply" to confirm new configuration (or click "Discard" to refuse).
Note: we suggest setting wireless security only after you are sure that wireless clients are able to connect to your AP.
Note: not all wireless devices support all wireless security modes (WEP, WPA, WPA2, ...)


  • In NETWORK TAB, set:
    • Network Mode: Bridge
    • IP Address: 10.10.10.253
    • Netmask: 255.255.255.0
    • Gateway IP: 10.10.10.254
    • Primary DNS IP: 10.10.10.254 (or DNS IP provided from your ISP)
    • Secondary DNS IP: as Primary DNS IP
    • Click "Change"
    • Wait until process is complete and click "Apply" to confirm new configuration (or click "Discard" to refuse).
    • Now the devices should be reachable on new IP Address 10.10.10.254.
    • Remember to assign your PC an IP on subnet 10.10.10.x (e.g. 10.10.10.200/255.255.255.0)

Client Setup

Wireless client devices can be: laptops (with Windows, Mac, Linux...), PDAs, WiFi phones, WiFi IP cams... refer to the manual.
In TCP/IP Network Section:
  • If supported, set the device to obtain an IP address automatically
  • Otherwise set statically:
    • IP Address: any free IP 10.10.10.x/255.255.255.0
    • Gateway: 10.10.10.254
    • DNS: 10.10.10.254 (or DNS provided by your ISP).
In Wireless Section, set the same parameters used in AP Setup:
  • WiFi Channel
  • Wireless Security (WEP, WPA, WPA2,...)

Monitoring Associated Clients/Stations

  • In MAIN TAB, select Show Station from the Extra info menu.
    A popup window will list the associated stations. For detailed info, click on the MAC address.

Mar 28, 2013

Basic Internet Sharing with Bandwidth Limiting -- Mikrotik

This tutorial explains how to configure a router to share a single Internet connection (WAN) among multiple local computers (LAN) using NAT.

First we will configure the interface that is connected to the WAN.
/ ip address add address=192.168.1.20/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether2

Now one interface is configured and connected to the WAN (with IP 192.168.1.20/24). Next we will configure the second interface for our local network.
/ ip address add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=ether1

Now we will configure DHCP using WinBox: download WinBox from http://www.mikrotik.com and log in to your MT router. Then go to IP > DHCP-Server and press the Setup button; you will see a window similar to the one shown below. Select the interface you configured for your local network (in our example it is ether1), then press Next until the end of the setup.

[Image: Dhcp-1.JPG]

Now we will configure DNS for our local network. Go to IP > DNS, press the Settings button, then add your primary and secondary DNS server IPs as provided by your Internet Service Provider. Also make sure that you select "Allow Remote Requests", so that you can give your MT router's IP as the DNS server to your clients. Then Apply and OK.

[Image: Dns.JPG]

Now we will configure NAT for our local network. Go to IP > Firewall, open the NAT table and press the plus sign to add a new rule. Select chain=srcnat, set Src. Address=192.168.0.0/24 (the IP range of your local network), then select Out. Interface=ether2 (the interface connected to the WAN), as shown below.

[Image: Firewall-1.JPG]

Now go to the Action tab in the same window, select Action=masquerade, then Apply and OK.

[Image: Firewall-2.JPG]

Now we will set up bandwidth restriction (10kbps per IP in the 192.168.0.0/24 range). Go to Queues, then Queue Types, and press the plus sign to add a custom queue type. Enter your desired name in the name field and select kind=pcq, as shown below.

[Image: Bandwidth-1.JPG]
Now go to the Settings tab in the same window, set Rate to 10000 (i.e. equal to 10kbps), and select Dst. Address, as shown below.

[Image: Bandwidth-2.JPG]

For the upload limit, repeat the same procedure to create another queue type with a different name; in the Settings tab select Src. Address instead of Dst. Address. Apply and OK.

Now in the Queues window go to the Simple Queues tab and add a new simple queue by pressing the plus sign. Enter your desired name, then add Target Address=192.168.0.0/24, the IP range of your local network.

[Image: Simple-queue-1.JPG]
Now go to the Advanced tab in the same window; under Queue Type, for Target Upload select the queue type created before for upload restriction, and do the same for Target Download, as shown below. Press Apply and OK.

[Image: Simple-queue-2.JPG]

With these steps performed, you should now have an up-and-running MT router that serves Internet access to the local network with IP range 192.168.0.0/24, handed out by the DHCP server.

Mar 19, 2013

How to setup Bridge mode on R6300?

The R6300 Wi-Fi Router can be configured in Bridge mode. To configure the router in Bridge mode, you need two R6300 routers—one configured as the router and the other as a bridge.
For a Gigabit Wi-Fi connection for your home entertainment center, install the first R6300 router, then set up the second R6300 in Bridge mode near the home entertainment center and connect via Ethernet your Smart TV, DVR, game console or Blu-ray® player. The R6300 Bridge connects at 802.11ac Wi-Fi speeds to the R6300 Wi-Fi Router, providing you a gigabit Wi-Fi connection to your home entertainment center.
Benefits of Installing the R6300 Router as a Bridge:
• Enables you to take advantage of Gigabit speeds on current devices.
• Utilize Gigabit speed for applications like video and gaming by putting this next to your home entertainment center.
• Connect using Gigabit Ethernet cable on multiple devices like Smart TV, NeoTV, Blu-ray Player, game console to the R6300 bridge.
• The R6300 bridge connects wirelessly at Gigabit Wi-Fi speeds to the R6300 router.

How to Set Up Bridge Mode on the R6300 Router
Make sure that the base router (the router that the R6300 will connect to) is operational and able to connect wireless devices. Make a note of the following items: SSID, security mode, wireless password, operating frequency (either 2.4 GHz or 5 GHz)
  1. Log in to the second R6300 Router by typing routerlogin.net on an Internet browser's address bar.
  2. Go to Advanced tab > Advanced Setup and click Wireless Settings.
  3. Click Use other operating mode and select Enable Bridge mode.
  4. Click Setup bridge mode wireless settings and configure the following items on the pop-up window.
    a. Click the drop-down menu to choose the wireless network frequency (2.4 GHz or 5 GHz) of the router you are connecting to. Choose 5 GHz to set up in 802.11ac mode.
    b. Type the wireless network name (SSID) of the router you are connecting to.
    c. Select the security mode of the router you are connecting to.
    d. Type the passphrase of the router you are connecting to.
    e. Click Apply.
  5. Click Apply again on the Wireless Settings screen.
    Congratulations, you've finished! The R6300 router will reboot and connect to the base router in a few minutes.

Configuring a network with a wireless bridge


  • LAN: Local Area Network.
    Your local network
  • WAN: Wide Area Network.
    The larger network your LAN connects to. The first step on the path to the Internet.
  • DHCP: Dynamic Host Configuration Protocol
    A server that assigns IP Address, Subnet Mask, Default Gateway and DNS Server values to your TCP-IP system.
  • DNS: Domain Name System
    DNS is what translates a name like Google into Google's IP address.
  • Router: A network device with two interfaces; one side WAN, the other side LAN. They must be on different networks, or there is nothing for the router to do.
  • Bridge, Wireless Bridge, Client: A device with two network interfaces that connects to an AP or Wireless Router. A bridge does the same thing as a USB WiFi adapter, or a wireless PCI card. The difference is that the bridge has an ethernet connector that allows the output to be shared by all of the computers on a wired network. A printer, scanner or DVR (digital video recorder) on a wired network with a bridge is effectively a wireless device.

The router inspects network traffic and decides: Local (PC to printer) or Long Distance (PC to Internet) and sends the traffic out the appropriate interface.

You have 4 values to deal with in TCP/IP:
  • IP Address. Think phone number.
  • Subnet Mask. Works with IP address. Must be the same on all equipment in your network. Different subnet mask = different network.
  • If these two are good, you get local connectivity; your in-house network equipment communicates.
  • Default Gateway: Think Dial 9 for an outside line. The default gateway is an IP address on your network that is the LAN side of a router that connects to a bigger network. The other side of that router is the WAN side of that router. Think of your network as a tree. The default gateway in every unit points to a bigger part of the tree. Twig, branch, bigger branch, trunk. The default gateway points to the closest junction with a larger part of the tree. In the diagrams below, the blue arrows point to the next default gateway in the chain. If you traceroute your network, you will see a list of default gateways from your PC to the IP or URL you tracerouted to.
  • DNS Server. The address of a DNS server. Frequently multiple choice. One of these choices should be the IP address of your ISP.

A simple wireless bridge setup:

A network consisting of a wireless bridge router connected to a WISP, feeding a PC (the ISP is actually a generous neighbor):

Note that:
  • Default gateway changes in each unit;
  • DNS server stays the same.

The same network with an AP added. An extra network has been inserted between the AP and the bridge router. This was necessary to get the AP to route traffic out the router's WAN port:



A more complicated system:

The scenario:

1) You live near a city park. Three organizations have hotspots feeding this park. You can see these hotspots from a motorhome in your backyard, but not from the house. You want to access these connections from the house.

2) You want access to the house network from the motorhome

3) There are computer science majors in the neighborhood. The kind who have no social life and hack into everything. Is there another kind?

You need:

1) A client in the motorhome that connects to the hotspots. This must not have wireless security enabled, because the hotspots are open.

2) A wireless router in the motorhome to relay the signal into the house. This will have the best security available enabled.

This requirement of secure on one end but not the other keeps us from using a WDS repeater.

3) A client in the house. This client will be configured as a Client Bridge; a client to the wireless router in the motorhome. It needs the same security settings as the wireless router.



The difference: A client bridge connects two halves of one network together. The same network on both sides. The 192.168.1.14 client in the image below is a client bridge. The 192.168.1.X network can be connected to on the switch side of the WIFFLI AP. It cannot be seen from the ISP.

Three DNS servers are listed: The client to the ISPs, and the two most common WISP IPs.

Last edited by Mark Oney; 06-14-2009 at 10:05 PM.. Reason: Added a client bridge
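The four TCP/IP values described in the post above, worked through in Python as an added example that is not part of the original post. It models a few constructed hosts, makes the Local versus Long Distance decision the post describes (same subnet: deliver directly; otherwise: hand to the default gateway), and flags the mistakes the post warns about: a subnet mask that differs from the rest of the LAN and a default gateway that is not inside the host's own network. Host names and addresses are constructed sample data; the printer's mask is mistyped on purpose.

```python
"""The four TCP/IP values from the post, modelled for a small LAN.

Added example, not part of the original post. Hosts and addresses below are
constructed sample data; 'printer' has a mistyped subnet mask on purpose.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    address: str            # IP Address: "think phone number"
    mask: str               # Subnet Mask: must match the rest of the LAN
    gateway: str            # Default Gateway: "dial 9 for an outside line"
    dns: Tuple[str, ...]    # DNS Server(s)

    @property
    def iface(self) -> IPv4Interface:
        # ipaddress accepts a dotted mask after the slash.
        return IPv4Interface(f"{self.address}/{self.mask}")


def next_hop(host: Host, destination: str) -> Tuple[str, str]:
    """The decision the post describes: Local (same subnet, deliver directly)
    or Long Distance (hand the packet to the default gateway)."""
    if IPv4Address(destination) in host.iface.network:
        return ("local", destination)
    return ("gateway", host.gateway)


def check_host(host: Host) -> List[str]:
    """Findings about one host's four values."""
    findings = []
    net = host.iface.network
    if IPv4Address(host.gateway) not in net:
        findings.append(f"{host.name}: gateway {host.gateway} is outside {net}; "
                        "nothing beyond the LAN is reachable")
    if IPv4Address(host.address) in (net.network_address, net.broadcast_address):
        findings.append(f"{host.name}: {host.address} is the network or broadcast address of {net}")
    if not host.dns:
        findings.append(f"{host.name}: no DNS server; names will not resolve")
    return findings


def check_lan(hosts: List[Host]) -> List[str]:
    """Findings across hosts: differing masks, and the asymmetric path they cause
    (A delivers to B directly, B sends its replies to its gateway instead)."""
    findings = []
    masks = sorted({h.mask for h in hosts})
    if len(masks) > 1:
        findings.append(f"subnet masks differ across the LAN: {masks}")
    for a in hosts:
        for b in hosts:
            if a is b:
                continue
            a_local = IPv4Address(b.address) in a.iface.network
            b_local = IPv4Address(a.address) in b.iface.network
            if a_local and not b_local:
                findings.append(f"{a.name} delivers to {b.name} directly, but {b.name} "
                                "replies via its gateway: asymmetric path")
    return findings


# Constructed sample LAN: the printer's mask was typed as .128 instead of .0.
PC = Host("pc", "192.168.1.10", "255.255.255.0", "192.168.1.1", ("192.168.1.1",))
PRINTER = Host("printer", "192.168.1.200", "255.255.255.128", "192.168.1.1", ("192.168.1.1",))

if __name__ == "__main__":
    print(next_hop(PC, "192.168.1.200"))   # local delivery
    print(next_hop(PC, "8.8.8.8"))         # via the default gateway
    for line in check_host(PC) + check_host(PRINTER) + check_lan([PC, PRINTER]):
        print("!", line)
```

With the sample data the PC reaches the printer directly, but the printer's /25 mask puts its own gateway outside its network, so its replies have nowhere to go; that is the "different subnet mask = different network" failure the post describes, made visible before anyone starts swapping cables.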

HowTo: Connect Two Wireless Router Wirelessly ( Bridge ) With Open Source Software

You can set up a wireless connection between two routers only, so that it links a wireless network to a wired network, allowing you to bridge two networks with different infrastructure. You can find wireless access point products that offer either a "bridge" mode or a "repeater" mode. In this post I'm going to explain three popular open source choices that can be used for setting up a wireless bridge.

Sample setup

Consider the following network diagram:
Fig.01: Wireless client setup
  • You connect to the Internet using a standalone ADSL2 modem with the 202.54.1.1 public IP address.
  • SSID set to nixcraft on wireless #1 and IP address set to 192.168.1.2. This router is located downstairs and connected to the ADSL2 modem.
  • SSID set to nixcraft on wireless #2 and IP address set to 192.168.1.1. This router works in client bridge mode and is located upstairs.
  • All computers and devices connected to wireless routers #1 and #2 can share files and other resources with each other.
Fig.02: Access point as a wireless bridge

In this setup:
  • Electricity and resources are saved by removing the standalone ADSL2 modem.
  • You connect to the Internet using a combo ADSL2 modem plus wireless router (AP) with the 202.54.1.1 public IP address. This router is called wireless #1 and its SSID is set to nixcraft. This device has two IP addresses and is located downstairs.
  • SSID set to nixcraft on wireless #2 and IP address set to 192.168.1.1. This router works in client bridge mode and is located upstairs.
  • All computers and devices connected to wireless routers #1 and #2 can share files and other resources with each other.

Software (3rd party firmware)

You can use the following software / firmware to get additional features which are not typically included in a manufacturer's router firmware, such as a client mode wireless bridge. You can either set up a full WAP or just bridge your LAN so that wireless devices can get access to all LAN resources transparently.
  1. DD-WRT : Linux-based alternative open source firmware for wireless routers. It works for several routers, most notably the Linksys. It works great with a variety of wireless routers and embedded systems. This is recommended for new users as it comes with an easy to use web GUI.
  2. Tomato : Another simple and easy to use replacement firmware for Linksys' WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54, Asus and other Broadcom-based routers. It features a new easy to use GUI, a new bandwidth usage monitor, more advanced QoS and access restrictions, enables new wireless features such as WDS and wireless client modes, raises the limits on maximum connections for P2P, allows you to run your custom scripts or telnet/ssh in and do all sorts of things like re-program the SES/AOSS button, adds a wireless site survey to see your wifi neighbors, and more. This is recommended for new users as it comes with an easy to use web GUI.
  3. OpenWrt : OpenWrt is not just firmware; it is often described as a complete Linux distribution for embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. This firmware is recommended for advanced users only.
  4. DIY option - You can install Linux or FreeBSD/OpenBSD based operating systems and create a full WAP or just a bridge. This option requires a good understanding of Unix, networks and embedded devices.
I strongly recommend DD-WRT for new users and OpenWrt for advanced Linux users.

Hardware

I've used the following devices in the last couple of years for personal usage:
  1. Linksys WRT 54 with DD-WRT firmware.
  2. Dlink DIR-615 with DD-WRT firmware.
  3. Asus RT 16 with Tomato firmware.
  4. Soekris net4801 with the DIY option. You can use Debian/Ubuntu/CentOS Linux and FreeBSD/OpenBSD. This option is only recommended for advanced hardcore Unix users.
You can find a list of supported router hardware by visiting the following pages:

Example: Configuring Asus RT-16 as a wireless bridge

Let us see how to configure a wireless connection between two routers only, as discussed earlier, with Tomato firmware.

Wireless # 1: ADSL2+router configuration

This is my ADSL2 modem + wireless router (Netgear N600) that connects to my ISP. This is my primary router and it is called wireless #1. Open a browser and type:
http://192.168.1.2
Make sure LAN setup is as follows:
Fig.03: Netgear N600 (DGND3700) Static Lan IP Configuration For Wireless Bridge
  1. Set the IP address of your router in dotted decimal notation to 192.168.1.2 (factory default: 192.168.0.1).
  2. Also set IP subnet mask to 255.255.255.0. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the router).
Setup wireless as follows:
Fig.04: Prepare Netgear N600 / DGND3700 For Wireless Client Bridge Mode
  1. Set SSID to nixcraft.
  2. Set up the mode as per your requirements. I set it to 300 Mbps performance mode, with a maximum Wireless-N speed.
  3. Set security options to WPA2-PSK standard encryption with the AES encryption type.
  4. Finally, set the WPA passphrase (network key) as per your requirements. For demonstration purpose I set it to "Neil_Armstrong".

Wireless # 2: Router client bridge configuration

I'm assuming that you've already replaced your default firmware with DD-WRT/Tomato/OpenWrt. In this example, I'm going to use Tomato firmware.

How do I use Tomato firmware as wireless ethernet bridge?

Open a web browser and type the following URL:
http://192.168.1.1
Click on Basic > Networking. Make sure LAN is setup as follows:
Fig.05: Tomato USB firmware LAN setup for wireless bridge
  1. Make sure router IP address is set to 192.168.1.1.
  2. Make sure subnet is set to 255.255.255.0.
  3. Make sure default gateway is set to 192.168.1.2 (IP address of wireless # 1).
  4. Make sure static DNS is set to 192.168.1.2 (IP address of wireless #1). However, you can set it to OpenDNS or Google DNS instead.
Scroll down to the Wireless section and set it as follows:
Fig.06: Tomato wireless settings for br0
  1. Set wireless mode to "Wireless Ethernet Bridge".
  2. Set wireless network mode to "N only" or as per your requirements.
  3. Set SSID to "nixcraft".
  4. Set security to "WPA2 Personal" and encryption to "TKIP/AES".
  5. Set the shared key to the WPA passphrase. In this example set it to "Neil_Armstrong".
Click on Advanced > Routing:
Fig.07: Setup tomato in gateway mode
  1. Set mode to "Gateway".
  2. Make sure RIP v1 & v2 is set to "Disabled".
  3. Turn on "DHCP routes" for DHCP relays, i.e. send all DHCP requests to the DHCP server located at 192.168.1.2 (or any other server on the LAN).
Click on Advanced > Firewall. Set it as follows:
Fig.08: Firewall settings for br0

You are done. Configure any other settings you wish at this point. To see current router status click on Status > Overview:
Fig.09: Tomato status page - running in a bridge mode
Have any advice for better 3rd party firmware or software? Let's hear it in the comments.
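The wireless #1 and wireless #2 settings above have to agree in several places at once (SSID, security mode, passphrase, cipher, one subnet, gateway pointing at the primary router), and a mismatch in any one of them shows up only as "the bridge never comes up". The following added Python example, which is not part of the original article or of the Tomato or Netgear software, puts the article's values into two dictionaries and checks them against each other; the dictionary keys and the dhcp_server field are names and an assumption chosen here, not settings the article shows. A second function reports hygiene issues that do not stop the bridge from working but that you would tighten before leaving it running.

```python
"""Consistency and hygiene checks for a two-router wireless bridge.

Added example, not part of the original article and not Tomato's or
Netgear's code. The dictionaries mirror the values the article enters into
the two web pages; 'dhcp_server' is an assumption added here (only one DHCP
server should answer on the shared LAN), not a setting the article shows.
"""
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List

# Wireless #1: the ADSL2+ router acting as access point (values from the article).
WIRELESS_1: Dict = {
    "lan_ip": "192.168.1.2",
    "mask": "255.255.255.0",
    "ssid": "nixcraft",
    "security": "WPA2 Personal",
    "encryption": {"AES"},
    "passphrase": "Neil_Armstrong",
    "dhcp_server": True,        # assumption: the AP hands out leases
}

# Wireless #2: Tomato in "Wireless Ethernet Bridge" mode (values from the article).
WIRELESS_2: Dict = {
    "lan_ip": "192.168.1.1",
    "mask": "255.255.255.0",
    "gateway": "192.168.1.2",
    "dns": ["192.168.1.2"],
    "ssid": "nixcraft",
    "security": "WPA2 Personal",
    "encryption": {"TKIP", "AES"},
    "passphrase": "Neil_Armstrong",
    "dhcp_server": False,       # assumption: only the AP serves DHCP
}

DEMO_PASSPHRASES = {"Neil_Armstrong"}   # the article's demonstration key


def check_bridge(ap: Dict, bridge: Dict) -> List[str]:
    """Problems that stop the bridge from associating or from passing traffic."""
    problems = []
    ap_if = IPv4Interface(f"{ap['lan_ip']}/{ap['mask']}")
    br_if = IPv4Interface(f"{bridge['lan_ip']}/{bridge['mask']}")

    # Wireless association: the bridge must present exactly the AP's credentials.
    if bridge["ssid"] != ap["ssid"]:
        problems.append(f"SSID mismatch: bridge joins '{bridge['ssid']}', AP is '{ap['ssid']}'")
    if bridge["security"] != ap["security"]:
        problems.append("security mode mismatch: bridge will not associate")
    if bridge["passphrase"] != ap["passphrase"]:
        problems.append("passphrase mismatch: the WPA handshake will fail")
    if not bridge["encryption"] & ap["encryption"]:
        problems.append("no common cipher: bridge will not associate")

    # Layer 3: one LAN shared by both routers, bridge forwards everything to the AP.
    if br_if.network != ap_if.network:
        problems.append(f"bridge LAN {br_if.network} differs from AP LAN {ap_if.network}")
    if br_if.ip == ap_if.ip:
        problems.append("bridge and AP share the same LAN IP")
    if IPv4Address(bridge["gateway"]) != ap_if.ip:
        problems.append(f"bridge gateway {bridge['gateway']} should be the AP's LAN IP {ap_if.ip}")
    if ap["dhcp_server"] and bridge["dhcp_server"]:
        problems.append("two DHCP servers on one LAN: clients will get conflicting leases")
    return problems


def check_weaknesses(ap: Dict, bridge: Dict) -> List[str]:
    """Settings that work but should be tightened before the bridge stays in service."""
    warnings = []
    for name, dev in (("AP", ap), ("bridge", bridge)):
        if "TKIP" in dev["encryption"]:
            warnings.append(f"{name} still allows TKIP; restrict to AES (CCMP) only")
        if dev["passphrase"] in DEMO_PASSPHRASES or len(dev["passphrase"]) < 16:
            warnings.append(f"{name} uses the article's demo passphrase or a short one; change it")
    return warnings


if __name__ == "__main__":
    print("problems:", check_bridge(WIRELESS_1, WIRELESS_2) or "none")
    for w in check_weaknesses(WIRELESS_1, WIRELESS_2):
        print("warning:", w)
```

Run against the article's values the bridge checks pass, while the hygiene pass points out that the bridge side still accepts TKIP (the AP is AES only, so the weaker cipher buys nothing) and that both ends still carry the demonstration passphrase.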

Feb 24, 2013

Routing with point-to-point

Point-to-point connections are typically used to connect two systems together over a wide area network (WAN). You can use a point-to-point connection to get data from your local system to a remote system or to get data from a local network to a remote network. Do not confuse point-to-point connections with Point-to-Point Protocol. Point-to-Point Protocol (PPP) is one type of a point-to-point connection that is commonly used to connect a computer to the Internet. See PPP connections for more information on how to set up and manage your PPP connections.
You can use point-to-point connections across dial-up lines, leased lines, and other types of networks such as frame relay. There are two ways that you can configure the IP addresses for a point-to-point connection: a numbered connection or an unnumbered connection. As the names imply, a numbered connection has a unique IP address defined for each interface. An unnumbered connection does not use additional IP addresses for a connection.
Numbered network connections:
On the surface, it seems that the simplest way to configure a point-to-point connection is by using a numbered connection. A numbered connection is a point-to-point definition that has a unique IP address defined for each end of a connection.
Here are some points to keep in mind when you consider a numbered point-to-point connection:
  • Each end of the connection has a unique IP address.
  • Routing statements must be added to your system to flow the traffic to the remote system.
  • Addresses on the point-to-point link must be managed by your network administrator.
  • Addresses are used up just to connect two systems.
When each point-to-point connection is defined to your iSeries(TM) server, a routing entry must be made on each end to describe how to get to any network at the other end of the connection. The routing selection process on your iSeries server depends on having an IP address for each interface. These addresses and routes must be managed by your network administrator. In a small network, these addresses are easy to keep track of and do not use many additional addresses. In a large network, however, this may use an entire subnet of addresses just to define an interface at each end.
The figure below shows a numbered network connection between two iSeries servers. A routing entry is not needed if all you want to do is communicate from AS1 to AS2. If you want to communicate with systems in the remote network (10.1.2.x), the routing entry included in the figure must be added to each system. This is because the remote network, 10.1.2.x, is a part of the 192.168.1.x connection.
Numbered network connection
Unnumbered network connections:
An unnumbered connection is a more complex method of defining a point-to-point connection than a numbered connection. However, you may find the unnumbered connection a simpler and better way to manage your network.
The routing selection process in the iSeries server depends on having an IP address for an interface. In an unnumbered connection, the point-to-point interface does not have a unique address. The IP address of your iSeries server interface for an unnumbered connection is actually the IP address of the remote system.
Points to keep in mind while considering an unnumbered connection:
  • The point-to-point interface has an address that appears to be in the remote network.
  • Routing statements are not needed in the system.
  • Your network administration is simplified by not using up IP addresses for the link.
In the following example, AS1 appears to have an interface in the 10.1.4.x network and AS2 appears to have an interface in the 10.1.3.x network. The AS1 is connected to LAN network 10.1.3.x with an address of 10.1.3.1. This allows AS1 to communicate with any system on the 10.1.3.x network directly.

Unnumbered network connection
Also shown in the example is AS2. AS2 is connected to LAN network 10.1.4.x with an address of 10.1.4.1. This allows AS2 to communicate with any system on the 10.1.4.x network directly. Each system (AS1 and AS2) adds the remote address to its routing table as a local interface. The address is treated specially so that packets destined for that address will not be processed locally. The packets for the remote address will be placed on the interface and transported to the other end of the connection. When the packet arrives at the other end of the connection, normal packet processing is used.
Now you have a need to connect AS1 to the 10.1.4.x network and to connect AS2 to the 10.1.3.x network. If these two systems were in the same room, you would simply add a LAN adapter to each system and plug the new interface into the correct LAN. If you did this, AS1 and AS2 would not need any routing entries added. In this example, however, the systems are in different cities so you must use a point-to-point connection. Even though you are using a point-to-point connection, you would still like to avoid adding routing entries. By defining the Point-to-Point Protocol (PPP) connection as an unnumbered connection, you achieve the same results that you would have gotten if you could have used LAN adapters without adding any routing entries to your iSeries server. To do this, each system borrows the IP address of the remote system for use with route resolution.
Unnumbered versus numbered connection data flow:
The following figure shows the addresses that would be used in a numbered and unnumbered point-to-point connection. The top half of the picture shows, that with a numbered connection, the remote system address of 192.168.1.2 or 10.1.2.1 could be used to reach the remote system. This is because there is a routing entry in AS3 that directs packets for 10.1.2.1 to 192.168.1.2 as the next hop. The addresses used in the return packet are based on the received packet. The bottom of the figure shows the addresses used with an unnumbered connection. The outbound packet has a source of 10.1.3.1 and a destination of 10.1.4.1. No routing entries are needed on either system because the systems have a direct interface to the remote network by using the remote system address of the point-to-point connection.
Unnumbered vs. numbered
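The numbered and unnumbered cases above differ only in what the AS1 routing table contains, so the following added Python example (not IBM's code or the article's) models the AS1 side of both figures with a small longest-prefix-match routing table. In the numbered case a packet for 10.1.2.x is unroutable until the explicit entry via 192.168.1.2 is added; in the unnumbered case the link interface carries AS2's borrowed address 10.1.4.1, which yields a connected route to 10.1.4.x with no static entry, and that address is deliberately kept out of the set the local stack answers for, as the article describes. The 10.1.1.x LAN for AS1 in the numbered case and the /24 on the unnumbered link are assumptions; the other addresses are the article's.

```python
"""Longest-prefix routing on a numbered versus an unnumbered point-to-point link.

Added example, not IBM's code or the article's. It models the AS1 side of
both figures with a small routing table; the 10.1.1.x LAN for AS1 in the
numbered case and the /24 on the unnumbered link are assumptions, the other
addresses are the article's.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    iface: str
    next_hop: Optional[IPv4Address] = None  # None: deliver directly on iface


@dataclass
class Router:
    name: str
    routes: List[Route] = field(default_factory=list)
    local: Set[IPv4Address] = field(default_factory=set)  # addresses this stack answers for

    def add_interface(self, iface: str, cidr: str, unnumbered: bool = False) -> None:
        """Every interface contributes a connected route. An unnumbered interface
        borrows the remote system's address, so that address is NOT added to the
        local set: packets for it go out the link instead of being processed here."""
        intf = IPv4Interface(cidr)
        self.routes.append(Route(intf.network, iface))
        if not unnumbered:
            self.local.add(intf.ip)

    def add_route(self, prefix: str, next_hop: str) -> None:
        """Static route; the next hop must sit on a directly connected network."""
        nh = IPv4Address(next_hop)
        via = self.lookup(next_hop)
        if via is None or via[1] is not None:
            raise ValueError(f"{self.name}: next hop {nh} is not directly connected")
        self.routes.append(Route(IPv4Network(prefix), via[0], nh))

    def lookup(self, destination: str) -> Optional[Tuple[str, Optional[str]]]:
        """Longest-prefix match: (interface, next_hop) or None when unroutable."""
        dst = IPv4Address(destination)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        best = max(matches, key=lambda r: r.prefix.prefixlen)
        return (best.iface, None if best.next_hop is None else str(best.next_hop))

    def is_local(self, address: str) -> bool:
        return IPv4Address(address) in self.local


def build_numbered() -> Router:
    """AS1 with a numbered link: its own 192.168.1.1 on the link, AS2 at 192.168.1.2."""
    as1 = Router("AS1")
    as1.add_interface("lan0", "10.1.1.1/24")       # assumed LAN for AS1
    as1.add_interface("ppp0", "192.168.1.1/24")    # numbered point-to-point link
    return as1


def build_unnumbered() -> Router:
    """AS1 with an unnumbered link: LAN 10.1.3.1, link address borrowed from AS2."""
    as1 = Router("AS1")
    as1.add_interface("lan0", "10.1.3.1/24")
    as1.add_interface("ppp0", "10.1.4.1/24", unnumbered=True)  # AS2's address; /24 assumed
    return as1


if __name__ == "__main__":
    numbered = build_numbered()
    print("numbered, no route  :", numbered.lookup("10.1.2.5"))     # None
    numbered.add_route("10.1.2.0/24", "192.168.1.2")
    print("numbered, with route:", numbered.lookup("10.1.2.5"))     # ('ppp0', '192.168.1.2')
    unnumbered = build_unnumbered()
    print("unnumbered          :", unnumbered.lookup("10.1.4.7"))   # ('ppp0', None)
```

The asymmetry the article describes falls out of the table: the numbered link spends a 192.168.1.x subnet and still needs an entry per remote network, while the unnumbered link reuses AS2's LAN address and reaches the whole 10.1.4.x network through the connected route alone.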

Feb 22, 2013

How do I configure wireless Access Point to Point to Point Bridge mode?

Definition: In Wi-Fi networking, Bridge mode allows two or more wireless access points (APs) to communicate with each other for the purpose of joining multiple LANs.
Some wireless bridges support only a single point-to-point connection to another AP. Others support point-to-multipoint connections to several other APs. This article describes how to set up a Point to Point Bridge.
Note:
1. You need to configure both of your wireless access points (TL-WA501G/TL-WA601G) to Bridge mode by following the steps below in order to set up a Bridge mode based wireless network.
2. Before the configuration, please check and write down the Wireless MAC Address of the Access Points. On the bottom of the device there is a label with the MAC address printed.
Configuring the access point (TL-WA501G/TL-WA601G)
Step 1 Connect your computer to the TL-WA501G/TL-WA601G, and then log into the Web-based Utility by entering the IP address 192.168.1.1 into your Web Browser.
If you cannot log into the Web-based Utility, please follow the instructions in How do I log into the Web-based Utility of TL-WA501G/TL-WA601G.
Step 2 Change the LAN IP address of the access point (TL-WA501G/TL-WA601G) to avoid an IP conflict if necessary. This depends on your own network; please refer to Why & How do I change the IP address of TL-WA501G/TL-WA601G for details.
After changing the IP address of your access point, you need to log into it again using the new IP address. Please note that the IP addresses of the two access points cannot be the same in your network.
Step 3 Configure your TL-WA501G/TL-WA601G to Point to Point Bridge mode.
1. Click Wireless -> Wireless Mode on the left, select Bridge (Point to Point), and then enter the MAC address of the other access point (TL-WA501G/TL-WA601G) which you want to connect to into the MAC of AP box.
Note: Every two hex digits should be separated by the character '-', and please enter the correct MAC address of the other access point which you want to connect to, otherwise the wireless connection cannot be set up.
2. After completing the configuration, enable Reboot and click Save; the settings will take effect after the device reboots.
After completing the above procedure on both wireless access points (TL-WA501G/TL-WA601G), the Bridge mode based wireless connection will be set up successfully.
Additional information:
There is an option called With AP Mode on the settings page. If you enable it, the access point (TL-WA501G/TL-WA601G) can also work in AP mode at the same time as it is configured in Bridge mode. This means that you can connect other wireless clients to this access point while it is configured in Bridge mode.
If you do not enable it, you cannot connect any wireless client to this access point while it is configured in Bridge mode.
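Most failed point-to-point bridges come down to the two MAC of AP boxes: a digit misread from the label, the wrong separator, or both units still on the default 192.168.1.1 from Step 2. The following added Python example, which is not TP-Link's code, normalises whatever form the address was copied in (colons, dashes, Cisco dots or no separators) to the 'XX-XX-XX-XX-XX-XX' form the note above asks for, rejects anything that is not exactly twelve hex digits, and checks that each unit names the other's wireless MAC and that the two LAN IPs differ. The MAC and IP values are constructed sample data, and the dictionary keys (wireless_mac, mac_of_ap, lan_ip) are names chosen here, not the utility's own.

```python
"""Check the two MAC addresses typed into a pair of TL-WA501G/TL-WA601G units
in Bridge (Point to Point) mode before rebooting them.

Added example, not TP-Link's code. The MAC and IP values are constructed
sample data; the dictionary keys ('wireless_mac', 'mac_of_ap', 'lan_ip')
are names chosen here, not the utility's own.
"""
import re
from typing import Dict, List

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw: str) -> str:
    """Return the address in the 'XX-XX-XX-XX-XX-XX' form the utility expects.
    Accepts colon, dash, dot (Cisco style) or no separators; anything that is
    not exactly twelve hex digits is rejected rather than silently truncated."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_unicast(mac: str) -> bool:
    """A bridge peer must be a station address: the I/G bit of the first octet is clear."""
    return int(normalise_mac(mac)[:2], 16) & 0x01 == 0


def check_pair(ap_a: Dict[str, str], ap_b: Dict[str, str]) -> List[str]:
    """Each unit must name the other's wireless MAC as its peer and have its own LAN IP."""
    problems = []
    a_own, b_own = normalise_mac(ap_a["wireless_mac"]), normalise_mac(ap_b["wireless_mac"])
    a_peer, b_peer = normalise_mac(ap_a["mac_of_ap"]), normalise_mac(ap_b["mac_of_ap"])
    if a_own == b_own:
        problems.append("both units report the same wireless MAC; one label was misread")
    if a_peer != b_own:
        problems.append(f"{ap_a['name']} points at {a_peer}, but {ap_b['name']} is {b_own}")
    if b_peer != a_own:
        problems.append(f"{ap_b['name']} points at {b_peer}, but {ap_a['name']} is {a_own}")
    for ap, own in ((ap_a, a_own), (ap_b, b_own)):
        if not is_unicast(own):
            problems.append(f"{ap['name']}: {own} is a group address, not a station MAC")
    if ap_a["lan_ip"] == ap_b["lan_ip"]:
        problems.append(f"both units use LAN IP {ap_a['lan_ip']}; change one (Step 2)")
    return problems


# Constructed sample pair: A keeps the default LAN IP, B was moved in Step 2.
AP_A = {"name": "AP-A", "wireless_mac": "02:11:22:33:44:55",
        "mac_of_ap": "02-11-22-33-44-66", "lan_ip": "192.168.1.1"}
AP_B = {"name": "AP-B", "wireless_mac": "0211.2233.4466",
        "mac_of_ap": "021122334455", "lan_ip": "192.168.1.2"}

if __name__ == "__main__":
    for ap in (AP_A, AP_B):
        print(ap["name"], "MAC of AP field ->", normalise_mac(ap["mac_of_ap"]))
    print("problems:", check_pair(AP_A, AP_B) or "none")
```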
