Hi, I'm experiencing some problems with security in my wireless network.
Could you guys tell me what you are using to make the best of wireless security? I have an open signal (no encryption) with MAC filter, and some firewall rules to drop packets that aren't in the “valid IP” address-list. But I think a RADIUS server would be nice to implement as well, since I don't wanna use encryption so as not to overwhelm the CPU of my RouterBOARD. What do you guys think I should do to ensure my network will be really hard to break so it will make hackers go away? I also have a Linux server running with Squid installed; I was planning on using that server for RADIUS authentication as well. Am I going in the right direction? Any tips will be helpful.
One more thing: I have ARP control as well, but since some of my APs aren't in WDS with my main control unit, I have multiple IPs with the same MAC (the MAC of the AP). So, if I set ARP to reply-only, when those multiple IPs with the same MAC connect together, sometimes I have to disable ARP control so they can navigate. How can I solve this without using WDS? I really wanna use ARP control to link IPs with MACs. Thx very much.
There are at least a dozen ways to add security in various ways and combinations… Already mentioned are RADIUS and WPA2 wireless coding. There is also ‘hidden’ ESSID, access and connect lists in the APs, with MAC / SSID checking. Much of this can be used in conjunction with RADIUS. This can also be done w/MT Hotspot and MT Usermanager - sufficient level license required…
Get out of WDS and use a routed network - WDS for the local areas that need it - not the whole network.
Thx for replying. Well, if WPA2 doesn't make the CPU overload on a RouterBOARD 532, then it's a good choice for sure. I will be trying to implement this in some of my network to see how it behaves. RADIUS is more about control than security, then? At least that was what I understood from some replies. And why am I supposed to leave WDS? I have WDS over one of my repeaters and it's working fine so far; any concerns I should have about this that can cause some problem in the future? Thx!!!
nitrium -
Where to start… RADIUS is about control but also adds security as well… You can simply have it authenticate by MAC address or get sophisticated and have it send the WPA and ask for a username and password… it is entirely up to you…
As to WDS - well, there certainly are situations where one would need WDS - mostly this would be to simulate a ‘mesh’-like network in a concentrated area. You lose about 30% of your data throughput capacity when using WDS - hence the reason for using it in a mesh-like environment where your capacity would not be the issue. I did not mean to say there is something wrong with using WDS - just that unless you have special needs, other methods are more efficient. And I see you have already discovered the MAC address issue with using WDS as well, so you may want to consider a purely routed network over the WDS model you are using now.
Another good starting place (security) is to use the ‘hidden’ SSID mode in your APs and clients. Some clients work better than others but MT does seem able to support them all. A hidden SSID will not stop a hacker, it will slow them down, as in if they don’t know the network is there they’ll move on… if they know one is there - there are tools to ‘discover’ a hidden SSID - so a dedicated hacker will find you - but it is one more step they have to take to ‘get’ to you. Using RADIUS along with the wireless access and connect list will further make it much more difficult for someone to break your network…
Thx for all the replies guys, it's good to know some options like these! I already have a RADIUS server configured on a Linux box but didn't make it work along with my RouterOS, just lack of info to configure it right, but I will keep trying. I don't wanna use Usermanager so I'm using FreeRADIUS on a Slackware system. Along with the WPA2 encryption plus access-list, I think it will be difficult enough to discourage ppl from hacking my network. So, in RADIUS... any info on how I use it along with RouterOS? I already configured it on Linux along with MySQL but maybe it needs some tuning; after all, it's my first attempt in a RADIUS environment and I never configured one before. I hope I'm not going away from the subject of this topic. Any advice will be helpful!
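
As an added example, not written by anyone in the thread and not taken from their routers: the RouterOS side of the combination discussed above (WPA2 with AES, hidden SSID, access list, and RADIUS MAC authentication against the FreeRADIUS box). The interface name `wlan1`, the profile name, addresses, MAC and secrets are constructed placeholders, and it assumes a RouterOS version whose wireless security profiles support these properties.

```routeros
# Added example; every address, name, MAC and secret below is a constructed placeholder.

# 1. Point the router at the RADIUS server for wireless authentication.
#    The same shared secret must be configured for this router's address
#    in the server's client list (clients.conf on FreeRADIUS).
/radius add service=wireless address=192.0.2.10 \
    secret="replace-with-long-random-secret" timeout=3s

# 2. Security profile: WPA2-PSK with AES-CCM only (no TKIP), plus a RADIUS
#    lookup of each connecting client's MAC address. The MAC is sent as the
#    User-Name, so the server needs one entry per permitted MAC.
#    On an open network MAC addresses travel in cleartext, so the MAC check
#    is access control only; WPA2 is what protects the traffic itself.
/interface wireless security-profiles add name=wpa2-radius mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="replace-with-long-passphrase" \
    radius-mac-authentication=yes

# 3. Apply the profile to the AP interface, hide the SSID, and refuse clients
#    that match neither the local access list nor a RADIUS accept.
/interface wireless set wlan1 security-profile=wpa2-radius \
    hide-ssid=yes default-authentication=no

# 4. Optional local access-list entry for a known client, checked before
#    RADIUS is queried (useful for backbone links if the server is down).
/interface wireless access-list add interface=wlan1 \
    mac-address=00:0C:42:00:00:01 authentication=yes forwarding=yes \
    comment="constructed example client"

# 5. Verify: request/accept/reject/timeout counters for the first RADIUS
#    entry, then the list of currently associated clients.
/radius print
/radius monitor 0
/interface wireless registration-table print
```

If the accept counter stays at zero while timeouts climb, check the shared secret and that the server's firewall allows the router's address on the RADIUS port before changing anything on the wireless side.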