Wiring the house

My trusty Linksys WRT54G started dying yesterday. I think I’ve had it 3-4 years, so it’s had a decent run.

I have some temporary wiring in place until I decide what I want to do, but I really think I want some wired Ethernet. For one thing, my phone wiring is really bad, and I think that’s affecting my DSL speed and reliability. Modern CAT5 wiring would solve that problem neatly. And if I ran a dedicated unfiltered line straight to the modem and filtered lines everywhere else, I could get by with just a single line filter, instead of a half dozen. That should improve reliability too.

And while I’m running CAT5, I might as well run two wires, so I’ll have convenient network jacks in several places in the house. And if I’m running wire, I might as well run CAT5e and get gigabit capability. That should give me faster and more reliable networking, both locally and online.

The project would take about $100 worth of cable and jacks, I estimate. I already have plenty of jacks, so I’d just have to buy a spool of CAT5e. That, and find the time to run it.

I may keep wireless around for ultimate convenience (a combo DSL modem/router/access point costs about $70, which isn’t much more than another WRT54G, and my modem is getting old too), but I like the idea of having my desktop PCs connected via gigabit. It’ll make sharing drives more practical, and potentially much more secure if I get fancy with network segmenting and firewalling.

I think I’m going to be asking the network wizard at work a lot of questions… Good thing he sits right next to me.

And now mostly I need a free weekend to do all this.

If you have wireless, you need DD-WRT

I picked up a spare Linksys WRT54G recently, and tonight I finally got a chance to try DD-WRT, a free replacement operating system, on it.

Amazing is an understatement. The biggest complaint I usually hear about wireless networking is range (and when people complain about reliability, they almost always mean range), and DD-WRT offers several solutions to this. First of all, DD-WRT allows cheap, ubiquitous routers to serve other functions. Wireless repeaters cost $100. Wireless routers cost $50. DD-WRT lets you turn that $50 router into a repeater, among other things. So if there’s a dead spot in your house, you can pick up another WRT54G (be sure to get the WRT54GL version if you’re buying new; when buying used, you want version 6 or earlier, and version 2 or so is probably the best), load DD-WRT on it, use it as a repeater, and save 50 bucks. Some of the used units on Amazon or eBay already have DD-WRT loaded on them, which can save you some effort. One caveat: a repeater built from a single-radio router has to receive and then retransmit every frame on the same channel, so throughput through it is roughly half what a direct connection gives you. It fixes coverage, not speed.

Second of all, once you load DD-WRT, you can connect to it, click on Wireless, then Advanced Settings, and scroll down to TX Power. The default value is 28. You may want to adjust that, but raise it in small steps and only as far as you need: more transmit power means more heat in a box with no cooling and more noise for your neighbors’ networks, and the legal limit depends on your country, so the conservative default is there for a reason.

I was also happy to see that once when I configured my second WRT54G as a wireless bridge, the computer I was using to configure it gained Internet access through it. So a DD-WRT-equipped router can do double duty. If you have a video game console with an Ethernet port on it, you can put one of these routers in the same room with it, run a cable to the device to put the game system online, and at the same time configure the router to serve as a repeater, strengthening your wireless signal. So not only do you save $50 by not having to buy a repeater, it can also mean one less wireless card you have to buy.

The one thing I’ll say about DD-WRT is that when you load it, you need to take precautions. If you follow the instructions, loading it is a safe procedure that only takes a minute or two. But if you don’t follow the instructions, it’s possible to ruin the router. You never want to change firmware using a wireless connection; use a computer connected to a wired port. And with my particular router and the version of DD-WRT I was loading, I had to use Internet Explorer. For some reason Firefox has difficulty getting this particular job done. Also you have to load the factory default settings at one point or another during the configuration. So read the documentation at least twice and make sure you understand everything before you proceed.

I like DD-WRT a lot and I plan to load it on the WRT54G that I have connected to my DSL modem very soon. The main benefit I see is being able to crank the power of the signal up a bit, but there are plenty of other goodies in there that I may end up using. Perhaps more importantly, my WRT54G stopped working with DynDNS at some point, and Cisco/Linksys doesn’t seem to be revising the standard WRT54G firmware anymore. But DD-WRT has an active community behind it, so if something changes, I’m confident that there’ll be a new DD-WRT to take care of me, whether I need it next year or five years from now.

Pay DD-WRT.com a visit, find a compatible router (there are non-Linksys models that are compatible also) and pick one up. It won’t disappoint you.

The best way to optimize your firewall: Use hardware

Let’s get back to talking about utility replacements. We last talked about antivirus programs, but what about the other component of what’s commonly now called a “security suite,” the firewall?

The answer is, don’t use firewall software if at all possible, and for every man, woman and child who has a cable or DSL connection, it is possible. Use a separate device. There are several good reasons for this. First, there’s the fundamental problem with running your security on the same system you’re trying to protect. If your firewall software goes haywire and crashes, or a piece of malware that already got in simply switches it off, you run the risk of being unprotected. It’s much safer to rely on an external device that isn’t running Windows at all. A cable/DSL router only passes inbound traffic that belongs to a connection a PC on the inside started (or that you deliberately forwarded), so when someone sends a Windows exploit or worm to your public address, it never reaches the PC; the router drops it without ever understanding what it was. The router does have a small attack surface of its own, namely its administrative web interface, so change its default password and leave remote administration turned off.

The second reason is price. A plain no-frills cable/DSL router/firewall costs about $20 at Newegg today. The unit I generally recommend is the Linksys WRT54G, which sells for about $50 new or as little as $25 used and adds wireless capability. That’s about the same as the retail price of a software firewall anyway, and it gives you better protection without robbing your system of performance.

A cheaper alternative, which was what I used to do when these devices cost $200, was to take an obsolete PC, put in a couple of cheap network cards, and run Freesco on it. It will run on any PC with a 386 processor or better (I recommend a Pentium with PCI slots for ease of setup). A 100 MHz Pentium is more than powerful enough and if you don’t already have an obsolete PC to run it on, you probably won’t have to ask around very long before finding one for a very low price or free. Today I prefer a Linksys-type box though, since they take less space, consume less electricity, generate less heat and noise, and take less time to set up.

Performance is the third reason. Two years ago I was working at a large broadband ISP that will remain nameless. It provides a “high speed security suite” as part of the subscription price. The system requirements for this suite are ridiculous–the suite itself needs anywhere from 128 to 192 megabytes of RAM all to itself to function. Basically, if you have a PC with 256 megs of RAM (which is what a fair number of PCs out there still have), loading this security suite on it will bring it to its knees. But if your firewall is running on a separate device, 256 megs of RAM is a comfortable amount of memory to run Windows XP or 2000 and basic applications.

Reliability is the fourth reason. Every high-speed security suite I’ve ever dealt with, be it a freebie provided by your ISP, or an off-the-shelf suite, hooks itself into Winsock (typically as a Layered Service Provider, so every socket call on the machine passes through it). Three of the last four computer problems I’ve fixed have been related to this problem, and the symptoms are difficult to diagnose unless you’ve seen the problem before. Basically the computer loses any and all ability to do any networking, but when you call tech support, enough things work that tech support will probably tell you to reload your operating system. Unfortunately, the WinSockFix utility doesn’t seem to be well-known at ISPs. On Windows XP SP2 and later, running netsh winsock reset from a command prompt and rebooting rebuilds the Winsock catalog and clears up the same problem without any third-party tool.

If messing around with your Winsock isn’t bad enough, the security suite my former employer provided was overly paranoid about piracy. If you did any number of things, including but not limited to trying to install it on a second PC without getting a second key from the ISP, it would disable itself and not necessarily warn the user that it had left the PC unprotected. It was my job, when I was working there, to go through all of the disabled accounts by hand. It wasn’t an automated process. So if the security suite decided to go jump off a cliff sometime on Friday after I’d pulled the current report, it would be sometime on Monday before I would even be aware of the problem. Given that it usually takes about 20 minutes for some exploit to find an unprotected Windows box sitting on the Internet, that 48-72 hour window that you could be sitting unprotected is anything but ideal.

Things may have changed since I left that employer in November 2005, but if it’s my PC, I’m not willing to risk it. I’d much rather spend $20-$50 on a cable/DSL router to give myself firewall protection that I know I can just set up once and then ignore for a few years and won’t cause my PC to constantly fall behind on the upgrade treadmill.

And finally, the fifth reason to use a hardware firewall is apathy. Software firewalls tend to throw a lot of popups at the user, warning the user that this or that is trying to access the Internet, or come in, or whatever. Most users are likely to do one of two things: either allow everything or deny everything. The result is either a PC on which nothing works, or whose firewall is full of so many holes there might as well not be one. It’s much better to have a hardware firewall that just does its job. If you’re worried about unauthorized applications hitting the Internet, that’s the job of antivirus and antispyware software, not the firewall.
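To make the first reason concrete, here is a small Python model of what a consumer cable/DSL router does with inbound traffic: replies to connections a PC inside started get through, ports you deliberately forwarded get through, and everything else is dropped before it reaches a PC. This is an added example, not code from the original post or from any router vendor; the addresses, ports and the NatRouter class are constructed for illustration.

```python
"""Toy model of a consumer NAT router's stateful filtering (constructed example).

Outbound connections from the LAN get a public-side port and a table entry.
Inbound packets are delivered only if they match an entry (a reply to something
a PC inside started) or an explicit port-forwarding rule; everything else is
dropped before it ever reaches a PC. Addresses and ports below are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip: str, forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.wan_ip = wan_ip
        # Port-forwarding rules: public port -> (LAN host, LAN port). Each one is a
        # deliberate hole in the firewall, so keep this list short.
        self.forwards = dict(forwards or {})
        # Connection table, both directions.
        self.inbound_map: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        self.outbound_map: Dict[Tuple[str, int, str, int], int] = {}
        self.next_public_port = 40000
        self.dropped: List[Packet] = []     # packets the router refused to deliver

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public address and remember it."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            public_port = self.next_public_port
            self.next_public_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(pkt.dst_ip, pkt.dst_port, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver replies and forwarded ports, drop everything else."""
        if pkt.dst_ip != self.wan_ip:
            self.dropped.append(pkt)
            return None
        entry = self.inbound_map.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if entry is not None:                       # reply to a connection the LAN started
            lan_ip, lan_port = entry
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_port in self.forwards:           # explicit port forward (e.g. a web server)
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        self.dropped.append(pkt)                    # unsolicited: never reaches a PC
        return None


def demo() -> dict:
    """Walk through the three cases and report what happened to each packet."""
    router = NatRouter("203.0.113.5", forwards={8080: ("192.168.1.20", 80)})
    # A PC inside browses to a web server outside; the reply comes back to it.
    request = router.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = router.inbound(Packet("198.51.100.7", 80, "203.0.113.5", request.src_port))
    # A worm on the Internet probes our public address on TCP 135 (RPC), the port
    # the Blaster worm used. No PC inside asked for this, so it is dropped.
    probe = router.inbound(Packet("192.0.2.99", 4444, "203.0.113.5", 135))
    # The same host hits a port we deliberately forwarded to an internal web server.
    forwarded = router.inbound(Packet("192.0.2.99", 4444, "203.0.113.5", 8080))
    return {
        "reply_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_delivered": probe is not None,
        "forwarded_to": (forwarded.dst_ip, forwarded.dst_port) if forwarded else None,
        "dropped": len(router.dropped),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry: the PC’s own software never sees the probe, so there is nothing for a Windows exploit to hit, while the only way in is a rule you wrote yourself.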

Don’t overlook thrift stores when looking for software

Need a cheap copy of Windows or Office? Don’t need the newest, buggiest, clunkiest version?

Visit your local Salvation Army Thrift Store. I was flipping through CDs at a Salvation Army store over the weekend. The software was mixed in with the music. I found several copies of Windows 95 and Windows NT 4.0, and numerous copies of Office 97, all marked at $3.

Windows 98 is probably more useful, which is probably why I didn’t find any copies of it. But NT4 is reasonably fast and stable (by Microsoft standards) as long as your hardware is supported.

Office 97, on the other hand, had all the major functionality of later versions but is a lot less CPU- and memory-intensive. Remember, when it came out, 133 MHz PCs were above average, and 32 MB of RAM was usually considered excessive.

Just make sure the disc is original, the right disc is in the case, and it includes the CD key. I found a number of odd things in Windows 95 CD cases–some more useful than Win95 and some a whole lot less. None of it would have mattered since they would have required a different CD key from the one on the jewel case.

And make sure that if you’re going to run this stuff and connect the computer to the Internet that you’re sitting behind a reasonably good firewall. A Linksys router or wireless access point is perfectly adequate for keeping connections from the outside off the machine. It can’t do anything about attacks the computer invites in itself, though: an unpatched browser or mail client on Windows 95 or NT4 will still fall to a hostile web page or e-mail attachment, so keep these machines to work that doesn’t involve browsing and mail where you can. Microsoft no longer provides security fixes for this old software, so you could be more susceptible to attacks than someone running the latest and worst.

I was definitely glad to stumble across a source of legal and useful commercial software. I know it’s just a matter of time before I’ll need it, and I’d much rather pay $3 for Office 97 than $300 for a newer version that didn’t really add anything useful besides ribbon toolbars, new Clippy animations, and a soundtrack by Robert Fripp.

Microsoft getting into the backup business?

I take issue with this Register story, which says Veritas has a better name in the storage arena than Microsoft.

Enron has a better name in the storage arena than Veritas. Ditto BALCO and FEMA and Michael Jackson and Martha Stewart.

So Microsoft wants to get into the backup business? Good. I gave three of the best years of my life to the shrink-wrapped stool sample that is Backup Exec. I believed, wrongly, that the Constitution protects sysadmins like me from that piece of software in the clause that mentions cruel and unusual punishment.

After that last job put me out with Thursday night’s garbage, one question I always asked on job interviews was what they used for tape backups. Had anyone said Backup Exec, I would have walked out of the room immediately.

Nobody did. That was good. There are still some smart people in the world. My confidence in humanity was somewhat restored.

Microsoft’s offering will no doubt have problems, but when batch files and Zip drives are more reliable than your competition, who cares? Backup software is one area that desperately needs some competition. Microsoft entering with its usual less-than-mediocre offering will force everyone else with their less-than-mediocre offerings to either improve or die, because Microsoft’s offering will be cheaper, and there will be people who will assume that Microsoft’s offering will work better with Windows because nobody knows Windows better than Microsoft. (In this case, that assumption might actually be true.)

What’s wrong with Backup Exec? Ask your friendly neighborhood Veritas sales rep what they’ve done about these issues:

If a Backup Exec job backing up to disk contains both disk and system state data and it’s the second job to run on a given night, it will fail just as certainly as the sun coming up the next morning. Unless they finally managed to fix that bug, but I doubt it. I sure reported it enough times.

Remote backups happening over second-tier switches (D-Link, Linksys, Netgear, and other brands you find in consumer electronics stores) usually fail. Not every time. But more than half the time.

Those are just the problems I remember clearly. There were others. I remember the Oracle agent liked to die a horrible death for weeks at a time. I’d do everything Veritas support told me to do and it’d make no difference. Eventually it’d right itself and inexplicably run fine for a few months.

Maybe competition will fix what support contracts wouldn’t. And if it doesn’t, maybe Backup Exec will die.

And if Backup Exec must die, I want to be part of that execution squad. Remember that scene in Office Space with the laser printer and the baseball bat?

I never thought I’d say this, but now I’m saying it.

Welcome, Microsoft.

Freesco still works as a router/firewall in a pinch

I set up a Freesco box over the weekend. It makes less sense now that router/switch/firewall combos from the likes of Linksys sell for $50 than it did when they sold for $200, but if you’re long on unused PCs and short on cash, it still works.

My old walkthrough no longer applies directly to the current version 33, but if you’re reasonably technically competent it should get you on your way. As far as what hardware to use, I had a Kingston 10 megabit (NE2000 clone) PCI card and a D-Link card based on a Realtek 8139 chipset. They worked fabulously. The 8139 is a workhorse; networking guru Donald Becker blasted it in print–it’s the only chipset I think he’s ever said anything bad about–but until you start routing between a 100-megabit network and a gigabit network you probably won’t notice, especially if you’re using a 200+ MHz machine as your router, which in these days of $30 Pentium II PCs, is likely.

All you need is a computer with 8 megs of RAM, two NICs, and a floppy drive. To make it easier on yourself, make sure it has PCI slots, use two PCI NICs, and 16 megs of RAM or more. Since 32-meg sticks are useless to most people these days, they’re cheap.

I suspect that if you have a pile of unused hardware that you’re looking to turn into a router, chances are decent you have a pile of network cards in that stash. Try a few different PCI cards. Life sometimes goes a bit easier if the two cards have different chipsets on them, but it’s not usually necessary to mix it up.

Give yourself a time limit. Mess around with it for an hour. If you get frustrated after an hour, go out and buy a Linksys or a D-Link or a Netgear. If you don’t have it working after an hour but you’re fascinated and you’re learning a lot, then keep plugging away at it. The knowledge you’re gaining is worth more than 50 bucks.

Things to look for in a wireless router

It’s the time of year that a lot of people buy computer equipment, and wireless networking is one of the things people look for. But what things should be on the shopping list?

I was hoping you’d ask that question. Compatibility with what you already have, if possible. Routers are available that speak 802.11a, 802.11b, and 802.11g, or all three. If you already have some wireless equipment, look for something that can speak its language.

Cordless phone interference. 2.4 GHz cordless phones will interfere with 802.11b and 802.11g. 802.11a works in the 5 GHz band, which a 2.4 GHz phone can’t touch (5.8 GHz phones have the same problem with 802.11a), but it might be cheaper to replace your 2.4 GHz phone with a 900 MHz phone.

Speed. 802.11a and 802.11g operate at 54 Mbps, which is considerably nicer than 802.11b’s 11 Mbps, although both are much faster than current U.S. broadband connections, which tend to top out around 3 Mbps. If you move a lot of files around, you’ll appreciate the 54 Mbps speed. If your primary use of wireless is sharing an Internet connection and a printer or two, 802.11b is probably fast enough, and it’s usually cheaper, with the downside that it will be obsolete sooner.

802.11g is currently the most popular standard, because it gives 54 Mbps speed and offers compatibility with existing 802.11b equipment. Use this information as you will. If you’re of the security by obscurity mindset, 802.11a is a better choice, as a wardriver is more likely to be driving around with an 802.11b or 802.11g card. That only narrows the audience, though; anyone with an 802.11a card sees your network just as well, so the encryption advice below applies whichever standard you pick. If you want to make sure your buddies can hook up when they come over, or you can hook up at your buddies’ places, 802.11g is the better choice.

Brand. Match the brands of router and cards, if at all possible. This makes configuration and security much simpler.

WPA. The encryption used by older standards is weak. WEP is broken regardless of key length: a patient eavesdropper who captures enough of your traffic can recover a 128-bit (or the nonstandard 256-bit) WEP key outright, so treat WEP as a fallback for equipment that can’t do WPA, not as protection. You still want to change the SSID and disable SSID broadcast, and hard-code your MAC addresses so that only your cards can use your router, but understand that both are speed bumps: the SSID and your cards’ MAC addresses travel over the air in the clear, so anyone with a sniffer can read them, and a MAC address takes one command to spoof. Those steps stop the neighbor who connects to whatever network shows up, not someone driving around your neighborhood with a laptop and using your Internet connection to send out spam or transfer illicit material that can be traced back to you. Do you want the RIAA suing you because someone used your Internet connection to download 400 gigs’ worth of boy-band MP3s off Kazaa? Worse yet, if that happens, word might get out that you like that stuff.

WPA adds another layer of protection on top of these (which are standard issue by now). Rather than one fixed key encrypting every packet, WPA derives fresh per-packet keys from a master key that is itself derived from your passphrase and SSID, so the statistical attacks that break WEP don’t apply. The weak point is the passphrase: anyone who records the handshake when a card joins can try passphrase guesses offline, as fast as their CPU allows, and a short or dictionary-word passphrase will fall to that. So get WPA (WPA2 with AES if your gear supports it), use it, and pick a long passphrase that isn’t a word, a name, or the router’s brand. This USRobotics whitepaper on security ought to be a must-read.

Built-in firewall with port forwarding. This is a standard feature on all brand-name units and ought to be on the off brands as well, but it doesn’t hurt to double check. Hardware firewalls are far superior to software firewalls–they don’t annoy you with popups and they can’t be disabled by a malicious process on the PC. One caveat: if the router supports UPnP, a program on the inside can ask it to open ports, which undoes part of that benefit, so turn UPnP off unless something you use needs it. Port forwarding is necessary for a lot of games, and also if you want to run your own mail or web server; forward only the ports the server actually listens on, since each forwarded port is a hole straight through the firewall.

Hackability. By this I don’t mean the ability of an outsider to get in, I mean your ability to add capability to it. The Linksys WRT54G is based on Linux, so it has a big following with an underground community adding capabilities to it all the time. If you want to take advantage of this, look for a WRT54G or another device with a similar following.
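The WPA item above says the passphrase is what an attacker goes after. Here is an added Python example, not code from the original post or from any vendor, that shows why: it derives the WPA master key and session key the way 802.11i does, records a handshake for a made-up network, and then recovers the passphrase offline from that recording with a short wordlist. The network name, MAC addresses, nonces and the simplified handshake frame are constructed for the demo; the PBKDF2 and PRF steps are the standard ones.

```python
"""WPA/WPA2-PSK: what the passphrase protects and how it is attacked (constructed example).

The master key (PMK) is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
The four-way handshake mixes the PMK with the two MAC addresses and two nonces
into a per-session key (PTK); its first 16 bytes (the KCK) authenticate the
handshake messages. Nothing on the air reveals the PMK, but every other input is
sent in the clear, so an eavesdropper can test passphrase guesses offline.
The "captured" handshake below is generated here from a chosen passphrase.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation: 4096 rounds of PBKDF2-HMAC-SHA1 salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, first 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key from the PMK plus the public parts of the handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_with_mic_zeroed: bytes, wpa2: bool = True) -> bytes:
    """Handshake MIC: HMAC-SHA1 (WPA2/AES) or HMAC-MD5 (original WPA/TKIP), truncated to 16 bytes."""
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_with_mic_zeroed, digest).digest()[:16]


@dataclass(frozen=True)
class Handshake:
    """Everything a sniffer collects when a client joins the network."""
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes      # handshake message 2 with its MIC field zeroed (simplified layout)
    mic: bytes        # the MIC the client actually sent


def record_handshake(passphrase: str, ssid: str = "linksys") -> Handshake:
    """Stand in for the access point and client; every value here is made up for the demo."""
    ap_mac = bytes.fromhex("00140bc0ffee")
    sta_mac = bytes.fromhex("000c41deadbe")
    anonce = hashlib.sha256(b"anonce-demo").digest()
    snonce = hashlib.sha256(b"snonce-demo").digest()
    eapol = bytes.fromhex("0103007502010a00") + b"\x00" * 16 + snonce + b"\x00" * 40
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, eapol_mic(kck, eapol))


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: one PBKDF2 + PRF + HMAC per guess, no radio needed."""
    for guess in wordlist:
        kck = derive_ptk(pmk_from_passphrase(guess, hs.ssid), hs.ap_mac, hs.sta_mac,
                         hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic):
            return guess
    return None


WORDLIST = ["password", "letmein", "trustno1", "linksys", "admin123"]

if __name__ == "__main__":
    print(crack(record_handshake("trustno1"), WORDLIST))              # found
    print(crack(record_handshake("Jt9#wq-Llama-Kettle-7"), WORDLIST))  # None
```

Each guess costs 4096 HMAC-SHA1 rounds, which is what keeps the attack from being instant; it is the only cost the attacker pays, so the defense is a passphrase that is not in any list, and a changed SSID so precomputed tables for common names like “linksys” are useless.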

Resolving an issue with slow Windows XP network printing

There is a little-known issue with Windows XP and network printing that does not seem to have been completely resolved. It’s a bit elusive and hard to track down. Here are my notes and suggestions, after chasing the problem for a couple of weeks.The symptoms are that printing occurs very slowly, if at all. Bringing up the properties for the printer likewise happens very slowly, if at all. An otherwise identical Windows 2000 system will not exhibit the same behavior.

The first idea that came into my head was disabling QoS in the network properties, just because that’s solved other odd problems for me. It didn’t help me but it might help you.

Hard-coding the speed of the NIC rather than using autonegotiate sometimes helps odd networking issues. Try 10 Mbps/half duplex first, since it’s the least common denominator.

Some people have claimed using PCL instead of PostScript, or vice versa, cleared up the issue. It didn’t help us. PCL is usually faster than PostScript since it’s a more compact language. Changing printer languages may or may not be an option for you anyway.

Some people say installing SP2 helps. Others say it makes the problem worse.

The only reliable answer I have found, which makes no sense to me whatsoever, is network equipment. People who are plugged in to switches don’t have this problem. People who are plugged into hubs often have this problem, but not always.

The first thing to try is plugging the user into a different hub port, if possible. Sometimes ports go bad, and XP seems to be more sensitive to a deteriorating port than previous versions of Windows.

In the environment where I have observed this problem, the XP users who are plugged into relatively new (less than 5 years old) Cisco 10/100 switches do not have this problem at all.

This observation makes me believe that Windows XP may also like aging consumer-grade switches (D-Link, Belkin, Linksys, and the like) a lot less than newer and/or professional-grade, uber-expensive switches from companies like Cisco. I have never tried Windows XP with old, inexpensive switches. I say this only because I have observed Veritas Backup Exec, which is very network intensive, break on a six-year-old D-Link switch but work fine on a Cisco.

I do not have the resources to conduct a truly scientific experiment, but these are my observations based on the behavior of about a dozen machines using two different 3Com 10-megabit hubs and about three different Cisco 10/100 switches.

When will we take security seriously?

Overheard today at work:
“Hackers don’t usually work during the day, or on weekends…”

I guess by that same logic, I could say that I ran file servers with all ports exposed on the public Internet for years and never got hacked (just don’t mention that those years started in 1996 and ended in 1998).

It’s sad that there are people who still don’t take security seriously. The attitude I heard 10 years ago–“What? Do they want to look at the GIFs and JPEGs on my hard drive? If they can get in, they can have ’em!”–pervades today. Nobody’s interested in your GIFs and JPEGs because you don’t have anything that hasn’t been posted on Usenet’s alt.binaries groups a dozen times, but they want your high-speed connection. It doesn’t matter anymore how insignificant you are. If your computer is online, they want it.

I’m quickly reaching the point where I believe it’s socially irresponsible to have anything faster than a 56K dialup connection and not have a hardware-based firewall sitting between you and the Internet. I bought a couple of the low-end Network Everywhere-brand (made by Linksys) 4-port cable/DSL routers a year ago. I paid $50 apiece for them. That’s what you’ll pay for a shrink-wrapped “Internet Security” software package, but it’s more effective and it doesn’t slow your computer down. Even a one-computer household should have one.

As far as antivirus software goes, Grisoft offers antivirus software free for home use. Yes, it slows your computer down. If you don’t like that, run Linux. Grisoft’s AVG is free, effective, and easy to use. And it stamps outgoing e-mail, assuring your friends that your mail has been scanned. That’s comforting in these days.

Hopefully the typical computer user will soon outgrow the teenage it-can’t-happen-to-me mindset.

But I won’t hold my breath. Since hackers only work on weekdays, problems can only happen when I’m at work and my home PC is off, right?

CompUSA’s $30 house-brand router looks like a rare bargain

I just built a network for a friend using CompUSA’s $30 cable/DSL router/4-port switch. I’m not sure if the price was a Memorial Day special, or if that’s the regular price. Considering you can’t get a Linksys or D-Link for under $50 without rebate hassles, and usually they cost closer to $80, that’s a nice deal.
The CompUSA unit looks bland and generic–it’s brown and boxy, from the same design school as the original Commodore 64–but that’s the only knock I have on it. Hide it behind your desk if its homely looks bother you. Installing it was literally a plug-in-and-go affair. Plug in the cable modem, plug in the computers, release the computers’ IP addresses and renew them (or reboot if you wish), and they’re all on the network.

If you want to get fancy, then open the manual. You can do port forwarding, set up a DMZ, and do everything else you’d expect from a consumer router. It even includes dynamic DNS support–something the more expensive units didn’t give you, the last I checked.

I can’t speak for the long-term reliability of the unit, since I literally spent 15 minutes with it. The price is good enough that to me, it’s worth a slight risk. In devices like this, it’s the wall wart that’s most likely to fail anyway.

So if you or a friend is looking to share your cable or DSL broadband connection and there’s a CompUSA nearby, it’s worth a look.