Can't print and use internet simultaneously
June 15, 2006 4:08 AM Subscribe
Network follies. Airport + wireless ethernet bridge + gigabit switch + printer + Mac + PC = any single network service works until I try to use another one.
An apartment and an office are in two separate buildings which are physically right next to one another. The apartment has DSL and an Airport base station.
The office has a wireless ethernet bridge (Moto WE800g) which receives the Airport signal and repeats it to the office via an ethernet cable. The signal tends to be around 30% which is not horrible by 802.11b standards.
In the office, there is a gigabit switch with the following things attached to it:
1. the ethernet cable from the wireless ethernet bridge
2. a Mac
3. a PC
4. a Laserjet
The printer has a manually-entered IP address (past experience has shown that DHCP is an iffy proposition with this ancient beast). The Mac and PC are assigned their IPs by the wireless ethernet bridge via DHCP but they always end up being more or less the same numbers (but if I manually assign them those same numbers, nothing works at all).
Any one network service can be induced to work, but it breaks all the others (i.e., you can print from the PC or the Mac, but you can't print from the PC and use the internet on the Mac at the same time; if you started printing first, the Mac's IP will reset itself to a self-assigned address). I have a spare hub that I'm not using at the moment and that's about the extent of my extra equipment I could bring to bear on this problem. Can I get everyone playing nicely together? Thank you in advance for any help!
An apartment and an office are in two separate buildings which are physically right next to one another. The apartment has DSL and an Airport base station.
The office has a wireless ethernet bridge (Moto WE800g) which receives the Airport signal and repeats it to the office via an ethernet cable. The signal tends to be around 30% which is not horrible by 802.11b standards.
In the office, there is a gigabit switch with the following things attached to it:
1. the ethernet cable from the wireless ethernet bridge
2. a Mac
3. a PC
4. a Laserjet
The printer has a manually-entered IP address (past experience has shown that DHCP is an iffy proposition with this ancient beast). The Mac and PC are assigned their IPs by the wireless ethernet bridge via DHCP but they always end up being more or less the same numbers (but if I manually assign them those same numbers, nothing works at all).
Any one network service can be induced to work, but it breaks all the others (i.e., you can print from the PC or the Mac, but you can't print from the PC and use the internet on the Mac at the same time; if you started printing first, the Mac's IP will reset itself to a self-assigned address). I have a spare hub that I'm not using at the moment and that's about the extent of my extra equipment I could bring to bear on this problem. Can I get everyone playing nicely together? Thank you in advance for any help!
This is going to sound a little harsh, but I'm trying to save you grief here: the first thing you need to do is take that wireless gear and throw it away. 801.11b is obsolete and insecure. You can be broken into in minutes by anyone with reasonable line of sight to you... from a mile or more away, if they have a good antenna. You MUST use WPA these days if you want any kind of security at all, and WPA2 with AES encryption is much better. 802.11b doesn't do WPA in any form, so you'll have to upgrade to 11g.
If you really like Apple's hardware, you could use an Airport Extreme and an Airport Express. You might even be able to do it with two Expresses.
That said, your problem sounds like it's related to that bridge. Wireless bridging in general is a pain and hard to get right. Motorola is not known for quality network gear. If I had to bet my own money, that's what I'd bet on.
There should be no difference between manually assigning IPs and getting them through DHCP. It may be only allowing clients through that it gave an IP address to. Or it could be doing firewalling or NAT when you don't want it to.
The fact that it's assigning IP addresses in the first place is a strong sign of misconfiguration. Bridges do not normally do that. I don't think your bridge is bridging, I think it's NATting, and it sounds like it's doing so very, very poorly. (typical Motorola.)
I strongly think you'd be better off just replacing both pieces with something good. With an Airport Extreme and an Airport Express, you should be up and running in, oh, 45 minutes or so. You'll have to configure both of them for bridging, and enter each one's MAC address into the other unit, but once you've done that, it should basically be cake.
If you absolutely can't afford both, replacing your Motorola bridge with an Airport Express would probably work. You would configure it to use your Airport base station as its 'outbound' link, and do NAT from the inside wire. This would separate your office and home networks (so you couldn't easily connect from the apartment into the office), and would give your office machines some protection. Unfortunately, this would do nothing to help your outbound wireless, and would leave it, and the machines in your home network, vulnerable to hijack.
posted by Malor at 6:14 AM on June 15, 2006
If you really like Apple's hardware, you could use an Airport Extreme and an Airport Express. You might even be able to do it with two Expresses.
That said, your problem sounds like it's related to that bridge. Wireless bridging in general is a pain and hard to get right. Motorola is not known for quality network gear. If I had to bet my own money, that's what I'd bet on.
There should be no difference between manually assigning IPs and getting them through DHCP. It may be only allowing clients through that it gave an IP address to. Or it could be doing firewalling or NAT when you don't want it to.
The fact that it's assigning IP addresses in the first place is a strong sign of misconfiguration. Bridges do not normally do that. I don't think your bridge is bridging, I think it's NATting, and it sounds like it's doing so very, very poorly. (typical Motorola.)
I strongly think you'd be better off just replacing both pieces with something good. With an Airport Extreme and an Airport Express, you should be up and running in, oh, 45 minutes or so. You'll have to configure both of them for bridging, and enter each one's MAC address into the other unit, but once you've done that, it should basically be cake.
If you absolutely can't afford both, replacing your Motorola bridge with an Airport Express would probably work. You would configure it to use your Airport base station as its 'outbound' link, and do NAT from the inside wire. This would separate your office and home networks (so you couldn't easily connect from the apartment into the office), and would give your office machines some protection. Unfortunately, this would do nothing to help your outbound wireless, and would leave it, and the machines in your home network, vulnerable to hijack.
posted by Malor at 6:14 AM on June 15, 2006
In the first paragraph, I should have said '802.11b's WEP encryption is obsolete and insecure'. The protocol itself works fine, it's just that the encryption is no good.
posted by Malor at 6:15 AM on June 15, 2006
posted by Malor at 6:15 AM on June 15, 2006
Response by poster: Thanks! Good advice, not too harsh, and yes the bridge is NATing.
There is one advantage to 802.11b in this situation; it has a longer range, so a protocol change will likely result in a further investment in range improvement. This isn't the right time for me to replace a lot of equipment (the Airport Express can't work as a bridge with an 802.11b Airport base station, that function only works with Airport Extreme) so I was also hoping to hear some suggestions about more fault-tolerant configuration approaches if anyone's got 'em.
I agree with you as far as 128-bit WEP goes, but I think your confidence in WPA is unwarranted (it's like a screen door versus a plywood door, except that in both cases, there isn't anything that tempting to script kiddies behind the door). Without going into the details, I think it would be highly improbable that my network would be the top on any wardriver's list around here.
I think a piece of the puzzle is that it doesn't work to manually enter IP addresses on the computers; that isn't really normal, is it? Also, given this setup, how could the WE800g interfere with the ability of the PCs to connect to the printer or vice versa?
posted by Your Time Machine Sucks at 7:26 AM on June 15, 2006
There is one advantage to 802.11b in this situation; it has a longer range, so a protocol change will likely result in a further investment in range improvement. This isn't the right time for me to replace a lot of equipment (the Airport Express can't work as a bridge with an 802.11b Airport base station, that function only works with Airport Extreme) so I was also hoping to hear some suggestions about more fault-tolerant configuration approaches if anyone's got 'em.
I agree with you as far as 128-bit WEP goes, but I think your confidence in WPA is unwarranted (it's like a screen door versus a plywood door, except that in both cases, there isn't anything that tempting to script kiddies behind the door). Without going into the details, I think it would be highly improbable that my network would be the top on any wardriver's list around here.
I think a piece of the puzzle is that it doesn't work to manually enter IP addresses on the computers; that isn't really normal, is it? Also, given this setup, how could the WE800g interfere with the ability of the PCs to connect to the printer or vice versa?
posted by Your Time Machine Sucks at 7:26 AM on June 15, 2006
Well, I'm thinking maybe it supports only one device at a time. If the PC does a DNS lookup, that sets up a NAT entry on the router, and then it doesn't know how to handle the Mac. You say the Mac reverts to default IP space if you run the PC, so perhaps the Motorola is explicitly sending a DHCP revocation. (I'm pretty sure those exist, although ... god, that would be weird.)
If you can set it into pure bridge mode, where it's REALLY being a bridge instead of a wireless client + NAT, you'd probably have better luck. Let the Airport be your DHCP server via the bridge.
I don't what your geography is like, but I wouldn't place bets on where wardrivers would go or what they would do. They can potentially see your network from A LONG way away. As soon as you become the easiest target within scan range, you're toast. At the moment, you are a VERY easy target.
WPA2 is pretty good, as it uses AES. It may have errors in the implementation, but between the hourly key rotation and the difficultiy of cracking AES, it's likely pretty solid. Metaphorically speaking, it's not a bank vault, but it's probably a solid metal door. It'd probably be easier to just break into your house than to break into your wireless.
As you say, the Airport Express likely won't function as a true bridge with the Airport, but it SHOULD function as a client doing NAT, as I described above. Bridging is repeating the signal to increase range, and often requires support by all APs involved. (not always). Being a client, though, means the AE just looks like a laptop or something to your base station. It should work with any AP, anywhere.
Basically, it would do what the Motorola is doing, except correctly. :-)
Apple's good about returns, too, so if you have an Apple store nearby..... if this doesn't work, you're just out some time.
posted by Malor at 8:25 AM on June 15, 2006
If you can set it into pure bridge mode, where it's REALLY being a bridge instead of a wireless client + NAT, you'd probably have better luck. Let the Airport be your DHCP server via the bridge.
I don't what your geography is like, but I wouldn't place bets on where wardrivers would go or what they would do. They can potentially see your network from A LONG way away. As soon as you become the easiest target within scan range, you're toast. At the moment, you are a VERY easy target.
WPA2 is pretty good, as it uses AES. It may have errors in the implementation, but between the hourly key rotation and the difficultiy of cracking AES, it's likely pretty solid. Metaphorically speaking, it's not a bank vault, but it's probably a solid metal door. It'd probably be easier to just break into your house than to break into your wireless.
As you say, the Airport Express likely won't function as a true bridge with the Airport, but it SHOULD function as a client doing NAT, as I described above. Bridging is repeating the signal to increase range, and often requires support by all APs involved. (not always). Being a client, though, means the AE just looks like a laptop or something to your base station. It should work with any AP, anywhere.
Basically, it would do what the Motorola is doing, except correctly. :-)
Apple's good about returns, too, so if you have an Apple store nearby..... if this doesn't work, you're just out some time.
posted by Malor at 8:25 AM on June 15, 2006
Hmm. I don't believe that the Moto WE800g does DHCP or NAT. If it did it would be a router. The bridge just passes signals from the AirPort. The AirPort is the one doing DHCP and NAT. Can you report the current IP, subnet and gateway for the workstations and the printer?
posted by banshee at 8:30 AM on June 15, 2006
posted by banshee at 8:30 AM on June 15, 2006
Response by poster: Hi Malor; we'll have to agree to disagree about the nature of the threat, but I appreciate your concern. Unfortunately, the Airport Express doesn't do NAT in client mode, it just serves a printer or music.
I don't think that the bridge is doing any revoking, since that outcome isn't unique to the use of the bridge.
banshee, the computers report the Airport's IP as the gateway when they have successfully gotten an IP by DHCP. So, I think you're right. The subnet is 255.255.255.0 and the IPs are all in the 10.0.xx.xx range when all is good, but when the IP is self-assigned, it's always 255.255.0.0 subnet mask.
posted by Your Time Machine Sucks at 9:01 AM on June 15, 2006
I don't think that the bridge is doing any revoking, since that outcome isn't unique to the use of the bridge.
banshee, the computers report the Airport's IP as the gateway when they have successfully gotten an IP by DHCP. So, I think you're right. The subnet is 255.255.255.0 and the IPs are all in the 10.0.xx.xx range when all is good, but when the IP is self-assigned, it's always 255.255.0.0 subnet mask.
posted by Your Time Machine Sucks at 9:01 AM on June 15, 2006
Give all your clients static IPs in the 10.0.x.y range (NB makes sure x is the same for all of them) and 255.255.255.0 subnet mask. That should fix some of your problems.
posted by cillit bang at 9:07 AM on June 15, 2006
posted by cillit bang at 9:07 AM on June 15, 2006
Response by poster: cillit bang: when I give them static IPs and enter the subnet mask manually, they cannot see the internet at all. It's weird.
posted by Your Time Machine Sucks at 10:14 AM on June 15, 2006
posted by Your Time Machine Sucks at 10:14 AM on June 15, 2006
You need to put the router in as well (usually 10.0.x.1) and possibly put the same number in the DNS server field.
posted by cillit bang at 10:16 AM on June 15, 2006
posted by cillit bang at 10:16 AM on June 15, 2006
a protocol change will likely result in a further investment in range improvement
If you're using built-in antennas on your routers now, the price of range improvement is about $20 for an external 7dbi omni antenna.
posted by kindall at 10:50 AM on June 15, 2006
If you're using built-in antennas on your routers now, the price of range improvement is about $20 for an external 7dbi omni antenna.
posted by kindall at 10:50 AM on June 15, 2006
You may want to use your ISP's DNS IPs for your DNS server settings.
posted by banshee at 10:55 AM on June 15, 2006
posted by banshee at 10:55 AM on June 15, 2006
That 802.11b doesn't support WPA is a misconception. WPA was implemented on 802.11g/a hardware first but many vendors have rolled back support of WPA in to their legacy 802.11b gear.
WPA was designed specifically to be backwards compatible with older hardware that ran WEP, it addresses many of the shortcomings of the original WEP standard/implementation.
More than likely what is going on is one of your devices does not have an MAC table capable of holding the necessary mac addresses for all the devices. Based on the description it's probably the bridge. Because it can't know about multiple devices at the same time when you use one it ignores the mac for the others. That's my guess
WPA vs WPA2, it's a toss up which you use, you'll be fine with either assuming you have a sufficiently large pass phrase and change it quarterly. WPA uses TKIP, WPA2 uses AES, both are sufficiently secure for just about any implementation. If you're REALLY concerned and have the resources skip pre shared keys and deploy a certificate based infrastructure and couple it with PEAP.
Some vendors implement very large WEP keys sizes, but due to poor implementations many can be reduced to 40bit regardless of the size you specify.
posted by iamabot at 10:56 AM on June 15, 2006
WPA was designed specifically to be backwards compatible with older hardware that ran WEP, it addresses many of the shortcomings of the original WEP standard/implementation.
More than likely what is going on is one of your devices does not have an MAC table capable of holding the necessary mac addresses for all the devices. Based on the description it's probably the bridge. Because it can't know about multiple devices at the same time when you use one it ignores the mac for the others. That's my guess
WPA vs WPA2, it's a toss up which you use, you'll be fine with either assuming you have a sufficiently large pass phrase and change it quarterly. WPA uses TKIP, WPA2 uses AES, both are sufficiently secure for just about any implementation. If you're REALLY concerned and have the resources skip pre shared keys and deploy a certificate based infrastructure and couple it with PEAP.
Some vendors implement very large WEP keys sizes, but due to poor implementations many can be reduced to 40bit regardless of the size you specify.
posted by iamabot at 10:56 AM on June 15, 2006
This thread is closed to new comments.
posted by Your Time Machine Sucks at 4:23 AM on June 15, 2006