diffrentcolours: Wireless Networking: Sanity Check

Carefully, Correctly Wrong (

diffrentcolours) wrote,
@ 2005-08-27 12:39:00

Current mood:	geeky
Current music:	Uninvited Guest - "Beautiful Orchid"
Entry tags:	geek, old skool daze

Wireless Networking: Sanity Check

Further to my initial ponderings and after much research (particularly from the Linux Wireless LAN HOWTO and Freenode #wireless FAQ), I think I've got this wireless networking cracked, but I'd like to just run it past people for a last-minute sanity check.

The Problem

The primary problem is that there are two properties on the Bristol Road in Birmingham that we wish to connect via 802.11b wireless. They're both shops owned by my sister, they're about 220m apart, and they almost, but not quite, have LOS. The first property is Old Skool Daze, a ticket outlet and record shop. The second is Zen, which is full of hippy crap. The Bristol Road that runs between them has many nice, radio-reflective buildings so I'm expecting that there will be many indirect paths between the two shops, some stronger than others. Getting these two shops linked is a priority.

Old Skool Daze already has a wireless network - it's an old butcher's shop and drilling cables through the thick concrete floor between the lower and upper floors was problematic. It's all running on Windows 2000, with the cards in ad-hoc mode (I don't think the Windows drivers support running as an access point), and using IPSec for security, since that and WEP were the only options at the time of installation. It's a bit flakey, particularly between floors, but I've not been able to work out why - I'd suspect interference or just a lack of vertical signal strength in the built-in omnis, but sometimes Windows filesharing won't work but pinging across the link does (and reliably so), so I think there's some weirdness involving a combination of IPSec, the wifi drivers and SMB. Finding a robust solution to this is also important.

The Solution

At the radio signal level, I know that the Old Skool Daze shop building itself blocks a lot of signal - kneeshooter has tested this. So my plan is to mount an external aerial with good gain on the front of the shop, such as the RF Technics 9dBi Omni-Directional from MS (Distribution) UK, providers of weird and wonderful wifi whackiness. The use of an omnidirectional will hopefully kill two birds with one stone; as martling points out, using a directional antenna with no direct line-of-sight is probably a bad idea, and hopefully having a higher-gain antenna in the vicinity of the shop (all the Old Skool Daze desktops will be within 10m of this aerial) will solve any signal problems. Another option would be to have a smaller omni inside Old Skool Daze for the machines there, and a sector antenna for the link to Zen, but this would be more expensive and complicated. I'd welcome opinions on the options here. I am assuming that the building frame of Zen will also block wifi signals much as the one at Old Skool Daze does, hence mounting a second omni or sector aerial outside that shop.

At the wireless protocol level, I'm looking at switching from the ad-hoc network to one revolving around an access point, running off a Linux server at Old Skool Daze wired to the external aerial. I have a handy Prism2.5-based card for this with an external RF connector, which I'm currently testing with hostap right now. I believe that this will give extra stability, particularly since the clients have no need to talk to each other other than through the access point anyway - the AP will also be the Internet gateway and the fileserver for the shop.

At the IP level, I'm thinking of doing away with IPSec, and using VPN instead. I can set up the Linux box as a VPN server, using OpenVPN, and have the Windows clients tunnel all their traffic through the VPN to avoid leakage. This will make the system more simple, since I'm planning on implementing OpenVPN anyway to allow people to connect to the shop from their home connections for remote working. This would also mean that we could offer public wifi access to non-VPN-authenticated clients, which would be nice. Another option would be to use WPA or WPA2, but that would involve replacing the cards - the Actiontec 802.11b cards we're using don't support WPA at the driver level (though ironically the Free drivers under Linux make this perfectly possible).

So basically that's it - I need to look up the cards we're using and find out the decibel or watt strength of the transmitters, and sensitivity of the receivers, and do some calculations to work out whether this is feasible, and what gain I need on the antennas, but as far as I can tell, this is a sane plan. Hence the request for a sanity check - any thoughts? Anything I'm blatantly missing? Anything I can do to test things before I start spending money?

Update: Calculations

The card I'm planning on using in the access point at Old Skool Daze is a Prism-based Linksys WMP11. According to this chart of Prism2-based card specs, it has a transmit power of 16dBm. I'm planning on using aerials with 9dBi gain at each end. The reflective path between the shops is, at an overestimate, roughly 250 metres, giving a free space loss of 88dB. I'm going above martling's estimates and assuming 15dB loss for the reflection. There's another 3dB (estimated) loss in the cables between the machines and the aerials.

Putting this all together gives a received signal strength of 16 + 9 + 9 - 88 - 15 - 3 = -72dB. This means that I'm looking for a card with a receive sensitivity of -82dB, which according to this chart of Receive Sensitivities shouldn't be too hard to obtain. Sadly, I don't have any figures for the receive sensitivity of the WMP11 to do the calculation in reverse.

Update: I think this setup might be illegal - many things I've read suggest that the power of the transmitter plus the gain of the transmitting aerial (in my case 24dB, taking into account the local cable loss) needs to be less than 20dB to avoid violating the regulations. I don't think I could get away with significantly less gain on the transmitting aerial.

Other Links: Discussion on the manchesterwireless mailing list, the conclusion.

(Post a new comment)

evath
2005-08-27 02:40 pm UTC (link)

Firstly don't bother with WPA or WPA2 I don't trust WPA at all and don't expect WPA2 to remain flawless for very long. Hence just use openVPN or pptpd since they are easily upgradable as you suggest

As for the whole decibel/impedance/load thing remember this is complex RF stuff be careful, if you antenna does not match the correct impedance for the transmitter you going to get shafted with reflections inside the wire etc. Not to be patronising but also remember decibel is a log scale over ten and relative to something. DBi I assume is an absolute scale setting 0 to something useful. Gain of antennas is not a magical zero power in amplifier. Also I think to say direction with LOS is a bad idea seems wrong to me the passing through walls is better than a large number of reflections reaching a single antenna at different times. Reflections arriving at different times can equal high singal strength with no signal qualitly, giving you the ability to transmit and receive at low signal rates. Also there is no reason why you cannot reflect a direction antenna the same way as you do with a omni, just only using one path, stopping the multiple times of arrival problems. Also with a directional you are geting all the signal strength in one arc rather then 2-pi steradians or what the unit is for every direction. This will why even a crummy cantenna works well, even when they are crapply made.

One thing I will admit is I have not read up on this but I would not trust wikipedia type sites for this sort of thing, RF tech is full of urban legends and crap, however if you have read a site you trust that disagrees with me don't give my arguments too much weight, it's only picked up knowledge from a working environment where I have to check RF cables don't have any issue with impedance, suck-out blah blah. If you want the lowest losses possible make sure you use cables for 2.4Ghz, not DC or any any other frequency. It will work with the wrong cables but you will get crap performance in comparison.

If you want good facts I do work with the right people to pass this onto.

(Reply to this) (Thread)

example

evath
2005-08-27 02:54 pm UTC (link)

I thought of an example you should be aware of.

If we have a piece of kit and with an antenna on and we wish to put a cable between so that we can put the antenna further away we must know the impedance of the antenna at the frequency we are using it, therefore if we have an impedance of 50 Ohms (note effectively impedance is resistance at anything but DC and varies with frequency) at 2.4Ghz, then we must use a cable with an impedance of 50 Ohms at 2.4Ghz otherwise when the signal tries to leave the cable it will partially reflect off the antenna (e.g. light reflecting off glass exactly the same concept if light is treated as a wave). If we then decide to change the antenna from a whip antenna to a dipole antenna we will change the impedance of the antenna since the box is expecting a load of 50 Ohms we can't just match the cable since we will just get a reflections at the connector from the box into cable so we must load the anntenna up to 50 Ohms (or find another method) so again the impedance is the same all along . And this is all dependant on not chaning from 2.4Ghz. Even with is setup like this each connector will give an X db loss.

Now the company you want buy off note the difference in between 2.4Ghz and 5.xGhz are probably aware they will need to sell the right stuff to people who don't understand, but this was just an example of what can go wrong an may not even apply to you.

(Reply to this) (Parent)(Thread)

	Re: example diffrentcolours 2005-08-28 06:38 pm UTC (link)
	OK, so basically I need to match the impedance of the card, the cable and the aerial? Thanks for that, it's been bloody ages since I did this AC stuff. (Reply to this) (Parent)

	Re: example diffrentcolours 2005-08-28 09:06 pm UTC (link)
	BTW is there any way to measure the impedance of the card I'm using? (Reply to this) (Parent)(Thread)

	Re: example evath 2005-08-29 04:02 pm UTC (link)
	Go to an RF engineer with a network analyser (they about 22K a pop so you can't get one yourself) or find someone who can tell you a wet finger estimate. The closer you are the better. Btw are you intending at any point to make your own cables? (Reply to this) (Parent)(Thread)

	Re: example diffrentcolours 2005-08-30 12:35 pm UTC (link)
	Google suggests that the impedence is 50ohm, which is good. It seems to be standard for wireless kit. I'm not planning on making my own cables, no. The cables on the msdist site seem to be pretty reasonably priced, for the sake of having a professional job. (Reply to this) (Parent)(Thread)

	Re: example evath 2005-08-30 05:14 pm UTC (link)
	Far to easy to botch up worth paying for trust worth ones. (Reply to this) (Parent)

	bobtfish 2005-08-27 07:45 pm UTC (link)
	pptp bad, mkay? Kids, don't use pptp! (Reply to this) (Parent)

	gothgems 2005-08-28 11:03 am UTC (link)
	What's the problem with WPA? The only vulnerabilities I'm aware of are based on dictionary attacks against weak pre-shared passphrases. If you're using WPA with EAP-TLS you've got a pretty secure system. EAP-TLS support is out of the box with Windows 2000. (Reply to this) (Parent)(Thread)

diffrentcolours
2005-08-28 11:23 am UTC (link)

As I understand it, basic WPA is identical to WEP, just using a 128 bit RC4 stream instead of a 64 bit, so it's significantly harder to crack, but suffers from the same algorithmic weakness. As processing power increases, the time taken to break WPA will reduce down to realistic levels. WPA2 uses AES instead of RC4, which doesn't have any (known) algorithmic weakness.

IPSec is also out of the box with Windows 2000, but I don't trust that either. Using something like OpenVPN seems to be the simplest solution.

(Reply to this) (Parent)

evath
2005-08-29 03:50 pm UTC (link)

I may be wrong but I am sure that I have seen an attack that cracks the pass phrase using several gigs (alot more than WEP needs at any rate) of encrypted data, But I haven't gone to check, also not all cards drivers allow you to do it trouble free, even if they should

I just think it solves you a lot of trouble to use a software based encryption like openvpn below and assume that the default encryption are not as good. At the end of the day keeping up with hardware linked encryption which WPA etc.. end up as being even it it doesn't need to be will lead to hassle in the future.

(Reply to this) (Parent)

diffrentcolours
2005-08-28 06:41 pm UTC (link)

From what I read, the multiple path / signal strength / delay thing isn't too much of a problem unless you have a *really* cluttered environment - usually, the electronics in the cards will sort it all out. Since this is basically a road with lines of shops on either side, I don't think it'll be too much problem.

I could use directional aerials and line up a reflective shot off a building, but this would require careful calibration, I'm not 100% sure that there's a building at a suitable angle in a suitable place and it'll be very hard to check, and it's more easily interrupted by things like buses.

(Reply to this) (Parent)(Thread)

	evath 2005-08-29 04:00 pm UTC (link)
	I think the bus comment is most appropriate, you will lose some signal quality from reflections even if the box can cope performance will be degraded, however I agree a directional antenna will lack redundancy. (Reply to this) (Parent)

thespirit3
2005-08-27 03:49 pm UTC (link)

Most coax at 2.4 Ghz is hugely lossy, so keep the RF cables as short as possible. Check the loss at 2.4 Ghz, and bear in mind every 3dB loss is a drop of 50% power. At 6dB loss, only 25% of your power is even making it to the antenna. So, short coax runs; move the access point / linux box closer to the antenna.

Also, I'd suggest you do try a directional antenna. Problem is, the higher the gain, the more directional they will become. If the path between sites isn't clearly line of site, this isn't necessarily a reason *not* to use a directional beam. Using an omni would effectively be wasting a *lot* of energy. As you say, there may be many paths due to reflections etc - if you have two directional beams then you may be able to make advantage of these reflections (assuming reflections produced by buildings etc). Also, bear in mind rain will greatly attenuate the signal.

Also, another thing of note - make sure you don't exceed the power limitations imposed by the 802.11b standard.

There's probably more I've not though of but ... good luck!

(Reply to this) (Thread)

thespirit3
2005-08-27 03:51 pm UTC (link)

Oh - I forgot to mention - we have wireless links all across Bristol. These are done using old Astra satellite dishes. The dishes are apparently exactly the right dimensions - it was the satellite LNB's that downconverted to frequency usable by the set top boxes. An old satellite dish will probably give you more gain than an expensive yagi. Satellite dish each end, and you'll probably be laughing. But again, keep an eye on effective radiated power - to comply with regulations.

(Reply to this) (Parent)

	RF cable loss diffrentcolours 2005-08-28 02:23 pm UTC (link)
	(answering in bits while I sort through different parts) I'm planning on having a cable run of about 5 metres from the access point to the antenna. I could possibly make this shorter, but LMR400 cable for example would only experience a 1dB drop on this run. But thanks for pointing out something I hadn't thought of. (Reply to this) (Parent)(Thread)

	Re: RF cable loss thespirit3 2005-08-28 04:48 pm UTC (link)
	Ahhh ... 5 metres should be fine. I've seen people try to use much longer runs, and then wonder where their signal has disappeared. There's a website - bristolwireless.net? Search on google - you'll find it. That's the Bristol lot - and a lot of experience/pictures/info/links can be found on their webby. (Reply to this) (Parent)

Directional aerials

diffrentcolours
2005-08-28 06:35 pm UTC (link)

Am I misunderstanding the way that gain works on an aerial? Is a 9dB omnidirectional aerial less powerful in terms of range than a 9dB directional aerial?

The 9dB aerials I've been looking at are 50 quid from msdist; looking at their sector antennas there's nothing in a comparable price range - either 7dB for 35 quid, or 13.5dB for 100 quid, which is more than I'm hoping to spend.

The trouble with using a directional aerial is partly that it requires very careful alignment, and also that it's easily interrupted by, say, a passing bus. Using a non-directional (either sector or omni) aerial should mean multiple paths and the electronics should take care of finding the best one to use.

(Reply to this) (Parent)(Thread)

	Re: Directional aerials evath 2005-08-29 03:54 pm UTC (link)
	I've gone look for the answer to this for an antenna to have a gain it must be directional to some extend. Omni's with gain normally don't see up or down apparently. If you want the correct answers talk cjholding since it is his job to make antennas (Reply to this) (Parent)(Thread)

	Re: Directional aerials diffrentcolours 2005-08-30 10:50 am UTC (link)
	Ah yeah, that makes sense, I was aware that omnis had little in the way of vertical sensitivity. (Reply to this) (Parent)(Thread)

	Re: Directional aerials evath 2005-08-30 05:16 pm UTC (link)
	Have you considered a directional antenna in the form of a Sector antenna? giving you some directionality As to the db update, the legal limit AFAIK is not in db but in another unit something like Equivalent Isotropic Power or something. So you may still be within that however your twenty dB might end up being equal. (Reply to this) (Parent)(Thread)

	Re: Directional aerials (Anonymous) 2005-08-31 07:26 am UTC (link)
	it is 20dbm it seems; at 0.1Watt well that what was just shouted at me from the RF lab (Reply to this) (Parent)(Thread)

	Re: Directional aerials evath 2005-08-31 07:45 am UTC (link)
	opps I've made a mistake there can't work it out right now, but 20dbm is an abosulte scale using 1dbm to be equal to 1 miliwatt. So 20dbm is 0.1watt EIRP? (Reply to this) (Parent)

	Power Limitations diffrentcolours 2005-08-28 08:56 pm UTC (link)
	How do I calculate effective radiated power to make sure I'm not breaking the law? I don't want to get busted for my wifi! (Reply to this) (Parent)

martling
2005-08-27 07:15 pm UTC (link)

You sound like you're on the right track, but note that you're missing a key variable for a link budget calculation - you don't know what the signal path loss between shops is, and you can't really estimate it from free space air loss since it's not LOS. Unless you can borrow some equipment to run a temporary link and measure it, you'll just have to take a guess. It'll come to the free space loss along a reflected pass, plus a big attenuation at the point of reflection; the value will depend on the characteristics of the building. It might be worth trying some experiments with a couple of laptops to give an estimate.

(Reply to this) (Thread)

	martling 2005-08-27 07:20 pm UTC (link)
	s/reflected pass/reflected path/ Incidentally, if you need to take a wild guess, I'd reckon you might be looking at around minus 9-12 dB for the reflection. Maybe more but unlikely to be much less. (Reply to this) (Parent)(Thread)

	thespirit3 2005-08-28 05:03 pm UTC (link)
	If you know of some local amateur radio types - they have access to this band and aren't restricted to milliwatts, they'd probably also jump at the chance to get involved and do some testing for you. Radio comms on both sites would make testing/setting up all the more interesting too... ;) (Reply to this) (Parent)(Thread)

	diffrentcolours 2005-08-28 06:00 pm UTC (link)
	I don't really know any local amateur radio types; as previously mentioned, I asked on the Consume mailing list for Birmingham-based wifi types, and didn't really get any response. It's a shame, I'd really like to test this out before forking out for kit. (Reply to this) (Parent)(Thread)

	thespirit3 2005-08-28 06:14 pm UTC (link)
	http://www.bristolwireless.net/wiki/ is your friend. They're very committed amateur radio (and 802.11b) types and would probably offer some good (and enthusiastic!) advice, and if offered beer - might even get involved with some testing. Tell them Steve M0SPN (0=zero) suggested you contact them - that way you're more likely to get a response. (Reply to this) (Parent)

gothgems
2005-08-28 11:07 am UTC (link)

I did something similar a couple of years back where we needed to offer public and secure wireless LANs. In the end I did it with 802.1x (EAP-TLS) with Windows 2000 user and computer certificates to secure the private LAN. The public LAN was running on the same access points but segregated using VLANs. If your access points support it this might be the best way to go - you don't have to expose your VPN endpoints on the public network.

(Reply to this) (Thread)

	diffrentcolours 2005-08-28 11:20 am UTC (link)
	This must be some different definition of VLAN to the one I'm used to, which works by assigning different ports on a switch to different VLANs. Do you mean using a different SSID for the networks? (Reply to this) (Parent)(Thread)

	gothgems 2005-08-28 01:00 pm UTC (link)
	Yeah, you assign a different SSID then use 802.1q tagging to segregate the data. You need the switch to support it too, of course. (Reply to this) (Parent)(Thread)

	diffrentcolours 2005-08-28 06:03 pm UTC (link)
	I'm not sure how that counts as not exposing VPN endpoints - surely any attacker can just sniff out the SSID? Or are you relying on people being nice? (Reply to this) (Parent)(Thread)

Oops! I've exposed my endpoints!
(Anonymous)
2005-08-30 01:28 pm UTC (link)

The VPN endpoint is on the private LAN advertised with the private SSID, which is protected by 802.1x. Users of the public SSID (on the same access points) can't get access to the private LAN - even if they sniff out the private SSID, they won't be able to associate because they have no valid credentials.

Thus, the VPN endpoint is fully protected... at least until someone discovers a vulnerability in the implementations of 802.1x or 802.1q!

(Reply to this) (Parent)

gothgems
2005-08-28 12:58 pm UTC (link)

Yes the algorithm is the same as WEP, but the key is renegotiated every session or more frequently, if you prefer (we had it renegotiate every 60 seconds with no impact on performance).

Using EAP-TLS as your authentication protocol you've got your enterprise PKI protecting the session key negotiation rather than using a potentially weak pre-shared key.

Microsoft lets you use both user and computer certificates - e.g. an unauthorised user will not be able to access the WLAN even if he uses an authorised machine.

There's also TKIP in WPA which means it's a lot harder to sniff out weak packets or inject valid packets to generate more traffic for your cracker to break.

It's still susceptible to denial of service, as any wireless LAN is, but you've got relatively good integrity and confidentiality. Ultimately it depends on the sensitivity or value of the data.

On a related note, is there any particular reason why you don't trust the Windows 2000 implementation of IPSec or is it just the Microsoft label?

(Reply to this) (Thread)

diffrentcolours
2005-08-28 01:12 pm UTC (link)

The main reason I don't trust the Windows 2000 implementation of IPSec is that I've been using it for years and it's prone to random failure. I've had situations where the signal strength for the wireless network is good, where ICMP has been working fine, but SMB has totally failed with no meaningful diagnostic.

OpenVPN can also use certificates for client authentication, which is what I was planning on using. Having user and computer certificates is overkill for our needs, as is IPSec - but given the choice between that and WEP, it was the only option at installation time.

(Reply to this) (Parent)(Thread)

thespirit3
2005-08-28 05:00 pm UTC (link)

Plus what's the point on wasting hardware on a Win2K box, when an outdated but perfectly usable 486 (or possibly pentium) could easily handle the traffic they'd be throwing at it? Pay for hardware good enough to run an inefficient gui, pay for a legit Win2K license (this is a business afterall), and ... very soon you see why Linux is gaining huge ground in these sort of situations. Not to mention ease of remote admit.

I don't disagree that Win2K has it's place - but, seems a bit overkill for this - and would probably cause more headaches. At least linux just 'sits there and works'.

< shrug >

(Reply to this) (Parent)(Thread)

	thespirit3 2005-08-28 05:03 pm UTC (link)
	s/admit/admin/ (Reply to this) (Parent)

diffrentcolours
2005-08-28 05:56 pm UTC (link)

Yeah. The original network had a FreeBSD box in place to act as an SSH to VNC gateway, but the hardware (the old desktop PC from the shop before the upgrade) died and was never replaced.

The reason for putting a Linux box in is ease of remote admin, better logging and information (for example, Windows gives an "Unexpected Exception" error when a remote filesystem can't be accessed because the account on the server has expired; I'm expecting Samba to be a little more verbose), and the fact that the wireless cards I already have can act as access points and use WPA under Linux, but don't have relevant drivers for Windows ;)

(Reply to this) (Parent)

	802.11n evath 2005-08-30 05:16 pm UTC (link)
	Just wondering if this would give you the range you need and if anyone has relevent experiance to comment on it? (Reply to this)

Username:		Create an Account Forgot your login or password? Login w/ OpenID
Password:
	Remember Me
	English • Español • Deutsch • Русский…

About

Help

Get Involved

Legal

Store

LJ Labs