Network Setup Help

Ask general networking questions here.... home setups, relatively simple work configurations, that sort of thing.

Things we may need to know:

  • What your goals are.
  • Your budget.
  • How much time you're willing to invest.
  • If money or time are unusually important. It's quite common to be able to save a lot of cash if you're willing to put in some hours learning and configuring. Alternately, you can sometimes just buy a solution, if you don't want to think about it much.
  • If applicable, what's not working now.
  • How fast your external network connection is. This one is important for sizing hardware recommendations.
  • Whether you're running (or planning to run) any internal services. If you know about things like DHCP, DNS, Samba, and Apache, talk in those terms. If not, talk about goals instead, and we can usually translate that into necessary services.
  • If you're planning to share any of those services with the outside world.
  • Your approximate skill level with computers in general, and Linux in particular. This applies back to the time/money tradeoff: Linux is often an extremely powerful and free solution to many network problems, but it takes time to learn and configure.
  • If you have any strong brand or OS preferences we should know about.

Setting aside this first comment for later reference. It'll probably never have anything in it, but just in case, reserved.

Hi!

Thanks for creating this thread, Malor.

I just bought a couple of wireless routers for my house and a 16-port switch. Is there anything special I need to know to avoid conflicts etc, or can I simply plug these in? The switch will be in the basement, attached to my modem, then wired to other rooms throughout the house. The wiring is already set up (properly and professionally). I plan to have one wireless router in my living room on the main floor and another in my office space on the second floor.

Any advice is super appreciated... and yes, I should have bought 5G routers, in retrospect, but I'm sure these will do just fine, as the wireless devices don't really need a lot of speed.

What router/firewall are you using now, and are you planning to replace it, or keep it?

And, yes, the 54GL is very old, and I would have suggested something newer.

Malor wrote:

What router/firewall are you using now, and are you planning to replace it, or keep it?

And, yes, the 54GL is very old, and I would have suggested something newer.

Hmm, router is built into the modem from Rogers.

OK, how much control do you have over it? Can you turn services on and off from that device? Does it have built-in wireless? If it does, can you turn it off, or are you stuck with it?

I can turn off the wireless that is built into the modem (Hitron CGN3ROG). I'm thinking since the modem is capable of 2.4G and 5G, and the other routers are 2.4G, I can leave the 5G running to serve the basement and that should not conflict with the 2.4G routers, right? I can turn both off independently.

Yeah, that should work well.

Ok, this is probably how I'd set it up:

Hitron modem as your external router, just like you have it now. It runs DHCP and provides DNS, exactly the way it's doing now.

Your switch goes in a convenient spot. I don't know how your wiring is set up, but it's normal to route all the rooms to a central closet; you'd want to put the switch there. Connect to whatever rooms you want active. All connections plug into any port. You may find it easiest to remember if you put the router in port 1, and the two 54GLs in either 2 and 3, or 15 and 16, whichever you prefer. You shouldn't need to do any configuration, this part should be trivial.

The 54GLs you'll want to put in as dumb a mode as possible. I haven't run a GL in a long time, so I don't remember how their web interface is set up, but what you want is for them to be dumb bridges to your internal network. However, there are at least three different kinds of bridging in wireless, so this is going to be a little confusing.

The first thing you DON'T want: client bridging. This is where the AP joins another wireless network, just like a laptop. (that's why it's client bridging; the secondary AP is just a client, and shares its wireless connection over its wired ports.) This is almost exactly backward to what you want; this joins two wired networks over a wireless bridge.

The second thing you (probably) don't want: wireless range extension, aka wireless bridging. (it is really stupid that it's called the same thing.) This is where all nodes in a network cooperate; they all have to know about each other. Every one of them repeats every packet they see to all the other routers. This cuts your bandwidth dramatically: if you have X routers in range-extend mode, then you will have 1/X bandwidth. Two routers means 1/2 bandwidth, three routers means 1/3, and so on. It's terribly inefficient, and you probably don't want it.

The way you probably do want it: dumb bridge mode, where each AP is hosting a unique network. You could call them something like "BASEMENT", "FRONT_HOUSE", and "BACK_HOUSE", or whatever you like. You'll be plugging them into the switch on their LAN ports, not their WAN port. They will run no services: you will need to turn off DHCP and DNS, so that the Hitron is handling that. The idea is for them to take everything they see on either the wireless or the wired network, and send it to the other side. This is yet ANOTHER thing called 'wireless bridging', but this flavor is probably what you want. For channels, you should pick any two of channels 1, 6, and 11. (2.4GHz channels should be 5 apart to avoid interfering with one another, so the best channels are 1, 6, and 11.)

The upside to this method: you will get maximum speed, and computers on one AP won't interfere with computers on the other. It will still all be one network fabric, so it won't matter which AP you're connected to. All your machines will be able to talk to all your machines, no hassle. Downside: you have to put both (or all three) networks into each machine, and you have to switch them manually as you move around.

In theory, with the range-extension method, laptops are supposed to roam around to the best AP. In practice, what I've found is that they refuse to switch unless you disconnect and reconnect. Whatever AP they pick first, they'll stick with, until they absolutely can't talk with it anymore. So you end up manually turning the wireless off and on again to get onto a better AP after moving.... so you might as well just run separate networks, and do the switch manually anyway. The hassle level is about the same, and you don't cut your network speed in half.

That's most of it. It shouldn't actually be that difficult. The hardest part will be figuring out how to put the GLs into the right bridging mode, and disabling their services. The slightly tedious bit is then configuring your portable devices to talk to both.

Make sense so far?

Yeah I think that all fits with the bits I know, thanks a ton for explaining the different options.

The one bit you said banged off my working knowledge of routers though: you are saying I plug my other routers into a LAN port, not a WAN port. That's totally a novel concept to me, and is probably what's currently stopping me from configuring the device.

Well, the way it should look, overall, is this:

    Internet
        |
       WAN
     Hitron
       LAN
        |
     switch
     |    |
    LAN  LAN
    GL1  GL2

Only one of your WAN ports should be plugged in, and it's the one facing the Internet... aka, the WAN. (Wide Area Network.)

You *could* plug into those internally, but then you'd end up with a segmented network, with a router/firewall between devices. There are times when that's useful; it can add a fair bit of security, for instance, by allowing you to have devices you don't trust (like, say, a console or a TV) in a separate network from the internal ones. But it also adds a fair bit of complexity. Plugging into all LAN ports, in dumb bridge mode, ends up merging everything into a single network.

If you did want more security, we could talk about running your net in two segments.... the one you already have, and then a separate one, behind one of the GLs. One GL would serve as the wireless AP for the existing net, the 'untrusted' zone, and the other GL would serve the 'trusted' machines. This is more like how I have my own network running, but it will take more attention to get it working.

No, your first idea is what I wanted, but I'm having trouble configuring the two routers. I can get on the wireless portion easily if I am not physically connected to the device, but I can't figure out how to get into it to configure the wireless portion.

I guess that means at least one thing, the device cannot service ethernet, right?

Malor wrote:

Well, by default, each of the routers will come up with DHCP and DNS active, on their LAN ports. So you'll need to unplug your computer from your main network, plug it into one of those LAN ports, and then browse to the admin utility. I don't know what the default address will be, but it should be listed in the manual.

In that admin utility, you'll need to turn off all the services, put it into bridge mode, and give it a (LAN!) IP address on your internal network, out of your DHCP range. If you put them up high in your network range (say, 192.168.0.251 and 252), that shouldn't conflict with anything. Once you save and reset the router, you'll have to plug back into the main network, and then plug a LAN port from that router into your switch. You should then be able to reach it on 192.168.0.251 or whatever you chose.

Then you'll have to repeat the process for the other router... bring it up entirely separately, configure it to slot into your main network, reboot, and connect it over there.

Ok, that's sort of what I tried, but didn't get anywhere. I'll have to pick this up Sunday evening, but I think you have provided enough to get me sorted.

Unfortunately, I am also still waiting for the switch to come in, so that may also be causing some issues.

Thanks so much for your detailed help!

Well, by default, each of the routers will come up with DHCP and DNS active, on their LAN ports. So you'll need to unplug your computer from your main network, plug it into one of those LAN ports, and then browse to the admin utility. I don't know what the default address will be, but it should be listed in the manual.

In that admin utility, you'll need to turn off all the services, put it into bridge mode, and give it a (LAN!) IP address on your internal network, out of your DHCP range. If you put them up high in your network range (say, 192.168.0.251 and 252), that shouldn't conflict with anything. Once you save and reset the router, you'll have to plug back into the main network, and then plug a LAN port from that router into your switch. You should then be able to reach it on 192.168.0.251 or whatever you chose.

Then you'll have to repeat the process for the other router... bring it up entirely separately, configure it to slot into your main network, reboot it, and connect it over there.

edit: I'm sorry I can't be more specific. It's been many years since I worked with a GL, so I don't remember much about their web interface.

If you can't find everything you need, the replacement firmware OpenWRT should run fine on it, if you've got a version of the GL they support. (per their tables, there's only a 1.0 version, so it may never have changed in all this time.) OpenWRT has a TON of features, but for what you're doing, I think the stock firmware should be fine.

(note, I added some stuff above after you posted, sorry.)

You should be able to substitute the LAN ports on the Hitron for the switch. If you plug both your machine and a LAN port on the GL into LAN ports on the Hitron, you should be able to talk to it, at least if you've configured it correctly.

Oh, I just thought of something: do you get lights when you plug the Linksys into the Hitron? If you don't, you might need crossover cables. You don't need crossovers anymore in the gigabit era, but the GL is not gigabit, and the Hitron may not be, either.

yet another edit: once you get the switch in, it will probably figure all that stuff out for you. It's gigabit, so it should be able to talk to anything... it should do internal crossover as needed.

Also if you can, set up the actual router to serve up a subset of the available IPs over DHCP. That leaves addresses you can use as static ones for network equipment and any servers.

For example...

My home network uses IPs in the 192.168.2.0 subnet with a mask of 255.255.255.0. That means 192.168.2.1 through 192.168.2.254 are available (255 is the broadcast address and left unused).

I set up DHCP to serve up the range 192.168.2.2 through 192.168.2.200. This means that 192.168.2.1 won't be served up (used by the router) and I have 54 other addresses (201-254) which I can manually assign to any devices which need them.

I think it's all making sense... too bad I have no time to work on it until Sunday evening.

You know, I was thinking about this a little this morning, and I think you would be very wise to take advantage of Amazon's generous return policy. That switch is fine, but the WRT54GL is absolutely ancient hardware, more than 13 years old. By modern standards, it's extremely slow. (to the point where my first version of that sentence included an expletive.) And they're still charging $70 for it, which just about knocked me out of my chair.

For $80 or so, you could get a refurb RT-N56U, which is pretty good kit. It's about ten times faster than the 54GL in terms of wired routing speed, somewhere around twice as fast with N wireless (the limit being the signal, more than the router), and it's got gigabit ports, so you don't have to screw with crossover cables. I think you'd be much better off with something like that.

Malor wrote:

You know, I was thinking about this a little this morning, and I think you would be very wise to take advantage of Amazon's generous return policy. That switch is fine, but the WRT54GL is absolutely ancient hardware, more than 13 years old. By modern standards, it's extremely slow. (to the point where my first version of that sentence included an expletive.) And they're still charging $70 for it, which just about knocked me out of my chair.

For $80 or so, you could get a refurb RT-N56U, which is pretty good kit. It's about ten times faster than the 54GL in terms of wired routing speed, somewhere around twice as fast with N wireless (the limit being the signal, more than the router), and it's got gigabit ports, so you don't have to screw with crossover cables. I think you'd be much better off with something like that.

Yeah, don't rub it in. I will have to limp along this way for a while, unfortunately, as I already opened them up, and my wife will skin me if she gets wise. However, I did not pay any $80 for them.

I might add something in a few months... what about this?

complexmath wrote:

For $80 you can get TWO brand new Buffalo AirStation N600s and still have $10 in your pocket. (Buffalo has been having a fire sale on their routers because they're re-releasing them with DD-WRT preinstalled)

Personally, I have the AirStation 1750s, which are great if you're willing to drop $100 for a router. If you really want to spend some money, the Netgear Nighthawk is highly regarded for its signal strength. Unlike the Buffalo routers though, it can't be wall mounted.

I have no experience with TP-Link routers and so can't comment there, except to say that the price tag is unbelievably low for an 801.11 ac router.

Oddly enough, that's the same price at amazon.ca

For $80 you can get TWO brand new Buffalo AirStation N600s and still have $10 in your pocket. (Buffalo has been having a fire sale on their routers because they're re-releasing them with DD-WRT preinstalled)

Personally, I have the AirStation 1750s, which are great if you're willing to drop $100 for a router. If you really want to spend some money, the Netgear Nighthawk is highly regarded for its signal strength. Unlike the Buffalo routers though, it can't be wall mounted.

I have no experience with TP-Link routers and so can't comment there, except to say that the price tag is unbelievably low for an 801.11 ac router.

For wifi in general, there's a "three wall rule", which is that once the signal is going through three walls it's time to add a repeater or a new router. If you have a laptop, it may be worth walking around your house with something like InSSIDer running to check signal coverage in rooms you care about and experiment with router location. You can even do this without the routers wired to the internet, since you're just testing your ability to talk with the router itself. I know some people put routers in the attic to get around the wall penetration issue, but attics get so hot I've never tried it.

Ok, I bought two of those Buffalo AirStations. I am pretty sure I can return the other two to Newegg, they just want me to include all parts/manuals etc.

NewEgg is good about returns. It shouldn't be a problem.

Alright, I probably did it wrong, because I definitely am doing things differently than you outlined, but again, you gave me advice based on different products, so here goes.

The switch I plugged into the modem and disabled the 2.4G wireless portion of the modem. I then plugged one cable into the plug leading to my living room and another one into one of the cables leading to my office on the third floor. I plugged the cable from the switch into the WAN ports on my new Buffalo AirStations. I then was able to sign into each station and give them a static IP address, I used 192.168.0.254 and 192.168.0.255. I gave each wireless network its own unique SSID, and used the same password as I have on the Hitron (modem/router).

I noticed the AirStations have a switch that can be set to Auto, Bridge or Router, but I left both on Auto. I then decided to leave the cable plugged into the WAN port. I know you said to use a Bridge setting and plug into a LAN port, but things seem to be working well the way I have them set up.

Any reason I should switch them to Bridge and swap where the cable is plugged in, or was that specifically because the old routers would not know how to handle the connection otherwise?

Don't use IP 255. It's the broadcast address (used for messages that all of the machines on that subnet listen to) and should never be used by an actual machine. Using .0 or .255 can lead to weird issues. Stick with 1 through 254.

Also, don't use the WAN ports on the wireless access points. You don't want the wireless networks to be separate from (and inaccessible from) your wired network. Leave the WAN ports empty and plug ethernet into one of their LAN ports.

The wireless access points hopefully don't have DHCP enabled either. Leave that to your actual router.

I plugged the cable from the switch into the WAN ports on my new Buffalo AirStations.

OK, if you do it that way, what you're doing is segmenting your network. Your Airstations do not freely pass traffic between the WAN port and the LAN ports. They think that anything connected to the WAN port is the Internet, and it's not to be trusted, and they will not pass any traffic in from that interface... only outbound traffic from its LAN ports, and replies to that traffic, are allowed.

You can do it this way if you wish. However, you need to be careful to choose different network ranges on each side of each router. You need to be paying attention to what interface is getting which IP; the WAN ports should be getting IPs in the Hitron's internal network, and the machine behind the Airstations should be getting IPs from the Airstation, in a different network. In other words: the Airstation doesn't know anything about the Hitron. It just has a static IP on the WAN interface... it thinks that's the Internet. Then it needs to have a network with a different number on its internal side, which it will do normal NAT and firewalling for. If the Hitron is providing 192.168.0.X, then Airstation 1 should be doing 192.168.1.X, and Airstation 2 should be doing 192.168.2.X. (it doesn't have to be 1 and 2, but those are easy.)

So, this means you end up with double NAT... your Airstations do NAT to the Hitron, and then Hitron does NAT again to the outside world. And this means that you can't easily talk back and forth on your network; only devices connected to any given Airstation can talk to one another, and anything connected directly to the Hitron can't talk to anything connected to an Airstation.

I think you probably don't want this. I think what you probably want to do is connect the Airstation LAN ports instead. On the Airstations, turn off everything but the most basic bridge mode, so they're NOT running DHCP or DNS services (only your Hitron should do that), assign an IP address on the LAN interface in the same network as the Hitron, and set up separate wireless networks.

What you should end up with is a single, unified network fabric. If the Hitron is serving 192.168.0.X, then all addresses in the system should be in that range. Anything plugged in anywhere can talk to anything else. If you connect a machine via wireless, it should automatically and transparently be given a DHCP address from the Hitron.

Another way of looking at it: the way you're setting it up is the easy setup method, where the Airstations don't trust anything but themselves. But in exchange for easy setup, you'll have a difficult network to deal with. If you take more time on the setup, and unify everything into a single fabric, then everything will be easy for actual use.

I used 192.168.0.254 and 192.168.0.255.

Yeah, as Lou says, that's bad. Use 251 and 252 instead.

Any reason I should switch them to Bridge and swap where the cable is plugged in, or was that specifically because the old routers would not know how to handle the connection otherwise?

Well, like I said, the setup method I'm describing takes more effort now, but saves you effort in the long run. However: the way you're set up now is somewhat more secure, in that if a device is compromised, it will be partially firewalled away from the rest of the network.

Segmentation is more secure, but you need to understand the network much better to be able to use it well.
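An added example, not part of any post in this thread: a small Python check of the addressing advice given above (static addresses outside the DHCP pool and never on .0 or .255 in a /24, and a different network number behind each WAN-connected AirStation). The function names are hypothetical, and the Hitron's own address (192.168.0.1) and DHCP pool (.2 to .200) are assumptions, since the thread never states them.

```python
import ipaddress


def check_plan(subnet, gateway, dhcp_first, dhcp_last, statics):
    """Return problems with a single-LAN (bridged AP) address plan.

    statics maps a device label to the static LAN address assigned to it.
    """
    net = ipaddress.ip_network(subnet)
    lo = ipaddress.ip_address(dhcp_first)
    hi = ipaddress.ip_address(dhcp_last)
    problems = []
    if lo > hi or lo not in net or hi not in net:
        problems.append("DHCP pool is not a valid range inside the subnet")
    seen = {ipaddress.ip_address(gateway): "gateway"}
    for name, text in statics.items():
        ip = ipaddress.ip_address(text)
        if ip not in net:
            problems.append(f"{name}: {ip} is outside {net}")
        elif ip == net.network_address:
            problems.append(f"{name}: {ip} is the network address")
        elif ip == net.broadcast_address:
            problems.append(f"{name}: {ip} is the broadcast address")
        elif lo <= ip <= hi:
            problems.append(f"{name}: {ip} is inside the DHCP pool")
        if ip in seen:
            problems.append(f"{name}: {ip} already used by {seen[ip]}")
        seen.setdefault(ip, name)
    return problems


def static_candidates(subnet, gateway, dhcp_first, dhcp_last):
    """Host addresses that are safe to hand-assign: not gateway, not in pool."""
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    lo = ipaddress.ip_address(dhcp_first)
    hi = ipaddress.ip_address(dhcp_last)
    return [ip for ip in net.hosts() if ip != gw and not lo <= ip <= hi]


def check_segments(upstream, downstream):
    """For APs cabled by their WAN port (routed, double NAT): every inner
    network must differ from the upstream network and from the others."""
    up = ipaddress.ip_network(upstream)
    nets = {name: ipaddress.ip_network(n) for name, n in downstream.items()}
    names = list(nets)
    problems = []
    for i, name in enumerate(names):
        if nets[name].overlaps(up):
            problems.append(f"{name}: {nets[name]} overlaps upstream {up}")
        for other in names[i + 1:]:
            if nets[name].overlaps(nets[other]):
                problems.append(f"{name}: {nets[name]} overlaps {other}")
    return problems


if __name__ == "__main__":
    # Assumed Hitron settings (not stated in the thread).
    hitron = ("192.168.0.0/24", "192.168.0.1", "192.168.0.2", "192.168.0.200")
    # The addresses first tried in the thread, then the suggested ones.
    tried = {"airstation1": "192.168.0.254", "airstation2": "192.168.0.255"}
    fixed = {"airstation1": "192.168.0.251", "airstation2": "192.168.0.252"}
    print(check_plan(*hitron, tried))
    print(check_plan(*hitron, fixed))
    # The 192.168.2.0 home network described earlier in the thread.
    free = static_candidates("192.168.2.0/24", "192.168.2.1",
                             "192.168.2.2", "192.168.2.200")
    print(len(free), free[0], free[-1])
    # WAN-port (segmented) layout: inner networks must not reuse 192.168.0.X.
    print(check_segments("192.168.0.0/24", {"airstation1": "192.168.0.0/24",
                                            "airstation2": "192.168.2.0/24"}))
```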

Okay, for some reason now I can't connect to my AirStations to make changes

That weird IP address you assigned could be making it difficult.

Most routers have a reset button, which will return them to factory defaults.

So it seems that when I successfully switched the airstation to IP 192.168.0.254, and switched it to bridge, I now cannot get onto the wireless network. When I sign into the router to make changes to the config, none of the buttons work. Do I have to have it in auto or router while I configure the wireless security settings, then switch it to bridge?

If they're still hooked up using the WAN ports, you can't get on the wireless network because your DHCP server is on a different physical network. It isn't receiving the request from your machine for an address, because that won't go through the WAN port.

Okay, I am running with the switch connected to my first airstation through LAN port 1 on the airstation. My laptop I am using to configure this router is connected through LAN port 4. The physical switch on the airstation is set to 'auto' and I assume it is acting as a router, because there is something in the settings called WDS which I cannot access while the airstation is in 'router' mode. When I switch the airstation to bridge mode, the wireless continues to function as does the wired connection, but I am unable to configure the airstation anymore.

When I switch the airstation to bridge mode, the wireless continues to function as does the wired connection, but I am unable to configure the airstation anymore.

It sounds like you might be assigning the IP to the WAN interface, and then you can't connect to it anymore when you put the router into bridge mode. Is there a spot where you can assign an IP to the LAN interface instead?

WDS, by the way, is one of the 'wrong' kinds of bridging; that's where you extend range, and cut your speed to 1/X. (so if you have two routers in WDS mode, you're at 1/2 speed.)