The TLA Files: WRT, WPA, AES, PPTP

August 2, 2007

For over two years now I’ve had the wireless network configured in a reasonably satisfying way: The main wrt54g has a public IP (wan), segments the lan and the wireless lan (wlan), provides dhcp to both, and provides pptp (vpn) on the wlan. The wlan was wide open, no encryption, broadcast ssid. You could connect but you couldn’t get anywhere until you VPN’d. This is very similar to the way we ran the wlan at work.

Eventually I got a second wrt54g, and I set it up in the living room. Frankly, at this point the configuration got too complicated to explain in a blog entry. Suffice it to say, lan was 10.0.0.0/24, wlan was 10.0.1.0/24 and devices connected to the lan segment of the wrt in the living room were on 10.0.2.0/24. Routing hilarity ensues.

When we moved in January the office also splintered off the wired lan, which introduced its own issues. I broke out the ancient powerline ethernet bridge, giving the office a whopping 10 Mbps. Yesterday I bought Doug’s old wrt54g (v1.1!) for $5. After 10 minutes of thinking about routing tables it was clear that starting a 10.0.3.0/24 segment was not going to make my life happier. After some consultation, I decided to use wpa2/aes to secure all traffic, and run the client wrts in bridge mode. Commence slamming head into desk. The difficulties of doing wpa2 in combination with bridged (wet) mode are reasonably well documented. You have to break the bridge (separate the wlan from the lan) and then run software to do the traffic routing. Very lame.

After a few hours of banging my head into that wall I decided that wpa2 wasn’t buying me enough to justify the annoyance (you also lose multicast) and I dropped all three devices down to wpa/aes. I just finished reconfiguring the last of the devices and everything is at least talking to each other.

Along the way I tried HyperWRT (including various flavors thereof: tofu, tomato, thibor) and they generally seem abandoned and less featureful than OpenWRT, so I went back.

The real question is whether this will improve network performance or not. Earlier on I did some speed testing with the encryption and it was at least on par, if not slightly better than the powerline. It feels like a lot of effort just to come out even, but I’m happy to have only 1 subnet for the entire house.
