Running WEP and WPA(2) on the same network

ZForce915

First off, the reason I am posting this here is because I'm considering this whole process to allow the DS and any other inferior devices access to the internet.

I'm running a local network on WPA2 and I'm wondering if I could hook another router up to this one and run WEP on that. I've read conflicting reports online, is anyone already doing this with any success?

And would I need to have the "main" router running WPA and the WEP hooked into that, or the other way around?
 
I successfully do this. I'm away from home, so I can't check the config, but here's what I remember:


  • I'm using a Linksys router as the main router and a really cheap one for the secondary
  • Main router:
    • DHCP on
    • WPA enabled
    • DSL modem links to this router through the uplink/WAN port
    • Ethernet port links to secondary router
  • Secondary router:
    • DHCP off
    • linked to primary router through an Ethernet port, not the uplink/WAN port!
    • WEP enabled
It shouldn't matter which router runs which wifi mode, but I like having the more reliable one for the PCs and WPA enabled devices.

Good luck with this. I can answer specific questions after I'm home on Sunday August 1.
 
[quote name='ZForce915']
And would I need to have the "main" router running WPA and the WEP hooked into that, or the other way around?[/QUOTE]

I would put the least secure router closer to your cable/DSL modem, so "the other way around."

Think about it... If you put the WEP router into your WPA router (which is connected to your modem), then if someone breaks the WEP, then they are into your home network. If you do it the other way around and they break the WEP, then they still have to get past your WPA router's firewall just like anyone else on the internet at large.
 
I won't claim to be able to explain why, but security-minded folks will tell you that this should be a three-router process, otherwise your WPA network is just as susceptible as your (through your) WEP network. In other words, if modem connects to router a, then routers b + c connect from a, running their own networks. PCs connect to router b, running WPA, DSi connects to network c, running WEP. This is the only way to ensure that network b is safe in the event that network c is breached.

Again, I can't explain the specifics, but this is less "paranoid security guy doesn't use social networks", and more "will probably happen if you live next to a curious computer-savvy college kid" kind of advice.
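
The router layouts discussed in the posts above, worked through as a small reachability model. This is an added example, not something posted in the thread; it assumes a consumer NAT router blocks unsolicited connections from its WAN side into its LAN, and the segment names are made up.

```python
# Toy model (added example). Assumptions: a consumer NAT router blocks unsolicited
# connections from its WAN side into its LAN, and two routers joined LAN port to
# LAN port (DHCP off on one) form a single shared segment. Segment names are made up.

def path_to_internet(uplink, segment):
    """Segments crossed by traffic leaving `segment`, starting with itself."""
    path = []
    while segment != "internet":
        path.append(segment)
        segment = uplink[segment]
    return path

def assess(layout):
    """What a device that has joined the WEP Wi-Fi gains in this layout."""
    uplink = layout["uplink"]
    wep_seg, wpa_seg = layout["wep"], layout["wpa"]
    return {
        # It can open connections to its own segment and to anything upstream of it.
        "wep_reaches_wpa_hosts": wpa_seg in path_to_internet(uplink, wep_seg),
        # WPA clients' internet traffic passes through the segment it sits on.
        "wpa_traffic_crosses_wep": wep_seg in path_to_internet(uplink, wpa_seg),
    }

LAYOUTS = {
    "WEP router as access point on the WPA router's LAN": {
        "uplink": {"lan": "internet"}, "wep": "lan", "wpa": "lan"},
    "WEP router's WAN port into the WPA router": {
        "uplink": {"outer": "internet", "inner": "outer"}, "wep": "inner", "wpa": "outer"},
    "WPA router's WAN port into the WEP router": {
        "uplink": {"outer": "internet", "inner": "outer"}, "wep": "outer", "wpa": "inner"},
    "three routers: a to modem, b (WPA) and c (WEP) behind a": {
        "uplink": {"a": "internet", "b": "a", "c": "a"}, "wep": "c", "wpa": "b"},
}

def report():
    return {name: assess(layout) for name, layout in LAYOUTS.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: {result}")
```

Of the four layouts modelled, only the three-router one comes out with both values False: the WEP side cannot open connections to the WPA hosts, and the WPA clients' traffic never crosses the WEP segment.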
 
[quote name='mcelfour']I successfully do this. I'm away from home, so I can't check the config, but here's what I remember:


  • I'm using a Linksys router as the main router and a really cheap one for the secondary
  • Main router:
    • DHCP on
    • WPA enabled
    • DSL modem links to this router through the uplink/WAN port
    • Ethernet port links to secondary router
  • Secondary router:
    • DHCP off
    • linked to primary router through an Ethernet port, not the uplink/WAN port!
    • WEP enabled
It shouldn't matter which router runs which wifi mode, but I like having the more reliable one for the PCs and WPA enabled devices.

Good luck with this. I can answer specific questions after I'm home on Sunday August 1.[/QUOTE]

This is how I was going to set mine up as well. This should keep people from hacking the WEP router to access the WPA network. Or worst-case scenario I could just turn off the WEP router when I'm not accessing it.
 
This was a question on The Tech Guy (a radio show by Leo Laporte, formerly of TechTV who now runs the TWiT network) and he said this:

Ken’s son plays videogames online using his Nintendo DS. What about security? Leo says that the DS only uses WEP, which is useless. But what you can do is put an old router into “bridge” mode and it’ll set the DS aside in WEP and you can protect your network in WPA as a result.
 
[quote name='murphyspub']I won't claim to be able to explain why, but security-minded folks will tell you that this should be a three-router process, otherwise your WPA network is just as susceptible as your (through your) WEP network. In other words, if modem connects to router a, then routers b + c connect from a, running their own networks. PCs connect to router b, running WPA, DSi connects to network c, running WEP. This is the only way to ensure that network b is safe in the event that network c is breached.

Again, I can't explain the specifics, but this is less "paranoid security guy doesn't use social networks", and more "will probably happen if you live next to a curious computer-savvy college kid" kind of advice.[/QUOTE]

+1

This is the safest way to do it now (however, 90% of people don't which is ok). I have my Apple Base Station N with 2 Airport Expresses.

Your setup looks fine (security-wise). It's set up better than your average user's.

And murphyspub is correct. Unless you live in an apartment complex, hotel or dorm you really have nothing to worry about. If you do (and I tell everyone this), you might want to stay away from anything WEP.
 
I forgot to add that I use MAC address filtering so that only my DSes can connect to the WEP network, as additional security. In light of the previous comments, I don't know if that matters.
 
[quote name='mcelfour']I forgot to add that I use MAC address filtering so that only my DSes can connect to the WEP network, as additional security. In light of the previous comments, I don't know if that matters.[/QUOTE]


MAC filtering is another security layer, but it's not foolproof. You can spoof MAC addresses if the person knows what they're doing. In a majority of cases you won't see people doing this though. All it takes is a wireless packet sniffer and bam, you've got a device's MAC address you can now spoof over your own.

But yeah, like a previous poster said... unless you're next to/in a hotel, parking lot, dormitory, apartment or any other high population area then it's likely not going to happen to you. Although you can sit a fair distance away and use a Pringles can to make a signal strengthener to sniff out other people's networks. Yes, you can seriously use a Pringles can and it works.
 
I might have to pick up a cheap WiFi router now; this is good info. I rarely use my WiFi for anything other than my laptop and my roommate's laptop (everything else uses Ethernet). Any time I need to use the DS I just temporarily switch the security setting from WPA2 to WEP... and this is usually just to get a Pokemon WiFi event or global trade. It would be nice to have a spare router with minimal security so I can just flick it on and do my business without any hassle.

Oh, I forgot; the Wii uses WiFi too, but it supports my WPA2. I just rarely use it for online play or Internet since I don't have Monster Hunter 3 yet and don't much care for the online play or extra content for anything else.

By the way, I do live in an apartment; there are approximately 20 to 30 other WiFi networks in range at any given moment (many of which use WEP). Probably one of the better security measures to keep people from even trying to get into your network is to just set your router(s) to "do not broadcast SSID" mode. This really should be a more widely used method, but your average user is reluctant to even have to enter a password much less manually enter the SSID. Sure you're still vulnerable to sniffers but if you get someone that determined to break in, well good luck!
 
I always just connect my DS to the neighbor's unsecured network. I keep my stuff WPA2. (Apartment dweller here.)
 
Some routers will allow for a 2nd wireless network with different security. I think DD-WRT and its offshoots will allow for this.
 
Does anyone know if there is a step-by-step set of instructions on how to hook up a second router as WEP anywhere online? I have an extra Linksys wireless router, and I'd love to do this (but I'm ignorant about setting up networks).
 
[quote name='Liontamer']Does anyone know if there is a step-by-step set of instructions on how to hook up a second router as WEP anywhere online? I have an extra Linksys wireless router, and I'd love to do this (but I'm ignorant about setting up networks).[/QUOTE]

This.

I just finally, a couple months ago, installed DD-WRT on my Linksys to improve reliability (with MUCH success... hasn't booted me once since). Now the next step is to try and do what the OP is doing, since everything else can use WPA or better.
 
If you have a router capable of it, you can install DD-WRT or OpenWrt on the router. With that, you can create what are called 'Virtual Access Points'. This will let your single router support WPA2 and WEP connections (each VAP can be assigned its own encryption standard). If you do this, I recommend you take other steps to lock down the WEP portion of your link. You can use MAC address filtering, for example, to make sure only certain devices connect.

Check the following links to see if your hardware is supported.
OPEN WRT
DD-WRT
 
I just got a DSi XL.. what a pain in the ass this is... I can go under advanced and connect to my WPA2 network but none of the games will use that setting to connect. This is just too much work for me to even care about playing these online. I mean, can't they do an update and fix this?
 
Got this figured out with DD-WRT on my router. Thanks for the tips guys! Downloading some new quests for DQIX as we speak!
 
[quote name='Draekon']But yeah, like a previous poster said... unless you're next to/in a hotel, parking lot, dormitory, apartment or any other high population area then it's likely not going to happen to you. Although you can sit a fair distance away and use a Pringles can to make a signal strengthener to sniff out other people's networks. Yes, you can seriously use a Pringles can and it works.[/QUOTE]

I thought the Pringles can only worked for transmission, i.e. you can send packets further (by virtue of "directing the beam") but it doesn't help reception.
 
Yes. You can create a 'virtual' wireless access point, and basically wall it off from the rest of your network.

I'd highly suggest that if you do that, that you give it a different SSID and key than your hardware wireless access point, and make sure to turn the virtual access point off once you are finished gaming.

For bonus points, you can also use DD-WRT to reduce the broadcast strength of your router. Since I have a small ranch style home, I use half the original broadcast power rather than the default; this makes the signal weak outside of my home, and a script kiddie would likely assume that 'the connection is the suxxors.'
 
[quote name='Kezmer']I just got a DSi XL.. what a pain in the ass this is... I can go under advanced and connect to my WPA2 network but none of the games will use that setting to connect. This is just too much work for me to even care about playing these online. I mean, can't they do an update and fix this?[/QUOTE]
Unfortunately no. The software for wifi is embedded inside the DS carts and it's all WEP. New games MAY use WPA2 but don't count on it. Hopefully Nintendo will force WPA2 on all 3DS carts OR remove wifi from the carts and have an API for the carts to access the hardware based settings.
 