Adding wireless to existing Ethernet home network; also, router NAT & firewalls

I want to add wireless capability to my home network. I already have a central switch and Ethernet cable in the walls, plus two network drives, a cable “modem”, two more network drives hanging off their own local hub, a router doing NAT so my cable modem can be a DHCP host while my network uses fixed IP, and an Apple Time Capsule. The Time Capsule is a network drive dedicated to automated backup of my iMac, plus an “Airport” wireless access point that is currently turned off. The other drives are for general use and manual backup for the iMac and Mrs. Napier’s Windows laptop.

I’d like to turn the wireless access point on to be able to use laptops and a new Kindle wirelessly, but keep using the Ethernet where it’s already wired (it’s faster and more secure). I think I’d like to retire two of the older network drives, which cannot be DHCP clients; this would let me switch my wired network to use DHCP. I played around a little with the Time Capsule Airport but things were complicated and confusing, thus several questions:

Am I right to assume it is straightforward to have a network that includes wired and wireless components? Or would this be two networks? The AirPort controls seemed to say that either it would provide the only network or would join an existing wireless network, neither of which is what I want.

Do wireless networks use IP addresses? Can they be static or DHCP?

I have a router. It’s a Linksys BEFSX41 VPN firewall router. Its WAN port connects to the LAN port of the cable modem, and its LAN port connects to one of the switch ports. It does network address translation between my static IP network and the DHCP based port on the modem, on which DHCP can’t be turned off. The point was to allow using the older drives which need fixed IP (or else each one needs to be the DHCP host). I also use its hardware firewall. I think I can get rid of this router, which is trouble prone and often needs a hardware reset, if I use DHCP everywhere. But I worry about not having the hardware firewall. How safe is that?

Do most people just plug a switch or hub into their cable modem, and let everything use DHCP, with no hardware firewall?

Thanks!

This part I can answer, assuming that Apple doesn’t have too many oddities - yes, your network can have both wired and wireless components - I’ve got a Linksys wireless router with 4 ethernet connections, and both the wired and wireless connections are in the same network.

You’ve got enough things wired together that I can’t comment further though - but I’d guess that all you need to do is turn on your wireless access point. I think that it would join your current network (the “wireless” bit is probably an assumption on Apple’s part that you are trying to extend the range of a current wireless network?).

Joe

It’s very common to have a network with both wired and wireless components. I’m working on one right now. Generally, one uses a router with a built-in Ethernet switch, so the entire system shares one IP address scheme, and is one network. If you are rolling your own, you need to make sure you only have one router handling DHCP. If you have some of the network with fixed IP addresses (not necessary for OS X, unless you are running a web server that needs to be reachable from outside your private network), then you need to make sure that those IP addresses are in the same address range as the rest of the DHCP’d network.

As long as you aren’t connected directly to your cable modem, you are protected by NAT. No incoming connections to any port are allowed, unless you specifically configure it that way. Newer routers have UPnP, which allows software on your computer to open ports, so you may want to shut that off.

I don’t understand. If a bunch of computers and network drives plug straight into a switch which also connects to the cable modem, what would be doing the NAT? There’s no router!

I think he’s assuming that you are behind a router, since otherwise only one computer can access the Internet at a time. Even if you aren’t behind a router, only one machine would be at risk, since only one machine would have a valid external IP address.

I think maybe I found a good answer to some of this. Apple has an article on their support site entitled “Apple AirPort Networks” that says one of the options is the following: “Set up the device to act as a router and provide Internet Protocol (IP) addresses to computers on the network using Dynamic Host Configuration Protocol (DHCP) and Network Address Translation (NAT). When the wireless device is connected to a DSL or cable modem that is connected to the Internet, it receives webpages and email content from the Internet through its Internet connection, and then sends the content to wireless-enabled computers, using the wireless network or using Ethernet if there are computers connected to the Ethernet ports.” So, I plug the WAN port of the TimeCapsule (which contains an AirPort) into the modem and plug the switch into one of the TimeCapsule LAN ports. I can run the tractor over the Linksys router and throw away the bent paperclip I had to keep next to it (next to the router, not next to the tractor).

Yes, you can configure all Apple WAPs to act as routers. You can even use any OS X computer to do this if you want.

You have to have a router to connect more than one computer to a cable modem. With a cable modem, you only get one IP address. The router assigns private IP addresses, and routes the traffic from the cable modem to the computers. Outside computers cannot connect to these private IP addresses unless you configure the router to do so.

Wikipedia might explain it better than me.

Doesn’t a switch let multiple computers share a cable modem?

Three years ago I added an Apple Airport Extreme Base (AEB) station to my existing wired ethernet with an existing router - and used a USB drive with it for backups. Should be the same as TimeCapsule.

I simply plugged an ethernet cable into the AEB WAN port, turned on the wireless in the AEB and configured it to ‘bridge mode’ (Internet connection sharing ‘OFF’). It gets an IP address via DHCP from my router, as do any devices plugged into the LAN ports.

Generally, no. Generally, a cable modem is assigned one IP address. So you can only connect one computer to it. To connect more than one computer, you need a separate network on your side, which means using a router to link your network with the ISP’s network.

A router has one IP address from one network - e.g. from the cable modem - and has a different IP address from another - e.g. on the side of your network - and links the two. Most routers for the home and small business markets have additional functionality, like being a firewall, or being a DHCP server.

A switch directs packets coming from one network port to another network port. It is considerably less intelligent.

Thanks all. I didn’t appreciate the necessity of NAT and thought of it as an extra security feature. I never tried using my network without a router.

A little background…

A home router is actually three things:

  • A NAT firewall with DHCP server. This is the traffic cop that manages all of the bookkeeping needed for your one Internet cable to be shared in your house.
  • A network switch. This device passes packets back and forth between hosts plugged into one of its multiple ports. This is what lets your router have four hard ports on the back.
  • A Wireless Access Point. You can have a WAP without the NAT firewall or switch, but these usually come bundled all together. If you were to turn off NAT and attach one of the local ports of your router to a network, then you are effectively extending that network, with a WAP only device.

There are many ways to hook these things up to play nicely together. For an example of one configuration that is similar to your own, this is how I have things set up…

  1. Cable modem => NAT Router (Time Capsule) => Network Switch => Hard-wired Devices (NAS, work computer dock)

The Time Capsule is the only device in this network configured as a DHCP server. This is necessary if you have a single network.

The network switch is needed because the Time Capsule only has three local ports (it has a 3-port switch internally, in other words), and I needed to extend my network down to the basement. I have a big long wire going from the Time Capsule down two floors to the switch.

  2. The Time Capsule has a second NAT Router (Linksys WRT54G) plugged into it, configured as its own NAT Router and DHCP server.
     This Linksys router is a brand new network. Devices on the Linksys network (192.168.2.x) can see devices on the Time Capsule network (192.168.1.x), but the Time Capsule devices can’t see anything on this Linksys network.
     This is because a router serves as a one-way valve: stuff on the inside can see out, but nothing can see in.

Both of these routers (Time Capsule and Linksys) have their wireless access points turned on. This means I have two wireless networks: one for me and one for my kids.

By doing this, I can control Internet access to everything on the Linksys network (the kids) by setting access limits on the one wire going from that router to the parent network (the Time Capsule network).

  3. I have assigned a static IP address to things that are “shared devices” such as my print server, NAS, and an experimental MediaWiki server I have set up.
     Everything else gets an address via DHCP.

This simplifies network shares substantially, since I can go to a PC or Mac and type in a hard-coded IP address to map a network share on the NAS. Likewise, it makes it easier to set up a network printer in the mixed Mac/PC environment.

  4. I use OpenDNS for DNS services. I simply set the NAT Router (Time Capsule) to use the two OpenDNS servers for DNS purposes. All other network devices are given the address of the gateway (192.168.1.1) as DNS.
     This means that when a laptop user looks up Google, the DNS request goes to the Time Capsule, which then goes to OpenDNS to resolve it.

The small twist to this is that the kids’ network needs to have its own DNS configuration as well. Those devices ask the Linksys router for DNS information, which then forwards to the Time Capsule, which then forwards to OpenDNS.

A final note:

(Everything from here on down is about the Router and its capabilities as a NAT firewall and DHCP server)

The Time Capsule is not a flexible gateway router device. I have been very pleased with it as a network backup appliance, but have been disappointed in its configurability.
If you find yourself needing much fancier stuff, you can do a few things:

Consider getting a Linux router and installing DD-WRT on it. This is very flexible firmware that gives you neat stuff such as QoS, granular access rules, captive portal, VPN, and other spiffy features.

If your needs are more demanding than that (e.g. small office), you might consider getting a cheap single-board-computer (Soekris or PC Engines) and run some more pro-quality firewall firmware such as m0n0wall.
You can even do this using an old PC with two network cards, though it is much tidier if you use a small fanless computer.

minor7flat5, thank you very much for this, as your descriptions make sense and answer several questions. Your #1 is what I want to do. Your #2 makes sense and is most thought provoking - it hadn’t occurred to me to do that sort of thing.

A question about DHCP, then - I would like to be able to set up a DHCP host to exclude a certain range of addresses within the same 256 address space, so that they could be devoted to static IPs, and I had tried to do that several times in the past with my router, but it doesn’t seem to work. There are settings in the configuration page that clearly seem to do that, and I set things and apply the settings and can log out and log back in and see they are still there. But when I set non-DHCP client devices to use addresses in that exclusion range, things will regularly screw up as the router gets around to those numbers and starts leasing them out. I wondered if I completely misunderstood the point. So: are you supposed to be able to exclude a range of addresses when configuring a DHCP host, and then use static addresses within that range? Or is excluding a range of addresses in a DHCP host actually intended for some other purpose I have no idea of?

If you are using an AirPort or Time Capsule:

  • Open AirPort Utility
  • Click Manual Setup at the bottom of the page
  • Select Internet in the toolbar area
  • Click DHCP on the tabbed area of the Internet pane
  • Put the starting address for your DHCP range in DHCP Beginning Address (I have [192.168.]60.3)
  • Put the full ending address in the DHCP Ending Address field (I have 192.168.60.149)

Now AirPort should be issuing IP addresses in that range. No devices should be given automatic addresses above the selected range.

You then have to go to each static device and set it to an IP address outside the DHCP range. I set mine all in the 150+ range. For example, my printer is 192.168.60.155.

I didn’t start at 192.168.60.1 because that is the address of the router itself.
I gave the static address 192.168.60.2 to the kids’ router (in other words, when you log in to the kids’ router’s admin screen, the “WAN IP address” appears as 192.168.60.2).

(By the way, I specifically avoid the default 192.168.1.x network because if you ever try to set up VPN between your home and a small office, you will run into all kinds of strangeness if both home and office share the same subnet. Since it is most likely that someone else will use the default network address in their small office router, I set mine to be different.)
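The address plan described in the two posts above (a DHCP pool in the middle of the subnet, static hosts above it, the gateway at .1, and a subnet chosen so it won’t clash with someone else’s default) can be checked mechanically before anything is plugged in. The following is an added example written for this thread, not code from any poster or from Apple; it uses only Python’s standard `ipaddress` module. The subnet, pool and the two deliberately wrong entries (a static address inside the pool, and an access point still on its factory 192.168.2.x subnet) are constructed sample values.

```python
"""Check a home-LAN address plan: DHCP pool vs. static hosts vs. subnet."""
from ipaddress import ip_address, ip_network


def classify_static(addr, subnet, gateway, pool_start, pool_end):
    """Classify one statically assigned address against the plan.

    Returns one of:
      "ok"          inside the subnet, outside the DHCP pool, not the gateway
      "gateway"     collides with the router's own address
      "in-pool"     inside the range the DHCP server hands out; sooner or
                    later the server leases it and two hosts fight over it
      "off-subnet"  not on this subnet; LAN hosts cannot reach it without
                    a route, which a home switch does not provide
      "reserved"    network or broadcast address, never usable for a host
    """
    a = ip_address(addr)
    net = ip_network(subnet, strict=False)
    if a not in net:
        return "off-subnet"
    if a in (net.network_address, net.broadcast_address):
        return "reserved"
    if a == ip_address(gateway):
        return "gateway"
    if ip_address(pool_start) <= a <= ip_address(pool_end):
        return "in-pool"
    return "ok"


def check_pool(subnet, gateway, pool_start, pool_end):
    """Sanity-check the DHCP pool itself. Returns a list of problem strings."""
    net = ip_network(subnet, strict=False)
    lo, hi = ip_address(pool_start), ip_address(pool_end)
    problems = []
    if lo > hi:
        problems.append("pool start is after pool end")
    if lo not in net or hi not in net:
        problems.append("pool is not inside the subnet")
    if lo <= ip_address(gateway) <= hi:
        problems.append("gateway address lies inside the pool")
    if net.network_address in (lo, hi) or net.broadcast_address in (lo, hi):
        problems.append("pool includes network or broadcast address")
    return problems


def check_plan(subnet, gateway, pool_start, pool_end, static_hosts):
    """Return {"pool": [problems], name: classification, ...} for a plan."""
    result = {"pool": check_pool(subnet, gateway, pool_start, pool_end)}
    for name, addr in static_hosts.items():
        result[name] = classify_static(addr, subnet, gateway, pool_start, pool_end)
    return result


def subnets_overlap(a, b):
    """True if two subnets share any address (the home/office VPN clash)."""
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


# Constructed sample plan: the thread's numbers plus two deliberate mistakes.
SUBNET = "192.168.60.0/24"
GATEWAY = "192.168.60.1"
POOL = ("192.168.60.3", "192.168.60.149")
STATIC_HOSTS = {
    "kids-router-wan": "192.168.60.2",
    "printer": "192.168.60.155",
    "nas-mistake": "192.168.60.100",      # constructed: sits inside the pool
    "ap-factory-default": "192.168.2.1",  # constructed: AP left on its default subnet
}

if __name__ == "__main__":
    report = check_plan(SUBNET, GATEWAY, *POOL, STATIC_HOSTS)
    for name, verdict in report.items():
        print(f"{name:20} {verdict}")
    print("home/office clash:", subnets_overlap("192.168.1.0/24", "192.168.1.0/24"))
```

Run it with your own subnet, pool and static list substituted; any static that comes back `in-pool` is exactly the situation described in the question above, where the router eventually leases the address out from under the fixed device. The `subnets_overlap` check is the VPN point in the parenthetical: two sites on 192.168.1.0/24 overlap, 192.168.60.0/24 against 192.168.1.0/24 does not.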

The funny thing about home “routers” is that they do so many things, as **minor7flat5** describes (cable/DSL modem, NAT device, Ethernet switch, wireless access point, rudimentary firewall), but actual routing is about the last thing they do. They simply pass outgoing traffic to the ISP’s routers, and incoming traffic is not routed at all. It may be passed to the internal network via NAT or port-forwarding, but that is a fundamentally different process from routing.

They do have two interfaces at the IP level, which makes them routers in a broader sense, but they are not routers. I just looked at the routing table of my “router”, and there are precisely zero entries in it.

I’ve got a similar starting question, but with a distinct variable. I too want to just slap a wi-fi AP on my ethernet network, but I don’t want to go to the hassle of swapping a router for my switch.

Sorry; I’ll explain.

My at-home entirely-Ethernet network goes through a 24-port unmanaged switch, which itself is wired to my DSL modem. All my Internet connections are DHCP. So, why can’t I just connect an AP (and do the setup?) to the switch for use by the new notepad device sitting on the table, over… uh, there. The phone company providing the Internet access is resistant to handing me a bunch of static IP addresses (unless I bestow gobs of cash on them).

Can it be done?

Oh, and do I use straight-through E’net to connect to the AP, or crossover?

Crossover vs. straight through rarely matters anymore, as most devices can switch automatically. But technically you should use a straight through cable, as the AP is a dedicated serving device, rather than a client. Crossover is only for devices that can be both server and client.

As for your question, it should work. The lack of static IPs from your ISP is not a problem at all. Explanation below.

Your unmanaged switch has to be going through a gateway, and a gateway can grant new IP addresses without conflicting with any out on the real Internet. Based on what you describe, I’d guess your modem is a router/modem, and, as far as your ISP is concerned, you have only one IP address for all 24 devices on your switch.

The only problem I can see is that the AP has a preconfigured static IP on its own internal network and a preconfigured DHCP range. These may conflict. If so, you’ll need to change the IP of the device and subnet a different range. You’ll have to read your instructions for specifics, but the basic method is below:

You’ll probably need to temporarily plug your AP directly to your laptop (and nowhere else), go to the AP’s default IP address, which will take you to a configuration screen. One of the options will allow you to change the IP. Only after the IP is changed should you connect it to one of the ports on the switch.

As for what to change it to? The easiest way is just to change the third number to something different than all other devices on the network, including the modem. For example, if all your devices start with 192.168.1, then your AP could start with 192.168.2.

Good stuff, and jargon-free. Thanks. I’m off to buy an AP. Which, based on all the nasty user comments I’ve seen (on mail-order commercial sites), will be an adventure in the swamp of dubious quality control…