O'Reilly logo

Wireless Hacks by Rob Flickenger

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Java Configurator for AirPort APs

Configure your AirPort or Lucent-based AP from a Java applet.

Jon Sevy has done extensive work with the AirPort, and has released an open source Java client (http://edge.mcs.drexel.edu/GICL/people/sevy/airport) that configures the AirPort (including Graphite, Snow, and Extreme) as well as the RG-1000. He has also compiled a tremendous amount of information on the inner workings of the AirPort, and makes extensive resources available online at this site. Since his utility is open source and cross platform, and works very well, I use it in the following examples; see it in action in Figure 4-1.

The AirPort Java Configurator.

Figure 4-1. The AirPort Java Configurator.

To use the Java Configurator app, you need a copy of the Java Runtime Environment. Download it from http://java.sun.com/ if you don’t already have it. You can start the utility by running the following in Linux:

$ java -jar AirportBaseStationConfig.jar &

Or simply double-click the AirportBaseStationConfig icon in Windows.

The AirPort can be configured over the Ethernet port or over the wireless. When the application window opens, you can click the Discover Devices button to auto-locate all of the APs on your network. When you find the IP address of the AP you want to configure, type it into the Device address field, and type the password into the Community name field. If you’re unsure about the IP address or the password, the AirPort ships with a default password of public and an IP address of 10.0.1.1 on the wireless interface (it picks up the wired IP address via DHCP; use Discover Devices to find it if you’re configuring it over the Ethernet). Once you’ve entered the correct information, click the Retrieve Settings button.

The very first thing you should change is the Community name, on the first panel. Otherwise, anyone can reconfigure your AirPort by using the public default! While you’re there, you can set the name of the AirPort (which shows up in network scans), and also the location and contact information, if you like. These fields are entirely optional, and have no effect on operations.

You should also choose a network name, under the Wireless LAN Settings tab. This is also known as the ESSID, and identifies your network to clients in range. If you’re running a “closed” network, this needs to be known ahead of time by any host attempting to connect.

Local LAN Access

As stated earlier, the default AirPort configuration enables LAN access by default. If you’re using DSL or a cable modem, or are installing the AirPort on an existing ethernet network, then this is what you want to use. In the Java Configurator, take a look at the Network Connection tab, and check the Connect to network through Ethernet port radio button.

From here, you can configure the IP address of the AirPort, either via DHCP, by entering the IP information manually, or by using Point-to-Point Protocol over Ethernet (PPPoE). You’ll probably want to use DHCP, unless your ISP requires a manual IP address or PPPoE.

Configuring Dialup

There is also a radio button on the Network Connection tab marked Connect to network through modem. Use this option if your only network connection is via dialup. Yes, it’s very slow, but at least you’re wireless. Note that the Dialup and Ethernet choices are exclusive, and can’t be used at the same time.

When you check Connect to network through modem, the pane presents you with Phone number, Modem init string, and other dial-up-related fields. Make sure that Automatic dialing is checked, so it will dial the phone when you start using the AirPort. Click on the Username/Password/Login Script button to enter your login information. On this screen, you can also define a custom login script if you need to. The default script has worked fine for me with a couple of different ISPs.

Once the AirPort is configured for Dialup, it dials the phone and connects any time it senses Internet traffic on the wireless port. Just start using your wireless card as usual, and after an initial delay (while it’s dialing the phone), you’re online.

NAT and DHCP

By default, the AirPort acts as both a NAT server and a DHCP server for your wireless clients. DHCP service is controlled by the DHCP Functions tab. To turn DHCP on, check the Provide DHCP address delivery to wireless hosts box. You can specify the range of IPs to issue; by default, the AirPort hands out leases between 10.0.1.2 and 10.0.1.50. You can also set a lease time here, which specifies the lifetime (in seconds) of an issued IP address. After this timer expires, the client reconnects to the DHCP server and requests another lease. The default of 0 (or unlimited) is probably fine for most installations, but you may want to set it shorter if you have a large number of clients trying to connect to your AirPort.

If you don’t have another DHCP server on your network, the AirPort can provide service for your wired hosts as well. Check the Distribute addresses on Ethernet port, too box if you want this functionality.

Warning

Only check this box if you don’t have another DHCP server on your network! More than one DHCP server on the same subnet is a BAD thing, and will bring the wrath of the sysadmin down upon you. Watching two DHCP servers duke out who gets to serve leases may be fun in your spare time, but can also take down an entire network and leave you wondering where your job went. What were you doing connecting unauthorized gear to the company network, anyway?

If you have more than one AirPort on the same wired network, make sure that you enable only DHCP to the wire on one of them—and again, only if you don’t already have a DHCP server.

NAT is very handy if you don’t have many IP addresses to spare (and these days, few people do). It also gives your wireless clients some protection from the wired network, as it acts as an effective one-way firewall. In the Configurator, NAT is set up in the Bridging Functions tab. To enable NAT, click the Provide network address translation (NAT) radio button. You can either specify your own private address and netmask, or leave the default (10.0.1.1 / 255.255.255.0).

Bridging

A big disadvantage to running NAT on your wireless hosts is that they become less accessible to your wired hosts. While the wireless users can make connections to any machine on the wire, connecting back through a NAT is difficult (the AirPort provides some basic support for this by allowing for static port mappings, but this is far from convenient). For example, if you are running a Windows client on the wireless, the Network Neighborhood shows only other wireless clients, and not any machines on the wire, since NAT effectively hides broadcast traffic (which the Windows SMB protocol relies on). If you already have a DHCP server on your wired network and are running private addresses, the NAT and DHCP functions of the AirPort are redundant, and can simply get in the way.

Rather than duplicate effort and make life difficult, you can disable NAT and DHCP, and enable Bridging to the wire. Turn off DHCP under DHCP Functions (as we just saw), and check the Act as transparent bridge (no NAT) under the Bridging Functions tab. When the AirPort is operating in this mode, all traffic destined for your wireless clients that happens on the wire gets broadcast over wireless, and vice versa. This includes broadcast traffic (such as DHCP requests and SMB announcement traffic). Apart from wireless authentication, this makes your AirPort seem completely invisible to the rest of your network.

Once bridging is enabled, you may find it difficult to get the unit back into NAT mode. If it seems unresponsive to the Java Configurator (or the Mac AirPort admin utility) while in bridging mode, there are a couple of ways to bring it back.

If you have a Mac, you can do a manual “reset.” Push the tiny button on the bottom of the AirPort with a paper clip for about two seconds. The green center light on top will change to amber. Connect the Ethernet port on your AirPort to your Mac, and run the admin utility. The software should let you restore the AirPort to the default settings. You have five minutes to do this, before the amber light turns green and reverts to bridged mode.

WEP, MAC Filtering, and Closed Networks

If you really want to lock down your network at the access point, you have the following choices at your disposal: WEP encryption, filtering on MAC address (the radio card’s serial number), and running a “closed” network. The three services are completely separate, so you don’t necessarily have to run MAC filtering and a closed network, for example. Combining all of these features may not make your network completely safe from a determined miscreant, but will discourage the vast majority of would-be network hijackers.

To set the WEP keys, click the Wireless LAN Settings tab, and enter the keys in the fields provided. Also check Use encryption and uncheck Allow unencrypted data to require WEP on your network. Give a copy of this key to each of your wireless clients.

With MAC filtering enabled, the AirPort keeps an internal table of MAC addresses that are permitted to use the AirPort. Click the Access Control tab, and enter in as many MAC addresses as you like. Only radios using one of the MACs listed here will be allowed to associate with the AirPort. The MAC address of a radio card should be printed on the back of it (a MAC address consists of six hex numbers of the form 12:34:56:ab:cd:ef ).

A "closed” network makes the AirPort refuse connections from radios that don’t explicitly set the ESSID, i.e., clients with a blank ESSID, or an ESSID set to ANY. To make your network “closed,” check the Closed network box under Wireless LAN Settings.

Remember that without encryption, all traffic is sent in the clear, so anyone within range could potentially read and reuse sensitive information (such as ESSIDs and valid MAC addresses.) Even with WEP, every other legitimate user can see this traffic. If you need to later restrict access to a user, you must change the WEP key on every wireless client. But for small groups of trusted users, those using these access control methods should discourage all but the most determined black hat without too much hassle.

Roaming

Wireless roaming can be very handy if your network is arranged in a way that you can support it. In order for roaming to be possible, your APs all need to be from the same manufacturer, they all need to reside on the same physical wired subnet (i.e., on the same IP network, with no intervening routers), and they all must have the same network name ( ESSID).

In the AirPort, roaming is automatically enabled if this is true. Make sure that all of your AirPorts have the exact same network name under Wireless LAN Settings. If, for some reason, you want to disable roaming, just give each AirPort a different ESSID.

Save Your Changes

Once you are satisfied with your settings, click the Update Base Station button, and give your AirPort about a minute to reboot. If you changed your network name or WEP settings, be sure to change your local wireless client accordingly before trying to associate with the access point. That’s all there is to it.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required