5.4 Configuring an Access Point

To connect your access point to the Internet, use a straight-through Ethernet cable to plug the access point's WAN port into your cable modem, DSL modem, router, or whatever piece of equipment in your home or office that is responsible for providing Internet access. After you plug it in, turn on the access point's switch (assuming it has one ? some access points can only be powered down by unplugging them), and it will power up, perform its initialization, and then request a DHCP address from the cable or DSL modem or router.

You may need to reboot your cable or ADSL/DSL modem in order for the access point to obtain an IP address. This is especially important in cases where the modem was initially connected directly to the PC and may have locked itself to the MAC address of the PC (see Locking MAC Addresses in Chapter 2).

5.4.1 Web-Based Configuration

To configure the wireless router, connect your computer to one of the wireless router's LAN ports using a straight-through Ethernet cable (if your computer has an autosensing Ethernet port, you can use either a straight-through or crossover cable). For the Linksys BEFW11S4, load the following URL in your web browser: For the D-Link DI-714P+, use When prompted for a username and password, use "admin" as your username and leave the password field empty.

The default IP address, username, and password may be different for different access point models and manufacturers. Check your access point manual for the correct defaults.

Bypassing a Proxy Server

If you use a proxy server to connect to the Web, ensure that you bypass the router's IP address or you may not be able to connect to the web-based configuration utility.

To do so, go to Internet Explorer and follow these steps:

  1. Click on Tools Internet Options...

  2. Select the Connection tab and click on LAN settings...

  3. Check the option "Bypass proxy server for local addresses"

Figure 5-19 shows the web-based configuration utility of the BEFW11S4.

Figure 5-19. The BEFW11S4 configuration utility

Figure 5-20 shows the web-based configuration utility of the DI-714P+. There are several tabs displayed horizontally: Home, Advanced, Tools, Status, and Help. Corresponding to each tab are various functions displayed vertically. For example, in the Home tab there are five functions: Wizard, Wireless, WAN, LAN, and DHCP.

Figure 5-20. The configuration utility of the DI-714P+
figs/xpuw_0520.gif DI-714P+ setup wizard

To quickly set up the DI-714P+, I suggest you run the wizard. Click on the Run Wizard button and take the following steps:

  1. Change the password of the DI-714P+ (see Figure 5-21). Failing to change the default empty password will allow unauthorized users to access the router and make modifications that compromise the security of the network.

    Figure 5-21. Changing the password of the DI-714P+
  2. Choose the time zone settings for your router.

  3. Select the Internet connection type (see Figure 5-22). Choose Dynamic IP Address if your wired network supports DHCP. In a case where you are allocated a fixed IP address, choose Static IP Address. Most ADSL/DSL users will choose "PPP over Ethernet".

    Figure 5-22. Selecting the Internet connection type
  4. Depending on the connection type you have selected in Step 3, you will be asked to enter information pertaining to the selected connection type. Figure 5-23 shows the window displayed if you select Dynamic IP Address in Step 3. You can clone your network card's MAC address here.

Figure 5-23. Setting the MAC address of the DI-714P+

Please refer to Chapter 2 for an explanation of MAC address cloning.

  1. Enter an SSID for your network. You can also set a channel to use here (see Figure 5-24). If you have multiple access points in a network, set them to use nonoverlapping channels (see Chapter 2 for more information on nonoverlapping channels). For WEP encryption, you have three choices: 64 bits, 128 bits, or 256 bits. Depending on the strength of the encryption, you would need to enter 10, 26, or 58 hexadecimal (0 to 9, A to F, or a to f) characters.

Figure 5-24. Using WEP encryption

Chapter 4 discusses WEP keys in more detail.

That's it! Restart (switch off and switch on the router) the DI-714P+ for the new settings to take effect. Now, use an Ethernet cable and connect the WAN port of the DI-714P+ to the switch (or directly to the customer premise equipment supplied by your ISP, in case the DI-714P+ is the only switch you plan to use). You should now be able to use your computer with a wireless card (see Chapter 2) to connect to the Internet through the DI-714P+.

The configuration screen for different access point models, as well as access points from other manufacturers, will vary somewhat. The remaining sections explain how to accomplish common tasks with the web-based configuration.

5.4.2 Setting the SSID

The SSID (Service Set Identifier) gives your access point a name (see Section 2.2.2 in Chapter 2). If you intend to let strangers connect to your access point, I suggest you give your SSID a friendly name such as "welcome." (If you don't, be sure to see Section 5.4.4 and Section 5.4.11 in this chapter).

To change the SSID of the BEFW11S4, click on the Setup tab, enter the new SSID, and select the appropriate channel number. To change the SSID of the DI-714P+, click on the Home tab and select the Wireless option.

5.4.3 Setting the Channel Number

If you have multiple access points in close proximity to one another, you should set them to broadcast on different channels. To change the channel number of the BEFW11S4, click on the Setup tab, enter the new SSID, and select the appropriate channel number. To change the SSID of the DI-714P+, click on the Home tab and select the Wireless option.

5.4.4 Enabling WEP

You can also enable WEP encryption to secure your wireless network. If you use WEP, users will not be able to connect to your network unless they know (or can obtain) the WEP key. Chapter 4 goes into more detail about using WEP (and stronger systems) to secure your wireless network.

To enable WEP on the BEFW11S4 (64- and 128-bit keys are supported), click on the WEP Key Setting button. You can specify up to four keys for WEP. You can also enter a passphrase to get the router to generate the four keys required. To enable WEP on the DI-714P+ (64-, 128-, and 256-bit WEP keys are supported), click the Home tab and select the Wireless option. As with the BEFW11S4, you can specify up to four keys.

The DI-714P+ does not support generating WEP keys using a passphrase.

5.4.5 Changing the Access Point's Default IP Address

By default, when a wireless client connects to the access point, it is assigned an IP address by the access point. The default LAN IP address for the BEFW11S4 itself is The default IP address for the DI-714P+ is

A wireless router has two IP addresses ? one for LAN (Local Area Network) access and one for WAN (Wide Area Network) access. The LAN IP address (for example, is used internally within your home or office wireless network. The WAN address (for example, is for communicating with the outside world (in this case, assigned by your ISP).

You can modify the default LAN IP address of the BEFW11S4 by clicking the Setup tab and selecting the LAN IP Address option. You can modify the default IP address of the DI-714P+ by clicking on the Home tab and selecting the LAN option.

When the default IP address is changed, the range of allocatable IP addresses also changes. To learn how to change the range, see Section 5.4.7.

Be sure to enable the DHCP server on the wireless router if your ISP allocates only a single IP address to you. This allows multiple wireless users to connect to the Internet.

Forgotten the IP Address of Your Wireless Router?

Suppose you have changed the LAN IP address of your wireless router and a month later you need to configure the router again. But, what is the IP address of the router? If you've forgotten, there are two ways to solve this problem:

  1. Most wireless routers come with a reset button to restore the router back to its default factory settings. Doing so resets the router back to its original default IP address (which you can look up in the manual). But doing so also erases all the other settings. This is especially painful if you have entered the MAC addresses of all the network cards used for MAC address filtering. Note that some routers do have a backup utility to allow you to back up your settings.

  2. Use the ipconfig /all command to see the default gateway IP address (wireless router). You will see something like the following. The Default Gateway is then your wireless router.

    Ethernet adapter Wireless Network Connection:
            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . :
              Cisco Systems 350 Series Wireless LAN Adapter
            Physical Address. . . . . . . . . :
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . :
            Subnet Mask . . . . . . . . . . . :
            Default Gateway . . . . . . . . . :
            DHCP Server . . . . . . . . . . . :
            DNS Servers . . . . . . . . . . . :
            Lease Obtained. . . . . . . . . . :
              Tuesday, May 06, 2003 7:23:33 PM
            Lease Expires . . . . . . . . . . :
              Wednesday, May 07, 2003 7:23:33 PM

But what if you have forgotten your password to the router? Well, then the first option is the only solution!

5.4.6 Setting the WAN IP Address

The BEFW11S4 supports five ways to obtain a WAN IP address:

Obtain an IP address automatically

Under this configuration, your ISP assigns you a different IP address periodically using DHCP.

Static IP

With this configuration, your ISP gives you a static IP address. This is often found with commercial and hobbyist accounts where there's a need to run servers (such as a web or gaming server).

PPPoE (PPP over Ethernet)

This is a protocol used by many ADSL providers to encapsulate the Point-to-Point Protocol (PPP) within Ethernet. Among other things, it allows multiple users to be serviced through a single DSL modem.

RAS (Remote Access Service)

This is a protocol used by Windows for remote access. SingTel, a large ISP in Singapore, uses this.

PPTP (Point-to-Point Tunneling Protocol)

This is a protocol used for Virtual Private Networks (VPN), and is commonly used to establish a secure connection to a corporate network.

If your ISP allocates an IP address to you automatically, choose "Obtain an IP address automatically". If you use a static IP address, choose "Static IP". For most ADSL/DSL modem users, choose "PPPoE".

The DI-714P+ also supports Dynamic IP Address, Static IP Address, PPPoE, and PPTP.

5.4.7 Configuring DHCP

DHCP automatically assigns IP addresses to machines that connect to your access point (for more information, see the earlier DHCP and NAT).

To enable or disable the DHCP server on the BEFW11S4, click on the DHCP tab. For the DI-714P+, click on the Home tab and then click on the DHCP option.

The BEFW11S4 assigns IP addresses (if the DHCP server is enabled on the router) to all its wireless clients from a default range of to (50 users). The DI-714P+ assigns IP addresses to its clients from a default range of to (customizable).

Disabling the DHCP server on the access point requires all clients that connect to the router to have their own static IP addresses. This makes it slightly harder for unwanted users to connect to your network.

5.4.8 Changing the Administrator Password

A hacker who knows the default password on your access point and who can manage to connect to your network will have full control over your network, and all the other security precautions that you have taken (such as using WEP and disabling DHCP) could come to naught.

To change the Administrator password on the BEFW11S4, click the Password tab. To change it on the DI-714P+, click the Tools tab. I suggest you change the Administrator password frequently.

5.4.9 Disabling SSID Broadcast

By default, the access point will broadcast its SSID to all wireless clients. Anyone in the vicinity with a wireless-enabled computer now knows that you have a wireless network. In order to minimize the chances of allowing uninvited people to connect to your wireless network, it is advisable that you disable the SSID broadcast feature.

To disable the SSID broadcast on the BEFW11S4, select the Setup tab and choose "No" in the "Allow `Broadcast' SSID to associate?" option.

As of this writing, the DI-714P+ does not have the option to turn off the SSID broadcast.

5.4.10 Viewing the Status of the Access Point

If you need to check on the status of the BEFW11S4, click the Status tab. The Status tab will display information on the following options: LAN and WAN Information such as IP addresses and subnet mask will also be displayed. This is a useful option to troubleshoot network problems that may sometimes occur when you connect the BEFW11S4 to the network.

You can also renew your IP address and see the IP addresses in use by computers on your network (these are assigned by the BEFW11S4's built-in DHCP server) in the Status tab.

If you need to check on the status of the DI-714P+, click the Status tab. The Status tab will display information on the following options: LAN, WAN, Wireless, and Peripheral. Information such as IP addresses and subnet mask will be displayed. This is a useful option to troubleshoot network problems that may sometimes occur when you connect the DI-714P+ to the network. SNMP monitoring

SNMP (Simple Network Management Protocol) is a protocol used to monitor network devices. Some access points, such as the DI-714P+, will send SNMP messages (known as traps) across the network. You can configure the DI-714P+ to send SNMP messages by clicking Tools and then clicking SNMP.

To receive SNMP messages, you'll need an SNMP monitoring program such as SNMP Trap Watcher (a freeware SNMP trap receiver available from http://www.bttsoftware.co.uk/snmptrap.html). For a comprehensive list of SNMP tools as well as more information about SNMP, see http://www.snmplink.org/.

5.4.11 MAC Address Filtering

One of the security measures you can take for your wireless network is to enable MAC address filtering. MAC address filtering ensures that only computers with the specified MAC addresses are allowed (or denied) access to the network. This can prevent wandering users from accessing the network.

MAC address filtering is not foolproof: using the appropriate utility, a wireless card can assume any MAC address. However, MAC address filtering will prevent users from casually connecting to your access point.

You can use the ipconfig /all command to check for the MAC address of your wireless card. Most wireless cards have the MAC address directly printed on it. Figure 5-25 shows the MAC address printed on my Cisco Aironet 350.

Figure 5-25. The MAC address printed on the Cisco Aironet 350

To enable MAC address filtering on the BEFW11S4:

  1. Click on the Advanced tab and then the Wireless tab.

  2. Choose the Enable option in the Station Mac Filter section.

  3. Click on Edit MAC Filter Setting.

  4. Enter the MAC addresses of the wireless card/adapter to which you would like to grant access. If you want to prevent a particular device from connecting, check the Filter checkbox (see Figure 5-26). You can enter up to 32 MAC addresses. (Other routers from Linksys and other vendors may have a different limit.)

Figure 5-26. Specifying the MAC addresses for enabling wireless access (BEFW11S4)

To enable MAC address filtering on the DI-714P+ (see Figure 5-27):

  1. Click on the Advanced tab and then the Filter tab.

  2. Choose the MAC Filter option.

  3. Choose "Only allow computers with MAC address listed below to access the network".

  4. Enter the MAC address of each computer to which you want to allow access and turn on the Enable checkbox.

  5. Click the Apply button.

Figure 5-27. Specifying the MAC addresses for enabling wireless access (DI-714P+)

5.4.12 Opening a Port

In some cases, you may want to punch a hole in your firewall to let users on the Internet access a service on one of your computers. For example, you may want to run a public web server on your network. However, when a remote user tries to connect to your public IP address, she'll be stopped dead in her tracks by your access point's firewall.

Be careful using this option. Even if you only tell a few friends about your web server (or FTP, game, or some other kind of server), malicious hackers will scan your computer on a regular basis (they choose ranges of IP addresses and scan them constantly with automated tools looking for victims), and will be able to tell if the port is open. As soon as they find it, they will begin probing it for vulnerabilities using kits put together by experienced hackers. Unless you are prepared to make daily visits to http://www.microsoft.com/security/ to check for and act upon security bulletins, you should think twice before punching a hole in your firewall. It's not a matter of whether the hackers will go after you, it's a matter of when.

You can configure the access point to accept connections on a particular port and let one of your computers inside your network handle it. For this to be effective, you should configure that computer with a fixed IP address (otherwise, the access point's DHCP server may assign a different IP address each time). If you do this, make sure the fixed IP address is outside the range of DHCP addresses used by your router (see Section 5.4.7 earlier in this chapter), or you could end up with two computers on your LAN with the same IP address.

To open a port on the BEFW11S4:

  1. Click the Advanced tab and select Forwarding.

  2. Specify the port or port range, IP address, and whether the port should be open for TCP, UDP, or Both. If in doubt, select Both.

  3. Click the Apply button.

To open a port on the DI-714P+:

  1. Click the Advanced tab and select Virtual Server.

  2. Specify the port or port range (for example, 80-81) and the IP address of the machine running the service, and turn on the Enable checkbox.

  3. Click the Apply button.