Segmenting and Securing Networks with Microsoft Wireless Base Stations
Published: January 26, 2004
By Barb Bowman, Windows XP Expert Zone Community Columnist
Editor's Note: Past articles by members of the online community are archived for your use. The information may become outdated as technology changes. For the most current information, please search the Web site or post a question in the newsgroups.

In the newsgroups, e-mail, and other community forums, I've recently had many requests for instructions on how to replace a Microsoft MN-500 802.11b wireless networking router with the newer Microsoft Broadband Networking MN-700 wireless router that supports 802.11g and the newer Wi-Fi Protected Access (WPA) security.
WPA Wireless Security for Home Networks covers the advantages of using WPA as opposed to wired equivalent privacy (WEP) for securing your network. In Raising the Speed Limit with 802.11g, I showcase the capabilities of 802.11g wireless networking. Expert Zone readers have asked that I demonstrate how to set up and configure WPA-PSK on the new Microsoft MN-700 802.11g base station. (The Setup Wizard doesn't handle this task because WPA is only supported on Windows XP. The wizard is designed to handle setup on mixed networks with other supported versions of the Windows operating system where only WEP can be used.) Readers have also asked how WPA fits in with a network already running a Microsoft MN-500 802.11b base station and non-WPA-capable network cards.
In this column, I demonstrate how to create a segmented network that uses the best available security and throughput. I'll start with a network running the Microsoft 802.11b MN-500 wireless base station (router) behind a cable modem and show you how to replace this router with a new Microsoft MN-700 802.11g base station (router). You'll learn how to configure it properly on a broadband connection without the need to contact your provider.
Next, I'll show you how to configure your network so that you have the capability of running your new base station in the fastest G-only mode with the strongest 256-bit encryption available using WPA-PSK. Along the way, I'll transform the MN-500 into an 802.11b access point, using bridging mode to provide connectivity for 802.11b clients and for any 802.11g clients or devices that are not WPA enabled. I'll finish by integrating the reconfigured MN-500 into the network.
Advantages of a Segmented Network
Although 802.11g is backward compatible with 802.11b, I prefer to segment my network into 802.11b segments and 802.11g segments using separate hardware. A segmented network lets me take advantage of WPA-PSK on my Windows XP computers. With this configuration, I can still use WEP to secure other devices and older operating systems that are not WPA enabled.
This topology includes the following benefits:
• Provide WPA security for 802.11g-capable clients.
• Use G-only performance mode for best throughput.
• Provide a separate wireless network to connect 802.11b clients and any 802.11g clients that cannot be configured for WPA. (Non-WPA-capable 802.11g clients will connect at 802.11b speeds using this configuration.)
• Provide WEP security for 802.11b clients and for 802.11g clients that are not WPA capable.
• Establish two unique SSIDs.
• Use two channels, separated by at least five channels.
Determine Your Current Settings First
As tempting as it may be to plug in your new MN-700 hardware and insert the included CD, this is not the first step to take. Start by determining certain current network configuration settings and writing them down or saving them to a text file. While connected to the MN-500 using a wired connection, open the Base Station Management Tool (BSMT), either by using the Broadband Networking Utility or by opening your browser and navigating to http://192.168.2.1. (If you changed this default to another IP address, use that instead.)
You'll need to determine and save the following information:
• The MAC address and/or host name assigned to the MN-500. (Many ISPs use the MAC address or a host name for authentication. If you originally cloned a MAC address into an MN-500, this is the MAC address that should be used in the MN-700 that will shortly be placed online.)
• The WEP encryption key.
• If you are using MAC address client filtering and port forwarding, you should save this information as well.
• If your ISP provides you with a static IP address and DNS servers, you will need to record this information.
I've found that I can copy most of this information directly from the page that opens and paste it into Notepad and save as a text file, which ensures that typing errors won't occur. As an alternative or backup to saving information in a text file, take a screen shot of each page on the MN-500 and save for reference. You can do this easily by pressing ALT-PrtSc on your keyboard and pasting the image into Microsoft Paint and saving each configuration page that you need to a file on your hard drive.
When you have completed gathering the settings from your MN-500, disconnect it from your broadband modem but leave it connected to your computer.
Reconfigure the MN-500 as a Wireless Bridge
The next step is to change from routing mode to bridging mode, which allows your MN-500 to act as a wireless access point.
Important: If you follow the procedures I've listed below instead of the procedures documented in the MN-500 User Guide, you will not lose the ability to administer the MN-500. This will give you the ability to change the SSID, channel, and encryption key if needed without performing a factory reset of the base station and starting from scratch.
1. While logged into the BSMT, click the Local Area Network link and access the Settings page, as shown in Figure 1.
2. Change the IP address from the default (192.168.2.1) to another IP in the same range and set the DHCP server to disabled using the list. Click Apply. In the example shown above, I've changed the IP to 192.168.2.252. Wait for all lights to turn green on the base station.
3. Open the BSMT again using the new IP. Use your Web browser and navigate to http://192.168.2.252 and enter your password if prompted. You will not be able to open the BSMT from the Microsoft Broadband Networking Utility (BNU).
4. Click Security, and then click Network Mode.
5. Click Bridging mode, as shown in Figure 2, and then click Apply.
6. Disconnect your computer from the MN-500 but do not disconnect the power from the MN-500 because it may take several minutes for the hardware to restart in access point (bridging) mode.
Connect and Set Up the New MN-700
The Microsoft Broadband Networking Wizard makes it easy to set up a new MN-700 even if you are replacing an existing router such as the MN-500. Collecting and recording the settings of the hardware being replaced is the key to success. With these settings available, here are the critical steps for the initial configuration of the new MN-700 using the wizard:
1. Connect the modem port of the MN-700 to your broadband modem using Ethernet. Then connect a computer with a wired Ethernet connection to one of the LAN ports on the MN-700.
2. Insert the CD that was supplied with the MN-700 and when prompted, click Set up a product.
3. Click Base Station and then click Wireless G Base Station (MN-700, MN-820).
4. Click External broadband modem connected with Ethernet cable. When the base station is detected, click Next to continue.
5. Select Dynamic (or Static IP or PPPoE, if that is your connection method). You should have saved static IP settings from the MN-500 if this was your connection type.
6. Use the MAC address that you saved from the MN-500 settings and enter it into the MAC address field, as shown in Figure 3. I've entered the MAC address previously cloned into an MN-500. If your ISP authenticates using a host name, enter the host name you saved earlier in the field provided. If your ISP does not authenticate using a host name, you can enter any name into this field.
7. Specify Dynamic DNS in the next window or enter the IP addresses of DNS servers saved earlier.
8. Supply a name for your base station and then specify a password for your base station. This is the administrative password that will let you manage and change the configuration.
9. Supply a wireless network name and specify the channel. Be sure to change the wireless network name from the default. You must use a wireless network name that is different from that of the MN-500. Since I'll be adding my MN-500 to the network in bridging (access point) mode next, I need to ensure that the new MN-700 is using a different channel to avoid interference. The MN-500 is using channel 6, so I've selected channel 11. Use channels that are at least five apart for best results.
10. Specify 128-bit WEP encryption for now. You want to keep your network as secure as possible while configuring it. Use the same WEP key that you saved from your MN-500.
11. Click Next as prompted and the wizard will apply the settings to your base station and restart it. This may take several minutes.
When all lights on the newly configured base station are green, power cycle your broadband modem.
Set Up WPA on the MN-700 and Client Computers
During the initial setup of the MN-700, 128-bit WEP encryption was configured. WPA must be configured after the initial base station setup is completed. WPA is not configurable by the Setup Wizard. Here are the steps to configure the MN-700 base station to use WPA:
1. Open the Base Station Management Tool using the Microsoft Broadband Networking Utility by clicking Tools, and then clicking Base Station Management Tool. (Alternatively, open your Web browser and navigate to http://192.168.2.1.)
2. Enter the base station password.
3. Click the Security, Wireless Security link.
4. Select 256 bit WPA-PSK from the Encryption Strength list (Figure 4).
5. Create a passphrase of at least 20 characters, using a combination of letters and numbers or other characters. In Figure 4, I've used par1liamentisn0tinsessi0n0verxmassin2003. After entering it, I've copied this passphrase from the BSMT to the clipboard and pasted it into a text file using Notepad and saved it for future reference. Then click Apply.
6. Because I'll be using my MN-500 to service 802.11b clients, I change the performance setting of the MN-700 to G-only by clicking the Wireless link, and then selecting g performance from the Wireless mode list as shown in Figure 5.
7. Click Apply, and then log out of the BSMT by clicking Log out on the top right of the page.
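How the passphrase from Step 5 becomes the 256-bit key, shown as an added example that is not part of the original column or of any Microsoft tool: WPA-PSK (IEEE 802.11i) derives the key with PBKDF2-HMAC-SHA1, using the wireless network name (SSID) as the salt, which is why a network name changed from the default matters as well as a long passphrase. The function names and the SSIDs "HomeG" and "HomeB" are constructed for illustration.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit WPA-PSK key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def meets_article_guidance(passphrase: str, min_len: int = 20) -> bool:
    """The article's rule: at least 20 characters, letters mixed with digits or other characters."""
    has_letter = any(c.isalpha() for c in passphrase)
    has_other = any(not c.isalpha() for c in passphrase)
    return len(passphrase) >= min_len and has_letter and has_other


def keys_for_networks(passphrase: str, ssids) -> dict:
    """Derive the key for the same passphrase under each SSID.

    The SSID is the salt, so each network name yields a different key, and
    two base stations sharing a default name would share the key as well.
    """
    return {ssid: wpa_psk(passphrase, ssid).hex() for ssid in ssids}


if __name__ == "__main__":
    # Passphrase quoted in Step 5 of the article; SSIDs are constructed samples.
    passphrase = "par1liamentisn0tinsessi0n0verxmassin2003"
    print("meets the 20-character guidance:", meets_article_guidance(passphrase))
    for ssid, key in keys_for_networks(passphrase, ["HomeG", "HomeB"]).items():
        print(f"{ssid}: {key}")
```
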
After the base station is configured for WPA, you should install your wireless client adapter(s). If you are installing a Microsoft MN-720, MN-730, or MN-710, do not use the Microsoft Broadband Networking Setup Wizard to configure WPA. First, ensure that you have installed Windows XP Service Pack 1 and the Wireless Update Rollup Package for Windows XP (Microsoft Knowledge Base article 826942).
Note: Windows XP operating systems provide native support for WPA and you should always use the Wireless Auto Configuration, the built-in Windows XP feature enabled by the Wireless Zero Configuration service, with the Microsoft wireless adapters.
Install the hardware and allow the Found New Hardware Wizard to install the appropriate drivers. If the Network Wizard appears, cancel it. After Windows XP reports that your new hardware is ready to use, access the built-in Wireless Auto Configuration and use it to configure WPA-PSK. To do this, follow the procedures outlined in my WPA Wireless Security for Home Networks, as shown in the Configure WPA-PSK on Windows XP section. Use the passphrase from Step 5 in the procedure above. Note that you can paste from Notepad into these fields, which makes it easy to enter a more secure (longer) passphrase.
Create an Efficient Segmented Network
The last step is to reconnect the MN-500 to your network. Connect an Ethernet cable from the modem port on the MN-500 to an open port on the MN-700. If you use the modem port and not one of the internal LAN ports, you'll be able to access and administer the MN-500 by opening a Web browser and navigating to the static IP address that you previously configured. Because I configured the MN-500 with a static IP of 192.168.2.252, when I need to change a setting, I open Internet Explorer, navigate to http://192.168.2.252 and enter my password. This provides me with full access to all administrative settings.
I've now created a segmented and very efficient network with the best possible security.
• The MN-700 (configured for G-only performance) will not allow slower 802.11b clients to connect.
• WPA-enabled 802.11g adapters can be configured to use the MN-700.
• 802.11b clients and/or non-WPA-capable 802.11g devices can be configured to use the SSID of the MN-500 using 128-bit WEP encryption.
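A check of the finished plan against the rules given in this column (bridge IP in the router's range, DHCP off on the bridge, two unique SSIDs, channels at least five apart, WPA-PSK on the MN-700), written as an added example that is not part of the original article. The dictionary layout, the SSIDs, and the 255.255.255.0 netmask are assumptions; the channel test uses the 2.4 GHz channel plan (centre 2407 + 5 × channel MHz) and the roughly 22 MHz width of an 802.11b signal.

```python
import ipaddress


def center_mhz(channel: int) -> int:
    """Centre frequency of 2.4 GHz channel 1-13."""
    if not 1 <= channel <= 13:
        raise ValueError("channel outside 1-13")
    return 2407 + 5 * channel


def channels_overlap(a: int, b: int, width_mhz: int = 22) -> bool:
    """Signals overlap when their centres are closer than one signal width."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def audit_plan(router: dict, bridge: dict, netmask: str = "255.255.255.0") -> list:
    """Return a list of findings; an empty list means the plan follows the article."""
    findings = []
    net = ipaddress.ip_network(f"{router['ip']}/{netmask}", strict=False)
    if ipaddress.ip_address(bridge["ip"]) not in net:
        findings.append("bridge IP is outside the router's range")
    if bridge["ip"] == router["ip"]:
        findings.append("bridge IP duplicates the router IP")
    if bridge.get("dhcp_server"):
        findings.append("DHCP server must be disabled on the bridge")
    if bridge["ssid"] == router["ssid"]:
        findings.append("both segments use the same SSID")
    if channels_overlap(router["channel"], bridge["channel"]):
        findings.append("channels are fewer than five apart")
    if router["encryption"] != "WPA-PSK":
        findings.append("router segment is not using WPA-PSK")
    return findings


# Values from the article, except the SSIDs, which are constructed.
MN700 = {"ip": "192.168.2.1", "ssid": "HomeG", "channel": 11, "encryption": "WPA-PSK"}
MN500 = {"ip": "192.168.2.252", "ssid": "HomeB", "channel": 6,
         "dhcp_server": False, "encryption": "WEP-128"}

if __name__ == "__main__":
    print(audit_plan(MN700, MN500) or "plan matches the article's rules")
```
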
My final step, now that I've created and tested my ideal network configuration, is to save the settings of the MN-700 to a file on one of my computers. This gives me the security of knowing that if I change the configuration, I always have a baseline configuration to return to.
To save the MN-700 configuration:
1. Open the BSMT or use your Web browser and navigate to http://192.168.2.1 (or other IP if you changed it from the default settings).
2. On the Management tab, click Backup and Restore Settings.
3. Save the file (settings.dat) to your hard drive. Change the name of the file to one that indicates the device and the date to make it easily recognizable. Instead of settings.dat, use a name like "700settings_dec122003.dat".
Help with Microsoft Broadband Networking Products
Microsoft offers a dedicated newsgroup specifically for the support of Microsoft broadband networking products. If you need help configuring your Microsoft wireless networking products, Microsoft MVPs will provide assistance in this peer-to-peer online forum. See you there!
Barb Bowman enjoys sharing her own experiences and insights into today's leading edge technologies. She is a product development manager for Comcast High-Speed Internet, but her views here are strictly personal.