Setup WiFi - And WPA - Carefully

Setting up a WiFi LAN is a great experience. The convenience of surfing the web from your back yard, or sharing files between your main computer and your music server, without running wires here and there, is exhilarating. But there is stress involved.

When you connect a computer to a WiFi LAN, with WPA (and WPA-PSK is absolutely the minimum security measure that you should - no must - take), you are testing a number of things, simultaneously.

  • The WiFi router.
  • Your computer.
  • Your WPA setup.

Now if you do this carefully, and with a small amount of preparation, the whole project can take an hour - or less. Plan it wrong, or make a mistake, and you could be days figuring out the problems. Use a layered strategy - similar to layered testing.
  1. Get each computer connected, by Ethernet, to each other.
  2. Setup, and copy, a key set to each computer.
  3. Get each computer connected, by WiFi, with no security.
  4. Setup WPA on the router, and on each WiFi client.

The different WiFi router vendors have different ideas what type of key their WPA security should work with. Steve Gibson's GRC "Perfect Passwords" Generator will give you a choice of 3. Here's an example of what you might be provided when you click the latter link. Try it, and see.
  • 64 random hexadecimal characters (0-9 and A-F) (not case sensitive):

  • 63 random printable ASCII characters (case sensitive):
    Hb+r#^S-T/1!JTP0_~SB 4&rQ7|s"q)7S`teMB`]x_uGATQQ-{B:=%W/_")$w6h

  • 63 random alpha-numeric characters (a-z, A-Z, 0-9):

All I do is to go to the web page (where it generates a new key set each time - try it), copy the six lines (as in the above list) to a Notepad file, and save the file. Then, with all computers connected by Ethernet (step 1 above), copy the file to each computer. Depending upon the router, one key may work properly, while another won't. Having 3 possibilities, in an identical set on each computer, means repeatedly copying and pasting, without having to worry about getting the computer back online, by other means, to simply copy another file.

After you copy the key set to each computer, start up the WiFi radio, and the WiFi clients. Start with WiFi in open (unencrypted) mode. Make sure that the router works, and you have a working signal, by testing without setting up security.

Since you'll probably be testing the router connection by loading a web page, decide how comfortable you are with giving your neighbourhood open Internet access while you test. If you're not comfortable, then disconnect the Internet feed from the router, while you test, and load the router management web page for your test. Reconnect the Internet service after you get WPA security working.

After you can connect the computer without security, and all network functions work, add WPA-PSK security.
  • Configure the router - copy the appropriate portion of 64 random hexadecimal characters into the router management program.
  • Copy the identical portion of 64 random hexadecimal characters into the client computer WiFi client manager setup wizard.
  • Test the WiFi client. If it works, fine. If not, repeat these steps, trying the 63 random printable ASCII characters, and finally the 63 random alpha-numeric characters.

This is 3 times as complex as it needs to be, and after you've done this a few times, you'll be able to simplify these procedures. But for the first couple times you do this, the careful planning, and the lowered stress level, will make it easier to not make mistakes. By not making mistakes, you're more likely for this to work. And making it work is the reason for my writing this in the first place.

>> Top

Advanced Windows Networking Using Internet Protocol

Windows Networking is the subsystem that lets you share files and printers, between computers running the various versions of Windows. Server Message Blocks, also called SMBs, are the foundation of Windows Networking. SMBs provide several crucial functions.

(Note): If you're not familiar with the concept of network layers, take a few moments and read about the OSI Network Model.

SMBs are not transported directly over the various physical networking components, as Layer 1 or 2 traffic. SMBs may be transported over Internet Protocol (IP), as well as alternate protocols like IPX/SPX or NetBEUI.

Windows Networking has historically used NetBIOS Over TCP/IP (NetBT) as an intermediate transport for SMBs over IP. Windows 2000, XP, and Vista however, will transport SMBs over IP, without NetBT, using directly hosted SMBs.

To remain compatible with the older versions of Windows, a Windows Networking client, running Windows 2000, Windows XP, or Windows Vista, can use either directly hosted SMBs, or it can use NetBT. If any server supports directly hosted SMBs, the client computer in question will bypass NetBT, when communicating with that specific server.

This dual compatibility, which allows Windows 2000 / XP / Vista clients to communicate with computers running other editions of Windows, is not without cost. Trying for two communications channels, when establishing a connection with any server, increases program complexity and network traffic. In some cases, it may increase latency.

We need to resolve one major misconception. It may appear that when you Disable NetBT, you are disabling Windows Networking over IP. This is not correct. When you Disable NetBT, you are merely disabling hosting of SMBs over NetBT. You then end up with SMBs hosted directly over IP. But look at address resolution on your LAN, before trying this. Don't make this change blindly.

If your LAN
  • Has a domain.
  • Has computers running only Windows 2000, Windows 2002 (aka Windows XP), Windows 2003 (aka Server 2003), Windows 2006 (aka Vista), and Windows 2009 (aka Windows 7).
  • Uses DNS, properly setup, for name resolution.
then you may wish to Disable NetBT, and (KB204279): use directly hosted SMBs. If any of the above are not true, you should Enable NetBIOS Over TCP/IP. Be consistent on all computers.

In the TCP/IP Properties - Advanced wizard, WINS, select Disable NetBIOS Over TCP/IP. Alternately, if you have the Default NetBIOS setting selected (instead of "Disable" or "Enable") on your client computers, and you have a DHCP server (not a NAT router with DHCP), you can disable NetBT from a DHCP server setting.

If you use directly hosted SMBs, whether alternately or exclusively, be aware of the security implications.
  • NetBT uses TCP and UDP ports 137 - 139.
  • Direct hosted SMBs use TCP port 445.

Be sure that all personal firewalls have the proper ports opened.

Here are the relevant ports used by SMBs over NetBT, per IANA port number allocation:

netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service
netbios-dgm 138/tcp NETBIOS Datagram Service
netbios-dgm 138/udp NETBIOS Datagram Service
netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service

And the relevant ports used by directly hosted SMBs:

microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS

Similar to the effect of a personal firewall, SMBs can be setup to use secure channel communication, by using SMB Authentication and Encryption. If you ever see
The account is not authorized to log in from this station.

then check SMB Encryption and Signing settings.

And, if you have an integrated security suite (previously sold as anti-virus protection), you may have an anti-worm component protecting you. Anti-worm protection, if not correctly configured, may interfere with any or all of the above NetBT traffic. Different brands of products will cause different problems.

For more information:

>> Top

Sharing Files With The XBox 360

The XBox 360 is a gaming computer, and more. As a computer, it's perfectly capable of sharing files, music, movies, what have you, with any computer on the LAN.

Since the XBox 360 is built on the Windows Media Center Edition platform, (KB887212): it can't join a domain. You'll do better having your computers in a workgroup.

You'll need either Windows Media Connect or Windows Media Center Extender. You may find additional information in:

>> Top