Student Accomodation - Got A Router And Could Use A Hand

[pritchard9]

I'm currently staying in student accomodation. However, internet access is wired only, with ports only in our bedrooms. I noticed that this made my flatmates and I quite unsociable, having to stay in our rooms in order to stay online. So I looked up the DD-WRT database and found a nice, cheap compatible router - the WRT160N.

The router works fine with the stock firmware, so I'm not flashing just yet. However, the problem arises during logins.

When you connect your machine to the ethernet port, and open up a browser, you get a login screen asking for a username and password. This is obviously so they can keep an eye on what we're looking at ;). I expected that when I plug in the wireless router and people connect, they would all have to individualy enter their username and passwords. However, everyone ends up logged into the first account that logs in.

Can one of you clever folk tell me how I can set it up so that each wireless device need to log in individually?

Thanks for your time,

pritchard92

[Samysam]

Hmmm... I wouldn't know

it'd be cooler if you just bypassed the login overall :P

Edited November 1, 2010 by Samysam

[digip]

NAT is masking this, so their network, in my mind, is only seeing the MAC for the router and is assigning the first login with correlation to the MAC address of the router.

They should instead be doing it based on the connecting machine names or providing a socks proxy to login to for all browsers by account.

Does your router have the option to put all connected devices in the DMZ, so the schools network can see each individual machine (also defeats NAT and the protection from anonymous scans and attacks, will put you directly onto the network). If they could see each machine and its MAC address, I assume all would then get prompted for logins based on unique MAC addresses.

[pritchard9]

Thanks for the speedy reply!

I've just found that section just now. However, it's asking for a destination ID or a MAC address?

[digip]

Read the help link in that panel, and see if the source address is the schools network, or the local devices on the router. Also if destination is a local device or the intended network to connect the source IP to. I'm not familiar with your router settings.

Looks like you can only do one device, but not sure.

[VaKo]

LOL, when I worked for a university, one of my jobs was hunting for people who'd setup wireless AP's. When I found one, because I wasn't allowed to enter the flat without being invited, we used to unplug the entire flat from the switch. Just an FYI, hide the SSID at least, or name it after any nearby businesses.

[digip]

If you can get an old hub, that would probably work too. No NAT to get in the way. Hell, try turning NAT off, see if you can still connect. Might have to turn off DHCP, and set it up with an IP on the school network, and then get IP's from the schools DHCP server in the process.

[pritchard9]

@digip: It seems that I can only DMZ one device at a time :(

digip2: I wouldn't really know how to start though.. I'm not sure on the universities network topology, or whether that topology is similar or connected to the one in the student accomodation :s

@Vako: LOL. Dominoes it is :)

Ideas guy? :)

Edited November 2, 2010 by pritchard9

[digip]

Some ideas, 1) set the router up to get addresses from the school, 2) get a switch and point it to the schools gateway, 3) or use a hub.

[pritchard9]

My lack of knowledge when it comes to networking is really showing here :(

AFAIK (which isn't very far at all, really..), #1 means that i've got to find a way for the router to request address from the school's DHCP server. Is that correct?

Also, just for the record, I've just flashed DD-WRT onto the router successfully, and it's working beautifully. Just now the way I wanted it to..

[Infiltrator]

My lack of knowledge when it comes to networking is really showing here :(

AFAIK (which isn't very far at all, really..), #1 means that i've got to find a way for the router to request address from the school's DHCP server. Is that correct?

Also, just for the record, I've just flashed DD-WRT onto the router successfully, and it's working beautifully. Just now the way I wanted it to..

Your router by default comes with a built in DHCP server that can lease IP addresses. But since your university network already have its own DHCP server, you might just better off disable DHCP server on your router altogether, to avoid conflicts.

[digip]

Your router by default comes with a built in DHCP server that can lease IP addresses. But since your university network already have its own DHCP server, you might just better off disable DHCP server on your router altogether, to avoid conflicts.

It won't make conflicts, but if he wants to get addresses from the schools pool of available addresses, he needs to disable it in the router and point it to the schools gateway so the computers on his router don't get local addresses, but instead addresses in the range from the schools pool.

@pritchard9, now that you have the new firmware, can you put them all in the DMZ? Do you all now get prompted for signons?

[Infiltrator]

It won't make conflicts, but if he wants to get addresses from the schools pool of available addresses, he needs to disable it in the router and point it to the schools gateway so the computers on his router don't get local addresses, but instead addresses in the range from the schools pool.

So you are saying that by placing another DHCP server on the same network segment, won't make any difference whatsoever.

[Netshroud]

Can you set up the router as a boring wireless access point instead of a router? That might do the trick.

[Infiltrator]

Yeah just turn off all the services on the router and then you should be able to use it as switch only.

[digip]

So you are saying that by placing another DHCP server on the same network segment, won't make any difference whatsoever.

Had to think about that for a minute, you are right he can't hand out addresses for the schools network, or it would create duplicates that might be in use and cause conflicts. The router wont let you do this anyway most likely, and should get an error trying to give out addresses in a pool it gets its own address from.

He's not placing another DHCP server on the schools network. His router is already doing DHCP for his room's LAN, while the school has its own DHCP server. If the school was on say the 10.X.X.X/8 subnet and his router was on 192.168.1.X/24 subnet, on the inside of his lan, his pc sees the 192.168.1.X-XXX network and gets an address in that range from his own router, while the routers outside (internet facing address) is part of the schools 10.X.X.X subnet and assigned an address in the 10.X.X.X range of the schools network pool (or whatever subnet range they are using). NAT handles talking between the two subnets and routes the packets accordingly.

After giving this whole setup some thought though, disabling DHCP won't help because you would then have to set your NIC's IP manually, and you are still confined to your routers internal subnet range, so thats a no go.

Turning NAT off won't help either, and would prevent you from reaching outside of the routers own subnet (in other words, you wouldn't be able to reach the Internet or schools lan with no way to speak to a different subnet than your own. The router would only router to itself, only the other connected PC's on the routers own subnet would be seen by each other).

I'm trying to think of what the best way is to do this and you probably can't with the current router unless you can set all of the nodes into the DMZ, which I don't even think is possible(at which point might as well have a switch or a hub).

The only consumer switches and hubs I know of are wired, but using a plain switch or even a hub would probably be the best chance, just require everyone to plugin, no wifi. The layer3-4 wireless switches are like $3-4000(example, a D-Link DWS1008 Wireless Switch).

I think the school is assigning access based on what they think is the students MAC address per student signon. I believe this would assign one logon to everyone connected to his router because they only see the MAC address of his router. They probably use the students MAC address alone for legal reasons to track back to a students physical machine, in the event they abuse the network or get any legal paperwork to identify someone for abuse, such as file sharing, etc. In his case, this just happens to be his router's MAC and not the actual student's NIC MAC address.

I could see the schools current setup being abused though, because if someone on his lan did something of an offense, they would trace it to the one students signon attached to the allowed MAC address that was first used for all the other people on his router. If everyone was then under that one persons signon, only that person would be looked at as the responsible party when in fact someone else could be at fault.

Edited November 2, 2010 by digip

[pritchard9]

Again, thanks for the replies. Very much appreciated.

Unfortunately, even with DD-WRT, i can only assign one machine into the DMZ, via their assigned IP.

That's the most worrying part of this - i trust my flatmates, but not the friends that they bring round who might use their machines. This leads me to think that I should just use the router personally, unless I can get each computer who is running through the router an IP address which is recognised by the accomodations DHCP server, such that each computer must have a sign-in.

Unfortunately, I'm at at University just now. However, I've just read how to set my DD-WRT router purely as an AP. I'll give this a go when I get home.

Quick question though: this will give me less control over the wireless network, won't it?

UPDATE!:

I tried the router with everything DHCP-related disabled, aswell as the firewall and all of the services, and still no connection - I get a "limited connection", which I guess means I am connected to the router, but not to the internet.

Any other possibilities? I feel like it's possible, but I just don't know how to do it, or where to even begin looking it up. As an FYI, we use KeyCom to get online from student accomodation.

http://www.keycom.co.uk/index.php?p=keysurf&i=2

Edited November 2, 2010 by pritchard9

[Infiltrator]

UPDATE!:

I tried the router with everything DHCP-related disabled, aswell as the firewall and all of the services, and still no connection - I get a "limited connection", which I guess means I am connected to the router, but not to the internet.

Any other possibilities? I feel like it's possible, but I just don't know how to do it, or where to even begin looking it up. As an FYI, we use KeyCom to get online from student accommodation.

One of the reasons why you are receiving limited connectivity is because your computer has not received a valid ip address. If you open up a command prompt windows and type ipconfig and then press enter

You most likely will get an ip address of 169.254.X.X.

Instead of using DMZ, just use one of the normal ports on the router and give it shot again, it should work.

[digip]

I think a native switch or hub would be required ro you can still get DHCP from the schools server, and not tied to the NAT of the routers internal DHCP server.

Even a wireless bridge might do. Should be able to get DHCP from the schools network in this manner. We need some more cisco people to have a look, they could probably answer the question in 2 seconds. Personally I think a switch or hub would be what you need though.

http://www.google.com/products?num=50&...sa=N&tab=wf

Edited November 3, 2010 by digip

[pritchard9]

Gah, not luck yet..

@digip: ohright.. I was hoping that I would be able to mimic the functionality of a hub or switch using DD-wrt. And now that i've got a working dd-wrt router, I'm a bit wary about spending any more money on an idea which seems to have totally fallen apart :(. On the other hand, I can also VPN into the university network without going through the KeyCom setup at all.. This gives me an idea in terms of using the router just for myself, instead of the original idea of setting it up for the flat.

[xiaoai201010]

ead the help link in that panel, and see if the source address is the schools network, or the local devices on the router. Also if destination is a local device or the intended network to connect the source IP to. I'm not familiar with your router settings.

Looks like you can only do one device, but not sure

[Machstorm]

LOL, when I worked for a university, one of my jobs was hunting for people who'd setup wireless AP's. When I found one, because I wasn't allowed to enter the flat without being invited, we used to unplug the entire flat from the switch. Just an FYI, hide the SSID at least, or name it after any nearby businesses.

I know what you mean I used to work for the IT department at local university. We used to catch people left and right and turn them off at the switch as well. Some of the Admins will go around the dorms with Wifi finding devices and if that signal is triangulated at you dorm then by by internet. The Campus that I worked at is the same campus where I am taking a major in Information Assurance and Forensics. Not that it should have any correlation at all with any anonymous take downs of any unsecured wireless routers on campus. ^_^

Edited November 4, 2010 by Machstorm

[Machstorm]

Sorry about the double post I got a little click happy. Ignore this post nothing to see here.

Edited November 4, 2010 by Machstorm