Yesterday, I saw a social media post from my friend Thorsten, who is an engineer for a large network security company, in which he shared some nifty dashboard graphics from his installation of a nifty little Linux distribution known as T-Pot (I’m a total sucker for great dashboards!).
T-Pot is a collection of various network honeypots with a very nice reporting backend. The project is maintained by Deutsche Telekom, who use it extensively within their own networks. (disclosure: If you run it, it will send back anonymized collected information about the threats seen to their data lake)
So I’m going to veer off a little bit from my regularly scheduled Working From Home series and talk about the importance of securing your networks. T-Pot won’t actually secure your network, it will merely report on the threat actors (most of them automated) that are attacking your network every second of the day. And to a small extent, time they spend “attacking” your honeypot is time they’re not spending attacking real targets (like Pooh up there at the top)
T-Pot takes about 30 minutes to install on a virtual machine (put it in a VLAN that is isolated from everything else!) and then all you do is add a firewall rule to port forward all TCP/UDP (I also did ICMP) to that machine (after any rules to forward to actual stuff), and let it do its thing.
Results will start coming in almost instantly. In a matter of minutes, I’d collected literally hundreds of attacks. After a couple of hours, the numbers were a little disturbing. About 90 minutes after going live, I saw a sharp uptick in one type of attack, as it seems the attackers had found a new target and relayed that information to other attackers.
If you’re a business hastily trying to get people to work from home, did you just open up a port forward on your Layer 3 firewall to allow Remote Desktop? That probably wasn’t a great idea. As you can see, threat actors are constantly scanning each and every IP address on the internet, probing for vulnerabilities. All it takes is one successful entry into your network, and you’re toast. That can come through your homebound workers as well, if their networks aren’t secure.
Do you still think you don’t need a Layer 7 firewall?
In my previous post, I went over the basics of working from home. It’s worth noting here that many of these concepts can also be applied to your kids who might be taking school online – they’re teleworking just like you are, and face many of the same challenges. In this and future posts, I’ll be dealing with the tech basics required for a successful and productive home office.
I was originally going to do a single post on all things tech, but it started getting lengthy, so I decided to break it down into a couple of parts. This post will deal specifically with external network connectivity.
No surprises here – a decent internet connection is pretty much a given for remote work. One thing that is becoming apparent during this quarantine period is that a whole lot of people have abysmally bad internet connections at home. I’m hearing horror stories from the trenches, from my colleagues and friends who work front-line IT support.
The word “Broadband” is thrown around a lot by ISPs intent on selling you a service package, but what does it really mean? In the United States, the Federal Communications Commission updated their definition of “broadband” most recently in 2015, to mean a connection speed of at least 25Mbps downstream (from ISP to your house), and 3Mbps upstream (from your house to your ISP. But what do those speeds really mean? The FCC also has a handy guide listing what activities require what level of speed.
So your Cable ISP touts their “SuperGigaFast” service with “gigabit” service. Sounds great, right? Not so fast. Cable-based ISPs that come into your house via a coaxial cable use a technology called DOCSIS, which has great downstream speeds, and (usually) abysmally bad upstream speeds. The cable companies originally designed this technology back in the late 1990s when internet usage consisted largely of downloading web pages and sending small bits of control data. This meant that an asymmetrical connection would work great for most users, and they would be able to leverage their existing wiring infrastructure.
Fast forward 25 years to 2020, and cloud-based data storage and teleconferencing and the like mean that you need a lot more upstream speed than you used to. But that hasn’t stopped cable companies from selling “gigabit” packages with a paltry 10Mbps upstream connection. When getting an internet service package for teleworking, your upstream speed should be at least 10% of your downstream speed – because if you saturate your upstream link, it’s going to negatively impact your downstream traffic and limit it. This lets the cable company sell you “gigabit”, knowing full well that they’ll never have to deliver on that promise. They also usually provide really cheap equipment which means your Wi-Fi speeds are going to be limited even more, and they still don’t have to deliver on those gigabit speeds they’re charging you for. If you have the option of a symmetrical connection (usually delivered over fiber optic cable), it will be a lot more functional.
Much of what applies to DOCSIS cable connections also applies to DSL connections from the local telephone company. Make sure you have enough upstream bandwidth to do what you need to do. Also beware of any service that has a data cap – working from home can blow through a data cap in a real hurry.
It’s usually worth investing in your own router – the equipment provided by the ISP is, in most cases, absolute junk. AT&T is notoriously bad about this on both their U-Verse DSL and fiber-based services, and they have it configured such that it’s very difficult to use a “real” router with their service.
And in some places, cable, fiber, or DSL aren’t an option, and you’re stuck with either a wireless ISP or cellular.
The typical internet connection requires a couple of devices. ISPs and telcos generally refer to this as “Customer Premises Equipment”, or “CPE”.
This is the device that interfaces your ISP’s connection with your home network, usually via an Ethernet connection. The term comes from “modulation/demodulation”, which is the process of converting a data stream into a series of electrical signals. This operates between what us network nerds call “Layer 1” (electrical signals) and “Layer 2” (data link). I posted on network layers in this post from 2018, if you want to get into some of the details of those. The modem’s primary function is extending your ISP’s physical network to your house. Before the days of direct internet connections, the data link was established over a telephone line by modulating the data signals into electrical signals in the narrow audio range supported by the telephone system.
Modems can take many forms, and in many cases, your ISP’s modem is integrated into a single device with a router. In the case of cable, you can usually supply your own. In the case of DSL or fiber service (where it’s usually called an Optical Network Terminal instead of a modem) it’s usually provided by the ISP and you won’t get much choice in the matter, although sometimes it’s possible to request a specific type or model.
Your smartphone also contains a modem that interfaces to the cellular networks – it likely uses LTE (4G), but older ones (3G) would use CDMA or GSM, and newer ones (5G) use a few different things, mostly based on LTE. If you need to interface a cellular network to your home network, either as a primary or backup link, there are dedicated cellular modem devices for that (more on that in a moment).
This is the device that connects your network to your ISP’s network. It operates at “Layer 3”, which for the vast majority of people means “the internet”. The internet is nothing more than a whole bunch of interconnected networks. A protocol (known as the “Internet Protocol”, or “IP”) has been in place for decades, specifying how all these networks can talk to each other. Each network is connected to other networks by way of a router (also known as a “gateway”). Its job is to look at traffic that comes in, and decide where it needs to go next. If it’s for another device on a network it’s directly connected to, it sends it directly. For something elsewhere on the internet, it sends it to the next router down the line (usually your ISP) to deal with and eventually get it to where it needs to go. This process usually happens in a matter of milliseconds (you can use the “ping” command to see how long this takes, or “tracert” (windows)/”traceroute” (everything else) to see the path it takes. The whole idea is that you don’t see what’s happening under the hood.
The term “Router” is often misconstrued to mean “WiFi”. This is often because the equipment provided by an ISP or purchased consists of a router, a network switch, and a Wi-Fi access point (and sometimes a modem) all in one box referred to as “the router”.
Owing to a general shortage of IP addresses, your ISP will assign a single IP address (which is unique on the entire internet!) to your router’s Internet-facing connection (the Wide Area Network/WAN interface), and your own network devices (on the Local Area Network/LAN interface) will occupy address space that is defined by RFC1918 as “private” address space (which can not be used directly on the internet, but can be re-used by anyone – in most cases, your network will be 192.168.something, the specifics vary from one devices to another). The router will then perform Network Address Translation (NAT) to move data between the two networks. Most of the time, you don’t need to worry about the details of how it’s set up, although when it comes to troubleshooting, having at least a general awareness of how it’s set up can be useful.
This is a key piece of the network, as it is what decides which traffic is and isn’t allowed. This is critical to providing network security. It is usually integrated into the router. It examines each packet and checks a list of rules (which can be updated multiple times a day to react to ongoing threats) to determine if the packet should be sent along its merry way, or dropped into a deep, dark hole.
The Local Area Network
The router is the transition point from your network to the rest of the internet. I’m not going to get into the details of the LAN for the moment (that’s for another post), but this is where you will connect all your equipment, either wirelessly via Wi-Fi, or via a wire to an Ethernet switch.
Virtual Private Networking (VPNs)
This isn’t really a hardware component, but is usually a key piece of any home office (it sometimes uses dedicated hardware, though). The function of a VPN is to connect you to another private LAN located elsewhere (either physically or just another part of the network.) When working from home, installing a dedicated private network connection between the main office to a home office is cost-prohibitive (although there are some interesting new technologies with 5G that will allow you to connect mobile devices directly to the corporate network, essentially making the corporate network its own cellular carrier.)
Enter the VPN – It uses the public internet to establish a connection to the corporate network, and it builds an encrypted tunnel that allows corporate traffic to pass through securely. Sometimes, this is an application that runs directly on a computer, establishing the tunnel directly to that computer, and sometimes, the tunnel is established by the network equipment you have at home, and it just presents another LAN for you to connect anything to. In most cases, in order to use bandwidth more efficiently, any traffic destined for the internet will go out directly from your router rather than through the tunnel and go out from the corporate network. This is known as a “split tunnel”. Some companies, however, will choose to pass all traffic through the tunnel in order to benefit from high-power corporate firewalls to better secure traffic against malware, data leakage, or to just filter content.
As cloud-based services such as Office 365 become more prevalent, VPN connections back to the office are becoming less important.
It’s worth noting that this is very different from public “VPN” services that claim to offer privacy when accessing the internet. While the underlying technology is similar, all these are doing is relocating where you hop on to the internet, sending it through the VPN service’s network where they can inspect all your traffic.
A quick rundown of connectivity equipment:
If you need to connect to a cellular network, you can use the following:
Your smartphone hotspot (easiest in a pinch, can also usually connect to your laptop via a USB cable if you don’t want to or can’t use Wi-Fi)
A portable hotspot, sometimes called a “Mi-Fi” or a “Jetpack”, both are brand names for common devices in this category. Many of these also can connect via USB.
A USB cellular modem (check your cellular carrier for options)
An Ethernet cellular modem or router such as a CradlePoint IBR series device
Some home routers and most enterprise routers will support a USB cellular modem as a WAN connection, either primary or as a backup.
There is a wide variety of these out there, and most of what you can get commercially will do the job better than what the ISP provides. NetGear and Asus both make devices that perform well, but these devices have limited security capabilities. TP-Link and Linksys are cheap, but tend to underperform. Plan on about $200-300 for these types of devices. I’ll get into this a little more when I talk about the LAN side of things.
Many people recommend Ubiquiti equipment, but that’s a lot more complex than I feel is appropriate for non-technical users. If it’s what a managed service provider supplies, then it’s quite adequate, but make sure they’re the ones that have to deal with the technical side of it. If you’re a network nerd, then you already know this stuff.
This is where your corporate IT department or managed service provider usually comes into play, and provide you with a firewall/router device that is pre-configured for corporate networking and security standards (and will often set up a dedicated VPN connection as well). These devices come from a vendor like Fortinet, Aruba (in the form of a Remote Access Point), Palo Alto, Cisco/Meraki, and other enterprise networking vendors. These are helpful in a home office because they are generally managed by your MSP or IT department and are essentially plug and play, giving you a secure network connection that is functionally equivalent to being on the network at the office.
You can also purchase your own standalone firewall from these vendors, all of which have a home office model or two in their lineup. They usually come with an annual subscription cost which gives you frequent updates to the security profiles and rules, to adapt to the changing network threat landscape. These will typically provide much better security than a residential gateway device, but are more complex and expensive to operate.
This got long (which is why I’m breaking tech up into multiple posts), but the bottom line is that your internet connection is a vital piece of the home office puzzle, and it’s one where you’re going to want to spend some time and money getting it right. If you have to go cheap somewhere, this is not the place to do it, but you also don’t need to go overboard.
Since working from home is a hot topic right now with everyone practicing social distancing, I thought I’d present a couple of posts about what works for me. I’ve been working from home in some form or another since 2011, and I think I’m starting to get the hang of it. We’ll start with some of the basics of remote work in this post, and in later posts, I’ll dig into the details of home office technology and creating a functional work space.
Help : About
Working from home has this almost mystical quality about it – that office lizards crave, and teleworkers almost take for granted. You can’t beat the commute. For me, it’s down a flight of stairs to the basement. The only time I have to contend with “traffic” is when the cats are sitting on the stairs demanding to be fed.
One common misconception about “working from home” is that it’s something you can do as an alternative to paying absurd sums of money for childcare when you have small children around. Don’t fall into this trap!. It’s literally impossible to focus on both work and kids at the same time. When I started working from home, my kids were 8 and 6. They’re now teenagers. They need supervision (and later, surveillance), and that’s simply not something you can do while working, and still provide the attention either one needs. If you’re splitting your time between kids and work, you’re doing both part-time. Your employer probably won’t be OK with this. If you’re self-employed, your income may also suffer.
Make sure you dedicate space for “work” that is distinct and separate from “home”. If you work from the living room couch all day, your family won’t know when you’re “at work” and when you’re “at home”. This can also lead to spending too much time on one, and not enough on the other. Your family probably won’t be OK with this. And whatever you do, don’t ever work from your bedroom. It will be almost impossible to shut off work if you do that. If you’re married, your spouse will definitely not be OK with this. Bedrooms are for resting, not working.
Ideally, your space should have a door that you can close to separate yourself from the rest of the house. If you have the misfortune of living in a big city where living accommodations are reminiscent of concentrated animal facilities, then you may not have the luxury of a separate room. If you need to operate in the corner of the living room, get a divider like a shōji that can delineate that space (or if for some reason you’re feeling particularly nostalgic for cubicle life, you can buy actual cubicle furniture!). Being able to close yourself off is important when you’re on a video call, and it also doesn’t have your living space in the background.
Ideally, your space should also be able to be acoustically separate from the rest of the house. If you do have the kids at home, you don’t want their noise intruding on your conference calls. They also don’t really want to hear your call either.
Remember that the biggest enemies of productivity at home are:
The Couch (or even the bed!)
Make sure you don’t have any of those in your work space.
I not only don’t have a fridge in my home office, I don’t have a coffee machine or any other beverage dispensing device. Because when I need to get a beverage, it forces me to get up, go upstairs, and move around. Nobody works in the break room. Likewise for bathroom breaks. Moving around periodically is vital. If you have a smart watch that reminds you to do so, take advantage of that feature.
A few points of etiquette:
If you’re on a call and not speaking, MUTE YOUR MICROPHONE. Always.
If you’re on a call with video, WEAR CLOTHES, preferably business-appropriate attire. Don’t forget that if you stand up, everyone on the call can see that you’re wearing Hello Kitty pajama bottoms… Or no bottoms at all!
Also on video calls: Be aware of what’s in the background. Both in your work environment and on your computer desktop. Audio calls, be aware of background noise. See also: Point #1
If you’re the one scheduling the calls, allow time between calls for people to take care of basic physical needs like standing, going to the bathroom, or getting coffee. Nobody wants to be on back to back to back calls all day long. The converse is that you need to allow that same time between meetings when accepting them. Don’t overschedule yourself.
When you “go to work”, do so just like you would if you were to commute… Get up, exercise if that’s your thing, shower and make yourself presentable, and put on actual clothes. It’s easier to get into a work mindset if you do this.
Likewise, take a 15-minute break, and an actual lunch break. When you’re not self-quarantining, leave the house and get lunch somewhere local. Your brain will appreciate the break. Take a walk outside.
What are your favorite WFH tips? Leave them in the comments below.
Recently, the nice people that employ me to be a wireless network engineer for them were kind enough to add a WLANpi to my toolkit (as well as that of several of my co-workers), and it is indeed a very handy gizmo for network engineering work.
The other day, I found yet another useful trick I could do with it: Software repository. Sounds basic, because it is. But useful nonetheless. Necessity is the mother of invention, after all.
The situation was that I needed to update AirWave on a customer server, and the WLAN management network at this site is isolated from the rest of the world (and even if it wasn’t, a satellite connection is not a fun thing to download a couple of gigabytes over!) Fortunately I came prepared for this and while I was at home on my gigabit fiber connection, I downloaded a whole host of software images I might need and stored them on my laptop.
AirWave’s heavily locked down CLI does give you the option of uploading a file, but it does it in a strange way that is in fact initiating an SCP download from somewhere. There’s not really any way to push a file to the box. No worries, Macs are Unix-ish, and this should be trivial, right? Nope, in Mojave there appears to be a strange quirk where ssh won’t respond on anything but localhost. So, my plan to scp from my Mac was shot to bits. I needed a linux box, and didn’t want to download an install ISO over the satellite any more than I wanted to download AirWave (after all, AirWave is itself Linux-based). Then I remembered I had my WLANpi.
Like an increasing number of gadgets these days, the WLANpi’s USB port (used for power) also happens to be an OTG port, and presents itself to the host system as an “RNDIS Ethernet Gadget”, and sets up an Ethernet link over the USB. This allows gadgets like the WLANpi and the Ekahau Sidekick to easily communicate with the host without going through the brain damage of custom device drivers (incidentally, Aruba is taking a similar approach to IoT support on its APs). RNDIS handles the messy layer 1 and layer 2 stuff, sets up layer 3 (the WLANpi defaults to 192.168.42.1) and then the application only has to implement standard upper-layer network communications.
So all I had to do was open an ssh session to my WLANpi (I use Emtec’s ZOC, which I have been using since the days of OS/2!) to see if I had enough storage space on the device to hold the 2.5GB AirWave update (Narrator: it did). Then I fired up Transmit, my go-to file transfer application on MacOS (whatever your platform, anything that supports scp will fit the bill), and sent the Airwave update over to a newly created files directory in the WLANpi user’s home directory.
Once the file was on the WLANpi, I plugged the WLANpi’s Ethernet port into a VLAN that was accessible to the WLAN management devices (I used the AP management VLAN since it already had a DHCP server), and then opened an ssh session to the AirWave server from my existing session on the WLANpi, essentially using it as a jump box. This served to verify port 22 connectivity, and also meant I didn’t have to put my laptop on that VLAN either.
Once I was able to copy the file from the AirWave server, the process was a snap to get the thing upgraded.
I think I’m going to get a bigger SD card for my WLANpi and store a full set of code and images that I may need, and also set up a tftp server on there, and maybe a file manager for the WLANpi’s web interface.
The life and contents of a survey kit is a dynamic one. Here’s what’s in my kit these days. The Pelican 1510 is airline carry-on size, because there’s no way they’ll let you check that stuff with the batteries (which are all just under the airline limit of 100Wh), and the contents are valuable enough that you probably don’t want it out of sight, or trust it to the airline baggage handlers. If you’re carrying this stuff, it’s because you need it at your destination. Downside is that the 1510 doesn’t allow the overhead bin to be closed on Embraer 135/145 regional jets.
Links go mostly to Amazon where I get all this stuff
Red/white sUAS strobes (x2) These are FAA-approved for being visible from at least 3 miles away. They’re ridiculously bright and have a few flashing modes, so I mount these to the AP stand at eye level so people don’t walk into it. Also good to have one on your back when surveying areas with heavy forklift traffic. Since they also have a constant on mode, they make a good flashlight in a pinch.
Also, if you’ve started adding this up in your head, you can see why I carry this on instead of leaving it to the baggage system. Make sure your business has insurance, especially if you’re self employed. If you’re traveling overseas, you’ll need special insurance coverage. I used to carry audiovisual insurance (the kind news crews carry) when doing streaming, and those policies will even cover against force majeure and acts of God. I don’t know if there’s an IT equivalent.
For those of us that work on wireless systems with a strong guest access component, the fine folks at Wowza Media Systems posted earlier this month about the inner workings of HTTP Live Streaming (Apple’s proprietary streaming protocol, or HLS) which accounts for about 45% of all streaming traffic – which tracks pretty closely to Apple’s market share of mobile devices.
Prior to getting hot and heavy with wireless networks, I did a lot of streaming infrastructure implementation for Wowza’s customers (as many of this blog’s readers are well aware – just go look into the archives!) HLS, which was released with the iPhone 3Gs, is designed from the ground up to handle the highly variable bandwidth and delay conditions inherent to mobile connections on Wi-Fi and cellular, while delivering a good streaming experience to the end user. It also allows streaming providers to leverage existing HTTP-based content delivery infrastructure.
Older streaming protocols like RTMP and RTSP are particularly unfriendly to wireless networks as they require a constant data stream at the stream bandwidth. For a video stream, much like a VOIP call, this requires consistent and timely medium access, which is definitely not a sure thing on Wi-Fi the way it is on Ethernet. The tradeoff is that the delay from live on HLS (a minute or two) is much higher than it is on RTSP (a few frames/milliseconds) or RTMP (a few seconds).
When working down at Layer 2, it’s usually helpful to understand what’s going on up the stack, especially with regards to what kind of unholy things are being done inside HTTP (which we may or may not have visibility into because of encrypted packet and segment payloads). In terms of the ISO model, HLS is probably best described as Layer 5 (the HTTP segmentation) and Layer 6 (the video data).
One of my favorite things to do when I’m at a Disney park is to play the wireless nerd’s version of Hidden Mickeys: Trying to spot the myriad creative ways in which Disney’s Imagineers have blended their excellent wireless network into the carefully contrived scenery. It truly is magical how they can make wireless everywhere while keeping it nearly invisible.
So naturally, when I’m wearing the wireless engineer hat and have a challenge where I get to flex some of that creativity, I’m all over it.
A few years back, I helped a church in Wichita overhaul their aging and underpowered WiFi by designing and installing a new Ruckus system. Last year, they embarked on a new project to add a chapel to their campus. Naturally they wanted to extend the wireless LAN to this new building.
But… It’s a chapel aimed at doing weddings and other sorts of events, so it was paramount that the wireless equipment not be visible, to maintain clean architectural lines with a minimum amount of obvious tech equipment. Some concessions had to be made for audiovisual, but visible access points were a (network) bridge too far.
After pondering the problem as well as observing drawings and renderings, I happened upon the architectural lighting elements in the plan that were mounted on each of the columns. I dug into the design of these and discovered that they were a pair of LED fixtures concealed inside some finish carpentry with a textured plastic surface. And most importantly, there was an empty space in the middle between the two light fixtures that measured about 20cm square by 40cm high, and centered approximately 8 feet off the floor. Not only was that low enough to keep the APs close to the clients, there was plenty of room to put in one of the Ruckus H510 Wall APs designed for the hospitality market (which I also currently have in my house running Unleashed, although they will soon make way for some of the Aruba AP303H units or their new Instant On AP11D counterpart). I’m a big fan of these in-wall units for many reasons.
I asked the electricians to give me a box and conduit to four of these columns, as well as a pair of data cables. I only planned to use two access points initially, but since running cable would be prohibitively difficult after the buildout, I wanted to keep my options open should capacity needs increase in the future.
After many months of construction (Summer of 2019 was an utterly awful weather summer if you were in the construction business), I finally got the green light to install these. I took a bit of personal time on my way down to another job in Oklahoma for my employer, and executed the plan. I’m pretty happy with the results.
How I learned to stop worrying and love predictive modeling
Due to this topic coming up regularly in the community, I’m posting this slightly edited version of one of the project documents I submitted as part of my CWNE application. The building in question has since been completed, but I have not had a chance to go see how the wireless ended up being implemented.
When I was working at Servant42, we were approached by another wireless integrator that we had met at a conference, and I was tasked with taking a preliminary design for a $125M academic research building currently in the early stages of construction, and come up with a usable wireless design in order for the integrator to plan cable placement. The RCDD who did the initial cabling design had put together a grid overlay of access points over each floor, and requested an outlet at each one. The integrator knew this wasn’t going to provide for functional Wi-Fi, and sent over the plans, with a note to pay very close attention to some of the wall types.
The prints were exceedingly detailed, and the wall type schedule alone covered multiple sheets. Not having any real-world walls in this facility to measure attenuation with, I had to rely on published materials regarding attenuation of each type of common construction material. A valuable resource in developing this attenuation model was a 2002 paper published by Robert Wilson (then a graduate student at USC, now a staff engineer at Qualcomm). Based on the various wall types listed on the sheet, I painstakingly added up all the attenuation values and created a wall type for each one in Ekahau Site Survey Pro, labeled to match the callouts on the prints. It wasn’t perfect, but it would get me within about a dB. Some of the walls I had to deal with:
2-hour rated walls, with double-thick 5/8” drywall on each side, filled with fiberglass
Single layer drywall on only one side, open on the other, or wrapping a column
Filled concrete block
Security walls (more on that in a minute)
Low-E glass curtain walls
And so on…
Each of these wall types was also found in varying thicknesses throughout the building. As it turned out, the walls the client was telling me to pay special attention to were the security walls. Several areas of this building were slated to house medical laboratories, and as part of the security specification, it called for steel strapping, “to prevent penetration of a 100mm sphere.” This oddly specific requirement sounded like they were trying to stop small cannonballs, and I was more than a little curious because the specification didn’t mention anything about the velocity of said sphere.
The prints showed 6” wide 54mil steel straps spaced 3.75” apart (95mm) all the way up to the ceiling. And there were a LOT of these walls in the building. The nature of these walls is also such that they were certainly going to be grounded:
So I start digging back into the recesses of my brain where the RF theory is stashed, and consulted an RF engineer colleague, where he gave me a refresher on the RF transparency of various openings, where odd numbers of quarter waves are opaque to an RF frequency and even numbers are transparent. Some quick calculations told me that my 95mm openings were almost exactly ¾ wave on 2.4GHz. And because they ran horizontally, the gaps were about 16” wide between studs. So these lovely security walls were going to be opaque to 2.4GHz, but only one way. And transparent to 5GHz. Welcome to my nightmare! How in the heck was I going to model this? Ekahau didn’t give me the option for different attenuation values for frequencies or polarization.
Wilson’s paper also didn’t make any mention of this sort of thing. And I still couldn’t go out into the field to measure it, nor did the client have the budget or the time for us to set up a model of the wall and test that.
As I’m trying to figure out my next move, I get a call from the client, and he tells me they’re starting to build those security walls on one of the lower floors. And then he sends me this picture. Sure enough, they deviated from the version of the plans that I had, and used an entirely different construction material on the security walls: an expanded metal diamond mesh rather than strapping, the type once commonly used as lath for plaster walls in the 1940s after wood lath fell out of favor (I’ve had to add data drops to those walls and cut in boxes, it’s NOT fun.)
So now my calculations are out the window and I have to start over. I try to estimate the size of the holes in this mesh. I come up with about 6mm based on some rudimentary photogrammetry. This hole works out to 1/8 wave in 5GHz, and 1/16 wave in 2.4GHz. As far as the Wi-Fi is concerned, these might as well now be brick walls. I still don’t have a true idea of the actual attenuation. So I assume at this point that a layer of this stuff is going to stop the signal dead and dump it to ground, and put in 20dB. But at least I can model these now.
Now that I can put all my walls in, I build the model in Ekahau (and I was really wishing for a CAD file at this point) and I’m able to model the existing planned AP locations, show the numerous coverage problems caused by the security walls, and then re-plan the whole building (four occupied floors and a basement, including a few high-density lecture halls). Coverage was defined by the client for Cisco 3802i APs with -67dBm primary coverage, -75dBm secondary coverage, and not to worry about voice. Lecture halls needed to assume 2 client devices per seat.
In several locations, I was having to place an AP just to cover a small pair of offices, because they were wrapped on three sides with these security walls. In a few cases, the office itself was fully wrapped in these secure walls, with a solid core door and safety glass window to the hall. I decided not to model the window and doors into the outer halls as the RF spilling from them would not be relied on for coverage outside the office. I made the recommendation to run these APs at lowest possible output power and specified a separate AP to cover these halls, preferably with a directional antenna. In other places, I had to place APs to cover RF shadows left by these walls.
Once complete, the client was then able to go back to the RCDD and request the additional cabling drops for the access points (the AP count through the entire building increased by nearly 50% just to deal with these Wi-Fi-eating walls)
And so it goes. I get questions like these all the time when it becomes known that I’m a wi-fi expert (really! don’t take my word for it, CWNP and a panel of my peers said I was!) Since I get asked this a lot, I’m creating this post as a handy guide to making your home wi-fi better.
While by day, I’m a mild-mannered field engineer for a wi-fi consulting company, and deal mostly with large-scale enterprise systems (often fixing their bad wi-fi), many of the same principles apply, because it all boils down to best practices.
First, you’re going to need a couple of basic tools to see what your wifi environment looks like.
Mac: Wifi Explorer Lite
Android: Wifi Analyzer
iOS: AirPort Utility
All these tools do is give you a listing (usually with a graphical representation) of the wi-fi channels in use in your environment.
What causes my wi-fi to suck?
Generally speaking, if you have bad wi-fi, it’s because the device and the access point can’t hear each other very well, or it’s so busy neither one can get a word in edgewise. Wi-Fi can only have one device on a channel talking at once. When it wants to talk, it listens on the channel to see if it’s clear, and if it is, it says its piece and gets off. If it’s not (because someone else is talking), it pauses for a moment and tries again. On a busy channel, that can take a while (and in terms of computer networking, “a while” may only be a few milliseconds, but any delay slows you down. Sometimes a device says its piece, and the intended recipient couldn’t acknowledge it because it was too noisy because of interference from something that isn’t wifi (like bluetooth, microwave ovens, zigbee, etc.)
Let’s get a little terminology out of the way, first, so we’re all speaking the same language.
a router in terms of home wi-fi is an all-in-one device that contains not only a router, but also an ethernet switch and an access point. the access point is the piece that actually does your wi-fi. They just happen to all be stuffed into the same box together. Sometimes they’ll stuff a cable modem or a DSL modem in there too…
a mesh is a means of connecting other access points to the network wirelessly. You have probably seen home “mesh” systems that incorporate a couple of access points in some sort of plug and play fashion.
Your wi-fi is a wireless local area network. It is not internet access. It is entirely independent of your internet access, even if the router box you got from your ISP does wi-fi (usually badly).
So the first thing you’ll want to do is check out your channel environment. The tools listed above will highlight the channel and AP you’re connected to, and show all the others, with the signal strength of each. It’s doing this by listening for beacon frames that are sent out approximately 10 times per second by every AP on every SSID.
There are two things you’re looking for: YOUR signal above -65dBm, and everyone else’s BELOW -82dBm. In the 2.4GHz band, you also want to watch out for anyone on channels in between the non-overlapping channels of 1,6,11 (many devices will automatically choose channels that aren’t 1/6/11, which they need to stop doing).
So what if one or both of those tests comes back outside of those parameters? There are a few things that affect your signal strength:
Proximity to the access point
objects between you and the access point
the access point’s output power
the access point’s antennas
Your access point should be located somewhere fairly central in your home. It often isn’t because the ISP/Cable company was lazy and put the cable outlet on an outside wall. It should also be out in the open and not behind anything (I’ve seen many stuffed behind a TV, which does nobody any favors). The top of a bookshelf in the middle of your house is a great spot.
If it has external antennas, they should ALL be pointing vertically. This is not an art piece where they go every which way, and they are not magic wands where wi-fi comes shooting out the ends (in fact, the axis of the antenna has the weakest signal.) If you mount it on a wall, they should still be vertical.
One caveat to this is that if the antennas are detachable, you can keep your access point near the edge of your home and get a directional antenna.
If your access point lets you set power levels, set it to the lowest you can go and still cover what you need to cover, and nothing more. This keeps your neighbors from getting your wi-fi, and having yours interfere with theirs. If you go too high, you may be able to reach the far corners of your house, but your AP won’t hear your device’s responses.
Which brings me to extenders. There are many of these on the market, and they’re all junk. Because of the whole “one device may speak at a time” thing, you now have a conversation where another person is repeating it loudly for the people in the back. Don’t do it. If you need more coverage, get one of those residential mesh systems, but connect it up with wires if at all possible (otherwise they act mostly like repeaters and murder your performance).
I mentioned channels earlier. If you’re on 2.4GHz, you should only ever be on channels 1,6, or 11. But really, you shouldn’t be on 2.4GHz at all. There are lots more channels to work with in 5GHz. If you must be on 2.4GHz, minimize your use of it, and whatever you do, don’t use a 40MHz channel unless you live in the middle of a cornfield with no neighbors.
If you’re on 5GHz, try to avoid 80MHz channels, 40 is OK if you don’t have many neighbors, and 20 is best when you have lots of neighbors. Many devices default to channels 36/40/44/48 and 149/153/157/161. I’m gonna let you in on a little secret: there are a whole lot more channels you can use. If your device supports them, you can use 52/56/60/64, 100/104/108/112/116/120/124/128/132/136/140/144, and 165. Chances are those channels are WIDE OPEN where you are. use them!
And now, for cutting through the marketing hype:
“Tri-Band” is NOT A THING. (at least, not as of late 2018 when this is being written) Those devices are all a 2.4GHz radio and two 5GHz radios. That’s only two bands. However, if you have a tri-band radio, your best use is to set up one of the radios with a dedicated SSID and channel for your streaming equipment like Smart TVs, AppleTV, Roku, etc, and use your general internet access on the other.
Gigabit wifi is A BIG FAT LIE. At most, you’re going to see a couple hundred megabits on a channel. Many vendors’ marketing people like to add up the theoretical maximum of all the radios in the device and claim that as the maximum speed, which is why you see absurd things like “5300Mbps” and “6400Mbps”. Those speeds will NEVER HAPPEN, because wi-fi doesn’t add them up.
More antennas does not mean a better AP. a 4×4 AP is all well and good, but most of your clients are 2×2 with a small handful of high-end Macs that do 3×3. This refers to the number of MIMO spatial streams. There is ONE 4×4 client device on the market from Asus, and it is a PCIe expansion card for desktops.
Power levels are limited by FCC rules (in the US – national communications authorities in other countries impose similar limits) , mostly at 100mW. Any device claiming high power wifi is lying to you.
The current generation of WiFi is 802.11ac (also called WiFi 5 – and is 5GHz Only). The previous generation is 802.11n (WiFi 4, and is the current generation for 2.4GHz). Anything older than that should be replaced. The upcoming 802.11ax (WiFi 6) standard is still being developed and won’t be official until at least late 2019.