WIFI AP showing data flow but no clients connected


peterh337
12th Feb 2012, 08:26
I have a couple of Draytek 800 wifi APs.

One of them seems OK but the other one is behaving oddly.

I made this video (http://www.aa-kkemail.co.uk/2012-02-11-069.mp4) (70MB) of the AP's diagnostics.

It shows data being transferred but NO stations connected.

The AP config is:

"AP 800 acts as a bridge between wireless devices and wired Ethernet network, and exchanges data between them."

I have seen weird instances of devices with unaccounted names showing up in the DHCP table of the router which feeds the APs (Draytek 2955), which were fairly obviously connecting via wifi. The Draytek 800 AP is unusual in that it has four configurable SSIDs, of which only one contained a name. It seems to use a non-null string to enable a particular SSID, which is obviously dodgy because a white space would not be visible... I used on the 1st SSID but it is likely that the default setting for the other 3 is ON and certainly the default setting for those 3 is NO security. But even after I set up WPA/PSK and a random pwd on the other 3, I still saw the data flow and that was when I made the video. It certainly seems possible to enter e.g. a space character in one of those SSIDs and end up with an open channel...

I have reported this to Draytek UK but they are not very interested.

Maybe I should chuck these APs out and get some Cisco ones :)

The other big Q is which APs actually work with the Ipad2 and its notorious wifi issues (a 90 page thread on the Apple forums, with Apple not commenting at all). Draytek released a special fix for that but it doesn't do a lot. One of the issues is reportedly that the IOS devices request DHCP every few seconds.

mixture
12th Feb 2012, 09:41
I made this video (70MB) of the AP's diagnostics.

Any chance you could put that up on YouTube or some other streaming service? I can't be bothered to download a 70MB file that may or may not have anything useful in it.

a 90 page thread on the Apple forums, with Apple not commenting at all

:ugh:

The Apple forums are busy community forums, I don't know why you expect Apple to read every single thread on there? If you want Apple support, get an AppleCare support contract and make use of that (or drop into your local Apple Store).

Guest 112233
12th Feb 2012, 10:58
Re your unknown traffic: This is only a guess; but in the version of Linux I'm using, it's easy to connect to a "Hidden wireless network" - If there's no password or security enabled on those channels, it may be that someone is piggy backing on the data link that you have.

Although the SSID is not being identified, with your router acting as a bridge, it will still be broadcasting replies to any ARP packets issued by routers within range.

I'm not familiar with your equipment, but if it's possible to disable the unused access streams through your router admin software, do this.

[Edit: I don't know if it's possible to restrict access to a limited and therefore restricted list of wireless end points: I disable DHCP and assign each of my PCs a fixed IP with a band at the bottom of the usable range for 1 or 2 guests - AES encryption enabled. The routing table associates each PC's MAC address with its assigned IP.]

CAT III

peterh337
12th Feb 2012, 11:01
Re your unknown traffic: This is only a guess; but in the version of Linux I'm using, it's easy to connect to a "Hidden wireless network" - If there's no password or security enabled on those channels, it may be that someone is piggy backing on the data link that you have.

That's what I assumed, which is why that stupid Draytek 800 AP bothers me...

But I am not talking about hidden-SSID stuff. I never use that, because (a) it creates incompatibilities with loads of clients and (b) it is easy to get around with a wifi sniffer.

Although the SSID is not being identified, your router, although acting as a bridge, will be broadcasting replies to any ARP packets issued by routers within range.

I'm not familiar with your equipment, but if it's possible to disable the unused access streams through your router admin software, do this.

I don't know how to do that, unfortunately. I know a fair bit about networking but that much is outside my expertise.

I also found that one of the two APs had apparently reset itself to factory defaults. This would mean it connected to the router via DHCP and got transmitting with security disabled ;) This is a really stupid bug too, which could create havoc. I suppose one could block it by not having a DHCP server enabled - at least not on the physical ethernet segment to which that AP(s) is/are connected.

On one occasion I found a device connected called "NETBOOK" which was nothing we have. I don't know how long that condition existed for. Obviously it is pretty serious. Somebody using that AP cannot access computers on the internal LAN (well, he will get the windoze login prompt ;) - a case of "do you feel lucky" ) but could access any network drives, etc.

I have just ordered a Linksys WAP4410N which should not do any of this crap.

Mixture - thank you for your "helpful" advice. If I wanted to do that I would not have wasted my time posting a question here. Tell me... how long does it take you to download a 70MB file? The last thing I am going to spend money on is an Apple support contract, anyway :yuk:

Saab Dastard
12th Feb 2012, 11:13
CATIII's suggestion of using fixed IP addresses and disabling DHCP is good.

Add MAC address filtering to enhance security even more.

And make sure you change the default AP admin password!

SD

peterh337
12th Feb 2012, 11:17
I don't think MAC address filtering deters anybody but the most casual user.

Unfortunately we need to have wifi that is usable for guests too. I used to run MAC filtering and it was a big hassle. Perhaps the best way to deal with that is to have a second AP, which is not normally switched on.

I already have a second AP, configured to block windoze networking (ports 138, 139, etc) for use by my son, whose laptop is usually infected :)

I am just puzzled that somebody can bring out a "modern" £100+ wifi AP which is as crappy as this one.

Mike-Bracknell
13th Feb 2012, 20:15
1: The AP800 isn't crappy
2: Draytek UK say that there's an updated firmware to fix a few issues. Are you using it?
3: I too CBA downloading 70mb to look at a video, and yes it will have taken me some time.
4: Please don't expect much more help if you're going to refer to it as "Windoze".
5: The iPad issues are iPad issues, not AP issues. If Apple ever get to fixing their wifi stack, it'll be not a moment too soon. Incidentally, the AP800 isn't immune to iPad wifi issues.
Actually, scrub that, if Apple ever get to admitting there's a flaw in their wifi drivers that'd be a start. :ugh:

peterh337
13th Feb 2012, 20:57
1. OK, but I suspect it can show an unsecured channel. Once, another AP800 actually displayed such a channel (when doing the scan for nearby APs). I took a screenshot and emailed it to them; they had no real explanation for it...

2. Yes, 1.0.3

3. OK

4. OK.

5. I am sure you are right. I think Apple test their stuff with 2 lots of gear: their own, and some Cisco stuff. But knowing "whose fault it is" isn't terribly helpful given that so many people have bought into the Church of Jobs scene.

Mike-Bracknell
14th Feb 2012, 14:05
Don't get me wrong, it's not faultless, and like other APs from other manufacturers you'll still need to use the latest firmware to fix a few issues (the 1.0.3 fixes a VLAN tagging issue for me), however as a Draytek reseller I have a fair few of these deployed in the field and they're all behaving (and the macs connected to them are behaving as well, once you retrograde the wifi drivers as per the community support items on the web - something you probably can't do with an iPad).

peterh337
15th Feb 2012, 06:42
The vulnerability depends on who is trying to connect.

A normal windoze :) laptop will not display an AP with a null (or all-spaces) SSID in the list of available networks.

But if you do a scan, using one AP800, for nearby wifi networks, that shows it all right!

Draytek UK dismissed this as a user interface artefact, but obviously there is "something there" which any competent scanner will discover soon enough.

And it is a fact that all four SSIDs have No security as default, and if (like most people) you configure just the first one, by entering an SSID and setting up the security, it seems that the others might be appearing as open channels albeit with a blank SSID.

One of the last things I did was to config some random passwords on the other three SSIDs, just in case...

But I am chucking out these AP800s anyway because the one which reset itself to factory config was definitely providing the pub across the road with free open wifi. Draytek are saying that I must have reset it myself, because it offers that option in the reboot menu, and won't take it back.

The other point is that Draytek have a bit of a history of leaving open doors. The 2900 router had a long standing bug which was never fixed, whereby remote admin (via port 443) was always enabled even if you disabled it in the config. This was soon discovered by attackers who then hammered it with dictionary attacks. The only way to make port 443 not respond was by port forwarding it to an internal IP on which no device was responding. Another one (which I got from a freelance network security specialist) was that a lot of Draytek routers could be logged in using a password of DRAYTEKER even if you configured a different one.

BTW v1.03 was claimed to address Iphone/Ipad wifi issues. It improves them but doesn't fix them. I gather this is Apple's problem in implementing stuff differently to everybody else, but it doesn't help me, with two of the bl00dy things in the house.

Mike-Bracknell
16th Feb 2012, 10:04
Well I'm also a Ruckus reseller if you'd like something a little more upmarket ;)

(although the price difference and the fact they're aimed at professional installs probably makes this a non-starter!)

Incidentally, Windows shows blank SSID networks sometimes. It depends upon what you're using for drivers it appears. I can also see them on inSSIDer.

I would never use SSID hiding or MAC filtering for security though. Both methods are noddy in the extreme.

peterh337
16th Feb 2012, 12:10
A nearby school went for the Ruckus stuff. They were going to spend best part of £50k, last time I heard :) For a totally basic wifi network, with no special functions. Just several POE switches (24 ports each I guess) and a load of POE APs.

As you obviously know, there are two ways to get wifi set up on a windows PC: using the windows' own interface, and using the software which comes with the wifi adapter.

The latter usually offers more facilities.

Anyway I put in the Linksys WAP4410N which not only covers the whole house but also works with everything, seemingly, and it has explicit "enable" checkboxes for each of the four SSIDs, unlike the Draytek which has no clear enable mechanism. However it does not offer a list of current wifi clients, which is a bit bizarre... can't win them all :) And if a client is using a fixed IP (which somebody clever might do) then that client won't be visible in any way I can think of (maybe the ARP cache in the router?).
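
The cross-check hinted at in the post above (the router's ARP cache against its DHCP table), as an added example that is not part of the original thread. The input formats are assumptions: Linux `ip neigh` output and dnsmasq-style lease lines stand in for whatever the router exports, and the addresses and inventory are constructed.

```python
import re

# Constructed sample data (not from the thread). Assumed formats: Linux
# `ip neigh` output for the ARP cache, dnsmasq-style lines for DHCP leases.
ARP_TABLE = """\
192.168.1.10 dev br0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev br0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.200 dev br0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.77 dev br0  FAILED
"""
DHCP_LEASES = """\
1329400000 00:11:22:33:44:55 192.168.1.10 office-pc 01:00:11:22:33:44:55
1329400500 66:77:88:99:aa:bb 192.168.1.23 NETBOOK *
"""
KNOWN_MACS = {"00:11:22:33:44:55"}  # hypothetical inventory of owned devices
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

def parse_arp(text):
    """Return {mac: ip} for entries that resolved to a hardware address."""
    out = {}
    for line in text.splitlines():
        m = re.match(rf"(\S+) dev \S+ lladdr ({MAC}) (\S+)", line.strip().lower())
        if m and m.group(3) not in ("failed", "incomplete"):
            out[m.group(2)] = m.group(1)
    return out

def parse_leases(text):
    """Return {mac: hostname} from dnsmasq-style lease lines."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and re.fullmatch(MAC, parts[1].lower()):
            out[parts[1].lower()] = parts[3]
    return out

def audit(arp_text, lease_text, known):
    """List (mac, ip, reason) for every device not in the inventory."""
    arp, leases = parse_arp(arp_text), parse_leases(lease_text)
    findings = []
    for mac, ip in sorted(arp.items()):
        if mac in known:
            continue
        reason = (f"unknown device, DHCP name {leases[mac]!r}" if mac in leases
                  else "unknown device with no lease (static IP?)")
        findings.append((mac, ip, reason))
    return findings

if __name__ == "__main__":
    print(*audit(ARP_TABLE, DHCP_LEASES, KNOWN_MACS), sep="\n")
```

The ARP cache only holds devices that have recently exchanged traffic with the router, so the check needs to run repeatedly; and since a MAC address can be changed by the client, a clean result does not prove that no unknown device is present.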

Mike-Bracknell
16th Feb 2012, 17:43
A nearby school went for the Ruckus stuff. They were going to spend best part of £50k, last time I heard :) For a totally basic wifi network, with no special functions. Just several POE switches (24 ports each I guess) and a load of POE APs.

"best part of £50k" probably means they bought too many APs (or the reseller was trying it on). The APs will support a surprising amount of nodes themselves.


As you obviously know, there are two ways to get wifi set up on a windows PC: using the windows' own interface, and using the software which comes with the wifi adapter.

The latter usually offers more facilities.

The former offers group policy configuration in a domain :ok:

Anyway I put in the Linksys WAP4410N which not only covers the whole house but also works with everything, seemingly, and it has explicit "enable" checkboxes for each of the four SSIDs, unlike the Draytek which has no clear enable mechanism. However it does not offer a list of current wifi clients, which is a bit bizarre... can't win them all :) And if a client is using a fixed IP (which somebody clever might do) then that client won't be visible in any way I can think of (maybe the ARP cache in the router?).

Bizarre - I've just checked a pair of AP800s I have in service with a customer and can confirm there's a missing checkbox next to the SSIDs for enable/disable - it's there on the 2820/2830 routers, I must have missed that as a feature on the AP800. Anyway, wirelessly snooping doesn't find any extraneous networks, so one must assume it's working okay for me.

If you're looking for cheap but good APs though, take a look at the Edimax.

green granite
16th Feb 2012, 18:20
Anything supplied to the government or local authority is automatically 4 to 6 times the normal price. :ugh:

Saab Dastard
16th Feb 2012, 19:39
Anything supplied to the government or local authority is automatically 4 to 6 times the normal price. :ugh:

Yes, once a company gets onto a public sector "preferred supplier" list, it's a gravy train.
:ugh:

SD

peterh337
17th Feb 2012, 12:26
The problem is that the people who buy the stuff are usually not able to specify the equipment correctly...

Bizarre - I've just checked a pair of AP800s I have in service with a customer and can confirm there's a missing checkbox next to the SSIDs for enable/disable

Yeah, a really crappy way to do software, especially security-critical stuff like this.

Try two AP800s, straight out of the box, config one of them with just the 1st SSID, WPA/TKIP, leaving the other SSIDs untouched. Then start up the other one and use it to scan for nearby networks. See what it finds. Mine found another AP, with a blank SSID (IIRC- I did a screenshot but cannot find it right now).