Web Extras: Help | Catalog | Feedback | Print | Check for Updates Take Control Your 802.11n AirPort Extreme Network of by Glenn Fleishman Table of Contents (1.2) Read Me First ...................................................... 2 Introduction ........................................................ 5 AirPort Networking Quick Start .............................. 6 Quick Troubleshooting Guide ................................. 8 Key Glossary Terms ........................................... 10 Learn Wireless and AirPort Basics......................... 13 Put Your Base Station into Action ......................... 25 Set Up Your Network .......................................... 54 Connect Your Computers .................................... 70 Connect Multiple Base Stations ............................ 86 Mix Legacy, New N Networks............................... 97 Reach Your Network Remotely........................... 101 Set Up a Shared USB Printer ............................. 113 Set Up a Shared USB Disk................................. 121 Secure Your Network........................................ 132 Overcome Interference ..................................... 146 Appendix A: Stream Media with AirPort............... 150 Appendix B: Setting up a Software Base Station .. 158 Appendix C: Advanced Extreme Features ............ 161 Appendix D: What’s New in Leopard ................... 167 About This Book............................................... 179 10 $ READ ME FIRST Welcome to Take Control of Your 802.11n AirPort Extreme Network, version 1.2. This book helps you install and get the most out of an 802.11n Wi-Fi network. This book was written by Glenn Fleishman, edited by Tonya Engst, and published by TidBITS Publishing Inc. Copyright © 2008 Glenn Fleishman. All rights reserved. The price of this ebook is $10. If you want to share it with a friend, please do so as you would a physical book. Click here to give your friend a discount coupon. Discounted classroom copies are also available. Updates You may not have the latest version of this PDF. To find out if there’s a new version, click the Check for Updates link on the cover. Once you click the link, you’ll be taken to a Web page where you can learn about any available or planned updates, and sign up to be notified about updates to the PDF via email. You may also find minor update information directly on that Web page. Who Needs This Book I wrote this book for people who have purchased or are considering buying the thoroughly overhauled, 802.11n AirPort Extreme Base Station, released in January 2007 with new software, and updated with new hardware and revised software in August 2007. My goal is to help you configure this base station model to meet your needs, and to use it with existing and new networking equipment and computers. Who Doesn’t Need This Book If you’re not yet using a 2007-or-later, 802.11n AirPort Extreme Base Station, this book would be worthwhile only for background research if you are considering buying that new base station. If you use earlier networking hardware on a Mac, consider purchasing Take Control of Your AirPort Network, which covers gear released before 2007. Basics In reading this book, you may get stuck if you don’t know certain basic facts about Mac OS X or if you don’t understand Take Control Page 2 syntax for things like working with menus or finding items in the Finder. Please note the following: • Path syntax: I occasionally use a path to show the location of a file or folder in your file system. Path text is formatted in bold type. For example, the Airport Utility gets installed into the Utility folder, which is located inside the Applications folder. The path to AirPort Utility is: /Applications/Utilities/AirPort Utility. • Menus: When I describe choosing a command from a menu in the menu bar, I use an abbreviated description. For example, the abbreviated description for the menu command that creates a new folder in the Mac OS X Finder is “File > New Folder.” • Finding preference panes: I sometimes refer to Mac OS X preferences that you may want to adjust, such as the Network preference pane. To reach this pane, open System Preferences by clicking its icon in the Dock or choosing System Preferences from the menu. You access a particular preference pane by way of its icon, or the View menu. For example, to see “the Network preference pane,” you would launch System Preferences and then click the Network icon or choose View > Network. To see “the AirPort view of the Network preference pane,” you would do the same thing, and then click AirPort. • Configuring a base station: Throughout the book, I refer to using a program called AirPort Utility to configure a base station. To configure a base station in almost all cases, you launch or switch to AirPort Utility, select the base station in a left-hand list of base stations, and then choose Base Station > Manual Setup (Command-L) to proceed. What’s New in Version 1.2 Leopard shipped several weeks after the 1.1 version of this book, and there was nothing to be done but wait to see what shook out—and boy did a lot shake out, including Apple’s release of Time Capsule, an updated AirPort Express, and another overhaul of their AirPort Utility. As a result, this updated version 1.2 features an extensive appendix documenting changes in Leopard. An upcoming new book, tentatively titled Take Control of Your Draft N AirPort Network in Leopard, will thoroughly address all the new backup and network options separately. Page 3 See Appendix D: What’s New in Leopard (p. 167) for the rundown on how the Network preference pane changed, how the new AirPort menu works, and how to configure a host of small tweaks that have moved since Tiger. Also, in areas of the book where the new appendix has important information about Leopard, I’ve added a leopard spot ( ) in the margin. If you see the spot, you can click it to view the appendix. If you find yourself moving around a lot due to clicking the spots, you may find it handy to use a keyboard shortcut to quickly return to the previous location. Look in the menus to find the shortcut for your PDF software. What Was New in Version 1.1 At first, this revision was intended to be a 1.0.1 update, to cover the changes in the AirPort Extreme Base Station with 802.11n that Apple introduced in August 2007. After reviewing reader mail and spending many hours working with the gigabit model, I wound up making a number of changes and additions that should help with setting up regular networks and those with multiple base stations. In this update, I added the following: • An updated discussion of the state of 802.11n. See Extreme N Details (p. 18). • More information about Third-party adapters for 802.11n (p. 22). • A new section, Connect Multiple Base Stations (p. 86), which explains in detail how to use Ethernet and Wi-Fi links to build a network of two or more base stations to cover a greater area or increase the speed of the network. • For mixed networks using older 802.11 standards with 802.11n, I recommend that you attach USB printers to an Extreme N Base Station. See Put Printers in the Right Place (p. 99). • Updated information about NAT-PMP and wide-area Bonjour, Apple technologies for extending access to local network resources. • To the section on coping with interference, I added more specific advice. See Eliminate Conflicting Signals (p. 146). Page 4 INTRODUCTION Apple introduced integrated wireless networking to the world with AirPort in 1999. Although corporations had already been using forms of wireless networking for warehouse tracking and to connect buildings in a large campus, the cost was high, speeds were low, and complexity was manifest. Other companies were selling similar wireless hardware in 1999, but Apple’s products shot off the shelves due to their relatively low initial price, simple configuration interface, and excellent performance. AirPort came out of the same approach that allowed Apple to ship the iMac the year before: combining available, standard parts in a unique package that provided more value as a whole. The AirPort Card fit into a special slot in Macintoshes; its standalone, central coordinating hub was called the AirPort Base Station. Apple replaced the original AirPort line with AirPort Extreme: first, in 2003 with a somewhat faster flavor (known as 802.11g), then again in 2007, with a substantially faster version (802.11n). Today, AirPort Extreme is built into every Mac, except the Mac Pro, for which it is an add-on option, and the Xserve, which is designed for server rooms. Despite Apple’s 8-year history with wireless networking and the general excellence of their software and support, setting up a wireless network isn’t always a snap. This book helps you set up a wireless network and offers tips to help save time, improve security, extend range, and enjoy a technical edge when working with AirPort. Although the title of this book references 802.11n AirPort Extreme networks, I also cover compatibility and connections with older hardware, as well as connecting to a new network using Mac OS X, Windows XP, and Windows Vista. I start with wireless basics, move through installation and configuration, explain how to share printers and hard disks, tell you how to connect to a Wi-Fi network, give advice on extending a network’s range and quality, look at adding devices like an Apple TV or AirPort Express, and finish with how-to information on security for those who want their AirPort networks safe from freeloaders and intruders. Page 5 AIRPORT NETWORKING QUICK START If you read this book in order, you’ll be guided through the steps shown below—unpacking an 802.11n AirPort Extreme Base Station, configuring the gateway, and getting on the Internet. The book also guides you through adding devices like printers, hard disks, and Apple TV, and securing the network. Need a quick solution? If you are reading this book in order to solve a particular problem, flip ahead two pages to the Quick Troubleshooting Guide, also, you may especially wish to consult Eliminate Conflicting Signals (p. 146). Learn wireless basics: • Get a quick grounding in wireless terminology and technology. See Key Glossary Terms (p. 10) and Learn Wireless and AirPort Basics (p. 13). Set up your network: • Unpack and power your base station (p. 25), and Install new software (p. 27). • Handle initial setup (p. 32) for the base station. This might be all you need to get on the Internet. • Learn about options and tradeoffs for which frequency band and channel to use, in Configure the Spectrum and Channel (p. 47). • Place your gateway in the right place for optimum coverage. See Pick the Right Place for Your Base Station (p. 49). • Hook your AirPort Extreme into the Internet or a larger network, while learning the difference between public and private network addresses, and static and dynamic addresses in Get a WAN Address (p. 55). • Set up your local network connections for computers to connect wirelessly and via Ethernet to the base station. Read Hand Out LAN Addresses (p. 61). Page 6 • Control how your computers connect to the network with Connect Your Computers (p. 70), which covers Mac OS X, Windows XP Service Pack 2, and Windows Vista. • Open your local network up to the wider world in limited ways for gaming, remote control, and Web servers. See Reach Your Network Remotely (p. 101). • Add printers and external drives to your base station to share across the network—or the Internet. See Set Up a Shared USB Printer (p. 113) and Set Up a Shared USB Disk (p. 121). • Stream media on your network through an Apple TV (p. 150) or with AirPort Express and AirTunes (p. 154). Extend your network with more routers: • Add access points to your network with the right settings to create seamless roaming. See Connect Multiple Base Stations (p. 86). • Don’t throw away your old gear: combine old and new for the best of both worlds. See Mix Legacy, New N Networks (p. 97). • Extend your network over your home electrical system. Read the sidebar Extend with HomePlug (p. 90). • Bridge Wirelessly among access points, in order to avoid wiring (p. 91). Secure your network: • Decide if you need encryption. Read Likelihood, Liability, and Lost Opportunity (p. 132). • Avoid security tricks that don’t work, while using a new method that does. See Simple Tricks That Don’t Work (p. 134). • Apply encryption using the best—and often simplest—method. See Use Built-In Encryption (p. 137). Page 7 QUICK TROUBLESHOOTING GUIDE If you need quick help, here’s the starting point. Reset the Base Station from a Lock-Up If your AirPort Extreme Base Station can’t be seen over the network via AirPort Utility (see Install new software, p. 27), and you cannot connect to the base station or the Internet via a Wi-Fi-enabled computer, try these steps in order: 1. Check a local connection: Make sure that the computer running AirPort Utility is on the same local network as the base station. Try connecting the computer via Ethernet to one of the base station’s LAN ports. Try AirPort Utility again. 2. Failing a direct Ethernet connection, try power cycling: Pull the power adapter’s plug out of the wall socket or remove the end that plugs into the base station. Wait 10 seconds. Plug it back in, and try to connect via AirPort Utility. Everything may be back to normal. 3. Failing power cycling, try a factory reset: This step erases any the custom settings you’ve made (I recommend backing up settings using AirPort Utility; see Create and manage profiles, p. 38). To reset the base station, straighten one end of a paperclip, and with the base station plugged into power, hold down the base station’s reset button with the paperclip end. The reset button is recessed in the rear right of the base station below the reset symbol: a white arrow reversed out of a gray circle. 4. Failing power cycling, try to reset another way: Unplug the base station from power, push in the reset button and hold it down, plug the base station into power, and keep the reset button pressed for at least 20 seconds. 5. Failing factory reset: Call Apple for return instructions. Page 8 Printer Problems Printer on 802.11g part of network won’t print You’ll need to connect it to your Extreme N base station. Put Printers in the Right Place explains how (p. 99). Can’t print to a USB-connected printer See Troubleshoot an Unavailable Shared USB Printer (p. 120). Other Troubleshooting Can’t see base station’s network from all computers Did you set the base station to the 5 gigahertz (GHz) band? Only newer Macs with 802.11n built in can connect. See Configure the Spectrum and Channel (p. 42). Can’t connect to base station’s network; get an error instead If you can see its network name, try these fixes: • Did you inadvertently set the base station to allow 802.11n only connections in the 2.4 GHz band? See Connect Your Computers (first Warning, page 70). It’s also possible that access control is preventing access. See Mac address filtering (p. 135). • It’s possible that interference in your area from other networks is preventing you from connecting. You may need to change the base station’s channel. See Eliminate Conflicting Signals (p. 146). Error occurs after connecting to the base station with the correct encryption key Are you using a Mac with the older AirPort Card with your base station set up with WPA2 encryption? See Turning on WPA/WPA2 with AirPort Extreme (p. 141). Firmware update makes base station act erratically Try to Revert to Older Firmware (p. 161). Network works erratically Another network might be interfering with yours. See Eliminate Conflicting Signals (p. 146). Conflicting signals seem to cause network problems See Eliminate Conflicting Signals (p. 146). Page 9 KEY GLOSSARY TERMS In this section, I’ve defined a few terms that you’ll encounter over and over in this book. Read the list below to become familiar with any new terms and refresh your memory on the rest. I also define these terms where they occur. I’ve presented the concepts below in the order you need to understand them, building one on top of the other. Wi-Fi: The set of wireless networking standards that encompasses all of Apple’s AirPort products, and thousands of wireless networking products made by other firms. The in-progress 802.11n standard used in the latest AirPort Extreme Base Station is slated to become part of Wi-Fi in third quarter 2007. Ethernet: A set of standards for connecting computers by wire, typically at speeds of 10 megabits per second (Mbps), 100 Mbps, and 1,000 Mbps. 1,000 Mbps Ethernet is commonly called gigabit Ethernet. Local Area Network (LAN): A LAN comprises computers connected via Ethernet and/or Wi-Fi into a small or large group. A LAN’s computers are in close physical proximity, usually in an area as small as a home office or as large as an entire office building. A LAN is typically thought of as a single network, especially when considering local network resources like fileservers. Wide Area Network (WAN): A router, like the AirPort Extreme Base Station, connects its own LAN to a wider network that’s known as a WAN. A WAN, from the perspective of a base station, is often simply the Internet; or it might be a network connecting several offices run by the same company in different cities. Access point: A wireless networking device that accepts connections from clients or other access points in order to move network traffic over the air. Base station, router, gateway: These three terms are used somewhat interchangeably to refer to the central Wi-Fi hub that connects a LAN to a WAN. Routers, often called gateways, connect different kinds of networks and allow devices on each network to communicate with each other. Apple calls its combination of an access point and gateway a base station; other companies call these Wi-Fi gateways or Wi-Fi routers. Page 10 MAC (Media Access Control) address: The MAC address is a unique number assigned by a manufacturer to each network adapter, including Ethernet adapters and Wi-Fi adapters. The MAC address is used to identify an adapter on a LAN. (Media here is the plural of medium, as in the access medium: the physical means over which data flows.) To learn how to find a device’s MAC address, see the sidebar What and Where is a MAC Address? (p. 59). Larger LAN: A base station often creates a LAN for computers connected to it. But in larger networks, the base station is connected via its WAN port to a “larger LAN”—despite the name of the port, this is a local network, but it typically has services that are passed through to the base station-connected computers. The larger LAN handles functions that an Internet service provider (ISP) would. Often, the settings for an Apple base station are different when you connect it to a broadband modem and the Internet—a simple WAN connection—than when you connect the base station to a larger LAN. Internet Protocol (IP) address: An IP address is a number assigned to a network interface, like an Ethernet card or a Wi-Fi radio, that allows it to be identified uniquely on a local network or the Internet. A device needs an IP address in order to interact with Internet services such as an email server or a Web site. Private IP addresses: Private IP addresses, also called simply private addresses, are assigned in LANs from a pool of globally reserved IP address prefixes. Private addresses are not reachable or routable from outside the LAN without extra work: Internetconnected computers can’t directly address private IP addresses, and require an intermediary to help (see Network Address Translation, below). Public IP addresses: Public IP addresses, also frequently called public addresses, are drawn from the global pool of IP addresses that can be routed, or reached, from any other computer on the Internet. These are colloquially called real IPs. (Public addresses access can be restricted through firewalls, however.) Network Address Translation (NAT): NAT provides a workaround that lets computers outside a LAN reach privately addressed computers inside a LAN. NAT maps outgoing connections from computers within the LAN to an address on the WAN side of a router, Page 11 allowing a response to that outgoing connection, like a Web page being requested and retrieved. NAT can also map in the other direction. I discuss how this mapping can be safely controlled in Map Ports for Remote Access. A NAT gateway is not a firewall, although it’s often marketed as one. Dynamic Host Configuration Protocol (DHCP): DHCP is used to assign IP addresses to computers and other equipment on a network. Any device that can connect to a network has a DHCP client built in, and that client can request and retrieve an address from the network gateway. The AirPort base station has a DHCP server to provide this function. The base station also has a DHCP client that operates on its WAN port to request an address—if necessary—from the higher-level network to which it is connected. In some cases, the DHCP server in the base station is redundant and needs to be turned off to avoid interfering with other elements of a network. In other cases, you might disable a computer’s DHCP client so that you could enter a fixed IP address. DHCP and NAT are often used together: NAT allows a private address to reach the Internet; DHCP assigns that private address to a computer or other networked device. Page 12 LEARN WIRELESS AND AIRPORT BASICS Let’s quickly run through some wireless basics to set the stage for what follows. Access Points and Adapters AirPort and Wi-Fi networks need two connected parts: a wireless adapter and an access point. The wireless adapter is part of a computer or mobile device, while the access point, in many ways, works just like an Ethernet switch. An access point that’s coupled with a router is called a wireless gateway; Apple’s wireless gateway is called a base station. NOTE You might have heard of AirPort Extreme by the name Wi-Fi, which is a certification guarantee for which The Wi-Fi Alliance trade group owns the rights and controls the testing. Wi-Fi loosely connotes wireless fidelity, in the sense of faithfulness: devices with Wi-Fi stamped on them work with other Wi-Fi devices, or are faithful to one another. NOTE An AirPort network is a Wi-Fi network with some Apple extras that may work only with Apple software—under Mac OS X, or Windows XP or Vista—or in conjunction with other AirPort equipment. Examples of such features include streaming audio, hard-drive sharing, and base-station-to-base-station connections. The wireless adapter uses client software on the computer or handheld device to connect to a specific base station (or set of affiliate base stations) after a user selects a network name from a list or manually enters the network’s name. Mac OS X allows network selection from the AirPort menu in the menu bar, the AirPort pane of the Internet Connect program (located in the Applications folder), and the AirPort view in the Network preference pane. When a wireless adapter connects—technically, associates—with a base station, the device to which the adapter is attached can send data to and from the base station. If the base station has encryption enabled, then an encryption key must be provided before the base station allows the device access to any networks to which it connects. Page 13 Depending on your setup, the key, a series of characters, must be entered exactly as it was entered on the base station. A stored key can be sent without a person having to re-enter it. Avoid entering an encryption key manually: The AirPort Extreme also now supports a simpler method that avoids key entry altogether. See Use WPS. Once an adapter connects to a base station and the encryption key is accepted, the computer’s operating system can carry out the next steps, such as automatically requesting an Internet protocol (IP) address using DHCP and sending data over the wireless network. The Spectrum Part of Wi-Fi Wi-Fi networks use unlicensed spectrum, so called because regulatory agencies don’t require users to obtain a license to use those airwaves, and everyone may use that spectrum; cellular telephone companies, by contrast, pay huge amounts for the exclusive geographic rights to certain frequencies. Unlicensed bands—specified ranges of frequencies—are divided into smaller upper and lower bounds called channels, which allow many devices to use the same band within “hearing” distance of each other, but without overlapping any or all the frequencies they employ. However, unlicensed bands are intended for broad use by individuals and businesses, and there’s no guarantee that you and other people won’t produce interfering signals, reducing the speeds you can achieve. The rule is that in these unlicensed bands, devices use extremely low signal power, but they also must be quite robust in order to cope with lots of interference while still functioning. In the United States and in most countries, the 2.4 GHz (gigahertz) and 5 GHz bands are available for use. (The 900 MHz [megahertz] band is also unlicensed in the United States, but it is not employed for wireless LANs.) The precise frequencies and channels vary enormously by country. Older AirPort equipment could work only in the 2.4 GHz band; the 2007 version of the AirPort Extreme and the 802.11n protocol can use either the 2.4 or 5 GHz band. Page 14 Warning! Apple and other manufacturers limit the usable channels and power output levels of Wi-Fi devices to what’s legal in the country in which the gear is sold. Using that equipment outside the country of purchase without first checking on what’s legal could result in fines or jail time. NOTE In some countries, the 4.9 GHz band is used instead of the 5 GHz band; in the United States, 4.9 GHz is a restricted band, partly devoted to fire, emergency, and police digital communications. Wi-Fi and AirPort Flavors AirPort hardware has gone through many transformations since its original 1999 introduction. Each major flavor of Wi-Fi that Apple has built into AirPort gear relies on industry standards created by the IEEE, the Institute of Electrical and Electronics Engineers. The IEEE has groups that work on many different kinds of standards. Their 802 group handles local area networks (LANs), and a working group in that area, numbered 11, covers wireless LANs (WLANs). This is called the 802.11 Working Group. Each successive update to the standard produced by the 802.11 group is lettered and defines a particular set of codified ideas. For instance, the original popular flavor of Wi-Fi was known as 802.11b or just “B” for short. The current fastest generation is known as 802.11n or “N,” and is still being finalized even as Apple and others have released equipment that uses a draft of the standard, often called “Draft N” (see Not yet finished, for more detail). The Wi-Fi Alliance takes those IEEE standards and builds tests that allow different makers to ensure that they are creating equipment that works with all the other manufacturers’ equipment and that carries out a common set of tasks in the same way. Since the original AirPort in 1999, Apple has released three major versions of AirPort hardware, which correspond to three major revisions of the IEEE 802.11 standards (Table 1, next page). Every older version can be used with even the newest flavors. Let’s look at those older flavors, briefly, and then focus on Apple’s newer 802.11n gear. Page 15 Table 1: Wi-Fi Standards in Apple Hardware Standard Apple Equipment (introduced, discontinued) Raw Speed Maximum Throughput 802.11b (B) • AirPort (1999, discontinued 2003) 11 Mbps 5.5 Mbps 54 Mbps 25 Mbps 300 Mbps 90 Mbps (with Feb. 2007 base station) • AirPort Card (1999, discontinued 2004) 802.11g (G) • AirPort Extreme (2003, discontinued 2007) • AirPort Extreme Card (2003, superceded by built-in adapters, but not discontinued at this writing) • AirPort Express (2004) • Built-in 802.11g adapter in Macs (2005) • iPhone (June 2007) 802.11n* • AirPort Extreme (Feb. 2007) (N or Draft N) • Apple TV (Feb. 2007) • AirPort Extreme with gigabit Ethernet (Aug. 2007) • Built-in 802.11n adapter in all current model desktop, laptop Macs (late 2006)** 140 Mbps (with gigabit model) * Current draft became a tested part of Wi-Fi in June 2007; final version is due in September 2008 in a very similar form. ** Intel Core 2 Duo Macs except discontinued 1.83 GHz iMac and all Mac minis; optional adapter for the Mac Pro. Original AirPort (1999) The original AirPort system uses 802.11b, and it comprises an AirPort Card, which fits into a card slot in all AirPort-capable Macs released through 2002; and an AirPort Base Station, which resembles a small, gray (“graphite” original) or white (“snow” revision) flying saucer. The graphite base station has a single Ethernet port and a built-in modem; you couldn’t connect the graphite model to an Ethernet LAN and WAN at the same time. The snow base station added a second Ethernet port, which increased security and flexibility by allowing Page 16 you to separate a LAN from a broadband or wide area network (WAN) connection via a cable or DSL modem. AirPort Extreme (2003) AirPort Extreme 2003 uses the 802.11g standard. AirPort Extreme originally appeared in two components: the AirPort Extreme Card that fit into a new kind of internal card slot, and the AirPort Extreme Base Station. The Base Station has the previous generation’s spaceship shape, is translucent white, and has three white LEDs for status on the front. Apple started adding the Extreme card slot to Macs released starting in January 2003, and completed the transition by September 2003. By 2006, all Macs included AirPort Extreme as a built-in feature except for the Intel Xeon Mac Pro, which has the option to be factory equipped with Wi-Fi, and the Xserve, which is designed for server rooms. (Bluetooth came to be included in all but those two models, too, by 2006.) Apple quietly added 802.11a—which uses a different frequency band and is explained later—to the Intel line of Macintoshes, but never explicitly advertised this fact or offered support. See Apple’s version of 802.11n for why this is useful. Card or built-in? Apple moved from offering Macintoshes with an AirPort Extreme card slot to including Wi-Fi onboard—but they still call the technology AirPort Extreme, and they still sell the standalone card for older Macs. AirPort Express (2004) The AirPort Express Base Station, which started shipping in July 2004, is similar to the AirPort Extreme Base Station, but it supports fewer users and can stream music to a stereo. A single yellow/green LED shows the unit’s status. The Express is still sold as this book goes into production. AirPort Extreme (2007) At Macworld Expo 2007, Apple quietly moved the AirPort Extreme Base Station from 802.11g to 802.11n. They announced that most current Macs could have 802.11n enabled through a firmware update, and they revealed a new AirPort Extreme that started shipping in February 2007. This unit had just 10/100 Mbps Ethernet built in. Page 17 In August 2007, Apple released an updated unit, keeping the same name but adding gigabit Ethernet. Because Apple has unfortunately kept the name the same for both of these new units, to avoid confusion, I call the new base station models collectively “Extreme N” where Ethernet speed doesn’t matter. When Ethernet makes a difference in performance or features, I call the February 2007 model “Extreme N (original)” and the August 2007 model “Extreme N (gigabit).” This new base station has a square footprint, is squat, and is designed to be stacked, making it easy to distinguish visually from the spaceship shape of previous base stations. Extreme N Details Let’s learn more about the new Extreme N base station and Extreme N AirPort adapters. 802.11n technology 802.11n is up to seven times faster than G in typical circumstances when measuring real data passed over a network. N uses several antennas, with at least two receiving and two transmitting data, as well as multiple radios. Each radio can transmit data while varying the amount of power on each transmitting antenna, thus steering the radio beam. This allows signals to go farther, and allows multiple simultaneous data streams—each radio sending a unique set of data at the same time over the same frequencies! Each incoming signal is “heard” by two or more antennas, making it easier to pick up more distant transmissions and to tease out the wheat (data) from lots of chaff (other, interfering signals and background noise). These techniques allow 802.11n to have a raw data rate of 300 Mbps in a basic version and up to 600 Mbps in advanced versions. The Extreme N and other consumer gateways will almost all use the 300 Mbps speed, which can pass as much as 150 Mbps in real data. The speed drops when other Wi-Fi networks are in use in the vicinity, when older 802.11 devices are used on the same network, or when N adapters are far enough away from the base station to require slower transmission rates. Page 18 Not yet finished An important proviso when discussing 802.11n is that the standard isn’t finished. As with some earlier 802.11 standards, the work has taken so long in the IEEE 802.11n task group that companies and the Wi-Fi Alliance have moved forward while the details are being settled. That led to a lot of equipment working at its best speeds only when exchanging data with other devices made by the same company and using the same Wi-Fi chips. Draft N, as it’s known, spent 2006 in limbo, while companies and engineers engaged in horse trading in order come up with something the whole industry liked. Draft 2.0 was accepted by the IEEE’s wireless networking group in March 2007, and the Wi-Fi Alliance developed a set of interim interoperability tests in June 2007 to certify equipment as complying with Draft 2.0. Most major hardware vendors have had pre-production versions of their Draft N hardware approved by the Wi-Fi Alliance to carry their Draft N seal of approval. However, the testing happens on engineering models; firmware still must move into production and then be released as updates by hardware makers. In early September 2007, Apple released its certified Draft N firmware update for Extreme N. By the time you read this book, many other companies’ products should also have certified Draft 2.0 firmware available for download. That new firmware should, in turn, allow the highest possible speeds among all Draft 2.0 gear. Apple’s version of 802.11n The Extreme N is the first base station released by Apple that supports both major frequency bands for Wi-Fi: 2.4 gigahertz (GHz) and 5 GHz. While 2.4 GHz is better known, and has been used by the original plain 802.11 spec, as well as B and G, the 5 GHz band has been available for some time, waiting for the right technology to make use of its wide-open spectrum. Page 19 NOTE A little-used 802.11 protocol known as 802.11a, or “A,” was famously declared dead by Steve Jobs in January 2003. The A protocol never took off because while it had the advantage of using the 5 GHz band, it wasn’t backward compatible with the popular B protocol, which is still in wide use. Some organizations chose to use A for voice over IP (VoIP) for that very reason: they could use the 5 GHz band with little interference. Apple slipped 802.11a into the Intel versions of its Macs without advertising the fact because the Intel chips Apple used included 802.11a at essentially no additional cost. Since there were so few 802.11a base stations available—almost none for consumers—the fact seemed unimportant. The 5 GHz band in the United States offers 23 non-overlapping channels for 802.11a/n; whereas the 2.4 GHz band offers only 11 staggered, overlapping channels for 802.11b/g. Further, the 5 GHz band has many fewer users. Tune in tomorrow: Apple has chosen to allow use of just eight of those 5 GHz channels at present, but future firmware could easily up the total to 23. The company told me in August 2007 that they are investigating adding more channels but had no specific plans nor timetable. When and if that happens, I’ll post information on this book’s update page; click the Check for Updates link on the cover to visit that page. Warning! Apple sells specifically tailored versions of its Extreme N for different parts of the world. This is especially significant due to how the 5 GHz band is regulated in each country. If you buy a North American Extreme N and take it to, say, France, as one of my colleagues did, when you power it up, you’re likely in violation of local law. If you happened to tread on local uses, including military purposes, you could be found (via triangulation) and spend some years in jail. Apple could have supported just 2.4 GHz in the new 802.11n gear for backward compatibility, but instead the new gear supports both bands, which offers a lot of potential for maximizing the speed of a network, even in the home. (See Mix Legacy, New N Networks.) Page 20 Physical features The latest base station (Figure 1) is square, designed for stacking, with the same footprint as a Mac mini (6.5 inches/16.5 cm square), and a smaller footprint than the Apple TV (7.7 inches/19.7 cm square). (The Apple TV is 1.1 inches/2.8 cm tall; the Mac mini, 2 inches/5.1 cm; and the Extreme N, 1.3 inches/3.4 cm.) FIGURE 1 The tilted front view (left) and straight-on back view (right) of the AirPort Extreme Base Station introduced in 2007. The back ports are, left to right, power, USB, one WAN Ethernet jack, three LAN Ethernet jacks, and a security slot for physical lock-down. The Extreme N base station is the first to offer an Ethernet switch; Apple included four Ethernet ports, three of which are used for the LAN and one for the WAN. The Extreme N (original) included 10/100 Mbps Ethernet. The N standard can outstrip 100 Mbps Ethernet, which achieves somewhere over 90 Mbps of real throughput. That’s the reason why in August 2007, Apple released the Extreme N (gigabit) with 1,000 Mbps Ethernet on all four ports. In the process, Apple improved throughput in nearly every configuration I tested. Hardware, not software: Before you ask, the earlier Extreme Ns can’t be upgraded to support gigabit Ethernet. Okay, it’s a reasonable question, given that Apple’s 802.11n was included but not turned on, in some Macs. To add gigabit Ethernet, Apple used different chips in the second model of the Extreme N. Fastest method: If you really need speed, gigabit Ethernet is far faster and simpler than Wi-Fi, with the only downside being the requirement for wires. Ethernet switches can deliver nearly seven times the throughput of N between any two connected gigabit Ethernet devices in both directions. In contrast, Wi-Fi is limited to half its maximum speed when transmitting data between two Wi-Fi devices on the same network. Page 21 Adapters in Macs Starting around the end of the third quarter of 2006, Apple began introducing new Mac models that secretly included 802.11n wireless chips. Apple didn’t tell customers or enable the faster N mode, so the Macs behaved like they had a G card inside. Apple was apparently waiting for the standard’s progress to be clear before switching on the new 802.11n capabilities. (Clever buyers who cracked their Macs open figured this out long before Apple made it official.) This set of computers comprises: • All Macs with Wi-Fi adapters and Intel Core 2 Duo processors— except the 17-inch, 1.83 GHz iMac , which was discontinued in August 2007, and the Mac mini. (Those exceptions have 802.11a, however.) • The Xeon Mac Pro, if you chose the wireless add-on option. Enable your Mac! Apple didn’t start enabling 802.11n on Macs until as late as third-quarter 2007. So, depending on when your Mac entered the retail channel, it may, or may not, need you to enable 802.11n. (Find out if you Mac needs to be enabled in the sidebar Do You Need the 802.11n Enabler?) To enable a Mac, you must install the AirPort Extreme 802.11n Enabler for Mac. You can install it from the CD that ships with the Extreme N, as I describe in Install new software. You can also buy it from the Apple Store separately for $1.99. Once you own a copy of the enabler, you can use it on “all computers under your ownership or control,” as Apple’s licensing terms put it. Third-party adapters Apple didn’t offer—and never will offer—N on the separately installable AirPort Extreme Card. About 3 years ago, Apple began including the 802.11g AirPort Extreme as a basic design feature on new Macs. Without Wi-Fi being on a separate card, Apple had little motivation to provide an upgrade. They’d rather you buy a newer computer, if you really need 802.11n. Third parties are starting to step up to the plate, however, with QuickerTek the first out of the gate and Other World Computing following at their heels. Page 22 QuickerTek The company has released several adapters in its nQuicky series and under other names (http://www.quickertek.com/). Some options remain expensive (at this writing) because of the higher engineering cost and higher chip costs associated with N right now. Expect prices to drop. The nQuicky models and the nNano all support just 2.4 GHz, which reduces potential throughput. The nNano is a $59.95 USB adapter that works with all Macs running Mac OS X 10.3 or higher; they’re also offering the $49.95 Nano, which is 802.11g only, useful for Macs that could otherwise operate only at 802.11b speeds with a hard-to-obtain original AirPort Card. The nQuicky USB ($149.95), nQuicky PCI ($99.95), and nQuicky CardBus ($64.95) all require Mac OS X 10.3.9 or later. The USB model works with any Mac, and it has a much higher-gain antenna than the nNano; the PCI works with all Power Macs (G3, G4, and G5) except the G5 models that use DDR2 (double data rate, 2nd version) memory; and the CardBus adapter supports any PowerBook. For Intel Macs issued without Draft N hardware, QuickerTek offers hardware updates that require opening a case and messing about. They’ll also perform the upgrade for you. Prices for the kit and the mail-in install (exclusive of return shipping) are: MacBook or MacBook Pro, $99.95/$149.95; Mac mini or iMac, $179.95/$199.95. Finally, if you have a Mac mini, QuickerTek offers a kit and mail-in install ($149.95/$199.95) that swaps in 802.11a for 5 GHz and 802.11n for 2.4 GHz. It’s an odd option, but could be useful. Other World Computing Other World Computing has also released a set of 802.11n adapters that work in the 2.4 GHz band: a PCI Card for Power Macs, a PC Card for PowerBooks, and a USB adapter for any Mac that can run Mac OS X 10.3 or later (http://eshop.macsales.com/shop/wireless/). All three adapters in their Edimax nMax series cost $67.99, and work with Windows XP/2000 and later, too. A unique aspect to the Edimax adapters is that they support wide channels in 2.4 GHz. Because Apple doesn't offer wide 2.4 GHz channels, you would need a Wi-Fi gateway from another company to take advantage of that option, which isn't considered particularly advantageous in 2.4 GHz, anyway. Page 23 More coming soon I expect that other vendors will add Mac OS X drivers, too, as many have with each previous generation of Wi-Fi hardware. Belkin, a stalwart provider of Wi-Fi and other peripherals with Mac OS X drivers, told me fairly strongly that Mac OS X drivers are coming for their equipment. Ralink is likely, too, as are firms that resell products using Atheros chips (Atheros is Apple’s chip supplier for Wi-Fi). Compatibility among AirPort Generations Each AirPort generation is backward compatible with all previous generations, although backward compatibility can be turned off. While the original AirPort handled just 802.11b, AirPort Extreme 2003 added 802.11g, which incorporates B with full support. Likewise, Extreme N’s 802.11n handles the older A, B, and G standards. However, transfer speeds between an adapter and a base station running different 802.11 standards can’t exceed the speed supported by the slower of the two 802.11 flavors that both devices share. A B device connecting to an N base station communicates at B speeds, meaning that each packet of data a B device pushes through the network occupies the equivalent of 10 to 20 N packets. While most of the loss in throughput happens only while older devices are taking up airtime (and newer devices are cooling their heels), simply enabling backward compatibility shaves at least 10 percent off the maximum throughput of the network. This overhead comes from the fact that every computer on the network must send extra traffic that’s designed for older devices to interpret. NOTE Wi-Fi gateways can force older adapters to talk less. In one method, an 802.11n gateway would use an existing mechanism that all the standards understand to grab an equal amount of time as a B device, rather than an equal amount of data. These mechanisms aren’t standardized yet, and it’s unclear if Apple has implemented any of them. In the future, it’s likely that we’ll see this kind of protection against older devices hogging a network. One way to avoid bogging down an N network is to set the N network up as a new, separate entity, leaving an older, slower B or G network in place. I discuss how to set this up in Mix Legacy, New N Networks. Page 24 PUT YOUR BASE STATION INTO ACTION You’re ready to set up your network, so let’s get unpacking! This section focuses on initial setup, and in many cases it will take you to a working Wi-Fi network. But, if you need to go beyond the basics, you can keep reading beyond this section to learn about special cases in configuring your local and wider network connections. Also, note that Connect Your Computers, later, explains how to connect via WiFi from any computer in the vicinity to the newly set up base station. TIP MULTIPLE HOPS TO THE INTERNET Although one base station must be connected with Ethernet to your Internet connection, you can connect AirPort Extreme—both G and N models—and AirPort Express Base Stations wirelessly back to that main base station. For setting up these satellites, see Bridge Wirelessly for step-by-step details. Set Up Your Base Station Let’s get that base station out of its box, plugged in, and ready to connect to the Internet. Unpack and power your base station The Extreme N comes with fewer parts than any previous Apple base station. Unpack the base station to determine what you have and if you need any additional hardware: • Remove your base station from its box and check the parts. The Extreme N box includes just a few necessary parts: The square base station, a CD containing utility and enabler software, and a power adapter and its corresponding AC power cord. The base station no longer comes with a wall-mounting bracket; it’s designed to work horizontally. • Is the power cord long enough? The power cord’s length— 17 feet/5.2 m—should aid in placement; in the American version, the AC end of the cord terminates in a non-polarized two-prong plug—both prongs are the same width—which can work in any outlet in either orientation. That still may not be long enough, so plan on purchasing a lightweight extension cord if you need to place the base station more than 17 feet/5.2 m from an outlet. Page 25 This model doesn’t have a wall-mounting bracket because it works best level on a table or floor. (For now, your goal is to plug the base station in where you can set it up, though you may wish to skip ahead and read Pick the Right Place for Your Base Station before you continue.) • Get Ethernet cables. The Extreme N, unlike its predecessors, comes with no network cables. Configuring your base station may be simpler if you hook it to your computer or existing LAN with an Ethernet cable, and you need at least one Ethernet cable in the likely case that you plan to connect the base station to a broadband router or other network. The Extreme N has autosensing, auto-switching Ethernet, which means you needn’t buy particular kinds of Ethernet cables. I recommend Cyberguys.com as a good online source for cables (http://www.cyberguys.com/). Configuration Computer: You’ll be using AirPort Utility to configure your base station, and the steps I give shortly show screenshots taken on a Macintosh. To configure from a Mac, you must be running Mac OS X 10.4.8 or later. However, AirPort Utility can also be installed under Windows XP or Vista, and the steps are the same. Now it’s time to power up. Plug your base station into an electrical outlet, and plug an Ethernet cable from your computer into any of the three LAN ports. If you’d rather have mobility while configuring, you can also set up the base station via Wi-Fi, but you will have to keep reconnecting after each configuration change if you change password and naming options. Flashy: In a neat addition, all the Ethernet ports on an Extreme N have a tiny green LED that lights up when an Ethernet cable is connected to the port and there is a live connection on the other end of the cable; the LED flashes to indicate activity. A front green/amber LED shows the status of the base station, including activity (green) or trouble (amber). I recommend not connecting your base station via the WAN (Wide Area Network) port to a broadband modem or the rest of your network until you’ve carried out more of the setup, especially the very next part. Page 26 Install new software The Extreme N comes with a CD full of software: AirPort Utility, AirPort Disk Utility, and the 802.11n enabler for appropriately equipped Macs. The software isn’t—at this writing—available for download from Apple’s Web site. AirPort Utility replaces the hoary AirPort Admin Utility, which dates back to 1999; the new AirPort Utility combines a set of assistants with advanced configuration options (Figure 2). It can configure any AirPort Extreme or AirPort Express base station. No advantage for older base stations: AirPort Utility is different, not better, than the older AirPort Admin Utility. There’s no particular reason for those of you without an Extreme N to use the newer software. TIP If you’re still using an old graphite or snow base station, the AirPort Admin Utility isn’t deleted; it’s renamed AirPort Admin Utility for Graphite and Snow (find it in /Applications/Utilities). FIGURE 2 The main screen of the new AirPort Utility. Page 27 On a Mac running Mac OS X 10.4.8 or later, or with Windows XP or Vista, run the installer on the CD. While installing, on the Installation Type screen, you can click the Customize button to install individual utilities or components. The full installation includes: • AirPort Utility, which you need to configure your Extreme N base station. • AirPort Disk Utility (called AirPort Disk on the Custom Install screen), which lets you mount hard disks and partitions that are connected via USB to an Extreme N. • AirPort Base Station Agent, a monitoring program that can alert you when there’s a problem with an Extreme N on the local network. • The 802.11n enabler, (it’s called AirPort Extreme Drivers on the Custom Install Screen), which turns on the N support in Macs that have the correct chips. It’s installed only on computers that need it. All newly purchased Macs that were described as including 802.11n are already enabled for that flavor of Wi-Fi; if you bought a Mac before August 2007, see the sidebar Do You need the 802.11n Enabler?, next page. The last step of the installation is to restart the computer. Page 28 DO YOU NEED THE 802.11N ENABLER? You can check if you need to install the enabler on your Mac by launching Network Utility from /Applications/Utilities and choosing the appropriate interface from the pop-up menu at the top of the Info pane, usually “Network Interface (en1)”. If the computer doesn’t require the update, “(802.11a/b/g/n)” appears under Wireless Network Adapter at the bottom (Figure 3). If only “(802.11a/b/g) is shown, run the enabler and restart, and then check Network Utility again. FIGURE 3 Network Utility shows that the 802.11n enabler isn’t needed. After restarting, you can find AirPort Utility and AirPort Disk Utility in /Applications/Utilities. Run the installer on every computer on your network that has an 802.11n adapter that needs to be upgraded, from which you want to mount hard disks connected to the base station, or with which you want to configure the base station. Launch AirPort Utility and let’s get this AirPort on the air! Keep up to date The first time you run AirPort Utility, it prompts you to choose whether or not to check for updates automatically. Although Mac OS X’s Software Update feature (Apple > Software Update) will also alert you to install AirPort software and firmware releases, Apple set Page 29 up this separate update conduit to make it more likely that you would apply security, stability, and compatibility upgrades that you might otherwise ignore for a while in Software Update. This update notification works whether or not you have AirPort Utility launched. The AirPort Base Station Agent, added as part of the AirPort Base Station Update 2007-002 (for Mac and Windows) in August 2007, monitors at the frequency you specify for updates, and then launches AirPort Utility if an update is available. You can adjust the frequency for which updates are checked in AirPort Utility’s Preferences dialog (Figure 4). FIGURE 4 AirPort Utility can check for AirPortspecific software releases independently from Software Update (top). The Summary view also alerts you when an upgrade is available (bottom). Connect to your base station AirPort Utility is your one-stop shop for setting up the base station’s parameters. But, first, you need to make a network connection to your base station so that AirPort Utility can access it. With AirPort Utility launched, use one of these three methods to find your base station; the methods are listed in order of simplicity: • Connect via LAN: In the simplest case, you use an Ethernet cable to plug your computer into one of the three LAN Ethernet ports on the Extreme N. The unconfigured base station should appear in the left column of AirPort utility (Figure 5), confirming that you’ve made the connection. Page 30 FIGURE 5 An unconfigured base station appears in AirPort Utility’s base station list named uniquely with the last six digits of its AirPort ID (see the note, “Default Network Names,” below). (Dig the subtle reflection!) • Connect via a larger network: For larger LANs, in which the base station is just a piece of the network, you can connect the base station to your larger LAN through the base station’s WAN port, connecting an Ethernet cable from it to any port on an Ethernet switch on your network. Because the base station uses Apple’s Bonjour, a way for devices to advertise their availability across a network, you should be able to spot the new base station in AirPort Utility even though it hasn’t been configured. Failing that, try configuring with Wi-Fi. • Connect via Wi-Fi: Slightly trickier is connecting via Wi-Fi, because many configuration changes require that you apply new settings by clicking Update in AirPort Utility. This restarts the base station and thus you have to reconnect to it. From the factory, Extreme N is set to 2.4 GHz, so you can initially configure it via Wi-Fi from any computer. An unconfigured base station shows up with a default Wi-Fi network name in the AirPort menu (see “Default Network Names,” below). NOTE DEFAULT NETWORK NAMES The default Wi-Fi network name for Extreme N base stations— as well as previous base station models—is AirPort Network 0033FF where 0033FF is replaced with the last six digits of the AirPort ID of the wireless adapter in the Extreme N. The default Ethernet network name is Base Station plus a space and then the last six digits of the AirPort ID. That ID is printed on the underside of an Extreme N. The AirPort ID is a MAC (Media Access Control) address. See What and Where Is a MAC Address? (p. 59) for more information about MAC addresses. Page 31 Handle initial setup The simplest way to configure a base station is to use AirPort Utility’s built-in assistant, which walks you through assigning a name to the base station, changing its administrative password, and turning on encryption. (If you are reconfiguring a base station, see Reconfiguring a base station, ahead.) Follow these steps to configure your base station: 1. In AirPort Utility, select the base station from the list of base stations at the left. 2. On the “Welcome to AirPort Utility” screen, click Continue to open the first Network Setup screen (Figure 6). FIGURE 6 Enter a network and base station name. Screen names: The assistant screens lack unique names; look in the title bar of each window for the name of the screen. I’ll give you other cues, too. 3. Enter a network name and base station name: • The network name will be “advertised” to Wi-Fi adapters that scan for networks to connect to; for instance, on a Macintosh the network name will appear in the AirPort status menu at the right of the menu bar. Multiple base stations may share the same network name to create a network with a larger area or more available bandwidth. • The base station name will be used to identify the base station in AirPort Utility. Page 32 Once you’ve entered both names, click Continue. 4. On the second Network Setup screen (Figure 7), choose the country in which the base station will operate and the backward compatibility you need, and click Continue. FIGURE 7 Choose your country and compatibility. Almost anyone reading this book will want to choose United States or Puerto Rico, and leave the radio button next to Radio Mode set to “802.11n (802.11b/g compatible)”. (For more about spectrum and country choices, see Configure the Spectrum and Channel.) Warning! Do not use the AirPort Extreme in a country that’s not listed in the Country pop-up menu. It’s not just a suggestion; national regulators monitor for misuse and you could wind up in the pokey, or worse. 5. On the third Network Setup screen (Figure 8), select the level of security you want to use: • WEP allows the oldest Wi-Fi adapters to connect to a network. • WPA2 is actually mixed WPA/WPA2 security, which allows Macs running Mac OS 10.3 Panther or later and computers with Windows XP SP2 or later to connect. • No security allows all connections. Warning! Apple’s explanation on this screen about how WPA and WPA2 work is a little breezy, and it could frustrate you when trying to connect some older Macs to the network. The Use Built-In Encryption section can help you avoid that frustration. Page 33 Select your security option, and click Continue. FIGURE 8 Set security to prevent unwanted users. 6. The first Internet Setup screen lets you choose how addresses are assigned on your network (Figure 9). The four options cover the major scenarios, which you then configure in the next step: • DSL or cable modem with static IP address or DHCP: This is the right choice in almost every case. Most broadband providers use DHCP to assign your base station an address automatically. (DHCP and the corresponding NAT feature are explained in detail in Hand Out LAN Addresses.) A static IP address requires additional manual entry. (A static IP address is a fixed IP address that your service provider provides to you.) • DSL or cable modem with PPPoE: This option works with ISPs that use a special log in that the base station has to handle. The login process lets an ISP server assign an address (static or dynamic) to your base station. • LAN: For larger networks, this is the right option, because you’ll set up networking values based on what you chose yourself or use those provided by a network administrator. Page 34 • Not ready: Apple provides this choice so you can configure the rest of the settings without having to gather details for the Internet setup. • Modem: A modem option appears but is dimmed for Extreme N base stations. If you’re configuring an older Extreme G with a modem, that option’s available. Confirm your selection and click Continue. FIGURE 9 Choose the kind of connection that’s exactly or close to your set up. 7. In the second Internet Setup screen, configure the TCP/IP connection that allows your base station to access the Internet: • If you chose the first (DSL/cable with static or DHCP address) or third (LAN) option in the previous step, you have two choices: ◊ If you aren’t sure, or your ISP told you to, choose Using DHCP from the Configure IPv4 pop-up menu. This option is what most people choose. ◊ If your base station is assigned a static address, with details provided by your ISP or network administrator, choose Manually from the Configure IPv4 pop-up menu. Page 35 • If your provider uses PPPoE, enter the account name, password, and optionally the service provider’s name, while choosing to have the connection always on (default), automatic (connects when needed), or manual (connects when you choose). For more details, see Set Up Your Network. Click Continue. 8. The USB Peripherals Setup screen lets you set your initial password configuration for attached hard disks that can be shared via the Extreme N. For details on these choices, see Set Up a Shared USB Disk. The preselected options are fine; click Continue. 9. On the AirPort Extreme Setup screen, set up a base-station password. This password is unrelated to network data encryption and protection, but it’s vital to set the password to prevent unwanted access by others to the base station. The default base station passwords for all Wi-Fi routers are well known. Use a password that is simple, but hard to guess. I recommend checking the Remember the Password in My Keychain option so that you can invent a password here and have the system store it. Click Continue when you are ready to move to the next screen. 10. The Summary screen shows all your choices (Figure 10). You can click Go Back repeatedly to change options, or Update to store your options and restart the base station with those new settings. If you’ve forgotten the passwords you entered, click the Show Passwords button first to see them in plain text so you can copy them or write them down. NOTE Whenever you click Update in AirPort Utility, the program sends your configuration changes to the base station, which burns those changes into non-volatile memory. Removing power from the base station doesn’t cause it to lose these settings. Page 36 FIGURE 10 A summary appears, showing the choices you made during setup. Reconfiguring a base station You can reconfigure a base station that’s already set up by selecting the base station in AirPort Utility and choosing Base Station > Assist Me. NOTE HOW TO RETURN TO THE FACTORY DEFAULTS You can reset an Extreme N to its factory settings at any time through software or hardware. Resetting the Extreme loses all settings you’ve applied, including passwords. If you save a configuration (see Export and import configuration profiles), you can load that configuration after resetting the base station. Via software, launch AirPort Utility, select your base station, and choose Manual Setup or press Command-L. From the Base Station menu, choose Restore Default Settings. Click Restore in the dialog that appears and wait for the base station to restart. If you can’t connect to the base station or prefer the hardware approach, use a ballpoint pen or the tip of a straightened end of a paperclip to press the reset button for at least 5 seconds. The tiny reset button is on the Ethernet connection end of the Extreme, beneath a white right-pointing arrow in a field of gray. Page 37 Create and manage profiles The Extreme N carries over a feature, first found in the AirPort Express, which allows you to define and store multiple profiles. A profile is a complete set of configuration parameters; each profile resides on the base station in non-volatile memory. Stored versus exported profile: I call this form of profile a “stored” profile to distinguish it from the “exported” profile described just below. These profiles can be useful when you’re sorting out precisely what options you want for your network and want to create different scenarios to test. Stored profiles are also useful if you take the base station to different locations. I suggest starting with a base profile that you can duplicate to test other options, and then you can simply revert to it whenever you like. Since you created the equivalent of a profile in following the steps (just previously) for initial setup of an Extreme N, you can rename that first profile to something descriptive and then duplicate it: 1. Select the base station in AirPort Utility, and then choose Base Station > Manual Setup (Command-L). 2. Choose Base Station > Manage Profiles. The screen that appears lets you create, activate, and delete profiles. 3. Click the profile. button to copy the current configuration to a new You should now see another profile in the list. The AirPort Utility also adds a Profile pop-up menu at the bottom of the screen. 4. Name the new profile: double-click the profile name to activate the edit field, and then type a new name. Press Return to accept the new name. You can switch among profiles by choosing them from the Profiles pop-up menu at the bottom of the manage profiles screen (Figure 11). You must click Update to activate a given profile, or to save changes that you make to the active profile. Page 38 FIGURE 11 AirPort Utility lists stored profiles for a base station. To switch to a different profile, choose the profile’s name from the Profiles pop-up menu and click Update to restart the base station and load that profile’s settings. Export and import configuration profiles There’s one more way you can work with profiles that you set up in AirPort Utility: you can export current settings to a file that can be imported later, for the same base station or for a different one. This is useful when you want to create a model configuration with the same network name, password, and other details, and then use it to configure many base stations. Page 39 Warning! Unlike stored profiles, these exported profiles do not reside on the base station. However, profiles can be exported and imported from any AirPort Extreme or AirPort Express base station; stored profiles are available only with the Extreme N and AirPort Express. Management utilities will return: AirPort Management Tools lets you manage several base stations at once, including applying a model configuration file to them. However, it hasn’t been updated at this writing for Extreme N. Apple told me it will be updated at some point—although they told me that in February 2007, and the tools hadn’t returned when we published this edition in September 2007. To export a profile: 1. In AirPort Utility, select the base station from the list at the left, and choose Base Station > Manual Setup (Command-L). 2. Choose File > Save a Copy As, and name the file descriptively, as there will be few other clues that help you identify the file. (Apple should have named this option Export Profile, since that’s the action the menu item carries out.) After you’ve exported a configuration file, you can open it within AirPort Utility to examine the file’s list of settings without applying those settings to an active base station. The settings appear in what looks like a standalone AirPort Utility configuration window, but you can’t apply the settings against a base station from that window. If you want to restore a base station to the settings in a file or configure a different base station in the same way, follow these steps to import the exported profile: 1. In AirPort Utility, select the base station from the list at the left, and choose Base Station > Manual Setup. 2. Choose File > Import. (See? For symmetry’s sake, you’d like Apple to call the opposite operation Export!) 3. Select the configuration file and click Open. 4. Choose which options you want to import and click OK. Page 40 Extreme N includes timed settings, which can restrict access to given computers at given times of the day or week, and you can choose to import just those restrictions, all settings, or all settings except restrictions (Figure 12). FIGURE 12 Select settings to import. 5. Click Update to apply the imported profile’s settings. Once the profile is imported, the settings replace your current base station settings. This could confuse you if you’re also using stored profiles: the imported profile modifies the active stored profile. These changes take effect when you click Update. TIP Importing just Timed Access Control settings lets you apply the same restrictions for use across all base stations on a network, while just setting those restrictions on a single base station. Connecting remotely You may want to set up remote access to your AirPort, so that you can configure it via its WAN port—either from a larger network to which the gateway is connected or elsewhere on the Internet. While there are some risks associated with that, remote connections also mean you can help, say, relatives, friends, or remote offices keep their networks running. To allow remote access, follow these steps: 1. In AirPort Utility, select the base station from the list at the left, and choose Base Station > Manual Setup. 2. Click the Base Station button in the AirPort pane. 3. Check Allow Configuration over Ethernet WAN Port. Page 41 With remote access on, AirPort Utility can now access a remote Extreme N via its IP address or through a domain name if you’ve assigned that name through DNS (Domain Name Service). To make the connection, choose File > Configure Other and enter the IP address or domain name. Secure connection: I didn’t know if AirPort Utility creates a secure, encrypted connection when you configure locally or remotely. I looked at a packet dump of raw data while configuring a unit, and saw nothing intelligible, which typically means that encryption is employed. I asked Apple, and they assured me that they did the right thing: you can enter a base-station password and configure over a local or remote network without fear of interception. Configure the Spectrum and Channel With the Extreme N, you’re faced with a choice: 2.4 GHz or 5 GHz? That choice makes a huge difference in the overall performance of your network, and how well it works with older machines. Warning! With all the talk of Extreme N supporting two frequency bands, you might have thought that the base station could work in both bands simultaneously. Not so; that would require duplicating the whole radio function. Instead, you could set up two separate, connected networks, one on each band; see Mix Legacy, New N Networks. Consider your spectrum choices The 2.4 GHz band is crowded with other Wi-Fi networks, Bluetooth devices, and other uses; 5 GHz is relatively empty—in the United States, the band has almost seven times the amount of frequency available in the 2.4 GHz band. Further, Apple restricts the use of socalled wide channels to the 5 GHz band. Wide channels use twice the standard amount of spectrum and thus can achieve twice the data throughput. Apple does this in order to avoid treading on older networks in 2.4 GHz. Page 42 In my tests comparing the two bands’ throughput—the net amount of data passed over a network—I found that the 5 GHz band offered very consistent throughput as high as 140 Mbps (N to Ethernet LAN) and 90 Mbps (N to N) because there were few other variables to control, like other users or uses of the channels I tested. With 2.4 GHz, however, throughput was all over the place. I could test the same network setup over and over again, and sometimes see the highest rates (about 70 Mbps, N to Ethernet LAN), and other times see rates drop to 10–30 Mbps. See Table 2 for specifics. Higher Wi-Fi rates require Extreme N (gigabit): To achieve the highest speeds from the Extreme N, you must have the newer gigabit Ethernet model. Table 2: Throughput Based on Band Choice (Best Speeds) Connection 2.4 GHz (regular channel) 5 GHz (wide channel) Draft N to Draft N (same Extreme N) Up to 35 Mbps (from one computer to another), but varies enormously Up to 90 Mbps (from one computer to another); up to 50 Mbps with two computers transmitting to each other Draft N to wired 100 Mbps Ethernet (LAN) Up to 70 Mbps, but varies enormously Over 90 Mbps Draft N to gigabit Ethernet (LAN) Over 140 Mbps Draft N to any Ethernet Up to 50 Mbps* (WAN) with NAT Any Ethernet (LAN) to any Ethernet (WAN) Up to 70 Mbps* 100 Mbps Ethernet LAN to same LAN 94 Mbps Gigabit Ethernet LAN to same LAN 900 Mbps * With NAT turned off, speeds are the same as Ethernet LAN. Page 43 OTHER USES OF THE 2.4 AND 5 GHZ BANDS The 2.4 GHz and 5 GHz bands weren’t empty before Wi-Fi networking came along. 2.4 GHz is known as a “junk band” because it’s full of other approved uses that can conflict at times. Industrial sealers, for instance, use heating processes that emit 2.4 GHz radiation. Home microwave ovens use the principle that water molecules are dipolar (have two oppositely charged ends), and they switch the fields 2.45 billion times a second to cause friction which heats the food. (If your friends think microwaves “leak” radiation, create ionizing radiation, or “irradiate” food, please have them read this excellent Q&A page: http://rabi.phys.virginia.edu/HTW/microwave_ovens.html.) Problems with AirPort networks often stem from your own or neighbors’ use of conflicting technology, which can include 2.4 GHz cordless phones, the above-mentioned microwave ovens, nearby industrial sites, or wireless cameras. The 5 GHz band has many fewer approved uses; primarily, 5.8 GHz cordless phones will be your enemy. The rising interest in a new wireless standard called WiMax could be problematic. While WiMax will largely use licensed spectrum, there’s plenty of interest and many early deployments that use the 5.8 GHz band to carry data from one central transmitter to many roof-mounted antennas. You would think that the choice of using 5 GHz is obvious, right? Not so fast. If you have any 802.11b or g devices on your network— like Macs with the original AirPort Extreme built in—they can’t connect. Or if a visitor were to show up with an older adapter, she would be out of luck. On the other hand, if you have all Intel Macs, you could use 5 GHz and mix A and N, which would provide much better performance than mixing G and N in the 2.4 GHz band. See Table 3 (next page) for a comparison of the tradeoffs. You can get the best of both worlds if you have an existing 802.11b/g network and want to add to the network, rather than replace it. See Mix Legacy, New N Networks. Page 44 Table 3: Comparing the 2.4 GHz and 5 GHz Bands Band Pros Cons 2.4 GHz • Backward compatible with 802.11b/g devices • Relatively crowded with other users, purposes, including 2.4 GHz cordless phones, Bluetooth • Longer range than 5 GHz • Best for a network with a mix of B or G, and N Wi-Fi adapters • Third-party N adapters already available for Macs, but only in 2.4 GHz 5 GHz • Maximum data rate is about 70 Mbps (Wi-Fi to wired) or 50 Mbps (Wi-Fi to Wi-Fi) only in the best conditions • Throughput can be very poor, connection erratic • Allows wide channels for higher throughput • Can’t work with 802.11b/g devices • Maximum data rate is 140 Mbps (Wi-Fi to wired) or 90 Mbps (Wi-Fi to Wi-Fi) in normal conditions • Higher attenuation than 2.4 GHz means signal strength drops faster when passing through walls, floors, even people • Relatively uncrowded, very large band, with lots of room to move to other channels • 5.8 GHz cordless phones and some unlicensed WiMax networks can interfere, reducing the number of possible channels • Backward compatible with 802.11a found in Intel Macs and some Windows laptops • No need to slow down for B devices • Best for all-new network with no visitors expected Second to choosing your spectrum is choosing a channel. The regular and wide channels I mentioned earlier are schemes to allow many networks to work together in overlapping locations. Regular channels use 20 MHz of spectrum; wide channels use 40 MHz. Page 45 MHz and Mb: Megahertz does, in fact, correlate to megabits per second. Shannon’s Law, a bit of information theory, says that there’s a direct relationship that ties the width of a channel and the ratio of signal to noise to the achievable data rate. Twice the channel width means up to twice the raw data. In case you were wondering, the formula is: maximum bit rate equals channel width in hertz multiplied by log2 multiplied by the sum of 1 + signal divided by noise. In the United States, 802.11 standards can use any of 11 numbered, staggered channels in the 2.4 GHz band (Figure 13). Because these channels are staggered and overlap, only channels 1, 6, and 11 in the United States can be used in networks that overlap their coverage area when you want the least interference. (In some countries, the 2.4 GHz band is slightly wider, allowing for four non-overlapping channels.) Also, due to the overlapping, staggered nature of the channels, there is room for only a single unique 40 MHz channel and a single 20 MHz channel to be used at the same time—and then only in ideal cases. This is why Apple didn’t want wide channels in 2.4 GHz. FIGURE 13 2.4 GHz 802.11 channels are staggered, with channels 1, 6, and 11 having the least overlap. 5 GHz 802.11 channels are meant to have little overlap; only the four lowest channels of 23 are shown. By contrast, the 5 GHz band can be divided into 23 channels for 802.11a or n. The regular-width channels are the same 20 MHz width as 2.4 GHz band channels; or you can use 11 wide channels that are Page 46 40 MHz wide. These channels overlap only at the fringes, and thus allow many different networks to work in the same space with little interference. NOTE Unlike the 2.4 GHz channels, which are numbered sequentially— 1 to 11 in the United States—5 GHz channels jump by an increment of four and don’t proceed sequentially. Why? Two reasons: • First, 802.11 channels—for A, B, G, and N—increment by 1 for each unit of 5 MHz. Because 802.11a/n channels don’t overlap, you get four numbers (20 MHz) between each regular-width channel. • Second, there are four separate hunks of allotted unlicensed 5 GHz bandwidth. The first two (which comprise channels 36 through 64) are contiguous; we then jump to channels 100 to 136, and finish in 149 to 161. There’s a 24th channel, 165, that’s not supported in 802.11a or n. Unfortunately, for reasons that are still not publicly stated, Apple has chosen to offer only 8 of the 23 possible 5 GHz 802.11a/n channels for use. The 15 that they aren’t supporting have specific restrictions on use. A few years ago, the IEEE developed 802.11h to allow the A spec to work in Europe. This 802.11h addition allows better co-existence between some existing uses of 5 GHz, like military radar, and it’s become a necessary part of N as well. More recently, a compromise between the electronics industry and the military opened up 255 MHz of additional spectrum in the 5 GHz band—11 A/N regular channels— but using the additional spectrum requires that you use 802.11h not only for those new channels but also for four of the existing ones. Between European restrictions and the availability of more channels, it’s even more peculiar that Apple has released a worldwide product without fully taking advantage of all the possible channels. Apple’s Wi-Fi chip suppliers support this co-existence. One chip vendor told me that Apple could add the missing channels through a simple firmware upgrade. Apple told me in August 2007 that they were actively investigating adding additional channels, but had no timetable or specific plan to do so. Page 47 Set a band and a channel To configure which band you use, and what backward compatibility your base station offers, launch AirPort Utility, connect to your base station, and choose Base Station > Manual Setup. Click the AirPort icon to open the AirPort pane, and then click the Wireless button. The Radio Mode pop-up menu offers four choices: • 802.11n (802.11b/g compatible): This mode allows full backward compatibility in 2.4 GHz, while allowing N to work at about 70 percent of its full speed in regular-width channels. • 802.11n (2.4 GHz): With this choice, your base station supports only N devices, and B and G devices can’t connect to it. • 802.11n (802.11a compatible): This 5 GHz mode could be useful if you have all Intel Macs on your network and you want the advantages of 5 GHz’s free-and-clear spectrum. You lose some speed when mixing A and N, but if you have the right set of machines, it’s the best choice, unless you want to operate two networks. (See Mix Legacy, New N Networks.) • 802.11n only (5 GHz): The best choice for 5 GHz networks. Additional options: If you hold down the Option key while choosing from Radio Mode, you see four additional options: 802.11b only, 802.11b/g compatible, 802.11g only, and 802.11a. These are provided in the interest of providing the most complete support for older networking gear, I’ll wager. The Channel pop-up menu lets you choose a channel based on the band you selected. You are best off setting it to Automatic when you use the 2.4 GHz band. The Automatic option is the only apparent choice for 5 GHz. Choosing Automatic causes the base station to pick the least occupied channel when the base station starts up or restarts, but the base station doesn’t change the channel while running—only after it has been restarted. To bypass Apple’s Automatic mode for 5 GHz channels, hold down the Option key as you pop up the Channel menu. Page 48 Warning! “Least occupied” (previous paragraph) means least occupied by other Wi-Fi networks. In testing, even apparently “empty” channels were sometimes full of interference from other causes. While I couldn’t determine the cause, switching channels alleviated problems, but it required choosing a channel rather than relying on the Automatic setting. Pick the Right Place for Your Base Station When you walk around with a cell phone, the number of bars showing signal strength varies with the quality of the signal that the phone receives. These bars reflect the strength of signals received from nearby cellular network transmitters on towers and roofs. It’s the same issue over a much smaller space when you connect a computer to a Wi-Fi gateway. Depending on where you place the base station, its signal may or may not penetrate with enough strength to be useful. First, decide where you want service. Do you want to work in your backyard? Upstairs and downstairs? Second, think about the obstacles in the places you want to work. Walls, ceiling, floors, and even metal exercise bikes can all absorb and reflect Wi-Fi signals, reducing their range and quality. While the Extreme N uses MIMO technology—multiple sets of receiving and transmitting antennas—to cover a much greater area than its predecessors, the base station still has its limits. It’s just much closer to covering the area of a typical home than earlier units. Pick a spot that is near the middle of where you want your signal to reach and test to see if it’s a good location for your base station. You want to get the best average signal in all the places from which you want to connect. To run the test, just power up the base station: its default settings provide a name and a signal. General testing advice Here are some general tips for finding your ideal location: • Leave the base station in one place while you try all the areas you want to use it in. • Spend up to 30 seconds in one spot to see if the signal strength varies. Page 49 • Use sticky notes to mark signal strengths at the locations where you want to provide network access (see Testing from base station to client, below). Also write down the current location of the base station and the signal strength you’re seeing at that location so it’s easy to sort out the ideal placement of the base station later. TIP The AirPort menu lists networks alphabetically. Hold down the Option key and select the menu, and Mac OS X re-orders the list by signal strength, from strongest at the top to weakest at the bottom. • When you move the base station, make sure to keep its orientation the same. The antenna in a base station is omnidirectional—all directions, but Apple designed the base station to have its strongest performance parallel to the horizon. It doesn’t come with a mounting bracket, perhaps Apple’s way of emphasizing that you should keep it in a horizontal orientation. NOTE All flavors of Wi-Fi work at speeds below their maximum rates as an adapter becomes more distant from the access point. Testing from base station to client AirPort Utility now incorporates what was a separate Apple utility to monitor the performance of wireless adapters connected to a base station. To view this monitoring tool: 1. Launch AirPort Utility, connect to your base station, and choose Base Station > Manual Setup. 2. At the top of the window, click the Advanced icon. 3. In the Advanced pane, on the Logging & SNMP view, click the Logs and Statistics button (located near the bottom). 4. Click the Wireless Clients button. You can now check the performance of any devices connected to your base station (Figure 14). This nifty readout provides ongoing monitoring of the signal rate for each connected device. Each device is assigned a different color in the Client list beneath the graph, and that color corresponds to a line that tracks signal strength over time. Page 50 FIGURE 14 The graph at top shows the signal strength for each client. The bottom lists each client by MAC address, with the actual measurements for signal and noise, and the raw data rate. The Client list shows connected devices by their unique adapter number. (For more on adapter numbers, see What and Where Is a MAC Address? on p. 59.) For each client, the utility shows the signal and noise rates. The signal-to-noise ratio is an absolute measure of potential throughput. Signal and noise levels are measured in such a way that a negative number means below a certain threshold, rather than an absence of a signal or noise. Noise has a large absolute value, like -100; the larger the absolute value, the less noise. The signal should be negative, too, but have a lower absolute value, approaching 0; the closer to 0, the better the signal. NOTE The label dBm on the left of the graph means decibels below one milliwatt (mW). Decibels are a logarithmic measure of power, and dBm defines how much signal strength was received below the nominal strength of 1 mW, a useful starting point for these kinds of signals. Page 51 The Rate column, however, has the most useful information: It shows the raw data rate, in Mbps, at which the client is connected. This is useful to know because you can have decent signal strength but be connected at a lower speed than the raw 54 or 300 Mbps maximum for 802.11g or 802.11n, respectively. The lower the connection speed, the more likely you need to tweak the base station’s—or the computer’s—position. Testing from client to base station The flip side when testing connections is measuring how strong your base station is from the computer you’re trying to connect from. iStumbler (http://www.istumbler.com/) is my detector of preference. iStumbler provides a continuous scan with information about signal and noise for all the networks in your vicinity (Figure 15). FIGURE 15 iStumbler shows nearby networks. I made this scan in my office, which is in the middle of a building in Seattle with a window off to one side. Imagine a scan made in Manhattan. If you’re truly frustrated with finding a good connection, you could make an expensive purchase—or perhaps pool your dollars with friends or colleagues—and get a spectrum analyzer. The Wi-Spy and Wi-Spy 2.4x from MetaGeek run $199 and $399, respectively, and provide a live analysis of the signals passing in the air around you. Page 52 A spectrum analyzer constantly measures the strength of signals in hunks of frequency, and produces an output that software can read and display (Figure 16). The more energy or more spikes in a given channel, the more likelihood that Wi-Fi won’t work there. FIGURE 16 Wi-Spy and Wi-Spy 2.4x capture signal strength over time at frequencies in the 2.4 GHz band and relay them to software like EaKiu, which displays the results graphically. (Wi-Spy 2.4x data pictured.) Page 53 SET UP YOUR NETWORK The next steps in setting up your AirPort network involve configuring the LAN (local area network) and WAN (wide area network). For many of us, this configuration is as simple as plugging in a couple of cables—or maybe even one cable. But for more complicated networks, a few more steps are involved to make sure the computers connecting via the Extreme N can access the Internet, or the rest of a local network, without you pulling out your hair. More than one base station: If you’re building or re-building a network with more than one base station, read this section first for how to set up the base station that connects directly to your broadband service provider. Then read Connect Multiple Base Stations. Simplest Case: Plug and Go Before getting into more exotic scenarios, let me give you the rundown on the simplest possible case, which has two parts: • You have a broadband cable or DSL modem that doesn’t require any special login or restrictions in order to access the Internet. (If you’re not sure, see Log in via PPPoE over broadband DSL and Deal with MAC-address-restricted cable broadband.) • You plan to share the Internet connection coming in from the broadband connection among computers and devices that connect to the Extreme N via Wi-Fi or Ethernet. Here’s how to get your connection up and running: 1. Plug an Ethernet cable from the LAN port of your broadband modem into the WAN port of the Extreme N. 2. Connect the computers on your network via Wi-Fi or Ethernet to the Extreme N. That’s it! This setup relies on the factory settings that an Extreme N has when it’s first powered up. If this simplified setup appears to be working, and you have no reason to think that it shouldn’t do the job, then skip ahead to Connect Your Computers. Page 54 If this simplified setup doesn’t work, or you know you have a more complicated situation, read through the rest of this section to find your scenario. Get a WAN address The more complicated scenarios start with getting a WAN address for your base station; you’ll then move to LAN configuration. To communicate with the rest of the world, you need to hook the wide area network (WAN) port of your Extreme N into either a broadband modem; or, if you have an existing Ethernet LAN to which you are connecting the base station, into that larger network. In either case, start with an Ethernet cable and plug the cable into the Extreme N’s WAN port. Next, plug the other end into the LAN port of your broadband modem, or into a port on an Ethernet switch for a larger network. Auto-sensing: Extreme N has auto-sensing, auto-switching Ethernet, which means you can use either type of Ethernet cable— straight-through or crossover—successfully. The Ethernet ports also automatically adjust speed to the highest available rate. Now that you’ve made the physical connection, you can configure your base station to handle the connection. The many different possible configurations can be broken down into two categories: those that use dynamic addressing and those that use static addressing: • If your Internet connection is a home broadband connection, you’ll probably use dynamic addressing; you may need to ask your ISP for more information if you’re not sure whether they provide you with a dynamic address or not. • A static address is more typical for small and large offices. Dynamic addressing A dynamic address is an Internet protocol (IP) address that is assigned through Dynamic Host Configuration Protocol (DHCP), a relatively old Internet technology. With DHCP, your Extreme N requests an IP address via its WAN port, acting as a DHCP client. A DHCP server on the other end of the Internet connection (typically at your service provider) receives the requests and provides an address. And that’s as complex as it has to be. Page 55 A dynamically assigned address can be a private address, one that’s restricted to the ISP’s own network; that network is hard for anyone to reach making your network even more inaccessible; or a publicly routable address, which is part of the global numbering system for IP addresses. The Extreme N is set to act as a DHCP Client if back in Step 7 of Handle initial setup, you chose Using DHCP. No additional steps should be needed (Figure 17). FIGURE 17 The simplest way to get an Extreme N on the Internet. In some limited cases, you might need to enter the DNS (Domain Name Service) IP addresses manually. Your ISP should tell you those addresses if you need them. DNS IP addresses are entered in the DNS Server(s) fields (Figure 17, above). Page 56 TIP HANDLE DNS RESOLUTION WITH OPENDNS I recommend using OpenDNS to handle your DNS resolution instead of DNS server information provided by an ISP. OpenDNS has a few neat features that improve on normal DNS resolution. First, they’re much faster than most ISPs, making the Web seem snappier. Second, they can fix typos, for instance, when you enter an address that doesn’t exist—flickr.cmo becomes flickr.com. Third, they offer a custom account that lets you set DNS shortcuts so that when you type a word into a browser’s Location field, you control what domain name is looked up. See http://www.opendns.com/ for more details, including their two nameservers’ IP addresses. Some ISPs require you to jump through additional hoops to connect to their networks: a login process or a way to restrict access to a single computer. The former is used mostly by DSL providers; the latter, by cable firms. Log in via PPPoE over broadband DSL For security and tracking purposes, many DSL providers require you to use a technology called PPPoE (PPP over Ethernet) when connecting to their network. With PPPoE, you log in with a user name and password to your ISP over your DSL connection, at which time you are automatically assigned an address and the connection works just like any other broadband connection. If you need PPPoE, configure it in the Internet pane of AirPort Utility in the Internet Connection and PPPoE views (Figure 18). The base station connects per the setting you choose in the Connection pop-up menu in the PPPoE view: Always On is the most likely choice. Page 57 FIGURE 18 PPP over Ethernet connects using a login name and password. Deal with MAC-address-restricted cable broadband To prevent multiple machines from accessing a single cable-modem connection, some providers restrict access to a single MAC address (see What and Where Is a MAC Address? next page). ISPs use two common methods for restricting access by MAC address: • In the less annoying method, the cable modem powers up and locks on to the MAC address of the device connected to it. You can switch between devices by unplugging and reconnecting the cable modem after you connect your Extreme N. • In the more annoying method, you register the MAC address with the ISP manually or through an automatic process. You may need to call your cable provider—which may want to charge an additional monthly fee—to register the MAC address of your Extreme N’s WAN port. (The WAN port’s MAC address is printed on the underside of the Extreme N, as the Ethernet ID.) Warning! A feature in non-Apple Wi-Fi gateways, called MAC cloning or spoofing, lets you enter any MAC address for the WAN port. No AirPort base station firmware version has this common feature. Page 58 WHAT AND WHERE IS A MAC ADDRESS? The MAC, or Media Access Control, address is a unique, factoryassigned address for every network device, including Ethernet and Wi-Fi adapters. A MAC address consists of six two-digit hexadecimal numbers separated by colons, such as 0C:F2:33:01:02:FC. (Hexadecimal, or hex, is the base 16 number system, with values running from 0 to 9, and then from A to F for 10 to 15.) The first three numbers are assigned to a manufacturer; Apple has at least two common ranges, which begin with 00:0a:95 and 00:03:93. MAC addresses are frequently used for filtering, authentication, and WDS, often without requiring direct entry. Here’s how to find MAC addresses for Apple’s devices: • Extreme N: Look on the bottom of the base station to find the MAC addresses of the WAN Ethernet port and the Wi-Fi adapter. Or, in AirPort Utility, select a base station at the left to see its MAC addresses on the right: ◊ The AirPort ID is the device’s wireless MAC address. The Ethernet ID is the WAN port’s MAC address. • Computers connected to an Extreme N: In AirPort Utility, select the base station and choose Base Station > Manual Setup. Click the Advanced icon, and then—on the Logging and SNMP view—click the Logs and Statistics button. Click the DHCP Client button and a list of MAC addresses appears. You can turn your computer’s Wi-Fi adapter off and on to see which MAC address corresponds to your computer. ◊ • Wi-Fi adapter in a Mac: In Mac OS X, open the Network preference pane in System Preferences and choose AirPort from the Show pop-up menu. The MAC number is listed as the AirPort ID. (Ethernet MAC addresses are labeled as Ethernet ID in the Ethernet view.) • Wi-Fi adapter under Windows: In Windows XP or Vista, view the connection status of the adapter and click Details below the Connection Status section. The Physical Address is the MAC address. Page 59 Static addressing A static address is an IP address that is entered manually and is fixed over time. A static address could be private or public. To enter a static address, you need details provided either by your ISP or, for an office network, by a network administrator. You need: • The static IP address: This address could be from an internal private range or a public address reachable from the Internet. • The subnet mask: A number full of mystery, the subnet mask merely defines the size of the local network in which the static address comes from, with “size” expressed as the number of addresses in that local range. • The router address or gateway: This is the address to which any traffic that’s not bound for other machines on the local network is sent, to be routed to higher-level networks, such as a larger office LAN or the Internet. • DNS server or servers: You need at least one DNS server, which handles turning domain names into IP addresses. Two is better; that avoids slowdowns if the first DNS server is unavailable or overloaded. To enter these values, click the Internet icon at the top of the AirPort Utility window; click the Internet Connection button, and choose Manually from the Configure IPv4 pop-up menu (Figure 19). FIGURE 19 Configure the Internet connection manually by entering the static values provided by your ISP or network administrator. Page 60 NOTE WHAT’S IPV4? The other element of mystery in setting an IP address is what, exactly, is IPv4? IP stands for Internet Protocol, but v4 means “version 4,” the form of IP used in Internet networking for decades. That distinction has become important with the availability of IPv6 (version 6), which Apple supports in Mac OS X and Extreme N, among other products. IPv6 isn’t widely available, but it is out there and will become increasingly embedded in our lives and devices. See IPv6 settings for more details. Hand Out LAN Addresses With the WAN configured, it’s time to look at your own network— the LAN. The LAN can be configured to assign IP addresses to client computers in one of four ways: • Dynamic private addresses: In this common mode, the Extreme N shares one incoming Internet address with all the machines on LAN. The base station assigns addresses to computers on the LAN from a private range; you can modify what that range is. The addresses are typically transient for any given computer. The Extreme N coordinates traffic between the LAN and the greater Internet so that all packets end up in the right place. • Dynamic public addresses: With this setup, the Extreme N shares multiple, publicly routable Internet addresses with computers on the LAN. • Reserved addresses: With this feature, you can assign specific private or public addresses to individual computers on the LAN. • Passthrough and bridging: you can set up an Extreme N to let another device on a larger network dynamically assign addresses or allow static addresses. With this set up, the Extreme N doesn’t manage addressing. The first option is by far the most common, in which computers on the LAN receive addresses that can change from time to time, and which exist solely to give the computers access to the Internet. The other options are typically used when computers on the LAN side of Page 61 the network need to be reached by computers on the Internet or by computers on another LAN to which your Extreme N is connected. Let’s look through each of these in turn. Warning! In testing the Extreme N, I discovered performance issues in one particular configuration. A NAT-enabled Extreme N bogs down when you send data between devices on the base station’s LAN (via Ethernet or Wi-Fi) and devices on a network connected to the base station’s WAN. In this rare configuration, Ethernet tops out at 70 Mbps; Wi-Fi at 50 Mbps. Fortunately, you would almost never use NAT on a base station that connects its WAN port to an office or a larger LAN network—see Passthrough and Bridging. Apple is aware of this problem (I reported it), and they improved the speed by 25 percent from the Extreme N (original) to Extreme N (gigabit) model. NOTE DHCP works by having a computer or other device send out a message over a network asking for an address. A DHCP server hears this message and provides an address. The DHCP client pulls the address that the DHCP server provides. Dynamic private addresses As with the WAN side of the equation, if you set up your network using the straightforward assistant in AirPort Utility, you should have no changes to make, so you don’t need to proceed further in this section to set up the base station; you can skip ahead to the next section, Connect Your Computers. However, should you want to control which addresses are assigned or manage other details of NAT and DHCP, read on. Set up the base station In AirPort Utility, click the Internet icon at the top of the window, click the Internet Connection button, and choose Share a Public IP Address from the Connection Sharing pop-up menu. Page 62 Set up client computers With an Extreme N set to use dynamic addressing, each of your computers needs to be set to receive an address via DHCP. This is the default setting for any network adapter. In Mac OS X: 1. Open the Network preference pane. 2. Switch to the TCP/IP view for any adapter—Wi-Fi or Ethernet. 3. Choose Using DHCP from the Configure IPv4 pop-up menu (Figure 20). FIGURE 20 With TCP/IP set to use DHCP, Mac OS X automatically obtains a dynamically assigned IP address, in this case from a private range. Your Mac should now be set up to receive an IP address via DHCP. In Windows XP and Vista: 1. Choose Control Panel from the Windows menu. 2. Access network connections: • In XP, open Network Connections. • In Vista, open the Network and Sharing Center, and then in the left-hand Tasks list, click Manage Network Connections. Page 63 3. Right-click the adapter you want to view settings for, such as Wireless Network Connection, and select Properties. (In Vista, you should be prompted to approve that action; click Continue, if so.) 4. In the Networking tab that appears, select Internet Protocol (TCP/IP) in XP or Internet Protocol Version 4 (TCP/IPv4) in Vista, and click Properties. TCP/IP settings are configured in the General tab; the default settings are the correct ones (Figure 21). FIGURE 21 In Windows Vista, selecting Obtain an IP Address Automatically— the default setting for an adapter—allows the operating system to get a dynamic address. (In Windows XP, the interface for making this selection looks quite similar.) Your Windows system should now be configured to receive an IP address via DHCP. Refining base station DHCP settings You have two additional views in the Internet pane in AirPort Utility for configuring the LAN. These allow you to control how private addresses are generated. The DHCP view offers a DHCP Range pop-up menu where you choose one of three reserved ranges of private addresses—10.0.*.*, 192.168.*.*, or 172.16.*.*—as the two-number prefix to your private network numbers. (The prefixes in the pop-up menu are reserved by the global numbering authority, and they are guaranteed to not be in use on any public Internet network.) Page 64 You enter the third number, any number from 1 to 254, in the field to the right of the pop-up menu. The fourth number is generated by DHCP in a range limited to the starting and ending values shown in the DHCP Beginning and Ending Address fields. The only reason to change the range of numbers is if you want to create and assign static private addresses. These would be addresses that start with the first three numbers in the base station’s private network range, but which you enter manually on each computer. This used to be the only way to create a fixed private address, but I now suggest you avoid this method by using reserved addresses; see Reserved addresses, next page. 28-2: The lowest legitimate number in the fourth number position of an IP address is 1; the highest is 254; 0 and 255 have particular reserved network purposes. Limited addresses: The range you assign must start with the same prefix you defined in the DHCP Range pop-up menu. AirPort Utility prevents you from modifying the first three numbers in the four-number IP address in the range fields. This is also true anywhere you can enter a LAN address in AirPort Utility. In the DHCP view, you can also set the length of a time of a DHCP lease, which is the association of a given computer with an address that’s been handed out, and you can set the DHCP Message, which will pop up in a dialog box on a computer when the computer receives its DHCP address. (The LDAP Server field is relevant only for networks that use that directory protocol.) The DHCP Reservations list is in Reserved addresses (next page). Also on the Internet pane, the NAT (Network Address Translation) view has two settings relevant for remotely accessing programs running on one or more computers on the LAN. I discuss how NAT works and what these settings offer in Reach Your Network Remotely. Dynamic public addresses Some people need to assign public addresses to their LAN computers so that each computer can be reachable from the Internet. In this case, you usually want to use a static public address, in which you must configure each computer manually, and DHCP isn’t involved. Page 65 However, some networks use only public addresses for all connected devices, while also not requiring that each device have a static address over time. In that case, you configure an Extreme N to hand out public addresses from a defined range using DHCP. To configure an Extreme N to assign dynamic public address, follow these steps: 1. In AirPort Utility, select the base station at the left, and then click the Internet icon at the top of the window. 2. Now, on the Internet Connection view, from the Connection Sharing pop-up menu, choose Distribute a Range of IP Addresses. In this mode, the NAT button disappears because there’s no translation going on. 3. In the DHCP view, enter values for DHCP Beginning and Ending Address. The range you specify is limited to the same IP network that the Extreme N uses for its Internet Connection IP address. For instance, if your Extreme N is 126.96.36.199, your range has to be within 188.8.131.52 and 184.108.40.206. Warning! Using public routable addresses means your entire base station LAN is fully exposed to the higher-level network through its WAN port, which usually means that all the computers can be reached via the Internet. Reserved addresses Reserving an IP address using DHCP is a new feature in the Extreme N—new to Apple, as it’s been available in other devices for years. Reservation allows a given computer on a network to obtain the same IP address, whether public or private, each time it joins the network. This works whether or not you share the Extreme’s connection or distribute a range of addresses, but does require DHCP service to be turned on. The reserved address is never assigned to another computer, and if the computer in question has to restart or is shut down, the next time the computer powers up and its network adapter is active, that computer still receives its reserved address. Page 66 Reserved addresses work well if you want to connect from the WAN side of a base station to computers, printers, and other devices that are connected via the LAN side. Follow these steps to set up a reserved address: 1. In AirPort Utility, in the DHCP view of the Internet pane, click the button. The DHCP Reservation Setup Assistant (Figure 22) appears. FIGURE 22 The assistant lets you set up a reserved DHCP address by MAC address or by DHCP client ID. 2. Enter a description, which will later appear in the DHCP Reservations list. 3. Select whether to reserve an IP address by a Wi-Fi adapter’s MAC address or by its DHCP Client ID, and click Continue. DHCP Client ID is easier to set up, but works only with Mac OS X (and earlier). 4. Now: • If you reserved by MAC address: enter the MAC address (AirPort Utility fills in the colons as you type two-digit hexadecimal numbers), choose the last number in the IP range that you want to reserve, and click Done (Figure 23). If you need help locating the MAC address, see What and Where Is a MAC Address? (p. 59). Page 67 FIGURE 23 Enter the MAC address and your reserved IP address, and then click Done. • If you selected Reserve by DHCP Client ID: The DHCP Client ID is a text tag that you assign when configuring a Wi-Fi or Ethernet adapter. This text is transmitted when an adapter requests a dynamic address (Windows XP and Vista don’t support this), and the base station uses that tag to assign a reserved IP address: a. First set the DHCP Client ID on a client computer running Mac OS X: Open the Network preference pane, click TCP/IP, choose Using DHCP from the Configure IPv4 pop-up menu, and enter the DHCP Client ID in the field at the right. Figure 24 shows the DHCP Client ID set to GlennDualMac. FIGURE 24 The DHCP Client ID field is found in the TCP/IP view when the Configure IPv4 pop-up menu is set to Using DHCP. Page 68 Warning! To avoid confusing the Extreme N, make sure that DHCP Client IDs are unique. b. In AirPort Utility, enter that DHCP Client ID in the DHCP Reservation Setup Assistant and click Done (Figure 25). FIGURE 25 Enter the same DHCP Client ID in AirPort Utility. 5. When you’ve entered all the reservations, click Update. After restarting, the DHCP Reservations list shows the entries you made and any computers listed will have retrieved their new addresses. Passthrough and bridging For networks in which the Extreme N is connected to a larger LAN, you may already have a DHCP server running that handles address distribution. In that case, you need to turn off Connection Sharing: 1. In AirPort Utility, click the Internet icon at the top of the window. 2. In the Internet Connection view, choose Off (Bridge Mode) from the Connection Sharing menu. The DHCP and NAT buttons disappear in the Internet pane when that option is selected. 3. Click Update to restart the base station. With bridge mode, the Extreme N simply passes through any DHCP messages or other traffic, and isn’t involved in assigning addresses. NOTE If you connect base stations wirelessly using Wireless Distribution System, all the base stations other than the “main” unit, which acts as the Internet or LAN conduit, are turned into bridges. See Bridge Wirelessly for details on setting up a WDS connection. Page 69 CONNECT YOUR COMPUTERS Once you’ve set up your Wi-Fi network and connected it to the Internet, you’ll want to configure your computers to connect to the network properly, whether you’re working with a few desktop computers or helping customers use a public hotspot. Making a connection is quite simple, but configuring how your computers connect may take a little thought. You might choose to connect automatically to unknown networks, or need to connect to a network that doesn’t advertise its name. You may also reconnect to networks that you’ve visited before. Read this section to learn how to use Tiger (below), Windows XP, and Windows Vista to connect to networks, modify stored profiles for networks, and choose when to connect to unknown networks. NOTE Leopard hasn’t shipped as the book goes into production. To learn about the Leopard update to this book, click Check for Updates on the cover and sign up for the update mailing list. If you have only the printed version of the book, send us an email message. Warning! Remember that if you set up your network as 802.11nonly in the 2.4 GHz band, or if you set the base station to use the 5 GHz band, neither an 802.11b nor a 802.11g adapter found in an older computer will be able to connect. If you can’t see your network on a given computer or can’t connect to a network that shows up in a list of available networks, check your base station setup (see Consider your spectrum choices for more details). Connection problems: Just because a network is visible doesn’t mean you can connect to it. MAC address access control and other restrictions could keep you from joining. See Secure Your Network. Connect in Tiger Connecting to a Wi-Fi network with Mac OS X involves two phases: discovering, or finding, a network, and connecting to it. Separately, you can create stored profiles for Wi-Fi networks that you wish to connect with automatically in the future. Page 70 Warning! If the AirPort status menu on your menu bar displays an icon like an open fan (shown at left), your network adapter is turned off. To turn it on, choose Turn AirPort On from the menu. If the AirPort icon still looks like a fan or you get an error saying that there’s no card or it can’t be turned on, you may have a hardware problem. If you have a model with a removable Wi-Fi card, check that the car is seated properly: power the computer down, open the case, and check the card; start up the machine and see if AirPort is now available. If you don’t have a serviceable card or this doesn’t help, bring the computer in for service. Discovery Mac OS X constantly looks for networks when the Wi-Fi adapter is turned on, and a list of them appears in the AirPort status menu at the right of the menu bar (If you don’t see the menu, you can turn it on by opening Internet Connect from /Applications. A checkbox for the menu is on the AirPort pane.) You can also use software like iStumbler to get more information about your own and other networks in the vicinity (see Testing from client to base station). If a Wi-Fi network appears in your vicinity and you aren’t already connected to one (for instance, if a neighbor turns on a new network or if you open your laptop in a coffee shop), Mac OS X alerts you (Figure 26). From that alert, you can then choose whether you wish to connect to the network, and if you want Mac OS X to remember the network so that you always connect to it again in the future. FIGURE 26 Mac OS X alerts you to a new network and lets you choose to always join it in the future. Page 71 You can configure a Mac running Tiger so that it automatically picks which network it connects to: Mac OS X can recognize a new connection when you wake up or turn on the Mac, when you turn AirPort off and back on, when a network is turned on near you, or even when a Wi-Fi network disappears and reappears while you’re actively using your computer. Warning! The fact that Mac OS X and other operating systems constantly scan for networks is a security problem. Many patches were released in 2006 that dealt with flaws in Wi-Fi drivers that could be exploited with maliciously crafted data designed to crash an operating system when it is scanning for networks. This is one reason why it’s critical to keep your software up to date, especially if you use Wi-Fi networks that aren’t in your home or office. Connecting To connect to a network, you typically select its name from a list, and then enter an encryption key if it is secured. In some cases, you might have set up your network to be “closed” (invisible to casual passers-by). Let’s walk through these options for connecting. Connect to a named network To connect to an AirPort network in Tiger when the network broadcasts its name—as most do—choose the network name from the AirPort status menu (Figure 27). The AirPort menu’s icon should go from gray to black, with the number of black waves indicating signal strength by their quantity. FIGURE 27 Choose a network from the list or choose Other to join a closed network by name. At hotspot networks and other open networks, before you can do anything else on your connection, you may need to open a Web Page 72 browser window and try to visit any site. Instead of going to that site, the network will redirect you to a gateway page at which you may be asked to agree to terms of service, or enter account information or a credit card number to proceed. You typically have no Internet access until you’ve passed the gateway page. If the network is secured with a key, see just below for the next steps, or look on the next page for WPS information. Enter an encryption key (WEP, WPA/WPA2 Personal) If encryption is active on the network, after you select the network name, you are prompted by a dialog to enter an encryption key. Typically, the AirPort software on a Mac automatically chooses the correct encryption type, and you simply enter the encryption key that you have been given or that you set yourself for the network. Save the key, save time: You can choose to store the key in the Keychain to avoid having to retype it in the future. If the encryption type is incorrect, you can choose the correct type from the pop-up menu. Click OK to join the network. You enter an encryption key or passphrase differently depending on how the network was configured. Extreme N networks can always be joined with either a WPA or a WPA2 password, but WEP keys may be needed to join older networks: • Apple WEP Password: If you created a WEP key on an original AirPort Base Station, the 2003 Extreme, or an AirPort Express, enter the password exactly as you entered it in setting up the base station or as it was provided to you. • WEP hexadecimal key: If you are joining a non-AirPort network, you need to enter a $ (the dollar sign character) followed by 10 to 26 hexadecimals digits. Whoever set up that network needs to provide those hex numbers to you. • WEP ASCII key: If the network was set up with WEP using an ASCII (text) key, you must enter that password between quotation marks, like "fishy". WEP ASCII keys are 5 or 13 characters long. Page 73 Extract WEP key: AirPort Utility lets you extract a WEP key when using WEP Transitional in case you have older Windows computers or other devices that need to join. Connect via the utility to your base station, choose Base Station > Manual Setup, and then choose Base Station > Equivalent Network Password. The ASCII and hex WEP keys are identical, just expressed in different forms. • WPA/WPA2 passphrase: Enter the passphrase exactly as it was entered on the Extreme N or other base station. All computers handle WPA/WPA2 passphrases the same way. Some networks may be configured to accept either a WPA or a WPA2 password; others may require only a WPA2 password. Warning! Macs with the original AirPort Card cannot connect to WPA2 Personal protected networks, but won’t provide an error to explain that. If you are using an AirPort Card on an older machine, make sure via AirPort Utility that the network is configured with WPA/WPA2 Personal, not WPA2 Personal. • WPA/WPA2 hex key: In rare cases with WPA or WPA2, you may need to enter the 64-digit hexadecimal encryption key. To enter this in Tiger, hold down the Option key while selecting WPA Personal or WPA2 Personal from the Wireless Security pop-up menu, and an extra large field appears allowing entry. Yes, it’s a pain to enter 64 hex digits. Connect to a simplified secured network with WPS Wi-Fi Protected Setup (WPS) lets you join a secured network without entering an encryption key. But this method requires access to the base station via AirPort Utility at the time you want a computer to join the network. To read the full procedure, skip ahead to Use WPS. Connect to a closed (hidden) network For a closed network, choose Other from the AirPort status menu. In the resulting dialog, enter the network’s precise name (close doesn’t count), and choose the form of encryption and enter the password. If there’s no encryption, leave the option set to WEP Password and enter no password. Click OK to join. (For more on closed networks, see Closed network.) Page 74 Saved locations Tiger can automatically connect to networks that you’ve joined previously, including password-protected networks for which you’ve saved the password in your Keychain. But you can also create custom settings for different locations where a computer might be used (perhaps at the office, at a relative’s house, and at a local coffee shop), and you can set up multiple profiles at each location. To create a new location, in the Network preference pane, choose New Location from the Location pop-up menu, enter a name, and click OK. Managing profiles You can manage profiles for connected networks and create new profiles from scratch. To show those profiles, and to create and edit them: 1. In the Network preference pane, choose your AirPort adapter from the Show pop-up menu and click the AirPort button. 2. Choose Preferred Networks from the By Default, Join pop-up menu. A list of networks appears, ordered from top to bottom by the most preferred to least preferred network to join. Warning! Even though you can create different profiles for your other network settings through the Location pop-up menu, Wi-Fi networks in this profiles list are shared in all locations. Warning! I discovered a bug some time ago with location profiles created in Panther and used in Tiger. I was unable to get Preferred Networks to appear in the pop-up menu with a Panther-created location; instead an option that’s not supposed to appear in Tiger shows up: A Specific Network! When I created a new location in Tiger, the correct menu commands appeared. This bug has never been fixed. Page 75 3. To work with these profiles: • Add a profile manually by clicking the button. • Delete a profile you no longer need by selecting the profile and clicking the button. • To edit an existing profile, select it and click Edit; you can change the password or type of password, too. • To change the preferred order in which the Mac connects to networks if more than one is available, drag a network name to a new position in the list. 4. Click Apply Now when you’re done. Advanced connection options For more control over how a Mac connects via AirPort at a particular location, in the Network preference pane, choose a location, click the AirPort button, and then click Options at the lower left. Now you can: • Set whether you want to add profiles for new networks that you connect to by checking or unchecking the “Automatically add new networks to the…” box. (If, instead, you chose Automatic from the By Default, Join pop-up menu, that box is checked and cannot be disabled. In Automatic mode, you manage networks entirely via the AirPort status menu.) • You can also choose one of three items from the If No Preferred Networks Are Found pop-up menu: ◊ Ask Before Joining an Open Network lets you join any network that’s within your Mac’s range, but first prompts you. ◊ Automatically Join an Open Network is ill advised: it’s rare that every open network will be acceptable to you, or even intended for use by outsiders. ◊ Keep Looking for Recent Networks prevents your Mac from joining, or asking to join, networks that you haven’t agreed to connect to before. • In Tiger, Apple added the checkbox Disconnect from Wireless Networks When I Log Out, which disconnects the Mac when no user is active. This makes sense for users who routinely log out of Mac OS X, or on computers with multiple users. Page 76 TIP If you can’t get your AirPort interface to connect to a network, Tiger has a troubleshooting feature called Network Diagnostics that’s available when you click Assist Me at the bottom of the Network preference pane. TIP WHERE YOUR MAC STORES PASSWORDS When you enter a WEP, WPA, or other encryption key in Mac OS X, it’s stored in the Keychain. You can run Keychain Access (located in /Applications/Utilities) to delete entries you no longer wish to store or to retrieve passwords that you have forgotten. Keychain passwords are secured with your Mac OS X user password, unless you specifically set a special Keychain password, which you can do in Keychain by choosing Edit > Change Password for Keychain “keychain name”. For more advice on Keychain, see Take Control of Passwords in Mac OS X. Connect in Windows XP In this subsection, I first look at how to make a basic connection. I then cover a few more advanced options, and look at how to create a preferred network profile. In all cases, my steps apply specifically to Windows XP Service Pack 2 (SP2). Discovery and connecting To start setting up a Windows computer to connect to a wireless network under Windows XP Service Pack 2, right-click the wireless network icon in the System Tray and choose View Available Wireless Networks. Windows responds by showing any networks that it can see, along with info about the status and nature of each one (Figure 28). This is an enormous improvement in SP2 over previous XP releases, which left you guessing. Page 77 TIP WATCH OUT FOR WIRELESS ZERO CONFIGURATION If Windows XP says that another program is controlling wireless access or that it can’t use the wireless adapter, Wireless Zero Configuration may be at fault. Despite its name, it needs handholding: Go to Control Panels, open Administrative Tools, then open Services, and finally select Wireless Zero Configuration. Click the square stop button at the top of the Services window; after you’ve been told that the service has stopped, click the triangular start button. That typically takes care of the problem. FIGURE 28 Windows shows you all the networks that it can see in the vicinity, as well as their security parameters and signal strength. Now, select a desired network and click Connect, at which point you’re prompted for any encryption keys needed to join. Page 78 Advanced connection options Now that you’ve established a connection, you can tweak aspects of that connection. To see more options, at the left, in the Related Tasks list, click Change the Order of Preferred Networks. That brings up the Wireless Networks tab of the Wireless Network Connection Properties dialog (Figure 29). FIGURE 29 You can use this tab for many tasks, such as setting which networks you prefer to connect to in which order when more than one is available (use the Move Up and Move Down buttons). The symbol at the top of the Preferred networks list marks the currently connected network. A red x ( ) marks any networks that are not visible. An icon by itself ( ) means the network is available in the vicinity. This dialog box is a bit of a powerhouse despite its demure appearance. Using it as a launching pad, you can: • Re-order your preference for which network your machine automatically connects to. Select a network name and click the Move Up or Move Down button to rearrange it. • Add new Wi-Fi connections. Click Add. • Delete a preferred network. Select a network and click Remove. Your computer no longer automatically joins that network. • Set advanced connection properties: Click the Advanced button and then choose whether to connect to any available network, only to base station Wi-Fi networks (access point or infrastructure Page 79 networks), or only to ad hoc (computer-to-computer) networks (Figure 30). You can also choose whether to connect automatically to non-preferred networks—ones that you haven’t already set up profiles for. I recommend leaving that box unchecked. FIGURE 30 The Advanced dialog box controls how your computer connects to available networks that it finds. Creating a preferred network profile (WPA/WPA2) To set up a stored preferred network profile with WPA/WPA2, follow these steps: (I don’t describe how to use WEP encryption here because you are unlikely to be limited to WEP on a Windows XP SP2 system when connecting to an Extreme N!) 1. Navigate to the Wireless Networks tab for a Wi-Fi adapter as shown in Figure 29 (previous page). 2. Now, either: • Add a new profile by clicking Add. or • Select an existing profile, and click Properties. 3. If you don’t already have one filled in, enter the network name (SSID). Page 80 4. Set network authentication to WPA-PSK, and set data encryption to TKIP for WPA, or to AES for WPA2 (Figure 31). FIGURE 31 Choose WPA-PSK and TKIP in order to enter your WPA key; choose AES from the Data Encryption pop-up menu for WPA2. 5. Enter your WPA or WPA2 passphrase in Network Key and again in Confirm Network Key. Since you can’t see the key as you type it, you can’t verify visually that you have typed it correctly. Retyping the key helps ensure that you’ve entered it correctly. 6. Click OK. Windows stores the profile. You can then drag the profile to make it more or less preferred than other networks already listed. Connect in Windows Vista Windows Vista streamlines connecting to a Wi-Fi network by providing much clearer information than Windows XP’s process along with a better designed interface for working with wireless networks. Page 81 Warning! Because Draft N is in flux, a Windows computer with an 802.11n adapter might have trouble making a connection to the Extreme N. In testing, I found I couldn’t get the highest speed connection rates using an Intel Draft N card that had been released at the same time as Apple’s N enabler and Extreme N (original). Firmware updates due in late 2007 should improve this situation enormously. Discovery To see what Wi-Fi networks are available in Vista, right-click the Network icon in the System Tray and select Network and Sharing Center. Click Connect to a Network from the left-hand Tasks list. This reveals a list of wireless networks (Figure 32). If you hover the pointer over a network, more detail is revealed, such as the type of network encryption. FIGURE 32 View available networks. Connecting Let’s connect to a Wi-Fi network with Vista. You can double click a network in the browser shown above in Figure 32, or select a network and click the Connect button to start: • Open network: If the network is open, Vista warns you that there’s no protection with an exclamation point in a shield. Page 82 • Secure network: A secure network appears in the list as a “Security-enabled network,” and when you select it and click Connect, Vista prompts you for an encryption password (Figure 33). Unlike in XP, you need only enter the key once— I mean, if it’s wrong, it’s going to tell you, right? Vista, like Mac OS X, handles the password type automatically, but doesn’t tell you what kind of encryption is being used. You can also select the Display Characters checkbox to see what you’re typing. FIGURE 33 Enter the security key to connect to the network. Next, Vista shows a dialog while it’s trying to connect, and even warns you if the connection is taking longer than usual to hook up (Figure 34). FIGURE 34 The progress bar shows that something is happening while the connection is set up. Page 83 Managing profiles Vista offers a new profile manager to help store information about networks you’ll connect to on an ongoing basis. In the Networking and Sharing Center, click Manage Wireless Networks in the left-hand Tasks list. The resulting dialog is shown in Figure 35. FIGURE 35 You can add and configure networks that you connect to regularly in Vista’s profile manager. To add a profile, follow these steps: 1. Click the Add button. 2. Make one of the following choices: • Choose Add a Network That is in Range of This Computer (scan for networks). Now enter an encryption key when prompted. Vista will store the key along with your other network details. Page 84 • Choose Manually Create a Network Profile (enter the network name). Now, you can enter your network’s name, encryption type, and security key (Figure 36): ◊ For WPA, choose WPA-Personal from the Security Type popup menu, and TKIP from the Encryption Type pop-up menu. ◊ For WPA2, choose WPA2-Personal from the Security Type pop-up menu and either TKIP or AES from the Encryption Type pop-up menu. FIGURE 36 Set up a manual profile for a network you connect to more than once. 3. Click Next and then Close. The profile appears in the networks list. Page 85 CONNECT MULTIPLE BASE STATIONS Wi-Fi is described as reaching “only” about 150 feet, which is a very rough estimate of the radius of older 802.11b and g devices. With an Extreme N, the distance is much farther. But you can also extend the covered area by adding more base stations with overlapping signals. As a Wi-Fi adapter in a laptop or handheld moves across overlapping areas, it can automatically switch base stations while maintaining a continuous network connection—as long as you’ve set the network up right. While it’s always critical to follow instructions exactly when setting up any kind of network gear—or almost anything computer related— extending a network with more base stations is particularly rough because a failure to check one box or enter exactly the right text could result in a network problem that none of the base stations can accurately report. If, in following the steps below, you find yourself stymied, retrace your steps from the start and see what went wrong. When you extend a network, the additional base stations tend to be dumb; that is, they don’t assign out addresses or handle other features you think of as belonging to a base station’s set of options. Rather, one base station remains smart, offering DHCP and NAT (if needed), among other network choices. The rest pass through traffic from that main unit. Dumb base stations are typically called access points to distinguish them from routers. Because dumb base stations (access points) simply pass traffic through, an adapter retains the same IP address as it switches from one base station to another, thus maintaining a continuous connection in most cases. There are two mix-and-match methods of extending your network: • Add base stations via Ethernet • Add base stations wirelessly via Wireless Distribution System (WDS) Page 86 I write “mix and match,” because you can use any combination of Ethernet and WDS to build a network. Let’s start with the simpler case, which is extending a network via Ethernet. Add Access Points via Ethernet When you add access points, they must each have the same network name, known as an SSID (service set identifier). This enables computers to move around without changing their network settings, because their Wi-Fi cards automatically and seamlessly switch from one access point to another as needed to maintain a constant connection. If you have encryption enabled, each access point must be set up with the same options and keys. Different names for seamless networks: In Mix Legacy, New N Networks, I will advise you to set different network names for the old and new networks. That advice is designed to keep the networks separate. However, when adding access points to grow a single network, you keep the same name so that the connecting computers see the network as a single entity. When adding access points to create a network that allows roaming, you need a network backbone that connects all the access points. Typically, you use Ethernet cabling to connect the access points (Figure 37). However, you can also use wireless connections or electrical connections to form that network backbone, as I describe ahead in Bridge Wirelessly and Extend with HomePlug. FIGURE 37 A common Ethernet backbone connects one base station in the living room, another upstairs, and a third in the basement. Page 87 The most important part of adding access points is choosing the Wi-Fi channels for them wisely. Because each access point can communicate over a unique hunk of spectrum, you can avoid interference by making sure that no adjacent APs use the same frequencies. See Configure the Spectrum and Channel for more details on how to pick channels. Typically, all the base stations on an extended network will use either the 2.4 GHz or 5 GHz band for simplicity, but it’s not strictly necessary (see Mix Legacy, New N Networks). Set up a main wired base station Your main base station should be plugged into your broadband connection, and configured as discussed in Set Up Your Network for setting up a base station to share addresses. Where you deviate from those instructions is in choosing the channel for the base station to operate on. You need to select the 2.4 GHz or 5 GHz channel manually, rather than using the Automatic setting, so that you can set additional base stations that overlap to use different channels. Instead of following the procedure detailed in Set a band and channel, follow these steps: 1. Launch AirPort Utility, connect to your base station, and choose Base Station > Manual Setup. 2. In the AirPort pane’s Wireless view, choose a numbered channel from the Channel pop-up menu. • If you chose from the Radio Mode pop-up menu either “802.11n (802.11b/g compatible)” or “802.11n only (2.4 GHz),” select channel 1, 6, or 11. These are the “clearest” channels that can be used in overlapping areas. • If you chose from the Radio Mode pop-up menu either “802.11n (802.11a compatible)” or “802.11n only (5 GHz),” hold down the Option key to select a 5 GHz channel manually, such as 36. 3. Click Update to restart the base station with these changes. Page 88 Set up additional wired base stations Adding additional access points is straightforward: 1. Launch AirPort Utility, connect to your base station, and choose Base Station > Manual Setup. 2. In the AirPort pane, choose the Wireless view. 3. Enter the same Network Name as your main base station (this enables seamless roaming). 4. Choose a channel that won’t interfere with your main base station or other base station’s choices: • In 2.4 GHz (B, G, or N), any three base stations can uniquely use channels 1, 6, and 11 with the least interference. If you set your main to 1, set an additional one to 6, for instance. • In 5 GHz (A or N), all channels are nonoverlapping. But if you use the “wide” channel mode, an Extreme N uses the equivalent of channels 36 and 40 at the same time. Choosing channels eight numbers apart for base stations that have overlapping signals produces the best results; those would be 36, 44, 149, and 157. 5. Choose the same Wireless Security option and enter the same Wireless Password as on your main base station. 6. Click Update to restart your base station with the new settings. 7. Plug your additional access point into your main base station via Ethernet, connecting the cable from the WAN port on the additional access point either to a LAN port or to an Ethernet switch connected to a LAN port on the main base station. Page 89 EXTEND WITH HOMEPLUG What’s the most robust and ubiquitous wired network in your home? The electrical system! We don’t think of data transmitting over power, but all wired networks use electricity to encode data. In the case of powerline networking, small adapters plugged into outlets modulate data over the 60-hertz (Hz) frequency used in U.S. power. At least three incompatible versions of powerline networking now exist, operating at speeds up to 200 Mbps. Powerline networks have no central hub in most cases. Mac users should purchase Ethernet bridges, which offer a single Ethernet jack. You plug a cable from a Mac into this bridge, plug the bridge into a wall socket, and you’re done. The powerline system handles communication among all the adapters on your electrical network. When I say “wall socket,” I do mean wall socket: powerline networking typically cannot work when an adapter is plugged into a power strip. To extend a wireless network, simply place your access points in appropriate locations, configure them as described above for Ethernet network extension, and then plug them into HomePlug Ethernet bridges (Figure 38). And that’s it. FIGURE 38 A powerline network works like Ethernet over electrical outlets. Page 90 Bridge Wirelessly Wireless Distribution Service (WDS) is a neat way to extend an AirPort network without running wires between locations. As I noted previously, if you want to extend a network by adding access points, you might connect them via Ethernet—which means more wires. Instead, WDS can connect an access point to other access points as easily as wireless clients connect to an access point. TIP You can mix and match WDS with Ethernet-extended networks, too. Each cluster of WDS machines can work together, and then the “main” base station in that group—see below—can hook into a larger network via Ethernet as an additional base station. You can also set a main base station to be both a WDS base station and to handle serving DHCP to computers over Ethernet, which allows it to be the root of both kinds of networks without additional configuration. How it works WDS works much like plugging an Ethernet hub into an Ethernet switch. An Ethernet hub interconnects devices to each other as a single segment, just like wireless clients connecting to a wireless base station. An Ethernet switch, by contrast, isolates each port as a separate segment. A computer connected to a hub connected to a switch’s port can reach computers on other ports’ hubs because the switch has information about which computers (by MAC address) are on other segments; this info allows the switch to transfer data across segments. Likewise, WDS allows access points to exchange information about where computers and other devices are located on a physical network. One access point can then route data to another or to a series of other access points to reach the destination computer (Figure 39). NOTE The biggest downside in WDS is that on a busy network, you effectively halve, quarter, or even eighth, your available bandwidth: All the network traffic that travels among access points over WDS reduces the overall throughput of the network. But with an effective network throughput of nearly 100 Mbps on an 802.11n network, even splitting that into pieces still provides plenty of usable bandwidth. Page 91 FIGURE 39 The same basic setup for an Ethernetconnected network can work with WDS. Here, each base station is set to WDS and also to serve access to local computers wirelessly. Distribute wirelessly In general, to set up WDS you need to know the MAC address for each of the wireless gateways you want to connect (see What and Where Is a MAC Address?, earlier, p. 59). Mix and match: You can mix and match an older or newer Extreme and the AirPort Express, as long as you recall that the 802.11g devices slow down overall network performance both by the general backward compatibility overhead hit (about 10 percent loss there), and when they’re actively sending or receiving. Resolved bug—Extremes didn’t mix: In testing for this first edition of the book, I found WDS would not work between an Extreme N (original) and an Extreme 2003. When I tested the Extreme N (gigabit), I had no such troubles. Apple requires that you configure one device as the main base station; you should choose the one best positioned to connect to an Internet feed. Base stations that connect to the main are called remotes, and they relay traffic via the main to and from their clients, whether to other clients on the local network or the Internet. Finally, Apple defined a relay, which a remote can connect to and which is in turn connected to a main. Relays can’t connect to relays; remotes can’t connect to remotes. You could have 4 remotes on each relay Page 92 and 4 relays connected to a main for a total of 21 base stations (Figure 40), although bandwidth would be enormously reduced. FIGURE 40 If one main base station tells four friends, and they tell four friends… well, this is what happens. THE HIDDEN NODE PROBLEM In a wireless network in which more than two access points connect among themselves in any manner, the “hidden node” problem occurs when one node has at least two access points that can see the node but can’t see each other. Wi-Fi relies on collision detection that requires that every device on a segment can spot when other devices start transmitting and then back off. With a hidden node, some devices can’t tell when other devices are transmitting, resulting in crosstalk, interference, and other problems. When designing a network to use WDS with more than a few access points, you may have to give this issue some consideration, keeping all base stations within at least weak reception range of each other. In some cases, you’ll experience reduced performance if you ignore it; in others, the network might mysteriously vary in its quality and reliability. To set up a WDS network, follow these steps, repeating for each base station you need to configure. There are two separate methods: one for all-Extreme-N networks (next page); another for a Mix of Extreme N and older Extreme/Express units, ahead. Page 93 All Extreme N Apple rather oddly added a way for Extreme-N base stations to configure themselves via WDS without providing enough cues for most of us—myself included—to figure it out. You have to read page 46 of their ebook on designing 802.11n networks to find this out! And even then, it’s a bit obscure. (See Designing AirPort Networks Using AirPort Utility, a free download from http://www.apple.com/ support/manuals/airport/.) Warning! This option works only with Extreme-N base stations. If you set up an Extreme N as your main and try to connect with 802.11g Extreme or Express models, AirPort Utility doesn’t list the necessary Wireless Mode option. If you set up an 802.11g AirPort as your main, and try to connect via Extreme N, AirPort Utility tells you after you restart that the base station you’re trying to connect to lacks the proper checked option. Configure the main base station 1. In the AirPort Utility, in the toolbar, click AirPort. 2. In the Wireless view, choose Create a Wireless Network from the Wireless Mode pop-up menu (Figure 41). 3. In the same view, check Allow This Network To Be Extended. 4. Click Update to restart the base station with that setting. FIGURE 41 Check Allow This Network To Be Extended to make an Extreme N the main base station in a WDS network. Page 94 Configure additional base stations 1. In AirPort Utility, in the toolbar, click AirPort. 2. In the Wireless View, select Extend a Wireless Network from the Wireless Mode pop-up menu. 3. Check Allow Wireless Clients if you want the remote base station to be available via Wi-Fi, not just to Ethernet-attached computers. 4. In the same view, set your Wireless Security choice and Wireless Password to be identical with your main base station. 5. Click Update, and you should be prompted after the base station restarts for the base station password of the main unit. (If the password is the same for the main and additional base station, you may not be prompted.) Mix of Extreme N and older Extreme/Express units 1. Launch AirPort Utility, select a base station to configure, and choose Base Station > Manual Setup (Command-L). 2. In the AirPort pane, click the Wireless button. 3. From the Wireless Mode pop-up menu, choose Participate in a WDS Network A WDS button appears in the AirPort pane. 4. Click the WDS button. 5. If you want this unit to act just as an Ethernet extender or a bridge between a main and a remote, uncheck Allow Wireless Clients. In this mode, wireless clients can’t connect to a base station, but the Ethernet port is active and a main, remote, or relay could connect to other base stations via WDS. 6. Set radio mode, channel, base station password, wireless security method, and wireless password identically: • In the AirPort pane, in Base Station view, set the Base Station Password. • In the AirPort pane, in the Wireless view, set the remaining items: Radio Mode, Channel, Wireless Security, and Wireless Password. Page 95 7. In the WDS view, enter the AirPort ID (Apple’s name for the “air” interface’s MAC address on a base station; see What and Where Is a MAC Address? (p. 59) as follows: • Main base station: Click the button at the bottom of the WDS Remotes list to enter the AirPort ID of the base station(s) that you want to add, up to four total (Figure 42). • Remote base station: Enter the AirPort ID of the main base station in the WDS Main field. • Relay base station: Enter the AirPort ID of the main base station in the WDS Main field and use the to enter WDS remote base stations. FIGURE 42 When configuring a main base station, click the button to enter each base station in a WDS network in turn. 8. I recommend testing each base station as you add it by clicking Update (at the lower right), waiting for the base station to reboot, and then making sure clients can connect (if enabled) and bridge on all attached units. If WDS has failed to work, AirPort Utility will flash the light on the front of an Extreme N amber while displaying an amber icon next to the base station’s icon. Troubleshooting by double-checking or re-entering: If you have problems after following these directions, remember that the frequency, channel, base-station password, wireless security method, and wireless password must all be identical on every WDS base station (Step 6). Failing that, ensure that the MAC addresses were entered correctly on each base station, (Step 7). Page 96 MIX LEGACY, NEW N NETWORKS I expect that many readers of this book already have an AirPort Extreme from 2003 to 2006, or another 802.11g gateway. If that’s the case for you, you may be thinking of shutting down that network in favor of a new one. But to achieve your greatest efficiency, I’d like to suggest that you run two networks: one operating in 2.4 GHz and handling computers and devices with 802.11b or 802.11g built in; the other, an Extreme N using 5 GHz and handling only newer adapters. This is especially worthwhile if you expect to move lots of files across your network, or use Apple TV wirelessly, where you’ll need a lot of unimpeded bandwidth to have video stream at its best quality. Setting up a two-band network isn’t hard, particularly because the Extreme N has an Ethernet switch built in. The goal state for the network is shown in Figure 43. FIGURE 43 The finished mixed network: The Extreme G and desktop Mac are connected to the Extreme N’s LAN Ethernet ports. A PowerBook connects via 802.11g to the older base station; a MacBook connects using 802.11n to the newer base station. The Extreme N’s WAN port is connected to the broadband modem, which is in turn a conduit to the Internet. Page 97 Update Your Older Base Station Your older base station needs to have three specific settings changed in order to work in this configuration: • Its network name should make clear that it’s a distinct network. • Connection Sharing must be set to Off (Bridging), so that the existing base station doesn’t create a nested set of private network addresses. • The base station needs to obtain its address via DHCP from the new 5 GHz base station. NOTE If you already have a DHCP server running on a LAN, you can skip connecting your existing base station to your new Extreme N base station. The existing base station can obtain an Internet address from your network’s DHCP server instead by being plugged into any Ethernet switch on the network. To configure and connect your old base station: 1. Launch AirPort Utility, select your existing base station, and choose Base Station > Manual Setup (Command-L). 2. At the top of the window, click the AirPort icon, and then click the Wireless button. 3. Change the Network Name to something descriptive, like Home 2.4 GHz or Old Slow Network. 4. Click the Internet icon. 5. From the Configure IPv4 pop-up menu, choose Using DHCP. 6. Select Off (Bridging) from the Connection Sharing pop-up menu. 7. Click Update to restart the base station with the new settings. 8. Now, plug an Ethernet cable from the WAN port of your 2.4 GHz base station into any of the three LAN ports of the Extreme N. Page 98 Wireless base station connections won’t work: While you can connect two or more Apple base stations together via Wi-Fi using Wireless Distribution System, that works only when the base stations are using the same frequency band, channel, base station password, and wireless security method and password. See Bridge Wirelessly. Configure Your New Extreme N Next, you need to set up your Extreme N to use the 5 GHz band: 1. Launch AirPort Utility, connect to your Extreme N, and switch to Manual Setup (Command-L). 2. Click the AirPort icon and then the Wireless button. 3. Enter a unique and descriptive name in the Network Name field, like 5 GHz or Bust or Fast New Network. 4. From the Radio Mode pop-up menu, choose 802.11n only (5 GHz). 5. Click the Wireless Options button and check Use Wide Channels. (This option is available only in certain countries, including the United States.) 6. Click the Internet icon. 7. Make sure that Connection Sharing is set to Share a Public IP Address (bottom pop-up menu). 8. Click Update to restart the base station. Now you have two independent Wi-Fi networks operating at peak performance without contention between them. Put Printers in the Right Place A number of readers of the first edition of this book wrote in after reconfiguring their networks as described above because their printers stopped working. After some troubleshooting, we collectively discovered that printers needed to be moved from the old 802.11g network to the new Extreme N network to work reliably. Page 99 A setting change was also needed. Follow these steps: 1. Unplug your USB printer from the old base station; you needn’t power down the printer unless you also plan to move it. 2. Plug the USB printer either directly into the new Extreme N base station, or into a USB hub that’s plugged into the base station. 3. Launch AirPort Utility, connect to your Extreme N, and switch to Manual Setup (Command-L). 4. Click Printers on the toolbar, and confirm that the printer appears in the list of printers shown. 5. If you are plugging the Extreme N into a larger LAN, check the Share Printers over Ethernet WAN Port box so that computers on that larger network can access the printer, too. Page 100 REACH YOUR NETWORK REMOTELY When you share an Internet connection among one or more computers on a local network using private addresses, you give up an easy way to connect from the outside world to a service, like a Web server or fileserver, that’s located on one of those local computers. Public IP addresses allow anyone on the Internet to connect directly to a computer, barring any firewalls or other blocks in place, but private IP addresses are specifically non-routable without a bit of extra work. Extreme N and AirPort Utility mark a major breakthrough for Apple, finally adding features that have been found in other gateways for years, but adding the usual Apple twists: their products are later than similar ones from competitors, but they are easier to use. You can choose from three different methods of reaching your network from the outside world: • Basic port mapping and reserved addressing: While earlier Apple base stations offered port mapping, a way to connect a public port on a routable address on the base station with a private port on a locally connected computer, the Extreme N also lets you assign addresses to local computers on a persistent basis—these reserved addresses don’t change over time. When the base station is restarted, or when the computer is restarted, the same address is assigned to the computer once again. This reservation system makes the whole mapping system work consistently with less effort. I cover these options beginning on the next page. • Punch through from certain programs: A protocol from Apple just starting to become more widely used, called NAT-PMP (NAT plus Port Mapping Protocol), helps with port mapping without requiring any special configuration on a computer or a base station. You can find out more in Punch Through from Certain Programs. • Use one computer as your default host: There’s a coarser way to make NAT work, too, allowing a single computer behind the NAT gateway to act as if it’s directly connected to the Internet. I describe the default host option in Set a Default Host for Full Access. Page 101 Map Ports for Remote Access Port mapping relies on network address translation (NAT), which I’ve noted only in passing previously in this book. NAT acts as a gateway between a WAN IP address for a router reachable from a larger LAN or the public Internet, and the private addresses hidden behind NAT on the base station’s LAN. NAT maps private to public connections When a computer within the LAN wants to connect to the Internet, the NAT software creates an association between that computer’s outgoing connection and a public port on the WAN IP address of the base station. (I talk more about Ports in a sidebar on the next page.) When, for instance, a LAN-connected computer wants to retrieve a Web page, that computer might send a request from its IP address (192.168.1.100) using port 5509. (Ports for outbound connections are arbitrarily numbered above 1024.) The NAT server receives that connection and creates a request over the Internet using the WAN IP address and typically a different port. So the NAT gateway’s request might originate from a public address such as 220.127.116.11 with a port of 12087. The Web server receiving the request doesn’t know about the original computer behind the NAT. Rather, the Web server responds by sending HTML for the requested Web page to port 12087 on IP 18.104.22.168. The NAT server retains a list of associations between public and private ports and addresses, and hands that Web connection over to the machine that originally requested it. This process is ugly, but it works reliably, almost all the time. Port mapping maps public to private connections With port mapping, you create a persistent connection that allows computers outside the LAN to connect to computers inside the LAN. This port mapping lets you expose very limited services in a way that you fully control. When you map a port, you make the gateway connect one of its Internet-accessible ports to the same (or a different) port on a computer on the otherwise-private inside network. Page 102 PORTS Every kind of network server you might run, including a personal Web server and your side of a multi-player online game, uses a port to communicate with the rest of the machine, network, or world. A port number in Internet networking can be compared to an apartment number in a typical postal mail addressing system: a computer has an IP address just like an apartment building has a street address, and each kind of service used by a computer has a port number, just like each apartment has its own number within the building. With ports, it’s as if every apartment building had the manager in unit 1, the mailroom in unit 25, a lounge in unit 80, and so forth. Ports are consistent for the same services on whatever machines those services are running on. Taking it one step further, if you have a static IP addresses, that’s like having a street-front address. In contrast, NAT-provided private addresses are like buildings within a gated compound, where nobody on the outside knows the building numbers on the inside. If you were inside the compound, you might carry a letter to be mailed to the outside world to the compound’s mailroom, and the mail carrier would pick up your letter from there. Return mail, addressed to a mailbox number in the mailroom, is delivered only to that outer mailroom, where you can receive it without leaving the compound. Warning! Anything you do to punch through ports or computers from the private network to the outside world reduces your security. Be careful about what you leave open. You may want to provide better security on computers that you expose in this fashion by installing active firewall and intrusion-monitoring software. Page 103 INSTANT MESSAGING WITH NAT You might wonder how software like iChat and Skype works behind a NAT gateway, because it seems like they have two-way communication where it shouldn’t be possible. Both systems hide the fact that central servers are involved in connecting chatters: • iChat: In iChat, the central server is run by AOL, as iChat is part of the AOL Instant Messenger network. Each person using iChat connects to the AIM server, which maintains a persistent connection to iChat using the channel that iChat opened up. The server coordinates among everyone chatting to move messages among all those connections. • Skype: Skype uses a different method, because it’s decentralized. Instead of using one central server, Skype uses what it calls supernodes, or Skype clients on publicly reachable IP addresses that can coordinate connections among NATconnected Skype users. Your computer can be picked as a supernode without you ever knowing it, but because the system is so distributed, that shouldn’t affect any given user unduly. This is also how services like GoToMyPC and LogMeIn work, where you can remotely connect to a Windows computer when on the road: the software on the computer maintains an open connection to the remote-control firm’s servers. Once you’ve created a mapping, the gateway listens for traffic on the specific port on its public, WAN interface. When traffic arrives and a connection needs to be opened, the gateway reroutes the traffic from that public interface port to the appropriate private address on its LAN interface, whether that’s a Wi-Fi LAN or a wired LAN (Figure 44). In the figure, I show the example of operating a Web server and playing Half Life behind a NAT gateway. Using port mapping reliably has two parts: set a persistent private IP address for a computer on the LAN, and then set a persistent port mapping between a port on the base station and a port on the LAN computer. Page 104 FIGURE 44 One user on a laptop is playing Half Life over the Internet; another computer on the network is running a Web server. When a user in Kuala Lumpur requests a Web page, the gateway maps the incoming request on port 80, the standard port for Web servers, from its public address to the Web server’s private address. Likewise, when traffic needs to run over port 27015, the standard port for Half Life, the gateway connects traffic from a player at Indiana University with our network’s laptop user. Set a reserved address Before the Extreme N, you had to use a variety of complicated workarounds to maintain a private NAT-enabled address on an AirPort network. Now, you can create this with just a few keystrokes and clicks. For each computer with which you want to use port mapping, you should create a DHCP reservation, which I describe fully in Reserved addresses, earlier. Page 105 I recommend creating a text file or other simple list that contains a list of your computers in some descriptive way—the owner or its unique name—and the corresponding reserved addresses. Once you’ve reserved addresses, you can set up effective port mapping. Dynamic addresses don’t cut it: Port mapping ties a public port to a specific private IP address, so if you don’t use a DHCP reservation, you can’t easily keep port mapping working without constantly making changes to the Extreme N configuration and restarting—which changes the IP addresses assigned dynamically! Set base-station-to-computer port mapping To use port mapping, you need to know which ports to map! This can be trivial. You could map port 80 on the public side to port 80 on a given computer on the private LAN, and establish a Web server connection, for instance. For games, streaming media, and other purposes, you might need to set up a bunch of ports. Let’s look first at the simple example of setting up that Web server, along with setting up ports for other services. First, we need to configure the firewall on the computer that’s acting as a Web server. The firewall protects the computer from unwanted inbound connections, and must be set to allow the ones you do want. Second, we need to set up the base station to pass traffic to the newly configured port. Running a Web server in non-server versions of Tiger: 1. Open the Sharing preference pane, and click the Firewall button. 2. Look at the upper left corner of the Firewall view. If you see Firewall Off, click the Start button. 3. To allow inbound Web server requests, make sure Personal Web Sharing is checked. (If you’re using Apple’s built-in Web server, the firewall On box for Personal Web Sharing is checked automatically.) 4. To allow requests for other ports or for a non-Apple Web server, click the New button, choose Other from the Port Name menu, and fill out the entries for ports as discussed a few pages ahead in Configure the Extreme N for other ports. Page 106 Running a Web server in Windows XP and Vista: Typically, you use third-party firewall software for added security, and these packages allow you to enter exceptions for particular ports, such as port 80; read their instructions for details. But Windows XP and Vista each come with a built-in firewall package that you can configure quite simply: 1. Open Control Panel from the Windows menu. 2. Open Windows Firewall. 3. In Windows Vista, click Change Settings to the right of the Windows Firewall text, and then click Continue when prompted. 4. In the General pane, make sure the firewall is set to On, and Don’t Allow Exceptions should be unchecked. 5. In the Exceptions pane, click Add Port. 6. Enter Web Server in the Name field, and 80 in the Port field. 7. Click OK, and then OK again. Configure the Extreme N to pass through to the Web server: With the server set up to accept connections, we now can configure the Extreme N in this fashion: 1. Launch AirPort Utility, select your Extreme N, and choose Base Station > Manual Setup (Command-L). 2. Click the Advanced icon at the top of the window, and then click the Port Mapping button. 3. Click the button to bring up the Port Mapping Setup Assistant (Figure 45). Page 107 FIGURE 45 After you choose Personal Web Sharing from the Service popup menu, the correct ports are entered. 4. From the Service pop-up menu, choose Personal Web Sharing (really, this means any kind of Web server). (For a more advanced network setup, described on the next page, enter all the necessary ports in this step.) 5. Enter the reserved IP address in the Private IP Address field. (You can edit only the last number of the IP address, as the first three numbers are set in DHCP configuration.) 6. Click Continue. 7. In the next screen, enter a description for the entry so you can recall later what you meant by it. 8. Click Done. 9. Click Update to restart your base station with this setting. After restarting the base station, you should attempt to make a connection from outside your network to the service you enabled, or have a friend or colleague initiate the connection. If the connection doesn’t work, make sure the firewall on the computer running the service is configured correctly. Page 108 TIP ONE PER PORT Here’s the tricky part. If you want to run Web servers on different computers on your private LAN, you can’t simply map public TCP port 80 to several computers. It won’t fly. Instead, you can use different public ports; however, then visitors who type in a domain name as the Web address can’t reach your alternate-port servers. You should reserve using alternate-port servers to special purposes or servers available only by clicking a link. All Web browsers can specify a Web server not just by domain name, but also by port, in the form http://serveraddress.com:0, such as http://tidbits.com:8001. Say you have two private Web servers, both receiving connections on port 80. Using port mapping, you would set one’s public port to be port 80, and the other to be something like 8000 (a typical alternative Web server port). In port mapping, you would map port 80 to one private IP address’s port 80, and port 8000 to the other Web server’s private IP address at port 80. This avoids having to make any changes on the Web server, and renders the sites completely reachable. Configure the Extreme N for other ports: We won’t all run Web servers on our private networks, however, so let’s look at the options in the Port Mapping Setup Assistant more closely (Figure 45, previous page); these settings are nearly identical to those used when adding new ports to Tiger’s firewall, too: • Service: This pop-up menu is prefilled with the ports needed for many common services, like FTP for file transfer and SMB/CIFS (Windows File Sharing). If what you need isn’t in that list, you have to look further. For games and other more complex services, read the documentation for the game or program, which typically describes the portmapping settings needed. You can also consult this extensive list: http://www.practicallynetworked.com/sharing/app_port_list.htm. • UDP and TCP: These two different kinds of packets can be carried over an IP network. UDP (User Datagram Protocol) is often used for streaming media, while TCP (Transmission Control Protocol) Page 109 handles Web and other kinds of connections. Any service you might want to use could have a combination of UDP and TCP ports. • Port(s): Each field for entering ports can handle a single number or a range as two numbers separated by a hyphen. You can have multiple numbers or ranges separated by commas. For instance 407, 1216-1300, 6000-7000 would be a legitimate entry. • Bonjour advertising and service type: You can use Bonjour network discovery to allow access to various services by name via the WAN port. Typically, this means that in a program that supports Bonjour, like Safari, any Web site that you offered up via port mapping would appear in the browser’s list of Bonjouradvertised Web sites. (In Safari, choose Bookmarks > Bonjour, and the program lists any Web sites available in this fashion.) Punch Through from Certain Programs Apple has developed a new protocol to help with port mapping without requiring special configuration on a computer or a base station: NAT-PMP (NAT plus Port Mapping Protocol) lets properly enabled programs on a computer on the LAN part of a base station’s network ask the base station for the base station’s public address. This new service can then be available remotely via Bonjour or through the WAN IP address. NOTE Stuart Cheshire, an Apple employee, created both Bonjour (also known as zeroconf for zero configuration, in the wider Internet world) and NAT-PMP. I knew of him back when he was a grad student, writing about latency for TidBITS: http://db.tidbits.com/series/1014. You can read his Internet Engineering Task Force (IETF) draft of the NAT-PMP spec at http://files.dns-sd.org/draft-cheshire-nat-pmp.txt. To enable this feature, select your base station in AirPort Utility, select the Internet pane, and, in the NAT view, check Enable NAT Port Mapping Protocol. Click Update. The downside to the NAT-PMP protocol is that each program must have built-in support built in to work with the protocol. With regular port mapping, software can be entirely unaware that it’s not exposed to the Internet. Page 110 Apple notes that for Macs behind NAT gateways, .Mac can sync its mountable iDisk more easily with NAT-PMP turned on, because that lets .Mac initiate remote connections to those Macs. With iChat AV, Apple told me that NAT-PMP enables more reliable initiation of file transfers when the feature is enabled on base stations on both ends. There’s not yet widespread use of NAT-PMP, because it’s not found in routers outside Apple’s. However, as Apple continues to sell its routers in great numbers, it’s more likely that applications will enable the feature. Set a Default Host for Full Access The alternative to creating reserved addresses and port mapping for each service on each computer you want to expose from your private network is to appoint a single computer as your public machine. This exposed machine could serve any kind of service over any port without the necessity of adding port mapping rules. If one computer runs FTP, Web, and Samba servers, and no other computers on the LAN have any public services, this might be the right option. Apple calls this machine the default host; other gateway makers call it the DMZ host. You must share an IP address over DHCP and NAT for this option to be available. Warning! If your Extreme N has a public IP address, your default host is as exposed as if it were on the public Internet. You should still use DHCP reservation to maintain the computer’s private address over time; see Reserved addresses. To set up a default host, follow these steps: 1. Launch AirPort Utility, select your base station, and choose Base Station > Manual Setup (Command-L). 2. Click the Internet icon at the top of the window, and click the NAT button. 3. Check the Enable Default Host At box and enter the last number in the IP address for your default host (Figure 46). Page 111 FIGURE 46 To set up an exposed computer, check Enable Default Host At and enter the private IP address’s last number. 4. Click Update to restart the base station with these settings. Page 112 SET UP A SHARED USB PRINTER With a base station set up to handle local computers and hooked into the Internet, your next step may be to attach a USB printer to the base station so that it can be shared among all the local computers. TIP ADDING TWO USB DEVICES To attach more than one USB device to the base station, such as a USB printer and a hard disk, or more than one of either, you need to attach a USB hub to the base station, and then attach the devices to the hub. I recommend a Hi-Speed powered hub that uses external AC power; this ensures greater reliability. Add a Printer For each printer you want to attach to the Extreme N: 1. Plug the printer into the base station or USB hub. You should not need to reboot your base station for it to recognize the printer. 2. Give the printer a custom name and share it over a larger LAN or the Internet; see “Rename and Widely Share a USB Printer,” (below). 3. As needed, configure recent Macintoshes to connect to the printer; Add a Shared Printer in Mac OS X explains how. 4. As needed, configure Windows XP and Vista machines to connect to the printer; Add a Shared Printer in Windows XP and Vista has instructions. Rename and Widely Share a USB Printer Your first task in setting up a printer is to get it working with respect to your base station. You can assign the printer a custom name that appears on the network during set up. Follow these steps: 1. Launch AirPort Utility and connect to your base station, and choose Base Station > Manual Setup (Command-L). 2. At the top of the window, click the Printers icon to open the Printers pane (Figure 47). Page 113 FIGURE 47 You can change a printer’s name as it appears on the network. 3. Enter a name for the printer in place of the default name, or leave the name that AirPort Utility prefilled in place. This name will appear in the Print dialog when you select a printer or print. 4. Check Share Printers over Ethernet WAN Port to make the printer available to other computers on a larger LAN (and even over the Internet if the Extreme N has a public IP address). 5. Check Advertise Printers Globally Using Bonjour to make the printer browsable over a larger LAN (outside the base station’s private network) from all Mac OS X machines, and from Windows machines with Bonjour installed. 6. Click Update to save this change and restart the base station. NOTE Apple briefly offered a list of supported USB printers when this shared capability first appeared, but they withdrew this list years ago when it became, in their words, “unwieldy” to maintain. If the steps above don’t work, your printer may be unsupported—for more info, read the last suggestion in Troubleshoot an Unavailable Shared USB Printer (ahead about six pages). You should also consult iFelix’s unofficial list of USB printers that work with an AirPort Extreme or Express base station at http://www.ifelix.co.uk/tech/1013.html for the Extreme 2003 and at http://www.ifelix.co.uk/tech/8013.html for the Extreme N. It contains the original Apple list supplemented with details from readers of the page and tested by iFelix’s maintainer. Page 114 Add a Shared Printer in Mac OS X Follow these steps to set up printing from a Macintosh running Jaguar (you need at least Mac OS X 10.2.7), Mac OS X 10.3 Panther, or Mac OS X 10.4 Tiger to a shared USB printer: 1. Open your printer utility from the /Applications/Utilities folder. In Jaguar, it’s called Print Center. In Panther and Tiger, it’s called Printer Setup Utility. 2. Click the Add icon. 3. Now: • In Jaguar and Panther, choose Rendezvous from the top pop-up menu. Then, find your printer in the resulting list, select it, and click Add. • In Tiger, click the Default Browser icon at the top, if it’s not selected already. Your printer should appear in the list. However, if your printer doesn’t show up, try the suggestions offered ahead in Troubleshoot an Unavailable Shared USB Printer. Now, your printer connection is set up. You can print from any application offering a Print command—just choose the printer from the Printer pop-up menu in the Print dialog. NOTE You can also add a printer from the Print dialog. From the Printer pop-up menu choose the printer from the Shared Printers submenu, if it’s there. If not, then choose Edit Printers or Add Printer (which command you see depends on the version of your operating system). After you add the printer, it shows up in the list of printers in the Print pop-up menu. Warning! Don’t choose the printer from the Shared Printers submenu again, or you may create yet another instance of the printer! Page 115 Add a Shared Printer in Windows XP and Vista We can do it the hard way or the easy way. Let’s try easy first: Bonjour for Windows! (I recommend Bonjour because it is easy to set up, but if you prefer to not install additional software, I also give directions for setting up a printer without Bonjour in Windows XP and Vista, ahead.) Apple lets you add Bonjour network resource discovery in Windows XP and Vista with the free, downloadable Bonjour for Windows package from Apple at http://www.apple.com/support/downloads/ bonjourforwindows.html. Once you’ve installed the package, make sure your printer is turned on and follow these steps to add printers shared by the base station: 1. Launch the Bonjour Printer Wizard and click Next. 2. Select a printer and click Next. 3. Choose a printer driver if one hasn’t been selected automatically for you, and click Next. 4. Click Finish to install the printer. The printer is now available to all applications. Add a shared printer in Windows XP The following advice comes in general form from Mac OS X Hints (http://www.macosxhints.com/), a great Web site for technical advice. I was initially stymied in my attempt to convince my Windows XP box to print to a shared USB printer, and the advice on Mac OS X Hints was of great help in getting started. Here are the steps, which you should follow after making sure your printer is on: 1. From the Control Panel, open Printers and Faxes. 2. From Printer Tasks in the list of tasks in the left navigation bar, click Add a Printer. 3. The Add Printer Wizard appears. Click Next. 4. Select Local Printer Attached to This Computer. Uncheck Automatically Detect and Install My Plug and Play Printer. Click Next. Page 116 5. Select Create a New Port (near the bottom of the screen). Choose Standard TCP/IP Port from the pop-up menu, and click Next to launch the Add Standard TCP/IP Printer Port Wizard. 6. Click Next again to show the Add Port screen. 7. For Printer Name or IP Address you have two choices, depending on whether the Windows machine is connected via Wi-Fi or Ethernet to the base station LAN, or is outside that LAN (either on a larger LAN or remotely printing over the Internet): • Within the base station LAN: Enter your base station’s LAN network address—this is the first three numbers in your DHCP address range with a 1 in the fourth number’s position, like 10.0.1.1. • Outside the base station LAN: Enter the base station’s WAN IP address. Leave Port Name alone; Windows will fill it in for you. Click Next. 8. On the next screen, choose Hewlett Packard Jet Direct from the pop-up menu next to the Standard radio button. I don’t know why, but Mac OS X Hints found that it works. We obey. Click Next. 9. Click Finish to return to the first wizard. From the list of manufacturers and printers, select your precise model. Click Next. 10. The final screen has you name your printer. By default, it uses the name from the model type in the previous screen. You can enter a new name if you’d like, however. Select whether or not you want this printer to be your default by clicking the Yes or the No radio button. Click Next. 11. Leave the Do Not Share This Printer radio button selected unless you want this computer to share the printer to other computers, which makes no sense given that it’s already a shared printer, right? (If you must be contrary, click the Share Name radio button and enter a name.) Click Next. 12. Choose to print a test page by leaving the Yes radio button selected, which is the default, and click Next. 13. Finally, click Finish. Page 117 14. Walk over to your printer, and see if a test page was printed. If the page printed, you’re ready to go. If not, check through the preceding steps to make sure you configured everything correctly or try the suggestions in Troubleshoot an Unavailable Shared USB Printer, two pages ahead. Add a shared printer in Windows Vista Vista streamlines the process of adding a shared USB printer to a Windows setup, though not as much as Bonjour (covered a few pages earlier). Here are the steps, after making sure your printer is on: 1. From the Windows menu (the icon in the lower left of the screen), click Control Panels. 2. Double-click Printers. 3. From the menu bar at the top, click Add a Printer. 4. Click Add a Network, Wireless, or Bluetooth Printer. 5. After a moment, the printer should appear in the list of available printers. Select it and click Next. (If the printer doesn’t appear, skip ahead to “Additional Steps,” next page.) 6. Vista now contacts the printer to obtain the printer’s information, such as its name. If all is well, Vista will suggest you use a currently installed driver for the printer. Click Next. 7. If you want the printer to appear in Vista with a different name, enter that name. Click Next. 8. Click Print a Test Page. Then click Close in the test page window and Finish in the Add Printer wizard. If the page printed, you’re all set. If not, go through the preceding steps again to make sure you configured everything correctly or try the suggestions in Troubleshoot an Unavailable Shared USB Printer, two pages ahead. Page 118 Additional Steps If your printer didn’t show up in Step 5, continue with these steps: 1. Click The Printer That I Want Isn’t Listed. 2. Select Add a Printer Using a TCP/IP Address or Hostname, and click Next. 3. In the “Hostname or IP Address” field, enter an address based on your Vista computer’s position in the network: connected via Wi-Fi or Ethernet to the base station LAN, or outside that LAN (either on a larger LAN or remotely printing over the Internet): • Within the base station LAN: Enter your base station’s LAN network address—this is the first three numbers in your DHCP address range with a 1 in the fourth number’s position, like 10.0.1.1. • Outside the base station LAN: Enter the base station’s WAN IP address. Leave Port Name alone, as Vista prefills it as you type. Click Next. Vista tries to find the appropriate printer driver. In my testing, it fails at this stage, and requires manual selection. If Vista succeeds in finding the right driver, resume at Step 7 on the previous page. 4. Otherwise, in the screen that results—Additional Port Information Required—choose Hewlett Packard Jet Direct from the Standard pop-up menu. (Don’t ask why; just do it!) Click Next. 5. Now: • If your printer maker and model show up in the list, first select the maker on the left and second the model on the right; then click Next. Leave Use the Driver That Is Currently Installed unchecked, and click Next. • If you don’t see your printer maker and model listed, insert a disk that came with the printer and click Have Disk to install a driver that way. Click Next and follow the resulting directions. 6. Resume at Step 7 on the previous page! Page 119 Troubleshoot an Unavailable Shared USB Printer If you followed the directions earlier in this section and you can’t print to your shared USB printer, one of the following suggestions should shed light on the problem: • Make certain that the printer is powered up and not in an error condition (such as out of paper or out of ink). • Make sure your computer is on the same network as the base station (on the computer, launch AirPort Utility and make sure the base station appears in AirPort Utility’s left-hand list of base stations). • Make certain the base station recognizes the printer: use the instructions in Rename and Widely Share a USB Printer. • Using AirPort Utility, restart the base station and try again. • Consult the suggestions from Apple at http://docs.info.apple.com/ article.html?artnum=107418. Note that the last suggestion, under “Still not working?” is to confirm that your printer is able to work with AirPort printer sharing. Apple has linked to Lexmark and HP’s list of compatible printers. Page 120 SET UP A SHARED USB DISK Extreme N adds an interesting option for sharing disks across a network without attaching them to a computer. The base station can share attached drives over a network both via the standard Apple Filing Protocol (AFP) format, the same format used with Personal File Sharing and Mac OS X Server share files, and via Samba, a network file-sharing service compatible with Mac OS X, Windows, and Linux. Warning! There’s no way to share volumes via either only AFP or only Samba; you have to share through both. You can connect a single drive to the USB port on the Extreme N, or connect a USB hub and then a series of drives to the hub. The drives may be hard drives or USB thumb (flash) drives, but you cannot use CD/DVD drives with removable media. You must format mountable disks before you attach them to the base station, using either the Mac HFS+ format, or the FAT16 or FAT32 (MS-DOS) formats. Each partition on a disk becomes a separately available shared volume. (FAT16 supports smaller maximum partition sizes than FAT32; you’re unlikely to see FAT16 except on disks formatted by very old computers.) Warning! Before you format anything, read Grant Access, ahead, to learn the quirks that can arise with different formats and different types of access. Warning! Unix, Microsoft NTFS, and other partition formats are not supported. Once one or more drives are connected, you can access them and let others access them, too. You handle all the configuration in AirPort Utility in the Disks pane. Page 121 Slow Speeds Ahead! The performance of base-stationconnected drives is slow to creeping, when compared to network throughput and to the speed of reading and writing to a drive connected to a computer. In my tests of the Extreme N (gigabit), I saw speeds about onethird that of directly connected USB drives when transferring larger files. When I copied 8,000 tiny HTML files—documentation for a program, the transfer speed dropped to below 10 percent of directly connected USB. This is partly due to inefficiencies in copying many small files in AppleShare File Protocol (AFP), and partly due to the low-power, but adequate, processor in the Extreme N (both models). For networks in which speed is an issue, use a computer-based fileserver or dedicated network-attached storage (NAS) device. DISKS, PARTITIONS, VOLUMES, FILES & FOLDERS Here’s a guide to file-sharing concepts that you need to understand in order to make sense of this section: • Hard disk: A hard disk is a physical piece of hardware that contains data. • Partition: A partition is a division of a disk’s available storage into a separate logical compartment—part of the physical disk is written with certain kinds of data, and a disk-wide partition map is updated to reflect that partition information. Many disks have a single partition that spans the entire disk’s storage capacity. The partition’s format—like HFS+, FAT16/32, or NTFS— determines how data is written to the disk; each operating system supports a different set of formats. • Volume: While volume is a synonym for any partition on a disk, I like to use shared volume to mean a shared partition that can be mounted over a network in the context of file sharing. A fileserver is a device that has one or more volumes available to share. • Files and folders: Any format you deal with stores files inside folders, the latter also known as directories. With some systems, you can share folders as volumes. In some cases, Extreme N makes folders into volumes, so that you can control access more finely, as described ahead. Page 122 Viewing Connected Volumes In AirPort Utility, the Disks view in the Disks pane offers a little information and one option. Each disk connected to the base station is noted in a list on the left, and each partition on that disk is found by clicking the triangle next to the disk name (Figure 48). Selecting a partition reveals the capacity of that partition, the used and remaining storage, and how many users have mounted the partition. FIGURE 48 In this example, AirPort Utility shows two partitions for the drive attached to the base station. Selecting the partition shows storage information and connected users. Clicking Disconnect All Users shuts down all file service, forcing connected users’ computers to lose a connection with mounted volumes no matter whether they have open files or transfers in progress, so click it with care. It’s better to have each user (or you) unmount each connected volume first. If you do disconnect users by clicking the button, Mac OS X warns you in AirPort Utility and informs each user with an alert message (Figure 49). This button appears even if no users are connected. When no users are connected, the drive is in a standby state that lets you unplug it from the Extreme N without harm. Page 123 FIGURE 49 Clicking Disconnect All Users brings up the warning (top) about the consequences to users still working on data stored on those drives. If you want to bump working users off, however, AirPort Utility obliges and Mac OS X complains (bottom). Grant Access Apple offers relatively little granularity in setting up security and access for hard disks you connect to an Extreme N. You can choose only one of three methods for setting passwords, and you can’t set permissions individually for folders or files on each hard disk, nor set permissions differently for different partitions or different hard disks. Kinds of access AirPort Utility has three ways to grant access, found in the Disks pane, in the File Sharing view, in the Secure Shared Disks pop-up menu (Figure 50). Page 124 FIGURE 50 AirPort Utility offers three options for securing a shared disk by controlling the level of security. The three ways to grant access are: • With Base Station Password (default): This self-explanatory option is the default method, and means that only a single password is used to secure the base station’s settings and any attached hard disks. This option is good for home and small networks in which you’re not concerned about someone changing the settings on a base station. • With a Disk Password: This sets a password that controls access to all disks; this password is distinct from the base-station password. All users accessing the disk have access to all files. This works for a small network where you want to make sure those with fileserver access can’t modify the base station, even unintentionally. • With Accounts: On partitions formatted with HFS+, you can set up individual user names and passwords, each with different levels of access; these accounts are distinct from any Mac OS X or Windows user accounts set up on the computer that’s configuring the base station. An Accounts button appears, and you can click it to add and edit users. User access options can be set to Read and Write, Read Only, and Not Allowed. (That last option lets you disable an account without removing it.) Page 125 Accounts are useful for larger networks, but they are a new feature and still have some quirks that I hope Apple will work out soon: ◊ No directory services: You can’t yet tie in network directory services with this option, so accounts must be entered one at a time and manually updated. ◊ Inconsistent partition-to-account matching: With partitions formatted using HFS and named accounts, you can’t choose which HFS+ partition winds up containing the userspecific account folder. In my testing, it seemed arbitrary, and even moved from partition to partition after changing seemingly unrelated settings and restarting the base station. All other partitions formatted with HFS+ are served as single, wholepartition volumes, which is a related bug or missing option. This could result in the strange circumstance in which you attach a 1 terabyte (TB) disk drive and a 1 GB flash drive to your Extreme N, and the unit puts user accounts on the smaller drive. I expect Apple will add an option to select the volume on which user accounts are created to solve this. Single drive, no worries: With a single hard disk that’s formatted in HFS+, you won’t see this problem. Paired with each of the three ways to grant access is the Guest Access pop-up menu. You can set those without a password to have full access, read only, or no access. Other network settings for file sharing You can limit access to what network or part of a network is available through two related checkboxes beneath Guest Access: • If you check Share Disks over Ethernet WAN Port, other computers on a larger network or the Internet can access your base-station fileserver. With the Share Disks box checked, you can also check Advertise Disk Globally Using Bonjour. This option has risks, too, as it ties in your fileserver access with a globally registered domain name that could expose you more broadly than you intend. Page 126 Warning! If you enable WAN access and the Extreme N has a public IP address, you are exposing your files to a larger potential audience of crackers and ne’er-do-wells, so it becomes critical to set guest access appropriately. Or, you can use a firewall between the Extreme N and the larger world to provide additional access control, such as limited fileserver access to particular IP ranges that represent other locations you work for or remote offices. • The other option in this section lets you configure Windows File Sharing—more frequently called Samba—by naming the Workgroup and choosing a WINS Server. The Workgroup name allows other Samba-capable computers to organize fileservers into a group for display. The WINS server, if there’s one on your network, provides a separate name-based association for Windows computers to the IP address on your base station. Gain Access You or users on your network can access disks connected to an Extreme N in two ways: • With the new AirPort Disk Utility, which can identify drives as they appear using Bonjour • With normal file-sharing connection options, such as Connect to Server in the Mac OS X Finder Before we look at methods of accessing shared disks, though, we need to figure out precisely which volumes are mounted based on the settings on a given base station, the disk’s format, and what kind of access you’re attempting to gain. I lay out the options in Table 4, because they’re too baroque to explain conversationally. Page 127 Table 4: Comparing Methods of Serving Shared Disks Access Control Access Method Base station or disk password Password The entire volume is served. Users mount it as a volume having the partition name. Guest* A folder named Shared** is served as a volume. Users mount it as a volume having the partition name. Accounts Account HFS+-formatted partition: How Partitions Are Served • A folder named with the account is created on only one partition, no matter how many HFS+ partitions are attached; users mount this folder as a volume having the account name. • A folder named Shared is also created on one partition, and users mount it as a volume named with the partition name. • Any other partitions are served as volumes named with the partition name. FAT 16/32-formatted partition: • A folder named Shared is served. Users mount it as a volume having the partition name. Guest* A folder named Shared** is created on each partition, and users mount it as a volume named with the partition name. * If Guest Access is set either to Read and Write, or to Read Only. ** The shared folder appears on the disk, viewable as a folder only by users with a password, only after the first guest accesses the volume. AirPort Disk Utility The AirPort Disk Utility program makes it convenient to identify base stations that are sharing hard disks. That sounds great at first, but the utility has few advantages over other ways of accessing shared volumes. (Versions are available for both Mac and Windows; I cover the interface for Mac OS X here.) Page 128 When you install the utility (see Install new software, earlier), you can turn on a status menu that lists each base-station fileserver (Figure 51). You can also remove this menu, and turn off automatic notification when new shared volumes are added to any base station on the network (Figure 52). FIGURE 51 The AirPort Disk menu shows all base station fileservers. FIGURE 52 AirPort Disk Utility lets you set notification and menu preferences, as well as allowing you to change the way you connect to base station fileservers. If you don’t change the utility’s default, when a new volume is added, you’re prompted to act on it; the same is true if you choose the basestation fileserver name from the AirPort Disk menu. A dialog appears (Figure 53) that wants to know your action: • Ignore: Don’t notice if this volume appears in the future. • Connect as Guest: No password required, but you can view only shared files. (This option doesn’t display if Guest Access is set to Not Allowed in AirPort Utility.) • Connect with Password: This option shows up with a Username field if, on the base station, Secure Shared Disks is set to With Accounts; or as just a Password field otherwise. Page 129 FIGURE 53 AirPort Disk Utility displays these options for mounting all volumes connected to a base station. There’s no way to tell AirPort Disk Utility to mount a single volume, which makes the tool less than ideal if you need only a single volume. If you want to mount all volumes at once or have only a single partition, then the utility is fine. Otherwise, I recommend using normal volume mounting, described next. Normal volume mounting Fortunately for us, the file sharing in the Extreme N uses standard methods: AFP, commonly known as AppleShare, and Samba, Windows’s default method. Stick to their own kind: The Extreme N fileserver shares only HFS+ volumes as AFP volumes, while Samba can share either HFS+ or FAT32 (MS-DOS) formatted partitions as SMB/CIFS volumes. Mount in Mac OS X You can mount volumes in Mac OS X by following these steps: 1. In a Finder window, click Network in the sidebar, or choose Go > Network (Command-Shift-K). A list of connected servers appears in the Finder window, and the fileserver should appear in the list twice: first as an AppleShare fileserver and second as a Samba fileserver. 2. Double-click the base station’s fileserver name to open an authentication dialog. Page 130 3. In the Name field: • If you don’t have a user account because the base station is using base-station or disk passwords enter any short bit of text or leave the field blank. • If you have a user account name, enter it. 4. In the Password field, enter the base station, disk, or account password. 5. Select the volume or volumes you want to mount and click OK. If you are mounting a volume remotely or it doesn’t appear in Step 1, choose Go > Connect to Server and enter the IP address of the base station or an associated domain name (for FAT16/32 volumes, enter smb:// followed by the IP address.) Then, follow Steps 3 to 5 above. Mount in Windows With Windows XP and Vista, open the network browser by doubleclicking Network on the Desktop. The base station name should appear in the Network browser. When you connect, enter the name and password as in Steps 3 to 5 above. Page 131 SECURE YOUR NETWORK If you use a wired network in your home, someone would have to break into your house, plug into your Ethernet switch, and then crouch there in the dark to capture data passing over your network. Wireless networks have no such protection: anyone with an antenna sensitive enough to pick up your radio signals can eavesdrop on traffic passing over your network. This could be a neighbor, someone in a parked car, or a nearby business. Many free, easy-to-use programs make this a simple task for only slightly sophisticated snoopers. However, you’re not powerless to prevent such behavior. Depending on what you want to protect and whom you’re protecting against, you can close security holes with tools that range from a few settings up to industrial-grade protection that requires separate servers elsewhere on the Internet. But before I delve into the details of protecting yourself from snoopers, let’s look at whether you even need to turn on security. Likelihood, Liability, and Lost Opportunity When Adam Engst and I were writing The Wireless Networking Starter Kit, Second Edition, back in 2003, we disagreed over how concerned the average home Wi-Fi networker should be about security. Adam came up with a great formulation that I agreed with and want to walk you through. He calls it the three L’s of security: likelihood, liability, and lost opportunity. This framework lets you evaluate how much security—if any—you need for your network. NOTE If you’d like to know more about the topics in this section, read Take Control of Your Wi-Fi Security, a companion book we wrote. Likelihood The first aspect of security to consider is likelihood: how likely is it that someone will violate your privacy, steal your data, or otherwise exploit you? If you live in a lightly populated area, and no one could easily come within range of your network without sitting in your driveway, you probably don’t have much to worry about. Page 132 But if you live in an apartment building with neighbors who could pick up your connection, the likelihood of someone connecting to your network rises significantly, raising the question of whether you want to allow others to share your Internet connection or not. TIP Because Wi-Fi and public hotspots (free and fee) go together like coffee and cream, it’s very likely that you’ll use a laptop on a network outside your home, too. There are a whole different set of concerns about the likelihood of someone snarfing your data and passwords on hotspot networks as opposed to networks you set up yourself. We address those concerns and how to solve them in Take Control of Your Wi-Fi Security. The likelihood of attack increases significantly if you’re running a business, since it’s plausible that your network would carry desirable information such as credit card numbers, business plans, and so on. Also, most businesses are located in areas or buildings where someone could easily sit and hack into a network without being noticed. Liability What is the realistic liability if someone were to record all the traffic that passed across your wireless network? For most home networks, the amount of network data that’s at all sensitive is extremely low; perhaps a credit card number being sent to an ecommerce Web site that unusually doesn’t use SSL/TLS (Secure Sockets Layer/Transport Layer Security, a security standard for Web servers), maybe financial data, possibly some bits that would be embarrassing if made public. Simply allowing someone else to use your Internet connection has a relatively low liability in most cases. However, you may think differently if you pay per byte, if you have a slow dial-up connection that would be impacted by someone else’s use (with high speed DSL and cable modem connections, you’re unlikely to notice another user), or if you’re concerned that allowing someone else to use your connection would be violating your ISP’s terms of service in a way that was likely to result in you being disconnected. A few scary stories have surfaced of police obtaining a warrant, knocking down a door, and finding an innocent person or family who had an open access point. (For one such example, see http://www.washingtonpost.com/ wp-dyn/content/article/2007/02/10/AR2007021001457.html.) Page 133 Businesses are, once again, a different story. The likelihood of sensitive and confidential information passing through a business’s wireless network is much higher, of course, and the liability of an outsider learning that information is significantly greater. For instance, rules protecting patient information could lead to significant fines if a medical office or hospital had its network compromised. And if a competitor learned confidential business plans, the ramifications could be catastrophic. Lost opportunity With home wireless networks, the opportunity cost for layering on security comes mostly in the form of troubleshooting irritating problems, which is more necessary and harder when security is on, and in the annoyance of dealing with passwords with new machines or when you have visitors. Companies, even small ones, may have fewer lost opportunities because they might have a dedicated staffer or whole department that deals with installing, maintaining, and supporting software to promote overall security. Your spot in the security spectrum It’s up to you to determine the likelihood of someone breaking in to your network and either using your Internet connection or eavesdropping on the data that flies by. Next, you must determine the severity of the problems that could ensue from someone using your bandwidth or using a network sniffer to record your data. Lastly, you need to figure out what the lost opportunity of different levels of security is: the higher the likelihood of attack and the higher the liability if your network were to be invaded, the more you’re probably willing to spend and the more annoyance you’re willing to endure. Once you’ve worked through those three thought exercises, you can determine just how much money and effort you should expend to secure your wireless network. Now let’s look at how you might apply such security precautions. Simple Tricks That Don’t Work You may have read suggestions for setting up basic security that advise you to hide your network’s name and make it hard to connect to, such as employing a closed network or using MAC address filtering. Page 134 Closed network In a closed network, your base station stops broadcasting its network name, or SSID (Service Set Identifier), as part of its beacon, an “I’m here” message that access points regularly transmit in order to help clients connect to them. However, the beacon continues to be sent because it still includes information that is used for network data synchronization. An open network appears by name in the AirPort menu or in other places in the Mac OS and Windows that show the names of networks you can connect to. But closing the network makes it only slightly obscure. A cracker can easily find out that the network exists, and by monitoring for a connection or using a tool to create a disassociation for a computer on the network—which forces that computer to reconnect—the cracker can grab the network’s name. So you cannot rely on closing your network for any real security. Although I discourage bothering with a closed network, here’s how to set one up: 1. Launch AirPort Utility, connect to your base station, and choose Base Station > Manual Setup (Command-L). 2. At the top of the window, click the AirPort icon. Then, click the Wireless button. 3. Click the Wireless Options button. 4. Check Create a Closed Network. 5. Click Done, and then click Update to restart the base station. MAC address filtering MAC address filtering initially sounds more promising than a closed network. With this method, you enter the MAC address of every computer you want to allow to connect to your Wi-Fi network. If a computer’s address isn’t in the list, then that computer can’t connect. The flaw with MAC address filtering is that any cracker worth her salt can easily monitor a network to see which MAC addresses are able to access the network. She can then use simple software to modify or clone the MAC address on her own network adapter, thus gaining access. Page 135 TIP If you use MAC address filtering and your network has multiple base stations, each one must have the same list of allowed MAC addresses. You can use AirPort Utility to save one base station’s configuration, and then import just the MAC address controls, to your other base stations. See Export and import configuration profiles. If you don’t want to build a security fortress against crackers, but you do want to mediate the access for kids in your house or you want to clarify to outsiders that you’ve restricted access, MAC address restriction works quite well. You can also combine encryption and MAC address filtering for a pretty good overall solution. The Extreme N adds another element to the mix: controlling access by time of day and day of week for particular MAC addresses. To restrict access, first note the MAC addresses for devices you want to limit; see What and Where is a MAC Address? (p. 59). You can also use AirPort Utility to extract the MAC address of a computer you’re using to configure setup. Warning! Don’t store the base station’s password in the Keychain on a computer that you’re restricting via AirPort Utility. Otherwise, later, someone on that computer could quite easily reconfigure the base station to remove those restrictions! NOTE If you use Wi-Fi Protected Setup (WPS) to allow computers to join the network, but limit their access to 24 hours, an entry appears in the access control client list with a special tag. See Use WPS for more details. To restrict access by MAC address on an Extreme N, follow these steps: 1. Launch AirPort Utility, select your base station, and choose Base Station > Manual Setup (Command-L). 2. Click the AirPort icon; then click Access Control and select Timed Access. 3. Click the button at the bottom of the access control client list. Page 136 4. In the Timed Access Control Setup Assistant, repeat these steps for each Wi-Fi device you want to restrict: a. Enter the MAC address of the computer you want to add, or click This Computer to fill the field with the MAC address of the computer on which you are running AirPort Utility b. Enter a description of the computer you are adding. c. If you want to control access time, choose restrictions: Click the button to add an entry, or select an entry and click the to delete it. You can choose a day of the week, weekdays (Monday through Friday), weekends (Saturday and Sunday), or Everyday. The time of access is either All Day or a range in the current day. You can’t set a range of time that spans two days; that requires two separate entries. (The combination of Everday and All Day would be an ineffective barrier to access!) d. Click Done. 5. You should also edit the “(default)” entry in the access control client list. It’s set at the factory to Unlimited. If you want to exclude all computers that aren’t listed here from having any access, select it, click Edit, and then choose No Access from the Day pop-up menu. Click Done. 6. Click Update after you have added all the computers that you want to restrict. Now, only those computers on your network whose MAC addresses you’ve entered may connect to the network. If one can’t connect, check that you’ve set the access time restrictions correctly. Use Built-In Encryption Although MAC address filtering and a closed network will deter casual passers-by, they don’t constitute a defense. If you want a better defense, you need to step up to encryption and password protection. Wi-Fi has always offered some form of built-in encryption to secure the connection between a client computer or device and the base station; this connection is the most vulnerable part of a wireless network. Page 137 Unsecured out to the Internet: The connection from the base station to the rest of the network or the Internet has to be secured separately from the Wi-Fi segment. Some people use virtual private network (VPN) connections to secure a larger chunk of their traffic. Encryption always requires a key. With Wi-Fi encryption, you don’t enter the key directly, but instead enter a password that is used by the system to generate or retrieve a key. Sharing the password reduces security by allowing others to see the same network traffic. Three different encryption methods have been offered since 802.11b started appearing in hardware in 1999, each of which supersedes the previous one. See Table 5 for side-by-side comparisons. I look at each option in more detail next. Table 5: Wi-Fi Security Compared Name What Can Use It? Difficulties WEP Any Wi-Fi adapter using 802.11a, b, or g, including the earliest made Encryption easily broken; deprecated since 2003 WPA Personal Works with original AirPort Card (10.3 or later), and with many early adapters with new firmware Requires slightly newer computers and operating systems; no Mac OS 9 or earlier support WPA2 Personal Works only with gear shipped starting in late 2002, including AirPort Extreme, but requires 10.3 or later, or Windows XP SP2 or Vista Older machines can’t connect, including those with original AirPort Card WEP Transitional Allows mix of WEP and WPA/WPA2 Personal Doesn’t seem to work consistently; doesn’t allow robust security WPA/WPA2 Enterprise Supported in Mac OS X 10.2 or later, Windows XP SP2, and Vista Requires back-end server to handle account management Page 138 WEP WEP (Wired Equivalent Privacy) allows the use of a 40-bit or 104-bit password, the equivalent of 10 or 26 hexadecimal digits, or 5 or 13 text characters, respectively. WEP was never designed to be very strong, and cracks, or ways to retrieve the encryption key by watching network data, started to appear in 2001. It’s acceptable for home use, but I wouldn’t rely on it as a business. You could use WEP to signal that your network is off limits. In some U.S. states and in some countries that “no trespassing” intent could result in an interloper between charged with a computer crime and even convicted, as recent cases in Florida, Alaska, and Singapore indicate. WPA & WPA2 background WPA (Wi-Fi Protected Access) was introduced by the Wi-Fi Alliance as an interim measure when work by an IEEE committee—802.11i— was taking too long. Released in 2003, WPA is considered to be quite strong and was designed to allow even the earliest Wi-Fi gear to be upgraded to support it. The original AirPort Card can use WPA with Mac OS X 10.3 or later; see http://docs.info.apple.com/article.html? artnum=107795 for Apple’s requirements and software links. (The original 802.11b AirPort Base Station cannot be upgraded.) WPA2 was the final version of WPA security that includes all the work done in the 802.11i committee. WPA2 can use the weaker, but still relatively secure form of encryption offered in WPA. But WPA2 significantly adds a government-grade method favored by corporations. Any equipment released in 2003 or later can handle WPA2. The Extreme 2003 and 2007 and AirPort Express all handle WPA2, but Mac OS X 10.3 or later is required to use it. The original AirPort Card cannot access WPA2-protected networks. Page 139 NOTE THE KEY TO KEYS The difference between WPA and WPA2 is that the former offers an encryption method that’s a repaired version of WEP, known as TKIP (Temporal Key Integrity Protocol). WPA2 adds AES-CCMP (Advanced Encryption System, Counter-mode CBC-MAC Protocol, whew), which incorporates the U.S. government-backed AES method limited to 128 bits. WPA2-enabled Wi-Fi adapters may use either TKIP or AES-CCMP to connect. The Extreme N can offer WPA/WPA2 protection, in which both older and newer devices can join with either form of key; or it can offer a WPA2-only network, in which only computers that support WPA2’s advanced encryption key type can join. NOTE On 802.11n networks that are set to use only 802.11n, WPA2 is the minimum level of security. This makes sense because all 802.11n devices must support WPA2. Both WPA and WPA2 come in two versions: Personal and Enterprise. The Personal versions allow the use of passphrases, long sequences of text—minimum 8 characters, maximum 63 characters—that are converted into the source material for generating an encryption key. This makes a WPA/WPA2 passphrase memorable, and the length adds entropy, the principle of adding greater disorder to make it harder to use brute force to uncover a key. A key could look like my d000gs have lite_brite_hair! I kid you not. TIP Researchers believe that WPA and WPA2 keys are susceptible to cracking through brute force if you choose passphrases that are shorter than 20 characters and that contain only dictionary words. Choosing short passphrases that combine a random assortment of numbers, letters, and punctuation; or longer passphrases with a few punctuation marks defeats this problem, as in the example passphrase above. The Enterprise flavor of WPA and WPA2 requires a server to manage accounts, but simplifies access by letting people enter a user name and password—one that might be shared for resources across a Page 140 network, including fileservers—and receive a unique encryption key that they never need to know about. TIP Even small offices might like to use WPA/WPA2 Enterprise, and a few companies offer affordable ways to add it to an Extreme N: • You can buy server software from Periodik Labs (http://www.periodiklabs.com/shop/, $750). • You can use a hosted option in which the server is located outside your network and you use a Web site to add and delete users. I recommend WiTopia’s SecureMyWiFi (http://witopia.net/ securemore.html; $20 setup and $10 per month for up to five users, $100 setup and $100 per year for up to 100 users). Turning on WPA/WPA2 with AirPort Extreme Here’s how to enable WPA/WPA2 or WPA2 only: 1. Run AirPort Utility and select your base station. Choose Base Station > Manual Setup (Command-L). 2. Click the AirPort icon. Then, click the Wireless button. 3. From the Wireless Security pop-up menu, choose WPA/WPA2 Personal or WPA2 Personal. Warning! Macs with the original AirPort Card can’t connect to WPA2 Personal-configured networks. 4. Enter a key of 8 to 63 characters in the Wireless Password field and the same key again in the Verify Password field. 5. Click Update and wait for the base station to reboot. The next time someone tries to connect to the network, they’ll have to enter a password to gain access; for details on entering a password, see Connect Your Computers, earlier. WEP Transitional The Extreme N supports WEP Transitional, a rare and interesting security mode that I and colleagues have found to be problematic and buggy in actual usage. WEP Transitional lets you mix older WEP-only Wi-Fi connections with newer WPA/WPA2 connections. Page 141 The problematic part is conceptual: the network encryption is as weak as the weakest link. Using WEP Transitional leaves you vulnerable to the same cracks that affect plain WEP. The buggy part is that it’s seemingly erratic whether computers can connect via WEP, WPA, or WPA2 in this mode. Apple will surely fix that—we hope. If it’s necessary for you to mix modes, or occasionally allow WEP clients on your network, here’s how to set this up, but I warn you that it might not work at all: 1. Run AirPort Utility and select your base station. Choose Base Station > Manual Setup (Command-L). 2. Click the AirPort icon. Then, click Wireless. 3. From the Wireless Security pop-up menu, choose WEP (Transitional Security Network). 4. Your WEP password must be exactly 13 characters, although Apple doesn’t note this until you try to update the configuration. Enter the WEP key in the Wireless Password and Verify Password fields. 5. Choose Base Station > Equivalent Network Password. A dialog appears, showing the WEP key you just entered, which is also the key you use as a WPA passphrase to join the network (Figure 54). The dialog shows the 26-digit hexadecimal WEP key for older devices or those that can’t handle ASCII WEP keys. You can select and then copy—Edit > Copy—either key from the dialog. (This isn’t an error in this book: You can really select and copy within this dialog.) Also, if you ever forget or misplace the keys, you can also later follow these steps again to retrieve the key. FIGURE 54 The Equivalent Network Password dialog shows you the passwords needed to gain access using WEP or WPA. Page 142 6. Click OK, and then click Update and wait for the base station to reboot. The next time you or another user tries to connect to the network, whatever operating system you’re using will prompt you for a password to gain access. You can find details on connecting to a network in Connect Your Computers, earlier. Use WPS WPS, Wi-Fi Protected Setup, lets a computer or other Wi-Fi device join a WPA/WPA2 Personal protected network without entering a key. Instead, in the two versions that Apple has implemented, you can join without a password or via a simpler PIN (personal identification number). Apple’s use of WPS requires that you connect to the base station using AirPort Utility and, while connected, have the device that wants to join the network attempt to join. Warning! The only Macs that support WPS at the moment are those that have 802.11n adapters in them with the latest software installed. Windows XP SP2 and Vista don’t seem to yet have builtin support. As an industry-wide standard, WPS will appear in more operating systems and more base stations during 2008. For either kind of WPS, follow these steps to get set up: 1. Connect to your base station via AirPort Utility and choose Base Station > Manual Setup. 2. Choose Base Station > Add Wireless Clients to open the Wireless Client Setup Assistant (Figure 55). FIGURE 55 The assistant allows a client to join the network without a password. Page 143 3. If you like, you can check Limit Client’s Access to 24 Hours, perhaps for a visitor. This will put a special restriction on the account in its access control settings after you finish the configuration (Figure 56). (See MAC address filtering for more detail.) FIGURE 56 The special 24-hour limit entry for timed access can’t be edited for time, only by name and MAC address. 4. Select PIN or First Attempt, and then click Done. This puts AirPort Utility and the base station into a state of watchful awareness! AirPort Utility notes that it’s waiting for a connection. 5. On the client machine, look in the AirPort status menu on the menu bar for the network name, which appears in bold. Choose that network name (Figure 57). FIGURE 57 The network with WPS standing by appears in bold: Draft N Network. Page 144 6. Now: • If you’ve selected the First Attempt option, the first computer that tries to connect to the network after this point is presented with an encryption key automatically. • If you’ve selected a PIN, the Mac OS X system that’s trying to connect generates a code onscreen that you must enter in AirPort Utility. A key is then exchanged between that computer and the base station, and that computer joins the network. 7. AirPort Utility’s watchful-waiting dialog disappears, and AirPort Utility confirms that the device has been added. This lone operation, out of all others on the base station, requires no Update to complete. The client is now connected. Page 145 OVERCOME INTERFERENCE Interference from other Wi-Fi and non-Wi-Fi devices using the same spectrum is one of the most frustrating problems to deal with in making your AirPort network work well. Let’s first look at eliminating sources of conflict, and then at a mysterious option Apple offers that seems to help as well. Eliminate Conflicting Signals A frustrating part of Wi-Fi networking is that you can’t control your “air space.” All too often, neighboring Wi-Fi networks and other emitters cause reception problems in areas that otherwise would have good reception. If your network’s performance varies by time of day or even by the minute, these ideas may help you identify the problem. Do some basic testing What you test for varies by band. Keep reading after the tests for some suggestions for how to fix found problems. For 2.4 GHz: • Run iStumbler (http://www.istumbler.com/) to determine whether other networks are running in the vicinity. iStumbler scans for networks and can display their characteristics, such as signal strength and whether security is enabled. It can’t tell you more general info about signals being generated in the spectrum range, however. • Investigate your cordless phones and microwave oven as culprits— they can both create static on the Wi-Fi line; see Set Interference Robustness (ahead). Do you have problems only when talking on the phone or making popcorn? There you go. • Also check if you have problems while Bluetooth devices are in use. Older Bluetooth equipment can interfere with Wi-Fi networks. • Do you live in an area near a hospital, or light or heavy industry? Some medical and industrial devices use the 2.4 GHz band, including microwave sealers that close bags of potato chips. You might need to switch to 5 GHz to overcome that problem. Page 146 • If you’re desperate for a solution, check out Wi-Spy, a relatively inexpensive spectrum analyzer. It can show whether there’s interference beyond Wi-Fi. (See Testing from client to base station.) For 5 GHz: • Check whether you have 5.8 GHz cordless phones. • See whether a wireless ISP might be broadcasting over 5 GHz in your area. Most wISPs are using the 5.8 GHz section of the 5 GHz band. (If that’s the case note the second bullet item in the solutions for cordless phones, below) Try a solution Here are ideas for solving some of the problems noted just previously. If cordless phones are the culprit: • Buy new cordless phones using an unused band (swapping 2.4 GHz for 5.8 GHz or vice versa). Or swap your Wi-Fi from 2.4 GHz to 5 GHz, a potentially expensive proposition, but one guaranteed to produce better results. • In 5 GHz, use lower-numbered channels; 5.8 GHz is in the highest range of channels supported by the Extreme N. (This also works for wISP interference.) • Try T-Mobile’s HotSpot@Home, which offers cordless calling from a cell phone that also includes a Wi-Fi radio. You make and receive unlimited U.S. calls for $20 per month (one line) or $30 per month (2–5 lines) over your own Wi-Fi network or any T-Mobile HotSpot. If a neighboring network is causing the problem: • Propose an informal channel usage agreement: if your neighbor and you are both using 2.4 GHz’s channel 6, switch to 1 and 11 to increase the distance between signals. In 5 GHz, you have a number of additional channels to choose from. • You (and your neighbor) could move your access points farther away from one another to reduce the signal conflict in the middle. Page 147 TIP Another way to reduce network overlap is to engage in unilateral or multilateral curtailment (you know, like the former Soviet Union and the United States). You can cut the amount of transmit power on many Wi-Fi gateways, which reduces the interference you cause. If your neighbor backs off a little, too, both sets of network improve. You know: the Prisoner’s Dilemma. To reduce transmit power from an Extreme N, run AirPort Utility, connect to the base station, and click Wireless Options in the AirPort pane’s Wireless view. Set Transmitter Power to a level below 100 percent, click OK, click Update, and then re-test. If Bluetooth is causing the problem: • A Bluetooth headset from 2002 or earlier could cause terrible interference. The standard was updated to version 1.2 in 2003, but not all devices are upgradable. Check your equipment to see. Set Interference Robustness Why not use a setting labeled Interference Robustness to more robustly resist interference and thus improve range? In short, the setting won’t help with range but it might provide a more reliable connection over short distances. Apple offers Interference Robustness for 2.4 GHz use of the Extreme N, but not for 5 GHz, which doesn’t need the additional “robustness,” as there’s much less interference. Apple has offered the option for years with little explanation. They describe it sketchily on their Web site, saying that it provides better performance in the presence of 2.4 GHz cordless phones and near working microwave ovens. A writer at Macinstruct says he figured it out: Interference Robustness instructs the base station and Mac OS X to send packets of smaller and smaller length to ensure that data gets through if interference otherwise disrupts the transmission of longer sequences. Read http://macinstruct.com/node/213 for more details. Interference Robustness doesn’t seem to make much difference in normal networks. One Web site documents testing that indicated that the setting increases power while reducing reception sensitivity, thus blasting through interference when sending data, while listening less carefully (ignoring more noise) when receiving it. Page 148 Turning Interference Robustness on is helpful only if you use Wi-Fi at a short distance from a base station and if you believe that interference is causing problems. Interference Robustness reduces the range, but can improve performance within that smaller area. Better than using Interference Robustness, if you operate 2.4 GHz cordless phones, you might consider switching to older 900 MHz phones (lower quality but often better range) or newer 5.8 GHz phones (higher price, and range is an issue); or using 5 GHz with 802.11n to avoid 2.4 GHz altogether. You can turn on Interference Robustness in Mac OS X through the AirPort menu in the menu bar: choose Use Interference Robustness. Windows has no similar option in any version. For an Extreme N, connect to your base station in AirPort Utility; click the AirPort icon, and click Wireless; then click Wireless Options to see the checkbox. Interference robustness can be a unilateral decision: If a single computer or the base station has the option enabled, there could be a performance improvement. Page 149 APPENDIX A: STREAM MEDIA WITH AIRPORT Apple continues to extend itself into the media world, and the AirPort system hasn’t been left out of the mix. When Apple introduced the AirPort Express, they made a big deal about AirTunes, Apple’s name for streaming music over a wired or Wi-Fi network to an AirPort Express, which could then dump that music out as analog or optical digital audio via a standard stereo mini-jack. Strangely, AirTunes never appeared in any other devices. In late 2006, Apple revealed plans to offer the Apple TV, initially codenamed the iTV, which would stream high-definition video and digital audio over a wired or Wi-Fi network for output via HDMI (the high-definition digital video standard), composite analog, and both digital and analog audio. The Apple TV was unveiled in early 2007 and shipped in March 2007. In this section, I cover how to best configure your Apple TV to stream video, and how to work with an AirPort Express. The big difference between the two devices, beyond video, is that Apple TV pulls content from connected computers, while the AirPort Express allows audio to be pushed to it from a copy of iTunes running on a computer on the same network. Cheap music: The AirPort Express is still being sold as I write this, and at $99, it’s not a bad deal for transferring audio over your network. You can connect an Express wirelessly or via Ethernet on an Extreme N network with no problems, except the previously mentioned network performance hit. Apple TV The Apple TV can receive content from a single computer via synchronization and store it on an internal hard disk. It can also stream content live from up to five computers on the network. The Apple TV has 802.11n built in and can use 2.4 GHz and 5 GHz bands just like the Extreme N. It also has just 10/100 Mbps Ethernet, not gigabit Ethernet, which is peculiar for a device intended to move a lot of data. Page 150 TIP If you’re using Apple TV with an 802.11g network or in the 2.4 GHz band, connecting via Ethernet lets you sync to that one enabled computer at the fastest possible rate. You can then disconnect from Ethernet and use Wi-Fi thereafter. Apple has a technical note about this: http://docs.info.apple.com/article.html?artnum=305254. TIP Reports from Apple TV users indicate that placing an object on top of the Apple TV can dramatically decrease the range of its Wi-Fi radio, if you’re using Wi-Fi as your connection method. Choose a Band The big consideration in adding an Apple TV to your network is ensuring that you have enough bandwidth to stream video while performing other tasks on the network. Also, if you sync content regularly to the Apple TV, you’ll likely want a lot of speed in order to move your movies and audio files quickly. MPEG4-compressed video used for top-resolution (1,080p or 1,080 by 1,920 pixels) requires about 10 Mbps of throughput. Apple says the maximum resolution for the Apple TV is 720p, and the iTunes Store doesn’t yet sell video at even that resolution. Thus, you need to have somewhere between 2 and 5 Mbps of solid throughput available for each Apple TV on a network that’s streaming video. An ideally configured 802.11g network should top 20 Mbps in throughput, but it’s likely to actually work at much lower speeds due to nearby networks, interference, and other factors described earlier. In contrast, an Extreme N network with only N devices connected can hit 90 Mbps. You might choose, therefore, to set up an Extreme N in the 5 GHz band. You can read Mix Legacy, New N Networks for how to best set this up. But, keep in mind that the speeds demanded for good video streaming by the Apple TV might be achievable on your network at 2.4 GHz. It depends on your particular environment—and it’s worth testing before getting rid of an older base station. Connect an Apple TV The Apple TV uses a straightforward way to connect to a network. If you plug the Apple TV into an Ethernet network with DHCP Page 151 enabled, the device automatically obtains an address. If you don’t have an Ethernet network, or are just using Ethernet for an initial sync, connect your Apple TV to your TV, power up both devices, grab your Apple Remote, and follow these steps: 1. On the TV, from the Apple TV main menu, choose Setup > Network. 2. Select Configure Wireless. 3. From the Wireless Networks screen, select your network (Figure 58), or if your network is closed (see Closed network), choose Other and enter a network name FIGURE 58 Choose your network from the list. 4. If your network has an encryption key or passphrase, use the Wireless Password screen’s visual keyboard to enter that text (Figure 59). The Apple Remote lets you select each letter one at a time. Select Done when finished. (The password is displayed on the TV screen as you type it.) 5. If your network uses static addresses or has other particular network requirements, choose Configure TCP/IP from the Network screen to enter an IP address, set DNS servers, or control other details (Figure 60). With the network connected, you now can proceed to use your Apple TV by following the instructions to pair one computer’s iTunes library. A code appears on the Apple TV, you enter that code in that computer’s iTunes link to the Apple TV, and then syncing begins! Page 152 Synchronization can take some time, as noted, over a slower network. After or instead of synchronization, you can follow instructions to set up streaming with up to five computers on the network, similarly using the Apple TV code paired with iTunes entry. FIGURE 59 Use the Apple Remote to navigate the visual keyboard and select the letters in your network passphrase. FIGURE 60 You can set TCP/IP details manually via the Network > Configure TCP/IP command. Page 153 AirPort Express and AirTunes The AirPort Express features AirTunes, a method of streaming music from iTunes (versions 4.6 and later) through the audio output port on the base station. You control the settings in AirPort Utility and then play the music via iTunes. TIP The fine folks at Rogue Amoeba offer AirFoil, a program that lets you take the sound output from any program—not just iTunes— and play it over AirTunes (http://rogueamoeba.com/airfoil/; $25, downloadable demo version). Set up music features in Airport Utility After connecting to your base station, use the Music pane in AirPort Utility to control music streaming and speaker settings (Figure 61). FIGURE 61 The Music pane lets you set AirTunes options. Here’s how the controls work: • Enable AirTunes: Click this box to turn streaming on and off, on the base station. • Enable AirTunes over Ethernet: Check this box to let both wired and wireless computers stream music. I can’t think of why you might want to restrict this, but if you’re concerned about Page 154 restricting streaming, don’t uncheck this box; instead, passwordprotect the remote speakers (see the last item in this list). • iTunes Speaker Name: This name shows in the iTunes remote speaker list. • iTunes Speaker Password: Set a password to limit use of this speaker set to people who have the password. The Verify Password field requires you to enter the password a second time to make sure you didn’t mistype it. Play music with iTunes Here are the steps for playing music via iTunes and AirPort Express: 1. In iTunes, choose File > Preferences, and then click the Advanced icon (Figure 62). FIGURE 62 Select Look for Remote Speakers Connected with AirTunes to automatically discover AirTunesequipped base stations. 2. In the General view, verify that Look for Remote Speakers Connected with AirTunes is checked (look near the middle of the view). This option causes iTunes to be aware of AirPort Express Base Stations that are plugged into stereos or powered speakers. 3. If you want to control volume only from your stereo (and not also from iTunes), select Disable iTunes Volume Control for Remote Speakers. Page 155 4. A very limited number of devices can control iTunes volume remotely, including the Apple HiFi when connected via the AirTunes jack on the AirPort Express. If you care about this behavior, you can check or uncheck Allow iTunes Control from Remote Speakers. 5. Click OK. Now that you have a configured AirPort Express on the network and the Look for Remote Speakers Connected with AirTunes checkbox is selected, iTunes should display a new pop-up menu with a speaker icon next to it in the lower right of its main window (Figure 63). FIGURE 63 Choose the AirPort Express to stream through from the pop-up menu at the lower right. A lock appears next to those that are password protected. 6. In iTunes, select a base station from the new pop-up menu. The menu lists all the AirPort Express base stations connected to stereos; Computer means the audio output option you chose on your own computer in the Sound preference pane. You can select only one item from the menu, but you can choose Multiple Speakers to play music through both your computer and other AirPort Express base stations as well (Figure 64). FIGURE 64 The Remote Speakers window lets you choose one or more speaker sets to stream through. Page 156 Quiet! The AirPort Express knows if there are no speakers attached and warns you. Here are a few more things you might like to know about AirTunes: • Two people playing music at once: If you try to play music through an AirPort Express that someone else is actively playing music through, iTunes notifies you when you press the Play button (Figure 65). If that person clicks Pause, iTunes releases that person’s control of the speakers, and within 2–3 seconds, another iTunes user can start playing music through that AirPort Express. FIGURE 65 This message appears when someone else is already playing music through a particular AirPort Express. • Password protection: You can password-protect AirPort Express music streaming (as noted a few pages earlier). For instance, if you live in a dorm, you might want to prevent pranksters from blasting through your speakers. When you try to connect to protected base stations to play music, you must enter the password (Figure 66). FIGURE 66 Connect to passwordprotected AirPort Express speakers by entering the correct password and clicking OK. Page 157 APPENDIX B: SETTING UP A SOFTWARE BASE STATION You can use a computer equipped with a Wi-Fi adapter card not just as a client on a Wi-Fi network, but also as a base station. This appendix explains how to set up a software base station under Mac OS X. Apple’s software base station has two distinct problems: • Security: You can use only WEP encryption, which I describe back in Use Built-in Encryption as a last-resort method of security. It’s definitely better than nothing, however. • Frequency: Even though 802.11n allows the use of the uncrowded 5 GHz band for less interference and better throughput, Internet sharing over AirPort works just with the busy 2.4 GHz band. SOFTWARE BASE STATION VS. AD HOC NETWORKS You needn’t create an ad hoc network (also known as a computerto-computer network, an informal network that you set up quickly, perhaps to transfer a file or to chat during a keynote speech) before setting up a software base station, and in fact, the two are mutually exclusive. Use an ad hoc network for connecting with another computer when you have no Internet connection to share. When you set up an ad hoc network by choosing Create Network from the AirPort menu, your Mac assigns itself an IP address in the 169.254.x.x range; Macs that connect to your network pick up addresses in that range so they can communicate. Bonjour services in iChat should work fine over ad hoc networks. The Software Base Station feature is found in the Sharing preference pane. Before starting, make sure you have either an Ethernet or an Internal Modem connection set up in the Network preference pane, because you can’t create a software access point without one or the other active. Page 158 For this example, I assume your Internet connection comes via Ethernet from a cable modem. Here’s what to do: 1. In System Preferences, open the Sharing pane and click the Internet button (Figure 67). FIGURE 67 In the Internet view of the Sharing preference pane in Tiger, you can share your wired Internet connection as a software base station by choosing BuiltIn Ethernet and checking AirPort. 2. From the Share Your Connection From pop-up menu, pick either Built-In Ethernet or Internal Modem (whichever matches how you access the Internet), and then select AirPort in the To Computers Using list. 3. If you want to also share a connection to wired computers connected directly to your computer, select Built-In Ethernet from the To Computers Using list. Warning! Because most Macs have a single Ethernet port, if you select Built-In Ethernet, you wind up pushing out DHCP messages over the same network connection that you’re retrieving your Internet feed from. This is generally not a good idea, but might be required in some limited circumstances. 4. Click AirPort Options to set the network name, channel, and, optionally, a WEP key (Figure 68). Page 159 FIGURE 68 Set the wireless options you want for your software base station, including a WEP password. TIP If you turn on WEP and anticipate PCs or Macs without AirPort cards ever wanting to access your network, I recommend you set the WEP key using a dollar sign, followed by the 10-digit or 26-digit hexadecimal key. When you type a dollar sign in a password field, the WEP Key Length menu dims and the OK button won’t light up until you type the correct number of matching digits in both password fields. 5. Back in the Internet view of the Sharing preference pane, click Start. Page 160 APPENDIX C: ADVANCED EXTREME FEATURES I tucked the kitchen sink here at the end, because only a few of you may be interested in the advanced features found here and there across the AirPort Utility. Revert to Older Firmware Apple isn’t perfect, although many Apple fans like to pretend they’re close to it when compared to the rest of the computer industry. Sometimes, they release software that causes their products to work more poorly than they previously performed. This has often happened with AirPort base station firmware, the software code that runs on the base station itself. Many firmware releases have turned out to have minor defects, often quickly fixed, that disable or render erratic critical features. Apple has neatly provided a way to go backward in AirPort Utility: choose Base Station > Upload Firmware (Figure 69). As long as the base station is responsive, you should be able to use this command to restore a previous firmware release. FIGURE 69 You can choose firmware that’s stored in AirPort Utility, or choose a separate firmware file. If you already have previous versions of firmware downloaded, they appear in the Upload Version pop-up menu. Otherwise, you can retrieve older firmware via the AirPort Utility: • On a Mac, hold down the Option key and choose AirPort Utility > Check for Updates. Page 161 • Under Windows, hold down the Control key and choose File > Check for Updates. Windows also requires that you click Show Details to proceed. A list of all firmware releases appears with each entry comprising a graphic of the model type and a description of that type along with the firmware release number (Figure 70). Select the checkbox next to each firmware release you'd like to retrieve, and click Download. Entries that are already stored locally are grayed out. FIGURE 70 AirPort Utility lets you retrieve any older versions of base station firmware. Page 162 You can also download these older firmware releases from Apple's Web archives at http://docs.info.apple.com/article.html? artnum=75422. AirPort Pane A handful of options in this view beg for additional explanation. Base Station settings The Set Time Automatically checkbox and field allow you to set the time on your Extreme N (and previous models) via time servers operated by Apple or that you specify yourself. You must choose your time zone manually. Setting your time in this fashion can ensure that any timed access rules you set function; see MAC address filtering. Hardware tends to lose track of time without external correction. Click the Base Station Options button to set blinking options. The Status Light pop-up menu controls whether the amber/green light on the front of the Extreme N is green when everything is situation normal—Always On (Default)—or if it blinks with activity—Flash On Activity. Wireless settings The Wireless view’s Wireless Option dialog hides several useful controls for the built-in radio. • Region: Choose the country in which you are operating your Extreme N. With the Americas model, the menu lists only countries that have approved the device. You could violate a number of laws by setting the region to a regulatory domain in which you are not using the base station! • Multicast Rate: This option concerns a subset of networking traffic that all connected computers can receive. It’s seldom used without a particular purpose in mind, so you almost certainly won’t need to change the value. • WPA Group Key Timeout: On WPA-protected networks, each connected device creates its own particular key material—based on the WPA passphrase—in concert with an access point. Each device also receives from the access point a group key that’s used for broadcast traffic sent to all devices. The timeout value increases Page 163 the entropy in encryption by ensuring that a group key doesn’t persist for very long. It does not require that any computer log in to the network again. Access Control settings The MAC Address Access Control pop-up menu lists RADIUS as one option. If you use 802.1X or WPA/WPA2 Enterprise, here is where you fill in server details provided by a network administrator or a service provider you contract with. Advanced Pane The Advanced pane has, as you can imagine, less frequently used options. Logging & SNMP settings The Extreme N can log, or note information about, many kinds of events, from users logging in, to updates of its internal clock, to specific encryption information. This view controls all those aspects. The Syslog Destination Address and Syslog Level allow an existing system logger (a server called syslog) on a Unix or Linux—or really any—system to receive messages from the base station, and place them in a text file that’s updated constantly as new messages come in. (The syslog monitor is part of Mac OS X and every Unix and Linux flavor I’m aware of; configuring it to accept these messages requires system administrator experience.) The SNMP options let the base station leverage a standard method of receiving information with a bit more sophistication than syslog. Many network management packages use SNMP for figuring out the status of network components and the traffic passing over them; and determining bad behavior by users or interlopers. If you click the Logs and Statistics button, you see additional options: • Click Logs to see a short list of the logging messages that can be sent to a syslog or SNMP server. • Wireless Clients and DHCP Clients show connections and their quality. Page 164 Bonjour settings Apple likes to look to the future, and the advanced Bonjour settings are part of that forward-looking detail. In these settings, Apple lets you set up wide-area Bonjour, a way of pushing information about services and hardware on your local network out to the global Internet by using the domain name system (DNS). In this scenario, a domain name’s DNS information, which normally contains IP addresses and mail server records, would also keep an updated list of file servers, printers, and other Bonjour-broadcasting information that could be accessed by people outside your local network The problem with that? Internet service providers and DNS hosts must support wide-area Bonjour for that to happen. Within a large local network, such as at a college, wide-area Bonjour can be supported internally, allowing networks of all scales to share resources across the campus’s wide-area network. Bonjour services on the network served by the Extreme N get shared to the next network level. Any service that uses NAT-PMP publishes information about itself via wide-area Bonjour, if that’s enabled. For practical purposes, and Apple has confirmed this, presently, home users don’t need wide-area Bonjour, and most corporations don’t have it in place. However, settings for wide-area Bonjour appear throughout AirPort Utility. IPv6 settings An explanation of IPv6 could fill pages and pages, and perhaps it will in a future edition of this book. IPv6 is the next-generation Internet protocol that will replace the current version, IPv4, which has been in use for decades. IPv6 was designed in the 1990s, but because it requires a reworking of the entire infrastructure of the Internet, it’s been slow to catch on. IPv6 has a much larger address space, allowing trillions of addresses compared to billions in IPv4. And, it allows address mobility: an address in IPv4 is usually fixed to a particular router or gateway on the Internet. With IPv6, that router or gateway can provide forwarding info so that a mobile device can be reached elsewhere, if desired, with no special effort. Page 165 Some corporate networks and some ISPs in Japan now use IPv6, which explains Apple’s support. But there’s an additional interesting option. In IPv6, you don’t need NAT, because IPv6 addresses and ports can be used directly. And many organizations have set up IPv6 tunnels on the Internet that allow IPv6 traffic to pass over the current IPv4 network. The Extreme N supports this tunneling. By default, the Extreme N is set up to allow incoming IPv6 connections and to route IPv6 traffic through these public Internet tunnels. Because Mac OS X also, by default, enables IPv6 traffic, you do face some exposure, and may wish to set IPv6 Mode to Link-Local Only, which restricts traffic to the local network, and check Block Incoming IPv6 Connections to further restrict behavior. For the Extreme N (gigabit) Apple enhanced security options, adding a checkbox for blocking incoming connections to the IPv6 view, and a new view called IPv6 Firewall with configuration choices for what IPv6 tunnels and networks can pass through. Page 166 APPENDIX D: WHAT’S NEW IN LEOPARD Leopard didn’t change the face of AirPort networking, but it did rework how AirPort and network settings appear throughout the system, consolidating those settings and making them more accessible. (Some long-time irritations weren’t fixed, unfortunately.) In this special appendix, I cover three primary areas: • The new Network preference pane, which reorganizes how you find and configure TCP/IP and other network settings for AirPort. • The revised AirPort menu in the system menu bar, which now offers live information about the networks around you. • Miscellaneous changes, ranging from Web server and printer setup changes, to updates in mounting shared AFP and Samba volumes in the Finder. Watch for spots! The occasional leopard spots ( ) in the margin of this ebook can be clicked to quickly jump to corresponding Leopard-related material in this appendix. Meet the New Network Preference Pane Leopard reorganized the Network preference pane to consolidate separate activities and information into one dashboard. The Internet Connect program is gone, replaced by features now built into the Network preference pane. A list at the left of the pane now shows all adapters and their respective status, replacing the previous interface where you used different menus from the top of the pane to access active adapters and change overall adapter settings. Set DHCP and DHCP Client ID for AirPort (p. 63 and p. 68) Here are the steps to set an AirPort adapter to use DHCP to obtain an address: 1. Open the Network preference pane. 2. Select your AirPort adapter in the list at left. 3. Click the Advanced button. Page 167 4. Click the TCP/IP button to open the TCP/IP view (Figure 71). FIGURE 71 DHCP settings are now found nested in the Advanced options for the AirPort adapter, in the TCP/IP view. 5. Now, do either or both: • Choose Using DHCP from the Configure IPv4 pop-up menu. • Enter a name into the DHCP Client ID field to use with DHCP reservation in AirPort Utility. Managing Profiles (p. 75) To create, edit, and delete profiles in Leopard, in the Network preference pane, select the AirPort adapter and then click the Advanced button to see the advanced options (Figure 72). Profiles are managed much the same as in Tiger: • Add a profile manually by clicking the button. • Delete a profile you no longer need by selecting the profile and clicking the button. • To change the preferred order in which the Mac connects to networks if more than one is available, drag a network name to a new position in the list. Page 168 FIGURE 72 In the Advanced options for an AirPort adapter, you can easily add, delete, edit, and rearrange networks with which you want to connect. • To edit an existing profile, select it and click the button; you can change the password or type of password, too (Figure 73). FIGURE 73 With the edit option, you can change the network name, security type, and password without needing to re-select the network. If you click the button to reach the dialog shown in Figure 73, above, you’re presented with a new option in Leopard: the Show Networks button. This somewhat recursive seeming choice lets you connect to a network within the edit feature, so you can change details without exiting the nested dialog (Figure 74). Page 169 FIGURE 74 Choose the network from this list, or click Other to enter a network from scratch. Advanced connection options (p. 76) To control some aspects of how AirPort connects to networks, select the AirPort adapter in the Network preference pane, and choose any of the following options: • Check Ask to Join New Networks if you want Mac OS X to alert you when there’s no network you’ve stored a profile for in the vicinity (Figure 75). Warning! This feature seems to work erratically. I have never been able to get it to work correctly and on request, but then, out of nowhere, I’ll be prompted to join a network. FIGURE 75 The checkbox would seem to indicate that Leopard would ask you join networks; it rarely asks, though. Page 170 • Click the Advanced button to reach three additional methods of control: ◊ Remember Any Network This Computer Has Joined. Checked by default, this option adds a profile for any network you join, whether a password is required or not. ◊ Disconnect from Any Wireless Network When Logging Out does just that. ◊ Require Administrator Password to Control AirPort allow you to override someone’s attempt to switch networks or turn AirPort off. NOTE Apple has eliminated the set of three weird options that never seemed to make much sense in Tiger, and that were hidden in an Options dialog: Ask Before Joining an Open Network; Automatically Join an Open Network; and Keep Looking for Recent Networks. Now, the behavior is, by default, to join any network for which a profile is stored; otherwise, Leopard asks to join a network if the Ask To Join New Networks box is checked, which it is by default. Joining any open network without asking is always a bad idea. AirPort Menu (p. 71) The AirPort menu, a drop-down menu in the system menu bar, has been refurbished slightly to improve how you find and connect to WiFi networks. Dynamic network scanning The AirPort menu is now dynamic, scanning for networks after you hold down the mouse button to select a network (Figure 76). Networks appear in alphabetical order, with the network that you’re connected to coming first, if you’re connected. A lock icon appears to the right of protected networks—ones using WEP or WPA/WPA2. Page 171 FIGURE 76 The AirPort status line at the top of the menu says it’s scanning (and shows a progress spinner) while it’s still looking for networks after you initially hold down the mouse button. Network details via the Option key In Tiger, you could hold down the Option key while clicking the AirPort menu icon, and Mac OS X would sort the networks in order of signal strength, from strongest to weakest. In Leopard, however, Option-clicking the AirPort menu icon provides details about the network (Figure 77) to which you are connected: • The MAC address or AirPort ID of the network • The channel the base station is using • The signal strength measured as RSSI (Received Signal Strength Indication), which is a relative measure of how good a signal is • The transmit rate, which shows how fast the network link is, not just how fast the base station can go TIP RSSI is measured in decibels in such a fashion that a negative number is used; -44 (minus 44), as in Figure 77 is typical. A higher number for the RSSI therefore means less signal strength: -75 is less power than -45. Page 172 FIGURE 77 Option-click the Airport menu bar icon to see network details revealed right in the menu. You can also reveal information about networks to which you aren’t connected: Option-click to open the AirPort menu, and then hover over any network in the list that you’re not connected to, in order to see the RSSI and type of encryption, if any (Figure 78). FIGURE 78 Option-click to open the menu, and then you can hover to reveal information about Wi-Fi networks to which you aren’t connected. Page 173 Miscellaneous Leopard has a variety of other changes, which affect scattered sections of the book noted below. Finding the MAC address (p. 59) In Leopard, you find the MAC address of your Wi-Fi adapter by following these steps: 1. Launch System Preferences and select the Network preference pane. 2. Select your AirPort adapter in the list of adapters on the left side of the pane. 3. Click the Advanced button. The AirPort ID is found at the bottom of the AirPort view. AirPort Utility (p. 27) AirPort Utility shipped as part of the Leopard set of utilities, so it no longer needs to be installed separately from an installer disc. (Apple also separately released a download for Tiger and for Windows XP/Vista.) Running a Web server in Leopard (p. 106) Leopard no longer includes a port-based firewall that would be a problem for running a local Web server that’s port mapped to be reached outside the network. The Leopard firewall, configured in the Security preference pane in the Firewall view, automatically opens the right connections if you enable services, such as a Web server, through the Sharing preference pane (Figure 79). Page 174 FIGURE 79 The Leopard firewall automatically opens ports as needed for services enabled through the Sharing preference pane. Add a printer in Leopard (p. 115) To let Leopard see a shared printer attached to an AirPort Extreme Base Station, an AirPort Express, or a Time Capsule, follow these steps: 1. Launch System Preferences, and select the Print & Fax preference pane (Figure 80). Page 175 FIGURE 80 The Print & Fax preference pane lets you add and manage printers. 2. Click the button. 3. Select the printer from the list that appears in the Default view (Figure 81). FIGURE 81 A new utility to add printers is launched from within the Print & Fax preference pane. Shared printers show up in the Default view. 4. Click Add. 5. Optionally, choose that printer from the Default Printer list to make it appears as the choice whenever you print. Page 176 Accessing Shared Disks (p. 127) Apple seems to have abandoned the AirPort Disk Utility (p. 128–130), part of the initial package of software that was installed with AirPort Utility, for managing disks mounted via an AirPort Extreme Base Station. Instead, Leopard manages the base station server and disks through the Finder, just like any other network volume. In any Finder window, you now see a list of servers in the new Shared category in the sidebar (Figure 82). This list shows any servers on the local network with AFP or Samba volumes available for mounting, as well as FTP servers that use Bonjour to advertise their availability. FIGURE 82 The Shared section of the sidebar shows available servers. If you select a server and enter its password, volumes appear at the right. The “Connected as” banner at the top shows the user name you’re connected as. Click Disconnect to unmount all volumes for the selected server. To mount a volume from one of these servers, follow these steps: 1. Select the server name under Shared in the sidebar. 2. Now: • To connect as a Guest user, you needn’t do anything for this step. Leopard automatically tries to connect using the Guest login, and it then shows any volumes that can be mounted in that fashion. Page 177 • To use a named account, click the Connect As button in the upper right and enter your credentials. Leopard is clever enough that for AirPort Extreme and Time Capsule shared drives that use just a password for access—no user accounts being defined—to prompt you just for that password. 3. Double click a volume that’s shown in the mounted server window to mount it on your system. By default, Leopard doesn’t show a mounted server on the actual Desktop as an icon. This can be confusing! To fix this oversight, follow these steps: 1. Choose Finder > Preferences 2. Click General. 3. Under “Show these items on the Desktop,” check Connected Servers. Interference robust enough (p. 148) The setting for Interference Robustness, a way to improve reception for a wonky AirPort connection, is no longer available in Leopard. This setting can still be set for 2.4 GHz networks via AirPort Utility for AirPort Extreme, AirPort Express, and Time Capsule, but it’s gone from Mac OS X. We were never sure if it helped much, anyway! Software Base Station (p. 158–160) Much to everyone’s chagrin, Apple just moved the location of its software base station controls; they didn’t improve those controls at all. Instead of being found in the Sharing preference pane’s Internet view, which no longer exists, network sharing is a service listed in the Sharing preference pane. Open the pane and click Internet Sharing to see the option. If you choose AirPort from the Share Connect from pop-up menu, you can then click the AirPort Options button to set the same choices as the last two releases of Mac OS X: 2.4 GHz only (despite 5 GHz networks being available, faster, and less in use), and WEP encryption only (despite WPA’s far superior quality). Page 178 ABOUT THIS BOOK In contrast to traditional print books, Take Control books offer clickable links, full-text searching, and free minor updates. We hope you find them both useful and enjoyable to read. About the Author Glenn Fleishman contributes regularly to Macworld, the New York Times, the Economist, Popular Science, and the Seattle Times. He’s the Macintosh columnist for the Seattle Times, and a contributing editor at TidBITS. Glenn spends much of his time writing about wireless networking. He co-wrote Take Control of Your Wi-Fi Security with Adam Engst, and he edits the daily Web log Wi-Fi Networking News (http://www.wifinetnews.com/) and five related wireless blogs. Glenn also appears weekly on KUOW-FM in Seattle to talk about technology (http://kuow.org/). He lives in Seattle in a bungalow with his wife and two sons. His oldest’s first word was “book,” not “Mac.” Acknowledgements The new edition of this book happened fast—Apple shipped the Extreme N, and I and the Take Control team was determined to get out a fully revised edition of the previous book—fast! I must thank Tonya Engst for her tireless and rapid work in editing; Adam Engst, a long-time friend, colleague, and collaborator, also deserves thanks for his role in fostering and perpetuating my work on Wi-Fi and AirPort. More thanks to Dan Frakes for his feedback and insight into early Extreme N troubles and fixes; the Take Control authors who have been fantastically supportive; and to a host of Take Page 179 Control pre-release technical reviewers, notably Criss Hyde, Chris Pepper, and Rich Wolfson. Thanks to Jeff Carlson for the use of his Apple TV screen photos. Thanks are also due to Apple Computer’s Teresa Brewer for her help in sorting out some early Extreme N quirks, and relaying my technical quibbles and bug reports to the AirPort team, notably Jai Chulani and John Richey. Great thanks go to my wife, Lynn, who accepted a few weeks of me sitting on a couch every night tapping away, while our second child gestated. Sure, I’m working, honey, sure! Thanks to Robert F. Unger for pointing us to the great tip on downloading older firmware releases for base stations. About the Publisher Publishers Adam and Tonya Engst have been creating Mac-related content since they started the online newsletter TidBITS, in 1990. In TidBITS, you can find the latest Macintosh news, plus read reviews, opinions, and more (http://www.tidbits.com/). Adam and Tonya are known in the Mac world as writers, editors, and speakers. They are also parents to Tristan, who thinks ebooks about clipper ships and castles would be cool. Production Credits Link-making AppleScript: Matt Neuburg List macros and leopard spots ( ): Sharon Zardetto Take Control logo: Jeff Tolbert Editor in Chief: Tonya Engst Publisher: Adam Engst Special thanks this time go to Amelia and Oliver Habicht, for helping with bicycles, and to Andrew and Monique Nielsen, for being fun and relaxing guests. Page 180 Take Control of Your 802.11n AirPort Extreme Network ISBN 1-933671-28-9 April 2008. Version 1.2 Copyright © 2008 Glenn Fleishman. All rights reserved. TidBITS Publishing Inc. 50 Hickory Road Ithaca, NY 14850 USA http://www.takecontrolbooks.com/ TAKE CONTROL books help readers regain a measure of control in an oftentimes out-ofcontrol universe. Take Control books also streamline the publication process so that information about quickly changing technical topics can be published while it’s still relevant and accurate. The electronic version of this book does not use copy protection because copy protection makes life harder for everyone. So we ask a favor of our readers. If you want to share your copy of this ebook with a friend, please do so as you would a physical book, meaning that if your friend uses it regularly, he or she should buy a copy. Your support makes it possible for future Take Control ebooks to hit the Internet long before you’d find the same info in a printed book. Plus, if you buy the ebook, you’re entitled to any free updates that become available. Although the author and TidBITS Publishing Inc. have made a reasonable effort to ensure the accuracy of the information herein, they assume no responsibility for errors or omissions. The information in this book is distributed “As Is,” without warranty of any kind. Neither TidBITS Publishing Inc. nor the author shall be liable to any person or entity for any special, indirect, incidental, or consequential damages, including without limitation lost revenues or lost profits, that may result (or that are alleged to result) from the use of these materials. In other words, use this information at your own risk. Many of the designations used to distinguish products and services are claimed as trademarks or service marks. Any trademarks, service marks, product names, or named features that appear in this title are assumed to be the property of their respective owners. All product names and services are used in an editorial fashion only, with no intention of infringement of the trademark. No such use, or the use of any trade name, is meant to convey endorsement or other affiliation with this title. This title is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple Inc. Because of the nature of this title, it uses terms that are trademarks or registered trademarks of Apple Inc.; to view a complete list of trademarks and registered trademarks of Apple Inc., visit http://www.apple.com/legal/ trademark/appletmlist.html. FEATURED TITLES Now that you’ve seen this book, you know the Take Control books have an easy-to-read layout, clickable links if you read online, and real-world info that puts you in control. Click any book below or visit our Web catalog to add to your Take Control collection! Take Control of Your Wi-Fi Security Take Control of Your Domain Names Take Control of Passwords in Mac OS X by Engst & Fleishman by Glenn Fleishman by Joe Kissell Learn how to keep intruders out of your wireless network and protect your sensitive communications! $10 Get expert help with registering, configuring, and managing your Internet domain names like a pro! $10 Create and manage strong passwords that keep your data safe without taxing your memory! $10 Take Control of Sharing Files in Leopard Take Control of Permissions in Leopard by Glenn Fleishman by Brian Tanaka Share files the smart way! Select the right hardware and software, configure your set up, and start sharing files. $10 Solve quirky problems, increase privacy, and share files better by managing Leopard permissions. $10 More Titles! Delve into even more topics, including: • Running your Mac— upgrading the OS, understanding accounts, syncing, backups, maintenance, fonts, and more. • Buying gear—Macs and cameras. • More topics—.Mac, Mail, iWeb, spam, podcasting, GarageBand, iPhone, and more. Exclusive coupon for Take Control readers! $5 off any Web order from Small Dog Electronics! Small Dog Electronics offers over 4000 Mac-compatible products, great prices, and famously superior customer service. We’re also a 100% Mac-based company. Every employee is a certiﬁed Apple Product Professional, who uses Macs at home as well as on the job. Small Dog Electronics has been part of the Mac community for more than 12 years. We’ve grown into one of the top Apple Specialists in the United States - and had great time doing it. Visit Smalldog.com and save $5 on any web order with this coupon! Small Dog Electronics Always by your side. www.smalldog.com 800-511-MACS Redeem your coupon on-line at www.smalldog.com. Limited to one use per customer. Enter coupon # bone80317339 at check out.