Metis.fi - Page 3 of 4 - ICT Training and Consulting

What are WiFi DFS frequencies and should I care?

The regulatory bodies are now strict about DFS requirements on WiFi access points. This applies to both new devices and updates to old ones. A simple firmware update may cause a lengthy delay before the network is operable.

The 5 GHz band had been in use for aviation and weather radars before it was opened for WiFi use. There are still old radars all over the place and WiFi access points mustn’t interfere with them. If an access point detects a radar signal, it must change its channel, which usually breaks connections to its clients.

This mechanism is known as Dynamic Frequency Selection or DFS. When an access point starts up it must quietly listen on the channel for at least a minute before transmitting. Weather radars will continue to use channels 120–128 and on those channels the silent wait time is 10 minutes.

During use access points must keep looking for radar type signals and must automatically switch channel accordingly. After detecting a radar the access point mustn’t return to the channel for 30 minutes, even though the detected radar signal might have come from a helicopter flying by. Only the four lowest channels 36–48 (U-NII-1) and the highest odd channels 149–165 (U-NII-3) don’t require DFS.

These rules are old but they weren’t enforced for a long time. Now both European and U.S. authorities have changed their approach. The manufacturers have to abide by these rules or their products cannot be sold in these markets. This applies to both new devices and also to updates to old equipment.

How Does DFS effect WiFI?

The delay at startup has caused many panics among network administrators already. After a simple firmware update the WiFI wouldn’t appear on the air immediately, but after a delay. The 10 minute delay is long enough for panicked administrators to reboot all devices multiple times and change cables.

The first DFS implementations tended to be too sensitive and would classify all kinds of signals as radar, even though they weren’t. This caused unexplainable interruptions in the WiFi network. Fortunately these have been mostly solved by now.

One solution is to use only DFS free channels. All devices don’t support the high U-NII-3 channels so this leaves us the lower channels from 36 to 48. In a quiet radio environment you can build your network on those channels. They tend to be crowded however, since every administrator wants to use them.

Because many administrators avoid the DFS channels, they are often unoccupied! Knowing the limitations brought by DFS you can still make use of them and get interference free coverage. In practice the access points don’t restart that often so the one minute delay isn’t really a problem. There aren’t tools available to detect radars nearby, but a one week test run is usually enough to see if DFS will cause problems on your network. There might be some occasional hiccups, but the client devices should reconnect on the new channel within 10 seconds without any manual intervention.

How to set up Ubiquiti UniFi WiFi access points with an iOS device (iPhone or iPad) in 5 minutes

If you have a very small deployment, you don’t need to set up a UniFi Controller at all. You can get by just using the iOS mobile app.

Ubiquiti has published the free UniFi.app on AppStore to manage UniFi access points. You can use it as the only means of deployment as well, but there are a few caveats. During deployment the initial connection poses the biggest challenge, since you can only work wirelessly with iOS devices. In other words: you need to connect to the WiFi in order to create it! A classical chicken-egg-problem!

The default network and password built into UniFi access points is a meaningless string of characters and numbers. On the back of each device is a QR code that needs to be scanned and decoded with the app to connect to the access point. Once you are connected the configuration is fairly straightforward. At least until you change the name of the network to something meaningful, because you are immediately disconnected… Then you just need to reconnect to the new network you just created.

On the video below these steps are shown for a two access point network. It was shot on an iPhone 5 (the smallest screen supported) just to show it is possible. With an iPad you have more screen estate to work with.

Steps:

To begin with: both access points are connected to the Ethenet network and are glowing a steady white light.

Scan the credentials for the default network
Join to the default network in iOS Settings > Wi-Fi
Set up the administrative account and country in the general settings
Configure both 2.4 GHz and 5 GHz networks on each access point: name of the network, WPA2 Personal Security and a security key (a.k.a. password)
(Since the name and password for the network changes when you configure the first access point, you need to join again to the new network at that point.)

At this point the HomeNet WiFi network is active and both access points are glowing a steady blue light.

(The UniFi.app is in English, but the iPhone user interface is in Finnish. You should still be able recognize the Wi-Fi settings anyhow. My bad – apologies)

I cannot recommend UniFi.app except for the smallest of deployments. Every access point needs to be configured separately. This is error prone and time consuming if the network is any larger. There are also very few options to configure. The access points are capable of much more. For example you cannot create multiple networks, just one per band. It is almost always better to install UniFi Controller on a workstation or a server.

How to use passwords securely

Improve your password security with this password management method – for free

Everyone knows, that passwords should be long, complex, nonsense and so forth. The problem is, such passwords are impossible to remember, especially when you need a lot of them and they need to be changed periodically. That’s why most users use the same password for all services. However, that is the worst solution. It would be more secure to write down all different passwords in your notebook. If there is a leak in one service, the hackers will try the same usernames and passwords in Facebook, GMail, Twitter etc. Usually they succeed in many cases. Then the hackers can expand the identity theft and perhaps convince your friends to step into a trap.

How should you do it?

Make up a permanent password

Make up a password that contains upper and lower case letters and a few special character and number. Start with a simple word with at least six characters, let’s say garage. Replace the r with a 4 to get ga4age for example. Replace the last e with # to get ga4ag#. Capitalize all the vowels to get gA4Ag#. That is starting to look like a proper password. Try to type it on the keyboard. Is it easy enough to type or should you change something? In the best case you should use keys alternatively from both ends of the keyboard, because that way it is faster to type with two hands. In that sense gA4Ag# is not the best choice, but will do as an example here. Avoid characters that are special to your locale. For example ü or ß would appear on every German keyboard, but may be hard to find elsewhere. Avoid also currency symbols like $, £ or €. You may one day need to type your password in a Asian internet cafe. Don’t worry about remembering this password. You will learn it by heart because you will use it everywhere and it will not change.

Make up a word for every service you use

Associate a word for every service. For example workplace account could be payday, frequent flyer account airport, pet forum doggies, email letters etc. Don’t choose the shortest words. Even better if you can come up with more personal associations. Like if you love to fly to beach resorts for vacations, use beaches for the frequent flyer account. Write down the names of the services and the associated words. You can use paper or a notebook, but even better is a file in DropBox, OneDrive, GMail or such (but then you must remember that password!) If this list leaks out, it is of no use without the permanent part and the formula.

Invent a formula to combine the two

Make up an algorithm to combine these. For example two characters from the service word, then the permanent password and the rest of the service word. That would make gA4Ag# + beaches = begA4Ag#aches. Or two characters from each, then the rest or begAaches4Ag#. However you do it, make sure your method splits the service word into at least two sections. You can also use first or last syllables instead of a character count.

These passwords are safe from both dictionary and brute force attacks. They won’t exist in any dictionary and are long enough to defend against systematically trying all character combinations. If you need to renew the password you only need to come up with a new word for the service. There is no need to ever change the permanent password or formula as long as they are kept secret. That’s why you mustn’t write them down!

Deployment

This is how far you can get as a mental excercise only. To actually deploy this takes some effort. You need to log on to every service and update your password. You only need to do this once, but it will take an afternoon or so. We all have quite a few accounts to manage. Start with the service you use most: workplace account, AppleID, Facebook, GMail… You will later come across services you didn’t remember, but always change the password to the new system as you log on.

Here is an Excel spreadsheet where you can try the different password rules described: [Download]

Weather radars in Finland

Don’t use the same WiFi channel as the closest weather radar!

European weather radars use frequencies between 5,60 and 5,65 GHz. In WiFi parlance it means channels 120, 124 and 128. If a WiFi device detects a radar signal it will either change channel or go silent for a half an hour. Either way the connection will be dropped. Your safest bet is to avoid these channels. On the other hand, there are just ten weather radars in Finland and they are pretty far apart. Do you need to avoid a channel in use in Utajärvi if you are in Helsinki? No. Usually it suffices to avoid the frequency used by the nearest radar.

Don’t be surprised when the WiFi doesn’t appear immediately. New and recently upgraded access points will listen for ten minutes for radar signals on these channels. This doesn’t sound good, but on the other hand these channels have least traffic for the very same reason.

Here is the current (3/2017) list of frequencies:

Name	Established	Position (WGS84)	Height (AMSL)	Frequency (MHz)	WiFi Channel
Anjalankoski	1994	60.9039N 27.1081E	139 m	5638	128
Ikaalinen	1994	61.7673 N 23.0764E	153 m	5644	128
Kesälahti	2014	61.9070N 29.7977E	174 m	5610	124
Korppoo	1997	60.1285N 21.6434E	61 m	5620	124
Kuopio	1995	62.8626N 27.3815E	268 m	5615	124
Luosto	2000	67.1391N 26.8969E	533 m	5618	124
Petäjävesi	2015	62.3045N 25.4401E	271 m	5628	124
Utajärvi	1997	64.7749N 26.3189E	118 m	5608	120
Vantaa	1994	60.2706N 24.8690E	82 m	5649	128
Vimpeli	2005	63.1048N 23.8209E	200 m	5639	128

This is an example of radar interference. The narrow, straight patch of ”rain” between Helsinki and Tallinn is a caused by a transmitter on channel 128. The transmitter is either in Tallinn or on the sea, because the the beam is so narrow. A transmitter closer by would cause a wider sector of interference.

Alright, it’s 802.11 but what are the characters? (a, b, g, n, ac)

What are 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac?

Originally WiFi or 802.11 was designed for barcode scanners. In a warehouse cords were inpractical, so going cordless was logical. Bandwidth requirements were very modest, so speed was not a primary design objective. This is the basis for all enterprise wireless networks of today providing videoconferencing and high speed database connections. The change has been gradual:

	Max speed / radio	Frequency (GHz)	Year
802.11	2 Mbps	2,4	1997
802.11a	54 Mbps	5	1999
802.11b	11 Mbps	2,4	1999
802.11g	54 Mbps	2,4	2003
802.11n	150 Mbps	2,4 & 5	2009
802.11ac	867 Mbps	5	2013
802.11ax	?	?	(2019)

The first redesign was 802.11a. It offered increased speed, but used the new 5 GHz band. 5 GHz radios were expensive and A never really took off. It was B, that used the 2,4 GHz band that really created the market. G brought the speeds of A to the less expensive 2,4 GHz band. N added even more speed and N was defined for both bands. 5 GHz radios were still more expensive, so cheaper devices and access points only had 2,4 GHz radios. The latest is AC, which is only defined for 5 GHz, but in practice all devices and access points are compatible with older standards (so they support also 2,4 GHz).

Isn't the maximum speed of 802.11n 600 Mbps? Yes, it is. N introduced MIMO (Multiple Input, Multiple Output) radios that could use multiple connections (four at max.) 4 x 150 Mbps is 600 Mbps. In AC there can be 8 radios that can connect to multiple clients at the same time (MU-MIMO or Multi-User MIMO). In practice mobile phones have a single radio, tablets may have two and laptops four. Each radio eats up batteries (and also adds to the manufacturing cost).

Why doesn't my device ever report these maximum speeds? In N it was possible to bond two 20 MHz channels to create a 40 MHz channel, which can transfer over twice the data. The maximum speeds are calculated using these wide channels. In AC the maximum is eight channels or 160 MHz channel width. The channel width is set at the access point, so if the access point is only using the default single channel then the speed will be limited to that. The 2,4 GHz band has so few channels that channel bonding is practical only in the 5 GHz band.

WLAN, Wi-Fi, WiFi or 802.11 – what’s the difference?

They all mean the same thing

In Europe the acronym WLAN is widely used. It stands for Wireless LAN or Wireless Local Are Network. WLAN is not a trademark, so it can be used freely. On the other hand, it is easily confused with VLAN or Virtual LAN. VLAN is a wired LAN technology that can be used to separate traffic in the wired network.

Wi-Fi is a trademark owned by Wi-Fi Alliance. Wi-Fi Alliance defines standards and tests for interoperability between Wi-Fi products. Certified products will connect with each other. In practice all products are certified by Wi-Fi Alliance, although it does not have any official status. The term Wi-Fi is in wide use in the Americas, although the dash has started to disappear: WiFi.

802.11 is a technical standard for wireless networks defined by IEEE or Institute of Electrical and Electronics Engineers. After the original 802.11 there have been addendums and extensions, that have a character as a name: a, b etc. After z the naming was continued with aa, ab, ac, ad etc.

How secure is your WiFi?

Do you have a shared password to the WiFi network? When was it last changed? Hasn’t anyone left the company since?

At first WiFi networks were unsecured. However, radio waves penetrate through walls, so eavesdropping is very simple even from a distance – encryption was required. The first method was Wired Equivalent Privacy or WEP. WEP was weak from the first day on, but yet the breaking of WEP caught the industry pants down. A new method was needed fast – WPA or Wi-Fi Protected Access was created, also known as TKIP. WPA was improved upon and today WPA2 is the preferred choice. WPA2 is fast and presently a trusted method for securing WiFi traffic.

There are two flavors of WPA2: Personal and Enterprise. In Personal there is one, shared password for the whole network. Anyone who knows the password can join the network and listen on the traffic. WPA2 Personal is good for personal and home use, why not for a small office as well. In business use people come and go, though, and the password should be changed every time anyone leaves the company. Nobody should have access to the company network after leaving or being laid off. Still, WPA2 Personal is the most common way of securing WiFi networks.

WPA2 Enterprise requires that every user has a username and a password. This is the case in Windows Active Directory (AD). You can install Network Policy Server role (NPS) to a Windows Server to provide RADIUS service to the access points (AP). The APs will verify each user’s name and password with the RADIUS server (e.g. NPS) before allowing the user to access the network. By removing or disabling a user account in the AD you can deny access to the WiFi network as well. There is no need for additional equipment or software. In practice all APs support WPA2 Enterprise and the NPS role can be installed on AD Domain Controllers (DC).

WPA3 is the latest Wi-Fi Protected Access

How can a single user cripple the WiFi network?

..and what is Airtime Fairness?

Wireless network is a shared media, where only a singe device can transmit at a time. Every device must wait for its turn and gets to transmit eventually. The problem is that the transmit speed depends on signal quality: distance and interference. Close to the access points the transmit speed can be hundreds of megabits per second, while at the edge of the network it is one megabit per second. Users have typically have quite similar needs for data transfer, it is just that some user’s bits are transferred more quickly than other’s. That is, when the device at the network’s edge gets its turn, it will use several hunded times more time – while everyone else waits. One device can use 90% of the time capacity of the network, even though the amount of data is the same. The problem has grown worse over time, because WiFi speeds have increased, but all legacy devices and speeds are still supported.

Equipment vendors have a simple solution to sell: Airtime Fairness or ATF, which is found in many systems. ATF means that the access point will transmit packets to slower devices less often. It used to be that all devices were treated equally, but in ATF the speed of the device affects who gets the turn. Older devices (using older standards) and devices further away from the access point will get even slower service, while the total throughput of the network does increase.

The access point cannot control how devices transmit. All devices compete for sending on an equal basis, but the access point will favour the faster clients when responding. Often the traffic is biased on downloads and that’s when ATF can improve the throughput.

Airtime Fairness is a good solution for intermittent problems, but it is still better to design the network so that all users are covered. Adding access points where needed will guarantee all users with a fast connection. Airtime Fairness can cover up design flaws up to a point, but it cannot fix them.

Add a Topic page to WordPress

Do you want to have an introduction to a category of posts (or by a tag). Add a page template to your theme for topic pages.

All the articles in this site are categorized. The menus are based on these categories, but there is a topic page to introduce each category. After the introduction there is a list of all articles in the category (the featured image, title and excerpt). This kind of topic page template is not typically included in WordPress themes, but you can roll your own.

Automation is the way to ease administraton. In this code example the page slug automatically determines the category of the posts displayed. E.g. if the page slug is "wordpress" then all posts in "wordpress" category are displayed at the end of the page (to be precise, the category slug is "wordpress"). You can also make such a topic page template for keywords.

Copy page.php to topic.php. If there is no page.php in your theme, copy it from the parent theme. Add Template Name to the comments at the top:

/**
 * The template for displaying topic pages
 *
Template Name: Topic
 *
 */

Towards the end of topic.php, but inside of the main <div> (or <main> element, if there is one), add:

<?php
$args = array( 
    'category_name' => get_post_field( 'post_name' ),
    'numberposts' => -1,     // All posts
    'orderby' => 'title',    // Alphabetically
    'order' => 'ASC'         // From A to Z
);
$topicposts = get_posts( $args );

foreach ( $topicposts as $post ) {
    setup_postdata( $post );
    ?>
    <article id="post-<?php the_ID(); ?>" <?php post_class(); ?>>
    <?php if ( has_post_thumbnail() ) { the_post_thumbnail('thumbnail'); } ?>
    <header class="entry-header listing">
        <a href="<?php the_permalink(); ?>">
            <?php the_title( sprintf( '<h3>', '</h3>' )); ?>
        </a>
    </header><!-- .entry-header -->
    <?php the_excerpt(); ?>
    </article><!-- #post-## -->
<?php    
}
wp_reset_postdata();
?>

There is one caveat: There are <?php and ?> at the beginning and end of the code. They are needed if the code is inserted inside of HTML code, but should be removed if inserted inside PHP code.

The $args at the beginning defines the posts to be displayed. The most important is the first one, where category_name field gets the value of the current page slug. If you want to use keywords instead, use 'tag' => get_post_field( 'post_name' ). The other fields control the count and ordering of the posts. Removing those lines would get you the defaults (5 articles at a time, ordered by time published, newest first).

To use:

Create a new page and use page template Topic
Type in the introduction you want
Use the same value for the page slug as the slug for the category (or tag)

Polylang language menu

How to create the language menu in the upper right corner using WordPress and Polylang?

This is a bilingual site: Finnish and English. There are multiple language plugins for WordPress and this site uses Polylang. Polylang is very nice and useful, but lacks the menu type so common in Finland: Finnish | Swedish | English. Writing a standalone plugin for such a menu turned out to be complicated, so this article will guide you to create it by hand.

The language menu requires changes to the theme. The best starting point is to create a child theme and there are multiple guides available to do that. When you have a child theme, add this to the style.css file:

/* Languages horizontally */ 
#language ul { margin: 0; padding: 0; } 
li.lang-item { list-style-type: none; display: inline; } 
li.lang-item:before { content: " | "; } 
li.lang-item:first-child:before { content: none; }

The functions.php file in the theme needs a definition for a new widget area:

register_sidebar( array(
        'name'          => 'Language',
        'id'            => 'language',
        'description'   => 'Polylang switcher area.',
        'before_widget' => '<div id="language">',
        'after_widget'  => '</div>'
) );

You need to add the widget area defined above to the header.php in the spot of your choice:

<aside id="language-nav" role="navigation">
    <?php dynamic_sidebar( 'language' ); ?>
</aside><!-- .language-nav-widgets -->

Finally add Language Switcher widget to Language widget are in WordPress Dashboard.

You can align the widget area to the right by adding for example this code to the style.css:

aside#language-nav {
  text-align: right;
  margin-left: auto;
}