/* BeejBløg */

Jul 9, 2011 - 4 minute read - Comments -

Configuring a Windows 7 PC as a WiFi Router

Update 2011-07-11: Primary WiFi client user ran into dismal buffering on video streaming… that’s primary usage scenario so PC as a Router is a NO-GO.  I loaded DD-WRT (following the wiki guide) and it’s working much better… should have done that in the first place, thanks bro! :)  (read something about a port forwarding bug in the standard build and went with the recommend VPN build) I finally gave up on my piece of sh_t Linksys WRT310N as a viable router… I can’t believe those guys can sell such crap… even on the latest firmware (09/09/2010 v1.0.10 build 2) it would crash and crash… I tried mixed mode, G only & N only and whenever it would have to do any significant WiFi traffic at all, it would fail… just absolute junk… amazing there’s even a market for those bricks… plus the HTTP menus were pathetically slow when you’d click around. To be fair, it is a “v1” hardware model and apparently there is a v2 out there going by the Linksys firmware downloads page. (My serial #: CSF01HB0919) Since my mobo has a built in WiFi NIC, I decided to see how hard it would be to just use what I already have rather than dinking around with finding another router that would actually work. As with anything, there are pros and cons… here’s a few off the top of my head:

  • PRO: you gain quite a bit of control leveraging less overall equipment (software firewalls are generally much more robust than a consumer router)
  • CON: you have to have your central PC powered up for any household WiFi action… in our case that seems inherently ok… wifey can hop on the central PC if I’m not using it… and if I am, then WiFi is available.

Bottom line, this works and covers all my bases so far:

Windows 7 as a Wireless Access Point
  • one time: netsh wlan set hostednetwork mode=allow ssid=XYZ key=PDQ keyUsage=persistent
  • after every reboot: netsh wlan start hostednetwork
ICS – Internet Connection Sharing Snap7
DynDNS update client The DynDNS update feature is common to all routers… it’s nice that such a simple app alternative plugs this hole so I can keep on rocking my personal domain (I host all our photos directly from my home PC via zenPhoto).
Firewall settings Since I’m plugged into a cable modem now, my PC is basically swinging directly out on the net so a software firewall is much more important now than before when I’d be more safely behind the NAT barrier of the router. 

I use the 100% free Comodo Internet Security… the UI is clean, e.g. one can resize it’s data grid based screens to view full detail (yes I’m talking about you BitDefender 2010!), I’ve never seen it jack CPU, and it provides a good mix between wizard style prompting and completely granular manual editing of the low level firewall rules.

Firewall configs are always “fun”… What worked for me just now was to select “Stealth Ports Wizard” and choose the “Alert me to incoming connections and make my ports stealth on a per-case basis” option.

*PLUS* the following individual rules under Firewall > Network Security Policy > …
(don’t forget to move them to the top so that they override any other block rules in the same bundle)

  • Application Rule on C:WindowsSystem32svchost.exe
    • For external HTTP/FTP hosting: Allow TCP Or UDP In/Out From MAC Any To BeejQuad Where Source Port Is Any And Destination Port Is In [HTTP/FTP Ports (21,80,443)]
    • For ICS client DNS “passthrough”: Allow And Log TCP Or UDP Out From In/Out [WiFi Home Access Point] To MAC Any Where Source Port Is Any And Destination Port Is In [DNS Ports (53)]
      • (interesting, normal pings would resolve fine with simple *in* enabled, but an SSL web site from the ICS client required *out* enabled as well, the firewall logs also showed a blocked packet coming from an external ip on port 53 to my central PC on a random port, but that didn’t seem to hurt… maybe my network buddy can explain this stuff)
  • Global rule
    • For ICS client Ping/ICMP support: Allow ICMP In/Out From In [WiFi Home Access Point] To MAC Any Where ICMP Message Is Any

I use Gibson Research’s “Shields Up!” (GRSU) online port scanner to check whether I’ve made any progress…

Interestingly, Comodo immediately prompted me for port 80 when GRSU scanned, but I had to use the above Stealth Ports selection to allow my port 21 rule to take effect.

Tags: Networking

Grand Mal Mocha 2011 Q4 .Net State of the Union

comments powered by Disqus