My replacement DSL Modem/Router/WAP arrived yesterday. Actually it arrived Friday but I wasn’t home so I didn’t get it until Saturday. I received the 2Wire 2701HG-B Gateway and ordered it directly from AT&T (my DSL provider). It contains the ADSL2+ broadband interface, four 10/100 Ethernet ports and 802.11b/g wireless support. My previous post discusses why I needed a new gateway.
Setup was a breeze even though I kept waiting for a problem to pop up. I had expected to just go to a web interface and be able to configure it but it doesn’t work that way. Going to the standard 192.168.1.1 IP address or the URL I used on my previous 2Wire didn’t result in any page display.
Finally I decided to follow the directions to the letter and instead of using Firefox I used Safari (which is listed as supported along with IE). I fired up Safari and instead of trying to get to the router I just clicked the bookmark to go to Apple (I clicked the bookmark because it appeared the instructions assumed the homepage was set to an Internet page, unlike mine, which is set to be blank). Lo and behold, I was redirected by the router to a setup routine. A compressed disk image was downloaded to my Mac and the message was to run the contents. So I did that and from that point on it was fairly simple.
Running setup in the download begins a wizard. The first thing it does is prompt me to enter an admin password and pick a lost password hint. I like the fact that there’s no standard admin password for the 2Wire gateways. Then I have to agree to a member agreement.
At this point the install asks if I already have an existing account or if I need to create one. Existing accounts are limited to their domains. Since I already have one I enter it and the setup branches and treats me like a returning user. Then I’m asked to enter the phone number I have DSL on. The rest of the install is fairly straightforward requests for information. In my case the info is pre-filled since it was already provided in the past.
Once the setup was finished I had to customize and secure the gateway for my use.
Configuration and Security
Because I had an existing wireless network it’s easier for me to change the WAP so it appears as the old network and I don’t have to change my PCs and Tivo.
Network Name: Vendors vary, but if you’re using 2Wire the wireless settings are under Home Network -> Wireless Settings. (All wireless settings I mention are on this page.) I change the network name to match what my old network name was. 2Wire gateways default to a name of 2WIREXXX where XXX is the last 3 digits of the gateway’s serial number. It can be changed to anything.
Turn off SSID Broadcast: It’s not really a security setting but I don’t see any reason to broadcast the network name.
Wireless Network Security: The gateway arrived with WEP enabled and a unique WEP encryption key printed on the serial number label. WEP has always had security issues and was recently shown to be crackable within a minute or two. It’s pretty much like padlocking a screen door. It tells people you want them to stay away but anyone who wants to get in can do so with minimal effort. I change the configuration to use WPA-PSK and enter in my encryption key. WPA2-PSK has more security features but not all my devices support it.
On the subject of encryption keys, I use a 64 character key generated at the Perfect Password Generator at GRC.COM. I generated a set of keys and saved them to a file. I can then carry the file from PC to PC via USB thumb drive and paste it in. Keeping it in a file isn’t a huge risk. Someone already has to be on my network to get it, plus there’s no indication in the file what it’s used for.
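How a WPA-PSK device treats what gets pasted into the key field, as an added example (not part of the original post or of any 2Wire or GRC code): exactly 64 hex characters are used directly as the 256-bit key, while 8 to 63 printable characters are a passphrase that is stretched with PBKDF2-HMAC-SHA1 using the network name as the salt. The function names are made up for this sketch, and the keys are generated locally with Python's `secrets` module.

```python
import hashlib
import secrets
import string

HEX_DIGITS = set(string.hexdigits)

def new_raw_psk() -> str:
    """Random 256-bit pre-shared key written as 64 hex characters."""
    return secrets.token_hex(32)

def new_passphrase(length: int = 63) -> str:
    """Random letters-and-digits passphrase; WPA allows 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def classify_key(key: str) -> str:
    """Tell how the text typed into a WPA-PSK key field will be interpreted."""
    if len(key) == 64 and all(c in HEX_DIGITS for c in key):
        return "raw-psk"        # used as the key itself, independent of the SSID
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"     # stretched into a key, salted with the SSID
    return "invalid"            # e.g. 64 characters that are not all hex

def psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Key derived from a passphrase: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if classify_key(passphrase) != "passphrase":
        raise ValueError("not a valid WPA passphrase")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()

if __name__ == "__main__":
    print("raw key   :", new_raw_psk())
    phrase = new_passphrase()
    # "2WIRE123" is a constructed network name in the default 2WIREXXX pattern.
    print("passphrase:", phrase)
    print("derived   :", psk_from_passphrase(phrase, "2WIRE123"))
```

Because the network name is the salt, the same passphrase gives a different key under a different network name; a 64 hex character key is unaffected by renaming the network.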
Misc Settings: I set the mode to 802.11g only and bump the power level to 10 (one of my Macs is far away and through several walls).
Stealth Mode: Technically stealth mode violates some RFCs that state devices should respond to all requests. Stealth mode tells the router not to respond to any unsolicited requests and is recommended for security reasons. If the router is scanned it won’t respond. If it were to respond and the query was from a hacker it might allow the hacker to exploit a vulnerability on that port. At the very least it lets them know there’s a device there and they may dig deeper looking for an exploit. On the 2Wire this is available through Firewall -> Advanced Settings. I enable “Stealth Mode” and “Block Ping”.
To check the stealth of your router you can head back to grc.com, scroll down and click through to the Shields Up page. This will scan your IP and let you know if it’s visible on the Internet.
Then it was time to connect my Mac Mini and other devices. My Tivo established a connection on its own and I didn’t need to do anything. By the time I checked, it had already downloaded a programming update. My Mac Mini didn’t connect even though it says it saw the wireless network. I went into “troubleshoot” and several screens in, just before it wanted to change settings, the network popped up and I connected.
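What "not responding" looks like from the outside, as an added example (not from the original post and not how Shields Up itself is implemented): a port that answers with a reset is closed but still shows a device is there, while a stealthed port simply times out. The function names are made up for this sketch, and the address is a constructed placeholder; the check only means something when run against your own WAN address from a machine outside your network.

```python
import socket

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port as seen from the connecting side."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"           # a reset came back: no service, but the device answered
    except socket.timeout:
        return "stealth"          # nothing came back before the timeout
    except OSError:
        return "unreachable"      # e.g. no route to host; says nothing about the port

def visibility(states: dict) -> str:
    """Reduce per-port results to what an outside scanner learns about the address."""
    found = set(states.values())
    if "open" in found:
        return "visible, with listening services"
    if "closed" in found:
        return "visible, no listening services"
    if found == {"stealth"}:
        return "silent on every probed port"
    return "inconclusive"

if __name__ == "__main__":
    # Constructed placeholder from the documentation address range; replace it
    # with your own WAN address and run from outside your network.
    wan_address = "203.0.113.10"
    ports = [22, 23, 80, 443]
    states = {p: probe_tcp(wan_address, p) for p in ports}
    for port, state in states.items():
        print(f"{port:>5}  {state}")
    print(visibility(states))
```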
As much as I hate to say nice things about AT&T I have to in this case. Charging $13.50 for shipping brought the price up a little higher than if I had bought a similar item locally. The product price of $80 was comparable to what’s available from local brick and mortar stores. I consider it a small price to pay to be able to lay any connectivity problems at AT&T’s doorstep without them being able to point to a third party gateway. I ordered late Wednesday night and it arrived Friday. The kit included everything needed including cables, a DSL/phone splitter and four phone filters. My only complaint is that unlike most online stores these days there wasn’t any shipment notification email so I didn’t know to expect delivery or have a tracking number.
The intelligent setup wizard makes me nervous. In this case it worked fine and shows why they are good choices in many cases. But if something goes wrong (and nothing did go wrong here) my experience has been that they’re harder to recover from.
The web interface for the gateway seems to have lost the option to view the traffic over the WAN (DSL) connection and I’m not happy to see it go. I’ll have to do some research to see if the option is moved, hidden or really gone. It’s an option I frequently used.
It’s been well over two years since I’ve set up a new gateway/router from another vendor so they may have updated their defaults. But my experience is that 2Wire was the first gateway/router I’ve seen that tries to default to some security. This was true with my first 2Wire over a year ago. They don’t use a default admin password and they do implement WEP with a unique encryption key (although WEP is not the best choice, there are devices which may not be compatible with WPA).