Extending and securing your wireless network. Part 2 of 2

In the previous article we discussed the basics of wireless networking and now we will build on that and talk about how to extend the range and secure your wireless network.

Extending range

There are four basic ways to extend a wireless network: increase power, increase antenna efficiency, relocate the antenna, and install range extenders.

We have already discussed the first two options so we will start with relocating the antenna. Since most installations will be a single device which contains the radio and antenna we are really talking about relocating the WAP.

You may think that centrally locating the WAP between all members provides the best coverage for a given area, and most of the time you would be right. Unfortunately there are many circumstances where range is affected by walls, appliances, plumbing or simply weaker client devices, and the WAP should be moved off center to allow for these issues.

Many technicians subscribe to the even coverage theory and use a simple app such as Wifi Analyzer for Android devices or Acrylic Wifi for Windows to ensure that every point in the coverage area has adequate signal strength. This unfortunately does not take into consideration the devices used in that area, some of which may have more or less capabilities than devices in other areas. This often results in less than satisfactory coverage even with excellent equipment.

Acrylic WIFI Home – Excellent free wireless diagnostic software

The best method is to use wifi diagnostic software actually installed on the devices so that you can gain adequate signal strength for the devices you will be using in the areas you need them.

Wifi Analyzer for Android

Range extenders are devices that listen for a wireless signal from your WAP and then turn around and rebroadcast the signal. The theory is that you can place one of these half way between your WAP and the device to effectively double the range of your WAP. You could also chain these to make much larger areas of coverage.

The problem with the range extenders is that I have yet to find any that actually work well and reliably. I have installed models from many different manufacturers and even some that use the electrical wiring in your home to provide a sort of wired networking between the modules and then each module providing a separate WAP.

If simply relocating the WAP or its antenna cannot provide acceptable coverage in the areas where you need it, then it may be time to consider a more powerful WAP or better antenna as we have already discussed.

TP-Link 8dbi replacement antenna

If you are using a standard home WAP such as the one built into your router then you are already at a disadvantage as these are built more for economy and ease of installation than power. The first thing I normally suggest is that someone try a lower end commercial grade WAP and see what that does. I prefer the Engenius models such as the 350 for most installations as they have plenty of power, reasonable antenna for their size and are very reliable.

The Engenius 350 runs at only 2.4 GHz and uses 802.11b/g/n. This allows for maximum compatibility with virtually any wireless device ever made. It is also extremely capable and reliable. In fact, other than lightning damage I have never had a customer need or want to replace one. The only downside is the maximum data transfer rate of 150Mb/sec, which makes it unsuitable for large businesses needing data transfer capabilities or multiple HD video streams.

Engenius 350

You can move up the list of products available from Engenius to get models with faster data transfer speeds. Keep in mind that when you move up to devices with more capabilities and frequencies you might also wind up with overall worse performance, so check the power specs before you buy one.

Securing your network

There are numerous ways to increase the security of your wireless network including using a difficult password for access, restricting access to pre-approved devices only, hiding the network from devices, requiring static IP addresses and monitoring the network for unauthorized activity.

The first line of defense for any wireless network is always a password that is difficult for someone to guess. This does not mean the guy next to you guessing things like your dog’s name, but sophisticated computer programs running through every word in the dictionary in a few minutes, or sequentially running through every combination of letters and numbers.

You cannot completely stop these types of brute force attacks but you can make them very impractical to carry out. If your password is “password” typical password hacking programs can break it in a matter of seconds. If on the other hand your password is “je9^Cw311^!sO:>1gge&s#T!” then it could take years for them to guess. Remember that the wireless password is usually entered only once per device, so making it very difficult is not as big an inconvenience as you may initially think.

Today most routers and devices can do at least WPA-PSK security, which limits the maximum password length to 63 characters, sometimes limited to 62 by the hardware’s implementation. This is still more than enough to make a brute force crack attempt completely impractical. It would be far easier for someone to break into your home or business and put in their own hidden WAP than to crack your password.
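To put numbers on the difference between the two passwords above, here is an added example (not part of the original article) that generates a random passphrase within the WPA-PSK length limit and estimates the brute-force search space. The guess rate and all function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

WPA_MIN, WPA_MAX = 8, 63  # WPA-PSK passphrase length limits
# 94 printable ASCII symbols; space is left out to avoid copy/paste mistakes.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SECONDS_PER_YEAR = 365 * 24 * 3600

def generate_passphrase(length=WPA_MAX):
    """Random passphrase from the OS CSPRNG, within WPA-PSK limits."""
    if not WPA_MIN <= length <= WPA_MAX:
        raise ValueError(f"length must be {WPA_MIN}..{WPA_MAX}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def search_space_bits(passphrase):
    """Upper bound on guessing work: log2(pool ** length), where pool is
    the combined size of the character classes in use. Dictionary words
    fall far sooner than this bound suggests."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

ASSUMED_RATE = 1_000_000  # guesses per second; an assumption, not a benchmark

if __name__ == "__main__":
    for label, pw in [("weak", "password"),
                      ("article sample", "je9^Cw311^!sO:>1gge&s#T!"),
                      ("generated", generate_passphrase())]:
        bits = search_space_bits(pw)
        print(f"{label:15} {len(pw):2} chars  {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, ASSUMED_RATE):.3g} years")
```

The estimate is an upper bound for sequential guessing only; a dictionary word such as “password” is found on the first pass through a word list regardless of its length.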

You can also use a MAC address filter to restrict access to approved devices only. A MAC address is a hardware address that every network capable device has inside it. This is much like an IP address used with devices communicating on the internet, except in theory MAC addresses do not change. In reality they can be changed with ease using software or even in the operating system, such as in Windows 10. This makes MAC address filtering very ineffective as a way of keeping specific people out, but using it as an additional way to authenticate allowed users is still fairly effective.

In most WAPs there is a table where you can put in allowed MAC addresses and tell the device to refuse connection to any device that does not have a MAC address in this table. The MAC address for each device could be in different places, but a quick search on the internet for “iphone MAC address” or whatever your device is will show you how to find the MAC address for your specific device.

It is important to note that this should be used in conjunction with a strong password and not as a replacement. If someone has a particular type of software and/or device they can see the MAC addresses of all the devices connected to your network and then use this list in conjunction with a password hacker tool to gain access to your network.

The next method of protection involves hiding the SSID of the network. The SSID is the name of the wireless network you see when you look for available networks on your device. You typically click on or tap on the name of the network and then enter the password. If you hide the SSID this name will not appear in a list and so people will not know it is there.

Virtually all devices give you the ability to join a network that is not listed. On an iPhone for example you can tap “Other” under the list of available networks and then manually enter the SSID, security type and password. Just like MAC address filtering this should never be used as a replacement for other security measures as you can see the network with specialized tools and procedures. Even for people without these specialized tools (99% of the people out there do not have access to, or money for these tools) if they get physical access to any of your devices that are on the network it will clearly show the SSID of the network it is connected to, and/or a list of memorized connections including the one you are hiding.

Although not used much anymore, it is possible to set some WAP devices so that DHCP does not pass through to wireless clients. DHCP is how most portable devices, and many desktops as well, get their IP address (the address that everything needs to connect to and communicate with the internet) from a device or service so that they can operate on the network. By disallowing DHCP on a wireless network the devices cannot communicate even if they successfully connect to the wireless network unless they can guess a working and unused IP address, subnet mask and gateway address.

Even in cases where your WAP does not support this feature you could turn off all DHCP servers and manually assign static IP addresses to all devices on both wired and wireless networks. While this can be a pain it is something that you do once and it is done. If you keep a list of what addresses you have used then adding a new device takes an extra minute of your time. A small price to pay for additional security.

Just like the previous security methods this should never be used alone. Guessing the IP address scheme of a network is not extremely difficult by itself but when used in conjunction with other things it makes it quite difficult to overcome a multitude of defenses.

Think of it like a brick wall. If I put one brick in front of you on a sidewalk it is not difficult for you to step over or around it. If however I stack enough bricks and mortar them together I can build a wall that will take a lot of time and effort to get over, around or through. This is what we are aiming for.

The last method is monitoring your wireless network for unauthorized access. Most WAPs have this ability built right in where you can see what devices are connected. Some even have the ability to see how much traffic each device is sending/receiving. The traffic can be a very important clue as a large percentage of people gaining unauthorized access to wireless networks are there to download files they don’t want to get caught downloading or to pass web traffic they are hiding. This could be something as “innocent” as someone cheating on their spouse or as bad as child pornography or terrorism.

If you are using all the methods of security listed in this text then you should already have a list of all the MAC addresses of the devices that are allowed to connect to your network. Compare this list to the devices that are shown to be connected in the WAP and make a note of anything that is different.
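The comparison described above can be scripted once you have copied the client list out of the WAP. This is an added example, not part of the original article; the function names, the traffic threshold and the sample addresses are all constructed for illustration.

```python
import re

def normalize_mac(text):
    """Return aa:bb:cc:dd:ee:ff for colon, hyphen or dotted notation."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 0x02 of the first octet is set on software-assigned addresses,
    such as the randomized addresses phones and Windows 10 can use."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit_clients(allowed, connected, traffic_limit_mb):
    """Compare the WAP's client list with the approved list.
    Returns (mac, finding) tuples sorted by MAC."""
    approved = {normalize_mac(mac): name for mac, name in allowed.items()}
    findings = []
    for mac_text, megabytes in connected:
        mac = normalize_mac(mac_text)
        if mac not in approved:
            # A vendor-format address can still be spoofed; this is a hint only.
            kind = "software-assigned" if is_locally_administered(mac) else "vendor-format"
            findings.append((mac, f"not on approved list ({kind} address)"))
        elif megabytes > traffic_limit_mb:
            findings.append((mac, f"{approved[mac]}: {megabytes} MB exceeds limit"))
    return sorted(findings)

# Constructed sample data: approved devices as kept in your own records,
# written in the three notations different vendors display.
ALLOWED = {
    "00:00:5E:00:53:01": "office laptop",
    "00-00-5E-00-53-02": "front desk phone",
    "0000.5e00.5303": "printer",
}
# Constructed sample data: (MAC, megabytes transferred) as read from the WAP.
CONNECTED = [
    ("00:00:5e:00:53:01", 120),
    ("00:00:5e:00:53:02", 9800),
    ("00:00:5E:00:53:AF", 15),
    ("DA:A1:19:00:00:07", 4300),
]

if __name__ == "__main__":
    for mac, finding in audit_clients(ALLOWED, CONNECTED, traffic_limit_mb=5000):
        print(mac, "-", finding)
```

An approved device showing up under a software-assigned address usually means MAC randomization is turned on for that network on the device, so check that before treating it as an intruder.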

If you do have someone who gains access to your network, change the SSID and password to something substantially different. Do not just change the 1 on the end to a 2 or something as easy. Then put the MAC address of the intruder into the blacklist side of the MAC address filter, banning that device from connecting. Sure, they could just change their MAC address but you need to take every step you can to prevent another occurrence.

Regardless of the reasons why someone wants on your network without you knowing, you are responsible for securing it the best you can. Under the worst cases it may take a substantial amount of time, effort and money to convince the authorities that you are an unwitting victim. This is why you need to do your best and make it as difficult as reasonably possible for others to gain access to your network.

I hope this helps you understand wireless networking and what you can do to extend your range and secure it.
