Republished with permission from WatchGuard Technologies, Inc.


Expanding Your Small Business Wireless LAN

By David M. Piscitello, President, Core Competence

Wireless LANs can reduce small business, network-related expenses in many ways, such as:

  • Eliminating the cost of wired Ethernet connections during or after construction
  • Expediting the changes you'll make to your Ethernet topology as your organization grows and office space changes
  • Saving you from abandoning most of your Ethernet cabling investment if you relocate

These kinds of considerations have made WLANs enormously appealing. Two constraints you should consider, however, are capacity and coverage. A single, properly located 802.11 b/g access point can serve about 20 employees over an unobstructed span of 100 to 200 feet indoors, with the convenience of being "always connected, anywhere." Walls, doors, and other obstructions reduce a single Access Point's (AP's) reach, and throughput declines with distance.

So what do you do when your office outgrows your one and only access point? You add more. The rest of this article explains when and how.

When do I add a second Access Point?

Capacity and coverage commonly dictate when organizations add access points. An industry rule of thumb is that a 54 Mbps AP will yield (at best) about 25-27 Mbps. Combine this with a second rule of thumb: allow 1 Mbps per user for normal Internet activities, and increase the per-user allocation for users who run bandwidth-hungry applications.

While this is a reasonable starting point, consider other factors as well. Consider the impact of signal strength. Obstructions and station distance from your AP affect the data rate at which stations operate. Stations at some locations in your facility may still only achieve 1 Mbps, even when your AP's maximum data rate is 54 Mbps. Actual application throughput will be (at best) about half of the station's current data rate, further declining as multiple stations contend for each AP's shared radio channel.

When you need to meet the needs of additional office space and employees, or need to increase capacity for existing employees, it's time to add an AP.

Where do I add a second Access Point?

Consider taking a new site survey to determine the best locations for your multiple-AP deployment. Each access point will provide its own radius of transmission, often called a cell. To allow seamless roaming across your AP cells, allow slight overlap between cells. WLAN stations will automatically associate with the AP that offers the best combination of signal strength and quality.

Position your APs so that cells reach all your stations, plus all areas where users may roam. You might need to relocate your original AP. In fact, the optimal AP placement might be someplace where power and wired Ethernet connections from your APs to your "wiring closet" are not available! In such situations, before you invest in new wiring of any kind, consider using Power over Ethernet (POE) or Ethernet over Powerline (HomePlug Networking).

Try to contain your APs' radio signals within the physical envelope of your offices. This minimizes the threat of eavesdropping on your network, and prevents your network from interfering with nearby networks. Provide sufficient overlap for clients to roam, but not so much that clients will struggle to choose the stronger of two signals, or they'll flip-flop between the APs and perform poorly.

Setting up the airlink

Now that your physical devices are in place, let's move up to the link layer. To create a WLAN environment where clients can associate with the access point offering the highest signal quality and users can maintain IP connectivity as they roam, set each AP to operate on a unique, non-overlapping channel within the 2.4 GHz ISM spectrum. For example, you might set your Firebox Edge Wireless to operate at channel 1, and a second AP to operate at channel 11.

Achieve airlink connectivity before you try to tune performance. Leave WLAN parameters such as fragmentation length, Request to Send (RTS) threshold, Delivery Traffic Indication Message (DTIM) intervals, and transmission power at their defaults until your network functions properly. My experience is that you should not suppress network name (SSID) broadcast in beacon frames. Suppressing SSID beaconing is a weak security measure at best, and will simply cause your stations to probe for APs with the desired SSID. WLAN parameters sent in beacon and probe response frames -- 802.11b compatibility mode and available link speeds, for example -- help stations determine if they are able to associate as they discover new APs. Obviously, though, you should change the SSIDs from their factory defaults, since hackers share lists of known authentication credentials.

Configure APs and client workstations in your network to use the same SSID, authentication, and encryption parameters. You may want to begin with an open system (no encryption) until you are confident your network operates as you intended. Ideally, use Wi-Fi Protected Access version 2 (WPA2) with the Advanced Encryption Standard (AES) for link protection. If WPA2 is not available, use WPA version 1 with the Temporal Key Integrity Protocol (TKIP). If WEP is the only encryption alternative available to all adapters and APs in your WLAN, use WEP, but seriously consider enabling encrypted MUVPN connections for wireless clients from your Firebox X Edge Wireless.

When AES or TKIP is used, each client workstation must use an encryption key that is known to your AP. In larger enterprises, per-station keys can be delivered using 802.1X. Small business needs can be met by having all stations and the AP use the same pre-shared key (PSK). Make it at least 20 characters long and not easily guessed. In Windows XP environments, stations can be individually configured, or you can use the Wireless Network Setup Wizard available with Service Pack 2 to create a configuration installer program on a removable (USB) device. Run the program from the USB device to install the same wireless configuration (including PSK) on every wireless station you permit to access your internal network, thus reducing the likelihood of misconfiguration.
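The airlink recommendations above (non-overlapping channels, non-default SSIDs, SSID broadcast left on, WPA2/AES preferred over WPA/TKIP over WEP, a PSK of at least 20 characters, and identical parameters on every AP) can be checked mechanically before a second AP goes live. The script below is an added example, not code from the article or from WatchGuard; the `AccessPoint` record, the list of factory-default SSIDs and the sample configurations are constructed for illustration. The channel rule it encodes is the general one behind the article's "channel 1 and channel 11" advice: 2.4 GHz channel centres are 5 MHz apart and an 802.11b/g signal is about 22 MHz wide, so channels fewer than five numbers apart overlap.

```python
from dataclasses import dataclass
from typing import List

# Hypothetical list of factory-default SSIDs; the article only says to change
# defaults, so this set is an assumption made for the example.
DEFAULT_SSIDS = {"default", "wireless", "linksys", "netgear", "dlink"}

# Link-protection modes ranked in the article's order of preference.
ENCRYPTION_RANK = {"wpa2-aes": 3, "wpa-tkip": 2, "wep": 1, "open": 0}

# The non-overlapping 2.4 GHz channel set (US regulatory domain).
NON_OVERLAPPING = (1, 6, 11)


@dataclass
class AccessPoint:
    name: str
    ssid: str
    channel: int
    encryption: str            # one of the ENCRYPTION_RANK keys
    psk: str = ""              # pre-shared key for WPA/WPA2-PSK
    ssid_broadcast: bool = True


def channels_overlap(a: int, b: int) -> bool:
    """Two 2.4 GHz channels overlap when they are fewer than 5 numbers apart."""
    return abs(a - b) < 5


def audit(aps: List[AccessPoint], min_psk_len: int = 20) -> List[str]:
    """Return findings against the article's airlink recommendations; an empty
    list means the configuration follows them."""
    findings: List[str] = []
    for ap in aps:
        if ap.ssid.strip().lower() in DEFAULT_SSIDS:
            findings.append(f"{ap.name}: SSID '{ap.ssid}' is a factory default; change it")
        if ap.encryption not in ENCRYPTION_RANK:
            findings.append(f"{ap.name}: unrecognised encryption mode '{ap.encryption}'")
        elif ap.encryption == "open":
            findings.append(f"{ap.name}: open system; acceptable only while bringing the link up")
        elif ap.encryption == "wep":
            findings.append(f"{ap.name}: WEP is weak; if no adapter supports WPA, tunnel wireless clients through a VPN")
        elif ap.encryption == "wpa-tkip":
            findings.append(f"{ap.name}: WPA/TKIP; move to WPA2/AES once every adapter supports it")
        if ap.encryption in ("wpa2-aes", "wpa-tkip") and len(ap.psk) < min_psk_len:
            findings.append(f"{ap.name}: PSK is {len(ap.psk)} characters; use at least {min_psk_len}")
        if not ap.ssid_broadcast:
            findings.append(f"{ap.name}: SSID broadcast suppressed; weak measure, stations will probe for it anyway")
        if ap.channel not in NON_OVERLAPPING:
            findings.append(f"{ap.name}: channel {ap.channel} is not one of {NON_OVERLAPPING}")

    # Stations can only roam between APs that share SSID and security settings.
    if len({ap.ssid for ap in aps}) > 1:
        findings.append("APs use different SSIDs; roaming requires a common SSID")
    if len({(ap.encryption, ap.psk) for ap in aps}) > 1:
        findings.append("APs use different encryption or PSK settings; stations need one set of parameters")

    # Neighbouring cells must sit on channels that do not overlap.
    for i, a in enumerate(aps):
        for b in aps[i + 1:]:
            if channels_overlap(a.channel, b.channel):
                findings.append(f"{a.name} (ch {a.channel}) and {b.name} (ch {b.channel}) overlap; separate them by at least 5 channels")
    return findings


# Constructed sample: a firewall's internal AP still at factory settings plus a
# second AP that was set up by hand.
SAMPLE_APS = [
    AccessPoint("edge", "default", 1, "wep"),
    AccessPoint("ap2", "default", 3, "wpa2-aes", "short", ssid_broadcast=False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_APS):
        print(finding)
```

Run it as-is to see the findings for the constructed sample; replace `SAMPLE_APS` with your own AP settings to review a real deployment. A clean result from `audit` is a list with no entries.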

Setting up seamless inter-AP roaming

Now let's consider IP configuration issues. When a wireless station "goes mobile," it temporarily drops its airlink connection as it disassociates with one AP and associates with another. At the IP level, DHCP-enabled stations will renew IP information (IP address, subnet mask, default gateway...), but in many cases, stations will re-acquire the same IP address. That means application sessions might persist through this sequence of events. (Note: you can enhance the probability of IP persistence by using the DHCP Reservations option.) If a client roams from one IP subnet to another, however, the IP address must change, and application sessions will always be disrupted. The situation is worse for clients with static IP address assignments: if they associate with an AP in a different subnet, the fixed address they have is incompatible with the new IP subnet, so they lose IP connectivity altogether.

Avoid network-layer roaming (and consequent disruption) by bridging rather than routing between APs. To create a bridged network that spans several APs and Ethernet LANs, you must "uplink" your APs to a common Ethernet hub or switch. For example, if you are using a Firebox X Edge Wireless, connect all 802.11 b/g access points to the Edge's Ethernet hublet. From the Firebox X Edge Wireless Configuration, set the Network assignment to Bridge to Trusted Network. All devices connected to the Edge hublet ports, including any stations that associate with your second "standalone" AP, will be part of a bridged LAN that includes stations associated with the Edge's internal AP.
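The roaming outcomes described in the two paragraphs above (same subnet: address stays valid and sessions may persist; different subnet with DHCP: new address and disrupted sessions; different subnet with a static address: connectivity lost) and the requirement that the DHCP server be reachable from every AP can be reviewed before cabling anything. The script below is an added example, not part of the article or a WatchGuard tool; the `ApUplink` and `Station` records, the documentation-range addresses, and the sample stations are constructed for illustration. It assumes each AP is uplinked to exactly one IP subnet, which is the bridged-or-routed distinction the article draws.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


@dataclass
class ApUplink:
    name: str
    lan: IPv4Network          # subnet of the Ethernet segment the AP is uplinked to


@dataclass
class Station:
    name: str
    address: IPv4Address
    static: bool              # statically configured rather than DHCP


DESCRIPTION = {
    "link-layer": "address stays valid, application sessions may persist",
    "network-layer": "DHCP must assign a new address, application sessions break",
    "lost": "static address is foreign to the new subnet, IP connectivity lost",
}


def roam_effect(station: Station, src: ApUplink, dst: ApUplink) -> str:
    """Classify a hand-off from src to dst as link-layer, network-layer or lost."""
    if src.lan == dst.lan:
        return "link-layer"          # bridged: the station keeps its address
    if station.static:
        return "lost"                # fixed address does not belong to dst.lan
    return "network-layer"           # routed: DHCP re-addresses the station


def review(aps: List[ApUplink], stations: List[Station],
           dhcp_server: IPv4Address) -> Dict[str, List[str]]:
    """Report every disruptive hand-off, every AP a static station cannot use,
    and every AP whose LAN has no direct path to the DHCP server."""
    report: Dict[str, List[str]] = {"roaming": [], "static": [], "dhcp": []}
    for st in stations:
        for i, a in enumerate(aps):
            for b in aps[i + 1:]:
                effect = roam_effect(st, a, b)
                if effect != "link-layer":
                    report["roaming"].append(
                        f"{st.name}: {a.name} <-> {b.name} is a {effect} roam; {DESCRIPTION[effect]}")
        if st.static:
            foreign = [ap.name for ap in aps if st.address not in ap.lan]
            if foreign:
                report["static"].append(
                    f"{st.name} ({st.address}) cannot use {', '.join(foreign)}; bridge the APs or switch to DHCP")
    for ap in aps:
        if dhcp_server not in ap.lan:
            report["dhcp"].append(
                f"{ap.name}: DHCP server {dhcp_server} is not on {ap.lan}; stations there need a DHCP relay")
    return report


# Constructed sample using documentation address ranges: the firewall's internal
# AP on the trusted LAN and a standalone AP that was uplinked to a routed segment.
BRIDGED_APS = [ApUplink("edge", IPv4Network("192.0.2.0/24")),
               ApUplink("ap2", IPv4Network("192.0.2.0/24"))]
ROUTED_APS = [ApUplink("edge", IPv4Network("192.0.2.0/24")),
              ApUplink("ap2", IPv4Network("198.51.100.0/24"))]
STATIONS = [Station("laptop", IPv4Address("192.0.2.50"), static=True),
            Station("tablet", IPv4Address("192.0.2.60"), static=False)]
DHCP_SERVER = IPv4Address("192.0.2.1")

if __name__ == "__main__":
    for section, lines in review(ROUTED_APS, STATIONS, DHCP_SERVER).items():
        print(section, lines)
```

With `BRIDGED_APS` every list in the report is empty, which is the design the article recommends; with `ROUTED_APS` the report names the station that would lose connectivity, the hand-offs that break sessions, and the AP whose stations cannot reach the DHCP server without a relay.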

Be certain that whatever system hosts DHCP services for your network is accessible from all APs in your bridged network. You may choose to run a DHCP service on your Firebox X, or on a Windows 2003 server protected by your firewall. Choose the service that provides the DHCP options that best satisfy your policy needs. Many DHCP standard options are available from Firebox X series firewalls (e.g., restrict access by MAC address, DHCP Reservations). It is possible to:

  • Use more than one DHCP server
  • Relay DHCP service through a Firebox X Edge to a Windows server
  • Use different address pools from the same IP subnet

But such advanced deployment considerations require careful planning and are not typically required in small business networks.


To tap the potential of wireless, many small businesses will (eventually) require multiple APs to fulfill performance and coverage needs. Deploying a multi-AP WLAN may require more planning than a single-AP WLAN, but taking a systematic approach can help your company achieve optimal results with minimal effort. If you really want to ensure adequate radio coverage, minimal interference, and glitch-free roaming between all APs in your office, make sure that your WLAN design addresses physical, link layer, and network layer requirements. Work from the bottom up, and you'll do fine.

Further Reading:

Lisa Phifer's excellent article explaining how an 802.11 station associates with an AP: "Moving Freely between WLAN Access Points" (requires free Tech Target registration)

Bernard Aboba's Unofficial 802.11 Security Web Page

Copyright © 2005, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.