Providing Secure TaxWise Connectivity
Through a Public Wireless Network
Paul Snowberg – CA-02
Following is a description of how to connect a TaxAide wireless print sharing network to a public wireless network so TaxWise Online (TWO) can be supported. This approach uses a single inexpensive router in place of the PC and router shown on AARP’s documents, or the Trendnet bridge we have been using in CA-02.
If your site has the good fortune to have wired Internet access available, the connection is simple, and not addressed here. Usually, it’s just a matter of plugging the WAN side of your router into the local Ethernet network. The network’s “owner” may require you to use a specific TCP/IP address, or ask you to provide the NIC address of your router. Once connected, you should have what has proven to be the most stable of the TWO environments.
There are a number of advantages to the following configuration:
-You can use a single very cheap router (mine was <$20).
-PCs and printers move easily from site to site.
-The router is network visible and manageable.
-Hook up and power up in any sequence.
-Performance much better than the bridge.
-The firewall features of the routers provide security.
-Printer and file sharing should be fine.
Of course there are also some drawbacks:
-Initial setup is a little more complicated.
-Router doesn’t move easily from site to site (requires configuration change).
-There’s always some danger in connecting to the “wrong” network (connecting to the site’s router instead of the AARP router).
Note: If the public wireless network you are connecting to requires a browser based sign-on procedure (enter a specific ID, accept terms and conditions, etc.) the following configuration won’t quite do it. Please see Section 2 for information on how to connect in this environment, or the AARP network document in the portal.
The basic premise here is that you can add advanced features to your cheap router with free open source software.
Here’s lots of background information:
And, a “how to” article with an error in the picture of the router hard-wired to the laptop: USE ONE OF THE LAN PORTS, NOT THE WAN PORT! Maybe it works for this specific model, but usually it doesn’t!
One of the features of the software allows you to run your router in “Client” mode, which is sort of a “router in reverse”. In this mode, the router can use its wireless radio to communicate with the public or site router that is providing the Internet connection. At the same time, the router maintains a wireless private virtual network (tax network) with its own SSID (either broadcast or not) and its own range of network addresses.
Here’s how it looks in picture form. The printer can be wireless, or a wired network printer can be plugged into any of the LAN ports on the router.
Step one is to get the router up and running on DD-WRT. The link is:
The process of flashing the firmware into the router very much depends on the individual router.
I first converted a very old US Robotics USR5461. That worked fine, but it took some tinkering as US Robotics doesn’t want to recognize a firmware file that it can’t identify as coming from them. Building the correct firmware file required combining two files. Directions were clear and it worked out OK. I also had a few old routers that simply were not supported in the dd-wrt environment.
My second attempt involved a TP Link model TP-WR740N (ver. 4.23). This was a new router ( for $19.99; free shipping). I selected this one because it was cheap, available and supported by DD-WRT. The web site has a complete list of which routers you can use, and also a list of which models are not supported.
The firmware files were in:
ftp://dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2013/07-24-2013-r22118/
Step one is communicating with your router via a web browser. Make sure your wired network interface is set to obtain a network address automatically. (On my router, instructions for doing this were in Appendix 1). The TP-Link unit assigns an address of 192.168.0.1 to itself and provides a compatible address for your PC. You can log into this router using admin as the user name, and admin as the password. You now find “Firmware Upgrade” under “System Tools”.
At this point you’ll want to read the cautions and procedures for flashing your router on the dd-wrt web site. An error here can cause you to “brick” the router and you’re out the $20.
For my router, it was an easy two step process; first loading a file aptly named “factory-to-ddwrt.bin”, then rebooting the router (now using dd-wrt software) and loading “tl-wr740nv4-webflash.bin”. Once that was done, the router came up nicely under the dd-wrt software. Note that the new router software will also have the address of 192.168.1.1.
Note: The dd-wrt folks are constantly updating the software for various routers. The version (build) that was listed as “Latest Development Release” didn’t work properly for my router; when I updated to build 22118, it worked just fine.
Note: If this all looks like a little more than you want to deal with, you can buy a router off the shelf that has the same software and almost exactly the same configuration interface. I have a Buffalo WHR-300, available for $46 at
() that works very well in this configuration and took about 15 minutes to set up. There may also be others that support the virtual interface as well.
Router Configuration.
All router configuration is done via the web interface. Connect an Ethernet cable from your laptop to one of the LAN ports on the router, start your browser and look for the router at 192.168.1.1. The router should provide your computer with an address in the same subnet.
There are only a few pages in the configuration that need to be modified, and it can all be done in a single step.
First (after the obvious stuff like passwords, etc.) is the “Setup” tab on the top row, and the “Basic Setup” tab below. Note that at the bottom of each configuration page there are buttons for “Save” and “Apply Settings”. Save updates memory and is the one you want to use until you’re done with all configuration. At that time selecting “Apply Settings” will reboot your router. If you’ve changed the router’s IP address, you’ll have to look for it at the new address.
Here’s how it looks:
Set the “Connection Type”: This specifies the way you’re going to connect to the wireless network (WAN). Usually, this will be “Automatic Configuration – DHCP”. If the local IT folks want you to use a specific IP address, this is where it’s entered.
Under “Optional”, you can give the router a name if you want.
The “Network Setup” is where you specify the IP address range that you want to use for your new network. Here you need to be careful. If the network you connect to uses the 192.168.1.x sub-net (a popular choice) and you use the same one, it isn’t going to work properly. If you use something like 192.168.144.x, remember that any printers you want to access via static IP addresses will have to be set to that same sub-net, and the printer ports on the laptops will have to be updated.
Now, click on “Save” at the bottom of the page and then make sure that DHCP is enabled, as that will assign addresses to the client computers that access your network.
If you like your router to tell the time correctly, change the time zone to UTC -8:00 (here on the left coast) and enter time.windows.com in the Server IP/name box.
Here’s the bottom of the Basic Setup page on my router:
If you made any changes, remember to hit “Save”.
Next, we’re going to set up the Wireless connections. Select “Wireless” on the top tab, and “Basic Settings” under that:
First, select “Client” for the “Wireless Mode” and hit Save.
Now enter the SSID of the site wireless network you’re going to connect to. In my case, it’s my home network, VikingNet. The name has to be exactly the same as the SSID that is broadcast by the network you want to connect to.
Hit “Save”, and hit “Add” to establish a virtual interface. This is the network your AARP computers and printers are going to connect to. I’ve selected “Disable” for the “Wireless SSID Broadcast” (as suggested by the AARP Tech. folks); this keeps the network name out of other users’ lists of available networks while you do taxes. Hit “Save” again.
The final step is to enter the security information for the wireless network you are going to connect to, and also to establish the security key for the new tax network you are creating.
Select the “Wireless” tab, and then “Wireless Security”.
The top section is the security information required for the network you are connecting to. This could be “Disabled” if you’re connecting to a network that has no security requirement, or one of the other choices.
Below is the security information for your “new” wireless network. WPA2 Personal and AES is recommended. You can pick your own favorite password (WPA Shared Key).
When this is done, you can select “Save”, then “Apply Settings”. The router will re-boot, and you should be able to find it at its new address (for mine, it is 192.168.144.1). A glance at the upper right corner of any of the configuration screens will show if you’re connected to the site’s wireless network. Look for a WAN IP address. You should now be able to connect to the Internet and TWO. If that works, disconnect the cable between your laptop and the router and see if you can connect to the new wireless network.
Under “Status” there is a huge amount of information.
Trouble Shooting
Check the Router:
The TaxAide network is a virtual network working in conjunction with the site’s wireless network. For this reason, your wireless tax network won’t show up or allow connections if the router isn’t connected to the site network. If you don’t see the “TaxAide” network in the list of available networks, your router is not connecting properly.
In this case, you have to switch the wireless network connection on your laptop to “off” (usually a little switch somewhere around the edge, or perhaps a button above the keyboard). Then connect an Ethernet cable between the laptop and any of the LAN ports on the router. Unless the router has failed completely, you should now be able to bring up a network browser and communicate with the router by entering its IP address. In my case, that’s 192.168.144.1.
Check the upper right hand corner (in the black area) for a WAN IP. If it’s not there, you need to check that the network name and password have not changed (try connecting directly to the site’s Internet with one of the laptops). If you can’t connect with a laptop, the site may have to re-set its router. If they’ve changed the network SSID, password or other access requirements, you’ll have to go back to the configuration instructions in this document. Look on the screens shown in the “Wireless” tab. The network name is under the Wireless tab, then the Basic Settings tab. The password is under Wireless, then Wireless Security.
Once the connection has been established and you have a valid WAN IP address, you should be able to connect from your laptop. If that works, switch the laptop back to wireless and you should see the Tax network in the list of available wireless networks (or as an “Other Network” if you have chosen not to broadcast the SSID).
Section 2 – A Network Requiring Sign-On or Password
This configuration can use most any router and does not require the use of a virtual wireless network. It uses a single PC to provide the Internet connection, and then shares that connection with the rest of the Tax network. The gateway PC can be used to do taxes also, but since all Internet traffic flows through it, any glitch (having to re-boot, etc.) will impact all the other PCs in the network.
It looks like this:
The starting assumption here is that Microsoft Internet Connection Sharing (ICS) has been set up on the PC on the left side above. This involves no more than going to “Change Adapter Settings”, right-clicking on “Properties” for the wireless network, clicking on the “Sharing Tab” and selecting “Allow other users to connect, etc.”.
This invokes a fairly primitive routing facility within Windows (note: this information is specific to Windows 7; I think XP is slightly different.)
When the sharing facility is started, Windows will assign an address of 192.168.137.1 to the Ethernet (wired) interface and provide a routing service between the Ethernet port and the wireless port. In addition, a DHCP service is provided, so that when one or more additional network components are connected to the Ethernet wired port, they will be automatically assigned addresses. Further, a Network Address Translation (NAT) facility is there to make sure network responses get routed back to the PCs where they originated.
In order to support a private wireless network for TWO access, we plug a router into the PC’s wired Ethernet port. This way, the PC connected to the site’s wireless network can first establish the connection, and all the PCs on the wireless side of the AARP router (the “Tax Network”) will be able to use it.
The PC on the WAN side of the router can also access TWO, but a little special configuration adjustment is required to make any IP addressed Tax network printer available to this PC.
The configurations shown are for a router flashed with DD-WRT firmware, but the capabilities exist in almost any “off the shelf” router.
First, the WAN side of the router must have a fixed address. In my tests, I assigned it 192.168.137.200. Since it’s the only component connected to the PC’s wired interface, any address other than 192.168.137.1 should be fine.
Don’t forget to set the Static DNS address to 192.168.137.1 (the gateway PC).
The wireless LAN side of the router is configured for your Tax network. Best security is achieved by using WPA2 with AES encryption. Also, you can disable SSID broadcast if you want, or give the network a name that isn’t associated with tax preparation.
Here’s the configuration:
and, on the Wireless Security page:
At this point, you should be able to connect the router’s WAN port to the gateway PC and have Internet access for the PCs wirelessly connected to the LAN side of the router.
Assuming the printer on the LAN side of the router has a fixed IP address (either wired or wireless), it can be accessed in the following way:
Find the “DMZ” configuration on the router. This allows a specific IP address on the LAN side of the router to be accessed from the WAN side (where the “sign on”, or gateway PC is located). The printer’s IP address is configured there. Mine was 192.168.144.120, as I use the 192.168.144 subnet for my LAN addresses.
Here’s the configuration on my router. It was under the NAT/QoS tab at the top, then under DMZ:
This allows access to the printer from the WAN side of the router where the gateway PC is.
Last, on the gateway PC only, change the port address of the printer to 192.168.137.200. This will direct print traffic to the router, and the router will pass it on to the printer on the LAN side.
If your printer allows control from a web browser, you should now be able to access it from the router address (192.168.137.200) from the gateway PC, or from its static address (192.168.144.120) from the other PCs.
I’ve only tested the connection part of this at the San Mateo main library where you have to click a box to accept their terms. I see no reason why it shouldn’t work other places, but it is possible that a carefully programmed RADIUS server might block this kind of activity, so testing before tax season is very important.
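An added example (not part of the original document): a short Python check of the address plan described under “Network Setup” and in Section 2, meant to be run before the router is configured. The function name check_plan and the /24 masks are assumptions; the addresses are the ones used in this document.

```python
"""Sanity-check a tax-network address plan before touching the router."""
import ipaddress


def check_plan(wan_net, lan_net, router_lan_ip, static_hosts,
               router_wan_ip=None, wan_gateway=None):
    """Return a list of problems; an empty list means the plan is consistent.

    wan_net       network on the router's WAN side (site Wi-Fi, or ICS)
    lan_net       private tax network served by the router
    static_hosts  {name: address} for printers with fixed addresses
    router_wan_ip fixed WAN address, or None when the WAN side uses DHCP
    """
    wan, lan = ipaddress.ip_network(wan_net), ipaddress.ip_network(lan_net)
    problems = []
    if wan.overlaps(lan):
        problems.append(f"tax network {lan} overlaps WAN-side network {wan}")
    used = {}
    for name, ip in [("router LAN side", router_lan_ip), *static_hosts.items()]:
        addr = ipaddress.ip_address(ip)
        if addr not in lan or addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{name} {addr} is not a usable address in {lan}")
        if addr in used:
            problems.append(f"{name} {addr} is already used by {used[addr]}")
        used.setdefault(addr, name)
    if router_wan_ip is not None:
        wan_ip = ipaddress.ip_address(router_wan_ip)
        if wan_ip not in wan:
            problems.append(f"router WAN address {wan_ip} is outside {wan}")
        if wan_gateway and wan_ip == ipaddress.ip_address(wan_gateway):
            problems.append(f"router WAN address {wan_ip} duplicates the gateway")
    return problems


if __name__ == "__main__":
    # Section 2 layout with this document's addresses; the /24 masks are assumed.
    plan = dict(wan_net="192.168.137.0/24", lan_net="192.168.144.0/24",
                router_lan_ip="192.168.144.1",
                static_hosts={"printer": "192.168.144.120"},
                router_wan_ip="192.168.137.200", wan_gateway="192.168.137.1")
    for problem in check_plan(**plan) or ["plan is consistent"]:
        print(problem)
    # First configuration with the tax network left on the site's own sub-net.
    print(check_plan("192.168.1.0/24", "192.168.1.0/24", "192.168.1.1", {}))
```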
Following are some tips on checking the PC’s connection.
Windows XP
1) Always start by putting the cursor over the little monitor icon in the lower right corner. If this says “TaxAide” (or your network’s name) go to step 3.
2) If you’re connected to the wrong network, right-click on the icon once. This will bring up a list of available wireless networks. Left-click on the TaxAide network and click on “Connect” at the bottom. If it asks for a password, enter your site’s password. If you don’t see the TaxAide network (but see other networks), there may be a router problem.
3) To see more information about the network you’re connected to, right click on the monitor icon and select “Status”. At the top of the Network Connection Status window, click on “Support”. This will show your currently assigned address; it should be something like 192.168.144.10. It will also show the address of the router (Gateway), usually something like 192.168.144.1. If you see an address like 169.254.x.y, and the folks around you are connected, re-boot your computer. If nobody’s connecting, reboot the router.
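An added example (not part of the original document): the address and gateway check from step 3, applied to the text printed by the ipconfig command on Windows XP or Windows 7, which also flags the “wrong network” case listed among the drawbacks. The function name, the status labels and the /24 mask are assumptions, the sample output is constructed, and only IPv4 gateways are read.

```python
"""Classify a laptop's connection from the text printed by `ipconfig`."""
import ipaddress
import re

TAX_NET = ipaddress.ip_network("192.168.144.0/24")  # this document's tax sub-net (/24 assumed)
TAX_ROUTER = ipaddress.ip_address("192.168.144.1")  # router address used in this document
APIPA = ipaddress.ip_network("169.254.0.0/16")      # self-assigned when no DHCP reply arrives

# Windows XP prints "IP Address", Windows 7 "IPv4 Address"; either may carry
# an "Autoconfiguration" prefix when the address is self-assigned.
FIELD = re.compile(
    r"^[ \t]*(?:Autoconfiguration )?(IP(?:v4)? Address|Default Gateway)"
    r"[ .]*:[ \t]*(\d+(?:\.\d+){3})", re.M)


def classify(ipconfig_text):
    """Return (status, advice) for the first address and gateway reported."""
    seen = {}
    for label, value in FIELD.findall(ipconfig_text):
        key = "gateway" if label == "Default Gateway" else "address"
        seen.setdefault(key, ipaddress.ip_address(value))
    addr, gateway = seen.get("address"), seen.get("gateway")
    if addr is None:
        return "no-address", "no IPv4 address; check that wireless is switched on"
    if addr in APIPA:
        return "no-dhcp", f"{addr} is self-assigned; re-boot the PC, or the router if nobody connects"
    if addr in TAX_NET and gateway == TAX_ROUTER:
        return "tax-network", f"{addr} via {gateway}"
    return "wrong-network", f"{addr} via {gateway} is not the tax network; reconnect"


# Constructed sample: a Windows 7 laptop that joined the site's own network.
SAMPLE = """\
Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```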