Configuring a Wireless Network
LAD supports 2.4Ghz, 5Ghz and 6Ghz Wi-Fi signals with installation of an appropriate Wi-Fi card. For the most recent information on hardware that has been tested with LAD, please visit http://www.lateralaccessdevice.com/hardware.htm.
LAD is capable of broadcasting simultaneously on multiple Wi-Fi channels; however, the resources available for processing Wi-Fi activity are shared among all of the active channels. This means you get higher per-channel performance with one or two channels activated than with three channels activated.
When LAD is first installed, if it detects the presence of a wireless card it will automatically enable the 2.4Ghz band with SSID “LAD” and password “1234.” It is highly recommended that you change this default SSID and password when you first log into LAD. The 5G and 6G bands are not enabled at first installation; they remain off until you manually activate them.
The Wi-Fi section of the user interface will still be available even if no Wi-Fi card is available; however, making changes to it will have no effect on the functions and operations of LAD.
- After making any changes on the Wi-Fi monitor page or the Wi-Fi channel page(s), go to "Settings" from the Main Menu and click on "Reboot" at the top of the page to reboot LAD and apply the changes. Using the reboot option on the Settings page is better than powering LAD off and on because it ensures that all data gets properly stored before rebooting (it is also easier on the hard drive).
LAD supports the personal versions of the WPA2 and WPA3 protocols. In testing we found that for most clients WPA2 works best with the 2.4G and 5G bands, while WPA3 works best with 6G. LAD works equally well with either encryption protocol; however, as a standard, 6G only works with WPA3.
LAD offers a unique enhancement to the WPA3 protocol. Typically WPA3 only allows one password per SSID; for security, however, it is best to have separate passwords for each client device. Through a unique implementation, LAD makes it possible for 6G clients to have individual passwords while sharing the same SSID. See “SSID / Password Options” below.
LAD does not support Wi-Fi encryption protocols prior to WPA2. Although WPA2 is not a strong encryption protocol, the older protocols are weaker.
Create a Wireless Network
To create a wireless network, log into LAD’s web-based user interface and click on “Wi-Fi.” Under “Wi-Fi Settings” checkmark “Active” and click on “Update Flags.” If you wish to disable the wireless functions at any time, simply uncheckmark “Active” and click on “Update Flags.”
Under “Wi-Fi Cards / Channels” are listed the Wi-Fi card(s) that you have installed in your LAD hardware, if available, and the channels pertaining to them. If you have installed more than one Wi-Fi card into LAD, they will all be listed here with their respective channels (individual channels are attached to their respective Wi-Fi card). Clicking on the Wi-Fi card name will bring up a new page showing its status and various performance statistics.
Click on the channel name to make changes to the channel configuration. Please note that a channel must be marked “Active” for it to function.
- If neither 5Ghz nor 6Ghz are checkmarked, the channel will broadcast on the 2.4Ghz band.
- Checkmarking “Broadcast SSID” instructs LAD to send out SSID beacons on the channel at the interval set in the Beacon Interval field at right.
- Checkmarking “BeaconOnDemand” enables the use of “hidden” beacons. See “SSID Beacon Management” below.
- If the channel is 6Ghz, “Enable WPA3” must also be checkmarked.
- When changing channels from active to inactive or vice versa, it is possible that their channel numbers may be reassigned. This has no effect on their functionality.
- When making changes to Wi-Fi channel settings, you must reboot LAD for the changes to take effect.
Please note that the first time LAD boots up, if it detects the presence of a wireless card it will automatically enable the 2.4Ghz band with SSID “LAD” and password “1234.” It is highly recommended that you change this default SSID and password when you first log into LAD.
If your LAD does not have a wireless card installed, the Wi-Fi settings page will be available to look at but none of the wireless features or functions would be available.
LAD may broadcast multiple SSIDs, allowing you to have up to 100 different wireless clients with different SSIDs. The limitation on this is which band you may use. The 5G and 6G bands only allow the broadcasting of one SSID per channel. The 2.4Ghz band, however, allows one broadcast SSID plus additional "secret" SSIDs.
SSID / Password Options
With LAD you have the option of using the same SSID with different passwords for different users, regardless of whether your clients are using WPA2 or WPA3. What this means is that if one client’s password becomes compromised, addressing the problem is limited to the password for that particular client – all other Wi-Fi devices would hum along as normal, with no disruption or password reconfiguration required. User passwords are set by individual user, see “Wireless Users” below for more information.
For some clients using WPA3, the system may require them to attempt to login two or three times the very first time they try to connect to LAD via Wi-Fi 6E, however for many it will work the first time, or the slight delay would be imperceptible. This minor inconvenience has to do with the way LAD works around the WPA3 protocol’s requirement for a single password per SSID.
If you wish to have multiple SSIDs available on the same channel, it is only possible with the 2.4Ghz band. For 5Ghz and 6Ghz, to have multiple SSIDs you must enable more than one channel on the same band. Keep in mind, however, that most wireless cards support up to three channels at a time, so if additional channels are desired multiple wireless cards must be installed.
It is not recommended to use both the same SSID and password for different clients, as this creates confusion in the system about which user client is which, as LAD identifies users by their individual SSID / password combination. If more than one client tries to use the same SSID / password combination, likely only one would be able to connect at a time, meaning that when one client tries to connect it will boot off the other client and vice versa.
The ability to use Wi-Fi without passwords is restricted on LAD. Aside from the fact that it is not a good idea to allow indiscriminate access to your LAN, as explained in the previous paragraph, Wi-Fi users are distinguished from each other by their SSID / password combinations.
What happens if a Wi-Fi password is stolen?
Every user gets their own Wi-Fi password, so if you know it has been compromised, you need only change the Wi-Fi password for the individual client affected. The theft of the password likely would be fairly apparent: when the hacker tries to use it, it would boot the legitimate user off the Wi-Fi network (and vice-versa), so the end-user would likely be alerted that something wasn’t working quite right.
What if I use MAC randomization?
Combining MAC randomization with a single SSID and password for all users on a network creates a big weakness: it removes the ability to identify or track individual clients and the ability to disable access for individual clients. In the past, systems using one SSID and one password network-wide could only track individual clients by their MAC address; the introduction of MAC randomization made it impossible to distinguish one user from another. In that environment, if a hacker steals the SSID and password for the network, they will blend in, appearing as just another iteration of the randomized MAC addresses. You may hope that they are only piggybacking on your home or office network to save a little money, but they could be doing much more and you would not be able to tell.
With LAD you have the capability to give all clients different passwords, so even if you employ MAC randomization, you would be able to tell your laptop from your tablet, your phone from your network printer and so on. Additionally, when reviewing LAD’s reports and analyzing network data, you will not be hindered by a myriad of phantom MACs that make it impossible to tell what is going on or who is accessing what... unless you do assign the same SSID and password to multiple clients. LAD gives you the flexibility to manage and track clients individually, as groups or not at all, as you decide.
SSID Beacon Management
Beacons are tools used by the Wi-Fi protocols for a Wi-Fi router to broadcast its SSID(s). A beacon is a Wi-Fi message, typically repeated at pre-set intervals, containing information about a Wi-Fi network so that clients can find it and attempt to connect. Depending on implementation, the client may also probe the channel for other beacons.
LAD allows the user to choose the interval between beacon broadcasts. The frequency of beacon broadcast required by different client devices is variable, so while LAD allows the user to set a frequency between 10ms and 60 seconds, some devices require 50ms intervals and others 100ms intervals. Some 6G client devices will have trouble unless the beacon frequency is set to 20ms. It all depends on the wireless client devices and may take some trial and error to find the best interval for your particular clients (which also may have different “ideal” beacon intervals on different bands).
It is also possible to have so-called “hidden” beacons, which LAD may be configured to broadcast only when a client probes for them. Some clients using the 6Ghz band, however, may work well with hidden beacons (aka hidden SSIDs) and others may not. Please note that the end-user client must also be configured to use the hidden SSID, also called non-broadcasting SSID, in its wireless settings.
With the 2.4Ghz band you may choose to forego all broadcasting of beacons, however, the 5Ghz and 6Ghz bands require that at least one beacon be broadcast.
LAD also allows the broadcast of multiple beacons, however, this capability should be used with caution. Too many beacons with short intervals would cumulatively utilize a significant amount of bandwidth and may end up slowing things down.
To manage beacons, from the Main Menu click on Wi-Fi and select the band for which you would like to adjust the beacon settings. You may change the interval between beacon broadcasts in 0.1 second increments. You may also enable “BeaconOnDemand,” which instructs LAD only to send out a beacon upon request of a client.
Wireless Users
Here is where you set individual passwords for wireless users, as well as which SSID it should use. Please note that individual wireless users will only be given access if marked “Active.”
Users are tracked by their individual User ID / SSID and password combination, so if you have multiple users using the same SSID and password, they will be tracked collectively under their common SSID / password combination.
When creating a new Wi-Fi user profile, the MAC address field will be blank. This field will populate the first time a client connects using that profile’s SSID / password combination and become a permanent entry regardless of subsequent MAC addresses used with the same SSID / password combination.
LAD gives you the option of tracking multiple clients collectively using the “Set MAC” option. By checkmarking “Set MAC” and entering the same MAC address in the “Set MAC” field at right, LAD can track two or more Wi-Fi devices as a single user, which may be useful in cases where the same human user uses two separate Wi-Fi devices.
- Match MAC: This option should be used only if necessary and with caution. It does not improve security much, since LAD lets you set up different passwords for different users. If the client's MAC address changes and you do not know the original MAC address or cannot change it back to the original MAC address, the client would be locked out of the network.
- WPA3 Only: Checkmarking this requires the user to only connect using WPA3 encryption. This option should not be checkmarked at the same time as "WPA3 Also".
- WPA3 Also: Checkmarking this allows the user to use either WPA3 encryption or WPA2 encryption. If it is not checkmarked, only WPA2 encryption may be used, unless "WPA3 Only" is checkmarked. This option should not be checkmarked at the same time as "WPA3 Only".
- In Use: Checkmark this option if you have a user who is not currently checkmarked as Active, but whose record you wish to retain. If a Wi-Fi user is not checkmarked as either Active or In Use, the system may delete or recycle the record.
- Name: Your reference for this particular user. This entry has no bearing on the settings for connecting to Wi-Fi.
- SSID: The user's SSID entry must match the SSID for the Wi-Fi channel to which you wish them to be able to connect.
You may use the duplicate function available on the Wi-Fi user page to duplicate the settings of a user when creating a new Wi-Fi user. Simply type in the new user name and click on "Duplicate." It is recommended that you change the new user's password, so as not to use the same SSID/password combination as the original user.
- We recommend you change the default SSIDs and passwords assigned to the channels and default Wi-Fi user when setting up your wireless network(s).
- You may assign different passwords to each Wi-Fi user, even if they use the same SSID.
- Some clients require passwords at least eight characters in length.
- Some clients have trouble with passwords that use spaces or special characters other than the standard alpha-numeric characters (A-Z and 0-9).
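The channel and Wi-Fi user rules described above can be checked mechanically before rebooting to apply changes. This is an added example, not part of LAD or its documentation: it audits a constructed configuration, and the dictionary field names and sample data are assumptions made for illustration, since the page describes these settings only as fields in the web interface.

```python
import re
from collections import Counter

# Constructed sample data; field names are assumptions, not a LAD export format.
CHANNELS = [
    {"ssid": "LAD", "band": "2.4", "wpa3": False, "active": True},
    {"ssid": "Office6", "band": "6", "wpa3": False, "active": True},
]
USERS = [
    {"name": "default", "ssid": "LAD", "password": "1234", "active": True,
     "wpa3_only": False, "wpa3_also": False},
    {"name": "laptop", "ssid": "Office6", "password": "Blue42Horse", "active": True,
     "wpa3_only": True, "wpa3_also": True},
    {"name": "tablet", "ssid": "Office6", "password": "Blue42Horse", "active": True,
     "wpa3_only": True, "wpa3_also": False},
    {"name": "printer", "ssid": "Print", "password": "pr int!99", "active": True,
     "wpa3_only": False, "wpa3_also": False},
]

def audit(channels, users):
    """Return a sorted list of (subject, finding) tuples."""
    findings = []
    active_ssids = {c["ssid"] for c in channels if c["active"]}
    for c in channels:
        if c["active"] and c["band"] == "6" and not c["wpa3"]:
            findings.append((c["ssid"], "6Ghz channel without Enable WPA3"))
        if c["active"] and c["ssid"] == "LAD":
            findings.append((c["ssid"], "default SSID still in use"))
    active = [u for u in users if u["active"]]
    # Users are told apart by SSID / password combination, so count each pair.
    combos = Counter((u["ssid"], u["password"]) for u in active)
    for u in active:
        if u["password"] == "1234":
            findings.append((u["name"], "default password"))
        if len(u["password"]) < 8:
            findings.append((u["name"], "password shorter than 8 characters"))
        if not re.fullmatch(r"[A-Za-z0-9]+", u["password"]):
            findings.append((u["name"], "password has non-alphanumeric characters"))
        if u["wpa3_only"] and u["wpa3_also"]:
            findings.append((u["name"], "WPA3 Only and WPA3 Also both set"))
        if u["ssid"] not in active_ssids:
            findings.append((u["name"], "SSID matches no active channel"))
        if combos[(u["ssid"], u["password"])] > 1:
            findings.append((u["name"], "shares SSID/password with another user"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in audit(CHANNELS, USERS):
        print(f"{subject}: {finding}")
```

The length and character checks reflect the client compatibility tips above; the shared-combination check matters most for tracking, because two users with the same SSID and password are recorded as one.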
In some cases you may notice Wi-Fi broadcast packets incoming to LAD on a Wi-Fi channel marked as "Allowed," but that do not appear as outgoing from LAD. The reason for this is because these broadcast packets, which are generated by the Wi-Fi client device and sent to so-called "broadcast IP addresses," are actually not routable. Ostensibly these broadcast packets are for network discovery, however, they pose more of a privacy and security risk than serving a useful purpose. Anybody who may be "listening" to your network could use the information in your packets to discover your network's topology and what devices you have located on the network. For these reasons, LAD does not support broadcast IP addresses because the dubious value of the function is not worth the risk.
Restoring Wi-Fi Channel to Default Settings
To restore a Wi-Fi channel to default settings, use one of the Set to Defaults buttons at the bottom of the page. You have a choice of restoring the channel to its original defaults for the band it is currently set to use (either 2.4Ghz, 5Ghz or 6Ghz), or you may convert it to a different band, with the default settings for the new band.
When restoring to defaults, the channel's current SSID will be preserved. If you need to make any further changes after that, make your changes, save them and then reboot the machine by going to "Settings" from the Main Menu and clicking on "Reboot" at the top of the page.