Newbie questions


I’m new to Canopy equipment and also to networking so forgive me if I ask dumb questions…

I have a 5.7 AP and SM and I am just getting to know how to configure them. As I have a broadband DSL connection in my honme, I thought I would plug the AP into my DSL router and the SM into my laptop. I plugged them in and ‘voila’ I have an internet connection. That’s great! I’m rather confused about the IP addressing though. I haven’t changed the default addresses on either the AP or the SM. I beleive they are set to How can they both have the same address? My laptop has received a private IP address of from the DHCP server on the DSL router. From the laptop, I can ping the SM and access its configuration page. But I can’t access the AP?

I don’t really understand 169.254.x.x addresses. Are they any different to the addresses in the other private ranges of 10., 192.168 etc?

I can see that the SM supports DHCP and NAT and the documentation says that if these are enabled then the device acts as a layer 3 switch. If not, it acts as a layer 2 bridge. With regard to the AP, does that always act as a layer 2 bridge? Does the AP always have to be configured with a static IP address?

How do I arrange the addressing of my APs and SMs in the real world so that they can’t be accessed by computers behind the SMs or from the outside. And once I’ve done this, how do I then connect to these devices myself to manage them?

With regard to the SM IP configuration, can someone explain to me the difference between the RF Public Network Interface Configuration that is configured when NAT is enabled and the LAN1 Network Interface Configuration that is configured when NAT is disabled?

Any advice would be greatly appreciated,


What are you planning to do with your Canopy? is the default ip address of all modules. Every device on the network has to have a different ip address. That is the reason you cant access the ap from the laptop. When you type into your web browser on the laptop the first device it comes to is the sm so you get the status page. Most all store bought cable and dsl routers on the market use 192.168.x.x with a subnet mask of I have used all the brands. For a small home or office network it is a good choice. using mask it’s saying that all devices on the same network must have the first three numbers the same for you to see them on the network
All these numbers can see each other on the network. so if you had a group with 192.168.1.x and a group with 192.168.2.x they could coexist on the same hardware but be seperate networks. that the modules come with use a net mask of this allows a broader range and a seperate network from the routers. On this net mask only the first two numbers need to be the same 169.254.x.x this allows you to see every device on the network from
This is nice because on a canopy network you can keep track of all your modules. Lets say that in a small Canopy network you have 4 clusters. each cluster is tied to the isp threw bh’s. Lets say each cluster is given
cluster 1 169.254.10.x cluster 2 169.254.20.x cluster 3 169.254.30.x
cluster 4 169.254.40.x

cluster 1

bh master
bn slave
ap 1 sm to
ap 2 sm to
ap 3
ap 4
ap 5
ap 6
up to

That way you know that if you see an ip address and it has an address of 169.254.10.x it is a device attached to cluster 1.

Yes the ap always has to be configured with a static ip if not you would not know what address the dhcp server addigned to access the ap.

At the ISP i have a Cisco router that is set up for DHCP server for 10.x.x.x. My bh ties directly into that router. All Canopy modules use 169.254.x.x. On the sm end we put a dlink broadband router plugged into the WAN port. the dlink recieves a ip from the DHCP server at 10.x.x.x it in turn has its own DHCP server set up for 192.168.1.x for all the computers on that end. If the customer wants a public ip we pit that in the broadband router instead.
As for managing the system set the ip address on the computer you are planning on managing from to and you will be able to see all the modules on the network i just described. Leave open so if you install a new module you wont have a conflict. The people on the other side of the broadband router with 192.168.x.x addresses wont be able to see the canopy equipment.

I hope that all made scense.

You must also set the IP Address accessibility of the SM radio to “public” to manage it from your network operations center.

From your notebook, with an address of, you’re able to ping and browse to That’s bizarre, given the setup you’ve described.

When you ping an address not on your local network – per the description posted by Attitude0330, combining address with mask – the ping request is sent to the router to look for the foreign address. If the ping is successful, then your router knows about the network, but that makes no sense either.

Please share a few more details with us. Here’s a bit of info on IP addresses for you; I hope it makes sense. Enjoy!

IP Addressing Tutorial

Dots & Digits, Bits & Bytes

An IPv4 (Internet Protocol Version 4) address is typically written as four numbers separated by periods, or “dots.” Each IP address has an associated mask, also written as four numbers separated by dots. The four numbers – in both address and mask – each range from 0 to 255.

Each 1 to 3-digit number is the decimal (base 10) representation of an 8-digit binary (base 2) number. These 8-bit numbers (“bit” is short for “binary digit”) are composed of only the digits “0” and “1”. Decimal numbers are composed of the digits “0” through “9”.

Each 8-bit number – also called an octet or byte – ranges in value from 00000000 to 11111111. The binary value 11111111 equals the decimal value 255. That’s why an IP address’s four decimal numbers each range from 0 to 255, and why masks start with at least one “255”. The mask is the same as 11111111.11111111.11111111.00000000.

IP addresses and masks are sometimes written in hexadecimal notation – hex for short. Hex digits include 0-9 and A-F: sixteen possible values. 8-bit numbers convert to 2-digit hex numbers: 00000000 binary = 0 decimal = 00 hex; 11111111 = 255 = FF hex; 00001010 = 10 = 0A hex.

Public, Private, & NAT

“Public” IP addresses are assigned by a central governing body for use by Internet Service Providers (ISPs). ISPs then assign these addresses to their customers. Only a single customer, anywhere in the world, can use a specific block of Public addresses.

“Private” IP addresses – specified by the same governing body – can be used by anyone. Any ISP or customer in the world can use, and reuse, the same identical blocks of Private addresses. Private addresses, however, can only be used within an ISP’s or customer’s private network. Private addresses cannot be used to communicate over the public Internet.

If a PC is assigned a Private address, its address must be converted to a Public address before talking over the Internet. The process of conversion is called Network Address Translation (NAT). Meskwaki’s Internet router is configured to use NAT.

The following table lists the prefixes for the 273 (1+16+256) available Private IP address blocks. An “x” indicates the entire valid octet range, from 0 to 255, is contained in the block. All public and private addresses are classified as A, B, or C, based on the position of the first (leftmost) “0” bit in the address.

Qty. 1 Class A Network: 10.x.x.x (Class A Mask)

Qty. 16 Class B Networks: 172.16.x.x – 172.31.x.x (Class B Mask)

Qty. 256 Class C Networks: 192.168.0.x – 192.168.255.x (Class C Mask)

Network, Host, & Mask

An IP address has two parts: network and host. An IP “host” is anything with an IP address: router, switch, printer, or computer. The network portion defines a group of computers; the host portion designates a single computer. The mask tells you where the portions are split.

In Class A, B, and C networks, the split is made at the 1st, 2nd, or 3rd dot, respectively. The split, however, can be made at nearly any point in the last three octets of the address – at a dot or in the middle of a number – allowing a single “Class” network to be split into multiple subnets.

These splits cannot easily be described or visualized when they’re in the middle of a 3-digit decimal number within the address. To make any sense, the split must be understood in the context of the binary representation of the address. Here are the rules and result:

All the leading bits (minimum of eight) in a mask must be ones, all trailing bits (minimum of two) must be zeros – ones and zeros cannot intermingle. The split between ones and zeros in the mask defines the split between the network and host portions of the address.

As a result, there are only 23 valid masks out of the 33 combinations of contiguous ones and/or zeros. The following table shows the binary representation of the mask, the number of bits used (the number of leading ones) in the mask, and the decimal value of each valid mask:

00000000.00000000.00000000.00000000 0 bits Invalid Mask

10000000.00000000.00000000.00000000 1 Invalid
11000000.00000000.00000000.00000000 2 Invalid
11100000.00000000.00000000.00000000 3 Invalid
11110000.00000000.00000000.00000000 4 Invalid
11111000.00000000.00000000.00000000 5 Invalid
11111100.00000000.00000000.00000000 6 Invalid
11111110.00000000.00000000.00000000 7 Invalid
11111111.00000000.00000000.00000000 8

11111111.10000000.00000000.00000000 9
11111111.11000000.00000000.00000000 10
11111111.11100000.00000000.00000000 11
11111111.11110000.00000000.00000000 12
11111111.11111000.00000000.00000000 13
11111111.11111100.00000000.00000000 14
11111111.11111110.00000000.00000000 15
11111111.11111111.00000000.00000000 16

11111111.11111111.10000000.00000000 17
11111111.11111111.11000000.00000000 18
11111111.11111111.11100000.00000000 19
11111111.11111111.11110000.00000000 20
11111111.11111111.11111000.00000000 21
11111111.11111111.11111100.00000000 22
11111111.11111111.11111110.00000000 23
11111111.11111111.11111111.00000000 24

11111111.11111111.11111111.10000000 25
11111111.11111111.11111111.11000000 26
11111111.11111111.11111111.11100000 27
11111111.11111111.11111111.11110000 28
11111111.11111111.11111111.11111000 29
11111111.11111111.11111111.11111100 30
11111111.11111111.11111111.11111110 31 Invalid
11111111.11111111.11111111.11111111 32 Invalid

Decimal & Binary Conversion:

When converting binary to decimal, and back, use the following equivalents:

00000001 = 1
00000010 = 2
00000100 = 4
00001000 = 8
00010000 = 16
00100000 = 32
01000000 = 64
10000000 = 128

Where do these values come from? Consider the 4-digit decimal number 9999: the digits from left to right are referred to as “thousands”, “hundreds”, “tens”, and “ones”. Every digit to the left is ten times the value of the digit to its right.

The formal math notations for these decimal digits are 103, 102, 101, and 100, respectively. Ten-to-the-power-three = 1000, ten-to-the-two = 100, ten-to-the-one = 10, and ten-to-the-zero = 1. Any number raised to the power one equals itself. Any number raised to the power zero equals 1.

Now consider the 4-digit binary number 1111 – 23, 22, 21, and 20, respectively. Two-to-the-three (2x2x2) = 8, two-to-the-two (2x2) = 4, two-to-the-one = 2, and two-to-the-zero = 1. Every digit to the left is double the value of the digit to its right.

Convert binary to decimal by adding together the decimal value for each binary digit:

00000011 = 2 + 1 = 3
00011000 = 16 + 8 = 24
01000100 = 64 + 4 = 68
11000000 = 128 + 64 = 192
11111000 = 128 + 64 + 32 + 16 + 8 = 248

To convert decimal 240 to binary, regressively subtract the largest number possible until you get to zero. Note each binary equivalent subtracted, and then add the binary values together:

240 – 128 = 112 10000000 (128)
112 – 64 = 48 01000000 (64)
48 – 32 = 16 00100000 (32)
16 – 16 = 0 00010000 (16)
240 = 11110000

Convert decimal 167 the same way:

167 – 128 = 39 10000000 (128)
39 – 32 = 7 00100000 (32)
7 – 4 = 3 00000100 (4)
3 – 2 = 1 00000010 (2)
1 – 1 = 0 00000001 (1)
167 = 10100111

Thanks all very much for your responses,

fyi, I work for a WISP that is in the process of setting up and we are located in Australia.

Teknix thanks for the info, you didn’t seem convinced about my test setup but attitude0330 did seem to understand it. Just to be clear on it and also to allow me to ask a further question on that subject, my test configuration is as follows…
I connected my AP to my DSL router. The router is configured with an IP address of I didn’t changed the IP configuration of my AP, so its IP address was set to with a gateway of I connected the SM directly to my laptop. It also had its default configuration address of My laptop got its IP address of from the DHCP server running on the DSL router. So, with this setup I am able to ping the SM even though the network portion of its address was different to the laptop’s. Is this because they were directly connected and the ping didn’t have to go through a router? Another question - what about the gateway address configured on the AP. Is a valid gateway address? In my setup there was no gateway with this address so how does that affect the AP’s operation?

attitude0330, thanks for all you advice on network IP addressing. It was very very helpful. With regard to placing the broadband router between the SM and the computer. I can see how that protects the canopy system from being accessed from the someone behind the SM. So, in that case do you always need a router at every customer premise? From a security perspective, is there anything to stop a customer from unplugging the router and connecting the SM directly to their computer? If they did this they would then be able to access the canopy devices, wouldn’t they?

I’m not sure I understand what you mean when you say ‘If the customer wants a public ip we pit that in the broadband router instead.’ Do you mean that the router gets the public IP address and the computer still uses dhcp to get a private address from the router?

Also, when talking about managing the network you said to set the IP address on the computer to That is if my computer is connected directly to the network, right? What about if I want to remotely manage it, from our office say?

hope my questions aren’t getting too tedious… :slight_smile:


Devices on an an Ethernet network communicate using their MAC addresses(OSI Layer 2). Even when a network is overlaid with IP addresses (Layer 3), the Ethernet adapters still talk to each other using their MAC addresses.

When your PC ( pings the router (, the Ethernet adapter in your PC first has to learn the MAC address of the router before the ping can be sent. This is done using ARP - Address Resolution Protocol.

If you’re running Microsoft Windows, open a command window and type “arp -a”. This command gives you a table listing the IP addresses your PC has resolved to MAC addresses using ARP. You should see your router listed; if not, just browse to a web site or check your email, then it should be listed. If you ping another PC on your local network, then that PC will be added to your ARP table. The ARP entries will “age” and disappear from the list after a period of time.

ARP works by sending a Layer-2 broadcast on your LAN. To ping the router, your PC first sends a packet with IP address and a MAC address of 00-00-00-00-00-00. All devices on your LAN receive this broadcast, but only a device with a matching IP address – if one exists – will respond. If there is a response, your PC will take the MAC address from the response and add it to its ARP table. Your PC next sends the actual ping request in a packet addressed with both IP and MAC addresses and waits for a response.

When you ping an IP address not on your local network, ARP does not try to resolve the address by sending a MAC broadcast using the IP address you’re pinging. Instead it resolves the default gateway (router) address and sends the ping request to the router. It’s the router’s responsibility to find addresses outside your local network; it’s a “gateway” to other networks.

This is why I don’t understand your situation. Pinging from your PC should fail.

Trying watching the ARP table on your PC as you ping addresses both inside and outside your network. What does it show when you ping a remote DNS server? What does it show when you ping the SM?

If you want to fully understand the larger IP addressing issues suggested by Attitude0330, you need to first uderstand the underlying basics.

Good luck!

This is why I don't understand your situation. Pinging from your PC should fail.

I don't understand why it works either, but it does. I have seem the same situation, where an adapter has an IP address on a completely different subnet than the Canopy radios, and as long as it's directly connected, you can get to it. Maybe its because the only first possible place that ARP can go is down the copper used to connect to the SM. Since Canopy is all Layer-2, I just think of each radio, no matter what kind it is, as a port on a switch. In that case, a broadcast generated by a computer directly connected to an SM(switch) is going to be seen by that SM. On the other hand, if you directly connected two laptops with a crossover cable, and placed them on different subnets, they couldn't talk. Who knows.

It is also the case that if a Canopy SM is terminated into a WAN port of a broadband NAT-router, with the Canopy radios being on a subnet different from the routable IPs of the network, and the NAT addresses behind the router, that a computer with a NAT address can access the radio. They of course have to know the password. I guess this would be the same situation as mentioned above, only this time the router is inspecting the destination ip/subnet of the packet, and applies the default route of <network gateway>. The first place that packet has to hit before it gets to the core gateway would be the SM.

Just some personal experience.


In your second paragraph, does the SM on the WAN port of the router have an address on the same network as the WAN port? A ping from the NAT side of the router should succeed.

As for your first paragraph, can you duplicate this result? Can you tell me how to create a setup where I can see first-hand what you and Rebecca have found? I haven’t seen this behavior before; I’ve tried to duplicate it, but I got the results I expected: a ping fails from a PC to a SM.


In your second paragraph, does the SM on the WAN port of the router have an address on the same network as the WAN port? A ping from the NAT side of the router should succeed.

No, it is not on the same subnet. The routers have public, routable addresses, and the Canopy radios are on a private network. Users behind the NAT router can only get to the web interface of the connected SM, they cannot get any further, as in to the APs, etc. The Accessibility Param on the SM is set to Local. In theory, if a user enters any addy in their browser, the routing table would be inspected, and would apply the default route and pass the packet to our edge router. When it gets to the edge router, it would just be dropped. The only exception seems to be when trying to access the connected SM, and it works.

As for your first paragraph, can you duplicate this result? Can you tell me how to create a setup where I can see first-hand what you and Rebecca have found? I haven't seen this behavior before; I've tried to duplicate it, but I got the results I expected: a ping fails from a PC to a SM.

I will try to recreate an example the next time I am at the office.

Rebecca I do agree with teknix on your setup I wasnt paying attention well enough to your ip addresses before. To your question’s no you dont have to use a router at every sm, just make the customer’s computer’s a diffarent ip range and subnet from your modules. Like I described above if you use 169.254.x.x for your modules and 192.168.x.x for your customers equipment they wont be able to see your equipment unless they really know what they are doing. If you password protect the modules even if they do see them they wont be able to access them.

The public ip address can be used in many diffarent ways depending on why the customer wants one. Yes you can put it in the router and have the router assign dynamic private ip addresses to the computers on the other side of the router, or you could just put it in a single computer without a router. The Broadband routers give the customer a little more security and make them feel like they have a little bit of control because they get to play with the settings and you dont have to worry about them messing with the sm.

When managing the network I said DON’T use because every new module comes with that ip already in it. Use something else like Yes if your computer is connected directly to the network. Do you not have an extension of your network at your office? It really doesn’t matter whitch end of the network you are on just as long as you are connected to it you will be able to manage it.


when you figure that out I would like to see it also as I do agree with Teknix

Thanks all again for your responses.

I have played around with the arp command and below is the result of a test I did. I had the same setup as described previously. Before I pinged the SM I looked in the arp table and there was no entry for the SM. Then I pinged the SM, then looked at the arp table again and still no entry??

C:'Documents and Settings’ROstergaard>arp -a

Interface: on Interface 0x3
Internet Address Physical Address Type 00-11-95-03-9e-7a dynamic

C:'Documents and Settings’ROstergaard>ping

Pinging with 32 bytes of data&colon;

Reply from bytes=32 time<10ms TTL=255
Reply from bytes=32 time<10ms TTL=255
Reply from bytes=32 time<10ms TTL=255
Reply from bytes=32 time<10ms TTL=255

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% los
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:'Documents and Settings’ROstergaard>arp -a

Interface: on Interface 0x3
Internet Address Physical Address Type 00-11-95-03-9e-7a dynamic

Since only your router (, I presume) is listed in your ARP table, the logical conclusion would be that your router is aware of (has a route to) the 169.254.1.x network. You can confirm this by shutting down any PC apps that access the network (email, web, etc.) and waiting a few minutes until your PC’s ARP table is empty. Then ping the SM and verify that the router is again listed by ARP. This confirms that your PC has used its default gateway to find

Your setup is: PC --> SM --> AP --> (LAN) router (WAN) --> DSL?

If you want to learn what’s going on, I suggest inspecting the configurations of SM, AP, and router. Something is set in a way that causes the unusual behavior. Is NAT or DHCP server and/or client turned on in the SM (Advanced Network Config)? What are the SM’s and AP’s IP Configurations?

You can also set the SM, AP, and router back to factory defaults to start with known settings. If you default your router, however, make sure you first have all the parameters needed to reestablish Internet connectivity.

please help.

i’m going to buy a canopy system. i’ll be connecting a point-multipoint scheme. should i just buy the necessary AP’s and the SM’s? or the CMM also?
thanks. please answer to