Wake-on-LAN: Difference between revisions

From Wikipedia, the free encyclopedia
Hnobley (talk | contribs)
→‎Wake on Internet: Renamed to apple sleep proxy service
Line 111: Line 111:


==Wake on Internet==
==Wake on Internet==
{{See also|Sleep Proxy Service}}
{{See also|Apple_Sleep_Proxy_Service_(Bonjour_Sleep_Proxy)}}
The computer being woken does not know whether the wakeup signal comes from another machine on the same network or from anywhere else. If the magic packet can be made to reach a computer, it can originate anywhere (e.g., from the Internet). This can be achieved by a [[Virtual Private Network]] (VPN), which makes the remote computer appear to be a member of the [[Local Area Network]] (LAN). In the absence of a VPN, a computer connected to a [[router]] can be woken if a magic packet sent over the Internet is routed to it. This requires any firewall to be set up to allow entry of the Wake-on-LAN signal to a specified port. The port can be forwarded to the computer to be woken up; or some routers permit the packet to be broadcast to the entire LAN<ref>[http://portforward.com/english/routers/port_forwarding/routerindex.htm Common Router Port Forward Settings]</ref>. However, some routers do not support this as they will not forward broadcast packets.
The computer being woken does not know whether the wakeup signal comes from another machine on the same network or from anywhere else. If the magic packet can be made to reach a computer, it can originate anywhere (e.g., from the Internet). This can be achieved by a [[Virtual Private Network]] (VPN), which makes the remote computer appear to be a member of the [[Local Area Network]] (LAN). In the absence of a VPN, a computer connected to a [[router]] can be woken if a magic packet sent over the Internet is routed to it. This requires any firewall to be set up to allow entry of the Wake-on-LAN signal to a specified port. The port can be forwarded to the computer to be woken up; or some routers permit the packet to be broadcast to the entire LAN<ref>[http://portforward.com/english/routers/port_forwarding/routerindex.htm Common Router Port Forward Settings]</ref>. However, some routers do not support this as they will not forward broadcast packets.
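Review bot: the new hatnote target on the added line, `Apple_Sleep_Proxy_Service_(Bonjour_Sleep_Proxy)`, is written with underscores where the removed line used a spaced title (`Sleep Proxy Service`). Write the template argument with spaces so the rendered hatnote reads as a page title, and check that the target matches the renamed page exactly, since the edit summary gives the name only in lower case ("apple sleep proxy service").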



Revision as of 22:43, 9 March 2011

Wake-on-LAN (WOL) is an Ethernet computer networking standard that allows a computer to be turned on or woken up by a network message. The message is usually sent by a program executed on another computer on the same local area network. Equivalent terms include Wake On WAN, Remote Wake-up, Power On By LAN, Power Up By LAN, Resume by LAN, Resume on LAN, Wake Up On LAN.

In case the computer being woken is communicating via Wi-Fi, a supplementary standard called Wake on Wireless LAN (WoWLAN) must be employed.[1]

The WOL and WoWLAN standards are often supplemented by vendors to provide protocol-transparent on-demand services, for example in the Apple Bonjour wake-on-demand feature.[2]

Technical details

System requirements

Wake-on-LAN support is implemented on the motherboard (BIOS) of a computer and the network interface (firmware), and is consequently not dependent on the operating system (and NIC drivers) running on the hardware. Some operating systems can control Wake-on-LAN behaviour via hardware drivers. If the network interface is a plug-in card rather than being integrated into the motherboard, the card may need to be connected to the motherboard by a cable. Motherboards with an embedded Ethernet controller which supports Wake-on-LAN do not need a cable. The power supply must meet ATX 2.01 specifications.

How it works

Wake-on-LAN is implemented using a special network message called a magic packet. The magic packet contains the MAC address of the destination computer. The listening computer waits for a magic packet addressed to it and then initiates system wake-up.

The magic packet is sent on the data link layer (layer 2 in the OSI model) and broadcast to all NICs using the network broadcast address; the IP address (layer 3 in the OSI model) is not used. This is why Wake-on-LAN is platform-independent. Any application, on any platform, can wake up computers running on any other platform.

It is a common misconception that because Wake-on-LAN is built upon broadcast technology it can only be used within the current network subnet. Whilst this is generally the case there are some exceptions.

In order for Wake-on-LAN to work, parts of the network interface need to stay on. This consumes standby power, much less than normal operating power. If Wake-on-LAN is not needed, disabling it may reduce power consumption slightly while the computer is switched off but still plugged in.[3]

Magic Packet

The magic packet is a broadcast frame containing anywhere within its payload 6 bytes of all 255 (FF FF FF FF FF FF in hexadecimal), followed by sixteen repetitions of the target computer's 48-bit MAC address.

Since the magic packet is only scanned for the string above, and not actually parsed by a full protocol stack, it may be sent as any network- and transport-layer protocol. It is typically sent as a UDP datagram to port 7 or 9, but actually it can be sent on any port.

Limitations of Wake-on-LAN Magic Packets

A standard magic packet has the following basic limitations:

  • Requires destination computer MAC address (also may require a SecureOn password)
  • Does not provide a delivery confirmation
  • May not work outside of the local (or the local segment of the) network
  • Requires hardware support of Wake-On-LAN on destination computer

The Wake-on-LAN implementation is designed to be very simple and to be quickly processed by the circuitry present on the network interface card (NIC) with minimal power requirement. Because Wake-on-LAN operates below the protocol layer, the MAC address is required, and IP addresses and DNS names are meaningless.

Subnet Directed Broadcasts

A principal limitation of standard broadcast Wake-On-LAN is that broadcast packets are generally not routed. This prevents the technique being used in larger networks or over the internet. Subnet Directed Broadcasts (SDB)[4][5] may be used to overcome this limitation. SDB may require changes to intermediate router configuration. Subnet directed broadcasts are treated as normal network packets until processed by the final (local) router. This router converts the packet into a true broadcast packet. This technique allows a broadcast to be initiated on a remote network but requires all intervening routers to forward the SDB[6][7]. When preparing a network to forward SDB packets, care must be taken to filter such that only desired (e.g. WoL) SDB packets are permitted—otherwise the network becomes unprotected against DDoS attacks such as the Smurf Attack.

Sending the magic packet

There are many ways to send the magic packet. Software is available for all modern platforms, including Windows, Apple and Linux, plus many smart phones. Also there are web sites on the Internet that allow a magic packet to be sent online without charge. Example source code for a developer to add Wake-on-LAN to a program is readily available in many computer languages.[8][9]

Some home routers are able to send magic packets to the LAN; for example, routers with DD-WRT firmware have a Wake-on-LAN client.

Troubleshooting magic packets

Wake-on-LAN can be a frustrating technology to implement. This is because it requires appropriate BIOS, network card and, sometimes, operating system and router support to function reliably. In some cases hardware may wake from one low power state but not from others. This means that, due to hardware issues, the computer may wake from the "fully off" state (S5) but not from sleep or hibernation.

There are software tools to help with Wake-on-LAN troubleshooting. These monitoring tools allow confirmation that the magic packet has arrived at a particular PC. This allows networking issues to be isolated from other hardware issues. In some cases they also confirm that the packet was destined for a specific PC or allow magic packets to be 'promiscuously sniffed' from the network.

In Windows Vista and higher, you can also determine how the OS was powered up. You can use powercfg /lastwake in the CMD prompt and it will list the "Wake Source". The Wake-on-LAN event should also be logged in the System event log[10].

Security Issues

Magic packets are sent via the data link or OSI-2 layer, which can be used or abused by anyone on the same LAN, unless the L2 LAN equipment is capable of (and configured for) filtering such traffic to match site-wide security requirements.

Firewalls may be used to prevent clients within the public WAN from accessing the broadcast addresses of inside LAN segments.

Certain NICs support a security feature called "SecureOn". It allows users to store within the NIC a hexadecimal password of 6 bytes. Clients have to append this password to the magic packet. The NIC wakes the system only if the MAC address and password are correct. This security measure significantly decreases the risk of successful brute force attacks, by increasing the search space by 48 bits (6 bytes), up to 2^96 combinations if the MAC address is entirely unknown.

Still, only a few NIC and router manufacturers support such security features.[citation needed]

Abuse of the Wake-on-LAN feature only allows computers to be switched on; it does not in itself bypass password and other forms of security.
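The layout described under "Magic Packet" and the SecureOn password described above can be checked in a monitoring or troubleshooting tool with a scanner like the following. This is an added example, not code from the article or its references; the function names and sample payloads are constructed for illustration, and treating exactly six trailing bytes as a SecureOn password is an assumption.

```python
"""Detect Wake-on-LAN magic packets inside a captured payload (added example)."""

SYNC = b"\xff" * 6          # six bytes of 0xFF
REPEATS = 16                # target MAC repeated sixteen times


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def find_magic_packets(payload: bytes):
    """Return [(mac, secureon_hex_or_None), ...] for each magic pattern found.

    The pattern may sit anywhere in the payload, so every offset where the
    sync stream occurs is tried rather than only offset zero.
    """
    hits = []
    pos = payload.find(SYNC)
    while pos != -1:
        body = pos + len(SYNC)
        mac = payload[body:body + 6]
        end = body + 6 * REPEATS
        if len(mac) == 6 and payload[body:end] == mac * REPEATS:
            tail = payload[end:]
            # Assumption: exactly six trailing bytes are a SecureOn password.
            password = tail.hex() if len(tail) == 6 else None
            hits.append((format_mac(mac), password))
            pos = payload.find(SYNC, end)
        else:
            pos = payload.find(SYNC, pos + 1)
    return hits


def classify(payload: bytes, local_mac: str) -> str:
    """Label a payload for a troubleshooting or monitoring log."""
    hits = find_magic_packets(payload)
    if not hits:
        return "not-wol"
    if any(mac == local_mac.lower() for mac, _ in hits):
        return "wol-for-this-host"
    return "wol-for-other-host"


# Constructed sample payloads (not captured traffic).
_MAC = bytes.fromhex("001122334455")
PLAIN = SYNC + _MAC * 16
WITH_PASSWORD = b"junk" + SYNC + _MAC * 16 + bytes.fromhex("a1b2c3d4e5f6")
TRUNCATED = SYNC + _MAC * 15          # one repetition short: must not match
SHIFTED = b"\xff" + PLAIN             # seven 0xFF bytes before the MAC

if __name__ == "__main__":
    for p in (PLAIN, WITH_PASSWORD, TRUNCATED, SHIFTED):
        print(find_magic_packets(p), classify(p, "00:11:22:33:44:55"))
```

Logging the source address alongside each hit shows whether wake requests originate outside the expected management hosts.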

TLS Encryption

Some PCs include technology built into the chipset to improve security for Wake-on-LAN. For example, Intel AMT (a component of Intel vPro technology) includes Transport Layer Security (TLS), an industry-standard protocol that strengthens encryption.[11]

AMT uses TLS encryption to secure an out-of-band communication tunnel to an AMT-based PC for remote management commands such as Wake-on-LAN. AMT secures the communication tunnel with Advanced Encryption Standard (AES) 128-bit encryption and RSA keys with modulus lengths of 2,048 bits.[12][13] Because the encrypted communication is out-of-band, the PC’s hardware and firmware receive the magic packet before network traffic reaches the software stack for the operating system (OS). Since the encrypted communication occurs “below” the OS level, it is less vulnerable to attacks by viruses, worms, and other threats that typically target the OS level.[11]

IT shops using Wake-on-LAN through the Intel AMT implementation can wake an AMT PC over network environments that require TLS-based security, such as IEEE 802.1x, Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP) environments.[11] The Intel implementation also works for wireless networks.[11]

Hardware implications

Older motherboards must have a WAKEUP-LINK header onboard connected to the network card via a special 3-pin cable; however, systems supporting the PCI 2.2 standard and with a PCI 2.2 compliant network adapter card do not usually require a Wake-on-LAN cable as the required standby power is relayed through the PCI bus.

PCI version 2.2 supports PME (Power Management Events). PCI cards send and receive PME signals via the PCI socket directly, without the need for a Wake-on-LAN cable.[14]

Wake-on-LAN usually needs to be enabled in the Power Management section of a PC motherboard's BIOS setup utility, although on some systems, such as Apple computers, it is enabled by default. It may also be necessary to configure the computer to reserve power for the network card when the system is shut down.

In addition, in order to get Wake-on-LAN to work it is sometimes required to enable this feature on the interface card. Details of how to do this depend upon the operating system and the device driver.

Laptops powered by the Intel Centrino® Processor Technology or newer[15] (with explicit BIOS support) allow waking up the machine using wireless Wake on Wireless LAN (WoWLAN).

In most modern PCs, ACPI is notified of the "waking up" and takes control of the power-up. In ACPI, OSPM must record the "wake source", the device that is causing the power-up: the "soft" power switch, the NIC (via Wake-on-LAN), the cover being opened, a temperature change, etc.[10]

Other machine states and LAN wakeup signals

In the early days of Wake-on-LAN the situation was relatively simple: a machine was connected to power but switched off, and it was arranged that a special packet be sent to switch the machine on.

Since then many options have been added and standards agreed upon. A machine can be in 7 power states from S0 (fully on) through S5 (powered down but plugged in) and disconnected from power (G3, Mechanical Off), with names such as "sleep", "standby", and "hibernate". In some reduced-power modes the system state is stored in RAM and the machine can wake up very quickly; in others the state is saved to disk and the motherboard powered down, taking at least several seconds to awake. The machine can be woken from a reduced-power state by a variety of signals. In a particular example, the Gigabyte 8KNXP motherboard with built-in Intel PRO/1000 CT network adapter, there are 3 motherboard BIOS settings and 6 network adapter settings which affect wakeup. The problem is often to prevent the machine waking up immediately after going to a reduced power state.[original research?]

The machine's BIOS must be set to allow Wake-on-LAN. To allow wakeup from powered-down state S5, wakeup on PME (Power Management Event) is also required. The Intel adapter allows "Wake on Directed Packet", "Wake on Magic Packet", "Wake on Magic Packet from power off state", and "Wake on Link".[16] Wake on Directed Packet is particularly useful as the machine will automatically come out of standby or hibernation when it is referenced, without the user or application needing to explicitly send a magic packet. Unfortunately in many networks waking on directed packet (any packet with the adapter's MAC address or IP address) or on link is likely to cause wakeup immediately after going to a low-power state. Details for any particular motherboard and network adapter are to be found in the relevant manuals; there is no general method. Knowledge of signals on the network may also be needed to prevent spurious wakening.

Unattended operation

For a machine which is normally unattended, precautions need to be taken to make the Wake-on-LAN function as reliable as possible. For a machine procured to work in this way, Wake-on-LAN functionality is an important part of the purchase procedure.

Some machines do not support Wake-on-LAN after they have been disconnected from power (e.g., when power is restored after a power failure). Use of an uninterruptible power supply (UPS) will give protection against a short period without power, although the battery will discharge during a prolonged power cut.

Awakening without operator presence

If a machine that is not designed to support Wake-on-LAN is left powered down after power failure, it may be possible to set the BIOS to start it up automatically on restoration of power, so that it is never left in an unresponsive state. A typical BIOS setting is AC back function which may be on, off, or memory. On is the correct setting in this case; memory, which restores the machine to the state it was in when power was lost, may leave a machine which was hibernating in an unwakeable state.

Other problems can affect the ability to start or control the machine remotely: hardware failure of the machine or network, failure of the BIOS settings battery (the machine will halt when started before the network connection is made, displaying an error message and requiring a keypress), loss of control of the machine due to software problems (machine hang, termination of remote control or networking software, etc.), and virus infection or hard disk corruption. Therefore, the use of a reliable server-class machine with RAID drives, redundant power supplies, etc., will help to maximize availability. Additionally, a device which can switch the machine off and on again, controlled perhaps by a remote signal, can force a reboot which will clear problems due to misbehaving software.

For a machine not in constant use, energy can be conserved by putting the machine into low-power RAM standby after a short timeout period. If a connection delay of a minute or two is acceptable, the machine can timeout into hibernation, powered off with its state saved to disk.

Wake on Internet

The computer being woken does not know whether the wakeup signal comes from another machine on the same network or from anywhere else. If the magic packet can be made to reach a computer, it can originate anywhere (e.g., from the Internet). This can be achieved by a Virtual Private Network (VPN), which makes the remote computer appear to be a member of the Local Area Network (LAN). In the absence of a VPN, a computer connected to a router can be woken if a magic packet sent over the Internet is routed to it. This requires any firewall to be set up to allow entry of the Wake-on-LAN signal to a specified port. The port can be forwarded to the computer to be woken up; or some routers permit the packet to be broadcast to the entire LAN[17]. However, some routers do not support this as they will not forward broadcast packets.

See also

References

  1. ^ Wake on Wireless LAN
  2. ^ Glenn Fleishman (2009-08-28). "Wake on Demand lets Snow Leopard sleep with one eye open". Macworld.com. Retrieved 2009-09-15. "How it works", "Energy Saver preference pane".
  3. ^ Less Watts: Ethernet Tips & Tricks
  4. ^ Broadcasting and Multicasting
  5. ^ IP Addressing
  6. ^ Magic Packet Technology. AMD White Paper.
  7. ^ About Subnet-Directed Broadcast Wake-Up Packets for Wake On LAN, in Microsoft System Center Configuration Manager 2007
  8. ^ Wake-on-LAN class (C# source code)
  9. ^ Simple Java Implementation of Wake-on-LAN
  10. ^ a b [1]
  11. ^ a b c d "Intel Centrino 2 with vPro technology and Intel Core2 processor with vPro technology" (PDF). Intel. Retrieved 2008-08-07.
  12. ^ "Advanced Encryption Standard (AES) Instructions Set". Intel. Retrieved 2008-04-06.
  13. ^ "Hardening Measures Built into Intel Active Management Technology". Intel. Retrieved 2008-06-11.
  14. ^ Using Wake-On-LAN WOL/PME to power up your computer remotely
  15. ^ Intel® PRO/Wireless Network Connection
  16. ^ Remote Wake-Up: Intel Network Adapters User Guide
  17. ^ Common Router Port Forward Settings