
Got network?


Guest asrequested


Well, with the new cables, I'm happy to report that my network is working better than ever. Very snappy!

 

 


How short are those cables? I seem to remember 12" being the minimum.

 

Thank you for the tip, I found jumbo packet support.

 

You know the VLAN setup is a little odd on the unifi line. I wasn't able to just set up VLAN-only networks. I had to set up corporate networks and enumerate the IPv4 subnets for each.

 

I got my new unifi US-24-250W switch in my home production environment. I took today off and was able to set up the VLANs on my switch to match the ones I set up on the firewall.

 

I had to adjust my IPv6 request to Comcast to a /60 instead of a single /64 subnet. This gives me 16 subnets with 256 nodes per subnet from the block I get from Comcast. My management LAN, main VLAN, wifi VLAN, infrastructure VLAN and guest VLAN all support a separate IPv6 subnet.

 

I had some trouble with IPv6 support on the unifi switch at first. My unifi controller is running on 5.0.7. For some reason, if you have IGMP snooping enabled, IPv6 won't pass. Supposedly it is fixed in a patch 5.1.19 and above. I will plan an upgrade to my controller sooner than later.

 

I was able to get my new firewall rules and service permissions in place for each of the new VLANs and am 50% done testing and hardening.

 

I was able to move my wireless AP and wifi networks over to the new subnets/VLANs.

 

Now that my wifi networks are split up, my plan is to reserve the default LAN for network equipment and my management node. Next, I will move all my LAN clients to the main LAN VLAN. After that, I will be moving the servers and updating the reserved IP addresses, firewall aliases, and DNS records.

 

All my network equipment (firewall mini PC, 24 port switch, unifi controller (RPI 1B), home automation controller (RPI 3), 4 bay NAS, cable modem, HDHomerun Prime, and 12 port patch panel) has been sitting on a shelf in my furnace room. I put this in when we moved in and had planned on upgrading. Now that I have this new shiny switch I am considering picking up a network server rack like below:

 

https://www.amazon.com/dp/B01MS4NGU2/ref=cm_sw_r_cp_api_hkZYzbY4B3VKM

 

My plan will be to host all of it in there. I am a little worried about heat build up, but I am comfortable drilling holes and adding grills for air flow.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Guest asrequested


 

The DACs are 3 meters and the CAT6 are 3ft, 5ft and 10ft.

 

My system isn't complex enough that I need any VLANs. Although, now I have spare switches, I will never need VLANs lol. As for my firewall, I still haven't researched all of what it's capable of. 

 

I'm using the Unifi 5.5.20 controller, but there is a stable candidate release available, that has a lot of improvements.

Edited by Doofus

From a number of nodes on a segment perspective, I agree, VLANs are not useful for most homes.

In my use case VLANs allow me to identify and segregate devices. I then create firewall ACL permissions to limit access to internal resources, management consoles, and the Internet.

Good examples of this are:

1. Guest access (no access to any internal nodes, only filtered access to the Internet).

 

2. IOT devices (like security cameras, baby monitors, irrigation controllers, home automation devices) do not always need Internet access (or need limited Internet access).

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Don't sell yourself short. You have quite a server rack over there. The need has been steadily growing over network security for the last 3 years. Even at work I approach the problem from the perspective of minimum access necessary.

 

On the IOT front many current security camera models were found to be weakly secured (direct access to root permissions and remote code execution) and in general easily hacked. Many have the ability to create tunnels that traverse conventional home routers. They were also found to phone home a lot.

 

What's more, many of these compromised devices are being used in directed botnet attacks on the public Internet. The last 3 years have seen drastic increases in attacks using poorly secured IOT devices (sec cams, home network equipment, and compromised websites).

 

The peculiar part is that devices that record to a local NVR do not need access to the Internet aside from firmware updates. Devices that record to a cloud hosted service could be granted filtered access to the Internet by limiting communications access to the Internet to only the necessary public IPs. This is one of the main reasons I am implementing VLANs, as this allows me to:

1. Create not only deny/allow access to the Internet.

2. Create public IP firewall white lists based on VLAN. This would filter access to the Internet based on rules I create.

3. Limit access to management interfaces for devices on my internal network. This reduces my vulnerable surface area inside my network in the event that a compromised device is connected to my network.

 

 

Sent from my iPhone using Tapatalk


Guest asrequested


How do you manage all of that? Do you have to go layer by layer or do you have a UI that collates all the data?


So, network ACLs can be configured on layer 3 or higher devices. This includes layer 3 switches, some wireless APs, nicer routers, and firewall devices.

 

I had a convoluted method to block traffic to the Internet, and between subnets on the same LAN.

Now with this new switch that supports VLANs I can group types of devices by VLAN.

 

1. Within a VLAN subnet devices can communicate with each other via the ARP table on the switch. This does not need intervention from the firewall.

NOTE: I could use the Isolation feature per switch port and wifi network to isolate those devices from each other.

Then on the firewall I create allow and deny rules on each VLAN to IP addresses, ports, VLANs, the public Internet, management interfaces, etc. These policies are enforced whenever a device wants to communicate with a device that is not on the same VLAN.

 

I can take some screenshots later and make a diagram.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
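The design described across the thread (a /60 delegation split into one /64 per VLAN, same-VLAN traffic switched without the firewall, inter-VLAN traffic subject to rules, per-VLAN Internet whitelists for IoT devices, and management interfaces reachable only from the management VLAN) modelled as a small policy checker. This is an added example, not Tur0k's configuration and not code from Ubiquiti or pfSense; the delegated prefix, the VLAN IDs, the cloud NVR prefix and every policy entry are constructed assumptions.

```python
"""Per-VLAN IPv6 allocation and a minimal inter-VLAN / Internet policy check.

Added example: not the poster's configuration and not vendor code. The
delegated prefix, VLAN IDs and policy entries below are constructed.
"""
import ipaddress

# Constructed /60 in the documentation range, standing in for the ISP delegation.
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1230::/60")

# VLAN names from the thread; the numeric IDs are assumed.
VLAN_IDS = {
    "management": 1,
    "main": 10,
    "wifi": 20,
    "infrastructure": 30,
    "guest": 40,
    "iot": 50,
}

# Constructed cloud-recording prefix that an IoT camera is allowed to reach.
CLOUD_NVR = ipaddress.IPv6Network("2001:db8:cafe::/48")

# Internet reachability per VLAN: None = unrestricted, empty set = blocked,
# a set of networks = only those destinations (the per-VLAN whitelist).
INTERNET_POLICY = {
    "management": set(),
    "main": None,
    "wifi": None,
    "infrastructure": set(),
    "guest": None,
    "iot": {CLOUD_NVR},
}

# (source VLAN, destination VLAN) pairs the firewall routes between.
# Guest and IoT sources get no inter-VLAN access at all.
INTER_VLAN_ALLOW = {
    ("management", "main"), ("management", "wifi"),
    ("management", "infrastructure"), ("management", "iot"),
    ("main", "infrastructure"), ("wifi", "infrastructure"),
}

# Only the management VLAN may talk to management interfaces on other VLANs.
MANAGEMENT_SOURCES = {"management"}


def allocate_subnets(delegated, vlan_names):
    """Carve the delegated prefix into /64s, one per VLAN in the given order."""
    subnets = list(delegated.subnets(new_prefix=64))
    if len(vlan_names) > len(subnets):
        raise ValueError("delegated prefix has too few /64s for the VLAN list")
    return {name: subnets[i] for i, name in enumerate(vlan_names)}


def vlan_of(addr, allocation):
    """Return the VLAN whose /64 contains addr, or None for non-local addresses."""
    for name, net in allocation.items():
        if addr in net:
            return name
    return None


def decide(src, dst, allocation, dst_is_management=False):
    """Return (verdict, reason) for a flow from src to dst.

    Same-VLAN traffic is switched locally and never reaches the firewall;
    everything else is evaluated against the inter-VLAN and Internet policy.
    """
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address(dst)
    src_vlan = vlan_of(src, allocation)
    dst_vlan = vlan_of(dst, allocation)
    if src_vlan is None:
        return "deny", "source is not on any known VLAN"
    if dst_vlan is not None:
        if src_vlan == dst_vlan:
            return "allow", "same VLAN, switched locally (firewall not consulted)"
        if dst_is_management and src_vlan not in MANAGEMENT_SOURCES:
            return "deny", "management interfaces only from the management VLAN"
        if (src_vlan, dst_vlan) in INTER_VLAN_ALLOW:
            return "allow", f"inter-VLAN {src_vlan} -> {dst_vlan} permitted"
        return "deny", f"inter-VLAN {src_vlan} -> {dst_vlan} not permitted"
    # Destination is outside the delegated prefix: apply the Internet policy.
    allowed = INTERNET_POLICY[src_vlan]
    if allowed is None:
        return "allow", f"{src_vlan} has unrestricted Internet"
    if any(dst in net for net in allowed):
        return "allow", f"{dst} is on the {src_vlan} whitelist"
    return "deny", f"{src_vlan} may not reach {dst}"


if __name__ == "__main__":
    alloc = allocate_subnets(DELEGATED_PREFIX, list(VLAN_IDS))
    for name, net in alloc.items():
        print(f"VLAN {VLAN_IDS[name]:>3} {name:<15} {net}")
    # Constructed flows: an IoT camera, a guest phone, a laptop on main.
    flows = [
        ("2001:db8:abcd:1235::10", "2001:db8:cafe::1", False),
        ("2001:db8:abcd:1235::10", "2001:db8:9999::1", False),
        ("2001:db8:abcd:1235::10", "2001:db8:abcd:1233::1", True),
        ("2001:db8:abcd:1234::5", "2001:db8:abcd:1231::20", False),
        ("2001:db8:abcd:1231::20", "2001:db8:abcd:1231::30", False),
    ]
    for s, d, mgmt in flows:
        print(s, "->", d, *decide(s, d, alloc, mgmt))
```

Two design points follow from the post above. Same-VLAN traffic is accepted before any other check because the switch forwards it without the firewall ever seeing it, which is exactly why the management node gets its own VLAN rather than sharing one with the devices it manages, and why the per-port isolation feature mentioned in the NOTE is the only lever left inside a single VLAN. The IoT whitelist is expressed as a set of destination prefixes rather than a boolean, so a camera that records to a cloud service can reach that service and nothing else.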

tdiguy

Wow, I monitor firewalls for a living and I think I have the cheapest setup here.

I use a Buffalo WZR-HP-AG300H (with dd-wrt),

an 8 port switch and 3 WAPs; forget the make and model but they are all wifi AC,

and I run Emby on a Pi.

 

Most of my gear is mounted with some of that heavy duty double sided tape, kinda funny how much that stuff can hold.

Buffalo WZR-HP-AG300H


Happy2Play

Yeah, some of these guys are very impressive.

 

You're so modest. :rolleyes:


Guest asrequested


Ha! I only have a few switches, not like these guys. Mine is in adolescence. It's a bit cheeky, at times.


iamspartacus

Upgraded my 300/300 FIOS connection to Gigabit yesterday :D.

 

http://www.speedtest.net/my-result/6697680955

 

Tested a DL at pretty close to line speed throughput (96MB/s) and my pfSense CPU (c2758) didn't go above 22%.  Tested the same DL via my VPN Gateway Group (3 VPN client connections to PIA grouped together) and while I could only muster 30MB/s (VPN is def. the limiting factor), my CPU only hit 30%.  So I surmise I should be capable of hitting close to line speed throughput of encrypted data with my CPU which is very encouraging.



Yea, networking and systems are my job too. Unfortunately, my home network ends up being my work lab. I used to be wayyy worse. I used to get the old servers, firewalls, APs, and switches my work would cycle out and play with them at home. I ended up getting tired of the high electricity bills.

 

Now I physically only have a few network devices (1 firewall, 1 switch, 1 AP). I only have 3 actual servers: HTPC, soft controller (unifi running on an RPI 1B), and a home automation server (running on an RPI 3B). Most of my other services run on my firewall.

 

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k


I want fiber in my neighborhood!!!

 

 

Sent from my iPhone using Tapatalk


@turok

Ya, electricity where I live is pretty crazy, 16 cents per kw if I remember correctly. I finally have my bill down to about $130 a month, which is part of why I am trying to get Emby running smoothly on the Pi as a server. I love the capabilities of dd-wrt, especially the VPN :).

I am thinking of upgrading my mobo/CPU to https://www.newegg.com/Product/Product.aspx?Item=N82E16813135391&ignorebbr=1 It looks like a nice cheap upgrade that would support Intel quickstep hardware acceleration. Going to test out my old setup a bit more first; it's a dog transcoding, but it handles direct play for live TV far better than the Pi did, so it might be good enough. Just kinda bummed my old mobo only has a 100Mb Ethernet adapter.

I seem to really just have old stuff lol. Miss the days when I was single and would spend a K on a gaming rig and not give a damn.


Guest asrequested

OK guys. Looks like I'm going to sell both of the Unifi US-16-XG 10G 16-Port Managed Aggregation Switches and my Quanta LB6M 10G switch. Before I put them on eBay, I figured I'd give you guys first refusal at a lower price. The Unifis $300 + shipping (each) and the Quanta $100 + shipping. USA shipping only. If interested, PM me.


mastrmind11

Will you take a trade? I have a 3 year old, can't do anything, but is very good at pushing and punching, and is well versed in the use of "no".

 

Side note: can't run network cables for shit, but is willing to learn..... supposedly.


Guest asrequested


 

lol....Ah, I'm sorry. I have no use for your device. I hear they can be temperamental. 


mediacowboy


At best

4 weeks later...

Omg, I think I found an old Sun Microsystems full size 900-38 enclosed rack with heavy duty casters and PDUs already in for $99!!! It is a 38U rack.

 

Only problem is, I don't know that I would be able to fill it...

 

My end goal will be:

4U UPS

4U vm host/disk array

4U WHA receiver/amp

1U patch panel

1U switch

2 shelves for modem, firewall, and HDHomerun... that's it...

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

1 month later...
Tur0k

Well, that rack didn't work out. My wife wasn't happy with the amount of floor space the server rack would consume in our storage room. I already have my freezer and a big gun safe in there. That rack was a full size and the most space I could ever imagine needing would be 20U. I have gone the other direction for my physical redesign.

 

Here is a picture of my network shelf when I first got into the house (note: I did move the AP to the crawl space, and picked up an SB6190 cable modem instead of the old 6141 I had.)

 


 

Things went south after I added my new PoE switch. It is substantially heavier and I wasn't comfortable mounting it in the same space. I had to put the switch on the shelf and the RPIs and firewall on top of that.

 

I picked up a 9U network wall rack. https://www.ebay.com/itm/9U-Wall-Mount-Network-Server-Data-Cabinet-Rack-Enclosure-With-Cooling-Fan-Black/401396250595?epid=2184725148&hash=item5d7514b7e3:g:F5UAAOSw~fpZqnNl

 

I picked up a pair of 2U 14" rack shelves.

 

My plan is to try to mount the following in it:

1U - patch panel

2U - shelf: 2 x RPIs, 1 x HDHomerun Prime

1U - unifi US-24-250W

2U - shelf: 1 x cable modem, 1 x pfSense mini PC

and if possible my ReadyNAS Ultra4.

 

I have opted to hold off on setting the NVR and security camera system up until after I build a VM host to build it all on. Once I am ready for it I think I may pick up a second wall mount rack for the VM host server I will build, the whole home audio receiver I will be installing, and a large rack mount battery backup.

 

Also, here is the logical configuration of my network using VLANs.

[image: logical network diagram showing the VLAN layout]

Edited by Tur0k