|
ManlyWeevil posted:The clink has to be on its own AP (they use WPS and Unifi doesn't support it), so I'm stuck with the second option. Just wondering if further segmenting the VLAN off has any real benefits. Not really no. Also WPS is dogshit
|
#
?
Mar 27, 2017 19:55
|
|
|
|
| # ? May 1, 2024 02:31 |
|
|
ManlyWeevil posted:The clink has to be on its own AP (they use WPS and Unifi doesn't support it), so I'm stuck with the second option. Just wondering if further segmenting the VLAN off has any real benefits.  WPS‐only is thankfully one of the terrible security incompatibilities I have not encountered.
|
|
#
?
Mar 28, 2017 01:59
|
|
|
just popping in to say that repurposing $10 meraki access points with cucumber tony is pretty awesome.
|
|
#
?
Mar 28, 2017 03:22
|
|
|
Did not know that was a thing. Apparently you can run OpenWRT on them too.
|
|
#
?
Mar 28, 2017 14:04
|
|
|
I might do that once my license runs out, I still haven't even booted my second MR18 once. Still won't get close to the amount of features Meraki has, I really like the whole RF analysis stuff.
|
|
#
?
Mar 28, 2017 14:10
|
|
|
adorai posted:just popping in to say that repurposing $10 meraki access points with cucumber tony is pretty awesome. gently caress. Are you serious? I threw away like a dozen MR16's when our sub ran out. Oh well, they weren't even AC anyway.
|
|
#
?
Mar 28, 2017 17:35
|
|
|
adorai posted:just popping in to say that repurposing $10 meraki access points with cucumber tony is pretty awesome. Sounds awesome but Meraki 802.11n only? pass. Also Cucumber Tony costs money, but UniFi Controller is free. Why should I pay for that? *edit* WORDS HAVE NO MEANING NOTHING MATTERS 
CrazyLittle fucked around with this message at 18:04 on Mar 28, 2017 |
|
#
?
Mar 28, 2017 18:01
|
|
|
CrazyLittle posted:Also Cucumber Tony costs money, but UniFi Controller is free. Why should I pay for that?
|
|
#
?
Mar 29, 2017 00:22
|
|
|
Here's my review of the NETGEAR Mini N300 Wi-Fi Extender: It works fine, WPS is stupid and their setup tool is surprisingly nice. That is all.
|
|
#
?
Apr 3, 2017 13:56
|
|
|
Good morning networking thread. Hoping to get a little direction here. I am dabbling with putting a whole home VPN on my network (obvious reasons why with the current climate) but found when experimenting with ExpressVPN that Netflix is actively hunting down their servers and blocking them. This won't work as my kids would kill me if Netflix didn't work. I'm thinking that there has to be a way to separate some of my network traffic to go outside the VPN and the balance staying within it. However, I'd like to have the devices be able to communicate with eachother despite their connection through the VPN. My first inclination was to purchase a second router to put the devices I want 'free' of the VPN on (most of my devices that would need to be clear would be hard wired FireTVs) and then use openVPN on the router for the rest. Issue with that is that Plex would be hosted on one of the VPN devices and I doubt there'd be a way for clear devices to see and talk to it. Is there a way to mix the two routers so that they can talk but still preserving their targeted WAN status? I have an ASUS rt-n66u (technically 66n, but it's the same thing just a rebranded model) and although I haven't done any custom firmware I believe it's one of the more flexible and receptive devices to doing so. Back in the day I burned through many a Linksys router playing with firmware, shorting out connections to clear memory, etc. that I am a bit hesitant to go this route these days. Is the landscape different in 2017? Is there a solution that will let me funnel devices into openVPN or away by IP/MAC and still maintain communication in the intranet? Appreciate any insight, happy to do a network diagram but not sure it's necessary. While it's complicated looking and sprawling throughout my house it's a few unmanaged switches connected to the router. Thanks!
|
|
#
?
Apr 5, 2017 11:19
|
|
|
Are there any consumer routers that can act as a VPN client over IKEv2? I see several that can act as the server, but my google-fu isn't helping me find such a thing.
|
|
#
?
Apr 6, 2017 01:50
|
|
|
hooah posted:Are there any consumer routers that can act as a VPN client over IKEv2? I see several that can act as the server, but my google-fu isn't helping me find such a thing. I don't know of any that will act as a client. I do know you can set up P2P connections using IKEv2 on pfSense (the smaller MicroWalls I'd consider consumer grade), but I don't think client functionality exists. The only thing I've found is being able to connect it (and I assume others) to OpenVPN servers and that's about it.
|
|
#
?
Apr 6, 2017 01:57
|
|
|
Think you can just create certain firewall rules and redirect browser traffic and torrent traffic to a VPN and everything else through regular traffic. But this is like power user or prosumer territory and it means running your own box or playing around with CLI like ubnt/ mikrotek etc
|
|
#
?
Apr 6, 2017 02:42
|
|
|
Can dd-wrt handle the firewall stuff? I got that installed on my router over the weekend.
|
|
#
?
Apr 6, 2017 03:39
|
|
|
hooah posted:Can dd-wrt handle the firewall stuff? I got that installed on my router over the weekend. This is an odd question. What do you mean by "firewall stuff?" What are you trying to do and why did you install dd-wrt? What model router do you have?
|
|
#
?
Apr 6, 2017 03:47
|
|
|
Internet Explorer posted:This is an odd question. What do you mean by "firewall stuff?" What are you trying to do and why did you install dd-wrt? What model router do you have? I'm talking about what caberham mentioned in the previous post. I was on my phone and did a straight reply rather than a quote. I put dd-wrt on my Netgear WNDR3700v3 because I knew the installed firmware didn't have the capability of being any kind of VPN client.
|
|
#
?
Apr 6, 2017 03:55
|
|
|
I currently use a Cisco ASA5505 but would like to replace it with a Palo Alto device with all of the features that PA firewalls have. What would be a good replacement? PA-200? PA-500? Something else? TIA
|
|
#
?
Apr 6, 2017 04:43
|
|
|
I have a laptop that acts as a kind of router that does ip forwarding to/from a vlan interface and when the traffic gets "heavy" on the vlan network (downloading packages with apt and stuff like that) sometimes the interface just dies for short while and "Mar 31 09:14:47 ul001468 kernel: [4891033.347250] e1000e 0000:00:19.0 eth0: Detected Hardware Unit Hang:" appears in the syslog. Does anyone know why this might be? It only happens for routed traffic as far as I can tell. I've tried updating the e1000e drivers but it didn't help.
|
|
#
?
Apr 6, 2017 15:03
|
|
|
hooah posted:I'm talking about what caberham mentioned in the previous post. I was on my phone and did a straight reply rather than a quote. I put dd-wrt on my Netgear WNDR3700v3 because I knew the installed firmware didn't have the capability of being any kind of VPN client. Sorry, I'm an idiot.
|
|
#
?
Apr 6, 2017 15:23
|
|
|
You can absolutely use dd-wrt as a VPN client, but keep in mind consumer routers are lacking in CPU horsepower. It won't hold up to much bandwidth. I'm trying a few different software routers right now. pfSense throws an absolute poo poo fit and constantly reboots on my hardware. OPNsense won't even boot. Untangle is stable and seems pretty slick, but won't connect to a standard OpenVPN server, only another Untangle box.
|
|
#
?
Apr 6, 2017 15:28
|
|
|
I have Century Link DSL (I know, I will hopefully be switching soon). I use an Archer C7 in stead of the CL C2000A Modem router. I have terrible bufferbloat and ping times, which causes problems whenever I am downloading a large file or online gaming. Anything I can do on my end until I can switch? The C7 does have bandwidth control, which hasn't really had an effect, but no QoS controls.
|
|
#
?
Apr 6, 2017 16:21
|
|
|
LongSack posted:I currently use a Cisco ASA5505 but would like to replace it with a Palo Alto device with all of the features that PA firewalls have. What would be a good replacement? PA-200? PA-500? Something else? TIA The PA-200 looks somewhat comparable to the 5505 even though it has 1/3 less total throughput. Both the PA-200 and the PA-500 only have half of the 5505's IPSec throughput performance though. Since you are asking about business grade gear I am going to assume this is not for home use. In which case you might want to have a consultant or the Palo Alto sales team assist you picking the firewall that best fits your needs. There is nothing quite like putting a new firewall into production only to find out the next day that it is unable to meet your design requirements in some obscure but critical way. If you like the 5505 and just want a modernized version of it have a look at the 5506-X, its a beefy little box with over 7 times the performance of the PA-200 for only ~25% of the price. If this is for home use then personally I would just spend a few hundred on building a pfSense box and skip the licensing hassles that come with Palo Alto and Cisco gear.
|
|
#
?
Apr 6, 2017 16:33
|
|
|
TraderStav posted:Good morning networking thread. Hoping to get a little direction here. I am dabbling with putting a whole home VPN on my network (obvious reasons why with the current climate) but found when experimenting with ExpressVPN that Netflix is actively hunting down their servers and blocking them. This won't work as my kids would kill me if Netflix didn't work. I'm thinking that there has to be a way to separate some of my network traffic to go outside the VPN and the balance staying within it. However, I'd like to have the devices be able to communicate with eachother despite their connection through the VPN. This is actually rather tricky. Your edge router is going to have to two paths to the internet. One will be the VPN and the other will be the gateway provided by your ISP. (yes the VPN uses the ISP's gateway too, but don't worry about that, i'm not going to try and explain vpn encapsulation and administrative distance in conjunction with routing here) So when your router needs to send a packet to the internet it needs to decide which path to use. In routing this is called the next hop. In a normal setup a home router uses the same next hop for everything because it only has one gateway, the default one. But your router has two paths to choose from, so how does it pick? Typically the next hop is chosen based on the destination IP of the traffic using the route table. A normal home router route table looks something like this (this a more readable format than what windows/*nix/cisco/others use but it contains the same basic information. the IPs are made up): 24.15.66.19/32 - self - eth0 24.15.66.0/26 - connected - eth0 192.168.1.1/32 - self - eth1 192.168.1.0/24 - connected - eth1 0.0.0.0/0 - via 24.15.66.1 - eth0 What this says is: 24.15.66.19 is my IP on my eth0 interface. The 24.15.66.0/26 network is directly connected to my eth0 interface and anything bound for it should be sent out this interface. 192.168.1.1 is my IP on my eth1 interface. The 192.168.1.0/24 network is directly connected to my eth1 interface and anything bound for it should be sent out this interface. Traffic bound for any other network should be sent out eth0 to 24.15.66.1. Now if you have a VPN you get a new entry that looks something like (i am going to assume a policy based VPN instead of a route based one to keep things simple): 10.1.1.0/24 - via VPN - tun0 Which means: Send traffic bound for the 10.1.1.0/24 network out the VPN tunnel instead of the default gateway. Notice how the routing table is only concerned with the destination of the traffic? It does not care about where the traffic came from, only where it is going to. So in a traditional router to exempt Netflix from from an otherwise all encompassing VPN you would need a route table that looked like this (assuming Netflix uses the fictional IP range of 169.254.0.0/16): 24.15.66.19/32 - self - eth0 24.15.66.0/26 - connected - eth0 192.168.1.1/32 - self - eth1 192.168.1.0/24 - connected - eth1 169.254.0.0/16 - via 24.15.66.1 - eth0 0.0.0.0/0 - via VPN - tun0 Don't worry about how the VPN reaches the internet via 24.15.66.1, that's a more advanced topic and the VPN software will handle that anyway. So to actually do this we are going to need a router with "tunnel all" VPN functionality and support for custom routes that can override the tunnel all behavior. This should be possible on DD-WRT or pfSense but I don't actually know if it is or not. We will also need to know the IP ranges that netflix uses. According to ipinfo its a pretty long list. And that might not actually include them all. A proper Cisco (or other enterprise grade) router could skip all this and just use source routing (although source routing has security implications that must be carefully managed and planned for). But even with source routing you would need to manually exempt each netflix device from the VPN on the router. This would be a real pain with dynamic IPs and you would have to manually change the router config every time you switched between netflix watching and web surfing on your PC. Sadly the fact that netflix.com is HTTPS prevents us from solving this dynamically and cleanly with MPF based routing and layer 7 inspection on a Cisco router. I suppose you could get around this by setting up a generic HTTPS proxy with your own internal CA and some loopy routing but I think that would a bit excessive for a home use case. Another totally different option would be to use three routers and three separate networks (one to link the routers together and two for client devices in your home). You could place the routers like so (ignore the periods, they are just for spacing): internet ... | router1__________ | ....................... | router2.........router3 |.............................. | netflix network....... general internet network And then setup the VPN on router3. But then you are messing around three routers and getting a VPN through NAT, which can be annoying sometimes depending on the type of VPN. It also means that you would need to move devices between the networks depending on if you wanted to watch netflix or browse the net via the VPN, which would be annoying. On the plus side this is the only home network design I have ever come up with that is a legitimate use case for a dynamic routing protocol like OSPF or EIGRP. So there's that. So yeah, possible, but tricky and a pain in the rear end.
|
|
#
?
Apr 6, 2017 17:46
|
|
|
Awesome explanation, thank you very much. I did understand what you laid out there and see the logic. Looks like the trickiest part would be getting the right IP range for Netflix and that looks prohibitively difficult. In that last diagram, is there a set up that would allow all the devices behind the various routers to speak to another despite being connected behind different routers? My gut tells me, no.
|
|
#
?
Apr 6, 2017 17:51
|
|
|
TraderStav posted:In that last diagram, is there a set up that would allow all the devices behind the various routers to speak to another despite being connected behind different routers? Actually yes there is. In fact there are two. This sort of thing is what (real) routers are actually meant for. One method involves setting up a dynamic routing protocol on all three routers (surprisingly easy on a Cisco router really) and then letting the routers sort everything out automatically. The other method involves manually setting static routes on the routers. Assuming you went with static routes you would get route tables that look like this: Router 1: 24.15.66.19/32 - self - eth0 24.15.66.0/26 - connected - eth0 192.168.1.1/32 - self - eth1 192.168.1.0/24 - connected - eth1 192.168.2.0/24 - static via 192.168.1.2 - eth1 192.168.3.0/24 - static via 192.168.1.3 - eth1 0.0.0.0/0 - via 24.15.66.1 - eth0 Router 2: 192.168.1.2/32 - self - eth0 192.168.1.0/24 - connected - eth0 192.168.2.1/32 - self - eth1 192.168.2.0/24 - connected - eth1 192.168.3.0/24 - static via 192.168.1.3 - eth0 0.0.0.0/0 - via 192.168.1.1 - eth0 Router 3: 192.168.1.3/32 - self - eth0 192.168.1.0/24 - connected - eth0 192.168.3.1/32 - self - eth1 192.168.3.0/24 - connected - eth1 192.168.2.0/24 - static via 192.168.1.2 - eth0 0.0.0.0/0 - via 192.168.1.1 - eth0 Note that routers 2 and 3 are not performing NAT in this setup. If you went with a dynamic routing protocol instead the routing tables would look the same, you just wouldn't have to manually type in all the routes. The routers would literally tell each other about their respectively connected networks and work it all out themselves. Although you would need to make sure that eth0 on router 1 didn't participate in the dynamic routing protocol for security reasons (also easy on a Cicso router). I feel we might be reaching a point where you may need to take a CCNA class just to setup and administer your home network. Also your home network is now looking much more like a business network than a home network. I am not sure if these are the directions you wanted to go with regards to your career education and home network setup respectively. Antillie fucked around with this message at 18:23 on Apr 6, 2017 |
|
#
?
Apr 6, 2017 18:03
|
|
|
Hello! So, a little while ago I posted in the Mac thread about turning an external HD into a NAS or just about being able to access a computer's files from my iOS devices. Couldn't really find a solution, since Plex, which had been perfect, was disrupted once I purchased a VPN service. I think I have found a solution but kind of wanted to see how secure it was and if there are any holes in the plan: I turned on Remote Login on my Mac Mini, added my user account, and then copied that info into GoodReader's server connector and all my files were all there, just like I would want. The problem is, this is only working when I'm connected to my wifi. Any help here would be appreciated. Mostly want to know how to access outside my network but also have it be secure and doable with a VPN on.
|
|
#
?
Apr 6, 2017 20:19
|
|
|
Antillie posted:Actually yes there is. In fact there are two. This sort of thing is what (real) routers are actually meant for. One method involves setting up a dynamic routing protocol on all three routers (surprisingly easy on a Cisco router really) and then letting the routers sort everything out automatically. The other method involves manually setting static routes on the routers. I had studied some CCNA materials over a decade ago and had an openBSD PC as my router in my closet at one point so this was a very nice intellectual journey. But, to your point, not practical for my environment. Cost prohibitive either from a single router or multiple environment for a petty goal. I greatly appreciate vetting out the idea though.
|
|
#
?
Apr 6, 2017 21:41
|
|
|
Antillie posted:The PA-200 looks somewhat comparable to the 5505 even though it has 1/3 less total throughput. Both the PA-200 and the PA-500 only have half of the 5505's IPSec throughput performance though. Since you are asking about business grade gear I am going to assume this is not for home use. In which case you might want to have a consultant or the Palo Alto sales team assist you picking the firewall that best fits your needs. There is nothing quite like putting a new firewall into production only to find out the next day that it is unable to meet your design requirements in some obscure but critical way. It is for home, actually. I'm a firewall engineer, and at work I manage Cisco, Checkpoint and Palo Alto firewalls. I love the PAs when they have the content stuff enabled, but man are they expensive. The 5505 was a couple hundred bucks, and I spent a bet more upgrading to an unlimited license (hell, even my thermostat needs an IP address now). It's not under maintenance, though, so the software's getting a little old. I'm not sure it's even eligible for maintenance any more. I'll look into pfSense, thanks.
|
|
#
?
Apr 7, 2017 00:34
|
|
|
LongSack posted:It is for home, actually. I'm a firewall engineer, and at work I manage Cisco, Checkpoint and Palo Alto firewalls. I love the PAs when they have the content stuff enabled, but man are they expensive. The 5505 was a couple hundred bucks, and I spent a bet more upgrading to an unlimited license (hell, even my thermostat needs an IP address now). It's not under maintenance, though, so the software's getting a little old. I'm not sure it's even eligible for maintenance any more. The 5505 is still receiving updates but only for bugs and security issues. New features are only in 9.3 and later code which only runs on the X series devices. You can still get a service contract for the 5505 too if you want. Although I would guess that Cisco will EOL the thing sometime in the next year or so. There was actually a pretty major security flaw in the ASA line last year. Cisco should still be willing to give you an updated code version for that even if you don't have a service contract. I used a 5505 at home myself for several years and the only reason I moved to pfSense was due to Cisco's annoying (and expensive) licensing scheme for AnyConnect. They somewhat simplified the licensing a while back but it still costs an arm and a leg. I also wanted something that could do gigabit speeds. And I wanted ongoing software updates without needing to get new firmware images via questionable means.
|
|
#
?
Apr 7, 2017 15:38
|
|
|
Photex posted:So my wife and I are in the process of buying our first house Just to kind of cap this off, I stopped being a cheap mother fucker and decided to pay someone to run Cat6 next week before we move in. I also purchased a Edgerouter X, 8-port Unifi Switch, and a Uni-AP AC Lite.
|
|
#
?
Apr 7, 2017 17:07
|
|
during the inspection I asked the home inspector to take a peak at all the coax in the house to see if it was stapled to the studs and unfortunately all of it is so I got to thinking of trying to eliminate all my rental fees (minus a cablecard rental) from Verizon and this is what I came up with. 
|
GoldfishStew posted:Hello! So, a little while ago I posted in the Mac thread about turning an external HD into a NAS or just about being able to access a computer's files from my iOS devices. Hey sorry to be annoying but could someone help me with this or suggest another thread to help?
|
|
#
?
Apr 7, 2017 22:54
|
|
|
Antillie posted:You can still get a service contract for the 5505 too if you want. Although I would guess that Cisco will EOL the thing sometime in the next year or so. Looks like end of sale is in August. End of support is 5 years later.
|
|
#
?
Apr 8, 2017 02:33
|
|
|
To replace my ASA5505, I ordered a SG-4860 and will be picking up a 16-port switch. I have a Linksys E3000 I'm using as an AP, will be picking up an E4500 to replace it and then it will become the AP for my guest wireless network. I'll probably keep the ASA in a lab environment since I write utility programs in C# and .NET for managing firewalls via ssh and this is a good development environment. My infrastructure is around 10 years old, long past time to upgrade. Edit: unable to locate a 16-port switch, and realized I miscounted the number of ports I'd need. Thought it was 8, but realized that one of those is the uplink to the modem, and the other is the link to the AP (which will move to the firewall). So I only need 6 ports. Ended up with a Linksys EA9500 which has 8 LAN ports in addition to the WAN port. Should be enough capacity, and while this thing is way overpowered for my actual needs today, who can say what I will need tomorrow. My belief is to always buy as much machine as you can afford, even if it's overkill. It will last longer, IMO. LongSack fucked around with this message at 23:20 on Apr 8, 2017 |
|
#
?
Apr 8, 2017 06:08
|
|
|
Dumb question incoming. I've picked up a cheap PCI slot wireless adapter. It comes with an internal cable that connects to a USB header on my motherboard. What's the intended purpose of that if the network seems to work fine without it?
|
|
#
?
Apr 8, 2017 20:11
|
|
|
Possibly bluetooth?
|
|
#
?
Apr 8, 2017 20:13
|
|
|
iv46vi posted:Dumb question incoming. I've picked up a cheap PCI slot wireless adapter. It comes with an internal cable that connects to a USB header on my motherboard. What's the intended purpose of that if the network seems to work fine without it?
|
|
#
?
Apr 9, 2017 00:09
|
|
|
So, I have an Archer AC1900 (C9, v1), and an Arris Surfboard SB6141. I want to configure a VPN, both from my home and mobile devices. Additionally, I want to set up a Pi-hole as my DNS server. My intention is to flash my router with DD-WRT, install OpenVPN on the router and my mobile devices. Then, I'm going to run PIA VPN from my home connection out. I haven't set up anything like this before, but I'm about to get my Network+ cert, so I think I can probably handle it; is there anything in there that's real stupid, or is going to gently caress up my internet? I'm basically just looking for an idiot check. Would it be worth dropping some cash on some additional hardware, or should this be fine on what I've got?
|
|
#
?
Apr 9, 2017 01:29
|
|
|
(Moved over from the upgrading/parts buying thread as I didn't know about this one!) Can someone please recommend a basic wireless router/extender? I'm not even sure what the piece of hardware is called, but: - My new house (in Australia) has an ethernet port in a number of the rooms. My office is on the opposite side of the house to the wireless router/adsl modem. - As such, I have my work desktop PC plugged in directly via LAN cable which is great, but my cell phone/tablets etc receive no wifi signal. - I have a TV and an old PS3 in the same office, hooked up for Netflix/sports streaming/whatever. - Both PS3 and TV have LAN/wifi capabilities, but no means of connecting. So, I'd like something that can plug into the existing ethernet connection, send a wifi signal, and has 3 or more ethernet ports on it. It doesn't even need to be that amazing of a wifi router, as the rest of the house is covered... it's just that this area is kind of a dead zone in the house. Thanks.
|
|
#
?
Apr 9, 2017 08:54
|
|
|
BadAstronaut posted:(Moved over from the upgrading/parts buying thread as I didn't know about this one!) “Router” and “extender” are oddly enough the two things you don’t need. What you need are an access point and a switch, which could be integrated into the same device or not. What people call consumer “routers” are commonly router/switch/access point combinations—sometimes including the modem as well. You could use any device like that and just not use the routing function. Any shop that sells electronics sells them. The Ubiquiti Unifi Ap-AC Lite is a good access point and a thread favourite, but it may be a bad fit for you—you need switch functionality and you don’t need an amazing access point. I also don’t know about the availability of Ubiquiti’s stuff in Australia. I would still consider that (80 USD) + a simple switch for 20 USD, but it’s probably overkill and you’d be served just as well with a consumer combo unit. I should let someone else recommend specific models, because I haven’t bought one in a while.
|
|
#
?
Apr 9, 2017 09:17
|
|
|
|
| # ? May 1, 2024 02:31 |
|
|
OK thanks for the info. Yes I really don't need anything fancy down here. Just a couple extra LAN ports, and some kind of wifi source! Preferably in one device, though.
|
|
#
?
Apr 9, 2017 09:41
|
|