joebuddah
Jan 30, 2005

IOwnCalculus posted:

If it's not connected to your router at all, then perhaps they're timing out waiting for a DHCP that will never come?

Thanks for the response. I have it both ways. I also have tried enabling DHCP on the Alfa. It can connect to my primary wifi that's why I'm confused. Lol. I may just cave and spend the $45 and buy an Archer.


CrazyLittle
Sep 11, 2001





Clapping Larry

CubanMissile posted:

Most people just screw a piece of plywood into the studs and mount those kinds of devices onto the wood, kinda like this:



i'm the unicum patch panel

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler

Volguus posted:

I am using a PC with OpenBSD on it. The PC was more than $10 in its time, today ... probably not even that. Yes, it can handle my measly 250Mbps connection just fine. OpenBSD is free. And more capable than any "router" (including pfsense) could be.

Acting like an old PC is clearly cheaper than a $100 router running a tiny ARM chip isn't really considering total cost though. Yes, the capital investment is low but how much power does your PC router use running 24/7 and what are you paying for power? 50W at $0.10/kWh means an extra $40 a year, and it's hard to get much below that idling unless you have a pretty recent system or one built to be very low-power in my experience. If you already have an Atom board with a couple NICs lying around then it makes sense but your old Core 2 Quad is going to be break-even after a couple of years unless you have integrated graphics and a fair bit of success at undervolting.

Eletriarnation fucked around with this message at 17:19 on Jun 1, 2018

movax
Aug 30, 2008

My apartment came with a Nest thermostat, and I want to VLAN off that loving thing (and I should probably get better at using VLANs anyways). Am I out of luck trying to do this with my Airport Extreme Base Station?

Also thinking about loving around with RADIUS. Have a RPi or ESXi box that I could run the server on; I'm thinking the RPi is much lighter weight but I also assume that if this server goes down, so does my WiFi?

e: last question for now, on an EdgeRouter, how do I view the details of the DHCP configuration on my WAN interface? Want to see what DNS servers are getting pushed my way.

movax fucked around with this message at 22:10 on Jun 2, 2018

eames
May 9, 2009

If you use your Airport Extreme in Bridge mode you can enable the guest network and it'll tag packets on that network with VLAN 1003. This is completely undocumented and hardcoded but it works.

movax
Aug 30, 2008

eames posted:

If you use your Airport Extreme in Bridge mode you can enable the guest network and it'll tag packets on that network with VLAN 1003. This is completely undocumented and hardcoded but it works.

:aaa:

Definitely using in Bridge Mode right now, that’s kind of entertaining and good to know and saves me money! What does the regular network get tagged as, if any?

I still have to educate myself on VLANs / see what unmanaged switches like the GS105 do.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

movax posted:

:aaa:

Definitely using in Bridge Mode right now, that’s kind of entertaining and good to know and saves me money! What does the regular network get tagged as, if any?

I still have to educate myself on VLANs / see what unmanaged switches like the GS105 do.

I've never configured a VLAN and don't know much about them, but I think what unmanaged switches do with tagged frames is undefined behavior, so you have to look into your specific switch.


Tagging my poo poo like ecobee thermostat and wemo switches is a thing I always mean to do, but :effort:.

DJ Commie
Feb 29, 2004

Stupid drivers always breaking car, Gronk fix car...
All of my Internet of poo poo/dev stuff goes through a VLAN with packet capture in case something gets clever. It was as easy as setting the VLAN tag for that SSID in the UniFi controller, and some src-NAT in the RouterBoard so I had separate DHCP ranges for each SSID/tag. It decodes the VLAN for the garbage (severely limited and logged), one for guests (no NAS + limits), and the normal everything traffic.

I have a UniFi AC-LR, 450G and an old Netgear GS108. My workspace has two drops, one for each VLAN, so I can have wired IoT/dev be monitored still and not need another RouterBoard. I'm changing to either the 960PGS or the EdgeRouter POE since my Internet connection is via a PowerBeam ac and I hate the drat power bricks.

Niwrad
Jul 1, 2008

Couple questions about cable modems with Comcast. My Dad has had some issues at his place lately with speed. Comcast is telling him it's the cable modem which is an SB6121. On one hand it's old and EOL. But on the other it had worked fine for him for years and just seems weird to suddenly be poo poo. Is the issue likely the SB6121? And would the SB6183 be a suitable replacement to give him a little future-proofing going forward?

Which brings up another question. I'm using an SB6141. Is there any point in upgrading if I'm on a 100mbps package with my ISP? I noticed the SB6141 is EOL as well but I'm getting good speeds with it.

Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!

Niwrad posted:

Couple questions about cable modems with Comcast. My Dad has had some issues at his place lately with speed. Comcast is telling him it's the cable modem which is an SB6121. On one hand it's old and EOL. But on the other it had worked fine for him for years and just seems weird to suddenly be poo poo. Is the issue likely the SB6121? And would the SB6183 be a suitable replacement to give him a little future-proofing going forward?

Which brings up another question. I'm using an SB6141. Is there any point in upgrading if I'm on a 100mbps package with my ISP? I noticed the SB6141 is EOL as well but I'm getting good speeds with it.

It kind of depends if the issues are signal related (very likely, happens all of the time) or capacity related. Being able to bond to more channels may help for the latter but probably won't matter for the former. They'll probably have to have someone come out and fix whatever broke (water in the taps or whatever). I'm running an SB6120 and they've told me I should upgrade. I have a refurbished 6183 in a box ready to go but no actual need to upgrade yet. I don't think you need to get anything more than the 6141 for 100 megabit, but you can always run a speedtest (from a wired device) to see.

This link will have the modems for service tiers for your area if you sign in. I haven't checked lately but last time I looked the 6120 was good to 150 Mb/s.
http://mydeviceinfo.xfinity.com/

ickna
May 19, 2004

I have a VPN question that I'm not quite sure how to translate into useful Google search terms; perhaps someone can help me figure this out:

I manage a couple of geographically distant LANs for different family members, and I've transitioned most of them to EdgeRouter X and UniFi setups. I would like to be able to link them up to make a sort of family WAN so we can do off-site backups to each other's NAS, check on the grandparents with IP cameras, and I can do remote administrative/tech support stuff without having to expose any more inbound ports or mess with dynamic DNS fuckery. As I understand, the ERXs have some built-in VPN features, which would be great for the LANs that don't have x86 servers running full time on them, but as best as I can tell the VPN stuff is aimed more at a site-to-site link between two routers, and not a hub and spoke setup like I'm imagining this would be. I would love to be told I'm wrong about that, though.

My idea is to set up some kind of VPN hub/L3 router on AWS that the ERXs can connect to and talk to each other over:



I would also still need to be able to keep the OpenVPN-AS servers up on my brother's and my LANs, since we both VPN back home with our devices for unfiltered/unmonitored internet access when we are at work, and I don't want to pay for the bandwidth bill we'd rack up on AWS with our web browsing and streaming going through the hub.

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.
Fundamentally, all the VPN stuff you are going to do is a site-to-site link between two routers, even if the higher-level architecture looks like a hub and spoke setup. You can think of a VPN connection as the logical equivalent of a physical network cable - it's not exact but it's close enough to build an OK mental model of what VPNs can do.

The AWS term for what you're looking for is "transit VPC."

It is all enterprisey as poo poo, with prices to match. The sample solution they provide uses the Cisco CSR EC2 image, which goes up to $8.40/hour in EC2/licensing costs alone; feel free to work out the math for per-month pricing on that. it's six thousand dollars. per month. The data transfer costs are going to be steep, too, even if you're not using Direct Connect to a datacenter. Remote backup is surprisingly bandwidth intensive.

As nice as it would be to have a central management point with an elastic IP, you'd probably do better to just have a mesh with static routes, and each endpoint having three tunnels to all the others. EdgeOS should be able to do this without trouble; I think you can even do it from the web interface. Make sure that crypto offload is enabled.

Finally, be careful about tunneling out of work environments. At lots of places, getting caught doing that without approval is an insta-fire offense. You might just be using it to watch netflix and shitpost from work, but they don't have any way of seeing that; for all they know you're bypassing the firewall to move PCI/HIPAA/trade secret data out and malware in (or, you might have a compromised device on your home network that does the same thing without you even knowing).

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

Space Gopher posted:

Finally, be careful about tunneling out of work environments. At lots of places, getting caught doing that without approval is an insta-fire offense. You might just be using it to watch netflix and shitpost from work, but they don't have any way of seeing that; for all they know you're bypassing the firewall to move PCI/HIPAA/trade secret data out and malware in (or, you might have a compromised device on your home network that does the same thing without you even knowing).

This is a billion percent true. Waste time on your phone, don't VPN out of your company network.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Just FYI: The Asus routers support VLAN'ing configured via SSH. A little more advanced, but there are good step by step guides on how to do it.

dogstile
May 1, 2012

fucking clocks
how do they work?

H2SO4 posted:

This is a billion percent true. Waste time on your phone, don't VPN out of your company network.

I actually grabbed a giant data plan precisely so I can hook my laptop up to it during warehouse visits.

Had nothing to do aside from test a "dead device" and "set up a NAS" at the warehouse. Also Windows updates on the only PC there, which hadn't been done in a very long time. Very good Netflix catchup tbh; I have no idea why they scheduled me there for the whole day, but whatever I guess.

ickna
May 19, 2004

Space Gopher posted:

Fundamentally, all the VPN stuff you are going to do is a site-to-site link between two routers, even if the higher-level architecture looks like a hub and spoke setup. You can think of a VPN connection as the logical equivalent of a physical network cable - it's not exact but it's close enough to build an OK mental model of what VPNs can do.

The AWS term for what you're looking for is "transit VPC."

It is all enterprisey as poo poo, with prices to match. The sample solution they provide uses the Cisco CSR EC2 image, which goes up to $8.40/hour in EC2/licensing costs alone; feel free to work out the math for per-month pricing on that. it's six thousand dollars. per month. The data transfer costs are going to be steep, too, even if you're not using Direct Connect to a datacenter. Remote backup is surprisingly bandwidth intensive.

As nice as it would be to have a central management point with an elastic IP, you'd probably do better to just have a mesh with static routes, and each endpoint having three tunnels to all the others. EdgeOS should be able to do this without trouble; I think you can even do it from the web interface. Make sure that crypto offload is enabled.

Finally, be careful about tunneling out of work environments. At lots of places, getting caught doing that without approval is an insta-fire offense. You might just be using it to watch netflix and shitpost from work, but they don't have any way of seeing that; for all they know you're bypassing the firewall to move PCI/HIPAA/trade secret data out and malware in (or, you might have a compromised device on your home network that does the same thing without you even knowing).

Excellent info, thanks!

The AWS cost is a whole lot more than I was thinking; I was assuming I would be running one of the smaller instances and rolling some kind of open source setup. I was looking into getting gigabit fiber for my own internet access, so perhaps I'll jump on that and kludge my own hub with my home x86 server using SoftEther and have the others tunnel to me.

Also, good point about tunneling out of work; I'll check into the policies.


H2SO4 posted:

This is a billion percent true. Waste time on your phone, don't VPN out of your company network.

This was the idea, but we both work deep in the bowels of concrete dungeons or accidental faraday cages which meant little to no cell service.

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

ickna posted:

This was the idea, but we both work deep in the bowels of concrete dungeons or accidental faraday cages which meant little to no cell service.

Yeah, I definitely understand that situation. In that case just make sure you've got permission. Preferably do it from a guest network and not the company's trusted wifi if possible.

Bulgogi Hoagie
Jun 1, 2012

We
p sure Apple has stopped selling the AirPort line in the UK. Time to update the OP perhaps.

Devian666
Aug 20, 2008

Take some advice Chris.

Fun Shoe
The OP was updated to reflect that. Once the AirPorts are all out of circulation that section will be removed from the OP (probably in 4-5 months' time when I'll review the OP again). Apple are still providing limited support and even provided a firmware update this year, but that was only to address a serious vulnerability.

Steakandchips
Apr 30, 2009

Can you remove this line or update it from the OP:

"Updated for 2016 by Rukus, Antillie, and CrazyLittle."

It's v out of date and confuses people.

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy

ickna posted:

I have a VPN question that I'm not quite sure how to translate into useful Google search terms; perhaps someone can help me figure this out:

I manage a couple of geographically distant LANs for different family members, and I've transitioned most of them to EdgeRouter X and UniFi setups. I would like to be able to link them up to make a sort of family WAN so we can do off-site backups to each other's NAS, check on the grandparents with IP cameras, and I can do remote administrative/tech support stuff without having to expose any more inbound ports or mess with dynamic DNS fuckery. As I understand, the ERXs have some built-in VPN features, which would be great for the LANs that don't have x86 servers running full time on them, but as best as I can tell the VPN stuff is aimed more at a site-to-site link between two routers, and not a hub and spoke setup like I'm imagining this would be. I would love to be told I'm wrong about that, though.

My idea is to set up some kind of VPN hub/L3 router on AWS that the ERXs can connect to and talk to each other over:



I would also still need to be able to keep the OpenVPN-AS servers up on my brother's and my LANs, since we both VPN back home with our devices for unfiltered/unmonitored internet access when we are at work, and I don't want to pay for the bandwidth bill we'd rack up on AWS with our web browsing and streaming going through the hub.


You are wrong about OpenVPN: it has limited functionality through the GUI, but you can configure it how you like through the configuration CLI, or go even more manual and edit the OpenVPN conf folders and files.

If I was doing this from scratch I'd use WireGuard for the ER-Xs, and try making a full mesh VPN setup so you don't need AWS at all. You'll need dynamic DNS fuckery and open ports, but WireGuard ports aren't really open because every packet needs to be authenticated to get any response from the server; you can't portscan for WireGuard at all.

Then continue using OpenVPN for client access because WireGuard doesn't have a Windows client yet. You could do everything with OpenVPN on the ER-X, but it's way slower (30Mb/s vs 95Mb/s in my experience). Also, all your networks need to be on different subnets, 192.168.1.0/24, 192.168.2.0/24, so everything has a unique address.
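Added example (not code from the thread or from any of the posters): a small planner for the full-mesh WireGuard layout Perplx describes, where every router gets one [Peer] stanza per other site and the AllowedIPs for each peer are that peer's tunnel address plus its LAN. It also enforces the "every site on a different subnet" rule by refusing to render configs when any two LAN prefixes overlap. Site names, LAN prefixes, tunnel addresses, the dynamic-DNS endpoints and the `<...-pubkey>` strings are all constructed placeholders; on a real router the keys come from `wg genkey` / `wg pubkey`.

```python
"""Full-mesh WireGuard site-to-site plan for a handful of home routers.

Added example, not code from the thread.  Site names, LAN prefixes,
tunnel addresses, endpoints and the <...-pubkey> strings are constructed
placeholders; real deployments substitute keys from `wg genkey`/`wg pubkey`.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: one entry per router.  Each site must own a LAN
# prefix that overlaps no other site's LAN, or the mesh routes are ambiguous.
SITES = {
    "home":    {"lan": "192.168.1.0/24", "tun": "10.255.0.1/24",
                "endpoint": "home.example.dyndns:51820", "pubkey": "<home-pubkey>"},
    "brother": {"lan": "192.168.2.0/24", "tun": "10.255.0.2/24",
                "endpoint": "brother.example.dyndns:51820", "pubkey": "<brother-pubkey>"},
    "parents": {"lan": "192.168.3.0/24", "tun": "10.255.0.3/24",
                "endpoint": "parents.example.dyndns:51820", "pubkey": "<parents-pubkey>"},
}


def overlapping_lans(sites):
    """Return (a, b) pairs of site names whose LAN prefixes overlap."""
    clashes = []
    for (a, sa), (b, sb) in combinations(sites.items(), 2):
        if ipaddress.ip_network(sa["lan"]).overlaps(ipaddress.ip_network(sb["lan"])):
            clashes.append((a, b))
    return clashes


def peer_allowed_ips(site):
    """AllowedIPs for a peer: its tunnel host address as /32 plus its LAN."""
    tun_host = ipaddress.ip_interface(site["tun"]).ip
    return f"{tun_host}/32, {site['lan']}"


def build_config(name, sites):
    """Render wg0.conf for one site: one [Peer] stanza per other site."""
    clashes = overlapping_lans(sites)
    if clashes:
        raise ValueError(f"overlapping LAN prefixes: {clashes}")
    me = sites[name]
    port = me["endpoint"].rsplit(":", 1)[1]
    lines = [
        "[Interface]",
        f"Address = {me['tun']}",
        f"ListenPort = {port}",
        "PrivateKey = <output of 'wg genkey' on this router>",
    ]
    for peer_name, peer in sites.items():
        if peer_name == name:
            continue
        lines += [
            "",
            f"# {peer_name}",
            "[Peer]",
            f"PublicKey = {peer['pubkey']}",
            f"Endpoint = {peer['endpoint']}",
            f"AllowedIPs = {peer_allowed_ips(peer)}",
            # keepalive keeps the NAT mapping open so either side can initiate
            "PersistentKeepalive = 25",
        ]
    return "\n".join(lines) + "\n"


def build_all(sites):
    """Configs for every site in the mesh, keyed by site name."""
    return {name: build_config(name, sites) for name in sites}


if __name__ == "__main__":
    for name, cfg in build_all(SITES).items():
        print(f"===== {name}/wg0.conf =====\n{cfg}")
```

Because AllowedIPs doubles as WireGuard's routing table, a peer's LAN only ever appears under that peer, so a packet for 192.168.2.0/24 can only leave through the tunnel to "brother". The overlap check is what makes that unambiguous.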

CrazyLittle
Sep 11, 2001





Clapping Larry

Steakandchips posted:

Can you remove this line or update it from the OP:

"Updated for 2016 by Rukus, Antillie, and CrazyLittle."

It's v out of date and confuses people.

lol yes. I would do it, but.

22 Eargesplitten
Oct 10, 2010



I see the WDR3600 has gigabit Ethernet. Is that total or can you hypothetically do 1gb down and 1gb up at the same time? Same question for the gigabit WAN port going to the modem. I’m going to have symmetrical gigabit by the end of the month.

IOwnCalculus
Apr 2, 2003





It can probably do symmetrical gigabit on the switch (local) side no problem, but I would be surprised if an 802.11n-era device is capable of routing 1Gbps up and down.

22 Eargesplitten
Oct 10, 2010



Fair enough.

I do want to get a new one soonish, but I want to finish the move and get stable before buying anything unnecessary.

Probably a Ubiquiti or something, if I can’t set one of those up I need to give up on IT.

Eletriarnation
Apr 6, 2005

People don't appreciate the substance of things...
objects in space.


Oven Wrangler
Ethernet is always full-duplex - able to transmit and receive at once - unless you're using a hub or your autonegotiation is loving up, which is not a thing I've seen except with old enterprise gear. Gigabit Ethernet is able to move 2Gbps, if you add both directions together.

Conventional wireless can't send and receive at once so it's half duplex, and even when you have something like MIMO which technically might be capable of full duplex (IDK, not a wireless expert) the number they quote you is generally going to be the sum of all radios going at once - not generally a number that a single client would be capable of even in ideal situations.

Actual inside<->outside traffic with either is also going to be potentially limited by the router CPU if it's really slow due to the need to do NAT processing. This one is considerate in saying specifically on the product page "Achieves blazing WAN to LAN throughput of over 800Mbps with hardware NAT", probably a figure that is optimistically based on large packets but still not bad.

Devian666
Aug 20, 2008

Take some advice Chris.

Fun Shoe

Steakandchips posted:

Can you remove this line or update it from the OP:

"Updated for 2016 by Rukus, Antillie, and CrazyLittle."

It's v out of date and confuses people.

I've edited that line to reduce confusion.

rizzo1001
Jan 3, 2001
I have a Debian server running OpenVPN on a static IP on my home network (192.168.1.48). I'd like to also install Pi-hole on the instance and have it block ads on my home network as well as when I'm connected to the VPN.

Do I follow this guide and use the tun0 interface?
https://www.cyberciti.biz/faq/ubuntu-linux-install-pi-hole-with-a-openvpn/

code:
openvpn@debianvpn:~$ ip a show dev tun0
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
openvpn@debianvpn:~$ ip a show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:a0:98:fd:ef:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.48/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::2a0:98ff:fefd:ef02/64 scope link
       valid_lft forever preferred_lft forever
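Added example (not code from the thread, the poster, or the Pi-hole project): a parser for the `ip a show dev ...` output above that pulls out each interface's addresses, then uses them to decide which addresses a LAN-plus-VPN resolver should listen on (the eth0 address for the LAN, the tun0 address for VPN clients, and nothing bound to 0.0.0.0 that a WAN-facing interface could reach) and to produce the OpenVPN server directive that hands VPN clients that resolver. The sample input is the poster's own listing reused as constructed test data; the choice of eth0 and tun0 as the serving interfaces is an assumption.

```python
"""Pick resolver listen addresses from `ip a` output (added example).

Not code from the thread.  SAMPLE reproduces the poster's listing as
constructed test input; serving DNS on eth0 + tun0 is an assumption.
"""
import re

SAMPLE = """\
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:a0:98:fd:ef:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.48/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::2a0:98ff:fefd:ef02/64 scope link
       valid_lft forever preferred_lft forever
"""

# "3: tun0: <FLAGS> ..." starts a new interface block
HEADER = re.compile(r"^\d+: (\S+): <")
# "    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0"  (point-to-point)
# "    inet 192.168.1.48/24 brd 192.168.1.255 scope global eth0"
ADDR = re.compile(r"^\s+(inet6?) (\S+)(?: peer \S+)?.*?scope (\S+)")


def parse_ip_addr(text):
    """Return {iface: [(family, address, scope), ...]} from `ip a` output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = ADDR.match(line)
        if m and current:
            family, addr, scope = m.groups()
            # drop the prefix length; a point-to-point tun address has none
            result[current].append((family, addr.split("/")[0], scope))
    return result


def dns_listen_addresses(ifaces, serve_on=("eth0", "tun0")):
    """Global-scope IPv4 addresses on the interfaces the resolver should serve.

    Binding only these (rather than 0.0.0.0) keeps the resolver off any
    interface that faces the internet, so it cannot become an open resolver.
    """
    listen = []
    for name in serve_on:
        for family, addr, scope in ifaces.get(name, []):
            if family == "inet" and scope == "global":
                listen.append(addr)
    return listen


def openvpn_push_dns(ifaces, tun="tun0"):
    """OpenVPN server directive that hands VPN clients the tun-side resolver."""
    for family, addr, scope in ifaces.get(tun, []):
        if family == "inet":
            return f'push "dhcp-option DNS {addr}"'
    raise LookupError(f"no IPv4 address on {tun}")


if __name__ == "__main__":
    ifaces = parse_ip_addr(SAMPLE)
    print("listen on:", ", ".join(dns_listen_addresses(ifaces)))
    print("server.conf:", openvpn_push_dns(ifaces))
```

With the listing above this yields 192.168.1.48 and 10.8.0.1 as the two listen addresses, and `push "dhcp-option DNS 10.8.0.1"` as the line for the OpenVPN server config so that VPN clients resolve through the tunnel rather than through whatever DNS the remote network hands them.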

movax
Aug 30, 2008



I might have gotten carried away wanting to VLAN things and seduced by the promise of using UNMS for everything in the future. And spent an entire day researching if I should go full UniFi or stay EdgeMax.

redeyes
Sep 14, 2002

by Fluffdaddy
I just had to change from Comcast Business to a local fiber residential ISP with double IPv4 NAT. BUT I get full IPv6, unblocked. I was pissed off at first, but the more IPv6 stuff I learn and try to host my own stuff, the more it 'just works'. I am digging the hell out of IPv6. I've got my remote security cameras, file hosting, and even websites working fine. Surprising to me.

Thanks Ants
May 21, 2004

#essereFerrari


IPv6 is cool and good but it's the first exposure lots of people have to having to write inbound firewall rules, so just make sure you're on the case with that.
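Added example (not code from the thread or from any poster): the inbound rules Thanks Ants is talking about, rendered as an nftables ruleset for a dual-stack home router. With IPv6 every LAN device has a globally routable address, so the protection that IPv4 NAT gave for free has to come from the forward chain: default drop, allow established/related, allow only the ICMPv6 types IPv6 needs to function, and open specific host/port pairs explicitly. The interface names, the 2001:db8::/32 documentation prefix and the exposed services are constructed placeholders; the generator exists so the allowlist is data rather than hand-edited rules.

```python
"""Inbound IPv6 policy for a dual-stack home router as an nftables ruleset.

Added example, not code from the thread.  Interface names, the 2001:db8::
documentation prefix and the exposed services are constructed placeholders.
Load the output with `nft -f <file>` after reviewing it.
"""
import ipaddress

# ICMPv6 the router itself must accept from untrusted links: neighbour and
# router discovery plus the error types path-MTU discovery depends on.
ICMPV6_ROUTER = ("nd-router-advert", "nd-neighbor-solicit", "nd-neighbor-advert",
                 "echo-request", "packet-too-big", "time-exceeded",
                 "parameter-problem", "destination-unreachable")
# ICMPv6 worth forwarding to LAN hosts; blanket-dropping these breaks PMTUD.
ICMPV6_FORWARD = ("echo-request", "packet-too-big", "time-exceeded",
                  "parameter-problem", "destination-unreachable")


def icmpv6_rule(types):
    """nft match for a set of ICMPv6 types."""
    return f"icmpv6 type {{ {', '.join(types)} }} accept"


def _check_service(host, proto, port):
    """Reject malformed allowlist entries before they reach the ruleset."""
    ipaddress.IPv6Address(host)          # raises ValueError on a bad address
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port {port!r}")


def build_ruleset(wan, lan, inbound=()):
    """Render the ruleset.  inbound: (ipv6 host, 'tcp'|'udp', port) to expose."""
    inbound = list(inbound)
    for host, proto, port in inbound:
        _check_service(host, proto, port)
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iifname "lo" accept',
        "    ct state established,related accept",
        "    ct state invalid drop",
        f'    iifname "{lan}" accept',            # LAN may manage the router
        f"    {icmpv6_rule(ICMPV6_ROUTER)}",
        f'    iifname "{wan}" udp dport 546 accept  # DHCPv6 client replies',
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f'    iifname "{lan}" oifname "{wan}" accept',   # outbound from LAN
        f'    iifname "{wan}" oifname "{lan}" {icmpv6_rule(ICMPV6_FORWARD)}',
    ]
    for host, proto, port in inbound:
        # the only unsolicited inbound traffic that reaches a LAN host
        lines.append(f'    iifname "{wan}" oifname "{lan}" '
                     f"ip6 daddr {host} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed: one camera NVR reachable on HTTPS, nothing else
    print(build_ruleset("eth0", "eth1", [("2001:db8:1::50", "tcp", 443)]))
```

The two `policy drop;` lines carry the security weight: everything not listed, in either chain, is dropped. Each service someone hosts on IPv6 (cameras, file hosting, a web server) becomes one explicit entry in the allowlist rather than an implicit consequence of having a public address.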

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

redeyes posted:

BUT I get full IPv6, unblocked.

Isn't Comcast one of the better ISPs for IPv6? What were they doing that the new provider isn't (or vice versa)?

Encrypted
Feb 25, 2016

movax posted:



I might have gotten carried away wanting to VLAN things and seduced by the promise of using UNMS for everything in the future. And spent an entire day researching if I should go full UniFi or stay EdgeMax.

Get the 16 port 150w if you are just going to use them in a single central point.

And sure why not.

Feenix
Mar 14, 2003
Sorry, guy.
Does anyone here use or have familiarity with the Orbi system by Netgear? I have an RBK50 and I just got warned today trying to play an online game on PS4 that my NAT type is 2 (Moderate). Can this be changed anywhere?

dragon enthusiast
Jan 1, 2010
I'm moving into a new apartment and this is my first time dealing with FIOS. I think the only available connection is a coax plug on the wall. If I don't want to buy the Verizon brand router and just want a single line to my own router, what's the cheapest setup I can get away with?

22 Eargesplitten
Oct 10, 2010



I want to have an open network completely split off from my password-protected network as far as security is concerned. Is that a thing that can be done? I know VLANs are a thing, but I don't think that would do it. Is that purely an enterprise-grade thing? Would Ubiquiti be able to do it?

Dogen
May 5, 2002

Bury my body down by the highwayside, so that my old evil spirit can get a Greyhound bus and ride

Feenix posted:

Does anyone here use or have familiarity with the Orbi system by Netgear? I have an RBK50 and I just got warned today trying to play an online game on PS4 that my NAT type is 2 (Moderate). Can this be changed anywhere?

Turn on UPnP; according to the internet, it's an option under Advanced.

Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!

22 Eargesplitten posted:

I want to have an open network completely split off from my password-protected network as far as security is concerned. Is that a thing that can be done? I know VLANs are a thing, but I don't think that would do it. Is that purely an enterprise-grade thing? Would Ubiquiti be able to do it?

If you've got a Ubiquiti controller you can set up a guest network and filter what the clients on that network can get to (let them get to the router and nothing else, for example). I haven't done any strenuous security testing with it, but it seems like a commonly used feature.

Thanks Ants
May 21, 2004

#essereFerrari


dragon enthusiast posted:

I'm moving into a new apartment and this is my first time dealing with FIOS. I think the only available connection is a coax plug on the wall. If I don't want to buy the Verizon brand router and just want a single line to my own router, what's the cheapest setup I can get away with?

I think you need to ask Verizon to enable the Ethernet port on the ONT


Internet Explorer
Jun 1, 2005





22 Eargesplitten posted:

I want to have an open network completely split off from my password-protected network as far as security is concerned. Is that a thing that can be done? I know VLANs are a thing, but I don't think that would do it. Is that purely an enterprise-grade thing? Would Ubiquiti be able to do it?

VLANing is how you would do it, and what all routers will use for a guest network. Yes, Ubiquiti gear can do it. Although I will say it's probably not a good idea to have an open network, from a technical and from a legal perspective. Unless you have a good reason to do so, I'd possibly rethink it.
