SamDabbers
May 26, 2003



Rescue Toaster posted:

Has anyone set up IPv6 w/ prefix delegation and subnets at home? You basically need to use NPTv6 in order to do internal ACLs, right? My ISP provides a /56 so I thought no problem. But ACLs/filter rules cannot be written using an unknown prefix. Every layer 3 switch or router (*sense) I've checked only allows you to set filter rules on a prefix, not a mask. I cannot write a rule to allow traffic from **:**:**:01:**:**:**:** to **:**:**:02:**:**:**:** on a certain port or whatever.

I guess the two options are full on NAT that's standard on IPv4, where technically the same issue would exist if IPv4 had prefix delegation. I can't find a lot about how NATv6 works on most routers in combination with PD, does it just NAT everything to a single /128 from the router, or does it translate 1-to-1 to randomly chosen IP's within the delegated prefix, etc... Seems like dynamic DNS would only work with a single /128.

IPv6 also has Network Prefix Translation though which would let my L3 switch provide internal subnet prefixes and write the ACLs on that and then the router translates the prefixes to whatever I've been delegated. I assume, the documentation is thin and doesn't explicitly state the external prefix is automatically updated but it must be. Also the documentation on dynamic DNS plugins is thin, hopefully they support v6 prefixes properly.

EDIT: The fact that it doesn't seem possible to forward a prefix from the router->switch's DHCP (the switch does my DHCP) and also not obvious how the switch could forward DHCP to the router and still have it assign subnets<->VLANs correctly makes me think you basically must use a local subnet prefix and do NPTv6 or NAT. I don't see how you could actually use your delegated prefix internally with a L3 routing switch.

You'd probably need to write a DHCPv6 hook script to dynamically write the rules that open ports when using a PD prefix. I'm not aware of any consumer level routers that do that in stock firmware, but I also don't use them. This approach should be possible with VyOS/EdgeOS, probably pfSense and RouterOS too.

It's also possible to use a ULA prefix (fd00::/8) internally alongside your public PD prefix and do your internal ACLs and communication with that. The way source address selection works on IPv6 is that the host will choose a ULA address when the destination is another ULA, and a public address when the destination is another public. Then you don't have to do NPTv6 and you can still do internal routing and ACLs with static prefix.

SamDabbers fucked around with this message at 17:02 on Dec 8, 2021


Rescue Toaster
Mar 13, 2003
Yeah the two 'easiest' scenarios I could come up with still have some weird issues with ACLs:
1) Only use IPv4 for internal traffic and then only a couple subnets that need internet access will get GUA IPv6 addresses straight from the router.
2) Allow ULA IPv6 addresses for internal traffic as well and then the subnets that need internet access do the same as #1, since multiple addresses per interface is no problem.

In either case, writing ACLs when I don't know what my GUA prefix is so that I can disallow inter-VLAN routing except when desired is... not simple? If I want to drop traffic destined for a local IPv6 address on a different subnet. Easy to do for ULA but I can't see how to do it for the GUA addresses. Even in scenario #1, where I normally don't use IPv6 internally at all, the L3 switch still needs to route IPv6 traffic to the edge router, and I can't write an ACL that matches traffic headed to a GUA of another local subnet since I don't know what my prefix is.

It's as if I'd want an iptables netfilter-style rule based on input & output interface rather than just addresses. Allow traffic to & from each internet-connected subnet's vlan interface and the router interface, but not between two vlan interfaces. Or as you say, some automated way to update all the ACLs when the prefix changes.

Everyone seems to say 'ooooh NAT66 is bad, don't use it' and 'ULA is bad, don't use it!' but then in the same breath 'oh yeah ipv6 renumbering is a loving nightmare'. No poo poo, renumbering was a nightmare in IPv4 as well if you were somehow not using NAT. I'll just call up Mediacom and ask pretty please will they give me the same prefix forever.

Rescue Toaster fucked around with this message at 21:23 on Dec 8, 2021

SamDabbers
May 26, 2003



How about blocking all inter-vlan IPv6 and then permitting only ULA traffic? If you use ULA for all internal communications then you can get away with not having to get your PD prefix in your switch ACLs.

IPv6 renumbering isn't so bad with dynamic DNS and host based firewalling instead of perimeter firewalling. IPv6 works well enough with a zero trust network security model but doesn't map as well onto the way we do things with IPv4.

JSON Bourne
Jun 1, 2004
For what it is worth, I was worried about having to renumber things frequently with ipv6 but I've had the same prefix with Comcast for 5+ years now.

Rescue Toaster
Mar 13, 2003

SamDabbers posted:

How about blocking all inter-vlan IPv6 and then permitting only ULA traffic? If you use ULA for all internal communications then you can get away with not having to get your PD prefix in your switch ACLs.

IPv6 renumbering isn't so bad with dynamic DNS and host based firewalling instead of perimeter firewalling. IPv6 works well enough with a zero trust network security model but doesn't map as well onto the way we do things with IPv4.

I might be fundamentally misunderstanding something about IPv6 routing/discovery, but I don't think it's possible on a regular enterprise L3 switch to:

1) Allow a VLAN interface to route traffic to GUA's out in the world via the interface that connects to the router.
2) Block traffic from the same VLAN interface headed to hypothetical GUA's of local devices on another VLAN, unless you have your GUA prefix to put directly into the ACL.

This is even without a ULA scheme at all, if say all your internal traffic was IPv4, or if you had no internal traffic at all, I still don't know how you'd configure a normal L3 switch to do that.
Usually the routing tables are automatically updated with any local interfaces, so it's only via ACLs you can block traffic between VLANs and you must know the subnet prefix.

If you want a subnet/VLAN that can access the internet, as well as a few specific ports on local machines on another subnet, you want an input ACL on that VLAN like:
allow specific inter-subnet traffic (must know the other subnet's prefix to set the full destination ip)
block any other inter-subnet traffic (must know the prefix to block every other subnet)
allow any any (this will be routed out the default gateway if it's a GUA)

Rules like these are easy to write when using NAT and IPv4 or presumably ULA. Maybe you could do something at the routing level? But most L3 switches are fairly dumb at basic routing for local interfaces, and again the prefix may not be static so you can't even write rules/config around them.

JSON Bourne posted:

For what it is worth, I was worried about having to renumber things frequently with ipv6 but I've had the same prefix with Comcast for 5+ years now.

This is a fair counterpoint. I'd want to think through any security implications if the prefix did suddenly change, since prefixes you were trying to block might not be that prefix anymore. Also if you end up having to switch to an ISP that sucks and now you only get a /64 (or smaller!) you're going to have to switch to ULA and NAT66 anyway.

Rescue Toaster fucked around with this message at 01:40 on Dec 9, 2021

SamDabbers
May 26, 2003



Rescue Toaster posted:

I might be fundamentally misunderstanding something about IPv6 routing/discovery, but I don't think it's possible on a regular enterprise L3 switch to:

1) Allow a VLAN interface to route traffic to GUA's out in the world via the interface that connects to the router.
2) Block traffic from the same VLAN interface headed to hypothetical GUA's of local devices on another VLAN, unless you have your GUA prefix to put directly into the ACL.

This is even without a ULA scheme at all, if say all your internal traffic was IPv4, or if you had no internal traffic at all, I still don't know how you'd configure a normal L3 switch to do that.
Usually the routing tables are automatically updated with any local interfaces, so it's only via ACLs you can block traffic between VLANs and you must know the subnet prefix.

If you want a subnet/VLAN that can access the internet, as well as a few specific ports on local machines on another subnet, you want an input ACL on that VLAN like:
allow specific inter-subnet traffic (must know the other subnet's prefix to set the full destination ip)
block any other inter-subnet traffic (must know the prefix to block every other subnet)
allow any any (this will be routed out the default gateway if it's a GUA)

Rules like these are easy to write when using NAT and IPv4 or presumably ULA. Maybe you could do something at the routing level? But most L3 switches are fairly dumb at basic routing for local interfaces, and again the prefix may not be static so you can't even write rules/config around them.

Yeah you're right, the catch all "allow any any" would permit things that you want to deny even if you're using ULA. A DHCPv6 hook to run an Ansible script that rewrites the switch ACLs whenever a new PD prefix is assigned might be the most workable solution for this scenario.
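A sketch of the DHCPv6-PD hook SamDabbers describes, as an added example that is not from the thread: it carves the delegated /56 into per-VLAN /64s, renders the three-rule input ACL Rescue Toaster laid out (explicit permits, deny every other local subnet, allow any any) for both the GUA prefix and a static ULA prefix, and only emits new rules when the prefix actually changed. The VLAN plan, the ULA prefix, the sample flows, the environment variable names and the vendor-neutral rule syntax are all assumptions.

```python
"""Regenerate per-VLAN IPv6 ACL rules when the ISP's delegated prefix changes.

Meant to run as a DHCPv6-PD client hook: the only part of the ACL that goes
stale on renumbering is the set of local GUA /64s, so those are recomputed
from the new prefix while the ULA subnets and the catch-all stay fixed.
Added example, not code from the thread.
"""
import ipaddress
import os
import sys

# Assumed VLAN plan: VLAN id -> subnet index within the delegated /56
# (the "01", "02" of the **:**:**:01:: notation in the thread).
VLANS = {10: 0x01, 20: 0x02, 30: 0x03}
# Constructed ULA prefix; it never changes, so its rules are static.
ULA_PREFIX = "fdb1:2c3d:4e5f::/48"
# Constructed sample policy: clients (VLAN 10) may reach SMB and Plex on the
# NAS VLAN (20); everything else between VLANs is denied.
ALLOWED_FLOWS = [(10, 20, "tcp", 445), (10, 20, "tcp", 32400)]


def vlan_subnets(prefix):
    """Carve one /64 per VLAN out of `prefix` (the PD prefix or the ULA).

    Raises ValueError when the prefix is too small for the plan, which is the
    "new ISP only hands out a /64" case raised in the thread.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError(f"{prefix}: smaller than one /64, cannot subnet")
    available = 2 ** (64 - net.prefixlen)
    base = int(net.network_address)
    subnets = {}
    for vlan, index in VLANS.items():
        if index >= available:
            raise ValueError(f"VLAN {vlan}: index {index:#x} does not fit in {prefix}")
        # Shift the index into the subnet-id bits just above the 64-bit IID.
        subnets[vlan] = ipaddress.IPv6Network((base + (index << 64), 64))
    return subnets


def build_rules(pd_prefix):
    """Ordered rules per VLAN input ACL as (vlan, action, proto, src, dst, dport).

    Order matters on a first-match ACL: explicit permits, then denies for every
    other local subnet (GUA and ULA), then the catch-all that lets the rest
    follow the default route to the router.
    """
    scopes = (vlan_subnets(pd_prefix), vlan_subnets(ULA_PREFIX))
    rules = []
    for vlan in VLANS:
        for scope in scopes:
            src = str(scope[vlan])
            for s, d, proto, port in ALLOWED_FLOWS:
                if s == vlan:
                    rules.append((vlan, "permit", proto, src, str(scope[d]), port))
            for other, dst in scope.items():
                if other != vlan:
                    # Source "any": a host may pick either scope as its source
                    # address, so deny on destination alone.
                    rules.append((vlan, "deny", "ipv6", "any", str(dst), None))
        rules.append((vlan, "permit", "ipv6", "any", "any", None))
    return rules


def render(rules):
    """Vendor-neutral text form (assumed syntax; adapt to the switch's CLI)."""
    lines, current = [], None
    for vlan, action, proto, src, dst, port in rules:
        if vlan != current:
            lines.append(f"ipv6 access-list vlan{vlan}-in")
            current = vlan
        suffix = f" eq {port}" if port is not None else ""
        lines.append(f"  {action} {proto} {src} {dst}{suffix}")
    return "\n".join(lines) + "\n"


def plan(old_prefix, new_prefix):
    """Hook decision: None when nothing changed, else the full new rule set."""
    if old_prefix is not None:
        old = ipaddress.IPv6Network(old_prefix, strict=False)
        if old == ipaddress.IPv6Network(new_prefix, strict=False):
            return None
    return build_rules(new_prefix)


if __name__ == "__main__":
    # Assumed hook contract: the DHCPv6 client exports NEW_PD_PREFIX and, on a
    # renumber, OLD_PD_PREFIX. Real clients name these differently.
    new = os.environ.get("NEW_PD_PREFIX")
    if not new:
        sys.exit("no delegated prefix in the environment")
    rules = plan(os.environ.get("OLD_PD_PREFIX"), new)
    if rules is None:
        print("prefix unchanged; ACLs left alone")
    else:
        print(render(rules), end="")  # feed to Ansible or the switch config push
```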

SplitSoul
Dec 31, 2000

.

SplitSoul fucked around with this message at 09:11 on Dec 12, 2021

CopperHound
Feb 14, 2012

Is there such a thing as a decent basic dual wan router for home use? Looking to failover point to point wireless to dsl. I don't need load balancing.

smax
Nov 9, 2009

CopperHound posted:

Is there such a thing as a decent basic dual wan router for home use? Looking to failover point to point wireless to dsl. I don't need load balancing.

Ubiquiti routers can do this if you don’t mind learning how to set them up. The EdgeRouter line is great.

Suburban Dad
Jan 10, 2007


Well what's attached to a leash that it made itself?
The punchline is the way that you've been fuckin' yourself




I'm looking to set up a network using MoCA since it may be cheaper than paying to run hard lines in my 90's era house with a shitload of coax ports. I'm having a bad connection to the basement using powerline and wifi so this is the next step I thought I might look into but am a bit confused on the initial setup. Can anybody look at this and check if it's right? I don't know what filters or other splitters I might need in the living room, the rest of the rooms should be simple with an adapter it seems. I have a cable modem and a bunch of poo poo in the living room.



E: maybe the line from the wall goes straight to the MoCA adapter IN then OUT to the cable modem and all the poo poo downstream? That may make more sense in my head.

Suburban Dad fucked around with this message at 13:07 on Dec 13, 2021

Dogen
May 5, 2002

Bury my body down by the highwayside, so that my old evil spirit can get a Greyhound bus and ride
You need a filter in your cable box outside to keep your moca signal from escaping, otherwise seems fine

Yeah the moca adapter will have an online filter on it so the split before the adapter isn’t technically correct

Dogen fucked around with this message at 17:21 on Dec 13, 2021

Red_Fred
Oct 21, 2010


Fallen Rib
Hi thread

I have a Ubiquiti UAP running off an ERX. Given that my UAP is now like 9 months out of support and getting pretty old is it worth it to upgrade? What's the best option? I only just realised that that AP doesn't even have 5GHz which would explain why my iPhone seems to only get about 15 Mbps down from a 300/100 Mbps connection.

I'm in a medium-size apartment, have just the one AP and usually have about 12-15 Wi-Fi clients on the go at one time.

:tipshat:

Azhais
Feb 5, 2007
Switchblade Switcharoo
I've been extremely happy with my omada aps

https://www.amazon.com/dp/B09G5H4XS2/

I don't have any of the other omada infrastructure, I configure the wifi via the omada controller software running on one of my sundry windows vms

Beef Of Ages
Jan 11, 2003

Your dumb is leaking.

Azhais posted:

I've been extremely happy with my omada aps

https://www.amazon.com/dp/B09G5H4XS2/

I don't have any of the other omada infrastructure, I configure the wifi via the omada controller software running on one of my sundry windows vms

:same:

I have two Omada APs and like it better than modern ubiquiti gear. Still rolling my ERX for routing/firewall though.

SamDabbers
May 26, 2003



I have a single UAP AC Lite (hanging off an ER-X) and don't feel like running the controller just for it, so I flashed it to OpenWRT. Now I can manage it as a standalone AP, get slightly faster single client throughput, and gained WPA3 capability. This should last me until 6E equipment is affordably available.

That Works
Jul 22, 2006

Every revolution evaporates and leaves behind only the slime of a new bureaucracy


I got a pair of Omada APs for the house and have them wired to my Linksys MR8300 right now. I was able to just go into them through the web browser and set the SSID identical to the current wifi network in the house with no issues.

The plan is to flash the MR8300 to openWRT soon though once I get some other hardware installed. Would there be any reason to also flash the Omada APs to OpenWRT firmware or nah?

Rescue Toaster
Mar 13, 2003

SamDabbers posted:

I have a single UAP AC Lite (hanging off an ER-X) and don't feel like running the controller just for it, so I flashed it to OpenWRT. Now I can manage it as a standalone AP, get slightly faster single client throughput, and gained WPA3 capability. This should last me until 6E equipment is affordably available.

Hey AC Lite WRT buddy. I've been very happy with mine, I'm just running in bridge mode to some VLANs which feed back to the L3 switch to do all the DHCP/isolation/everything. The radar detection works fine too so I've been running on the reserved channels for my 5Ghz no problem.

Speaking of switching off Unifi, copied from the infosec thread:

SlowBloke posted:

Maybe I missed this thru the posting but if you decided to nerd out and have a unifi controller hosted on the cloud or exposed to the web in any way, upgrade to 6.5.54 immediately, any other build is vulnerable to this log4j vuln.

Suburban Dad
Jan 10, 2007


Well what's attached to a leash that it made itself?
The punchline is the way that you've been fuckin' yourself




Suburban Dad posted:

I'm looking to set up a network using MoCA since it may be cheaper than paying to run hard lines in my 90's era house with a shitload of coax ports. I'm having a bad connection to the basement using powerline and wifi so this is the next step I thought I might look into but am a bit confused on the initial setup. Can anybody look at this and check if it's right? I don't know what filters or other splitters I might need in the living room, the rest of the rooms should be simple with an adapter it seems. I have a cable modem and a bunch of poo poo in the living room.



E: maybe the line from the wall goes straight to the MoCA adapter IN then OUT to the cable modem and all the poo poo downstream? That may make more sense in my head.

Trip report: my cable line from outside went directly to the outlet where the modem was at. Cable internet guy had disconnected every other one in the house. We didn't use them but that really throws a wrench in getting this set up correctly. :v: After a bit of troubleshooting, I got it sorted and put in a POE filter where it comes into the house. Internet speed at my basement PC jumped up 10x. :asoiaf:

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe

Red_Fred posted:

Hi thread

I have a Ubiquiti UAP running off an ERX. Given that my UAP is now like 9 months out of support and getting pretty old is it worth it to upgrade? What's the best option? I only just realised that that AP doesn't even have 5GHz which would explain why my iPhone seems to only get about 15 Mbps down from a 300/100 Mbps connection.

I'm in a medium-size apartment, have just the one AP and usually have about 12-15 Wi-Fi clients on the go at one time.

:tipshat:

U6-Lite is great. Just swap them out.

Red_Fred
Oct 21, 2010


Fallen Rib

FunOne posted:

U6-Lite is great. Just swap them out.

This is kind of what I’m thinking given I already have Unifi all rigged up on my NAS. Would it be as simple as just swapping the APs over? Do the new ones auto adopt? I had huge dramas way back getting the UAP to adopt the first time but that was with a new build of Unifi.

Where I am the Ubiquiti gear seems to be about the same price as the TP link stuff too which further pushes me to stick with them.

smax
Nov 9, 2009

Red_Fred posted:

This is kind of what I’m thinking given I already have Unifi all rigged up on my NAS. Would it be as simple as just swapping the APs over? Do the new ones auto adopt? I had huge dramas way back getting the UAP to adopt the first time but that was with a new build of Unifi.

Where I am the Ubiquiti gear seems to be about the same price as the TP link stuff too which further pushes me to stick with them.

You’ll likely need a new PoE injector. The old APs used 24V passive, the new ones use standard 802.3af/at 48V.

RocketLunatic
May 6, 2005
i love lamp.
I have an ER-X connected to a TP-Link router as an access point. It's actually been fine. Solid wifi coverage (even out to the driveway), though I am replacing the wifi soon with an RAX45 from Costco.

I did make a mistake though. I upgraded the ER-X from 1.* firmware to 2.*. It was fine for a while, but in the past week, my ER-X would become unresponsive. I had to reboot it several times. It would work for a bit then just go down randomly. So disappointing. It seemed to be issues with the DHCP/DNS server. I am running NextDNS on there, but I had no issues before upgrading to the 2.* series. And even then, when I did upgrade, it's been fine for a few months. It's kind of strange.

I've downgraded to the 1.* series again. Anyone else see anything like this? Or is it just time to start thinking about a replacement for the ER-X?

smax
Nov 9, 2009

RocketLunatic posted:

I have an ER-X connected to a TP-Link router as an access point. It's actually been fine. Solid wifi coverage (even out to the driveway), though I am replacing the wifi soon with an RAX45 from Costco.

I did make a mistake though. I upgraded the ER-X from 1.* firmware to 2.*. It was fine for a while, but in the past week, my ER-X would become unresponsive. I had to reboot it several times. It would work for a bit then just go down randomly. So disappointing. It seemed to be issues with the DHCP/DNS server. I am running NextDNS on there, but I had no issues before upgrading to the 2.* series. And even then, when I did upgrade, it's been fine for a few months. It's kind of strange.

I've downgraded to the 1.* series again. Anyone else see anything like this? Or is it just time to start thinking about a replacement for the ER-X?

What specific version of the 2.x branch did you have? It was somewhat broken up to 2.0.9, if I remember right.

RocketLunatic
May 6, 2005
i love lamp.

smax posted:

What specific version of the 2.x branch did you have? It was somewhat broken up to 2.0.9, if I remember right.

The latest hot fix. I saw a small dip in throughput from the 1.x series, but it was fine initially. I was using 2.0.9-hotfix-2.

The only thing I tried to enable more recently was IPv6, which Verizon doesn't support at the moment (but will in a month or so). Maybe I misconfigured it or something.

I'm at a loss, but since downgrading, my network has been stable again.

Somaen
Nov 19, 2007

by vyelkin
I'm spoiled by the convenience of corporate firewalls, if I'd like an open source solution/home device without a URL filtering subscription what would be a good option to keep track if Toaster from Kitchen is looking at naughty websites or trying to sell my secrets? Avoiding trolling through syslog, something like a pfsense box that sends logs to an ELK stack?

Arvid
Oct 9, 2005
I have a home network with a UDM PRO plus Unifi switches and APs. I have setup a remote access VPN as seen here:

https://help.ui.com/hc/en-us/articles/115005445768-UniFi-USG-UDM-Configuring-L2TP-Remote-Access-VPN

This works great for accessing my LAN when I'm away from home, both with Windows and Android clients.

I have now started using PS Remote Play to use my PS4 Pro when I'm not at home. Right now I'm able to use it without the VPN but the connection is very unstable as it has to go through Sony's servers on the way.

If I try to connect with the Remote Play client when the VPN connection is active the PS4 can't be found. Apparently this is because the PS4 transmits its presence on the network through broadcast packets on UDP port 987 as described here and these are not transmitted to other subnets on the LAN:

https://www.reddit.com/r/PS4/comments/d3owng/ps4_remote_playing_on_different_lan_segments/

Is it possible to setup the UDM PRO in such a way that the PS4 will be registered on the VPN subnet of my LAN? It seems it can be done with the ER-X router as described on the Reddit link.

smax
Nov 9, 2009

Arvid posted:

Is it possible to setup the UDM PRO in such a way that the PS4 will be registered on the VPN subnet of my LAN? It seems it can be done with the ER-X router as described on the Reddit link.

Phone posting and slightly distracted at the moment so I can’t be a huge amount of help, but do a search for the term “mdns repeater.” I believe it essentially duplicates broadcast traffic across subnets.

Arvid
Oct 9, 2005

smax posted:

Phone posting and slightly distracted at the moment so I can’t be a huge amount of help, but do a search for the term “mdns repeater.” I believe it essentially duplicates broadcast traffic across subnets.

Thank you, I'll try looking into that term.

future ghost
Dec 5, 2005

:byetankie:
Gun Saliva

Somaen posted:

I'm spoiled by the convenience of corporate firewalls, if I'd like an open source solution/home device without a URL filtering subscription what would be a good option to keep track if Toaster from Kitchen is looking at naughty websites or trying to sell my secrets? Avoiding trolling through syslog, something like a pfsense box that sends logs to an ELK stack?
Pfsense with pfblockerng-devel package. Either add DNSBL feeds or category blocking through the package.

Somaen
Nov 19, 2007

by vyelkin

future ghost posted:

Pfsense with pfblockerng-devel package. Either add DNSBL feeds or category blocking through the package.

Aw yeah looks like the stuff that will be great for blocking ads and to follow what the home iot are trying to talk to, thanks!

If I have an ISP router with fiber coming straight to it and 4 rj45, would the most reasonable thing to do be to put a switch after the router, connect a box with pfsense on it to the switch, and make the link between them a trunk with vlan1 being for the ISP uplink and vlan2 (configured on the other switch ports and routed by pfsense) for the local network?

Residency Evil
Jul 28, 2003

4/5 godo... Schumi
Hi thread.

We just moved houses and got Centurylink 1 GB fiber set up. :toot:

Our stuff is still in transit, so my movers have the old setup I used, which was an ER-X + 2 Unifi APs (a Lite and an LR, iirc) that I had running in our old house with the help of a MoCA bridge.

The router that came with our Centurylink is having trouble reaching our basement, which makes sense due to the layout of the house, so it sounds like I may need to recreate my old setup once it gets here. Some questions:

1. Is there any reason to switch out the ER-X to something else? I didn't have too many issues with it at our old house, other than the AP controller software being slightly annoying to have to run whenever I needed to change something (which admittedly was infrequent), and speedtests maxing out at 700ish or so. I wasn't sure if that was due to the ER-X or just wifi in general though.
2. Any reason to upgrade the APs? Looks like new access points have Wifi 6 and WPA3, which I don't believe my old ones support.
3. If I'm looking at upgrading APs, should I just get rid of the Unifi stuff and look at one of the newer mesh networks?

thiazi
Sep 27, 2002

Residency Evil posted:

Hi thread.

We just moved houses and got Centurylink 1 GB fiber set up. :toot:

Our stuff is still in transit, so my movers have the old setup I used, which was an ER-X + 2 Unifi APs (a Lite and an LR, iirc) that I had running in our old house with the help of a MoCA bridge.

The router that came with our Centurylink is having trouble reaching our basement, which makes sense due to the layout of the house, so it sounds like I may need to recreate my old setup once it gets here. Some questions:

1. Is there any reason to switch out the ER-X to something else? I didn't have too many issues with it at our old house, other than the AP controller software being slightly annoying to have to run whenever I needed to change something (which admittedly was infrequent), and speedtests maxing out at 700ish or so. I wasn't sure if that was due to the ER-X or just wifi in general though.
2. Any reason to upgrade the APs? Looks like new access points have Wifi 6 and WPA3, which I don't believe my old ones support.
3. If I'm looking at upgrading APs, should I just get rid of the Unifi stuff and look at one of the newer mesh networks?

ER-X with hardware offload enabled is still plenty powerful for a gigabit connection. If you had speedtest issues over wifi it is likely the APs (or the Moca, unclear where that was in your setup), not the router. 700 on wifi is really solid though, much better than I get with a similar setup. You are unlikely to benefit a lot from new APs unless you know you have a lot of wifi6 gear, and even then probably not a lot of real world difference except in specific scenarios. Basically, if you don’t know you need it then you probably don’t right now.

Residency Evil
Jul 28, 2003

4/5 godo... Schumi

thiazi posted:

ER-X with hardware offload enabled is still plenty powerful for a gigabit connection. If you had speedtest issues over wifi it is likely the APs (or the Moca, unclear where that was in your setup), not the router. 700 on wifi is really solid though, much better than I get with a similar setup. You are unlikely to benefit a lot from new APs unless you know you have a lot of wifi6 gear, and even then probably not a lot of real world difference except in specific scenarios. Basically, if you don’t know you need it then you probably don’t right now.

Thanks, that's helpful. I bought new moca bridges (2.0? 3.0?) at some point which brought speeds up. Sounds like I'll just try to keep using the ER-X for now. I guess the only solution for the Unifi controller is either 1) buy a Dream Machine Pro 2) Buy a cloud key 3) continue using an instance on my laptop when I need it?

clockworkjoe
May 31, 2000

Rolled a 1 on the random encounter table, didn't you?
I recently switched from mediacom cable modem to quantum fiber as my ISP. I have a TP-Link AC190 as my wifi router but Quantum provided a C4000XG modem and wifi router as part of the package. Should I switch to using that as my wifi router or just plug my existing TP-Link into that? I can't really find specs on the X4000XG to compare.

Beef Of Ages
Jan 11, 2003

Your dumb is leaking.

Residency Evil posted:

Thanks, that's helpful. I bought new moca bridges (2.0? 3.0?) at some point which brought speeds up. Sounds like I'll just try to keep using the ER-X for now. I guess the only solution for the Unifi controller is either 1) buy a Dream Machine Pro 2) Buy a cloud key 3) continue using an instance on my laptop when I need it?

I do the latter. Now that I've moved from Unifi to Omada it's simpler, but no need to migrate without a real reason like hardware failure.

ROJO
Jan 14, 2006

Oven Wrangler
So, I upgraded my old Pixel 2 to a Pixel 6, and now that I have Android 12, I see they have deprecated L2TP/IPsec VPN support, which I had been utilizing on my USG4 Pro to get back into my home network. Since it doesn't appear any better VPN support exists within Unifi, even on the UDMs at this point, what is my best option here as I've never run a VPN not on my gateway? In terms of 24/7 clients on my network, I have a PiHole and an RS815 Synology running all the time that I think are technically capable - but they may not be the best solution. My only real requirement is that it needs to be supported in Android 12, iOS, and Windows, preferably natively, but I'm willing to run an app if necessary. Is something running Wireguard the preferred option?

Primary use is remote NAS access for files or Plex - I don't intentionally expose anything to the internet and rely on the VPN to get in and access as if I was local. Would like it to have the capability to at least saturate my 40mbps upstream, which has been a challenge on the USG4 apparently. Thanks in advance.

ROJO fucked around with this message at 22:25 on Dec 20, 2021

IOwnCalculus
Apr 2, 2003





clockworkjoe posted:

I recently switched from mediacom cable modem to quantum fiber as my ISP. I have a TP-Link AC190 as my wifi router but Quantum provided a C4000XG modem and wifi router as part of the package. Should I switch to using that as my wifi router or just plug my existing TP-Link into that? I can't really find specs on the X4000XG to compare.

I would put it in transparent bridge mode, and then let your TPLink handle everything else. You'll probably need to hit up support to get your pppoe credentials first.

ROJO posted:

So, I upgraded my old Pixel 2 to a Pixel 6, and now that I have Android 12, I see they have deprecated L2TP/IPsec VPN support, which I had been utilizing on my USG4 Pro to get back into my home network. Since it doesn't appear any better VPN support exists within Unifi, even on the UDMs at this point, what is my best option here as I've never run a VPN not on my gateway? In terms of 24/7 clients on my network, I have a PiHole and an RS815 Synology running all the time that I think are technically capable - but they may not be the best solution. My only real requirement is that it needs to be supported in Android 12, iOS, and Windows, preferably natively, but I'm willing to run an app if necessary. Is something running Wireguard the preferred option?

Primary use is remote NAS access for files or Plex - I don't intentionally expose anything to the internet and rely on the VPN to get in and access as if I was local. Would like it to have the capability to at least saturate my 40mbps upstream, which has been a challenge on the USG4 apparently. Thanks in advance.

What hardware is your pi-hole on and how is it deployed? I'd run Wireguard on that in your shoes most likely, even a Pi 2 can hit ~100Mbps throughput. Pi-hole has documentation on one way to set it up, though I'm personally a big fan of the LSIO docker version.

ROJO
Jan 14, 2006

Oven Wrangler

IOwnCalculus posted:

I would put it in transparent bridge mode, and then let your TPLink handle everything else. You'll probably need to hit up support to get your pppoe credentials first.

What hardware is your pi-hole on and how is it deployed? I'd run Wireguard on that in your shoes most likely, even a Pi 2 can hit ~100Mbps throughput. Pi-hole has documentation on one way to set it up, though I'm personally a big fan of the LSIO docker version.

RPi 3B+ with a POE hat, running only Pihole currently.

withoutclass
Nov 6, 2007

Resist the siren call of rhinocerosness

College Slice

ROJO posted:

So, I upgraded my old Pixel 2 to a Pixel 6, and now that I have Android 12, I see they have deprecated L2TP/IPsec VPN support, which I had been utilizing on my USG4 Pro to get back into my home network. Since it doesn't appear any better VPN support exists within Unifi, even on the UDMs at this point, what is my best option here as I've never run a VPN not on my gateway? In terms of 24/7 clients on my network, I have a PiHole and an RS815 Synology running all the time that I think are technically capable - but they may not be the best solution. My only real requirement is that it needs to be supported in Android 12, iOS, and Windows, preferably natively, but I'm willing to run an app if necessary. Is something running Wireguard the preferred option?

Primary use is remote NAS access for files or Plex - I don't intentionally expose anything to the internet and rely on the VPN to get in and access as if I was local. Would like it to have the capability to at least saturate my 40mbps upstream, which has been a challenge on the USG4 apparently. Thanks in advance.

On phone but there are guides out for installing wireguard directly on the USG.


Crunchy Black
Oct 24, 2017

by Athanatos
Did Ubiquiti really break something as simple as adding an L2TP network in 6.5? The "Add Network" button just...doesn't do anything, but it knows I've entered info--if I go to leave it prompts me to stay on the page but no error message when "Add Network" is clicked, no error message, nothing. Amazing.
