spog
Aug 7, 2004

It's your own bloody fault.

Don Lapre posted:

A synology that emulates a time capsule.

The 'Time Backup' app on my synology seems to work pretty well.

I've never used a Time Capsule, but I guess it does the same thing.

Plus all the other cool things a Synology can do


SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:

EVIL Gibson posted:

If anyone here has a bum network router just to let you know that can be a good opportunity to learn about jtag or serial communications. I had a router that had a bad firmware flash but the led activity was still going. I used a serial to USB chip I had around (originally for an electronic hackable badge our security group made) to connect to the pins and after some corrections in baud rate and error correction just saw it was stuck in a boot loop for a busybox linux deployment. Pressed enter a couple times and it stopped trying to boot up all services and gave me a login prompt which allowed me to login and flash the firmware manually.

Edit: this is the device I used FT232RL USB TO UART (RS232). Google search for "USB to serial arduino" for more results since the product is usually marketed as the xbee but not always.

https://www.aliexpress.com/wholesale?catId=0&initiative_id=SB_20161027015450&SearchText=rs232+ttl

Cicero
Dec 17, 2003

Jumpjet, melta, jumpjet. Repeat for ten minutes or until victory is assured.
I recently moved to Germany and want a new router. The ISP gave us one that's serviceable but not great, and I have an old Asus N56U, but I want something with great range. Even though we just live in a 2br apartment, the walls in Germany are apparently quite dense and seem to block signals more.

Was looking to stay under $150 or so if possible, so it looks like the Archer C9 is a good bet?

I'm also thinking I'll buy a power line networking set since the phone drop is far away from my desktop.

Don Lapre
Mar 28, 2001

If you're having problems you're either holding the phone wrong or you have tiny girl hands.

spog posted:

The 'Time Backup' app on my synology seems to work pretty well.

I've never used a Time Capsule, but I guess it does the same thing.

Plus all the other cool things a Synology can do

In file services there is a time machine option. The mac thinks it's a time machine/time capsule.

https://www.synology.com/en-global/knowledgebase/DSM/tutorial/Backup_Restore/How_to_back_up_files_from_Mac_to_Synology_NAS_with_Time_Machine

You can even set quotas for the user you use and it will limit the amount of storage time machine will use.

Binary Badger
Oct 11, 2005

Trolling Link for a decade


nm

drk
Jan 16, 2005
So, opening ports to IPv6 hosts on my network... is there a best practice? I could obviously assign devices static IP addresses, but that gets rid of the privacy/security benefits of the fact that my computers frequently change their IPv6 address. I could just default accept incoming IPv6 traffic. I am fairly confident in my end point device firewalls on Linux, but Windows Firewalling is such a hot mess, I'd rather not.

I'm using EdgeOS as my router/firewall, for what it's worth.

CrazyLittle
Sep 11, 2001

Clapping Larry
Best practices at the home level? doubtful.

Lots of ways to skin that problem though:

Static-bind the specific program/service to a unique IPv6 address, and allow inbound access to that address only.
Don't rely on dynamic address allocation as a form of security. "Security through obscurity" isn't secure.

drk
Jan 16, 2005

CrazyLittle posted:

Static-bind the specific program/service to a unique IPv6 address, and allow inbound access to that address only.
Don't rely on dynamic address allocation as a form of security. "Security through obscurity" isn't secure.

Both good points. Unfortunately the application I want to open up doesn't support binding to specific addresses. Not really sure what I was thinking about with the security part, the randomized IPv6 addresses are more of a privacy thing (one less unique thing to be tracked by).

I guess I was hoping there was some clever way my computer could tell the router "drk-laptop is now at IPv6 _____" and I could write a firewall rule opening the port to "drk-laptop".

thebigcow
Jan 3, 2001

Bully!
What service do you want to run? Is this something on port 80 where you may not want everything exposed, or is it some weirdo thing that no other computers are going to have open anyway?

On my network I allow the following on the forward chain from the internet:
  • Established connections
  • Related connections
  • ICMPv6 to keep various things from breaking
  • Work's /48
  • My in-law's /64

thebigcow fucked around with this message at 23:11 on Oct 27, 2016

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
Alias a second, fixed, IP to your network interface? Your general internet traffic should use the primary randomising IP for your privacy, any servers you're running will answer to both IPs but only open the static ip/port combo on the firewalls.

Can your router allow you to define your open ports by MAC address? The open port would then follow a specific machine around as it address hopped.

Pablo Bluth fucked around with this message at 09:23 on Oct 28, 2016

Antillie
Mar 14, 2015

Pablo Bluth posted:

Can your router allow you to define your open ports by MAC address? The open port would then follow a specific machine around as it address hopped.

Unfortunately no. An inbound packet from the internet will be bound for the MAC of the outside interface of your router and the IP of whatever host behind the router is acting as the server. The router then needs to map that IP to a MAC on the internal network. In IPv6 this is handled by neighbor discovery. (assuming the internal network is a simple flat network at layer 3 like most home networks, otherwise the router will make a layer 3 routing decision instead of a layer 2 forwarding decision) The external host has no idea what the MAC of the server is unless you do something fancy at layer 7. But that entails writing your own application protocol. (unless the server is getting its IPv6 address via EUI-64 but that would still require some funky firewall logic that I have never seen as an option on a firewall)

My inbound IPv6 rules at home are:
  • Allow stuff that is already in the state table so I can surf the web and stuff via IPv6.
  • Allow ICMPv6 so various things don't break.
Personally I just use EUI-64 on my LAN because I like being able to find my hosts easily and I just don't care about sites tracking my IP. It's really not much different from them tracking my static IPv4 address anyway. Also I am not worried about some attacker ping scanning my /56, or even the /64 that I actually use for my LAN looking for my machines. Ping scanning even a single /64 takes a hilariously long time. (just over 58,494,241 years at 10,000 pings per second)

Anyway, setting up a second subnet with only static addresses on the LAN is probably the best solution. Then open the port for the static IP and have the server use its dynamic IP for all outbound traffic.

Antillie fucked around with this message at 15:12 on Oct 28, 2016
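The inbound IPv6 policy the posts above converge on (state-table matches, ICMPv6, a trusted prefix, and exactly one static service address opened) as a small added model, not code from the thread. Addresses are constructed from the 2001:db8::/32 documentation prefix; the /48 stands in for "work's /48", and the service, port and host names are assumptions.

```python
# Added example, not from the thread: a small model of the inbound IPv6
# policy the posts above describe (state-table matches, ICMPv6, a trusted
# prefix, and one static service address), showing why a probe aimed at the
# host's rotating privacy-extension address is dropped while the static
# address still serves. Addresses are constructed from the 2001:db8::/32
# documentation prefix; the /48 stands in for "work's /48".
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network


@dataclass(frozen=True)
class Packet:
    src: str            # source IPv6 address
    dst: str            # destination IPv6 address
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0


# Hypothetical server: a static address that the one service is bound to,
# and a privacy-extension address it uses for everything outbound.
SERVER_STATIC = "2001:db8:1::10"
SERVER_TEMP = "2001:db8:1:0:a1b2:c3d4:e5f6:789a"
OPEN_SERVICES = {(SERVER_STATIC, "tcp", 22)}            # (dst, proto, port)
TRUSTED_PREFIXES = [IPv6Network("2001:db8:ffff::/48")]  # e.g. work's /48


class StatefulFilter:
    """Inbound filter for the WAN interface, evaluated in rule order."""

    def __init__(self):
        self.state = set()   # flows a LAN host initiated (5-tuples)

    def note_outbound(self, pkt: Packet) -> None:
        # A stateful firewall records outbound flows so that the reply,
        # seen with src/dst swapped, matches as "established".
        self.state.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))

    def inbound(self, pkt: Packet) -> str:
        if (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.state:
            return "accept:established"
        if pkt.proto == "icmpv6":        # keep PMTUD / NDP from breaking
            return "accept:icmpv6"
        if any(IPv6Address(pkt.src) in p for p in TRUSTED_PREFIXES):
            return "accept:trusted-prefix"
        if (pkt.dst, pkt.proto, pkt.dport) in OPEN_SERVICES:
            return "accept:static-service"
        return "drop"                    # default action


def demo() -> dict:
    """Run the scenarios from the discussion and return verdicts by name."""
    fw = StatefulFilter()
    internet = "2001:db8:dead::1"        # constructed outside host
    work = "2001:db8:ffff:7::5"          # constructed host inside the /48
    # 1. LAN host browses out from its privacy address; the reply returns.
    fw.note_outbound(Packet(SERVER_TEMP, internet, "tcp", 51000, 443))
    reply = Packet(internet, SERVER_TEMP, "tcp", 443, 51000)
    # 2. An unsolicited connection to the privacy address on the open port.
    probe_temp = Packet(internet, SERVER_TEMP, "tcp", 40000, 22)
    # 3. A connection to the static service address.
    to_static = Packet(internet, SERVER_STATIC, "tcp", 40001, 22)
    # 4. Another port on the static address that was never opened.
    other_port = Packet(internet, SERVER_STATIC, "tcp", 40002, 80)
    # 5. ICMPv6 (e.g. packet too big) and traffic from the trusted /48.
    icmp = Packet(internet, SERVER_TEMP, "icmpv6")
    from_work = Packet(work, SERVER_TEMP, "tcp", 40003, 3389)
    return {
        "reply": fw.inbound(reply),
        "probe_temp": fw.inbound(probe_temp),
        "to_static": fw.inbound(to_static),
        "other_port": fw.inbound(other_port),
        "icmp": fw.inbound(icmp),
        "from_work": fw.inbound(from_work),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```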

knowonecanknow
Apr 19, 2009

Ambition must be made to counteract ambition.
Is this the place to come for questions on how come my bonded linux network connection isn't working with my cisco switch LACP and doing weird things instead?

Internet Explorer
Jun 1, 2005

You could ask it here, but I'd probably suggest the Cisco thread instead.

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.

Antillie posted:

Unfortunately no. An inbound packet from the internet will be bound for the MAC of the outside interface of your router and the IP of whatever host behind the router is acting as the server. The router then needs to map that IP to a MAC on the internal network. In IPv6 this is handled by neighbor discovery. (assuming the internal network is a simple flat network at layer 3 like most home networks, otherwise the router will make a layer 3 routing decision instead of a layer 2 forwarding decision) The external host has no idea what the MAC of the server is unless you do something fancy at layer 7. But that entails writing your own application protocol. (unless the server is getting its IPv6 address via EUI-64 but that would still require some funky firewall logic that I have never seen as an option on a firewall)
I didn't mean to suggest using the mac in that sense. Just that if your router allowed firewall rules to be defined by the mac and not ip address, then as the machine jumped around addresses, the open port on the firewall would follow it. Combine with some dynamic DNS for easy addressing.

e.pilot
Nov 20, 2011

sometimes maybe good
sometimes maybe shit

Krakkles posted:

What's better? Airport base station + external hard drive or Time Capsule?

Cost is no object, reliability and functionality are king.

base station and a hard drive if those are your only two options

Don Lapre posted:

A synology that emulates a time capsule.
This is the better option, or pick up an old Mac Mini off of eBay and load up osx server on it.

Triikan
Feb 23, 2007
Most Loved
Is most any router capable of routing a gigabit internet connection? Getting gigabit fiber through ATT and wondering if I'll need to upgrade my e4200 (running DD-WRT) now or if I can wait until I get more AC capable devices.

I'm only talking wired performance, btw. Will my old rear end router need replacing? I'll be getting some sort of router device from ATT, so I can always go with it for now, but I'm guessing it's going to be a subpar piece of equipment, if my past experience with them holds true.

Triikan fucked around with this message at 05:12 on Oct 30, 2016

CrazyLittle
Sep 11, 2001

Clapping Larry
You might as well wait and see if it works before spending any money.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Triikan posted:

Is most any router capable of routing a gigabit internet connection? Getting gigabit fiber through ATT and wondering if I'll need to upgrade my e4200 (running DD-WRT) now or if I can wait until I get more AC capable devices.

I'm only talking wired performance, btw. Will my old rear end router need replacing? I'll be getting some sort of router device from ATT, so I can always go with it for now, but I'm guessing it's going to be a subpar piece of equipment, if my past experience with them holds true.

You won't need another router with the ATT gigabit. You have to use their equipment. You'll probably get an AC capable router anyway from them. I have a Pace 5268AC and haven't had any problems. The Arris NVG599 is the other router they deploy last I heard.

I have the service and have no problem pulling gig speeds from places that can actually provide it. Most places can't though.

http://www.speedtest.net/my-result/5562596218

Internet Explorer
Jun 1, 2005

With Comcast starting to actually enforce their bandwidth caps ($200 fee for going over by even 1 GB!?!?!) and evidence mounting that their measurements can be inaccurate, I wanted to start monitoring my bandwidth at home. I have an ERL and I'm not seeing any way to do it in their firmware. It looks like I can enable NetFlow and use something like PRTG, but that seems like overkill. Anyone have any suggestions?

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

Internet Explorer posted:

With Comcast starting to actually enforce their bandwidth caps ($200 fee for going over by even 1 GB!?!?!) and evidence mounting that their measurements can be inaccurate, I wanted to start monitoring my bandwidth at home. I have an ERL and I'm not seeing any way to do it in their firmware. It looks like I can enable NetFlow and use something like PRTG, but that seems like overkill. Anyone have any suggestions?

I was literally just going to ask this question for a different reason.

I was hoping I could get bandwidth usage by month from the ERL. I've been too lazy in the past to set up SNMP monitoring and now that's bit me in the rear end because I want to figure out how much bandwidth I use while I shop around for a VPN service...

Anyway, one answer to your question is to use InfluxDB + Grafana. It's not any simpler than PRTG, but it's better in almost every way.

smax
Nov 9, 2009

Internet Explorer posted:

With Comcast starting to actually enforce their bandwidth caps ($200 fee for going over by even 1 GB!?!?!) and evidence mounting that their measurements can be inaccurate, I wanted to start monitoring my bandwidth at home. I have an ERL and I'm not seeing any way to do it in their firmware. It looks like I can enable NetFlow and use something like PRTG, but that seems like overkill. Anyone have any suggestions?

People have been asking for this feature on Ubiquiti's forums for a while, but it hasn't been implemented yet. Their reasoning is that they don't want to log it locally since the high volume of writes needed to track the data will kill the flash drives they use pretty quickly. I'm hoping they implement it with the option to use a network volume for storage or something.

Internet Explorer
Jun 1, 2005

They should stop being jerks and just make it so that it can talk to the Unifi controller and store it there.

Krailor
Nov 2, 2001
I'm only pretending to care
Taco Defender

Internet Explorer posted:

They should stop being jerks and just make it so that it can talk to the Unifi controller and store it there.

But then that would defeat the $10 premium they charge for the security gateway.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

This doesn't exactly fit in this thread, but as far as I can tell there's not a perfect thread to ask, so I'll start here.

I've got OpenVPN running on a DigitalOcean server, and the OpenVPN client on my Windows 10 PC. I used this guide pretty much exactly, except I used Google's DNS servers, not OpenDNS's.

Everything mostly works fine, and after adding block-outside-dns to my client configuration I have no DNS leaks.

The one issue I have is that whenever I navigate to a site in my browser, the browser says "Resolving host..." for 1-5 seconds. I guess DNS lookups are slow for some reason, but I have no idea how to figure out the issue.

Any pointers?


edit: Solved. I had to do this.

Thermopyle fucked around with this message at 18:53 on Nov 1, 2016

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!
Any opinion on powerline network transceivers? I've read about this TP-Link AV2000 that ostensibly can do up to 2GBit over your electrical copper. --edit: Nevermind. Some review mentions 430MBit practical when used in the same room. Lame.

Combat Pretzel fucked around with this message at 00:14 on Nov 4, 2016

Antillie
Mar 14, 2015

Pablo Bluth posted:

I didn't mean to suggest using the mac in that sense. Just that if your router allowed firewall rules to be defined by the mac and not ip address, then as the machine jumped around addresses, the open port on the firewall would follow it. Combine with some dynamic DNS for easy addressing.

That would be possible on a flat layer 3 network. But it would require the router to perform NAT before firewall rule filtering. This would slow things down as normally, by performing firewall rule filtering first, not all traffic needs to be processed by NAT. So the router would either be slower or more expensive, both things that are hard to justify in the highly competitive home router market.

On something more complex than a simple flat layer 3 network it just wouldn't be possible at all outside of the EUI-64 edge case (which only applies to IPv6). But since EUI-64 addresses are basically static anyway at that point you may as well just allow things by IP instead. I think this is actually just as much of an issue as the cost/performance problem. It would be very hard for users/customers to understand why a feature of their router doesn't work any more once they add a second router to the mix. I am thinking of the home office/small business case here where people may need something a bit more complex than a flat layer 3 network but don't have a dedicated networking guy on staff to take care of it or the budget for "real" networking hardware. Providing wifi at the local coffee shop, bar, library, or whatever is a surprisingly large portion of the market for consumer grade stuff.

Antillie fucked around with this message at 14:51 on Nov 4, 2016

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
The router will have an ARP table of LAN side macs and corresponding IP addresses. Use that to convert a list of mac-port rules into a dynamically updating set of ip-port rules that the firewall will implement. It would obviously be limited to interfaces in direct contact with the router and not machines further down a chain.

Pablo Bluth fucked around with this message at 16:10 on Nov 4, 2016

Antillie
Mar 14, 2015

Pablo Bluth posted:

The router will have an ARP table of LAN side macs and corresponding IP addresses. Use that to convert a list of mac-port rules into a dynamically updating set of ip-port rules that the firewall will implement. It would obviously be limited to interfaces in direct contact with the router and not machines further down a chain.

Doable but it would require reloading the firewall rules every time the ARP table changed. Which can be pretty frequently. So I am not sure it would be any better from a performance perspective than just doing NAT first. And while the rules are being reloaded you can't process traffic at all. Usually that doesn't matter, but if there are enough rules and/or if they get reloaded often enough it can cause issues.

In fact, now that I think about it some more what happens when a server with a port forwarded to it by MAC has more than one IP? Now you have two IPs with the same MAC in the ARP table. How would the router handle that? Sure you can send the packet to the server on layer 2 but if you get the layer 3 address wrong the application on the server (IIS/Apache bindings come to mind here, but there are others) will ignore the packet. I guess you could try going by which ARP entry is newer, but that won't always be correct if the server has more than one IP and is talking on both of them.

There just seem to be too many "gotchas" for this to really be feasible as a reliable feature.

Antillie fucked around with this message at 19:29 on Nov 4, 2016

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
The original question that prompted my suggestion was talking about firewall ports on an IPv6 setup. It's clearly not a solution suitable to NAT/port-forwarding. On an IPv6 firewall, multiple IPs on a MAC address would simply result in open ports to all the IPs on an interface.

Up till now, MAC based firewall rules have clearly not been a worthwhile idea. However as more people transition to IPv6, I think there will be an increase in the number of people who find themselves wanting a solution that provides a 'set and forget' firewall configuration in conjunction with the IP address hopping privacy extensions. On a computer using a second static IP is going to be the simplest solution, but that's not always going to be possible (I believe P.E. can't be turned off on android for example). Either you say tough, implement something UPnP-style where the device can inform the firewall to update to a new IP, or set up the firewall based on some identifier other than IP.
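Pablo Bluth's neighbor-table idea and the gotcha Antillie raises (a MAC holding several addresses gets all of them opened), as an added example that is not code from the thread. The neighbor table is a constructed snapshot in `ip -6 neigh` text format, and the emitted commands follow the EdgeOS/Vyatta `set firewall ipv6-name` syntax as an assumption about that CLI, not something the thread states.

```python
# Added example, not from the thread: a generator for the MAC-keyed rules
# Pablo Bluth proposes, driven by a neighbor-table snapshot, which also
# shows the problem Antillie raises: a MAC with several addresses gets
# every one of them opened, the privacy-extension address included.
# The neighbor table is constructed in `ip -6 neigh` text format; the
# emitted commands follow EdgeOS/Vyatta `set firewall ipv6-name` syntax and
# are an assumption about that CLI, not taken from the thread.
from ipaddress import IPv6Address

# Constructed snapshot: one host with a static, a temporary and a link-local
# address on the same MAC, a second host with one address, and a FAILED
# entry (no lladdr) as `ip -6 neigh` prints it.
NEIGH_TABLE = """\
2001:db8:1::10 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1:0:a1b2:c3d4:e5f6:789a dev eth1 lladdr 00:11:22:33:44:55 STALE
fe80::211:22ff:fe33:4455 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::20 dev eth1 lladdr 66:77:88:99:aa:bb REACHABLE
2001:db8:1::30 dev eth1 FAILED
"""

# "Open tcp/22 to whichever addresses this MAC currently holds."
MAC_RULES = {"00:11:22:33:44:55": [("tcp", 22)]}


def parse_neigh(text: str) -> dict:
    """Map MAC -> list of global IPv6 addresses from `ip -6 neigh` output."""
    by_mac = {}
    for line in text.splitlines():
        fields = line.split()
        # FAILED/INCOMPLETE entries carry no lladdr and are skipped.
        if len(fields) < 5 or fields[3] != "lladdr":
            continue
        addr = IPv6Address(fields[0])
        if addr.is_link_local:      # never reachable from the WAN anyway
            continue
        by_mac.setdefault(fields[4].lower(), []).append(str(addr))
    return by_mac


def render_rules(by_mac: dict, mac_rules: dict,
                 ruleset: str = "WANv6_IN", start: int = 100) -> list:
    """Expand MAC-keyed rules into one per-address accept rule each."""
    cmds, num = [], start
    for mac, services in mac_rules.items():
        for addr in by_mac.get(mac, []):
            for proto, port in services:
                base = f"set firewall ipv6-name {ruleset} rule {num}"
                cmds += [
                    f"{base} action accept",
                    f"{base} protocol {proto}",
                    f"{base} destination address {addr}",
                    f"{base} destination port {port}",
                ]
                num += 10
    return cmds


def opened_addresses(cmds: list) -> list:
    """Which destination addresses the rendered rules expose."""
    return [c.split()[-1] for c in cmds if "destination address" in c]


if __name__ == "__main__":
    rules = render_rules(parse_neigh(NEIGH_TABLE), MAC_RULES)
    print("\n".join(rules))
    # The temporary address is exposed alongside the static one, and the
    # whole set has to be regenerated each time the neighbor table changes.
    print("exposed:", opened_addresses(rules))
```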

Golluk
Oct 22, 2008
Seems my old D-link DIR-655 is starting to die. Looks like I'm looking at either a TP-Link Archer C7, or a Edgerouter lite. The Edgerouter does look nice, but it's $90 vs $150. Fairly general use here. Average sized home, 4 users. mostly gaming, streaming, and a NAS. Last I checked I'm getting up to 20 devices, about 8 are wired. Any nice features of the Edgerouter I should know about? It looks like it shows active network traffic for the connected devices, which would be nice to narrow down which device is eating up bandwidth at any given time.

Edit: Right... no wifi on the edge. Think I'll go with the TP-link C7 then.

Golluk fucked around with this message at 21:03 on Nov 5, 2016

Krailor
Nov 2, 2001
I'm only pretending to care
Taco Defender

Golluk posted:

Seems my old D-link DIR-655 is starting to die. Looks like I'm looking at either a TP-Link Archer C7, or a Edgerouter lite. The Edgerouter does look nice, but it's $90 vs $150. Fairly general use here. Average sized home, 4 users. mostly gaming, streaming, and a NAS. Last I checked I'm getting up to 20 devices, about 8 are wired. Any nice features of the Edgerouter I should know about? It looks like it shows active network traffic for the connected devices, which would be nice to narrow down which device is eating up bandwidth at any given time.

Edit: Right... no wifi on the edge. Think I'll go with the TP-link C7 then.

Another option is the Edgerouter-X paired with a UAP-AC-Lite; that should come to about $130.

Although the C7 is a perfectly fine choice as well.

Krime
Jul 30, 2003

Somebody has to do the scoring around here.
I picked up a SB6190 and Archer C9 after using Comcast's router/modem for 2 years and my life is much better now.

Thanks thread.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Krailor posted:

Another option is the Edgerouter-X paired with a UAP-AC-Lite; that should come to about $130.

This is what I am using. Rock solid and customizable.

Golluk
Oct 22, 2008

Moey posted:

This is what I am using. Rock solid and customizable.

Going off Amazon.ca, it looks closer to 200 CAD for both.

One thing I noticed about the C7, is it doesn't have NAT, but Stateful packet inspection for security. Can't say I'm familiar with that though.

grymwulf
Nov 29, 2013

What? Was it something I said?

Golluk posted:

One thing I noticed about the C7, is it doesn't have NAT, but Stateful packet inspection for security. Can't say I'm familiar with that though.

Pretty much every consumer router that does ipv4 (hell every router I know of) does NAT, it wouldn't work otherwise on most consumer ISP connections.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I just upgraded CenturyLink service which includes a new modem/router combo, the C2100t. I've also got PrismTV that goes through it as well, so I can't just totally disable the router part I think.

Looking through the settings, and comparing it to my current router, the Asus RT-N65u, it looks comparable. It's got what I care about: dual band wireless, port forwarding, and DNS host mapping (my needs are simple). It appears to have enough power to cover the whole house including the backyard (this last part is important to me). I previously had my router at the back of the house to give coverage to the backyard, and now it's back at the front because reasons, but I still get a connection on the backyard. Would I have to turn in my nerd card if I just used the ISP device and leave it at that?

E: I lied! It does dns mapping but it won't let me name my public domain name to an internal IP!
E2: It supports public domain names, but it just doesn't think my .us domain is a valid one!

FISHMANPET fucked around with this message at 00:22 on Nov 7, 2016

Golluk
Oct 22, 2008

grymwulf posted:

Pretty much every consumer router that does ipv4 (hell every router I know of) does NAT, it wouldn't work otherwise on most consumer ISP connections.

First I've heard of it, but I'm going by this line in Tom's Guide review " It has a stateful packet inspection firewall, but not a network address translation one — most routers have both..."

http://www.tomsguide.com/us/tp-link-archer-c7-router,review-3289.html Under Security and Parental controls section.

grymwulf
Nov 29, 2013

What? Was it something I said?

Golluk posted:

First I've heard of it, but I'm going by this line in Tom's Guide review " It has a stateful packet inspection firewall, but not a network address translation one — most routers have both..."

http://www.tomsguide.com/us/tp-link-archer-c7-router,review-3289.html Under Security and Parental controls section.

We seem to be talking about different things then - it does NAT, but there is no specific NAT firewall, and you should never trust NAT to be your firewall - all it does is obfuscate your internal network. It isn't really a firewall - it does do NAT, and they may have set it up incorrectly to bypass it.

http://security.stackexchange.com/questions/8772/how-important-is-nat-as-a-security-layer

Antillie
Mar 14, 2015

grymwulf posted:

We seem to be talking about different things then - it does NAT, but there is no specific NAT firewall, and you should never trust NAT to be your firewall - all it does is obfuscate your internal network. It isn't really a firewall - it does do NAT, and they may have set it up incorrectly to bypass it.

This man is correct. NAT is not a security feature and should not be treated as one. Security is provided by a stateful firewall, which often runs along side NAT in most home routers.


Antillie
Mar 14, 2015

Pablo Bluth posted:

On an IPv6 firewall, multiple IPs on a MAC address would simply result in open ports to all the IPs on an interface.

This would be terrible for security and would defeat one of the most common reasons servers often have more than one IP on the same interface.

Pablo Bluth posted:

Up till now, MAC based firewall rules have clearly not been a worthwhile idea. However as more people transition to IPv6, I think there will be an increase in the number of people who find themselves wanting a solution that provides a 'set and forget' firewall configuration in conjunction with the IP address hopping privacy extensions. On a computer using a second static IP is going to be the simplest solution, but that's not always going to be possible (I believe P.E. can't be turned off on android for example). Either you say tough, implement something UPnP-style where the device can inform the firewall to update to a new IP, or set up the firewall based on some identifier other than IP.

Yes people will want a "set and forget" solution. But no secure solution like that really exists right now. At the moment the choices are:

A. Set a static IP and forfeit the privacy extension stuff for your server traffic.
B. Use UPnP/NAT-PMP and forfeit internal firewall security.
C. Don't be a server.

Currently the industry is going with option A because it's not really any different than IPv4 which everyone is used to and knows how to deal with. Additionally option B would run afoul of PCI/HIPAA/GLBA/<industry specific regulatory compliance requirement> and option C would mean not being in business.

Now if they designed some new version of UPnP or NAT-PMP that implemented strong authentication then we could have the best of both worlds. But then you have to setup some sort of password or something that would be shared between the firewall and the internal hosts, ideally a different password for each internal host on the LAN that needs to open ports. So "set and forget" ease of use starts to go out the window at that point.

For home use option B is probably the best choice. UPnP/NAT-PMP were created expressly to solve this issue in a home LAN situation where security is a secondary concern to ease of use.

Antillie fucked around with this message at 17:19 on Nov 7, 2016
