Red_Fred
Oct 21, 2010


Fallen Rib
Is there a recommended Ethernet router at the moment? The OP is quite old. I'm not in NA if that is relevant.


Red_Fred
Oct 21, 2010


Fallen Rib
Sorry forgot to mention I need WiFi too. Very small range to cover though (studio apartment).

Red_Fred
Oct 21, 2010


Fallen Rib
How hard would it be for a non-technical person to configure an EdgerouterX? I'm tossing up if I should get that and use an old combo WiFi/router as an AP or just get the Archer C5.

I've read some things that say that EdgeOS is not easy and you're forced to use the CLI at times, although maybe it used to be like that?

I really like the idea of how small, cheap and powerful the EdgerouterX is but don't want to not be able to use it properly.

Red_Fred
Oct 21, 2010


Fallen Rib

Prescription Combs posted:

There are a lot of general guides on how to do basic setup on the Ubiquiti forums.

https://community.ubnt.com/t5/EdgeMAX/bd-p/EdgeMAX

Newer code also has a setup wizard to get you going.

Alright I'm going to do it! What is the cheapest decent AP? I know everyone recommends the Ubiquiti ones but they are quite pricey (considering where I am the X + UniFi AP would be more than just buying the Archer C5). It's only for a small studio apartment that will have an Android phone and maybe some other phones when people come over, nothing else really.

Red_Fred
Oct 21, 2010


Fallen Rib
I'm going to try and use my old DSL router/modem/WiFi device as an AP until I get around to buying one. Will it be as simple as disabling the routing functionality and connecting it via a LAN port to my ERX?

My internet hasn't been sorted yet but I'm guessing if I can ping from my ERX through to the AP I should be good? Assuming the ERX is all set up correctly (used the wizard, WAN+LAN).

Red_Fred
Oct 21, 2010


Fallen Rib

Internet Explorer posted:

That should do it. Make sure you disabled DHCP on the old DSL router/modem/WiFi.

Looks like this won't work as this router seems to be locked to the old provider. Just gives me an error message when I try and connect to it. I'll try again when I actually have an internet connection.

Red_Fred
Oct 21, 2010


Fallen Rib
My fibre is finally being delivered Friday next week (only 7+ weeks!) and I'm setting up my EdgerouterX. Is it worth having another subnet? Should I have my WiFi on a separate subnet than my computer? Seems like it would be much easier to have it all on one subnet just not sure if this is best practise.

Red_Fred
Oct 21, 2010


Fallen Rib

Antillie posted:

Yeah pretty much. If you need these things, you will already know that you need them because your PCI/HIPAA compliance auditor told you or the network engineer handling the project told you.

I figured that was the case just wanted to check. I was talking about subnets actually, not vlans but it's a similar concept I guess.

Red_Fred
Oct 21, 2010


Fallen Rib
Fibre finally got delivered this morning. Confused myself by pre-configuring my ERX but after a factory reset and re-configure everything is perfect. That literally took less than 5 minutes which is awesome.

I used the wizard which sets up the default/basic firewall. Are there any rules that would be good to add? I assume the basic setup is well, basic and may need some good practise tweaks.

Red_Fred
Oct 21, 2010


Fallen Rib

Internet Explorer posted:

The way it is set up in the wizard blocks all inbound connections that have not been initiated by a source on your network, so you are good unless you find yourself needing to open (and forward) ports for hosting a game or something along those lines.

Excellent so provided my devices aren't infected I should be all good then.

Red_Fred
Oct 21, 2010


Fallen Rib
Thanks! My final question is what's the best way to accurately test my connection speed?

Red_Fred
Oct 21, 2010


Fallen Rib
That gives me pretty bizarre results. Got close to my stated speed on one then 2 Mbps on the next two. I have a 100/20 fibre connection but the nearest server for that is Australia and I'm in New Zealand so it might just be that?

Red_Fred
Oct 21, 2010


Fallen Rib
I just got given a Ubiquiti UAP and the 24v POE adapter (score!) Am I correct in thinking I can power the AP and my ERX by connecting the POE adapter between my fibre termination and port 0 of the ERX and then connect the AP to port 4? Is POE all enabled by default in the ERX? Can you have the power plug and the POE connected at the same time? I don't want to fry anything.

Red_Fred
Oct 21, 2010


Fallen Rib
Downbuzz aspect of Unifi Controller is that it needs Java. I deleted Java a few months back because I didn't need it and it sucks. It now apparently has crapware built in to the installer. Good work Oracle.

Red_Fred
Oct 21, 2010


Fallen Rib
Awesome I'll give it a shot tonight. It took me like 2 hours last night to get the AP going but that was mainly issues with the Windows firewall and the Unifi controller.

I assume you don't want the ERX connected to the POE and power adapter at the same time? I'm just thinking about the workflow of cutting this over.

Red_Fred
Oct 21, 2010


Fallen Rib

bolind posted:

Correct. One or the other. Although I'm pretty sure the HW designers have thought about this.

Seems to be working however the port0 seems to only be 100m now, is this expected? Or is my POE injector poo poo? Shouldn't matter as my connection is only 100m but still.

Red_Fred
Oct 21, 2010


Fallen Rib
My internet termination is 1gig for sure as it was when I was using the power adapter. My 24v POE is from an older UAP so maybe it's just that?

Red_Fred
Oct 21, 2010


Fallen Rib

CrazyLittle posted:

The old injectors are 100mbit

Ah right, thanks. Any idea if a UAP will run off the ERX via POE and the standard power plug?

Red_Fred
Oct 21, 2010


Fallen Rib

Viper_3000 posted:

Yeah, you need a different wall adapter than the one it ships with IIRC. the ER-X uses 5W and the UAP can use up to 6.5W, so you need something that can handle that.

Bummer. Looks like I'll just end up running the ERX off the wall plug and the UAP off the POE. Not the most elegant but saves me buying another POE injector.

Red_Fred
Oct 21, 2010


Fallen Rib
Hi thread. I recently got an IP camera which I would like to block from going to the Internet except for getting to some Time servers. Can someone please sanity check my settings:

Static map for the device:


FW ruleset:


FW interface setup:


Are those all working as I expect? How do I add an exception for some specific urls?

Red_Fred fucked around with this message at 05:09 on Feb 2, 2019

Red_Fred
Oct 21, 2010


Fallen Rib

smax posted:

Add Allow rules for the traffic you want above that block rule you already created, use the same format but set the destination as the addresses you want it to access.

If you want to do this for multiple devices, I believe there’s a way to define lists of multiple addresses, so you only have to reference that list in your rules rather than define each one separately.

I'll try this for a couple of servers and see what happens. I've just noticed that there is an option in the camera to set NTP server from Dynamic IP, does this mean my router would just give it the time? Even if the IP is set as a static IP?

Thanks Ants posted:

Is that rule actually working? Surely by the time it's leaving the PPPoE interface then it's not going to have the internal IP on any more.

I think you might be better off doing this as an inbound rule into the LAN interface, but a packet capture will confirm it.

It seems like it is as my IP camera can't seem to sync the right time if I don't set it manually. I don't know how to do a packet capture :shrug:

Red_Fred
Oct 21, 2010


Fallen Rib

wolffenstein posted:

Since Red's using an EdgeRouter, it has a built-in time server. So write a destination NAT rule to forward all non-router NTP requests to the router.

edit: here have my ntp rule


Thought that might work. So the IP should be of the device I want to use the NTP and the interface the same right? So 192.168.1.59 and eth1 in my case.

Red_Fred
Oct 21, 2010


Fallen Rib

smax posted:

Add Allow rules for the traffic you want above that block rule you already created, use the same format but set the destination as the addresses you want it to access.

If you want to do this for multiple devices, I believe there’s a way to define lists of multiple addresses, so you only have to reference that list in your rules rather than define each one separately.

Hey I did this but it still seems to block everything:



If I change the bottom rule to accept my camera picks up the time properly otherwise it doesn't. When I do a packet capture with it set as above I just get broadcast packets and nothing else.

Red_Fred
Oct 21, 2010


Fallen Rib

H2SO4 posted:

Do you have those IPs hardcoded into the camera or are you using the DNS names? Because if you're using DNS it's both (1) being blocked by the firewall rules and (2) not guaranteed to return those IPs as those records usually rotate through a big list of IPs.

Aha. Yeah the camera only lets me select the URL and not put in an IP. Can I make my firewall rules a set of IPs or just the URL?
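
An added illustration of the failure H2SO4 describes above (not part of anyone's post, and not EdgeOS code): a small first-match rule evaluator showing why allow rules pinned to NTP addresses still leave a hostname-configured camera unable to sync. The camera address 192.168.1.59 is from the thread; the rule layout, default action, resolver and NTP addresses are constructed placeholders from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# 192.168.1.59 is the camera address from the thread. Everything else here is
# constructed: documentation-range IPs stand in for the resolver and NTP hosts.
CAMERA = "192.168.1.59"
RESOLVER = "198.51.100.53"                 # assumed external DNS server
PINNED_NTP = ["192.0.2.10", "192.0.2.11"]  # addresses typed into the allow rules
ROTATED_NTP = "203.0.113.7"                # what the pool name returns on a later lookup

@dataclass
class Rule:
    action: str                  # "accept" or "drop"
    src: str                     # source, CIDR
    dst: str = "0.0.0.0/0"       # destination, CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

def evaluate(rules, default, src, dst, proto, dport):
    """Ordered ruleset: the first matching rule decides, else the default action."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, r in enumerate(rules, 1):
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in (None, proto) and r.dport in (None, dport)):
            return r.action, number
    return default, None

# Allow rules for the pinned NTP addresses sit above the camera-wide drop.
PINNED_ONLY = [Rule("accept", f"{CAMERA}/32", f"{ip}/32", "udp", 123) for ip in PINNED_NTP]
PINNED_ONLY.append(Rule("drop", f"{CAMERA}/32"))

# Same ruleset with one more allow on top so the camera can resolve names.
WITH_DNS = [Rule("accept", f"{CAMERA}/32", f"{RESOLVER}/32", "udp", 53)] + PINNED_ONLY

def camera_sync(rules, resolved_ip, default="accept"):
    """A camera configured with a hostname: DNS lookup first, then NTP to the answer."""
    if evaluate(rules, default, CAMERA, RESOLVER, "udp", 53)[0] == "drop":
        return "dns-blocked"
    if evaluate(rules, default, CAMERA, resolved_ip, "udp", 123)[0] == "drop":
        return "ntp-blocked"
    return "synced"

if __name__ == "__main__":
    print(camera_sync(PINNED_ONLY, PINNED_NTP[0]))  # lookup never leaves the network
    print(camera_sync(WITH_DNS, ROTATED_NTP))       # name resolved, answer not pinned
    print(camera_sync(WITH_DNS, PINNED_NTP[0]))     # works only while the answer matches
```

The last case succeeds only while the pool happens to return a pinned address, which is why pointing the camera's NTP at the router's own time server, as suggested earlier in the thread, sidesteps both failures.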

Red_Fred
Oct 21, 2010


Fallen Rib
I spent half of today trying to setup a PiVPN (so I can connect back through my home connection when I'm travelling) only to find out that my ISP is most likely using CGNAT (they won't confirm this for sure which is annoying though). Do I have any other options here?

I'm using an ER-X if that factors.

EDIT: Chatting to some of my networking buddies and apparently https hides nearly all traffic when using unsecured networks, is a VPN really necessary now?

Red_Fred fucked around with this message at 10:00 on Jun 7, 2020

Red_Fred
Oct 21, 2010


Fallen Rib
Thanks for all the responses. Sounds like I probably don’t need my own VPN now.

The only thing I need to access my network when out is for my security camera but that all runs through my Synology NAS.

Red_Fred
Oct 21, 2010


Fallen Rib

astral posted:

I would be absolutely terrified to expose my NAS to the internet at large.

This is one of those 'Set up a VPN' cases.

Well it’s not the NAS itself but it’s a thing that runs on the NAS called Synology Surveillance Station. I can only get to the cameras from an app on my phone. Nothing else on the NAS can be reached from the Internet.

Red_Fred
Oct 21, 2010


Fallen Rib
Ok so what’s my best practise here? Presumably I need to pay the one off fee to my ISP for a static IP to start with as they confirmed they use CGNAT so port forwarding is out.

But then do I use the VPN from Synology? Or PiVPN? Or can I even use my ER-X?

I’m clearly a noob so I would like the one that’s easiest to setup and deal with even if that’s at the expense of some security.

Red_Fred
Oct 21, 2010


Fallen Rib

Thanks Ants posted:

If the one-off fee to remove CGNAT and move to a static IP isn't stupidly high then do that first, it will make your life easier later.

KS posted:

You could pay for a static IP (kinda cool that it's a one time cost, it's usually recurring) and VPN to your router or a machine behind it.

If the static IP is cost prohibitive, another option is to get a cloud instance, VPN your phone to that, and VPN your home network to that as well. Traffic between your phone and your home would route through the VPN endpoint. Something like this. As someone else said you're better off on an unmetered VPS endpoint instead of an AWS instance if you're going to put significant data through it. This is not completely trivial stuff if you're foreign to networking concepts.


astral posted:

Getting out of the CGNAT pool would help.

You'd want to set up a VPN server on either your Pi or your ER-X. I can't speak to how good the throughput is on these devices but a quick search suggests you might be able to expect around ~25 Mbps on the ER-X, which is hopefully enough for the security camera's bitrate.

Looks like there's an article for it:
https://help.ui.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server

Make sure to backup your edgerouter config before starting if you go that route.

Thanks. I'll get my ISP to set a static IP for me.

I think I'll give PiVPN a go as it's easier to just wipe and start again if I gently caress it up and PiVPN has a semi GUI setup which is quite easy to use.

25 Mbps should be heaps for the camera as I think it's only 720p and 10fps or something.

:tipshat:

Red_Fred
Oct 21, 2010


Fallen Rib
This is a bit of a long shot but has anyone setup a PiVPN to work with a Synology NAS? I can connect fine using OpenVPN on my iPhone but when I try to connect the NAS it says the profile is invalid.

Some searching would lead me to believe that Synology is running a really old version of OpenVPN.

Red_Fred
Oct 21, 2010


Fallen Rib
Does anyone know why my Edgerouter outbound WAN block is not working? I have the static IP (that I want blocked from the Internet) in a firewall group and then have it set to drop all protocols with the source as that address group. It's one of two rules I have set in WAN_OUT, it's second but the other is an allow on a specific domain.

I fiddled around in Pi-Hole and realised my TP Link camera on static IP .59 has been phoning out to a couple of TP link addresses, pretty much constantly. I assume if I had successfully blocked it from going to the Internet from my Edgerouter then it wouldn't show up in Pi Hole, is that right?

I also can't see any firewall rule stats (for any rules) in the GUI, not sure if this is related?

Red_Fred
Oct 21, 2010


Fallen Rib
Is anyone able to help me troubleshoot why my switch isn't working?

I have a ERX connected from my ONT and then a Netgear 10 port unmanaged switch (Pro safe version) connected with all my devices off that. It was working all fine until midday today where the switch just stopped working. If I connect devices directly to the switch ports on the ERX they work (tried two different). I've also tried power cycling the switch but that didn't do anything. All the lights are working and I've also tried a different cable and port.

Is this maybe a routing loop with the ERX switch ports?

I have my DHCP range set outside of my static devices (static up to .61 and then DHCP from .62 on).

EDIT: It seems something has started causing issues, can't identify which host yet though. Might be my NAS.

Red_Fred fucked around with this message at 07:36 on Jul 23, 2020

Red_Fred
Oct 21, 2010


Fallen Rib

Actuarial Fables posted:

Does it just not pass any traffic at all? If you have the switch disconnected from the ERX, can devices connected to the switch reach each other?

Make any changes to your network devices recently - updates, enabled features, minor config changes?

If you have two cables connecting the switch to the ERX then a loop is possible, but that should be easy to fix by just only having one cable between the switch and ERX.

It was just the one cable between the switch and router. For a while I thought it was a particular device but then I finally just rebooted my ONT and the problem disappeared! I’ve never had to do that in 3 years but the provider may have pushed a firmware update or something.

Red_Fred
Oct 21, 2010


Fallen Rib
Is there a thread recommended POE switch? I need more ports so I can connect a Steam Link Raspberry Pi and my Samsung TV via Ethernet but I also need to be able to ideally power two devices via POE.

My setup is as follows:

Fibre ONT > Unifi ER-x > Netgear 8 port switch > in-wall cabling to two ethernet jacks > (new poe switch).

The POE powered devices are a Unifi UAP (6W) a TP-Link NC450 camera (12W?). I may also look to add another camera at some point so three POE ports would be ideal.

The Netgear GS105PE looks like it might fit the bill but it only has two POE ports and looks like the power consumption I need might be borderline.

Red_Fred
Oct 21, 2010


Fallen Rib
Hi thread

I have a Ubiquiti UAP running off an ERX. Given that my UAP is now like 9 months out of support and getting pretty old is it worth it to upgrade? What's the best option? I only just realised that that AP doesn't even have 5GHz which would explain why my iPhone seems to only get about 15 Mbps down from a 300/100 Mbps connection.

I'm in a medium-size apartment, have just the one AP and usually have about 12-15 Wi-Fi clients on the go at one time.

:tipshat:

Red_Fred
Oct 21, 2010


Fallen Rib

FunOne posted:

U6-Lite is great. Just swap them out.

This is kind of what I’m thinking given I already have Unifi all rigged up on my NAS. Would it be as simple as just swapping the APs over? Do the new ones auto adopt? I had huge dramas way back getting the UAP to adopt the first time but that was with a new build of Unifi.

Where I am the Ubiquiti gear seems to be about the same price as the TP link stuff too which further pushes me to stick with them.

Red_Fred
Oct 21, 2010


Fallen Rib
Cross-posting from the Home Automation thread as this probably belongs here:

quote:

Semi Networking question but it's related to HA so I'll try here. I have now setup HA on a RPi4 I had and it's all working pretty well. I've read that it is best to VLAN off HA and all IOT devices together. Is the guide below roughly what I need to follow to do that? Bit of a networking dummy but that guide seems straight forward enough.

https://xdeb.org/post/2020/unifi-edgerouter-guest-iot-vlan/

I'm running an ER-X and Unifi on my NAS. Will probably need to upgrade my AP to support 5Ghz networks soon as well.

I've done a bit more reading and it kind of sounds like using VLANs when you're super good at networking might just be a nightmare?

Red_Fred
Oct 21, 2010


Fallen Rib
Hoping to get a sanity check please:

Current setup:
ER-X > UAP (via POE injector) + TP-Link camera (via POE injector)

This works OK but is stuck with 2.4 GHz, no support and no way to expand as there is no switch next to these devices. So my TV, Apple TV etc. are using Wi-Fi.

Proposed setup:

ER-X > Edgeswitch 10XP > Unifi AP 6 Lite + TP-Link camera + Samsung TV + Apple TV + (future camera)

Am I correct that the ES-10XP would power the AP and camera (+another in future) via POE? TP-Link camera says 12V DC, Max 12W.

Red_Fred
Oct 21, 2010


Fallen Rib

Rexxed posted:

I think the Unifi 6 Lite needs 48V PoE and the Edgeswitch is only able to output 24V PoE. Not sure what your camera would need but you'd probably need a separate injector or a different switch to supply the AP with power.

Ok so I could use that switch and pass through POE from a 48V injector?

Do you know of a switch that could do what I need? Ubiquiti is preferred but not key.

EDIT: looked here: https://help.ui.com/hc/en-us/articles/115000263008-UniFi-Supported-PoE-Output-and-Input-Modes#2

And that says US-8-60W might be what I need?


Red_Fred
Oct 21, 2010


Fallen Rib
I need to swap out my UAP as it’s out of support and recently has started being a little flakey. Probably due to no 5Ghz.

I’m keen to stick with Ubiquiti as I have an ER-X and I’m used to the setup so will likely grab a U6 Lite.

However I also wanted to get a managed switch to power the AP and some cameras and potentially split out a VLAN for my IOT devices.

It looks like where I am it’s a bit tricky to find the 8 port 60w POE switch, is the newer Lite version ok instead? Some reviews were not that positive but that was a while ago.
