Moving away from UniFi

I moved toward UniFi in a big way last year. I bought a UDM Pro, two Nano HD access points, and three (eventually buying a fourth) Flex Mini switches. The Flex Mini seemed like a very good buy, $29 for a 5-port managed Ethernet switch. My home network was such that switches were daisy-chained together, so this small managed gig switch seemed like a good fit.

I think part of me wanted an all-in-one solution, and UniFi delivers that. It’s nice to be able to run enterprise auth for Wifi without needing a separate authentication server, for example. The single view for all your devices is very, very nice.

But, as time went on, I discovered that everything isn’t as rosy as it first appears.

I had been having something of a performance issue, and ran across something that was a fairly major issue with the UDM Pro… The 8 LAN ports on it? Apparently, they share a 1 gig switching fabric. For eight gig ports. Why would they put out a “Pro” level device, meant for businesses and prosumers, with such a glaring flaw?

I’ve seen pictures of other people’s gear, where they ran a single cable from one of those ports (or from the 10G LAN interface) to another switch, leaving the rest empty. Why have a device like a UDM Pro if one of the main “features” of it is so hobbled that the fix is to basically not use that feature?

So, do I have anything else good to say about UniFi? Absolutely. Their gear held value pretty well over the approximately 7 months I owned it. I shipped the UDM Pro out to that buyer today, and, so far, I’m much happier with my new network.

February 24, 2021 at 9:39 pm

Catalyst 1000 Switches – What they don’t tell you

Not too long ago, I saw this video by Network Chuck about Cisco Catalyst switches. About the coolest part of these switches is the ability to stack them, so you can manage them from a single IP address. This means you can configure things once like VLANs and other management functions in one place, and assign port configurations through the same interface to multiple switches.

I also saw this video by Lawrence Systems, which makes them sound not quite as nice, but still pretty good.

On the plus side, you get real Cisco switches. And, you don’t have ongoing license fees. They aren’t the cheapest, but they are pretty inexpensive, considering the company that made them, and run Classic IOS, something I’m familiar with from my former job.

So, I bought a C1000 switch, 8 port, PoE. I didn’t have much trouble getting the basic config on it. Pressing the button for 3-4 seconds resulted in me getting to the WebGUI pretty quickly. So far, so good.

I had a bit of trouble getting the new code downloaded from Cisco’s site, but it didn’t delay me very long. I had a bit of trouble updating via the WebGUI, but the “archive download-sw” command worked fine.

Ultimately, I got everything working fine with the first switch.

So, I picked up a 2nd switch. I also bought a pair of used Cisco SFPs from eBay, since they would be required for the single IP management.

With the 2nd switch, I had lots of issues. The process to use the button to do easy setup did not seem to work. I don’t know how many times I tried, but I couldn’t get it to work.

So, console cable, right? Well, neither of the models I bought came with one and I couldn’t locate one. (I have one on order.)

So, I fired up Wireshark. At some point, I had this hooked up to the rest of the network, and spotted that the switch had picked up an IP address via DHCP. Great, right? Put that in the browser, and it – well, I got prompted for credentials, but the default credentials don’t seem to work.

I believe while looking at the Wireshark trace, I saw that it was attempting to download a config file. AHA!

I ended up downloading Transfer for my Mac, a nice looking TFTP server. Download it from their site and you get a free trial period, but after I was done with it, I ended up buying it. That way, if I need one in the future, I have it. Plus, I was thankful that I didn’t have to wait until my serial cable arrived in a couple of days.

Anyhow, I downloaded the config from my other switch, changed the IP address in the config, plus probably another minor change or two, and dropped it into the directory that Transfer uses, renaming it appropriately to one of the filenames it was trying to grab.

Bingo! After that loaded, I was able to log in and update the firmware to match the other switch, then went to bed.

I did have problems with it the next day, but after struggling with it a while, I was able to get into it. I saw it pull the file via TFTP again, after which it rebooted, so I renamed my config file so future attempts would fail. After that, I think all was good.

What I discovered that I don’t recall seeing anywhere, was related to management via a single switch IP. So, Lawrence Systems’ video mentioned you had to use SFP ports for this functionality. No problem. They are on eBay at reasonable prices (about $13 each). Unfortunately, once you change the port to a Stack port, it loses the ability to carry data traffic – it’s not seen as a switch port anymore.

Which means that if you have a single cable running between two areas where you want switches, and you want to use a single management IP, like I have, well… You can either run management across that link, or run data traffic across it. To do what I wanted, I would need two cables between the areas – one for management, and one for traffic.

I did try a workaround… I created a VLAN for “single IP management”… I plugged the Stack ports on each switch into an access port on this new VLAN, with the idea that it would trunk across the data connection that ran between the two switches… This didn’t seem to work, though. I didn’t play around with it very long, so perhaps this concept will work, but I was not successful.

At any rate, I’ve got a pair of Cisco switches now that I don’t expect to have trouble with for years. I can’t quite manage them as easily as I expected, but it is good enough for my use.

February 7, 2021 at 4:06 pm

eero Wifi – Likely my final post about it

I’ve been using eero for my wifi needs for probably a few years now.  They were among the first of the Mesh Wifi systems that came out.  For me, it was down to the eero or the Luma wifi system.  Luma seemed to have more advanced features, but early reports on the functionality of it were not encouraging.  I may have even had a pre-order in place for it at one point.  One interesting thing was that Amazon was backing them (to some degree).

Anyhow, I got my eero system and was pretty happy with it. It was a very simple system, in terms of daily operation. It seemed to work well, with little input from me. Perhaps a bit too well, as I recall one time (I think I posted about it here) where my network was segmented from the eero that was connected to the Internet, and it was routing the traffic from the entire rest of my home across the Wifi to the eero that was connected to the Internet. As I recall, I noticed there was only one cable hooked to the back of the eero that goes to the Internet, and I realized – Wait! That’s not supposed to be that way. But everything still worked.

That said, the eero does lack customization and some features. One in particular is the ability to run a second SSID (other than the Guest SSID). To make a long story short, I ended up with 4 eeros for my main Wifi network, and two for my secondary Wifi network. OK, I really didn’t need 4 for my main network – three did the job well, but I added a beacon that I didn’t absolutely need.

The eero does a very good job for a simple home. It has visibility into what devices are on your network, but not much in the way of visibility into what those devices are doing. They do offer a subscription service to block malware and a limited number of additional categories of sites, but you don’t get that full device-level log of activity directly from the eero.

I think part of the problem for me came when Amazon bought eero. There was apprehension around what Amazon might do with the deep data that is potentially available to them, being the gateway out of my network to the Internet. I understand that the eero privacy policy did not change as a result of that purchase, so as long as that holds true, we shouldn’t have any privacy issues (at least, from the assurance of an eero developer that often posts on the eero sub-reddit). It’s entirely possible that Amazon just bought them to have a simple-to-use, but very reliable brand they could sell to customers of their product line of tablets, streaming boxes, assistants, etc.

But, the simple fact is that the eero sees all of your port 53 DNS requests in clear text.  Looking at the MAC address of individual devices can reveal the maker of the device.  If you put that info together with the DNS names of where the individual devices are communicating, you can get a pretty good idea of what devices a customer has.

Now again, I say this is “part” of the problem.  I don’t have any reason to believe Amazon is doing this, or planning to do so any time soon.  This potential privacy issue, along with the lack of some features has recently led me to move away from the eero product line.

I will still say that it’s a great line of wifi devices for a non-technical person that just wants Wifi that works with minimal headaches.

June 20, 2020 at 9:59 am

My Tesla Ordering Experience

I’ve wanted a Tesla for years.  The Model S has been arguably the best looking EV since they started producing them.  I still can’t afford one, but I think I can afford a Model 3, now that the Standard Range ($35,000) version is finally out.

Since the Federal rebate on Tesla vehicles halved on Jan 1, and it is set to halve again soon, and they’ve recently released these new, lower cost versions, I realized that now may be about my best time to get one. So, last Monday, I ordered a Standard Range Model 3. The expected delivery date was 6 – 8 weeks.

Since my order, I’ve learned that the SR and the SR Plus versions do not include floor mats.  Fortunately, they can be purchased on Tesla’s website for a bit over $100 after tax.  They also have a nice looking all weather frunk mat for about $70 before tax.

Another thing that did bother me about the interior of the SR was that it didn’t appear to include covers for the storage section (in front of the cup holders).  I looked for 3rd party products to fill that gap, but didn’t find any.  So, I looked on eBay, and found the center console section (perhaps taken from a wrecked Model 3?) for sale.  The entire section (including the armrest) was listed for a little under $1000 in at least one entry, and a separate listing for the front section was over $300.  If I were very handy (or maybe just more confident in my automotive abilities), that would have been a viable option.  Additionally, I like the look of the phone holder that doesn’t come with the SR.

The SR Plus also is a bit faster than the SR, though that doesn’t matter much to me.  The additional 20 miles of range is a bit more cushion for trips, which would be useful.

The power drivers seat on the SR Plus and the “vegan” leather seats would just be a bonus, as a manual cloth covered seat would have been fine as far as I’m concerned.

Ultimately, on the Friday after I ordered, I called and changed my order to a SR Plus.  I did make another change to my order, to drop the cost a bit, to make up for going to the SR Plus.

After the order was registered in their system, my estimated delivery was changed to 2 – 4 weeks.

Late on Friday evening, I took another look at my Model 3 page, and found that a VIN had been assigned, as well as a delivery date… Monday!

So, I ordered on a Monday, and after changing the order on a Friday, my car will be delivered on Monday around noon.

March 23, 2019 at 10:47 am

Amazon Subscribe and Save – Why I quit…

This is really more feedback for Amazon than anything else.  I’m posting it here as I could not find any way of getting this feedback to Amazon without bothering a customer service person for a chat or a phone call.  And chances are probably just as good of my post being seen by someone who cares at Amazon here as if I went through a Chat or Phone call with a customer service person.  Perhaps greater even.

I’ve used Subscribe & Save for many years.  I used to really like the service, but I’ve just cancelled all of the orders I had.  Here’s my list of reasons:

1. Items I was subscribed to kept getting pulled out of the Subscribe & Save program. Over the years, this has happened numerous times and it’s pretty annoying to have made a commitment to buy a product on a schedule, only to find that they aren’t going to live up to their end of the deal anymore. Fewer items that I am interested in available for Subscribe & Save makes it hard to maximize any savings through the program, since you save a larger percentage by getting more items delivered in a month.

2. I don’t know exactly when it happened, but I think somewhere in the last 5 years, they changed the way you control when subscriptions get delivered.  I seem to remember it being easier to put off a delivery, setting it to deliver in a specific month, than it is now.

3. With a recent order coming up, I tried to skip the delivery, as I didn’t need any more tea just yet.  I thought I had successfully done it, but it showed up anyhow.  I still have two unopened boxes from the last order, and now I have another six.  We’ll use them eventually, but we’ve probably got enough tea for all of 2019 now.

4. Even when an item has not been pulled from the eligible items, you are not guaranteed to get the item. I had a subscription in place for an item that I only needed about once every 6 months, as it was a bulk purchase. I had been running low on this item, and finally ran out. I wasn’t concerned though, as I had a subscription. About a week before it should have shipped, I got an Out of Stock email, but “We’ll keep trying”. Not long after it should have arrived, I got a “Delivery Delayed” email. I get it, things happen, so you’ll ship it when it’s ready. Five days later, I got a “Delivery Cancelled” email. So, they just gave up?

This last point really bugs me.  Perhaps I’m being idealistic here, but it would seem that part of the advantage of the Subscribe & Save program is that Amazon has a pretty good idea of the amount of stock they need to have on-hand for everything customers are subscribing to.  Sure, people delay items, add more items, and remove some items, but there should be a baseline of predictability that a massive data oriented company like Amazon can take advantage of, to make sure they have the bulk of items people want in stock when they want them.  They are scheduled orders.  It shouldn’t be that hard.

Anyhow, I’ve decided that I’m done with Subscribe & Save.  I guess issue #4 was the last straw.

February 10, 2019 at 12:19 pm

Adventures in Mac Data Recovery

A few days ago, I attempted to update my wife’s aging iMac (2009 era) to High Sierra.  I ended up at a screen telling me something about a disk error.  After that, it seemed to be in a boot cycle, where it simply returned to a similar screen with a slightly different message.

I found some CLI commands to make my own USB installer.  Ultimately, when I booted from it, I ended up with a message saying it could not install.  Thinking that perhaps the hard drive was going, I think I attached an external drive and tried to install to it, ending with the same failure.  At some point throughout this process I made the colossal mistake of formatting the internal hard drive.  We can get back to that later.

I knew I needed to get my wife a new machine, as this one is quite old and the next release of Mac OS X won’t support this hardware.  Fortunately, Best Buy had a sale on the higher end iMac with the smaller screen, which is just what I thought she needed.

Got it home, booted it up and connected to my NAS to restore her TimeMachine backup.

Uh oh.  It saw her backup there, but it said something about No Volumes.  I tried booting from the same USB stick to reinstall her new iMac, and ended up with the same sort of generic failure reasons I had been getting since after the original disk error on the first iMac.

Apparently, my installer was bad.

I moved her old iMac to my desk and was running a variety of tools to scan the hard drive, trying to recover whatever data I could.  The one that seemed to get the best results was Disk Drill, which seemed to have been able to recover the HFS directory structure and everything.  About $80 later, I could try restoring it.  Unfortunately, it was unclear if it was possible to simply have it restore the files to their original locations, so I tried having it restore to an external drive.  About 30 GB into the copy, it seemed to hang.  The iMac was still working, but no more data seemed to get moved.  I thought that perhaps I should try another method.

While researching my problem, I had previously found a link that talked about fixing Time Machine backups.  This involved running some CLI commands that seemed likely to potentially break things, so I took a few minutes to figure out how to backup my Time Machine sparsedisk bundle.  After looking around a bit, I found a page recommending SuperDuper for the task.  Using SuperDuper, I created a new sparsedisk bundle as the destination, and let it copy.  I think somewhere north of 19 hours later, it was done.

I followed the steps found on this blog entry on my copy of the data, leaving the original unaltered.

Everything went well for the repair portion, but the final steps involved editing a .plist file that should have been sitting in the root of the sparsedisk, but it was missing for some reason.

So, I tried running the repair steps on the original TimeMachine backup.  It failed.

In a last ditch effort to get TimeMachine working, I copied the com.* files from the original TM backup over to my SuperDuper copy.  I figured since the repair worked on it, perhaps I can just take the files that didn’t seem to get copied, and move them over as well, and finish the process.

I built a new Mac OS X installer (using this great little tool that I sorta wish I had found originally), reinstalled OS X on the new iMac, then tried the TM restore.  I pointed to the new TM backup I had made, and was happy to see that it saw it, and that it saw backup data there.  I started the restore process, which, probably around 3 hours later, completed successfully.

I rebooted, and it came up and worked. I was able to log in to my wife’s account and her data seemed to be intact.

I have since set up SuperDuper to clone her drive on a schedule to an external drive.  I’ll probably start the Time Machine backup process as well in a few days or so, once we feel secure that her files are fine, so she’ll have a few backups just in case.

June 15, 2018 at 12:50 pm

Channels DVR

Many years ago, I used SageTV for my DVR. After it was sold to Google, I tried MythTV with some success. I’ve since used Plex briefly, and the HD Homerun DVR for several months. Recently I tried SageTV again, the open source version. It’s still very much like it was years ago, with the AndroidTV app working very well now. Controlling the app with the ShieldTV remote could be better, though. There’s also the lack of an iOS version, and I don’t think it plays well with other apps sharing HD Homerun tuners, though this may have been addressed.

Plex has a few issues.  No grid guide is a big one.  Another is you can’t watch a show while it’s recording.  Commercials are removed from recordings, not just marked.

While looking at a Plex forum, I read about Channels, an iOS app for watching TV with an HD Homerun tuner which has a DVR component. I had seen this app before but didn’t try it due to the cost. After reading more about the app, I found that it gets rid of all my complaints about Plex. It also allows for remote connections, so you could even stream TV from it remotely, like Plex.

The cost is a bit steep, being $24.99 for the AppleTV app, another $14.99 for the iPhone/iPad app.  I think there are similar prices for AndroidTV, Amazon FireTV, and other versions.  The DVR feature is $8 per month after your first month…  So, it’s a bit expensive, but it’s very good (I think Android versions have various states of support for the DVR feature.).

Regardless of the price, I can say this is about the best DVR experience I’ve run across yet on AppleTV. The user interface is very intuitive. It integrates well with the AppleTV, including support for adding shows to the top bar on the AppleTV home screen.

The DVR component runs on just about anything, even the ShieldTV.  It can use the hardware acceleration on the ShieldTV for transcoding, and if your processor supports Quick Sync, it is supported as well.

I’ve chosen to run mine under docker in UnRAID.  It works very well, even when transcoding.

It’s still early days of my trying it, but I’m pretty happy with it so far.

May 20, 2018 at 8:22 pm

Running a PA-VM on KVM under UnRAID

Getting PAN-OS up and running on KVM under UnRAID was not easy.

I started with the KVM version of the PA-VM firewall and copied that to my ISOs directory.

Through trial and error, I finally got it working.  In the UnRAID UI, I selected two separate CPUs, about 9.5 GB of memory, the i440fx-2.11 machine type, with the SeaBIOS and the USB controller to the default 2.0 (EHCI).

I manually copied the image to the appropriate directory for this VM.  I did have to add multiple brX interfaces (via the networks settings page) to be able to add multiple NICs to the VM.

When booting up, I encountered a problem where it would reboot multiple times on its own.  Finally, I was given the maintenance prompt.  I did a factory reset, and afterward, it booted as I would expect.  At this point, I could log in and set the IP address and everything seemed to be working as expected.

Posting here to help anyone else who wants to try running a PA-VM on UnRAID.

Edit:  Also, set the NICs to type e1000 in the XML (not in the form).  I think VirtIO is supposed to be supported, but they didn’t seem to work until set to e1000.

May 8, 2018 at 2:41 pm

Adventures in DNS

I just posted about my new PA-220 firewall and mentioned URL filtering.  I have a number of categories blocked, including web-advertising, adult content, malware, etc.  But you can always make something better, right?

The PA-220 has a feature to enforce safe search with various search engines.  Unfortunately, it seems to not work very well on my iPhone, or in Safari on my Mac.  It could be the 8.0.2 firmware, or perhaps it’s something that I’m doing wrong.  In any case, I wanted to fix it, as it was annoying.

Both Google and Bing support a feature to enable Safe Search for your network via DNS. What you have to do is, when someone requests google.com, make your DNS return a CNAME record for forcesafesearch.google.com. While this might sound easy, as I discovered, it’s a bit more complex than perhaps it should be.

First, the DNS proxy feature in my PA-220 does support configuring static entries, so I could add an entry for www.google.com, but I can’t set it to CNAMEs, only IP addresses. I would have to hard code the IP address for forcesafesearch.google.com, which could potentially change at any time, breaking things.

After a bit of research, my first candidate to truly do the CNAME change was found.

DNSmasq

On my unRaid box, I installed a docker of Pi-Hole, which is a DNS based system (meant for the Raspberry Pi, but capable of running on other platforms) which blackholes DNS queries to Web advertising sites, etc. It uses DNSmasq and has the ability to run DHCP as well as DNS. With this integration, it can resolve local hostnames to their DHCP assigned addressing. I could do that now by adding static entries to my DNS Proxy instance on the PA-220, but it wouldn’t pick up on DHCP entries. But, alas, DNSmasq treats a CNAME entry added manually differently than I had hoped. It will ignore it unless it has that record defined somewhere, such as a static definition or via DHCP… It won’t resolve an external CNAME like a normal query and return it. And if I were to define forcesafesearch.google.com as an A record in DNSmasq, that would really defeat the whole purpose of using the CNAME.

Pi-Hole does have a very nice modern web interface with statistics, graphs, and it looks extremely easy to whitelist or blacklist sites.  It gives you great visibility into what devices on your network are doing the most DNS lookups, and if you are wondering where your IoT devices go on the Internet, you can even filter the logs to see what an individual device is performing lookups against, assuming you have all your devices directly querying Pi-Hole, instead of chained like I’m doing here.  In fact, you can even disable the blocking functionality if you like.  With it disabled, it won’t block, but you’ll be able to see all the statistics and logs it has to offer, even showing you what it would have blocked.  Today, it has blocked about 8.8 percent of my DNS queries, though I haven’t really noticed much different than when I simply go through my PA-220.

Dingo

While looking for other DNS packages that could do this CNAME trick, I ran across one that looked very interesting for a different reason.  Dingo is effectively a DNS resolver that takes requests in on port 53, and resolves them over encrypted HTTP/2.  It can be used with both Google and OpenResolve (by OpenDNS).  I installed it as another docker and it seems to work fine.  I did increase it to use 25 worker threads instead of the initial 10.  I don’t know if I’ll keep using this or not, but I’ll see how it goes.

Bind

Other research turned up some settings for Bind that would let me add the CNAME records I needed for Google and Bing to enforce safe search, and yet another Docker was installed. The one I chose included Webmin for easy administration of Bind. It worked just fine.

So, now I have the initial DNS queries pointing to the PA-220, taking advantage of the Threat/URL Filtering there, then forwarding to a docker running Bind to handle google and bing domains, which forwards to Pi-Hole (which I may end up removing from this chain), and finally to Dingo to perform the actual DNS lookups over encrypted HTTP/2.

Whew!

That sounds like a lot, but not including the PA-220 (which was doing this job before), I’ve added three hops that all exist on the same box.
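The CNAME rewrite described above, and the DNSmasq limitation of not chasing an external CNAME, as an added Python example that is not code from the post or from Bind, DNSmasq, Pi-Hole or Dingo: a small UDP forwarder that answers the search-engine names with a CNAME plus the target’s address records, and relays every other query unchanged. The override hostnames are the publicly documented Safe Search hosts; the listening port, the UPSTREAM address and the use of the host resolver to look up the CNAME target are assumptions.

```python
import socket
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
# Override table: forcesafesearch.google.com is Google's documented host for
# this and strict.bing.com is Bing's (public hostnames, not from the post).
SAFE_SEARCH = {
    "google.com": "forcesafesearch.google.com",
    "www.google.com": "forcesafesearch.google.com",
    "www.bing.com": "strict.bing.com",
}
UPSTREAM = ("127.0.0.1", 5335)  # assumption: next resolver in the chain
FAMILY = {TYPE_A: socket.AF_INET, TYPE_AAAA: socket.AF_INET6}

def read_name(msg, pos):
    """Decode an uncompressed DNS name at msg[pos]; return (name, next_pos)."""
    labels = []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            return ".".join(labels).lower(), pos
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n

def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"

def parse_question(msg):
    """Return (qname, qtype, end_of_question_offset) for the first question."""
    qname, pos = read_name(msg, 12)
    return qname, struct.unpack("!H", msg[pos:pos + 2])[0], pos + 4

def build_query(name, qtype, tid=0x1234):  # a plain recursive query, used for testing
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def rr(name, rtype, rdata, ttl=60):  # one IN-class resource record, no name compression
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def host_records(name, qtype):  # assumption: the host resolver points at the upstream chain
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, FAMILY[qtype])})

def rewrite_query(msg, lookup=host_records):
    """Return a locally built response for a Safe Search name, or None to relay upstream."""
    qname, qtype, qend = parse_question(msg)
    target = SAFE_SEARCH.get(qname)
    if target is None or qtype not in (TYPE_A, TYPE_AAAA, TYPE_CNAME):
        return None
    answers = [rr(qname, TYPE_CNAME, encode_name(target))]
    if qtype in FAMILY:  # chase the CNAME ourselves so the client gets a complete answer
        answers += [rr(target, qtype, socket.inet_pton(FAMILY[qtype], ip)) for ip in lookup(target, qtype)]
    # flags 0x8180: response, recursion desired and available, NOERROR
    header = msg[:2] + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 0)
    return header + msg[12:qend] + b"".join(answers)

def parse_answers(msg):
    """Decode the answer section of a response built by rewrite_query."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    _, _, pos = parse_question(msg)
    out = []
    for _ in range(ancount):
        name, pos = read_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        value = read_name(rdata, 0)[0] if rtype == TYPE_CNAME else socket.inet_ntop(FAMILY[rtype], rdata)
        out.append((name, rtype, value))
    return out

def serve(listen=("0.0.0.0", 5353)):
    """Forwarder loop: answer Safe Search names locally, relay everything else to UPSTREAM."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        msg, client = sock.recvfrom(512)
        reply = rewrite_query(msg)
        if reply is None:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                up.settimeout(3)
                up.sendto(msg, UPSTREAM)
                reply = up.recv(4096)
        sock.sendto(reply, client)
```

Call serve() and point the PA-220’s DNS proxy (or a test client) at the listening port; the lookup of the CNAME target goes through the host’s own resolver, so that resolver must not loop back to this forwarder.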

May 21, 2017 at 7:48 pm

The PA-220 Firewall is here!

The PA-220 has 8 ports of Gigabit goodness on the front, aside from the management port.

The PA-220 supports some pretty high-end features, making it suitable for use in a small business office. First, there is High Availability mode (HA), if you have a pair of PA-220s and duplicate your connectivity (even to your WAN, so you’d need a switch between a Cable/DSL modem and the pair of firewalls). Another big feature is LACP support (Link Aggregation Control Protocol), so you could have multiple connections between your firewall and an Ethernet switch. This redundancy is something that small offices would likely want, as when the WAN connection is down, there is probably work that can’t be done.

The PA-220 comes with a template and hardware to mount it sideways on a wall, something that I plan to do at some point but haven’t gotten around to yet.

Since the speed that the PA-220 handles traffic is limited to about 500 Mbps firewalled, and down to about 150 Mbps with Threat enabled, I recommend only putting relatively low speed or volume devices directly on the ports of the firewall itself, if the primary thing they are communicating to is also on the local LAN.  You could always add a rule in for intrazone traffic to be allowed and not place any Threat profiles on that rule, giving you the maximum 500 Mbps speed to the internal network.

I’ve got it in place, doing SSL decryption, Threat, URL filtering, Wildfire, and GlobalProtect VPN.  It seems to perform pretty well so far.

May 21, 2017 at 11:20 am
