Posts filed under ‘Networking’

Moving away from UniFi

I moved toward UniFi in a big way last year. I bought a UDM Pro, two Nano HD access points, and three (eventually buying a fourth) Flex Mini switches. The Flex Mini seemed like a very good buy, $29 for a 5 port managed ethernet switch. My home network was such that switches were daisy chained together, so this small managed gig switch seemed like a good fit.

I think part of me wanted an all-in-one solution, and UniFi delivers that. It’s nice to be able to run enterprise auth for Wifi without needing a separate authentication server, for example. The single view for all your devices is very, very nice.

But, as time went on, I discovered that everything isn’t as rosy as it first appears.

I had been having something of a performance issue, and ran across something that was a fairly major issue with the UDM Pro… The 8 LAN ports on it? Apparently, they share a 1 gig switching fabric. For eight gig ports. Why would they put out a “Pro” level device, meant for businesses and pro-sumers, with such a glaring flaw?

I’ve seen pictures of other people’s gear, where they ran a single cable from one of those ports (or from the 10G LAN interface) to another switch, leaving the rest empty. Why have a device like a UDM Pro if one of the main “features” of it is so hobbled that the fix is to basically not use that feature?

So, do I have any other good things to say about UniFi? Absolutely. Their gear held value pretty well over the approximately 7 months I owned it. I shipped the UDM Pro out to that buyer today, and, so far, I’m much happier with my new network.

February 24, 2021 at 9:39 pm

Catalyst 1000 Switches – What they don’t tell you

Not too long ago, I saw this video by Network Chuck about Cisco Catalyst switches. About the coolest part of these switches is the ability to stack them, so you can manage them from a single IP address. This means you can configure things once like VLANs and other management functions in one place, and assign port configurations through the same interface to multiple switches.

I also saw this video by Lawrence Systems, which makes them sound not quite as nice, but still pretty good.

On the plus side, you get real Cisco switches. And, you don’t have ongoing license fees. They aren’t the cheapest, but they are pretty inexpensive, considering the company who made them, and run Classic IOS, something I’m familiar with from my former job.

So, I bought a C1000 switch, 8 port, PoE. I didn’t have much trouble getting the basic config on it. Pressing the button for 3-4 seconds resulted in me getting to the WebGUI pretty quickly. So far, so good.

I had a bit of trouble getting the new code downloaded from Cisco’s site, but it didn’t delay me very long. I had a bit of trouble with updating with the WebGUI, but the “archive download-sw” command worked fine.

Ultimately, I got everything working fine with the first switch.

So, I picked up a 2nd switch. I also bought a pair of used Cisco SFPs from eBay, since they would be required for the single IP management.

With the 2nd switch, I had lots of issues. The process to use the button to do easy setup did not seem to work. I don’t know how many times I tried, but I couldn’t get it to work.

So, console cable, right? Well, neither of the models I bought came with one and I couldn’t locate one. (I have one on order.)

So, I fired up Wireshark. At some point, I had this hooked up to the rest of the network, and spotted that the switch had picked up an IP address via DHCP. Great, right? Put that in the browser, and it – well, I got prompted for credentials, but the default credentials don’t seem to work.

I believe while looking at the Wireshark trace, I saw that it was attempting to download a config file. AHA!

I ended up downloading Transfer for my Mac, a nice looking TFTP server. Download it from their site and you get a free trial period, but after I was done with it, I ended up buying it. That way, if I need one in the future, I have it. Plus, I was thankful that I didn’t have to wait until my serial cable arrives in a couple of days.

Anyhow, I downloaded the config from my other switch, changed the IP address in the config, plus probably another minor change or two, and dropped it into the directory that Transfer uses, renaming it appropriately to one of the filenames it was trying to grab.

Bingo! After that loaded, I was able to log in and update the firmware to match the other switch, then went to bed.

I did have problems with it the next day, but after struggling with it a while, I was able to get into it. I saw it pull the file via TFTP again, after which it rebooted, so I renamed my config file so future attempts would fail. After that, I think all was good.

What I discovered that I don’t recall seeing anywhere was related to management via a single switch IP. So, Lawrence Systems’ video mentioned you had to use SFP ports for this functionality. No problem. They are on eBay at reasonable prices (about $13 each). Unfortunately, once you change the port to a Stack port, it loses the ability to carry data traffic – it’s not seen as a switch port anymore.

Which means that if you have a single cable running between two areas where you want switches, and you want to use a single management IP, like I have, well… You can either run management across that link, or run data traffic across it. To do what I wanted, I would need two cables between the areas – one for management, and one for traffic.

I did try a workaround… I created a VLAN for “single IP management”… I plugged the Stack ports on each switch into an access port on this new VLAN, with the idea that it would trunk across the data connection that ran between the two switches… This didn’t seem to work, though. I didn’t play around with it very long, so perhaps this concept will work, but I was not successful.

At any rate, I’ve got a pair of Cisco switches now that I don’t expect to have trouble with for years. I can’t quite manage them as easily as I expected, but it is good enough for my use.

February 7, 2021 at 4:06 pm

eero Wifi – Likely my final post about it

I’ve been using eero for my wifi needs for probably a few years now.  They were among the first of the Mesh Wifi systems that came out.  For me, it was down to the eero or the Luma wifi system.  Luma seemed to have more advanced features, but early reports on the functionality of it were not encouraging.  I may have even had a pre-order in place for it at one point.  One interesting thing was that Amazon was backing them (to some degree).

Anyhow, I got my eero system and was pretty happy with it. It was a very simple system, in terms of daily operation. It seemed to work well, with little input from me. Perhaps a bit too well, as I recall one time (I think I posted about it here) where my network was segmented from the eero that was connected to the Internet, and it was routing the traffic from the entire rest of my home across the Wifi to the eero that was connected to the Internet. As I recall, I noticed there was only one cable hooked to the back of the eero that goes to the Internet, and I realized – Wait! That’s not supposed to be that way. But everything still worked.

That said, the eero does lack customization and some features.  One in particular is the ability to run a second SSID (other than the Guest SSID).  To make a long story short, I ended up with 4 eeros for my main Wifi network, and two for my secondary Wifi network. Ok, I really didn’t need 4 for my main network – Three did the job well, but I added a beacon that I didn’t absolutely need.

The eero does a very good job for a simple home. It has visibility into what devices are on your network, but not much in the way of visibility into what those devices are doing. They do offer a subscription service to block malware and a limited number of additional categories of sites, but you don’t get that full device-level log of activity directly from the eero.

I think part of the problem for me came when Amazon bought eero. There was apprehension around what Amazon might do with the deep data that is potentially available to them, being the gateway out of my network to the Internet. I understand that the eero privacy policy did not change as a result of that purchase, so as long as that holds true, we shouldn’t have any privacy issues (at least, from the assurance of an eero developer that often posts on the eero sub-reddit). It’s entirely possible that Amazon just bought them to have a simple-to-use, but very reliable brand they could sell to customers of their product line of tablets, streaming boxes, assistants, etc.

But, the simple fact is that the eero sees all of your port 53 DNS requests in clear text.  Looking at the MAC address of individual devices can reveal the maker of the device.  If you put that info together with the DNS names of where the individual devices are communicating, you can get a pretty good idea of what devices a customer has.

Now again, I say this is “part” of the problem.  I don’t have any reason to believe Amazon is doing this, or planning to do so any time soon.  This potential privacy issue, along with the lack of some features has recently led me to move away from the eero product line.

I will still say that it’s a great line of wifi devices for a non-technical person that just wants Wifi that works with minimal headaches.

June 20, 2020 at 9:59 am

Adventures in DNS

I just posted about my new PA-220 firewall and mentioned URL filtering.  I have a number of categories blocked, including web-advertising, adult content, malware, etc.  But you can always make something better, right?

The PA-220 has a feature to enforce safe search with various search engines.  Unfortunately, it seems to not work very well on my iPhone, or in Safari on my Mac.  It could be the 8.0.2 firmware, or perhaps it’s something that I’m doing wrong.  In any case, I wanted to fix it, as it was annoying.

Both Google and Bing support a feature to enable Safe Search for your network via DNS. What you have to do is, when someone requests google.com, make your DNS return a CNAME record for forcesafesearch.google.com. While this might sound easy, as I discovered, it’s a bit more complex than perhaps it should be.

First, the DNS proxy feature in my PA-220 does support configuring static entries, so I could add an entry for http://www.google.com, but I can’t set it to CNAMEs, only IP addresses. I would have to hard code the IP address for forcesafesearch.google.com, which could potentially change at any time, breaking things.

After a bit of research, my first candidate to truly do the CNAME change was found.

DNSmasq

On my unRaid box, I installed a docker of Pi-Hole, which is a DNS based system (meant for the Raspberry Pi, but capable of running on other platforms) which blackholes DNS queries to Web advertising sites, etc. It uses DNSmasq and has the ability to run DHCP as well as DNS. With this integration, it can resolve local hostnames to their DHCP assigned addressing. I could do that now by adding static entries to my DNS Proxy instance on the PA-220, but it wouldn’t pick up on DHCP entries. But, alas, DNSmasq treats a CNAME entry added manually differently than I had hoped. It will ignore it unless it has that record defined somewhere, such as a static definition or via DHCP… It won’t resolve an external CNAME like a normal query and return it. And if I were to define forcesafesearch.google.com as an A record in DNSmasq, that would really defeat the whole purpose of using the CNAME.

Pi-Hole does have a very nice modern web interface with statistics, graphs, and it looks extremely easy to whitelist or blacklist sites.  It gives you great visibility into what devices on your network are doing the most DNS lookups, and if you are wondering where your IoT devices go on the Internet, you can even filter the logs to see what an individual device is performing lookups against, assuming you have all your devices directly querying Pi-Hole, instead of chained like I’m doing here.  In fact, you can even disable the blocking functionality if you like.  With it disabled, it won’t block, but you’ll be able to see all the statistics and logs it has to offer, even showing you what it would have blocked.  Today, it has blocked about 8.8 percent of my DNS queries, though I haven’t really noticed much different than when I simply go through my PA-220.

Dingo

While looking for other DNS packages that could do this CNAME trick, I ran across one that looked very interesting for a different reason.  Dingo is effectively a DNS resolver that takes requests in on port 53, and resolves them over encrypted HTTP/2.  It can be used with both Google and OpenResolve (by OpenDNS).  I installed it as another docker and it seems to work fine.  I did increase it to use 25 worker threads instead of the initial 10.  I don’t know if I’ll keep using this or not, but I’ll see how it goes.

Bind

Other research turned up some settings for Bind that would let me add the CNAME records I needed for Google and Bing to enforce safe search, and yet another Docker was installed. The one I chose included Webmin for easy administration of Bind. It worked just fine.

So, now I have the initial DNS queries pointing to the PA-220, taking advantage of the Threat/URL Filtering there, then forwarding to a docker running Bind to handle google and bing domains, which forwards to Pi-Hole (which I may end up removing from this chain), and finally to Dingo to perform the actual DNS lookups over encrypted HTTP/2.
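The CNAME rewrite described above, and the forwarding hop to Pi-Hole in the chain, can be expressed with Bind’s response policy zone (RPZ) feature. This is an added example, not the author’s actual Bind or Webmin configuration; the forwarder address is a constructed placeholder, and the strict.bing.com target comes from Bing’s published safe search guidance rather than from this post.

```bind
// --- named.conf (added example; adjust paths for your container image) ---
options {
    directory "/var/cache/bind";
    recursion yes;
    // Next hop in the chain. 192.0.2.53 is a constructed placeholder
    // standing in for the Pi-Hole container's address.
    forwarders { 192.0.2.53; };
    forward only;
    // Answers are checked against the policy zone before being returned,
    // so the CNAME target is still resolved live upstream, not hard-coded.
    response-policy { zone "safesearch.rpz"; };
};

zone "safesearch.rpz" {
    type master;
    file "/etc/bind/db.safesearch.rpz";
    allow-query { none; };   // policy data only, never served as a normal zone
};

// --- /etc/bind/db.safesearch.rpz ---
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2021010101 3600 900 604800 300 )
    IN NS   localhost.
; Owner names are relative to the policy zone and match the queried name.
; Trailing dots on the targets are required so they are not expanded.
www.google.com   IN CNAME forcesafesearch.google.com.
www.bing.com     IN CNAME strict.bing.com.
; Google country domains (google.co.uk, google.ca, ...) would be listed
; the same way if devices on the network use them.
```

Verify with `dig @127.0.0.1 www.google.com` on the Bind host: the answer section should show the CNAME to forcesafesearch.google.com followed by the live A records for that name, and a client that bypasses this resolver (its own DNS server, or DNS over HTTPS in the browser) will not be rewritten at all.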

Whew!

That sounds like a lot, but not including the PA-220 (which was doing this job before), I’ve added three hops that all exist on the same box.

May 21, 2017 at 7:48 pm

The PA-220 Firewall is here!

The PA-220 has 8 ports of Gigabit goodness on the front, aside from the management port.

The PA-220 supports some pretty high-end features, making it suitable for use in a small business office. First, there is High Availability mode (HA), if you have a pair of PA-220s and duplicate your connectivity (even to your WAN, so you’d need a switch between a Cable/DSL modem and the pair of firewalls). Another big feature is LACP support (Link Aggregation Control Protocol), so you could have multiple connections between your firewall and an Ethernet switch. This redundancy is something that small offices would likely want, as when the WAN connection is down, there is probably work that can’t be done.

The PA-220 comes with a template and hardware to mount it sideways on a wall, something that I plan to do at some point but haven’t gotten around to yet.

Since the speed that the PA-220 handles traffic is limited to about 500 Mbps firewalled, and down to about 150 Mbps with Threat enabled, I recommend only putting relatively low speed or volume devices directly on the ports of the firewall itself, if the primary thing they are communicating to is also on the local LAN.  You could always add a rule in for intrazone traffic to be allowed and not place any Threat profiles on that rule, giving you the maximum 500 Mbps speed to the internal network.

I’ve got it in place, doing SSL decryption, Threat, URL filtering, Wildfire, and GlobalProtect VPN.  It seems to perform pretty well so far.

May 21, 2017 at 11:20 am

Palo Alto PA-220

About a month ago, Palo Alto announced their new 8.0 firmware, along with some new hardware.  The most exciting new product to me, personally, is their new PA-220.

The PA-200 is a unit I have a lot of experience with.  It’s got 4 Gig ports for traffic, supports 100 Mbps of firewall throughput, dropping to 50 Mbps with Threat prevention enabled.  It’s a good unit for a small office.

The PA-220 is better, sporting 8 Gig ports for traffic, 500 Mbps of firewall throughput, dropping to 150 Mbps with Threat enabled. It is without fans, and since it uses eMMC for storage (32 GB), there shouldn’t be any moving parts to break down.

Basically, it’s got more power than a PA-500, the same number of ports, and it’s in an even smaller package than the PA-200.

Best of all, it’s at a much better price point than the PA-200.

March 7, 2017 at 11:20 pm

Eero – Features

Speed test

The iOS app has a built-in speed test that seems to use Internet connected servers under the control of Eero. This appears to be a speed test from your gateway Eero to servers managed by Eero. It doesn’t let you test your raw WiFi speed, which would be nice, so you can see exactly how good your coverage is from a given device at a given location. So far, I’ve not been terribly impressed with their implementation of a speed test. From my iOS device, connected to the Eero wifi network, I can run the Ookla speed test app, and get pretty much max speed from my Internet connection, but the results shown in the Eero iOS app are routinely much lower than my ISP actually provides. I believe they are working to improve this.

Connected Devices

The iOS app gives you a nice list of Connected Devices, along with devices that were recently on your network. You can see a nickname you’ve manually assigned for each device, or the hostname for some (such as Macs and iOS devices), along with a guess at who makes the device based upon the MAC address. A downside here is that some devices use “Private” MAC addresses, which they aren’t supposed to do, making it harder to identify them. It is nice that you can give them a Nickname once you figure out what they are, though.

Guest Network

I had the opportunity to try out the Guest Network feature this weekend. The iOS app has a “Guest access” section. Pop over there, hit a toggle switch to enable it, and you have a second SSID up and running, which is segmented from your normal network. This is perfect for sharing network access with people who aren’t often at your home, and who you don’t want to have access to devices on your network – just the Internet. When you hit the “Share guest network” button, it brings up the familiar iOS interface so you can send it in an iMessage or an email. In my case, I just looked at the pre-generated password and typed it in. If you want to share your main network, there’s a button for that too.

Family Profiles

This is a feature I like, but it doesn’t do as much as I expected…  You can create a family profile for each of your kids and add their devices to their profile.  There’s a pause button next to each of them, allowing you to pause the Internet for each profile with a tap.  You can also set a schedule… The initial one defaults to the name “Bedtime”, which is 10 PM for my girls on school nights.  When a device is paused, if they attempt to browse to a website, they get a message indicating it’s paused, so they aren’t just left staring at a spinning icon, wondering why the website isn’t loading.  That probably only works for HTTP sites, but it’s a good start.

Another good use for this feature is to help identify devices.  Create a profile called “Unknown”, and place a single device that you’ve been unable to identify into that profile, then pause it.  At that point, look around and figure out what can’t access the Internet.

I really did hope for more with this feature, however.  When I read that Eero added “Family Profiles”, I think I expected content filtering.  The ability to set a content filter for each profile, so you can block your little ones (and yourself!) from bad things on the Internet.  Ideally, you’d be able to create your own customized list of categories to block with some sensible defaults, assign each Family Profile with a content filter profile, and have some way to see what is being blocked and by which profile.

I do understand that some companies don’t want to do content filtering.  No method is perfect, but having some method to guard against little Suzie ending up accidentally reaching a porn site would be a good thing.   A few years ago, if you went to show your kids the White House web page and, out of habit, went to “.com” instead of “.gov”, you might be surprised at the kind of site you reached.  Some level of content filtering would stop some accidents like that.

Why not get a dedicated content filtering device, like a Circle?

An Eero engineer on the reddit Eero forum basically warns against using a Circle with the Eero, due to the fact that it uses ARP poisoning to intercept traffic.  It sounds a bit on the messy side, and like it may not always catch everything.  I did read one customer who seemed to indicate it was working well for him, but I’m skeptical.

Perhaps they could partner with Circle?  Update their hardware to work something like Circle does…  The Eero would be the perfect place to control it.

Other Alternatives to Circle?

I do believe there are a few other devices that could be your Internet router, then run Eero in bridge mode, allowing the router to do all the filtering.  One that looks pretty good is the torch router, but at $249, it’s pricey, especially considering the money spent on the Eero system.  And the torch router includes Wifi, which we don’t really need with the Eero.

August 16, 2016 at 8:43 pm

Eero – A few weeks in

I’ve been running with the Eero Wifi system in my home for a few weeks now. I did have an issue where the iOS app stopped seeing devices as they connected and disconnected from my network. Ultimately, I seemed to have fixed it, though I’m not entirely sure how.

My troubleshooting basically consisted of disconnecting the switches from each other and the power from all the Eeros, booting up my main Eero and waiting until it was online, then attaching each switch, one at a time, finally adding back the other Eeros.  That’s the basic idea at least.  I ended up taking a few switches out, as I didn’t need them with the improved WiFi coverage.

My network consisted of daisy-chained Ethernet switches…  Not the best design – It would have been better to have a central switch and home-run a CAT5 from each of the rooms to the central switch.

Anyhow, my network was basically like so:

Living Room: Two switches
Bed Room: Two switches
Den: Two switches

LR was linked to BR with a CAT5 cable, and BR was linked to the Den with a CAT5 cable.

Since each room now has a wire attached Eero access point, I took the step of removing a switch from the Bed Room and Den, giving me fewer overall hops.

Anyhow, I think this problem has been fixed now for a little over a week.

Other than that issue, which seems to be resolved now, it’s been pretty great in terms of WiFi coverage.


August 16, 2016 at 7:49 pm

Eero surprise

I just had a surprising discovery about my Eero.  I made a mistake!

On Thursday evening, I installed it in my home.  First, I attached it to my cablemodem, as instructed by the iPhone app, then I attached two more units to my network in other parts of my home.  Everything has been working well since.

I remembered a day or two ago thinking about that main Eero unit.  I didn’t seem to remember attaching it to my primary ethernet switch.  But I must have, right?  It’s been working fine.

Tonight, I was in the living room where the main Eero is, and I looked at it, only to find that it had a single ethernet cable attached, which runs to my cablemodem.  It was not physically connected to my network at all!

As it turned out, at least one of the other Eero units has been connected back to the main Eero using the wifi mesh. And my network has been working very well. We’ve been streaming Netflix, streaming shows on the AppleTV from the cloud, playing an MMO game, etc.

So, congratulations Eero – the fact that my entire network was connected to the Internet across your wifi mesh, and I didn’t notice… Well, that’s great!

I did correct this issue this evening by adding a cable from the main Eero to my primary ethernet switch.  I understand that some lag was introduced in an MMO game for about 20 seconds or so when I attached it, but it seemed to adjust to the network topology change and keep right on going.

July 24, 2016 at 8:49 pm

Eero arrives – First look

My three pack of Eero devices arrived today. I attached them each to ethernet switches around my home, so I’m not using the wireless mesh capabilities of these units.

Installation went very smoothly. I performed a quick series of speed tests (using the Ookla speed test app). Virtually everywhere inside my home, I’m now getting speeds in excess of 40 Mbps down. Close to an Eero? Closer to 85-95 Mbps. Out around the pool, I got around 30 Mbps for the most part, with one exception around 10 Mbps.

The parental controls features of the Eero aren’t quite what I had hoped.  When I think Parental Controls, I think internet filtering.  In the Eero, at least in the current form, it appears that this only covers grouping devices to a person, and having the ability to set schedules for when those devices have Internet access, pausing the Internet, and that sort of thing.   A similar feature advertised by Luma appeared to do things like this, plus filtering. I understand they have been putting out multiple updates each month, so hopefully a future update will include filtering based on family profile settings.

I’ve experimented with multiple access points in my home before, and those experiments always seemed to not work out quite as well as I had hoped.  If you give them different SSIDs, you have to switch networks from time to time, depending on where you are.  If you name the SSID the same on multiple APs, I’ve found issues with wireless devices “sticking” to a given AP.  Say you are in one part of the house, connected to AP1, and you move to another part of the house, near AP2.  It seems that as long as AP1 is somewhat within range, your wireless device will stay connected to it, even though there is a better signal available.

I have not really seen this problem with the Eero.  If I walk around my home, it seems like my iPhone moves to whichever Eero I’m closest to, judging by the number of bars my iPhone shows.  So far, I’m pretty impressed with the coverage.  I’ve generally wired most devices, but that may change with the Eero system in my home…

Hopefully, I’ll have more news to report in the next few weeks or so.

Update: I removed part of this entry related to something I thought was not in Eero yet, but I found it the next morning.

July 21, 2016 at 10:54 pm
