Updates everything
This commit is contained in:
Jonathan Hodgson
parent
ea220efc38
commit
7cf34b3650
24 changed files with 1305 additions and 11 deletions
162
content/blog/019-my-new-home-network.md
Normal file
162
content/blog/019-my-new-home-network.md
Normal file
|
|
@ -0,0 +1,162 @@
|
|||
---
|
||||
title: My New Home - Network
|
||||
date: 2023-02-08
|
||||
tags:
|
||||
- Privacy
|
||||
- My New Home
|
||||
description: >
|
||||
I recently bought a new House. In this post, I discuss my network setup as
|
||||
part of a series of posts about the setup.
|
||||
---
|
||||
|
||||
So, we have finally moved into our new home. The buying process took far too
|
||||
long, I am sick to death of dealing with solicitors, but we are now in. I hope
|
||||
this will become a series of blog posts in which I detail the setup process.
|
||||
This particular post will be the network.
|
||||
|
||||
My initial intention had been to buy some land and build a house. However, the
|
||||
process of doing so in the UK was ... annoying, so instead we went for a new
|
||||
build. We found the property early enough in the build process that we were able
|
||||
to make various requests. One of which was for the electrician to run Cat-6
|
||||
ethernet cable throughout the house before the walls were plastered. The cables
|
||||
all run into our under-stairs cupboard which I managed to convince my wife to
|
||||
give me as a server room.
|
||||
|
||||
The majority of our rooms have 2 ethernet sockets in opposite corners. Our
|
||||
lounge has 4, one in each corner. Our hall and landing both have celling mounted
|
||||
ports for access points. I think this is probably more than we need, but at the
|
||||
time we didn't know how we'd lay the rooms out, so we put in more than we
|
||||
thought we'd need. I think this was a good choice. Running ethernet is much
|
||||
easier when you don't have plaster to contend with. And they are just sockets on
|
||||
the walls -- they are no uglier than mains, telephone or coax sockets.
|
||||
|
||||
## Network Gear
|
||||
|
||||
In terms of the network gear, I decided to take the plunge and try TP-Links
|
||||
Omada line. I think it is fair to say that in the pro-sumer arena, Ubiquity are
|
||||
the most popular. However, they are also expensive. I watched a lot of YouTube
|
||||
and decided that TP Link's product catered for my needs.
|
||||
|
||||
I bought:
|
||||
|
||||
* [A Router / firewall](https://amzn.to/3HwPACO) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08SWR1K56/))
|
||||
* [A Switch](https://amzn.to/3I1rB07) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B08W4PM24H/))
|
||||
* [An Access Point](https://amzn.to/3RCFkxw) ([Non-Associates Link](https://www.amazon.co.uk/gp/product/B09ZF7HPFB/))
|
||||
|
||||
I won't go into too much detail on the individual devices I got as copying me is
|
||||
a pretty bad idea. You want to make the decision based on the size of your
|
||||
network, the speeds you need and the sorts of devices you want to attach.
|
||||
|
||||
## Network Configuration
|
||||
|
||||
I run the TP Link Omada Controller in a Docker container on my home server. I
|
||||
have had no issues with it at all so far.
|
||||
|
||||
In terms of the software itself, I would say that it's not quite on a par with
|
||||
Ubiquity's product, however, it is more than sufficient for my needs and I would
|
||||
think more than sufficient for most home users and small / medium businesses.
|
||||
|
||||
The only area I found it to be a little lacking was the firewall configuration.
|
||||
However, before I explain that, it would be helpful for me to explain the VLANs
|
||||
I have on my network. In case you don't know, a VLAN is a virtual network. It is
|
||||
useful for categorising and segregating devices. I have seen many examples
|
||||
across the internet of people who setup tens of VLANs for their home network.
|
||||
However, I think any security gains you may get from that are outweighed by the
|
||||
added complexity maintaining it. I have opted for two VLANs.
|
||||
|
||||
My first VLAN is for trusted devices. Trusted devices are my computers, my
|
||||
wife's computers, our phones and my server. These are able to communicate
|
||||
with each other and the internet.
|
||||
|
||||
My second VLAN is for smart devices. These are devices that have no business
|
||||
talking to each other or the internet. The only device they can communicate with
|
||||
is my server running Home Assistant, an NTP server and a DNS server.
|
||||
|
||||
This can all be achieved easily with the Omada software. Where it is lacking is
|
||||
in its inability to set up stateful firewall rules. I would like to configure
|
||||
the firewall so that devices on my trusted network can communicate with devices
|
||||
on the smart VLAN, and the smart devices should be able to reply. Meaning, from
|
||||
my laptop, I cannot SSH into [my vacuum](/blog/i-got-a-robot-vacuum/) because
|
||||
that requires 2 way communication. There is talk [on
|
||||
Reddit](https://libreddit.kavin.rocks/r/HomeNetworking/comments/mrxsbg/tplink_omada_switch_acls_arent_stateful/)
|
||||
that future firmware may support this, but at the moment it doesn't. I have got
|
||||
around this by using my server as a jump box to SSH from as smart devices are
|
||||
able to connect to this, although I'd prefer a stateful firewall solution.
|
||||
|
||||
I am also not able to force all DNS requests to my DNS server. On some router /
|
||||
firewall solutions, you can force all outbound traffic on port 53 (DNS) to a
|
||||
particular device. I have to rely on devices honouring the server specified via
|
||||
DHCP. However, they seem to be doing this. They are unable to communicate with
|
||||
any other servers so even if they are only honouring my choices because they
|
||||
have no choice, I don't really care.
|
||||
|
||||
## NTP
|
||||
|
||||
One of the issues I overlooked when planning my network setup was that of the
|
||||
Network Time Protocol (NTP). I have Chrony running on my server, but many
|
||||
devices don't allow you to specify an NTP server. Instead, they just silently
|
||||
fail, and leave you scratching your head whilst trying to correlate times in log
|
||||
files. A particularly annoying case of this had a device default to a date in
|
||||
January 2022. Whilst debugging an issue, it was January 2023 and I completely
|
||||
missed the fact that it was a year out for far too long.
|
||||
|
||||
It should be possible to configure an NTP server via DHCP. However, the Omada
|
||||
software doesn't [appear to support
|
||||
it](https://community.tp-link.com/en/business/forum/topic/256680). Eventually, I
|
||||
might allow my Pi Hole to manage IP assignment which would allow me to configure
|
||||
the appropriate DHCP options, although that would still be reliant on devices
|
||||
obeying it.
|
||||
|
||||
For now, I have pointed the domains I saw being used at my server, which appears
|
||||
to have worked.
|
||||
|
||||
## Network Connection
|
||||
|
||||
Another issue I came across is that some mobile apps for self hosted programs
|
||||
don't work without an internet connection. I [raised an
|
||||
issue](https://github.com/advplyr/audiobookshelf-app/issues/566) for
|
||||
Audiobookshelf. The owner responded quickly and after a few screenshots
|
||||
acknowledged the bug. This is not supposed to be a knock on the app -- I have
|
||||
been hugely impressed by the speed of responses I've had from the team who work
|
||||
on it. It is instead supposed to highlight the fact that many tools are not
|
||||
tested against the sort of non-standard setup I have here. As a result, I am
|
||||
going to run into issues that I wasn't expecting.
|
||||
|
||||
In the case of Audiobookshelf, it looks like one of its libraries checks for
|
||||
internet connectivity rather than network connectivity. After checking my
|
||||
pihole's logs, it turns out that Android devices make regular (unencrypted)
|
||||
requests to <http://connectivitycheck.gstatic.com>. This is used to identify
|
||||
captive portals as well as verify internet connectivity. Fortunately for me,
|
||||
being unencrypted, I can host a simple webserver and point that domain at it on
|
||||
my network. So that's what I did. The relevant NGINX config is below:
|
||||
|
||||
```nginx
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name connectivitycheck.gstatic.com;
|
||||
|
||||
location / {
|
||||
return 204;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
After this, the app started working as expected.
|
||||
|
||||
## WPS
|
||||
|
||||
WPS is a method of connecting to a network without having to enter a password.
|
||||
It generally involves pushing a button on your access point and a button on your
|
||||
phone / device then "magically" the device is on your network. This method of
|
||||
connection has been shown to have several security weaknesses. Many modern
|
||||
solutions, including Omada and Ubiquiti have stopped providing this as an
|
||||
option.
|
||||
|
||||
I approve of this decision, it is something I would have disabled if it had been
|
||||
present. However, my printer has no other way of connecting to the network. No
|
||||
ethernet and no way to enter a password. I think I'll probably have to dig out
|
||||
an old router that does support WPS and hope that after connecting, the printer
|
||||
will have a web interface that allows me to change the network configuration. If
|
||||
not, I may have to just plug a small SBC into it and run a cups server on that.
|
||||
Loading…
Add table
Add a link
Reference in a new issue