Network configuration: Difference between revisions

These are notes on the configuration of my home network.

Hardware

In structured media panel

• DOCSIS modem provided by Spectrum (no WiFi)
• Ubiquiti Edgerouter (ERX); eth0 = WAN and switch0 = 4 ports LAN

In eLab rack

• 10 port Cisco SG300-10 1G managed switch
• Bellman, an Intel NUC
• Wenda, a Synology
• Murre, a Linux desktop
• Brother laser printer
• Two power supplies, a Cyberlink and a TrippLite

In the kitchen downstairs,

• Vilo 6 AP set in bridge mode

The access point was moved downstairs to put it closer to where we usually use it.

The router has a 24vdc supply connected to its coaxial port. Initially I used a POE injector but it was throttling throughput to 100Mbps and that became a problem when Spectrum started giving us 300Mbps service.

Services

• Firewall via ERX
• WLAN wildsong2 2.4GHz via VILO 6
• WLAN wildsong 5GHz via VILO 6
• DHCP is on the ERX
• DNS is currently via Pihole (dnsmasq) on Bellman
• Public DNS (both hosting and resolving) via Cloudflare. Cloudflare gets a 5 star rating.

TODO: set up a PBX so that I can use my vintage phones. Maybe even put one in the kitchen again!

TODO: Better backups (always)

Wired network

• Bellman server
• Murre Linux Mint desktop
• Other random gadgets come and go including a few Raspberry Pi's

Services in Docker

Cloudflare Zero Trust is now being used to hide all services running in Docker containers on W6GKD and on Bellman.

This includes wiki.wildsong.biz and hupi.org.

They can be moved between W6GKD and Bellman whenever the need arises.

More notes on Cloudflare

Wireless via Vilo 6

Laptops

• Plover
• Stellar
• Swift
• A new Chromebook that does not have a name yet

Devices

• Squeezebox (2.4 only)
• 6 FEIT dimmers (2.4 only)
• 4 Martin Jerry switches (2.4 only)
• Random other ESP32 and ESP8266 and nRF and Pi devices come and go.

Configuration notes

2024-12-10 Reconfiguring for an IoT VLAN.

Routed instead of VLAN https://www.youtube.com/watch?v=MOfwt_AO-CUFile:Sg300vlan.avif

VLAN settings

Cisco likes to think of VLAN1 as the default but ERX does not seem to understand that, so, I set up 10, 100, and 200 as follows,

• VLAN1 = the default for Cisco
• VLAN10 = LAN = 192.168.123.x
• VLAN100 = IoT, 192.168.100.x
• VLAN200 = Test, 192.168.200.x

EdgeRouter-X aka ERX

DHCP - Switched from dhcpd to dnsmasq - for 2 reasons. 1. dhcp will update dns 2. good VLAN support

So far it looks like making that switch also tagged the DHCP responses for VLAN too. Works well.

I used a combination of CLI and GUI and found instructions here to be helpful.

Dashboard->VLAN tab-> "Add Interface"

VLAN ID = 10, Interface = switch0, IP address=192.168.123.254/24, Description = LAN

NOTE, the UAC can directly support VLANs, so the IoT network on it is set to VLAN100. That's why the ERX port 4 is set to TRUNK mode

Cisco SG300-10

Its name is switch3d5bf4 which works for me! Username and password by default set to cisco/cisco. See label on the back for current setting.

2024-12 I got this SG300-10 managed switch on eBay so I could experiment with VLANs. (It replaced an unmanaged DLink 8 port.) The SG300 uses a 12V barrel connector for its external power supply. I like the switches with built-in AC power but this product does not have that feature. Also I preferred the non-POE hardware because on eBay they often sell equipment without power supplies, and the matching POE power supplies cost more than the switches.

2024-12-21 Updated its firmware from 1.3.5.58 to 1.4.11.5

MAC 50:67:ae:3d:5b:f4

Power supply: I have it on a 12V 4.8A brick, I think it needs about 36W MAX

There is a GUI, put it on the LAN at http://192.168.123.254/ --static assignment in the ERX.

Step1. Reset to factory defaults.

From eBay it had who knows what programmed into it. I reset it. I used a serial cable, null modem, and USB-RS232 adapter to program it. It detects baud, hit enter twice to tell it. The reset command is "reload". You can pin it too, there is a hole on the front panel.

I think it gets stuck on its baud rate, I still have to mess around with the speeds. Today it likes 115,200.

I was able to get access via SSH going by enabling some ancient settings in my .ssh/config file.

Host cisco
  User bwilson
  IdentityFile ~/.ssh/id_rsa_cisco
  Hostname 192.168.123.254
  Port 22
  HostkeyAlgorithms +ssh-rsa
  KexAlgorithms +diffie-hellman-group1-sha1
  PubkeyAcceptedKeyTypes +ssh-rsa

Step 2. Set it up.

Supposedly you can do everything from the GUI. Whatever. I use minicom on a serial port on Murre so that temporarily losing my network connection is less painful.

Mode settings include: General | Access | Trunk | Customer | Private VLAN - Host | Private VLAN - promiscuous

General means it's a 802.1q compliant trunk port

conf t # enter configuration mode
# create the vlans
vlan database
vlan 10
vlan 100
vlan 200
end
conf t
int gi7 # select gig port 7 (bench)
switchport mode access # change from TRUNK to ACCESS
switchport access vlan 200 # attach to TEST vlan
no shut # enable the port
end # leave config mode
show vlan # show current settings

Repeat as needed to program all 10 ports, then save the running configuration to the startup configuration to persist it. You can see all the details on a particular port with

show interfaces switchport gi7

You can do more than one port at a time, for example, move 2 and 3 (Wenda and Murre) and 4 to VLAN 10 and ports 5 and 6 to VLAN 100 (IoT).

conf # enter configuration mode
int gi2
switchport mode access
switchport access vlan 10
no shut
end
...repeat for gi3 and gi4

conf
int gi5
switchport mode access
switchport access vlan 100
no shut
end
...repeat for gi6

Set the uplink port to trunk and tag the packets

int gi10
switchport mode trunk
switchport trunk allowed vlan add 10,100,200
no shut

switch3d5bf4#show vlan
Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN

Vlan       Name           Tagged Ports      UnTagged Ports      Created by    
---- ----------------- ------------------ ------------------ ---------------- 
 1           1                            gi1-3,gi9-10,Po1-8        V         
 10         10               gi9-10              gi4                S         
100         IoT              gi9-10             gi5-6               S         
200        Test              gi9-10             gi7-8               S  

...and if things appear to be working, commit your changes

copy running-config startup-config

When I applied the commands from a ssh shell from downstairs and the connection dropped, the switch probably reset. I was able to shell right back in. USE MINICOM.

BTW, pings from the switch are crazy fast, like 0ms response times.

Step 3. Energy: for now I left it up to the IEEE, I could force energy saving through the "short cable" setting.

TRUNK = everything

History

2023-12-3 v2.0.9-hotfix.7 on VILO 6

2023-11-08 To access Home Assistant from work, it has to be reachable over a normal port, which means 443 or possibly 8443. Since I put TLS onto HA, I can't pass it through the free version of Varnish/Hitch. But I don't think I need to. So I am going to try port forwarding on port 8443 for HA and see if it goes through the Company firewall.

2023-08-18 Changed rules for Traccar GPS to Home Assistant.

2023-02-23 Changed firewall rules limit SSH port 22 to work, vultr, tektonic. Secret! LOL I did this by editing config.boot as described below.

2022-08-24 Put it on a 24V supply and programmed eth4 for POE pass-thru. Eliminated POE injector and increased speeds to Internet from 100 to 300Mbs.

2022-02-25 Updated the boot file and rebooted.

2022-02-25 Checked the DDNS set up but not convinced it does anything since it says "1 Jan 1970' in "show dns dymanic status"

2022-02-18 Installed Wireguard on the ERX

2022-02-17 Updated to 2.0.9 firmware; I wonder what (of significance to me) changed.

2019-08-04 DNS on the ERX basically was too hard to manage, so it's back on Bellman. Including DHCP for integration. DDNS is still on the ERX.

2018-06-29 as mentioned above, ERX is now doing all DHCP and DNS service via DNSMASQ.

2018-12-19 installed 1.10.8 firmware

Use bwilson account to get access

You can SSH into it (ssh gw) or go to its web interface.

Port forwarding to Bellman

• SSH (using secret port #) I changed both the firewall and bellman to use the same port number.
• Asterisk (UDP for RTP, 5060-5061 for SIP)
• 8443 (goes to Varnish/Hitch on Bellman)
• HTTPS on port 443 goes to the Home Assistant port 8123 on Bellman

Masquerade for outbound traffic

DNS and DDNS set up

This router does DDNS to Cloudflare. For internal web access use https://gw/#Services/DNS -- but I set it up with CLI. When debugging keep in mind it's using ddclient and you can open up the executable if you want because it's just perl source code.

Another tip - grab the ddclient source from github and look at the sample files.

Command line: ssh [/cdn-cgi/l/email-protection [email protected]] (from Bellman typically)

configure
set service dns dynamic interface eth0 service custom-cloudflare protocol cloudflare
set service dns dynamic interface eth0 service custom-cloudflare server www.cloudflare.com

set service dns dynamic interface eth0 service custom-cloudflare host-name bellman.wildsong.biz
set service dns dynamic interface eth0 service custom-cloudflare login "[/cdn-cgi/l/email-protection [email protected]]"
set service dns dynamic interface eth0 service custom-cloudflare password "API KEY GOES HERE"

set service dns dynamic interface eth0 service custom-cloudflare options "zone=wildsong.biz ssl=yes"
set service dns dynamic interface eth0 service custom-cloudflare options "zone=wildsong.biz use=web ssl=yes"

# inside dns
set system static-host-mapping host-name geoserver.wildsong.biz inet 192.168.123.2

commit
save
exit

For good hints, see GreenUkr at https://community.ui.com/questions/EdgeRouter-X-DNS-local-hosts-resolved-using-Dnsmasq/dd3b1d6a-b018-4c31-bda0-b5ddf464392d

To see current settings:

show service dns
dns {
    dynamic {
        interface eth0 {
            service custom-cloudflare {
                host-name bellman.wildsong.biz
                login [/cdn-cgi/l/email-protection [email protected]]
                options "zone=wildsong.biz ssl=yes"
                password PASSWORD REDACTED, SEE PSONO DATABASE ENTRY FOR CLOUDFLARE
                protocol cloudflare
                server www.cloudflare.com
            }
        }
    }
    forwarding {
        cache-size 400
        listen-on switch0
        name-server 1.1.1.1
        name-server 1.0.0.1
        options domain=wildsong.biz
        options local=/wildsong.biz/
        options local=//
        options server=/wiki.wildsong.biz/1.1.1.1
        options server=/www.wildsong.biz/1.1.1.1
        options server=/dart.wildsong.biz/1.1.1.1
        options server=/aurora.wildsong.biz/1.1.1.1
        options server=/wildsong.biz/1.1.1.1
        options dhcp-authoritative
    }
}

I put some static DHCP mappings in for gw and bellman even though they are not normally on DHCP and this makes name lookups for them work.

Use this command to get status:

show dns dynamic status

Force update:

update dns dynamic interface eth0

Test

ddclient -daemon=0 -debug -verbose -noquiet -file=/etc/ddclient/ddclient_eth0.conf

This makes me nervous but it's saying it is a WARNING.

Dec 21 02:51:10 ubnt ddclient[28406]: WARNING:  file /var/cache/ddclient/ddclient_eth0.cache, line 3: Invalid Value for keyword 'ip' = 
Dec 21 02:51:11 ubnt ddclient[28406]: WARNING:  skipping update of bellman.wildsong.biz from <nothing> to 71.8.165.46.

Firewall ruleset

In the Port Forwarding tab, turn off the feature that automatically allows port forwarded traffic.

In the WAN_IN ruleset, I have these rules now

1. Allow established/related
2. Drop invalid state
3. Accept media traffic - ports 10000-20000 both TCP and UDP
4. Accept all Twilio traffic for North America (using a group)
5. Accept SSH destination bellman port 22 (ssh_whitelist only)
6. Accept HTTPS destination bellman port 443 and port 8443

Tuning a firewall rule remotely by editing config.boot

I like using vi to make small changes to the existing config, I only have to use a few unfamiliar commands that way.

1. Log in via ssh (goto bellman first and then ssh [/cdn-cgi/l/email-protection [email protected]]).
2. Assume rootly powers, sudo -s
3. Make a copy of the config file, for example, cd /config; cp config.boot config.boot.geoserver
4. Edit the copy, vi config.boot.geoserver
5. Use these commands

configure
load config.boot.geoserver
compare saved

If the changes look like what you actually want, go for it, the worst thing that you can do is lock yourself out of your network!

commit

The new config is now operational. Test it, edit and commit again if you want, until it works. If you want at this point you could reload the old config and you are back where you were:

# Fall back to old config
load config.boot
commit

OR move forward

save
exit 

and that's it.

Getting hammered from the Internet on my Asterisk server

Set up a whitelist for Twilio and block all other outside SIP traffic.

"Simply create an address group, name it "whitelist" and add the allowed IP addresses.

Now go to the firewall tab and look for the ruleset that blocks the traffic. Add a new rule and allow the traffic for this address group under the source/destination tab - depending on what you want to whitelist. Be sure to check the rule order so the "allow" comes before any "reject" or "drop". Otherwise the connection might be rejected/denied before the whitelist rule gets even checked..."

It appears to be working; I can still see attempts in the "STATS" tab for WAN-IN but nothing on the Asterisk console. This should reduce the work that Bellman has to do, checking ACL lists.

Getting syn flooded from 23.225.141.70

ssh 192.168.123.1
configure

# Find a good rule number to use
show firewall name WAN_IN

# Add the rule to blacklist the attacker

set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 source address 23.225.141.70
set firewall name WAN_IN rule 40 protocol tcp

commit; save

# Did not work!

delete firewall name WAN_IN rule 40
commit; save

# Heavy handed, but we're running all services on HTTP anyway
# Just drop port forwarding for port 80!

show port-forward

rule 4 {
    description HTTP
    forward-to {
        address 192.168.123.2
        port 80
    }
    original-port 80
    protocol tcp
}
...

delete port-forward rule 4
commit; save

This worked. For now anyway.

Unifi

Use vastra or admin account to get access to UniFi server in Docker.

2018-11-05 WAP Firmware revision is 3.9.27.8537; as of today, 3.9.54.9373 is available but not worth installing.

Resources

Cisco SG300

Initial configuration

Configure a VLAN on a switch GUI

Configure port to a vlan interface CLI

Green ethernet settings