Network configuration
These are notes on the configuration of my home network.
Hardware
In structured media panel
- DOCSIS modem provided by Spectrum (no WiFi)
- Ubiquiti Edgerouter (ERX); eth0 = WAN and switch0 = 4 ports LAN
- Unifi AP-AC-Lite access point; Unifi controller in Docker on Bellman
- Bellman, an Intel NUC
In eLab rack
- 8 port DLINK 1G unmanaged switch
- Wenda, a Synology
Services
- Firewall via ERX
- Firewall on Bellman via IPTABLES
- WLAN wildsong2 2.4 GHz
- WLAN wildsong5 5 GHz
- DHCP via ERX router
- DNS via dnsmasq on Bellman
- Public DNS (both hosting and resolving) via Cloudflare. Cloudflare gets a 5 star rating.
TODO: set up a really lightweight SIP server (Asterisk is fine I suppose) so that I can use my vintage phones. Maybe even put one in the kitchen again! Make Twilio do most of the work.
TODO: Allow network to function when Bellman is down = move DNS to router, I've tried a couple times now. See the ERX section. Maybe running it on Bellman is not so bad.
TODO: Better backups (always)
Wired network
- Bellman server
- Murre Windows 10 Desktop
- Other random gadgets come and go including a few Raspberry Pi's
- 1 Grandstream Android phone (called "studio")
Wireless via Unifi
Laptops
Devices
- Squeezebox (2.4 only)
- 6 FEIT dimmers (2.4 only)
- 3 Martin Jerry switches (2.4 only)
- Random ESP32 and ESP8266 and nRF and Pi devices come and go.
Configuration notes
EdgeRouter-X aka ERX
2019-08-04 DNS on the ERX basically was too hard to manage, so it's back on Bellman. Including DHCP for integration. DDNS is still on the ERX.
2018-06-29 as mentioned above, ERX is now doing all DHCP and DNS service via DNSMASQ.
2018-12-19 installed 1.10.8
Use bwilson account to get access
You can SSH into it or go to its web interface.
I have a basic firewall set up here; there are additional rules on Bellman.
Port forwarding to Bellman
- SSH
- Asterisk (UDP for RTP, 5060-5061 for SIP)
- HTTP,HTTPS
- 8080-9300 for testing sundry Tomcat services
Masquerade for outbound traffic
DNS and DDNS set up
This router does DDNS to Cloudflare. For internal web access use https://gw/#Services/DNS -- but I set it up with CLI. When debugging keep in mind it's using ddclient and you can open up the executable if you want because it's just perl source code.
Another tip - grab the ddclient source from github and look at the sample files.
Command line: ssh bwilson@gw (from Bellman typically)
configure set service dns dynamic interface eth0 service custom-cloudflare protocol cloudflare set service dns dynamic interface eth0 service custom-cloudflare server www.cloudflare.com set service dns dynamic interface eth0 service custom-cloudflare host-name bellman.wildsong.biz set service dns dynamic interface eth0 service custom-cloudflare login "[email protected]" set service dns dynamic interface eth0 service custom-cloudflare password "API KEY GOES HERE" set service dns dynamic interface eth0 service custom-cloudflare options "zone=wildsong.biz ssl=yes" set service dns dynamic interface eth0 service custom-cloudflare options "zone=wildsong.biz use=web ssl=yes" # inside dns set system static-host-mapping host-name geoserver.wildsong.biz inet 192.168.123.2
commit save exit
For good hints, see GreenUkr at https://community.ui.com/questions/EdgeRouter-X-DNS-local-hosts-resolved-using-Dnsmasq/dd3b1d6a-b018-4c31-bda0-b5ddf464392d
To see current settings:
show service dns
dns {
dynamic {
interface eth0 {
service custom-cloudflare {
host-name bellman.wildsong.biz
login [email protected]
options "zone=wildsong.biz ssl=yes"
password fb9cc5f333317ce88eba8940cec05e6efdf36
protocol cloudflare
server www.cloudflare.com
}
}
}
forwarding {
cache-size 400
listen-on switch0
name-server 1.1.1.1
name-server 1.0.0.1
options domain=wildsong.biz
options local=/wildsong.biz/
options local=//
options server=/wiki.wildsong.biz/1.1.1.1
options server=/www.wildsong.biz/1.1.1.1
options server=/dart.wildsong.biz/1.1.1.1
options server=/aurora.wildsong.biz/1.1.1.1
options server=/wildsong.biz/1.1.1.1
options dhcp-authoritative
}
}
I put some static DHCP mappings in for gw and bellman even though they are not normally on DHCP and this makes name lookups for them work.
Use this command to get status:
show dns dynamic status
Force update:
update dns dynamic interface eth0
Test
ddclient -daemon=0 -debug -verbose -noquiet -file=/etc/ddclient/ddclient_eth0.conf
This makes me nervous but it's saying it is a WARNING.
Dec 21 02:51:10 ubnt ddclient[28406]: WARNING: file /var/cache/ddclient/ddclient_eth0.cache, line 3: Invalid Value for keyword 'ip' = Dec 21 02:51:11 ubnt ddclient[28406]: WARNING: skipping update of bellman.wildsong.biz from <nothing> to 71.8.165.46.
Firewall ruleset
In the Port Forwarding tab, turn off the feature that automatically allows port forwarded traffic.
In the WAN_IN ruleset, I have 6 rules now
- Allow established/related
- Drop invalid state
- Accept media traffic - ports 10000-20000 both TCP and UDP
- Accept all Twilio traffic for North America (using a group)
- Accept SSH destination bellman port 22
- Accept HTTPS destination bellman port 443
- Accept destination bellman port 8080-9300 - Docker Tomcat (including ElasticSearch)
Tuning a firewall rule remotely
I like using vi to make small changes to the existing config, I only have to use a few unfamiliar commands that way.
- Log in via ssh (goto bellman first and then ssh bwilson@gw).
- Assume rootly powers, sudo -s
- Make a copy of the config file, for example, cd /; cp config.boot config.boot.geoserver
- Edit the copy, vi config.boot.geoserver
- Use these commands
configure load config.boot.geoserver compare saved
If the changes look like what you actually want, go for it, the worst thing that you can do is lock yourself out of your network!
commit
The new config is now operational. Test it, edit and commit again if you want, until it works. If you want at this point you could reload the old config and you are back where you were:
# Fall back to old config load config.boot commit
OR move forward
save exit
and that's it.
Getting hammered from the Internet on my Asterisk server
Set up a whitelist for Twilio and block all other outside SIP traffic.
"Simply create an address group, name it "whitelist" and add the allowed IP addresses.
Now go to the firewall tab and look for the ruleset that blocks the traffic. Add a new rule and allow the traffic for this address group under the source/destination tab - depending on what you want to whitelist. Be sure to check the rule order so the "allow" comes before any "reject" or "drop". Otherwise the connection might be rejected/denied before the whitelist rule gets even checked..."
It appears to be working; I can still see attempts in the "STATS" tab for WAN-IN but nothing on the Asterisk console. This should reduce the work that Bellman has to do, checking ACL lists.
Getting syn flooded from 23.225.141.70
ssh 192.168.123.1 configure # Find a good rule number to use show firewall name WAN_IN # Add the rule to blacklist the attacker
set firewall name WAN_IN rule 40 action drop set firewall name WAN_IN rule 40 source address 23.225.141.70 set firewall name WAN_IN rule 40 protocol tcp
commit; save # Did not work!
delete firewall name WAN_IN rule 40 commit; save
# Heavy handed, but we're running all services on HTTP anyway # Just drop port forwarding for port 80!
show port-forward
rule 4 {
description HTTP
forward-to {
address 192.168.123.2
port 80
}
original-port 80
protocol tcp
}
...
delete port-forward rule 4 commit; save
This worked. For now anyway.
Unifi
Use vastra or admin account to get access to UniFi server in Docker.
2018-11-05 WAP Firmware revision is 3.9.27.8537; as of today, 3.9.54.9373 is available but not worth installing.
