02-26-2020, 10:22 PM | #1 |
Scooby Specialist
Member#: 58504
Join Date: Mar 2004
Chapter/Region:
South East
Location: Ready to try OpenECU.org!!!
Vehicle:2004 STi Aspen White / Silver |
Home Networking Thread - Step in here
It's getting so much more complicated to keep China and North Korea out of my house.
Every couple of years I have to get even more tinfoil hat with my home setup, and now I'm stuck and need help.

My setup (believe it or not this is actually simplified from what it used to be):

CableModem -> Router -> VLANs

Router firmware is Asus-Merlin
VLAN-1 is for biz devices only
VLAN-2 is for kids devices
VLAN-3 is for a bunch of IoT devices
VLAN-4 is for transient devices & guests

The router is configured to get the latest WAN IP and update DNSomatic.com. I have verified this is working and DNSomatic reports the proper WAN IP. DNSomatic is configured to update the new IP address to DynDNS.com and OpenDNS.com. I use OpenDNS to filter sites by content to better control what the kids can or can't get to. I use DynDNS to associate a hostname to my dynamic IP.

I run a VPN server on my router in order to allow me to remotely connect to my network from outside. This works well.

I recently enabled the VPN client on my router, and use a split VPN tunnel to route some devices thru the VPN and others thru the WAN interface. This also works. My paid VPN service does not provide me with a unique IP.

Here are my issues:

I initially created the split VPN tunnel to route all traffic thru the VPN tunnel and then had a short list of (high bandwidth) devices I specifically excluded. But I quickly found out that so many sites and services block known VPN server IPs that it was damn near pointless. Couldn't connect to banking sites, airline sites, and others. So I ended up flipping it around where all traffic goes thru the WAN interface (as normal) and specifically list devices I want to go thru the VPN tunnel to the server.

My second problem is killing me. My router updates DNSomatic properly, but when DNSomatic passes that to DynDNS, then DynDNS does its own IP check, and ends up seeing the IP address of my VPN service, not my WAN IP. So DynDNS doesn't associate the proper WAN IP with my hostname, and thus I am unable to remotely connect to my network.

Help?
|
02-27-2020, 06:12 AM | #2 |
Scooby Specialist
Member#: 4103
Join Date: Feb 2001
Chapter/Region:
MWSOC
Location: Brookfield
Vehicle:2016 Mazda6 Red |
The really annoying thing to me is I know exactly what you are saying, but don't know enough to help.
Good luck though. |
02-27-2020, 08:06 AM | #3 |
Scooby Specialist
Member#: 11222
Join Date: Oct 2001
Vehicle:2019 Serta i5000 Black |
It looks like you are using a vpn for anonymizing, not security, so of course you are going to be frustrated by legitimate websites. They want to protect themselves and their customers.
VPNs are supposed to be used for remote access through a locked down firewall. A proxy server (usually in your own DMZ) is used for web access through a locked down firewall.
Last edited by Ken-Ohki; 02-27-2020 at 08:12 AM. |
02-27-2020, 08:17 AM | #4 |
Scooby Specialist
Member#: 700
Join Date: Jan 2000
Chapter/Region:
MAIC
Location: BANNED!
Vehicle:99 Impreza RS Silverthorn Metallic |
I use Unifi
https://www.ui.com/unifi/unifi-ap-ac-pro/
The management is easy to sort your VLANs. Wish I could tell you why and how. Bought two. Didn't know they are meant for malls, farms and factories. Just to illustrate how far it goes, my sister-in-law's house is about 150 yards away in our townhome suburbia. When she walks back from ours and is almost at her doorstep, she still has 1 bar of our wifi. Annoys her coz she can't unlock her August Locked door. |
02-27-2020, 08:34 AM | #5 |
Scooby Newbie
Member#: 34631
Join Date: Mar 2003
Chapter/Region:
MAIC
Location: Momma Didn't Love Me
|
Firewall
Blacklist on Host IDS

The IDS and proper firewalls can be virtualized if you're not keen on hardware. I've never done that for a home network where streaming and gaming might be most impacted so can't say how that will turn out, but surely someone has examples.

@ Snoopy: turn down your radio, bro. |
02-27-2020, 08:57 AM | #6 |
Scooby Specialist
Member#: 700
Join Date: Jan 2000
Chapter/Region:
MAIC
Location: BANNED!
Vehicle:99 Impreza RS Silverthorn Metallic |
I like being able to watch Netflix whilst I walk around our neighborhood.
|
02-27-2020, 09:01 AM | #7 |
Scooby Newbie
Member#: 34631
Join Date: Mar 2003
Chapter/Region:
MAIC
Location: Momma Didn't Love Me
|
That would be nice. How far away from b-more are you? I need to start old-man speeding walking, I only have tmobile's pleb tier data plan and got some shows to catch up on.
|
02-27-2020, 09:04 AM | #8 |
Scooby Specialist
Member#: 292403
Join Date: Aug 2011
Chapter/Region:
Tri-State
Location: In Van Down By Rockaway River
Vehicle:2012 Legacy Graphite |
Are you talking about targeted ads? What's making you think China/ North Korea are in your system? haha
|
02-27-2020, 09:09 AM | #9 |
Scooby Specialist
Member#: 700
Join Date: Jan 2000
Chapter/Region:
MAIC
Location: BANNED!
Vehicle:99 Impreza RS Silverthorn Metallic |
|
02-27-2020, 02:35 PM | #10 | |
Scooby Newbie
Member#: 7121
Join Date: Jun 2001
Chapter/Region:
MWSOC
Location: D2F.1 = D2F.2, D2F.3 = D2F.4
|
Quote:
Our company once had an IT guy that was saying that his Ubiquiti APs were way better than the Aruba APs he replaced them with. He then went on about how he can see signal for blocks away. This was in front of many of his peers, and also in front of an Aruba engineer. That engineer proceeded to school him on why signal distance is not a function of a good or bad AP, it is a function of not correctly configuring his APs. And drew it out to further explain, showing the AP as a radio tower broadcasting to a walkie talkie, and then the walkie talkie trying to communicate back but it couldn't make the distance. Needless to say, I haven't heard him talk about how great his APs are because of signal range.

Edit: Oh, and I use those APs as well in my house. I have 2 in my house because it's 2 level, 4100 sq ft with 12 ft ceilings both upstairs and downstairs. It needs it, because of client transmit limitations. It is recommended you set your 5GHz level to high and 2.4GHz to medium. You can also fine tune from there to more granular signal levels. |
|
02-27-2020, 03:24 PM | #11 |
Scooby Specialist
Member#: 46134
Join Date: Oct 2003
Chapter/Region:
TXIC
Location: Ignoranimosity
|
I have a PA-200 so I'm not worried.
|
02-27-2020, 03:30 PM | #12 |
Scooby Guru
Member#: 8343
Join Date: Jul 2001
Chapter/Region:
MWSOC
Location: Atlanta, GA
Vehicle:2005 2012 Jeep 2013 DGM BRZ |
You could always run a server through AWS or some other virtual hosting provider. There are scripts out there that help automate the process. Unlikely you'll see AWS IPs get blocked.
I'm a little confused by the second issue, why don't you just route the Dyn traffic through the WAN interface? Dyn listens on port 8245 to bypass transparent proxies, you can probably create some kind of rule to force TCP/8245 traffic out the right interface, or NAT it to your WAN IP. It also updates to members.dyndns.org so depending on what that resolves to you could route that destination out the right interface. |
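The reply above points at the real fix: keep the Dyn update off the VPN path. A complementary, protocol-level way to get the same result is to send the provider the address explicitly. The dyndns2 update call that DynDNS-style services accept takes a `myip` parameter, and a client that fills it in is no longer depending on the provider's own source-address check. The block below is an added example written for this thread, not code from the poster, from Dyn or from DNSomatic; it builds and interprets that update call entirely offline. The hostname, credentials and addresses are constructed placeholders, the User-Agent string is a made-up one, and whether your provider honours `myip` on a request arriving from a VPN exit address is something to confirm against its documentation. The policy-routing alternative from the post (forcing TCP/8245 or the members.dyndns.org destination out the WAN interface) is router-specific and is not shown here.

```python
"""Added example: build a dyndns2-style update that carries the WAN address
explicitly, then interpret the provider's one-line reply."""
import base64
import ipaddress
from urllib.parse import urlencode

# Update endpoint named in the thread; the /nic/update path, the hostname/myip
# parameters and the reply words below follow the published dyndns2 protocol.
UPDATE_HOST = "members.dyndns.org"

# Reply status words from the dyndns2 protocol. "good" and "nochg" are followed
# by the address the provider recorded; the rest are errors.
RETRYABLE = {"911", "dnserr"}           # provider-side trouble, try again later
FATAL = {"badauth", "notfqdn", "nohost", "numhost", "abuse", "badagent"}


def build_update_request(hostname, wan_ip, username, password):
    """Return (url, headers) for one update.

    Sending myip= tells the provider which address to record. Without it the
    provider falls back to the source address of the HTTP request, which is the
    VPN exit address when the router's outbound traffic is tunnelled (the
    mismatch described in this thread)."""
    ipaddress.ip_address(wan_ip)        # refuse garbage before it reaches the provider
    query = urlencode({"hostname": hostname, "myip": wan_ip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        # dyndns2 requires an identifying agent; this string is a constructed placeholder
        "User-Agent": "home-router-ddns-example/1.0 (ops@example.invalid)",
    }
    return f"https://{UPDATE_HOST}/nic/update?{query}", headers


def parse_update_response(body):
    """Turn the provider's reply ('good 203.0.113.7', 'badauth', ...) into a dict."""
    parts = body.strip().split()
    if not parts:
        return {"status": "empty", "ip": None, "ok": False, "retry": False, "fatal": False}
    status = parts[0]
    ip = parts[1] if status in ("good", "nochg") and len(parts) > 1 else None
    return {
        "status": status,
        "ip": ip,
        "ok": status in ("good", "nochg"),
        "retry": status in RETRYABLE,
        "fatal": status in FATAL,
    }


def record_matches_wan(recorded_ip, expected_wan_ip):
    """True when the provider stored the address the router meant to publish.

    A False result alongside a 'good'/'nochg' status is exactly the symptom in
    this thread: the update succeeded, but for the VPN exit address."""
    if recorded_ip is None:
        return False
    return ipaddress.ip_address(recorded_ip) == ipaddress.ip_address(expected_wan_ip)


if __name__ == "__main__":
    # Constructed values only; nothing here talks to the network.
    url, headers = build_update_request("home.example.invalid", "203.0.113.7",
                                        "ddns-user", "ddns-password")
    print(url)
    for reply in ("good 203.0.113.7", "nochg 198.51.100.9", "badauth", "911"):
        parsed = parse_update_response(reply)
        verdict = "matches WAN" if record_matches_wan(parsed["ip"], "203.0.113.7") else "does not match WAN"
        print(reply, "->", parsed["status"], verdict)
```

The check in `record_matches_wan` is the part worth keeping even if you stay with the DNSomatic chain: compare the address the provider echoes back with the address the router actually holds on its WAN interface, and alert on a mismatch instead of discovering it when the remote VPN connection fails.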
02-27-2020, 04:52 PM | #13 | ||
Scooby Newbie
Member#: 487006
Join Date: Jun 2018
Chapter/Region:
Tri-State
Location: Earth
Vehicle:17' STI not wrb... |
Quote:
Quote:
Either way best of luck, you're not the only one going "tin foil hat" mode. These IoT devices are getting rather peculiar with the outside traffic they attract, be it Korea or whomever. |
||
02-27-2020, 09:56 PM | #14 |
Scooby Newbie
Member#: 34631
Join Date: Mar 2003
Chapter/Region:
MAIC
Location: Momma Didn't Love Me
|
I'm not near balmore, sugah. It's just a good starting point for directions anywhere but there. You're safe inside another beltway, no thanks. I'll walk around listening to prerecorded music on my old pocket supercomputer like a normal poor person then.
|
02-27-2020, 10:22 PM | #15 | |
Scooby Specialist
Member#: 58504
Join Date: Mar 2004
Chapter/Region:
South East
Location: Ready to try OpenECU.org!!!
Vehicle:2004 STi Aspen White / Silver |
Quote:
I was making a joke. ;-) But all kidding aside, the incoming assaults on my network are nearly constant from botnets. I used to keep a ssh port open to connect remotely to my NAS. But when I looked at the connection logs...oh. my. God. Dozens of times a day I'd get connections from random IPs trying the default or obvious credentials. I was automatically blocking IPs with repeated failed attempts...that list became thousands long. I ended up disabling the ssh port, and even disabled the admin account. And there's been about 900 blocked malicious sites on my router since Jan 1. Not worried about ads...block those on my devices...I used AdAway on my phones and tablets and it's highly effective. If I wanted to be extra blocky I'd pull together a Pi-Hole. |
|
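The blocking the poster describes doing by hand, counting failed logins per source and dropping repeat offenders, is straightforward to automate from sshd's own log lines. The block below is an added example for this thread, not the poster's setup and not fail2ban or any other existing tool: it parses constructed auth-log lines in OpenSSH's syslog format, applies a sliding-window threshold per source address, summarises which usernames were being guessed, and turns the result into firewall commands. The sample log, the 2020 year, the threshold and the `192.0.2.0/24` allow list are all constructed values; the allow list exists so that failures from your own LAN can never produce a rule that locks you out.

```python
"""Added example: spot password-guessing against sshd from auth log lines and
build a block list with an allow list for the home LAN."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's syslog format; not taken from a real host.
SAMPLE_AUTH_LOG = """\
Feb 27 21:02:11 nas sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Feb 27 21:02:14 nas sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Feb 27 21:02:18 nas sshd[2213]: Failed password for root from 203.0.113.5 port 40130 ssh2
Feb 27 21:02:20 nas sshd[2215]: Failed password for invalid user pi from 203.0.113.5 port 40131 ssh2
Feb 27 21:02:25 nas sshd[2217]: Failed password for root from 203.0.113.5 port 40140 ssh2
Feb 27 21:05:01 nas sshd[2230]: Failed password for invalid user test from 198.51.100.20 port 51000 ssh2
Feb 27 21:05:02 nas sshd[2230]: Failed password for invalid user test from 198.51.100.20 port 51001 ssh2
Feb 27 21:09:44 nas sshd[2250]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Feb 27 21:10:03 nas sshd[2252]: Failed password for alice from 192.0.2.10 port 50023 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2020):
    """Return (timestamp, ip, username, account_exists) for each failed login.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["invalid"] is None))
    return events


def find_offenders(events, threshold=5, window_seconds=600):
    """Return {ip: time the threshold was crossed} for sources with at least
    `threshold` failures inside any span of `window_seconds`. The window
    slides, so a slow drip spread over hours is judged separately from a burst."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip, _user, _exists in events:
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = t
                break
    return offenders


def guessed_usernames(events):
    """Which accounts the guessers were after (the 'default or obvious' names)."""
    return Counter(user for _ts, _ip, user, _exists in events)


def block_commands(offenders, allow_nets=("192.0.2.0/24",)):
    """Turn offenders into firewall commands, skipping any address inside the
    allow list so a typo from your own LAN cannot lock you out. The default
    subnet is a constructed placeholder; use your real LAN range."""
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    cmds = []
    for ip in sorted(offenders):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    events = parse_failures(SAMPLE_AUTH_LOG)
    offenders = find_offenders(events)
    print("usernames tried:", guessed_usernames(events).most_common(3))
    print("sources over threshold:", offenders)
    for cmd in block_commands(offenders):
        print(cmd)
```

On the sample, only 203.0.113.5 crosses the default threshold of five failures in ten minutes; the two-attempt source and the single typo from the LAN do not, which is the behaviour you want before a list "thousands long" starts to include your own devices.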
02-27-2020, 10:28 PM | #16 | |
Scooby Specialist
Member#: 58504
Join Date: Mar 2004
Chapter/Region:
South East
Location: Ready to try OpenECU.org!!!
Vehicle:2004 STi Aspen White / Silver |
Quote:
|
|
02-27-2020, 10:50 PM | #17 | |
Scooby Guru
Member#: 8343
Join Date: Jul 2001
Chapter/Region:
MWSOC
Location: Atlanta, GA
Vehicle:2005 2012 Jeep 2013 DGM BRZ |
Quote:
I also used to run a VM with root/root just to capture what people were doing which is also fun to inspect. |
|
02-28-2020, 12:31 AM | #18 |
Scooby Newbie
Member#: 34631
Join Date: Mar 2003
Chapter/Region:
MAIC
Location: Momma Didn't Love Me
|
A Pi-hole is a blacklist at the front of your network with a nice GUI. Just use a blacklist on the clients. Or, if you have anything on the front end that has a hosts file.
|
02-28-2020, 02:08 AM | #19 | |
Scooby Newbie
Member#: 7121
Join Date: Jun 2001
Chapter/Region:
MWSOC
Location: D2F.1 = D2F.2, D2F.3 = D2F.4
|
Quote:
|
|
02-28-2020, 06:27 AM | #20 | |
Scooby Specialist
Member#: 4103
Join Date: Feb 2001
Chapter/Region:
MWSOC
Location: Brookfield
Vehicle:2016 Mazda6 Red |
Quote:
Now I know why my phone has a hard time switching over to cellular in the driveway. |
|
02-28-2020, 07:27 AM | #21 |
Scooby Specialist
Member#: 82243
Join Date: Mar 2005
Chapter/Region:
Tri-State
Location: Philly
Vehicle:13' BMW X3 35i |
What data are you concerned about that you're routing over VPN through your home connection? Isn't pretty much everything SSL now?
Regarding ssh, disable password authentication and use keys. |
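One thing that bites people who follow the advice above: turning off `PasswordAuthentication` alone is not enough on many hosts, because keyboard-interactive (PAM) authentication still prompts for a password unless it is disabled too, and a later duplicate of a keyword in sshd_config is silently ignored since sshd keeps the first value it sees. The block below is an added example for this thread, not the poster's NAS configuration and not part of OpenSSH: it parses a small sshd_config, applies those two rules, and reports which key-only settings are missing or wrong. Both sample configs are constructed, and the "default when absent" values assumed for each keyword follow the current sshd_config(5) documentation; check them against the sshd version your NAS actually ships.

```python
"""Added example: audit an sshd_config for key-only authentication, honouring
sshd's first-occurrence-wins rule and the ChallengeResponse/KbdInteractive alias."""

# Constructed samples, not the poster's NAS configuration.
WEAK_SSHD_CONFIG = """\
# typical appliance defaults
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
"""

# Newer OpenSSH calls the old ChallengeResponseAuthentication keyword
# KbdInteractiveAuthentication and accepts both spellings; audit them as one.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# keyword -> (value a key-only setup needs, assumed sshd default when absent, why it matters)
REQUIRED = {
    "passwordauthentication": ("no", "yes", "password guessing is still possible"),
    "kbdinteractiveauthentication": ("no", "yes", "keyboard-interactive is another password prompt"),
    "permitrootlogin": ("no", "prohibit-password", "root stays reachable over the network"),
    "pubkeyauthentication": ("yes", "yes", "keys would be refused"),
}


def parse_sshd_config(text):
    """Map lowercase keyword -> value. sshd takes the first occurrence of a
    keyword, so later duplicates are ignored. Parsing stops at the first Match
    block, whose settings are conditional and are not audited here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)         # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return (keyword, effective_value, wanted, why) for every required
    setting that is missing or wrong; an empty list means key-only is in force."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, default, why) in REQUIRED.items():
        effective = settings.get(key, default).lower()
        if effective != wanted:
            findings.append((key, effective, wanted, why))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for key, effective, wanted, why in findings:
            print(f"  {key}={effective!r}, want {wanted!r}: {why}")
```

Run it against the weak sample and it flags three things: passwords on, keyboard-interactive still on by default, and root login permitted; the hardened sample comes back clean. After changing the real file, `sshd -t` validates the syntax and `sshd -T` prints the effective values, which is the authoritative check rather than this script's assumed defaults.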
02-28-2020, 09:10 AM | #22 | |
Scooby Specialist
Member#: 46134
Join Date: Oct 2003
Chapter/Region:
TXIC
Location: Ignoranimosity
|
Quote:
https://github.com/cowrie/cowrie
It's a Python script set up to mimic outputs of Linux commands to be used as a honeypot. It's actually kinda cool. You can do all of the honeypot research without even sacrificing a VM that you have to kill and re-spin.
Last edited by BGPunk2001; 02-28-2020 at 09:25 AM. |
|
02-28-2020, 11:25 AM | #23 |
Scooby Newbie
Member#: 7121
Join Date: Jun 2001
Chapter/Region:
MWSOC
Location: D2F.1 = D2F.2, D2F.3 = D2F.4
|
I recommend getting a wifi analyzer app on your phone. Wifi Analyzer for Android is good. I'm sure there is similar stuff for iOS. Usable signal is really around -70dB and stronger. So, you want to dial your signal to where you see around -70dB at the fringes of where you need your wifi to be, and then you can do some things with RSSI that get quite a bit more complicated, but you can drop clients that aren't getting a good enough signal to be useful. Also, best practices show that you set your minimum connection speed for your 2.4GHz above 1mbit/s. 6mbit/s minimum is a good place to be. This will also keep those devices from being able to stay connected at a useless signal.
|
02-28-2020, 11:34 PM | #24 | |
Scooby Specialist
Member#: 58504
Join Date: Mar 2004
Chapter/Region:
South East
Location: Ready to try OpenECU.org!!!
Vehicle:2004 STi Aspen White / Silver |
Quote:
My wife and I own a small biz that she runs out of our home. So she handles customer payment info, our customer database, payroll, taxes, etc. And of course our normal banking and personal email, etc. So having an extra layer of encryption isn't an unreasonable precaution. And since the FCC has effectively allowed ISPs to legally collect and sell our personal data, sites we visit, etc., then some additional privacy is not a bad thing either. Not that anyone would find it especially interesting to see me shopping for phone holders, look up how to replace the trim motor on my boat, my daughter watch Gray's Anatomy, and see how bad I am playing Ground War. If the wife and I are going to watch freaky midget hermaphrodite bestiality orgy hoof fetish porn together, I'll fire up Tor on top of the VPN.

As for going back to SSH, I find running the VPN server on my router is better to give me access to my internal network, and it requires both a 512-bit key as well as a password. |
|
02-29-2020, 04:09 PM | #25 |
Scooby Newbie
Member#: 15553
Join Date: Feb 2002
Chapter/Region:
TXIC
Location: Austin, Texas
Vehicle:'19 Shelby GT350 Tesla MYP/22 Ram 2500 LL |
I can fap to this!
My network is taking forever, but mainly because I'm waiting on my shop to be done/making excuses. Your VLAN setup is similar to what I'd like to do, but I need to fix the network settings for the online gaming crap for the kids. |