Welcome to the North American Subaru Impreza Owners Club Thursday March 28, 2024
Home Networking Thread - Step in here

#1 f4phantomii, 02-26-2020, 10:22 PM

It's getting so much more complicated to keep China and North Korea out of my house.

Every couple of years I have to get even more tinfoil hat with my home setup, and now I'm stuck and need help.

My setup (believe it or not this is actually simplified from what it used to be):

CableModem -> Router -> VLANs

Router firmware is Asus-Merlin

VLAN-1 is for biz devices only
VLAN-2 is for kids devices
VLAN-3 is for a bunch of IoT devices
VLAN-4 is for transient devices & guests

The router is configured to get the latest WAN IP and update DNSomatic.com. I have verified this is working and DNSomatic reports the proper WAN IP.

DNSomatic is configured to update the new IP address to DynDNS.com and OpenDNS.com

I use OpenDNS to filter sites by content to better control what the kids can or can't get to.

I use DynDNS to associate a hostname to my dynamic IP.

I run a VPN server on my router in order to allow me to remotely connect to my network from outside. This works well.

I recently enabled the VPN client on my router, and use a split VPN tunnel to route some devices thru the VPN and others thru the WAN interface. This also works. My paid VPN service does not provide me with a unique IP.

Here are my issues:

I initially created the split VPN tunnel to route all traffic thru the VPN tunnel and then had a short list of (high bandwidth) devices I specifically excluded. But I quickly found out that so many sites and services block known VPN server IPs that it was damn near pointless. Couldn't connect to banking sites, airline sites, and others.

So I ended up flipping it around where all traffic goes thru the WAN interface (as normal) and specifically list devices I want to go thru the VPN tunnel to the server.

My second problem is killing me.

My router updates DNSomatic properly, but when DNSomatic passes that to DynDNS, then DynDNS does it's own IP check, and ends up seeing the IP address of my VPN service, not my WAN IP. So DynDNS doesn't associate the proper WAN IP with my hostname, and thus I am unable to remotely connect to my network.

Help?
#2 tcs007, 02-27-2020, 06:12 AM

The really annoying thing to me is I know exactly what you are saying, but don't know enough to help.

Good luck though.
#3 Ken-Ohki, 02-27-2020, 08:06 AM

It looks like you are using a VPN for anonymizing, not security, so of course you are going to be frustrated by legitimate websites. They want to protect themselves and their customers.

VPNs are supposed to be used for remote access through a locked down firewall. A proxy server (usually in your own DMZ) is used for web access through a locked down firewall.

#4 Snoopy, 02-27-2020, 08:17 AM

I use Unifi

https://www.ui.com/unifi/unifi-ap-ac-pro/

The management is easy to sort your VLANs. Wish I could tell you why and how.

Bought two. Didn't know they are meant for malls, farms and factories. Just to illustrate how far it goes, my sister-in-law's house is about 150 yards away in our townhome suburbia. When she walks back from ours and is almost at her doorstep, she still has 1 bar of our wifi. Annoys her because she can't unlock her August lock door.
#5 lag, 02-27-2020, 08:34 AM

Firewall

Blacklist on Host

IDS


The IDS and proper firewalls can be virtualized if you're not keen on hardware. I've never done that for a home network where streaming and gaming might be most impacted so can't say how that will turn out but surely someone has examples.


@ Snoopy: turn down your radio, bro.
#6 Snoopy, 02-27-2020, 08:57 AM

I like being able to watch Netflix whilst I walk around our neighborhood.
#7 lag, 02-27-2020, 09:01 AM

That would be nice. How far away from B-more are you? I need to start old-man speed walking; I only have T-Mobile's pleb tier data plan and have some shows to catch up on.
#8 Salvation27, 02-27-2020, 09:04 AM

Are you talking about targeted ads? What's making you think China/ North Korea are in your system? haha
#9 Snoopy, 02-27-2020, 09:09 AM

Quote (Originally Posted by lag):
That would be nice. How far away from B-more are you? I need to start old-man speed walking; I only have T-Mobile's pleb tier data plan and have some shows to catch up on.

I'm near the Mormon Temple here in the Beltway. Safe from Balmore, hon.
#10 aod, 02-27-2020, 02:35 PM

Quote (Originally Posted by Snoopy):
I use Unifi

https://www.ui.com/unifi/unifi-ap-ac-pro/

The management is easy to sort your VLANs. Wish I could tell you why and how.

Bought two. Didn't know they are meant for malls, farms and factories. Just to illustrate how far it goes, my sister-in-law's house is about 150 yards away in our townhome suburbia. When she walks back from ours and is almost at her doorstep, she still has 1 bar of our wifi. Annoys her because she can't unlock her August lock door.

Except having your signal cranked like that is actually a detriment. Ideally you want the signal to only go as far as any usable client can transmit back from. When the signal is too high like that, your clients won't effectively be able to roam from one AP to another (assuming you have enough space or enough obstructions that warrants more than one AP). Also, your clients are more likely to not drop to 2.4 GHz when they need to and will just stick to 5 GHz even when they can't communicate back. You should set your signal so it is just usable to outside in your yard and not beyond. Your clients and your neighbors will thank you.

Our company once had an IT guy that was saying that his Ubiquiti APs were way better than the Aruba APs he replaced them with. He then went on about how he can see signal for blocks away. This was in front of many of his peers, and also in front of an Aruba engineer. That engineer proceeded to school him on why signal distance is not a function of a good or bad AP; it is a function of not correctly configuring his APs. He drew it out to explain further, showing the AP as a radio tower broadcasting to a walkie talkie, and then the walkie talkie trying to communicate back but not being able to make the distance. Needless to say, I haven't heard him talk about how great his APs are because of signal range since.

Edit: Oh, and I use those APs as well in my house. I have 2 in my house because 2 level 4100 sq ft with 12 ft ceilings both upstairs and downstairs. It needs it, because of client transmit limitations. It is recommended you set your 5GHz level to high and 2.4GHz to medium. You can also fine tune from there to more granular signal levels.
#11 BGPunk2001, 02-27-2020, 03:24 PM

I have a PA-200 so I'm not worried.
#12 dwx, 02-27-2020, 03:30 PM

You could always run a server through AWS or some other virtual hosting provider. There are scripts out there that help automate the process. Unlikely you'll see AWS IPs get blocked.

I'm a little confused by the second issue, why don't you just route the Dyn traffic through the WAN interface? Dyn listens on port 8245 to bypass transparent proxies, you can probably create some kind of rule to force TCP/8245 traffic out the right interface, or NAT it to your WAN IP. It also updates to members.dyndns.org so depending on what that resolves to you could route that destination out the right interface.
#13 AmericanJager, 02-27-2020, 04:52 PM

Quote (Originally Posted by f4phantomii):
Here are my issues:

I initially created the split VPN tunnel to route all traffic thru the VPN tunnel and then had a short list of (high bandwidth) devices I specifically excluded. But I quickly found out that so many sites and services block known VPN server IPs that it was damn near pointless. Couldn't connect to banking sites, airline sites, and others.

So I ended up flipping it around where all traffic goes thru the WAN interface (as normal) and specifically list devices I want to go thru the VPN tunnel to the server.
No real way around this from what I can see. Most ISPs are getting rather tricky and are intentionally blocking known VPN traffic; it's how they are. Along with said popular sites.


Quote (Originally Posted by f4phantomii):
My second problem is killing me.

My router updates DNSomatic properly, but when DNSomatic passes that to DynDNS, then DynDNS does it's own IP check, and ends up seeing the IP address of my VPN service, not my WAN IP. So DynDNS doesn't associate the proper WAN IP with my hostname, and thus I am unable to remotely connect to my network.

Help?
I'm not too familiar with DynDNS. However, if it is a paid/supported service you might be able to request no IP verification? Something to look into.

Either way, best of luck; you're not the only one going "tin foil hat" mode. These IoT devices are getting rather peculiar with the outside traffic they attract, be it Korea or whomever.
#14 lag, 02-27-2020, 09:56 PM

Quote (Originally Posted by Snoopy):
I'm near the Mormon Temple here in the Beltway. Safe from Balmore, hon.

I'm not near balmore, sugah. It's just a good starting point for directions anywhere but there. You're safe inside another beltway, no thanks. I'll walk around listening to prerecorded music on my old pocket supercomputer like a normal poor person then.
#15 f4phantomii, 02-27-2020, 10:22 PM

Quote (Originally Posted by Salvation27):
Are you talking about targeted ads? What's making you think China/ North Korea are in your system? haha
I was being facetidious...fastititious...

I was making a joke. ;-)

But all kidding aside, the incoming assaults on my network are nearly constant from botnets.

I used to keep an ssh port open to connect remotely to my NAS. But when I looked at the connection logs...oh. my. God.

Dozens of times a day I'd get connections from random IPs trying the default or obvious credentials. I was automatically blocking IPs with repeated failed attempts...that list became thousands long.

I ended up disabling the ssh port, and even disabled the admin account.

And there's been about 900 blocked malicious sites on my router since Jan 1.

Not worried about ads...I block those on my devices...I use AdAway on my phones and tablets and it's highly effective.

If I wanted to be extra blocky I'd pull together a Pi-Hole.
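The automatic blocking f4phantomii describes (IPs with repeated failed ssh logins end up on a block list) as an added example, not code from the thread: a small Python detector that reads sshd syslog lines, counts failed password attempts per source IP inside a sliding time window, and reports which IPs crossed the threshold. The log lines are a constructed sample, the year is assumed to be 2020 (syslog timestamps carry none), and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd syslog lines (not from the thread). The year is assumed below.
SAMPLE_LOG = """\
Feb 27 22:10:01 nas sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 27 22:10:03 nas sshd[4023]: Failed password for root from 203.0.113.7 port 51240 ssh2
Feb 27 22:10:05 nas sshd[4025]: Failed password for invalid user pi from 203.0.113.7 port 51251 ssh2
Feb 27 22:10:08 nas sshd[4027]: Failed password for invalid user admin from 203.0.113.7 port 51260 ssh2
Feb 27 22:11:40 nas sshd[4031]: Failed password for invalid user ubnt from 198.51.100.23 port 40122 ssh2
Feb 27 22:12:15 nas sshd[4033]: Accepted publickey for backup from 192.0.2.10 port 60001 ssh2: ED25519 SHA256:placeholder
Feb 27 23:30:00 nas sshd[4040]: Failed password for invalid user ubnt from 198.51.100.23 port 40130 ssh2
Feb 27 23:31:00 nas sshd[4041]: Failed password for invalid user ubnt from 198.51.100.23 port 40131 ssh2
Feb 27 23:32:00 nas sshd[4042]: Failed password for invalid user ubnt from 198.51.100.23 port 40132 ssh2
"""

# Matches OpenSSH's "Failed password" line for both valid and invalid user names.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2020):
    """Yield (timestamp, ip, user) for every failed password attempt in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bans(log_text, max_fail=3, window_s=600, year=2020):
    """Return {ip: (ban_time, attempted_users)} for every IP that reached max_fail
    failures within any window_s-second window. Old attempts outside the window
    are evicted, so a slow trickle of guesses does not accumulate forever."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> user names tried (useful for the block-list report)
    bans = {}
    for ts, ip, user in sorted(parse_failures(log_text, year)):
        if ip in bans:            # already on the block list; nothing more to learn
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= max_fail:
            bans[ip] = (ts, sorted(users[ip]))
    return bans


def ban_commands(bans):
    """Render the block list as iptables DROP rules (what a router-side ban amounts to)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    for ip, (when, tried) in find_bans(SAMPLE_LOG).items():
        print(f"{ip} banned at {when:%H:%M:%S} after trying {', '.join(tried)}")
    print("\n".join(ban_commands(find_bans(SAMPLE_LOG))))
```

A successful key-based login from 192.0.2.10 is present in the sample and is correctly ignored, and the second source only crosses the threshold once three of its failures fall inside one window.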
#16 f4phantomii, 02-27-2020, 10:28 PM

Quote (Originally Posted by dwx):
You could always run a server through AWS or some other virtual hosting provider. There are scripts out there that help automate the process. Unlikely you'll see AWS IPs get blocked.

I'm a little confused by the second issue, why don't you just route the Dyn traffic through the WAN interface? Dyn listens on port 8245 to bypass transparent proxies, you can probably create some kind of rule to force TCP/8245 traffic out the right interface, or NAT it to your WAN IP. It also updates to members.dyndns.org so depending on what that resolves to you could route that destination out the right interface.
I need to check into this further.
#17 dwx, 02-27-2020, 10:50 PM

Quote (Originally Posted by f4phantomii):
I was being facetidious...fastititious...

I was making a joke. ;-)

But all kidding aside, the incoming assaults on my network are nearly constant from botnets.

I used to keep an ssh port open to connect remotely to my NAS. But when I looked at the connection logs...oh. my. God.

Dozens of times a day I'd get connections from random IPs trying the default or obvious credentials. I was automatically blocking IPs with repeated failed attempts...that list became thousands long.

I ended up disabling the ssh port, and even disabled the admin account.
It's been that way for years now. I used to run a honeypot system at a large SP and across a large swath of unused (dark) IP space you'll see hundreds of attempts...per second.

I also used to run a VM with root/root just to capture what people were doing which is also fun to inspect.
#18 lag, 02-28-2020, 12:31 AM

A Pi-hole is a blacklist at the front of your network with a nice GUI. Just use a blacklist on the clients, or on anything you have at the front end that has a hosts file.
#19 aod, 02-28-2020, 02:08 AM

Quote (Originally Posted by f4phantomii):
I used to keep an ssh port open to connect remotely to my NAS. But when I looked at the connection logs...oh. my. God.

Dozens of times a day I'd get connections from random IPs trying the default or obvious credentials. I was automatically blocking IPs with repeated failed attempts...that list became thousands long.

I ended up disabling the ssh port, and even disabled the admin account.
I also saw far too many attempts on my ssh port even with a jail system blocking unauthorized attempts for a few hours. I now run ssh on a different arbitrary port and I haven't seen a single attempt. Give that a try if you miss being able to ssh in.
#20 tcs007, 02-28-2020, 06:27 AM

Quote (Originally Posted by aod):
Except having your signal cranked like that is actually a detriment. Ideally you want the signal to only go as far as any usable client can transmit back from. When the signal is too high like that, your clients won't effectively be able to roam from one AP to another (assuming you have enough space or enough obstructions that warrants more than one AP). Also, your clients are more likely to not drop to 2.4 GHz when they need to and will just stick to 5 GHz even when they can't communicate back. You should set your signal so it is just usable to outside in your yard and not beyond. Your clients and your neighbors will thank you.

Our company once had an IT guy that was saying that his Ubiquiti APs were way better than the Aruba APs he replaced them with. He then went on about how he can see signal for blocks away. This was in front of many of his peers, and also in front of an Aruba engineer. That engineer proceeded to school him on why signal distance is not a function of a good or bad AP; it is a function of not correctly configuring his APs. He drew it out to explain further, showing the AP as a radio tower broadcasting to a walkie talkie, and then the walkie talkie trying to communicate back but not being able to make the distance. Needless to say, I haven't heard him talk about how great his APs are because of signal range since.

Edit: Oh, and I use those APs as well in my house. I have 2 in my house because 2 level 4100 sq ft with 12 ft ceilings both upstairs and downstairs. It needs it, because of client transmit limitations. It is recommended you set your 5GHz level to high and 2.4GHz to medium. You can also fine tune from there to more granular signal levels.
Thank you for that.

Now I know why my phone has a hard time switching over to cellular in the driveway.
#21 ptirmal, 02-28-2020, 07:27 AM

What data are you concerned about that you're routing over VPN through your home connection? Isn't pretty much everything SSL now?

Regarding ssh, disable password authentication and use keys.
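The ssh advice from aod (move sshd off the default port to cut the scanner noise) and ptirmal (disable password authentication, use keys) as one added example, not code from either poster: a Python audit that parses an sshd_config the way sshd does (first occurrence of a directive wins), flags the weak directives, and writes the hardened form. The config text is a constructed sample; Match blocks are not handled, and the OpenSSH defaults used for absent directives are those of the 8.x series.

```python
import re

# Constructed sample of a NAS-style sshd_config with weak settings (not from the thread).
WEAK_CONFIG = """\
# sshd_config on the NAS (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication yes
X11Forwarding no
"""

# Directives to enforce: keys only, no root login, no password or keyboard-interactive fallback.
# (OpenSSH 8.7+ calls ChallengeResponseAuthentication KbdInteractiveAuthentication; the old name still works.)
HARDENED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "no",
}

# OpenSSH 8.x defaults applied when a directive is absent from the file.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value}; like sshd, the first occurrence of a keyword wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and commented-out directives
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.+)", line)
        if m:
            cfg.setdefault(m.group(1).lower(), m.group(2).strip())
    return cfg


def audit(text):
    """Return a sorted list of (directive, current, wanted) findings for the weak settings."""
    cfg = parse_sshd_config(text)
    findings = []
    for name, wanted in HARDENED.items():
        current = cfg.get(name.lower(), DEFAULTS[name.lower()])
        if current.lower() != wanted:
            findings.append((name, current, wanted))
    # Port 22 is not a vulnerability; moving it only reduces the log noise aod describes.
    port = cfg.get("port", DEFAULTS["port"])
    if port == "22":
        findings.append(("Port", port, "any port other than 22 (noise reduction only)"))
    return sorted(findings)


def harden(text):
    """Rewrite weak directives in place and append the ones that are missing.
    The port is left alone: which one to use is a deployment choice."""
    wanted = {name.lower(): (name, val) for name, val in HARDENED.items()}
    out, seen = [], set()
    for raw in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9]+)\b", raw)  # commented lines do not match
        key = m.group(1).lower() if m else None
        if key in wanted and key not in seen:
            seen.add(key)
            out.append(f"{wanted[key][0]} {wanted[key][1]}")
        else:
            out.append(raw)
    for key, (name, val) in wanted.items():
        if key not in seen:
            out.append(f"{name} {val}")
    return "\n".join(out) + "\n"
```

Running audit on the sample reports four findings; after harden only the Port note remains, since the port choice is deliberately left to the administrator.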
#22 BGPunk2001, 02-28-2020, 09:10 AM

Quote (Originally Posted by dwx):
It's been that way for years now. I used to run a honeypot system at a large SP and across a large swath of unused (dark) IP space you'll see hundreds of attempts...per second.

I also used to run a VM with root/root just to capture what people were doing which is also fun to inspect.
Here's a good one if you tweak it well enough to be believable:

https://github.com/cowrie/cowrie

It's a Python script set up to mimic the output of Linux commands, to be used as a honeypot. It's actually kinda cool. You can do all of the honeypot research without even sacrificing a VM that you have to kill and re-spin.

#23 aod, 02-28-2020, 11:25 AM

Quote (Originally Posted by tcs007):
Thank you for that.

Now I know why my phone has a hard time switching over to cellular in the driveway.
I recommend getting a wifi analyzer app on your phone; Wifi Analyzer for Android is good. I'm sure there is similar stuff for iOS. Usable signal is really around -70dB and stronger. So, you want to dial your signal to where you see around -70dB at the fringes of where you need your wifi to be. Then you can do some things with RSSI that get quite a bit more complicated, but you can drop clients that aren't getting a good enough signal to be useful. Also, best practices show that you set your minimum connection speed for your 2.4GHz above 1mbit/s; 6mbit/s minimum is a good place to be. This will also keep those devices from being able to stay connected at a useless signal.
#24 f4phantomii, 02-28-2020, 11:34 PM

Quote (Originally Posted by ptirmal):
What data are you concerned about that you're routing over VPN through your home connection? Isn't pretty much everything SSL now?

Regarding ssh, disable password authentication and use keys.
It's a combo of security and privacy.

My wife and I own a small biz that she runs out of our home. So she handles customer payment info, our customer database, payroll, taxes, etc. And of course our normal banking and personal email, etc. So having an extra layer of encryption isn't an unreasonable precaution.

And since the FCC has effectively allowed ISPs to legally collect and sell our personal data, sites we visit, etc. then some additional privacy is not a bad thing either.

Not that anyone would find it especially interesting to see me shopping for phone holders, look up how to replace the trim motor on my boat, my daughter watch Gray's Anatomy, and see how bad I am playing Ground War.

If the wife and I are going to watch freaky midget hermaphrodite beastiality orgy hoof fetish porn together, I'll fire up Tor on top of the VPN.

As for going back to SSH, I find running the VPN server on my router is better to give me access to my internal Network, and it requires both a 512-bit key as well as a password.
#25 Vectors2Final, 02-29-2020, 04:09 PM

I can fap to this!


My network is taking forever, but mainly because I’m waiting on my shop to be done/making excuses.

Your VLAN setup is similar to what I'd like to do, but I need to fix the network settings for the online gaming crap for the kids.
Powered by vBulletin® Version 3.7.0
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Powered by Searchlight © 2024 Axivo Inc.
Copyright ©1999 - 2019, North American Subaru Impreza Owners Club, Inc.