Tim's blah blah blah

My home network configuration

Over the years I’ve grown my home network to the point I need to document it, which I did here. Hopefully this helps others as much as myself. Maybe I should just use the ISP’s modem instead of having a VLAN-aware collectd-powered fq_codel-sporting router, but that would be too simple now wouldn’t it?

Goal / requirements

Implementation

History

I used to have a Netgear R7800 WiFi router, which had pretty good WiFi coverage, worked well with OpenWRT, had sufficient processing power for whatever I wanted to run on it, and sported a gigabit switch. However, it was limited to 4 ports, had no SFP cage, and the WiFi was built in, making it difficult to find a spot that was both close to all the cabling and provided good WiFi throughout my home. With this background, I started to investigate alternatives.

Ethernet

Router

I've experimented with a MikroTik RB2011 and RB3011, and a Ubiquiti EdgeRouter X SFP.

Mikrotik RB2011/RB3011

MikroTik is a Latvian company that sells affordable and advanced networking products with a steep learning curve and cryptic but comprehensive product version numbers. The RB2011 is an entry-level router with 5 gigabit and 5 100 Mbit switch ports and an SFP cage, built around an Atheros MIPS AR9344 SoC. The RB3011 is the bigger brother with 10 gigabit ports and more overall horsepower thanks to the quad-core Qualcomm ARM IPQ-8064.

MikroTik has its own operating system called RouterOS, which is very powerful but has a steep learning curve. Their GUI works well but is equally daunting. A big plus for RouterOS is that you can export the full configuration state to a text file and import it on another RouterOS device. Migrating between MikroTik devices is therefore very easy.

Ubiquiti Edgerouter X SFP

Basics:

VLAN: https://help.ui.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch
Firewall: https://help.ui.com/hc/en-us/articles/204952154
Firewall/VLAN: https://xdeb.org/post/2020/unifi-edgerouter-guest-iot-vlan/
Hardening: https://www.manitonetworks.com/ubiquiti/2016/7/26/ubiquiti-hardening
Enable hardware offloading: https://help.ui.com/hc/en-us/articles/115006567467
Set static host names: https://gist.github.com/plembo/6bb4491ebbfbce049c7efce0634d57f0
EdgeOS primer: https://blog.dftorres.ca/?p=2196
Enable dnsmasq: https://help.ui.com/hc/en-us/articles/115002673188-EdgeRouter-DHCP-Server-using-Dnsmasq
QoS smart queue: https://help.ui.com/hc/en-us/articles/216787288-EdgeRouter-Quality-of-Service-QoS-#3
General guide: https://networkjutsu.com/how-to-configure-edgerouter-lite-part-two/
General guide 2: https://www.gregpakes.co.uk/setting-up-edgerouter-x-with-lan-segregation-and-vpn-access/

Bonus:

Get statistics over SNMP: https://github.com/jbehrends/monitoring_scripts/blob/master/graphite/edgerouter_metrics.sh
IKEv2 VPN: https://www.creekside.network/en/2020/09/21/how-to-install-ikev2-vpn-server-on-edgeos-or-vyos/
Wireguard: https://hm37.net/guide/edgeos-wireguard-vpn/ and https://www.adamintech.com/install-wireguard-on-ubiquiti-edgerouter-edgeos/

# Setup config via web wizard

show configuration commands

# Setup pubkey & login
# Source: various
# Ensure no whitespace at end of key -- https://blog.pcfe.net/hugo/posts/2019-06-18-add-ssh-key-to-edgerouter/
scp ~tim/.ssh/id_rsa.pub ubnt@192.168.1.1:

configure;
loadkey ubnt id_rsa.pub
set service ssh disable-password-authentication
set service unms disable

compare; commit; save

# Set system parameters
# Source: various
configure;
set system host-name edgerouterx
set system offload hwnat enable
set system offload ipsec enable
set system domain-name lan
set system analytics-handler send-analytics-report false
set system crash-handler send-crash-report false
set system systemd journal
set system time-zone Europe/Amsterdam

# Set trusted ntp servers
delete system ntp server
set system ntp server 0.nl.pool.ntp.org
set system ntp server 1.nl.pool.ntp.org
compare; commit; save


# Set up VLANs
# Source: https://help.ui.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch

delete interfaces switch switch0 address
delete interfaces switch switch0 vif 1 address 172.17.99.1/24
set interfaces switch switch0 vif 1 address 172.16.99.1/24
set interfaces switch switch0 vif 1 description LAN
delete interfaces switch switch0 vif 10 address 172.17.10.1/24
set interfaces switch switch0 vif 10 address 172.16.10.1/24
set interfaces switch switch0 vif 10 description Guest
delete interfaces switch switch0 vif 20 address 172.17.20.1/24
set interfaces switch switch0 vif 20 address 172.16.20.1/24
set interfaces switch switch0 vif 20 description IoT


# dhcp/dnsmasq
delete service dhcp-server shared-network-name vlan1 subnet 172.17.99.0/24
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 start 172.16.99.100 stop 172.16.99.254
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 default-router 172.16.99.1
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 dns-server 172.16.99.1

delete service dhcp-server shared-network-name vlan10 subnet 172.17.10.0/24
set service dhcp-server shared-network-name vlan10 subnet 172.16.10.0/24 start 172.16.10.100 stop 172.16.10.254
set service dhcp-server shared-network-name vlan10 subnet 172.16.10.0/24 default-router 172.16.10.1
set service dhcp-server shared-network-name vlan10 subnet 172.16.10.0/24 dns-server 172.16.10.1

delete service dhcp-server shared-network-name vlan20 subnet 172.17.20.0/24
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 start 172.16.20.100 stop 172.16.20.254
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 default-router 172.16.20.1
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 dns-server 172.16.20.1

set interfaces switch switch0 switch-port vlan-aware enable

# Set T-mobile WAN to tagged VLAN 300
set interfaces ethernet eth0 vif 300
set interfaces ethernet eth0 vif 300 description T-mobile
set interfaces ethernet eth0 vif 300 firewall

set service nat rule 5010 outbound-interface eth0.300

# Switch port trunk (tagged 10, 20, default 1)
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth1 vlan vid 10
set interfaces switch switch0 switch-port interface eth1 vlan vid 20
# Local ports: server & hue & appleTV
set interfaces switch switch0 switch-port interface eth2 vlan pvid 1
set interfaces switch switch0 switch-port interface eth3 vlan pvid 1
set interfaces switch switch0 switch-port interface eth4 vlan pvid 1

delete service dhcp-server shared-network-name LAN

compare;
commit; save

# update to dnsmasq

set service dhcp-server use-dnsmasq enable 

set service dns forwarding listen-on switch0.1
set service dns forwarding listen-on switch0.10
set service dns forwarding listen-on switch0.20

compare; commit; save

# Static ips/host names
set system static-host-mapping host-name proteus.lan inet 172.16.99.2
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping proteus ip-address 172.16.99.2
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping proteus mac-address 94:C6:91:12:5E:EC

set system static-host-mapping host-name gs108e.lan inet 172.16.99.3
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping gs108e ip-address 172.16.99.3
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping gs108e mac-address 78:D2:94:2F:81:F8

set system static-host-mapping host-name UAP-LR1-Office.lan inet 172.16.99.10
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping UAP-LR1-office ip-address 172.16.99.10
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping UAP-LR1-office mac-address 18:E8:29:93:E1:66

set system static-host-mapping host-name UAP-LR2-Living.lan inet 172.16.99.11
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping UAP-LR2-Living ip-address 172.16.99.11
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping UAP-LR2-Living mac-address 18:E8:29:E6:00:2E

set system static-host-mapping host-name appletv-living.lan inet 172.16.99.20
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping appletv-living.lan ip-address 172.16.99.20
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping appletv-living.lan mac-address D0:03:4B:26:85:0C

set system static-host-mapping host-name philips-hue.lan inet 172.16.99.21
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping philips-hue.lan ip-address 172.16.99.21
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping philips-hue.lan mac-address 00:17:88:79:93:47

set system static-host-mapping host-name esp-mobile.lan inet 172.16.99.30
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping esp-mobile.lan ip-address 172.16.99.30
set service dhcp-server shared-network-name vlan1 subnet 172.16.99.0/24 static-mapping esp-mobile.lan mac-address 84:0D:8E:8F:52:F5

set system static-host-mapping host-name esp-bathroom.lan inet 172.16.20.2 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-bathroom.lan ip-address 172.16.20.2 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-bathroom.lan mac-address 84:0D:8E:8F:50:65

set system static-host-mapping host-name esp-testing.lan inet 172.16.20.3 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-testing.lan ip-address 172.16.20.3 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-testing.lan mac-address 84:F3:EB:0D:BD:4D

set system static-host-mapping host-name esp-kidsroom.lan inet 172.16.20.4 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-kidsroom.lan ip-address 172.16.20.4 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-kidsroom.lan mac-address 2C:F4:32:4A:A3:3E

set system static-host-mapping host-name esp-living.lan inet 172.16.20.5 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-living.lan ip-address 172.16.20.5 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-living.lan mac-address 84:0D:8E:8F:55:6C

set system static-host-mapping host-name esp-camganymede.lan inet 172.16.20.6 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-camganymede.lan ip-address 172.16.20.6 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-camganymede.lan mac-address FC:F5:C4:30:11:C8

set system static-host-mapping host-name esp-bedroom.lan inet 172.16.20.7 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-bedroom.lan ip-address 172.16.20.7 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-bedroom.lan mac-address 84:F3:EB:0D:C1:B8

set system static-host-mapping host-name esp-iapetus.lan inet 172.16.20.8 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-iapetus.lan ip-address 172.16.20.8 
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-iapetus.lan mac-address 84:0D:8E:8F:4E:11


# Set services, hardened

configure
delete service gui listen-address 172.17.99.1
set service gui listen-address 172.16.99.1
set service gui older-ciphers disable

delete service ssh listen-address 172.17.99.1
set service ssh listen-address 172.16.99.1
set service ssh port 22
set service ssh protocol-version v2
commit; save


# Set QoS

set traffic-control smart-queue WAN_QUEUE wan-interface eth0.300
set traffic-control smart-queue WAN_QUEUE upload rate 50mbit
set traffic-control smart-queue WAN_QUEUE download rate 50mbit
commit; save

# Define zone based firewall
# - WAN to ALL: only established/related
# - WAN to LAN: only established/related, port 80, 443, some others
# - LAN to ALL: allow
# - Guest to ALL: only to WAN
# - IoT to x: only to LAN
# - Local: always accepted traffic from the router

### WAN to X

set firewall name WAN_TO_ALL default-action drop

set firewall name WAN_TO_ALL rule 10 action accept
set firewall name WAN_TO_ALL rule 10 description 'accept established/related'
set firewall name WAN_TO_ALL rule 10 state established enable
set firewall name WAN_TO_ALL rule 10 state related enable

set firewall name WAN_TO_ALL rule 20 action drop
set firewall name WAN_TO_ALL rule 20 description 'drop invalid'
set firewall name WAN_TO_ALL rule 20 state invalid enable

### LAN to X
### LOCAL to X
set firewall name FW_ACCEPT default-action accept

### GUEST to X
set firewall name FW_DROP default-action drop

set firewall name GUESTIOT_TO_LOCAL default-action drop

set firewall name GUESTIOT_TO_LOCAL rule 10 action accept
set firewall name GUESTIOT_TO_LOCAL rule 10 description 'accept dns'
set firewall name GUESTIOT_TO_LOCAL rule 10 log disable
set firewall name GUESTIOT_TO_LOCAL rule 10 protocol udp
set firewall name GUESTIOT_TO_LOCAL rule 10 destination port 53

set firewall name GUESTIOT_TO_LOCAL rule 20 action accept
set firewall name GUESTIOT_TO_LOCAL rule 20 description 'accept dhcp'
set firewall name GUESTIOT_TO_LOCAL rule 20 log disable
set firewall name GUESTIOT_TO_LOCAL rule 20 protocol udp
set firewall name GUESTIOT_TO_LOCAL rule 20 destination port 67-68

set firewall name GUESTIOT_TO_LOCAL rule 30 action drop
set firewall name GUESTIOT_TO_LOCAL rule 30 description 'drop invalid'
set firewall name GUESTIOT_TO_LOCAL rule 30 state invalid enable

### IOT to X

set firewall name IOT_TO_LAN default-action drop

set firewall name IOT_TO_LAN rule 10 action accept
set firewall name IOT_TO_LAN rule 10 description 'accept to proteus'
set firewall name IOT_TO_LAN rule 10 log disable
set firewall name IOT_TO_LAN rule 10 destination address 172.16.99.2

set firewall name IOT_TO_LAN rule 20 action drop
set firewall name IOT_TO_LAN rule 20 description 'drop invalid'
set firewall name IOT_TO_LAN rule 20 state invalid enable

### Delete original firewall
delete interfaces ethernet eth0 firewall in 
delete interfaces ethernet eth0 firewall local
commit; save

delete firewall name WAN_IN
delete firewall name WAN_LOCAL
commit; save


### Enable policies

set zone-policy zone WAN interface eth0.300
set zone-policy zone WAN default-action drop
set zone-policy zone WAN from LOCAL firewall name FW_ACCEPT
set zone-policy zone WAN from LAN firewall name FW_ACCEPT
set zone-policy zone WAN from GUEST firewall name FW_ACCEPT
set zone-policy zone WAN from IOT firewall name FW_DROP

set zone-policy zone LAN interface switch0.1
set zone-policy zone LAN default-action drop
set zone-policy zone LAN from LOCAL firewall name FW_ACCEPT
set zone-policy zone LAN from WAN firewall name WAN_TO_ALL
set zone-policy zone LAN from GUEST firewall name FW_DROP
set zone-policy zone LAN from IOT firewall name IOT_TO_LAN

set zone-policy zone GUEST interface switch0.10
set zone-policy zone GUEST default-action drop
set zone-policy zone GUEST from LOCAL firewall name FW_ACCEPT
set zone-policy zone GUEST from WAN firewall name WAN_TO_ALL
set zone-policy zone GUEST from LAN firewall name FW_DROP
set zone-policy zone GUEST from IOT firewall name FW_DROP

set zone-policy zone IOT interface switch0.20
set zone-policy zone IOT default-action drop
set zone-policy zone IOT from LOCAL firewall name FW_ACCEPT
set zone-policy zone IOT from WAN firewall name FW_DROP
set zone-policy zone IOT from LAN firewall name FW_ACCEPT
set zone-policy zone IOT from GUEST firewall name FW_DROP

set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL from IOT firewall name GUESTIOT_TO_LOCAL
set zone-policy zone LOCAL from WAN firewall name WAN_TO_ALL
set zone-policy zone LOCAL from LAN firewall name FW_ACCEPT
set zone-policy zone LOCAL from GUEST firewall name GUESTIOT_TO_LOCAL

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable

compare; commit; save
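The zone matrix above is easy to get subtly wrong, so here is an added example (my own check, not part of the original configuration) that parses the "set zone-policy" and "set firewall name" commands and summarises who can reach whom. It works on a constructed excerpt of the lines from this page; the "filtered" verdict means a drop-by-default ruleset with at least one accept rule (for WAN_TO_ALL that is only established/related return traffic).

```python
# Added example: derive the zone-to-zone reachability implied by EdgeOS
# zone-policy commands, so the intent (Guest: WAN only, IoT: LAN only,
# WAN: return traffic only) can be compared with what is configured.
import re
from collections import defaultdict

# Constructed excerpt of this page's ruleset and zone-policy lines.
CONFIG = """
set firewall name WAN_TO_ALL default-action drop
set firewall name WAN_TO_ALL rule 10 action accept
set firewall name WAN_TO_ALL rule 20 action drop
set firewall name FW_ACCEPT default-action accept
set firewall name FW_DROP default-action drop
set firewall name IOT_TO_LAN default-action drop
set firewall name IOT_TO_LAN rule 10 action accept
set zone-policy zone WAN default-action drop
set zone-policy zone WAN from LAN firewall name FW_ACCEPT
set zone-policy zone WAN from GUEST firewall name FW_ACCEPT
set zone-policy zone WAN from IOT firewall name FW_DROP
set zone-policy zone LAN default-action drop
set zone-policy zone LAN from WAN firewall name WAN_TO_ALL
set zone-policy zone LAN from GUEST firewall name FW_DROP
set zone-policy zone LAN from IOT firewall name IOT_TO_LAN
set zone-policy zone GUEST default-action drop
set zone-policy zone GUEST from WAN firewall name WAN_TO_ALL
set zone-policy zone IOT default-action drop
set zone-policy zone IOT from WAN firewall name FW_DROP
set zone-policy zone IOT from LAN firewall name FW_ACCEPT
"""

RULESET_RE = re.compile(r"^set firewall name (\S+) (default-action (\S+)|rule \d+ action (\S+))$")
POLICY_RE = re.compile(r"^set zone-policy zone (\S+) (default-action (\S+)|from (\S+) firewall name (\S+))$")

def classify(default, rule_actions):
    """Summarise a ruleset as accept (all), drop (all) or filtered (some accepts)."""
    if default == "accept":
        return "accept"
    return "filtered" if "accept" in rule_actions else "drop"

def reachability(config):
    """Return {(src_zone, dst_zone): 'accept' | 'drop' | 'filtered'}."""
    defaults, rules, zone_default, policy = {}, defaultdict(list), {}, {}
    for line in config.strip().splitlines():
        m = RULESET_RE.match(line)
        if m:
            if m.group(3): defaults[m.group(1)] = m.group(3)
            else: rules[m.group(1)].append(m.group(4))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group(3): zone_default[m.group(1)] = m.group(3)
            else: policy[(m.group(4), m.group(1))] = m.group(5)  # (from, to)
    matrix, zones = {}, set(zone_default)
    for src in zones:
        for dst in zones - {src}:
            name = policy.get((src, dst))
            # No ruleset for this pair: the destination zone's default-action applies.
            matrix[(src, dst)] = zone_default[dst] if name is None else classify(defaults[name], rules[name])
    return matrix

if __name__ == "__main__":
    for (src, dst), verdict in sorted(reachability(CONFIG).items()):
        print(f"{src:6} -> {dst:6}: {verdict}")
```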

# Port forwarding

set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface eth0.300
set port-forward lan-interface switch0.1

set port-forward rule 10 description https-proteus
set port-forward rule 10 forward-to address 172.16.99.2
set port-forward rule 10 forward-to port 443
set port-forward rule 10 original-port 443
set port-forward rule 10 protocol tcp

set port-forward rule 20 description http-proteus
set port-forward rule 20 forward-to address 172.16.99.2
set port-forward rule 20 forward-to port 80
set port-forward rule 20 original-port 80
set port-forward rule 20 protocol tcp

set port-forward rule 30 description IKE-ESP-proteus
set port-forward rule 30 forward-to address 172.16.99.2
set port-forward rule 30 forward-to port 500
set port-forward rule 30 original-port 500
set port-forward rule 30 protocol udp

set port-forward rule 40 description IKE-AH-proteus
set port-forward rule 40 forward-to address 172.16.99.2
set port-forward rule 40 forward-to port 4500
set port-forward rule 40 original-port 4500
set port-forward rule 40 protocol udp

set port-forward rule 50 description ssh-proteus
set port-forward rule 50 forward-to address 172.16.99.2
set port-forward rule 50 forward-to port 10022
set port-forward rule 50 original-port 10022
set port-forward rule 50 protocol tcp

set port-forward rule 60 description mqtt-proteus
set port-forward rule 60 forward-to address 172.16.99.1
set port-forward rule 60 forward-to port 8883
set port-forward rule 60 original-port 1883
set port-forward rule 60 protocol tcp

compare; commit; save

# Set up SNMP for monitoring and logging
# source: https://github.com/jbehrends/monitoring_scripts/blob/master/graphite/edgerouter_metrics.sh
# source: https://help.ui.com/hc/en-us/articles/205223500-EdgeRouter-SNMP
set service snmp community public authorization ro
set service snmp listen-address 172.16.99.1
set service snmp ignore-interface switch

Get statistics via collectd/SNMP

LoadPlugin snmp

<Plugin snmp>
  <Data "load1">
    Type "if_octets"
    Table true
    Instance "IF-MIB::ifDescr"
    Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets"
  </Data>
  <Data "std_traffic">
    Type "if_octets"
    Table true
    Instance "IF-MIB::ifDescr"
    Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets"
  </Data>
  <Host "my.lab.dev">
    Address "172.16.99.1"
    Version 2
    Community "public"
    Collect "std_traffic"
    Interval 30
  </Host>
</Plugin>

Debugging

No static DHCP lease mac address specified for static mapping 'esp-camganymede.lan' under shared network name 'vlan20'. DHCP server configuration commit aborted due to error(s).

This appears when a static-mapping is committed with an ip-address but no mac-address; EdgeOS requires both, so set the mac-address before committing.
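To catch that commit error (and a couple of related mistakes) before touching the router, here is an added example of my own, not part of the original post: a linter for the dhcp-server static-mapping commands. It flags mappings without a mac-address, addresses outside the subnet, and addresses that collide with the dynamic pool; the input is a constructed excerpt in the style of this page.

```python
# Added example: lint EdgeOS dhcp-server static-mapping commands before
# commit. Catches the error shown above (ip-address without mac-address)
# plus addresses outside the subnet or inside the dynamic start/stop pool.
import ipaddress
import re
from collections import defaultdict

SUBNET_RE = re.compile(r"^set service dhcp-server shared-network-name (\S+) subnet (\S+) (.*)$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def lint_static_mappings(config):
    """Return a sorted list of (network, mapping, problem) tuples."""
    pools, mappings = {}, defaultdict(dict)
    for line in config.strip().splitlines():
        m = SUBNET_RE.match(line)
        if not m:
            continue
        net, subnet, rest = m.groups()
        parts = rest.split()
        if parts[0] == "start":             # ... start A stop B
            pools[net] = (subnet, ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[3]))
        elif parts[0] == "static-mapping":  # ... static-mapping NAME key VALUE
            mappings[(net, parts[1])][parts[2]] = parts[3]
    problems = []
    for (net, name), attrs in mappings.items():
        if "mac-address" not in attrs:
            problems.append((net, name, "missing mac-address"))
        elif not MAC_RE.match(attrs["mac-address"]):
            problems.append((net, name, "malformed mac-address"))
        if "ip-address" not in attrs:
            problems.append((net, name, "missing ip-address"))
            continue
        ip = ipaddress.ip_address(attrs["ip-address"])
        if net not in pools:                # no start/stop pool known: skip range checks
            continue
        subnet, start, stop = pools[net]
        if ip not in ipaddress.ip_network(subnet):
            problems.append((net, name, "ip-address outside subnet"))
        elif start <= ip <= stop:
            problems.append((net, name, "ip-address inside dynamic pool"))
    return sorted(problems)

# Constructed excerpt: one correct mapping, one missing its mac-address
# (the case from the error above), one colliding with the dynamic pool.
CONFIG = """
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 start 172.16.20.100 stop 172.16.20.254
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-bathroom.lan ip-address 172.16.20.2
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-bathroom.lan mac-address 84:0D:8E:8F:50:65
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-camganymede.lan ip-address 172.16.20.6
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-pool.lan ip-address 172.16.20.150
set service dhcp-server shared-network-name vlan20 subnet 172.16.20.0/24 static-mapping esp-pool.lan mac-address 00:11:22:33:44:55
"""

if __name__ == "__main__":
    for net, name, problem in lint_static_mappings(CONFIG):
        print(f"{net}/{name}: {problem}")
```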

Switch

I'm using a Netgear GS108PE, which gives me 8 VLAN-aware ports, 4 of which provide PoE to power my APs.

WiFi

AP

I chose Ubiquiti AP AC LR for their good performance/price ratio.

#networking #security #server #smarthome #unix