Home Networking


A community to help people learn, install, set up or troubleshoot their home network equipment and solutions.


founded 2 years ago
1
 
 

I have wanted to upgrade my network for a while and a recent event finally made me do it. I received a notice from my shit ISP indicating I was approaching my monthly cap, just 5 days into the month. I was using two Nighthawks, the RAX120 and AX6, two of the most absolute, piece of shit routers from day one, that have ever been created in the fucking universe, BTW. I checked my PoS network and noticed some crazy traffic coming from somewhere but couldn't really get much info. This was really my fault running these two POS routers in the first place and not really having much else in place, but here I am.

All of that to say, I'm not really a networking person and I wanted to get some feedback on my “upgraded” system. I don't mind tinkering with the network and learning more about networking in general so, anything technical is fine with me.

Here are some of the details with a diagram of my layout. Again, not a network person so, sorry for the shit diagram.

**Main House**

  • 2200 sq/ft, 2 story
  • Main Living, downstairs

ADU/Backyard Office

  • 120 sq/ft
  • Hard wired, 2x CAT6A

Internet

  • Down: <1100 Mbps (at fucking best)
  • Up: <35 Mbps (at fucking best)

Proposed Hardware

  • Modem: Arris SB8200 (Had it forever)
  • Ethernet Router: Ubiquiti Cloud Gateway Ultra (UCG-Ultra)
  • PoE Switch: Ubiquiti Ultra 8-port GbE PoE switch

Main House

  • Upstairs WiFi AP: Ubiquiti AP U7 In-Wall

  • Downstairs WiFi AP: Ubiquiti U7 Lite 2.5 GbE

Backyard Office / ADU

  • WiFi Access Point: Ubiquiti U7 Lite 2.5 GbE

Other Stuff

  • Pi running PiHole
  • NAS for occasional video and pic dumps, often times over WiFi
  • Family of 5, kids sure love streaming :/
  • WFH 50%

Sorry for all the info, I’m just tired of battling with this absolute horseshit network for far too long and would rather put the time in building a proper network without going too crazy.

Attached are pics of my network devices.

2
4
VPN Issues (lemmy.world)
submitted 1 month ago* (last edited 1 month ago) by Apocalypteroid@lemmy.world to c/homenetworking@selfhosted.forum
 
 

Hi all. Hoping someone can answer my question. I've set up a surfshark open VPN client on my home router (an Asus AX8) but it's causing me some issues.

I live in the UK and my kid loves watching cartoons on the BBC through our smart TV. Because the BBC app is location locked to the UK it doesn't work with the VPN on, and even when I've turned the VPN off in the router settings, my location seems to jump around all over the place, and I've confirmed this with IP location searches.

I'm aware I could run VPNs on every other device, but I'd really like to put my entire network behind the VPN (other than the TV) if possible. Is there a way of creating an exception for my TV so that it can bypass the VPN? If so can anyone advise how to do it? OR is there a way of location locking my VPN to show as being within the UK? Normally apps on my devices I can choose where I'm located, that doesn't seem to be an option on the router.

Any advice appreciated! Thanks!

3
 
 

Purely a curiosity on my part... But has anyone ever looked at how their Microsoft Teams calls get routed? During Teams calls I'll check OpenWrt to see the endpoint IP I'm sending all my traffic to, then do a traceroute to that IP. So far, I think, it's always been a bizarre path.

For instance, today:

$ tracepath 52.115.76.111
 1?: [LOCALHOST]                      pmtu 1500
 1:  OpenWrt.lan                                           1.200ms 
 1:  OpenWrt.lan                                           1.511ms 
 2:  ...                              15.008ms 
 3:  ...                            18.429ms asymm  4 
 4:  ...                            22.477ms asymm  5 
 5:  six2.microsoft.com                                   39.117ms asymm  6 
 6:  ae32-0.icr02.mwh01.ntwk.msn.net                      40.610ms 
 7:  be-162-0.ibr04.mwh01.ntwk.msn.net                   190.062ms asymm 15 
 8:  be-2-0.ibr04.fra30.ntwk.msn.net                      78.997ms asymm 12 
 9:  be-8-0.ibr02.dsm05.ntwk.msn.net                      77.944ms asymm 12 
10:  51.10.19.124                                         78.474ms asymm 11 
11:  104.44.54.110                                        75.460ms asymm 10 
12:  no reply
^C

I think that:

  • mwh01 = Moses Lake, WA
  • fra30 = Frankfurt
  • dsm05 = Des Moines, Iowa
  • ibr04 = ??

Assuming I'm right on those names - and the hostnames can be trusted - what a strange way to route traffic...

Most of the time when I check these Teams IPs I'm just routing through Southern states before being sent back to the Eastern US, but today's was weird enough I thought I should ask if anyone else ever looks at these things.
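The hop lines above can be parsed and read mechanically. The following is an added example, not part of the post: it parses tracepath output, keeps the lowest RTT per TTL, pulls the router and site labels out of hostnames that follow the `<iface>.<router>.<site>.ntwk.msn.net` pattern seen in the output, and flags where the RTT jumps. The site-code-to-city mapping is the poster's guess from the list above and is labelled as such; the `ntwk.msn.net` label convention is an assumption drawn only from the hostnames shown.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hop lines taken from the poster's tracepath output above (the "..." hops are
# the ones the poster masked); they are parsed as-is, nothing is re-measured.
SAMPLE = """\
 1?: [LOCALHOST]                      pmtu 1500
 1:  OpenWrt.lan                                           1.200ms
 1:  OpenWrt.lan                                           1.511ms
 2:  ...                              15.008ms
 3:  ...                            18.429ms asymm  4
 4:  ...                            22.477ms asymm  5
 5:  six2.microsoft.com                                   39.117ms asymm  6
 6:  ae32-0.icr02.mwh01.ntwk.msn.net                      40.610ms
 7:  be-162-0.ibr04.mwh01.ntwk.msn.net                   190.062ms asymm 15
 8:  be-2-0.ibr04.fra30.ntwk.msn.net                      78.997ms asymm 12
 9:  be-8-0.ibr02.dsm05.ntwk.msn.net                      77.944ms asymm 12
10:  51.10.19.124                                         78.474ms asymm 11
11:  104.44.54.110                                        75.460ms asymm 10
12:  no reply
^C
"""

# The poster's reading of the site codes; an assumption, not something verified here.
SITE_GUESSES = {"mwh01": "Moses Lake, WA", "fra30": "Frankfurt", "dsm05": "Des Moines, IA"}

HOP_RE = re.compile(
    r"^\s*(?P<ttl>\d+)\??:\s+(?P<host>\S+)"
    r"(?:\s+(?P<rtt>\d+\.\d+)ms)?"
    r"(?:\s+asymm\s+(?P<asymm>\d+))?"
)


@dataclass
class Hop:
    ttl: int
    host: Optional[str]      # None when tracepath printed "no reply"
    rtt_ms: Optional[float]
    asymm: Optional[int]     # tracepath's estimate of the reverse-path hop count


def parse_tracepath(text: str) -> Tuple[Optional[int], List[Hop]]:
    """Return (path MTU, hops sorted by TTL). tracepath prints the first hop once per
    probe; the lowest RTT seen for a TTL is kept, as traceroute tooling usually does."""
    pmtu = None
    by_ttl: Dict[int, Hop] = {}
    for line in text.splitlines():
        m = re.search(r"pmtu (\d+)", line)
        if m:
            pmtu = int(m.group(1))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue                      # "^C" and anything else that is not a hop line
        ttl = int(m.group("ttl"))
        if "no reply" in line:
            hop = Hop(ttl, None, None, None)
        else:
            hop = Hop(ttl, m.group("host"),
                      float(m.group("rtt")) if m.group("rtt") else None,
                      int(m.group("asymm")) if m.group("asymm") else None)
        prev = by_ttl.get(ttl)
        if prev is None or (hop.rtt_ms is not None
                            and (prev.rtt_ms is None or hop.rtt_ms < prev.rtt_ms)):
            by_ttl[ttl] = hop
    return pmtu, [by_ttl[t] for t in sorted(by_ttl)]


def msn_site(host: Optional[str]) -> Optional[Tuple[str, str]]:
    """For hostnames of the form <iface>.<router>.<site>.ntwk.msn.net (the pattern in
    the output above), return (router label, site code); None for anything else."""
    if not host:
        return None
    labels = host.lower().split(".")
    if "ntwk" not in labels:
        return None
    i = labels.index("ntwk")
    if i < 2:
        return None
    return labels[i - 2], labels[i - 1]


def route_summary(hops: List[Hop]) -> List[Tuple[int, str, str, str]]:
    """(ttl, router, site code, guessed location) for every hop carrying a site code."""
    out = []
    for h in hops:
        info = msn_site(h.host)
        if info:
            out.append((h.ttl, info[0], info[1], SITE_GUESSES.get(info[1], "?")))
    return out


def rtt_jumps(hops: List[Hop], threshold_ms: float = 50.0) -> List[Tuple[int, float]]:
    """Hops whose RTT rises by more than threshold_ms over the previous replying hop."""
    jumps, prev = [], None
    for h in hops:
        if h.rtt_ms is None:
            continue
        if prev is not None and h.rtt_ms - prev > threshold_ms:
            jumps.append((h.ttl, round(h.rtt_ms - prev, 3)))
        prev = h.rtt_ms
    return jumps


if __name__ == "__main__":
    pmtu, hops = parse_tracepath(SAMPLE)
    print("pmtu", pmtu)
    for row in route_summary(hops):
        print(row)
    print("rtt jumps", rtt_jumps(hops))
```

Two reading notes. The jump the script flags is between TTL 6 and TTL 7, both labelled `mwh01`, while the `asymm 15` column says the reply for TTL 7 came back over a much longer path than the probe went out; the RTT of an ICMP time-exceeded reply includes the return path, so a jump like this says more about the reverse route than about where the forward hop sits. And the hostnames are reverse-DNS strings set by the operator, which is exactly the caveat the poster raises: they are a hint, not a measurement.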

4
 
 

First, a caveat: I'm not running pure DD-WRT, but a GL-iNet router that has some UI shim (and possibly other stuff) running on top of DD-WRT.

The issue I'm seeking help on is that I am seeing odd behavior with client resolution, where sometimes lan device names will resolve, and sometimes they won't. When they won't, there's a thing I can do in the UI and it'll start working again for a while, until it doesn't.

The other variable is that I've got all outbound traffic going through a VPN, and DNS servers configured by the VPN. This does, and always has, worked, and DNS tests always confirm that external DNS requests are going to those servers.

The issue is that I want all LAN hosts to resolve using the leases. And sometimes this works, but sometimes it stops working and LAN hosts don't resolve. I can fix this by toggling the "DNS Server Settings" between "DNS Proxy" with the IP of the router as the proxy, and "Automatic" (which, it appears to me, just sets resolution to the VPN settings). Toggling in either direction works, at least temporarily. Although I can't replicate it at the moment, there was a time where I'd toggle in one direction (to "Proxy" probably) and LAN resolution would work but no WAN domain names would resolve until I switched it back to "Automatic."

Oh -- one other oddity: I disabled the "Allow Custom DNS to Override VPN DNS" which made things behave better, in general -- it may be why I can no longer reproduce the "external domains don't resolve" issue.

The behavior makes me suspect a couple of things:

  1. Applying the switch is restarting some service -- probably masq -- and possibly temporarily changing the configuration thereof.
  2. I have dns-masq misconfigured s.t. it's not falling back to the VPN-configured servers

I had a third thought, but it's gone now.

So, my question really boils down to how I need this configured such that my .lan hosts resolve via leases, but everything else goes through the VPN DNS servers. I avoid going in and changing things via the shell, but I'm not afraid to; I just prefer to have it done through the UI.

In the UI, there are three toggles, all off: rebinding attack protection; override DNS settings for all clients; and allow custom DNS to override VPN DNS. Then there's the "Mode" with options "DNS Proxy," "Automatic," "Encrypted DNS," and "Manual DNS." I have only used Automatic and Proxy. Finally, when Proxy is enabled, there's a proxy server address which, as I've said, is set to the LAN IP of the router.

I think I need to be on "DNS Proxy" as I'm using dns-masq. But to ensure dns-masq is using whatever current VPN DNS configuration setting is active, do I need to configure something in dns-masq? I randomly choose a new VPN exit node once a day, which probably doesn't change the DNS configuration (they don't have that many DNS servers), but does restart the network when it happens (although, I do not think the restart triggers the issue).

5
 
 

https://help.ui.com/hc/en-us/articles/115003173168-Zone-Based-Firewalls-in-UniFi

ZBF looks really cool! I watched this video, and rushed to try it... only to discover my UXG Pro hasn't been released yet. I feel like a kid who found out Christmas has been delayed due to warm weather!

6
 
 

Goals: Find a router with at least 2 2.5gb ports with a long software support (5+ years)

List of custom firmwares updated & relevant in 2024

  1. OpenWrt
  2. DD-WRT
  3. FreshTomato (Searched compatible HW (https://wiki.freshtomato.org/doku.php/hardware_compatibility), no matches)
  4. ASUS only: Asuswrt-Merlin https://asuswrt-merlin.net/ && https://github.com/gnuton/asuswrt-merlin.ng

Good list https://www.reddit.com/r/openwrt/comments/1gs0qgi/wifi_6_router_options_with_25gbe_ports/

  1. GL.iNet GL-MT6000(Flint 2) $159.00 https://www.amazon.com/GL-iNet-GL-MT6000-Multi-Gig-Connectivity-WireGuard/dp/B0CP7S3117 OpenWrt

  2. ROG Rapture GT-AX6000 Dual 2.5G WAN/LAN Ports, $215 Asuswrt-Merlin

  3. ASUS RT-AX88U PRO AX6000 $220 Asuswrt-Merlin

  4. TP-LINK TL-XTR8488 Turbo AX8400 $254 https://www.aliexpress.us/item/3256807531774383.html OpenWRT's https://openwrt.org/toh/views/toh_available_16128_ax-wifi

  5. Sinovoip Banana Pi BPi-R3 Mini $150 + 2.5gb SFPs OpenWRT's recommended list

  6. TUF Gaming AX6000 (TUF-AX6000) $200 https://www.asus.com/us/networking-iot-servers/wifi-routers/asus-gaming-routers/tuf-gaming-ax6000/ OpenWRT's recommended list

  7. ADTRAN SDG-8632 TA 904 2ND GEN IP GATEWAY ROUTER WIFI 6E MESH 17600073F1S US $299.99 OpenWRT's recommended list

No Third party FW support! (But right specs)

2.5gb+

  • ROG Rapture GT-BE98 $799.99 gnuton/asuswrt-merlin.ng

  • ROG Rapture GT-AXE16000 2.5G WAN/LAN port, 1 10Gbps WAN/LAN $599.99

  • QNAP QHora-301W $400 2 10Gbps WAN/LAN (Poor reviews about reliability)

  • TP-Link Tri-Band BE15000 WiFi 7 Router Archer BE700 $349.99 https://www.tp-link.com/us/home-networking/wifi-router/archer-be700/v1/#overview

    1. ROG Rapture GT-AX11000 PRO $299.99 1x 2.5 Gbps 1x 10Gbps Asuswrt-Merlin

2.5GB WAN, 1gb LANs

  1. Asus TUF-AX3000_V2 $92.90 https://www.aliexpress.us/item/3256806575492981.html Only 1gb LANs (RJ45 for 2.5 Gigabits BaseT for WAN x 1, RJ45 for Gigabits BaseT for LAN x 4) FreshTomato & gnuton/asuswrt-merlin.ng, release date: June 2022 https://techinfodepot.shoutwiki.com/wiki/ASUS_TUF-AX3000_v2 https://www.digitalcitizen.life/asus-tuf-gaming-ax3000-v2-review/ https://www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/tuf-gaming-ax3000-v2/

  2. OpenWrt One $95.63 aliexpress.us/item/3256807640431354.html Only 1gb LAN (RJ45 for 2.5 Gigabits BaseT for WAN x 1, RJ45 for Gigabits BaseT for LAN x 1) OpenWrt, release date: October 2, 2024

  3. ROG Rapture GT-AXE11000 2.5G WAN/LAN port or two 1Gbps $299.99

  4. RT-AXE7800 $229.99

Skip numbers 5~6

  1. RT-AX86U Pro AX5700 $184.00 2.5 Gbps LAN, odd Asuswrt-Merlin

  2. TP-Link AX5400 OR TP-Link AX3000 $109.99 https://www.amazon.com/TP-Link-WiFi-AX3000-Smart-Router/dp/B0BTD7V93F

  3. https://mikrotik.com/product/l009uigs_2haxd_in https://www.balticnetworks.com/products/mikrotik-l009-router-with-2-4-ghz-802-11b-g-n-ax-dual-chain-wireless-l009uigs-2haxd-in $115.95

  4. https://mikrotik.com/product/hap_ax3 $139.00

  5. https://mikrotik.com/product/chateaulte18_ax $299.00

  6. https://mikrotik.com/product/rb4011igs_5hacq2hnd_in $275.00

  7. Banana Pi BPI-R4 Wifi 7 Router board with MTK MT7988A design,4G RAM and 8G eMMC onboard https://banana-pi.org/en/bananapi-router/155.html

https://www.reddit.com/r/openwrt/comments/vkw8ju/budget_25gb_router_for_openwrt_dont_care_about/ If I didn't need wireless: NanoPi R5S-LTS $65.00

Other options

https://www.aliexpress.us/w/wholesale--Celeron-N5105-2.5G-LAN.html // A Celeron N5105 powered mini PC from aliexpress with 2.5G ports, $150ish, plus a USB wifi adapter, $30?

7
 
 

Basically I wanna have a Banana Pi BPi-R4 as my home router running OpenWRT and have a UniFi U6+ plugged in to act as my AP.

Can anyone foresee any problems with such a setup. Basically gonna have my homelab and TV stuff all running through the setup. So everything from Home Assistant to Navidrome to Jellyfin to Immich, etc, etc.

8
18
submitted 5 months ago* (last edited 5 months ago) by encoded@discuss.tchncs.de to c/homenetworking@selfhosted.forum
 
 

I found this a very interesting look at the current tools and techniques available to reduce reliance on IPv4 and NATs. While I don't foresee IPv4 going away any time soon, and I'm not sure IPv6 is an improvement per se, I do like to tinker with IPv6 in the home LAN.

(Edit: to be clear, I am not the author.)

9
 
 

TLDR: Why do so many routers support >1Gbit/s on their WiFi while only having 1Gbit/s ethernet interfaces?

So, I've been upgrading parts of my home setup and have a router (without AP) that has 2.5G interfaces. My PC also has a 2.5G interface, but that only going to the router is kinda useless (the ISP offers 1G).

The place my PC is at is also a good position for an AP. So, I went looking for a cheap second hand wifi router and stumbled upon quite a few that were boasting >1G connection speeds, not only AX but also AC. Now I know this is often a combined theoretical Max, but still a lot offer >1G for the single band.

The vast majority of these routers, though, have 1G Ethernet ports. Putting that between my PC and router reduces the link speed, and I can't actually reach over 1G for the WiFi devices either. Why would you sell a product like that? Undoubtedly those radios were more expensive, but they're in a package that can't fully utilize them. I can think of some reasons: marketing, radios are mostly not fully utilized anyway, helps with latency, maybe?

Does anyone know why it's done like this?

10
11
12
13
 
 

I'm looking to replace my old Netgear Nighthawk with a new router. Currently my house does have some dead zones which we make up for using a powerline. But the powerline isn't always stable and we have to switch wifi networks depending on where we are in the house.

My question is, is it better to get a mesh network or a standard router with either range extenders (ex: TP-Link OneMesh) or mesh features (ex: Asus AiMesh)? I couldn't really find any article that listed the differences between mesh routers and standard routers with extendable features. They only compare mesh routers with standard routers.

More info:

Preferably, I would like to go with the standard router for the higher speeds and extra ports but I'm afraid that won't solve our dead zone issues. Also, buying two or three standard routers is way more expensive than a mesh network with multiple satellites.

Speed and signal strength are important for me since both I and my brother WFH and do online gaming. Unfortunately, the home office (where the router is) and bedrooms (where we game and where my brother works) are on opposite sides of the house. Another note is that when the garage opens, my brother loses signal in his room for some reason. I haven't experienced that despite being closer to the garage than him.

14
 
 

Hello. For some context, I am moving into my first home. I am looking for a network solution to use that will last a long time. My original idea was just getting a new WiFi 7 router, maybe a gaming one since gaming is my passion, but I got talking to my friend and he has a Ubiquiti Dream Machine and talks really highly about it, and I would love this or something similar to it. He showed me all the features it has and the layout of the UI etc. Being able to add security cameras to it and such is something I very much want, along with a lot of the other things it can do. I am good with technology (I am a software engineer) and I currently have things such as netalertX and AdGuard Home running on a mesh network, so I can and would be willing to set things up.

Is this the only type of device that does this kind of thing or are there others? Any suggestions or alternatives? I like to look at options before buying.

Side note: the budget is relatively high, aka I am willing, and unless given alternatives I like more, I am going to go with the Dream Machine and the other required items from them. Thanks :)

15
 
 

I just fought getting a 3rd party range extender working and wanted to share what I learned.

Equipment:

Macard re1200 range extender and Gigaspire blast u4 GS2028E router

After setup of the Macard extender, all 3 lights were solid green meaning that it connected and authenticated to the router. However, devices connected (wirelessly) to the macard could not access the internet.

What I found that fixed it was I had to enable the "ARP spoofing" security flag in the Gigaspire's settings. The initial user ID and password are printed on the label on the back of the router so use that to log in.

16
 
 

I created a whitelist access profile. That ensures that the whole WAN is blocked except what is exceptionally whitelisted. I started with an empty whitelist. The LAN is rightfully accessible and the WAN is rightfully inaccessible.

The router does not use DSL. Instead, it uses a USB mobile broadband LTE modem. The modem has its own website which gives SMS capability. The modem is technically upstream to the router, so it is blocked when the WAN blocking profile is enabled. I want to whitelist the modem so that when I am blocking WAN access I can still reach the web UI of the modem and monitor SMS msgs.

Fritzbox is designed so that all attempts to directly access an IP is blocked if whitelisting is in play. IP addresses cannot be whitelisted, only URLs using FQDNs. So I did “nslookup 10.10.50.8” to get the hostname of the modem. Then I whitelisted the hostname. That does not work. The modem is still blocked.

17
 
 

Was looking into this today and this video came up, so thought I'd share

Summary:

This video is about securing Cloudflare tunnels with VLANs and an internal firewall.

The speaker, Jim, argues that while Cloudflare tunnels are a great technology, they can introduce security risks because all the traffic that comes into your network is visible to Cloudflare. To mitigate these risks, Jim suggests segmenting your internal network and adding extra layers of security.

Here are the key steps to secure Cloudflare tunnels with VLANs and an internal firewall according to Jim:

  • Create a Mac VLAN for the Cloudflare tunnel. This will isolate the traffic coming from the tunnel from the rest of your network.
  • Add an internal firewall rule to allow traffic only from the Mac VLAN to the specific port where your service is running. This will restrict the Cloudflare tunnel's access to only the resources it needs.
  • Configure your firewall to perform IDS/IPS on the traffic coming from the Cloudflare tunnel. This will help to identify and block malicious traffic.

By following these steps, you can add extra layers of security to your network and reduce the risk of a breach even if your Cloudflare tunnel is compromised.

Jim also mentions that a next-generation firewall can be used for additional security benefits. This type of firewall can perform deeper inspections of traffic and provide better protection against sophisticated attacks.

Overall, the video provides a good overview of the security risks associated with Cloudflare tunnels and how to mitigate those risks using VLANs and an internal firewall.
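The firewall step in that summary (tunnel segment may reach one host and port, nothing else) is worth seeing as an explicit policy next to the looser "tunnel may reach the services VLAN" rule many people start with. The following is an added example, not code from the video or from Cloudflare: a small first-match policy evaluator over constructed flows, used to show which destinations each ruleset would let a tunnel-connected host reach. The VLAN numbering, the `10.0.x.0/24` subnets, the service host `10.0.20.10` and port `8443` are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing: the tunnel connector sits alone on VLAN 90, the exposed
# web service on VLAN 20, the rest of the home LAN on VLAN 10.
TUNNEL_NET = "10.0.90.0/24"
SERVICE_HOST = "10.0.20.10"
SERVICE_PORT = 8443


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR
    dst: str             # CIDR
    proto: Optional[str]     # None = any protocol
    dport: Optional[int]     # None = any port
    action: str          # "accept" or "drop"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


def evaluate(rules: List[Rule], f: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is dropped (default deny)."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "drop"


# Loose: the tunnel segment may reach the whole services VLAN.
LOOSE = [Rule(TUNNEL_NET, "10.0.20.0/24", None, None, "accept")]

# Tight: the tunnel segment may reach exactly one host and port; the explicit
# drop is there so the firewall can log what the tunnel tried and was refused.
TIGHT = [
    Rule(TUNNEL_NET, f"{SERVICE_HOST}/32", "tcp", SERVICE_PORT, "accept"),
    Rule(TUNNEL_NET, "0.0.0.0/0", None, None, "drop"),
]


def lateral_exposure(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows from the tunnel segment that the policy accepts although they are not the
    intended service: the reach a compromised tunnel connector would have."""
    intended = (SERVICE_HOST, "tcp", SERVICE_PORT)
    return [f for f in flows
            if ip_address(f.src) in ip_network(TUNNEL_NET)
            and evaluate(rules, f) == "accept"
            and (f.dst, f.proto, f.dport) != intended]


# Constructed traffic a host on the tunnel segment might attempt.
PROBES = [
    Flow("10.0.90.5", SERVICE_HOST, "tcp", SERVICE_PORT),  # the published service
    Flow("10.0.90.5", SERVICE_HOST, "tcp", 22),            # another port on the same host
    Flow("10.0.90.5", "10.0.20.11", "tcp", 445),           # a neighbour on the services VLAN
    Flow("10.0.90.5", "10.0.10.50", "tcp", 445),           # the home LAN
    Flow("10.0.90.5", SERVICE_HOST, "udp", SERVICE_PORT),  # right port, wrong protocol
]


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("tight", TIGHT)):
        extra = lateral_exposure(rules, PROBES)
        print(f"{name}: {len(extra)} unintended destinations reachable")
        for f in extra:
            print("   ", f.dst, f.proto, f.dport)
```

Run it and the loose ruleset reports three unintended destinations (the extra port on the service host, its neighbour, and the UDP variant), the tight one none; the home-LAN probe is refused under both only because nothing matches it and the evaluator is default-deny, which is the property to confirm on the real firewall before relying on it. The IDS/IPS step from the summary is not modelled here; it inspects the flows this policy accepts.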

18
 
 

cross-posted from: https://lazysoci.al/post/13500180

I have the Pi-Hole acting as the DHCP server and DNS server too and this works fine for 23 hours and then it flops and I don't understand why.

Basically after 24 hours, all devices just disconnect from the router and when I try and reconnect them, they say they're unable to get an IP address.

But before they drop connection, they all report the DNS server as the Pi-Hole.

If I change my DHCP to static and connect to my router, I see that the Pi-Hole is still connected with its static IP just fine.

If I factory reset the router and then add the same SSID and password, the Pi-Hole automatically reconnects and then all devices can reconnect again, so I'm unsure what the issue is.

Can someone break this down. I feel stupid for not understanding what's happening here.

19
 
 

Hopefully I am in the right community.

So I have a router, a TP Link Archer AX53, nice router. I wanted to improve the signal in my room and bought a TP link Deco X10. So CAT 6 cable to my room, connect my router and deco.

I thought this might just be a quick tick to add the deco as a mesh device and boom problem sorted.

Now I know this is not a simple WiFi 6 mesh setup; it seems like the Deco and the Archer do not work together, they make their own individual network points.

Does anyone know a solution, or am I stuck with two networks? Not the end of the world, but it would have been nice if it could be one mesh network.

20
 
 

I didn't even know cat 8 cabling was a thing.

21
 
 

Thought this was interesting. Maybe it can help someone who's in a similar position to myself and looking at their options

22
 
 

Everyone was kind enough to ram my brain chock full of knowledge about switches and I came away feeling like I can explain it to other people. (please don't test me on this, I'll fail)

But now I'm trying to figure out how I want my network to look and so it's best I ask the people smarter than me that actually understand what I'm trying to do.

My house is an average sized, end of terrace in a big city and so while I can get decent Internet speeds, I get lots of WiFi signal congestion with neighbours, buildings, etc.

In my present router, which I really need to replace, I have my NAS and cable box plugged in via Ethernet, everything else is connected via WiFi. That's a bunch of phones, a couple laptops, and a couple Raspberry Pi's (including my one with all my home services, like Home Assistant and my Pi-Hole).

The design I'm cooking up, is that my NAS would be on a virtual LAN with no direct access to the Internet, my Raspberry Pis would have Internet access. I don't need to worry about my smart home devices having Internet access since they're all Zigbee devices. But I plan to switch my cable box to an IPTV box and I'm also wanting to get a video doorbell and security camera for the garden, so that's at least three virtual local area networks. Four if I add a guest network.

My questions are really simple ones and you're probably gonna laugh at how stupid they are… can I do this all with a single switch? Do I need a separate access point for each VLAN or can I have multiple VLANs on a single AP? How many ports should I be looking at on my switch? Would four be enough for my set-up? Also, managed is best, right?

23
 
 

Okay, I've been watching lots of YouTube videos about switches and I've just made myself more confused. Managed versus unmanaged seems to be having a GUI versus not having a GUI, but why would anyone want a GUI on a switch? Shouldn't your router do that? Also, a switch is like a tube station for local traffic, essentially an extension lead, so why do some have fans?

24
 
 

There are apparently only two documented ways to reverse tether an Android via USB to a linux host:

OpenVPN dead
I really wanted the #openVPN method to work because I’m a fan of reducing special-purpose installations and using Swiss army knives of sorts. In principle we might expect openVPN to be well maintained well into the future. But openVPN turns out to be a shit show in this niche context. Features have been dropped from the Android version.

Gnirehtet dying
Gnirehtet works but it’s falling out of maintenance. ~~It’s also unclear if~~ #Gnirehtet really works without root. There is mixed info:

  • Ade Malsasa Akbar from Ubuntubuzz claims root is not needed (and devs agree).
  • OSradar claims root is needed. (edit: they are mistaken)

If anyone has managed to reverse tether an unrooted Android over USB to a linux host using free software, please chime in. Thanks!

update on Gnirehtet


Gnirehtet indeed works without root. But some apps (like VOIP apps) fail to detect an internet connection and refuse to communicate.

#askFedi

25
 
 

Let me explain my current setup so that I can explain the problem...

For redundancy, I have two internet providers at home. One of them is DSL and the router is located at the entrance hall. The other one is cable and the connection point (and therefore the modem/router) is at the living room. My workstation is in another room on the opposite end of the apartment.

To connect all that, I bought a set of powerline adapters from TP-Link, one with 3 ports and a Wi-Fi extender and two with 3 ports, along with a load-balancing multi-WAN router with 5 ports, also from TP-Link.

Right now, I have the multi-WAN router connected to one powerline adapter (one port for each WAN), another adapter at the entrance hall connected to the LAN of the DSL router, and the adapter with the Wi-Fi extender connected to the cable router.

The wired part works. My workstation connects to the router and I get an IP from it. The router can connect with both WANs and my connection seems stable. My problem is in the wireless part. From my phone, it says it is connected but it can not resolve any external connection.

At first I thought the wi-fi was getting confused with the different DHCP servers, but even after disabling DHCP on DSL/Cable routers (not using it anyway because I am connecting through the "multi-wan" router, right?) the connection is still not going through. I can access the management part of the Wi-FI extender and it seems to be on the same subnet as the multi-wan router, so I guess it can connect to it, but the actual connection outside simply doesn't happen.

Is this setup so out of ordinary? Should I just forget about the wi-fi extender and add a "real" access point in the living room? I guess I could accept that the mobile devices need to be aware of the separate WAN routers, but it would be a lot nicer if they could all connect transparently...
