I recently upgraded my home network by buying, configuring and installing a hobbyists’ “performance” router, the Edge Router LITE from Ubiquiti. This after years of sticking with crappy consumer line Netgear products after getting royally screwed by Linksys (just as it was getting acquired by Cisco). This article is about acquiring, setting up and finally putting that router into place (today, as it happens) and what was involved.
Geek Cred aside: I worked as a Senior Network Engineer back in the 90’s just after dropping out of grad school (Physical Chemistry) for Sprint International (they were a subsidiary of Sprint, selling high bandwidth to international/global telecomm customers). For about 18 months I helped document, design and configure these vast (size of a washing machine) routers called Cisco 7503s (now HP?). We did most of our configuration with scripts that are uncannily like the ones you can (and I do) use to configure the EdgeRouter. UNCANNY. Almost as if Network engineering and hardware design were a very small community of IT professionals all using the same architecture and assumptions to get things done.
First I should say that I completed an audit of all my network connected devices in the household, including all the ways each device could be connected (some have both WiFi and network cable abilities). This wasn’t just for geeky wanking but because I wanted to set up house-wide DNS and DHCP services (okay, that’s geeky wanking too, but at ANOTHER LEVEL).
Anyhow, the upshot of the audit was that my household of 3 adult humans and one adult cat possesses about 32 network-attached devices (most of them mine or of a utility nature – Wireless access points, Nest thermostat and smoke detectors, and a wireless audio system). This is as complex as a small business, and there were many things to consider in order to get the network working well, both inside the house as well as traffic coming and going to/from the Internet (cue dramatic music here).
Here is a geeky network designer’s full rundown of the services and configuration choices to factor in. I’ll note here what I chose to implement and what I didn’t:
- LAN
  - IPv4 addressing (implemented at router)
  - IPv4 subnetworks (implemented at router)
  - IPv4 VLANs (not implemented – considered it though)
  - DHCP (implemented at router)
  - DNS (implemented at household OSX Server)
  - UPnP (implemented at router)
- DMZ (I have a port set aside on the router, but it’s not configured and nothing’s plugged in)
- Router
  - Firewall – SPI (implemented)
  - IPv6 DHCP Delegation
  - IPv6 addressing (implemented on WAN side)
  - DNS Forwarding (implemented)
  - NAT (implemented – masquerade)
  - NTP (implemented)
  - TCP Offload Engine (implemented; keeping an eye on this as some games report disconnects)
  - VPN (not implemented – no need)
  - Dynamic DNS (not implemented – no need)
  - Static Routing (automatic/dynamic)
  - OSPF Routing (not implemented)
  - PPPoE (not implemented – no need)
- Administration (implemented at router)
  - WAN access firewalled
  - Secured Web-based SSL Admin GUI
  - Secured SSH Admin Console
  - Non-standard administrator account
  - Router configuration automatically backed up and versioned (to location on household server, then backed up automatically)
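As an added illustration, not the author’s configuration (which is promised for a later post) and not Ubiquiti’s own documentation, here is roughly what the items marked “implemented” above look like as EdgeOS CLI `set` commands entered in `configure` mode. The interface roles (eth0 as WAN, eth1 as LAN), the 192.168.1.0/24 subnet, the household DNS server at 192.168.1.10, the account name `netadmin` and the placeholder password are all assumptions; the IPv6 items are left out. Lines starting with `#` are annotations, not commands.

```text
# --- SPI firewall: stateful policies on the WAN interface ---
# WAN_IN governs traffic forwarded from the Internet into the LAN,
# WAN_LOCAL governs traffic aimed at the router itself (covers
# "WAN access firewalled" for the admin GUI and SSH: nothing new
# from the WAN side reaches them).
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# --- NAT (masquerade): LAN hosts share the WAN address ---
set service nat rule 5010 description 'masquerade to WAN'
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade

# --- DHCP at the router; clients are told to use the household DNS server ---
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.10
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.199

# --- DNS forwarding: the router resolves on the LAN only and hands queries to the household server ---
set service dns forwarding listen-on eth1
set service dns forwarding cache-size 150
set service dns forwarding name-server 192.168.1.10

# --- NTP ---
set service ntp server 0.ubnt.pool.ntp.org

# --- Hardware offload engine (the item the author is watching for game disconnects) ---
set system offload ipv4 forwarding enable

# --- UPnP, LAN side only, with secure mode so a client may only map ports to itself ---
set service upnp2 listen-on eth1
set service upnp2 wan eth0
set service upnp2 nat-pmp enable
set service upnp2 secure-mode enable

# --- Administration: HTTPS GUI, SSH, and a non-standard admin account replacing the default one ---
set service gui https-port 443
set service ssh port 22
set system login user netadmin level admin
set system login user netadmin authentication plaintext-password 'PLACEHOLDER-change-me'
delete system login user ubnt

commit
save
```

Two details are worth checking after `commit`: that `WAN_LOCAL` really is attached to the WAN interface (otherwise the GUI and SSH are reachable from the Internet on their default ports), and that the `delete system login user ubnt` step is done only after logging in as the new account, since the session that removes the default user must not be the default user’s own.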
So these are the basic services and configuration choices. There’s more I could do:
- I have a primitive guest network set up, but I could throttle it and isolate it physically (for example to the DMZ LAN) instead of just using software session isolation and do other things to keep it less available/more secure. But for now there’s no strong need.
- I could implement VLANs for better device/traffic control, Quality of Service and some security concerns. I think I would need to upgrade my switches to managed switches. Not all of them are managed and that can get expensive, depending on the number of ports.
- I could configure QoS settings. I might, but it’s not a priority right now.
- I could also implement web caching. But this is also not a priority just yet.
I will post this for now and move on to a discussion of hard-line versus WiFi infrastructure, its considerations and evolution, in the next post. Eventually I plan to scrub the configuration file I used clean of any secrets or identifying information (hacker fodder), post it, and talk about the specifics of the configuration I finally settled on.