My Beautiful Home Network
A Quick Intro
My beautiful home network is an ongoing project born of my needs as a network security professional, someone who looks at packets for a living. Whenever I had a problem with my home network, such as losing internet access, it became second nature, before calling the ISP, to ping the local gateway first (at the time my router; it later evolved into a Sophos UTM running in an Oracle VirtualBox virtual machine on Ubuntu Linux on an Intel NUC somewhere in the house), then check the status of the ADSL modem, the physical line and the router connected to the modem, check whether DNS was resolving correctly, and maybe take a packet capture on the router.
Some of this troubleshooting was not possible at first with the simple modem the ISP supplied: it had no command line and a bare-bones web interface that offered no way to carry out even basic diagnostics. It just didn't cut it!
How it Started
Then the evolution happened. I got myself a more capable router that could be flashed with DD-WRT, mainly because I wanted a stronger Wi-Fi signal. I also needed a computer with a GUI that I could log into remotely and securely to check on things whenever something needed checking. Later I needed to link two distant houses with a strong Wi-Fi signal (or a very long Ethernet cable?), so I got a pair of Ubiquiti Networks long-range Wi-Fi antennas, and after that a small Intel NUC PC, which was later repurposed into many, many other things...
The Result
Dual WAN running in active/active mode with failover in case one link is down.
A UTM with web traffic filter & IPS.
A long distance Wifi link between two distant buildings.
So here I go, writing about it in some detail.
Things I Use & Why
ASUS RT-AC66U DD-WRT Flashed
This is my main router, the heart of the network, connecting everything together... In other words, my single point of failure, but I can't complain because it has been rock solid so far. Next on the list is adding a second router as a backup 🙂
[Image: DD-WRT interface, unlimited configuration options]
For those unfamiliar with DD-WRT, it is an open source router firmware that provides a great deal of functionality that the stock firmware from router manufacturers usually does not.
With DD-WRT I can write custom shell scripts and add them to the router's startup routine to do whatever I need, from starting OpenVPN and connecting to my VPN provider to monitoring the status of my main local gateway (the Sophos UTM) and, if the UTM is down for any reason, forcing connected clients to change their default gateway via DHCP.
The Disadvantage
The only disadvantage of running DD-WRT is that not every released build is tested thoroughly on every hardware model. New builds come out regularly and security vulnerabilities get patched, but to find the optimum version for your hardware you have to check the DD-WRT forums for your specific model. After that it is almost "set and forget", but don't forget to update the firmware when a serious security vulnerability is published. Fortunately, there are lots of helpful people on the forums who test newly released builds and report back issues.
Netgear Nighthawk R7000 DD-WRT Flashed
This is the Wi-Fi router in the second house, also flashed with DD-WRT. For quite some time it functioned as a layer 2 wireless switch forwarding traffic to the local gateway, doing no "routing" at all and therefore invisible at layer 3. No advanced functionality was needed there, so I kept it on the stock firmware until I added a second WAN link and needed a firmware that could connect to an OpenVPN server.
[Image: The Nighthawk R7000 working hard in the living room]
External VPN Gateways
Think of the VPN as a layer of privacy (not anonymity), much like the concept of defense in depth: one layer alone is not enough, but it is better than nothing, and at least it hides your traffic from the eyes of the ISP. Keep in mind that the VPN provider now sees what the ISP used to see, so choose it accordingly. If you are not using any kind of VPN, check this excellent Freedom on the Net report and look up the status of your country. If you are still concerned about privacy, you can use Tor in addition to the VPN.
The DD-WRT router can establish OpenVPN tunnels to external gateways and route all internet traffic through the tunnel, so you don't need to configure every device on the network to use the VPN: set it up once on the router and it works for every device behind it.
If you are skeptical about using someone else's VPN service, you can go DIY and build your own; see also this excellent article about setting up your own VPN server in the cloud, and another article here.
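The route check and kill switch below are an added example, not part of the original post and not DD-WRT's own scripting. They assume hypothetical interface names (LAN bridge br0, WAN vlan2, OpenVPN client tunnel tun1) and use a constructed routing table for the offline demo. The example goes slightly beyond the paragraph: "route all internet traffic through the tunnel" is done by OpenVPN's redirect-gateway def1, which does not replace the default route but adds two /1 routes on top of it, so a naive "is the default route on tun1" check gives the wrong answer, and without a kill switch clients silently fall back to the bare ISP link when the tunnel drops.

```shell
#!/bin/sh
# Added example (not from the original post): check that a DD-WRT router's internet
# traffic really leaves through the OpenVPN tunnel, and print kill-switch rules.
# Assumed, hypothetical interface names: LAN bridge br0, WAN vlan2, OpenVPN client tun1.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan2}"
VPN_IF="${VPN_IF:-tun1}"

# Constructed "ip route" output (not a real capture) from a router whose tunnel is up.
# "default" still points at the ISP: OpenVPN's "redirect-gateway def1" does not replace it,
# it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win by being more specific.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun1
default via 203.0.113.1 dev vlan2
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev vlan2 proto kernel scope link src 203.0.113.50'

# egress_dev reads a routing table on stdin and prints the interface that actually carries
# internet-bound traffic: the tunnel only if BOTH /1 halves point at it, otherwise the
# device of the plain default route.
egress_dev() {
    awk '
        { dev = ""; for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1) }
        $1 == "0.0.0.0/1"   { low  = dev }
        $1 == "128.0.0.0/1" { high = dev }
        $1 == "default"     { def  = dev }
        END { if (low != "" && low == high) print low; else print def }'
}

# vpn_active reads a routing table on stdin; exit 0 when egress is via $VPN_IF, 1 otherwise.
vpn_active() {
    [ "$(egress_dev)" = "$VPN_IF" ]
}

# killswitch_rules prints the iptables commands that keep LAN clients from leaking to the
# bare WAN when the tunnel drops; the router itself can still reach the VPN server over WAN.
killswitch_rules() {
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$LAN_IF" "$WAN_IF"
    printf 'iptables -I FORWARD -i %s -o %s -j ACCEPT\n' "$LAN_IF" "$VPN_IF"
}

# On a real DD-WRT box (identified by its nvram tool) inspect the live table; elsewhere use the sample.
if command -v nvram >/dev/null 2>&1; then
    ROUTES=$(ip route)
else
    ROUTES="$SAMPLE_ROUTES"
fi
if printf '%s\n' "$ROUTES" | vpn_active; then
    echo "internet traffic egresses via $VPN_IF"
else
    echo "WARNING: internet traffic egresses via $(printf '%s\n' "$ROUTES" | egress_dev), not $VPN_IF"
fi
```

The rules printed by killswitch_rules belong in DD-WRT's firewall script so they are reapplied whenever the WAN comes up; the egress check can run from cron and log a warning when the tunnel is silently gone.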
[Image: Freedom on the Net shows how free each country's internet is]
Intel NUC
The brain of my home network. NUC stands for "Next Unit of Computing"; it is a "barebone" computer, meaning it ships without RAM or storage and you buy those separately. It is basically a small computer, even smaller than a regular router, and it looks nice in the living room too!
[Image: Intel NUC sitting in the living room]
Sophos UTM 9 Free Home Edition (Thanks Sophos!)
[Image: The Sophos UTM has a beautiful interface]
It runs in a virtual machine on Ubuntu on the Intel NUC, and I love having a UTM in my network! It lets me do lots of things:
-Generate and schedule executive reports to see how the network is being used.
-Block web ads (around 2k ad requests blocked per day), malware, malicious websites, etc.
-Firewall blocking inbound traffic from the internet. Most of it is already blocked at the internet router, but an extra layer doesn't hurt... what happened to defense in depth?
-IPS with 3,089 malware signatures loaded at the time of this writing, yay!
-Dual active/active WAN with failover: roughly double the aggregate bandwidth (across multiple connections, not a single one) and a more reliable internet uplink. Why not?
[Image: Yes, it's a home network, but the UTM still provides very useful insights into where all that bandwidth is going and what has been blocked]
Ubuntu 18.04 LTS Bionic Beaver (at the time of this writing, and yes, I like the name!)
I love Ubuntu. It combines being user friendly, with a nice GUI, and being a "Linux" distro with all the CLI applications and tools needed for troubleshooting!
[Image: Ubuntu is beautiful to look at and very practical to use]
A pair of Ubiquiti Networks’ Nanobeams
Basically long-range Wi-Fi antennas, used to connect two distant houses so they are on the same LAN, mainly to share the internet connection and, even more importantly, to share the Plex Media Server over the LAN, which makes streaming far faster than over the internet. Ideally these would be mounted outside on the roof, but I decided to keep them indoors for protection from the weather, although they are built to tolerate it to some extent.
[Image: NanoBeam simply hanging on a floor lamp]
Plex Media Server
Of course, although not a network component, the media server deserves a mention: the holy grail of home entertainment, where everything nice comes from 🙂
Challenges
Placing The UTM in The LAN
As mentioned earlier, the UTM runs in a VM, so it has to appear to other network devices as if it were physically present on the network, independent of the host machine it runs on. In the VM world there is only one way to do this correctly: set the UTM's virtual adapters to Bridged Adapter mode. This gives each adapter its own MAC address on the physical segment, so other devices see them as independent hosts (NAT or host-only mode would hide the UTM behind the host's address, which is useless for a gateway).
[Image: The UTM's virtual adapters have to be connected in "Bridged" mode]
Interfaces Configured
[Image: Having two WAN interfaces looks beautiful]
In total, I have three interfaces configured:
Internal: the one advertised to other network devices as the default gateway.
WAN1: as the name implies, the first WAN interface.
WAN2: also as the name implies 😊
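The commands below are an added example, not the author's setup, showing how the bridged-adapter requirement and the three interfaces above translate to VirtualBox's command line and how to verify the result. The VM name "SophosUTM" and the host NIC names eno1, eno2 and eno3 (one per segment: Internal, WAN1, WAN2) are hypothetical, and the showvminfo excerpt used for the offline demo is constructed, not captured from a real VM.

```shell
#!/bin/sh
# Added example (not the author's commands): put a VirtualBox UTM VM's three NICs in
# bridged mode and verify it. Hypothetical names: VM "SophosUTM"; host NICs eno1/eno2/eno3
# carrying the Internal, WAN1 and WAN2 segments.
VM="${VM:-SophosUTM}"
NICS="1:Internal:eno1 2:WAN1:eno2 3:WAN2:eno3"   # vbox-nic-number:role:host-interface

# bridge_args prints the "VBoxManage modifyvm" options that bridge VM NIC $1 onto host
# interface $2. Bridged mode gives the VM NIC its own MAC on the physical segment, unlike
# NAT, which would hide the UTM behind the host's own address.
bridge_args() {
    printf -- '--nic%s bridged --bridgeadapter%s %s --cableconnected%s on\n' "$1" "$1" "$2" "$1"
}

# verify_bridged reads "VBoxManage showvminfo <vm> --machinereadable" output on stdin and
# prints one line for each of NICs 1..3 that is NOT bridged; exit status 0 means all are.
verify_bridged() {
    awk -F= -v want=3 '
        /^nic[0-9]+=/ { n = substr($1, 4); mode = $2; gsub(/"/, "", mode); mode_of[n] = mode }
        END {
            bad = 0
            for (n = 1; n <= want; n++)
                if (mode_of[n] != "bridged") {
                    print "nic" n " is " (mode_of[n] == "" ? "missing" : mode_of[n])
                    bad = 1
                }
            exit bad
        }'
}

# Constructed showvminfo excerpt for the offline demo (not from a real VM): nic3 was left in NAT mode.
SAMPLE_VMINFO='nic1="bridged"
bridgeadapter1="eno1"
macaddress1="080027112233"
nic2="bridged"
bridgeadapter2="eno2"
macaddress2="080027445566"
nic3="nat"'

if command -v VBoxManage >/dev/null 2>&1; then
    for spec in $NICS; do
        n=${spec%%:*}
        iface=${spec##*:}
        # word splitting of bridge_args output is intended: each option is a separate argument
        VBoxManage modifyvm "$VM" $(bridge_args "$n" "$iface")
    done
    VBoxManage showvminfo "$VM" --machinereadable | verify_bridged
else
    printf '%s\n' "$SAMPLE_VMINFO" | verify_bridged || echo "fix the NIC(s) listed above before booting the UTM"
fi
```

Run the verification after every VirtualBox upgrade or VM import: a NIC that silently reverts to NAT still boots the UTM, but nothing on the LAN can reach it, which looks exactly like a dead gateway.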
Advertising the UTM as the default gateway
I could not place the Intel NUC running the Sophos UTM physically in-line, so I had to find another way to redirect all internet traffic to it. In the end I tweaked the DHCP settings on the DD-WRT router so that it does NOT advertise itself as the default gateway but instead hands out the UTM's internal interface in the DHCP "router" option (option 3).
[Image: Configuring DD-WRT to advertise another device as the default gateway]
What if the UTM fails for any reason?
If the UTM fails, internet access is lost, so I wrote the simple shell script below on the DD-WRT router. It checks whether the UTM is down by pinging its internal interface and, if it is, changes the router's DHCP settings to advertise itself as the default gateway instead. The downside is that LAN devices only pick up the new gateway when they renew their DHCP lease or are rebooted, so with a short lease time there is roughly 30 seconds to a minute of downtime, which still beats losing internet for much longer.
#!/bin/sh
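Only the first line of the author's script survives on the page. The watchdog below is an added example that implements what the two paragraphs above describe (the DHCP gateway override on the DD-WRT router and the fallback when the UTM stops answering pings); it is not the author's script. It assumes hypothetical addresses (UTM internal interface 192.168.1.2, router LAN address 192.168.1.1), that DD-WRT keeps the "Additional DNSMasq Options" field in the nvram variable dnsmasq_options, and that dnsmasq is restarted with stopservice/startservice; check those names against your build. It adds two things a bare ping-and-flip script lacks: a failover only after several consecutive failures, so one lost ping does not move every client's gateway, and preservation of any other dnsmasq options already in the field.

```shell
#!/bin/sh
# Added example, not the author's script: a DD-WRT watchdog that advertises the UTM as the
# LAN default gateway (DHCP option 3) while it answers pings, and falls back to the router
# itself after FAIL_LIMIT consecutive failures.
# Assumptions (hypothetical): UTM internal IP 192.168.1.2, router LAN IP 192.168.1.1, the
# "Additional DNSMasq Options" field lives in nvram as dnsmasq_options, and dnsmasq is
# restarted with stopservice/startservice. BusyBox ping is assumed to support -c and -W.
UTM_IP="${UTM_IP:-192.168.1.2}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
STATE="${STATE:-/tmp/utm-watchdog.fails}"   # consecutive-failure counter
FAIL_LIMIT="${FAIL_LIMIT:-3}"                # failed checks before failing over

# gateway_option prints the dnsmasq line that hands DHCP clients $1 as their router (option 3).
gateway_option() {
    printf 'dhcp-option=3,%s\n' "$1"
}

# merged_options "$existing" GATEWAY prints the nvram field with any old router option
# removed and the new one appended, so other dnsmasq options in the field survive.
merged_options() {
    printf '%s\n' "$1" | grep -v -e '^dhcp-option=3,' -e '^$' || true
    gateway_option "$2"
}

# utm_is_up: exit 0 if $1 answers at least one of three pings, 1 otherwise.
utm_is_up() {
    ping -c 3 -W 2 "$1" >/dev/null 2>&1
}

# record_result up|down keeps the count of consecutive failures in $STATE.
# Returns 0 only when "down" has been seen FAIL_LIMIT times in a row (time to fail over);
# "up" resets the counter and returns 1.
record_result() {
    if [ "$1" = up ]; then
        echo 0 > "$STATE"
        return 1
    fi
    n=$(cat "$STATE" 2>/dev/null)
    n=$(( ${n:-0} + 1 ))
    echo "$n" > "$STATE"
    [ "$n" -ge "$FAIL_LIMIT" ]
}

# apply_gateway $1 rewrites the DHCP router option and restarts dnsmasq, but only when the
# advertised gateway actually changes, so nvram is not rewritten on every run.
apply_gateway() {
    have=$(nvram get dnsmasq_options)
    want=$(merged_options "$have" "$1")
    [ "$have" = "$want" ] && return 0
    nvram set dnsmasq_options="$want"
    nvram commit
    stopservice dnsmasq
    startservice dnsmasq
    logger -t utm-watchdog "DHCP default gateway is now $1"
}

# check_once runs one probe and acts on it; schedule it every minute from DD-WRT's cron.
check_once() {
    if utm_is_up "$UTM_IP"; then
        record_result up || true
        apply_gateway "$UTM_IP"
    elif record_result down; then
        apply_gateway "$ROUTER_IP"
    fi
}

# Only act on a real DD-WRT box (it has the nvram tool); elsewhere the functions can still be exercised.
if command -v nvram >/dev/null 2>&1; then
    check_once
fi
```

Save it to persistent storage (for example /jffs) and add a cron entry in DD-WRT's format (minute fields, then the user "root", then the script path). Keep the DHCP lease time short: clients learn the new gateway when they renew their lease, so the lease time, not the script, bounds the failover delay for devices that are not rebooted.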
Final words
I am very happy with my relatively sophisticated home network; it is always a good opportunity to break out of the norm and learn something new!
It is also a great place to practise my hobby, which is often accompanied by complaints from the other home dwellers about why a certain website is not working, but hey, it's so much fun!
With a UTM and web filtering in place it is normal that something breaks now and then; some even complained that they cannot see web ads and that the web does not look beautiful without them!