  • Showing only topics in ~tech with the tag "networking".
    1. Seeking advice for back-up internet connection at home

      Hello, Tildes Tech Support Team,

      I'm doing some Homelab stuff. And I'm looking for a way to set up an inexpensive back-up Internet connection. Less about having a connection when I'm home and Internet goes out (Phone hotspot works in a pinch), but more about getting in and getting statuses of stuff when I'm not home and Internet drops.

      For background, I have a Ubiquiti Unifi Dream Machine Pro that can do WAN failover. My primary Internet connection is through Verizon Fios. The UDM and the Fios ONT are directly connected via ethernet; I'm not using Verizon's crappy home router. Also, I rarely lose Internet connectivity. This really is just a Homelab experiment to see if it can be done.

      I've seen some stuff about getting a cheap, refurb smartphone and a cheap MVNO plan like Google Fi that nets me a handful of GB a month, and then tethering the UDM to the phone somehow (maybe through some cheap router in bridge/passthrough mode like a GLinet travel router). Has anyone had any experience doing this?

      But...I actually have a secondary Internet connection already. My apartment complex has WiFi across the complex and for each unit. That I unfortunately have to pay for, even though I don't use it -- I want FULL control over my home network. But since I do have it, is there a way I can take advantage of this? I'm thinking something like a reverse AP, if that exists. But it has to pass through the IP from the apartment WiFi.

      I know there will likely be issues with double NATing. But depending on the services/things I'm trying to access or keep access to, that may not be a factor. Like my Unifi hardware talking with the Unifi cloud access stuff. I think double NAT shouldn't matter.

      Anyway, appreciate whatever you all got!

      15 votes
    2. Looking for tips/advice for a hardware firewall/VPN for a small to medium size nonprofit

      Edit: Decided to go with the Ubiquiti Dream Machine Pro. Thank you for all the suggestions and advice!

      Hey Tildenauts,

      I'm planning to help a local nonprofit replace their aging hardware firewall pro bono. I have a fair amount of experience with networking and security, especially where web servers are concerned, but I haven't setup a hardware firewall recently enough to know off the top of my head which are the best options here.

      The organization is fairly small but on its way to medium sized, around 30 employees at the moment but will likely expand to 50+ in coming years. So I'm looking for a solution that will comfortably scale up to 100 employees. There is remote work, accessing their local server via VPN, so something that comes bundled with a user friendly VPN client would be ideal. I haven't seen their physical setup yet but I know their server gets a lot of use. Not all employees use it remotely on a regular basis but many do.

      From past experience I know that Cisco, Sophos and SonicWall are potential options. Cisco seems to be pushing their Meraki platform pretty hard but I don't think this organization needs a subscription based solution.

      Anyone have recommendations for hardware firewalls I should consider? Any potential footguns I should know about?

      Thanks in advance!

      8 votes
    3. Any Ubiquiti Unifi users? - Questions on zone firewall policies

      I'd normally post this on reddit...but I thought I'd give the Tildes Tech Support Team a try.

      I have a Ubiquiti Unifi Cloud Gateway Ultra and I'm trying to better understand zone firewall management and VLANs and all that.

      I'll start with a screenshot. I'm only changing the two settings highlighted in red.

      I'm trying to understand the difference between two firewall policy settings:

      1. Action = Allow ONLY, AND Connection State = Return Traffic
      2. Action = Allow AND Auto Allow Return Traffic checked, AND Connection State = All

      I have two VLANs -- "Internal" and "Lab." Each is in their own policy zone, also called "Internal" and "Lab." The "Internal" VLAN does not have the "Isolate Network" option checked, but "Lab" does.

      What I want is devices in "Internal" able to initiate and maintain connections with devices in "Lab." But I don't want devices in "Lab" able to initiate connections to devices in "Internal."

      With Policy 1, "Internal" can't reach "Lab" nor vice versa. Hmm.

      With Policy 2, "Internal" can ping and SSH into devices in "Lab," but not the other way around. Perfect; that's what I want.

      And now my question(s): What is the difference between these two policies? To me, they look the same. But clearly the end results say they're not. So what's actually going on here? Additionally, assuming I could get Policy 1 to do what I want, is Policy 2 more vulnerable from a cybersecurity perspective than Policy 1?

      If it helps, here's a screenshot of my zone matrix, with focus on source "Internal" and destination "Lab."

      Thanks!

      17 votes
    4. Looking for home networking recommendations

      I like to periodically audit my home computer infrastructure for upgrades/replacements. Mostly this is so I don't have to make an impulse purchase when something inevitably fails, but it's also nice to keep up to date on the state of the art.

      I'm currently trying to reassess my home networking, and I am a bit overwhelmed by everything. So I'm hoping that the residents of Tildes can help me out a bit with recommendations.

      I would classify myself as a fairly budget consumer. I'm on a less than 1Gbit Xfinity plan, and have mostly cobbled together my current system from collected parts over the years. My DNS/DHCP is handled by my primary router, an aging T-Mobile Asus device I picked up years ago and loaded with Merlin. A few years ago I picked up an Eero system on discount, and I have been using that in bridge mode to provide mesh Wifi around the house.

      The system I have in place is working great. It occurs to me though, that most of the parts are getting old enough that I can't replace them directly. I'm definitely not going to be able to find my specific router easily, and the first gen Eeros are also getting harder to find. I also think I might not be doing myself any favors with the chain of multiple devices being cobbled together. Perhaps it's time to look for a mesh system with the flexibility that my Asus/merlin router offers.

      So let's hear it. What sort of networking equipment is everyone using these days? What do you like about it? Any killer features that I have been missing while living under a rock?

      23 votes
    5. Not sure if there is a name for this setup?

      So, I want to achieve something particular regarding my home network.
      I want to have 2 routers, one is my main router that everything connects to except for my devices where I stream things from, and when it comes to streaming devices, I want those to use a different router that plugs into the main router

      Why? I have been selected for the focalmeter panel and that device is connected to a router to

      1. intercept all packets going to the router it is setup with
      2. replaces the hostnames of all the devices with a random selection of letters (think HH123-4) and I don't want that to happen with my servers. (aka it takes over the DHCP service on the router)

      part 1 kinda bothers me but 2 is such a nuisance for when I am doing SSH, So my solution is to get a secondary router for the "streaming" part of my network, hook that router up to my main router and then let the focalmeter take over the DHCP service of that secondary router and so everything it does impacts only the streaming part of my network. Like the focalmeter could literally fuck up the secondary router and my servers and machines I use for non-streaming reasons would not be affected in any way.

      My streaming devices need to be able to access my servers to be able to access my jellyfin but that's the only necessary connection I can think of atm. Although it would be nice if I can have the devices on my main network access my streaming devices over the network too.

      All that to say, when looking up how to get 2 routers to work side-by-side like that with both their DHCP services up and running but not conflicting, I don't really know what to look for. Am I trying to set up a subnet or is there some other word for the network architecture I am trying to achieve?

      6 votes
    6. Any VLAN expert here? Will be setting it up on my Mikrotik router and Unifi APs this weekend.

      I come in search for somebody who knows a thing or two about VLANs or, if possible, had set it up for themselves at home (or work).

      I have Mikrotik router and Ubiquiti Unifi APs. My goal is to have three separate SSIDs on my APs to differentiate clients. One group would be closest family (group 1), another friends (2) and the last one would be QR-setup guest wifi (3).

      The reason is security. I run 24/7 server at home with many services that I don't want other people than #1 to see. But I also run ie. DNS there that I would like all to see (all three groups; or make them use other DNS via DHCP-set-DNS, ie. 1.1.1.1).

      So far I believe everything from that list is doable with the right knowledge (that I have yet to achieve). But I would also like some other things and that's part of why I'm asking here.

      • Is it possible to initiate connection from #1 to device in #2? Ie. from server to Raspberry that serves as temperature sensor for Home Assistant? Is it some built-in functionality like "higher number VLAN can access all lower numbers" or do I have to set up some exception on my router for specific IP and port? Or specific LAN port (I have 24 port router, yet not everything is connected via ethernet)
      • Do I have to set it all up in specific order? I have read that I can cut myself off from accessing my router if I setup VLAN incorrectly and that's what I don't want to do :-)

      If you know how to setup VLAN and could provide some points to kinda carve the path I could stick to, I would be really grateful! I do not want manual of step-by-step instructions, rather some points to follow so I don't fall for something important I missed.

      I will of course read up on it myself and will experiment a bit (I have old RB133 or maybe even RB433 around that I can use for learning), but it would be great to have some pointers.

      Thanks in advance for any advice or recommendations.

      14 votes
    7. Best way to set up NAS?

      so I have a setup where I have a NUC that has docker on it, one of the containers is my nextcloud that I use for sharing my files across my computers.

      I also have a synology NAS which is connected to my NUC via NFS and the files themselves are stored on that NFS file via a docker volume mount.

      Hopefully that made sense.

      My problem: not often but it does happen where my router has an issue, today it just needed a restart. another time it was cause I deliberately disconnected it from the power not realizing it would mess up the connection between my NUC and my NAS.
      Why is this an issue? it causes my nextcloud to freeze up as the files it is supposed to share are no longer available. necessitates me restarting my NUC to get the connection going again.
      Thankfully hasn't happened often but still something that can be scary in the moment. My question is, is this just one of the pitfalls I have to accept of utilizing a NAS the way I am or is there a way to connect a Synology to a NUC and ensure router issues don't cause the nextcloud docker instance to freeze?

      12 votes
    8. Simulating an ISP's access to your traffic

      Hey all,

      We're working on a press-freedom / anti-censorship project and we're testing a variety of scenarios in which a journalist's internet traffic is being monitored by a hostile state. We'd like to simulate an ISP's access to the journalist's traffic so we can run some packet collection and other tests to see what it looks like.

      What's the best way to do this? Put a few routers in series and collect on the last one?

      19 votes
    9. [SOLVED] Debugging a slow connection between local devices in only one direction

      [SOLVED]

      ... well, this is in many ways very unsatisfying, because I have no idea why this worked, but I seem to have fixed it.

      Server A has two Ethernet ports, an Intel I219V and a Killer E3100. Several months ago, when trying to debug sporadic btrfs errors (I had my RAM installed incorrectly!), I had disabled some unused devices in BIOS, including the Killer Ethernet port.

      Since I had no other ideas, and it seemed like this was somehow specific to this server, I just re-enabled the Killer port and switched the Ethernet cable to that port. I'm now getting 300 Mb/s transfers from my wireless devices to my server, exactly as expected.

      I'm gonna like... go for a walk or something. Thank you so much to everyone who helped me rule out all of the very many things this could have been! I love this place, you all are so kind and supportive.

      Original:

      I'm trying to debug a perplexing networking situation, and I could use some guidance if anyone has any.

      Here's my setup:

      • UniFi Security Gateway
      • UniFi Switch Lite
      • Two UAPs
      • Two servers, A and B, connected to the USW-Lite with GbE
      • Many wireless devices, connected to the UAPs

      Here's what I'm experiencing:

      • Network transfers from the wireless devices to server A (as measured by iperf3 tests) are very slow. Consistently between 10 and 20 Mb/s.
      • Network transfers from server A to all devices are expected speeds. 900-1000 Mb/s to server B, 350-ish Mb/s to wireless devices.
      • Network transfers between server B and all devices (in both directions!) are expected speeds.
      • Network transfers from the USG to server A also seem slow, which is odd. Only about 60 MB/s.
      • Network transfers from the USG to server B and the wireless devices is about 300 MB/s

      So, specifically network transfers from any wireless device to server A are slow, and no other connections have any issues that I can see.

      Some potentially relevant details:

      • Server A is running Unraid
      • Server B is running Ubuntu
      • Wireless devices include a Fedora laptop, an iPhone, and a Macbook Pro
      • UniFi configuration is pretty straightforward. I have a few ports forwarded, a guest WiFi network (that none of these devices are on), a single default VLAN, and two simple "Allow LAN" firewall rules for Wireguard on the USG. No other firewall or routing config that I'm aware of.

      If anyone has any thoughts at all on how to continue debugging, I would be immensely grateful! I suppose the next step would be to try to determine whether it's the networking equipment or the server itself that is responsible for the throttling, but I'm not sure how best to do that.

      15 votes
    10. Fanless x86 mini PCs are getting absurdly fast and cheap

      Pretty much what the title says - I’ve been looking for something small and not too expensive to run a few VMs on recently, and I’m just genuinely amazed at where the tiny SBC space is at right now.

      The Celeron N5105 seems to be the go to choice at the moment. You can get an entire machine running that CPU that’s slightly smaller than an old double CD jewel case, for $150. Less than $200 if you want 16GB RAM and a fast NVMe SSD in there too. Four decent quality 2.5GbE NICs thrown in as a bonus. And it’s not that much slower than my expensive full size desktop from late 2020.

      Part of me thinks I’m just getting old - phones have been plenty of people’s primary computer for years now, after all - but there’s something about having a real standalone x86 PC that size for literally 1/5th the price of a flagship phone that just blows my mind.

      7 votes
    11. [SOLVED] Looking to debug a wifi issue, or possibly for a new wifi router

      EDIT: Crisis averted! The problem was with the modem and not the devices connecting to it. I'm not sure why the first person I called at the ISP couldn't help me. In reality, the second person I called also didn't help, but something magically started working after talking with them a second time and rebooting the modem about 5 more times, so it turns out I don't need a new WiFi router at this time. That said, I will take these suggestions to heart, as I may be buying one anyway as a backup for when this inevitably happens again.

      TL;DR: I probably need a new wifi router and want one that isn't malware and will work even if the company I bought it from goes under or stops making it.

      Long version:
      So today my wifi stopped working. I use an Apple Airport Extreme (the tower one that has a Time Machine backup in it). I've had it for 5 or 10 years and it's worked fine during that time, other than replacing the hard drive it backs up to. My spouse and I were sitting on the couch after lunch surfing the web on our phones, when we suddenly couldn't reach anything. The router itself appears fine. We can connect to it and see other devices that are connected to it, but for some reason, it's no longer communicating with the cable modem via the WAN port. It still backs up the computers in our house, though. I have tested the cable that was connecting it to the cable modem, and it appears fine. I can connect my computer directly to the cable modem without issue using the same cable. So my guess is that the WAN port is hosed.

      However, I'm suspicious that something else is going on for 2 reasons. #1, the cable company (Spectrum) made me replace my cable modem last week. I did that, got my Airport connected to it, and after a call to tech support got it up and running. It's been working for the past week. I suspect the modem may have updated or changed configuration without me knowing it and that's the real cause here. They sent me a Wifi router with the modem, but will charge me $5.00/month if I keep it. I'd rather own the hardware. #2, I have an older Airport Express that was working the last time I used it. I replaced it with the newer model about 5 years ago so I could do backups. It fails to work in the same way. It seems like the WAN port isn't communicating with the cable modem. So, if there's some way to verify that the WAN ports on my Airports are or aren't working, I'd be interested to hear about it.

      I am able to connect a wired ethernet switch to the cable modem and all devices on the switch can see the Internet just fine. I tried connecting both Airports to the switch via their WAN ports while the switch was connected to the cable modem, but that did not work. (Or at least, I couldn't connect to the internet via either Airport.)

      So, on the off-chance that both my Airports have a similar failure, I need to replace them. I have gotten suggestions from others, but have been pretty unhappy with them. I have the following requirements:

      • Absolutely must not store any information about me in the cloud (for example as Ubiquiti apparently does)
      • Absolutely must not rely on any sort of connection to the manufacturer to work properly and must not phone home without my permission
      • Preferably not a poorly made device that will die in 3 years
      • Must work properly and at full speed with Apple devices
      • Must not require a phone app to configure
      • Must have ~3 ethernet ports so I can hardwire in my TV devices (AppleTV, TiVo, etc.)

      Things I don't need, but aren't a deal-breaker if it has it:

      • The ability to configure every little setting. I prefer to set it and forget it.
      • Mesh networking. My house is not huge, the cable modem is in the middle of the house and my single Airport base station has good coverage of the entire house.

      If you know of any device like this, please share!

      7 votes
    12. Recommendation request: Modern wifi routers

      I'm running out of time to finish the spend requirements on a credit card promotion. I was planning on buying a VR headset, but I realized there was something that would actually be much more useful; a new router.

      The market for consumer routers has been really strange; We are on the sixth generation, yet it's super common for consumer routers to be two or three generations behind, especially the less expensive ones. So much of the stuff on the market only goes up to 802.11n, and half of the time the firmware they include is halfway broken or is missing important features.

      So I'm looking for a router that is relatively future-proof. I want Wifi 6. I want something that won't be interrupted by the microwave. Open source firmware would be excellent, but not a requirement. I don't need mesh networking; my house is not that big. I do want it to be relatively inexpensive; I'd consider $300 to be a hard limit unless someone has a persuasive argument to justify the cost.

      I would also prefer to avoid Netgear. I have no idea how they stay in business with the mountains of problems I have had with their products and their horrible support. The last time I owned a Netgear product, I was forced to give them my email address to download the driver and they illegally added it to their marketing mailing list without my permission. I don't do business with people who betray me.

      18 votes
    13. Is there a proxy/vpn setup that can compress data in situ?

      I've been wondering about this for a while whenever I'm on a metered connection or a capped one.

      It'd be cool if I could use my vps to help save data in exchange for latency. Having it download and compress any compressible materials before serving them would be a godsend, but it sounds very edge case-y given how places like youtube deliver videos in bite size pieces

      Does something like this sound at all possible, or should I just assume it's too niche and look for other data saving ways?

      7 votes