LRADIKAL
Jun 10, 2001

Fun Shoe

H110Hawk posted:

As in, secure it from unauthorized use? 802.11x EAP-TLS is the real answer here. Some systems will let you reset macsec on carrier loss but that seems obnoxious to fix each time you do a firmware update on your AP. Install a cert on your AP, trust it on your USG, and refuse access to anyone else. I'm making a bunch of logical leaps here on what the USG supports out of the box.

Thanks, looks like I'll be setting up a RADIUS server to go with it.

H110Hawk
Dec 28, 2006

LRADIKAL posted:

Thanks, looks like I'll be setting up a RADIUS server to go with it.

I don't think user auth is required, you just need a CA + client + server cert to stand up EAP-TLS as I understand it.

Finding an article that has the AP as the client is obnoxiously hard. It does look like a USG can be your RADIUS server though if you want. You could just set up PEAP and call it a day, no one is actually going to use your ethernet port.

https://help.ui.com/hc/en-us/articles/115007253447-Intro-to-Networking-AAA-802-1X-EAP-RADIUS
https://help.ui.com/hc/en-us/articles/115004589707-UniFi-USW-Configuring-Access-Policies-802-1X-for-Wired-Clients

H110Hawk fucked around with this message at 23:46 on May 9, 2020

LRADIKAL
Jun 10, 2001

Fun Shoe
I want to do it so I can do it again later, and if one of my few turbo nerd friends asks about my security I have an answer so thanks for the tips!

H110Hawk
Dec 28, 2006

LRADIKAL posted:

I want to do it so I can do it again later, and if one of my few turbo nerd friends asks about my security I have an answer so thanks for the tips!

Trust me don't try to use freeradius no matter how luxurious your neckbeard. Use something canned like the usg or windows server or something.

EAP-TLS w/ certs gets you mutual device authentication, then your clients on the AP can be sent to a captive portal VLAN and clients with auth creds (cert+token(username+password)) can get through. "NAC" is the term for the policy server implementing 802.11x, and WPA2-Enterprise is the network type if you have to choose in your client.

Enjoy annoying all your friends who ask for your wifi password.
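The CA + server cert + client cert set that the two posts above describe, as an added example that is not from the thread. It builds the PKI with the openssl command line and then runs the decision a RADIUS server makes on each EAP-TLS handshake (does this certificate chain to our CA, and is it allowed to act as a TLS client), including the two refusals that matter: a certificate issued by some other CA, and our own server certificate presented as if it were a client. The subject names, the output directory and the openssl version (1.1.1 or later) are assumptions; the RADIUS server itself, canned or otherwise, is out of scope here.

```shell
#!/bin/sh
# Added example, not code from the thread. The minimal PKI an EAP-TLS setup
# needs: one private CA signing one server certificate (for whatever RADIUS
# server you pick) and one client certificate (for the AP acting as the 802.1X
# supplicant). Both ends trust only ca.crt, so a certificate from any other
# issuer, however valid on its own, is refused. Subject names, the output
# directory and the openssl CLI (1.1.1 or later) are assumptions.
set -eu

# All extension sets live in one config so no distro default openssl.cnf
# sneaks extra (or duplicate) extensions into the certificates.
eaptls_write_cfg() {
    cat > "$1/eap.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.home.lan
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# $1 dir, $2 CA basename, $3 subject CN: a self-signed CA with ca_ext.
eaptls_make_ca() {
    openssl req -x509 -config "$1/eap.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# $1 dir, $2 leaf basename, $3 CA basename, $4 extension section, $5 subject CN.
# EKU is deliberately narrow: a server cert cannot double as a client cert.
eaptls_issue() {
    openssl req -new -config "$1/eap.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$5" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -days 825 -extfile "$1/eap.cnf" -extensions "$4" \
        -out "$1/$2.crt" 2>/dev/null
}

# Our CA plus the two certificates EAP-TLS needs. $1 = output dir.
eaptls_build_pki() {
    mkdir -p "$1"
    eaptls_write_cfg "$1"
    eaptls_make_ca "$1" ca home-eap-ca
    eaptls_issue "$1" server ca server_ext radius.home.lan
    eaptls_issue "$1" client ca client_ext ap-office
}

# An unrelated CA and a client cert carrying the SAME CN as our AP: what a
# device that merely has "a valid certificate" looks like. $1 = output dir.
eaptls_build_rogue() {
    eaptls_make_ca "$1" rogue-ca somebody-else-ca
    eaptls_issue "$1" rogue rogue-ca client_ext ap-office
}

# The RADIUS server's per-handshake decision reduced to openssl verify:
# chains to OUR CA and is usable as a TLS client (EKU clientAuth).
# $1 dir, $2 cert file; exit 0 = admit, non-zero = refuse.
eaptls_admit() {
    openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    eaptls_build_pki "$d"
    eaptls_build_rogue "$d"
    for c in client server rogue; do
        if eaptls_admit "$d" "$d/$c.crt"; then echo "$c.crt: admit"; else echo "$c.crt: refuse"; fi
    done
fi
```

`sh eaptls.sh demo` prints the three verdicts (client admitted, server and rogue refused). Install only ca.crt as the trusted CA on the RADIUS server and on the AP, server.crt/key on the RADIUS server and client.crt/key on the AP, and keep ca.key off the network: whoever holds it can mint a certificate that passes this check.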

Steakandchips
Apr 30, 2009

I have unifi APs and the unifi controller lives on the unifi cloudkey which I also have.

I have one wifi network at home, lets call it HOME1.

HOME1 is connected to all devices in the house. Including the electricity and gas "smart" meter. This loving meter phones home hundreds of megabytes a month. I have no idea what sort of data it is hoovering up from my network. So I wanted a separate wifi network which is segregated from HOME1 and all my normal devices.

I tried creating HOME2 via this menu (I had had it enabled, but I have unchecked Enabled for now):


Can someone please advise why HOME2 (as depicted above) never works properly when enabled? I.e. it can be detected by devices, but when they try to connect to it, they either can't connect, or if they do for a few minutes, they can't use the internet.

Thanks Ants
May 21, 2004

#essereFerrari


You've put it on VLAN2, what devices on your network know about that VLAN? Have you configured it on switches, on your gateway etc.?

Steakandchips
Apr 30, 2009

Thanks Ants posted:

You've put it on VLAN2, what devices on your network know about that VLAN? Have you configured it on switches, on your gateway etc.?

Uhhhh.

The switches are all dumb switches.

The gateway hasn't had anything configured in it for VLAN2.

I literally thought just since HOME1 is not on any vlan, if I put the HOME2 on a new vlan, it would 'just work' and not communicate with other devices on the network since it's on its own network and just be able to phone home via the internet whatever it wants.

Clearly I am an idiot.

How do I make it work?

SlowBloke
Aug 14, 2017

Steakandchips posted:

Uhhhh.

The switches are all dumb switches.

The gateway hasn't had anything configured in it for VLAN2.

I literally thought just since HOME1 is not on any vlan, if I put the HOME2 on a new vlan, it would 'just work' and not communicate with other devices on the network since it's on its own network and just be able to phone home via the internet whatever it wants.

Clearly I am an idiot.

How do I make it work?

You need at least web-smart switches to set up vlans or if you don’t have any idea how to set one, just get a UniFi switch.

Also you need a router/gateway able to manage multiple lan networks, again if you don’t have any idea how to do so, get a UniFi router(udm or usg)

SlowBloke fucked around with this message at 12:21 on May 10, 2020

H110Hawk
Dec 28, 2006
Disconnect your meters from the wifi. Problem: solved. They can zwave home their data if they want it so badly.

Thanks Ants
May 21, 2004

#essereFerrari


Can UniFi access points do any sort of firewalling in the AP itself? I've not used them in ages but you might be able to designate a network as a guest network which only lets devices talk to the Internet and isolates them from each other, and you can limit them to say 100Kbps per client.

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

Thanks Ants posted:

Can UniFi access points do any sort of firewalling in the AP itself? I've not used them in ages but you might be able to designate a network as a guest network which only lets devices talk to the Internet and isolates them from each other, and you can limit them to say 100Kbps per client.

Client groups will rate limit at the AP, and guest policies are the only way to do client isolation that i'm aware of. You can enable guest policies without enabling the captive portal, although I haven't used either.

Steakandchips
Apr 30, 2009

H110Hawk posted:

Disconnect your meters from the wifi. Problem: solved. They can zwave home their data if they want it so badly.
Yeah, that's not happening, unfortunately.

SlowBloke posted:

You need at least web-smart switches to set up vlans or if you don’t have any idea how to set one, just get a UniFi switch.

Also you need a router/gateway able to manage multiple lan networks, again if you don’t have any idea how to do so, get a UniFi router(udm or usg)

Right, so, SlowBloke says I need:

1. A smart switch or a Unifi Switch.
2. A router to manage multiple LANs or a Unifi router.

I don't really want to be getting a smart switch or a unifi switch. But if I'm getting a smart switch now, I'd want one to have at least a few, i.e. 3 or more 10gigabit RJ45 ethernet ports on it and it be fanless. I don't really want to go down that route right now though as that's just needless expense for segregating stupid IoT crap.

Q1. My existing Mikrotik Hex should be able to handle multiple LANs, right?
Q2. Anyway to do this without needing smart switches?


H2SO4 posted:

Client groups will rate limit at the AP, and guest policies are the only way to do client isolation that i'm aware of. You can enable guest policies without enabling the captive portal, although I haven't used either.

Q3. If I set up a Guest Network checked here (with VLAN unchecked):


and keep Guest Portal offline:


will this do what I want, i.e. set up a new wifi network that's segregated from other devices, and can only get access to the internet? And I wouldn't need the smart switch and/or messing with the VLANs?

withoutclass
Nov 6, 2007

Resist the siren call of rhinocerosness

College Slice
Did you create vlan 2? If the vlan doesn't exist I don't think it will work.

H110Hawk
Dec 28, 2006

Steakandchips posted:

Yeah, that's not happening, unfortunately.

What value do you get from the wifi connection? What happens if your wifi breaks for a month? (I have no clue how this works.)

Raymond T. Racing
Jun 11, 2019

Steakandchips posted:

Yeah, that's not happening, unfortunately.


Right, so, SlowBloke says I need:

1. A smart switch or a Unifi Switch.
2. A router to manage multiple LANs or a Unifi router.

I don't really want to be getting a smart switch or a unifi switch. But if I'm getting a smart switch now, I'd want one to have at least a few, i.e. 3 or more 10gigabit RJ45 ethernet ports on it and it be fanless. I don't really want to go down that route right now though as that's just needless expense for segregating stupid IoT crap.

Q1. My existing Mikrotik Hex should be able to handle multiple LANs, right?
Q2. Anyway to do this without needing smart switches?


Q3. If I set up a Guest Network checked here (with VLAN unchecked):


and keep Guest Portal offline:


will this do what I want, i.e. set up a new wifi network that's segregated from other devices, and can only get access to the internet? And I wouldn't need the smart switch and/or messing with the VLANs?

10gig copper and fanless are not compatible statements.

10Gbe gets stupid hot.

SlowBloke
Aug 14, 2017

Buff Hardback posted:

10gig copper and fanless are not compatible statements.

10Gbe gets stupid hot.

I’ve just bought two RJ45 SFP+ for my fanless switch. They get stupid hot yes but it’s not impossible (as long as you don’t fill the switch with them)

Raymond T. Racing
Jun 11, 2019

SlowBloke posted:

I’ve just bought two RJ45 SFP+ for my fanless switch. They get stupid hot but it’s doable (as long as you don’t fill the switch with them)

SFPs are a magical breed. Actual native 10Gbe ports on a switch though, that's where it gets sketchy.

SlowBloke
Aug 14, 2017

Buff Hardback posted:

SFPs are a magical breed. Actual native 10Gbe ports on a switch though, that's where it gets sketchy.

If you don’t mind unmanaged, Asus does an 8-port gigabit plus two-port 10GBASE-T (XG-2008), otherwise plenty of choices with Mikrotik (which should be an easier model to pick up if steak's router is a Hex) to be coupled with S+RJ45

SlowBloke fucked around with this message at 18:00 on May 10, 2020

ROJO
Jan 14, 2006

Oven Wrangler
Did you actually create a new network in the "Network" pane, called something like VLAN, and tag it with the right VLAN identifier? You can't just point an AP/SSID to a vlan without having created the actual corresponding VLAN network in the router. For example, I have "VLAN30 IOT" tagged to vlan 30 in my network pane, and attach my IoT SSID to vlan30, then apply firewall rules to segregate out vlan30 from everything i care about.

Alternatively, just use the guest network functionality.

edit: oh wait, I didn't realize you didn't have a USG/UDM, just the standalone APs and a controller. Yeah you at least need a router that will handle vlans. I'm not even sure if the unifi guest network functionality works without a USG/UDM.

ROJO fucked around with this message at 18:40 on May 10, 2020

Discussion Quorum
Dec 5, 2002
Armchair Philistine
I don't think the guest functionality does, but for segregation you can use any router that understands VLANs. You just lose some convenience. I used Tomato and then an ER-X before I got a UDM.

H110Hawk
Dec 28, 2006
DD-WRT can do it out of the box but :suicide: did it for an IoT thing that required internet access but not LAN.

Steakandchips
Apr 30, 2009

withoutclass posted:

Did you create vlan 2? If the vlan doesn't exist I don't think it will work.

Well I checked the box in that window and typed in VLAN2, but I don't think that is what you mean... (can you tell I'm not that familiar with networking? :) )


H110Hawk posted:

What value do you get from the wifi connection?

I am assuming you mean what value do I get from the electricity/gas meter being connected to the wifi. The value in it is that my wife doesn't bitch at me that her special snowflake eco-electricity provider isn't getting all the data it needs about how we use gas and electricity.


H110Hawk posted:

What happens if your wifi breaks for a month? (I have no clue how this works.)
From the elec/gas smart meter perspective (the monthly direct debits are fixed), probably nothing, other than her bitching at me.

Buff Hardback posted:

10gig copper and fanless are not compatible statements.

10Gbe gets stupid hot.

Sigh. Maybe in a few years then I hope. Or maybe I can put it in the other room.


SlowBloke posted:

If you don’t mind unmanaged, Asus does an 8-port gigabit plus two-port 10GBASE-T (XG-2008), otherwise plenty of choices with Mikrotik (which should be an easier model to pick up if steak's router is a Hex) to be coupled with S+RJ45

Thanks, I'll google those.


ROJO posted:

Did you actually create a new network in the "Network" pane, called something like VLAN, and tag it with the right VLAN identifier? You can't just point an AP/SSID to a vlan without having created the actual corresponding VLAN network in the router. For example, I have "VLAN30 IOT" tagged to vlan 30 in my network pane, and attach my IoT SSID to vlan30, then apply firewall rules to segregate out vlan30 from everything i care about.

I did not do this.


ROJO posted:

edit: oh wait, I didn't realize you didn't have a USG/UDM, just the standalone APs and a controller. Yeah you at least need a router that will handle vlans. I'm not even sure if the unifi guest network functionality works without a USG/UDM.

Thanks, this is good to know.


Discussion Quorum posted:

I don't think the guest functionality does, but for segregation you can use any router that understands VLANs. You just lose some convenience. I used Tomato and then an ER-X before I got a UDM.

Guess I'm googling Mikrotik and VLANs!
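What "create the VLAN on the router" from ROJO's post amounts to, as an added example that is not from the thread. It is written for a Linux gateway using ip(8), nftables and dnsmasq, because that can be checked offline; a RouterOS Hex or a USG needs the same three things (a VLAN interface with an address, a DHCP server bound to it, and filter rules between it and HOME1) in its own syntax. Interface names, VLAN id 2 and the address plans are assumptions, as is a trunk that carries VLAN 2 tagged all the way from the AP to the gateway, which is the part the managed switch recommended above provides.

```shell
#!/bin/sh
# Added example, not code from the thread. What "creating VLAN 2" has to mean
# on the gateway for an SSID tagged to it to work: an interface on that VLAN
# with an address, DHCP/DNS answering on it, and forward rules that let it
# reach the internet but not HOME1. Linux router with ip(8), nftables and
# dnsmasq; interface names, VLAN id and address plans are assumptions, and
# the trunk is assumed to carry VLAN 2 tagged end to end from the AP.
set -eu

TRUNK=lan0              # port towards the AP; HOME1 rides untagged on it
WAN=wan0                # assumed to be NATed already (masquerade not shown)
VID=2
LAN_NET=10.1.0.0/24     # HOME1
IOT_NET=10.2.0.0/24     # HOME2, VLAN $VID
IOT_GW=10.2.0.1
IOT_IF="$TRUNK.$VID"

# 1. The VLAN must exist as an interface with an address on the gateway. With
#    nothing here, HOME2 clients associate fine and then get no DHCP answer,
#    which is exactly the "connects, then can't use the internet" symptom.
vlan_iface_cmds() {
    cat <<EOF
ip link add link $TRUNK name $IOT_IF type vlan id $VID
ip addr add $IOT_GW/24 dev $IOT_IF
ip link set $IOT_IF up
EOF
}

# 2. DHCP and DNS bound to the VLAN interface only.
dhcp_cmd() {
    echo "dnsmasq --interface=$IOT_IF --bind-interfaces --dhcp-range=10.2.0.100,10.2.0.200,12h"
}

# 3. The isolation. Rule order matters inside a chain: the IoT->HOME1 drop has
#    to sit before the IoT->internet accept, otherwise the "segregated" VLAN
#    reaches every HOME1 host through the accept. HOME1 may still initiate
#    towards the IoT side; replies come back via the conntrack rule.
#    DHCP DISCOVER arrives from 0.0.0.0, so no ip saddr match on that rule.
nft_ruleset() {
    cat <<EOF
table inet iotwall {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$IOT_IF" udp dport { 67, 53 } accept
    iifname "$IOT_IF" drop
    iifname "$TRUNK" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$IOT_IF" ip daddr $LAN_NET drop
    iifname "$IOT_IF" oifname "$WAN" accept
    iifname "$TRUNK" accept
  }
}
EOF
}

# Check to run on any ruleset before loading it: the IoT->HOME1 drop must
# precede the IoT->WAN accept in the forward chain. Exit 0 when it does.
ruleset_isolates() {
    drop=$(nft_ruleset | grep -n "ip daddr $LAN_NET drop" | cut -d: -f1)
    acc=$(nft_ruleset | grep -n "oifname \"$WAN\" accept" | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$acc" ] && [ "$drop" -lt "$acc" ]
}

case "${1:-}" in
    show)  vlan_iface_cmds; dhcp_cmd; nft_ruleset ;;
    apply) ruleset_isolates          # set -e: refuse to load a bad ordering
           vlan_iface_cmds | sh -e
           eval "$(dhcp_cmd)"
           nft_ruleset | nft -f - ;;
esac
```

`sh iotvlan.sh show` prints the plan; `sh iotvlan.sh apply` loads it as root and stops before touching nftables if the ordering check fails. On a Mikrotik the equivalent is a vlan interface on the LAN bridge/ether, a DHCP server on it, and `/ip firewall filter` rules in that same order.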

headcase
Sep 28, 2001

I had my first serious issue with the UDM. Sat down last night for an evening of gaming. My first Overwatch match was normal 32ms network latency. Overwatch has shown me 32ms consistently for the past 2 years. I never have any networking blips with my fiber connection.

The next match gave me 1000ms spikes and disconnects on repeat. Totally unplayable. I also couldn't connect to the local IP of the udm. There were no upgrades or speed tests enabled. I am on the latest version. This seemed to stabilize after 15 minutes or so, and I risked another game. The same thing happened.

Any tips on what to look out for? After some googling. I turned my expected internet speed down and disabled DPI and rebooted the device. It seems fine since then. I can't keep having this happen unexpectedly, though. Everything else is pretty much default set up. I was pretty let down, but I'm sure there is a solution.

edit: Cat6 directly to the UDM, BTW

also edit: the dashboards showed no anomalies at all. I didn't figure out how to look at a system log, but all the built in reporting was perfect looking.

headcase fucked around with this message at 20:45 on May 10, 2020

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

Steakandchips posted:



Guess I'm googling Mikrotik and VLANs!

If you're looking to do this, you're much better off buying UniFi switching and routing gear. Gonna be a much smaller learning curve than trying to stitch two different platforms together without an existing familiarity with networking concepts.

Steakandchips
Apr 30, 2009

H2SO4 posted:

If you're looking to do this, you're much better off buying UniFi switching and routing gear. Gonna be a much smaller learning curve than trying to stitch two different platforms together without an existing familiarity with networking concepts.

The poster above you is why I don't really want to go full unifi, i.e. they are good at APs, but their other stuff... Sometimes it is a bit hit and miss. My current Mikrotik Router and HP Procurve switches are rock solid. They Just Work, no faffing, no spikes of lag, nothing, never ever need restarts or janitoring.

bitprophet
Jul 22, 2004
Taco Defender
Tested the Cat6 cables recently pulled at my house. Most worked great; one didn't work at all (besides a brief link light flicker on connection) and another only negotiated at 100Mb the first time, but handily did Gb on two subsequent attempts.

This isn't an issue I've personally run into before, so I'm academically curious whether temporary speed downgrades are a strong signal of degraded cable (eg I just threw out an unrelated Cat5e patch cable that reliably only negotiates 100) or if they're not that worrisome.

For reference, the full path here involves two laptops w/ iperf, two USB-C ethernet dongles, two patch cables, and the wall run / its keystone jacks, all components nearly brand new. The other 7 cables I tested all worked flawlessly the first time :shrug:

H110Hawk
Dec 28, 2006

bitprophet posted:

Tested the Cat6 cables recently pulled at my house. Most worked great; one didn't work at all (besides a brief link light flicker on connection) and another only negotiated at 100Mb the first time, but handily did Gb on two subsequent attempts.

This isn't an issue I've personally run into before, so I'm academically curious whether temporary speed downgrades are a strong signal of degraded cable (eg I just threw out an unrelated Cat5e patch cable that reliably only negotiates 100) or if they're not that worrisome.

For reference, the full path here involves two laptops w/ iperf, two USB-C ethernet dongles, two patch cables, and the wall run / its keystone jacks, all components nearly brand new. The other 7 cables I tested all worked flawlessly the first time :shrug:

That smells like damaged cables in the wall. If you paid someone to do this you should ask them back out with your test results. If it pulls up as 100meg/half it's broken, if iperf can't rip through the same speed as if you directly connect the laptops using a jumper cable it's broken. They can use a TDR to determine to the inch where the cable is damaged. A cable installer should know what iperf is, or what a 100meg/half duplex connection means. Iperf is one of the programs their "certifier" runs even if it's completely hidden to them so you should trust it.
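The two tests in the post above (what the link negotiates, and iperf through the wall run compared with iperf between the same laptops on a patch cable) as a script, added here and not from the thread. The ethtool and iperf3 output it parses is constructed sample text in the same shape the real commands print; the interface name, the baseline figure and the 10% tolerance are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. A run is "broken" if the link negotiates
# below gigabit or half duplex, or if iperf3 through the wall run delivers
# noticeably less than the same two laptops back to back on a patch cable.
# Interface name, baseline figure and the 10% tolerance are assumptions.
set -eu

# Read `ethtool IFACE` output on stdin, print "ok" or "broken".
link_verdict() {
    awk '
        /Speed:/  { speed = $2; sub(/Mb\/s/, "", speed) }
        /Duplex:/ { duplex = $2 }
        END {
            if (speed + 0 >= 1000 && duplex == "Full") print "ok"; else print "broken"
        }'
}

# Read `iperf3 -c HOST` text output on stdin and print the receiver-side
# throughput as whole Mbit/s (handles the Gbits/sec form as well).
iperf_mbps() {
    awk '/receiver/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /bits\/sec/) {
                v = $(i - 1) + 0
                if ($i ~ /^Gbits/) v = v * 1000
                printf "%d\n", v
            }
    }'
}

# $1 = Mbit/s laptop-to-laptop on a short patch cable (the baseline),
# $2 = Mbit/s through the wall run. More than 10% under the baseline is
# "broken": a marginal run can still show 1000/Full and then fall over under
# load, and that is the case where the installer's TDR earns its keep.
throughput_verdict() {
    floor=$(( $1 * 90 / 100 ))
    if [ "$2" -ge "$floor" ]; then echo ok; else echo broken; fi
}

# Constructed samples in the shape of real ethtool / iperf3 output, so the
# parsing can be exercised offline. Replace with `ethtool eth0` and
# `iperf3 -c <host>` on the real runs.
ETHTOOL_GOOD='Settings for eth0:
        Speed: 1000Mb/s
        Duplex: Full
        Link detected: yes'
ETHTOOL_BAD='Settings for eth0:
        Speed: 100Mb/s
        Duplex: Half
        Link detected: yes'
IPERF_GOOD='[  5]   0.00-10.00  sec  1.09 GBytes   938 Mbits/sec                  receiver'
IPERF_SLOW='[  5]   0.00-10.00  sec   111 MBytes  93.1 Mbits/sec                  receiver'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$ETHTOOL_BAD" | link_verdict
    base=$(printf '%s\n' "$IPERF_GOOD" | iperf_mbps)
    run=$(printf '%s\n' "$IPERF_SLOW" | iperf_mbps)
    throughput_verdict "$base" "$run"
fi
```

With real hardware, pipe `ethtool eth0` into link_verdict and `iperf3 -c <host>` into iperf_mbps twice, once through the wall run and once on a patch cable between the same two laptops; the patch-cable number is the baseline that throughput_verdict takes as its first argument. A 93 against a 938 baseline is the case the post describes, not a near miss.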

Raymond T. Racing
Jun 11, 2019

Steakandchips posted:

The poster above you is why I don't really want to go full unifi, i.e. they are good at APs, but their other stuff... Sometimes it is a bit hit and miss. My current Mikrotik Router and HP Procurve switches are rock solid. They Just Work, no faffing, no spikes of lag, nothing, never ever need restarts or janitoring.

IMO if you're not willing to janitor (and don't want/need IDS/IPS), going USG/Unifi switchgear is a better bet than the UDM or UDM-pro for now.

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord
I've said it a few times in here, but I've had my parents on a USG/USW/UAP stack for years now and it has been by far the best technology decision I have ever made.

bitprophet
Jul 22, 2004
Taco Defender

H110Hawk posted:

That smells like damaged cables in the wall. If you paid someone to do this you should ask them back out with your test results. If it pulls up as 100meg/half it's broken, if iperf can't rip through the same speed as if you directly connect the laptops using a jumper cable it's broken. They can use a TDR to determine to the inch where the cable is damaged. A cable installer should know what iperf is, or what a 100meg/half duplex connection means. Iperf is one of the programs their "certifier" runs even if it's completely hidden to them so you should trust it.
Yea I'm still working with them (it's a general contractor w/ prior experience running network cables) for a pile of other things through this coming week; this was simply the first time I could test the jacks without getting paint on my laptops. Guy specifically said he would re-run anything that doesn't work.

I can't think of a good reason NOT to have that flaked-out-initially cable re-run along with its completely busted companion, unless it's going to be a lot of extra work. Just hope it is not a general problem with that part of the run (they are to the same drop location).

FWIW I am using iperf here and I'm lucky I even noticed the 100Mb issue. I'm very braindead today. "The number starts with 9? must be in the 900s like all the other tests! ... wait that's 93, not 930 ..." :doh:

headcase
Sep 28, 2001

I guess I can only hope they stabilize it before it wears me out. Any tips on settings that will make it last longer than a week without poking it?

H110Hawk
Dec 28, 2006

bitprophet posted:

Yea I'm still working with them (it's a general contractor w/ prior experience running network cables) for a pile of other things through this coming week; this was simply the first time I could test the jacks without getting paint on my laptops. Guy specifically said he would re-run anything that doesn't work.

I can't think of a good reason NOT to have that flaked-out-initially cable re-run along with its completely busted companion, unless it's going to be a lot of extra work. Just hope it is not a general problem with that part of the run (they are to the same drop location).

FWIW I am using iperf here and I'm lucky I even noticed the 100Mb issue. I'm very braindead today. "The number starts with 9? must be in the 900s like all the other tests! ... wait that's 93, not 930 ..." :doh:

Have them rip the cable out and carefully inspect it. I bet you find sharp object damage that you can punch a hole in the wall to repair and repull.

Internet Explorer
Jun 1, 2005

headcase posted:

I guess I can only hope they stabilize it before it wears me out. Any tips on settings that will make it last longer than a week without poking it?

Turning off DPI will likely fix the problem. Turn it back on after some patches.

headcase
Sep 28, 2001

Internet Explorer posted:

Turning off DPI will likely fix the problem. Turn it back on after some patches.

Thanks. If that is the case, then I am a happy camper.

ROJO
Jan 14, 2006

Oven Wrangler
Yeah, the UDM still sounds like a bit of a headache, but my USG and all my other stuff has been rock solid. These times are only indicative of how often I update things, not stability (then it would be years):



....which in itself is a good lesson on using ubiquiti.....let the updates mellow in the wild a bit before you apply.

ROJO fucked around with this message at 02:14 on May 11, 2020

derk
Sep 24, 2004

ROJO posted:

Yeah, the UDM still sounds like a bit of a headache, but my USG and all my other stuff has been rock solid. These times are only indicative of how often I update things, not stability (then it would be years):



....which in itself is a good lesson on using ubiquiti.....let the updates mellow in the wild a bit before you apply.

I went back to my ER-X. Was using a USG 3P, was having latency issues gaming, turned DPI off, it helped but would still spike to hell. Went back to ER-X, 0 problems. I have 2 AC-LITE APs going with the ER-X. Solid equipment minus my USG giving me problems. It was nice looking at all the extra stats and controlling everything from the controller, but I can't be having spikes like that while gaming, too frequent to ignore.

Warbird
May 23, 2012

America's Favorite Dumbass

I set up a reverse proxy for my network using the letsencrypt docker container. Everything was working just fine last night, but for some reason it's stopped reverse proxying today for whatever reason. Container's up and running and I still can access the default page on 80 as per usual. I took a look at the container logs and nothing is standing out. Any recommended places to start poking around?

e: Now trying it again after a few hours everything is working just fine. Weird.

So now that this is apparently sorted out, any recommendations for a landing page? Heimdall has some interesting stuff, but routing that all through another container might be a pain in the rear end.

Warbird fucked around with this message at 03:29 on May 11, 2020

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord
edit: hey cloudflare thanks for the dupe post

ROJO
Jan 14, 2006

Oven Wrangler

derk posted:

I went back to my ER-X. Was using a USG 3P, was having latency issues gaming, turned DPI off, it helped but would still spike to hell. Went back to ER-X, 0 problems. I have 2 AC-LITE APs going with the ER-X. Solid equipment minus my USG giving me problems. It was nice looking at all the extra stats and controlling everything from the controller, but I can't be having spikes like that while gaming, too frequent to ignore.

Have had no issues with my USG with DPI and IPS enabled, even with latency dependent gaming. Not trying to say your experience is invalid, just throwing another data point out. Maybe it's the difference between the 4P and the 3P?

Granted this is only with despicable 300/15 Comcast internet, nothing approaching gigabit.

Raymond T. Racing
Jun 11, 2019

Warbird posted:

I set up a reverse proxy for my network using the letsencrypt docker container. Everything was working just fine last night, but for some reason it's stopped reverse proxying today for whatever reason. Container's up and running and I still can access the default page on 80 as per usual. I took a look at the container logs and nothing is standing out. Any recommended places to start poking around?

e: Now trying it again after a few hours everything is working just fine. Weird.

So now that this is apparently sorted out, any recommendations for a landing page? Heimdall has some interesting stuff, but routing that all through another container might be a pain in the rear end.

I use organizer and put everything behind cloudflare.

ROJO posted:

Have had no issues with my USG with DPI and IPS enabled, even with latency dependent gaming. Not trying to say your experience is invalid, just throwing another data point out. Maybe it's the difference between the 4P and the 3P?

Granted this is only with despicable 300/15 Comcast internet, nothing approaching gigabit.

IIRC max throughput on USG with IDS/IPS is only like 200Mbps at best
