1. 23

  2. 23

    A couple of other tips for the budding dev-turned-network-technician:

    • Buy a cable tester. Buy a cable tester. Buy. A. Cable. Tester.
    • Label your ports. Label your ports. Label. Your. Ports.
    • Always strip more than you think you’ll need, and cut things to proper length. You can’t cut cables longer.
    • Don’t strip twisted pair with your teeth. Just don’t.
    • Invest in some RG6 tie-downs to pin the cables neatly if you aren’t fishing them through walls.
    • If you have the option, run the APs off of PoE. Keep all of that together in your gear closet, because you’re going to want to…
    • …run all of the gear off of battery backups. A decent UPS is cheap these days, and there’s no reason your network should go out if the power does.
    • Put IoT/other stuff into its own subnet and/or VLAN (as you fancy), lock it down, give static leases. If you have infrastructure stuff (displays, printers, whatever) that’s wireless, consider giving those things their own dedicated network.
    • Go fix your bufferbloat.
    • Set up your router to get time from a good NTP pool.
    1. 2

      Put IoT/other stuff into its own subnet and/or VLAN (as you fancy), lock it down, give static leases. If you have infrastructure stuff (displays, printers, whatever) that’s wireless, consider giving those things their own dedicated network.

      I’ve been thinking about putting my IoT & home automation devices in a separate SSID, subnet, and broadcast domain to declutter the main router and avoid potentially insecure devices (hostile DHCP servers), but I’m curious if there’s a way to get stuff that relies on multicast (like SSDP) working across subnets?

      1. 2

        I am also curious. Can I use a separate iot vlan and allow connections into but not out of it?

        1. 2

          I do this with my guest network I provide for NYCMesh using OpenBSD pf. My concern is about broadcast/multicast based discovery protocols not working across subnets. Roku, WeMo, etc. use protocols like this for device discovery.
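The "allow connections into the IoT VLAN but not out of it" arrangement asked about above, written as an OpenBSD pf.conf. This is an added illustration, not the NYCMesh guest-network config the commenter runs; the interface names (em0, vlan10, vlan20) and the 192.168.10.0/24 and 192.168.20.0/24 prefixes are assumptions. It also answers the discovery concern as far as mDNS goes: the last two `quick` rules let mDNS reach a reflector (Avahi with `enable-reflector=yes` under `[reflector]` in avahi-daemon.conf) running on the router, while the `block` to `<private>` still stops IoT devices from initiating anything toward the LAN.

```conf
# /etc/pf.conf for an isolated IoT VLAN (added example; names and prefixes assumed)
ext_if  = "em0"
lan_if  = "vlan10"
iot_if  = "vlan20"
lan_net = "192.168.10.0/24"
iot_net = "192.168.20.0/24"
mdns    = "224.0.0.251"
table <private> const { 10/8, 172.16/12, 192.168/16 }

set skip on lo
set block-policy drop

# NAT both segments out the uplink
match out on $ext_if inet from { $lan_net, $iot_net } nat-to ($ext_if)

# Default deny. pf keeps state on pass rules, so replies to permitted
# connections are matched by the state table before any rule below is consulted.
block log all

# IoT clients may reach the router on their own segment for DHCP, DNS and NTP
pass in quick on $iot_if inet proto udp from any port 68 to any port 67
pass in quick on $iot_if inet proto { tcp, udp } from $iot_net to ($iot_if) port 53
pass in quick on $iot_if inet proto udp from $iot_net to ($iot_if) port 123

# mDNS from either segment to the reflector listening on the router
pass in quick on $iot_if inet proto udp from $iot_net to $mdns port 5353
pass in quick on $lan_if inet proto udp from $lan_net to $mdns port 5353

# The "into but not out of" rule: IoT never initiates toward private space
block in log quick on $iot_if inet from $iot_net to <private>

# Whatever is left from IoT may only go to the internet
pass in on $iot_if inet from $iot_net to any

# LAN may initiate anything, including into the IoT VLAN; state handles the replies
pass in on $lan_if inet from $lan_net to any
pass out on { $ext_if, $lan_if, $iot_if } inet all
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Avahi reflects mDNS only (224.0.0.251, UDP 5353); SSDP, which uses 239.255.255.250 on UDP 1900, is not carried by it and needs a separate relay plus a matching pass rule if those devices must be discoverable from the LAN.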

        2. 1

          I’m curious if there’s a way to get stuff that relies on multicast (like SSDP) working across subnets?

          It’s possible but can be a bit tricky - using something like Avahi to reflect mDNS between subnets can help. I’ve managed to get it working for some devices (Chromecast for example) and not for others (Sonos speakers) but the “not working” is more a result of me running out of time rather than it being impossible.

      2. 5

        I’d like to add “adjust your power” to this!! There is no need to be that rude neighbor who cranks their APs’ power to the absolute max. This can lead to weird problems not just in your network, but in others as well.

        Also if you’re running something like Meraki, the “rogue AP” feature is a problem. Leave those settings on the default, getting block-happy leads to problems with everyone.

        1. 4

          I once did a really dumb thing overprovisioning…three sonicwall wireless APs within 80 yards or so of each other as the crow flew. Turning down the power significantly was the only way to resolve some of the chaos that resulted.

          1. 1

            I have one AP per 8 users in our office, this leads to a huge number of APs. I’m in a very crowded office building with a bazillion APs though so this really took a lot of fine tuning, but it’s what has worked absolutely the best thus far.

            3 APs within 80 yards is totally reasonable if you have hundreds of competing APs in a single office building. :)

        2. 4

          The GeoIP tip was smart, I hadn’t thought of that before.

          1. 5

            This issue also led to tools like Speedtest connecting to the wrong test servers many states away and severely underestimating performance.

            Semi-related note, I have been using https://fast.com lately and I’m much happier with the information it provides and how quickly. The settings can be changed after your first test is completed.

            1. 1

              Yeah! Used it recently to find out that I had 1 Gbit/s in my apartment. Been using it ever since. The concept is just great; enter fast.com and watch the speed.

              1. 3

                Fun fact: Netflix also bought slow.com for the same service :).

                1. 1

                  I did not, and will from now recommend that to the next person who needs a speed test. :-)

          2. 3

            Multiple bands (2.4 GHz and 5 GHz) should also have the same SSID. Don’t put 5 GHz on its own SSID

            In that setup, pretty much all devices I’ve ever seen tend to fall back to 2.4 very very easily and quickly (when 5 still works) and practically never upgrade to 5.

            1. 4

              Enable band steering on your access points.

              1. 2

                Huh, TIL that’s a thing. Not supported in OpenWrt apparently? But “802.11r Fast Transition” is supported now.

            2. 3

              I know the group-think is Ubiquiti but I recommend Mikrotik as it’s more capable and better bang for the buck. Out of the box, the quick web-based set-up will get you up and running but there’s a lot more to learn as they’re nearly equivalent in terms of features with more expensive kit from Cisco and Juniper.

              A small office needs a router (for example, a hex-S) configured for “Controlled Access Point system Manager” (CAPsMAN) and a couple of PoE-capable dual-band APs (I like the CAP-ac and the HAP ac-lite). Devices like printers, phones, storage, servers, etc. all get plugged into a switch (I like the Cloud Router Switch models; some have integrated WiFi, which saves deploying an AP). Set up an internal DNS zone and DHCP that gives that server to the clients. Use static leases for the permanent devices and dynamic pools for various purposes.

              I’ll return to edit this later.

              1. 4

                I’m fully aware of the group-think. I’m part of it. :P

                However, seeing the recent security issues[1] with MikroTik, I would be wary. Also, the software stack is to me ancient. I do like MikroTik, having considered them myself many times. And I’m sure they do the job just fine. I’m just not into the old 90-ish look of everything. The Windows application looks like it’s from the Windows 98 era.

                Seeing that you are more experienced, what are your thoughts on their security practices, etc.?

                [1] https://threatpost.com/thousands-of-mikrotik-routers-hijacked-for-eavesdropping/137165/

                1. 2

                  I agree the Winbox tool looks terribly dated but I, and I suspect many others, rarely use it other than to get kit to an initial state and prefer the CLI.

                  Regarding security, their out of the box configuration was (until recently) inadequate. They left services exposed and assumed their users understood it was up to them to block the ports or turn off the services. They didn’t. This is compounded by the multiple release branches where bugfix is stable but a month or more behind on patches but current sometimes sees behavior or performance regressions. That assumes users actually perform the upgrades. Their price puts them in the small/home user range but their model and documentation is oriented toward professionals who have time and spare kit to test configurations[1]. This all puts Mikrotik’s reputation on the sharp end of the stick.

                  [1] It’s a hobby for me but it’s not unreasonable to assert that if you depend on something that you have a test environment other than your live production/corporate one.

                2. 3

                  Mikrotik doesn’t have 802.11r, which I consider critical for any multi-AP setup; also their multi-AP management solution, CAPsMAN, is lacking many features and it’s quite buggy. I’ve deployed over 50 Mikrotik APs and routers over the years, but today I would only deploy something with 802.11r.

                  I would still deploy Mikrotik routers though. I don’t like Ubiquiti routers at all.

                3. 4

                  The Hacker News version has some interesting discussion. Top comment so far basically says just go with Ubiquiti with details on the benefits.

                  1. 2

                    I posted this because it has a number of practical tips for setting up a small network, some of which I’ve made use of myself at various times in the past.

                    I might add to their advice about having a large enough DHCP pool, there’s no reason to limit yourself to a /24 IPv4 address space - if you’re NAT’d anyway, you might as well assign DHCP addresses from the space to avoid the risk that you’ll run out if, say, you have an office event with more people with phones and laptops than you normally expect. And of course, IPv6 exists and much of the internet makes use of it!
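A DHCP configuration that follows both the advice above (a pool larger than a /24) and the earlier comment's split between static leases for permanent gear and a dynamic pool for everything else. This is an added example in OpenBSD dhcpd.conf syntax, not configuration from either commenter; the 192.168.8.0/22 prefix, the host names and the MAC addresses are constructed (the MACs come from the 00:00:5E:00:53:xx documentation range).

```conf
# /etc/dhcpd.conf (OpenBSD dhcpd); added example with constructed addresses
option domain-name "office.example";
option domain-name-servers 192.168.8.1;   # the internal DNS zone's server
default-lease-time 43200;
max-lease-time 86400;

# 192.168.8.0/22 gives 1022 usable addresses instead of a /24's 254,
# so an office event full of extra phones and laptops cannot drain the pool.
subnet 192.168.8.0 netmask 255.255.252.0 {
    option routers 192.168.8.1;
    option broadcast-address 192.168.11.255;

    # Dynamic pool for laptops, phones and visitors: 192.168.9.1 - 192.168.11.254
    range 192.168.9.1 192.168.11.254;

    # 192.168.8.0/24 is kept out of the pool and used only for static leases,
    # so a permanent device's address can never collide with a dynamic one.
    host printer-1 {
        hardware ethernet 00:00:5e:00:53:10;   # constructed MAC
        fixed-address 192.168.8.10;
    }
    host nas-1 {
        hardware ethernet 00:00:5e:00:53:11;   # constructed MAC
        fixed-address 192.168.8.20;
    }
}
```

Keeping the static block and the dynamic range disjoint is the part that matters: a fixed-address inside the pool range is the usual cause of "duplicate address" surprises when a static device is offline and its address is handed out.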