Sunday, February 21, 2021

HW #1 - TiVo over MoCA Peculiarities

 Over time, I have learned some peculiarities about the TiVo system:

  • When I originally used the TiVo Bolt with a couple of TiVo Minis, I had all connections over Ethernet.  That worked out fine, but I did discover that the Minis did not let go of their tuners, which resulted in an enormous amount of traffic over the Ethernet lines.  Even placing the equipment on a separate vlan only partially solved the problem.
  • Early on you were able to select the TiVo button on the Minis and cause the Mini to release its hold on the TiVo Bolt tuner.
  • When I had the equipment blow out due to a power surge, I opted to get the TiVo Edge.  Updating the Edge and the Minis brought me into a condition in which I was unable to release the Minis from the Edge tuner.  I have since learned that they changed the TiVo Minis and thus they might be able to release the tuners somehow.
  • Because of the amount of traffic for the TiVos on Ethernet, I decided to run the connections over MoCA.  I have a Verizon FIOS ONT that I connect to and ended up putting the Edge and the Minis on channel 15 in order to get it to work.  This was acceptable, and now the traffic between the Minis and the Edge is isolated from my Ethernet, or so I thought.
  • Since I needed to set up the TiVo Edge as a MoCA bridge, I was surprised to learn that the Ethernet connection to the Edge was absolutely hammering the unmanaged Ethernet switch it was plugged into.  This is to be expected, since apparently the TiVo Minis do not go directly to the TiVo Edge but actually go out the bridge, bounce off of the Ethernet switch and back to the TiVo Edge.  Normally, only the port that the TiVo Edge is plugged into shows any traffic (flashing LED).  Without the Ethernet switch, there would be a lot of traffic to deal with.


Friday, February 19, 2021

Tips #8 - Using a Router as an Access Point with Multiple SSIDs

In the course of helping someone out on Reddit with their setup, it occurred to me that there have been multiple instances of people asking about using an old router as an access point.  It also helps if you consider the advice peppered with multiple VLANs and multiple SSIDs.  Let's assume you have a Wi-Fi router and want to use another router as an access point (let's call it AP).  Further, let's assume that you have two VLANs you wish to use.  Here are some things to consider (not in any particular order):

  • You probably will want to do a Wi-Fi survey to see where your neighbors are parked on the Wi-Fi spectrum and figure out from there how you want to minimize interference.  I recommend Acrylic Wi-Fi as the tool to use; there is a free version.  There are also some tools under Kali Linux as well.
  • If you have a mobile device, you will generally want to seamlessly switch between Wi-Fi sources.  To do this, you are going to want to have the Wi-Fi router and AP on different Wi-Fi channels.  So, as a general rule, walking around your house will cause your cell phone to connect to the Wi-Fi source with the strongest signal.  If, on the other hand, the one SSID is on the same Wi-Fi channel on both devices, you could wind up with them interfering with each other.
  • We will assume you have VLANs that you are using to separate the networks.
  • I make it a point to have different SSIDs based on the vlan it is connected to, so if you have 2 VLANs, you should use 2 SSIDs (different names). 
  • Always make sure that the SSIDs have the same passphrase across the devices, but use two different passphrases for two different SSIDs. Then the SSIDs will be cryptographically separate from each other.
  • Most smart home devices will use the 2.4GHz spectrum, rarely will you see it connect to 5.4GHz, so you could in effect only need the 2.4GHz spectrum for the smart devices and that may influence your choice for how you set up each SSID.
  • If you have smart TVs, I would try to use Ethernet as much as is possible to connect them; video chews up a lot of Wi-Fi bandwidth.
  • Don't set up the AP in bridge mode; that implies that you are going through the WAN port.  There is no need to do that if you are using it as an access point.  Connect the cable from a port on the LAN side of the router to one of the ports on the Linksys LAN side.  This cable should be designated as a trunk line, i.e. it will be carrying multiple VLANs.  By doing it that way, you will keep the one-SSID-to-one-vlan mantra unaltered.  Set up the VLANs accordingly.
  • In the AP vlan setup do not set up a DHCP server, but use a DHCP relay mode instead, and point the relay address to the router vlan IP address.  That way a connection to the AP will use the router to get its IP address (which also means it will get its DNS info from the same source).

This is simple but effective and I have used this approach many times to success.

Wednesday, February 17, 2021

Zone Based Routing and the Edgerouter-X

I am attempting to use an Edgerouter-X (ERX1 for short) to provide specific, controlled access between vlans and certain equipment.  The first use case will be entirely composed of port forwarding, but between multiple vlans.  First, let me define what I mean by setup:

The New Setup for vlans on ERX1

  • ERX1-1 will be connected to Media Router for access to the Media vlan
  • ERX1-2 will be connected to Main Switch for access to the Admin vlan for configuration
  • ERX1-5 will be connected to Main Switch for access to other vlans as a trunk line
  • ERX1 vlans will be setup as normal, always getting IP from DHCP and doing DHCP Remote to keep the gateways pure

The following Zones will be defined:

  • Local (ERX1 itself)
  • Admin
  • Media
  • Personal
  • IOT
  • LAN3
  • DMZ

The following special defined accesses are:

  • Port 8123 of the HA-IOT server on IOT vlan <-> every IP on LAN3 vlan
  • HA-IOT server on IOT vlan <-> data server ports on Personal vlan
  • ports for Plex server on Personal vlan <-> every IP on the Media vlan
  • ports for Plex server on Personal vlan <-> every IP on the LAN3 vlan
  • every IP on the Media vlan <-> data server ports on Personal vlan
  • Docker container ports in the Development vlan <-> the MQTT server on the HA-IOT server in the LAN3 vlan
  • every IP on the LAN3 vlan <-> Media equipment ports on the Media vlan
  • specific IPs on the DMZ <-> data server ports on Personal vlan
  • Some of these alternate connections are going to require the device to be on the same subnet

Group Definitions needed:

  • port 8123 on HA-IOT Server on IOT vlan
  • data server ports on Personal vlan
  • Plex server ports on Personal vlan
  • MQTT server port on IOT vlan 
  • Media equipment ports on Media vlan
  • Specific IPs on the DMZ vlan

The first items on the ERX1 that need to be completed for setup include resetting the ERX1 to default, setting up an initial default router setup with two subnets, defining the Admin vlan, setting up the main switch to accommodate connection to the Admin vlan and to the Media vlan (with the WAN port).  From there I should be able to update the ERX1 as I go.
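As an added example (not the post's own configuration), here is how the first special access, port 8123 on the HA-IOT server reachable from every IP on the LAN3 vlan and nothing else between those two zones, can be expressed as EdgeOS zone-policy on the ERX1.  The VLAN IDs on the eth5 trunk, the server address and the ruleset names are assumptions; the other zone pairs follow the same pattern of a default-drop zone plus one ruleset per direction.

```vyatta
# Added example, not from the post. Assumed: LAN3 is VLAN 30 and IOT is VLAN 40
# on the ERX1-5 trunk (eth5); the HA-IOT server is 192.0.2.50 (placeholder).

# Group definitions: "port 8123 on HA-IOT Server on IOT vlan"
set firewall group address-group HA_IOT_SERVER address 192.0.2.50
set firewall group port-group HA_IOT_PORTS port 8123

# LAN3 -> IOT: only return traffic plus TCP to the HA-IOT server on 8123
set firewall name LAN3-TO-IOT default-action drop
set firewall name LAN3-TO-IOT rule 10 description 'return traffic'
set firewall name LAN3-TO-IOT rule 10 action accept
set firewall name LAN3-TO-IOT rule 10 state established enable
set firewall name LAN3-TO-IOT rule 10 state related enable
set firewall name LAN3-TO-IOT rule 20 description 'LAN3 to HA-IOT port 8123'
set firewall name LAN3-TO-IOT rule 20 action accept
set firewall name LAN3-TO-IOT rule 20 protocol tcp
set firewall name LAN3-TO-IOT rule 20 destination group address-group HA_IOT_SERVER
set firewall name LAN3-TO-IOT rule 20 destination group port-group HA_IOT_PORTS
set firewall name LAN3-TO-IOT rule 20 log enable

# IOT -> LAN3: return traffic only; IOT devices never open connections to LAN3
set firewall name IOT-TO-LAN3 default-action drop
set firewall name IOT-TO-LAN3 rule 10 description 'return traffic'
set firewall name IOT-TO-LAN3 rule 10 action accept
set firewall name IOT-TO-LAN3 rule 10 state established enable
set firewall name IOT-TO-LAN3 rule 10 state related enable

# Zones: each zone owns its vlan interface; a zone pair with no "from" ruleset
# is dropped, so every allowed path has to be written down explicitly.
set zone-policy zone LAN3 default-action drop
set zone-policy zone LAN3 interface eth5.30
set zone-policy zone LAN3 from IOT firewall name IOT-TO-LAN3
set zone-policy zone IOT default-action drop
set zone-policy zone IOT interface eth5.40
set zone-policy zone IOT from LAN3 firewall name LAN3-TO-IOT

commit
save
```

Once zone-policy is in use, put every ERX1 interface (including the Admin port and the Local zone for the router itself) into a zone, since traffic from an interface outside any zone is dropped at a zoned interface.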

Sunday, February 14, 2021

Project #23 - What Makes Sense to ChangeUp in the Network?

What makes sense in the changeup of my network?

I do have a problem in the way that things are partitioned:

1. vlans are just that; they are set up to not have connection to each other.  This is by design, and I went out of my way when I set up my Edgerouter-12 to force vlan isolation even though by default vlans can talk to each other.

2. I actually set up some vlans so that the elements in those vlans would only be able to talk outside the router to the internet and not to each other.  This was a security design.

3. I made sure that vlans that were isolated to other vlans were not able to modify any of the settings on my Edgerouter-12 except for the admin vlan.  This was a security design.

4. I have a couple of specific computers that are allowed to contact other vlans.  This was by design and allows me to monitor equipment as necessary without having to give all my equipment the same level of access.  This was a security design.

5. The above way of partitioning has resulted in some problems with being able to get to certain servers.  I actually need the following:

  • I need to be able to get to port 8123 of my HA-IOT server, on the IOT vlan, from the LAN3 vlan which contains my iPhones, iPads, and laptops.
  • My HA-IOT server needs to get to the data servers in the Server vlan
  • My Plex server resides in the Server vlan and both the Media and the LAN3 vlan need to get to it
  • My Media equipment needs to get to the data servers in the Server vlan
  • For testing purposes I need to have some Docker containers in the Development vlan be able to get to the MQTT server on the HA-IOT server in the LAN3 vlan
  • My iPhones, iPads, and laptops on the LAN3 vlan need to be able to get to Media equipment on the Media vlan
  • Some of these alternate connections are going to require the device to be on the same subnet

So, this means that there needs to be overlap between the different vlans, but at the same time it needs to be controlled.  I do have an additional Edgerouter-X which I can use for that purpose.  This will be an exploration of what I can accomplish.  This Edgerouter-X will not be used as a normal router, but will in fact be the way that I can provide a controlled interface between vlans.  If the router is removed, then everything will go back to the way it was before.  This will also give me a chance to try out zone based routing on the Edgerouter-X.

Friday, February 12, 2021

Patch Panel Connections

  DwnFR            DwnBRM       Attic       Kitchen                         LftFire
+------+   (3)   +------+    +------+    +-------+               (2)    +-----------+   (4)
| PP#4 +---------+ PP#5 |    | PP#9 |    | PP#12 |           +----------+  PP#6     +----------+
+--+---+         +--+---+    +--+---+    +-+-----+           |          +--+--------+          |
   |                |           |          |                 |             |                   |  SideRm
   |                |           |          |(1)              |      +------+               +---+---+
   |                |           |          |                 |      |                      | PP#10 |
   |(1)             |(1)        |(1)       |                 |      |    RtFire            +---+---+
   |                |           |          |                 |      |        +------+  (3)     |
   |                |           |          |                 |      |        | PP#7 +----------+
   |                |           |          |                 |      |        +------+
   |                |           |          |                 |      |
   |           +----+-----------+----------+-----------------+-+    |(2)
   +-----------+                  PP#1                         |    |
               +-+-----------+------------------+------------+-+    |
                 |           |    Toolroom      |            |      |
                 |(1)        |                  |            |      |
                 |           |                  |(5)         |(1)   |
            +----+--+        |(9)               |            |      |
      Hutch | PP#11 |        |               +--+---+    +---+------+-+
            +----+--+        |               | PP#2 |    |    PP#8    |
                 |           |               +--+---+    +---+--------+
                 |(2)        |          Outtool |            |
                 |           |                  |            |
                 |           |                  |            |
                 |           |                  |            |
                 |           |                  |(1)         |(3)
                 |           |                  |            |              Table
               +-+-----------+------------------+------------+-+   (3)    +-------+
               |                  PP#3                         +----------+ PP#13 |
               +-----------------------------------------------+          +-------+
                                         Rack

Diagram completed at http://asciiflow.com/.  Rectangles are patch panels, connecting lines have the number of Ethernet cables between.