Help needed with home network configuration

2018-03-09 Thread Johann Spies
For many years I have used my desktop as a network/firewall server with
two interfaces one facing the internet (through ADSL) and the other the
local network.

Now I have a fibre connection and for a month both connections will be
available in parallel.

I have decided to use my Raspberry Pi3 as the firewall/network server in
future but have after many hours failed to do so successfully.

First I have tried a similar Shorewall setup that I have on my desktop
and after failing successful connections I tried ufw with no success.

First ufw:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    192.168.0.0/24

Anywhere                   ALLOW OUT   192.168.0.0/24
53/udp                     ALLOW OUT   192.168.0.0/24
443/tcp                    ALLOW OUT   192.168.0.0/24

(I have added the last two lines which I thought should not be
necessary).

I get this in the log:

Mar  9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0
OUT=eth1 
MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:00:3f:06:fb:f2
SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63
ID=20712 DF PROTO=TCP SPT=53337 DPT=443 WINDOW=5840 RES=0x00 SYN
URGP=0

My shorewall configuration:

Zones

#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4

Interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
net     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians

Policy

#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST

loc     $FW     ACCEPT
$FW     loc     ACCEPT
$FW     net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

snat

#ACTION     SOURCE          DEST    PROTO   PORT   IPSEC   MARK   USER   SWITCH  ORIGDEST   PROBABILITY
#
# Rules generated from masq file /etc/shorewall/masq by Shorewall 5.0.15.2 - Fri Feb 24 08:52:03 SAST 2017
#
MASQUERADE  192.168.0.0/24  eth1

Rules

DNS(ACCEPT)     $FW     net
SSH(ACCEPT)     loc     $FW
SSH(ACCEPT)     $FW     loc
SSH(ACCEPT)     $FW     net
SSH(ACCEPT)     loc     net
HTTP(ACCEPT)    $FW     net
HTTPS(ACCEPT)   $FW     net
FTP(ACCEPT)     $FW     net
FTP(ACCEPT)     loc     $FW
SMTP(ACCEPT)    loc     $FW
SMTP(ACCEPT)    $FW     net:195.190.146.50
DNS(ACCEPT)     loc     $FW
Ping(DROP)      net     $FW
Ping(ACCEPT)    loc     $FW
ACCEPT          loc     net     icmp
ACCEPT          $FW     net     icmp
ACCEPT          $FW     loc     icmp

In sysctl.conf I have

net.ipv4.ip_forward=1
net.ipv4.conf.all.log_martians = 1

$ sudo ifconfig
eth0  Link encap:Ethernet  HWaddr b8:27:eb:63:94:ea
  inet addr:192.168.0.9  Bcast:192.168.0.255  Mask:255.255.255.0
  inet6 addr: fe80::dbe4:63c:a02b:cb1e/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:11223527 errors:0 dropped:0 overruns:0 frame:0
  TX packets:4414187 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:3648814410 (3.3 GiB)  TX bytes:381642127 (363.9 MiB)

eth1  Link encap:Ethernet  HWaddr 00:e0:4c:20:bf:5d
  inet addr:192.168.1.249  Bcast:192.168.1.255  Mask:255.255.255.0
  inet6 addr: fe80::9d48:f754:2113:9a80/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:103887 errors:0 dropped:0 overruns:0 frame:0
  TX packets:91137 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:124760139 (118.9 MiB)  TX bytes:13325394 (12.7 MiB)

$ ip route ls
default via 192.168.1.1 dev eth1
default via 192.168.1.1 dev eth1  metric 204
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.9
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249  metric 204


I really do not know the way forward from here.  Help will be
appreciated.

Regards
Johann


-- 
Because experiencing your loyal love is better than life itself,
my lips will praise you.  (Psalm 63:3)
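
Added example (not part of any message in this thread): a reading of the [UFW BLOCK] entry quoted above. A netfilter log entry with both IN= and OUT= set was logged on the forward path, which ufw governs with "ALLOW FWD" rules (`ufw route allow ...`) and DEFAULT_FORWARD_POLICY in /etc/default/ufw, not with the "ALLOW IN" / "ALLOW OUT" rules shown in the status output. The function names and the second log line are constructed for illustration.

```python
import ipaddress
import re

# The [UFW BLOCK] entry from the first message, with the mail client's
# line wrapping kept as it appears in the post.
WRAPPED_LOG = """\
Mar  9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0
OUT=eth1
MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:00:3f:06:fb:f2
SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63
ID=20712 DF PROTO=TCP SPT=53337 DPT=443 WINDOW=5840 RES=0x00 SYN
URGP=0
"""

# Constructed sample (not from the thread): a packet addressed to the
# firewall itself, so the kernel leaves OUT= empty.
CONSTRUCTED_INPUT_LOG = (
    "Mar  9 12:20:01 pi3 kernel: [403999.000001] [UFW BLOCK] IN=eth1 OUT= "
    "SRC=192.168.1.1 DST=192.168.1.249 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN"
)

# Which kind of ufw rule is evaluated for each netfilter path, as the
# "Action" column of `ufw status` names it.
RULE_TYPE = {
    "INPUT": "ALLOW IN",     # traffic addressed to the firewall host
    "OUTPUT": "ALLOW OUT",   # traffic originated by the firewall host
    "FORWARD": "ALLOW FWD",  # routed traffic: `ufw route allow ...`
}


def parse_ufw_entry(text):
    """Return (action, fields, flags) for one possibly line-wrapped entry."""
    line = " ".join(text.split())          # undo e-mail line wrapping
    tag = re.search(r"\[UFW ([A-Z ]+)\]", line)
    if tag is None:
        raise ValueError("not a ufw log entry")
    fields, flags = {}, []
    for token in line[tag.end():].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value            # KEY=value pairs such as SRC=, DPT=
        else:
            flags.append(token)            # bare flags such as DF, SYN, ACK
    return tag.group(1), fields, flags


def chain_of(fields):
    """Infer the netfilter path from which interface fields are filled in."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT"
    if has_out:
        return "OUTPUT"
    return "UNKNOWN"


def diagnose(text, lan="192.168.0.0/24"):
    """Summarise what a blocked packet was and which rule type covers it."""
    action, fields, flags = parse_ufw_entry(text)
    chain = chain_of(fields)
    src = ipaddress.ip_address(fields["SRC"])
    return {
        "action": action,
        "chain": chain,
        "rule_type": RULE_TYPE.get(chain),
        "src_in_lan": src in ipaddress.ip_network(lan),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        # A SYN without ACK is the first packet of a new TCP connection.
        "new_tcp": fields.get("PROTO") == "TCP"
        and "SYN" in flags and "ACK" not in flags,
    }


if __name__ == "__main__":
    for name, entry in (("thread", WRAPPED_LOG),
                        ("constructed", CONSTRUCTED_INPUT_LOG)):
        print(name, diagnose(entry))
```

For the entry from the thread this reports a new HTTPS connection from a LAN host that was dropped on the forward path, which none of the four listed IN/OUT rules is evaluated for.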



Re: Help needed with home network configuration

2018-03-09 Thread Reco
Hi.

On Fri, Mar 09, 2018 at 04:30:53PM +0200, Johann Spies wrote:
> For many years I have used my desktop as a network/firewall server with
> two interfaces one facing the internet (through ADSL) and the other the
> local network.
> 
> Now I have a fibre connection and for a month both connections will be
> available in parallel.
> 
> I have decided to use my Raspberry Pi3 as the firewall/network server in
> future but have after many hours failed to do so successfully.

A suboptimal idea IMO. These Broadcom chipsets are only good for video
output, their 100Mbps "Ethernet" is actually hardwired to USB, and their
WiFi is a PITA (I used Raspberry Pi3 as WiFi AP for half a year. Never
again). They make good SPI programmers though.

If you need a good Debian-friendly router, I suggest buying Linksys ACM
1200, 1900 or 3200.


> First I have tried a similar Shorewall setup that I have on my desktop
> and after failing successful connections I tried ufw with no success.
> 
> First ufw:
> 
> $ sudo ufw status verbose
> Status: active
> Logging: on (low)
> Default: deny (incoming), allow (outgoing)
> New profiles: skip
> 
> To                         Action      From
> --                         ------      ----
> Anywhere                   ALLOW IN    192.168.0.0/24
> 
> Anywhere                   ALLOW OUT   192.168.0.0/24
> 53/udp                     ALLOW OUT   192.168.0.0/24
> 443/tcp                    ALLOW OUT   192.168.0.0/24
> 
> (I have added the last two lines which I thought should not be
> necessary).
> 
> I get this in the log:
> 
> Mar  9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0
> OUT=eth1 
> MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:00:3f:06:fb:f2
> SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> ID=20712 DF PROTO=TCP SPT=53337 DPT=443 WINDOW=5840 RES=0x00 SYN
> URGP=0

An "iptables-save" output would be welcome. There are many frontends to
netfilter, but nothing beats the original "iptables".

Reco



Re: Help needed with home network configuration

2018-03-09 Thread Dan Purgert
Johann Spies wrote:
> For many years I have used my desktop as a network/firewall server with
> two interfaces one facing the internet (through ADSL) and the other the
> local network.
>
> Now I have a fibre connection and for a month both connections will be
> available in parallel.
>
> I have decided to use my Raspberry Pi3 as the firewall/network server in
> future but have after many hours failed to do so successfully.
>
> [...]
>
> I really do not know the way forward from here.  Help will be
> appreciated.
>
> Regards
> Johann

The rpi is a little anemic (especially given "fiber" connectivity).  If
you're looking for a debian-based box, why not something like a Ubiquiti
EdgeRouter?  I've used them all over the place - quite solid little
units, most of them are a steal at twice the price.

Granted, they're somewhat geared towards "businesses", and so don't come
with wifi built in. You could add a UniFi access point, or if having an
"all-in-one" solution is desired, their more "consumer-oriented" AmpliFi
line may be a good fit.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-03-09 Thread Gene Heskett
On Friday 09 March 2018 10:18:23 Reco wrote:

>   Hi.
>
> On Fri, Mar 09, 2018 at 04:30:53PM +0200, Johann Spies wrote:
> > For many years I have used my desktop as a network/firewall server
> > with two interfaces one facing the internet (through ADSL) and the
> > other the local network.
> >
> > Now I have a fibre connection and for a month both connections will
> > be available in parallel.
> >
> > I have decided to use my Raspberry Pi3 as the firewall/network
> > server in future but have after many hours failed to do so
> > successfully.
>
> A suboptimal idea IMO. These Broadcom chipsets are only good for video
> output, their 100Mbps "Ethernet" is actually hardwired to USB, and
> their WiFi is a PITA (I used Raspberry Pi3 as WiFi AP for half a year.
> Never again). They make good SPI programmers though.
>
> If you need a good Debian-friendly router, I suggest buying Linksys
> ACM 1200, 1900 or 3200.

I will also highly recommend the higher end Buffalo's. I have a $70 mail 
order Netfinity, now quite a few years old, reprogrammed with the real 
dd-wrt. It has bounced every attack now for around 8 years. And I mean 
every. I do not have its radio enabled unless my boys are on site with 
their smartphones. And it's not bridged to my local net anyway, only to 
the internet.

> > First I have tried a similar Shorewall setup that I have on my
> > desktop and after failing successful connections I tried ufw with no
> > success.
> >
> > First ufw:
> >
> > $ sudo ufw status verbose
> > Status: active
> > Logging: on (low)
> > Default: deny (incoming), allow (outgoing)
> > New profiles: skip
> >
> > To                         Action      From
> > --                         ------      ----
> > Anywhere                   ALLOW IN    192.168.0.0/24
> >
> > Anywhere                   ALLOW OUT   192.168.0.0/24
> > 53/udp                     ALLOW OUT   192.168.0.0/24
> > 443/tcp                    ALLOW OUT   192.168.0.0/24
> >
> > (I have added the last two lines which I thought should not be
> > necessary).
> >
> > I get this in the log:
> >
> > Mar  9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0
> > OUT=eth1
> > MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:0
> >0:3f:06:fb:f2 SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00
> > PREC=0x00 TTL=63 ID=20712 DF PROTO=TCP SPT=53337 DPT=443 WINDOW=5840
> > RES=0x00 SYN URGP=0
>
> An "iptables-save" output would be welcome. There are many frontends
> to netfilter, but nothing beats the original "iptables".
>
> Reco



-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Help needed with home network configuration

2018-03-09 Thread john doe

On 3/9/2018 3:30 PM, Johann Spies wrote:

> For many years I have used my desktop as a network/firewall server with
> two interfaces one facing the internet (through ADSL) and the other the
> local network.
>
> Now I have a fibre connection and for a month both connections will be
> available in parallel.
>
> I have decided to use my Raspberry Pi3 as the firewall/network server in
> future but have after many hours failed to do so successfully.
>
> First I have tried a similar Shorewall setup that I have on my desktop
> and after failing successful connections I tried ufw with no success.
>
> My shorewall configuration:
>
> Zones
>
> #ZONE   TYPE        OPTIONS     IN          OUT
> #                               OPTIONS     OPTIONS
> fw      firewall
> net     ipv4
> loc     ipv4
>
> Interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> loc     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
> net     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
>
> Policy
>
> #SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
>
> loc     $FW     ACCEPT
> $FW     loc     ACCEPT
> $FW     net     ACCEPT
> loc     net     ACCEPT
> net     all     DROP    info
> # THE FOLLOWING POLICY MUST BE LAST
> all     all     REJECT  info
>
> snat
>
> #ACTION     SOURCE          DEST    PROTO   PORT   IPSEC   MARK   USER   SWITCH  ORIGDEST   PROBABILITY
> #
> # Rules generated from masq file /etc/shorewall/masq by Shorewall 5.0.15.2 - Fri Feb 24 08:52:03 SAST 2017
> #
> MASQUERADE  192.168.0.0/24  eth1
>
> Rules
>
> DNS(ACCEPT)     $FW     net
> SSH(ACCEPT)     loc     $FW
> SSH(ACCEPT)     $FW     loc
> SSH(ACCEPT)     $FW     net
> SSH(ACCEPT)     loc     net
> HTTP(ACCEPT)    $FW     net
> HTTPS(ACCEPT)   $FW     net
> FTP(ACCEPT)     $FW     net
> FTP(ACCEPT)     loc     $FW
> SMTP(ACCEPT)    loc     $FW
> SMTP(ACCEPT)    $FW     net:195.190.146.50
> DNS(ACCEPT)     loc     $FW
> Ping(DROP)      net     $FW
> Ping(ACCEPT)    loc     $FW
> ACCEPT          loc     net     icmp
> ACCEPT          $FW     net     icmp
> ACCEPT          $FW     loc     icmp

Given your policies your rules file is almost not needed.

> In sysctl.conf I have
>
> net.ipv4.ip_forward=1
> net.ipv4.conf.all.log_martians = 1

Shorewall takes care of this.
You need to set 'IP_FORWARDING=Yes' in /etc/shorewall/shorewall.conf and 
logmartians is properly set in /etc/shorewall/interfaces.

If you're willing to play with a multiple-ISP configuration, you should look 
on shorewall.org and at the corresponding examples provided with 
Shorewall.

> $ sudo ifconfig
> eth0  Link encap:Ethernet  HWaddr b8:27:eb:63:94:ea
>    inet addr:192.168.0.9  Bcast:192.168.0.255  Mask:255.255.255.0
>    inet6 addr: fe80::dbe4:63c:a02b:cb1e/64 Scope:Link
>    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>    RX packets:11223527 errors:0 dropped:0 overruns:0 frame:0
>    TX packets:4414187 errors:0 dropped:0 overruns:0 carrier:0
>    collisions:0 txqueuelen:1000
>    RX bytes:3648814410 (3.3 GiB)  TX bytes:381642127 (363.9 MiB)
>
> eth1  Link encap:Ethernet  HWaddr 00:e0:4c:20:bf:5d
>    inet addr:192.168.1.249  Bcast:192.168.1.255  Mask:255.255.255.0
>    inet6 addr: fe80::9d48:f754:2113:9a80/64 Scope:Link
>    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>    RX packets:103887 errors:0 dropped:0 overruns:0 frame:0
>    TX packets:91137 errors:0 dropped:0 overruns:0 carrier:0
>    collisions:0 txqueuelen:1000
>    RX bytes:124760139 (118.9 MiB)  TX bytes:13325394 (12.7 MiB)
>
> $ ip route ls
> default via 192.168.1.1 dev eth1
> default via 192.168.1.1 dev eth1  metric 204
> 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.9
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249  metric 204
>
>
> I really do not know the way forward from here.  Help will be
> appreciated.

If your interfaces are not configured by dhcp in your shorewall config 
you should use SNAT() and not MASQUERADE in /etc/shorewall/snat.


Do you want to buy some new hardware or can you elaborate on what you 
would like to have?


--
John Doe



Re: Help needed with home network configuration

2018-03-10 Thread Johann Spies
I see I have broken the thread by adding [SOLVED] to the subject.

Just to keep it in this thread:

I have tried a third option: arno-iptables-firewall.

Now I can reach the internet from the local network.  I still don't
understand why I could not
get it working with Shorewall which I have used for many years.

Johann

On 10 March 2018 at 11:04, Johann Spies  wrote:
> Thanks Bob.
>
> Regards
> Johann
>
> On 9 March 2018 at 23:50, Bob Weber  wrote:
>> On 3/9/18 2:52 PM, Johann Spies wrote:
>>
>> On 9 March 2018 at 17:31, Bob Weber  wrote:
>>
>> There are other things that you can do once you get the basics working.  I
>> have a caching DNS (with dns crypt to opendns to keep DNS queries from being
>> forged) and ntp server on my router and I use the shorewall redirect command
>> to force all internal machines to use these servers instead of going outside
>> to the internet for each inside machine.
>>
>> Bob, can you share your dns setup please.  My bind9 now gives me problems:
>> e.g. named[25623]: error (network unreachable) resolving
>> 'activity-stream-icons.services.mozilla.com...'
>> but I can ping the outside world.
>>
>> Regards
>> Johann
>>
>> Answers from previous messages also.
>>
>> The eth0 port needs to be static.  If it wasn't and dhcp changed the address
>> then all the local net machines couldn't connect to it to use it as a router
>> since they need to know its exact address.  My interfaces file is as
>> follows:
>>
>> #This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>>
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet static
>> address 172.16.0.1
>> netmask 255.255.0.0
>> network 172.16.0.0
>> broadcast 172.16.255.255
>> dns-nameservers 127.0.0.1
>> dns-search weberhome.net
>>
>> # auto eth1 -- dont need auto since using netplug
>> iface eth1 inet dhcp
>>
>> 
>> My internal net is 172.16.0.0/16 and is from the days I worked as net admin
>> for a local school so you will have to change these to 192.168 if you
>> use them (or keep the 172 net for your system).  Notice eth1 is DHCP since
>> it has to connect to the ISP via the ISP's routers and addresses.  I have a
>> pi3 that I have played with.  At one point I had a second ethernet port
>> attached through a usb adapter and I don't remember it being slow or the
>> main port being slow.  I even installed KDE and played with a 7" touch
>> display.  The only reservation I have about the pi is the flash drive.  I
>> just don't trust them... especially for something that just needs to work
>> all the time (that is why I use raid).
>>
>> I'll first post the pertinent  lines in my shorewall files (bingo is my
>> firewall machine .. a small form factor intel atom board running debian
>> testing with 2 sata drives in raid1 configuration):
>>
>>  interfaces
>> ###
>> ?FORMAT 2
>> ###
>> #ZONE   INTERFACE   OPTIONS
>> Ex      eth1        dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
>>
>> Loc     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians
>>
>>  zones
>> ###
>> #ZONE   TYPE        OPTIONS     IN          OUT
>> #                               OPTIONS     OPTIONS
>> Bingo   firewall    # Bingo
>> Loc     ipv4        # Local 172 network
>> Ex      ipv4        # The Internet
>>
>>
>>  policy
>> ###
>> #SOURCE><-->DEST<--><-->POLICY<><-->LOG LEVEL<->LIMIT:BURST
>> Bingo   Loc     ACCEPT
>> Bingo   Ex      ACCEPT
>> Loc     Ex      ACCEPT
>> Ex      all     DROP    info
>>
>> # THE FOLLOWING POLICY MUST BE LAST
>> all     all     REJECT  info
>>
>>
>> --- rules
>> 
>> #ACTION><-->SOURCE<><-->
>> DEST<-->PROTO<->DEST<-->SOURCE<><-->ORIGINAL<-->RATE<--><-->USER/<->MARK
>> #<-><--><--><--><--><-->
>> PORT<-->PORT(S)><-->DEST<--><-->LIMIT<-><-->GROUP
>> #
>> #SECTION ESTABLISHED
>> #
>> #SECTION RELATED
>> #
>> #
>> ?SECTION NEW
>> Ping/ACCEPT Loc all
>> #
>> allowBcast  Loc Bingo   all
>> HTTP/ACCEPT Loc:172.16.0.0/16   Bingo
>> ACCEPT  Loc:172.16.0.0/16   Bingo   tcp 3128
>> POP3/ACCEPT Loc:172.16.0.0/16   Bingo
>> SMTP/ACCEPT Loc:172.16.0.0/16   Bingo
>

Re: Help needed with home network configuration

2018-03-10 Thread tomas

On Sat, Mar 10, 2018 at 11:06:12AM +0200, Johann Spies wrote:
> I see I have broken the thread by adding [SOLVED] to the subject.

But only because gmail is a broken mail user agent: it seems to have
dropped the In-Reply-To header. The change of subject shouldn't
be a problem.

Cheers
-- tomás



Re: Help needed with home network configuration

2018-03-14 Thread David Wright
On Fri 09 Mar 2018 at 12:31:35 (-0500), Gene Heskett wrote:
> On Friday 09 March 2018 10:18:23 Reco wrote:
> 
> > Hi.
> >
> > On Fri, Mar 09, 2018 at 04:30:53PM +0200, Johann Spies wrote:
> > > > For many years I have used my desktop as a network/firewall server
> > > with two interfaces one facing the internet (through ADSL) and the
> > > other the local network.
> > >
> > > Now I have a fibre connection and for a month both connections will
> > > be available in parallel.
> > >
> > > I have decided to use my Raspberry Pi3 as the firewall/network
> > > server in future but have after many hours failed to do so
> > > successfully.
> >
> > A suboptimal idea IMO. These Broadcom chipsets are only good for video
> > output, their 100Mbps "Ethernet" is actually hardwired to USB, and
> > their WiFi is a PITA (I used Raspberry Pi3 as WiFi AP for half a year.
> > Never again). They make good SPI programmers though.
> >
> > If you need a good Debian-friendly router, I suggest buying Linksys
> > ACM 1200, 1900 or 3200.
> 
> I will also highly recommend the higher end Buffalo's. I have a $70 mail 
> order Netfinity, now quite a few years old, reprogrammed with the real 
> dd-wrt. It has bounced every attack now for around 8 years. And I mean 
> every. I do not have its radio enabled unless my boys are on site with 
> their smartphones. And it's not bridged to my local net anyway, only to 
> the internet.

When you reprogram routers with dd-wrt, does that allow it to do, say,
wired bridging even though the manufacturer's firmware doesn't allow
for that? Or is wired bridging something that requires certain
hardware inside the box? What's your bridging topology? I thought you
might have an article on your website… :)

Cheers,
David.



Re: Help needed with home network configuration

2018-03-14 Thread Gene Heskett
On Wednesday 14 March 2018 22:24:26 David Wright wrote:

> On Fri 09 Mar 2018 at 12:31:35 (-0500), Gene Heskett wrote:
> > On Friday 09 March 2018 10:18:23 Reco wrote:
> > >   Hi.
> > >
> > > On Fri, Mar 09, 2018 at 04:30:53PM +0200, Johann Spies wrote:
> > > > > For many years I have used my desktop as a network/firewall
> > > > server with two interfaces one facing the internet (through
> > > > ADSL) and the other the local network.
> > > >
> > > > Now I have a fibre connection and for a month both connections
> > > > will be available in parallel.
> > > >
> > > > I have decided to use my Raspberry Pi3 as the firewall/network
> > > > server in future but have after many hours failed to do so
> > > > successfully.
> > >
> > > A suboptimal idea IMO. These Broadcom chipsets are only good for
> > > video output, their 100Mbps "Ethernet" is actually hardwired to
> > > USB, and their WiFi is a PITA (I used Raspberry Pi3 as WiFi AP for
> > > half a year. Never again). They make good SPI programmers though.
> > >
> > > If you need a good Debian-friendly router, I suggest buying
> > > Linksys ACM 1200, 1900 or 3200.
> >
> > I will also highly recommend the higher end Buffalo's. I have a $70
> > mail order Netfinity, now quite a few years old, reprogrammed with
> > the real dd-wrt. It has bounced every attack now for around 8 years.
> > And I mean every. I do not have its radio enabled unless my boys are
> > on site with their smartphones. And it's not bridged to my local net
> > anyway, only to the internet.
>
> When you reprogram routers with dd-wrt, does that allow it to do, say,
> wired bridging even though the manufacturer's firmware doesn't allow
> for that? Or is wired bridging something that requires certain
> hardware inside the box? What's your bridging topology? I thought you
> might have an article on your website… :)

With dd-wrt, port forwarding with NAT can be done, a very limited 
bridging, which is how you see my web site. It's actually this machine.

As for the wireless, I only have it bridged to the WAN side of the 
network, but I'm pretty sure it can be bridged in either or both 
directions. So neither this machine nor any of the others on my home net 
is visible to the wireless, only the internet can be used. I don't 
recall how I do it ATM, because 99% of the time the radio is disabled. 
If I enable it, one of the neighbors auto connects and can use 80 GB a 
month w/o giving me a clue unless I am logged into the router and see 
the connection lease. So I only enable the radio when my boys are in 
town.  Sorry I can't be more specific but it's been yonks since I've 
programmed it.

> Cheers,
> David.



-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Help needed with home network configuration

2018-03-15 Thread Don Armstrong
On Wed, 14 Mar 2018, David Wright wrote:
> When you reprogram routers with dd-wrt, does that allow it to do, say,
> wired bridging even though the manufacturer's firmware doesn't allow
> for that?

openwrt and dd-wrt both allow wired bridging[1] (or pseudo-bridging by
routing if your wireless hardware doesn't support that).


1: I suppose there might be some network hardware which doesn't support
actual bridging of wired interfaces, but I've yet to see such an
example.
-- 
Don Armstrong  https://www.donarmstrong.com

You think to yourself, hey, it's a test tube, for God's sake. Pretty
soon, though, the rush from a test tube isn't enough. You want to
experiment more and more. Then before you know it, you're laying in
the corner of a lab somewhere with a Soxhlet apparatus in one hand,
a three neck flask in the other, strung out and begging for grant
money.
 -- Tim Mitchell, 1994 Ig Nobel Chemistry Prize Speech



Re: Help needed with home network configuration

2018-03-15 Thread David Wright
On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:
> On Wed, 14 Mar 2018, David Wright wrote:
> > When you reprogram routers with dd-wrt, does that allow it to do, say,
> > wired bridging even though the manufacturer's firmware doesn't allow
> > for that?
> 
> openwrt and dd-wrt both allow wired bridging[1] (or pseudo-bridging by
> routing if your wireless hardware doesn't support that).
> 
> 
> 1: I suppose there might be some network hardware which doesn't support
> actual bridging of wired interfaces, but I've yet to see such an
> example.

I think the router I've been using for the last few years is one.
Although the User Manual from May 2013¹ has a brief section on
bridging, the June 2014² revision is missing that part. Both have
a "Wireless Repeating" link on the figure for Advanced Wireless
Settings, but the link is not present in the actual configuration
screen on the device.

In any case, the May 2013 manual says that to use it as a repeater,
even wired, you have to set security to WEP or None. That's no use.

I wandered into BestBuy and couldn't find much about bridging on
any of their router boxes. (Obviously I'm eschewing so-called
WiFi Wireless Repeaters.) What I'm trying to ascertain is that
all the wired bridging functionality is performed by the software
and not any special hardware in the device.

Required topology:


╲│╱   ╲│╱ ╲│╱
 ┌───┐ ┌───┐   ┌───┐
 │W L╞CAT5 │W L╞═PC│ ROKUs │
[Modem]══╡A A╞═╡A A╞   │  etc  │
 │N N╞ │N N╞   └───┘
 │   ╞═PC  │   ╞═PC
 └───┘ └───┘


¹ WNDR3400v3_UM_10May2013.pdf
² WNDR3400v3_UM_19June2014.pdf

(Thanks to Gene, too)

Cheers,
David.


Re: Help needed with home network configuration

2018-03-15 Thread rhkramer
On Thursday, March 15, 2018 09:42:25 PM David Wright wrote:
> On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:
> > On Wed, 14 Mar 2018, David Wright wrote:
> > > When you reprogram routers with dd-wrt, does that allow it to do, say,
> > > > wired bridging even though the manufacturer's firmware doesn't allow
> > > for that?
> > 
> > openwrt and dd-wrt both allow wired bridging[1] (or pseudo-bridging by
> > routing if your wireless hardware doesn't support that).
> > 
> > 
> > 1: I suppose there might be some network hardware which doesn't support
> > actual bridging of wired interfaces, but I've yet to see such an
> > example.
> 
> I think the router I've been using for the last few years is one.
> Although the User Manual from May 2013¹ has a brief section on
> bridging, the June 2014² revision is missing that part. Both have
> a "Wireless Repeating" link on the figure for Advanced Wireless
> Settings, but the link is not present in the actual configuration
> screen on the device.
> 
> In any case, the May 2013 manual says that to use it as a repeater,
> even wired, you have to set security to WEP or None. That's no use.
> 
> I wandered into BestBuy and couldn't find much about bridging on
> any of their router boxes. (Obviously I'm eschewing so-called
> WiFi Wireless Repeaters.) What I'm trying to ascertain is that
> all the wired bridging functionality is performed by the software
> and not any special hardware in the device.
> 
> Required topology:
> 
> 
> ╲│╱   ╲│╱ ╲│╱
>  ┌───┐ ┌───┐   ┌───┐
>  │W L╞CAT5 │W L╞═PC│ ROKUs │
> [Modem]══╡A A╞═╡A A╞   │  etc  │
>  │N N╞ │N N╞   └───┘
>  │   ╞═PC  │   ╞═PC
>  └───┘ └───┘
> 
> 
> ¹ WNDR3400v3_UM_10May2013.pdf
> ² WNDR3400v3_UM_19June2014.pdf

I haven't paid attention to this thread from the beginning, but looking at the 
sketch, I'm wondering what the purpose of the 2nd router is?  Why not instead 
of a router put a switch there, and then (assuming you need another WiFi 
access point at that position), plug the 2 PCs and a wireless access point 
(not sure of the right name) into the switch.

(That, in essence, is how my local LAN is set up, except I have a router with 
two switches and two wireless access points, each plugged into one of the 
switches (different parts of the house).)



Re: Help needed with home network configuration

2018-03-16 Thread Joe
On Thu, 15 Mar 2018 23:26:38 -0400
rhkra...@gmail.com wrote:

> On Thursday, March 15, 2018 09:42:25 PM David Wright wrote:
> > On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:  
> > > On Wed, 14 Mar 2018, David Wright wrote:  
> > > > When you reprogram routers with dd-wrt, does that allow it to
> > > > do, say, wired bridging even though the manufacturer's firmware
> > > > doesn't allow for that?  
> > > 
> > > openwrt and dd-wrt both allow wired bridging[1] (or
> > > pseudo-bridging by routing if your wireless hardware doesn't
> > > support that).
> > > 
> > > 
> > > 1: I suppose there might be some network hardware which doesn't
> > > support actual bridging of wired interfaces, but I've yet to see
> > > such an example.  
> > 
> > I think the router I've been using for the last few years is one.
> > Although the User Manual from May 2013¹ has a brief section on
> > bridging, the June 2014² revision is missing that part. Both have
> > a "Wireless Repeating" link on the figure for Advanced Wireless
> > Settings, but the link is not present in the actual configuration
> > screen on the device.
> > 
> > In any case, the May 2013 manual says that to use it as a repeater,
> > even wired, you have to set security to WEP or None. That's no use.
> > 
> > I wandered into BestBuy and couldn't find much about bridging on
> > any of their router boxes. (Obviously I'm eschewing so-called
> > WiFi Wireless Repeaters.) What I'm trying to ascertain is that
> > all the wired bridging functionality is performed by the software
> > and not any special hardware in the device.

I'd have thought that hardwired hubs are long gone, that all devices
with multiple Ethernet ports are switches and therefore software-based.
Indeed, many routers can be configured as VLANs.

I had a different problem recently, trying to work out which of a few
high-bandwidth 802.11ac routers could be configured in pairs as wireless
point-to-point links, which also uses the term 'bridging', and no, they
can't all do it. But documentation is usually very poor for the
lesser-used functions of most things. 'Bridging' is also used to mean
wireless repeating, which is a different thing again.

> > 
> > Required topology:
> > 
> > 
> > ╲│╱   ╲│╱ ╲│╱
> >  ┌───┐ ┌───┐   ┌───┐
> >  │W L╞CAT5 │W L╞═PC│ ROKUs │
> > [Modem]══╡A A╞═╡A A╞   │  etc  │
> >  │N N╞ │N N╞   └───┘
> >  │   ╞═PC  │   ╞═PC
> >  └───┘ └───┘
> > 
> > 
> > ¹ WNDR3400v3_UM_10May2013.pdf
> > ² WNDR3400v3_UM_19June2014.pdf  
> 
> I haven't paid attention to this thread from the beginning, but
> looking at the sketch, I'm wondering what the purpose of the 2nd
> router is?  Why not instead of a router put a switch there, and then
> (assuming you need another WiFi access point at that position), plug
> the 2 PCs and a wireless access point (not sure of the right name)
> into the switch.

The network between the routers is a low-security DMZ, with access to
the main network only through the port-forwarding of the second router.

I have an Internet router, which provides occasional wireless for
visitors, and a server acting as a firewall leading to the rest of the
network, so there's no wireless access to the main network, though I do
have an old wireless router that I can plug in if I need it temporarily.

-- 
Joe



Re: Help needed with home network configuration

2018-03-16 Thread rhkramer
On Friday, March 16, 2018 04:48:50 AM Joe wrote:
> On Thu, 15 Mar 2018 23:26:38 -0400
> rhkra...@gmail.com wrote:

...

> > I haven't paid attention to this thread from the beginning, but
> > looking at the sketch, I'm wondering what the purpose of the 2nd
> > router is?  Why not instead of a router put a switch there, and then
> > (assuming you need another WiFi access point at that position), plug
> > the 2 PCs and a wireless access point (not sure of the right name)
> > into the switch.
> 
> The network between the routers is a low-security DMZ, with access to
> the main network only through the port-forwarding of the second router.
> 
> I have an Internet router, which provides occasional wireless for
> visitors, and a server acting as a firewall leading to the rest of the
> network, so there's no wireless access to the main network, though I do
> have an old wireless router that I can plug in if I need it temporarily.

Ahh, understood, thanks! 

I haven't had the need to do that, and I'm not quite sure how I would go about
it, but (thinking on the fly now), I might try putting a switch immediately
after the modem, with two routers plugged into that, then a router and one
firewall (and one WAP) for the DMZ, and the 2nd router, with a stronger
firewall, and 2nd WAP for the LAN.

(I like switches ;-)  (Of course, most routers incorporate a switch, iiuc.)




Re: Help needed with home network configuration

2018-03-16 Thread rhkramer
On Friday, March 16, 2018 08:53:00 AM rhkra...@gmail.com wrote:
> I haven't had the need to do that, and I'm not quite sure how I would go
> about it, but (thinking on the fly now), I might try putting a switch
> immediately after the modem, with two routers plugged into that, then a
> router and one firewall (and one WAP) for the DMZ, and the 2nd router,
> with a stronger firewall, and 2nd WAP for the LAN.
> 
> (I like switches ;-)  (Of course, most routers incorporate a switch, iiuc.)

Oh, thinking about it a little more (but not much ;-) , I may be assuming that 
the modem has the capability to serve as a, I guess you'd call it a DHCP 
server--mine does.  (Although I don't use it that way--in my case, I installed 
and prefer to use a Ubiquiti edge router immediately after the modem (with the 
modem in "bridge mode" (in at least one sense of the way "bridge" is used)--I 
forget all the reasons--oh, now I remember--I have some VOIP phones on the 
LAN, and the Ubiquiti lets me set up some QOS stuff to give them higher 
priority.)

If my modem didn't have that capability, or maybe even if it did, I might route
everything through a (probably, again, a Ubiquiti edge router), then to one
router for the DMZ and one router for the LAN.  

(I wish my brain worked more like it did  when I was younger.  Well, at least 
in some respects ;-)




Re: Help needed with home network configuration

2018-03-16 Thread Dan Purgert
David Wright wrote:
>
> On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:
>> On Wed, 14 Mar 2018, David Wright wrote:
>> > When you reprogram routers with dd-wrt, does that allow it to do, say,
>> > wired bridging even though the manufacturer's firmware doesn't allow
>> > for that?
>> 
>> openwrt and dd-wrt both allow wired bridging[1] (or pseudo-bridging by
>> routing if your wireless hardware doesn't support that).
>> 
>> 
>> 1: I suppose there might be some network hardware which doesn't support
>> actual bridging of wired interfaces, but I've yet to see such an
>> example.
>
> I think the router I've been using for the last few years is one.
> Although the User Manual from May 2013¹ has a brief section on
> bridging, the June 2014² revision is missing that part. Both have
> a "Wireless Repeating" link on the figure for Advanced Wireless
> Settings, but the link is not present in the actual configuration
> screen on the device.

That's probably talking about "WDS bridging", not what Don is talking
about.  That's an entirely different can of worms.

> Required topology:
>
>
> ╲│╱   ╲│╱ ╲│╱
>  ┌───┐ ┌───┐   ┌───┐
>  │W L╞CAT5 │W L╞═PC│ ROKUs │
> [Modem]══╡A A╞═╡A A╞   │  etc  │
>  │N N╞ │N N╞   └───┘
>  │   ╞═PC  │   ╞═PC
>  └───┘ └───┘
>
>
> ¹ WNDR3400v3_UM_10May2013.pdf
> ² WNDR3400v3_UM_19June2014.pdf

"PC" on the left side won't be able to talk to anything connected to the
right side (unless you punch holes in the "WAN" of the right-side
router). Suppose if that's your goal, it'll work fine (barring
double-NAT for the right-side devices, if that matters).

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-03-16 Thread Dan Purgert
Joe wrote:
> [...]
> I'd have thought that hardwired hubs are long gone, that all devices
> with multiple Ethernet ports are switches and therefore software-based.
> Indeed, many routers can be configured as VLANs.

Hubs pretty much are.  Not entirely sure where you're thinking switches
are "software-based" though. Switching is typically done in ASICs these
days ... 

>
> I had a different problem recently, trying to work out which of a few
> high-bandwidth 802.11ac routers could be configured in pairs as wireless
> point-to-point links, which also uses the term 'bridging', and no, they
> can't all do it. But documentation is usually very poor for the
> lesser-used functions of most things. 'Bridging' is also used to mean
> wireless repeating, which is a different thing again.

Honestly, I'd never trust an "all-in-one" consumer router for that (even
if it "supports" it on the box). Pair of purpose-built radios (e.g.
Ubiquiti AirMAX) would probably do best for that situation.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-03-16 Thread David Wright
On Thu 15 Mar 2018 at 23:26:38 (-0400), rhkra...@gmail.com wrote:
> On Thursday, March 15, 2018 09:42:25 PM David Wright wrote:
> > On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:
> > > On Wed, 14 Mar 2018, David Wright wrote:
> > > > When you reprogram routers with dd-wrt, does that allow it to do, say,
> > > > wired bridging even though the manufacturer's firmware doesn't allow
> > > > for that?
> > > 
> > > openwrt and dd-wrt both allow wired bridging[1] (or pseudo-bridging by
> > > routing if your wireless hardware doesn't support that).
> > > 
> > > 
> > > 1: I suppose there might be some network hardware which doesn't support
> > > actual bridging of wired interfaces, but I've yet to see such an
> > > example.
> > 
> > I think the router I've been using for the last few years is one.
> > Although the User Manual from May 2013¹ has a brief section on
> > bridging, the June 2014² revision is missing that part. Both have
> > a "Wireless Repeating" link on the figure for Advanced Wireless
> > Settings, but the link is not present in the actual configuration
> > screen on the device.
> > 
> > In any case, the May 2013 manual says that to use it as a repeater,
> > even wired, you have to set security to WEP or None. That's no use.
> > 
> > I wandered into BestBuy and couldn't find much about bridging on
> > any of their router boxes. (Obviously I'm eschewing so-called
> > WiFi Wireless Repeaters.) What I'm trying to ascertain is that
> > all the wired bridging functionality is performed by the software
> > and not any special hardware in the device.
> > 
> > Required topology:
> > 
> > 
> > ╲│╱   ╲│╱ ╲│╱
> >  ┌───┐ ┌───┐   ┌───┐
> >  │W L╞CAT5 │W L╞═PC│ ROKUs │
> > [Modem]══╡A A╞═╡A A╞   │  etc  │
> >  │N N╞ │N N╞   └───┘
> >  │   ╞═PC  │   ╞═PC
> >  └───┘ └───┘
> > 
> > 
> > ¹ WNDR3400v3_UM_10May2013.pdf
> > ² WNDR3400v3_UM_19June2014.pdf
> 
> I haven't paid attention to this thread from the beginning, but looking at
> the sketch, I'm wondering what the purpose of the 2nd router is?  Why not
> instead of a router put a switch there, and then (assuming you need another
> WiFi access point at that position), plug the 2 PCs and a wireless access
> point (not sure of the right name) into the switch.

The diagram shows the hypothetical relationship of the two routers.
Both should be transmitting WiFi with the same SSID so that a laptop
can wander between them transparently. The Rokus don't wander while
in use, but they should be able to be placed arbitrarily within range
of either router.

The left PC would probably be used mainly for playing files and
internet into hifi. The right PCs might be a docked laptop, a
server, and perhaps a wired Roku. But everything should behave as
if it was in one network on one router.

> (That, in essence, is how my local LAN is setup except I have a router with
> two switches and two wireless access points, each plugged into one of the 
> switches (different parts of the house).

But that means you have five/six pieces of equipment to connect up.
I can see advantages in my separate modem and router (for one thing,
the modem is currently on the left above and my router is in the
position of the one at the right) but buying two switches and two WAPs
seems a bit extreme. I'm servicing a house, not a small business.

Cheers,
David.



Re: Help needed with home network configuration

2018-03-16 Thread David Wright
On Fri 16 Mar 2018 at 13:09:00 (-), Dan Purgert wrote:
> David Wright wrote:
> >
> > On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:
> >> On Wed, 14 Mar 2018, David Wright wrote:
> >> > When you reprogram routers with dd-wrt, does that allow it to do, say,
> >> > wired bridging even though the manufacturer's firmware doesn't allow
> >> > for that?
> >> 
> >> openwrt and dd-wrt both allow wired bridging[1] (or pseudo-bridging by
> >> routing if your wireless hardware doesn't support that).
> >> 
> >> 
> >> 1: I suppose there might be some network hardware which doesn't support
> >> actual bridging of wired interfaces, but I've yet to see such an
> >> example.
> >
> > I think the router I've been using for the last few years is one.
> > Although the User Manual from May 2013¹ has a brief section on
> > bridging, the June 2014² revision is missing that part. Both have
> > a "Wireless Repeating" link on the figure for Advanced Wireless
> > Settings, but the link is not present in the actual configuration
> > screen on the device.
> 
> That's probably talking about "WDS bridging", not what Don is talking
> about.  That's an entirely different can of worms.

That's what I don't want, if it means the router-router connection
is wireless because (a) we have the CAT5 cable available and
(b) poor wireless transmission between the two areas is the problem
I'm trying to solve.

> > Required topology:
> >
> >
> > ╲│╱   ╲│╱ ╲│╱
> >  ┌───┐ ┌───┐   ┌───┐
> >  │W L╞CAT5 │W L╞═PC│ ROKUs │
> > [Modem]══╡A A╞═╡A A╞   │  etc  │
> >  │N N╞ │N N╞   └───┘
> >  │   ╞═PC  │   ╞═PC
> >  └───┘ └───┘
> >
> >
> > ¹ WNDR3400v3_UM_10May2013.pdf
> > ² WNDR3400v3_UM_19June2014.pdf
> 
> "PC" on the left side won't be able to talk to anything connected to the
> right side (unless you punch holes in the "WAN" of the right-side
> router). Suppose if that's your goal, it'll work fine (barring
> double-NAT for the right-side devices, if that matters).

Well, I *think* that that "punching" is the functionality that some
routers have and others don't. I'm trying to determine whether the
router Left does anything out of the ordinary other than notice rather
heavy traffic out of one port. If not, then I could put our current
router as Left and buy a better one for Right.

I think the double NAT is essential as Left can only send to one MAC
and therefore one IP address out of the CAT5 port.

What I need to contradict in my previous post is that the two routers
*can* use different SSIDs, because anything that roams is able to
switch between different SSIDs. The Rokus don't roam in that sense,
and can manually select between different networks if and when we
move them about. (They are three different models with different
pros and cons.)

So I think what I want is something like
http://smallbusiness.chron.com/run-two-routers-off-one-cable-connection-56718.html
and not (so much) something like
http://smallbusiness.chron.com/setting-up-wireless-routers-same-ssid-68675.html
where the router-router link is LAN-LAN.
But I'd be happy to try the second method instead if that meant
I could keep this router. Not, however, if I had to use WEP/None
for security. (I can't work out the relevance of that demand in
the User Manual.)

Cheers,
David.



Re: Help needed with home network configuration

2018-03-16 Thread David Wright
On Fri 16 Mar 2018 at 08:48:50 (+), Joe wrote:
> On Thu, 15 Mar 2018 23:26:38 -0400
> rhkra...@gmail.com wrote:
> 
> > On Thursday, March 15, 2018 09:42:25 PM David Wright wrote:
> > > On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:  
> > > > On Wed, 14 Mar 2018, David Wright wrote:  
> > > > > When you reprogram routers with dd-wrt, does that allow it to
> > > > > do, say, wired bridging even though the manufacturer's firmware
> > > > > doesn't allow for that?  
> > > > 
> > > > openwrt and dd-wrt both allow wired bridging[1] (or
> > > > pseudo-bridging by routing if your wireless hardware doesn't
> > > > support that).
> > > > 
> > > > 
> > > > 1: I suppose there might be some network hardware which doesn't
> > > > support actual bridging of wired interfaces, but I've yet to see
> > > > such an example.  
> > > 
> > > I think the router I've been using for the last few years is one.
> > > Although the User Manual from May 2013¹ has a brief section on
> > > bridging, the June 2014² revision is missing that part. Both have
> > > a "Wireless Repeating" link on the figure for Advanced Wireless
> > > Settings, but the link is not present in the actual configuration
> > > screen on the device.
> > > 
> > > In any case, the May 2013 manual says that to use it as a repeater,
> > > even wired, you have to set security to WEP or None. That's no use.
> > > 
> > > I wandered into BestBuy and couldn't find much about bridging on
> > > any of their router boxes. (Obviously I'm eschewing so-called
> > > WiFi Wireless Repeaters.) What I'm trying to ascertain is that
> > > all the wired bridging functionality is performed by the software
> > > and not any special hardware in the device.
> 
> I'd have thought that hardwired hubs are long gone, that all devices
> with multiple Ethernet ports are switches and therefore software-based.
> Indeed, many routers can be configured as VLANs.

I guess I missed where "hubs" came into the conversation. Anyway,
I was hoping to carry on using the current router if that were
possible, but might have to bite the bullet and buy two replacements
for it.

> I had a different problem recently, trying to work out which of a few
> high-bandwidth 802.11ac routers could be configured in pairs as wireless
> point-to-point links, which also uses the term 'bridging', and no, they
> can't all do it. But documentation is usually very poor for the
> lesser-used functions of most things. 'Bridging' is also used to mean
> wireless repeating, which is a different thing again.

Yes, and wireless repeating is rather ambiguous. I want the repeater
to be a wireless device, but connected to the other one by a CAT5 cable.

> > > Required topology:
> > > 
> > > 
> > > ╲│╱   ╲│╱ ╲│╱
> > >  ┌───┐ ┌───┐   ┌───┐
> > >  │W L╞CAT5 │W L╞═PC│ ROKUs │
> > > [Modem]══╡A A╞═╡A A╞   │  etc  │
> > >  │N N╞ │N N╞   └───┘
> > >  │   ╞═PC  │   ╞═PC
> > >  └───┘ └───┘
> > > 
> > > 
> > > ¹ WNDR3400v3_UM_10May2013.pdf
> > > ² WNDR3400v3_UM_19June2014.pdf  
> > 
> > I haven't paid attention to this thread from the beginning, but
> > looking at the sketch, I'm wondering what the purpose of the 2nd
> > router is?  Why not instead of a router put a switch there, and then
> > (assuming you need another WiFi access point at that position), plug
> > the 2 PCs and a wireless access point (not sure of the right name)
> > into the switch.
> 
> The network between the routers is a low-security DMZ, with access to
> the main network only through the port-forwarding of the second router.

OK, assuming you're talking about my diagram and not rhkramer's paragraph
(which doesn't have two routers), I guess you mean Left is the main
network and Right is the second router. I don't want "low security",
and I'm not sure what the implications of the term DMZ are.

What you see in the diagram is what I want to set up, except I haven't
specified exactly which item is wired to which port on which router,
or which wifi device is positioned close to which router.

> I have an Internet router, which provides occasional wireless for
> visitors, and a server acting as a firewall leading to the rest of the
> network, so there's no wireless access to the main network, though I do
> have an old wireless router that I can plug in if I need it temporarily.

This is a house rather than a B&B; there's no guest network here.
Every device needs access to the Internet and to every other device
on both routers (except the only access we'd expect *to* the Rokus
would be to ping them to see if we'd left the TV on).

As I mentioned in my previous post, there is a scheme involving a
LAN-LAN connection rather than LAN-WAN between the routers, but
I haven't figured out whether I'd benefit from that in the sense
of being able to

Re: Help needed with home network configuration

2018-03-16 Thread Don Armstrong
On Thu, 15 Mar 2018, David Wright wrote:
> On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:
> > 1: I suppose there might be some network hardware which doesn't
> > support actual bridging of wired interfaces, but I've yet to see
> > such an example.
> 
> I think the router I've been using for the last few years is one.

The software might not support it, but if openwrt or ddwrt can run on
the hardware, they should support bridging.

> Required topology:
> 
> ╲│╱   ╲│╱ ╲│╱
>  ┌───┐ ┌───┐   ┌───┐
>  │W L╞CAT5 │W L╞═PC│ ROKUs │
> [Modem]══╡A A╞═╡A A╞   │  etc  │
>  │N N╞ │N N╞   └───┘
>  │   ╞═PC  │   ╞═PC
>  └───┘ └───┘

I suggest that you instead run the second router as a switch with an
attached wireless AP instead, and if necessary, create additional
wireless networks which both APs broadcast for visitors/DMZs, and
additional VLANs/VPNs to do your DMZ/high security area. [You can also
add additional wireless APs and/or switches if you need them, too.]

Of course, you'll have to run openwrt or ddwrt to actually do this; most
built-in router firmware doesn't let you do this, because otherwise you
might not buy the more expensive "enterprise" kit.

-- 
Don Armstrong  https://www.donarmstrong.com

No matter how many instances of white swans we may have observed, this
does not justify the conclusion that all swans are white.
 -- Sir Karl Popper _Logic of Scientific Discovery_



Re: Help needed with home network configuration

2018-03-16 Thread David Wright
On Fri 16 Mar 2018 at 10:24:36 (-0700), Don Armstrong wrote:
> On Thu, 15 Mar 2018, David Wright wrote:
> > On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:
> > > 1: I suppose there might be some network hardware which doesn't
> > > support actual bridging of wired interfaces, but I've yet to see
> > > such an example.
> > 
> > I think the router I've been using for the last few years is one.
> 
> The software might not support it, but if openwrt or ddwrt can run on
> the hardware, they should support bridging.

I can make sure the router I buy can run openwrt or ddwrt, but it
would be handy to know if I need to buy two or whether the current
one can at least do the job at one end of the diagram.

> > Required topology:
> > 
> > ╲│╱   ╲│╱ ╲│╱
> >  ┌───┐ ┌───┐   ┌───┐
> >  │W L╞CAT5 │W L╞═PC│ ROKUs │
> > [Modem]══╡A A╞═╡A A╞   │  etc  │
> >  │N N╞ │N N╞   └───┘
> >  │   ╞═PC  │   ╞═PC
> >  └───┘ └───┘
> 
> I suggest that you instead run the second router as a switch with an
> attached wireless AP instead,

So you're saying that a router can run as a switch. This is presumably
by just ignoring the WAN port and using just the LANs?¹ And what does
buying a WAP do that the wireless on the router can't cope with?

> and if necessary, create additional
> wireless networks which both APs broadcast for visitors/DMZs,

I don't have any visitors and I don't know what I'd do in a DMZ.

> and
> additional VLANs/VPNs to do your DMZ/high security area.

I haven't got a DMZ or a "high security area". When I mentioned
security, it was because I don't want to run WEP/None security
on the wireless instead of the current WPS2/AES. For who knows
what reason, using any sort of bridging/repeating functionality
in the router necessitated reducing the wireless to WEP. Perhaps
the router has 16 bytes of memory and it can't do too many things
at once.

> [You can also
> add additional wireless APs and/or switches if you need them, too.]

Um, look, there's one house, one wife, small budget, and the current
box count is already at two.

Let's just imagine there's a wireless-proof gauze screen between the
two halves of the house. One router in each half is up to the task
of covering its half but no more. At the moment, one half of the
house (ironically the side with the modem) has next to no coverage.

> Of course, you'll have to run openwrt or ddwrt to actually do this; most
> built-in router firmware doesn't let you do this, because otherwise you
> might not buy the more expensive "enterprise" kit.

¹ ie what's outlined in this one
http://smallbusiness.chron.com/setting-up-wireless-routers-same-ssid-68675.html

Cheers,
David.



Re: Help needed with home network configuration

2018-03-16 Thread Don Armstrong
On Fri, 16 Mar 2018, David Wright wrote:
> On Fri 16 Mar 2018 at 10:24:36 (-0700), Don Armstrong wrote:
> > The software might not support it, but if openwrt or ddwrt can run
> > on the hardware, they should support bridging.
> 
> I can make sure the router I buy can run openwrt or ddwrt, but it
> would be handy to know if I need to buy two or whether the current one
> can at least do the job at one end of the diagram.

It's likely that they can run ddwrt or openwrt, but you'd have to check.

> > I suggest that you instead run the second router as a switch with an
> > attached wireless AP instead,
> 
> So you're saying that a router can run as a switch. This is presumably
> by just ignoring the WAN port and using just the LANs?¹

Yes, assuming you disable the dhcp server on the second router. [Or you
could bridge the WAN port into the lan bridge, and use all of the
ports. You'll need openwrt to do that; most router firmware doesn't
support that setup.]

> And what does buying a WAP do that the wireless on the router can't
> cope with?

Nothing; my point was just that's what you should do with your existing
equipment. [IE, totally ignore the router functionality of the second
router.]

> Let's just imagine there's a wireless-proof gauze screen between the
> two halves of the house. One router in each half is up to the task of
> covering its half but no more. At the moment, one half of the house
> (ironically the side with the modem) has next to no coverage.

> ¹ ie what's outlined in this one
> http://smallbusiness.chron.com/setting-up-wireless-routers-same-ssid-68675.html

Right; this is basically how you cover areas where a single AP won't cut
it.


-- 
Don Armstrong  https://www.donarmstrong.com

I would like to be the air
that inhabits you for a moment
only. I would like to be that unnoticed
& that necessary.
 -- Margaret Atwood "Poetry in Motion" p140



Re: Help needed with home network configuration

2018-03-16 Thread David Wright
On Fri 16 Mar 2018 at 12:49:16 (-0700), Don Armstrong wrote:
> On Fri, 16 Mar 2018, David Wright wrote:
> > On Fri 16 Mar 2018 at 10:24:36 (-0700), Don Armstrong wrote:
> > > The software might not support it, but if openwrt or ddwrt can run
> > > on the hardware, they should support bridging.
> > 
> > I can make sure the router I buy can run openwrt or ddwrt, but it
> > would be handy to know if I need to buy two or whether the current one
> > can at least do the job at one end of the diagram.
> 
> It's likely that they can run ddwrt or openwrt, but you'd have to check.
> 
> > > I suggest that you instead run the second router as a switch with an
> > > attached wireless AP instead,
> > 
> > So you're saying that a router can run as a switch. This is presumably
> > by just ignoring the WAN port and using just the LANs?¹
> 
> Yes, assuming you disable the dhcp server on the second router. [Or you
> could bridge the WAN port into the lan bridge, and use all of the
> ports. You'll need openwrt to do that; most router firmware doesn't
> support that setup.]
> 
> > And what does buying a WAP do that the wireless on the router can't
> > cope with?
> 
> Nothing; my point was just that's what you should do with your existing
> equipment. [IE, totally ignore the router functionality of the second
> router.]
> 
> > Let's just imagine there's a wireless-proof gauze screen between the
> > two halves of the house. One router in each half is up to the task of
> > covering its half but no more. At the moment, one half of the house
> > (ironically the side with the modem) has next to no coverage.
> 
> > ¹ ie what's outlined in this one
> > http://smallbusiness.chron.com/setting-up-wireless-routers-same-ssid-68675.html
> 
> Right; this is basically how you cover areas where a single AP won't cut
> it.

That's all been a great help, thanks. I think I can see paths
forward. I'm going to be reading a lot of specs.

Cheers,
David.



Re: Help needed with home network configuration

2018-03-19 Thread Dan Purgert
David Wright wrote:
> On Fri 16 Mar 2018 at 13:09:00 (-), Dan Purgert wrote:
>> David Wright wrote:
>> >
>> > On Thu 15 Mar 2018 at 10:18:20 (-0700), Don Armstrong wrote:
>> >> On Wed, 14 Mar 2018, David Wright wrote:
>> >> > When you reprogram routers with dd-wrt, does that allow it to do, say,
>> >> > wired bridging even though the manufacturer's firmware doesn't allow
>> >> > for that?
>> >> 
>> >> openwrt and dd-wrt both allow wired bridging[1] (or pseudo-bridging by
>> >> routing if your wireless hardware doesn't support that).
>> >> 
>> >> 
>> >> 1: I suppose there might be some network hardware which doesn't support
>> >> actual bridging of wired interfaces, but I've yet to see such an
>> >> example.
>> >
>> > I think the router I've been using for the last few years is one.
>> > Although the User Manual from May 2013¹ has a brief section on
>> > bridging, the June 2014² revision is missing that part. Both have
>> > a "Wireless Repeating" link on the figure for Advanced Wireless
>> > Settings, but the link is not present in the actual configuration
>> > screen on the device.
>> 
>> That's probably talking about "WDS bridging", not what Don is talking
>> about.  That's an entirely different can of worms.
>
> That's what I don't want, if it means the router-router connection
> is wireless because (a) we have the CAT5 cable available and
> (b) poor wireless transmission between the two areas is the problem
> I'm trying to solve.

Why not scrap "router 2" (on the right), and use a switch?  If you need
wifi, throw in a Ubiquiti UAP-AC-LITE with the switch, and call it a
day.

If it's a bit of "well, I have this stuff already; and can't really
afford new stuff ..."

(1) TURN OFF all the "all-in-one router" features -- DNS, DHCP, etc.
(2) Set the "LAN" address of Router2 (right router) to something in the
network provided by Router1 -- e.g. 192.168.0.2
(3) Plug the cat5 cable from Router1 into LAN1 of Router2, IGNORE the
"WAN" port.
(4) If you have two different WiFi SSIDs, rename Router2 to the same
SSID as Router1 (Password too).

I think I got the other bits from below up here as well ... 


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
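
The four steps in the message above, as an added example that is not part of the original post: a shell function that checks the planned values and prints an OpenWrt `uci batch` script for Router2, keeping WPA2 with AES (CCMP) on the wireless rather than WEP/None. Assumptions not taken from the thread: Router2 runs OpenWrt, Router1 is at 192.168.0.1 on a /24, the radio is the first `wifi-iface` section, and the SSID and passphrase are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): generate the uci settings that turn an
# OpenWrt router into a plain switch + access point ("Router2" in the post).

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# dumb_ap_uci ROUTER1_IP ROUTER2_IP SSID PASSPHRASE
# Prints a `uci batch` script on stdout; returns 1 (and prints nothing on
# stdout) if the plan would break the network or weaken the wireless.
dumb_ap_uci() {
    router1_ip=$1 router2_ip=$2 ssid=$3 key=$4

    is_ipv4 "$router1_ip" && is_ipv4 "$router2_ip" || {
        echo "error: invalid IPv4 address" >&2; return 1; }

    # Step 2: Router2's LAN address must sit inside Router1's network
    # (a /24 is assumed here) and must not collide with Router1 itself.
    [ "${router1_ip%.*}" = "${router2_ip%.*}" ] || {
        echo "error: $router2_ip is not in the /24 of $router1_ip" >&2; return 1; }
    [ "$router1_ip" != "$router2_ip" ] || {
        echo "error: Router2 must not reuse Router1's address" >&2; return 1; }

    # Step 4: same SSID and password as Router1. WPA2-PSK passphrases are
    # 8..63 characters; anything shorter cannot be used with psk2.
    [ -n "$ssid" ] && [ "${#key}" -ge 8 ] && [ "${#key}" -le 63 ] || {
        echo "error: need an SSID and an 8..63 character passphrase" >&2; return 1; }

    # Values are emitted inside single quotes, so refuse embedded quotes.
    case "$ssid$key" in
        *"'"*) echo "error: single quote in SSID or passphrase" >&2; return 1 ;;
    esac

    # Step 1: dhcp.lan.ignore='1' stops Router2 answering DHCP on the LAN.
    # Step 3 is physical: cable from Router1 into a LAN port, WAN left empty.
    cat <<EOF
set network.lan.proto='static'
set network.lan.ipaddr='$router2_ip'
set network.lan.netmask='255.255.255.0'
set network.lan.gateway='$router1_ip'
set network.lan.dns='$router1_ip'
set dhcp.lan.ignore='1'
set wireless.@wifi-iface[0].ssid='$ssid'
set wireless.@wifi-iface[0].encryption='psk2+ccmp'
set wireless.@wifi-iface[0].key='$key'
commit
EOF
}

# Constructed sample values; on the router, pipe the output into `uci batch`.
dumb_ap_uci 192.168.0.1 192.168.0.2 'home-net' 'constructed-passphrase-1'
```

Review the printed settings before applying them, and pick a Router2 address outside Router1's DHCP pool so the two never hand out or hold the same address.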



Re: Help needed with home network configuration

2018-03-30 Thread Celejar
On Fri, 16 Mar 2018 13:13:30 - (UTC)
Dan Purgert  wrote:

> Joe wrote:
> > [...]
> > I'd have thought that hardwired hubs are long gone, that all devices
> > with multiple Ethernet ports are switches and therefore software-based.
> > Indeed, many routers can be configured as VLANs.
> 
> Hubs pretty much are.  Not entirely sure where you're thinking switches
> are "software-based" though. Switching is typically done in ASICs these
> days ... 
> 
> >
> > I had a different problem recently, trying to work out which of a few
> > high-bandwidth 802.11ac routers could be configured in pairs as wireless
> > point-to-point links, which also uses the term 'bridging', and no, they
> > can't all do it. But documentation is usually very poor for the
> > lesser-used functions of most things. 'Bridging' is also used to mean
> > wireless repeating, which is a different thing again.
> 
> Honestly, I'd never trust an "all-in-one" consumer router for that (even
> if it "supports" it on the box). Pair of purpose-built radios (e.g.
> Ubiquiti AirMAX) would probably do best for that situation.

FWIW, I recently followed these directions:

https://wiki.openwrt.org/doc/recipes/atheroswds

to use an old Buffalo WZR-HP-G300NH to bring network connectivity to a
server in a location without ethernet cabling and lacking wireless
hardware. The Buffalo is configured as a wireless client connecting to
the main switch / router / AP (a TP-Link Archer [A]C2600), and the
Buffalo's wired switch is bridged to the rest of the network. The
TP-Link and Buffalo are both running OpenWRT [LEDE].

I'm not sure if I'm using the terminology correctly, but what this
means in practice is that I have one big network, with all wireless and
wired clients of the main AP [except those on the guest wireless
network, of course], as well as the wired clients of the Buffalo, on
the same network. [I haven't enabled access point functionality on the
Buffalo, since I don't need it.]

Works flawlessly, once I managed to follow the directions correctly ;)
This is the opposite of common multi-ap solutions, that use wired
backhaul and provide wireless connectivity to clients. In my
configuration, I use the 2.4 GHz wireless band for the "backhaul" (my
main wireless clients are using the 5 GHz band), and the server is
wired to the Buffalo.

Celejar



Re: Help needed with home network configuration

2018-04-03 Thread Dan Purgert
Celejar wrote:
> On Fri, 16 Mar 2018 13:13:30 - (UTC)
> Dan Purgert  wrote:
>
>> Joe wrote:
>> > [...]
>> > I'd have thought that hardwired hubs are long gone, that all devices
>> > with multiple Ethernet ports are switches and therefore software-based.
>> > Indeed, many routers can be configured as VLANs.
>> 
>> Hubs pretty much are.  Not entirely sure where you're thinking switches
>> are "software-based" though. Switching is typically done in ASICs these
>> days ... 
>> 
>> >
>> > I had a different problem recently, trying to work out which of a few
>> > high-bandwidth 802.11ac routers could be configured in pairs as wireless
>> > point-to-point links, which also uses the term 'bridging', and no, they
>> > can't all do it. But documentation is usually very poor for the
>> > lesser-used functions of most things. 'Bridging' is also used to mean
>> > wireless repeating, which is a different thing again.
>> 
>> Honestly, I'd never trust an "all-in-one" consumer router for that (even
>> if it "supports" it on the box). Pair of purpose-built radios (e.g.
>> Ubiquiti AirMAX) would probably do best for that situation.
>
> FWIW, I recently followed these directions:
>
> https://wiki.openwrt.org/doc/recipes/atheroswds
>
> to use an old Buffalo WZR-HP-G300NH to bring network connectivity to a
> server in a location without ethernet cabling and lacking wireless
> hardware. The Buffalo is configured as a wireless client connecting to
> the main switch / router / AP (a TP-Link Archer [A]C2600), and the
> Buffalo's wired switch is bridged to the rest of the network. The
> TP-Link and Buffalo are both running OpenWRT [LEDE].
>
> I'm not sure if I'm using the terminology correctly [...]

Yep, you've got the terms right.  

Does the buffalo also provide wifi access to other clients close to it?
or is it JUST trying to pretend that it's a client device to the
TP-Link?

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-04-05 Thread Celejar
On Tue, 3 Apr 2018 11:30:24 - (UTC)
Dan Purgert  wrote:

> Celejar wrote:
> > On Fri, 16 Mar 2018 13:13:30 - (UTC)
> > Dan Purgert  wrote:
> >
> >> Joe wrote:
> >> > [...]
> >> > I'd have thought that hardwired hubs are long gone, that all devices
> >> > with multiple Ethernet ports are switches and therefore software-based.
> >> > Indeed, many routers can be configured as VLANs.
> >> 
> >> Hubs pretty much are.  Not entirely sure where you're thinking switches
> >> are "software-based" though. Switching is typically done in ASICs these
> >> days ... 
> >> 
> >> >
> >> > I had a different problem recently, trying to work out which of a few
> >> > high-bandwidth 802.11ac routers could be configured in pairs as wireless
> >> > point-to-point links, which also uses the term 'bridging', and no, they
> >> > can't all do it. But documentation is usually very poor for the
> >> > lesser-used functions of most things. 'Bridging' is also used to mean
> >> > wireless repeating, which is a different thing again.
> >> 
> >> Honestly, I'd never trust an "all-in-one" consumer router for that (even
> >> if it "supports" it on the box). Pair of purpose-built radios (e.g.
> >> Ubiquiti AirMAX) would probably do best for that situation.
> >
> > FWIW, I recently followed these directions:
> >
> > https://wiki.openwrt.org/doc/recipes/atheroswds
> >
> > to use an old Buffalo WZR-HP-G300NH to bring network connectivity to a
> > server in a location without ethernet cabling and lacking wireless
> > hardware. The Buffalo is configured as a wireless client connecting to
> > the main switch / router / AP (a TP-Link Archer [A]C2600), and the
> > Buffalo's wired switch is bridged to the rest of the network. The
> > TP-Link and Buffalo are both running OpenWRT [LEDE].
> >
> > I'm not sure if I'm using the terminology correctly [...]
> 
> Yep, you've got the terms right.  
> 
> Does the buffalo also provide wifi access to other clients close to it?
> or is it JUST trying to pretend that it's a client device to the
> TP-Link?

I'm not using the Buffalo to provide wireless connectivity to any
clients. The page I linked to does have instructions for doing that,
but I don't need it.

Celejar



Re: Help needed with home network configuration

2018-04-06 Thread Dan Purgert
Celejar wrote:
> On Tue, 3 Apr 2018 11:30:24 - (UTC)
> Dan Purgert  wrote:
>> [...]
>> 
>> Yep, you've got the terms right.  
>> 
>> Does the buffalo also provide wifi access to other clients close to it?
>> or is it JUST trying to pretend that it's a client device to the
>> TP-Link?
>
> I'm not using the Buffalo to provide wireless connectivity to any
> clients. The page I linked to does have instructions for doing that,
> but I don't need it.

Good deal.  Using the buffalo as a wifi repeater would kill throughput
for everything connected to it :)


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-04-06 Thread David Wright
On Fri 06 Apr 2018 at 10:00:31 (-), Dan Purgert wrote:
> Celejar wrote:
> > On Tue, 3 Apr 2018 11:30:24 - (UTC)
> > Dan Purgert  wrote:
> >> [...]
> >> 
> >> Yep, you've got the terms right.  
> >> 
> >> Does the buffalo also provide wifi access to other clients close to it?
> >> or is it JUST trying to pretend that it's a client device to the
> >> TP-Link?
> >
> > I'm not using the Buffalo to provide wireless connectivity to any
> > clients. The page I linked to does have instructions for doing that,
> > but I don't need it.
> 
> Good deal.  Using the buffalo as a wifi repeater would kill throughput
> for everything connected to it :)

I was under the impression that this would work even with consumer
grade routers if the backhaul was on a different band or, with dual
radio routers, a different channel from the clients.

Cheers,
David.



Re: Help needed with home network configuration

2018-04-06 Thread Dan Purgert
David Wright wrote:
> On Fri 06 Apr 2018 at 10:00:31 (-), Dan Purgert wrote:
>> Celejar wrote:
>> > On Tue, 3 Apr 2018 11:30:24 - (UTC)
>> > Dan Purgert  wrote:
>> >> [...]
>> >> 
>> >> Yep, you've got the terms right.  
>> >> 
>> >> Does the buffalo also provide wifi access to other clients close to it?
>> >> or is it JUST trying to pretend that it's a client device to the
>> >> TP-Link?
>> >
>> > I'm not using the Buffalo to provide wireless connectivity to any
>> > clients. The page I linked to does have instructions for doing that,
>> > but I don't need it.
>> 
>> Good deal.  Using the buffalo as a wifi repeater would kill throughput
>> for everything connected to it :)
>
> I was under the impression that this would work even with consumer
> grade routers if the backhaul was on a different band or, with dual
> radio routers, a different channel from the clients.
>

It's a nuance in the semantics of what it means to "repeat" wifi.
Suffice to say, in order to "repeat" wifi, you have one radio splitting
its time between pretending to be an AP for a client device, and
pretending to be a client device to the upstream AP.


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-04-07 Thread David Wright
On Fri 06 Apr 2018 at 16:26:47 (-), Dan Purgert wrote:
> David Wright wrote:
> > On Fri 06 Apr 2018 at 10:00:31 (-), Dan Purgert wrote:
> >> Celejar wrote:
> >> > On Tue, 3 Apr 2018 11:30:24 - (UTC)
> >> > Dan Purgert  wrote:
> >> >> [...]
> >> >> 
> >> >> Yep, you've got the terms right.  
> >> >> 
> >> >> Does the buffalo also provide wifi access to other clients close to it?
> >> >> or is it JUST trying to pretend that it's a client device to the
> >> >> TP-Link?
> >> >
> >> > I'm not using the Buffalo to provide wireless connectivity to any
> >> > clients. The page I linked to does have instructions for doing that,
> >> > but I don't need it.
> >> 
> >> Good deal.  Using the buffalo as a wifi repeater would kill throughput
> >> for everything connected to it :)
> >
> > I was under the impression that this would work even with consumer
> > grade routers if the backhaul was on a different band or, with dual
> > radio routers, a different channel from the clients.
> >
> 
> It's a nuance in the semantics of what it means to "repeat" wifi.
> Suffice to say, in order to "repeat" wifi, you have one radio splitting
> its time between pretending to be an AP for a client device, and
> pretending to be a client device to the upstream AP.

Then I'm not sure why you wrote "Good deal". I'd be wanting the
wireless connectivity described above as not needed, though obviously
on a separate band/channel. Were you implying that that would kill
throughput for everything too?

Cheers,
David.



Re: Help needed with home network configuration

2018-04-07 Thread Dan Purgert
David Wright wrote:
> On Fri 06 Apr 2018 at 16:26:47 (-), Dan Purgert wrote:
>> 
>> It's a nuance in the semantics of what it means to "repeat" wifi.
>> Suffice to say, in order to "repeat" wifi, you have one radio splitting
>> its time between pretending to be an AP for a client device, and
>> pretending to be a client device to the upstream AP.
>
> Then I'm not sure why you wrote "Good deal". I'd be wanting the
> wireless connectivity described above as not needed, though obviously
> on a separate band/channel. Were you implying that that would kill
> throughput for everything too?

If he's using the buffalo device to "repeat" the wifi signal (which he
isn't), then yes the throughput would tank.


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-04-07 Thread David Wright
On Sat 07 Apr 2018 at 20:17:56 (-), Dan Purgert wrote:
> David Wright wrote:
> > On Fri 06 Apr 2018 at 16:26:47 (-), Dan Purgert wrote:
> >> 
> >> It's a nuance in the semantics of what it means to "repeat" wifi.
> >> Suffice to say, in order to "repeat" wifi, you have one radio splitting
> >> its time between pretending to be an AP for a client device, and
> >> pretending to be a client device to the upstream AP.
> >
> > Then I'm not sure why you wrote "Good deal". I'd be wanting the
> > wireless connectivity described above as not needed, though obviously
> > on a separate band/channel. Were you implying that that would kill
> > throughput for everything too?
> 
> If he's using the buffalo device to "repeat" the wifi signal (which he
> isn't), then yes the throughput would tank.

OK, I'll just assume you don't know. Anybody else actually doing this
(separate band (like 2/5 GHz) or channel (like channel 1/6/11) for the
backhaul (inter-router) link)?

Cheers,
David.



Re: Help needed with home network configuration

2018-04-07 Thread Dan Purgert
David Wright wrote:
> On Sat 07 Apr 2018 at 20:17:56 (-), Dan Purgert wrote:
>> David Wright wrote:
>> > On Fri 06 Apr 2018 at 16:26:47 (-), Dan Purgert wrote:
>> >> 
>> >> It's a nuance in the semantics of what it means to "repeat" wifi.
>> >> Suffice to say, in order to "repeat" wifi, you have one radio splitting
>> >> its time between pretending to be an AP for a client device, and
>> >> pretending to be a client device to the upstream AP.
>> >
>> > Then I'm not sure why you wrote "Good deal". I'd be wanting the
>> > wireless connectivity described above as not needed, though obviously
>> > on a separate band/channel. Were you implying that that would kill
>> > throughput for everything too?
>> 
>> If he's using the buffalo device to "repeat" the wifi signal (which he
>> isn't), then yes the throughput would tank.
>
> OK, I'll just assume you don't know. Anybody else actually doing this
> (separate band (like 2/5 GHz) or channel (like channel 1/6/11) for the
> backhaul (inter-router) link)?

If you have a device repeating a WiFi signal, it *will* use the same
channel as the upstream AP.  It *cannot* use a different channel.

In the event you have a dual-band AP, and the following conditions are
true

  - 5GHz uplink
  - 2.4 GHz for clients

Then you are not "repeating" the WiFi signal to the downstream client
devices (and the throughput losses I mentioned would not come into
play).

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-04-08 Thread Celejar
On Fri, 6 Apr 2018 10:00:31 - (UTC)
Dan Purgert  wrote:

> Celejar wrote:
> > On Tue, 3 Apr 2018 11:30:24 - (UTC)
> > Dan Purgert  wrote:
> >> [...]
> >> 
> >> Yep, you've got the terms right.  
> >> 
> >> Does the buffalo also provide wifi access to other clients close to it?
> >> or is it JUST trying to pretend that it's a client device to the
> >> TP-Link?
> >
> > I'm not using the Buffalo to provide wireless connectivity to any
> > clients. The page I linked to does have instructions for doing that,
> > but I don't need it.
> 
> Good deal.  Using the buffalo as a wifi repeater would kill throughput
> for everything connected to it :)

Yes, I did have that impression. I even worry about whether its
repeating function is hurting wifi for everything on the 2.4 GHz band,
even those connecting to the TP-Link, but I really don't have much on
2.4 to begin with, just a couple of legacy devices (printer, old
Android phone) that don't support 5 GHz and aren't using much bandwidth.

Celejar



Re: Help needed with home network configuration

2018-04-08 Thread Celejar
On Sun, 8 Apr 2018 00:32:05 - (UTC)
Dan Purgert  wrote:

> David Wright wrote:
> > On Sat 07 Apr 2018 at 20:17:56 (-), Dan Purgert wrote:
> >> David Wright wrote:
> >> > On Fri 06 Apr 2018 at 16:26:47 (-), Dan Purgert wrote:
> >> >> 
> >> >> It's a nuance in the semantics of what it means to "repeat" wifi.
> >> >> Suffice to say, in order to "repeat" wifi, you have one radio splitting
> >> >> its time between pretending to be an AP for a client device, and
> >> >> pretending to be a client device to the upstream AP.
> >> >
> >> > Then I'm not sure why you wrote "Good deal". I'd be wanting the
> >> > wireless connectivity described above as not needed, though obviously
> >> > on a separate band/channel. Were you implying that that would kill
> >> > throughput for everything too?
> >> 
> >> If he's using the buffalo device to "repeat" the wifi signal (which he
> >> isn't), then yes the throughput would tank.
> >
> > OK, I'll just assume you don't know. Anybody else actually doing this
> > (separate band (like 2/5 GHz) or channel (like channel 1/6/11) for the
> > backhaul (inter-router) link)?
> 
> If you have a device repeating a WiFi signal, it *will* use the same
> channel as the upstream AP.  It *cannot* use a different channel.
> 
> In the event you have a dual-band AP, and the following conditions are
> true
> 
>   - 5GHz uplink
>   - 2.4 GHz for clients
> 
> Then you are not "repeating" the WiFi signal to the downstream client
> devices (and the throughput losses I mentioned would not come into
> play).

There are also apparently some units (even consumer grade ones), that
have two different radios both on (different) 5 GHz bands, so one could
use one for client access and one for uplink (although I have no
experience with this):

https://www.linksys.com/us/r/resource-center/basics/multiple-wifi-bands-difference/

Celejar



Re: Help needed with home network configuration

2018-04-09 Thread Dan Purgert
Celejar wrote:
> On Fri, 6 Apr 2018 10:00:31 - (UTC)
> Dan Purgert  wrote:
>
>> Celejar wrote:
>> > On Tue, 3 Apr 2018 11:30:24 - (UTC)
>> > Dan Purgert  wrote:
>> >> [...]
>> >> 
>> >> Yep, you've got the terms right.  
>> >> 
>> >> Does the buffalo also provide wifi access to other clients close to it?
>> >> or is it JUST trying to pretend that it's a client device to the
>> >> TP-Link?
>> >
>> > I'm not using the Buffalo to provide wireless connectivity to any
>> > clients. The page I linked to does have instructions for doing that,
>> > but I don't need it.
>> 
>> Good deal.  Using the buffalo as a wifi repeater would kill throughput
>> for everything connected to it :)
>
> Yes, I did have that impression. I even worry about whether its
> repeating function is hurting wifi for everything on the 2.4 GHz band,
> even those connecting to the TP-Link, but I really don't have much on
> 2.4 to begin with, just a couple of legacy devices (printer, old
> Android phone) that don't support 5 GHz and aren't using much bandwidth.

Pretty much it boils down to "repeaters" ... well, repeat.  The smarter
ones these days (i.e. not linksys, etc) *MAY* only repeat when they have
a connected client.

Otherwise it's "Rx a frame [from the AP], Tx that frame". In effect,
this will halve the throughput capacity of your WLAN (on that channel /
frequency, anyway).


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-04-09 Thread Dan Purgert
Celejar wrote:
> On Sun, 8 Apr 2018 00:32:05 - (UTC)
> Dan Purgert  wrote:
>> If you have a device repeating a WiFi signal, it *will* use the same
>> channel as the upstream AP.  It *cannot* use a different channel.
>> 
>> In the event you have a dual-band AP, and the following conditions are
>> true
>> 
>>   - 5GHz uplink
>>   - 2.4 GHz for clients
>> 
>> Then you are not "repeating" the WiFi signal to the downstream client
>> devices (and the throughput losses I mentioned would not come into
>> play).
>
> There are also apparently some units (even consumer grade ones), that
> have two different radios both on (different) 5 GHz bands, so one could
> use one for client access and one for uplink (although I have no
> experience with this):

Well, nice that they're starting to do that ... it's still a Linksys, so
(not having any experience with it either), I'd lean toward it not being
that great of a device.

But then again, my views are skewed by dealing with equipment that'll
handle 50-60 (active) connections per radio (anything more, and there's
simply not enough bandwidth on the AP -- granted wave-2 ac / MU-MIMO is
quite interesting in that regard).

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-04-13 Thread David Wright
On Mon 09 Apr 2018 at 10:21:46 (-), Dan Purgert wrote:
> Celejar wrote:
> > On Sun, 8 Apr 2018 00:32:05 - (UTC)
> > Dan Purgert  wrote:
> >> If you have a device repeating a WiFi signal, it *will* use the same
> >> channel as the upstream AP.  It *cannot* use a different channel.
> >> 
> >> In the event you have a dual-band AP, and the following conditions are
> >> true
> >> 
> >>   - 5GHz uplink
> >>   - 2.4 GHz for clients
> >> 
> >> Then you are not "repeating" the WiFi signal to the downstream client
> >> devices (and the throughput losses I mentioned would not come into
> >> play).
> >
> > There are also apparently some units (even consumer grade ones), that
> > have two different radios both on (different) 5 GHz bands, so one could
> > use one for client access and one for uplink (although I have no
> > experience with this):
> 
> Well, nice that they're starting to do that ... it's still a Linksys, so
> (not having any experience with it either), I'd lean toward it not being
> that great of a device.

That's a shame. I was moving towards linksys after Reco's suggestion earlier.

> But then again, my views are skewed by dealing with equipment that'll
> handle 50-60 (active) connections per radio (anything more, and there's
> simply not enough bandwidth on the AP -- granted wave-2 ac / MU-MIMO is
> quite interesting in that regard).

I'm sorry I'm not in your league, being merely a home user trying
to improve coverage around the house. I was aiming to make just
one purchase to further that end. I couldn't afford to have the place
wired up like a data centre.

Cheers,
David.



Re: Help needed with home network configuration

2018-04-14 Thread Reco
Hi.

On Fri, Apr 13, 2018 at 09:17:06AM -0500, David Wright wrote:
> On Mon 09 Apr 2018 at 10:21:46 (-), Dan Purgert wrote:
> > Celejar wrote:
> > > On Sun, 8 Apr 2018 00:32:05 - (UTC)
> > > Dan Purgert  wrote:
> > >> If you have a device repeating a WiFi signal, it *will* use the same
> > >> channel as the upstream AP.  It *cannot* use a different channel.
> > >> 
> > >> In the event you have a dual-band AP, and the following conditions are
> > >> true
> > >> 
> > >>   - 5GHz uplink
> > >>   - 2.4 GHz for clients
> > >> 
> > >> Then you are not "repeating" the WiFi signal to the downstream client
> > >> devices (and the throughput losses I mentioned would not come into
> > >> play).
> > >
> > > There are also apparently some units (even consumer grade ones), that
> > > have two different radios both on (different) 5 GHz bands, so one could
> > > use one for client access and one for uplink (although I have no
> > > experience with this):
> > 
> > Well, nice that they're starting to do that ... it's still a Linksys, so
> > (not having any experience with it either), I'd lean toward it not being
> > that great of a device.
> 
> That's a shame. I was moving towards linksys after Reco's suggestion earlier.

I'd like to state for the record that my suggestion implied installing
Debian on the router. In the case of those Linksys models - Debian for
armmp sub-architecture.

I have no experience with the stock Linksys ACM 1200 'firmware', nor
am I intending to gain such experience.

Currently the thing is able to provide reasonable WiFi coverage across
~100 m² for 10 clients, which is enough for me. YMMV.


> > But then again, my views are skewed by dealing with equipment that'll
> > handle 50-60 (active) connections per radio (anything more, and there's
> > simply not enough bandwidth on the AP -- granted wave-2 ac / MU-MIMO is
> > quite interesting in that regard).
> 
> I'm sorry I'm not in your league, being merely a home user trying
> to improve coverage around the house. I was aiming to make just
> one purchase to further that end. I couldn't afford to have the place
> wired up like a data centre.

Back in the day I used two Raspberry Pi for improving WiFi coverage.
It was very straightforward, although somewhat unconventional
configuration - two WiFi APs with the same SSID ('AP name' in layman
terms), each bridged to the same wired VLAN. Worked better than I had
anticipated, although I haven't bothered with 802.1n.

Reco



Re: Help needed with home network configuration

2018-04-15 Thread Dan Purgert
David Wright wrote:
> On Mon 09 Apr 2018 at 10:21:46 (-), Dan Purgert wrote:
>> Well, nice that they're starting to do that ... it's still a Linksys, so
>> (not having any experience with it either), I'd lean toward it not being
>> that great of a device.
>
> That's a shame. I was moving towards linksys after Reco's suggestion earlier.
>
>> But then again, my views are skewed by dealing with equipment that'll
>> handle 50-60 (active) connections per radio (anything more, and there's
>> simply not enough bandwidth on the AP -- granted wave-2 ac / MU-MIMO is
>> quite interesting in that regard).
>
> I'm sorry I'm not in your league, being merely a home user trying
> to improve coverage around the house. I was aiming to make just
> one purchase to further that end. I couldn't afford to have the place
> wired up like a data centre.

The second statement is modifying the first.  (Small) Business
networking pays the bills - I can't go out and have stuff falling over
and dying on me.  But then, that's where the Ubiquiti stuff comes in for
me.  Just as inexpensive as soho kit ... but performs significantly
better.


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-04-15 Thread Dan Purgert
Reco wrote:
> Back in the day I used two Raspberry Pi for improving WiFi coverage.
> It was very straightforward, although somewhat unconventional
> configuration - two WiFi APs with the same SSID ('AP name' in layman
> terms), each bridged to the same wired VLAN. Worked better than I had
> anticipated, although I haven't bothered with 802.1n.

Realistically, that's pretty much what a "regular" wifi AP is (well,
except most of them that I'm familiar with run busybox, and come in an
enclosure :) ). 


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Help needed with home network configuration

2018-04-15 Thread rhkramer
On Saturday, April 14, 2018 03:57:08 AM Reco wrote:
> Back in the day I used two Raspberry Pi for improving WiFi coverage.
> It was very straightforward, although somewhat unconventional
> configuration - two WiFi APs with the same SSID ('AP name' in layman
> terms), each bridged to the same wired VLAN. Worked better than I had
> anticipated, although I haven't bothered with 802.1n.

Out of curiosity, did they run on two different radio channels, or the same?



Re: Help needed with home network configuration

2018-04-15 Thread Reco
Hi.

On Sun, Apr 15, 2018 at 08:05:12AM -0400, rhkra...@gmail.com wrote:
> On Saturday, April 14, 2018 03:57:08 AM Reco wrote:
> > Back in the day I used two Raspberry Pi for improving WiFi coverage.
> > It was very straightforward, although somewhat unconventional
> > configuration - two WiFi APs with the same SSID ('AP name' in layman
> > terms), each bridged to the same wired VLAN. Worked better than I had
> > anticipated, although I haven't bothered with 802.1n.
> 
> Out of curiosity, did they run on two different radio channels, or the same?

That's the best part. Several APs can have different channels in this
configuration, theoretically it's even possible for them to have
different bands (one with 2.4 GHz and another one with 5 GHz).
But convincing a WiFi station (a client) to seamlessly switch (the way
802.11r describes it) between APs in such scenario is impossible.
So I came to manually setting the same channel for both APs, and
changing it once per week.

Reco



Re: Help needed with home network configuration

2018-04-15 Thread rhkramer
On Sunday, April 15, 2018 12:48:35 PM Reco wrote:
>   Hi.
> 
> On Sun, Apr 15, 2018 at 08:05:12AM -0400, rhkra...@gmail.com wrote:
> > On Saturday, April 14, 2018 03:57:08 AM Reco wrote:
> > > Back in the day I used two Raspberry Pi for improving WiFi coverage.
> > > It was very straightforward, although somewhat unconventional
> > > configuration - two WiFi APs with the same SSID ('AP name' in layman
> > > terms), each bridged to the same wired VLAN. Worked better than I had
> > > anticipated, although I haven't bothered with 802.1n.
> > 
> > Out of curiosity, did they run on two different radio channels, or the
> > same?
> 
> That's the best part. Several APs can have different channels in this
> configuration, theoretically it's even possible for them to have
> different bands (one with 2.4 GHz and another one with 5 GHz).
> But convincing a WiFi station (a client) to seamlessly switch (the way
> 802.11r describes it) between APs in such scenario is impossible.
> So I came to manually setting the same channel for both APs, and
> changing it once per week.

Thanks!



Re: Help needed with home network configuration:[SOLVED]

2018-03-09 Thread Johann Spies
Thanks again for all the inputs.

I have tried a third option: arno-iptables-firewall.

Now I can reach the internet from the local network.  I still don't
understand why I could not
get it working with Shorewall which I have used for many years.


Regards
Johann

-- 
Because experiencing your loyal love is better than life itself,
my lips will praise you.  (Psalm 63:3)



Re: Help needed with home network configuration:[SOLVED]

2018-03-10 Thread Joe
On Fri, 9 Mar 2018 23:22:36 +0200
Johann Spies  wrote:

> Thanks again for all the inputs.
> 
> I have tried a third option: arno-iptables-firewall.
> 
> Now I can reach the internet from the local network.  I still don't
> understand why I could not
> get it working with Shorewall which I have used for many years.

If you have time, and the inclination, run Shorewall one more time,
then the command

iptables -S > shore.rules

Then run arno again, and do the same to make arno.rules. The listings
will be quite different, but really ought to do the same job, and you
may be able to see why they don't.

I tried a few firewall tools long ago, and gave up because they weren't
very transparent. If you write iptables commands directly, you can be
reasonably sure of what's going on.

-- 
Joe
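
The comparison suggested in the message above, as an added example that is not part of the thread or of either firewall tool: the two tools name their user chains differently, so this sketch flattens each `iptables -S` dump into (match conditions, verdict) pairs before diffing. The function names and both sample dumps are constructed for illustration; note that `iptables -S` prints only the filter table, so MASQUERADE rules have to be dumped separately with `iptables -t nat -S`.

```python
import shlex

# Targets that end rule evaluation for a packet (LOG, RETURN etc. are skipped).
VERDICTS = {"ACCEPT", "DROP", "REJECT", "MASQUERADE", "SNAT", "DNAT"}


def parse_dump(text):
    """Parse `iptables -S` output into ({chain: policy}, {chain: [(match, target)]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "-P":                       # -P FORWARD DROP
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-N":                     # -N user_chain
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A" and ("-j" in tok or "-g" in tok):
            i = tok.index("-j" if "-j" in tok else "-g")
            # Keep the match part and the target; target options are ignored.
            chains.setdefault(tok[1], []).append((tuple(tok[2:i]), tok[i + 1]))
    return policies, chains


def flatten(text, start="FORWARD"):
    """Set of (accumulated match, verdict) pairs reachable from `start`,
    with user-chain names removed so two tools' layouts can be compared."""
    policies, chains = parse_dump(text)
    out = {("(chain policy)", policies.get(start, "-"))}

    def walk(chain, conds, seen):
        for match, target in chains.get(chain, []):
            combined = conds + match
            if target in VERDICTS:
                out.add((" ".join(combined) or "(any)", target))
            elif target in chains and target not in seen:   # jump to a user chain
                walk(target, combined, seen | {target})

    walk(start, (), {start})
    return out


def compare(dump_a, dump_b, start="FORWARD"):
    """Return (only in a, only in b) as sorted lists of (match, verdict)."""
    a, b = flatten(dump_a, start), flatten(dump_b, start)
    return sorted(a - b), sorted(b - a)


# Constructed sample dumps (not the poster's real rules); eth0 = LAN, eth1 = internet.
SAMPLE_A = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N fwd_lan
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j fwd_lan
-A fwd_lan -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd drop: "
"""
SAMPLE_B = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N loc_frwd
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j loc_frwd
-A loc_frwd -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
"""
SAMPLE_NAT = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
"""

if __name__ == "__main__":
    only_a, only_b = compare(SAMPLE_A, SAMPLE_B)
    for label, rows in (("only in A", only_a), ("only in B", only_b)):
        for match, verdict in rows:
            print(f"{label}: {match} -> {verdict}")
```

For real use, read `shore.rules` and `arno.rules` into strings and pass them to `compare()`; run it again with `start="POSTROUTING"` on the two `iptables -t nat -S` dumps.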