What is Everyones Thoughts

Posted on
Sat Apr 07, 2018 5:23 am
DaveL17
Posts: 6744
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: What is Everyones Thoughts

The following is pretty OT for the forum (but I think T for the thread :D ).

After considering the linked article in the OP, doing a bit of extra studying, and following the resources below, I now have the following setup on my network:

  • Corporate LAN - my main LAN which supports desktops and laptops, phones, NAS, etc. It has a wifi network.
  • IoT VLAN - supports automation devices. This LAN also has a wifi network (same AP as the Corporate LAN, but different SSID--I only have one AP). The corporate network can communicate with this VLAN, but not the other way around.
  • Zombie VLAN - supports things that need Internet access but don't need to talk to the other LANs (e.g., Blu-ray players). The corporate network can communicate with this VLAN, but not the other way around.
  • VPN - virtual private network.

So, for example (there's lots more):
  • Chamberlain MyQ bridge - needs Internet but doesn't need access to anything on the LAN. It goes on the Zombie VLAN since the excellent MyQ plugin gets its information from the MyQ server over the Internet and not the bridge itself.
  • Blu-ray players - need Internet for firmware updates and whatnot but no local LAN communication at all. Definitely Zombie VLAN.
  • Smart TVs - Zombie VLAN.
  • AVRs - Zombie VLAN.
  • Rokus - Corporate VLAN. These are our main streaming devices. They need access to NAS content.
  • TiVos - I've left these on the Corporate LAN because they also need access to NAS content.
  • Magic Home WiFi RGB Controller - this needs wifi and local communication with Indigo and the new Flux/LED plugin so it goes on the IoT VLAN.

I was nervous about adding the VPN, but it turned out to be incredibly easy with the Unifi Controller. I found the following combination of resources to be all I needed (note that the Unifi instructions don't include the step where you must create the RADIUS VPN user account--but the YouTube video does).

https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-L2TP-Remote-Access-VPN-with-USG-as-RADIUS-Server
https://youtu.be/ote3Zv0XdyU
https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-user-remote-vpn-setup-quot-for-dummies-quot/td-p/2169437

[Attachment: Screen Shot 2018-04-07 at 5.44.45 AM.png]


I plan to add a guest network (with wifi and Internet but no communication with other LANs), but haven't done that yet. I'm also still considering what to do about things like Sonos (the OP article talks about that a bit). Definitely not regretting my move to all Unifi.

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Mon Apr 09, 2018 9:33 am
DaveL17
Posts: 6744
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: What is Everyones Thoughts

A little bit more to add to this setup. Over the weekend, I added a guest WiFi network (on its own VLAN) which has access to Internet but not to the Corporate LAN or any of the other VLANs. I now have five networks using one USG and three WiFi networks using one WAP (AP-AC-Lite in my case) all with different rights and authorities. I am extremely happy with the way this has worked out.

A note about using the VPN--it's not exactly like being connected while home. For example, things like Bonjour don't work the same as they do when connected "normally".* Things that would usually show up under Finder, like other Macs and my NAS, don't show up when connected via VPN. You can still connect to them, it's just done differently. Right-click on the Finder icon and select "Connect to Server..."

For my NAS:
    afp://ip_address_of_nas

For Screen Sharing:
    vnc://ip_address_of_mac

For Indigo, it's just like being home. Select [Connect to Remote Server] in the Indigo client application and enter the IP address of the server machine. Of course, this will still work over the Reflector, too.

Two other steps I took to get this working the way I wanted:
(1) I put the VPN profile at the top of the list under Network - Set Service Order.
(2) Within the VPN profile, I ticked "Route all traffic over VPN connection".

* Apparently, it's possible to get Bonjour to work over the VPN--but it sounds like it requires several hoops to jump through and, since the above works just fine, I didn't bother.


Posted on
Mon Apr 09, 2018 9:42 am
Sharek326
Posts: 377
Joined: Jul 20, 2014
Location: Lansford, PA

Re: What is Everyones Thoughts

I like your breakdown, Dave. I may steal a few of your ideas (Zombie VLAN) to include in what I have already been doing. Thanks!

Posted on
Mon Apr 09, 2018 10:25 am
DaveL17
Posts: 6744
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: What is Everyones Thoughts

Great! Glad that it was helpful. Please share anything you learn.

The more security, the better!


Sent from my iPhone using Tapatalk


Posted on
Mon Apr 09, 2018 10:57 am
siclark
Posts: 1960
Joined: Jun 13, 2017
Location: UK

Re: What is Everyones Thoughts

Nice write-up. I use a Ubiquiti EdgeRouter Lite rather than a USG, plus UniFi APs. Tempted to move to a USG, but I can't justify the cost, and as the EdgeRouter Lite works so well I don't really want to spend the time setting something else up.
I also have a VPN to home set up and in use; it's really good. If only I could automate getting the iPhone to use it without having to manually turn it on!

I have several SSIDs set up: home network, IoT with only external access and no LAN, then IoT with LAN, and a guest one. The reason for the separate LAN networks is that I use WPA2 Enterprise and RADIUS for the home network, with every user getting their own username and password.
The guest and IoT-external-only networks are just set up on the AP as guest SSIDs and have access to other devices prevented there. Not sure if putting them on their own VLAN offers any extra protection there.
The IoT-with-LAN network is then filtered by MAC address. I know it can be spoofed, but it is an extra step for someone to take.

What I can't do is figure out how to get the home network to talk to the IoT one but prevent it going the other way.

And then I run Domotz on my NAS and get updates when new devices join, to check that I know them. Could do this from the UniFi or Fingscan plugins as well, I guess.




Sent from my iPhone using Tapatalk
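The "home talks to IoT, IoT cannot talk back" behaviour that DaveL17 describes and siclark asks about is a stateful firewall rule set, and on an EdgeRouter Lite it can be entered directly in the EdgeOS CLI. What follows is an added example, not configuration taken from either poster's setup: it assumes eth1 carries the VLANs, that VLAN 20 (vif 20) is the IoT network and VLAN 30 the Zombie network, and that the rule-set and group names IOT_IN and PRIVATE_NETS are arbitrary. On a USG the same rules go into the UniFi controller's firewall section (LAN IN), because the controller re-provisions the USG and overwrites anything typed at its CLI.

```vyatta
configure

# Rule set evaluated for traffic *entering the router from* the IoT VLAN
# and being forwarded elsewhere. Default accept keeps Internet access working.
set firewall name IOT_IN description 'IoT VLAN -> forwarded traffic'
set firewall name IOT_IN default-action accept

# Rule 10: replies belonging to a connection that already exists in the
# router's connection table are allowed. Only Corporate-initiated sessions
# ever create such entries, so IoT devices can answer but never initiate.
set firewall name IOT_IN rule 10 description 'return traffic for LAN-initiated flows'
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable

# Rule 20: packets that belong to no valid connection are dropped.
set firewall name IOT_IN rule 20 description 'drop invalid state'
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 state invalid enable

# Rule 30: anything else addressed to private (RFC 1918) space is dropped,
# which covers the Corporate LAN, the VPN pool and every other VLAN at once.
# Internet-bound traffic falls through to the default accept.
set firewall name IOT_IN rule 30 description 'no IoT-initiated access to internal networks'
set firewall name IOT_IN rule 30 action drop
set firewall name IOT_IN rule 30 destination group network-group PRIVATE_NETS

# Hypothetical group name; the three RFC 1918 ranges are the real constants.
set firewall group network-group PRIVATE_NETS description 'RFC 1918 space'
set firewall group network-group PRIVATE_NETS network 10.0.0.0/8
set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16

# Attach the rule set inbound on the IoT VLAN sub-interface (assumed eth1.20).
set interfaces ethernet eth1 vif 20 firewall in name IOT_IN

# The Zombie VLAN (assumed eth1.30) gets exactly the same treatment.
set interfaces ethernet eth1 vif 30 firewall in name IOT_IN

commit
save
exit
```

Two checks and two caveats. Check it from both sides: an SSH or web connection from a Corporate host to an IoT device should work, the reverse should time out, and `show firewall name IOT_IN statistics` in operational mode will show rule 30's counters climbing while the IoT device tries. The caveats: the `in` hook does not govern packets addressed to the router itself (DHCP and DNS requests from IoT devices are handled by the separate `firewall local` hook, which this example leaves open, so they keep working), and mDNS/Bonjour discovery is link-local and never crosses a VLAN regardless of these rules, which is the same limitation DaveL17 notes for the VPN.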

Posted on
Mon Apr 09, 2018 2:21 pm
CliveS
Posts: 761
Joined: Jan 10, 2016
Location: Medomsley, County Durham, UK

Re: What is Everyones Thoughts

DaveL17 wrote:
I was nervous about adding the VPN, but it turned out to be incredibly easy with the Unifi Controller. I found the following combination of resources to be all I needed (note that the Unifi instructions don't include the step where you must create the RADIUS VPN user account--but the YouTube video does).

https://help.ubnt.com/hc/en-us/articles/115005445768-UniFi-L2TP-Remote-Access-VPN-with-USG-as-RADIUS-Server
https://youtu.be/ote3Zv0XdyU
https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-user-remote-vpn-setup-quot-for-dummies-quot/td-p/2169437

I plan to add a guest network (with wifi and Internet but no communication with other LANs), but haven't done that yet. I'm also still considering what to do about things like Sonos (the OP article talks about that a bit). Definitely not regretting my move to all Unifi.


Thanks for the right-click on Finder shortcut for Screen Sharing; still learning about the Apple way after years of Microsoft (still got a couple of Dells running Win7, one for the Blue Iris camera server and the other was used when I wanted to run the 30-day trial of Indigo and had no Mac hardware!).

I have gone OTT on UniFi as well, great bits of kit and almost filled up a UniFi 24 port switch.

Just installed a link to the garage for the Dahua cameras using the new NanoStation 5AC Locos

Like you I found the VPN setup links after I got an ear bashing from @Ianbrown when I mentioned TeamViewer as a good remote viewer. The last time I looked ages ago it had to be done with SSH, Terminal and Black Magic so I was well happy when Willie Howe put up that video.

Now I have no holes in the firewall, a WiFi on the Corporate LAN that needs a 19-character password and MAC address filtering, and a guest network with no password but MAC address filtering for Internet only.

I would like to have the VPN turn on automatically when I leave the house, has anyone any ideas how to do that on the iPhone or MacBook?
It is a pain having to turn it on going out and off when I return and I have forgotten and can't get to the network!

CliveS

Indigo 2023.2.0 : macOS Ventura 13.6.3 : Mac Mini M2 : 8‑core CPU and 10‑core GPU : 8 GB : 256GB SSD
----------------------------------------------------------------------------------
The best way to get the right answer on the Internet is not to ask a question, it's to post the wrong answer

Posted on
Mon Apr 09, 2018 3:21 pm
siclark
Posts: 1960
Joined: Jun 13, 2017
Location: UK

Re: What is Everyones Thoughts

Haha, I use TeamViewer all the time as a remote viewer despite having a VPN and a VNC viewer app on my iPhone. Weirdly, I stopped using VNC as I found TeamViewer more reliable.

TeamViewer doesn't involve external ports being opened on the router, so why is a VPN preferable to TeamViewer?

To auto-start the VPN on an iPhone, for all connections or just for some apps, you need to use Apple Configurator to effectively set up a deployed iPhone, as you would in a corporate environment.

Posted on
Mon Apr 09, 2018 3:57 pm
CliveS
Posts: 761
Joined: Jan 10, 2016
Location: Medomsley, County Durham, UK

Re: What is Everyones Thoughts

siclark wrote:
Haha, I use TeamViewer all the time as a remote viewer despite having a VPN and a VNC viewer app on my iPhone. Weirdly, I stopped using VNC as I found TeamViewer more reliable.

TeamViewer doesn't involve external ports being opened on the router, so why is a VPN preferable to TeamViewer?

To auto-start the VPN on an iPhone, for all connections or just for some apps, you need to use Apple Configurator to effectively set up a deployed iPhone, as you would in a corporate environment.


Only you know the VPN password (hopefully), whereas you have to log into TeamViewer, and as Ian states in his post http://forums.indigodomo.com/viewtopic.php?f=269&t=20174&hilit=teamviewer&start=60#p154982 they have a few bugs, and to quote him: "You are also putting your trust in a third-party that could be breached. Do they have the appropriate safeguards in place? If you ask them, they would say yes. Experian, Target, Home Depot, Yahoo and the rest would have said the same thing."

Never heard of Apple Configurator; would that allow me to auto-start the VPN on loss of WiFi and auto-stop it again when WiFi is reconnected?

