

2024 Network Revamp

In the current state, I have WAN -> UXG-Lite -> Everything else.

But, there are quite a few things which drive me crazy about Unifi...

  1. No "easy" support for IPv6 GIF tunnels- I have an entire /48 block of IPv6 addresses I would like to use, and I don't want to resort to a bunch of hacks to get this to work.
  2. Traffic policies, etc., only work when you use the Unifi as the primary DNS. I don't want to do this.
  3. Unifi's Layer 3 routing protocol support is still questionable. But, at least it supports OSPF now...
  4. I honestly hate its ACL interface. It's... horrible when you have lots of zones, lots of ACLs, etc.

To meet these needs, I decided to pick up a new hEX refresh.

For $59 shipped, this thing is nearly half the price the EdgeRouters used to sell for, back before the Unifi line was even introduced, when Ubiquiti was known for the most cost-effective routers in existence.

In addition, for this price point it has extremely respectable hardware specs, and is more than capable of handling my gigabit fiber.

The Goals

I want to remove the UXG from being in-line with general lab traffic. It does NOT work... at all, with traffic handled by other routers. It just produces broken graphs, charts, etc.

I WOULD use the USW-24-Pro as a router... BUT, it has a ton of issues.

It, honestly, sucks as a layer 3 router. (And it also breaks many of the Unifi features when you use it as a layer 3 router... no traffic inspection, for example, despite the traffic still flowing through the UXG/UDR/etc.) Broken routing.

So, instead, I'll let Unifi do what Unifi is good at: managing simple LAN traffic with upstream delegation.

I'll use the new Mikrotik hEX to do what the Unifi is not good at: managing multiple VPN tunnels, terminating GIF tunnels, and handling routing... using BGP for internal route propagation.

There won't really be any changes for the lab subnets- HOWEVER, I will be re-locating the hEX and UXG outside of my server rack, which will allow my rack to be completely unplugged without affecting LAN traffic.

The Plan

The hEX will be added logically, directly behind the incoming WAN connection.

Its duty will be simple:

  1. Maintain the PPPoE connection.
  2. Maintain the IPv6 GIF tunnel.
  3. Perform IPv6 prefix remapping (aka, it takes the public IPv6 prefix and remaps it to a private prefix- this makes my internal devices and subnets immune to any external changes. For example, if my ISP ever offers native IPv6, I can adopt it with no internal changes needed.)
  4. Perform NAT for IPv4 traffic.
  5. Perform port forwarding. (A rough RouterOS sketch of items 1-5 follows this list.)
  6. ACLs for WAN -> Edge (Edge is the zone between WAN & TRUST / PUBLIC)
  7. ACLs for TRUST -> Edge (the Trust zone refers to everything in my "Lab")
  8. ACLs for PUBLIC -> Edge (the Public zone is LAN traffic, users, guest subnets, etc.)
  9. Maintain VPN client access.
  10. Maintain outgoing VPN tunnels.
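
For reference, here is a rough sketch of what items 1-5 might look like in RouterOS v7. This is a minimal, hypothetical example- the interface names, addresses, prefixes, and tunnel endpoint are placeholders, and exact parameter names may differ slightly between RouterOS releases and tunnel brokers.

# 1. PPPoE client on the WAN port (placeholder credentials)
/interface pppoe-client add name=pppoe-wan interface=ether1 user=isp-user password=isp-pass add-default-route=yes disabled=no

# 2. IPv6 tunnel toward the broker (6to4/GIF-style interface; example endpoints)
/interface 6to4 add name=gif-v6 local-address=203.0.113.10 remote-address=192.0.2.1
/ipv6 address add address=2001:db8:ffff::2/64 interface=gif-v6
/ipv6 route add dst-address=::/0 gateway=gif-v6

# 3. Prefix remapping (NPTv6-style netmap) between an internal ULA /48 and the public /48
/ipv6 firewall nat add chain=srcnat src-address=fd00:1234::/48 out-interface=gif-v6 action=netmap to-address=2001:db8:1234::/48
/ipv6 firewall nat add chain=dstnat dst-address=2001:db8:1234::/48 in-interface=gif-v6 action=netmap to-address=fd00:1234::/48

# 4. IPv4 source NAT out the PPPoE interface
/ip firewall nat add chain=srcnat out-interface=pppoe-wan action=masquerade

# 5. Example port forward (WAN tcp/443 to an internal reverse proxy)
/ip firewall nat add chain=dstnat in-interface=pppoe-wan protocol=tcp dst-port=443 action=dst-nat to-addresses=10.100.0.10 to-ports=443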

Logical Routing Diagram

Logical diagram, showing the major zones.

flowchart TD
    subgraph OUTER
        WAN 
    end

    WAN --> |PPPoE| HEX

    subgraph EDGE
        HEX
    end

    subgraph PUBLIC
        UXG["Unifi UXG-Lite"] --> V_LAN & V_Guest & V_LAN_Isolated
    end

    HEX --> |Static| UXG
    HEX --> |BGP| 100G
    subgraph TRUSTED
        100G["CRS504-4XQ"] --> V_Kubernetes & V_Server & V_Storage
    end

    100G --> | BGP | EDGEMAX

    subgraph UNTRUSTED
        EDGEMAX["EdgeRouter"] --> V_IOT & V_SECURE & V_MGMT
    end

Physical Diagram

Here is a physical diagram, with the major locations and connection types marked.

flowchart TD
    WAN

    subgraph Office
        MC["Media Converter"]
        SW-B[CSS610-8G-2S]

    end


    subgraph Closet["Server Closet"]
        UXG["UXG-Lite"]
        HEX["hEX Refresh"]
        SW-L["USW-Lite 8 POE (LAN)"]
        SW-S["USW-Lite 8 POE (Secure)"]

    end

    subgraph Rack["Server Rack"]
        100G[CRS504-4XQ]
        Edge["EdgeMax"]

        %% Layer 2 Switches
        10G["USW-Aggregation"]
        1G["USW-24-Pro"]

        S_1G["Servers 1G"]
        S_10G["Servers 10G"]
        S_100G["Servers 100G"]
    end

    %% Access Points
    AP1["UAP-AC-PRO"]
    AP2["U6 Pro"]
    SW-G["USW-Flex (Garage)"]
    SW-T["USW-Flex (Livingroom)"]

    %% OUTER --> EDGE
    WAN --> | GPON |MC
    MC --> | 1G CAT6 | HEX

    %% EDGE --> Trust
    HEX --> | 1G CAT6 | 1G

    %% EDGE --> PUBLIC
    HEX --> | 1G CAT6 | UXG

    %% PUBLIC
    UXG --> | 1G POE |SW-L
    SW-L --> | 1G POE |SW-G
    SW-L --> | 1G POE |SW-T   

    %% TRUST
    1G --> |10G DAC | 100G    
    1G --> |10G MMF| 10G
    100G --> |10G DAC| 10G

    10G --> | 10G SMF| SW-B

    1G --> | 1G CAT6| SW-S



    1G --> | 1G CAT6 | S_1G
    10G --> | 10G Twinax | S_10G
    100G --> | 100G DAC| S_100G

    %% IOT
    1G --> | 1G CAT6| Edge

    %% Access Points
    SW-L --> | 1G POE |AP1 & AP2

Individual Zones

EDGE

The Edge zone is responsible for performing ACLs between OUTER/WAN, and Internal Zones.

It also performs NAT for IPv4 traffic, and prefix mapping for IPv6 traffic.

It handles route propagation using BGP.

It also handles traffic policies for external traffic (aka, selective routing of traffic through tunnels).
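
Below is a minimal sketch of how these zone ACLs and traffic policies could be expressed in RouterOS, using interface lists as zones. The interface names, subnets, tunnel interface, and tiny rule set are hypothetical- the real policy is considerably longer.

# Hypothetical zone definitions via interface lists
/interface list add name=WAN
/interface list add name=TRUST
/interface list add name=PUBLIC
/interface list member add list=WAN interface=pppoe-wan
/interface list member add list=TRUST interface=ether2-trust
/interface list member add list=PUBLIC interface=ether3-public

# WAN -> EDGE (the router itself): allow return traffic only, drop the rest
/ip firewall filter add chain=input in-interface-list=WAN connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface-list=WAN action=drop

# Example forward policy: PUBLIC may reach the internet, but not TRUST
/ip firewall filter add chain=forward in-interface-list=PUBLIC out-interface-list=WAN action=accept
/ip firewall filter add chain=forward in-interface-list=PUBLIC out-interface-list=TRUST action=drop

# Example traffic policy: route one subnet out through a VPN tunnel instead of the WAN
/routing table add name=via-vpn fib
/ip firewall mangle add chain=prerouting src-address=10.100.5.0/24 action=mark-routing new-routing-mark=via-vpn
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-out routing-table=via-vpn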

PUBLIC / LAN

Since Unifi is actually pretty good at managing LAN subnets, I am going to set it up as if the hEX router were the ISP's router.

It will have a delegated /58 IPv6 prefix, which gives it the ability to automatically manage and delegate /64 blocks as needed to any subnets it manages... up to 64 subnets.

It will also be delegated a /18 block of IPv4 addresses, which allows it to automatically manage and delegate up to 64 x /24 blocks of IPv4 addresses.

As such, it can automatically assign and maintain up to 64 internal subnets, as needed for various purposes. Although, realistically, only 2 subnets are actually used here:

  1. General LAN traffic (aka, normal WiFi). NAT is handled by the hEX.
  2. Guest / Internet-only (an isolated subnet which can ONLY talk to the internet- NOTHING internally. This is used for certain devices, like... my cat-feeder, and guest WiFi access. Wireless isolation is enabled too.). Outbound traffic to the WAN is NAT-ed here.

As... many of the Unifi features only work when it is used as the primary DNS/DHCP server- it will be used as the primary DNS/DHCP server.
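
For reference, here is a rough sketch of how the hEX side of this delegation might look in RouterOS. The prefixes, pool name, interface, and next-hop are hypothetical examples (re-using the made-up ULA /48 from the earlier sketch), not my actual addressing.

# Hand the UXG a /58 out of the internal ULA space via DHCPv6 prefix delegation
# (the hEX netmaps this ULA space to the public /48 at the edge)
/ipv6 pool add name=public-pd prefix=fd00:1234:4000::/50 prefix-length=58
/ipv6 dhcp-server add name=pd-public interface=ether3-public address-pool=public-pd

# IPv4: route a /18 toward the UXG, which carves its own /24s out of it
/ip route add dst-address=10.64.0.0/18 gateway=10.0.0.2 comment="PUBLIC zone delegation"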

TRUST / Homelab / Servers

The majority of my server rack lives in the "TRUSTED" zone. Everything here is routed using the 100G CRS504-4XQ, which does an amazing job. Very minimal ACLs are applied here- rather, VLANs are used for isolation where needed.

Since everything in my lab is running Proxmox, with the exception of a Synology, all of my firewall rules are done in Proxmox (the Synology does its own Layer 3 ACLs). This is fantastic, as the firewall rules are stored WITH the VMs, and I can manage everything in one place. All of my VMs/LXCs have firewall policies configured via Proxmox.

Routes are propagated to/from the hEX using BGP. I have found BGP w/BFD works really nicely for internal routing and load balancing. Extremely fast route propagation, and EXTREMELY customizable, as needed.
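
A minimal sketch of what the hEX side of that peering might look like in RouterOS v7. The AS number and peer address are made up, and BFD is enabled separately- its exact options vary between RouterOS releases.

# Hypothetical iBGP peering between the hEX (EDGE) and the CRS504-4XQ (TRUST)
/routing bgp connection add name=to-crs504 as=65000 local.role=ibgp remote.address=10.0.1.2 remote.as=65000 output.redistribute=connected,static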

For addressing:

  1. A /16 block of IPv4 addresses will be delegated to this zone. This gives 256 usable /24 subnets.
  2. A /56 block of IPv6 addresses will be delegated to this zone. This gives 256 usable /64 subnets. (A small example of one such subnet is shown below.)
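
As an illustration, here is a hypothetical layout of one such subnet on the CRS504 in RouterOS- the VLAN ID, bridge name, and addresses are made-up examples drawn from the delegated ranges.

# Hypothetical: one VLAN carrying a /24 + /64 pair out of the delegated blocks
/interface vlan add name=vlan-kubernetes vlan-id=42 interface=bridge
/ip address add address=10.10.42.1/24 interface=vlan-kubernetes
/ipv6 address add address=fd00:1234:0:42::1/64 interface=vlan-kubernetes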

DNS is handled by Technitium as the primary DNS server. Backup/failover DNS is handled by a Bind9 server, using zone transfers from the primary.

DHCP is also handled by Technitium.

All physical servers with hardware clocks are automatically configured as an NTP pool, via Ansible playbooks. Chrony is used here.

All virtual machines, LXCs, etc. are configured to use said NTP pool, via Ansible playbooks.

UNTRUSTED / IOT / Security / etc...

As someone who does a lot of home automation, I have a lot of IOT devices. I also have lots of security cameras, etc.

I have been using an old EdgeRouter, which I purchased over a decade ago, for maintaining these zones. It works perfectly. It can also propagate routes using BGP (or RIP/OSPF), and it supports BFD.

This zone is, more or less, completely isolated inside of the network.

The devices inside of this zone can't really talk to anything.

There is no access outside of their own subnets, with only a few exceptions (listed below). No DNS. NTP is provided by the EdgeMAX. DHCP is provided by the EdgeMAX.

  • My ESPHome subnet can talk to Home Assistant, and Home Assistant can talk to it.
  • My generic IOT subnet cannot talk to anything, but Home Assistant can talk to it. (This is for devices, such as Kasa, that I don't want phoning home- BUT, Home Assistant can still fetch/control them.)
  • V_Secure- The only access allowed into this subnet is from my reverse proxy to the Blue Iris interface. No access to external networks is allowed.
  • V_Management - Management interfaces for switches, routers, etc. Separate VRFs are used on the devices to isolate management traffic from everything else.

Final Words

I am not doing this to fix an issue. Honestly, I really wanted to experiment with the new hEX refresh routers.

The hardware seems extremely capable, and the price point is really hard to beat.

If this works as I have planned, it should also make network management quite a bit easier.

Windows 11 - Restore Old Context Menu

Want the old right-click context menu back?

Copy/paste the below script into an administrative command prompt. That's it.

:: Set "Old" Explorer Context Menu as Default
reg add "HKEY_CURRENT_USER\SOFTWARE\CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" /ve /f

:: Remove Explorer "Command Bar"
reg add "HKCU\Software\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InprocServer32" /f /ve

:: Restart Windows Explorer. (Applies the above settings without needing a reboot)
taskkill /f /im explorer.exe
start explorer.exe

:: Empty Comment (Prevents you from having to press "enter" to execute the line to restart explorer.exe)

Surge Protection - Entire Home, Rack-Only, etc.

A few months back, I noticed one of my ESP32s got smoked during a few nasty thunderstorms.

And it got me thinking- what happens if a large surge hits my house?

Is it going to smoke my fridge? My TV? How about my server rack full of expensive gear?

So- I went on a project to upgrade the surge protection for my house.

Vertiv rPDU - A reasonably priced, 120v, individually switched and metered PDU.

For years, I have been using a combination of Sonoff S31 plugs and a Kasa HS300 strip to monitor and measure my power consumption.

This allowed me to fully visualize my rack's power consumption in a Sankey diagram.

However, neither solution's form factor was ideal, and as my rack has become nearly full, a PDU filled with smart plugs isn't exactly a great solution.

The issue is, there are not many 120V PDUs for a 24U rack. As a matter of fact, there are not many zero-U PDUs at all for 24U racks.

But I finally found an option for a fully managed PDU, with INDIVIDUALLY metered and switched outlets, which CAN plug into a standard 120V outlet.

Synology Multipath SMB, and iSCSI

So... normally when you want faster networking, you can just upgrade to faster NICs (10G, 25G, 40G, 50G, 100G... etc.).

However, in the case of my Synology DS423+, you get two 1G ethernet ports with no expansion.

You would think the best course of action would be to leverage LACP- however, that is NOT the case.

Enabling multichannel can double the amount of bandwidth per client, whereas LACP, depending on hashing, only gives a benefit up to the performance of one port.

This post details how to enable multipath for SMB, and how to configure iSCSI on linux with multiple paths.

Proxmox - Solutions to random errors.

This is a short post which details how to resolve a few random errors you may experience with Proxmox.

This post is for you IF you are experiencing any of these errors:

  • "System booted in EFI-mode but 'grub-efi-amd64' meta-package not installed! Install 'grub-efi-amd64' to get updates."
  • "Couldn't find EFI system partition. It is recommended to mount it to /boot or /efi."
  • "/etc/kernel/proxmox-boot-uuids does not exist."

Detecting a weird packet loss issue.

So- I recently installed a quad 100G Mikrotik CRS504-4XQ-IN router into my lab and moved a few servers over to 100G NICs.

Around the time I did this, I also started experiencing tons of random, hard-to-pinpoint instances of latency across my network.

I validated flow control was enabled for the network, and I checked various port counters to look for errors.

This issue took me around a week or two to finally pinpoint... this post goes through a bit of the steps taken.

Proxmox - Setup Debian Cloud-Init Templates

This post documents the steps needed to create a minified Debian cloud image template, which you can easily clone to have a running VM in seconds with no configuration needed.

This includes common packages, ssh-keys, and IP information.

The end result of this project is...

  1. You clone a template, and start it.
  2. The cloned VM automatically starts up, updates itself, and starts running, with common packages installed and your ssh details pre-configured.
  3. A slimmed-down distribution, without excess (my end result was a 400M image).
  4. No need to edit the VM after cloning, other than adding CPU/RAM or other hardware as needed.

Proxmox - Import OVA

A random thing I recently came across while testing out LibreNMS-

I discovered they have a published .ova, which I wanted to import into Proxmox. However, Proxmox, as of this post, does not have an easy option to support importing this.

This is a quick post containing the commands you need to import the ova.

Removing a stripe from a zfs pool

In my quest to optimize power usage, one of my servers has a zfs pool consisting of 4x 8T disks, in a striped mirrors configuration.

For this particular pool, IOPs and performance are not needed. As well, I am using barely 10% of the available space in this particular pool.

So, I decided to remove a pair of disks, to save a minuscule amount of energy.

Reusing EMC Drives in other systems

So, I picked up an EMC-branded 1.92TB PM1633 SAS drive off of ebay, to toss into my ceph cluster.

After acquiring it, I slapped it into my Dell MD1220, and was surprised that it was not appearing in Proxmox.

This is a short post to help correct this issue.

Building a ceph cluster

My adventures in building out a small clustered ceph environment for redundant VM / Container storage.

Quote

Ceph is a great way to extract 10,000 IOPs from over 5 million IOPs worth of SSDs! -XtremeOwnage

2023 Prime Day Deals

Interested in home automation? Here are a few of the prime day deals I would personally recommend.

Note, this is not a kitchen-sink post full of non-relevant links, but rather a list of things I have hands-on experience with.

Every single product linked below, will work with Home Assistant, 100% LOCALLY, without any required cloud services or subscriptions.

If, you need reasons as to why required cloud services are bad, see Reasons to avoid cloud products