Alex's blog

Reconfiguring our home network, part 2

Published on

To follow-up on part 1: In brief, we got it working.

When last I left off, I was hoping to use hestia as a router. While that probably would have worked, it would have needed some VLAN fiddling to isolate the outside and inside of the network properly, and it would have meant considerable trouble any time the server itself went down, since someone has to connect to it via SSH to enter its disk encryption key before it will finish booting. Instead, we opted to buy a dedicated router. After a false start with a router that turned out to be from an apparently-defunct company, and which strangely didn't support IPv6 despite being a gigabit Ethernet router with quite a few advanced features, we bought a Ubiquiti EdgeRouter X SFP, which was very well-reviewed. This unit worked quite well, and within a few hours I had everything rearranged with it at the core of the network (I kept the switch, even though the router has enough ports; the wired hosts connect to the switch, and the Wi-Fi APs directly to the router, since they're topologically switches). While I was setting up the router, I discovered it has configurable passive (i.e. non-negotiating, thereby highly Etherkill-capable) PoE support; unfortunately, only for 24 volt devices, and our main access point, though it supports PoE, wants 12 volts. Our outdoor AP, though, turned out to be 24 volts, so we were able to take the PoE injector previously powering it out of the equation (salvaging a much-needed extra Ethernet cable).

While the router was comparatively easy, even given that I was trying to avoid disrupting the existing functioning of the network where I could, I couldn't get the new modem working; I still had the old modem/router/AP combo unit serving as the modem, with its DHCP server and Wi-Fi functions disabled and its "forward everything" setting pointed at the new router's static address on its segment, then the router set with a static route to it for 0.0.0.0/0. This worked perfectly, but I wasn't happy to keep the old hardware. I was on hold with the ISP for an hour and a half or so, but once I got on the phone with an actual person, we got it resolved pretty quickly; all that needed to happen was to whitelist the new modem's MAC address (a process slightly frustrated by a typographical error). As soon as that was done, it rebooted itself and the router got a DHCP lease from the ISP. Naturally, though, it was a different address from our previous one, so I had to go update my DNS entries, which was itself a difficult process because I had created a routing table entry (in an attempt to be able to talk to the modem's administrative interface) that ended up directing swathes of traffic to entirely the wrong place. With that removed, I was able to get to the DNS control panel and fix the name entries, putting my various personal services back into reachability.

Regrettably, the ISP specifically told me when I asked (since I was on the phone anyway) that they don't currently support IPv6, so, for the moment, I remain on my previous IPv6 solution (a Wireguard tunnel to a VPS in New York that has an embarassingly-small block of IPv6 addresses, which at the moment only covers hestia). I'd like to set up a better tunnel, preferably one that would give me a whole /64 so the whole network could have IPv6. Some time ago, the ISP was dropping ICMP within their network somewhere, which prevented setting up a Hurricane Electric IPv6 tunnel, but they must have stopped; with a firewall rule to allow ICMP traffic, they were able to ping us, so a project for sometime soon will be setting up tunnelled IPv6 for the whole network (I've already got the tunnel itself running, I just have to figure out routing and advertise the prefix through NDP so hosts on the network can get addresses).

Anyway, the entire pile of hardware has now been shoved atop a convenient high place where the AP has good sight lines, and hopefully nobody will have to think about it too much unless they (I) want to. Victory!

Tagged: