Revision 1 as of 2023-10-02 16:18:24
helian replaces my old Unifi USG 3P gateway. I wanted something a bit faster, more capable (like built-in Wireguard support), and more tweakable. The Unifi had been a solid performer; I just wanted more. I bought it and meant to get around to installing it, but needing to learn their interface for configuring the whole network again put me off for a while, until my Unifi router stopped working. Then there was no excuse.
helian is a Mikrotik RB5009UPr+S+IN. Some info about it:
- a review and teardown: https://www.servethehome.com/mikrotik-rb5009upr-s-in-poe-router-mini-review-marvell-arm/
- the homepage: https://mikrotik.com/product/rb5009upr_s_in
I was eyeing off the CRS326-24G-2S+RM, then realised it'd be way more useful to get something with POE-out as well, otherwise I'd still be stuck dealing with two devices for routing and switching, so the hilariously overkill number of ports was off the cards for now.
And the RB5009 is a really good replacement in that sense. I've replaced a separate router and bulky POE switch with a single, small device that does both, and puts out way less heat. Heat that probably knocked out the Unifi router >_>
Features and uses
- 1Gbps upstream to ISP (ethernet)
- PoE to switches and wifi APs
- DHCP IPv4 and IPv6 from ISP, provides a static public v4 address, and /48 delegated prefix to the LAN
- Custom firewalling of course
- Forwarded ports for SSH and HTTPS to internal servers
- Wireguard VPN server
- Separate VLAN for IOT devices (considered less trustworthy)
  - This was a bit tricky to nut out; I used bridge VLAN filtering to get the correct behaviour
  - Makes use of what the manual calls "hybrid ports": untagged for the LAN and tagged for IOT, going to the Unifi wifi APs
- DHCP server for LAN and IOT segments, lots of static leases for everything on the network
Access
This is just good practice stuff.
- Create a new user account, add an SSH key for auth, and set a strong password
- Disable the admin account
- Lock down access so it's only manageable from the LAN, and ideally from a couple of workstations on specific physical ports
- Get my wildcard TLS cert on there and protect the web UI
- Use winbox or CLI for management; this is pretty easy to set up
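The Access list above as a RouterOS v7 CLI script. This is an added example, not configuration from this page: the user name `netadmin`, the LAN subnet `192.168.88.0/24`, the management ports `ether2`/`ether3`, and the uploaded files `netadmin.pub` and `wildcard.pem` are assumed placeholders.

```routeros
# Added example (not from this page): RouterOS v7 management hardening.
# Assumed: user "netadmin", LAN 192.168.88.0/24, management ports ether2/ether3,
# and netadmin.pub / wildcard.pem already uploaded under Files.

# 1. New account with SSH key auth and a strong password, only usable from the LAN.
/user add name=netadmin group=full password="REPLACE-WITH-A-LONG-RANDOM-PASSWORD" address=192.168.88.0/24
/user ssh-keys import user=netadmin public-key-file=netadmin.pub

# 2. Disable the built-in admin account. Open a second SSH session as netadmin
#    and confirm it works before running this line.
/user set admin disabled=yes

# 3. Interface list for the physical ports management is allowed from.
/interface list add name=MGMT
/interface list member add list=MGMT interface=ether2
/interface list member add list=MGMT interface=ether3

# 4. Restrict management services to LAN source addresses; disable everything unused.
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service disable [find name~"^(telnet|ftp|www|api|api-ssl)$"]

# 5. Wildcard TLS cert for the web UI: import, give it a stable name, bind it to www-ssl.
/certificate import file-name=wildcard.pem passphrase=""
/certificate set [find name~"wildcard"] name=wildcard
/ip service set www-ssl certificate=wildcard address=192.168.88.0/24 tls-version=only-1.2 disabled=no

# 6. Layer-2 management paths (MAC telnet, MAC winbox, neighbor discovery) only on MGMT ports.
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 7. Input chain: accept management traffic from the MGMT ports, drop it from anywhere else.
/ip firewall filter add chain=input in-interface-list=MGMT protocol=tcp dst-port=22,443,8291 action=accept comment="management from MGMT ports"
/ip firewall filter add chain=input protocol=tcp dst-port=22,443,8291 action=drop comment="management from anywhere else"
```

The two firewall rules are appended to the end of the input chain, so check their position against any existing accept rules with `/ip firewall filter print` and use `place-before=` if they need to move up.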
Stuff I want to do
- Get onto DN42 and learn some routing: https://dn42.eu/
- Monitor traffic with SNMP and whatever else they've got
- Set up a station to receive TZSP packet sniffing streams
  - This sounds like what I imagined a few years ago when I started at Arista: separating the packet capture from the analysis and visualisation
  - This can then be fed to something like Snort IDS, and Netflow/IPFIX-based traffic accounting
Stuff to fix
mDNS
Apparently mDNS doesn't work properly across VLANs. Unifi solves this by running an mDNS proxy between VLANs, which makes stuff like Chromecast just work if you put them into a separate IOT VLAN, but Mikrotik doesn't have that.
- https://forum.mikrotik.com/viewtopic.php?t=174354
- https://old.reddit.com/r/mikrotik/comments/grk6ci/mikrotik_and_mdns/
Workaround: pipe all VLANs to a box and run an mDNS proxy/repeater on it. It should be in the avahi package on Linux.