Posts: 0 · Comments: 511 · Joined: 2 yr. ago

  • I have a Dream Machine myself and I’m so sorry I got it. It can do quite a bit, but I can’t have more than one VLAN upstream, and it can’t handle IGMP forwarding… It’s shiny though, with a nice GUI and apps.

  • VLANs are virtual LANs. So no extra equipment, but your router (at minimum) must support them. If your AP also supports them, you send two VLANs through one cable (trunking), and attach each VLAN to its own SSID on the AP. There will be no connection between devices on SSID1/VLAN1 and devices on SSID2/VLAN2. It’s like you have two cables. To make a connection between those devices you must tell your router to forward the packets between the virtual LANs.

    That’s the whole trick: you see one cable, but inside it’s like 4000 cables. It’s the same inside your switch/router with VLAN support: you see one physical port, but it’s 4000 inside, one for each of the 4000 cables. Each one works and behaves like a physical one. You get data in from one, and can forward it upstream to the internet or into one of the other NICs/cables, as that’s what a router does.

  • They are not hard once you grasp the idea. They are like separate networks on layer 2 (link); layer 1 (physical) can be shared.
    So you get several separate networks for the price (and equipment) of one. If you want to reach a device on one VLAN from another, it needs to be forwarded by something.

    It gets a bit complicated here, as your idea of the network is on layer 4, where TCP and UDP and other protocols live. As you don’t want to connect one VLAN to the other, you want something that has access to both VLANs to forward your layer 3 data (IP) between the links. This is your router. It will have a virtual network card on each VLAN. You can tell your router to send data from one network card to the other to forward the data.

    I suck at explaining, so you’re probably better off doing a Udemy network primer or reading up a little bit. Good things to understand are the first 4 layers of the OSI model and routing.

    It’s not hard and you can learn how to use it by poking at stuff and googling a bit. Just imagine each VLAN as a “copy” of your equipment (layer 1), cables and all. Your switch will have to support it, and if you want to trunk (run several VLANs through one link) you need support on the other end as well.

    /endwalloftext
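The two comments above describe the same mechanism in words: one cable carries several VLANs (802.1Q tags), a switch keeps the tagged traffic apart, and only a router with a virtual interface in each VLAN can move IP packets between them. The following is an added example, not code from the commenter, that models exactly that in Python: it builds and parses 802.1Q-tagged frames, a `VlanSwitch` with a per-VLAN forwarding table that floods only to member ports, and a `VlanRouter` that forwards between VLANs only where an explicit policy allows (here, home to IoT but not IoT to home). The MAC addresses, VLAN IDs, subnets and port layout are constructed sample values, and ARP/MAC rewriting on the router’s egress is deliberately left out.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses (locally administered, not real devices)
MAC_LAPTOP = bytes.fromhex("02aabbcc0001")
MAC_CAMERA = bytes.fromhex("02aabbcc0002")
MAC_SERVER = bytes.fromhex("02aabbcc0003")


def build_ipv4(src_ip, dst_ip, payload=b""):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    return hdr + payload


def build_frame(dst_mac, src_mac, vid, ip_packet, pcp=0):
    """Ethernet frame carrying an 802.1Q tag: dst, src, TPID, TCI, EtherType, payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + ip_packet


def parse_frame(frame):
    """Return the header fields; vid is None when the frame carries no 802.1Q tag."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "ethertype": ethertype, "payload": frame[14:]}
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


class VlanSwitch:
    """Layer-2 switch: one forwarding table per VLAN, so frames never cross VLANs."""

    def __init__(self, port_vlans):
        self.port_vlans = port_vlans   # port -> set of VLAN IDs allowed (trunk ports carry several)
        self.fdb = {}                  # (vid, mac) -> port, learned from source addresses

    def forward(self, in_port, frame):
        """Return the list of egress ports for a frame arriving on in_port."""
        f = parse_frame(frame)
        vid = f["vid"]
        if vid is None or vid not in self.port_vlans[in_port]:
            return []                  # untagged, or a VLAN this port is not a member of: drop
        self.fdb[(vid, f["src"])] = in_port
        known = self.fdb.get((vid, f["dst"]))
        if known is not None:
            return [] if known == in_port else [known]
        # Unknown destination: flood, but only to ports that carry this VLAN
        return [p for p, vids in self.port_vlans.items() if p != in_port and vid in vids]


class VlanRouter:
    """One virtual interface per VLAN; moves IP packets between VLANs only where policy allows."""

    def __init__(self, vlan_nets, allowed):
        self.vlan_nets = {vid: ipaddress.ip_network(n) for vid, n in vlan_nets.items()}
        self.allowed = set(allowed)    # (ingress vid, egress vid) pairs that may be forwarded

    def route(self, frame):
        """Return (decision, egress_vid). ARP/MAC rewriting on egress is out of scope here."""
        f = parse_frame(frame)
        if f["vid"] is None or f["ethertype"] != ETHERTYPE_IPV4:
            return ("drop", None)
        dst_ip = ipaddress.IPv4Address(f["payload"][16:20])
        for vid, net in self.vlan_nets.items():
            if dst_ip in net:
                if vid == f["vid"]:
                    return ("same-vlan", vid)   # the switch handles this; the router is not involved
                if (f["vid"], vid) in self.allowed:
                    return ("forward", vid)
                return ("blocked", vid)
        return ("upstream", None)              # not a local VLAN: default route towards the internet


if __name__ == "__main__":
    # Port 1 and 4 are trunks (AP and router), port 2 is access VLAN 10, port 3 is access VLAN 20
    sw = VlanSwitch({1: {10, 20}, 2: {10}, 3: {20}, 4: {10, 20}})
    print(sw.forward(2, build_frame(MAC_SERVER, MAC_LAPTOP, 10, build_ipv4("10.10.0.5", "10.10.0.9"))))
```

Running it shows the point of the wall of text: a frame from the laptop on VLAN 10 is flooded to the trunk ports only, never to the camera’s access port on VLAN 20, and the router returns `blocked` for camera-to-laptop traffic until a `(20, 10)` pair is added to its policy.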

  • Checking logs is perhaps the only real reason I can see for reserved IPs. But then again you can do reverse lookups, and like I said in another reply, IPv6 is dynamic by nature, so any device will only stay on the same IP for the configured amount of time.
    You might not know it, but several of your devices might already be communicating using IPv6 on your home network. Both Windows and iOS will use link-local (OSI layer 2) IPv6 and mDNS for discovery and communication. This is not true if your switch denies IPv6, but you’d need a level 2 switch or some way to block IPv6 multicast for that.

  • I do believe VLANs have a place in a home network: to separate guests from the home network. Several of the home routers that provide a guest SSID will use VLANs. It’s a basic part of OpenWrt and most home routers. One VLAN for upstream and one or two (guest) for inside.

  • TL;DR: don’t reserve IPs

    We all did back in the 90’s. But this is kinda counter to the idea of dynamic leasing of IP addresses.
    The only reason I see for reserving IPs would be to do something based on CIDR ranges (bad practice) or because you need some shitty software that only handles IPs and not hostnames.

    Just liberate yourself and get used to not having control over IPs. It will prepare you for IPv6, where dynamic addresses are part of the spec.

    Your local DNS server should be set up to register devices on IP lease, something all DNS servers I’ve worked with in the last 20 years can manage. With properly set IP search domains this means that you can reach your devices by hostname, or by FQDN if you’d want that.

    Also note that .local is a special TLD reserved for mDNS/zeroconf. Do not set up your DNS server to serve this. You’d be better off using something like .LAN; this means that mDNS/zeroconf can co-exist nicely on your LAN.

    Regarding VLANs: this is something completely different, as this is level 2 in OSI. Each VLAN is like a separate network; there needs to be routing to reach one from the other. I would agree that VLANs are nice when used properly, to section and separate devices. One VLAN for IoT devices, to keep them out of your safe home network, is a fairly common thing. A separate VLAN for servers, one for management perhaps, one for the guest network and one for your normal home devices.

    I use 4 VLANs at home, each with a /16 network from the 10/8 range. And the only static addresses (not reserved DHCP) that I use are for DNS and gateway. At work I still set up some sites where infrastructure like switches/routers etc. are on static, and take this into account when I set up the IP pool(s). In those cases I’ll exclude the top end of the network and put the rest in the pool. Some like to do the opposite end, and some don’t care and just use all of it as the pool and count on ARP/ping to avoid conflicting leases (bad practice).
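The comment above bundles three practices: carve a static block off the top end of a subnet before handing the rest to DHCP, let the DNS server register leases so hosts are reachable by hostname or FQDN via a search domain, and never serve `.local` from unicast DNS because mDNS owns that TLD (RFC 6762). This is an added example, written here and not the commenter’s own setup, that models those three rules in Python with the standard `ipaddress` module: `plan_subnet` splits a /16 into gateway, pool and static block (the gateway-at-first-address convention and the 16-address static block are assumptions), `check_search_domain` rejects `.local`, and `LeaseRegistrar` mirrors leases into forward and reverse records, cleaning up stale entries when a host moves or an address is reassigned. The subnet and hostnames are constructed sample values.

```python
import ipaddress

MDNS_TLD = "local"   # reserved for Multicast DNS by RFC 6762; never serve it from unicast DNS


def plan_subnet(network, static_at_top=32):
    """Split an IPv4 subnet into gateway, DHCP pool and a top-end block kept for static infrastructure.

    Assumption: the gateway takes the first usable address and the highest `static_at_top`
    usable addresses are excluded from the pool for switches, routers, DNS and similar.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("expects an IPv4 network with at least two usable hosts")
    first = net.network_address + 1
    last = net.broadcast_address - 1
    if static_at_top < 0 or static_at_top >= net.num_addresses - 3:
        raise ValueError("static block leaves no room for a DHCP pool")
    return {
        "network": net,
        "gateway": first,
        "pool": (first + 1, last - static_at_top),
        "static": (last - static_at_top + 1, last),
    }


def check_search_domain(domain):
    """Refuse '.local' and return the normalised search domain (e.g. 'lan')."""
    labels = [lab for lab in domain.lower().strip(".").split(".") if lab]
    if not labels:
        raise ValueError("empty search domain")
    if labels[-1] == MDNS_TLD:
        raise ValueError(f"'.{MDNS_TLD}' is reserved for mDNS/zeroconf (RFC 6762); use something like '.lan'")
    return ".".join(labels)


def is_safe_search_domain(domain):
    """Boolean form of check_search_domain for quick validation."""
    try:
        check_search_domain(domain)
        return True
    except ValueError:
        return False


class LeaseRegistrar:
    """Mirror DHCP leases into forward (A) and reverse (PTR) records under a search domain."""

    def __init__(self, domain, plan):
        self.domain = check_search_domain(domain)
        self.plan = plan
        self.forward = {}   # fqdn -> IPv4Address
        self.reverse = {}   # IPv4Address -> fqdn

    def in_pool(self, ip):
        lo, hi = self.plan["pool"]
        return lo <= ipaddress.IPv4Address(ip) <= hi

    def lease(self, hostname, ip):
        """On DHCP lease: register hostname.<domain> -> ip, replacing any stale records."""
        ip = ipaddress.IPv4Address(ip)
        if not self.in_pool(ip):
            raise ValueError(f"{ip} is outside the dynamic pool (static block or foreign subnet)")
        fqdn = f"{hostname.lower()}.{self.domain}"
        old_ip = self.forward.get(fqdn)
        if old_ip is not None:
            self.reverse.pop(old_ip, None)          # host got a new address: drop the stale PTR
        prev_holder = self.reverse.pop(ip, None)
        if prev_holder is not None and prev_holder != fqdn:
            self.forward.pop(prev_holder, None)     # address reassigned: the old host's A record is stale
        self.forward[fqdn] = ip
        self.reverse[ip] = fqdn
        return fqdn

    def release(self, hostname):
        """On lease expiry/release: remove both records and return the freed address."""
        fqdn = f"{hostname.lower()}.{self.domain}"
        ip = self.forward.pop(fqdn, None)
        if ip is not None:
            self.reverse.pop(ip, None)
        return ip

    def resolve(self, name):
        """Resolve a short hostname (search domain appended) or a full FQDN."""
        name = name.lower().rstrip(".")
        if "." not in name:
            name = f"{name}.{self.domain}"
        return self.forward.get(name)

    def ptr(self, ip):
        return self.reverse.get(ipaddress.IPv4Address(ip))


if __name__ == "__main__":
    plan = plan_subnet("10.10.0.0/16", static_at_top=16)
    reg = LeaseRegistrar("lan", plan)
    print(plan["pool"], plan["static"], reg.lease("printer", "10.10.0.50"), reg.resolve("printer"))
```

The registrar refuses a lease inside the static block, which is the consistency check that makes “exclude the top end” safe: a DHCP server that can hand out an address a switch already holds statically is exactly the ARP/ping-collision situation the comment calls bad practice.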

  • I’d replace Debian with OpenBSD. That’s my go-to solution for labs at work.
    At home I use a Ubiquiti thingy (the round box), as I used Ubiquiti at my previous work. It’s utter shit and the UI goes dead a few days after each hard reset. But it works, and I use Tailscale for connecting to stuff at home, so no need to replace it yet.

  • I’d say both OPNsense/pfSense are fairly easy to get started with. Now for something small I’d suggest OpenWrt.

    For a full setup you can’t beat xxsense as firewall and router and stand-alone APs for WiFi.

  • This is pointless. I don’t agree with the view that iOS and Android are equal, any more than Windows and Linux are equal.

    The same goes for the companies behind them: one sells devices, the other sells ads through their free services.

    The customisation you speak about is the same as what browser bars introduced on PCs ages ago. Some users have a good working one, but non-technical people can end up being tricked into adding one without understanding. That is why it has a cost: nobody can easily swap out the dialer on iOS to listen in. On Android it’s standard functionality.

  • Self-hosting is not for everyone. You need to understand backup, redundancy and recovery. That would be the main reason I don’t recommend self-hosting. Bitwarden’s self-hosting package is mature enough for me.

    So it’s more about losing all your passwords than someone breaking into your vault.

  • I’m not sure you can compare the OSes to each other. It’s like comparing Ubuntu to Windows and saying they are equal, as you can de-Microsoft Windows.
    I’m not sure you can compare Apple to Google either. One gives away their OS for free and makes their money from user data; the other charges their users silly amounts and makes their money from devices and cuts of app publishers’ sales. To me that’s a big difference.
    As any user can install an app that “takes over your internets” without rooting, there’s only trust keeping other apps from doing the same. Customisation comes at a cost, and many people don’t understand that.

  • No, that would only be true if both OSes are equally secure in the first place. No matter how you behave, you are limited by that. So equal behaviour on each system does not yield the same result.

    Freedom is not security or privacy, but sure, you (or someone else) can change your dialer on Android, and that can’t be done on iOS.

  • I’m not sure if you’re dense or just pretending. You talk about a piece of software and I refer to their FAQ. I’m sure you have researched your claims and read up on this software…