Episode: 2538
Title: HPR2538: My geeky plans for the new house.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2538/hpr2538.mp3
Transcribed: 2025-10-19 05:03:03
---
This is HPR Episode 2538 entitled My Geeky Plans for the New House.
It is hosted by Knightwise, is about 27 minutes long, and carries an explicit flag.
The summary is: Knightwise talks about the new geek infrastructure in his house.
This episode of HPR is brought to you by archive.org.
Support universal access to all knowledge by heading over to archive.org forward slash donate.
Hey guys and girls, Knightwise calling from the knightwise.com podcast.
And since I am in between houses at the moment and running a busy company,
I don't have a lot of time to podcast.
Although I do have a lot of time to paint and I decided to combine both
and do kind of a series on being a Geek who is moving.
And in the previous shows, while I was painting this rather large living room,
I thought it would be a good idea to record a show.
So you're going to have some ambient noises from the cathedral that is not yet filled with furniture.
And you will have some this, which is the sound of the brush.
Just close your eyes.
Think of Mr. Miyagi.
I'll do a Mr. Miyagi here.
Paint on.
Paint on.
I'm doing all of the kind of, you know, karate kids stuff here.
Paint on.
Paint on.
Don't meet me in an alley.
I'm a real karate guy when I'm done with this.
That being said, I thought it would be a good idea to do a show on, you know,
being a Geek who is moving house.
So in the first chapter, installment, episode, whatever you want to call it.
Urge.
And we talked about, we talked about how I moved my cloud infrastructure to Office 365 from Google.
The second one I talked about what it's like to be a geek who's on the move,
who's, you know, currently in between houses and who has to survive literally out of his backpack.
But today, in chapter three, I would like to talk to you about the new infrastructure in my new house.
Now, my philosophy is simple.
Less is more.
Although it's really nice to have a lab and God knows what amounts of geeky infrastructure to toy with.
At the end of the day, my philosophy is that I would very much like to just get things done and do those in a very productive and efficient manner.
That being said, I'm just getting coffee here.
I decided to go for an optimal setup in my new house.
And that optimal setup meant that I had to redesign the network from the ground up.
Now, before we get started, coffee, I'll describe the situation.
Our new house is fairly large.
It's about 300 square meters in two floors.
So the ground floor and the floor with the bedrooms.
And we have a little building to the side, which I'm looking at right now, which is this...
I need to find a garage building with the door and two windows, which is going to be the office of our company.
These two buildings are connected via Cat5 cable, so that's good.
And the challenge that I had was make sure that I get wireless coverage everywhere,
because we are cable cutters. We do not have...
We do not have just basic cable. We just only have Netflix, Wi-Fi, and that's it.
So we need pretty good Wi-Fi coverage, because there are only a few points in the house where there is a network connection.
So there's one in the living room behind the TV, which will be nice.
The ISP's router is in the garage.
And there is one connection upstairs, which also has a Cat5 connection.
That's basically it.
Because I was triggered to...
That's not good, that's cold water.
Oh yeah, that's because I pressed the wrong button.
Not very smart of me.
So I'm going to get my coffee again.
So when I started to look at hardware, I first had to look at the architecture of my design,
because we have a company, and this company is an IT consultancy company,
and we give trainings in our new offices, so we are going to have guests there.
So immediately we are faced with a delicate and a nice challenge, which is,
how do you divide up your network in that new fancy house of yours,
to make sure that you can live a digital life with all of your digital devices,
and be connected to everything including your own data.
Have an office or a company that can access its data,
and that might also include foreign persons like, for example, staff,
wherever to hire them, or trainees, which I'm going to get.
And then of course there is the different blast zone, which are the strangers,
which are the people that come in here, that come here to follow one of these trainings,
who just need connectivity, and of course there is me, the geek,
the knightwise.com geek who likes to experiment and download and stuff like that.
So putting all of these things on one network is a bad idea.
You never know, so I decided to think long and hard how am I going to do this?
And I was inspired by the city of Carcassonne.
If you don't know, the city of Carcassonne, this is called too.
What the? My coffee maker is broken.
That's not good. Cold coffee. Not good at all.
Oh well, no coffee then.
So I was inspired by Carcassonne. Now Carcassonne is a walled city.
It's a city in the south of France that is fortified,
and that has not one, but two walls around it.
If the first wall were to be breached, there is still a second wall
to protect the city, and the attackers are caught between the first and the second wall
and they get their ass whooped.
So I thought, you know what, that would be a great way to design my infrastructure,
to have these concentric circles inside each other with increased security.
So here's what I came up with.
I have my internet connection, and right behind my internet connection
there is my ISP's modem router.
There's a modem there, and there's a router there, and it hands out IP packages
to whatever device you connect to either the LAN or the wired or the wireless ports.
And for your average Joe, this is fine.
This is absolutely fantastic, no problem.
And that is one of the places I do not ever want to put anything
that is even somewhat personal or confidential.
Because that router is managed by my ISP,
and I know what it's like when you're a tech, you have the night shift,
you're bored out of your skull, and you are thinking what to do now.
Let's poke around people's network.
Let's see what's on there.
So behind that router from my ISP,
I immediately put my own router firewall,
and my own router firewall is an EdgeRouter X by Ubiquiti.
If you are a network geek, you might want to consider this device,
not pushing you to buy anything, but this is pretty cool stuff.
It's really a nice piece of kit that has a lot of possibilities
for a device that is so small, that is so cheap, and yet so powerful.
It costs about 50 bucks, which is ridiculous.
And it has all of the fancy stuff that you wanted to have.
It can do, it has a firewall built in, router, routing tables,
Border Gateway Protocol, multiple subnets, VLAN, Power over Ethernet and that,
everything for 50 bucks.
When you think about it, it's hilarious.
I'm moving this very, very, very heavy cloth,
a piece of furniture here that is from the previous owner, and I hate it.
I hope that he will come and pick it up pretty soon,
because I don't like it.
But I have to move it, because I'm going to paint behind it.
And I'm sorry, move it again.
I have no idea how I'm going to get this out of the house without
spraining a major muscle like this.
Okay, so that being said, it's a great router, and that is my,
the router that protects my network.
Careful, careful, Knightwise.
Try not to damage the house before you move in.
And this router basically divides my network into different zones.
And let's get back to the Carcassonne analogy here.
So you have my router, my ISP's router, which is the outer defense zone of my network.
It is connected to the internet directly.
There is a firewall on there.
And, well, quite frankly, it's okay.
It's nice, you know.
No problem with that, works fine.
And that is my outer zone of defense.
It's managed by somebody else, which I don't care.
And in the zone, in the subnet behind that, which is the 192.168.1.0 subnet,
I will put all of my geeky, nerdy stuff.
I will do all of my experimental stuff.
I will put some of my servers there.
I will probably have my BitTorrent client running and handing out ISOs to the world of open source distributions,
because I'm a good guy.
I like to share.
And I also do all of the experimental stuff there, no problem whatsoever.
That's my play zone.
It's a big DMZ zone.
If any, any ports get forwarded from the internet to my network,
it's going to be here in this zone, my DMZ slash play zone.
Any devices that are IoT and that do not need to be in the network of my clients,
being the technical term, not the financial one,
I put there as well.
For example, my Plex server.
I put it there.
It's great.
I can access it from wherever.
So I can stream my Plex stuff.
I download a lot of YouTube stuff to keep and stream it off my Plex.
I like doing that.
I have archives of all backups of all of my old shows on there that I ripped from DVD legally.
It's my Plex server.
I put it there.
That's great.
Anything that is accessible to my clients that needs to be accessible without needing to be in the same subnet,
it's there.
Let me see what else is there.
Oh yeah, my Raspberry Pi-hole DNS server, which I connect to when I don't want to get spammed.
That's there as well.
An SSH endpoint, so I can SSH in from anywhere and use stuff like sshuttle,
which is an SSH VPN client, and set up encrypted connections from wherever I am,
all self-hosted.
That all goes into the 192 zone, and that works great.
Then, after that, there's my edge router.
And behind my edge router, there is another zone, which is the 172.16.60 zone.
And that's the zone for all of my clients.
My Macs are in there, my workstations are in there, both private and for my company.
We're only two of us. I'm not going to build different subnets for my company and for ourselves.
We don't have that. We have an integration.
So that's where all the clients live, and all the IoT devices that require those clients.
So what's there?
My Philips Hues are there.
My Sonos player is there.
My laptops are there.
And stuff like that, all client-related stuff.
Also on there is a, and now I have to check to get the type right,
a Ubiquiti wireless access point, and I'm going to buy a second one once we move into the offices.
And that machine has a type number.
What's the type of this thing?
The AP AC Pro, a professional-grade SSID, and it's an access point.
And the SSID that it broadcasts is the one that I use both for all of my clients related, for all of my clients.
So that's the second line, you know, that's behind my edge router here.
That's behind the second wall.
It is protected from the DMZ by my edge router firewall.
And it is protected from the internet by both my ISP's router and my firewall, my edge router firewall.
And then it's time for level three.
Because what you can do with the edge router is create two subnets.
You can create one on one port, and you can create one on the other port.
You can also play around with VLANs and stuff, but I decided to go with the subnet because it gives me some possibilities.
And on there, on that second subnet I've created, which is 172.16.50.0, are my servers.
For example, my NAS drive.
That NAS drive houses all of the data from our company.
There is a personal server there that houses all of the data that we personally want to keep that we don't want on the company servers.
And that's there.
And those two servers are the only things that are there.
You have a very high subnet number.
I think I do a slash 20, 20 full.
I think it's slash 23.
I have to check.
So I only have two or three hosts in there.
No DHCP.
I mean, you can't accidentally plug in something to that network.
Not going to happen.
Not going to work.
And this is where my servers live.
Now, here comes the third wall of my line of defense.
Where I basically, well, close off all of the traffic to that server,
aside from the ports that I want to be open.
So port 139, I think, for Samba.
And that's it.
I have to go in ports the same thing.
Only the ports that need to be open get opened up.
So if you breach my ISP's router, well, tough.
Then you get onto my DMZ.
Then you need to breach my edge router.
And you will end up either in my, perhaps you'll,
you'll be hacking one of my clients.
You'll end up into my client lab.
Ooh, whoopty do.
You are one, you've breached one wall.
And.
But then you still need to breach the last wall.
You still need to get onto the third segment of my network,
which houses my server and all of the information there.
So the only thing that I haven't mentioned is that my clients,
including the guests that we have in our company,
that are in the 172.16.60 VLAN because, well,
all of the clients are there.
But they are on a separate VLAN,
which is my last line of defense to keep
unwanted guests off my servers.
So that's my setup for my new home, network-wise.
And I like the Carcassonne inspiration that I got because it's really a layered approach.
And it's something that I have been telling companies to do because they have this fancy firewall.
It protects us from the interest, from the dangers of the internet.
Yes, yes, it does.
Oh, that's my baggie.
It protects you from the danger from the internet.
That's true.
But you also have people working from home.
And these people who work from home, you know,
they just basically take their fancy laptop.
Go home.
Sorry, that's paint coming out of the bag.
It's not me.
And...
Oh, it's disgusting.
I'm really sorry.
So this is the trick.
When you paint from a bucket, you know,
put a plastic bag in the bucket.
And when you're done, cut a hole in the plastic bag and squeeze out the rest of the paint
back into the paint container.
But also, always make sure that there's no one around because it makes a very...
a very, you know, icky sound.
But it does pull back the number, the amount of waste paint that you get every session
and you get to recover as much as possible.
It's so there.
Now, that being said.
So that is how networks get infected.
You have a great fancy firewall.
That's great.
And then, you know, Joe from Sales leaves home, plugs in that company laptop
onto his home network that is riddled with spyware because his oldest daughter
loves to download.
I don't know what from, I don't know where.
The machine gets infected and most of the time, they have local admin rights
because, you know, life...
An ITer's life wouldn't be interesting enough if you didn't.
And the PC gets infected.
And the next day, they come back to work.
And they just walk by your fancy firewall and plug in to your network.
And that entire investment that you made, sorry for the noise I'm cleaning my hands.
Pretty lot of paint on them though.
All the investment that you made in a fancy firewall is absolutely wasted
because people can physically walk past your firewall and plug in infected machines
into your network, which we call the dirty, dirty feet analogy.
So you have cleaned the house and people come in by the back door with muddy feet
and trample over your house.
And that's how servers get infected, you know.
In fact, you don't hack the firewall and you don't go after the server.
You just infect the stupid asshole clients and wait until he literally walks in to the company
and infect the network with that way.
So that's my approach to having a layered subnet, especially for your servers,
that is firewalled off from the rest of the network.
And that's how I set it up here.
So even my wireless access points, that's the only place where I do do a layer two separation.
I use a separate SSID and I put them on a separate VLAN.
So they can access the internet, but they do not see the rest of my client network.
And that's my setup.
This is twofold.
It's either on one end.
It's to protect me from the people who are my guests.
I don't want people who are my guests to sniff around and, you know, learn all kinds of interesting things about my network.
I don't want somebody who is either in my class or in a lecture that I'm giving.
who is a little bit bold, who decides to Wireshark or nmap my entire network.
That's one. Two.
I don't want my experimental stuff to come in contact with my professional activities.
I don't want to infect my network by accidentally downloading, I don't know,
somewhere, and accidentally infecting my own network and compromising my data.
So don't want that.
And I do not trust IoT devices.
Although I have a few, let's see, I have, I just scrubbed the paint off the tiles here before I leave.
Let me see.
I have two Sonos, which I'm going to make.
I'm going to have three Sonos soon.
I have two Sonos.
I have some Philips Hues.
I have a Foscam IoT webcam.
You know, stuff like that.
And these things don't always get patched right.
And sometimes they have holes.
And sometimes they get infected.
And how do you infect them?
Well, of course, with the dirty feet strategy, you just infect some Windows client on the network with the Java exploits.
You scan the network for any interesting devices.
And while you use those interesting devices, you just open up some ports and what have you.
And you can do some interesting things.
You can let your malware use the IoT devices on the same network to wreak havoc.
And, you know, not something you want.
And this is not always in your control.
Because, well, quite frankly, Windows and operating systems get updated on a regular basis.
But sometimes, you know, these Chinese providers of IoT devices just say,
we start going out of business.
And it never gets patched.
It never gets fixed.
And the security vulnerability inside your network continues to exist.
And that's something that you do not want.
So that's why I have my layered approach.
So in all, I still want it to be simple.
And I want it to be cheap.
I wanted to have some geeky hardware to play with without having to spend, you know, corporate bucks to get it done.
And the ubiquity devices are actually very good at doing just this.
And I am very happy with them.
And there were little bits.
They're a little harder to set up than your average.
I don't know.
Then your average dealing router.
But all in all, it went pretty fast.
I think it was up and running after 20 minutes.
And I was amazed at the possibilities that I have.
So as I scrub away a painting error that I did here.
Which is not going to come off.
I want to, you know, give you some inspiration about how I have set up my new network in my new house.
And what my philosophy is regarding all of this.
And I hope you enjoyed it.
My painting adventures for today are done.
I am off home to eat and work a little bit more.
And hopefully we'll see you soon.
You've been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our contributing to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club.
And it's part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly.
Leave a comment on the website or record a follow-up episode yourself.
Unless otherwise stated, today's show is released under a Creative Commons
Attribution-ShareAlike 3.0 license.
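The three-wall layout the episode describes (ISP router and DMZ/play zone in front, the EdgeRouter X behind it, a client zone, a server-only subnet with no DHCP and only Samba allowed in, and a guest VLAN that gets internet and nothing else), written out as an EdgeOS command set. This is an added example, not Knightwise's own configuration: the interface assignments (eth0 uplink, eth1 clients, eth2 servers), the guest VLAN id 70 and its 172.16.70.0/24 range, the 192.168.1.0/24 DMZ range and the /29 server prefix are all assumptions (the episode leaves the server prefix open). The episode names port 139 for Samba; the rule below also opens 445, which current SMB clients use.

```vyatta
# Added example, not the episode's own config. Assumed layout on an EdgeRouter X:
#   eth0        uplink to the ISP router = DMZ / play zone, 192.168.1.0/24 (assumed)
#   eth1        client zone, 172.16.60.0/24 (Macs, Hue, Sonos, the UniFi AP itself)
#   eth1 vif 70 guest SSID carried as VLAN 70 by the AP, 172.16.70.0/24 (assumed)
#   eth2        server zone, 172.16.50.0/29 (assumed; the episode leaves the prefix open)

set interfaces ethernet eth0 description 'Uplink to ISP router (DMZ / play zone)'
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 description 'Client zone'
set interfaces ethernet eth1 address 172.16.60.1/24
set interfaces ethernet eth1 vif 70 description 'Guest / training VLAN'
set interfaces ethernet eth1 vif 70 address 172.16.70.1/24
set interfaces ethernet eth2 description 'Server zone (NAS, personal server)'
set interfaces ethernet eth2 address 172.16.50.1/29

# The ISP router knows nothing about the 172.16 networks, so hide them behind eth0.
set service nat rule 5000 description 'Masquerade towards the DMZ side'
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade

# DHCP only for clients and guests. The server zone stays static on purpose:
# something plugged in by accident never gets an address there.
set service dhcp-server shared-network-name CLIENTS subnet 172.16.60.0/24 default-router 172.16.60.1
set service dhcp-server shared-network-name CLIENTS subnet 172.16.60.0/24 dns-server 172.16.60.1
set service dhcp-server shared-network-name CLIENTS subnet 172.16.60.0/24 start 172.16.60.100 stop 172.16.60.199
set service dhcp-server shared-network-name GUESTS subnet 172.16.70.0/24 default-router 172.16.70.1
set service dhcp-server shared-network-name GUESTS subnet 172.16.70.0/24 dns-server 172.16.70.1
set service dhcp-server shared-network-name GUESTS subnet 172.16.70.0/24 start 172.16.70.100 stop 172.16.70.199
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth1.70

# Wall 2: from the DMZ side only replies to connections the inner zones opened get
# through, and nothing in the play zone may talk to the router itself.
set firewall name DMZ_IN default-action drop
set firewall name DMZ_IN rule 10 action accept
set firewall name DMZ_IN rule 10 state established enable
set firewall name DMZ_IN rule 10 state related enable
set interfaces ethernet eth0 firewall in name DMZ_IN
set firewall name DMZ_LOCAL default-action drop
set firewall name DMZ_LOCAL rule 10 action accept
set firewall name DMZ_LOCAL rule 10 state established enable
set firewall name DMZ_LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall local name DMZ_LOCAL

# Wall 3: traffic leaving the router towards the servers. Only SMB from the client
# zone is let through; packets from the DMZ or the guest VLAN never match rule 20.
set firewall name TO_SERVERS default-action drop
set firewall name TO_SERVERS rule 10 action accept
set firewall name TO_SERVERS rule 10 state established enable
set firewall name TO_SERVERS rule 10 state related enable
set firewall name TO_SERVERS rule 20 action accept
set firewall name TO_SERVERS rule 20 description 'SMB from the client zone only'
set firewall name TO_SERVERS rule 20 source address 172.16.60.0/24
set firewall name TO_SERVERS rule 20 protocol tcp
set firewall name TO_SERVERS rule 20 destination port 139,445
set interfaces ethernet eth2 firewall out name TO_SERVERS

# Guest VLAN: internet only. Blocking every private range covers the client zone,
# the server zone and the DMZ in one rule; the router itself answers guests only
# for DNS and DHCP.
set firewall group network-group PRIVATE_NETS network 10.0.0.0/8
set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 description 'Guests may not reach any private subnet'
set firewall name GUEST_IN rule 10 destination group network-group PRIVATE_NETS
set interfaces ethernet eth1 vif 70 firewall in name GUEST_IN
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 protocol udp
set firewall name GUEST_LOCAL rule 10 destination port 53,67
set interfaces ethernet eth1 vif 70 firewall local name GUEST_LOCAL

commit
save
```

Paste the block into `configure` mode on the router; the `#` lines are ignored by the configure shell and `commit` followed by `save` makes the rules active and persistent. The guest SSID on the access point has to be tagged with the same VLAN id (70 here) for the `eth1 vif 70` interface to see it, while the AP's own management address stays untagged in the client zone. A quick check after commit: from a guest device, `ping 172.16.60.1` and `ping 172.16.50.1` should both fail while names still resolve and web sites load; from a client-zone machine, an SMB mount of the NAS should work while `ssh` or `ping` to it is dropped by `TO_SERVERS`.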