Episode: 3622
Title: HPR3622: My Network Setup.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3622/hpr3622.mp3
Transcribed: 2025-10-25 02:18:37
---
This is Hacker Public Radio Episode 3,622 for Tuesday the 21st of June 2022.
Today's show is entitled, My Network Setup.
It is part of the series networking.
It is hosted by some guy on the internet and is about 23 minutes long.
It carries a clean flag.
The summary is how I've constructed my home network.
Hello and welcome to another episode of Hacker Public Radio.
I'm your host, some guy on the internet.
Today I'm going to be talking to you about my network upgrade.
My network used to be just the ISP's modem slash router slash switch combo box that they give you.
Then I bought a TP-Link.
I think it was the AX6000 gaming router, and I put the ISP combo box in bridge mode
and managed the network with the AX6000 from TP-Link.
The TP-Link AX6000 was a nice router.
I had great coverage for the amount of space that I have.
So we got pretty good coverage.
It allowed you to have a guest network and a primary network.
But you couldn't really do manual subnetting and segregate your network to provide more efficiency and security.
So I wanted to upgrade and do something a little bit better.
But keep in mind I'm not a network guy.
So I needed to do a lot of studying first.
I'm pretty happy with TP link.
And I wanted to stay with that.
But I also looked into pfSense.
I was looking at the Netgear routers that they sell.
And the wait time to receive one was just unknown because of the global supply shortage.
And because I had no idea when I'd ever get one,
I figured I'd just stick with TP-Link for the gateway as well as for the switch, access point and everything else.
Plus I saw the hardware controller.
I like the idea of trying to use one device to manage all the other devices.
And I've, you know, no experience with it.
I figured that would be a little bit easier for me to do versus trying to use the software controller and loading it
on to, possibly, a Raspberry Pi or something like that.
I just wanted a minimal amount of work in this learning exercise.
Because if I break the network, I needed to be able to bring it back without any sort of questions as to whether or not
I built the software correctly or installed it correctly.
Or if there were going to be any issues with, you know, the public build that's for the Raspberry Pi.
So I got, I sent the ISP's combo box back, bought an identical one from Micro Center.
And, you know, you save 15 bucks when you do that because you stop renting their combo box.
And I just used one to bring in the internet with.
I could have gone with a cheaper model, but I figured if anything happened,
and I really, really needed to just set up a basic network until I finished learning what I'm doing,
at least this thing has Wi-Fi and all that good stuff on it.
The TP-Link AX6000 is in storage.
So I still have that as well. I'm probably going to end up just selling it on eBay or something after a while.
I don't know yet.
Okay, so now for my current setup, I'm running for the Gateway.
I have the TP-Link ER605.
That's the TP-Link E-R-605.
For the managed switch, it is the TP-Link TL-SG2210P version 3,
or the JetStream 8-Port Gigabit Smart Switch, a managed PoE switch.
I'm going to leave links in the description because I know that these names are kind of terrible for podcasting.
My access point is the TP-Link EAP660 HD.
Again, links are going to be in the description.
Followed by the TP-Link Omada Hardware Controller.
Now, when you first get the controller and just set it up, you have to create a user account,
you know, the administrator account, which will give you...
It's a simple little prompt that walks you through how you want to set up like a hotel, a house, an office, etc.
And then you can begin adopting other Omada devices into it.
I would recommend holding off adopting all the other devices.
Just adopt the Gateway first.
That way, you can set up your LAN the way you want.
I'm using a Class C home network.
So it's going to be that basic 192.168 network block.
Or IP block, I mean.
In my setup, my LAN is on a 192.168.0.1 LAN.
And I keep all of my devices on the LAN.
Now, to TP-Link, they separate them by devices and clients.
Devices are the things that make up your network.
You know, your Gateway, your Switch, your access points.
And clients are going to be all the other things, you know, cell phones, laptops, etc.
I created about four other subnets after that.
And then I started adopting my AP and all the other devices for the network, the AP, the switch and all.
Gave them all fixed addresses.
And I set up my LAN to have a /28 CIDR.
I chose the /28 because it's a smaller network.
And I don't expect to have that many devices on the LAN network.
Just the things needed to build the network itself.
And when I need to manage it, there's just enough wiggle room for me to slide on there.
I have a set IP for myself.
And then other than that, everything is just handled by DHCP.
And then I'll go and give them, probably give them a fixed IP as well as I need to add more devices to the LAN.
I created another subnet called the Resistance.
It is on the /27.
It is where my family is located, all of our devices there.
And I have it broken down in the show notes so that you can see the details of it.
Following the resistance, there's the T100 network.
That is my guest network. It is also on the /27.
Then there's the T1000 network.
It is the IoT network.
And it is also on the /27.
And finally, last but not least, there's SkyNet.
That is the administrative network.
That's where I'm going to be with the devices that I'm tinkering around with.
It is on the /28.
And I don't expect to have many devices on that.
Just me and Raspberry Pis and whatever else I plan to tinker with.
All right. I have rules set up in the Access Control or ACL rule list or whatever it's called to separate the networks and not allow communication between them.
So the LAN has the ability to communicate with all the other networks because it is where all the devices are.
But I have rules set up to where none of the other networks and their clients are able to speak to specifically the gateway, the hardware controller, or the access point, or the switch.
I don't want anything on the network being able to reach the LAN in general or those specific devices.
So there are multiple rules layered up in there just to spell out that.
But the LAN can communicate with them just to be able to handle basic network.
The LAN network is the only network that does not have an SSID or Wi-Fi capability.
All the other networks have Wi-Fi connected to them.
They have pretty simple yet sophisticated passwords.
And I created QR codes for a couple of them like the guest network and the family network.
So that way when I want to bring on new devices, it'll be a little bit easier to bring them on.
Most of the networks are also hidden except for the guest network.
Now the simple yet sophisticated term that I use there.
What I mean by that is I didn't want to go with a tremendously long password.
I wanted something that was going to be easier to put in especially on some of the IoT devices that don't allow keyboards to connect.
We have to use small screens and things to punch them in.
And it was a pain trying to put in this big 60-something character password.
So I went ahead and went with something that's very difficult that you cannot just guess.
But it's not tremendously long as well.
Each of the subnets also have VLANs attached to them to help segregate the traffic a little bit more.
Just a little extra security there.
Not only is everything on their own network and have rules that say that most of these networks cannot communicate with each other.
But they're also VLAN tagged.
Now the SkyNet network, that's the only network that I do have rules allowing me to sit on SkyNet and communicate with guests and family.
So SkyNet can talk to T100 and resistance.
And that's just because there are no devices on that network just clients me and the Raspberry Pi's.
I don't mind being able to just reach out and communicate with whatever that's there.
Because I'm going to have servers on the, well, one server on the resistance and maybe one on the T100 as well.
The switch that I'm using does use sort of their own, I guess, layer three type technology with VLAN routing.
And I can, you know, route directly with a specific device on a different subnet.
But the reason I didn't go with that and just allowed one network to be able to communicate with the others, you know, SkyNet being able to communicate with resistance and T100 is because sometimes the fixed IPs don't stick, especially when you're moving a device from one network to another.
So say, for instance, I bring a server, which when I say server here, most of the time I'm talking about Raspberry Pi's.
I use them as servers because they're small lightweight, low, low power, just wonderful devices.
So I set one up on the SkyNet and it's got a fixed IP on SkyNet.
I got it, you know, completely configured on SSH then when I'm done, I go ahead and move that device from SkyNet over to resistance.
So that way the folks on Resistance can be able to use it. So it's like a Nextcloud setup or whatever, right?
Move that device over there. There's going to be some, sometimes there's some IP issues and I haven't quite figured out what they are yet.
I have searched the forums and TP-Link has, you know, acknowledged that yes, fixed IPs have problems right now.
And they put out some beta software, but I'm a little bit hesitant with using it right now.
I'm going to wait a little bit before I do that. I still have to update my network software.
And again, a little hesitant about doing that just yet.
So I'm just going to wait, keep an eye on it, probably contact TP-Link and figure out a few details before I do that.
When setting up the inter-VLAN routing, you would have to go under the administrative tab down there.
And it was the settings tab. You click on settings and it'll bring up a new menu on the left hand side.
And then from there, you can go over to profiles and then under profiles, you click groups.
And then under groups, you can set up the, I guess, you know, IP ranges or whatever.
Sorry about that. I have to keep pausing my recording because the air conditioning comes on and that's what that loud humming is.
So I'm, you know, doing the best I can here. So under profiles, you select groups and then you can, you know, create these groups of IP addresses
that you want to be able to communicate. And then from groups, well, well, first you create the groups of the devices, I mean, they won't be able to communicate just because you created a group.
So I can put like my desktop laptop and phone in one group and call it admin.
Then I move over to network security, that tab, and under network security there's ACL.
Those are the access control lists or rules or whatever you want to call it.
Now when you get under that tab, you have a choice of the gateway ACL, the switch ACL or the EAP ACL, the EAP is the, you know, your Wi-Fi.
So I under the switch ACL, that's where I set up all the rules for networks that are denied access to other networks.
And then you can also use those groups and say, hey, this group, which contains my desktop laptop and phone is able to communicate with another device that's located on a separate network.
You can also create groups like what I created was the group of the devices, you know, the gateway switch and access point and hardware controller.
And I use that group to deny access with all the other networks. So none of the other networks have access to that group of devices as well as the network that those devices exist on.
These ACL rules work in order of like top down. So whatever is at the top rule, rule number one, you want to be basically the things that are permitted and let it flow down.
So at the very top, I have denied access to gateway and LAN and all of that stuff, and below that is all the other deny access between networks, you know, all the other networks can't communicate with each other.
I hope that makes sense. It's kind of strange saying it on the podcast, but seeing it is pretty easy.
Now, under the wired network, you select the LAN option under wired networks on the TP-Link Omada setup here, under that same menu that I was talking about.
It'll bring up the list of, you know, LANs that you've created, subnets that you've created. Those are the networks, and then you can switch over to the profile tab and create profiles for, you know, again, they work similar to groups.
I created a profile where I put all the VLANs in, and then I limited the port that the access point is connected to to only accept traffic through VLANs.
So, you know, I don't want anything to be able to access the LAN network now, wirelessly or any other otherwise.
So, just restricting as much traffic as I possibly can to the VLANs and segregation through ACL rules.
Like if I didn't do the VLAN limitation to that port using this profile that I created, the only other option would have been to allow all traffic through that port.
Which is fine because I mean, it's only an AP connected to it and the networks are, you know, hidden and they have passwords and all of that on them.
So, it's not too big of a deal, but I still wanted to be able to narrow things down, no room for error basically.
Now, this sounds easy with me saying it like this, but I demolished the network dozens of times.
I mean, absolute dozens. I have a paper clip on my desk right now and I'm going to give this thing a name, because each of the devices has that little pinhole on them that you stick a paper clip in and then reset the device back to factory default.
I've had to do that so many times. I mean, whoof. Now, under my wireless networks, most of them have both the two and a half and the five gigahertz except for the guest network.
That one's only on the two and a half because, well, I don't have that many guests and when I do, they're usually only here about maybe 10 minutes, most something like that.
So, they don't need to have the five and I don't want guests to impact the rest of the network. So, I'm also going to eventually put some limitations on it.
So, if someone was here for like, say an hour and they tried to stream like 4K footage, but my wife was working or something like that, I don't want the guest network to impact the rest of the network.
So, I'll slap some limitations on that. Make it reasonable. You can still get your 1080p down, but no 4K or anything crazy like that.
The guest network, T100, also has this little check mark whenever you're creating a guest network or when you're creating wireless networks, they have an option, would you like to make it a guest network.
And it's just a little check box that you click. I use that here on mine. I don't know exactly what those rules are that they implement that makes it a guest network.
But my guess for that would be it's some sort of no communication between devices on the network. So, each device can only just communicate beyond the network with the internet.
I haven't set up any sort of VPNs or anything like that with my home network yet, but in the future I will.
I have a little travel router that I use from time to time, not off because I don't go anywhere anymore, but I was using it.
And I'm going to eventually just tinker around with that. It's one of those little GL.iNet ones. I think mine is the AR750S, codename Slate.
And it's a nice little, nice little travel router. I'm going to probably take that out with my laptop and a couple Raspberry Pis and see what I can do with it.
Eventually in the future I'm going to create another subnet called R&D research and development.
And I'm going to try self hosting some things on my LAN. And that's another network. I'm going to probably make it another /28 or maybe a /29.
Just limit it down really good and, you know, VLAN it off, all of that good stuff, and see if I can self-host a device in that subnet out to the open world.
And just tinker around a little bit. I've been doing a lot more with Linode as well because I, because I'm just getting into this whole networking thing.
In the past I ran a Minecraft server on my network when I had just a regular flat network, and I don't understand what sort of threats I made myself subject to because I didn't know.
Whenever you see the YouTube videos on how to set up your own Minecraft server, they never really tell you exactly what could happen, just that it's dangerous to do it, but they still show you how to do it.
So you know, you open a port and blah, blah, blah. So I got a little Linode server and I just left it up there for a while. It's running Nextcloud.
I have a, what do you call that thing, that SSL certificate or whatever it is, you know, where you get the HTTPS. I don't know what it's called, but I have that set up on it.
So it's a little more secure and I've been just checking the logs on that thing and holy crap, like the amount of people hammering on that thing day in and day out really lets me know that back when I was running that minecraft server on my network.
I could have been exposed to God knows what I have no idea.
But to this day, I have not experienced any sort of identity theft or anything. So I'm guessing no one really cared enough or maybe they just didn't get in.
Maybe they did and nobody wanted to do anything with the data that they received. I don't know.
But I have much more awareness now of what could happen to you, the amount of attacks that happen.
And I've been learning more about SSH and how to secure SSH and all of that. And that'll be another show for another day.
I just want to let you know that I am aware of the threats that are online and how to somewhat secure a device before hosting it on my network.
So all of this is just practice on making sure that I can first secure the network.
And I'm going to set up a couple of honeypots on the network using Raspberry Pi Zero's and just leave them around on the different networks and just see if anybody takes one.
And I guess after about six, seven months or whatever, just letting that run, because with the Raspberry Pi Zeros, they're so lightweight, low power, you can let them run for like seven months and never really even notice it.
So I have three Raspberry Pi Zero 2 Ws, or W2s, whatever the name thing is.
And I'm just going to spread them around on the network and the different subnets, leave them wide open and set up the little email thing so that way I can get a message.
If somebody does try to break into them, that means for one, my network is compromised somewhere and two, you know, at least I'll have a way of identifying it rather than find out later on when all of our devices are connected.
All of our devices and our identities have been compromised.
So before we go, I'm just going to talk to you real quick about the show notes.
This is basically the documentation that I use for designing my networks.
When I first set up the networks, I didn't use the subnet strategy that I'm using right now.
You'll see the different subnets in the show notes.
I tried to set up my subnets using VLSM, variable-length subnet masks.
And I ran into a number of issues with that.
I finally got it somewhat working and decided to scrap that.
It took too much time.
I could have got the show out much, much earlier, but I kept tinkering and tinkering and constantly breaking the network, locking off devices from the network.
I actually ended up locking off the hardware controller.
The access point, it was a nightmare, but no more of that.
I just went with this more simplified way and the show notes will have everything broken down.
I just want to let you know that in there I have MAC addresses and stuff that have been, I cleaned it up.
So they're not actual MAC addresses and you can tell that by looking at them.
I cleaned all of that stuff up and these are all internal IP addresses.
So not to worry about any threats with that.
And for the user names and stuff that's in the document, I'm cleaning it up just given it generic user for the name and stuff like that.
And I have to also the links for the devices.
But I'm happy with the show notes.
There's basically just my documentation cleaned up to be made public for you guys to see and understand more about my network.
So thank you guys for listening.
I'm sorry for the air conditioning just kicked back in and I'm going to wrap this up now.
You guys take it easy.
You have been listening to Hacker Public Radio at hackerpublicradio.org.
Today's show was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is.
Hosting for HPR has been kindly provided by an honesthost.com, the Internet Archive and rsync.net.
Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.
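The segmentation plan the host describes (a /28 infrastructure LAN, three /27 client segments, a /28 admin segment, and switch ACLs read top-down with the permits above the denies) can be checked on paper before touching the hardware. What follows is an added worked example, not code from the episode or from the host's show notes, and it models the policy rather than the Omada ACL engine itself. The base addresses, the fixed addresses placed in the infrastructure group and the rule names are assumptions; the episode gives only the prefix lengths and the intended reachability.

```python
"""Subnet-plan check and top-down, first-match ACL evaluator for the segmented
home network described in the episode.  Addresses and group members are constructed."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Tuple

# Constructed addressing: the five segments packed into one 192.168.0.0/24 (assumed).
SUBNETS = {
    "LAN":        ipaddress.ip_network("192.168.0.0/28"),   # infrastructure devices only
    "SkyNet":     ipaddress.ip_network("192.168.0.16/28"),  # admin / tinkering
    "Resistance": ipaddress.ip_network("192.168.0.32/27"),  # family devices
    "T100":       ipaddress.ip_network("192.168.0.64/27"),  # guest
    "T1000":      ipaddress.ip_network("192.168.0.96/27"),  # IoT
}

# Constructed fixed addresses for gateway, controller, switch and access point.
INFRA_GROUP = frozenset(
    ipaddress.ip_address(a) for a in ("192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4")
)


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Host addresses left after the network and broadcast addresses are excluded."""
    return net.num_addresses - 2


def plan_problems(subnets: dict, infra=INFRA_GROUP) -> list:
    """Readable problems with the plan: overlapping segments, or infrastructure
    addresses that sit outside the LAN segment."""
    problems = []
    for (name_a, net_a), (name_b, net_b) in combinations(subnets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    for ip in sorted(infra):
        if ip not in subnets["LAN"]:
            problems.append(f"infrastructure address {ip} is outside the LAN")
    return problems


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # segment name or "any"
    dst: str     # segment name, "INFRA" (the device group) or "any"


# Order follows the episode's advice: permits at the top, denies below them.
RULES = [
    Rule("permit", "LAN", "any"),            # infrastructure segment reaches everything
    Rule("permit", "SkyNet", "Resistance"),  # admin segment may reach the family server
    Rule("permit", "SkyNet", "T100"),        # ... and the guest segment
    Rule("deny", "any", "INFRA"),            # nobody else reaches gateway/controller/switch/AP
    Rule("deny", "any", "LAN"),              # ... or anything else on the LAN segment
    Rule("deny", "any", "any"),              # ... or any other segment (explicit catch-all)
]


def segment_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Name of the segment containing ip, or None if it is outside the plan."""
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None


def _matches(rule: Rule, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    src_ok = rule.src == "any" or src in SUBNETS[rule.src]
    if rule.dst == "any":
        dst_ok = True
    elif rule.dst == "INFRA":
        dst_ok = dst in INFRA_GROUP
    else:
        dst_ok = dst in SUBNETS[rule.dst]
    return src_ok and dst_ok


def evaluate(rules: list, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Top-down, first-match decision for a flow between two hosts.

    Returns (action, index_of_matching_rule).  Same-segment traffic is switched
    locally and is not checked against the list (a modelling assumption).  If no
    rule matches, returns ("no-match", None): the platform's implicit default would
    then decide, which is why RULES ends in an explicit catch-all deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if segment_of(s) is not None and segment_of(s) == segment_of(d):
        return ("permit", None)
    for index, rule in enumerate(rules):
        if _matches(rule, s, d):
            return (rule.action, index)
    return ("no-match", None)


if __name__ == "__main__":
    for name, net in SUBNETS.items():
        print(f"{name:<11} {net!s:<18} {usable_hosts(net):>3} usable hosts")
    print("plan problems:", plan_problems(SUBNETS) or "none")
    print("SkyNet -> Resistance:", evaluate(RULES, "192.168.0.20", "192.168.0.40"))
    # Same rules with the denies moved above the permits: the SkyNet permit never fires.
    print("denies first        :", evaluate(RULES[3:] + RULES[:3], "192.168.0.20", "192.168.0.40"))
```

Two of the cases are the ones worth running before changing a live rule list: moving the denies above the permits silently turns the intended SkyNet-to-Resistance path into a deny, which is the ordering point the host makes, and dropping the final catch-all leaves SkyNet-to-T1000 unmatched, so the outcome would depend on whatever the switch does by default rather than on anything written down.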