Struts's Networking Thread

Sorry sir … it won’t happen again sir.

:smiley:

I shall leave you to it - you seem to have got some inertia on this thread now so I am curious as to where it eventually goes / where you get to take it.

Yeah the ISP supplied kit is much better from a security perspective these days. A lot of hifi guys put those ISP routers into modem only mode and bang a Draytek or ASUS Router in as they have better specs/features/performance - they do need hardening.

Another recommendation is to check the UPnP option. This is something that should really be disabled on a router; some I’ve seen have it set to enabled out of the box. It makes playing PS/Xbox online games easier to get going but is a security risk/weakness.

Yeah right, like you can really stay away… :joy:


That is a very good point … a lot of people see that in the router options and think that you need to enable it for UPnP servers and clients to be able to work on the network … they don’t get that that particular option is actually enabling or disabling the ability for the router to be (to a degree) reconfigured and has nothing to do with UPnP Media Servers and UPnP Media Clients…
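To illustrate the distinction drawn in the post above, here is an added example (not from this thread or any vendor) that parses UPnP device descriptions and reports whether a device is an Internet Gateway Device exposing port-mapping control, or merely a media server. The two XML documents are constructed for the example, not captured from real devices.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-upnp-org:device-1-0}"

# Constructed description of a router with UPnP-IGD enabled (trimmed to the relevant elements).
ROUTER_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
 <friendlyName>Example ISP Router</friendlyName>
 <deviceList><device>
  <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
   <serviceList><service>
    <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
   </service></serviceList>
  </device></deviceList>
 </device></deviceList>
</device></root>"""

# Constructed description of a NAS acting as a UPnP/DLNA media server.
NAS_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
 <friendlyName>Example NAS</friendlyName>
 <serviceList><service>
  <serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
 </service></serviceList>
</device></root>"""

# Services that let any LAN client ask the router to open inbound ports.
PORT_MAPPING_SERVICES = ("service:WANIPConnection:", "service:WANPPPConnection:")


def classify(description_xml):
    """Return (friendly name, role, can_open_ports) for one device description."""
    root = ET.fromstring(description_xml)
    name = root.findtext(f"{NS}device/{NS}friendlyName", default="?")
    # Walk every device and service type, including nested sub-devices.
    types = [e.text or "" for e in root.iter(f"{NS}deviceType")]
    services = [e.text or "" for e in root.iter(f"{NS}serviceType")]
    is_igd = any(":device:InternetGatewayDevice:" in t for t in types)
    is_media = any(":device:MediaServer:" in t or ":device:MediaRenderer:" in t for t in types)
    can_map = any(p in s for s in services for p in PORT_MAPPING_SERVICES)
    role = "gateway (IGD)" if is_igd else "media" if is_media else "other"
    return name, role, can_map


def audit(descriptions):
    """Map each device name to (role, can_open_ports); only the IGD entry is affected by the router's UPnP toggle."""
    result = {}
    for d in descriptions:
        name, role, can_map = classify(d)
        result[name] = (role, can_map)
    return result
```

Disabling UPnP on the router removes the WANIPConnection service from the first description; the media server in the second keeps working because it never depended on it.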

I can … I mean … Oh nuts! :rage:

Hi @Chocky,

The thing here though is that VLANs etc. aren’t actually a requirement for a reliable working network.

We can root around in the weeds and implement all sorts of security measures and discuss vulnerabilities and so on but for someone who has an internet connection provided by an ISP who just wants to stream music reliably none of this is actually going to be relevant and pretty much everything that we have been discussing above would make an average customer who just wants their Lina / Bartok / Rossini / Vivaldi to play music even more convinced that networking is difficult - and networking itself ISN’T difficult and DOESN’T HAVE TO BE.

This is why I’m interested in seeing where this thread goes as I’m absolutely sure that for a typical “user” who just wants their network to be reliable for playing Jazz at 3am in the morning there is very little here that is relevant.

Phil


VLANs are absolutely not a requirement to stream music, but nor is security in any form. It’s a bit like saying brakes (or maybe more appropriately a safety belt) aren’t a requirement to drive fast. True on one level, but maybe abstracting away some of the other considerations. And I agree with you that VLANs are maybe “A-level” stuff which I wasn’t planning on diving into until much later on. I also agree with @Chocky that VLANs aren’t infallible. Nor is a Chubb lock, but it’s better than a Yale and a damn sight better than no lock at all.

Mrs Struts used to work in market research and they have a saying there, “where you sit is where you stand”, which for the non-native English speakers roughly translates to “your views and opinions almost invariably correlate to your position in society (geographically, socio-economically etc.)”. In your case @Phil I can’t help thinking that your views on simplicity are heavily coloured by the types of problems that cause the average customer to contact dCS support. Your points are well argued and well taken but I still do not buy that the simplest solution is always the best and that one size fits all. There are just too many other factors at play here as I’ve tried to illustrate.

Totally agree with your second point. On the first one I agree it’s a risk, but I opened this thread to create awareness about some of the issues and share ideas on how best to solve them. Nobody is compelled to read it or follow any of the advice here. I am truly surprised at the level of sophistication here, but clearly this thread has attracted the vanishingly small percentage of Phil’s “Group 3”s among the random collection of audiophiles that make up the forum readership and maybe that was inevitable. I was thinking of starting with some more basic topics (unfortunately Phil “stole” many of them in a great post in another thread) and gently working forwards from there, maybe that was naïve. Angus’s point about disabling or changing the passwords on default administrator accounts on anything and everything connected to the network is IMO the best advice here so far, but yes, someone somewhere is bound to find even that confusing or screw it up.

At the end of the day we’re all consenting adults and everyone needs to take responsibility for their decisions on their level of sophistication and ambition relative to their technical abilities. I hope nobody ties themselves in knots as a result of following any of the advice here. But I am also convinced that if folks disregard it, whether through ignorance or a conscious decision (especially some of the points about security), they could end up deeper in the pit of misery than they ever imagined possible, and streaming music will be the very least of their problems.

But these are all great points and something for all of us to bear in mind as we share ideas and experience here going forwards.

Love the idea of this thread, and fully intend to post answers to the numbered questions this weekend.

For now, I can say with recently discovered certainty that I’m much closer to the noddy end of the spectrum than I am the other end.

No default passwords here, but absolutely zero problems with a mesh network for a smallish home. The Rossini and the Nucleus+ are wired, but there’s plenty that’s not. Even my NAS isn’t wired to the hub — it’s via an Eero in the garage. Works perfectly. I’m sure there’s MORE perfection to be had, but in Noddyland for now, all is well. Zero problems, zero (known?) hacks, and smooth streaming and incremental backups (local and offsite).

I don’t think I get any gold stars, though :pensive:


I put my hand up as being one of them…

I have now disabled UPnP in my router.

Thanks @GusGus for the tip.

Great thread @struts001


You’re right @TheFlash, it was ambiguously worded. I went back and added a clarification. Sorry again for getting your blood pressure up.


No gold star Ben, but you do get a heart. Te aroha me te rangimarie!


I agree, as things stand, VLANs are too complex for most people, yet splitting out networks within the house is becoming increasingly necessary. It really needs the vendors of switches, routers and access points to simplify the process so that it becomes easy.

This is not only a potential selling point in its own right, but they could sell their routers, access points and switches as a bundle by making the kit work seamlessly together.

A few manufacturers are moving in this direction (such as Ubiquiti and TP-Link), but most keep their product development costs to an absolute minimum (to the point some routers can’t even be relied upon to stay up without needing rebooting relatively frequently).

I must confess, I think I blush :blush:

I’ve often been tempted to do this to make it easier for my wife to print when her printer runs out of toner, or so I can change the picture showing on the Meural frame in my study without changing network, but the attack on the office network showed that keeping the networks completely separate saved our bacon.

I so want to do this and very nearly did the same, but it will cause issues with devices such as the children’s night monitors, which connect directly (you can stream, but the security risk doesn’t make me inclined to do this).

I could probably get around this by creating exceptions to the rule in the same way you have, and that is likely the way forward.

Incidentally, I didn’t realise the Nest units try to use the home network to communicate with each other (this is relevant as we use them too). My understanding was that they have two WiFi networks, one for internal communication, the other for external, but it would make sense for them to only use one except for emergencies to save power.

I did this at one point, but found we were accumulating an ever-growing number of wireless networks, which was proving detrimental especially at 2.4GHz. If I could prune our other networks, I’d bring this back…

Guests have to ask me nicely if they want to print something! :rofl:


Some more random thoughts on networking and some recommendations based on experience gathered over the years.

As @Phil pointed out, for network reliability wired is almost always preferable to wireless. There are three main reasons for this:

  • Congestion. Wireless uses so-called unlicensed spectrum. That means anyone can use it (unlike a mobile network for instance where the mobile operator has licensed it from the government). This spectrum is limited and can only be divided into a small number of non-overlapping channels. If you open wireless networks from a phone or a PC how many networks do you see? In my apartment in central Stockholm I can see 63 from my listening room. The more different networks on a channel the worse the signal-to-noise ratio and the greater the chance of drop-outs. Of course in a detached house in a rural setting this will likely not be an issue at all.
  • Interference. Wifi is not the only thing that uses this spectrum. Lots of wireless devices like cordless phones, baby monitors, Bluetooth and lots of other things do too. Also microwave ovens and certain other appliances emit EMR in the 2.4GHz band (one of the two unlicensed bands on which wifi works) which can cause interference. If your wifi glitches when the microwave is on switch to 5GHz!
  • Clutter. Walls and furnishings absorb and reflect the signals, sometimes predictably, sometimes highly unpredictably. Someone here said they lived in a Faraday cage, the load-bearing walls in my turn-of-the-century apartment are 18 inches thick. Go figure.

All-in-all there are quite a lot of challenges to providing good wifi coverage but, maybe surprisingly, having it planned and installed professionally is a service very few consumers are willing to pay for.

The next problem is that when they install your internet ISPs will typically draw the cable to the nearest power socket to the door. If the modem is also your wifi access point this may not be the place from where to get the best coverage in the places you want it.

Given that very few houses/flats are wired for internet this raises the question how to deliver internet around the house. Most opt for wireless and start running into the above problems.

I would strongly recommend considering installing cabling if you are having these sorts of problems, or even if not but you are doing other building work with which the installation of cabling could be combined. You can thank me later.

Two other solutions to this problem are MESH networks where wireless networks extend themselves and PowerLine Connectivity (PLC) where you run ethernet through your mains wiring. MESH networks have grown much better over the last few years and I have lots of friends for whom they work well. I also get lots of requests for help from people for whom they are not working. I don’t think I have met anyone who has had a completely pain-free experience with PLC.

Two things that can help:

  • Segregation of duties. Having worked with enterprise networks it was natural to me to have a separate router/firewall, switch (or switches) and access points. But many consumers just use the all-in-one box provided by their ISP. It’s similar to audio, separates can perform much better than all-in-one boxes (think Vivaldi!). This also has the advantage that the placement of everything can be optimized. Access points can be placed where they give best coverage, not where it’s easiest and cheapest for the ISP. Interestingly I have now gone back to an integrated solution (apart from wireless access points) in the form of a Ubiquiti Unifi Dream Machine Pro (UDM-Pro). I see several others here are using them. Although there are plenty of good products on the market, I have been extremely happy since switching from Cisco to Ubiquiti many years ago and this is what I use in my projects and recommend to my friends. For many people’s requirements the new Dream Router (UDR) is an excellent scaled down version with much of the same functionality.
  • Power over Ethernet (PoE). This is kind of the opposite to PLC. Instead of the ethernet going over the power line this is where the power is sent over the ethernet cable. This allows units with relatively low power consumption (there are different versions ranging from about 25W to about 60W) to be situated anywhere an ethernet cable can be run without requiring a power socket (you do however require a power delivery switch or an injector). This is great for things like ceiling mounted access points and small switches. One of my personal favourites is the Unifi Flex Mini. This €40-odd little wonder is a 5-port managed switch which can run off a wall wart or PoE and which is perfect for situations when you just don’t have enough ports, such as under a television or in a gaming corner. Of course you don’t have to use the smart switch functionality, you can use it as a dumb switch too. But you have the option.

Of course if the earlier posts are anything to go by this is unlikely to be read by anybody who didn’t know all this and a lot more already! Please let me know your thoughts, and share your experiences and opinions or neat solutions you have come across. I’ve already learned a lot here, please keep it coming!

Just for the record I have no affiliation with Ubiquiti whatsoever other than as a happy customer.

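The congestion point in the post above (a small number of non-overlapping 2.4GHz channels, shared with every neighbour) can be put into numbers. This is an added example, not code from the thread: it takes a constructed scan like the one a phone shows and scores the usual non-overlapping channels by how many neighbouring networks share their spectrum, weighting stronger signals more. The overlap rule and the signal weighting are simplifying assumptions.

```python
# Constructed survey: (ssid, channel, rssi_dbm), as a phone or laptop scan would list them.
SURVEY = [
    ("Neighbour-A", 1, -60), ("Neighbour-B", 3, -70), ("Neighbour-C", 6, -55),
    ("Neighbour-D", 6, -80), ("Neighbour-E", 9, -65), ("Neighbour-F", 11, -75),
    ("Neighbour-G", 13, -72),
]

# The usual non-overlapping 2.4GHz choices in most regions.
NON_OVERLAPPING = (1, 6, 11)


def overlaps(a, b):
    """2.4GHz channels are 5MHz apart and ~20MHz wide, so two channels share
    spectrum when they are fewer than 5 channel numbers apart (assumption:
    20MHz channels only; 40MHz bonding would overlap more widely)."""
    return abs(a - b) < 5


def congestion(candidate, survey):
    """Weighted count of networks sharing spectrum with `candidate`.
    A signal at -90 dBm counts 0, at -60 dBm counts 1, louder counts more."""
    score = 0.0
    for _ssid, channel, rssi in survey:
        if overlaps(candidate, channel):
            score += max(0.0, (rssi + 90) / 30)
    return round(score, 2)


def best_channel(survey, candidates=NON_OVERLAPPING):
    """Least congested candidate; ties go to the lower channel number."""
    return min(candidates, key=lambda c: (congestion(c, survey), c))


def report(survey, candidates=NON_OVERLAPPING):
    """Per-channel scores for a quick survey printout."""
    return {c: congestion(c, survey) for c in candidates}
```

On 5GHz the 20MHz channels do not overlap each other, so the same scoring reduces to counting networks on the exact same channel, which is one reason the post's "switch to 5GHz" advice helps.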

I have to echo the sentiment above, it’s worth using wired connections wherever possible.

The only problem I have with Ubiquiti’s Dream Machine Pro is that, every few months, its config would become corrupt forcing us offline until I re-configured everything (restoring from a backup would work, but I found it just bought us another week or so before it crashed again).

I ended up pulling the Dream Machine Pro from the network, but have continued to use their switches and access points with one of their Cloud Keys instead - this setup has now been quite happily chugging away for well over a year, so I can recommend most of their equipment. It’s (relatively) easy to use and very cost-effective.


Really sorry to hear that Jeremy. I have never had a single issue with any of the handful I have installed (otoh I have had a number of problems with the old style cloud keys). I certainly wouldn’t have recommended it if I had! Was Ubiquiti support not able to isolate the root cause?


The UDM Pro units are on the original internal architecture and took a long time to be aligned with the more modern units such as the UDM SE and UDR. Earlier this year they were all updated to V3 and since then have been solid. I’ve been using and managing Ubiquiti since pretty much the start of them arriving in the UK; the hardware has come a long way in the ease of use and stability department, such that I’m happy to recommend it to friends and family if appropriate.

Unlike most other similar devices, the UDM updates/licence are included; usually there’s a monthly or annual fee involved.

If we don’t have a controller on site we used to have to manage things with a local computer; now we do it all with a Cloud Portal. TP Link have similar with their Omada Portal (looks an awful lot like the Ubiquiti one :grinning:). If you buy either brand from Broadbandbuyer in the UK they supply a 3 year sub to their Portals, saving setting them up yourself, nice to have if you have a large home, multiple buildings or locations.

I agree this thread will appear daunting to a non IT person but it does show that if someone has issues with the home network they can post a help request and will get some good advice and maybe as a result take a bit of pressure off dCS tech.

I don’t look at VLANs and SSIDs as primarily security mechanisms, I look at them as a means to segregate things to make management and troubleshooting simpler. At a simple level splitting the main network and VOIP traffic. In the UK BT are turning off most of the old style copper telephone network, starting mid 2024 thru 2025 I believe, therefore it’ll be over to VOIP or Mobile for the majority in the near future, dead spots and special cases will be left alone I’ve read.


This is a good point Angus.

I don’t know if you were aware of this @jandersonhill. If not it is the subject of endless threads on the Unifi forum but is fairly neatly summarised in this article which I haven’t fact-checked but is consistent with my own observations and opinions. Depending on when you suffered your problems they may well have been associated with the 1.x or 2.x Unifi OS. Again, I don’t recall suffering any specific problems back then. According to my notes my own unit, bought 10/21, shipped with 1.10.0 (and is now on 3.1.16). I’m not going to suggest you give it another try, that’s your call, but as Angus says 3.x is generally considered a big step forward architecturally but above all from a functionality perspective (although I’ll give @Phil hiccups if I mention them here! :wink:).

Angus, I assume it is these Unifi OS architecture changes you are referring to above, correct? Are you aware of any significant hardware version changes to the UDM-Pro (or UDM-SE)?


Like all hardware that lasts a while in production there are revisions, to fix bugs, enhance performance, add features or quite likely due to Covid to swap to an alternative supplier - maybe a new pcb plant or a different chip with the same or similar/acceptable specs, rev 10 would seem to be such.

https://ubntwiki.com/products/unifi/unifi_dream_machine_pro

To be honest, I didn’t spend long trying to get to the root cause for a couple of reasons. The first was that when one failed, it often refused to reboot at that point and needed a full reset to recover. The second was that we needed the network running as we both work from home much of the time, so it was often a race to get everything re-configured.

The other problem I found was that configuring WAN2 as a backup proved flaky and I eventually migrated to a modern version of Vyatta (DANOS), before finding development appeared to have stopped and moving to Sophos XG. Both of which have proved utterly reliable (and faster at routing 1Gb traffic).

It’s clear that I must be in a minority or installers wouldn’t keep using them and I’m still a huge proponent of their other kit (the software on their access points is actually more reliable than my previous experience of Cisco).

Thanks Angus. I understand every living product is undergoing constant change/evolution at the BoM level. Just wanted to check that your comments about things being stable since V3 referred to UniFi OS and not some major hardware revision I didn’t know about.