I live in a “faraday chamber” of a house. Corrugated steel siding, 1.5” drywall/gypsum board, 8-12” steel I-beams, elevated living space, rebar-reinforced concrete-filled cinder blocks at ground level. Main living area is raised 15ft due to being in hurricane alley outside the levees of New Orleans. That should give a good image. Mesh systems never worked well for obvious reasons so I went to a UniFi network:
UDM SE
16 port managed switch (for camera expansion)
8 port managed (for all living room electronics)
2 wired APs upstairs
1 meshed IoT 2.4 network AP for living room electronics (dCS, PS5, Apple TV, Trinnov etc.) and Tesla outside
2 meshed APs downstairs
Separate SSIDs
Main - all mine and my wife’s phones, iPads, laptops etc.
IoT
2 kids have their own
Each isolated from the others
In total about 30-50 devices depending on how many of the kids are at home: 2 at university, 1 at home. It’s amazing how many there are once they are all tracked down.
I’ve got years of reused Cat 3-5 network cables, which is my weak point. Awaiting a Monoprice delivery tomorrow for the weekend’s project updating all cabling to an overkill Cat 8; the price difference from Cat 6a was negligible so I went for it for the increased shielding.
Always change any admin passwords on hardware such as routers, printers, NAS boxes and switches (the more capable models have a web interface with an admin user) because the defaults are all out there on the Internet for anyone to find and use in a hack attempt. Sometimes it makes sense to create a new admin user and disable the default, as the name Admin or Administrator is ubiquitous.
NAS boxes like Synology and QNAP are under constant attack; here’s a useful guide from QNAP. The advice applies in more general ways, so it’s worth a glance even if you don’t own a QNAP. https://marketing.qnap.com/download/17748/?version=en-pdf
Setting a static IP linked to a device’s MAC address is a useful tool. I tend to set them for things like printers, NAS boxes and streamers; if something is playing up and intermittently dropping off from being visible, setting a static can help - sometimes 2 devices “pull” the same IP address from the router (or whatever is doing the DHCP role) and one of them “loses” and drops off the network.
A proper firewall is worth considering and doesn’t need to cost mega bucks; home versions of Untangle, pfSense or OpenWRT are all free/cheap. I use a Ubiquiti Dream Machine because that’s what we supply at work; it works well with a nice user interface these days.
Reading up on virtual networks, VLANs and tagging traffic plus Wi-Fi SSIDs is useful as part of segregating the traffic on your network, as are guest networks and isolating foreign/visiting devices. A mate is into bikes; his pal brought a laptop round to connect to his new bike. I was on a train and Zen Security called me to let me know they’d blocked my mate’s Internet as it was firing out thousands of spam messages - from the laptop, as it turned out; it was riddled with malware. If he’d connected it in his house rather than the bike shed (loose term, it has a bike lifter onto the first floor), which had its own broadband, the malware could have jumped onto his home computers.
Any dial-in/port-forwarded traffic is locked to the public IP or IPs of the trusted people allowed access, typically to remote access cards like Dell iDRACs or HP iLO. I have multiple work servers at home running various apps such as our ticketing system.
Nice Jeremy. Now you go to the top of the class. I have something quite similar and that is one of the areas I was going to come onto further on. My virtual networks are Main, Boy, IoT, Audio, and Guest, each with their own associated wireless LANs. My idea is that:
Anything on Main can access the internet and anything anywhere on the LAN (although the contents of the NAS are of course in different accounts and much is 2FA-protected).
Boy, a network just for my 12-year-old son’s PC, iPad and iPhone - he’s a gamer, mostly FIFA and Minecraft, and downloads tons of crap including Java “mods” from the internet, and sometimes even my malware detection regime can’t keep up. Anything here can access the internet but absolutely nothing on any other VN.
Anything on IoT can access the internet but no other device on IoT and nothing on the other VNs. I found I needed to set up specific routing rules so my two Nest smoke alarms could speak to each other and my printer could speak to PCs (something to do with the scanner, can’t remember what) but on the whole this has caused surprisingly few problems.
Anything on Audio can talk to anything else on Audio and the internet. Audio is separate mostly so I can manage QoS, but also so I can connect my wireless speakers (Devialet Phantoms) to their own WLAN on a different 5GHz band to everything else. They are very flaky and need optimum conditions to avoid dropouts.
Guest was meant to allow internet access but not connecting to anything else. But then guests couldn’t print, add stuff to playlists, play peer-to-peer games, or a ton of other things that the Strutslets wanted to do, so that caused more problems than it was worth. And since I don’t seem to be able to stop Mrs Struts and the Strutslets sharing the Main wifi password with guests automatically via their iPhones the Guest network has fallen into disuse.
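The reachability rules laid out above (Main reaches everything, Boy and Audio only themselves and the internet, IoT and Guest only the internet, plus the two narrow exceptions for the Nest alarms and the printer’s scanner), together with Angus’s earlier point that forwarded ports are locked to trusted public IPs, can be written down as one policy table and checked mechanically. This is an added example, not code from any poster or from UniFi; every subnet, device address, port number and the “trusted” public address 203.0.113.7 are constructed placeholders.

```python
import ipaddress

# Constructed placeholder addressing for the five virtual networks named in the thread.
NETWORKS = {
    "Main":  ipaddress.ip_network("10.0.10.0/24"),
    "Boy":   ipaddress.ip_network("10.0.20.0/24"),
    "IoT":   ipaddress.ip_network("10.0.30.0/24"),
    "Audio": ipaddress.ip_network("10.0.40.0/24"),
    "Guest": ipaddress.ip_network("10.0.50.0/24"),
}
INTERNET = "Internet"
SELF = "self"   # marker: hosts on this network may talk to each other

# Default reachability per source network, as the post describes it.
# Anything not listed here is denied (default deny).
POLICY = {
    "Main":  {SELF, INTERNET, "Boy", "IoT", "Audio", "Guest"},
    "Boy":   {SELF, INTERNET},
    "IoT":   {INTERNET},           # no client-to-client, no other VNs
    "Audio": {SELF, INTERNET},
    "Guest": {INTERNET},
}

# Narrow exceptions layered on top (constructed addresses): the two Nest alarms
# may talk to each other, and the printer's scanner may reach PCs on Main.
NEST_A = ipaddress.ip_address("10.0.30.21")
NEST_B = ipaddress.ip_address("10.0.30.22")
PRINTER = ipaddress.ip_address("10.0.30.50")
EXCEPTIONS = [
    lambda src, dst, proto, port: {src, dst} == {NEST_A, NEST_B},
    lambda src, dst, proto, port: src == PRINTER and dst in NETWORKS["Main"],
]

# Port forwards from the Internet: (proto, public port) -> (trusted source prefix,
# internal host, internal port). 203.0.113.7 is a placeholder for a trusted public IP.
TRUSTED_ADMIN = ipaddress.ip_network("203.0.113.7/32")
IDRAC = ipaddress.ip_address("10.0.10.200")
FORWARDS = {("tcp", 8443): (TRUSTED_ADMIN, IDRAC, 443)}


def network_of(ip):
    """Name of the virtual network an address belongs to, or 'Internet'."""
    ip = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return INTERNET


def is_allowed(src, dst, proto="tcp", port=None):
    """Decide whether a LAN-originated flow src -> dst may be initiated.
    Reply traffic is assumed to be handled by a stateful firewall, so only the
    initiating direction is evaluated. Internet-originated traffic is never
    allowed here; port forwards are handled by inbound_target()."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net, dst_net = network_of(src), network_of(dst)
    if src_net == INTERNET:
        return False
    allowed = POLICY[src_net]
    if dst_net == INTERNET:
        return INTERNET in allowed
    if dst_net == src_net and SELF in allowed:
        return True
    if dst_net != src_net and dst_net in allowed:
        return True
    return any(rule(src, dst, proto, port) for rule in EXCEPTIONS)


def inbound_target(public_src, proto, public_port):
    """For an Internet source hitting a forwarded port, return the internal
    (host, port) it maps to, or None when no forward exists or the source is
    outside the trusted prefix."""
    rule = FORWARDS.get((proto, public_port))
    if rule is None or ipaddress.ip_address(public_src) not in rule[0]:
        return None
    return str(rule[1]), rule[2]


if __name__ == "__main__":
    checks = [
        ("10.0.10.5", "10.0.30.50"),   # Main -> IoT printer: allow
        ("10.0.20.5", "10.0.10.5"),    # Boy -> Main: deny
        ("10.0.30.21", "10.0.30.22"),  # Nest -> Nest: allow (exception)
        ("10.0.30.21", "10.0.30.23"),  # IoT -> other IoT device: deny
        ("10.0.30.50", "10.0.20.5"),   # printer -> Boy: deny
    ]
    for s, d in checks:
        verdict = "allow" if is_allowed(s, d) else "deny"
        print(f"{s} ({network_of(s)}) -> {d} ({network_of(d)}): {verdict}")
    print("iDRAC from trusted IP:", inbound_target("203.0.113.7", "tcp", 8443))
    print("iDRAC from elsewhere: ", inbound_target("198.51.100.9", "tcp", 8443))
```

The point of writing it down this way is that the exceptions stay explicit and narrow (two named alarms, one printer to one network) instead of IoT being opened up wholesale, and that anything not in the table is denied. The same rows translate one-for-one into firewall rules in the router UI, and a quick run of the checks after any change shows whether the printer fix has accidentally let the whole IoT network reach Main.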
I hadn’t considered the home vs private angle. I use my work laptop as my primary client and it has access to pretty much everything. So if any threat entered via my work network I could potentially be hosed. Food for thought.
Yes, Apple, maybe with the best intentions, has created a whole raft of challenges for network administrators. The first was the introduction of private WiFi addresses which screws up MAC address authentication as well as a lot of convenience features like device identification functionality. Then there is the whole keychain thing. Jeez, what a headache! Still love them though…
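An added illustration of the private Wi-Fi address point, not from the thread: the randomised per-network MAC that iOS and macOS present has the “locally administered” bit of the first octet set, so any DHCP reservation, MAC allow-list or device-identification feature keyed on the phone’s hardware address simply never matches. The lease lines, reservation table and MAC addresses below are constructed for the example; the audit function flags leases whose address is locally administered and reservations that no lease ever claimed.

```python
import re

# Constructed sample DHCP lease table (hostname, MAC, assigned IP); not real data.
LEASES = """\
# hostname  mac                ip
printer     00:1b:a9:12:34:56  10.0.30.50
phone-1     6a:2f:41:9c:d0:11  10.0.10.137
nas         00:11:32:ab:cd:ef  10.0.10.20
tv          00:e0:4c:11:22:33  10.0.30.60
"""

# Constructed reservations (MAC -> reserved IP). The last entry is the phone's
# hardware MAC, which never shows up because the phone presents a private address.
RESERVATIONS = {
    "00:1b:a9:12:34:56": "10.0.30.50",
    "00:11:32:ab:cd:ef": "10.0.10.20",
    "a4:83:e7:aa:bb:cc": "10.0.10.30",
}

_MAC_RE = re.compile(r"([0-9a-f]{2})[:-]" * 5 + r"([0-9a-f]{2})")


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' (any case) into 6 bytes."""
    m = _MAC_RE.fullmatch(mac.strip().lower())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(h, 16) for h in m.groups())


def normalize(mac: str) -> str:
    """Canonical lower-case colon form, so table lookups don't depend on formatting."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac))


def is_locally_administered(mac: str) -> bool:
    """IEEE 802: bit 1 (value 0x02) of the first octet marks a locally administered
    address. Randomised / private Wi-Fi addresses set this bit; burned-in OUI
    addresses do not."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 (value 0x01) of the first octet marks a group (multicast) address."""
    return bool(parse_mac(mac)[0] & 0x01)


def audit(leases_text: str, reservations: dict):
    """Classify each lease as 'reserved', 'reserved-mismatch', 'randomized' or
    'unknown', and list reservations no lease claimed. Returns (statuses, missing)."""
    reserved = {normalize(k): v for k, v in reservations.items()}
    statuses, seen = {}, set()
    for line in leases_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, mac, ip = line.split()
        mac = normalize(mac)
        seen.add(mac)
        if mac in reserved:
            statuses[host] = "reserved" if reserved[mac] == ip else "reserved-mismatch"
        elif is_locally_administered(mac):
            statuses[host] = "randomized"
        else:
            statuses[host] = "unknown"
    missing = sorted(m for m in reserved if m not in seen)
    return statuses, missing


if __name__ == "__main__":
    statuses, missing = audit(LEASES, RESERVATIONS)
    for host, status in statuses.items():
        print(f"{host:10s} {status}")
    print("reservations never claimed:", missing)
```

Running it on the sample shows the phone sitting on an unreserved address with a randomised MAC while its reservation goes unused, which is exactly the symptom the post describes. The practical fix is either to turn the private address off for the home SSID on that device, or to stop keying anything important on MAC addresses and rely on the per-network segregation and credentials instead.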
Belt-and-braces is good. That’s what a lot of this stuff is about, but here I’m clearly preaching to the choir!
That was indeed one of the points I was trying to make, even if I suspect you might be an outlier here. But I don’t want to speak too soon. Keep 'em coming folks!
Lots of great stuff there Angus but this is the most important one IMO. If folks only take away one thing from this thread so far that would probably be it.
Aye defo a lot of jargon/tech terms bandied about but I reckon that the folk perusing this forum are reasonably clued up and/or wanting to find out a bit more about how things work in relation to their dCS kit and networks, already some good basic advice posted.
From what I’ve been seeing over the last quite-a-few years, certainly with ISP supplied kit, routers and their wireless networks are now coming with their passwords and passphrases set to unique strings and not common across devices so this is already being dealt with as far as the masses are concerned…
Kit that you buy yourself over the counter usually has fixed initial login details but then that’s down to you as the owner / user to set up.
I shall leave you to it - you seem to have got some inertia on this thread now so I am curious as to where it eventually goes / where you get to take it.
Yeah the ISP supplied kit is much better from a security perspective these days. A lot of hifi guys put those ISP routers into modem only mode and bang a Draytek or ASUS Router in as they have better specs/features/performance - they do need hardening.
Another recommendation is to check the UPnP option; this is something that should really be disabled on a router. Some I’ve seen have it set to enabled out of the box. It makes playing PS/Xbox online games easier to get going but is a security risk/weakness.
That is a very good point … a lot of people see that in the router options and think that you need to enable it for UPnP servers and clients to be able to work on the network … they don’t get that that particular option is actually enabling or disabling the ability for the router to be (to a degree) reconfigured and has nothing to do with UPnP Media Servers and UPnP Media Clients…
The thing here though is that VLANs etc. aren’t actually a requirement for a reliable working network.
We can root around in the weeds and implement all sorts of security measures and discuss vulnerabilities and so on but for someone who has an internet connection provided by an ISP who just wants to stream music reliably none of this is actually going to be relevant and pretty much everything that we have been discussing above would make an average customer who just wants their Lina / Bartok / Rossini / Vivaldi to play music even more convinced that networking is difficult - and networking itself ISN’T difficult and DOESN’T HAVE TO BE.
This is why I’m interested in seeing where this thread goes as I’m absolutely sure that for a typical “user” who just wants their network to be reliable for playing Jazz at 3am in the morning there is very little here that is relevant.
VLANs are absolutely not a requirement to stream music, but nor is security in any form. It’s a bit like saying brakes (or maybe more appropriately a safety belt) aren’t a requirement to drive fast. True on one level, but maybe abstracting away some of the other considerations. And I agree with you that VLANs are maybe “A-level” stuff which I wasn’t planning on diving into until much later on. I also agree with @Chocky that VLANs aren’t infallible. Nor is a Chubb lock, but it’s better than a Yale and a damn sight better than no lock at all.
Mrs Struts used to work in market research and they have a saying there, “where you sit is where you stand”, which for the non-native English speakers roughly translates to “your views and opinions almost invariably correlate to your position in society (geographically, socio-economically etc.)”. In your case @Phil I can’t help thinking that your views on simplicity are heavily coloured by the types of problems that cause the average customer to contact dCS support. Your points are well argued and well taken but I still do not buy that the simplest solution is always the best and that one size fits all. There are just too many other factors at play here as I’ve tried to illustrate.
Totally agree with your second point. On the first one I agree it’s a risk, but I opened this thread to create awareness about some of the issues and share ideas on how best to solve them. Nobody is compelled to read it or follow any of the advice here. I am truly surprised at the level of sophistication here, but clearly this thread has attracted the vanishingly small percentage of Phil’s “Group 3”s among the random collection of audiophiles that make up the forum readership, and maybe that was inevitable. I was thinking of starting with some more basic topics (unfortunately Phil “stole” many of them in a great post in another thread) and gently working forwards from there; maybe that was naïve. Angus’s point about disabling or changing the passwords on default administrator accounts on anything and everything connected to the network is IMO the best advice here so far, but yes, someone somewhere is bound to find even that confusing or screw it up.
At the end of the day we’re all consenting adults and everyone needs to take responsibility for their decisions on their level of sophistication and ambition relative to their technical abilities. I hope nobody ties themselves in knots as a result of following any of the advice here. But I am also convinced that if folks disregard it, whether through ignorance or a conscious decision (especially some of the points about security), they could end up deeper in the pit of misery than they ever imagined possible, and streaming music will be the very least of their problems.
But these are all great points and something for all of us to bear in mind as we share ideas and experience here going forwards.