Automating the Home

Last Christmas the girlfriend asked for an Echo Dot. At the time I thought the regular Echo was ridiculously over-priced and the Dot just plain dumb — why can’t any of them act as a Bluetooth speakerphone?! — but I got her one anyways because who am I to judge spending money on silly gadgets.

At first she used it for reminders, timers, music, and audible books in the kitchen. Then she steadily expanded with another Dot in her bedroom, a Wink hub, some TP-Link outlets, and assorted smart bulbs to about a half-dozen lamps / fixtures in her home.

Now, for practically my whole adult life I’ve used a couple of cheap GE remote-controlled outlets for the lamps in my bedroom so that I’m not getting into bed in the dark or fumbling around for a lamp’s on / off switch. Every time I’ve looked into changing over to something more advanced I’ve felt it wasn’t worth the expense nor the hassle…

But the girlfriend’s setup has grown on me. HA products keep getting simpler and cheaper and Alexa’s capabilities keep expanding. The tipping point for me was Alexa Smart Home Device Groups and discovering the 8-pack of Sengled ZHA bulbs. The Sengleds have had coupons for 15-30% off for the holidays, bringing them as low as $6.50/ea — making it cheaper to upgrade my fixtures with smart bulbs than smart switches, plus saving me the hassle of messing with electrical wiring in a home that I’m not planning to live in much longer.

My hardware assemblage so far:

Originally I wanted SmartThings + Echo Plus figuring I wouldn’t be able to cover my house and detached garage / office / theater from one hub, but ST is doing the job just fine despite not being in the best position. I’ve deployed one of the Hue Color kits in the master bedroom and several Sengled bulbs in the office, with Echos for each plus another in the kitchen. Over my holiday stay-catation I’ll be deploying the rest — an Echo for each living space and bulbs in the most used fixtures / lamps.

I may still decide to wire in a few smart relays for my outdoor lights — getting them on a schedule is highly appealing, and they really demand local control that preserves automation. Best as I can tell, nobody makes outdoor-rated smart bulbs yet.

And maybe some motion sensors to activate the stairway and upstairs hallway lights.


Going through all of this, I find myself wishing that Ubiquiti hadn’t screwed the pooch on mFi. The vision was there… but they basically made every wrong decision possible when it came to execution. I hope they’ll take another crack at it some day while embracing open standards and connectivity.

AmpliFi’d

Irma took me out for a few days, but I’m back!

Lately I’ve been trying to make sure all of the tech at my girlfriend’s home can actually be managed by her, should I be hit by a bus and fall into a coma. I was in the process of building a Sophos XG UTM, but decided to buy a Circle instead. Kids needed a computer, so I got them an LG Chromebase instead of going through the hassle of making Windows secure and kid-safe. She had some home automation going with a Wink Hub, Echo Dots, and an assortment of LED smart bulbs, so I handed down my EcoBee3 when I upgraded to the 4.

The EdgeRouter PoE and UAP-AC-Lite combo were the remaining weakest link in terms of self-management and control. The ER is wholly unsuitable for mere mortals, and while the UAP could theoretically be reset and managed entirely via the phone app… that would be another hassle to deal with in my absence.

And I also had a coverage gap I wanted to address. I’d placed her AP in an alcove to keep everything neat and tidy, but it’s a horrible spot for 5GHz propagation to the back patio where I often work. Dropping a UAP-AC-M or UAP-AC-Lite near the area and using the wireless uplink feature would have solved it, but that’s adding more complexity where I want less.

Enter AmpliFi Mesh:

AmpliFi Mesh

The early reviews on this product weren’t all glowing: from the technologist’s perspective it has a number of compromises and a purposeful lack of features, but from the “I want a multi-AP setup that the girlfriend can easily manage from her phone” perspective it ticks all the boxes. Since the initial launch they’ve simplified the product line: the Base and LR mesh kits are gone and the HD Mesh kit has dropped a couple hundred bucks to $349 retail. I picked up a used kit on eBay for $200-ish and I’m not sure which version it is.

I’ve configured the system in bridge mode behind the EdgeRouter while I figure out how to replicate my site-to-site VPN. The Mesh units are placed in the laundry room downstairs and the hallway upstairs, and I am bathing in glorious 5GHz coverage where previously it was spotty. I’m sure it’s not the absolute fastest using 2.4GHz for backhaul but the Internet connection here is ~60Mb/s and I’ve no trouble achieving that throughout the home despite this being an apartment complex with a bazillion 2.4GHz APs in view.

So far, I’m liking it a lot… it addressed my pain points at an affordable price and is gorgeous to boot. Since I’m just using the wireless functions there isn’t much to dislike, but one minor nit is that it doesn’t support Guest access in bridge mode.

Would recommend for situations where an EdgeRouter / USG + UAPs are overkill and a high-quality simple solution is desirable.

Update: Troy Hunt put together a thorough review of an AmpliFi install with lots of screenshots.

AD Dynamic DNS Updates from EdgeRouter DHCP

Today was the day that I de-commissioned DHCP on my home Active Directory servers. The one area that gave me a little trouble was figuring out how to get Dynamic DNS for clients working with AD DNS. All of the guidance I could find was for BIND.

Here are the commands I used:

set service dhcp-server use-dnsmasq disable
set service dhcp-server dynamic-dns-update enable true
set service dhcp-server global-parameters 'ddns-updates on;'
set service dhcp-server global-parameters 'update-static-leases on;'
set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-rev-domainname="in-addr.arpa.";'
set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-domainname="AD-DOMAIN-NAME.";'

Replace LAN with the name of the DHCP server instance on the EdgeRouter, and AD-DOMAIN-NAME with your AD domain (note the trailing period). The double quotes embedded inside the single-quoted parameter values are needed to carry the quotation marks through the CLI into the generated dhcpd configuration — make sure to copy them as-is.

Breaking this down step-by-step:

set service dhcp-server use-dnsmasq disable

This configures the ER to use ISC’s DHCPd instead of dnsmasq.

set service dhcp-server dynamic-dns-update enable true
set service dhcp-server global-parameters 'ddns-updates on;'
set service dhcp-server global-parameters 'update-static-leases on;'

I’m not sure the first one is necessary here, but we’re configuring DHCP to perform DNS updates on clients’ behalf and to include static DHCP clients.

set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-rev-domainname="in-addr.arpa.";'
set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-domainname="AD-DOMAIN-NAME.";'

Finally, we configure each DHCP scope for updates to the forward and reverse zones.
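Once these commands are committed, dhcpd records the forward and reverse names it registered inside each lease entry, which gives a cheap way to confirm the updates are actually landing. The following audit is an added example (not the EdgeRouter’s or ISC’s code): it parses a constructed ISC-format leases excerpt, derives the names dhcpd should have registered from the post’s ddns-domainname / ddns-rev-domainname parameters (with corp.example. standing in for AD-DOMAIN-NAME.), and reports active leases whose recorded names are missing or differ.

```python
import re
# Constructed excerpt in ISC dhcpd.leases format (what the EdgeRouter writes once
# use-dnsmasq is disabled). dhcpd stores ddns-fwd-name / ddns-rev-name in a lease
# only after a successful update; the second lease below has neither.
SAMPLE_LEASES = """\
lease 10.10.10.50 {
  binding state active;
  set ddns-rev-name = "50.10.10.10.in-addr.arpa.";
  set ddns-fwd-name = "laptop.corp.example.";
  client-hostname "laptop";
}
lease 10.10.10.51 {
  binding state active;
  client-hostname "printer";
}
lease 10.10.10.52 {
  binding state free;
  client-hostname "old-box";
}
"""
DDNS_DOMAIN = "corp.example."        # stands in for AD-DOMAIN-NAME. (trailing dot)
DDNS_REV_DOMAIN = "in-addr.arpa."    # ddns-rev-domainname from the post
LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\n\}", re.S)

def parse_leases(text):
    """Return {ip: {state, hostname, ddns-*...}} for each lease block."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\S+);", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        ddns = dict(re.findall(r'set (ddns-\S+) = "([^"]*)";', body))
        leases[ip] = {"state": state and state.group(1),
                      "hostname": host and host.group(1), **ddns}
    return leases

def expected_names(ip, hostname):
    """Names dhcpd registers for a lease: host + ddns-domainname, reversed IP + rev domain."""
    fwd = f"{hostname}.{DDNS_DOMAIN}"
    rev = ".".join(reversed(ip.split("."))) + "." + DDNS_REV_DOMAIN
    return fwd, rev

def audit(text):
    """Active leases whose recorded DDNS names are missing or differ from expected."""
    norm = lambda n: n.lower().rstrip(".") if n else None
    findings = {}
    for ip, lease in parse_leases(text).items():
        if lease["state"] != "active" or not lease["hostname"]:
            continue
        expected = expected_names(ip, lease["hostname"])
        recorded = (lease.get("ddns-fwd-name"), lease.get("ddns-rev-name"))
        if tuple(map(norm, expected)) != tuple(map(norm, recorded)):
            findings[ip] = {"expected": expected, "recorded": recorded}
    return findings
```

If the AD zone is set to accept secure dynamic updates only, dhcpd’s unauthenticated updates are refused and the lease shows no ddns-* entries, which is exactly what this check surfaces.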

Chromebooks May be Habit-forming

I’ve recently discovered Chromebooks:


Ok, it’s not like I just heard about them, but it was over the past few weeks that I realized they can serve a useful purpose.

  1. I needed a cheap portable serial terminal. Beagle Term and a cheap USB -> RJ45 serial cable fit the bill perfectly.
  2. I wanted a device to leave at my girlfriend’s for casual use. Never cared for Android tablets, didn’t want to spend real money on an iPad or a Windows tablet with a decent CPU. The Chromebook works nicely for this.
  3. The girlfriend’s kids have started 3rd grade and need access to a computer for school assignments. Was going to give them one of these Chromebooks… but she’d prefer they use something not portable and eventually I snagged a good eBay deal on an LG Chromebase instead.
  4. My mother needs access to a computer. For both her and the kids, giving them a computing environment that’s real difficult to screw up is high on the priority list. ChromeOS is perfect for this.

My Chromebook of choice is the Asus C300SA — 3lbs, 13.3″ screen, 4GB RAM, and a legit 10+ hours of battery life. The best part is that Amazon regularly offers reboxed returns at a low price, I’ve picked up four for $100-$115/ea.

Weak points are the sub-1080p display, non-backlit keyboard, and of course, the N3060 dual-core CPU (~989 CPU Mark score). Not gonna sugar-coat it, this thing strains under the load of 10-20 browser tabs I routinely have open… but it does far better than those cheap Windows tablets on Z-series Atom quad-cores.

Apps are also a weakness. For the kids and mom, the browser is all they really need. For myself… I need more, and I’m not real impressed with the selection and quality of what’s available in the Chrome Store in the categories I care about. I don’t want to go the Crouton / Linux route either, as that disables many of the security features of ChromeOS. I think I’d be happiest using the Chromebooks as thin clients to Windows. Guacamole and the various Chrome RDP clients haven’t been appealing to me from a UX perspective, so I’ll be digging into Horizon next.

Regardless, for $100-ish the Pros far outweigh the Cons. They’re not good enough to be my only PC, but they are good enough to be the only PC that I take with me.

Lab Progress: Cabling

Ethernet and console cables finally arrived, so it was a busy and sweaty morning of cable routing for the lab. Still need to hook up power, move my Home Production stack over w/ the US-16-XG, and figure out how I’m going to lay out the 10GbE stuff and a few other miscellaneous items.


TIL: DNAT before Firewall

Was adjusting some firewall rules and verifying them from the outside, and discovered that an unexpected port was being allowed, but only on the secondary WAN connection.

This particular setup uses dual WANs in a failover configuration, but has a ton of DNAT rules to allow inbound traffic on the secondary WAN because port-forward can only apply to one wan-interface. Here’s some relevant CLI:

set firewall group port-group web port 80
set firewall group port-group web port 443
set firewall group port-group web port 8080

set service nat rule 100 description wan2-web
set service nat rule 100 destination group address-group ADDRv4_eth7
set service nat rule 100 destination group port-group web
set service nat rule 100 inbound-interface eth7
set service nat rule 100 inside-address address 10.10.10.10
set service nat rule 100 inside-address port 8080

What I was seeing was that an inbound request to 443 was being allowed from anywhere, despite having firewall rules restricting access to certain IP ranges. Upon further examination I discovered that the request was being sent to 8080 on the inside.

And I immediately suspected my error: DNAT rules are processed before Firewall rules. Turning up logging on the FW and DNAT rules quickly confirmed that was the case.

Whoops.

My other mistake here is that I probably shouldn’t be using inside-address port in my DNAT rules. The guide I followed to originally configure these DNAT rules suggested that they were necessary, but that is not the case and translating port numbers is definitely not the behavior I was looking for.
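To make the ordering concrete, here is a small model of the packet path described above (DNAT first, then the firewall) using the post’s NAT rule 100 and port-group. It is an added illustration, not the router’s code; the eth7 address, the trusted range allowed to reach 443, and an “accept 8080 from anywhere” firewall rule that explains the observed behaviour are all assumed.

```python
import ipaddress

# Constructed stand-ins for values the post does not give: the address of eth7
# (the ADDRv4_eth7 group) and the "certain IP ranges" allowed to reach 443.
WAN2_ADDR = "198.51.100.7"
TRUSTED = ipaddress.ip_network("203.0.113.0/24")
WEB_PORTS = {80, 443, 8080}                     # firewall group port-group web

def nat_rule(translate_port):
    """NAT rule 100 from the post; translate_port=False drops 'inside-address port 8080'."""
    return {"iface": "eth7", "dst": WAN2_ADDR, "ports": WEB_PORTS,
            "to_addr": "10.10.10.10", "to_port": 8080 if translate_port else None}

# Inbound rules evaluated top to bottom with a default drop. Rule 20 is an
# assumed "accept 8080 from anywhere" that explains what the post observed.
FIREWALL = [
    {"src": TRUSTED, "dport": 443},   # rule 10: 443 only from the trusted range
    {"src": None, "dport": 8080},     # rule 20: 8080 from any source
]

def apply_dnat(pkt, rule):
    """Rewrite destination address/port when the packet matches the NAT rule."""
    if (pkt["iface"] != rule["iface"] or pkt["dst"] != rule["dst"]
            or pkt["dport"] not in rule["ports"]):
        return pkt
    return {**pkt, "dst": rule["to_addr"], "dport": rule["to_port"] or pkt["dport"]}

def firewall(pkt, rules):
    """First matching rule accepts; nothing matching means drop."""
    src = ipaddress.ip_address(pkt["src"])
    for r in rules:
        if r["dport"] == pkt["dport"] and (r["src"] is None or src in r["src"]):
            return "accept"
    return "drop"

def process(src, dport, translate_port=True):
    """Model the router: DNAT runs first, so the firewall sees the rewritten packet."""
    pkt = {"iface": "eth7", "src": src, "dst": WAN2_ADDR, "dport": dport}
    pkt = apply_dnat(pkt, nat_rule(translate_port))
    return firewall(pkt, FIREWALL), pkt["dst"], pkt["dport"]

if __name__ == "__main__":
    # With port translation, an untrusted host hitting 443 arrives as 8080 and is accepted.
    print(process("192.0.2.9", 443))
    # Without it, the firewall still sees 443 and the untrusted host is dropped.
    print(process("192.0.2.9", 443, translate_port=False))
```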

Lab Progress Report

UPS dropped off some rack shelves and an ES-48-Lite today, which means the only thing holding me up from starting to get this lab racked up and online is time and rack screws.

A kind soul on the Ubiquiti Discord offered me a good deal on an ERLite-3, a pair of ERPro-8, and an ES-16-XG, so the total amount of Ubiquiti gear available for labbing is going to be fairly impressive!

On hand I’ve got:

Waiting to be delivered:

The end goal here is to be able to run mock deployments with a pair of every class of EdgeRouter and build out complex internetworking without ever having to physically touch the boxes.

Final (maybe?) Update on ER-X / ER-X-SFP Aggregate Performance

It has been confirmed to me that the ER-X / ER-X-SFP have only a single 1 Gb/s link between the SoC and the switch. Since every packet that enters the SoC through that link has to exit along the same path, 1 Gb/s is the maximum aggregate throughput.

I’ve not been able to garner any interest in why bi-directional testing takes a substantial performance hit. I may try some earlier firmware releases in the future, but for now I’m moving on from this subject.