Our Homestead

Before I start posting about all of my home networking projects, I should probably describe the home and property. This is it:

Satellite view of my property showing the main house, pool, and detached garage / apartment.

The lot is 1.5 acres, roughly 180×400 if it were perfectly rectangular, with the front of the house about 120′ from the road. The house itself is the standard 40×30 box on a crawl space, with another 25×30 of garage / utility room and bonus room above. An addition off the garage provides a larger living room with a high vaulted ceiling. There’s attic access in the main part of the house, knee wall access on either side of the bonus room, and from the back side I can reach the living room’s attic space. There’s also some attic above the bonus room but the a/c ducts leave no room to get in there.

There’s a detached garage that was converted to a 2-bedroom apartment and came with tenants who pay half my mortgage. It also has attic access.

There’s a pool house that is basically a glorified shed. There’s an open area in the middle with small rooms to either side. One had been a proper bathroom but at some point in the past vandals ripped out the copper pipes.

So that’s what I’m working with. I have plans to bring Ethernet and in-wall access points to several rooms, blast WiFi across as much of the outdoors as I can reasonably manage, use 60GHz PtMP gear as wireless backhaul links for all three structures, give my tenants their own access point in the apartment, and much more.

My next post will be about deploying the PtMP gear.

UniFi Protect moves away from self-installs

Much online rage has been spilled this weekend over UniFi Protect not being made available for self-installation. If you’ve not been paying attention, UniFi Protect is a new NVR platform from Ubiquiti. Presently Ubiquiti says that UniFi Video will continue to be developed and supported… but nobody expects this to continue for very long. Protect is the new hotness, and since Ubiquiti doesn’t charge for their software, it is unimaginable that they will continue putting resources towards two separate products that do the same thing.

Today, the only way to get Protect is on the UCK-G2-PLUS — which has just launched for $199 with an 8-core ARM SoC w/ 3GB RAM and an easily upgradeable 1TB 2.5″ hard drive. Support for the UAS-XG — an attractive but otherwise bog standard 1U server with a $1,999 MSRP — is coming soon.

People are miffed for a variety of reasons. The G2+ offers very limited storage options. The UAS-XG is a fair value compared to buying an equivalent server from an Enterprise vendor, but it’s incredibly expensive relative to DIY or other thrifty options. There’s presently no middle ground.

And with the UAS-XG being a standard Intel server running Ubuntu 16.04 LTS, there’s no technical reason that Protect can’t be offered for self-installs. Using Docker — as they’ve done with UNMS, and had alluded to providing for Protect during the Beta cycle — would greatly reduce the support challenges of providing self-installable software for Linux.


I’m not sure how I feel about this. I have 5 UVC-G3-Flex cameras that I have been planning to deploy on the G2+ w/ Protect, with the expectation that if I was happy with the platform over time I would replace 6 Ring Spotlights, 4 Amazon CloudCams, and probably add a couple more.

That’s all within the advertised capabilities of the G2+, but with its limitation of a single 2.5″ drive it won’t be able to meet my continuous recording retention targets. I happen to have a 2nd G2+ already so maybe this isn’t a total deal-breaker for me, if it turns out that I really love Protect, but right now I’m questioning if Ubiquiti’s camera platforms are worth the lock-in and premium pricing.

I already have an NVR server that is substantially more powerful than the UAS-XG, an unlimited camera license for Sighthound, and a bunch of Reolink cameras from my old house which are comparable in quality to the G3 Flex.

I’m Baaaack!

Personal stuff has limited my participation in the Ubiquiti community for much of this year, but I’m finally getting my head back above water. The biggest news is that I bought a new-to-me house on 1.5 acres and have been consolidating households with my girlfriend and her children.

New home means lots of upcoming technology projects:

  • Pulling Ethernet to every room in the main house.
  • 60GHz Mikrotik PtMP link between the main house, pool house and detached garage apartment.
  • Building out a fully isolated network for the apartment dwellers.
  • Radius-assigned VLANs for wireless devices.
  • UniFi Protect and 5x UVC-G3-Flex deployment using a UCK-G2-PLUS.
  • Deciding on more permanent placement of APs, which are presently strewn haphazardly across the attic. Or possibly replacing most of them with UAP-IW-AC.
  • Getting complete coverage of the front and back yards using a combination of UAP-AC-M, UMA-D, and UAP-AC-M-Pro — there’s roughly 100′ of depth in the front yard and 200′ beyond the pool house.
  • Attempting to order 2Gb/s fiber service from Comcast.

I’m also back to dogfooding the USG with plans to bring a USG-XG-8 into service as soon as a couple of show-stopping bugs are resolved.

Automating the Home

Last Christmas the girlfriend asked for an Echo Dot. At the time I thought the regular Echo was ridiculously over-priced and the Dot just plain dumb — why can’t any of them act as a Bluetooth speakerphone?! — but I got her one anyway because who am I to judge spending money on silly gadgets.

At first she used it for reminders, timers, music, and audible books in the kitchen. Then she steadily expanded with another Dot in her bedroom, a Wink hub, some TP-Link outlets, and assorted smart bulbs to about a half-dozen lamps / fixtures in her home.

Now, for practically my whole adult life I’ve used a couple of cheap GE remote-controlled outlets for the lamps in my bedroom so that I’m not getting into bed in the dark or fumbling around for a lamp’s on / off switch. Every time I’ve looked into changing over to something more advanced I’ve felt it wasn’t worth the expense nor the hassle…

But the girlfriend’s setup has grown on me. HA products keep getting simpler and cheaper and Alexa’s capabilities keep expanding. The tipping point for me was Alexa Smart Home Device Groups and discovering the 8-pack of Sengled ZHA bulbs. The Sengleds have had coupons for 15-30% off for the holidays, bringing them as low as $6.50/ea — making it cheaper to upgrade my fixtures with smart bulbs than smart switches, plus saving me the hassle of messing with electrical wiring in a home that I’m not planning to live in much longer.

My hardware assemblage so far:

Originally I wanted SmartThings + Echo Plus figuring I wouldn’t be able to cover my house and detached garage / office / theater from one hub, but ST is doing the job just fine despite not being in the best position. I’ve deployed one of the Hue Color kits in the master bedroom and several Sengled bulbs in the office, with Echos for each plus another in the kitchen. Over my holiday stay-catation I’ll be deploying the rest — an Echo for each living space and bulbs in the most used fixtures / lamps.

I may still decide to wire in a few smart relays for my outdoor lights — getting them on a schedule is highly appealing, and they really demand local control that preserves automation. Best as I can tell, nobody makes outdoor-rated smart bulbs yet.

And maybe some motion sensors to activate the stairway and upstairs hallway lights.


Going through all of this, I find myself wishing that Ubiquiti hadn’t screwed the pooch on mFi. The vision was there… but they basically made every wrong decision possible when it came to execution. I hope they’ll take another crack at it some day while embracing open standards and connectivity.

AmpliFi’d

Irma took me out for a few days, but I’m back!

Lately I’ve been trying to make sure all of the tech at my girlfriend’s home can actually be managed by her, should I be hit by a bus and fall into a coma. I was in the process of building a Sophos XG UTM, but decided to buy a Circle instead. Kids needed a computer, so I got them an LG Chromebase instead of going through the hassle of making Windows secure and kid-safe. She had some home automation going with a Wink Hub, Echo Dots, and an assortment of LED smart bulbs, so I handed down my EcoBee3 when I upgraded to the 4.

The EdgeRouter PoE and UAP-AC-Lite combo were the remaining weakest link in terms of self-management and control. The ER is wholly unsuitable for mere mortals, and while the UAP could theoretically be reset and managed entirely via the phone app… that would be another hassle to deal with in my absence.

And I also had a coverage gap I wanted to address. I’d placed her AP in an alcove to keep everything neat and tidy, but it’s a horrible spot for 5GHz propagation to the back patio where I often work. Dropping a UAP-AC-M or UAP-AC-Lite near the area and using the wireless uplink feature would have solved it, but that’s adding more complexity where I want less.

Enter AmpliFi Mesh:


The early reviews on this product weren’t all glowing; from the technologist’s perspective it has a number of compromises and a purposeful lack of features, but from the “I want a multi-AP setup that the girlfriend can easily manage from her phone” perspective it ticks all the boxes. Since the initial launch they’ve simplified the product line: the Base and LR mesh kits are gone and the HD Mesh kit has dropped a couple hundred bucks down to $349 retail. I picked up a used kit on eBay for $200-ish and I’m not sure which version it is.

I’ve configured the system in bridge mode behind the EdgeRouter while I figure out how to replicate my site-to-site VPN. The Mesh units are placed in the laundry room downstairs and the hallway upstairs, and I am bathing in glorious 5GHz coverage where previously it was spotty. I’m sure it’s not the absolute fastest using 2.4GHz for backhaul but the Internet connection here is ~60Mb/s and I’ve no trouble achieving that throughout the home despite this being an apartment complex with a bazillion 2.4GHz APs in view.

So far, I’m liking it a lot… it addressed my pain points at an affordable price and is gorgeous to boot. Since I’m just using the wireless functions there isn’t much to dislike, but one minor nit is that it doesn’t support Guest access in bridge mode.

Would recommend for situations where an EdgeRouter / USG + UAPs are overkill and a high-quality simple solution is desirable.

Update: Troy Hunt put together a thorough review of an AmpliFi install with lots of screenshots.

AD Dynamic DNS Updates from EdgeRouter DHCP

Today was the day that I decommissioned DHCP on my home Active Directory servers. The one area that gave me a little trouble was figuring out how to get Dynamic DNS for clients working with AD DNS. All of the guidance I could find was for BIND.

Here are the commands I used:

set service dhcp-server use-dnsmasq disable
set service dhcp-server dynamic-dns-update enable true
set service dhcp-server global-parameters 'ddns-updates on;'
set service dhcp-server global-parameters 'update-static-leases on;'
set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-rev-domainname="in-addr.arpa.";'
set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-domainname="AD-DOMAIN-NAME.";'

Replace LAN with the name of the DHCP server instance on the EdgeRouter, and AD-DOMAIN-NAME with your AD domain (note the trailing period). The double quotation marks inside the single-quoted parameters are necessary so that dhcpd receives the quoted value intact — make sure to copy them as-is.

Breaking this down step-by-step:

set service dhcp-server use-dnsmasq disable

This configures the ER to use ISC’s DHCPd instead of dnsmasq.

set service dhcp-server dynamic-dns-update enable true
set service dhcp-server global-parameters 'ddns-updates on;'
set service dhcp-server global-parameters 'update-static-leases on;'

I’m not sure the first one is necessary here, but we’re configuring DHCP to perform DNS updates on clients’ behalf and to include static DHCP clients.

set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-rev-domainname="in-addr.arpa.";'
set service dhcp-server shared-network-name LAN shared-network-parameters 'ddns-domainname="AD-DOMAIN-NAME.";'

Finally, we configure each DHCP scope for updates to the forward and reverse zones.
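After turning this on, the check I wanted was a list of the exact A and PTR owner names dhcpd should now be registering, so I could look each one up against the AD DNS zones (one thing to know going in: ISC dhcpd can sign updates with TSIG but not GSS-TSIG, so the AD zones have to accept nonsecure dynamic updates for these to land). The script below is an added example, not part of the original post or of EdgeOS: it parses the dhcpd.leases format and derives the forward name (client hostname plus ddns-domainname) and reverse name (reversed octets plus ddns-rev-domainname) for every active lease, mirroring how dhcpd builds them from the two parameters set above. The leases content, the hostnames and addresses, and the ad.example.test domain are all constructed placeholders; on an EdgeRouter the real file is /var/run/dhcpd.leases, and static reservations live in the config rather than in that file, so they won't appear here.

```python
import ipaddress
import re

# Constructed sample dhcpd.leases content (not from the page); hostnames and
# addresses are made up. One active lease with a hostname, one freed lease,
# and one active lease whose client sent no hostname.
SAMPLE_LEASES = """\
lease 10.10.10.50 {
  starts 3 2018/12/05 14:02:11;
  ends 3 2018/12/05 20:02:11;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop01";
}
lease 10.10.10.51 {
  starts 3 2018/12/05 14:03:40;
  ends 3 2018/12/05 20:03:40;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "oldphone";
}
lease 10.10.10.52 {
  starts 3 2018/12/05 14:05:00;
  ends 3 2018/12/05 20:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

# The two per-shared-network parameters from the EdgeRouter config.
# "ad.example.test." is a placeholder standing in for AD-DOMAIN-NAME.
DDNS_DOMAINNAME = "ad.example.test."
DDNS_REV_DOMAINNAME = "in-addr.arpa."

# One lease block: "lease <ip> { ... }" (blocks in this file are not nested).
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Return a list of (ip, hostname_or_None, binding_state) per lease block."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        host = re.search(r'client-hostname\s+"([^"]*)"\s*;', body)
        state = re.search(r"binding state\s+(\S+)\s*;", body)
        leases.append((ip,
                       host.group(1) if host else None,
                       state.group(1) if state else "unknown"))
    return leases


def expected_records(leases, fwd_domain=DDNS_DOMAINNAME,
                     rev_domain=DDNS_REV_DOMAINNAME):
    """Derive the A and PTR owner names dhcpd registers for active leases.

    Forward name  = client hostname + "." + ddns-domainname
    Reverse name  = reversed IPv4 octets + "." + ddns-rev-domainname
    Active leases without a hostname get no forward record; they are
    returned separately so they can be investigated.
    """
    records, no_hostname = [], []
    for ip, host, state in leases:
        if state != "active":
            continue
        if not host:
            no_hostname.append(ip)
            continue
        ipaddress.IPv4Address(ip)  # raises on a malformed address
        reverse = ".".join(reversed(ip.split("."))) + "." + rev_domain
        records.append({"ip": ip, "a": host + "." + fwd_domain, "ptr": reverse})
    return records, no_hostname


if __name__ == "__main__":
    recs, missing = expected_records(parse_leases(SAMPLE_LEASES))
    for r in recs:
        print(f"{r['a']:40} A    {r['ip']}")
        print(f"{r['ptr']:40} PTR  {r['a']}")
    for ip in missing:
        print(f"{ip}: active lease with no client hostname, no A record expected")
```

Each printed name can be resolved against a domain controller with nslookup to confirm the update was accepted; a hostname-less lease will only ever get a PTR if dhcpd is configured to synthesize a name, which this config does not do.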

Chromebooks May be Habit-forming

I’ve recently discovered Chromebooks:

Ok, it’s not like I just heard about them, but it was over the past few weeks that I realized they can serve a useful purpose.

  1. I needed a cheap portable serial terminal. Beagle Term and a cheap USB -> RJ45 serial cable fit the bill perfectly.
  2. I wanted a device to leave at my girlfriend’s for casual use. Never cared for Android tablets, didn’t want to spend real money on an iPad or a Windows tablet with a decent CPU. The Chromebook works nicely for this.
  3. The girlfriend’s kids have started 3rd grade and need access to a computer for school assignments. Was going to give them one of these Chromebooks… but she’d prefer they use something not portable and eventually I snagged a good eBay deal on an LG Chromebase instead.
  4. My mother needs access to a computer. For both her and the kids, giving them a computing environment that’s really difficult to screw up is high on the priority list. ChromeOS is perfect for this.

My Chromebook of choice is the Asus C300SA — 3lbs, 13.3″ screen, 4GB RAM, and a legit 10+ hours of battery life. The best part is that Amazon regularly offers reboxed returns at a low price; I’ve picked up four for $100-$115/ea.

Weak points are the sub-1080p display, non-backlit keyboard, and of course, the N3060 dual-core CPU (~989 CPU Mark score). Not gonna sugar-coat it, this thing strains under the load of 10-20 browser tabs I routinely have open… but it does far better than those cheap Windows tablets on Z-series Atom quad-cores.

Apps are also a weakness. For the kids and mom, the browser is all they really need. For myself… I need more, and I’m not really impressed with the selection and quality of what’s available in the Chrome Store in the categories I care about. I don’t want to go the Crouton / Linux route either, as that disables many of the security features of ChromeOS. I think I’d be happiest using the Chromebooks as thin clients to Windows. Guacamole and the various Chrome RDP clients haven’t been appealing to me from a UX perspective, so I’ll be digging into Horizon next.

Regardless, for $100-ish the Pros far outweigh the Cons. They’re not good enough to be my only PC, but they are good enough to be the only PC that I take with me.

Lab Progress: Cabling

Ethernet and console cables finally arrived, so it was a busy and sweaty morning of cable routing for the lab. Still need to hook up power, move my Home Production stack over w/ the US-16-XG, and figure out how I’m going to lay out the 10GbE stuff and a few other miscellaneous items.


TIL: DNAT before Firewall

Was adjusting some firewall rules and verifying them from the outside, and discovered that an unexpected port was being allowed, but only on the secondary WAN connection.

This particular setup uses dual WANs in a failover configuration, but has a ton of DNAT rules to allow inbound traffic on the secondary WAN because port-forward can only apply to one wan-interface. Here’s some relevant CLI:

set firewall group port-group web port 80
set firewall group port-group web port 443
set firewall group port-group web port 8080

set service nat rule 100 description wan2-web
set service nat rule 100 destination group address-group ADDRv4_eth7
set service nat rule 100 destination group port-group web
set service nat rule 100 inbound-interface eth7
set service nat rule 100 inside-address address 10.10.10.10
set service nat rule 100 inside-address port 8080

What I was seeing was that an inbound request to 443 was being allowed from anywhere, despite having firewall rules restricting access to certain IP ranges. Upon further examination I discovered that the request was being sent to 8080 on the inside.

And I immediately suspected my error: DNAT rules are processed before Firewall rules. Turning up logging on the FW and DNAT rules quickly confirmed that was the case.

Whoops.

My other mistake here is that I probably shouldn’t be using inside-address port in my DNAT rules. The guide I followed to originally configure these DNAT rules suggested that they were necessary, but that is not the case and translating port numbers is definitely not the behavior I was looking for.
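To make the ordering concrete, here is an added example (my own illustration, not EdgeOS code or anything from the original post) that models the two stages the way the router runs them: the DNAT table first, then the firewall on whatever the packet looks like afterwards. The NAT rule mirrors rule 100 above, with a flag to include or omit the inside-address port line. The firewall ruleset, the 198.51.100.2 WAN address standing in for ADDRv4_eth7, and the probe packets are all constructed for the demo: 443 is allowed only from a management range and 8080 from anywhere, which is enough to reproduce the symptom. With port translation on, a request to 443 from an arbitrary address is accepted because the firewall only ever sees it as 8080; with the translation removed, the 443 rule applies and the same request is dropped. The general lesson is that WAN_IN rules for forwarded traffic have to be written against the post-NAT destination.

```python
import ipaddress

# Ports in the page's "web" port-group.
WEB_PORTS = {80, 443, 8080}


def make_nat_rules(translate_port):
    """Model of NAT rule 100; translate_port=False omits 'inside-address port 8080'."""
    return [{
        "rule": 100,
        "inbound_interface": "eth7",
        "dst_addr": "198.51.100.2",      # constructed stand-in for ADDRv4_eth7
        "dst_ports": WEB_PORTS,
        "inside_addr": "10.10.10.10",
        "inside_port": 8080 if translate_port else None,
    }]


# Constructed WAN_IN-style ruleset: HTTPS only from a management range,
# 8080 reachable from anywhere, everything else dropped by default.
FIREWALL_RULES = [
    {"rule": 10, "action": "accept", "src": "203.0.113.0/24", "dport": 443},
    {"rule": 20, "action": "accept", "src": "0.0.0.0/0",      "dport": 8080},
]
DEFAULT_ACTION = "drop"


def apply_dnat(pkt, nat_rules):
    """PREROUTING stage: the first matching DNAT rule rewrites the destination."""
    for r in nat_rules:
        if (pkt["in_if"] == r["inbound_interface"]
                and pkt["dst"] == r["dst_addr"]
                and pkt["dport"] in r["dst_ports"]):
            translated = dict(pkt)
            translated["dst"] = r["inside_addr"]
            if r["inside_port"] is not None:
                translated["dport"] = r["inside_port"]
            translated["dnat_rule"] = r["rule"]
            return translated
    return pkt


def apply_firewall(pkt, fw_rules, default=DEFAULT_ACTION):
    """Filter stage: evaluated on the packet as it looks AFTER DNAT."""
    src = ipaddress.ip_address(pkt["src"])
    for r in fw_rules:
        if src in ipaddress.ip_network(r["src"]) and pkt["dport"] == r["dport"]:
            return r["action"], r["rule"]
    return default, None


def evaluate(pkt, nat_rules, fw_rules=FIREWALL_RULES):
    """Run both stages in the router's order and report what the firewall saw."""
    after_nat = apply_dnat(pkt, nat_rules)
    action, rule = apply_firewall(after_nat, fw_rules)
    return {"action": action, "fw_rule": rule,
            "dst": after_nat["dst"], "dport": after_nat["dport"]}


if __name__ == "__main__":
    # Constructed probe: HTTPS from an address outside the management range.
    probe = {"src": "198.51.100.77", "dst": "198.51.100.2",
             "dport": 443, "in_if": "eth7"}
    print("with port translation   :", evaluate(probe, make_nat_rules(True)))
    print("without port translation:", evaluate(probe, make_nat_rules(False)))
```

Turning on logging for both the NAT rule and the firewall rule, as the post describes, shows the same thing on a real EdgeRouter: the firewall log line carries the translated destination, not the one the client sent.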