As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
Helping You Build A Better [Home Network]
AngelHedgie
Registered User regular
Registered User regular
I've seen a lot of responses - both in here and in threads in other sections - where forumgoers struggle with networking at home. The hope here is to help get some of this stuff demystified for the neophyte, and show people that running your own home network is easier than it looks. We'll even discuss some more advanced items that are easier than you'd think (like getting a Pi Hole running on your network, letting you say goodbye to online ads across your network.)
So, What's In A Router Anyway?
Let's start with the one piece of network gear that many people have - a router. The reality is that there's a lot going on in said device - more than one would think. First off, the term "router", in networking parlance, refers to a device that routes packets between two networks with different subnet definitions. As such, it will have two ports with two different IP addresses - we refer to the address internal to our own network (usually 192.168.0.1) as the "near" side, and the side that get an address from our ISP as the "far" side. But as you've noted, your "router" does more than that - this is because it's a purpose built appliance with a number of components inside, such as:
Higher end routers may even have things like Quality of Service (QoS) settings, which allows the router to prioritize packets based on function, so that things like communications and games run better when there's traffic on the network. There are even mesh routers which use special wireless networking protocols to interlink multiple physical units to provide physical network access in areas where running a cable may be difficult.
Now, how much router you need depends on your network and the devices you're using. If all you have connected to it is your smartphones, a laptop that only gets light use, and a streaming device, then a basic router will do the job fine. If, on the other hand, you have a ton of connected devices, you're gaming frequently online, and/or have smart home devices - you'll want to consider a more powerful router that supports things like QoS and guest networks, while people with large houses or who want to supply connectivity to an unconnected workshop should look into mesh solutions to bridge large gaps in coverage. That said, no matter what sort of router you get, always change the default settings such as password and network name/passcode. The default passwords for most major brands of router are well known, and not changing them makes you vulnerable - so get them changed!
So, What's In A Router Anyway?
Let's start with the one piece of network gear that many people have - a router. The reality is that there's a lot going on in said device - more than one would think. First off, the term "router", in networking parlance, refers to a device that routes packets between two networks with different subnet definitions. As such, it will have two ports with two different IP addresses - we refer to the address internal to our own network (usually 192.168.0.1) as the "near" side, and the side that get an address from our ISP as the "far" side. But as you've noted, your "router" does more than that - this is because it's a purpose built appliance with a number of components inside, such as:
- A multi-port switch, so that multiple devices can be hooked to it for network access.
- A Dynamic Host Control Protocol (DHCP server, so that your network devices can be given addresses dynamically, instead of being statically assigned (though there are cases when a device needs a static IP.)
- A Domain Name Service (DNS) relay, to let your devices know how to resolve domain names. (That said, most consumer grade routers just relay the location of a DNS service online, whether it's your ISP's DNS server or one run by a large online entity like Google or Cloudflare.)
- A wireless access point, to allow devices to connect wirelessly to the network. There may even be guest networks that the router isolates.
- A lightweight web server to provide a front end to manage the router.
Higher end routers may even have things like Quality of Service (QoS) settings, which allows the router to prioritize packets based on function, so that things like communications and games run better when there's traffic on the network. There are even mesh routers which use special wireless networking protocols to interlink multiple physical units to provide physical network access in areas where running a cable may be difficult.
Now, how much router you need depends on your network and the devices you're using. If all you have connected to it is your smartphones, a laptop that only gets light use, and a streaming device, then a basic router will do the job fine. If, on the other hand, you have a ton of connected devices, you're gaming frequently online, and/or have smart home devices - you'll want to consider a more powerful router that supports things like QoS and guest networks, while people with large houses or who want to supply connectivity to an unconnected workshop should look into mesh solutions to bridge large gaps in coverage. That said, no matter what sort of router you get, always change the default settings such as password and network name/passcode. The default passwords for most major brands of router are well known, and not changing them makes you vulnerable - so get them changed!
XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
AngelHedgie on
+11
Posts
Advertisements are everywhere online these days - and worse, they are often vectors for various types of network attacks. Beyond the security issues, ads are bloat, making web pages load slowly. And while its possible to install browser based blocking, companies like Google (which makes its money on advertising) are pushing back on such solutions. Wouldn't it be nice if you could just deal with ads at the network level, protecting every device on your network?
Well, you can - by using a Pi-hole. This small device uses the Domain Name Service system to kill ad requests at the root, preventing them from being served to you. And because its been done at the network level, it applies to every device on your network. Furthermore, there are ways to further enhance your Pi-hole, allowing you to use actual domain names to access your router, or adding more security to your DNS requests.
While Pi-hole can run on a number of platforms, the name comes from the original design idea - to be run on a Raspberry Pi, which is a small, inexpensive computing platform that can be used for a number of tasks, from embedded electronics to media to retrogaming. While Pi-hole will run on most Raspberry Pi platforms (it needs only 512 MB of memory and about 52 MB of storage), it's recommended to use a Raspberry Pi 4 since it has a devoted gigabit Ethernet jack. (This is going to become a key part of your network, so you want to use a wired connection for it, and the gigabit connection will improve performance.) It's also recommended to go with kits, as these will have all the components you'll need (I used the CanaKit Raspberry Pi 4 2GB Starter Kit, as it came with an active cooling solution.)
What You'll Need
Besides your kit, you'll want to get a monitor with an HDMI port, a keyboard, and a mouse for initial setup. Also, on your computer you'll want to install an SSH client and a VNC client for remote management - you can find PuTTY (SSH) and RealVNC on Ninite, which will allow you to install both cleanly. Set up your Pi as per your kit's instructions, and install Raspbian - a Debian variant designed for the Pi. (A lot of instructions online recommend installing it without the GUI, but that requires being extremely comfortable with management via command line. Since we have VNC available, go ahead and install Raspbian with the GUI, but not with any additional addons. (That said, you'll still want to be comfortable using a command line as a lot of Linux configuration is done via it, GUI or no.)
Configuring Raspbian For Remote Operation
You'll want to set up Raspbian to be managed remotely over your network - this way, you can just run the Pi headless (that is, without a physical user interface.) Once you've gone through initial configuration, click on the little raspberry icon in the upper left, then Preferences>Raspberry Pi Configuration. On this window, select the Interfaces tab, and enable both SSH and VNC. We also want to set a static IP address on eth0 (the Ethernet interface), so right click on the arrow icon in the upper right, and select Wireless and Wired Network Settings. In the window that comes up, select to configure the eth0 interface, then place a static IP address in your network range in the IPv4 Address field (if your router is at 192.168.0.1, you'll want to put the Pi at 192.168.0.xxx, where xxx is a value in your network range between 2 and 255.)
With this done, the Pi is now configured to be accessed remotely. You can now disconnect it from the monitor, and connect it to where you'll want it to be running on your network. On your computer, start up RealVNC Viewer, and log into the static IP address you defined above. You'll be asked for the login information set up during the Raspbian initial install, and once logged in, you'll now have the Viewer showing you the Pi's desktop. From now on, you'll manage the Pi remotely through the Viewer.
Installing Pi-Hole
Now that we're running remotely, it's time to actually install Pi-hole. Open up a terminal window by clicking the terminal icon on the bar at the top, and type in the following two commands in order:
The first line sets up the installer from pi-hole.net, while the second runs the installer as root (sudo is a Unix command to run what follows it as the superuser, a.k.a. root.) Once you do this, you'll get the installer telling you that you're now installing Pi-hole. The first few screens will tell you about how to donate to support Pi-hole, as well as the need for a static IP address (which we set up already.) The next screen will ask what interface to use for network access - select eth0. You'll now be given a selection of who your upstream DNS provider will be (this is who the Pi-hole will go to in order to resolve URIs.) Pi-hole provides details on each, but for most users, either Google or Cloudflare are recommended (the latter especially, as they discard logs after 24 hours and don't sell data, as well as allowing DNS over HTTPS (though this takes a bit more work to enable on the Pi-hole.)) You'll be able to change this later, so don't worry about your selection.
The next screen gets to the heart of what makes Pi-hole work - the blocklists used to generate the gravity values used to determine which requests get sent to /dev/null. In addition to ads, the default lists also track known malware domains and tracking domains - leave all these selected, and move on. You'll then be asked which protocols to enable - just leave both selected. Finally, Pi-hole will show you the current network settings, and ask if you want to use them as a static address. Since we configured that already, select Yes. You'll get a warning about the router possibly trying to assign the address - we'll be setting up the Pi-hole to handle DHCP requests, so that won't be a problem. Finally, you'll be asked if you want to turn on the web interface - select yes, and then yes to installing lighttpd, a lightweight web server.
You'll be asked next if you want to log queries - while useful for troubleshooting, this will eat at the SD card's life. We can turn off logging in the web interface, so leave it on. The final screen will give information on how to log into the web interface, and the custom password for logging in. Hit enter, and you'll see Pi-hole come online. Finally, there's one last command we want to run, because the random password you got may be tough to remember - in the terminal, type in:
and enter in a new password when prompted.
Pi-hole is now active, but it's not currently being used by your devices. Let's change that.
Setting Up Pi-Hole for DNS and DHCP
There are a few ways to set up Pi-hole with your devices, but I recommend making it your DHCP server as well as your DNS server to remove overhead on the router. To do this, we need to first turn off the router's DHCP server - follow the instructions in the router's web interface to do so. Once that's done, log into the Pi-hole web interface, and go to Settings, then DHCP. Toggle the DHCP server on, then select the range of addresses to be served, as well as the router's IP address. For the domain name, you can give it anything you'd like (though it's recommended that you avoid any of the major TLDs.) Finally, you can set the lease length, though the default of one day should be fine. Click Save at the bottom, and the Pi-hole will now be working as the DHCP server as well as the DNS server, and all your devices will now be protected.
That's only necessary if you're keeping the router as the DHCP server, as then it needs to know how to tell your other devices that the Pi-Hole is your new DNS server. Since we're using the Pi-Hole as the DHCP server as well, it automatically informs all devices that it is also the DNS server.
Okay, I've been having some interesting problems with my home internet. I get my internet through Spectrum, and I'm using an ARRIS SURFboard SBG6900-AC modem and router.
What's been happening is that many times during the day my internet will just "drop out". That is, I'm connected to the WiFi network, but the connection switches from "Connected, secured" to "Connected, no internet" and stays that way for a bit, sometimes up to minutes at a time.
At first I thought it was just my phone, since I got a bargain version from Google. However, I just built a new PC, and didn't skimp on anything, and have noticed it happening quite often. What's more, I got even more suspicious when I had to download and install things. This problem seems to occur nearly exclusively when I'm downloading files, particularly large ones.
It made me think back- many of the other times I've encountered this have been when we've been using the WiFi pretty heavily (i.e. my wife watching Youtube in HD while I also watch Netflix on our phones, me downloading three games at a time, online gaming, trying to stream).
So my question is three-fold:
1. Is it possible I'm seeing this because of the router? If so, how do I fix it? Are there setting I should change on the router to maximize transfer rate, or something?
2. Is this more likely to be due to shitty behavior by my ISP, and if so, what do I do?
3. How can I distinguish between these two scenarios?
So, now we've got a working Pi-hole - but it's just stock. There are a number of quality of life improvements we can make to improve things.
Save Your SD Card With Log2RAM
So, you may have heard about early model Teslas self-bricking a few months back - this was due to logging in the internals pushing the flash memory past its maximum write capacity, and thus causing it to fail. Something similar can happen with the logs on your Pi - constant writing can prematurely wear out the Pi's SD card. To prevent this, we can add Log2RAM - a set of scripts that sets /var/log (where all system logs get written) to something called a RAMdisk - a virtual disk held in the Pi's RAM. In addition, it sets up CRON (a Unix automation tool) jobs to write the contents of /var/log to the SD card on a regular schedule - by default, this is done daily and on shutdown/reboot.
The GitHub archive lined above has instructions for installing Log2RAM either via the Debian APT package manager (a tool for managing installs) or through manual download. (And since it's hosted on GitHub, you can also just clone the repository via Git and install that way - though if you're comfortable doing that, you probably don't need this walkthrough.)
Set Up A Home Domain
NB: This configuration method is no longer necessary as of Pi-hole 5.1. If using 5.1 or later, domain configuration can be handled via the Local DNS Configuration screen on the Pi-hole Dashboard.
Back when we set up the Pi-hole as a DHCP server, we got to define a domain name for our network. Domain names like our host's are human readable ways to define network domains, and the locations within - this is the whole purpose of the Domain Name Service, to turn "34.98.75.234" into "penny-arcade.com". Furthermore, since the Pi-hole runs our domain, it's considered authoritative for it, which means that we could define actual domain names for the static devices on our network. Doing so, however, will take a bit more work (but not much!)
Step one is to tell dnsmasq where it can find the listing of our domain hosts, which is done by adding another config file to it: (The tee command is basically a more flexible pipe that pushes the result of the first command both to the console and to the file name given. The name comes from a plumbing T-connector that splits a pipe into two.)
Now that we've told dnsmasq where it can find a hosts list of our network, lets create that list. To do that, we'll need to generate the file with root, so you can use one of the following commands in the console: (Nano is an in-console text editor that's decently new user friendly, with the various commands listed at the bottom of the window and some WYSIWYG elements like arrow keys moving the cursor. Mousepad is a Notepad clone that will pop open in a separate window when invoked.)
This will now allow you to edit the hosts file and add records - you'll want to do so in the format "IPAddress DomainName HostName" as shown below: Of course, you'll want to replace "hedgienet" with the domain you defined in the DHCP server screen, and the addresses with the ones for your own devices. When done, save the file and close the editor.
Finally, we need to restart the DNS server so that it will recognize the new entries:
Once restarted, you can now access your hosts using the defined domain names instead of their IP addresses.
Next, we'll cover improving DNS security.
This is why I really do not like the all in one router/modem combos that ISPs are enamored of, because a problem with one can impact the other. To answer your questions - Yes, you're probably overloading the router, which is causing it to cut out. The problem here is that you have a single device that's doing two things badly, instead of two devices that each do something well. I would recommend having Spectrum take back the combo router/modem and bring you (and I know they have them, since I'm a Spectrum customer as well) a standalone cable modem. Then I would get your own router, and make sure it's a solid one - I'd be looking at either the Nighthawk (I use a Nighthawk R7960P personally) or Orbi mesh router lines from Netgear in your circumstance, as you need a router with the ability to handle both a large number of devices and high data throughput.
(Also, from a security perspective, I much prefer running my network on hardware I own, which is why I prefer segregation between my cable modem (which is on Spectrum's side of the fence) and my router (which is on my side.))
Any suggestions to help ameliorate the issue temporarily whilst we're holed up for the pandemic? Any settings I could tinker with?
So, I looked at the router documentation, and it doesn't seem to have any Quality of Service support, which would allow it to prioritize connections.
The best thing I can recommend at the moment is to try to connect as many devices as you can via wired connections. One thing that most people don't realize is that a Wi-Fi network connection has more overhead than an Ethernet connection.
I do think this thread is skewing a little far on the techie side of things, but since it's primarily techie people here I'm not sure how far. So, any tech newbs reading, please ask questions! It's hard to gauge what other people don't know.
You can't give someone a pirate ship in one game, and then take it back in the next game. It's rude.
- basic modem, router, and AP recommendations for apartments and small houses
- choosing an ISP, service speed, data caps
- basic wireless network security
I can chip in on some of these after work.
You can't give someone a pirate ship in one game, and then take it back in the next game. It's rude.
I should use this to get off my ass and put up a proper (non-software) Engineering thread over in DnD.
Your standard consumer grade router is basically a purpose built computer designed to manage your entire network (hence why they have all those bits mentioned above - that's basically the effective minimum to have a working home network these days.) And like any other computer, they have their limits. Wireless networking has made this worse, because while a finite number of Ethernet jacks does impose a limit on wired connections, you can keep connecting more and more wireless devices to your poor router until it raises the white flag. It's also worth noting that a wireless connection takes more overhead for a router to maintain, since it's not just pushing electrons down a wire, but transmitting a signal out to be heard by other devices (and not just the target device either, which makes wireless less secure by its very nature.) If your router is being sluggish due to high wireless use, one fix you may be able to do is to just run a physical connection to devices like consoles, streaming devices, smart TVs, and other bandwidth hogs - it's easier for a router to push bits through a wired connection. Also, if your router is multiband, make sure that devices that support newer wireless standards are using the bands that can take advantage of them - putting your console on the 2.4GHz band means that it won't be able to use features like beamforming and MU-MIMO.
That said, the hardware in your router matters. First off, avoid combination router/cable modem units:
Second, consider your usage and needs. If your household only has light to moderate network usage - web browsing, some light streaming, etc. - a basic router will be fine. But if you've got people gaming and streaming from multiple rooms simultaneously, you'll want a router with some genuine horsepower under the hood, as well as features to improve performance:
Finally, there are mesh routers. These routers use multiple units that interconnect using a special wireless communication channel separate from normal wireless networking, creating a widescale network without requiring running cables everywhere. Some systems like Google WiFi use standardized nodes that interconnect in a true mesh, while others like Netgear's Orbi have one central "master" unit that then connects to satellite units that provide both wired and wireless access. Mesh routers can provide wide coverage over large spaces, while not requiring running wires through walls - but at the same time won't be as effective as an actual wired network.
Thanks again
For hardware recommendations, I like to point people to review lists put out by reputable sites that test the physical hardware, like Tom's Guide, Consumer Reports, or The Wirecutter. There are a few commonalities that I see when looking at these lists, though:
You have to whitelist www.googleadservices.com to make Google Shopping work again, though this will open up Google's text-based ads in search results.
the "no true scotch man" fallacy.
I've championed Eero a lot before and they've brought out a version that's only $250 regular price and does a great job. Something worth considering in place of Google WiFi now.
Cables: Inserting Plug A Into Jack B
Network cables are the backbone of the network, allowing you to plug devices into your router, letting them communicate. Standard network cables are unshielded twisted pair (UTP) cables - this means that the cable actually contains pairs of internal wires that are twisted together (specifically, there are four color coded sets - blue, orange, green, and brown - with one wire being solid and the other having a white stripe) that has no metal shielding from interference. (For specialized applications, there are shielded twisted pair (STP) cables - but these sell at a premium, due to the shielding in the cable.) The cable will terminate with an RJ-45 plug, which looks a lot like the classic RJ-11 phone plug, only wider (since it has double the conductive wires.) Network cables today come in three common ratings:
While you can make cables, I really don't recommend doing so. Network cables can be cheaply purchased in bulk through vendors like Amazon or Monoprice - make sure that the plugs have relief jackets (these look like sleeves that extend from the plug down the cable a short way, and help relieve stress on the cable.)
For exceptionally long runs (for example, running a line between two houses or to an outbuilding), fiber is a solid choice for doing so as it has high throughput over long distances, and is non-conductive. However, it's also more expensive, as you will need not only the fiber cable, but adapters on each end to convert back to standard Ethernet.
Switches: Because Four Jacks Is Not Enough
A switch is a network device that allows multiple devices to interconnect through it - and share an upstream network connection, with the switch sending packets to their proper destinations by looking at the Media Access Control (MAC) address on the packet. Switches can have a massive number of ports (rackmount switches usually come in multiples of 24, for example,) but consumer grade switches usually come in 5 and 8 port flavors. In addition, switches come in two types: managed and unmanaged. Unmanaged switches are basically plug and play - plug into power, plug your devices in, and they'll now be on the network. Managed switches can provide further control over your network, as they can provide things like QoS and other administrative functions.
When buying a switch, make sure to confirm which Ethernet standards it supports - a switch that only supports 100Mb/s cannot handle gigabit communications, even if everything else on your network can. For my own network, I use a Netgear GS105Ev2 managed switch as the house's backbone in the network closet, and Netgear GS308 unmanaged switches in my living room and bedroom to connect all the devices there. Both are more on the "prosumer" side with metal cases and more advanced features for the managed switch - if you need something a bit more inconspicuous, the Netgear GS208 unmanaged switch is the same functionality as the GS308, but in a sleek plastic shell and back facing ports.
Edit: A little rumination on the history of switches (or, Hedgie Explains Why You Whippersnappers Have It Good As He Adjusts His Onion):
In addition, the ports on the network gear of that era were basically dumb mechanical connectors, and if you tried to chain together two hubs/switches with a regular cable, the result would be nothing, because the new device wouldn't be able to communicate properly. Instead, you would need to buy (or more likely make) something called a crossover cable - this is a cable where the transmit pins on one plug are connected to the receive pins on the other, and vice versa. Eventually, hardware manufacturers would add one or two ports at the end which would have manual switches to change the transmit/receive pins in the port itself, so you wouldn't need a crossover cable - and then eventually developed ports that can autonegotiate connections, making manual switches unnecessary. Today, the ports on modern network equipment are all capable of autonegotiation, so this sort of management is a thing of the past.
I found this to be very educational, especially his discussion on why he (a network professional) chooses more "prosumer" grade equipment for at home, as opposed to professional rackmount gear. There's also bits on Power over Ethernet and Network Attached Storage that some of you will find interesting (and if you want me to talk about these, let me know!)
Enlist in Star Citizen! Citizenship must be earned!
A Short Digression On DNS
So, before we get into how we can improve our security with DNS, it will help to explain how DNS works. The Domain Name System was created to give users on the internet a way to dynamically resolve a human readable domain name (for example, "penny-arcade.com") to an IP address (34.98.75.234). With the way the Pi-hole is configured, this process goes like this:
Upstream DNS servers like the ones run by Google and Cloudflare have a different process that they go through, called a recursive lookup. The DNS system is hierarchal, with domains (both "three letter domains" (TLDs) and country code domains) slowly moving up to the DNS root server (which in actuality is a cluster of servers located around the world.) If one of these servers needs to look up "penny-arcade.com" (say that their existing cache record has expired and is no longer valid, for example,) they follow a different process:
Now, the bad news is that because DNS is such an old part of the internet, having existed for decades at this point, it was built in an era where security wasn't as much of an issue as it is today. As a result, DNS requests are sent in plaintext, which can be intercepted and used to track you. We can mitigate this by one of two ways:
DNS over HTTPS with cloudflared
In the first strategy, we're going to set up a connection to CloudFlare, which provides DNS over HTTPS services. Because we want to use this encrypted channel, we need to set up a special client locally that knows how to send DNS requests over HTTPS, called the CloudFlare daemon, or cloudflared for short. (For Unix novices, daemons are processes that run in the background to provide services. Pi-hole is built on top of several of these daemons, to provide both the DNS resolution and the web front end, to name a few examples.) As such, installation will take a few steps here.
Step 1 is to get the daemon installed on our Pi. First, we want to get the compiled binary from CloudFlare's repository:
Note the ".tgz" extension at the end. This means that the binary is in an compressed tape archive file (also known as a "tarball"), a standard means of packaging binaries in Unix. Of course, this does us no good, so we need to unpack it into something more usable:
tar here is a standard Unix utility for handling tape archive files, and the flags here are telling it to decompress (z) and extract (x) the given file (f) in a "verbose" (v) manner which will list every file extracted. Now that we have the fully uncompressed daemon binary, we need to place it where it needs to live to be usable, as well as tell the system that the folder contains executable code:
cp is short for "copy", and copies the uncompressed cloudflared folder to /usr/local/bin, a location where available local binaries are placed for use. chmod alters the permissions on the file or folder targeted - in this case, we're adding the execute (x) permission. Finally, we need to verify that the binary runs:
Now that we have the binary installed, we need to set it up to run in the background. While the instructions I linked to have both manual and automatic configuration, we're explicitly going to use the manual process, because the automatic process installs the daemon under the root user, which is a serious security flaw. With the manual process, we'll create a "cloudflared" user who will act as a sandbox ffor the process:
Again, there's a bunch of flags here. We're using the -s (shell) flag to assign our new user to have no login shell (since nobody should be logging into this user.) -M tells useradd that cloudflared should have no user directory, and -r makes cloudflared a system user. Now that we have our user, we want to standardize the options it will use when it starts cloudflared. We'll need to open the file for editing with one of the following two commands:
Then in the file, we add the following line:
Edit: Cloudflared can work with any DNS provider that supports DNS over HTTP - the example has been updated to point to the Google DNS servers.
What we're doing here is creating a reference that contains the command arguments we want to run cloudflared with. Since Pi-hole courrently runs off port 53 (the standard DNS server port), we need to tell cloudflared to run on another port (in this case, 5053), and we need to tell it which upstream DNS servers to connect to (8.8.8.8 and 8.8.4.4 are the addresses for the Google DNS servers.) That said, since we created/moved files under root (note the sudo commands above), cloudflared can't access the config file or the binary because it doesn't have ownership. We want it to be able to, so we'll need to grant ownership using chown:
Finally, we need to set up a script for systemd (the system daemon, which is used to initialize a Linux system on startup) to get cloudflared running if we ever reboot the Pi. Once again, we'll be opening a file, this time in the systemd folder:
In this script, we'll be adding the following configuration:
Note in the ExecStart line the $CLOUDFLARED_OPTS reference - this calls back to the configuration we set up earlier. Finally, we need to enable systemd to run the process at startup, then tell it to start cloudflared, and finally check the status of the cloudflared process:
Congratulations - we now have cloudflared running locally on our Pi. Now, we need to tell Pi-hole to route DNS requests through cloudflared, instead of the DNS server we've been using. Log into the Pi-hole interface, then go to Settings > DNS. You'll notice on the right side of the screen a section for custom upstream DNS servvers. In Custom 1, type in the following:
The "127.0.0.1" part is a special IP address called the loopback address, which tells Pi-hole to refer to itself internally, while "#5053" tells it to use port 5053 - the port that cloudflared is running under. Uncheck the providers on the left you were using before (because we don't want the Pi-hole sending requests to anything but cloudflared), and click Save.
And with that, you're done. Pi-hole will now route all DNS requests through cloudflared, which will communicate to the CloudFlare DNS server over HTTPS.
I got the cloudflared service set up. I typo'd the ExecStart and put user instead of usr so it took me a bit to get that fixed up. (side note, I'm a relative linux/pi newb so I had to google that you have to enter 'q' to exit out of the systemctl status screens otherwise I was stuck for a while.
But I did get that fixed up and just for good measure I rebooted my pi and the status does show as running. In regards to the pi-hole configuration, when you're specifying the custom 1 entry, do I not need to also uncheck the box for the existing upstream DNS on the left hand side of that screen (currently set to cloudflare, just not https). Or does setting the Custom 1 field override the Upstream DNS Servers settings on the left? Cuz we don't want both, right?
EDIT: derp, I suck at reading the entire post, nevermind.
Enlist in Star Citizen! Citizenship must be earned!
I'm not the best network guy but I can try to answer some questions if folks have them as well.
Decent article.
I'd be a little bit cautious about the phrase "Wi-Fi doesn't scale well." For home users, that's generally true.
At a business, we scale out Wi-Fi by adding more access points and wiring each of those access points back to the central network with an Ethernet cable.
At home, you usually have a single access point (which is inside your router). With a mesh system, you have multiple access points, but they're all communicating wirelessly. (Mesh is better than a single access point, but it's worse than having multiple access points all connected back to the network by cables.)
It is possible for a home user to get a similar experience as a professionally-built business Wi-Fi network. If you own your own home, I highly recommend getting Ethernet wiring (CAT-6) installed, especially if the home has multiple floors or is otherwise very large.
If you don't want to install Ethernet wiring, or you can't (because you rent), then powerline Ethernet and MoCA Ethernet are good fallback options. I'm sure you (or I, or somebody else) will describe those later in this thread.
the "no true scotch man" fallacy.
For residential use, do I need to buy a CloudKey in order to use Ubiquiti APs? The internet seems divided on this.
You can run one off of a Raspberry Pi or any old PC laying around. You need one to run their APs I believe but don't have to buy their expensive hardware if you don't want since the software is free I believe.
I'm not sure I would advocate powerline ethernet over a mesh solution. I have my in-laws setup with two access points on either side of their house, with powerline in between. Works great, except since it is opposite sides of the house the powerline has to be on different circuits, and something keeps killing the connection. So every few weeks they will complain about no internet access, and it is always because the powerline isn't communicating again.
Caveats abound, but I feel like those two solutions are probably similar in their ease of installation/reliability (generally).
Still trying to decide how to make that setup more reliable (switch to a wifi mesh? Some kind of a watchdog on their computer that tries to reset the powerline adapter every so often?).
Doing a 5 minute power down of the modem sometimes "solves" the issue for a while. Likewise turning off the router. The modem, router, and ethernet cables are brand new (within the last two months). :sad:
No. You don't even need the software running if you don't want to to do the fancier tools like captive portal and whatnot. You can install it on your pc, setup your configuration, and either turn it back on when you want to update/fiddle with your settings, leave it running forever, or turn it off and the APs will just keep on keeping on. I have been using ubiquiti stuff for like 5 years now and it's the best.
I have since bought a cloud key because it's extremely easy management of the system (and I have one at my parent's house so I can manage their connection and run their updates and whatnot) but certainly not required.
We recently upgraded to fttc internet which comes into the house and connects to an ISP modem which I have connected to a Netgear R8000 for wifi. When we upgraded, the ISP gave us a new modem which is an Eir F3000, which is just a rebranded Huawei device. The annoying thing is that this new modem doesn't allow you to specify a custom DNS server, which means my pi-hole has stopped working. I've tried looking into replacement modems but I'm kind of at a loss at the differences in dsl vs vsdl vs adsl and whether or not a new modem will actually be compatible with my ISP. Is there a way of knowing this ahead of time, or do I just need to call up the ISP and go "hey this thing is garbo, what'll work as a replacement?"
@Tav - If you're wanting to replace the modem, then yes, you'll need to ask your ISP for what they need on their end to get it to work. That said, it sounds like they gave you a combo modem/router - there are ways to work around that without replacing your existing router (though they do tend to be a pain.)
Yeah it's a modem/router combo. I have the wifi turned off on it and it just feeds into a router I have here because the last box they gave me was awful.
That works fine - just a few things to do to make it as smooth as possible:
* Since you're not relying on the cable modem/router (CMR) to provide any services, turn off DHCP and DNS on it if possible, and assign your personal router (PR) a static IP address on the WAN.
* If the CMR allows port forwarding or DMZ configuration , set it to forward all ports to the PR static IP address.
* Make sure that the local network masks for the CMR and PR local networks are different - i.e. if the CMR has a network mask of 192.168.0.x, set the PR network mask to 192.168.2.x.
yeah its not possible to disable the DNS, which is why I was asking about the replacement
I think this will do the trick so i'm going to try it
This seems stupid. Is there a better way to do this, or as usual has Microsoft made something needlessly complex?
Your printer doesn't have its own network spool? Most printers today are designed as network devices to be directly connected to the network without having to be attached to a computer.
You shouldn't need to worry about the CMR DNS on the PR network - since you control that network, you should be able to define where local devices on that network get their DNS queries resolved.