Enterprise-Grade Network on a Budget
by jptrsn in Circuits > Wireless
This is my attempt to document everything that I've done to create my home network. It wasn't a "do-it-all-now" kind of project, more like a snowball that rolled out of control pretty early on. So I'll attempt to justify the effort and (reasonably low) expense of setting up a home network that will rival commercial-grade network infrastructure. Admittedly, it's not quite enterprise grade (hello clickbait title), but I don't feel the need to implement a RADIUS server to authenticate myself to my own network. Basically, it's as robust, fast, and includes some of the features found on a commercial network.
The outcome is a network with two access points (on either side of my apartment), a single DHCP server so that I can access network shares from any device, a network-attached storage device for backing up my PC (and potentially for sharing media, if I weren't using a Plex server), parental controls on all devices except those of my own choosing, a "sandboxed" guest network that allows visitors internet access without exposing any of my own devices, and really fast internet access from my streaming devices (so as to minimize buffering).
Ultimately, I haven't spent much on the setup. There is no specialty hardware to purchase, and no specialty software that requires any kind of a license. If you've had wireless internet for more than a few years, and have upgraded your network hardware at any point (and hung on to your older router), chances are you've got everything you'll need to get started. Well, you may not have long lengths of ethernet cable laying around, but that's relatively inexpensive if you buy it in the right place.
Description & Justification
- I live in an apartment building. That means lots of networks competing for not a lot of space in the frequency spectrum.
- My building has concrete walls, which are the enemy of wireless signals.
- I stream everything, so I need a good connection for my televisions.
- I have small children, and I want to secure my network against all the things I don't want my kids to stumble across.
- I have a lot of devices. Probably too many. But I like them to work well.
- I don't let my guests onto my network. Sorry, but I just don't trust them to bring clean devices into my trusted area.
- I work from home, and I have a moral and ethical obligation to keep my clients' information secure.
- I like messing with things. As I'm writing this, my coffee maker is in pieces because I wanted to repaint the hot plate. I'm that much of a let-me-mess-with-things kind of person.
Hopefully those 8 reasons are enough to convince you. If you're still wondering, then you might want to check out Troy Hunt's blog post about keeping his wireless network to himself.
Equipment
There are a few things you'll need to set up a multi-room, multiple-access-point, multiple-wireless home network.
Hardware:
- A dual-band router that supports DD-WRT. I use a TP-Link TL-WDR3600 as my main router. It's only 60 bucks, and supports DD-WRT. Be sure to check the router database before you buy, as recent FCC regulations mean that fewer manufacturers will be allowing open source firmware.
- A secondary router that also supports DD-WRT. I'm using a TP-Link TL-WR740N, which I've had for years. They may be discontinued, but any router that uses the same chipset as your primary should work. (Actually, any router that will run DD-WRT would work, but keeping with the same chipset gives you more options).
- An external hard drive. Not strictly necessary, but I happened to have a USB-powered external drive at hand. If you're running Windows 10 Pro, you'll be able to use a network drive as a backup location with the default backup solution. If you're running a more basic version, I'm sure there are backup solutions that will allow you to use a network drive as a location for your saves.
- Cat-5E or Cat-6 Network cable. Probably lots of it. I live in a two-bedroom apartment, and I've run about 150 feet or so. It's cheap, no reason not to. And honestly, it really beats using wireless repeaters, like by a lot. If you don't need a device to be wireless (like your desktop), do yourself a favor and run a cable to it. You'll be happy you did. If you're renting (like me), Cat-5E is fine. If you're a homeowner and intend to stay there a while, spring for Cat-6, but only for runs shorter than about 150 feet. For longer runs, Cat-6 will perform the same as 5E, so no point springing for the fancy stuff. Also, don't buy this from a big box electronics retailer, because you'll probably end up paying way too much for it. Instead, get it from an electronics supply store or from Amazon.
- Ethernet cable crimping tool. Not strictly necessary, but you'll be happy you dropped the 15 bucks or so that one of these puppies costs. Or ask a nerd friend to borrow theirs.
- Various Ethernet cables. You could make all the short ones yourself as well as the long ones, but using a known-good one (usually one comes with the router) is a good way to ensure that you won't brick your device.
Software:
- You'll need DD-WRT on your router(s). You could possibly do it without, but then why would you be reading these instructions?
- A computer of some kind. Yup.
That's seriously all you're going to need. Chances are you've already got at least one router. Check if it'll work at the router database. If you've got an old one kicking around, why not mess with it? My family have a standing order not to throw out any electronics, even if they're broken. I've officially revived two routers with this, and they're still running strong.
Flashing Your Router(s)
I'm not going to give instructions here, for a number of reasons.
Firstly, the instructions are slightly different for every model. Find yours in the router database, and follow the instructions. Or do what I did, and start with an old router you're not using, and practice on that. It's really quite easy to do. But please, please, please, follow the directions closely, and only flash firmware over a wired connection to the device. Also, don't skip the 30-30-30 resets: they really do make a difference.
If you have questions about any of this, take a look through the forums. Chances are, someone has asked and answered your exact question, and you won't need to wait to get an answer.
You're going to need DD-WRT on both routers. Some OEM firmware might work for the secondary router (and indeed, I've used an ancient DLink with stock firmware in the past), but it's much easier if you've got the same interface as these instructions. Plus, you'll have a way more configurable router on your hands.
Run, Cable, Run
You're going to want to run cable between your primary router's location (and it really shouldn't be in the basement), and the spot where you want your repeater.
If your cable company installed your modem in the basement (and they often do where I live), run a cable from there up to the main floor, and put your router on the main floor. In an ideal situation, your router would be suspended in mid-air in the exact middle of the room in which you want the best signal, but no one wants to live like that. Instead, find a spot that's somewhat central, and where you can get the router up off the floor.
Regardless of where your equipment is located, you'll need a cable run between your modem and main router, and a second cable run between your main router and the secondary router. All other connections can be made to either router, either through a wired or wireless connection.
There are lots of good references for crimping network cable ends, so I won't cover that in this instructable. If you're able to find this set of instructions, you're probably pretty good at finding other instructions, and even at making things using a combination of tools and hands.
Main Router: Setup
You're going to have one router that will handle all the heavy lifting, and the other one (or more than one if you're so inclined) will just act as a repeater and forwarder. I'm using the WDR-3600 as my primary. Power it on, and plug it directly into your computer through one of the LAN ports on the back. Don't plug it into your modem yet.
You'll want to assign it a static IP that you'll easily remember. I'm using 192.168.1.1 for mine, but you're welcome to use 192.168.0.1 or 10.0.1.1. Just make sure you remember it, as you'll be needing to access this page fairly regularly. I'll be referencing 192.168.1.1 throughout this instructable, so if you're using a different one, perform the necessary mental substitutions.
And plug it into your computer through an ethernet cable. It will really make your life a lot simpler when you're doing things like changing the WiFi settings, or working on the next router. Trust me, just plug it in. Brave the back of your desk, bring a flashlight, and plug that sucker in.
Navigate to your router's IP address, and enter a password. Yes, you need to enter a password. No, don't use admin-admin as a username and password combination. No, don't write it down on a sticky note and attach it to the router. Definitely don't save it in your browser. Has the internet not taught you yet? It doesn't have to be ultra-secure, but really, it should at least be a little bit secure.
Now click on the setup tab.
Give your router a name. You'll be getting close to this piece of equipment, and every friend needs a name. I called mine Big Boy, because reasons. You'll then want to set up the primary IP (as I mentioned above), and remember it. You'll also want to enable the DHCP server, and set it to start distributing addresses at X.X.X.129 (it's gotta match your router's IP subnet, but I'll explain the specific reason for 129 in a later step).
For the DNS servers, you'll set them up to use Family Shield DNS servers from OpenDNS. Make sure you enter something for all three DNS servers so that your router won't default to using your ISP's DNS, which would negate any utility of setting this up in the first place.
208.67.222.222
208.67.220.220
208.67.220.123
This will prevent a lot of malicious sites from being accessed from within your network, regardless of the device that's being used. Good for kids, for keeping bad content off your computer (oh, and while you're at it, disable flash in your browser), and generally making the internet less fun. But don't worry, as your network's IT Admin (yes, you can buy a t-shirt that says that now), you can pick and choose who gets unfettered access to the internet's seedy underbelly.
You can now connect your router to your modem if you wish, but it's not strictly necessary for the remaining steps. Just don't forget that step, as it would mean you'd have no internet access through your amazing network.
Now on to the WiFi settings. Click on the Apply Settings button, and move on to the next step.
Main Router: Pick a Channel
You're going to need to pick a good channel for your wireless networks. If you live far away from any neighbours, no need to worry about this. If you're like me and you live in a WiFi jungle, take the time to pick a good network channel. I've no idea how much of a difference it makes, but it makes me feel better about myself.
You can use an app on your phone to check the spectrum, or you can use the tools built into DD-WRT. On your router's home page, click on the status tab, then choose Wireless. At the bottom of that screen, you'll see an option for a Site Survey. Click it, and make sure that your browser isn't blocking the pop-up window that tells you all the goodies about what channels will work well.
Now find a channel from 1 to 11 that doesn't have any competition. That's the channel you'll use. If there aren't any free, pick the one that has the least amount of traffic. Generally, stay away from 1, 3, 6, 9, and 11, and try to get as far away from the competition as possible. In my case, that's a challenge, so I've gone with channel 2.
Oh, and FYI, that is not my network that has a hidden SSID and no security. That's just a really bad idea. Don't do that. You can hide your network's name, but there's no need to open your network up.
Now head over to the wireless tab at the top, and enter your network name and configuration. If you're using a dual band router, you'll have the option to set up two networks. Give them different names (I've blanked out the names of my networks in one of the images), and assign them to a fixed channel. This is important - don't set the channel to auto - assign it to a set channel.
Don't worry about the virtual interface just yet. We'll get to that, I promise. Click on the Apply Settings button, and move on to the next step.
Main Router: Secure That Network, Soldier!
Okay, we've got our networks named and located, but they're not secured yet. Yeah, we're gonna have to go ahead and fix that.
From the Wireless menu, click on wireless security. This will let you choose the type of security you want to apply. I highly recommend WPA2-Personal AES. No, you don't have to read up on all the techie-stuff related to it. Basically, if you're using WEP, you might as well just leave your wallet stuffed with cash on the curb. If you're not using any security, you might as well just post your bank account information on Twitter. Okay, I know, extreme examples, but WPA2 is really the best standard we've got that's widely supported.
You may be wondering: "do I need TKIP or AES or both?" Well, the answer to that question (aside from someone yelling "NEEEERRRRRRRD" at you in a Homer-Simpson-esque fashion) is that if you have older devices, you may need TKIP. I'm talking about devices from 10 years ago or so. Try it with just AES, and if you can't connect with a device, enable TKIP+AES. Stay away from just plain old TKIP.
And if you're really feeling adventurous, you can try running a RADIUS server, but I'm not going to touch that with a ten foot clown pole.
Change your settings, then hit apply.
Main Router: Masq That DNS
The final step of setting up Family Shield is to use DNSMasq to prevent circumventing their DNS servers through direct assignment on a computer. If all of that was gibberish to you, don't worry about it. Just follow these steps and you'll be all set.
On your main router, click on the Services tab. In the bottom DNSMasq section, enable all three options. In the additional settings box, copy and paste these instructions, then click apply settings.
no-resolv
strict-order
server=208.67.222.222
server=208.67.220.220
Set Up Your Secondary Router
Unplug your computer from the main router, and plug it into a LAN port on the back of your secondary router. Don't connect anything else at this point, and if you're using a wireless connection on your computer, turn off your wireless adapter. You don't want network collisions.
Navigate to your secondary router's IP address. It's probably set to the default 192.168.1.1 address. We're going to need to reassign this router to a static address on the same subnet. I use 192.168.1.2 as the address. Enter that address as your router's local IP address, and click apply. You'll then need to wait a bit for the router to reset, then navigate to the new address of 192.168.1.2. All our changes to the secondary router will now take place at this address.
Basic Setup
Click on Setup, and enter the following information:
WAN Connection Type should be set to Disabled.
Local IP Address: 192.168.1.2
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1
Local DNS: 192.168.1.1
You then want to check the box to Assign WAN Port to Switch.
Change the DHCP Type to DHCP Forwarder, and enter the DHCP Server address of 192.168.1.1. This will mean that your main router will be responsible for handing out network addresses, and there won't be any conflicts when you connect through your secondary router.
Click Save, then move on to wireless setup.
Wireless Setup
Click on the Wireless tab, and enter the same network name, but pick a different channel for this network. This will let your devices seamlessly transition between the two networks without dropping a connection.
Then, click on Wireless Security and enter the same settings as you did on the original: WPA2-PSK, AES, and enter the same password.
Now that everything looks good, click on Apply Settings at the bottom, and move on to the next step.
Why Add a Guest Network?
I'll say it again: I don't let other people onto my wireless network. I have media shares, all sorts of useful stuff connected, my printer, and so on. I don't want just anyone being able to join my network, see and access any of that stuff, and potentially bring communicable diseases into my network, sneezing their gross infected files all across my network.
If you haven't heard of the rash of ransomware attacks, how much do you pay in rent for that rock you're living under? I keep backups of my important data, but I also don't want anyone bringing that garbage into my network. I don't go as far as Troy Hunt does, but mostly because of the effort it would take to explain to my parents just how nasty that stuff can be.
Instead, I've created a guest network that they can use. In fact, when I changed over and prevented them from joining my primary network, I simply changed the network name and password for my primary, and made the guest network use the saved credentials on their devices. They haven't yet noticed a difference.
Convinced? Great, let's move on.
You're not convinced? Okay, no worries. Just ignore the guest network steps. You can always just reformat your computer and say goodbye to all the local data you counted on when your computer gets ransomed.
Seriously, it's cheap insurance. You may never need it, but never worrying about finding out the hard way is good enough reason for me.
Create the Guest Network
A lot of this information has come from the DD-WRT Wiki and some other sources, but with a few changes I had to make to accommodate the multiple router setup I've got.
We're going to go back to the main router for this step. So navigate back to 192.168.1.1, and enter your admin user and password. We're going to add a "Virtual Interface".
Click on the Wireless tab. You'll have the option to create a virtual interface for your wireless, and if you've got a dual band router, you can create a virtual interface for either 2.4GHz or 5GHz. I didn't bother with a 5GHz guest network, as 2.4GHz is plenty fast enough, and if it isn't, my guests are welcome to use their mobile data connection.
Click the blue Add button, choose the AP wireless mode, and enter a different wireless network name (SSID). Check the box for the advanced settings, and duplicate the settings below:
- AP Isolation: will prevent guests from seeing each other on your network. Turn it on.
- Network Configuration: set to unbridged so that guests can't see your non-guest networks.
- Masquerade/NAT: will allow the router to assign IP addresses to guests. This has to be on.
- IP Address: set to a different subnet (the third number in the series). I have mine set to 192.168.2.1.
- Subnet Mask: set to 255.255.255.0
Now click the blue Save button at the bottom of the page, then click on the Wireless Security tab. We're going to set the security to the same mode (WPA2 Personal AES), but use a different password for your guest network. There's no use in having a guest network that's got the same password, after all!
Now click the Apply Settings button, and move on to the next step.
Give Guests Their Own Addresses
We're going to put all guests on a separate subnet so they can't easily try and access internally shared resources. This may sound confusing, but it's basically like putting them on a different street where they can't park their car in front of your house. Or in your driveway. Or in your garage. Or through your living room wall.
Click on Setup, then choose the Networking tab. In the Bridging section, we're going to add a bridge. Click the blue Add button, and enter bridge name br0. Add another and call it br1. Click the Save button at the bottom of the page, and give it a minute to respond.
For br0, set STP to Off. For br1, set STP to On, enter the IP address 192.168.2.1, and subnet mask of 255.255.255.0. This will point all guests to a different DHCP server, giving them addresses on the other street, keeping them safely away from our nice clean streets, driveways, garages, and living rooms.
But we're not quite done with this step yet! We need to set up a second DHCP server that will actually do the address assigning!
Scroll to the bottom of the window, to the DHCPD section. We're going to add another DHCP server, assign it to interface br1, and start it at 100, with a max of 50 and a lease time of 3600.
Okay, now you can save and apply settings.
Pipe Your Guests Straight Out the Door
Now that we've got the guest network set up, we need to isolate it. Basically, guests should have a direct pipeline out to the internet, but shouldn't be able to see anything internal.
Navigate to the Administration tab, and click on Commands. In the text box, paste the following code, then click Save Firewall.
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.1/27 --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.1/27 --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.128/25 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br1 -s 192.168.2.0/24 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br1 -s 192.168.2.0/24 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -j DROP
If you're curious, these rules accomplish the following:
- Reroute DNS queries (port 53, TCP and UDP) from addresses outside the filtered range (the 192.168.1.1/27 block) to Google's DNS server
- Reroute DNS queries from addresses inside the filtered range (192.168.1.128/25) to the router, which forwards them to the OpenDNS Family Shield DNS servers, even if the DNS configuration on the computer has been changed
- Reroute DNS queries from the guest network (192.168.2.0/24) to the router, and so to the OpenDNS Family Shield DNS servers as well
- Drop new connections from the guest network to the internal network
- Drop new connections from the internal network to the guest network, and drop traffic from the guest network that is addressed to the router itself
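To see what the DNAT rules above do to a particular client, here is an added shell example. It is mine, not code from the original instructable or from DD-WRT, and it re-implements the address matching of the PREROUTING rules in plain POSIX sh so it can be run on any computer; LAN_IPADDR stands in for $(nvram get lan_ipaddr), the client list is constructed, and lease_check is a helper of my own. It also shows why the DHCP pool starts at .129: every address from 192.168.1.129 to .254 sits inside 192.168.1.128/25, so every automatically assigned device is caught, while static leases below .32 go to Google's DNS. Addresses from .32 to .127 match neither rule and keep whatever DNS the client has configured, which is exactly how a clever user can step around the filter.

```shell
#!/bin/sh
# Added example: emulate the DNS-steering part of the firewall rules.
# LAN_IPADDR stands in for $(nvram get lan_ipaddr) on the router (assumption).
LAN_IPADDR=192.168.1.1

# Dotted quad -> 32-bit integer, using only POSIX arithmetic.
# Runs in a subshell so changing IFS does not leak out.
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr <ip> <net/bits>: succeed if <ip> is inside the block.
# The network part is masked too, so 192.168.1.1/27 means 192.168.1.0-31,
# which is how iptables interprets that -s argument.
in_cidr() {
  _ip=$(ip2int "$1")
  _net=$(ip2int "${2%/*}")
  _bits=${2#*/}
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# dns_target <bridge> <source-ip>: where a port-53 packet gets DNAT'ed.
# The rules are appended with -A, so the first match in listed order wins;
# "client-chosen" means no rule matched and the client's own resolver is used.
dns_target() {
  case $1 in
    br0)
      if in_cidr "$2" 192.168.1.1/27; then echo 8.8.8.8
      elif in_cidr "$2" 192.168.1.128/25; then echo "$LAN_IPADDR"
      else echo client-chosen; fi ;;
    br1)
      if in_cidr "$2" 192.168.2.0/24; then echo "$LAN_IPADDR"
      else echo client-chosen; fi ;;
    *) echo client-chosen ;;
  esac
}

# lease_check <ip>: sanity check (my helper) for a static lease meant to
# bypass the filter: on the LAN, below the DHCP pool, not a router address.
lease_check() {
  in_cidr "$1" 192.168.1.0/24 || { echo "not on the LAN"; return 1; }
  if in_cidr "$1" 192.168.1.128/25; then
    echo "inside the filtered DHCP pool"; return 1
  fi
  case $1 in
    192.168.1.1|192.168.1.2) echo "that is a router address"; return 1 ;;
  esac
  echo ok
}

# Constructed sample clients (bridge/address), not real hosts.
for client in br0/192.168.1.10 br0/192.168.1.50 br0/192.168.1.130 \
              br0/192.168.1.200 br1/192.168.2.100; do
  printf '%-18s -> DNS via %s\n' "$client" \
    "$(dns_target "${client%/*}" "${client#*/}")"
done
for lease in 192.168.1.10 192.168.1.150 192.168.1.2; do
  printf 'lease %-14s %s\n' "$lease" "$(lease_check "$lease")"
done
```

Run it as-is to print the table; change the addresses in the two loops to your own static leases to confirm each one lands where you expect before you enter it in the Static Leases page.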
Get Around That Filter!
If you're like me, you want complete control over your network. That includes deciding not only to filter, but whom to filter. You can get some really amazing security products, but they don't let you mess with things nearly as much as I'd like.
The way we've set things up, all addresses from 192.168.1.129 and up will be routed through OpenDNS Family Shield DNS servers. All guests will also get routed through that direction. And all addresses automatically assigned will be within these ranges, so we don't need to do anything to lock down devices.
But we can choose which devices we want to unlock by assigning them static IP leases outside the filtered range. Do this by going to your main router's configuration page at 192.168.1.1, and click on Services.
Now you can set up some static leases. You'll need to know the MAC addresses (the hardware address associated with a specific hardware network adapter) to assign these static addresses, but those are easy to get. Open a second tab in your browser, and go to your main router's configuration page, then click on Status > LAN. This will show you a list of all devices that have a connection to your network.
If you haven't already, connect to your wireless with the devices you'd like to bypass the filters. In my case, it's my phone, my main computer, my raspberry pi, and my printer. The only reason for a static address for my printer is so that it's easier to get to the configuration page, but putting it in the unfiltered group just happens to be convenient.
Copy the MAC address from the browser tab that lists your clients, and paste it into the MAC address field in the other tab under the Static Leases section. Give it a host name that makes sense (but you can't use spaces), and assign it an IP address outside the filtered range. I've chosen to start at 192.168.1.10, but you can just as easily start at 100. Just make sure to avoid conflicts.
Do this for any and all devices you want to set up to bypass.
Click on Save, then Apply Settings. If your devices are already connected, they won't be given a new address until they disconnect and reconnect. An easy way to do this quickly is to use the Reboot Router button at the bottom of the page.
Attach Your Network Storage
Network-Attached Storage is a useful setup to have. While this setup is much less powerful than a dedicated NAS device, if you're using it for storage that's available across all your devices, this is a pretty handy way to set things up.
The main router I'm using happens to have built-in USB support. If yours does not, then you'll want to skip this step.
To use a USB hard drive with DD-WRT, you'll need to use a supported file system. I'm using FAT32. Neither NTFS nor exFAT is supported, so you'll need to reformat your drive if it's currently using either of those file systems. This is apparently more difficult than it should be in Windows. I have a Mac as well, so I used Disk Utility to format the drive in FAT32. You can also look up any number of free utilities to accomplish this same task in Windows 10.
Once it's formatted, plug it into your router, then navigate to the router homepage 192.168.1.1. Click on Services > USB, and enable Core USB Support, USB Storage Support, and Automatic Drive Mount. Click on Apply Settings, and you should see information populate in the Disk Info section.
Now click on NAS, and enable Samba. Click on Apply Settings, and give it a second to refresh. Under Shares, click the dropdown menu for path, and select your device. It will probably have something like sda in the path name. Give it a name (I used NAS), and change access to Read/Write. You don't want to make it public. Instead, add a user and password, and give it access to the NAS share. Once that's all done, click on Apply Settings.
Connect to Your NAS
Now comes the tricky part. Windows 10 is apparently very finicky about connecting to Samba shares. I spent over an hour trying to figure out why my shared device wouldn't show up in my network pane in Windows Explorer. Turns out the solution is super easy.
Open a new window in Windows Explorer, and in the address bar, type in \\192.168.1.1\NAS if you named your network attached storage the same as I did. If not, substitute your device name after the trailing backslash. It will prompt you to enter a username and password, which you can then type in. Then, in your window list on the left side, right click, and choose "Pin to Quick Access".
Now you can configure your backup to use the NAS. Click on the Windows 10 icon to open the start menu, and type backup. That should let you open Backup and Restore (Windows 7). Under the schedule option, click on Change Settings. Choose your network drive as the backup location, then click close. Finally, click Backup Now and let Windows complete a backup. You can adjust the schedule as you wish.
Limitations & Troubleshooting
Now that you've gone through all that rigmarole, you may need some help troubleshooting. And you know what they say about an ounce of prevention... There are about 35.274 of them in a kilogram.
The best thing to do is to save your configuration. On your main router, navigate to the Administration > Backup page, and click the blue Backup button. This will download a helpfully-named nvram.bak file to your computer. I'd recommend renaming it to something that makes sense, especially since if you get the wrong file when restoring, it can brick your router. Don't ever restore from someone else's backup, and don't restore from a backup taken from a different version of DD-WRT on the same router.
In my case, I've named the backup file to match the router's (arbitrary) name. I then moved it into a backup folder on my computer.
Now do the same thing for your secondary router. Download the file, rename it, and move it into a logical place you'll go looking for it.
If anything ever goes wrong with your network, you'll be able to restore using these files. And if you're anything like me, you'll probably break your network just infrequently enough to forget how you set everything up in the first place.
In fact, that's the whole reason for this instructable. Now I have a handy reference for when I break stuff.
However, there are some limitations to this setup.
- Clever users will be able to bypass the filter by assigning themselves an IP address outside the filtered range. Not a likely circumstance, but it's possible. When leaving a back door in the network for ourselves, we're also opening the possibility that others could use it.
- The NAS backups may be vulnerable to ransomware attacks. While it's convenient to backup to a network attached storage device, anything that's visible to your computer is also visible to potential malware. It is a really good idea to keep multiple, redundant backups, and have at least one that's not constantly visible to your computer. That way, if you fall victim to a ransomware attack, you'll have access to all your data and you can tell the ransomers to take a hike.