
Is this safe?

  • 31-03-2023 06:02AM
    #1
    Registered Users, Registered Users 2 Posts: 19,120 ✭✭✭✭


    Hi all,

    I hope I have come to the right place. I would just like a sanity check before I do something stupid!

    We've got a 90mbps VDSL connection at the moment. We are getting a fibre optic connection in the coming weeks (the speedpipe is in our utility room but fibre hasn't been blown yet). As we are a "home office" family we have decided to retain the VDSL connection (dropping down to 50/10 tariff on that) and use it as a backup, should the main fibre connection go down for whatever reason. I actually have less faith in the ability of the operator of the fibre line to maintain decent QoS than the existing VDSL operator.

    Originally I was thinking I would just go to the utility room and plug the router into the fallback if the main went down but of course then I got to thinking about a failover solution. I should state at this point that speed is unimportant. We took the fibre because there's no installation cost as long as we sign up for a contract. We will drop down to the slowest speed offering (100mbps) on the fibre as soon as possible.

    The current setup is cheap and it works really well for our needs. I have a VDSL wired only modem->cheap 2 port €20 travel router running openWRT->managed PoE switch->Ubiquiti APs/wired LAN. I use VLANs to separate everything, so my kids use a "kid safe" network that dead ends naughty stuff, my guests use their own network, IoT devices get their own, smart DNS requiring devices like the firestick gets their own and then there's the untagged main network that everything else goes on.

    I was thinking about getting a replacement openWRT capable router that supports more than 1 WAN port but the current router is adequate, so I thought why can't I put another VLAN capable managed switch between the router's single WAN port and the VDSL modem/Fibre ONT. That should work using VLANs I guess. The single WAN port on the cheap router would then be a mirror image almost of the single LAN port on the same router, which already has several VLANs trunked on it as described above.

    But then I went a step further in this thought exercise... why can't I use my existing 48 port switch, where I have several free ports that will never be used otherwise, to do the switching for the WAN side also? It has a bad smell, but if I am careful and make sure only tagged traffic on VLANs x and y is allowed through the 3 ports on the switch that I would use, is it a safe solution? It "feels" somehow wrong to have WAN side stuff "mingling" on the LAN side switch, but is it actually risky if the VLANs are set up properly? Can an attacker from outside penetrate the switch somehow and "get out" of his VLAN and directly into my home network without having to pass through the router's firewall?

    Is this a stupid idea? Should I just get a cheap 4 port VLAN capable switch or forget the switch and try to find a reasonably priced 3 or 4 port openWRT capable router instead? In this age of sky high electricity prices I am more mindful of every new glowing led in the server cabinet! Hence the idea of using what I already have. I appreciate your thoughts on this.



Comments

  • Registered Users, Registered Users 2 Posts: 2,780 ✭✭✭niallb


    There's nothing stopping you running a WAN network in a VLAN on part of the switch. Subscribe to the vendor's security alert status beforehand.

    The weakness is that there is now a public IP address giving access to the device that all your LAN devices are connected to. You're probably pretty safe so long as you make sure your management VLAN isn't available on your WAN ports. You'll have to failover between the VLAN ports on your openwrt router, but your 48 port switch is likely to perform better than a cheap 4 port switch. Biggest question is what model is the existing switch?



  • Registered Users, Registered Users 2 Posts: 19,120 ✭✭✭✭murphaph


    Cheers @niallb, it's a Netgear FS752TPS. I don't know if it would really perform all that well compared to a modern 4 port switch like say https://www.amazon.de/Netgear-Netzwerk-Switch-l%C3%BCfterlos-VLAN-Verwaltung-Metallgeh%C3%A4use/dp/B07PHNTV45/ which costs peanuts. I don't really need the performance though, if I'm only connecting to a 100mbps fibre and a 50mbps VDSL WAN setup, do I?

    Intuitively the separate switch in front of the router feels much safer, for someone like me who considers themselves to be a "competent googler" when it comes to these things but not a "tinkerer" and certainly no expert. I tend to set these things up once and leave them running for years but now that we are getting a second broadband connection it seems time to revisit the setup.

    I believe (I haven't logged into the switch in years) the management stuff is all on the untagged "main" LAN, as it's accessible from any PC on my home network (not the guest etc. networks; these are all tagged VLANs). It would be super important then to only allow tagged packets through the 3 WAN ports on the switch, nothing untagged, and obviously only the 1/2/3 VLANs applicable to the WAN side should be passed and everything else dropped by the switch. I can't remember off hand if the switch allows that configuration. If it doesn't I would need to make my main home network into a tagged VLAN as well, but that's more work than I am prepared to do lol. If that is the case I would probably just go for the cheap switch in front of the router solution.
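    The two posts above converge on a short list of conditions for sharing the LAN switch with the WAN side: no untagged frames on the WAN-facing ports, only the WAN VLANs on them, the management VLAN absent from them, and the WAN VLANs absent from every LAN port. The script below is an added example, not from the thread and not a Netgear or vendor tool; it models a port VLAN plan the way a managed switch's VLAN/PVID tables express it and checks those conditions. One refinement over the "only tagged" wording: an ONT or VDSL modem sends untagged frames, so its switch port has to be an access port, untagged in its own WAN VLAN with that VLAN as PVID, while the port into the router's WAN socket is the tagged trunk. Port names, VLAN ids and both sample plans are constructed; whether the FS752TPS can express the plan has to be confirmed in its own interface.

```python
"""
Added example: lint a switch VLAN plan for the "WAN VLANs on the LAN switch" design.

Roles:
  lan         - ordinary LAN port (access ports, AP trunks, the router's LAN trunk)
  wan-access  - port facing an ONT or modem; untagged in exactly one WAN VLAN
  wan-trunk   - port facing the router's single WAN socket; all WAN VLANs tagged
All names and VLAN ids below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Port:
    name: str
    role: str                                  # "lan", "wan-access" or "wan-trunk"
    tagged: frozenset = frozenset()            # VLANs egressing this port with a tag
    untagged: frozenset = frozenset()          # VLANs egressing this port untagged
    pvid: int = 1                              # VLAN assigned to untagged ingress frames
    wan_vlan: Optional[int] = None             # wan-access only: the WAN VLAN it serves


def members(p: Port) -> frozenset:
    return p.tagged | p.untagged


def lint_plan(ports: List[Port], wan_vlans, mgmt_vlan: int) -> List[str]:
    """Return a list of findings; an empty list means the plan passes every check."""
    wan_vlans = frozenset(wan_vlans)
    # A VLAN is "live" if any port is a member of it. A trunk's PVID must not be
    # live, so that any untagged frame arriving on the trunk lands in a dead end.
    live = frozenset().union(*(members(p) for p in ports))
    findings = []
    for p in ports:
        m = members(p)
        if p.role == "lan":
            leak = m & wan_vlans
            if leak:
                findings.append(f"{p.name}: WAN VLAN(s) {sorted(leak)} present on a LAN port")
            continue
        # Checks shared by both WAN-side roles: the management VLAN (the untagged
        # main LAN in the thread) must be unreachable from anything WAN-facing.
        if mgmt_vlan in m or p.pvid == mgmt_vlan:
            findings.append(f"{p.name}: management VLAN {mgmt_vlan} reachable from a WAN-side port")
        if p.role == "wan-access":
            if p.wan_vlan is None or p.wan_vlan not in wan_vlans:
                findings.append(f"{p.name}: access port not assigned a WAN VLAN")
            elif m != {p.wan_vlan} or p.untagged != {p.wan_vlan} or p.pvid != p.wan_vlan:
                findings.append(f"{p.name}: must be untagged in VLAN {p.wan_vlan} only, PVID {p.wan_vlan}")
        elif p.role == "wan-trunk":
            if p.untagged:
                findings.append(f"{p.name}: trunk to router carries untagged VLAN(s) {sorted(p.untagged)}")
            if p.tagged != wan_vlans:
                findings.append(f"{p.name}: trunk carries {sorted(p.tagged)}, expected exactly {sorted(wan_vlans)}")
            if p.pvid in live:
                findings.append(f"{p.name}: PVID {p.pvid} is a live VLAN; use an unused dead-end VLAN id")
        else:
            findings.append(f"{p.name}: unknown role {p.role!r}")
    return findings


# Constructed ids: 101 = fibre ONT, 102 = VDSL modem, 1 = untagged main LAN (also management).
WAN_VLANS = (101, 102)
MGMT_VLAN = 1


def good_plan() -> List[Port]:
    return [
        Port("g46", "wan-access", untagged=frozenset({101}), pvid=101, wan_vlan=101),
        Port("g47", "wan-access", untagged=frozenset({102}), pvid=102, wan_vlan=102),
        Port("g48", "wan-trunk", tagged=frozenset({101, 102}), pvid=999),
        Port("g1", "lan", untagged=frozenset({1}), tagged=frozenset({10, 20, 30}), pvid=1),
    ]


def bad_plan() -> List[Port]:
    # Ports left at a typical factory default (untagged member of VLAN 1, PVID 1)
    # and a LAN port that was accidentally given a WAN VLAN.
    return [
        Port("g46", "wan-access", untagged=frozenset({1, 101}), pvid=1, wan_vlan=101),
        Port("g47", "wan-access", untagged=frozenset({102}), pvid=102, wan_vlan=102),
        Port("g48", "wan-trunk", tagged=frozenset({101, 102}), untagged=frozenset({1}), pvid=1),
        Port("g1", "lan", untagged=frozenset({1}), tagged=frozenset({10, 20, 101}), pvid=1),
    ]


if __name__ == "__main__":
    for label, plan in (("good", good_plan()), ("bad", bad_plan())):
        result = lint_plan(plan, WAN_VLANS, MGMT_VLAN)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

    The failing plan is the realistic one: a port that was never reconfigured still sits untagged in VLAN 1 with PVID 1, which is exactly the "management VLAN available on a WAN port" case niallb warns about. Running the script against the plan you intend to type into the switch, before cabling the ONT to it, catches that class of slip; it does not replace checking the switch firmware's own advisories.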



  • Registered Users, Registered Users 2 Posts: 2,780 ✭✭✭niallb


    That should be at least as good as what you already have. I thought the 48 port might have been something more powerful that had come your way.

    If you're just passing the data it should be up to it.

    My first response to keeping the number of devices and power consumption down would be to replace both the extra switch and the router with an Edgerouter X from Unifi. €46 plus your local VAT at the moment. I've had one at home running a gigabit fiber link with failover ability for a few years and I'm very pleased with it. The interface is a little different to openwrt, but it's got all the same abilities. I've just upgraded to the SFP version with the intention of eventually running my fiber straight into it and running a single wifi access point off the POE out. With that on a UPS I should be able to match my laptop's battery life through powercuts as they come. That version has been out of stock for the last few months though.

    https://eu.store.ui.com/collections/operator-edgemax-routers/products/edgerouter-x



  • Registered Users, Registered Users 2 Posts: 19,120 ✭✭✭✭murphaph


    I like Unifi stuff (my 3 APs are Ubiquiti ones; I forget the model now, and they have served me very well and were not a rip off either). I will certainly consider it. Currently I use my openWRT cheapo router to do VLANs, set up a "safe" kids VLAN, host a VPN server so I can access my cameras when on holiday, and I will use it for failover in future. If the Edgerouter X can do those things it would fit the bill as a replacement for my existing router and a possible cheap switch in front of it.

    Does the Edgerouter allow load balancing as well as pure failover? I could subscribe to two "low speed" connections at around 50mbps each and then use both day to day, load balanced in the router. In the event of one failing, 50mbps/10mbps would be sufficient for both of us to at least continue working uninterrupted.

    What's the advantage of going straight into the SFP port? Eliminating the active ONT? I have no practical experience with fibre optics yet. I think our FTTH provider supplies a Genexis Fibertwist base plate (FTU) and then an active ONT "lid" that twists into the base plate (DIY install) but I am hearing that a passive "lid" that just exposes the light signal comes in the box also and can be used instead if you have your own compatible SFP module so this might be an option for me later too. Maybe it makes sense to hold off. Can the SFP port support more than one fibre ISP? I ask because it looks like a second FTTH operator will also lay fibre here soon. I guess not. Are there twin SFP port models available I wonder? (Now we are seeing scope creep set in lol!)

    What's the difference between the Edgerouter X and Edgerouter Lite?



  • Registered Users, Registered Users 2 Posts: 2,780 ✭✭✭niallb


    If you've enough RAM I believe the current EdgeOS allows you to load balance up to 55 WAN connections, but that might be a bit beyond the entry level model!

    I've normally used Failover here rather than Load Balancing as there's a big difference in speed and cost for the backup link. I've done real load balancing in other places using pfsense, but you need to plan your load balancing on paper to get the best value out of it.

    You can set things up so that one of you in the house uses connection ISP_1 as your primary link and only switches to ISP_2 if ISP_1 fails. Set up the other user/s to use ISP_2 by default failing over to ISP_1 if ISP_2 is unavailable. Load Balancing isn't going to turn two 50Mb links into a 100Mb one, but what it can do is give you each a 50Mb link with much less contention. You can also set things up so that web traffic uses one link and VPN or remote desktop traffic uses the other for both of you.

    The ER Lite is older, but could handle 1Gbit up and 1Gbit down simultaneously. The ER-X can only handle 1Gb in total. Not a problem for you. The Edgerouter 4 is the modern equivalent. A big advantage for you with the ER-X is that it has a built in switch and VLANs might be easier to configure.

    The only advantage to me of considering taking the fiber into the SFP port is getting rid of one more power supply from the UPS - it's just for the sake of it! It's not the SFP port's job to directly support two different ISP frequencies, but if you could find a module that made it happen it would probably have an SFP+ version. I think it's unlikely!



  • Registered Users, Registered Users 2 Posts: 19,120 ✭✭✭✭murphaph


    I am tending towards getting the ER-X to try it out. It looks like it will do everything I use openWRT to do. I found a new one on eBay here for €38 inc VAT delivered so I will order that I think but we're away for a few days so I don't want to order it just yet and leave it sitting on the porch.



  • Registered Users, Registered Users 2 Posts: 19,120 ✭✭✭✭murphaph


    Oh and it seems it can run openWRT (I didn't really expect that) if I decide I need some openWRT functionality that edgeOS doesn't provide, though it looks like it will be able to do everything I need out of the box. The routing is a bit different: by default it seems it will allow inter-VLAN routing and this must be locked down if unwanted (eg between IoT network and main LAN), whereas with the zone based firewall defaults of openWRT this is disabled by default and must be enabled. One to watch for, is all. Looking forward to trying this.



  • Registered Users, Registered Users 2 Posts: 19,120 ✭✭✭✭murphaph


    So the "new" one I found for €38 was actually used but allegedly in new condition. Well, I couldn't reach the web interface using the default IP address and I was annoyed at this so I lodged a complaint straight away before doing anything else. In fairness they immediately agreed to send me a new replacement. Once this arrived I hit the factory reset on the first unit and it worked. So now I have two of them for €38. I guess it doesn't hurt to have a spare. The FTTH crew was here again today and laid the rest of the speed pipe out to the public road. Hopefully the fibre will be blown soon and I'll be able to test it out.



  • Registered Users, Registered Users 2 Posts: 19,120 ✭✭✭✭murphaph


    A step closer to the second WAN today (actually the primary WAN as it will be much faster than my existing VDSL connection). The FTU has been installed and the line tested back to the PoP:

    [image: IMG_20230422_104232004.jpg - the installed FTU base plate]

    Don't ask me why but boards keeps rotating the image. The FTU/ONT base is not mounted on the ceiling ;-) The actual ONT will be sent by post. Usage of it is optional if you want to use your own fibre modem/SFP module. I will use it in my setup with the ER-X. The plastic cover with the text on it is just temporary and will be removed by turning it anti-clockwise and the ONT is installed by turning it clockwise into the wall mounted base plate. The idea is that the user can be "upgraded" later to other services I think, without any new splicing having to be done.


