recommendations on home networks - quite advanced.

Mick

I need some advice on home networks... bomb proof :) and tunneling in to fix issues!

Here is how we normally set it up:

Basically all wiring is in cat6 or cat5e

Switch I normally get a netgear gigabit 48 switch (un-managed)

From experience I will only use draytek for the WIFI repeating.

**** Now here is the part where it can be problematic, I usually use BT or Virgins original modems/routers, turn off the wifi and stick them in DHCP mode (modem mode) from 100-254 and static anything past 10-99 (192.168.0.1-254)

192.168.0.1 (BT or Virgin modems)
192.168.0.2 Switch if managed
192.168.0.3 - 9 Draytek Repeaters
192.168.0.10 - 99 Static equipment (nas drives etc)
192.168.0.100 - 254 Normal DHCP Operation

----------------
Where sometimes the problems exist, BT Infinity you cannot tunnel into them for configuration.

BT Infinity has 2 pieces of equipment, the Modem, the infinity router. Can I use a draytek Vigor to control the whole operation ?

So basically what would you change, what would you do in terms of access to the network externally, If I get a call on Sunday that the wifi is not working, how do I handle getting in and fixing it from my home?

I really want one standard way of handling everything, that is why I was asking about the home server previously. But I do not think that is the right answer.

Mick
 
Ok After a conversation with Mowax (thanks).

I am thinking about the following.

---------------------------

For BT Infinity - keep the Huawei Modem (HG612) - get rid of BT HUB - and use a Draytek Vigor Router (non wifi)

For Virgin Media - Put the Hub in modem mode - and use a Draytek Vigor Router (non wifi)

---------------------------

For Wifi Repeating Use:

Ap700 Draytek Access Points
Ap800 Draytek Access Points


Depending on the wifi needs and access the above two choices (the Ap700 works fantastic from experience)
---------------------------

Switch Use:

Netgear Unmanaged 48/24 Port Gigabit switch

This is a grey area... and I am welcome to suggestions! But was thinking un-managed so not to mess up Sonos integration- Sonos can be a fecker with managed switches due to STP and sometimes Jumbo Frames.
---------------------------

Network Setup:

192.168.0.1 (BT or Virgin modems)
192.168.0.2 Switch if managed
192.168.0.3 - 9 Draytek Repeaters
192.168.0.10 - 99 Static equipment (nas drives, cctv, etc)
192.168.0.100 - 254 Normal DHCP Operation (computers, phones, tablets, etc)

I am happy with this it just works for me and is the norm now.
---------------------------

So apart from the switch (which I would love some suggestions... not too expensive), I think I have a decent setup for a home network?


Now does anyone have any info on tunneling with Draytek Vigors over VPN?

Be nice to hear from someone that has done this kind of setup where they can login to the home network over a VPN and sit on the network like a normal machine, and access all the equipment and routers etc.

Thank you for reading
Mick
 
i use a lot of drayteks at work they are overpriced and horrid (in my opinion) but well documented Vigor VPN Setup

personally i have a billion 7800n (it's been rock solid from day one) and i use a PPTP to access my home network from wherever i am on mobile/desktop/tablet.

the only tip is don't use 192.168.0.0/24 use something like 192.168.85.0/24 when setting up vpn's remote and host have to be on different address ranges.

hope it helps
 
Hi Copex, thank you for that.

I have found Draytek to be the most reliable routers/wifi I have ever used... I plug them in and they just work!

Do not get me wrong the home environment is not a business or work - probably what you are used to!

So you keep the IP range separate, are they on the same subnets?

Sorry mate, I did this a long long time ago when I did my MCP, and it's not coming back lol.

Mick
 
Draytek horrid? Oh dear! IMHO, damn good piece of kit for the money - installed fecking loads, as in pallet-loads.

Some peculiarities when tunnelling in (VPN) but if you are aware of potential issues then they work just fine.

1 - LAN-LAN is generally no issue just go IPSec, needs a decent router both ends. Draytek either end works fine but Cisco to Draytek etc is fine too. Start off with PPTP and once it's proven and stable move up to IPSec - it's a link issue, there's an overhead on the line and some circuits just won't have IPSec!

2 - Remote to LAN, stick with PPTP. Windows IPSec is crap and that's what most people will have. The Draytek IPSec client ain't too hot either.

VPN server issues an IP address, a bit like DHCP, it will be on the target network so any device you want to connect over the tunnel must be on a different subnet to the target LAN (or any subnets).

Depends on your objective but I always installed my target LAN on a 192.x.x.x subnet and stayed on a 10.x.x.x subnet to avoid conflicts...
 
Maybe a quick additional post - apologies if this is all well-known...

For a network device to route correctly all the destination addresses must be unique. So, you can't route off your 192.168.0.0 network to another 192.168.0.0 network as the packet will drop before it gets to the router. It's a subnet mask thing - I won't bore you with the details unless you ask ;)

Bringing up a VPN tunnel inserts a virtual network adaptor into your local network stack and assigns an address from the remote network onto the device that raises the tunnel. If that device is a router, the entire remote network is visible to the connected network and ANY device on the local network can connect. If that device is a single unit (PC, tablet, smartphone or whatever) it gets assigned an address on the remote network and only the single unit can connect to the remote network.

If there is more than a single local or remote network then they must ALL have differing network addresses I.e. if you have two connected subnets of 192.168.0.x and 192.168.1.x these work fine. But, if at each end there is a network of 192.168.2.x, even if separated by routers either end, they will NOT be visible to each other. ALL networks in the chain must have unique addresses.

Watch out for subnet masks I.e. 192.168.1.0 with subnet mask 255.255.255.0 is different to 192.168.0.0 BUT if the subnet mask is 255.255.0.0 they are the same!

If anyone is interested I can explain in more detail...
 
Go for it, subnets always done my nut in, it was 11 years ago lol when I was learning about them


Sent from my iPhone.
 
Okay, put the beer down - been buried in the 'black arts' for decades lol

Forget fractional subnet masks - just think subnet masks with 255 and 0 in them for now. A subnet mask has four parts separated by dots i.e. 255.255.255.0

These correspond to the four parts of the IP address I.e. 192.168.0.1

When a device tries to send a packet it looks at its own address and the destination and uses the subnet mask to decide if they are on the same network or not. So, sending from 192.168.0.1 to 192.168.0.2 with a subnet mask of 255.255.255.0 means compare the first three parts (the 255 parts of the subnet mask) and ignore the last part (the 0 part of the subnet mask). In this case they are the same I.e. 192.168.0 so the packet gets launched on the local network.

If you were sending from 192.168.0.1 to 192.168.1.2 (subnet mask 255.255.255.0) the third part of the IP address is different I.e. 192.168.0 is different to 192.168.1 so the sender launches the packet to the default router (gateway). The router is assumed to know where the destination is.

Erm, that bit okay?
 
Keep going I know all that. :)


Sent from my iPhone.
 
Ah, you want to know about the fractional masks then...lol

The IP address and the subnet mask are decimal representations of the underlying binary I.e.

192.168.0.1 is 11000000.10101000.00000000.00000001
192.168.0.2 is 11000000.10101000.00000000.00000010
255.255.255.0 is 11111111.11111111.11111111.00000000

If you AND the bits from all three numbers then they are the same I.e. 192.168.0.1 = 192.168.0.2 ( the last part after the last dot is ignored because the last part of the mask is 00000000). You get the same result if you AND each IP address with the mask.

The interesting part comes when the mask changes to something like 255.255.255.192, try again...

192.168.0.1 is 11000000.10101000.00000000.00000001
192.168.0.2 is 11000000.10101000.00000000.00000010
255.255.255.192 is 11111111.11111111.11111111.11000000

Hmm, doing a logical AND gives the same result???

What if you change the IP addresses to:

192.168.0.1 is 11000000.10101000.00000000.00000001
192.168.0.128 is 11000000.10101000.00000000.10000000
255.255.255.192 is 11111111.11111111.11111111.11000000

Hello, result is different? Before, we compared 192.168.0 with 192.168.0, now we are comparing 192.168.0.0 with 192.168.0.128 or, more correctly 11000000.10101000.00000000.00xxxxxx with 11000000.10101000.00000000.10xxxxxx

The last part of the subnet mask said look at the left most 2 bits of the IP address - that's what the x.x.x.11000000 means.

Hmm, I think I might explain this better at an earlier part of the day lol
 
I know the binary part too.

I understand how packets are accepted and rejected.

The part which I always found a little tricky was what made the subnets talk to each other.

Why does 192.168.0.1 not talk to 192.168.2.100 across a simple LAN, what is needed in the 255.255.0.0 (subnet)

It's weird as I kinda know how to make subnets talk to each other I just never got why :)

Mick
 
With that mask those two subnets will talk to each other provided all devices involved are using 255.255.0.0 but to understand why...

Perform a logical AND between the subnet mask and the IP address for each network i.e.

192.168.0.1
AND 255.255.0.0

= 192.168.0.0 (the network number)

192.168.2.100
AND 255.255.0.0

= 192.168.0.0 (the network number)

The networks are the same, the packet gets sent locally. But, with the wrong subnet mask...


192.168.0.1
AND 255.255.255.0

= 192.168.0.0 (the network number)

192.168.2.100
AND 255.255.255.0

= 192.168.2.0 (the network number)

The two networks are different so instead of ARPing for a local device the sender ARPs for the default gateway and sends the packet to the router instead.
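
The local-or-gateway decision walked through in the posts above, as an added example that is not part of any poster's reply. It uses only address pairs and masks quoted in the thread; the function names are illustrative, and `subnet_range` goes slightly further by showing which block an address falls in under a fractional mask.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def bits(dotted):
    """Binary rendering in the same dotted form the posts use."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))

def network_number(ip, mask):
    """Logical AND of address and mask."""
    return to_dotted(to_int(ip) & to_int(mask))

def subnet_range(ip, mask):
    """First and last address of the block the address falls in."""
    network = to_int(ip) & to_int(mask)
    host_bits = ~to_int(mask) & 0xFFFFFFFF
    return to_dotted(network), to_dotted(network | host_bits)

def delivery(src, dst, mask):
    """'local' if the sender ARPs for the destination itself,
    'gateway' if it hands the packet to its default router."""
    same = network_number(src, mask) == network_number(dst, mask)
    return "local" if same else "gateway"

if __name__ == "__main__":
    # Address pairs and masks taken from the posts above.
    cases = [
        ("192.168.0.1", "192.168.0.2", "255.255.255.0"),
        ("192.168.0.1", "192.168.0.2", "255.255.255.192"),
        ("192.168.0.1", "192.168.0.128", "255.255.255.192"),
        ("192.168.0.1", "192.168.2.100", "255.255.0.0"),
        ("192.168.0.1", "192.168.2.100", "255.255.255.0"),
    ]
    for src, dst, mask in cases:
        print(f"{src} -> {dst} mask {mask} ({bits(mask)})")
        print(f"  networks {network_number(src, mask)} / {network_number(dst, mask)}"
              f" => {delivery(src, dst, mask)}")
    print(subnet_range("192.168.0.128", "255.255.255.192"))
```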
 
I knew that 255.255.0.0 would work, I knew that 255.255.255.0 would not work.

is it basically saying check these are the same ?

Example

192
255

255 is checking that 192 is the same

192.168
255.255

255.255 is checking that 192.168 is the same

192.168.0
192.168.1
255.255.255

This wont work as 255 is telling them to be the same?

but

192.168.0
192.168.1
255.255.0

This is saying make sure that the first two parts of the network is set... and the .0 does not need to be the same?

Mick
 
In a nutshell, yes. The bits in the subnet mask tell the IP stack which part of the IP address is the network and which part is the node (PC, tablet etc.).

For the devices to communicate locally the network portions must be the same. With a subnet mask of 255.255.0.0 the IP stack is only going to check the 192.168 part but if the subnet mask is set to 255.255.255.0 the IP stack checks 192.168.x and, in your example:

192.168.0
192.168.1
255.255.255

The last parts of the addresses being considered are different. They are two separate networks. With 255.255 they aren't.
 
Thank you for all that Him Her, I think you need a good maths background to understand this more.

Which I do not have, left school at 15 to work in a plumbers factory lol!!!

Smoked more brain-cells than I remember (don't do that anymore) I still add up on my fingers lol ;)

But I am getting there, and appreciate the small lessons mate.

Mick
 
I'm not the maths super-guru lol All this stuff twigged on the train back from Glasgow, trying to figure out how to pass the MCSE TCP/IP exam.

Could be more to do with being in IT from 1980 when binary was essential to take advantage of the limited hardware and IP was just a twinkle lol

The thing is, most people see all the nice GUI stuff nowadays but all that is built on the original design so a lot looks completely stupid and we wouldn't do it like that now - hence IPv6.

If you think it would be of any interest I'm happy to do a sort of TCP/IP brain-dump - hurts for a while but people will get over it!
 
So Him Her has done a master class in networking, i don't need to go in to detail.

i agree draytek routers are good & stable. but i still think they are horrid.

Subnets are created to separate areas of your network for security and/or to hold down broadcasts. Computers constantly ‘talk’ to each other. If you have a network of 10 computers, the talking (opening files or programs) or broadcasting packets that are sent out during networking is not much traffic at all. However if you have 10,000 computers talking and passing data, you will have thousands of computers passing data and your network will slow down from all of the information. If you still don’t understand, invite 10 friends over for a get together. It’ll get noisy but you can still hear every conversation. Now, go to a rock concert with 10,000 screaming fans. Get the picture.

Subnetting allows you to divide areas of your network out to prevent this. So here comes the golden question. How can you get them to ‘talk’ when you need to? With the installation of a Layer 3 Switch or a router, these subnets can talk.

as you are doing home networking, i would be surprised if you needed more than 50 ip address, so you could use a 255.0.0.0 subnet it's not correct but it does not really matter on a small network though using 225.225.225.32 may cause issues.

my point on the vpn's about using a 192.168.85.0/24 address range is it will help avoid routing issues when connecting to VPN's most Drayteks have a default range 192.168.1.0/24, so if you were in the pub and a client called to say their network was not working and the pub's ip range was 192.168.1.0/24 you would have issues talking to the remote network. ( read Him Her's post to find out why )

another tip trusts between networks with firewalls and AV installed :)
 
Okaaay! If I offended you copex, I apologise, not intended. BTW, your subnet mask, even if it was 255.255.255.32, would cause a problem, it's invalid, sorry...
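
A pre-deployment check for the two points raised in the posts above, the invalid mask and the address clash between a remote LAN and the network you dial in from, as an added example that is not part of the thread. The site labels and the `CLIENT_SITES` list are constructed sample data, and the function names are illustrative.

```python
import ipaddress

def mask_is_valid(mask):
    """A subnet mask is valid only if, in binary, it is a run of 1s
    followed by a run of 0s (no 1 bit after the first 0)."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = ~m & 0xFFFFFFFF          # the 0s of the mask become 1s
    # A contiguous block of low 1s plus one carries cleanly: 0b0111 & 0b1000 == 0
    return (host_bits & (host_bits + 1)) == 0

def vpn_conflicts(remote_lan, client_sites):
    """client_sites maps a label to the LAN you might connect from.
    Returns the labels whose range overlaps the remote LAN; from those
    places traffic for the remote LAN is treated as local and never
    enters the tunnel."""
    remote = ipaddress.ip_network(remote_lan, strict=False)
    return sorted(name for name, lan in client_sites.items()
                  if ipaddress.ip_network(lan, strict=False).overlaps(remote))

# Constructed sample: places an installer might connect from.
CLIENT_SITES = {
    "pub": "192.168.1.0/24",             # the router default range named above
    "home": "10.0.0.0/24",
    "hotel": "192.168.0.0/255.255.0.0",  # wide mask swallows every 192.168.x.0
}

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.192",
                 "255.255.255.32", "225.225.225.32"):
        print(f"{mask:16} valid={mask_is_valid(mask)}")
    for remote in ("192.168.0.0/24", "192.168.1.0/24", "192.168.85.0/24"):
        print(f"remote LAN {remote:16} clashes with: "
              f"{vpn_conflicts(remote, CLIENT_SITES) or 'nothing'}")
```

The hotel entry shows the mask warning from earlier in the thread: a client network using 255.255.0.0 overlaps any 192.168.x.0 remote LAN, including an uncommon one such as 192.168.85.0/24.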
 
hi not sure I am getting it right with a subnet of 255.255.255.192 you get an IP of 192.168.0.1 or does it start at 192.168.0.128 ?
 