Revamped the network
What was the impetus?
The WiFi here has been pretty terrible for a while. Upgrading our internet speed at home made things better, but not great. Last year I ran a bunch of ethernet through the attic which did help overall, but performance over wireless was still badly lacking. I needed to reboot devices often and ASUS's documentation for their routers was, frankly, dogshit.
Main Causes
- Old equipment
  - ASUS AX-92U (x2 in mesh)
  - Motorola Surfboard.. something (replaced prior to this project, but the routers gaslighted me into thinking the new modem was a problem...)
- Spaghetti network
  - No VLANs
  - No special firewall controls
  - The 2.4GHz band is flooded with IoT devices
- Mostly using free/cheap/used equipment
  - This isn't changing THAT much... but now I have a 24-port PoE switch
What to do?
- Upgrade to 1Gbps internet (and replace the modem)
  - (new) Hitron CODA DOCSIS 3.1
- Upgrade the (primary) access points
  - 2x (new) Zyxel WiFi 7 BE11000 Wireless MultiGig Pro Access Point
- Upgrade Netgear switch to PoE switch
  - Datto E24v3
- Add additional access points
  - Option 1: Re-use the ASUS APs (no PoE)
  - Option 2: Add some Ruckus R700 APs (older, but more compatible with the stupid Pi Zeros)
    - This is currently implemented but kind of sucks -- can't do subnets without double-NAT (can't assign addresses from the router) and can't set an IP range, meaning I can't easily restrict internet access for IoT devices
  - Option 3: (Most likely) Buy a few Extreme Networks WS-AP3825i APs (done) to flash with OpenWRT and add to the local network.
- Disable internet for the 2.4GHz network
  - This is dependent on the previous point, which is still a WIP
- Re-run bad ethernet runs
  - Last thing left to do here is to replace the wall jack in dorkHole with a single-jack keystone plate cover and remove the extra cable
  - Luckily, all other cables were long enough to go where they needed to go
  - As a bonus, I even ran another line to the garage for another AP
- Add new runs for the APs
  - If we stick with ASUS, I need to either also run power or find convenient places to install them
  - Ruckus APs will be easier, as they are PoE powered
  - New runs have been done for the library, servers, and the garage - unlikely that I'll need more at this time
  - However, one more run could theoretically be made to the master bedroom to really make sure there are no dead spots in the back yard, although the current setup works just fine, frankly.
- Upgrade bedroom switch connections to 2.5Gb
  - There is now a 2.5Gb switch in gayCloset. Currently, only the run to the (1Gb) switch in the bedroom and the Datto PoE switch have lines to it.
Device-specific notes
Ruckus R700
EDIT: These will be replaced soon. The Zyxel APs not running OpenWRT are forgivable since they are at least fast, but these things honk butt, run slow, and have zero-day exploits that, while they don't affect me, have not been patched, so they do not inspire confidence. I've purchased 4x Extreme Networks WS-AP3825i APs, which can be flashed with OpenWRT, to replace them. That being said, they are still in use, so the following section remains.
These are old devices with trash web interfaces that only support TLS versions older than 1.2 (which basically means no modern web browser will connect to them). To get around this, you first need to enable some legacy algorithms for SSH, then SSH into them, disable HTTPS access and enable HTTP access.
First, modify ~/.ssh/config with the following:

    # Legacy algorithms for this one AP only; do not put these under "Host *"
    Host <ip address>
        Ciphers +aes128-cbc
        HostKeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa

This enables the legacy aes128-cbc cipher and the SHA-1-based ssh-rsa host-key and public-key algorithms for this single host only, so you don't need to weaken every SSH connection (a leading + appends to the default algorithm list instead of replacing it).
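The point of the per-host stanza is that the weakened algorithms never become global. The following script is an added example (not from the original post) that audits an ssh_config file for exactly that: it parses Host blocks and reports any legacy cipher or key algorithm that is enabled at global scope, under Host *, or under a multi-host pattern. The address 192.0.2.10 stands in for the AP's real IP, and the set of algorithms treated as legacy is my own choice, not something the post specifies.

```python
"""Audit an OpenSSH client config for legacy algorithms that leak beyond one host.

Constructed example. Parsing follows the ssh_config format: options before
the first "Host" line are global, "Host <patterns>" opens a block, "#" starts
a comment, and "Key value" or "Key=value" are both accepted.
"""
import re
from typing import Dict, List, Tuple

# Algorithms this audit treats as legacy (assumption, chosen for this example).
LEGACY_ALGOS = {"aes128-cbc", "ssh-rsa", "ssh-dss", "diffie-hellman-group1-sha1"}
# ssh_config options whose values are comma-separated algorithm lists.
ALGO_OPTIONS = {"ciphers", "hostkeyalgorithms", "pubkeyacceptedalgorithms",
                "pubkeyacceptedkeytypes", "kexalgorithms", "macs"}

# Constructed sample: the stanza from the post, scoped to one placeholder AP address.
GOOD_CONFIG = """
# Legacy algorithms for the Ruckus AP only
Host 192.0.2.10
    Ciphers +aes128-cbc
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
"""

# Constructed counter-example: the same options applied to every host.
BAD_CONFIG = """
Ciphers +aes128-cbc
Host *
    HostKeyAlgorithms +ssh-rsa
"""


def parse_ssh_config(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(host_pattern, {option_lower: value}), ...] in file order.

    Options seen before any Host line are filed under the pattern "*"
    because OpenSSH applies them to every connection.
    """
    blocks: List[Tuple[str, Dict[str, str]]] = [("*", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "host":
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first occurrence wins in ssh
    return blocks


def legacy_findings(text: str) -> List[Tuple[str, str, str]]:
    """Return (host_pattern, option, algorithm) for each legacy algorithm enabled."""
    findings = []
    for pattern, opts in parse_ssh_config(text):
        for opt, value in opts.items():
            if opt not in ALGO_OPTIONS:
                continue
            if value.startswith("-"):
                continue  # "-algo" removes algorithms; that is not enabling one
            for algo in value.lstrip("+^").lower().split(","):
                if algo.strip() in LEGACY_ALGOS:
                    findings.append((pattern, opt, algo.strip()))
    return findings


def is_scoped_to_single_host(pattern: str) -> bool:
    """True when the Host pattern names exactly one literal host (no wildcards)."""
    return len(pattern.split()) == 1 and not any(c in pattern for c in "*?!")


def audit(text: str) -> List[str]:
    """Describe every legacy algorithm that is reachable beyond a single host."""
    problems = []
    for pattern, opt, algo in legacy_findings(text):
        if not is_scoped_to_single_host(pattern):
            problems.append(f"{opt} enables {algo} for '{pattern}' (not scoped to one host)")
    return problems


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, "->", audit(cfg) or "ok: legacy algorithms are host-scoped")
```

Point it at your real file with `audit(open(os.path.expanduser("~/.ssh/config")).read())` after enabling the AP stanza; an empty result means the downgrade applies only to the one address you listed.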
After that, you should be able to SSH into the device with ssh <ip address>. Unlike a normal SSH connection, it will prompt for a username and then a password. The default username on a freshly reset AP is super, with a password of sp-admin.
Once SSH'd into the device, run the following commands:
set https disable
set http enable
My experience with the first device was that at this point, you'll lose connection and the AP will reboot. Once back up, configure as normal by browsing to http://<ip address>.
This won't be a security issue, as these devices themselves will not be exposed to the internet - in fact, hopefully everything on the 2.4GHz network (all we are using these old APs for) will be restricted from internet access, as every one of them is either a camera or a smart home device, all of which is handled by Home Assistant.