# How I Overengineered My Home Network

A long while back I stumbled across Ben Balter's post "How I over-engineered my home network for privacy and security" on HN, and appreciated his thoughtful, yet excessive, approach to designing his home network.
I created this note while architecting my own home network.
## 10000-ft View
My physical network looks something like this:
My logical network looks like this:
## Basic Requirements
- Securely separate "somewhat trusted" vs "not-trusted" devices
- Provide ad-blocking DNS, make all devices use it
## VLAN

The network is segmented into the following VLANs:

| VLAN | Subnet | Domain | Name | SSID | Zone |
|---|---|---|---|---|---|
| 1003 | 172.1.1.x | guestwifi.home | Guest WiFi | guest-wifi | GUEST |
| 3 | 172.1.3.x | iot.home | IoT WiFi | iot | UNTRUSTED |
| 4 | 172.1.4.x | ha.home | Home Assistant | N/A | GUEST |
| 5 | 172.1.3.x | iot-voice.home | IoT Voice WiFi | iot-voice | UNTRUSTED |
| 6 | 172.1.3.x | iot-tv.home | IoT TV WiFi | iot-tv | UNTRUSTED |
| 10 | 192.168.1.x | mgmt.home | Management | N/A | LAN |
| 11 | 192.168.1.x | wired.home | Wired | N/A | LAN |
Each wireless SSID is assigned to a separate VLAN.
Each wired connection is assigned a VLAN by defining VLAN IDs on each switch on the network:
EdgeRouter X Ports

| Interface | Description | VLAN (PID) | VLAN (VID) |
|---|---|---|---|
| eth0 | WAN/Internet | | |
| eth1 | Core Switch | | |
| eth2 | Living Room TV | | |
| eth3 | Home Assistant | | |
| eth4 | Living Room WiFi | | |
## Wireless

The WAPs broadcast three SSIDs: `guest-wifi`, `iot-voice`, and `iot-voice`; the latter two are hidden.
## Firewall

My firewall uses zone-based policies: every zone's default action is drop, and traffic between zones is only allowed where a policy explicitly permits it.

| Source | Destination | Policy |
|---|---|---|
| LAN | ALL | Allow |
| LOCAL | ALL | Allow |
| WAN | IN | Established |
| GUEST | LAN | Deny |
| GUEST | WAN | Allow |
| GUEST | LOCAL | Deny except DHCP/DNS |
| UNTRUSTED | LAN | Deny |
| UNTRUSTED | WAN | Deny |
| UNTRUSTED | GUEST | Established |
## Router Setup

### Getting Started

The EdgeRouter X firmware is based on Vyatta, a Linux router distribution built on Debian Jessie. It implements a declarative configuration system through which every aspect of the device's configuration can be managed from the CLI.

The configuration system is installed via standard Debian packages:

Upon logging in, you are in "operational" mode.

To configure the system you have to enter "configuration" mode:

Now you are able to use the `set`, `delete`, and `show` commands to modify the configuration.

- Changes are staged until they are committed using `commit`
- Changes can be discarded with `discard`
- Changes are written to disk using `save`
- Return to operational mode using `exit`

Changes are saved to the `/config` directory, where they survive reboots and firmware upgrades:

- The contents of `/config/scripts/firstboot.d/` are executed once after each firmware update.
- `.deb` packages in `/config/data/firstboot/install-packages/` are automatically installed after firmware updates.
### Further Reading
- Getting Started
- Boot Process
- Backing Up Config Directory
- Backup and Restore Configuration
- Run Operational Mode Command from Scripts
- Archiving and Managing the Configuration Files
### Basic Commands

- Show configuration
- Show configuration as commands
- Show all public keys
- Delete a user's public key
### Administration Setup

The first thing we'll do is secure our access to the EdgeRouter X by disabling password authentication.

#### SSH Setup

- Generate the coniferadmin SSH keypair
- Add the key to ssh-agent
- Copy the key to the router
- Load the key on the router and disable password authentication
- Log into the router
### DHCP/DNS Setup

#### Set Router Domain

#### Setup DNSMasq

#### Rename DHCP Servers

```
configure
edit service dhcp-server
rename shared-network-name LAN to shared-network-name mgmt.home
rename shared-network-name LAN-WLAN-Untrusted to shared-network-name guestwifi.home
rename shared-network-name WLAN-IoT to shared-network-name iot.home
top
commit; save; exit
```
#### Setup 1.1.1.1 DNS

We'll be running AdGuard DNS separately on the network, but let's also configure the EdgeRouter's built-in DNS forwarder to use Cloudflare's resolvers with DNSSEC validation, in case certain devices use it:

```
sudo mkdir /config/dnsmasq
sudo chown dnsmasq:nogroup /config/dnsmasq
configure
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 1.0.0.1
set service dns forwarding name-server '2606:4700:4700::1111'
set service dns forwarding name-server '2606:4700:4700::1001'
set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
set service dns forwarding options dnssec-check-unsigned
set service dns forwarding options dnssec-timestamp=/config/dnsmasq/dnsmasq.time
delete system name-server
set system name-server 127.0.0.1
commit; save; exit
show dns forwarding nameservers
show dns forwarding statistics
```
#### Create Static DNS Entry for UniFi Controller

To manage the onsite UniFi infrastructure (WAPs, USW-Lite-8-POE, etc.), I have a UniFi Controller running on a Raspberry Pi.

We need to make sure the controller's name always resolves to its fixed IP address:

```
configure
delete system static-host-mapping host-name unifi.home
set system static-host-mapping host-name unifi.home inet 192.168.1.74
commit;save;exit
```
#### Setup Captive DNS

To ensure all DNS traffic goes through our AdGuard DNS server, we enable captive DNS using source and destination NAT rules:
#### Setup VLANs / Subnets

```
configure
set interfaces switch switch0 vif 1003 address 172.16.1.1/24
set interfaces switch switch0 vif 1003 description 'guestwifi.home'
set interfaces switch switch0 vif 1003 mtu 1500
set interfaces switch switch0 vif 2 address 172.16.2.1/24
set interfaces switch switch0 vif 2 description 'printer.home'
set interfaces switch switch0 vif 2 mtu 1500
set interfaces switch switch0 vif 3 address 172.16.3.1/24
set interfaces switch switch0 vif 3 description 'iot.home'
set interfaces switch switch0 vif 3 mtu 1500
set interfaces switch switch0 vif 4 address 172.16.4.1/24
set interfaces switch switch0 vif 4 description 'ha.home'
set interfaces switch switch0 vif 4 mtu 1500
set interfaces switch switch0 vif 10 address 192.168.10.1/24
set interfaces switch switch0 vif 10 description 'mgmt.home'
set interfaces switch switch0 vif 10 mtu 1500
set interfaces switch switch0 vif 11 address 192.168.11.1/24
set interfaces switch switch0 vif 11 description 'wired.home'
set interfaces switch switch0 vif 11 mtu 1500
set interfaces switch switch0 vif 12 address 192.168.12.1/24
set interfaces switch switch0 vif 12 description 'wifi.home'
set interfaces switch switch0 vif 12 mtu 1500
set interfaces switch switch0 switch-port interface eth1 vlan vid 1003
set interfaces switch switch0 switch-port interface eth1 vlan vid 2
set interfaces switch switch0 switch-port interface eth1 vlan vid 3
set interfaces switch switch0 switch-port interface eth1 vlan vid 4
set interfaces switch switch0 switch-port interface eth1 vlan vid 10
set interfaces switch switch0 switch-port interface eth1 vlan vid 11
set interfaces switch switch0 switch-port interface eth1 vlan vid 12
set service dns forwarding listen-on switch0
set service dns forwarding listen-on switch0.1003
set service dns forwarding listen-on switch0.2
set service dns forwarding listen-on switch0.3
set service dns forwarding listen-on switch0.4
set service dns forwarding listen-on switch0.10
set service dns forwarding listen-on switch0.11
set service dns forwarding listen-on switch0.12
```
#### Setup DHCP Servers

```
configure
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name guestwifi.home authoritative enable
set service dhcp-server shared-network-name guestwifi.home subnet 172.16.1.0/24 default-router 172.16.1.1
set service dhcp-server shared-network-name guestwifi.home subnet 172.16.1.0/24 dns-server 172.16.1.1
set service dhcp-server shared-network-name guestwifi.home subnet 172.16.1.0/24 domain-name guestwifi.home
set service dhcp-server shared-network-name guestwifi.home subnet 172.16.1.0/24 lease 86400
set service dhcp-server shared-network-name guestwifi.home subnet 172.16.1.0/24 start 172.16.1.50 stop 172.16.1.200
set service dhcp-server shared-network-name printer.home authoritative enable
set service dhcp-server shared-network-name printer.home subnet 172.16.2.0/24 default-router 172.16.2.1
set service dhcp-server shared-network-name printer.home subnet 172.16.2.0/24 dns-server 172.16.2.1
set service dhcp-server shared-network-name printer.home subnet 172.16.2.0/24 domain-name printer.home
set service dhcp-server shared-network-name printer.home subnet 172.16.2.0/24 lease 86400
set service dhcp-server shared-network-name printer.home subnet 172.16.2.0/24 start 172.16.2.50 stop 172.16.2.200
set service dhcp-server shared-network-name iot.home authoritative enable
set service dhcp-server shared-network-name iot.home subnet 172.16.3.0/24 default-router 172.16.3.1
set service dhcp-server shared-network-name iot.home subnet 172.16.3.0/24 dns-server 172.16.3.1
set service dhcp-server shared-network-name iot.home subnet 172.16.3.0/24 domain-name iot.home
set service dhcp-server shared-network-name iot.home subnet 172.16.3.0/24 lease 86400
set service dhcp-server shared-network-name iot.home subnet 172.16.3.0/24 start 172.16.3.50 stop 172.16.3.200
set service dhcp-server shared-network-name ha.home authoritative enable
set service dhcp-server shared-network-name ha.home subnet 172.16.4.0/24 default-router 172.16.4.1
set service dhcp-server shared-network-name ha.home subnet 172.16.4.0/24 dns-server 172.16.4.1
set service dhcp-server shared-network-name ha.home subnet 172.16.4.0/24 domain-name ha.home
set service dhcp-server shared-network-name ha.home subnet 172.16.4.0/24 lease 86400
set service dhcp-server shared-network-name ha.home subnet 172.16.4.0/24 start 172.16.4.50 stop 172.16.4.200
set service dhcp-server shared-network-name native.home authoritative enable
set service dhcp-server shared-network-name native.home subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name native.home subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name native.home subnet 192.168.1.0/24 domain-name native.home
set service dhcp-server shared-network-name native.home subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name native.home subnet 192.168.1.0/24 start 192.168.1.50 stop 192.168.1.200
set service dhcp-server shared-network-name mgmt.home authoritative enable
set service dhcp-server shared-network-name mgmt.home subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name mgmt.home subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name mgmt.home subnet 192.168.10.0/24 domain-name mgmt.home
set service dhcp-server shared-network-name mgmt.home subnet 192.168.10.0/24 lease 86400
set service dhcp-server shared-network-name mgmt.home subnet 192.168.10.0/24 start 192.168.10.50 stop 192.168.10.200
set service dhcp-server shared-network-name wired.home authoritative enable
set service dhcp-server shared-network-name wired.home subnet 192.168.11.0/24 default-router 192.168.11.1
set service dhcp-server shared-network-name wired.home subnet 192.168.11.0/24 dns-server 192.168.11.1
set service dhcp-server shared-network-name wired.home subnet 192.168.11.0/24 domain-name wired.home
set service dhcp-server shared-network-name wired.home subnet 192.168.11.0/24 lease 86400
set service dhcp-server shared-network-name wired.home subnet 192.168.11.0/24 start 192.168.11.50 stop 192.168.11.200
set service dhcp-server shared-network-name wifi.home authoritative enable
set service dhcp-server shared-network-name wifi.home subnet 192.168.12.0/24 default-router 192.168.12.1
set service dhcp-server shared-network-name wifi.home subnet 192.168.12.0/24 dns-server 192.168.12.1
set service dhcp-server shared-network-name wifi.home subnet 192.168.12.0/24 domain-name wifi.home
set service dhcp-server shared-network-name wifi.home subnet 192.168.12.0/24 lease 86400
set service dhcp-server shared-network-name wifi.home subnet 192.168.12.0/24 start 192.168.12.50 stop 192.168.12.200
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq enable
commit; save; exit
```
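Every shared network above hands out the router's own VLAN address as both `default-router` and `dns-server`; a typo in one of those lines silently sends one VLAN's DNS somewhere else and breaks the ad-blocking design for it. The Python below is an added example, not part of these notes: it parses a constructed subset of the vif and DHCP commands in the flat form that `show configuration commands` prints, with two deliberate deviations from the page (an iot.home `dns-server` of 1.1.1.1 and an ha.home `stop` address outside its subnet), and reports each shared network whose router, DNS server or lease range does not match its interface.

```python
"""Cross-check EdgeRouter VLAN interfaces (vif) against DHCP shared networks.
Added example, not from the original notes."""
import ipaddress
import re

# Constructed excerpt in the flat form `show configuration commands` prints.
# Two lines deviate on purpose from the page: iot.home's dns-server and
# ha.home's stop address. native.home has no matching vif in this excerpt.
CONFIG = """
set interfaces switch switch0 vif 1003 address 172.16.1.1/24
set interfaces switch switch0 vif 3 address 172.16.3.1/24
set interfaces switch switch0 vif 4 address 172.16.4.1/24
set service dhcp-server shared-network-name guestwifi.home subnet 172.16.1.0/24 default-router 172.16.1.1
set service dhcp-server shared-network-name guestwifi.home subnet 172.16.1.0/24 dns-server 172.16.1.1
set service dhcp-server shared-network-name guestwifi.home subnet 172.16.1.0/24 lease 86400
set service dhcp-server shared-network-name guestwifi.home subnet 172.16.1.0/24 start 172.16.1.50 stop 172.16.1.200
set service dhcp-server shared-network-name iot.home subnet 172.16.3.0/24 default-router 172.16.3.1
set service dhcp-server shared-network-name iot.home subnet 172.16.3.0/24 dns-server 1.1.1.1
set service dhcp-server shared-network-name iot.home subnet 172.16.3.0/24 start 172.16.3.50 stop 172.16.3.200
set service dhcp-server shared-network-name ha.home subnet 172.16.4.0/24 default-router 172.16.4.1
set service dhcp-server shared-network-name ha.home subnet 172.16.4.0/24 dns-server 172.16.4.1
set service dhcp-server shared-network-name ha.home subnet 172.16.4.0/24 start 172.16.4.50 stop 172.16.5.200
set service dhcp-server shared-network-name native.home subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name native.home subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name native.home subnet 192.168.1.0/24 start 192.168.1.50 stop 192.168.1.200
"""

VIF_RE = re.compile(r"set interfaces switch switch0 vif (\d+) address (\S+)$")
DHCP_RE = re.compile(r"set service dhcp-server shared-network-name (\S+) subnet (\S+) (\S+) (.+)$")


def parse(config):
    """Return ({vif id: interface}, {network name: {subnet, default-router, dns-server, start, stop}})."""
    vifs, nets = {}, {}
    for line in config.splitlines():
        if m := VIF_RE.match(line):
            vifs[int(m[1])] = ipaddress.ip_interface(m[2])
        elif m := DHCP_RE.match(line):
            net = nets.setdefault(m[1], {"subnet": ipaddress.ip_network(m[2])})
            if m[3] == "start":  # "start A stop B" is a single statement
                start, _, stop = m[4].partition(" stop ")
                net["start"], net["stop"] = ipaddress.ip_address(start), ipaddress.ip_address(stop)
            elif m[3] in ("default-router", "dns-server"):
                net[m[3]] = ipaddress.ip_address(m[4])
            # domain-name, lease, etc. are not needed for the consistency check
    return vifs, nets


def audit(config):
    """Return (network name, problem) pairs; an empty list means the config is consistent."""
    vifs, nets = parse(config)
    problems = []
    for name, net in sorted(nets.items()):
        subnet = net["subnet"]
        # The gateway of a shared network is the vif whose address lies inside its subnet.
        gateway = next((v.ip for v in vifs.values() if v.ip in subnet), None)
        if gateway is None:
            problems.append((name, f"no vif address inside {subnet}"))
            continue
        if net.get("default-router") != gateway:
            problems.append((name, f"default-router {net.get('default-router')} is not the vif address {gateway}"))
        if net.get("dns-server") != gateway:
            # Clients must resolve through the router for the ad-blocking / captive DNS design to hold.
            problems.append((name, f"dns-server {net.get('dns-server')} is not the router {gateway}"))
        for key in ("start", "stop"):
            if key in net and net[key] not in subnet:
                problems.append((name, f"{key} {net[key]} outside {subnet}"))
        if "start" in net and "stop" in net and net["start"] > net["stop"]:
            problems.append((name, "start is after stop"))
    return problems


if __name__ == "__main__":
    for name, problem in audit(CONFIG):
        print(f"{name}: {problem}")
```

Run it against the real `show configuration commands` output to cover the whole config rather than this excerpt.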
### Setup Firewall

```
### CLEANUP
configure
delete firewall name ALLOW_ALL
delete firewall name ALLOW_DNS_DHCP
delete firewall name ALLOW_DNS_DHCP_WEB_SSH
delete firewall name ALLOW_ESTABLISHED
delete firewall name ALLOW_PLEX
delete firewall name ALLOW_PLEX_REMOTE
delete firewall name ALLOW_WIREGUARD
delete firewall name ALLOW_ALL_IPv6
delete firewall ipv6-name ALLOW_ALL-IPv6
delete firewall ipv6-name ALLOW_ESTABLISHED-IPv6
delete firewall ipv6-name ALLOW_ESTABLISHED_IPv6
commit;save;exit;
show configuration commands | egrep firewall
configure
## Reusable rules to allow established connections and drop invalid packets
# IPv4 rules
edit firewall name ALLOW_ESTABLISHED
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
top
# IPv6 rules (ICMP is required because of how IPv6 works)
edit firewall ipv6-name ALLOW_ESTABLISHED_IPv6
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
set rule 100 action accept
set rule 100 protocol ipv6-icmp
top
# Allow all connections
edit firewall
copy name ALLOW_ESTABLISHED to name ALLOW_ALL
set name ALLOW_ALL default-action accept
delete name ALLOW_ALL enable-default-log
top
edit firewall
copy ipv6-name ALLOW_ESTABLISHED_IPv6 to ipv6-name ALLOW_ALL_IPv6
set ipv6-name ALLOW_ALL_IPv6 default-action accept
delete ipv6-name ALLOW_ALL_IPv6 enable-default-log
top
## Allow DNS/DHCP to Local from anywhere
edit firewall
copy name ALLOW_ESTABLISHED to name ALLOW_DNS_DHCP
edit name ALLOW_DNS_DHCP
set rule 600 description "Allow DNS"
set rule 600 action accept
set rule 600 destination port 53
set rule 600 protocol tcp_udp
set rule 700 description "Allow DHCP"
set rule 700 action accept
set rule 700 destination port 67,68
set rule 700 protocol udp
top
## Allow Wireguard to Local
edit firewall
copy name ALLOW_ESTABLISHED to name ALLOW_WIREGUARD
edit name ALLOW_WIREGUARD
#set firewall name ALLOW_WIREGUARD rule 600 description "Allow Wireguard"
set rule 600 description "Allow Wireguard"
set rule 600 action accept
set rule 600 destination port 51820
set rule 600 protocol udp
top
## Allow guestwifi.home Access to Plex on Monolith
# - https://support.plex.tv/articles/201543147-what-network-ports-do-i-need-to-allow-through-my-firewall/
edit firewall
copy name ALLOW_ESTABLISHED to name ALLOW_PLEX
edit name ALLOW_PLEX
set rule 600 description "Allow Plex TCP"
set rule 600 action accept
set rule 600 destination port 8324,32400
set rule 600 destination address 192.168.11.182
set rule 600 protocol tcp
set rule 700 description "Allow Plex UDP"
set rule 700 action accept
set rule 700 destination port 32410,32412,32413,32414
set rule 700 protocol udp
top
edit firewall
copy name ALLOW_ESTABLISHED to name ALLOW_PLEX_REMOTE
edit name ALLOW_PLEX_REMOTE
set rule 600 description "Allow Plex TCP"
set rule 600 action accept
set rule 600 destination port 32400
set rule 600 destination address 192.168.11.182
set rule 600 protocol tcp
top
## LAN to Local (to router)
edit firewall
copy name ALLOW_DNS_DHCP to name ALLOW_DNS_DHCP_WEB_SSH
edit name ALLOW_DNS_DHCP_WEB_SSH
set rule 100 action accept
set rule 100 protocol icmp
set rule 200 description "Allow HTTP/HTTPS"
set rule 200 action accept
set rule 200 destination port 80,443
set rule 200 protocol tcp
set rule 800 description "Allow SSH"
set rule 800 action accept
set rule 800 destination port 22
set rule 800 protocol tcp
top
commit
## Zone Setup
# Remove existing WAN Rules
delete interfaces ethernet eth0 firewall
delete firewall name WAN_IN
delete firewall name WAN_LOCAL
# WAN Zone
set zone-policy zone wan default-action drop
set zone-policy zone wan from local firewall name ALLOW_ALL
set zone-policy zone wan from lan firewall name ALLOW_ALL
set zone-policy zone wan from guest firewall name ALLOW_ALL
set zone-policy zone wan interface eth0
# LAN Zone
set zone-policy zone lan default-action drop
set zone-policy zone lan from local firewall name ALLOW_ALL
set zone-policy zone lan from wan firewall name ALLOW_PLEX_REMOTE
set zone-policy zone lan from guest firewall name ALLOW_PLEX
set zone-policy zone lan from wireguard firewall name ALLOW_ESTABLISHED
set zone-policy zone lan interface switch0
set zone-policy zone lan interface switch0.10
set zone-policy zone lan interface switch0.11
set zone-policy zone lan interface switch0.12
# GUEST Zone
set zone-policy zone guest default-action drop
set zone-policy zone guest from local firewall name ALLOW_ALL
set zone-policy zone guest from wan firewall name ALLOW_ESTABLISHED
set zone-policy zone guest from lan firewall name ALLOW_ALL
set zone-policy zone guest from untrusted firewall name ALLOW_ESTABLISHED
set zone-policy zone guest from wireguard firewall name ALLOW_ALL
set zone-policy zone guest interface switch0.4
set zone-policy zone guest interface switch0.1003
# LOCAL Zone (to Router)
set zone-policy zone local default-action drop
set zone-policy zone local from wan firewall name ALLOW_ESTABLISHED
set zone-policy zone local from lan firewall name ALLOW_DNS_DHCP_WEB_SSH
set zone-policy zone local from guest firewall name ALLOW_DNS_DHCP
set zone-policy zone local from untrusted firewall name ALLOW_DNS_DHCP
set zone-policy zone local from wireguard firewall name ALLOW_WIREGUARD
set zone-policy zone local local-zone
# UNTRUSTED Zone
set zone-policy zone untrusted default-action drop
set zone-policy zone untrusted from lan firewall name ALLOW_ALL
set zone-policy zone untrusted from guest firewall name ALLOW_ALL
set zone-policy zone untrusted from local firewall name ALLOW_ALL
set zone-policy zone untrusted interface switch0.2
set zone-policy zone untrusted interface switch0.3
# WIREGUARD Zone
set zone-policy zone wireguard from guest firewall name ALLOW_ALL
set zone-policy zone wireguard from lan firewall name ALLOW_ALL
set zone-policy zone wireguard from wan firewall name ALLOW_WIREGUARD
set zone-policy zone wireguard interface wg0
commit; save
```
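The `zone-policy` commands above are what actually enforce the table in the Firewall section: `zone X from Y firewall name Z` filters traffic from zone Y into zone X, and a pair with no entry falls to the destination zone's default-action drop. The Python below is an added example, not part of these notes: it parses a constructed excerpt of the rulesets and zone policy in the flat form that `show configuration commands` prints (to stay short, the copied rule 1 is only kept in ALLOW_ESTABLISHED), derives the effective source-to-destination matrix and diffs it against rows of the intended table. On this excerpt it flags guest to lan, which the table marks Deny while ALLOW_PLEX opens the Plex ports.

```python
"""Derive the effective zone-to-zone policy from EdgeRouter zone-policy commands
and diff it against the intended policy table. Added example, not from the notes."""
import re
from collections import defaultdict

# Constructed excerpt of the page's rulesets and zone policy in the flat form
# `show configuration commands` prints. `zone X from Y` filters Y -> X traffic.
CONFIG = """
set firewall name ALLOW_ESTABLISHED default-action drop
set firewall name ALLOW_ESTABLISHED rule 1 action accept
set firewall name ALLOW_ESTABLISHED rule 1 state established enable
set firewall name ALLOW_ALL default-action accept
set firewall name ALLOW_DNS_DHCP default-action drop
set firewall name ALLOW_DNS_DHCP rule 600 action accept
set firewall name ALLOW_DNS_DHCP rule 600 destination port 53
set firewall name ALLOW_DNS_DHCP rule 700 action accept
set firewall name ALLOW_DNS_DHCP rule 700 destination port 67,68
set firewall name ALLOW_PLEX default-action drop
set firewall name ALLOW_PLEX rule 600 action accept
set firewall name ALLOW_PLEX rule 600 destination port 8324,32400
set zone-policy zone wan from guest firewall name ALLOW_ALL
set zone-policy zone lan from guest firewall name ALLOW_PLEX
set zone-policy zone guest from untrusted firewall name ALLOW_ESTABLISHED
set zone-policy zone local from guest firewall name ALLOW_DNS_DHCP
set zone-policy zone untrusted from guest firewall name ALLOW_ALL
"""

# Rows of the intended policy table, (source zone, destination zone) -> summary.
INTENDED = {
    ("guest", "lan"): "deny",
    ("guest", "wan"): "allow",
    ("guest", "local"): "ports=53,67,68",
    ("untrusted", "lan"): "deny",
    ("untrusted", "wan"): "deny",
    ("untrusted", "guest"): "established",
}


def parse_config(config):
    """Return (rulesets, pairs, zones); pairs maps (src, dst) to the ruleset name that filters it."""
    rulesets = defaultdict(lambda: {"default": "drop", "rules": defaultdict(dict)})
    pairs, zones = {}, set()
    for line in config.splitlines():
        if m := re.match(r"set firewall name (\S+) default-action (\S+)$", line):
            rulesets[m[1]]["default"] = m[2]
        elif m := re.match(r"set firewall name (\S+) rule (\d+) (action|state|destination port) (\S+)", line):
            rule = rulesets[m[1]]["rules"][int(m[2])]
            if m[3] == "state":
                rule.setdefault("state", set()).add(m[4])
            else:
                rule[m[3]] = m[4]  # "action" -> accept/drop, "destination port" -> "53" or "67,68"
        elif m := re.match(r"set zone-policy zone (\S+) from (\S+) firewall name (\S+)$", line):
            zones.update((m[1], m[2]))
            pairs[(m[2], m[1])] = m[3]  # `from` names the source zone, `zone` the destination
    return rulesets, pairs, zones


def summarise(ruleset):
    """Collapse a ruleset to allow / established[,ports=...] / deny, looking only at accept rules."""
    if ruleset["default"] == "accept":
        return "allow"
    accepted = [r for r in ruleset["rules"].values() if r.get("action") == "accept"]
    parts = []
    if any("established" in r.get("state", ()) for r in accepted):
        parts.append("established")
    ports = sorted({p for r in accepted for p in r.get("destination port", "").split(",") if p}, key=int)
    if ports:
        parts.append("ports=" + ",".join(ports))
    return ",".join(parts) or "deny"


def effective_policy(config):
    """Map every ordered (src, dst) zone pair to its summary; unlisted pairs fall to the zone's drop."""
    rulesets, pairs, zones = parse_config(config)
    return {(s, d): (summarise(rulesets[pairs[(s, d)]]) if (s, d) in pairs else "deny")
            for s in sorted(zones) for d in sorted(zones) if s != d}


def check(config, intended):
    """Return (src, dst, intended, actual) rows where the config disagrees with the table."""
    actual = effective_policy(config)
    return [(s, d, want, actual.get((s, d), "deny"))
            for (s, d), want in intended.items() if actual.get((s, d), "deny") != want]
```

Feeding it the full `show configuration commands` output and the complete table turns the Firewall section into a regression check you can rerun after every `commit`.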
### Setup WireGuard

Next, we'll set up WireGuard to allow securely accessing the router from unprotected networks.

```
cd /tmp
# Download the appropriate version
curl -qLs https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20210606-2/e50-v2-v1.0.20210606-v1.0.20210914.deb -o wireguard.deb
sudo dpkg -i wireguard.deb
# Prints the private key followed by the public key ("abc" and "xxx" below are placeholders)
wg genkey | tee /dev/tty | wg pubkey
# Private key: abc
# Public key: xxx
configure
# Adjust the address range as necessary
set interfaces wireguard wg0 address 192.168.33.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key abc
commit
### Setup the client, then add its public key ("def" is a placeholder) as a peer
set interfaces wireguard wg0 peer def allowed-ips 192.168.33.2/32
commit
save
```
### Setup mDNS

Some devices, like Chromecasts, use mDNS to enable their magic. However, since our network is segmented, we have to use an mDNS repeater to proxy mDNS messages between VLANs / subnets:

```
configure
set service mdns repeater interface switch0.1003
set service mdns repeater interface switch0.4
set service mdns repeater interface switch0
commit; save; exit
```

Info: The mDNS repeater simply repeats messages between subnets, so devices are aware of the existence of devices on other subnets. However, firewall rules need...
### Setup IGMP Proxying

```
configure
set protocols igmp-proxy interface switch0 role upstream
set protocols igmp-proxy interface switch0.1003 role downstream
set protocols igmp-proxy interface switch0 threshold 1
set protocols igmp-proxy interface switch0 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface switch0.1003 threshold 1
set protocols igmp-proxy interface switch0.1003 alt-subnet 0.0.0.0/0
commit; save; exit
show ip multicast mfc
show ip multicast interfaces
```
### Hardware Offloading

### Advanced Commands

- Show all iptables rules
## Core Switch Setup

My "core switch" is a Ubiquiti USW-Lite-8-POE Layer 2 managed switch.

### Ports

| Port | Description | VLAN(s) |
|---|---|---|
| 1 | Upstairs Guest Bedroom | |
| 2 | Downstairs Guest Bedroom (Left) | |
| 3 | Kitchen | |
| 4 | Downstairs Guest Bedroom (Right) | |
| 5 | Unknown | |
| 6 | Master Bedroom | 1003 |
| 7 | Living Room | 1003 |
| 8 | Family Room | 1003 |
## UniFi Raspberry Pi

The UniFi Controller runs as a Docker container on a balenaOS-based Raspberry Pi host.

### Accessing Host

### Docker Admin

The image used is: https://hub.docker.com/r/jacobalberty/unifi

- Show running containers:

```bash
balena ps
```

- Update the container image:

```bash
balena pull jacobalberty/unifi
balena stop <container id>
balena rm <container id>
balena run -d --restart unless-stopped --init -p 8080:8080 -p 8443:8443 -p 3478:3478/udp -e TZ='America/Los_Angeles' -v /mnt/data/unifi:/unifi --name unifi jacobalberty/unifi:latest
```
## Miscellaneous

### AdGuard Setup

```yaml
services:
  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 784:784/udp
      - 853:853/tcp
      - 3000:3000/tcp
      - 80:80/tcp
      - 443:443/tcp
    # mac_address: 02:42:c0:a8:84:24
    networks:
      vlan:
        ipv4_address: 172.16.4.2
    volumes:
      - adguard_work:/opt/adguardhome/work
      - adguard_conf:/opt/adguardhome/conf
    restart: unless-stopped
networks:
  vlan:
    driver: ipvlan
    driver_opts:
      parent: enp1s0.4
    ipam:
      driver: default
      config:
        - subnet: 172.16.4.0/24
          gateway: 172.16.4.1
volumes:
  adguard_work:
  adguard_conf:
```
#### Network Setup

```bash
sudo nmcli con mod enp1s0.4 ipv4.addresses 172.16.4.2/24
sudo nmcli con mod enp1s0.4 ipv4.gateway 172.16.4.1
sudo nmcli con mod enp1s0.4 ipv4.dns 192.168.1.1
sudo nmcli con mod enp1s0.4 ipv4.method manual
sudo nmcli con up enp1s0.4
# To remove the connection again:
sudo nmcli connection delete enp1s0.4
```
#### References
- Adguard Home Setup
- How to create a Docker macvlan with user defined IP and MAC address using Compose
- How to Configure Network Connection Using ‘nmcli’ Tool
- How to delete connection by name via Network Manager
### Setting up Plex Remotely

- SSH into admin@monolith and type:
- Restart sshd: `kill -n 1 <pid of sshd>`
- Open a remote tunnel: `ssh -l coniferadmin -L 8888:127.0.0.1:32400 monolith.iot.home`
- Open http://127.0.0.1:8888/web

#### Alternate

- As admin edit `/etc/config/ssh/sshd_config` and set `AllowTcpForwarding yes`
- Restart sshd: `kill -n 1 <pid of sshd>`
- Open a remote tunnel: `ssh -l coniferadmin -L 8888:127.0.0.1:32400 monolith`
- Open http://127.0.0.1:8888/web
#### Configuring Remote Access

```
# Enable DNAT from WAN to Plex Server
set service nat rule 8 description 'Allow Plex Remote'
set service nat rule 8 destination port 42451
set service nat rule 8 disable
set service nat rule 8 inbound-interface eth0
set service nat rule 8 inside-address address 172.16.3.182
set service nat rule 8 inside-address port 32400
set service nat rule 8 log enable
set service nat rule 8 protocol tcp
set service nat rule 8 source group
set service nat rule 8 type destination
# Enable WAN access to Plex Server
set firewall name untrusted-from-wan rule 3 action accept
set firewall name untrusted-from-wan rule 3 description 'Allow Plex Remote'
set firewall name untrusted-from-wan rule 3 destination address 172.16.3.182
set firewall name untrusted-from-wan rule 3 destination port 32400
set firewall name untrusted-from-wan rule 3 log enable
set firewall name untrusted-from-wan rule 3 protocol tcp
set firewall name untrusted-from-wan rule 3 source group address-group Plex_Remote
# Enable DNAT from guestwifi.home to iot.home
set service nat rule 12 description 'Redirect Plex'
set service nat rule 12 destination port 42451
set service nat rule 12 inbound-interface switch0.1003
set service nat rule 12 inside-address address 172.16.3.182
set service nat rule 12 inside-address port 32400
set service nat rule 12 log enable
set service nat rule 12 protocol tcp
set service nat rule 12 type destination
set service nat rule 13 description 'Redirect Plex (iot-tv.home)'
set service nat rule 13 destination port 42451
set service nat rule 13 inbound-interface switch0.6
set service nat rule 13 inside-address address 172.16.3.182
set service nat rule 13 inside-address port 32400
set service nat rule 13 log enable
set service nat rule 13 protocol tcp
set service nat rule 13 type destination
set service nat rule 14 description 'Redirect Plex (iot.home)'
set service nat rule 14 destination port 42451
set service nat rule 14 inbound-interface switch0.3
set service nat rule 14 inside-address address 172.16.3.182
set service nat rule 14 inside-address port 32400
set service nat rule 14 log enable
set service nat rule 14 protocol tcp
set service nat rule 14 type destination
set service nat rule 5005 description 'Masquerade for Plex (guestwifi.home)'
set service nat rule 5005 destination address 172.16.3.182
set service nat rule 5005 destination port 32400
set service nat rule 5005 log enable
set service nat rule 5005 outbound-interface switch0.1003
set service nat rule 5005 protocol tcp
set service nat rule 5005 type masquerade
set service nat rule 5006 description 'Masquerade for Plex (iot-tv.home)'
set service nat rule 5006 destination address 172.16.3.182
set service nat rule 5006 destination port 32400
set service nat rule 5006 log enable
set service nat rule 5006 outbound-interface switch0.6
set service nat rule 5006 protocol tcp
set service nat rule 5006 type masquerade
set service nat rule 5007 description 'Masquerade for Plex (iot.home)'
set service nat rule 5007 destination address 172.16.3.182
set service nat rule 5007 destination port 32400
set service nat rule 5007 log enable
set service nat rule 5007 outbound-interface switch0.3
set service nat rule 5007 protocol tcp
set service nat rule 5007 type masquerade
```

- Enable Hairpin NAT
## TODO

- Migrate from Raspberry Pi to Home Assistant-based UniFi Controller
- Update HA config to separate Supervisor network from main interface network