New toys

Routerboard and switch have arrived, they appear to be intact but can’t test them at work. I went with a Netgear GS108T “smart” switch since it has the right feature set and I’ve not had too much of a bad experience with consumer level kit from Netgear before now. I hope that this doesn’t turn into another “you get what you pay for” saga, since I really can’t afford a “proper” managed gigE switch!

The antennas I’ve got are 26cm long, bigger than I expected. Doubt we’ll have any issues getting a good signal with them though!

The WAP

Components for the WAP:

1 x RouterBoard 411U with RouterOS Level 4
2 x Omni Antenna 2.4GHz – 7dB
2 x ReSMA Socket (Male) to N-Type Plug Adapter
2 x U.fl-Nfemale Pigtail Cable
1 x RB411U Indoor Case
1 x 24V 0.8A UK Power Supply
1 x R2N 802.11 b/g/n miniPCI Card

Total inc VAT+delivery: £140.81

This is fairly competitive in price with consumer-level kit with a similar feature set (e.g. multiple SSIDs, VLAN mapping, RADIUS support etc.)

I bought all of these components from LinITX.com.

I was originally considering a Cisco/Linksys branded WAP for similar money, but given how much smaller this solution will be, along with the SSH-based configuration and much richer feature set I decided to go with the DIY solution.

Should be delivered tomorrow!

The plan

Currently our network consists of:

A router/firewall running OpenBSD, doing PPPoE to an ADSL2 modem in bridge mode
An 8 port unmanaged GigE switch
A pair of Edimax WAPs, set up to be both a bridge and access points
A 5 port unmanaged GigE switch on the “other half” of the network

There are a number of wired clients, most notably:

Fileserver (singularity), again, running OpenBSD and serving files over AFP
Media device (photon), this is a Mac Mini of some vintage which refuses to die
My desktop (nova), which sits on the WLAN connected segment of the network in the bedroom
Along with anything else with an ethernet port

Addressing is handled by DHCP, and autoconf for IPv6. We have a /28 for the main clients and a /48 for IPv6.

WLAN security is WPA2, with one SSID.

This is a fairly basic home networking environment, granted with most of the configuration done the hard way. The plan is to achieve three main goals:

1. Beef up security and improve stability, implementing QoS
2. Replace the Edimax WAPs (which are crap)
3. Implement a guest network, with VLAN segregation and a seperate SSID

Point 1 will be achieved by:

– Implementing a RADIUS server to control network access and authentication
– Implementing WPA2-Enterprise (again, linked back to the RADIUS server)
– Implementing IPSec for certain services
– Implementing segregation between network guests and the private network

Point 2:

– Constructing a custom WAP using RouterBoard components
– Finding a replacement solution for the wireless bridge

Point 3:

– Using the new WAP, set up two seperate SSIDs and map these to VLANs
– Using a new managed GigE switch, enforce port-based authentication (802.1X)
– Also enforce the segregated guest VLAN between WAP and router, with seperate pf rules on the router to control guest access to the Internet
– QoS on both the WAP (to limit total transfer rate of guest wireless clients and ensure QoS for private clients) and on the switch (to prioritise VoIP traffic)

Misc.:

– Set up SNMP monitoring for all network equipment and servers
– Experiment with potential for performance boost by using Jumbo Frames etc.

This should be quite an interesting exercise, since it’ll involve learning about a number of new technologies. The WAP is ordered, just trying to decide on a managed switch now.

You get what you pay for

When we moved into our new flat I was faced with a problem. As with all people that rent, we’re stuck in a position where we can’t drill holes in the walls to run cat 6 from room to room. I’d already decided where most of our kit would be, in the living room, but the only logical place for my desk and its associated machine was the bedroom.

Given the inability to do the right thing and run a nice cheap cable between the two places I had to consider either wireless or powerline networking. In the end I went with the wireless option, mostly because I just think powerline networking is a bit of a gimmick and none of the kit I looked at seemed worth the money. I also found a really cheap pair of WAPs to use as a bridge.

This is where the moral of the story comes in, which is that you get what you pay for. At the time this was an acceptable compromise since money was short with the move and all, and I needed a quick fix. The WAPs in question are Edimax’s EW-7416APn V2, they cost about £40 each (which is less than half any competitor product). They are small, reasonably well built and work, ish.

The ish is the problem, I don’t like things which don’t work properly. I also don’t like companies which are disinterested in making things work properly. The first thing wrong with them is the shoddy web config interface. I dislike web config interfaces on devices like these generally, and these have a particularly buggy one. They also tend to lock up every week or so.

These things I could probably cope with. The real kicker is IPv6, or their lack thereof. I noticed this when I recently got a new laptop (Macbook Pro, the new 13″ one) and tried to get IPv6 working on it. I was expecting this to be a struggle (since OS X isn’t good with IPv6) and it was, but surprisingly not Apple’s fault.

I have my network set up to autoconfigure IPv6 addresses using router solicitation, clients configure themselves automatically with an IPv6 address comprised of the network prefix and an address determined by their MAC address. I’d like to use DHCPv6, but that’s another story. I noticed that the Mac was refusing to do this, no matter what I tried. Running rtadvd with debug on on the router revealed that it was hearing the Mac’s solicitations, but not sending anything back. I need to investigate this further, weekend is going to involve Wireshark.

Configuring the Mac with a manual IPv6 address seems to work fine, but there’s some rather odd behavior with ICMPv6 pings. My guess is that the Edimax WAPs are doing some kind of odd firewalling which isn’t configured correctly, or their implementation of Ethernet is just plain broken and it’s mangling frames… Will find out soon.

Anyway, all of this is potentially forgivable, IPv6 is quite new (ha!), so I contact Edimax’s support team to get a support ticket opened and start to work with them to fix the issues. Their response:

“Please note that EW-7416APn V2 isn’t support IPv6. This applies to all Edimax 11n routers and access points.”

Well that’s not a very helpful response really. Not sure where I’m going to go from here, I’ll still investigate exactly what the things are doing and go back to Edimax once I know, I somehow doubt they’ll be interested in fixing the issue though. I’ve already decided to replace these WAPs with something a little bit less cheap (more on that tomorrow) and I’ll likely just cut my losses and sell the things. It’s a shame though, since I have a feeling they are likely quite nice hardware, just with woefully lacking software.

I need to remember, cheaper != better.

On blogs

I realised that if I keep waiting to start blogging until I’d produced a blogging website, that I’d never begin to blog and thus never feel the urgent need to produce a blogging website necessary to actually do so. Thus I am here, to try and break that cycle.

This blog will hopefully chart some of the more interesting projects I work on, likely starting with my quest for a better wireless access point. We’ll see what else I get onto later.