
Wisdom of Bertram Gilfoyle:
"SonicWall SonicPoint AC with TZ600 is the most advanced firewall, with built-in protection against attacks, an SSL decoder, an application management analyzer, and content filtering.
Dinesh, the only benefit from your pathetic and vulgar gestures in bed with a cyber-terrorist is that I finally took up our defense."
As the technical director of Qrator Labs, Artyom (ximaera) Gavrichenkov, says, DDoS mitigation begins where the strength and time of one good system administrator ends.
On System Administrator Day, which at Qrator Labs is considered a professional holiday even more than Programmer's Day, we thought about what could be said on this subject on Habr, and what exactly everyone had run into.
The answer came quickly, because there is one place where every person has to be a system administrator at any convenient, and sometimes unfortunately forced, moment: at home.
Home networks are an object of pride and of special, extremely careful planning. If at work we often want things "faster and cheaper", at home there can be no compromise: only the best and most reliable.
Having compiled a list of 10 questions, we asked all colleagues who had spent at least a little more time on their network than it takes to unpack a router from its box to respond and share their own stories. How interesting it turned out is for you to judge. We also asked Habrahabr system administrator Vadim (Pas) Rybalko and Get Jerry bar employee Alexander (Shoohurt) Savitsky to answer the questions.
In the comments, we invite everyone who wishes to answer the same 10 questions: let's see how carefully you treat your home network, and whether there is something that distinguishes it from your neighbor's network.
Attention! The opinions of the company's employees may not coincide with the corporate position of the company's management.

1. How many devices are in your home network?
Sergey Tkachuk , Qrator: 8: Desktop, laptop, three smartphones, portable consoles. Sometimes an e-book is added.
Alexey Starkov , Qrator: About 5.
Ilya (forefinger) Urvachev, Qrator: Total number: 18. Of these: wearable devices (6): 4 phones, 2 tablets; portable laptops: 2; stationary laptop: 1; multimedia: 2 SmartTVs + 1 video recorder (home video surveillance); network devices: 2 MikroTiks (wifi + switch); peripherals: 1 network multifunction device + 1 telephone (a510 ip). Server group (2): border router (Intel D510), multipurpose server (Xeon E3-1230), both Gentoo Linux.
Andrei (serenheit) Leskin, Qrator: Where I live now, and where not all of my hardware has yet been moved, about 10.
Dmitry Shemonaev , Qrator: While there are 8 of them: Juniper SRX100H firewall, TP-Link access point, Fujitsu server, Supermicro server, D-Link DES-3200 switch, RIPE Atlas probe, laptop, iPhone.
Sergey Kutsenko , Qrator: ~ 8-10.
Alexey Berezin , Qrator: Five - router, desktop (win10), MB Air, iPhone 5, Chinese smartphone-android.
Vadim Rybalko , Habrahabr: In general, plus or minus constantly two or three, sometimes four laptops, about as many smartphones, several tablets, AppleTV, potentially networked media players or a gaming console. This is not counting the "specialized devices". Plus or minus the usual story.
Alexander Savitsky , Get Jerry: There are about 25 devices in my home network, of which about 20 are permanently connected.
2. In addition to full-fledged desktops and laptops - what kind of peripherals are there (NAS, “smart” devices - just plug-in equipment)?
Sergey Tkachuk: Consoles and additional software on the router (Entware). For now I use the desktop as a NAS.
Alexey Starkov : The router has USB for connecting drives, but I don’t use it.
Andrei Leskin: Where I live now, 2: scales with upload to the cloud and a Chromecast, plus PlayStation and PS Vita.
Where I lived before: everything the same, plus a home file dump connected directly to the TV, holding movies / series / music / storage for cloud file storage and whatever else fantasy wants.
Finally, at the dacha, where there was an opportunity to think everything through at once: fewer peripherals, but there is a Raspberry Pi, which acts as a temperature daemon and, if anything, screams by email if the house has become very cold.
Dmitry Shemonaev : There is no such thing yet, but if a TV appears, it will definitely be with Ethernet.
Sergei Kutsenko : Phones + router acts as a NAS + torrent, chromeCast.
Alexey Berezin: None. I don't feel any need for it. Internet in a TV is something strange.
Vadim Rybalko: One dual-drive NAS, one mini-server based on a thin client (in fact, a full-fledged computer), a wireless printer. Potentially, a couple of IP cameras. "Smart home" devices don't attract much attention so far, because of their general crookedness and mutual incompatibility today.
Alexander Savitsky : This pool, in addition to laptops and smartphones, includes several TVs, NAS, a pair of game consoles, a pair of Apple TV set-top boxes and an MFP - nothing specific.
3. What is important for you in the key to creating a home network, what are the main requirements?
Sergey Tkachuk: Stability of operation, reliability of the channel (in terms of losses), the bandwidth. The home idyll is slightly spoiled by the Intel 7260 network card in the laptop, which loses packets wildly when using the channel at 40 MHz.
Alexey Starkov : Convenience of connecting from different rooms, i.e. coating. The number of devices is small, the intensity is low, so the setting is not very critical.
Ilya Urvachev: Stable wifi, which does not need to be restarted and / or suffered over, but is just set up and forgotten; the ability to have minimal latency in places where PCs can be installed (games, yes); multimedia should never stutter and freeze; the ability to connect remote "offices" (parents' apartment, dacha); do it yourself and as for yourself (now no /(d|tp)link/-s).
Andrei Leskin: It should work and not be slow; a movie should be watchable from any device anywhere (sometimes there are problems with FullHD over the air), especially with a noisy air.
Dmitry Shemonaev: The ability to segment the network is important for me, so at home there are 3 VLANs: HOME, MANAGEMENT, LAB. HOME includes the home laptop, iPhone and Atlas probe. MANAGEMENT includes all management interfaces (switch, IPMI, virtual router management interfaces). Everything else is in LAB.
Sergey Kutsenko: 5 GHz wi-fi a/n/ac band; WPA2; QoS; UPnP.
Alexey Berezin : Productivity, simplicity, stability of work. KISS!
Vadim Rybalko : The performance of the wireless segment is not as important as reliability, because there are many interferences in an apartment building. It is important to cover a wireless network without "blind zones", the presence of more or less stable Internet access.
Alexander Savitsky : In view of the rather large number of devices when creating a home network, the main requirement for me was the ability of the router to serve this entire zoo. The second requirement is the ability to work in a network of wireless devices throughout the home without loss of signal quality. The third is scalability.
4. What are the nominal (operator tariff) and actual connection parameters (screenshot of the speedtest type speed meter)?
Sergey Tkachuk : Operator tariff - 100M, in fact, the speed is not very different:
Alexey Starkov : Nominal 100 Mbit / s, really:
Ilya Urvachev: 100 Mbps FD - it suits me (if I am not mistaken, this test was run over wifi).
Andrei Leskin: Where I am now: pain and suffering. ADSL 20/2 with a shutdown at midnight; speedtest shows the same.
Where I was before: 100/100 in full. If you plug a wire into the router, it reaches the desired values. Over the air - not always.
At the dacha: everyone has it differently; the Internet comes through USB dongles from mobile operators and depends on the weather / signal level / distance to the tower.
Dmitry Shemonaev : 50 megabits from Beeline and a static IP address. The speed rather corresponds to the tariff.
Sergei Kutsenko : Unlimited tariff from 50Mbps.
Alexey Berezin: There will be no screenshots; the tariff is 100 Mbit unlimited. In fact it is 100 Mbit unlimited. Everything is good, this speed is enough, the operator (2KOM) breaks down infrequently and is inexpensive.
Vadim Rybalko : ISP tariff of 50 Mbit / s in both directions, plus a static public address. The actual measurements more or less coincide with the stated.
Alexander Savitsky : My tariff implies a 100-megabit connection, and it should be noted that the provider often honestly gives me exactly a hundred. Of course, sometimes, during peak loads, the speed may drop to 70-75% of the nominal, but this is not a problem.
5. What is in your environment with frequency cramming and how do you solve this problem at the level of a Wi-Fi network?
Sergey Tkachuk : In the 5GHz zone, everything is perfect - there is nobody nearby. 2.4 is slightly worse, but Channel 6 is surprisingly clear. With the installation of the router, I didn’t bother too much - it lies under the “desktop” table, the signal at 80% of the antenna power is enough for the whole apartment.
Alexey Starkov: I turn up the power. In fact, in rooms far from the router it is rather bad, and from time to time I switch the channel to a freer one. I've seen about a dozen different networks.
Ilya Urvachev : A surprising moment is right here - around a huge number of networks, but only in the general corridor, inside - only one’s own and neighboring networks are visible. I think the main reason is that the house is monolithic and the walls and floors do a good job of shielding.
Andrei Leskin: The air at 2.4 GHz is packed to capacity everywhere, so the AP is dual-band, 2.4 and 5 GHz. 5 GHz is completely free. And at the dacha, besides me, only the neighbor has Internet.
Dmitry Shemonaev : Everything is bad, so the laptop is connected with a wire.
Sergey Kutsenko: *opa. ~40 access points within wi-fi visibility; after unsuccessful attempts to change channels in the 2.4 band, I am dragging all devices into the 5 GHz band.
Alexey Berezin: As in any apartment building made of cardboard (panel house), everything is bad with frequency utilization. Mainly due to RT / MGTS, which push grandmothers to replace TV and phone with the new-fangled "digital" in the form of GPON, which suddenly turns out to have Wi-Fi on and whistles 200 meters around. In my case, I do not use the 2.4 GHz band at all. 5 GHz decays much faster with distance from the source and penetrates worse through obstacles such as walls, and there are more channels in the air, so you can pick up an empty one of sufficient width. In this band it is still possible to get stable connectivity on the current 802.11ac. Later, I suspect, 5 GHz too will see a raid of morons with cranked-up powerful transmitters so that "there's Internet in my car in the yard".
Vadim Rybalko: The 2.4 GHz band is utilized quite heavily, especially in the evenings. It's not worth relying on it. The 5 GHz band is almost empty, and we use it.
Alexander Savitsky: In my environment the frequencies are cluttered unevenly and not very much: around me there are about 6-7 neighboring Wi-Fi points and they are all sitting on the channels set by the routers by default. The 5 GHz band is, as expected, not used.
6. Describe the “home setup”: the devices used, the specifics of the LAN / WAN settings
Sergey Tkachuk: The provider works with PPPoE via FTTB; from the provider's switch to the router in the apartment there is two-pair copper. On the router itself everything is boring: DHCP with flat addressing (MAC-bound for "my" devices; everyone else gets addresses from the pool "at the end" of home/24), Dynamic DNS, and sometimes an IPv6 tunnel from Hurricane Electric.
Alexey Starkov: Setup out of the box. The router is connected via PPPoE to the provider's Cisco in the corridor, WiFi comes from it, configuration via DHCP.
Ilya Urvachev: Provider -> D510 -> MTik switch is the core of the network, and then a wifi AP, a switch and everything else hang off it. Perhaps there are no specific features; everything is in the man pages and on stackoverflow.
Here one could tell a lot of pain about L2TP (and kernel support patches), but thank God Beeline is abandoning it.
Here one could tell a lot of pain about any D-Link / TP-Link (specifically those instances that got to me) that cannot live without regular reboots or "leave" the network if someone suddenly decides to download something big via local wifi, but now there is a MikroTik which does not suffer from this.
One could write here that writing rules for iptables with NAT is difficult, but by and large it is difficult only the first time.
Andrei Leskin: Two laptops, two phones, a couple of tablets, plus or minus hardware for study, Chromecast, consoles. I try to make everything as simple as possible: 192.168.X.0/24 with DHCP. In some cases a static IP is made for specific hardware.
Dmitry Shemonaev: A wire from the provider comes to the firewall, a switch is connected to it, and all the other devices are connected to the switch.
Sergey Kutsenko : Provider router: 2-band wi-fi / ac over the wire another router is connected to it (used as NAS + torrent), all other devices are wifi connected, preferably to 5 GHz.
Enabled upnp for forwarding ports torrent; QOS is configured prioritizing http traffic; sometimes increasing the priority for certain mac-addresses; sometimes turn on mac filter; A landline telephone is connected to the router; A TV set-top box is connected via LAN.
Alexey Berezin: About WAN - the provider is almost adequate. It locks on MAC, but at least it is pure white DHCP, without any PPP nonsense.
LAN is a little more interesting. Until recently, there was some simple TP-Link as a router, so the LAN was simple. Flat addressing on all devices, port forwarding for RDP, DynDNS from no-ip.com.
Now, after replacing the router with a Mikrotik hAP ac, the possibility of network segmentation has appeared (dividing by VLAN for wired / wireless, putting the virtual machines that live on the stationary computer into a separate VLAN, all with their own addressing). The goodies like DynDNS and port forwarding remained. This is just the beginning; I will continue with all sorts of experiments with authorization (mostly wireless, EAP/TLS, an OpenVPN access point into the home network, IPv6 support, playing with VRF etc. is possible).
Vadim Rybalko: Since my main area of work is fussing with Ciscos and servers, the all-in-one boxes were not entirely satisfying. First of all, because it was necessary to place the router in the geographical center of the apartment. I tried several, none satisfied the needs, and with practically all of them there were complaints about stability. In the previous setup there was a Cisco 871 router and several 3COM access points, but they were morally outdated in terms of performance (but not functionality). In the current setup I turned to the Ubiquiti UniFi series; it turned out to be almost perfect for me. The center is a managed 8-port (actually 10-port) UniFi switch. It has PoE on almost all ports. Connected to it are a USG router, two access points of the AC standard, and all the other network hardware. The UniFi controller is connected to it in the form of a small UniFi Cloud Key device. Everything that can be powered by PoE is powered by PoE. On the balcony it is planned to install an outdoor access point with a small sector antenna to cover part of the park, where a lot of time is planned to be spent. But that is more for fun. It is not planned to open it for guests in the light of recent legislative initiatives.
Alexander Savitsky: My home network is quite simple: since it is not a twisted pair that enters the house but an optical cable, a converter is installed at the entrance, a router is behind it, and an unmanaged switch (for several wired devices) and a Wi-Fi access point are connected to it. In addition to all the wireless devices, a repeater is attached to it, to which one wired device is connected.
I did not set up anything specific: both the router and the Wi-Fi point work on settings that differ little from the defaults.
7. How many providers provide accessibility from your home network, if more than one. What for?
Sergey Tkachuk: One and a half. In the event of war or a power outage, I take out a Yota smartphone and share the Internet from it to the laptop.
Alexey Starkov : One.
Ilya Urvachev: 2.5 providers: Beeline (main) + net-by-net (reserve, almost not used and not paid for) + MGTS, which constantly pesters me with its GPON - maybe someday they'll stop.
Andrei Leskin: Where I am now, only one. At the dacha: the main mobile operators with Internet, 3 of them or so. I change as needed. Yota cuts VPN, so you need to connect another. Beeline has a traffic limit, but good bandwidth. Megafon's bandwidth is worse, with more limits. Depending on the need, the tool is selected. Recently I've used only Beeline.
Dmitry Shemonaev : While one, there is a reserve in the form of distribution of the Internet through the phone.
Sergey Kutsenko : One provider, in case of shutdown I use Yota.
Alexey Berezin: Main - one. There is always a backup in the form of Internet from the mobile operator.
Vadim Rybalko: One provider. Virtually no home router can organize a proper dual WAN (although many have this capability). Rarely does the "last mile" fall off; sometimes there is degradation somewhere on the operator's network or at its peering points. If there is no Internet for a while, it is not a disaster; if something happens, you can force traffic through the LTE router.
Alexander Savitsky : I use the services of one provider, more than enough.
8. Security - what are your main approaches to protecting devices from compromise or unauthorized access?
Sergey Tkachuk: iptables, fresh software, reasonable software settings. On the laptop and the phone everything is encrypted, but on the desktop there is no important information; it is a machine for entertainment.
Alexey Starkov: Firmware updates, ssh access to the router is closed from the Internet, WPA2 for WiFi; in general, that's all.
Ilya Urvachev: From the providers and the Internet: a border with normal Linux + iptables. From the wifi side: WPA2 without WPS, a separate guest network with WPA2, a separate guest-guest network for neighbors. For internal devices: only IPv4 and only NAT. On the internal devices themselves (Windows): only user accounts, restricted rights and other oppression. Out of the internal devices, only those that need to go out (a printer or a DVR, for example, have nothing to do on the Internet).
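Ilya's border router (Linux + iptables, NAT for the LAN, a guest network, and internal devices such as a printer or DVR that should never reach the Internet) is the kind of ruleset the iptables-with-NAT remark in question 6 refers to. The script below is an added example, not the author's configuration; it emits an iptables-restore ruleset for inspection rather than applying it, and the interface names, subnets and "no Internet" addresses are assumed placeholders.

```shell
#!/bin/sh
# Emit (not apply) an iptables-restore ruleset for a small Linux border router.
# Interface names, subnets and the no-Internet hosts are placeholders for this
# example, not values from the article.
WAN_IF="${WAN_IF:-eth0}"                 # provider-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # trusted home LAN
GUEST_IF="${GUEST_IF:-wlan1}"            # guest wifi: Internet only
LAN_NET="${LAN_NET:-192.168.1.0/24}"
GUEST_NET="${GUEST_NET:-192.168.50.0/24}"
# LAN hosts with nothing to do on the Internet (printer, DVR): constructed sample addresses
NO_INTERNET="${NO_INTERNET:-192.168.1.20 192.168.1.21}"

r() { printf '%s\n' "$*"; }   # print one ruleset line

gen_ruleset() {
  r '*nat'
  r ':PREROUTING ACCEPT [0:0]'
  r ':INPUT ACCEPT [0:0]'
  r ':OUTPUT ACCEPT [0:0]'
  r ':POSTROUTING ACCEPT [0:0]'
  # hide both internal networks behind the WAN address
  r "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
  r "-A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
  r 'COMMIT'
  r '*filter'
  r ':INPUT DROP [0:0]'       # default deny for traffic to the router itself ...
  r ':FORWARD DROP [0:0]'     # ... and for transit traffic
  r ':OUTPUT ACCEPT [0:0]'
  r '-A INPUT -i lo -j ACCEPT'
  r '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  r '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # management (ssh) only from the wired LAN; the WAN side gets no such rule
  r "-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT"
  for ifc in "$LAN_IF" "$GUEST_IF"; do
    r "-A INPUT -i $ifc -p udp --dport 67 -j ACCEPT"   # DHCP server
    r "-A INPUT -i $ifc -p udp --dport 53 -j ACCEPT"   # local DNS resolver
    r "-A INPUT -i $ifc -p tcp --dport 53 -j ACCEPT"
  done
  r "-A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT"
  r '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  r '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
  # hosts that must not talk to the Internet are rejected before the general LAN->WAN allow
  for host in $NO_INTERNET; do
    r "-A FORWARD -i $LAN_IF -s $host -o $WAN_IF -j REJECT"
  done
  r "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
  # guests reach only the Internet: there is no GUEST->LAN rule, so the DROP policy isolates them
  r "-A FORWARD -i $GUEST_IF -o $WAN_IF -j ACCEPT"
  r 'COMMIT'
}

# Returns 0 if the generated ruleset accepts tcp/22 arriving on the given interface.
ssh_open_on() {
  gen_ruleset | grep -q -- "-A INPUT -i $1 -p tcp --dport 22 -j ACCEPT"
}

if [ "${1:-}" = "apply" ]; then
  gen_ruleset | iptables-restore    # needs root; read the output first
else
  gen_ruleset
fi
```

Run it without arguments to review the ruleset; `sh script.sh apply` loads it with iptables-restore, which replaces the current tables, so keep console access while testing.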
Andrei Leskin: Encrypted disk, wipe the keys after 2 hours of non-use.
- Set up FileVault2;
- Disable Fast User Switching (REVERT IT);
- Set up a firmware password;
- sudo pmset -a destroyfvkeyonstandby 1;
- sudo pmset -a standbydelay 3600;
+ encrypted backups.
Dmitry Shemonaev: On the firewall, only ssh to the router itself is open from the outside. Other external connections to the external IP are dropped.
Sergey Kutsenko : WPA2 / encrypted partitions on disks for critical data.
Alexey Berezin: Like the State Duma. Close it and don't let anyone in. The best protection against compromise is removing the possibility of compromise. That is, at a minimum, everything unsolicited from outside has to be cut off. Well, and glory to the RKN and MNU - do not allow walking to compromised URLs.
Vadim Rybalko: From the outside everything is closed except for the SSH port forwarded to the server. There is UPnP opening ports for applications; here convenience has conquered paranoia. From the inside you can surf the Internet without restrictions, on a WPA2-PSK wireless network with AES. The UniFi Cloud Key and NAS can be accessed from outside using proprietary cloud services.
Alexander Savitsky: I restricted access to the admin panel of the router and the access point not only with a complex password, but also with a whitelist. The Wi-Fi network itself is divided in two: the main one, to which only whitelisted devices have access, and the guest one with password authorization.
9. Physical infrastructure: whether the holes were drilled, the wires were hidden under the baseboards, etc. How far are you ready to go in the question of organizing a home network: throw a wire or start a repair? Argument is needed.
Sergey Tkachuk: I live in a rented apartment, so my maximum is to hide the cable in the baseboard, which I did. Now you can see only two pieces of cable: from the point of entry into the apartment (at ankle level) down to the baseboard, and from the baseboard to the router (hidden behind the desktop case, so it is not visible).
When my own apartment appears, I will be planning my ideal scheme for a very long time.
Alexey Starkov: A funny story: the repairmen brought 3 parallel cables into the apartment, one to each room; naturally nobody was going to give me three ports on the Cisco. There are special sockets everywhere, but only one works, and the router is in it. I am not ready to redo the repair; I am thinking of hanging a router outside. The reasoning is that the repair has just finished, and I only need a stable network for work; the rest of the time I can suffer.
Ilya Urvachev: Briefly - already done. Longer:
0) No half measures, only hardcore;
1) Options like laying twisted pair along the floor or stuffing it under the baseboard are completely unacceptable, full stop;
2) The apartment has recently undergone a major overhaul over 3 years (a separate topic for conversation: how to make a major overhaul without a budget); for each of the end stationary devices (PC / TV / etc.) the wires are laid in corrugated conduit, and the providers' inputs were moved around;
3) The network core (servers and routers) is located on a mezzanine created specifically for this: goo.gl/photos/WbdvqrnkYeaRtW2U8 ; by the way, this is how the electrical wiring was done: goo.gl/photos/Z9mTV1AZTrGUiGFT7 (for a two-bedroom apartment);
4) Providing for devices on the balcony (SmartTV and maybe something else): a twisted pair was run to the balcony.
Andrei Leskin: Where I live now is a rented apartment; we live without it. Where I used to live was also a rented apartment; for the NAS I had to dig out an old router that worked in "wireless network card" mode. That is, from the NAS over the wire, then through the air to the main entry point. And at the dacha, at the stage of laying electricity during construction, I also ran a network outlet to each room. I am thinking of making a roaming network.
Dmitry Shemonaev : On this occasion, I did not bother so far, but if the infrastructure grows, then most likely it will move to some small separate room so that it does not make noise.
Sergey Kutsenko: Everything that does not eat bandwidth is connected via wifi, by wire as close as possible to the router. The only exception is a TV set-top box to which a twisted pair is stretched along the baseboard into another room.
Alexey Berezin: I live in a rented apartment. You could settle in, but laziness, and somehow there is no need. Everything in baseboards where possible. In my own apartment (if it ever appears) the repair will take the low-current wiring into account; I like order.
Vadim Rybalko: In the current setup the network is assembled in a closet (temporary housing, and many holes are not worth it). In the new apartment, at the repair stage, a lot of network cable was laid concealed, with reserve; Ethernet runs were brought to the ceiling chandelier points in two rooms for access points. The communications center is located in the corridor under the ceiling on a separate shelf.
Alexander Savitsky: Yes, when organizing the home network I had to drill a couple of holes and lay cables through ducts. But since most of the devices on the network are wireless, the problem with the wires was solved with little blood. However, if I had to run cables throughout the dwelling, I would do it using conduits left in at the construction stage and external ducts, since I still want the wires not to spoil the interior.
10. How is your home network different from your neighbor’s home network and why is it better?
Sergey Tkachuk: The fact that the router is configured a little smarter than the neighbor's, and the cable is neatly hidden. In addition, the router is based on a cool chip and can run Entware, so I have a "reserve for the future" if I suddenly get a channel wider than 100M, and I can run almost any Linux software (now it hosts a personal site).
Alexey Starkov: I have special sockets in the walls, well. And it is not much better; it is done according to the principle "took it out of the box - it works - don't touch".
Ilya Urvachev:
- Few people will use an x86_64 router (Atom) on Linux at home and rely on all sorts of L2TP in the kernel (as it is costly and senseless to shovel traffic in userspace) (a separate example is Beeline);
- Few people at home will make a closed guest network + a wifi hotspot for neighbors;
- Few people will make torrent + DLNA + SmartTV play together and cover it with automation;
- Few will place a separate access point on the balcony (there is a twisted pair);
- Few people will bother at home with Asterisk;
- Few people will cover motion (which is motion-project.imtqy.com) with their own web GUI (and probably no one will do it on html + js + nginx + ssi and a little bit of bash);
- Few people will do their own multiroom multimedia (though I, too, abandoned it unfinished);
- Few people will set up Zabbix;
- Few will have a local Gentoo mirror;
- Few people will explain to a Samsung MFP that scans should be laid out in folders by date on an SMB share;
- Few people will take only WD Black for torrents / file storage / etc., and I highly recommend it if you are going to try.
Andrei Leskin: Where I am now, everyone takes the provider's hardware, which is almost always China, which does not work well. I select adequate hardware for the tasks. I am very fond of MikroTiks, but they don't do ADSL, so I had to take an Asus (the stock firmware is dull, but there is enthusiast firmware, Tomato, etc.). I even patched Tomato once when a terabyte hard drive was connected to the old router.
Where I lived before: MikroTik! They are more difficult to master, but once set up (having understood what is what), you put them on the shelf for a year and forget. It just works.
At the dacha I am D'Artagnan.
Dmitry Shemonaev : I did not look at my neighbors, so I don’t know.
Sergey Kutsenko: I don't think there are any particular differences.
Alexey Berezin: As soon as I break into my neighbor's, I will find out. That will be the second question, after "What the fuck are you smoking on the pot?!"
Vadim Rybalko: The presence of 5 GHz - fortunately, mass-market routers do not broadcast in this band (although with the arrival of AC in the masses, everything can change). At the same time, in terms of scalability, the network topology is more like a small business network than a home network. Better coverage of the wireless network thanks to several points right in the center of the premises under the ceiling.
Alexander Savitsky: My home network differs from the neighbors' in that there are many times more devices in my service, and this is provided not by a single wireless router, but by a bundle of "router + switch + WiFi point". It is difficult to say what it is better for, but I know for sure that the security level of the neighboring networks is much lower than mine.
Happy holiday to everyone involved!