Home Network Setup

Discussion in 'Networking, Telcos and ISPs' started by oj88, Jun 4, 2013.

  1. potpot2

    potpot2 PhilMUG Addict Member
    Supporter

    Joined:
    Oct 15, 2007
    Messages:
    2,284
    Likes Received:
    363
    Gender:
    Male
    Location:
    Malate
  2. max_Moon

    max_Moon Well-Known Member

    Joined:
    Jan 4, 2013
    Messages:
    454
    Likes Received:
    255
    The Amplifi Alien just got updated with a new firmware version. The Amplifi app got updated too. Now the WiFi router supports Homekit Security. While I'm well aware that perfect security is a myth, being able to apply some basic security rules for HomeKit accessories especially IoT and smart home devices is better than nothing.
     
  3. Edelheid

    Edelheid PhilMUG Addict Member

    Joined:
    Sep 11, 2013
    Messages:
    759
    Likes Received:
    616
    Gender:
    Female
    Location:
    Auckland, NZ
    It's a pleasant surprise to see another HKSR-compatible router, especially in the current environment where eero and Linksys Velop have no plans to add them to other routers going forward. The only unfortunate part about the Amplifi Alien is that HKSR only works if it's used as a single node. I've only tried the said firmware during beta, but I've since unplugged it and haven't gone to check if that's no longer the case. If it becomes a mesh (either wireless/wired backhaul) it doesn't work. This is still better than nothing though. If one can cover his entire home with a single Amplifi Alien while requiring HKSR it's another router to consider for consumers.

    Addendum: I reached out to Ubiquiti for clarification and they advised that it still only works for standalone routers, but they plan to add support for mesh setups in the future after ensuring no critical issues crop up in its present state.
     
    #1043 Edelheid, Jul 15, 2022
    Last edited: Jul 15, 2022
    max_Moon likes this.
  4. MharDelaCruz

    MharDelaCruz Active Member
    Supporter

    Joined:
    Dec 4, 2008
    Messages:
    570
    Likes Received:
    122
    Gender:
    Male
    Location:
    Marikina City
    I hope someone can provide some help. I realized a few months back that my internet speed was slowing down. I even raised a ticket with PLDT and was told that the speed is normal, so they asked me to test by turning off Wi-Fi and connecting directly to the LAN port, and that did show the actual speed, which is close to my subscribed speed. Then the agent asked me how many devices were connected to the Wi-Fi. That is when I realized that there were several 'network devices' connected (which I am not familiar with). So, I started to list/create an inventory of all my devices (and smart devices). I started to filter/block the MAC addresses of those network devices, only to discover a few days later that a new network device had connected. I have several 'neighbors' working in call centers, and while asking around I discovered that there is a tool to get the password (forcefully). I am using a 20-digit password. I must do this check every other day just to make sure that I have blocked the unwanted devices. It did bring back my internet speed. I am now using an app that notifies me when a new device tries to connect. So, the help/question I have for this group:
    1. What router should I use, that cannot be easily hacked?
    2. Is there any app that can stop this?
     
  5. Leon21

    Leon21 Active Member

    Joined:
    Aug 5, 2010
    Messages:
    829
    Likes Received:
    119
    Location:
    Greenhills, San Juan
    To start: have you changed your password or are you using the same 20-digit password for your WiFi network? A 20-character password cannot be easily hacked considering all the permutations, and doing so would cost a lot of time and money. Another thing: is your router secure, meaning, you're the only one who can access the settings of the router (i.e. your login credentials are strong)? Are your devices the only one physically connected to your router/modem?
     
  6. MharDelaCruz

    MharDelaCruz Active Member
    Supporter

    Joined:
    Dec 4, 2008
    Messages:
    570
    Likes Received:
    122
    Gender:
    Male
    Location:
    Marikina City
    I changed it to 32 characters now (but I can still see new devices once in a while). I have blocked around 15 MAC addresses; not sure if that means 15 different computers are being used to connect.
    The router now has a 32-character password and no one else knows it except me.
    There is only one router connected to the PLDT modem. I asked PLDT to disable the Wi-Fi of the modem.

     
  7. JMacalinao

    JMacalinao Active Member

    Joined:
    Aug 18, 2009
    Messages:
    328
    Likes Received:
    205
    Location:
    Manila
    They could be 15 different devices, or just a couple of devices that use randomized MAC addresses. Recent mobile devices have that feature enabled by default.

    The slowness of your Wi-Fi could also have been due to an application from a device connected to the network, whether wired or wireless. That one happened to me recently -- all of my access points started to slow down, sometimes even drop from my SDN. Turns out it was my PC (that's not even using Wi-Fi), specifically the Elgato Control Center app, that appeared to have gone wonky after waking from sleep. Quit the app, and the issue's gone.
     
  8. Leon21

    Leon21 Active Member

    Joined:
    Aug 5, 2010
    Messages:
    829
    Likes Received:
    119
    Location:
    Greenhills, San Juan
    Good point. It wouldn't make sense for new devices to keep popping up if you have recently changed the password to your network aside from your own devices which have reconnected after the password change.
     
  9. lamski

    lamski PhilMUG Addict Member
    Supporter

    Joined:
    May 8, 2005
    Messages:
    2,835
    Likes Received:
    438
    Location:
    Makati, Philippines
    @Leon21 - I think it would be easier to set up a whitelist of allowed MAC addresses. This way, no matter if they can crack your router password, only the MAC addresses in your whitelist can connect.
     
  10. MharDelaCruz

    MharDelaCruz Active Member
    Supporter

    Joined:
    Dec 4, 2008
    Messages:
    570
    Likes Received:
    122
    Gender:
    Male
    Location:
    Marikina City
    I also thought of this, my question is how about the iPhone private relay? I thought the MAC address is dynamic or changes every so often.

     
  11. lamski

    lamski PhilMUG Addict Member
    Supporter

    Joined:
    May 8, 2005
    Messages:
    2,835
    Likes Received:
    438
    Location:
    Makati, Philippines
    Your computer's network card or phone's network hardware has a fixed hardware MAC address. IP addresses are assigned to your Mac/phone by your modem/router and could be dynamic.
    The iCloud Private Relay hides your IP address by routing your requests through several "relays". Maybe it's similar to what Tor (The Onion Router) does to obfuscate our requests.
     
  12. pepspeps

    pepspeps PhilMUG Addict Member
    Supporter

    Joined:
    Jul 2, 2008
    Messages:
    1,119
    Likes Received:
    299
    Gender:
    Male
    Location:
    ::1
    This is true for client devices that are not yet using private MAC address randomization.

    However, since iOS 14, watchOS 7 and iPadOS 14, these devices automatically generate their own private MAC address for each network they try to connect to and for every iOS update, nullifying the whitelist method. Even Windows 10 and 11 have this now (driver support needed). I'm surprised, though, that macOS hasn't baked in this feature.

    A couple of solutions to this problem are to implement a captive portal or the RADIUS protocol. A bit complicated, but it will require each end user to dial in to your network. You can then specifically identify who is connected to your network.

    To go back to @MharDelaCruz's problem, if you're 100% sure that these connected devices are not yours:
    1. Connect your Mac/PC to a LAN port to prevent you from being locked out from your network.
    2. Log in to your Wi-Fi management settings.
    3. Change your Wi-Fi SSID to a new one (ex: "Get Out", "Pay for your own WiFi", "Makonsensya ka naman").
    4. Set a new password for that SSID.
    5. Set the security to WPA2-PSK [AES] (very important!).
    6. If supported, set a Wi-Fi schedule (ex: 6am to 11pm only).
    7. Turn off WPS if you're not using this feature.
    8. Verify your new network and Wi-Fi settings.
    9. Reboot your Wi-Fi access point and modem (optional).
    Please take note of the randomized MAC address feature above if you have multiple Apple devices. It's possible that is what you encountered.
     
    MharDelaCruz likes this.
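    The randomized-MAC behaviour that JMacalinao and pepspeps describe, and why it defeats the MAC whitelist lamski suggested, can be seen directly in a lease table. The script below is an added example, not code from this thread or from any router vendor: it reads DHCP lease lines in dnsmasq's layout (expiry, MAC, IP, hostname, client-id), flags addresses that carry the IEEE "locally administered" bit (bit 1 of the first octet, i.e. a second hex digit of 2, 6, A or E), which is what iOS/iPadOS/watchOS, Android and Windows private-address features generate, and compares each entry against an owner-maintained whitelist. The lease lines, hostnames and whitelist are constructed sample data; on a real router you would export the lease or ARP table instead.

    ```python
    """Audit a DHCP lease table for randomized ("private") MAC addresses.

    Added example, not code from the PhilMUG thread or from any router vendor.
    A MAC whose first octet has bit 1 set is "locally administered"; OS-level
    private-address features generate such addresses, so the same phone can
    reappear under a new MAC after an OS update or on a new SSID. Bit 0 set
    marks a multicast (group) address, which is never a single client.
    """
    from __future__ import annotations

    import re
    from collections import Counter


    def normalize_mac(mac: str) -> str:
        """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff forms."""
        digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


    def is_locally_administered(mac: str) -> bool:
        """Bit 1 of the first octet: set by OS-generated private addresses."""
        return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


    def is_multicast(mac: str) -> bool:
        """Bit 0 of the first octet: group address, not a client."""
        return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


    def classify(mac: str) -> str:
        if is_multicast(mac):
            return "multicast"
        if is_locally_administered(mac):
            return "randomized/private"
        return "burned-in (vendor OUI)"


    # Constructed sample lease file (dnsmasq layout). The 5e:.. and f2:..
    # entries carry the locally-administered bit; the other two do not.
    SAMPLE_LEASES = """\
    1660000000 a4:83:e7:12:34:56 192.168.1.10 my-macbook 01:a4:83:e7:12:34:56
    1660000100 5e:1a:9b:77:88:99 192.168.1.23 iPhone *
    1660000200 f2:0c:44:aa:bb:cc 192.168.1.24 * *
    1660000300 b8:27:eb:01:02:03 192.168.1.30 raspberrypi *
    """

    # Constructed whitelist of the owner's known hardware addresses.
    WHITELIST = {"a4:83:e7:12:34:56", "b8:27:eb:01:02:03"}


    def audit_leases(lease_text: str, whitelist: set[str]) -> list[dict]:
        """One record per lease line: address type plus whitelist membership."""
        known = {normalize_mac(m) for m in whitelist}
        records = []
        for line in lease_text.splitlines():
            fields = line.split()
            if len(fields) < 4:
                continue  # blank or malformed line
            mac = normalize_mac(fields[1])
            records.append({
                "mac": mac,
                "ip": fields[2],
                "host": fields[3],
                "kind": classify(mac),
                "whitelisted": mac in known,
            })
        return records


    def summarize(records: list[dict]) -> dict:
        """How much of the 'unknown device' list is explainable by randomization."""
        by_kind = Counter(r["kind"] for r in records)
        unknown = [r for r in records if not r["whitelisted"]]
        return {
            "total": len(records),
            "by_kind": dict(by_kind),
            "unknown_randomized": sum(r["kind"] == "randomized/private" for r in unknown),
            "unknown_vendor_mac": sum(r["kind"] == "burned-in (vendor OUI)" for r in unknown),
        }


    if __name__ == "__main__":
        recs = audit_leases(SAMPLE_LEASES, WHITELIST)
        for r in recs:
            flag = "ok " if r["whitelisted"] else "NEW"
            print(f"{flag} {r['mac']} {r['ip']:15} {r['host']:12} {r['kind']}")
        print(summarize(recs))
    ```

    Run against the constructed sample, the two unknown entries are both randomized addresses and there is no unknown burned-in (vendor) MAC, which is the pattern to expect when the "new devices" are really the owner's own phones coming back under fresh private addresses. An unknown address with the locally-administered bit clear is the one worth chasing. A whitelist cannot keep up with randomized addresses on its own; the options that do work are the ones pepspeps names (per-SSID "private address" switched off on your own devices, or per-user authentication via a captive portal or RADIUS/802.1X).
    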
  13. legato

    legato Active Member

    Joined:
    Jan 23, 2008
    Messages:
    183
    Likes Received:
    32
    Random MAC addresses are most likely your issue @MharDelaCruz

    It's not possible to brute-force properly set up strong cryptography, i.e. your Wi-Fi, cellphone encryption, SSL, etc.

    That's why the NSA wants a back door.

    Do check that telnet port is off in the PLDT ONU.
    The PLDT admin passwords are all over the internet/google/YouTube depending on the ONU model number.
     
  14. supermow

    supermow Member

    Joined:
    Oct 10, 2010
    Messages:
    55
    Likes Received:
    0
    Hello everyone, I have a question regarding PLDT Fibr users, especially on bridging their connection. Is it better to request bridge mode through PLDT or manually bridge the PLDT router/modem by accessing the PLDT Fibr ONU as pldtadmin?

    I'm using an AmpliFi HD router with mesh points.

    TIA
     
  15. oj88

    oj88 PhilMUG Addict Member

    Joined:
    Jun 13, 2011
    Messages:
    2,468
    Likes Received:
    954
    They should do it.

    ONUs are configured in bulk through the OLT in their CO. Simply put, most of the settings you change on the ONU will not stick and will either return to the preset configuration immediately or every time it connects to PLDT's network.
     
  16. manager

    manager Active Member

    Joined:
    Apr 29, 2006
    Messages:
    644
    Likes Received:
    164
    Gender:
    Male
    Just call 171 and make the request.

    The first CSR asked me to fill out a form but didn't say where to send it. I called again to ask and the second CSR said the form is not needed :mad:

    She put in the request and it was done the next day.
     
  17. legato

    legato Active Member

    Joined:
    Jan 23, 2008
    Messages:
    183
    Likes Received:
    32
    If it ain't broke, why not fix it anyway.

    Got a pfSense appliance from Shopee.
    Celeron J4125 with 4 2.5GbE ports.
    After about 3 weeks of burn-in and getting acquainted with it, I removed the ERX from the path and have this as the main router.

    Can easily get 300/300 with Traffic Shaper on.
    This is really the main reason why I got it, so I'm happy, I guess.
    It would be a waste of PLDT's speed boost otherwise.
    The ERX can't do QoS above 180Mbps. This one does so with ease.

    CPU is mostly at 0% and it only uses 700+MB of SSD space with 8GB of swap space.
    Not much SSD needed apparently.
    Could have saved by getting a smaller SSD as opposed to 256GB.

    I guess I can now sort of understand why Lawrence Systems recommends pfSense with Ubiquiti stuff.

    Anyway, @oj88, is Untangle the next evolution? Why'd you move to Untangle?
     
    jayparalejas likes this.
  18. oj88

    oj88 PhilMUG Addict Member

    Joined:
    Jun 13, 2011
    Messages:
    2,468
    Likes Received:
    954
    It's natively an NGFW.

    I just have better control and visibility using Untangle. I find the built-in applications to be more cohesive compared to pfSense 3rd-party plug-ins.

    The top four built-in apps I use are: Web Filter, Bandwidth Control, Application Control, and Policy Manager, among others.

    So with my specific use case:
    I can define how and which endpoints are going to be tagged and get assigned a policy group like "Kids", "Guests", "Default", "IoT", etc. Each policy group then gets assigned which applications are allowed/not allowed in Application Control, which websites or web categories they can/can't access in Web Filter, along with how much bandwidth they can use on a per-group, per-device, website or application basis in Bandwidth Control.

    And I didn't even mention the Firewall app, which is but just a footnote, in the grand scheme of things.

    Let me put it another way... If I wanted a powerful Layer 3 and 4 appliance, I'd go pfSense. But for modern web traffic patterns and threats, you'd want better granular control up to Layer 7. That's why I switched to Untangle NGFW.
     
  19. legato

    legato Active Member

    Joined:
    Jan 23, 2008
    Messages:
    183
    Likes Received:
    32
    Now I know why you moved to it.

    As it is, my use is mostly for
    - IOT VLAN
    - and Traffic Shaping

    Untangle sounds interesting. Will check it out. Is it possible to test in a VM?

    Sometimes I just want to play with tech.
     
  20. oj88

    oj88 PhilMUG Addict Member

    Joined:
    Jun 13, 2011
    Messages:
    2,468
    Likes Received:
    954
    It also has a traffic shaper (QoS) and a bunch of other stuff I didn't mention... WAN Failover, WAN Balancer, IPS, Ad Filter (although I supplement it with Pi-Hole), to name a few more.

    You can run it as a VM. I had it run that way a long time ago but later decided to switch to a bare-metal install because of I/O performance issues with the hardware; it's on an old HP ProLiant G7 N40L MicroServer from almost a decade ago.
     
    #1060 oj88, Aug 3, 2022
    Last edited: Aug 3, 2022
    legato likes this.
