Family ties don't cut out and the network doesn't drop: my home network transformation notes

Matrix home page recommendation

This article represents the author's personal views; the minority has made only minor changes to the title and layout.

preface

Of course, every household's situation is very different. In this article I will use the three rounds of network restructuring at my home in my hometown, with the experiences and problems they brought, as the main thread, and talk in detail about how to give the elderly in the family a comfortable network.

body

My home is a house from the mid-to-late 2010s. When it was handed over, the country was still in the stage of popularizing 100 Mbps broadband, so the basic network wiring of the house is still decent: Cat.5e cable runs to every room, which is a good foundation for building a proper network later. But the developer still left a lot of pitfalls for me, so let's first sort out the initial network topology.

Sorting out the topology

First, let's look at the layout of my house and the weak current box (the low-voltage wiring cabinet):

The floor plan of the home and the distribution of network ports

As you can see, the network port coverage of the main activity areas is quite adequate, but the weak current box sits in a closet in the middle of the corridor and is only so big; once stuffed with equipment it is simply unbearable:

The weak current box left by the developer

Let's go through the functions of the modules in the weak current box:

GPON ONT (the "optical modem"): handles the fiber into the home and dials up the broadband connection, and also provides the telephone signal.

Two 100 Mbps switch modules: handle whole-house network switching; between them they serve 12 network cables.

Telephone line distribution module: handles incoming telephone lines and distributes the telephone signal.

Cable TV splitter: distributes the cable TV signal.

Power supply: powers the equipment in the weak current box.

Digital TV network cable: carries the digital TV feed to the TV box (similar to IPTV), connected to the switch.

With this configuration a 100 Mbps network is obviously no problem, but the 100 Mbps switch also caps the maximum speed of the network: if the broadband is upgraded, no terminal in the house would benefit from it. Relying only on the Wi-Fi of the ONT inside an iron weak current box, covering the whole house is also very difficult. And the LAN and digital TV network cables are connected to the same unmanaged switch, which easily causes broadcast storms, lag and other problems.

In the beginning, to solve the Wi-Fi coverage problem, I chose Xiaomi's AX3600 and AX1800 to form a wireless mesh, placed in the living room and the study, forming the following topology:

Phase I

As you can see, the initial topology had many problems. The two main wireless routers each obtained an address via DHCP and routed to the Internet themselves; the Xiaomi routers were not switched to wired relay mode, so the wireless network and the wired network at home were not behind the same NAT. Simply put, they were not in the same network segment and could not communicate normally on the LAN. The result is that wired devices cannot use broadcast-based communication with wireless terminals: for example, a computer on a network cable cannot print to a printer connected over Wi-Fi. And double NAT also degrades network performance to some extent.

For a detailed description of networking and NAT, you can read these articles:

Coupled with the addition of an Apple TV and a NAS at home during this period, and the broadband being upgraded to 300 Mbps for various reasons, the old 100 Mbps switch was obviously no longer suitable for today's home network. So the stock setup was finally dismantled, but considering the size of the weak current box and the size of the 16-port switches on the market, I eventually chose an unmanaged 8-port Gigabit switch:

Unmanaged Gigabit switch

Together with a small NanoPi R2S soft router placed in the weak current box to dial up to the Internet:

NanoPi R2S

The two wireless routers were also switched to AP mode (wired relay mode), forming a wired mesh network. The topology at this stage is as follows:

After this stage of the transformation was completed, the network could basically be called comfortable for my parents: the Apple TV could watch movies from the NAS normally, and printers and other devices on the LAN could be accessed and print directly.

The main optimization projects at this stage are:

The ONT was changed to bridge mode, so that only one layer of NAT remains in the whole home LAN, improving network performance and connectivity.

Two fat APs form a wired mesh, improving the network speed of the child nodes.

Phase II

But the first phase of the transformation actually still had many problems:

Since the Huashu digital TV line is a 100 Mbps network cable, it easily drags the other Gigabit ports of the unmanaged switch down to negotiating 100 Mbps.

The ARM-based R2S is not stable enough; after only two months of use it could no longer restart.

Multiple broadcast domains overlap, which can easily cause broadcast storms.

For the second point, fortunately there was a standby (disaster recovery) router left at home; after connecting its WAN and LAN, my parents' normal Internet access was not affected. It also happened to be the Qingming holiday, so the second phase of the transformation was carried out while I was back home visiting my parents. Its main goals were:

Replace the main router with a more stable x86-64 platform.

Isolate the Huashu digital TV cable's signal to prevent the switch's ports from negotiating down to 100 Mbps or generating broadcast storms.

But the x86-64 router and its power supply are an order of magnitude larger than the R2S, and the small weak current box cannot hold so many devices at once. Even if it fit, dissipating the heat of a small host drawing close to 20 W inside a weak current box is a problem. And since we want to isolate Huashu's digital TV signal at the same time, we have to use a managed switch and VLANs (Virtual Local Area Networks). VLANs also let us multiplex several networks over a single cable, so the router does not have to dial up from inside the weak current box. Through VLANs, the ONT's WAN, Huashu's IPTV, and the LAN of the home devices are divided into three network segments. This lets the router dial up to the Internet from outside the weak current box without broadcast storms, while not interfering with the normal operation of the TV box.

The topology after the end of this transformation is as follows:

I chose to put the router in the living room TV cabinet, so the network upgrade was completed with just two managed switches.

The main improvements I have made at this stage are:

Space was freed up in the weak current box, allowing the Layer 3 equipment to be maintained more easily.

Isolated the three networks (IPTV, WAN, LAN) to avoid broadcast storms and port negotiation speed issues.

Replaced the router with a better x86 platform to ensure network stability.

Phase III

From the perspective of network structure, the second phase of the transformation didn't have much of a problem, but after two power outages in the residential compound the x86 router could not restart normally, and the dial-up Internet service on it stopped working. I realized that using my own DIY router as the home's main router wasn't a smart choice. Besides, only the two Apple TVs at home actually need the DIY router's network services, and the original topology took too much time to manage and troubleshoot. So I decided to migrate my home's switching and routing devices to Ubiquiti's Unifi system for unified management.

In the previous network transformation, constrained by the size of the weak current box, I chose an 8-port switch. After deciding to migrate to the full Unifi set, there was a 16-port PoE switch in the series, the USW-Lite-16-PoE, which supplies PoE/PoE+ power on 8 ports, and all of its ports can be managed with VLANs:

USW-Lite-16-PoE

Let me start with a brief introduction to Ubiquiti's Unifi devices. They are a family of enterprise-class network devices designed for small and medium-sized businesses and homes, and they won me over with their simple, clear user interface and excellent industrial design. Unlike ordinary home wireless routers, building a network with Unifi devices generally requires these:

Controller: the unified management center that adopts and configures all Unifi devices; either a dedicated controller sold by Ubiquiti (a hardware AC) or software installed on a PC/Mac/Linux or even in Docker (a software AC).

Security gateway: that is, a router in the common sense, used for dialing up the home network and for firewall and other functions.

Switches: all Unifi switches can be configured in the same controller UI, which absolutely crushes the experience of traditional managed switches that must be configured one by one.

Wireless AP: transmits the Wi-Fi signal but, unlike a home wireless router, does not dial up to the Internet itself. APs can also form a wireless mesh.

To prepare for a possible future upgrade to PoE-powered APs, I decided to tidy up the weak current box to fit the USW-Lite-16-PoE switch. Along the way, for better maintenance and management, I did these:

Tidying up the telephone lines: since there is only one landline phone in the house, I removed the telephone line distribution module, sorted out the telephone lines in the weak current box, and connected the one needed directly to the ONT.

Tidying up the coaxial cables: since only two TVs in my home need cable service, I removed the cable TV splitter module and replaced it with a small 1-in-2-out splitter.

Tidying up the network cables: the slack left on the original network cables in the weak current box was very long and took up a lot of space. I cut off the excess, terminated the cables on patch panels and keystone modules, and labeled them for troubleshooting. When a cable needs to go to the switch, just connect a patch cord from the patch panel.

After tidying up the three main sets of wires, my weak current box is just big enough to fit the USW-Lite-16-PoE switch. Here are the results:

The tidied weak current box

With PoE power, the managed switch originally placed in the living room could also be replaced by a USW-Flex-Mini five-port switch that accepts PoE power; one power cord fewer matters a lot for cable management, and its small size lets it hide behind various cabinets:

USW-Flex-Mini

I used the router the same way as in the second stage, placing it in the living room to dial up to the Internet, but changed from the original x86 router to the Unifi Security Gateway (USG), the security gateway of the Unifi series:

Unifi Security Gateway

The USG acts as the home's router, responsible for dial-up Internet access, the DHCP server and firewall functions. The other Internet functions I still run on the original x86 router, but as a bypass gateway, placed in the utility room where the NAS is. About bypass gateways you can read this article:

After the full migration to Unifi, the biggest advantage is that all Unifi devices can be managed in one unified web interface, including their IP addresses, the VLAN settings on their ports, and the subnets of the main router:

Unifi Network's web UI

There is also a mobile app and WebRTC remote-control technology that let me check the status of my home devices and adjust them even when I'm on an external network.

Unifi Network's iOS app

I moved the original x86 main router to the lower end of the topology, where it provides gateway functionality for a few specific devices as a bypass gateway. In the Unifi controller I created a VLAN and subnet specifically for the devices that need to go through the bypass gateway: 192.168.2.0/24. Its DHCP settings point all devices in this subnet to the x86 router as their gateway. In this way, I only need to change the configuration of the switch port that a device is connected to, from my phone, to easily change the network segment, gateway and DNS of that terminal:

Bypass gateway structure

Note that because the USG is an enterprise-grade Layer 3 device, as long as the final gateway of each network segment points to the USG, devices in different segments can still reach each other, but they cannot communicate by broadcast. However, the USG also has an mDNS reflection function, which reflects the announcements sent by HomeKit smart-home devices to all network segments, achieving broadcast-style discovery across segments.

Now let's look at the network topology of my house:

Phase III Network Structure

To summarize the optimization of this transformation:

Network devices were replaced with the more stable and easier-to-manage Unifi series.

The weak current box was tidied up, making maintenance and upgrades easier.

Professional routing equipment handles the dial-up, ensuring the absolute stability of the main network.

Added a bypass gateway and a dedicated network segment to cope with different Internet access needs; if the bypass gateway has problems it does not affect the main network equipment, and through remote configuration the devices in the bypass segment can be moved back to the main network.

Remote maintenance

The hardware side is built, but it is inevitable that I will occasionally need to fix the home network remotely. For this I usually use the following methods:

Remote Desktop

Remote desktop is probably the method most familiar to those living away from home. If you and your family both use Macs, the system's built-in Screen Sharing is the most convenient: just enter the other party's Apple ID to take remote control directly:

If it is not a Mac, I use VNC Server/Viewer (the server needs to be installed on the remote computer).

VNC Viewer

You only need to log in to the same account on the Server and the Viewer to configure it remotely.

Public IP port forwarding

If the operator in your hometown happens to assign a public IP to your home, then port forwarding is a convenient and fast choice for remote maintenance.

Port forwarding is a network function that forwards a network port of one host to another host, which then handles the traffic.

Simply put, a small setting on your router forwards a port of a LAN device to the WAN. This lets you reach it from anywhere using your home's public IP and that port number. The address can be the public IP itself, or a domain name mapped to it through a DDNS service.

Before using port forwarding, first determine whether you have a public IP address. The method is very simple: enter your router's management page, check the IP address obtained by the WAN port, then search for "IP" on Baidu; if the IP it reports is the same as the one obtained by your home's WAN port, then congratulations, you have a "public IP".
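As an added illustration (not code from the original post) of the public-IP check above and of the double-NAT problem described in Phase I: the address classes and the sample hop lists are my assumptions, and 203.0.113.0/24 is documentation address space.

```python
"""Added example (not from the original post): classify the address on the
router's WAN port and count NAT layers from a traceroute-style hop list."""
import ipaddress

# Ranges that are not reachable from the Internet. 100.64.0.0/10 is the
# carrier-grade NAT range (RFC 6598): a WAN port showing such an address
# means the operator has put the home behind its own NAT, not a public IP.
_PRIVATE = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_LOCAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "169.254.0.0/16")]
_CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'local', 'private', 'cgnat' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in _LOCAL):
        return "local"
    if any(ip in net for net in _PRIVATE):
        return "private"
    if ip in _CGNAT:
        return "cgnat"
    return "public"


def has_public_ip(wan_addr: str, observed_addr: str) -> bool:
    """The check from the post: the WAN port has a public IP when its address
    is a public one AND equals the address an outside service sees. A private
    or CGNAT WAN address fails immediately; a public WAN address that differs
    from the observed one means something upstream is still translating."""
    if classify(wan_addr) != "public":
        return False
    return ipaddress.ip_address(wan_addr) == ipaddress.ip_address(observed_addr)


def nat_layers(hops):
    """Count NAT boundaries on the path out of the home.

    `hops` is the list of router addresses a traceroute returns, in order;
    None stands for a hop that did not answer. Every non-public hop before
    the first public one is treated as a NAT boundary (the Phase I topology
    shows two: the Xiaomi router and the ONT in router mode). A routed
    private hop without NAT would be over-counted, so treat the result as an
    upper bound. Hops after a CGNAT address belong to the operator and are
    reported separately instead of being counted as home-side layers."""
    home = 0
    cgnat = False
    for hop in hops:
        if hop is None:
            continue
        kind = classify(hop)
        if kind == "public":
            break
        if kind == "cgnat":
            cgnat = True
        elif not cgnat:
            home += 1
    return {"home_nat_hops": home, "cgnat": cgnat}


if __name__ == "__main__":
    # Constructed sample paths (assumed addresses, not the author's).
    phase1 = ["192.168.31.1", "192.168.1.1", "203.0.113.1"]      # router behind ONT
    phase2 = ["192.168.1.1", None, "100.64.0.1", "203.0.113.1"]  # bridged ONT, CGNAT ISP
    print(nat_layers(phase1))  # {'home_nat_hops': 2, 'cgnat': False}
    print(nat_layers(phase2))  # {'home_nat_hops': 1, 'cgnat': True}
    print(has_public_ip("203.0.113.7", "203.0.113.7"))  # True
    print(has_public_ip("100.64.5.9", "203.0.113.7"))   # False
```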

Taking the Unifi console as an example, the "Port Forwarding" option is generally under the router's "Firewall" sub-option:

After filling in the name, the port, the LAN IP to forward to and its port, the port forwarding is complete. The LAN device's port will be exposed to the public network and can be accessed from anywhere.

Note, however, that in China ports 80 and 443 are blocked by operators, so you need to choose other port numbers. Exposing an HTTP page directly to the public network is not safe; it is recommended to forward the HTTPS port of your router instead, to use a more complex username and password, and to change them regularly to keep the network secure. Some routers can also restrict which source IPs may reach the forwarded port; setting this to the IP address of your own location makes port forwarding more secure.

ZeroTier NAT traversal

If you don't have a public IP at home, or you want a more secure way to connect, ZeroTier might be a good choice.

ZeroTier is an open source encrypted VPN service, but not a VPN in the usual sense: over its encrypted links, ZeroTier creates a virtual LAN between the devices you install it on, and you only need to enter the LAN IP address that ZeroTier generated for your device in the address bar to connect to your intranet device.

Let's take Mac and QNAP as an example:

Start by signing up for an account on ZeroTier's website and creating a network.

At this point a network is generated at the bottom of the page; you only need to note the NETWORK ID of the generated network.

Then install the ZeroTier service on your end devices (installation files for each platform are available).

On your Mac, after you download and install ZeroTier:

Enter your NETWORK ID below and click Join Network.

It is a little more complex on QNAP: after downloading and installing the QNAP package, use the admin account to SSH into the QNAP terminal and check whether ZeroTier installed successfully. If the following interface appears, you can join the ZeroTier LAN.

After the above steps, go to the ZeroTier website and select the network segment you want the device addresses to be in:

Then activate (authorize) all devices that joined the network:

Once a valid IP is shown under Managed IPs, you can enter that IP address directly on your computer for management access.
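An added example, not from the post or from ZeroTier, that reads the text output of `zerotier-cli listnetworks` on a device and reports which of the steps above is still missing (joined, authorized, managed IP assigned); the column layout is the one I assume the CLI prints by default, and the network IDs, MACs and addresses in the sample are constructed.

```python
"""Added example (not from the original post or from ZeroTier): parse the
output of `zerotier-cli listnetworks` and tell whether the device is ready
to be reached over its managed IP."""

# Constructed sample in the layout the CLI prints: one header line, then one
# line per joined network. The network IDs, MACs and addresses are made up.
SAMPLE = """\
200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 8bd5124fd6f0e4a1 home-lan 52:f3:0a:11:22:33 OK PRIVATE feth1234 192.168.193.10/24
200 listnetworks 9f77c9d1a0b2c3d4 nas-test 52:f3:0a:44:55:66 ACCESS_DENIED PRIVATE feth5678 -
"""


def parse_listnetworks(text: str) -> dict:
    """Map network ID -> {name, status, type, dev, ips} for each joined network."""
    networks = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header line, blank lines and anything that is not a network row.
        if len(fields) < 9 or fields[1] != "listnetworks" or fields[2] == "<nwid>":
            continue
        # Parse from the end so a network name containing spaces still works.
        status, ztype, dev, ips = fields[-4:]
        name = " ".join(fields[3:-5])  # everything between the nwid and the MAC
        networks[fields[2].lower()] = {
            "name": name,
            "status": status,
            "type": ztype,
            "dev": dev,
            # The CLI prints "-" when the controller has not assigned an address yet.
            "ips": [] if ips == "-" else ips.split(","),
        }
    return networks


def managed_ip(text: str, nwid: str):
    """Return the first managed address (without prefix length) once the
    network reports OK and has an address; otherwise None."""
    net = parse_listnetworks(text).get(nwid.lower())
    if net is None or net["status"] != "OK" or not net["ips"]:
        return None
    return net["ips"][0].split("/")[0]


def diagnose(text: str, nwid: str) -> str:
    """Map the CLI state to the next step of the procedure in the post."""
    net = parse_listnetworks(text).get(nwid.lower())
    if net is None:
        return "not joined: join the network with its NETWORK ID"
    if net["status"] == "ACCESS_DENIED":
        return "not authorized: activate the device in the ZeroTier web console"
    if net["status"] != "OK":
        return "status " + net["status"] + ": wait or check the network settings"
    if not net["ips"]:
        return "no managed ip: assign an address range in the web console"
    return "ready: " + managed_ip(text, nwid)


if __name__ == "__main__":
    for nwid in ("8bd5124fd6f0e4a1", "9f77c9d1a0b2c3d4", "0000000000000000"):
        print(nwid, "->", diagnose(SAMPLE, nwid))
```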

Unlike port forwarding, ZeroTier is a virtual LAN that gives direct access to all ports of the devices that joined the network, without setting up port forwarding one by one for each port you want to reach; and because it uses encrypted connections, it is to some extent more secure than port forwarding.

Site to Site VPN

Compared with the two methods above, a Site-to-Site VPN is simpler to set up, but it has higher requirements: in a Unifi network, both of the networks to be connected need a "public IP" to set up a Site-to-Site VPN. Here is an example of the USG's Site-to-Site VPN settings:

You only need to fill in the remote public IP address and the local public IP address, set the network segment of the remote subnet, and the Site-to-Site VPN setup is complete.

Once set up, you can access all the subnets connected to the other end of the VPN from where you are, without configuring each device individually or running a program to access it as with ZeroTier. Your LAN and your home LAN become one large virtual LAN through the Site-to-Site VPN, for easy management and access.

However, note that whichever method is used to reach home remotely, the premise is that the gateway device at home is working, which is why in the third phase of the transformation I chose Ubiquiti's dedicated security gateway (USG) to ensure the absolute stability of the main network. Only then can maintenance avoid bothering my parents to troubleshoot on site every time, and I can help them solve problems remotely.

These are just a few of the remote management methods I've used; if you know other good NAT traversal or hole-punching schemes, they can also be used for remote maintenance.

epilogue

All this tinkering is nothing more than hoping that my parents far away can use a comfortable Internet. To summarize, transforming the network back home needs to follow these points:

Choose a brand-name router as the main gateway.

The maintenance process needs to be simple and concise.

Keep standby (disaster recovery) equipment.

After a year of bumpy learning, I also understood that the biggest need of the elderly is in fact stability, and building extra functions on top of stability is the optimal solution.

Here I also wish you all a happy new year, and may your network in the new year be smooth and never drop!
