Rebuilding network for ease of use

[spacein_vader]

Hi all,

I'm grappling with a problem and I'm hoping the wonderful Hexites can help me with it.

the setup

My current network has quite a convoluted setup. We have a standard Openreach vdsl 80/20 Internet connection currently provided via plusnet. It connects to my FRITZ!box 3490 router provided by my previous isp Zen. Beyond the WiFi issues discussed later in the post I'd like to keep the router, its very well equipped, has good software and still receives regular updates. They do well in security tests too.

This handles WiFi duties and the current positioning is high up on the ground floor in the middle of the house leading to no poor signal spots. It has 4 gigabit ethernet ports.

Port 1 is plugged into a Pi3b running pi-hole to block ads and other malicious domains, the Pi also handles DNS (that's how it works,) and DHCP for the network.

Port 2 is plugged into my home server running Ubuntu 20.04 LTS. This machine runs Jellyfin media server and various tools to support this. Currently Jellyfin is available over the Internet via my domain name. This PC does have a 2nd 1gb ethernet port but I've yet to experiment using both.

Port 3 is plugged into a 5 port ethernet switch behind my living room TV. This switch is in turn connected to the TV, Xbox One S, a Steam Link and my own gaming PC.

Port 4 is connected to a HP Laserjet Pro printer and makes it available over the network.

The problem

2 problems stemming from 1 root cause. Due to some lifestyle changes for me and the family.

The first is a drastic increase in permanently connected WiFi devices (5 Google Home devices,) 2 Rokus, 3 mobile phones, a laptop, 3 tablets plus any guests...) leading to the WiFi to occasionally lose connection for a few seconds then reacquire.

The second is that the system needs to be simplified drastically, so that any future change of ISP etc can be handled by my wife with support from a reasonably tech competent neighbour.

The root cause is that I have a terminal illness and have less than 12 months, details of which are more appropriate for a seperate thread. The upshot though is that the budget is a bit higher than it would otherwise be. It needs to be right and it needs to be simple before it needs to be cheap.

The Solution

I'm not set on this solution, so if anyone has another I'm willing to listen to ideas. Equally component selection and critique of some areas would be helpful. I've had no issues on the wired side so intend to leave alone unless someone has a genius idea to simplify that.

1. Turn off the remote access functionality of the media server. I'll almost certainly do this step as it requires at least manual updates of domain names etc but also means running some packages I otherwise don't need to and I can close almost all ports on the system to the outside world improving its security. The family will still be able to use it round the house which is the main thing.

2. Find the best way of getting the Ubuntu server to auto update and restart when required. Google suggests there are several ways of achieving this, from bash scripts (no idea how to write one,) on up. Essentially once a week at say 3 am I want it to download updates, install them and reboot as required.

3. Keep the pi hole as DNS & DHCP, find a way to automate updates of pihole and Raspbian. They'd miss adblock too much to remove it and this way I'm thinking when the FRITZ is finally replaced with some awful ISP supplied router I can leave instructions saying turn DHCP off and point its DNS at pi hole. There are concerns about SD card wear, I'm going to get a long life one like the dash cam rated ones but any tips to avoid writes (i'll be turning pi hole logs off,) would be good.

4. Buy a ceiling mounted wireless AP. This allows me to keep the fritzbox and again just leave instructions that any future ISP router have its WiFi turned off and let the AP deal with it. The issue here is which AP. A lot require a cloud config (like unifi) but I'm guessing someone has one with just a simple local admin option. Open to suggestions for brand, definitely go AC but happy to invest in AX/WiFi 6 for future proofing too. Probably PoE for ease of installation.

The idea is the above setup just works, self updates and any future ISP supplied kit is plugged in and told to do as little as possible.

Thoughts?

[jim]

I'm sorry, spaceinvader. Focusing on your questions, I've been going through a similar process myself - albeit for different motivations.

I think 1 + 2 are very sensible. I think perhaps it's best to consider the server as something that's a nice to have, and if / when it eventually conks out it will just be disposed of. Not sure if that was your perspective as well.

In terms of 3, I think it all depends on how tech savvy your family are. I've had problems with my ISP because they aren't expecting the default Wifi password to have changed (not a problem for me, of course, but most of my family would have been bemused). If they're likely to ring Plusnet when things break, having a custom DNS address - let alone a pihole - may be incredibly confusing to both them and the support team. And a reset to default (which will be where such requests end up) will cause chaos with multiple DHCP servers.

I'm wondering whether you're better off to heavily simplify the critical path to the internet (i.e. DHCP, DNS and router) to make it really basic. For example, BT Whole Home Wifi. I would never run it myself, but at least the customer service is there to support the entire technology stack.

If you think that coping with the pihole will be OK, then your plan seems fair enough. But I would also write up some instructions on how to dump it in the future (e.g. in case the SD card or entire board dies) - in other words a fallback plan to cut it out of the network. I imagine that setting up a new one from scratch would be a step too far.

For 4, again it's an option. I can't recommend a specific brand. It would fix your immediate problem of WiFi issues, but it does add another layer of complexity - since you're segmenting router, WiFi, DNS and DHCP when for 99% of houses all four are done by the same box.

[Saracen999]

I agree with Jim that a lot depends on how tech savvy the wife (and/or neighbour) are.

I did a similar exercise recently, and ended up with the basis for an Asus MESH system. It's 'okay' with just one "AP", but would ideally benefit from probably three. My plan is a wired plug 'n' play backhaul between Asus routers (in MESH mode) and that then gives me the option for most devices to be wired, with as few as possible relying on wifi. The latter group will include the home automation stuff. Given the MESH setup, it's pretty easy to expand.

But there's a conflict, however you choose to do it, between versatility and simplicity. Even the Asus routers, which aren't hugely complex, aren't really ideal for completely non-tech users (like my wife).

I haven't really looked in detail at some of the out-of-the-box plug'n'play MESH solutions, but they may be the ideal compromise while keeping usiability high for the non-technical. Oh, and if physical cabled backhaul if an issue, consider tri-band with the third band dedicated to backhaul.

P.S. I'm umming an ahhing about 2.5G v 10G backhaul). 10G provides much greater longevity but costs (quite a lot) more and is probably overkill (for us) if I'm honest. But .... want it.


EDIT - In case anyone thinks me not mentioning spacein's condition is insensitive, I already knew. We've discussed it. I of course also wish him the very best.

[badass]

Sorry to hear this Spaceinvader. As per Jim, Focusing on the problem:

I don't know how technical the rest of your family are, however if they are not into tinkering to keep stuff running I would seriously consider the pro's and cons in a little more depth. I am assuming here that those who will be taking over are not particularly technical. If someone is, this is not so relevant.

Consider the benefits of jellyfish vs not having it at all. All of these solutions occasionally break and are a right faff/impossible to fix for a non technical person. I would just subscribe to netflix/prime/etc. Disable remote access functionality. Instruct them to not bother *when* it breaks.

Wireless: Just get a mesh system. I use a TP-Link Tapo Mesh system and it's very good and most importantly, Simple and reliable. Most (if not all) mesh systems act as a secondary router - i.e. You plug the "master" node into the ISP router. The IP range, DHCP etc are controlled by the mesh system. For non technical people, no special config is required. Mine can operate as a DHCP client of the "ISP" router. Use the ISP router to do DHCP but configure the DHCP server to use the RasPi as a DNS server.

Print out a laminated sheet describing the RasPi, what it does and the config. This can be handed to a helper if the RasPi breaks. This will also help if they replace the Fritz!box router.

[kalniel]

Agree with the above and thoughts with you. To be honest unless you will derive some pleasure from doing it yourself this is one of the few occasions when I'd make a list of your requirements and get someone in to do it - that's likely to require the least amount of your time and also gives a route for support going forwards.

[Saracen999]

.....

Wireless: Just get a mesh system. I use a TP-Link Tapo Mesh system and it's very good and most importantly, Simple and reliable. Most (if not all) mesh systems act as a secondary router - i.e. You plug the "master" node into the ISP router. The IP range, DHCP etc are controlled by the mesh system. For non technical people, no special config is required. Mine can operate as a DHCP client of the "ISP" router. Use the ISP router to do DHCP but configure the DHCP server to use the RasPi as a DNS server.

....

Yup, similar to Asus, by the sound of it.

The Asus one is certainly very simple to get up and running. Read the instruction sheet, takes about two minutes, turn it on and let it do it's thing. It's not much more than that.

Where it gets trickier is hardening the security.

Trouble is, if they default to hardened, lots of things won't work unless you selectively enable them. But if you default to not hardened at all, almost everything works out of the box, but security is compromised. However they set defaults, getting a good but secure setup is going to take some tweaking. IMHO, of course.

[spacein_vader]

Maybe I've misunderstood but I thought mesh was a way of having multiple APs when 1 can't cover the whole area. I don't need that, 1 covers everything amply. So how else is a mesh simpler because to my unaware eye it seems more complicated. Do they still need the isp router (or other seperate vdsl modem) attaching?

Wife is tech savvy enough to install any future isp provided router, neighbour is a developer and with documentation I'm putting together in simple terms I'm confident my wife could navigate an ISP router far enough to turn off wifi/dhcp once neighbour found the intital access page.

The idea with Jellyfin is it'll probably keep going for a few years just playing movies until a HDD fails or a major software update by jellyfin or Ubuntu kills it. Family know this and are happy to use it till it breaks. Beyond updates it's an appliance, it needs no user interaction at all.

Pi hole I'll keep as ads on ITV player et Al drive them mad. What I may do is revert DHCP back to the router and set the pi as primary DNS and 8.8.8.8 as the fallback so if/when it eventually fails it'll be seemless (aside from seeing ads) as it'll just fail over.

[spacein_vader]

Sorry to bounce but can anyone answer my mesh questions above?

[DanceswithUnix]

Sorry to bounce but can anyone answer my mesh questions above?

Probably mesh isn't for you, but it might, hard to tell here.

Mesh is usually a really easy way of filling blackspots in coverage but has other tricks. My TP link one has the advantage that each node has a couple of ethernet ports on which can be used either for wired backhaul or to plug in wired clients like an xbox or playstation. You plug things in, and they just detect what is going on. Setup basically is declaring one node to be the master node and plugging that into the router, then introducing the others. The mesh can either be a router, or the mode I run is a distributed access point.

Prior to that I had (again, TP link) access points. They were OK, but got rather dated and couldn't do the handoff between access points and 2.4/5GHz bands that modern stuff does. But if one access point can cover your property (unlike my odd L shaped place here) then that sounds like the easy option.

Edit: The modern version of the access points I used to run (which were £100 each) would I guess be: https://www.amazon.co.uk/TP-Link-Ult...dp/B08MWN1VTJ/

The problem with things like this is that they are designed to be centrally managed. Mine was via a java program you installed on a server, looks like the modern ones come with a phone app. They are capable, but actually a bit irritating when you only have one of them.
The mesh setup is similar, mine is done on a phone app. I'm using 3 node a Deco S4 setup: https://www.amazon.co.uk/TP-Link-Dec.../dp/B0851D6MXY

I wonder if you should get a router, and put it in access point mode. Or perhaps it is just me that gets nervous when I hear cloud/app setup.

[jim]

I agree, in your case you probably don't need a mesh. It was the combo of "wireless problems" and need for simplicity that led me down that path.

They, as DWUnix says, can help in that they *commonly* have very simple app based set ups, so even technophobes can pretty easily get them running and tweak them.

I'm really struggling to understand why the FritzBox is having problems with such a small number of wireless clients though. Even a bog standard Plusnet / BT Router should be able to cope with plenty more than you're throwing at it. It might be worth just testing the Plusnet WiFi for a day or two if you can, to see if the FritzBox is the weak link.

[badass]

Sorry to bounce but can anyone answer my mesh questions above?

My reason was simplicity and reduction in likelihood of wireless dropouts as my mesh system has a lot more connected devices than yours without problem.

If one access point can cover your whole house just fine then perhaps my suggestion was overkill. However IME access points have more complex interfaces than (consumer) mesh systems

[DanceswithUnix]

My reason was simplicity and reduction in likelihood of wireless dropouts as my mesh system has a lot more connected devices than yours without problem.

If one access point can cover your whole house just fine then perhaps my suggestion was overkill. However IME access points have more complex interfaces than (consumer) mesh systems

You could buy a single mesh node, and just use it as an access point. The router/ap/mesh technologies seem to be converging with a lot of stuff seeming to be mesh capable now.

[spacein_vader]

You could buy a single mesh node, and just use it as an access point. The router/ap/mesh technologies seem to be converging with a lot of stuff seeming to be mesh capable now.

True. I know all but the most basic Asus routers are now mesh capable.

[Saracen999]

Maybe I've misunderstood but I thought mesh was a way of having multiple APs when 1 can't cover the whole area. I don't need that, 1 covers everything amply. So how else is a mesh simpler because to my unaware eye it seems more complicated. Do they still need the isp router (or other seperate vdsl modem) attaching?

....

Yes, I'd say that that is indeed the point of MESH. It's fundamentally to work a bit like a cellular service - the system passes a given user off to another node if you get a better signal from it as you move around. If you get good whole house coverage with one AP (or router) then I can't see Mesh benefitting you. The only possibility is if at some future point, something is added tht requires range extension. Or maybe, if you find a radio blind spot somewhere.

The way my Asus works is as a router. I turned the ISP (Virgin)
one into modem-only mode (i.e. disable wireless and all router functions like DHCP, and plug the Asus WAN port into the ISP-modem LAN port. Let the Asus handle the routing. It's way more powerful. For example, separate 'guest' networks, with their own passwords. It also handles DHCP and all such services, is configurable for prioritising games and so on. It's way more than the Virgin unit, with Trend Micro protection built-in too. Turning it into a MESH is more or less just adding another unit and setting it ro MESH AP mode, not router mode, so that remains an option. i.e. out of the box, it's just a good router.

If your one unit is enough, no MESH needed but the Asus units are, IMHO, pretty good. Not cheap, though.

[Saracen999]

Oh, and I measured throughput both before and after adding the Asus, and got better throughput and better wifi signals on both 2.4 and 5.0, plus wifi 6 (which may or may not matter, yet).

[jimbouk]

I guess another way to look at it is "what will and won't work if something gets replaced or factory reset?

1&2 you could just get a commodity box to give the same functionality. A decent brand should give a few years of updates.

3 I'm yet to pihole as I've just got browser extensions installed in most places, maybe an option at least for PCs.

4 Wi-fi on a separate device makes it ISP/router change proof, even if the new wi-fi didn't get disabled then it's not the end of the world.