Home network update – Meraki to Netgate
I avoid frequent changes to my home network. My stated goal is to design and install a reliable, secure network and keep it updated, but otherwise leave it alone. About five years ago, I took advantage of a Cisco program for free Meraki software for completing a professional certification class and exam. Now the program has expired, and I needed to replace the MX64 security appliance.
Moving from a commercial security device to a consumer product, I wanted to get something simple, but flexible. I’ve always been interested in open-source products, and considered ‘rolling my own’ firewall, but finding a cost-effective, silent (fanless) computer with multiple gigabit Ethernet ports in the current (Nov 2022) market was a challenge. Also, there’s still a huge supply chain issue that I expect to last through 2023, and I don’t want to buy from China. Not a nationalist issue, but I don’t trust security appliances from China (https://www.dhs.gov/news/2020/12/22/dhs-warns-american-businesses-about-data-services-and-equipment-firms-linked-chinese).
Selection Process
Super simple – I looked at consumer products and found they weren’t flexible enough for my use, some products were discontinued, others are on back order. I wanted to spend under $300 and narrowed the search to Ubiquiti Networks and Netgate (pfSense). Ubiquiti availability was an issue, and Netgate was less expensive, so I went with the entry level Netgate 1100.
Although the GUI lagged during the installation, subsequent configuration changes and the overall performance of the device have been good. I’ve changed the default configuration: IPv6 is disabled, I’m not using VPN or packet inspection, and I run PiHole on a spare Raspberry Pi instead of using Netgate services.
I would call this a ‘prosumer’ product – you can’t install and use this product without reading the manual and understanding the basics of TCP/IP networking. However, it’s much more flexible than the average consumer product and using pfSense open-source software provides greater security and longer support life (IMHO).
Performance
Performance is equivalent to the Meraki MX64. We have >20 devices on our home network including three Roku devices streaming 1080p (not 4K). If you plan to implement low level security, ad blocking, and other features, consider the 2100 model.
Recommendation
Pros
- Good security appliance for home networks with under 500 Mbps Internet service
- Simple installation and silent operation
- Better security and longevity than consumer products at this price point.
- Performance is good
Cons
- Install is not just “click next” – you need to read the manual!
- Lots of online chatter about performance issues using third party packages
Home Network
Netgate running statistics
Internet speed
Comcast – 300 Mbps download, 12 Mbps upload
PiHole update – certificate error
Attempting to update PiHole from the command line, I received the error below:
[i] Downloading and Installing FTL…curl: (77) error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
[✗] Downloading and Installing FTL
Error: URL https://github.com/pi-hole/ftl/releases/latest/download/pihole-FTL-armv7-linux-gnueabihf not found
[✗] FTL Engine not installed
Unable to complete update, please contact Pi-hole Support
I searched the /etc/ssl/certs folder and didn’t find anything out of the ordinary.
Updated CA Certificates:
sudo update-ca-certificates
After this, re-running pihole update worked correctly.
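Before re-running the update, it helps to confirm what curl is actually complaining about: whether the bundle at /etc/ssl/certs/ca-certificates.crt is missing, empty, or contains corrupt PEM blocks. The script below is an added example (not from Pi-hole or the original post) that inspects a bundle offline and maps the result to the remediation used above; the constructed sample bundle contains one well-formed block and one deliberately corrupt block.

```python
import base64
import binascii
import os
import re
import tempfile

# Path curl reported in the error above (Debian / Raspberry Pi OS layout).
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def inspect_ca_bundle(path=DEFAULT_BUNDLE):
    """Report on a PEM CA bundle without any network access.

    exists     -- the file curl was told to use is present and non-empty
    cert_count -- number of PEM certificate blocks whose body is valid base64
    bad_blocks -- blocks whose body is not valid base64 (a corrupt bundle)
    """
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return {"path": path, "exists": False, "cert_count": 0, "bad_blocks": 0}
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    cert_count = bad_blocks = 0
    for body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
            cert_count += 1
        except (ValueError, binascii.Error):
            bad_blocks += 1
    return {"path": path, "exists": True, "cert_count": cert_count, "bad_blocks": bad_blocks}


def diagnosis(report):
    """Map the report to the fix: update-ca-certificates regenerates the bundle
    from /usr/share/ca-certificates; --fresh rebuilds it from scratch."""
    if not report["exists"]:
        return "bundle missing: run 'sudo update-ca-certificates'"
    if report["cert_count"] == 0:
        return "bundle has no certificates: run 'sudo update-ca-certificates'"
    if report["bad_blocks"]:
        return "bundle contains corrupt blocks: run 'sudo update-ca-certificates --fresh'"
    return "bundle looks healthy (%d certificates)" % report["cert_count"]


# Constructed sample bundle: the first body is base64 of arbitrary bytes (not a
# real certificate), the second is deliberately not base64 at all.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"not a real certificate, just sample bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
    + "-----BEGIN CERTIFICATE-----\n"
    + "this is not base64!!\n"
    + "-----END CERTIFICATE-----\n"
)


def write_sample_bundle():
    """Write the constructed bundle to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".crt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_BUNDLE)
    return path


if __name__ == "__main__":
    # Check the constructed sample, then the real system bundle if present.
    for p in (write_sample_bundle(), DEFAULT_BUNDLE):
        r = inspect_ca_bundle(p)
        print(r["path"], "->", diagnosis(r))
```

Run it on the Pi before and after `sudo update-ca-certificates`; a healthy Debian-style bundle reports well over a hundred certificates and zero bad blocks.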
Obituary – Maureen Begley
Maureen A. Begley (nee Burchill), age 91, of Chillicothe, Ohio, formerly Moorestown and Mount Laurel, NJ, passed away on March 10, 2022. Wife of the late Paul E. Begley, Sr. Mother of Paul (Barbara), Kevin (Pauline), Dennis (Sherry), the late Michael (Vicki), and Brendan Begley. Grandmother of Sarah, Katherine, and Megan Begley, Bradley Edwards, Stacy (Begley) Adams, and Sean Begley. Great-grandmother of Nicholas and Nathan Edwards, and Michael Joseph Adams III. Sister of the late Elaine Corcoran. Aunt to many, many nieces and nephews.
Maureen graduated high school at age 16 and started working for AT&T and eventually RCA where she met her future husband. An accomplished gardener, bridge player, and animal lover, she traveled extensively, including trips to Alaska, Egypt, Antarctica (via east and west coasts of South America), China, the Galapagos Islands, and Ireland to visit family. After her children were grown, she started college, studied accounting, and completed her associates degree. After which she worked for a Atlantic Disposal and later started her own bookkeeping company with several local small businesses until she retired in her late 80’s.
Relatives and friends are invited to attend her viewing and visitation on Friday evening, March 18th 6-8pm at Mount Laurel Home for Funerals, 212 Ark Rd, Mt Laurel Township, NJ 08054. Funeral Mass Saturday morning, 10:30am at Our Lady of Good Counsel, 42 W Main St, Moorestown, NJ 08057. Interment following in Calvary Cemetery, Cherry Hill, NJ.
Mount Laurel Home for Funerals
https://www.mountlaurelfuneralhome.com/
Our Lady of Good Counsel Parish
Calvary Cemetery
Cherry Hill, NJ
https://southjerseycatholiccemeteries.org/locations/
Comcast Internet issues
We ‘cut the cord’ and shifted from DirecTV to Internet streaming in 2019, and, like almost everyone else, I’ve been working from our home office since March 2020. A few months ago, we started to see buffering issues with the TV, and more recently reconnect/timeout issues with VPN connections and Teams calls. At first the cable modem looked OK, and I optimized our internal network (Meraki MX/Switch and Google Wi-Fi) because I hadn’t touched it in three years. No real improvement, so I purchased a new Motorola MB7621 cable modem because the SB6183 was five years old. No change, BUT I noticed the event logs were getting flooded with “T3 timeouts” (reference screen shots below).
I contacted Comcast support via chat, who realized this wasn’t a ‘reset your cable modem’ issue, and they gave me a link to schedule a call back. Fifteen minutes later, I was on the phone with Charles. He didn’t see any issues on his side, and I asked about connecting my old cable modem. We re-registered the old modem, and as soon as he did, he saw errors on the line. At that point, he scheduled a technician to come to the house.
The technician was very good. I showed him how the cable was routed to the house, and he tested the underground cable and determined it needed to be replaced. He also shifted the coax ground from the water pipe to the electric box as that’s the current best practice because newer homes are shifting from copper plumbing to PEX. With that in place, he tested the connection to the cable modem and found that was out of spec as well!
After replacing the connections end-to-end, I see ZERO errors on the cable modem, and with that no buffering, dropped connections, and faster transfers (OS downloads, for example).
Comcast gets beat up a lot, but my customer service experience was exceptional. Fingers crossed the follow-up is as good – they need to bury the temporary cable, but I’m sure it will be just as smooth.
MB7621 Error Logs
SB6183 Error Logs
We bought a 2017 Chevrolet Bolt EV
A 2017 Chevy Bolt EV has replaced my beloved 2005 Saab 92x (aka Saabaru, a Saab badged Subaru WRX) and the best car I’ve ever owned.
When I started researching cars to replace the Saab, we considered buying new and used gas cars, but the market is crazy between supply chain issues and escalating prices. Our newest car is a 2016 Subaru Forester, and we expect to keep it for another 12 years. As we considered EV’s, we feel the landscape will be very, very different in 5-10 years, so we weren’t keen on buying a new car now and we started to look at used EV’s.
In 2014 we leased a Honda Fit EV. It was a Honda special lease program, and we received a free Level 2 charger (we paid for installation). We returned the car because our needs changed and there was no buy-out option for the lease. However, two years with an electric-only car made us EV evangelists (well, maybe I’m the evangelist). For reference, the Honda Fit had a 20 KWh battery, 100 HP, and published range of 80 miles and used a Level 2 charger which we installed in our garage.
Flash forward to 2021. Our EV criteria were a minimum range of 200 miles and a four door hatchback large enough to fit our taller than average family (I’m 6’3″ and 225 lbs.). Looking at used cars, we quickly came to the conclusion that 2017 Chevy Bolt EV’s coming off lease looked like the best choice for us. We also saw the battery recall putting a dead stop to all resales. At the same time, used Tesla’s were increasing in price and various discounts and promotions for new EV’s were expiring.
One month ownership notes
The Chevy Bolt EV isn’t a Tesla Model 3, but it’s a great EV, a solid car, and a used 2017 Bolt EV Premier is a great value. The batteries and motor are sourced from LG and the balance of the car was designed and assembled by Chevrolet. The controls are familiar, with good ergonomics, good visibility, and I particularly like the utility of the car. The rear seats can be folded flat with one hand, and there is a covered storage area behind the rear seats; the cover and false floor can be removed to provide a 12-18″ bin for extra storage. The Premier trim comes with roof rails, and we purchased cross bars for bicycle and roof racks.
Chevrolet Bolt EV 2017 details
- 2017 Bolt EV Premier with all features except a sunroof (which we would not use)
- Premier comes with DC fast charge option (55kW)
- 27,000 miles
- Energy Saver A/S SelfSeal 215/50R17
- Safety features like blind spot detection, front and rear cameras
The Good
- Driver seat adjustment and leg room is great for tall drivers. Leg room and headroom for four is good.
- Overall ergonomics are solid, and we like the tray between the front seats and door storage.
- The Bolt EV HP and torque are amazing. It’s just fun to drive.
- Range is quite good – well over 200 miles with normal driving and less than full charge.
- 200 HP with no turbo lag and a single speed transmission is addicting, and I’ve been driving a WRX for 16 years.
- “Single pedal driving” – with the transmission in “Low”, you can use regen braking to bring the car to a complete stop.
- Safety features, including a wide-angle rear-view mirror option that uses rear cameras.
- Remote start, auto dimming rear view mirrors, automatic headlights, and other convenience features.
- Bluetooth is rock solid and in-car calls are much better than our Subaru because the Bolt is so quiet.
The not-so-good
2017 model has 2017 tech
- Android Auto requires a USB cable (versus wireless)
- Waze beta has issues although Google Maps works as designed.
- Wireless charging ‘pocket’ too small for Pixel 4XL
- DC fast charge limited to 55kW, where newer EV’s are as high as 150kW, which limits long road trips.
- No spare tire (sealant and air pump instead); we also have AARP road service.
- Ride is a bit harsh, mostly due to energy efficient, low profile tires.
- Front seats are a tight fit, but not bad.
- The arm rest is an interference fit for me but has a lot of storage and removable tray.
Personal Letterhead
With email and other forms of electronic communication, no one may care about writing letters, but I’m starting to write letters to friends and family. I wrote many, many letters in college. Phone calls were pretty expensive in the mid-late 1970’s, and freshman year there were only six phones in our dorm. As we emerge from our COVID induced isolation, I appreciate my network of friends, family, and coworkers who have supported me over the years, and I think a letter is more personal and permanent than email.
Two sites that have influenced me are “Letters of Note” and “Letterheady” (links below, worth a look).
Letterheady
https://www.letterheady.com/about
Letters of Note
https://lettersofnote.com/about/
Today is World Password Day
Tips I’m sharing with family and friends. I use a password manager (LastPass) and MFA for all accounts that have monetary or business value (including Amazon, Google, all accounts that involve money).
Password Recommendations
- The smartest choice for all users is to pick unique passwords for every site.
Password managers are ideal for people in the habit of re-using passwords, because:
- You only need to remember one (strong) master password to access all of your stored credentials.
- If you don’t trust password managers and have trouble remembering complex passwords, consider relying instead on password length.
Focus on picking passphrases instead of passwords.
- Passphrases are collections of multiple (ideally unrelated) words mushed together.
- Add numbers and special characters if required – example: Eat figs daily99!
- Passphrases are not only generally more secure, they have the added benefit of being easier to remember.
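To make the "rely on length" advice concrete, the following added example (mine, not from the post) generates a passphrase from a word list with the CSPRNG-backed `secrets` module and computes its entropy as words × log2(list size). The word list here is a constructed 16-word stand-in; the comparison function assumes a 7776-word list (the size of the EFF long list) to show why a three-word phrase like "Eat figs daily99!" is a floor rather than a target.

```python
import math
import secrets

# Constructed word list stand-in. A real deployment would load the EFF long list
# (7776 words); only the list size matters for the entropy arithmetic.
SAMPLE_WORDS = ["eat", "figs", "daily", "copper", "lantern", "orbit", "velvet",
                "granite", "pickle", "harbor", "saddle", "tundra", "maple", "quartz",
                "biscuit", "meadow"]
SYMBOLS = "!@#$%^&*?"


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of word_count words drawn uniformly and independently from list_size words."""
    return word_count * math.log2(list_size)


def make_passphrase(word_count=5, words=SAMPLE_WORDS, add_suffix=False):
    """Draw words with secrets.choice (not random.choice) and join with spaces.
    add_suffix appends two digits and a symbol for sites that insist on them,
    following the post's "Eat figs daily99!" pattern. Returns (phrase, words)."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    phrase = " ".join(chosen)
    if add_suffix:
        phrase += f"{secrets.randbelow(100):02d}{secrets.choice(SYMBOLS)}"
    return phrase, chosen


def compare_with_post_example():
    """Entropy (bits, rounded) the post's three-word example would have if its
    words came from a 7776-word list, next to a five-word phrase from the same
    list and an eight-character fully random password over 94 printable ASCII."""
    return {
        "three_words": round(passphrase_entropy_bits(3, 7776), 1),
        "five_words": round(passphrase_entropy_bits(5, 7776), 1),
        "eight_char_random": round(8 * math.log2(94), 1),
    }


if __name__ == "__main__":
    phrase, _ = make_passphrase(5, add_suffix=True)
    print("sample passphrase:", phrase)
    for name, bits in compare_with_post_example().items():
        print(f"{name}: {bits} bits")
```

The digits and symbol suffix adds only a few bits; the word count is what moves the number, which is the point of preferring length over complexity.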
Enable Multi-factor Authentication (MFA) for all accounts that support it (bank, credit cards, Amazon, Google).
- This approach adds a second step to the sign in process, usually in the form of a confirmation text sent to your phone, a security question, or a token provided by authenticator apps.
- MFA provides another layer of security to your password that doesn’t rely on you to remember anything.
Finally, there’s absolutely nothing wrong with writing down your passwords, provided:
- You do not store them in a file on your computer or taped to your laptop, AND
- Your password notebook is stored somewhere relatively secure – not in a purse or car, but a locked drawer or safe.
Reference Links
World Password Day 2021: ‘123456’ is still a bad idea
https://www.acronis.com/en-us/blog/posts/world-password-day-2021-123456-still-bad-idea
The Wages of Password Re-use: Your Money or Your Life
https://krebsonsecurity.com/2021/05/the-wages-of-password-re-use-your-money-or-your-life/
How to stop robocalls – Jolly Roger Telephone
I wanted to share my experience filtering calls to my 90-year-old mother who has had her phone number for 60 years and appears to be on every scam caller list. Every list. And she felt compelled to answer every call. Every. Call.
First, I switched her phone service from Comcast to Google Voice. I won’t go into the technical details of the move, but it’s a two step process (Comcast to burner phone, then burner phone to Google Voice). This was my first step to filtering her calls because I believe Comcast customers are being targeted by scammers and I hoped that moving to Google Voice SPAM filtering would offer better control over her calls.
Initially, I moved to Google Voice as part of a cost reduction for my Mom, and it provides ‘spam filtering’ capabilities. It turned out that the spam filtering wasn’t very good for faked local numbers so after some research, I went with the nuclear option and configured call filtering using Jolly Roger Telephone (link below).
Jolly Roger is *amazing*. Robots answer the phone and hang up telemarketers and scammers and Mom’s phone never rings. The record voicemail was 7.5 minutes…
To be honest, Jolly Roger is pretty good, but the final solution was to put every ‘good’ caller onto the whitelist and block every other area code in the United States, block all foreign calls, and block all toll free calls. The whitelist was more of a challenge. I had a phone history of several months and included her doctors, friends, family, etc. Jolly Roger includes simple check boxes to block 800 calls, overseas numbers, and similar. Ultimately, I configured a ‘blacklist’ of prohibited callers using wildcard entries for EVERY AREA CODE in the US except two local area codes.
It seems extreme, but then we just had to deal with faked local numbers, and I had a large list of exchanges that I blocked.
These are a few of my favorite things
UPDATE – added to the list.
Like everyone else, I’ve been working remotely since March 2020.
Ergonomics is a huge issue for me, and something everyone should consider. In my home office, I have the following setup:
- Chair – I have a Staples brand chair, and I upgraded the wheels from a Reading, PA based company
- Desks – I have old Steelcase desks that are circa 1960’s (think Mad Men) and I think my father purchased them from RCA at some point. They work well for me, they are deep, lots of storage, and they are very sturdy.
- (2) 24″ monitors – for now, 24″ monitors are my sweet spot, your mileage may vary. I recommend getting identical monitors so you don’t hang your mouse as you move from screen to screen which can happen with different resolution monitors and it’s maddening.
- Desk mat – think of it as a giant mousepad on which you can put your keyboard and mouse. It covers up any imperfections in the desk surface, and I find it more comfortable in warm weather.
- Keyboard – I use a mechanical keyboard. Personal preference, I don’t judge, but I started computing on one of the original IBM PC metal keyboards (which I still have), and I’m a touch typist, and it works for me.
- Mouse – Logitech wireless mouse; buy the Unifying USB dongle, which allows you to switch mice any time you want. I own many wireless mice: MX Revolution, Performance MX, M705 or M720 (battery lasts for *years*).
- Headphones – Plantronics. My BIL Mitch gifted me with a headset when he worked for Plantronics “back in the day”, and it continues to be my go-to headset.
- Camera – I’m using an old Microsoft HD camera, but any of the Microsoft or Logitech cameras should work. I work with my laptop closed, so I can’t use the built-in camera, and using a USB camera means I can unplug it when it’s not in use. Also, 720p is more than enough resolution for personal and business video conferencing.
- Network – this is a huge issue for work-at-home. ISP’s are scare mongering you to upgrade to Gigabit speeds. After analysis, our home subscription is 100 Mbps download / 6 Mbps upload. This is more than enough to support two of us working concurrently on video calls while someone is watching Netflix or YouTube TV.
- Printer – get a laser printer. Period. They are fast, inexpensive, and toner lasts forever. If you need to print in color, take it to Kinkos, CVS, or similar after you print your draft in grayscale. I’ve used Brother multi-function laser printers since 2007. Also, get duplex capabilities; it’s easier for scanning, and saves paper when printing. Third party, high-capacity toners are both inexpensive and high quality. I have an older model that includes FAX, so the link below is for the equivalent, but without FAX.
- USB charging block – for my office I have an Anker six port, 60W USB charger. It’s a monster that can charge six devices at a time and it has a permanent location in my office with every type of charging cable I use already plugged in and fed through a cable organizer to keep things (relatively) neat. I charge lights for my bike, headphones, cell phones, fitness devices, anything and everything that charges with a USB cable.
- Password manager – if you don’t already use one, get one. I use LastPass, but 1Password and similar products are quite good. I recommend selecting one that works well with your platform (Windows, Mac), your browsers (Firefox, Microsoft, Chrome, and derivatives), and your phone. Make sure it works well with your phone.
Import all the passwords from your browsers, then disable password save feature of the browsers.
Check your accounts for re-used passwords – start with critical accounts like financial services
Next, review all your accounts and update passwords using the password manager to generate secure, unique passwords.
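The reuse check above is easy to automate once the passwords are exported from the browsers. This added example (not the post's own script, and not tied to any particular password manager) groups a constructed export by password, reports only the SHA-256 fingerprint rather than the password itself, and orders the groups so that financial accounts are fixed first. The export rows, the site names and the keyword list for "critical" sites are all my assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed export in the shape most password managers and browsers produce
# (site, username, password). These are made-up credentials for illustration.
SAMPLE_EXPORT = [
    {"site": "bank.example", "username": "paul", "password": "Eat figs daily99!"},
    {"site": "shop.example", "username": "paul", "password": "Eat figs daily99!"},
    {"site": "mail.example", "username": "paul@example.org", "password": "correct horse battery staple"},
    {"site": "forum.example", "username": "pb", "password": "Eat figs daily99!"},
    {"site": "broker.example", "username": "paul", "password": "Tr0ub4dor&3"},
]

# Assumed keyword list for sites that hold money or are account-recovery hubs.
CRITICAL_KEYWORDS = ("bank", "broker", "card", "pay", "amazon", "google")


def fingerprint(password):
    """Short SHA-256 prefix so the report never has to print the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused(entries):
    """Group entries by password fingerprint; keep only groups used on 2+ sites."""
    groups = defaultdict(list)
    for e in entries:
        groups[fingerprint(e["password"])].append(e["site"])
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def is_critical(site):
    return any(k in site for k in CRITICAL_KEYWORDS)


def prioritize(reused):
    """Order groups so the first fix covers the most critical accounts, then
    the largest groups. Returns a list of (fingerprint, sites) pairs."""
    return sorted(
        reused.items(),
        key=lambda kv: (-sum(is_critical(s) for s in kv[1]), -len(kv[1])),
    )


def audit(entries):
    """Human-readable lines: one per reused password group, secrets redacted."""
    lines = []
    for fp, sites in prioritize(find_reused(entries)):
        flag = "CRITICAL" if any(is_critical(s) for s in sites) else "reused"
        lines.append(f"{flag}: fingerprint {fp} shared by {', '.join(sorted(sites))}")
    return lines


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT):
        print(line)
```

Once the reused groups are fixed, re-run the audit until it prints nothing; the fingerprint is only a grouping key, so the export file itself still deserves the same care as the notebook in the password-day post.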
Reference links
Microsoft LifeCam HD-3000, Retail
https://www.amazon.com/Microsoft-3364820-LifeCam-HD-3000/dp/B008ZVRAQS
CM Storm QuickFire Rapid – Tenkeyless, red switches
https://www.amazon.com/gp/product/B007VDLVD4
Brother MFCL2750DW Monochrome All-in-One Wireless Laser Printer, Duplex Copy & Scan
https://www.amazon.com/dp/B0763X6TCW
Home Network description and recommendations
https://paulbegley.com/?p=749
USB Wall Charger, Anker 60W 6 Port USB Charging Station
https://www.amazon.com/gp/product/B00P936188
Home Network Recommendation
Today I received an email from one of our neighbors, actually their son! He’s a gamer, super technical, and after replying, I thought it would be better to document my recommendations here and update based on feedback from Rob and others.
First, determine whether you need to replace the cable modem. Once you know it needs to be replaced, I recommend buying separate devices for each layer of your home network – cable modem, security device, then switch/wireless. This lets you buy the most cost-effective device with exactly the features and performance you want for each layer of the network.
Cable modem
I like the Arris/Motorola cable modems, reference link below for Wirecutter recommendations. I wouldn’t go crazy. I have an old ARRIS SURFboard SB6183. It Just Works. Also, I have 100Mbps service and it’s not a bottleneck. It’s DOCSIS 3.0, but if you get a new one, make sure it supports the latest DOCSIS 3.1 standard. That’s all you need – match the rated performance of your cable modem with your Internet connection speed. There’s no advantage to getting a 1Gbps cable modem for a 200 Mbps connection.
Security
I use a Meraki security appliance, but only because I got it free through a certification program. When I replace it, I’ll probably buy a Ubiquiti USG or similar. You would be appalled at the stuff it blocks and the attempted connections I see on a regular basis. Reference links below, and note that you would buy the USG with a Cloud Key for management (detailed in the how-to link below).
Switch
Get a good, 1Gbps switch with 8 or more ports to connect your laptop and other devices as needed. Make sure the switch does *not* have a fan, you want everything to use passive cooling and be silent. Early switches required fans, they all go bad, and they all make too much noise.
Wireless
I have a Google WiFi mesh which works well. I bought three access points, but only need two for our house (two story colonial with a basement). If you live in an apartment, I would just get a reliable access point and locate it to get the best coverage in the apartment. Make sure anything you buy supports WPA2/3 and use a complex admin password to secure your AP.
Bonus Tip
If you don’t already have a spare Raspberry Pi, buy two or three and configure one to run PiHole. PiHole can provide DNS services, but more important is it is a very effective ad filter for your home network. You will notice it on your phone immediately and you also benefit from having a local DNS server that you control. On my network it’s filtering >30% of the DNS queries from our Roku TV to our phones and laptops. I’m using a Model 3B Raspberry Pi and be sure to buy a reliable power supply like the Anker Elite Dual Port 24W ($11 from Amazon!).
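The ">30% of DNS queries" figure is something you can measure yourself from Pi-hole's dnsmasq log rather than reading it off the dashboard. The script below is an added example (not Pi-hole's own tooling) that tallies queries and blocked answers per client over constructed log lines; it assumes the dnsmasq-style format `query[A] <domain> from <client>` and `gravity blocked <domain> is 0.0.0.0`, and since the blocked line carries no client, it attributes the block to the client that most recently asked for that domain.

```python
import re
from collections import defaultdict

QUERY = re.compile(r"query\[\w+\] (\S+) from (\S+)")
BLOCKED = re.compile(r"gravity blocked (\S+) is ")

# Constructed sample in the assumed Pi-hole/dnsmasq log format; 192.168.1.20
# plays a Roku TV, 192.168.1.30 a laptop. Domains are made up.
SAMPLE_LOG = """\
Mar 14 08:01:02 dnsmasq[412]: query[A] ads.example.net from 192.168.1.20
Mar 14 08:01:02 dnsmasq[412]: gravity blocked ads.example.net is 0.0.0.0
Mar 14 08:01:03 dnsmasq[412]: query[A] cdn.example.tv from 192.168.1.20
Mar 14 08:01:03 dnsmasq[412]: forwarded cdn.example.tv to 9.9.9.9
Mar 14 08:01:05 dnsmasq[412]: query[A] track.example.org from 192.168.1.20
Mar 14 08:01:05 dnsmasq[412]: gravity blocked track.example.org is 0.0.0.0
Mar 14 08:01:09 dnsmasq[412]: query[AAAA] metrics.example.com from 192.168.1.20
Mar 14 08:01:09 dnsmasq[412]: gravity blocked metrics.example.com is 0.0.0.0
Mar 14 08:01:12 dnsmasq[412]: query[A] app.example.tv from 192.168.1.20
Mar 14 08:01:12 dnsmasq[412]: cached app.example.tv is 203.0.113.7
Mar 14 08:02:00 dnsmasq[412]: query[A] www.example.com from 192.168.1.30
Mar 14 08:02:00 dnsmasq[412]: forwarded www.example.com to 9.9.9.9
Mar 14 08:02:01 dnsmasq[412]: query[A] mail.example.com from 192.168.1.30
Mar 14 08:02:01 dnsmasq[412]: cached mail.example.com is 203.0.113.9
Mar 14 08:02:04 dnsmasq[412]: query[A] ads.example.net from 192.168.1.30
Mar 14 08:02:04 dnsmasq[412]: gravity blocked ads.example.net is 0.0.0.0
Mar 14 08:02:07 dnsmasq[412]: query[A] docs.example.com from 192.168.1.30
Mar 14 08:02:07 dnsmasq[412]: forwarded docs.example.com to 9.9.9.9
Mar 14 08:02:10 dnsmasq[412]: query[A] git.example.com from 192.168.1.30
Mar 14 08:02:10 dnsmasq[412]: forwarded git.example.com to 9.9.9.9
"""


def parse_pihole_log(lines):
    """Return {client: {"queries": n, "blocked": n}} from dnsmasq-style lines."""
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0})
    last_client_for = {}  # domain -> client that most recently queried it
    for line in lines:
        m = QUERY.search(line)
        if m:
            domain, client = m.groups()
            stats[client]["queries"] += 1
            last_client_for[domain] = client
            continue
        m = BLOCKED.search(line)
        if m:
            client = last_client_for.get(m.group(1))
            if client is not None:
                stats[client]["blocked"] += 1
    return dict(stats)


def blocked_percentage(stats):
    """Share of all queries that gravity blocked, across every client."""
    queries = sum(s["queries"] for s in stats.values())
    blocked = sum(s["blocked"] for s in stats.values())
    return 100.0 * blocked / queries if queries else 0.0


if __name__ == "__main__":
    stats = parse_pihole_log(SAMPLE_LOG.splitlines())
    for client, s in sorted(stats.items()):
        print(f"{client}: {s['blocked']}/{s['queries']} blocked")
    print(f"overall: {blocked_percentage(stats):.1f}% blocked")
```

Point it at /var/log/pihole.log (or `pihole -t` output) to see which device on the network is generating the tracking lookups; a streaming box usually dominates, which matches the Roku observation above.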
Reference Links
The Best Cable Modem
https://www.nytimes.com/wirecutter/reviews/best-cable-modem/
Ubiquiti USG security gateway –
https://www.amazon.com/Ubiquiti-Unifi-Security-Gateway-USG/dp/B00LV8YZLK
How To: Deploying a Ubiquiti UniFi Home Network including Multiple WiFi Access Points (Part 1) UPDATED
https://freetime.mikeconnelly.com/archives/6241
Pi-hole® – Network-wide Ad Blocking
Dashboard from Paul’s PiHole