Need help on best way to put Vera in my LAN

My network is set up with my DSL modem connected to the WAN on my wireless router.
Then my router has a LAN port to my switch.
All my network devices connect to my switch.
I have my Vera WAN port connected to my switch. I have internet and local LAN working fine.

I got to thinking about this setup and wanted to get opinions about how the Vera should ideally connect into my network.
Should the DSL modem connect to my switch first? Then router WAN to my switch?
Vera WAN to my switch and configure it for PPPoE to also connect to the DSL modem?

I am not sure how best to do this and not expose the Vera or my network to security risks.

How do you guys do it???

I have a Vera2 and I am not exactly familiar with the Network setup/restrictions of a Vera3.

I have two separate routers. One provided by my ISP and one that I purchased. My personal router connects to the ISP router and provides an ‘internal’ network. My Vera2 sits within my internal network. This way I can somewhat isolate the HA stuff from the commercial ISP router/network.

I set as many restrictions on my network as I could (MAC filtering, no SSID broadcast, port restrictions, etc.), and configured my Vera2 to act as a switch (wireless off, no DHCP, etc.).

I’m not a networking pro (far from it). But your basic setup of modem<–router<–switch<–devices (including Vera) is the way I have mine set up.

I assume your router is doing the DHCP assignment. It will hand out addresses to anything attached to it (through a switch or not). It simply expands the ports from your router. Everything connected to your router should be on the same subnet and should be accessible from any other device connected to the router.

With my Vera3 (or maybe it is a UI5 issue), it defaulted to ‘DHCP on’ and ‘wifi on’. It was trying to hand out addresses itself to wireless devices that could connect. I turned off wifi and DHCP in my Vera3.

bucko, it depends on how much paranoia you have. Your current layout, where Vera is just a leaf node downstream from your router, is pretty standard. I bet most users here are doing that (or they are using their Vera AS a router, but I still maintain that that’s a bad idea).

What this leaves you open to is the risk of escalation in the tiny event that someone compromises MCV, and then your Vera. At that point, they are on your LAN and can start to access anything that you have open on your LAN. If the thought of this bothers you—most aren’t concerned—then you can replace your (probably dumb) switch with a managed switch, and lock down Vera onto a separate subnet. Allow through connections that you need (such as webcam image streams), block the rest. It doesn’t protect your Vera, and the imagined intruder can still mess with your lights from afar, but your collection of cat videos is safe.

If you are more paranoid than that, and you want to protect Vera from intrusion by a hypothetical hack of MCV, there are measures you can take. But they aren’t very effective, because Vera phones home a lot. If you are that paranoid, Vera is not for you.
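
The "separate subnet, allow what you need, block the rest" layout from the post above, as an added example (not code from the thread or from the Vera project). It assumes a managed switch puts the Vera on its own VLAN and the router filters between that VLAN and the main LAN; the subnets, the camera address and the Vera ports (3480 for the local interface, 80 for the web UI) are assumptions for the example. The policy lets the Vera out to the Internet so it can still phone home, lets it pull the one camera stream it needs, denies it everything else on the LAN, lets LAN hosts open the Vera's UI, and forwards nothing in from the WAN. `decide()` shows what the router does with a new connection; `render_nft()` emits the same policy as an nftables ruleset.

```python
"""Inter-VLAN policy for a Vera on its own subnet, rendered as nftables rules.

Added example, not part of the original thread. Subnets, the camera host and
the Vera ports below are assumptions; check your own unit and addressing.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.1.0/24")   # assumed: PCs, NAS, cameras
IOT = IPv4Network("192.168.20.0/24")  # assumed: the Vera's VLAN


@dataclass(frozen=True)
class Flow:
    src: IPv4Network  # who may initiate the connection
    dst: IPv4Network  # to whom (a /32 for a single host)
    proto: str        # "tcp" or "udp"
    dport: int


# Connections allowed to cross the VLAN boundary (constructed for the example).
ALLOW = (
    Flow(IOT, IPv4Network("192.168.1.50/32"), "tcp", 80),  # Vera -> webcam image stream
    Flow(LAN, IOT, "tcp", 3480),                            # LAN -> Vera local interface
    Flow(LAN, IOT, "tcp", 80),                              # LAN -> Vera web UI
)


def zone(ip: IPv4Address) -> str:
    if ip in LAN:
        return "lan"
    if ip in IOT:
        return "iot"
    return "wan"


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """What the router's forward chain does with the first packet of a new connection."""
    s, d = IPv4Address(src), IPv4Address(dst)
    zs, zd = zone(s), zone(d)
    if zs == zd:
        return "switched"  # same VLAN: the switch delivers it, the router never sees it
    if zs != "wan" and zd == "wan":
        return "accept"    # either VLAN may go out to the Internet (Vera phones home)
    for f in ALLOW:
        if s in f.src and d in f.dst and proto == f.proto and dport == f.dport:
            return "accept"
    return "drop"          # default deny, including anything arriving from the WAN


def render_nft() -> str:
    """Equivalent nftables ruleset; replies are matched by conntrack, not listed."""
    lines = [
        "table inet home {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {LAN} ip daddr != {IOT} accept",  # LAN -> Internet
        f"    ip saddr {IOT} ip daddr != {LAN} accept",  # Vera -> Internet
    ]
    for f in ALLOW:
        lines.append(f"    ip saddr {f.src} ip daddr {f.dst} {f.proto} dport {f.dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(decide("192.168.20.10", "192.168.1.60", "tcp", 445))  # Vera poking at a NAS: drop
    print(render_nft())
```

Replies to allowed connections come back through the `established,related` rule, so the camera stream works without opening anything from the LAN side toward the Vera; the compromised-controller scenario in the post is limited to the single camera host and whatever the LAN side chooses to open.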

I have the same physical connectivity that you do:
Vera3 WAN port → Switch → Router → Cable Modem

On Vera3 under Setup >> Net & Wi-fi, I have set the following Manual configuration:

- What Network Connection Type do you have? DHCP (a DHCP server assigns this)
- Firewall: Firewall disabled (allow any connections from the WAN or LAN ports)
- DHCP server: Off
- Wifi on: No

On my router, I do not forward any ports to Vera3. You will still be able to use your apps because they go through Mi Casa Verde to get to your Vera, and most apps can be switched between local mode for when you are home and remote mode for when you are away.

On my DHCP server, I have set a static reservation for the Vera3 MAC address so that it always receives the same IP address. This is just so I always know what the IP address is. I also have a DNS server set up so I can access it by name.

I also have my own wireless networks set up with security, so this is why it is turned off on Vera.

This setup is by no means hyper security, but I control the access points into my network. There is router security. Most routers have some sort of firewall on them now. If you do port forwarding, then make sure there is security on the hosts these entries point to, and use different ports above 1024 on the outside when possible. While a port scanner will still find the open ports, it will be tougher to figure out what application the port is for.

One alternative to port forwarding would be to set up VPN access to your network. Some home routers also have this capability. This way, your communication to your network is encrypted and it is just like being local on the network, so you have access to everything while connected. I have this set up using Microsoft PPTP 140 bit encryption and a username and password so that my Android devices and my Windows computers can connect to it using their built-in clients.

There is also the big security risk, which is wireless security. Always make sure your wireless networks that have access to your devices are secured. While wireless security is no problem for the hacker who has the knowledge or the right script, it will keep 99% of people out of your network. I use one secured network with a broadcast SSID for my network devices, and another open wireless network that does not broadcast the SSID that is for guest access to the internet only; this network does not have access to anything on my network and only has access to the internet.

One note on DHCP servers: Having two DHCP servers on the same network serving the same range is bad. They will conflict, and the one that assigns the IP address is the one that answers the DHCP request first; they can also assign the same IP address to two different hosts, causing an IP address conflict on the network. If you have a DHCP server enabled on your router, then you should definitely disable it on Vera.

Thank you all for the input.
I will tweak a few things as suggested, but for the most part, I am good to go.

Cheers

I personally run two DHCP servers on my network, but I limit the addresses that each one can give out to avoid conflicts. This is just how I prefer to do it. I'm running Windows 2008 R2 and find having redundant DHCP servers works great if one machine goes down; one is a virtual on my Hyper-V server and the other is a physical box. This is definitely overkill for most people, but working as a systems admin, I like to simulate an enterprise network at home. This way I can test certain things I might do at work before putting them into production at work! My next step is to cluster them so they can sync up for failover. I also want to get rid of the physical box with DHCP and go all virtual.
To address the OP's question, I would say you have it set up pretty much how most people should! Guess I like the overkill! :)
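
Added example (not code from the thread) covering the two DHCP situations described in the posts above: the earlier warning about a router and a Vera both handing out the same range on one LAN, with a static reservation for the Vera thrown in, and the split-scope pair of servers in the last post whose ranges must not overlap. It checks a set of servers for overlapping pools, reservations that sit inside another server's dynamic pool, and one address reserved for two different MACs. Server names, ranges and the MAC address are constructed for the example.

```python
"""Check DHCP servers on one LAN for overlapping pools and colliding reservations.

Added example, not code from the original thread. Names, ranges and the MAC
address are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class DhcpServer:
    name: str
    subnet: IPv4Network
    pool_start: IPv4Address
    pool_end: IPv4Address
    reservations: dict = field(default_factory=dict)  # MAC -> fixed IPv4Address

    def in_pool(self, ip: IPv4Address) -> bool:
        return self.pool_start <= ip <= self.pool_end


def find_conflicts(servers: list) -> list:
    """Return human-readable problems; an empty list means the servers coexist."""
    problems = []
    same_lan = [(a, b) for i, a in enumerate(servers) for b in servers[i + 1:]
                if a.subnet == b.subnet]
    # 1. two servers on one subnet must not hand out the same dynamic range
    for a, b in same_lan:
        lo, hi = max(a.pool_start, b.pool_start), min(a.pool_end, b.pool_end)
        if lo <= hi:
            problems.append(f"pool overlap {a.name}/{b.name}: {lo}-{hi}")
    # 2. a reservation on one server must not fall inside another server's pool,
    #    or that server may lease the same address to a different host
    for a in servers:
        for mac, ip in a.reservations.items():
            if ip not in a.subnet:
                problems.append(f"reservation {ip} ({mac}) on {a.name} is outside {a.subnet}")
            for b in servers:
                if b is not a and b.subnet == a.subnet and b.in_pool(ip):
                    problems.append(f"reservation {ip} ({mac}) on {a.name} lies inside {b.name}'s pool")
    # 3. the same address reserved for two different MACs anywhere is a conflict
    owner = {}
    for a in servers:
        for mac, ip in a.reservations.items():
            if ip in owner and owner[ip] != mac:
                problems.append(f"{ip} reserved for both {owner[ip]} and {mac}")
            owner.setdefault(ip, mac)
    return problems


LAN = IPv4Network("192.168.1.0/24")
VERA_MAC = "00:0e:c6:aa:bb:cc"  # constructed


def router_and_vera_both_serving() -> list:
    """Router with DHCP on and a Vera left at its default 'DHCP on', same LAN."""
    router = DhcpServer("router", LAN, IPv4Address("192.168.1.100"), IPv4Address("192.168.1.200"),
                        {VERA_MAC: IPv4Address("192.168.1.150")})
    vera = DhcpServer("vera", LAN, IPv4Address("192.168.1.100"), IPv4Address("192.168.1.200"))
    return [router, vera]


def split_scope_pair() -> list:
    """Two servers on one subnet with disjoint ranges; the reservation sits outside both pools."""
    a = DhcpServer("dhcp-physical", LAN, IPv4Address("192.168.1.50"), IPv4Address("192.168.1.149"),
                   {VERA_MAC: IPv4Address("192.168.1.10")})
    b = DhcpServer("dhcp-virtual", LAN, IPv4Address("192.168.1.150"), IPv4Address("192.168.1.249"),
                   {VERA_MAC: IPv4Address("192.168.1.10")})
    return [a, b]


if __name__ == "__main__":
    for scenario in (router_and_vera_both_serving, split_scope_pair):
        print(scenario.__name__, find_conflicts(scenario()) or ["ok"])
```

The split-scope case passes only because the reservation is the same address on both servers and lies outside both dynamic ranges; put it inside either pool and the check flags it, which is the quiet way a "static" address still ends up duplicated on the network.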