Network topography question

[-defunct-]

58 minutes ago, ekohn00 said:

If you create a CONTROL4 VLAN, and everything having to do with C4, including remotes, is in that VLAN then the other's have no bearing.

That said....  I just find it so much easier to go without vlans - especially when most connections are GE. The work won't give much performance improvements.

Not sure about you, but I guess I was assuming that everyone wants to integrate everything on their network into Control4 like me.

Can't really separate stuff if it's all supposed to be controlled and integrated.

[ejn1]

9 minutes ago, Dunamivora said:

Not sure about you, but I guess I was assuming that everyone wants to integrate everything on their network into Control4 like me.

Can't really separate stuff if it's all supposed to be controlled and integrated.

I think you can make everything work but there are few devices that appear to be a bit more difficult.   The trade off is having loads of IoT devices in your network with possibly back doors to the rest of your network for hackers .

[ejn1]

2 hours ago, Neo1738 said:

Also most fiber modems that go light to internet and cable don't have a bridge mode option due to ISP being stupid and their hardware being super restricted. 

Yes but there are ways around this...

[Neo1738]

2 hours ago, ejn1 said:

Yes but there are ways around this...

please enlighten me our modem/ router has no bridge and no dmz. Make my araknis router worthless. 

[ejn1]

13 minutes ago, Neo1738 said:

please enlighten me our modem/ router has no bridge and no dmz. Make my araknis router worthless. 

What is the model of your modem and what service do you have...

[Neo1738]

5 minutes ago, ejn1 said:

What is the model of your modem and what service do you have...

local isp called buckeye and iphotonix 7278g

 

there is very little available on the internet I've scoured. If you figure a way to bridge out I'll give a nice reward lol. 

 

[ejn1]

20 minutes ago, Neo1738 said:

local isp called buckeye and iphotonix 7278g

 

there is very little available on the internet I've scoured. If you figure a way to bridge out I'll give a nice reward lol. 

 

The manual states you can connect a router to ETH1 or ETH2 ports on the back.   Have you tried putting your Araknis on a different subnet and connect to one of these ports? 

[mujtaba.khokhar]

19 minutes ago, Neo1738 said:

local isp called buckeye and iphotonix 7278g

 

there is very little available on the internet I've scoured. If you figure a way to bridge out I'll give a nice reward lol. 

 

Ive just googled this and it looks very similar to the one some ISP's in the UK use. 

All i have to do is connect ETH1 to the wan on the router, on the router Set the Vlan tag (its usually 10 or 100) enter the PPPOE details, sometimes. 

maybe give it a go... 

[Neo1738]

15 minutes ago, mujtaba.khokhar said:

Ive just googled this and it looks very similar to the one some ISP's in the UK use. 

All i have to do is connect ETH1 to the wan on the router, on the router Set the Vlan tag (its usually 10 or 100) enter the PPPOE details, sometimes. 

maybe give it a go... 

Goal is to bridge isp modem and use araknis router. Otherwise everything on araknis is double NAT causes issue remote and local viewing cameras. Have 2 separate on the app based on if I’m home or off local network.

 

ejn1 The araknis is on one of those ports but everything is double NAT. Trying to get rid of isp router NAT.

[SMHarman]

If you can configure the UniFi and know how to troubleshoot networks, then I'd say that may work.
 
If not, then I would get something that is easier to configure and works off the shelf. Misconfigured UniFi networks can wreck a system.

I'll give it a shot and see how it works. Long way to go before the audio is wired so I'll go with the Unifi for now. If it gives me issues with streaming later, I may swap it out. Thank you both.

Yes this. Many of us run Unifi. Some edge cases cause problems. Mostly it just works.

I've yet to see one of these edge cases.

[mujtaba.khokhar]

22 minutes ago, Neo1738 said:

Goal is to bridge isp modem and use araknis router. Otherwise everything on araknis is double NAT causes issue remote and local viewing cameras. Have 2 separate on the app based on if I’m home or off local network.

 

ejn1 The araknis is on one of those ports but everything is double NAT. Trying to get rid of isp router NAT.

Does your ISP router have firewall settings? if so you can create some rules to allow traffic to flow through properly. 

i know its not the solution you might be looking for (It sucks, i know) but it may be a way around things. 

what you'll want to do is reserve / fix the IP address the ISP router gives to your araknis and then setup firewall rules accordingly. 

might also be an idea to disable DHCP on the ISP router too. 

also on your Araknis enable IPSec Passthrough, and PPTP Passthrough. 

[Neo1738]

8 hours ago, mujtaba.khokhar said:

Does your ISP router have firewall settings? if so you can create some rules to allow traffic to flow through properly. 

i know its not the solution you might be looking for (It sucks, i know) but it may be a way around things. 

what you'll want to do is reserve / fix the IP address the ISP router gives to your araknis and then setup firewall rules accordingly. 

might also be an idea to disable DHCP on the ISP router too. 

also on your Araknis enable IPSec Passthrough, and PPTP Passthrough. 

Will look into that. There is firewall and ports have been forwarded however that doesn't disable NAT.

[ekohn00]

15 hours ago, Dunamivora said:

Not sure about you, but I guess I was assuming that everyone wants to integrate everything on their network into Control4 like me.

Can't really separate stuff if it's all supposed to be controlled and integrated.

That goes back to my original saying...sometimes VLANs are overly complex for the situation.

[ejn1]

2 hours ago, Neo1738 said:

Will look into that. There is firewall and ports have been forwarded however that doesn't disable NAT.

without a DMZ+ setting, maybe you can resolve via a manual Firewall settings...   Sounds like you already tried that though.   Another option is to call the modem mfg.   They have a Texas phone number at the end of their manual and their tech support might have a few ideas.   ISP tech support probably useless but maybe the mfg can give you any thoughts or to tell you if another approved modem has passthrough or DMZ options.   I know with ATT there are 2 different PACE modems available and with Gig service and one has a IP passthrough and the other has DMZ options but they are different.   That is an obscure modem you are using for sure...

[ejn1]

6 minutes ago, ekohn00 said:

That goes back to my original saying...sometimes VLANs are overly complex for the situation.

They are more complex than not having them for sure.    Its just your tolerance for security and they also help i believe with network topography elements.   All you read about is video camera back door security breaches and other IoT devices so I thought i would give it a try to segregate.   I have cameras and NVR segrated now and working flawless (without any issues).  They are also connected to my C4 system which is on another VLAN.   With Unifi, it was a pretty straight forward exercise aside from like I said earlier,  a device not working properly into C4 (Big Ass Fans)...  

[Neo1738]

3 hours ago, ejn1 said:

without a DMZ+ setting, maybe you can resolve via a manual Firewall settings...   Sounds like you already tried that though.   Another option is to call the modem mfg.   They have a Texas phone number at the end of their manual and their tech support might have a few ideas.   ISP tech support probably useless but maybe the mfg can give you any thoughts or to tell you if another approved modem has passthrough or DMZ options.   I know with ATT there are 2 different PACE modems available and with Gig service and one has a IP passthrough and the other has DMZ options but they are different.   That is an obscure modem you are using for sure...

Yeah would probably have to go that route, spoke w my ISP who said this is the only approved modem for our service and they know there is absolutely no bridge or dmz option available. I had them turn off firewall didn't help.

[maskas]

On 4/30/2020 at 11:12 PM, mujtaba.khokhar said:

How come you’re sticking with your isp router? Is there any particular reason for this?

I would advise to change this to another router.

I’m a mikrotik man

In terms of plugging everything in.

I would go router —> switch —> devices

My personal preference is to daisy chain switches

I like to use managed switches (I use either cisco or mikrotik)

One setting to look out for is multicast traffic this must be enabled on routers and switches to make sure Control4 works properly.

Second piece of advice - if you have network cameras put them onto a separate subnet otherwise you’ll just flood your main network for no reason with all the UDP multicast traffic coming from the cameras constantly streaming.

I hope that helps you

P.s this is just my opinion and the way I do things and what works for me, I know it many not be right to some people and I might get cussed but networks always seem to be a very touchy subject.

M


Sent from my iPhone using Tapatalk

Unrelated question. Been using Mikrotik for routers for years and its been pretty good. Been thinking about getting their switches now. What's your experience been like? How do they stack up against Cisco? It seems the switches are a relatively new line for Mikrotik.

[mujtaba.khokhar]

Unrelated question. Been using Mikrotik for routers for years and its been pretty good. Been thinking about getting their switches now. What's your experience been like? How do they stack up against Cisco? It seems the switches are a relatively new line for Mikrotik.

Ive been using their switchers for a few years now, bought my first mikrotik switch in 2017, started off with their normal gigabit switches and have recently vested in to the poe switches too.

We have a 10Gigabit Fiber backbone at home, with a Gigabit lease line coming lol

Im running a pretty complex network, with multiple subnets, VLANS and site to site VPN’s all running on a RB2011 and it’s never failed me once. (One of the VPNS lets me access Sling from the UK)

Overall opinion, like any mikrotik device once’s it’s setup properly it just works. I’ve not physically rebooted any of my tik stuff in a long time, but I do do updates regularly.

One thing to look out for with the poe switches is that they used POE TYPE B some some POE devices will not work DoorBird being one of the ones I’ve found. Other than that Control4 touch screens, processors power up just fine. Many IP cameras I’ve tired are good too.

One thing I hate is the switches are white so it totally ruins any rack aesthetic, unless you’re going for the white look

Overall I rate them! It’s a top product!

Thanks
M


Sent from my iPhone using Tapatalk

[maskas]

1 hour ago, mujtaba.khokhar said:

Ive been using their switchers for a few years now, bought my first mikrotik switch in 2017, started off with their normal gigabit switches and have recently vested in to the poe switches too.

We have a 10Gigabit Fiber backbone at home, with a Gigabit lease line coming lol

Im running a pretty complex network, with multiple subnets, VLANS and site to site VPN’s all running on a RB2011 and it’s never failed me once. (One of the VPNS lets me access Sling from the UK)

Overall opinion, like any mikrotik device once’s it’s setup properly it just works. I’ve not physically rebooted any of my tik stuff in a long time, but I do do updates regularly.

One thing to look out for with the poe switches is that they used POE TYPE B some some POE devices will not work DoorBird being one of the ones I’ve found. Other than that Control4 touch screens, processors power up just fine. Many IP cameras I’ve tired are good too.

One thing I hate is the switches are white so it totally ruins any rack aesthetic, unless you’re going for the white look

Overall I rate them! It’s a top product!

Thanks
M


Sent from my iPhone using Tapatalk

Sounds pretty good! Are you using the SwitchOS or RouterOS on the switch?

[mujtaba.khokhar]

Sounds pretty good! Are you using the SwitchOS or RouterOS on the switch?

Router OS

purely due to the face that I can access them via winbox remotely through romon


Sent from my iPhone using Tapatalk

[maskas]

15 minutes ago, mujtaba.khokhar said:

Router OS

purely due to the face that I can access them via winbox remotely through romon


Sent from my iPhone using Tapatalk

In that can you mark some ports to act like switched ports and separate the routed ports?

[mujtaba.khokhar]

1 hour ago, maskas said:

In that can you mark some ports to act like switched ports and separate the routed ports?

they are both pretty much the same. 

stick with RouterOS

[maskas]

9 hours ago, mujtaba.khokhar said:

they are both pretty much the same. 

stick with RouterOS

Ok thanks for the info!