Monday, January 11, 2021

Wi-Fi interference on MX Revolution mouse

Check the wireless channel settings on your 2.4 GHz router.

I had been messing with my network and had set one of my routers to 2.4 GHz channel 3, which resulted in significant interference (skipping, lagging) on my MX Revolution mouse.  Resetting the router to "Auto" improved it somewhat.

Additionally, putting both my wireless APs on the same channel seemed to improve things as well.  They naturally did this themselves on their "Auto" setting, so I'm guessing it's somehow OK.

This might apply to any 2.4 GHz peripheral, but especially older ones that don't use Bluetooth.  My MX is old and is non-Bluetooth.

Alternatively:

-  If your router is set to "Auto", try setting it to a fixed channel;

-  Try moving the mouse receiver closer to the mouse; and/or

-  Try moving the router further away from the mouse.

These did not help my situation but are always worth a try.


Tuesday, January 5, 2021

Is Link Aggregation / LAG / LACP actually faster?

Simple answer:  

•  From a server to multiple clients, YES.

•  From a server to a single client, NO.

Why:  LAG/LACP does not combine several gigabit connections into a single fat connection. 

This is because all traffic for a single IP address has to go through one physical connection.  It's just too complex to do it any other way. 

So, a 4-port LAG is not a party line, where everyone can hear everyone else.  It's one person with 4 phones talking to four separate people each holding 1 phone - none of which can hear each other.

This means that a 4-port NAS can shove out 4 Gbps in total - but only 1 Gbps to each individual client.

(Yes, there are rare exceptions - just enough to make it unclear if LAG to a single client is really faster or not.  But it's not.)

This doesn't make LAG useless.  It just means it's only useful where you have several clients connecting to the NAS simultaneously.  A single client can't take advantage of the LAG, but multiple clients can.

This also applies if you connect two NAS devices together via LAG, and transfer / migrate / replicate data between them.  Each one is a single client, and so can only receive a single lane of data (1 Gbps) - not the 4 Gbps you might expect.
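A simplified model of why this happens, added here as an example (it is not from the original post): the LAG hashes each address pair onto exactly one member link, so one client never gets more than one link, and clients whose hashes collide share a link. The XOR-modulo hash, the IP addresses and the function names are assumptions for illustration; real switches and bonding drivers use their own hash policies.

```python
import ipaddress
from collections import defaultdict

LINK_GBPS = 1.0  # each member link is gigabit, as in the post


def pick_link(src_ip, dst_ip, n_links):
    """Map an address pair to one member link of the LAG.

    Assumed hash: XOR of the two IPv4 addresses modulo the link count,
    a stand-in for whatever policy a real device uses. The point is that
    it is deterministic: the same pair always lands on the same link.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    return (src ^ dst) % n_links


def per_client_gbps(server_ip, client_ips, n_links):
    """Best-case rate per client when all clients pull from the server at once.

    Clients hashed onto the same member link split that link evenly.
    """
    by_link = defaultdict(list)
    for client in client_ips:
        by_link[pick_link(server_ip, client, n_links)].append(client)
    rates = {}
    for clients in by_link.values():
        for client in clients:
            rates[client] = LINK_GBPS / len(clients)
    return rates


def total_gbps(server_ip, client_ips, n_links):
    """Aggregate rate leaving the server across the whole LAG."""
    return sum(per_client_gbps(server_ip, client_ips, n_links).values())


if __name__ == "__main__":
    nas = "192.168.1.10"  # constructed sample addresses
    scenarios = {
        "one client": ["192.168.1.20"],
        "four clients, no collisions": [f"192.168.1.{h}" for h in (20, 21, 22, 23)],
        "two clients, same hash": ["192.168.1.20", "192.168.1.24"],
        "NAS-to-NAS replication": ["192.168.1.11"],
    }
    for name, clients in scenarios.items():
        rates = per_client_gbps(nas, clients, n_links=4)
        total = total_gbps(nas, clients, n_links=4)
        print(f"{name}: total {total:.1f} Gbps, per client {rates}")
```

The "same hash" scenario shows a case the post does not spell out: even with several clients, two of them can land on the same member link and split its 1 Gbps.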




Thursday, December 31, 2020

Things I wish I had known about pfsense before buying my box

1.  pfSense does not generally support more than one network connection per LAN.

That is:

Most off-the-shelf routers have one WAN port (for internet) and multiple LAN ports (for your stuff).  You can plug any/all stuff into any/all LAN port(s) and it just works.

pfSense is not like this.  It expects to have one WAN port and one LAN port.  That's all.  

If you want more, you're supposed to use a network switch.  This may seem counterintuitive, but switches do everything in hardware and are actually faster. 

This means there is really little need to buy a pfSense box or NIC with more than two Ethernet ports (at extra cost).  It won't use the extra ports by default; they are NOT plug-and-play.  In fact, they won't even work until you set them up!

I wish I'd realized this, as I purchased a pfSense box with six ports, which cost more.  I didn't realize the extra ports weren't intended to be plug-and-play for one LAN.

It also means that if you need more than 1 LAN port, you really should invest in a switch as well.  This obviously costs in addition to whatever hardware you are purchasing to run pfSense itself.


However:

A.  If you have already invested in a multi-plug box and want to use the extra ports, you can use the extra ports via bridging.  

pfSense gurus hate this, but it's useful for lots of things - especially if you have good pfSense hardware that can handle the extra load without a big speed penalty.  See here and here.

 

B.  If you have a managed switch that supports Link Aggregation (LAG or LAGG), you can gang multiple ports on your pfSense box to multiple ports to your switch.  

It probably won't speed anything up, but why not?  Can't hurt!  See here.

 

C.  If you can wrangle multiple subnets, you can assign the extra Ethernet ports to their own subnets.  

(If you don't know what that means, don't try.)


Now, a lot of the Qotom boxes (and similar) come with four NIC ports by default, and that's fine.  Same for a lot of popular NIC cards.  Just don't expect the extra ports to be immediately usable like on a Linksys or Netgear.


Sunday, December 6, 2020

How to set up a better separate parental control network for your kids using the Synology RT1900ac router

Again, this is to set up a private, separate, controllable network to implement parental control for the kids, without affecting the main network.

First, don't do what I did here and use a Netgear with Circle built in.  The Synology is SO much better.

Very briefly: set the Synology in bridge mode, then set up Safe Access for parental control.

Basically:

1.  Get an RT1900AC or other Synology router.

2.  Boot it up, go to router.synology.com.

3.  Set it to Access Point mode.

4.  Give it a unique SSID.

5.  If you want, set it to a static IP address.

6.  Let it start up.  If you haven't already, plug it into your "first" router.

7.  Go to router.synology.com or the static ip:8000 to get to the web interface.

8.  Go to "Safe Access" and set up the profiles/settings you want.

9.  If you want, download the app "DS Router" for mobile management.

OK, I probably got the order wrong.  You get the idea.

Compared to using the Netgear, it's soooooo easy.  Everything works: logging, history, filtering, off times, bedtimes, the mobile app, everything.

And there are no subscription fees.  Unlike Circle.  It just works.

Surprisingly, the router started blocking illicit requests from my son's tablet.  It seems there is some hidden process that is trying to ping X-rated websites.  It wasn't him and I can't find any bad apps with Bitdefender, so it's either a bug in Synology (which I doubt) or some really sneaky nasty.  Circle never caught it.

Notes:

-  Leaving tabs open on a PC will cause the PC to drain their time quota,  even if they're not actually using the PC.  The same doesn't happen for tablets or Chromebooks as they're battery-operated and a lot more frugal with their Wi-Fi usage.

-  Pausing the Internet will also cut off all access to everything upstream of the Synology access point, including any NAS devices.  So: no access to stored music, video, or files.  This could be a pro or a con, depending on your needs.

-  The Synology app supports pause, editing of filter level and time-based access, and rewards.  Pretty much just like Circle.

Regrettably, the Synology doesn't support renaming devices, and doesn't allow you to discover the MAC address of some devices directly, which makes setup harder than it needs to be.  These are the only areas where Circle has an edge, but it's not nearly enough to make Circle better.

You could also (obviously) use the Synology as your main router, in which case kids will have LAN/NAS access without having internet access.  

I didn't do this because I have a bunch of port forwarding already set up in my main router, had limited time, and plan to swap my main box for pfsense later.  Keeping the Synology as a parental support bridge made more sense.

But the RT1900ac looks like a very capable router - easily as good as the R7000 Nighthawk I already have.  I wouldn't be scared to swap the Synology in as my primary router.  

It even supports OpenVPN to allow PIA, NordVPN, ExpressVPN or whatever other service you prefer.  Parental controls AND OpenVPN client in a single box!

Ironically, the person who sold me the Synology has also had problems with Circle Gen 1.  So I'm not the only one.

Obviously I highly recommend the Synology routers over the Circle.

Monday, November 30, 2020

My first week with Circle (1st Gen) on Netgear

So Circle sent me a cheery email about my "first week with Circle!".

However, it feels like a lot longer than a week, and I haven't exactly felt cheerful.

Yes, OK, my setup is unconventional.  It's likely the source of many of my issues. 

But, in the last week:

•  I've found that Circle is not logging Usage or History, and does not enforce time limits.

•  Circle is not filtering correctly. 

•  It is unclear if it is enforcing SafeSearch.  It seems to be, but it's hard to tell.

•  Rewards are limited to the current day.  You can set "Extend/No Time Limit", "Late/No Bedtime", or "No Offtimes".  You cannot set an increased amount of time for future days.

•  Circle notifies you of new devices appearing on the network, but tapping the notification just makes the Circle app hang.  This is obviously different behavior from every other app out there.

•  The Circle 1st Gen app has forgotten my premium subscription twice, forcing me to unsubscribe, uninstall the app, reinstall, and resubscribe.  Twice.

[Update]:  OK, three times.  So far.

•  The first time, Circle forgot ALL of my setup, and I had to re-enter every single device, profile and setting.  It seems backup is not automatic; rather, you have to manually back up the 1st Gen app.  I didn't realize this since Circle touts their cloud-based accounts as crash-proof and the backup option is buried at the bottom of the "Manage" menu.

•  Backups appear to be local to the mobile device running the Circle app.

•  The second time 'round, the app asked me for a passcode, but couldn't send it to me, making it useless.  I had to change DNS settings in my primary router to get it to work.

•  When I did get the passcode, it wouldn't validate.

•  For some dumb reason, the passcode is not available in the router UI, nor can it be sent via email.  And it seems to change, meaning you can't just write it down for future reference.

•  After reconfiguration, everything connected except for Chromebooks.  Rebooting and changing DNS on the Chromebooks didn't help.  It took a reboot of the Circle router itself to fix the Chromebooks, which was not obvious.

•  Circle no longer supports the Circle Go app for 1st Gen, meaning there is no parental control off of the local Circle Wi-Fi.

From this, about the only thing that works properly are time-based schedules (Bedtime, Off Time, and Rewards thereto), and Pause.  Everything else seems broken.

Again, my setup is weird, and probably unsupported, and I freely admit that many of my troubles are caused by this.  But even when it's working, the limited Rewards, broken core functionality, and constant forgetting of premium features has driven me nearly to the breaking point.

I may bite the bullet and get a Circle Home Plus (2nd Gen) device, and use it as intended - that is, directly attached to my primary router.  But after perusing the Netgear support forums, I'm not hopeful that it will actually do what it's supposed to do.  

Plus, I'm anticipating my router to be smart enough to prevent the ARP poisoning used by Circle.  And I'm quite frankly sick of troubleshooting this thing.


Monday, November 23, 2020

How to set up a separate network for your kids that uses the Circle by Disney or Circle Home Plus

Update: Several of the features of Circle, such as filtering, usage tracking and time limits are not working.  As many others have reported similar issues, I don't know if this is a result of me setting it up as a second router or not. 

Update:  Circle has now "forgotten" my premium subscription three times.  Again, I don't know if this is related to my setup or not.

Update: Router was not picking up time server. Steps below have been updated.

Given these issues, I don't recommend trying the setup below unless you are willing to take a lot of time to troubleshoot it.


I bought a used router that - unexpectedly - had the Circle parental control functions built-in.  I wanted Circle anyway, so it was a bit of luck.  But it wasn't exactly obvious how to set it up.

 

Problem:  You want to set up a Circle network without having all your devices on it.  Or: you want a separate network for your kids, managed by Circle.

Reason: 

•  You're worried about the Circle slowing down your network.  

•  The Circle is easier to set up with only a few devices connected to it.

•  You just don't like the idea of ARP spoofing your entire network. 

•  You have extra hardware lying around, may as well use it.

•  You want a hardware off button for your kids' internet access.

•  It just seems easier.


Easy options:

1.  Router with Circle (Gen 1) built-in.

Pros:  Cheap, easy setup, only one additional device.

Cons:  Off-network / location app discontinued, so no management off-network and no location function; at-home management only.  Gen 1 may not be supported for too much longer (although Netgear seems to think it will stick around).

2.  Second router with stand-alone Circle device.

Pros:  Supports Circle Home Plus (Gen 2), meaning newer features (off-network / roaming device control, location) work. 

Cons:  You need to buy a stand-alone Circle device, at additional cost.  Using two routers in sequence is very much not recommended, meaning you will not find any support.

 

Note that (1), above, seemed an easy and obvious solution at the time, but it's not.  It is actually really hard to get a second router to play nice with the first router.

For these reasons, I actually recommend you go with either (2), above, or a "standard" single router with an attached Circle Home Plus, rather than trying to set up a second router for Circle functions.

However, this might be useful for someone wanting to try out Circle, or for those that want Circle separate from their "regular" network.


Circle-Enabled Router

The below is only a summary, and assumes you know how to access/configure a router.   

Unfortunately, you do need to leave the Circle router in "router mode".  Setting it to be an access point, bridge or repeater will disable the parental controls, making it a pointless exercise.  

This leaves us with cascading two routers, which is (again) not recommended.

 

Steps:

a.  Go buy a second-hand Netgear router with Circle (1st Gen) built in.  (An R7000 / AC1900 should cost around $40.)

b.   IP address:  this is a tough one.

All internet advice says to set it to a unique static IP address on the same network (i.e. 192.168.1.2).  However, there have been reports that Netgear routers do not accept an address intended for internal LAN (such as 192.168.x.x, 10.0.x.x, and 169.254.x.x) as a static WAN address, so this may not work.

From this, if in doubt, use a dynamic IP for the second router.  The Circle router should accept whatever address is handed out via DHCP.

If you try a static IP and it doesn't work, reset the router by holding the reset button for 7 seconds, then start over.

c.  DHCP: also a tough one.

All internet advice says to turn off DHCP on your second router.  But this doesn't seem to work in this scenario.  So you may need to leave DHCP on.

d.  Assign the Wi-Fi network(s) unique SSIDs.

e.  Plug the WAN port of the Circle router into a LAN port on the old router.

f.  Access the new router from a mobile device:

  •  Connect the mobile to the Wi-Fi SSID of the new router

  •  Access it using http://www.routerlogin.net

ff.  Go to Administration / NTP Settings and set a time server.  Don't use the Netgear default.  Use an IP address (i.e. 216.239.35.0) and not a domain name (such as time.google.com).

fff.  VERIFY THAT THE TIME SETTINGS WORK AND SURVIVE A REBOOT.  If they don't, your premium features will repeatedly disappear.

g.  Enable "Parental Controls".  (The top one, not the bottom one.)

h.  Hit "Apply".

i.  Hit the link for app download / account setup.  (Note: this will NOT work from a PC, hence the need to do steps (e) onward from a mobile.)

j.  Install the Circle (Gen 1 / First Gen) app.

k.  Run the app, sign up.  

l.  Sign up for the free plan.

m.  Connect a device to the new router wifi and make sure it all works.

The above worked for me on a Nighthawk R7000 with Circle built-in.  

 

Notes:

•  I did have problems accessing the router consistently.  Changing the IP address made it inaccessible a couple of times.

•  My router appears to be weird, in that I (usually) can't log in to the router via the direct IP address (i.e. 192.168.1.2).  Instead, I have to connect to the router Wi-Fi, then go to http://www.routerlogin.net.

•   Part of the access problem is that when you plug the Circle router into your old router, you are using the WAN port.  

This means access requests come from the WAN side, not the LAN side.  This falls under "Remote Management" (i.e. access by the outside world), which is disabled by default.

To enable, go to Advanced / Advanced Setup / Web Services Management.  The correct access URL will be 192.168.1.xxx:8443, or something like that.  The correct port will be shown on the router page.

•  If you leave DHCP on, the router should start issuing new IP addresses for a different network (i.e. 10.0.0.x).  

This seems to work fine, but will mean devices in the original network space (i.e. 192.168.x.x) will no longer be visible >by name< to the Circle-managed devices.  They should still be accessible by IP address.

•  You can also (obviously) turn off the built-in Circle (Gen 1) hardware and plug in a Circle Home Plus (Gen 2) device any time you want to. So there is an upgrade path.


The below steps I've not personally tried, but hopefully they will work. You may need to adopt steps above as well.

 

Circle by Disney or Circle Home Plus (stand-alone devices)

a.  Buy or use any compatible router (list is here), provided it has an access point (AP) mode built-in.

b.  Set up the router as a wireless access point (WAP), with a unique SSID.  (Do not use the existing SSID from your existing router!)

c.  Optionally, configure the router with a unique IP address (i.e. 192.168.1.2).

d.  Plug the WAN port of the new router into a LAN port of your existing router.  Make sure it works.

e.  Set up the Circle Home Plus per the manufacturer's instructions.  Associate it with the new SSID from the new router.

This setup should set up the Circle to manage only devices connected to the SSID of the second router.



Sunday, November 15, 2020

My experience with ExpressVPN

TL;DR:  It's not good.

Fed up with PIA, I decided to try another VPN.  I thought it might be easiest.

I wanted Hotspot Shield, but the fact that they log personally identifiable information, don't support pfsense and have no live support were deal-breakers.  I wanted it set up immediately.

 

I decided to bite the bullet and go with ExpressVPN.  

More expensive, but most said they were next fastest, they had 24/7 support and supported DD-WRT (for now) and pfsense (for future).

 

I ponied up and got a login.  I had to run their app momentarily to find the fastest server, then I set it all up.

And it worked!  All my smart devices reconnected, all my strange connectivity issues went away.

 

However, I couldn't find the nameservers for secure DNS protection.  I asked their chat, and they didn't know what I meant.

Turns out, ExpressVPN doesn't support this.  They do allow manual configuration (on DD-WRT or whatever), but they don't provide IP addresses for their secure nameservers.

They asked me if I wanted to use the app instead, I said no.  (Because I'm not setting up the app on every device owned by my kids, wife, etc., that's why.)

Reflashing the router is also an option.  No thanks.

We mucked about for a while.  They really didn't know what to do.

 

After some messing around, their suggestion was to set my router DNS to use 0.0.0.0 for all the DNS servers.  

This appeared to work, and I had connectivity - but left my router admin panel unavailable!  I couldn't see, change, or access anything, which was extremely frustrating.  Almost everything broke, and I couldn't fix it, and it was BAD.

I still don't know why, and never will.  But fifteen tense minutes, one hard reset, and a (painless) restore later, it was fixed.

Fortunately, I had a recent router backup, so I was able to restore the router settings.  But I was extremely unhappy for those 15 minutes, and it was almost sheer luck that I had a recent router backup to use.

 

Now, DNS leaks alone were not necessarily enough to make me quit ExpressVPN after only an hour.  And ExpressVPN did fix all of the connectivity problems I was having with PIA.

But:

-  Torrents were 25% slower than PIA.  Definitely not a boost.  This was the opposite of what I expected.  

-  Not understanding or supporting DD-WRT?

-  Not even knowing what pfsense was?

-  And borking my router?  

Come on. 

So:

  • Incomplete / inadequate support for DD-WRT / pfsense
  • Seemingly slow torrent speeds  (for me)
  • Not-so-knowledgeable tech support that (somehow) managed to bork my router
  • High cost

Not impressed. 

Maybe if I get brave enough (and time enough) I'll try out NordVPN.  Faster downloads are a perk I'm willing to give up at this point.