Monday, November 30, 2020

My first week with Circle (1st Gen) on Netgear

 So Circle sent me a cheery email about my "first week with Circle!".  

However, it feels like a lot longer than a week, and I haven't exactly felt cheerful.

Yes, OK, my setup is unconventional.  It's likely the source of many of my issues. 

But, in the last week:

•  I've found that Circle is not logging Usage or History, and does not enforce time limits.

•  Circle is not filtering correctly. 

•  It is unclear if it is enforcing SafeSearch.  It seems to be, but it's hard to tell.

•  Rewards are limited to the current day.  You can set "Extend/No Time Limit", "Late/No Bedtime", or "No Offtimes".  You cannot set an increased amount of time for future days.

•  Circle notifies you of new devices appearing on the network, but tapping the notification just makes the Circle app hang.  This is obviously different behavior from every other app out there.

•  The Circle 1st Gen app has forgotten my premium subscription twice, forcing me to unsubscribe, uninstall the app, reinstall, and resubscribe.  Twice.

•  The first time, Circle forgot ALL of my setup, and I had to re-enter every single device, profile and setting.  It seems backup is not automatic; rather, you have to manually back up the 1st Gen app.  I didn't realize this since Circle touts their cloud-based accounts as crash-proof and the backup option is buried at the bottom of the "Manage" menu.

•  Backups appear to be local to the mobile device running the Circle app.

•  The second time 'round, the app asked me for a passcode, but couldn't send it to me, making it useless.  I had to change DNS settings in my primary router to get it to work.

•  When I did get the passcode, it wouldn't validate.

•  For some dumb reason, the passcode is not available in the router UI, nor can it be sent via email.  And it seems to change, meaning you can't just write it down for future reference.

•  After reconfiguration, everything connected except for Chromebooks.  Rebooting and changing DNS on the Chromebooks didn't help.  It took a reboot of the Circle router itself to fix the Chromebooks, which was not obvious.

•  Circle no longer supports the Circle Go app for 1st Gen, meaning there is no parental control off of the local Circle Wi-Fi.

From this, about the only things that work properly are time-based schedules (Bedtime, Off Time, and Rewards thereto), and Pause.  Everything else seems broken.

Again, my setup is weird, and probably unsupported, and I freely admit that many of my troubles are caused by this.  But even when it's working, the limited Rewards, broken core functionality, and constant forgetting of premium features have driven me nearly to the breaking point.

I may bite the bullet and get a Circle Home Plus (2nd Gen) device, and use it as intended - that is, directly attached to my primary router.  But after perusing the Netgear support forums, I'm not hopeful that it will actually do what it's supposed to do.  

Plus, I'm anticipating my router to be smart enough to prevent the ARP poisoning used by Circle.  And I'm quite frankly sick of troubleshooting this thing.


Monday, November 23, 2020

How to set up a separate network for your kids that uses the Circle by Disney or Circle Home Plus

Update: Several of the features of Circle, such as filtering, usage tracking and time limits, are not working.  As many others have reported similar issues, I don't know if this is a result of me setting it up as a second router or not.

I bought a used router that - unexpectedly - had the Circle parental control functions built-in.  I wanted Circle anyway, so it was a bit of luck.  But it wasn't exactly obvious how to set it up.

 

Problem:  You want to set up a Circle network without having all your devices on it.  Or: you want a separate network for your kids, managed by Circle.

Reason: 

•  You're worried about the Circle slowing down your network.  

•  The Circle is easier to set up with only a few devices connected to it.

•  You just don't like the idea of ARP spoofing your entire network. 

•  You have extra hardware lying around, may as well use it.

•  You want a hardware off button for your kids' internet access.

•  It just seems easier.


Easy options:

1.  Router with Circle (Gen 1) built-in.

Pros:  Cheap, easy setup, only one additional device.

Cons:  Off-network / location app discontinued, so no management off-network and no location function; at-home management only.  Gen 1 may not be supported for too much longer (although Netgear seems to think it will stick around).

2.  Second router with stand-alone Circle device.

Pros:  Supports Circle Home Plus (Gen 2), meaning newer features (off-network / roaming device control, location) work. 

Cons:  You need to buy a stand-alone Circle device, at additional cost.  Using two routers in sequence is very much not recommended, meaning you will not find any support.

 

Note that (1), above, seemed an easy and obvious solution at the time, but it's not.  It is actually really hard to get a second router to play nice with the first router.

For these reasons, I actually recommend you go with either (2), above, or a "standard" single router with an attached Circle Home Plus, rather than trying to set up a second router for Circle functions.

However, this might be useful for someone wanting to try out Circle, or for those that want Circle separate from their "regular" network.


Circle-Enabled Router

The below is only a summary, and assumes you know how to access/configure a router.   

Unfortunately, you do need to leave the Circle router in "router mode".  Setting it to be an access point, bridge or repeater will disable the parental controls, making it a pointless exercise.  

This leaves us with cascading two routers, which is (again) not recommended.

 

Steps:

a.  Go buy a second-hand Netgear router with Circle (1st Gen) built in.  (An R7000 / AC1900 should cost around $40.)

b.   IP address:  this is a tough one.

All internet advice says to set it to a unique static IP address on the same network (i.e. 192.168.1.2).  However, there have been reports that Netgear routers do not accept an address intended for internal LAN (such as 192.168.x.x, 10.0.x.x, and 169.254.x.x) as a static WAN address, so this may not work.

From this, if in doubt, use a dynamic IP for the second router.  The Circle router should accept whatever address is handed out via DHCP.

c.  DHCP: also a tough one.

All internet advice says to turn off DHCP on your second router.  But this doesn't seem to work in this scenario.  So you may need to leave DHCP on.

d.  Assign the Wi-Fi network(s) unique SSIDs.

e.  Plug the WAN port of the new router into a LAN port on the old router.

f.  Access the new router from a mobile device:

  •  Connect the mobile to the Wi-Fi SSID of the new router

  •  Access it using http://www.routerlogin.net

g.  Enable "Parental Controls".  (The top one, not the bottom one.)

h.  Hit "Apply".

i.  Hit the link for app download / account setup.  (Note: this will NOT work from a PC, hence the need to do steps (e) onward from a mobile.)

j.  Install the Circle (Gen 1 / First Gen) app.

k.  Run the app, sign up.  

l.  Sign up for the free plan.

m.  Connect a test device to the new router and make sure it all works.

The above worked for me on a Nighthawk R7000 with Circle built-in.  

 

Notes:

•  I did have problems accessing the router consistently.  Changing the IP address made it inaccessible a couple of times.

•  My router appears to be weird, in that I (usually) can't log in to the router via the direct IP address (i.e. 192.168.1.2).  Instead, I have to connect to the router Wi-Fi, then go to http://www.routerlogin.net.

•   Part of the access problem is that when you plug the Circle router into your old router, you are using the WAN port.  

This means access requests come from the WAN side, not the LAN side.  This falls under "Remote Management" (i.e. access by the outside world), which is disabled by default.

To enable, go to Advanced / Advanced Setup / Web Services Management.  The correct access URL will be 192.168.1.xxx:8443, or something like that.  The correct port will be shown on the router page.

•  If you leave DHCP on, the router should start issuing new IP addresses for a different network (i.e. 10.0.0.x).  

This seems to work fine, but will mean devices in the original network space (i.e. 192.168.x.x) will no longer be visible >by name< to the Circle-managed devices.  They should still be accessible by IP address.

•  You can also (obviously) turn off the built-in Circle (Gen 1) hardware and plug in a Circle Home Plus (Gen 2) device any time you want to. So there is an upgrade path.
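
An added example (not part of the original post): a small Python check of the cascaded-router address plan from the steps and notes above, flagging the problems they describe before you change any router settings. The function and parameter names are hypothetical; the sample addresses are the ones used in the post, and port 8443 is the post's approximate value (the router page shows the real one).

```python
import ipaddress

def check_cascade(upstream_lan, downstream_lan, wan_ip,
                  remote_mgmt=False, mgmt_port=8443):
    """Return (level, message) findings for a router-behind-router plan."""
    up = ipaddress.ip_network(upstream_lan, strict=False)
    down = ipaddress.ip_network(downstream_lan, strict=False)
    wan = ipaddress.ip_address(wan_ip)
    findings = []

    # The second router's WAN port is just another host on the first router's LAN.
    if wan not in up:
        findings.append(("error", f"WAN address {wan} is outside upstream LAN {up}"))
    elif wan in (up.network_address, up.broadcast_address):
        findings.append(("error", f"{wan} is the network/broadcast address of {up}"))

    # If both sides use the same range, the inner router cannot tell WAN from LAN.
    if up.overlaps(down):
        findings.append(("error", f"downstream LAN {down} overlaps upstream LAN {up}"))

    # is_private covers 192.168.x.x, 10.x.x.x and 169.254.x.x: the ranges the
    # post says may be refused as a static WAN address.
    if wan.is_private:
        findings.append(("note", f"{wan} is an internal address; if static is "
                                 "refused, let the WAN side use DHCP"))

    # Remote management listens on the WAN side, i.e. towards every upstream host.
    if remote_mgmt:
        findings.append(("warn", f"admin UI at {wan}:{mgmt_port} is reachable "
                                 f"from every device on {up}"))
    return findings

if __name__ == "__main__":
    # Constructed plan matching the post: 192.168.1.x upstream, 10.0.0.x downstream.
    for level, msg in check_cascade("192.168.1.0/24", "10.0.0.0/24",
                                    "192.168.1.2", remote_mgmt=True):
        print(f"[{level}] {msg}")
```

The "warn" finding is the one to weigh: with Web Services Management enabled, the Circle router's admin login is exposed to the whole primary network, not only to devices behind it.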


The below steps I've not personally tried, but hopefully they will work.

 

Circle by Disney or Circle Home Plus (stand-alone devices)

a.  Buy or use any compatible router (list is here), provided it has an access point (AP) mode built-in.

b.  Set up the router as a wireless access point (WAP), with a unique SSID.  (Do not use the existing SSID from your existing router!)

c.  Optionally, configure the router with a unique IP address (i.e. 192.168.1.2).

d.  Plug the WAN port of the new router into a LAN port of your existing router.  Make sure it works.

e.  Set up the Circle Home Plus per the manufacturer's instructions.  Associate it with the new SSID from the new router.

This setup should set up the Circle to manage only devices connected to the SSID of the second router.



Sunday, November 15, 2020

My experience with ExpressVPN

 TL;DR:  It's not good.

Fed up with PIA, I decided to try another VPN.  I thought it might be easiest.

I wanted Hotspot Shield, but the fact that they log personally identifiable information, don't support pfsense and have no live support were deal-breakers.  I wanted it set up immediately.

 

I decided to bite the bullet and go with ExpressVPN.  

More expensive, but most said they were next fastest, they had 24/7 support and supported DD-WRT (for now) and pfsense (for future).

 

I ponied up and got a login.  I had to run their app momentarily to find the fastest server, then I set it all up.

And it worked!  All my smart devices reconnected, all my strange connectivity issues went away. 

 

However, I couldn't find the nameservers for secure DNS protection.  I asked their chat, and they didn't know what I meant.

Turns out, ExpressVPN doesn't support this.  They do allow manual configuration (on DD-WRT or whatever), but they don't provide IP addresses for their secure nameservers.

They asked me if I wanted to use the app instead, I said no.  (Because I'm not setting up the app on every device owned by my kids, wife, etc., that's why.)

Reflashing the router is also an option.  No thanks.

We mucked about for a while.  They really didn't know what to do.

 

After some messing around, their suggestion was to set my router DNS to use 0.0.0.0 for all the DNS servers.  

This appeared to work, and I had connectivity - but left my router admin panel unavailable!  I couldn't see, change, or access anything, which was extremely frustrating.  Almost everything broke, and I couldn't fix it, and it was BAD.

I still don't know why, and never will.  But fifteen tense minutes, one hard reset, and a (painless) restore later, it was fixed.

Fortunately, I had a recent router backup, so I was able to restore the router settings.  But I was extremely unhappy for those 15 minutes, and it was almost sheer luck that I had a recent router backup to use.

 

Now, DNS leaks alone were not necessarily enough to make me quit ExpressVPN after only an hour.  And ExpressVPN did fix all of the connectivity problems I was having with PIA.

But:

-  Torrents were 25% slower than PIA.  Definitely not a boost.  This was the opposite of what I expected.  

-  Not understanding or supporting DD-WRT?

-  Not even knowing what pfsense was?

-  And borking my router?  

Come on. 

 So:

  • Incomplete / inadequate support for DD-WRT / pfsense
  • Seemingly slow torrent speeds  (for me)
  • Not-so-knowledgeable tech support that (somehow) managed to bork my router
  • High cost

Not impressed. 

Maybe if I get brave enough (and time enough) I'll try out NordVPN.  Faster downloads are a perk I'm willing to give up at this point.

Saturday, November 14, 2020

PIA did it again - Oddball problems with VPN

 

As of Nov 14, it appears PIA has stopped working again:

  • Play Store not working (on some devices, OK on others)
  • YouTube not working (on some devices, OK on others)
  • Can't connect to BBC.com, CNN.com, but can connect to most other sites fine
  • Smart home devices offline (ecobee, Honeywell, etc) 
  • Honeywell Home: Endless loading

Of course, nothing changed on my end, and everything works just fine outside of PIA.  Mobiles also work outside of router-based PIA with the PIA app.

See here for the original saga.  Seems they can't keep their network stable for more than 3 months at a time now.  Awesome stuff, those Next-Gen servers - a real improvement!

Strangely, the new problems are not as widespread or consistent as before.  One device has no YouTube, but others do.  One device can't access CNN or BBC, but others do.  A third device has no Play Store, but others do.

One constant is the smart home devices.  As before, they are connected, but cannot reach their home servers.  The ecobee is the most obvious example, as it can even ping ecobee.com but cannot connect.

Changing from AES-256-CBC to AES-128-CBC helped some devices with some problems, but other problems persist.  They're extremely annoying at best and extremely frustrating at worst.

PIA did try and claim blacklisting, but the affected devices work fine on the PIA app.  It's only router-based setup that has issues.

[Edit]:  OK, to be fair, I am using an ancient version of DD-WRT.  My router is business-critical so I don't screw with it.  Possibly I can pick up an open-box special and try flashing the latest, and/or switch to pfsense once my new box arrives.

[Update]:  I tried ExpressVPN, and it worked fine.  I had some issues and didn't stick with them, but there were no problems with connectivity per se