Home Network Design

bPsdTZpW

@bpsdtzpw I wasn't in the conditions to check it yesterday evening, but yes, cert issued by Kaspersky and domain managed by a company in Florida ahahah.
I was browsing just to avoid trusting the store description, both match, so it seems reliable :D

Interesting The cert it serves me is issued by CPanel as intermediate to Comodo, with SHA256 fingerprint 41:A6:F1:A2:CB:2C:91:54:30:78:7C:45:0C:FF:C2:C4:6F:D9:7D:E5:0D:01:96:40:1C:09:94:0B:D6:5A:4E:DA . This is cert https://crt.sh/?id=5515086855 . I guess you're using Kaspersky as security software?

, I just wonder how the hell they don't have these details in the official website...

Some manufacturers sell some products in only certain regions. Still, there should at least be some official link from the well-known manufacturer site to the unknown site.

JT40

@bpsdtzpw
CN = dlinkmea.com ,
DNS Name=www.dlinkmea.com
DNS Name=dlinkmea.com
DNS Name=mail.dlinkmea.com

The domain doesn't refer to the original one.

Regarding the cert validation, I don't think that means that I'm using Kaspersky, even though it could use the trust store from KS, it can't override who issued the cert, but that's what I get on the browser, I should use the console or a third party service, I'll check.

JT40

In the end I couldn't take more than a 10 ports switch, anything above it has 2 fans, which is untolerable with 45 dB(A) noise at minimum speed...
That 10 ports switch has PoE on 8 ports + 2 SPF, not sure how I will use them but I think thst SPF ports can be used as normal ethernet.

If I need to expand in anyhow in the future, I can get somethig like this DGS-1210-24, it's fanless but no PoE, which is fine.
I'm simply not sure how it will behave after the 10 ports switch... Shall I tag the same VLAN when it comes to a simple expansion?
For example:

DGS-1210-10MP E1 connected to E2 (just to avoid confusion on the thread - E stands for Ethernet port) in DGS-1210-24, shall I tag the same VLAN ID (let's assuume VLAN 20) also on the DGS-1210-24 when it comes to a simple expansion of ethernet ports on the same VLAN?
The idea is getting other 24 ports on the same VLAN 20 created on the switch DGS-1210-10MP.

Does this setup support client isolation at the latest switch level?
Will the firewall be able to manage the routing of each machine connected to the network? It seems obvious if I get over the DGS-1210-10MP :D , but the machines will be after 2 switches, hence the doubt. In networking it should be possible, but I'm not sure with these devices.

johnpoz

@jt40 if switches support vlans - then yes you can pass vlans between switches.. Not sure what your questions or concern is to be honest.

Yes the uplink between switches would be a trunk port and allow the vlans you want.

bPsdTZpW

@jt40 said in Home Network Design:

@bpsdtzpw
CN = dlinkmea.com ,
DNS Name=www.dlinkmea.com
DNS Name=dlinkmea.com
DNS Name=mail.dlinkmea.com

The domain doesn't refer to the original one.

Regarding the cert validation, I don't think that means that I'm using Kaspersky, even though it could use the trust store from KS, it can't override who issued the cert, but that's what I get on the browser, I should use the console or a third party service, I'll check.

If you're not using Kaspersky security software, this probably should not happen. [1] Please post the SHA256 fingerprint of the leaf cert that the domain is serving you.

[1] Some security software acts as a MITM proxy to deep-scan HTTPS traffic. To do this, it needs to serve your browser a cert ultimately rooted in a cert that your browser trusts.

bPsdTZpW

@jt40 :In the end I couldn't take more than a 10 ports switch, anything above it has 2 fans, which is untolerable with 45 dB(A) noise at minimum speed...

Cisco CBS350-24P-4G ( https://www.cisco.com/c/en/us/products/collateral/switches/business-350-series-managed-switches/datasheet-c78-744156.html ) has 24 ports, 195W PoE+, and no fans. I haven't tried it, but I've been pleased with the 16-port no-PoE fanless version I currently use.

JT40

@bpsdtzpw I'm using it, but I find it very weird.
This is the SHA a84c393949a841252f20085b9c33c120f6711f15

JT40

@bpsdtzpw ahaha, the 24 ports is 700 pounds, which is understandable considering the features, TDP and PoE.
All the others are also quite expensive, they are the most recent devices from Cisco if the website doesn't lie.

stephenw10

I have a Brocade ICX6450-24P which is an older device but it's a real enterprise switch with all the features you could ever want. It has 2 fans but they are not too loud. I swapped them out for quieter ones and it never gets hot. I only ever run a few APs from it though.
They can be had surprisingly cheaply when they comes up for sale. The 6430 model even cheaper.

Steve

bPsdTZpW

@jt40 said in Home Network Design:

@bpsdtzpw I'm using it, but I find it very weird.
This is the SHA a84c393949a841252f20085b9c33c120f6711f15

I can't find that cert at https://crt.sh , which contains info on network certs issued by most reputable CAs. Also duckduckgo and google don't show any matches. Please post the cert's serial number.

JT40

@bpsdtzpw Serial number: 4200000210619acc88

JT40

I just purchased this https://store.ui.com/products/unifi-ap-6-lite
Am i good to use such PoE convertor? 802.3af PoE Injector (48v)

Unifi-ap-6-lite requirements:
Supported voltage range 44 to 57VDC
Max. power consumption 12W

It seems good :D

I gave up on the PoE switch, it was not available :D , maybe in the future I'll think to some 10 ports switch only to use PoE.
As usage, I can only think of videocameras for now.

JT40

@bpsdtzpw It's possible that Kaspersky is doing something with it, but normally the cert should not be changed...

In any case, on the EMEA website there are all the product informations, but not on the international version, probably US.
https://eu.dlink.com/uk/en

johnpoz

@jt40 said in Home Network Design:

Am i good to use such PoE convertor? 802.3af PoE Injector (48v)

Are you not just buying their injector?
https://store.ui.com/collections/unifi-accessories-poe-injectors/products/u-poe-af

But yeah if its an af injector you should be good. Make sure it supports gig.

stephenw10

As long as you don't have one of their older models that uses non-standard 24V PoE. Like I do.
Those were all supplied with injectors though AFAIK.

Steve

JT40

@johnpoz Good point, I totally ignored it :D .
I struggled to find it on the official website, anyway it's all out of stock.
I found it on another store, the only difference seems to be a label (UPOE instead of only AF), I didn't spot anything else, it's probably original :D

I think I need to use iperf from the phone to test it, I don't have 1 Gbit or so.
Thanks a lot for the heads up.

JT40

@stephenw10 I bought the latest AP model, if that's what you are referring to.
Regarding the parts, I don't have a way to check it now, I don't know if my AP was produced in 2020 or 2018, so to say.

stephenw10

The AC-LR I have is pretty clearly labelled 24V and it's a few years old now. I doubt you have that.

bPsdTZpW

@jt40 said in Home Network Design:

@bpsdtzpw Serial number: 4200000210619acc88

This cert does not exist on https://crt.sh . The only hit that Google returns is this conversation. I suspect you're running Kaspersky and it's MITMing your https connections, thus giving this alternate certificate chain. What happens if you use the same browser to navigate to https://www.amazon.com , and look at the cert chain? It should be www.amazon.com -> DigiCert Global CA G2 -> DigiCert Global Root G2 . If there's Kaspersky in there, it's MITMing your connection.

JT40

@bpsdtzpw Yes, it's doing deep scanning of every connection, also HTTPS, but I didn't know that it behaves in this way for the certs...
I also have the Windows Certificate store in use from KS, it's weird that it performs such task.
On top of that, I don't know where I can disable such thing, it must be a built-in function between the HTTPS scanning or other network scanning options.