Home Network Design
-
@jt40 if switches support vlans - then yes you can pass vlans between switches.. Not sure what your questions or concern is to be honest.
Yes the uplink between switches would be a trunk port and allow the vlans you want.
-
@jt40 said in Home Network Design:
@bpsdtzpw
CN = dlinkmea.com ,
DNS Name=www.dlinkmea.com
DNS Name=dlinkmea.com
DNS Name=mail.dlinkmea.comThe domain doesn't refer to the original one.
Regarding the cert validation, I don't think that means that I'm using Kaspersky, even though it could use the trust store from KS, it can't override who issued the cert, but that's what I get on the browser, I should use the console or a third party service, I'll check.
If you're not using Kaspersky security software, this probably should not happen. [1] Please post the SHA256 fingerprint of the leaf cert that the domain is serving you.
[1] Some security software acts as a MITM proxy to deep-scan HTTPS traffic. To do this, it needs to serve your browser a cert ultimately rooted in a cert that your browser trusts.
-
@jt40 :In the end I couldn't take more than a 10 ports switch, anything above it has 2 fans, which is untolerable with 45 dB(A) noise at minimum speed...
Cisco CBS350-24P-4G ( https://www.cisco.com/c/en/us/products/collateral/switches/business-350-series-managed-switches/datasheet-c78-744156.html ) has 24 ports, 195W PoE+, and no fans. I haven't tried it, but I've been pleased with the 16-port no-PoE fanless version I currently use.
-
@bpsdtzpw I'm using it, but I find it very weird.
This is the SHA a84c393949a841252f20085b9c33c120f6711f15 -
@bpsdtzpw ahaha, the 24 ports is 700 pounds, which is understandable considering the features, TDP and PoE.
All the others are also quite expensive, they are the most recent devices from Cisco if the website doesn't lie. -
I have a Brocade ICX6450-24P which is an older device but it's a real enterprise switch with all the features you could ever want. It has 2 fans but they are not too loud. I swapped them out for quieter ones and it never gets hot. I only ever run a few APs from it though.
They can be had surprisingly cheaply when they comes up for sale. The 6430 model even cheaper.Steve
-
@jt40 said in Home Network Design:
@bpsdtzpw I'm using it, but I find it very weird.
This is the SHA a84c393949a841252f20085b9c33c120f6711f15I can't find that cert at https://crt.sh , which contains info on network certs issued by most reputable CAs. Also duckduckgo and google don't show any matches. Please post the cert's serial number.
-
@bpsdtzpw Serial number: 4200000210619acc88
-
I just purchased this https://store.ui.com/products/unifi-ap-6-lite
Am i good to use such PoE convertor? 802.3af PoE Injector (48v)Unifi-ap-6-lite requirements:
Supported voltage range 44 to 57VDC
Max. power consumption 12WIt seems good :D
I gave up on the PoE switch, it was not available :D , maybe in the future I'll think to some 10 ports switch only to use PoE.
As usage, I can only think of videocameras for now. -
@bpsdtzpw It's possible that Kaspersky is doing something with it, but normally the cert should not be changed...
In any case, on the EMEA website there are all the product informations, but not on the international version, probably US.
https://eu.dlink.com/uk/en -
@jt40 said in Home Network Design:
Am i good to use such PoE convertor? 802.3af PoE Injector (48v)
Are you not just buying their injector?
https://store.ui.com/collections/unifi-accessories-poe-injectors/products/u-poe-afBut yeah if its an af injector you should be good. Make sure it supports gig.
-
As long as you don't have one of their older models that uses non-standard 24V PoE. Like I do.
Those were all supplied with injectors though AFAIK.Steve
-
@johnpoz Good point, I totally ignored it :D .
I struggled to find it on the official website, anyway it's all out of stock.
I found it on another store, the only difference seems to be a label (UPOE instead of only AF), I didn't spot anything else, it's probably original :DI think I need to use iperf from the phone to test it, I don't have 1 Gbit or so.
Thanks a lot for the heads up. -
@stephenw10 I bought the latest AP model, if that's what you are referring to.
Regarding the parts, I don't have a way to check it now, I don't know if my AP was produced in 2020 or 2018, so to say. -
The AC-LR I have is pretty clearly labelled 24V and it's a few years old now. I doubt you have that.
-
@jt40 said in Home Network Design:
@bpsdtzpw Serial number: 4200000210619acc88
This cert does not exist on https://crt.sh . The only hit that Google returns is this conversation. I suspect you're running Kaspersky and it's MITMing your https connections, thus giving this alternate certificate chain. What happens if you use the same browser to navigate to https://www.amazon.com , and look at the cert chain? It should be www.amazon.com -> DigiCert Global CA G2 -> DigiCert Global Root G2 . If there's Kaspersky in there, it's MITMing your connection.
-
@bpsdtzpw Yes, it's doing deep scanning of every connection, also HTTPS, but I didn't know that it behaves in this way for the certs...
I also have the Windows Certificate store in use from KS, it's weird that it performs such task.
On top of that, I don't know where I can disable such thing, it must be a built-in function between the HTTPS scanning or other network scanning options. -
@jt40 said in Home Network Design:
@bpsdtzpw Yes, it's doing deep scanning of every connection, also HTTPS, but I didn't know that it behaves in this way for the certs...
I also have the Windows Certificate store in use from KS, it's weird that it performs such task.Yeah, that's how HTTPS scanning typically works, since the encryption is assumed to be (should be) unbreakable. So the scanner acts as a proxy between your browser (system, if the scanner installer put its root cert in your system root store -- shiver!) and the website. That is, your browser forms an HTTPS connection to the scanner, which allows the scanner to decrypt the traffic and scan it, then the scanner forms an HTTPS connection to the website.
The browser-to-scanner connection is thus encrypted with the key from a cert with a wildcard DNS name that matches every possible website. This leaf cert is then signed by a root cert for the scanner "CA". The scanner's installer installs that root cert in your browser's root store so that the browser recognizes the leaf cert as valid.
All this rigamarole means that you can no longer use the browser to determine what cert chain the website actually uses. You need |dig| or some other such tool for that.
On top of that, I don't know where I can disable such thing, it must be a built-in function between the HTTPS scanning or other network scanning options.
Your scanner should provide some UI to disable HTTPS scanning.
-
@bpsdtzpw said in Home Network Design:
Your scanner should provide some UI to disable HTTPS scanning.
This! There is no possible way the benefit of whatever that software is doing that would be worth giving them access to all the encrypted stuff you might be doing - login to your bank accounts for starters..
-
@johnpoz Ya. FWIW, Kaspersky is based in Russia, and is currently banned on U.S. government systems and those of U.S. government contractors and subcontractors. https://www.wsj.com/articles/u-s-government-formalizes-kaspersky-ban-11568194206 ; https://www.securityweek.com/kasperskys-us-government-ban-upheld-appeals-court . But any scanner (ha! any program!) with network access creates potential risks. There is no free lunch in this area.
