Architect Shack

Home IT Setup



Page Revision: 2011-12-05 05:36


This is going to be an attempt at documenting the main aspects of my home (and, by extension, office) networking and computing setup, so that I have my thoughts in one place, and have an easier time of figuring out what's missing, and what to change, when another machine or technology enters the fray.

There's a very faint chance that something here might be useful to someone or that they get sent here by some confused search engine algorithm - if so, don't hesitate to contact me with any questions.

Network

I'm a big fan of technologies that make me the "owner" of my hardware, and as such DD-WRT (and others in the family, such as Tomato firmware) strike me as the coolest thing ever. Consequently, I try to buy devices that are supported by open firmware (as far as I know, DD-WRT has the broadest support).

I recently purchased what appears to be the best of both worlds - the "TP-Link TL-WR841ND v7", an absolutely dirt-cheap router (less than 30 EUR) that happens to be supported by DD-WRT, and here's the high-level setup:

  • Administration -> Management: Password
  • Setup -> Basic: IP Address (192.168.2.1)
  • Setup -> MAC Address Clone: Set this to a fixed value that is the SAME as the sometime-default, because otherwise the WAN MAC, and therefore the interim IP address, changes over the router's boot/uptime... (use the default MAC but ending in 2, as this seems to be the pre-cloning MAC)
  • Administration -> Management: Web access - HTTPS only, internal only, no telnet or SSH (except temporarily for backup & upgrade...?)
  • Administration -> Management: Max Ports: 4096
  • Administration -> Management: TCP Timeout: 300 secs (UDP default 120)
  • Wifi
    • Primary "TWireless" with WPA2-PSK-AES, ending in "7"
    • WDS of type "LAN" to AP, defaults
  • DHCP Fixed (list snipped)
  • Port Forwarding (list snipped)
  • QoS
    • Enable, on WAN, default packet scheduler, with uplink & downlink specified.
    • Set the IP Phone MAC address with "Premium" priority (need to "Add" to set the priority)
    • Add a "MiniMac-BT" service for the appropriate port range, apply
    • Select the new "MiniMac-BT" service at "Bulk" priority (means no reservations at all)

Additional parameters that I would have liked to set up, but which caused reliability problems (within-network inter-host connectivity failures, WDS connectivity failures, etc.):

  • guest "GuestWireless" with WPA2-PSK-AES password on a note on the fridge
    • Setup -> Networking: create "br1" bridge for 192.168.4.1, save/apply
    • Setup -> Networking: create a bridge assignment, "br1" to the virtual wifi interface ("ath0.1")
    • Setup -> Networking: multiple DHCP Server, create "DHCP 0" on "br1" (NOT "ath0.1"), On, defaults.
      • At this point you have a guest SSID and subnet, with internet access, but full cross-talk!
    • Administration -> Commands: Save Firewall script (from http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs):
      # Each "-I" inserts at the head of its chain, so the lines below end up in reverse order
      # Guest (br1) <-> LAN (br0): no new connections in either direction
      iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
      iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
      # Guest -> other hosts on the WAN subnet (ISP neighbours): no new connections
      iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
      # Guest -> the router itself: drop everything new, then re-allow only DHCP and DNS
      iptables -I INPUT -i br1 -m state --state NEW -j DROP
      iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
      iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
      iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
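To see why the guest-isolation rules above have to be written with "-I" (insert at head) rather than "-A" (append), here is an added Python simulation, not part of the original page or of DD-WRT, of how the kernel walks the resulting INPUT and FORWARD chains for a few constructed packets. The WAN subnet (standing in for the nvram lookups), the "vlan2" WAN interface name and the ACCEPT chain policy are assumptions.

```python
import ipaddress

# Constructed stand-in for `nvram get wan_ipaddr`/`nvram get wan_netmask`.
WAN_NET = ipaddress.ip_network("203.0.113.0/24")
# The script's rules in file order as (chain, match, target); a missing match
# key means "any". "iptables -I" prepends, so later lines are checked first.
SCRIPT = [
    ("FORWARD", {"in": "br1", "out": "br0", "state": "NEW"}, "DROP"),
    ("FORWARD", {"in": "br0", "out": "br1", "state": "NEW"}, "DROP"),
    ("FORWARD", {"in": "br1", "dst": WAN_NET, "state": "NEW"}, "DROP"),
    ("INPUT", {"in": "br1", "state": "NEW"}, "DROP"),
    ("INPUT", {"in": "br1", "proto": "udp", "dport": 67}, "ACCEPT"),
    ("INPUT", {"in": "br1", "proto": "udp", "dport": 53}, "ACCEPT"),
    ("INPUT", {"in": "br1", "proto": "tcp", "dport": 53}, "ACCEPT"),
]

def build_chains(script, insert=True):
    """insert=True models 'iptables -I'; insert=False models 'iptables -A'."""
    chains = {"INPUT": [], "FORWARD": []}
    for chain, match, target in script:
        if insert:
            chains[chain].insert(0, (match, target))
        else:
            chains[chain].append((match, target))
    return chains

def matches(match, pkt):
    for key, want in match.items():
        have = pkt.get(key)
        if key == "dst":  # -d is a subnet match
            if have is None or ipaddress.ip_address(have) not in want:
                return False
        elif have != want:
            return False
    return True

def verdict(chains, chain, pkt):
    """First matching rule wins; the chain policy is assumed to be ACCEPT."""
    for match, target in chains[chain]:
        if matches(match, pkt):
            return target
    return "ACCEPT"

# Constructed packets: guests on br1, the LAN on br0, the WAN port on vlan2.
GUEST_DHCP = {"in": "br1", "proto": "udp", "dport": 67, "state": "NEW"}
GUEST_ADMIN_UI = {"in": "br1", "proto": "tcp", "dport": 443, "state": "NEW"}
GUEST_TO_LAN = {"in": "br1", "out": "br0", "dst": "192.168.2.30", "state": "NEW"}
GUEST_TO_WAN_NEIGHBOUR = {"in": "br1", "out": "vlan2", "dst": "203.0.113.7", "state": "NEW"}
GUEST_TO_INTERNET = {"in": "br1", "out": "vlan2", "dst": "198.51.100.10", "state": "NEW"}
```

Running build_chains(SCRIPT, insert=False) shows the failure mode: with appends, the blanket INPUT DROP sits above the DHCP/DNS accepts and guests never get a lease.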


Home Server

An increasing requirement is an always-on server - I happen to currently favor a Mac Mini running Windows 7 (I stick to Windows out of laziness - I'm just quicker on my feet in a Windows environment). I would love a more power-efficient Pico-ITX or similar server, but Apple's power usage claims on the Mac Mini are already pretty impressive, and it doubles as a decent projector source.

Sync Folders

I'm a big fan of Unison as it's a dedicated cross-OS sync solution, but I'm more than a little saddened by its stagnation/abandonment; I'd love to create something equivalent (for my purposes at least) starting from a project like Duplicati, but in the meantime I keep using Unison, as it's the only reliable cross-OS open-source solution I'm aware of. These instructions are tainted by my preference for Windows, but seem to work:

  • Install cygwin ssh on the server (currently v1.7.x). I used to shrink away from any setup that included cygwin because of the unmaintainable bloat I remembered, but recently gave it a try and was VERY pleasantly surprised by the package-manager-like setup program they have now. Easy to set up, easy to use, but you still need some googling:
    • Install base packages + nano (or your editor of choice) and OpenSSH, and auto-selected dependencies
    • from a cygwin terminal started as Administrator, run "ssh-host-config"
      • privilege separation: yes (it can only be safer, and I haven't found it breaking anything yet)
      • new local account: yes
      • service: yes
      • value of cygwin: (I left it blank - the defaults seem to work fine for me)
      • different name than cyg_server: no (will only be asked on windows 2003 and later)
      • create user cyg_server: yes (will only be asked on windows 2003 and later)
      • new password: something that you will never remember (you can always reset it and update the service(s) later)
    • As recommended here, might as well change /etc/sshd_config to prevent legacy SSH 1 connections, using nano to edit the file (for some reason cygwin protects its config files against local windows admins...?)
    • Similarly, change the port to (marginally) help avoid drive-by automated attacks
    • start the service ("net start sshd")
    • if you're running a host-based firewall like Windows Firewall, set up an appropriate exception (usually on your target port, TCP only)
    • If you're going to want access from outside your LAN (eg for remote backup), then set up a port forward on your router (TCP only)
    • If you're setting up a dedicated user for Unison (with limited rights, presumably) then run "mkpasswd -cl > /etc/passwd" afterwards to sync the passwd file.
    • Test eg with FileZilla
  • Install Unison on server
    • Drop GTK+ (2.22.0??) files somewhere known eg Progra~1, and add to path (optional, for GUI debugging)
    • Drop Unison files somewhere known eg Progra~1 (optional, for GUI debugging)
    • Copy Unison-Cmdline into C:\Windows\System32 (or somewhere else that will be in the PATH of a cygwin shell), as Unison.exe
  • Install Unison on Client
    • Drop GTK+ (2.22.0??) files somewhere known eg Progra~1, and add to path
    • Drop Unison files somewhere known eg Progra~1
    • Add plink.exe and the ssh.exe wrapper to plink (eg from here) in the Unison folder
      • We don't use cygwin SSH, although it also works, because cygwin SSH has irritating permissions/path issues outside of its shell env.
    • Generate a public/private keypair with PuTTYgen, keep the private key file with the Unison setup (program file probably), and place the appropriate entry in the server's "authorized_keys" file for the target user (creating the .ssh folder for that user profile if necessary, and even the user's folder in /home).
    • Connect to the server from the client using PuTTY, to save the trusted host key
    • Set up one or more appropriate "prf" files in your User profile's ".unison" folder, eg:
      #local folder to sync
      root = c:\Archive
      #server/shared mirror location
      root = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive
      #Careful with this! Forces RSync mirroring! (deletes any local files that don't match - rarely use)
      #force = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive
      #private key file and port number specifiers for plink
      sshargs = -i ConfuzzedToUnisonOnMinimac.ppk -P 99999
      #back up all deleted files in the unison profile folder, just in case!
      backup = Name *
      #accept (non-conflicting) changes automatically
      auto = true
      #start automatically (don't wait for the user to click anything)
      batch = true
      #trust file timestamps and sizes on windows, don't always re-hash in case someone's messing with us (much faster).
      fastcheck = true
      #don't bother with version control internals, trust that there is a connection to an authoritative VCS server
      ignore = Regex .*/*\.(svn|git).*
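As an added example (not from the original page or from Unison itself), here is a small Python parser and sanity checker for a profile in the shape above; the sample profile, key file name and port are constructed placeholders. The checks flag the two things the comments above warn about before a profile runs unattended with auto/batch: an active "force" line, and a batch profile with no "backup" line.

```python
import re

# Constructed profile in the shape of the one above; key file and port are placeholders.
SAMPLE_PRF = """\
#local folder to sync
root = c:\\Archive
#server/shared mirror location
root = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive
#force = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive
sshargs = -i example-key.ppk -P 2222
backup = Name *
auto = true
batch = true
fastcheck = true
ignore = Regex .*/*\\.(svn|git).*
"""

def parse_prf(text):
    """Parse .prf text into {key: [values]}: '#' lines are comments and keys
    such as root and ignore may legitimately repeat."""
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        prefs.setdefault(key.strip(), []).append(value.strip())
    return prefs

def check_prf(prefs):
    """Problems to fix before running the profile unattended (auto + batch)."""
    problems = []
    roots = prefs.get("root", [])
    if len(roots) != 2:
        problems.append(f"expected exactly 2 roots, found {len(roots)}")
    if "force" in prefs:
        problems.append("force is set: the other replica will be made to match the forced root")
    args = " ".join(prefs.get("sshargs", []))
    port = re.search(r"-P\s+(\d+)", args)
    if port and not 1 <= int(port.group(1)) <= 65535:
        problems.append(f"sshargs port {port.group(1)} is out of range")
    if any(r.startswith("ssh://") for r in roots) and "-i" not in args.split():
        problems.append("ssh root without -i: no private key file given for plink")
    if prefs.get("batch") == ["true"] and "backup" not in prefs:
        problems.append("batch=true without backup: deletions are unrecoverable")
    return problems
```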

© 2007-2012 Tao Klerks