Networking, DHCP, DNS etc. What do you guys do?

From my other posts, you will probably gather I am “Mr. Low Level”, I like to get access as close to the metal as possible.

So it shouldn’t surprise you that most of my setup is static IP. That means static IPs actually flashed into device firmware. So a Sonoff switch might have 10.0.0.9 hardcoded into it, and the server address of 10.0.0.3 is also hardcoded into the networking calls.

But… I now have about a dozen devices in my eco system and that is expected to grow. I’m starting to dislike static hardcoded addressing.

My first thoughts were of course DNS, which would allow most network requests to be to a “named entity” rather than an IP. So for example, I would send an ON command to a Sonoff called living-room-lights-1.mydomain.com rather than 10.0.0.12.

While this provides flexibility in containing all the name->IP mappings in one place where it can be edited, it does not help me if I want to move that switch off 10.0.0.12 and put it somewhere else.

So, DHCP will of course allow me to assign IPs to MACs in a single place.

What I need is a way to combine the two. DNSMasq provides this functionality. However I stumbled upon “PiHole” which comes as a RaspberryPI image, a normal installer or as a Docker image. Not only does it provide DNSMasq functionality, it also has large lists of advertisement servers and aims to block DNS requests to these.

I have not yet tried, but I believe with DHCP the host asking for a lease can provide its hostname; the DHCP server can choose to ignore this and assign it one, but either way it can post a DNS record update to the DNS server for that host and IP. So now it would be the one DHCP config file (or web UI) where you can say:

aa:bb:cc:xx:xx:xx:xx:xx -> 10.0.0.12 -> living-room-lights-1.

So I can freely move that device to a different IP and/or host name without even having to touch it, just maybe power cycle it.

There are caveats of course. You can only really have one DHCP server per subnet or it gets confusing. You “can” technically have more than one if they are working together in HA or if one is master and the others are configured to relay to the master. The latter (DHCP Proxy/Relay) is also how you get DHCP (a broadcast protocol) to transit a router between subnets. Most good Wifi routers provide this functionality out of the box, but software solutions exist too.

I’m curious as to what others have done in this regard.
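As an added example, not from the original post, here is the MAC -> IP -> hostname mapping described above expressed as a dnsmasq configuration fragment; the interface name, domain, MAC addresses and IPs are assumed values:

```conf
# dnsmasq.conf fragment (added example; all values below are assumed)
interface=eth0
dhcp-authoritative              # we are the only DHCP server on this subnet

# DNS side: names registered from DHCP leases get this suffix,
# and lookups for it are answered locally, never forwarded upstream
domain=home.lan
expand-hosts
local=/home.lan/

# Dynamic pool for devices we do not care about
dhcp-range=10.0.0.100,10.0.0.199,24h
dhcp-option=option:router,10.0.0.1

# Fixed leases: MAC -> IP -> hostname in one place.
# Moving living-room-lights-1 to another address is a one-line edit here;
# the device itself only needs a power cycle to pick up the new lease.
dhcp-host=aa:bb:cc:00:00:03,10.0.0.3,openhab
dhcp-host=aa:bb:cc:00:00:12,10.0.0.12,living-room-lights-1
```

With this in place, `living-room-lights-1.home.lan` (and the bare `living-room-lights-1`) resolves to whatever address the matching `dhcp-host` line currently assigns, so clients never need the IP baked in.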

Pihole is great. I’ve used it for a while now.
Using it as your only dhcp server is an option but be aware that it can / does too suffer from sd card issues.

Personally I keep “server” items as static ip / dnsname (I use pfsense for everything) and iot sensors just use host name as they don’t often push.

Advantages of using Pihole are also no adverts. Which is nice.

I would not run Pihole and OH on the same rpi. Until recently it ran OK on my first edition rpi with 256mb but now requires more due to the size of the white lists.


Yes. I think the Pi gets overused and used for things it probably shouldn’t be used for.

We all like the “Little Pi that could”, but it does bite back when the SD card gets corrupted or it suddenly stops connecting to the Wifi randomly. Both have happened to me several times now. Then there is hitting the performance bottlenecks; for example, as a NAS it works brilliantly until you point something like a smart TV at it and it makes 32 concurrent requests for movie thumbnails when you open a folder on DLNA. Without careful configuration, 32 concurrent media file scans will absolutely kill a Pi; it might not even respond to ping for a while.

For small things it would often be far smarter to use a micro-controller like an Arduino or ESP8266 with no OS to maintain and no writable persistence (with caveats) to corrupt. It will be smaller, cheaper, use less power and require less intervention. The downside is learning how to write code for MCUs which is somewhat different and often in C(++).

For larger things like OpenHAB, PiHole and CCTV stuff, the mediocre performance, stability and reliability are the main issues. I am thinking of moving these things to Docker images and placing them on the Linux server I run as a NAS 24/7 anyway. At least with Docker, as long as you keep the definition files and back up the data, you can restore them to service on any PC running Docker should the need arise.

In fact, I think I’ll just grab a coffee and see if I can get PiHole running in Docker this Sunday afternoon.

I too have pihole installed but I use it just for DNS… as I’m not so confident yet to rely on the RPi for DHCP, I use my router for DHCP and made reservations on it, so all devices are set to DHCP but it always gives them the same IP… and it’s easy to manage.


I have a synology nas and a separate server (Celeron J3455) for all the other stuff like dhcp, dns, firewalling, nginx. I just don’t like my NAS to operate as a firewall. The pi3 runs openhab2.

dnsmasq in my setup serves 5 subnets in a VLAN environment (Guest, Family, Core, IOT, VPN). No problem.

Regarding pihole: Blocking ads on a DNS level may work. My experience these days is that an increasing number of content providers are detecting this and provide only a limited subset of their service. Configuring the ad-blocker in a browser in this case for me is easier.
BTW: Long term I’ll be moving openhab to my server. A Pi is nice for experiments and e.g. Kodi/XBMC, but I feel more and more uneasy running HA on an SD card.

I have DHCP services running from a layer 3 switch (Cisco), I have DHCP for two subnets with two corresponding VLAN tags. I don’t have to setup the DHCP proxy/forward since the switch sits in those subnets.
You should be able to accomplish the same on a dnsmasq system if you can have it sit in multiple subnets (only assign one gateway to avoid routing issues). Should be easy to do with a VM, on a device like the Pi you would have to do far more that would probably not be worth the effort.
In my case, after having woes with WeMo and Google screwing over the Nest API access, 95% of my automation is Z-Wave products, as I just want something that is going to work, and not relying on IP addressing is a bonus in my book (I have two Lifx bulbs for a fan light combo).

Interesting stuff. I went through a phase of dividing up my network with nets like WAN, LAN, Guest, Wifi and such, but in the end I tore it all out and put one flat subnet, leaving the router to manage the firewall. I did pick the 10.0.0.0 range, but I currently only use the 10.0.0.0/24 class C subnet so I have plenty of room to readdress later.

I realise with the router and NAT the firewall is pretty solid for incoming, but of course NAT does not provide outbound firewalling. As I haven’t bothered to set up any such blacklists or rules, and the router does support it if I choose to, it’s fine. This is coming from an IPTables veteran!

For those with multiple subnets and/or VLANs what was the driving force for that? Easier management? Broadcast boundaries? Firewalling between them? Security? Something to play with?

Oh, and after a quick reconfigure of my server kernel to add all the virtual server and networking bumpf required for Docker, it came up fine, as did pihole from docker-compose. I haven’t got DHCP working within Docker yet, but I’ve parked it for now and will see how PiHole does for DNS. I notice already it’s blocking most of the Microsoft phone-home crap in Windows 10, but isn’t blocking YouTube ads on the smart TV.

I set up multiple VLANs to allow me to set up restrictions if I needed to; currently only a guest wifi and a solar panel device have restrictions and only have access to the Internet. Currently trying to bring pfsense up in a VM so I can restrict the younger generations in my house to authorized domains on the devices they have in their hands… then I don’t need to be concerned with hiding/restricting apps.
I have had to make some exceptions to things, for a while Plex wouldn’t work in a different subnet from the Rokus; should probably revisit/re-evaluate to verify if it is still an issue.

I have also noticed Pihole doesn’t block/prevent YouTube ads; last I looked into it, this was due to a limitation, and trying to block them resulted in videos not playing. Blockers in web browsers, however, somehow manage to block/prevent them.

Nothing to play with 🙂 I have more valuable use for my time.
Basically it’s about security. TVs, receivers, amplifiers, fridge (yes, networked), Amazon Echo are all on an IoT VLAN/wifi. No access to the local net.
The family network was needed to implement basic protection with nginx for the hue bridge. Same for openhab. Both hue and openhab have no user-specific ACLs and thus allow anybody with access to them to do maximum damage. I have an nginx reverse proxy on the firewall server which protects the hue API and the openhab REST interface.
Guest network: Well, guests may use internet access.

Originally the VLAN setup was driven by an incident where an internet radio with somehow bad bonjour/upnp messages made the hue bridge reboot every 5 minutes. Extremely annoying. Documented on developers.meethue.com

Anyhow, nerd stuff 🙂

Apart from that I stick to Z-Wave (predominantly Fibaro) and Zigbee (Hue, only Philips bulbs) to keep the nerd factor to a minimum (still too big). The worst experiences I had were whenever I tried to save some money. Anything which needs a cloud is out of scope; I managed to include the fridge in openhab (IFTTT with maker events) but don’t need such an experience again.

Yes, the only real concern I have had with internal security is things like the smart TV. I had a bit of a fright when, while bored and browsing around the TV’s features, I found a section which said “Recent photos”, and in there were a large number of photos from a network drive. This startled me a bit until I worked out that the folder was shared on DLNA. My friend at work worried me even more when he said, “And of course it didn’t upload thumbnails to any cloud service or anything…”

However the point of DLNA is to access your media from smart devices, so all I did was remove read permissions for the DLNA server from places it shouldn’t be!

For guest Wifi my router provides that, out of the box, all I need to do is turn it on and give it a password. The Guest Wifi has internet access but no LAN access.

My daughter does not currently live with me, but if that becomes the case then I can see a requirement to restrict outbound access from her devices or any device she can access. I’d probably do that with a firewall redirect for web ports to a proxy with parental filtering.

I used to run a small web hosting service, so still have a bunch of that infrastructure here at home.

I have Comcast Commercial internet; more expensive, but has been pretty reliable, and has no subtle limits or caps, and gives me static IPs for the Internet-facing equipment.

I use an OpenBSD server on a single board computer running as a filtering bridge to filter between the raw Internet and my Internet-accessible hosts. The filtering bridge has no visible IP address on the Internet and does not show in traceroute so it’s tricky to find and bypass. It has pf rules for all the inbound ports on the Internet-facing hosts.

That plugs into a switch, on the DMZ VLAN. The Internet hosts are on that DMZ VLAN, and are configured with static, real Internet IP addresses. There are only a few so this is not too hard to maintain.

I then have a Netgate PFSense box (used to use another single board computer, but it died and the Netgate was easier than rebuilding my own) plugged into the DMZ VLAN as Internet. The filtered side of that plugs into the VLAN that all of our household devices are on. The Netgate box can do a lot more than I use it for; if I didn’t have all my other stuff set up already, I’d let it do DNS and DHCP for us. Right now, it’s pretty much only a firewall and NAT provider. Outbound traffic is mostly unrestricted, and nothing comes in. All our wifi hotspots, desktops, internal servers, etc., are on this network. Oh! It also runs OpenVPN so we can get to our stuff (including openhab) from outside, securely.

The switch also has a management VLAN which has no Internet access and just allows me to connect to the servers and network gear by private network. This lets me get to and do updates on the filtering bridge, and allows me to always connect to the servers should I need to. These machines use one of the less common private IP ranges, and have fixed IPs. Again, there are only a few. One of them is a console server, which allows access to the serial consoles of all the network stuff, too.

On the household VLAN, we have a server that does a bunch of things. It is a NAS, runs an internal web server, runs squeezecenter for all the squeezeboxes (we have five at the moment, and may add more) and any other software we need in the house. It is the source of internal DNS and DHCP.

DHCP provides static IP addresses, linked to MAC address, for most of the server-like things. I used to do it for our desktops, too, but we’ve quit caring, since I got Dynamic DNS working. Now you just go to everything by name; DNS has been updated by DHCP and the name works. If you get a new address, nobody cares, because DNS knows about it.

I maintain private DNS entries for everything. I hate using static IPs and know none of them by heart. I have a Raspberry Pi running as a DNS secondary server for us, so if the main host is down names still work. It has almost literally no custom data on it, and when the SD card cooks itself it takes about half an hour to rebuild. (Install raspbian, copy in one archived config file, enable named, reboot.)

The maintenance VLAN and DMZ VLAN use fixed IPs, so if DNS is down I can manage if I have to. But, job one is to restore DNS.