Our internal network using Apple Products (part 3)

Hello all, I hope that you all had a really good new year and you are ready and rearing to get back to work as I am. To round off the current series of the internal network I thought that I would actually finish off the blogs on this. That’s not to say that this will be the end of the internal network discussions as whilst this is focused on the setup of the network, we will discuss some of the server and storage that we have in greater detail and how they have helped mitigate the awful internet services that we have.

Rather than going over old ground, parts 1 and part 2 of this series focused on the network and how its composed and connected, yes its probably overkill for 4 small businesses to use, but it solves our immediate issues and will be in place for the next 3 years (maybe), it certainly has the capacity to handle more as our needs grow.

Administration of the network.

Ok so we have all seen our network and how it is connected together in from the view of the Airport utility but I will let you see it again so you don’t have to flick back through the previous posts

Screen Shot 2016-01-02 at 12.21.10

As you will recall she (*GFE: ‘she’ as in mostly perfect with the odd glitch like myself?) is all connected via Cat 6a cables running throughout the internal structure of the house with a Cat 6a shielded external grade cable running out to the kennel block. I have turned many of the features off on the routers and access points because I wanted more granular control over the network, and adding static addresses into this is rather annoying as it requires a reboot for every change that you make to the router, something I wish Apple would address in future updates. All of the shared items totalling 20 devices would have taken several reboots to set them on a static address, plus any ACL’s I wanted to put into place would also have been a pain in the rump to resolve. Thankfully all is not lost though as we have the iServer with Apple’s iteration of what a server should be and also the Synology Ds1813+ both servers in their own right and both running a Unix like operating system which makes me very happy from my background in Unix and Linux enterprise servers and infrastructure, you can do everything so simply or if you want to get down and dirty with the underpinnings of the OS you can, its not a problem (so long as you have root 😉 ). Generally I stick with the GUI interface for the basic stuff, manly as because I am working to very tight deadlines to satisfy the needs of Sarah to get something working it’s easier to click buttons, than type out the commands, check them in my test environment and then push them to the live environment, it also passes the GAT because I can show Sarah what I have done (if I need to) so that she can troubleshoot and resolve some of her own issues (GFE: what like turning it off and on again?) as well as learn about the OS that she now uses in more detail.

iServer Setup

Below I will show you the hardware and software configuration of the iServer that is currently running the network, in the next 12 to 18 months I hope to be replacing this with something a little newer so that I can make use of more 802.1AC networking from the wireless card as well as the newer generation of processors and SSD’s, what I am not looking forward to though is soldered on RAM….

Hardware

  • Mac Mini Late 2012
  • 3Ghz Core i7 (Ivy Bridge)
  • 16Gb of Crucial RAM tuned for Apple products
  • Intel HD 4000 Graphics with 1.5Gb of RAM
  • 512Gb Crucial 2.5” SSD for the OS
  • Dual mSATA to SATA connector
  • 2x Samsung 1Tb mSATA’s in RAID 0 (these were the largest on the market at the time)
  • Bluetooth 4 chip (not really used other than to play music to soundbar)
  • Apple-based 1Gb wired network card (primary)
  • Apple 802.11n wifi card (management)
  • Thunderbolt (no longer used)
  • 4x USB 3’s used for various things
  • 1x SDcard Reader (4Gb card installed and soft link from downloads)
  • HDMI used to connect to the 46” Sony Smart TV for debugging if it ever loses the network

Generally, 99.99% of the time the mac mini sits on the shelf, serving up what its’ been configured to do and dish out and act as a VMWare fusion test centre for my lab environment as well as serve my Service Desk applications.

Software and OS

  • MacOSX 10.11.12 El Capitan
  • Apple Server Application
  • VMWare fusion
  • Office 2016 (I have the family pack so seemed a waste not to install it)
  • All the usual Apple-based installs
Screen Shot 2016-01-02 at 12.55.07

Nothing out of the ordinary other than the Apple Server Application, which is what we are going to cover in this post in more detail as well as the server stuff on the NAS array.

For the NAS I use the following equipment

  • Synology DS1813+
  • Intel Atom 2.13Gb D2700
  • 4Gb of RAM
  • 4x 1Gb bonded Network Cards
  • 1x Salvaged Wireless USB dongle (802.11N)
  • 8x 4Tb Western Digital Reds (32Tb RAW) in RAID6

Software

  • Sinology 5.2 U2
  • DS Antivirus (always good to check for viruses)
  • Plex (media Server
  • DS Audio (Media Server)
  • iTunes Server
  • DS Video
  • DS Photo
  • DS Cloud (for onsite CCTV backups to the cloud)
  • Open Directory (backup of Apple Directory Server)
  • DNS Server
  • Proxy Server
  • Backup location for TimeMachine (All Mac backups to the NAS)
  • Download Center (so that I can schedule large downloads overnight)
  • PHP
  • WordPress (test site internal only)
  • Python module (required for some things to work)
  • MariaDB (this is a pain that I hope to move over to something else although it would be a bit of a downgrade)
  • DS Surveillance

As you can see the NAS is a very heavily used piece of kit that we use almost every minute of every day although we don’t always know how much we do unless it fails, or more likely until I accidentally reboot it during the day (and trigger a GBAS session). A lot of the internal DNS and databases are running on this server as well as the proxy server (we will touch on this later). It also has our ripped DVD and Blu-ray collection on it as well as a copy of our music so that we can stream throughout the house without the need for our phones or computers to be turned on. For compliance and security reasons the recordings of significant events are sent via Rsync to the surveillance station and then copied out overnight to the cloud, this reduces the amount that is streamed over the internet as well as keeping a backup elsewhere in case the CCTV DVR is ever stolen., it is also programmed to call home with current images and network information of where it is if it is ever stolen.

Getting control of the DHCP Server

When I first started to look into the Airport Extreme’s I knew they had some limitations on the amount of control that they want to give you, they are basically designed as a set it and forget it device for the standard user, however I’m not one of these and I wanted control over my DHCP, I already had the iServer configured as the sole DHCP server and user accounts server, so I didn’t want to turn the DHCP scopes off on the iServer and combine my scopes from smaller ones to one large scope, as it would mean mixing my lab environment up with the production kit, this is not a very good place to be. So looking at the options that I had available to me with the airports as shown below.

Screen Shot 2016-01-02 at 13.33.34

As you can see you don’t really get any option to turn off the DHCP without just turning the Router into just another access point, this is great for all the other Airports but not good for the one that you want to set up as the Router, Apple has really screwed up on this one as the Airports themselves are not modems and so they need to connect to either an ADSL model or some other connections method to get out onto the internet, the trouble with this is most Modems have a NAT and DHCP server behind them as well but in most cases you can disable the DHCP and other features that you won’t use but still provide a route to the internet. So to get the Airport to act as a router and still use the iServer as a DHCP server, you have to choose between one of the DHCP options, with how our internet is currently set up this is a pain, as when I am on the ADSL line I don’t need to use the NAT, whereas when I am on the Satellite broadband I need the NAT in place to fool that modem into thinking only one device is connected to it. So for this setup I used the DHCP with NAT option this gives me an error message about having two NAT’s when on the ADSL line but this isn’t really a problem and you can ignore the error. So how do you actually go about using your external DHCP server with the Airport Extremes.

In short, I have gone through the steps you go through to make this happen

Screen Shot 2016-01-02 at 14.20.52

  • Set a small DHCP range using IP addresses that aren’t used by the real DHCP server or any other device on the network. (Actually, it can probably duplicate another device but this is cleaner.) In the screenshot, I used 172.16.100.100 to 172.168.1.101. I had to use two addresses, due to another one of Apple’s limitations
  • Create dummy DHCP reservations for each of the IP addresses. The MAC addresses don’t have to be real.

For the more detailed setup then you would need to follow the steps below

Screen Shot 2016-01-02 at 14.20.52

Open the Airport Extreme Utility and go to the Network tab and click the Network Options button.

Screen Shot 2016-01-02 at 14.20.52

Set a DHCP range that’s appropriate for your network. Use addresses that aren’t used by any of your computers or other DHCP ranges. (In theory, none of these addresses should be used, but keeping things valid will avoid problems.) Save the screen and you’ll be back on the network tab

Screen Shot 2016-01-02 at 14.21.31

.

Screen Shot 2016-01-02 at 14.22.38

Click the “+” sign under “DHCP Reservations.

Type in a description, make sure “MAC Address” is selected for “Reserve Address By” and type a dummy Mac address. I just type the number “1” (or 2) until it stops me. Then save the information

Screen Shot 2016-01-02 at 14.23.05

.

Repeat step 4 for all IPs in the DHCP range. The Airport Utility will prefill an unreserved IP in the range so you don’t need to keep track.

Save everything all the way out and your Airport Extreme will restart.

In the end, the Airport Extreme is still running a DHCP server, except it doesn’t have any IP addresses to hand out so the “real” DHCP will be the only one to respond, it’s a bit of a faff but it works. Some of the Windows virtual machines that I have don’t like this setup but as they are temporary most of the time they can just be statically assigned an IP in the test range.

So now you have seen how to set up the Airports using an external DHCP source, yes it’s a bit of a faff but if you like control and neatness to your setup then you will need to go through the above.

So what do my DHCP Ranges look like?

If I was just wanting a simple design then I could have just dumped everything into one big scope and it would have worked, I could have added all the ACL’s as well as the static IP’s but then everything would have been in the same scope and it would have been ugly and a mess, I could have just set up the DHCP and then on each of the devices set each one to be static, this would have been a nightmare to resolve anything it would also mean that I would have to teach Sarah how to turn off the static IP when connected to another network (this would not pass GAT), so this is the setup of the IP Scopes that we currently have

  • Network Core – provides each of the AirPort Extremes and the Express with a static Address
  • Core Devices – This is basically all of the shared infrastructure devices such as the Smart TV’s the NAS, the iServer and the Switches IP, everything in here has a static address
  • DHCP Scope – this is basically everything that isn’t covered in here it has a total of 30 addresses to give out
  • Security – this is really important as it keeps the security devices out of the other scopes, each of these addresses are statically assigned
  • VPN – give the iServer VPN service 3 addresses to be able to connect inwardly to the iServer remotely
  • Test – provides 10 Addresses for test and development purposes, this is generally blocked off with dummy addresses or scaled back to the actual number of devices when not in use.

The only true DHCP scope is the DHCP Scope, all others only have enough addresses for the number of devices in that range.

Screen Shot 2016-01-02 at 14.39.14

DON’T FORGET

This is important, especially if like me you use multiple routers and access points in a roaming configuration enable IGMP Snooping on the Airport’s, this will allow the IP address and device hostname to roam across the network, if you don’t you will end up with your network having a device called ‘iPhone(2)’ rather than ‘ghoules iPhone’. I will cover this in more detail in future.

Other server-related settings

The Synology does the internal DNS as well as the Proxy services to help make the ADSL and Satellite broadband connections more efficient all internal Mac devices have the updates pushed from the iServer which are downloaded during the night as well as the mobile devices, this makes updating all our devices rather quickly during the day as it’s a local cache meaning that we only have to download the updates once and they get installed to everything else from the iServer. We also have a netinstall service meaning that we can download overnight the latest OSX version and boot up any Mac from the iServer to install a fresh copy of the OS, although this service is very seldom used as not a lot goes wrong with a Mac that you have to reinstall the OS, it is generally used on new devices or to build test machines on. The Proxy server has 10Gb of space dedicated to it, I will explain what a proxy server is an how it can help you in future blog posts.

What I have learned from doing all this

Well I have learnt a lot about consumer-grade networking equipment and I have summarized some other things that I have learnt along the way below

  • Apple products fit in with Apple products in looks and simplicity to use but they are not very good on the networking side if you want some control
  • Beamforming and other wireless technologies, yes its great on paper but in real life it sucks
  • Buying the top of the range Linksys or any other brand will not give you everything that you want or suit your requirements
  • I’ve learnt a lot about blogging
  • I’ve learned to listen to Sarah (GFE: really?) and make things simpler for her, yes I am technically minded and I do what I do in my sleep but Sarah isn’t and so I have found ways to make things user-friendly

So whats for the future

I have a lot of plans for the future of this network, my main goal in all of this is to keep everything simple and easy to maintain, but I have a few ideas below that I want to do

  • Explore Acceleration technology for the satellite Broadband
  • The NAS is coming to end of life this year, and I want to explore other options
    • Do I go back to using the DROBO’s, the 5D looks like a winner
    • Upgrade the Synology to a 12 bay model
    • Either way, it will be filled with Seagate enterprise 6Tb drives
    • Will be over-engineered
  • Possibility of adding another Airport Extreme to the other end of the kennel block to further the range of the network, in an attempt to get to the top of the field, useful when trying to get to information on the NAS whilst walking dogs. Or in the summer being able to work in the field office (we have a desk at the top of the field) (GFE: that’s my old kitchen table that won’t fit in my pokey kitchen and serves a purpose for deep thinking)
  • The Cat 6a supports 10Gbs I really want to try this out because it would satisfy my geekiness
  • Sort out radius services for the WIFI meaning that we can use our own network credentials to connect to the local network instead of just an insecure single passphrase
  • Maybe test the wireless extenders from Linksys that I already have to extend the network further.
  • Finally, sort out a decent internet connection

Well I hope that you have had some laughs (GFE: yes because this post is hilarious !!! – <yawns>, plus Seb isn’t always aware of my ‘GFE’s’)  and it has answered some of your questions on how and why we have set up our network the way that we have, yes I could have used all of the Linksys routers and the access points to do the same job but the setup would have been clunky (GFE: like your old knackered Z4(BFE: Really Sarah?)) and we would not have the flexibility to do the roaming across the network, the other way would have been to use Cisco controller and Access points, but this would have been about 5 times the cost and really been overkill. I would really appreciate your thoughts on my network, or for you to share your setup, please contact me either via email s.truswell@ghouletech.co.uk or the comments section below. Also as I am blogging now please send your suggestions on future posts.

  • GFE: – GirlFriend Edit