Networking, security & backups in 2024

I made a couple of upgrades to our home network recently so I thought I’d map it out and talk about it a little.

Home network

About a year and a half ago we bought a house. One of its major selling points (at least for me) was that it came pre-wired, with ethernet cables already installed in the walls.

Here’s how I used that to set up our home network – one that provides high quality wired or Wi-Fi internet access in all rooms, bathrooms, and outside areas.

Network diagram titled ‘Home network’. The diagram shows four room locations, one roaming location, and wired ethernet cables in the wall of the house. The garage is where the internet is connected via an NBN modem. That room also has a router, switch, NAS, and printer – all of which have wired connections. The downstairs living room has a network switch, TV, UHD player, and home theatre – all of which have wired connections. The upstairs retreat has a Wi-Fi extender + switch and TV, UHD player, and home theatre. All but the home theatre have wired connections. The upstairs home office has a desktop with a wired connection. Finally, we have some roaming phones, tablets, laptops, etc that are connected via Wi-Fi.

I had two main goals when planning this network:

  • Put all bandwidth-heavy activities on the wired network. This includes things like 4K media streaming to our TVs and the backing up of large media files from my desktop to the NAS. Doing that leaves the Wi-Fi network free for our laptops, phones, and smart home gadgets.

  • Make sure our work laptops are a single wall away from a Wi-Fi access point. Both Nadia and I work from home at least two days a week and both of us do lots of video conferencing. So our work laptops (which we use upstairs) need to have access to a strong Wi-Fi signal.

Happily I was able to achieve both of those goals.

With this set-up Nadia and I can do simultaneous video conferencing for work without any issues. And I can do things like download hundreds of gigabytes of computer game data to my desktop without interfering with the TV show that Nadia is streaming downstairs.

New router and a UPS

A couple of weeks ago I replaced our ailing primary router (all its ethernet ports had died) with a Synology WRX560. And because our secondary router is a Synology RT2600ac with the latest firmware installed, I’ve been able to configure that as an extender. So now we have a mesh Wi-Fi network throughout the house.

Finally, this weekend I put our primary router, NBN modem, and NAS behind a CyberPower UPS. I’m pretty sure our previous router developed its issues because of recent power surges and outages. This UPS has automatic voltage regulation so it’ll protect our primary networking devices (and NAS) while also giving us about an hour of back-up battery power.

Protecting our data and network

With everything always connected, I need to make sure our devices and gadgets are secure. I do this using the Swiss cheese model of layered network security.

All security layers have some holes (like a slice of Swiss cheese does) but, by adding multiple layers with differently-arranged holes, you can minimize the chance of anything getting through.

In our case we have protections at the router layer, operating system layer, and browser layer.

Screenshot of a diagram titled ‘Security strategy’. The diagram has three columns with icons for browser, operating system, and router. Each column is split into incoming and outgoing directions, with risk mitigation measures listed under each one. The router column has active threat protection, two-factor authentication, and auto lock-out under incoming; and it has Cloudflare DNS under outgoing. The operating system column has active threat protection, full drive encryption, and 3-2-1+ backups under incoming; and it has NextDNS under outgoing. The browser column has password manager, two-factor authentication, DNS over HTTPS, HTTPS-only, and uBlock origin under outgoing.

Incoming controls

Active defense against incoming attacks is managed through threat protection at the router and operating system levels.

Passive defense is managed by using things like full drive encryption (which means upgrading to Windows 11 Pro so we can use BitLocker) and a comprehensive back-up strategy (more on this in a minute).

Outgoing controls

Since malware and ransomware attacks are often triggered by what you do in your browser, we use layers of outgoing security to protect against this:

  • Our primary router is configured to use Cloudflare’s DNS service,

  • our operating systems (in our computers, phones, and tablets) are all configured to use NextDNS, and

  • our web browsers all use uBlock Origin and a bunch of other security and privacy-forward configurations.

Finally, all our online accounts use unique, long, randomly-generated passwords that are managed by the Bitwarden password manager. And we have two-factor authentication set-up (using Aegis) on all the accounts that offer this feature.

Recovering from a disaster

If, in spite of all those protections, things do go horribly wrong – or maybe if there’s a fire or natural disaster – our last line of defence is a comprehensive back-up strategy.

A 3-2-1 back-up strategy – the least you should be aiming for – says you need to have:

  • 3 copies of your data,

  • on 2 different mediums,

  • with at least 1 copy in the cloud.

We have a 4-4-2 back-up strategy with:

  • 4 copies of our data,

  • on 4 different mediums,

  • with 2 copies in the cloud.

Screenshot of a graphic titled ‘Back-up strategy’. The screenshot shows backups from a desktop. There are constant, selective back-ups to a cloud sync location; hourly, selective back-ups to a cloud backup location; and hourly, comprehensive back-ups to a NAS backup location.

How I do it

I use Sync.com to maintain a constant, synchronized copy of all my important files in the cloud. This gives me two copies, on two different mediums, with at least one copy in the cloud.

I then use Arq to simultaneously (a) backup a selection of key files to a cloud storage bucket and (b) backup all my files (which includes large, replaceable media files) to our network attached storage (NAS) at home. So that’s two more copies, on two additional mediums, one of which is in the cloud.

Naturally all these files are encrypted before leaving my computer and access to the NAS and all those cloud services is protected with unique, long, random passwords and two-factor authentication.
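The copy counting in this section, written out as an added example (not code from this post or from any of the tools it names): it tallies the four copies the way the post does, then shows what is still recoverable when one failure domain is lost. The inventory labels, the `site` groupings, and the treatment of the two cloud services as independent providers are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str      # label for this copy (constructed for the example)
    medium: str    # storage medium, counted the way the post counts them
    site: str      # failure domain: everything at one site is lost together
    offsite: bool  # True when the copy lives in the cloud
    scope: str     # "all" files, or only "selected" important files


# Constructed inventory mirroring the 'How I do it' section.
INVENTORY = [
    Copy("desktop original", "desktop drive", "home", False, "all"),
    Copy("Sync.com sync", "sync cloud", "sync provider", True, "selected"),
    Copy("Arq cloud bucket", "cloud bucket", "bucket provider", True, "selected"),
    Copy("Arq to NAS", "NAS", "home", False, "all"),
]


def summarize(copies):
    """Return (copies, distinct media, cloud copies): the three numbers of the rule."""
    media = {c.medium for c in copies}
    return (len(copies), len(media), sum(1 for c in copies if c.offsite))


def meets(copies, min_copies, min_media, min_cloud):
    """True when the inventory satisfies a rule such as 3-2-1."""
    n, m, cloud = summarize(copies)
    return n >= min_copies and m >= min_media and cloud >= min_cloud


def survivors(copies, lost_sites):
    """Copies that remain after every copy at the given sites is destroyed."""
    return [c for c in copies if c.site not in lost_sites]


def recoverable_scope(copies):
    """Best restore possible from the remaining copies: 'all', 'selected' or 'none'."""
    if any(c.scope == "all" for c in copies):
        return "all"
    return "selected" if copies else "none"


if __name__ == "__main__":
    print("copies-media-cloud:", summarize(INVENTORY))
    print("meets 3-2-1:", meets(INVENTORY, 3, 2, 1))
    for lost in (["home"], ["sync provider"], ["bucket provider"]):
        left = survivors(INVENTORY, lost)
        print(f"lose {lost}: {len(left)} copies left, "
              f"can restore: {recoverable_scope(left)}")
```

Losing the house takes the desktop and the NAS together, so only the selected important files come back from the cloud; the large media files are the ones the post already treats as replaceable.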

Keeping up with our needs

Doing all this takes time and effort, and it doesn’t come cheap. But so much of our lives is online these days that the cost of inaction – and the risk of losing that much of our lives – is much higher than the cost of doing everything I’ve talked about above.

It wasn’t always like this for us, of course. Our cost and effort has kept pace with what we’ve been able to afford along the way. We’re just privileged to be in a position where we can do something this sophisticated and automated. (Gone are the good old days of backing up to multiple 3½ inch floppy disks and, later, USB sticks.)

I hope, regardless of your personal set-up, that you too are doing the best you can to keep yourself connected, but protected.

2020 NBN update: now with FTTC

I’ve been tracking the NBN speeds we’ve been getting in the last four houses we’ve lived in. (NBN is Australia’s National Broadband Network, by the way.)

Since 2015, when we swapped our ADSL connection for the NBN, every time we’ve moved house our speeds have gotten better. That’s mainly because, when picking a place to rent, we’ve only looked at houses with Fibre to the Premises (FTTP) connections. (Also because the NBN network itself has been getting incrementally better.)

This time, because we wanted a specific type of house within our price range, we decided to compromise a little and go for a place with a Fibre to the Curb (FTTC) connection. The performance of FTTC connections depends very much on how far your house is from the fibre-optic distribution point on your street. We lucked out and found a house we wanted to rent that is directly across the street from one of these points.

Speeds I can live with

Compared to the house we just moved from, our download speeds have dropped only 12.7% to 91.9Mbps, which I’m super happy about.

Unfortunately our upload speeds dropped by 51.2% to 18.5Mbps, which isn’t ideal.

Given how much time Nadia and I spend on video conference calls for work, this drop in upload speeds might be an issue if we’re both on a video call at the same time. I guess we’ll wait and see how the connection performs when that situation arises in the next few weeks.

Other changes: latency, technology

There are two other differences compared to our previous NBN connection.

First, our connection latency has increased 78% from 3ms to 5ms. You don’t notice that too much day-to-day, though, so this hasn’t been an issue so far.

Second, given the technology change from FTTP to FTTC, we had to change modems because the fantastic Synology RT2600ac we were using doesn’t support VLANs (virtual local area networks).

UPDATE (24 Aug 2022): With a firmware upgrade to SRM 1.3, the Synology RT2600ac router does now support VLANs (announcement; feature support; configuration info). A big thank-you to Craig in the comments for letting me know about this update!

FTTC is more of a shared connection than FTTP, so you need to use a VLAN-capable modem to connect to the internet. But all is well because I quickly bought a Netgear Nighthawk AX8, which is an equally fantastic modem that does support VLANs (and, specifically, 802.1Q VLAN tagging).

(If any of you are wanting to connect your Netgear Nighthawk AX8 to an FTTC connection, by the way, follow the configuration that rhys375 figured out you need to get this working.)

A mixed bag, but I’m okay with it

Overall I’m comfortable with our new speeds. I might think differently if we have issues with simultaneous video conferencing, but I don’t expect this to be a major issue.

So, onwards and only slightly downwards! And let’s hope the NBN network keeps getting better and better as time goes by.

Bypassing the YouTube recommendation algorithm

How many times have you watched a YouTube video that’s ended with a variation of this phrase: “please like and subscribe, and remember to click that bell icon so you get notified every time I upload a new video”?

If you watch YouTube as much as I do [1], you hear this All. The. Time.

What’s with the bell icon?

Why are YouTubers so insistent on viewers clicking that bell icon?

Veritasium (Derek Muller) explains this in his recent ‘My Video Went Viral. Here's Why’ video. In that he presents his “theory of everything when it comes to YouTube”. If you’re a big watcher of YouTube videos, I highly recommend you watch it.

But, basically: clicking that bell icon is great because doing so lets you, essentially, bypass part of YouTube’s recommendation algorithm (while also, technically, giving it more data). This, of course, is the algorithm that, among other things, determines which eight recommended videos you’ll see at the top of your YouTube home page.

If, however, you watch videos from your favourite channel by clicking on a YouTube notification instead, two things happen.

  1. You don’t have to wait for your favourite channel’s newest video to appear in your recommendations list. This is great because now you don’t miss a video just because the algorithm determined, for whatever reason, to not feature that video in your top recommendations.

  2. Once you’ve watched the videos from your favourite channels, YouTube doesn’t need to recommend them to you anymore. That means it can now recommend other things in your recommendations list. Which, depending on how you look at it, can be an excellent outcome.

But…I use an older magic

That, however, is not the method I use. It would make sense if I did – I do subscribe to 454 channels on YouTube, after all. But I really don’t want to be bombarded with all those notifications and emails.

Instead, I use a much older, much simpler, and much less obtrusive way of keeping track of every video a channel uploads: RSS.

Yes, I subscribe to the RSS feed of all the channels I want to watch most (if not all) the videos from :)

Some of the learning and science YouTube channels (and blogs) that I subscribe to.

Depending on which RSS news reader you use, this is super easy to do. My reader of choice is NewsBlur so all I need to do is copy-paste a YouTube channel’s URL into NewsBlur’s add-feed dialog and, voilà, I am subscribed to a full feed of this channel’s videos.

So, if you’re someone who watches a lot of YouTube and also uses an RSS feed reader, I highly recommend you give this method a try. It will make your life much easier and you’ll be free of those pesky notifications.

[1] About an hour and a half a day, on average.

Firefox extensions for privacy and security

A post called ‘A Few Simple Steps to Vastly Increase Your Privacy Online’ by Keith Axline has been making the rounds of the internet recently. It’s really good; you should read it.

In that post Keith recommends several privacy-related browser extensions. I use most of those, too, so I thought I’d follow up on my ‘Staying safe and private online’ post from a few weeks ago with the list of Firefox extensions I use to increase my online privacy and security.

Block trackers from following you around the web

Privacy Badger by EFF Technologists: blocks trackers from following you around the web and seeing which websites you visit.

Decentraleyes by Thomas Rientjes: blocks creators of shared internet content (which lots of websites use) from tracking you every time you download their content.

CanvasBlocker by kkapsner: stops some trackers from using JavaScript to ‘fingerprint’ your browser.

Facebook Container by Mozilla: stops Facebook from tracking you around the web — essentially, lets you use Facebook and its related sites (like Instagram) in a private browser container that’s separated from the rest of your browser.

uBlock Origin by Raymond Hill: blocks ads and adware (ie malware in ads).

Keep your connections to websites encrypted whenever possible

HTTPS Everywhere by EFF Technologists: tries to upgrade all your website connections to ‘https’, which is an encrypted connection.

Stop potential security leaks when you use a VPN

Disable WebRTC by Chris Antaki: stops your true IP address from being leaked when streaming media through a VPN.

Create and manage excellent passwords

LastPass Password Manager by LastPass: generate long, unique, random passwords and then keep them secure.

Take things up a notch by using a Virtual Private Network (VPN)

This isn’t a Firefox extension but, for completeness’ sake I thought I’d mention that my VPN of choice is Mullvad by Amagicom AB.

When you connect to the internet with Mullvad, we ensure that the traffic to and from your computer is encrypted to the highest standards even if you are using a public WiFi network at a cafe or hotel.

We keep no activity logs, do not ask for personal information, and even encourage anonymous payments via cash or one of the cryptocurrencies we accept. Your IP address is replaced by one of ours, ensuring that your device's activity and location are not linked to you.

If you want a really comprehensive VPN comparison, by the way, check out That One Privacy Site. One of the reasons I went with Mullvad is because that’s the only VPN listed on this site that has earned its ‘GOOD’ rating for privacy, features, and technology.

Staying safe and private online

I do lots of things to keep myself as secure and private as I can online – so many that I figured I’d make a list.

Securing my devices

  • make sure all my devices are fully encrypted – that includes all phones, tablets, laptops, and external hard drives (plus some USB sticks)

  • make sure all my data is backed up – and where it’s backed-up it is encrypted at rest (my cloud backup tool of choice is Arq and I use a local Synology NAS and Google Coldline as my backup locations)

  • make sure I have USB recovery drives for all my Windows installs

  • make sure my computer is kept proactively and reactively secure using anti-virus and anti-malware tools (my AV tool of choice is the pre-installed Windows Defender and my anti-malware tool of choice is Malwarebytes)

Securing my internet connection

  • configure my router to use a secure, private DNS server (Cloudflare’s 1.1.1.1 or Google’s Public DNS 8.8.8.8)

  • configure my Android phone to use a secure, private DNS server when on 4G (on the latest Android phones go to: Settings > Networks & Internet > Advanced > Private DNS)

  • use a VPN whenever I’m on an even slightly insecure network – on both my laptop and smartphone (my VPN provider of choice is Mullvad)

  • turn on my router’s guest network (with network isolation) and connect all my non-computer internet-connected gadgets (TV, Blu-ray player, cable set top box, etc) through that

  • use an advanced router that supports enterprise-level intrusion prevention (in my case I use a Synology router and their Intrusion Prevention app)

Securing my browser

Update: Check out my follow-up post for my list of ‘Firefox extensions for privacy and security’.

Securing my online accounts

  • use a password manager to generate and store long, secure, unique passwords for all my accounts (my password manager of choice is LastPass)

  • use two-factor authentication to keep as many of my accounts as possible secure (check the excellent Two Factor Auth List to see which accounts and services you can set up two-factor authentication for)

  • keep a regular, close eye on the data that various online services and social networks have on me by going through their ‘security check-up’ processes (eg Google’s excellent Privacy Check-up)

  • check all my email addresses on Have I Been Pwned to see which online services that I have an account with have had their user data stolen – also sign up to their ‘Notify me’ service to get an alert every time any of my email addresses is found in a newly stolen user data set

Always be learning

  • keep up with the latest in security via things like the Security Now podcast, several blogs, and a bunch of security-related mailing lists

  • check the EFF’s Surveillance Self-Defense website for the latest guides

  • consider switching to “ethical, easy-to-use and privacy-conscious alternatives” to social media networks, online services, and software using the comprehensive (and growing) list on switching.social

An excellent introduction to TikTok

If you’ve been around the internet for a while you’ll know there used to be an app called Vine that let you make six-second long videos. It was hugely popular but, after being purchased by Twitter, was discontinued in 2016.

TikTok is considered by many to be the spiritual successor to Vine. But, like with Vine, if you don’t know what it’s about and what’s happening in that space, it’s a bit difficult to get into.

So a couple of weeks ago Sally Kuchar started a fantastic thread on Twitter that showcases some of the best TikTok videos and memes. I highly recommend you check it out!

The NBN is 62% faster in our new house!

This time last year we finally got connected to Australia’s National Broadband Network (NBN).

Doing so dramatically increased our average download speed from 6.9MBps with ADSL2+ (over the old telephone copper wire network) to 46.7MBps with NBN (over a new NBN fibre optic connection to the closest telephone/internet exchange).

A little over a week ago we moved into an independent house in another suburb. This meant we were no longer sharing that fibre optic internet connection with the other residents in an apartment block.

I checked to see if this had increased our connection speed and, sure enough, our download speeds have gone up by 62% to 75.7MBps!

Woohoo! 

Pro tip: If you’re looking to move house and, like me, can’t live without the NBN, check out the nbnm8 Chrome extension. When you use realstate.com.au and Domain to search for properties it’ll automatically do the nbn availability look-up for you :)

We're finally connected to the NBN!

On 23 June 2014 I tweeted this:

But it wasn't till yesterday, 15 December 2015, that we finally got connected to Australia's National Broadband Network (NBN).

Yes, this took 1 year, 5 months and 22 days

What was particularly irritating was that our neighbours got connected several months ago. It took us this long because we're in an apartment building. Which meant that, first, our Body Corporate had to get their act together and network our building — which they finally did at the end of October.

We then had to wait till iiNet, our preferred ISP (who we've been with for over six years), released their Fibre to the Basement plans for selling NBN services to individual apartment building residents.

Once all these pieces fell into place, though, things moved quickly. And, six days after the NBN became available to us, we were online:

We're now enjoying download speeds seven times faster than our old ADSL2+ connection (an average of 46.7Mbps with NBN versus 6.9MBps with ADSL2+) and upload speeds thirty-one times faster (27.6Mbps now vs 0.9Mbps previously). We're also connecting faster, with an average ping time of just 2.5ms with NBN vs 27ms with ADSL2+. 

It's awesome.

Of course these speeds aren't as fast as the NBN can theoretically reach ("up to 100Mbps") or as fast as my internet connection is at work (average downloads at 64.3Mbps and average uploads at 86.9Mbps) — but it's still pretty darned good. And it's more than enough for any video streaming we want to do.

So, yay! The NBN was a long time coming, but it was sure worth the wait.