#networking
So erm if I need an ISO I can hit you up @rocky badge
What did I screw up?!
@hallow nimbus
@mellow heart pub-ip:80 -> local:80
but you can also do: @mellow heart pub-ip:8080 -> local:80
Hmmm
it just changes port numbers
Something seems off here
I didn't need to do anything this complicated last time
So I don't know what's going on
@hollow marlin does a /48 count?
It worked before
@hallow nimbus Lol
I know they hand em out like candy
@mellow heart if you can reach it locally, but not remotely
@mellow heart might want to check what is happening to the firewall on the machine
I think we only have a /32
I really appreciate all of the help. I just think I'm too stupid to do this without handholding @tame carbon
@rocky badge I say. we squat on them
get your BGP spoofers ready
@mellow heart keep trying with port forward
already uninstalled the plugin
lol xD
but that wasn't where the problem was
you had it open on your local machine
just had to configure the router
but it worked out of the box last time
Maybe something I did when following the guide on setting up SSL screwed with it
@mellow heart the IP that the server gets isn't always the same
most routers just give out a random one, if a device connects
I'm starting from scratch following this guide - https://www.youtube.com/watch?v=ETdlrNUGjZk&t=8s
so by restarting
@hallow nimbus https://blob.rocks/7Fyk6S42Ye.png
could be that it got a new local IP
so your port forward is invalid
you can mitigate this problem by using a static IP
I looked though and I can't find the port forwarding I did before
How do I setup a static IP?
With my router?
that's in the settings of your FreeNAS
@rocky badge he's got the most ghetto-ass Verizon GUI
I studied this shit, and I can't figure it out
Still not a good practice
@rocky badge I explained that earlier
yeah,
but we still haven't found DHCP server settings
to set pool size
@rocky badge
I appreciate the help, but I'm so lost and don't want to get started on something. I'm gonna see if I can get someone on Fiverr to set this up for me cause I know I'm going to screw something up
I realize this is above my level
any mortal might want to do
Nice @rocky badge
@tame carbon https://forums.verizon.com/t5/Fios-Internet/Quantum-Gateway-How-to-setup-static-IP-for-internal-PCs-using/td-p/868832
I would like to assign static IP addresses to computers within my home that are connected to the FIOS router. I would like to do it by using their MAC address so that each time they connect they are given that IP. I do not need this static IP to be seen outside of my network...
What is simple for you is totally new to me, and everything is confusing
Go to the "Advanced" tab. Then under Routing click "IP Address Distribution". Click the red box that says "Connection List". Go to the bottom of that page and you will see another red box that says "Add static connection +"
So yes, this might be simple for you, but for me it has been 3 hours of work so far
Thank you @peak cloak
3 hours?
pff
I once spent an entire weekend figuring out how to set up this damn IPTV crap on my router
I know you guys are trying to help, but I'm at the end of my rope. This is beyond me and I just want it working like it was
And that's ok
giving up won't help him either
And the things you're saying aren't helping the situation either
It isn't giving it
It is giving up on this tactic
I'm still going to try and set this up
but working with this install where scripts were run that I don't understand isn't helping me
Also:
Ok, does putting 192.168.1.173 into your browser work?
I deleted it already, but it did work
I'm installing a new one now
Oh, ok
Were you using your public IP to connect to it before?
It could be some loopback thing
isn't that something else
Before, I was using my public IP and :8282 at the end
This is what showed up when trying to install the new plugin of NextCloud
@tame carbon idk, never used freenas
@mellow heart if you like
I can help you over screenshare
but that's only if you have some patience
I really appreciate the offer! How about this, I give it one more shot and if that doesn't work, I'll take you up on that?
You'd have to be quick
because I will be on for maybe 1 more hour
it's already late
In that case, I'll take your kind offer for help
do the 1.1.1.1 and 1.0.0.1 DNS servers make much of a difference?
the DNS server you choose will depend on your location
LTT made a video on it a while ago and idk if it still works
for example 1.1.1.1 is 18 ms for me while 9.9.9.9 is 2 ms for me
it physically depends on where their servers are in relation to you
is there a way to see what's best for my location
pick the DNS with the fastest response time for your exact area.
yea just ping the addresses
oh, open up the command prompt in windows
and just type "ping #.#.#.#"
the 4 pound symbols represent whatever DNS server you want to test
Cloudflare's is 1.1.1.1
Google's is 8.8.8.8
Quad9's is 9.9.9.9
There is a DNS benchmark
https://www.grc.com/dns/benchmark.htm, yea you could use something like this
Yep that
https://code.google.com/archive/p/namebench/ is what a lot of people use
Never heard of that one
@hallow nimbus
https://blob.rocks/YVh5uDuPGO.png
when your server has a 10G NIC but that's the only thing in the house with it
lol it's time to create a cluster of computers
My server and pfSense have 10 gig
and get a 10 gigabit switch
Because I ran out of ports
i wanna see a chart of that
cause like every time I see someone benchmark pfsense
it gets like 200-300 Mbps if that
There go my two SFP+
I can do more than 200-300Mbps lol
I wouldn't be using pfsense if it bottlenecked my gigabit internet
But it doesn't
So I use it
And a literal potato can route gigabit on pfsense lmao
An AMD (pre ryzen) HP thin client can run pfsense
oh, lol I'm a dummy, I meant it never reaches 200/300 MB/s
of course pfsense can do gigabit routing
Well by then it gets a little more complicated, but my pfsense can do that, so can gossamers lol
He has 10 Gbps WAN from Utopia and gets 8-9 Gbps from it off of pfsense
4790K iirc
without jumbo frames?
idk, I soft gave up and just started using VyOS for 10 Gigabit+ routing
that's not 10 gigabit
:P
It's fine for what it is. TNSR should be better though
and it's free for homelab now
since TNSR is VPP and not kernel-based
@rocky badge I also have 10 Gbit to all my servers
yeet
oof
Cause work
I mean having 6 Gbps for WAN is amaze
imagine sleeping
I just meant for local transactions
Imagine being American and having an idiot as president
Cya
getting a true speed test to run at 10g is harder than it looks
lmao my school laptop is using my DNS servers to look up LDAP services
and their SCCM and file servers
getting it to work with SR-IOV and VyOS seems easy enough for me
@chrome hound The server actually being able to support it is hard lol
lol true
lol if you have pfsense 10 Gigabit strats
but the one I test from has a 40G connection to the fiber backbone
a lot of speed test servers only run at 1 gig
well a lot of tests I saw were literally like in-house home lab stuff
but my speeds go up and down a lot
no WAN connection
this one is to CenturyLink
lol
the true-est of roflcopters
well to be fair they don't like sending data out
I limited my download lol
so parents would always have ~200Mbps
So they don't complain about me messing up their YT TV
wow my speed test server is struggling today I wonder whats up with it
oh you do YT TV too?
TV is a scam lol
pandemic time is the apocalypse for IT staff
but my parents want it
some people just like nice apps that look like the old top boxes
that from my PC to the other room and it's dogging hard
if it were me I'd just do ATSC 3.0 (when it comes around)
yup
oh hey @rocky badge I finally got a real PoE switch
a month ago
I'm gonna try to power my MikroTik SFP+ switch with PoE from the UniFi switch
lol I wonder if this will explode in my face
I got a UniFi Pro one, I can't recall the exact model
when I get the second box up
Production aka parents
I'm going to put the VyOS instances in VRRP mode
So it never goes down
so I can shoot one of the servers with a rocket launcher
and internet is still up
that's so clean
That looks like a USW-PRO-24-POE
thats the one
and I got my truenas server up
middle Dell R730xd with 12 6T drives
hey spare parts man
I haven't looked into the edge platform thing, what's it for?
lmao
It's basically the same HW as UniFi, with some additional stuff in hw, with EdgeOS
but it's also a gen behind UniFi
@chrome hound https://store.ui.com/collections/early-access/products/unifi-switch-aggregation-pro-beta
28 SFP+, 4 SFP28
that smells like effort
Lol
I am thinking of migrating my speed test server to its own blade, I think the Proxmox firewall might be what is slowing it down
do your parents know you are opening up dangerous equipment? you can send that over to me and I will take care of it for you
sure it is
https://www.servethehome.com/ubiquiti-unifi-usw-leaf-overview-not-review-48x-25gbe-6x-100gbe-switch/
I have a question, I want to protect my dedicated gameserver (hosted on my home network and pc) using some sort of proxy or VPN (I want to keep it free)
I've tried portmap.io but I couldn't get it to work.. Does anyone know more about thise kind of stuff?
Please ping me if anyone has an answer c:
@undone adder Cloudflare
you can use Cloudflare for direct access if you can port forward
or you can use ZeroTier with a public node
I see, so how does the port forward look in that case?
in your firewall you forward the required ports to your service
WAN -> Firewall -> Server
firewalls block all incoming port requests by default
I see
What about the port forward in my router?
I'm guessing I'll have to use the external port value?
you port forward from your router which is probably also your firewall
to your internal service
how you do the mechanic of port forwarding is 100% different from each vendor
it's the same idea, but different mechanics
hmm
So what's the basic mechanic behind this then? I'm guessing the server port in internal and VPN (or whatever) port is external?
Incoming Port -> Firewall -> Port to go to server -> server
use plex an example
apparently Whinnie's full title is too long
so friend asks to watch Whinnie on your Plex server
Friend's plex player -> outgoing request of 32400 -> (Internet) -> incoming request of 32400 (your firewall) -> map 32400 to 32400 in your network -> server
Oh I see
here's a list of examples
Thanks :D
So if I get it right:
Gamer -> Outgoing Request {External Port} -> Internet -> Incoming Request {Internal Port} (Firewall) -> Server
So let's say my OpenVPN port is 1194 and my server port is 7777
Gamer -> Outgoing Request __7777__ -> Internet -> Incoming Request __1194__ (Firewall) -> Server?
most cases your external port would be the same as the internal port because the client and server expect to talk on the same port, unless you are doing some kind of advanced config on the server
Just trying to port forward through a proxy or VPN
are you in control of the proxy/vpn?
the above examples are for firewall setups, a proxy/VPN is going to complicate your setup
Yeah, I'm trying to figure it out
typically a proxy is put in place by someone offering service to clients
Yes
they do that to stop users behind the proxy from doing what you are trying to do
if you are not the controller of the proxy you can't really change how its setup
Yeah, but portmap.io looks like it'd work, I just don't know how to get it to work
that's what I am trying to say, if you are behind a proxy that someone else controls you can't set up any port forwarding
Even if you get a port?
it's been a while since I dealt with proxies, but typically they sit between the clients and a firewall and proxy connections
so you are removed from direct edge firewall access
hence the name proxy
so are you sure you are behind a proxy?
typical home setups have a router, then an ISP device of some kind
I'm not behind a proxy, I'm trying to protect my network with one
ok, you really want a firewall not a proxy
Hmm
so what router are you using?
Linksys
most routers act like a firewall, they don't have to be complex to work
by default that router will block all incoming traffic and only allow some things to come in
Nah, I can port forward, I just don't wanna get DDoSed
so in their setup it should have a section on Port Forwarding
in there you define the port you want to have forwarded and then you tell it the internal (private) IP you want traffic to be ported to
@chrome hound also is that a passthrough patch panel /s
yes blob it is, I meant to put in punch-downs, but effort got in the way
lol
it's not my fault the RJ45 plug can pass through the hole
I know how to port forward, I just can't get any protection to work
well I hope you can @chrome hound
because the port on a keystone is RJ45 lmao
So it has to be big enough
when you port forward you are effectively telling your router you don't want protection on that port
you can even get HDMI keystones
I know
you can't add protection when you want to use port forwarding
what are you trying to protect? no matter what you put in place traffic has to flow across the port from external to internal for any service to serve
opening a port and forwarding it, doesn't negate the rest of the ports coming in
they still remain blocked
I'm trying to protect my network
so opening one port doesn't open them all
I never said that
its just the one port needed to serve
That offers protection right?
I don't think you realize what a proxy really does, it's not meant to allow any service through, it's a very controlled concept
I see
you have to know what your source IP is going to be to use source restriction
Yeah
I would put a proxy in place for, like, a network of guest devices that I have no idea who they are, that only need web browsing; they would sit in an isolated section of my network and would only be allowed to browse out on port 80 or 443
think of a public library that had internet access, I could see a use case for a proxy there to ensure people are not setting up little Raspberry Pis to serve things off the free internet
@tribal dome hi
so port forwarding is still protection, just not that port, you are opening it
Well if the wrong person has your IP you're still fucked
but you are also controlling where it goes internally so it's not like it's a firehose
your IP is not secret
it's public
and trust me you get scanned at least once or twice a week by foreign bodies
in @rocky badge case 4 times a day
Yup, so it's easy for someone to press a button and take you down for at least a few hours
@chrome hound lol
you have to be a target
I am
Rip
like no one is going to waste time taking you down
and that same effort to take you down will affect your ISP so they will either put in place temp prevention or have other tools to monitor bot-like network traffic and shut it down
well thats the internet game for you, open port = risk
Fair point
but I highly doubt you are a target
Yeah-
fun fact @rocky badge I had to burn down a mail server I had because I forgot to update the SSH config to block password auth, and it got brute-forced by a Chinese entity and they launched a 3.5 gig attack on a German company from my Proxmox cluster
lmao
Ouch
one of my network engs slacked me going "hey, do you realize you're DDoSing a company in Germany?" I said what?? My bad
my b
b
you are a bad person
so yea @undone adder someone somewhere is always scanning for open things
@chrome hound
bruh
this laptop has an Ethernet port
with a lot of room left over
also rear I/O laptops
nice
it uses a fucking 240W charger
ah they slimmed it down then
the m3000 had like a 280 watt
So the 4 M.2 NVME slots I saw in the BIOS is real....
yep
Two DIMM slots on the bottom
two under the keyboard
2x USB C with Thunderbolt 3
Damn this thing is loaded with PCIe lanes
4x4 16 lanes already used for NVME SSD
4x2 8 lanes used for Thunderbolt 3
I did a DNS benchmark and I don't know which ones are best
the lowest one
what are all these servers
what do these bars even represent
where's 1.1.1.1 and 8.8.8.8 for comparison?
the names are on the right
for me, level3 dns servers are the fastest
@vapid dune they are all DNS Benchmark's DNS servers for benchmarking
lower is better
What do the bars actually mean?
Interesting. Ill stick to 1.1.1.2/1.0.0.2.
so i should use these as the main and backup? since they are on top
I mean, not always. I would do some research on that dns server
Don't know how I feel about a DNS server on a benchmarking list. Best stay reputable.
As long as latency is fairly close, real world performance difference is negligible
I've had luck with Cloudflare and Quad9's
seems to be pretty fast, never benched them, though
so like cool fun facts
if you have a local DNS server that caches stuff from upstream providers
that's the fastest DNS server you'll ever have
like one of the biggest jumps from consumer routers to real routers is that real routers usually have actual RAM
so they can cache more and more DNS entries
Pi-hole
I run a Sophos UTM here
so I do that already
It's a VM, so performance is kinda eh. May go the pfsense route with real hardware
Thing I like about the Sophos end is most things just kinda work, and it lacks some of the jankiness of pfsense, but pfsense is probably more customizable
Web filtering and profiles works better under Sophos, despite the fact that both probably use squid
got kids to watch over lol
I've used the netgates, too. Kinda hard to beat their 7100's in HA for $2k
if all you need is straight routing and stuff like OpenVPN for a small business
web filtering is a service you have to pay for
like pfSense and OPNsense are basically free solutions
it's the rules not the technology that make rule based filtering effective
like a nice networking deployment especially when you're willing to use vRouters (a Router in a VM)
is you just have the router, well route
and delegate other responsibilities to other containers/VMs
so you can offload some of that to something like Umbrella, but if you wanna do any GeoIP or application control you usually have to do that on the Firewall
or just have the router route to something to delegate to it
and have your clients use a different default gateway
I think they have a free DNS filtering for home, but I have profiles that set time limits and individual devices for the kids not to go on things
like I don't let my firewall deal with my self-hosting stuff
it just goes to an nginx instance
most reverse proxies have geo-ip stuff somewhere in their implementation
I know nginx has a blocklist
like hands down https://pritunl.com is just better at VPN tunneling than any firewall/router
my GeoIP is more kinda just a "no no Russia/China/India/NoKo" catchall
oh, yea you can definitely do those broad strokes
or just use cloudflare
if you want to go that broad
Yeah I was looking at setting up WireGuard at work as that can run on the EdgeRouters now and we could use them as really cheap VPN appliances
But Sophos does similar to Meraki with their REDs
is even easier
You use pritunl for failover between sites or just client vpn?
I mean i wouldn't use OpenVPN for failover between sites
and WireGuard is still kind of a mystery bell
using an SD-WAN solution is what you want for failover
like ZeroTier or just using VXLAN
what do you think I upgrade from 1 gigabit
in reference to . . .
I think you downgrade to 100 Mbit and pay less
having extra speed to get your 10 min file in 8 min isn't worth $20/m more
https://kuma.io/ @topaz quarry there is also shit like this @forest ice
traefik is so simple it's hard
Well, it depends what you use for orchestration
if you do like... bare docker, no k8s, I usually push to Rancher Server v1.X with Cattle Orchestration
Traefik can use Rancher as a backend to monitor and attach to containers instead of like docker.sock
If you use k8s, it can straight up be your ingress controller
full integration
so like, there's gonna be a flame forming soon
but I may try to make my own orchestration platform
Ain't even worth it with all the options avail
k8s is really cool, but the type of learning required is an interesting hurdle
like docker is so simple
You wanna be pedantic though?
Docker is the wrong name for the containers
It's the Moby platform. Docker is an API of sorts that interacts with the containerd runtime and gives it deployment/control commands
Docker itself is not the container platform
it's been separated
containerd is the real runtime system
well yes
Good thing they actually separated Docker from Moby
So you can ditch Docker entirely
Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. Containers can either be run as root or in rootless mode.
i still have that tab open
Podman. You could actually alias the docker command to podman and it'll all work
its pretty much drop and go
but it opens you up to OCI Containers and slowly migrating to k8s or things like kata containers
btw I think etcd came out of Google's interaction with k8s while they were making it
that's cool
the raft consensus algorithm blows my mind
alias docker=podman
I use the S3 plugin to do automatic PV creation
will it break?
or will it work 1:1?
alias docker=rm -rf --no-preserve-root /
there's an S3 plugin to use it as a backend storage
The storage driver
the same way you can spam longhorn in k8s
yea the storage driver for S3 backend storage
they refer to it as a plugin though
fantastic
can they tell the router via etcd or something to use another node
Actually yeah
and some even use BGP to do this
You want load balancing
not HA
yeah you can achieve both with the same set of tools
but
they are technically diff processes
one is failover only on failure
one is balance the load out
well I was told layer 4 load balancing can lead to bad experiences
but yea
I'm not sure how one convinces a router to do L7 load balancing
I guess pfsense technically has nginx on it
Actually
routers in VRRP mode with nginx?
The k8s ingress controller handles it
Traefik has loadbalancing.
VRRP is HA
not LB
OT: Ever seen juju charms? while I dig up LB tools/projects for you look at this
You kinda need an AS for something like this
for it to be easy
so the ingress IP for k8s
what happens when it goes away
I shot it with a rocket launcher
what does k8s do?
Depends
your bridge to the WAN is gone
so
rip
If you are asking about the MetalLB though
so the node responsible for ingress can't be promoted to another node?
so if I have a 5 node cluster
assuming you have failover systems in place to route to new ingress IP actually
how does it give it's IP to another node?
But all ingress IP's are valid
okay so we're assuming L4 load balancing
However......
MetalLB once again
This is using BGP
Itll assign a whole new IP off the public subnet
now because I'm not in a public cloud and have to port forward like a banana cake
will metallb tell my router to forward to something else?
or are we assuming the router will just do L4 load balancing
The router has to support BGP
And you would prob want more than one
This would have the router under the MetalLB's controller talking to k8s
and it would tell the Routers public IP to route to X Y or Z ingress
so the LB is done on the router but commanded and controlled by the system
okay so VyOS supports BGP
would it still need to be controlled by k8s for this to work
can you run BGP on local networks? 10.0.0.0/8?
yes
you can, you just can't advertise internal IPs
and BGP is how we give routing tables back and forth between routers
I know
well you can, you just can't do it over a WAN
but can you set up your own BGP on non-public ranges, of course not announcing to the internet
right ?
yes
AT&T and Comcast have gnarly filters to make sure they don't advertise internal IPs to each other
And You need a complex internal routing setup to do it
they should have filters
let's squat on 8.0.0.0/8
Thats called BGP Hijacking
I bet DoD will be overjoyed
Dept of Def is considered Bogon networks
Most routers wont let you even try
they just stop you before it even gets to the ISP
btw the DoD has completely out of band networks
so like whatever it is that you're planning
19 of them
set all nukes to target eachother
Those are not on networks
I bet somewhere, someone, forgot to unplug
those are 100% hardwire controls
you probably need floppy drive keys
xD
and 1970s equipment to get in
You use zip disks on some
it's so old it's unhackable
it's so old, if someone tries to fuck with it too many times, it breaks
on purpose
and then engineers are dumbfounded for weeks
Without RPKI, you can't do much anyways
btw is there a way to get a VM or a container to failover
with the same IP?
in an automated way?
yea the same local IP, new host
Yeah the networking backplane you use should do that
Even on Docker with cattle (the basic shit type), it has the option to "Keep IP when replacing unhealthy or updating instances"
So no matter what that container has the same local IP
I use Calico for Policy and Canal (Flannel) for Networking on my k3s clusters
Canal gives all the containers an IP out of 10.60.0.0/16
From there, all my hosts are connected with a VXLAN Network
so it acts like one LAN no matter if the machines are spread out
out of curiosity what do you think of ZeroTier?
You can basically self-host that outright
yea
it has a lot of the properties of VXLAN in regards to keeping the same IP infrastructure
ZeroTier kinda caters to the "old style" setups
If you have multiple clouds, your networking backplane should handle it
Heres a good example
k3s
It uses Flannel by default (Canal)
--flannel-backend=vxlan
--flannel-backend=ipsec
--flannel-backend=host-gw
--flannel-backend=wireguard
VXLAN is Default, IPSec works kinda like a Mesh S-S VPN/VXLAN Hybrid to encrypt your traffic, Host-GW is Host Gateway and is basically saying "L2 Flat" and to rely on the router to handle it (if everything is like... on the same switch/vlan), Wireguard is IPSec but using Wireguard basically
Details for configuring the Calico CNI plugins.
It utilizes etcd for the networking discovery
so that should give you an idea as to its "healing"/LB/HA
overall that's basically the goal in this particular segment
a self-healing network
but
k8s violates the Sutter rule
Keep it simple, let people get under the hood when they need to
Does it?
I think k8s is too complicated
k3s/k8s doesn't actually have any networking built in.
even with a substantial background
Its purely orchestration
You need a CNI
Flannel, Calico, Weave, Romana, Multus, Cilium, Silk, Knitter... VMWare NSX
Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services as well as Layer 7 to protect and secure use of modern application protocols such as HTTP, gRPC and Kafka. Cilium is integrated into common orchestration frameworks such as Kubernetes and Mesos.
fear not, I'm watching a video on Calico routes
https://github.com/hustcat/sriov-cni You can get even more.... low levelish
This uses SR-IOV On the nics
Basically gives a physical "virtual nic" to each container
and its directly talking to the router at that point
so it bridges them? is that it?
because that's not quite the same thing as actually utilizing sr-iov
Its like SR-IOV Passthrough to a VM for the Nic
it does the same thing
creates a VF
from a PF
there's some weird macvtap stuff that uses a VF
yeah there you go
and it works substantially worse than just using vfio
This works pretty well tbh
the real answer is getting microVMs to be cool
then you can take advantage of vendor magic
This is bridging
LACP Bonding
it can use https://github.com/intel/sriov-cni to add VF's to a container too with that...
https://github.com/intel/sriov-network-device-plugin to let kubelets control the SR-IOV Networks
https://github.com/intel/multus-cni allows for multiple nics to be attached
I mean SR-IOV VFs can be loaded at runtime
so making the requirement that you need to create them ahead of time is weird
These are "meta" CNI's
I mean I get it
throwing exceptions in C++ programs used to be "meta"
VLAN, VXLAN, PTP
Think about this...
Vyos in a Container
You would want to use SR-IOV
Or perhaps a transparent bridge for sniffing
in a container
What about a BGP Router
And thats where I fucking love how all this comes together
like they're still voting on if they'll support other container types
K3s running Kata Containers to run MicroVMs in a k8s cluster
With SR-IOV at the ready and all on a central networking backplane
Utilizing a centralized and shared/controlled datastore like SMB/NFS/S3/etc
btw FreeNAS supports MinIO
because reasons
like it's not a plugin
it's just a supported share type
btw
or it may be using the S3 FUSE Driver
libs3 is so much less weird than the AWS SDK
like the client for AWS's SDK takes like 5s to load as a C++ object
like how
libs3 takes the appropriate 0.086 ms
This guide provides code, examples and insights for running MinIO in gateway mode to enable the S3 API for Network Attached Storage
I'm actually going to deploy it in Docker Swarm soon
all the SFP+ modules will arrive tomorrow
and I'll test it on a 10 gigabit backplane
it has vxlan though
It doesn't have IPv6
is there a magical set of Helm repos
this is another part of the problem
Docker Hub is my current source of docker power
Quay is the best place to build, store, and distribute your containers. Public repositories are always free.
Quay is the OCI Repo
and Docker containers are.... proprietary in comparison
OCI is the evolved container layer
more stuff uses it
Discover & launch great Kubernetes-ready apps
This is the Helm chart repo
Otherwise, you can use a git repo as a private helm chart repo
so i'm installing quay as an operator?
and unlike dockers with compose templates, these are all "clean"
and follow standards of creation
so no need to DIY it to keep shit.... the same
Quay is simply another Docker Hub
but where OCI's live
I think the other like huge bummer
is that swarm works on LXC
while k8s is like
hmmmmm
like this Google technical debt
podman pull quay.io/sylr/traefik
okay so there's a comparable
so podman does pods more directly?
is this the magic behind k8s?
K8s is orchestration, keep that in mind
this is the lowdown on what k8s is really doing
The other pieces are diff
Podman replaces "Docker"
For one, no fat fucking daemons
podman doesn't need a service/daemon to work
it achieves that decentralization that is missing
Podman is capable of running containers in exactly the same way Docker does, but it is also capable of running Pods.
so it's missing the huge attack surface
So it can do Docker style
+1
Another fun thing
You cannot make "blank" Docker containers
Like... totally empty
But
OCI Containers?
Yes.
You can also build OCI Containers using the upstream docker format/a dockerfile
https://github.com/containers/buildah < This is closely tied to Podman.
This is how you make OCI Images
And this allows for total control over the container
Usually you use https://github.com/cri-o/cri-o which supports OCI Spec Runtimes (runc)
Katacontainers use OCI Spec Runtimes... like runc
can podman launch microVMs
yes
!!!
that's what I was getting to
In fact, it can launch them in a k8s cluster
Combines Firecracker MicroVMs with Docker / OCI images to unify containers and VMs.
https://github.com/weaveworks/ignite/tree/master/images/kubeadm > Run kubeadm in HA mode with Ignite VMs
This talk will describe all of the reasons for podman, all of its features demonstrate its functionality, I will cover the background of podman, how we built it, why we built it, I will demonstrate using it in multiple different ways, Running containers building container imag...
the indoctrination is so real in this video
lol it's a good thing I'm using LXC for all of this
cause it makes it easy and less scary to do stuff like that
This is cool too
https://github.com/containers/skopeo < Buildah, Podman, CRI-O, Skopeo, K3S, the big 5 to getting out of docker
It gives you the stoopid simple rundown
"This does this, This does that, and this does that thing over there"
seems like a good read
you know honestly k8s has the same problem MikroTik does
it was designed around command line stuff first
Actually
it was designed around the API first
docker, podman, kubectl all just interface with the API
The Container Runtime
K8s is one piece to a larger playout
The fact is, you can mix and match the diff pieces of it to achieve what you want
https://rancher.com/docs/k3s/latest/en/networking/ Btw here is how k3s default does LB
By default it has Traefik as ingress
the LB is default Klipper LB
It can be switched to something like... MetalLB
k3s can run with Ambassador or even Envoy instead of Traefik
so like raw moment
what if I just wanna run raw nginx
like I wanna be a lame duck
and edit a config
just to see what it'll do
podman run nginx to run it in container standalone
In k3s/k8s, you would give nginx its own pod and disable the LB/CNI if Needed in its deploy config/helm
which is really easy
cause like for SSO stuff it's so easy to run nginx + vouch + gitea
and then traefik and SSO is a fun journey
I mean I know a lot of this tech can automate it
but like
C++ developers suffer from over-generalization syndrome
I went a bit more than this
a lot of this stuff reeks of over-generalization syndrome
I can login using Google as a source or Google can use my system as a source which uses other shit as a source
the whole point was to decentralize
There is a reason why it's being used everywhere
If you have a usecase, someone made a piece for your usecase
Thats nice
We can get real fun with SSO
Ever seen something like Windows Quick Assist but for SSH?
curl https://www.teleconsole.com/get.sh | sh
> teleconsole
Starting local SSH server on localhost...
Requesting a disposable SSH proxy for ekontsevoy...
Checking status of the SSH tunnel...
Your Teleconsole ID: 29382923a870075324233c490831a7
WebUI for this session: https://teleconsole.com/s/29382923a870075324233c490831a7
To stop broadcasting, exit current shell by typing 'exit' or closing the window.
Also works instead of WebUI: > teleconsole join 29382923a870075324233c490831a7
damn bot
Tbh my SSO system is kinda jank
I have Active Directory on top of it all too
Active Directory ruins lives
SSO is one of those things people just don't think about
until they have an entire infrastructure
and they're like
. . .
Yeah
thats basically where I am
AD, LDAP, OpenID, JWT, fucking all of it
in one system
I also have 2FA to top it off
YubiKey
like Keycloak is the only provider I've found that provides scoped OAuth tokens
and I'm like
technically Gitea and Nextcloud are OAuth providers
they just don't scope tokens :/
SAML
this is backend
The FULL spec of OpenID and OAuth is here