#networking

its more expensive way of pc wifi card xD

you don't need much in performance but you'll want to get rid of the wifi extender

@tender hazel lol

I'm seriously about to recommend https://mikrotik.com/product/RB931-2nD

its not my house tho

..

the hap mini won't let him get rid of the extender

and a small additional 2.4GHz ap

this might allow doing everything with one unit: https://mikrotik.com/product/hap_ac3

it is more powerful than is needed when it comes to CPU etc

that thing can do 2gbit/s lol

sooo those two ?

but it has very good coverage

the hap ac3 can replace your router and extender most likely

get through the walls all by itself

i cannot wire it there ....

the extender is there to get me and ethernet cable there

oh god

that is all lets just speak about the modem and router

..

xD

@tender hazel btw spoke with my dad on the wireless thing

showed him the brochure of the dual band sector antennas

@thick minnow do you have your own internet account or are you sharing someone else's

he was sold lol

its house iam not owner of

all i want is to allow ipv6 traffic here

so are you sharing their service off of their router?

its personal family house XDD

yes but are you paying the telco or cable company yourself for your own connection

yes

i pay for connection is that u want ?

oh you're the only guy in the house who knows how to work this in even the slightest?

oh am I misinterpreting that xD

I'm just wanting to make sure that you aren't trying to set up a router in the house behind another router in the house

it will be very difficult to get IPv6 working in that scenario (one router behind another)

the curse of NAT

it breaks end to end principle

iam in CGNAT

so all these fine protocols stop working

this is reason why i want ipv6

the issue is that in order for the outer router to provide addressing to the inner router, the outer one would need to be running DHCPv6 prefix delegation server on the LAN side

@thick minnow same thing just means your ISP is total garbage.

xDDD

wdym

He has a 100.65.x.x address on his router's WAN interface so it's directly to ISP, and it's PPPoE

i dont have wan

yes you do

@thick minnow run tracert 1.1.1.1

in commandline.

okay i have wan xD

@thick minnow do it

wait

my connection here wait :::

--------------O - ISP ROUTER
/
modem
/
router PC1
/ \
Extender PC2
|
PC3

yes

that is a mess.

thats not how you do networking.

Thank you

Holy crap

Everything works

I promise to not touch anything xd

i mean is here anything bad ? internet is working

^ that quote 🤣

xD

your behind multiple NAT's by the looks of it

yep iam

unless those router's aren't NATing

i cannot ping my public ip

rofl

your router is configured for pppoe though right?

xD tf that means

well at least your diagram was accurate

exactly

get rid of All of this, and replace it with a mikrotik.

ok so then you should be able to get things going if you replace the tplink

problem solved.

woooah woooah wait wait whym, slowly

@thick minnow basically. https://i.imgur.com/LGZ93PM.png

it is

I helped him before diagnose that it's CGNAT

@thick minnow is it okay if I share the pics?

hmm

let me see what is inside them ok?

yes

https://cdn.discordapp.com/attachments/821089686360948777/821089694631723088/unknown.png

ok so yes a standard CG-NAT setup.. if that screenshot is from the tplink all you should have to do is replace the tplink

uh so tp-link is under CG-NAT ?

is thay replacement illegal ?

of course lol

illegal?

just save the pppoe login

did you buy the TP-Link?

replacing something you bought and installed yourself wouldn't be considered illegal under any definition

Breaking: Man goes to jail for replacing ISPs router with a better one

if/when you get a mikrotik router, the first thing you should do is upgrade routerOS on it, then enable the ipv6 package, then reset it back to factory defaults

only after doing all that, then you start configuring it, changing settings etc

yeah then you get default fw and all

i mean

so it will be a few reboots -- upgrade routeros, reboot, enable ipv6 package, reboot, reset it to factory defaults, it will prompt to reboot

ïts my router

i bought it

they have nothing to do with

my friend said me that my wan is local network for ISP that are NAT ing me

so then why would you think it would be illegal to replace it

because its getting rid of NAT which is coverign my ip isn't it ? or it just makes ipv6 accesible ?

you're not going to be getting rid of NAT on IPv4, it is just that the newer router would do it instead of the TP-Link

but your IPv6 will work

your ISP is also CG-NATing v4 no matter what

you'll be running a dual stack configuration

a shared v4 and public v6

public (global) v6

not private

you'll be running both IPv4 and IPv6.. IPv4 will still be CG-NAT but IPv6 would be global

global is basically the new name for public on IPv6

oo

so i would be able to port forward and host again like 5-7years back ?

no such thing as port forwarding in v6

can someone provide some insight into a product comparison?
Nighthawk RAX78 vs MK63S
Nighthawk RAX78: https://www.netgear.com/home/wifi/routers/rax78/
Nighthawk MK63S: https://www.netgear.com/home/wifi/mesh/mk63s/

(well there is if you are nating v6 but eh)

@thick minnow your hosts behind the router will be on global IPv6 themselves

you will just open the firewall

Is wifi 6 or triband important?

wdym

like ppl ?

@thick minnow in ipv6 each device get's a global IP

they should at least

OOH

all of your lan hosts will all have their own public IPs

is it payed by law ?

like ipv4

on v6 you dont need NAT at all

you should get a /64 block of addresses

@thick minnow no, we're out of v4 addresses

its only 32 bit

ik

ik

v6 is 128 bit

yes

ISP's generally give you a /56, so that you have 256 /64's

^

the smallest subnet size you can use practically is a /64

if i have ipv6 i can have public ip and host again ?

and each /64 is 18,446,744,073,709,551,616 addresses

a /64 has 18 quintillion addresses

yes should have at least 18,446,744,073,709,551,616public ips

so i can host with em ? lets say emm a minecraft server ? to frineds ?

yes, at least becuase if they give a /56 like the recommendation you should have 256 times that

only if they have ipv6 as well, but java minecraft doesn't support v6 offically

is ipv6 in price iam paying of ipv4 ?

java version of minecraft doesnt support it

java itself supports v6.

it should

depends on ISP

uh okay

soo

I haven't heard of an ISP charging extra for v6

yes you shouldn't have to pay extra for ipv6, that would be strange

the reason your ISP does CG-NAT is partially due to costs

hmmmm

we give all of our customers public IPv4 but we pay $25,000 a month to rent the blocks

our IPv6 space is much much larger and we pay just $1000 a year for it

tell fios to roll out v6 already

meanwhile

lol

I have my own ipv4 block

currently using a tunnel

how to make any server with ip looking 123.123.123.123 on ipv6 is that impossible ? so old games such as minecraft wont support my public ip so no hosting at all ? no point at is

@thick minnow you got the short end of the stick

XD

you need some kind of reverse tunnel

newer games that support IPv6 will work

tf that means

it'll be an IP like [2001:0db8:85a3:0000:0000:8a2e:0370:7334]

you can get a free domain

@tender hazel wouldnt wireguard on routerOS be easier?

uh

@tender hazel and then using a vps endpoint

so you don't have to write that whole thing

sooooo

like we did before, but this time with a mikrotik?

no more minecraft server hosting unless using hamachi etc .?

that's VPN

I recommended zerotier before

I think they are using radmin vpn...

lol, I have a new mikrotik to play with

gonna load the beta version on it

see how the wireguard stuff fares

so how can i host ipv6 minecraft server

yeah I'm running 7.1beta4 at home on my 4011

and have wireguard running

it works

it is stable

at first I had lots of reboots at random times, but remembered that I forgot to upgrade the routerboot firmware to beta4

after I did that, everything became stable

@tender hazel is it normal that these APs beep?

Bedrock, or mess with minecraft modifications

HOLY so its possible ?

so can i host like other servers do ?

https://i.imgur.com/vnk2KHs.png

oh

you probably have the alignment beeper turned on

it has a buzzer that gets quicker when the alignment gets better

it is intended for aligning point to point links

or subscriber units

you wouldn't have it turned on on the AP side

and you would also turn it off after a radio is aligned so that people don't have to hear the beeping forever for no reason

@tender hazel I just connected with winbox

and deleted configuration

now I can upgrade firmware :P https://i.imgur.com/N7G2B5K.png

On bedrock yes

hmmm

Bedrock supports v6

no more minecraft java ?

Maybe in the future

Java itself supports v6

Only good thing about bedrock, v6 support

as @peak cloak said, zerotier is a much better alternative than hamachi. Upto 100 users for free. Only downside is that it makes it so that its like lan (so basically people can maybe see your files depending on how you set it up)

Well compared to hamachi there is no downside

hmmmm

You could probably set it up so it's isolated to that one computer

That's actually what I did initially

With firewall rules

To host minecraft

Then I switched to routing traffic through a VPS

And while it's a headache at first to setup, it's fine once you set everything up

@tender hazel so what does this mean? https://i.imgur.com/Tn0IYxp.png

it is doing radar detection

it should finish in another minute

its indoor rn

is that bad?

no

radar detection?

its looking at other APs in the area?

yes.. whenever you use a DFS channel the device has to do radar detection

no, it is making supre it will not interfere with doppler weather radar

Could minecraft newer versions come with ipv6 adress update ?

the dfs channels share frequencies with doppler weather radar

https://i.imgur.com/1bG6myj.png

if there is a radar on the same channel, and the AP does not detect it, it would make it look like a giant thunderstorm around you

If java supports it, then I don't see why not

The main question IF they will update it

my phone just connected to it

ill request it xD

lets see.

So far it looks like most of the attention is on bedrock

Since that makes the most money

https://i.imgur.com/B2AWnvh.png

Downstream went to 100 and stayed there.

5GHz is pretty sweet

but there is some downstream limiting going on..

that's very unbalanced

@tender hazel 3 meters away from the AP

it jumped to 100 and pinned.

wat https://i.imgur.com/vkaNnla.png

is this just my phone being garbage?

oh its very direction sensitive

https://i.imgur.com/1mBxIc8.png

400mbit datapath. the phone can barely transmit 80

those values look ok

it is not unusual for the TX rate to drop, what happens is the phone goes into power saving and negotiates a lower rate for when it is not as busy

it will only negotiate a higher rate for a brief time if it is doing heavy uploading

okay, and any way I can tell this CAP to use 2.4 now?

the AP side should keep the same power all the time in most cases, it doesn't have to ramp down for power saving in the same way a phone would so the rx rate should be more stable

oh it was smooth as butter

it jumped to max rate

and has like 1ms jitter

Its just downstream that is slow..

I'm not sure how it is done in the metal 52 - you can't use both 5ghz and 2ghz at the same time, there is probably some kind of setting in the software that lets you change the radio between 5ghz and 2ghz mode

@peak cloak is this reddit response wrong? https://www.reddit.com/r/Minecraft/comments/d51hlr/how_can_i_make_minecraft_server_on_ipv6/

@tender hazel looking at the configuration

my guess would be

to create multiple caps configurations with the same SSID and datapath

but with different frequency bands

https://i.imgur.com/kmQ46Tm.png

you can only select a single band here

but the metal 52 can't do 5ghz and 2.4ghz at the same time

I know.

but it picked 5GHz on its own

I just provisioned it.

yes, but there must be a way of telling it which one to operate in

There isnt one.

Its defconf

maybe, offically it's not supported

interesting

I'll try it out once I get a new router

the thing that is pushing the uptake of IPv6 the most is cellular/mobile

yep, on AT&T and I get a v6

and I'm guessing you probably don't get v4, they are doing some kind of 464XLAT

idk, I think I get a NATed v4

let me check

a lot of them aren't doing NATed v4 and are doing 464XLAT to "proxy" ipv4 only sites

huh, interesting

the issue is that that doesn't work with VPNS

never heard of that

unless your VPN is IPv6

it is a problem for meraki right now

they were slow to build IPv6 support

@tender hazel I think I figured it out

then one day tmobile switched all customers to IPv6 only with 464XLAT

and it broke the corporate VPNs for hundreds of companies

with no way to fix it

@tender hazel you go to Remote CAP, and select provision, this creates a new dynamic interface in the interfacelist.

You then copy this configuration, remove the old one

so meraki had to rush and start implementing v6 becuase of that

YOu can adjust the band and frequency

once you save that. You go back to the radio config and reprovision

then it works

what's the data interface on android?

https://i.imgur.com/VKj3994.png

I have like 22 network interfaces

I did blow up the home wifi

don't run 40mhz channel with 2.4ghz

why not?

unless you are in the middle of nowhere

and is it?

yes

@tender hazel the target will be the middle of nowhere

well. its a valley with no phone service lol

no radio or any interference

in 2.4ghz there are only three choices for 20mhz channel that do not overlap

ohh

3 7 and 11 right?

1 6 and 11

@tender hazel looks like I get a v4 as well

TURBO

https://i.imgur.com/phBlJMt.png

I think 40mhz turbo is different

it is the extension channel you use to restrict the channel size

any channel that is a multiple of 20mhz will have control channel width of 20mhz

so 40mhz and 80mhz will all have control channel width of 20mhz

but the extension channel determines the overall size

So what is this? https://i.imgur.com/0YbATcD.png

Extension channel Ce, eC, or XX means 40Mhz, extension channel of four characters (ex. XXXX, Ceee, eCee, eeCe, eeeC) is 80mhz

extension channel none means 20mhz only

so what do you recommend doing in larger setups?

not using one at all?

not using one at all for 2.4ghz.. for 5ghz you have many more channel choices

ah

seeing what happens if do it anyways xD

in production you will want all three 2.4ghz channels available

where do I set this?

https://i.imgur.com/NxGVeqP.png

really?

you have to enter the frequencies by hand?

yes, with mikrotik you specify the frequency instead of the channel number but I don't know why it says no supported channel

what I usually do to get a list is I look on a device without capsman and see what 2.4ghz frequencies are available

I just googled

dialed in a number for channel 1

now trying to set up a 2nd 2.4gHz device on another channel

and then testing with app on phone ^^

they do make it quite easy

you can just break the config up into smaller units

and then assign them to each AP to what you want exactly

https://i.imgur.com/dX5UD9o.png

yup

I usually use dynamic capsman interfaces instead of static ones, but there is no right or wrong way

well, I least to know what buttons and dials to press if I set out to doing this

I've done plenty of the other mikrotik stuff, first time doing a network with more than 4 antennas

@tender hazel you think an RB4011 would be powerful enough as a centerpiece?

its got enough horsepowers to do bandwidth queueing as well

you mean a central router? a centerpiece is an ormanent that goes in the middle of a dining table

I need a couple vlans, sip

I don't think you mean to put your 4011 in the middle of a dinner table as an ornament

no no

I ment as a core router

and then just a bunch of switches

and APs

yes it is certainly powerful enough

you will want to use local forwarding for the APs and not capsman forwarding, for the best throughput

@tender hazel I want to prevent client-client communication.

all clients are behind a NAT, but no client-client communications

yes, that's fine, that's a separate setting

local forwarding is a separate setting from client to client forwarding

https://i.imgur.com/vQtvvr1.png

what does this do ?

when you aren't using local forwarding, it tunnels all packets from the customer all the way back to the capsman and the capsman decapsulates them

when you are using local forwarding, the packet is handed directly to the AP's ethernet interface and it gets delivered from there, no tunneling involved

but you can still assign them a vlan, and it just comes into the router as normal?

the tunneling increases the cpu usage on the APs and capsman and makes the wifi performance slower

yes

okay, but wouldn't this allow for two clients to communicate with eachother, across two wireless stations?

client to client forwarding controls whether two clients on the same AP can talk to each other, by default it is disabled

I guess to prevent talk between various AP's I'd have to use either multiple VLANs, or some kind of bridge filter?

not sure..

multiple VLANs is not a good idea

yeah

sounds tedious

well it isn't only tedious it will cause problems

devices like phones and laptops assume when they are on an SSID that everything on the same SSID is on the same subnet

so they can roam from one AP to another if the SSID is the same and they won't request a new IP address

because they assume their lease is still valid from the previous AP they were connected to

if you start setting up different VLANs but the same SSID then the devices will lose their IPs and not realize it

so when they roam they will just stop working

okay, so don't change the broadcast domain.

correct

got it

but what about preventing chatter between two ports then?

if you have a switch that has the two APs connected

and the router

right, so you can do that in the switch

what kind of switch is it

Well, none has been selected

I have a CRS305 here

wouldnt be any different though?

https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Port_isolation

https://i.imgur.com/s9mLwhB.png

this?

that explains how to do it for CRS3xx versions

it will be different for different devices with different switch chips

https://i.imgur.com/M0vDLAY.png

yes that looks correct.. that's assuming sfp-sfpplus1 is your uplink port

I'm not gonna change it, right now

what that is doing is it is forcing sfp-sfpplus2 to only be able to talk to sfp-sfpplus1 and no other ports

would break everything :P

@tender hazel but can you do the same with a vlan?

the problem is then you can't have a single subnet

the AP itself will use a different vlan (1)

but the network from caps

will be on its own

in that case, the switch cannot just isolate them?

only the vlan that is used by the caps

@tender hazel ahh I found it..

https://i.imgur.com/B5VA4HH.png

switching rules

port isolation is easier

https://i.imgur.com/TW7Y4Hi.png

nah, but this is perfect

data on X port with vlan Y goes to <other port>

but where is the difference between what you are doing in those screenshots and what you were doing in the simpler isolation option before?

this is a Switching Rule

not port isolation

@tender hazel I guess, in this context there wouldnt be one

but if you wanted to redirect only certain VLANs

for what purpose?

well, wouldn't this prevent the devices from being cable to communicate directly with eachother?

while not breaking the broadcast domain

yes, but the port isolation option would do that too

but it would flag all traffic

the reason I suggest port isolation is all switches have a similar feature and it is also called port isolation

yes, and?

what other traffic is coming from the AP?

None

There is no reason to use a switching rule

i know

but its more flexible

it is more flexible yes, but do you need that flexibility? if not it is better to keep things simple

@tender hazel interesting though. it would also prevent someone from spoofing the router IP

and trying to redirect traffic

wont work xD

how do you mean?

when you are doing port isolation yes they won't be able to ARP each other

if someone does spoof the router IP and MAC, other customers would not be able to resolve the spoofing via ARP, they would just get the original router

so yes it wouldn't work

good

cool so 2 channels working

time to see what the phone has to say aobut it

there is something else you can optionally do as well

you can do local-proxy-arp on your main bridge

once everything is isolated

that is if you want to allow traffic between customers while still keeping them isolated on a layer 2 level

ah yes

that means the router responds to all arp requests?

yes, so essentially all traffic becomes routed

passes through the firewall etc

that's cool

I use that on my vpn bridge here

so I can reach clients on my LAN from my phone through l2tp

I use same subnet

that's regular proxy-arp you are talking about

local-proxy-arp is a bit different

oh

aaand

yes. https://i.imgur.com/Hw4QGut.png

you are correct

proxy-arp is for doing arp proxy to different interfaces - in this case, proxy arp between the bridge-vpn and the other interfaces

local-proxy-arp is for doing arp proxy to the same interface

thx everybody so much today 🙂

@tender hazel https://i.imgur.com/T6GyBcp.png

Well I call this success.

yup

Anyone have any good software to run jnlp file on fedora ?

does this help? https://openwebstart.com/

I don't see here download for fedora 😔

IcedTea-Web?

Stopped working

Doesn't support Java higher than 1.8.0.275

oh ok

And I can't find where to download load it from relaible source

what do you need jnlp support for

Both yes and no

it is if you are using the default ports

^

if you are using non standard ports it has to do deep packet inspection to identify that it is wireguard traffic and that is costly

most ISPs aren't going to do deep packet inspection because it puts too much of a load on their core devices and they would need to buy much more powerful core routers to attain the same speeds

do you get more than that outside of wireguard?

yeah, but did you do a test when not connected to wg?

right now

they would more likely be rate thottling all UDP traffic instead of just wireguard

but that's the sort of thing that net neutrality is supposed to avoid

if your country has net neutrality laws

it may not have anything to do with their changes

What did they change exactly? Just relay the link?

any bad cable connections etc should show up for all traffic, not just wireguard

Would the Nexus 5020 be a good choice for a 10G switch for my homelab server VLAN traffic?

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-5020-switch/product_bulletin_c25-462134.html

Looking to give my homelab servers 10G between them and also to expose myself to the Cisco ecosystem without buying new or spending a fortune.

looks inexpensive enough

newegg price is super cheap

those devices are super old though

the documentation I am seeing is from 2008

yep

Not sure how old is too old in this instance

if you really want cisco you could go with that I guess.. the main thing I would worry about actually with that device is the fans

those old high end switches have a tendency to sound like jets taking off

hm

i'm trying to find something Cisco to expose myself to nxos

I would probably lean more towards the mikrotik CRS312 for a home lab

Yes, if I wasn't caring for the manufacturer then probably.

I already have a MicroTik switch in my lab

Why NXOS in particular? Work related or just curious?

Curious

More trying to get myself, as I said, exposed to Cisco software

Never used any of their things before and it may help me down the line to not be clueless at this sort of software/CLI

Just purchase a CML license and lab it that way. $200 and you will have access to IOS-XE, NXOS and IOS-XR

No point in buying hardware to learn, when it can be emulated at a much greater scale for cheap

i just did

CML enterprise

alright, but along with that i do just need a switch for my lab

I’ll look into CML, haven’t heard of that before

I haven't touched CML yet. Had VIRL in 2019 and still using those images. Expired right before the vXR/vXR9k was updated to support L2vpn...limited anyhow

Its Cisco's version of GNS3/EVE-NG. You can just download the images and use them in GNS3/EVE. I prefer EVE, but it does allow you to use many more images depending on what you would like to lab. CML is Cisco images only

Doesn’t seem to be too expensive

How often is the $200 renewed?

Its yearly but just download the images from CML's dashboard and use them in the above mentioned. AKA you do not need to keep renewing unless you want the most up to date images

Alright

Would you recommend any Cisco switch for <$400 with 10G that could be reasonably used in a homelab?

Or should I just not even look there and look at a different manufacturer?

Depends on the number of 10g ports you need

20-40

If I have 2 connections per server for redundancy and two connections to my L3 distribution switch.

Thats going to be a Lurick or LZ question as at that density you're going to need to go the used nexus line and I am not at all familiar with it

Paging @clear igloo for your Nexus knowledge

yeah that's a lot of 10G ports

I don’t know.

10 maybe

Anything more than 4, a SFP+ switch.

MikroTik's SFP+ switch has 24 ports, $500 USD MSRP

and they are always cheaper than the MSRP

4-40 is quite the swing. Talking <$100 to a few k in the Cisco range

4-20

40 is probably overkill

Realistically I would never use that much

https://mikrotik.com/product/crs326_24s_2q_rm

PSU hot-swappable?

I can go dig mine out

but no

However its dual PSU so I dont really care

and its sub 500

Ah alright

Its capable of being a L2 or L3 switch

The true L3 switch functions are only enabled if you upgrade it to routeros 7 beta

If you run SwOS on it, it runs a lite version of its OS that is L2 only
If you run RouterOS its L3

^ and that

the switch has a chip in it that allows hardware offloading of routing, but it requires some functionality that is only available in the newer linux kernel and is therefore only available in routeros 7, so I would probably not use it as a Layer 3 switch in ROS 6 because you will find the L3 routing performance disappointing without the hardware offload

And tbh ROS 7 is quite... stable

depends on what you are using but yes

I am running it at home now

I’m looking for two switches

the most buggy parts are things like OSPF and BGP

L3 aggregation switch and a switch for 10G connections between my homelab servers

thats really why I dont run them

I use BGP for my S-S VPN Route Propagation, MetalLB and other ingress LB Controller shit, and to announce my ips obv

it really kinda fell apart

S-S?

Site to Site

I use AWS as my Edge Router with their "Transit Gateways" since I also use AWS as my cloud offload.
Their Transit gateways act as a router on top of all the typically public facing endpoints. Its the edge router piece. It attaches to VPC's (AWS' name for a Network, Subnets are their name for VLAN's....), AWS' S-S VPN Links (IPSec with BGP for Dynamic Route Prop), and some other shenanigans. AWS ends up being the central connection piece to all my clouds and physical sites.

Im aware of AWS's design, just curious what S-S meant as when BGP VPN routes are mentioned it's typically not in that context.

https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html#vpn-static-dynamic

I have basic BGP working in RouterOS v7 beta4 but filters are broken

they were working in the last version but broken in this one

OSPFv2 works but OSPFv3 is broken

"Old MAC Donald had a Farm"... EIGRP

the bigger issue is they change the config syntax each release of RouterOS v7 beta

and it doesn't convert properly so you end up with an unstable router

They cant make up their mind

Then again, they are making good use of the beta tag

each time I upgrade I've been exporting an RSC

and basically clearing my config and pasting in the RSC again

Honestly, Im just sad at the lack of consumer priced decent equipment still

Ubiquiti was everyones circle jerk until they dropped the ball because Hardware engineers are not good software engineers or networking plc developers.

In reality, the Unifi equipment was Vyatta with a fancy webUI built into it, It would be nice to be able to kick the secure firmware req and flash straight vyatta.

EIGRP gets the job done. Im just waiting for RouterOS to finally support intermediate-system to intermediate-system (blame the bot for blocking the acronym). They want to keep pushing into the SP space but why they are not including it in v7 is beyond me

Heh

You know its almost turning into a better off option to DIY your switches and routers

ugh.. I tried to just message with a protocol I would rather see before EIGRP

but instead because the name happens to match something else, it blocked the message

lol, told you

For SP, in the core its already being done, at the edge will still be HW. Cisco knows whiteboxes are pushing hard and why they opened up their API with the new Broadcom switchips.

I guess I'll have to call it the routing protocol that shall not be named

Inter-S-Inter-S for short. But agreed, its something that would be of huge benefit. EIGRP is solid but the RFC'd is missing too much of the stub support to use on non-Cisco gear

OSPFv2/3 is fine but until you get to a certain scale its just a pain to design around.

we used to run EIGRP and moved to OSPF

only becuase we started deploying all the mikrotiks and the other network guy was just setting up a bunch of static routes

and redistributing them

and I was like why don't we just move to OSPF, and he was like too much work

and I was like "it's less work maintaining all these crazy static routes?"

in the end I moved our entire network to OSPF in one night

50 routers or so

sounds like someone who is used to hardcoding and cant figure out automation

I run into that too often when pulled into customer deployments. Statics are for defaults, summaries, and nulls. Past that its IGP/BGP or nothing

Designing cloud solutions is fun in the scope of all this
Having to mix the SDN/API/Tenant piece of networking with the Host Layer Networking with the globalized deployments on top.

everybody was like "it's gonna take weeks", and I knew it wouldn't be too hard to blitz through

Ive found basically every "Big IT Task" or "Big Admin Task" can be sprinted in a days sitting if focused on

yup

even if you have no idea what you are doing

google is amazing

and I really wanted to get this migrated quickly.. it was really stupid what they were doing.. they were putting a cisco router and a mikrotik router at each site, the mikrotik router had all customers connected as a stub and the cisco was just there for EIGRP

so like $4000 extra per site to put a cisco router in as a glorified EIGRP translator

lolwtf

this is the amazing nature of networking... the fact you can do shit like this

What was the site design?

EIGRP... on a stiiiiiiiiiiiiiik

the mikrotik was acting as a pppoe concentrator, that all customers connected to

it had static routes to and from the cisco, and the cisco redistributed those to EIGRP to the upstream

that's all the cisco was doing

huge, huge huge waste of money

what.jpg

What was upstream? Hub/spoke, mesh, etc

Talk about paying money for the lack of balls to make a change..

our network is very spread out, so we don't really have redundant connections

it's pretty much hub and spoke

except we have a spoke going to the next spoke going to the next spoke

(WISP network)

our core has layer 2 to a tower, which has a wireless backhaul to the next tower (which maybe has customers) and wireless backhaul to the next tower

so like this

not just 1 layer tho

yes

Basically how Mwave backhaul cell towers are working

EIGRP is simpler in hub/spoke but not at that cost

I really only said EIGRP as a joke for the macdonald shit srry

this auto-generated map includes most of our towers, but not all

Tbh without RFC Backing or vendor-agnostic use, I wouldnt back it

you can see there isn't a lot in terms of redundant links

b/c that is spread out over an area almost as big as texas

Its RFC backed, just missing the most important bits. SIA for days....

Yeah that wouldn't fly for us. Nothing is implemented without solid availability. WISP do not have many options however

yeah we just don't.. a lot of those lines are 30-40km links that are basically in the middle of nowhere from one small settlement to another

in a few extreme cases we have two towers to service two retail customers

We have something around 5-6 WISP peering off us, majority in the mountains. Same situation. I know 2 of them have gone under over the past 2 years just due to upkeep cost

How do I backup emails on my server (postfix+dovecot)?
Is it as simple as copying the maildir folder somewhere, and copying it back to restore?

you can tarball the mail domain dir of dovecot ye

Postfix is just an SMTP Server, Dovecot handles the Mailboxes.

So do I tarball the whole maildir, or just the cur folder that has the emails?

we have a different network architecture now.. we use VPLS tunnels to bring people back to the core to a couple PPPoE concentrators there

maintaining 40 pppoe concentrators was too much work and it was too easy to miss a line of config somewhere

especially when most of them just had a small number of customers

however you opt to manage the backup and restore

A bit off topic but @tender hazel ever heard of the Open Networking Foundation?

yes, and I've heard of OpenFlow

You ever dig through their workgroup files and documents?

mikrotik has basic support for openflow but I've never tried it.. I'm guessing it is pretty incomplete

no

Thats the way to go. Some of our less populated counties have the same design. At least you're using VPLS instead of trunking it back

the problem with trunking it back is that then you get to deal with all sorts of STP fun.. at least with VPLS it flattens the architecture so you aren't left wondering where the problem is if things start getting blocked due to STP finding loops

one of our techs left for another WISP in the area and they have a giant layer 2 trunked, so he would get woken up in the middle of the night every second night because something would be down because spanning tree was blocking something for some reason

he was trying to convince them to build an MPLS network like ours because it was so much more reliable, but they were afraid of what they didn't know.. he left there after just over a month

MPLS is the boogie man for a lot of people. BGP+MPLS+OSPF/inter-s-inter-s is pretty much standard in any flavor of SP. L2 is not sustainable

yeah layer 2 is really not sustainable.. and I guess now there are things like carrier ethernet and EVC's that try to make ethernet better in that way, but I don't know enough about how they get rid of spanning tree related issues and simplify layer 2 troubleshooting

Nothing special with EVCs. Its metro-e which in most instances just means QinQ with some bridge domains and VLAN translations

we have an upstream that uses carrier ethernet and gives us EVC's, and they keep screwing up the configuration and I end up having to help them with their cisco configuration.. and given that I know almost squat about EVC's it's funny that I'm able to figure out the configuration issues faster than they are

Yeah don't let it throw you, still L2 but many of the acronyms are swapped but its pretty straight forward outside vendor quirks

at one point last year the guy there wanted to give us a Q in Q to one site because he couldn't figure out how to give us just a single VLAN tag to get to a site, he wanted to do a 802.1q inside 802.1q for no other reason that he knew how to get that working

but I said no because it was stupid.. I'm not about to set things up in some stupid way b/c the guy doesn't know how to do anything else

Some of it is related to limitations, manly due to their design because they span L2 everywhere, they backed themselves into a corner overtime

Our NNIs are mostly QinQ. Only a few are BGP-LU which is the way to go if you can get a peer to agree. Typically its a headache for our NOC as we will put an order in for NNI to a customer site and since I pushed the standard that we'll handle QinQ on our CPE, the peers just cannot handle it.

in our case we were moving the sites from the old colo to the new one, so we wanted to keep the sites configuration the same if possible.. for the mikrotiks it isn't a big deal because we could mac telnet in, but for the places that we still have a few cisco routers in place and haven't replaced them yet, it is more dangerous to change the uplink VLAN configuration remotely

we had things configured in the way that they used to provide things at the old colo and I didn't really want to have to change that and move the site at the same time to the new colo

commit confirmed changes your life. Its rough going back to IOS making those types of changes

mac telnet and romon are great for that kind of stuff in mikrotik

Agreed, safe mode also

we had a tech one day accidentally reset a remote router to no-default-configuration and we were able to remotely reprogram the entire thing to get it up with no site visit

if that was anything else we would have needed a trip, and it was so far away it would have meant a $1000 flight

it would have been an expensive mistake

we also deal with managing internal networks for some remote schools and health centres and romon really helps us there with the switch infrastructure

b/c unfortunately when things go down, some people have a tendency to just unplug everything from all the switches and plug everything back in to random ports

and at least with romon we can still get into all the switches and figure out what the hell they did

Truck rolls kill ISPs. We're pretty much all Juniper core/edge with Ciena for our CPE. While its no MAC telnet, Ciena does have default tagging for mgmt which we can utilize as a failsafe. But I have yet to see them fail and luckily their reset process is beyond what a customer would attempt

and can remotely walk them through reconnecting things properly

Juniper's don't tolerate sudden power loss. ~10 mins boot results in a customer rebooting when they think there is an issue and rebooting because it doesn't comeback within a min. Only takes 2 pulls to brick them, 3 if you are lucky

some people just seem to lose their marbles the minute they are having an outage.. when we have power outages or something like that, the only thing we usually have to deal with is when power comes back, people have reset their routers or plugged things in funny to try to "fix" things, which really just ends up meaning they are still down when everybody else comes back online

Good thing we don't use Juniper then

although I wouldn't be afraid to use it at our core

in the datacenter where we don't typically have power interruptions like that

No Juniper is where its at. Thats really their only achilles heel which they admit to due to FreeBSD. For our managed deployments its typically SRX/EX switches which during install the techs inform the IT and staff about pulling power along with labels and thankfully have AC locks on them.

we are moving more to mikrotik CHR at our core for now, for our BGP edge

later we might move back to hardware devices, when the CCR2016 comes out

Its a good idea until v7 is in stable. CHR is really the only option until multi core convergence is ready for production

yeah we have been running default route only but we have to move to full tables soon, and I don't want to have to do that on our CCR1072's

Isn't it like 15 mins for even the 1072 to converge with full tables?

yup

ewwww

way too slow if there is a major route flap

you're better off just killing the BGP session and reinitializing

Killing it will still restart convergence. Im not sure if Mikrotik support multipath but if so would be an option for a slight faster convergence at the cost of doubling your tables

killing it is actually much faster, because when there is a route flap, it processes each route change one at a time

if you disable and re-enable the peer, it deletes all the routes at once and reloads them in a batch

Oh you are just talking about individual flaps.

I'm talking about like a major flap that makes you lose many routes at once, they are processed one route at a time

so for each route it has to remove, it has to search through the routing table, find it, remove that one route, rinse and repeat for all the ones that went down

and then add the new ones

which is much slower than the initial load

that's been completely redone in ROS 7 too

so all of that is supposed to be much more efficient

Mikrotik must converge different. Juniper and Cisco use update-groups where routes are organized per-peer/next-hop. Major flaps of due to a peer/next-hop loss is easily purged from memory.

yeah mikrotik wasn't doing that

they do that now in ROS 7, but they aren't in ROS 6

so it purges them one at a time

painfully slowly

God, why would they think to design it that way

I don't know.. a bunch of their routing protocols are designed in a screwy way.. the biggest issue is they tied everything to route caching

they used route caching like an overall FIB

they tied all of their protocols in to use route caching as a major component

when it was removed from the linux kernel, they were stuck and unable to upgrade beyond that kernel version until they rewrote all the routing protocols from scratch to no longer use the route cache

Juniper/Cisco do the same. PFE/CEF handle all that. Many time there are route issues its usually related to it

that's why ROS 7 has taken so long to come out.. they put all of their eggs in the one basket, route caching

it was yanked and everything was back to the drawing board

The question is.. why did Linux pull it

it was pulled from the linux kernel because it didn't improve performance substantially and caused too many secondary issues

Im fine with that type of mindset as long as they are ready to catch up and stabilize decades of work

we've had route caching related bugs on our network

we had a subnet on a router, it was divided up into a series of /29's

we moved things around and eventually it became one big /24

we added it to our PPPoE range and we started getting calls from random customers

that their service wasn't working

saw a pattern to their IPs: .7 .8 .15 .16 .23 .24 .31 .32

etc.

the route caching somehow "remembered" the old /29's that used to exist and was basically blackholing any packets to the broadcast or network addresses for the /29's that used to be there

we wound up having to reboot the device to clear the route cache

Route caching is where a good chuck of the performance comes in but without hardened housekeeping can lead to said issues. It probably still exist in v7 but have just a better implementation. Without it, routing is being pulled away from the ASIC. If they did pull it completely, id be interested in what vodoo is being done which hopefully they'll have a MUM detailing how things were changes

Nothing worse though than PFE/CEF doing the same in the core/edge. Juniper has a more graceful way to flush the tables, but CEF is a bit more of a pain

Well maybe they are doing some kind of caching but they are no longer relying on the version in the Linux kernel

But I also no longer see a route caching check box to enable or disable it. You could disable it before but it broke almost everything in dynamic routing.

They’ve somehow really optimized their routing engine when it comes to the storage. In routeros 7 you can supposedly do full tables with an RB750

Not that you would want to but they have optimized the memory usage so greatly that ipv4 full table can fit in ram on an rb750

I did see that in one of their spotlights a few months ago which leads me to believe they are going the update-groups route like all the others. routes with the same NLRI are all held in chunks like mentioned. Less memory and faster convergence!

Yes they are doing the update groups. And for multi core, they have a core per peer

The core for that peer does the preprocessing and it is only the final main FIB update that is single core

Yeah its going to be a game changer for some that designed around not being able to use BGP and limiting themselves

But come rOS 7, its gonna be on the latest kernel

That will be sweet going forward

hey can anyone help me port forward to host a minecraft server****

its more quiet in here

and folks here know a bit more ;)

@balmy pond do you know how to get into your router's settings?

yeah

im here rn

have you mapped a port yet?

is this the java version of minecraft btw?

yes

ok

theres no port forwarding option

can you find port forwarding or NAT somewhere?

there is an option for virtual servers

that might be it

consumer routers are very confusing sometimes

they all think they can do it better

but end up making it worse/more confusing

yea all the videos in youtube has an option for port forwarding

in my router, I Just create dst-nat rules for this

destination-network address translation

aka: port forwarding

ah ok

go to virtual servers then

show me a screenshot of what it has in it

so confused

what does that mean

@balmy pond did you click on 'new' or something and this come up?

or is this the entire view

i clicked new

oh ok

before this it says no virtual server

ok name it minecraft

private IP should be LAN IP of your minecraft host

which is?

is it the machine you are using currently?

yep

open commandline

and run ipconfig /all

im here

there should be an IPv4 Address

yep

which is?

192.168.0.198

starts with 192.168

okay, first before we continue close out of this.

Find DHCP server settings

usually under LAN configuration

should be somewhere in the router config

i found dhcp

ok, is there a way you can do MAC binding or address reservation?

we need to make sure your PC always gets the same local IP

DHCP is dynamic, so device addresses can potentially change

i see mac filter

nah that's something else

mac filter is wireless

and the dhcp is just showing me devices thats connected

okay but is there a settings for this somewhere?

static route

?

^the menu

no, should be under DHCP

we need to enter a new lease

oh got it

with a predefined mac

dhcp options?

show me a screenshot of the entire view

all the menu options

lol

so they call it static ip addresses

fair

but DHCP leases is more acurate.

idiots building these routers, I tell you.

add a new static IP

ok

ok go back to that ipconfig output you did in commandline

look for your ethernet interface

got it

the IP and physical address you have to copy in there

windows reports these as AA-BB

but your router will want AA:BB

https://i.imgur.com/XJ4RSWd.png wtf ?

lmao

so the ipv4 on the ip address

and the physical on mac?

@balmy pond basically, the Phsyical address is the MAC address. its hardcoded into the network card

when you configure a static ip on your router like this. Whenever your computer turns on and asks for an IP from the router

the router will recognize the MAC address, and always give out the same IP

so that our port forward rule will never break.

gotcha

what about the lease time

a day?

doesnt really matter

ah ok

lower is frequent updates

on big networks this produces a lot noise on the network

so you increase lease times

wireless networks usually have short leases

but it wont matter right

i left it as blank

I have mine set to 20 minutes :3

but thats general dhcp settings

not sure what that has to do with static ip

@balmy pond lol wat

no

leave both host and lease blank

those are not required.

the host one was automatically filled in

like that?

yes.

ok and then

go back to the virtual servers thing

ok

https://cdn.discordapp.com/attachments/387022787480387605/821723118699282482/unknown.png

Give it a name so you can find it later on

enter the private IP of your PC

and private port (start) should be 25565

protocol is tcp, so that is already fine

and then at the bottom

public port: 25565

the private ip is the ipv4 right

just making sure

same one you just configured with the mac address

MAC is physical, IP is logical

yep

IP = internet protocol

ok got it

@balmy pond if you enable NAT Loopback, you'll be able to test it

what does test it mean

see if it works

im sorry im so dumb with these types of stuff

usually only people from outside your network would be able to use this port foward

if you enable loopback, you can enter your own public IP in minecraft and it will work too

its called hairpinning

ohhh ok got it

port forwards only forward your public traffic, not local

Loopback NAT as they call it, is a workaround for this

is it recommended to turn it off or on?

its just convenience to turn it on

aight i'll just turn it on

so now i just apply it?

yeah

so your router should now forward traffic from your public IP to your private IP

ok thanks! i'll test it in a sec

now lets just hope you have your own public IP

because I totally forgot to ask for a network trace

it didnt work

on my friends screen that tried joining

can you do a network trace

open command line

and run tracert 1.1.1.1

@balmy pond do a network trace

might be another reason why it doesnt work

if you can get them to connect externally you can setup something like a pihole and get a local DNS server then override the local dns with that

so both internal and external users can use the same domain

or use a NAT hairpin

Anyone know much about Access Control List?

i'm familiar on aws

My network card is supposed to be only able to handle 8mb

no network card only supports 8mb lol

Well then steams dead then

Anyone know what to do with an old pc? Other than a plex/emby/jellyfin server ofc

Which has Ubuntu server installed btw

pi hole

unbound

what's unbound?

dns server

it's slower

it worked sorry i didnt respond. Thanks for the help!

but more private

ah okay

basically it goes to the root servers and then goes down the list to request dns requests

instead of using a server that does that already like google or cf or your ISP

I used bind9 in the past

yeah bind9 is also a good one

I use pihole and have no issues with it. Performance is great, uses cloudflare as the upstream dns, I can add my own local dns records as well

and pihole has a docker image available too

I've never used the other ones but i'm sure they work fine too

I use my router as my dns server

can configure them to force dns over https too

automatically adds dhcp hostnames to hosts list

I have pihole deployed I just don't use it

well no one is pointed to use it

point the router to it 😄

nope, that would kinda a mess

on my network you can't get DNS unless you go through the pihole or use dns over https

you don't need to set it up, the router tells the clients what to use. If the client tries to use any other outgoing dns, it routes it through the pihole

yeah using NAT rules I saw

I know I can, just don't want to cause more headaches in the future

parents complaining things don't work, etc.

well that's your main problem xD

okay so i need to know how to set up a cisco 5505 ASA firewall as a router. this is for an assignment at my internship but i have no idea how to do this at all. so far i've set the DHCP range, as well as the DNS and the lease time, but what do i do to make it so that i have internet access on the local network i'm creating?

router in what context?

typical home router config? Just NAT one IP?

i suppose so

so that's the thing. Router. You'll need to build the routes

@late geyser if its a shared environment with a single public IP. you need sourcenat.

idk anything cisco specific but yes you need your wan, and you need to route your lan to the wan

i have 2 clients hooked up to 2 different switches, which in turn are connected to the 5505 firewall

because router can also mean routing one subnet to another without NAT

he told me i just need internet access, not company resources and whatnot

are all the clients / switches on the same lan or other lans / vlans?

same lan yeah

port 1, since port 0 is for the WAN as i've read it

is that network card from 1970

I think you just need to setup a route then

I think that was your original question actually... 🙃 idk any cisco cmds

it might've been, no clue

It’s called pre installed laptop network card

is your laptop from 1970

https://community.cisco.com/t5/switching/problem-with-routing-from-lan-to-wan/td-p/1297294

even laptop network card can can do like at least 300mbps

Nope just a very funny system integrator

also my supervisor told me that i don't need the default gateway of the company network for some reason

nope because that's upstream

you just need your own wan IP

as long as that IP has internet

oh hm

that's like needing to know your ISP's default gateway

so all i need is to assign an ip to port 0?

since technically your home router is connected probably to an ISP switch or ISP router

wouldn't the router need to still know it, DHCP provides that info

to know what IP to route packets to

or actually, he said just use dhcp

yeah just use DHCP

you're right actually. You'd need it if DHCP wasn't available

so, should i be able to just hook it up after providing the internal DHCP range?

so the router itself may already have internet if wan0 has an IP

so first establish that, then the issue is getting the rest of the traffic to route to that

check?

there must be a way

does the cisco cli have ping?

it does yeah

I know how to do it on JunOS, Vyetaa, EdgeMax, Vyos based devices but not cisco

oh

keep in mind i haven't connected the wan ethernet yet

wasn't allowed to yet he said