#networking
@tame carbon i have that one i think
or at least mine looks almost identical
Yeah I have a few generics that look exact
Prob same white-label OEM provider
oh wait no i have one from trendnet
big ol box of network hammers
@plain siren Conrad is a very reputable hardware vendor in the Netherlands, and it says 10 years warranty
good enough.
good enough
klein does make really nice stuff, i have some of their wire strippers
@untold elbow yeah but paying premiums on US imported parts is just not worth it
I also found a 10 euro ethernet cable tester
just continuity.
might buy that too
@untold elbow lol all that effort to set up a corporate account on conrad.
to be billed exactly the same price (included VAT)
stupid new laws, small businesses no longer get to pay tax free
you get it as a return at the end of the fiscal year
but I can't invoice VAT myself.
Its easier to manage
but you also pay a little more.
wtf.
I just made an order.
money was withdrawn
but its not in the order history
oh
no their servers are slow as fuck, and have no "in progress" status
bad design.
my favorite website for non fiber cabling: https://i.imgur.com/TUR2sFX.png
Its called "All the Cables"
really cheap
and they have everything
they have ~100,000 different cables
Do you recommend getting shields for the ethernet jacks?
like plastic ones
i never use them
I guess you could use em for color coding
yeah
but cable makes more sense...
right but then you need like 8 spools of bulk cable
what kind of cable do you recommend for outdoor installation?
i try to not make my own ethernet cable when i can avoid it
yeah but I have to run ethernet
they make direct-bury cat6a cable, i'd use that
outdoors
or get normal cat6a and run it through a tiny PVC pipe, like the kind they use for irrigation systems
but then you need to get all the crap they use to join that piping together, the glue and joints and stuff
Thats what I did at home here
except its just a tube
not really sealed in any way
xD
its cat6a
inside the tube
its just protected from outside impacts, but perhaps some moisture can get in
but the cable was pulled through with green soap, so the isolation is ok
xD
direct bury might be better
yes
having the PVC pipe there is nice if you're worried about someone potentially breaking the cable with a shovel at some point
oh then screw it
the camping installation
Its also nice to help with running more later if there is a potential
the only risk we have there
is someone who wants to put up a tent
puts their peg in the wrong place
that's why we do 50cm
pegs are like 20-30cm long at most
I was gonna say just throw a 1/4 pipe PVC over it when you bury it and that should stop impacts
yeah that works too
though we might just do regular rugged cable
I want an easy solution
we have a small excavator
direct bury will be the easiest solution
i'd prob only use conduit if you were running fiber
put cable into a waterproof splice box
and in there I put the injectors
then I have some regular outdoor cable go up the post to the radios
something like that
Direct Bury is exactly what you would want for that tbh
The PE jacket I can just cut off right?
the cable is filled with this like gross goopy grease stuff to keep water out
we can just go to a nearby home improvement store
so bring paper towels or something to wipe your hands
use wet ones
da best
actually totally trash for the sewers
I worked in that industry briefly
xD
they can cause clogs
but also obstruct sensor equipment
or so I was told
I only wrote software
yeah but im not gonna wipe with dry tp
I have isopropanol and paper towels
no worries
could also use this rum I got from Grenada
75%
tastes like lighter fluid
no save that for after
does it matter "flexible and solid core"?
for those rj45 jacks?
I always cut those plastic cores out
when terminating
no, matters for the crimps
for permanent installs, you usually use solid core
but you can really use either
so that rugged cable
@untold elbow idk lol
I've had cables with and without plastic core
and used the same jacks for years
whistles
i dont think it really matters tbh
Would you recommend shielding?
for longer runs, yeah
There's overhead high voltage lines
then def
yes
And terminate the shielding into ground too in that case
Preferably at one end only, the ending of the run not the start.
i think you have to ground the sink wire on both side of the termination
lol nice
@untold elbow https://en.wikipedia.org/wiki/Comet_NEOWISE
nice, p cool
yeah the area is really undeveloped
so you can actually see the stars
and build reliable wireless networks
it's very tough to find a dark spot on the east coast of the US
gotta go way out west
or high up.
yeah, not a ton of that here either
being 500 meters above sea level already makes big diff
netherlands doesnt really have good night skies
its densely populated and mostly below sea level
if you go to the coast
the sky is orange at night
@untold elbow https://pbs.twimg.com/media/Dtv7S7rXgAASdEx.jpg
yeah a lot of cities here have the same thing, or kind of a more red cast
Can you use STP jacks for UTP cable?
yeah
i have no idea lol
how can I see if they are pushthrough?
yeah
but bunch of complaints
not sure tbh, ive never actually used the pullthrough ones
about there only being 10 in the box
instead of 12
@untold elbow oh cool, found a box of 100 pcs for 30 euros
no more fucking around with getting a perfect flat insert
Yeah tbh there is no reason not to use these
Good idea
its nice to check for longer runs
sometimes they are nice to let you know you need to go back and smack harder on them pins
yeah and not require debugging on Layer 2
when that middle pin doesnt register you know what the fuck you did
Yeah, however if it's hard to visualize as it is for some, you print out the wiring layout with the words "TAB IS DOWN" written on it
And you keep that in front of you
I always have the tab away from me
same
Down/away
im facing the easier to see into side
cuz fuck sakes, is the blue jacket in there enough yet?
Oh wheres my magnifying glass
lol
clap clap zoom in and enhance
Good Morning Yall. Enjoying the PfSense box I setup
Yeah that's a deep buffer, with RED you would have to bring the max threshold way down to make sure it's dropping enough to not let the queue build up. 4000 shouldn't be that extreme though
Hey guys, so my android device just randomly drops my wifi connection, even when it is pretty close by. Any ideas on what might be causing this or how to fix this?
Look at logs
Idk where you can find them, but that's where you should go first
Do you need them? I have them, crDroid automatically logs everything
Tho I have 0 Idea what most them mean
Look for disconnected or something like that
Well, I can't really find anything in the logs searching for that word
and for some words related to it
I can't get any errors
I've got a networking specific question: I'm looking into powerline for my student place, and I've read that it's not as efficient as straight ethernet, is that deficiency to do with the actual modules themselves or the way they actually transmit signal?
Like for example: say my max real world speed is 250Mb/s from my ISP, would getting modules + cable rated for gigabit eliminate that deficiency? Or would it still be present?
You're not gonna get the full 250mbit on powerline
and you can't use multiple ones, or at least not ideally.
This produces interesting results
if you are ok with 10M, go ahead xD
can i get help with port forwarding? the port still shows up as 'closed'
For ethernet cable buying. Is it good to buy longer than what you need or Should I just buy long enough cable for my purpose?
I measured my new router location from my modem placement and it is 6 foot and 10 inches away. I was thinking of just buying two 10 foot cables or two 12 foot cables
My new router won't be here until mid week
What would be the perfect length cable 10 or 12?
Unless you're going over 100 meters it won't matter, just get cables that will have a bit of slack and look nice
Here the 10 foot cable https://www.amazon.com/dp/B07X9B724Y/ref=twister_B08F55F7DL?_encoding=UTF8&th=1
Here the 10 foot cable https://www.amazon.com/dp/B07X99SSLH/ref=twister_B08F55F7DL?_encoding=UTF8&th=1
Price difference is only $0.28
You are right I was thinking really hard on buying longer cables like the 12 foot. I am not going to really mount my router to the ceiling. Figure that router placement would be optimal for me if it is mid high door height.
@vast shard I could do you one better
you can have router and wireless access separate.
Why this is never really a wide spread solution offered in CPE is annoying
Like nooooooo, I want my WiFi Upgradeable without upgrading my whole fucking route table and migrating
I am not doing that at all. I am just replacing my 15 year old router back in 2006 that has WIFI 4 technology
And I want my WiFi AP's in more than one damn area acting like what they should be.... Ethernet without a wire
@vast shard yes but instead of mounting the router in the ceiling. You have separate devices that do these tasks
you can expand on this if you need coverage in some other place.
I am talking about mounting location like the height
That seems so weird... having the device doing my routing on the ceiling.... god help me if I gotta access it
But if you want ideal, yeah the higher the better
so all the heat from the PC is ruining the 15 year old router now
yes you understand.
Its like a sprinkler head, the further up you can get to optimal coverage spread, the more the "dome" coming off it spreads
it is not attic placement but just room placement
okay got you on that
I am trying to save money on cable length as well even if 10 foot is only $0.28 difference from the 12 foot
I am running CAT 8
I utilize In-Wall AP's which have a radiation pattern meant to shoot sideways
Yeah, standard non-vaulted ceiling height is about the max optimal
Assuming max broadcast power and all that
my new router placement in my room right now will be for family wifi and the house is 2,000 or so sq. ft
imperial units
and you are in the corner or center
oh that's quite large.
I am in the corner of the house
router is in the right part of the house
your 5GHz is gonna get 1280-1390 sq ft on edge propagation and your 2.4 about 1600 from a corner of a 2k SqFt House assuming 2 walls between end
I already have a wireless router
mh
and thats assuming quality
that cover to the main street as well
To be fair, mine covers to main street and across the street until you put the garage between you and most the AP's LOS
this house have drywall but multiple rooms and this router is like a buy once and done
I am not going mesh router addition
The solution I have here is multiple wireless access points, each fed by wired ethernet
and the central router controls the wireless network across those devices.
so you just hop between one antenna to another if you move around in the house
and you dont even notice it
@plain siren I seen the 2021 router from ASUS
Gaming Router
I would return it if you can
@tame carbon my Western Digital wireless router right now is very strong and can do all that
No matter how many antennas you add to an AP, the physical limitations of propagation of signals will always give same results
with mikrotik you get 3 wireless access points AND a router for less.
yes gaming router
yeah thats a huge cost of money wasted holy shit I just saw the price
Yeah its a total ripoff
And its a MIPS System WOT
they are incredibly limited in features, never receive updates, and are full of bugs.
HAHAHA
And they also never reach advertised speeds
omg its like a reactor in a box
@vast shard sorry to say, but you have been ripped off. Asus should be banned from building routers. Its a real shame.
I would return it
@plain siren I was thinking of putting a switch in my attic and running ethernet wall plates near every electrical outlet and using a wireless router
And the RF controller stability is already reported to be compromised by heat due to placement
I did not buy asus router I a researching right now
@vast shard https://mikrotik.com/product/hap_ac3
For 540 USD, you could get ...a lot
@vast shard that as your main router, and you can then buy additional APs for $60
@plain siren @tame carbon can y'all stop being shills for 5 seconds
I had a total of... 1 issue
No
speaking from experience here.
I was going for best router and not going to buy any extra
but muh dedicated controllers and access points and numerous other points of things to manage @severe wigeon !!!!
Dont spend that is the point, get a single system with matching specs for 1/10th
You are looking at price==perf
@vast shard just because it has 8 legs and can walk doesnt mean it is worth the money
Its incredibly expensive and my experience with asus routers is that they are full of bugs and problems
and have almost no features
you're still thinking I will buy ASUS but I am buying another brand with great reviews and pro setup
Is management really changed that much from when you bind it all into the same plastic box?
@vast shard this isnt just asus. those linksys and tplink routers in that pricerange are equally bad.
Cant forget when people try to use 5 different environments and wonder why shit ain't right
@plain siren getting none of them as well I found other
Also not all home gamers have a spare rack
For the average home user it is, yes, single point of access for everything without having to delve into a lot of different knobs and settings, if someone wants simple and easy that's fine
Not saying a $600 asus router is what they should get but sometimes simple is good
and this is 10x more reliable
Can look at it two ways: Less things to fail, OR, only one thing to replace
If I am being entirely honest, Ive found the AIO's just as PnP as much as this shit offered today. We are in 2021 so its not unlikely that some level of user experience was gained
speed so slow I need more
I can be just as lazy in any solution you decide on now a days 
@vast shard yeah but more antennas doesnt mean more speed
not if you all concentrate them in one location
only 5 of them are actually wired
at close range with that router above ^ you get ~800mbit/s total bandwidth over 5GHz
that's at an 80MHz channel
If you're doing 160MHz and 8x8 then sure, but you're 5 feet from the router at that point 
yeah but why xD
the moment you are on the other side of the house
5GHz dies, and you are stuck on 20MHz channel on 2.4GHz
So according to my shitty ass math, if he can nail a router at about 9ft height exactly dead center of his house I assumed was a square
He can get 5GHz 1'st edge to every corner
Except where bathrooms are
did you analyze the soil composition of the material that was put into the drywall?
I assumed the extra 8th inch thick drywall was used and 2x6's not 2x4's
@vast shard if you have the option to run an ethernet cable to the other side of the house, then having a multi AP solution is really preferred
itll yield more stable and equal coverage around the house
my router now has no antennas
it is fast
neither does mine :)
It does, its just taped to the inside of the case
They're just internal
this router has no wireless capabilities at all.
but I can still manage my wifi with it :)
Usually built onto the board and absurdly fragile
made of glass more like
I am running CAT 8 ethernet cable so it just provide more speed that way too
ugh
they break like glass
Oh
@vast shard cat6a is good enough
Cat 6 is not for me anymore
its amazing how brittle that copper is when I can play with the copper in a cat5 cable all day and itll flex
I may have two CAT 6 only because it running from a switch
So like almost every modern ecosystem that dates back to 2012
Its not special, and it never was expensive. You just kept looking at expensive gear
In like 2015 there were brands in the 300-400 range
They were aimed heavily at hospitality up until 2016
I found CAT 8 100 foot cable at $20. Even thought I don't need that length it is still cheaper than the Cat 6 cable I bought in store for $30
thats about when I saw marketing change personally
Literally anything beyond 6a is pointless in a home
That's not CAT8, 8 is much more expensive and most of it being sold is not actually CAT8
@plain siren I figure out all my math in money and cable length. 100 foot cable length is long enough and not going 12 foot because that is excessive
tell that to the internet
This
Internet is telling that to you right now
@vast shard cat5e can do gigabit speeds at 330 feet.
for real not everything may seem what the product is
Ensure you count beams, properly securing the cable and giving enough room for slack
and dont forget the drywall sample
Anyone ever have the pleasure of playing with GG45 Terminations?
the slack is what I am worried about. How much slack is too much?
I've watched dumbfucks measure the floor and wonder why it wasn't enough. I swear common sense is lacking nowadays
I think if you stumble over it then you have too much slack
When it starts looking stupid
Otherwise, never
Really no such thing if you manage it right
Because you can always cut it down
bad day when you aint got shit to work with after
I measure from my router placement from the floor is 1 foot and 8 inches and the computer is 1 foot and 5 inches. at the ethernet port location. From where I want to place it is 4 foot higher off those port locations.
@plain siren when are we going to use silver for high speed copper wired ethernet?
Real CAT8 will cost you $150-200 for 100ft. The internet thinks 7/8 is an actual acknowledged standard too. It's a specialty spec and most are just advertising it for quick money
I cut it down by buying the right cable length
It was a asshole move by OEM's too. They ruined the next logical step in classification with non-ratified standards made outside the authorities scope
Because I assume you are using keystone plates
Sounds like AR500's bullshit armor that cant even stop greentip, but thats a different rant
It got hot in here suddenly
"lEvEl iV"
heheh, belongs on wish
The redneck that runs my local demo range has a joke:
"Its called wish because you are gonna wish you didnt"
Ope
Agreed. It was developed during a time when optics were just starting to make significant jumps. Never was officially acknowledged as the power requirements were enormous compared to fiber and realized early on it was a waste of time. But OEMs and marketing still push that garbage.
so if I did all my measurement and math right I would only need two 10 foot cables because of how high I want to place my router at on my wall and I would probably place it on a small homemade shelving unit
where the modem and computer are located I won't be able to use my 3 foot cable anymore
12 foot in my measurement are very excessive.
Now I will see how much slack I will have left after using my 10 foot cable and placing my new router on the wall. Either actual wall mount it or putting it on a shelf
What is this anyway? I see this from time to time. It is a maroon circle with a tan/yellowish border on the outside.
I see people reacting to things with that maroon circle but I'm not getting the reference
It's an edgy version of 
which is a version of 
ahh I see
Yeah its basically taking the whole gaping mouth gag to the largest extreme out of irony...... or so I assume
its just the first one in my :omega search so I mash enter
Usually most people get what it is so its good enough for my lazy communication standards
I hadn't really seen enough of the intermediate steps to make a connection
And googling omega maroon circle meme didn't return anything useful
it looked sorta ugly and so I figured it was some kind of discord bug where it wasn't displaying something properly
interesting.. I can't seem to be able to pass any traffic at all over a VPLS tunnel from one mikrotik CHR on ESXi to another
only between a CHR and a physical router
except for neighbor discovery broadcasts.. they are making it through somehow
the mac and IP show up in the ARP table but the little "C" for connected doesn't appear next to them
not entirely sure what that means
So only ND is going through the tunnel?
Maccas wifi be pumping
Hi, new to the server.
Where/who may I ask about VPN providers?
Looking at switching my VPN over to PIA and wondering if it's any good. 3 years ago the speed was dreadful.
Yup.. I put an IP on both sides and I can't ping the one end from the other
but a VPLS tunnel from either of the CHRs to a hardware router is fine
@hollow marlin I'm also seeing some weird behavior of throughput
mikrotik btest from one chr to the other, both with MPLS, TCP receive is fast but send is slow, like 3Mbps instead of 1Gbps
btest from the second CHR to the first, TCP receive is fast but send is slow, same thing
but it is a different direction
so I can get very fast rates on receive in either direction, but send in either direction is slow
so it doesn't appear to be related to the direction of the traffic, but instead based on which side initiated the session
it is just kinda weird
Thats odd for sure. Are the CHRs licensed? I really only use the CHR in my lab as unlicensed traffic generator is unlimited and works great for my labs. I have not tested it with btest though
they have a trial license of 1G
I checked and what is happening is when I do a send it applies an MPLS label but when I do a receive it does not, it is regular IP.. my advertise filters are preventing anything that is not in my router loopback range from getting MPLS labels
that's why the direction matters, I can't force btest to use a certain src IP so it uses the closest interface and whether the traffic is labelled or not depends on the direction
That'll be a problem. By advertise filters, I assume thats Mikrotik's syntax for LDP filtering?
yeah.. in our case we set up advertise filters because we only want traffic from router loopback IP to router loopback IP to get labels.. we don't really need other traffic to get an MPLS label
Nice thing is Juniper defaults LDP to loopback only and only uses an LSP for BGP with next-hops in the inet.3 table. Actually Junos revolves around loopbacks. My IOS-XR configs I always filter loopbacks only. Not just having more control of labels, but a hell of a lot easier when troubleshooting too
You can setup a egress policy to advertise other FECs but its rarely useful.
nice to know that what we are doing is more or less standard practice - I just did it because it seemed to make sense to do so, no need to slap labels on everything
Yeah its definitely best practice and cleanest config
so this means mikrotik did not fix the bug related to large receive offload in ESXi and KVM
they introduced a fix in 6.45.9.. but I hadn't tried the fix until now
It was well after then before I began using CHR in EVE so I never ran into it. Were you able to fix the VPLS circuit as well?
no.. VPLS seems to work fine between CHR and hardware though
so this probably won't be a showstopper for what we are doing
I can probably create a bunch of PTP VLANs to allow the CHRs to communicate to each other directly if I need
Was the inner tag intact when arriving at the other CHR?
Or were the PW even coming up?
the pseudowires come up and show running
and they pass the mikrotik neighbor discovery protocol broadcasts
which is weird
I don't know why that would work, but arp wouldn't?
it must not be getting the arp reply
just a whole bunch of that
yeah it's not getting the arp replies
it is just getting broadcasts, no unicasts
hmm
I wonder if I need promiscuous mode for that
although I wouldn't expect vmware could read that deep inside the packet
nah promiscuous mode isn't helping
What does the label stack show ingress/egress the HW router?
this is between two CHR's
VPLS works between a CHR and hardware router
the arp request which is received has a label of 16
the reply has two labels, 4888 and 155
Oh this is just virtual
yeah VPLS is working ok when going from an ESXI VM to a hardware router
This just 2 CHRs directly connected?
routed through a cloud core router
but they are running on the same esxi box
CHR1 <-- /30 --> CCR <-- /30 --> CHR2
CHR2 is applying the correct labels to the arp reply and sending it back to CHR1, but it doesn't make it
Whats the MPLS table on the CCR for the outer label in the reply?
I'm just doing more captures here to check, first I was making sure that the CCR is receiving the arp reply from the second CHR2, it is
so the reply going from the CCR to CHR1 pops the outer label, which I would expect, the inner label is 155
the CCR sends it to CHR1
CHR1 does not receive this on ether1
why on earth is this only happening with unicast traffic.. that's what doesn't make sense
broadcasts make it through
Good, so labels are switching correctly. Odd its only unicast though.
I'd have to toss it in EVE to see if I get the same results.
yeah I was actually just suggesting to our other network engineer that we should maybe have an EVE VM in the office for testing for stuff like this
I've never configured VPLS for ROS so it would be going through the wiki. Or in say 15 we could do a screen share if you're up for it
@hollow marlin https://pastebin.com/QfaKihBe
that should be enough to get it going, it is pretty straightforward.. I'm up for doing a screen share though, yes
I fully expect you'll be able to reproduce the issue
Ill toss the config in EVE quick and test first
ok
@tender hazel looks like its working
oh ok
might be due to the hypervisor in eve-ng
maybe it doesn't do the receive offloading
like it works fine in hyper-V apparently because that doesn't do receive offloading
Agreed. The config is not too bad in ROS
@tender hazel Anything you want me to test while I got this lab up?
I do love how little resources are needed. My 3950x can handle quite a bit, but I might replace the vIOS routers with CHR for my larger labs
Any ideas why my ipsec tunnel dont work? https://imgur.com/a/29a3nCo
@mortal stirrup are you using just ipsec or some kind of layer 2 tunnel ontop?
But from that diagram you posted, surely those two subnets should be on the same network?
I've only ever deployed ipsec as L2TP/ipsec
might want to ask the other guys like @hollow marlin. They are a bit more familiar with this stuff
this is how ppl made it before between pfsense and usg, I've copied other ppl's config and just changed the IP address to suit my network
for example heres one ive copied: https://devopstales.github.io/linux/pfsense-usg/
poorly documented :/
I'm using IKEv1 cause another config used it (I've also tried v2)
yeah i know
also watched this guy: https://www.youtube.com/watch?v=1M6R8cnml-c
I stay far away from youtube tutorials
my config is a Frankenstein between those, hehe
They often gloss over details
well, he described more than the first link ;)
welp, I think you'll have to wait for someone else with a bit more experience on this
yeah, thanks anyway bro :)
I'm a bit of a single-vendor idiot, and beyond the basics, I dont know much about those other brands
mh
See, for mikrotik most of this is well documented xD
ipsec profile, proposal, peer and identity
and then a policy for encryption
These kinds of things are probably the same on other vendors
Hey.. I'm new and I want to ask.. I want to open a port for my web.. and I'm not sure if I have to pay something to the operator... Any help?
@dull mirage if you have your own public IP, then you should be able to just configure your router
could also be a port on a server
so if I don't have a public IP I can't port forward?
@dull mirage some internet service providers hand out shared IP addresses
Best way to verify if this is the case
is by looking at the public IP (WAN) that your router reports
eh
and comparing that against https://www.google.com/search?q=whatsmyip
Im confused now
@dull mirage do you know how to configure your router?
yes.. But my english is super sketchy.. And i hardly understand
There should be an option somewhere that says "WAN" or "Internet"
It should have an associated IP address
okay
and that's how I will know if I can port forward?
@dull mirage that's the only pre-requisite yeah.
@dull mirage Port forwarding itself is relatively easy, its just a rule you configure
But that only works, if you aren't on a shared network.
Which you can verify by looking at what Public IP your router has on its WAN
so if I don't have a public IP I can't do anything basically
@dull mirage do you have the router page in front of you?
not yet.
Just take a screenshot and send it, I can have a look
here or?
sure
@dull mirage now what does https://www.google.com/search?q=whatsmyip report?
Does the IP that this page gives you ^ match with the IP that you blanked out in the screenshot
yes it matched
?
@dull mirage if the WAN IP and your reported public IP are not the same
it means your ISP uses some kind of NAT
ok
oh..
@dull mirage your router makes use of NAT too
port forwarding is NAT.
It translates packets to your public IP to be forwarded to your LAN
Network Address Translation
if you for example hosted a minecraft server on your local PC
and wanted to port forward
you tell your router to forward traffic from your WAN (on port 25565) to your LAN IP of your PC
@dull mirage as an example: https://i.imgur.com/pEOCc68.png
god I hate explaining NAT
cant we just all use v6 already.
Basically you can't go ask your ISP to go set up Port Forwarding on their big ass LAN
@plain siren lol but what if you could ? :D
Lol
UPnP/CG-NAT
EZ way to explain it: we got 1 Window, but I have the best Painting, you have the best Sculpture, and he has the best Picture. We all share the Window, we all share the Public IP. I took the Painting, you took the Sculpture, he took the Picture.
I'm trying my gre again wish me luck
Same result as last time
It's possible with CG-NAT. It can be configured in multiple ways, one is each inside IP can be assigned an outside port range, example, 100.64.0.1 ports 20000-21000, and if they are willing to, they can forward the block inbound.
Impossible, no, but extremely unlikely to do that outside some high profile customers
@hollow marlin I dont think a NATting comcast-knockoff ISP will even take the time for such a request
static DST-NAT across their CG-NAT sounds... like a security and configuration hole
Anyone knows how to configure gre tunnel from pfsense to mikrotik?
I fixed the pfsense ping block to the default gateway of the server.
@lean pebble why you need GRE?
isnt there another protocol that is maybe slightly less cisco-ey
I already had gre tunnel that worked long time ago with my fortigate just playing with it for learning.
I don't mind learning different protocols
I fixed the ping issue I had last time from pfsense to his default gw
I mean GRE is pretty simple so just setting up a GRE tunnel shouldn't be problematic at all
It is for some reason
Can't surf the net when connecting to it and can't ping my router on both IPs the gre internal IP and my main network internet ip
Are you setting your GRE Tunnel as Default Route?
If you are trying to ping your own WAN IP from Inside your own LAN, sometimes it wont route
If you set your tunnel as def route, then it makes sense you cant do anything when its connecting (but not)
Major company: "Our Fortinet VPN is not coming up this morning, we are seeing packets go over the tunnel and fail on return, can you do a PCAP to see for any loss on IPsec traffic"
Sure, let me capture your lost packets in a tunnel you are reporting down but sending traffic over
@hollow marlin Just capture them in the air!
well you are expected to fly your ass over to the IX and do it from there, in their minds
I'm using the same configuration as last time. @tender hazel helped me configure the mtik side and I just reconfigured my centos 7 gre tunnel.
I have gre tunnel on mtik that pointing to my external IP and local IP and remote IP as my server IP address then I added mangle rule and IP in the addresses list that setting up my internal IP address that I have on my gre tunnel side.
Is NAT setup in the VM? It will have to have a rule for your subnet/zone to make it to the internet
Yap
The vm configured correctly something in mtik not working properly with my tunnel
do a tcpdump on the VM to see what traffic is being received.
Erina can you describe the setup a bit more - I know it is more complicated because you have your mikrotik with a GRE tunnel to a VPS and then you also have a pfsense somewhere but I don't know where
and you are policy routing and doing double NAT on the MikroTik and the VPS
what ports do i have to forward for a wireguard server on ddwrt
Nah pfsense it's just testing bench for different gre tunnel
I tested it to see if I get the same issue as I have with the vps
Do you remember my setup?
I can access my vps internal gre IP address from my pc but not to the router internal IP address (main gw, gre internal IP)
Pfsense now disabled
I don't completely remember your setup no, I do not recall the way the pfsense is connected, where it is
Ignore pfsense
I just used it to test gre tunnel between pfsense in my cloud service and my mtik and got the same result
That I can't ping gre internal router ip while connecting to the gre tunnel
And can't surf
I did the gre tunnel as pfsense guide told to do
can you clarify exactly you can't ping from where - you can't ping the IP that is on the gre interface on the mikrotik from your desktop that is going through the VPS?
Vps internal IP 10.70.3.1 and router gre internal IP 10.70.3.2
I can ping from my pc and my router to 10.70.3.1 but can't ping from my pc 10.70.3.2 while connecting to the tunnel
And can't surf the net or ping my 10.0.20.1 (router DHCP gw IP)
My other pc can ping both while not going through the gre tunnel
you probably need to add 10.70.3.2 to the gre exception address list we made
as well as 10.0.20.1
Ya but then still can't browse the net
what's changed - you could browse the net before, yes?
you wanted that system to go through the gre to get on the internet
right and we had it working, so what changed?
Nothing I guess.
It stopped working
We made it work but it was ultra slow
Can we try to do it the other way you suggested?
the slow performance was due to MTU issues
Instead with the policy
I made it 1400
Both sides
For testing
you might also need to do tcp mss clamping.. on mikrotik it is turned on by default for GRE tunnels I think
but I'm not sure if it is on by default on your VPS
when you pay for wifi do you pay for just speed or is it like cellular plans where you have to pay for a certain amount of data at a certain speed? I'm in the US by the way
it is probably in the gre tunnel config, or might need to make an iptables rule or something.. I'm not sure how you do it in linux
BTW if I want to do it from pfsense how do I do that ?
Gre tunnel working but can't surf too
I haven't used pfsense before
does anyone know why my ethernet is plugged into my computer says it is plugged but the internet will not work on it?
Maybe your Router has settings that have to allow for your device to have Internet first
Yeah, some Routers make Profiles for every device
no they don't
do you get an IP address
Ah you mean like WAN<>LOCAL Firewall BS?
type ipconfig /all in windows cmd
@peak cloak
I dont know If it is called that way
it gives me an message saying no valid ip config
in cmd?
ok
mmmmm AIO Routers
so looks like no DHCP?
AIO?
ahh, yeah
Thats what I like to call them
never heard that
A nice WiFi Toaster
@peak cloak sorry idk which statements were directed at me
I once saw someone else had it run out of space
restart your router
We're back to square one
155ms to the internal router gre IP
dhcp service probably crashed
I have before multiple times
huh
its a long term issue for months
I bet I know whats up
no one has been able to help
Whats the ping between you and the other end of that GRE tunnel without all the GRE
70ms
*2
155
You go there and come back
You are making round trip your Routing Table is yoinked
yes, she must have removed something from her policy routing exception address list
I was guessing 73 on the ping
Kinda salt
Lets see the whole config, both sides, all at once now.
Now 1ms but the browsing slow af
I forgot I changed the internal IPs
Inb4 the loopback put one of the connections into a blocking state and its having to route around it making it slow
MTU 1400
I just start assuming worst case whack scenario at this point
you need to do ping tests
to see what MTU you can actually pass
ping tests to something on the internet from your desktop, with various packet sizes
Ping to 10.70.4.1 stable and ok vps
Router internal 10.70.4.2 1ms after adding the exception
Actually, Question:
Is it DNS thats slow for you, or is it actual IP Transit
By my ISP max 1490
Try to upload something to Google Drive.
Taking 15 minutes to refresh the page of whatismyipaddress
While connecting to the gre
open cmd and tell me the output of nslookup google.com (The response server, not Googles DNS Entry itself)
Straight away I get answer I'm using 1.1.1.1
@plain siren we troubleshot this before, and she reported great speeds on a speed test, but every webpage taking 10-15 minutes to load
that's why I suspected MTU issues
if you start dropping HTTPS packets due to MTU issue then web pages will not properly load
My MOM and DAD thought that ETHERNET CABLE send off WIRELESS SIGNAL
She is doing gre over pppoe
So it gets more complicated
More places things can be going wrong
Oh trust me I get that. But I always like to work from the top
@lean pebble Can you just humor me anyways here
Yeah
mss clamping is enabled on the mikrotik side I believe, but she doesn't know how to do mss clamping on the linux vps and neither do I
iptables
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
yeah I figured something in iptables
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu < this calculates
obviously the top is "I know what I want" option
https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.mtu-mss.html
"Circumventing Path MTU Discovery issues with MSS Clamping (for ADSL, cable, PPPoE & PPtP users)"
Ayyy
and the MTU on both sides of the gre tunnel config should match, make sure you don't have a higher MTU on one side than the other
Do I need to something here or just copy and paste?
dis
:\
show your gre config on the mikrotik side
Yeah Im really gonna need a good like... Everything listed here
Interface or the firewall rules
interface, but you might as well show both so that routing knows what is happening
Both interface and firewall or both sides ?
yes.
I'm confused with your answer
When you give a X or Y question and someone says "yes"
They are saying "I want X AND Y"
you can export the config instead.. /ip firewall mangle export /ip firewall nat export and /interface gre export, it will be smaller
Actually
Enable yes to dont fragment and give it a shot
there's also config in the general tab that isn't shown in those screenshots above
Queue for the Interface would be nice too
The GRE config on the VPS would be good to see as well.. I imagine the issue is on that side actually
I did some digging and it turns out there is a bit of a long going issue with these Tiks
GRE with IPSec, PPPoE, whatever seems to have a tendency to have some logic failures
I think its an MTU issues + Queue Issue
But I think the Tik isnt doing what it should with the MTU Clamps
And We need to drop those about 8 more anyways
The Tiks are great for their build quality alone, the software/config options are nice too
But sometimes.... I think some cleaning up can be done
It feels like the same way Ubi went with the whole Polished look, these guys are balls to the walls aiming for that "Most detailed possible output"
Theres value in having these things "think" for themselves a bit and fill in the obvious at least
Hey guys. I am trying to use Unbound DNS on a spare raspberry pi I have for network wide, local authoritative DNS access. I have some idea of what I am doing... But sadly, doesn't seem to be working. Everything on the net seems to have you install Pihole as well, which does work fine because I use that on a Pi4 as my primary DNS in the network. I wanted to setup a backup DNS with this spare device. Anyone know where to find this info? Or be able to guide me through it?
lol
I've almost made that typo like 5 times in the past
Agreed and what I was asking him to show last round. Without the VPS config it's a shot in the dark
So you want your authoritative DNS to be made of something fit for just that and you can have the feature-types down the line
What you are looking for is Zone Delegation. You have an idea of what you want but theres more to it
I have a Pi4 setup with Pihole+Unbound (authoritative) already, I want to use just Unbound on a second Pi3 device as a backup, network wide authoritative DNS in case the primary ever has to go offline, to limit net access downtime
Does it have to be authoritative also
I would prefer it to be
I can setup two DNS servers in my router, so I was going to try and make it easy and just have them not talk to each other and just be used interchangeably by the main router
I believe it's just a proxy. I use Pihole as the adblocker DNS, which queries Unbound on itself as the upstream DNS. Works great.
And the Pihole address is the sole DNS in my router
I just want to add the second pi device running unbound as the second DNS address in my router so if the primary has to go offline, it's not without a DNS server
but I can't seem to get Unbound on the second device configured properly to do that
lets say you got ns1 and ns2, ofc we need to put them in the root zone's NS entries (As Authoritative)
dig +short NS google.com as an example. Between the 2 unbound servers, they should be allowed to forward their zones between each other. So if one doesn't come back, then the other will in the NS lookup.
something something round robin
That's truly way over my head. I sorta understand it but not entirely.
I'm not looking for them to be able to query each other, if that's what that means.
```
ns1.sub.example.com. IN A    172.16.1.20
ns1.sub.example.com. IN AAAA fd02:faea:f561:8fa0:1::20
ns2.sub.example.com. IN A    172.16.1.21
ns2.sub.example.com. IN AAAA fd02:faea:f561:8fa0:1::21
sub.example.com.     IN NS   ns1.sub.example.com.
sub.example.com.     IN NS   ns2.sub.example.com.
```
I am just looking to have 2 Unbound servers running on the network as redundancy to prevent loss of internet access by the rest of my network
without using an outside nameserver like Cloudflare
Look at the last 2 lines in that paste
2 NS records for the same subdomain pointing to 2 diff ns servers
Theres more
Each NS server has its own zone file
But the trick is
For the zone its server, it needs to return itself
not its friend
```
zone "sub.tld" {
    type master;
    file "...";
};
```
on each NS Server
Well that would be great but I can't get Unbound to operate on the second Pi device..
Which is what I need help with first
I thought that I did by saying it wasn't working lol
It's just not seemingly working. I found an unbound.conf setup that I thought would work, and it gave me an error when I tried to restart Unbound. Let me see if I can find it lol
this is the guide I was using
I do have to ask, why even have a PiHole?
when I put in the conf settings, and restart unbound I get this error:
```
pi@192.168.1.25:~$ systemctl status unbound.service
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2021-04-06 01:42:32 BST; 4s ago
     Docs: man:unbound(8)
  Process: 25479 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 25492 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Process: 25522 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
 Main PID: 25522 (code=exited, status=1/FAILURE)
Apr 06 01:42:32 raspberrypi systemd[1]: unbound.service: Service RestartSec=100ms expired, scheduling restart.
Apr 06 01:42:32 raspberrypi systemd[1]: unbound.service: Scheduled restart job, restart counter is at 5.
Apr 06 01:42:32 raspberrypi systemd[1]: Stopped Unbound DNS server.
Apr 06 01:42:32 raspberrypi systemd[1]: unbound.service: Start request repeated too quickly.
Apr 06 01:42:32 raspberrypi systemd[1]: unbound.service: Failed with result 'exit-code'.
Apr 06 01:42:32 raspberrypi systemd[1]: Failed to start Unbound DNS server.
```
I like network wide adblocking as well as blocking other things without needing a ton of software on every device.
Or devices I can't install anti-ads or anti-tracking software on, like my Echo Show
I mean like... why not use the Unbound server
Because the UI in Pihole is easier for me
It can pull from lists so I don't have to curate and add them all manually myself
pi@192.168.1.25:~$ cat /var/log/unbound | nc termbind 9999
cat: /var/log/unbound: No such file or directory
nc: getaddrinfo for host "termbind" port 9999: Name or service not known
sorry termbin.com, I corrected
cat: /var/log/unbound: No such file or directory
nc: getaddrinfo for host "termbind.com" port 9999: Name or service not known
https://github.com/firehol/blocklist-ipsets < check this out btw
Its literally all the lists shoved into an automagically updating git repo
its doing this because unbound is not running
because it exited with the error i posted above
yes I did both and they return that error because Unbound isn't running, because when I made the conf file, there must be something wrong with it and it won't start
hold on i will try again then
5.39.93.71
this is all that came back
pi@192.168.1.25:~$ cat /var/log/unbound | nc termbin.com 9999
cat: /var/log/unbound: No such file or directory
did you directly copy paste the config file
yes but I took out the adblocking portions
Was it while you were in windows... SSH'd or some file transfer?
Pasted into terminal or did you move a config file over
pasted into the terminal
Hmm not that
but I made the adjustments needed to make it look like the config in the web page
I was worried about line endings
cat /your/unbound/conf | nc 5.39.93.71 9999
there is something it doesn't like about it
same thing happened
pi@192.168.1.25:~$ cat /your/unbound/conf | nc 5.39.93.71 9999
cat: /your/unbound/conf: No such file or directory
cmd... "your" "unbound" "conf"
unbound-checkconf
pi@192.168.1.25:~$ unbound-checkconf
bash: unbound-checkconf: command not found
uwhat
sudo unbound-checkconf
pi@192.168.1.25:~$ sudo unbound-checkconf
/var/unbound/etc/root.hints: No such file or directory
[1617670790] unbound-checkconf[18368:0] fatal error: file with root-hints: "/var/unbound/etc/root.hints" does not exist
I see now.
Standby
Yes. I have my Pi4 setup that way
I just want a strict unbound only server as a pure DNS backup
Okay so why isn't root hints installed into /var/lib/unbound like it was on my other pi device?
I do have dns-root-data installed
and it lists root.hints
can unbound use a symlink to the root.hints file? so I don't have to manually copy it every 6 months?
rsync
https://github.com/cbuijs/unbound-dns-filter Found it! Its the ad blocker that has karma. It knows what to focus on and you dont ever set any lists
https://github.com/cbuijs/accomplist < Based on this source listing which has aallllllllll the lists.
I prefer Pihole. It has per device settings and groups, very powerful.
Also, fixed my conf file. So now to test
Thats true, but you can reduce downstream load if you are load balancing already
Pre Filters
Honestly, I have the Pi4. The impact on the system is basically zero lol
I was more happy I found the thing again tbh ¯\_(ツ)_/¯
Mainly because the anti-bot lists for servers, I need to reapply that shit
Okay, how can I test that Unbound is working properly on this device?
without triggering the Pihole or the other Unbound ns?
nslookup google.com pi2.home.local
Says couldn't get address for pi2.home.local
I'm not sure if I was supposed to change anything and if so to what
if I do just nslookup google.com then I am returned this
pi@192.168.1.25:~$ nslookup google.com
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: google.com
Address: 172.217.1.46
Name: google.com
Address: 2607:f8b0:4009:813::200e
the second pi's ip
pi@192.168.1.25:~$ nslookup google.com 127.0.0.1
;; connection timed out; no servers could be reached
nslookup google.com 192.168.1.25
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.25
that was from windows terminal
always sudo unbound-checkconf before start. check the status of the service
pi@192.168.1.25:~$ sudo unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

0.0.0.0 should mean that it should be accepting queries from any outside client, yes?
yes

You know...
I forgot why I liked BIND's elegance so much.
This requires more reading than I like
lmao I do apologize haha
its all good
Its been a while since I used Unbound personally
I know I'm missing something too
I wonder if it has to do with the strict DNSSEC Enforcement and private-address assignments on this
nah
is the root.keys valid?
Should be, it gets installed with unbound via apt
and my other pi is using the same one and it seems to work fine
let me copy paste over my pi4's config and just change the interface and port and see what happens
OKAY
progress
pi@192.168.1.25:~$ nslookup google.com 192.168.1.25
Server: 192.168.1.25
Address: 192.168.1.25#53
** server can't find google.com: REFUSED
that's after copy/pasting my pihole's config to the other one, and setting 0.0.0.0 and port 53
okay I think I got it
added this to the config:
```
# control which client ips are allowed to make (recursive) queries to this server. Specify classless netblocks with /size and
# action. By default everything is refused, except for localhost. Choose deny (drop message), refuse (polite error reply), allow
# (recursive ok), allow_snoop (recursive and nonrecursive ok)
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
```
pi@192.168.1.25:~$ nslookup google.com 192.168.1.25
Server: 192.168.1.25
Address: 192.168.1.25#53
Non-authoritative answer:
Name: google.com
Address: 172.217.10.238
Name: google.com
Address: 2607:f8b0:4006:813::200e
nslookup google.com 192.168.1.25
Server: UnKnown
Address: 192.168.1.25
Non-authoritative answer:
Name: google.com
Addresses: 2607:f8b0:4006:813::200e
172.217.10.238
from windows terminal
i think it's working now
okay looks like everything is working fine now
dude thank you so much for the help
np, njoy
Okay so now that I have the IPs of both my Pihole server and my second unbound server in my router, none of my devices are releasing the old 1.1.1.1 address from being obtained automatically, how can I force them to pull the new DNS addresses from the router?
you mean clear the clients cache?
I did ipconfig /flushdns on the windows machine and it's still using 192.168.1.15 (my pihole) and 1.1.1.1, which should be replaced with 192.168.1.25 now for the new unbound device
wait
my router is telling me that the config is wrong now
You do have DNSSEC which means the zones are supposed to be signed
and I'm pretty sure there is no Central Auth in play right now that would allow shared sig
Would they even allow each other to talk after getting the RR of one
Well I don't really need them to talk to each other
I just want the router to use either of them should one of them fail
Well I mean, if I see one as authoritative already and I see another unknown trying to do the same, I would ignore it
So what is the proper way to get them to both run at the same time and have the router switch between one or the other should one of them go offline for whatever reason?
Question is, are you using them as DNS Proxies or as actual DNS Servers in this environment
actual DNS servers
Whats your domain
I have no idea.
.
