#networking
what.
Oh dear my messages got deleted
Yeaa exactly
true
I'd think, or thought, 60GHz is point to point
so it is point to point
heh 5G Mmwave also died that fast
thru a glass door? dead
needs clear sight
60ghz is being done PtMP with beamforming
BeamForming™
we are shipping 60ghz PtMP to a rural school for this purpose
they have 8 housing units for the teachers, all in a row a short distance from the school
60ghz AP on the school and CPEs on each housing unit
gives them internet through the school's connection
ok so
zerotier isnt working
I found a few tutorials
tutorial shows two ip things and one is the main host thing
But I only have one
fixed!
never mind
broken
I can connect but friend cant
My internal Realtek gigabit NIC or Intel gigabit PCIe x1 card: which will get the most performance while taking the least resources from the CPU and such?
any ways to run tests and compare?
I am getting this error in filezilla:
Status: Connecting to X.X.X.X:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: LIST
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
@clear igloo on demand VPN is a success
Nice!
Yah, and your local ISP back home right?
yeah
Cool, so that's pretty good latency then
Should be able to
The VPN isn't slow.....the rate limit is harsh
5Mbps both ways
the internet is pretty ok latency wise but throughput is in the shitter
Anyone have any clue on how to get vyos to generate a link-local v6 address on wireguard interfaces
or do I need to set those up manually
@peak cloak does it have a similar command set family inet6
no, I looked it up and apparently it looks for a mac address before setting up a link-local address which makes sense, but I can't find a way to set a mac address on a wg interface
so I set it manually
but now I can't ping the other side of the tunnel, since it gives me no route however show ipv6 fe80::ade0 shows routes
I even set a static route
but it shows lo as best route 
When you ping you must specify the outgoing interface
That applies to all OSes as with link local, all interfaces share the same route so it needs to know which interface
yes I did that and still no
although I figured it out
in the wireguard interface config I did not add ::/0 to allowed-ips
That's right, VyOS is more FW style config
that's just a standard wireguard setting anywhere
Eh, I find it has elements of some routers/switches to its config too
Especially the "configure" to enter config mode out of operational
Then the whole set service/device/tool specific-target config-for-target-to-change value format
anything special I need to setup on vyos for ipv6 configuration
BGP router identifier 172.23.84.33, local AS number 4242422810 vrf-id 0
BGP table version 1
RIB entries 1, using 184 bytes of memory
Peers 1, using 20 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
fe80::ade0 4 4242423914 0 0 0 0 0 never Active
Total number of neighbors 1
I can ping fe80::ade0
what confuses me is no messages sent
which I suspect I messed up somewhere
address-family {
    ipv6-unicast {
        route-map {
            export DN42-ROA
            import DN42-ROA
        }
    }
}
ebgp-multihop 20
remote-as 4242423914
}
@hollow marlin ebgp 20. Yikes
¯\_(ツ)_/¯
that's what the tutorial said
I have like very little clue what I'm doing
You shouldn't need that command at all. But it's not going to hurt anything
How come you didn't configure the other neighbor
wdym
Go to fe80::ade0 and configure that side
oh, that's the peers side
I have no control over that
this is on a network called dn42
this is the peer
almost everything is over some sort of vpn protocol
I got ipv4 to work just fine
now I'm doing v6
I'm on mobile. Paste the ASN so I can copy it and look at that website
my asn?
Yes
4242422810
Ty
Nm it wants me to login as you
yeah that's for setting up the peering
Yeah, it appears to be a weird mix of Junos/IOS XR
This is exactly my thoughts.
Honestly, I love it. VyOS has always been a special piece of my attention since it was called "Vyatta"
I would love to make a setup out of my own hardware from Gateway, to Router, to Switch one day
Under the neighbor, is there a local-interface command?
@hollow marlin I only use globals for peerings usually
yep, it's interface and I think I found the problem
🤦
I don't ever think ive seen LL peerings in the real world
idk, that's the preferred method apparently on the network
I forget if that was an L3VPN or internet policy
Even through my studies its really only shown during introducing v6 into the network or 6PE
What was the issue?
well it's not resolved yet, but there is an option interface was v6only Enable BGP with v6 link-local only
now instead of ACTIVE it's showing IDLE
still no message sent
You'll probably be seeing it cycle between idle/active. If not then config is not setup correctly.
Whats the show ipv6 bgp neighbor show?
Internet Policy, i recently ran into this
there's no such command, but if you want the general overview show ip bgp summary
IPv4 Unicast Summary:
BGP router identifier 172.23.84.33, local AS number 4242422810 vrf-id 0
BGP table version 105476
RIB entries 1044, using 188 KiB of memory
Peers 5, using 102 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
fe80::ade0 4 4242423914 0 0 0 0 0 never Idle
172.20.16.139 4 4242421588 61390 42662 0 0 0 1d06h08m 469
172.20.53.98 4 4242423914 119062 68416 0 0 0 1d06h07m 541
172.20.229.123 4 4242421080 0 1212 0 0 0 never Active
fe80::ade0 4 4242423914 0 0 0 0 0 never Active
Total number of neighbors 5
wait
why are there 2
hmm
Thats showing v6 peers advertising v4 routes. Use show ipv6 bgp summary/neighbor instead
ah
BGP router identifier 172.23.84.33, local AS number 4242422810 vrf-id 0
BGP table version 1
RIB entries 1, using 184 bytes of memory
Peers 1, using 20 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
fe80::ade0 4 4242423914 0 0 0 0 0 never Active
Total number of neighbors 1
could it be the router id?
idk
do show ipv6 bgp neighbor fe80::ade0
BGP version 4, remote router ID 0.0.0.0, local router ID 172.23.84.33
BGP state = Active
Last read 00:53:03, Last write never
Hold time is 180, keepalive interval is 60 seconds
Message statistics:
Inq depth is 0
Outq depth is 0
Sent Rcvd
Opens: 0 0
Notifications: 0 0
Updates: 0 0
Keepalives: 0 0
Route Refresh: 0 0
Capability: 0 0
Total: 0 0
Minimum time between advertisement runs is 0 seconds
For address family: IPv4 Unicast
Not part of any update group
Community attribute sent to this neighbor(all)
0 accepted prefixes
For address family: IPv6 Unicast
Not part of any update group
Community attribute sent to this neighbor(all)
Inbound path policy configured
Outbound path policy configured
Route map for incoming advertisements is *DN42-ROA
Route map for outgoing advertisements is *DN42-ROA
0 accepted prefixes
Connections established 0; dropped 0
Last reset 00:53:03, Waiting for peer OPEN
External BGP neighbor may be up to 20 hops away.
BGP Connect Retry Timer in Seconds: 120
Next connect timer due in 88 seconds
Read thread: off Write thread: off FD used: -1
Whats the entire BGP config?
address-family {
    ipv4-unicast {
        network 172.23.84.32/27 {
        }
    }
    ipv6-unicast {
        network fdc1:e70f:34b0::/48 {
        }
    }
}
neighbor 172.20.16.139 {
    address-family {
        ipv4-unicast {
            route-map {
                export DN42-ROA
                import DN42-ROA
            }
            soft-reconfiguration {
                inbound
            }
        }
    }
    ebgp-multihop 20
    remote-as 4242421588
}
neighbor 172.20.53.98 {
    address-family {
        ipv4-unicast {
            route-map {
                export DN42-ROA
                import DN42-ROA
            }
            soft-reconfiguration {
                inbound
            }
        }
    }
    ebgp-multihop 20
    remote-as 4242423914
}
neighbor 172.20.229.123 {
    address-family {
        ipv4-unicast {
            route-map {
                export DN42-ROA
                import DN42-ROA
            }
        }
    }
    ebgp-multihop 20
    remote-as 4242421080
}
neighbor fe80::ade0 {
    address-family {
        ipv6-unicast {
            route-map {
                export DN42-ROA
                import DN42-ROA
            }
        }
    }
    ebgp-multihop 20
    interface {
        remote-as 4242423914
        v6only {
            remote-as 4242423914
        }
    }
    remote-as 4242423914
}
parameters {
    router-id 172.23.84.33
}
}
Interface is not setting an interface
that's what I thought was well
but I can't. unless I'm doing it wrong
set protocols bgp 4242422810 neighbor fe80::ade0 interface wg92
that fails
says not valid
Yeah that is not the same, thats just interface level configs
Either it has a source-address or local-interface config. What options are there after set protocols bgp 4242422810 neighbor fe80::ade0
> address-family
Parameters relating to IPv4 or IPv6 routes
advertisement-interval
Minimum interval for sending routing updates
> bfd Enable Bidirectional Forwarding Detection (BFD) support
> capability Advertise capabilities to this neighbor
description Description for this neighbor
disable-capability-negotiation
Disable capability negotiation with this neighbor
disable-connected-check
Disable check to see if EBGP peer's address is a connected route
> disable-send-community
Disable sending community attributes to this neighbor (IPv4)
ebgp-multihop
Allow this EBGP neighbor to not be on a directly connected network
> interface interface parameters
+> local-as Local AS number
override-capability
Ignore capability negotiation with specified neighbor
passive Do not initiate a session with this neighbor
password BGP MD5 password
peer-group IPv4 peer group for this peer
port Neighbor's BGP port
remote-as Neighbor BGP AS number [REQUIRED]
shutdown Administratively shut down neighbor
strict-capability-match
Enable strict capability negotiation
> timers Neighbor timers
> ttl-security Ttl security mechanism for this BGP peer
update-source
Source IP of routing updates
what options are after update-source
<x.x.x.x> IP address of route source
<interface> Interface as route source
use the WG interface there
So set protocols bgp 4242422810 neighbor fe80::ade0 update-source wg92
yep
did that
nothing different
I'll try resetting bgp like last time
still nothing
Remove the interface and multihop commands
when I remove ebgp-multihop, I get Error configuring routing subsystem.
Delete the neighbor and re add it without those. Multihop and link local conflict
nothing
I'll try updating
I feel like this may be a bug
Let me toss it in my lab and see if I get the same thing
great and now I can't ssh into it
from my pc
weird
but I can from router
ok, after reboot some stuff got messed up
fun
I'll have a go at it tomorrow
either I messed something up the way I updated, or this is why vyos isn't used much at ISPs
I have a ISP Modem+Router 2-in-1 (which I consider trash). It used to frequently drop my devices even when working right next to it. All the devices used to get disconnected at the same time for about a min. There was a big issue with the 2.4GHz connection. I have a plan of 200mbps but on 2.4G band, I only used to get about 20-30 at the most 50mbps. The 5GHz band worked flawlessly other than the obvious shorter range. This was really for WorkFromHome. So I disabled both the wireless bands on the ISP Modem+Router and attached my ASUS router as an access point as it was just lying around. The range and strength improved slightly but the same issues still prevailed. I used to get disconnected on devices and 2.4G band was still weird and sus.
Now I have an option of making selective LAN ports on the ISP device run in "bridge" mode rather than "route" mode. From what I know, I will have to put my ASUS router back into Router mode and connect the LAN to the WAN (rather than LAN to LAN) for this, and this may probably solve any issues arising from a double NAT situation.
What is wrong with my WiFi?
could be your microwave - anything that causes or amplifies radio waves can cause interference for wi-fi. that is why ethernet is much better.
could also be your neighbor turning on an ancient TV.
make sure you are only using a 20mhz channel size on your 2.4ghz and not 40mhz
I call these "AIOs"
All in ones
yeah, you really wanna use Bridge mode on your ISPs AIO, and then have Router + WiFi AP Function handled elsewhere tho
could be
idk i gotta check which one i am using
default is probably 40MHz
oh
Alright, I'll try that
it is a stupid default that only makes sense if you live in the middle of nowhere not near any other 2.4ghz sources
that assumption is also true for wireless range described on wifi router boxes
any guys here with some best practices with pfsense and unifi integrations (on home lvl)
Well, you would configure the PfSense Router/FW as you normally would tbh
There isnt much different that needs to happen.
Was just looking out for some stuff that I might've overlooked. Pfsense isn't the real issue here, it's moe or less the clients not picking the correct ap
Define picking the the correct AP.
You mean picking the closest one?
Basically yeah. Because when testing with different SSIDs, e.g. only placing SSID 1 on the AP on the first floor and connecting to that, it gives way better performance; when providing the SSID on both floors it still picked the one on the ground floor, thus weaker performance
Probably need more dbm tweaking
I have a homelab network inside my main home network and I am wanting to be able to communicate with devices on the homelab network. Is there a way to say 10.3.0.0/16 should be routed through 192.168.0.100 router (in Ubuntu), and how do I configure my VyOS router to allow this?
Or what is this called so I know what to google?
so, the static route is created on my ubuntu pc. Now I need to configure VyOS
hey boys, my messed up country is blocking social media to prevent cheating in national exams (yeah that's not a joke) and I need to access my instagram since that's what I work with, they're also blocking VPN entries, I can't seem to connect to any of them, does anyone know any sort of free remote thing to access that or any other solution pls?
Have you tried NordVPN obfuscated mode?
Can't even get to login screen with NordVPN either, can't connect to any VPN actually
I think this isn't possible since I am using NAT
You basically described what a pure router does
I just don't know how to configure it
I get how to get traffic from inside the homelab to external. It's just the opposite I need to work on
hmmm, I wanted to advise to use PFsense, but I just googled what VyOS was.
It should be possible with VyOS, but I have zero knowledge over its possibilities
Yes, I did that with my kubernetes network. What role is vyos playing in your setup
VyOS is the gateway between my home and homelab network
https://docs.vyos.io/en/latest/configuration/protocols/rip.html
This could be a first step
It's NATing?
Yes. Internal Homelab is using NAT
Ah, you don't need to do nat
Hold on, where do you have NAT?
It's currently getting an IP from my home network router using DHCP
Then assign 192.168.0.100/24 to your lan interface
Ah ok
So what you need to do, is just get rid of the masquerade rule
Will I still be able to use 10.3.0.0/16 for the homelab clients?
Ok wait what
Wouldn't that mean you have the IP assignment controlled by the Root router?
He has a cascaded LAN solution
So hes using an isolated LAN behind his root
No? I mean dhcp is still handed out by vyos
Just you gotta tell the main home router where the homelab network is
@cedar igloo what's the homelab network ip range?
I'm a bit confused
192.168.0.0/24
And fuck NAT
Yes FUCK NAT
That seems correct

And the "wan" ip of vyos?
192.168.0.100 at present (although it uses DHCP)
Yeahhh you can't really be using the same IP Range as your Home LAN if you have it cascaded
You gotta have a different ip range for homelab
I am getting myself confused. Sorry
Use something like 10.0.0.0/24
It would be something like 192.168.1.0/24 or 10.0.something.blah/24
Home Network: 192.168.0.0/24
HomeLab Network: 10.3.0.0/16
HomeLab WAN: 192.168.0.100 (handed by root router DHCP)
Ah
So in your main home router add a static route for 10.3.0.0/16, next-hop 192.168.0.100
And that's it
Get rid of the nat rule as well
Ok. I'll give it a go. Thank you all
Did someone say fuck NAT? NAT is the best.
Pumps shotgun
Get em bois.
Ok... So that kinda worked, except now I've lost homelab to external access (both internet and home network). However home to homelab is working
Hmm, dhcp should give the vyos router already a next-hop
show ip route 192.168.0.0/24
Nat rule is deleted right?
Yes
Just loading discord on my computer rather than phone. 1 sec
Known via "connected", distance 0, metric 0, best
Last update 00:06:14 ago
- directly connected, eth0
From VyOS, yes. From homelab client no
Hmm, on a homelab client do a traceroute to your main router
why does traceroute need installing on ubuntu... it's difficult to do that as I have no internet access
Oh it does, weird
What about pinging 1.1.1.1 from vyos
To check if it can ping the internet
It prob can
vyos to 1.1.1.1 works
I think thats what NAT was doing before
I think it's something in the config I forgot
Would it be possible for you to export the config
There's this export support option so it hides anything sensitive
You can press ? To see all available commands
ill just do this
you may notice the interface has changed to 0.12. I set it to static (and also changed the static route)
yes
gonna check my config
Thank you. That would be great
hmm, I think I never saved that config
But your thing should work
Unless I'm missing something
all I can think of is how does VyOS know which IP to use for external traffic. NAT took care of this before
Wdym
The source ip stays the same as the client device
With nat it changes
like what would my root router see as the source ip if it comes from the homelab
What's the default gateway for the client device
vyos
I think that command is ip route
Looks fine
thank you for your help. It's working now. all I needed to do was enable nat after adding the static routes as you said
although I am pretty sure what I have now is the same as when it wasn't working...
@peak cloak Also I tried VyOS in my lab last night and BGP link-local is bugged out, even on latest release. Also I had it in my lab but that was the first time I was really using it and holy shit it's buggy. I don't know how rolling releases are in production networks
Logs kept showing a bind socket error, it was trying to bind to just the LL, not LL%eth0. Looks like when they changed the config hierarchy they forgot legacy config that allowed it to work.
ah, thanks
from what I've seen a bit recommend bird
or Quagga
kinda sucks you gotta pay a subscription for vyos stable
you can build stable from source
yeah I guess
this guy uses BIRD 2
I guess I'll learn BIRD 2 then
seems better for bgp than vyos
Unless anyone has any other suggestions
will i stop getting ping spike if i get better wifi
it could but it could also be the game servers being terrible
are you the only 1 in the game with ping spikes and whats your current wifi?
describe "better wifi", better hardware? better package from ISP? or different ISP?
Either ways it's not going to be huge. You wouldn't see a 120ms ping, go down to 60 or something by doing any of the above ^
i have 10 mbps rn but ill upgrade to 500 mbps next week
Even with the cheapest crap hardware, you still usually get at least 5ms to the router or so.
yea speeds don't affect ping.
Speed can impact ping indirectly though by providing more throughput you have less chance for congestion with packet drops
If you're downloading while playing that's going to impact ping and latency
especially if you have things open in the background, that 10 can drop a lot
but online play by itself needs less than 1mbps in most cases
Yea sending just packets of say where a player is standing or so, same with shooter based and Minecraft etc...
If you have 10Mbps connection and you are utilizing whole of it the ping will get affected since ping is also a data packet.
traceroute is the best tool to figure out where the issue resides. either at your end or at the server end.
is it always best practice to use fqdn/hostname over ip when joining servers to any sort of cluster?
Yes, as the FQDN will mostly point to a 'distributor' (wrong term)
So that no server get overwhelmed
How do others connect to my filezilla server? Is it a port?
Port+IP and some NAT settings
Just the Ftp port 21? And internal ip from server device right?
Should i just make an URL and paste it into here?
I really hope you're not planning to host an FTP server on the internet
What else should i do in peder to make my friends connect the the device files through the internet?
Order*
Why do they need them to access them
Aren't you hosting a Arma server
Yea but my mates should be able to transfer mods and such from their pc's to the nerver
Server
You install everything
if you trust your friends, give them VPN access?
Honestly Id stick with VyOS, the extra BGP features are of little use in your case. Even with how f'ing buggy it was just testing it
Also when this comes out I am going to be testing it more
Hmm ok, how would I get around this issue then. I'm going to submit a bug report though
Sounds good, I didn't see any bug reports, just the query
But in reality, you shouldn't be peering via link-local unless the peer allows it. There are a ton of policies required to make that work as expected within their network, not worth the effort
The thing is most people prefer link-local for peering
I'll try setting up v6 with another peer that doesn't use link-local
Most do not prefer it, especially in the SP space. It might be with tunnel brokers
The most scalable design is IGP advertising loopbacks and iBGP peering to loopbacks. iBGP does not change the next-hop like eBGP does which breaks routing. Usually link-local peering for 6PE (routing v6 over IPv4)
btw, I think routeros 7 actually supports 6PE
they haven't announced it, but a bunch of UI things lead me to believe that
the advertise filters now allow you to enter v6 prefixes instead of only v4 prefixes
the IPv6 routing table has an "MPLS" tab, just like the v4 one
and MPLS-TE has a "Local address Ip6" field in addition to the "Local address Ip" field
I am going to hide in here for a while
Looking in general, why do people not google first
Like
Asking here is last resort
For me
Because word has gotten around, I am better than google since I can read.
Pure, unadulterated laziness.
Just get off discord
Like I realize how much time I waste
It's too much
The second Windows "11" drops and I have my chance to laugh, I will
the entry for IT jobs is literally being able to google better than others....or at all for that matter
My entire career has been that
That's a lot of different careers
Programming requires tons of Google, it's impossible to memorize every library
Networking I'm not sure of yet. Going through college again for it and only in second semester. So far it seems like once you know how everything works you should be good, aside from IOS commands.
I can say with straight confidence, you know the basics in networking, but after that, you still use google almost as much
For what though?
for everything
wrong. need to be senior now
there is so much to know you can't know everything
Honestly I was gonna try to give a good answer but yeah... thats right.
want a new networking career? better be senior already or located in Mumbai.
Subnet Calculators to how to configure docker with IPv6
you're going to run into weird problems where things that you would expect to work don't
That's true
people who don't know how to google waste a ton of time banging their heads against the wall trying random things
if you know how to look things up, you may find the answer on stackoverflow in 45 seconds or some other random site
If you want to learn how to use Google effectively just switch to Linux for a few months. You'll be using it all the time.
Linux has improved my google skills so much
the number of times that i have helped someone with an issue that they spent hours at and I found the answer in < 60 seconds is astonishing
Lmao
Change 60 to literally 3-8s
and hours to sometimes weeks
yeah, very often it is the first thing that comes up if you google it
I have people in my program now asking for help with things they supposedly spend 2 days on that I found answers for in 2 minutes. Then they think I'm some sort of magician.
Are you me?
@little schooner how many acrobat readers have you reinstalled
You're the go to guy too?
I made a whatapp group since my college is online due to covid and I kind of regret it
From literally how to replace a wall outlet and build a damn chair to omg my drivers are not working!
Man... That gets old
I like being helpful but there's a point where it's just too much.
It does help you learn too though since you're constantly recalling information
This is the only reason I do it constantly
It keeps me well informed of the issues that currently are relevant
Its actually only thanks to this discord I was able to do the 2+2 on the whole PCIe Boot Device not working (NVMe Drives) suddenly a few months ago for many people
After fixing a few, what was seemingly random instances, It became obvious what had happened
Microsoft pushed a Firmware capsule that required Secure Boot and UEFI for PCIe Boot Drives due to the fact they are direct links to the CPU and thanks to the Whole TB3 Security Fail with Intel, they realized they needed to secure the path
Unlike SATA Drives which are PCIe <> SATA Controller <> Drive, there is no "Firewall" like the SATA Controller
So if you changed the firmware on a PCIe Drive to have malicious code, you could have a perm ring 1 bot
I never heard about that at all but I don't use Windows. Interesting though nonetheless.
Windows has gotten.. man fuck me for saying this...
Almost there in terms of decent.
Their massive push to overhaul the entire framework and security along with featuresets and standards has made huge huge huge strides for the damn thing
Haha, I don't mind it to be honest, it's a fast, user friendly OS.
For the most part. I used it for years.
Linux on the other hand is a giant pain in the ass sometimes
speaking of windows, our sysadmin is probably going to be upset tomorrow that the tech bench linux system was replaced with windows yesterday
I really hope he doesn't complain to me about that all day, it is a huge waste of time for me
It was a whole ordeal to get PCIe passthrough working in KVM but now I have a windows VM with near native performance.
@tender hazel Why would he be mad?
we get our first level service desk (normally people who are pretty green and just do by the book troubleshooting) to configure customer CPE devices to go out in the field
I guess it's more work for him
he set up a linux desktop for that a few years ago
but the level 1's who are pretty green and not used to linux often say that it doesn't work and so they can't configure stuff
it's because other people are changing the VLAN configurations on it and other stuff like that
Oh it works, they don't work
and when you have someone who is totally green who walks up to it and someone else has changed the VLAN settings on it, they don't know how to get it back to normal
Netplan?
Are you talking about configuring the vlans in a .yaml then applying with netplan?
anyway we set up windows there instead because the service desk will be more comfortable with it
Yeah that's a better option
he's been trying to get us to move to open source stuff, like we use visio for all of our network drawings but he was trying to get people to try out libreoffice draw for that instead
I fucking hate LibreOffice
and we have so much going on right now, we are doing these fiber projects
Sorry for my language
the cost of visio is not that great
I don't want people to be spending a lot of time experimenting with libreoffice or whatever because it takes time away from other critical things that have to get done
I set up WinApps. It runs a VM in the background and leverages RDP so you can launch windows applications that launch as if they were native. Threw office on that
Click icon, it'll open the program and you'll never see the VM
he also wants to use linux for the field laptops but that can also be problematic, because there are certain windows apps that we rely on in the office that aren't necessarily easy to get going in WINE and it's only going to take a couple times where the tech in the field says "oh sorry, I can't run that, I'm on linux" that management is going to get upset
Yeah you don't want Linux on a field laptop.
The best option would be to dual boot them, then you get everything
the reason he wants them on the field laptops is because people aren't going to plug them in that often necessarily and so they might be behind on updates
his main concerns with windows are when it comes to patch management
Isnt there a domain set up?
yeah there is
but if they only use the laptop for field work and they go out into the field once every 3 months
Can't you use enforce a GP
and aside from that it is turned off
There should be a group policy for Windows updates
there is, but it doesn't help you if the system is powered off
or rarely plugged into the corporate network
Hey. I'm having trouble with my bluetooth audio. I recently got akg k361bt headphones. They work completely fine when on pc (wired and wireless) and also wired on phone but the audio in bluetooth mode on phone is way too low. I saw the option to change my bluetooth codec for that specific device to aac. However, it doesn't toggle on after I press "ok" on the risk warning pop up. I went into developer mode and changed some of the Bluetooth audio settings including the codec but they defaulted back once I exited the settings. Enabling "disable absolute volume" did nothing
Direct access
Its a feature that does Authentication, GPO updates, and any attempt to access internal URLs to automatically path over the VPN.
It holds the concept of a Machine and User authentication too.
So before login even, the machine authenticates for authentication to AD
Then the user after login which grants full access
It's a part of the windows server Direct Access Role/Feature.
It uses the Windows VPN Server
So if you got one, it's easy to push the other.
It also offers DNS64 and NAT64
Just make sure to have your IP scopes defined in the site configurations
I'll send the docs later.
(I've read wayyyyyy Too much of the MS docs at this point)
these docs? https://docs.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/directaccess
if those are the docs you were going to send I probably don't need any other info
Yes
thanks very much
@tender hazel Also you would want to most likely point the GPO at the corporate WSUS server, which is the Windows Update Server you can run. From there you can control releases, approve or deny for whatever case (breaking issues), roll back, etc, and point these updates at groups and even device types.
This would also allow you to report on the status of machines.
From that point patch management is covered
right we already have a WSUS server
it fixes everything except for these weird laptops that are only rarely connected correctly to the corporate network so they end up months behind on patches
but direct access takes care of that
I used to be quite up to date on windows server admin and used to be an MCSE, until around 2008 or so
after that point I started to work more on the ISP side
as a network engineer rather than a server admin
probably 700+, the patching schedule is set to run every 2 Fridays of the month.
I need to make a script that changes the default Adobe app in case the user has acrobat dc pro and reader installed side by side
common issue with that is user opens doc in wrong Adobe app that can't edit pdf document without reopening it again
at least 3 tickets for that
btw @plain siren I wound up typing a super long response to that guy who thought that his Unifi firewall was doing something really weird when it comes to routing
my response is the one at the bottom of page 1 that is as long as his initial question
I replied via the ubiquiti forums instead of reddit because I figured it was more likely he would see the response
and I was also really irritated that he was suggesting that Ubiquiti was doing something in some weird way that nobody else does, which is not the case
I don't really use Unifi myself where I can avoid it
but he thought the Ubiquiti behavior was wrong, based only upon the subset of devices that he has tested with, and it really isn't (as was already said before)
I responded more so that he wouldn't think that the iptables way of doing things was some backwards way that only Ubiquiti did and nobody else did
Iptables and the kernel net functions like bridge, vxlan, whatever it may be, is literally how... like everything Linux-based works.
It's literally like.... The net filter....
I...
Wuuuuuuuuuuuut
I know what sort of things he is talking about - our firewall at the office is Check Point
we had our FOB door access system set up on a public subnet, on a VLAN routed by the Check Point
we had a lot of problems with it where if it lost connection for any reason it would stop working and they would have to go to our office to fix it and charge us for a service call
so we added a rule on the check point to allow everything from everywhere to that VLAN
a month or two later we got an automated notice that we had BGP open to the internet on the check point IP on that VLAN, and it wasn't only BGP but the web admin interface and everything
and it was all because check point doesn't have the equivalent of the INPUT chain like in iptables
so that one incident made it really obvious as to the justification for a separate INPUT chain (or LOCAL chain or whatever you want to call it)
I feel like if people would take pen and paper and kinda draw the map they make with their rules, it would make WAAAAY more sense.
Honestly, that guy probably never set up anything but his homelab before.
yeah I think that guy has set up a limited number of firewalls before
and thinks he knows how everything normally works in all cases
I think it is more than just a homelab
but it is more that he is used to how device X works and here is device Y and it isn't the same and he doesn't like it because it isn't the same
but he is even misunderstanding the reasons why it isn't the same
Actually many of my policies are diagrammed for my own sanity. Especially focusing on specific chains where some of our configs contain almost 1000 policies
creating a diagram is really good, but if you misunderstand the way the system works, your diagram is not going to be accurate
Well in that situation the best is to hope nothing lines up as they're mapping it out and makes them wonder if they actually understand it
like for instance that guy assumes that no firewalls have such a thing as an INPUT or LOCAL chain that handles traffic to the firewall device itself, which is not correct.. and he thinks that Ubiquiti is some weird brand for having such a thing, which is also not correct
It doesn't help that many vendors don't actually call the chains by name but are just policies referencing zones, interfaces or routing-instances
yeah - that's something that Ubiquiti does with their Unifi firewall
they don't show you the original iptables chains, but instead show you the sub-chains that they jump to from the main chains
from the FORWARD chain they jump to IN-LAN or IN-WAN depending on the interface that it comes in
from the INPUT chain they jump to LOCAL-LAN or LOCAL-WAN depending on the interface it comes in on
it is already a tad confusing since they swapped FORWARD for IN and INPUT for LOCAL
and the similarity of IN and INPUT should have given them pause but did not
they don't give the ability to add rules to the original INPUT or FORWARD chains
only to the sub-chains they jump to from those, like IN-LAN, IN-WAN, LOCAL-LAN and LOCAL-WAN
Juniper is even less transparent. All policy based. It's based on BSD but I'm not sure if they are using iptables or their own
Anybody?
@hollow marlin I'm pretty sure all BSD based stuff uses pf by default, which doesn't have the equivalent of an INPUT chain
with pf, a single set of firewall rules handles both traffic destined to the firewall and traffic that is forwarded through the firewall
@thorn osprey bluetooth stuff isn't normally considered networking
even though it is wireless
your question would be better suited for one of the tech support chats, or audio-tech
a few of us in here are network engineers for ISPs but know basically squat about bluetooth audio
Oh ok
does someone here have experience with swag on unraid? I want to access my nextcloud instance over http/https via dyndns.
I've set everything up so far that I reach the swag page over the domain, but now I struggle to route that to my nextcloud instance.
can someone maybe help me?
god these lawsuits against speeds are so weird
Linus doing cnc machining now...
What the hell is with those comments. Some bringing race into it
welcome to the modern world
only thing left is race to cisco routers.
so lets just hide here and pray it doesnt happen
this is why I want social media deleted
at least give me twitter
there's a reason why I use no social media at all
Discord, YouTube, literally.
and other "private chatting" apps :P
but yes
i dislike that the people who represent us are on social media listening to the 0.1% and thinking the 99.9% like the ideas
:X
:/
where should he move instead?
The moon seems like a nice place
did you call moon a place? how dare you
you cant assume the moon
I'm planning on moving to the UK and getting a UK sim there, but I have all my two-step authentication messages on my current number. If I deactivate my cellular plan, will I still be able to receive these messages?
You probably won't be able to, no
Hmm. I remember back when I was like 8 years old, I didn't have a data plan and my parents bought something in bulk. Then I recall running out and being unable to call or message but I could still receive messages and calls
If you deactivate your plan you are releasing your number. I strongly suggest keeping it until you get a new SIM and account, eat the roaming charges and transfer all the accounts to the new number
What about those grocery store sim cards that have no plans?
Do they get released once you use up the data?
Or do they make you pay afterwards?
I think you are talking about pay as you go plans
I've always paid for monthly, not pay as you go, so I have no idea.. but I don't know why you are asking here, that is not really a networking question
muh google fi
Avaya is pretty good
As in, an actual phone solution?
or purely software?
need an actual phone
Allworx is an all-in-one VoIP communication platform that helps SMBs create a customized business phone system at an affordable price.
They're nice. And can forward calls to an app on a cell
remote office
the reason is that we got rid of a landline and now we realize it's actually sometimes useful, but not useful enough to pay 20 bucks a month to ISP
so basically we want a VOIP landline
We use Allworx. Handsets are robust and good construction. Been using them for years
You still need a SIP provider
yeah that's what we need
and actual provider
voip.ms looks pretty nice and cheap
just need a SIP to phone converter
I'm not familiar with them. Typically go with the ISP for SIP connectivity. You don't have to, but..
All on one bill
verizon is 20 additional dollars per month
too expensive
for something that we will use very little
but it's a good to have
Eh, it might suffice. I work in a physical office and often at home too. So I've got a physical handset in both locations. I do a lot of placing and receiving calls, forwarding, and conference calling. So, it's getting its use
Mitel is solid for HW too, probably have a handful no longer used. We have 10,000s out there. For a SIP gateway just get a Cisco SPA. Cheap and small
my internet has been super duper slow these past few days. I've hard reset the router, called my ISP more than once, they say nothing is wrong but I can't even load a snap on my phone, idk what's wrong
like not even a mbps down slow
hey is anyone active in here?
Tried speedtest, ping, traceroute tools?
Have anyone encountered this?
Hey guys, what do you think about Synology Nas for home and server backups?
Yeah. seems so. Need to explain this to the stupid vendor who always says "there's no problem on our side".
check the broadcast vs paused. xD
π€£
Sounds like my ISP.
Finally now I can say ISP they are not separated anymore for ISP and internet infrastructure
Fortunately, the vendor accepted that there is some crunch at his side. I am surprised. xD
Hey anyone that can help? My dad and I have a 1220E and a 1260E that refuse to request a new IP address from the 7590 (all fritzbox and all in a mesh network). The third 1260E did request a new ip
Everything is static
Because it's the wrong up
Up
Ip
Stupid autocorrect
Like, itβs 151 instead of the 56
That it should be
βOn next request it will changeβ
But weβve had them out of the plug for over an hour and still no change
Hello guys im having a headache with a LHG2 mikrotik antenna. I cant event connect to it using winbox. At this point im not sure if its even working. I tried resetting but the ritual seems weird and doesnt seem to have done anything... the ETH led is pulsating constantly and the Wireless led powers on for a slight on very long intervals. Need some help here cuzz ive never dealt with such networking device
a fuck that shit... now what
I'm sure I didn't hold it too long but...
RTFM ?
readthefmanual i get it ok
yeah I read the manual, and tried to keep it down for 5 seconds until the USR starts flashing
then immediately let go
uhhh its been like this for like 15 at least
perhaps I should do it again?
well not fast fast but pulsating
nvm it is flashing fast
Could the FTP protocol be used in place of ethernet if software allowed it? Such as using FTP to connect a modem to a router rather than using a standard ethernet cable?
oh so i shouldnt hold the reset when im powering it ? i guess thats where i went wrong
@tame carbon Could the FTP protocol be used in place of ethernet if software allowed it? Such as using FTP to connect a modem to a router rather than using a standard ethernet cable?
i see, ok imma try that again and leave it for some time - wish me luck
So that uhh, prevents it from doing what exactly?
ftp runs on tcp which runs on ip, which runs on ethernet protocol which runs on wifi or wires
Ohhh ok i gotcha, thank you. I'll look up the OSI Model as well.
One ISP in my country is starting to provide FTTR instead of GPON
You must understand the OSI before getting technical with the network.
Omg Crystal you deserve an award 
I usually keep the reset pressed and then power the device on. The usr starts blinking and I let it go. Sometimes you need to do it multiple times.
EM Waves*
wut!
photons are light man
This is the most responsive channel i swear, thanks fellas
huh. never heard like that lol. let me search.
uh yeah they are basically photons. lel.
5G caused Corona xD
So uhh what's a good resource for finding more out about the OSI model
layer 5+ idk about
ok just got back, it's still doing the same light blinking pattern so imma see what I can do to flash it
hands on experience
Layer 8 is cool
Try using Netinstall if you are unable to reset the device.
@frigid pine ok imma see what i can find in google about this
TCP model: WHAAAAAT!
I'm not sure if I'm quite ready to dive into networking, still don't know much about the basics
Yeah or look for a free ccna1 course
Networking is fun but you have to just dive in sometimes and try to swim
idk anything about ccna
There is one from networkchuck on YouTube
Im drowning already lol
Coffee? xD
CCNA1 is just OSI and the other basics
There is no CCNA1 and 2 anymore, it's just a single exam now
Yeah annoying it changed
I only have HE ipv6 and some intro to packet tracer thing
yah, I was so close to passing my CCIE Data Center a couple years back too, right before they changed it and I couldn't get another attempt in before that date ;-;
NetworkChuck's free CCNA isn't bad per se, but I only checked a few minutes as I know the things
Yup, I would say 90% is just experience alone for me
Here in India, What's written on your CV doesn't matter unless you have a certificate go with it. So now I am trying to get CCNA finally. :/
lol
Nice!
BTW whats the difference between Masquerade and NAT?
I just got the old ccna 1 and 2 certs. And know like half of ccna 3
oof
yah, I know that feeling
yah, that stinks
yikes, sounds like my first college I went to
Except they were the opposite
Made you buy books and stuff with 0 lines of code, made you write code for the class
My google-fu was strong that year
that's really cool
yup
haha, yes
of course, why prompt you
I always like to joke "that's a license"
oh boy
HA!
Sooooo this MikroTik antenna won't even show up in the Netinstall list of devices. I tried holding the reset button for 15 seconds in order to get it to look for Netinstall servers but it's still doing the same stuff with the LEDs and Windows network connections keeps showing "disconnected" at regular intervals
prolly the device port is fried if you have already tried changing the cable/connectors.
Make sure your computer port is working fine
It should be I have been using it without issues for a very long time
Whats the difference between Masquerade and NAT?
Masquerade is a type of Nat
specifically
it's a type of source nat
Ok. Any specific application of that?
your internet connection
it's most likely Masqueraded
huh i've never heard of Masquerade
default (except the name) config
was designed for specific use in situations when public IP can randomly change, for example, DHCP server change assigned IP or PPPoE tunnel after disconnect gets different IP, in short - when public IP is dynamic.
Hmmm so it's just snat when WAN IP is changeable.
basically
Though Source NAT and masquerading perform the same fundamental function: mapping one address space into another one, the details differ slightly. Most noticeably, masquerading chooses the source IP address for the outbound packet from the IP bound to the interface through which the packet will exit.
yes, masquerade is when the ip can change
but you can manually put in the translation address
You did not say much about Masquerade.
What I understood is, Masquerade hides a local pool behind one IP. So basically it is translating all local IPs to the router IP.
yeah
masquerade puts a much heavier load on the device in cases where you have a static IP
the load on the device increases as you have more interfaces, so the load is particularly bad for PPPoE servers or other types of PPP VPN servers where each remote user creates an interface
yes
But why would we do masquerade instead of snat when we have a static IP?
from my understanding, then you don't need to use masquerade
yes. snat is much faster and lighter on the CPU since it doesn't have to re-calibrate the mappings every-time a link goes down.
There isnt really any CPU difference between the two. The biggest impact just revolves around number of routes. Every interface adds a connected route, so as you add dynamic interfaces the route table grows.
Maybe CPU won't be significant in a small LAN. But it would surely be significant with a considerably bigger LAN env.
NAT has an impact on CPU and yes more so on a larger network with more state to parse, but there is no difference in CPU with a static vs dhcp IP.
what about plain src-nat vs masquerade?
Semantics
With static the nat mappings are stored in cache and don't need to be remapped. But with dynamic all mappings need to be recreated every time a link goes down which puts load on the CPU.
Those are two entirely different points
This is what I have read up till now that is and logically makes sense. But practically may be insignificant.
please elaborate
NAT tables and interfaces flapping are two different impact to the CPU.
- Interface comes up, route is created, address is added to the route table. Thats just a one time CPU hit. Nothing related to NAT.
- Transit traffic gets processed, looks at the routing table, looks at NAT rules, header is swapped and mapped in the NAT table based on outgoing interface. Now every matching packet that is in transit after that point has a mapping and is matched earlier on in the chain and forwarded on (fasttrack).
This same process happen whether its static or dynamic addresses
Interesting. Id still like to get my hands on one
Who appreciates their own competition.
I thought you were talking about flexoptics
Previous work place had 1000s of FS optics. Overall I would say they are a decent alternative
Nope, that the first Ive heard of them
Interesting. I know FS's just has a web interface or maybe just CLI
Sounds like they sell you the programmer and unprogrammed SFPs
I signed up for the FS beta when they first released it but never got in. I think it still exist, at least was like $200 at the time
https://www.fs.com/products/96657.html Yeah $219
FS Box, Multi-Functional Transceiver Tool Kit, Support FS Transceivers & DAC/AOC Cables,Part Number:FS-BOX-V3:Supported Form Factors:SFP, SFP+, XFP, SFP28, QSFP+, QSFP28,Part Number:FS-BOX-V3:Supported Form Factors:SFP, SFP+, XFP, SFP28, QSFP+, QSFP28:Supported Operating Systems:Windows (10 or newer), Mac OS (10.13 or newer):Supported Browsers:C...
Same thing for the FS one if you look at the docs
Yep, plug it in run the windows/mac app, choose vendor or custom and hit ok
I need help answering a question, does the Google WiFi access points work with Google Nest WiFi?
Yes it does! I should have just googled it
tip
always google everything
before asking
it's all IT people do
Hey! I resemble that remark
I've heard that certain routers complain if ya use a transceiver which isn't from them itself
like FS's one
Depends on how its programmed, some will just let you know it's unsupported as a log message only, others might not work unless you tell it to allow "unsupported" stuff
If you put a specific transceiver programmed for say Intel NICs in a Juniper router it might not work, all depends though
I like the human touch also
Yah
yah, or they figure the investment vs time cost to program large amounts isn't worth it
a friend is on a Gigabyte connection, same with the cloud server, a gigabyte connection. uploading a largeass 1.4+TB file archive over
sadly only peaking 45MB/s
;-;
over sftp
well okay it goes to 55MB/s too
what's a reliable way anyway to upload hugeass files like this? sftp or any other thing? I mean I guess we could use torrent as even if the connection dies completely you could just restart with current progress, if sftp dies kek you'd do the whole thing again
so transfering local files to a computer in the cloud?
also
gigabyte?
that would be 10 gigabit connection
I meant gigabit. opsies :P
just because the speeds are gigabit doesn't mean the link between is gigabit
like
an ISP link somewhere between them could be congested
it only hops one IP transit in between, core-backbone to aorta, and the whole trip is less than 29ms too
i'd expect it to actually be pretty good link in between
bandwidth delay product even with that latency, a single stream's throughput would be crippled. As Crystal said, when trying to push that type of throughput, multiple streams are really the only option
3ms sucks for a database
does anyone know what "software" or config is good for your own VPS service provider? I have 5 server boxes, 12 VPS's, I want to achieve to host them or sell them..
There is a whole other level you have to think about when you charge for VPS/VMs; QoS between VMs, backups in case something you do nukes a VM host by mistake
to make your own VMs?
I have VM's ready with Proxmox
yeah I know that, but since it's a project and that I have an opportunity to do it, I can do it
I don't understand what you want to do then
make your own cloud?
like
make vm setup really ez?
at home?
where will you get customers?
I'll get them dw 
theres no open-source software to do such thing?
Micro cloud VPS & container hosting system (visit https://tutorial.netsoc.co to use) - UCCNetsoc/cloud
I have googled some but all of them are saying how to resell VPS haha
ooh I'll look into it
yeah
so basically you can't use the same name to promote it
shouldn't be a problem
also be wary of the legal implications
does the school know you are doing this?
is this a school project
the IT manager knows this
oh, this would work with existing Proxmox or do I have to re-setup?
¯\_(ツ)_/¯
I'll give it a try though
yeah I saw pricing
this looks good tho
need to mod it
frontend seems to be in vue
okay but in case it's a school project, it doesn't have to be forked?
you need to mod it
so that's what forking is
ah right...
WHMCS
Blesta
I have a weird thing going on with my internet
And I'm not sure what the deal is so I'm hoping someone here can help explain to me what's going on
So my internet is down right?
Cant connect to websites, router shows no internet, my neighbors internet also isn't working entirely
However Steams chat thing works, and the telegram desktop app about have connection
Now I also even on data cannot connect to my ISPs website
So how the fuck does that work? Lol like what fucks up so that I do and don't have internet?
the dns server you are using - probably your isp's died. change your dns to 1.1.1.1 or 8.8.8.8
these are the dns servers I use.
You're not like direct connecting to me to like something that's gonna like fuck my pc up are ya? Lol
The fuck lol
Thank you glad that fixed it
When they fix theirs should I go back to getting automatically from my isp?
up to you you do not have to use the ISP's
Oh also my router has options for a 2nd and 3rd dns should I fill those in too?
you can use 1.1.1.1 and 1.0.0.1 (Cloudflare), 8.8.8.8 and 8.8.4.4 (Google), or 9.9.9.9 and 149.112.112.112 (Quad9)
Okay cool sorry for all the questions after Networking is something I know very very little about
both WHMCS and Blesta are paid
yea but for a panel for billing and shit sadly ya gotta use the WHMCS crap
how are private/special made panels better than this
Like DO or hetzner
Hey guys, how can I connect truenas as client of webdav or smb
Please help
anyone tried one of these i would like to get one or does anyone know anything similar around this price range i dont really want a tp link mesh wifi device as my main router
@hollow marlin would you use that? its carrier class!
that will not work as your main home router
@peak cloak explain?
it's literally 1 ethernet port
its 2
how still lmao why?
for 50 bucks you could get something better like a HEX or ER-X
cpu perf
also forget about wifi
dont need wifi
then get a HEX
it's like 10 bucks more
but much better, as it's designed to be an actual router
or ER-X works as well
how would my guest wifi work with like a mesh wifi system i put all my dodgy hardware on it
lmao running double nat just now
why
i have to have double nat just now as my modem runs better in router mode because its extremely flawed
does it have to be RPI only or you're comfortable with Arduino module?
@peak cloak why yes, a LAN is a switch
Talk about bananas vs car engine.
one sounds kinky the other painful
@plain siren would you help me with this please? I have set up a WireGuard VPN ("tunnel" between VPS and home server on port 25565), on Cloudflare I changed the DNS IP to my VPS one, replacing my home public IP. The moment I changed the DNS IP, I haven't lost communication between the node and the panel, but I can't connect to a Minecraft server using the domain. I think I need to change something but I don't know what. It's all for Pterodactyl..
anyone here good with proxmox? Im having issues with accessing the web interface
if you could help, please send me a friend req
Ok ok lets back up
Are you trying to use the VPS as a way to expose your MC Server runing on your Home Server?
Ideally you should have 2 DNS Entries, one for something like "home.domain.tld" which points to your home IP and one like "vps.domain.tld" which points to VPS.
yes, I have domain.tld which points to a home server and mcmgr.domain.tld that points to a VPS (panel), that works, but exposes my public IP
Now, wireguard would use these as a way to find the endpoints, but internally, a Wireguard VPN has its own "LAN" IP's which you use to communicate between the 2 endpoints inside the VPN.
yeah tried pinging 192.168.6.2 that I set up, it works
the communication between VPS and home server through the VPS works, but since I changed the domain IP in CF, I can no longer access the domain in Minecraft, so that's why I was wondering what I missed
Ok, so you would need to tell the VPS to take all traffic on 25565 on its Public IP and route it (NAT Basically) through the Wireguard VPN to your MC Server.
yeah I don't know how to do it..or what to modify
IP Tables is the play here
you mean that I'd allow a specific IP going through 25565?
iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to-destination 192.168.6.WHATEVERHOMEMCSERVERIS:25565
"DNAT" or Destination NAT.
I'd need to look up the ufw, home server uses ufw and VPS uses iptables..
However, this would only route TO your MC Server from the VPS, you also need to tell the Home MC to route BACK to VPS also
yeah I know, need to look up what I should set up in ufw
IIRC, IPTables is still used
oh right, I remember doing iptables -L and I would see ufw rules too
Use SNAT or MASQUERADE to make sure the route back is the same so your servers think the traffic comes from wireguard interface and not the internet
Else itll just take default route back and try to send the return data to the internet..
And your MC Client will be like "What the fuck, that's not where I requested the server?!"
"Das a whole diff public IP!"
yup
so this would fit my case or I should use SNAT or MASQUERADE?
You need both.
Thats just from VPS to MC Server.
The MC Server to VPS would be either SNAT or MASQUERADE
Else you get
MC User > VPS >(Wireguard)> Home Public IP > MC Server
MC User < Home Public IP < MC Server
And that aint where the MC User is expecting to get its data from.
Yeah, i would use the following A rules I stated above then CNAME mc.domain.tld to vps.domain.tld
SNAT should do the following
MC User < VPS < (Wireguard) < MC Server, so basically just SNAT any traffic on 25565 back up to the VPS.
I have CNAME for panel access
and for accessing MC server I'm gonna use the domain only, not subdomain..
mcpanel.domain.tld > CNAME > vps.domain.tld
@ > CNAME > vps.domain.tld
vps.domain.tld > A Record > VPS IP
@ represents the root domain typically.
iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to-destination 192.168.6.1:25565 for VPS and iptables -t nat -A PREROUTING -p tcp --dport 25565 -j SNAT --to-destination 192.168.6.2:25565 for home server?
https://gist.github.com/tomasinouk/eec152019311b09905cd Heres a good ref for SNAT/DNAT examples
yeah already on it
Frankly, despite my abilities, I am absolutely trash at IPTABLES Rules else I would give you the actual command. As ironic as that is.
oof okay..
I have to use pen and paper every damn time to draw it out visually
I can't mess up IPtables right?
good question 
My IP Tables Rules looks like a fucking war zone usually since I add things to protect from malicious scanning and attacks
I used to use this script which would download the IP assigned blocks PER country, and I'd block whole China and remember the script used iptables
Yeah basically this kinda shit
I remember it had "iptables flag flag DROP"
But Instead of outright BLOCKING or Denying, I do some trickery
and i'd just block china out kek, no more weird SSH bots
I return Host Not Found, Timeout, or whatever instead
So it looks less like something is there
And more like nothing is there in the response
Huh, wouldn't that be just "natural", i.e. if the server doesn't respond anything then we just presume it's not listening on anything
so most automated tools will just keep on going
Yeah, it looks more natural
Shit like skid DDoS tools and such will most of the time fail on the skid since it'll report back to them with an error "Host not found" or some stupid shit
if ya ping me on my residential IP it wouldn't respond back, I think my ISP has that disabled too, it would just show "lost packets" or something
and they have no way to force the attack
Heh, seems a cool thing to do. respond with stuff instead of completely DROPPING them.
But I used to just drop whole China, mainly to get rid of the SSH bots. they were BOTS so they aren't that smart anyway
I dont like doing massive block lists since that takes alot of time to do the table comparisons for every new connection
hwut what do you mean
I actually don't get it, what takes time
Does this IP match this block rule? No?
Ok what about this block rule? No?
How about this block rule? no
Bruh...
I mean, i didn't notice any network slowdown or something
it wasnt even a powerful VPS
if you ping from a new IP you would notice the first ping had a huge latency
Oh, huh, never checked that
when I used to talk about that other's would just say "i ThInK GeOBlOCKINg a COuNtRy iS StUPiD"
and the reasons would just be, because well the users or real people from the country wouldn't be able to visit your site etc... I mean I used to not care as my site had nothing to do with Chinese people anyway kek
Yeah you can mess up iptables
oh so I better screenshot it and if I do, I can just delete every rule and re-add them
yeah