networking
- TP-Link cold feet - go for ubiquiti instead?
cross-posted from: https://lemmy.world/post/21641378
> So I just added a TP-Link switch (TL-SG3428X) and access point (EAP670) to my network, using OPNSense for routing, and was previously using a TP-Link SX-3008F switch as an aggregate (which I no longer need). I'm still within the return window for the new switch and access point, and have to admit the sale prices were my main reason for going with these items. I understand there have been recent articles mentioning TP-Link and security risks, so I'm thinking about whether I should consider returning these and upping my budget to go for Ubiquiti. The AP would only be like $30 more for an equivalent, so that's negligible, but a switch that meets my needs is about 1.6x more, and still only has 2 SFP+ ports, while I need 3 at absolute minimum.
>
> I'm generally happy with the performance, however there is a really annoying bug where if I reboot a device, the switch drops down to 1G speed instead of 10G, and I have to tinker with the settings or reboot the switch to get 10G working again. This is true for the OPNSense uplink, my NAS and workstation. The same thing happened with the 3008F, and support threads on the forums have not been helpful.
>
> In any case, any opinions on whether switching to Ubiquiti would be worth it?
- How do I set up a wireguard configuration that acts like a nat?
I have a server with wireguard in a container with host networking. I want to assign an ipv6 subnet for each peer (eg: `fd42:413d:a91f:dd37::/64`) that the client (my laptop) can freely use all the addresses in that subnet and corresponding port ranges as a separate network interface. Meanwhile on the server, that exact same ip and port is routed to that specific client but through the tunnel. Here's an example:

1. Server config

```ini
[Interface]
Address = fd42::1/128
ListenPort = 51820
PrivateKey = <key>

[Peer]
PublicKey = <key>
AllowedIPs = fd42:413d:a91f:dd37::/64
```

2. Client config

```ini
[Interface]
PrivateKey = <key>
Address = fd42:413d:a91f:dd37::1/64

[Peer]
PublicKey = <key>
Endpoint = server.local:51820
AllowedIPs = fd42:413d::/32, fd42:413d:a91f:dd37::/64
```

3. Run a server on the client

```sh
python -m http.server 8080 --bind fd42:413d:a91f:dd37::1 -d dist
```

4. Access on the server

```sh
curl -svL http://[fd42:413d:a91f:dd37::1]:8080/
```
I can't get step 4 to work. It's also entirely possible that my lack of knowledge in networking is making me think this is even possible in the first place. Any help is appreciated!
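WireGuard's cryptokey routing drops a received packet whose inner source address lies outside the AllowedIPs of the peer it arrived from, so every interface address one side may use as a source must be covered by the other side's AllowedIPs for that peer, in both directions. The checker below is an added example, not code from the post: it parses the two configs above (keys elided exactly as in the post) and reports any interface address the opposite peer would silently refuse.

```python
import ipaddress
import re

# Copies of the two configs from the post (keys elided, as posted).
SERVER_CONF = """
[Interface]
Address = fd42::1/128
ListenPort = 51820
PrivateKey = <key>

[Peer]
PublicKey = <key>
AllowedIPs = fd42:413d:a91f:dd37::/64
"""

CLIENT_CONF = """
[Interface]
PrivateKey = <key>
Address = fd42:413d:a91f:dd37::1/64

[Peer]
PublicKey = <key>
Endpoint = server.local:51820
AllowedIPs = fd42:413d::/32, fd42:413d:a91f:dd37::/64
"""


def parse_wg(text):
    """Parse a wg-quick style config into {'Interface': {...}, 'Peers': [{...}, ...]}.
    Comma-separated values of Address and AllowedIPs become lists."""
    sections = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if header.group(1) == "Interface":
                current = sections["Interface"]
            else:
                current = {}
                sections["Peers"].append(current)
            continue
        if current is None:
            raise ValueError(f"key/value before any section: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("Address", "AllowedIPs"):
            current.setdefault(key, []).extend(v.strip() for v in value.split(","))
        else:
            current[key] = value
    return sections


def interface_addrs(conf):
    """Addresses this side will use as the inner source of its own packets."""
    return [ipaddress.ip_interface(a).ip for a in conf["Interface"].get("Address", [])]


def allowed_nets(peer):
    return [ipaddress.ip_network(n, strict=False) for n in peer.get("AllowedIPs", [])]


def check_pair(local_text, remote_text):
    """Problems for traffic local -> remote: each local interface address must sit
    inside the remote side's AllowedIPs for its (single) peer, otherwise the remote
    kernel drops the packet before it ever reaches a socket."""
    local, remote = parse_wg(local_text), parse_wg(remote_text)
    nets = allowed_nets(remote["Peers"][0])
    problems = []
    for addr in interface_addrs(local):
        if not any(addr in n for n in nets):
            problems.append(
                f"{addr} is not in the remote peer's AllowedIPs "
                f"{[str(n) for n in nets]}: packets sourced from it are dropped"
            )
    return problems


if __name__ == "__main__":
    for direction, (a, b) in {
        "server -> client": (SERVER_CONF, CLIENT_CONF),
        "client -> server": (CLIENT_CONF, SERVER_CONF),
    }.items():
        issues = check_pair(a, b)
        print(direction, "OK" if not issues else "")
        for p in issues:
            print("  ", p)
```

Run against the posted configs it flags the server -> client direction only: the server sources its curl from fd42::1, which is inside neither fd42:413d::/32 nor the /64 the client allows for the server peer.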
- Turkish government just blocked access to YouTube after a terrorist attack - but the Vivaldi browser on my desktop still connects?
It also connects to discord, supposed to be blocked since more than a week. No other device or browser I have connects to YouTube, they all get `ERR_SOCKET_NOT_CONNECTED`, and only a fresh Vivaldi profile on the same pc also connects to Discord, everything else gets `ERR_CONNECTION_RESET`. I've tried disabling all extensions, it still connects. Checked its IP address and DNS server and they're the same as other devices/browsers. Any idea what could be going on?
24m edit: Discord just started working on some other chromium browsers including on another device.
80m edit: Another chromium browser just also connected. After deleting browser data it stopped
edit 3: found that if I add this to the servers section of a `Network Persistent State` file associated with a chromium browser profile (while the browser is closed), it can connect to youtube. Can't explain why. (anonymization says https://www.youtube.com + some number that doesn't matter in the beginning in base64):

```json
{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13376788973168704","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABMAAABodHRwczovL3lvdXR1YmUuY29tAA==",false],"server":"https://www.youtube.com","supports_spdy":true}
```
Edit 4: The block is gone
- ASUS N66U with VPN Client on WAN interface, disable traffic when VPN server connection is down
I have an ASUS N66U
I have configured the WAN interface to use a VPN Client to connect to a 3rd party VPN Server, so that all NAT LAN connected device traffic is routed through the 3rd party VPN server.
But if the 3rd party VPN server goes down, or the connection is otherwise lost or broken, the Asus N66U will route directly from the WAN connection using e.g. my ISP.
How can I stop my Asus N66U from routing any traffic on the WAN port if the VPN connection is down?
- LAN: authentication and monitor data consumption
Hi,
I would like to create a LAN where each node needs to authenticate before gaining access to the LAN,
and secondly, to be able to monitor the data consumption of each node and even limit the speed for a node when exceeded.
I'm looking for something FLOSS. For example a single-board computer with a gnu/Linux etc...
Maybe some distribution or solution already exists for this?
Thanks.
- [SOLVED] IPv6 Networking - Router Advertisements, DHCPv6, and No Assigned Addresses
Greetings all!
I have been working on getting a new network setup. The current test host (A server running OpenSUSE Leap 15.6 w/ Wicked) is able to get routes and obtain an address via DHCP from the router of the network (running OPNSense 24.7.6), but is unable to resolve routes and obtain an address via the local DHCPv6 server. Admittedly, I am not great with IPv6 doubled with the ISP for this network granting a statically-defined /128 address for the router and manually-delegated /64 address blocks.
The OPNSense configuration has a /64 address block assigned as its address space for the LAN interface. The configuration has the ISC DHCPv6 server allocating address range 2602:xxxx:xxxx:xxxx::8888:0 - 2602:xxxx:xxxx:xxxx::8888:ffff. The radvd server is set to managed, set with an automatic source address, set to advertise the default gateway, set to use the dhcpv6 dns configuration, and set with no additional routes advertised.
As noted, the OpenSUSE machine is unable to get any routes beyond link-local via ipv6 nor is it able to automatically be assigned an ipv6 address from the DHCPv6 server. I have done some diagnostics, but have been unable to determine any conclusive issue.
Starting ip route and address checks:

`ip -6 addr`:

```
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:a4ee/64 scope link proto kernel_ll    [OpenSUSE Leap 15.6 Server link-local address]
       valid_lft forever preferred_lft forever
```

`ip -6 route`:

```
fe80::/64 dev eth0 proto kernel metric 256 pref medium
```
The eth0 interface noted is using a standard configuration as provided by Wicked (BOOTPROTO=dhcp, STARTMODE=auto, ZONE=public). Testing dhcpv6 address acquisition by hand results in nothing:
`wicked test dhcp6 -m auto eth0`:

```
wicked: eth0: Request to acquire DHCPv6 lease with UUID <$uuid-a> in mode auto
```
However, testing in forced managed mode does get results from the DHCPv6 server:
`wicked test dhcp6 -m managed eth0`:

```
wicked: eth0: Request to acquire DHCPv6 lease with UUID <$uuid-b> in mode managed
INTERFACE='eth0'
TYPE='dhcp'
FAMILY='ipv6'
UUID='<$uuid-b>'
IPADDR='2602:xxxx:xxxx:xxxx::8888:807/128'    [theoretical bound address on LAN]
PREFIXLEN='128'
DNSSERVERS='2602:xxxx:xxxx:xxxx::1'    [LAN address of router]
DNSSEARCH='<$domain>'
ACQUIRED='1729020515'
CLIENTID='<$clientid>'
SERVERID='<$serverid>'
SERVERADDR='fe80::xxxx:xxxx:xxxx:a4ee'    [OpenSUSE Leap 15.6 Server link-local address]
```
So unless I am mistaken at this point, this likely means that something is going wrong with the Router Advertisements for the system to not automatically try get assigned an ipv6 address. Checking a router advertisement broadcast to the OpenSUSE server, I am not seeing anything out of the ordinary:
`radvdump`:

```
#
# radvd configuration generated by radvdump 2.17
# based on Router Advertisement from fe80::xxxx:xxxx:xxxx:4eb4    [router link-local on LAN]
# received by interface eth0
#

interface eth0
{
	AdvSendAdvert on;
	# Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
	AdvManagedFlag on;
	AdvOtherConfigFlag on;
	AdvReachableTime 0;
	AdvRetransTimer 0;
	AdvCurHopLimit 64;
	AdvDefaultLifetime 1800;
	AdvHomeAgentFlag off;
	AdvDefaultPreference medium;
	AdvLinkMTU 1500;
	AdvSourceLLAddress on;

	prefix 2602:xxxx:xxxx:xxxx::/64    # [public /64 address block manually delegated as LAN]
	{
		AdvValidLifetime 86400;
		AdvPreferredLifetime 14400;
		AdvOnLink on;
		AdvAutonomous off;
		AdvRouterAddr off;
	}; # End of prefix definition

	RDNSS 2602:xxxx:xxxx:xxxx::1    # [LAN address of router]
	{
		AdvRDNSSLifetime 600;
	}; # End of RDNSS definition

	DNSSL <$domain>
	{
		AdvDNSSLLifetime 600;
	}; # End of DNSSL definition
}; # End of interface definition
```
`sysctl -a | grep eth0.accept_ra`:

```
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.eth0.accept_ra_from_local = 0
net.ipv6.conf.eth0.accept_ra_min_hop_limit = 1
net.ipv6.conf.eth0.accept_ra_mtu = 1
net.ipv6.conf.eth0.accept_ra_pinfo = 1
net.ipv6.conf.eth0.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.eth0.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.eth0.accept_ra_rtr_pref = 1
```
Am I missing something with why Wicked doesn't actually get a proper route to the LAN nor an address via IPv6?
To recap: IPv4 works, this is the only device connected to the network thus far, IPv6 configuration appears (to me at least) correct for the router advertisements and DHCPv6 config.
EDIT:
Found the source of the problem. The OPNSense configuration is in fact correct for what I want to do. The issue is on the OpenSUSE machine. I forgot about a funny little Linux kernel networking quirk regarding ipv6 forwarding. In OpenSUSE, enabling forwarding for IPv6 from the installer keeps `net.ipv6.conf.*.accept_ra` set to 1. However, setting `net.ipv6.conf.*.forwarding` to 1 will disable accepting routes from RA, and in my case of expecting automatic IPv6 configuration from DHCPv6 without forcing managed mode on the Linux server. Unless I feel like bypassing some functionality provided by the router, one needs to set `net.ipv6.conf.*.accept_ra` to 2 for all affected network interfaces. This enforces accepting routes with forwarding enabled. This in turn for my case also allows for DHCPv6 resolution to function without forcing or bypassing it from the OpenSUSE machine. I can only assume the reason this isn't just default if applied from the installer is that fully-manual static IP addressing is expected rather than wanting to use DHCP reservations for assigning addresses. So in short:
All is good with the OPNSense configuration. I needed to change the sysctl flag `net.ipv6.conf.eth0.accept_ra = 1` to `net.ipv6.conf.eth0.accept_ra = 2`, in order to forcefully accept RA routes and normal DHCPv6 address assignment on my ethernet interface. This is necessary because I need forwarding over IPv6 for the affected machine.
- Is my proxy setup safe?
I'm currently working on setting up a proxy on my home computer to bypass my school's blockers, and want to see if I can make any improvements to security. To be clear, I haven't opened this to the internet yet, I'm asking BEFORE doing that.
The setup is thus: I have a squid server running on my linux laptop, which will only allow authenticated users through. It's no longer listening to the default port (3128) and is instead listening to a port in the 10000-20000 range. I would have both my router and modem set to forward that same port, and my laptop's local IP address is static.
This is a consumer internet connection, so Dynamic DNS, but I have a NOIP address ready to connect once I open the ports (already have the client installed and running, just throws an error on the website because it can't get through the port.)
I'll be connecting to my proxy server through the FoxyProxy extension, rather than through the Windows 11 control panel on my school laptop, because I don't have access to that specific part of the control panel.
That's the sum total of the setup I've got thus far. It only needs to be able to support my lone connection, I'm not sharing this around. Any improvements to be made?
- Using a chromecast without a google account?
cross-posted from: https://programming.dev/post/19441371
> cross-posted from: https://programming.dev/post/19441320
>
> > cross-posted from: https://programming.dev/post/19441267
> >
> > > I have a 2nd-gen chromecast, it's factory reset. If i plug it in all it tells me is to install the app to start configuring.
> > >
> > > I don't have a google account nor do i want to install/use google-related stuff on my phone.
> > >
> > > My home router doesn't register any new device, which makes sense since the cast doesn't know the SSID/pass of the WiFi.
> > >
> > > Does it try to ping some service/port? Multicast perhaps? Where would it get an IP from without authenticating?
> > >
> > > My (wired) PC runs gentoo.
> > >
> > > How can i get it to work in these conditions?
- Network Simulator which one ? (FLOSS)
Hi,
I would like to make some simple network simulations
I've tried to get a few running (under Linux or Windows):
- Kathara
- GNS3
- EVE-NG (3.1 GB ! to download )
- omnetpp
- ns-3
- Cisco Packet Tracer (Not FLOSS, if I'm not mistaken )
The only one that I managed to install, run and use (set some nodes) was sadly the Cisco Packet Tracer ...
The others have an install process that is way too complex, or such layers of dependencies, or more simply the way they work is too complex (running a side VM for each node etc.), which makes them challenging to install.
Do you know a FLOSS Network Simulator that is easy to install?
Thanks.
- Do I need open unifi or is a simple router okay for my setup?
I'm moving into a new apt and the ISP is trying to rent a router at $20/mo, so I'd like to get my own router.
I'm considering setting up opnsense for the router & TP-Link Omada for the AP & Switch.
But this feels a bit overkill for an apt. Should I just get an all-in-one router instead? What are the pros and cons?
- Port forwarding without global routing with OpenVPN
cross-posted from: https://lemmy.dbzer0.com/post/26553762
> How can I use my VPN's port forwarding feature while also disabling global routing by adding “route-nopull” in the OpenVPN config? Using hide.me vpn
>
> I found a relevant post, but the links to the answers don't work anymore: https://forum.netgate.com/topic/127557/openvpn-client-port-forwarding-route-nopull-issue
- Got My Comptia Trifecta Certs!
Didn't know where else to post this but figured I would just leave it here. Hopefully I can get some kind of job with this.
- Networking Infrastructure Attack Causing Train Delays Ahead of Opening Ceremony
www.abc.net.au: France's high-speed rail network hit by arson attacks hours before Olympics ceremony
Fires started in railway cabling have impacted up to 800,000 people across the French railway network on the eve of the Paris Olympics.
"Train operator SNCF's chief executive, Jean-Pierre Farandou, said the attackers had started fires in "conduits carrying multiple (fibre-optic) cables" that carried "safety information for drivers" or control the motors for points."
Seems this kind of attack is becoming more commonplace. It used to just be the occasional tractor or digger damaging fibre, but now it seems to be intentional.
https://www.abc.net.au/news/2024-07-26/vic-teens-charged-over-politically-motivated-graffiti-josh-burns/104147956
- It is so confusing in europe having a Cca required rating vs CCA cable makeup.
In Belgium, we are forced by law to use Cca data cables because of "lower fire risk" while I hear literally everywhere that CCA data cables have a much higher fire risk.
Everything here has to comply with the euroclass chart level cca or higher which is confusing because they seem to be combustibility(ca) ABCDEF rating. Making the minimum required in Belgium (and the most prevalent) Cca.
I think for example that getting this for PoE (sorry, in Dutch) would be fine because it does say that it is pure copper, but it also says that it is CCA which is confusing.
Not really a question or anything, just very confusing considering Cca and Eca are the 2 cable types used for residential homes which happen to correspond also to Copper clad aluminum and Enhanced Circuit Integrity. Adds extra probably completely unnecessary stress.
- [Question] Protecting outdoor LAN port from infiltration?
If you have an outdoor Ethernet port—in my case with a WiFi AP connected—how can you go about protecting your network from somebody jacking in?
Is there a way to bind that port to only an approved device? I figured a firewall rule to only allow traffic to and from the WiFi AP IP address, but would that also prevent traffic from reaching any wireless clients connected to the AP?
Edit: For more context, my router is a Ubiquiti UDM and the AP is also Unifi AP
- How to set up local home video game streaming with two routers?
I haven't really done home networking since Windows XP / gnome only Ubuntu days, so rusty is an understatement.
Currently, due to the layout of my apartment, I have my main PC in a bedroom connected to a gli.net Velica router, which then connects to the wall, which then connects to a TP-Link switch (1), which is connected to the internet.
In the living room, where I want to stream to a Raspberry Pi that has Android TV (lineage os), I have the Pi and 2 Nintendo Switches connected to another TP-Link switch (2), which is then connected to another gli.net router, which connects to the wall and then to TP-Link switch (1) which is connected to internet.
How do I set up a local LAN network so that my computer can then stream to the Pi via Steam Link, Moonlight, Sunshine, or any other recommended option?
Layout:

```
Bedroom
  • Wall connection (port 3)
    ∆ Velica Router 2
      § PC
----------------------------------
Living Room
  • Wall connection (port 1)
    ∆ Velica Router 1
      × TP Link Switch 2
        π Raspberry Pi
        ™ Nintendo Switch 1&2
----------------------------------
Electrical Box
  • Port 1, Port 3
    × TP Link Switch 1
      🌐 Internet
```
- IVPN and AirVPN wireguard working only if i connect to them first via LTE
Hi, i have this weird issue where both my IVPN and my AirVPN connection works only if i do the following:
1. Disable WiFi
2. Connect to LTE and open either IVPN or AirVPN
3. Connect to the wireguard protocol
4. Enable WiFi and connect to it
5. Disable LTE
Now it works
If i try to connect to the wireguard protocol from WiFi directly (corporate WiFi) it doesn't work
Any idea why?
If i Connect from my home WiFi it works normally
Thanks
- Recurring issue in corporate wifi on windows 11 computers
Hi all, I've got an issue in my company that has been happening for some months now to many windows users.
Basically the user changes the windows password due to a policy that requires changing it every 3 months (I know, not ideal, but still), the user then works fine under wifi for 1-4 hours and then he gets kicked out from the network.
The network is a visible SSID with WPA2-Enterprise security (AES encryption) and the authentication method is PEAP using the saved login information (from AD).
Here some test I did for troubleshooting:
1st Test: Normal password change from windows: ctrl alt canc, change pw: All good, no disconnection at all -> user is good to work
2nd Test: We force-reset a new password on the PC -> The user stays connected to wifi even 15 minutes after the reset, which means that the wireless network kept an "old token" as valid even though the windows password changed.
- We manually disconnect from the network (turn off wifi) and reconnect -> doesn't work
- We reboot the PC, which still logs in with the OLD password -> we try to connect to wifi (without using the new pw) -> KO
- We connect the ethernet cable, we receive the message that the domain has a different pw than the PC -> lock PC -> unlock with new password -> wifi still doesn't work -> reboot, login to PC with new password -> wireless works
NOTE: We suspect that this "old token" is not renewed for a while sometimes, that's why the user, even with an old pw, can still connect and work normally.
- Somebody please explain PROXYv2 to me and the myriad of ways to do DoH?
I've been looking to implement DoH
- The first idea was to simply follow this - I do not understand the configuration fully but it looked fine.
- Then, I decided to use a proxy/Load balancer in front of BIND to deal with HTTPS.
However, I came across PROXYv2 (which is not even mentioned in the docs, just in a blog post) and the likes of DNSdist.
My questions:
- I can't find a detailed explanation of what I need to do about PROXYv2 - does my Reverse-proxy absolutely need to have it to be able to communicate with my DNS server?
- Why can't I just have any reverse-proxy that can handle HTTPS and put it in front of my DNS resolver? Does my proxy need to have a specific protocol to be able to talk DNS queries?
I am still confused, would really appreciate some help :)
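What PROXY protocol v2 actually carries, as an added example that is not from the post, from dnsdist or from BIND: a proxy that terminates DoH prepends this short binary header to the plain DNS connection it opens to the backend, so the backend learns the original client's address for its ACLs, logging and rate limiting instead of seeing only the proxy. The backend must be configured to expect the header (otherwise the bytes read as a malformed query); the encoder and parser below follow HAProxy's proxy-protocol specification, and the addresses used are constructed.

```python
import ipaddress
import struct

# PROXY protocol v2 constants (HAProxy proxy-protocol.txt).
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12 bytes, never valid DNS or HTTP
V2_VERSION = 0x20                          # high nibble of byte 13
CMD_LOCAL, CMD_PROXY = 0x00, 0x01          # low nibble: health check vs proxied
AF_INET4, AF_INET6 = 0x10, 0x20            # high nibble of byte 14
TRANSPORT_STREAM, TRANSPORT_DGRAM = 0x01, 0x02  # low nibble: TCP vs UDP
FAMILIES = {AF_INET4: (4, ipaddress.IPv4Address), AF_INET6: (16, ipaddress.IPv6Address)}


def build_v2(src, dst, src_port, dst_port, udp=False):
    """The header a proxy prepends: signature, version/command, family/transport,
    big-endian length, then src addr, dst addr, src port, dst port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    family = AF_INET4 if s.version == 4 else AF_INET6
    transport = TRANSPORT_DGRAM if udp else TRANSPORT_STREAM
    addrs = s.packed + d.packed + struct.pack("!HH", src_port, dst_port)
    return (V2_SIGNATURE + bytes([V2_VERSION | CMD_PROXY, family | transport])
            + struct.pack("!H", len(addrs)) + addrs)


def parse_v2(data):
    """Parse a v2 header from the start of `data`.

    Returns (info, payload): info is None for a LOCAL command (health check) and
    otherwise a dict with the original 4-tuple; payload is what follows the
    header (the DNS query itself). Anything malformed raises ValueError so a
    backend can refuse the connection rather than guess.
    """
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_tr, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd & 0xF0 != V2_VERSION:
        raise ValueError("not PROXY protocol version 2")
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("truncated PROXY v2 header")
    if ver_cmd & 0x0F == CMD_LOCAL:
        return None, payload
    family, transport = fam_tr & 0xF0, fam_tr & 0x0F
    if family not in FAMILIES or transport not in (TRANSPORT_STREAM, TRANSPORT_DGRAM):
        raise ValueError("unsupported address family or transport")
    alen, cls = FAMILIES[family]
    if length < 2 * alen + 4:
        raise ValueError("address block too short")
    # Bytes past the address block are optional TLVs; they are ignored here.
    src, dst = cls(body[:alen]), cls(body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    info = {"src": str(src), "dst": str(dst), "src_port": src_port,
            "dst_port": dst_port, "udp": transport == TRANSPORT_DGRAM}
    return info, payload


if __name__ == "__main__":
    # Constructed: a DoH client at 203.0.113.7 reached the proxy on port 443; the
    # proxy forwards the query over TCP/53 and tells the resolver who asked.
    header = build_v2("203.0.113.7", "198.51.100.2", 40000, 443)
    print(parse_v2(header + b"\x00\x1c<dns query bytes>"))
```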
- Mikrotik setup question
I have recently upgraded my router from a nearly 7 year old consumer "gaming" router to a Mikrotik RB960PGS router.
So far I have been able to:
- Remove all configurations
- Set a long admin password
- Create a bridge
- Setup DHCP server
- Set up NAT
- Set up Spark NZ fibre connection
- Update to latest stable firmware (7.15.2)
- Set up basic IPv4 & IPv6 firewalls
- Setup NTP & disable cloud/update time
- Set DNS to my Pi-hole
- Disabled the following IP services API, API-SSL, FTP, SSH, Telnet, & WWW-SSL
- Turned off "detect internet"
- Turned off "use peer dns" so all DNS goes through the Pi-Hole instead of the ISP's DNS servers.
Are there any other "gotchas" or things that I should be setting up?
- Company brought to its knees by a cable
Yesterday around noon, the internet at my company started acting up. No matter, slowdowns happen and there's roadwork going on outside: maybe they hit the fiber or something. So we waited.
Then our Samba servers started getting flaky. And the database too. Uh oh... That's different.
We started investigating. Some machines were dropping ICMP packets like crazy, then recovered, then other machines started to become unpingable too. I fired up Wireshark and discovered an absolute flood of IGMP packets on all the trunks, mostly broadcast from Windows machines. It was so bad two Linux machines on the same switch couldn't ping each other reliably if the switch was connected to the intranet.
So we suspected a DDOS attack initiated from within the intranet by an outside attacker. We cut off the internet, but the storm of packets kept on coming. Physically disconnecting machines from the intranet one by one didn't do a thing either.
Eventually, we started disconnecting each trunk one by one from the main router until we disconnected one and all the activity lights immediately stopped on all the ports. We reconnected it and the crazy traffic resumed.
So we went to that trunk's subrouter and did the same thing. When we found the cable that stopped all the traffic, we followed it and finally found one lonely $10 ethernet switch with... a cable with both ends plugged into the switch. We disconnected the cable and everything instantly returned to normal.
One measly cable brought the entire company to a standstill for hours! Because half of the software we have to use is cloud crap or needs to call its particular mothership to activate licenses, many people couldn't work anymore for no good technical reason at all while we investigated the networking issue.
Anyway, I thought switches had protections against that sort of loopback connection, and routers prevented circular routes. But there's theory and there's reality. Crazy!
- Cheapest router for 10Gbps internet
One of my local ISPs offers 10Gbps broadband for cheap. What is the cheapest router setup one can get with a 10Gbps wan and lan port? WiFi and switching hardware are optional.
- [Question] IPv6 SLAAC and firewall rules
Given there's been a bit of talk about IPv6 around here recently, I gave it a really good shot at implementing this past week. I spent 3 days getting up to speed, reading loads and trying various different things. But I am now back to IPv4 only because I just can't get IPv6 to do what I want and no amount of searching has made me think what I want to do is even possible.
Some background about the IPv4 network I run at home: I run opnsense on a Proxmox server. I have a few services publicly available using port forwarding. I run several VLANs for IoT, VoIP, Cameras etc. I use a bunch of firewall rules that are specific client devices on the network. So for example I have a rule that blocks youtube from the kids tablets and the TV. I have a special rule around DNS for the wife as she doesn't want to use the pihole blocking features. These rules are made possible because the DHCP server is set to give them a fixed IP and I can create a firewall alias and rule based on that.
None of these things on my existing network are particularly difficult to configure, they run really well.
What I want from IPv6 is:
- All devices to use IPv6 including android devices.
- To have the same firewall rules configured and not have them be easily bypassed.
- To use privacy addresses as I don't want to make every device uniquely trackable over the internet.
- To be able to cope with changes to the ISP provided /48 prefix seamlessly.
- Have internal DNS make accessing intranet devices easy.
- To ensure the privacy of individual devices on my network by avoiding individual device tracking.
What I've tried:
- Using DHCPv6, but this excludes android devices. So that's out.
- Using a NAT (to avoid tracking of individual devices) and fd00/8 addresses, but this is pointless as those addresses are lower priority than IPv4 (FFS!)
- SLAAC just seems a non-starter.
Additional: I don't think I have a problem with "thinking about it all wrong for IPv6". I may have a skill issue, hence this question.
As far as I can tell to achieve requirement 1) you must use SLAAC. SLAAC without privacy extensions doesn't allow for 6).
Changes to external ISP prefix assignment impacts MY INTERNAL NETWORK (this just seems insane). And as far as I can tell there's no easy way around this, especially if I have static addresses configured for servers which would (if using SLAAC) have to be manually configured.
I can't see how DNS would be updated either, either Unbound running on Opnsense, or the pihole. If I go for SLAAC with privacy extensions and I keep paying for a static IP (v4 & v6) from my ISP then I can't implement any firewall rules for specific devices as devices will change their IP regularly. And it's even worse if I don't pay for a static IPv6 prefix.
I don't think anything I'm trying to do is particularly strange or unusual but 26 years after its introduction I don't see that IPv6 can meet these requirements. And one of the leading firewall routers, especially in the homelab doesn't have answers to these questions either.
Can you suggest a way to meet all 6 requirements I have with IPv6?
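Why requirements 2, 3 and 4 pull against each other, as an added example that is not from the post: it shows how the 64-bit interface identifier is formed under plain SLAAC (modified EUI-64 from the MAC), under RFC 7217 stable-privacy addressing and under RFC 4941 temporary addresses, and which of them keeps the same low 64 bits when the ISP prefix changes, which is what a prefix-independent per-device rule would have to match on. The MAC, prefixes and secret are constructed; SHA-256 stands in for the RFC 7217 PRF (the RFC leaves the function to the implementer, and Linux's own choice differs).

```python
import hashlib
import ipaddress
import os

MASK64 = (1 << 64) - 1


def eui64_iid(mac):
    """RFC 4291 modified EUI-64: flip the universal/local bit (0x02) of the first
    octet and splice 0xfffe into the middle of the 48-bit MAC. Same MAC, same IID,
    on every network the device ever joins."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    first = octets[0] ^ 0x02
    return int.from_bytes(bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:], "big")


def stable_privacy_iid(prefix, net_iface, secret, dad_counter=0):
    """RFC 7217 opaque IID: PRF(prefix, interface, DAD counter, secret). Stable for
    as long as the prefix is the same, different on every other prefix, so the
    device is not linkable across networks but its suffix moves with the ISP prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    material = (net.network_address.packed[:8] + net_iface.encode()
                + bytes([dad_counter]) + secret)
    return int.from_bytes(hashlib.sha256(material).digest()[-8:], "big")


def temporary_iid():
    """RFC 4941 temporary address: a fresh random IID, regenerated periodically."""
    return int.from_bytes(os.urandom(8), "big")


def slaac_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & MASK64))


def suffix(addr):
    """The low 64 bits: the only part of an address a prefix change leaves alone."""
    return int(ipaddress.IPv6Address(addr)) & MASK64


def suffix_survives_renumbering(scheme, old_prefix, new_prefix, mac, secret):
    """True if a rule keyed on the device's suffix still matches after the ISP
    hands out a new prefix. Constructed inputs; scheme is 'eui64', 'stable' or 'temp'."""
    if scheme == "eui64":
        old, new = eui64_iid(mac), eui64_iid(mac)
    elif scheme == "stable":
        old = stable_privacy_iid(old_prefix, "eth0", secret)
        new = stable_privacy_iid(new_prefix, "eth0", secret)
    else:
        old, new = temporary_iid(), temporary_iid()
    return suffix(slaac_address(old_prefix, old)) == suffix(slaac_address(new_prefix, new))


if __name__ == "__main__":
    mac, secret = "00:11:22:33:44:55", b"constructed-secret"
    for scheme in ("eui64", "stable", "temp"):
        print(scheme, suffix_survives_renumbering(scheme, "2001:db8:1::/64",
                                                  "2001:db8:2::/64", mac, secret))
```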
- [Question] How should I configure Tailscale app connectors and/or subnet routing for HomeKit Secure Video?
Basically, I’m running Tailscale on most of my devices and using subnet routing on a Raspberry Pi for non-Tailscale devices.
My problem is that while using an exit node streaming video from cameras in the iOS/macos Home apps is entirely too slow. I can see from App Privacy Report that it attempts to connect to my home network’s WAN address, so I’ve set up subnet routing to bring in any traffic to any of ISP’s networks through the Raspberry Pi at home (this also makes it possible to use said ISP’s streaming app on Apple TV as if I were at home).
I know that Home doesn’t connect to the cameras locally at all, because I can tear down all the Tailscale stuff and not see any traffic between the client and the camera on the LAN.
Does anyone have a clue how to go about configuring this? Thanks in advance!
- [Question] what exactly is hard about adopting IPv6??
I mean on a technical level. Are the devices that make up the infrastructure of the internet hardwired with IPv4? Is the firmware on these devices impossible to upgrade remotely?
If it's just a matter of software or firmware then adoption should only take like a year but clearly that isn't the case. So what specifically is stopping us?
- [question] I want to learn - where do I start?
[I hope this belongs here - if not, lmk and I'll delete the post. I've been mainly lurking here so far]
In a month I'll be in charge of "IT-stuff" in a small office. People are generally happy if there is internet and VoIP is working. I'd like to take the opportunity to learn what I can, while I have the chance. And maybe/hopefully contribute to make it a bit better. For now I want to look into how I should configure wifi and access for office/guests (and devices that are used obv.) Thing is, I don't know where to start and what I actually can do. Do I just google "how to configure wifi in the office?" and go from there? (I'm a bit hesitant to do that since I'll not be able to tell if what I find is good) Is there any good reference material you would suggest? Any suggestions are appreciated.
I studied business informatics (but it's been a while) so I'm not completely clueless (but still clueless hehe).
- Have you upgraded to WiFi 6 - 802.11ax?
Am about to move houses and new place will have 1000/1000 speeds. Wondering if I should get a Wifi 6 router or not, is it worth the upgrade? Can Wifi 5 and 6 equipment be combined? Or will it then all be 'downgraded' to Wifi 5?
Usecase: At home - with 8 or so devices.
Anyway, let me know your experiences with WiFi 6 and whether I should aim to get it.
- pfSense DHCP / DNS performance
pfSense... Anyone have much experience with the new Kea DHCP server?
I'm using 2.7.2 (Community Edition) on a fairly good Celeron based system that's not heavily loaded, but I have 7 network segments (VLANs and physical interfaces), so I have 7 DHCP pools / configs and just adding 1 more static reservation can cause a significant delay when reloading the service and because I register static reservations in DNS, I can lose comms.
Would Kea fix this?
- [Question] Virtual networking docker (bridge)
Edit: Whoops I just read that networking@sh.itjust.works is for enterprise networks? I hope my small homelab question doesn't break the rules? If so I will redirect my question.
---
Hi everyone !
I'm scratching my head in finding an actual answer on how virtual networking in docker actually works (mostly on the packets/frame level) or some good documentation to improve my understanding on how everything fits together.
Because I'm probably lacking the correct network terminology I made a simple network topology of my network. Don't hesitate to correct any network mistake.
In my scenario, my docker container with the virtual interface `veth2b22c98` and the following ip (10.0.0.8) connects to bridge network `br-b1de95b5ea89`. When I curl `lemmy.ml` from my container, the packets/frames are sent to my enp4s0 and go through my wireguard tunnel to my VPN provider, which sends back the packet/frame/handshake... I probed every interface with tcpdump (enp4s0, wg0, br-b1, veth2b):

- enp4s0: Every packet/frame is encapsulated into the wireguard protocol with my physical interface's IP (192.168.1.30) and no DNS is visible on that interface (as expected), and it is sent out to my ISP's public IP.
- wg0: Shows every packet/frame with the actual protocol with my wireguard interface's IP (192.168.2.1) and the destination IP of lemmy.ml (Dst: 54.36.178.108)
- br-b1: Shows every packet/frame with the actual protocol with my container's IP (10.0.0.8) and the destination IP of lemmy.ml (Dst: 54.36.178.108)
---
I know there is a mix of 2 different concepts in my scenario (wireguard tunnel and virtual networking) but I really do not understand how the frame gets back to my docker container. When I look at the frames on wg0, there is no mention of either the MacAddress of my container or the actual IP of my container.
How/when/what exactly is happening to my frame so that it gets to the correct target between my physical interface, virtual interface and bridge? I mean with VLANs there's a VLAN tag on the frame, so you can easily identify with Wireshark where it should go. But here, I cannot find any clue who or what is doing the magic so the frame finds its way back to my docker container.
What is encapsulated into the frame that makes everyone understand: "OHHH that's for 10.0.0.8, your docker container on bridge network br-b1de on the veth2b interface !!! "
Sorry for my broken English and lack of networking terminology and thank you for those who beared with me and are willing the give me some hints/proper networking lesson.
---
Edit: Changed something on my network diagram (wireguard is not in a container it's bare bone on the server) and some typo.
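The "magic" the post asks about is not in the frame at all: Docker installs an iptables MASQUERADE rule for the bridge subnet, so the host's connection tracker rewrites the container's source address to the wg0 address on the way out and reverses it on the reply, after which ordinary routing, ARP and the bridge's forwarding database pick the veth. The following is an added toy model of that path, not code from the post or from Docker; the IPs and interface names are the post's, while the container MAC address and TCP ports are constructed.

```python
import ipaddress

# Addresses and interface names are the ones the post reports; the MAC
# address and TCP ports are constructed for the example.
CONTAINER_IP, WG_IP, LEMMY_IP = "10.0.0.8", "192.168.2.1", "54.36.178.108"
CONTAINER_MAC = "02:42:0a:00:00:08"
NEIGH = {CONTAINER_IP: CONTAINER_MAC}       # host ARP cache for br-b1de95b5ea89
FDB = {CONTAINER_MAC: "veth2b22c98"}        # bridge forwarding database: MAC -> port


class Conntrack:
    """Toy model of nf_conntrack plus Docker's MASQUERADE rule for 10.0.0.0/24."""

    def __init__(self, egress_ip):
        self.egress_ip = egress_ip
        self.flows = {}     # original 5-tuple -> source port used on the outside
        self.replies = {}   # expected reply 5-tuple -> original 5-tuple

    def snat(self, pkt):
        """POSTROUTING when leaving via wg0: container source becomes the wg0 address."""
        orig = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if orig not in self.flows:
            port = pkt["sport"]
            while port in self.flows.values():   # another container already uses it
                port += 1
            self.flows[orig] = port
            self.replies[(pkt["proto"], pkt["dst"], pkt["dport"], self.egress_ip, port)] = orig
        return {**pkt, "src": self.egress_ip, "sport": self.flows[orig]}

    def unsnat(self, pkt):
        """PREROUTING on wg0 for a reply: look up the flow and restore the container dst."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        orig = self.replies.get(key)
        if orig is None:
            return None   # no tracked flow: nothing to translate, it stays addressed to the host
        return {**pkt, "dst": orig[1], "dport": orig[2]}


def deliver(pkt):
    """Routing plus L2 delivery after un-NAT: 10.0.0.0/24 is a connected route on the bridge."""
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network("10.0.0.0/24"):
        return ("host", None, None)
    mac = NEIGH[pkt["dst"]]                     # ARP resolves the IP to the container MAC
    return ("br-b1de95b5ea89", mac, FDB[mac])   # the bridge forwards that MAC out its veth


def round_trip(ct, src_ip=CONTAINER_IP, sport=40000):
    """curl from the container: outbound SNAT, then the reply un-NATted and delivered."""
    out = ct.snat({"proto": "tcp", "src": src_ip, "sport": sport, "dst": LEMMY_IP, "dport": 443})
    reply = {"proto": "tcp", "src": LEMMY_IP, "sport": 443, "dst": out["src"], "dport": out["sport"]}
    back = ct.unsnat(reply)
    return out, back, deliver(back)
```

This is why tcpdump on wg0 only ever shows 192.168.2.1: the translation happens in the host's conntrack table, which you can inspect with `conntrack -L` and `iptables -t nat -L POSTROUTING`, rather than in any header on the wire.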
- I think my home network may be compromised, please advise
When I go to iknowwhatyoudownload.com, a bunch of stuff shows up for my IP that’s definitely not being downloaded by anyone in my house (foreign language torrents). Aside from that my router (AT&T Arris BGW210) needs to be restarted about once a week, due to some kind of dhcp issue. The most recent event seemed bad - none of my devices had internet, they could all talk to each other, and my ONT activity light was flickering steadily. During this time I had no access to the router, even plugged in directly to LAN. Fixed by a restart but no idea what was going on.
The DHT torrent thing has been happening for months and the router thing could just be that AT&T sucks. I have no other evidence that something is wrong.
I could buy a firewall and put it downstream of the AT&T equipment.
I could switch internet providers, get a new IP address and router, and see if that fixes it.
Should I try to figure out what’s going on or just keep restarting the router once a week and ignore the DHT hits from my static IP?
- Advice regarding poor download speeds within LAN
So I am trying to track down what is possibly slowing down my download connection from my Debian server to my devices (streaming box, laptop, other servers, etc).
First let me go over my network infrastructure: OPNsense Firewall (Intel C3558R) <-10gb SFP+ DAC-> Managed Switch <-2.5gb RJ45-> Clients, 2.5gb AX Access Point, and Debian Server (Intel N100).
Under a 5 minute stress test between my laptop (2.5gb adapter plugged into switch) and the Debian Server (2.5gb Intel I226-V NIC), I get the full bandwidth when uploading, however when downloading it tops out around 300-400mbps. The download speed does not fare any better when connecting to the AX access point, with upload dropping to around 500mbps. File transfers between the server and my laptop are also approximately 300mbps. And yes, I manually disabled the wifi card when testing over ethernet. Speed tests to outside servers reflect approximately 800/20mbps (on an 800mbps plan).
Fearing that the traffic may be running through OPNsense and that my firewall was struggling to handle the traffic, I disconnected the DAC cable and reran the test just through the switch. No change in results.
Identified speeds per device:
- Server: 2500 Mb/s
- Laptop: 2500Base-T
- Switch: 2,500Mbps
- Firewall: 10Gbase-Twinax
Operating Systems per device:
- Server: Debian Bookworm
- Laptop: macOS Sonoma (works well for my use case)
- Switch: some sort of embedded software
- Firewall: OPNsense 24.1.4-amd64
Network Interface per device:
- Server: Intel I226-V
- Laptop: UGreen Type C to 2.5gb Adapter
- Switch: RTL8224-CG
- Firewall: Intel X553
edit: Forgot to add that the OpenSpeedTest is being hosted in Docker by my local server.
- Create a Public Hotspot from my router, that handles auto time out when their session is done, etc?
Hi there,
I find myself in remote areas regularly, and I have internet, when nobody else does.
I'm happy to share this internet with people, but I want a time restriction on them, and throttle their speeds etc, so that they don't smash my internet / data allowance.
I'm looking for a really easy system where they can just sign into a portal, it gives them a certain amount of time based on my settings, then kicks them off again.
I'm using a GLiNet AX1800 if that makes any difference? Also, all of my machines run different versions / distros of Linux.
I'd really appreciate any feedback, or guidance on this.
Thanks so much
- Question regarding the routing table
Let's say I have a Linux VM. Default route is the gateway to the top of rack switch for public internet and a public IP is bound on one virtual nic.
2nd interface is on a private network so the VM can be reached anywhere on the VPN. This is a management network where the gateway is on the other side of the data center.
A lot of stuff sits on the 10.0.0.0/8 that needs to reach this vm so a static route for the second interface points that /8 to that gateway on say 10.100.100.1
Now inside the same cabinet are devices sitting on 10.20.20.0/24.
If I didn't do anything, would hitting something on say 10.20.20.2 route traffic through gateway outside of the cab and back? I would think so as it sees the routing table and has no way of knowing.
If I want to optimize traffic so nothing is routed and traffic stays local to the cab, could I just add a third nic and give it an IP of say 10.20.20.3 and hitting .2 would arp / hit it directly through the switch in the cab?
- Review request: home network setup
I'm going to be overhauling my network over the next few months as I get ready for my new municipal fiber installation. I have a general idea of how to set things up, but I'm not an expert and would appreciate a few extra pairs of eyes in case I'm missing something obvious.
Hardware available:
- Mikrotik Routerboard - 5 ports
- Ubiquiti AP - AC-Lite; plan to add U6+ or U6 Lite once I get faster service
- some dumb switches
Devices (by logical category; VLANs?):
- main - computers and phones (Wi-Fi for now, I plan to run cable)
- media - TVs, gaming consoles, etc
- DMZ - wired security cameras, Wi-Fi printer (2.4GHz wireless g only)
- guest - guests, kids computers
Goals:
- main - outgoing traffic goes through a VPN
- media - outgoing traffic limited to certain trusted sites; probably no VPN
- untrusted - cannot access internet, can be accessed from main
- guest - can only access internet, potentially through a separate VPN from main
Special devices:
- NAS (Linux box) - can access main, media, and DMZ
- printer - accessible from main, rest of devices on untrusted don't need to be (I can tunnel through the NAS if needed); can potentially configure a CUPS server on the NAS to route print jobs if needed
Plan:
Router ports:
- Internet
- WiFi APs
- main VLAN
- untrusted (VLAN)
- unused (or maybe media VLAN)
WiFi SSIDs (currently have 2.4GHz and 5GHz SSIDs):
- main VLAN
- guest VLAN
- untrusted - hidden SSID (mostly for printer) - 2.4GHz only
If the VPN causes issues, I would like the ability to move individual MACs to another VLAN (say, to media, or a separate, usually unused backup VLAN). Not required, just a backup plan in case the VPN causes issues.
This is my first time configuring VLANs, so I'm not really sure what my options are. Also, I'm not super familiar with Mikrotik routers (I'm not a sysadmin or anything, just a hobbyist), I just got fed up with crappy consumer hardware and wanted something a bit more reliable.
Does that sound like a reasonable plan? Is there something I could improve or suggestions you have?
Edit: DMZ is the wrong term, so I replaced it with "untrusted". By that I meant a local-only network, so no Internet access. Ideally I could access these devices from my main network, but they can't initiate connections outside their VLAN. However, that's not necessary, since I can tunnel through my NAS if needed.
- I'm interested to hear possible reasons a public Wi-Fi network at a state building might block specifically lemmy.ml and not other instances.
I don't need help, it's just too implausible for me not to be curious.
Aside, it's been fascinating anonymously watching this network evolve over the past decade as a citizen-user who has business in the building. I've been battling with the faceless network admins trying to find ways to access my home lab year-after-year.
First they blocked my personal domain because I tried to reach vpn.mydomain.com. Then I couldn't use OpenVPN at all (or I was too green at the time to bypass). Next, Wireguard worked for a while until it didn't. Now tailscale is working but I'm forced to use the slow DERP servers to reach home. I might try Headscale with a different personal domain next.
My next project is a little more radical - hiding an old pi 3B on the network as an exit node on that network. Then I can use the state-owned IP instead of my home one when websites are dicks about third-party VPN IPs.
- Requesting a sanity check...help untangle my home network as I expand into more advanced networking?
Hey there, I've been on a networking journey that has, over a few years, taken me from simple unmanaged networking, to managed networking, to advanced VLAN management. It's all been self taught, but mostly successful. However, I've gotten myself into a bit of a pickle and I'm hitting a wall in troubleshooting. Apologies for the length of the post, however I want to provide as much detail as possible.
High level, I have several /16 vlans for things. VLAN 99 is networking, 2, is servers, 4 is clients, 6 is wireguard clients, and there are some others. They're all 10.99.0.0/16 with a gateway at 10.99.1.254, etc.
I have had a very old Netgear Layer3 switch for some time. I've replaced it with a Brocade ICX6610, mostly so I can move my storage infrastructure to 10G fiber (I have a small hypervisor cluster). I had done a ton of preparatory work to configure the new L3 switch so that it could just be dropped in place of the old one; this was MOSTLY successful...
...However, in doing that I broke the connection to my opnsense firewall and sort of had to redo that piece from scratch. During my planning, I didn't realize some of the config changes I'd made would require changes on the firewall, and after the cut over I was locked out of the firewall. This is all my fault; that's the piece of this I understand the least, and I had followed dodgy guides when getting it to initially work. I have a backup in xml format, but even having that I'm realizing what I had been doing didn't make sense. Previously, I had a firewall interface on all of my vlans and the trunk going to it was carrying all the VLANS. Now, I set this up with only 2 vlans going to the firewall, the networking vlan and the wireguard vlan, as it seems to make more sense with my understanding of how Layer 3 routing works. All routing should happen on the Brocade L3 switch. The firewall itself has 4 physical ports, 1 going to my comcast gateway, and 2 in an LACP lagg going to my L3 switch. (I have a single interface right now going to the L3 switch separately for troubleshooting, removing the LACP lag as a complexity source).
So, in recovering this, I had to get into the firewall at the console and re-define the interfaces and IP's. I got this to work, but at this point I had tons of connection problems which I didn't understand fully. I have found some of opnsense's configuration to be a bit obfuscating, which I think is making my learning more difficult. The following were put in place:
- The "LAN" interface was given a static 10.99.1.40/16 IP, and an upstream gateway was defined at 10.99.1.254.
- The "WAN" interface was given DHCP, and is up and works
Once I recovered the connection to the web interface I had to make the following changes:
- Under the "Firewall" sidebar, under "Aliases", I defined each of my VLANS/Subnets with a CIDR notation and a name.
- Under the "Firewall" sidebar, under "NAT" and then under "Outbound" I switched the mode to "hybrid" and added a rule for each of my vlans on the "LAN" interface, with the "Source" being the aliases defined above, and the target (NAT Address) being the "WAN address"
- Under the "Firewall" sidebar, under "NAT" and then under "Port Forward" I added some port forward rules.
- While it's outside the scope of my immediate troubleshooting, I had a working WireGuard setup. I have an interface defined for it on that VLAN, and a second gateway defined at 10.6.1.254. It's all set up according to the opnsense documentation, and I can connect from the WAN and can access any resources on the LAN.
So onto the problem...I can access the internet from almost all of my LAN clients. I can access LAN clients via the port forward rules from the WAN. The firewall itself CANNOT access the WAN; for example, I can't check for updates. I can access the firewall web interface from anywhere on the LAN, I can ssh to the firewall from anywhere on the LAN, but once I'm ssh'd in, I can't ping back to the client I'm connecting from. The firewall CAN ping things like 8.8.8.8, but as my DNS resolver is on the LAN, DNS queries from the firewall fail. I believe in a related note, my WireGuard clients can access anything on the LAN, but cannot connect to anything on the WAN.
I believe this has to do with outbound routes from the firewall, but any time I mess with it I end up locking myself out and having to reset interfaces from the console. I tried defining some static routes in "System" -> "Routes" -> "Configuration" but that isn't working. I'm kind of stumped and have been looking at it so long that I don't think more reading and configuring is going to help me anymore. I'll post some screenshots of rules and routes as well (you'll be able to see various things enabled/disabled for experimentation), but I'm kind of in over my head and need some help.
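Both the cabinet question above ("Question regarding the routing table") and the firewall-originated traffic in this OPNsense post come down to the same longest-prefix-match lookup the kernel performs per packet. The following is an added example, not code from either post or from OPNsense: a toy routing table loaded with the prefixes the posts describe, where the public gateway addresses and the 10.4.1.10 client address are constructed.

```python
import ipaddress


class RoutingTable:
    """Toy kernel FIB: longest matching prefix wins; via=None means on-link (ARP directly)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, via, dev):
        self.routes.append((ipaddress.ip_network(prefix), via, dev))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, via, dev in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, dev)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return {"prefix": str(best[0]), "via": best[1], "dev": best[2]}


def cabinet_vm(third_nic):
    """The VM from the routing-table question; the public-side addresses are constructed."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "203.0.113.1", "eth0")          # default via the top-of-rack switch
    rt.add("203.0.113.0/24", None, "eth0")              # public /24 (constructed)
    rt.add("10.100.100.0/24", None, "eth1")             # management network, on-link
    rt.add("10.0.0.0/8", "10.100.100.1", "eth1")        # static route for the rest of 10/8
    if third_nic:
        rt.add("10.20.20.0/24", None, "eth2")           # connected route from eth2 = 10.20.20.3/24
    return rt.lookup("10.20.20.2")


def opnsense_reply(static_route):
    """The firewall from the OPNsense post: LAN 10.99.1.40/16 plus a default route on WAN.
    10.4.1.10 is a constructed address on the clients VLAN (10.4.0.0/16)."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "198.51.100.1", "wan")          # ISP gateway (constructed)
    rt.add("10.99.0.0/16", None, "lan")                 # connected: the networking VLAN
    if static_route:
        rt.add("10.0.0.0/8", "10.99.1.254", "lan")      # hand the other VLANs to the L3 switch
    return rt.lookup("10.4.1.10")
```

Without the connected /24, the cabinet VM sends 10.20.20.2 to 10.100.100.1 because /8 is the longest match; with a third NIC the /24 wins and the VM ARPs for .2 directly. Likewise, a firewall whose only LAN route is the connected /16 sends its own packets for 10.4.x.x out the default route, which is what a 10.0.0.0/8 static route via 10.99.1.254 changes.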
- Bridge WiFi to Switch for other devices to connect to?
Hiya, I've got a desktop (connected to wifi), and a server (without a networking card), and I do not have access to Ethernet or the router. However, I do have a networking switch, and was wondering if I could bridge the WiFi from my desktop (Nobara) to the switch, and have my other devices such as Raspberry Pi and my main server connect to that. If that's possible please let me know how, or point me to some resources. I believe I have to touch iptables in this case, but have never tweaked those before.
This is a very temporary solution for not having access to a router. But gotta live like this for 5 months, so gotta find a solution to get WiFi on my server, as cheap as possible.
- ISP Router change in my HomeLab
cross-posted from: https://lemmy.world/post/12521221
> Dear all, I have some questions for what I'm about to do with my HomeLab.
> I recently upgraded my connection to a 1000/1000 and the ISP sent me this shit ass router (Fastweb Nexxt) which is very locked down.
> I want to change it.
>
> Today this Fastweb Nexxt is not doing DHCP because I'm running a VM with OPNSense on it from which I manage IP reservation etc.
>
> The fiber connection comes to my house and it's connected to a small box, an ONT from ZTE. Then an ethernet cable goes to the wan port of the Fastweb Nexxt and then LAN to my server where the OPNSense VM is hosted.
>
> Now, I'm open to solutions, the goal is to remove the Fastweb Nexxt.
>
> The "Cheap" idea would be to use a USBC to Ethernet cable so as to add a second Ethernet card to my server and connect the ZTE device to it. I would then assign in OPNSense this cable as WAN and leave the existing card as LAN for the switch. I'm quite sure I would need as well to clone the MAC address of the Fastweb Nexxt device and assign this MAC to the wan of my OPNSense, right?
>
> I'm open to any kind of suggestion, even something like "this is the best home-router for 100€"
- VPN vs Proxy for speed?
Hiya, quickly wondering if there is a big difference between speeds when using a vpn compared to using a proxy server solution? Anyone got any experience here or good articles to refer to?
Thanks 🌻
- VyOS 1.4.0 LTS release (EPA)
blog.vyos.io: VyOS 1.4.0 (Sagitta) LTS release, based on Debian 12, bringing the redesigned firewall, IKEv2 road warrior VPN, new PKI CLI, and many more improvements to the new LTS branch.
VyOS 1.4.0 is finally here as a full LTS release (although it's early production access).
So many great features are highlighted in the post. I've been using 1.4 images for quite some time, with great success, in my labs. Looking forward to using this one more.
Congrats to the VyOS team.