networking

2803 readers
5 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 1 year ago
MODERATORS
1
 
 

cross-posted from: https://lemmy.world/post/21641378

So I just added a TP-Link switch (TL-SG3428X) and access point (EAP670) to my network, using OPNSense for routing, and was previously using a TP-Link SX-3008F switch as an aggregate (which I no longer need). I’m still within the return window for the new switch and access point, and have to admit the sale prices were my main reason with going for these items. I understand there have been recent articles mentioning TP-Link and security risks, so I’m thinking if I should consider returning these, and upping my budget to go for ubiquity? The AP would only be like $30 more for an equivalent, so that’s negligible, but a switch that meets my needs is about 1.6x more, however still only has 2 SFP+ ports, while I need 3 at absolute minimum.

I’m generally happy with the performance, however there is a really annoying bug where if I reboot a device, the switch drops down to 1G speed instead of 10G, and I have to tinker with the settings or reboot the switch to get 10G working again. This is true for the OPNSense uplink, my NAS and workstation. Same thing happened with the 3008F, and support threads on the forums have not been helpful.

In any case, any opinions of switching to ubiquity would be worth it?

2
 
 

I have a server with wireguard in a container with host networking. I want to assign an ipv6 subnet for each peer (eg: fd42:413d:a91f:dd37::/64) that the client (my laptop) can freely use all the addresses in that subnet and corresponding port ranges as a separate network interface. Meanwhile on the server, that exact same ip and port is routed to that specific client but through the tunnel.

Here's an example:

  1. Server config

    [Interface]
    Address = fd42::1/128
    ListenPort = 51820
    PrivateKey = <key>
    
    [Peer]
    PublicKey = <key>
    AllowedIPs = fd42:413d:a91f:dd37::/64
    
  2. Client config

    [Interface]
    PrivateKey = <key>
    Address = fd42:413d:a91f:dd37::1/64
    
    [Peer]
    PublicKey = <key>
    Endpoint = server.local:51820
    AllowedIPs = fd42:413d::/32, fd42:413d:a91f:dd37::/64
    
  3. Run a server on the client

    python -m http.server 8080 --bind fd42:413d:a91f:dd37::1 -d dist
    
  4. Access on the server

    curl -svL http://[fd42:413d:a91f:dd37::1]:8080/
    

I can't get step 4 to work. It's also entirely possible that my lack of knowledge in networking is making me think this is even possible in the first place. Any help is appreciated!

3
 
 

It also connects to discord, supposed to be blocked since more than a week. No other device or browser I have connects to YouTube, they all get ERR_SOCKET_NOT_CONNECTED, and only a fresh Vivaldi profile on the same pc also connects to Discord, everything else get ERR_CONNECTION_RESET.

I've tried disabling all extensions, it still connects. Checked its IP address and DNS server and they're the same as other devices/browsers. Any idea what could be going on?

24m edit: Discord just started working on some other chromium browsers including on another device.

80m edit: Another chromium browser just also connected. After deleting browser data it stopped

edit 3: found that if I add this to the servers section of a Network Persistent State file associated with a chromium browser profile (while the browser is closed), it can connect to youtube. Can't explain why. (anonymization says https://www.youtube.com + some number that doesn't matter in the beginning in base64):
{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13376788973168704","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABMAAABodHRwczovL3lvdXR1YmUuY29tAA==",false],"server":"https://www.youtube.com","supports_spdy":true}

Edit 4: The block is gone

4
 
 

I have an ASUS N66U

I have configured the WAN interface to use a VPN Client to connect to a 3rd party VPN Server, so that all NAT LAN connected device traffic is routed through the 3rd party VPN server.

But if the 3rd party VPN server goes down, or the connection is otherwise lost or broken, the Asus N66U will route directly from the WAN connection using e.g. my ISP.

How can I stop my Asus N66U from routing any traffic on the WAN port if the VPN connection is down?

5
 
 

Hi,

I would like to create a LAN where each node need to authenticate before gaining access to the LAN.

and secondly be able to monitor the data consumption of each node and even limit the speed for a node when exceeded.

I'm looking for something FLOSS. For example a single-board computer with a gnu/Linux etc...

Maybe some distribution or solution already exist for this ?

Thanks.

6
 
 

Greetings all!

I have been working on getting a new network setup. The current test host (A server running OpenSUSE Leap 15.6 w/ Wicked) is able to get routes and obtain an address via DHCP from the router of the network (running OPNSense 24.7.6), but is unable to resolve routes and obtain an address via the local DHCPv6 server. Admittedly, I am not great with IPv6 doubled with the ISP for this network granting a statically-defined /128 address for the router and manually-delegated /64 address blocks.

The OPNSense configuration has a /64 address block assigned as its address space for the LAN interface. The configuration has the ISC DHCPv6 server allocating address range 2602:xxxx:xxxx:xxxx::8888:0 - 2602:xxxx:xxxx:xxxx::8888:ffff. The radvd server is set to managed, set with an automatic source address, set to advertise the default gateway, set to use the dhcpv6 dns configuration, and set with no additional routes advertised.

As noted, the OpenSUSE machine is unable to get any routes beyond link-local via ipv6 nor is it able to automatically be assigned an ipv6 address from the DHCPv6 server. I have done some diagnostics, but have been unable to determine any conclusive issue.

Starting ip route and address checks:

ip -6 addr

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:a4ee/64 scope link proto kernel_ll [OpenSUSE Leap 15.6 Server link-local address]
       valid_lft forever preferred_lft forever

ip -6 route

fe80::/64 dev eth0 proto kernel metric 256 pref medium

The eth0 interface noted is using a standard configuration as provided by Wicked (BOOTPROTO=dhcp, STARTMODE=auto, ZONE=public). Testing dhcpv6 address acquisition by hand results in nothing:

wicked test dhcp6 -m auto eth0

wicked: eth0: Request to acquire DHCPv6 lease with UUID <$uuid-a> in mode auto

However, testing in forced managed mode does get results from the DHCPv6 server:

wicked test dhcp6 -m managed eth0

wicked: eth0: Request to acquire DHCPv6 lease with UUID <$uuid-b> in mode managed
INTERFACE='eth0'
TYPE='dhcp'
FAMILY='ipv6'
UUID='<$uuid-b>'
IPADDR='2602:xxxx:xxxx:xxxx::8888:807/128' [theoretical bound address on LAN]
PREFIXLEN='128'
DNSSERVERS='2602:xxxx:xxxx:xxxx::1' [LAN address of router]
DNSSEARCH='<$domain>'
ACQUIRED='1729020515'
CLIENTID='<$clientid>'
SERVERID='<$serverid>'
SERVERADDR='fe80::xxxx:xxxx:xxxx:a4ee' [OpenSUSE Leap 15.6 Server link-local address]

So unless I am mistaken at this point, this likely means that something is going wrong with the Router Advertisements for the system to not automatically try get assigned an ipv6 address. Checking a router advertisement broadcast to the OpenSUSE server, I am not seeing anything out of the ordinary:

radvdump

#
# radvd configuration generated by radvdump 2.17
# based on Router Advertisement from fe80::xxxx:xxxx:xxxx:4eb4 [router link-local on LAN]
# received by interface eth0
#

interface eth0
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvLinkMTU 1500;
        AdvSourceLLAddress on;

        prefix 2602:xxxx:xxxx:xxxx::/64 [public /64 address block manually delegated as LAN]
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous off;
                AdvRouterAddr off;
        }; # End of prefix definition


        RDNSS 2602:xxxx:xxxx:xxxx::1 [LAN address of router]
        {
                AdvRDNSSLifetime 600;
        }; # End of RDNSS definition


        DNSSL <$domain>
        {
                AdvDNSSLLifetime 600;
        }; # End of DNSSL definition

}; # End of interface definition

sysctl -a | grep eth0.accept_ra

net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.eth0.accept_ra_from_local = 0
net.ipv6.conf.eth0.accept_ra_min_hop_limit = 1
net.ipv6.conf.eth0.accept_ra_mtu = 1
net.ipv6.conf.eth0.accept_ra_pinfo = 1
net.ipv6.conf.eth0.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.eth0.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.eth0.accept_ra_rtr_pref = 1

Am I missing something with why Wicked doesn't actually get a proper route to the LAN nor an address via IPv6?

To recap: IPv4 works, this is the only device connected to the network thus far, IPv6 configuration appears (to me at least) correct for the router advertisements and DHCPv6 config.

EDIT:

Found the source of the problem. The OPNSense configuration is in fact correct for what I want to do. The issue is on the OpenSUSE machine. I forgot about a funny little Linux kernel networking quirk regarding ipv6 forwarding. In OpenSUSE, enabling forwarding for IPv6 from the installer keeps net.ipv6.conf.*.accept_ra set to 1. However, setting net.ipv6.conf.*.forwarding to 1 will disable accepting routes from RA, and in my case of expecting automatic IPv6 configuration from DHCPv6 without forcing managed mode on the Linux server.

Unless I feel like bypassing some functionality provided by the router, one needs to set net.ipv6.conf.*.accept_ra to 2 for all affected network interfaces. This enforces accepting routes with forwarding enabled. This in turn for my case also allows for DHCPv6 resolution to function without forcing or bypassing it from the OpenSUSE machine. I can only assume the reason this isn't just default if applied from the installer is that fully-manual static IP addressing is expected rather than wanting to use DHCP reservations for assigning addresses.

So in short:

All is good with the OPNSense configuration. I needed to change the sysctl flag net.ipv6.conf.eth0.accept_ra = 1 to net.ipv6.conf.eth0.accept_ra = 2, in order to forcefully accept RA routes and normal DHCPv6 address assignment on my ethernet interface. This is necessary because I need forwarding over IPv6 for the affected machine.

7
13
Is my proxy setup safe? (discuss.tchncs.de)
submitted 1 month ago by [email protected] to c/networking
 
 

I'm currently working on setting up a proxy on my home computer to bypass my school's blockers, and want to see if I can make any improvements to security. To be clear, I haven't opened this to the internet yet, I'm asking BEFORE doing that.

The setup is thus: I have a squid server running on my linux laptop, which will only allow authenticated users through. It's no longer listening to the default port (3128) and is instead listening to a port in the 10000-20000 range. I would have both my router and modem set to forward that same port, and my laptop's local IP address is static.

This is a consumer internet connection, so Dynamic DNS, but I have a NOIP address ready to connect once I open the ports (already have the client installed and running, just throws an error on the website because it can't get through the port.)

I'll be connecting to my proxy server through the FoxyProxy extension, rather than through the Windows 11 control panel on my school laptop, because I dont have access to that specific part of the control panel.

That's the sum total of the setup I've got thus far. It only needs to be able to support my lone connection, I'm not sharing this around. Any improvements to be made?

8
 
 

cross-posted from: https://programming.dev/post/19441371

cross-posted from: https://programming.dev/post/19441320

cross-posted from: https://programming.dev/post/19441267

I have a 2nd-gen chromecast, it's factory reset. If i plug it in all it tells me is to install the app to start configuring.

I don't have a google account not do i want to install/use google-related stuff on my phone.

My home router doesn't register any new device, which makes sense since the cast doesn't know the SSID/pass of the WiFi.

Does it try to ping some service/port? Multicast perhaps? Where would it get an IP from without authenticating?

My (wired) PC runs gentoo.

How can i get it to work in these conditions?

9
 
 

Hi,

I would like to make some simple network simulations

I've tried to make run few (under Linux or Windows)

  • Kathara
  • GNS3
  • EVE-NG (3.1 GB ! to download )
  • omnetpp
  • ns-3
  • Cisco Packet Tracer (Not FLOSS, if I'm not mistaken )

The only one that I managed to install, run and use (set some nodes) was sadly the Cisco Packet Tracer ...

They other have their install process way to much complex or with such layer of dependency or more simply they way the works is too complex (running side VM for each nodes etc..) make it challenging to installing.

Do youn know a FLOSS Network Simulator , this is easy to install ?

Thanks.

10
 
 

I'm moving into a new apt and the ISP is trying to rent a router at $20/mo, so I'd like to get my own router.

I'm considering setting up opnsense for the router & TP link Omega for the AP & Switch.

But this feels a bit overkill for an apt. Should I just get a all in one router instead? What are the pros and cons?

11
 
 

cross-posted from: https://lemmy.dbzer0.com/post/26553762

How can I use my VPNs port forwarding feature while also disabling global routing by adding “route-nopull” in the OpenVPN config? Using hide.me vpn

I found a relevant post, but the links to the anwsers don't work anymore: https://forum.netgate.com/topic/127557/openvpn-client-port-forwarding-route-nopull-issue

12
 
 

Didn't know where else to post this but figured I would just leave it here. Hopefully I can get some kind of job with this.

13
 
 

"Train operator SNCF's chief executive, Jean-Pierre Farandou, said the attackers had started fires in "conduits carrying multiple (fibre-optic) cables" that carried "safety information for drivers" or control the motors for points."

Seems this attack is becoming more common place. Used to just be the occasional tractor or digger damaging fibre but now it's seems to be intentional.

https://www.abc.net.au/news/2024-07-26/vic-teens-charged-over-politically-motivated-graffiti-josh-burns/104147956

14
 
 

In Belgium, we are forced by law to use Cca data cables because of "lower fire risk" while I hear literally everywhere that CCA data cables have a much higher fire risk.

Everything here has to comply with the euroclass chart level cca or higher which is confusing because they seem to be combustibility(ca) ABCDEF rating. Making the minimum required in Belgium (and the most prevalent) Cca.

I think for example that getting this for PoE (sorry, in Dutch) would be fine because it does say that it is pure copper, but it also says that it is CCA which is confusing.

Not really a question or anything, just very confusing considering Cca and Eca are the 2 cable types used for residential homes which happen to correspond also to Copper clad aluminum and Enhanced Circuit Integrity. Adds extra probably completely unnecessary stress.

15
 
 

If you have an outdoor Ethernet port—in my case with a WiFi AP connected—how can you go about protecting your network from somebody jacking in?

Is there a way to bind that port to only an approved device? I figured a firewall rule to only allow traffic to and from the WiFi AP IP address, but would that also prevent traffic from reaching any wireless clients connected to the AP?

Edit: For more context, my router is a Ubiquiti UDM and the AP is also Unifi AP

16
 
 

I haven't really done home networking since Windows XP / gnome only Ubuntu days, so rusty is an understatement.

Currently due to the layout of my apartment, I have my main PC in a bedroom connected to a gli.net Velica router, such then connects to the wall, which then connects to a TP-Link Switch (1), which is connected to the internet.

In the living room, where I want to stream to a Raspberry Pi that has Android TV (lineage os), I have the Pi and 2 Nintendo Switches connected to another TP-Link switch (2), which is then connected to another gli.net router, which connects to the wall and then to TP-Link switch (1) which is connected to internet.

How do I set up a local LAN network so that my computer can then stream to the Pi via Steam Link, Moonlight, Sunshine, or any other recommended option?

Layout

Bedroom

 • Wall connection (port 3)
 |
 ∆ Velica Router 2
 |
 § PC

Living Room

 • Wall connection (port 1)
 |
 ∆ Velica Router 1
 |
 × TP Link Switch 2
 |.               |.      |. 
π              ™ Nintendo Switch 1&2

Electrical Box

  • Port 1, Port 3
  |
  × TP Link Switch 1
  |
 🌐 Internet 
17
 
 

Hi, i have this weird issue where both my IVPN and my AirVPN connection works only if i do the following:

Disabile WiFi Connect to LTE and open either IVPN or AirVPN Connect to wireguard protocol Enable WiFi and Connect to it Disabile LTE

Now it works

If i try to connect to wireguard protocol from WiFi directly (corporate WiFi) it doesnt work

Any idea why?

If i Connect from my home WiFi it works normally

Thanks

18
 
 

Hi all, I've got an issue in my company that it's now some months that is happening to many windows users.

Basically the user change the windows password due to a policy that require every 3 months to change it (I know not ideal, but still) , the user then works fine under wifi for 1-4 hours and then he gets kicked out from the network.

The network is a visible SSID with WPA2-Enterprise security (AES ecncryption) and the authentication method is PEAP using the saved login information (from AD).

Here some test I did for troubleshooting:

1st Test: Normal password change from windows: ctrl alt canc, change pw: All good, no disconnection at all -> user is good to work

2nd Test: We force-reset a new password on the PC -> The users stays connected to wifi even after 15 minutes from the reset, this means that the wireless network kept an "old token" as valid even tho the windows password changed. We manually disconnect from the network (turn off wifi) and reconnect -> doesn't work We reboot the PC which still logs in with the OLD password -> We try to connect to wifi (without using the new pw) -> KO We connect ethernet cable, we receive the message that the domain has a different pw than the PC -> lock PC -> Unlock with new password -> Wifi still doesn't work -> Reboot, login to pc with new Password -> wireless works

NOTE: We suspect that this "old token" is not renewed for a while sometimes, that's why the user, even with an old pw, can still connect and work normally.

19
 
 

I've been looking to implement DoH

  1. The first idea was to simply follow this - I do not understand the configuration fully but it looked fine.
  2. Then, I decided to use a proxy/Load balancer in front of BIND to deal with HTTPS.

However, I came across PROXYv2 (which is not even mentioned in the docs, just in a blog post) and the likes of DNSdist.

My questions:

  1. I can't find a detailed explanation of what I need to do about PROXYv2 - does my Reverse-proxy absolutely need to have it to be able to communicate with my DNS server?
  2. Why can't I just have any reverse-proxy that can handle HTTPS and put it in front of my DNS resolver? Does my proxy need to have a specific protocol to be able to talk DNS queries?

I am still confused, would really appreciate some help :)

20
12
submitted 4 months ago* (last edited 2 months ago) by [email protected] to c/networking
 
 

I have recently upgraded my router from a nearly 7 year old consumer "gaming" router to a Mikrotik RB960PGS router.

So far I have been able to:

  • Remove all configurations
  • Set a long admin password
  • Create a bridge
  • Setup DHCP server
  • Set up NAT
  • Set up Spark NZ fibre connection
  • Update to latest stable firmware (7.15.2)
  • Set up basic IPv4 & IPv6 firewalls
  • Setup NTP & disable cloud/update time
  • Set DNS to my Pi-hole
  • Disabled the following IP services API, API-SSL, FTP, SSH, Telnet, & WWW-SSL
  • Turned off "detect internet"
  • Turned off "use peer dns" so all DNS goes through the Pi-Hole instead of the ISP's DNS servers.

Is there any other "gotcha's" or things that I should be setting up?

21
148
submitted 4 months ago* (last edited 4 months ago) by [email protected] to c/networking
 
 

Yesterday around noon, the internet at my company started acting up. No matter, slowdowns happen and there's roadwork going on outside: maybe they hit the fiber or something. So we waited.

Then our Samba servers started getting flaky. And the database too. Uh oh... That's different.

We started investigating. Some machines were dropping ICMP packets like crazy, then recovered, then other machines started to become unpingable too. I fired up Wireshark and discovered an absolute flood of IGMP packets on all the trunks, mostly broadcast from Windows machine. It was so bad two Linux machines on the same switch couldn't ping each other reliably if the switch was connected to the intranet.

So we suspected a DDOS attack initiated from within the intranet by an outside attacker. We cut off the internet, but the storm of packets kept on coming. Physically disconnecting machines from the intranet one by one didn't do a thing either.

Eventually, we started disconnecting each trunk one by one from the main router until we disconnected one and all the activity lights immediately stopped on all the ports. We reconnected it and the crazy traffic resumed.

So we went to that trunk's subrouter and did the same thing. When we found the cable that stopped all the traffic, we followed it and finally found one lonely $10 ethernet switch with... a cable with both ends plugged into the switch. We disconnected the cable and everything instantly returned to normal.

One measly cable brought the entire company to a standstill for hours! Because half of the software we have to use are cloud crap or need to call their particular motherships to activate their licenses, many people couldn't work anymore for no good technical reason at all while we investigated the networking issue.

Anyway, I thought switches had protections against that sort of loopback connection, and routers prevented circular routes. But there's theory and there's reality. Crazy!

22
 
 

One of my local ISP offers 10Gbps broadband for cheap. What is the cheapest router setup one can get with a 10Gpbs wan and lan port? WiFi and switching hardware is optional.

23
 
 

Given there's been a bit of talk about IPv6 around here recently, I gave it a really good shot at implementing this past week. I spent 3 days getting up to speed, reading loads and trying various different things. But I am now back to IPv4 only because I just can't get IPv6 to do what I want and no amount of searching has made me think what I want to do is even possible.

Some background about the IPv4 network I run at home: I run opnsense on a Proxmox server. I have a few services publicly available using port forwarding. I run several VLANs for IoT, VoIP, Cameras etc. I use a bunch of firewall rules that are specific client devices on the network. So for example I have a rule that blocks youtube from the kids tablets and the TV. I have a special rule around DNS for the wife as she doesn't want to use the pihole blocking features. These rules are made possible because the DHCP server is set to give them a fixed IP and I can create a firewall alias and rule based on that.

None of these things on my existing network are particularly difficult to configure, they run really well.

What I want from IPv6 is:

  1. All devices to use IPv6 including android devices.
  2. To have the same firewall rules configured and not have them be easily bypassed.
  3. To use privacy addresses as I don't want to make every device uniquely trackable over the internet.
  4. To be able to cope with changes to the ISP provided /48 prefix seamlessly.
  5. Have internal DNS make accessing intranet devices easy.
  6. To ensure the privacy of individual devices on my network by avoiding individual device tracking.

What I've tried:

  1. Using DHCPv6, but this excludes android devices. So that's out.
  2. Using a NAT (to avoid tracking of individual devices) and fd00/8 addresses, but this is pointless as those addresses are lower priority than IPv4 (FFS!)
  3. SLACC just seems a non-starter.

Additional: I don't think I have a problem with "thinking about it all wrong for IPv6". I may have a skill issue, hence this question.

As far as I can tell to achieve requirement 1) you must use SLAAC. SLAAC without privacy extensions doesn't allow for 6).

Changes to external ISP prefix assignment impacts MY INTERNAL NETWORK (this just seems insane). And as far as I can tell there's no easy way around this, especially if I have static addresses configured for servers which would (if using SLAAC) have to be manually configured.

I can't see how DNS would be updated either, either Unbound running on Opnsense, or to the pihole. If I go for SLAAC with privacy extensions and I keep paying for a static IP (v4 & v6) to my ISP then I can't implement any firewall rules for specific devices as devices will change their IP regularly. And its even worse if I don't pay for a static IPv6 prefix.

I don't think anything I'm trying to do is particularly strange or unusual but 26 years after its introduction I don't see that IPv6 can meet these requirements. And one of the leading firewall routers, especially in the homelab doesn't have answers to these questions either.

Can you suggest a way to meet all 6 requirements I have with IPv6?

24
 
 

Basically, I’m running Tailscale on most of my devices and using subnet routing on a Raspberry Pi for non-Tailscale devices.

My problem is that while using an exit node streaming video from cameras in the iOS/macos Home apps is entirely too slow. I can see from App Privacy Report that it attempts to connect to my home network’s WAN address, so I’ve set up subnet routing to bring in any traffic to any of ISP’s networks through the Raspberry Pi at home (this also makes it possible to use said ISP’s streaming app on Apple TV as if I were at home).

I know that Home doesn’t connect to the cameras locally at all, because I can tear down all the Tailscale stuff and not see any traffic between the client and the camera on the LAN.

Has anyone have a clue how to go about configuring this? Thanks in advance!

25
 
 

I mean on a technical level. Are the devices that make up the infrastructure of the internet hardwired with IPv4? Is the firmware on these devices impossible to upgrade remotely?

If it's just a matter of software or firmware then adoption should only take like a year but clearly that isn't the case. So what specifically is stopping us?

view more: next ›