networking


Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 1 year ago
submitted 5 months ago* (last edited 5 months ago) by sugar_in_your_tea@sh.itjust.works to c/networking@sh.itjust.works

I'm going to be overhauling my network over the next few months as I get ready for my new municipal fiber installation. I have a general idea of how to set things up, but I'm not an expert and would appreciate a few extra pairs of eyes in case I'm missing something obvious.

Hardware available:

  • MikroTik RouterBoard - 5 ports
  • Ubiquiti AP - AC-Lite; plan to add U6+ or U6 Lite once I get faster service
  • some dumb switches

Devices (by logical category; VLANs?):

  • main - computers and phones (Wi-Fi for now, I plan to run cable)
  • media - TVs, gaming consoles, etc
  • DMZ - wired security cameras, Wi-Fi printer (2.4 GHz wireless g only)
  • guest - guests, kids computers

Goals:

  • main - outgoing traffic goes through a VPN
  • media - outgoing traffic limited to certain trusted sites; probably no VPN
  • untrusted - cannot access internet, can be accessed from main
  • guest - can only access internet, potentially through a separate VPN from main

Special devices:

  • NAS (Linux box) - can access main, media, and DMZ
  • printer - accessible from main, rest of devices on untrusted don't need to be (I can tunnel through the NAS if needed); can potentially configure a CUPS server on the NAS to route print jobs if needed

Plan:

Router ports:

  1. Internet
  2. WiFi APs
  3. main VLAN
  4. untrusted (VLAN)
  5. unused (or maybe media VLAN)

WiFi SSIDs (currently have 2.4 GHz and 5 GHz SSIDs):

  1. main VLAN
  2. guest VLAN
  3. untrusted - hidden SSID (mostly for printer) - 2.4 GHz only

If the VPN causes issues, I would like the ability to move individual MACs to another VLAN (say, to media, or a separate, usually unused backup VLAN). Not required, just a backup plan in case the VPN causes issues.

This is my first time configuring VLANs, so I'm not really sure what my options are. Also, I'm not super familiar with Mikrotik routers (I'm not a sysadmin or anything, just a hobbyist), I just got fed up with crappy consumer hardware and wanted something a bit more reliable.

Does that sound like a reasonable plan? Is there something I could improve or suggestions you have?

Edit: DMZ is the wrong term, so I replaced it with "untrusted". By that I meant a local-only network, so no Internet access. Ideally I could access these devices from my main network, but they can't initiate connections outside their VLAN. However, that's not necessary, since I can tunnel through my NAS if needed.


I don't need help, it's just too implausible for me not to be curious.

Aside, it's been fascinating anonymously watching this network evolve over the past decade as a citizen-user who has business in the building. I've been battling with the faceless network admins trying to find ways to access my home lab year-after-year.

First they blocked my personal domain because I tried to reach vpn.mydomain.com. Then I couldn't use OpenVPN at all (or I was too green at the time to bypass). Next, WireGuard worked for a while until it didn't. Now Tailscale is working but I'm forced to use the slow DERP servers to reach home. I might try Headscale with a different personal domain next.

My next project is a little more radical - hiding an old Pi 3B on the network as an exit node on that network. Then I can use the state-owned IP instead of my home one when websites are dicks about third-party VPN IPs.


Hey there, I've been on a networking journey that has, over a few years, taken me from simple unmanaged networking, to managed networking, to advanced VLAN management. It's all been self taught, but mostly successful. However, I've gotten myself into a bit of a pickle and I'm hitting a wall in troubleshooting. Apologies for the length of the post, however I want to provide as much detail as possible.

High level, I have several /16 VLANs for things. VLAN 99 is networking, 2 is servers, 4 is clients, 6 is WireGuard clients, and there are some others. They're all 10.99.0.0/16 with a gateway at 10.99.1.254, etc.

I have had a very old Netgear Layer 3 switch for some time. I've replaced it with a Brocade ICX6610, mostly so I can move my storage infrastructure to 10G fiber (I have a small hypervisor cluster). I had done a ton of preparatory work to configure the new L3 switch so that it could just be dropped in place of the old one; this was MOSTLY successful...

...However, in doing that I broke the connection to my OPNsense firewall and sort of had to redo that piece from scratch. During my planning, I didn't realize some of the config changes I'd made would require changes on the firewall, and after the cut-over I was locked out of the firewall. This is all my fault; that's the piece of this I understand the least, and I had followed dodgy guides when getting it to initially work. I have a backup in XML format, but even having that I'm realizing what I had been doing didn't make sense. Previously, I had a firewall interface on all of my VLANs and the trunk going to it was carrying all the VLANs. Now, I set this up with only 2 VLANs going to the firewall, the networking VLAN and the WireGuard VLAN, as it seems to make more sense with my understanding of how Layer 3 routing works. All routing should happen on the Brocade L3 switch. The firewall itself has 4 physical ports, 1 going to my Comcast gateway, and 2 in an LACP lagg going to my L3 switch. (I have a single interface right now going to the L3 switch separately for troubleshooting, removing the LACP lag as a complexity source).

So, in recovering this, I had to get into the firewall at the console and re-define the interfaces and IPs. I got this to work, but at this point I had tons of connection problems which I didn't understand fully. I have found some of OPNsense's configuration to be a bit obfuscating, which I think is making my learning more difficult. The following were put in place:

  • The "LAN" interface was given a static 10.99.1.40/16 IP, and an upstream gateway was defined at 10.99.1.254.
  • The "WAN" interface was given DHCP, and is up and works

Once I recovered the connection to the web interface I had to make the following changes:

  • Under the "Firewall" sidebar, under "Aliases", I defined each of my VLANs/subnets with a CIDR notation and a name.
  • Under the "Firewall" sidebar, under "NAT" and then under "Outbound", I switched the mode to "hybrid" and added a rule for each of my VLANs on the "LAN" interface, with the "Source" being the aliases defined above, and the target (NAT Address) being the "WAN address".
  • Under the "Firewall" sidebar, under "NAT" and then under "Port Forward", I added some port forward rules.
  • While it's outside the scope of my immediate troubleshooting, I had a working WireGuard setup. I have an interface defined for it on that VLAN, and a second gateway defined at 10.6.1.254. It's all set up according to the OPNsense documentation, and I can connect from the WAN and can access any resources on the LAN.

So, on to the problem... I can access the internet from almost all of my LAN clients. I can access LAN clients via the port forward rules from the WAN. The firewall itself CANNOT access the WAN; for example, I can't check for updates. I can access the firewall web interface from anywhere on the LAN, I can ssh to the firewall from anywhere on the LAN, but once I'm ssh'd in, I can't ping back to the client I'm connecting from. The firewall CAN ping things like 8.8.8.8, but as my DNS resolver is on the LAN, DNS queries from the firewall fail. I believe in a related note, my WireGuard clients can access anything on the LAN, but cannot connect to anything on the WAN.

I believe this has to do with outbound routes from the firewall, but any time I mess with it I end up locking myself out and having to reset interfaces from the console. I tried defining some static routes in "System" -> "Routes" -> "Configuration" but that isn't working. I'm kind of stumped and have been looking at it so long that I don't think more reading and configuring is going to help me anymore. I'll post some screenshots of rules and routes as well (you'll be able to see various things enabled/disabled for experimentation), but I'm kind of in over my head and need some help.


Hiya, I've got a desktop (connected to Wi-Fi), and a server (without a networking card), and I do not have access to Ethernet or the router. However, I do have a network switch, and I was wondering if I could bridge the Wi-Fi from my desktop (Nobara) to the switch, and have my other devices such as a Raspberry Pi and my main server connect to that. If that's possible please let me know how, or point me to some resources. I believe I have to touch iptables in this case, but have never tweaked those before.

This is a very temporary solution for not having access to a router. But gotta live like this for 5 months, so gotta find a solution to get WiFi on my server, as cheap as possible.
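
One way to do what the post asks, as an added example that is not from the original post: a station-mode Wi-Fi interface normally cannot be put into a Linux bridge (the access point only accepts frames from the station's own MAC unless 4-address mode is negotiated, which most APs refuse), so the practical answer is to route and masquerade: the switch side becomes its own small subnet behind the desktop. Interface names (wlan0, eth0), the 192.168.77.0/24 subnet, the DHCP range and the function name are my assumptions; the nmcli one-liner at the end is the NetworkManager equivalent.

```shell
#!/bin/sh
# Added example, not from the original post: share a Wi-Fi client uplink with a
# wired segment by IPv4 forwarding plus NAT. Interface names, the 192.168.77.0/24
# subnet and the DHCP range are assumptions. RUN=echo prints the commands instead
# of executing them, so the logic can be inspected without root.
RUN=${RUN:-}

# share_wifi WLAN_IF LAN_IF OUR_LAN_ADDR/PREFIX
share_wifi() {
    wan=$1; lan=$2; cidr=$3
    addr=${cidr%/*}; net3=${addr%.*}            # 192.168.77.1 -> 192.168.77
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN ip addr replace "$cidr" dev "$lan"
    $RUN ip link set "$lan" up
    # Forward only LAN-originated flows out the Wi-Fi side and their replies back;
    # anything new arriving from the Wi-Fi side towards the switch is dropped.
    $RUN iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    $RUN iptables -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$wan" -o "$lan" -j DROP
    # iptables masks the host bits, so 192.168.77.1/24 means the whole /24 here.
    $RUN iptables -t nat -A POSTROUTING -s "$cidr" -o "$wan" -j MASQUERADE
    # Hand out addresses, default route and DNS to the Pi and the server on the switch.
    $RUN dnsmasq --interface="$lan" --bind-interfaces \
        --dhcp-range="$net3.50,$net3.150,12h" --dhcp-option=option:router,"$addr"
}

# NetworkManager (which Nobara ships) does the same in one step: "shared" enables
# forwarding, masquerading and a dnsmasq instance bound to that interface:
#   nmcli connection add type ethernet ifname eth0 con-name wired-share \
#       ipv4.method shared ipv4.addresses 192.168.77.1/24

if [ "${1:-}" = apply ]; then share_wifi wlan0 eth0 192.168.77.1/24; fi
```

Run it as root with "apply" to configure the box, or with RUN=echo first to review the rules. The server and the Pi then live on 192.168.77.0/24 and reach the internet through the desktop; the desktop's own Wi-Fi address is what the rest of the house sees.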


cross-posted from: https://lemmy.world/post/12521221

Dear all, I have some questions for what I'm about to do with my HomeLab. I recently upgraded my connection to a 1000/1000 and the ISP sent me this shit ass router (Fastweb Nexxt) which is very locked down. I want to change it.

Today this Fastweb Nexxt is not doing DHCP because I'm running a VM with OPNSense on it from which I manage IP reservation etc.

The fiber connection comes to my house and it's connected to a small box, an ONT from ZTE. Then an ethernet cable goes to the wan port of the Fastweb Nexxt and then LAN to my server where the OPNSense VM is hosted.

Now, I'm open to solution, the goal is to remove the Fastweb Nexxt.

The "cheap" idea would be to use a USB-C to Ethernet adapter to add a second Ethernet card to my server and connect the ZTE device to it. I would then assign this adapter as WAN in OPNsense and leave the existing card as LAN for the switch. I'm quite sure I would also need to clone the MAC address of the Fastweb Nexxt device and assign this MAC to the WAN of my OPNsense, right?

I'm open to any kind of suggestion, even something like "this is the best home-router for 100€"


Hiya, quickly wondering if there is a big difference between speeds when using a vpn compared to using a proxy server solution? Anyone got any experience here or good articles to refer to?

Thanks 🌻


VyOS 1.4.0 is finally here as a full LTS release (although, it's early production access).

So many great features are highlighted in the post. I've been using 1.4 images for quite some time, with great success, in my labs. Looking forward to using this one more.

Congrats to the VyOS team.


I posted about OpenWISP a while back but I need to report that it is buggy and unpolished. The community behind it also is very small so not much happens.


Hello networking community

Driven by the vision of a decentralised, independent and neutral network, I have set out into the depths of networking. I have compared different networks and tried to understand the underlying structures.

But my head is spinning from all the research and I've lost track a bit, which is why I'm turning to you. I would like to compare and categorise all these networks according to their protocols using the OSI model.

I would be grateful if you could help me to fill in the following table as well as possible. You can simply copy it or write your answer in the comments.

Network WWW Usenet GNUnet Freenet I2P Tor ZeroNet Lokinet Internet Computer
L1 - - - - - - - - -
L2
L3 IP IP IP
L4 TCP
L5
L6
L7

I'm in need of a cable crimper and some other network tools like a tone gen/probe, cable snipper/stripper, and I'll probably also get a cable tester, for a couple of jobs I'll be doing soon

So, I'm assembling a basic toolkit to install the physical network parts, and I'm asking here for recommendations on mid and high quality tools so I can decide on what to get

As one should do with tools, I'm ready to spend a buck (or euro, in this case) to get good and durable stuff, but these days looking for reviews online is a marketing shitshow, so I thought I'd come here to look for recommendations and try to find someone with actual practical knowledge and experience

Any advice is welcome!


cross-posted from: https://lemmy.ca/post/14107888

I have a very specific question about Linux traffic control and u32 filters in particular. However, I don't know where the right place is to ask such a question as it's fairly niche.

The Linux Advanced Routing & Traffic Control site says it has a mailing list for questions, but the last post was from 2019. There is also the incredibly busy 'linux-netdev' mailing list, but, the traffic there looks like strictly source changes.

Any ideas?

The question I'm trying to find an answer to is: The u32 tc filter seems to support negative byte offsets which allows you to examine the Ethernet frame header (I don't think I even found documentation on this, this is thanks to ChatGPT). However, when using u32 values to examine 8 bytes I can only use offsets in increments of 4 - like "at -8" or "at -12", with any other increment giving me the error Illegal "match".

This seems like only a curiosity, but, I've been struggling to get my bit-matching to match the way I expect, and I'm wondering if this suggests that matching doesn't function the way I think.
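
The alignment rule behind that error, as an added example that is not from the post: tc stores every u32 selector as a 32-bit value/mask pair at an offset from the network header, and it only accepts a "match u32" whose offset is a multiple of 4, which is why "at -8" and "at -12" work and "at -10" is rejected with Illegal "match". u16 and u8 selectors are packed into the surrounding aligned word, so a byte range that is not 4-aligned has to be expressed as a mix of u32, u16 and u8 matches. Negative offsets address the bytes before the network header, i.e. the Ethernet header on an ingress qdisc: destination MAC at -14..-9, source MAC at -8..-3, EtherType at -2..-1. The helper below splits any byte range into the largest selectors tc will accept; the function names are mine and the sample MAC is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build tc-u32 selectors that respect
# the alignment tc enforces (u32 at offsets divisible by 4, u16 at even offsets,
# u8 anywhere). Offsets are relative to the network header; negative values reach
# back into the link-layer header on an ingress qdisc.

# u32_aligned_matches HEX OFFSET
#   HEX    - the bytes to match as a hex string (no 0x, no colons)
#   OFFSET - byte offset of the first byte relative to the network header
# Prints "match uN 0xVALUE 0xMASK at OFF" fragments on one line, choosing the
# widest selector that is aligned at the current position and still fits.
u32_aligned_matches() {
    hex=$1; pos=$2; out=""
    nbytes=$(( ${#hex} / 2 ))
    i=0
    while [ "$i" -lt "$nbytes" ]; do
        left=$(( nbytes - i ))
        if [ $(( pos % 4 )) -eq 0 ] && [ "$left" -ge 4 ]; then
            size=4; mask=ffffffff
        elif [ $(( pos % 2 )) -eq 0 ] && [ "$left" -ge 2 ]; then
            size=2; mask=ffff
        else
            size=1; mask=ff
        fi
        val=$(printf '%s' "$hex" | cut -c $(( i * 2 + 1 ))-$(( (i + size) * 2 )))
        out="$out${out:+ }match u$(( size * 8 )) 0x$val 0x$mask at $pos"
        i=$(( i + size )); pos=$(( pos + size ))
    done
    printf '%s\n' "$out"
}

# u32_mac_match src|dst aa:bb:cc:dd:ee:ff
#   Source MAC sits at -8..-3 and destination MAC at -14..-9 in the Ethernet header.
u32_mac_match() {
    hex=$(printf '%s' "$2" | tr -d ':')
    case $1 in
        src) u32_aligned_matches "$hex" -8 ;;
        dst) u32_aligned_matches "$hex" -14 ;;
        *)   echo "usage: u32_mac_match src|dst MAC" >&2; return 1 ;;
    esac
}

# Usage on a real interface (root required), e.g. police traffic from one MAC:
#   tc qdisc add dev eth0 ingress
#   tc filter add dev eth0 parent ffff: protocol ip u32 \
#       $(u32_mac_match src 00:11:22:33:44:55) \
#       action police rate 1mbit burst 10k drop
```

For 00:11:22:33:44:55 as source the helper emits "match u32 0x00112233 0xffffffff at -8 match u16 0x4455 0xffff at -4", and as destination "match u16 0x0011 0xffff at -14 match u32 0x22334455 0xffffffff at -12"; matching the EtherType is "match u16 0x0800 0xffff at -2". If a hand-written filter "almost" matches, the first thing to check is whether one of its selectors straddles a word boundary the way the unsplit version would.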


Hey all, I was wondering if anyone could help me work out how to do this? Basically, I have a stupid number of smart devices and my router has become increasingly unstable. I want to have all my IoT devices on one router and reserve the other for priority devices like phones and PCs.

I plan to put my IoT hub on 2G only and my primary hub on 6G and 6E only to avoid 2G congestion.

Problem is, if I connect both my routers to my modem, only one can connect to the internet. I tried putting a network switch between the routers and the modem, no dice.

Does anybody know how I can have 2 separate networks using 2 separate routers on a single modem? Both require internet connection but they don’t need to be able to communicate.

Thanks in advance for any help people can give :)


I may soon be upgrading to 2.5Gbps internet, however all the routers that support said speed seem to be expensive. Is there any that cost less than $100?


I'm building this implementation of a circular DHT from scratch because I want to learn and understand how peer-to-peer protocols work. So far so good, but I'm realizing I don't know two things and I don't know where to find them:

  1. What NAT traversal method to use. Do I necessarily need to rely on relay servers for UDP hole punching or STUN?
  2. What is the most reasonable way to test the overall system is working? Should I build a docker network with each node being a container or are there specialized tools for testing networked applications?

Thanks in advance for any answers or pointers!


Hi all!

I have 2 ISPs with their own routers.

Router A: 192.168.0.1/24

Router B: 192.168.20.1/24

I have my servers plugged into Router A and all my endpoint and users' devices connected to Router B.

I want users connected to Router B (192.168.20.1/24) to have access to server 192.168.0.90

I thought plugging a LAN cable and connecting Router A and Router B and then defining static routes in both routers would solve the issue.

However, at the first step itself I have an issue. When connecting the routers via a LAN cable, both routers don't get any IP.

I was also referring to this post on superuser. Though Router B is capable of creating subnet and static route, I am not sure if Router A (Archer XR500v) is capable of creating a subnet and/or a static route.

https://superuser.com/questions/1667068/connect-two-routers-with-different-subnet


I'm looking at a permanent install of a Windows machine that runs a few digital signs. I want to achieve remote access and file upload to the Windows box, as well as accessing the internal web server of the displays on the same LAN. This LAN will be attached to a corporate network, but I would prefer if it did not have access to the internet. I'll have to work with the IT department to get this happening, of course, but I'm hoping to go in prepped with potential solutions. Could anyone tell me if these ideas will work, or what I'm missing?

  • VPN tunnel. This would be whichever VPN that their IT supports. Would I be able to simply install the client on the windows box and my machine, and then on my machine connect to the VPN, use TeamViewer in LAN mode for control of the Windows box, and web browser for control of displays? I'm assuming their IT would set up the upstream switch to only pass that VPN connection, so that the Windows box does not see the internet, and I cannot see their internal network.
  • Some kind of IPMI/PiKVM solution- This would be a second computer, attached to the corporate network, but not to the signage LAN. It would just be a KVM for the Windows box. I would then dial into that via its webserver, and control the Windows machine. The control for the displays would be accessed via browser on the Windows machine. I like this solution, as it keeps the networks separate, but I think that uploading files will be a challenge.
  • Or is there a better way?

I'm trying to set up a Pi-hole on my in-laws' home network. I've got everything configured on the pi but ad-blocking wasn't working. So I did some digging into the logs and found that DNS requests were all coming from the router.

After some reading it seems that the DHCP server that the router used was adding a DNS suffix to all requests (search.charter), so I turned off the DHCP server on the router and used pi-hole's built-in DHCP to see if this would resolve the issue. I didn't have enough time to test the fix, but here's my understanding of what was happening before I changed the configuration:

I set the primary DNS server to the IP address of the pi-hole in the router settings so they would have network wide adblocking. All of the clients get a DHCP assigned DNS server address which was set to the router's address. I would input example.com into a client's browser, the DNS request would be sent to the router, then the router would act as a client in the pi-hole logs. Pi-hole tells the router that example.com is found at 192.158.1.38 and the ads being hosted on the website are at 0.0.0.0. The router sees that the DNS server didn't return a result for one of the queries, so it goes to an upstream DNS server hosted by the ISP where they provide the IP for the ad. Both addresses are sent along to the client device and the pi-hole shows the ad domain as being blocked.

Is that true? Did changing the DHCP server to the Pi-hole fix the problem? Is there anything more that I need to do? Did I totally whiff on troubleshooting? Let me know if you need more information. Any help would be appreciated since I'm trying to learn a little bit more about networking and take a little more control of my home network. Thanks!

submitted 9 months ago* (last edited 9 months ago) by kokesh@lemmy.world to c/networking@sh.itjust.works

I've made a WireGuard tunnel out to a VPS (to circumvent CGNAT). DNS server works, web server + Gitea, Jellyfin, ... work. All the stuff is running on my thin Ubuntu client. What doesn't work is forwarding the RDP port to my Windows machine. No firewall on the Windows machine. It used to work before CGNAT got enabled by my ISP. I've also tried the UDP port, but still no connection.

Here is my wg0 conf:

[Interface]
PrivateKey = .....
Address = 10.1.0.2/24
# Rewrite the destination to the Windows box, then masquerade so its replies come
# back through this host. DNAT to another machine also needs net.ipv4.ip_forward=1
# and a FORWARD chain that accepts wg0 -> LAN for this flow.
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.21:3389; iptables -t nat -A POSTROUTING -p tcp --dport 3389 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.21:3389; iptables -t nat -D POSTROUTING -p tcp --dport 3389 -j MASQUERADE

[Peer]
PublicKey = ........
AllowedIPs = 0.0.0.0/0
Endpoint = ...oraclevpsIP....:55108
PersistentKeepalive = 25
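
The other half of this setup, as an added example that is not from the original post: the PostUp above only rewrites packets once they have reached the Ubuntu box, so the VPS must first DNAT its public port into the tunnel, and both hosts must forward the flow. Names and addresses are assumptions that match the post (VPS public interface eth0, tunnel wg0 with the VPS at 10.1.0.1/24 and the home peer at 10.1.0.2 listed with AllowedIPs 10.1.0.2/32, home LAN interface enp2s0, RDP target 192.168.1.21); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the two NAT hops a port forward
# needs when the home side sits behind CGNAT and reaches out over WireGuard.
# Packets hit the VPS public address, are DNATed into the tunnel, and the home
# peer DNATs them again to the Windows box. Interface names and addresses are
# assumptions. RUN=echo prints the commands instead of executing them.
RUN=${RUN:-}

# vps_forward PUBLIC_IF WG_IF HOME_TUNNEL_IP PORT   (runs on the VPS)
#   Without ip_forward=1 and a FORWARD accept the packet is rewritten by the
#   DNAT rule and then dropped, which from outside looks like "no connection".
vps_forward() {
    pub=$1; wg=$2; home=$3; port=$4
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN iptables -t nat -A PREROUTING -i "$pub" -p tcp --dport "$port" -j DNAT --to-destination "$home:$port"
    $RUN iptables -A FORWARD -i "$pub" -o "$wg" -p tcp -d "$home" --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$wg" -o "$pub" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Optional: source-rewrite into the tunnel so the home peer answers the VPS no
    # matter how it routes. The post's peer already sends 0.0.0.0/0 through the
    # tunnel, so this can be dropped to keep the real client IP visible at home.
    $RUN iptables -t nat -A POSTROUTING -o "$wg" -p tcp -d "$home" --dport "$port" -j MASQUERADE
}

# home_forward WG_IF LAN_IF TARGET_IP PORT   (runs on the Ubuntu peer)
#   The post's PostUp covers the two nat rules; forwarding and the FORWARD
#   chain are the parts that are easy to forget.
home_forward() {
    wg=$1; lan=$2; target=$3; port=$4
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN iptables -t nat -A PREROUTING -i "$wg" -p tcp --dport "$port" -j DNAT --to-destination "$target:$port"
    $RUN iptables -A FORWARD -i "$wg" -o "$lan" -p tcp -d "$target" --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$lan" -o "$wg" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # MASQUERADE makes the Windows box see the Ubuntu host as the client, so it
    # replies to a LAN address instead of needing a route back into the tunnel.
    $RUN iptables -t nat -A POSTROUTING -o "$lan" -p tcp -d "$target" --dport "$port" -j MASQUERADE
}

# Sanity check to run on either host before blaming the rules.
forward_enabled() { [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]; }

case "${1:-}" in
    vps)  vps_forward eth0 wg0 10.1.0.2 3389 ;;
    home) home_forward wg0 enp2s0 192.168.1.21 3389 ;;
esac
```

Run "sh script vps" on the VPS and "sh script home" on the Ubuntu box (or with RUN=echo first to review). To see where the flow dies, run tcpdump -ni wg0 port 3389 on both ends and tcpdump -ni enp2s0 host 192.168.1.21 at home: the hop where SYNs arrive but no SYN-ACK returns is the one missing forwarding or the masquerade.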


Link on the bottom if you wish to try out the new VPP addon.

submitted 10 months ago* (last edited 10 months ago) by mfat@lemdro.id to c/networking@sh.itjust.works

Is it possible? Can proxies somehow "advertise" themselves the way some media services or printers do?

submitted 10 months ago* (last edited 10 months ago) by HW07@lemmy.world to c/networking@sh.itjust.works

So on my host I run Mullvad VPN all the time due to living in one of the X eyes countries and being over-paranoid, but when I torrent I do almost no uploading due to Mullvad blocking port forwarding. I had the bright idea to create a VM and then attach it to my network in a way that completely bypasses my host's (also running Linux) connection and in turn bypasses Mullvad. I'd then connect this VM to my own WireGuard server that I rent overseas and configure port forwarding on that. I think I'm almost there, however I seem to have hit a roadblock, and I think the only workaround is attaching a second Ethernet cable to my host in order to get another interface, so that the VM doesn't steal my host's connection.

Doing the dual ethernet setup isn't impossible, but it is extra cables and dongles that I'd rather do without, so I was wondering if I could create a second IP address on my host and pass that into the VM to use? I'm using qemu and virt manager for my virtual machines, Artix on my host and probably Linux Mint on my torrent VM.

Again I have no idea if this is possible or not, I simply don't know enough about networking yet to know for certain. I feel like it is but I wanted to ask some people who know what they're talking about :D.
