c.im is one of the many independent Mastodon servers you can use to participate in the fediverse.
C.IM is a general, mainly English-speaking Mastodon instance.


#vlan


Question for #networking friends:

I have 3 #VLAN switches. My incoming Internet is adjacent to one of them, but I don't really want anything else much there. Most of my equipment is on the third switch in the chain - ie traffic to there from the internet has to go through all three.
Currently my router (#Debian #Linux box) is next to the Internet connection, but I want to move it to the other end. Is that sane?

It took the whole damn day, but I seem to have managed VLAN config via file and an uplink on port 22 with all #VLAN tagged.

Next step: a trunk with two NICs, to connect the thing directly to the #pfSense. Then I can finally retire, without any interruption, the ancient and chronically overcrowded 24x #Switch that is still my main switch. Its demise is a sword of Damocles hanging over my home IT landscape, and I have been putting off dealing with it for years. I'm not a network engineer, after all, and #JunOS isn't exactly intuitive.

The #Juniper 3400 is considerably younger and has significantly lower power consumption (#Stromverbrauch), despite having twice as many ports. After that the server landscape can keep growing; world domination (#Weltherrschaft) is near...

Edit: Seems like this was caused by hardware offloading being enabled, which worked fine on 22.x. I am investigating why this is no longer working, but for now I have a working internet connection again! Hooray!

Dear #OpenWRT users out there,

I migrated my main router to 24.10.0 (direct update from 22.x was not possible). I got almost everything working again, VLANs, DDNS.

But now I got a funny issue:
Connections via LAN are NOT working.
Connections via Wifi directly on the router ARE working.
Connections via Wifi on the access point are NOT working.

Ping and DNS queries (with both TCP and UDP) are working fine from all clients to all hosts I tried.

But trying to curl a website (or open it in a browser) only works on clients connected via Wifi to the router. As soon as LAN comes into play, the connection hangs until "empty reply from server".

Any ideas anyone?

forum.openwrt.org/t/connection
#openwrt #router #vlan #wifi #adminlife #homelab

OpenWrt Forum · Connection issue after migration to 24.10.0: Router can curl a URL, clients cannot

Dear all, could you help me solve this puzzle? I migrated my router (WRTACS1900ACS) from 22.3 to 24.10.0. As the previous upgrade attempt to 23.x failed (last year?), I did a factory reset, installed a factory 24.10.0 image and then piece by piece copied back my old configuration and adapted it where necessary. Last time the network configuration seemed to have been the culprit, due to the change to DSA switch infrastructure (or whatever it was called). I have some WAN DHCP issues (see this t...

Does anyone here have an idea? #Proxmox #Homelab #Network
I have 2 VLANs: 1 & 6. In the future everything in the homelab is supposed to move to #VLAN 6 - that will take a while yet.
I have a new Diskstation. The old one is to serve as storage in the homelab, so it sits in VLAN 6.
I have already moved some LXCs to VLAN 6.
The Proxmox host is still in VLAN 1.
For some reason the host cannot reach any client in VLAN 6 via ping - and therefore not the Diskstation either.
Why?

I recently rebuilt my networks and segregated devices into proper VLANs and everything was working great until I tried to connect to #ProtonVPN. I tried tweaking all the different settings and could not get it to connect reliably if at all. Finally figured it out. They use 10.2.0.0 for their VPN subnet, which was the same one I was using for my client #VLAN. So now I get to rebuild stuff again. Ugh.

Continued thread

Do I expect the average home user to understand these things? No. But could devices have better default options? Certainly yes. Business class switches already have Voice #VLAN auto-detect by MAC OUI -- there's no reason not to add a little more fairy dust and help home users keep their stuff separated intelligently while still enjoying the benefits of insecure #IoT devices.
Some day maybe it will be normalized to hire a pro to install these things, but until then ...
#sysadmin #networkSecurity

I’m looking for a wireless access point that supports VLANs - in the sense that I can create different SSIDs for different VLANs or I can specify which client goes onto which VLAN.

Any help appreciated as I’m drowning in marketing fluff at the moment.

And boosts always appreciated.

#wifi #vlans #infosec

Replied in thread

The only limitation: I did not set up the firewall according to "best practice" (i.e. first forbid everything and then drill holes), but first allowed routing completely between the networks and then specifically blocked access from the IoT to certain ports in the LAN. For certain IP addresses, such as the NAS, all ports are blocked. (5/x) #IoT #VLAN

Hmmm going slightly troppo. I have bought a little four port fanless PC, nice-cheap-and-cheery, and installed #debian on it. The aim is to connect to my ISP (yless4u) using #PPPoE on enp4s0.

(the existing connection is through a vilo. Its only parameters are username and password. Somehow it makes sense of all the rest. Clever, but inscrutable)

pppoe-config produces a workable config, but, after the ppp0 comes up, all packets sent into it are filtered by the other end.

During debugging, I noticed that after the PAP/CHAP phase, the remote end sends a "VLAN 100" message back to me. I am *supposing* that it is saying ??? that I should ??? tag packets as #vlan 100 ??? before sending them down ppp0???
Is this in any way common/useful? Has anyone else seen this?

(The other idea, that vlan 100 might be required for authentication and setup, seems not to work. Setting up enp4s0.100 as vlan 100 and telling pppoe to use that interface instead of enp4s0 FAILS)

So, over to #mastodon #debiants. What is going on here? Am I barking up the wrong tree?

Continued thread

So it helps if you actually specify the VLAN IDs in your `bridge-vids`... but for some reason, I'm still not getting one specific VLAN ID to work on one of my three proxmox systems.

- Other VLANs work on that brocade port/proxmox host, so I don't think it's a media/cable/layer 1 thing

- The problem VLAN (ID 10) works on my other brocade ports/proxmox hosts, so it's not a general routing/firewall thing

- A VM and LXC container on the bad host/bad VLAN ID can ping each other

Any other ideas for troubleshooting?

Weekend ToDo:

- [x] Replace failing UPS
- [x] Move Wifi Base station to first floor
- [x] Move Fiber connections from MikroTik to Brocade
- [ ] Use VLAN tagging to move Proxmox LXC/VM traffic from janky USB to SFP+

Well I'm almost done. For some reason, despite identical Proxmox and Brocade configuration, Linux VLANs aren't working on two of my three hosts. Looks like I'm keeping the super janky bonded USB ethernet around for at least another week.

Adventures getting #Netflix to work in a somewhat complex home #network 🤯

I decided to give their plan with ads a chance, sounding like a somewhat fair deal. First issue was, I couldn't even register. It only offered me US plans. Figured that's because my #IPv6 connectivity is tunnelled through #HE (for reasons, different story). Of course using an endpoint here in Germany, but nevertheless, Netflix seemed to think it's a US located address.

Running my own #bind9 instance, I found a way to hide relevant AAAA records (netflix' own domain and also amazonws) by adding a view only operating on local loopback and filtering out ALL AAAA records, and then adding forward-only zones for these domains to this local view. Horrible, but works, now I could register, forcing #IPv4.

One particularly cheap "smart-tv" still couldn't connect to netflix, always showing me an error that I was using some "VPN". 🤨 No way to analyze what exactly was happening there, but I finally found a solution for that as well: I created an entirely new network segment (with its own #vlan on the switch). I don't offer IPv6 in this segment at all, and only allow it to access the internet as well as my local #dns server. Putting all tv sets and my #minidlna instance into this segment, everything finally works.

The nice thing is, I always wanted to isolate the tv sets anyways, and this is now finally done, they're unable to see the rest of my home network! 🥳 Still a bit sad I have to restrict them to IPv4 for now, just to work around netflix' geolocation stuff... 🫤

Continued thread

All those experiments were on an EdgeCore switch. The SMC switch, despite IIRC being the same manufacturer, is configured fundamentally differently. It is now working, however, and I have trunking to the Edgecore.

Any #VLAN experts out there? It seems they're not as straightforward as they seem (or should be?) - particularly around VLAN 1. That has magic that doesn't seem to be mentioned in the (minimal) switch documentation. Is it normal for VLAN 1 to not be allowed on trunk ports? My switch (at least one of them) seems to think so. My current plan is to keep using VLAN1 for management of each switch, but loop it to (say) VLAN 99 for trunking, with a short cable at each switch.