Search results

  1. Nicklebon

    Tracing out ethernet cables. Any easy way?

    Terminate remote ends and then tone out and label at the central location. Once labeled, terminate what you like at the hub.
  2. Nicklebon

    What are you guys using for a router that you love?

    There's not much, read no, point in allowing encrypted DNS to some certain addresses. You either block it outright and force DNS to internal sources where you can filter it or you don't. QUIC is another thing that is just blocked completely in a secure network.
  3. Nicklebon

    What are you guys using for a router that you love?

    If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through. It is my sincere desire that the inventors of DoH...
  4. Nicklebon

    SOHO Rack Mount Firewall Recommendation

    That seems strange. We push PAN hard and still sell 3-5X more Fortinet. Of course the price/performance difference is substantial, coupled with much better SDWAN integration on the Fortinet side. For the last year almost every deal has some element of SDWAN in it. It isn't mentioned often in...
  5. Nicklebon

    SOHO Rack Mount Firewall Recommendation

    100/101-F or E series Fortigate or use a 60/61-F or E series with one of these: https://www.amazon.com/Rackmount-RM-FR-T10-Rack-Mount-FortiGate/dp/B01MXMCODG
  6. Nicklebon

    School Me on how to start this fiber setup please.

    FC HBAs are great if you're running Fibre Channel, not so much (read worthless) for Ethernet.
  7. Nicklebon

    School Me on how to start this fiber setup please.

    Pretty sure those cards are FC HBAs and not NICs. Also, I'm afraid to ask but .... All that external cable you describe in #7 is plugged into grounding blocks on both ends of the external pieces before being attached to your gear, yes? If you were to switch to 1 run at 400 feet assuming 10G SR you...
  8. Nicklebon

    WiFi MAC randomization - good for privacy on public networks, but bad for home security?

    I never said they invented it. They are however the biggest cheerleaders as it plays right into their wallet. DoH is horrible for consumers as it allows app vendors to bypass any local DNS requirements and filtering to collect 100% of your DNS searches from the app in question and return...
  9. Nicklebon

    WiFi MAC randomization - good for privacy on public networks, but bad for home security?

    The OP needs to understand that privacy and security are two different things. Quite often you must sacrifice one for the other. If you are interested in security then you're doing TLS deep inspection on everything. If you're interested in privacy then you likely think doing so is evil. Very often...
  10. Nicklebon

    Is there benefit to direct DoT and/or DoH connection compared to local DNS server?

    Sadly this is true. You can still play the cat and mouse game of blocking known DoH servers but that's generally a losing scenario. This is the primary reason I despise DoH. It's an abomination and should be stomped out of existence. DoT solves all the issues with plaintext DNS and does so in...
  11. Nicklebon

    Is there benefit to direct DoT and/or DoH connection compared to local DNS server?

    If you have local DNS resolvers then only those resolvers should be allowed outbound DNS. All other DNS should be blocked on your firewall. There is little point in DNS filtering if all a client has to do is change resolvers.
  12. Nicklebon

    Is there benefit to direct DoT and/or DoH connection compared to local DNS server?

    If someone is doing MITM on your LAN then they have already installed certs on your endpoints. You're already owned and DNS is the absolute least of your worries.
  13. Nicklebon

    How to isolate wireless from LAN ?

    Can you ping a wired device from a wifi device or the reverse of that?
  14. Nicklebon

    Battling with ISP over ports

    Is this a satellite ISP or a WISP? Are you certain you have a static publicly routable IP? Also, Starlink will not be a solution for this as they use CGNAT so no inbound traffic to you. There is a possibility that will change later but as of today ... sorry Charlie.
  15. Nicklebon

    How to isolate wireless from LAN ?

    I'll add that if you have more than one AP you can plug a switch into the new PFSense interface and then plug APs into the switch. Also you said earlier in the thread you needed but didn't have an L3 switch for VLANs. Please note VLANs are layer 2 and require layer 3 routing. You can build a...
  16. Nicklebon

    How to isolate wireless from LAN ?

    Full stop! Again the AP is absolutely not where you control what you want to do. An AP is just a layer 2 bridge that bridges wifi to ethernet. To do what you want you need to be at the router. Add another interface to your PFSense router using a different subnet than your wired network. Plug...
  17. Nicklebon

    How to isolate wireless from LAN ?

    What the AP is plugged into, typically a router in homes, is the biggest part of this equation, not the AP itself.
  18. Nicklebon

    How to isolate wireless from LAN ?

    First, as others have said, your LAN (local area network) includes your wifi. Now unfortunately MOST consumer class networking equipment stops right there and you get WAN and LAN with routing+NAT/PAT between. The wifi and the ethernet segments of the LAN are bridged together. Sadly this is the...
  19. Nicklebon

    We need better site-to-site VPN routers/gateways

    One question was asked and never answered. I know the site locations are reasonably close to each other but are they on the same ISP?
  20. Nicklebon

    We need better site-to-site VPN routers/gateways

    It eliminates the VPN. If there are still performance issues then we've narrowed it down to device or network problems.
  21. Nicklebon

    We need better site-to-site VPN routers/gateways

    This could be an all day conversation and honestly requires adult beverages. :) If you have more than a few sites AND want site to site tunnels (full mesh) vs just hub and spoke then what Fortinet calls ADVPN simplifies things. If you have multiple access connections then you layer in SDWAN...
  22. Nicklebon

    We need better site-to-site VPN routers/gateways

    PMTU involves more than just the endpoints. The entire path must be configured to support this. FYI most firewalls will not participate so .... At 64 bytes with good encryption, a little less for not so good encryption, IPSEC encap has about a 5% penalty on a 1400 byte packet. Throughput depends on...
  23. Nicklebon

    We need better site-to-site VPN routers/gateways

    I'd still have a hard look at MTU. IPSEC is notorious for throughput problems due to incorrect MTU settings. IPSEC VPNs were my segue from server admin to security and still very near and dear to my heart.
  24. Nicklebon

    Improvement recommendations? Diagram inside

    Failing to read is missing the point of the forum. Which part of posts #2, #3, #5, and #9 did you not read? 1. You might want to put the NVR and cameras on a different network, or anything that is "outside". 2. Put all IoT devices on their own VLAN and block it from talking to anything else on...
  25. Nicklebon

    We need better site-to-site VPN routers/gateways

    Doesn't address the iperf issues but what protocol are you using for the file transfer? CIFS generally sucks over WAN links due to latency. Same carrier at each site? What MTU are you using? Packet fragmentation will destroy throughput. You can use -M on the iperf cli to play around with the...
  26. Nicklebon

    Improvement recommendations? Diagram inside

    Just because you can doesn't mean you should. If you're really looking for a secure network you most certainly should not. As others said, the picture is pretty though.
  27. Nicklebon

    What are you guys using for a router that you love?

    If it were actually in bridge mode it would not really be an issue. The real issue is that their gear is not in bridge mode and that there is no bridge mode. In some cases there are options but those likely won't work with most new installations and definitely don't work with the >1Gbps tiers.
  28. Nicklebon

    Improvement recommendations? Diagram inside

    Is there a switch connected to the router not shown in the diagram? I ask this not having used Mikrotik devices but in general routers frown, read puke and don't allow, on having the same subnet connected to multiple interfaces. That said, from a security standpoint wireless and wired should...
  29. Nicklebon

    TP-Link and Ubiquiti gear (specific questions)

    I'll throw in that Minos stands behind their auctions. I've bought a lot of gear from them over the years and never had any problems with returns even when it was clear UPS caused the problems.
  30. Nicklebon

    CD PROJEKT RED Donating Humanitarian Aid To Ukraine

    Helluva lot more than condone. They brought them into the army, armed and legitimized them.
  31. Nicklebon

    CD PROJEKT RED Donating Humanitarian Aid To Ukraine

    This is absolutely political and 30 years in the making. This is the Cuban missile crisis being played out over again with the role of Cuba played by Ukraine and the role of the USSR split between the US and the EU. Russia is playing the role of the US. It has nothing to do with democracy.
  32. Nicklebon

    Anyone Else Having Network Issues Today?

    Not seeing any problems here with Spectrum or ATT Fiber. Should also add Hurricane Electric to the list since IPv6 is riding a tunnel over to them to get out.
  33. Nicklebon

    What are you guys using for a router that you love?

    You ask about a router and then describe access point problems. As Eulogy says, all in one devices are generally not especially good at anything and poor substitutes for dedicated devices, and even more to the point these are services that generally should not be supplied from the same location...
  34. Nicklebon

    Same local IP + same MAC for 4 clients - shouldn't the switch/router freak out?

    More true words have never been typed than the ones above here ... ^^^^^^^^ We know this because he/she/it expects Ethernet errors from layer 3.
  35. Nicklebon

    A bit of network assistance plz!

    Either way you should wipe and reset to default before using. Seeing as you did not know they were managed my guess is you did not. I would suggest starting over.
  36. Nicklebon

    A bit of network assistance plz!

    It's been a while since I've used my cisco-fu but I assume you started with "wr mem erase" yes? If not I would recommend a do over starting with that. edit: Actually you'll need to delete the vlan.dat file after you erase the config because in their infinite wisdom cisco decided that erasing...
  37. Nicklebon

    A bit of network assistance plz!

    I would check the output of netstat -r and arp -a on each machine to make sure it matches expectations. I would also disconnect two of the networks and test one network at a time.
  38. Nicklebon

    Looking for a PoE switch. Need some suggestions

    A switch would not be used for port forwarding. I would suggest hitting ebay and picking up one of the many Fortigate 140-POE firewalls available there. They can be used as your switch and a firewall to do your forwarding and terminate an ipsec or ssl/tls vpn. Before you ask none of them are...
  39. Nicklebon

    Google loses patent case against Sonos, will remove features from Nest and Chromecast products

    As a very happy Sonos user and a user of many poor attempts prior I'll add this. If the way Sonos controls the volume of grouped units is so obvious, why then did no one do it that way previously? Most things seem obvious once you've seen it done. It wasn't so obvious before and when Sonos did it...
  40. Nicklebon

    Bill Gates predicts our work meetings will move to metaverse in 2-3 years

    That has been my experience and the company's. Most of my division is WFH and has been long before this current mess. They have found that they are much more productive than other divisions that are not as WFH friendly. My team is distributed from eastern Europe to Hawaii and aside from the...