There's not much, read no, point in allowing encrypted DNS to certain addresses. You either block it outright and force DNS to internal sources where you can filter it or you don't. QUIC is another thing that is just blocked completely in a secure network.
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through. It is my sincere desire that the inventors of DoH...
That seems strange. We push PAN hard and still sell 3-5X more Fortinet. Of course the price/performance difference is substantial coupled with much better SDWAN integration on the Fortinet side. For the last year almost every deal has some element of SDWAN in it.
It isn't mentioned often in...
100/101-F or E series Fortigate or use a 60/61-F or E series with one of these:
https://www.amazon.com/Rackmount-RM-FR-T10-Rack-Mount-FortiGate/dp/B01MXMCODG
Pretty sure those cards are FC HBAs and not NICs. Also, I'm afraid to ask but .... All that external cable you describe in #7 is plugged into grounding blocks on both ends of the external pieces before being attached to your gear, yes? If you were to switch to 1 run at 400 feet assuming 10G SR you...
I never said they invented it. They are however the biggest cheerleaders as it plays right into their wallet. DoH is horrible for consumers as it allows app vendors to bypass any local DNS requirements and filtering to collect 100% of your dns searches from the app in question and return...
The OP needs to understand that privacy and security are two different things. Quite often you must sacrifice one for the other. If you are interested in security then you're doing TLS deep inspection on everything. If you're interested in privacy then you likely think doing so is evil. Very often...
Sadly this is true. You can still play the cat and mouse game of blocking known DoH servers but that's generally a losing scenario. This is the primary reason I despise DoH. It's an abomination and should be stomped out of existence. DoT solves all the issues with plaintext DNS and does so in...
If you have local DNS resolvers then only those resolvers should be allowed outbound DNS. All other DNS should be blocked on your firewall. There is little point in DNS filtering if all a client has to do is change resolvers.
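The egress policy from the two DNS posts above (only the local resolvers may send 53/853 upstream, 443 to known DoH servers is dropped, and DoH to an unknown server "breezes on through"), written out as an added example so the gap is visible. This is not code from the posts; the resolver address, LAN range, "known DoH" list, interface name and the flow log are all constructed for illustration, and the nftables text it emits is a rendering of the same policy, not something taken from any of the posters' firewalls.

```python
"""Egress DNS policy as code: which flows get dropped, and which encrypted DNS
cannot be caught this way.

Added example; not code from the original posts. Addresses, the resolver list,
the known-DoH list and the flow log are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed: the only hosts allowed to send DNS upstream (e.g. the Pi-hole).
LOCAL_RESOLVERS = {ip_address("10.0.0.53")}

# Constructed: internal address space; traffic staying inside is not egress.
LAN = ip_network("10.0.0.0/8")

# Constructed stand-ins for a "known DoH server" list. In practice this comes
# from a feed that needs constant refreshing, hence the cat-and-mouse game.
KNOWN_DOH_SERVERS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}

# Assumed name of the WAN-facing interface for the emitted ruleset.
WAN_IFACE = "wan"


def egress_verdict(src, dst, proto, dport):
    """Return (verdict, reason) for one outbound flow.

    Policy: only LOCAL_RESOLVERS may send 53 (Do53) or 853 (DoT) upstream;
    any other host on those ports is dropped. 443 to a known DoH server is
    dropped for every host. 443 to anything else is allowed, which is the
    gap: DoH to an unknown server looks like ordinary HTTPS.
    """
    src, dst = ip_address(src), ip_address(dst)
    if dst in LAN:
        return ("allow", "internal traffic, not egress")
    if proto in ("udp", "tcp") and dport in (53, 853):
        if src in LOCAL_RESOLVERS:
            return ("allow", "local resolver forwarding upstream")
        return ("drop", f"direct DNS/DoT on port {dport} from a non-resolver")
    if proto == "tcp" and dport == 443:
        if dst in KNOWN_DOH_SERVERS:
            return ("drop", "HTTPS to a known DoH server")
        return ("allow", "HTTPS to an unknown host; DoH here is invisible")
    return ("allow", "not a DNS-related port")


# Constructed flow log: "src dst proto dport", one flow per line.
FLOW_LOG = """\
10.0.0.53 1.1.1.1 udp 53
10.0.1.20 8.8.8.8 udp 53
10.0.1.20 9.9.9.9 tcp 853
10.0.1.21 203.0.113.10 tcp 443
10.0.1.21 198.51.100.7 tcp 443
10.0.1.22 10.0.0.53 udp 53
"""


def audit(flow_log=FLOW_LOG):
    """Apply the policy to every flow; returns (src, dst, dport, verdict)."""
    results = []
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        verdict, _ = egress_verdict(src, dst, proto, int(dport))
        results.append((src, dst, int(dport), verdict))
    return results


def dropped(flow_log=FLOW_LOG):
    """Only the flows the policy stops."""
    return [r for r in audit(flow_log) if r[3] == "drop"]


def nft_ruleset():
    """Render the same policy as an nftables forward-chain fragment."""
    resolvers = ", ".join(str(a) for a in sorted(LOCAL_RESOLVERS))
    doh = ", ".join(str(a) for a in sorted(KNOWN_DOH_SERVERS))
    return "\n".join([
        "table inet dns_egress {",
        f"  set local_resolvers {{ type ipv4_addr; elements = {{ {resolvers} }} }}",
        f"  set known_doh {{ type ipv4_addr; elements = {{ {doh} }} }}",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    oifname "{WAN_IFACE}" ip saddr @local_resolvers meta l4proto {{ udp, tcp }} th dport {{ 53, 853 }} accept',
        f'    oifname "{WAN_IFACE}" meta l4proto {{ udp, tcp }} th dport {{ 53, 853 }} drop',
        f'    oifname "{WAN_IFACE}" ip daddr @known_doh tcp dport 443 drop',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for src, dst, dport, verdict in audit():
        print(f"{verdict:5} {src} -> {dst}:{dport}")
    print(nft_ruleset())
```

The fifth flow (a LAN host to 198.51.100.7:443) is the one to look at: it passes, and nothing at layer 3/4 distinguishes it from a browser session, which is exactly why the posts say the known-DoH block list is a losing game and why QUIC gets dropped outright in the same setups. Note the rule order in the emitted fragment: the resolver accept must precede the generic 53/853 drop.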
If someone is doing MITM on your LAN then they have already installed certs on your endpoints. You're already owned and DNS is the absolute least of your worries.
Is this a satellite ISP or a WISP? Are you certain you have a static publicly routable IP? Also, Starlink will not be a solution for this as they use CGNAT so no inbound traffic to you. There is a possibility that will change later but as of today ... sorry Charlie.
I'll add that if you have more than one AP you can plug a switch into the new pfSense interface and then plug APs into the switch. Also you said earlier in the thread you needed but didn't have an L3 switch for VLANs. Please note VLANs are layer 2 and require layer 3 routing. You can build a...
Full stop! Again the AP is absolutely not where you control what you want to do. An AP is just a layer 2 bridge that bridges wifi to ethernet. To do what you want you need to be at the router. Add another interface to your pfSense router using a different subnet than your wired network. Plug...
First, as others have said, your LAN (local area network) includes your wifi. Now unfortunately MOST consumer class networking equipment stops right there and you get WAN and LAN with routing+NAT/PAT between. The wifi and the ethernet segments of the LAN are bridged together. Sadly this is the...
This could be an all day conversation and honestly requires adult beverages. :)
If you have more than a few sites AND want site to site tunnels (full mesh) vs just hub and spoke then what Fortinet calls ADVPN simplifies things. If you have multiple access connections then you layer in SDWAN...
PMTU involves more than just the endpoints. The entire path must be configured to support this. FYI most firewalls will not participate so .... At 64 bytes with good encryption, a little less for not so good encryption, IPSEC encap has about a 5% penalty on a 1400 byte packet. Throughput depends on...
I'd still have a hard look at mtu. IPSEC is notorious for throughput problems due to incorrect mtu settings. IPSEC vpns were my segue from server admin to security and still very near and dear to my heart.
Failing to read is missing the point of the forum. Which part of posts #2, #3, #5, and #9 did you not read?
1. You might want to put the NVR and cameras on a different network, or anything that is "outside".
2. Put all IoT devices on their own VLAN and block it from talking to anything else on...
Doesn't address the iperf issues but what protocol are you using for the file transfer? CIFS generally sucks over a WAN link due to latency. Same carrier at each site? What MTU are you using? Packet fragmentation will destroy throughput. You can use -M on the iperf CLI to play around with the...
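The IPsec encapsulation arithmetic behind the "about a 5% penalty on a 1400 byte packet" figure and the MTU/fragmentation warnings in the posts above, worked through as an added example (not code from any of the posts). The ESP field sizes come from RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 3602 (AES-CBC) with HMAC-SHA1-96; the two cipher names, the 1500-byte WAN MTU and the IPv4-only, no-TCP-options assumptions are mine for illustration. The MSS it produces is the kind of value you would hand to the iperf -M flag mentioned above.

```python
"""ESP tunnel-mode overhead and the TCP MSS clamp that keeps a tunnel from
fragmenting.

Added example, not from the original posts. Field sizes per RFC 4303/4106/3602;
cipher labels and the 1500-byte WAN MTU are assumptions for illustration.
"""

# Per-suite ESP parameters in bytes: (IV length, pad alignment, ICV length).
# AES-GCM: 8-byte IV, 16-byte ICV, payload only needs 4-byte alignment.
# AES-CBC + HMAC-SHA1-96: 16-byte IV, 16-byte block padding, 12-byte ICV.
CIPHERS = {
    "aes-gcm-128": (8, 4, 16),
    "aes-cbc-sha1": (16, 16, 12),
}

OUTER_IPV4 = 20   # new outer IPv4 header added by tunnel mode
NAT_T_UDP = 8     # UDP/4500 header when NAT traversal is in use
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


def esp_tunnel_size(inner_len, cipher="aes-gcm-128", nat_t=False):
    """On-the-wire size of an inner IPv4 packet of inner_len bytes (its own
    IP header included) after ESP tunnel-mode encapsulation."""
    iv, align, icv = CIPHERS[cipher]
    # Pad so that payload + trailer lands on the suite's alignment boundary.
    pad = (-(inner_len + ESP_TRAILER)) % align
    size = OUTER_IPV4 + ESP_HEADER + iv + inner_len + pad + ESP_TRAILER + icv
    if nat_t:
        size += NAT_T_UDP
    return size


def overhead_pct(inner_len, cipher="aes-gcm-128", nat_t=False):
    """Encapsulation overhead as a percentage of the inner packet size."""
    extra = esp_tunnel_size(inner_len, cipher, nat_t) - inner_len
    return 100.0 * extra / inner_len


def max_inner_mtu(wan_mtu=1500, cipher="aes-gcm-128", nat_t=False):
    """Largest inner packet whose ESP encapsulation still fits in wan_mtu,
    i.e. the MTU to set on the tunnel interface to avoid fragmenting ESP."""
    for inner in range(wan_mtu, 0, -1):
        if esp_tunnel_size(inner, cipher, nat_t) <= wan_mtu:
            return inner
    raise ValueError("WAN MTU too small for any payload")


def tcp_mss_clamp(wan_mtu=1500, cipher="aes-gcm-128", nat_t=False):
    """TCP MSS to clamp on the tunnel: inner MTU minus a 20-byte IPv4 header
    and a 20-byte TCP header (no options)."""
    return max_inner_mtu(wan_mtu, cipher, nat_t) - 40


if __name__ == "__main__":
    for suite in CIPHERS:
        for nat_t in (False, True):
            print(f"{suite:13} nat_t={nat_t!s:5} 1400B -> "
                  f"{esp_tunnel_size(1400, suite, nat_t)}B on the wire "
                  f"({overhead_pct(1400, suite, nat_t):.1f}%), "
                  f"inner MTU {max_inner_mtu(1500, suite, nat_t)}, "
                  f"MSS {tcp_mss_clamp(1500, suite, nat_t)}")
```

For a 1400-byte inner packet the CBC/SHA1 suite adds 64 bytes and AES-GCM adds 56, which is the 4 to 5% range the post quotes. The practical number is the MSS: with a 1500-byte WAN MTU and AES-GCM the inner MTU is 1446 and the MSS clamp 1406, and NAT-T costs another 8 bytes on both. Leave the tunnel at 1500 and every full-size TCP segment becomes two ESP packets, which is the fragmentation that "will destroy throughput".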
Just because you can doesn't mean you should. If you're really looking for a secure network you most certainly should not. As others said, the picture is pretty though.
If it were actually in bridge mode it would not really be an issue. The real issue is that their gear is not in bridge mode and that there is no bridge mode. In some cases there are options but those likely won't work with most new installations and definitely don't work with the >1Gbps tiers.
Is there a switch connected to the router not shown in the diagram? I ask this not having used Mikrotik devices but in general routers frown, read puke and don't allow, on having the same subnet connected to multiple interfaces. That said, from a security standpoint wireless and wired should...
I'll throw in that Minos stands behind their auctions. I've bought a lot of gear from them over the years and never had any problems with returns even when it was clear UPS caused the problems.
This is absolutely political and 30 years in the making. This is the Cuban missile crisis being played out over again with the role of Cuba played by Ukraine and the role of the USSR split between the US and the EU. Russia is playing the role of the US. It has nothing to do with democracy.
Not seeing any problems here with Spectrum or ATT Fiber. Should also add Hurricane Electric to the list since IPv6 is riding a tunnel over to them to get out.
You ask about a router and then describe access point problems. As Eulogy says, all in one devices are generally not especially good at anything and poor substitutes for dedicated devices, and even more to the point these are services that generally should not be supplied from the same location...
More true words have never been typed than the ones above here ^^^^^^^^
We know this because he/she/it expects Ethernet errors from layer 3.
Either way you should wipe and reset to default before using. Seeing as you did not know they were managed my guess is you did not. I would suggest starting over.
It's been a while since I've used my cisco-fu but I assume you started with "wr mem erase" yes? If not I would recommend a do over starting with that.
edit: Actually you'll need to delete the vlan.dat file after you erase the config because in their infinite wisdom cisco decided that erasing...
I would check the output of netstat -r and arp -a on each machine to make sure it matches expectations. I would also disconnect two of the networks and test one network at a time.
A switch would not be used for port forwarding. I would suggest hitting ebay and picking up one of the many Fortigate 140-POE firewalls available there. They can be used as your switch and a firewall to do your forwarding and terminate an ipsec or ssl/tls vpn. Before you ask none of them are...
As a very happy Sonos user and a user of many poor attempts prior I'll add this. If the way Sonos controls the volume of grouped units is so obvious, why then did no one do it that way previously? Most things seem obvious once you've seen them done. It wasn't so obvious before and when Sonos did it...
That has been my experience and the company's. Most of my division is WFH and has been long before this current mess. They have found that they are much more productive than other divisions that are not as WFH friendly. My team is distributed from eastern Europe to Hawaii and aside from the...