-
TP-Link cold feet - go for ubiquiti instead?
cross-posted from: https://lemmy.world/post/21641378
> So I just added a TP-Link switch (TL-SG3428X) and access point (EAP670) to my network, using OPNSense for routing, and was previously using a TP-Link SX-3008F switch as an aggregate (which I no longer need). I'm still within the return window for the new switch and access point, and have to admit the sale prices were my main reason for going with these items. I understand there have been recent articles mentioning TP-Link and security risks, so I'm thinking if I should consider returning these, and upping my budget to go for Ubiquiti? The AP would only be like $30 more for an equivalent, so that's negligible, but a switch that meets my needs is about 1.6x more, however still only has 2 SFP+ ports, while I need 3 at absolute minimum.
>
> I'm generally happy with the performance, however there is a really annoying bug where if I reboot a device, the switch drops down to 1G speed instead of 10G, and I have to tinker with the settings or reboot the switch to get 10G working again. This is true for the OPNSense uplink, my NAS and workstation. Same thing happened with the 3008F, and support threads on the forums have not been helpful.
>
> In any case, any opinions on whether switching to Ubiquiti would be worth it?
-
How do I set up a wireguard configuration that acts like a nat?
I have a server with wireguard in a container with host networking. I want to assign an IPv6 subnet to each peer (eg: `fd42:413d:a91f:dd37::/64`) so that the client (my laptop) can freely use all the addresses in that subnet and the corresponding port ranges as a separate network interface. Meanwhile on the server, that exact same IP and port is routed to that specific client through the tunnel. Here's an example:

1. Server config

```ini
[Interface]
Address = fd42::1/128
ListenPort = 51820
PrivateKey = <key>

[Peer]
PublicKey = <key>
AllowedIPs = fd42:413d:a91f:dd37::/64
```

2. Client config

```ini
[Interface]
PrivateKey = <key>
Address = fd42:413d:a91f:dd37::1/64

[Peer]
PublicKey = <key>
Endpoint = server.local:51820
AllowedIPs = fd42:413d::/32, fd42:413d:a91f:dd37::/64
```

3. Run a server on the client

```sh
python -m http.server 8080 --bind fd42:413d:a91f:dd37::1 -d dist
```

4. Access on the server

```sh
curl -svL http://[fd42:413d:a91f:dd37::1]:8080/
```

I can't get step 4 to work. It's also entirely possible that my lack of knowledge in networking is making me think this is even possible in the first place. Any help is appreciated!
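An added checker, not part of the post above: given a server and a client config, it applies WireGuard's cryptokey-routing rules (a peer's packets are only accepted from, and only sent to, addresses inside that peer's AllowedIPs) and reports inconsistencies. The two configs are copied from the post with the `<key>` placeholders kept; run on them, the checker reports that the server's own tunnel address `fd42::1` is outside the client's AllowedIPs (`fd42:413d::/32` does not contain it), so the client never sends to that address through the tunnel. Host-side routing (how the client answers on every address of the /64) is outside what this checks.

```python
import ipaddress
from typing import Dict, List

# Configs copied from the post; <key> placeholders are kept as-is (never real keys).
SERVER_CONF = """
[Interface]
Address = fd42::1/128
ListenPort = 51820
PrivateKey = <key>

[Peer]
PublicKey = <key>
AllowedIPs = fd42:413d:a91f:dd37::/64
"""

CLIENT_CONF = """
[Interface]
PrivateKey = <key>
Address = fd42:413d:a91f:dd37::1/64

[Peer]
PublicKey = <key>
Endpoint = server.local:51820
AllowedIPs = fd42:413d::/32, fd42:413d:a91f:dd37::/64
"""


def parse_wg_config(text: str) -> Dict[str, object]:
    """Minimal wg-quick INI parser: one [Interface] dict plus a list of [Peer] dicts.
    configparser is not used because it rejects repeated [Peer] section names."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None:
            raise ValueError(f"key outside of a section: {line}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line}")
        current[key.strip()] = value.strip()
    return {"Interface": interface, "Peer": peers}


def _networks(csv: str):
    return [ipaddress.ip_network(x.strip(), strict=False) for x in csv.split(",") if x.strip()]


def _addresses(csv: str):
    return [ipaddress.ip_interface(x.strip()).ip for x in csv.split(",") if x.strip()]


def check_pair(server_conf: str, client_conf: str) -> List[str]:
    """Cross-check one server/client pair against WireGuard's cryptokey routing.
    Returns human-readable findings; an empty list means the routing is consistent."""
    server = parse_wg_config(server_conf)
    client = parse_wg_config(client_conf)
    server_allowed = [n for p in server["Peer"] for n in _networks(p.get("AllowedIPs", ""))]
    client_allowed = [n for p in client["Peer"] for n in _networks(p.get("AllowedIPs", ""))]
    server_addrs = _addresses(server["Interface"].get("Address", ""))
    client_addrs = _addresses(client["Interface"].get("Address", ""))
    findings: List[str] = []

    # Inbound on the server: a decrypted packet whose source is outside the peer's AllowedIPs is dropped.
    for ip in client_addrs:
        if not any(ip in n for n in server_allowed):
            findings.append(f"client address {ip} is not inside the server's AllowedIPs for that peer")

    # Outbound on the client: only destinations inside AllowedIPs are sent through the tunnel at all.
    for ip in server_addrs:
        if not any(ip in n for n in client_allowed):
            findings.append(f"server address {ip} is not inside the client's AllowedIPs, so the client cannot reach it via the tunnel")

    # The server must not route its own tunnel address to a peer.
    for ip in server_addrs:
        for n in server_allowed:
            if ip in n:
                findings.append(f"server address {ip} lies inside {n}, which is routed to a peer")
    return findings


if __name__ == "__main__":
    for f in check_pair(SERVER_CONF, CLIENT_CONF) or ["no routing inconsistencies found"]:
        print(f)
```

Adding `fd42::1/128` to the client's AllowedIPs makes the checker report nothing, which is the minimum for step 4's reply traffic to have a path back.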
-
Turkish government just blocked access to YouTube after a terrorist attack - but the Vivaldi browser on my desktop still connects?
It also connects to Discord, supposed to be blocked since more than a week. No other device or browser I have connects to YouTube, they all get `ERR_SOCKET_NOT_CONNECTED`, and only a fresh Vivaldi profile on the same PC also connects to Discord; everything else gets `ERR_CONNECTION_RESET`. I've tried disabling all extensions, it still connects. Checked its IP address and DNS server and they're the same as other devices/browsers. Any idea what could be going on?
24m edit: Discord just started working on some other chromium browsers including on another device.
80m edit: Another chromium browser just also connected. After deleting browser data it stopped.
edit 3: found that if I add this to the servers section of a `Network Persistent State` file associated with a chromium browser profile (while the browser is closed), it can connect to youtube. Can't explain why. (anonymization says `https://www.youtube.com` + some number that doesn't matter in the beginning, in base64):

```json
{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13376788973168704","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABMAAABodHRwczovL3lvdXR1YmUuY29tAA==",false],"server":"https://www.youtube.com","supports_spdy":true}
```
Edit 4: The block is gone
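An added example, not from the post: a small Python inspector for the kind of `Network Persistent State` entry quoted above. It walks the JSON for any `servers` list, reports each learned Alt-Svc (the origin, the protocol and ALPN, the port and the expiry converted from Chromium's microseconds-since-1601 clock) and decodes the `anonymization` key. For a defender this is what you would run over a seized or audited profile to see which origins the browser will attempt directly over QUIC on UDP 443 without a prior TCP handshake, which is why a TCP-only block can appear not to apply. The wrapper around the single quoted entry is constructed (the real file nests `servers` deeper), and the blob layout (a Chromium Pickle: 32-bit little-endian payload length, then a length-prefixed string) is inferred from the posted value, which decodes to `https://youtube.com`.

```python
import base64
import json
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

# Constructed wrapper around the single entry quoted in the post; the real file nests
# "servers" deeper, so the walker below searches the document for any "servers" list.
SAMPLE_STATE = json.dumps({
    "servers": [
        {
            "alternative_service": [
                {"advertised_alpns": ["h3"], "expiration": "13376788973168704",
                 "port": 443, "protocol_str": "quic"}
            ],
            "anonymization": ["GAAAABMAAABodHRwczovL3lvdXR1YmUuY29tAA==", False],
            "server": "https://www.youtube.com",
            "supports_spdy": True,
        }
    ]
})

# Chromium persists times as microseconds since 1601-01-01 UTC (the Windows FILETIME epoch).
_CHROMIUM_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chromium_time(us: str) -> datetime:
    return _CHROMIUM_EPOCH + timedelta(microseconds=int(us))


def decode_anonymization(blob_b64: str) -> Optional[str]:
    """Decode the network-anonymization key. Assumed layout (inferred from the posted
    value): 32-bit LE payload length, 32-bit LE string length, the string, padding."""
    raw = base64.b64decode(blob_b64)
    if len(raw) < 8:
        return None
    payload_len, str_len = struct.unpack_from("<II", raw, 0)
    if payload_len + 4 > len(raw) or 8 + str_len > len(raw):
        return None
    return raw[8:8 + str_len].decode("utf-8", errors="replace")


def _find_servers(node: Any) -> List[dict]:
    """Return every dict entry stored under a "servers" list, at any depth."""
    found: List[dict] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "servers" and isinstance(value, list):
                found.extend(e for e in value if isinstance(e, dict))
            else:
                found.extend(_find_servers(value))
    elif isinstance(node, list):
        for value in node:
            found.extend(_find_servers(value))
    return found


def list_alt_services(state_json: str) -> List[Dict[str, Any]]:
    """Summarise learned Alt-Svc entries: which origins the profile will try over
    QUIC/HTTP-3 first, on which port, until when, and under which top-frame key."""
    out: List[Dict[str, Any]] = []
    for entry in _find_servers(json.loads(state_json)):
        anon = entry.get("anonymization") or [None]
        key = decode_anonymization(anon[0]) if isinstance(anon[0], str) else None
        for alt in entry.get("alternative_service", []):
            out.append({
                "server": entry.get("server"),
                "protocol": alt.get("protocol_str"),
                "alpns": alt.get("advertised_alpns", []),
                "port": alt.get("port"),
                "expires": chromium_time(alt["expiration"]) if "expiration" in alt else None,
                "top_frame_site": key,
            })
    return out


if __name__ == "__main__":
    for item in list_alt_services(SAMPLE_STATE):
        print(item)
```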
-
ASUS N66U with VPN Client on WAN interface, disable traffic when VPN server connection is down
I have an ASUS N66U.
I have configured the WAN interface to use a VPN Client to connect to a 3rd party VPN Server, so that all NAT LAN connected device traffic is routed through the 3rd party VPN server.
But if the 3rd party VPN server goes down, or the connection is otherwise lost or broken, the Asus N66U will route directly from the WAN connection using e.g. my ISP.
How can I stop my Asus N66U from routing any traffic on the WAN port if the VPN connection is down?
-
LAN: authentication and monitor data consumption
Hi,
I would like to create a LAN where each node needs to authenticate before gaining access to the LAN, and secondly be able to monitor the data consumption of each node and even limit the speed for a node when exceeded.
I'm looking for something FLOSS, for example a single-board computer with GNU/Linux etc.
Maybe some distribution or solution already exists for this?
Thanks.
-
IPv6 Networking - Router Advertisements, DHCPv6, and No Assigned Addresses
Greetings all!
I have been working on getting a new network setup. The current test host (A server running OpenSUSE Leap 15.6 w/ Wicked) is able to get routes and obtain an address via DHCP from the router of the network (running OPNSense 24.7.6), but is unable to resolve routes and obtain an address via the local DHCPv6 server. Admittedly, I am not great with IPv6 doubled with the ISP for this network granting a statically-defined /128 address for the router and manually-delegated /64 address blocks.
The OPNSense configuration has a /64 address block assigned as its address space for the LAN interface. The configuration has the ISC DHCPv6 server allocating address range 2602:xxxx:xxxx:xxxx::8888:0 - 2602:xxxx:xxxx:xxxx::8888:ffff. The radvd server is set to managed, set with an automatic source address, set to advertise the default gateway, set to use the dhcpv6 dns configuration, and set with no additional routes advertised.
As noted, the OpenSUSE machine is unable to get any routes beyond link-local via ipv6 nor is it able to automatically be assigned an ipv6 address from the DHCPv6 server. I have done some diagnostics, but have been unable to determine any conclusive issue.
Starting ip route and address checks:

`ip -6 addr`

```
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:a4ee/64 scope link proto kernel_ll   [OpenSUSE Leap 15.6 Server link-local address]
       valid_lft forever preferred_lft forever
```

`ip -6 route`

```
fe80::/64 dev eth0 proto kernel metric 256 pref medium
```

The eth0 interface noted is using a standard configuration as provided by Wicked (BOOTPROTO=dhcp, STARTMODE=auto, ZONE=public). Testing dhcpv6 address acquisition by hand results in nothing:

`wicked test dhcp6 -m auto eth0`

```
wicked: eth0: Request to acquire DHCPv6 lease with UUID <$uuid-a> in mode auto
```

However, testing in forced managed mode does get results from the DHCPv6 server:

`wicked test dhcp6 -m managed eth0`

```
wicked: eth0: Request to acquire DHCPv6 lease with UUID <$uuid-b> in mode managed
INTERFACE='eth0'
TYPE='dhcp'
FAMILY='ipv6'
UUID='<$uuid-b>'
IPADDR='2602:xxxx:xxxx:xxxx::8888:807/128'   [theoretical bound address on LAN]
PREFIXLEN='128'
DNSSERVERS='2602:xxxx:xxxx:xxxx::1'   [LAN address of router]
DNSSEARCH='<$domain>'
ACQUIRED='1729020515'
CLIENTID='<$clientid>'
SERVERID='<$serverid>'
SERVERADDR='fe80::xxxx:xxxx:xxxx:a4ee'   [OpenSUSE Leap 15.6 Server link-local address]
```
So unless I am mistaken at this point, this likely means that something is going wrong with the Router Advertisements for the system to not automatically try get assigned an ipv6 address. Checking a router advertisement broadcast to the OpenSUSE server, I am not seeing anything out of the ordinary:
`radvdump`

```
# radvd configuration generated by radvdump 2.17
# based on Router Advertisement from fe80::xxxx:xxxx:xxxx:4eb4   [router link-local on LAN]
# received by interface eth0

interface eth0
{
	AdvSendAdvert on;
	# Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
	AdvManagedFlag on;
	AdvOtherConfigFlag on;
	AdvReachableTime 0;
	AdvRetransTimer 0;
	AdvCurHopLimit 64;
	AdvDefaultLifetime 1800;
	AdvHomeAgentFlag off;
	AdvDefaultPreference medium;
	AdvLinkMTU 1500;
	AdvSourceLLAddress on;

	prefix 2602:xxxx:xxxx:xxxx::/64   [public /64 address block manually delegated as LAN]
	{
		AdvValidLifetime 86400;
		AdvPreferredLifetime 14400;
		AdvOnLink on;
		AdvAutonomous off;
		AdvRouterAddr off;
	}; # End of prefix definition

	RDNSS 2602:xxxx:xxxx:xxxx::1   [LAN address of router]
	{
		AdvRDNSSLifetime 600;
	}; # End of RDNSS definition

	DNSSL <$domain>
	{
		AdvDNSSLLifetime 600;
	}; # End of DNSSL definition
}; # End of interface definition
```

`sysctl -a | grep eth0.accept_ra`

```
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.eth0.accept_ra_from_local = 0
net.ipv6.conf.eth0.accept_ra_min_hop_limit = 1
net.ipv6.conf.eth0.accept_ra_mtu = 1
net.ipv6.conf.eth0.accept_ra_pinfo = 1
net.ipv6.conf.eth0.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.eth0.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.eth0.accept_ra_rtr_pref = 1
```
Am I missing something with why Wicked doesn't actually get a proper route to the LAN nor an address via IPv6?
To recap: IPv4 works, this is the only device connected to the network thus far, IPv6 configuration appears (to me at least) correct for the router advertisements and DHCPv6 config.
EDIT:
Found the source of the problem. The OPNSense configuration is in fact correct for what I want to do. The issue is on the OpenSUSE machine. I forgot about a funny little Linux kernel networking quirk regarding IPv6 forwarding. In OpenSUSE, enabling forwarding for IPv6 from the installer keeps `net.ipv6.conf.*.accept_ra` set to 1. However, setting `net.ipv6.conf.*.forwarding` to 1 will disable accepting routes from RA, and, in my case, also breaks the automatic IPv6 configuration from DHCPv6 that I expected without forcing managed mode on the Linux server. Unless I feel like bypassing some functionality provided by the router, one needs to set `net.ipv6.conf.*.accept_ra` to 2 for all affected network interfaces. This enforces accepting routes with forwarding enabled. This in turn for my case also allows for DHCPv6 resolution to function without forcing or bypassing it from the OpenSUSE machine. I can only assume the reason this isn't just the default when applied from the installer is that fully-manual static IP addressing is expected rather than wanting to use DHCP reservations for assigning addresses.

So in short: all is good with the OPNSense configuration. I needed to change the sysctl flag `net.ipv6.conf.eth0.accept_ra = 1` to `net.ipv6.conf.eth0.accept_ra = 2`, in order to forcefully accept RA routes and normal DHCPv6 address assignment on my ethernet interface. This is necessary because I need forwarding over IPv6 for the affected machine.
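An added diagnostic, not part of the post above, that encodes the kernel rule the EDIT identifies: `accept_ra` of 0 never honours Router Advertisements, 1 honours them only while `forwarding` is 0, and 2 honours them regardless. It parses `sysctl` output of the form shown in the post and a radvdump-style dump, and reports whether a default route and a DHCPv6-driven address can be expected on the interface. The sysctl sample reuses the post's `accept_ra = 1` line and adds a constructed `forwarding = 1` line (the post states forwarding was enabled); the radvdump sample is constructed with the documentation prefix `2001:db8:1::/64` and the same M/O/A flags the post shows.

```python
import re
from typing import Dict, Optional

# sysctl lines: accept_ra as shown in the post, forwarding constructed per the EDIT.
SYSCTL_SAMPLE = """net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.accept_ra_defrtr = 1
"""

# Constructed radvdump-style output with the documentation prefix and the post's flags (M on, O on, A off).
RADVDUMP_SAMPLE = """interface eth0
{
        AdvSendAdvert on;
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        AdvDefaultLifetime 1800;

        prefix 2001:db8:1::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous off;
        };
};
"""


def parse_sysctl(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines as printed by sysctl -a (integer values only)."""
    vals: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(-?\d+)\s*$", line)
        if m:
            vals[m.group(1)] = int(m.group(2))
    return vals


def ra_honoured(accept_ra: int, forwarding: int) -> bool:
    """Linux semantics of net.ipv6.conf.<if>.accept_ra:
    0 = never, 1 = only while forwarding is disabled, 2 = even when forwarding."""
    if accept_ra <= 0:
        return False
    if accept_ra == 1:
        return forwarding == 0
    return True


def parse_radvdump(text: str) -> Dict[str, Optional[object]]:
    """Pull the M/O flags, the advertised prefix, its A flag and the default lifetime."""
    info: Dict[str, Optional[object]] = {"managed": None, "other": None, "prefix": None,
                                         "autonomous": None, "default_lifetime": None}
    for raw in text.splitlines():
        parts = raw.strip().rstrip(";").split()
        if len(parts) != 2:
            continue
        key, val = parts
        if key == "AdvManagedFlag":
            info["managed"] = val == "on"
        elif key == "AdvOtherConfigFlag":
            info["other"] = val == "on"
        elif key == "AdvAutonomous":
            info["autonomous"] = val == "on"
        elif key == "prefix":
            info["prefix"] = val
        elif key == "AdvDefaultLifetime":
            info["default_lifetime"] = int(val)
    return info


def diagnose(iface: str, sysctl_text: str, radvdump_text: str) -> Dict[str, object]:
    """Combine host sysctls with what the router advertises into an expected outcome."""
    s = parse_sysctl(sysctl_text)
    ra = parse_radvdump(radvdump_text)
    accept_ra = s.get(f"net.ipv6.conf.{iface}.accept_ra", 1)
    forwarding = s.get(f"net.ipv6.conf.{iface}.forwarding", 0)
    honoured = ra_honoured(accept_ra, forwarding)
    defrtr = s.get(f"net.ipv6.conf.{iface}.accept_ra_defrtr", 1) == 1
    if ra["managed"]:
        method = "dhcpv6"   # M flag set: the client is told to run stateful DHCPv6
    elif ra["autonomous"]:
        method = "slaac"    # A flag on the prefix: the client self-assigns an address
    else:
        method = "none"
    return {
        "ra_honoured": honoured,
        "default_route_expected": honoured and defrtr and (ra["default_lifetime"] or 0) > 0,
        # Without a processed RA the client never sees the M flag, so auto-mode DHCPv6 never starts.
        "address_method": method if honoured else "none",
        "fix": None if honoured else f"sysctl -w net.ipv6.conf.{iface}.accept_ra=2",
    }


if __name__ == "__main__":
    print(diagnose("eth0", SYSCTL_SAMPLE, RADVDUMP_SAMPLE))
```
-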
Is my proxy setup safe?
I'm currently working on setting up a proxy on my home computer to bypass my school's blockers, and want to see if I can make any improvements to security. To be clear, I haven't opened this to the internet yet, I'm asking BEFORE doing that.
The setup is thus: I have a squid server running on my linux laptop, which will only allow authenticated users through. It's no longer listening to the default port (3128) and is instead listening to a port in the 10000-20000 range. I would have both my router and modem set to forward that same port, and my laptop's local IP address is static.
This is a consumer internet connection, so Dynamic DNS, but I have a NOIP address ready to connect once I open the ports (already have the client installed and running, just throws an error on the website because it can't get through the port.)
I'll be connecting to my proxy server through the FoxyProxy extension, rather than through the Windows 11 control panel on my school laptop, because I don't have access to that specific part of the control panel.
That's the sum total of the setup I've got thus far. It only needs to be able to support my lone connection, I'm not sharing this around. Any improvements to be made?
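An added configuration linter, not from the post: it reads a `squid.conf` and checks the properties the post's setup relies on (a non-default `http_port`, a `proxy_auth` ACL backed by `auth_param`, no `http_access allow` that bypasses that ACL, and a closing `http_access deny all`, since Squid's documented default when nothing matches is the opposite of the last rule). It also flags one point the post does not mention: Basic proxy credentials cross the client's network in clear on a plain `http_port` unless the client hop uses `https_port` or a VPN. The sample config is constructed to resemble the described setup.

```python
from typing import List

# Constructed squid.conf resembling the setup the post describes: a non-default listening
# port and Basic proxy authentication required before any request is allowed.
SAMPLE_SQUID_CONF = """
http_port 14321
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm home-proxy
acl authenticated proxy_auth REQUIRED
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow authenticated
http_access deny all
"""


def parse_directives(text: str) -> List[List[str]]:
    """Split squid.conf into token lists, dropping comments and blank lines."""
    out: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def lint_squid(text: str) -> List[str]:
    """Return findings about exposure of the proxy; an empty list means nothing was flagged."""
    findings: List[str] = []
    d = parse_directives(text)

    http_ports = [t[1] for t in d if t[0] == "http_port" and len(t) > 1]
    https_ports = [t for t in d if t[0] == "https_port"]
    if any(p.rsplit(":", 1)[-1] == "3128" for p in http_ports):
        findings.append("http_port uses the default 3128; scanners probe it first (moving it is obscurity only, keep auth regardless)")

    # ACLs of type proxy_auth are the only ones that require a credential check.
    auth_acls = {t[1] for t in d if t[0] == "acl" and len(t) >= 4 and t[2] == "proxy_auth"}
    has_auth_param = any(t[0] == "auth_param" for t in d)
    if not has_auth_param or not auth_acls:
        findings.append("no proxy_auth ACL backed by auth_param: the proxy is open to anyone who finds the port")

    access = [t for t in d if t[0] == "http_access" and len(t) >= 3]
    for t in access:
        if t[1] == "allow" and ("all" in t[2:] or not (set(t[2:]) & auth_acls)):
            findings.append(f"'{' '.join(t)}' allows unauthenticated use")
    if not access or access[-1][1:3] != ["deny", "all"]:
        findings.append("http_access list does not end with 'deny all'; Squid's default when nothing matches is the opposite of the last rule")

    if has_auth_param and not https_ports:
        findings.append("Basic proxy credentials travel in clear over http_port; serve clients via https_port or wrap the hop in a VPN")
    return findings


if __name__ == "__main__":
    for f in lint_squid(SAMPLE_SQUID_CONF) or ["no findings"]:
        print(f)
```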
-
Using a chromecast without a google account?
cross-posted from: https://programming.dev/post/19441371
> cross-posted from: https://programming.dev/post/19441320
>
> > cross-posted from: https://programming.dev/post/19441267
> >
> > > I have a 2nd-gen chromecast, it's factory reset. If I plug it in all it tells me is to install the app to start configuring.
> > >
> > > I don't have a google account nor do I want to install/use google-related stuff on my phone.
> > >
> > > My home router doesn't register any new device, which makes sense since the cast doesn't know the SSID/pass of the WiFi.
> > >
> > > Does it try to ping some service/port? Multicast perhaps? Where would it get an IP from without authenticating?
> > >
> > > My (wired) PC runs gentoo.
> > >
> > > How can I get it to work in these conditions?
-
Network Simulator which one ? (FLOSS)
Hi,
I would like to make some simple network simulations
I've tried to get a few running (under Linux or Windows):
- Kathara
- GNS3
- EVE-NG (3.1 GB ! to download )
- omnetpp
- ns-3
- Cisco Packet Tracer (Not FLOSS, if I'm not mistaken )
The only one that I managed to install, run and use (set some nodes) was sadly the Cisco Packet Tracer ...
The others have an install process that is way too complex, or with such layers of dependencies, or more simply the way they work is too complex (running a side VM for each node etc.), which makes them challenging to install.
Do you know a FLOSS network simulator that is easy to install?
Thanks.
-
Do I need open unifi or is a simple router okay for my setup?
I'm moving into a new apt and the ISP is trying to rent a router at $20/mo, so I'd like to get my own router.
I'm considering setting up OPNsense for the router and TP-Link Omada for the AP and switch.
But this feels a bit overkill for an apt. Should I just get an all-in-one router instead? What are the pros and cons?
-
Port forwarding without global routing with OpenVPN
cross-posted from: https://lemmy.dbzer0.com/post/26553762
> How can I use my VPN's port forwarding feature while also disabling global routing by adding "route-nopull" in the OpenVPN config? Using hide.me vpn
>
> I found a relevant post, but the links to the answers don't work anymore: https://forum.netgate.com/topic/127557/openvpn-client-port-forwarding-route-nopull-issue
-
Got My Comptia Trifecta Certs!
Didn't know where else to post this but figured I would just leave it here. Hopefully I can get some kind of job with this.
-
Networking Infrastructure Attack Causing Train Delays Ahead of Opening Ceremony
www.abc.net.au: France's high-speed rail network hit by arson attacks hours before Olympics ceremony. Fires started in railway cabling have impacted up to 800,000 people across the French railway network on the eve of the Paris Olympics.
"Train operator SNCF's chief executive, Jean-Pierre Farandou, said the attackers had started fires in "conduits carrying multiple (fibre-optic) cables" that carried "safety information for drivers" or control the motors for points."
Seems this kind of attack is becoming more commonplace. It used to just be the occasional tractor or digger damaging fibre, but now it seems to be intentional.
https://www.abc.net.au/news/2024-07-26/vic-teens-charged-over-politically-motivated-graffiti-josh-burns/104147956
-
It is so confusing in europe having a Cca required rating vs CCA cable makeup.
In Belgium, we are forced by law to use Cca data cables because of "lower fire risk" while I hear literally everywhere that CCA data cables have a much higher fire risk.
Everything here has to comply with the Euroclass chart level Cca or higher, which is confusing because they seem to be combustibility (ca) ABCDEF ratings, making the minimum required in Belgium (and the most prevalent) Cca.
I think for example that getting this for PoE (sorry, in Dutch) would be fine because it does say that it is pure copper, but it also says that it is CCA which is confusing.
Not really a question or anything, just very confusing considering Cca and Eca are the 2 cable types used for residential homes which happen to correspond also to Copper clad aluminum and Enhanced Circuit Integrity. Adds extra probably completely unnecessary stress.
-
Protecting outdoor LAN port from infiltration?
If you have an outdoor Ethernet port—in my case with a WiFi AP connected—how can you go about protecting your network from somebody jacking in?
Is there a way to bind that port to only an approved device? I figured a firewall rule to only allow traffic to and from the WiFi AP IP address, but would that also prevent traffic from reaching any wireless clients connected to the AP?
Edit: For more context, my router is a Ubiquiti UDM and the AP is also a UniFi AP.
-
How to set up local home video game streaming with two routers?
I haven't really done home networking since Windows XP / gnome only Ubuntu days, so rusty is an understatement.
Currently, due to the layout of my apartment, I have my main PC in a bedroom connected to a gli.net Velica router, which then connects to the wall, which then connects to a TP-Link switch (1), which is connected to the internet.
In the living room, where I want to stream to a Raspberry Pi that has Android TV (lineage os), I have the Pi and 2 Nintendo Switches connected to another TP-Link switch (2), which is then connected to another gli.net router, which connects to the wall and then to TP-Link switch (1) which is connected to internet.
How do I set up a local LAN network so that my computer can then stream to the Pi via Steam Link, Moonlight, Sunshine, or any other recommended option?
Layout

```
Bedroom
  • Wall connection (port 3)
  |
  ∆ Velica Router 2
  |
  § PC
----------------------------------
Living Room
  • Wall connection (port 1)
  |
  ∆ Velica Router 1
  |
  × TP Link Switch 2
  |          |
  π Pi       ™ Nintendo Switch 1&2
----------------------------------
Electrical Box
  • Port 1, Port 3
  |
  × TP Link Switch 1
  |
  🌐 Internet
```
-
IVPN and AirVPN wireguard working only if i connect to them first via LTE
Hi, i have this weird issue where both my IVPN and my AirVPN connection works only if i do the following:
1. Disable WiFi
2. Connect to LTE and open either IVPN or AirVPN
3. Connect with the wireguard protocol
4. Enable WiFi and connect to it
5. Disable LTE
Now it works
If I try to connect with the wireguard protocol from WiFi directly (corporate WiFi) it doesn't work.
Any idea why?
If i Connect from my home WiFi it works normally
Thanks
-
Recurring issue in corporate wifi on windows 11 computers
Hi all, I've got an issue in my company that it's now some months that is happening to many windows users.
Basically the user changes the Windows password due to a policy that requires changing it every 3 months (I know, not ideal, but still); the user then works fine under wifi for 1-4 hours and then gets kicked out of the network.
The network is a visible SSID with WPA2-Enterprise security (AES encryption) and the authentication method is PEAP using the saved login information (from AD).
Here some test I did for troubleshooting:
1st Test: Normal password change from windows: ctrl alt canc, change pw: All good, no disconnection at all -> user is good to work
2nd Test: We force-reset a new password on the PC -> The user stays connected to wifi even 15 minutes after the reset; this means that the wireless network kept an "old token" as valid even though the Windows password changed.
- We manually disconnect from the network (turn off wifi) and reconnect -> doesn't work
- We reboot the PC, which still logs in with the OLD password -> We try to connect to wifi (without using the new pw) -> KO
- We connect an ethernet cable, we receive the message that the domain has a different pw than the PC -> lock PC -> Unlock with new password -> Wifi still doesn't work -> Reboot, login to PC with new password -> wireless works
NOTE: We suspect that this "old token" is not renewed for a while sometimes, that's why the user, even with an old pw, can still connect and work normally.
-
Somebody please explain PROXYv2 to me and the myriad of ways to do DoH?
I've been looking to implement DoH
- The first idea was to simply follow this - I do not understand the configuration fully but it looked fine.
- Then, I decided to use a proxy/Load balancer in front of BIND to deal with HTTPS.
However, I came across PROXYv2 (which is not even mentioned in the docs, just in a blog post) and the likes of DNSdist.
My questions:
- I can't find a detailed explanation of what I need to do about PROXYv2 - does my Reverse-proxy absolutely need to have it to be able to communicate with my DNS server?
- Why can't I just have any reverse-proxy that can handle HTTPS and put it in front of my DNS resolver? Does my proxy need to have a specific protocol to be able to talk DNS queries?
I am still confused, would really appreciate some help :)
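An added example, not from the post: the PROXY protocol (defined by HAProxy; "PROXYv2" is its binary version 2) is how a TCP-terminating reverse proxy tells the backend who the original client was, since after the proxy reconnects, the backend would otherwise only ever see the proxy's own address in its logs and rate limits. The encoder and parser below implement the v2 header as specified: a fixed 12-byte signature, a version/command byte, an address-family/transport byte, a 16-bit length, then source and destination addresses and ports. The parser rejects malformed headers rather than guessing, which is what a DNS backend should do, since a forged header would let a client spoof its source address in your logs. The addresses and trailing payload in the test are constructed.

```python
import socket
import struct
from typing import Dict, Tuple

# Fixed 12-byte signature that opens every PROXY v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
_PROTO = {"tcp": 0x1, "udp": 0x2}


def build_proxy_v2(src_ip: str, dst_ip: str, src_port: int, dst_port: int, proto: str = "tcp") -> bytes:
    """Encode a PROXY v2 header (command PROXY) describing the original client connection."""
    src = socket.inet_pton(socket.AF_INET6 if ":" in src_ip else socket.AF_INET, src_ip)
    dst = socket.inet_pton(socket.AF_INET6 if ":" in dst_ip else socket.AF_INET, dst_ip)
    if len(src) != len(dst):
        raise ValueError("source and destination must share an address family")
    family = 0x1 if len(src) == 4 else 0x2          # 0x1 = AF_INET, 0x2 = AF_INET6
    addr_block = src + dst + struct.pack("!HH", src_port, dst_port)
    ver_cmd = 0x21                                   # version 2, command PROXY
    return PP2_SIGNATURE + bytes([ver_cmd, (family << 4) | _PROTO[proto]]) \
        + struct.pack("!H", len(addr_block)) + addr_block


def parse_proxy_v2(buf: bytes) -> Tuple[Dict[str, object], bytes]:
    """Parse a v2 header from the start of a connection; return (info, bytes after the header).
    Raises ValueError on anything malformed so the caller drops the connection instead of trusting it."""
    if len(buf) < 16 or buf[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", buf, 12)
    if ver_cmd >> 4 != 0x2:
        raise ValueError("unsupported PROXY protocol version")
    if len(buf) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body, rest = buf[16:16 + length], buf[16 + length:]
    command = ver_cmd & 0xF
    if command == 0x0:
        # LOCAL: the proxy itself is connecting (health check); no client address is carried.
        return {"command": "LOCAL"}, rest
    if command != 0x1:
        raise ValueError("unknown PROXY v2 command")
    family, proto = fam_proto >> 4, fam_proto & 0xF
    if family == 0x1:
        alen, af = 4, socket.AF_INET
    elif family == 0x2:
        alen, af = 16, socket.AF_INET6
    else:
        raise ValueError("unsupported address family")
    need = 2 * alen + 4
    if length < need:
        raise ValueError("address block too short for the declared family")
    src, dst = body[:alen], body[alen:2 * alen]
    src_port, dst_port = struct.unpack_from("!HH", body, 2 * alen)
    info = {
        "command": "PROXY",
        "proto": {0x1: "tcp", 0x2: "udp"}.get(proto, "unspec"),
        "src": socket.inet_ntop(af, src), "src_port": src_port,
        "dst": socket.inet_ntop(af, dst), "dst_port": dst_port,
        "tlv": body[need:],   # optional TLVs (e.g. TLS details) follow the addresses
    }
    return info, rest


if __name__ == "__main__":
    header = build_proxy_v2("203.0.113.7", "198.51.100.2", 51515, 443)
    print(parse_proxy_v2(header + b"<application bytes>"))
```

Whether your reverse proxy needs to emit this depends only on whether the backend is configured to expect it: a backend expecting PROXY v2 will reject a connection that starts with a TLS ClientHello instead of the signature, and a backend not expecting it will treat the header as garbage. When the proxy terminates HTTPS and speaks HTTP to the DoH backend, the usual alternative is a forwarded-for header instead of PROXY.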