networking


Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 2 years ago
1

This turned into more of a rant, but input is welcome.

There doesn't seem to be a FOSS (or even low cost) wifi analysis tool. Ekahau, Chanalyzer, Acrylic, etc. are all $$$$$$. What's a guy trying to get relevant certs to do?

Wireshark will only show you actual wifi packets if you have the precise combination of wifi adapter, OS, and driver, and packet capturing is just one component. Spectrum analysis and evaluating mobility are also important. Seems like you have to already work in the industry to have access to these tools, and nobody's going to hire you without relevant certs which require knowledge of these tools.

(update: Someone's bound to mention Kismet. I only have a windows laptop, and kismet doesn't work [well] under windows. I do have access to a linux desktop, but wifi analysis on an immovable desktop isn't terribly useful.)

2

Context

I have a WireGuard network, which consists of some VPSs, some on-premises servers (in different premises) and some user devices (like PCs, laptops and phones). All the servers are running Debian or NixOS.

Port forwarding is only possible in VPSs, as all other devices run behind NAT/CGNAT networks.

In the current configuration, all WireGuard traffic is going through a central VPS. So, every time I need to reboot it, the entire network collapses.

Goal

I want to share the WireGuard configuration between my VPSs, and load balance the traffic between them. Since I don't have a floating IP, I am probably going to add all VPSs IPs to a domain name and let the clients decide which VPS to use.

I don't want to have separate keys on each VPS, as this makes it more time consuming to onboard new devices. It's easier to add a single VPS key to each device, and have their keys in a single shared VPS config.

Problem

Is there any way to allow the communication of 2 devices/servers, that are connected to separate VPSs?

If it's necessary, one option is to sacrifice the communication between the user devices, and configure some additional layer(s) for the servers, like OSPF or VXLAN. However, even in this case, I need the servers to be plug'n'play. I wouldn't like to reconfigure the other servers, every time a server is added or removed to/from the network (except, of course, for the WireGuard key that would need to be added/removed in the VPSs).

Relying on external services, like Tailscale is not an option.

3

G'day,

I'm on a 100/40Mbps HFC plan, and have an ongoing issue where the internet in general (browsing, file access, email, cloud hosted products, etc) will just grind to a halt.

For example, I can be accessing our CMMS and suddenly a page load will take 30+ seconds to complete. Never times out, just takes forever. Or I'm using our accounting software which syncs remotely and saving an invoice or opening a purchase order will stall for a minute.

This behaviour goes on for maybe 5 minutes or so and then goes away again. It can occur once or twice in a 10 hour day at the office, or not at all, or sometimes half a dozen times in a one hour period.

  • Local network use is unaffected (for e.g. accessing SMB shares to a local server)
  • All PCs and laptops connected to the LAN are affected so it's not PC-specific.
  • Ping is unaffected and hovers around 12ms to geographically close remote servers, with no packet loss or jitter.
  • Speedtests of any kind always return around 95/35Mbps at any time be it peak / off peak / when problem is occurring / when problem is not occurring
  • VOIP does not seem to be affected despite being on the same network and I can talk on the phone while the internet is otherwise wading its way through treacle.
  • Happens with my current ISP (Leaptel), but also happened the previous ISP (Aussie Broadband) who are 100% completely different companies and I believe use completely different peering/routing/backhaul/etc.
  • DNS seems irrelevant and occurs using either the ISP DNS, Cloudflare, Google, or Quad9
  • Some websites like Facebook and Google work, but other websites like Lemmy (any instance), Reddit, my CMMS, various wholesaler sites hosted both in AU and worldwide, are affected.

Are there any steps I can take to try and identify what causes this random delay? It's just enough to be really frustrating, especially when you're trying to look up something while on the phone and have to be like "so yeah hows the wife? hows the kids? hows the....dog? .... pet bird doing anything interesting?" as you wait for a damn page to load. I need fast internet so I don't need to make small talk dammit.

PCs are all on cat5e or cat6 (depending on when the cabling was run), to a Ubiquiti Dream Machine SE which is connected via cat6 to the NBN HFC modem.
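One way to narrow down where a stall like this lands, as an added example that is not part of the post above and not a tool the poster uses: the script below times DNS lookup, TCP connect, TLS handshake and time to first byte separately for each site, and over many samples reports which phase dominated the fetches that stalled. Clean ping and speed-test numbers alongside stalling page loads usually point at one of the connection-setup phases rather than at throughput, and splitting the timing shows which one. The host list on the command line is yours; the 5-second stall threshold and 60-second socket timeout are assumptions.

```python
"""Per-phase HTTPS timing probe (added example, not from the original post).

Splits one page fetch into the phases a stall can hide in: DNS lookup, TCP
connect, TLS handshake and time to first byte. Over many samples the phase
that keeps dominating the slow fetches is where to look next (dns -> the
resolver path, connect -> the path, CGNAT or a firewall, tls -> a middlebox
or MTU trouble, ttfb -> the far end).
"""
import socket
import ssl
import sys
import time

STALL_SECONDS = 5.0   # assumption: a fetch slower than this counts as a stall


def time_phases(host, port=443, path="/", timeout=60.0):
    """Return seconds spent in each phase of one HTTPS GET to host."""
    t = {}
    t0 = time.monotonic()
    addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    t["dns"] = time.monotonic() - t0

    t0 = time.monotonic()
    raw = socket.create_connection(addr, timeout=timeout)
    t["connect"] = time.monotonic() - t0

    t0 = time.monotonic()
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    t["tls"] = time.monotonic() - t0

    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    t0 = time.monotonic()
    tls.sendall(request.encode())
    tls.recv(1)                      # wait for the first response byte only
    t["ttfb"] = time.monotonic() - t0
    tls.close()
    return t


def attribute_stalls(samples, stall_seconds=STALL_SECONDS):
    """Count which phase dominated each stalled sample.

    samples: dicts as returned by time_phases(). A sample is a stall when
    its phases sum to more than stall_seconds; its largest phase is blamed.
    Returns {phase: number_of_stalls_blamed_on_it}.
    """
    blame = {}
    for s in samples:
        if sum(s.values()) <= stall_seconds:
            continue
        worst = max(s, key=s.get)
        blame[worst] = blame.get(worst, 0) + 1
    return blame


if __name__ == "__main__":
    # Usage: python3 phases.py lemmy.world reddit.com google.com | tee phases.log
    hosts = sys.argv[1:] or ["example.com"]
    samples = []
    while True:
        for host in hosts:
            try:
                phases = time_phases(host)
            except OSError as exc:       # DNS failure, refused, timeout
                print(time.strftime("%H:%M:%S"), host, "ERROR", exc, flush=True)
                continue
            samples.append(phases)
            flag = "STALL" if sum(phases.values()) > STALL_SECONDS else "ok"
            print(time.strftime("%H:%M:%S"), host, flag,
                  " ".join(f"{k}={v:.2f}s" for k, v in phases.items()), flush=True)
        print("stalls by phase so far:", attribute_stalls(samples), flush=True)
        time.sleep(10)
```

Run it in parallel against a site that stalls and one that does not; if only the stalling sites show a long `connect` or `tls` phase while `dns` stays flat, the resolver is cleared and the path to those particular destinations (or something in between that treats them differently) is the next thing to test.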

4

Hey all,

This is probably a very easy one for folks here. It’s been quite some time since I’ve done anything professionally but I was for a long time. Basically, for a while, my systems have experienced intermittent issue that for approximately 30 seconds, can’t get any WAN activity. I can still communicate with other systems within my network. - this is a home situation. The only thing that changed sort of around when this started was I configured my two access points as a mesh - pseudo, since they’re not actually mesh technically. Like, I just made same SSIDs, but different channels. This way I could get around and my devices would hop. And it’s worked nicely. Only issue has been occasionally a device tries to hang on desperately which I know is like the most common problem, but I am gonna play with signal strength if the APs support modifying that. 

Anyway, I’m getting off topic. But yeah, that was the only thing that changed but I really think it’s just a coincidence. It’s definitely not the wifi itself because the problem occurred on a wired machine as well. 

My setup is I have the cable device in bridge mode and I have a Sonicwall as my router. I also have a site-to-site VPN with another Sonicwall at a remote location for a variety of purposes. That setup has been on and stable for like 15 years almost, and it’s fine. 

So, really my first idea is I want to run software that can continually test the connection for like 12 hours, and log when the connection goes down and for how long. Obviously I thought of just running a ping, but I wanted to know if there’s anything that will try varying destinations over time, and track the results so I can analyze for more than just how long and when. Also I don’t know if some servers might misconstrue a persistent ping for many hours as a possible DDoS bot and knock me off, so I figured varying the destination has the added benefit of making sure the test is as reliable as possible. 

If I’m gonna figure out what’s wrong, and if it’s the cable device I want to be able to just tell level 2 support my results so they’ll just swap it out quickly. 

Anyway, sorry for long post but I imagine they come much longer here sometimes. If anyone has ideas as far as having seen this kind of thing, and also if there’s any FOSS software I could run to test and analyze. I prefer something easy please :-). I’d like to run the tests on two systems concurrently to see how they compare. I’ve got a windows 7 machine and a Linux machine. The Linux is on WiFi and the Win is wired. 

Also if this doesn’t belong here, I apologize; it looked kosher according to the sidebar. 

Thanks folks.

P.S. oooh also, if there’s an app for Android that can join the test as well, I’d love that. I have piles of Android devices so I would like to see how they fare, as well.
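A small logger of the kind the post asks for, as an added example (not from the post and not a recommendation of an existing tool): it rotates through a list of targets so no single host sees a sustained probe stream from one address, declares an outage only after two consecutive misses against different targets (so one bad target is not mistaken for a WAN drop), and writes one line with start time and duration when connectivity comes back. The probe is a TCP connect rather than ICMP so it also works where ping is filtered. The target list is an assumption; use hosts you are entitled to probe.

```python
"""WAN outage logger with rotating targets (added example, not from the post).

Each round probes a different target. An outage is declared after `confirm`
consecutive failures and is backdated to the first miss; when a probe
succeeds again the outage is closed and logged with its duration. Run the
same script on the wired and the wireless machine and diff the logs.
"""
import itertools
import socket
import time

# Assumption: replace with targets you may probe (your own VPS, your ISP's resolver, ...).
TARGETS = [("1.1.1.1", 53), ("9.9.9.9", 53), ("8.8.8.8", 53), ("example.com", 443)]


def tcp_probe(target, timeout=3.0):
    """True if a TCP connection to (host, port) completes within timeout."""
    try:
        with socket.create_connection(target, timeout=timeout):
            return True
    except OSError:
        return False


class OutageTracker:
    """Turns a stream of (timestamp, ok) observations into outage intervals."""

    def __init__(self, confirm=2):
        self.confirm = confirm        # consecutive failures before declaring an outage
        self.outages = []             # list of (start_timestamp, duration_seconds)
        self._fails = 0
        self._first_fail = None
        self._down_since = None

    def observe(self, ts, ok):
        """Feed one observation. Returns (start, duration) when an outage just ended, else None."""
        if ok:
            closed = None
            if self._down_since is not None:
                closed = (self._down_since, ts - self._down_since)
                self.outages.append(closed)
            self._fails, self._first_fail, self._down_since = 0, None, None
            return closed
        self._fails += 1
        if self._first_fail is None:
            self._first_fail = ts
        if self._fails >= self.confirm and self._down_since is None:
            self._down_since = self._first_fail   # backdate to the first miss
        return None


def run(targets=TARGETS, interval=2.0, probe=tcp_probe, log=print):
    """Probe forever, logging every failed probe and every closed outage."""
    tracker = OutageTracker()
    for target in itertools.cycle(targets):
        ts = time.time()
        ok = probe(target)
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))
        if not ok:
            log(f"{stamp} FAIL {target[0]}:{target[1]}")
        closed = tracker.observe(ts, ok)
        if closed:
            start, duration = closed
            log(f"{time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(start))} "
                f"OUTAGE lasted {duration:.0f}s ({len(tracker.outages)} so far)")
        time.sleep(interval)


if __name__ == "__main__":
    # Usage: python3 wanwatch.py | tee wan.log
    run()
```

With a two-second interval and four targets, each host is touched once every eight seconds, which is far below anything an operator would notice; the tracker's `confirm` value is what keeps a single unreachable target from being counted as a WAN outage.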

5

I'm a homelabber but know next to nothing about IPv6. What I do know, however, is that my ISP, Bell Canada, doesn't support it. If Bell were to work toward IPv6 support what actually needs to be done?

I imagine all their networking gear would need IPv6 IPs and IPv6-specific routing tables in addition to the IPv4 routing tables (which might need loads of RAM?), customer equipment would need to be updated or replaced and any services that Bell provides would also need to be available via IPv6. What other not obvious changes would need to be made?

6

I tried asking this in a different sub, but it got deleted, so trying here; if this is also the wrong place, I'm not sure where the right place is.

Working for an MSP, I have enterprise grade switches for my basement distribution and garage access switches, which came free from the e-cycling pile, but recent utility hikes have me rethinking things.

I'm currently running a HP 3500-48G-PoE+ yl Switch (J9311A) for the basement distribution switch, and a HP 3500-24G-PoE+ yl Switch (J9310A) as the garage access switch. My 2nd floor access switch is a USW-FLEX-MINI, though I'm looking to add a second one of these in the attic, both using PoE.

I try to keep one access switch in the same hardware class as the distribution switch in case of hardware failure. I don't really need 8 ports in the garage, but if the SHTF, I can do without internet in the garage, not so much in the house.

In the garage, the access switch is only hosting a PoE camera and access point, so there 8 ports is overkill, but redundancy.

After doing a hardware inventory, I can get by with 8 ports for the distribution switch, with at most 3 for PoE/PoE+, though I may need to move a Raspberry Pi from the Distribution switch to an access switch.

I'm looking at PoE+ over straight PoE for future-proofing, Wifi 7 etc.

My current switches together idle at 226 watts, according to their spec sheets. I want to reduce that as a cost-saving measure.

I'm looking at the Netgear GS308EP and the TP-Link TL-SG108PE V5 as good enough replacements, as they both seem to do VLANs, which I use to keep IoT things on their own VLAN.

Anybody here have a preference, or something I haven't pondered which would be a better fit for my needs?

7

Here’s a question that I can’t seem to find more info on the internet on, so I’m turning to Lemmy. Does anyone have a better understanding of the specifications around an ONT. I know it basically converts the incoming fiber (usually single mode single fiber) to an RJ45 jack for copper runs but that’s the part I’m curious about:

  • does it convert it to use standard Ethernet frames or is it a proprietary protocol?
  • if Ethernet, is the port speed 1G, 10G, etc or based on the hardware?
  • if it’s a proprietary protocol, what does it use?

I recently got a new router and noticed it’s capable of 5Gbps on one port, but that got me thinking about the ONT and if I were to upgrade my service would i also need the ONT replaced too?

8

Hi, Anyone doing audits on their routers & switches? If so, what are you using for that? For starters I'm just after the simple things like old management addresses being absent, certain firmware versions not being used, some accounts which are or are not there etc. (I've been thinking something like grep on oxidized backups but there sure must be a better way of doing it)
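The "grep on Oxidized backups" idea, written out as a small policy check, as an added example (not from the post): it walks a directory of plain-text configs, one file per device as Oxidized stores them, and checks exactly the three things listed above: management hosts that must no longer appear anywhere, a minimum firmware version, and local accounts that must or must not exist. The policy values and the IOS-style syntax of the two constructed sample configs are assumptions; the regular expressions are the part to adapt per vendor.

```python
"""Config-backup audit (added example, not from the post).

Applies a small policy to each backed-up device config and returns
(device, line_number, message) findings. Stale hosts are matched as whole
addresses so 10.0.0.5 does not match 10.0.0.50.
"""
import pathlib
import re
import sys

POLICY = {
    "stale_mgmt_hosts": ["10.0.0.5", "10.0.0.6"],   # assumption: decommissioned management hosts
    "min_version": (15, 2),                         # assumption: config carries "version MAJOR.MINOR"
    "required_users": ["netops"],
    "forbidden_users": ["admin", "cisco"],
}

# Constructed sample configs standing in for two backup files.
SAMPLE_CONFIGS = {
    "core-sw1": """\
version 15.2
hostname core-sw1
username netops privilege 15 secret 9 REDACTED
logging host 10.0.0.50
snmp-server host 10.0.0.5 version 2c public
ntp server 10.0.0.60
""",
    "edge-rtr2": """\
version 12.4
hostname edge-rtr2
username admin privilege 15 password 7 REDACTED
logging host 10.0.0.50
ntp server 10.0.0.60
""",
}


def audit_config(name, text, policy=POLICY):
    """Return a list of (device, line_number, message) findings for one config."""
    findings = []
    lines = text.splitlines()

    # 1. Stale management hosts: whole-address match, any line.
    for host in policy["stale_mgmt_hosts"]:
        pattern = re.compile(rf"(?<![\d.]){re.escape(host)}(?![\d.])")
        for n, line in enumerate(lines, 1):
            if pattern.search(line):
                findings.append((name, n, f"stale management host {host}: {line.strip()}"))

    # 2. Firmware version below the minimum.
    m = re.search(r"^version\s+(\d+)\.(\d+)", text, re.M)
    if not m:
        findings.append((name, 0, "no version line found"))
    elif (int(m.group(1)), int(m.group(2))) < policy["min_version"]:
        line_no = text[: m.start()].count("\n") + 1
        findings.append((name, line_no, f"firmware {m.group(1)}.{m.group(2)} is below the minimum"))

    # 3. Local accounts that must exist / must not exist.
    users = set(re.findall(r"^username\s+(\S+)", text, re.M))
    for user in policy["required_users"]:
        if user not in users:
            findings.append((name, 0, f"required account {user} is missing"))
    for user in sorted(users & set(policy["forbidden_users"])):
        findings.append((name, 0, f"forbidden account {user} is present"))
    return findings


def audit_directory(path, policy=POLICY):
    """Audit every file under path (e.g. the Oxidized git checkout), skipping dot-dirs like .git."""
    base = pathlib.Path(path)
    findings = []
    for p in sorted(base.rglob("*")):
        if p.is_file() and not any(part.startswith(".") for part in p.relative_to(base).parts):
            findings.extend(audit_config(p.name, p.read_text(errors="replace"), policy))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_directory(sys.argv[1])
    else:   # no directory given: run against the constructed samples
        results = [f for n, t in SAMPLE_CONFIGS.items() for f in audit_config(n, t)]
    for device, line_no, msg in results:
        print(f"{device}:{line_no}: {msg}")
    sys.exit(1 if results else 0)
```

The non-zero exit status makes it usable as a post-backup hook or a scheduled job: a run that finds nothing is silent, and anything else is a list of device:line pairs to look at.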

9

My Netgear Nighthawk wifi router just crapped out last weekend and I’m gimping along on the rental wifi router from my ISP, so I’m looking to buy a replacement and am torn: should I go with a single WiFi Router or a wired router plus a wireless access point?

I don’t need crazy throughput, just enough to handle some lite home automation, streaming, and a future NAS. My house isn’t large, so wifi coverage with a single device hasn’t been a problem so far. I’m also interested in flashing OpenWRT or DD-WRT to the router, so compatibility is a consideration. Hardware recommendations would be great!

10

I've been a proud owner of a Ubiquiti Dream Router for a good while now - live in a rural area so the Dream Machine would've been overkill for my needs.

Currently getting 300/300 from the ISP. Not bad.

Couple months ago, noticed I was getting some pretty awful speeds to my end devices, around 30/30 across the board. Wired/wireless made no difference.

Checked the periodic speed tests the UDR does, nothing; no change in bandwidth.

I hadn't changed a setting in my router in quite a while as I've been happy with my setup, so I was convinced it was a fluke. Rebooted, back to semi-normal speeds (though still short).

After dealing with this for a while, tonight I finally decided to bite the bullet and factory reset the UDR. Throughput right back to normal immediately. Restored backup - throughput still where it should be.

Am I missing something obvious??

Edit - to clarify, when I checked the speeds from router to isp, I'd been getting expected bandwidth the whole time; it was only the end devices suffering.

11
LibreNMS Vent (lemmy.ca)
submitted 2 months ago* (last edited 2 months ago) by ggiesen@lemmy.ca to c/networking@sh.itjust.works

Anyone that's thinking of implementing LibreNMS for more than a trivial setup - look elsewhere.

Unfortunately I'm married to it at $dayjob, and seldom a day goes by where it doesn't frustrate me (we monitor about 5k devices and about 40 distributed pollers).

I mentioned one day I'd write a nasty song about it, and an apt coworker quickly piped something into Copilot and this was the result (pretty good for AI-generated):

"Libre Mess (The Monitoring Blues)" 🎤

(Rock parody song)

[Verse 1]

Woke up at 3 AM, alerts screaming in my ear,

"Disk space low!" "Ping timeout!"—I live in constant fear.

Tried to check the dashboard, but it crashed again,

LibreNMS, you're my foe, not my friend.

[Chorus]

Oh Libre Mess, you're a beautiful disaster,

Your graphs load slow, but your bugs come faster.

I just want uptime, not a nervous breakdown,

But you keep dragging my whole network down!

[Verse 2]

Docs say “just run this script,” but it breaks my soul,

Dependencies from 2012? That’s your goal?

SNMP walks like it’s stuck in glue,

And your alert rules? I think they hate me too.

[Bridge]

I tried to love you, I gave you a chance,

But now I’m screaming at logs like it’s performance dance.

You gaslight me with false positives all day,

Libre, Libre, why you treat me this way?

[Chorus]

Oh Libre Mess, you chaotic beast,

You feast on my sanity, at the very least.

I’d switch to Zabbix, or maybe just cry,

But I’m too deep in configs to say goodbye.

[Outro]

So here’s my song, my monitoring lament,

For every hour LibreNMS made me vent.

You’re open-source, but my heart’s closed tight,

‘Cause Libre, you gave me one hell of a fight

12
submitted 3 months ago* (last edited 3 months ago) by kimchi@lemmy.world to c/networking@sh.itjust.works

Has anybody heard if the upcoming 47-day maximum on TLS cert lifetime will apply to Enterprise wifi auth using private PKI (especially on iOS and Android)?

We have a campus CA that signs the TLS cert used by RADIUS when students connect to wifi using personal devices. Freshmen need to accept the cert once (hopefully after checking the fingerprint), then usually one more time before graduation. Every 47 days would be difficult.

13

cross-posted from: https://infosec.pub/post/28196930

Another post in the records for the tech blog, this time all about opensource network monitoring with LibreNMS!

14

Background: I have a cellular ISP and therefore cannot configure the CGNAT. After burning through some dumb ideas (free reverse proxy, docker) I realized I could just use my paid VPN.

My setup is as follows: on the VPN server create a tunnel to AirVPN and start the openvpn daemon. This creates tun0 and tun1 with their own 10.x.x.x/24 subnets. The home network has 192.168.12.0/24.

It's possible to troubleshoot the MTU with ping -M do -s xxxx y.y.y.y to the VPN public address and test TCP/UDP sockets with nc -l -u -p 1194 .

I'm not sure if the MTU is variable across servers, but for the server I am on now ping -M do -s 1432 x.x.x.x is the biggest I can get a response from. 1432+20+8=1460 bytes.

Regardless, connecting to the home VPN through the AirVPN link still causes breakage. Discord seems to be what isn't working, mostly. Everything else has 200 ms latency as expected and not everything pings correctly. Rarely it will tell me the MTU has to be adjusted, sometimes tells me "message too long" and mostly just ignores my ping.

Can someone give me a recommendation for what MTU to be setting in my local OpenVPN server? Should I use mssfix or tun-mtu? Should I lower the MTU of the AirVPN connection? What else can I do?

Diagram:

Home -> AirVPN <- (1460 MTU) -> OpenVPN Client & server -> (1300 MTU) -> Home -> Outside World

client configuration

dev tun
proto udp
remote A.B.C.D 34183
tun-mtu 1300
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
data-ciphers AES-256-CBC
verb 3

server configuration

proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
tun-mtu 1300
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.12.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
tls-server
tls-auth /etc/openvpn/server/ta.key 0
auth-nocache
user nobody
group nogroup
cipher AES-256-CBC
data-ciphers AES-256-CBC
status /var/log/openvpn/openvpn-status.log
persist-tun
persist-key
verb 3
client-to-client
explicit-exit-notify 1

AirVPN client configuration

dev tun
remote [spoiler].vpn.airdns.org 443
resolv-retry infinite
nobind
tun-mtu 1460
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
comp-lzo no
data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto udp
auth SHA512

In the process of doing this I somehow shut my house's WiFi down...
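The `ping -M do -s` sweep from the post, automated as a binary search, plus the arithmetic for sizing the inner tunnel, as an added example (not from the post): `find_max_payload()` takes an injectable probe so the search logic itself can be exercised without a network, `path_mtu_from_payload()` reproduces the 1432 + 8 + 20 = 1460 step, and `openvpn_overhead()` estimates what an OpenVPN UDP data channel in CBC mode adds around each inner packet. The overhead constants are assumptions for the ciphers in the posted configs (AES-256-CBC with the default SHA1 `auth` HMAC); treat the resulting tun-mtu as a starting point and confirm it with a second sweep through the tunnel.

```python
"""Path-MTU sweep and inner-tunnel sizing (added example, not from the post).

find_max_payload() does what running `ping -M do -s N` by hand does, but as
a binary search; the rest turns the result into a tun-mtu for a tunnel
that itself rides inside another tunnel.
"""
import subprocess
import sys

IP_HDR, UDP_HDR, ICMP_HDR = 20, 8, 8


def ping_df(host, payload, timeout=2):
    """Probe: True if one DF-marked echo with `payload` data bytes is answered (iputils flags, as in the post)."""
    result = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_max_payload(probe, lo=0, hi=1472):
    """Largest payload in [lo, hi] for which probe(payload) is True.

    Assumes the usual monotone behaviour (small packets pass, big ones are
    dropped). Returns -1 if even `lo` fails, i.e. the path is broken rather
    than just narrow. 1472 is the largest payload that fits a 1500-byte MTU.
    """
    if not probe(lo):
        return -1
    while lo < hi:                       # invariant: probe(lo) succeeded
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload):
    """ICMP data size -> IP path MTU (1432 -> 1460, the step worked out in the post)."""
    return payload + ICMP_HDR + IP_HDR


def openvpn_overhead(hmac_len=20, cipher_block=16):
    """Worst-case bytes an OpenVPN UDP data channel in CBC mode adds around one
    inner packet (assumption): outer IP + UDP headers, the 1-byte opcode, the
    `auth` HMAC (SHA1 = 20, SHA512 = 64), one block of IV, the 4-byte packet id
    and up to one full block of padding."""
    return IP_HDR + UDP_HDR + 1 + hmac_len + cipher_block + 4 + cipher_block


def inner_tun_mtu(outer_path_mtu, overhead):
    """Largest tun-mtu whose packets still fit in one outer packet without fragmentation."""
    return outer_path_mtu - overhead


if __name__ == "__main__":
    # Usage: python3 mtu.py <VPN public address>   (run from the host that will carry the inner tunnel)
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    payload = find_max_payload(lambda n: ping_df(host, n))
    mtu = path_mtu_from_payload(payload)
    print(f"largest DF payload to {host}: {payload} -> path MTU {mtu}")
    print(f"tun-mtu that fits inside it: {inner_tun_mtu(mtu, openvpn_overhead())}")
```

With the post's 1460 outer MTU this gives a tun-mtu of 1375 for the inner link, so the 1300 already in the configs is on the safe side of that estimate. One caveat worth keeping in mind when choosing between the two options named in the post: `mssfix` only clamps the TCP MSS, so it helps TCP flows and does nothing for UDP-heavy applications such as voice; for those, only the tun-mtu (and the sending application's own packet size) matters.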

15

Hi all

For the past couple of years I have been running a Raspberry Pi4 with PiHole and PiVPN. Both of which I'm very satisfied with. My ISP recently changed the IP address assigned to me, this doesn't happen often but did cause my VPN profiles to no longer work. Simply changing the end IP address in the VPN config does not work so the configs had to be remade entirely. If this happens again and I am not near home, what would be a way to regain access? Can that be done remotely?

I am concerned with the possibility that my IP changes while I'm on a vacation and then lose access to my NAS and other home systems with no way to get it back until after.

I am considering a script that generates a new config file and sends it over email when I send a specific text to a phone, that could work. Is this over engineered? Something like a deadman switch could work too.

Thanks!

16

I will be moving into a new house in a few weeks. It's an older house (built in the 60s) and hasn't had many updates in terms of wiring. I want to be able to run a hardwire cable to each bedroom to maximize my Internet performance. My wife works from home and I'm hybrid, so I want to ensure we're not just flying on WiFi.

Are there any resources or how tos that can give me some information on where to start? What to look for? What to do first?

I'm struggling with figuring out what I should try to tackle. Should I just run an Ethernet line to the room that's an office and start there? Or is there some well thought out approach I can make?

I know this is probably vague, but any assistance would be appreciated.

17

A weird and disturbing thing is happening on my home network. I'd like some advice on how to diagnose it. My mastodon host (chaos.social) keeps blocking my IP address. I reached out to the admins and they told me it's because they are getting HTTP requests with user agent string claiming it's a Google bot. They shared a following log line with me.

[12/Mar/2025:08:55:14 +0100] my.ipv4.add.ress "GET /@lazurski HTTP/2.0" 403 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

It is my IP address indeed, and the path is pointing to my profile, so it's not random. It also happened while I was browsing Mastodon using Firefox on my laptop. The 403 response is strange, as I was logged in and also my profile is public and viewing it doesn't require authentication. Maybe they blocked it because of the bot signature?

I have no idea what can be making these requests. Certainly not anything I run on purpose. My Firefox uses its standard user agent header. At home I have a few devices. At the time of this request I believe only the following were on:

  • my laptop running NixOS and Firefox (I was actively using it when I got blocked)
  • a RaspberryPi home server running NixOS
  • my Android phone running Tusky (a 3rd party Mastodon client)
  • a broadband router with stock software

I think I can exclude the phone from the suspects, because while the home IP is blocked I use my mobile network connection to access chaos.social and this IP is never blocked. I don't think it's the home server or the router. My suspicion is on Firefox extensions. I only use a few of them:

How can I troubleshoot it? I tried about:logging with networking preset, collected a ton of logs, but couldn't figure out what to do with it. Or maybe it's something completely different? 🤔
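One way to find out which device on the LAN is announcing itself as Googlebot, as an added example that is not part of the post: the requests in question are HTTPS, so the User-Agent cannot be read off the wire at home, but it is trivially visible to a web server the devices are pointed at. The script below is a tiny HTTP server to run on the home server; loading it from each device and browser profile in turn logs the source address and User-Agent of every request and flags anything crawler-like. A device that shows up as Googlebot here is the one to dig into (Firefox's `general.useragent.override` preference and extensions that rewrite request headers are the usual places). The port and the bot pattern are assumptions.

```python
"""Per-device User-Agent check (added example, not from the post).

Run on a LAN host, then browse to http://<host>:8080/ from every device.
Each request is printed with its source address and User-Agent and a
verdict, and the same text is returned in the response body so it can be
read on the device itself.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import re
import time

BOT_UA = re.compile(r"Googlebot|bingbot|crawler|spider", re.I)   # assumption: patterns worth flagging


def classify_user_agent(ua):
    """'crawler-like' if the UA impersonates a search bot, 'missing' if empty, else 'browser'."""
    if not ua:
        return "missing"
    if BOT_UA.search(ua):
        return "crawler-like"
    return "browser"


def format_log_line(client_ip, path, ua, now=None):
    """One line per request, in the same shape as the server-side log line quoted in the post."""
    stamp = time.strftime("%d/%b/%Y:%H:%M:%S %z", time.localtime(now))
    return f'[{stamp}] {client_ip} "GET {path}" {classify_user_agent(ua).upper()} {ua or "-"}'


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        print(format_log_line(self.client_address[0], self.path, ua), flush=True)
        body = (f"your address: {self.client_address[0]}\n"
                f"your user-agent: {ua}\n"
                f"verdict: {classify_user_agent(ua)}\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # silence the default access log; we print our own line
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Load the page once per device, and on the laptop once per Firefox profile and once in a private window with extensions disabled; the first request that comes back with the Googlebot string pins the source down to a device and, on the laptop, to a profile or extension.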

18

I have an off-grid setup with a few devices on a local network that is not connected to the internet. I can tell my iPhone to use the non-internet wireless LAN to talk to those devices, OR I can tell it to use cellular data to talk to the Internet, but there’s no config on the iPhone side to let them be both live at the same time.

Is there any magic config on a wireless router e.g. certain DHCP settings or just disable DHCP, that will let the iPhone route to static 10.x IPs on the WLAN while the cellular internet is still active?

Any “advanced network settings” on the iPhone to manage multiple NICs?

19

Would it be unwise to make my file server (SSH only) machine (also runs a Minecraft server, and from time to time runs RSTS/E under simh) a tailscale router node to allow my traveling notebook access to the network when I am away?

20

Hi! I'm new here and hope to get some help.

For at least 5 hours today I can't connect to https://chaos.social/ (the Mastodon server I'm on). Firefox gives me:

Unable to connect

Firefox can’t establish a connection to the server at chaos.social.

    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer’s network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.

From curl I'm getting:

$ curl --ipv4 --verbose https://chaos.social/
* Host chaos.social:443 was resolved.
* IPv6: (none)
* IPv4: 5.9.119.202
*   Trying 5.9.119.202:443...
* connect to 5.9.119.202 port 443 from 192.168.1.45 port 40188 failed: Connection refused
* Failed to connect to chaos.social port 443 after 21 ms: Could not connect to server
* closing connection #0
curl: (7) Failed to connect to chaos.social port 443 after 21 ms: Could not connect to server

It's the same for http, so not related to TLS.

All other websites work normally, but to this particular one I can't connect from any device on my home network (I tried a few laptops, phones and our Raspberry Pi home server). I tried to restart the router (Zyxel T-56). No change.

I can connect via mobile network or from a VPS in "the cloud". Also https://www.isitdownrightnow.com/chaos.social.html shows that it's on-line.

I can think of three reasons, but I'm not a networking guru, so maybe it's something else:

  1. My router blocks it

    That would be surprising, because it has the stock configuration from my ISP and I definitely didn't tweak anything in last days.

  2. My ISP blocks it

    But then it's the same ISP for wired and mobile connection. The latter works.

  3. The server is blocking me for some reason

I'd appreciate help in digging deeper, if only to learn.

21

some Debian flavors have this built into the WiFi GUI, but I'd like to learn a more generic option in the CLI or config files

sorry for the noob question, thanks for reading

22

I'm looking to automate/script my pfsense wireguard tunnels so that each wireguard tunnel only goes up if there are one or more clients connected to the subnet associated with that tunnel and goes down once all clients have disconnected. I was wondering if there is already a plugin that accomplishes this or can be adapted, otherwise what is best practice for running scripts on the pfsense box?

My initial thought was to have a cronjob monitor the various DHCP servers for each subnet, then initiate a script to connect the associated wireguard tunnel if it detects any active DHCP leases on that subnet.

I have multiple subnets on this box, each with its own wireguard gateway. I like the idea of only making the VPN connection if there is a client calling for it.
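The decision half of the cron-job idea above, as an added example (not from the post and not a pfSense package): it parses an ISC dhcpd leases file, keeps only bindings that are active and not past their end time, maps each live client to its subnet and works out which tunnels should be up and which should come down. Assumptions: the box uses pfSense's ISC DHCP backend (whose leases file lives at /var/dhcpd/var/db/dhcpd.leases), one tunnel interface per client subnet, and a hypothetical wrapper command for the actual up/down action, which is kept injectable so the logic can be run and checked without touching the firewall.

```python
"""Tunnel up/down decision from DHCP leases (added example, not from the post).

dhcpd appends lease blocks rather than rewriting the file, so a later block
for the same address supersedes an earlier one; processing in file order
handles that. Times in the file are UTC.
"""
import ipaddress
import re
import subprocess
import sys
from datetime import datetime, timezone

# Assumption: one WireGuard tunnel interface per client subnet.
SUBNET_TO_TUNNEL = {
    ipaddress.ip_network("192.168.10.0/24"): "tun_wg0",
    ipaddress.ip_network("192.168.20.0/24"): "tun_wg1",
}
LEASES_PATH = "/var/dhcpd/var/db/dhcpd.leases"   # assumption: pfSense ISC backend

# Constructed sample: one live lease, one released lease, one expired lease.
SAMPLE_LEASES = """\
lease 192.168.10.50 {
  starts 4 2025/01/02 10:00:00;
  ends 4 2025/01/02 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.20.77 {
  starts 4 2025/01/02 08:00:00;
  ends 4 2025/01/02 09:00:00;
  binding state free;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 192.168.20.78 {
  starts 4 2025/01/02 08:00:00;
  ends 4 2025/01/02 09:30:00;
  binding state active;
  hardware ethernet cc:dd:ee:ff:00:11;
}
"""

LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def utc(stamp):
    """Parse the 'YYYY/MM/DD HH:MM:SS' form dhcpd writes into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text, now):
    """Return the set of IPs with an active, unexpired lease at time `now`."""
    live = {}
    for ip, body in LEASE_BLOCK.findall(text):
        active = re.search(r"binding state\s+active;", body) is not None
        ends = re.search(r"ends\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});", body)
        expired = ends is not None and utc(ends.group(1)) <= now
        live[ip] = active and not expired
    return {ip for ip, ok in live.items() if ok}


def tunnels_wanted(active_ips, mapping=SUBNET_TO_TUNNEL):
    """Tunnels whose subnet has at least one live client."""
    wanted = set()
    for ip in active_ips:
        addr = ipaddress.ip_address(ip)
        wanted.update(tun for net, tun in mapping.items() if addr in net)
    return wanted


def reconcile(wanted, currently_up, mapping=SUBNET_TO_TUNNEL):
    """(tunnels to bring up, tunnels to take down), sorted; interfaces outside the map are left alone."""
    managed = set(mapping.values())
    return sorted(wanted - currently_up), sorted((currently_up & managed) - wanted)


def apply_changes(up, down, run=lambda cmd: print("would run:", " ".join(cmd))):
    """Side effects, kept injectable. /usr/local/bin/wg-tunnel is a hypothetical wrapper:
    point it at whatever brings a tunnel up or down on your box."""
    for tun in up:
        run(["/usr/local/bin/wg-tunnel", "up", tun])
    for tun in down:
        run(["/usr/local/bin/wg-tunnel", "down", tun])


if __name__ == "__main__":
    # Cron every minute; `python3 wgleases.py --demo` runs the decision against the sample above.
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        text, up_now = SAMPLE_LEASES, {"tun_wg1"}
    else:
        text = open(sys.argv[1] if len(sys.argv) > 1 else LEASES_PATH).read()
        up_now = set(subprocess.run(["wg", "show", "interfaces"],
                                    capture_output=True, text=True).stdout.split())
    wanted = tunnels_wanted(parse_leases(text, datetime.now(timezone.utc)))
    apply_changes(*reconcile(wanted, up_now))
```

Keeping `reconcile()` free of side effects is what makes the cron job safe to dry-run: in the demo mode the output is "would run ... up tun_wg0" and "would run ... down tun_wg1", because the only live lease is in the first subnet and the second tunnel is up with nobody behind it.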

23

I'm self studying for a server+ cert and ran into this paragraph. Am I right that CPU time is a set of ticks utilized, the CPU Capacity is the total capacity, and the CPU usage is the percentage of ticks:capacity?

I have been making notes from this chapter, and the more I get into it the more I seem to find things like this that seem slightly off.

Does anyone have a physical copy of the 2ed McMillan CompTia Server+ study guide I can compare against? I feel like someone is messing with me.

24

In theory it is an open standard...

25

Hi all, looking for some guidance on getting wired networking upstairs to my pcs.

Currently I have my internet connection coming in downstairs. Without running cables upstairs is it possible to connect something to my existing wifi network and then break it out to Ethernet?

Any help much appreciated.
