@scottalanmiller ahhhh the S.A.M.

This was very informative, I like the simplicity of the explanations. Also @scottalanmiller thanks for the extra feedback! I watched this a week ago btw

@scottalanmiller said in 10Gb/s Firewall Choice for Colocation:

@bnrstnr said in 10Gb/s Firewall Choice for Colocation:

Looks like the ER‑8‑XG could also be a good fit if you prefer the EdgeRouter series over the Unifi stuff. Also slightly less expensive, and better performance.

https://www.ui.com/edgemax/edgerouter-infinity/

And ordered... we should have it on Monday.

From the only vendor offering prime?

Good find.

@Jimmy9008 said in VLAN on Dell N4064 Stacked:

Im guessing 'U' is fine. As I want vLAN2 to pass traffic where the device has already set vlan2 in its NIC. If the LAG is set to 'T', all traffic will be set to vlan2, right? Even when from vLan1/default...

I think it's better to tag every vlan in both ends. Then you can be certain traffic ends up on the same vlan on the other switch stack.

@scottalanmiller said in ISP Failover with Cisco ASA:

That's mostly true. But Cisco considers it real Cisco and it shows their view of themselves. And that, I always think, is important. Cisco doesn't seem themselves as an enterprise player. And I've been in sales meetings with Cisco and that definitely comes through when talking to them.

That's not what I got from my sales conversations with them. They were very explicit about real Cisco and the lesser sub-brands.

Having been at two huge banks that were burned by being willing to use UCS, Cisco and enterprise are two words I never put together. From networking to phones to servers, Cisco is consistently overpriced and underperforming.

I absolutely loved UCS, even wrote the original oVirt/RHV plugin for the VMFEX cards. They were ahead of their time with those boxes, but the cloud pretty much killed everything really cool and advanced about HW

@pmoncho said in Kerio Connect "license error: license exhausted, cannot allow another host":

Based on the couple posts I have seen, each registered user can have five devices. So, if they have 30 devices, they need 6 user licenses. Did they add any extra devices lately?

Easily, but more likely they just let their license expire.

@DustinB3403 said in Openvpn HELPPP!!:

@abdel-hakim-abousrea to start, if you have access to the internet, you have a public IP, it could be a statically assigned IP or one that could change randomly.

Having a static public IP to use for this would be ideal.

Set up a FQDN for your system, even if it is a static IP. Either via some type of dynamic DNS or a manual records in your public DNS.

@mroth911 said in locking down network:

so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.

So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.

Thats the situation at hand.

They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.

This is something I want to setup and walk away.. I am just doing this to help them.

Blocking Bittorrent without an application level firewall isn't that easy. Talking to the tracker happens via DNS, but talking to the other clients normally is just via IP address.

You could block all non needed outbound ports - but again, I think Bittorrent can work over port 80 and 443, so not really that helpful.

@Donahue said in Hyper-V teaming worth it for LACP?:

Yeah, i think i need to learn powershell. I probably rely too much on GUI's

Same fees, tenth of the time. 😉

I'm curious as to how they'll deal with depletion of their 256 bit UUIDs and/or spoofing or anything else. We can know is that Google (and others) will have a way that works across IP addresses that will provide a fairly unique way of identifying you no matter what. Presumably some browsers will let you change it or have it different in privacy mode or whatever, but like with Don't Track we'll can almost guarentee that even if there is a standard some other company like Microsoft will implement it just differently enough to make a lot of it pointless... other than the connection speed I guess.

People are already gungho about this, some thinking that it's a total replacement for the TCP stack which is utterly stupid. I first read about this in mid 2017 and noticed it seemed to be sort of a spin on MinimaLT which was specified to deal with mobile IP (as in protocol, not address) issues.

@scottalanmiller said in Another Major BGP Mishaps Redirects US Traffic to China:

I noticed that YouTube was down yesterday for a little bit. Very short, though.

Even Facebook got taken out for a bit too... Don't know if it's related or not, but still...

@Dashrender said in Strange snafu misroutes domestic US Internet traffic through China Telecom:

@scottalanmiller said in Strange snafu misroutes domestic US Internet traffic through China Telecom:

@Dashrender said in Strange snafu misroutes domestic US Internet traffic through China Telecom:

Man - BGP needs an overhaul!

Replaced!

Is there something that can replace it now?

Dont' think so. Not on that scale.

@Mike-Davis said in daisy chain Ubiquiti AC Pros?:

@DustinB3403 said in daisy chain Ubiquiti AC Pros?:

This is why you don't use pre-made cables.

What does it cost to have fiber terminated? $150/hr? Since this is in the mountains, I'm guessing the nearest city is 1.5 hours away, so drive time on top of that. I'm just guessing at the labor since I haven't ever had it quoted.

Right, so if oyu are confident that premade will pull in quantiy, then by all means go with it.

The good thing about fiber, is that it doesn't matter if you coil up the left over.

@Donahue said in Why I See UTMs As Generally Bad in the Current Market:

@scottalanmiller said in Why I See UTMs As Generally Bad in the Current Market:

@Donahue said in Why I See UTMs As Generally Bad in the Current Market:

The reason we went with Fortigate over an Edge router, is that the Edge router couldn't do the IPsec bandwidth we were trying to hit. But mine is an NGFW with UTM bundled in. Could there been some other product that I dont know of that would have been better in our case?

ERL does nearly half of what you need...

https://community.ubnt.com/t5/EdgeRouter/ERL-Performance-Testing-with-IPSec-VPN/m-p/1053799#M44593

ER and ERPro are so much more powerful. The ER Pro has 2x the CPU power, and 4x the RAM. We'd expect it to be able to saturate your lines no problem. Of course that is "expect", but based on the ERL speeds, and that they run the same code, there is little doubt that it can push IPSec over 1Gig speeds.

https://dl.ubnt.com/datasheets/edgemax/EdgeRouter_DS.pdf

Your link is what convinced me not to use the ER pro. the Pro's will only do <500 mbps at full capacity, its in the link you posted.

Where in it?

Oh, I see. he mentions ER Pro in another post, then posts them without stating what they are in a thread on ERLs. VERY confusing.

Something to keep in mind is NGFW. Ubiquiti and Meraki, for example, are NGFW.

It looks like much of the market is already starting to cool on the UTM crazy and NGFW is taking off as the "next stage" of popular approaches. Basically a reversal of direction or marketing at least, even from the big players in the UTM space like Palo Alto, Fortinet, Cisco, etc.

Only so serious, it's in D-Link gear. Bwahaha

@jaredbusch said in Ubiquiti ER3 to ER4 Upgrade?:

@scottalanmiller said in Ubiquiti ER3 to ER4 Upgrade?:

@mroth911 said in ubiquiti Er3 to 4 Upgrade?:

Can I just back up my er3 and upload it to the 4

I believe so.

I have never tried, but it should handle it because it only bring the /config folder in, and nothing in the hardware of the 3 vs 4 is all that different.

To clarify, I have migrated from ERL to ER4 a couple times. But I manually migrate. I don’t try to restore the old config.

@scottalanmiller said in Network error Windows 7:

@wrcombs said in Network error Windows 7:

@dashrender said in Network error Windows 7:

@wrcombs said in Network error Windows 7:

@scottalanmiller said in Network error Windows 7:

@wrcombs said in Network error Windows 7:

@scottalanmiller said in Network error Windows 7:

@wrcombs said in Network error Windows 7:

Anyone ever see this error before? do you know what it means ? how to get rid of it?
0_1536843443200_netowrk error.PNG

No, because I carefully never do that, lol.

I didnt do this, this is from someone saying " This is how I think it goes" and changing settings.

Also something to avoid 😉

Random people who don't know the basics, making completely crazy configuration changes... that's a disaster waiting to happen. Imagine if they were doing that on a PCI network or something 😉

They did! we use 2 NICs, one for internet, one for the PoS system so they are "seperated" the best they can be. They stacked and added IP's to the PoS NIC, So all of the PoS were accessing the internet...

Sure, but the internal POS network doesn't have a gateway to some place else inside it, right?
So you don't have a gateway on that network interface.

I dont believe there is a gateway, its just communicating within the PoS and the back office.

If that were the case then I shouldn't be getting this message correct?

Shouldn't. The warning seems like it would be genuine - it's warning you that someone messed up the configuration.

When I used to have these type of setups, I would set the gateway to the POS and set the metric to 10 for either that NIC or that subnet. That's assuming that you're talking directly to the one and only POS and nothing else on that network. While you don't have to alter the metric, it helped stop Windows from wigging out seeing two NICs or two IPs and two gateways on one NIC. If you experiment, you can always put it back. Different VASCs and different brands & processors specify what's ok with them. Because PCI.