
    Posts

    • RE: Co-lo + 5 (or more) sites....connect 'em all

      @JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

      @FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

      @scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:

      @FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

      @Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:

      @Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:

      @JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

      @Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:

      @Aaron-Studer said in Co-lo + 5 (or more) sites....connect 'em all:

      @FATeknollogee

      https://blog.kruyt.org/zerotier-on-a-ubiquiti-edgerouter/

      My question is why? Why set up ZT instead of site to site on all the devices?

      I suppose one answer could be, because it's just a single setup, instead of 5 setups.

      WTF?

      FFS, the question is about connecting multiple colos. Do you only have one thing in each colo? Most don't. The OP specifically mentioned multiple things.

      You smokin?

      "The co-lo has all the gear (servers, voip, apps, file shares etc).
      You have 5 (or more) sites that "connect" to the co-lo."

      What we aren't told - is there a firewall in front of all of that stuff at the co-lo, or is it all directly on the internet? Then the OP asks - can ZT be installed on ER? I'll admit I was assuming an ER at each location, and at the co-lo in front of all of that gear.

      Yes, the plan is an ER in front at all locations (that plan isn't set in stone)

      We did this for a company from their colo but NOT with ZT, ERs using their native, much faster IPSec.

      Did you use Route based VPN?
      https://help.ubnt.com/hc/en-us/articles/115011377588-EdgeRouter-IPsec-Route-Based-VTI-Site-to-Site-VPN

      I've done both. No idea on speed difference. Never ran into router limits with both methods.

      Ease of setup/ability to add more sites, one method vs the other?

      posted in IT Discussion
      FATeknollogee
    • RE: Co-lo + 5 (or more) sites....connect 'em all

      @scottalanmiller said in Co-lo + 5 (or more) sites....connect 'em all:

      @FATeknollogee said in Co-lo + 5 (or more) sites....connect 'em all:

      @Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:

      @Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:

      @JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

      @Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:

      @Aaron-Studer said in Co-lo + 5 (or more) sites....connect 'em all:

      @FATeknollogee

      https://blog.kruyt.org/zerotier-on-a-ubiquiti-edgerouter/

      My question is why? Why set up ZT instead of site to site on all the devices?

      I suppose one answer could be, because it's just a single setup, instead of 5 setups.

      WTF?

      FFS, the question is about connecting multiple colos. Do you only have one thing in each colo? Most don't. The OP specifically mentioned multiple things.

      You smokin?

      "The co-lo has all the gear (servers, voip, apps, file shares etc).
      You have 5 (or more) sites that "connect" to the co-lo."

      What we aren't told - is there a firewall in front of all of that stuff at the co-lo, or is it all directly on the internet? Then the OP asks - can ZT be installed on ER? I'll admit I was assuming an ER at each location, and at the co-lo in front of all of that gear.

      Yes, the plan is an ER in front at all locations (that plan isn't set in stone)

      We did this for a company from their colo but NOT with ZT, ERs using their native, much faster IPSec.

      Did you use Route based VPN?
      https://help.ubnt.com/hc/en-us/articles/115011377588-EdgeRouter-IPsec-Route-Based-VTI-Site-to-Site-VPN

      posted in IT Discussion
      FATeknollogee
    • RE: Co-lo + 5 (or more) sites....connect 'em all

      @JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

      @Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:

      @JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

      @Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:

      @Aaron-Studer said in Co-lo + 5 (or more) sites....connect 'em all:

      @FATeknollogee

      https://blog.kruyt.org/zerotier-on-a-ubiquiti-edgerouter/

      My question is why? Why set up ZT instead of site to site on all the devices?

      I suppose one answer could be, because it's just a single setup, instead of 5 setups.

      WTF?

      FFS, the question is about connecting multiple colos. Do you only have one thing in each colo? Most don't. The OP specifically mentioned multiple things.

      You smokin?

      Totally.

      "The co-lo has all the gear (servers, voip, apps, file shares etc).
      You have 5 (or more) sites that "connect" to the co-lo."

      But the point was valid even if I used the wrong terms. Multiple sites with multiple things, not single server point to point like @Dashrender said.

      Correct, multiple sites, multiple things.

      posted in IT Discussion
      FATeknollogee
    • RE: Co-lo + 5 (or more) sites....connect 'em all

      @Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:

      @Pete-S said in Co-lo + 5 (or more) sites....connect 'em all:

      @JaredBusch said in Co-lo + 5 (or more) sites....connect 'em all:

      @Dashrender said in Co-lo + 5 (or more) sites....connect 'em all:

      @Aaron-Studer said in Co-lo + 5 (or more) sites....connect 'em all:

      @FATeknollogee

      https://blog.kruyt.org/zerotier-on-a-ubiquiti-edgerouter/

      My question is why? Why set up ZT instead of site to site on all the devices?

      I suppose one answer could be, because it's just a single setup, instead of 5 setups.

      WTF?

      FFS, the question is about connecting multiple colos. Do you only have one thing in each colo? Most don't. The OP specifically mentioned multiple things.

      You smokin?

      "The co-lo has all the gear (servers, voip, apps, file shares etc).
      You have 5 (or more) sites that "connect" to the co-lo."

      What we aren't told - is there a firewall in front of all of that stuff at the co-lo, or is it all directly on the internet? Then the OP asks - can ZT be installed on ER? I'll admit I was assuming an ER at each location, and at the co-lo in front of all of that gear.

      Yes, the plan is an ER in front at all locations (that plan isn't set in stone)

      posted in IT Discussion
      FATeknollogee
    • RE: Co-lo + 5 (or more) sites....connect 'em all

      @dafyre said in Co-lo + 5 (or more) sites....connect 'em all:

      I'm up to 3 sites for the moment. One of them goes away in about 2 weeks.

      I connect them all via ZeroTier.

      This is you: https://mangolassi.it/topic/19493/zerotier-site-to-site
      How has it worked out so far?

      posted in IT Discussion
      FATeknollogee
    • RE: Co-lo + 5 (or more) sites....connect 'em all

      @dafyre said in Co-lo + 5 (or more) sites....connect 'em all:

      I'm up to 3 sites for the moment. One of them goes away in about 2 weeks.

      I connect them all via ZeroTier.

      How's the speeds between sites?

      posted in IT Discussion
      FATeknollogee
    • RE: Co-lo + 5 (or more) sites....connect 'em all

      Has anyone installed ZT on an ER?
      https://blog.kruyt.org/zerotier-on-edgerouter-p2/

      posted in IT Discussion
      FATeknollogee
    • Co-lo + 5 (or more) sites....connect 'em all

      The co-lo has all the gear (servers, voip, apps, file shares etc).
      You have 5 (or more) sites that "connect" to the co-lo.

      How are we connecting?
      What options are available today?
      VPN, ZeroTier??

      posted in IT Discussion edgerouter edgerouter 4 colocation it support vpn zerotier
      FATeknollogee
    • RE: Network routing question

      @dafyre said in Network routing question:

      @dafyre said in Network routing question:

      DNS server is at 10.50.235.235

      Configure your computer to look to 235.235 for DNS... and configure the DNS server at 235.235 to forward anything it doesn't recognize along to your Meraki?

      I added 235.235 as an additional DNS in the 250.254 network.

      I tried this yesterday but silly me forgot to "refresh" the NIC so it could grab the new settings.

      All is good & working.

      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @Kelly said in Network routing question:

      Looks like the MS series supports the DHCP relay setting: https://community.meraki.com/t5/Switching/need-to-configure-DHCP-IP-helper-address-on-VLAN-in-MS-switch/td-p/22806.

      I can't use that relay setting since I still need dhcp on the 250.254 network

      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @Pete-S said in Network routing question:

      Why are you discussing DNS? Routing has nothing to do with DNS. DNS is for resolving names.

      Because I want to access the resources via name resolution (you gotta read my OP)

      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @Kelly said in Network routing question:

      @FATeknollogee said in Network routing question:

      @Kelly said in Network routing question:

      @FATeknollogee said in Network routing question:

      @Kelly said in Network routing question:

      @FATeknollogee said in Network routing question:

      Does 250.254 have 235.235 in its upstream list or have a secondary zone for 235.x?

      No, 250.254 doesn't have a DNS server, just services provided by the dhcp router.

      I am confused. Either way, does the DNS server in the subnet where your DNS service is working have the DNS server for the non functioning subnet in its upstream list or a secondary zone for that subnet?

      250.254 is my Meraki router (so no "standalone" DNS server)
      Not sure if I can add a secondary zone

      You can use an IP helper for a Meraki: https://documentation.meraki.com/MX/DHCP/Configuring_DHCP_Relay.

      Unfortunately, no MX, I got rid of my MX84.
      DHCP is handled by Meraki MS320-24 Layer 3 switch

      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @Kelly said in Network routing question:

      @FATeknollogee said in Network routing question:

      @Kelly said in Network routing question:

      @FATeknollogee said in Network routing question:

      Does 250.254 have 235.235 in its upstream list or have a secondary zone for 235.x?

      No, 250.254 doesn't have a DNS server, just services provided by the dhcp router.

      I am confused. Either way, does the DNS server in the subnet where your DNS service is working have the DNS server for the non functioning subnet in its upstream list or a secondary zone for that subnet?

      250.254 is my Meraki router (so no "standalone" DNS server)
      Not sure if I can add a secondary zone

      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @Kelly said in Network routing question:

      @FATeknollogee said in Network routing question:

      Does 250.254 have 235.235 in its upstream list or have a secondary zone for 235.x?

      No, 250.254 doesn't have a DNS server, just services provided by the dhcp router.

      posted in IT Discussion
      FATeknollogee
    • RE: AWS Catastrophic Data Loss

      @PhlipElder said in AWS Catastrophic Data Loss:

      @IRJ said in AWS Catastrophic Data Loss:

      For IaaS, using a tool like terraform can help you transition from one platform to another as terraform is compatible with many cloud hosts.

      I feel like I'm back in the early 2000s when Microsoft released Small Business Server 2000 then Small Business Server 2003 with the business owner DIY message. We got a lot of calls as a result of that messaging over the years.

      Then, there was the mess created by the "IT Consultant" that didn't know their butt from a hole in the ground. We cleaned up a lot of those over the years.

      At least in the above cases we could work with some sort of box to get their data on a roll.

      Today, that possibility is virtually nil.

      That is, the business owner being knowledgeable enough to navigate the spaghetti of cloud services setup to get to a point where they are secure and backed up for one. For another, as mentioned above, how many folks know how to set up any cloud?

      Then, toss into the mix the message about speed and agility and we have a deadly mix beyond the SBS messaging and failures in that we're talking orders of magnitude more folks losing their businesses as a result of one big FUBAR.

      Ever been on the back of a bike holding a case of beer while the "driver" hit 200+ KPH? I have. Once. And lived to never, ever, ever, trust an arse like that again.

      The powerful power of marketing
      Cloud = 💑 💕 💌 😙 😽 🥂

      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @dafyre said in Network routing question:

      What is your machine set to use for DNS server right now?

      It gets its DNS settings from the DHCP server.
      10.250.250.254
      10.50.235.235

      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @Dashrender said in Network routing question:

      I see these two IPv4 networks
      10.250.251.242/22 brd 10.250.251.255
      10.50.235.12/24 brd 10.50.235.255

      Assuming you want to reach 10.50.235.200 for DNS, do you have that address set up as a DNS server?

      Also, if you have multiple DNS servers set up, it will use the first one until it fails, then it will fail over to #2 in the list, etc., so you can't simply list multiple DNS servers and expect them all to be used.

      Can you ping the IP of the client you want to connect to by IP?

      DNS server is at 10.50.235.235
      Yes, I can ping the DNS Server and the clients on the 10.50 network by IP address but not by name.
      If I disable the 10.250 network, then I can ping & reach the clients by name.

      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @Pete-S said in Network routing question:

      @FATeknollogee said in Network routing question:

      @Pete-S The desktop is connected to vlan10 (my op says that, I think)

      Run ip addr and post it.

      2: enp8s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
          link/ether 00:25:90:6d:41:ee brd ff:ff:ff:ff:ff:ff
          inet 10.250.251.242/22 brd 10.250.251.255 scope global dynamic noprefixroute enp8s0f0
             valid_lft 77617sec preferred_lft 77617sec
          inet6 fe80::d10b:e3fd:dfb6:4149/64 scope link noprefixroute 
             valid_lft forever preferred_lft forever
      3: enp8s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master bridge0 state UP group default qlen 1000
          link/ether 00:25:90:6d:41:ef brd ff:ff:ff:ff:ff:ff
      
      19: enp8s0f1.235@enp8s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
          link/ether 00:25:90:6d:41:ef brd ff:ff:ff:ff:ff:ff
          inet 10.50.235.12/24 brd 10.50.235.255 scope global dynamic noprefixroute enp8s0f1.235
             valid_lft 522139sec preferred_lft 522139sec
      

      Run ip route and post it.

      default via 10.250.250.254 dev enp8s0f0 proto dhcp metric 102 
      default via 10.50.235.254 dev enp8s0f1.235 proto dhcp metric 400 
      default via 10.250.250.254 dev bridge0 proto dhcp metric 425 
      10.50.235.0/24 dev enp8s0f1.235 proto kernel scope link src 10.50.235.12 metric 400 
      10.250.248.0/22 dev enp8s0f0 proto kernel scope link src 10.250.251.242 metric 102 
      10.250.248.0/22 dev bridge0 proto kernel scope link src 10.250.251.243 metric 425
      
      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @Kelly That's the problem, I need this traffic to NOT use the default gateway.

      posted in IT Discussion
      FATeknollogee
    • RE: Network routing question

      @Pete-S The desktop is connected to vlan10 (my op says that, I think)

      posted in IT Discussion
      FATeknollogee