cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
ok Mikrotik question time: It can be really tricky to nail down when/how these things do hardware offload.
* For a router, is the actual routing/firewall component offloaded to hardware or is that in CPU?
* Then the reason I am asking: how much would enabling the Netflow integration crush routing/uplink speeds? (on a RB5009, 2.5g uplink, 10g downlink)
I have one missing piece for full internal DoT support, which is getting dnsmasq to tell clients to use the DoT servers via options 144/162. Adguard-DNS and the cluster's bind9 servers are now serving DoT, and everything is using it outbound as well. I may implement an unbound recursive resolver instead of using quad9 at some point, but that is a separate project. Actually, I wonder, is it viable currently to force DNSSEC when using unbound, or will that randomly break shit? I assume attempting to force outbound encryption will for sure break something.
Any suggestions for a decent 2.5Gb switch in the EU?
Managed would be nice, but it's not a must
Now available on YouTube:
At the June 2025 FreeBSD Developer Summit, Ariel Ehrenberg (NVIDIA) presented on adding IPsec offload support in the MLX5 driver for FreeBSD.
The work improves security, reduces CPU load, and speeds up packet handling through full offload integration.
Watch the full talk here: IPsec Offload in FreeBSD MLX5 Driver
https://www.youtube.com/watch?v=opahWemyVoY
Idea: is there a tool out there that can attach to a mirrored network port and listen to everything with the goal of generating firewall rule recommendations? I'm thinking about this primarily for the actual networking layer, but also interested in doing it within a kubernetes cluster as well. Unfortunately I think I recall learning that Cilium only does this with an enterprise subscription
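The idea in the post above, turning observed traffic into candidate rules, is simple enough to sketch. What follows is an added example written for this page (not a tool the poster or any project mentioned here ships): it parses constructed flow summaries of the kind a mirrored port or flow exporter would yield, counts flows per destination service, and emits pf rules for services seen more than once, behind a catch-all block. The sample lines, addresses and the line format are constructed; the threshold exists because traffic only shows what was used, not what should be allowed, so the output is a review list, not a rule set to apply blindly.

```python
import re
from collections import Counter

# Constructed sample of flows as they might be summarised from a mirrored
# port (e.g. by a flow exporter): "<proto> <src>:<sport> > <dst>:<dport>".
SAMPLE_FLOWS = """\
tcp 10.0.1.23:51234 > 10.0.2.10:443
tcp 10.0.1.24:51235 > 10.0.2.10:443
tcp 10.0.1.25:49152 > 10.0.2.10:443
udp 10.0.1.23:53412 > 10.0.2.53:53
udp 10.0.1.24:53413 > 10.0.2.53:53
tcp 10.0.1.99:40000 > 10.0.2.10:22
this line is not a flow record
"""

FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)$")


def parse_flows(text):
    """Parse flow summaries into (proto, src, sport, dst, dport) tuples.

    Lines that do not match the expected shape are skipped rather than
    guessed at, so a malformed export cannot produce a bogus rule."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        proto, src, sport, dst, dport = m.groups()
        flows.append((proto, src, int(sport), dst, int(dport)))
    return flows


def count_services(flows):
    """Count flows per (proto, destination, destination port), i.e. per service."""
    return Counter((proto, dst, dport) for proto, _, _, dst, dport in flows)


def recommend_rules(counts, min_flows=2):
    """Turn the counts into candidate pf rules.

    pf evaluates rules last-match-wins, so a catch-all block comes first
    and the pass rules for observed services follow it. Services seen
    fewer than min_flows times are left out: a single flow is as likely
    to be a scan or a typo as a real dependency, and deserves a human look."""
    rules = ["block in log all"]
    for (proto, dst, dport), n in sorted(counts.items()):
        if n < min_flows:
            continue
        rules.append(f"pass in proto {proto} from any to {dst} port {dport}  # {n} flows observed")
    return rules


if __name__ == "__main__":
    for rule in recommend_rules(count_services(parse_flows(SAMPLE_FLOWS))):
        print(rule)
```

Run as a script it prints the block rule, a pass for tcp/443 to 10.0.2.10 and one for udp/53 to 10.0.2.53; the single SSH flow is held back for review. The same shape works for Kubernetes network policies if the counts are grouped by namespace/pod label instead of destination address.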
Looking good :-) The amount of IPv6 traffic is higher than the crappy legacy-IP one 🙂
All Jails now equipped with native IPv6 and firewalled by "pf" on the host-bridge.
Just IPv4 still using NAT. And I'm even considering dropping that. Not worth the hassle anymore.
🙅 Goodbye Forever OPNsense 🙅
It displeases me to finally and heartily say GTFO to OPNsense; to abandon a solid decade of use.
I've had it on everything from embedded arm64 experiments to baremetal with ranges of 10, 25, 40, and 100GbE NICs. I've used all of the core features, built complex global service meshes, H/A systems, etc. I used to love it. I used to pay for it.
OPNsense was great, until it wasn't (starting around the time they axed their use of HardenedBSD), and with each release it gets more convoluted, out of date, tedious to debug, and generally a source of disappointment. The command line controls are anemic, inconsistent, and the lack of unified and useful system state tracking is a source of sailor level obscenities. Also, dear gods get rid of XML configs, no one can parse it without going blind! What is this, SOAP and XML-RPC era nonsense, really? 😠
I do not have time to waste, and I do not say that lightly.
I am never debugging OPNsense ever again, especially not for four hours on a (yesterday) Saturday, and especially not putting off updates in a colo for TWO YEARS because their team decided to break admin group SSH controls, hamper CARP flapping controls, break IPMI fencing, and the list goes on. I am done.
What now? Three realistic options.
1) BSD Router Project: I've built custom BSD-RP releases with Poudriere, loved just about everything it offers.
2) VyOS: configurable via CLI in a fraction of the time that was wasted on debugging OPNsense. Solid product, enjoying it more every day.
3) OpenWRT: I build custom releases for NanoPi and Meraki rooted WAPs and SOHO boxes; it's fun, though it's not running my 100G infra.
#opnsense #bsd #freebsd #linux #networking #engineering #homelab
Ok the Parent's Fileserver (PFS) needs to be reachable over protocols that should not be port forwarded. My options are:
1. Site-to-Site wireguard (Mikrotik <-> Unifi)
2. Connect PFS as a client to the Mikrotik via wireguard
3. Place my entire k8s cluster and the PFS on tailscale
The PFS will be on tailscale anyway, since it needs to be reachable by my Dad's laptop. So I guess the real question is, is it worthwhile to bother with tailscale on the cluster, or is a site-to-site a better or more useful option? I think I am leaning towards the site-to-site to keep complexity lower.
Tomorrow evening it is #NetMCR (https://www.netmcr.uk/) again in #Manchester.
Join them for a #Networking #MeetUp at the Northern Monk (https://www.northernmonk.com/pages/manchester) from 7pm.
The talk will be by Tim Wilkes - 'PAWs for thought: a walk through the requirements to access network management securely.':
Looking at the Privileged Access Workstations that the Telecom Security Act makes several references to, Tim will be looking through the requirements of PAWs and what that means for network management.
I don't think I will make it this time, but it's at a nice venue, has a large selection of 🍻 , together with 🍔 and 🍟.
I've been several times, and I always learn something new!
Regular folk need to learn how to protect their IoT devices. Because they underestimate the power of a botnet consisting of millions of those devices, the following occurred:
A massive UDP attack sized at 11 and 1/2 terabits was executed at an undisclosed Cloudflare client. According to Cloudflare, it is the largest DDoS attack mitigated to date.
The reason why I deliberately say that **regular folk** need to learn how to do this is because they can just go into a shop, get any IoT device, give it power, disregard reading the manual (where they warn you to change the default user ID/password combo to something unique), and just use the device. They are oblivious to the fact that such a device can be weaponized and used in an army of other such devices.
They are unaware of the fact that others can look straight into their homes, their bedrooms, the rooms where their vulnerable children are, where their vulnerable elders are, and put them at risk for countless negative things.
Everyone knows that there are search engines to find cameras in the global UDP IoT network matrix which are open with default user IDs and passwords.
It's because of this deliberate ignorance by regular folk that such bot networks can proliferate and even be expanded exponentially.
My upcoming book, The Book of PF 4th edition, is part of B&N’s pre-order sale Sept 3–5! Use code PREORDER25 for 25% off (35% for Premium members).
#bookofpf #bnpreorder #openbsd #freebsd #pf #packetfilter #networking #security #nostarch #barnesandnoble
Finally migrated my Gateway to OPNsense (of course with IPv6!), running on a FreeBSD server in bhyve (with PCIe passthrough for the Intel NICs)
One interface (vtnet0) is bridged to a VM Switch on the BSD server, to route traffic to other VMs and Jails 🙂
Running smooooth and gives me so much more insight and options than the old Unifi hardware I used before.
Also my WiFi (also new) is now absolutely amazing:
❯ iw dev wlp2s0 info
Interface wlp2s0
ifindex 3
wdev 0x1
addr 82:20:1e:70:67:42
ssid M56-Home
type managed
wiphy 0
channel 69 (6295 MHz), width: 160 MHz, center1: 6345 MHz
txpower 16.00 dBm
Basically saturates the 1Gbps link entirely :)
Speaking of Matrix global services occasionally exacerbating one's propensity for migraines, oh look a total outage for the malignant design... oh but they tell everyone a fantastic story:
> "Matrix is a distributed fault tolerated encrypted network of disaggregated nodes!" 😐
except that they deployed via an active/passive two node PostgreSQL backend which just crashed both nodes and took 55TB of network data offline. also their TLS termination is fronted by CloudFlare (anything in back of TLS termination is not TLS encrypted).
- https://www.theregister.com/2025/09/03/matrixorg_raid_failure/
#matrix #chat #networking #linux #encryption #thisIsNotHighAvailability
A network scanning tool with modern looks, NetPeek is a user-friendly alternative to nmap.
https://www.omgubuntu.co.uk/2025/08/netpeek-linux-network-scanner-gui-alternative-nmap
Come to Zagreb September 24-28, 2025 and geek out with other BSD people at EuroBSDcon!
See https://2025.eurobsdcon.org/
Program https://events.eurobsdcon.org/2025/schedule/
Registration https://2025.eurobsdcon.org/registration.html
#openbsd #netbsd #freebsd #zagreb #eurobsdcon #conference #freesoftware #libresoftware #development #devops #sysadmin #networking #security
Trace route is a hack lol. Some excellent quotables in here
https://gekk.info/articles/traceroute.htm
Edit: full disclosure it's not entirely correct, see https://www.theregister.com/2024/12/14/mpls_traceroute_history/ and https://systemsapproach.org/2024/12/09/three-packets-walk-into-a-tunnel/
We're going to need a second AP to reach the second floor. My Ubiquiti UniFi nanoHD has been going strong for over 5 years now, so I figured I'll go with another UniFi AP, and since it will hopefully be just as long-lived, I went with the most future-proof option, the U7 Pro. 2.5 Gbps port, Wi-Fi 7, 6 GHz, all the works.
She's quite a bit bigger than my nanoHD! Makes it look downright... nano
The next scheduled "Network Management with the OpenBSD Packet Filter Toolset" fullday session is at EuroBSDcon in Zagreb, 2025-09-25 10:30–17:30: https://events.eurobsdcon.org/2025/talk/FW39CX/
register here: https://2025.eurobsdcon.org/registration.html
#openbsd #freebsd #pf #packetfilter #networking #security #eurobsdcon
I hate WPS WiFi connections because they never bloody work properly and it takes 10 minutes to get a printer connected. Then a week later it mysteriously disconnects without any apparent reason. I always end up wishing I'd plugged in a CAT 5 cable instead.
I didn't use WPS because it was easy but because I thought it would be easy and I never learn.
"Yes, The Book of PF, 4th Edition Is Coming Soon" https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html (also https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html), title still true, actual publication date TBD, #bookofpf #pf #packetfilter #openbsd #freebsd #networking #security #trickery #hacking
No huge details (more on that in later guides), but I wrote about the basic hardware setup for my home network based on #openbsd
"My OpenBSD Home Network Setup"
In one month (2025-09-25), there will be a "Network management with the OpenBSD Packet Filter Toolset" tutorial https://events.eurobsdcon.org/2025/talk/FW39CX/ at #eurobsdcon in #zagreb. To register: https://2025.eurobsdcon.org/registration.html #openbsd #freebsd #networking #security #unixlike
In general, I like netcup. The FediMeteo VPS rocks and they're quite reliable but... their IPv6 implementation is such a mess! Hetzner allows you to route, so each vnet jail can have its own IPv6 address. On netcup, I have never been able to achieve such a result.
Anyone using OVHCloud with IPv6?
I have a server at Netcup.de and it seems there's a nasty routing issue from OVH to the German Nuremberg Datacenter of NetCup.
Could someone try reaching out to 2a0a:4cc0:c1:2f90::2 from an OVH network? (Ping, SSH, Traceroute ..)
#networking #ovh #netcup #fedihelp #routing #ipv6 @OVHcloud @netcup
Routing is a fascinating thing. I was having slow connectivity issues on my mobile phone via the cellular network. It wasn't a DNS issue, but a latency one. I opened a WireGuard VPN to my home network: much better.
Change control window closed and another 15% of our subscriber base was moved to the new BNGs. 22% to go and most of those can be done in two more cutovers. It’s been almost a year but we are at the pointy end of it now.
I've just published version 25.7.1 of 'kpfleming.systemd_networkd', my collection of Ansible roles for managing systemd-networkd configuration. New in this release are a half-dozen 'advanced' features in the 'network' role, along with a new 'bridge' role. Most of these changes originated from my recent project to switch to DHCPv6-PD on my home network, and also eliminate the standalone DHCPv4 servers I was using.
If you're an Ansible user and use systemd-networkd on your managed machines, take a look! Here's an example of a moderately-complex configuration:
https://github.com/kpfleming/ansible-systemd-networkd#examples
I've got more complex ones if you're really interested 🙂
#Ansible #systemd #networking #systemd-networkd
There is a new Café in town. The illumOS Café
The news is wonderful, the concept interesting, the setup simple.
Want to learn more? Surf to this link
Thank you 💕 @stefano
#Networking #programming #OpenSource #FediVerse #decentralized #illumOS
https://it-notes.dragas.net/2025/08/18/introducing-the-illumos-cafe/
#Signal group about #Meshtastic
a decentralized network using license-free radio to get reliable and independent messaging
Meshtastic.org
https://signal.group/#CjQKIKbTI-Qne1canCIsfz7qJFawNLdkuiJbSMuo5ejHd30HEhClGT1ZO4WwuvywBXYh__el
#SignalGroups #decentralization #decentralized #networking #selfhosting
I just unwound an ethernet cable that had been wrapped up tightly, like paracord. I had done that wrapping, years ago. I could feel the eyes of @nuintari on me. I used the cable, disconnected it, and put it away.
Wrapped up exactly as I found it.
☕ Good Morning Homelabs ☕
Friday greeting kisses from the 💤 sleepy 🌞 annnyway, new place, new in-wall panel of cat6 terms and a 5GbE symmetric fiber line. I cleaned up the initial mess in June, second iteration this past week/ish. Generally, most of this hardware should be in one of the office racks (1U switch + 2x 0.5U patches + 1U UPS), specifically NOT in my walk-in closet. It's a work in progress.
It's heartwarming to a greying geek that a 5000+ word retrospective on greytrapping is turning out to be popular - https://nxdomain.no/~peter/eighteen_years_of_greytrapping.html (tracked https://bsdly.blogspot.com/2025/08/eighteen-years-of-greytrapping-is.html)
#greytrapping #spam #antispam #greylisting #blocklist #openbsd #freebsd #smtp #email #ssh #passwords #passwordguessing #pop3 #security #networking #cybercrime
Successfully serving some test sites off my local Mac Mini running OpenBSD / httpd. It’s currently using Eero’s DDNS for the port reservations and forwarding, so it’s only temporary until my real router arrives.
Just a good test though 👍
Good morning!
Tomorrow evening it is #NetMCR (https://www.netmcr.uk/) again in #Manchester.
Join them for a #Networking #MeetUp at the Northern Monk (https://www.northernmonk.com/pages/manchester) from 7pm.
The talk will be by James Blessing: 'Did “we” build the wrong network?'
Hot on the heels of his June presentation, and coming from similar experience, James is back to speak to you all about what he thinks of all our networks. There is no doubt given James’ usual style that this will be a light-hearted and thought provoking gallop through the networks we’ve built, and those we will likely build in the future.
I'll be there for 🍻 , 🍔, 🍟 and ℹ️ 😀
Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to fool spammers rolled past the number of inhabitants in my home country of Norway. It's time for a retrospective.
Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? https://nxdomain.no/~peter/eighteen_years_of_greytrapping.html (tracked https://bsdly.blogspot.com/2025/08/eighteen-years-of-greytrapping-is.html)
#greytrapping #spam #antispam #greylisting #blocklist #openbsd #freebsd #smtp #email #ssh #passwords #passwordguessing #pop3 #security #networking #cybercrime
Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to woo the unwary spammer rolled past the number of inhabitants in my home country of Norway. It's time for a retrospective.
Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? https://nxdomain.no/~peter/eighteen_years_of_greytrapping.html (tracked https://bsdly.blogspot.com/2025/08/eighteen-years-of-greytrapping-is.html)
#greytrapping #spam #antispam #greylisting #blocklist #openbsd #freebsd #smtp #email #ssh #passwords #passwordguessing #pop3 #security #networking #cybercrime
#Homelab/#Networking question: I just realised that 'setting a static #IPv6 address' on a (#Linux) server is not as simple as it'd be with #IPv4 - one of the reasons being that the address prefix changes when my router restarts (i.e. due to any configuration changes). When that network address prefix changes, obviously, any 'static' IPv6 address I'd like to set for my server would just be rendered useless.
On my router there is an Address Prefix field - however, this field is currently prefilled with the network address prefix my servers/client devices are currently using/assigned to, and it is immutable (not configurable). To make it configurable, I could set a different setting on the same page called Prefix Delegation to Disable instead of its default, Enable.
My idea is to disable it, set an address prefix, and save/apply it - my expectation is, after the router restarts, all IPv6 addresses on my network will have that prefix, and it'll never change unless I explicitly do so (again, on the router). Is my idea right? Or am I getting it tooootally wrong (which is possible bcos IPv6 is something else)?
In this FreeBSD Journal article, Randall Stewart and Michael Tüxen walk through how SYN segments are processed during TCP’s three-way handshake—crucial for establishing reliable connections.
Learn how FreeBSD handles the client-server exchange and what happens behind the scenes during SYN, SYN-ACK, and ACK.
Read the full article:
#FreeBSD #Networking #TCP #OpenSource #SystemInternals #FreeBSDJournal #TechInsights
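To make the SYN / SYN-ACK / ACK exchange above concrete, here is an added Python model of the listener's side of the handshake. It is an illustrative example written for this page, not FreeBSD's TCP code and not the article's: it keeps a per-peer entry (a toy stand-in for a syncache), computes the acknowledgement numbers with 32-bit wraparound, and shows the two checks a listener cares about: a stray ACK arriving in LISTEN is answered with a RST, and a third-segment ACK whose acknowledgement number is not the server's ISN+1 does not complete the connection. Addresses, ports and sequence numbers are constructed.

```python
import secrets
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10      # TCP flag bits
MOD32 = 1 << 32                        # sequence numbers wrap at 2**32


@dataclass(frozen=True)
class Segment:
    src: tuple          # (ip, port) of the sender
    dst: tuple          # (ip, port) of the receiver
    flags: int
    seq: int
    ack: int = 0


@dataclass
class PendingConnection:
    state: str          # SYN_RECEIVED or ESTABLISHED
    peer_isn: int       # client's initial sequence number (from its SYN)
    local_isn: int      # our initial sequence number (sent in the SYN-ACK)


class Listener:
    """Server side of the handshake. Model only; not FreeBSD's TCP code."""

    def __init__(self, addr):
        self.addr = addr
        self.conns = {}   # peer (ip, port) -> PendingConnection, a toy syncache

    def state_of(self, peer):
        conn = self.conns.get(peer)
        return conn.state if conn else "LISTEN"

    def on_segment(self, seg):
        """Process one incoming segment; return the reply segment or None."""
        if seg.dst != self.addr:
            return None
        conn = self.conns.get(seg.src)
        if conn is None:
            return self._in_listen(seg)
        if conn.state == "SYN_RECEIVED":
            return self._in_syn_received(seg, conn)
        return None   # ESTABLISHED: data transfer is outside this model

    def _in_listen(self, seg):
        if seg.flags & RST:
            return None                      # RST to a listener is ignored
        if seg.flags & ACK:
            # RFC 793: nothing can be acknowledged yet, reply RST with SEQ=SEG.ACK
            return Segment(self.addr, seg.src, RST, seq=seg.ack)
        if seg.flags & SYN:
            isn = secrets.randbelow(MOD32)   # unpredictable initial sequence number
            self.conns[seg.src] = PendingConnection("SYN_RECEIVED", seg.seq, isn)
            return Segment(self.addr, seg.src, SYN | ACK,
                           seq=isn, ack=(seg.seq + 1) % MOD32)
        return None

    def _in_syn_received(self, seg, conn):
        if seg.flags & RST:
            del self.conns[seg.src]          # peer aborted; free the entry
            return None
        if seg.seq != (conn.peer_isn + 1) % MOD32:
            return None                      # simplification: a real stack re-ACKs
        if not seg.flags & ACK or seg.ack != (conn.local_isn + 1) % MOD32:
            # The ACK does not acknowledge our SYN: refuse to complete (RFC 793: RST)
            return Segment(self.addr, seg.src, RST, seq=seg.ack)
        conn.state = "ESTABLISHED"
        return None


def run_handshake(listener, client, client_isn):
    """Drive a well-formed SYN / SYN-ACK / ACK exchange and return the final state."""
    synack = listener.on_segment(Segment(client, listener.addr, SYN, seq=client_isn))
    listener.on_segment(Segment(client, listener.addr, ACK,
                                seq=(client_isn + 1) % MOD32,
                                ack=(synack.seq + 1) % MOD32))
    return listener.state_of(client)


if __name__ == "__main__":
    srv, cli = ("192.0.2.10", 443), ("198.51.100.7", 51000)   # constructed
    print(run_handshake(Listener(srv), cli, 1000))             # ESTABLISHED
```

The ack-number check is what stops a third segment from a party that never saw the SYN-ACK from completing the connection; a real stack adds window checks, retransmission timers and, under load, SYN cookies so that the per-peer entry need not exist at all until the valid ACK arrives.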
I am an old man. I regularly yell at clouds. "Elvis is alive! How 'AI' stunts modern mythmaking" https://nxdomain.no/~peter/elvis_solaris_ai_mythmaking.html (tracked https://bsdly.blogspot.com/2025/08/elvis-is-alive-how-ai-stunts-modern.html) #elvis #solaris #unix #ping #networking #AI #mythmaking #artificialintelligence #aislop #history
Downloading Cisco drivers: "click this link to complete your profile to download this software" [link clicked] "you have been logged out." #networking
Was ordering myself a new X220 keyboard and a small, fan-less Intel-based router caught my eye (on sale!). I snagged both :)
When it gets here, I plan to swap out my hacked-together router (2012 mac mini) for it. The next goal would be to repurpose that same mac Mini as a web server for my personal, public websites.
Only time will tell if I fail...
40gb to 4x10gb break out cables exist. Can I use that in a machine with a 40gb NIC to connect to 4 10gb devices, or does the breakout functionality only work on switches? I have a lot to learn with physical networking. #homelab #networking
Blegh.
I remember having it explained to me once before how #IPv6 SLAAC works, but I've since forgotten and I'm too NAT-pilled by IPv4 to be able to grok it on my own.
It also kind of makes my few privacy nerves itch to think that systems in an IPv6 #network just have public IPs by default instead of tucking them away privately behind a gateway with NAT. >.>
But at the same time, having a public IP by default would make spinning up self-hosted servers easy peasy, lemon squeezy.
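The SLAAC post above and the earlier "static IPv6 address on a server" question come down to the same mechanism, so one added example serves both (it is written for this page, not code from either poster). An IPv6 address is a prefix the router advertises plus a 64-bit interface identifier the host chooses; SLAAC derives that identifier from the MAC (modified EUI-64), and a host that keeps its identifier fixed (iproute2's `ip token`, systemd-networkd's `Token=`) gets a predictable address under whatever prefix is currently delegated. For addresses that must survive a prefix change entirely, RFC 4193 Unique Local Addresses give a stable internal prefix alongside the global one. The MAC, prefixes and token below are constructed values.

```python
import hashlib
import ipaddress
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01


def mac_to_eui64(mac):
    """Modified EUI-64 interface identifier, as SLAAC derives it from a MAC
    (RFC 4291 appendix A): flip the universal/local bit, insert ff:fe."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def token_from_eui64(eui64):
    """The 64-bit identifier as an IPv6 'token' (only the low 64 bits set)."""
    return ipaddress.IPv6Address(int.from_bytes(eui64, "big"))


def address_from_prefix(prefix, token):
    """Combine the /64 the router currently advertises with a fixed identifier.

    This is what SLAAC does with the RA prefix, and what a fixed token keeps
    constant when the delegated prefix changes."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"need a /64 prefix, got /{net.prefixlen}")
    iid = int(ipaddress.IPv6Address(token))
    if iid >> 64:
        raise ValueError("token must only set the low 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def slaac_address(prefix, mac):
    """The EUI-64 based address SLAAC would form for `mac` under `prefix`."""
    return address_from_prefix(prefix, token_from_eui64(mac_to_eui64(mac)))


def generate_ula_prefix(eui64, now=None):
    """Unique Local Address /48 per RFC 4193 section 3.2.2: fd00::/8 plus a
    40-bit Global ID taken from the low bits of SHA-1(NTP time || EUI-64).
    Pass a fixed `now` for reproducible output."""
    if now is None:
        now = time.time()
    seconds = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((now - int(now)) * (1 << 32)) & 0xFFFFFFFF
    key = seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big") + eui64
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def first_lan_subnet(ula_prefix):
    """The first /64 out of a /48 ULA, e.g. for the LAN the server sits on."""
    return next(ula_prefix.subnets(new_prefix=64))


if __name__ == "__main__":
    MAC = "02:00:5e:00:53:01"                                   # constructed
    for pfx in ("2001:db8:1:2::/64", "2001:db8:abcd:2::/64"):   # two delegations
        print(pfx, "->", slaac_address(pfx, MAC))               # suffix stays the same
    ula = generate_ula_prefix(mac_to_eui64(MAC))
    print("ULA:", ula, "host:", address_from_prefix(first_lan_subnet(ula), "::1234"))
```

Run as a script it shows the same `:5eff:fe00:5301` suffix under both delegated prefixes, then a freshly generated fdxx::/48 with a host address in its first /64. Pinning the delegated prefix on the router is a different approach from what the script shows: the prefix is the ISP's to change, whereas a fixed token or a ULA is under the host's and router's own control.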
Okay, so let me tell you about my doorbell, from a #networking perspective.
When you push the button by the door, it sends a message over the #zigbee wireless mesh network in my house. It probably goes through a few hops, getting relayed along the way by the various Zigbee light switches and "smart outlets" I have.
Once it makes it to my utility closet, it's received by a Zigbee-to-USB dongle, through a USB hub (a simple tree network) plugged into an SFF PC. From there, it gets fed into zigbee2mqtt, which, as the name implies, publishes it to my local #mqtt broker.
The mqtt broker is in the small #kubernetes cluster of #raspberrypi nodes I run in my utility closet. To get in (via a couple of #ethernet switch hops), it goes through #metallb, which is basically a proxy-ARP type service that advertises the IP address for the mqtt endpoint to the rest of my network, then passes the traffic to the appropriate container via a #linux veth device.
I have #HomeAssistant, running in the same Kubernetes cluster, subscribed to these events. Within Kubernetes, the message goes through the CNI plugin that I use, #flannel. If the message has to pass between hosts, Flannel encapsulates it in VXLAN, so that it can be directed to the correct veth on the destination host.
Because I like #NodeRed for automation tasks more than HomeAssistant, your press of the doorbell takes another hop within the Kubernetes cluster (via a REST call) so that NodeRed can decide whether it's within the time of day I want the doorbell to ring, etc. If we're all good, NodeRed publishes an mqtt message (more VXLANs, veths, etc.)
(Oh and it also sends a notification to my phone, which means another trip through the HomeAssistant container, and leaving my home network involves another soup of acronyms including VLANs, PoE, QoS, PPPoE, NAT or IPv6, DoH, and GPON. And maybe it goes over 5G depending on where my phone is.)
Of course something's got to actually make the "ding dong" sound, and that's another Raspberry Pi that sits on top of my grandmother clock. So to get *there* the message hops through a couple Ethernet switches and my home WiFi, where it gets received by a little custom daemon I wrote that plays the sound via an attached #HiFiBerry board. Oh but wait! We're not quite done with networking, because the sound gets played through PulseAudio, which is done through a UNIX domain socket.
SO ANYWAY, that's why my doorbell rarely works and why you've been standing outside in the snow for five minutes.