cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
Making the veb(4) virtual Ethernet bridge VLAN aware https://www.undeadly.org/cgi?action=article;sid=20251029114507 #openbsd #veb #vlan #networking #bridge #freesoftware #libresoftware #current #newfeature #development
It's been a long day. Tomorrow though, I really need this MikroTik CCR2004-1G-2XS-PCIe, running the home router, to be quiet. Therefore, lie in bed, figure out which Thermal Grizzly conductive pad is most appropriate for replacement between the NIC's heatsink... and maybe there's an STL file for making a carbon fitment plus copper core (taken from an old Broadwell system, heatsink with a couple of blah blah blah... yep. Go to sleep brain, stop this, maybe more tomorrow.
So GPT-Pro and Deep Research... tell me what to buy.
#homelab #tired #mikrotik #intel #mellanox #networking #sleepy #uuuuuuugh #gptpro
As of this afternoon, my home Wi-Fi network is (once again) being managed by the old MikroTik Cap AC mounted on a wall. The last time I tried it, it worked well, but some peripheral areas seemed to have poor coverage (compared to the Ruckus r650 I normally use). I still have three of these MikroTiks, which were my access points about six years ago (and up until almost two years ago). With the wave2 drivers, just one of them now covers the entire house.
What amazes me is how a firmware update has revolutionized the device's experience. It consumes a fraction of the [power of the] Ruckus and, at the moment, it doesn't make me miss it.
Will I keep it running? Maybe not, at least not in the long run. I have the Ruckus; it probably wouldn't make sense to leave it switched off. Furthermore, when FTTH arrives, it will be a bottleneck. But the freedom these devices provide, even just at the scripting level, is truly remarkable.
🍂 The Tailscale Fall Update is here!
It's a week of new features that make it easier to build securely, manage effortlessly, and connect seamlessly across your network.
Join our live webinar at 1pm EDT on Oct 30 to see what’s new.
🎥 Sign up: https://tailscale.com/events-webinars/tailscale-fall-update
#Tailscale #ZeroTrust #Networking #DevTools #Webinar
Keeping an eye on the queues, load balancing and failover I configured over the weekend on a client's router.
Question for the #HomeLab #networking folks on here - any recommendations for a Thunderbolt 10GbE SFP+ network adapter? It looks like all I'm able to find are Base-T ones and I'm looking for one that I can connect to the switch using DAC to keep the power consumption down.
Unfortunately the Base-T adapter I bought six months ago overheated and is now making a credible impression of Monty Python’s Parrot, and I’d rather not repeat that experience.
New blog post! My adventures in IPv6 in the homelab https://blog.transitory.social/posts/2025-10-25-adventures-in-ipv6/ It covers going from an IPv4-only MikroTik config all the way to getting Kubernetes running in dual stack mode with pods and services assigned IPv6 addresses. (Note: I have enabled a cache middleware on the blog, so if that explodes someone give a shout and I'll disable it ;) )
If you have an #ASUS router from the current or last gen and want to do some #HomeLab networking, then I recommend #MerlinWRT. If you're using AiMesh (whether or not as a mesh network), then only the router(s) need it. The ASUS stuff should continue to work (app, DDNS, etc.), but you'll have more control over the finer points of your network to do LAG, run your own DNS, etc., from the router.
https://www.asuswrt-merlin.net/
Then: The Internet is designed to route around failure.
Now: The Internet is five companies and one of them is broken.
Technically my IPv6 journey isn't done, but it'll be a good part 1. Part two I still need to do the work for. The parts left are:
* Local Kubernetes load balancer IPv6 support: I need to get IPv6 BGP working, and I need that to be serving IPs in both ULA and GUA pools.
* I need to figure out how to handle GUA and firewalls.
More explanation on my questions and hangups with the second point there: Ok so everything gets a GUA, neat except.... What happens if my prefix changes? Normally that isn't supposed to happen at all. It isn't likely to happen for me unless I move. Ok fine except... Then what? Manually update every firewall and maybe routing rule? (Not as worried about the DNS side of things.) I think I found a Mikrotik script that does this so maybe that is the play? I'm just using ULAs for now for everything at the moment (except those remote nodes do have IPv6 GUAs).
WPA3 support for OpenBSD 802.11 wireless funded by NLNet Foundation https://www.undeadly.org/cgi?action=article;sid=20251017070142 #openbsd #wifi #networking #wpa3 #security #nlnet #nlnetfoundation #funding #freesoftware #libresoftware
- [x] Enable IPv6 wireguard addressing (related to node addressing and internal/external address designation) Traefik service is proper dual stack now
EDIT: It worksssssssss - [x] Cloud Edge Node Project: Goal: Build a hybrid cloud to enable a caching point-of-presence in a different region without using cloudflare or similar. * [x] EU Edge node created via terraform
* [x] Edge node connected via wireguard and joined to cluster
* [x]
- [x] Cilium Node IPAM LB enabled
- [x] Traefik Ingress created, load balancer service using Cilium Node IPAM LB gets the edge node as its external IP
- [x] Enable IPv6 wireguard addressing (related to node addressing and internal/external address designation)
- [x] Install crowdsec traefik middleware
- [x] Install traefik cache middleware (maybe this)
- [x] Setup s3 cache nah just used traefik middlewares (blog ref)
- [x] Add external-dns installation targeting the edge nodes
- [x] Update this instance's ingress class and switch seamlessly #Homelab #Networking #Selfhosted
I like finding out stuff can be less complicated than how I used to do it. Like going from team bridging to bridging over a bond to realizing that all I actually needed was to set up VLAN connections directly off the bond to accomplish what I needed to do, so it was like a total of 4 nmcli commands to set up an 802.3ad bond and a VLAN-tagged con.
Shout out to @paradoxguitarist for keeping me fresh.
@stefano You'd think something like that would set off all kinds of alarm bells. I mean, even a *cursory glance* at a data transfer rate diagram would show a >>95% drop in throughput pretty clearly, even if it is brief in duration.
Maybe they have a problem that needs solving? ;-)
Today, knowing I'd be in a place with less-than-excellent connectivity, I came prepared. I brought two MikroTik 4G routers with me (one, an old friend; the other, new and ready to be tested). I also have my smartphone with two SIM cards from two different mobile providers.
I noticed something extremely curious: the fixed FTTC connection sometimes has extremely strong drops or speed reductions (from 100 Mbit/s to 1 or 2). Knowing this, I brought the 4G routers on purpose to compensate. But I realized that when the FTTC connection fails, all four mobile providers also fail. The phenomenon is therefore correlated. This leads me to believe that, not being in a big city, there is a single (or multiple, but malfunctioning) point of connection that all providers, both fixed and mobile, connect to.
Note for the future: don't trust the mobile providers here.
Ok, Akovordo is working, and this will be useful, I think. I am gonna let it collect for a bit and worry about it more next week. I can see how I could pull it into the cluster, set up proper auth, etc. ...or I could just turn it off when done and have it ready to go if needed; it'll depend on how many resources it takes to run. I have a ways to go categorizing things and optimizing queries too.
Attempts to analyze netflows the easy way*
* I could probably re-install Security Onion, but it is way too heavy; there has to be something better. siiiiiiiiiiiiiiiiiigh
* Akovordo looks like it could be nice; the docker compose absolutely refuses to run. Maybe v2 broke it? Maybe I'll have to open some issues.
* OpenObserve has a really straightforward guide and is super light, and also doesn't work: goflow2 claims to be receiving the flows but nothing shows in OpenObserve and neither side has useful logs. Cool, cool.
* goflow2 has its own docker compose, which references dead bitnami links. Awesome, love to see it.
This month #NetMCR (https://www.netmcr.uk/) in #Manchester is on Wednesday 8th October instead of Thursday due to a timetabling clash.
I'm not sure what the talk will be about, but even if there isn't one, it's nice to chat with people about #Networking and other technical subjects.
It's at the Northern Monk (https://www.northernmonk.com/pages/manchester) from 7pm, and by luck I will be able to make it 🥳
Come and chat with some nice people, and have some weird 🍻, and if you're hungry, 🍔 and 🍟!
uggh, I got netbird almost running but....
Error: daemon up failed: login backoff cycle failed: rpc error: code = Unknown desc = getting device authorization flow info failed with error: context deadline exceeded
#networking deep dive on packet fragmentation and reassembly in NICs with hardware offloading.
https://medium.com/@tom_84912/segmentation-offload-and-protocols-lets-be-friends-64d9e6341054
RFC1149: Ten Years of In-Flight Internet https://nxdomain.no/~peter/rfc1149_ten_years_of_in-flight_internet.html
Yes, there was an implementation. In April 2001, my laptop was pinged via carrier pigeon.
My writeup for the 10th anniversary of the experiment, with links to copies of the original material. #rfc1149 #pigenons #networking #hacking
PG&E outage for all of Sunnyvale, UPS resources kept the home office and homelab online most of the hours. In the interim via LTE, decided to resume efforts on spec'ing the latest network refresh.
Big decisions; mostly around scale model design principles, some blandness re: OFED drivers and SPDK version parity for specific NIC/DPU SKUs, and analysis paralysis when focusing on critical nerdatorium protocol support.
Otherwise to say... I'm leaning towards additional Bluefield DPUs, where offload options are more important than bandwidth parity for production port speeds (also lower total port count using 4x25 breakouts), and there's no sense in paying more per unit for a CX6 25G vs BF2 25G... so... yep.
#networking #homelab #mellanox #nvidia #dpu #zfs #distributedsystems #ai #hpc
Whelp back I go down into the IPv6 mines wish me luck (I need to get Cilium/Talos running in dual stack before I get these remote nodes working) The nodes are getting ipv6 addresses but it isn't propagating into k8s/Cilium for some reason...
Tonight's Tech Distractions: - Got some Grafana dashboards working. Some didn't work perfectly just yet. I am not entirely sure why, but I didn't look deep
- Created a new Tailscale account, using authentik as the OIDC provider to move away from the google account. I really wish they supported moving users/accounts around better.
- Now looking into DoH/DoT... I got adguard-dns serving DoT, now I am seeing how I can propagate that to hosts..... can dhcp/dnsmasq hand out a DoT address? Probably not without breaking things?
Ok so the network driver crashed again on this NAS. I hadn't encountered it because previously I was using an Intel X710. I could put that back in and use a DAC to 1G SFP, I guess. Or I could troubleshoot a stupid Intel NIC driver crash on Debian. Wheeeeeeeeeee
Made a wiring diagram before labeling all my new fancy uniform white ethernet cables I got to replace the spaghetti of random lengths of colored wires
This sounds like an awful question: Can I "port forward" an ipv6addr:port pair to an internal ipv4 address?
Ok so after a bunch of searching for a good tool to track down what is running on the network I settled on:
* Security Onion ingesting NetFlows from the router. This catches all traffic that crosses subnets. Traffic within the subnets isn't as much of a concern at this stage.
* Nmap plus a stylesheet I found was able to generate a pretty digestible HTML doc enumerating ports and hosts.
From those sources I can pretty easily set up sensible firewalls at the router level, and potentially at the host level as well. After that I can work on intra-Kubernetes traffic rules. Also I used some of the initial data to sort hosts a little better and clean up DHCP/static DNS entries. Lastly I'm going to back away slowly from IPv6 again. I did learn a bit and made some progress, but getting that cluster properly talking dual stack is less of a priority at the moment, I think?
I find myself using quadlets more and more often, but the networking threw me for a loop when I first moved over from docker-compose.
Here's a quick post about getting your quadlets onto the same networks:
Reading this article really makes me want to connect a classic AppleTalk device straight into an internet exchange https://blog.benjojo.co.uk/post/ixp-bad-broadcast-packets-interesting
We are about five minutes from starting the "Network management with PF" https://events.eurobsdcon.org/2025/talk/FW39CX/ tutorial at #eurobsdcon in #zagreb. Slides at https://nxdomain.no/~peter/pf_fullday.pdf as usual #pf #openbsd #freebsd #packetfilter #networking
Tomorrow 2025-09-25 at 10:30 CEST, the refreshed "Network Management with the OpenBSD Packet Filter Toolset" https://events.eurobsdcon.org/2025/talk/FW39CX/ by yours truly, @stucchimax and Tom Smyth will start at #eurobsdcon.
We will put the updated slides online just before the session starts.
#openbsd #freebsd #pf #packetfilter #networking #firewall #trickery #security
Returning to the Valley from SF, feeling mostly quite tired (in a generally good way). Will soon depart, then work, then sometime in the evening decided whether to install a MikroTik CCR2004-1G-2XS-PCIe, or a Mellanox CX-5 2x25G (OCP v2 form factor) mounted on a PCIe converter card. 🤔
Ok, suppose it's time to get ready.
#homelab #SF #networking #linux #freebsd #engineering #nvidia #mellanox #mikrotik
Ok so more IPv6 thoughts: I was thinking a bit more about the idea to move the dnsmasq service onto the router: So the entire reason for switching to dnsmasq was because it creates DNS entries for DHCP clients, and it even can assign a different subdomain per subnet. However, there was something I had yet to get functional: mapping IPv6 to those same DNS names. I'm not even sure how that is possible! Certainly not with dnsmasq because I don't have it handling anything? Or maybe there is some stateless DHCP option? Which got me to thinking that maybe it is possible with Mikrotik's scripting? On a related note I saw a script to update IPv6 prefix if that updates which looks super useful and might put me at ease. I could use ULAs for internal traffic and have that prefix updater script update firewalls if anything changes.
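The prefix-change worry above (and the same question in the earlier "part 1" post about GUA firewall rules) comes down to bit arithmetic: every address carved out of a delegated /48 keeps its subnet-id and interface-id bits, only the top 48 bits change, and ULA rules must not be touched at all. The block below is an added illustration written for this page, not the MikroTik script the poster mentions; the two /48s are documentation prefixes, the rule list is hypothetical, and the emitted `/ipv6 firewall filter set [find ...]` lines use standard RouterOS syntax but should be checked against your RouterOS version before being run unattended.

```python
import ipaddress

# Constructed example: a delegated /48 changes (e.g. after a move) and firewall
# rules written against the old prefix must follow it. Both prefixes are
# documentation addresses, not anyone's real allocation.
OLD_PREFIX = ipaddress.IPv6Network("2001:db8:aaaa::/48")
NEW_PREFIX = ipaddress.IPv6Network("2001:db8:bbbb::/48")

# Hypothetical filter rules in the shape of /ipv6 firewall filter entries.
# The ULA rule (fd00::/8) must survive untouched: that is the point of keeping
# internal policy on ULAs and only internet-facing rules on the GUA.
RULES = [
    {"chain": "forward", "src": "2001:db8:aaaa:10::/64", "dst": "2001:db8:aaaa:20::/64", "action": "accept"},
    {"chain": "input",   "src": "2001:db8:aaaa:10::1/128", "dst": "::/0", "action": "accept"},
    {"chain": "forward", "src": "fd00:10:0:10::/64", "dst": "fd00:10:0:20::/64", "action": "accept"},
]


def renumber(net_str: str, old: ipaddress.IPv6Network, new: ipaddress.IPv6Network) -> str:
    """Move one address or subnet from `old` to `new`, keeping every bit below
    the delegated prefix length (subnet id and interface id). Anything not
    inside `old` (ULAs, ::/0, other people's prefixes) is returned unchanged."""
    if old.prefixlen != new.prefixlen:
        # A different delegation size changes how many subnet-id bits exist;
        # that needs a new addressing plan, not a bit copy.
        raise ValueError("delegation length changed, re-plan subnets by hand")
    net = ipaddress.IPv6Network(net_str)
    if net.prefixlen < old.prefixlen or not net.subnet_of(old):
        return net_str
    low_bits = 128 - old.prefixlen
    low = int(net.network_address) & ((1 << low_bits) - 1)
    return str(ipaddress.IPv6Network((int(new.network_address) | low, net.prefixlen)))


def renumber_rules(rules, old, new):
    """Return a renumbered copy of the rule list; the input is not modified."""
    out = []
    for rule in rules:
        moved = dict(rule)
        moved["src"] = renumber(rule["src"], old, new)
        moved["dst"] = renumber(rule["dst"], old, new)
        out.append(moved)
    return out


def routeros_commands(rules, old, new):
    """RouterOS CLI lines that rewrite only the fields that actually changed.
    The `set [find ...]` form is standard RouterOS syntax; verify the match
    keys on your version before scripting this from the DHCPv6 client."""
    cmds = []
    for rule in rules:
        for key, field in (("src", "src-address"), ("dst", "dst-address")):
            after = renumber(rule[key], old, new)
            if after != rule[key]:
                cmds.append(
                    f'/ipv6 firewall filter set [find chain={rule["chain"]} '
                    f'{field}={rule[key]}] {field}={after}'
                )
    return cmds


if __name__ == "__main__":
    for line in routeros_commands(RULES, OLD_PREFIX, NEW_PREFIX):
        print(line)
```

Running it prints three `set` lines (two for the forward rule, one for the input rule) and nothing for the ULA rule, which is the check worth keeping: a renumbering script that also rewrites ULA or `::/0` entries has a bug. A delegation that changes length (/48 to /56) is refused on purpose, since the subnet ids no longer fit the same way.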
My house is such a strong Faraday cage that even from the front yard 2 meters away from the house, the 2.4 GHz Wi-Fi network is not reachable (and the 5/6 GHz SSIDs are not even visible)
[in other words I want an outdoors AP so I don't need to rely on mobile 5G]
On Thursday, September 25, 2025, Tom Smyth and I will be giving a "Network Management with the OpenBSD Packet Filter Toolset" tutorial https://events.eurobsdcon.org/2025/talk/FW39CX/ at #eurobsdcon in #zagreb. Register: https://2025.eurobsdcon.org/registration.html #openbsd #freebsd #networking #pf #packetfilter #security #trickery
Ok so I gave up getting something in-cluster importing data and threw a SecurityOnion VM up on the fileserver (powered it up to prep moving it to parent's place). Then I just added 'all' ports to the traffic flow exporter in MikroTik. Speed seems fine, at least for uplink? I actually caught one misconfiguration with it, but I don't think I've found anything groundbreaking. Missing a bunch of internal traffic that doesn't hit the router. But actually. Hmm. Maybe not that much? Almost anything interesting would be going cross subnets anyway. Biggest annoyance so far is I can't seem to get it to properly do reverse-lookups in Kibana.
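Both the "goflow2 claims to be receiving flows but nothing shows" post and the Security Onion posts above are about the same thing: getting the router's flow export decoded and then asking which cross-subnet flows are unexpected. When a collector pipeline goes silent, a twenty-line decoder on the raw UDP payload settles whether the exporter is actually sending anything sensible. The block below is an added example written for this page, not code from goflow2, Security Onion or MikroTik: it decodes NetFlow v5 datagrams (one of the formats the RouterOS traffic-flow exporter can emit; note v5 carries IPv4 only, so the IPv6 work on this page needs v9 or IPFIX), and runs a small zone policy over them. The export packet is constructed inline, and the three VLANs and the expected-port table are hypothetical.

```python
import ipaddress
import struct
from dataclasses import dataclass

# NetFlow v5 wire format (Cisco-defined): a 24-byte header followed by
# `count` fixed 48-byte records, all big-endian.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int


def parse_netflow_v5(data: bytes) -> list[Flow]:
    """Decode one export datagram. Refuses anything that is not v5 or is
    shorter than the record count in the header claims."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < needed:
        raise ValueError(f"truncated: header promises {count} records ({needed} bytes), got {len(data)}")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _ifin, _ifout, pkts, octets, _first, _last,
         sport, dport, _pad1, _tcpflags, proto, _tos, _sas, _das, _smask, _dmask, _pad2
         ) = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                          sport, dport, proto, pkts, octets))
    return flows


# Hypothetical zoning for a three-VLAN home network. The router only ever sees
# cross-zone flows, which is exactly the traffic worth policing.
ZONES = {
    "lan":     ipaddress.IPv4Network("10.0.10.0/24"),
    "servers": ipaddress.IPv4Network("10.0.20.0/24"),
    "iot":     ipaddress.IPv4Network("10.0.30.0/24"),
}
# Destination ports each zone pair is expected to use; anything else is a finding.
EXPECTED_PORTS = {
    ("lan", "servers"):  {22, 443},
    ("lan", "internet"): {53, 80, 443},
    ("iot", "internet"): {443},
}


def zone_of(addr: ipaddress.IPv4Address) -> str:
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def unexpected_flows(flows):
    """Cross-zone flows whose destination port is outside the expected set."""
    hits = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == d:
            continue  # intra-subnet traffic never crosses the router anyway
        if f.dport not in EXPECTED_PORTS.get((s, d), set()):
            hits.append((f"{s}->{d}", f"{f.src}:{f.sport}", f"{f.dst}:{f.dport}", f.proto))
    return hits


def _record(src, dst, sport, dport, proto, pkts, octets):
    return V5_RECORD.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                          0, 1, 2, pkts, octets, 1000, 2000, sport, dport,
                          0, 0x18, proto, 0, 0, 0, 24, 24, 0)


def sample_datagram() -> bytes:
    """Constructed export packet with four flows; not captured from a real router."""
    records = [
        _record("10.0.10.5", "10.0.20.7", 51000, 443, 6, 12, 3400),            # lan -> servers https: fine
        _record("10.0.30.9", "10.0.20.7", 40000, 22, 6, 3, 200),               # iot -> servers ssh: finding
        _record("10.0.10.5", "10.0.10.8", 5353, 5353, 17, 1, 90),              # same subnet: ignored
        _record("10.0.30.9", "198.51.100.20", 44000, 8443, 6, 2000, 2500000),  # iot -> internet 8443: finding
    ]
    header = V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    for hit in unexpected_flows(parse_netflow_v5(sample_datagram())):
        print(hit)
```

To use it against a live exporter, bind a UDP socket on the collector port and feed each `recvfrom()` payload to `parse_netflow_v5`; a `ValueError` on the very first datagram usually means the exporter is set to v9 or IPFIX (template-based, different header) rather than v5, which is one of the silent-failure modes when "the collector says it is receiving but nothing appears".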