  • Showing only topics with the tag "networking".
    1. Simulating an ISP's access to your traffic

      Hey all,

      We're working on a press-freedom / anti-censorship project and we're testing a variety of scenarios in which a journalist's internet traffic is being monitored by a hostile state. We'd like to simulate an ISP's access to the journalist's traffic so we can run some packet collection and other tests to see what it looks like.

      What's the best way to do this? Put a few routers in series and collect on the last one?

      19 votes
    2. Reverse-Proxying services both inside and outside of Podman

      Hey all, not-a-networks-guy here.

      I've currently got an rpi set up running pihole natively (not in a container) for ad and website blocking reasons. (Using port 80, no TLS) I've used the pihole localdns feature to set an internal hostname for that ip (me.lan).

      On the same pi, I have podman "set up" to run FreshRSS, and I'm getting more and more annoyed about using the port # to access it. (me.lan:12345) I'd like to set up a reverse proxy (probably Traefik) in a container to redirect internally, but considering that port 80 is taken (by pihole, outside of podman) I don't see a way to direct traffic from the pihole to Traefik.

      I'd really rather not reconfigure the whole setup to use containers.... I'm lazy, and also prefer my dns resolver to have the least amount of overhead possible. Is configuring the router an option here, or is the only way to achieve what I'm looking for an overhaul of the pi and containers?

      If I've missed any pertinent details, let me know and I'll update here.

      4 votes
    3. [Home networking] Setting my Ruckus APs to DFS channels manually, any chance of running afoul of the FCC?

      Hi everyone, I recently finally set up the Ruckus AP Unleashed system that came with my townhome. After spending a long night learning how to properly configure the system I finally set it up in a way that provided me the best speeds/range without interference.

      This was achieved by setting my Ruckus APs to manually sit on the DFS channels (60-140) via the Ruckus configuration app (shown here)

      This has been working great as I'm avoiding the 10~ other wifi networks in the area that are all set to the standard 36-48 and 149-160 channels (wifi analyzer screenshot here) but I'm concerned I may be inadvertently violating FCC guidelines. Note I do not live near any military installations, but I am about 13 miles away from a major airport. Will the Ruckus APs automatically change channels if they detect radar interference or am I causing trouble for someone?

      11 votes
    4. Advice for networking at a conference?

      So in about two weeks I'll be at a conference for a career path that I've been trying my best to get into for two years. It's a bit niche, having an overlap with science, tech and IT.

      As such this conference represents opportunity for me, and given how low my morale is after rejection after rejection after rejection, something I really hope to see some result from.

      Does anyone have any tips on how to network at such a conference?

      22 votes
    5. [SOLVED] Looking for help getting my VPN to work with Firefox privacy settings

      I recently moved to a new place with a new ISP, and my Mullvad VPN isn't playing nicely with Firefox like it used to. Can any of you networking gurus please help me troubleshoot?

      When the VPN is enabled, most requests from the browser fail immediately. If I pull up the dev tools Network tab, I can see that these requests fail with an NS_ERROR_FAILURE message before any data is transferred.

      I have Firefox configured to use "strict" Enhanced Tracking Protection. When I reduce it to "standard" my requests go through.

      I'm also trying to use DNS over HTTPS with a custom provider (Mullvad, via https://dns.mullvad.net/dns-query). I'm configuring this in Firefox, using the "Increased Protection" DoH setting. When I do that, Firefox reports the DoH status as "Status: Not active (NS_ERROR_FAILURE)". This happens even when Enhanced Tracking Protection is set to "standard" — in other words, that reduced setting fixed the NS_ERROR_FAILURE for HTTP requests, but not for DoH.

      So how do I fix this so Strict Enhanced Tracking Protection, DNS over HTTPS, and Mullvad all work together? I never had this problem with my old ISP, so I suspect something's being blocked at the WAN level that I need to circumvent.

      • OS: macOS Sonoma 14.5
      • VPN protocol: WireGuard
      • ISP: AT&T Fiber

      I'm just using the official Mullvad client app with mostly default settings. The fiber gateway modem/router came with some default packet filtering firewall rules but I disabled everything in the admin panel. Weirdly, rebooting my machine fixed this temporarily, but the next time I disconnected/reconnected the VPN it broke again. Other browsers (with default settings and no DoH) are working fine when the VPN is connected.

      Edit: Solved! Solution here.

      6 votes
    6. [SOLVED] Debugging a slow connection between local devices in only one direction

      [SOLVED]

      ... well, this is in many ways very unsatisfying, because I have no idea why this worked, but I seem to have fixed it.

      Server A has two Ethernet ports, an Intel I219V and a Killer E3100. Several months ago, when trying to debug sporadic btrfs errors (I had my RAM installed incorrectly!), I had disabled some unused devices in BIOS, including the Killer Ethernet port.

      Since I had no other ideas, and it seemed like this was somehow specific to this server, I just re-enabled the Killer port and switched the Ethernet cable to that port. I'm now getting 300 Mb/s transfers from my wireless devices to my server, exactly as expected.

      I'm gonna like... go for a walk or something. Thank you so much to everyone who helped me rule out all of the very many things this could have been! I love this place, you all are so kind and supportive.

      Original:

      I'm trying to debug a perplexing networking situation, and I could use some guidance if anyone has any.

      Here's my setup:

      • UniFi Security Gateway
      • UniFi Switch Lite
      • Two UAPs
      • Two servers, A and B, connected to the USW-Lite with GbE
      • Many wireless devices, connected to the UAPs

      Here's what I'm experiencing:

      • Network transfers from the wireless devices to server A (as measured by iperf3 tests) are very slow. Consistently between 10 and 20 Mb/s.
      • Network transfers from server A to all devices are expected speeds. 900-1000 Mb/s to server B, 350-ish Mb/s to wireless devices.
      • Network transfers between server B and all devices (in both directions!) are expected speeds.
      • Network transfers from the USG to server A also seem slow, which is odd. Only about 60 MB/s.
      • Network transfers from the USG to server B and the wireless devices are about 300 MB/s

      So, specifically network transfers from any wireless device to server A are slow, and no other connections have any issues that I can see.

      Some potentially relevant details:

      • Server A is running Unraid
      • Server B is running Ubuntu
      • Wireless devices include a Fedora laptop, an iPhone, and a Macbook Pro
      • UniFi configuration is pretty straightforward. I have a few ports forwarded, a guest WiFi network (that none of these devices are on), a single default VLAN, and two simple "Allow LAN" firewall rules for Wireguard on the USG. No other firewall or routing config that I'm aware of.

      If anyone has any thoughts at all on how to continue debugging, I would be immensely grateful! I suppose the next step would be to try to determine whether it's the networking equipment or the server itself that is responsible for the throttling, but I'm not sure how best to do that.

      15 votes
    7. UK based network consultancy required. Anyone?

      Hi folks

      Keeping in with the theme of people of Tildes are generally really good people (hopefully), I may have a gig early next year that I want a quote on for a network redesign. It's not massive at 3 sites of roughly 100 people per site, 2 sites are dark fibred together, a couple of IPSec routes between UK and USA. It's mostly building out IP subnets, correct router and firewall configs, vLANing up the sites correctly.

      If anyone is interested or knows anyone, please reach out to me on this thread for a bit more info, we can take it from there.

      Else, I'm going to reach out to some UK based tech companies for the work. You may ask "Why not do this yourself?" That would require planning and testing which I don't have enough time for; I'd rather a Pro designed, and implemented.

      6 votes
    8. What home network equipment do you use?

      Hey all, I'm interested in going down the rabbit hole with Ubiquiti equipment or other manufacturers, more specifically with access points, routers, and a switch. I want to wean off my ISP-supplied all-in-one equipment as their newer hardware limits basic features such as port forwarding, and I'm interested in re-enabling my self-hosted software. Wi-Fi standards have been moving pretty quickly, as has hardware. What setups do you have established in your homes?

      I don't really have a budget in mind, and have a 2.5GbE port I'd like to utilize for media consumption over LAN.

      29 votes
    9. Fanless x86 mini PCs are getting absurdly fast and cheap

      Pretty much what the title says - I’ve been looking for something small and not too expensive to run a few VMs on recently, and I’m just genuinely amazed at where the tiny SBC space is at right now.

      The Celeron N5105 seems to be the go to choice at the moment. You can get an entire machine running that CPU that’s slightly smaller than an old double CD jewel case, for $150. Less than $200 if you want 16GB RAM and a fast NVMe SSD in there too. Four decent quality 2.5GbE NICs thrown in as a bonus. And it’s not that much slower than my expensive full size desktop from late 2020.

      Part of me thinks I’m just getting old - phones have been plenty of people’s primary computer for years now, after all - but there’s something about having a real standalone x86 PC that size for literally 1/5th the price of a flagship phone that just blows my mind.

      7 votes
    10. Synology NAS Recommendations & Questions

      Hey everyone!

      Sorry if this is a long post, but I've done my research and I would like to ask a few questions.

      I've decided that I would like to buy a NAS mainly to store all of my documents, photos and videos, so that I can access them from multiple devices and also use it to upload important documents to Backblaze B2. Then, I've actually discovered that I can install a few Docker containers and I could use it as a media server (Jellyfin) and serve the content to my Apple TV (neat!).

      I considered a QNAP (better hardware for the price) but everyone recommends Synology instead (because of the stronger security and better overall software), but to be honest, I'm not sure what should I get.

      My budget would be to buy a NAS (without counting the disks) below €1000. Ideally, €500-600 but I don't mind stretching to the €700 mark, if it is really worth it.

      Spoiler alert: I think it should be the DS920+ (4-bay) or the DS1520+ (5-bay). I think a NAS above 4-bay is better for future-proofing.

      Looking here in Germany at price comparators, I could buy the DS920+ for €663 and the DS1520+ for €750. But these prices seem to be at an all-time high :(


      Questions & Assumptions:

      0. I'm not sure if the price difference of about €100 is worth the premium to get the 5-bay model. There are only two differences between these two models: The 5-bay has one extra slot, and it has 4x 1 Gbe LAN ports instead of 2x 1 Gbe. All the rest is the same. What is your opinion?

      1. I've read that if you run a few containers (~10) it consumes quite a bit of RAM (~3 Gb), so it should be ideal to have at least 8 Gb. This is the reason I've said that I think I can only choose the DS920+ or DS1520+. Looking at official Synology resellers, these models seem to come already with 8 Gb, and they are within my budget. Is my research wrong?

      2. These two models have an encryption engine. I think this is necessary to encrypt my files before sending them to Backblaze, or?

      3. A lot of people seem to say to simply pick Synology's hybrid RAID setup called SHR-1 or SHR-2. I would go the easy way here and pick one of those two. Would you think that is a bad idea, and it is better to pick a specific (standard) RAID? I've read about the long long long RAID rebuild that could happen in some situations, and picking the "right" RAID could decrease the rebuild in days (or weeks!!!!).

      4. In case I choose a NAS model with NVMe cache slots, most people say it is not worth it to use if you are not running Virtual Machines and the SSDs "burn" really fast. I have no interest in VMs.

      5. Most people say to pick an Enterprise (Server) HDD instead of a NAS HDD mainly because price is similar in some cases and Enterprise has longer life and warranty. I should also pick a CMR HDD which is helium filled. 5400 rpm would be preferable to 7200 rpm because of the noise. Sadly, all Enterprise HDDs and most NAS HDDs are 7200 rpm. Is the noise difference that big? The NAS will be in our living room.

      6. Is 8 TB still the best cost per Terabyte?

      7. I was extremely sad to hear that the Hitachi hard drive division was bought by WD. I've had lots of misfortune with WD drives (and let's not forget the debacle with the SMR and CMR drives) and I would prefer not to give money to them, but, nevertheless, I'm still tempted to buy the Ultrastar drives that belonged to Hitachi. Does anyone know if WD kept the components, manufacturing processes, staff, etc., that made these brilliant disks?

      8. Following the HDD topic, what is your experience with Seagate or Toshiba drives?

      9. These two NAS models have the same Intel Celeron CPU, which supports hardware transcoding. To be honest, I don't know in which cases would that happen. It seems if I use Infuse on the Apple TV it would never transcode (and instead direct play) because Infuse would do the transcoding in software. Should I take in account that hardware transcoding is a must-have or a nice-to-have?

      10. Would you recommend having a CCTV system connected to the NAS? Should I dedicate one entire HDD just for the NVR system? Would a standalone NVR device be better?

      11. My last question is: Should I just wait for the new model of the DS920+ or DS1520+? The 20 means it was launched in 2020 (in Summer specifically) and it seems Synology refreshes the model every two years; that means a new model would be available in Summer this year. Most people say it is not worth the wait because Synology is very conservative in its model updates/refreshes. People are saying that a better CPU will be of course available (do I even need that for my use cases?) and probably upgrade the 1 Gbe LAN ports to 2.5 Gbe or 10 Gbe (10 Gbe I really doubt it). I've read that a 4K stream does not fill a 1 Gbe bandwidth, and you could theoretically have three 4K streams in a single 1 Gbe connection. If all else fails, I could just do a link aggregation of the two ports to be 2 Gbe, or?

      12. Anything I'm forgetting? Should I be careful with something in particular?


      I know I should buy a UPS too, but I think I'll create a separate post regarding this topic because I would also want a recommendation regarding a UPS for my other devices.

      I know that I could actually build my own NAS and use Unraid for the OS. Furthermore, I'm just at a time in my life with too much on my plate (baby and small child) and having something that just works is preferable. When they are older and more independent, I'll have more time to investigate this option :)

      Again, sorry for the long post. Thank you everyone!

      12 votes
    11. Router recommendations in 2022

      Hello everyone, I'm going to move to a new apartment and doing full time home office while my wife is doing part home office, so I'm looking to improve my internet connectivity. I already plan to get the 400 mbps down fiber cable plan. So, I have to be honest that routers is one of those topics that I should know more than I should but don't, so I'm not sure what should I expect and the features I want or don't need.

      Some time ago, I discovered and bookmarked the amazing website smallnetbuilder which at the time I thought, I would just trust his thorough reviews and choose the best router within my budget. Sadly, the website seems abandoned now, so I'm not sure if there is something new on the market or if the routers on his "Best" rank, are still valid options. By the way, I don't really game online.

      My requirements are:

      • 150€ budget, but willing to go to 200€ if really worth it;
      • Mesh compatibility, just in case I need it in the future;
      • Hopefully very low packet loss maybe 0-0.5%;
      • Compatibility/support with open source firmware;
      • Maybe VPN support (not sure, if worth it);
      • 2.5Gb LAN ports would be nice for future-proofing, but I think this is not possible without going over the budget;
      • Something that I don't know and never heard about, but you would really recommend it to me :).

      After a first glance, the Asus RT-AX58U looks nice. Just not sure about only having two 5GHz streams and no LAN port aggregation.

      Bonus dumb question(s) (sorry): Will all the routers work with my ISP modem? Or is it normal to always check with the ISP first before buying?

      9 votes
    12. Looking for >1Gb/s networking hardware

      I recently got my home internet upgraded to 10 Gb/s. I currently have the following hardware:

      • 10 Gb/s fiber modem (from the ISP)
      • 1 Gb/s ASUS combo router/AP/switch (needs replacement)
      • 2.5 Gb/s 4 port switch (not currently in use)
      • 5 Gb/s USB C ethernet adapter

      My ASUS router is the bottleneck in my current setup. My actual internet speeds are more in the 2-5 Gb/s range when plugged directly into the modem. So I'd be happy if I can get 2.5 Gb/s hardware between my laptops and the modem. That makes my existing ASUS router the bottleneck and in need of replacement. Is there a good, relatively cheap, standalone router (no switch or AP) I can build/buy that supports >1Gb/s speeds? Or is there a good all-in-one solution that isn't way too expensive? I'd honestly prefer to have different components each doing just one job.

      I already tried hooking the switch into the modem directly to see what happens. Under that configuration only one device plugged into the switch has internet access.

      12 votes
    13. Looking for a good map of the internet

      I did some cursory Googling but found stuff that I'm not looking for (maps of the web and traceroutes hooked up to GeoIP lookups). Is there a resource that will show me the internet as a series of interconnected hops? Preferably with information on the connections between nodes that indicates the amount of traffic. I'm interested in the topography of the internet itself - not physically where hops are located.

      7 votes
    14. [SOLVED] Looking to debug a wifi issue, or possibly for a new wifi router

      EDIT: Crisis averted! The problem was with the modem and not the devices connecting to it. I'm not sure why the first person I called at the ISP couldn't help me. In reality, the second person I called also didn't help, but something magically started working after talking with them a second time and rebooting the modem about 5 more times, so it turns out I don't need a new WiFi router at this time. That said, I will take these suggestions to heart, as I may be buying one anyway as a backup for when this inevitably happens again.

      TL;DR: I probably need a new wifi router and want one that isn't malware and will work even if the company I bought it from goes under or stops making it.

      Long version:
      So today my wifi stopped working. I use an Apple Airport Extreme (the tower one that has a Time Machine backup in it). I've had it for 5 or 10 years and it's worked fine during that time, other than replacing the hard drive it backs up to. My spouse and I were sitting on the couch after lunch surfing the web on our phones, when we suddenly couldn't reach anything. The router itself appears fine. We can connect to it and see other devices that are connected to it, but for some reason, it's no longer communicating with the cable modem via the WAN port. It still backs up the computers in our house, though. I have tested the cable that was connecting it to the cable modem, and it appears fine. I can connect my computer directly to the cable modem without issue using the same cable. So my guess is that the WAN port is hosed.

      However, I'm suspicious that something else is going on for 2 reasons. #1, the cable company (Spectrum) made me replace my cable modem last week. I did that, got my Airport connected to it, and after a call to tech support got it up and running. It's been working for the past week. I suspect the modem may have updated or changed configuration without me knowing it and that's the real cause here. They sent me a Wifi router with the modem, but will charge me $5.00/month if I keep it. I'd rather own the hardware. #2, I have an older Airport Express that was working the last time I used it. I replaced it with the newer model about 5 years ago so I could do backups. It fails to work in the same way. It seems like the WAN port isn't communicating with the cable modem. So, if there's some way to verify that the WAN ports on my Airports are or aren't working, I'd be interested to hear about it.

      I am able to connect a wired ethernet switch to the cable modem and all devices on the switch can see the Internet just fine. I tried connecting both Airports to the switch via their WAN ports while the switch was connected to the cable modem, but that did not work. (Or at least, I couldn't connect to the internet via either Airport.)

      So, on the off-chance that both my Airports have a similar failure, I need to replace them. I have gotten suggestions from others, but have been pretty unhappy with them. I have the following requirements:

      • Absolutely must not store any information about me in the cloud (for example as Ubiquiti apparently does)
      • Absolutely must not rely on any sort of connection to the manufacturer to work properly and must not phone home without my permission
      • Preferably not a poorly made device that will die in 3 years
      • Must work properly and at full speed with Apple devices
      • Must not require a phone app to configure
      • Must have ~3 ethernet ports so I can hardwire in my TV devices (AppleTV, TiVo, etc.)

      Things I don't need, but aren't a deal-breaker if it has it:

      • The ability to configure every little setting. I prefer to set it and forget it.
      • Mesh networking. My house is not huge, the cable modem is in the middle of the house and my single Airport base station has good coverage of the entire house.

      If you know of any device like this, please share!

      7 votes
    15. Friday Security Briefing

      Friday Security Briefing

      Hello there! I hope you're all looking forward to something this weekend. Today's briefing will cover a captivating tale of scheming against financial centers, woes of virtual networking, and the possibility of Russia behaving quite unnecessarily.

      "Listen, or your tongue will make you deaf." ~ Unattributed proverb


      Wall Street targeted by new Capital Call investment email scammers

      The tactic of exploiting enterprise email systems remains a successful and active attack vector for bad actors. The emerging development is the use of a "capital call" style scam, wherein scammers pretend to have investor or insurance business with the business.

      "In an example shared by the researchers, the scam email attached a Capital Call Notice for US $970,357.00 to be deposited into a bank account under the fraudsters’ control."

      "If the targeted investor was duped into wiring the funds, then it is likely that money would be quickly moved into other accounts and withdrawn by mules to prevent the payment from being returned to the victim."

      The flexibility that cryptocurrencies provide to discreetly rearrange money may actually be disadvantageous for banks in certain situations.

      Source: Tripwire, Wall Street targeted by new Capital Call investment email scammers



      High severity Linux network security holes found, fixed

      (CVE-2021-26708) Alexander Popov of London has discovered five security holes in the Linux kernel's virtual socket implementation. This is concerning; my personal use of virtual networking systems could be a lot more thought out. I do tend to keep my use of libvirt to a minimum but ideally I would be running my virtualization workstation on a separate box optimized for safe practices.

      "These holes entered Linux when virtual socket multi-transport support was added. This networking transport facilitates communication between virtual machines (VM) and their host. It's commonly used by guest agents and hypervisor services that need a communications channel that is independent of the VM network configuration. As such, people who are running VMs on the cloud, which is pretty much everyone these days, are especially vulnerable."

      Source: ZDNet, High severity Linux network security holes found, fixed



      Ukraine: DDoS attacks on govt sites originated from Russia

      Ukraine is proposing that information on the threat actors responsible for a DDoS on Ukrainian government websites originated from Russian domains.

      However, they did not claim that the threat actors were affiliated with the Russian state.

      I am curious about the motivations if this was sanctioned by Russia. Are they testing their capabilities against a softer target in order to learn from the European and American Cyber-Defense response? Perhaps this was a way for Russia to demonstrate its competency at cyber warfare.

      "The National Coordination Center for Cybersecurity (NCCC) at the NSDC states that these DDoS attacks have been massive and have targeted government websites in the defense and security sector."

      Possible retaliation?

      "Last week, news leaked that Ukrainian law enforcement, in cooperation with the US and French police, arrested alleged Egregor ransomware operation members.

      Three days later, the Security Service of Ukraine (SBU) issued a press release about the Egregor arrests and seizing the ransomware group's equipment."

      Source: Bleeping Computer, Ukraine: DDoS attacks on govt sites originated from Russia


      8 votes