• Activity
  • Votes
  • Comments
  • New
  • All activity
  • Showing only topics with the tag "networking". Back to normal view
    1. Router recommendations in 2022

      Hello everyone, I'm going to move to a new apartment and doing full time home office while my wife is doing part home office, so I'm looking to improve my internet connectivity. I already plan to...

      Hello everyone, I'm going to move to a new apartment and doing full time home office while my wife is doing part home office, so I'm looking to improve my internet connectivity. I already plan to get the 400 mbps down fiber cable plan. So, I have to be honest that routers is one of those topics that I should know more than I should but don't, so I'm not sure what should I expect and the features I want or don't need.

      Some time ago, I discovered and bookmarked the amazing website smallnetbuilder which at the time I thought, I would just trust his thorough reviews and choose the best router within my budget. Sadly, the website seems abandoned now, so I'm not sure if there is something new on the market or if the routers on his "Best" rank, are still valid options. By the way, I don't really game online.

      My requirements are:

      • 150€ budget, but willing to go to 200€ if really worth it;
      • Mesh compatibility, just in case I need it in the future;
      • Hopefully very low packet loss maybe 0-0.5%;
      • Compatibility/support with open source firmware;
      • Maybe VPN support (not sure, if worth it);
      • 2.5Gb LAN ports would be nice for future-proofing, but I think this is not possible without going over the budget;
      • Something that I don't know and never heard about, but you would really recommend it to me :).

      After a first glance, the Asus RT-AX58U looks nice. Just not sure about only having two 5GHz streams and no LAN port aggregation.

      Bonus dumb question(s) (sorry): Will all the routers work with my ISP modem? Or is it normal to always check with the ISP first before buying?

      9 votes
    2. Looking for >1Gb/s networking hardware

      I recently got my home internet upgraded to 10 Gb/s. I currently have the following hardware: 10 Gb/s fiber modem (from the ISP) 1 Gb/s ASUS combo router/AP/switch (needs replacement) 2.5 Gb/s 4...

      I recently got my home internet upgraded to 10 Gb/s. I currently have the following hardware:

      • 10 Gb/s fiber modem (from the ISP)
      • 1 Gb/s ASUS combo router/AP/switch (needs replacement)
      • 2.5 Gb/s 4 port switch (not currently in use)
      • 5 Gb/s USB C ethernet adapter

      My ASUS router is the bottleneck in my current setup. My actual internet speeds are more in the 2-5 Gb/s range when plugged directly into the modem. So I'd be happy if I can get 2.5 Gb/s hardware between my laptops and the modem. That makes my existing ASUS router the bottleneck and in need of replacement. Is there a good, relatively cheap, standalone router (no switch or AP) I can build/buy that supports >1Gb/s speeds? Or is there a good all-in-one solution that isn't way too expensive? I'd honestly prefer to have different components each doing just one job.

      I already tried hooking the switch into the modem directly to see what happens. Under that configuration only one device plugged into the switch has internet access.

      12 votes
    3. Looking for a good map of the internet

      I did some cursory Googling but found stuff that I'm not looking for (maps of the web and traceroutes hooked up to GeoIP lookups). Is there a resource that will show me the internet as a series of...

      I did some cursory Googling but found stuff that I'm not looking for (maps of the web and traceroutes hooked up to GeoIP lookups). Is there a resource that will show me the internet as a series of interconnected hops? Preferably with information on the connections between nodes that indicates the amount of traffic. I'm interested in the topography of the internet itself - not physically where hops are located.

      7 votes
    4. Synology NAS Recommendations & Questions

      Hey everyone! Sorry if this is a long post, but I've done my research and I would like to make a few questions. I've decided that I would like to buy a NAS mainly to storage all of my documents,...

      Hey everyone!

      Sorry if this is a long post, but I've done my research and I would like to make a few questions.

      I've decided that I would like to buy a NAS mainly to storage all of my documents, photos and videos, so that, I can access them from multiple devices and also use it to upload important documents to Backblaze B2. Then, I've actually discovered that I can install a few Docker containers and I could use it as a media server (Jellyfin) and serve the content to my Apple TV (neat!).

      I considered a QNAP (better hardware for the price) but everyone recommends Synology instead (because of the stronger security and better overall software), but to be honest, I'm not sure what should I get.

      My budget would be to buy a NAS (without counting the disks) below €1000. Ideally, €500-600 but I don't mind stretching to the €700 mark, if it is really worth it.

      Spoiler alert: I think, it should be the DS920+ (4-bay) or the DS1520+ (5-bay). I think a NAS above 4-bay is better for future-proofing.

      Looking here in Germany at price comparators, I could buy the DS920+ for €663 and the DS1520+ for €750. But these prices seem to be at an all-time high :(


      Questions & Assumptions:

      0. I'm not sure if the price difference of about €100 is worth the premium to get the 5-bay model. There are only two differences between these two models: The 5-bay has one extra slot, and it has 4x 1 Gbe LAN ports instead of 2x 1 Gbe. All the rest is the same. What is your opinion?

      1. I've read that if you run a few containers (~10) it consumes quite a bit of RAM (~3 Gb), so it should be ideal to have at least 8 Gb. This is the reason I've said that I think I can only choose the DS920+ or DS1520+. Looking at official Synology resellers, these models, seem to come already with 8 Gb, and they are within my budget. Is my research wrong?

      2. These two models, have an encryption engine. I think this is necessary to encrypt my files before sending them to Backblaze, or?

      3. A lot of people seem to say to simply pick Synology's hybrid RAID setup called SHR-1 or SHR-2. I would go the easy way here and pick one of those two. Would you think that is a bad idea, and it is better to pick a specific (standard) RAID? I've read about the long long long RAID rebuild that could happen in some situations, and picking the "right" RAID could decrease the rebuild in days (or weeks!!!!).

      4. In case, I choose a NAS model with Nvme cache slots, most people say it is not worth it to use if you are not running Virtual Machines and the SSD’s "burn" really fast. I have no interest on VMs.

      5. Most people say to pick an Enterprise (Server) HDD instead of a NAS HDD mainly because price is similar in some cases and Enterprise has longer life and warranty. I should also pick a CMR HDD which is helium filled. 5400 rpm would be preferable to 7200 rpm because of the noise. Sadly, all Enterprise HDD's and most of NAS HDD's are 7200 rpm. Is the noise difference that big? The NAS will be in our living room.

      6. Is 8 TB still the best cost per Terabyte?

      7. I was extremely sad to hear that the Hitachi hard drive division was bought by WD. I've had lots of misfortune with WD drives (and let's not forget the debacle with the SMR and CMR drives) and I would prefer not to give money to them, but, nevertheless, I'm still tempted to buy the Ultrastar drives that belonged to Hitachi. Does anyone know if WD kept the components, manufacturing processes, staff, etc., that made these brilliant disks?

      8. Following the HDD topic, what is your experience with Seagate or Toshiba drives?

      9. These two NAS models have the same Intel Celeron CPU, which supports hardware transcoding. To be honest, I don't know in which cases would that happen. It seems if I use Infuse on the Apple TV it would never transcode (and instead direct play) because Infuse would do the transcoding in software. Should I take in account that hardware transcoding is a must-have or a nice-to-have?

      10. Would you recommend having a CCTV system connected to the NAS? Should I dedicate one entire HDD just for the NVR system? Would a standalone NVR device be better?

      11. My last question is: Should I just wait for the new model of the DS920+ or DS1520+? The 20 means it was launched in 2020 (in Summer specifically) and it seems Synology refreshes the model every two years., that means, a new model would be available in Summer this year. Most people say it is not worth the wait because Synology is very conservative in its model updates/refreshes. People are saying that a better CPU will be of course available (do I even need that for my use cases?) and probably upgrade the 1 Gbe LAN ports to 2.5 Gbe or 10 Gbe (10 Gbe I really doubt it). I've read that a 4K stream does not fill a 1 Gbe bandwidth, and you could theoretically have three 4K streams in a single 1 Gbe connection. If all else fails, I could just do a link aggregation of the two ports to be 2 Gbe, or?

      12. Anything I'm forgetting? Should I be careful with something in particular?


      I know I should buy a UPS too, but I think I'll create a separate post regarding this topic because I would also want a recommendation regarding a UPS for my other devices.

      I know that I could actually build my own NAS and use Unraid for the OS. Furthermore, I'm just at a time in my life with too much on my plate (baby and small child) and having something that just works is preferable. When they are older and more independent, I'll have more time to investigate this option :)

      Again, sorry for the long post. Thank you everyone!

      12 votes
    5. Friday Security Briefing

      Friday Security Briefing Hello there! I hope you're all looking forward to something this weekend. Today's briefing will cover a captivating tale of scheming against financial centers, woes of...

      Friday Security Briefing

      Hello there! I hope you're all looking forward to something this weekend. Today's briefing will cover a captivating tale of scheming against financial centers, woes of virtual networking, and the possibility of Russia behaving quite unnecessarily.

      "Listen, or your tongue will make you deaf." ~ Unattributed proverb


      Wall Street targeted by new Capital Call investment email scammers

      The tactic of exploiting enterprise email systems remains a successful and active attack vector for bad actors. The emerging development is the use of "capital call" style scam, wherein scammers pretend to have investor or insurance business with the business.

      "In an example shared by the researchers, the scam email attached a Capital Call Notice for US $970,357.00 to be deposited into a bank account under the fraudsters’ control."

      "If the targeted investor was duped into wiring the funds, then it is likely that money would be quickly moved into other accounts and withdrawn by mules to prevent the payment from being returned to the victim."

      The flexibility that cryptocurrencies provide to discreetly rearrange money may actually be disadvantageous for banks in certain situations.

      Source: Tripwire, Wall Street targeted by new Capital Call investment email scammers



      High severity Linux network security holes found, fixed

      (CVE-2021-26708) Alexander Popov of London has discovered five security holes in the Linux kernel's virtual socket implementation. This is concerning, my personal use of virtual networking systems could be a lot more thought out. I do tend to keep my use of libvirt to a minimum but ideally I would be running my virtualization workstation on a separate box optimized for safe practices.

      "These holes entered Linux when virtual socket multi-transport support was added. This networking transport facilitates communication between virtual machines (VM) and their host. It's commonly used by guest agents and hypervisor services that need a communications channel that is independent of the VM network configuration. As such, people who are running VMs on the cloud, which is pretty much everyone these days, are especially vulnerable."

      Source: ZDNet, High severity Linux network security holes found, fixed



      Ukraine: DDoS attacks on govt sites originated from Russia

      Ukraine is proposing that information on the threat actors responsible for a DDoS on Ukrainian government websites originated from Russian domains.

      However, they did not claim that the threat actors were affiliated with the Russian state.

      I am curious about the motivations if this was sanctioned by Russia. Are they testing their capabilities against a softer target in order to learn from the European and American Cyber-Defense response? Perhaps this was a way for Russia to demonstrate it's competency at cyber warfare.

      "The National Coordination Center for Cybersecurity (NCCC) at the NSDC states that these DDoS attacks have been massive and have targeted government websites in the defense and security sector."

      Possible retaliation?

      "Last week, news leaked that Ukrainian law enforcement, in cooperation with the US and French police, arrested alleged Egregor ransomware operation members.

      Three days later, the Security Service of Ukraine (SBU) issued a press release about the Egregor arrests and seizing the ransomware group's equipment."

      Source: Bleeping Computer, Ukraine: DDoS attacks on govt sites originated from Russia


      8 votes
    6. How reliable is IP ownership information?

      I have interactive firewalls like OpenSnitch running on most of my desktop OS's. I like to see what is going on with my machines' network connections to learn about networking, infosec, and to...

      I have interactive firewalls like OpenSnitch running on most of my desktop OS's. I like to see what is going on with my machines' network connections to learn about networking, infosec, and to have have some peace of mind.

      Example workflow:

      1. Get a firewall notification of a new incoming connection to some process running on my machine
      2. If no DNS entry exists and only the IP address is provided, then I google the IP
      3. I find something like https://ipinfo.io/74.125.20.189
      4. I make a decision as to whether allow/deny based on the ownership info which I found in step 3.

      Aside from trusting the particular site presenting the ownership info, how reliable is this information regarding IP ownership?

      For example, if an IP came back as "Google" could it really be a GCP instance running a command and control server?

      Another example, I know that large corps own big blocks of IPv4, but they must lease these IP's out to whomever, right? I imagine there is some wild-west market for these with little accountability?

      Are either of these scenarios realistic? If so, is my entire workflow for "do I trust this IP" pointless?


      edit: btw, I used to catch and deny incoming connections from *.ru to the Windows legacy Skype client all the time. I cannot think of any non-evil reason why that should have been happening. That particular series of events is what really validated me doing this. If you can think of a non-evil reason for any incoming connections to skype from *.ru, please let me know.
      5 votes
    7. Accidentally Solving Access Point Roaming Issues.

      I'm sharing in case some of you are having a similar issue at work or at home, and to hear your opinion and/or similar stories! I've been using Ubiquiti access points in my home for a few years...

      I'm sharing in case some of you are having a similar issue at work or at home, and to hear your opinion and/or similar stories!

      I've been using Ubiquiti access points in my home for a few years now, and overall, they've worked very well. 3 APs giving near perfect 5GHz VHT80 coverage on DFS channels. LAN transfers are about 600-650mbit on laptops, which has proven to be plenty for wireless clients in my home. Keep in mind that this is a pretty basic setup... besides the APs, there's just the ISP provided GPON ONT which is also a typical all-in-one ISP solution (router, switch, AP, firewall, DHCP server...) with it's Wi-Fi turned off.

      As I said, I was pretty happy with the results, however there was one feature that I could never get to work just right; roaming. You could be walking around the house watching a live stream and the stream would pause for 5-8 seconds until the roaming transition was over. Strangely, with VoIP calls, roaming would be about 3-5 seconds. Even enabling fast roaming features (which I believe is simply 802.11r) on the AP's controller would not give the results I was looking for. After days of tweaking TX power settings, channel selection and trying to implement Minimum RSSI (which I ended up not using), I finally gave up and resigned myself to the 4-6 seconds (oh, the humanity) of roaming time.

      Fast forward to about two months ago and I added a new router to the setup (UBNT ER-4) and a switch (UBNT USW-24). Setup went smooth, already had some cat.6 cabling around the house, now it was time to actually use it. Had some fun setting up a guest Wi-Fi network on it's own VLAN, which was always a concern of mine; having "untrusted" devices connect to my network. The access points do client isolation on guest networks by default, but in my mind it wasn't enough as I have some file servers and time machines on the network.

      Anyways, a few days after doing the setup I'm walking around the house with a livestream on my mobile and suddenly realize that it's not losing the connection. I try with a VoIP call and it worked flawlessly. I start walking around faster and still, the phone is roaming without an issue. I was very excited!

      I'm thinking it must be the router that somehow solved the roaming issue. My first theory was that the DHCP server on the ER-4 was doing it's thing much faster than the ISP's device, allowing the wireless clients to actually roam faster. So I do a web search and I find some very relevant info. It was a thread on a forum and reddit thread with a sysadmin that was about to give up on the APs because of roaming issues. In both threads, there were replies about what switch were they using.

      Apparently, some switches (Cisco and HP were mentioned), have a "MAC aging" interval setting which is way too high by default, or they simply have bugged firmware that doesn't allow the switch to "re-learn" the MAC address of a device on a different switch port. I assume that ISP provided "el-cheapo" gear has similar issues.

      So, if you're having roaming issues with your wireless clients, check your switches!!!

      Anyways, just wanted to share this story. Thank you for reading. :-)

      10 votes
    8. Two-factor authentication for home VNC via Signal

      For my particular use case I share my home PC with my spouse and since I'm the more tech-savvy of the two I'll need to occasionally remote in and help out with some random task. They know enough...

      For my particular use case I share my home PC with my spouse and since I'm the more tech-savvy of the two I'll need to occasionally remote in and help out with some random task. They know enough that the issue will usually be too complex to simply guide over the phone, so remote control it is.

      I'm also trying to improve my personal efforts toward privacy and security. To that end I want to avoid closed-source services such as TeamViewer where a breach on their end could compromise my system.

      The following is the current state of what I'm now using as I think others may benefit from this as well:

      Setup

      Web

      I use a simple web form as my first authentication. It's just a username and password, but it does require a web host that supports server side code such as PHP. In my case I just created a blank page with nothing other than the form and when successful the page generates a 6 digit PIN and saves it to a text file in a private folder (so no one can simply navigate to it and get the PIN).

      I went the text file route because my current hosting plan only allows 1 database and I didn't want to add yet another random table just for this 1 value.

      Router

      To connect to my home PC I needed to forward a port from my router. I'm going to use VNC as it lets me see what is currently shown on the monitor and work with someone already there so I forward port 5900 as VNC's default port. You can customize this if you want. Some routers allow you to SSH into their system and make changes that way so a step more secure would be to leave the port forward disabled and only enable it once a successful login from the web form is disabled. In my case I'll just leave the port forwarded all the time.

      IP Address

      To connect to my computer I need to know it's external IP address and for this I use FreeDNS from Afraid.org. My router has dynamic DNS support for them already included so it was easy to plug in my details to generate a URL which will always point to my home PC (well, as long as my router properly sends them my latest IP address). If your router doesn't support the dynamic DNS you choose many also allow either a download or the settings you would need to script your own to keep your IP address up to date with their service.

      Signal

      Signal is an end-to-end encrypted messenger which supports text, media, phone and video calls. There's also a nifty command line option on Github called Signal-cli which I'm using to provide my second form of authentication. I just downloaded the package, moved to my $PATH (in my case /usr/local/bin) and set it up as described on their README. In my case I have both a normal cell phone number and another number provided by Google Voice. I already use my normal cell phone number with Signal so for this project I used Signal-cli to register a new account using my Google Voice number.

      VNC

      My home PC runs Ubuntu 18.04 so I'm using x11vnc as my VNC server. Since I'm leaving my port forwarded all the time I most certainly do NOT want to leave VNC also running. That's too large a security risk for me. Instead I've written a short bash script that first checks the web form using curl and https (so it's encrypted) with its own login information to check if any PIN numbers have been saved. If a PIN is found the web server sends that back and then deletes the PIN text file. Meanwhile the bash script uses the PIN to start a VNC session with that PIN as the password and also sends my normal cell the PIN via Signal-cli so that I can login.

      I have this script set to run every minute so I'm not waiting long after web login and I also have the x11vnc session set to timeout after a minute so I can quickly connect again should I mess something up. It's also important that x11vnc is set to auto exit after closing the session so that it's not left up for an attacker to attempt to abuse.

      System Flow

      Once everything is setup and working this is what it's like for me to connect to my home PC:

      1. Browse to my web form and login
      2. Close web form and wait for Signal message
      3. Launch VNC client
      4. Connect via dynamic DNS address (saved to VNC client)
      5. Enter PIN code
      6. Close VNC when done

      Code

      Here's some snippets to help get you started

      PHP for Web Form Processing

      <?php
      // Variables
      $username = 'your_username';
      $password = 'your_password_super_long_and_unique';
      $filename = 'path_to_private_folder/vnc/pin.txt';
      
      // Process the login form
      if($action == 'Login'){
      	$file = fopen($filename,'w');
      	$passwd = rand(100000,999999);
      	fwrite($file,$passwd);
      	fclose($file);
      	exit('Success');
      }
      
      // Process the bash script
      if($action == 'bash'){
      	if(file_exists($filename)){
      		$file = fopen($filename,'r');
      		$passwd = fread($file,filesize($filename));
      		fclose($filename);
      		unlink($filename);
      		exit($passwd);
      	} else {
      		exit('No_PIN');
      	}
      }
      ?>
      

      Bash for x11vnc and Signal-cli

      # See if x11vnc access has been requested
      status=$(curl -s -d "u=your_username&p=your_password_super_long_and_unique&a=bash" https://vnc_web_form.com)
      
      # Exit if nothing has been requested
      if [ "$status" = "No_PIN" ]; then
        # No PIN so exit; log the event if you want
        exit 0
      fi
      
      # Strip non-numeric characters
      num="${status//[!0-9]/}"
      
      # See if they still match (prevent error messages from triggering stuff)
      if [ $status != $num ]; then
        # They don't match so probably not a PIN - exit; log it if you want
        exit 1
      fi
      
      # Validate pin number
      num=$((num + 0))
      if [ $num -lt 100000 ]; then
        # PIN wasn't 6 digits so something weird is going on - exit; log it if you want
        exit 1
      fi
      if [ $num -gt 999999 ]; then
        # Same as before
        exit 1
      fi
      
      # Everything is good; start up x11vnc
      # Log event if you want
      
      # Get the current IP address - while dynamic DNS is in place this serves as a backup
      ip=$(dig +short +timeout=5 myip.opendns.com @resolver1.opendns.com)
      
      # Send IP and password via Signal
      # Note that phone number includes country code
      # My bash is running as root so I run the command as my local user where I had registered Signal-cli
      su -c "signal-cli -u +google_voice_number send -m '$num for $ip' +normal_cell_number" s3rvant
      
      # Status was requested and variable is now the password
      # this provides a 1 minute window to connect with 1-time password to control main display
      # again run as local user
      su -c "x11vnc -timeout 60 -display :0 -passwd $num" s3rvant
      

      Final Thoughts

      There are more secure ways to handle this. Some routers support VPN for the connect along with device certificates which are much stronger than a 6 digit PIN code. Dynamically opening and closing the router port as part of the bash script would also be a nice touch. For me this is enough security and is plenty convenient enough to quickly offer tech support (or nab some bash code for articles like this) on the fly.

      I'm pretty happy with how Signal-cli has worked out and plan to use it again with my next project (home automation). I'll be sure to post again once I get that ball rolling.

      13 votes
    9. Why are so many websites (and CDNs) IPv4 only?

      One of the people in an IRC channel I frequent pointed out a site I've been building uses CDNs that are IPv4 only. I never realized this, I just assumed every major provider had deployed IPv6. Oh,...

      One of the people in an IRC channel I frequent pointed out a site I've been building uses CDNs that are IPv4 only. I never realized this, I just assumed every major provider had deployed IPv6. Oh, how very wrong I was. A quick check of some major (to me) sites shows a shocking lack of IPv6, including:

      • Bootstrap (stackpath.bootstrapcdn.com)
      • Discord
      • FontAwesome (use.fontawesome.com)
      • GitHub/GitHub pages
      • GitLab/GitLab pages (self-hosted supports IPv6, but officially hosted GitLab only supports IPv4 due to Azure limitations)
      • jQuery, IF you use code.jquery.com (some tutorials use ajax.googleapis.com, which does have IPv6, but an unfortunate amount use code.jquery.com, including the getting started page for Bootstrap)
      • Parts of Amazon/AWS (Amazon is IPv4 only, some of AWS is IPv4 only, including S3)
      • Reddit
      • Stack Overflow/Exchange/etc
      • Twitter

      An honorable mention goes to Angular's websites because the websites themselves are IPv4 only but the libraries are hosted on ajax.googleapis.com, which is IPv6 accessible. I checked npm, PyPI, RubyGems, and Tildes, and they all support IPv6.

      I can understand why companies like Amazon have partial support (upgrading can be a PITA if you're a cloud service provider with uptime requirements), but then you have services like Discord (launched in 2015 with no obligation to maintain service) that only support IPv4. At the very least, I'd expect CDNs referenced by thousands (if not millions) of webpages to be on IPv6 by now.

      Am I missing something? CDNs are pretty static, it's just a matter of choosing one that supports IPv6, you don't even need to update your application if you just change the DNS entries.

      13 votes
    10. Full blown SSH servers within Docker containers?

      Trying to get a sense on how the networking would go down? If I had one public IP address and say 4 Docker containers on the host, how would the SSH connections work? Would I have to reserve ports...

      Trying to get a sense on how the networking would go down?

      If I had one public IP address and say 4 Docker containers on the host, how would the SSH connections work? Would I have to reserve ports for each container?

      7 votes
    11. Does anyone have tips or tricks for self studying / preparing to get a CCNA?

      Hey everyone, I've decided to start studying to get my CCNA. My books are showing up Monday and I'm really excited. I'm going to shoot for self studying and prep for the testing. I think I can do...

      Hey everyone, I've decided to start studying to get my CCNA. My books are showing up Monday and I'm really excited.

      I'm going to shoot for self studying and prep for the testing. I think I can do it as I've always thrived in a more self paced learning environment (I also have no money for the classes).

      I'm just wondering if anyone has any tips, supplemental material, etc they could recommend? What was hardest for you and what was easiest? What did you spend too much time studying and what didn't you spend enough time on?

      6 votes