Network Engineering

All things enterprise network engineering, design, and architecture.

Rules

  1. No low effort posts
  2. No home networking topics
  3. No memes
Members: 629
Posts: 8
Active Today: 1
Created: 2 yr. ago
  • Network Engineering @infosec.pub
    Steamymoomilk @sh.itjust.works

    Help with iptables, using NixOS to set up a WireGuard server for friends

    cross-posted from: https://sh.itjust.works/post/32918493

    cross-posted from: https://sh.itjust.works/post/32918427

    Hello,

    Recently, I've been interested in self-hosting various services after coming across Futo's "How to Self Host Your Life Guide" on their Wiki. They recommend using OpenVPN, but I opted for WireGuard instead as I wanted to learn more about it. After investing many hours into setting up my WireGuard configuration in my Nix config, I planned to replace Tailscale with WireGuard and make the setup declarative.

    For context, this computer is located at my residence, and I want to be able to VPN into my home network and access my services. Initially, it was quite straightforward; I forwarded a UDP port on my router to my computer, which responded correctly when using the correct WireGuard keys and established a VPN connection. Everywhere online suggests forwarding only UDP as WireGuard doesn't respond unless the corre

  • Network Engineering @infosec.pub
    driftWood @infosec.pub

    How does a computer create a 'Response' packet?

    Consider a Ping Request packet arriving on a computer with 2 NICs (multi-homed PC). The packet is received on 1 of the interfaces. Now the computer has to send the Ping Response packet. To fill the source IP and source MAC address the computer does which of the following?

    • Computer first determines which interface should be used as the egress interface by looking at the Destination IP address. Destination IP address was taken from source IP address field of Ping Request packet. Once it determines egress port, it will enter that interface's IP and MAC address in the Ping Response packet.
    • Computer takes the destination IP and MAC address of the Ping Request packet and just flips them over to fill source IP and MAC address in Ping Response packet.
  • Network Engineering @infosec.pub
    RedFox @infosec.pub

    Question: What do you use for configuration management?

    I've seen companies do all sorts of home grown things.

    One uses a spreadsheet that is just the configuration row by row; they turn it into a text file, copy it to startup, and reload.

    I have used git servers to do the same thing, but with obvious change tracking history of git.

    What real or home grown things are you using?

  • Network Engineering @infosec.pub
    RedFox @infosec.pub

    Question: Cisco SSL VPN or FlexVPN?

    Currently using an ISR4461x. Now 17.7+ supports SSL VPN.

    Should we learn FlexVPN or do SSL VPN?

  • Network Engineering @infosec.pub
    wop @infosec.pub

    Reacting to "It's the network" allegation

    So, every network engineer knows it: everyone else will blame the network and you have to prove them wrong.

    There are multiple reasons:

    • lack of knowledge
    • ignorance
    • passing on responsibility
    • laziness
    • ... There are more.

    I am interested in how you react to 'The network is causing the problems' requests.

    • do you request certain information?
    • need an explanation?
    • what are your first steps?
    • do you have a runbook or some policy in place?

    Without getting into too much detail, I request some or all of the following information before I start looking:

    • what are they trying to do? What is the desired outcome?
    • what is the error message? *(pref. a screenshot!)* + timestamp (for logs)
    • has it ever worked before?
    • since when isn't it working?
    • can you resolve domains?
    • Source Host > Destination Host:Port
    • Results of Ping + Powershell Test-NetConnection on Windows and Netcat on Linux (to test general connection, assuming TCP connection)

    What I ask for and in wh

  • Network Engineering @infosec.pub
    wop @infosec.pub

    'Networking' community is back

    Thanks to Jerry for bringing this community back to life. I'll be playing moderator for a while and may tweak the design a bit.

    Enjoy!

  • Network Engineering @infosec.pub
    wop @infosec.pub

    How do you find the bottleneck of a network?

    I am interested in your ways to identify a bottleneck within a network.

    In my case, I've got 2 locations, one in the UK, one in Germany. Hardware is Fortigates for FW/routing and switches are Cisco/HPE. Locations are connected through an IPsec VPN over the internet and all internet connections have at least a bandwidth of 100 Mbps.

    The problem occurs as soon as one client in the UK tries to download data via SSH from a server in Germany. The max download speed is 10 Mbps, and for the duration of the download the whole UK location has problems accessing resources through the VPN in Germany (Citrix, Exchange, SharePoint, etc.).

    I've changed some information for privacy reasons, but I'd be interested in your first steps on how to tackle such a problem. Do you have some kind of runbook that you follow? What are common errors that you encounter? (independently from my case too, just in general)

    EDIT: Current list

    • packet capture on client and server to check for packet loss, latency, etc.
  • Network Engineering @infosec.pub
    Hexorg @beehaw.org

    Managed switch works for Linux but not for u-boot?

    I had the weirdest of problems. Two computers communicating with each other over ping and TFTP works. When I boot one of them into U-Boot (a bootloader that supports TFTP boot) it can't ping nor load TFTP from the other machine, complaining about ARP timeouts.

    I swapped in a dumb switch - all works. Everything else (machines, cables) is the same. The managed switch is a Cisco switch and I have a serial console to it, but I'm not familiar with managing those switches - what feature is potentially blocking U-Boot's ARP packets?

    I've double-checked with tcpdump - the other machine never sees U-Boot's ARP packets, but does when the same board is booted into Linux. I've also checked Cisco's monitor event-trace arp continuous and it didn't print any packets, but it did say link status went from up to down to back up when I rebooted.

    Is there some sort of MAC filter on Cisco switches?