/r/networking


Enterprise Networking Design, Support, and Discussion.

Enterprise Networking --

Routers, switches, wireless, and firewalls. Cisco, Juniper, Arista, Fortinet, and more are welcome.

Enterprise Networking

Routers, Switches, Firewalls and other Data Networking infrastructure discussions welcomed.

New Visitors are encouraged to read our wiki.

This subreddit allows:

  • Enterprise & Business Networking topics such as:

    • Design
    • Troubleshooting
    • Best Practices
  • Educational Topics & Questions are allowed with the following guidelines:

    • Enterprise / Data Center / SP / Business networking related.
    • No homework topics without detailed and specific questions.
  • Networking Career Topics are allowed with the following guidelines:

    • Topics asking for information about getting into the networking field will be removed. This topic has been discussed at length; please use the search feature.
    • Topics regarding senior-level networking career progression are permitted.

This subreddit does NOT allow:

  • Home Networking Topics.

    • We aren't here to troubleshoot your "advanced" video game latency issues.
    • Home networks, even complex ones, are best discussed elsewhere, such as /r/homenetworking.
    • Home lab discussions, as a tool for learning & certifications, are welcomed.
    • Home lab hardware discussions, as in "what do I buy for a homelab", are not permitted.
  • Braindump / Certification Cheating.

    • These topics pollute our industry and devalue the hard work of others.
    • These posts will be deleted without mercy.
  • Blogspam / Traffic Redirection.

    • This sub prefers to share knowledge within the sub community.
    • Directing our members to resources elsewhere is closely monitored.
      -- You may share a URL to a blog that answers questions already in discussion.
      -- But harassing members to check out your content will not be tolerated.
    • Surveys may be approved with the moderators' permission.
  • Low-quality posts.

    • Any post that fails to display a minimal level of effort prior to asking for help is at risk of being locked or deleted.
    • We expect our members to treat each other as fellow professionals. Professionals research & troubleshoot before they ask others for help.
    • Please review "How to ask intelligent questions" to avoid this issue.
  • Early-Career Advice.
  • Homework.

    • We don't do your homework for you.
    • Don't ask us what we would buy for a given project.
    • Don't ask us how to subnet.
    • ELI5 questions are not permitted. Please use /r/explainlikeimfive instead.
    • Show us how you think you should solve those issues, and we will validate or offer enhancements to your initial attempt.
  • Political Posts.

    • This subreddit invites redditors from all around the globe to discuss enterprise networking.
    • Political posts tend to attract the wrong crowd and overly aggressive vocalization.
    • Topics that affect only one locale do not contribute to enterprise networking discussions.
  • ChatGPT/LLM Prompts.

    • Content produced by ChatGPT/LLMs is not permitted here.
    • ChatGPT is not a source of truth; rather, it is a word-projection model.
    • Discussions about ChatGPT and its impact on networking may be allowed.

    Recommended & Related Sub-Reddits:

    /r/NetworkingJobs
    /r/sysadmin
    /r/ITCareerQuestions
    /r/CSCareerQuestions
    /r/ccna
    /r/juniper
    /r/jncia
    /r/ccnp
    /r/jncis
    /r/ccdp
    /r/jncip
    /r/ccie
    /r/ccde
    /r/cisco
    /r/jncie
    /r/HomeNetworking
    /r/TechSupport
    /r/Network
    /r/ipv6
    /r/networkautomation
    /r/outages




    Rule #1: No Home Networking.

    Rule #2: No Certification Brain Dumps / Cheating.

    Rule #3: No BlogSpam / Traffic re-direction.

    Rule #4: No Low Quality Posts.

    Rule #5: No Early Career Advice.

    Rule #6: Homework / Educational Questions must display effort.

    Rule #7: No Political Posts.

    Rule #8: No ChatGPT/LLM Prompts.

    /r/networking

    328,144 Subscribers

    1

    3 network stacks, 3 WANs: pfSense IPsec S2S tunnels

    Howdy, I'm trying to connect three network stacks via pfSense IPsec tunnels. Currently banging my head against the wall. We have

    • Stack B
    • Stack P
    • Stack R

    (Yes they are in the same room, no we can’t connect them via cable, no I can’t explain :)

    B and P are connected via IPsec. B is the initiator and P is the responder, using port 500.

    I'm trying to connect R within this connection. I tried adding a second IPsec tunnel with P as initiator and R as responder. The setup settings are exactly the same as B->P. The pfSense version is the same, but the settings to click (menu) are different.

    PSK keys are the same. The lifetimes are respectively different for responder and initiator. I cycled through the Child Action for each; I tried Default, Initiate at start (VTI/Tunnel), Close connection and clear SA, etc.

    When I get to the portals I'll add more information.

    (We used this link to make the first B->P S2S: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html )

    Thanks to anyone in advance

    2 Comments
    2024/05/02
    17:51 UTC

    1

    Cradlepoint says Firmware Mismatch

    I updated my Cradlepoint E320-5GB from 3.10.07 to 3.14.10 and now it says Firmware mismatch.

    "* Warning: The firmware active on the modem is different than the version in the firmware store. Upgrade to resolve.

    ( 03.10.07.00_TMO,030.052_000, 03.14.10.01_TMO,030.083_000 )"

    It won't let me install the old firmware. Is there any way to delete a boot image or replace the modem firmware from the CLI?

    0 Comments
    2024/05/02
    17:22 UTC

    0

    Reset Adtran 611 ONT?

    I'm having trouble accessing the local GUI on an Adtran 611 to set the Registration ID. This unit was provisioned before, but the services were removed and the ONT deleted from the OLT.

    I have it connected to my laptop but it doesn't respond to pings and I can't access the local GUI at the default 192.168.0.1 address. If I pull a new ONT out of the box I have no trouble accessing the local GUI, so I'm assuming this one has retained some config from when it was last provisioned. I've tried every combination of pressing and holding the reset button that I can think of, but I can't get it to respond.

    Any ideas? I've been scouring the adtran docs for info on provisioning the 611 but I can't find anything aside from the quick start guide which only covers the physical installation.

    0 Comments
    2024/05/02
    16:23 UTC

    1

    Interference troubleshoot

    Hellooooooooo

    Situation is as follows. Cradlepoint IBR 600 on a mast located about 30 ft in the air (antenna). It's positioned at an airport for a camera system. I don't believe it matters, but the mount is plastic, not metal.

    We are experiencing interference. Zero issue with signal strength; it just so happens to derp out too often for our clients.

    I'm guessing upgrading to 5G is the solution, but if we can swap to a better antenna or even a directional antenna, that would be the preferred route.

    Currently we are using an RF Max Rbdm g55ww 2 sssrr antenna.

    I come from the upfitter world and I've always used Airgain MultiMax antennas. Would an omnidirectional like that help at all? Or say screw it and find a directional?

    Other things to consider on the building side? No matter where they place the trailer it always has full strength, with random interference. To the best of my knowledge it really boils down to too much background from all the devices at the airport rather than a Wi-Fi issue.

    Amusing side note: our client is outsourcing managing the system to India. This is the first time I've given India tech support and not the other way around 🤣

    Thanks in advance!

    5 Comments
    2024/05/02
    16:16 UTC

    3

    Help identifying external WiFi antenna

    Stumbled across this external antenna at a Starbucks in southern CA this morning. It's connected to a Meraki MR76 on the other side of the wall. Anyone know the make and model of the antenna? I have a project that this would be a great fit for, at least aesthetically!

    Picture

    2 Comments
    2024/05/02
    16:14 UTC

    2

    Recommendations for small business Infrastructure

    Hi all,

    So I just moved to a new small-sized company that has 20+ locations. I say small, but the nature of the business has us serving thousands of devices.

    Anyways the current solution is composed of a firewall serving DHCP and basic FW applications. This leads into switches that are 6+ years old.... I'm both impressed that they are still running and scared of their eventual demise.

    I'm preparing some investigations to present to the directors however there are so many solutions nowadays that its a lot of work to demo them all. So I thought reddit could help.

    Essentially my requirements are the below:

    - Cloud access (prevent running around between locations for simple port changes)

    - CLI access (I see some companies are locking this down with their CDN solutions)

    - VERY cost effective (I know, hard to find, but the IT fund bucket isn't deep)

    - Wireless solutions if possible for CCTV / security (this is a loose condition)

    My current short list is HPE Aruba / LanComm / TP-Link.

    2 Comments
    2024/05/02
    15:52 UTC

    4

    Switch not learning MAC addresses on a certain trunk

    I've got an annoying situation. I've got a problem between 2 switches: a core switch and an access switch.

    The core switch isn't learning the MAC addresses that come from the access switch. It is learning the MAC addresses of a second access switch.

    Configuration of the 2 access switches is the same. Configuration of LACP and the trunk is the same on all ends.

    Does anybody have any tips on where I can look next? I've absolutely no idea what is causing this problem.

    Edit: I forgot to add that from the core I can ping devices behind the access switch. I then check the MAC address table and the MAC isn't there. No MAC addresses are there from the trunk used to connect to the access switch.

    4 Comments
    2024/05/02
    15:22 UTC

    0

    ISP router messing up my entire network

    I have a UniFi network: USG as a router, edge switch, VLANs. Got a new ISP and plugged it into the USG (alone or with the other ISP, because the USG supports two ISPs with network balancing or failover). And my entire network just crashes: access points not accepting users, network up and down. Then I unplug the ISP and voila, everything is fine again.

    This thing is driving me crazy; no one can work!!

    21 Comments
    2024/05/02
    14:44 UTC

    23

    Can you explain VLAN to me based on these real-life examples?

    I've been working in IT for 4 years but never in a networking role.

    At my last job, whenever we had printer or phone issues, I would contact our Network team and oftentimes they would have to put the device on a special VLAN. I remember our engineer saying "this wasn't on the printer VLAN", and then he would ask me which switch port the printer was patched into, and then make a change on his end.

    What did he mean by this, and what did he do? What is going on behind the scenes?

    At my current job, we ran into an issue where we ran out of IPs (all 255 used) so our engineer "made" another VLAN with a similar IP (172.168.10.xxx vs 172.168.11.xxx) to give us an additional 255 IPs to be used.

    Can anyone explain in a user-friendly way what our engineer did to create a new VLAN and open up those IPs? I vaguely remember him mentioning changing the subnet from 255 to 252 as well.

    Thanks!

    56 Comments
    2024/05/02
    13:22 UTC

    1

    Ideal WiFi network type for p2p.

    I'm working on a project where two rpi zero 2 will communicate over wifi. There will be no router so communication has to be either one as an access point or both ad-hoc. The most important aspects (in descending priority) are that they must be reliable (especially when connecting), long range (roughly 100m) and low latency. Is simply putting them in ad hoc mode the ideal setting? Or should I set one up as AP and other as client?

    15 Comments
    2024/05/02
    13:20 UTC

    2

    OLT MA5800-X17 isn't sending PON data to PRTG

    Hi.

    We have recently configured our MA5800-X17 OLT to send data to our PRTG through SNMP trap. The OLT Uptime is working as intended and it is sending proper data to the PRTG, but the PON data isn't being sent correctly.

    I created the 64 PON sensors three days ago, but the sensors still show "no data since initialization".

    I used the following commands to configure SNMP:

    snmp-agent sys-info version v1
    snmp-agent community read NAME_HERE
    snmp-agent target-host trap-pa NAME_HERE v1 security CIPHER_HERE
    snmp-agent target-host trap-hostname NAME_HERE address ADDRESS_HERE trap-par CIPHER_HERE

    (community name, address and cipher not disclosed for security reasons)

    Do I still have to configure something else?

    To ensure it was not because there wasn't any ONU in any of the PON ports, I placed and configured one and the PON LED on the OLT is lit but still no luck

    Thanks in advance!

    0 Comments
    2024/05/02
    12:40 UTC

    0

    Guest Wi-Fi management with WPA2 PSK

    There are many solutions in the market offering splash page based guest management, but I would like to avoid having an open network due to security/privacy concerns. I would like to have dedicated guest WPA2 keys managed by some sort of tool, but couldn't find anything. Has anyone of you solved similar challenge?

    13 Comments
    2024/05/02
    12:33 UTC

    1

    Monitoring and 95th percentile billing for small ISP

    I'm looking for advice / recommendations on tools, or a complete out-of-the-box solution if there is any, for a small ISP (mostly Juniper MXs and some Ciscos): monitoring the network, fault management, performance metrics, topology mapping. I also need a 95th percentile billing tool to bill customers, with the possibility of customers accessing their 95th percentile usage.

    Any recommendations, what are you guys using?

    Thanks.

    5 Comments
    2024/05/02
    11:41 UTC

    1

    Low power consumption switches or routers

    Hi guys,

    I need to set up a new little PoP in a DC which is giving me a max of 200W of power. In similar situations I usually put a couple of Catalyst 3850s in a stack config for production traffic and a 3750 for management. This build consumes around 295W.

    Do you have a suggestion on what I can put in this 5 rack unit space that consumes less than 200W? I can use MLAG instead of StackWise. What I need are at least 12 10Gbps ports on the production switch and a couple of 1Gbps ports for management (routed or switched ports is not a constraint).

    PSUs have to be AC, and I'll use SFP+ with optical patches, no copper. Thanks in advance!

    (edited to specify sfp)

    7 Comments
    2024/05/02
    10:20 UTC

    11

    Does anyone know the legality of reselling used networking equipment as a 3rd party? I'm curious because my boss is sure that networking equipment is considered a "data bearing device". While this is true in some cases, I don't see the reason why a factory reset device would be considered data bearing.

    Without hard drives of course. Any resources would be helpful, thanks. I tried researching this online but the laws around data security can be convoluted at times.

    21 Comments
    2024/05/02
    02:30 UTC

    30

    Monitoring packet latency, jitter, loss, etc.

    How are you guys detecting poor path performance? Anything newer or cooler than plain ol' IP SLA? My understanding is that sFlow/netflow are capturing metadata of the flows over time and/or sampling packets; I've used SolarWinds Orion to find who was hogging all the bandwidth. Has anyone leveraged them granularly to detect a lost packet or variations in latency?

    24 Comments
    2024/05/02
    00:51 UTC
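Flow export (NetFlow/sFlow) records counts per flow or samples packets; the records carry no per-packet timing, so latency, jitter and loss come from probe-based measurement (IP SLA and its peers) or from timestamped capture. The script below is an added example, not from the post or any vendor, showing the arithmetic those probes apply. It takes constructed per-probe samples of (sequence number, send time, receive time) in milliseconds, with lost probes simply absent, and computes one-way delay, loss from sequence gaps, and the RFC 3550 interarrival-jitter estimator (J = J + (|D| - J)/16, D being the change in transit time between consecutive received probes), which is the jitter figure most tools report. The sample list and the 10-probe run are constructed, not captured.

```python
"""Added example: delay, jitter and loss from per-probe samples.

Samples are constructed: 10 probes sent 100 ms apart, sequence 4 and 7
lost, one 45 ms delay spike at sequence 9. Timestamps are milliseconds.
"""

SAMPLES = [
    (1, 0, 20), (2, 100, 122), (3, 200, 221), (5, 400, 430),
    (6, 500, 524), (8, 700, 721), (9, 800, 845), (10, 900, 923),
]


def transit_times(samples):
    """One-way transit time per received probe, in sequence order."""
    return [recv - sent for _, sent, recv in sorted(samples)]


def loss_from_sequence(samples, sent=None):
    """Return (expected, received, lost).

    If the sender's count is not known, infer it from the sequence range; that
    cannot see probes lost off the end of the run, which is why a real probe
    reports its own send count (the `sent` argument) when it has it.
    """
    seqs = sorted(s for s, _, _ in samples)
    expected = sent if sent is not None else seqs[-1] - seqs[0] + 1
    return expected, len(seqs), expected - len(seqs)


def rfc3550_jitter(samples):
    """RFC 3550 section 6.4.1 interarrival jitter over consecutive received probes."""
    j = 0.0
    transit = transit_times(samples)
    for prev, cur in zip(transit, transit[1:]):
        d = cur - prev                # change in transit time between probes
        j += (abs(d) - j) / 16        # exponential smoothing with gain 1/16
    return j


def summarize(samples, sent=None):
    """The figures a monitor would plot or threshold for this probe run."""
    t = transit_times(samples)
    expected, received, lost = loss_from_sequence(samples, sent)
    return {
        "min_ms": min(t),
        "avg_ms": sum(t) / len(t),
        "max_ms": max(t),
        "jitter_ms": rfc3550_jitter(samples),
        "loss_pct": 100.0 * lost / expected,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLES).items():
        print(f"{key:10s} {value:8.3f}")
```

The smoothing gain of 1/16 means a single 45 ms spike moves the reported jitter by only a couple of milliseconds, so a path with rare but large excursions can look clean on the jitter line while the max-delay line shows it; thresholding on both is the usual answer.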

    10

    40GbE networking with Server 2025 has abysmal performance

    I finally cobbled together my new cluster and decided to go with TrueNAS Scale as my storage. My old cluster was 4 nodes with a 56Gb InfiniBand connection running hyperconverged Hyper-V, and performance was OK at around 2500mbps.

    New setup is 3 nodes connected to a storage server (TrueNAS Core). Each server has 2 ConnectX-3 VPI cards running in Ethernet mode with 1 port each going to a switch for 80Gb total bandwidth. The TrueNAS server has 4x40Gb connections giving 160Gb bandwidth, limited by PCIe 3 to around 128Gb total.

    Here is my problem. When first testing I was getting 18Gb through iperf3 with a single 40Gb link. I finalized the setup and built all the nodes, and now even with dual connections there seems to be nothing I can do to get past 7.5Gb on the Hyper-V nodes. No clue what has changed. I have destroyed and rebuilt them, changed drivers, added and subtracted offloading, and jumbo frames. I can't tell what I have done to tank performance.

    Setup:

    Switch: 2x Mellanox SX6036. Currently running on a single switch to eliminate issues, but will eventually be MLAGed together for redundancy.

    4x Dell 820 (4x E5-4657L v2 (12 core, 24 threads), 512GB RAM, 2x ConnectX-3 Pro with 1 port each used)

    TrueNAS has 4 connections at 40Gb and 768GB RAM with 36TB arc2 and 840TB storage.

    Tests are currently being conducted between nodes to take the OS out of the picture. Microsoft recommends not using iperf, so I have moved to ntttcp with similar results, even using 96 threads.

    7 Comments
    2024/05/01
    22:43 UTC

    2

    D.I.Y. Port and drop cable Identification Test Set

    1. find old junk 100baseTX switch
    2. hardware hack one port so that it goes up and down about 10 times a minute. Hack same port so that the port is permanently an UPLINK or use and external crossover. The hardware hack will interrupt the TX 3 & 6 pins on that port about 3 seconds on and 3 seconds off
    3. use this modified junk old switch at the end of unknown wall jack X with the modified port
    4. observe back at the main riser or closet switch for a LINK LED that repeats in the same slow UP, DOWN pattern of activity. Note the port and rack numbers.
    5. back to the unknown port in office X 'the unlabeled drop', label that wall jack correctly

    Inexpensive "Port Identification Tester"

    (You can also accomplish a slow cycle with a partner technician, perhaps saying UP, DOWN as that tech inserts the RJ45 into and removes it from the unknown wall jack port.)

    Because most laptops have Auto-MDIX this could probably already be a team method of identification, but I am planning to create a video to post on this DIY. I have many older 100BASE-TX switches in a junk box that can be repurposed to make a solo tester.

    14 Comments
    2024/05/01
    19:40 UTC

    3

    UFW -- Will placing a specific IP above a CIDR allow that IP superseding the CIDR deny?

    I cannot reliably get results from my testing. But if I had said rules in this order:

    lamp@Web:~$sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    Anywhere                   ALLOW       71.64.45.23            <- Allowing
    Anywhere                   DENY        ...
    Anywhere                   DENY        ...
    Anywhere                   DENY        ...
    Anywhere                   DENY        ...
    Anywhere                   DENY        ...
    Anywhere                   DENY        ...
    Anywhere                   DENY        ...
    Anywhere                   DENY        71.64.0.0/12           <- Denying

    Would the direct IP address supersede the CIDR that blocks that IP range? In theory, would the IP not override the CIDR if set to position 1?

    OR would UFW read this as allow from 71.*** THEN deny because of the CIDR rule?

    7 Comments
    2024/05/01
    16:51 UTC
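The question above is about rule order. ufw installs its user rules into iptables chains in the order shown by `ufw status numbered`, and iptables stops at the first matching rule in a chain, so a host ALLOW at position 1 fires before a DENY for the covering /12 at position 9. The script below is an added example, not ufw code and not from the post: it reproduces that first-match evaluation over a constructed ruleset (the `...` rules in the post are unknown, so unrelated placeholder networks stand in for them) so the effect of swapping the order can be traced.

```python
"""Added example: first-match evaluation of a ufw-style ruleset.

Assumption (documented ufw/iptables behaviour, not taken from the post):
user rules are evaluated top to bottom and the first rule whose source
matches decides the packet; later rules are never consulted.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "ALLOW" or "DENY", as in the ufw status Action column
    source: str   # host address or CIDR, as in the From column


# Constructed ruleset mirroring the post: host ALLOW first, /12 DENY last.
# The post's "..." rules are unknown; these placeholders use documentation
# prefixes so they never overlap the addresses being tested.
RULES = [
    Rule("ALLOW", "71.64.45.23"),
    Rule("DENY", "198.51.100.0/24"),
    Rule("DENY", "203.0.113.0/24"),
    Rule("DENY", "71.64.0.0/12"),
]


def first_match(rules, src, default="DENY"):
    """Return (action, position) of the first rule whose source contains src.

    position is 1-based to line up with `ufw status numbered`; None means no
    user rule matched and the default incoming policy applies.
    """
    addr = ipaddress.ip_address(src)
    for pos, rule in enumerate(rules, start=1):
        if addr in ipaddress.ip_network(rule.source, strict=False):
            return rule.action, pos
    return default, None


def verdicts(rules, sources):
    """Map each source address to the action the ruleset takes for it."""
    return {s: first_match(rules, s)[0] for s in sources}


if __name__ == "__main__":
    probes = ("71.64.45.23", "71.64.45.24", "71.79.255.255", "71.80.0.1")
    for src in probes:
        print(f"{src:15s} -> {first_match(RULES, src)}")
    # Same rules with the /12 DENY moved to the top: the host is now blocked.
    print("reversed:", first_match(list(reversed(RULES)), "71.64.45.23"))
```

With the order as listed, 71.64.45.23 is allowed at position 1 while every other address in 71.64.0.0/12 is denied at position 4; with the list reversed the /12 DENY matches first and the host never reaches its ALLOW. On the real system, `ufw insert 1 allow from 71.64.45.23` places the exception ahead of an existing deny, and `ufw status numbered` is the order to read against.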

    12

    What is your experience with Thousandeyes?

    What has your experience been like with ThousandEyes since Cisco purchased them? Is it just my company, or is it not as good as it used to be?

    39 Comments
    2024/05/01
    16:32 UTC

    17

    Failed clients on MIST Wifi?

    We are currently doing a proof of value test with Mist Wi-Fi versus our current vendor, Aruba. One disadvantage I'm seeing so far is that with Aruba, if you view Clients, it will show you every client who is trying to connect, even if they failed. In Mist it looks like it only shows you clients who are fully and successfully connected. Where do you go to quickly see a client who is trying to join a WLAN and failing in Mist? Any help would be appreciated!

    10 Comments
    2024/05/01
    16:31 UTC

    15

    VLAN Question

    Hello everyone. I am trying to understand VLAN traffic for our network and how the frames are tagged on the switch. I understand that VLANs are just virtual LANs that help separate the network.

    Here is my big question:

    If you have several VLANs on a switch with the same port tagged how is that traffic identified to that VLAN?

    For example, If I have a 24-port switch, ports 1-24 are tagged on my phone VLAN, and a VLAN for my printers is tagged on ports 1-24. Now let's say I have my native VLAN, "Workstations," untagged on ports 2-24, and tagged on my uplink port, port 1. Now switch port 4 has a workstation, phone, and printer connected to that port.

    How is the traffic that comes through that port tagged to its respective VLAN? Does it just get tagged to all of the VLANs, or is there an identifier within the frame that goes through the switch that knows which VLAN to tag that frame to?

    I get the basic VLAN understanding that if you have one port on VLAN 10 and a port on VLAN 20 that is on the same switch those 2 devices can't talk to each other. The tagging and untagging concept confuses me.

    Here is an example of a VLAN config on a switch if that helps.

    vlan 10
       no untagged 1-24
       untagged 25-28
       no ip address
       exit
    vlan 20
       name "Workstation"
       untagged 1-3,5-24
       tagged 4
       ip address x.x.x.x x.x.x.x
       exit
    vlan 40
       name "Phones"
       tagged 1-24
       no ip address
       exit
    vlan 100
       name "Printers"
       tagged 1-24
       no ip address
       exit
    vlan 101
       name "VLAN101"
       tagged 1-24
       no ip address
       exit

    17 Comments
    2024/05/01
    15:52 UTC
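The identifier the post asks about is the 802.1Q tag: a 4-byte field inserted after the two MAC addresses, consisting of the TPID 0x8100 and a 16-bit TCI whose low 12 bits are the VLAN ID. A frame with no such field is untagged, and the switch places it in the port's single untagged VLAN (the PVID); a tagged frame is placed in the VLAN its tag names, but only if the port is a member of that VLAN. The script below is an added example, not from the post or any switch vendor. It builds both kinds of frame with Python's `struct`, parses the tag, and classifies ingress and egress frames against a constructed membership model for port 4 taken from the config in the post (untagged in VLAN 20, tagged in 40, 100 and 101). The hypothetical port dictionaries and sample MAC addresses are assumptions for illustration.

```python
"""Added example: 802.1Q tagging and per-port VLAN classification.

Port membership below is a constructed model of port 4 in the post's config:
untagged member of VLAN 20 (its PVID) and tagged member of 40, 100 and 101.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806

# Hypothetical port model: one PVID (the VLAN untagged frames join and
# that egress frames leave untagged) plus the set of tagged VLANs.
PORT4 = {"pvid": 20, "tagged": {40, 100, 101}}


def build_frame(dst_mac, src_mac, ethertype, payload, vid=None, pcp=0):
    """Return a raw Ethernet frame; insert an 802.1Q tag when vid is given."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vid(frame):
    """VLAN ID carried in the 802.1Q tag, or None if the frame is untagged."""
    (tpid,) = struct.unpack_from("!H", frame, 12)   # first field after the MACs
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def strip_tag(frame):
    """Remove the 4-byte 802.1Q header if present."""
    return frame[:12] + frame[16:] if parse_vid(frame) is not None else frame


def ingress_vlan(port, frame):
    """VLAN an incoming frame joins on this port, or None if it is discarded.

    Untagged and priority-tagged (VID 0) frames go to the PVID. A tagged frame
    is accepted only for a VLAN the port is a member of, so a host on port 4
    cannot inject itself into VLAN 10 by sending its own tag.
    """
    vid = parse_vid(frame)
    if vid is None or vid == 0:
        return port["pvid"]
    if vid == port["pvid"] or vid in port["tagged"]:
        return vid
    return None


def egress_frame(port, vid, frame):
    """What leaves this port for VLAN vid: tag stripped on the PVID, a tag
    added for any other member VLAN, None if the port is not a member."""
    bare = strip_tag(frame)
    if vid == port["pvid"]:
        return bare
    if vid in port["tagged"]:
        return bare[:12] + struct.pack("!HH", TPID_8021Q, vid) + bare[12:]
    return None


# Constructed frames as a switch might see them on port 4 (sample MACs are
# arbitrary): a workstation (untagged), a phone (tagged 40, with a priority),
# a printer (tagged 100) and a host forging a tag for VLAN 10.
PAYLOAD = b"\x00" * 46
WORKSTATION = build_frame("ffffffffffff", "00005e000101", ETHERTYPE_ARP, PAYLOAD)
PHONE = build_frame("ffffffffffff", "00005e000102", ETHERTYPE_ARP, PAYLOAD, vid=40, pcp=5)
PRINTER = build_frame("ffffffffffff", "00005e000103", ETHERTYPE_ARP, PAYLOAD, vid=100)
SPOOFED = build_frame("ffffffffffff", "00005e000104", ETHERTYPE_ARP, PAYLOAD, vid=10)

if __name__ == "__main__":
    for name, f in (("workstation", WORKSTATION), ("phone", PHONE),
                    ("printer", PRINTER), ("forged vlan 10", SPOOFED)):
        print(f"{name:15s} tag={parse_vid(f)!s:5s} -> ingress vlan {ingress_vlan(PORT4, f)}")
```

Run stand-alone, the workstation frame lands in VLAN 20 without carrying any tag, the phone and printer frames land in 40 and 100 because their tags name VLANs port 4 is a member of, and the forged VLAN 10 frame is dropped because port 4 is not a member of VLAN 10 in the posted config. Egress is the mirror image: a VLAN 20 frame leaves port 4 untagged, a VLAN 40 frame leaves it tagged.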

    1

    Cisco 2960x Reset

    I’m fully aware of the procedure to factory reset this model, however the mode button on this particular switch does not seem to do anything.

    I have tried holding “mode” down before pulling power and then reconnecting power and releasing at the initializing flash.

    I also tested the mode button and nothing changes on the switch (LED lights); nothing happens.

    Anyone run into this?

    8 Comments
    2024/05/01
    15:47 UTC

    5

    Central managed firewall deployment times

    Hi all firewall admins,

    I have a question for those of you who are admins of one or more firewalls with 300-400+ rules (including IPS and application detection) and 100+ NATs (statics, PAT and so on).

    How long are your deployment times after making updates to a ruleset on Palo, Fortinet, Check Point and whatever else you have?

    The reason for my question is that I have a Cisco setup with an FMC and a Firepower 4125 (running 2 minimum-size instances and one instance taking the rest of the resources). I have deployment times for an access control policy (ACP) of roughly 8 to 12 minutes, where the only thing I see is a spinning wheel. I have had Cisco TAC and consultants look at the deployment times, and the only way to cut 1-2 minutes off the deployment times was to accept that clients would have disconnects on deployment, and that is from my point of view unacceptable.

    I have a Firepower 1150 where I have roughly 400 rules and deployment times of 8-10 minutes.

    Cisco TAC and consultants have ended up saying: that is the way it is.

    The consultants we use say more or less the same when it comes to Palo, Fortinet, Check Point and so on.

    I miss my good old Cisco ASA ASDM / CLI days.

    So what do you guys say?

    26 Comments
    2024/05/01
    15:29 UTC

    1

    Cisco FTD VPN establishes but traffic not reached on one end, other side works normally

    EDIT: This post is largely irrelevant now, I changed it from ikev2 to ikev1 and the tunnels are showing matching encaps / encrypt and decaps / decrypt, so I think the misinformation is an FTD ikev2 bug where it doesn't record properly.

    The problem, unfortunately, remains where nothing being encapsulated into the VPN from OFFICEB is being received at DC. So I've answered a question and still made no progress.

    BONUS EDIT: The whole thing is moot; it's the firewall. I'd taken the many TAC engineers at their word when they said the traffic wasn't arriving at DC; turns out it's not actually leaving OFFICEB. pcaps on the outside interfaces show ISAKMP messages going back and forth happily, but ESP packets are only coming out of DC, no ESP whatsoever leaving OFFICEB. I do not understand how we had the same issue on an ASA, but I've been staring at this for 6 hours and I simply cannot be bothered to build another tunnel and test that again.

    Hello I've got a real sticky issue that nobody can make sense of, we've run through about 10 TAC engineers, firewall and VPN, we've tried terminating VPNs on ASAs and FTDs, we've tried different circuits, we are completely out of ideas.

    We have 3 existing sites

    OFFICEA - FTD 7.0.5 10.1.0.0/16

    OFFICEB - FTD 7.0.5 10.2.0.0/16

    DR - ASA 10.3.0.0/16

    and are adding a new site

    DC - FTD 7.0.6 10.4.0.0/16

    We've got route based tunnels, VTIs etc between all the existing sites working without issues.

    When we add in the DC site we set up route based tunnels between OFFICEA and DC.

    Tunnel DC > OFFICEA works without issues, tunnel to DC > DR comes up and we can see traffic from DC reaching DR and being responded to, but nothing appears on DC firewall. Just showing packets encaps and encrypt, but nothing decaps.

    We spend a long time trying to figure this out and figure it's probably something to do with the ASA, so we try a tunnel from DC > OFFICEB

    Exact same behaviour as DC > DR

    TAC say it's probably the circuit, luckily we have another circuit at DC so we try to run the tunnels over that. Exact same behaviour.

    Can't understand it at all.

    So what I've done today is take it all back to be as basic as possible, policy based VPN, permissive NAT and ACL, static routes on the cores but I'm still getting the same and I want to tear my little remaining hair out. The VPN was built via FMC so it essentially has to be exactly the same on both sides, I can't see any margin for error.

    The only thing that I've noticed that I don't fully understand is the encaps / encrypt behaviour of the tunnels.

    So I've recently reset this tunnel and here is the output after sending some pings back and forth

    DC to OFFICEB

    > show crypto ipsec sa peer OFFICEBIP
    peer address: OFFICEBIP
    Crypto map tag: CSM_outside_map, seq num: 1, local addr: DCIP
    
      access-list CSM_IPSEC_ACL_1 extended permit ip 10.4.0.0 255.255.0.0 10.2.0.0 255.255.0.0 
      local ident (addr/mask/prot/port): (10.4.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: OFFICEBIP
    
    
      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
    
      local crypto endpt.:x.x.x.x/500, remote crypto endpt.: x.x.x.x/500
      path mtu 1500, ipsec overhead 55(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 09C2EB3D
      current inbound spi : E745BCE6
    
    inbound esp sas:
      spi: 0xE745BCE6 (3880107238)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 1850, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4055040/28713)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x09C2EB3D (163769149)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 1850, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4193279/28713)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

    So we've got packets encapsulated and encrypted, nothing received back.

    On the OFFICEB side it looks like below

    > show crypto ipsec sa peer DCIP
    peer address: DCIP
    Crypto map tag: CSM_outside_map, seq num: 2, local addr: OFFICEBIP
    
      access-list CSM_IPSEC_ACL_1 extended permit ip 10.2.0.0 255.255.0.0 10.4.0.0 255.255.0.0 
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.4.0.0/255.255.0.0/0/0)
      current_peer: DCIP
    
    
      #pkts encaps: 19, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 9, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
    
      local crypto endpt.: x.x.x.x/500, remote crypto endpt.: x.x.x.x/500
      path mtu 1500, ipsec overhead 55(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: df
      ICMP error validation: disabled, TFC packets: disabled
    
    
    inbound esp sas:
      spi: 0x09C2EB3D (163769149)
         SA State: standby
         transform: esp-aes-gcm-256 esp-null-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 365111, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4193279/28712)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x000003FF
    outbound esp sas:
      spi:  (3880107238)
         SA State: standby
         transform: esp-aes-gcm-256 esp-null-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 365111, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4055038/28712)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

    So in this one we've got the pings I sent from this side encapsulated but NOT encrypted, and same for the replies from the other end.

    And nothing happens on the other side.

    Is there something with this encaps / encrypt difference? Or am I clutching at straws?

    TAC keep telling us it's something in the way causing it or dropping the ESP packets, but this doesn't make sense since the OFFICEA > DC tunnel is up and working fine, and we had the same issue when moving the tunnel onto a completely different DC circuit.

    The only thing in common is a DMZ switch at the DC, but we've been through the config and it's basic, I just can't see what on a switchport could drop specific traffic.

    Any help or suggestions would be appreciated.

    4 Comments
    2024/05/01
    11:35 UTC
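The two `show crypto ipsec sa` outputs above can be cross-checked mechanically: a healthy tunnel shows one side's outbound SPI equal to the other side's inbound SPI, and one side's encaps count close to the other side's decaps count. The script below is an added example, not from the post and not a Cisco tool. The two excerpts it parses are trimmed copies of the outputs in the post; the checks it applies (SPI pairing, encaps-versus-decaps per direction, encaps-versus-encrypt on the sending side, SA state) are the reviewer's own assumptions about what a working tunnel looks like, labelled as such in the code.

```python
"""Added example: cross-check both ends of an IPsec SA from show output.

Assumptions (not from the post): for direction A -> B, A's outbound SPI must
equal B's inbound SPI, A's encaps count should be reflected in B's decaps
count, A's encaps should equal its encrypt count, and both SAs should be
active. Excerpts below are trimmed from the two outputs in the post.
"""
import re

DC = """\
  #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
  spi: 0xE745BCE6 (3880107238)
     SA State: active
outbound esp sas:
  spi: 0x09C2EB3D (163769149)
     SA State: active
"""

OFFICEB = """\
  #pkts encaps: 19, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 9, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
  spi: 0x09C2EB3D (163769149)
     SA State: standby
outbound esp sas:
  spi:  (3880107238)
     SA State: standby
"""

SA_RE = r"{d} esp sas:\s*spi:\s*(?:0x[0-9A-Fa-f]+)?\s*\((\d+)\)\s*SA State: (\w+)"


def parse_sa(text):
    """Pull the packet counters and per-direction SPI/state out of one side.

    The SPI is taken from the decimal in parentheses because, as in the
    OFFICEB output, the hex form can be missing.
    """
    sa = {}
    for key in ("encaps", "encrypt", "decaps", "decrypt"):
        m = re.search(rf"#pkts {key}: (\d+)", text)
        sa[key] = int(m.group(1)) if m else None
    for direction in ("inbound", "outbound"):
        m = re.search(SA_RE.format(d=direction), text)
        sa[direction] = {"spi": int(m.group(1)), "state": m.group(2)} if m else None
    return sa


def cross_check(a, b, a_name="A", b_name="B"):
    """Findings for traffic flowing a -> b; run it once per direction."""
    findings = []
    if a["outbound"]["spi"] != b["inbound"]["spi"]:
        findings.append(f"SPI mismatch: {a_name} outbound {a['outbound']['spi']} "
                        f"vs {b_name} inbound {b['inbound']['spi']}")
    if a["encaps"] and not b["decaps"]:
        findings.append(f"{a_name} encapsulated {a['encaps']} packets but {b_name} "
                        f"decapsulated none: ESP from {a_name} is not arriving")
    if a["encaps"] != a["encrypt"]:
        findings.append(f"{a_name}: encaps {a['encaps']} != encrypt {a['encrypt']}")
    for name, sa in ((a_name, a), (b_name, b)):
        for d in ("inbound", "outbound"):
            if sa[d]["state"] != "active":
                findings.append(f"{name} {d} SA state is {sa[d]['state']}")
    return findings


if __name__ == "__main__":
    dc, officeb = parse_sa(DC), parse_sa(OFFICEB)
    for label, findings in (("DC -> OFFICEB", cross_check(dc, officeb, "DC", "OFFICEB")),
                            ("OFFICEB -> DC", cross_check(officeb, dc, "OFFICEB", "DC"))):
        print(label)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Read per direction, the posted counters say the DC -> OFFICEB path is delivering (DC encaps 9, OFFICEB decaps 9, SPIs paired) and the OFFICEB -> DC path is not (OFFICEB encaps 19, DC decaps 0), alongside the encaps/encrypt disagreement and standby state on the OFFICEB side that the post itself remarks on. Counters narrow the question to one direction; whether ESP actually leaves the sending interface is then a capture question, not a counter question.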

    2

    Questions about PPPoE passthrough to Ubiquiti UDM network controller

    We have a Ubiquiti UDM SE network controller in our office.

    We are due to migrate our business broadband tomorrow and I am slightly confused about the configuration of the Ubiquiti network controller.

    It currently has a PPPoE IPv4 configuration and its WAN port is plugged into a LAN port on our ISP router.

    Does this mean that the ISP router is performing a PPPoE passthrough?

    If so, does this mean that as long as the new ISP's router is configured to do PPPoE passthrough and the network controller is configured with the new ISP PPPoE credentials then we should have no issues?

    Thanks for any help!

    0 Comments
    2024/05/01
    11:14 UTC

    5

    HPE SN6600B FC Switch

    Hi everyone,
    I have an HPE SN6600B FC switch for which the username and password have been forgotten. I am unable to reset the switch to the default configuration. Can anyone please give me some advice?
    I have tried multiple combinations of usernames and passwords. Nothing was working. So I thought to try using the Boot ROM. However, this leads to a dead end. The two options available are:

    1. Start System
    2. Enter command shell

    I tried help or ? but was given "Unsupported command '?' in secure boot mode". The switch just needs to be defaulted. Can anyone please advise me?
    7 Comments
    2024/05/01
    10:33 UTC

    5

    Core C6507 replacement 10G/1G needed

    We have a couple of 6507 core switches and a couple of 3850s used for 1G ports. We need to combine them into a core layer. We need 10G for floor switches, 90 ports per core. We are connected to ISP links and legacy hardware, so 1G ports are also needed. Thought about the 9500 60-port new variant, but afraid that what we save on line cards/chassis (9407) we will pay for in SFPs. Need advice 🥲

    6 Comments
    2024/05/01
    05:48 UTC

    15

    People who actually took CCNA-Wireless, Collab, SP, or Security were they actually in depth enough without going into CCNP territory?

    Back when the certs actually existed, of course. Which they don't anymore.

    16 Comments
    2024/05/01
    01:55 UTC

    9

    Firmware Update Policy?

    What policy (guidelines, standards) does your org have around firmware updates on core infrastructure in a data center?

    • Do you require remote-hands be on-site?
    • Do you require graceful out-of-service before you start?
    • Do you require peer-review?

    I'm looking to learn what your org does to minimize the impact of a firmware upgrade failing.

    16 Comments
    2024/05/01
    01:40 UTC
