1

I have a ton of Russian subnets which I don't want to route through the VPN, due to VPN monitoring by rzzian fascist services, and services which block all non-rzzian IPs.

Also, since I want to use WireGuard (the AmneziaWG obfuscation fork, since plain WG is blocked) on an OpenWrt system, maybe there is a way to route all traffic through the WG interface but the subnet list through the plain interface?

aaaaaaaaa, I don't have much OpenWrt knowledge.

2
submitted 3 weeks ago* (last edited 3 weeks ago) by Wudi@feddit.uk to c/networking@sh.itjust.works

Here’s what you’ll do

System orchestration and OS management: Orchestrate, deploy, and maintain all internal and external systems, specifically standard and customised Linux operating systems, with the majority of machines running Debian GNU/Linux. We currently run SaltStack, but proposals for different ways to handle config management and deployment are welcome.

Virtualisation and storage infrastructure: Manage virtualisation platforms and hypervisors (KVM/QEMU). Experience with GlusterFS (for the backup system) is a plus, but not mandatory.

Database, cloud, and App Administration: Administer database servers such as MariaDB and PostgreSQL, cloud storage repositories (such as Nextcloud), web applications, email services, and developer tooling.

Network and hardware maintenance: Maintain core physical and cloud network infrastructure, including routers, switches, and NAS storage, amongst them devices from MikroTik.

Security and network access: Oversee firewalls, intrusion detection, antivirus, IP reputation, global mirror systems, and secure VPNs for users and machines.

Identity and access management: Deploy and manage single sign-on (SSO) solutions, directory services, domain names, DNS zones, and SSL certificates (PKI).

Ensure stable operations and monitoring: Together with teammates and volunteers, ensure stable infrastructure availability, manage log analysis, handle emergencies, and coordinate with external providers during outages.

Patch management: Execute timely deployments of security and software updates within scheduled maintenance windows.

Team coordination and documentation: Lead and coordinate the infrastructure team, volunteer contributors, and third-party vendors, while keeping technical documentation up to date.

Data protection and disaster recovery: Implement backup and point-in-time disaster recovery solutions, and manage infrastructure-related GDPR compliance in cooperation with privacy officers.

👉 We’re looking forward to receiving your application, including information about you (your resume), when you are available for the job, and of course your financial expectations.

👉 The role is offered as full-time (ideally 40 hours per week). While we prefer full-time for the role, part-time applications, or proposals to grow the hours over time, will be considered.

👉 Please provide details about your experience and send us an e-mail to sysadmin@documentfoundation.org no later than July 6, 2026 (end of day, Berlin time)

https://blog.documentfoundation.org/blog/2026/06/08/join-the-libreoffice-team-as-a-paid-system-administrator-working-on-tdfs-infrastructure-full-time-remote-m-f-d/

3

A part of the 6 GHz spectrum was recently (approx. 4-5 months ago) delicensed for Wi-Fi usage in my country. Intel pushed an update soon after that to enable the 6 GHz band. Even my router manufacturer, TP-Link, did the same, and my S26U updated to unlock 6 GHz; even on One UI 9 there is an option for a 6 GHz hotspot. The issue is, my router's 6 GHz band can be seen by my phone and it can connect to it without any problem. But my laptop is unable to see any 6 GHz network, neither my TP-Link router nor my phone's hotspot. Latest updates applied to every device. Any idea how to fix it?

4

Inspired by a recent post, and my recent move, I'm looking to play with 6 GHz.

I had been waiting for the "openwrt two", and I still kind of am, but I'm not holding my breath for that to arrive anytime soon.

My current network consists of two Google AC1304s flashed with OpenWrt, an 8-port managed switch for VLANs, and a 5-port dumb switch for the main LAN.

One AC1304 is the main router/firewall/DHCP/VLAN etc., as well as Wi-Fi for the basement. The second one is just a dumb AP on the top floor. The main floor catches a bit of both and is probably good enough. And the switches handle all my actual routing, currently just gigabit. I hardwire everything I reasonably can. Internet is 500/500 fiber.

So basically my network is Wi-Fi 5, plenty fast for the devices that need it. I've had no plans to upgrade to Wi-Fi 6 ever, I just don't need it. I definitely don't need 7 right now, but I figured eventually I should probably jump to it when it's stable. I don't think it's currently stable, or even common enough, to bother with. Not for the cost of upgrading everything, especially since Wi-Fi 7 OpenWrt routers barely exist.

But a comment on a post recently made a point that I had somehow never considered.

A dumb AP doesn't NEED to be OpenWrt in order to function well on my network, or be secure.

So I started searching, but immediately hated everything I saw, and got overwhelmed.

TLDR

Basically what I'm looking for is a cheap Wi-Fi 7 AP with 6 GHz support that I can add to my network, on the main floor, to play with while I wait for Wi-Fi 7 to mature.

I don't want to have to create an account with some external company just to change some settings, though. As seems to be the issue with the inexpensive Netgear APs I've found.

So, does anyone know of any APs that fit that bill? I'd even go to Wi-Fi 6E if that's the only thing that exists with those requirements; really I just want to play with 6 GHz to bide my time for better equipment.

Bonus question: would mixing Wi-Fi 5 and 6/7 APs into my same SSID/network be a bad idea, performance wise? I'm assuming not, because the channels would not be overlapping?

5
submitted 1 month ago* (last edited 1 month ago) by uenticx@lemmy.world to c/networking@sh.itjust.works

Looking for feedback on WireGuard-capable Wi-Fi routers that keep a persistent link from the router to an endpoint. A lot of what I see advertised as "WireGuard supported" sets up a server and not a client.

The GL.iNet routers seem to do it, anyone with experience with these? https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/

Bonus for being able to push a WireGuard client config to the device via API/CLI.

6

Looking to replace the ISP's default router connected to the fibre modem, and two Eero 6s (with Ethernet / EoP backhaul).

Looking to get an OpenWrt-compatible router and some sort of access point connected via Ethernet over power. £200 would be my max price for the router.

Is it still too early to look at Wi-Fi 7?

Was tempted by the Flint 3 but missed the pre-order discount; however, I could not figure out what would be a good access point to go with it to offer clean handover like the Eeros have.

Want pretty simple life once setup, don't feel like I have the energy these days to tinker.

Any thoughts or suggestions would be welcome, thank you.

7

cross-posted from: https://infosec.pub/post/46083169

Hello,

I’m here to ask for guidance on an ongoing project. A number of years ago I wrote Articles of Association for a workers' cooperative as I think it should be run. The main difference between a conventional co-op and mine is that a conventional co-op tends to have no hierarchy, while in mine there is a CEO who gets elected periodically based on their business plan. The theory is that this brings democratic ideals into the workplace without sacrificing the productivity gains that result from hierarchical teamwork. You can read more detailed information on my Beehaw post.

To put it into practice I need to create an open-source enterprise application server with applications specifically designed for the management of these companies. I created a block diagram to show you what I envision (attached to the post), and this represents my ideal “wish list” for what it should include.

The controls listed at the bottom will determine the permissions everyone has on the network and will be used to design GUI screens. I was going to draw connectors to each of the services but it would have turned into spaghetti.

I’m pretty decent with local programming including database and GUI design, but I lack experience with network programming.

So far I think I need to use XMPP for the messaging client and SSH for the rest. Since I’m most comfortable in Python I was going to look into Paramiko.

So my question is, where should I go in my research? Is there a particular component in the diagram you think I should try to build first?

Thanks in advance for any help, Juniperus

8

cross-posted from: https://lemmy.world/post/46304716

We’re currently implementing additional security controls for our hosting platform, and one of the biggest challenges we’re encountering involves customers connecting over mobile networks. As users move between towers or regions they are frequently assigned different IP addresses within very short timeframes, which complicates IP-based allow-listing.

Is there a reliable way to obtain and maintain up-to-date CIDR ranges for major mobile providers such as AT&T, Verizon, and T-Mobile?

For reference, we currently use this from Starlink, which provides a public feed of their IP space.
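Added example, not code from the original post: once you have a provider's announced prefixes from whatever source you settle on (per-ASN prefix data from an RIR or a BGP view, or a published feed like the Starlink one mentioned above), the remaining work is to aggregate them and check client addresses against the result. The feed format, provider names and ASNs below are constructed placeholders using documentation ranges, not real carrier allocations.

```python
"""Aggregate provider prefixes into an allow-list and match client IPs.

Added example. SAMPLE_FEED is CONSTRUCTED data: RFC 5737 / RFC 3849
documentation ranges standing in for a real per-ASN prefix export; the
provider labels and ASNs are placeholders.
"""
import ipaddress
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

Net = ipaddress._BaseNetwork  # IPv4Network | IPv6Network

SAMPLE_FEED = """
# provider,asn,prefix   (constructed sample rows)
carrier-a,AS64496,192.0.2.0/25
carrier-a,AS64496,192.0.2.128/25
carrier-a,AS64496,198.51.100.0/24
carrier-b,AS64497,203.0.113.0/26
carrier-b,AS64497,2001:db8:1::/48
bogus,AS64498,not-a-prefix
"""


def parse_feed(text: str) -> Iterator[Tuple[str, Net]]:
    """Yield (provider, network); skip comments and malformed rows instead of failing."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            provider, _asn, prefix = (f.strip() for f in line.split(","))
            # strict=True rejects host bits set in a prefix (e.g. 192.0.2.1/24)
            yield provider, ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            continue  # wrong field count or unparsable prefix: drop the row


def build_allowlist(pairs: Iterable[Tuple[str, Net]]) -> Dict[str, List[Net]]:
    """Collapse adjacent/overlapping prefixes per provider, per address family."""
    per_provider: Dict[str, List[Net]] = {}
    for provider, net in pairs:
        per_provider.setdefault(provider, []).append(net)
    result: Dict[str, List[Net]] = {}
    for provider, nets in per_provider.items():
        v4 = [n for n in nets if n.version == 4]
        v6 = [n for n in nets if n.version == 6]
        result[provider] = (list(ipaddress.collapse_addresses(v4))
                            + list(ipaddress.collapse_addresses(v6)))
    return result


def match_provider(allowlist: Dict[str, List[Net]], ip: str) -> Optional[str]:
    """Return the provider whose aggregated space contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in allowlist.items():
        for net in nets:
            if net.version == addr.version and addr in net:
                return provider
    return None


if __name__ == "__main__":
    allow = build_allowlist(parse_feed(SAMPLE_FEED))
    for provider, nets in allow.items():
        print(provider, [str(n) for n in nets])
    for probe in ("192.0.2.200", "203.0.113.70", "2001:db8:1::beef"):
        print(probe, "->", match_provider(allow, probe))
```

Two caveats for using this as a control: allow-listing a whole carrier's space admits every subscriber behind that carrier's CGNAT pools, so it narrows exposure but is not authentication and should sit in front of real per-user auth rather than replace it; and announcements change, so the build step needs to run on a schedule and the old list should be diffed against the new one before it is loaded into the firewall.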

9
submitted 2 months ago* (last edited 2 months ago) by GreatBlueHeron@lemmy.ca to c/networking@sh.itjust.works

Edit for anyone that finds this later: my problem was that I was missing a route in the VMs to send traffic for the OpenVPN subnet to the main host bridge interface. So, it was using "default", which sent it to my internet router.

Maybe better to ask this in a Linux group, but trying here first.

I'm running a Linux server with Home Assistant in a VM, and a whole bunch of other stuff.

I recently moved my OpenVPN server onto the same physical box as Home Assistant. OpenVPN runs native on the host OS in tunnel mode.

OpenVPN works fine - clients can get to the host running OpenVPN, to applications running in docker containers on the same host and to other hosts on my network (once I update their routing to send traffic for my VPN network back to the OpenVPN host).

OpenVPN clients cannot get to my Home Assistant VM.

If I use tcpdump to watch the VM network interface (vnet0), from the host, and ping the VM from a VPN client I see the echo request go in and the reply come out. If I do the same, but watch the OpenVPN interface (tun0) I only see the request go in, but no reply. It's like the kernel doesn't know what to do with packets from the VM addressed to the VPN.

There is no firewall running on the host. This is not specific to my Home Assistant VM - I brought up a vanilla Alpine Linux VM and had exactly the same issue.
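The same rule decides both the first post on this page (everything through the tunnel except a subnet list) and this one (VM replies for the VPN subnet leaving by the default route): the kernel picks the matching route with the longest prefix, so a /0 default loses to anything more specific. Added example, not code from either post: a small model of that lookup with two constructed tables. Interface names (awg0, br-lan, wan, eth0), gateway addresses and the bypass subnets are placeholders from documentation ranges.

```python
"""Longest-prefix-match route selection (added example, not from either post).

All interface names, gateways and subnets are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str
    via: Optional[str] = None      # None: directly connected


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, dev: str, via: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix, strict=True), dev, via))

    def lookup(self, dst: str) -> Optional[Route]:
        """Most specific matching prefix wins; metrics/ties are not modelled."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes
                   if r.prefix.version == addr.version and addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def router_table(bypass_subnets: List[str], tunnel_endpoint: str) -> RoutingTable:
    """First post's goal: default via the tunnel, a subnet list pinned to the ISP uplink.

    The tunnel endpoint itself also needs a WAN route, otherwise the tunnel
    would try to send its own encrypted packets into itself."""
    t = RoutingTable()
    t.add("0.0.0.0/0", dev="awg0")                        # AmneziaWG tunnel is the default
    t.add("192.168.1.0/24", dev="br-lan")                 # local LAN
    t.add(tunnel_endpoint + "/32", dev="wan", via="203.0.113.1")
    for cidr in bypass_subnets:                           # the no-VPN list
        t.add(cidr, dev="wan", via="203.0.113.1")         # ISP gateway (placeholder)
    return t


def vm_table(with_vpn_route: bool) -> RoutingTable:
    """This post's VM: without a route for the OpenVPN subnet, replies to VPN
    clients follow the default to the internet router and never reach tun0."""
    t = RoutingTable()
    t.add("192.168.1.0/24", dev="eth0")
    t.add("0.0.0.0/0", dev="eth0", via="192.168.1.1")     # internet router
    if with_vpn_route:
        t.add("10.8.0.0/24", dev="eth0", via="192.168.1.10")  # host running OpenVPN
    return t


def egress(table: RoutingTable, dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """(dev, via) the packet would leave on, or None if unroutable."""
    r = table.lookup(dst)
    return (r.dev, r.via) if r else None


if __name__ == "__main__":
    rt = router_table(["198.51.100.0/24", "192.0.2.0/24"], tunnel_endpoint="203.0.113.50")
    for ip in ("198.51.100.77", "8.8.8.8", "203.0.113.50", "192.168.1.50"):
        print(ip, "->", egress(rt, ip))
    for fixed in (False, True):
        print("VM reply to 10.8.0.6", "with" if fixed else "without", "VPN route ->",
              egress(vm_table(fixed), "10.8.0.6"))
```

On a real OpenWrt box the first table corresponds to one `ip route add <subnet> via <WAN gateway>` per bypass prefix (or the equivalent entries in a policy-routing package) on top of the tunnel's default route; everything on that list leaves the WAN unencrypted by design, so the list has to be exactly the address space you intend to expose. The second table is the fix from the edit at the top of this post: one route for the OpenVPN subnet pointing at the host's bridge address.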

10
submitted 2 months ago* (last edited 2 months ago) by 30p87@feddit.org to c/networking@sh.itjust.works

After connecting to my new ISP (Deutsche Glasfaser) successfully via IPv4 (systemd-networkd got a CGNAT'ed address as expected), I noticed that I had no IPv6 address. I then spent days researching PPPoE, 6rd and what parameters/prefixes/relays my ISP may use, as neither systemd-networkd, NetworkManager nor dhcpcd were even able to find a DHCPv6 server, neither in unconfigured nor configured (routable IPv4) state. Scanning with nmap (sudo nmap (-6) --script broadcast-dhcp(6)-discover) didn't find anything either.

However, dhclient did, without a hitch.

(0) 30p87@30p87-dns-db:[/etc/systemd/network]$ sudo dhcpcd -6 enp2s0
dhcpcd-10.3.1 starting
DUID 00:01:00:01:31:63:a3:c6:00:10:18:35:c3:1e
enp2s0: IAID 18:35:c3:1e
enp2s0: soliciting an IPv6 router
enp2s0: Router Advertisement from fe80::23
Dropped protocol specifier '.ra' from 'enp2s0.ra'. Using 'enp2s0' (ifindex=2).
enp2s0: soliciting a DHCPv6 lease
timed out
(0) 30p87@30p87-dns-db:[~]$ sudo dhclient -6 enp2s0 -v
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on Socket/enp2s0
Sending on   Socket/enp2s0
PRC: Confirming active lease (INIT-REBOOT).
XMT: Forming Confirm, 0 ms elapsed.
XMT:  X-- IA_NA 18:35:c3:1e
XMT:  | X-- Confirm Address 2a00:6020:5340::29b4
XMT:  V IA_NA appended.
XMT: Confirm on enp2s0, interval 910ms.
RCV: Reply message on enp2s0 from fe80::23.
RCV:  X-- Server ID: 00:03:00:01:18:c3:00:c3:88:24
message status code Success: "All addresses still on link"
PRC: Bound to lease 00:03:00:01:18:c3:00:c3:88:24.

What really puzzles me is that there are no indications from any DHCP client that they even got a response when requesting a v6 address. So it's not a problem of expecting an address but getting a prefix instead, I guess? Configuring that (as seen in https://github.com/systemd/systemd/issues/31820) also doesn't change anything.

So, I guess, either everything but dhclient is borked, or it just automates stuff I don't know about.

I guess I'll try to capture all packets with Wireshark now, and compare e.g. systemd-networkd with dhclient.

P.S.: It's very ironic that a networking community lives on an instance named "itjust.works"
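One thing the two logs above do show is that the clients sent different messages: dhcpcd solicited from scratch and timed out, while dhclient confirmed an address it already held (INIT-REBOOT, a Confirm) and got a Reply with status Success. Added example, not from the original post or any DHCP client: a minimal DHCPv6 message decoder (RFC 8415 client/server framing, option TLVs, DUID-LLT/DUID-LL, IA_NA/IAADDR, Status Code) for comparing such captures, run over two constructed messages that reuse the client DUID, server DUID, IAID and address visible in the log; the transaction ID is invented.

```python
"""Minimal DHCPv6 message decoder (RFC 8415 framing), added example.

The two sample messages are CONSTRUCTED from values in the log above (client
DUID, server DUID, IAID, confirmed address); the transaction ID is invented.
"""
import struct
import ipaddress

MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
             6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 11: "INFORMATION-REQUEST"}
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_STATUS = 1, 2, 3, 5, 13
STATUS_CODES = {0: "Success", 1: "UnspecFail", 2: "NoAddrsAvail",
                3: "NoBinding", 4: "NotOnLink", 5: "UseMulticast"}


def parse_options(buf: bytes):
    """Walk option TLVs (2-byte code, 2-byte length); reject truncation/trailing bytes."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        data = buf[off + 4: off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts.append((code, data))
        off += 4 + length
    if off != len(buf):
        raise ValueError("trailing bytes after options")
    return opts


def decode_duid(d: bytes) -> dict:
    """DUID-LLT (type 1) and DUID-LL (type 3): the two types that appear in the log."""
    duid_type = struct.unpack_from("!H", d)[0]
    if duid_type == 1 and len(d) >= 8:
        hwtype, tstamp = struct.unpack_from("!HI", d, 2)
        return {"type": "LLT", "hwtype": hwtype, "time": tstamp, "lladdr": d[8:].hex(":")}
    if duid_type == 3 and len(d) >= 4:
        hwtype = struct.unpack_from("!H", d, 2)[0]
        return {"type": "LL", "hwtype": hwtype, "lladdr": d[4:].hex(":")}
    return {"type": duid_type, "raw": d.hex(":")}


def decode_option(code: int, data: bytes):
    if code in (OPT_CLIENTID, OPT_SERVERID):
        return ("CLIENTID" if code == OPT_CLIENTID else "SERVERID", decode_duid(data))
    if code == OPT_IA_NA:                       # IAID(4) T1(4) T2(4) then sub-options
        _iaid, t1, t2 = struct.unpack_from("!III", data)
        sub = [decode_option(c, d) for c, d in parse_options(data[12:])]
        return ("IA_NA", {"iaid": data[:4].hex(":"), "t1": t1, "t2": t2, "options": sub})
    if code == OPT_IAADDR:                      # addr(16) preferred(4) valid(4) sub-options
        addr = ipaddress.IPv6Address(data[:16])
        preferred, valid = struct.unpack_from("!II", data, 16)
        sub = [decode_option(c, d) for c, d in parse_options(data[24:])]
        return ("IAADDR", {"addr": str(addr), "preferred": preferred,
                           "valid": valid, "options": sub})
    if code == OPT_STATUS:                      # status(2) then UTF-8 message
        status = struct.unpack_from("!H", data)[0]
        return ("STATUS_CODE", {"status": STATUS_CODES.get(status, status),
                                "message": data[2:].decode("utf-8", "replace")})
    return ("OPT_%d" % code, data.hex())


def parse_message(pkt: bytes) -> dict:
    """Client/server message: 1-byte msg-type, 3-byte transaction-id, then options."""
    if len(pkt) < 4:
        raise ValueError("short DHCPv6 message")
    mtype, xid = pkt[0], int.from_bytes(pkt[1:4], "big")
    return {"type": MSG_TYPES.get(mtype, mtype), "xid": xid,
            "options": [decode_option(c, d) for c, d in parse_options(pkt[4:])]}


# --- constructed samples (values taken from the log, xid invented) ----------
def option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data

CLIENT_DUID = bytes.fromhex("00010001" "3163a3c6" "00101835c31e")   # DUID-LLT
SERVER_DUID = bytes.fromhex("00030001" "18c300c38824")              # DUID-LL
IAID = bytes.fromhex("1835c31e")
XID = b"\x12\x34\x56"
CONFIRMED_ADDR = ipaddress.IPv6Address("2a00:6020:5340::29b4").packed

# What dhclient sent: Confirm carrying the IA_NA/IAADDR it still held.
CONFIRM = (bytes([4]) + XID + option(OPT_CLIENTID, CLIENT_DUID)
           + option(OPT_IA_NA, IAID + struct.pack("!II", 0, 0)
                    + option(OPT_IAADDR, CONFIRMED_ADDR + struct.pack("!II", 0, 0))))
# What came back: Reply with Server ID and Status Code Success.
REPLY = (bytes([7]) + XID + option(OPT_CLIENTID, CLIENT_DUID)
         + option(OPT_SERVERID, SERVER_DUID)
         + option(OPT_STATUS, struct.pack("!H", 0) + b"All addresses still on link"))

if __name__ == "__main__":
    for name, pkt in (("CONFIRM", CONFIRM), ("REPLY", REPLY)):
        print(name, parse_message(pkt))
```

To use it on the planned capture, feed it the UDP payloads on ports 546/547 and compare the option set of the Solicit that went unanswered with the Confirm that got a Reply; a decoder like this also makes it obvious whether a client is asking for IA_NA, IA_PD or both, which is the distinction the systemd issue linked above turns on.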

11

So I have a very specific use case and need to use my old backup Win10 laptop for a test (only Windows or Mac allowed, no Linux). I never connect this laptop to the internet because I need it to stay on 10 to work with specific software/hardware I have on it. But this test requires internet. How can I block the Windows Update servers on my VLAN? I know the second I connect this thing, microslop will corrupt it to force me to update.

12
Just passed my CCNA. (eviltoast.org)

By the skin of my teeth. 72 questions.
I blasted through the last questions. Time closed on question 72.
The lablet section must have had a lot of point value. I spent an hour on them, got em right. Got all the subnetting shit. Think I nailed IPv6.

I can stop spending all my free time studying. Go have a drink.
Whew.

13
Rotate VPN addresses (programming.dev)

Good day! Let me know if this post is not relevant to this community and I'll take it down.

I am using a VPN provider whose IP addresses are mostly blocked by streaming services and YouTube. This is not a problem for me, since I can often just obfuscate the address with some of their proxy solutions.

Without having any real understanding of how third-party VPN providers work under the hood, my question is, would it be possible for the VPN provider to implement an end-user function, like a "vote button" or the like, that reports when a certain address is blocked by a certain web service and then - for instance, when enough end users have reported a specific IP address as blocked - simply rotate/exchange that IP address to circumvent the blockage?

I'd like to suggest this to my provider if it's viable at all.

14

I decided to get my CCNA last summer after losing out on a senior role because I didn't have it. I signed up for the free CCST training and completed Network and Cybersecurity, tested in January.

I used a bunch of other Cisco resources and some 3rd party training to continue on. I just completed all the coursework.

Got 80% on a practice test today.
I got every subnetting, binary, or hex question correct.
Fuk ya. And I have a list of shit to review.

I'm an old fukin man. I wasn't sure if I was still sharp enough.
2 weeks from now. I'm gonna pass this test.

15

I made this post 3 months ago: https://sh.itjust.works/post/50242033

@stevetech@aussie.zone was super helpful in checking that my Mikrotik configuration was set up correctly. There's a mess of IPv6 information out there for Mikrotik and it's confusing for a mid-nerd like myself.

Anyway, I checked the other day and boom, I had a prefix assigned by my ISP (Frontier).

Unfortunately Frontier has decided to give out /64 prefixes. The downside to that is you can't use SLAAC inside your LAN to do subnetting (guest networks, VLANs, etc).

So my next step is to learn about DHCPv6 to manage things inside my LAN.

There are comments on other forums that are hopeful that since Verizon bought Frontier, they'll eventually switch to handing out /56 prefixes.

16
VLAN for Thermostat? (sh.itjust.works)
submitted 4 months ago* (last edited 4 months ago) by bridgeenjoyer@sh.itjust.works to c/networking@sh.itjust.works

I unfortunately HAD to get a stupid thermostat with Wi-Fi; can't even get one without it now. I'd much rather have it not hooked up, but I may be forced to.

How can I put this on a VLAN and block all its telemetry? It's a Honeywell. Can I put it on my VLAN and then use Mullvad DNS to block all the shit?

"They" are saying it has to be on Wi-Fi so it can see the outdoor temp to talk to the heat pump. Bullshit, I say.

17

cross-posted from: https://feddit.nl/post/50949358

Creator of Mikrotik IaC modules gauging community interest

From Mircea Anton:

Hello, everyone!

I fairly recently re-worked most of my Mikrotik automation to move it from Terraform to OpenTofu and Terragrunt and modularize everything.

Tbh the project got to a point I'm quite happy with and proud of. I made a couple of videos about it if you're interested:

Here's the link to the repo: https://github.com/mirceanton/mikrotik-terraform

Been thinking about cleaning up the modules I made, writing a couple more, and maybe publishing a module library that others can use and contribute to if attempting something like this. What do you think?

18
Security Onion (securityonionsolutions.com)

I just finished my Cisco CCST Cybersecurity. The whole course of study is pretty much to get you skilled up enough to operate and understand the Security Onion console. The last half of the last class is all about handling the alerts.

Well, the CCST was a pretty cursory introduction to an extremely complicated platform. I checked out the vendor training, and it's alright. It's a set of videos that walk you through setup and usage of a demo install. (See post link.) I've set it up at home, and I'm monitoring my network.

I know we use Security Onion at work, and I asked about it. Well, apparently it's completely broken, and my first task as a newly certified network security guy is to rebuild it.

Yup. I ate the Onion. ... err ... or I'm in process. Chomp, chomp, chomp.

19
submitted 5 months ago* (last edited 5 months ago) by bridgeenjoyer@sh.itjust.works to c/networking@sh.itjust.works

It seems to happen maybe once a month or every 2 months. Sometimes random. Is it my ISP renewing my IP? How can I check that?

I'm on all UniFi hardware. Not a total noob, but I struggle with the concepts.

20
submitted 5 months ago by tdTrX@lemmy.ml to c/networking@sh.itjust.works

Allow affiliate & tracking domains common on deals websites, in emails or in search results. Those usually only get called after manually clicking on a link.

Your IP address will automatically be hidden from those websites to preserve your privacy.

21
submitted 5 months ago by tdTrX@lemmy.ml to c/networking@sh.itjust.works

"Speed up delivery of data from content delivery networks without exposing your IP address."

22
submitted 5 months ago by tdTrX@lemmy.ml to c/networking@sh.itjust.works

Bypass Age Verification

Auto-bypass age verification checks used by certain websites, such as adult content sites, to verify a visitor's age before allowing access. By enabling this feature, you acknowledge that you are legally old enough to access the content.

23
submitted 5 months ago by tdTrX@lemmy.ml to c/networking@sh.itjust.works

I think my ISP randomly drops my DNS server IP.

It blocks some WireGuard IPs (there is no handshake on OpenWrt).

Some SOCKS5 Proxies stop working after few hours.

Snowflake isn't working.

24
One flash, one packet? (programming.dev)

I've always wondered whether network interfaces that have these flashing lights flash as a gimmick or whether they actually indicate the flow of traffic. Perhaps one flash per packet in or out? I wish I could remember what my dial-up modem looked like, to make a historical comparison too.

TL-SG105E

25
submitted 5 months ago* (last edited 5 months ago) by tdTrX@lemmy.ml to c/networking@sh.itjust.works

By hijacking I mean redirection.

I think it should be done at the client's OS level.

Can the router do anything about it?


networking


Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 3 years ago