After connecting to my new ISP (Deutsche Glasfaser) successfully via IPv4 (systemd-networkd got a CGNATt'ed address like expected), I noticed that I had no IPv6 address. I then spent days on researching PPPoE, 6rd and what parameters/prefixes/relays my ISP may use, as neither systemd-networkd, NetworkManager nor dhcpcd were even able to find a DHCPv6 server, neither in unconfigured nor configured (routable IPv4) state. Scanning with nmap (sudo nmap (-6) --script broadcast-dhcp(6)-discover) didn't find anything either.

However, dhclient did, without a hitch.

(0) 30p87@30p87-dns-db:[/etc/systemd/network]$ sudo dhcpcd -6 enp2s0
dhcpcd-10.3.1 starting
DUID 00:01:00:01:31:63:a3:c6:00:10:18:35:c3:1e
enp2s0: IAID 18:35:c3:1e
enp2s0: soliciting an IPv6 router
enp2s0: Router Advertisement from fe80::23
Dropped protocol specifier '.ra' from 'enp2s0.ra'. Using 'enp2s0' (ifindex=2).
enp2s0: soliciting a DHCPv6 lease
timed out
(0) 30p87@30p87-dns-db:[~]$ sudo dhclient -6 enp2s0 -v
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on Socket/enp2s0
Sending on   Socket/enp2s0
PRC: Confirming active lease (INIT-REBOOT).
XMT: Forming Confirm, 0 ms elapsed.
XMT:  X-- IA_NA 18:35:c3:1e
XMT:  | X-- Confirm Address 2a00:6020:5340::29b4
XMT:  V IA_NA appended.
XMT: Confirm on enp2s0, interval 910ms.
RCV: Reply message on enp2s0 from fe80::23.
RCV:  X-- Server ID: 00:03:00:01:18:c3:00:c3:88:24
message status code Success: "All addresses still on link"
PRC: Bound to lease 00:03:00:01:18:c3:00:c3:88:24.

What really wonders me is that there are no indications from any DHCP client that they even got a response for requesting a v6 address. So it's not a problem with expecting an address but getting a prefix instead, ig? Configuring that (as seen in https://github.com/systemd/systemd/issues/31820) also doesn't change anything.

So, ig, either everything but dhclient is borked, or it just automates stuff I don't know about.

I'd guess I'll try to capture all packets with wireshark now, and compare eg. systemd-networkd with dhclient.

P.S.: It's very ironic that a networking community lives on an instance named "itjust.works"

So I have a very specific use case and need to use my old backup win10 laptop for a test (only windows or mac allowed, no linux). I never connect this laptop to the internet because I need it to stay on 10 to work with specific software/hardware I have on it. But this test requires internet. How can I block the windows update servers on my VLAN? I know the second I connect this thing microslop will corrupt it to force me to update.

By the skin of my teeth. 72 questions.
I blasted through the last questions. Time closed on question 72.
The lablet section must have had a lot of point value. I spent an hour on them, got em right. Got all the subnetting shit. Think I nailed IPv6.

I can stop spending all my free time studying. Go have a drink .
Whew.

Good day! Let me know if this post is not relevant to this community and I'll take it down.

I am using a VPN provider whose IP addresses are mostly blocked by streaming services and YouTube. This is not a problem for me, since I can often just obfuscate the address with some of their proxy solutions.

Without having any real understanding of how third party VPN providers work under the hood, my questions is, would it be possible for the VPN provider to implement an end user function, like a "vote button" or the likes, that reports when a certain address is blocked by a certain web service and then - for instance, when enough end users have reported a specific IP address as blocked - simply rotate/exchange that IP address to circumvent the blockage?

I'd like to suggest this to my provider if it's viable at all.

I decided to get my CCNA last summer after losing out on a senior role because I didn't have it. I signed up for the free CCST training and completed Network and Cybersecurity, tested in January.

I used a bunch of other Cisco resources and some 3rd party training to continue on. I just completed all the coursework.

Got 80% on a practice test today.
I got every subnetting, binary, or hex question correct.
Fuk ya. And I have a list of shit to review.

I'm an old fukin man. I wasn't sure if I was still sharp enough.
2 weeks from now. I'm gonna pass this test.

I made this post 3 months ago: https://sh.itjust.works/post/50242033

@stevetech@aussie.zone was super helpful in checking that my Mikrotik configuration was set up correctly. There's a mess of IPv6 information out there for Mikrotik and it's confusing for a mid-nerd like myself.

Anyway, I checked the other day and boom, I had a prefix assigned by my ISP (Frontier).

Unfortunately Frontier has decided to give out /64 prefixes. The downside to that is you can't use SLAAC inside your LAN to do subnetting (guest networks, VLANs, etc).

So my next step is to learn about DHCPv6 to manage things inside my LAN.

There are comments on other forums that are hopeful that since Verizon bought Frontier, they'll eventually switch to handing out /56 prefixes.

I unfortunately HAD to get a stupid thermostat with wifi. can't even get one without it now. I'd much rather have it not hooked up but I may be forced to.

How can I put this on a VLAN and block all it's telemetry? It's a honeywell. Can i put it on my VLAN and then use mullvad DNS to block all the shit?

"They" are saying it has to be on wifi so it can see the outdoor temp to talk to the heat pump. Bullshit i say.

cross-posted from: https://feddit.nl/post/50949358

Creator of Mikrotik IaC modules gauging community interest

From Mircea Anton:

Hello, everyone!

I fairly recently re-worked most of my Mikrotik automation to move it from Terraform to OpenTofu and Terragrunt and modularize everything.

Tbh the project got to a point I'm quite happy and proud with it. I made a couple of videos about it if you're interested:

• original video about the terraform set-up: https://youtu.be/86LRoxuU5kg
• terragrunt migration walk-through: https://youtu.be/WHzgvH2zgdo

Here's the link to the repo: https://github.com/mirceanton/mikrotik-terraform

Been thinking about cleaning up the modules I made, writing a couple more and maybe publish a module library that others can use and contribute to if attempting something like this. What do you think?

I just finished my Cisco CCST Cybersecurity. The whole course of study is pretty much to get you skilled up enough to operate and understand the Security Onion console. The last half of the last class is all about handling the alerts.

Well, the CCST was a pretty cursory introduction to an extremely complicated platform. I checked out the vendor training, and its alright. Its a set of videos that walk you through setup and usage of a demo install. (See post link.) I've set it up at home, and I'm monitoring my network.

I know we use Security Onion at work, and I asked about it. Well apparently its completely broken, and my first task as a newly certified network security guy is to rebuild it.

Yup. I ate the Onion. ... err ... or I'm in process. Chomp, chomp, chomp.

It seems to happen maybe once a month or every 2 months. Sometimes random. Is it my ISP renewing my IP? How can I check that?

Im on all unifi hardware. Not a total noob but I struggle with the concepts.

Allow affiliate & tracking domains common on deals websites, in emails or in search results. Those usually only get called after manually clicking on a link.

Your IP address will automatically be hidden from those websites to preserve your privacy.

"Speed up delivery of data from content delivery networks without exposing your IP address."

Bypass Age Verification Auto bypass age verification checks used by certain websites, such as adult content sites, to verify a visitor's age before allowing access. By enabling this feature, you acknowledge that you are legally old enough to access the content.

I think my ISP randomly drops my DNS server IP.

blocks some wireguard IPs (there is no handshake on openwrt).

Some SOCKS5 Proxies stop working after few hours.

Snowflake isn't working

I've always wondered whether network interfaces that have these flashing lights flash as a gimmick or do they actually indicate the flow of traffic? Perhaps one flash per packet in or out? I wish I could remember what my call up modem looked like to make a historical comparison too.

TL-SG105E

By hijacking I mean redirection .

I think I should be done at cliet's OS level.

Can Router do anything for it ?

I have a 1 Gbps connection with an ISP that rents another telecommunications company's fiber. That telecom owns the ONT in my apartment.

I had an electrician fix the heated floor in my bathroom a few weeks ago. He had to turn off the main breaker for safety reasons, which also cut power to the ONT. After turning the power back on, my speeds had dropped from 1 Gbps to circa 100 Mbps. I filed a ticket with my ISP, who resolved the issue by having the telecom do something at their end, they said. (Sounds software-y/configuration-y.)

Yesterday, I f*cked my router (a raspberry pi with openwrt) up by flashing the latest pre-release firmware on it. I lost all connections and the Pi wouldn't recognize any of its hardware interfaces. As part or my "routine", I rebooted my devices in this order: my APs, my routers and, lastly, my ONT. After some diagnosing, I identified that the problem was indeed the new firmware on the router/Pi. But then I noticed that my speeds had dropped, so I gauged the speeds directly at the ONT and, lo and behold, they were down to 100 Mbps again. I have, yet again, filed a ticked with my ISP, waiting to hear from them now.

My question, just out of curiosity, to those of you that have the knowledge/experience: what could be going on the telecom's end? Is there a correlation/plausible technical explanation between my connection speeds dropping and restarting or cutting the power to the ONT?

In the early 1990s, internetworking wonks realized the world was not many years away from running out of Internet Protocol version 4 (IPv4) addresses, the numbers needed to identify any device connected to the public internet. Noting booming interest in the internet, the internet community went looking for ways to avoid an IP address shortage that many feared would harm technology adoption and therefore the global economy.

A possible fix arrived in December 1995 in the form of RFC 1883, the first definition of IPv6, the planned successor to IPv4.

The most important change from IPv4 to IPv6 was moving from 32-bit to 128-bit addresses, a decision that increased the available pool of IP addresses from around 4.3 billion to over 340 undecillion – a 39-digit number. IPv6 was therefore thought to have future-proofed the internet, because nobody could imagine humanity would ever need more than a handful of undecillion IP addresses, never mind the entire range available under IPv6.

Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

What "good" would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

I do have software firewalls on all my devices, but that wasn't an informed choice. I just followed the Arch Wiki's post installation guidelines.

Here's a puzzle for you networking specialists:

I'm coding an IP tunnel for our laser communication system. Basically it's a pair of lasers that send / receive raw serial data, and I'm coding a simple TUN wrapper to send/receive IP packets over the laser link. Think of it as PPP but customized for the idiosyncrasies of our laser system.

It works fine: I have one laser connected to one machine with one instance of my IP tunnel software running on that machine, the same setup on another machine, and I can network just fine between the two.

But here's my problem: those machines are at work and I'm currently sitting at home and working remotely, the second machine has crashed and I have no intention to go to the office just to reboot the damn thing.

But all is not lost!

The first machine happens to have another, unused laser aimed at the same target connected to it. Technically, I can open a serial terminal on one laser's serial device file, another serial terminal on the second laser's serial device file, and send / receive data between the two - to / from the same machine.

My question is this: can I somehow create two TUN network interfaces - one for one laser, one for the other laser - on the same machine, and somehow configure them so one is only reachable through the tunnel and not directly?

Or more concretely, here are the two tunnels setup on the first machine:

tun10: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500  
        inet 172.17.3.10  netmask 255.255.255.0  destination 172.17.3.10  
        inet6 fe80::48a7:298c:c6dc:bae  prefixlen 64  scopeid 0x20<link>  
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)  
        RX packets 4  bytes 192 (192.0 B)  
        RX errors 0  dropped 0  overruns 0  frame 0  
        TX packets 5  bytes 240 (240.0 B)  
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0  

tun11: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500  
        inet 172.17.3.11  netmask 255.255.255.0  destination 172.17.3.11  
        inet6 fe80::82b2:44f6:d510:c227  prefixlen 64  scopeid 0x20<link>  
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)  
        RX packets 2  bytes 96 (96.0 B)  
        RX errors 0  dropped 0  overruns 0  frame 0  
        TX packets 4  bytes 192 (192.0 B)  
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0  

I want to telnet to 172.17.3.10 through 172.17.3.11 and vice-versa. But of course, as it is now, if I telnet to either of those IPs, the kernel basically talks to itself and doesn't route anything out.

Naturally, I could setup a virtual machine and install a guest Linux OS just to run the second tunnel. But it seems like a sledgehammer approach to what should be a simple configuration job.

Can it be done? I can't think of a way. But then I'm not much of a networking guy 🙂

Uninitiated noon question below.

A couple of days ago, this haprogram https://programming.dev/post/41491279

Now, during the phonecall with my ISP, the guy asked, "is your router an ASUS?" to which I answered, "yes and no, because it's sold as a router but I have it in AP mode and my actual router is OpenWrt on a Raspberry Pi." To which he replied "noice!"

How did he know the make of my access point? A few of my own thoughts are:

1. he was referring to historical data (I've been a loyal customer of theirs for a looong time...) from a time when I was using the same topology (setup?) but without a VPN on the router, so the hostname of the AP (stored in /etc/hostname on the ASUS OS/firmware ?) was simply displayed on whatever software an ISP uses for troubleshooting through... an ARP? But aren't ARPs limited to a LAN/they cannot resolve beyond a hop? Or perhaps a variant of DNS? How indeed do hostnames transmit? Are they in the IP header by default?
2. as in 1 above, but he actively used nmap or some other recog program
3. as in 1 above but from a time when I was in fact using the ASUS machine as a router
4. my VPN is "leaking" - not likely, because all my traffic either goes through the wireguard interface on OpenWrt/RPi, or it doesn't go anywhere...

If 1, 2 or 3: why do they keep historical data on me? Is it praxis?

Hey everyone,

I searched for the keyword CCNA, but it hasn't appeared for a while.

I'm actually learning the concepts, I'm on STP.

I'd like to hear about your experiences, how long it took you, which website you're learning from, etc.

Have a great day!!

EDIT: Got an email from my ISP saying "the fiber owner has resolved your issue, we are closing the ticket." I immediately called my ISP out of curiosity, since they earlier had told me that they need to change my ONT for me to get my full speed. Well, it turns out, the fiber owner (don't know the English word for them) can manage speed per port on the ONT. Sic. So for some reason, they had limited the speed to 100 Mbps.

I purchased a 1 Gbps down/up connection and noticed that I was consistently getting 95 Mbit/s down/up, regardless of hardware configuration (router, no router, switch, no switch, connecting directly to the ONT, cat 6/6a cables, etc) and regardless of software configuration (VPN on/off, firewall on/off, OS Linux/Android, driver updates, etc).

When nothing seemed to help on my end, I finally called my ISP. They could confirm that my ONT is a decade old and that they can see that each port only allows for 100 Mbit/s down/up.

I went through these steps before finally testing a direct connection to the ONT which finally made me call the ISP.

The ISP is going to replace the ONT for free.

I've had Frontier fiber internet for the past 2-ish years. No complaints at all, but the nerd in me desires IPv6. I have the Frontier provided ONT device but declined their router. I have a MikroTik RB5009 which has been "searching" for an IPv6 prefix.

Anyway, I found this link during my research some time ago, and it finally looks like Frontier is enabling IPv6 for people.

I'm still not sure I'll be able to get it until I get the settings just right, but thought I'd share.