1
11

Inspired by a recent post, and my recent move, I'm looking to play with 6 GHz.

I had been waiting for the "OpenWrt Two", and I still kind of am, but I'm not holding my breath for that to arrive anytime soon.

My current network consists of two Google AC1304s flashed with OpenWrt, an 8-port managed switch for VLANs, and a 5-port dumb switch for the main LAN.

One AC1304 is the main router/firewall/DHCP/VLAN box etc., as well as Wi-Fi for the basement. The second one is just a dumb AP on the top floor. The main floor catches a bit of both and is probably good enough. And the switches handle all my actual routing, currently just gigabit. I hardwire everything I reasonably can. Internet is 500/500 fiber.

So basically my network is Wi-Fi 5, plenty fast for the devices that need it. I've had no plans to upgrade to Wi-Fi 6 ever, I just don't need it. I definitely don't need 7 right now, but I figured eventually I should probably jump to it when it's stable. I don't think it's currently stable, or even common enough, to bother with. Not for the cost of upgrading everything, especially since Wi-Fi 7 OpenWrt routers barely exist.

But a comment on a post recently made a point that I had somehow never considered.

A dumb AP doesn't NEED to be OpenWrt in order to function well on my network, or to be secure.

So I started searching, but immediately hated everything I saw, and got overwhelmed.

TLDR

Basically what I'm looking for is a cheap Wi-Fi 7 AP with 6 GHz support that I can add to my network, on the main floor, to play with while I wait for Wi-Fi 7 to mature.

I don't want to have to create an account with some external company just to change some settings, though, as seems to be the issue with the inexpensive Netgear APs I've found.

So, does anyone know of any APs that fit that bill? I'd even go to Wi-Fi 6E if that's the only thing that exists with those requirements; really I just want to play with 6 GHz to bide my time for better equipment.

Bonus question: would mixing Wi-Fi 5 and 6/7 APs into my same SSID/network be a bad idea, performance wise? I'm assuming not, because the channels would not be overlapping?

2
15
submitted 1 week ago* (last edited 1 week ago) by uenticx@lemmy.world to c/networking@sh.itjust.works

Looking for feedback on WireGuard-capable Wi-Fi routers that keep a persistent link from the router to an endpoint. A lot of what I see advertised as "WireGuard Supported" sets up a server and not a client.

The GL.iNET routers seem to do it, anyone with experience with these? https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/

Bonus for being able to push a WireGuard client config to the device via API/CLI.

3
12

Looking to replace the ISP's default fibre modem/router and two Eero 6s (with Ethernet / EoP backhaul).

Looking to get an OpenWrt-compatible router and some sort of access point connected via Ethernet over power. £200 would be my max price for the router.

Is it still too early to look at Wi-Fi 7?

Was tempted by the Flint 3 but missed the pre-order discount; however, I could not figure out what would be a good access point to go with it to offer clean handover like the Eeros have.

Want a pretty simple life once it's set up; don't feel like I have the energy these days to tinker.

Any thoughts or suggestions would be welcome, thank you.

4
5

cross-posted from: https://infosec.pub/post/46083169

Hello,

I’m here to ask for guidance on an ongoing project. A number of years ago I wrote an Articles of Association for a worker’s cooperative as I think it should run. The main difference between a conventional co-op and mine is that a conventional co-op tends to have no hierarchy while in mine there is a CEO who gets elected periodically based on their business plan. The theory is that this brings democratic ideals into the workplace without sacrificing the productivity gains that result from hierarchical teamwork. You can read more detailed information on my Beehaw Post.

To put it into practice I need to create an open-source enterprise application server with applications specifically designed for the management of these companies. I created a block diagram to show you what I envision (attached to the post), and this represents my ideal “wish list” for what it should include.

The controls listed at the bottom will determine the permissions everyone has on the network and will be used to design GUI screens. I was going to draw connectors to each of the services but it would have turned into spaghetti.

I’m pretty decent with local programming including database and GUI design, but I lack experience with network programming.

So far I think I need to use XMPP for the messaging client and SSH for the rest. Since I’m most comfortable in Python I was going to look into Paramiko.

So my question is, where should I go in my research? Is there a particular component in the diagram you think I should try to build first?

Thanks in advance for any help, Juniperus

5
7

cross-posted from: https://lemmy.world/post/46304716

We’re currently implementing additional security controls for our hosting platform, and one of the biggest challenges we’re encountering involves customers connecting over mobile networks. As users move between towers or regions they are frequently assigned different IP addresses within very short timeframes, which complicates IP-based allow-listing.

Is there a reliable way to obtain and maintain up-to-date CIDR ranges for major mobile providers such as AT&T, Verizon, and T-Mobile?

For reference, we currently use this from Starlink, which provides a public feed of their IP space.

6
7
submitted 1 month ago* (last edited 1 month ago) by GreatBlueHeron@lemmy.ca to c/networking@sh.itjust.works

Edit for anyone that finds this later: my problem was that I was missing a route in the VMs to send traffic for the OpenVPN subnet to the main host bridge interface. So, it was using "default", which sent it to my internet router.

Maybe better to ask this in a Linux group, but trying here first.

I'm running a Linux server with Home Assistant in a VM, and a whole bunch of other stuff.

I recently moved my OpenVPN server onto the same physical box as Home Assistant. OpenVPN runs natively on the host OS in tunnel mode.

OpenVPN works fine - clients can get to the host running OpenVPN, to applications running in Docker containers on the same host, and to other hosts on my network (once I update their routing to send traffic for my VPN network back to the OpenVPN host).

OpenVPN clients cannot get to my Home Assistant VM.

If I use tcpdump to watch the VM network interface (vnet0), from the host, and ping the VM from a VPN client I see the echo request go in and the reply come out. If I do the same, but watch the OpenVPN interface (tun0) I only see the request go in, but no reply. It's like the kernel doesn't know what to do with packets from the VM addressed to the VPN.

There is no firewall running on the host. This is not specific to my Home Assistant VM - I brought up a vanilla Alpine Linux VM and had exactly the same issue.

7
12
submitted 1 month ago* (last edited 1 month ago) by 30p87@feddit.org to c/networking@sh.itjust.works

After connecting to my new ISP (Deutsche Glasfaser) successfully via IPv4 (systemd-networkd got a CGNAT'ed address as expected), I noticed that I had no IPv6 address. I then spent days researching PPPoE, 6rd and what parameters/prefixes/relays my ISP may use, as neither systemd-networkd, NetworkManager nor dhcpcd were even able to find a DHCPv6 server, either in the unconfigured or the configured (routable IPv4) state. Scanning with nmap (sudo nmap (-6) --script broadcast-dhcp(6)-discover) didn't find anything either.

However, dhclient did, without a hitch.

(0) 30p87@30p87-dns-db:[/etc/systemd/network]$ sudo dhcpcd -6 enp2s0
dhcpcd-10.3.1 starting
DUID 00:01:00:01:31:63:a3:c6:00:10:18:35:c3:1e
enp2s0: IAID 18:35:c3:1e
enp2s0: soliciting an IPv6 router
enp2s0: Router Advertisement from fe80::23
Dropped protocol specifier '.ra' from 'enp2s0.ra'. Using 'enp2s0' (ifindex=2).
enp2s0: soliciting a DHCPv6 lease
timed out
(0) 30p87@30p87-dns-db:[~]$ sudo dhclient -6 enp2s0 -v
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on Socket/enp2s0
Sending on   Socket/enp2s0
PRC: Confirming active lease (INIT-REBOOT).
XMT: Forming Confirm, 0 ms elapsed.
XMT:  X-- IA_NA 18:35:c3:1e
XMT:  | X-- Confirm Address 2a00:6020:5340::29b4
XMT:  V IA_NA appended.
XMT: Confirm on enp2s0, interval 910ms.
RCV: Reply message on enp2s0 from fe80::23.
RCV:  X-- Server ID: 00:03:00:01:18:c3:00:c3:88:24
message status code Success: "All addresses still on link"
PRC: Bound to lease 00:03:00:01:18:c3:00:c3:88:24.

What really puzzles me is that there are no indications from any DHCP client that they even got a response when requesting a v6 address. So it's not a problem with expecting an address but getting a prefix instead, ig? Configuring that (as seen in https://github.com/systemd/systemd/issues/31820) also doesn't change anything.

So, ig, either everything but dhclient is borked, or it just automates stuff I don't know about.

I guess I'll try to capture all packets with Wireshark now, and compare e.g. systemd-networkd with dhclient.

P.S.: It's very ironic that a networking community lives on an instance named "itjust.works"

8
6

So I have a very specific use case and need to use my old backup Win10 laptop for a test (only Windows or Mac allowed, no Linux). I never connect this laptop to the internet because I need it to stay on 10 to work with specific software/hardware I have on it. But this test requires internet. How can I block the Windows Update servers on my VLAN? I know the second I connect this thing microslop will corrupt it to force me to update.

9
90
Just passed my CCNA. (eviltoast.org)

By the skin of my teeth. 72 questions.
I blasted through the last questions. Time closed on question 72.
The lablet section must have had a lot of point value. I spent an hour on them, got 'em right. Got all the subnetting shit. Think I nailed IPv6.

I can stop spending all my free time studying. Go have a drink.
Whew.

10
4
Rotate VPN addresses (programming.dev)

Good day! Let me know if this post is not relevant to this community and I'll take it down.

I am using a VPN provider whose IP addresses are mostly blocked by streaming services and YouTube. This is not a problem for me, since I can often just obfuscate the address with some of their proxy solutions.

Without having any real understanding of how third-party VPN providers work under the hood, my question is: would it be possible for the VPN provider to implement an end-user function, like a "vote button" or the like, that reports when a certain address is blocked by a certain web service and then - for instance, when enough end users have reported a specific IP address as blocked - simply rotate/exchange that IP address to circumvent the blockage?

I'd like to suggest this to my provider if it's viable at all.

11
20

I decided to get my CCNA last summer after losing out on a senior role because I didn't have it. I signed up for the free CCST training and completed Network and Cybersecurity, tested in January.

I used a bunch of other Cisco resources and some third-party training to continue on. I just completed all the coursework.

Got 80% on a practice test today.
I got every subnetting, binary, or hex question correct.
Fuk ya. And I have a list of shit to review.

I'm an old fukin man. I wasn't sure if I was still sharp enough.
2 weeks from now. I'm gonna pass this test.

12
12

I made this post 3 months ago: https://sh.itjust.works/post/50242033

@stevetech@aussie.zone was super helpful in checking that my MikroTik configuration was set up correctly. There's a mess of IPv6 information out there for MikroTik and it's confusing for a mid-nerd like myself.

Anyway, I checked the other day and boom, I had a prefix assigned by my ISP (Frontier).

Unfortunately Frontier has decided to give out /64 prefixes. The downside to that is you can't use SLAAC inside your LAN to do subnetting (guest networks, VLANs, etc).

So my next step is to learn about DHCPv6 to manage things inside my LAN.

There are comments on other forums that are hopeful that since Verizon bought Frontier, they'll eventually switch to handing out /56 prefixes.

13
4
VLAN for Thermostat? (sh.itjust.works)
submitted 3 months ago* (last edited 3 months ago) by bridgeenjoyer@sh.itjust.works to c/networking@sh.itjust.works

I unfortunately HAD to get a stupid thermostat with Wi-Fi. Can't even get one without it now. I'd much rather have it not hooked up but I may be forced to.

How can I put this on a VLAN and block all its telemetry? It's a Honeywell. Can I put it on my VLAN and then use Mullvad DNS to block all the shit?

"They" are saying it has to be on Wi-Fi so it can see the outdoor temp to talk to the heat pump. Bullshit, I say.

14
7

cross-posted from: https://feddit.nl/post/50949358

Creator of MikroTik IaC modules gauging community interest

From Mircea Anton:

Hello, everyone!

I fairly recently re-worked most of my MikroTik automation to move it from Terraform to OpenTofu and Terragrunt and modularize everything.

Tbh the project got to a point where I'm quite happy with it and proud of it. I made a couple of videos about it if you're interested:

Here's the link to the repo: https://github.com/mirceanton/mikrotik-terraform

Been thinking about cleaning up the modules I made, writing a couple more and maybe publishing a module library that others can use and contribute to if attempting something like this. What do you think?

15
12
Security Onion (securityonionsolutions.com)

I just finished my Cisco CCST Cybersecurity. The whole course of study is pretty much to get you skilled up enough to operate and understand the Security Onion console. The last half of the last class is all about handling the alerts.

Well, the CCST was a pretty cursory introduction to an extremely complicated platform. I checked out the vendor training, and it's alright. It's a set of videos that walk you through setup and usage of a demo install. (See post link.) I've set it up at home, and I'm monitoring my network.

I know we use Security Onion at work, and I asked about it. Well, apparently it's completely broken, and my first task as a newly certified network security guy is to rebuild it.

Yup. I ate the Onion. ... err ... or I'm in process. Chomp, chomp, chomp.

16
11
submitted 4 months ago* (last edited 4 months ago) by bridgeenjoyer@sh.itjust.works to c/networking@sh.itjust.works

It seems to happen maybe once a month or every 2 months. Sometimes random. Is it my ISP renewing my IP? How can I check that?

I'm on all UniFi hardware. Not a total noob but I struggle with the concepts.

17
8
submitted 4 months ago by tdTrX@lemmy.ml to c/networking@sh.itjust.works

Allow affiliate & tracking domains common on deals websites, in emails or in search results. Those usually only get called after manually clicking on a link.

Your IP address will automatically be hidden from those websites to preserve your privacy.

18
4
submitted 4 months ago by tdTrX@lemmy.ml to c/networking@sh.itjust.works

"Speed up delivery of data from content delivery networks without exposing your IP address."

19
6
submitted 4 months ago by tdTrX@lemmy.ml to c/networking@sh.itjust.works

Bypass Age Verification

Auto bypass age verification checks used by certain websites, such as adult content sites, to verify a visitor's age before allowing access. By enabling this feature, you acknowledge that you are legally old enough to access the content.

20
15
submitted 4 months ago by tdTrX@lemmy.ml to c/networking@sh.itjust.works

I think my ISP randomly drops my DNS server IP.

It blocks some WireGuard IPs (there is no handshake on OpenWrt).

Some SOCKS5 proxies stop working after a few hours.

Snowflake isn't working

21
13
One flash, one packet? (programming.dev)

I've always wondered whether network interfaces that have these flashing lights flash as a gimmick or whether they actually indicate the flow of traffic. Perhaps one flash per packet in or out? I wish I could remember what my dial-up modem looked like to make a historical comparison too.

TL-SG105E

22
13
submitted 4 months ago* (last edited 4 months ago) by tdTrX@lemmy.ml to c/networking@sh.itjust.works

By hijacking I mean redirection.

I think it should be done at the client's OS level.

Can the router do anything for it?

23
4

I have a 1 Gbps connection with an ISP that rents another telecommunications company's fiber. That telecom owns the ONT in my apartment.

I had an electrician fix the heated floor in my bathroom a few weeks ago. He had to turn off the main breaker for safety reasons, which also cut power to the ONT. After turning the power back on, my speeds had dropped from 1 Gbps to circa 100 Mbps. I filed a ticket with my ISP, who resolved the issue by having the telecom do something at their end, they said. (Sounds software-y/configuration-y.)

Yesterday, I f*cked my router (a Raspberry Pi with OpenWrt) up by flashing the latest pre-release firmware on it. I lost all connections and the Pi wouldn't recognize any of its hardware interfaces. As part of my "routine", I rebooted my devices in this order: my APs, my routers and, lastly, my ONT. After some diagnosing, I identified that the problem was indeed the new firmware on the router/Pi. But then I noticed that my speeds had dropped, so I gauged the speeds directly at the ONT and, lo and behold, they were down to 100 Mbps again. I have, yet again, filed a ticket with my ISP, and am waiting to hear from them now.

My question, just out of curiosity, to those of you that have the knowledge/experience: what could be going on the telecom's end? Is there a correlation/plausible technical explanation between my connection speeds dropping and restarting or cutting the power to the ONT?

24
146

In the early 1990s, internetworking wonks realized the world was not many years away from running out of Internet Protocol version 4 (IPv4) addresses, the numbers needed to identify any device connected to the public internet. Noting booming interest in the internet, the internet community went looking for ways to avoid an IP address shortage that many feared would harm technology adoption and therefore the global economy.

A possible fix arrived in December 1995 in the form of RFC 1883, the first definition of IPv6, the planned successor to IPv4.

The most important change from IPv4 to IPv6 was moving from 32-bit to 128-bit addresses, a decision that increased the available pool of IP addresses from around 4.3 billion to over 340 undecillion – a 39-digit number. IPv6 was therefore thought to have future-proofed the internet, because nobody could imagine humanity would ever need more than a handful of undecillion IP addresses, never mind the entire range available under IPv6.

25
15
NAT vs firewall at home (programming.dev)

Why would I need to have software firewalls on my devices behind my NAT router at home? The topology is a basic consumer grade one: ISP -> my router (NAT) -> LAN, and vice versa.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

What "good" would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

I do have software firewalls on all my devices, but that wasn't an informed choice. I just followed the Arch Wiki's post installation guidelines.


networking

3555 readers

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 3 years ago