Sunday, March 31, 2019

networking note

Running public servers in the home network is a pain in the ass. One thing for certain is that it's best to use a commercial router/firewall, put the servers in an isolated sub-net, apply some good network policy and if you can afford it consider IDS.

I've been going back and forth between a Ubiquiti EdgeRouter X and a pfSense installation.

In the Ubiquiti I got the RULES and the NAT backwards.... first the NAT is applied, then the RULES are applied.

Then there is the hairpin that needs to be considered. The behavior is different between the machines inside and outside the private net. The question is "where is the hairpin taking place?"
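The two points above (NAT before rules, and where the hairpin happens) are easier to see in a toy model of the packet path. This is an added example, not the author's configuration and not EdgeOS code: the addresses, rule names and the `route()` helper are constructed for illustration. It models one port forward, then shows that a WAN firewall rule written against the public address never matches because DNAT has already rewritten the destination, and that a LAN client reaching the public address needs a hairpin (source NAT on the router) or the server replies on an asymmetric path.

```python
"""Toy model of a router that applies destination NAT before firewall rules.

Constructed example: addresses, rule tables and helper names are illustrative
and do not reproduce any real EdgeOS or pfSense configuration.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # documentation-range address (constructed)
LAN_PREFIX = "192.168.1."    # constructed private LAN
ROUTER_LAN_IP = "192.168.1.1"
SERVER_IP = "192.168.1.50"   # the internal server being published


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# One port forward: public :443 -> internal server :443
DNAT_RULES = [{"dst": PUBLIC_IP, "dport": 443, "to": SERVER_IP, "to_port": 443}]

# Rule written as if the firewall ran BEFORE NAT: it matches the public
# address, which no packet carries any more once DNAT has run.
WRONG_WAN_IN = [{"action": "accept", "dst": PUBLIC_IP, "dport": 443}]

# Rule written for the real order: it matches the post-DNAT (internal) destination.
RIGHT_WAN_IN = [{"action": "accept", "dst": SERVER_IP, "dport": 443}]


def apply_dnat(pkt: Packet) -> Packet:
    """Rewrite the destination if a port forward matches, else pass through."""
    for r in DNAT_RULES:
        if pkt.dst == r["dst"] and pkt.dport == r["dport"]:
            return replace(pkt, dst=r["to"], dport=r["to_port"])
    return pkt


def firewall(pkt: Packet, rules) -> str:
    """Default-drop rule set: first matching rule decides."""
    for r in rules:
        if pkt.dst == r["dst"] and pkt.dport == r["dport"]:
            return r["action"]
    return "drop"


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def route(pkt: Packet, wan_in_rules, hairpin: bool = True):
    """Return (verdict, packet as delivered to the server or None).

    Order: DNAT first, then the WAN_IN rules for traffic arriving from the
    internet. Traffic from the LAN does not traverse WAN_IN in this model.
    """
    translated = apply_dnat(pkt)
    if is_lan(pkt.src):
        verdict = "accept"
    else:
        verdict = firewall(translated, wan_in_rules)
    if verdict != "accept":
        return verdict, None

    # Hairpin case: a LAN client sent to PUBLIC_IP and was forwarded to a LAN
    # server. Without hairpin NAT the server answers the client directly from
    # SERVER_IP, but the client expects the reply from PUBLIC_IP and discards it.
    if is_lan(pkt.src) and translated.dst != pkt.dst:
        if not hairpin:
            return "asymmetric-reply", translated
        # Hairpin NAT: router masquerades as the source so the reply returns
        # through the router and is un-translated on the way back.
        translated = replace(translated, src=ROUTER_LAN_IP)
    return verdict, translated


if __name__ == "__main__":
    outside = Packet("198.51.100.7", PUBLIC_IP, 443)   # constructed internet client
    inside = Packet("192.168.1.20", PUBLIC_IP, 443)    # constructed LAN client
    print("wrong rule :", route(outside, WRONG_WAN_IN)[0])   # drop
    print("right rule :", route(outside, RIGHT_WAN_IN)[0])   # accept
    print("no hairpin :", route(inside, RIGHT_WAN_IN, hairpin=False)[0])
    print("hairpin    :", route(inside, RIGHT_WAN_IN)[1])
```

The check this buys a defender: when a forwarded port "doesn't work" on a DNAT-first router, compare the firewall rule's destination against the translated address rather than the public one, and when only inside clients fail, look at whether the reply path actually passes back through the device doing the NAT.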

The EdgeRouter UI does not render on a smartphone.

If you have a 1Gbps pipe then the ERX is not going to do more than 500Mbps.

The ERX supports a number of VPN solutions, however, it provides no tools for managing certs which pfSense does.

pfSense does not have a unified management solution, and when I'm monitoring multiple devices I have to investigate each individually.

Both support dual wan.

Prices in the ERX world escalate quickly. The pfSense has a hardware offering, however, there is no unified solution.

What a mess!

Monday, March 25, 2019

Skype still sucks

I'm just not sure if Microsoft is doing this because they want to compete with ChromeOS. Frankly I'm trying to push my organization away from Skype regardless of the platform.

Sure there is an Android version that works on my Cell and Slate but the experience still sucks. Also not all ChromeOS devices have Android support. So it sucks more.

Friday, March 22, 2019


A few days ago I was gonna write you this "you were right and Ubiquiti rocks" email... but then I started peeling the onion into smaller layers.

We have started to use the UI Edgerouter X and UNMS for monitoring and being able to CLI back into the device for making certain changes. I was so impressed that I decided to buy 2x managed switches and that's when the love affair ended.

- The ERX will only do a max of 1Gbps total
- the UI SW8 is a managed switch but there are no instructions or a web UI.
- the UI SW8 is limited to 8Gbps (according to the doc)

Many years ago I worked for CyberGuard aka Secure Computing (I worked on the SnapGear hardware and their unified console), so that part of the ERX is very familiar.

Hate to think I'm being a bitter betty but it seems like UI needs to truly unify their product line.

Netgear Prosafe where art thou

"NETGEAR Inc. will terminate the ProSAFE VPN Firewalls on September 1, 2017. The last software update for these products was provided in April 2017. NETGEAR Inc. will continue to honor valid warranty claims for all ProSAFE VPN Firewall devices purchased from an authorized reseller. To complete the full exit from the product line, NETGEAR Inc. will no longer provide ProSAFE VPN Firewall software support or subscription updates for any ProSAFE VPN Firewall devices after September 1, 2017."

Thursday, March 21, 2019

ATT 1Gbps says what?

I'm a professional programmer so I need a little more from my Internet connection than the average user. The average user is not normally serving content... in my case it's just about making my work life easier and it is.

In recent weeks I had a 72 hour outage from my ISP and that's just not acceptable. In response I added a second connection, ATT. ATT's service is also 1Gbps but confirming that speed has been difficult. No two speedtest apps provide the same numbers. But then there is the fine tuning that caused more problems. Sadly even after these changes there is still a difference in the speeds, however, at least one tool seems to have the expected performance.

So here are some notes on the ATT configuration....

There is a feature called "router behind router detection". This was defaulted to OFF but I turned it ON because I was putting a router behind the router. This turned out to be a bad decision as it janked my WiFi bridge connected to my router and it also messed up the WiFi in the modem. So just leave this off.

Next, since I was serving incoming requests I needed to open a range of ports and direct them to my router. ATT's modem has a FIREWALL section where you can set the application/pinhole from the outside to the inside. First you navigate to the page, then select my router from the list of devices, then select the pinhole type.

If you select ALL then the router needs to be rebooted because you'll get the actual public IP address assigned to your router. Unfortunately this is one of the sticky points. When set to ALL there is a huge loss of speed which I have yet to understand.

ATT indicates that when selecting this mode or changing targets you MUST reboot the target(s). DHCP gets a little upset and a reboot forces a proper release/renew.

I ended up creating a user defined port range from 1 to 20000, for both TCP and UDP, so that I would include SIP+media. Although I did get an error message from ATT's modem that I was going to affect the TV, I saved it anyway. After yet another reboot my data rates were so much closer to the advertised speeds.

I might mention that my router is a barebones/silent PC with 5 ethernet ports and no WiFi. I installed a dedicated pfSense ISO from a USB stick and at some point performed an upgrade. In my testing I also tried a Ubiquiti EdgeRouter X, however, after all the reconfiguration I discovered that it was only capable of half of ATT's capacity. I'm sure that 500Mbps is more than sufficient but the price is right. One reason for trying the EdgeRouter is because it's inexpensive, integrated, complete, has backup/restore, and more importantly as a commodity piece of hardware I can get a replacement from Amazon in just a few days.

Tuesday, March 19, 2019

ESXi to rule them all

QUESTION: Should there be an ESXi or ESXi-type layer between your installed OS(s) and the hardware? The reason for the question is because modern compute hardware rarely has CDROM or DVD players attached so [a] lights out or remote operation is painful [b] a fistful of USB sticks, from preparation to being on-hand to create/deploy them, is a pain. On the other hand, the more stuff between your code and the hardware, the more you need to know in order to know your position. In a current deployment my Intel NUC's fan started to whine. It's typically very quiet and I've become accustomed to that, so when the fan started I noticed it. I still do not know what caused the problem (although there was a sudden 10% spike in CPU usage which esxtop attributed to proc 1); after suspending the guests and rebooting the machine the problem went away. Also I have a project which uses vSphere APIs to deploy Guest OS(s).

Should I stay or should I go?

Saturday, March 16, 2019

grrr hotspots

I'm trying to get some work done with my hotspot but I also connected my kids iPads and they could easily use all of the bandwidth. I don't think anyone considered that.

Data only accounts are a fail. If you plan to use them as a backup when your primary service is  down then you're cooked.

Friday, March 15, 2019

golang and fossil

Here I am tethered to my phone because my ISP has failed. The challenge I face is that all of my development hardware is in the same office with me. And while a MiFi type device (with RJ45 connectors) exists and would be useful, there are practical limits to bandwidth, data, cost and then there is whatever services I'm providing.

In my DEV environment I have 4x 32GB Intel NUCs. Two are running VMware, one is a DEV machine where I edit and run the DEV code. I have GitLab, Mattermost, and QA running on another host. And a few other tools here and there including haproxy and traefik. I'd say it's a mess but it's feature packed.

Each of the NUCs cost about $700 and are only partially utilized, and then there is the cost of power and of any interruption of service. 32GB of RAM at DigitalOcean costs $160. Cloud services are not perfect but I have had services running for many years without an outage. Proper cloud hardware will survive a host hardware crash, where a host crash on a NUC will take many hours to repair assuming some amount of luck or planning, but mostly luck. I'm not exactly certain how the cloud providers allocate their public IP pool, however, they usually have diverse and redundant routing providing many levels of reliable communication that would come at a great expense for a SOHO.

Today is yet another day when I lost service. I'm writing this post while tethered to my phone. The challenge is that my DEV and QA environments are off the air because I do not have a way for my NUCs (connected to the wired LAN) to get to the internet with the same IP my ISP provides.

Thursday, March 14, 2019

TPLink - TL-SG108E

My GS108E and my SG108E are unreliable as bandwidth goes. At one time I was able to get 1Gbps but then I replaced some gear with these and now I get a fraction of my ISP's speed...

It is interesting to note that the SG108E is said to have a switching capacity of 16Gbps, which is 2x the entire switch, where the Ubiquiti says only 8Gbps. The GS108E tries to avoid describing the bandwidth and I'm still not sure what it is.

What a mess!

Monday, March 11, 2019


Someone needs to explain performance robbing components in the home network! What is particularly strange is that there are times when I was able to measure nearly 1GB speeds on my home network, and now I get strange results.

155Mbps on my wired network

246Mbps on my wireless network.

All of the routers are 1Gbps routers and they have all been rebooted.

another bad day for open source

One of the hallmarks of a good open source project is just how complicated it is to install, configure and maintain. Happily gitlab and the ...