@WrCombs said in vLANs random question.:

@dashrender said in vLANs random question.:

@scottalanmiller said in vLANs random question.:

@WrCombs said in vLANs random question.:

@scottalanmiller said in vLANs random question.:

@WrCombs said in vLANs random question.:

@scottalanmiller said in vLANs random question.:

@WrCombs said in vLANs random question.:

@dafyre said in vLANs random question.:

The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

if this was an on prem system, that would world. but this is a cloud system so both need access to the internet..

Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

So how would you make that work? just using firewall rules, to let the 2 talk to pull transaction information?

If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

in a "normal" IT system, that would be the case, as I'm sure you know.
POS however, the Pin pads talk directly to the Register to pull that transaction data to the Pin Pad - otherwise the pin pad wont know how much to charge the credit card -

Then you need to connect the two VLANs, effectively defeating the purpose. It's not entirely defeated, it is still a secondary firewall but only replicating the vastly more important local firewall.

ROFMAO - like the terminals have firewalls - HAHAHAHAHAHA

on this particular system (which I am the Admin for) Windows firewalls are required to stay on - for all 3 options no matter what.

See!! Firewalls!

@eddiejennings said in Reverse Proxy for Single Public Facing Server:

@dashrender said in Reverse Proxy for Single Public Facing Server:

@eddiejennings said in Reverse Proxy for Single Public Facing Server:

@dashrender said in Reverse Proxy for Single Public Facing Server:

That's pretty easy to do when you're self hosted, but if you're doing something like Vultr instances, I'm guessing it's a bit harder - unless Vultr allows for the creation of VMs that only exist on a private network.

True and that why I specifically mentioned a self-hosting scenario. I think I have a thread from the past asking about whether or not people bother with reverse-proxy for things hosted in Vulture or the like.

I don't think that it makes a difference.

@scottalanmiller said in Basic Ubiquiti Network:

@eddiejennings said in Basic Ubiquiti Network:

@jaredbusch said in Basic Ubiquiti Network:

@eddiejennings said in Basic Ubiquiti Network:

The Dream Machine looks interesting, but I'm not inpressed with it also being an 8-port switch.

I have not looked at it yet, but are they fixed switch ports, or assignable? The ER-X is an example of this.

The documentation I've seen doesn't tell me much. It seems like the switch ports create just a plain layer 2 switch. They aren't assignable interfaces like the old EdgeRouter Lite's eth0, 1 and 2.

I believe that to be true.

The old ER Lite were software bridged only and not something you ever wanted to do. Horrible performance killer.

The ER-X and ER-4 have an actual switch chip. You don't have to make each port use it, but it is there.

So you could make eth0 be WAN and eth1 through eth3 be members of switch0

@Fredtx said in Help Understanding LAN test Speed Results:

I ran a LAN Test speed using from a client to a server, which are both in the same LAN as it's a small dental office network. The results are showing 67.88Mbps (Writing/Upload) and 405.51Mbps (Reading/download). I don't know what their physical infrastructure is as I work remote, but I'm sure it's 1Gbps Ethernet. If that's the case, does this test result indicate there's an issue, with the huge difference between upload and download, all in the local LAN?

That the test is labeled writing / reading.... then yes, you're expected to be testing a lot more than the network and a big difference would be expected.

@scottalanmiller said in First Look Ubiquiti Unifi UXG Pro:

The new, unreleased Unifi UXG Pro just arrived here at the NTG Dallas offices. Woot! It's dual power supply, dual WAN, dual LAN, touch screen LCD and up and running!

More details as we get to play with it.

DAMN IT!!!

TY @black3dynamite

@EddieJennings said in MacVTap Modes:

One option I didn't see in the redhat doc was openvswitch. Don't they support it?

The link I posted was for RHEL 6. I just now saw that RHEL 8's documentation is online. I glanced through it and didn't see that mentioned. I'll read it more closely tomorrow.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_virtualization/configuring-virtual-machine-network-connections_configuring-and-managing-virtualization

There's no mention of openvswitch anywhere in that document. I am aware of XenServer and XCP-ng uses it by default. So its possible RHEL just prefers using macvlan/macvtap instead of openvswitch.

@JasGot said in DHCP Question...:

I guess I am going back subnet school.

I found it, it's in the faded greyed out area under the red rectangle.

@wrx7m said in Tool for Finding Rogue DHCP:

Ran into this about 12 years ago. A guy on the dev team decided to setup his own DHCP server. Screwed up all sorts of stuff. Can't remember for sure what we did, but I think after we realized that it wasn't actually an issue with our known DHCP servers, we decided to talk to the dev team and found out that is what he had done.

It amazes me how many people just don't think about it - they have a problem, they think they know how to solve it, and just slap something onto the network.

@Romo said in Unifi USG VPN from Behind NAT Firewall:

Also add the changes to a config.gateway.json file in the controller to changes directly made on the USG don't get deleted on next provision.

One reason I hate these units.

Discussion on the policy side of this is over here:

https://mangolassi.it/topic/20894/policies-vs-network-access-control

@brandon220 said in how does this work? Modems/IPs/PCI Scans:

@JaredBusch example also is great for home use if you have IoT devices. I have an ERL behind a cable modem and this keeps everything I want separated from my normal LAN.

That is a good way to practice this for business use

@JaredBusch said in Datto AP60:

@WrCombs said in Datto AP60:

@JaredBusch said in Datto AP60:

@Dashrender said in Datto AP60:

Of course, they are basically useless in this setup, because the APs are on a non internet connected network.

No, they are not. @dbeato has clearly stated it works offline once programmed. Yes @NDC mentioned a rare condition where it failed.

None of that matters. This unit is not going out to the restaraunt. He only needs the fucking thing to configure the tablets in the office. The restaurant will be providing s the wifi for the production closed network.

this

People are fucking too stupid to remember from the top of a thread to the bottom I swear.

Anyway, you can use the Datto just like I outlined for the UniFi. Assuming you can get it programmed by someone.

@dbeato Private messaged me and if that's the route we take he said he'd help .

In theory, you could even update the firmware on the UAP, in the future, by pre-downloading it on a device that presents it via a URL and then join that device to the aloha network.

But that would be excessive amounts of work.

Possibly the app could do it on an iPhone/Android device with LTE that is also joined to the aloha wifi.

OK late to the thread. We use a cheap travel router for this purpose. GL.iNET GL-MT300N think we paid $25 for it. Supports up to 4 SSID's and can do VLAN's though we only use 1. We can actual do wifi to wifi bridging with it. We use it for these wifi Sapling clocks that need to connect to a pre-provided WPA2-PSK ssid for initial setup.
This is the newest version: https://store.gl-inet.com/collections/travel-routers/products/gl-mt300n-v2-mini-smart-router
Can get these on Amazon now for $25

@scottalanmiller said in Windows 10 PC's not renewing DHCP lease:

@Dashrender said in Windows 10 PC's not renewing DHCP lease:

@scottalanmiller said in Windows 10 PC's not renewing DHCP lease:

@Dashrender said in Windows 10 PC's not renewing DHCP lease:

@dafyre said in Windows 10 PC's not renewing DHCP lease:

Your DHCP range isn't close to being full, is it?

Man, I wouldn't think that would prevent a renewal.

It does. Depends on race conditions, but it definitely happens.

I guess I need to re-read up on the DHCP process - I thought (at least with Windows) that the client machine did a check at the 50% timeframe and renewed then, thereby never actually reaching an expired state. But that was 20+ years ago when I read the MS docs on it... so I could have a faulty memory.

It does, but machines powering on and off and such can disrupt that process.

uh, what? Sure, now if a machine is off, and the half way point, or the full expire time hits, sure, when the machine comes back online - it has to basically start over...

The OP says the machine is loosing it's IP what appears to be overnight. OK, so let's assume the lease expired while the computers were in powersaver mode, or simply off. I would expect them to be turned on and simply go through a DHCP request - but the OP says a reboot it required to get back on the network. so something isn't working from the client side.

So the NIC has been updated and that didn't solve it.

Any chance the switch could be the culprit? Are there updates available for the switch?

Roflol

I used to manage a Full Tolerance Infrastructure.

2 Devices of Everything (Routers, Firewalls, Edge Switches, Core Switches, Access Switches, etc)
2 Internet Providers
2 Private Circuits

Network Documentation is very very important, for Network Admins is a must, because for example a new team member joins, this information will be useful to acknowledge the network infrastructure.