I've had to deal with the same sort of buildings before. The key will be to have a good site survey done ahead of time. If you end up needing an AP in every room, it's probably not worth it.

Just an educated guess here, but 2.4GHz will probably get halfway acceptable coverage without acceptable speed for the end users while 5GHz will likely not cover enough area to make it worth moving to entirely.

@scottalanmiller said in Troubleshooting poor network performance:

@DustinB3403 said in Troubleshooting poor network performance:

@DustinB3403 said in Troubleshooting poor network performance:

Moving from that port which was only giving 10FDx to an unused port, gave us 1000FDx.

I'm not sure where this issue stems from..

Got it sorted out, for some reason (and I'm still working on the specifics) our ESXi hosts secondary NIC keeps falling to 10FDx (likely some misconfiguration at setup).

I've moved XO off of this nic, and performance has been fixed.

If you want to improve ESXi performance, install KVM.

Yea, that's a different conversation entirely, I do want a outside of the XCP-ng pool environment, in case something goes sideways. I'm dealing with some sunkcost conversations about it, though I am making progress.

@JaredBusch said in KVM networking with libvirt (virsh) questions:

I assume that Debian 11 uses NetworkManager? I don't have a clean Debian system running KVM to check.

If so nmcli and its related commands are your friend.

Thanks Jared.

Reading about nmcli and seeing your screenshots led me to understand that macvtap devices are only active when the VM is actually running.

Using ip link I can now see the macvtap device on the host. One for each VM connected.

7ad85ba6-1b7b-40a2-aa7a-d8e12988683f-image.png

@travisdh1 said in Eero Inquiry:

@scottalanmiller said in Eero Inquiry:

@stacksofplates said in Eero Inquiry:

@Dashrender said in Eero Inquiry:

@dbeato said in Eero Inquiry:

@WrCombs You cannot hide your SSIDs on Eero. You also have a limit of your Main SSID and Guest Network. It is geared for Home and really small environments.

https://support.eero.com/hc/en-us/articles/214588166-Why-can-t-I-hide-my-network-SSID-with-eero-

Why Eero over Ubiquiti? Business versus consumer. Does the pro version have APs with wired connections?

Prob because management is much easier. I ditched my APs and edgerouter for a single Amplifi which I can update and control from my phone. My mom has a Deco setup and it works very similarly and is great as well.

Easier if you do it yourself. But if you have a support company, I think the Unifi is easier. The Eeros always made for a lot of extra work when we had to deal with them.

At a former job, we had an Amplifi system that caused ~8 hours of un-needed billable time. If it would have been a UniFi system, we could have fixed it without the site visits.

You can grant remote access to Amplifi. Aftyer I set it up at my mom's, with her credentials, I then added myself as a remote admin.

@WrCombs said in vLANs random question.:

@dashrender said in vLANs random question.:

@scottalanmiller said in vLANs random question.:

@WrCombs said in vLANs random question.:

@scottalanmiller said in vLANs random question.:

@WrCombs said in vLANs random question.:

@scottalanmiller said in vLANs random question.:

@WrCombs said in vLANs random question.:

@dafyre said in vLANs random question.:

The short answer is you would get the Router to route between the two VLANS, and fix it so that only the Payment devices have access to the internet.

if this was an on prem system, that would world. but this is a cloud system so both need access to the internet..

Actually that makes it make more sense. It's minimal value, but that doesn't mean zero. It will improve security and simplify audits if they are both SaaS connected devices like that. Not a big deal, but not bad, either.

So how would you make that work? just using firewall rules, to let the 2 talk to pull transaction information?

If they talk only to the hosted apps, the intercommunications should be on the server, not the client. Is that not correct?

If you need devices on two different LANs (vLANs are just LANs without physical separation) then communications between them is always through a router, and routers are firewalls. So first you have to build a route, then block traffic, then allow the traffic that you want.

in a "normal" IT system, that would be the case, as I'm sure you know.
POS however, the Pin pads talk directly to the Register to pull that transaction data to the Pin Pad - otherwise the pin pad wont know how much to charge the credit card -

Then you need to connect the two VLANs, effectively defeating the purpose. It's not entirely defeated, it is still a secondary firewall but only replicating the vastly more important local firewall.

ROFMAO - like the terminals have firewalls - HAHAHAHAHAHA

on this particular system (which I am the Admin for) Windows firewalls are required to stay on - for all 3 options no matter what.

See!! Firewalls!

@eddiejennings said in Reverse Proxy for Single Public Facing Server:

@dashrender said in Reverse Proxy for Single Public Facing Server:

@eddiejennings said in Reverse Proxy for Single Public Facing Server:

@dashrender said in Reverse Proxy for Single Public Facing Server:

That's pretty easy to do when you're self hosted, but if you're doing something like Vultr instances, I'm guessing it's a bit harder - unless Vultr allows for the creation of VMs that only exist on a private network.

True and that why I specifically mentioned a self-hosting scenario. I think I have a thread from the past asking about whether or not people bother with reverse-proxy for things hosted in Vulture or the like.

I don't think that it makes a difference.

@scottalanmiller said in Basic Ubiquiti Network:

@eddiejennings said in Basic Ubiquiti Network:

@jaredbusch said in Basic Ubiquiti Network:

@eddiejennings said in Basic Ubiquiti Network:

The Dream Machine looks interesting, but I'm not inpressed with it also being an 8-port switch.

I have not looked at it yet, but are they fixed switch ports, or assignable? The ER-X is an example of this.

The documentation I've seen doesn't tell me much. It seems like the switch ports create just a plain layer 2 switch. They aren't assignable interfaces like the old EdgeRouter Lite's eth0, 1 and 2.

I believe that to be true.

The old ER Lite were software bridged only and not something you ever wanted to do. Horrible performance killer.

The ER-X and ER-4 have an actual switch chip. You don't have to make each port use it, but it is there.

So you could make eth0 be WAN and eth1 through eth3 be members of switch0

@Fredtx said in Help Understanding LAN test Speed Results:

I ran a LAN Test speed using from a client to a server, which are both in the same LAN as it's a small dental office network. The results are showing 67.88Mbps (Writing/Upload) and 405.51Mbps (Reading/download). I don't know what their physical infrastructure is as I work remote, but I'm sure it's 1Gbps Ethernet. If that's the case, does this test result indicate there's an issue, with the huge difference between upload and download, all in the local LAN?

That the test is labeled writing / reading.... then yes, you're expected to be testing a lot more than the network and a big difference would be expected.

@scottalanmiller said in First Look Ubiquiti Unifi UXG Pro:

The new, unreleased Unifi UXG Pro just arrived here at the NTG Dallas offices. Woot! It's dual power supply, dual WAN, dual LAN, touch screen LCD and up and running!

More details as we get to play with it.

DAMN IT!!!

TY @black3dynamite

@EddieJennings said in MacVTap Modes:

One option I didn't see in the redhat doc was openvswitch. Don't they support it?

The link I posted was for RHEL 6. I just now saw that RHEL 8's documentation is online. I glanced through it and didn't see that mentioned. I'll read it more closely tomorrow.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_virtualization/configuring-virtual-machine-network-connections_configuring-and-managing-virtualization

There's no mention of openvswitch anywhere in that document. I am aware of XenServer and XCP-ng uses it by default. So its possible RHEL just prefers using macvlan/macvtap instead of openvswitch.

@JasGot said in DHCP Question...:

I guess I am going back subnet school.

I found it, it's in the faded greyed out area under the red rectangle.

@wrx7m said in Tool for Finding Rogue DHCP:

Ran into this about 12 years ago. A guy on the dev team decided to setup his own DHCP server. Screwed up all sorts of stuff. Can't remember for sure what we did, but I think after we realized that it wasn't actually an issue with our known DHCP servers, we decided to talk to the dev team and found out that is what he had done.

It amazes me how many people just don't think about it - they have a problem, they think they know how to solve it, and just slap something onto the network.

@Romo said in Unifi USG VPN from Behind NAT Firewall:

Also add the changes to a config.gateway.json file in the controller to changes directly made on the USG don't get deleted on next provision.

One reason I hate these units.

Discussion on the policy side of this is over here:

https://mangolassi.it/topic/20894/policies-vs-network-access-control

@brandon220 said in how does this work? Modems/IPs/PCI Scans:

@JaredBusch example also is great for home use if you have IoT devices. I have an ERL behind a cable modem and this keeps everything I want separated from my normal LAN.

That is a good way to practice this for business use

@JaredBusch said in Datto AP60:

@WrCombs said in Datto AP60:

@JaredBusch said in Datto AP60:

@Dashrender said in Datto AP60:

Of course, they are basically useless in this setup, because the APs are on a non internet connected network.

No, they are not. @dbeato has clearly stated it works offline once programmed. Yes @NDC mentioned a rare condition where it failed.

None of that matters. This unit is not going out to the restaraunt. He only needs the fucking thing to configure the tablets in the office. The restaurant will be providing s the wifi for the production closed network.

this

People are fucking too stupid to remember from the top of a thread to the bottom I swear.

Anyway, you can use the Datto just like I outlined for the UniFi. Assuming you can get it programmed by someone.

@dbeato Private messaged me and if that's the route we take he said he'd help .