@pete-s said in HP Switch config question:

The person who set this up would clearly know what he was doing or he wouldn't have been able to make it work.

I'm guessing it was a move in the making. The intention was probably to move over to pfsense, drop the fortigate and perhaps remove routing from the switch. It's possible the fortigate is old and can't handle routing at line speed, hence the L3 routing in the switch.

I'm guessing the fortigate and the switch was setup long before pfsense.

If the fortigate is the actual edge device, maybe this was setup as a simple way to bypass the pfsense for fussy devices or troubleshooting?

I could see setting something like this up so that you can tell a remote user "go plug it into xyz switch and let me know if it starts working"

@FATeknollogee said in Help setting up routing:

@JaredBusch Just curious, what it the /23 on eth3, is that one of your LAN IP blocks from AT&T?

AT&T can't issue private IP addresses.

@JaredBusch said in Vyos Configure DHCP Server:

@EddieJennings his second error is related to DNS.

This is a working DNS setup.

set service dns forwarding cache-size 150 set service dns forwarding listen-on eth7 set service dns forwarding listen-on eth7.2 set service dns forwarding name-server 1.1.1.1 set service dns forwarding name-server 8.8.8.8 set service dns forwarding options server=/domain.local/10.202.0.21 set service dns forwarding options server=/domain/10.202.0.21

Correct. I gambled from his title the immediate interest was DHCP. I lost. :)

@Dashrender said in Windows Domain routing question - dual-nic:

Though - if you have a second layer network like this, you'll need to inform your external router on the internal networks and how to route them.

Routing to the internet is mostly just a nice to have.

@Dashrender said in Cisco ASA:

@Jimmy9008 said in Cisco ASA:

A and B can also RDP/ping devices sitting on C.

If this is true, it's just a matter of rules/route allowing C back to A/B or a route specifically for C -> A/B.

172.16.0.0 vlan… switch IP = 172.16.0.1, ASA = N/A, gateway on the vlan is 172.16.0.1 (the switch)

this is legacy. What appears to happen is that the switch has 0.0.0.0 set to 192.168.50.10 (the ASA) on a vlan2. So, traffic from 172.16.0.0 hits the switch IP at 172.16.0.1, then hope out 0.0.0.0
^ I think its this that's causing the issue.

This should be fine, this is what allows the C network to get to the internet

so, when on the 172.16.0.0 network, the request goes to the switch's IP (172.16.0.1) which forwards it to 192.168.50.10 (the ASA), The ASA then doesn't have a rule allowing traffic from 172.16.0.0 to talk to 10.x, so it just dumps the traffic.

At least that's what it looks like to me at this time.

“C” network really?

@mary said in Network Address Translation - CompTIA Network+ N10-007 Prof Messer:

Is there any kind of slowdown when using just one port if you are getting a lot of traffic?

No not really. The most commonly used ports are 80 and 443. They process quite a bit of traffic on your average workstation.

In fact, most servers are designed to work with a single port or just a handful of ports open. For custom applications using a specific port makes it easier to troubleshoot issues and restricts non application traffic. Many apps are defaulting to 443 these days. Although, keep in mind SSL /TLS can operate on other ports.

@mary It depends of manufacturer or vendor. Now in this times everyone is using "Standard Protocols"

@melvinsilva said in IGP and EGP - CompTIA Network+ N10-007:

@scottalanmiller I Will Add; "Only by WAN Network Administrators".

No, internal too. In fact, most, by far, are internal. You only have a few big WAN connections with most companies. But you might have hundreds or thousands of internal routes that have to be managed.

Both required a good initial configuration, but when "issues" occurs like link flaps or ISP outage (when MPLS fails), Dynamic may affect Router performance (CPU, Memory, etc).

Using Dynamic Routing; if you have no backup link or you dont have a proper failover configuration with correct threshold, the network updates will cause router performance degradation. It constantly will try to reach destination via default gateway.

Using Static Routing; If you have not a recovery plan or a back door to enter the remote router, you will have zero access to that device until link or issue is restored. Packets will be forwarded to a dead route.

For both, Initial design and configuration is the Key, when issues happens troubleshooting is a nightmare when things are not well done.

@scottalanmiller said in Another Major BGP Mishaps Redirects US Traffic to China:

I noticed that YouTube was down yesterday for a little bit. Very short, though.

Even Facebook got taken out for a bit too... Don't know if it's related or not, but still...

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@dbeato said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

@eddiejennings said in Traffic not flowing for hosts behind NAT - Edge Router Lite:

Take 3 is a partial success. All hosts except the IIS host has full Internet connectivity. The IIS host is accepting web and FTP traffic (so NAT's doing its job now :D); however, I can't ping outside my local network, and it can't resolve DNS.

So what is the DNS Server on that Server?

Same as all of the other servers that could resolve DNS. The issue was forgetting to reconfigure the source NAT rule.

Makes sense now!

@krisleslie said in Hitting the limits of the Ubiquiti EdgeRouter:

@jaredbusch My apologies, I meant QoS!

Well then, yes, better QoS performance because better processors.

@Dashrender said in Cross Post - Help sorting out a Firewall Issue on a Debian Box:

A default gateway on the debian box?

My thought. I don't think I've seen a system firewall not accept icmp by default.

If you stop iptables and still can't ping it's not the firewall.

Bridging issue solved, kind of a Late-Friday-Problem: Promiscuous mode was turned on, but on the wrong interface - the DMZ facing one.

It worked instantly the second I switched it off on the DMZ and instead turned it on on the target network interface.

How to turn on MAC spoofing / Promiscuous mode on Hyper-V using PowerShell

Get-VM -Name XXXXX | Get-VMNetworkAdapter | Where-Object { $_.MacAddress -eq "XXXXXXXX" } | Set-VMNetworkAdapter -MacAddressSpoofing On

@JaredBusch said in ER-X static routing:

I would use a source and destination NAT rule to force it.

Thanks. I'll have to wait till after lunch or tomorrow to get that setup. Redoing the server over there as well, so no remote access at this point :( (I want my jumpbox back!)

@JeffReady said:

There was once a good old day when Linksys was good...

I run DD-WRT on a Netgear Blackhawk (D7000 iirc, not one of the new ones), and it's been solid. Of course Comcast decided to push a friendly firmware update to my cable modem this weekend which reset the config, took it out of bridge mode and re-enabled the modem's own DHCP and routing services (and Lord knows what else), taking me offline. Annoying (not to mention a potential security nightmare)... mostly because I spent an hour jacking around before it even occurred to me to login to the modem and check it's settings.

Are you me? lol

This happened to me a couple weeks ago - same setup, same software, different router.

Definitely most everyone that I have seen is on .local. It was the advised standard for so long and it was so during the era when the majority of companies moved to AD. Even though the new standard has been around for a little bit now, nearly every company I deal with moved to AD prior to that time period. New companies get new AD, obviously, but as a market percentage they aren't so much yet, that I've seen.