ML - user profile: 1337 (Topics 273, Posts 3,519)

Posts
    • RE: Why Hyperconverged For Small Business

      @scottalanmiller said in Why Hyperconverged For Small Business:

      Good engineers are typically measured at 30 servers for the most junior of staff or troublesome workload, with good seniors more like 100 servers per engineer and top engineers around 600 unless you have state machines and IaC, then the numbers are thousands or tens of thousands.

      What do you define as "server" in this context? OS installations?

      posted in IT Discussion
      1
      1337
    • RE: Issue with NGINX passthough TLS

      @killmasta93 said in Issue with NGINX passthough TLS:

      @scottalanmiller
      so in my case how would i solve this issue so the backend can see the real IP?

      The backend can't see the real IP because the request comes from the IP of the proxy.

      But the proxy can put the IP address of the client (originating) into the http headers. For example using the Forwarded header. Look at proxy_set_header on nginx.

      The backend must then have support for looking at the http headers to determine the actual originating IP address.

      But if you passthrough TLS then I don't believe you can insert any headers and it's not possible to see the originating IP from the headers. But why does the backend need to see the originating IP?

      posted in IT Discussion
      1
      1337
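What the backend side of this looks like, as an added example and not code from the thread: a small Python helper that extracts the originating address from X-Forwarded-For or the RFC 7239 Forwarded header, but only when the TCP peer is one of a configured set of trusted proxies. If the peer is not a trusted proxy, the header is just client-controlled text and is ignored, which is the check that stops a direct client from spoofing its own address. For the TLS passthrough case, where the proxy cannot touch HTTP headers, the same file parses a PROXY protocol v1 line, which is the usual way a TCP-level proxy hands the client address to the backend. The trusted-proxy range and the sample header and stream bytes are constructed for the example.

```python
import ipaddress
import re

# Constructed for the example: the range our reverse proxies live in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def _node_ip(value):
    """Turn one Forwarded/X-Forwarded-For node into an ip_address, or None."""
    v = value.strip().strip('"')
    try:
        if v.startswith("["):            # RFC 7239 IPv6 form: "[2001:db8::1]:4711"
            v = v[1:v.index("]")]
        elif v.count(":") == 1:          # IPv4 with a port: "192.0.2.60:1234"
            v = v.split(":")[0]
        return ipaddress.ip_address(v)
    except ValueError:
        return None                      # "_hidden", "unknown" or garbage


def client_ip_from_headers(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Originating client IP as seen through trusted reverse proxies.

    The headers are honoured only if the TCP peer itself is a trusted proxy;
    a direct client can put anything it likes in X-Forwarded-For. The chain is
    walked right to left (nearest hop first) and the first address that is not
    a trusted proxy is the client. Returns None if the chain is unparseable.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted):
        return str(peer)
    hdrs = {k.lower(): v for k, v in headers.items()}
    chain = []
    if "forwarded" in hdrs:
        for element in hdrs["forwarded"].split(","):
            for pair in element.split(";"):
                key, _, val = pair.strip().partition("=")
                if key.lower() == "for":
                    chain.append(val)
    else:
        chain = [p for p in hdrs.get("x-forwarded-for", "").split(",") if p.strip()]
    if not chain:
        return str(peer)                 # proxy added nothing; the proxy is all we know
    for hop in reversed(chain):
        addr = _node_ip(hop)
        if addr is None:
            return None
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(_node_ip(chain[0]))       # every hop was internal: leftmost is the client


# PROXY protocol v1: "PROXY TCP4 <src> <dst> <srcport> <dstport>\r\n" (max 107 bytes)
_PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n")
_PROXY_V1_UNKNOWN = re.compile(rb"^PROXY UNKNOWN[^\r\n]*\r\n")


def client_ip_from_proxy_protocol(data):
    """Parse the PROXY protocol v1 line a TCP-level (TLS passthrough) proxy prepends.

    Returns (client_ip_or_None, remaining_bytes). Anything that is not a
    well-formed header is rejected rather than guessed, since a misparse here
    would let the first TLS bytes be read as an address.
    """
    head = data[:108]
    m = _PROXY_V1_UNKNOWN.match(head)
    if m:
        return None, data[m.end():]      # proxy could not determine the source
    m = _PROXY_V1.match(head)
    if not m:
        raise ValueError("no PROXY protocol v1 header")
    family = m.group(1)
    src = ipaddress.ip_address(m.group(2).decode("ascii"))
    if (family == b"TCP4") != (src.version == 4):
        raise ValueError("address family does not match source address")
    return str(src), data[m.end():]
```

The same rule applies whichever mechanism carries the address: the backend must know which peers are proxies and must ignore the address information from anyone else, otherwise every "real IP" based decision (rate limits, allow lists, audit logs) is under the client's control.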
    • RE: appear to come from an IP

      @dashrender said in appear to come from an IP:

      @pete-s said in appear to come from an IP:

      @dashrender Where does the IP whitelisting happen and how do the users connect?

      Is it a SaaS provider or a hosted solution of some kind that is doing the whitelisting?

      Are we talking about one IP or a subnet, or just that it has to be one or several static IP ranges?

      This is a SaaS solution. They are the ones who manage the whitelist.
      The level one techs are claiming that their system will only accept IP addresses, not hosts, in the whitelist. Of course we've all seen systems like that - 20 years ago. And as I just got done telling Scott - RX vendors rarely update their solutions - an unrelated vendor is actively deploying a version of xming from 2006, even though there is active development in 2022.

      I now believe that they lock down to IP because the rest of their security is so bad.

      If it's web based I'd look at using an outgoing http proxy. This is a forward proxy, not a reverse proxy as you commonly see in front of websites.

      Mobile users' traffic that is going to the SaaS solution goes through the proxy first, everything else goes directly as normal. You just need to change proxy settings on the mobile users to get this up and running, nothing to install.

      You can host the proxy yourself or use a service. IMHO it would be better if it's located outside your LAN to avoid using up valuable bandwidth.

      You'll whitelist the IP of the proxy since all your mobile users will appear to have that IP.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @scottalanmiller said in appear to come from an IP:

      @dashrender said in appear to come from an IP:

      Once when we asked to add an additional IP the vendor did say - now you know, you can't use this software to dispense at another location under this license? Which we knew - we wanted remote access for reports.

      Yup, gives them a chance to enforce your knowledge of a potential violation.

      I also think it's a licensing thing, with a bit of security sprinkled on top.

      Each client location would normally have a different static IP so it's easy to keep track of them. And with IP whitelisting you get some DDOS protection.

      IP whitelisting is normally on IP, not FQDNs, to avoid a DNS lookup for every access and to avoid DNS spoofing. When you do use FQDN in a firewall, it's actually still static IPs but the IP list is usually updated when the DNS entry expires or on a fixed schedule, like every 5 minutes or something.

      Either way, for mobile users FQDNs are also a little problematic because you need a DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.

      posted in IT Discussion
      1
      1337
    • RE: Why Hyperconverged For Small Business

      @scottalanmiller said in Why Hyperconverged For Small Business:

      @woodbutcher said in Why Hyperconverged For Small Business:

      The concern with that approach would be minimizing data loss. Primarily transactions in the ERP, though the volume of these transactions is low relative to other companies. But I would guess with proper backups at the DB level, this could be minimized as well if they had to recover via a backup.

      Unless you have DB level HA, nothing in your current set up (or in the HA setup!!!) will protect against transactional losses. Only proper database protection does that and nothing being discussed here touches on that.

      I know you know Scott, but it bears repeating how HA usually works in a pool/cluster of virtualized hosts.

      The hosts in an HA cluster have storage in common but not much else.

      When a host dies, all data in each VM that has not been saved to disk (and replicated) is lost.

      When the other hosts detect that one host is dead, all VMs that were running will now start and boot up again on other hosts. Since the storage is shared the VMs will have the same files as the ones that died.

      The effect for the VM, and availability of the service the VM provided, will be about the same as killing the power to a server mid-operation and then powering it up again.

      That's why it won't work reliably without transaction loss on a database.

      posted in IT Discussion
      1
      1337
    • RE: appear to come from an IP

      @dashrender Where does the IP whitelisting happen and how do the users connect?

      Is it a SaaS provider or a hosted solution of some kind that is doing the whitelisting?

      Are we talking about one IP or a subnet, or just that it has to be one or several static IP ranges?

      posted in IT Discussion
      1
      1337
    • RE: Why Hyperconverged For Small Business

      @woodbutcher said in Why Hyperconverged For Small Business:

      Is there truly a case for a hyperconverged infrastructure for a small business?

      Not if you're looking for high availability.

      Most small businesses lack a lot of things needed to get a fault-tolerant high availability system. You need to look beyond the servers themselves because there are a lot of dependencies that also need to be highly available. Like network, power, cooling etc.

      Look at a commercial datacenter. It's usually redundant all the way through, from one end to the other.

      posted in IT Discussion
      1
      1337
    • RE: Chrome: unable to play YT Video; weirdness

      @jt1001001 said in Chrome: unable to play YT Video; weirdness:

      @travisdh1 i almost said porn mode in a job interview a few years ago!

      I casually say I'm watching porn, when I mean cable porn, like in neat datacenter installations, and server porn (as in dual 128 core, 4TB RAM, 1PB NVMe flash) etc.

      Anyway, I need to stop that before saying it in the wrong situation...

      -- "Yes, boss, I'll be over in a minute. Just need to check out this cable porn first."

      posted in IT Discussion
      1
      1337
    • RE: VPN Slowdowns - Anything I Can Do?

      @garak0410 said in VPN Slowdowns - Anything I Can Do?:

      We now have 6 people who work out of state. 4 in Texas, 1 in California and 1 in Maryland. They all have domain connected laptops that I pre-configure with our applications before they get them and they connect to our VPN via the build in VPN connector in Windows 10/11. Our VPN is provided by our Windows Server with port forwarding on our ISP provided Vigor firewall.

      I understand issues like internet pipes and the "hops" it takes to get back to our office on VPN but we see some significant drops in speed. Some apps that require a lot of file transfers, are almost unusable.

      Is there anything I can do on our end to aid in some speed increases? I'm also willing to spend money if we have to on software or a network appliance.

      Thanks!

      You should do some basic investigation so you know what you should expect.

      For instance:

      • What is the speed in/out of your internet link to your VPN server?
      • What traffic comes in/goes out over this link besides VPN traffic?
      • Do you have any traffic shaping in the firewall?

      It's very possible that low priority internet traffic, from clients in the office, is starving your VPN link of bandwidth.

      posted in IT Discussion
      1
      1337
    • RE: VPN Slowdowns - Anything I Can Do?

      @scottalanmiller said in VPN Slowdowns - Anything I Can Do?:

      So chances are the VPN isn't the slowdown itself, so moving to a "better" VPN might help, but likely only marginally. The fundamental issue is generally "WAN speed" vs. "LAN speed." There are generally three ways to tackle this depending on exactly what apps you use and how they work.

      1. Switch apps to something that doesn't care about WAN speed as much. Sounds trite, but it's what a lot of us have done. It's the best answer at a technical level, the hardest politically. But long term, it's the investment in the future because almost always what you are seeing is exposing legacy components and antiquated systems that could be addressed directly, or just bandaided through a solution below...
      2. Encapsulate the apps so that you "view" them remotely instead of doing transfers. Basically you literally stop being "remote" and start "remote controlling." This is most typically done through Windows RDS or VDI solutions (RDS when you can, VDI as a fallback.) This is the most common approach because it is simple, cheap-ish, and well understood. MS makes a killing making this outrageously expensive because they know that these kinds of apps trap customers and customers will pay a lot to not have to update the apps that they use. It is what it is, it's the common answer.
      3. WAN acceleration. Sometimes this works magic, sometimes it is useless. Things like Riverbed systems that do tons and tons of high speed network reduction, latency faking, and compression. They use less actual bandwidth while making things seem to move faster. It's a lot of horsepower (and typically cost) but for certain workloads can literally make a night and day difference. For other workloads it can theoretically actually make it worse. So you have to test.
      1. Local caching. Working on a local copy of a file that is being synced automatically and often transparently to central storage. Many things fall in this category, such as cloud based storage like onedrive but also pure file sync applications.

      2. Split tunneling. Don't route internet traffic over your VPN link. It's easy to have this enabled by default without realizing it. You want to make sure only traffic destined for your LAN is routed through the VPN link and the rest goes directly to wherever it has to go.

      posted in IT Discussion
      1
      1337
    • RE: Using Mutt to Check POP or IMAP Email

      @scottalanmiller

      The alpine mail client seems popular as well. Do you know if there is a similar way to use directly from the command line?

      posted in IT Discussion
      1
      1337
    • RE: Help Sorting out a Firewall Issue

      @scottalanmiller said in Help Sorting out a Firewall Issue:

      @mr-jones said in Help Sorting out a Firewall Issue:

      Could you expand on why that doesn't make sense? Is port negotiation not a functionality of TCP?

      Because you are thinking of WMI as being like HTTP, FTP or SMTP (single protocol.) In all those cases, yes, port negotiation is built in to TCP. But this is why I asked for the protocol details from the beginning, because this is not that simple. This is like SIP.

      First, when we talk about port negotiation in TCP the server is always a static port and is always protocol based. It doesn't negotiate, it's published. This is the Port 135 that you know for WMI. WMI then responds on a random port, that's the negotiation.

      When you are dealing with HTTP, FTP, etc. that is all that there is.

      The port 65849 in your example is not WMI, it is DCOM. The problem here is that DCOM is not published or open. WMI is not using that port. WMI tells the client that it wants them to initiate a DCOM client and reach out to the DCOM server on a dynamic IP (it's dynamic to you and me, it's static to the protocol.)

      So the DCOM port needs to be open. Since DCOM has no known port, we'd have to open all available ports for DCOM to listen OR we need the WMI application to be allowed so that whatever ports the DCOM server is using at the moment are open.

      WMI is one protocol and working fine. DCOM is another protocol and working fine. Your problem was that you were thinking of DCOM as part of WMI and that's what is confusing you. Either protocol on its own works as expected. What does not work magically is when you have one protocol (WMI, SIP) trying to automate another protocol connection (RTP, DCOM) because the network layer (firewalls, routers, etc.) has no way to know what is going on because it is happening in the application rather than in the network stack. There's no networking involved here, it's literally all inside the application. Not the application layer of the ISO OSI, but the actual application itself.

      Good points! Actually FTP is also not really straightforward and has a similar mechanism with its data and control ports - depending on whether it's running in active or passive mode.

      posted in IT Discussion
      1
      1337
    • RE: Help Sorting out a Firewall Issue

      @mr-jones said in Help Sorting out a Firewall Issue:

      This is to do with 'Asset Discovery', where the server will perform a TCP handshake with the client, and then hop ports to a random port to collect information about that machine, or at least that's how I understand it.
      I'm watching the traffic hit the client on 135, two way TCP traffic on 135, and then a swap of ports to a random port, let's say 63595 incoming to the client from the server, so I'm assuming the handshake went swimmingly. Problem is, as soon as traffic on 63595 is hitting the client from the server, the connection times out.

      What is defined as the server and what defined as the client here?

      I mean it's common to say server when you talk about a physical or virtual server and client for a workstation. But when we are talking about client/server communication it's different.

      Your description that the communication is hopping to a different random incoming port doesn't really make sense.

      posted in IT Discussion
      1
      1337
    • RE: Help Sorting out a Firewall Issue

      @mr-jones

      Make sure you're not confusing the port on the sender and the port on the receiver.

      For instance a web browser connecting to a webserver will use a random port on the client to connect to port 80 or 443 on the server.

      The primary reason to allocate a random port in this case is so it can support multiple client connections at the same time.

      posted in IT Discussion
      1
      1337
    • RE: Reboot on ping loss

      @scottalanmiller said in Reboot on ping loss:

      Eaton is like Cisco. Everyone knows the name, but at the end of the day, their brand is only as good as Linksys.

      Everyone big enough has products that suck. You just avoid them. A Linksys product is still better than a Chinese no-name product that will be gone the second the ebay/amazon seller's stock runs out. A product may suck but at least you can get it replaced or serviced if the brand is reputable. Tripp Lite has been around and is a known brand, that's all I'm saying.

      posted in IT Discussion
      1
      1337
    • RE: Reboot on ping loss

      @scottalanmiller said in Reboot on ping loss:

      It's not a real brand. It's total consumer BS. I have a client just try to deploy this trash for a small bank and it's the least production ready stuff I've ever seen. All of the apps and support were long ago abandoned. I think the latest version of their code is Windows 2012 and Fedora 8. EIGHT!!!!!

      Sounds like someone bought a legacy product that companies keep on the shelf for replacement in legacy systems. Or tried to install some old software that is not supposed to be installed on new systems. Basically someone not having a clue. Obviously not the product I mentioned.

      posted in IT Discussion
      1
      1337
    • RE: Reboot on ping loss

      @scottalanmiller said in Reboot on ping loss:

      Nothing works, Tripp Lite is completely abandoned and has no place in a business. Ever.

      The product I linked to was introduced in 2019 and the latest firmware upgrade is from 2022! That doesn't look like abandoned to me.

      posted in IT Discussion
      1
      1337
    • RE: Reboot on ping loss

      @adamf said in Reboot on ping loss:

      @pete-s thanks, I was just looking at that one before you sent it.

      Yes, it's good to know that Tripp Lite is a real brand and commercial grade, not no-name consumer gadget.
      Eaton owns them now.

      And Schneider owns APC. Both Schneider and Eaton are big manufacturers of electrical equipment for all kinds of industries and applications. Both are among the 500 largest companies in the world (Fortune Global 500).

      posted in IT Discussion
      1
      1337
    • RE: Reboot on ping loss

      A small switched PDU that might fit the bill is Tripp Lite PDU15NETLX.
      https://www.tripplite.com/support/PDU15NETLX

      You can control two outlets over the web interface, SNMP etc.

      It might even be possible that it has the auto-probe feature and that it can be used directly to power cycle the modem without having a script. How much control you'd have I don't know. I have no experience with this product.

      "In the event a critical device is no longer responding over the network, the included self-healing Auto-Probe feature can autonomously detect abnormal behavior and reboot modems, routers or media servers to restore healthy operation."
      https://news.thomasnet.com/fullstory/tripp-lite-offers-pdu15netlx-mini-pdu-with-auto-probe-technology-40023268

      posted in IT Discussion
      1
      1337
    • RE: Reboot on ping loss

      @adamf said in Reboot on ping loss:

      @pete-s said in Reboot on ping loss:

      @adamf said in Reboot on ping loss:

      @pete-s

      I would also do that, but have other requirements that require us to use the Comcast provided modem.

      It is what it is. Unfortunately I don't know any products that do what you want.

      I would want to have some control over the automatic reboot process though and would be reluctant to have another consumer grade gadget controlling it.

      If I had the choice I would go for a standard PDU that can switch outlets on/off and run a script on some server controlling when to power cycle the modem. Have it write some log files and such.

      Exactly. I’m looking for something pro grade. Not consumer grade.

      If you run a script on a server to control it, any switched PDU will get the job done.

      If you have on-prem racks and already use a brand for PDUs, then you might want to use that. Otherwise a brand like APC is solid.

      Some UPSs also have switched outlets. So if you already have a UPS in the same room you might want to check what you have.

      posted in IT Discussion
      1
      1337
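A script of the kind described in that post, added here as an example rather than anything from the thread: a Python watchdog that probes the WAN with the system ping binary, only power cycles after a run of consecutive failures, refuses to cycle again inside a cooldown window (so a dead upstream does not turn into an outlet flapping every minute), and writes a log line for every decision. The `power_cycle` callable is a placeholder for whatever the chosen PDU exposes (SNMP set, HTTP API, vendor CLI); which outlet it drives and how are assumptions, not something the post specifies, and the probe results used to exercise it are constructed. The `ping` flags are the Linux ones.

```python
import logging
import subprocess
import sys
import time

log = logging.getLogger("modem-watchdog")


def ping(host, timeout_s=2):
    """One ICMP probe via the system ping binary (Linux flags: -c count, -W reply timeout)."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


class Watchdog:
    """Decide, per probe round, whether to power cycle the modem.

    probe()         -> True when the link is healthy
    power_cycle()   -> switches the PDU outlet off and on (placeholder; PDU-specific)
    fail_threshold  -> consecutive failed probes before acting
    cooldown_s      -> minimum seconds between two power cycles
    clock           -> injectable for testing; defaults to a monotonic clock
    """

    def __init__(self, probe, power_cycle, fail_threshold=5, cooldown_s=900,
                 clock=time.monotonic):
        self.probe = probe
        self.power_cycle = power_cycle
        self.fail_threshold = fail_threshold
        self.cooldown_s = cooldown_s
        self.clock = clock
        self.failures = 0        # consecutive failed probes
        self.last_cycle = None   # clock value of the last power cycle
        self.cycles = 0          # total power cycles performed

    def tick(self):
        """Run one probe. Returns "ok", "degraded", "cooldown" or "cycled"."""
        if self.probe():
            if self.failures:
                log.info("link back after %d failed probes", self.failures)
            self.failures = 0
            return "ok"
        self.failures += 1
        log.warning("probe failed (%d/%d)", self.failures, self.fail_threshold)
        if self.failures < self.fail_threshold:
            return "degraded"
        now = self.clock()
        if self.last_cycle is not None and now - self.last_cycle < self.cooldown_s:
            log.warning("still failing but inside %ds cooldown; not cycling", self.cooldown_s)
            return "cooldown"
        log.error("power cycling modem after %d consecutive failures", self.failures)
        self.power_cycle()
        self.last_cycle = now
        self.cycles += 1
        self.failures = 0        # fresh threshold so the modem gets time to boot
        return "cycled"

    def run(self, interval_s=30):
        while True:
            self.tick()
            time.sleep(interval_s)


def placeholder_power_cycle():
    # Assumption: replace with the real PDU call (an SNMP set or HTTP request
    # against the outlet the modem is plugged into). Here it only logs.
    log.error("power_cycle() called: wire this to the PDU outlet")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: watchdog.py <host-to-ping>")
    logging.basicConfig(filename="modem-watchdog.log", level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    Watchdog(lambda: ping(sys.argv[1]), placeholder_power_cycle).run()
```

Probing a single external address means an upstream outage also trips the threshold; if that matters, make `probe` check the modem's LAN side as well and only cycle when the modem itself stops answering. The log file is what lets you review afterwards whether each cycle was justified.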