    Posts

    • RE: EdgeRouter L2TP VPN can't pass IKE phase 1

      I believe you need to define another ESP and IKE group for the site-to-site Tunnel 2. Also, your remote L2TP pool overlaps with one of the existing interface's IP range. It might overlap with the existing DHCP lease or a static address on your 192.168.4.0/24 network. I would make the remote pool totally different.

      Do you have static public IPs on both ends? If yes, I'd do route-based site-to-site VPN with VTI interfaces instead. It stays always on as long as there's network connectivity between the peers. No need to define multiple individual policies either.

      posted in IT Discussion
      taurex
    • RE: Cloudflare and Nginx reverse proxy background.

      @travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

      posted in IT Discussion
      taurex
    • RE: Unitrends Free is still useless

      Btw, is there anything agentless and free for Hyper-V or vSphere that can be used for scheduled VM backup? I had hopes for the free Unitrends but now they're shattered after this post.

      Edit: Looks like Unitrends' free offering for VMware is better, but it's a topic for a different thread, I guess :)

      posted in IT Discussion
      taurex
    • RE: ZeroTier Virtual Adapter and SQL Express 2012 DB Troubles

      @scottalanmiller said in ZeroTier Virtual Adapter and SQL Express 2012 DB Troubles:

      Depends how you look at it. You see them as being cheap. I see them as burning money because it's a big joke to show how much they can throw away. SQL Server is only chosen by the ultra rich with money to flaunt. Companies lacking money do IT well and run lean, companies that laugh in the face of profits because they have so much money that it's all just silly to them select outrageously overpriced products for no reason and run them on old worthless hardware... just because it's funny.

      Their DB is relatively small (6 GB) and they're using free SQL Server Express with it, though. The whole thing should've really been open source and web-based, I agree.

      posted in IT Discussion
      taurex
    • RE: ZeroTier Virtual Adapter and SQL Express 2012 DB Troubles

      Thanks @scottalanmiller and @bbigford. Not sure if they are willing to spend $$$ to do it right, though. OMG this SMB is so cheap, they're running this SQL DB on a 5 y.o. Dell tower server with no RAID and a consumer-grade HDD! They do have an internal IT guy but he has no business IT concepts whatsoever, he's more like an IT hobbyist with web design background.

      I keep telling them they're wasting productivity with their disastrous IT. However, the main problem with many small organisations here is they don't see IT as an investment, more like an inevitable expense. I believe that now a successful organisation, regardless of its size, is always built around a reliable and efficient IT infrastructure that serves them as an operational backbone.

      posted in IT Discussion
      taurex
    • RE: ZeroTier Virtual Adapter and SQL Express 2012 DB Troubles

      @scottalanmiller

      So if they don't want to migrate to another solution, what would be the sensible option for them, then? Running it on a virtual host with two VMs - SQL and RDS with the ERP app installed? Thanks.

      posted in IT Discussion
      taurex
    • RE: ZeroTier Virtual Adapter and SQL Express 2012 DB Troubles

      @scottalanmiller

      I totally agree with you, Scott. I already told them they need to migrate to a SaaS solution asap but the current app is so customised to their business that they've entirely locked themselves in with it. The owner is reluctant to change anything and the developer keeps assuring him that his app is great and it serves its purpose 100%. But the way the dev implemented it was simply awful. Currently it takes about 4 seconds from the remote branch just to access the DB!

      I see these situations almost every time I assess SMBs. Horribly old apps running on below-par hardware.

      posted in IT Discussion
      taurex
    • ZeroTier Virtual Adapter and SQL Express 2012 DB Troubles

      Hi All,

      I don't have much experience with relational databases and my SQL knowledge is mainly built around resource provisioning for SQL servers (VMs).

      There is one small company with horribly messed up IT infrastructure I help out at the moment. While sorting their mess out, I want to trial a ZeroTier VPN between the main office's server and a smallish (5 workstations) remote branch. The remote branch connects to the main office over a site-to-site VPN configured on the ancient (10 y.o.) home-grade networking hardware on ADSL (both branches will get 100/40 HFC links soon). They already bought two EdgeRouter Lites as I told them and I already configured those boxes with route-based site-to-site VPN (both sites have static public IPs). However, I want to test something more modern and flexible like ZeroTier for them so I've installed ZeroTier agents on the SQL Server (physical Server 2008 R2 machine) and the Win10 test PC at the remote location. They can ping each other on the ZeroTier interfaces.

      The remote branch staff is accessing an SQL Express database at the main office using a custom-built ERP client that talks to the database using an alias of 192.168.2.4/SQLExpress (it listens to a custom port too). Is it possible by design to add another alias with the new ZeroTier interface's IP and on the SQL server to connect the remote ERP clients to? Or is there another way for the SQL DB to also talk to the remote clients with ZeroTier's IP without removing the current alias? (I want it for the local clients). I know there is a registry workaround to add a new NIC for the SQL server to listen to but it's configured with an alias and the server's 192.168.2.4 NIC is not even listed in the IP Addresses tab of the TCP/IP properties in SQL Configuration Manager.

      I appreciate your advice, folks.

      posted in IT Discussion zerotier sql express legacy
      taurex
    • RE: Port forwarding custom ports in sonicwall appliance

      @himura1 said in Port forwarding custom ports in sonicwall appliance:

      NSA 2600

      Did you tick 'Create a reflexive policy' box? Otherwise, you will need to create an outbound NAT policy too.

      https://www.sonicwall.com/en-us/support/knowledge-base/170503477349850

      posted in IT Discussion
      taurex
    • RE: I can't even

      0_1523766051033_20180115_194404.jpg

      I came across this WTF configuration in one of the local medical centres. Two low-end Sophos boxes are behind a $20 switch that is also connected to the single fibre Internet connection provided by an Ethernet demarc device (not shown on the image). Apparently, each firewall is set up to serve 50% of the available WAN bandwidth to their tenants...

      posted in Water Closet
      taurex
    • RE: Multiple NVR/VMS on Same Server

      @scottalanmiller that's exactly what I was trying to point out. Storage for the camera footage is important not just in terms of available space. There may be a case where the OP would need to directly access his recordings in case of emergency to provide them to the authorities when the host is no longer available (stolen) or damaged. Having them stored on a separate NAS inside a shared folder would certainly make the above job easier. Having said that, this can also be done by simply backing up the video files elsewhere or syncing them offsite.

      posted in IT Discussion
      taurex
    • RE: Multiple NVR/VMS on Same Server

      Hi Zachary,

      Yes, you can fire up a Linux VM on a host but you don't want your video recording data to compete with other VMs for write IOPS, especially when using slow SATA disks. On top of that, 8 cameras running 24/7 would need about 3.3 TB of storage just for a week's worth of video recording.
      Why wouldn't you consider a business-grade NAS like the Synology DS918+ with WD Red Pros for storing video recordings? You can run Unifi Video even on an old Intel-based laptop because it does not require much processing power for handling just 8 Full HD feeds. Just link it with an NFS share from a NAS and you are good to go!

      posted in IT Discussion
      taurex
    • RE: If you are new drop in say hello and introduce yourself please!

      @scottalanmiller Thank you. It's good to be here!

      posted in Water Closet
      taurex
    • RE: SIP Desk Phones Not Re-Registering with Main WAN's IP After WAN Fail-back

      @jaredbusch Thanks for this link. I'll give it a try. I hope UBNT did not trim the CLI down too much on the USG. I now better understand why the Edge series is still the preferred choice for deployment among many 🙂

      posted in IT Discussion
      taurex
    • RE: SIP Desk Phones Not Re-Registering with Main WAN's IP After WAN Fail-back

      Thanks everyone for your advice and suggestions. It looks like, despite the Yealinks still registering with WAN2's IP, all packets including SIP use WAN1 to reach the hosted PBX. I'm not sure how the hosted PBX sends the SIP traffic back to the phones, though, but the counters on WAN2 show a very small amount of sent and received packets, much less than typical SIP traffic for a day there.
      When I disable WAN2 the phones have no trouble re-registering with the main WAN. The problem is the soft fail-back when WAN2 doesn't get disabled, it just gets a higher metric in the USG routing table. Last time when the 4G data expired, all Internet traffic was unaffected except the phones.
      I do like Unifi Controller in terms of remote management but the WAN fail-over feature seems to be too raw at the moment.

      posted in IT Discussion
      taurex
    • RE: SIP Desk Phones Not Re-Registering with Main WAN's IP After WAN Fail-back

      @scottalanmiller It also shows on the hosted PBX (Maxotel) side as well. I only have access to their customer GUI but in the extensions tab, it shows both as registered with the WAN2 public IP address. I called the cloud PBX's support lately and they confirmed this but didn't provide any solution apart from suggesting to mirror one of the desk phones' ports on the switch and do a packet capture with Wireshark, but I did not get to that yet as this is a new remote site.

      posted in IT Discussion
      taurex
    • SIP Desk Phones Not Re-Registering with Main WAN's IP After WAN Fail-back

      Hi All,

      I'm having a rather interesting issue here. There is a Unifi network I recently set up with dual WANs. One is the main one - PPPoE WAN1 (FTTP) and another is WAN2 in a failover mode using a Dovado Tiny AC router in bridge mode with a Huawei E3372 4G USB modem. There are also a couple of SIP phones - Yealink T46S and T48S, all on a single LAN registered with a cloud Asterisk-based PBX. When WAN1 fails over to WAN2, the Yealink SIP phones easily re-register with a 4G public IP but when Unifi fails back to WAN1 the phones still keep the WAN2 IP registration even though every 120 seconds they re-register with the cloud PBX. After a fail-back, traceroute from the USG to the cloud PBX shows that the traffic is, indeed, exiting via WAN1 but on the Unifi controller dashboard, it still shows the WAN2 public IP as the gateway address.

      Has anyone experienced any such behaviour with a similar setup? Is it usual for SIP registered phones to specifically route VoIP traffic out of WAN2, even though all other traffic has failed back to WAN1? Or is the SIP registration process separate from the actual route the SIP traffic uses to reach the hosted PBX? Why does the default gateway on the Unifi controller dashboard still show the WAN2 public IP after it's failed back to WAN1? Is this a Unifi bug? Thanks.

      posted in IT Discussion sip phones asterisk usg yealink t46s yealink t48s unifi controller
      taurex