• 0 Posts
  • 7 Comments
Joined 1 year ago
cake
Cake day: July 1st, 2023

help-circle
  • One rich company trying to claim money off the other rich companies using its software. The ROI on enforcing these will come from only those that really should have afforded to pay and if they can’t, shouldn’t have built on the framework. Let them duke it out. I have zero empathy for either side.

    The hopeful other side is with a “budget” for the license, a company can consider using that to weigh up open source contributions and expertise. Allowing those projects to have experts who have income. Even if it’s only a few companies that then hire for that role of porting over, and contributing back to include needed features, more of that helps everyone.

    The same happens in security, there used to be no budget for it, it was a cost centre. But then insurance providers wouldn’t provide cyber insurance without meeting minimum standards (after they lost billions) and now companies suddenly have a budget. Security is thriving.

    When companies value something, because they need to weigh opportunity cost, they’ll find money.




  • Hold them all to account, no single points of failure. Make them all responsible.

    When talking about vscode especially, those users aren’t your mum and dad. They’re technology professionals or enthusiasts.

    With respect to vendors (Microsoft) for too long have they lived off an expectation that its always a end user or publisher responsibility, not theirs when they’re offering a brokering (store or whatever) service. They’ve tried using words like ‘custodian’ when they took the service to further detract from responsibility and fault.

    Vendors of routers and firewalls and other network connected IoT for the consumer space now are being legislatively enforced to start adhering to bare minimum responsible practices such as ‘push to change’ configuration updates and automated security firmware updates, of and the long awaited mandatory random password with reset on first configuration (no more admin/Admin).

    Is clear this burden will cost those providers. Good. Just like we should take a stance against polluters freely polluting, so too should we make providers take responsibility for reasonable security defaults instead of making the world less secure.

    That then makes it even more the users responsibility to be responsible for what they then do insecurely since security should be the default by design. Going outside of those bounds are at your own risk.

    Right now it’s a wild West, and telling what is and isn’t secure would be a roll of the dice since it’s just users telling users that they think it’s fine. Are you supposed to just trust a publisher? But what if they act in bad faith? That problem needs solving. Once an app/plugin/device has millions of people using it, it’s reputation is publicly seen as ok even if completely undeserved.

    Hmm rant over. I got a bit worked up.


  • I’ve used virtio for Nutanix before and not using open speed test, but instead using iperf, gathered line rate across hosts.

    However I also know network cards matter a lot. Some network cards, especially cheap Intel x710 suck. They don’t have specific compute offloading that can be done so the CPU does all the work and the host cpu itself processes network traffic significantly slowing throughput.

    My change to mellanox 25g cards showed all vm network performance increase to the expected line rate even on same host.

    That was not a home lab though, that was production at a client.

    Edit sorry I meant to wrap up:

    • to test use iperf (you could use UDP at 10Gbit and run it continuous, in UDP mode you need to set the size you try to send)
    • while testing look for CPU on the host

    If you want to exclude proxmox you could attempt to live boot another usb Linux and test iperf over the lan to another device.



  • Ok so you may need to translate a few things.

    Routers gateway networks. Networks are extended physically by Ethernet. The ether in Ethernet is basically “to the network it doesn’t matter the medium” and in days past that was coax, or whatever Cabling you had but today is almost exclusively in a house, fibre, WiFi, and cat[5/6/7].

    Why does this matter? The router is the pivot between networks. Wireless access points are just part of the network.

    A wireless router is a device with two functions!

    Ok so how does a router work? When you buy a home grade router like an Asus or netgear, you get a device which has a single routing statement “0.0.0.0/0 via connected interface WAN”. This works on almost everyones home network because they only have a single network.

    A local network doesn’t need a router to talk, you only talk when you need to talk to something on another network. Your devices automatically broadcast to every other device on connection or device start up “I’m [mac address] with ip [ip] can you introduce yourself?” and everyone who is online responds back not in broadcast, but unicast directly to that device about their mac address. Your device stores that info in a Mac address table with time outs. This applies to the router too, it knows all the ip addresses on the LAN interface.

    Ok now we want to add a second home network to segment IoT away from your highly personal devices with all your personal information. Good idea! So to do that on any “fully fledged” router it’s super easy you would connect a cable to LAN2 plan a second IP subnet and connect a switch or AP to that. The router is now a router for network LAN1 and LAN2. If a device needs to get from LAN1 it goes “this IP isn’t in my subnet therefore I will send it to the router”. It will have no idea if the device is online or offline, it just sends it blindly to the router. Your router gets that IP and now looks at its routing table which now looks like this,for example:

    • 192.168.0.0/24 via connected interface LAN1
    • 192.168.1.0/24 via connected interface LAN2
    • 0.0.0.0/0 via connected interface WAN

    So now the router who knows you tried to get to a device within LAN2 from LAN1 will check the mac address table it has for LAN2 and see if there’s a mac address it’s learned from that device connection. If it does it sends the packet on back unmodified. The packet has return address information saying who sent it, and the IoT device can talk back.

    Wonderful, that’s the most simplest type of multi-lan network you can create. There are no virtual lans and everyone expects networks to mostly work this way. This exact principle is how the rest of the whole internet works. What networks are via what interface and a traceroute will tell you the resulting path. A router doesn’t need to know the destination just the next network.

    One last note on the background info, if you don’t want to setup everything with static IP addresses, you’ll setup a DHCP server which gives out IP details to devices via a lease system, and included can be DNS settings. You must have a dhcp service within a local network. That can be on the router on the LAN1 interface, and another DHCP server with different details on LAN2.

    To apply this to your problem, I think you’ll want to review the features of your two WiFi routers that you have. Many home routers do not support two discrete LAN interfaces. If they have 4 LAN ports they could be already configured as a “bridge” which is to say they’re a switch. They’re all grouped all belonging to LAN1. Check to see if you can remove one from the bridge. BTW the WiFi is usually part of this bridge too.

    If I had to guess the Asus router is likely more featured and more likely to have the ability to create a new network on a different interface.

    The simplest design will be to have your one router be the router for both networks. One wireless router has the router function disabled and becomes a wireless access point connected to LAN2. The router will know all connected networks (WAN/LAN1MLAN2). You won’t even need to write in your own route.

    But if this is not possible, it is still possible to use NAT. network address translation is a technology for a router to re-write the “return address” on every packet it sends. The return address becomes the routers WAN interface IP. Your network already has NAT because your LAN IP would send to an external network like “1.1.1.1” and if your return l address was “192.168.0.2” then 1.1.1.1 wouldn’t know how to get back to you since your IP is used on millions of home private networks. Instead your router uses NAT to keep a table of every single connection to the internet and waits for replies and redirects them back to the right device. It replaces the source address with your ISP assigned public IP. So 1.1.1.1 could have got a return address of 12.23.34.45 your home internet ip.

    But this can work on your home network but there’s limitations. Just 1.1.1.1 can’t randomly reach back out to the original device ever. Only your device can ask 1.1.1.1. If 1.1.1.1 tried to reach back to your public IP the router has no NAT entry for this, and drops the connection.

    Do let’s take the real possibility that you can’t setup two LAN interfaces on your home grade routers. What would you do? Instead could have a second wireless router with NAT enabled (which it is by default). Your second wireless router could broadcast a different SSID and it’s network ip subnet address should be different to your home network IP subnet address. So if your home is 192.168.0.0/24 your IOT could be 192.168.1.0/24. Your WAN interface should be setup static on an address that does not conflict with your DHCP scope. Or if it does, go to the dhcp server and reserve it. It should be an ip that doesn’t change and can’t accidentally be given to another device thereby giving you IP conflicts.

    So then your IoT devices now will get that 192.168.1.2+ address and reach to your IOT router to get out of their network. Now this does allow them to talk to your home network devices on 192.168.0.0/24. But the downside is your home lan devices by default can not talk to your IOT devices. This is kind of the reverse of what you want from a security perspective. To configure your IOT you’ll need to join the IOT WIFI. Why is this? If you on your home network connected device on 192.168.0.1/24 try to go to the IOT network device on 192.168.1.0/24, then the home device first notes that the network is not local, so it will send the request to the configured gateway. Your home gateway has no idea where 192.168.1.0/24 is either. So it goes out to the 0.0.0.0/0 route which is to your ISPs router.

    I’m sure you’ll think: if this is backwards why not flip my home network behind my second NAT router? And the answer is NAT isn’t free, and you’ll probably have heard CGNAT or carrier grade NAT making a mess of games and services. Double NAT has problems too.

    So what about dhcp and dns? The simple answer is the IOT router becomes a dhcp server and offers your IOT pihole for DNS. Your home network shouldn’t need touching

    There are ways to band-aid these two networks. If you know your home router has a proper route table you can modify that. remember you setup the IoT router with a static IP? Well here’s why. If you setup a route statement 192.168.1.0/24 via IP 192.168.0.251 (whatever IP is the IoT router) then now your home router can find and redirect traffic. This still occasionally has issues though and this routing statement can create a triangle route which would take a long time to explain, and secondly a fix for that can be more NAT more translation so we can return communication from the same way, but the branching possibilities are still not fully defined. Alternative fixes are on your local computer add a single routing statement to find 192.168.1.0/24 via 192.168.0.251 (or whatever IoT router ip you assigned).

    Now my suggestion: get a router which handles two local networks. Then you’re topology is pretty much the simplest, easiest to troubleshoot later, avoid Nat.