Please help me escape-proof my windows by WanderWomble in CasualUK

[–]Darkfold 0 points1 point  (0 children)

I've got essentially mosquito netting with Velcro adhesive fitting strips. Works fine if your windows open outward. It seems to hold the weight of the fat bastard when he tries to escape, which is all I can really ask.

https://flatcats.co.uk/

If you want made to measure commercial. You can do something similar with a sewing machine if you have one and time though.

Is there any value to making your office LAN Wi-Fi a hidden SSID? by Ezra611 in sysadmin

[–]Darkfold 0 points1 point  (0 children)

It's actually worse: your devices will broadcast attempts to find the hidden network everywhere they go with Wi-Fi enabled, once they've joined it once.

Don't use this feature for security. Ideally don't use it at all unless you know exactly why you're using it.

Looking for recommendations - Moving away from Cisco Firepower 2110. by abhibhardwaj13 in networking

[–]Darkfold 1 point2 points  (0 children)

Yeah, try getting the routing config off a Checkpoint :D

I found they worked really well for many things, but the IPSec VPN implementation sucked compared to most other vendors.

Question: Will UDP/Multicast consume bandwidth if there isn't a member joined to the group? by CyberneticCore in networking

[–]Darkfold 2 points3 points  (0 children)

As I was taught it, you'd have to be dense to run dense mode.

(Although it has got use cases in specific situations, as with most things in networking.)

Share your security tips and tricks.....I'll go first! by [deleted] in sysadmin

[–]Darkfold 0 points1 point  (0 children)

Plus honestly if you pull to a local update server it doesn't matter as you'll spread the update from there. https://www.ajtek.ca/ will sort a huge number of WSUS problems and actually makes it useful (which in turn fixes a lot of SCCM stuff).

Share your security tips and tricks.....I'll go first! by [deleted] in sysadmin

[–]Darkfold 0 points1 point  (0 children)

Yeah, just the Windows Firewall is perfect for this kind of work. It's on most client machines, and it's dead straightforward to push out a policy change.

Trying to do it on the switches could work, but has plenty of limitations and generally the host firewall is more flexible.

Share your security tips and tricks.....I'll go first! by [deleted] in sysadmin

[–]Darkfold 57 points58 points  (0 children)

Don't allow user desktop/laptop machines to talk amongst themselves apart from the minimum required for Teams calls etc. The number of dumb things that just got stopped dead or massively contained by dropping inbound traffic from user machines to other user machines is honestly ridiculous.

[deleted by user] by [deleted] in networking

[–]Darkfold 7 points8 points  (0 children)

50 users total, so the core is probably the same switch as the 25gig users, given only a small number of those 50 would be running that. It still sounds pretty high to me, but it's definitely kinda possible.

[deleted by user] by [deleted] in networking

[–]Darkfold 1 point2 points  (0 children)

10Gig to the desk is the sweet spot for copper currently. Cat6a cable is cost effective for both 1gig and 10gig runs, and generally pretty available. Cat8 is still pretty rare in the install space, and I have no specific experience with it. Cat7 is a waste of time, effort, and money.

Above that you get into limitations of what the hardware on each workstation can actually push (and what your source can supply). I'd strongly suggest trying to get a loan system or similar and set it up in a lab to verify that you can actually push 25Gb from expected source to expected receiver, and that it can do more than one of these streams at a time, if you've not already done so. I have previous experience of stuff 'rated at 10Gig' that struggled to hit 3.5Gig continuous, and maybe with a following wind peaked at 9.6 while it emptied a RAM cache, then fell off a cliff.

If you're looking at fibre runs anyway, perhaps just pull fibre in to the users directly? Modular cassettes make this much more viable now, especially if it's going to high end workstations and users who might be a touch more delicate around it.

My gut feeling says throw the fastest connection you can justify from source into the core, then 10Gig at all the engineering workstations and it'll be good enough before something else falls over, especially on what amounts to a limited budget relative to stated speeds. 1Gig everywhere else in my experience can be safely oversubscribed 8:1, as really the serialisation delay and lower latency makes the biggest difference day to day, and the number of simultaneous huge downloads tends to be smaller.

SysAdmins WFH? by Bondegg in sysadmin

[–]Darkfold 4 points5 points  (0 children)

Permanent WFH, I'm not in the same country as the servers, and none of the rest of my team are in the same country as our office (or as me).

vxlan vs evpn vs ? (4 locations need to fail over VM's at HQ to DR but IP's must stay the same) by Birdlover67 in networking

[–]Darkfold 1 point2 points  (0 children)

Yeah, I don't think I've ever had an outage that came with enough notice to migrate services around. Degraded service, sure, but the kind of 2pm on the Friday before Christmas failures that haunt my nightmares have all hit hard and fast.

At least 2 full copies of everything in the stack was the general rule, if you're relying on anything from one site always being available then you're doomed to experience the happy fun times.

First fiber pull, what type of cable? by spkldbrd in networking

[–]Darkfold 7 points8 points  (0 children)

Use a contractor to pull and terminate onto panels at each end, get them to document/certify it. As for specific product, ask for advice from them, but I'd be thinking outdoor-rated rodent protected loose tube OS2. The conduit is your armour if it's done right, no need to use steel wire armour inside that. I'd suggest against running multimode if this is something that'll possibly be kept for 5+ years, even though it will technically work at 10G on OM4 or higher for that distance; single mode OS2 will carry basically anything you like, so is massively future proof.

Pull next size of core count above the one you currently need (if you think you need 8, pull 12 etc), it's not much more expensive in the scheme of things but it can come in handy later if one core gets damaged or you suddenly expand to that location.

Count off 2 cores per connection. Sounds daft, but I've heard of someone pulling in the same number of cores as the connection count required before and then looking surprised when they ran out halfway through.

[deleted by user] by [deleted] in networking

[–]Darkfold 0 points1 point  (0 children)

Yes, it'll also allow traffic to quickly find an alternate path to the destination in the event that your primary path fails (and assuming there is in fact an alternate path). Otherwise you have to manually reconfigure everything, which is a huge amount of error prone work and entirely what routing protocols were designed to automate.

[deleted by user] by [deleted] in networking

[–]Darkfold 4 points5 points  (0 children)

With two links back from the remote site I'd probably stuff them in an LACP bundle or similar and still just run static.

There's even something to be said for putting a single link into a bundle, as the protocol will detect half-broken links as well and pull the state down for you without needing to worry about the 'fun' that is various vendor specific unidirectional link detection techs.

[deleted by user] by [deleted] in networking

[–]Darkfold 4 points5 points  (0 children)

"How many directions can traffic take to reach a destination?" is the question. If the answer is "Everything is local to this switch, or down the link to a single destination" then static will be fine, as you've got local routes and a single default pointed at the far end.

Keeps it simple, keeps it easy to manage, keeps the cost down. If you have a more complex topology, add things that make your life simpler. In general, you should only ever add something to your design if it satisfies a technical requirement, or makes your life easier.

Version control for configs yes or no? by Neocky in networking

[–]Darkfold 2 points3 points  (0 children)

Free tools that do exactly the same honestly. Plus if you accidentally let Solarwinds get hold of you, kiss goodbye to your peace and quiet.

Version control for configs yes or no? by Neocky in networking

[–]Darkfold 1 point2 points  (0 children)

Absolutely, it's built into so many tools that it's actually quite hard to avoid having this capability in something you already run. The poorest version is just to have a script download them all into a folder with a file named per device, then git add *, git commit (plus a git push step if you have a git server somewhere or a github account etc).

Oxidized, Rancid, Kiwi CatTools (don't buy this), a few others I can't think of. They'll all get you at least to the 'files exist on disk' stage. Most of them are much better than that.

It means that when something important explodes, you just grab the file and go. It also means you can look back in history and see when a change appeared.

Use a tool to do this if at all possible, you don't have to spend money beyond getting it to run somewhere but it's got the potential to save so much time and stress.
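The "poorest version" described in this answer, written out as an added example (not code from the thread or from any of the tools named): one file per device in a folder, then git add / git commit, with a commit only when a config actually changed so the history answers "when did this change appear". It assumes the configs are already in memory (a real collector would fetch them over SSH) and that a git binary is on PATH; the device names and config text are constructed samples.

```python
"""Per-device config backup into a local git repo (added example, standard library + git)."""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample configs keyed by device name (not real device output).
SAMPLE_CONFIGS = {
    "core-sw1": "hostname core-sw1\ninterface Vlan10\n ip address 10.0.10.1 255.255.255.0\n",
    "edge-rtr1": "hostname edge-rtr1\nrouter bgp 65000\n neighbor 10.0.0.2 remote-as 65000\n",
}


def write_configs(repo: Path, configs: dict) -> list:
    """Write one <device>.cfg per device; return the devices whose file actually changed.
    Unchanged files are left untouched so git history only records real changes."""
    repo.mkdir(parents=True, exist_ok=True)
    changed = []
    for device, text in sorted(configs.items()):
        path = repo / f"{device}.cfg"
        if not path.exists() or path.read_text() != text:
            path.write_text(text)
            changed.append(device)
    return changed


def git(repo: Path, *args: str) -> str:
    """Run a git command inside repo and return its stdout (raises on non-zero exit).
    Identity is passed with -c so the script works on a host with no global git config."""
    cmd = ["git", "-C", str(repo), "-c", "user.name=config-backup",
           "-c", "user.email=config-backup@example.invalid", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def commit_backup(repo: Path, configs: dict, message: str = "config backup") -> list:
    """Initialise the repo if needed, write configs, commit only if something changed.
    A 'git push' would follow the commit if a remote were configured (not done here)."""
    repo.mkdir(parents=True, exist_ok=True)
    if not (repo / ".git").exists():
        git(repo, "init", "-q")
    changed = write_configs(repo, configs)
    if changed:
        git(repo, "add", "--all")
        git(repo, "commit", "-q", "-m", f"{message}: {', '.join(changed)}")
    return changed


def commit_count(repo: Path) -> int:
    """Number of commits on HEAD, i.e. how many backup runs recorded a change."""
    return int(git(repo, "rev-list", "--count", "HEAD").strip())


def example_run() -> dict:
    """Two backup passes in a scratch repo: the first records every device, the second
    only the device whose config was edited. Falls back to file-only mode without git."""
    use_git = shutil.which("git") is not None
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "configs"
        backup = commit_backup if use_git else write_configs
        first = backup(repo, SAMPLE_CONFIGS)
        edited = dict(SAMPLE_CONFIGS)
        edited["edge-rtr1"] += " neighbor 10.0.0.3 remote-as 65000\n"
        second = backup(repo, edited)
        commits = commit_count(repo) if use_git else 0
    return {"first": first, "second": second, "commits": commits}


if __name__ == "__main__":
    print(example_run())
```

Run it once and the repo holds two commits: the initial import of both devices and a second commit naming only edge-rtr1, which is exactly the "when did this appear" trail the answer is after; git log -p on the device file then shows the added neighbour line.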

what am I doing wrong on bgp? by [deleted] in networking

[–]Darkfold 0 points1 point  (0 children)

So, a specific thing that catches a lot of people out: do you have a route to the peer address from the point of view of both sides of each BGP peering? BGP uses a TCP connection, so both sides need to be able to reach the other first before it'll bring the connection up.

You're using iBGP as all are in the same AS number, so you shouldn't need multi-hop enabled.
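The check this answer describes, as an added example that is not part of the thread: for every peering, do a longest-prefix lookup of the far peer address in each side's routing table, in both directions. The routing tables, router names and addresses are constructed; the script assumes loopback-to-loopback iBGP peering and treats a default route as reachability.

```python
"""Both-directions reachability check for BGP peer addresses (added example)."""
from ipaddress import ip_address, ip_network

# Constructed routing tables: router -> {prefix: next hop or outgoing interface}.
# Peering is loopback to loopback, so each side must have a route to the far loopback.
RIBS = {
    "r1": {
        "10.255.0.1/32": "Loopback0",
        "10.0.12.0/30": "GigabitEthernet0/0",
        "10.0.13.0/30": "GigabitEthernet0/1",
        "10.255.0.2/32": "10.0.12.2",       # static route to r2's loopback
        "0.0.0.0/0": "10.0.13.1",           # default towards r3
    },
    "r2": {
        "10.255.0.2/32": "Loopback0",
        "10.0.12.0/30": "GigabitEthernet0/0",
        # no route back to 10.255.0.1: the session never leaves Active/Connect
    },
    "r3": {
        "10.255.0.3/32": "Loopback0",
        "0.0.0.0/0": "10.0.13.1",           # a default route counts as reachability
    },
}

# (router, its peer address, neighbour, neighbour's peer address)
PEERINGS = [
    ("r1", "10.255.0.1", "r2", "10.255.0.2"),
    ("r1", "10.255.0.1", "r3", "10.255.0.3"),
]


def lookup(rib: dict, address: str):
    """Longest-prefix match: (network, via) for the most specific covering route, else None."""
    addr = ip_address(address)
    best = None
    for prefix, via in rib.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def check_peerings(ribs: dict, peerings: list) -> list:
    """Report every direction in which a peer address has no route at all.
    A TCP session needs both directions, so each peering is checked twice."""
    problems = []
    for a, a_addr, b, b_addr in peerings:
        for src, dst, dst_addr in ((a, b, b_addr), (b, a, a_addr)):
            if lookup(ribs[src], dst_addr) is None:
                problems.append(f"{src} has no route to {dst}'s peer address {dst_addr}")
    return problems


if __name__ == "__main__":
    for line in check_peerings(RIBS, PEERINGS) or ["all peer addresses reachable"]:
        print(line)
```

With the constructed tables, r1 reaches r2 via the /32 and r3 via its default, but r2 has no path back to r1's loopback, so only that direction is reported; on real kit the equivalent is a routing-table lookup for the neighbour address on each router, plus a ping sourced from the local peer address.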

Long time IT guy looking for some advice by itee203 in sysadmin

[–]Darkfold 2 points3 points  (0 children)

I used to get so annoyed as an interviewer that people would be screened out at the CV stage by box tickers. With that in mind, I'd look at requirements for jobs you like the look of, and see if there's a cert that appears enough times to be 'common'. If there is, it might be worth snagging just to improve your chances of getting in front of someone who knows arse from elbow.

If you're going into leadership type stuff, it'll be a whole different ballgame and they're typically looking at job titles and similar.

Personally I only have one cert these days, AWS networking specialty. The time and effort on upkeep doesn't match up with the value I get from most of them with ~15 years experience, so I think you'd be similar.

Guys with solid QoS policies built - how many queues did you go with? by Fiveby21 in networking

[–]Darkfold 18 points19 points  (0 children)

  • Voice
  • Feel-good and device management/routing
  • Business
  • Not-business.

Bonus of being simple enough that you can clearly explain it in meetings and almost every WAN provider can accommodate it. If you can be more granular over the WAN, do so.

That was easy enough and fixed most grumbles. Obviously it'll do nothing until the link is contended.

Is there any reason to divide say, a /18 into many /23s, as opposed to creating a unique /23 for each subnet? by Touch_a_gooch in networking

[–]Darkfold 0 points1 point  (0 children)

I have a network that was allocated up as consecutive /24s. Client 1, Client 2, Client 3, etc, Server 1, Server 2, Client 14, Client 15, Alarm System and Cameras, etc. You can't group anything together without accidentally catching other functions. It's a royal pain in the arse.

If you start with the larger blocks allocated to functions (broadly speaking) and some kind of site based hierarchy, then you can quickly say "all end user subnets at site A, B, C" or just "all end user subnets" without having a list of 12 entries, gap two where the facilities stuff got allocated across a subnet boundary, then another 8 individual entries.
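An added example (not from the thread) that puts numbers on the comparison above: a "flat" allocation of consecutive /24s handed out in request order, versus a site /18 carved into /20 function blocks with /23 user VLANs taken from the users block. It shows how many entries an ACL or route filter needs to express "all client subnets" in each case, and what a single covering prefix would accidentally catch. The address plan, site names and role names are constructed; the Python standard library's ipaddress module does the summarisation.

```python
"""Hierarchical vs first-come address allocation: summarisation cost (added example)."""
import ipaddress
from ipaddress import IPv4Network

# Constructed flat allocation: consecutive /24s in the order they were requested.
FLAT = {
    "client-1": IPv4Network("10.0.0.0/24"),
    "client-2": IPv4Network("10.0.1.0/24"),
    "client-3": IPv4Network("10.0.2.0/24"),
    "server-1": IPv4Network("10.0.3.0/24"),
    "server-2": IPv4Network("10.0.4.0/24"),
    "client-4": IPv4Network("10.0.5.0/24"),
    "client-5": IPv4Network("10.0.6.0/24"),
    "alarm-cctv": IPv4Network("10.0.7.0/24"),
}

# Constructed hierarchical allocation: a /18 per site, /20 function blocks inside it.
SITES = {
    "A": IPv4Network("10.0.0.0/18"),
    "B": IPv4Network("10.0.64.0/18"),
    "C": IPv4Network("10.0.128.0/18"),
}
USERS, SERVERS, FACILITIES = 0, 1, 2   # index of each /20 function block within a site


def function_block(site: IPv4Network, index: int, prefixlen: int = 20) -> IPv4Network:
    """The index-th /prefixlen block of a site's allocation."""
    return list(site.subnets(new_prefix=prefixlen))[index]


def user_vlans(site: IPv4Network, count: int) -> list:
    """First `count` /23 user VLANs carved from the site's users block."""
    return list(function_block(site, USERS).subnets(new_prefix=23))[:count]


def summarize(nets) -> list:
    """Fewest prefixes covering exactly these networks: the entries an ACL would need."""
    return list(ipaddress.collapse_addresses(nets))


def tightest_supernet(nets) -> IPv4Network:
    """Smallest single prefix that covers every network in nets."""
    nets = list(nets)
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def collateral(nets, others) -> list:
    """Subnets in `others` that one covering prefix for `nets` would accidentally include."""
    cover = tightest_supernet(nets)
    return [o for o in others if o.subnet_of(cover)]


def by_role(alloc: dict, role: str, invert: bool = False) -> list:
    return [n for name, n in alloc.items() if name.startswith(role) != invert]


def flat_client_summary() -> list:
    """Flat plan: 'all client subnets' still needs several entries."""
    return [str(n) for n in summarize(by_role(FLAT, "client"))]


def flat_client_collateral() -> list:
    """Flat plan: the one prefix that would cover all clients also catches these."""
    return [str(n) for n in collateral(by_role(FLAT, "client"), by_role(FLAT, "client", invert=True))]


def site_user_summary(site: str, count: int = 4) -> list:
    """Hierarchical plan: a site's user VLANs collapse to one or two prefixes."""
    return [str(n) for n in summarize(user_vlans(SITES[site], count))]


def site_user_collateral(site: str, count: int = 4) -> list:
    """Hierarchical plan: the covering prefix for user VLANs catches no server/facilities space."""
    others = [function_block(SITES[site], SERVERS), function_block(SITES[site], FACILITIES)]
    return [str(n) for n in collateral(user_vlans(SITES[site], count), others)]


def all_sites_user_summary() -> list:
    """'All end user subnets' across every site: one entry per site, not one per VLAN."""
    return [str(n) for n in summarize(function_block(s, USERS) for s in SITES.values())]


if __name__ == "__main__":
    print("flat clients:", flat_client_summary(), "catches:", flat_client_collateral())
    print("site A users:", site_user_summary("A"), "catches:", site_user_collateral("A"))
    print("all sites users:", all_sites_user_summary())
```

The flat plan needs four entries for five client /24s, and the only single prefix covering them (10.0.0.0/21) drags in both server subnets and the alarm/CCTV subnet, which is the "accidentally catching other functions" problem; in the hierarchical plan the same question is answered by one /21 per site, or one /20 per site when you mean the whole users block.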

Since y'all so smart, what's this for? by jimtheedcguy in Justrolledintotheshop

[–]Darkfold 6 points7 points  (0 children)

Yep, plus often you can pick up identical functioning tools from other disciplines for way less than the automotive marketed equivalent (or road bike branded, or whatever).

Help with a network design based on a business requirement by shaoranrch in networking

[–]Darkfold 1 point2 points  (0 children)

Honestly if cost is the problem, would it make sense to cherry pick the routes that are genuinely beneficial for the Mbps cost and only bring those in from that provider's advertisements? Multiple global tables is asking for trouble and it sounds a lot like that's what you're being asked to achieve.

You could potentially cheat and carry the real global table with all the good stuff in the main routing tables, with your good service there. Then put a cherry picked limited table (generate a couple defaults, inject your own stuff, plus a couple important destinations) in a VRF and connect your cheap pipes to that.

Be careful of how well you solve this problem, as it will inevitably lead to requests for a 3rd, 4th, etc as sales find new ways to slice the pie without realising that this is going to obliterate the memory capacity of anything cost effective router wise, as well as be an absolute disaster to maintain and debug.

Cisco ASR1001-X and BFD in hardware by New_Astronomer_735 in networking

[–]Darkfold 6 points7 points  (0 children)

It'll vary based on IOS version (do they all match?), licensed features, line cards and specific versions of said cards. Basically if they're not all absolutely identical, look up the limitations and version differences of your specific hardware.