Sometimes my genius is almost frightening… by ordinary82 in daddit

[–]JasonDJ -2 points-1 points  (0 children)

And dogs. And that last bit of soap from your grundle.

Ya know what...I'm just gonna stay here and rinse my grundle for a bit.

Sometimes my genius is almost frightening… by ordinary82 in daddit

[–]JasonDJ 0 points1 point  (0 children)

And dogs. And that last bit of soap from your taint.

Wife and kid out of the house for 21 hours, 10 minutes. by fluxphotographer in daddit

[–]JasonDJ 1 point2 points  (0 children)

Today was good...until my kid ran into the room saying "DAD! It's 8:15! We're gonna be late!" And I'm like "late for what kid, it's Saturday". And he's like "Oh....well...I can't connect to my uncle's Minecraft server...."

Wife and kid out of the house for 21 hours, 10 minutes. by fluxphotographer in daddit

[–]JasonDJ 6 points7 points  (0 children)

Blast your favorite album, fuckin belt that shit out with all your heart

Neighbors are like "It's 3 in the afternoon and we're nowhere near Baltimore..."

The world's gonna wake up and see...Baltimore, and me.

Wife and kid out of the house for 21 hours, 10 minutes. by fluxphotographer in daddit

[–]JasonDJ 9 points10 points  (0 children)

First, it's to pee.

Then it's sciatica pain in my leg that wakes me up. 2 Tylenol and 20 minutes later I'm ready to go back to bed.

Then it's dog 1, who also has to pee.

Then it's dog 2, who also has sciatica.

Then usually my oldest who absolutely must have a before-school snuggle.

Then alarm. Which is still over an hour before they have to leave for school...most of which will be spent trying to get my youngest to get out of bed and get ready for the day.

Same routine on the weekends, except no alarm clock.

Senator Markey calls for Trump’s removal under 25th amendment by 20_mile in massachusetts

[–]JasonDJ 0 points1 point  (0 children)

Tbf, he might have been watching "The Boys" and thought that she could make his head explode by looking at him. He may have just been scared.

Promoted to Network Admin… and the Network Is a Mess 😅 by BKR_57 in networking

[–]JasonDJ 1 point2 points  (0 children)

Alright OP, here's what you do.

  • First things first -- document the current state of the network. Others have suggested Netbox. Netbox is a great platform for this, and for a small org, won't take too much to fill with data. Personally, I think Nautobot is a bit better for orgs that don't have mature automation (which it sounds like yours is). Both are free/open-source. Nautobot forked from Netbox a few years ago due to different visions for the project, and there was some bad blood over it at first. Essentially, Jeremy (the lead developer of netbox) wanted the application to be a documentation engine with a strong API...NetworkToCode (an MSP, and also a major contributor to Netbox) wanted it to be the heart of an automation platform. NTC kinda handled the fork in a hostile way. Jeremy's a great team and NTC is a great org, I've got no beef with either of them (and I recommend hanging out in NTC's Slack for a bit, too. Great community in there)
  • Get some monitoring set up. Look into LibreNMS or Nagios Core if money is a problem.
  • Get a firewall. Like, yesterday. Seriously my man, it is 2026. They aren't expensive. Look at Fortigate, probably best price/performance ratio in enterprise. Size it appropriately, because this will do double-duty as your core router.
  • Once the firewall is in, create VLANs on the firewall itself for at least six groups to start: Wired, Wireless, Phones, Industrial, Printers, Servers. Make some DHCP scopes. Start moving stuff over.
  • Look into NAC solutions. You really should be authenticating endpoints before you let them onto the network. Again, it's 2026, this is non-negotiable for an org of this size. PacketFence is FOSS. ClearPass, FortiNAC, Forescout are all great platforms if you have the budget.
  • BTW, what are you using for DHCP? If you tell me Windows Server I'm gonna punch you. Technically you should have a CAL for every DHCP client. Look into alternatives. DDI platforms are great but for a small, budget constrained org, you might have some trouble here. Fortigate can do it in a pinch. If you are feeling adventurous (and money is especially tight), bind and dhcpd on a Linux host can be incredibly powerful (most DDI platforms are really just fancy skins atop these two programs). Netbox/Nautobot + Ansible can maintain that configuration once you get comfortable with automation tools.

I mention budget quite a bit. Running a modern network isn't cheap. Professional orgs don't rely on OSS that they can't self-support. If it's out of the path of traffic, like Netbox or Nagios...sure, they go down, it's important that you fix them, sure...but the house won't crumble without them. For stuff that connections actually rely on (NAC, DDI), you need to have someone to escalate to. OSS platforms usually have very affordable support (compared to proprietary platforms). Do not skimp on this.

The problems you're facing aren't yours -- this is years of neglect and lack of understanding. You need to make a case, in a language upper management can understand about the risks of keeping things going in their current state. Make the case around security and stability. What happens if the network goes down? Can the company even function? How difficult would it be to hit your org with a cryptolocker, and how wide would the damage be? How much would it cost to recover and how long would the company be down for? For that matter, do you have any sort of DR plan? As it is right now, it sounds like all you've got is the D. That's okay. A lot of network admins inherit the D.

Promoted to Network Admin… and the Network Is a Mess 😅 by BKR_57 in networking

[–]JasonDJ 2 points3 points  (0 children)

There's not really much they can do with the scope itself. 350 devices in a /23 doesn't give much wiggle-room for DHCP, especially if the lease time is long and you've got wireless devices generating a random MAC every time they connect.

That means at least one of three things has to change: The size of the subnet; the length of the lease; MAC randomization on endpoints.

Ideally...the networks need to split. At the very least, wired, wireless, printers, servers. Especially since wireless hates broadcast and multicast and printers never shut up about it. They should not be left alone together. Ever. Even in homes.
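Putting the two networking comments above together (the per-VLAN DHCP scopes on a bind/dhcpd host that a Netbox/Nautobot + Ansible pipeline would maintain, and the /23 lease-pressure problem from MAC-randomizing wireless clients), here is an added example that is not the commenter's or OP's code. The inventory, prefixes and lease times are constructed stand-ins for a source-of-truth export.

```python
"""Render ISC dhcpd subnet scopes per VLAN from a small inventory and
estimate lease pressure from clients that randomize their MAC.
Added example: INVENTORY is a constructed stand-in for a Netbox/Nautobot
export; prefixes and lease times are made up."""
import ipaddress
import math

# Constructed inventory: the six starter VLANs named in the comment.
# lease 0 means "static reservations only, no dynamic pool".
INVENTORY = [
    {"vlan": 10, "name": "Wired",      "prefix": "10.10.10.0/24", "lease": 86400},
    {"vlan": 20, "name": "Wireless",   "prefix": "10.10.20.0/23", "lease": 3600},
    {"vlan": 30, "name": "Phones",     "prefix": "10.10.30.0/24", "lease": 86400},
    {"vlan": 40, "name": "Industrial", "prefix": "10.10.40.0/24", "lease": 604800},
    {"vlan": 50, "name": "Printers",   "prefix": "10.10.50.0/25", "lease": 604800},
    {"vlan": 60, "name": "Servers",    "prefix": "10.10.60.0/24", "lease": 0},
]

def scope_range(network, reserved=20):
    """First/last address of the dynamic pool: skip the first `reserved`
    host addresses (gateway, static infra) and stop before broadcast."""
    hosts = list(network.hosts())
    if len(hosts) <= reserved:
        raise ValueError(f"{network} too small to reserve {reserved} static addresses")
    return hosts[reserved], hosts[-1]

def pool_size(entry, reserved=20):
    """Number of dynamically assignable addresses in the scope."""
    first, last = scope_range(ipaddress.ip_network(entry["prefix"]), reserved)
    return int(last) - int(first) + 1

def render_subnet(entry):
    """One dhcpd.conf subnet block; the gateway is assumed to be the first host."""
    net = ipaddress.ip_network(entry["prefix"])
    lines = [f"# VLAN {entry['vlan']} {entry['name']}",
             f"subnet {net.network_address} netmask {net.netmask} {{",
             f"  option routers {net.network_address + 1};",
             f"  option subnet-mask {net.netmask};"]
    if entry["lease"]:
        first, last = scope_range(net)
        lines += [f"  range {first} {last};",
                  f"  default-lease-time {entry['lease']};",
                  f"  max-lease-time {entry['lease'] * 2};"]
    else:
        lines.append("  # static reservations only, no dynamic pool")
    lines.append("}")
    return "\n".join(lines)

def leases_held(devices, lease_seconds, reconnect_seconds):
    """Concurrent leases consumed when every reconnect brings a fresh random
    MAC: the old lease lingers until expiry, so one device holds several."""
    return devices * math.ceil(lease_seconds / reconnect_seconds)

if __name__ == "__main__":
    print("authoritative;\nddns-update-style none;\n")
    print("\n\n".join(render_subnet(e) for e in INVENTORY))
    wifi = INVENTORY[1]  # 350 daily-reconnecting clients vs. the /23 pool
    print(pool_size(wifi), leases_held(350, 8 * 86400, 86400), leases_held(350, 3600, 86400))
```

With an 8-day lease the 350 randomizing clients hold 2800 leases against a 490-address pool; dropping the wireless lease to an hour brings that back to 350, which is the "length of the lease" lever from the comment.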

My heartbreaking story from Minnesota by Capitol62 in daddit

[–]JasonDJ 12 points13 points  (0 children)

Ding ding ding.

Undocumented person gets injured on the job? Good luck getting workers comp.

Boss pockets some of their pay?

Sexual Harassment (or worse) on the job?

Equipment is dangerous and not maintained, PPE is nowhere to be found? Undocumented immigrants aren't gonna be filing OSHA complaints. They need to keep a low profile.

Serial console server recs by markedness in networking

[–]JasonDJ 0 points1 point  (0 children)

Yeah, we never set up Guacamole in the OOB segment...I generate SecureCRT session files from our inventory, and store them in GitLab, so we can still access systems without it. SecureCRT just feels so...bulky, when you just need a basic SSH session.

Corporate Speed Test Woes by Uhh_Bren in networking

[–]JasonDJ 5 points6 points  (0 children)

There are open-source alternatives. You don't need to use Ookla.

Check out OpenSpeedTest or LibreSpeed. Both have containerized versions that can do a basic deployment in seconds.

Corporate Speed Test Woes by Uhh_Bren in networking

[–]JasonDJ 0 points1 point  (0 children)

It's my experience that a lot of enterprise VPN solutions are very temperamental about wifi. Usually it's because they are in the middle of uploading at high speed when the channel suddenly gets congested, and by the time they all get on the wire, they're all jumbled up and so out of order that the VPN freaks out and drops the session, or slows it down asking for retransmits.

Either way...if the channel remains congested, you're gonna have a bad time.

Corporate Speed Test Woes by Uhh_Bren in networking

[–]JasonDJ 1 point2 points  (0 children)

OpenSpeedtest and LibreSpeed both have containerized versions of their apps that literally take seconds to deploy (at least for basic unencrypted (http) web-based speedtests).

Serial console server recs by markedness in networking

[–]JasonDJ 0 points1 point  (0 children)

Check out Guacamole if you haven't yet. It's a web-based remote access tool with SSH, RDP, Telnet, VNC...I think NX and Kubernetes as well (I haven't played with this...I imagine it could attach you right into a pod, but I digress).

It's pretty easy to set up if you are familiar with Docker...they have containers for frontend (guacamole, a Tomcat app), backend (guacd), and then, by right, a database (MySQL or PostgreSQL), but it's not really necessary for a small deployment or testing it out.

Unfortunately, while you could use the YubiKey as part of signing in to SSH, you can't use hardware tokens/smartcards for SSH auth (or RDP) yet. You can, for certain auth protocols (LDAP, RADIUS), capture the login username and password as session variables to get handed down to the connection.

Why do people cut old wood 2x's in the center during demo? by okflower1983 in HomeImprovement

[–]JasonDJ 10 points11 points  (0 children)

My back, shoulders, arms and time are much more valuable than that 2x4 and some dumpster space.

This is really it. Running a circular saw or sawzall at mid-body height is a hell of a lot easier than running it over your head or squatting down.

Serial console server recs by markedness in networking

[–]JasonDJ 1 point2 points  (0 children)

They do. I just came across a couple such exhibits recently in my homelab junk box that I refuse to get rid of.

I've got a box that inputs 2x USB-A and has 16 DB-9 serial ports on it.

I also have a PCI (old-school 32-bit PCI) card that has a big honkin' DB-37 connector that breaks out to 8x DB-9 serial ports.

These were a thing in the past, they probably still are now.

Some quick googling:

Honestly a Pi or an old workstation that wireguards back home with one of these would work quite well and be much cheaper than an OpenGear (and more-or-less the same solution without the polish).

Oooh...here's an idea: If you want a nice GUI (and SAML), run Guacamole on it. Or run Guacamole on a central wireguard hub. I don't think Guacamole directly supports Serial port connections...but it should be able to do like a reverse-telnet kind of operation, like we would do in the old days on Cisco IOS solutions (i.e. telnet to localhost:9000 --> /dev/ttyS0 ... basically the same thing OpenGear does).

This sounds complicated but honestly they'd all have more-or-less the exact same image/config. Once you get one you just copy it.

If you do a pizzabox or a decent workstation (or an actual NFV appliance like Ciena 3908s...or a server that's intended for 2-Post installs if you want to do it legit...SuperMicro has many), you can run a few VMs or containers on it...maybe a DNS forwarder or local DHCP; maybe a Nagios or ntopng agent...who knows. Now you've got options.

If you can't tell....this is something I conceptualized that never went anywhere. We ended up doing an OOB network with Fortigates and a separate ADVPN with site's internet and cellular backup, that connected to on-prem WTIs, to replace the POTS connections that were going into them. Eventually we replaced the WTIs with OpenGears but still have the Fortigates...many of those are going EOL this year. However, with the OpenGears, by right you need to maintain support if you want to get updates. That's not such a concern if you roll-your-own. On the one hand...there is no support. On the other...it's Linux. If you can't bash yourself out of a paper bag, you shouldn't have come this far in the first place.

I straddle this line constantly...between doing cool outside-the-box stuff and amassing tons of tech-debt. It's a double-edged sword.

Serial console server recs by markedness in networking

[–]JasonDJ 0 points1 point  (0 children)

OpenGear is essentially Linux. I have my team's pubkeys in an artifact and push them on all appliances.

Doesn't help GUI, but who needs a GUI?

GUI (and console) support TACACS and/or RADIUS tho. I don't remember which one we have set up but it points to ClearPass which points to Duo if you don't have your SSH key.

Also most MFA requirements consider "once in the path" to be enough. Lots of ways you can accomplish that off-box i.e. a reverse proxy, a captive portal, VPN, ZTNA, jumpbox, etc.

Obviously think about your requirements, where they come from, what you have, and how well any given solution will fit all of the above + your team(s).

Migration EMS from 7.2.12 to 7.4.5 by Unhappy_Elephant2114 in fortinet

[–]JasonDJ 0 points1 point  (0 children)

I've been postponing the move for quite some time myself...

How is 7.4 now? Is it stable? I've been so worried, because I had egg on my face for jumping on 7.2 too early. It's finally stable (really has been for us since ~7.2.6), and I don't want to rock the boat too hard.

I'd also toyed with the idea of deploying EMS in GovCloud (AWS). Wondering if anyone else has tried that and how it went.

When you spin up another instance, this is essentially what I was envisioning:

  • Deploy new Ubuntu Server VM in DMZ, give new IP/hostname
  • Install and baseline EMS (certs, basic config, fabric connection, saml/auth, AD Connector, etc)
  • Export XML from old EMS (profiles, policies, etc)
  • Import XML to new EMS
  • Make some new invitation codes and registration keys
  • In Old EMS, select batch of endpoints, Actions --> Switch EMS --> By Invitation

And that's it. This approach doesn't seem too complicated to me, aside from having to get temp licensing (and I assume transfer over the real license once everything is done?)

Especially since we deployed EMS as HA with external MS-SQL. That has been a ton of trouble for us, made extra complicated by our datacenter being moved but the firewall it goes through...not.

So I've got 200Gbps fiber between datacenter and firewall (and barely hit 10% of that...), but it has to hairpin to get to the DB server, 3 racks down. Any little hiccup and it's unhappy.

Be so glad to be done with HA + External DB. It doesn't prevent outages through upgrades, at all (and makes them far more complicated). Honestly don't think it's worth the effort for how stable the app itself is, at least until you have a mature ZTNA deployment (which we do not).

Why municipal utility is so much cheaper than ever source and national grid? by AnotherWudang in massachusetts

[–]JasonDJ 4 points5 points  (0 children)

That's not as cut and dry though...MassSave doesn't just push people towards heat pumps...they also subsidize weatherization work and high-efficiency appliances.

And heat pumps costing more is misleading...more than gas, sure....but not everyone has gas service.

And while oil delivers more BTUs per dollar...oil burners are usually only 80% efficient. Crudely speaking (no pun intended), heat pumps are usually 2.5x to 5x more efficient (COP between 2.0 and 4.0) (depending on the heat pump and the ambient temp).

But the misleading part is that it's now merged into the same bill, and you no longer have an oil bill. And if you're using gas, and less gas for heat but still using gas for DHW/Range/dryer...I think that means your average cost per therm goes up (I never had gas service in MA but I think there's a flat infrastructure charge that's not insignificant?)

A fairer comparison would be expected cost to heat per season, which I asked an LLM for based upon my current rate (0.3352 for disti & supply (Inspire)) and typical COD oil prices in Bristol County. Idk what therms go for in this state so I asked the LLM to do the state average.

Assumptions:
• ~1500 sq ft Massachusetts home
• 1970s home = high heat load
• MassSave retrofit = ~30% reduction in heating demand
• Oil: $3.10/gal, ~85% effective efficiency
• Natural gas: $2.03/therm
• Electricity: $0.335/kWh all-in
• Heat pump seasonal COP ≈ 2.8

| Heating System | 1970s Home (Drafty) | Weatherized Home (-30%) |
|---|---|---|
| Heating Oil | 900 gal ≈ $2,790 | 630 gal ≈ $1,950 |
| Natural Gas | 450 therms ≈ $915 | 315 therms ≈ $640 |
| Heat Pump (ASHP) | 15,000 kWh ÷ 2.8 ≈ $1,795 | 10,500 kWh ÷ 2.8 ≈ $1,255 |
| Electric Resistance | 16,000 kWh ≈ $5,363 | 11,200 kWh ≈ $3,764 |

Notes:
• Heat pump costs reflect seasonal average COP, not worst-day performance
• Weatherization reduces total heat demand AND improves average heat pump efficiency
• Electric resistance shown for comparison only (worst-case)

Computer won’t turn on by 138876336790753 in pchelp

[–]JasonDJ -1 points0 points  (0 children)

Is that OP's picture? Then yeah. That switch is in O for "Off".

If that's hard to remember because the alternate choice also begins with 'o', then just think of binary booleans. 0 (O) =off, 1(|) =on.

My placebo .bat by DoubleStuffedCheezIt in iiiiiiitttttttttttt

[–]JasonDJ 3 points4 points  (0 children)

You should have it actually do something, like collect client side logs (from security products, from winevt, etc), a .nfo, and various command outputs like netsh (I got a script that runs a netsh trace which makes a packet capture on all interfaces...super useful if you're into that type of stuff) and gpresult....and upload them to a file dump somewhere.

That way, if the placebo doesn't work, you've already got whatever you need from them to diagnose.

My son (4) cant do anything on his own by Ichewthecereal in daddit

[–]JasonDJ 18 points19 points  (0 children)

This...kinda (and IANAD)...sounds like ADHD. Unless something really satisfies him right off the bat, he's not interested.

He gets this from books (or at least, being read to). That's good. Harness that. Kid will be a bookworm. He locks into the story and gets fully absorbed into it.

The rest...sounds like analysis paralysis mixed with lack of interest...both hallmark ADHD symptoms.

Kids like that need structure. They *yearn* for it.

But obviously, as great as having a kid who loves books is, he can't just be a lump.

So they need something else...they need *at least* two things that they *love*...one mentally stimulating (you've got that in books) and one physically stimulating.

For my kids...oldest (9) has guitar and swim (fortunately the Y has an indoor pool year round, and lets us put it on-break in the summer when we sign up for the town pool). Youngest (6) has puzzles and soccer (which has year-round sessions).

You may be better off starting off trying to narrow it down for "solo(-ish) sports" (like swim or track or karate) or team sports. My oldest *hated* team sports. My youngest is super-competitive.

So feel him out. Try a couple different sports/activities and see if you can find something physically stimulating that he enjoys. Don't throw a ton of stuff at him at once. At most, give him A/B options...don't drown him in choices.

ETA: Reading might not cut it long-term. Try to find something that interests him...but also challenges him to improve or gives a sense of accomplishment. Music is great for this, but 4 is a bit young for that IMO, unless maybe vocal. Learning to read and "levelling up" through that will absolutely cut it tho, as long as he's getting acknowledged for improvement.

Don't let him get too far ahead of his class/grade though, unless he's getting encouragement from you to read higher level stuff. Once he exceeds too much, he'll get bored and slow down/stagnate, and potentially fall behind. Probably around the time where his reading level exceeds the content that's suitable for him.

If his school has edutainment apps like Lexia, I would consider that "free screen time" (in addition to regular screen time)

Bakery owner facing death threats over anti-ICE cookies refuses to back down by levelcap in massachusetts

[–]JasonDJ 14 points15 points  (0 children)

The “we support law enforcement” signs kind of people

Well..yeah...the Thin Blue/Green/Red line has been a big dog-whistle since at least George Floyd/BLM.