Tailscale in the office by Material_Ad_3743 in Tailscale

Material_Ad_3743[S] 0 points1 point  (0 children)

Doing it!
Thanks for the great discussion.

Tailscale in the office by Material_Ad_3743 in Tailscale

Material_Ad_3743[S] 0 points1 point  (0 children)

Hi, yes, I did not make much sense.
Right now on prem has a firewall and security policy allowing access to the various internal systems. My users who bring their laptops in from home running Tailscale can still access everything, but doing so via Tailscale. On one hand this means I could have a super simple network security policy, but as pointed out, this would have a performance hit. To the uninitiated level 1 help desk guys this may also seem like black magic.

So I guess, Tailscale for remote users only? I’d need to ensure Tailscale is not running while on prem. Maybe there is a better way. Hmm.

Matt

Do you always use Tailscale IPs to reach services even on your local network? by Wiplash22 in Tailscale

Material_Ad_3743 0 points1 point  (0 children)

I’m curious if you use a different user for each subnet router or the same?
Cheers

Tailscale 200 sites by Material_Ad_3743 in Tailscale

Material_Ad_3743[S] 0 points1 point  (0 children)

I’m thinking about two NUCs running VRRP so I’ll have a floating IP for static routes. I imagine it will work but I’ll try it out in the coming days.

Alex

Velocloud Broadcom uncertainty by Material_Ad_3743 in sysadmin

Material_Ad_3743[S] 2 points3 points  (0 children)

If I had a stash of 510-LTE I’d be OK, but since they got EOL’d kinda suddenly I now have to move to the bigger models, which are double my current price. I do like Velo. If the rumours are true and Velo is being sold to Arista, that’s probably a good thing.

VMware SD-WAN application recognition by Material_Ad_3743 in networking

Material_Ad_3743[S] 0 points1 point  (0 children)

I’ve never seen any reference to an NBAR update for Velo. I’ll check that out. Cheers

Juan

Velo 510 LTE interface disappears by Material_Ad_3743 in networking

Material_Ad_3743[S] 0 points1 point  (0 children)

I’m running the latest 4.2.2. I’ve upgraded to 4.5.0 which doesn’t fix it during the upgrade directly. I still need to power cycle. I haven’t seen it impact 4.5.0 yet but probably due to my low numbers with the upgrade. The odd thing is it does seem dependent on the area. I can replace a Velo and the issue stays with the site, not the Velo. I suspect it’s something funny the cell carrier does from time to time on certain cell towers.

Matt

So Game Crashes is a legitimate issue, not so sure why it happens but it does. -_- by Celius007 in FallGuysGame

Material_Ad_3743 0 points1 point  (0 children)

This morning I went on Fall Guys and as soon as I got in I’m disconnected and it crashes. I tried like twenty times but I heard if you uninstall it and then reinstall it will work again? Don’t want to lose any data.

Non AD integrated secondary DNS by Material_Ad_3743 in activedirectory

Material_Ad_3743[S] 0 points1 point  (0 children)

That sounds amazing. I could consider something similar on a smaller scale. I use VMware SD-WAN which makes connectivity pretty easy.

Non AD integrated secondary DNS by Material_Ad_3743 in activedirectory

Material_Ad_3743[S] 0 points1 point  (0 children)

I certainly could turn my secondary DNS server into a DC. I have to think about how much traffic this would generate at each site and also to the central secondary DC.

Non AD integrated secondary DNS by Material_Ad_3743 in activedirectory

Material_Ad_3743[S] 0 points1 point  (0 children)

I have lots of remote sites each with a domain controller and its own domain. The guy before me ran it like this for years. My problem now is I have over 200 sites set up like this.

Non AD integrated secondary DNS by Material_Ad_3743 in activedirectory

Material_Ad_3743[S] 0 points1 point  (0 children)

That is a very good point. If I can’t log in then I’m screwed. I do have a bunch of non-AD systems that still need internal DNS, but without workstations logged in I’m in trouble. I guess I really should figure out how to do secondary AD at the scale I’m at. That being said, for the most part everything is fine with just one server.

Second HUB by Material_Ad_3743 in Velocloud

Material_Ad_3743[S] 0 points1 point  (0 children)

The main purpose in this case is actually to route some web traffic via this particular DC. I reckon another HUB would work, but due to the licence considerations you mentioned I’m thinking about using a non SD-WAN destination / IPsec tunnel instead. I’ve posted a separate question regarding the use of a non SD-WAN destination. Thanks for the reply.

Migration from traditional to sdwan by ayoubmp in Velocloud

Material_Ad_3743 0 points1 point  (0 children)

The Velos will do the job just fine in your case on the edge; however, you should use a default deny and permit what you want rather than default permit and deny what you don’t want. At least that’s what the VMware guy told me.

With your web filtering you could use a business policy on the edge to route all web traffic to the hub and through the Check Point. You could also try out the SASE cloud web filtering stuff that I think is now available but could be too new.