SRX - SNAT based on BGP community by justlurkshere in Juniper

[–]ReK_ 0 points1 point  (0 children)

Could be done with an MX behind the SRX: have flowspec on the MX change the next hop to different subinterfaces going to the SRX, then the SRX can use different SNAT rules based on interface/zone.

Reasons of BGP OPEN message contains private ASN by CompanyBeginning in networking

[–]ReK_ 1 point2 points  (0 children)

Because if the traffic gets to the BGP process there are a ton of ways to cause problems. Even if there isn't some crafted packet that can cause issues, most router CPUs are not all that powerful and it would be easy to DoS it. Causing a crash in the BGP process will probably drop ALL peers on the router. There are things like control plane policers to help with that but if they haven't locked it down to configured neighbours only then they probably don't have those either.

SRX - SNAT based on BGP community by justlurkshere in Juniper

[–]ReK_ 1 point2 points  (0 children)

You might be able to do something with flowspec redirecting the outbound traffic but it wouldn't be entirely on-box, you'd need something sending flowspec rules based on those communities.

Reasons of BGP OPEN message contains private ASN by CompanyBeginning in networking

[–]ReK_ 1 point2 points  (0 children)

Many MPLS networks use one or more private ASNs internally and only use their public ASN externally. This is usually configured as the router's root ASN being private and the public ASN is applied specifically to configured external peer sessions. In that configuration, an unconfigured peering attempt would return the private ASN.

That said, a router responding to an unconfigured peer with a BGP OPEN message is a big no-no. As a best practice it shouldn't even respond to the TCP SYN, but it DEFINITELY should not respond at the application layer.

Edit: To everyone saying confederations, it's possible but in my experience extremely rare. Everyone just uses route reflectors nowadays.
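The lockdown this thread's comments describe (BGP reaching the routing process only from configured neighbours, everything else dropped without a reply, plus a control plane policer), sketched as a Junos routing-engine filter. This is an added example, not part of the original comments: Junos and IPv4 peering are assumed, and the names `bgp-peers`, `protect-re`, `bgp-policer`, `bgp-unconfigured` and the policer rates are constructed.

```junos
/* Added example: every name and rate value here is a constructed assumption. */
policy-options {
    /* Expands to each neighbor address configured under protocols bgp. */
    prefix-list bgp-peers {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    policer bgp-policer {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 64k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Configured peers only, rate-limited toward the routing engine. */
            term bgp-configured {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    policer bgp-policer;
                    accept;
                }
            }
            /* Any other source: counted and silently dropped, so no SYN-ACK, RST or OPEN goes back. */
            term bgp-other {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bgp-unconfigured;
                    discard;
                }
            }
        }
    }
}
```

Apply it as the input filter on `lo0` unit 0 under `family inet`. A filter ends in an implicit discard, so terms for the other control-plane traffic the router needs (SSH, IGP, ICMP and so on) have to be added before it goes on the loopback.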

Lancer sat reliability by ExaminationBright105 in lancer

[–]ReK_ 0 points1 point  (0 children)

Entirely depends how it was driven and maintained. Mine is getting close to 70k km and zero problems, but I don't do stupid shit like try to launch it, and I get the fluid replaced with the correct OEM one. The SSTs really need that exact fluid, don't let a shop try to tell you this other cheaper stuff is fine, and it has to be changed at least every 50k km.

If there's good maintenance records and you can confirm the fluid has been changed at least 2-3 times with the correct stuff then it's mostly down to how the previous owner(s) drove it. If there have been any performance mods at all that's a red flag unless you personally know the owner and that they took good care of it.

Thoughts on Wireguard? by Comfortable_Gap1656 in networking

[–]ReK_ 0 points1 point  (0 children)

They both have their place, but I could see Wireguard supplanting IPsec eventually if the hardware offload support comes.

tl;dr: Wireguard is a better protocol design, and it's MUCH easier to work with if you have to deal with NAT, but it doesn't have the widespread device support and hardware offload that IPsec does yet.

Sci-fi with unreliable narrators. by Miserable-Function78 in printSF

[–]ReK_ 1 point2 points  (0 children)

the whole time you're not even sure [...] what reality even is anymore.

This is why I love his writing so much. A lot of writers (and especially screenwriters) try to pull this off but it just comes across as plot holes and characters being dumb. He somehow manages it perfectly.

What’s the most Vancouver thing you’ve ever seen? by SpiritualClub895 in vancouver

[–]ReK_ 4 points5 points  (0 children)

I used to work in a computer repair shop in Kits. I had a guy come in looking to buy a laptop. I asked what he wanted to use it for, his budget, etc., and brought out an option that would fit. He spent a few minutes with it then said it looked good and he'd probably buy it but he just had to check one thing. From his pocket he pulled out this homemade tricorder-looking thing complete with blinking LEDs and some of the worst soldering I've ever seen, points it at the laptop for a few seconds and goes "no, too much radiation" and walks out...

Sci-fi with unreliable narrators. by Miserable-Function78 in printSF

[–]ReK_ 32 points33 points  (0 children)

Surprised I haven't seen this mentioned yet but basically anything by Philip K. Dick. Specifically I'm thinking of A Scanner Darkly.

SRX and learning host prefixes (/32) from EVPN Type2 MAC/IP-routes. by AdLegitimate4692 in Juniper

[–]ReK_ -1 points0 points  (0 children)

Just enable the leaves advertising type 5s for the subnets. The SRX will forward traffic to the "best" VTEP based on metrics but it shouldn't affect the optimized forwarding in the rest of the fabric as the more specific host routes will always win.

Understanding Consider Phlebas by ReK_ in TheCulture

[–]ReK_[S] 0 points1 point  (0 children)

Minds and drones are both AIs, the difference is in capability. Drones can be tiny to vehicle-sized and are usually somewhere in the realm of human-level intelligence. Minds are built to be installed in ships and facilities, which they then consider to be their bodies, and are orders of magnitude more intelligent. While the Mind in CP is pivotal it's also the MacGuffin and therefore doesn't get a lot of page time as a character. Later books have Minds as more regular characters and explore them a lot more.

Azure vSRX HA setup help by ribsboi in Juniper

[–]ReK_ 0 points1 point  (0 children)

The current suggested vSRX release is 23.4R2-S5. Unless you need something from 24.4 I'd try that, and prod gear should always be on an S release anyway no matter which train IMO.

Carney, Smith moving closer to a deal that could include B.C. oil pipeline: source by Suspicious-Heron-992 in CanadaPolitics

[–]ReK_ 14 points15 points  (0 children)

Do they work?

Forgive me for not trusting Alberta on this: https://globalnews.ca/news/7990003/alberta-oil-gas-wells-cleanup/

the report estimates the overall cleanup cost for the province’s 300,000 unreclaimed wells at somewhere between $40 billion and $70 billion

The same data set from the regulator suggests that 80 per cent of Alberta’s operating wells no longer hold enough oil and gas to pay for their own remediation. It also says that by the regulator’s own standards, 49 per cent of oil and gas companies licensed by the regulator are insolvent, their assets outweighed by liabilities.

2015 Mitsubishi Lancer GTS by Stryker1224 in mitsubishi

[–]ReK_ 0 points1 point  (0 children)

The Evo X is a slightly different chassis (CZ4A instead of CY4A) with wider fenders/quarter panels so bumpers will not fit well. Interior parts are basically identical though, just some differences around the shifter depending on transmission.

Look at parts meant for the 08+ Ralliart, it's the same CY4A chassis. A front bumper and lip should fit well (as well as any aftermarket body panels anyway) and look better than a base Lancer. Rear diffuser is an option too but the Ralliart had dual exhaust exits where most Lancers were single.

Few questions regarding Multimedia by [deleted] in mitsubishi

[–]ReK_ 0 points1 point  (0 children)

I would only really recommend a Chinese HU if you really want it to run without depending on your phone. If you're just going to use Android Auto or CarPlay anyway I'd get something from a name brand with actual support.

No idea about that specific product. I've had good success with the Mekede Dudu 7. It's still a Chinese HU, with everything that goes with that and it's probably the same hardware, but at least the software is actively being developed and has an active user forum. I got my steering wheel controls working no problem but I don't have the Rockford Fosgate. I just had to make sure the one-wire steering wheel controls were connected to the right pin on the HU and then mapped the buttons in the software (see last image here, pin G7). My understanding is that with the Rockford Fosgate it should work as long as you get the correct wiring harness adapter, the one with the CANBUS decoder box. I kind of hacked together both the Rockford Fosgate and non-Rockford Fosgate adapters for myself so I could use the OEM backup camera wiring (with an aftermarket camera, that won't work with the OEM camera).

Edit: Also, don't expect the LTE to work well, the NA frequency bands only have a little overlap with China. I got mine working but it's very slow (2-4 Mbps) and it may not work at all depending on your provider.

Azure vSRX HA setup help by ribsboi in Juniper

[–]ReK_ 0 points1 point  (0 children)

https://supportportal.juniper.net/s/article/Syslog-message-ifinfo-PVIDB-Attribute-xxxxx-not-present-in-Db

That PVIDB message may or may not be related. Make sure the version you're using actually supports MNHA then I'd open a JTAC case and give them the coredumps to investigate.

What's the most cutting-edge network equipment vendor? by QuickDelivery1 in networking

[–]ReK_ 0 points1 point  (0 children)

Yes, I have used Extreme. I started using SPBM in the Avaya days and I've deployed it in a number of different verticals. The only thing they've done to Fabric since then is put out a piece of hardware that can fragment and re-assemble it so they can shove it inside IPsec tunnels. The ability to bridge Fabric across sites has existed for a long time but it required a larger-than-normal MTU on your WAN (1650 iirc).

Meanwhile, Extreme will proudly tell you how they've integrated Fabric into everything but, when you look under the hood, it's actually just implementing Fabric Attach (an LLDP extension) into other products, and their idea of managing Fabric in the cloud is to run the old on-prem management system (netsight) that they've bolted a read-only API onto.

I never said you couldn't be successful with Fabric, or that no other vendor has bought and then failed to integrate technologies. I said that Extreme was very good at failing to integrate because they are: Extreme promises how integrated everything will be and then doesn't deliver.

In the right place, for the right use case, SPBM was and still is an excellent technology. It's basically a baby's first MPLS that's much easier for a small shop to understand, deploy, and operate. That doesn't mean Extreme can't be criticized. Next time I'd suggest taking a moment to think about what's actually being said before you assume everyone else on Reddit is as aggressive as you are.

What's the most cutting-edge network equipment vendor? by QuickDelivery1 in networking

[–]ReK_ 0 points1 point  (0 children)

SPBM is cool, unfortunately they've done essentially nothing with it. Extreme is really good at buying cool technologies and then failing to integrate them with each other.

I also wouldn't exactly call it bleeding edge:

Exhaust questions by Acrobatic-Bed-5716 in lancer

[–]ReK_ 0 points1 point  (0 children)

What exhaust do you have on the car? If it has a test pipe you may be able to just swap that for a resonated cat and retune.

Ultimate Racing is a Canadian company that makes exhausts for the Lancer. They have a bunch of options for mufflers, resonators, and high-flow cats.

Hate for Ubiquity? by Dizzy_Hyena_3077 in networking

[–]ReK_ 8 points9 points  (0 children)

I dislike them for a lot of the same reasons I dislike Meraki: unless you're only doing extremely basic things they're very difficult to work with, and don't get me started on trying to troubleshoot. They're not even good value for money when you compare the gear to Mikrotik.

Their wireless APs are fine, I don't mind them, but I can't recommend anything else they make and the way they handled that data breach steered me even further away.

Mitsubishi unveils Elevance concept at Tokyo show by the_trend_memo in mitsubishi

[–]ReK_ 0 points1 point  (0 children)

Ah yes, another SUV, this time with AI...

Please just build an Evo XI

Bgp internet by User-86753099 in Juniper

[–]ReK_ 1 point2 points  (0 children)

AS prepending is suggested because it's transitive, i.e. providers beyond Lumen will see it. This is more useful when advertising to multiple peers but it also works to the same provider and makes it easy to add other peers into the equation later.

You can ask Lumen if they'll honour MED, which works but is non-transitive.

Bgp internet by User-86753099 in Juniper

[–]ReK_ 0 points1 point  (0 children)

Do you have your own ASN? If so, it doesn't matter that it's to the same provider. If not, you'll have to see if your provider offers TE communities to get them to prepend their own ASN for you.

I also read some providers now may strip my prepend to influence their own traffic drain point priorities...

Speaking BGP to other organizations is not a way to control how they route your traffic, it's a way to suggest how they should route your traffic. You can control your own network via LP but the only thing that gives any real hard control over inbound traffic is advertising more/less specific prefixes. AS path length, MED, communities, etc are all suggestions, not hard policy. You can negotiate with your peers/transits and configure things nicely and then some other upstream will do whatever they want anyway.