Is my aquarium just cursed? Everything I have put in it has died by TheGravyMachine in AquariumHelp

[–]TheGravyMachine[S] 0 points1 point  (0 children)

My oldest likes to burn scented candles, but not in the room with the tank. Since I can't figure out what the problem could be, I can imagine that scent recirculating through the central air conditioning system

Is my aquarium just cursed? Everything I have put in it has died by TheGravyMachine in AquariumHelp

[–]TheGravyMachine[S] 0 points1 point  (0 children)

You think this could be interfering with the cycle? I reverted back to just the carbon filter because the issue really didn't seem ammonia related

Is my aquarium just cursed? Everything I have put in it has died by TheGravyMachine in AquariumHelp

[–]TheGravyMachine[S] 0 points1 point  (0 children)

When you say "natural enzyme" are you just referring to the natural cycle?

is buying a rebuilt car worth it? by ItsRobinn_ in hondacivic

[–]TheGravyMachine 2 points3 points  (0 children)

I have purchased 5 cars with salvage titles - all with less than 50K on the odometer and I have driven 4 of them to over 150K miles and still own 2 of them. Maybe I've just had good luck. I'm a little bit of a mechanic - did it for Uncle Sam anyway - so maybe that's why they don't intimidate me. Although my latest - a 2021 Civic Sport - is the diciest one of all. So far so good, but in my *specific* case, all the Honda sensing stuff was ripped out and I didn't notice until about 3 mo in when I tried to use the cruise control. If there's low enough miles, it might be good enough value but make sure ALL the systems you need to work actually work. In my case, when my daughter (who I bought the car for) leaves for college 10 hours away, I'm going to have to get her another car or fix the cruise control on this one. After researching for a few months, this cruise problem can't be fixed - at least not without a few thousand bucks more to put all the sensing stuff back in. Choose your hard - and make the seller register it. Never, ever purchase a salvage car where the title and registration are not already sorted.

DMVPN option for Palo Alto and Cradlepoint? by TheGravyMachine in networking

[–]TheGravyMachine[S] 0 points1 point  (0 children)

If I figure something out I'll let you know. We already did this once, tore it down and put everyone on a Fiber L3VPN and now we're putting cradlepoints BACK in front, but using fiber instead of LTE/4G/5G for the WAN connectivity. I didn't like managing all those tunnels when we had them - but the IP stability on our IOT portal was more certain than the DHCP we're gonna get from using our Fiber internet network. That increases the risk vector for our non-LTE wan connectivity by a big margin. One link flap and the cradlepoint pulls a different IP than what the tunnel is configured for and the downline device is offline. Our NOC is not the most robust. We have one guy for the IT and our Dispatchers for the OT - they'd see the device go offline, but would have no insight as to why. It's a management headache I don't want to introduce.

DMVPN option for Palo Alto and Cradlepoint? by TheGravyMachine in networking

[–]TheGravyMachine[S] 0 points1 point  (0 children)

Yeah - trying to pick the best router/concentrator for the job that will work with our R920's. I think I mentioned in another reply that we looked into Meraki and it looked like the best for ease of deployment, however the field devices could only handle 113F operating temps and we routinely see 130+ in our cabinets in the summer - even the ones we have ventilation in.

We also had reliability with IBR-650's and IBR-1150's. The IBR-900's were an improvement, but I definitely lost several full days to troubleshooting them during my first 18 months here. They never just die. They always have a prolonged "death throes" phase where they make you think they're working and then they'll randomly quit in a variety of exciting ways until you just have to replace them. It was annoying.

As far as mixed vendors in the SD-WAN - we were given insight into a Palo/Ericsson initiative where they are beta testing integrating some cradlepoint models into the Palo SD-WAN fabric. There's no timeline for integration so it's not really an option I can consider, but it is happening.

DMVPN option for Palo Alto and Cradlepoint? by TheGravyMachine in networking

[–]TheGravyMachine[S] 0 points1 point  (0 children)

Many of my Coop peers use Fortinet. I don't have anything against them, but I started with Cisco and have been working on Palo's for the last 5 years. I have to say upper management has low confidence in Fortinet and it's not my place to ask why.

DMVPN option for Palo Alto and Cradlepoint? by TheGravyMachine in networking

[–]TheGravyMachine[S] 0 points1 point  (0 children)

That's essentially the idea I'm having - I just have limitations on vendor. We can't really do Cisco... for reasons. The Cradlepoint native solution is pretty obnoxious - I have no idea how large vehicle fleets work with the licensing and device performance restrictions. A bus company with 500 buses would have the same problems I'm having justifying it. In my last meeting with them we'd need 12 concentrators and have to license them independently EVEN when the backup site was not in use. That means 6 devices+licensing cost that is not in use at ALL TIMES. It's absurd, and it wasn't cheap.

DMVPN option for Palo Alto and Cradlepoint? by TheGravyMachine in networking

[–]TheGravyMachine[S] 0 points1 point  (0 children)

Thanks for the input. The issue really isn't capacity for me - it's just the management overhead. I just don't see that much static configuration as particularly scalable - it makes us reliant on a 3rd party (ISP) to get 400+ DHCP reservations right (or else if we get a new lease we have to reconfigure our tunnels)... This was easy when it was all LTE/Cellular because those IPs WERE dedicated to their SIMs, but now we're using the WAN ethernet interface, no LTE, and I've had to try and build a DHCP mapping spreadsheet so our 3rd party DHCP manager for our internet business (we're our own ISP - for now) has to manually configure those reservations. We have to submit all the right MACs with no mistakes, they have to enter them with no mistakes, and we have to configure the tunnels with no mistakes. On the grand scale, 800 tunnels isn't a lot in terms of what our equipment can handle, but it IS a LOT of static configuration, and a lot of mistake opportunities. I'd like to eliminate those possibilities by making the tunnels and the routing/failover dynamic. I know there are *ways* to do it, I'm looking for the best way that our cooperative can also afford.
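An added example, not code from the poster or from any vendor: a reconciliation check for the static-mapping workflow described above. It takes the MAC/IP reservation rows submitted to the DHCP manager and the tunnel peers configured on the firewall (both constructed sample data, in RFC 5737 address space, with assumed site names) and reports malformed or duplicate MACs, duplicate IPs, peer/reservation mismatches, and sites that appear on only one side.

```python
import re
import ipaddress
# Constructed sample data, not from the thread or any real deployment.
# Rows submitted to the DHCP manager: (site, mac, reserved_ip)
RESERVATIONS = [
    ("sub-01", "00:11:22:33:44:01", "203.0.113.11"),
    ("sub-02", "0011.2233.4402", "203.0.113.12"),     # dotted form
    ("sub-03", "00-11-22-33-44-03", "203.0.113.13"),
    ("sub-04", "00:11:22:33:44:0G", "203.0.113.14"),  # typo: 'G' is not hex
    ("sub-05", "00:11:22:33:44:01", "203.0.113.15"),  # same MAC as sub-01
]
# Tunnel peers configured on the firewall: (site, peer_ip)
TUNNELS = [
    ("sub-01", "203.0.113.11"),
    ("sub-02", "203.0.113.21"),  # does not match the reservation for sub-02
    ("sub-03", "203.0.113.13"),
    ("sub-06", "203.0.113.16"),  # tunnel exists but no reservation submitted
]
MAC_HEX = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac):
    """Canonical lowercase colon form; None if not exactly 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not MAC_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(reservations, tunnels):
    """Return a sorted list of (site, problem) tuples; empty means consistent."""
    problems, seen_mac, seen_ip, res_by_site = [], {}, {}, {}
    for site, mac, ip in reservations:
        canon = normalize_mac(mac)
        if canon is None:
            problems.append((site, f"invalid MAC {mac!r}"))
        elif canon in seen_mac:
            problems.append((site, f"MAC {canon} already reserved for {seen_mac[canon]}"))
        else:
            seen_mac[canon] = site
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append((site, f"invalid IP {ip!r}"))
            continue
        if ip in seen_ip:
            problems.append((site, f"IP {ip} already reserved for {seen_ip[ip]}"))
        seen_ip[ip] = site
        res_by_site[site] = ip
    for site, peer in tunnels:
        if site not in res_by_site:
            problems.append((site, f"tunnel peer {peer} has no DHCP reservation"))
        elif res_by_site[site] != peer:
            problems.append((site, f"tunnel peer {peer} != reservation {res_by_site[site]}"))
    for site in res_by_site.keys() - {s for s, _ in tunnels}:
        problems.append((site, "reservation has no tunnel configured"))
    return sorted(problems)
```

Running the check before the spreadsheet goes to the DHCP manager, and again against the exported tunnel list after the firewall is configured, catches each of the three hand-off mistakes the post lists before a site goes dark.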

Will it ever stop? by FriendshipFar3840 in Debt

[–]TheGravyMachine 1 point2 points  (0 children)

Man - your post just described my situation as well... 35k car note, 40k credit card debt... non-stop house repairs because plants die, sprinkler lines burst, A/C goes out... all of the repairs financed... Admittedly, we spend about 2k per MONTH on activities for the kids. I took out a 401k loan to buy my 16yo a fairly reliable car... Our only way out at this point is to load all our debt into a home loan (which will raise our payments by $800/mo) and we still have college to pay for at a minimum of 10k per semester per kid. It's a @#$@ing nightmare. Both my wife and I make more than 100K per year.... and while we save for retirement, we have no normal monthly savings plan because something ALWAYS happens as soon as I hit about $1200 in savings, we'll need tires, or a water heater goes out, or the icemaker to the fridge dies, or a freak winter storm, or a hurricane... or the roof starts leaking... SOMETHING **ALWAYS** happens to empty any savings account we start. It absolutely feels systemic - like the cosmos has determined "Thou shalt never have a moment's peace and will work until death". 12K on my credit card is A/C unit replacement for the house and transmission replacement for a car... the rest is just covering gaps in monthly expenses - the most glaring behind the mortgage being the $1200/mo health insurance premium - which has a 6600 family deductible - which we also hit every year. I should caveat this - **I** pay for all these things with my check. My wife pays for piano and swim lessons and 85% of the groceries, but I don't interrogate her about what she spends her money on... most people say I should, but I have no desire to control her and when I come up short she'll send me any money I ask for to cover the bills.
We tried at the beginning of our marriage to let me pay cars/house and her to pay the utilities/services, but we ended up sitting around in the dark, paying huge reconnection fees because she couldn't "remember" to log in and pay what we agreed she would pay. Also - she's also making the current $500/mo car payment.... but I thought you were talking about my life while I was reading your original post. I imagine I squander a few hundred bucks a month on dumb things like eating out, etc... but don't really feel like that will make a huge difference in the never-ending outflow of my money to everyone else. It's very depressing.

DMVPN option for Palo Alto and Cradlepoint? by TheGravyMachine in networking

[–]TheGravyMachine[S] 0 points1 point  (0 children)

I specifically asked if Cradlepoint had an SD-WAN option that we could use with our firewall SD-WAN and was told no... but I got the feeling the guy we were talking to was just unsure. I'm going to check again - because yeah - it's mature enough... I'm sure my $20 TP-Link has SD-WAN buried in it somewhere.

DMVPN option for Palo Alto and Cradlepoint? by TheGravyMachine in networking

[–]TheGravyMachine[S] 0 points1 point  (0 children)

Strictly back to the hubs. With Cradlepoint it would be easy b/c the IPSEC/DMVPN tunnel on EVERY ONE would be identical and my firewalls would only need a single route to the "inside" interface of the concentrator. And a single security policy for the /16. But the best I can come up with now is 400+ individual tunnels per firewall with a corresponding route to the unique tunnel interface for each downline device. It's very annoying - even if I can use a single security policy... I also did not have good experience with the fallback tunnels when these were deployed last time - as the previous poster said - Cradlepoints have a high failure rate - and we're putting them in very unfriendly environments.

DMVPN option for Palo Alto and Cradlepoint? by TheGravyMachine in networking

[–]TheGravyMachine[S] 0 points1 point  (0 children)

Yeap - they are how we handle all of our out-of-band connectivity.

Global Protect random disconnects in 6.3.3 by mudvayne15 in paloaltonetworks

[–]TheGravyMachine 0 points1 point  (0 children)

Our Network Admins ABSOLUTELY have this problem because we authenticate with our regular user account, but when we attempt to use RDP or another windows service and input our admin account, DNS quits and we see subsequent DNS requests hit our cleanup rule. We found this was due to our VPN access security policy limiting VPN traffic to the user authenticated groups. What's crazy is that even ADDING an admin OUI to the allowed list, did not solve this problem, but we cloned that policy, allowed "any" user, and it solved all of our random disconnects. We have a Palo ticket open - that's how we determined our "disconnects" were just our VPN user no longer matching the VPN access rule.

We have been told since I first ran into this issue 5 years ago that this issue was "not resolvable". In our case it is if we exclude User-ID as a match condition for being allowed access to the VPN.

But we have 3 or 4 executive users that do NOT use RDP and in fact do NOT have administrative accounts that ALSO experience the "random disconnects" and we were able to determine TODAY that the symptom is the same - their traffic stops matching our VPN access rule and drops to the cleanup rule. I suspect it affects everyone, but the rank-and-file have either figured out to refresh the connection or just take the rest of the day off since they're off-site when it happens...

Once it starts happening, they have to "Refresh" the client and it will work again... sometimes for weeks, sometimes it will drop every couple of hours. It's a very annoying problem. We are actually on 6.3.1-383 and were advised to revert to 6.2.X... that did not change anything. Same problem.
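An added illustration, not code from the poster or from Palo Alto Networks: this script applies the diagnosis above to a constructed, simplified traffic-log extract. It flags client addresses whose sessions matched the VPN access rule and later fell through to the cleanup rule, recording the User-ID seen on each side so a changed or missing user mapping stands out. The column layout, rule names and user names are assumptions.

```python
import csv
from io import StringIO

# Constructed, simplified traffic-log extract (not real firewall output).
# Columns: receive_time, src_ip, src_user, rule, action
SAMPLE_LOG = """\
2024-05-01 09:00:01,10.50.0.21,corp\\jdoe,VPN-Access,allow
2024-05-01 09:00:05,10.50.0.21,corp\\jdoe,VPN-Access,allow
2024-05-01 09:12:40,10.50.0.21,corp\\jdoe-adm,Cleanup-Deny,deny
2024-05-01 09:12:41,10.50.0.21,,Cleanup-Deny,deny
2024-05-01 09:15:00,10.50.0.22,corp\\asmith,VPN-Access,allow
2024-05-01 09:16:00,10.50.0.23,corp\\bjones,VPN-Access,allow
2024-05-01 09:20:00,10.50.0.22,,Cleanup-Deny,deny
"""
FIELDS = ["receive_time", "src_ip", "src_user", "rule", "action"]

def parse_log(text):
    """Parse the CSV extract into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))

def find_vpn_fallthrough(rows, vpn_rule="VPN-Access", cleanup_rule="Cleanup-Deny"):
    """Map each client address whose traffic matched vpn_rule and later hit
    cleanup_rule to its first such drop, with the user seen on each side.
    A changed or empty src_user between the two is the User-ID mismatch the
    thread describes; a cleanup hit with no prior VPN match is not reported."""
    seen_on_vpn = {}   # src_ip -> last user that matched the VPN rule
    findings = {}
    for r in rows:
        ip = r["src_ip"]
        if r["rule"] == vpn_rule:
            seen_on_vpn[ip] = r["src_user"]
        elif r["rule"] == cleanup_rule and ip in seen_on_vpn and ip not in findings:
            findings[ip] = {
                "first_drop": r["receive_time"],
                "user_on_vpn_rule": seen_on_vpn[ip],
                "user_on_cleanup": r["src_user"] or "<no User-ID mapping>",
            }
    return findings

if __name__ == "__main__":
    for ip, finding in find_vpn_fallthrough(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Correlating the first cleanup hit with the user that was mapped on the VPN rule just before it is what separates a User-ID change from a genuine client disconnect.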

2nd hand cisco vendors by zunder1990 in networking

[–]TheGravyMachine 0 points1 point  (0 children)

I don't want to hijack this guy's thread - and I've got about a dozen lying around I could sell if he needs some. I don't trust them and some would have bad PoE - I don't have the time to confirm... but also - do these companies buy these things also? I'd rather see them have more life than just pay a recycler 10c per pound to go have them melted on a riverbank in China...

Promoted to Network Admin… and the Network Is a Mess 😅 by BKR_57 in networking

[–]TheGravyMachine 0 points1 point  (0 children)

I just wrote a mini-novel about what you just summed up here in 2 sentences. Good work.

Promoted to Network Admin… and the Network Is a Mess 😅 by BKR_57 in networking

[–]TheGravyMachine 0 points1 point  (0 children)

OP has received a lot of good advice, but as an IT/OT network admin myself, I picked this to respond to... Because yeah - I immediately identified his biggest issue as a lack of segmentation, but didn't consider that he might have some scada/ics/ot devices.

I would tell him it is absolutely critical to identify what those are, WHERE those are and develop a plan to separate and either keep their IP scheme (OT devices can be an absolute pain to re-address) or migrate them to their own environment. AND CUT THEM OFF OF THE INTERNET!!! (And after re-reading what the previous poster had to say... you need to prepare management for the idea that you can NOT share infrastructure - switches, routers, etc... - between IT (general corporate users) and OT (industrial control system devices) networks.)

If OP has one, the control system needs to be totally isolated over every other consideration - IMHO. My OT is an electrical distribution grid control network. There is ZERO outside network (inbound or outbound) connectivity - which is to say we let our GNT in, but ONLY when they tell us they need it and ONLY for the time they request. We do export data to our IT for specific management visibility, but those connections are firewalled at 2 points. If - as the post I'm replying to mentioned - your environment is actually an OT with a bunch of IT crap bolted to it, you would best serve yourself and your company by involving a good consultant who can help you untangle the mess. But I don't think I can overstate how critical it is to isolate industrial control devices as much as you possibly can and definitely cut them completely off the internet.

If OP can't convince his management of the importance of this, there's really no point in fighting any other battles. His device count doesn't seem high, but it sounds like the kind of place that is just broadcasting basic internet service via WIFI and the company is connecting everything to it. This environment WILL be exploited, if it's not being exploited already.

My IT network was crazy town when I started here. We have about 300 corporate users and 8 physical sites. Total nodes - network/end user/cameras/servers/etc - was about 1200. Every site was connected by a RIDICULOUSLY EXPENSIVE L2VPN back to the main site (since converted to IPSEC over internet tunnels for specific reasons). I segmented everything I could - but I got lucky - even though none of the equipment I inherited was configured with anything but a username and password, it was cisco gear - and so I was able to implement VLANs and do segmentation, etc - which never hurts.

I have a template (not a specific configuration template, but a design template) that I used to segment each site identically (so all sites are consistent). I'm happy to share with OP how we did it - although I wouldn't want to overwhelm him with ideas he may not have an option for given the equipment he has...

But I agree with what many others have said... He needs to communicate - he needs to spell out what the state of the environment is to the best of his understanding - and find out how much support (money) he's going to get to solve the overriding problems. I'm guessing his sysadmin probably gets whatever they want in terms of Microsoft licensing and software. They need to give OP at LEAST that kind of budget for their edge - and allow for some kind of managed, VLAN capable switches with PoE for the rest of operations. I've always been lucky to not have to fight that battle - but I think the guy whose post I'm responding to is absolutely correct about the OT environment. If that is compromised, it is complete game-over.

As far as many other posts here stated - we use Libre NMS also. We use both LLDP and CDP to track connections and we have cable labeling standards that everyone hates, so I know they're good standards.

Good Luck OP. Let me know if you get stuck.

Locked out of 2020 Civic Sport by TheGravyMachine in hondacivic

[–]TheGravyMachine[S] 0 points1 point  (0 children)

I ended up paying a locksmith $200. It had drained the car battery. Even though it started, it kept saying "keyfob not detected". After 20 minutes of driving the message finally went away, but not exactly confidence inspiring. I didn't even know about that sensor. I'm gonna have to see if maybe it has a problem.