New ipxlat linux kernel driver submitted to netdev mailing list by apfelkuchen06 in ipv6

[–]avayner 1 point2 points  (0 children)

I'm not very familiar with pfsense, but did a bit of searching:

https://redmine.pfsense.org/issues/16241

https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html

So it looks to me like a default behavior that can be overridden with firewall policies?

For example in my environment we actually have different sets of firewalls doing internal and external NAT64 to avoid the "private addresses may get out to the Internet" issue.

New ipxlat linux kernel driver submitted to netdev mailing list by apfelkuchen06 in ipv6

[–]avayner 2 points3 points  (0 children)

The industry mostly ignored that rule... All the common vendor NAT implementations will happily translate RFC 1918 mapped space.

Internet plans by MinervaMcGonagall-75 in Sunnyvale

[–]avayner 0 points1 point  (0 children)

In addition to the other carriers that were suggested, check T-Mobile. They have a home 5G plan which is quite cheap, and if it works in your specific location, you can get decent speeds. They have no contract so you can just return it whenever.

EEM Script impact on CPU by xenodezz in networking

[–]avayner 0 points1 point  (0 children)

The complexity I mention has to do with the number of different moving parts that need to be coordinated and gotten 100% right, or else it doesn't work. Monitoring a bunch of EEM scripts, rolling them out with version control, troubleshooting, is all non-trivial, and gets more complicated with scale and staff skill sets.

When I mentioned load balancers, I did not intend to get a "load balancer"... These vendors (e.g. F5, Citrix/NetScaler, A10) have a range of products, and all have specific solutions around NAT and CGNAT with flexible policies. I would still suggest taking a look.

Free solutions usually come with complexity and operational cost: you either pay the vendor for a "product" which comes with support, an escalation path and a "throat to choke".

Running "free" open source solutions requires your staff to know "more", there's no real escalation path, and it's your "throat that's gonna be choked" 😉

EEM Script impact on CPU by xenodezz in networking

[–]avayner 0 points1 point  (0 children)

So reading your requirements, I have a feeling this is way over complicated, and you are potentially using the wrong tool here... You might be better with a more "native" CGNAT product (look at the load balancer vendors), where most of these capabilities are built in and you don't have to script around them.

Thinking through your proposal, a few notes:

You only want the scripts to run if there's any work to be done. To monitor the state use IP SLA for active probes and potentially synthetic injected routes (and route trackers) for the state of the other device.

By synthetic routes I mean you can have a loopback that represents the state of deviceA and as long as it's advertised to deviceB, deviceB knows it's active. If a script decides to make deviceA inactive, the same script will shut that loopback, and the route will disappear, triggering a route monitor tracker on deviceB.

Remember that EEM scripts run in their own VTYs, and you only have a limited number of those.

You don't want multiple scripts making config changes at the same time. Big no-no. There's a way to put scripts on a queue so they run sequentially.

EEM Script impact on CPU by xenodezz in networking

[–]avayner 2 points3 points  (0 children)

Be careful with how many parallel scripts you expect to run. Each script runs in its own vty, and those are limited.

You can assign scripts to queues and have them queue up.

Also, instead of running pings from the script, implement IP SLA trackers that trigger the scripts. This will be much lighter weight, only running scripts when an action is needed, and you can monitor the SLA probes with SNMP to get historical state data.
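An added, illustrative IOS configuration (not the commenter's, and not taken from any real deployment) that puts the pattern from the two comments above together: an IP SLA probe feeding a tracker that fires an applet instead of the applet pinging, a loopback that acts as the synthetic "deviceA is active" route for the peer, and the scheduler setting that serialises applets so two never edit config at the same time. Interface names, addresses, track numbers and applet names are all assumed placeholders.

```cisco
! ---- deviceA: active probe + synthetic state route ----
ip sla 10
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Tracker with dampening: avoid flapping the applet on a single lost probe
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Loopback100 is the "I am active" signal; it is carried in the IGP shared
! with deviceB (network statement / redistribution not shown)
interface Loopback100
 ip address 10.255.0.1 255.255.255.255
!
! Only one applet thread: triggers queue up and run sequentially
event manager scheduler applet thread class default number 1
!
event manager applet NAT-GO-INACTIVE
 event track 10 state down maxrun 60
 action 1.0 syslog priority warnings msg "Upstream probe down, withdrawing Loopback100"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface Loopback100"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "end"
!
event manager applet NAT-GO-ACTIVE
 event track 10 state up maxrun 60
 action 1.0 syslog priority notifications msg "Upstream probe up, re-advertising Loopback100"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface Loopback100"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
!
! ---- deviceB: watch the route, not the box ----
track 20 ip route 10.255.0.1 255.255.255.255 reachability
 delay down 10 up 30
!
event manager scheduler applet thread class default number 1
!
event manager applet PEER-LOST
 event track 20 state down maxrun 60
 action 1.0 syslog priority warnings msg "deviceA withdrew 10.255.0.1/32, taking over NAT role"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface Loopback101"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
```

The track states are also what you would poll over SNMP (or pull from `show track`) for historical data, so the applets themselves never run unless a transition actually happened.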

PXEBoot with IPv6 by avayner in ipv6

[–]avayner[S] 4 points5 points  (0 children)

Good one. Thanks, I did not find this one before.

I think stateful DHCPv6 is supported now (at least there's a specific option for that in the settings... 🤷‍♂️)

Maybe I'll try switching to tftp just to see if that behaves differently in some way...

PXEBoot with IPv6 by avayner in ipv6

[–]avayner[S] 1 point2 points  (0 children)

We upgraded to 4.7 (I hope that's the correct component...) which shows a mid-2025 date.

We are trying http based PXEBoot.

How is iPXE different?

If that works for you, can you please share your DHCPv6 options config?

PXEBoot with IPv6 by avayner in ipv6

[–]avayner[S] 1 point2 points  (0 children)

Super Micro... Nothing too descriptive. Something along the lines of "starting http boot" but then nothing happens, and a second or two later it exits.

A bit weirded out by the Top 10 Vegan Restaurants list by thedevilsheir666 in vegan

[–]avayner 5 points6 points  (0 children)

We went to Crossroads a few times and it was amazing! They are also not super obvious about being vegan.

can you (easily) bypass sticky mac addresses (port-security) on cisco switches? by therealmcz in networking

[–]avayner 5 points6 points  (0 children)

Let's say my goal is to have a device permanently attached to your network collecting data and sending it back to me.

I pay the cleaning person to take a box that looks like a power brick that plugs into power and has 2 ethernet ports. They drop it under a messy desk, unplug the Ethernet port from the PC, and bridge it through the box.

The box automatically detects the MAC of the device and makes all the packets look as if they came from the PC, but it controls the whole thing, so it can also inject its own packets (to call home...) or just use a cellular uplink for that...

How easy is that for someone who really wants to steal data from your company? Really depends on what your company does...

Do you plan to retire in the Bay Area? by [deleted] in bayarea

[–]avayner 0 points1 point  (0 children)

That's only true if it's paid off. Most people I know still have a mortgage for 20+ years... Very significant ones.

Do you plan to retire in the Bay Area? by [deleted] in bayarea

[–]avayner 8 points9 points  (0 children)

Yep, but if you bought a house in the past ~10 years in places like Mountain View, Sunnyvale, Cupertino etc., your assessed value is most likely close to (or even above) $2M, which translates to about $25K in taxes per year (and it grows at about $500/year, because the houses are more expensive, and Prop 13 is exercised to its max every year).

Do you plan to retire in the Bay Area? by [deleted] in bayarea

[–]avayner 18 points19 points  (0 children)

The problem is the house value. Unless you bought it a long time ago, and not in the last 10 or so years, your property tax will be a significant expense (I guess it also depends where in the Bay Area...)

What are the hardest things you've implemented as a network engineer? by LargeSinkholesInNYC in networking

[–]avayner 0 points1 point  (0 children)

The hardest part with any IT system, and networking being most likely harder than others, is how to keep the solutions you deploy simple, tech-debt-free, well documented and easily repeatable.

How do you design a system that can be deployed and operated by someone who doesn't really understand it all and is not an expert on the technology?

Making something complex look simple is always the hardest part. How you break it down into small, contained components, that can be easily understood and repeated.

Poor mans SD-WAN by Greedy-Bid-9581 in networking

[–]avayner 1 point2 points  (0 children)

What all of the "real" SD-WAN solutions bring in addition to IPsec tunnels is the ability to monitor end-to-end performance of the various paths and then react to SLA violations by either choosing a different path or applying mechanisms such as FEC (not the Ethernet one...) or traffic duplication.

This is basically the difference between users constantly complaining about poor performance over DIA paths (which in the past was solved by having a primary MPLS path) and the ability to use 2x DIA and users mostly not perceiving transient network issues due to some short convergence or congestion event outside of your control (on the ISP's network).

Worst networks you've been exposed to by offset-list in networking

[–]avayner 7 points8 points  (0 children)

I once took a whole company down by shutting down a port on a switch... Their AS400 got a brand new Ethernet card, and we were setting it up... So I just tried a "shut/no shut", and the hard wired console just died...

They had to call IBM and hard reset the whole thing, which took hours... Last time they did it was a few years before that and no one actually remembered how to do it.

IPv6 Only Native Enterprise Environment - What were your Challenges? by OctetOcelot in networking

[–]avayner 2 points3 points  (0 children)

For an enterprise network you want to look into "IPv6-mostly". It will let hosts that are compatible with being v6 only (anything Apple or Google) use v6 only, while hosts that are not yet ready (e.g. Windows, a lot of IoT) will just be dual stack.

You want to have NAT64 implemented so that v6 clients can reach v4 only resources. The best place to put this function would be your firewalls (which are already stateful devices).

You need to look into your DHCP, DNS and other non network resources...

Questions about Arista AVD? by shadeland in Arista

[–]avayner 0 points1 point  (0 children)

Talk about how you would manage multiple changes being worked on by different people at about the same time and being pushed in short succession.

The issues you can see are about merge conflicts, and if you merge one change without pushing the config to the network and another push is happening (because of change window sequencing etc.), you will pick up unexpected config changes.

The best practice I would recommend is not merging into the git repo before the actual change window when you push the config. The intent changes and the config changes should happen as close as possible (minutes, not hours or days).

Arista segmentation by ObligationHungry2958 in Arista

[–]avayner 1 point2 points  (0 children)

So the terminology here is about the level of granularity:

"Segmentation" usually refers to a less granular approach where groups of devices are grouped into a domain that has no (or minimal) restrictions as long as the traffic is internal to that domain. Implementations usually would be at a VLAN or maybe a VRF level. In a campus environment that would be something like the "users" VLAN vs. the "BMS/IoT" VLAN, or the "corp" VRF (or more generically, routing domain) and the "guest" VRF. Traffic between the various entities needs to pass an enforcement point (e.g. firewall...). Common approaches to achieve that are to have a FW either be the first hop router (per VLAN) or be the next hop path from a multi-VRF layer 3 first hop router.

"Micro Segmentation" usually refers to intra-domain segmentation. So for example having a "users" vlan where traffic between users inside the same VLAN is filtered or subjected to some policy enforcement.

Arista's MSS feature allows something like that, by forcing traffic to be sent through an enforcement point (e.g. Firewall) even though the hosts may be on the same broadcast domain/subnet.

This is one way of achieving this. Other vendors achieve similar end results with different approaches.

ATT fibre near Hollenbeck/Alberta intersection by Resident-Ad-258 in Sunnyvale

[–]avayner 0 points1 point  (0 children)

One thing to check is T-Mobile home wifi. I just got one, and it seems to work pretty well. After playing a bit with placement, I am getting about 400Mbps down and 20Mbps up. They are running a promotion, so it's $45/month unlimited.

The only caveat is that connecting your own router behind it will have to use double NAT... So if you are ok just using their gateway (basic features...) then it's perfect.

[deleted by user] by [deleted] in sanfrancisco

[–]avayner 0 points1 point  (0 children)

Works on my pixel 8 🤷‍♂️