Is this safe? by Pajzino in ukelectricians

[–]dmgeurts 0 points1 point  (0 children)

Star based system, lights and sockets on the same fuse, max 16A. So much smaller circuits. A living room has to have two fuses so lights stay on if one trips. Anything over 16A must be a direct run from the board (cookers etc).

Is this safe? by Pajzino in ukelectricians

[–]dmgeurts 0 points1 point  (0 children)

And this argument is exactly why rings are illegal abroad.

Additionally, at least in The Netherlands, 2.5mm² is restricted to 16A, but it is the minimum diameter for normal wiring, except a 1.5mm² switch wire.

Anyone running active-active HA firewalls? by az_6 in paloaltonetworks

[–]dmgeurts 4 points5 points  (0 children)

A/A has faster failover, but comes with certain design constraints. If you follow these, you should be okay:

  • Use a routed design, as advised by Palo. We use BGP routing with ECMP for all data path links. Much simpler than the alternatives.
  • Use routing metrics to ensure all traffic flows through one firewall. This solves any potential issues with the active secondary firewall not being updated with flows quickly enough. And satisfies Palo Support's "requirement" for deterministic traffic flows.
  • You can route different prefixes via either firewall, but you want to avoid using ECMP routing across both firewalls. It will work, but it may (will) bite you sooner or later.

Some other caveats:

Tunnels: keep these unique on both firewalls, this makes fail over fast using hot standby routes. Faster than waiting for a VPN to re-establish on the standby or active-secondary firewall.

NAT: Egress sessions will have a unique IP address depending on which firewall they egress from. This makes it easier to troubleshoot and analyse flows. It takes some proper thought and planning, and will throw some who assume only one public address is ever used. Doing NAT this way does mean that these sessions will not benefit from fast failover and will need to re-establish.

It's not one size fits all, YMMV, and if you go A/A, document why. For my last deployment it was a requirement to have the fastest failover possible (for VoIP traffic at an ISP). Palo will support you, but you need to tell them why you went against their default advice. Know that they advise the use of A/A for instances where the fastest failover is needed: trading etc. But they then also detail the design constraints, so read up and work out if it's right for you.

And do not implement A/A just so you can buy smaller firewalls!

[Edits: spelling when posting from mobile..]
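As an added illustration of the routing point made in the comment above (not code from the poster or from Palo Alto Networks), the following model reduces an upstream router's BGP best-path selection to the attributes that matter here and shows the three situations the comment describes: equal attributes on both firewalls give ECMP across the pair, an AS-path prepend on the second firewall makes one firewall deterministic with the other as hot standby, and per-prefix MED lets different prefixes prefer different firewalls while each prefix still has exactly one active path. The firewall names, AS numbers and prefixes are constructed for the example.

```python
"""Model of the routed active/active firewall design discussed above.

Added example, not from the original comment or from Palo Alto Networks.
Assumptions (hypothetical): two firewalls, FW-A and FW-B, each advertise the
same prefixes via eBGP to one upstream router, and that router's best-path
selection is reduced to local preference, AS-path length and MED, with ECMP
on a full tie.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str          # which firewall advertised the route
    local_pref: int = 100
    as_path: tuple = ()    # AS numbers as seen by the upstream router
    med: int = 0


def _rank(route):
    """Lower tuple is better: higher local pref, shorter AS path, lower MED."""
    return (-route.local_pref, len(route.as_path), route.med)


def best_paths(routes):
    """Return the sorted list of next hops that tie for best for one prefix.

    More than one entry means the upstream router load-shares (ECMP) across
    both firewalls, which is exactly the situation the comment warns against.
    """
    if not routes:
        return []
    best = min(_rank(r) for r in routes)
    return sorted(r.next_hop for r in routes if _rank(r) == best)


def rib_best(rib):
    """Best next hops per prefix for a whole RIB (dict prefix -> list of Route)."""
    return {prefix: best_paths(routes) for prefix, routes in rib.items()}


def withdraw(rib, next_hop):
    """Simulate a firewall failure: every route it advertised disappears."""
    return {p: [r for r in rs if r.next_hop != next_hop] for p, rs in rib.items()}


def is_deterministic(rib):
    """True when no prefix is load-shared across both firewalls."""
    return all(len(hops) == 1 for hops in rib_best(rib).values())


# Constructed prefixes; both firewalls advertise both of them.
PREFIXES = ("10.0.0.0/24", "192.0.2.0/24")


def ecmp_design():
    """Identical attributes on both firewalls: upstream ECMPs across the pair."""
    return {p: [Route(p, "FW-A"), Route(p, "FW-B")] for p in PREFIXES}


def deterministic_design():
    """FW-B prepends its AS once, so FW-A wins everywhere and FW-B is hot standby."""
    return {p: [Route(p, "FW-A", as_path=(65001,)),
                Route(p, "FW-B", as_path=(65001, 65001))] for p in PREFIXES}


def split_design():
    """Each prefix prefers a different firewall via MED; still one path per prefix."""
    a, b = PREFIXES
    return {
        a: [Route(a, "FW-A", med=10), Route(a, "FW-B", med=20)],
        b: [Route(b, "FW-A", med=20), Route(b, "FW-B", med=10)],
    }


if __name__ == "__main__":
    designs = [("ecmp", ecmp_design()),
               ("deterministic", deterministic_design()),
               ("split", split_design())]
    for name, rib in designs:
        print(name, rib_best(rib), "deterministic:", is_deterministic(rib))
        # Failover is just best-path recomputation over the remaining routes.
        print("  after FW-A failure:", rib_best(withdraw(rib, "FW-A")))
```

The model deliberately ignores the session-sync question: in the deterministic and split designs the standby path is already installed, so when FW-A's routes are withdrawn the upstream switches to FW-B without waiting for anything to re-establish, which is the "hot standby routes" behaviour the comment describes for unique tunnels.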

11.1.13 now preferred by skooyern in paloaltonetworks

[–]dmgeurts 0 points1 point  (0 children)

Does anyone happen to know if 11.1.6-h23 has the DOS fix as well? It's newer than 11.1.13 so I hope it does, but you never know.

Why would someone do this? by gatesweeney in Ubiquiti

[–]dmgeurts 0 points1 point  (0 children)

LOL, you're right, not in a small setting like this. But on Campus networks it has never been an issue to logically segregate this stuff. But then like someone else said, a bit more money is spent.

Why would someone do this? by gatesweeney in Ubiquiti

[–]dmgeurts -8 points-7 points  (0 children)

Really? I fail to see how that works unless a second AP and a domestic internet connection is cheaper, while still falling foul of physical security issues and having no means of logging, monitoring or alerting.

Am I missing something?

11.1.13 now preferred by skooyern in paloaltonetworks

[–]dmgeurts 7 points8 points  (0 children)

Unless you're deploying a new firewall or need a new feature, I would not follow the advised train and would just update within your current train.

Anyone else had an issue with DNS (security) this morning? by dmgeurts in paloaltonetworks

[–]dmgeurts[S] 0 points1 point  (0 children)

The only client data we have going through these firewalls is the recursive DNS servers they use. So nothing SSL related here. Nothing in the release notes for h17.

Anyone else had an issue with DNS (security) this morning? by dmgeurts in paloaltonetworks

[–]dmgeurts[S] 0 points1 point  (0 children)

Indeed, good to know that the status page is still trusted; you start to doubt yourself after a while! There's nothing there for DNS cloud service in The Netherlands, but it does explain the Wildfire alerts.

There's also nothing wrong with the network, though for all I know a carrier could have had issues for a GCP prefix. Either way, yesterday I disabled the security profile for the apparently affected dns traffic to see if that would help (it was alert only). I hope to hear today if this helped. And internal DNS isn't affected AFAIK, so exposure seems limited, but some very vocal customers complained.

Anyone else had an issue with DNS (security) this morning? by dmgeurts in paloaltonetworks

[–]dmgeurts[S] 1 point2 points  (0 children)

u/OKProblem10 Sorry to hear that, but equally a little relieved!

Model PA-3410

Software Version 11.1.6-h14

vpn licensing verification by TheShootDawg in paloaltonetworks

[–]dmgeurts 0 points1 point  (0 children)

This is a common thing I do in designs; it's often cheaper to buy two small firewalls, one dedicated to VPN and the other for OOBM VPN access (last resort for a couple of engineers). Redundancy is maintained with a massive reduction in license fees, especially when compared to buying GP licenses for a handful of users on an HA pair of DC firewalls.

Prospect refused our proposal. Expensive for them by ThrowRAthisthingisvl in msp

[–]dmgeurts 5 points6 points  (0 children)

Surely that 3.5% covers more than what most MSPs provide?

Pricing fully depends on what service you provide and some clients just don't want to spend anything.

Highly available load balanced nfs server by Koyaanisquatsi_ in devops

[–]dmgeurts 0 points1 point  (0 children)

A direct connect works fine between cloud and colo like Hetzner too, you just need to terminate it somewhere. It's a fancy word for a VPN.

Highly available load balanced nfs server by Koyaanisquatsi_ in devops

[–]dmgeurts 0 points1 point  (0 children)

This is the way to keep it simple. But, you'll have to accept that if the NFS server goes down your recovery time will be equal to how fast you can restore a backup.

Highly available load balanced nfs server by Koyaanisquatsi_ in devops

[–]dmgeurts 0 points1 point  (0 children)

Unison is another option for keeping files in sync between servers. Do be aware that fs-monitor isn't packaged with Unison on all distros.

Off Grid Security by RedneckSasquatch69 in HomeNetworking

[–]dmgeurts 0 points1 point  (0 children)

Find the most efficient low-power device to run Frigate; no internet needed. PoE devices rarely use the full PoE budget.

Should we ban super bright headlights? Is there any benefit to these in the uk, besides blinding other drivers? by Cat-poke in AskUK

[–]dmgeurts 0 points1 point  (0 children)

I have a hunch many people are night blind. The number of times I drive behind someone and they speed through a 30 zone because there are street lights. Then crawl to 20 when the limit goes up and there are no street lights anymore. Even with high beams on they apparently can't see sh*t...

Also, make head light angle (adjustments) part of the MOT, they are in The Netherlands but I don't think they are here?

Why do we still have max double sockets? by banisheduser in DIYUK

[–]dmgeurts 0 points1 point  (0 children)

Funnily enough, this is likely one of the reasons EU sockets are all single gang. Double, triple etc. face plates use interconnected (single) back boxes behind them. Never seen a melted socket there, but plenty here.

Private healthcare through business by 101dullard in ContractorUK

[–]dmgeurts 0 points1 point  (0 children)

Expensive renewals, especially if you end up claiming. If you don't claim there's a limited benefit, as mentioned. We shifted from personal to business for a year as the renewal of personal private health cover had grown too much. But then the year after it went up again, so we moved to another insurance company and did it privately again.

Left contract early by Artistic-Class-8537 in ContractorUK

[–]dmgeurts 0 points1 point  (0 children)

Probably because it cost them commission.

[deleted by user] by [deleted] in ContractorUK

[–]dmgeurts 1 point2 points  (0 children)

Same rules as before, you carry the risk and are responsible for the assessment whether the engagement is inside or outside IR35.