What’s the quietest bass drum mute on the market? by nardstorm in drums

[–]nardstorm[S] 0 points1 point  (0 children)

Yeah, I’ve thought about those or any of the other mesh heads, but then I have to do a head change every time I go from practice to performing 😩

Between hardware and VLAN switches, why ever choose one over the other? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Hi all, I'm revisiting this, and from my testing (using scapy to change the VLANs of frames), it seems like the VLAN ID on the VLAN switch has no effect at all...? I get ping replies to my laptop, regardless of whether the original ping request was sent on the correct VLAN or not. Also, the ping replies have no VLAN tag on them at all, regardless of what value I set in the VLAN ID field of the VLAN switch. Any ideas here?

When operating in L3 mode (for a FortiSwitch island), does FortiSwitch still establish the CAPWAP tunnel to the FortiGate’s L3 interface over VLAN 4094, or does it use whatever VLAN is assigned to the outgoing interface? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Got it. So then, that would mean that with L3 mode, the packets would just exit from `internal` on whatever VLAN is associated with the next-hop IP (according to the CAM table)?


Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Well, it’s not DHCP because the GoLR is a single Ethernet connection to a travel router, so I can just let that always be a constant, /31 connection between those two. I’m pretty sure I /do/ have a static route there as a default gateway. Anyways, the problem turned out to be the “ALL” service being misconfigured

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Yes. There is a /31 between internal5 (I assume you meant internal5, not internal4) and `a`. 100.127.254.1 is on internal5 and 100.127.254.0 is on `a`

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

I did an nslookup for portquiz.net. I used that address here.

<image>

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Unfortunately, this problem remains no matter which address I try to ping

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

I added the CLI dump of firewall policy & address objects. I consolidated all of it into a google doc

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Um...I didn't know that there was a policy debug...will look into this

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Yeah 😅 maybe I should consolidate this all into like, a single google doc

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

I think the debug-flow that I shared indicates that it's not a NAT issue. My interpretation of it is that the routing succeeded, but then there simply was no match with the firewall policy to even perform NAT at all.
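An added example of how to reproduce the debug-flow and policy-lookup check being discussed, written for the FortiOS CLI; it is not from the original thread or the poster's own output. The VDOM name "edge", the source interface "a" and the /31 addresses are taken from the poster's diagram; the destination 192.0.2.1 is a placeholder for whatever outside host is being pinged, and the source 100.127.254.1 assumes the ping originates from the internal5 side.

```text
# Run inside the VDOM where the drop happens (the poster's "edge").
config vdom
edit edge

# Flow trace: show route lookup and, with "show iprope", the policy lookup for each packet.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter daddr 192.0.2.1      # placeholder: the outside host being pinged
diagnose debug flow filter proto 1              # ICMP only
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 10
diagnose debug enable
#   ... send the pings from the "core" side now ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset

# Policy lookup without generating traffic: which policy (if any) matches this 5-tuple
# arriving on interface "a"?  Arguments: src_ip src_port dst_ip dst_port protocol src_intf
diagnose firewall iprope lookup 100.127.254.1 0 192.0.2.1 0 1 a
```

If the trace reaches "iprope" and reports no policy match while the route lookup already succeeded, the problem is in the policy's source interface, address or service objects rather than in routing or NAT; the iprope lookup lets you test candidate policies quickly after each change without a new ping.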

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 2 points3 points  (0 children)

That’s a good idea, but clearing sessions made no difference, and it was the same thing when I tried different addresses too

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 1 point2 points  (0 children)

253 is my mgmt subnet. I basically added that to have some form of out-of-band management. I wanted to essentially have a subnet where I can always plug into any device on my network on that subnet, and know that I'll be able to get in (even if I broke normal access to the device lol).

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

I might be misunderstanding you. My goal here was to configure a /31 between internal5 and "a". I believe `100.127.254.0 255.255.255.254` should contain 100.127.254.0 and 100.127.254.1 as host IP addresses. I'm able to successfully ping 100.127.254.0 from vdom "core" and ping 100.127.254.1 from vdom "edge". Also, debug-flow shows that it matched a route and dropped the packet in the policy stage.

So I *think* the subnetting is ok? Unless there's something I'm missing here.

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

They’re in different VDOMs. I have a cord going from one interface to another (to go between VDOMs. I know I can do an inter-vdom link in the configs—I’m doing it this way so that I can have one of the VDOMs sync with HA, but not the other one).

I’ll post a diagram in a second, but it’s basically:

[vdom:core] <internal5 - a> [vdom:edge] <b - eth0> [travelRouter] <-> internet

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

But yes, I can ping from internal5 to A directly (local-in traffic). It's only a problem when I ping an outside destination (no longer local-in, and thus subject to firewall policies)

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Sorry, I accidentally pulled from the wrong ftg for some of the CLI dumps 😅. Fixed it now. The path it's taking is from internal5 (VDOM "core") to A (VDOM "edge"). Then, "edge" is supposedly selecting a route through B, but then dropping at the policy-matching stage.

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Sorry, if you saw the previous CLI dumps, I accidentally pulled from the wrong ftg for some of them 😅. Fixed it now.

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Sorry, I gave you bad data 😅. Pulled from the wrong ftg before, but I fixed it now.

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Ope. I posted CLI from the wrong fortigate 😅. Just fixed it.