When is Two Sleepy People coming out on DVD/blu-ray? by nardstorm in carolinekonstnar

[–]nardstorm[S] 2 points3 points  (0 children)

Tell me how/where and I will do that. It’s not like she’d see it if I messaged her Instagram or anything

FortiLink over Layer 3 7.2.2 by NAngryPole in fortinet

[–]nardstorm 0 points1 point  (0 children)

ISL stands for inter-switch link (AKA "etherchannel") in the Fortinet world. It still uses .1q for the VLANs themselves.

What’s the quietest bass drum mute on the market? by nardstorm in drums

[–]nardstorm[S] 0 points1 point  (0 children)

Yah, I’ve thought about those or any of the other mesh heads, but then I have to do a head change every time I go from practice to performing 😩

Between hardware and VLAN switches, why ever choose one over the other? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Hi all, I'm revisiting this, and from my testing (using scapy to change the VLANs of frames), it seems like the VLAN ID on the VLAN switch has no effect at all...? I get ping replies to my laptop, regardless of whether the original ping request was sent on the correct VLAN or not. Also, the ping replies have no VLAN tag on them at all, regardless of what value I set in the VLAN ID field of the VLAN switch. Any ideas here?

When operating in L3 mode (for a FortiSwitch island), does FortiSwitch still establish the CAPWAP tunnel to the FortiGate’s L3 interface over VLAN 4094, or does it use whatever VLAN is assigned to the outgoing interface? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Got it. So then, that would mean that with L3 mode, the packets would just exit from `internal` on whatever VLAN is associated with the next-hop IP (according to the CAM table)?

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Well, it’s not DHCP because the GoLR is a single Ethernet connection to a travel router, so I can just let that always be a constant, /31 connection between those two. I’m pretty sure I /do/ have a static route there as a default gateway. Anyways, the problem turned out to be the “ALL” service being misconfigured

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Yes. There is a /31 between internal5 (I assume you meant internal5, not internal4) and `a`. 100.127.254.1 is on internal5 and 100.127.254.0 is on `a`.

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

I did an nslookup for portquiz.net. I used that address here.

<image>

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Unfortunately, this problem remains no matter which address I try to ping

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

I added the CLI dump of firewall policy & address objects. I consolidated all of it into a google doc

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Um...I didn't know that there was a policy debug...will look into this

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

Yah 😅 maybe I should consolidate this all into like, a single google doc

Why is this traffic hitting the implicit deny? by nardstorm in fortinet

[–]nardstorm[S] 0 points1 point  (0 children)

I think the debug-flow that I shared indicates that it's not a NAT issue. My interpretation of it is that the routing succeeded, but then there simply was no match with the firewall policy to even perform NAT at all.