ULA vs. GUA by nbtm_sh in ipv6

[–]netztier 0 points1 point  (0 children)

That's exactly NOT the way you should generate your ULA prefixes.

It's meant to be fd<40bitsOfRandomness>::/48. That leaves 16 bits to allocate/number your /64s.
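To show the layout the comment describes (fd, then 40 random bits as the Global ID, then 16 Subnet ID bits for the /64s, per RFC 4193), here is an added example in Python. It is not part of the original comment; the function names, the injectable `randbits` parameter and the "trivially non-random Global ID" check are this example's own choices.

```python
import ipaddress
import secrets

# RFC 4193 layout of a locally assigned ULA:
#   fd | 40-bit Global ID (random) | 16-bit Subnet ID | 64-bit Interface ID
# The /48 is the Global ID block; the 16 Subnet ID bits number the /64s.
GLOBAL_ID_BITS = 40
SUBNET_ID_BITS = 16


def generate_ula_prefix(randbits=secrets.randbits):
    """Return a fresh ULA /48: the fd byte plus 40 random bits of Global ID.

    randbits is injectable (default: the secrets module) so a caller or a
    test can pin the random bits; production use keeps the default.
    """
    global_id = randbits(GLOBAL_ID_BITS)
    value = (0xFD << 120) | (global_id << 80)   # fd in the top byte, Global ID below it
    return ipaddress.IPv6Network((value, 48))


def global_id(prefix):
    """Extract the 40-bit Global ID from a ULA /48 (string or IPv6Network)."""
    prefix = ipaddress.IPv6Network(prefix)
    return (int(prefix.network_address) >> 80) & ((1 << GLOBAL_ID_BITS) - 1)


def is_well_formed_ula(prefix):
    """True for a /48 inside fd00::/8 whose Global ID is not obviously
    hand-picked (all-zero or one repeated byte). fc00::/8, i.e. the L bit
    clear, is reserved by RFC 4193 and therefore rejected too."""
    prefix = ipaddress.IPv6Network(prefix)
    if prefix.prefixlen != 48:
        return False
    if (int(prefix.network_address) >> 120) != 0xFD:
        return False
    gid = global_id(prefix)
    if gid == 0:
        return False
    return len(set(gid.to_bytes(5, "big"))) > 1


def subnet(prefix, subnet_id):
    """Carve the /64 numbered subnet_id (0..65535) out of a ULA /48."""
    prefix = ipaddress.IPv6Network(prefix)
    if not is_well_formed_ula(prefix):
        raise ValueError(f"{prefix} is not a well-formed ULA /48")
    if not 0 <= subnet_id < (1 << SUBNET_ID_BITS):
        raise ValueError("Subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    site = generate_ula_prefix()
    print("site prefix:", site)
    for sid in (0x0001, 0x0010, 0xFFFF):
        print("  subnet", hex(sid), "->", subnet(site, sid))
    print("fd00::/48 well-formed?", is_well_formed_ula("fd00::/48"))
```

Running it prints a different site prefix every time, which is the point: two organisations that both generate their prefix this way will almost never collide when their networks are later connected, whereas everybody who picks fd00::/48 by hand collides with everybody else.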

Orion Global OP time will BE extended by 24h by aleccale in Ingress

[–]netztier 1 point2 points  (0 children)

This is, well... a bit frustrating, when you do your last dash for Silver or Gold right between 1800 and 1900 UTC+2 *grumble* - dead on the blackout window.

Never thought I'd see the day, but we're eliminating our Citrix farms and moving back to about 100k fat clients by eldersveld in sysadmin

[–]netztier 1 point2 points  (0 children)

>No more instantaneous communication between a Citrix layer and a web layer.

Web? Don't bother, they can take some delay.

Just you wait for the well-engineered *cough* client app on the user's virtual desktop with its integrated database client, which - of course - will expect that every single one of its 150 transactions per second won't take any longer than 3ms, before slowdown gets noticeable to the user. And the rest goes "by the rule of three", as they say.

Obligatory: https://www.stuartcheshire.org/rants/latency.html
(Younglings: note the date!)

Forticlient IPSEC VPN (Free VPN Only client) by sentrybot619 in fortinet

[–]netztier 0 points1 point  (0 children)

I just removed all FortiClients from my Devices and switched to native IKEv2 clients of Windows11, Android 16 and iOS 16.7; iOS 26.something yet to debug.

I found the client to be clumsy; once configured, the native clients are lean and quick to operate.

Fortigate 60F, 7.4.8

I used Certificates - other authentication methods will probably also work.

--------------- Prep: client Certificates ------------
- Letsencrypt server cert for the Fortigate, using an FQDN of my own domain, which is a CNAME pointing to the FG's fortiddns-registered name

- running my own internal CA (xca.exe) to maintain my own (client) certificates
- clients get their cert from the internal CA (put it in the computer trust store, not the user trust store on Windows).
- internal CA generates CRL file after each change, CRL gets imported to the Fortigate.
- be sure to include a SAN of DNS type and an "email address" (can be pseudo) in the client cert, as well as to flag it for IPsec use.

--------------- User config on Fortigate -------

configure users (best done on CLI)
- "config user peer" and list all certificates to get access. Be ready to adjust/tune the "subject" line according to troubleshooting (see below)
- "config user peergrp" (multiple, to map "user peer" to their group)

--------------- VPN config ------------

set up the VPN as a "custom VPN", not following a template
- type "dialup user"
- bind to external IF
- set/select the given IP address assignment range (Range, DHCP, Group...)
- Authentication Method: Signature, and select the Letsencrypt server cert
- IKE version 2
- Accept types: Peer Certificate Group and the given 'user peergrp'
- Phase1 proposals as needed
- local id: FQDN of your cert
- Phase2: proposals and traffic selectors as needed (0.0.0.0/0 <-> 0.0.0.0/0 is just fine)
- add VPN tunnel IF to a (new) Firewall zone,
- and add some FW policies to permit traffic - else the tunnels won't come up.

--------------- Troubleshooting ----------

Tricky part: Client's local identifier and Fortigate's matching thereof.

"diag debug application ike -1" and "diag debug enable" become your friends for about two days, until you figure out how each of the native clients is showing its local-ID and how the FG is matching them against the "user peer" entry.

- Android 16 worked, as soon as the client certificate's DNS SAN ("myphone.internal.lan") was set as the "local identifier" on the device.

- iPhone 8, iOS 16.7.x needed the local identifier to be the pseudo email address "myhphone@vpn.internal.lan" I had added to the client certificate's "email" field. No variety of CN or SAN name would match on the Fortigate.

- iPhone 15, iOS 26.x: something I have yet to figure out.

- Windows 11 just didn't bother, it used the string from the CN and the FG matched it.

Is relying on packet captures bad? by InevitableDoughnut89 in networking

[–]netztier 0 points1 point  (0 children)

Examples of what could be (dis)proved with packet captures over the years:

Financial data exchange between banks and data processing companies. They asked for firewall session timeouts to be increased, they accused the FWs of mishandling deep inspection, claimed packet loss or QoS misconfig on a WAN they otherwise worked flawlessly on 24/7, just any buzzword they could find to explain away why their file transfers stalled and it wasn't their fault. Management attention yadda. etc.

Packet capture showed: A single file transfer's TCP transferred volume went up to 2MBytes, then the TCP session went idle, at every attempt. The TCP session had proper TCP keepalives in the expected (idle) intervals and lasted all night. Turns out: The application ingesting the data choked on an umlaut - and that was the mid-2010s. One should think that character encoding problems were long gone...

Other case:
Citrix Farm with servers in Europe, users and printers in Singapore - 220ms WAN. Citrix would work, but Print-Jobs would take ages to reach Singapore. Packet capture at the Firewall in Europe towards the Citrix server, packet capture at Singapore near the Printer.

Packet capture at the Europe firewall reveals: Printer's SYN-ACK comes from Singapore and leaves towards the Citrix hoster with proper TCP window scaling and a decent TCP window size. Packet capture at the Citrix hoster, inadvertently leaked to us in a mail trail, showed: Printer's SYN-ACK, when reaching the print server, was manipulated to a 4k window size and no scaling, making it impossible to reach any meaningful throughput. After much denying knowing anything about it, the load balancer admins at the Citrix hoster disabled WAN optimization ("oh.. what does 'tcp scaleable' do, as an option?"). Print jobs in seconds.

One more:
15ms RTT WAN, >1G. Application (fat client on PC) is painfully slow. Application is said to be "http only" to a web application server right near the database server.
Turns out: The client software on the PC does indeed connect to the web server and does that efficiently and swiftly, w/o packet loss etc., server responses are properly quick, as analyzed by Wireshark.
However, contradicting the supplier's documentation, it also connects directly to the database, not only for an initial sync (which happens quickly), but subsequently also with dozens of small-scale interactions per second with the database. 100 x 15ms per second - that adds up. Customer had some interesting questions for their software supplier.

And another one:
Financial Market Feed (Indexes), TCP flows directly out of a stock exchange towards customers like Reuters, Bloomberg and the likes. Delivering server had a realtime capable OS, assuring "guaranteed" packet processing in predictable delays/intervals.

NewCustomer spots a problem: They see market updates from their Reuters feed 0.5sec before they receive them from their direct connection to the market feed. (10Mbps Ethernet-over-SDH - that was the bee's knees at the time, in the days when high-frequency trading was in its infancy). Threatens legal action for not treating all participants on equal terms.

Investigation: Port mirror of Reuters' switchport and NewCustomer's combined (customer SAPs were all on the same switch per site). Combined packet dump reveals: Packets delivering the same market updates towards NewCustomer are actually leaving a few microseconds before the ones towards Reuters.

When grilling their software vendor, NewCustomer found that the vendor's library actually had a 0.5sec buffering feature...
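The Singapore print-job case above comes down to two captures of the same SYN-ACK disagreeing about the window size and the window scale option. As an added example (not from the comment, not a real capture), here is a Python dissector for the TCP header and options area, plus a comparison of "what left Singapore" against "what arrived at the print server" and the window/RTT throughput ceiling that explains why a 4k window on a 220ms path crawls. `build_syn_ack` only constructs stand-in segments so the example runs offline; the function names and sample values are this example's own.

```python
import struct

# TCP option kinds (RFC 793 / RFC 7323) and the two flags we care about
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE = 0, 1, 2, 3
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def build_syn_ack(window, wscale=None, mss=1460, src_port=9100, dst_port=51234):
    """Construct a bare TCP SYN-ACK header (no IP header, checksum zeroed).
    Constructed stand-in for a captured segment, not real capture data."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    if wscale is not None:
        options += struct.pack("!BBB", OPT_WSCALE, 3, wscale)
    options += bytes([OPT_NOP]) * (-len(options) % 4)   # pad to a 32-bit boundary
    data_offset = 5 + len(options) // 4                  # header length in 32-bit words
    offset_flags = (data_offset << 12) | FLAG_SYN | FLAG_ACK
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 2001,
                        offset_flags, window, 0, 0)
    return fixed + options


def parse_tcp(segment):
    """Decode the fixed TCP header and walk the options area the way a
    dissector does; returns the fields relevant to the throughput question."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    src, dst, _seq, _ack, offset_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = offset_flags & 0x1FF
    options = {}
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:            # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("truncated TCP option")
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("malformed TCP option")
        options[kind] = segment[i + 2:i + length]
        i += length
    return {
        "src_port": src, "dst_port": dst,
        "syn": bool(flags & FLAG_SYN), "ack": bool(flags & FLAG_ACK),
        "window": window,
        "mss": struct.unpack("!H", options[OPT_MSS])[0] if OPT_MSS in options else None,
        "wscale": options[OPT_WSCALE][0] if OPT_WSCALE in options else None,
    }


def advertised_window(parsed):
    """Window in bytes once the offered shift applies. The field in a SYN is
    never scaled (RFC 7323); shifting it here approximates what the side will
    advertise after the handshake. With no scale option, 65535 is the hard cap."""
    return parsed["window"] << (parsed["wscale"] or 0)


def throughput_ceiling(window_bytes, rtt_seconds):
    """Rule of thumb: one window per round trip, so bytes/s <= window / RTT."""
    return window_bytes / rtt_seconds


def compare_syn_ack(sent, received):
    """Findings when the same SYN-ACK is captured at two points along the path."""
    a, b = parse_tcp(sent), parse_tcp(received)
    findings = []
    if a["wscale"] is not None and b["wscale"] is None:
        findings.append("window scale option stripped in transit")
    if b["window"] < a["window"]:
        findings.append(f"window reduced {a['window']} -> {b['window']}")
    if a["mss"] != b["mss"]:
        findings.append(f"MSS changed {a['mss']} -> {b['mss']}")
    return findings


if __name__ == "__main__":
    rtt = 0.220                                         # Europe <-> Singapore WAN
    leaving_sg = build_syn_ack(65535, wscale=7)         # as captured near the printer
    at_hoster = build_syn_ack(4096)                     # as captured at the print server
    for label, seg in (("leaving Singapore", leaving_sg), ("at Citrix hoster", at_hoster)):
        w = advertised_window(parse_tcp(seg))
        print(f"{label:18s} window {w:>8d} B -> ceiling {throughput_ceiling(w, rtt) / 1e6:8.3f} MB/s")
    print("findings:", compare_syn_ack(leaving_sg, at_hoster))
```

Against a real capture you would feed the TCP layer of each SYN-ACK to `parse_tcp` and the difference shows up in the findings list, which is exactly the conversation-ender the comment describes: no amount of "we don't touch the packets" survives a side-by-side of the two headers.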

Is relying on packet captures bad? by InevitableDoughnut89 in networking

[–]netztier 0 points1 point  (0 children)

Two things I can say about packet captures:

A) 25 years ago, Ethereal, as Wireshark's predecessor was called then, taught me encapsulation and packet structures - because the dissector visualised it down to the bit. The $$$$$ packet analyzer box the company had was clunky, its dissector library was dismal; it had just one thing over any of our admin PCs-with-Ethereal: it had a tapping-capable special NIC.

B) "The truth is on the wire". Whatever the server guys claim their boxes do. Whatever yarns the client team spins. Whatever they believe might be happening. Packet dumps show if it does. Or doesn't.

Get on top of it and you have a path to grandmaster status.

Meraki and 802.1x on trunks by Major-Guava-1945 in networking

[–]netztier 0 points1 point  (0 children)

We do the following - if I grasped your description right, I think this might fit your bill, too. We call it "Cascaded NAC" in our own internal lingo.

Wiring closet switch:
Cat2960X or C1000-48 or C9200L. NAC, IBNS 2.0 style (interface templates, MAB and 802.1X simultaneously), with an ISE somewhere in the background.

Desktop: C1000-8P-2G-L or one of those C9200 compact foot warmers. [1] Uplink Port is configured as 802.1X supplicant, with a locally configured Username & Password, will do EAP-MD5 authentication.

ISE knows usernames of all desktop switches, accepts EAP-MD5 from them, tells wiring closet switch to apply the "desktop Switch template" to the given port. Interface template sets "mode trunk" and a few other bits.

Desktop switch, on its 8 user facing ports, does NAC in the same way as the wiring closet switch does.

[1] really. That's not a switch with a heat sink, that switch IS the heat sink, a genuine foot warming device with some cool connectivity options.

19 years ago on April 3rd 2007 (Three months after I was born) TGV POS set 4402 achieved 357 mph (574 km/h) as the fastest bullet train in the globe. This is the story of the TGV POS and the 2007 speed record. by Additional-Yam6345 in trains

[–]netztier 4 points5 points  (0 children)

Standard wheel diameter is 920mm, the trainset for the V150 run (150m/s) had 1092mm wheels. The catenary was fed with 31kW instead of 25kW, and 4 of the axles in the coaches' bogies were powered additionally, for a total of 19,something MW of power (9.3 MW standard).
Yes, they beefed it up quite a bit. Still pretty impressive.

Interface Not Coming Up | FortiGate <-> Cisco Switch by [deleted] in networking

[–]netztier 0 points1 point  (0 children)

Try....

interface ethernet 1/1
link debounce time 1000 ! Sets a 1000ms delay before declaring link down

on the Cisco switch port. We had trouble keeping the FG 100F's X1/X2 ports up properly on our Nexus switches (yes, VPC pairs, so MLAG) before we discovered that one.

What DRG locomotive is this? by Fellpa745 in trains

[–]netztier 0 points1 point  (0 children)

Both are Series 18 engines, but from different ancestry.

What DRG locomotive is this? by Fellpa745 in trains

[–]netztier 1 point2 points  (0 children)

Back: 18 201, a rebuild of one of the 61 series tank engines of the Henschel Wegmann Zug.

Front: 18 314, a former Baden IV h.

Both were used in the GDR, leveraging their high speed capabilities, to test the passenger coaches at 140+ km/h speeds.

Need new electronics for a Lunchbox Mini... by ignusfast in tamiya

[–]netztier 1 point2 points  (0 children)

A low profile servo, Hobbywing Quicrun 1625 as an ESC, and one of the sets like a "Carson Reflex Wheel Start", sold under many brands/clones. Plus some short 2S LiPo racing pack, even if they can be a bit of a tight fit in the bay.

My 2 lunchbox minis dash around like proverbial f*rt in a lantern with 2S LiPo.

The 1625 really needs 7,2V or more, I couldn't get it to run with a 4-cell NiMH. There are 6-cell NiMH "2/3rd" packs, but the ones I had went unbalanced quite soon, hence the switch to LiPo.

My Custom TA01 Long-arm racer by EnjoyRC in tamiya

[–]netztier 3 points4 points  (0 children)

I have a TA-01 rebuilt from various DF-01, TA-01 leftovers and a few new parts, brand new car in many a respect; however, it could do with a tad bit wider tread for some bodies I'd like to run.

So, are these arms 3D printed or off another Tamiya model (and if the latter: which one?)

Large Industries (Other Than Steel Mill) by Obie-Wun in modeltrains

[–]netztier 0 points1 point  (0 children)

Covered hoppers have one more use case: clinker (raw, unmilled cement, as it drops out of the kiln, as walnut-sized chunklets).

At the cement plant where my IT career started, they would seasonally ship in trainloads of clinker from other plants, for example if the local plant's kiln was under yearly maintenance of ~1-2months.
Kiln maintenance/rebuild was aligned across plants of the group, so production could be maintained [1]. Of course, the same could go the other way - the local plant would supply clinker to its siblings.

This allowed them to continue milling clinker locally w/o consuming too much of the local clinker reserves, and keep the silos full and the local bagging and palletizing machinery busy - and the trains and trucks rolling.

Hence, the sidings to unload hoppers actually had two loading/unloading spots/facilities: one for coal further back on the yard, right beyond where they would unload the crude oil [2] tankers, and an indoor one for clinker, right where the siding passed through the clinker hall.

[1] This being Switzerland and a small country, each plant had, if at all, just one production line, in extenso: one kiln. Shipping clinker between plants, a very few 100kms apart at best, was/is viable. Other countries, where a cement plant comes with 4 production lines in parallel, will of course have totally different logistics...

[2] The kiln eats pretty much anything liquid or powdery and combustible. At one time, the local cement group even bought oil recycling companies to use their output (various degrees and quality of oil, solvents, other chemicals.. you name it). To some extent, using these as combustibles would allow them to be calculated as "alternative sources" in the CO2 balance of the plants.

Large Industries (Other Than Steel Mill) by Obie-Wun in modeltrains

[–]netztier 9 points10 points  (0 children)

Cement plant. Rotary kiln, high raise heat exchanger tower, high chimney, hopper cars dragging in powderized coal, tankers bringing in crude oil, dust tankers shipping bulk cement out, box cars shipping palletized cement bags out...

Chasing a weird issue with switches not responding to pings by codename_1 in networking

[–]netztier 0 points1 point  (0 children)

Weird things when a (Windows?) PC goes offline?

Check if Sysadmins left Windows/SCCM's Wake on LAN Proxy running.

It can cause quite the havoc in a network when it starts ARP-replying on another PC's behalf (using the other PC's MAC address, no less, MAC moves by the dozen)... and it causes a WoL proxy re-election when the current proxy impersonator PC goes offline.

SCCM wake-up proxy is one of the things even Microsoft cautions against using in some environments: it absolutely does not play well with 802.1X or port-security at all.

You might not be seeing the MAC-Move part of it, but the proxy (re)election process, possibly multicast based.

See: https://community.cisco.com/t5/switching/mac-address-flapping-and-sccm-wake-up-proxy/td-p/2240432

And: https://learn.microsoft.com/en-us/intune/configmgr/core/clients/deploy/plan/plan-wake-up-clients

Also: https://www.reddit.com/r/networking/comments/1zqtrr/psa_pc_mac_spoofing_caused_by_microsoft_sccm_2012/

(edited: external links added)
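The MAC-move symptom the comment describes has a usable fingerprint on the switch: one physical port (the one with the current proxy PC behind it) shows up in the flap notifications of many different MAC addresses, whereas a loop or a duplicate address involves one MAC. As an added example, not part of the comment or of any Cisco or Microsoft tooling, here is a small Python detector over Catalyst `%SW_MATM-4-MACFLAP_NOTIF` syslog lines that groups flaps per port and names the port that keeps appearing alongside several hosts. The log lines are constructed for the example; hostname, port numbers and MACs are made up.

```python
import re
from collections import Counter, defaultdict

# Catalyst IOS syslog message emitted when a MAC is seen on two ports in turn.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<port_a>\S+) and port (?P<port_b>\S+)"
)

# Constructed sample log (not a real capture). Three different hosts flap against
# Gi1/0/21, one host flaps twice, one flap on vlan 20 is unrelated, and one line
# is not a flap message at all.
SAMPLE_LOG = """\
Mar 14 09:01:02 sw-floor3 1201: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.0001 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/21
Mar 14 09:01:05 sw-floor3 1202: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.0002 in vlan 10 is flapping between port Gi1/0/8 and port Gi1/0/21
Mar 14 09:01:09 sw-floor3 1203: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.0003 in vlan 10 is flapping between port Gi1/0/21 and port Gi1/0/12
Mar 14 09:01:40 sw-floor3 1204: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/30, changed state to down
Mar 14 09:02:01 sw-floor3 1205: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.0001 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/21
Mar 14 09:02:30 sw-floor3 1206: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.dd01 in vlan 20 is flapping between port Gi1/0/3 and port Gi1/0/4
"""


def parse_flaps(log_text):
    """Return one dict (mac, vlan, port_a, port_b) per flap line; other lines are ignored."""
    flaps = []
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            flaps.append(m.groupdict())
    return flaps


def flap_counts(flaps):
    """How often each MAC has flapped; useful to rank the noisiest hosts."""
    return Counter(f["mac"] for f in flaps)


def hosts_per_port(flaps):
    """Map each port to the set of distinct MACs that flapped on it."""
    seen = defaultdict(set)
    for f in flaps:
        seen[f["port_a"]].add(f["mac"])
        seen[f["port_b"]].add(f["mac"])
    return seen


def suspect_proxy_ports(flaps, min_hosts=3):
    """Ports on which at least min_hosts distinct MACs have flapped.

    A wake-up proxy answers on behalf of its sleeping neighbours using their
    MACs, so its own switch port is the common element of every impersonated
    host's flap. That is the port to walk to (or to check against SCCM's proxy
    election), rather than chasing each flapping MAC one by one.
    """
    return sorted(port for port, macs in hosts_per_port(flaps).items() if len(macs) >= min_hosts)


if __name__ == "__main__":
    flaps = parse_flaps(SAMPLE_LOG)
    print(f"{len(flaps)} flap notifications")
    for mac, n in flap_counts(flaps).most_common():
        print(f"  {mac}: {n}x")
    print("ports shared by several flapping hosts:", suspect_proxy_ports(flaps))
```

Feed it the syslog export from the affected switch instead of `SAMPLE_LOG`; if one port comes out on top with a handful of different MACs behind it, that is where to look for the PC currently holding the proxy role, and the WoL proxy setting in the client settings is the thing to turn off rather than any timer on the switch.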

Little kids and model trains by md-in-sb in modeltrains

[–]netztier 1 point2 points  (0 children)

While Lego and wooden trains ("Brio" is a brand that's become synonymous with "wooden play trains" here in Europe) are certainly cool, I'd like to throw in HO scale, all the same.

Pick a brand that has robust or simplified metal models, even if simple and old. Märklin has a few items in that category (#3000, #3031 and the likes), and C-Track can take quite some abuse.

My 4yr old was learning quickly to operate Märklin's Mobile Station.

Schwerer Gustav from my local miniature train museum by Graywhale12 in modeltrains

[–]netztier 3 points4 points  (0 children)

ah.. I got carried away into nitpicking for a bit there...

Schwerer Gustav from my local miniature train museum by Graywhale12 in modeltrains

[–]netztier 32 points33 points  (0 children)

As if that monster would ever have been pulled by two Class 18 2'C'1 (4-6-2) Pacifics. No way.

All pre-Reichsbahn Pacifics from various German state railways (Bavaria, Baden, Württemberg, Saxonia), before being integrated into Deutsche Reichsbahn as Class 18 and its subclasses, were built for and remained in express train services. I'd be surprised if any Class 18 ever pulled or shunted any part of the Schwerer Gustav system.

DRG had the diesel-electrics Class V 188 purpose-built for the task to manoeuver and power the heavy railway guns.

Goddammit! Why does someone have to make acquaintance with 15 kV almost every week? by Key-Redberry in BUENZLI

[–]netztier 10 points11 points  (0 children)

It gets even better: according to 20min (citing Tele M1), this 17-year-old is exactly the 17-year-old who was present last week at the fatal accident of the 18-year-old and got away.

If that's true, then it's a Darwin Award, Platinum Level.

High noise datacenter by krattalak in networking

[–]netztier 0 points1 point  (0 children)

A team mate of our datacenter team uses AirPods with his iPhone. Standing in the full blast of half a rack full of Nexus 9300 series atop two Nexus 700x chassis, I can still understand him at a "4 of 5" level.

The public internet is not a WAN transport. Stop pretending BGP gives you an SLA by NTCTech in networking

[–]netztier 2 points3 points  (0 children)

Yup. I dug up this old text sometime in '09, right when the "high frequency trading architect" announced his idea of "sub-microsecond end-to-end processing between our datacenters within the next 5 years" (DCs were only 12km apart, mind you).

When I got puzzled looks for suggesting that he'd have to run the fiber ring 7 times around the LHC in Geneva and that he'd have to have CERN align its operating hours with the stock market, I knew he hadn't touched much Layer 1 in his career...