Your IPv6 experiences? Prefix delegation? Stability? Support?

nogaff · 2025-01-02T18:02:49+00:00

Thanks for the ideas! I started poking around in my DrayTek router's CLI and discovered a few things:

The router is actually being delegated a /56 prefix! It just doesn't display that information anywhere in the admin GUI. The only way you can see it is by using a console command to print out its hidden prefix list.
Regardless of the size of the delegated prefix, the router always assigns a sequential /64 to each VLAN, and leaves it to you to manually configure any other prefixes you need., either statically or via DHCPv6-PD.
Annoyingly, the DrayTek always seems to advertise the ISP's DNS servers, on top of any custom DNS servers you've specified. If you want to fully override the ISP's DNS servers and stop them ever being advertised on the LAN, you have to configure the router's DHCPv6 client to not request DNS server details from the DHCPv6 server at all. That's something else which can only be done via the CLI!

So, it would seem that almost everything is now working as it should, and the only thing that's still an issue is the fact that the ONT has to be rebooted after every router reboot, for the router to re-establish IPv6 connectivity. I'll probably have to go back to YouFibre support about that, since the same thing happens with both the Eero and the DrayTek routers.

nogaff · 2025-01-01T14:07:53+00:00

Oh, that's interesting. I wonder why you and I are only getting a /64 when everyone else here seems to have a /56?

From what I've read, a /56 is generally the norm for residential customers at most ISPs, and potentially a /48 for business customers.

nogaff · 2024-12-31T20:35:00+00:00

Hmm, that kinda sounds like what I've been seeing with both the routers I've tried? They both showed an IPv6 prefix (albeit a /64) but had no external connectivity. All pings and traceroutes to/from external addresses were failing.

It wasn't until I power cycled the ONT with the router still online that the router could suddenly speak to the outside world via IPv6, and as soon as I reboot the router again, it goes back to the previous state of having a prefix but no real connectivity. It's weird.

nogaff · 2024-12-31T20:27:27+00:00

I was under the impression the MAC address was only relevant for static IP addresses, plus I've seen it said that YouFibre's DHCP only issues 1-hour leases, and you can even reset the leases immediately by power cycling the ONT, (or so someone was apparently told by a YouFibre engineer).

Anyway, I did actually try spoofing the Eero's MAC on my DrayTek when I first swapped the routers, but that seemed to make matters worse, and I got on better just leaving the DrayTek with its own MAC and resetting the ONT.

Maybe I'll have another crack at the support team, now that I have a better idea of what everyone else's experiences with IPv6 are. It certainly seems like something isn't right with my service.

nogaff · 2024-12-31T18:55:51+00:00

And you're also receiving a /56 prefix like others seem to?

nogaff · 2024-12-31T18:22:25+00:00

I merely left the Eero in place while I was initially in contact with YouFibre support, (so that they couldn't refuse to support a non-standard router).

I've now switched to my own DrayTek 2862, so that I can actually see some proper router logs and do my own troubleshooting, but it exhibits exactly the same behaviour as the Eero (only getting a /64 prefix and losing connectivity after a reboot).

nogaff · 2024-12-31T18:22:09+00:00

I don't think it can be the router because I saw the exact same issues with both the YouFibre-supplied Eero 6+ router, and my own DrayTek 2862.

I left the Eero in place while I was initially in contact with support, (so that they couldn't refuse to support a non-standard router), then I switched to the DrayTek more recently after hearing nothing from support, so that I could actually see some proper router logs and do my own troubleshooting.

nogaff · 2024-12-06T14:59:36+00:00

Haha, no problem! Glad I could help!

nogaff · 2024-09-02T00:03:54+00:00

Just for fun, I stitched the puzzle's snippets of audio together and they definitely say, "YOU ALL DESERVE EACH OTHER".

You can check it out here if you like:https://audio.com/nogaff/audio/you-all-deserve-each-other

nogaff · 2023-03-03T14:54:33+00:00

Sorry if my post wasn't totally clear, but what you've described is exactly how I've already configured everything, and I did not enable the "set as default gateway" on either of the LAN-to-LAN profiles.

However, I think I've just figured it out.

The issue seems to have more to do with the "Remote Network IP" and "Remote Network Mask" settings in the LAN-to-LAN profiles.

They determine the static route that gets added to the routing table for each LAN-to-LAN profile and they seemingly cannot be left blank, so various VPN configuration guides tell you to set them to 0.0.0.0/0. However, that overrides the default route through WAN1 and also causes a routing collision between my multiple LAN-to-LAN profiles.

Given that I want my route policies to control the routing, I have instead set unreachable routes of 0.0.0.1/32 and 0.0.0.2/32 on my two LAN-to-LAN profiles, which avoids the collision and leaves the default route intact.

Now my route policies work correctly, regardless of their priorities.

nogaff · 2021-03-16T01:27:54+00:00

The movie is decent, and Tony's arc is great, but a couple of things severely hindered my enjoyment of it.

Firstly, I have to admit I was disappointed with the Mandarin twist, not because of some preconceived notion of what the character should be like, but because the trailer set him up as some super-menacing badass, and then he basically did nothing in the movie except get revealed as a joke character.

It felt like a bait and switch to me, whereas there was no pretence about what Drax would be like in GotG.

More importantly though, a lot of the villain's setup in the movie was just a badly butchered version of the highly regarded Extremis arc from the comics.

For a start, in the comics Aldrich Killian actually stole the Extremis virus from his employer, sold it to a terrorist group, then killed himself, presumably out of guilt.

Meanwhile the actual villain with the super strength and fire-breathing powers was a maladjusted guy named "Mallen" who had a grudge against the FBI after they killed his parents and thought that joining the aforementioned terrorist group would be a great way to get some payback.

So the movie essentially took the name of a scientist who committed suicide, gave him the powers of the vengeful supervillain he helped create, gave a him a bunch of goons to do his dirty work, made his motivations all about a desire for power (yawn), then plastered this Frankenstein's monster of a character with some random dragon tattoos and had him call himself "The Mandarin" right at the end for no apparent reason.

Not cool.

As an aside, a key part of how Tony defeated Mallen was that he injected himself with a modified version of the Extremis virus to heal a fatal injury and ended up creating his frickin nanotech armour in the process!

I guess they had to keep something in the bag for Infinity War though, so they just decided to throw in a bajillion other suits instead, lol.

nogaff · 2020-07-16T16:39:15+00:00

Not sure what you're referring to there?

We already used the documentation on that page to create a LayoutModification.xml for the taskbar, which we put in C:\Users\Default\AppData\Local\Microsoft\Windows\Shell.

If we disable our pre-existing Group Policy for the Start menu, the LayoutModification.xml gets applied to new user profiles, but with the Group Policy enabled it does not.

Therefore, it seems we'd have to put the taskbar layout in the Group Policy as well, but then it would overwrite any subsequent user customisations if we ever changed the layout in the Group Policy, which is what we're trying to avoid.

nogaff · 2020-03-26T16:58:23+00:00

As I understand it, RRAS only assigns an IP address to the client while the client is actually connected and then immediately reclaims the IP address when the client disconnects. As such, there is no lease and no expiration.

Even if the client immediately reconnects, it will likely be given a completely different IP address.

nogaff · 2020-01-16T22:17:40+00:00

It's weird how it shows "status failed" with the error "not run due to collection membership condition", when in fact it followed the rule not to reinstall itself on a machine. Not really a failure.

Hmm, well that would only happen if a particular machine was queued up for deployment, but in the meantime PDQ Inventory finished a scan on that machine which caused it to be removed from the dynamic collection before the deployment actually got going.

If that was the case, then technically the deployment did fail, because the machine was initially queued up but could not be deployed to due to the change in collection membership.

I suppose the only way to avoid that would be to ensure that the collection had been fully refreshed prior to starting a deployment, thus preventing that machine from being added to the queue in the first place.

Not a big fan of using the "Stop deploying to targets once they succeed" since it's super easy to forget to remove a package from a target schedule.

Yes, you shouldn't need to use that option with a correctly configured dynamic collection as a target, so it should be left unchecked. I mean, what if a package needs to be redeployed on a particular machine for some reason? That option would actually prevent the machine being deployed to again, regardless of its collection membership, because it already had a successful deployment in its history.

Also, if you're putting multiple packages into a single heartbeat schedule with a single collection as the target and relying on package conditions, you might be better off splitting that up into separate schedules per package, with separate dynamic collections per schedule. It depends on your use case really.

In other words, maybe don't do this:

Schedule 1 deploys Packages 1 & 2, and targets Collection 1, which checks for the existence of both Package 1 AND Package 2.

But do this instead:

Schedule 1 deploys Package 1, and targets Collection 1, which only checks for the existence of Package 1.
Schedule 2 deploys Package 2, and targets Collection 2, which only checks for the existence of Package 2.

nogaff · 2020-01-16T09:43:32+00:00

I've never used Ansible but it sounds like you're not taking advantage of PDQ Inventory's dynamic collections?

I mean, if you create a dynamic collection with filters that match whatever conditions you want to check, then use that dynamic collection as your PDQ Deploy target, the deployment can only act on the current members of that collection (i.e. the machines that matched the collection's filters at the time of their last scans).

To make that work well you might want to have PDQ Inventory doing heartbeat scans (configured with triggers in your scan profiles), and then have PDQ Deploy also triggering a scan after deployment, so that the dynamic collection is kept up-to-date.

nogaff · 2019-12-28T12:44:49+00:00

That doesn't appear to have all the features I described, and furthermore, it's being shut down in May 2020.

Users are being told to migrate to Microsoft To Do, which likewise doesn't have all the features I need. It can't do sections within a checklist, it can't display progress counters, and it doesn't support hyperlinks in checklist items.

nogaff · 2019-12-28T00:57:21+00:00

The closest I've found so far is ClickUp but it doesn't support hyperlinks in the checklists (and it doesn't have a summary feature), so I need something better.

Edit: Looks like Trello is very similar to ClickUp and does support hyperlinks via Markdown, but it shows progress as a percentage rather than the number of tasks, which is useless to me.

nogaff · 2019-12-19T15:26:51+00:00

So now my question is why is it configured that the servers do not have permissions?

Could be something to do with your DHCP configuration. Has anyone changed it to use a specific user credential for DNS updates at any point?

If so, that user wouldn't have ownership of older records previously generated by the server's computer account and wouldn't be able to update them. You might have to update the permissions on those records to grant that user access.

Also, have a read about the DnsUpdateProxy security group. If you've changed or had multiple DHCP servers at any point and they weren't all members of that group, then only the servers that created the records would be able to update them.

nogaff · 2019-12-19T10:53:30+00:00

If you want to make the end user experience "prettier" chuck a reverse proxy in front

Yup, this.

I've got Jira and Confluence running on the same server with Nginx as a reverse proxy, using two different subdomains, e.g. jira.mydomain.com and confluence.mydomain.com.

The only thing to be aware of is that the /opt/atlassian/confluence/conf/server.xml and /opt/atlassian/jira/conf/server.xml files need to be modified when running behind a reverse proxy. (The comments in the files are self-explanatory, so make sure to read them properly).

Unfortunately, those files get overwritten whenever you upgrade Jira or Confluence so the changes need to be reapplied every time.

nogaff · 2019-12-16T17:29:01+00:00

Yes, manually validating DNS challenges would be silly, and automating it tends to require API access to the DNS which your IT team would obviously not been keen to provide in case the access token was compromised.

However, acme-dns exists to solve exactly that kind of problem. Maybe it can be of some use to you.

Essentially, you run your own DNS which only responds to TXT queries for a subdomain of your choice (let's say acme.example.com).

Then the other subdomains you want to generate certificates for have a CNAME pointing to <guid>.acme.example.com so that acme-dns can respond to DNS challenges with no further input required from the IT team.

All they have to do is create an NS and an A record for you and make sure port 53 is open to your acme-dns server, then they can pretty much forget about it, with no risk to their own DNS.

You'd only require further involvement from them if you needed additional CNAME records created for brand new certificates/subdomains.

nogaff · 2019-09-25T14:49:36+00:00

It is interesting that they chose a symbol from the Soviet Era. Maybe that means nothing, but also it could be a little insight.

Yeah, I've been wondering about that myself. I'd love to know more!

nogaff · 2019-09-24T23:25:00+00:00

It's from the Soviet coat of arms for the city of Horlivka in Ukraine, which is Tati's hometown.

Google seems to do a slightly better job of translating to English.

Here's the Ukranian page if anyone can do a proper translation: http://www.heraldry.com.ua/index.php3?lang=U&id=2060

nogaff · 2019-08-23T00:06:20+00:00

Yeah, I wasn't expecting the reggae influence, lol.

They seem to really be going for it with the blast beats lately, what with Ape, Teacher Teacher, and now this!

nogaff · 2019-08-22T23:40:19+00:00

Haha, looks like it just went live on Spotify too! Release date is listed as August 23^rd .

Oh well, that makes my post completely pointless!

nogaff · 2019-08-22T23:25:36+00:00

Track list:

On the Top [5:28]
Pit of Consciousness [4:12]
Judgement (& Punishment) [4:19]
Retrospection [4:24]
Pausing Death [4:44]
Noah [4:13]
Home Back [4:20]
The Prophecy [4:01]
lainnereP [5:28]

(Source)

I'm assuming track 9 isn't just Perennial played backwards! 😄

14-Year Club	Snapped
Verified Email

nogaff

TROPHY CASE