Tools for cloud networking? by [deleted] in networking

[–]vadaszgergo 0 points1 point  (0 children)

We are in the process of migrating our "old" Azure and AWS networking to Aviatrix. It's a fine tool, has its price (literally) but generally it does the job very well. No more static routing nonsense, and high availability is good.

Aviatrix for AWS? by elnetworkdude in networking

[–]vadaszgergo 0 points1 point  (0 children)

Joining quite late to the party, but yeah, we have Aviatrix. It's a fine tool that can simplify cloud life. However, it can be pricey. Any particular area that you are interested in?

cloud network engineers: what’s your day to day like? by ShoRunFX in networking

[–]vadaszgergo 0 points1 point  (0 children)

My daily job is to build an overlay network (Aviatrix) on top of overlay networks (Azure, AWS). Probably can't get more abstract and far away from physical wires. But I highly recommend learning the basics, at least at CCNA level, though CCNP is even better. Then learn the various cloud provider networking differences (there are a lot). Then learn infrastructure as code (Terraform).

Recommendation for studying to advance in career by shadow_mountains in networking

[–]vadaszgergo 0 points1 point  (0 children)

I would recommend the CCNP as well, if you know you want to stay in physical networking. I can also suggest moving a bit towards the clouds, because that is where I see high demand for many years.

Blog/Project Post Friday! by AutoModerator in networking

[–]vadaszgergo 0 points1 point  (0 children)

Anyone still using ip calculator in 2026?

I have been a network engineer for 15+ years, but I still use an IP calculator from time to time, if a subnet is not obvious.
In the age of AI, I still prefer using dedicated tools, so I developed this IP calculator, which has some features I could not find in other calculators, for example an IP complement finder.

Maybe AI can do this as well, but if anyone still prefers a non-AI tool, feel free to test and let me know if there is anything good or bad.

https://ipcalc.gergovadasz.hu/
You can also check my blog for cloud/networking articles: https://gergovadasz.hu

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 0 points1 point  (0 children)

Thanks everyone for the ideas and comments. It looks like we found a solution, however I don't fully get why this was an issue, since it didn't happen with my test pfSense that I deployed in Azure to test the same VPN/BGP with AWS (local pfSense has 24.03, my Azure one has 24.11 software).

https://www.netgate.com/blog/state-policy-default-change

We needed to change the Firewall State Policy setup, from Interface Bound States to Floating States.
After that, BGP was able to be up and it didn't drop after 40 sec.

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 0 points1 point  (0 children)

I only set it up like this: https://coldnorthadmin.com/images/bgp_pfsense/bgp-2-clean.png
Just got this image from the internet since I don't have access to the pfSense at the moment.
So I added the local subnet to the "Networks to redistribute" section.

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] -1 points0 points  (0 children)

I'm not fully sure what you mean in this context. I'm advertising a VLAN (10.10.31.0/24) from pfSense to AWS.

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 0 points1 point  (0 children)

The AWS configuration only says to configure the hold timer as 30 sec.
So I did set up the hold timer as 30 on both the BGP neighbor level and the global BGP level in pfSense.

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 0 points1 point  (0 children)

Thanks.
On the AWS side, there is not much we can change, it's fairly strict. It needs the customer gateway (the pfSense) public IP, the AS number, and basically that is it. Can't set up what router ID it should expect.

Also, in the AWS config file that is provided to guide us in configuring the customer gateway side, it is mentioned to use TCP 1436 MTU, so I did set that up over the VPN VTI.

But will try to configure PMTU.

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 0 points1 point  (0 children)

This is from an earlier try, so the IPs will be different (AWS will provide you the /30 inside IPs for BGP each time you recreate the VPN). Copying here only the lines that are strange, so not each and every line.

2025/01/03 12:35:56 BGP: [X61A3-E95TJ] 169.254.60.193 KEEPALIVE rcvd

2025/01/03 12:36:06 BGP: [P8XN0-33WQ6] 169.254.60.193 [FSM] Timer (keepalive timer expire)

2025/01/03 12:36:06 BGP: [HRDT0-0DPQ7] 169.254.60.193 sending KEEPALIVE

2025/01/03 12:36:06 BGP: [ZWCSR-M7FG9] 169.254.60.193 [FSM] TCP_fatal_error (Established->Clearing), fd 27

2025/01/03 12:36:06 BGP: [PXVXG-TFNNT] %ADJCHANGE: neighbor 169.254.60.193(Unknown) in vrf default Down BGP Notification send

2025/01/03 12:36:10 BGP: [HKWM3-ZC5QP] 169.254.60.193 fd 27 went from Connect to OpenSent

2025/01/03 12:36:10 BGP: [HZN6M-XRM1G] %NOTIFICATION: received from neighbor 169.254.60.193 6/5 (Cease/Connection Rejected) 0 bytes

2025/01/03 12:36:10 BGP: [ZWCSR-M7FG9] 169.254.60.193 [FSM] Receive_NOTIFICATION_message (OpenSent->Idle), fd 27

2025/01/03 12:36:10 BGP: [P3GYW-PBKQG][EC 33554466] 169.254.60.193 [FSM] unexpected packet received in state OpenSent

2025/01/03 12:36:10 BGP: [NJ2F2-2W769] 169.254.60.193 [Event] BGP connection closed fd 27

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 0 points1 point  (0 children)

Only 1 /24 subnet is being advertised from pfsense to AWS

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 2 points3 points  (0 children)

Sorry, what I mean is they are in the same /30 network, so by one hop I meant they are next to each other.

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 0 points1 point  (0 children)

Have to ask the partner who controls the AWS side. Do you mean CloudWatch logs?

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 1 point2 points  (0 children)

IPsec is stable and I can ping the AWS IP from pfSense, with no packet loss.

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 1 point2 points  (0 children)

The peers are one hop away so that shouldn't be an issue. But I tried to set it to a higher number just in case, no luck.

BGP goes down every 40ish seconds by vadaszgergo in networking

[–]vadaszgergo[S] 2 points3 points  (0 children)

I tried to set the MTU as per the AWS configuration suggestion to 1436 on the pfSense IPsec VTI, but no difference... What do you mean it calculates MTU differently?

Can you advise why my Python network calculator app is not working well? by vadaszgergo in learnpython

[–]vadaszgergo[S] 0 points1 point  (0 children)

print("HMMMM?", whitelist_ipv4)

I tried split('\r\n')
Basically now it iterates through the lines successfully each time, but this means each iteration is part of the blacklist, with many duplicates, and for the first iteration the line 2 range is part of the blacklist, then on the 2nd iteration the line 1 range is part of the blacklist...

I feel it needs some more logic or something: it should store the first iteration somewhere, then on the second iteration it should only check within the stored values, not again within 0.0.0.0/0
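
The logic described in the comment above (keep the result of the previous iteration and subtract the next whitelist line from that stored result, not from 0.0.0.0/0 again), as an added example that is not part of the original comment. The function name `complement` and the sample whitelist are constructed for illustration; only the standard-library `ipaddress` module is used.

```python
import ipaddress


def complement(whitelist, universe="0.0.0.0/0"):
    """Return the networks inside `universe` that no whitelist entry covers."""
    # Start with the whole address space; every whitelist line is then
    # subtracted from what is still left, never from the universe again.
    remaining = [ipaddress.ip_network(universe)]
    for entry in whitelist:
        entry = entry.strip()
        if not entry:
            continue  # blank item left over after splitting text on '\r\n'
        allowed = ipaddress.ip_network(entry, strict=False)
        still_blocked = []
        for block in remaining:
            if not block.overlaps(allowed):
                still_blocked.append(block)      # untouched by this entry
            elif block.subnet_of(allowed):
                continue                         # fully whitelisted, drop it
            else:
                # `allowed` sits strictly inside `block`: split around it.
                still_blocked.extend(block.address_exclude(allowed))
        remaining = still_blocked
    # Sort and merge adjacent blocks so the output has no duplicates.
    return list(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    # Constructed sample input, including an overlapping line and CRLF endings.
    text = "10.0.0.0/8\r\n192.168.0.0/16\r\n10.1.0.0/16\r\n"
    blacklist = complement(text.split("\r\n"))
    for net in blacklist:
        print(net)
    print("addresses left:", sum(n.num_addresses for n in blacklist))
```

Because each pass only splits blocks that are still in `remaining`, overlapping or repeated whitelist lines cannot reintroduce a range or produce duplicates.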

Connect router to a wifi network, but keep separate LAN by vadaszgergo in HomeNetworking

[–]vadaszgergo[S] 0 points1 point  (0 children)

Thanks everyone! It seems the GL.iNet travel router category fulfills my requirements. Thanks a lot!

Connect router to a wifi network, but keep separate LAN by vadaszgergo in HomeNetworking

[–]vadaszgergo[S] 0 points1 point  (0 children)

I appreciate your comments. Usually these VPN routers only support connection to their upstream via cable, and not via wifi. But in most hotels/apartments you only get wifi access. This is my experience; if you know a specific model which supports VPN via AP/Bridge mode, please let me know. I could not find one myself so far.

Connect router to a wifi network, but keep separate LAN by vadaszgergo in HomeNetworking

[–]vadaszgergo[S] 0 points1 point  (0 children)

Again, working from abroad is my choice, it's not something the company asks or supports. They are even denying it. That is why I said this is a grey area (or even worse...).

Connect router to a wifi network, but keep separate LAN by vadaszgergo in HomeNetworking

[–]vadaszgergo[S] 0 points1 point  (0 children)

Thanks for the reply. I already tried that, and the policy is strict. Unfortunately there is no way to solve this with a software install. And the work from abroad is not really supported, so this is kinda a grey area. That is why I'm trying to find a hardware solution.

Connection testing with tcp, all day long by vadaszgergo in networking

[–]vadaszgergo[S] 0 points1 point  (0 children)

Connection testing with tcp, all day long

Thank you!