/net/ - Networking Thread

A thread for network admins/engineers, sysadmins and the like

What are you networking on, Sup Forums?


studying for my net+
feels bad man

I've always hated networking in college because I had to deal with binary for subnetting and there was no "debugging" as to why a network was not working as intended, but lately I'm wondering if I made a mistake following programming instead. What's your take on it?

Don't know if it falls under this category....

Question though about a server at home idea.
I got this 2011 Xeon system lying around at home right now and a fairly decent network connection, 100/100 Mbit/s.

How probable is it that I can use it to host a browser-based game like agar.io from this current setup, where the userbase is pretty massive?

from what I've read you don't typically deal with subnetting in the real world unless you're doing some major high-up architecting

>unless you're doing some major high-up architecting

That must be the money maker, right?

What's so bad about it?

Either is a good choice. Subnetting isn't all that hard, just counting bits.
I do both programming and networking.
I've built a small network stack (Ethernet, IP, ARP, UDP), and it's mostly reading RFCs and implementing it.
I'm currently working on an IP address management interface that works together with our DNS server, and I'm planning to do some router config generation and switch management in the near future.
It just depends on what you want to do with it. The fields aren't really mutually exclusive.

Depends a bit on your ISP. I doubt they'd want a service like that on their customer network.
But if you just want to host a game or some services for family and friends, go for it.
The network and the server are probably more than enough.

I'm talking about Senior Network Architect at Amazon Web Services/Google-level architecting

so yes

>designated router
Was that router specifically made for the Indian market?

It's only an entry level cert and there's no computer industry where I live so I'm kinda fucked even if I get it

no one's gonna hire for an entry level position out of state

But why do they care what I use my 100/100 internet for?

Just wondering how much resource and bandwidth would just one user take..

I will soon (I hope) graduate with a BSc in network technologies; never really studied hard, just enough to power through the exams. Would it be enough to look for a decent job in Europe? Or should I start straight away with a bachelor's?

>What's your take on it?
I do network programming for a living. You oughta think it's the best from both worlds, but it's also the worst from both worlds.

>But why do they care what I use my 100/100 internet for?
that's the most naive thing I've read all day

Maybe so, I'm clueless about networking.

Does it really matter if I use it for hosting or downloading/uploading stuff constantly?

>I've built a small network stack (Ethernet, IP, ARP, UDP)
Source code?

red pill me on subnet

I had some network related courses and configured some shit and calculated the correct subnet masks but I never really understood them properly. Something about network bits and physical bits, but the whole concept is quite confusing.

Look at it this way: A subnet is a LAN. Within a LAN, you can reach all hosts directly, but to reach them across two different subnets, you need to route packets.
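The "counting bits" view of subnetting in code, as an added example that is not from the thread: the mask splits an address into network bits and host bits, and two hosts only reach each other directly when their network bits agree; otherwise a router is needed.

```python
# Added example (not from the thread): subnetting as plain bit arithmetic,
# so the "network bits vs host bits" split is visible. Python's ipaddress
# module does the same job; the integer math is spelled out here on purpose.

def ip_to_int(dotted: str) -> int:
    """'192.168.10.77' -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/n -> mask with the top n bits set, e.g. /26 -> 0xFFFFFFC0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Network, mask, broadcast and usable host range for 'a.b.c.d/n'."""
    addr_s, prefix_s = cidr.split("/")
    addr, prefix = ip_to_int(addr_s), int(prefix_s)
    mask = prefix_to_mask(prefix)
    network = addr & mask                        # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all set
    size = 1 << (32 - prefix)                    # block size is a power of 2
    if prefix >= 31:      # /31 point-to-point and /32 host routes reserve nothing
        first, last, usable = network, broadcast, size
    else:
        first, last, usable = network + 1, broadcast - 1, size - 2
    return {"network": int_to_ip(network), "mask": int_to_ip(mask),
            "broadcast": int_to_ip(broadcast), "first_host": int_to_ip(first),
            "last_host": int_to_ip(last), "usable_hosts": usable}

def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when the network bits match, i.e. the hosts reach each other
    directly on the LAN; False means the packet has to go via a router."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)

if __name__ == "__main__":
    for key, value in subnet_info("192.168.10.77/26").items():
        print(f"{key:12} {value}")
    print(same_subnet("192.168.10.77", "192.168.10.100", 26))   # same /26 block
    print(same_subnet("192.168.10.77", "192.168.10.130", 26))   # next block: routed
```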

it's mainly eBGP pruning.

Because the lines are oversubscribed, e.g. they give 50 users a 100M connection on a 1G uplink.
General internet usage is bursty, so you only use that bandwidth for a short period of time (loading a web page), or you get a continuous stream of a few Mbps.
When 10 users start using the full 100M bandwidth all the time, the uplink is saturated and drops will happen for everyone. Providers don't want that.
For business use, you usually have a "guaranteed bandwidth".

ISPs are the physical manifestation of judaism at its purest. They come down /hard/ on people running servers from home.
They'll do everything including but not limited to:
Charging you ridiculous fees
"upgrading you for your convenience" to an extortionately expensive business/SOHO network class
Drop/Cancel your service

Hell, Comcast won't even let you run your own email server from home. They block /all/ traffic on port 25 unless you have a business account. Granted, they claim it's to deter spam servers and that's plausible, but it's also incredibly suspect.

it all depends on how nice they're feeling on that day, and the phase of the moon

>Comcast won't even let you run your own email server from home. They block /all/ traffic on port 25 unless you have a business account.
Wow, ISPs in the US are actually allowed to do this?

man if you're upset at that, you've got a lot coming for ya regarding US ISPs

>man if you're upset at that, you've got a lot coming for ya regarding US ISPs
Jesus man, don't the FCC and antitrust prevent them from this jewry?

Need to do a project that utilizes a network. I'm planning on implementing a server/client in Java that hosts a game of 1v1 Tetris. I've written down a list of things I need to design, such as a log for accessing the server, some form of encryption before sending a packet, and timing packets to anticipate failed connections and how the server/client should handle it.

I could only find an old revision on my laptop. It only does Ethernet, IP and ARP here.

a.uguu.se/8qxtBSVdoU0I_netstack.tar.bz2

>the FCC
the ISPs own the FCC.
>and
>antitrust
What do you think the US is? Communist? this is a free market economy and antitrust departments are incredibly communist god bless america

Our current FCC Chairman John Wheeler is trying his absolute damnedest to improve conditions, but he's been stonewalled every step of the way by politicians who've been bought out or by ISP lobbyists, and what's worse is that his term ends in roughly two weeks (at the next election) and the Republicans (strongly anti-competitive/consumer rights) hold a majority in Congress.

Cisco IOS has debugging though.

stupid question
I bought a Cisco Catalyst switch last month to help me with my studies
it's been gathering dust because I don't know how to connect to it.

I know I need a special comms cable (DB-15/RJ45), but I'm wondering if there's any way for me to just connect to it with a standard RJ45-RJ45 cable so I don't have to buy/make my own Cisco cable.

Jesus, I feel bad for you guys. My sympathies.

>John Wheeler
meant Tom Wheeler my bad

>netstack/interface/ether.py
self._sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))

So you're not actually creating Ethernet frames, you're just tunnelling your own "frames" over regular UDP?

I thought you made an actual networking stack and your own Ethernet driver or something.

>any way for me to just connect to it with a standard RJ45-RJ45 cable
Not unless it has already been configured with an IP, and you happen to know the config. Otherwise you are going to need that console cable.

That's a "raw socket", the same thing that is used for packet captures.
It gives the raw L2 frames.
UDP would have been
socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
Only root has access to these special sockets, and it doesn't work on Windows.
You should put the network interface manually in promiscuous mode before using it though.

Let's say I have 2 offices that are very far away from each other and the only way to connect safely is using a VPN.

Is it possible to make ~10 PCs in one office -> NAT to WAN port -> VPN tunnel -> WAN link to NAT in 2nd office -> ~10 PCs in that 2nd office communicate? Basically allowing 20 PCs to communicate over 1 VPN tunnel? I guess it shouldn't be a problem.

Is there any book that's "hands-on" standard when it comes to security of networks? All dos and donts in one place. CCNA here

But I don't understand why you emulate ethernet frames

linux.die.net/man/7/raw

Antitrust is supposed to break up huge corporations into smaller companies to promote competition, but it sucks when many of them create subsidiaries and the heads essentially cooperate to avoid antitrust.

Fuck.

I'm assuming I'm going to need to buy some kind of USB-to-DB15 adapter since the DB15 port on my laptop is just for video?

Because I want to do L2 bridging and STP as well, later on

>USB-to-DB15 adapter since the DB15 port on my laptop is just for video
This is bait, right?
2/10, made me reply

this isn't quite right. I never have to convert to binary for subnetting (but knowing powers of 2 is a must)

also, no debugging a network? tcpdump/packet captures, IOS debugging, ping/tracert/netstat/telnet, etc.

anyone?

What does REAL network troubleshooting look like in real life on Cisco equipment?

What do companies have the most problems with?

I'm CCNA certified, but it looks to me like I'd be totally puzzled if I had to dive head first into a random company and fix their shit.

IPsec+GRE+OSPF or Cisco DMVPN

>CCNA here
Honestly, you should be able to answer your own question.

Here's your spoon.

That's why smart network people dive feet first. Doesn't injure the brain.

>IPsec+GRE+OSPF

This is basically a regular VPN config (2 IKE phases) plus OSPF to make the connection between routers.

Ok, so there wouldn't be any problems whatsoever

> DMVPN

I have yet to learn about it.

How to approach learning IPsec? Any good book for that?

>first roommate does a lot of sensitive work with a large NGO and needs the utmost security (sleeps in the first bedroom)
>second roommate is still a student and needs bandwidth for his games and occasional movie nights (is in the living room)
>Myself (in the second bedroom)
Is it a good idea to have three different routers connecting to a single gateway and have different settings to make sure that my second roommate's lack of security doesn't fuck with our networks?
Like this
>Gateway -> Router 1 -> Roommate 1's laptop and MyCloud backup
>Gateway -> Router 2 -> Roommate 2's gaming PC, laptop, consoles, and smart TV
>Gateway -> My Router -> My PC, laptop, NAS
The Gateway would have a firewall that prevents any of the routers from allowing packets from each other to prevent the trojan infection we just went through last week.
All the routers would have DHCP and NAT turned off, but have their own DNS settings (I use OpenDNS, but neither of my roommates do).
And how well would QoS work with routers linked in such a layered network? My first roommate does a lot of conference calls and needs the feature to work on his router like it is now.

Also, Roommate1's MyCloud needs to be accessible from an outside network, but how would a DMZ work in a layered network like this?

Get a managed switch; you can even use a used Cisco 2950, which is like $20.

Create a separate VLAN for every network and create a router on a stick (google it, it's very simple).

>tfw probably meant to take this road
>instead took computer science

Rip in the pepperones. I'm unemployed because I'm pretty shit at coding apparently.

No. Enlighten me.

studying for what ?

have you played with any zone-based firewalls before? it helps to reason about these sorts of problems a lot more easily. VyOS is free and you could do all of that on a single embedded system, with the edge router being the only common resource.

firstly physical security, if you have a managed switch or don't need site-wide gigabit connectivity you can get them for next to nothing. you can then segregate your roommates' equipment using vlan access ports.

second a firewall policy that prevents loopback from each network segment.

finally, QoS works fine in layered networks, but only if it's set up correctly, and that's the hard part about QoS: you need to have the rules well defined for it to be effective. another reason to use a single router would be to simplify the setup of these rules.

topology is router on a stick as has been suggested, there are also hardware routers that can be set up to handle complex network segments.

the big gotcha with all of this is as soon as roommate a wants to share with roommate b, you have a problem, an opening needs to be defined for each edge case, depending on how often this changes it could become a pain in the ass.

cont.

some other things to familiarize yourself with are the isolation of "common" resources, e.g. a game console will require UPnP to play media over the network; if this is an item used by everyone or it is not physically located in the roommate's network you have to consider how they can get L2 access.

generally you create a pleb network, it's given nothing but a route to the internet and cannot connect to any computer or server on site, other pleb devices can share this network and communicate but it needs to be explained that any device on the pleb network should be considered compromised.

>red pill me on
fuck off

cont.

also to address a few of your questions/statements:
>All the routers would have DHCP and NAT turned off
why? if the segment is isolated any services can be run on each leg of the network without them being able to compromise one another. also DHCP is very useful for plebs and will prevent a lot of complaining; it's also a requirement for a lot of auto-configured devices like IP phones and printers.
>My first roommate does a lot of conference calls and needs the feature to work on his router like it is now.
you can assign fixed resources with QoS; both managed switches and full-featured routers have built-in VoIP templates for correctly routing SIP and other protocols reliably. however it is your responsibility to ensure the QoS between the core router and the edge router actually makes sense with a given uplink.

>router on a stick
Alright, I've heard that term before.
I'm a little wary about VLANs because I'm not familiar with them. How robust are they if the gateway is going to be a weak dual-core Cherryville Atom? The trunk port can be a virtual port within the switch itself, right? That way I could build a router capable of doing all that and have enough ports left over not to need a costly layer 3 switch.
>have you played with any zone based firewalls before?
Not successfully, no, because of this:
>loopback from each network segment.
Where should I turn to in order to learn this?
>QoS works fine in layered networks, but only if it's setup correctly
So in a single router/gateway scenario such as the one proposed, do I need to set QoS for only one VLAN or set QoS for the entire network based on the IP of the device using VoIP (and wouldn't DHCP cause issues with that if the IPs are dynamic?)
>the big gotcha with all of this is as soon as roommate a wants to share with roommate b, you have a problem
I was hoping to have a fourth LAN-only network to allow for file sharing between networks, but we don't have a need for that at all so I nixed it from the final planning. We could use an external drive for that if necessary.

>generally you create a pleb network
That's what Roommate 2's network was going to be, because we all access the same TV and consoles for our normie apps and streaming. It's actually the reason why we need a network like this, because the trojan infection we just had was from one of his torrented games that spread to all the devices connected to our old router.
>why?
Because the Gateway server would have handled that function by itself. I know that having DHCP and NAT enabled on multiple routers within the same network will cause conflicts with devices connected to those lower-layered routers.

comptia network+

>How robust are they if the gateway is going to be a weak dual-core
generally trash, paired with a decent Intel NIC it can be acceptable for home broadband tho. you do not need an L3 switch for vlans, any used Cisco or Dell will do and can be had for under $200 for a 16-24 port gigabit switch.
>loopback from each network segment.
>Where should I turn to in order to learn this?
what i meant by this is just drop internal connections by default as you would with your WAN
>do I need to set QoS for only one vLAN or set QoS for the entire network based on the IP of the device using VoIP
QoS is defined at every hop in the network AND at a service level. the switch needs to ensure one user can't thrash the core router by using multiple ports at once (obviously a switch can route hundreds of gbits to a single trunk port only for them to all be dropped), e.g. the VoIP feature built into most switches will ensure all SIP communication will proceed even if every port is at line speed. So you would have multiple rules for the network topology itself (to ensure the switch can't thrash the core router and that the core router can't thrash your WAN link), and rules for each service you're expecting (prioritise VoIP over all others, ensure upload at the WAN level is shared evenly between each roommate).

>I know that having DHCP and NAT enabled on multiple routers within the same network will cause conflicts with devices connected to those lower-layered routers.
This won't happen if they're separated at layer 2 via vlans; unlike an unmanaged switch, it's as if the switch is sliced into separate physical boxes. But yes, if you do router on a stick there can be a single DHCP service serving multiple subnets. NAT is per subnet anyway so it can live anywhere.

oh, i forgot but i actually did a write up on a very similar problem a few years ago, you can find it here: thetooth.name/#network

you're better off forgetting everything else i said and just reading that, i'm far too intoxicated to be answering these questions anyway.

Thanks for the advice. One last question though: apart from cost, is going with a VLAN over physically separated networks more reliable and expandable?
The reason why I'm asking this is that the total cost of the three extra routers is about $500. The gateway has a J1900 motherboard I found used for $100 that has four Ethernet ports on the back. If I used the only expansion slot on the board, I could potentially add another Ethernet port for a new network segment later down the line. Is a VLAN that much more advantageous and expandable over this sort of setup?

>i'm far too intoxicated to be answering these questions
A drunk net admin? Carry on; all seems nominal.

>Is a VLAN that much more advantageous and expandable over this sort of setup?
The short answer? Yes.

fancy switch or not you're going to end up using vlans anyway, either physical (in the switch) or virtual (assign a vlan tag to ports in the router and assign the subnet to the vlan). one thing you could do is hang multiple unmanaged switches off the router: each roommate gets a dumb switch with a single wire running to your core router. it achieves the same result but with much less flexibility (no spanning tree, mental reasoning is harder, lack of QoS at the final hop) and potentially the same cost compared to a single large switch.

>is going with a VLAN over physically separated networks more reliable and expandable?

Yes. That's actually one of the large points of a VLAN; to segment a network without paying for extra physical equipment.
If you just buy a managed switch and make say, 4 VLANs; one for each of you and an extra one for native traffic, you'll make it so that a trojan isn't going to harm anything but the affected VLAN (so if roommate 1 gets the trojan and it tries to travel through your network, only roommate 1's VLAN is compromised.)
They may be virtual, but they are very secure.
You just need 1 managed switch and 1 router to do this.

Thanks fellows. VLAN it is. Allah help me.

>People here complain about port 25 being blocked
And I'm just sitting here with an ISP that puts all non-business class behind a carrier-grade NAT.

>Telekom feels

How do you guys manage your DNS, IP space administration and DHCP, and RADIUS etc.?

5 year network engineer checking in, I'll try to help out if people have questions.

wangblows sirvur edidion

Can someone explain to me what the purpose and function of patch panels are? I've read the Wikipedia article and read the descriptions in my networking books, but I still don't understand their purpose or what they offer over other devices

Do the CCENT. N+ I consider a waste.

All Linux boxes have tcpdump and syslog features. With grep it's really easy to troubleshoot any network issue.

pretend you have hundreds of pcs, switches, router etc. in your office. you want to connect a pc to a different switch or some shit.

is it easier to trace from pc to the currently connected device, then route that to the new device...

OR

just have patch panels so you can make the change there

Get your hands on a serial (DB9 to RJ45) cable. They are super cheap and easy to get hold of.

Yes, you can use a straight-through RJ45 (Ethernet) cable if you have another Cisco device, using the AUX port.

But you don't have access to the ethernet frame...

Also, most NICs do that shit in hardware.

OSPF is a dynamic routing protocol that uses multicast, so I can see GRE has to be used. If your endpoints are going to change IP, DMVPN with IPsec encapsulation will be better.

DMVPN is far easier to scale out compared to separate GRE tunnels with their own IPsec encapsulation.

Use OSPF to share routes. Don't use it over an uncontrolled network as you will be susceptible to OSPF-related vulnerabilities. Strictly point to point (tunnels included).

You've got to ask: what is your end goal?

Working on my implementation, documentation, presentation and demonstration of Snort as a passive NIDS.

Unfortunately I can't use all these juicy preprocessors and have to write the rules myself as a way to show my "understanding" of the program. Or at least the basics; still going to use them for complex stuff.

Still deciding on what intrusions I should choose to show off. Need some simple, basic ones as well as more advanced or interesting.

Thinking simple DNS, P2P and pings. And then maybe some SYN flood stuff, ARP poisoning etc. Still not sure.

If only I was doing a teaching masters and not a research masters...

You don't get access to the NIC, and you don't get the link pulse, preamble, etc.
But if you turn off all hardware acceleration (TX checksumming for example), you do get to send and receive Ethernet II and 802.2 frames.
You can even bypass any queuing mechanism of the kernel.
That's the whole point of it.
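What you actually get from the AF_PACKET/SOCK_RAW socket discussed above (here and in the earlier reply about raw sockets), as an added example that is not the thread's netstack code: the bare Ethernet II frame, which the stack has to parse itself. The sample ARP request, MACs and addresses below are constructed; the only line taken from the thread is the socket call.

```python
# Added example, not code from the thread's netstack tarball. An AF_PACKET
# raw socket hands you the Ethernet II frame from the destination MAC onward
# (no preamble, no FCS); parse it, decode ARP, and build the reply for our IP.
import socket
import struct
from typing import Optional

ETH_P_ALL = 0x0003   # all protocols, as in the ether.py line quoted above
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen op sha spa tha tpa
MIN_FRAME = 60                             # Ethernet minimum without the FCS

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_ethernet(frame: bytes) -> dict:
    """Split the 14-byte Ethernet II header from its payload."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype <= 1500:
        # Values up to 1500 are an 802.3 length field (802.2/LLC follows), not an EtherType.
        raise ValueError("802.3 length-type frame, not Ethernet II")
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[ETH_HDR.size:]}

def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet (op 1 = request, 2 = reply)."""
    if len(payload) < ARP_PKT.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def build_arp_reply(frame: bytes, my_mac: bytes, my_ip: bytes) -> Optional[bytes]:
    """Return the reply frame for an ARP request asking for my_ip, else None."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, _, tpa = ARP_PKT.unpack_from(eth["payload"])
    if op != 1 or tpa != my_ip:
        return None          # not a request, or not about our address
    arp = ARP_PKT.pack(1, ETH_P_IP, 6, 4, 2, my_mac, my_ip, sha, spa)
    reply = ETH_HDR.pack(sha, my_mac, ETH_P_ARP) + arp   # unicast back to the asker
    return reply.ljust(MIN_FRAME, b"\x00")               # pad the runt frame

def open_raw_socket(ifname: str) -> socket.socket:
    """The thread's socket, bound to one interface. Linux only, needs root."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    return s

# Constructed sample: 00:11:22:33:44:55 / 192.168.1.10 asks "who has 192.168.1.1?"
ASKER_MAC = bytes.fromhex("001122334455")
SAMPLE_REQUEST = (
    ETH_HDR.pack(b"\xff" * 6, ASKER_MAC, ETH_P_ARP)
    + ARP_PKT.pack(1, ETH_P_IP, 6, 4, 1, ASKER_MAC, bytes([192, 168, 1, 10]),
                   b"\x00" * 6, bytes([192, 168, 1, 1]))
)
MY_MAC, MY_IP = bytes.fromhex("aabbccddeeff"), bytes([192, 168, 1, 1])

if __name__ == "__main__":
    eth = parse_ethernet(SAMPLE_REQUEST)
    print(eth["src"], "->", eth["dst"], hex(eth["ethertype"]), parse_arp(eth["payload"]))
    reply = build_arp_reply(SAMPLE_REQUEST, MY_MAC, MY_IP)
    print("reply:", parse_arp(parse_ethernet(reply)["payload"]))
```

Replacing SAMPLE_REQUEST with `open_raw_socket("eth0").recv(65535)` gives the same parse on live frames, which is exactly where a capture tool or a home-grown stack starts.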

2-port LACP over 1000BASE-T? 2-port LACP over 1000BASE-X? Or wait for 802.3bz adoption on a single Cat5e cable?

LACP over copper. Unless fibre is a requirement.

It depends

Posting this here because I think it's relevant

So I live in a student apartment complex and they give us network drops in each room that I assume are connected to their in-house modems/routers/switches, which I don't have access to. Am I pretty much SOL if I try to host internet-facing stuff because I can't open and close/port forward? Is there any way around this? They have some basic ports open like https/http/ssh (filtered). Maybe I can still run OpenVPN over port 443???

Pic related is my network diagram.

Any advice?

Noob here, are there any pitfalls with using a secondary DHCP server on my LAN network to step in when the ISP router fucks up?
(router sometimes ignores DHCP-requests)
I made sure that the ip pools don't overlap and all hosts get the correct default gateway.

>LACP over copper
Why? I thought twisted pair has more latency? Is it a cost consideration?

So let's say I've got a useless 2 year degree, a CCNA, and another 2 year degree but in networking.

Will I be eligible for any decent networking jobs if I know my shit, or am I shooting myself in the foot if I don't have a 4-year degree?

Okay, I will shut up now.

If you know your shit, you'll be fine.

You'd typically only want it on one or the other, especially on the same broadcast segment.

So what kind of positions should I be looking out for? Should I still expect to start out doing helpdesk shit, or are there usually positions for junior network tech monkeys?

There are junior network tech positions available. Unfortunately, you will probably still be exposed to some form of "helpdesk". However, if you know your shit, you can easily get into Tier II, at the very least. If you start to starve for a position, there's always cabling gigs (I'm only half joking).

I do Linux and Fortinet

>cabling gigs

Wouldn't mind that at all desu senpai

again I don't see the difference between a patch panel and something like a dumb switch, just that patch panels have bare cat_ cable connecting to it rather than a connector like 8P8C/6P6C

>tfw it's DB9 and I've been saying DB15 the entire time
fug I'm literally retarded