
Preparing for 10 GIGABIT Internet! What Could Go Wrong?

3 hours ago, Solkre said:

They need to hire a network engineer

were you not paying attention.... they had johnny...he retired.

Can Anybody Link A Virtual Machine while I go download some RAM?

 


35 minutes ago, mynameisjuan said:

This only gets worse as you go down the rabbit hole of what is and is not supported on each device.

Not only that. Without proper knowledge about networking, people are trying to create a BIG and fast LAN, like this:

- If you have a 1GbX network then the core would be one level faster, so when you use 10GbX you should have the core on 40GbX ... but Linus is trying to run a server on 40GbX, so then not only should he look for new switches, one will be fully 10GbX with a 100GbX uplink and a second switch with 40GbX ports and a 100GbX uplink. I don't think that the DELL he has can make what they want (I know maybe 100GbX is too much, but they are looking for a very fast connection to the server when everyone is using 10GbX).


2 minutes ago, unijab said:

were you not paying attention.... they had johnny...he retired.

You didn't listen. They have a consultant who helped them (they didn't hire one ever) and he retired from consulting, so I presume he got an offer to work at some small/medium/large company.


29 minutes ago, _bolek_ said:

Configuring VLAN on Mikrotik is simple (2h with doc) but making it work and compatible with other devices, that takes weeks :/ I think the problem is in terminology and implementation. To this day I couldn't make native VLAN work on Mikrotik with CISCO, and TRUNK between DELL, HP and CISCO properly :/ but on CISCO to CISCO it's working like a charm. I don't think they need the 9k series, but based on what they need, the NEXUS series and minimum 3000 or above.

Mikrotik VLAN configuration only takes a few mins but my point was it took me 2 weeks to fully understand why it had to be configured the way it was so I could actually troubleshoot it. After that I got native VLANs working.

Also I didn't mean he needs 9k, I was just backing my point that configuration between all the devices is different.

31 minutes ago, _bolek_ said:

Small enterprises don't need more than 1Gbps these days, most don't need more than 200mbps or even less.

120mbps for residential and 40mbps for small businesses on average. Very few use cases go beyond that. I still cannot see Linus reaching close to that in any use as I doubt YouTube supports 10gig upload.


18 minutes ago, _bolek_ said:

Not only that. Without proper knowledge about networking, people are trying to create a BIG and fast LAN, like this:

- If you have a 1GbX network then the core would be one level faster, so when you use 10GbX you should have the core on 40GbX ... but Linus is trying to run a server on 40GbX, so then not only should he look for new switches, one will be fully 10GbX with a 100GbX uplink and a second switch with 40GbX ports and a 100GbX uplink. I don't think that the DELL he has can make what they want (I know maybe 100GbX is too much, but they are looking for a very fast connection to the server when everyone is using 10GbX).

I am not sure exactly what you mean. 

 

He doesn't have 40gig LAN because he was using a breakout cable which is 4x10. He only needs a 10gig uplink.


3 minutes ago, mynameisjuan said:

He doesn't have 40gig LAN because he was using a breakout cable which is 4x10. He only needs a 10gig uplink.

They installed or tried to install 2 x 40GbX QSFP+ ports https://youtu.be/aGq8uJSco1o?t=675.


I wouldn't be surprised if someone in LTT gets a CCNA or a CompTIA cert at some point.

If you never need to pull a server out of racks, you are probably doing something right.

 


32 minutes ago, iris7 said:

I wouldn't be surprised if someone in LTT gets a CCNA or a CompTIA cert at some point.

With how busy they are I doubt it. It took me 2 months to get my CCNA and that was like 5 hours a day studying. If anyone, Anthony will, but unless he dedicates to it he won't have time with all of Linus's projects.


It might actually be better to get a Network+ since they are not primarily using Cisco hardware.

If you never need to pull a server out of racks, you are probably doing something right.

 


I am not from North America, and when I requested 700Mbps from my last mile ISP, they called me and asked whether my router ports are gigabit. This question got me confused, like why did they ask, are my router ports not gigabit? So I cancelled my request and later found out that of course my router ports are gigabit. Asus RT-N66U is a 7-year-old router and I bought it 6 years ago. Stupid ISP, do some of their customers really use 100Mbps routers? Later I accidentally dropped my router, its case broke, but it still works, can even get full Wi-Fi signal through the whole apartment without antennas. I guess it's time to apply for Canadian work permit and send my resume to Linus Media Group, ahaha.

 

I am about to start learning CCNA this year, but I keep in mind that these LTT videos are only for entertainment. @mynameisjuan takes it too seriously. But who knows, maybe I will also destroy my own fun after too much knowledge.


"Moment of truth time! And... It's not working...." Oh man do I know that feeling... (Flashes back to a week ago when I spent 5 days trying to get an installation of Windows setup that does not constantly eat ~60% of my CPU (an I5 2500))

In search of the future, new tech, and exploring the universe! All under the cover of anonymity!


35 minutes ago, selecadm said:

Stupid ISP, do some of their customers really use 100Mbps routers?

Yes, a lot of routers still have 100meg ports. Also a lot of low/mid tier routers can only route 2-300mbps regardless of gig ports. 

 

35 minutes ago, selecadm said:

I am about to start learning CCNA this year, but I keep in mind that these LTT videos are only for entertainment. @mynameisjuan takes it too seriously. But who knows, maybe I will also destroy my own fun after too much knowledge.

I do take it seriously because viewers should also know the facts and I don't want Linus to spend time and money for nothing. This swap to 10gig for them could result in hours or days of downtime which is terrible for LTT.

Good luck with your CCNA, it's a bitch because of Cisco and the way they do the exam, but be prepared for the amount of information thrown at you. Take it step by step. Once you get it you will realize how little you actually knew before and when people begin pointing things out in comments or videos it will drive you nuts.


16 minutes ago, mynameisjuan said:

Yes, a lot of routers still have 100meg ports. Also a lot of low/mid tier routers can only route 2-300mbps regardless of gig ports.

Just saw Asus RT-AC1200 router, it provides 1167Mbps Wi-Fi but its Ethernet ports are only 100Mbps, WTF. Wi-Fi faster than Ethernet, pathetic.

 

18 minutes ago, mynameisjuan said:

Good luck with your CCNA

Thanks.


2 minutes ago, selecadm said:

Just saw Asus RT-AC1200 router, it provides 1167Mbps Wi-Fi but its Ethernet ports are only 100Mbps, WTF. Wi-Fi faster than Ethernet, pathetic.

 

Theoretical and this is all on the LAN side where services are at minimum. But yes, like I said, routers still have 100meg ports. 


30 minutes ago, mynameisjuan said:

Once you get it you will realize how little you actually knew

+1
I've used so much enterprise hardware that I sometimes struggle to figure out how to use some consumer network devices. If only I could do a sh ru on consumer hardware.

If you never need to pull a server out of racks, you are probably doing something right.

 


2 minutes ago, iris7 said:

+1
I've used so much enterprise hardware that I sometimes struggle to figure out how to use some consumer network devices. If only I could do a sh ru on consumer hardware.

no sh run

no debug

no sh mac add

no ip route

no sh ip arp

 

It hurts....it hurts so much


So.. another week or three before part 2?

Can Anybody Link A Virtual Machine while I go download some RAM?

 


22 hours ago, mynameisjuan said:

As a network engineer, your network videos make me cringe. Don't get me wrong, you get the basics but then spread misinformation elsewhere to the viewers. Not understanding VLANs, like do they have to be configured or why a PC connected to a trunk and not an access port is not working, at their basics proved that this task should have been handed off.

  

First, that pfsense box will not be able to push 10gig. On top end hardware with pure routing, no ACLs, firewall just permit any any you might be able to push 8-9gig before it gets crippled. Forget trying to run any other services on the box as well. You do have plenty of headroom for 5gig though. 

  

There were much better options to go and with much more features that can truly handle 10gig with 40gig upgradability. Cisco is a given but even more so should be Fortinet for a 10gig firewall router combo for your use. Juniper also is a very solid option. Anything but PFsense.

  

While I applaud your enthusiasm and still enjoy your videos, your lack of a network engineer and purchasing has now resulted in:

 

- resolving an issue will be a nightmare without understanding the concepts of why the configuration was set or what is needed to fix it which can lead you to hours of downtime.

- PFsense is behind greatly on updates, security and stability

 - No upgradability

 

Yes this is an elitist comment but I don't want you to get screwed over in the long run.

I use pfSense a lot and I completely agree. For anything under 5Gbit/s pfSense (with correctly spec'd hardware) is more than adequate but once you start pushing over 5Gbit/s with additional services, ACLs and VPNs etc the performance starts to tail off.

I have managed to get 7.8Gbit/s throughput WAN<>LAN via pfSense in the past with minimal ACLs, some tuning of the driver config for the X710 Intel network card and some high clock speed Xeons. It could probably push for more with an OC X99/X299 setup but the soft interrupts are what killed its performance rather than the actual CPU capacity. I think that would need some pretty heavy driver and OS (BSD) tuning to take place before it can push 10G line rate with ease.

Please quote or tag me if you need a reply


10 minutes ago, Falconevo said:

I use pfSense a lot and I completely agree. For anything under 5Gbit/s pfSense (with correctly spec'd hardware) is more than adequate but once you start pushing over 5Gbit/s with additional services, ACLs and VPNs etc the performance starts to tail off.

I have managed to get 7.8Gbit/s throughput WAN<>LAN via pfSense in the past with minimal ACLs, some tuning of the driver config for the X710 Intel network card and some high clock speed Xeons. It could probably push for more with an OC X99/X299 setup but the soft interrupts are what killed its performance rather than the actual CPU capacity. I think that would need some pretty heavy driver and OS (BSD) tuning to take place before it can push 10G line rate with ease.

That's very similar to what I read of others and their experience. I am glad to see someone here seeing similar results too.

Also that follows what others say where they could only push 6-8gbps but the CPU wasn't breaking 60-70% usage. This leads me to believe there is a bottleneck down the line like the NIC.


1 minute ago, mynameisjuan said:

That's very similar to what I read of others and their experience. I am glad to see someone here seeing similar results too.

Also that follows what others say where they could only push 6-8gbps but the CPU wasn't breaking 60-70% usage. This leads me to believe there is a bottleneck down the line like the NIC.

Na, it's not the x710 NIC, put vyOS on it instead of pfSense on the same hardware and you get much closer to 10G line rate and the CPU interrupts are significantly reduced.

Please quote or tag me if you need a reply


17 hours ago, selecadm said:

Just saw Asus RT-AC1200 router, it provides 1167Mbps Wi-Fi but its Ethernet ports are only 100Mbps, WTF. Wi-Fi faster than Ethernet, pathetic.

First, in most of the country getting a faster ISP connection than 100mbps is so expensive, and they don't bother to use a gigabyte Ethernet port, and it is a lot cheaper.

Another thing, you got that wrong. Even if your WiFi card shows that you get 1167Mbps, you will never pass 150Mbps :) it's a protocol limitation and how it works, maybe on 802.11ax and WPA3 this will change for consumer devices.

 

2 hours ago, Falconevo said:

Na, it's not the x710 NIC, put vyOS on it instead of pfSense on the same hardware and you get much closer to 10G line rate and the CPU interrupts are significantly reduced.

Yes, you are right about vyOS (Ubiquiti uses a fork of the original Vyatta) but you must remember that vyOS is strictly optimised for switching and routing only. There are almost no other services like on PFSense, and limitations on FreeBSD (as most know, every record that science shows was broken on NetBSD :D)


2 hours ago, Falconevo said:

put vyOS on it instead of pfSense

I was thinking that earlier.  I think that using an actual router would probably still be best.

If you never need to pull a server out of racks, you are probably doing something right.

 


missed Office meme, with DvD logo bouncing from the corner... :(


On 1/1/2019 at 4:33 PM, mynameisjuan said:

--snipp--

First, that pfsense box will not be able to push 10gig. On top end hardware with pure routing, no ACLs, firewall just permit any any you might be able to push 8-9gig before it gets crippled. Forget trying to run any other services on the box as well. You do have plenty of headroom for 5gig though. 

 

Just wanted to add in for others to understand - this would likely be total throughput of 5gb. So pfsense with say 4 10gb ports will still only see 5-7gb/s.

 

As @Falconevo points out, vyos would be better. If pfsense is a must as the internet firewall then that should be all it does, while either the switch does layer 3 or vyos handles routing. Though personally I'd create a flat network for anything that needs 10gb speeds and only VLAN things like the IP cameras / phones.


I happen to be well versed in that Dell networking OS. Maybe I can pass along some tips to help out. Ideally if you're dealing with multiple VLANs, you're only doing it because you have separate internal networks. You're going to have a better time moving as much of that internal routing over to the Dell L3 switch instead of putting more work on the PFsense. I'd recommend setting up two networks on the PFsense and your firewall rules there of course. One network for the WAN, and one for the LAN that really only needs to be a /30. Then set up your multiple internal networks on VLANs on the Dell with your VLAN IPs as the gateway for your PCs. You can then set up the Dell as DHCP server for all the scopes, or point it to an external DHCP server. Then have one more network between the PFsense and the Dell. The PFsense would have a static route pointing to the Dell for each of its networks. And the Dell would have a single return route up to the PFsense's LAN IP for anything it doesn't know about. That will keep all your local routing traffic off of the firewall, and still allow for separation of your networks by their function.

 

On that Dell S4048T, assuming you're running OS9:

To trunk VLANs:

enable

conf

int te 1/1 <or whatever port>
portmode hybrid <allows both tagged and untagged VLANs with VLAN 1 untagged by default>

switchport

no shut

interface range vlan 10 , vlan 20 <or whatever VLANs>

tagged te 1/1

end

write <before you walk away, always save>

 

To set up ports for a single VLAN other than VLAN 1:

enable

conf

int te 1/1 <or whatever port>
switchport

no shut

 

interface vlan 10 <or whatever VLAN>

untagged te 1/1

end

write <before you walk away, always save>

 

If y'all are using multiple VLANs, you're probably looking to route on those VLANs as well and then set up a default route up to the PFsense and then set up static routes for each VLAN back over to the Dell as well.  For your purposes, no reason to try running OSPF on the PFsense.

On the Dell that would be putting an IP on each VLAN

enable

configure

interface vlan 10

ip address 192.168.10.1 /24

no shut

interface vlan 20

ip address 192.168.20.1 /24

no shut

end

write <before you walk away, always save>

 

 

 

Setting up a static IP address on a Port on the Dell

enable

conf

int te 1/1 <or whatever port>

ip address 10.10.10.2 /30

no shut

 

Setting up a static route up to the LAN facing IP of the PFsense.

enable

configure

ip route 0.0.0.0 0.0.0.0 10.10.10.1 <route to send all networks the Dell doesn't already know about up to the PFsense's LAN IP(whatever that is)>
end

write <before you walk away, always save>

And you would need return routes for each VLAN's put into the PFsense so that it knows where to send traffic back on the different VLANs that the Dell is in charge of.  Here is a how-to for those on your PFsense:

https://www.netgate.com/docs/pfsense/book/routing/static-routes.html

     As an example though, you'd have an extra network set up just to run between the Dell and the PFsense, ideally a /30 so you just do Two usable addresses, then each of those addresses is the next hop for the other device.  But if you already have a /24 on the PFsense's LAN interface, that is fine, you'd just need to match the same subnet for the Dell's matching IP address.  There are plenty of Private IPs to go around in a small business setup.  

 

So if you have an IP of 10.10.10.1 /30 for your LAN interface of the PFsense, you'd have a cable running over to the Dell and that interface would have an IP of 10.10.10.2 /30.
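
An added illustration of the routed design described in the post above (this is not part of the original post and not Dell or Netgate tooling): a Python sketch that reads the post's Dell OS9 lines, checks that the default-route next hop sits on the same /30 transit link as the Dell's port, and lists the return static routes pfSense needs. The function names `parse_dell` and `plan_return_routes` and the assembled sample config are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the Dell OS9 commands from the post, joined into one text.
DELL_CONFIG = """\
interface vlan 10
ip address 192.168.10.1 /24
no shut
interface vlan 20
ip address 192.168.20.1 /24
no shut
int te 1/1
ip address 10.10.10.2 /30
no shut
ip route 0.0.0.0 0.0.0.0 10.10.10.1
"""

def parse_dell(config):
    """Return ({interface: IPv4Interface}, default-route next hop or None)."""
    addrs, current, default_gw = {}, None, None
    for raw in config.splitlines():
        line = raw.split("<")[0].strip()  # drop the post's <...> remarks
        m = re.match(r"int(?:erface)?\s+(.+)", line)
        if m:
            current = m.group(1).strip()
            continue
        m = re.match(r"ip address\s+(\S+)\s*/(\d+)$", line)
        if m and current:
            addrs[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            default_gw = ipaddress.ip_address(m.group(1))
    return addrs, default_gw

def plan_return_routes(config, transit_if="te 1/1"):
    """Check the transit link and list the static routes pfSense needs."""
    addrs, default_gw = parse_dell(config)
    transit = addrs.get(transit_if)
    if transit is None:
        raise ValueError(f"no IP address on transit interface {transit_if}")
    if default_gw is None:
        raise ValueError("no default route towards the firewall")
    if default_gw not in transit.network or default_gw == transit.ip:
        raise ValueError(f"next hop {default_gw} is not the far end of {transit.network}")
    routes = []
    for name, iface in sorted(addrs.items()):
        if name == transit_if:
            continue
        if iface.network.overlaps(transit.network):
            raise ValueError(f"{name} overlaps the transit network")
        routes.append((str(iface.network), str(transit.ip)))
    return routes

if __name__ == "__main__":
    for network, gateway in plan_return_routes(DELL_CONFIG):
        print(f"pfSense static route: {network} via {gateway}")
```
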

 
