
Preparing for 10 GIGABIT Internet! What Could Go Wrong?

On 1/3/2019 at 10:09 PM, i4get42 said:

I happen to be well versed in that Dell networking OS. Maybe I can pass along some tips to help out. Ideally, if you're dealing with multiple VLANs, you're only doing it because you have separate internal networks. You're going to have a better time moving as much of that internal routing over to the Dell L3 switch instead of putting more work on the PFsense. I'd recommend setting up two networks on the PFsense, and your firewall rules there of course. One network for the WAN, and one for the LAN that really only needs to be a /30.

Then set up your multiple internal networks on VLANs on the Dell, with your VLAN IPs as the gateway for your PCs. You can then set up the Dell as the DHCP server for all the scopes, or point it to an external DHCP server. Then have one more network between the PFsense and the Dell. The PFsense would have a static route pointing to the Dell for each of its networks, and the Dell would have a single return route up to the PFsense's LAN IP for anything it doesn't know about. That will keep all your local routing traffic off of the firewall, and still allow for separation of your networks by their function.

 

On that Dell S4048T, assuming you're running OS9:

To trunk VLANs: ...

 

To set up ports for a single VLAN other than VLAN 1:

...

If y'all are using multiple VLANs, you're probably looking to route on those VLANs as well, and then set up a default route up to the PFsense and static routes for each VLAN back over to the Dell as well. For your purposes, there is no reason to try running OSPF on the PFsense.

...

 

Setting up a static IP address on a port on the Dell

...

Setting up a static route up to the LAN facing IP of the PFsense.

...

 

And you would need return routes for each VLAN put into the PFsense so that it knows where to send traffic back on the different VLANs that the Dell is in charge of. Here is a how-to for those on your PFsense:

https://www.netgate.com/docs/pfsense/book/routing/static-routes.html

As an example though, you'd have an extra network set up just to run between the Dell and the PFsense, ideally a /30 so you just have two usable addresses; then each of those addresses is the next hop for the other device. But if you already have a /24 on the PFsense's LAN interface, that is fine, you'd just need to match the same subnet for the Dell's matching IP address. There are plenty of private IPs to go around in a small business setup.

 

So if you have an IP of 10.10.10.1 /30 for your LAN interface of the PFsense, you'd have a cable running over to the Dell and that interface would have an IP of 10.10.10.2 /30.

 

Nice, but what is the point of doing this?

First, routing between VLANs using L3 is slower than on L2.

Second, we will still have issues with VLANs and trunks between switches from two different manufacturers (I presume they have more than one switch in the LAN).

Third, by moving DHCP to the switch you may lose some flexibility (some switches are missing some DHCP features).

Fourth, when you change the mode to L3, you lose some switching features and make it work even harder.

 

The configuration you just proposed makes more sense when you have a building and rent offices to different companies, but not when you want a simple and fast office LAN.

 


 

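As an added example that is not part of any post in this thread, here is a small Python check for the design i4get42 describes above: a /30 transit between the PFsense and the Dell, VLAN gateways on the Dell, a default route on the Dell toward the PFsense, and a static return route on the PFsense for every VLAN subnet. All addresses, VLAN numbers and route tables below are constructed for the example; the PFsense table is deliberately missing one return route so the checker has something to report. The last function also makes the caveat explicit that comes with moving inter-VLAN routing onto the switch: traffic between two VLANs never reaches the PFsense, so its firewall rules cannot apply to it, and any separation between VLANs has to be enforced on the Dell instead.

```python
import ipaddress

# Constructed addressing for the example (not from the thread).
TRANSIT = ipaddress.ip_network("10.10.10.0/30")
PFSENSE_TRANSIT_IP = ipaddress.ip_address("10.10.10.1")   # PFsense LAN side
DELL_TRANSIT_IP = ipaddress.ip_address("10.10.10.2")      # Dell routed uplink

# VLANs routed on the Dell; the .1 of each would be the VLAN interface / gateway.
DELL_VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.10.20.0/24"),   # workstations
    20: ipaddress.ip_network("10.10.30.0/24"),   # servers
    30: ipaddress.ip_network("10.10.40.0/24"),   # management
}

# Static route tables as {destination: next_hop}.  The PFsense table is
# deliberately missing the VLAN 30 return route.
PFSENSE_ROUTES = {
    ipaddress.ip_network("10.10.20.0/24"): DELL_TRANSIT_IP,
    ipaddress.ip_network("10.10.30.0/24"): DELL_TRANSIT_IP,
}
DELL_ROUTES = {
    # "a single return route up to the PFsense's LAN IP for anything it doesn't know about"
    ipaddress.ip_network("0.0.0.0/0"): PFSENSE_TRANSIT_IP,
}


def transit_is_point_to_point(net, a, b):
    """A /30 leaves exactly two usable host addresses; both ends must use them."""
    net = ipaddress.ip_network(net)
    hosts = set(net.hosts())
    return len(hosts) == 2 and hosts == {ipaddress.ip_address(a), ipaddress.ip_address(b)}


def missing_return_routes(vlan_subnets, fw_routes, switch_ip):
    """VLAN subnets the firewall has no static route for via the switch's transit
    address.  Without one, replies to those hosts follow the firewall's own
    default route instead, i.e. out the WAN, and the VLAN is unreachable."""
    switch_ip = ipaddress.ip_address(switch_ip)
    return sorted(
        (vid, str(net)) for vid, net in vlan_subnets.items()
        if fw_routes.get(net) != switch_ip
    )


def lookup(routes, dst):
    """Longest-prefix match over a static route table; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in routes.items() if dst in net]
    if not matches:
        return None
    return str(max(matches, key=lambda m: m[0].prefixlen)[1])


def forwarding_device(src, dst):
    """Which device makes the forwarding decision for a packet from a host on a
    Dell VLAN.  Anything destined to another Dell VLAN (or the transit) is routed
    on the switch and bypasses the PFsense entirely; only traffic leaving the
    VLAN set follows the default route up to the firewall."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    vlan_nets = list(DELL_VLAN_SUBNETS.values())
    if not any(src in net for net in vlan_nets):
        raise ValueError(f"{src} is not on a Dell VLAN")
    if any(dst in net for net in vlan_nets + [TRANSIT]):
        return "dell"
    if lookup(DELL_ROUTES, dst) == str(PFSENSE_TRANSIT_IP):
        return "pfsense"
    return None


if __name__ == "__main__":
    print("transit /30 ok:", transit_is_point_to_point(TRANSIT, PFSENSE_TRANSIT_IP, DELL_TRANSIT_IP))
    print("missing return routes on PFsense:",
          missing_return_routes(DELL_VLAN_SUBNETS, PFSENSE_ROUTES, DELL_TRANSIT_IP))
    print("workstation -> server forwarded by:", forwarding_device("10.10.20.5", "10.10.30.7"))
    print("workstation -> internet forwarded by:", forwarding_device("10.10.20.5", "8.8.8.8"))
```

Running it reports VLAN 30 as the subnet the PFsense cannot route back to, and shows the workstation-to-server path landing on the Dell rather than the firewall; that second result is the design working as intended, and also the reason any rule you would have written on the PFsense between those two VLANs now has to live on the switch.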

On 1/4/2019 at 10:46 PM, _bolek_ said:

First, routing between VLANs using L3 is slower than on L2.

Second, we will still have issues with VLANs and trunks between switches from two different manufacturers (I presume they have more than one switch in the LAN).

But their network is already VLAN'd out. So they need it.

On 1/4/2019 at 10:46 PM, _bolek_ said:

Third, by moving DHCP to the switch you may lose some flexibility (some switches are missing some DHCP features).

The feature set you get with a DHCP server vs. on the switch/router is a very specific use case.

On 1/4/2019 at 10:46 PM, _bolek_ said:

Fourth, when you change the mode to L3, you lose some switching features and make it work even harder.

You don't lose any switching features. It's just really taxing on the router.

 

On 1/4/2019 at 10:46 PM, _bolek_ said:

The configuration you just proposed makes more sense when you have a building and rent offices to different companies, but not when you want a simple and fast office LAN.

This is a typical setup for businesses. Why do you think that only makes sense for multi-tenant offices?


In this video Linus has mentioned that they'll get 10G to Vancouver Internet Exchange Point - I guess it's VANIX (unless there's other I'm not aware of), is that right?

 

The thing is, Linus said that Amazon's network is also available through this IXP, which I don't think is correct: they're not listed on https://vanix.ca/participants/.

 

Also, the other thing which bothers me slightly is - are they gonna run their own BGP - get their own ASN and join as a regular member of VANIX or "proxy" it through Telus?


You can use a PC to access VLANs.

 

The advanced page of your Intel NIC allows you to tag or untag your PC's NIC in that VLAN.

 

If your switch is configured and the port for the uplink is incorrectly tagged in the wrong VLAN, your network or DHCP will not work.

 

On your pfSense, are you running rules to allow DNS and DHCP between the different interfaces on your LAN?

 

This is similar to what you would do in iptables.

 

A console cable into your switch would be an easier way to move your VLANs with the configuration files you copied off the Netgear.

 

The issue I have had with Netgear switches is that the VLANs leak packets.

 

Do you run ESXi on your servers and then configure and fail over your virtual machines as and when there is an issue?

 

Did you have to configure any zoning on the Mellanox?

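As an added example that is not from any post in this thread, here is one way to check for the VLAN leak Drcooops mentions above, and for the related mis-tagging of an uplink port: parse the 802.1Q tags off frames captured on a switch port and flag anything that should not be there. The frames and MAC addresses below are constructed for the example; in practice the input would be a capture from a port where a host is supposed to see only its own untagged traffic. A tagged frame showing up on an access port means the switch is leaking, or a PC is doing its own tagging as in the Intel NIC advanced page. The checker goes slightly beyond the post by also flagging stacked tags on a trunk, which is what a double-tagged frame looks like.

```python
import struct

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # service tag used for QinQ; the parser accepts either when tags stack


def parse_vlan_tags(frame):
    """Parse an Ethernet II header and return
    (dst_mac, src_mac, [vids outer..inner], payload_ethertype).
    Walks any number of stacked 802.1Q / 802.1ad tags and rejects truncated input."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, vids, etype
        if off + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tci & 0x0FFF)   # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed test frame.  When stacking, the outer tag uses 0x88A8 as in QinQ."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b""
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def vlan_violations(frames, allowed_vids, access_port):
    """Flag frames that should never appear on the port they were captured on.
    Access port: any tag at all is a leak, or a host tagging its own traffic.
    Trunk: a VID outside the allowed set is a leak; two tags is double-tagging."""
    findings = []
    for idx, frame in enumerate(frames):
        _, src, vids, _ = parse_vlan_tags(frame)
        if access_port:
            if vids:
                findings.append((idx, src, vids, "tagged frame on access port"))
        elif len(vids) > 1:
            findings.append((idx, src, vids, "stacked tags (double-tagging)"))
        elif vids and vids[0] not in allowed_vids:
            findings.append((idx, src, vids, "VID not allowed on this trunk"))
    return findings


# Constructed capture: what a sniffer on one switch port might hand back.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", []),        # untagged
    build_frame("02:00:00:00:00:aa", "02:00:00:00:00:02", [10]),      # VLAN 10
    build_frame("02:00:00:00:00:aa", "02:00:00:00:00:03", [99]),      # VLAN 99, not expected here
    build_frame("02:00:00:00:00:aa", "02:00:00:00:00:04", [10, 20]),  # outer 10, inner 20
]

if __name__ == "__main__":
    print("trunk allowing 10 and 20:", vlan_violations(SAMPLE_FRAMES, {10, 20}, access_port=False))
    print("access port:", vlan_violations(SAMPLE_FRAMES, set(), access_port=True))
```

On the trunk check only the VLAN 99 frame and the double-tagged frame are reported; on the access-port check every tagged frame is, which is the symptom you would expect to see if a port had been left in the wrong VLAN or the switch were leaking tagged traffic to hosts that never asked for it.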

On 1/5/2019 at 5:46 AM, _bolek_ said:

I would trunk the virtual switch and then assign the NICs the VLAN IDs. More speed that way and easier management. Why does he also not run DHCP on the pfSense?

 

 


 

 


I'm enjoying all the discussion re networking but I'm curious why the network is particularly complicated. Some over-engineering perhaps. You should not need a CCNA or equivalent to set up an office network for a couple of dozen staff and servers...

16 hours ago, Drcooops said:

You can use a pc to access vlans. 

 

Your advanced page of your Intel nic allows you to tag or untag your pc nic in that vlan. 

Why would you make the users do the tagging and not have an access port? Just adding work that doesn't need to be done.

 

At least the rack looks tidier at the end...


Nothing is more important than protecting your files. Especially when those files are your business. Seeing how LTT has had a server failure in the past where they lost data I do wonder whether they consult people for this stuff.


Quote

housekeeping first in order to use it, and it turns out we suck at networking

Good luck with the housekeeping, it is not Linus' strong suit that is for sure. I hope you guys hire a maid service, I do.

Not only suck at networking but more too hahahaha

pls pls pls I want to see Linus swing a 20oz. hammer hahahaha

Lay some cable trays!


  • 1 month later...

Maybe I'm a bit old school but I really really doubt that a "software" router can hold a candle to a hardware solution, even a few generations older one. 

Does LTT actually have an ASN? Will they be a full peering partner on Van-IX?


2 hours ago, PsychoXLR said:

Maybe I'm a bit old school but I really really doubt that a "software" router can hold a candle to a hardware solution, even a few generations older one. 

Does LTT actually have an ASN? Will they be a full peering partner on Van-IX?

No, software cannot compete with ASICs. Just not possible. From what I see, software is good up to 2.5 Gbps. After that, no matter what hardware you use, it cannot handle it reliably.

 

Why would they need peering? 


On 2/18/2019 at 5:22 PM, mynameisjuan said:

Why would they need peering? 

How else will they get access to VAN-IX?


On 2/19/2019 at 10:28 AM, PsychoXLR said:

How else will they get access to VAN-IX?

You don't need to be peered. It's probably just an E-LAN service.


13 hours ago, mynameisjuan said:

You don't need to be peered. It's probably just an E-LAN service.

Figures that it's some sort of L1/L2 transport service.

But to get connectivity with all the VAN-IX peers you need to set up BGP. For that you need your own ASN and public IP range.


Looks like so much fun working there. LOL x 1,000!!! I don't know how it got fixed, and that is the worst way of fixing it. Been there, done that.



11 hours ago, PsychoXLR said:

Figures that  it's some sort of L1/L2 transport service. 

But to get connectivity with all the VAN-IX peers you need to set up BGP. For that you need your own ASN and public IP range.

That's not being handled by LTT.


12 hours ago, mynameisjuan said:

That's not being handled by LTT.

This kinda doesn't make sense. In that case their ISP is getting the 10Gbps connection with VAN-IX. And they have to share that with that ISPs other traffic. And it will basically depend on the ISPs routing policies.


10 hours ago, PsychoXLR said:

This kinda doesn't make sense. In that case their ISP is getting the 10Gbps connection with VAN-IX. And they have to share that with that ISPs other traffic. And it will basically depend on the ISPs routing policies.

We do this. Trust me, the customer doesn't peer.

