
I hope you don't need internet....

jakkuh_t

 

Edited by SansVarnic
fixed embed.


PC: 13900K, 32GB Trident Z5, AORUS 7900 XTX, 2TB SN850X, 1TB MP600, Win 11

NAS: Xeon W-2195, 64GB ECC, 180TB Storage, 1660 Ti, TrueNAS Scale


I've tried to set up a pfSense router in the past, but the biggest problem I encountered was getting it to recognize my 2.5G Realtek NICs. OPNsense unfortunately also had the same issues with Realtek, and I couldn't get any of the build guides for the drivers to work. Maybe one day I'll upgrade to 10G Intel NICs and give it another try. FYI, Cloudflare has their own network test that I prefer over SpeedTest.


pfSense is limited in terms of routing performance because of BSD, not x86. Check out TNSR from Netgate for more speed!


Please tell me you're going to build a bigger server room with better sound isolation and cooling once logistics moves to the Lab 2 building...

 

(Keep the old server room as an IDF so you don't have to rewire the whole place.)

I sold my soul for ProSupport.


What would you recommend for SFP+ port to 10 GbE conversion?


34 minutes ago, Needfuldoer said:

Please tell me you're going to build a bigger server room with better sound isolation and cooling once logistics moves to the Lab 2 building...

 

(Keep the old server room as an IDF so you don't have to rewire the whole place.)

Totally agree. Now that they have a new, larger building, it makes me wonder: are they going to build a real server room at the old building? This will probably be another video. lol. Hopefully with proper cable management this time.


54 minutes ago, Darkk said:

Totally agree. Now that they have a new, larger building, it makes me wonder: are they going to build a real server room at the old building? This will probably be another video. lol. Hopefully with proper cable management this time.

From what I remember, in one of the videos, yeah. Also, ATM with the cabling, I totally understand, seeing Wendell still working on one of the file servers.

MSI X399 SLI Plus | AMD Threadripper 2990WX all-core 3 GHz lock | Thermaltake Floe Riing 360 | EVGA 2080, Zotac 2080 | G.Skill Ripjaws 128GB 3000 MHz | Corsair RM1200i | 150TB | Asus TUF Gaming mid tower | 10Gb NIC


2 hours ago, Anamcha said:

25:00 in today's vid. Might wanna get the merch team to close the top of the O in the orange .com on Jake's LTTSTORE shirt. Or is that LTT OnlyFans merch?

That was very deliberate. Reddit had r/place, where anybody could place pixels for a limited time, so various subreddits pulled together to do whatever designs they could manage. Of course, LTT fans chose to maintain lttstore.com, but trolls kept on making the, uh, U modification. A WAN Show around the time covered this, and the creation of the t-shirt.


6 hours ago, ToboRobot said:

pfSense is limited in terms of routing performance because of BSD, not x86. Check out TNSR from Netgate for more speed!

Netgate guys would probably love some exposure.

 

However, x86 is really kind of limited in terms of routing, as it's lacking any hardware means of accelerating address lookups. That is the heavy lifting TNSR's underlying technology (VPP) is doing in software; the rest is just pushing data through PCIe interfaces, which is quite fast when done properly.

Best thing is that VPP is open source.


Soooo, you are telling me that I had proper 10 Gbps internet at home before LTT got proper 10 Gbps for work (11:30 in the video)? mhhhhhhhh

Gaming: Windows 10 - Intel i7 9900K - Asus RTX 2080 Strix OC - GIGABYTE Z390 AORUS MASTER - O11 Dynamic


5 hours ago, kgzv99 said:

Netgate guys would probably love some exposure.

 

However, x86 is really kind of limited in terms of routing, as it's lacking any hardware means of accelerating address lookups. That is the heavy lifting TNSR's underlying technology (VPP) is doing in software; the rest is just pushing data through PCIe interfaces, which is quite fast when done properly.

Best thing is that VPP is open source.

TNSR on x86 scales over 100 Gbps, so I am unsure why you would state that it is x86 and not the old (but stable) BSD network stack that is the issue.

Cheap commodity x86 servers can be great routers.


@jakkuh_t How did you do the media change through the switch? I've been trying to do something similar but have never been able to figure it out.

 

My modem supports LAG, and I'm looking to eke all the overprovisioned internets I can get out of Spectrum, so I was thinking I would set up LAG on two RJ45 ports on my switch, set up a VLAN for those two ports and the SFP+ 10G port, and then pass that through to my UDM-Pro. But I haven't quite figured out why it doesn't actually seem to pass through the signal. Any tips on how you went about setting up the media conversion that might apply to my situation?


I usually have my fun watching your videos and seeing you go over the top, but IMHO this time it went sideways. You spent more, but ended up receiving less.

 

pfSense is based on BSD, and as of today some (if not most) of the network processing is tied to a single core. You would have been much better served with a higher clocked CPU, or by using a Linux based distro. This is most certainly the reason why you are only getting results around 5 Gbps at the end of the video. I can't remember precisely where the bottleneck is, but you might also get "poor" performance across your VLANs if it is not tied to the NAT.

 

Speedtest can definitely go higher. I get results of about 8.2 Gbps from home, with the crappy modem my ISP gave me (the 8.2 Gbps is also clearly stated in the manual as the limit of the HW, so the servers certainly have higher bandwidth).

 

You should try TNSR on your box, it looks like a perfect match. Bonus: I don't think that Jake will be able to simply import the config this time 🙈


@jakkuh_t

 

Please if possible fire this post up the internal chain at LTT.

 

Watched this video and something in the setup worried me a lot. Did I understand the setup right, that you connected a fibre cable carrying unfiltered Internet traffic into a switch that is also carrying internal traffic? This was because your new pfSense router does not have a fibre port but only copper RJ45 UTP ports, and you are using the internal switch to media convert? And that you have segregated the internet and internal traffic just using a VLAN, but the VLAN the internet traffic is going over is untagged?

 

If my understanding above is correct, then please, please, please do not do this!!!

 

You are opening your internal network up to more risk than you needed to. Why, as the traffic is separated by VLANs, so internal and internet traffic are separate, right? Maybe, but there are theoretical VLAN hopping attacks. VLANs are a software construct, so the separation is only as good as the software on the switch. That is not the main issue though. The issue is the switch itself is on the internet now. I don't mean in an addressable way, so someone could log into it. What I mean is the switch's control plane / CPU is exposed since it is carrying internet traffic. So any denial of service attacks that load up the switch's CPU will also affect your internal traffic. CAM / MAC address overflow attacks, etc. can affect internal traffic as well, even though there will be a separate MAC table per VLAN. The CAM table resources on a switch are shared, with only so many entries possible (a lot of entries, but there is a hardware limit), across the whole switch. So an attack that fills the table up with rubbish entries will also affect the table for the internal VLANs. Also a bug in the switch code that means packets coded in a certain way can cause the switch to crash; that has happened.

 

Now I am being somewhat vague here and just giving a couple of example attack vectors, as first I don't know the exact layout of your network and the vendors / models involved. I know there will be a load of responses below saying the example attacks above are unlikely / impracticable (standard forum stuff where, no matter what position you take, people will be against it), etc., which I will not get into point by point debates about here. Also I am not pooh-poohing VLANs, as they are perfectly great at separating traffic that is at the same trust level, such as internal networks.

 

The main point is that no matter the network layout, vendors and models involved, devices carrying naked internet traffic can be attacked and have their service degraded; that goes with the territory. The reason there is normally a physical separation between devices carrying internet traffic and internal traffic is so that if the internet exposed devices are attacked and have their service degraded, it does not affect your internal traffic as well.

 

So if your Internet connectivity is an issue, it may not be too bad, but your internal traffic too? This I thought would be important to yourselves, as if memory serves all the people working on video editing etc. are doing so across your internal network, as it was frowned on having the files being edited locally on editors' machines. So I assume it would not be great if an internal network switch is running slowly due to dealing with an attack on its Internet carrying VLAN.

 

It is not worth the risk just to save a buck on having a separate device, not carrying any internal traffic, doing the media conversion, even if it's a small switch with few ports. This is the height of 'jank', and the issue is yes, you may wave away that you are not so fussed about your network, but LTT in their videos set an example. Anyone watching this may believe that this is an acceptable / best practice way of doing this. I and my team already have to have this debate repeatedly with customers who want to use the same switch to carry internet and internal traffic to save some money, and I don't look forward to the "It's fine as I saw LTT were doing it." that is going to come up going forward. This is also the reason I posted this publicly.


In case you doubt me, 'direct from the horse's mouth', so to speak...

 

From pfSense's documentation:

 

Virtual LANs (VLANs) — VLANs and Security | pfSense Documentation (netgate.com)

 

"

Segregating Trust Zones

Because of the possibility of misconfiguration, networks of considerably different trust levels should be on separate physical switches. For example, while the same switch could technically be used with VLANs for all internal networks as well as the network outside the firewalls, that should be avoided as a simple misconfiguration of the switch could lead to unfiltered Internet traffic entering the internal network.

"

 

They have picked a different reason to explain why it is not a great idea; basically there are a bunch of reasons.

 

It also has a good explanation of why I also had a problem with the traffic being put across the switch untagged (but I left that out as the post was long enough already), i.e. in the native / default VLAN.

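The two posts above make a concrete, checkable argument: an unfiltered ISP handoff should not share a switch with internal VLANs, and if it must cross a switch at all it should never ride the native/default (untagged) VLAN. The script below is an added example, not code from the thread or from the pfSense documentation it quotes; it audits a port/VLAN plan for exactly those conditions. The switch names, port names, VLAN numbers and descriptions are constructed for illustration, and the `Port`/`Switch` data model is an assumption standing in for whatever the real switch's config export looks like.

```python
"""
Audit a switch port/VLAN plan for the trust-zone mixing the thread warns about.
Added example; data model and all sample values are constructed, not taken from
any real LTT switch or from pfSense.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    vlan: int                                  # access VLAN, or native (untagged) VLAN on a trunk
    tagged: set = field(default_factory=set)   # tagged VLANs carried on a trunk
    description: str = ""

    def vlans(self):
        """Every VLAN that can appear on this port's wire."""
        return ({self.vlan} | self.tagged) if self.mode == "trunk" else {self.vlan}


@dataclass
class Switch:
    name: str
    ports: list
    untrusted_vlans: set          # VLANs carrying traffic from outside the firewall
    default_vlan: int = 1         # the factory/native VLAN the pfSense docs warn about


def audit(switch):
    """Return (code, location, message) findings for one switch."""
    findings = []
    trusted_seen, untrusted_seen = set(), set()
    for p in switch.ports:
        on = p.vlans()
        untrusted_here = on & switch.untrusted_vlans
        trusted_here = on - switch.untrusted_vlans
        untrusted_seen |= untrusted_here
        trusted_seen |= trusted_here
        loc = f"{switch.name}/{p.name}"
        # Untrusted traffic riding the native VLAN of a trunk arrives untagged,
        # which is the "untagged internet VLAN" the thread objects to.
        if p.mode == "trunk" and p.vlan in switch.untrusted_vlans:
            findings.append(("UNTAGGED_UNTRUSTED", loc,
                             f"untrusted VLAN {p.vlan} is the native VLAN on a trunk; tag it explicitly"))
        # One trunk carrying both zones: a single misconfiguration bridges them.
        if p.mode == "trunk" and untrusted_here and trusted_here:
            findings.append(("TRUNK_MIXES_ZONES", loc,
                             f"trunk carries untrusted {sorted(untrusted_here)} with trusted {sorted(trusted_here)}"))
    if switch.default_vlan in switch.untrusted_vlans:
        findings.append(("DEFAULT_VLAN_UNTRUSTED", switch.name,
                         f"default VLAN {switch.default_vlan} carries untrusted traffic"))
    # The thread's main point: shared CPU/CAM resources mean any zone mixing on
    # one physical switch lets an attack on the outside VLAN degrade the inside.
    if trusted_seen and untrusted_seen:
        findings.append(("SHARED_SWITCH", switch.name,
                         "untrusted and trusted VLANs share this physical switch; use a separate media converter"))
    return findings


def codes(findings):
    return [f[0] for f in findings]


# Constructed "jank" layout: ISP fibre lands on the core switch, WAN goes to
# pfSense untagged on the same trunk as the internal VLANs.
JANK = Switch("core-sw", untrusted_vlans={999}, ports=[
    Port("Te1/1", "access", 999, description="ISP fibre handoff"),
    Port("Te1/2", "trunk", 999, {10, 20}, "to pfSense: WAN untagged, LAN VLANs tagged"),
    Port("Gi1/5", "access", 10, description="editing workstation"),
    Port("Gi1/6", "trunk", 1, {10, 20}, "uplink to distribution switch"),
])

# Constructed corrected layout: a small dedicated switch does the media
# conversion and only ever sees the untrusted VLAN; the core sees none of it.
FIXED_WAN = Switch("wan-conv", untrusted_vlans={999}, ports=[
    Port("Te1/1", "access", 999, description="ISP fibre handoff"),
    Port("Te1/2", "access", 999, description="to pfSense WAN port (copper)"),
])
FIXED_CORE = Switch("core-sw", untrusted_vlans={999}, ports=[
    Port("Te1/2", "trunk", 1, {10, 20}, "to pfSense LAN: VLANs tagged"),
    Port("Gi1/5", "access", 10, description="editing workstation"),
    Port("Gi1/6", "trunk", 1, {10, 20}, "uplink to distribution switch"),
])

if __name__ == "__main__":
    for sw in (JANK, FIXED_WAN, FIXED_CORE):
        for code, loc, msg in audit(sw) or [("OK", sw.name, "no trust-zone findings")]:
            print(f"{code:22} {loc:16} {msg}")
```

Running it flags the jank layout three times (native-VLAN WAN on the pfSense trunk, a trunk that mixes zones, and the shared physical switch) and reports nothing for the two corrected switches, which is the separation both posts are asking for.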

You should take a look at using CARP on pfSense/OPNsense. This would allow you to upgrade your router's hardware with no downtime by failing over.
