In my (UK) experience, universities are potentially your friends if you have any contacts. I used to have a storeroom where old stuff went (after I sanitised it and removed it from asset registers), and I would often "forget" to lock the door. Made no odds to me whether the scrubbed hardware went into our hardware recycler's van or some colleague's car; the only unwritten rule was that if you took something away, it did not come back to me for support.
Didn't really bother me - if you want to sneak something out and back in, it made literally no difference. At the end of the month I was going to open the storeroom and see if we had enough for a collection and if we did we did, if not, it just rolled over to the next month.
Sounds terrible, I just wouldn't.
I guess I'm not sure why Ubiquiti isn't arranging the return and why I'm left to deal with it instead. Right foot not talking to the left foot with me in the middle?
So, just because a rep has said "please RMA your device" doesn't mean they can handle that for you - have you tried just finding out what Ubiquiti's own process is, and starting an RMA directly with them, with your case number?
Solved
C'mon, don't be that guy.
Going through a similar situation right now, but we are very locked down and they were wild west. They're starting to complain. Our industry is traditionally very locked down, so I don't get why the wild west approach and limited policy making. Their IT person wants to allow Macs, ugh.
FYI Macs are not automatically bad, so this attitude makes me think you’re a moron. I’ve been a Mac user professionally for 8 years and it’s honestly been fantastic for MY use case. That’s not to say it’s suitable for everyone, but your “Macs, ugh” attitude says a lot to me about why the other IT team might be starting to rally against you.
I used to operate public mail servers; this is a very good way to tweak things for best performance. If you have never compiled a kernel before then perhaps this isn't for you.
So where's your evidence? Your benchmarking of how much your custom kernel improved performance? Because someone who's willing to argue the point as aggressively as you are (including taking swipes at other people's experience) clearly isn't just relying on gut feeling or falling for the placebo effect, right?
The main difference between router and modem is probably NAT. Router mode does NAT, your UDM Pro also does NAT, double NAT has zero upside, only potential downside.
I would expect this is a validation thing. I have virtually the same chassis, it has bays for 8 drives (I think), 4TB was probably a common size then, for a total of 32TB.
This is a good point and I don't remember why I wouldn't have brought this up 2 years ago - but my experience of it isn't great, I've had issues in the past where there's some kind of "race" condition between datasets containing the empty folder required to mount being mounted after the datasets which are the folder, where the result was that my system thought both were mounted properly but what I could see in the directory tree was the empty directory from the containing dataset.
Weren’t those two vulnerabilities virtualisation related? So if you’re running a router/firewall OS as the sole OS then there’s very little risk? Or am I thinking of something else?
We recently got our annual raises and apparently the team was given a lump sum that was to be split out among the team members. Some senior devs sacrificed their raises so the lower paid juniors could get a better cost of living raise. It is a little maddening knowing that this team member is essentially taking pay from others.
In the best practice document you linked, I found no occurrence of the text "rename". So is it actually a best practice? Or is it something you've made up?
Are WAN and LAN VLAN interfaces, with opt3 being the physical interface that contains them?
That appears to be what’s happening here. cURL’ing the real public IP requesting HTTP on port 443 indeed returns an XHTML file of the IIS landing page.
Do you definitely have the port forwarding correct? Could you accidentally have forwarded 443 externally to 80 internally, so while your IIS server is configured for HTTPS on port 443, that's only available inside the NAT?
…Now that you mention it, I was having trouble earlier with 80/443 overlapping. I may need to re-examine the NAT logic.
No sweat - good luck fixing it :)
UniFi (requires a controller, but you can self host it or whatever you want). Extreme also has a free tier of cloud management.
I get that but I won’t pay more than what I agreed to pay was my point.
That's how contracts work. I'm sure you're free to not pay, and Virgin (or whoever else you're with) are free to refuse to provide you a service anymore and probably send you through their collection process. Saying "I don't accept price rises" just makes you look like an idiot here.
Did you figure this out?
I didn’t, no. No matter what I did, or what firmware I ran, I could never get it to work. Ultimately, the house I was buying that needed the extra coverage fell through so I’ve pretty much given up and gone back to UniFi with an upgraded version of my Lite AP.
I'm using the Aruba Instant platform, and they block ARP and mDNS by default. In the enterprise space those are considered noise. But I can change that default setting to allow both (and convert to unicast). It works very well (probably best of anything I've tried). They also have a Bonjour bridge, but it is only needed if trying to cross VLANs. I keep my network relatively flat to avoid those kinds of issues.
Interesting. I realise things like this are not always desirable features in an enterprise environment - however in my case, that's fine. Instead of their branded Bonjour Gateway, my OPNsense firewall is configured for mDNS forwarding between VLANs which works great with UniFi APs. So I figured that in an enterprise environment it would be whatever L3 switch/router/firewall you have your VLANs converging on which would be responsible for blocking that traffic.
I'm not even a manager and I'm largely "off the tools" (and the tools I am still allowed to touch, suck). You could not pay me enough to make this move.
Have you tried changing mirror? Perhaps whichever one you're using is out of date and not having the repository mirrored to it?
How do you regularly clean up those accounts?
Tools like cloud-nuke (from Gruntwork) exist; otherwise with decent automation you could possibly just delete and create entire accounts within an AWS Organization? There are quotas for how often you can do it but if you wanted to completely throw away the sandbox account once every month/quarter that might work?
Please explain why you use TheGreenBow to connect to the office?
The Windows client does some dumb things in my experience. It isn’t an IPsec client, it’s an IPsec+L2TP client so may not be compatible if the router does not support L2TP, and it makes assumptions about classful networking that are often wrong. If OP finds a third party client works better, then that doesn’t shock me at all.
It is not a question of the third party client but of "man in the middle"!
TheGreenBow is just a client though. It doesn't send anything to a third party. It is a Windows client for IPsec that connects to your own IPsec server. No intermediaries are involved (or at least the risk is no greater than with other closed source third party software like the Windows client itself).
There's a 2 minute timeout somewhere in k3s that makes large images troublesome to use on slower internet connections. I'm currently on 30Mb down and can't install or upgrade Home Assistant, for example; I have to manually pull the image for it to work.
Yeah, nothing good... it's just that 14 years ago it cost cents and now 20k... but please stay on your own propaganda.
Something can be both valuable and useless.