
Messages - athurdent

#1
General Discussion / Re: Deutsche Telekom - Glasferausbau
February 25, 2026, 05:49:33 AM
Quote from: chemlud on February 24, 2026, 05:05:36 PM
What's next?

Next, you hope you're the only one subscribing; it's a shared medium. 😉
#2
General Discussion / Re: Deutsche Telekom - Glasferausbau
February 24, 2026, 09:37:17 AM
Quote from: chemlud on February 24, 2026, 08:13:12 AM
I reset my PPPoE every night on purpose, get a fresh IP. Why are people so upset by Zwangstrennung? DynDNS is up again in seconds, no problem.

Some of us appreciate uninterrupted connectivity.
#3
General Discussion / Re: Deutsche Telekom - Glasferausbau
February 24, 2026, 06:25:18 AM
Quote from: chemlud on February 23, 2026, 09:08:03 PM
@athurdent is the peering problem relevant only for Gbit, or even with lower bandwidth? My 120 Mbit DSL from Telekom is not that much of a problem for my use cases.

What is the problem with Zwangstrennung? I do that "manually" every night, line up again in very few seconds with fresh IP...
As it's peering-related, the problem will affect everyone. E.g. usage of 1.1.1.1 with packet loss, no fun. Lots of websites also use Cloudflare (IKEA, Discord, etc.), so during prime time those were heavily affected a while ago. Now it's OK again, but usually that holds for a few months and then the problems start again. See netzbremse.de or Reddit, e.g. an analysis of the most recent event: https://www.reddit.com/r/de_EDV/comments/1qkm5vt/zum_dtagrouting_zu_cloudflare/
As for Zwangstrennung, there's no problem with Telekom. They have turned that off; it'll only reconnect once every 180 days or so. Remove your 24h workaround, it should not make a difference.
#4
General Discussion / Re: Deutsche Telekom - Glasferausbau
February 23, 2026, 07:10:17 PM
Quote from: chemlud on February 18, 2026, 06:18:08 PM
Any experience with Deutsche Telekom on that?

The line itself is great here (dual stack IPv4 / IPv6, no 24h Zwangstrennung).
But careful, with German Telekom you'll get very bad Cloudflare peering. In fact, they don't have any direct peering, and the transits are often crowded. Their community forum is full of angry customers; just recently it was very, very bad. Their support team is so desperate that they even recommend switching the ISP (temporarily, with a VPN provider, but still).
#5
General Discussion / Re: Deutsche Telekom - Glasferausbau
February 23, 2026, 07:02:16 PM
Quote from: nero355 on February 19, 2026, 09:31:00 PM
Over here most people buy either a Huawei ONT or Nokia ONT for XGS-PON connections like this one: https://www.wisp.pl/p12211,huawei-optixstar-en8010ts-20-terminal-xgs-pon-ont.html
(Sometimes from the very same webshop by the way!)

Usually not very cheap and the availability is not that great either...

Would you happen to know if the Huawei allows changing the ID, so we don't have to contact the ISP when switching ONTs?
#6
If anything, this discussion with the OP helped at least me put the original post in perspective.
I'm out, feels like there's a better use of my time than rephrasing the same fact over and over again. ;)
#7
Quote from: pradip.marathon on November 04, 2024, 12:11:17 PM
Palo Alto can filter the content from a website. Example 1: I would like to give access to YouTube except specific video categories in YouTube like Shorts, Movies, Non-Educational, Games etc.
Example 2: I would like to give access to Facebook but not the games inside Facebook.

That usually requires the firewall to be able to inspect the URLs called, which normally demands SSL decryption to take a look, with a certificate installed on your system.
If it really works without, and please verify and let us know, then they got lucky and there are e.g. different hosts used by YouTube or Facebook for this, which would allow differentiation without looking at the traffic.

I doubt you can do the above with Palo Alto and no extra certificate installed though.
#8
Quote from: pradip.marathon on November 04, 2024, 11:17:33 AM
Quote from: athurdent on October 30, 2024, 09:17:25 AM
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested the SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So I'm unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.

Zenarmor is agent-less though? You should perhaps elaborate on your ask, and lay out what others like Palo Alto are doing differently.
I.e. explain how you'd like full SSL Inspection to be done by Zenarmor (or any other SSL Inspection engine) without trusting a certificate used to decrypt traffic in the middle.
#9
Quote from: bimbar on October 30, 2024, 03:59:03 PM
Quote from: Greg_E on October 30, 2024, 03:53:35 PM
I was led to believe that the Zenarmor package could use any SSL certificate. If it only allows its self-signed certificate, then that will be a problem that needs to be fixed.

Being a CA certificate, of course it's self-signed.

You need something that can issue certificates, so it can also be an intermediate CA cert. But I am unsure if any of the CAs other than perhaps Honest Achmed's Used Cars and Certificates (https://bugzilla.mozilla.org/show_bug.cgi?id=647959) will sell something like this... :)
#10
Quote from: pradip.marathon on October 30, 2024, 08:02:41 AM
Quote from: athurdent on October 29, 2024, 08:10:11 AM
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)

I have already implemented and tested the SSL inspection in my org. Installation of the Zenarmor SSL certificate is mandatory in order for TLS inspection to work and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So I'm unsure how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.
#11
Quote from: pradip.marathon on October 29, 2024, 07:46:44 AM
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works. ;)
#12
NVIDIA likes both. ;)
#13
If someone tries to sell AI in the security sector, I usually look twice, double check and then smile about what was actually offered as being AI.

TBH, I'd love it if they didn't try to sell anything as "AI" for security and just sat out the hype. Remember blockchain?
#14
All the tickets I raised with them were taken care of in a timely and professional manner.
I mainly bought Home to support development, the free edition (and you don't get that level of DPI insights/filtering for free anywhere else) is pretty awesome itself.

Not saying that it's not something nice to play with, but in the end:
SSE (SSL Inspection) is usually not something you run at home anyway, as you have to roll out certificates and will have to constantly exempt stuff (certificate-pinned apps, incompatible websites) to make users happy. It has a very low WAF, and your kids would start visiting the neighbors pretty often soon. 😅
#15
Quote from: subivoodoo on April 29, 2024, 04:24:47 PM
Hi,

It's not a "does not start" issue... OpnSense on Proxmox works great also with SR-IOV (I updated to Proxmox 8.2.2 last weekend and it runs great). If it does not start, you probably have to disable secure boot in the "Guest BIOS" => that was my issue when I installed OpnSense on Proxmox the first time ;D

Your error message "smells like" non-unique IOMMU groups...

It's an issue with Intel virtual function network interfaces and high availability virtual IP addresses that use CARP. The issue is that CARP needs a second MAC address, and the packet flow inside the Intel driver has some "issues with this by design" on X710 NICs. That's why it is possible to ping the CARP IP from outside (from another client/PC) but not if the client runs "on the same physical NIC" with another virtual function network device on the same physical card.

As I figured out (and this link also tells us: https://forum.proxmox.com/threads/issues-with-sriov-based-nic-passthrough-to-firewall.66392/), it's necessary to define "vf-true-promisc-support on" on the Proxmox host on the first NIC interface, plus promisc needs to be set within the guest (in our case OpnSense / I think for CARP OpnSense enables promisc anyway?). With these settings and a newer Intel E810 card all works... but it still doesn't work on older X710 Intel NICs.

Regards

I have been running OPNsense and other VMs with SR-IOV for years now, no problems. It's only kernel 6.8 with the X710 interface preventing any of my VMs (Linux or OPNsense) from starting. It's a Supermicro EPYC board with full IOMMU support, no hacks required.
Older Intel 10G card works fine, too.
I have ordered an E810 adapter now; you not having any issues with that one is a good starting point.