Iirc I seem to find whatever was configured dead or no longer the cool choice when I check online.

Whatever it is, I barely touch it and it works great. Very happy.

Two pihole servers, one n VM vlan, one on device VLAN with OpnSense delivering them both via DHCP options. I sometimes update lists, like yearly… At best. They’ve been there over 7 years. Calling them robust is correct. The hypervisors are 3 proxmox servers in cluster using ceph. Intrl NUC 3rd Gen. Less than 80w combined with all vms. Also 8 years old no failures but tolerant for it.

I think you probably don’t realise you hate standards and certifications. No IT person wants yet another system generating more calls and complexity. but here is iso, or a cyber insurance policy, or NIST, or acsc asking minimums with checklists and a cyber review answering them with controls.

Crazy that there’s so little understanding about why it’s there, that you just think it’s the “IT guy” wanting those.

This is no different to me having a email dedicated to searching for a house to give to real estate agents and someone saying “I don’t think it’s legal that a house has an email”. It was frustrating reading up until your comment that people just didn’t get it.

https://www.theverge.com/2022/8/21/23315513/google-photos-csam-scanning-account-deletion-investigation

Google looks. Google reports. Even if you did nothing wrong you’re guilty until you prove innocent and even then you’ll never get your account back.

Great link.

Well good news! Time to let yourself love again!

I ended up reading it on bleeping computer since the linked site looks like an auto tldr bot saved 50% of the words. The important 50% was discarded.

https://www.bleepingcomputer.com/news/security/18-year-old-security-flaw-in-firefox-and-chrome-exploited-in-attacks/

I checked too, it’s not a valid public DNS record, so then the question is, does Oktas internal DNS resolve this. Even if it does, how does okta even sit in this? Are they the identity provider for Twitter? Surely even if it’s identity, it’s got nothing to do with content moderation? So many questions.

Eating the onion is sure popular today!

One rich company trying to claim money off the other rich companies using its software. The ROI on enforcing these will come from only those that really should have afforded to pay and if they can’t, shouldn’t have built on the framework. Let them duke it out. I have zero empathy for either side.

The hopeful other side is with a “budget” for the license, a company can consider using that to weigh up open source contributions and expertise. Allowing those projects to have experts who have income. Even if it’s only a few companies that then hire for that role of porting over, and contributing back to include needed features, more of that helps everyone.

The same happens in security, there used to be no budget for it, it was a cost centre. But then insurance providers wouldn’t provide cyber insurance without meeting minimum standards (after they lost billions) and now companies suddenly have a budget. Security is thriving.

When companies value something, because they need to weigh opportunity cost, they’ll find money.

Hold them all to account, no single points of failure. Make them all responsible.

When talking about vscode especially, those users aren’t your mum and dad. They’re technology professionals or enthusiasts.

With respect to vendors (Microsoft) for too long have they lived off an expectation that its always a end user or publisher responsibility, not theirs when they’re offering a brokering (store or whatever) service. They’ve tried using words like ‘custodian’ when they took the service to further detract from responsibility and fault.

Vendors of routers and firewalls and other network connected IoT for the consumer space now are being legislatively enforced to start adhering to bare minimum responsible practices such as ‘push to change’ configuration updates and automated security firmware updates, of and the long awaited mandatory random password with reset on first configuration (no more admin/Admin).

Is clear this burden will cost those providers. Good. Just like we should take a stance against polluters freely polluting, so too should we make providers take responsibility for reasonable security defaults instead of making the world less secure.

That then makes it even more the users responsibility to be responsible for what they then do insecurely since security should be the default by design. Going outside of those bounds are at your own risk.

Right now it’s a wild West, and telling what is and isn’t secure would be a roll of the dice since it’s just users telling users that they think it’s fine. Are you supposed to just trust a publisher? But what if they act in bad faith? That problem needs solving. Once an app/plugin/device has millions of people using it, it’s reputation is publicly seen as ok even if completely undeserved.

Hmm rant over. I got a bit worked up.

I’ve used virtio for Nutanix before and not using open speed test, but instead using iperf, gathered line rate across hosts.

However I also know network cards matter a lot. Some network cards, especially cheap Intel x710 suck. They don’t have specific compute offloading that can be done so the CPU does all the work and the host cpu itself processes network traffic significantly slowing throughput.

My change to mellanox 25g cards showed all vm network performance increase to the expected line rate even on same host.

That was not a home lab though, that was production at a client.

Edit sorry I meant to wrap up:

• to test use iperf (you could use UDP at 10Gbit and run it continuous, in UDP mode you need to set the size you try to send)
• while testing look for CPU on the host

If you want to exclude proxmox you could attempt to live boot another usb Linux and test iperf over the lan to another device.

Think of this:

You find a computer from 1990. You take a picture (image) of the 1KB memory chip which is on a RAM stick, there are 4 RAM sticks. You are using a DSLR camera. Your image in RAW comes out at 1GB. You project because there’s 8 chips per stick, and 4 sticks it’ll 32GB to image your 4KB of RAM.

You’ve described nothing about the ram. This measurement is meaningless other than telling you how detailed the imaging process is.

They took imaging scans, I just took a picture of a 1MB memory chip and omg my picture is 4GB in RAW. That RAM the chip was on could take dozens of GB!

Ok so you may need to translate a few things.

Routers gateway networks. Networks are extended physically by Ethernet. The ether in Ethernet is basically “to the network it doesn’t matter the medium” and in days past that was coax, or whatever Cabling you had but today is almost exclusively in a house, fibre, WiFi, and cat[5/6/7].

Why does this matter? The router is the pivot between networks. Wireless access points are just part of the network.

A wireless router is a device with two functions!

Ok so how does a router work? When you buy a home grade router like an Asus or netgear, you get a device which has a single routing statement “0.0.0.0/0 via connected interface WAN”. This works on almost everyones home network because they only have a single network.

A local network doesn’t need a router to talk, you only talk when you need to talk to something on another network. Your devices automatically broadcast to every other device on connection or device start up “I’m [mac address] with ip [ip] can you introduce yourself?” and everyone who is online responds back not in broadcast, but unicast directly to that device about their mac address. Your device stores that info in a Mac address table with time outs. This applies to the router too, it knows all the ip addresses on the LAN interface.

Ok now we want to add a second home network to segment IoT away from your highly personal devices with all your personal information. Good idea! So to do that on any “fully fledged” router it’s super easy you would connect a cable to LAN2 plan a second IP subnet and connect a switch or AP to that. The router is now a router for network LAN1 and LAN2. If a device needs to get from LAN1 it goes “this IP isn’t in my subnet therefore I will send it to the router”. It will have no idea if the device is online or offline, it just sends it blindly to the router. Your router gets that IP and now looks at its routing table which now looks like this,for example:

• 192.168.0.0/24 via connected interface LAN1
• 192.168.1.0/24 via connected interface LAN2
• 0.0.0.0/0 via connected interface WAN

So now the router who knows you tried to get to a device within LAN2 from LAN1 will check the mac address table it has for LAN2 and see if there’s a mac address it’s learned from that device connection. If it does it sends the packet on back unmodified. The packet has return address information saying who sent it, and the IoT device can talk back.

Wonderful, that’s the most simplest type of multi-lan network you can create. There are no virtual lans and everyone expects networks to mostly work this way. This exact principle is how the rest of the whole internet works. What networks are via what interface and a traceroute will tell you the resulting path. A router doesn’t need to know the destination just the next network.

One last note on the background info, if you don’t want to setup everything with static IP addresses, you’ll setup a DHCP server which gives out IP details to devices via a lease system, and included can be DNS settings. You must have a dhcp service within a local network. That can be on the router on the LAN1 interface, and another DHCP server with different details on LAN2.

To apply this to your problem, I think you’ll want to review the features of your two WiFi routers that you have. Many home routers do not support two discrete LAN interfaces. If they have 4 LAN ports they could be already configured as a “bridge” which is to say they’re a switch. They’re all grouped all belonging to LAN1. Check to see if you can remove one from the bridge. BTW the WiFi is usually part of this bridge too.

If I had to guess the Asus router is likely more featured and more likely to have the ability to create a new network on a different interface.

The simplest design will be to have your one router be the router for both networks. One wireless router has the router function disabled and becomes a wireless access point connected to LAN2. The router will know all connected networks (WAN/LAN1MLAN2). You won’t even need to write in your own route.

But if this is not possible, it is still possible to use NAT. network address translation is a technology for a router to re-write the “return address” on every packet it sends. The return address becomes the routers WAN interface IP. Your network already has NAT because your LAN IP would send to an external network like “1.1.1.1” and if your return l address was “192.168.0.2” then 1.1.1.1 wouldn’t know how to get back to you since your IP is used on millions of home private networks. Instead your router uses NAT to keep a table of every single connection to the internet and waits for replies and redirects them back to the right device. It replaces the source address with your ISP assigned public IP. So 1.1.1.1 could have got a return address of 12.23.34.45 your home internet ip.

But this can work on your home network but there’s limitations. Just 1.1.1.1 can’t randomly reach back out to the original device ever. Only your device can ask 1.1.1.1. If 1.1.1.1 tried to reach back to your public IP the router has no NAT entry for this, and drops the connection.

Do let’s take the real possibility that you can’t setup two LAN interfaces on your home grade routers. What would you do? Instead could have a second wireless router with NAT enabled (which it is by default). Your second wireless router could broadcast a different SSID and it’s network ip subnet address should be different to your home network IP subnet address. So if your home is 192.168.0.0/24 your IOT could be 192.168.1.0/24. Your WAN interface should be setup static on an address that does not conflict with your DHCP scope. Or if it does, go to the dhcp server and reserve it. It should be an ip that doesn’t change and can’t accidentally be given to another device thereby giving you IP conflicts.

So then your IoT devices now will get that 192.168.1.2+ address and reach to your IOT router to get out of their network. Now this does allow them to talk to your home network devices on 192.168.0.0/24. But the downside is your home lan devices by default can not talk to your IOT devices. This is kind of the reverse of what you want from a security perspective. To configure your IOT you’ll need to join the IOT WIFI. Why is this? If you on your home network connected device on 192.168.0.1/24 try to go to the IOT network device on 192.168.1.0/24, then the home device first notes that the network is not local, so it will send the request to the configured gateway. Your home gateway has no idea where 192.168.1.0/24 is either. So it goes out to the 0.0.0.0/0 route which is to your ISPs router.

I’m sure you’ll think: if this is backwards why not flip my home network behind my second NAT router? And the answer is NAT isn’t free, and you’ll probably have heard CGNAT or carrier grade NAT making a mess of games and services. Double NAT has problems too.

So what about dhcp and dns? The simple answer is the IOT router becomes a dhcp server and offers your IOT pihole for DNS. Your home network shouldn’t need touching

There are ways to band-aid these two networks. If you know your home router has a proper route table you can modify that. remember you setup the IoT router with a static IP? Well here’s why. If you setup a route statement 192.168.1.0/24 via IP 192.168.0.251 (whatever IP is the IoT router) then now your home router can find and redirect traffic. This still occasionally has issues though and this routing statement can create a triangle route which would take a long time to explain, and secondly a fix for that can be more NAT more translation so we can return communication from the same way, but the branching possibilities are still not fully defined. Alternative fixes are on your local computer add a single routing statement to find 192.168.1.0/24 via 192.168.0.251 (or whatever IoT router ip you assigned).

Now my suggestion: get a router which handles two local networks. Then you’re topology is pretty much the simplest, easiest to troubleshoot later, avoid Nat.

The messaging around this so far doesn’t lead me to want to follow the fork on production. As a sysadmin I’m not rushing out to swap my reverse proxy.

The problem is I’m speculating but it seems like the developer was only continuing to develop under condition that they continued control over the nginx decision making.

So currently it looks like from a user of nginx, the cve registration is protecting me with open communication. From a security aspect, a security researcher probably needs that cve to count as a bug bounty.

From the developers perspective, f5 broke the pact of decision control being with the developer. But for me, I would rather it be registered and I’m informed even if I know my configuration doesn’t use it.

Again, assuming a lot here. But I agree with f5. That feature even beta could be in a dev or test environment. That’s enough reason to know.

Edit:Long term, I don’t know where I’ll land. Personally I’d rather be with the developer, except I need to trust that the solution is open not in source, but in communication. It’s a weird situation.

Now I’m not part of this, but a international student just got scammed $170 000 dollars over 3 months. They believed that the police had seized their Australian bank account and were contacting them related to their identity being stolen. It wasn’t at the time of call, but the international student, maybe 25, was fully profiled. They knew where he studied, who they had been talking to. At the time of call, the poor kid thought he was talking to the police, gave every bit of information including bank account which had mfa, but undid it and and followed the scmmers requests believing he would be deported. He called home to his parents and asked them for more money even in order to build a new account because he believed is other one was frozen, the new account was under order and control of the scammer who this kid trusted. The scammer even made this kid move into a hotel for a week as their “premise needed to be searched” it wasn’t for a month after this that it was found because the kid believed he couldn’t tell anyone before the school (where he was attending but kept leaving to take calls which is a no no) had to tell the kid that absenteeism will result in the student visa being cancelled. At that point it all came out, month and more of being scammed.

My point is, no it’s not business. Just look at the YouTubers, just watch Jim Browning. Just ask people, it’s a multi billion dollar industry. And it’s not limited to rules like ‘business’.

There are massive collections of databases online that find where breaches have occurred allowing attackers to dump the database of that service, then collect all those database dumps together to identify all known accounts under an email address. Then once that email account ever has a password breach attackers can look up and see ‘was this password used also on other accounts’ and attempt to use the same email and password on them. Moreover they will just try that email regardless of known affiliation, if they already have a user name and password across many online services, it’s safe to assume this will work sometimes. This is the essence of a credential stuffing attack.

https://www.abc.net.au/news/2024-01-19/what-is-credential-stuffing-scams-how-to-prevent-and-protect/103367570

https://www.abc.net.au/news/2023-05-18/data-breaches-your-identity-interactive/102175688

I’ve used abc here since I believe they write better for a lay person.

Edit: I should mean to say, they can also create a profile of you and your many email addresses as demonstrated.

You realise if it’s saved you can now use features that are built into the software, that get saved, like using ‘track changes’ to accept or discard edits granually. You have file system level version control to choose previous versions, you have an undo feature built in. Three different tools to use.