
Posts

Showing posts from April, 2022

Your path to success || Network Engineer in 2021

What should you be learning in 2021 to be successful as a network engineer? Which skills and trends are most important?

easywall - Web interface for easy use of the IPTables firewall on Linux systems written in Python3.

Firewalls are becoming increasingly important in today’s world. Hackers and automated scripts are constantly trying to invade your system and use it for Bitcoin mining, botnets or other things. To prevent these attacks, you can use a firewall on your system. IPTables is the strongest firewall in Linux because it can filter packets in the kernel before they reach the application. Using IPTables is not very easy for Linux beginners. We have created easywall, the simple IPTables web interface. The focus of the software is on easy installation and use. Access this neat software over on GitHub: easywall

Silicon Valley S01E05 scrum scene

 

TROOPERS13 - Virtual firewalls - the Good, the Bad and the Ugly - Ivan Pepelnjak

 

Ivan Pepelnjak, Fast Failover: Marketing and Reality ● RSNOG 07

 

Collection of Network Collective videos

Terry Slattery EIGRP Vint Cerf Wireless Babel

How I Boarded a US NAVY NUCLEAR SUBMARINE in the Arctic (ICEX 2020) - Smarter Every Day 237

 

The splicer has arrived — but we need more.

Our splicer, part funded by the campaign and a generous donor, has reached its intended location in Kharkiv, Ukraine and was immediately put to use. Here you can see our founding team member and driver Rene loading it into his truck in Ljubljana, Slovenia. This article was originally published over on Global NOG Alliance: The splicer has arrived — but we need more.

Real World Talks: pfsense firewalls for home and business? // Featuring Tom Lawrence

 

Should You Buy A UniFi Dream Machine, USG, USG Pro, or Dream Machine Pro?

⏱️ Timestamps
00:00 Routing Equipment Shortcomings
01:53 Forced Registration
02:52 No Official Wireguard Support
03:16 No Outbound VPN Policy Routing
04:02 No Controls on WAN failover
04:40 No Multiple IPs on USG line
05:31 UniFi Dashboard
06:30 Reasons to Buy The UniFi Dream Machine Pro

Rolex Oyster Cosmograph & Documentation, ca. 1971

 

Why brown outs have the same consequences as black outs!

In technology terms a blackout is a full outage and a brownout is a congestion situation. The usual view is that a blackout is debilitating while a brownout is an inconvenience. However, in many cases congestion is just as debilitating as an outage, especially in the case of a network or even a service desk.

Domino effect

Let us assume that to deliver a service we need 10 resources. These resources might be people, processes or tools. Now assume there are only 9 resources. Logic would deduce that service delivery would degrade by 10%. However, this is incorrect, as the delivery of services immediately drops by 25%. This is because forcing the other resources to try and close the gap also reduces their effectiveness. Additionally, over time service delivery trends further downwards because of a cascading domino effect, until eventually a full outage might as well be declared. Thus if you have a service desk that

The second corner of the Earth

The life and times of BB. These are the travels and the stories of Ronald Bartels, born a South African. The four corners of the Earth are where we have been, where we are, where we will be going and where we end up. When I was a baby my parents told me I was attached to my bottle and would not give it up. They concocted a story that they had to give it to the elephant in the Bloemfontein zoo to feed her babies. That was the last I saw of it, but every family gathering they would have great pleasure in retelling the story, never realizing that it wasn't appropriate to retell traumatizing events. This article was originally published over on LinkedIn: The second corner of the Earth, where you can read the full set of stories.

SD-WAN Failover and Bandwidth Aggregation Explained

   

How Small or Big is Off-Premises/Public Cloud, According to Gartner

This article was originally published by Greg Ferro over on EtherealMind: How Small or Big is Off-Premises/Public Cloud, According to Gartner

Top 10 SD-WAN Providers

   

Example of an introductory SD-WAN video

 

Wireshark SSH Remote Packet Capture

 

Video: Implementing Rock Solid DNS for SD-WAN

View my video about implementing rock solid DNS on Fusion's SD-WAN. This video was originally published over at LinkedIn: Video: Implementing Rock Solid DNS for SD-WAN

Video: Recording of MyBroadband SD-WAN webinar by Fusion including ITried and Comsol

View a recording of Fusion's webinar about SD-WAN. This video features Wynand Theron and Justin Colyn. This video was originally published over on LinkedIn: Video: Recording of MyBroadband SD-WAN webinar by Fusion including ITried and Comsol

Video: What the man in the street needs to know about SD-WAN

Ronald Bartels from Fusion Broadband South Africa explains Software Defined Wide Area Networking in common language, using analogies! This video was originally published over on LinkedIn: Video: What the man in the street needs to know about SD-WAN

Video: The secret to dealing with major incidents especially ones related to security

Ron from Fusion Broadband South Africa is joined by Bern to discuss some secrets to dealing with outages in IT. The webinar should highlight how time makes a difference, which is where the SD-WAN provided by Fusion features strongly, as it is able to provide the critical time metrics. This video was originally published over on LinkedIn: Video: The secret to dealing with major incidents especially ones related to security

How can SD-WAN help to ease data security and compliance headaches?

Data security and data privacy have become increasingly important as the digital world becomes our reality. Laws and regulations have emerged to support this, and every industry now has some form of compliance requirement to keep data safe while maintaining industry standards. Networks and devices can be points of vulnerability that allow bad actors access to data, particularly now as more people are working remotely. A Software-Defined Wide Area Network (SD-WAN) can help organisations to secure both networks and devices to support compliance and ease data security challenges. Read the article published over at Engineering News by Amritesh Anand, Associate Vice President - Pre Sales at In2IT Technologies: How can SD-WAN help to ease data security and compliance headaches?

Definitive networking, by software

Software-defined networking (SD-WAN) underwent some fairly interesting changes in 2020. HPE acquired SD-WAN market leader Silver Peak, CloudGenix was bought by Palo Alto Networks, Juniper Networks bought 128 Technology, VMware acquired Nyansa, and Ericsson trundled off with Cradlepoint. Secure access service edge (SASE) technology continued down its own evolutionary path, a development that has bolstered the potential and capability of SD-WAN significantly. The two combine to create a far more agile and secure solution for the business that’s juggling remote working and an increasingly globalised workforce. In fact, a recent Forrester analysis pointed out that SD-WAN is the remote office in a box, but only if the investment into the technology is not a plug and play affair, but rather a long-term focus on skills, process, metrics and procedures that leverages automation and orchestrated service-chaining. This article published over at ITWeb is a deep dive into why any o

Video: Broadband links for a small business

Ronald and Kirthesh discuss the broadband options available to a small business. This was published over on LinkedIn: Video: Broadband links for a small business

Video: Troubleshooting remote SD-WAN sites using Fusion

A quick demo of the capabilities of Fusion to use tools such as Wireshark and Brim. This article was previously published over on LinkedIn: Video: Troubleshooting remote SD-WAN sites using Fusion

Video: The problem with firewalls and the way we work

An insight by Ronald Bartels into the current spate of ransomware attacks and organizations worldwide being compromised. Listen in. This article was originally published over on LinkedIn: Video: The problem with firewalls and the way we work

Accessing remote cloud servers as drives

I use Windows as a desktop but access cloud servers, so I use the PuTTY application often. However, I often need to download files, and for that I use sshfs-win. When accessing a system that is local and does not have direct Internet access I use rport. This article was originally published over on LinkedIn: Accessing remote cloud servers as drives

iBurst offers dynamic new VSAT product to businesses and SMEs anywhere in South Africa!

Telecoms company iBurst has once again become the first in the market to introduce an innovative product – its uncapped satellite solution! The uncapped VSAT product is geared at providing businesses in all corners of South Africa with unrestricted access to broadband services. This article was originally published over at the ITWeb press office: iBurst offers dynamic new VSAT product to businesses and SMEs anywhere in South Africa!

iBurst going IPv6

iBurst has successfully completed testing of IPv6 on its network (access, transmission, peering and transit), and will start enabling the packet gateways to use dual stack IPv4 and IPv6 from this week. The change will start in Gauteng, then Kwazulu-Natal and finally Western Cape. Read the full article over at MyBroadband: iBurst going IPv6

Video: Business owners claim they are losing millions when the Internet failures

Listen to Ronald Bartels from Fusion talk about multiple Internet links and how using SD-WAN makes them reliable and saves a business millions. Ronald Bartels provides solutions to networking and last mile reliability problems. The solution from Fusion Broadband allows a business to stay 100% connected, avoid downtime and keep working. The Fusion Broadband solution has been installed in many vertical industries including state owned and private entities. In addition to the IBM Beacon Award 2020 for Infrastructure Services, the solution is a mature software platform that has over 2000 installed instances of multiple site private wide area networking deployments. Contact us at info@fusionbroadband.co.za to learn how your business can prevent unnecessary loss.

Configuring containers on a SD-WAN edge

Fusion Broadband has the ability to host containers and Docker on the edge node. The configuration relies on creating a separate instance of Debian using systemd's nspawn. That can be used for a number of different applications including Docker. You can also install a VPN concentrator such as softether. This is how to configure it:

# On the SD-WAN edge
sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual

auto br0
iface br0 inet static
    bridge_ports eth0
    address 10.207.35.254
    netmask 255.255.255.248
    scope link
    pre-up sysctl -w net.ipv6.conf.eth0.accept_ra=0

# On the SD-WAN edge
sudo apt-get update --allow-releaseinfo-change
sudo apt-get upgrade
sudo apt-get install systemd-container debootstrap
sudo mkdir /var/lib/machines/container
sudo debootstrap \
    --include curl,bridge-utils,dbus,iptables,openssh-server,vim \
    bullseye /var/lib/machin

Bulletproof broadband for the home office

There is an excellent article that appeared in Gadget magazine about Fusion Broadband's bulletproof SD-WAN. At my own home office I have a combination of Vuma and Openserve which is managed by the Fusion SD-WAN and provides 100% uptime. At my home office I use a more cost effective mini UPS than the one in the Gadget article. That one is required to support a microwave link, which needs more base power. The one I use is the UltraLAN 60W unit, which manages to keep the two ONTs, the SD-WAN unit as well as a WiFi access point up and running during the periods of loadshedding. This article was originally published over on LinkedIn: Bulletproof broadband for the home office

Split tunneling for work from home (WFH)

Work from home (WFH) has been implemented by default for many network deployments and many different solutions exist. The common use case is the road warrior. This describes using softether. (Another alternative is strongswan.) A big problem with VPNs is that most force all connectivity via the VPN path when you are connected. A better option is to use a split tunnel whereby only the office connectivity goes over the VPN and the rest remains on the existing Internet path. This way your YouTube, Zoom or Teams experience remains great and is not influenced by the VPN. At Fusion Broadband South Africa we have started deploying using rport. Rport provides a great mechanism to leverage Fusion's SD-WAN for additional infrastructure management. The ability of rport can be leveraged to extend and provide VPN services. Although many other variants are support

CLI monitoring of iptables

CLI command to see a real time view of iptables rules on an edge:

watch -n1 iptables -vnL

This article was originally published over on LinkedIn: CLI monitoring of iptables

Mining a SD-WAN edge

I use rport to manage infrastructure. It's a neat tool. I also use it with Wireshark to capture packets from an edge. Another way to troubleshoot is to use Network Miner. The steps to use it are as follows:

1. Install a rport endpoint on your laptop, using port 44013 as an example.
2. Fire up Network Miner and do a PCap over IP to port 44013 on the rport instance.
3. Send packets from the edge to the miner using:

tcpdump -i eth1 -s 0 -U -w - | nc rport.instance.somewhere 44014

This article was originally published over on LinkedIn: Mining a SD-WAN edge

DNS Whac-A-Mole

When configuring and operating a LAN, the DNS variants DoT (DNS over TLS) and DoH (DNS over HTTPS) are a pain as they bypass the normal DNS policies and usage agreements. So the solution is to whack them. The result is the fall back to normal DNS and policy implementations. The first whack is to constrain DoT. Here we go:

/sbin/iptables -i br0 -I FORWARD 1 -p tcp --destination-port 853 -j DROP

The next is DoH. It's more complex. DoH requires at least one valid DNS call and therein lies the path to mess with it. On DNSMASQ you can signal via the canary domains by doing this:

address=/cloudflare-dns.com/
address=/dns.google/

You can also apply a custom hosts file like this:

0.0.0.0 dns.google
0.0.0.0 one.one.one.one
0.0.0.0 dns.umbrella.com
0.0.0.0 rec1pubns1.ultradns.net
0.0.0.0 dns9.quad9.net
0.0.0.0 dns.google.com

DNSMASQ tips for the edge

I previously published a video about rock solid DNS. These are tips to leverage DNSMASQ on an SD-WAN edge. Most of these settings are applied in the custom settings of DNSMASQ. Add this to up the cache size from the default of 150:

cache-size=2048

To query DNSMASQ stats use this (where 192.168.0.1 is the DNSMASQ instance):

dig @192.168.0.1 +short chaos txt cachesize.bind
dig @192.168.0.1 +short chaos txt hits.bind
dig @192.168.0.1 +short chaos txt misses.bind

To throw a spanner in the works for any private DNS usage (an example is Android):

addn-hosts=/etc/ipset-blacklist/custom

# custom file contents
192.168.0.1 dns.google
192.168.0.1 dns.google.com
192.168.0.1 one.one.one.one
192.168.0.1 dns9.quad9.net

To disable Netflix or any domain:

address=/netflix.com/0.0.0.0
address=/nflxvideo.net/0.0.0.0

Illuminate firewall agent

The Illuminate solution provides advanced traffic analytics for Fusion SD-WAN. These analytics can be used to block or steer traffic. This is an example to block BitTorrent.

sudo apt-get install git autogen libtool build-essential
git clone https://gitlab.com/netify.ai/public/netify-fwa.git
cd netify-fwa
./autogen.sh
./configure
sudo make install
sudo service netify-fwa stop
mkdir /var/run/netify-fwa
mkdir /usr/local/var
mkdir /usr/local/var/run
mkdir /usr/local/var/run/netify-fwa

nano /etc/netifyd.conf
# Add to end of file
[socket]
listen_path[0] = /var/run/netifyd/netifyd.sock

service netifyd restart
cd /usr/local/sbin
netify-fwa -d

nano /usr/local/etc/netify-fwa/netify-fwa.ini
# Modify
interfaces-external = eth1
interfaces-internal = br0

nano /usr/local/etc/netify-fwa/netify-fwa.json
{
  "version": "1.0",
  "rules": [
    {
      "type": "block",
      "protocol"

How Nmap really works // And how to catch it // Stealth scan vs TCP scan // Wireshark analysis

Chris and I go deep into what Nmap is actually sending onto the network and how you can find those dodgy packets! We then get into a real world Wireshark discussion on how to find stuff in a sea of packets.

Cherry picking DNSMASQ host files

DNSMASQ host files can be specified using the following custom configuration:

addn-hosts=/etc/fusion/custom

Here is a script that can be run nightly via crontab to download some host files that can be cherry picked to block name resolution to certain categories of web sites:

#!/bin/bash
# startubl.sh A script to download host files for DNSMASQ
date > /var/log/updateblacklist/cl-`date +%d%H`.run
/usr/bin/curl -vs https://blocklistproject.github.io/Lists/abuse.txt -o /etc/fusion/abuse
sed -i '/^ *#/d; /^ *$/d' /etc/fusion/abuse
/usr/bin/curl -vs https://blocklistproject.github.io/Lists/ads.txt -o /etc/fusion/ads
sed -i '/^ *#/d; /^ *$/d' /etc/fusion/ads
/usr/bin/curl -vs https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt -o /etc/fusion/ads_1
sed -i '/^ *#/d; /^ *$/d' /etc/fusion/ads_1
/usr/bin/curl -vs https://v.firebog.net/hosts/AdguardDNS.txt -o /etc/fusion/ads_2
sed -i '

Tools of the trade in running network devices

When running an SD-WAN network with network devices, the simplest method to configure them is not to use a screen and keyboard. It is using the good old fashioned rollover cable attached directly to a laptop. Most networking kit supports it. You can buy the rollover cable and the USB/serial connector. This is typically used with a console terminal program such as PuTTY on Windows. It is also possible to insert these into an SD-WAN edge and then connect it to an on-premise router/firewall/switch as a means of out-of-band configuration. Ronald works connecting Internet inhabiting things at Fusion Broadband. This article was originally published over on LinkedIn: Tools of the trade in running network devices

The 4 Most Effective Ways Leaders Solve Problems

Problem solving is the essence of what leaders exist to do. As leaders, the goal is to minimize the occurrence of problems – which means we must be courageous enough to tackle them head-on before circumstances force our hand. We must be resilient in our quest to create and sustain momentum for the organization and people we serve. But the reality of the workplace finds us dealing with people that complicate matters with their corporate politicking, self-promotion, power-plays and ploys, and envy. Silos, lack of budgets and resources, and many other random acts or circumstances also make it harder for people to be productive. Read the article over at Forbes: The 4 Most Effective Ways Leaders Solve Problems

Six myths of IoT busted

The Internet of Things (IoT) has created a storm of assumptions and myths. Many news articles regurgitate old themes and hyped up terms by doing a cut and paste of the term IoT into an article. In this article we will address these myths.

1. Everything with an IP address is IoT

Shock and horror. A significant number of IoT devices do not have an IP address. They use an alternative networking protocol such as LoRaWAN or Sigfox where communications do not rely on a protocol designed in the 1970’s as a Do It Yourself (DIY) project for an island’s university. It is “things”, not everything!

2. Data centres will be filled with huge quantities of IoT data

IoT operates at a low bit rate. Devices complete their tasks within a couple of seconds at this low bit rate. If a Point of Sale (POS) ran at the same bit rate it would take 3 minutes. A video surveillance camera will use the same amount of data in 1 hour as an IoT sensor will use in its

Protecting a debian head end

The following configuration protects a Debian head end from defined threats. This is based on this script. Dependencies are ipset and iprange.

/usr/local/sbin/updatethreatblock.sh

#!/usr/bin/env bash
#
# usage updatethreatblock.sh <configuration file>
# eg: updatethreatblock.sh /etc/ipset-threatblock/ipset-threatblock.conf
#
function exists() { command -v "$1" >/dev/null 2>&1 ; }
if [[ -z "$1" ]]; then
  echo "Error: please specify a configuration file, e.g. $0 /etc/ipset-threatblock/ipset-threatblock.conf"
  exit 1
fi
# shellcheck source=ipset-threatblock.conf
if ! source "$1"; then
  echo "Error: can't load configuration file $1"
  exit 1
fi
# The negation must cover the whole chain of checks, otherwise only a missing curl is detected
if ! ( exists curl && exists egrep && exists grep && exists ipset && exists iptables && exists sed && exists sort && exists wc ) ; then
  echo >&2 "E