programming.dev
/c/networking
Modlog
Time
mod
Action
13 days ago
mod
Banned
tal
@lemmy.today
from the community
networking
@sh.itjust.works
reason: automod
5 months ago
mod
Banned
bungobungis
@ttrpg.network
from the community
networking
@sh.itjust.works
reason: automod
8 months ago
mod
Banned
James_PTG
@lemmy.ml
from the community
networking
@sh.itjust.works
reason: automod
8 months ago
mod
Removed
Post
Mikrotik aka the `Thought Police` ?
reason: automod
8 months ago
mod
Unbanned
jet
@hackertalks.com
from the community
networking
@sh.itjust.works
reason: error, unbanning
9 months ago
mod
Restored
Comment
Top tier advice!
by
jet
@hackertalks.com
9 months ago
mod
Restored
Comment
https://en.m.wikipedia.org/wiki/IEEE_802.1X But, it's probably far easier to just run a WireGuard VPN server, and require every device to connect to the server to get network access. So any device physically plugging into your network would only be able to route to the WireGuard server.
by
jet
@hackertalks.com
9 months ago
mod
Restored
Comment
Pros:
* You get your hands dirty
* You learn a lot
* You have total control of everything

Cons:
* It takes a lot of time to do anything the first time
* You're always going to be tweaking something
* Things are going to break at random times when it's inconvenient

No matter what you do, have an extra cheap OpenWrt router you can throw in when something breaks. I for one like UniFi; I would recommend their dedicated router product rather than an all-in-one device. You can always run their management software in a Docker container when you need it.
by
jet
@hackertalks.com
9 months ago
mod
Restored
Comment
Some devices will let you specify a list of allowed MAC addresses per port. I believe Ubiquiti does allow this. Some devices will have a whole port security protocol: if they see a MAC address that hasn't been authenticated, the port is put into violation, requiring an admin to physically validate it after visiting the port to make sure nothing nefarious happened. I do not believe Ubiquiti has this.
by
jet
@hackertalks.com
9 months ago
mod
Restored
Comment
There are ways to try to identify the device connecting to the network. But that doesn't prevent a third party from spoofing an appropriately authenticated device and monitoring and collecting traffic as well as injecting traffic. It just raises the difficulty.

Over networks, or access points, that are intrinsically unsafe, the current gold standard is to require clients transiting those networks to then use a VPN. So internal Wi-Fi, with access only to a WireGuard server, and your wireless clients connect to the WireGuard server. Even if a malicious actor takes over the access point, or compromises the ethernet cable itself, the traffic will be encrypted, and only authenticated clients will be able to actually access your infrastructure. So you would enforce a VLAN onto the port that the access point has access to, and then that VLAN can only access the UDM WireGuard server.
by
jet
@hackertalks.com
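The gating that the two restored comments above describe (a VLAN for the access point, or for any untrusted port, that can reach nothing but the WireGuard server) as an nftables ruleset. This is an added example, not part of the thread and not jet's own configuration; the interface name `vlan30`, the router address `10.30.0.1`, the WireGuard port `51820` and the table name are assumptions, and it assumes the router itself runs both the DHCP server and the WireGuard listener for that VLAN.

```shell
#!/bin/sh
# Added example (not from the thread): confine an untrusted VLAN so the only
# new flows it can open are DHCP and WireGuard to the router. Everything else,
# including any forwarding in or out of that VLAN, is dropped. Hosts behind the
# router are reached through the tunnel interface instead.
#
# Assumed, hypothetical values; override via environment to match your router.
UNTRUSTED_IF="${UNTRUSTED_IF:-vlan30}"   # router interface carrying the AP's VLAN
ROUTER_IP="${ROUTER_IP:-10.30.0.1}"      # router's own address on that VLAN
WG_PORT="${WG_PORT:-51820}"              # UDP port WireGuard listens on

# Print the ruleset to stdout so it can be reviewed, diffed, or piped to nft.
# The base chains use "policy accept" on purpose: this table only adds
# restrictions for the untrusted VLAN and composes with whatever firewall is
# already loaded, because nftables drops a packet if any table drops it.
build_ruleset() {
  cat <<EOF
table inet ap_vlan_to_wg_only {
  # Regular chain, declared before the base chains that jump to it.
  chain untrusted_to_router {
    ct state established,related accept
    udp dport 67 accept comment "DHCP, so clients can get a lease"
    ip daddr $ROUTER_IP udp dport $WG_PORT accept comment "WireGuard handshake and data"
    counter drop comment "everything else from the untrusted VLAN to the router"
  }

  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$UNTRUSTED_IF" jump untrusted_to_router
  }

  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$UNTRUSTED_IF" counter drop comment "untrusted VLAN is never routed"
    oifname "$UNTRUSTED_IF" counter drop comment "nothing is routed into the untrusted VLAN"
  }
}
EOF
}

# Pure-shell mirror of chain untrusted_to_router for review and tests; nft does
# not use it. Returns 0 (accepted) or 1 (dropped) for a NEW flow to the router.
policy_allows() {
  proto="$1"; daddr="$2"; dport="$3"
  [ "$proto" = udp ] && [ "$dport" = 67 ] && return 0
  [ "$proto" = udp ] && [ "$daddr" = "$ROUTER_IP" ] && [ "$dport" = "$WG_PORT" ] && return 0
  return 1
}

# Syntax-check with nft without loading anything (skips if nft is absent).
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    build_ruleset | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# Load for real (root required). Declaring the table and deleting it first
# makes the load idempotent: an older copy of this table is replaced, not merged.
apply_ruleset() {
  { printf 'table inet ap_vlan_to_wg_only\ndelete table inet ap_vlan_to_wg_only\n'
    build_ruleset; } | nft -f -
}

# Usage: build_ruleset > ap_vlan.nft ; check_ruleset ; sudo sh -c '. ./this.sh; apply_ruleset'
```

Two caveats when adapting it: the ruleset is IPv4-only (ARP is not filtered by an `inet` table, but if the VLAN carries IPv6 you need accept rules for neighbour discovery and an `ip6 daddr` equivalent of the WireGuard rule), and clients must be given the WireGuard endpoint as an IP address, since no DNS is allowed out of the VLAN. If the access point itself has to reach a controller from this VLAN rather than from a management VLAN, add that destination as an explicit accept above the final drop.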
9 months ago
mod
Restored
Comment
This is why I'm recommending IPv6. If you have globally unique addresses for all your devices, including on your local network, it makes Tailscale's job much easier.
by
jet
@hackertalks.com
9 months ago
mod
Restored
Comment
Good thinking. If it works without Tailscale, it's probably a Tailscale configuration issue.
by
jet
@hackertalks.com
9 months ago
mod
Restored
Comment
This is a shot in the dark, but you could do IPv6 for your internal networking, with globally unique IP addresses; it might help Tailscale just route locally instead.
by
jet
@hackertalks.com
9 months ago
mod
Restored
Comment
Yeah, it's 100% possible; check the QEMU manual for your VM network backends. https://wiki.qemu.org/Documentation/Networking A tap device, and have it bypass your Mullvad routing rules.
by
jet
@hackertalks.com
9 months ago
mod
Restored
Comment
I would recommend starting with Tailscale. Tailscale will help you set up WireGuard to connect your networks, and it'll work across a large diversity of network topologies. Once you get things working with Tailscale, then you can look at doing ethernet bridging and more advanced things. But they're going to be more fragile and depend more precisely on your topology.
by
jet
@hackertalks.com
9 months ago
mod
Banned
jet
@hackertalks.com
from the community
networking
@sh.itjust.works
reason: Ban unban test
9 months ago
mod
Unbanned
jet
@hackertalks.com
from the community
networking
@sh.itjust.works
9 months ago
mod
Unbanned
jet
@hackertalks.com
from the community
networking
@sh.itjust.works
9 months ago
mod
Banned
jet
@hackertalks.com
from the community
networking
@sh.itjust.works
reason: automod