Networking, IPv6, VPN, Email

  • Networking stuff, arranging new fiber connections and the building's internal networking. But I can't go into details yet. As well as arranging multiple offers, comparing those and negotiating terms and pricing. No wonder network connectivity is expensive at times, and people choose 4G / 5G connections, because getting a proper fiber connection requires so much work. Some parts of the network are from the mid-60s and some parts from the mid-80s, interesting and quite horrible.
  • Network configuration work, reconfigured a few networks with IPv6 and got it all working perfectly. Once again, annoying routers: the configuration was correct but wasn't working correctly until the whole system was rebooted. People just can't stop loving networking downtime, but what can you do. radvd configuration, checking the DHCPv6 Rapid Commit (RC) option and other fine tuning. Dual Ethernet Linux firewall router with IPv6 tunneling and forwarding and other fun stuff. Iptables is like regexp, it takes a while every time you use it.
  • Lots of VPN tuning, IPsec, L2TP + IPsec, PPTP (MPPE), SSTP, OpenVPN. We went through several VPN services and local personal setups on a cheap cloud server. I guess the best option is to have a "community VPN" service truly without logging. Well, if something happens, you've got ~30 people that are suspects; depending on the case, that's a good or a bad deal. Because if it's serious, then everyone is under investigation; if it's not serious, then it's meh. Do you trust your community of professionals not to do anything too serious? Well, I do. Yet, I don't have anything to hide anyway. - This is also one reason for providing free, unregistered access. Why? It gives you cover traffic and plausible deniability. It might have been one of us, or maybe it was someone else. Who knows. Yet, I don't have anything to hide, so enjoy digging.
  • Email server validation and configuration stuff. Now everything's perfect. TLSv1.2 supported, ECDH, GCM, DANE, certs and all, working, with automated renewal. And mirrored servers located in two separate data centers.
  • Configured some IPv6 tunneled systems to prefer IPv4 for outgoing traffic - precedence ::ffff:0:0/96 100 - Also had nice sessions tuning IPv6 privacy addressing. Linux configuration is such a huge mess, parameter after parameter, which can be overridden in 100 different places and different subsystems. You've got an endless list of things to check if you want to make something work. And even then, if the configuration is right, it still doesn't mean it will work. Also, the testing methods are often really obscure. Options and settings are right, but it still doesn't work because something else is overriding it somewhere. use_tempaddr is 2, but that doesn't mean it will work; sure, I've checked it's for the right interface too, of course. Also all the fun misleading or wrong error messages. As an example, if an interface exists and you try to add it, the error message is "No buffer space available". Great, thanks for that. Many things are an extreme mess and really hostile. You'll need to know 1000 things, and everything needs to be exactly correct in relation to every other aspect. - This is exactly the stuff I really hate about some software. No, it doesn't make the software bad, but it's guaranteed to drive 99%+ of users away.
  • Well, some things are totally screwed on Windows too. Like the privacy addressing, which continuously messes networking up, unless you manually configure a static address for the system. Kind of the reverse of the problem which I had with the Linux systems. On Linux, getting the privacy addressing to work takes a lot of trial and error. But on Windows, it's almost impossible to stop the privacy addressing, unless you just manually configure everything or use DHCPv6, which is a pretty nice option. But SLAAC seems to always default to privacy addressing, even if you try very hard to disable it. Especially on Windows 2016. It's so hard that even a team of experts has tried it several times and failed. It seems to work for a while, and then it kicks in and drops the server out of the network. Interestingly, it doesn't just create new privacy addresses like happens on Linux. But it changes the server address, preventing access completely. Yet, I've posted the PowerShell commands to disable the privacy addressing on Windows in this blog. I had to disable listening for RAs and manually configure the addresses. Then it works. With plenty of other PowerShell scripts.
  • It seems that Thunderbird IMAP / Trash folder compact is still broken. I've configured auto-compact, but I started to wonder why the folder was sized at 1.6 gigabytes. After running a manual compact the folder size dropped to 51 megabytes. Oh well. - Business as usual. If the size is a problem, why don't you purge it (manually)? Duh, I did and it's all good (for now).