The Networking Hardware Vendors Assessment 2021: MikroTik

This is the first article of The Networking Hardware Vendors Assessment 2021 series. In this series, I’m going to talk about some major networking hardware vendors, their hardware and software, their achievements and what to expect if you buy their hardware in 2022.

MikroTik has always been the definitive choice if my purchase target is the cost effectiveness. This is not to say their product is good (the “good” good), but:

  • They produce some products that perfectly match some weird usage I needed
  • They pack a lot functionalities into all their products so you can kind of expect a high baseline of what a low-end MikroTik device can do (not in terms of performance, obviously)

This is the MikroTik way to find its position in the market.

Continue reading

Mellanox ConnectX-3 Firmware Flashing and Configuration for Both Ethernet and InfiniBand in 2021

Introduction

Although old, Mellanox ConnectX-3 has been a good card with decent performance and a good price on second-hand markets. This makes it the straightforward choice for a high-performance home or lab network. (If you intend to run InfiniBand on ESXi 7.0 or higher, go for CX4.) Sometimes you would find a card with a strange firmware or one not compatible with your existent gear. Luckily you can change the port configuration on all CX3 cards with a simple firmware flash. Here’s how.

Continue reading

Juniper SRX as a DHCPv6 PD Client on a PPPoE Interface

Recently my ISP fixed the compatibility issues between their Huawei BRAS and my Junos router. After some digging, I managed to get some IPv6 address allocation for all my client devices. Here’s how I achieved it.

Disclaimer: This article assumes you have basic understanding on IPv6 as we are not going to dig into the very details of the IPv6 standards.

Continue reading

Flux Language Tutorial with Grafana

Flux Language is the shiny new query language that comes with InfluxDB 2.0. Since it is “the future”, and the OSS (free) version of InfluxDB 2.0 is not getting the old query language support in (at least) the first few versions, I’ve been using Flux Language for some new projects. Meanwhile, the (functional) documentation for both the Flux Language and its support in Grafana does not exist yet. In this post, I’d like to give some examples to quickly address common data processing needs, for both server monitoring and simple BI usages.

Continue reading

Interoperating Cisco DMVPN, Huawei DSVPN and OpenNHRP

Traditional point-to-point site-to-site VPN protocols require extensive setup in certain use cases. For example, if you want shortcuts between branch offices rather than let every packet go through the HQ, then you need to set up a cartesian product of tunnels by hand, which is time-consuming and error prone. So, people want something better, something easy to set up and maintain, and dynamic enough. While there are already a lot dynamic point-to-multipoint or full-mesh site-to-site VPN implementations (e.g. Tinc VPN, ZeroTier) on Linux, you don’t have many choices on these commercial black boxes.

Cisco DMVPN (Cisco Dynamic Multipoint VPN) is one solution to this. Huawei also had their DMVPN-compatible solution called DSVPN (Dynamic Smart VPN). Since the protocol is largely compatible, I’ll just reference it as DMVPN.

Continue reading

What the Flow: Reverse Route Modes on Juniper SRX

A SRX is a “security device”, or as we call it conventionally, a firewall. Modern layer-3 firewalls route packets just like a router, but unlike a router, a firewall can organize packets into connections (flows) and run ACLs on the entire flow. This unique functionality is the fundamental building block of every “advanced” security feature offered by a firewall: dynamic NAT (PAT/NPT), zone-based firewall (ZBFW), ACLs for in or out connections only, L7 filtering, etc. For the connection (flow) tracking to work, all the packets in a connection must go through the same device, and the 5-tuple of all the packets in a connection must be of expected values, which usually means:

  • The packets from A to B and the packets from B to A must all go through the firewall at some point
  • There shouldn’t be single-sided stateless NAT happening on the route

This was never an issue when everyone was single-homed and all the routers had only one routing table. But not today. SRXs now have built-in support for virtual routers which can create an asymmetric flow easily. Let’s look at this simplified topology:

Continue reading