And we are live here with vlog Thursday number 345. And yes, I always like saying that: it's morning from the land down under, so I like that there's people all the way from Australia talking about this stuff. That is always super cool. I got a greeting from Tyler Billy, and I'm gonna assume Pandy is how we say that; I'm gonna be bad with names. Oh man, we got stuff to talk about with Cisco, and some confusion. I did the video and I left out, maybe just didn't cover, and it's always the hard part. It's also funny for me because I see all the comments, which means some people think the videos are too short, some people think they're too long. Me and Jeff from Craft Computing, we were internally just talking about this. One, we already know we can't please everybody, but two, literally he had comments back to back on the live stream me and him did that were absolutely 100% opposite of each other, and it's like you can't believe these people watched the same video, because their comments are like mirror images, just inverted from each other. So it's always hard when you're doing a video to decide what to leave in and what to leave out. But something I didn't dive into, but we had a discussion today, me and Jason Slago at the office, was the end of life of Cisco stuff, so I didn't really cover that. But boy, it's confusing, and I think Cisco's made some changes that are not good, we'll just say, and we're gonna cover that in a moment here.

I will address, though, because I've been leaving it up on the screen more often: vlogthursday@lawrencesystems.com to email me. Randomly, people send me things; sometimes people just send tech support questions and stuff like that. I don't always reply to them; this is more about me reading them on vlog Thursday. And there's another one, we also do this for the Homelab Show. They actually go into similar buckets; they're separate buckets, but similar buckets, because they're the buckets of people who email me from YouTube. And of those
people who email me from YouTube, one of the things I want to address, because this question keeps coming up and we didn't have time to address it on the Homelab Show, but I want to bring it up here: it's the updates with pfSense versus the updates on OPNsense, or "OPN sense", I've heard it said both ways. I don't know; I want to call it "open sense", but I've heard a lot of people say "OPN sense", and I don't know if someone wants to phonetically spell that out. I'm definitely interested in how you think it should be said, but that doesn't change how it should be updated. Now, people like OPNsense because of the updates, and that's a valid reason to like something, but when you're managing lots of firewalls and security is obviously important, I don't want there to be updates for the sake of updates. I want there to be updates for the sake of a bug fix that's critical, or, you know, a security problem. And this person had sent us some feedback outlining different CVEs and flaws found in the OPNsense system that were fixed, that they noted, and they're like, well, why isn't pfSense fixing them, since they're both based on BSD? One, they're based on different versions of BSD, but two, the bigger issue is the way pfSense compiles things is very careful and only with what's needed and no more. So this is one of those things where people get confused: they assume if there's a flaw in one there must be a flaw in the other for having a similar base. But one of the examples was the problem with the way, I think it was DNSSEC, there was a specific bug in the way DNS, and it was a really clever bug someone figured out. I gotta admit, this was done by a security researcher, and essentially they figured out that you could inject bad information when DNS looked up the security certificate, and the security certificate could have more data than a certificate in there and potentially go out of boundaries and crash the DNS server. I mean, this was definitely some
clever poking at how DNS could be taken over. I mean, it requires some conditions and things like that be met before it does it, and your system has to want to go grab a certificate from this place. But that DNS feature didn't have to be fixed in pfSense, because they don't compile it with that feature on, the one that was required to make that work. This is why it's so important to understand: the people at Netgate are very on top of this, and it's very specific; they have to not only not just use that feature. Or ping is another example. Someone found a really bad bug in the ping for FreeBSD, and you're like, oh, definitely ping, that's how the gateway works, right? Because the gateway pings to make sure it's up, there's that feature. Actually, no, they use dpinger, so they're not affected by the bug. So do they have to have an out-of-band patch just for ping? No, they don't really need to, because they're not using it in the function of the system. So I just want to comment on that, because that's one of those, you know, bugs that bothered me. When I say bothered me, I think I explained it a lot, but people have a hard time understanding the details of the security on there. It's just one of those things: you got to think about the whole picture of the security. Kind of rant over, but it was a question that came in for the Homelab Show; we're going to address it when we do feedback on the Homelab Show. But I get so many people asking that question in varied ways, going, well, pfSense must not be secure because they didn't have an update at the same time that OPNsense did, and that's just not how that works.

Well, let's see here. SentinelOne: I haven't used Cybereason, but I don't have a reason to use Cybereason. I don't know any reason for you not to use it, but we do prefer SentinelOne. How does your company and Jason do multiple ESXi host patching? Via VPN and manual update? Yes, essentially, yes. We remote into the clients and update
them; that's just part of it. Their VPN, and well, we don't necessarily have to VPN, let me clarify that a little bit. We use ScreenConnect, so we're already in their network; we don't necessarily have to VPN. So it's going to vary by client, but the majority of clients, if we're managing them, we have ScreenConnect on our system, so we can use ScreenConnect to connect to a system within their network that we then access to do the updates. MikroTik? Yes, they exist. Why is that a question mark? They're a network switch product, and they make RouterOS and they make router products. Not sure what the... but let's talk about where this question mark is, because this is a topic I want to address and see what people think. I'm probably gonna make this a separate video, because I'm just a little puzzled by it, about the way Cisco end-of-lifes things. Are we moving away from ScreenConnect? No, we use NinjaOne and ScreenConnect. Matter of fact, hey, there's another topic I will be covering. So before I get into the Cisco topic: the list of tools we use. Me and Jason were talking about doing it as a live stream, and maybe we'll do a live stream so all of you can join. What's a good time to do a live stream? Maybe sometime tomorrow around five o'clock. I'll see what Jason's schedule is like, and me and him can run down all the tools we use now. But that always is a hot, contested topic, and I figured, hey, why not make it a video, and then why not make it fun and make it a live stream? So I want to schedule ahead of time so I make sure the right people join the live stream, so we can have that discussion of the tools we use, kind of why we use them, what their purposes are, and go from there. See, what's the reason you can't update VLANs on a Nexus switch? I don't know why you can't update VLANs on your Nexus switch.

But we are going to talk about end of life in Cisco, because this is confusing a little bit, and this is what got omitted, so to speak, from the video, or I just didn't
think to cover it, because I was a little confused by it. And it started with the discussion of, and we'll share that, we'll start here. So here's the 350 switches and here are the 220 switches; they both have the same page other than the model number. And the question was posed, and Jason brought this up, he said, you know, those Cisco small business switches just don't have the support that a modern or a lot of other Cisco switches have, like in terms of when they release it. And this is kind of a crappy thing that Cisco does here. So if we look at the end-of-life announcement, and zoom in so we can make it bigger, this is how their end-of-life announcement works. We have an end-of-life announcement date, but end of sale, so that means you have to know, and you can look this up before you buy, of course, you have to know that they're going to announce that this device is going to be obsolete. It'll be announced in July of 2022, but by January, six months, only six months later, they stop selling it. Okay, so how long is support for that? Well, that's the fun part: if the end of sale is in January 2023, the end of maintenance is in January 2024. So you have a year. So you could buy these all the way up to that date and then have a year left, and that's it. And that's kind of short notice, especially because if you bought them before the announcement of end of sale, that only gives you six more months on top of that. So you're talking about a switch that you could buy before the end-of-life announcement that you would only get a year and a half of support on, provided, you know, because you haven't had the end-of-sale announcement to know that you shouldn't buy it. So that's kind of a crappy thing, because you're only getting a year and a half of support, and then you have a switch that is no longer updated, and that's not a good thing. And you know, this is like, oh yeah, because that's the same, and these are both the same: if we go over here to the 220, we have the exact same date ranges. And let's bring up another switch, though.
Let's talk about a Catalyst. So if we look at this Catalyst 2960, and let's look at the end-of-life announcement: announcement date of 2013, you know, older model, hardware shipments were going all the way till then, but end of sale is 2014, but we have till 2017. So all the way up till the last day you could buy it, from that last day you still had three years that you could continue. And buy it, well, that's a good three years of support, so I think that's reasonable, that I get three years of updates on it. But, and I thought, okay, that's making the argument that the other Cisco Catalyst or higher-end models have a longer warranty. But then I went and wanted to figure out what Cisco's global policy is. Let's talk about the end-of-life purpose. Now, this is: all products reach end of life for some reasons, including market demands, blah blah blah. So let's talk about scope: Cisco's end-of-life policy applies to all Cisco hardware, software, cloud services and service offers, collectively products, that have their own unique product part number. So this is all the things Cisco. And that policy here, if you go down to the table, and let's just talk about the end of life here. So their rules are: the end-of-sale notice period, you know, end-of-sale date, day zero, so you have six months ahead of time where we're going to tell you it's going to be dead. And then after that, let's look at the software maintenance releases: a year. That's it. That's pretty short, and that lines up with the Cisco small business switches, but that also means this is how Cisco is applying it globally. So for people who think Cisco has a longer end-of-life policy that applies to old equipment, this is officially from Cisco, and I'll drop the link for people that want to read it. This particular one, this is just on their page, but I'll drop the link in there. I just find it kind of interesting that Cisco has a pretty short policy, and this is global according to this Cisco document, and that's why I want to have people read it, to make sure I'm
not misunderstanding it. And this is the challenge, because we'll just say that accuracy in videos has been a hot topic lately, and I always try to bring you extremely accurate content. I cite all my sources, I suggest further reading, like, where did I get this information? Here it is, and you should read it too. Let me know if I'm wrong, etc. So, you know, I don't mind if I'm wrong about things, but this particular thing, I'm staring at it going, wow, Cisco kind of has a crappy policy for end-of-life support. Now, that doesn't mean that their products aren't out for a long time; they may be out and available for years. The problem is you don't know when that time is up. You can guess that a product built in 2014 is probably end of life, but you don't know, unless you can assume that maybe a product that's been out for a few years might be getting closer to that end of life. But you don't know, and from the time you know, you only have a year and a half before you're potentially done with that product. So you, you know, you have a big... In the example Jason gave, I want to say he bought, I don't remember, it was like $10,000 worth of switches, there's a lot of switches, it was some number, and they put them all in, and a year and a half later they had to replace them. And how do you tell that to a client, that a year and a half later, because he bought it right at that time when Cisco was end-of-lifing it, but you didn't know because they hadn't announced it yet, and you quote the switches and you put them in? So it's kind of, I don't know, it's kind of a crappy way to do it. It's like they should at least guarantee that from the time you're still purchasing a product there are X number of years left, even if that number is three. I would like to know before I buy a product. And you could just say, well, just try to buy products that are released recently, and that can be challenging to figure out a little bit because of the way the release numbers are on there. Even the ones I reviewed, they've been out
for a number of years and they're still not end-of-life announced yet, so a little bit confusing for sure. That whole small business switch product line doesn't make sense when Meraki and Meraki Go exist? I still think it does. I think the 220s have a place, with the 350s; the place they have is they're relatively well priced for being Cisco. I said that in that video: they're not the cheapest switches you could buy, but they're probably the least expensive Cisco switches you can buy, and with that being said, they work rather well. They have the features to get through most of the configurations that you're looking to do, and, you know, I think they make a good, reliable piece of hardware. That's why I took the time to review them and talk about them. But this part here is obviously just a lot more confusing, because how long they'll be around... Now, I think that Cisco puts no effort, no effort at all, into the Cisco dashboard product, because it would compete with the Meraki on that aspect. It would, because obviously you want a central dashboard and, you know, all those centralized management features, and you get that with Meraki, but you get that allegedly with the Cisco dashboard, but man, is it just... So I did a video on it, so yeah, it is definitely an issue. I mean, you could say you pay Cisco for the badge; maybe there's some truth in that. But the other side of it is, yeah, who doesn't know an IT room filled with a bunch of Ciscos that someone finally forced someone to get rid of because they were so old, but they worked, they just kept working. I haven't had myself too many Cisco switches go bad; they seem to be pretty solid in terms of performance. But when they end-of-life things and there's security vulnerabilities in them, well, that's a whole 'nother problem. And that's why, especially now with security being much more exploited, it's much more under attack, it's one of those things: this is where the threat actors are, attacking every piece of
infrastructure, getting leverage on anything they can. So you really... And then for good reason now, and compliance, and to even get insured, you have to have a plan and a process to patch all of your stuff. So it's all those things; if you have to keep on patching, now you're fighting this whole end-of-life milestone problem of making sure that there's a way to do it. So yes.

Who do you think does EOL well? Well, that's not an easy question to answer. I started searching for this, and there's lots of people that debate things in forums, but let's look up this one here. I know there's a page for it; let me find it. It's not on Ubiquiti's thing, let me see if I can find it. As I'm looking for, like, the UniFi one, this is the challenge: if you Google search this, it's not exactly... I'm three in, looking for it, so I find third-party people that made them. We'll just share this tab. This is a net wi-fi works; this was the first result for you in searching Ubiquiti end-of-life products, of what's on here, and hence the problem: this is not a complete list. PicoStation, AirGateways. So I guess my question to you is: do you know someone who's got a good list of these things? Companies do not always have this well documented. They usually have, sometimes, like, put in a serial number, okay, but you know, I want to know when it is. So let's see if I can find it. There's always third parties; here's another third party. When I was trying to look up Aruba, you can't. The Aruba site doesn't have it; the Aruba site lands you on a page that doesn't seem to have it listed very well, but then you find some PDF with a bunch of random stuff in there, and the sale announced on... but I don't really know how long this model was out for. Can I click it, and does it bring it there? You can see how challenging this is, right? Where is this information? This one allegedly is end of life, but how long was it around? If I do a search for it, is there a release date on
this somewhere? I mean, this is literally like a research project to try to figure out when these devices were released and when they go end of support. Am I right? Not seeing, there's no date on this. It's still an asset listed on there, but there's not a date listed, so that doesn't necessarily make it easy. Let's just search for one of the models. Still no date. Spec sheets: is there a copyright on this, even? Well, I mean, the copyright on this one turns out to be 2014, so at least you found a copyright on here. You can see the challenge with this; it's not an easy answer, because there's not a good list for there.

We were not talking about pricing with the 45Drives meeting, so that had nothing... that meeting is all about technology and not money, in terms of, like, we didn't talk how much does the server cost. My discussion was a lot with, I wanted to pick the brain trust, because we were just trying to dive into some details on things like, you know, how wide should ZFS be, different storage planning ideas, Ceph talks, like breakdown how Ceph deploy works, what's the future of storage look like. We had a lot of fun, like, tossed around some interesting discussions, what the market looks like. So that's the kind of high-level discussion we had. Pricing is for sales people. I am going to throw this out here, people: not a sales guy. I'm a solutions person, I am a technologist, I'm not exactly a salesperson. Sometimes I have to sell things to make money, but I don't actually do that work; I have a whole sales team. So I even joke, like, people, I figure out what they want, I scope out the work, I can roughly estimate how many hours something may take, and then I go, here you go, sales, not my problem. I don't create customers, I don't create bids, I don't create that. That's why I merged my company; the team, the sales team at CWR, is who gets handed off a scoped-out project. I may do implementation, but I don't do the billing. I am, if you can't tell, a little excited not to do the billing anymore, not to
do the sales or money part anymore, like, that's not the part that interests me when it comes to that. You were just making sure someone brought up MikroTik; fair enough, that's a point. At least you told me a product with a five-year sale, five-year support; that's good to know. How can I access or transfer into the ix-applications dataset? Is there some kind of explorer GUI app? I can solve... TrueNAS Scale, you can usually SSH in; that's how most people do it. But I did do a video, but it does require setting permissions for the file manager. If you type in "file manager" or "web file manager TrueNAS Scale", I did the video in the last couple weeks. Ubiquiti doesn't really have support. Fortinet now requires you to sign in to see the EOLs? Yeah, I have a Fortinet sign-in, so I could do that. But well, for Cisco you can Google the model number, but it doesn't tell you when it's going to be end of life. You don't know until they announce it, and when they announce it you only have a year and a half. So if you bought it a day before the announcement, you didn't know that you have a year and a half and a day before it's end of life for that product. A lot of people complaining about newer Netgear APs dropping off, then reconnecting repeatedly; hearing about that? I never use Netgear APs. They make it difficult, so you call your sales rep, and you wouldn't know if he wants to sell you a new switch, yeah. Zorus: do you need to install the Zorus agent on the machine to do web filtering? Yes, you do. I love me some Ceph; that's one of the things I would give up switching to XCP-ng if they had first-class Ceph support on node. They, I don't, I even tested it, they do have Ceph support, I just haven't used it. Generally speaking, I believe it's like they expect you to build a Ceph server; they're not doing Ceph, and I don't see the point in them doing Ceph. I understand them connecting to Ceph; I don't see the point in them building their back end in Ceph. That doesn't... why? That's not their specialty,
like, buy a 45Drives server or servers and build yourself a Ceph cluster, makes sense, and then connect your XCP-ng to it. That part makes sense. You know, it's funny watching anyone, or listening, I should say, for me, because I mostly listen to podcasts at 1x speed generally; I'm used to listening to people at 2x, so yeah, 1x is like weird. Sorry, a little bit; I was up late because we had a hell of a storm last night. Thanks. You're gonna start moving away from Extreme APs and switches, moving to UI, saving tens of thousands of dollars in just licensing on top of hardware savings, seeing hopefully it works out. Yeah, it is a constant debate, because the licensing fees just really add up, and it's not just... the school districts we've done are always one of those ones; school districts are always under tight budgets, and if they buy UniFi they save all the licensing fees that they don't have to, you know, it just saves them all the problems of everything. And I'm gonna do an updated video on that as a topic. That's part of what's leading up to it: I wanted to cover some of the other switches before I went and did the UniFi video, so I can say, hey, here's recent videos on these other switches.

I need something I will mention right here; I was gonna ring a bell. I was explaining that in a moment: my friends over at Ninja got me this because of my arm I injured, which is healing pretty well. I thought it was funny. They also sent me the shirt I'm wearing; it's from the event I did with them, so if you see it says NinjaOne Backup, some bandwidth. But, sorry if you hear a bunch of noise, I had looked at the camera so I was seeing if my wife was upstairs; they're bringing something. But they sent me a bell to ring, you know, ring for service. That's probably really loud. So this is my friends at NinjaOne; they sent me a care package. Oh, fun stuff. Open port for direct-mode access, access to your NAS, access remotely via VPN, do you have
an opinion? Always use a VPN; do not expose your NAS is my answer. Yeah, do not expose your NAS, please stop doing that. We have so many nuisance things on the internet that are botnets that are taking over your stuff that people left exposed, and it's just a terrible idea. Ceph is hyperconvergence, sure; the point is compute with storage spread evenly across every node; when a node goes down you lose a little of both, but everything stays up. I mean, should they be the ones engineering it? You can say the same thing for, you have clustering in XCP-ng, you have setting up a Ceph cluster. Is it the XCP-ng team that should be engineering storage, because the solution exists elsewhere? And you build storage separate from compute in the enterprise space; you don't build them as one. There's a lot of beneficial reasons to build out your Ceph cluster separate from your nodes that are doing the compute. Thank you. I don't know what to give you here for a remote, but I'm old, for anyone wondering; it's not spicy food that does it, but man, something's killing me. Ever done any videos on layer 3 routing, such as an ACL, trying to work out how to take load off the little pfSense box? No, mostly because you can usually architect it better. Sorry, let me chew this up. You can architect it better usually by not doing it; like, quit routing storage is what I was saying, I think the last episode or the episode before. And every time someone comments going, well, I need my storage, I'm like, quit routing storage. Put things that need to be on the same VLAN on the same VLAN. You got to figure out why do you need high speed, and can you change your architecture to fix that? It's not that you can't do it; the problem is you want to offload it, but then you realize you need a really expensive, fast switch. You're like, oh, because the MikroTik, since we are on that topic, the MikroTik, I believe you can even do it with their small hundred-twenty-dollar, hundred-twenty-nine-dollar ten-gig switch I reviewed. I believe you
can do the layer 3 on that, but the speed at which it will do it is not ten gig, even though it's a ten-gig switch. Matter of fact, a lot of them will not do this at the native speed of the switch when it comes to that, until you get into the higher-end models. So now you've just moved the bottleneck; you took the burden off your pfSense and moved it to the switch, but it's still a burden, it's still not at full speed. So I've not really done any videos on it, because it also varies from model to model to model; there's not a universal to it when you're setting it up. It's not like this is the way you can describe it architecturally, which you probably know, but you have to cover how to do it in each switch. They do announce end-of-life date, one or two years later stop selling, end of life and end of support within five years. Who does? Because not Cisco, according to their own documentation; it's not Cisco who does that. The issues: when you encounter an issue, once the solution resolves it, you either call support and let them figure it out, or you have a team to figure it out; both have a cost. Yep. Some HP
Enterprise switch gear I have gotten off eBay has lifetime warranties; I called in about three times, no problems with the process, no questions of being the original owner. Yeah, HP's got that lifetime warranty; I think the Aruba stuff has it too. I think that's what they have claimed on their site. Thoughts on Synology QuickConnect? It works. I use it for my cameras, I use it for my camera system. The bell works. What arm am I using? I'll look it up, but I will tell you it's whatever microphone stand arm from, well, I'll look it up here. Would it be... I'll find it in my order history somewhere; let me try to find it. Let's share the screen here. We bought it a number of years ago, so I'd have to go back. Wow, there's stuff that old in here. There it is: I ordered it on January 20th of 2015, so it's a Neewer microphone suspension boom arm. That's how long I've had this same arm. The springs are broke, and I don't know if I can really pull this in camera to show without making a bunch of noise, but the springs are broke on it. Normally there's like a spring; it broke, so I just crank these tighter and it holds it without the spring. So as you can tell, it still is doing its thing, so shout out to Neewer for making something that holds up for all those years. Is it possible these days to use Ubiquiti cameras without the required access to the mothership servers? I don't know. I don't think you have to register to set up a Ubiquiti; that's a good question. I should set ours up again from scratch and see if it requires you to register with Ubiquiti to do so. It'd be an interesting test, as I want to do a comparison between Ubiquiti and Synology now that the Ubiquiti cameras are in stock again. This is actually the challenge with Ubiquiti: I avoided doing videos for a while because they were pointless; the cameras weren't available, so no matter how much you liked it you couldn't buy it, so why do a video on it? I mean, there's the argument that eventually, because videos can be what
they refer to as evergreen, and the videos are available, and if later the other thing is available, you know, then the video becomes relevant again. But I don't know; the features keep changing, so I was just holding off on doing a review. I need to remotely access a NAS; stream or add a pile of cash, build another NAS, use it for remote backup? If you have a firewall like pfSense, I recommend OpenVPN. That's generally my recommendation, because you put it behind a VPN, you don't have to worry about it. But I mean, Synology QuickConnect, it works. There is a level of risk that comes with exposing, even with QuickConnect, exposing your NAS to the internet. I preach this a lot, and someone says I shouldn't, which I thought was weird. I've got a couple comments that I talk too much about not exposing things, but I'm like, seriously, the number of botnets out there are becoming a nuisance and a danger to the internet. And what are these botnets? There are lots of exposed QNAPs, as an easy example, because QNAP has had so many security flaws in it; there's an army of QNAP bots floating around on the internet doing dumb things, or sometimes losing people's data, because if they're not turned into some zombie botnet they might be used to delete all the data on them and maybe even ransomware you, because, what is that one QNAP ransomware called? It makes the news every now and then. I've definitely covered it, because I've covered some of the QNAP silliness and how bad they are at security. But quit opening the NASes to the internet is generally my answer to have a better internet. I have pfSense on an older PC with a four-port Intel network card; will it work when I use a PCI slot with a PCIe adapter? Yeah, as long as you go with the Intel cards, they generally work fine with pfSense. QuickConnect versus a VPN: QuickConnect directly exposes your Synology NAS; a VPN, you, I mean, you can have a problem with a VPN; they could find a flaw in OpenVPN, they could find a flaw in WireGuard, so VPNs aren't
without risk. But VPNs, generally speaking, because of their popularity and the fact that OpenVPN has gone through code review, and I believe WireGuard has too, they're less likely to find a flaw in it, versus if they find a flaw in your Synology, hopefully it's fixed before the person or a threat actor exploits the flaw that was found. So it's just, there's not, like, comparing them one to one. As that, it comes down to, I think Synology does a good job with security; doesn't mean there's not something missed. And do you have a plan to keep your Synology up to date? What if you're going, oh, I was not following the news, or I was on vacation for the last week, and a big problem was found in it? Oh man, I wasn't home to patch it; I hope someone didn't log in. Those are the problems you're going to run into, and the same could happen, but I just think it's statistically less likely to happen with OpenVPN or WireGuard. Oh, QuickConnect with a proxy is definitely slow. Cisco gave us five years on the 3850, so maybe it's there. Well, that's what's... so obviously Cisco can override their own policies, but their policy for end-of-life milestones, does this have a date on it? I don't know when they enacted this policy, so for older switches, definitely, they've had years of support on lots of the older models. Do they get that in newer models? I don't know. According to Cisco's website, and according to that link, this is a global policy for all Cisco products. But what companies like to do, and I don't blame them: you set the base policy; doesn't mean I can't give you a better deal, it doesn't mean I can't give you a longer warranty, but I'm only going to guarantee this. I might do more, but I won't do less, or, I'm telling you, you won't have less support than this. If the same arm and it works is terrible? Yeah, but it works, yep. Yes, someone else commenting Cisco did the same, yep. Already have a mid-level IT job, a salary, minimum overtime, but I miss the extra cash from those after-hours marathons working; I'd be in
my search for job boards um kind of depends what you want to do getting into the contracting game can be kind of hard but there's like field nation is one of those places and there's probably more I just don't know about them because I don't really look at those spaces but there's spaces that hire pools of IT people and then rent them back out broker them if you will to other IT companies that need extra help I use Cloudflare Tunnels remotely access my Synology yes and DB Tech has a great YouTube channel he's a friend of mine um he's got a good video on Cloudflare Tunnels Cloudflare Tunnels are good I comes with any risk of you are now trusting Cloudflare but that's another way you can access your NAS huh it's getting to be my thought tail scale or wire guard yeah tail scales uh I like it a lot it just works it's simple I give a lot of simple recommendations because I I know it fits the needs of people if you're a more advanced person you want to use something more advanced by all means do so but for basic usage and like for me be able to get to things at my house tail scale does the job very well Intel i340 Quadport next are dirt cheap um yes you can find a lot of those the prices on network even 10 gig network cards are the prices really dropped on them so you can buy like those four port Intel cards you can buy the four port or two port 10 gig ones and the price is really good on those William much appreciated thank you for the donation 8000 tail scale of magic to DNS what it does well what it does I have not tested it it looks neat but it's I've been too busy to actually use it I just use the regular tail scale they have uh is it called tail scale funnel and something else um it's kind of cool now the nice thing about tail scale in general and let me log into it this is a neat topic log in where is it in my settings ah right here put this on the screen one of the nice things about tail scale is this is where you can set uh like lauren systems.com and I wanted 
to make sure it uses this this allows me even when I'm out for all of my HA proxy stuff I set up and my DNS resolver and I did a video on this recently that all works now with the DNS right here to say hey when you're connected to the tail scale network this is your DNS server so definitely a um a neat way to do it so you can say for this domain and everything at this domain including all the subdomains use this DNS server that way any overrides I have for DNS show up in there I might do an updated video on that um just to make for some clarifications but it definitely works really well can I set up a VLAN rules on ASUS router with the unify the same APF sense doing your videos I don't know if which models do or do not support VLANs have no idea on the ASUS I don't use them so I don't have an I don't really have an answer for that part of yeah part of secure your network yeah say what you do launch systems do not change a thing signed Peter Griffin automated next thought updates via bashcript do the same for QNAS don't agree with exposing your NAS to the internet but automation can help yes well I'm sure a question I didn't explain all PC has a PCI slot not a PCIe slot um you can find I believe the older cards still work fine if you only have a PCIe slot how old is that computer though there's there's a real question you're no longer doing hell desk well that's good in your experience the Syracot or Syracot PF sense stopped the legit threat I think that PF sense or just let's just go bigger we're just gonna talk about Syracot and Snort and threat detection at the firewall I think threat detection at the firewall is not your best bet it may stop some amateurs it may stop some basics it may stop if you have if you have ports open it's more likely though if you have ports open to stop some payload that is being pushed through those ports if you have no ports open I don't even think it's gonna I don't I can't even name a time and feel free to read to don't believe me I 
don't I I always suggest people like hey you go read to different reports you look through a different report you look through a debrief and you go hey look at this enterprise company here's a walk-through everything that happened okay how would have how would the firewall have known to stop this oh it wouldn't because the traffic was encrypted well okay moving on that's how I feel about with everything being encrypted now someone will point out but Tom the old viruses are still out there and Syracotta can see them yeah I guess that is an attack vector they would stop but I think they're oversold they but they're also not being required because the compliance systems are pushing that you have that type of threat monitoring on the firewall even though the threats monitoring is really needs to be focused on the endpoint have you heard of side router it's an interesting way for people to bypass the Great Wall I don't really deal with the Great Wall I use Sophos XG with inspection to stop me from doing stupid stuff you never know what link will have bad stuff but it's always a cat and mouse game of you know like it's just the same problem with DNS sync holding it's a great idea as long as someone else has found it first just in as long as it's not too new of a threat because if it's too new of a threat it's not on your list of things to block or the list of your threat protection stuff let's open you look at companies and let me find one that we'll talk about here so Huntress friends of mine so I'm very familiar with how they work so much of what they do how they work is by looking at behaviors there's a tons of free resources by the way they offer you have like all these different resources you can join for free there are events webinars etc etc and you won't hear them talking about how we have some magical BS AI system what they will tell you though is that they're watching for the tactics and techniques that threat actors use to leverage things sorry I didn't have 
this pulled up this is huge in terms of like what modern threats look like is how you have to look at the tactics and techniques who can do that not some AI system program by someone that's only if you want a bunch of VC money thrown at you you you say I have magic AI because why do VCs want to throw money at magic AI because well it's much harder to sell to say I have to hire really smart people and they're like how many smart people are there how can we scale your company well smart people are hard to find the VCs are going well then why would I give you money and then someone else comes along says I have a magical AI learning system that I pump data into it and then it figures out the threat landscape how do you scale it oh we just keep buying more servers oh cool let's throw money at that that's kind of a oversimplification for why so many things with AI have lots of money and lots of marketing and why it's harder to grow a company but I think it's better and Huntress is an example they've grown quite well building it on smart people who understand the threat landscape that's you know huge different I find something someone's looking for here there's actually I'll share a site where you can there's some good write-ups here where can I find these different reports the DFI report there's a site that the DFI report account but you can search for these and there's just a lot of reports that you can go through you can usually come back to Huntress Huntress covers some of this they'll do debriefs essentially this is a debrief report where you walk through what happened and when you walk through what happened you can play this back in your head and go what if they would have had insert name of product at this point in the attack chain would that have made a difference that's the question you have to ask so you can look at recent modern threats you can read Mandian's write-ups Mandian has really good write-ups I've used them as a source whenever I'm talking about 
different breaches that happen and same thing you can look through the attack kill chain and ask yourself the question would this have stopped the thing that's happening in this kill chain if I had insert name of product at insert point in kill chain and that's how you can better understand things two times H.A. Proxy has a straight up stopped it started happening recently since upgrade 2301 by Queen Quincinola have you had something similar restarting H.A. Proxy resolves it look at the logs that's always my answer look at the logs also by the way I've talked about this many times before I don't know if I should do a video on it to announce it to people because I don't know if if they check these things like I do but I spend time in forums so maybe let me pull this up and I don't know if this may or may not affect you or maybe why I'm not being affected by this we're going to go here to patches is make sure you have all your patches applied I have all mine applied I don't know because I know there's something about fixing log rotation I just apply the patches because I trust PF sense that if they say apply these patches I apply these patches maybe this patch fixes a problem with H.A. 
Proxy I don't know I apply the patches when they come out before I have a problem but I wasn't having a problem before so I don't know what circumstance but I do know the secrets to all things are usually in the log files so you have to look at when did it stop what is the last log before it stopped was it trying to read a file that it couldn't find those are always the questions on there so any stories of IOT devices data mining lands with broadcasts and such seem to have relevance to the devices use case stories of IOT devices data mining lands I'm not saying it doesn't exist I don't see a ton of people talking about it most of the IOT stuff just poorly designed but I don't think I've seen any that were specifically nefarious for data mining Huntress something isn't no you cannot run Huntress at home Huntress is uh I think it's 100 end points is their minimum buy is an old HP slimline Athlon X2 4 giga RAM bought PCA ooh Athlon X2 yeah that's pretty I'd look at something newer yeah Huntress labs even have good practice for when their IT members shown on the John Hammond works at Huntress he does a lot of deep dives too on his YouTube channel so if you don't know who John Hammond is follow his channel it's great currently use engine X to reach for internal hosts how could I connect SSH internal hosts using their fully qualified domain some kind of proxy I think you I don't know if you can route SSH to engine X I think you can route SSH through HA proxy I just never do I don't want that extra layer on there so that's not something I usually I'd never have a use case for it so not something usually set up generally I even with clients I VPN into the client I SSH into the box that's on that other side of the VPN can I stop a VLAN with rules on ASUS router nope you already answered that question networking war story something crazy you've seen happen I don't know I don't really think much about the war stories it's always a bunch of dumb things happening we have you 
know problems where in the mistake was we gave them admin access before we were finished we were working with an internal IT team and the internal IT team started changing things before we were done deploying the network at all the locations it's not only a war story it's just a dumb story and tons of people with loop center network they're not it's I don't know I don't know if they're really war stories they're just the problems that we have to sort out telling people there's a dumb switch in our network they tell us there's not and we're like let's go piece by piece we're gonna find it and we do eventually we found one on a ceiling it was weird you expected the run to go from one office to the other office but we're like it doesn't and the reason we knew which port brought us from point A to point B but what happens is we know if we unplug the port this is this is the fun think about how you have to trace this if I unplug the port it stops routing in that office so we we know I'm holding the wire that brings data to this particular segment of the office the part that took a second to notice and the reason why is because there's another switch in between is when you unplug it the light on the switch that's feeding it doesn't go out you're like oh so I this is definitely where the data comes from and that's definitely where the data goes out because if I unplug that port on that switch the data stops going this way but the link lights never go out because there's a switch in between and it was turned out to be in the ceiling and there's a plug in the ceiling for it that's the best part so there's definitely um there's a lot of it's not all about war stories or just I don't know whatever your troubleshooting network there's always something silly going on HP definition of lifetime warranty is not what you think they come up with their own definition of lifetime if you read the small print probably worked at a non-tech company they had a network with four subnets 
endpoints on each subnet could talk to any other subnet endpoints did not have any end point monitoring pretty typical took uh oh is it normal for an msp to be the slacks there's a there there's as many bad tech people sysadmins if you will as there are bad msp's and it companies so yes I never saw it with nginx but did it with atproxy I'm sure you're referring to the SSH I'll bring this I've not used this well I take that back I tested it but I didn't want to use it because it requires an agent that's the reason this is the only thing that stopped me from using it but there is this server here to teleport my friend Krishna Lampa has definitely done several videos on this but it's also a pretty slick way to ssh things is using a teleport server I just didn't like it because it uses an agent and I didn't feel like loading agents on my system the unify light switches I mean look at the unify light switches and ask yourself the question does it fit your use case if it has the features that you need then there's nothing wrong with using like they work fine make sure it has the features the unify light switches like the light poe doesn't have a high power budget do you need a high power budget like it's it's it's not a question of will they work like if you need more wattage than they have then it won't work that's the better way to describe it Patrick served the home suggests think clients HP think client they are reasonably priced and cheap great PFS search Dell makes them as well yes Patrick served the home is awesome and he definitely has some good recommendations on a lot of the inexpensive hardware for things like PFSense I don't really keep up with endpoint protection for home users we only use commercial software I just don't know what's like I usually if people ask me I'm just telling you use if you're going to use windows use Microsoft's Defender it's pretty good it's gotten way better but I don't really have any I don't keep up with the home user market at 
all someone extended and he didn't run via switch in the ceiling technical debt yes don't mind me here just seeking knowledge currently IT help desk look at the order well you're in a good place we have a lot to talk about here 6.4 Linux kernel and ZFS are no go at the moment don't update your kernels interesting setting up a backup for a PSS router custom built AMD 220 and sitting up eight kids CMA board was the best way to migrate the configuration just export and import the config like the I've got a I think I have two videos look for the most recent one on backing up and restoring PF sense I have MSP manager client users password huh will you make a video on the crazy stuff you see in the field not really it's not that interesting and it doesn't it's hard because it doesn't necessarily it's not the most helpful thing sometimes I guess some people just like the stories of it and maybe there's some value in that I try to focus on building the more educational side of the content the tutorials and things like that because that's the ones that people really seem to like that gets the most engagement I've done like a you know a couple of videos on like a really bad wiring job but I also called it lessons learned because I walked through all the lessons learned in that video is two and a half in 10 gig network connectivity is supposed to work with your NAS set to fail over traffic stops flowing once I disconnect 10 gig link I don't know what you're asking exactly so I guess it depends on how you have it set up generally if you're bonding network interfaces together they're going to be of the same speed if that's the question you're asking some bad MSP just take on the client don't want to pay and end up being bad MSPs yeah what is teleport again via SSH oh teleport is and I'll just drop a link so you can read more about it I don't use it but teleport is a way to do SSH but it's it's SSH but it's wrapped in an agent that teleport connects to you have to load the 
agents on your endpoints do you configure TrueNAS SMB to listen all required subnets I mean yeah whatever subnets it needs to listen on and no more if you're practicing proper principles of least privilege you look at the networks you need SMB on and you set those to listen so you if two sites have overlap it will actually still route because you route your tailnet IP not your let me show you the IP address I'm going to use to get to my devices is the tailnet IP so for example these are all the tailnet IPs now what will not work is the if you're pushing routes so this has subnets on it this this machine advertised subnets you can't have advertised subnets on more than one machine that are overlapping that will not work but as far as the nodes because it's an extra network attached to your system it'll route to those networks do you recommend geoblocking it's a headache if it gets it wrong so maybe um you I don't know that I'd always run things that max load for poe budget it's better not to work the switch at its peak but it's probably fine to work it maybe like an 80% load and you gotta remember how some of the devices work so you have to calculate your load and is the load variable or is it fixed because wifi for example maybe it has a higher boot time load than it does average working load or maybe dynamically it ramps up power based on what's being done so you have to think about the variables of your load if there's any variables to your load cameras are one of those ones that you have to remember if your camera has nighttime mode it's going to use more wattage to drive those iR LEDs than it will in daytime so you have to calculate it based on that huntress versus crowdstrike I'm going to go huntress does the layer 3 unify switch support HRSP I don't think so currently learning things about ssh definitely in a great spot ssh is great video this seems smart but isn't on things to avoid I don't even know how to describe like quit routing storage I said that at 
the beginning I say that a lot how's the arm physical therapy it's doing well recently learned at something called putty cac support ubekey ssh which is pretty awesome I don't use putty but yes I've done a video on ubekey and ssh I have a zema and I you want to use torrenting I have the highest specs but when torrenting the real techniques crash change to mini pc yeah that's something you're going to run into that you're if you don't have a fast enough system you may not your torrenting experience maybe not good you know if you're going to use zfs on linux and you're going to load cockpit just get the 45 drives version I've covered the I've done a video on that as a topic just use the 45 drives cockpit if you're going to run zfs I mean maybe there's something else out there maybe you have a reason but if you run the houston UI from 45 drives it's all free it's on github they have a great interface for managing all your zfs pool tail scale is cheating sure why not why is the pf sense gooey mini web server so slow even with phenomenal hardware I don't know because to me hold on too many tabs open I don't find it slow let me throw it up here real quick like it seems fast to me I mean that's sub millisecond click and change page so I don't know what it's if it's not that fast for you you're doing something wrong I don't so I don't know what oh yeah I mean that's a choice though you're you're turning lights on at night so of course it's going to use more power at night this one right here yes the 45 drives plug in for cockpit is end of life who said that let me find the zfs on here because I don't know how you can say it's end of life unless there's some secret here there's the repos for it there's the houston ui they even have they've actually added a step one so where's our zfs one it's in here somewhere I just like the fact I mean this is a very active project they're still doing videos on it so I don't I don't understand the whole end of life statement do I still 
use zero tier not really also I think I know who hey how you doing you're in Saginaw right I want to make sure I got the same computer pro so if that is you terry hi but um anyways I did a video a while ago zero-tier tier versus tail scale what really sold to me is the fact that tail scale is more ubiquitously supported on everything so better support that's why that's why I chose tail scale over zero tier they beat zero tier to the punch they have a plugin for pf sense so that makes a big difference so I don't I mean there's nothing wrong with zero tier it works I haven't really looked at it in a while I remember they talked about for a long time and I haven't looked at it in a while they did not have a self-hosting option versus head scale came out and allows you to self-host that was another thing that made a difference for people that want to self-host things the zero tier have us I think someone made one I don't think it's from them or said scale is not from them either but if you want to use zero tier I mean I don't know any reason not to use it you can host your own routes those previews called moons rules engine self-hosting been a while since I played with it so I don't know much about how the self-hosting work but zero tier is a nice software but the integration of PF sense with tail scale the how well it works on my phone how what are the other devices I have attached to it right now and the other devices I have attached to it it's going to be my pixel seven my Synology my MacBook Air my Chromebook they just all work actually I hardly use my Chromebook I have it I barely turn it on as you can tell but I've actually had it on since then I just didn't open up tail scale on it I turned it on to keep it up to date but I don't yeah I actually I have enough day to tail scale on it because that's why I still running an outdated version but I use it on my phone quite a bit and it works fine I used it two days ago on my phone tail scale contributed to the 
headscale project they actually had a couple different code things they contributed to it some of the same developers but nonetheless we're an hour in and I'm going to end it here well actually we're an hour in 11 minutes and so I am in need of more water and my wife is gone I can't ring the bell and uh have her come get me more she's not gonna go for that yes so I'm gonna wind it down here thank you everyone for joining this was awesome this was a lot of fun it was great talking to all of you boo bell broken oh yeah well seen as you haven't left yet that bell is loud my ears my ears are ringing from that bell ringing I'm just gonna say that it's really loud pizza night yes gotta do that for sure so nonetheless everyone have fun take care see you next time let me know on that video about talking about the software that we use maybe in case you'll do that if we have time possibly as a live shoot tomorrow we'll figure it out all right and thanks I'll answer that question she's already she already wants to take it away now yeah my wife doesn't like the bell at all you