Several hours later... #ripe
Well now I need to automate krill and I can allocate functional subnets with literally a single line of configuration.
With how much @1password renewal costs now they better add some CA management...
me: does the RIPE DB allocation exactly once
also me: ok, I need this bs automated, there's no way I'll be copypasting these subnets around by hand
-enableTCP6
Whether to enable IPv6 for listening and dialing. By default, only IPv4 TCP and UDP are used
*groans*
Hate it when people post part of the content on a website that's available on the plain web and even just through RSS but then BAM: if you want the rest, join discord. What's even the point of having a website in the first place?
Maintaining blog made in middleman has been getting painful recently even with bundler and nixpkgs taking some heat off. Maybe I should consider remaking it in astro which looks like NextJS but static-generation-first. Def should give it some thought.
Learning about Arch rolling out a breaking change to how libjpeg/libjpeg-turbo are handled from a broken system update today was mildly annoying...
Source: https://archlinux.org/todo/stop-relying-on-virtual-libjpeg-lib32-libjpeg-package/
What a conundrum. I want to see routes that failed RPKI in my looking glass / analytics (because it's fun). But I also don't want to route to them because really, get your shit together, if I figured RPKI, anyone can.
The problem? As soon as I filter on invalid RPKI, I can't reexport the routes into my collector because mikrotik won't export filtered routes (which is reasonable).
What can I do? I can import all of my upstreams into a RIB, do the RPKI annotating there, and reexport the valid ones into the FIB. The router feeds on valid routes, the LG gets the RIB.
It works. It's great. But also this little trick just cost me another gig of ram:
> /routing/route/print count-only
5468859
~~~~~~~
I've been told that I write random things without explaining wtf I'm doing in enough detail and using wild abbreviations, so here's the un-TL;DR'd version of the above (please tell me if this is useful):
I receive a lot of routes from upstreams on my 3 routers. I have several ipv6 sessions (about 250k routes each) and 2 ipv4 sessions (1.2M routes each). They basically allow my routers to figure where to send a packet *anywhere* on the internet but they cost a lot of ram (and cpu).
A looking glass is a common name for a tool that tells you "how would I reach address X from router Y". It basically looks through all those routes and highlights the ones that fit the search.
Any machine on the internet has a routing table (at least one). A routing table tells it where to send packets. Most of the time you only care about the default table (typically, main) and in there—about a default (oh no, I inserted an em-dash out of habit. It's opt-shift-minus, you don't need an llm to paste it btw) gateway, i.e. the place where you send all the traffic you don't know about. You let the default gw figure it. In my case, there's no "default gw" on the router, the router knows every single route out there in the internet instead of forwarding everything to a single upstream.
A RIB is a routing table that just holds routes. You won't deal with those much. A FIB is a routing table that your OS uses to make the routing decisions. That's your main table, for example.
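Here is an added example of the RIB/FIB split and the looking-glass lookup described above, written for this page and not taken from the author's BGP server or harness. It assumes a list of VRPs (validated ROA payloads) already fetched from an RPKI validator, does RFC 6811 origin validation per route, keeps every route in the RIB, installs only non-invalid routes into the FIB, and answers "how would I reach X" by longest-prefix match. All prefixes, ASNs, and next-hop names are constructed from documentation ranges; the VRP set is made up.

```python
# Added example, not the author's code: RPKI origin validation (RFC 6811)
# and a looking-glass style longest-prefix lookup over a RIB, with the
# "all routes in the RIB, only non-invalid routes in the FIB" split.
# All prefixes, ASNs and next hops below are constructed from
# documentation ranges; the VRP set is not a real one.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

Prefix = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload as exported by an RPKI validator (assumed input)."""
    prefix: Prefix
    max_length: int
    asn: int


@dataclass
class Route:
    prefix: Prefix
    origin_asn: int
    next_hop: str            # which upstream session the route came from
    rpki: str = "unchecked"  # valid / invalid / not-found after annotation


def rpki_state(prefix: Prefix, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 route origin validation.

    not-found: no VRP covers the prefix
    valid:     a covering VRP has the same origin AS and the announced
               prefix is no longer than its maxLength
    invalid:   covering VRPs exist but none matches (wrong origin, too
               specific, or an AS0 ROA, since AS 0 never originates routes)
    """
    covered = False
    for vrp in vrps:
        if vrp.prefix.version != prefix.version:
            continue
        if prefix.subnet_of(vrp.prefix):
            covered = True
            if vrp.asn == origin_asn and prefix.prefixlen <= vrp.max_length:
                return "valid"
    return "invalid" if covered else "not-found"


def annotate(rib: List[Route], vrps: Iterable[VRP]) -> List[Route]:
    """Tag every RIB entry in place; the RIB keeps everything, invalid included."""
    vrps = list(vrps)
    for route in rib:
        route.rpki = rpki_state(route.prefix, route.origin_asn, vrps)
    return rib


def fib_from_rib(rib: List[Route]) -> List[Route]:
    """Only valid and not-found routes are installed for forwarding."""
    return [r for r in rib if r.rpki != "invalid"]


def looking_glass(table: List[Route], address: str) -> List[Route]:
    """'How would I reach X': every path for the most specific covering prefix."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in table
                  if r.prefix.version == addr.version and addr in r.prefix]
    if not candidates:
        return []
    longest = max(r.prefix.prefixlen for r in candidates)
    return [r for r in candidates if r.prefix.prefixlen == longest]


# Constructed VRP set (documentation prefixes and ASNs, not real ROAs).
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64497),
]


def build_sample_rib() -> List[Route]:
    """Constructed routes as they might arrive from two upstream sessions."""
    rib = [
        Route(ipaddress.ip_network("192.0.2.0/24"), 64496, "upstream-a"),
        Route(ipaddress.ip_network("192.0.2.0/24"), 64500, "upstream-b"),   # wrong origin
        Route(ipaddress.ip_network("2001:db8:1::/48"), 64497, "upstream-a"),
        Route(ipaddress.ip_network("2001:db8::/40"), 64498, "upstream-b"),  # wrong origin
        Route(ipaddress.ip_network("203.0.113.0/24"), 64499, "upstream-a"),  # no ROA at all
    ]
    return annotate(rib, VRPS)


if __name__ == "__main__":
    rib = build_sample_rib()
    fib = fib_from_rib(rib)
    print(f"RIB holds {len(rib)} routes, FIB holds {len(fib)}")
    for r in looking_glass(rib, "192.0.2.10"):
        print(f"RIB: {r.prefix} via {r.next_hop} origin AS{r.origin_asn} rpki={r.rpki}")
    for r in looking_glass(fib, "192.0.2.10"):
        print(f"FIB: {r.prefix} via {r.next_hop} origin AS{r.origin_asn} rpki={r.rpki}")
```

Running it shows the effect the post is after: the looking glass over the RIB returns both the valid path and the wrong-origin path for 192.0.2.10, while the FIB only ever sees the valid one. The linear scan over VRPs is fine for a demo; a real collector holding millions of routes would index VRPs in a prefix trie.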
VRFs make some things very easy, other things almost impossibly hard. On one hand it's very nice to have the public traffic completely isolated from the internal VLANs. On the other hand, when you actually need to cross that boundary, it ranges from painful to impossible.
Maybe I need to buy a second router...
A blog post on VRFs is probably coming up.
So anyways, then I wrote my BGP server.(1)(2)(3)
(1) there was an existing library
(2) and I vibecoded the harness
(3) it's just a route collector for my fancy looking glass
I just inadvertently got my engineers to invent a combustible lemon. We'll see how it goes from here...
Gah, a macOS update broke my NFS auto-mounts again by force-replacing /etc/auto_master. Here's the most up-to-date manual on how to get it working again: https://gist.github.com/L422Y/8697518
Note: Can't speak on the part of hacking mountpoints into /Volumes with relativity markets since I don't bother with doing that and instead scope them in /mnt/Network that's pinned in my Finder's sidebar.
After months of relearning the radio physics, studying all things BGP, navigating the legal requirements of broadcasting, the RIPE allocation policies, and such, I realised that the immediate problem I was trying to solve needs a single NAT rule from my router to my kube VIP.
Look, at least I know BGP better now and have a radio shack!
Guess who got an ipv4 block?
/routing/route/print count-only
2853573
Thinking back, getting a home router with 4gb ram was a very smart decision.
me: I'll pick routing table 52 because my new vlan is 52
tailscale: am I a joke to you?
accidentally added new default gw into the tailscale table. Literally *everything* but tailscale is broken lol.
preliminary results in. My homelab route is the most visible worldwide (blue). Germany is clustered around Germany (duh).
If you zoom in on US alone, most of locations hit the US server (red) but there's enough random homelab hits (green) and even Germany (purple).
Traffic engineering is cursed.
/me learning about all the useful "no export outside metro" communities.