Troubleshooting: Why A Methodical Approach Matters.
In the world of high availability, it’s easy to feel immense pressure to solve network issues as quickly as possible. However, speed without strategy leads to compounded issues. Troubleshooting isn’t just about fixing what’s broken… It’s about understanding why it broke in the first place, and how to prevent it from happening again.
There are a few core ideas that I prefer adhering to when working out complex issues:
🔍 Gather Real Data
The first step in solving any problem is understanding the scope of the issue. This means collecting accurate, tangible data like logs, error messages, interface statistics, and user reports. It’s important to screen and correlate as much information as possible with the symptoms of the problem. Assumptions don’t solve problems, but facts do.
💡 Form a Hypothesis Based on Evidence
Once you’ve been able to gather data, you can build a hypothesis grounded in what’s actually observable and reproducible. Theories about root causes should be based on measurable behavior, not a gut feeling.
🔄 Test Changes Incrementally
When it’s time to make changes, remember to do so in small, deliberate steps. Test one variable at a time, monitor the outcome, and roll back if necessary. A calm and controlled approach can prevent new issues from being introduced, and problems from compounding on top of one another.
🧭 Follow a Documented Process
Structure is the key to success. Following a logical and well-documented troubleshooting process allows you to rule out potential causes methodically, providing a clear trail of what’s been tried and what’s failed. This is especially valuable when collaborating or escalating issues.
🧘 Stay Patient and Stay Calm
Acute system issues can create urgency, but rushing often does more harm than good. Remain patient to avoid introducing additional variables into an already sensitive environment.
🛠️ Use Workarounds Wisely
In some cases, a well-implemented workaround can help restore functionality and reduce impact while the root cause is still being investigated. However, it’s important to treat workarounds as TEMPORARY (yes, I am yelling lol). Workaround solutions should always be clearly documented, closely monitored, and followed up on by a determined and focused effort to resolve the underlying issue.
📚 Understand the Technology You’re Working With
Finally, take time to research and understand the intended behavior of the protocols or systems involved. You can’t effectively fix something you don’t fully understand; context truly is everything.
Whether you’re troubleshooting a routing issue or investigating intermittent application latency, applying a structured and thoughtful approach not only resolves problems more effectively, it also builds a more resilient and maintainable network.
Juniper Virtual Production Network
Key Technologies:
- GNS3 2.2.51 Network Topology Emulator
- Juniper vJunos-switch 23.2R1.14
- Juniper vSRX 20.4R1 3.0 Next Generation Firewall
- Rapid Spanning Tree Protocol
- Link Aggregation Control Protocol
- Network Address Translation
- DHCP over Layer 3 LACP
- Juniper J-web management platform
Accomplishments:
- Familiarized myself with the Juniper OS command structure to ensure consistent setup and deployment of Juniper OS based devices and protocols across a range of devices.
- Deployed and configured Juniper vSRX 20.4 NGFW as a gateway to both serve and secure internal network infrastructure.
- Implemented Link-aggregation to ensure consistent layer 2/3 connectivity across both control and data-planes.
- Arranged redundant switch forwarding using Rapid Spanning Tree Protocol to ensure consistent and secure connection to endpoint devices.
- Established secure endpoint links using port-fast and BPDU blocking on edge ports to ensure the stability of layer two operations.
- Deployed and tested several endpoint devices and ensured the stability of redundant links through intentional disconnection of lines leading to default gateway.
Additional Improvements added 11-14-2024:
- Added High-Availability Network Uplink by configuring VRRP across two identically configured vSRX Firewalls serving as gateways for the network below them.
- Added two additional vEX switches acting as a core layer and configured RSTP across redundant links providing a stable and redundant connection from the access layer up to the gateway.
- Configured SFTP to allow configuration redundancy across VRRP connected routers.
Cisco Collaboration 14.0 CUCM Lab
Key Technologies:
- Cisco DevNet Sandbox Collaboration 14.0 (https://devnetsandbox.cisco.com/DevNet)
- Microsoft Active Directory on Windows Server 2022
- Cisco Unified Communications Manager Publisher
- Cisco Unified Communications Manager Subscriber
- Cisco Unity Connection Messaging server
- Cisco IM & Presence server
- Cisco AnyConnect SMC Version 4.9.04043
Accomplishments:
- Explored IM & Presence System Troubleshooter in order to resolve NTP failures resulting in the lack of communication between services in a Collaboration 14.0 environment
- Explored the creation and administration of device templates, allowing for more streamlined deployment of Cisco Mobile Handsets, and Desk-phone telephony systems.
- Administered local users within CUCM in order to assign “virtual” devices.
- Reviewed and implemented Cisco’s best practices for device security templates within a single-site, single-cluster environment.
- Utilized Cisco VPN access to manage, configure, and administer users within Cisco Collaboration and Windows desktop server 2022.
- Created and utilized Calling Search Space Partitions to allow for Local, Long distance, and International calling space assignments.

Wazuh XDR Security information and event management lab
Key Technologies:
- Wazuh Integrated XDR/SIEM
- Ubuntu Server 22.04.5 LTS
- Docker version 27.3.1, build ce12230
- Git
Accomplishments:
- Configured and Implemented SIEM/XDR security monitoring system and agents to effectively manage security across an array of connected devices.
- Implemented active-response rules to prevent and deter attackers utilizing brute-force techniques from accessing personal and lab related devices.
- Leveraged CIS Benchmarks in order to harden connected devices, preventing attackers from leveraging known vulnerabilities to access personal and lab connected systems.
- Implemented and monitored FIM database to document and prevent unauthorized file system changes and system compliance anomalies.


Windows Server 2019 Domain Controller Virtual Lab
Key Technologies:
- VMWare Workstation Pro 17.6.1
- Windows Server 2019 Desktop Evaluation Edition
- Windows 11 Enterprise Evaluation edition
- Active Directory Domain Services
- Active Directory DNS services
- Active Directory Users and Computers
- Group Policy Management
- SMB 3.1.1
Accomplishments:
- Configured, Enabled, and Implemented Windows Server 2019 domain controller inside of a NAT network configured using VMware Workstation Pro 17.6.1
- Installed and Configured two Windows 11 enterprise client systems within the same Subnet.
- Enabled and configured DNS services for Windows Server 2019.
- Configured Users and Groups within Active Directory Users and Computers to allow for two domain user level accounts as well as an additional administrator level account for access to my domain.
- Configured DNS on adjacent virtual client systems and successfully joined the devices to the domain using previously created accounts.
- Created and Shared a centralized filesystem to these systems utilizing SMB 3.1.1.
Personal Website Reverse Proxy and Domain management
06/01/2024 – present
Key Technologies:
- Domain Registrar: GoDaddy.com
- Dynamic DNS service: PFSense 2.7.2-RELEASE (amd64)
- Reverse Proxy: HAproxy 0.63_2 hosted on PFSense
- Personal Website: https://nawalker.work
- Web Services: WordPress (TrueNAS Scale Dragonfish-24.04.2)
- PKI/Digital Certificates: ACME Certificate Management Environment
- SSL Offloading/HTTPS: HAproxy Reverse Proxy.
Accomplishments:
- Acquired Domain Name using GoDaddy’s domain registration system and implemented Dynamic DNS services using PFsense to ensure WAN IP address is always associated with domain, even if it changes.
- Implemented WordPress Helm package using TrueNAS Scale, allowing me to host this website on my own server from home.
- Configured Front and Back-end access control lists using HAproxy allowing access to https://nawalker.work without opening and forwarding specific ports on my network.
- Applied Digital Certificate to my site using ACME Certificate Management Environment to allow secure encrypted access to https://nawalker.work over the web.
- Implemented SSL offloading using HAProxy to allow packet inspection using SNORT IPS to prevent unauthorized and malicious traffic from entering the network.
- Configured and Designed Personal Website using WordPress.
Virtualized Stateful Firewall with PFSense.
07/01/2023 – present.
Key Technologies:
- Level 1 Hypervisor: Proxmox 7.4-18
- Virtual Machines: PFSense 2.7.2-RELEASE (amd64)
- WAN IP Pass-through: ATT BG-320 Fiber Router/Modem
- Stateful Firewall: PFSense 2.7.2-RELEASE (amd64)
- Intrusion Prevention System: SNORT 4.1.6_17
- PKI Certificate Management
Accomplishments:
- Implemented Dynamic MAC based IP address pass-through to ensure that WAN address is consistently assigned to the PFsense firewall.
- Installed and Configured PFSense Firewall inside of a virtual machine using Proxmox.
- Assigned primary NIC to PFSense firewall ensuring that all WAN traffic enters and exits the firewall.
- Configured firewall LAN interface rules to ensure traffic security and to prevent unnecessary IP address ranges from creating inbound connections to the network.
- Created Management VLAN to allow traffic to Proxmox from specific devices to ensure connectivity should the firewall ever fail or become misconfigured.
- Installed and configured SNORT IPS package to assist with automated traffic analysis and to prevent network intrusions from bad actors attempting to access my network over WAN address.
- Installed and configured ACME certificate management environment to create and manage certificates, enabling HTTPS encryption for sites and services on my network.
Proxmox 7.4 Virtualization Infrastructure.
06/01/2023 – present
Key Technologies:
- Virtualization – Proxmox 7.4-18
- Firewall – PFSense 2.7.2-RELEASE (amd64) FreeBSD 14.0-CURRENT
- Routing – ATT Fiber BG-320
- Network Bridging and static IP pass-through – Proxmox 7.4-18
- Network Attached Storage – TrueNAS Scale Dragonfish-24.04.2 (Linux)
- Linux and FreeBSD
- Servers and Network Access.
Accomplishments:
- Implemented level 1 bare metal hypervisor using Proxmox 7.4 based on Debian to deploy and manage virtual machines serving my network.
- Configured and Deployed Virtual Firewall using PFSense by Netgate to manage and secure my home and lab networks from a single pane of glass.
- Configured separate network interface cards on the system to ensure management traffic is always available to the host server, preventing critical downtime in the case of a firewall outage or misconfiguration.
- Utilized IP pass-through to ensure that all traffic on WAN address securely enters and exits through the firewall.
- Configured and deployed Network Attached Storage server on my host using TrueNAS Scale as a virtualized storage solution, providing my network and devices with redundancy and additional data storage.
The Power Of Pfsense.
For most users, it’s not uncommon to rely on the basic router provided by our Internet Service Providers (ISPs). However, this device has limited functionality, which often means sacrificing advanced features and robust security measures, and that can leave your home network vulnerable.
Pfsense is a powerful open-source firewall and routing platform that can unlock a world of benefits for your home network, and it’s totally free if you run it on your own hardware.
I’ve been using Pfsense to protect my home network for roughly a year at this point, so I wanted to write this article to summarize my feelings on the appliance, and to convey how it’s benefited my home network as a whole.
Unlocking Advanced Features
One of the most significant advantages of using Pfsense is the ability to access advanced features that are not typically available through standard ISP router devices.
With Pfsense, you can:
- Configure complex routing rules and sub-netting schemes to optimize your network’s performance, security, and organization.
- Easily set up site-to-site VPNs for secure external access, allowing friends and family to connect to your home network without compromising security. Options include the IPsec, OpenVPN, and WireGuard packages, all natively available using Pfsense.
- Host services within your network, such as file sharing or media streaming, while keeping them protected from the outside world using firewall rules, reverse proxies like HAProxy, and IP whitelisting.
These features not only enhance the functionality of your home network but also provide a level of customization and security that is largely unachievable using most ISP routers that are available.
Enhanced Security
In today’s increasingly complex online landscape, security is more crucial than ever. With Pfsense as your dedicated firewall, you can rest assured that your home network and devices are better protected against the mounting risks posed by the internet. By utilizing utilities like SNORT, you can:
- Analyze traffic flowing to and from your network in real-time, allowing you to identify potential threats before they become major issues.
- Create block lists for known bad actors, preventing malicious traffic from ever reaching your family or servers.
- Block traffic based on a consistently updated rule-set by automating ACLs.
- Perform deep packet analysis to prevent malware from ever making it to or from devices on your home network.
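Both the block lists described here and the brute-force active-response rules mentioned in the Wazuh lab come down to counting failures per source address inside a time window and blocking temporarily once a threshold is crossed. The following is an added example, not the author's configuration and not Wazuh or SNORT code; the thresholds, the `detect_bruteforce` name, and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to your own environment.
MAX_FAILURES = 5                    # failures tolerated per source IP...
WINDOW = timedelta(seconds=120)     # ...inside this sliding window
BLOCK_FOR = timedelta(minutes=10)   # temporary block, after which the IP is released

# Matches OpenSSH "Failed password" lines in classic syslog format.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def detect_bruteforce(lines, year=2024):
    """Return {ip: (blocked_at, unblock_at)} for sources that cross the threshold."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside WINDOW
    blocks = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in blocks and ts < blocks[ip][1]:
            continue              # block still active; do not re-trigger
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()           # drop failures that aged out of the window
        if len(q) >= MAX_FAILURES:
            blocks[ip] = (ts, ts + BLOCK_FOR)
            q.clear()
    return blocks

# Constructed sample input (documentation-range addresses, not real traffic):
# a fast burst from one source, slow failures from another, one good login.
SAMPLE = (
    [f"Nov 14 10:00:{s:02d} lab sshd[811]: Failed password for invalid user admin "
     f"from 203.0.113.7 port 4000{i} ssh2" for i, s in enumerate((1, 9, 17, 25, 33))]
    + [f"Nov 14 10:{m:02d}:00 lab sshd[812]: Failed password for root "
       f"from 198.51.100.20 port 5000{i} ssh2" for i, m in enumerate((1, 4, 7, 10, 13))]
    + ["Nov 14 10:14:00 lab sshd[813]: Accepted publickey for labuser "
       "from 192.0.2.10 port 51000 ssh2"]
)

if __name__ == "__main__":
    for ip, (start, end) in detect_bruteforce(SAMPLE).items():
        print(f"block {ip} from {start} until {end}")
```

Only the burst source is blocked; the slow source never has five failures inside one window, which is why the window length matters as much as the count.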
Traffic Flow Control
One of the most powerful features of Pfsense is its ability to control and prioritize traffic flow across your network. With tools like Traffic Shaping and QoS (Quality of Service), you can allocate bandwidth and resources to specific devices, applications, or services based on their priority level. This means that critical traffic, such as voice, video streaming, or online gaming, gets the fastest and most efficient throughput, while less critical traffic is relegated to a lower priority. This level of control allows you to optimize your network’s performance, ensuring that your devices receive the bandwidth they need to run smoothly.
Easy Traffic Management
Pfsense also provides an intuitive interface for managing traffic flow across your network. With features like Traffic Rules and Bandwidth Graphs, you can easily monitor and manage traffic patterns in real-time. This allows you to identify potential bottlenecks or issues before they become major problems, making it easier to troubleshoot and resolve any issues that may arise. Whether you’re looking to prioritize specific devices or services, or simply want to monitor your network’s performance, Pfsense provides a level of traffic management that is unmatched by a standard router.
Conclusion
After using Pfsense for the last year I can safely say it has changed the way that I approach SOHO networking. It’s free to install on any device or virtual appliance (using a hypervisor like Proxmox is easier than you’d think) and dedicated appliances can be purchased directly through Netgate, the parent company. I’ve learned a lot while using Pfsense, and am excited to continue diving into firewalls as a means of securing network traffic, both in the enterprise, and at my home.
Thanks for reading!

