40 years ago (at school) I generally wrote in ink - edged and straight nibs, blue and black ink because I liked it. I learned several formal styles as well as my idiosyncratic efforts. I did have biros and fibre tips etc available. I had loads of choice. My parents' generation was probably the last of the ink and nib first users.
ICMP echo request/reply is handy for determining if a route exists at all ...
(reads article - I've got a five digit /. ID and that was after lurking for several years - respond first, ask questions/read article later)
Oh. You now fail to understand networks in Rust instead of C/Python/knicker elastic. sighs in policy based routing tables.
A modern mtr (traceroute is so 90's) should do things like run up and down the stack for each point along a route. It will still probably need to use the TTL field to find each point (IP) but then use ICMP/TCP/UDP/etc to measure that point in some way or perhaps interpolate it from points either side.
When I want to really get to grips with latency and stuff, I start off with a small dedicated box on a customer network and "smoke ping" with all points measurable on the path. I also have several running from our datacentre and a fair few RIPE Atlas probes too.
traceroute is handy but you must be able to decipher what it is telling you. Wearing a stethoscope does not make you a doctor.
Fair enough and I think you have done the right thing - OPNsense is pretty decent - and the clear delineation between collision domains helps avoid showing too much ankle to the internet 8)
I think your initial setup was perfectly valid. Then you diagnosed a fault and fixed it with aplomb, in a way that you could verify. The key point is: "in a way you could verify" and you failed safe. Well played.
Proxmox itself has a useful firewall implementation too, although it takes a bit of getting used to because you can set it at the cluster, host and VM levels. I personally love it because it is easier to manage than individual host based firewalls, which I also do, but I'm a masochist! For smaller systems I generally use the cluster level to keep all the rules in one place.
DNSSEC and DNS-01 challenges might do the trick at the cost of significant effort, provided LE could be directed to check, similar to the way MTA-STS works.
“does the lead developer prefer cheddar or brie” Quite right but given I live in Somerset (UK) I can have both: Cheddar is in Somerset and where the eponymous cheese originated and quite a lot of brie is produced here too - it's not the French original effort but rather good.
I have quite a lot of customers that we have migrated from VMware to Proxmox. Some of them are rocking ZFS instead of VMFS. Mostly these are Dell servers. Proxmox with ZFS seems to be more aggressive about disc failure warnings, which I think is helpful.
I remember being a passenger in an Audi 80 Avant with windsurf boards n that on the roof, traveling from the Ruhr in northern Germany to southern Spain, in around 1985. We went via la rue du soleil or a sodding great motorway through France - north to south.