Posts made by Mike Davis

@Obsolesce said in Microsoft Multi factor auth down worldwide:

So how do you get in now?

You don't. You sit and stew and think about the credit you're going to put in for when it comes back up.

@dbeato I was hoping I could save someone else the time of troubleshooting.

https://azure.microsoft.com/en-us/status/

Summary of Impact: Starting at 04:39 UTC on 19 Nov 2018 customers in Europe, Asia-Pacific and the Americas regions may experience difficulties signing into Azure resources, such as Azure Active Directory, when Multi-Factor Authentication is required by policy.

Investigation: Engineers have explored mitigating a back-end service via deploying a code hotfix, and this is currently being validated in a staging environment to verify before potential roll-out to production. Engineers are also continuing to explore additional workstreams to expedite mitigation.

Next Steps: Engineers will continue to validate the hotfix. The next update will be provided in 60 minutes, or as events warrant.

@dbeato Just ran the troubleshooter and it's back to activated.

I have 16 printers on that network and they are adding two more wireless ones. Currently the only wifi devices that can get to the LAN are Windows domain devices that match the NPS rules. Since I can't push the windows cert to the new printers, that got me started thinking about the separate VLAN for printers. Then I remembered how they wanted to print from guest devices and I thought I could take care of two things at once.

I was going to just allow port 9100, but was thinking that it would work for older devices, but there was probably some catch with chrome printing or something like that.

@JaredBusch said in printer VLAN firewall rules:

@Mike-Davis said in printer VLAN firewall rules:

So just allow full communication from the guest-wifi VLAN to the PrinterVLAN and do the same for the DefaultVLAN to the PrinterVLAN? Seems like you would want to block port 80/443 from the guest-wifi to the PrinterVLAN to block guests from trying to get to the admin interfaces on the printers.

No, I said why make a printer VLAN in the first place? It is still going to have full capabilities back to the LAN.

So having a rule between the guest VLAN and the LAN or the guest VLAN and the printer VLAN is no different.

I'm thinking have a printerVLAN so I can only allow port 9100 from Guest-wifi to printerVLAN.

@DustinB3403 said in printer VLAN firewall rules:

@Mike-Davis or you could secure the printer admin interfaces with something other than the default credentials.

Already doing that. Seems odd to just give them full access on every port when I'm thinking they only need access to port 9100. I was going to do that, but wondered if others ran in to issues with some printers using non standard ports or something.

Happening on a 1803 build 17134.345 machine.

So just allow full communication from the guest-wifi VLAN to the PrinterVLAN and do the same for the DefaultVLAN to the PrinterVLAN? Seems like you would want to block port 80/443 from the guest-wifi to the PrinterVLAN to block guests from trying to get to the admin interfaces on the printers.

I have a couple networks where they want users on the guest wifi to be able to print to printers that are currently on the LAN. I was thinking of putting the printers on their own VLAN. For those of you that have done this, what rules are you setting between the VLANS?

@Dashrender That explains why the ICMP packets (ping) always worked.

@DustinB3403 said in daisy chain Ubiquiti AC Pros?:

This is why you don't use pre-made cables.

What does it cost to have fiber terminated? $150/hr? Since this is in the mountains, I'm guessing the nearest city is 1.5 hours away, so drive time on top of that. I'm just guessing at the labor since I haven't ever had it quoted.

How in the hell would you pull a terminated fiber through a pipe?

The last time I did this inside a building, I ordered the interduct with a pull string in it, and then ordered the fiber with a pull eye on it.

In this case here, I'd have to use my mouse (conduit piston) to pull a pull string through the conduit, and then pull the fiber in behind it. That's why it has to be 1". With LC connectors and a pull eye it will fit.

But, assuming you go with wired to many units, you are not going to have only a single fiber in the pipe. You are going to have many.

Right. No big deal. If you are pulling 3, you just stager the eyes since they are fat, and the fiber itself is very narrow. If you're smart, you pull a pull string along with the fiber runs so you have it in the conduit in case you need it later.

@JaredBusch said in daisy chain Ubiquiti AC Pros?:

@Mike-Davis said in daisy chain Ubiquiti AC Pros?:

@JaredBusch said in daisy chain Ubiquiti AC Pros?:

FFS. You cannot used pre-terminated cables in pipe.

Do you mean you can't have couplers in the conduit? I would agree. On the other hand, as long as the fiber was outdoor rated, it seems like premade cables like that for the shorter runs makes sense.

How in the hell would you pull a terminated fiber through a pipe?

The last time I did this inside a building, I ordered the interduct with a pull string in it, and then ordered the fiber with a pull eye on it.

In this case here, I'd have to use my mouse (conduit piston) to pull a pull string through the conduit, and then pull the fiber in behind it. That's why it has to be 1". With LC connectors and a pull eye it will fit.

@JaredBusch said in daisy chain Ubiquiti AC Pros?:

Now, the objection to the WISP model.

Why do you think you need an 80' tower?

This hardware is designed to go miles. You are going like 600 feet max. It is highly likely that a solid omni-directional antenna on the roof of the main building will provide signal to most of the facilities.

But even should you have a section of bad service, you can put another one on another building. Likely Lakeview based on the picture.

The trees are about that tall. The cottages have metal roofs on them.

So you're thinking a NanoBeam 5AC-G2 on each cottage connected to a UAP AC lite/pro? What would be needed at the main house? Rocket AC and then (3) airMAX AC Sector Antennas? Does a single Rocket AC support 3 antennas?

@JaredBusch said in daisy chain Ubiquiti AC Pros?:

FFS. You cannot used pre-terminated cables in pipe.

Do you mean you can't have couplers in the conduit? I would agree. On the other hand, as long as the fiber was outdoor rated, it seems like premade cables like that for the shorter runs makes sense.

@coliver said in daisy chain Ubiquiti AC Pros?:

That's what I was thinking. Is the goal to have wireless access throughout the camp?

just in the cottages. Not all over the grounds.

@DustinB3403 said in daisy chain Ubiquiti AC Pros?:

@JaredBusch said in daisy chain Ubiquiti AC Pros?:

1. What is the goal

An Access point for every cabin.

coverage for every cabin. The row of cabins Pine Maple Spruce are so close that doing every other one should work.

@DustinB3403 said in daisy chain Ubiquiti AC Pros?:

@Mike-Davis said in daisy chain Ubiquiti AC Pros?:

@JaredBusch said in daisy chain Ubiquiti AC Pros?:

Mike,
I think this whole this is super confused right now.

Why is there copper involved? All of this should be fiber.

Are these copper and fiber runs listed already in place ? Or are they being planned?

Start this whole thing over...

The only thing they have now is internet to the Main House (1). I thought copper would be less expensive than fiber since I would only need a $20 circuit protector on it, vs a switch with a SFP if fiber is run. Also with fiber, can't terminate it myself, so that would mean hiring that out, or ordering premade cables at the right lengths.

But you already are going to have to hire someone to terminate the 1 fiber cable for APs 10 and 11. Might as well just keep the tech around and have them terminate it all.

not if I order a premade cable....

@JaredBusch said in daisy chain Ubiquiti AC Pros?:

It has a cost. because it is not his costs does not matter.

Right, since I vacation there, the cost goes in to rental fees going up, or the project just not getting started because they can't absorb the cost.