[{"content":"","date":"January 29, 2026","externalUrl":null,"permalink":"/tags/networking/","section":"Tags","summary":"","title":"Networking","type":"tags"},{"content":"","date":"January 29, 2026","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"January 29, 2026","externalUrl":null,"permalink":"/tags/router/","section":"Tags","summary":"","title":"Router","type":"tags"},{"content":"As I\u0026rsquo;ve mentioned before, I\u0026rsquo;m using VyOS for my router. If you\u0026rsquo;re not familiar with VyOS, go check it out. Its community version is open source, extremely flexible, command line only, has a great community and reasonably good documentation, and people have strong opinions about it\u0026hellip; both good and bad. What\u0026rsquo;s not to love? Is it the greatest thing since sliced bread? No, but I\u0026rsquo;m familiar with it and that is important to me.\nInstalling VyOS is similar to installing any number of Linux ISOs; follow the instructions here. I\u0026rsquo;m using Stream 2025.11. By the time you read this I\u0026rsquo;m sure there will be updated versions of Stream, and there\u0026rsquo;s always the nightly builds if that\u0026rsquo;s how you roll. The install is done locally with an attached monitor and keyboard, and since I don\u0026rsquo;t have a permanent video out I replaced the network card with a GPU for the install and then put the network card back in when done. The setup I\u0026rsquo;m showing is not all inclusive, nor is this the only way to set VyOS up. For a very detailed, beginner-friendly walkthrough check out Level Zero Networking. For me, the first thing to do after the install is to configure the management interface so that I can remove the attached video card and install the network card. To keep the addresses from moving around we need to associate the MAC addresses with the interfaces. 
So start with\nip a And copy down the MAC addresses for the motherboard interfaces. Then enter the config mode and set the host name, add a user and delete the admin account: VyOS uses an operational/configuration mode setup that is ubiquitous in enterprise-type devices, as well as a commit, confirm, save method to make changes. Details here configure set system host-name \u0026#39;vyos\u0026#39; commit; save set system login user mark authentication plaintext-password \u0026lt;\u0026lt;\u0026lt; TEMP PASSWORD \u0026gt;\u0026gt;\u0026gt; commit; save Log out and back in with the new user.\ndelete system login user vyos We\u0026rsquo;ll delete password-based access after we set up the interfaces and SSH.\nI\u0026rsquo;m setting up the onboard 1GbE port to use as a console port and I want it to be on Eth0; this is where the MAC address association comes in. This is not a console port in the traditional sense, i.e. a serial port operating at an RS232 snail\u0026rsquo;s pace, but rather a separate Ethernet port that will not be connected to the network and that I can connect a laptop to if needed. Just like a console port. set interfaces ethernet eth0 address \u0026#39;192.168.2.1/24\u0026#39; set interfaces ethernet eth0 description \u0026#39;Console\u0026#39; set interfaces ethernet eth0 hw-id \u0026#39;xx:xx:xx:xx:xx:xx\u0026#39; set interfaces ethernet eth0 mtu \u0026#39;1500\u0026#39; commit-confirm 10 At this point I connected to the Eth0 console port and SSH\u0026rsquo;d into VyOS, and once I verified that I could still communicate:\nconfirm save Time to power down the router, remove the GPU, install the network card and power it back up. And again, once logged in:\nip a Note the MAC addresses for the network card.\nIf you need to, refer back to the previous post for how I\u0026rsquo;m configuring my network. 
This is how to set up the rest of the interfaces:\nset interfaces ethernet eth1 description \u0026#39;Not Used\u0026#39; set interfaces ethernet eth1 hw-id \u0026#39;xx:xx:xx:xx:xx:xx\u0026#39; # This is the motherboard 2.5GbE port set interfaces ethernet eth2 description \u0026#39;To Switch\u0026#39; set interfaces ethernet eth2 hw-id \u0026#39;xx:xx:xx:xx:xx:xx\u0026#39; # Port 1 on the network card set interfaces ethernet eth2 vif 10 address \u0026#39;10.1.10.1/24\u0026#39; set interfaces ethernet eth2 vif 10 description \u0026#39;LAN\u0026#39; set interfaces ethernet eth2 vif 10 mtu \u0026#39;9000\u0026#39; set interfaces ethernet eth2 vif 20 address \u0026#39;10.1.20.1/24\u0026#39; set interfaces ethernet eth2 vif 20 description \u0026#39;Media\u0026#39; set interfaces ethernet eth2 vif 20 mtu \u0026#39;1500\u0026#39; set interfaces ethernet eth2 vif 30 address \u0026#39;10.1.30.1/24\u0026#39; set interfaces ethernet eth2 vif 30 description \u0026#39;Guest\u0026#39; set interfaces ethernet eth2 vif 30 mtu \u0026#39;1500\u0026#39; set interfaces ethernet eth2 vif 40 address \u0026#39;10.1.40.1/24\u0026#39; set interfaces ethernet eth2 vif 40 description \u0026#39;Management\u0026#39; set interfaces ethernet eth2 vif 40 mtu \u0026#39;1500\u0026#39; set interfaces ethernet eth2 vif 50 address \u0026#39;10.1.50.1/24\u0026#39; set interfaces ethernet eth2 vif 50 description \u0026#39;Cameras\u0026#39; set interfaces ethernet eth2 vif 50 mtu \u0026#39;1500\u0026#39; set interfaces ethernet eth2 vif 100 address \u0026#39;192.168.1.1/24\u0026#39; set interfaces ethernet eth2 vif 100 description \u0026#39;External\u0026#39; set interfaces ethernet eth2 vif 100 mtu \u0026#39;9000\u0026#39; set interfaces ethernet eth3 address \u0026#39;dhcp\u0026#39; set interfaces ethernet eth3 description \u0026#39;WAN\u0026#39; set interfaces ethernet eth3 hw-id \u0026#39;xx:xx:xx:xx:xx:xx\u0026#39; # Port 0 on the network card set interfaces ethernet eth3 mtu 
\u0026#39;9000\u0026#39; set interfaces loopback lo Next let\u0026rsquo;s set up SSH and public keys for access on two different ports, the first being the console port on Eth0 and the other being a connection to the Management zone, which will be on VLAN 40. At the end of each section you should commit-confirm and save after verification. I\u0026rsquo;m no longer going to point that out, but don\u0026rsquo;t forget to do it. set service ssh access-control allow user \u0026#39;mark\u0026#39; set service ssh disable-password-authentication set service ssh listen-address \u0026#39;192.168.2.1\u0026#39; set service ssh listen-address \u0026#39;10.1.40.1\u0026#39; set service ssh port \u0026#39;22\u0026#39; set system login user mark authentication public-keys mark@waywardlabs.com key \u0026#39;\u0026lt; \u0026lt; \u0026lt; MY KEY HERE \u0026gt; \u0026gt; \u0026gt;\u0026#39; set system login user mark authentication public-keys mark@waywardlabs.com type \u0026#39;\u0026lt; \u0026lt; \u0026lt; ENCRYPTION TYPE \u0026gt; \u0026gt; \u0026gt;\u0026#39; delete system login user mark authentication plaintext-password delete system login user mark authentication encrypted-password commit-confirm 5 Point NTP towards the right servers.\ndelete service ntp set service ntp server 0.us.pool.ntp.org set service ntp server 1.us.pool.ntp.org set service ntp server 2.us.pool.ntp.org set service ntp server 3.us.pool.ntp.org Add a DNS server. For the time being I\u0026rsquo;m using 1.1.1.1 for everything; once everything is working I\u0026rsquo;ll switch over to an internal DNS server. One step at a time.\nset system name-server \u0026#39;1.1.1.1\u0026#39; Add in DHCP servers: There is no DHCP for the Camera and External subnets; all IP addresses in these subnets are set manually. 
set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 option default-router \u0026#39;10.1.10.1\u0026#39; set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 option name-server \u0026#39;1.1.1.1\u0026#39; set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 range 0 start \u0026#39;10.1.10.50\u0026#39; set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 range 0 stop \u0026#39;10.1.10.79\u0026#39; set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 subnet-id \u0026#39;10\u0026#39; set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 option default-router \u0026#39;10.1.20.1\u0026#39; set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 option name-server \u0026#39;1.1.1.1\u0026#39; set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 range 0 start \u0026#39;10.1.20.50\u0026#39; set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 range 0 stop \u0026#39;10.1.20.79\u0026#39; set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 subnet-id \u0026#39;20\u0026#39; set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 option default-router \u0026#39;10.1.30.1\u0026#39; set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 option name-server \u0026#39;1.1.1.1\u0026#39; set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 range 0 start \u0026#39;10.1.30.50\u0026#39; set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 range 0 stop \u0026#39;10.1.30.79\u0026#39; set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 subnet-id \u0026#39;30\u0026#39; set service dhcp-server shared-network-name Management subnet 10.1.40.0/24 option default-router \u0026#39;10.1.40.1\u0026#39; set service dhcp-server shared-network-name Management subnet 10.1.40.0/24 option name-server \u0026#39;1.1.1.1\u0026#39; set service dhcp-server shared-network-name 
Management subnet 10.1.40.0/24 range 0 start \u0026#39;10.1.40.50\u0026#39; set service dhcp-server shared-network-name Management subnet 10.1.40.0/24 range 0 stop \u0026#39;10.1.40.79\u0026#39; set service dhcp-server shared-network-name Management subnet 10.1.40.0/24 subnet-id \u0026#39;40\u0026#39; Now set up any NAT. I have a few more servers, but I\u0026rsquo;m only showing 3 because you get the idea. set nat destination rule 510 description \u0026#39;Port Forwarding for Server1\u0026#39; set nat destination rule 510 destination port \u0026#39;40000-40099\u0026#39; set nat destination rule 510 inbound-interface name \u0026#39;eth3\u0026#39; set nat destination rule 510 protocol \u0026#39;tcp_udp\u0026#39; set nat destination rule 510 translation address \u0026#39;192.168.1.10\u0026#39; set nat destination rule 520 description \u0026#39;Port Forwarding for Server2\u0026#39; set nat destination rule 520 destination port \u0026#39;40100-40199\u0026#39; set nat destination rule 520 inbound-interface name \u0026#39;eth3\u0026#39; set nat destination rule 520 protocol \u0026#39;tcp_udp\u0026#39; set nat destination rule 520 translation address \u0026#39;192.168.1.11\u0026#39; set nat destination rule 530 description \u0026#39;Port Forwarding for Server3\u0026#39; set nat destination rule 530 destination port \u0026#39;40200-40299\u0026#39; set nat destination rule 530 inbound-interface name \u0026#39;eth3\u0026#39; set nat destination rule 530 protocol \u0026#39;tcp_udp\u0026#39; set nat destination rule 530 translation address \u0026#39;192.168.1.12\u0026#39; set nat source rule 100 description \u0026#39;NAT source address for all traffic leaving eth3\u0026#39; set nat source rule 100 outbound-interface name \u0026#39;eth3\u0026#39; set nat source rule 100 translation address \u0026#39;masquerade\u0026#39; At this point all the routing is configured. Time to set up the firewall. 
I\u0026rsquo;m using a zone based firewall, so we have to set up the rules and then the zones. Default rules first.\nset firewall global-options state-policy established action \u0026#39;accept\u0026#39; set firewall global-options state-policy related action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_ACCEPT default-action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_REJECT rule 10 action \u0026#39;drop\u0026#39; set firewall ipv4 name fw_EST_REL rule 10 description \u0026#39;Established-Related\u0026#39; set firewall ipv4 name fw_EST_REL rule 10 state \u0026#39;established\u0026#39; set firewall ipv4 name fw_EST_REL rule 10 state \u0026#39;related\u0026#39; set firewall ipv4 name fw_EST_REL rule 10 action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_EST_REL default-action \u0026#39;drop\u0026#39; I know\u0026hellip; there is a global option for established/related. But I like doing both. It\u0026rsquo;s more of a bookkeeping method to make sure nothing falls through the cracks. 
Continuing\u0026hellip;\nset firewall ipv4 name fw_MGMNT_OUT default-action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_LAN_OUT rule 10 description \u0026#39;Drop Invalid\u0026#39; set firewall ipv4 name fw_LAN_OUT rule 10 state \u0026#39;invalid\u0026#39; set firewall ipv4 name fw_LAN_OUT rule 10 action \u0026#39;drop\u0026#39; set firewall ipv4 name fw_LAN_OUT rule 10 log set firewall ipv4 name fw_LAN_OUT default-action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_EXT_OUT rule 10 description \u0026#39;Drop Invalid\u0026#39; set firewall ipv4 name fw_EXT_OUT rule 10 state \u0026#39;invalid\u0026#39; set firewall ipv4 name fw_EXT_OUT rule 10 action \u0026#39;drop\u0026#39; set firewall ipv4 name fw_EXT_OUT rule 10 log set firewall ipv4 name fw_EXT_OUT default-action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_WAN_EXT rule 10 description \u0026#39;Established-Related\u0026#39; set firewall ipv4 name fw_WAN_EXT rule 10 state \u0026#39;established\u0026#39; set firewall ipv4 name fw_WAN_EXT rule 10 state \u0026#39;related\u0026#39; set firewall ipv4 name fw_WAN_EXT rule 10 action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_WAN_EXT rule 20 connection-status nat \u0026#39;destination\u0026#39; set firewall ipv4 name fw_WAN_EXT rule 20 action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_WAN_EXT rule 20 state \u0026#39;new\u0026#39; set firewall ipv4 name fw_WAN_EXT default-action \u0026#39;drop\u0026#39; set firewall ipv4 name fw_LOCAL rule 10 action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_LOCAL rule 10 description \u0026#39;Established-Related\u0026#39; set firewall ipv4 name fw_LOCAL rule 10 protocol \u0026#39;all\u0026#39; set firewall ipv4 name fw_LOCAL rule 10 state \u0026#39;established\u0026#39; set firewall ipv4 name fw_LOCAL rule 10 state \u0026#39;related\u0026#39; set firewall ipv4 name fw_LOCAL rule 20 description \u0026#39;Drop Invalid\u0026#39; set firewall ipv4 name fw_LOCAL rule 20 state 
\u0026#39;invalid\u0026#39; set firewall ipv4 name fw_LOCAL rule 20 action \u0026#39;drop\u0026#39; set firewall ipv4 name fw_LOCAL rule 20 log set firewall ipv4 name fw_LOCAL rule 30 description \u0026#39;Allow ICMP\u0026#39; set firewall ipv4 name fw_LOCAL rule 30 protocol \u0026#39;icmp\u0026#39; set firewall ipv4 name fw_LOCAL rule 30 action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_LOCAL rule 30 log set firewall ipv4 name fw_LOCAL rule 50 description \u0026#39;Allow DHCP\u0026#39; set firewall ipv4 name fw_LOCAL rule 50 destination port \u0026#39;67\u0026#39; set firewall ipv4 name fw_LOCAL rule 50 action \u0026#39;accept\u0026#39; set firewall ipv4 name fw_LOCAL rule 50 protocol \u0026#39;udp\u0026#39; set firewall ipv4 name fw_LOCAL rule 50 log set firewall ipv4 name fw_LOCAL default-action \u0026#39;drop\u0026#39; At this point, if you are familiar with zone based firewall configurations, I\u0026rsquo;m guessing that you are scratching your head wondering why I\u0026rsquo;m doing it this way. Sometimes I wonder myself. I\u0026rsquo;m trying to add the structure that I\u0026rsquo;ll need later when I add an internal DNS server for all but the External subnet. 
Hopefully this looks more useful later.\nAnd now the zones.\nset firewall zone LAN default-action \u0026#39;drop\u0026#39; set firewall zone LAN from Cameras firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone LAN from External firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone LAN from Guest firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone LAN from Local firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone LAN from Management firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone LAN from Media firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone LAN from WAN firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone LAN member interface \u0026#39;eth2.10\u0026#39; set firewall zone Guest default-action \u0026#39;drop\u0026#39; set firewall zone Guest from Cameras firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Guest from External firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Guest from LAN firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Guest from Local firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone Guest from Management firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone Guest from Media firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Guest from WAN firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone Guest member interface \u0026#39;eth2.30\u0026#39; set firewall zone Media default-action \u0026#39;drop\u0026#39; set firewall zone Media from Cameras firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Media from External firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Media from Guest firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Media from LAN firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Media from Local firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone Media from Management firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone 
Media from WAN firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone Media member interface \u0026#39;eth2.20\u0026#39; set firewall zone Management default-action \u0026#39;drop\u0026#39; set firewall zone Management from Cameras firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone Management from External firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone Management from Guest firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone Management from LAN firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone Management from Local firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone Management from Media firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone Management from WAN firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone Management member interface \u0026#39;eth2.40\u0026#39; set firewall zone Management member interface \u0026#39;eth0\u0026#39; set firewall zone Cameras default-action \u0026#39;drop\u0026#39; set firewall zone Cameras from External firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Cameras from Guest firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Cameras from LAN firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Cameras from Local firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Cameras from Management firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Cameras from Media firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Cameras from WAN firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone Cameras member interface \u0026#39;eth2.50\u0026#39; set firewall zone External default-action \u0026#39;drop\u0026#39; set firewall zone External from Cameras firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone External from Guest firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone External from LAN firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone External from Local 
firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone External from Management firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone External from Media firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone External from WAN firewall name \u0026#39;fw_WAN_EXT\u0026#39; set firewall zone External member interface \u0026#39;eth2.100\u0026#39; set firewall zone Local default-action \u0026#39;drop\u0026#39; set firewall zone Local from Cameras firewall name \u0026#39;fw_LOCAL\u0026#39; set firewall zone Local from External firewall name \u0026#39;fw_LOCAL\u0026#39; set firewall zone Local from Guest firewall name \u0026#39;fw_LOCAL\u0026#39; set firewall zone Local from LAN firewall name \u0026#39;fw_LOCAL\u0026#39; set firewall zone Local from Management firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone Local from Media firewall name \u0026#39;fw_LOCAL\u0026#39; set firewall zone Local from WAN firewall name \u0026#39;fw_EST_REL\u0026#39; set firewall zone Local local-zone set firewall zone WAN default-action \u0026#39;drop\u0026#39; set firewall zone WAN from Cameras firewall name \u0026#39;fw_REJECT\u0026#39; set firewall zone WAN from External firewall name \u0026#39;fw_EXT_OUT\u0026#39; set firewall zone WAN from Guest firewall name \u0026#39;fw_EXT_OUT\u0026#39; set firewall zone WAN from LAN firewall name \u0026#39;fw_EXT_OUT\u0026#39; set firewall zone WAN from Local firewall name \u0026#39;fw_ACCEPT\u0026#39; set firewall zone WAN from Management firewall name \u0026#39;fw_MGMNT_OUT\u0026#39; set firewall zone WAN from Media firewall name \u0026#39;fw_EXT_OUT\u0026#39; set firewall zone WAN member interface \u0026#39;eth3\u0026#39; That completes the basic firewall setup minus the DNS server and its rules. 
I can also imagine that there will be some necessary modifications as the network grows or changes, but this framework should allow for those changes or additions to be included relatively easily.\nOne more thing I want to add before I\u0026rsquo;m done with this portion is to add in the offloading. If I understand correctly this should allow for some transactions to pass between the Mellanox NIC ports (WAN and the switch) without any involvement of the processor. I need to come up with a way to test this.\nset interfaces ethernet eth2 mtu \u0026#39;9000\u0026#39; set interfaces ethernet eth2 offload gro set interfaces ethernet eth2 offload gso set interfaces ethernet eth2 offload sg set interfaces ethernet eth2 offload tso set interfaces ethernet eth3 offload gro set interfaces ethernet eth3 offload gso set interfaces ethernet eth3 offload sg set interfaces ethernet eth3 offload tso Thanks for reading, and as always comments and questions are welcome.\n","date":"January 29, 2026","externalUrl":null,"permalink":"/posts/260129_router-configuration/","section":"Posts","summary":"","title":"Router Configuration","type":"posts"},{"content":"","date":"January 29, 2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"January 29, 2026","externalUrl":null,"permalink":"/tags/vyos/","section":"Tags","summary":"","title":"Vyos","type":"tags"},{"content":"","date":"January 29, 2026","externalUrl":null,"permalink":"/","section":"Wayward Labs","summary":"","title":"Wayward Labs","type":"page"},{"content":"With the router hardware complete, it’s time to move on to the software. 
But even before that I need to lay out what the network is going to look like as that drives the actual router configuration.\nI’m planning to use a zone based system layout and segment the network into 8 different zones: WAN, LAN, Guest, Media/IoT, Cameras, Management, External, and Local.\nHere’s a high level block diagram of what I’m working with. And here\u0026rsquo;s a short explanation of each:\nThe LAN zone (VLAN 10) is where most things on my network live. All the family internet access (phones, computers, laptops, printer) along with both NAS’s, NVR, DNS, etc.\nThe Guest zone (VLAN 20) is separate from the rest of the network. You can only connect to it via WiFi and it will be rate limited. DNS queries will be pushed to the DNS server on VLAN10. Beyond that it will have no access to anything else on the local network.\nThe Media zone (VLAN 30) is used to keep somewhat insecure devices (TV’s, IoT, etc.) separate from the rest of the network. Like the guest zone, DNS queries will be pushed to the DNS server on VLAN10. Beyond that it will have no access to anything else on the local network.\nThe management zone (VLAN 40) is for connections that are used to monitor and maintain the rest of the network such as server IPMI’s, UPS’s, a few homelab servers and projects. It has access to all of the other VLAN’s but only devices on LAN can access devices located on it and then only thru credentialled devices or services.\nThe Camera zone (VLAN 50) is totally separated from the rest of the network. It will only have an assigned VLAN because it physically resides on a switch that has other VLANs, so in order to maintain the separation it too must have an assigned VLAN. This VLAN does not touch the router, so no firewall rules need to be created for it. I include it in the table for completeness.\nThe External zone (VLAN 100) is basically a DMZ that is used for my business. It will have no direct connection to the rest of the network. 
It will only be accessible from either the LAN or from the Management zones. It will not use the local DNS server on LAN but will instead use Cloudflare’s 1.1.1.1 and Quad9’s 9.9.9.9 directly. I’m debating whether or not to remove access from the LAN and only allow access from the Management zone. TBD. The Local zone is the router itself. It will only be accessible from the Management zone, and then only from credentialled devices.\nIn the next post, I’ll walk through how this is to be implemented in the router.\nThanks for reading, and as always comments and questions are welcome.\n","date":"January 12, 2026","externalUrl":null,"permalink":"/posts/260112_network-layout/","section":"Posts","summary":"","title":"Network Layout","type":"posts"},{"content":"I couldn’t help myself. I picked up a second SX1024 switch.\nWhy, you ask? Redundancy, or better yet… a spare. Everything has a usable life, and if the switch fails, I want to be able to get back up and running as quickly as possible. I’m not expecting it to fail (it’s built like a battleship) but it is 13-ish years old and if I wait until an actual failure I might not be able to get a replacement SX1024 at any price, which would leave me having to source something different. And then there is the whole configuration issue, possibly on a platform I’m not familiar with. All of the possible scenarios equate to a long downtime, which as mentioned, I’m trying to avoid. I\u0026rsquo;m still trying to figure out how to come up with a spare for the router. So, I picked up a second switch at what I consider a bargain basement price of about 60% of what I paid for the first one. I’ve already updated it from version 3.6.4006 up to 3.6.8012 and once the network is completely configured, I’ll copy the configuration over to the second switch and stick it on a shelf hoping that I never have to use it, but confident that I have a relatively cheap backup solution. 
OR since the configuration is fairly generic I could put it to use for misc testing until it\u0026rsquo;s ever needed.\nThe initial connection went as expected.\nThe update procedure had a hiccup in that I needed to find a new intermediate version 3.6.5000, and the path would be 3.6.4006 -\u0026gt; 3.6.5000 -\u0026gt; 3.6.6106 -\u0026gt; 3.6.8012. However, I was not able to locate 3.6.5000 nor was I able to find any other clean path to the present version. I decided to go with 3.6.4006 -\u0026gt; 3.6.5009 -\u0026gt; 3.6.6106 -\u0026gt; 3.6.8012 thinking that any discrepancies or issues would either be edge cases that I’m not going to need or would be cleared up with the two subsequent iterations of updates. Once completed, everything appears to be ok.\nThanks for reading. As always, comments and questions are welcome.\n","date":"December 15, 2025","externalUrl":null,"permalink":"/posts/251215_double-the-fun/","section":"Posts","summary":"","title":"Double the Fun","type":"posts"},{"content":"","date":"December 15, 2025","externalUrl":null,"permalink":"/tags/mellanox/","section":"Tags","summary":"","title":"Mellanox","type":"tags"},{"content":"","date":"December 15, 2025","externalUrl":null,"permalink":"/tags/switch/","section":"Tags","summary":"","title":"Switch","type":"tags"},{"content":"","date":"December 15, 2025","externalUrl":null,"permalink":"/tags/sx1024/","section":"Tags","summary":"","title":"SX1024","type":"tags"},{"content":"There are 3 things I needed to do to get the B550 MB to fit into the SC513 chassis:\nCut the VR heatsink that mounts directly in front of the IO. Remove the audio jacks from the MB. Cut holes in the chassis that align with the IO connectors on the MB. This blog is going to be more show than tell.\nCutting the Voltage Regulator Heatsink # Here’s what the heatsink looks like after I removed it from the MB:\nI cut off the top 2 fins with a hacksaw, then milled the surface flat and touched up the edges a bit so they weren’t that sharp. 
The system is not being stressed so much that these 2 fins really matter. It now looks like this:\nRemoving the Audio Connector # By audio connector, I mean this:\nThe reason to remove it is that the board will just fit under the front panel lip; however, the top latch is in the way. As shown here:\nAnd since I don’t need it, I took it off. To get it off, I used a Dremel with an abrasive wheel and cut about 1/8in from the PCB. Then I pried off the remaining plastic, and used side cutters to trim all the remaining leads down to board level. I did use a soldering iron to remove the shield tabs. Now it looks like this:\nCutting up the Chassis Front Panel # This was fairly straightforward using a nibbler, as I only cut in openings for the farthest right group of connectors. This leaves the second from the right group of connectors covered and the video connectors partially covered, but neither is really needed. The front panel now looks a little Swiss cheesy, but the extra openings help with air flow, and with all of it being black you don’t notice too much. Yeah.\nAnd finally, here\u0026rsquo;s a picture of the completed router sitting on top of the SX1024.\nThanks for reading. As always, comments and questions are welcome.\n","date":"December 10, 2025","externalUrl":null,"permalink":"/posts/251210_router-motherboard_modifications/","section":"Posts","summary":"","title":"Router Motherboard Modifications","type":"posts"},{"content":"In my last post I said “Unless something goes awry, the plan is…” Well… it went awry.\nFirst, I couldn’t find a decent place to mount the RTL8126 connector on the front panel without adding a longer ribbon cable between the NIC mounted in the M.2 slot and the connector on the front panel, which would not be a good idea at 5GbE.\nSecond (and more importantly), I could not get the RTL8126 driver built into the VyOS ISO. 
After several days trying too many different ways to do so, I decided I had to come up with something different.\nTrying to use an out-of-tree driver was not a good idea on my part. While I could manually install it after VyOS was installed on one of my test systems, I could not get it to be part of the ISO. And this means that it’s going to be a maintenance issue in the long run. Best to have everything in the development tree. There is also another concern that I didn’t realize at the time: The RTL8126 NIC does not support any hardware offloading. Not a big issue, but definitely something I’d like to have the option to explore. After writing this, I mentioned this issue on the VyOS Forum and they got the proper driver installed in the development tree so it will now build with the ISO. However, I’ve moved on from using the RTL8126 for other reasons. I decided I’d leave this note rather than rewrite it. So now what? My backup plan was to give up the 40GbE NIC in favor of a dual 10GbE NIC and use an SFP+ copper adapter that could run at 5GbE. But I really don’t want to give up on the 40GbE connection from the router to the switch just yet. And after quite a bit of searching, reading and banging my head on the wall I found this: a QSFP+ to 10GbE SFP+ adapter.\nNow you might be saying “Duh”, but this is new to me and I’m hoping I can cascade it with the 5GbE copper SFP+ adapter.\nSo as of me writing this, the plan is to use a MCX354 dual QSFP+ NIC in the PCI_E1 slot. One port will attach to the switch via a 40GbE DAC cable, while the other port will connect to the modem with a Mellanox 655874-B21 adapter and a 10/5GbE copper SFP+ adapter plugged into that. This should work well, but I’ll have to test this to be sure. On to more of the hardware issues, and honestly these are all caused by my own foibles.\nFoible 1. I like my networking equipment to have all the networking connections on the front and all the power connections on the back. Including servers. 
I have a few exceptions, but where possible this is high on my wish list. Foible 2. I like everything (again, when possible) to be 1U tall and have a short depth chassis. This is mainly due to not having an actual 19in rack but rather a system that mounts directly to the wall using shelf rails. I’ll show this later when I get to mounting all the new stuff. FYI, the SX1024 switch coming in at 16in deep is a bit of a stretch that I’m going to have to address. Ultimately, I want this router to follow these two foibles and so I thought I’d use a Supermicro SC513 chassis that I had. I picked up 3 of these crazy cheap several years back and this one has been sitting on a shelf ever since. However, the B550 being a desktop MB and the SC513 being a server chassis, things don’t exactly go together the way one would like them to, with the biggest issues being:\nThe IO connectors on the MB do not line up with the connector openings in the chassis. The Voltage Regulator heatsink and Audio IO on the MB are too tall. The air flow for the MB is all wrong for a server chassis. For 1 \u0026amp; 2, I plan to modify the chassis IO openings, remove the audio IO jacks from the MB, and cut the VR heatsink to fit the chassis. What? Why? Yeah, it’s a bit of a drastic solution, but I’ll do it in a smart way that doesn’t affect performance. I want what I want.\nWhy is the air flow wrong? It’s the difference between the design of a desktop MB and a server MB. In a 1U server chassis, the memory is usually perpendicular to the back of the chassis and located to the side of the CPU. Air is pushed from the back to the front through the CPU separate from the memory. On a desktop MB the memory sticks are usually parallel with the back of the case between the back and the CPU. Air is pushed over the memory through a much taller CPU cooler (air not water here). Putting a desktop MB in a 1U server chassis means that the air flow to the CPU is significantly blocked by the memory. 
To fix the air flow issues, I’ll just do the best I can to direct the air around the memory. All of this will have to be figured out once I get the MB mounted in the chassis.\nThanks for reading, and as always, comments and questions are welcome.\n","date":"December 7, 2025","externalUrl":null,"permalink":"/posts/251207_the-router-take-2/","section":"Posts","summary":"","title":"The Router, Take 2","type":"posts"},{"content":"The following explanation is going to be a bit convoluted, so please bear with me.\nFor the router, I’m planning to use one of the MSI B550 Tomahawk motherboards and 5900X processors that I used for the bandwidth tests, with its biggest advantage being that I already have it, so less I have to buy. This combination along with 16GB of RAM and a 256GB NVMe should provide sufficient oomph as a router. However, it only has one 2.5GbE and one 1GbE NIC. I’m going to have to add 2 more NIC’s: One to support the 40GbE LAN connection to the switch and one to support the 5GbE WAN connection to the ATT modem. The onboard 1GbE I’ll use as a management port and the onboard 2.5GbE is going unused.\nAs is typical with most AMD socket AM4 motherboards, it has a total of 24 PCIe lanes that we need to allocate appropriately. Here’s what I have to work with:\nOne x16 PCIe4 slot (PCI_E1) directly attached to the CPU. This is where you usually connect a GPU. It is possible to bifurcate this slot into two x8 connections, but it would require additional hardware to physically realize this.\nOne M.2 connector (M2_1) directly attached to the CPU. It’s equivalent to a x4 PCIe4 connection.\nA x4 PCIe4 connection to the B550 chipset (PCH). Everything connected to the B550 chipset is multiplexed onto this connection to the CPU. This includes both onboard Ethernet ports, a second M.2 (M2_2), and all the remaining PCIe slots (PCI_E2, PCI_E3, and PCI_4). 
There is quite a bit of overlap in the usage of these slots, which renders most of them useless if M2_2 is used.\nThe MCX353 NIC for the 40GbE LAN connection will require a x8 PCIe slot, while a 5GbE NIC can be managed with a x1 PCIe slot. For the best performance, both of these NIC’s should have a direct attachment to the CPU and not through the PCH.\nUnless something goes awry, the plan is to put the MCX353 in the x16 PCIe slot and go with a 5GbE Ethernet adapter in the M2_1 NVMe slot. The 256GB NVMe drive will be in the M2_2 NVMe slot, which shouldn’t be a problem since I’ve previously verified that the MB can boot from this slot and I really don’t need lightning-fast performance for the file system. The M.2 5GbE adapter I’ve decided to use is a generic RTL8126 network chip I was able to pick up from IO Crest via Amazon. It should work well, but I’ll have to test this to be sure.\nCurrently the only issue I’m seeing is that I have no way to get video out of this configuration as I’m using the PCIE_E1 slot for the MCX353. Not a showstopper, but if things go very wrong I like having a way to connect a video card and keyboard to the system as a backdoor of last resort. Here’s to hoping I don’t need it.\nI’m sure someone is thinking that if I replace the 40GbE NIC with a 10GbE NIC that I could use a different configuration not using PCI_E1, thus allowing me to use a GPU if necessary. Umm no. A 10GbE NIC would still need to be connected directly to the CPU, making the configuration I’m using the only configuration for this MB that will work regardless of the NIC speed.\nOne more thing to point out: a nice to have feature that this system does not support would be ECC RAM. One of the tradeoffs I’m going to accept.\nNext up is to talk about software… I’m planning to use VyOS. I have nothing against any of the other options (OpenSense, pfSense, OpenWRT, et. al.), I’m sure they would all work well in this application. I just like the idea of VyOS. 
This mainly comes from a bit of history with Vyatta based routers that I am comfortable with, and VyOS is the current heir to that legacy. The adventure in this project will be building VyOS with the correct drivers, which is new to me; and then getting everything to fit in a 1U rack space.\nThanks for reading. As always, comments and questions are welcome.\n","date":"November 21, 2025","externalUrl":null,"permalink":"/posts/251121_explaining-the-router/","section":"Posts","summary":"","title":"Explaining the Router","type":"posts"},{"content":"","date":"November 4, 2025","externalUrl":null,"permalink":"/tags/40gb/s/","section":"Tags","summary":"","title":"40Gb/S","type":"tags"},{"content":"Where getting 10Gb/s was a breeze, 40Gb/s was a bit more of a challenge. I started off with the same basic configuration that I used for testing 10Gb/s, just replacing the NIC’s and DAC cables with the 40GbE versions.\nAnd after verifying that everything was still able to talk to each other, I fired up iperf3:\nWell, that’s a bit disappointing, but not unexpected as I’ve read several places online that low 20Gb/s-ish is the best most are able to get without a bit of tweaking. And in regards to tweaking, there are really good discussions at Fasterdata and Nvidia which I basically copied. 
My approach was to throw the kitchen sink at it so I added the following to /etc/sysctl.conf:\n# increase TCP max buffer size setable using setsockopt() to 256MB net.core.rmem_max = 268435456 net.core.wmem_max = 268435456 # increase Linux autotuning TCP buffer limit to 128MB net.ipv4.tcp_rmem = 4096 87380 134217728 net.ipv4.tcp_wmem = 4096 65536 134217728 # don\u0026#39;t cache TCP metrics from previous connection net.ipv4.tcp_no_metrics_save = 1 # If you are using Jumbo Frames, also set this net.ipv4.tcp_mtu_probing = 1 # recommended to enable \u0026#39;fair queueing\u0026#39; (fq or fq_codel) net.core.default_qdisc = fq # from nvidia net.ipv4.tcp_low_latency=1 net.ipv4.tcp_timestamps=0 net.ipv4.tcp_sack=1 net.core.netdev_max_backlog=250000 Follow this with:\nsysctl -p to pick up the changes. And add:\ncpupower frequency-set -g performance because Linux does not pick this by default.\niperf3 again and rates were in the 24-25Gb/s range. Sorry, I forgot to get a screen grab of it, so you’re going to have to trust me on this. I then started playing around with parallel streams, which leads me to believe that 12 streams is optimal for my setup:\nMuch better now, but I still think I can do better. However, nothing I tried improves things. Reading back through all the info on Fasterdata I see that it might be that the CPU core is overloaded and you can check with:\nmpstat -P ALL 1 Sure enough, my server is saturating the core being used for networking. A lot of trial and error led me to determine that the Genoa server I have is a crazy powerful machine but just isn’t cut out for single core/thread performance. So I replaced the server with a second B550 motherboard with a 5900X and I turned off multithreading in the BIOS, an option I didn’t find in the server BIOS and which I had already done on the first B550 board. And iperf3 again:\n39.6Gb/s. Aw… the sweet sweet nectar of success! And how about this:\nTwo full minutes at 39.6Gb/s with no retries, no buffer issues. 
That’ll help me sleep tonight. But “wait” I hear you say… doesn’t that switch and those NIC’s support 56Gb/s? Why yes they do:\nBut this much throughput is a struggle for my setup. It was not consistent, IE: the results were very bursty and more/less streams didn’t improve this. And for a long test it just gets slower and slower with each pass. After quite a bit of fiddling it is doubtful that I’d be able to get more than 44Gb/s reliably. So I’m going to stay with the 40Gb/s setup where it can do it all day. Besides, I need to get onto building out my router rather than spend a lot of time trying to figure out the 56Gb/s optimizations.\nBut does any of this really matter? I suppose only if you have an application that can generate multiple concurrent streams. And then you would need a system at both ends that can actually handle this much data. This doesn’t really fit my current or foreseeable use case. Besides, this was mostly a can-I-even-do-it exercise since I bought a switch that was capable of 40GbE. However now that I see it’s possible, I’m thinking that I will connect my router to my main switch via 40GbE as it would allow for a few close to full rate 10Gb/s concurrent streams. This wouldn’t be a good scenario for connecting to the 5Gb/s or even 2Gb/s WAN that I plan to have, but will help for inter-VLAN routing, DNS processing, and any case where the end point is the router. And at some point, I’d like to replace my pedestrian NAS with something a bit better. That might be a good use case for 40Gb/s.\nThanks for taking the time to read. 
As always, comments and questions are welcome.\n","date":"November 4, 2025","externalUrl":null,"permalink":"/posts/251104_40gb-speed_test/","section":"Posts","summary":"","title":"40GbE Speed Test","type":"posts"},{"content":"","date":"November 1, 2025","externalUrl":null,"permalink":"/tags/10gb/s/","section":"Tags","summary":"","title":"10Gb/S","type":"tags"},{"content":"Now that I’ve got the SX1024 updated, of course I must run a few speed tests to see how it performs.\nFor these tests, I have a Supermicro EPYC Genoa server and a MSI B550 5900x system both running Ubuntu 22.04 with the 6.8 kernel.\nBoth the server and B550 are connected to my home network via onboard NIC’s. I installed a MCX311A in each and powered them up and verified that the MCX311A’s were showing up in both systems (lspci). I then modified the netplan YAML files to include the new connections, reset the network (netplan apply), and checked that Linux sees them (ip a). At this point I unplugged the 1GbE cables to the home network from both systems, connected the MCX311A’s via DAC cables plugged into random ports on the SX1024, connected the SX1024 to my home network as well as the switch’s management port via SFP+ copper adapters at 1GbE, and waited for link lights on the switch. After about a minute I was able to SSH into both the server and the B550 via the SX1024 and the 10GbE connections.\nHonestly, things never go this smoothly for me. I really expected to have at least a half dozen problems to work through at this point. So I set the server to be an iperf3 server, and the B550 as an iperf3 client and gave it a go.\nVery nice for the first run, but this is with MTU set to the default of 1500. So on both the server and the B550 I modified the netplan YAML files to change the MTU to 9000. Then on the SX1024 I located the two ports that were connected and changed their MTU to 9216. 
Follow Ports \u0026gt; Port number \u0026gt; and scroll down to this:\nApply changes and click Save in the upper right corner of the web page. 1Applying the changes will make them usable but they will not survive a reboot if you don’t click on Save. Why 9216 and not 9000? The MLNX-OS has 9216 as its maximum allowed value for MTU, which allows for a bit of overhead for VLANs and other protocols. And in the documentation configuration examples it\u0026rsquo;s always set to the max. Monkey see, monkey do.\nRunning iperf3 again:\nAnd a UDP test:\nAnd then a long test to see if any buffers saturate over time:\nAnd just for grins, nuttcp gives similar results:\nI\u0026rsquo;m scratching my head on why the UDP test is a bit slower than the TCP test. I ran it several times trying slightly different configurations and it always came out about the same. I\u0026rsquo;m going to have to look into this more, but for now I\u0026rsquo;m quite happy with these results.\nThanks for taking the time to read. As always, comments and questions are welcome.\n","date":"November 1, 2025","externalUrl":null,"permalink":"/posts/251101_10gb-speed-test/","section":"Posts","summary":"","title":"10GbE Speed Test","type":"posts"},{"content":"Ok, in my last post I was able to access the switch management GUI, now I want it to be as up to date as possible. Hours of searching over several days led me to this:\nThe Mellanox SX1024 was released in 2012. It was EoL’d in 2021 with the last delivered units in June of 2022. The last supported MLNX-OS version for the SX1024 was 3.6.8012. At roughly the same time, MLNX-OS was rebranded as Mellanox Onyx and they released the software under both the old MLNX-OS and the newer Onyx names. In 2022 Nvidia completed its purchase of Mellanox, and in the last two to three years purged all of its no longer supported product software and documentation from its web pages. 
And there was this from the MLNX-OS software release notes I ran across: So I couldn’t just load the version I want and be on my way. My switch had 3.6.5009 and the most up to date version for this switch is 3.6.8012. Based on what info I could find, I could do this in two jumps, from 3.6.5009 first to 3.6.6106 and then to 3.6.8012. 1The upgrade path can be found in any of the firmware release notes Easy peasy, right? Several more days of sleuthing and I was able to locate the two upgrade images I needed from HPE. I have versions 3.6.5009, 3.6.6106, and 3.6.8012; if you need them, email me and I’ll happily send them to you. If you want to find them yourself, you’re looking for these filenames in particular: 2HPE rebranded Mellanox equipment and still maintains the upgrade packages. At least as of the date of this post. image-PPC_M460EX-3.6.5009.img image-PPC_M460EX-3.6.6106.img image-PPC_M460EX-3.6.8012.img If you need an older intermediate version you’re going to have to find that by yourself. FYI… there is a really good thread on updating the SX6036 on the STH forums that is worth finding and wading through. 3Or just click here Now for the updates, and this is where that bucket of patience I mentioned comes in. While this can be done through the console, I’m going to use the management GUI that I configured in the Configuration Wizard. So I connected a laptop to the Management Port on the SX1024; on the laptop, going to the IP I set for the Management Port in a browser and entering the credentials I set in the Wizard got me this:\nIf you set the Management Port to use DHCP, you’re going to have to source that from your laptop to get it to work.\nFirst, spend some time and poke around the UI. You know that you want to. 
When you’ve gotten that out of the way, follow System \u0026gt; Onyx Upgrade to get to this:\nScroll down to the “Install New Image to (non-active) Partition x” section and click on “Install from file location” and browse to the image file you need to update to the next version. Either don’t validate or validate if signature is present. Click “Install Image” and now you wait. For my switch it took about 75 minutes for the upgrade process to complete, and when it’s done you’ll be greeted with something like this:\nReboot the switch and verify that it is indeed using the version you just installed. Repeat this process until you get to 3.6.8012 or whatever version you want. At boot up mine now looks like this: 4An observant reader will have noticed the dates on this from February, and now it\u0026rsquo;s October. I wrote this in March and had great hopes of getting this blog going back then. I\u0026rsquo;m about seven months behind getting everything posted but I\u0026rsquo;m working to catch up. Thanks for taking the time to read. As always, comments and questions are welcome.\n","date":"October 27, 2025","externalUrl":null,"permalink":"/posts/251027_updating-the-sx1024-firmware/","section":"Posts","summary":"","title":"Updating the SX1024 Firmware","type":"posts"},{"content":"Buying a used enterprise switch on eBay can be an adventure. The two biggest issues (not problems) will be:\nGaining access and resetting the password. Updating the software. The SX1024 being 13-ish years old is no exception. You’re going to need patience and a serial console cable. And it wouldn’t hurt to find a copy of the 1U_HW_UM_SX10XX_SX1X00.pdf and any version of the MLNX-OS Ethernet Users Manual. I was able to find the 3.6.5009 version fairly easily. And did I mention you’re going to need a bucket full of patience.\nPlugging the switch in and powering it up for the first time took about 8 minutes to boot to the point that the status lights said everything was “ok”. 
That’s a long 8 minutes as you wonder if you just bought a brick. Patience.\nNext, break out the serial console cable and try to access it that way as it is the most basic way to communicate with the SX1024. Check the User manual for details, and if you need further help on using a serial cable there are several YT videos you can find.\nAnd yup… the password on my switch had not been cleared. But I didn’t really expect it to be. However, the hardware manual says:\nBut holding the Reset button for 15 seconds didn’t work. Reading a cryptic forum post (I forget where) hinted that a minute would be better. So I held the reset button for a minute… It worked! I was in; however, it didn’t reset the password, so the only way to get into the switch was to hold the reset button for a minute each time I wanted to get to the CLI. A walk through the MLNX-OS software manual and I find this:\nTo run this, you have to be in config mode:\nswitch [standalone: master] \u0026gt; enable switch [standalone: master] # configure terminal switch (config) # reset factory keep-basic And this worked. At the next reboot I’m greeted with the Configuration Wizard. Here you’ll set the switch’s name, the IP address for the management port (I suggest that you don’t use DHCP for the Management port), and your own password that someone else will have to figure out how to reset when you sell it on eBay in a few years. Hopefully they’ll read this to help them out. Check out the MLNX-OS Ethernet User Manual for details of the Configuration Wizard.\nThanks for taking the time to read. As always, comments and questions are welcome.\n","date":"October 25, 2025","externalUrl":null,"permalink":"/posts/251025_accessing-the-switch/","section":"Posts","summary":"","title":"Accessing the Switch","type":"posts"},{"content":"During my excursion into the switch search I learned quite a bit about Mellanox, particularly about their NIC’s. 
To be honest, prior to this Mellanox had never registered with me, but with what I\u0026rsquo;ve learned, I\u0026rsquo;ve decided I’m going to use Mellanox NIC’s and DAC cables where possible. 1There’s one exception to this that I’ll talk about in a later post. My reasons for going Mellanox are fairly pedestrian:\nMellanox has a great reputation for building bulletproof equipment. Less chance of compatibility issues vs mixing and matching NIC’s and DAC’s. Not as big of a concern as it used to be, but it can still be a thing. The drivers are built into the Linux kernel. It just works. Or at least it should. ConnectX3, while 5 generations old now, gives really good performance at a great price. The biggest downside being power consumption as they are not as efficient as the CX4 and newer NIC’s. And as long as I stick with 10GbE, there should be no reason to change unless something quits working. At some point I’ll buy a few extra to keep as spares. And I could always move up to CX4 or CX5 as costs come down. As of now, CX4 cards are typically 2x-3x CX3 cards and CX5 is double that. As of today, I’ve acquired 2 MCX353’s and 3 MCX311A’s. I needed to make sure everything is as up to date as possible, and I got a bit lucky with this as all the cards had the latest supported software, though I did have to change the MCX353 NIC’s from InfiniBand to Ethernet. The MCX353 are QSFP+ NIC’s for 40/56GbE; since I have QSFP+ ports on the SX1024, I picked up two of these just to play with. If you need to update Mellanox NIC’s or change them from InfiniBand to Ethernet, there are good videos on YT. There are two things that you need: one is the latest software, and the other is the update tools. Both can be had from the Nvidia/Mellanox support website for anything CX3 or newer. 2Art Of Server has a good explanation of this. Thanks for taking the time to read. 
As always, comments and questions are welcome.\n","date":"October 21, 2025","externalUrl":null,"permalink":"/posts/251021_mellanox-nics/","section":"Posts","summary":"","title":"Mellanox NIC's","type":"posts"},{"content":"","date":"October 21, 2025","externalUrl":null,"permalink":"/tags/nic/","section":"Tags","summary":"","title":"NIC","type":"tags"},{"content":"In the previous post I focused a bit on a high level what-will-I-do for the network as a whole. In this post let’s dig into my thoughts for a new switch.\nI want to replace the ER-24 and a small 8 port TP-Link switch but keep the ER-16-POE as it provides the PoE for my Unifi access points and cameras and I’m not planning to change that part of my network at this time.\nSo the first question I need to answer is: How many ports do I need? A quick count says that I’m currently using 20 non-PoE ports, and I would like to keep that with room to expand. So, I’m setting a minimum of 32 ports with the ability to support both 1GbE and 10GbE. I could always move some of the 1GbE stuff to the ER-16-POE if needed.\nAs previously mentioned, STH has a long list of “affordable” 10GbE switches, but after a not-so-quick search, something with at least 32 ports is not so affordable. Next up… eBay. Several days later searching for any option I could think of, I came to a few conclusions:\nIn typical eBay fashion, the folks selling 10GbE switches think that I should be happy to pay them more than the new price for whatever they have. That I have very few requirements for a switch: Managed 10GbE, minimum 32 ports, and support VLAN’s. Anything above this would be a nice-to-have but not a requirement. The only thing a recently released switch offers that an older switch can’t is better energy efficiency. Beyond that, what? While this might be something I regret later, I can live with something that isn’t the lowest current draw on the market. 
With this in mind, a good option for a switch is something from the older enterprise genre. As almost all data centers have already, or are still in the process of, updating to 400GbE infrastructure, a lot of very good enterprise gear can be had for pennies on the dollar, and 10GbE switches are on the low end of this spectrum.\nIt’s already too late to make a long story short, but after even more consideration I decided to go with a Mellanox SX1024. It provides 48 SFP+ cages and 12 QSFP+ cages with 1.92Tb/s of non-blocking throughput. After a bit of a wait, I was able to pick one up for $150 including taxes and delivery. Even though the 13 year old SX1024 is considered obsolete by most, it’s still a very capable switch and meets my very simple requirements. Compared to something like a MikroTik CRS317-1G-16S-RM, which is in the 5 year old range and has only 16 1GbE ports at a current price of $450, the SX1024 looks like a good option. The downside is that it will require a bit of effort compared to something newer, and power consumption will be higher. I can live with both of these.\nThanks for taking the time to read. Comments and questions are welcome.\n","date":"October 19, 2025","externalUrl":null,"permalink":"/posts/251019_a-not-so-new-switch-for-my-network/","section":"Posts","summary":"","title":"A Not-So-New Switch","type":"posts"},{"content":"My current home network needs some work. It’s not a bad network… Ubiquiti ER-4, ES-24, ES-16-POE, Unifi WiFi, Unifi Protect DVR with 3 cameras, a Qnap NAS, and a handful of servers all connected via 1 GbE with a 1Gb/s fiber WAN. This supports my family and a small (but internet intensive) home business. It was closer to the cutting edge when I last updated it back in 2019 and it’s overdue. 1This is a picture from May 2021 when I was still on a cable modem. I agree, it\u0026rsquo;s not a good picture. 
My business could absolutely benefit from a boost in speed and since I’m on ATT fiber I could upgrade to 2Gb/s or even 5Gb/s, but my network would bottleneck since everything else is based on 1GbE. 2Gb/s would be the most cost effective at this time, but I’d like to make sure I could move to 5Gb/s in the future without having to go through this again. And who knows, ATT could roll out 10Gb/s at some point.\nInternally, I want to update my LAN connections to 10GbE wherever possible for a bit of future proofing. Why not 2.5 or 5GbE? As of now, 2.5GbE networking is not really cheaper and 5GbE networking is almost non-existent. So what are my options?\nUpdate my Ubiquiti stuff. It\u0026rsquo;s the Apple of networking. I like UniFi as a whole, but am souring on it because of costs, and assorted issues.\nChange to something else. I’ve looked into Mikrotik, TP-Link Omada, and quite a few up-and-coming routers/switches that you can find over on ServeTheHome.\nSome sort of network appliance or latest MiniForms computer that runs OpenWRT, pfSense, OpenSense, VyOS, or the like. But it’s not that much different than Option 2.\nBuild my own. It’s a rabbit hole, but one where I get to choose how deep I want to go. 2Only talking about a router here, not a switch. Switches are relatively cheap and easy to get, and it’s hard to build anything with even a modicum of performance. Of course I’m going with option 4, I like rabbits.\nThanks for taking the time to read. Comments and questions are welcome.\n","date":"October 10, 2025","externalUrl":null,"permalink":"/posts/251010_updating-my-network/","section":"Posts","summary":"","title":"Updating My Home Network","type":"posts"},{"content":"I can\u0026rsquo;t talk about me without first introducing you to my Dad. His name was Larry — a farm boy from northwest Iowa who was a hometown basketball hero in high school. 
He grew up to be a high school shop teacher, a carpenter, a cabinetmaker, a farmer, a business owner, a father of five, and my best friend. The best thing he ever did in his life was marry Mom. He never let his lack of knowing how to do something prevent him from doing that something; he would learn what he could and then he would just figure it out. That was one of the most important things he ever taught me: learn what you can, figure out the rest.\nSo back to the question — who am I?\nI was a central Iowa farm boy and high school nerd that grew up to be a carpenter, a cabinetmaker, an electrical engineer, and a father of one. The best thing I\u0026rsquo;ve ever done in my life was marry my wife.\nMy name is Mark, and I like to make things. My intention with this collection of eclectic musings is to capture some of the projects I\u0026rsquo;m working on as a way for me to document details that I can refer back to when I\u0026rsquo;m trying to remember what I\u0026rsquo;ve done. Whether it be woodworking, metalworking, networking, computer hardware, gadgetry, or tackling some home improvement project, I\u0026rsquo;m not really anyone special, and you probably shouldn\u0026rsquo;t take what I say here as gospel. But if you are reading this I do hope you find something useful, because what I write about is most likely stuff I couldn\u0026rsquo;t easily find elsewhere.\nWelcome to Wayward Labs.\nPS. Thanks, Dad.\n","externalUrl":null,"permalink":"/about/","section":"Wayward Labs","summary":"","title":"","type":"page"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"I\u0026rsquo;m not hard to reach, comments, questions, and disagreements welcomed. 
You can either leave a comment on a post or email me at\nmark@waywardlab.net\n","externalUrl":null,"permalink":"/contact/","section":"Wayward Labs","summary":"","title":"Contact","type":"page"},{"content":" This website was designed using Hugo and the Blowfish Theme.\nI use Claude Code to build and maintain these pages.\nThe idea to use sidenotes came from a blog site by Scott Laird. I don\u0026rsquo;t know Mr. Laird, but I really like the look of his blog. It\u0026rsquo;s very clean and concise. I hope he considers imitation to be flattery.\nThe comment section is supported via a D1 database running on a Cloudflare Worker.\n","externalUrl":null,"permalink":"/credits/","section":"Wayward Labs","summary":"","title":"Credits","type":"page"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":"As is normal for me, I have a plan for this page. But what is also normal is I can\u0026rsquo;t quite seem to pull it off. Someday I\u0026rsquo;ll get it together.\nIn the meantime, I hope you find something useful here.\n","externalUrl":null,"permalink":"/the-end/","section":"Wayward Labs","summary":"","title":"The End","type":"page"}]