Episode: 2913
Title: HPR2913: Windows, SDN, and Firewalls
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2913/hpr2913.mp3
Transcribed: 2025-10-24 13:10:12

---

This is HPR episode 2,913 entitled Windows, SDN and Firewalls, and is part of the series Networking. It is posted by BitO, is about 41 minutes long, and carries an explicit flag. The summary is: being a Windows user for the past three years, information on SDN, and the VM approach to the home firewall. This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15, that's HPR15. Better web hosting that's honest and fair at AnHonestHost.com. And here we go.

So hello everyone, this is BitO, Hacker Public Radio. The last upload from me was March 19, 2014, about 1,999 days ago; it's been about 5 years, but it's been a long 5 years. The first thing I want to say is that Hacker Public Radio has been an instrumental community for me for the past 5 years. I've been listening to Hacker Public Radio and it's provided me a lot of insight on what's been going on throughout the community and a lot of the changes that have been going on in the world. In the last 5 years, I've been able to travel the world for work. I've deployed a lot of things for work, a lot of cool things, a lot of really cool and amazing things. I've taken on a new role which moves me from working solely inside of data centers to working a lot more with networks. In those 5 years, I learned a lot about data center operations and data center infrastructure. I learned a lot about the different parts of the world and how we all come together as one planet. I've also read over three dozen books in the past 5 years at least, and that's been very useful both for my career and for my personal life. Another thing I've learned is that it's really important to have your house in order.
What I mean by that is opportunities are going to come across every day. But if you're not ready to take those opportunities, you're not going to be entirely focused or 100% committed to making sure that opportunity succeeds. Some of the things that I've done in the past 5 years from a personal perspective, to help get my house in order, have been paying off debt and focusing on long-term financial goals. I know that's something that most people don't think about, especially at a young age, but having the ability to get rid of the mundane expenses, service bills here, spending money over there and credit cards over there, getting rid of all that stuff from your day to day, can help you tremendously in developing long-term financial goals. Having those long-term financial goals helps you identify where you need to focus, and also helps you in your decision-making when taking on new opportunities. Three things that I continue to live by, something that I learned on the Finding Japan podcast, are humility, humanity and harmony. These are three things I have committed to strive for in my personal life, work and hobbies. In the past 5 years, I've been in and out of a lot of airports. I've seen a lot of different IT infrastructures and a lot of cool technologies, but without thinking about the people first, thinking about how people make the world go round, and always keeping in mind the folks who are around us helping us deliver that awesome next shiny project or next shiny technology. Keeping those people around, taking care of them and treating them with respect and as your peer will keep you on an even and predictable course in life. That's something that I found to be very important.

But enough of the intro, let's start the show off in the wrong direction: Windows. So in the past 5 years, from 2014 to 2016, I was using Fedora Linux exclusively as my primary workstation.
I actually did something a little crazy where I was using it as a primary workstation and I would have KVM running with two VMs, one which was my firewall and the second which was just a random VPN box. I would have those two VMs running in the background while I used the workstation as an everyday workstation. Sounds a little crazy, but I learned a lot doing things that way. I learned how to automate the startup and decryption of hard drives using USB keys, and I learned a lot about automating KVM hosts in the best way you possibly can. I learned a lot about introducing 10 gigabit networking into your environment. That's when I first started to touch 10 gigabit NICs and setting up bridges so that my VM host could use that for my clients. I found it to be an amazing experience to have put myself through the heartache of having a Fedora box be my primary workstation as well as run my hypervisor and all my VMs, including the firewall for the house. So that was a very interesting experience, but what I learned out of that was, number one, when you break something and it's a critical system for your entire household, you better know how to recover it immediately. If you don't, you're going to have a lot of angry users. Having learned how to have this all-in-one box do everything inside of the home was a great experience, but I realized that I needed a more stable environment, something where I can test things in my lab and have the other half of the network not be touched by that, so that other folks can use it, or have other services on my network run, without any issues. So this was my adventure into Windows. In 2016, I believe January 2016, I began using Windows as a full-time machine. I used a lot of old hardware, some AMD FX processor stuff, just old stuff, but it still ran Windows 10 without any issues.
I was still able to use most of the features available in Windows 10, but one of the things that I found I had missed from the Linux command line was, whether I'm using aptitude or yum or whatever the other tool is in Fedora, I realized that I wanted something similar to a package manager in PowerShell. What I came across was something called Chocolatey. This tool is excellent; think of it as a package manager that you can run inside of Windows PowerShell, and with a few commands, Chocolatey install Audacity, in a few seconds it will prompt you and say, hey, are you sure you want to install Audacity? And sure enough, you'll get the latest version of Audacity installed onto your Windows machine. If you ever want to upgrade any software that you installed with Chocolatey, you just run Chocolatey update all and it'll update all the software packages that you've controlled using that command line tool. An amazing tool, very easy to install and very reliable in terms of having the most up-to-date packages available. I feel that for most people out there, when you're downloading software off the internet, off some sketchy website, or you're just installing something randomly, that's probably one of those experiences in Windows that makes it feel so dumbed down that it doesn't really make you want to use it anymore, because you feel like you don't need this dumbed-down version where I have to click through this website, click on this box, click on this download link, click on this executable, click through the installer and hit next. I think that's one of the things that I definitely give Linux, and any Linux operating system, props for: having a very good package manager.
So yeah, Chocolatey is a great tool for downloading free software from the Windows PowerShell command line. The second tool that has been instrumental in my Windows experience for the past three years has been Sublime Text. It's an excellent tool. This is a text editor, and it's very powerful. I use it to quickly parse data and conduct crazy regexes. It allows me to use regexes to edit data and then copy that data over to a spreadsheet or CSV values and do something else with it. Overall, just a great tool. I feel that it's a little more powerful because, one example that I have for using Sublime Text is, let's say you copy and paste some value off of some inspect element in Chrome and you want to be able to organize this data so that for every div tag or whatever, you want a new line. Just like you do in vi or sed, you're looking it up through a regex and then you'll say, hey, insert a new line here. But one thing I like about Sublime Text is that you can regex search for those div tags or whatever it is that you're searching for, and it'll basically highlight every single one of those and give you the opportunity to hit the enter button and get a new line; it'll give you the opportunity to backspace that regex value and replace it with something by typing, and you see the live update of that. I feel that that's a very powerful tool, because so many times I have thought that my regex search, or my sed, or my awk has done something, and the only time I find out is when I run the data through whatever tool I'm using and find out, oh, it only actually replaced half, or just one, or one out of 16. I just find that visual response to what I'm editing to be a lot more powerful inside of Sublime Text.
But there's a ton of other tools and features inside Sublime Text and I highly recommend it. It's definitely something that you should put in your Windows toolbox. Alright, so in summary, it's important to understand what everyday Windows users are going through. I've been able to solve a lot of problems by having this profile of a user in my toolbox. I guess the concept I'm giving is the concept of switching hats: one of these hats is Linux user, one of them is Mac user, one of them is Chrome OS user, one of them is Windows user, and I'm able to switch hats frequently because I force myself to explore using these operating systems as an everyday tool. What I found is that using Windows, to me, is not the same as for most people, and the reason I say that is because most people are using Windows in the more dumbed-down sense: they're just clicking through boxes, accepting EULAs and just using the tool, and that's it. They don't really have an understanding of the deeper nuances and some of the deeper things you can do inside of Windows. So in summary, being an everyday Windows user allows me to focus on solving problems in different and unique ways using different tools, tools that other people out there are using, and the beautiful part is that I don't really lose touch with my Linux command line: I have my Ubuntu shell here, I have a Kali Linux VM, and these are all tools that allow me to stay focused.

Alright, moving on to the next one: web stuff. There's an awesome website that I've discovered recently that allows you to test and debug your regex. This is called regex101.com.
What I find very helpful about this site is that whatever regex you're inputting into the site, you can put sample data there and it will show you what the result of your regex formula is. In addition to that, it will also provide some information about the regex itself, meaning what the different components of your regex are doing, and I find that extremely helpful whether you're new or this is something you're very accustomed to doing. It's just a very helpful website that allows you to test your regex formulas against some sample data. The last thing that's extremely beneficial is that it allows you to share these regex formulas with everyone, using the results from the test data. So if you have a regex value and some test data and you want to compare, accelerate or share this on some site, you can use this site to save it, similar to pastebin or something of that nature, to share your regex and the sample data and provide that as an example for others to either critique or use in their projects. So I find this to be a very helpful site, regex101.com.

All right, maps. In the U.S., I know GPS, phone GPS, OpenStreetMap, Google Maps, we have a lot of map tools available to us all across the world. These are all digital map tools that require some sort of network connection. Some may require you to download this information ahead of time before planning a hike or a trip or something like that. One of the really good map resources out there is the USGS maps. What makes this a very unique site to download maps from is that you are able to download PDF versions of map sections that are 1:24,000 scale, or 7.5-minute maps.
So this is an awesome resource if you're into land navigation using a map, a map ruler or map protractor, and being able to navigate latitude and longitude positions using a quadrant-based map. I believe quadrant, I believe that's the correct term. But anyway, a quadrangle, quadrangle-based map. These are all topo maps, so you're going to get elevations, major roadways, land masses, rivers and lakes and stuff like that. These are not going to be like flight maps where you get airport data. Maybe in the next episode I'll locate a resource that allows you to download those types of maps, especially if you're a drone pilot or someone who's going to go out there on a hiking or backpacking trip and wants to know some of the aerial maps that are available, because it's really helpful to know what the air traffic is, what aerial maps pilots would use, because that could be an instrument or resource in a survival situation, especially when you're out there on your own hiking in the wilderness. But I definitely recommend this. This is going to be on the USGS; you have to go to the USGS store, and you can purchase maps that are already printed on paper, or you can just download the maps yourself as a PDF and print them on your own paper on a plotter or something like that. So I highly recommend it. Most of the maps that I've seen are within two years, around one to two years old, which is great, no problem. But the biggest benefit out of this is that you're going to have the quadrangle, or your lat-longs, displayed on these maps, which will allow you to conduct land navigation using a map protractor or map ruler. But you'll need a 1:24,000 scaled ruler.
So you can't use a 1:1,000 ruler or a different one, or military stuff; if you use anything different, you won't get the accuracy that you're looking for when you're doing analog land navigation.

The last website that I have for the web stuff is SDN information. If you're starting out in software defined networking, I highly recommend that you take a look at this GitHub site called Awesome-SDN. This website is basically a repository or a source of a lot of different types of information regarding SDN. Whether you're just starting with SDN or you're already deploying it in production at a site in your job, this is still a great site. I use this for my Northbound Networks Rubus switches, which are SDN capable and use OpenFlow. If you're using other switches that have different network operating systems on there, this is still a great site to identify different types of controllers, libraries and resources to allow you to configure your SDN environment. The most important part here is that if you work on network infrastructure or network automation or networks in general, you have to start thinking about network automation. You have to start thinking about how the network is going to deploy itself, how the network can become more self-healing, how information such as SDN, SNMP traps and stuff like that can be more easily automated and more easily communicated to network operators, network administrators or network engineers, so that your environment can sustain network outages and network changes or protocol changes. If you're not looking into SDN, or network automation in general, such as using Ansible or maybe some proprietary automation tool, you have to start looking into this stuff.
SDN is just one component, in my opinion, of many tools available. I guess that's the right thing to say. But definitely start looking at SDN. Check out Northbound Networks for their SDN devices. They've got the cheapest switches you can purchase at 100 Meg and 1 Gig. You can find a couple of other devices out there from some of the more mainstream switching providers, but they get very expensive. The cheapest that you can find out there with a 10G port is probably going to be about 500 bucks. You can build your own, and this is going to segue into my firewall topic, but you can build your own very inexpensively, sub-$200 or even sub-$100 if you want to go bare bones. But yeah, I highly recommend looking at OpenFlow, Open vSwitch, network operating systems and SDN controllers. These are all great things to check out. There is also a way that you can virtualize an SDN environment. If you just want to test, you can create virtual switches. In that fashion you can just test an SDN controller against the virtual switches and have virtual nodes tied to the virtual switches. That will allow you to test your SDN environment using just virtual resources, which is very common when you're using, what is this tool called? So, the tool is called GNS3. GNS3 is your way of deploying an SDN environment without using any physical hardware. But anyway, moving on. One more thing to add to the SDN topic is ZeroTier. This is an awesome UDP pinning SDN or SD-WAN tool. This is basically edge networking for your mobile devices and allows you to connect to other devices that you own and control.
They have a virtual switch on the actual device, which connects back, and the controller will communicate to those devices how to connect to the other devices in your environment, whether that's going to be your firewall back at home or another mobile device in another place on Earth. That's ZeroTier. I have those in the show notes.

Home hacks. All right, I only have one here, and this is a home phone. If you are looking for a home phone and you already have a Google Voice number, then I highly recommend getting yourself an OBi200 from OBiTALK. This will allow you to deploy a home landline phone system over SIP, a SIP telephone or VoIP telephone adapter, which will allow you to connect your Google Voice number as SIP, and other SIP resources as well. So if you want 911, you can pay for that per month and you'll get 911 service. Or if you just want a free home phone, you just use your Google Voice, connect that to your OBiTALK system, your OBi200, and from there you'll be good to go. You'll be able to reach your home phone from any other phone and you'll have a home phone number, which is a fantastic solution, especially if you're not interested in purchasing or paying for a VoIP service through your internet service provider. So it's free. The service is free, which is using Google Voice. The device is about 50 bucks, I believe. I can't recall, but I'll have a link to it in the show notes. Fantastic tool.

All right. Last one is firewalls. So in the past year and a half, I've been using Ubiquiti as my primary network environment, and it's been a pretty good and useful tool. What I like about Ubiquiti is that you have basically a controller that will send the configurations over to the firewall, to the switch, to your wireless devices. It's very useful because you're just using one web interface to control your entire network environment, similar to what an SDN environment is.
I think Ubiquiti's sales team classifies this as an SDN tool, or SDN network tool. But one thing I've discovered is that the UniFi Security Gateway, the three-port device, which is about 100 bucks US, is a decent device if you're at a 50 megabit to 100 megabit WAN uplink. But if you have a one gigabit WAN uplink, this device is completely useless for that type of network connectivity. The reason I say that is because if you were to enable the IPS and the IDS and all the other features that are tied to this device, you will have issues with your firewall capabilities. What I mean by that is, for example, let's say you have a one gigabit WAN uplink, and you're going from your modem to your firewall at one gigabit connectivity, and then you're going from your firewall to your LAN at one gigabit connectivity. Now, the problem with all this is that you will not have end-to-end one gigabit throughput. The reason behind that is because the ASIC inside of the firewall, heat, the features or capabilities of the firewall, the bus, all of that is going to play a very important part in how your firewall performs when you start enabling these additional features. So one of the problems with the UniFi Security Gateway, the three-port one, or USG3, is that if you were to enable IPS and IDS and try to push one gigabit worth of traffic throughout your household up to the WAN, your firewall is going to reach a limitation. For example, let's say we have about one million packets per second that we want to transmit over our firewall. If we were to do the math, let's just cut that in half. Let's say 500,000 packets per second, and let's say each packet is 100 bytes. When you do the math on this, what ends up happening is that you end up with approximately 400 megabits per second in throughput. So, think about that.
If your firewall needs the capability of transmitting 500,000 packets per second just to get 400 megabits per second, the ASIC or the CPU in that firewall has to be beefy enough to support that capability. A lot of people have this problem when they're using these fanless firewall solutions: the CPU just can't handle one million packets per second, and one million packets per second is more or less the equivalent of getting 800 to 900 megabits per second in firewall throughput. And we're just talking firewalls; we're not talking IPS/IDS. Once you start enabling IPS/IDS, your CPU is working harder and it may throttle your traffic down to 50 megs per second. So think about that: you've got a one gigabit WAN uplink that can only transmit at 50 megabits per second over your firewall. That's it. You're done. You're not going to be able to get your 1080p, you're not going to be able to game, you're not going to be able to do uploads or anything like that. You are limited to that 50 megabits per second with the IPS enabled and firewall capabilities enabled. So the best alternative would be to purchase dedicated hardware. What I mean by that is you could go with the Ubiquiti XG, which is 10G capable and one million packets per second capable; you'll get the full throughput out of the device, but you're paying over a thousand US dollars for that. That is not a good option for a hobbyist, a home network hobbyist, or someone with just a simple home network. If you want to save some cash and still get that one million packets per second throughput, and have all the capabilities of using IPS, IDS, VPN, IPsec, whatever jargon you want to throw in there, you'll get the capability if you bought dedicated hardware.
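The packets-per-second arithmetic above, as an added worked example (not from the episode or its host), generalised to any pps budget and packet size. It also computes the frame rate a link carries at line rate, counting the 20 bytes of Ethernet preamble and inter-frame gap that occupy the wire per frame, which is why small packets are the sizing case that matters. Function names and the sample sizes are my own.

```python
# Firewall sizing helper: relate a packets-per-second (pps) budget to
# throughput, and a link rate to the pps a firewall must sustain.
# Added example, not from the episode; function names are assumptions.

ETH_WIRE_OVERHEAD = 20  # preamble (8 B) + inter-frame gap (12 B) per frame
MBIT = 1_000_000


def throughput_mbps(pps: float, packet_bytes: int) -> float:
    """Megabits/s carried when forwarding `pps` packets of `packet_bytes` each."""
    return pps * packet_bytes * 8 / MBIT


def required_pps(target_mbps: float, packet_bytes: int) -> float:
    """Packets/s a firewall must forward to carry `target_mbps` of
    `packet_bytes`-sized packets."""
    return target_mbps * MBIT / (packet_bytes * 8)


def line_rate_pps(link_mbps: float, frame_bytes: int) -> float:
    """Maximum frames/s a `link_mbps` link can deliver for `frame_bytes`-byte
    Ethernet frames, counting the preamble and inter-frame gap on the wire."""
    return link_mbps * MBIT / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)


def sizing_table(pps_budget: float, link_mbps: float, sizes=(64, 100, 512, 1500)):
    """For each packet size: throughput reachable at the pps budget (capped at
    the link rate) and whether the budget keeps up with the link at line rate."""
    rows = []
    for size in sizes:
        achievable = throughput_mbps(pps_budget, size)
        needed = line_rate_pps(link_mbps, size)
        rows.append({
            "bytes": size,
            "mbps_at_budget": round(min(achievable, link_mbps), 1),
            "line_rate_pps": round(needed),
            "budget_covers_line_rate": pps_budget >= needed,
        })
    return rows


if __name__ == "__main__":
    # The host's figures: 500,000 pps of 100-byte packets ~ 400 Mbit/s.
    print(throughput_mbps(500_000, 100))
    # A 1 Mpps box on a 1 Gbit/s WAN: fine for large packets, short for small ones.
    for row in sizing_table(1_000_000, 1000):
        print(row)
```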
So, a small form factor workstation like an HP Z240. That's going to allow you to deploy a four-core, eight-thread Xeon processor, 32 gigabytes of RAM, and two PCIe x16 slots with either x16 or x8 connectivity. With just that alone, you'll be able to well surpass the one million packets per second by having a one gigabit connection on board and then deploying a low-profile two-port 10 gigabit SFP+ NIC in there. That's it. You will have the ability to do a lot more than you could with a USG3, and you would have saved about five, even seven hundred dollars by opting out of purchasing an XG or other high-end dedicated hardware. So the most important part about this is the SFF option, the small form factor option. You want something that's small that's going to live inside of a network closet or someplace where it's going to run 24 by 7. You want this thing to be able to stay cool on its own, with some fans running on it. You want this to have the ability to run a Xeon processor. With Xeon processors you have low clock rates, 2.3 to maybe even 3.0 if you spend some big dollars on the CPU, but at least you get four cores, eight threads out of the thing most of the time. You could even go cheaper and go Core i3, Core i4, Core i5, Core i7, and these are all going to be fourth generation, Ivy Bridge processors. So those things are out there for less than a hundred bucks sometimes. With 32 gigabytes of RAM, you've got plenty of RAM to do whatever you want with this dedicated firewall hardware. And you have at least four slots to load up three and a half inch drives.
If you want, you can even purchase PCIe adapters that allow you to plug in an NVMe drive, which will be a fantastic solution to speed up your storage. In the end, you have a dedicated system for your firewall that has 10G connectivity, or even four by one gig, you can deploy multiple one gig NICs, whatever flavor of connectivity you want, you can deploy here. In the end, you can have well past the one million packets per second, you can enable almost all the features available on pfSense or Sophos XG, and this will be a very great piece of equipment to have on your network, allowing you to freely do whatever you want by utilizing that one gigabit WAN uplink.

So, to circle all the way around to the intro and my Windows discussion: one thing I have done is that I've actually migrated from a dedicated firewall system to a virtualized firewall system. What I've done is I've taken a small form factor PC, like an HP Z240, paid 150 bucks for the thing or whatever it was on eBay at the time, loaded up some RAM, loaded up a decent Xeon CPU, put a hard drive in there and installed a hypervisor. After I installed the hypervisor, from there I was able to deploy firewalls as VMs. By deploying the firewall as a VM, I do lose some performance, but nothing that I'm going to notice with my one gigabit WAN uplink. What I've gained out of all this is the freedom to run multiple firewall operating systems on the same dedicated hardware. I've been able to switch between firewalls, load balance between firewalls, do performance tests against firewalls, do comparison tests, deploy pfSense as a VM here and Sophos XG on another VM there, and just swing the WAN uplink over virtually using the virtual switch in the hypervisor.
And boom, in seconds I'm connected to a pfSense box with all my brand new security policies or firewall policies. And oops, looks like I messed something up, swing it back, and boom, I'm back on my Sophos XG running my network. So by virtualizing the firewall and treating it as a service to my environment, and removing it as a dedicated operating system, I've been able to leverage this small form factor system to not only do firewall testing, but to do all sorts of other testing, and I found that to be a huge benefit in my environment. Okay. Well, I'm going to post this up now in Audacity, clean it up, add some intros and outros to it. But I do encourage everyone to continue uploading, continue discussing what you're doing and what you're getting yourself into. I hope this was of some help, I hope this was some useful information that different people can take with them and use for whatever projects they have planned. I appreciate your time listening. You all have a great one. And until next time, I hope it's not going to be 2000 days later, but I'll try to upload something again soon. Until next time, everybody, take care and have a good one.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself.
Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.