
      Upcoming Changes Related to Network Infrastructure Upgrades


      Updated, by Linode



      Throughout 2022, Linode is rolling out networking infrastructure upgrades to all of our existing data centers. These upgrades increase the stability and resiliency of our already reliable network. It also enables us to bring features, such as VLAN and IP Sharing, to every data center.

      For most customers, these upgrades are performed seamlessly behind the scenes. For customers that use certain features, such as IP Sharing and /116 IPv6 pools, there may be some changes that impact your current configuration. This document outlines what is changing, what data centers are impacted, and what, if anything, you may need to do in order to prepare for these upcoming changes.

      What’s New?

      • IP Sharing (IP failover) availability: The IP Sharing feature, as it exists prior to these upgrades, enables IP failover for public IPv4 addresses in select data centers. After the upgrades have been completed, this feature will be expanded to all data centers and will also support IPv6 routed ranges (/64 and /56). See our Configuring IP Failover on a Compute Instance guide to learn more about configuring IP failover.

      • VLAN availability:
        VLANs, which enable private layer 2 networking, will be launched across all data centers soon after the network upgrades have occurred.

      What’s Changing?

      The following is a list of breaking changes and any action that may be required if you are impacted by that change:

      • Deprecation of IPv6 /116 pools: /116 pools will no longer be provided to new Compute Instances. Existing /116 pools will be removed from Compute Instances when the data center is undergoing upgrades.

        Action: If you are using /116 for IPv6 failover, consider using an IPv6 /64 instead.

      • IP failover through BGP: IP failover (IP Sharing) for public IPv4 addresses and IPv6 routed ranges will be facilitated through BGP instead of ARP (configured through keepalived).

        Action: If you have previously configured IP failover for a public IPv4 address, review the Configuring IP Failover on a Compute Instance guide to learn more about configuring IP failover using BGP. You can configure BGP ahead of time, but will not be able to test or use the configuration until after the network upgrades have been completed.

      Which Data Centers Have Been Upgraded?

      Review the table below to learn which data centers have been upgraded with the latest network enhancements.

      Data center                  Upgrade status
      Atlanta (Georgia, USA)       Coming soon
      Dallas (Texas, USA)          Coming soon
      Frankfurt (Germany)          Complete
      Fremont (California, USA)    Coming soon
      London (United Kingdom)      Complete
      Mumbai (India)               Complete
      Newark (New Jersey, USA)     Complete
      Singapore                    Complete
      Sydney (Australia)           Coming soon
      Tokyo (Japan)                Coming soon
      Toronto (Canada)             Coming soon

      A status of complete indicates that all new Compute Instances (and most existing instances) are located on fully upgraded hardware. Compute Instances using legacy features, such as ARP-based failover and /116 ranges, may still be located on hardware that hasn’t yet been upgraded. These customers have been notified and a migration timeline has been shared.

      What Action is Required?

      • Migration of Compute Instances: Once a data center has started the network infrastructure upgrades, live migrations will be scheduled for all Compute Instances that do not reside on upgraded hardware. This live migration will occur while your Compute Instance is powered on and operating normally. After the migration has been successfully completed, there may be a brief period of downtime while the Compute Instance is rebooted.

      • Update IP failover configuration: If you have configured IP failover for a public IPv4 address, review the Configuring IP Failover on a Compute Instance guide to learn more about configuring IP failover using BGP. If you were using a now deprecated IPv6 /116 pool for IP failover, consider using an IPv6 /64 range instead. You can configure BGP ahead of time, but will not be able to test or use the configuration until after your Compute Instances are migrated to upgraded hardware.
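Both the /116 deprecation under "What's Changing?" and the failover action item above reduce to one question: is any global IPv6 address on the instance configured out of a /116 pool? The script below is an added example, not Linode's tooling and not part of the original guide. It parses `ip -6 addr show` output (a constructed sample using documentation-range addresses is embedded) and classifies each global address by prefix length: /116 is flagged as deprecated and /64 or /56 as the supported routed-range sizes named above. Marking any other prefix length as "review" is this script's own assumption, not a statement from the guide.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (not captured from a real
# Linode instance); the addresses come from the 2001:db8::/32 documentation range.
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:ffff:1::1000/116 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever
"""

# One "inet6 <addr>/<plen> scope <scope> ..." line per configured address.
INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\S+)")

# Prefix lengths the guide names as supported for IPv6 failover after the upgrade.
SUPPORTED_FAILOVER_PREFIXES = (64, 56)
DEPRECATED_PREFIX = 116


def parse_inet6(text):
    """Return (IPv6Interface, scope) tuples from `ip -6 addr` output."""
    found = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if m:
            found.append((ipaddress.IPv6Interface(m.group(1)), m.group(2)))
    return found


def audit_failover_ranges(text):
    """Classify each global IPv6 address as deprecated (/116), supported (/64, /56)
    or review (anything else; this script's own assumption)."""
    report = []
    for iface, scope in parse_inet6(text):
        if scope != "global":          # link-local addresses are never failover ranges
            continue
        plen = iface.network.prefixlen
        if plen == DEPRECATED_PREFIX:
            status = "deprecated"
        elif plen in SUPPORTED_FAILOVER_PREFIXES:
            status = "supported"
        else:
            status = "review"
        report.append((str(iface), plen, status))
    return report


def needs_action(report):
    """True when at least one address still comes from a /116 pool."""
    return any(status == "deprecated" for _, _, status in report)


if __name__ == "__main__":
    result = audit_failover_ranges(SAMPLE_IP6_ADDR)
    for addr, plen, status in result:
        print(f"{addr:32} /{plen:<4} {status}")
    if needs_action(result):
        print("action: move IPv6 failover from the /116 pool to a /64 routed range")
```

On a live instance, feed the script the real output of `ip -6 addr show` instead of the embedded sample; the parser only needs the `inet6 ... scope ...` lines, so extra fields such as `dynamic` or `mngtmpaddr` after the scope are ignored.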

      This page was originally published on




      How to Use a Content Delivery Network (CDN) with WordPress


      The world is moving faster than ever, and that means your website needs to keep up. No matter where you are in the world, chances are your users are scattered across the globe. For that reason, you need to make sure that your site is capable of performing quickly, regardless of geographic location.

      One way you can keep your site’s speed and performance consistent is by using a Content Delivery Network (CDN). A CDN is a network of remote servers spread worldwide, each of which contains a copy of your site that visitors can access. Not only will this setup make your site faster, but it can also help to secure it and reduce your bandwidth usage.

      What is a Content Delivery Network (CDN)?

      Cloudflare performance chart

      A Content Delivery Network (CDN) is a system of multiple servers that are placed in different locations around the world. When you use a CDN with your site, all those servers will be loaded with static versions of your files. These usually include code like CSS and JavaScript, images, documents, videos, and other data.

      While the two may seem similar, it’s important to recognize that a CDN is not the same thing as a web host. Your host is the server where your site ‘lives’, and it is sometimes called the ‘origin server.’ The CDN servers simply copy static files from your origin server to deliver them to your visitors more quickly.

      The Benefits of Using a CDN with Your WordPress Website

      Sucuri CDN performance chart

      Normally, when a user visits your site, they connect directly to the origin server through their browser and download all the necessary files from there. However, this process can lead to problems for users who are located far away from the origin server. This distance can cause significantly longer loading times.

      Your site’s speed can negatively affect its bounce rates, which can, in turn, be catastrophic for your conversions. Therefore, this is not a small issue. Since all visitors are requesting the same files from one server, you may even experience more downtime.

      That’s where a CDN comes in handy. When you use a CDN, visitors will instead connect to your site via the server closest to them. That way, your pages load much faster and will cause less strain on your origin server.

      Using a CDN also:

      • Makes your site more crash-resistant. If one CDN server goes down, the site will simply load from another. This setup enables your website to handle more traffic.
      • Improves the user experience. The fact that your site is effectively spread across the globe creates a more consistent experience for all visitors.
      • Improves your SEO rankings. A site’s speed is factored into its search engine rankings, so speeding it up makes it more likely to appear higher in search results.
      • Reduces bandwidth usage. Since your origin server doesn’t need to send as much data to each visitor, you minimize the amount of bandwidth used.
      • Helps protect against basic attacks. A CDN is designed to cope with large amounts of traffic, which helps against the most common types of malicious activity, such as Distributed Denial of Service (DDoS) attacks.

      As you can see, using a CDN can help improve a lot more than just your site’s speed and reliability. The only question left is how to get started. Let’s now take a look at some of the best CDN solutions you can implement on your WordPress site.


      9 Excellent CDN Solutions for WordPress

      Once you’ve decided to implement a CDN, you just need to find the solution that best suits your requirements. Here are 9 CDN solutions you can use alongside your WordPress site.

      Don’t forget that you can also improve your site’s speed by opting for a hosting plan that’s fully optimized for WordPress, such as our DreamPress service!

      1. Cloudflare


      Cloudflare is an immensely popular CDN solution for WordPress. Not only does it have over 275 data centers, but it’s also one of the few CDN providers that offer a free plan. This makes it a smart option for site owners who want a reliable solution that’s also simple to implement.

      Getting Cloudflare running on a WordPress site is as easy as installing the Cloudflare plugin and creating a free account. You can then activate the default settings, and you’re good to go.

      Key Features

      • Easy to use alongside a WordPress website, with minimal configuration required
      • Automatically empties your cache when you update the site
      • Includes a Web Application Firewall (WAF) on all premium plans

      Pricing: Cloudflare is free to use but also offers several premium plans that start at $20/month. These include additional site services, such as image optimization, increased security, and prioritized support.

      2. Site Accelerator by Jetpack


      Jetpack is one of the most comprehensive and popular WordPress plugins out there. However, you might not know that it also contains a neat little CDN solution called Site Accelerator. This CDN serves all your images from a cloud network to optimize your site’s speed. It also optimizes and serves static files such as CSS and JavaScript.

      Key Features

      • Requires no configuration
      • Automatically applies to all images and static files in your pages and posts
      • Improves performance, particularly on sites with many images

      Pricing: Site Accelerator is included with Jetpack. You can simply install the plugin for free and activate it on your website. Even better, if you’re a DreamPress Plus or Advanced user, you get Jetpack Pro (and all its top-notch, premium features) included with your hosting account for free.

      3. StackPath


      StackPath is one of the most secure CDN solutions available. All plans include a firewall, as well as protection against DDoS attacks and request overloads. The developer tools enable additional configuration and provide access to real-time information about your site’s performance.

      Implementing StackPath’s CDN with WordPress can be done using one of several plugins, including WP Super Cache and Hyper Cache.

      Key Features

      • Offers excellent security features, including two-step authentication and a firewall
      • Enables developers to integrate their apps and websites
      • Includes real-time traffic analytics

      Pricing: StackPath offers a 15-day free trial when you sign up. After that, you can subscribe to one of its premium plans. While StackPath doesn’t currently list prices on its website, you can easily contact the sales department to inquire about rates and request a demo.

      4. MetaCDN


      MetaCDN is specially tailored for sites that feature videos and live streaming. With over 120 servers, it offers fast speeds and solid performance. Some of the premium plans also use a multi-CDN structure, which combines several CDN networks into one for even better performance. To integrate MetaCDN into WordPress, you must use the W3 Total Cache plugin.

      Key Features

      • Ideal for sites containing videos and live streams
      • Offers improved performance through a multi-CDN structure
      • Rolls over unused credits to the next month

      Pricing: MetaCDN offers a 7-day free trial that includes all of its features. You can then continue with one of its three premium plans, which can be paid either monthly or annually.

      5. Google Cloud CDN


      Google Cloud CDN is the bespoke solution for websites hosted by Google Cloud. The Cloud CDN is seamlessly integrated into all sites hosted on this platform, so minimal configuration is required. This solution offers solid, reliable performance, as well as incorporated security measures.

      To use Google Cloud CDN, you must install WordPress on the Google Cloud Platform. You can then enable CDN functionality using the Cloud Platform’s interface.

      Key Features

      • Automatically integrated into the Google Cloud Platform
      • Offers SSL certification at no additional cost
      • Ensures that your site maintains the same IP address without requiring regional DNS

      Pricing: Google offers a free trial that requires a credit card, but it won’t automatically charge you when the trial ends.

      6. Microsoft Azure CDN


      Microsoft Azure CDN is part of the Azure platform, which also offers cloud computing, security, and analytics tools. Azure optimizes your files and offers advanced caching functionality to make your site faster and more reliable.

      You can connect Azure CDN to WordPress by first using the Azure App. The CDN can then be implemented using a caching plugin, such as CDN Enabler or WP Super Cache.

      Key Features

      • Provides a solid choice for sites that offer streaming video and remote computing
      • Suits both beginners and advanced users
      • Offers two networks: Akamai and Verizon

      Pricing: Azure offers a 30-day free trial. The premium plans range from pay-as-you-go subscriptions to enterprise agreements.

      7. Sucuri


      Sucuri boasts impressive results, promising to make your site, on average, 70% faster after implementation. It also provides on-site security measures, such as malware cleaning and security alerts. These are useful features, although they may not be necessary depending on your web host (DreamHost plans come with a built-in firewall, for example).

      To activate the Sucuri platform, you need to use the DNS Manager. There you can add your details to activate your firewall and CDN.

      Key Features

      • Protects against spam, malware, and attacks
      • Integrates into your existing CDN provider
      • Requires no installation and provides help when setting it up

      Pricing: Sucuri offers two premium plans, starting from $9.99/month. Additional security plans start at $199.99/year.

      8. KeyCDN


      KeyCDN is another solid option that integrates easily into WordPress. Its servers are placed worldwide and use only SSD, which improves performance and shortens loading times.

      KeyCDN’s payment plans are also based on what you use, which can be handy to avoid paying more than you need. You can integrate KeyCDN into WordPress using the free CDN Enabler plugin.

      Key Features

      • Uses only SSD servers for excellent performance
      • Includes free SSL and HTTP/2 support
      • Instantly empties your cache when the site is updated

      Pricing: KeyCDN offers a free trial. Its pricing plans include pay-as-you-go subscriptions that start at $0.04 per GB. It also offers a price calculator, enabling you to get a quote.

      9. Amazon CloudFront


      Amazon CloudFront is one of the most prominent CDN options available and is famously used by both Spotify and Slack. Its global network and security services help ensure that your site is fast and safe. It also offers full integration with its other AWS services.

      CloudFront can be integrated into WordPress using a caching plugin like WP Super Cache. You can also use the WP Offload S3 plugin to move your existing library into Amazon S3 and deliver it via CloudFront.

      Key Features

      • Provides trusted and reliable service
      • Includes full integration with all other AWS services
      • Offers 12 months of free usage

      Pricing: AWS offers a free tier that includes 12 months of free CloudFront usage. The premium plans for CloudFront are pay-as-you-go, with prices that depend on your location. For the United States, the prices start at $0.085 per GB.

      Speed Up Your WordPress Site

      Keeping your site fast and secure is paramount. You need to make sure that no matter where your users are located, they can access your website quickly. Using a Content Delivery Network (CDN) is a simple and affordable way to accomplish this while also helping to keep your site secure.


      Troubleshooting Network Issues – IPv4 and IPv6


      A successful internet circuit from host-to-host usually involves many components: from an application in one host, to an application in the desired target host. This tutorial covers troubleshooting connectivity between apps, and their hosts, whether over IPv4, IPv6, or an IPv6 tunnel over IPv4.

      Applications are usually chained to the network stack and capabilities of the host, therefore troubleshooting communications requires troubleshooting through the layers of the ISO OSI stack: through the host network communications layers, through the network interface card, then along the network path, through gateways, routers, and switches, until it meets the target host.

      A working connection involves a working electrical circuit, correct host protocol information, correctly supplied information from local hosts, and verification that the local host’s network stack works. Proxies can make troubleshooting more complex because you must use application-specific techniques, so they are not covered in detail.

      Troubleshooting IPv4 versus IPv6 stacks differs less now than it used to. Major operating systems treat them equally, often as parallel stacks. Troubleshooting IPv4 and/or IPv6 involves testing those parallel stacks using parallel and common tools.

      Modern operating systems come with a handful of useful basic commands for the network communications software stack. Windows, macOS, and Linux already have common Unix-like network troubleshooting commands built-in, and other cross-platform testing tools are available to download.

      Troubleshooting Stack Configuration

      To start, you need to ensure you have power. Verify your electrical connection to the first router/switch/gateway leading to the rest of your network or internet.

      Wired Ethernet

      Wired Ethernet connections are generally on the back of the host and router/switch/gateway. Working cable connections are indicated by illuminated LEDs on the Ethernet jacks. For gigabit speeds, both LEDs on the cable jack should be lit, while a single lit LED indicates a 100 Mbps connection. The jack on the connected router/switch must also be lit. If the LEDs are not lit, you have no connection and the circuit is broken. This can result from bad cables, bad jacks, wrong or incorrectly wired cables, and electrically dead jacks or routers.

      WiFi

      Where a WiFi connection is used, examine the local host to verify the status of the cable or WiFi connection. The connection must be alive and working according to the host desiring connection. Working WiFi supplicant verification is made either in the host in question, or through the WiFi router administration software.

      Once the electrical circuit and/or WiFi connections are verified, the host software stack becomes the second step in the troubleshooting procedure.

      Network Software Stack

      Next, check host protocol adherence. The basic IPv4 and IPv6 addressing scheme must match the needs of the next downstream device (router/gateway/switch/hub). At minimum, there must be a routable address, a correct network mask, and a gateway address (next hop of a router/gateway/switch that can forward packets). Most network stacks require a reachable DNS IP address or a DNS Fully Qualified Domain Name (FQDN) whose IPv4 and/or IPv6 address can be reached from the host.

      The boot process requires one of three types of suppliers of compliant address information. The first is a user/administrator-supplied static address that is permanent for the host (for fixed installations). The second supplier can be through proxy software, such as Mobile Device Management (MDM) like Microsoft’s Intune or IBM’s Maas360, or other proxy software that automates control of the host IP address. The third and most common supplier of addresses comes from the Dynamic Host Configuration Protocol (DHCP).

      DHCP Troubleshooting

      DHCP clients are configured to receive their IPv4/IPv6-compliant address through the DHCP protocol from a downstream host. If the DHCP address server is offline, a usable address for the host network stack is not available until the working DHCP server is re-contacted by the DHCP client.

      The DHCP address must be delivered within an IPv4/IPv6 range that permits the host address to be routed through the next gateway/switch/router to other downstream gateways, then on to the Internet (or the target host if on a local or private network). Many hosts that fail to obtain a DHCP address substitute an IPv4 address in the 169.XXX.XXX.XXX range, which is used for point-to-point, machine-to-machine connections not involving gateways.

      Note

      A DHCP server may also consult a RADIUS server for information, but become unusable if the RADIUS server cannot be found. DHCP and RADIUS servers can be combined in the same device, and serve as combined proxy authentication (RADIUS) and supplicant provider (DHCP) when confirming network addresses and credentials.

      If a Linode host requests a DHCP address, it receives an IPv4 and IPv6 address from a pool depending on where the host node is located. If a network host receives DHCP host addresses in the 169.XXX.XXX.XXX range, this indicates that the DHCP server did not supply an address correctly, and communications to the required DHCP server must be tested.

      When an IPv4/IPv6-compliant address is delivered to a requesting host, this address is not considered static. Most DHCP addresses are automatically renewed every 90 days, so applications that depend on that IP address are at risk when the address is renewed. If a host that held a leased address has been unavailable and is re-introduced to the network, the DHCP server delivers the next available address in its pool, which may differ from the previous one.

      DHCP servers test an address before leasing it to a DHCP client. However, users on the same local network may have been assigned a static address within the DHCP range. This causes a conflict because each address must be unique. Duplicate IP addresses cause each host with the same address to receive errors. To fix this, flush the Address Resolution Protocol (ARP) cache on each host assigned a duplicate address, as well as the cache on the DHCP server.

      Information delivered by DHCP servers can overwrite default settings, including the default/preferred DNS server. Errors ensue if the default/preferred DNS server contains unique information needed by the requesting host (which has now been supplied with the wrong DNS server). Users in a home environment can name a DNS server that conflicts with, or cannot resolve names within, a local network. Administrative procedures must ensure that local organizational DNS servers take priority, or are listed as the first nameserver/DNS host.

      Host Network Stacks

      Even when the electrical circuit is verified, and the host has an IPv4/IPv6 client address, gateway/router/switch address, and DNS, other trouble may exist in the local host network software stack. Numerous shims can be placed in the stack that perform different steps, such as a VPN, authentication, proxies, unique or settings-specific protocols, and other services that impact network use.

      The host network stack is the currently defined and configured list of settings required to make the host a member of a network. These settings include:

      • Valid network address within the range that can be routed by the next downstream device with a correct network mask, which enables the downstream device to correctly address it.
      • Media Access Control (MAC) address that is unique for that subnet.
      • Gateway address for the downstream device to be a target of packets for routing.
      • DNS address, either user/administrator-controlled or delivered from the DHCP protocol, if not defined locally.
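The settings in this list can be sanity-checked before anything further up the stack is touched. The script below is an added example rather than the guide's own procedure: using Python's standard `ipaddress` module, it checks that the host address is not the link-local fallback the DHCP section describes (169.254.0.0/16, the range the guide writes as 169.XXX.XXX.XXX), that the address is a usable host address, that the gateway is in the same address family and on-link (an IPv6 link-local gateway such as fe80::1 is accepted, since routers commonly advertise that), and that at least one resolver address is configured. All input values in the usage are constructed documentation-range addresses; the MAC uniqueness item is out of scope because it needs the neighbours' addresses, not the host's own settings.

```python
import ipaddress

# Range Windows/macOS/Linux fall back to when DHCP fails (the guide writes it
# as 169.XXX.XXX.XXX); such an address cannot be routed through a gateway.
IPV4_LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def check_host_stack(address, gateway, dns_servers):
    """Sanity-check the minimum host stack settings for one interface.

    address      interface address with prefix length, e.g. "192.0.2.10/24"
                 or "2001:db8::10/64"
    gateway      next-hop address the downstream router/gateway answers on
    dns_servers  list of resolver addresses (may be empty)

    Returns a list of problem descriptions; an empty list means the basics are
    consistent and the next step is to test the circuit with ping.
    """
    problems = []
    try:
        iface = ipaddress.ip_interface(address)
    except ValueError:
        return [f"{address!r} is not a valid address/prefix"]
    net = iface.network

    # Addresses that a failed DHCP exchange leaves behind.
    if iface.version == 4 and iface.ip in IPV4_LINK_LOCAL:
        problems.append(f"{iface.ip} is a link-local fallback: DHCP did not supply an address")
    if iface.version == 6 and iface.ip.is_link_local:
        problems.append(f"{iface.ip} is link-local only: no routable IPv6 address was assigned")

    # The IPv4 network and broadcast addresses are not host addresses (a /31
    # point-to-point link has neither, hence the num_addresses guard).
    if iface.version == 4 and net.num_addresses > 2 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    # The gateway must be the same family and reachable on-link, or packets
    # can never leave the subnet.
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        problems.append(f"gateway {gateway!r} is not a valid address")
    else:
        if gw.version != iface.version:
            problems.append(f"gateway {gw} is IPv{gw.version} but the host address is IPv{iface.version}")
        elif gw == iface.ip:
            problems.append("gateway is the host's own address")
        elif gw not in net and not (gw.version == 6 and gw.is_link_local):
            problems.append(f"gateway {gw} is outside {net}: next hop is not on-link")

    # Name resolution needs at least one resolver that is itself an IP address.
    if not dns_servers:
        problems.append("no DNS server configured")
    for d in dns_servers:
        try:
            ipaddress.ip_address(d)
        except ValueError:
            problems.append(f"DNS entry {d!r} is not an IP address")
    return problems


if __name__ == "__main__":
    # Constructed examples: a healthy IPv4 host, a healthy IPv6 host, and a
    # host that fell back to a link-local address with no resolver.
    for args in (
        ("192.0.2.10/24", "192.0.2.1", ["192.0.2.53"]),
        ("2001:db8::10/64", "fe80::1", ["2001:db8::53"]),
        ("169.254.33.7/16", "169.254.0.1", []),
    ):
        print(args[0], "->", check_host_stack(*args) or "ok")
```

The on-link rule for the gateway assumes the conventional broadcast-subnet setup; some hosting environments deliberately use a /32 host address with an off-link gateway and a static route, and those will be reported here even though they work.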

      There may be several software drivers in the stack, for example those needed for VPNs, special protocols, the network card driver, and others.

      Troubleshooting the stack may require removing all but the base network address information and hardware driver. This minimal stack must work before other components are added. To verify the integrity of the stack, add services back one-at-a-time and test each new component until a culprit is found. Troubleshooting network stacks requires revealing stack settings for the network hardware in use. Keep in mind there are multiple hardware items in a host, and each has a network stack that controls it.

      All hosts display their stack when administratively accessed settings are chosen. This includes third-party network stack software insertions.

      Revealing The Stack In Windows

      GUI: Right-click the network/WiFi icon on the taskbar.

      CLI: ipconfig

      Revealing The Stack In macOS

      GUI: Click the network/WiFi icon and choose Settings, or go to Apple -> System Preferences -> Network.

      CLI: ifconfig

      Revealing The Stack In Linux

      GUI: Open Network-Manager, or right click the network/WiFi icon

      CLI: ifconfig, ip, or the systemd-networkd configuration

      If a Linux instance hosted in Linode needs its network stack revealed, the systemd commands are used.

      Windows, macOS, and Linux hosts all contain the ping command, which uses ICMP messaging, a different protocol than TCP or UDP. Pinging a host reveals if a circuit is complete, indicated by a reply to the ping. A few missing replies means there is latency, jitter, congestion, and/or other intermittent connection characteristics.

      The usual syntax of the ping command line tool is:

      ping <hostname or IP>
      

      If a route to a DNS server, resolver, or local hosts file isn’t present, ping fails where a fully qualified hostname has been used. If ping can find the hostname through a resolver, it uses the resolved IP address as its target. If hostname resolution is unavailable, ping the host’s IP address directly. If there is a reply from the host by IP address only, name resolution has failed, which is a DNS problem. If it’s successful, then the circuit path is good. Ping can show intermediate response slowdowns. The Windows version only shows four replies, but other versions show replies until the program is forced to stop with CTRL-C. Vast differences in response times point to network congestion between the hosts, router latencies, jitter, and/or other circuit problems.
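To make the "a few missing replies" and "vast differences in response times" observations above concrete, here is an added example (not from the guide) that parses the text output of ping as printed by Linux/macOS and by Windows, both embedded below as constructed samples, and reports replies, losses, RTT spread and jitter (the mean change between consecutive replies). The ratio used to flag a large RTT spread is this example's own assumption; the guide gives no figure.

```python
import re
import statistics

# Constructed ping output (not captured from a real host). The Linux/macOS
# sample is missing icmp_seq=3 and has one slow reply; the Windows sample
# contains one "Request timed out." line.
LINUX_PING = """\
PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.
64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=1.21 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=1.18 ms
64 bytes from 192.0.2.1: icmp_seq=4 ttl=64 time=48.7 ms
64 bytes from 192.0.2.1: icmp_seq=5 ttl=64 time=1.25 ms
"""

WINDOWS_PING = """\
Pinging 192.0.2.1 with 32 bytes of data:
Reply from 192.0.2.1: bytes=32 time<1ms TTL=64
Reply from 192.0.2.1: bytes=32 time=2ms TTL=64
Request timed out.
Reply from 192.0.2.1: bytes=32 time=1ms TTL=64
Reply from 192.0.2.1: bytes=32 time=1ms TTL=64
"""

SEQ_RE = re.compile(r"icmp_seq=(\d+)")
# "time=1.21 ms" (Linux/macOS) or "time=2ms" / "time<1ms" (Windows); "<1ms"
# is recorded as 1.0 ms, its upper bound.
RTT_RE = re.compile(r"time[=<](\d+(?:\.\d+)?)\s*ms")

# max/min RTT ratio above which the spread is reported (this example's own
# threshold, not a figure from the guide).
SPREAD_RATIO = 10.0


def analyze_ping(text):
    """Summarise a ping run: reply count, losses, RTT statistics and findings."""
    rtts, seqs, timeouts = [], [], 0
    for line in text.splitlines():
        m = RTT_RE.search(line)
        if m:
            rtts.append(float(m.group(1)))
            s = SEQ_RE.search(line)
            if s:
                seqs.append(int(s.group(1)))
        elif "Request timed out" in line:
            timeouts += 1

    # Loss = explicit timeouts (Windows) + gaps in the sequence numbers
    # (Linux/macOS). Probes lost at the very end leave no trace in either.
    lost = timeouts + (max(seqs) - len(seqs) if seqs else 0)
    result = {"replies": len(rtts), "lost": lost, "findings": []}

    if rtts:
        result["min_ms"] = min(rtts)
        result["max_ms"] = max(rtts)
        result["avg_ms"] = statistics.fmean(rtts)
        diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
        result["jitter_ms"] = statistics.fmean(diffs) if diffs else 0.0

    if lost:
        result["findings"].append(f"packet loss: {lost} probe(s) got no reply")
    if rtts and result["max_ms"] > SPREAD_RATIO * result["min_ms"]:
        result["findings"].append("large RTT spread: congestion, router latency or jitter on the path")
    if not rtts:
        result["findings"].append("no replies: circuit incomplete, host down or ICMP filtered")
    if not result["findings"]:
        result["findings"].append("replies consistent: circuit path looks good")
    return result


if __name__ == "__main__":
    for label, sample in (("linux", LINUX_PING), ("windows", WINDOWS_PING)):
        r = analyze_ping(sample)
        print(label, {k: v for k, v in r.items() if k != "findings"})
        for f in r["findings"]:
            print("  -", f)
```

Because ICMP may be filtered by a firewall on the path, "no replies" on its own does not prove the circuit is broken; confirm with a reply by IP address as the text above describes before treating it as a DNS or circuit fault.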

      The Windows native command line tool tracert, or traceroute in macOS and Linux, traces each host/gateway/router between two hosts. A better, downloadable cross-platform command line tool, mtr (the Windows Version is called WinMTR), performs an interactive traceroute that reveals jitter and latency between two hosts.

      Wireshark

      The Wireshark application is a protocol analyzer that works on Windows, macOS, and Linux. Most commonly used in a GUI, Wireshark captures network traffic seen by a host’s port. The captured traffic is analyzed to determine problems between hosts, and measure traffic on the local routable network.

      Wireshark requires hardware configurations to have full access to a desired network port on a host. Traffic can be viewed in real-time, or captured and analyzed for host pairing of conversations among hosts, and specific protocol analysis. It also permits decrypting IPsec and TLS.

      Firewalls and Other Network Traffic Controllers

      Windows, macOS, and Linux each have stateful firewalls. With exceptions for several standard traffic types, by default, they block all inbound traffic unless an outbound connection has been established to an external host. Each of these operating systems can have optional applications installed as traffic controllers, acting as a secondary firewall. These applications can change firewall settings and increase the complexity of troubleshooting networks.

      In Windows desktop and server editions, Control Panel -> System and Security -> Windows Defender Firewall, lets you examine blocked and permitted ports as well as settings for an Active Directory Domain, Private, and Public context.

      The macOS Firewall is turned off by default, but can be turned on, and viewed through Apple -> System Preferences -> Security and Privacy -> Firewall -> Firewall Options.

      Linux firewall primitives are in the Linux kernel, called netfilter. Netfilter control is provided by iptables, the ufw wrapper to iptables, or firewalld. Like Windows and macOS, Linux distros use a variety of added firewall products, which may or may not be chained to the default iptables (or its update, nftables).

      Third party firewalls on Windows, macOS, and Linux may use different commands, and troubleshooting them is vendor/version-specific.

      Additional network traffic control can be asserted to a host by third party software, typically a directory domain threading system such as Microsoft’s Active Directory, or MDM applications.

      Firewall Programming and Table Insertion

      Firewalls admit or deny host traffic for its protection. Troubleshooting firewalls requires knowing the network traffic types, addresses, and protocols needed by the host, as all others should be denied.

      Firewalls block or admit traffic into a host based on rules. A host usually has a default set of rules that can be user-modified, or inherited from proxy control or other tables of rules. Firewall rules tables must all be administratively protected.

      Depending on the firewall’s rules and any added proxy control employed, rules files may be imported into the firewall when it loads, from a local or proxy agent. These modified rules may permit altering, blocking, admitting, routing, and other movements of network traffic through the host’s network interface(s).

      Once sure you have a working network electrical circuit and a correct client network stack, look for apparent blockages caused by firewall rule errors, rule overreach, and/or limitations imposed on one IP protocol but not the other. Both IPv4 and IPv6 rules should be comparable for the same communications path desired.
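The requirement that IPv4 and IPv6 rules be comparable for the same communications path can be checked mechanically. The following added example (not part of the guide, and not a tool from any firewall vendor) parses output in the format of `iptables -S` and `ip6tables -S`, embedded below as constructed samples, and reports chain policies that differ between the two families and rules present in only one of them, treating `icmp` and `ipv6-icmp` as family equivalents. The samples are built to show both kinds of asymmetry named above: port 443 is open only on IPv4 (a limitation imposed on one protocol but not the other), and the IPv6 INPUT policy is ACCEPT while IPv4 is DROP (rule overreach on one side).

```python
# Constructed samples in the format printed by `iptables -S` / `ip6tables -S`
# (not captured from a real host). The IPv6 set is intentionally asymmetric.
IPTABLES_V4 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
"""

IPTABLES_V6 = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
"""

# Protocol names that differ between families but mean "this family's ICMP".
FAMILY_EQUIVALENT_PROTOCOLS = {"ipv6-icmp": "icmp", "icmpv6": "icmp"}


def normalize_rule(rule):
    """Rewrite family-specific protocol names so equivalent rules compare equal."""
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if tok == "-p" and i + 1 < len(tokens):
            tokens[i + 1] = FAMILY_EQUIVALENT_PROTOCOLS.get(tokens[i + 1], tokens[i + 1])
    return " ".join(tokens)


def parse_rules(text):
    """Return (policies, rules): chain -> default policy, and the ordered -A rules."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(normalize_rule(line))
    return policies, rules


def compare_families(v4_text, v6_text):
    """Report policy mismatches and rules that exist in only one address family."""
    pol4, rules4 = parse_rules(v4_text)
    pol6, rules6 = parse_rules(v6_text)
    policy_mismatch = [
        (chain, pol4.get(chain), pol6.get(chain))
        for chain in sorted(set(pol4) | set(pol6))
        if pol4.get(chain) != pol6.get(chain)
    ]
    only_v4 = [r for r in rules4 if r not in rules6]
    only_v6 = [r for r in rules6 if r not in rules4]
    return {"policy_mismatch": policy_mismatch, "only_v4": only_v4, "only_v6": only_v6}


def report(v4_text, v6_text):
    """Print a human-readable summary and return the lines printed."""
    result = compare_families(v4_text, v6_text)
    lines = []
    for chain, p4, p6 in result["policy_mismatch"]:
        lines.append(f"policy mismatch on {chain}: IPv4={p4} IPv6={p6}")
    for r in result["only_v4"]:
        lines.append(f"IPv4 only (IPv6 path may be blocked): {r}")
    for r in result["only_v6"]:
        lines.append(f"IPv6 only (IPv4 path may be blocked): {r}")
    if not lines:
        lines.append("rule sets are comparable")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(IPTABLES_V4, IPTABLES_V6)
```

Rules are compared as whole normalized strings, so a rule that differs only in interface name or a nftables-specific match is reported as asymmetric; that is the desired behaviour for a first pass, since the point is to surface every difference and then decide which ones are intentional.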

      Linux

      Linux iptables/nftables, UFW, and firewalld all permit the inclusion of runtime-loaded rules files, which are integrated into the settings directives the host firewall uses. This allows other apps to generate rules by learning from traffic. An example of a learning firewall aid is fail2ban, which bans IP addresses directly in the iptables rules as an included table. The fail2ban app regularly re-writes the iptables rules according to its configuration: it examines traffic, matches offenders that fail its rules, then blocks them specifically in the iptables rules. These rules re-load each time iptables loads, such as when you restart or boot a system, and can prevent iptables from passing traffic until the tables are loaded into the Linux kernel netfilter framework. This delay can look like a network failure, because traffic is blocked until the potentially large tables are loaded into the framework.

      Third Party and Proxy Network Control Troubleshooting

      Proxy control of hosts requires application-specific techniques. Domain control, remote device management, MDM, and Cloud Access Security Brokers can be inserted into almost all modern operating systems as a proxy authenticator, DNS controller, (site) access control list limiter, and general connection blocker. Network access to a specific host by domain, DNS resolution, and/or IP address can be controlled by the proxy. Proxies may prevent local troubleshooting, and by design, proxy control software operations may be masked from scrutiny at the local host.

      When site-to-site communication is blocked unexpectedly, the proxy control software must be tested to determine whether the block is the result of misdirected control by the proxy or of a separate site or service problem.

      Successful proxy control requires a working network path to the proxy controller, which is often located in the cloud, so troubleshooting of proxy control problems likely cannot begin until the proxy is reachable.

      Troubleshooting network control proxy software and its agent/linkage software requires temporarily removing the proxy control. Test whether the proxy stack is delivering incorrect blocks or presenting problems to desired and permitted target sites. If the proxy can be removed and communication then succeeds, the problem lies in the network control proxy software stack. Troubleshooting that stack is usually performed by a trained administrator or network engineer familiar with the specific software.

      Note

      If a proxy control is in the network circuit/stack, standard troubleshooting methods may fail. Only the proxy control vendor’s troubleshooting methods are successful in this case because the proxy controls the network circuits in non-standard ways.

      IPv4 and IPv6 Troubleshooting

      The aforementioned recommended tools and techniques should work with both IPv4 and IPv6 seamlessly. Where separate tools are necessary, an equivalent IPv6-specific tool is often available on modern hosts. The ping6 app, found in some operating systems, exclusively pings IPv6 hosts.

      Depending on the operating system family and version, two separate-but-equal networking stacks (IPv4 and IPv6) share the same network adapter. One stack may pass IPv4 traffic but not IPv6 traffic, or the reverse. When DHCP hands out an address for each protocol, a DNS resolver may be supplied over IPv6 that cannot be reached by an app that can only query IPv4 resolvers, and vice versa. If DHCP delivers a mixture of IPv4 and IPv6, examine both protocols when troubleshooting to complete a network connection successfully.
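      One way to check the resolver mismatch described above in code, as an added example that is not part of Linode’s guide: the script below classifies the nameservers in a resolv.conf and the addresses the host actually holds (parsed from `ip -o addr` output) by IP version, and reports whether an application that only queries one family can resolve names at all. Both inputs are constructed samples, and the `app_families` parameter is a hypothetical way to model an IPv4-only (or IPv6-only) application.

```python
"""Added example: check whether the DNS resolvers a host received (DHCP or
router advertisements) are usable given the address families the host
actually holds. Both inputs are constructed samples, not real host output."""
import ipaddress
import re

# Constructed: resolv.conf on a host where only an IPv6 resolver was supplied.
RESOLV_CONF = """\
# Generated by the DHCP client (sample)
search example.test
nameserver 2001:db8:1::53
options timeout:2
"""

# Constructed: `ip -o addr` on a host that got a global IPv4 lease but only a
# link-local IPv6 address (no SLAAC or DHCPv6 global address arrived).
IP_O_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\\       valid_lft 86391sec preferred_lft 86391sec
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \\       valid_lft forever preferred_lft forever
"""

ADDR_RE = re.compile(r"\s(inet6?)\s(\S+)\s.*?scope\s(\S+)")


def resolvers(resolv_conf):
    """Nameserver addresses from resolv.conf, grouped by IP version."""
    found = {4: [], 6: []}
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            # Drop a %scope suffix such as fe80::1%eth0 before parsing.
            addr = ipaddress.ip_address(parts[1].split("%")[0])
            found[addr.version].append(addr)
    return found


def global_addresses(ip_o_addr):
    """Global-scope addresses per IP version from `ip -o addr` output. Loopback
    and link-local entries are skipped: they cannot reach an off-link resolver."""
    found = {4: [], 6: []}
    for line in ip_o_addr.splitlines():
        m = ADDR_RE.search(line)
        if m and m.group(3) == "global":
            iface = ipaddress.ip_interface(m.group(2))
            found[iface.version].append(iface.ip)
    return found


def diagnose(resolv_conf, ip_o_addr, app_families=(4, 6)):
    """Per-family verdict plus an overall 'can_resolve' flag. `app_families`
    (hypothetical parameter) models an application that only queries resolvers
    of the given IP versions, e.g. (4,) for an IPv4-only program."""
    ns = resolvers(resolv_conf)
    addrs = global_addresses(ip_o_addr)
    report = {}
    for v in (4, 6):
        if not ns[v]:
            report[v] = "no resolver configured"
        elif not addrs[v]:
            report[v] = "resolver configured but host has no global IPv%d address" % v
        elif v not in app_families:
            report[v] = "resolver reachable but the application does not query IPv%d" % v
        else:
            report[v] = "ok"
    report["can_resolve"] = any(report[v] == "ok" for v in (4, 6))
    return report


if __name__ == "__main__":
    for family, verdict in diagnose(RESOLV_CONF, IP_O_ADDR).items():
        print(family, verdict)
```

      On a real host, replace the embedded strings with the contents of /etc/resolv.conf and the output of `ip -o addr`; a verdict of "resolver configured but host has no global IPv6 address" is the DHCP/RA mixture case the paragraph above warns about.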

      In some operating systems, there are equivalent tools made exclusively for IPv6 traffic. For example, in Linux it’s common to see ip6tables as a separate netfilter component used to handle and route IPv6 traffic, because standard iptables handles only IPv4. nftables, an iptables replacement, works with both IPv4 and IPv6.
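      The fail2ban-managed tables described in the Linux section above and the IPv4/IPv6 rule parity point made here can both be checked from the rule dumps that `iptables -S` and `ip6tables -S` print. The following Python script is an added example, not code from Linode’s guide or from fail2ban: it parses two constructed dumps (the chain name f2b-sshd and all addresses are made-up sample data, and the parser understands only the common option syntax shown) to list what the fail2ban chain bans, test whether a given client address is banned, and report ports accepted in one address family but not the other.

```python
"""Added example: diagnose iptables rule dumps for fail2ban bans and
IPv4/IPv6 parity. The two dumps below are constructed sample data in the
format printed by `iptables -S` / `ip6tables -S`, not output from a real host."""
import ipaddress
from collections import defaultdict

# Constructed: an `iptables -S` dump from a host where fail2ban has inserted
# its f2b-sshd chain and banned two sources (documentation addresses).
IPTABLES_S = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 198.51.100.0/24 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
"""

# Constructed: the matching `ip6tables -S` dump; note that 443 is missing, so
# HTTPS works over IPv4 but silently fails over IPv6.
IP6TABLES_S = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""


def parse_rules(dump):
    """Turn each '-A <chain> ...' line into {'chain': ..., 'opts': {...}}.
    Only the flag/value syntax shown above is handled; a flag with no value
    (e.g. '--syn') is stored as True."""
    rules = []
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "-A":
            continue  # -P policies and -N chain declarations carry no match
        opts, i = {}, 2
        while i < len(tokens):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                opts[tokens[i]] = True
                i += 1
        rules.append({"chain": tokens[1], "opts": opts})
    return rules


def fail2ban_bans(rules):
    """Map each fail2ban chain (f2b-*) to the source networks it rejects/drops."""
    bans = defaultdict(list)
    for r in rules:
        if r["chain"].startswith("f2b-") and r["opts"].get("-j") in ("REJECT", "DROP"):
            src = r["opts"].get("-s")
            if src:
                bans[r["chain"]].append(ipaddress.ip_network(src, strict=False))
    return dict(bans)


def is_banned(rules, address):
    """True when `address` falls inside any fail2ban ban; to that client the
    host simply looks unreachable, which is the symptom to rule out first."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for nets in fail2ban_bans(rules).values() for net in nets)


def accepted_ports(rules, chain="INPUT"):
    """Set of (protocol, port) pairs the chain accepts outright."""
    ports = set()
    for r in rules:
        if r["chain"] != chain or r["opts"].get("-j") != "ACCEPT":
            continue
        spec = r["opts"].get("--dport") or r["opts"].get("--dports")
        if spec:
            for port in spec.split(","):
                ports.add((r["opts"].get("-p", "all"), int(port)))
    return ports


def family_mismatch(v4_dump, v6_dump):
    """Ports accepted in one address family but not the other: a non-empty
    result is the 'works over IPv4, fails over IPv6' pattern (or the reverse)."""
    v4 = accepted_ports(parse_rules(v4_dump))
    v6 = accepted_ports(parse_rules(v6_dump))
    return {"only_ipv4": sorted(v4 - v6), "only_ipv6": sorted(v6 - v4)}


if __name__ == "__main__":
    rules = parse_rules(IPTABLES_S)
    print("fail2ban bans:", {c: [str(n) for n in nets] for c, nets in fail2ban_bans(rules).items()})
    print("203.0.113.7 banned:", is_banned(rules, "203.0.113.7"))
    print("family mismatch:", family_mismatch(IPTABLES_S, IP6TABLES_S))
```

      On a real host, feed the script the actual dumps instead of the embedded strings (`iptables -S` and `ip6tables -S`, run as root). On an nftables-only host the equivalent dump comes from `nft list ruleset`, whose syntax this parser does not read.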

      Priorities must be set when the two protocols compete for the same resource, for example a network interface card connection in the host. By default, Microsoft Windows prioritizes IPv6 over IPv4, while Linux commonly does the reverse. A host stack may also have IPv6 turned off entirely; this is not recommended on Windows but is nevertheless common on all kinds of hosts, often as an attempt to remove unwanted traffic and network card contention in environments where IPv6 isn’t commonly used. Most network engineers recommend against disabling it, because IPv6 resources are used more seamlessly today.

      IPv6 Tunneling

      When IPv4 was running out of addresses, the large host and network address space offered by IPv6 was seen as a huge and necessary change, even though many routers were not IPv6-compatible and network client protocol stacks were not yet mature. Any of these early stacks may still be in use, and their version must be checked before troubleshooting. Several different methods of tunneling IPv6 over IPv4 were invented and may still be found in some network configurations today.

      For example, IP6to4 (more commonly written 6to4) is a useful protocol when a downstream link cannot support IPv6 traffic, as many international ISPs still do not support IPv6. Sometimes users inadvertently leave IPv6 enabled, leaving accidental responders active within their hosts. The IP6to4 protocol encapsulates IPv6 packets inside IPv4 packets for transit; at the far end the IPv4 information is stripped and the packet is restored to an IPv6 packet once again. This tunneling method is deprecated but must be used where IPv6 routing isn’t available in the desired routing path between hosts.

      IP6to4 is a limited stack and requires static routing so that a target IPv6 host can be found. Because of this and other problems, Microsoft deprecated this method of packet tunneling; however, IPv6 packet tunneling is still found on older hosts.
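      To make the encapsulation concrete, here is an added Python example (not code from Linode’s guide) that decodes 6to4 packets the way a defender inspecting traffic would: 6to4 carries IPv6 inside IPv4 with protocol number 41, and its 2002::/16 addresses embed the tunnel endpoint’s public IPv4 address. The script derives and decodes such addresses, parses the outer IPv4 and inner IPv6 headers, and checks that the embedded IPv4 address matches the outer IPv4 source, the basic consistency test a relay or filter applies before trusting such a packet. The packets and addresses are constructed from documentation address ranges, not captured traffic; the `build_6to4_packet` helper exists only to produce test input.

```python
"""Added example: decode 6to4 ("IP6to4") tunnel traffic. 6to4 carries IPv6
inside IPv4 with protocol number 41 and uses 2002::/16 addresses that embed
the tunnel endpoint's public IPv4 address. All packets here are constructed
from documentation address ranges, not captured traffic."""
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41                      # IANA protocol number for IPv6-in-IPv4
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")


def six_to_four_prefix(ipv4):
    """2002:WWXX:YYZZ::/48 prefix derived from a public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.ip_network("2002:%04x:%04x::/48" % (v4 >> 16, v4 & 0xFFFF))


def embedded_ipv4(ipv6):
    """IPv4 address embedded in a 6to4 address, or None if not in 2002::/16."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)  # bits 16..47


def parse_ipv4_header(pkt):
    """Minimal IPv4 header parse: (header length, protocol, src, dst)."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (vihl & 0x0F) * 4, proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def parse_ipv6_header(pkt):
    """Minimal IPv6 header parse: (next header, src, dst)."""
    vtcfl, _, nxt, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if vtcfl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return nxt, ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)


def inspect_6to4(pkt):
    """Classify a raw IPv4 packet. For a 6to4 packet, report inner/outer
    addresses and whether the IPv4 embedded in the inner source matches the
    outer IPv4 source, the basic consistency test before trusting the packet."""
    ihl, proto, o_src, o_dst = parse_ipv4_header(pkt)
    if proto != PROTO_IPV6_IN_IPV4:
        return {"tunnel": False, "protocol": proto}
    nxt, i_src, i_dst = parse_ipv6_header(pkt[ihl:])
    return {
        "tunnel": True,
        "outer_src": str(o_src), "outer_dst": str(o_dst),
        "inner_src": str(i_src), "inner_dst": str(i_dst),
        "inner_next_header": nxt,
        "source_consistent": embedded_ipv4(i_src) == o_src,
    }


def build_6to4_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Construct an IPv4(protocol 41) + IPv6 packet for testing. The IPv4
    checksum is left zero; a real sender fills it in."""
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), 59, 64,  # 59 = No Next Header
                       ipaddress.IPv6Address(inner_src).packed,
                       ipaddress.IPv6Address(inner_dst).packed) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                       PROTO_IPV6_IN_IPV4, 0,
                       ipaddress.IPv4Address(outer_src).packed,
                       ipaddress.IPv4Address(outer_dst).packed)
    return ipv4 + ipv6


if __name__ == "__main__":
    # 192.0.2.1 tunnels to 198.51.100.2; each side uses its own 2002: prefix.
    good = build_6to4_packet("192.0.2.1", "198.51.100.2",
                             "2002:c000:201::1", "2002:c633:6402::1")
    print(inspect_6to4(good))
    # Same inner packet but arriving from an unrelated IPv4 source: flagged.
    odd = build_6to4_packet("203.0.113.9", "198.51.100.2",
                            "2002:c000:201::1", "2002:c633:6402::1")
    print("consistent:", inspect_6to4(odd)["source_consistent"])
```

      When checking a host for leftover tunneling, protocol 41 is the thing to look for in captures and firewall rules, since it is what distinguishes encapsulated IPv6 from ordinary IPv4 traffic on the wire.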

      Conclusion

      Successful network communication is completed when there is an electrical circuit, the host network stack works, and downstream routers/gateways/switches can connect to a target host/site. The network stack resident in the host is bound by protocols and firewall rules. There are iterative steps involving tools that are available by default in most modern host operating systems.

      Troubleshooting begins by examining the correct values in the host network stack, then the firewall rules. Proxy-controlled network stacks must be treated differently, because they may involve both business policy and specialized treatment germane to the stack proxy.

      Although IPv6 is a separate protocol, most modern stacks provide a separate set of IPv6 tools equivalent to the IPv4 troubleshooting tools. Older IPv6 implementations can be buggy, and require stack-version-specific techniques to troubleshoot IPv6 connectivity or interference issues with IPv4.
