Posts filed under ‘General’

Switching to nYNAB – Web edition

In the past, I’ve been somewhat outspoken in my dislike for changes made from YNAB4 to nYNAB.  It’s now had a year to improve…

I probably made too much of some of the issues with it, though there were two main issues that kept bothering me:

  1. Scheduled transactions don’t take effect until the scheduled date hits, and there’s no way to “force” them to take effect earlier, other than pre-dating them.  This means your category balance will show more than is truly available (since you’ve effectively spent some of that money), and your account balances will not show your planned activity.
  2. The Red Arrow to the Right – to push negative category balances to the future.

For #1…  Well, this still bothers me.  I really do wish there was some way to mark a “scheduled” transaction as if it had already passed, other than pre-dating it.  I think some people have basically said to treat it like a check…  You generally write those out and mail them, but date them when you write them.  I don’t particularly like that, but it works.

As for #2…  The Red Arrow was a tool I used readily.  As it turns out, I think I used it far too much.  One recent month had 11 categories pushing negative balances forward.  I do think that not having that easy ability will actually be a good thing for me, in terms of budgeting.  The money will need to come from somewhere, forcing me to make decisions that I’ve pushed off in the past.

One other issue that I think I first thought would be a bad thing is the single month view, versus the previous multi-month view.  But now that I’ve really been using it for a bit, I don’t think it’s really that big of a deal.

Anyhow, I’m really trying to switch this time.

January 5, 2017 at 7:15 pm

Withdrawing Roth IRA contributions without tax or penalty – How to file it?

Yes, this is a networking blog, primarily. I do sometimes post about personal finance, mostly related to YNAB, so this post isn’t entirely without precedent. Plus there is a tiny networking tie-in later.

I’ve read in multiple places that AT ANY TIME you can withdraw your Roth IRA contributions without tax or penalty… In at least one place, they suggested instead of funding an emergency fund that goes to a bank account, instead you fund a Roth IRA (up to the max each year), because you can take out what you put in whenever you want without penalty.

Here’s the problem: Last January I opened a Roth IRA (with a different company.  I already had a Roth opened years earlier with E*Trade). Within about 8 months, I decided that I didn’t want to continue contributing to that Roth, but would put the money that had been going into the Roth into my 401K instead, lowering my taxable income.  Instead of keeping this small Roth IRA, I decided to withdraw virtually all of my contributions and invest it in a non-retirement account.

Today, I downloaded my 1099-R form associated with this Roth IRA distribution. It had a distribution code of J in box 7, which didn’t mean much to me. I was not prepared for what happened next.

When entering that 1099-R into Turbo Tax, my tax liability jumped by over $575!

I called the company I got the Roth through, but they were not much help, not being tax professionals.  Searching around Google, I found this article by one of my favorite writers about money, Jonathan Ping. (Yes, his last name is Ping. There’s that tiny networking tie-in I mentioned.)

From reading Jonathan’s article, I gathered that Form 8606 was the key to declaring the contribution amount.

After filling out the 1099-R, Turbo Tax asked me a bunch of questions, but didn’t ask for the total amount of my contributions. Searching around a bit led me to an answer, though.

In the upper part of the screen, go to the My Account menu, then select Tools. In the pop-up window that appears next, select Topic Search, then type in 8606. With that form selected, hit the Go button.

Now it will lead you through the right line of questions so you can declare how much you contributed to your Roth IRA. Once you’ve filled that out and gone through the rest of the questions, you should find that your tax burden is much lighter… In my case, all $575+ of taxes melted right away.

Anyhow, this caused me a significant amount of stress for about 3 hours, so I thought I’d post it here and hopefully save someone else some frustration.

March 2, 2016 at 10:35 pm

Importance of Traffic Logs even for the home network

My little firewall logs just about everything that goes on. Blocked? Log it. Allowed? Log it. Most of the time, these logs roll over and I never even see the contents. However, every once in a while they come in very handy.

My wife usually spends a little while on Sunday evenings preparing attendance sheets for CCD (think Sunday school, but for Catholics). Our parish takes it very seriously, and they have given her a remote login to their data software, so she can update the attendance on-line, and they’ll have accurate records. This software appears to be SaaS (Software as a Service). Unfortunately, it’s not a web-based service. It is hosted on some remote system, and they provide her with something akin to a Citrix login to access the data. This software is PDS (Parish Data System) by ACS Technologies.

Recently the UPS on her computer started acting up. We had a quick blip tonight and her computer rebooted. When it came back up, she proceeded to connect back to this software, and was prompted with a small box asking for the Host. We don’t recall this being asked previously, as it usually just pops up a login box.

So, we checked the support website to see if they had any hints. A quick look around there seems to show that to get to any real support info, you need a Site code and a PIN, and my wife doesn’t know that. Their Live Chat support didn’t work. The only other options are Email (which also seems to require site details) and a toll free number, but they apparently don’t work weekends.

Thinking about the situation logically, I concluded that somehow this system “forgot” the remote hostname to which it normally connects. That’s why it’s prompting for connection details with a “Host” prompt.

It struck me that I might be able to find it in the logs, so off to my firewall I went. I filtered by my wife’s IP address, and tried filtering for the application “Citrix”. Zilch. Next, I started filtering out ports and applications that I knew it wouldn’t be, and told the firewall to look up hostnames. Finally, after filtering out port 80, Facebook-base, Facebook-chat, iCloud-base, Twitter-base, and port 993 (secure Gmail in this case), I jumped from page 1 to page 10 (to get to a more appropriate time, prior to the power outage), and there it was. I recognized the name “”, so I tried that as the host. I believe at that point, I got a different error. So, we closed and restarted the application, and it popped up and worked just fine.

So, if you have lots of logging going on with your firewall at the house, don’t bother trying to weed it down, just let it go. One day, it just might save you lots of time.
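The search described above (one client, known-noisy ports and applications excluded, only sessions before the outage) can be scripted against a log export. This is an added example, not part of the original post; the CSV column layout, addresses, hostnames and the function name `candidate_hosts` are all constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed log export; the column layout is an assumption, not a vendor format.
SAMPLE_LOG = """\
time,src,dst_host,dst_port,app,action
2015-09-20 18:02:11,192.168.1.23,www.example.com,80,web-browsing,allow
2015-09-20 18:03:40,192.168.1.23,imap.example.org,993,ssl,allow
2015-09-20 18:05:02,192.168.1.23,edge.example.net,443,facebook-base,allow
2015-09-20 18:07:55,192.168.1.23,remote-app.example.net,8022,unknown-tcp,allow
2015-09-20 18:09:13,192.168.1.40,remote-other.example.net,3389,ms-rdp,allow
2015-09-20 18:11:30,192.168.1.23,remote-app.example.net,8022,unknown-tcp,allow
2015-09-20 19:45:00,192.168.1.23,updates.example.com,8443,ssl,allow
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def candidate_hosts(log_text, src, before, skip_ports=(), skip_apps=()):
    """Group one client's allowed sessions before `before` by (host, port, app).

    Known-noisy ports and applications are dropped, so what remains is the
    short list of destinations worth reading by eye, most frequent first.
    """
    cutoff = datetime.strptime(before, TIME_FMT)
    hits = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["time"], TIME_FMT)
        if row["src"] != src or when >= cutoff or row["action"] != "allow":
            continue
        port = int(row["dst_port"])
        if port in skip_ports or row["app"] in skip_apps:
            continue
        key = (row["dst_host"], port, row["app"])
        hits[key] = hits.get(key, 0) + 1
    return sorted(hits.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    noise = {"facebook-base", "facebook-chat", "icloud-base", "twitter-base"}
    for (host, port, app), count in candidate_hosts(
            SAMPLE_LOG, "192.168.1.23", "2015-09-20 19:00:00",
            skip_ports={80, 993}, skip_apps=noise):
        print(f"{count:3d}  {host}:{port}  ({app})")
```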

September 26, 2015 at 9:34 pm

Ad Blocking is stealing

I saw a quote the other day from someone in the online ad industry (I believe) who said that using an Ad Blocker is stealing.


I can see the argument related to movies and music.  I mean, for those items you have to buy a CD or a movie ticket (or buy a digital copy).  Downloading the content without legitimately purchasing it… Yea, I can see that being stealing.

Running an ad blocker and visiting a website, though?

Sorry, but no.  It’s not even in the same realm.

The real question publishers and ad companies need to ask is:

Why has Ad Blocking risen so much recently?

A recent focus has been Apple, with their release of iOS 9 that supports “content blocking”, which thus far has mainly been used to create ad blockers.  Why is this the case?

When I first got an iPhone 3GS, my first iPhone, browsing was fast.  Over the years, more and more advertising has been injected into mobile websites.  Advertising web servers are notoriously slow.  Advertising on mobile platforms has become more aggressive.  All this while bandwidth usage has spiked and most carriers have forced bandwidth caps on their customers.

With all these factors combined, the user experience is very poor.  To see how big of a difference it makes in load time, I invite you to try an ad blocker on an iPhone.  Visit sites that you normally visit, and you’ll see that the site pops up much faster than normal.  I expect that if you surf on your phone frequently, once you see the difference, you’ll want to keep using it.

September 20, 2015 at 9:48 pm

Monitoring a network with EIGRP

Most network monitoring involves polling.

So, you have a server (or farm of them) going out across the WAN every minute or so, talking to every remote device to ensure that they are up and running.

There are a number of products out there that do this, but what if you can do it smarter?

At my day job, we have hundreds of remote sites connected via T1 and they have an alternate link, soon to be LTE across the company.  We run EIGRP across our links so our routers know which links are available for traffic.  Yes, even our LTE links.  They all terminate on GRE tunnels on one router.  We set the EIGRP Hello time to 20 seconds and the Hold time to 60 seconds.  If 60 seconds pass without seeing a Hello, the link gets marked down.

I wrote a PHP program to handle this monitoring in a very efficient way.  Every minute, it performs an SSH into this router and runs a “show ip eigrp neighbors” command to get a list of all active neighbors.  This tells me that each of those neighbors is active at the time I performed the command.  I log this info to a database table.  I also run a command like “show ip route | inc Tu”.  Due to our database, my program knows which EIGRP neighbor is each location and which route belongs to each location.  If I see a connected route to any Tunnel, I know we are actively running traffic across the LTE link to that location.  Since this is done every minute, I’m logging each time that a remote device has an EIGRP connection to headquarters.  I track the state of all the locations and send SNMP traps to our central manager to create alarms when I see that an EIGRP connection that should be there is missing and when a route exists (meaning the LTE link is being actively used).

This database is tracking the total number of polls and the number of successful polls.  This lets me calculate an “Availability” number for that GRE Tunnel.  Note, this isn’t a real “Availability” number for the LTE link.  It’s an Availability number for the Tunnel, meaning it can easily be worse than the LTE link availability (if the remote router is down, perhaps).

If you described this to me as a monitoring solution, I wouldn’t expect it to work well.  The fact is that we’ve been running with this sort of solution for several years.  The difference now is that I’ve reduced the polling cycle from every 5 minutes to every minute to give me better granularity.  And it still works great, even with 150+ sites.  The beauty of this system is that adding more sites doesn’t really add more time (technically, it does, but it’s such a small number that it’s pretty much irrelevant).
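A sketch of one polling cycle as described above: parse the neighbor table, compare it with the expected inventory, and keep the poll counters behind the availability figure. This is an added example in Python, not the PHP program from the post; the sample output, addresses, site names and function names are constructed, and the SSH step is left out so the parsing runs offline.

```python
import re

# Constructed sample of "show ip eigrp neighbors" output (addresses are made up).
SAMPLE_OUTPUT = """\
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
2   10.255.0.14             Tu114                    47 3d04h      61   366  0  8812
0   10.255.0.10             Tu110                    55 00:12:41   48   288  0  9120
"""

# Hypothetical inventory: tunnel peer address -> location name.
EXPECTED = {"10.255.0.10": "store-110",
            "10.255.0.14": "store-114",
            "10.255.0.18": "store-118"}

# Row layout: handle, peer address, interface, hold time in seconds, uptime, ...
NEIGHBOR_RE = re.compile(r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)\s+\S+\s")


def parse_neighbors(output):
    """Return {peer_address: (interface, hold_seconds)} for each neighbor row."""
    neighbors = {}
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors[m.group(1)] = (m.group(2), int(m.group(3)))
    return neighbors


def record_poll(stats, expected, output):
    """Count one poll per location and return the locations with no neighbor.

    Output without a neighbor-table header means the command itself failed
    (SSH error, truncated session); raising keeps that from being recorded
    as every site going down at once.
    """
    if "neighbors for" not in output.lower():
        raise ValueError("no EIGRP neighbor table in output; failed poll")
    seen = parse_neighbors(output)
    missing = []
    for addr, site in expected.items():
        total, ok = stats.get(site, (0, 0))
        up = addr in seen
        stats[site] = (total + 1, ok + (1 if up else 0))
        if not up:
            missing.append(site)
    return sorted(missing)


def availability(stats, site):
    """Percentage of polls in which the site's tunnel neighbor was present."""
    total, ok = stats[site]
    return 100.0 * ok / total if total else None
```

The list returned by `record_poll` is what would drive the SNMP traps; the counters in `stats` stand in for the database table.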

September 18, 2015 at 9:59 pm

Best Cell Carrier coverage in the SouthEast US

Where I work, we wanted to put in LTE backup at all of our retail locations to handle communications in the event that our T1 circuit fails.  There are around 800 locations stretching from Louisiana, south to Key West, all the way to North Carolina.  We have relationships with the big three carriers, so we built survey boxes housing three CradlePoint cellular broadband adapters, one configured for each of the carriers, then took them around to our locations and ran a battery of Netperf tests to get real results for each location which were logged into a database.

Armed with that database of over 7000 test results, we selected the best carrier at each location by looking at the raw data.  My general criteria?  Look for the carrier with the best SINR (Signal to Interference + Noise Ratio), along with the best speed.  We are less concerned with cost, since they are all under $30 a month for our limited, pooled data plan.  Our goal is that we have a reliable backup that is at least as fast as the T1 circuit it would be “covering for” in the event of a T1 outage.  Most T1 outages would be measured in hours, so it needs to be available when we need it, first and foremost.  That said, we want better than 1.5 Mbps in both directions so that it can be a true T1 backup.  Looking at the data and making the selection was sometimes difficult, but we made our best guess in those cases.

I only have the actual numbers for the first 155 locations we have installed, which break down as follows:

AT&T was selected 50.9% of the time.
Verizon was selected 30.9% of the time.
Sprint was selected just over 18% of the time.

From the numbers I have seen (in passing), this pattern is pretty representative of the overall totals.

Now, I’m not much of an AT&T fan, but this is pretty impressive.


September 18, 2015 at 9:37 pm

F5 GTM iRule to enforce Google Safe Search

There are tons of tools you can use to enable Google Safe Search…  Essentially, you need to serve a custom record for that’s a CNAME pointing to

Anyhow, for our Customer Wifi, we want to take some steps to limit the visibility of adult results to our customers (both for liability and PR reasons).  Since we have a large number of retail locations, all running through a central data center, we run a high performance DNS cache using our F5.  While I’m sure there are lots of ways to solve this issue, we created an iRule to handle it:

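when DNS_REQUEST {
    # Answer the search hostname with a CNAME plus the A record it currently resolves to
    if { [DNS::question name] == "" } {
        set lookup "[RESOLV::lookup @[RESOLVING DNS SERVER HERE] -a ""]"
        # Keep only the first address returned by the lookup
        set ip [getfield $lookup " " 1]
        DNS::answer insert " 300 IN CNAME"
        DNS::answer insert " 300 IN A $ip"
    }
    # Return NXDOMAIN for names under the blocked domain
    if { [DNS::question name] ends_with "" } {
        DNS::answer clear
        DNS::header rcode NXDOMAIN
    }
}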

Just replace the text “[RESOLVING DNS SERVER HERE]” with the IP address of a server capable of resolving the forcesafesearch DNS query.  If you are using Route Domains, don’t forget to include it on the end of your DNS server IP.

As a bonus, this iRule also blocks, the domain that Bing uses to display thumbnails/videos for explicit content.

July 15, 2015 at 5:59 pm
