
I have a bit of a dilemma at the moment, so here's some background:

 

Back in summer 2015, we had a third party contractor replace our wired and wireless networks, server infrastructure and a bunch of other things. Included in this was redesigning the network from scratch.

Our old network was on the 10.122.xxx.xxx IP range.

Our new network is on the 10.22.xxx.xxx IP range.

 

There is now nothing on 10.122.xxx.xxx, except for our IPT phone system, which has a controller on a static IP of 10.122.40.10, along with access points for the phones, also with static IP addresses in that range. However, the IPT system is not owned or controlled by us, it is leased and supported by a contractor, who charge for callouts.

 

Our main VLAN is 10.22.100.0/22 - however I cannot ping 10.122.40.10.

 

The contractor who upgraded our network created 'VLAN 40' on 10.22.40.0/24, with DHCP disabled (by design - as it causes major issues with our phone access points when it is enabled).

 

I have Port 4 on an edge switch untagged on VLAN 40. When I connect a laptop and set a static IP address of 10.122.40.50 (yes, that is 10.122.xxx.xxx - not 10.22.xxx.xxx), I can ping 10.122.40.10 and connect to its web interface.

 

My problem is that I do not always have physical access to that switch, as the cab is in a meeting room. Is it possible for me to access that web interface from any machine on VLAN 100? If so, how would I go about getting it to work?

 

Edit:

Upon checking the switch, it is true that port 4 of the edge switch is on VLAN 40; however, I cannot determine the IP address range of that VLAN. I'm not sure how. I can ping 10.22.40.1 from my own workstation on VLAN 100, so it appears that VLAN 40 is configured as designed by the contractor. I just don't understand how a device on VLAN 40 is configured with 10.122.xxx.xxx instead of 10.22.xxx.xxx and still works.

 

Some steps that I have done:

1) Connected laptop to P4 on the edge switch. Configured the following IPv4 information:

Static IP: 10.122.40.50

Subnet: 255.255.0.0

Default Gateway: 10.122.40.1

I can successfully ping and connect to the IPT controller.

Note: The Ethernet controller displayed in 'Network Connections' shows this network as an 'Unrecognized network'.

 

2) Connected the same laptop to the same P4 on the same edge switch and configured the following IPv4 information:

Static IP: 10.22.40.50

Subnet: 255.255.0.0

Default Gateway: 10.22.40.1

I cannot ping or connect to the IPT controller.

Note: The Ethernet controller displayed in 'Network Connections' shows this network as recognized and shows our domain name.

 

Wondering if I can get any input from @BudMan to query his knowledge?!

Edited by Daedroth

A VLAN doesn't care what IP address is on it. It is just an isolation of the layer 2 network.

You could run as many different layer 3 networks on top of that layer 2 as you want, but it is really, really bad design to run more than one layer 3 on the same layer 2. I see it done all the time by people who don't know any better. If you're on the same layer 2 there is no isolation. Having devices on IP range A and others on range B does not "isolate" them from each other.

 

It would be very helpful to draw this out..

On 21/06/2017 at 13:11, Daedroth said: "with DHCP disabled (by design - as it causes major issues with our phone access points when it is enabled)."

This seems odd. It makes no sense that you would need to disable DHCP on a layer 2, unless you're going to run more than one layer 3 on it. Then yes, running a DHCP server would cause you all kinds of problems, since any device on that layer 2 could get an address from that DHCP server. To do multiple layer 3 on the same layer 2 with DHCP would require all devices to have reservations, and your DHCP server's scopes would have to be set to not hand out any addresses that are not reserved, etc.

 

Can you please draw up this network, and then we can dive in and correct any such nonsense like multiple layer 3 on the same L2. It really, really is BAD practice to do such a thing!! And it defeats any sort of security you might gain by network segmentation. Why not just run them all on the same layer 3, etc.

A /22 is a really large VLAN. Do you really have that many hosts on the same broadcast domain? A /22 = 1022 hosts; that is a lot of broadcast and multicast on the wire unless your devices have been set up to not do the default noise they pump onto the wire. Windows machines are broadcast/multicast noise makers!!! Then add in IPv6 on top of that and it gets nuts with that many devices on the same broadcast domain.

 

Quote: "Our main VLAN is 10.22.100.0/22 - however I cannot ping 10.122.40.10."

 

What would be doing the routing between these networks?  Are you saying they are all on the same layer 2?
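The two rules BudMan is relying on, same VLAN plus same subnet means ARP finds the peer directly, anything else has to go through a gateway that actually has a route, can be written down and run against the addresses from this thread. The block below is an added illustration, not code from the thread or from either poster; it assumes the core's VLAN 100 gateway is 10.22.100.1 and that no device answers for 10.122.40.1, neither of which the thread states.

```python
"""Reachability model for the thread's VLAN 40 / 10.122 problem.

Added example, not part of the original thread. It encodes the topology the
poster described: an L3 HP core with VLAN 100 = 10.22.100.0/22 and
VLAN 40 = 10.22.40.0/24, plus a leased IPT controller at 10.122.40.10/16 whose
NIC is also untagged into VLAN 40. The VLAN 100 gateway address 10.22.100.1
and the absence of any device at 10.122.40.1 are assumptions for the
illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Host:
    name: str
    vlan: int                       # L2 segment the NIC is untagged into
    iface: IPv4Interface            # address + mask, e.g. 10.122.40.50/16
    gateway: Optional[IPv4Address]  # configured default gateway, if any


@dataclass
class Core:
    """An L3 switch: one routed interface (SVI) per VLAN it serves."""
    svis: Dict[int, IPv4Interface] = field(default_factory=dict)

    def route(self, dst: IPv4Address) -> Optional[Tuple[int, IPv4Interface]]:
        """Return the (vlan, svi) whose connected subnet contains dst, if any."""
        for vlan, svi in self.svis.items():
            if dst in svi.network:
                return vlan, svi
        return None


def reachable(src: Host, dst_ip: IPv4Address, dst_vlan: int, core: Core) -> Tuple[bool, str]:
    """Decide whether src can talk to dst_ip, which lives on dst_vlan.

    Rule 1: same L2 segment and same L3 subnet -> ARP resolves the peer
    directly; the VLAN does not care which subnet the addresses are in.
    Rule 2: otherwise the packet goes to src's default gateway, which must be
    an SVI on src's VLAN with a connected subnet covering dst_ip, and that
    subnet must sit on dst's VLAN.
    """
    if src.vlan == dst_vlan and dst_ip in src.iface.network:
        return True, "direct: same VLAN and same subnet, ARP resolves the peer"
    if src.gateway is None or src.gateway not in src.iface.network:
        return False, "no usable default gateway"
    svi = core.svis.get(src.vlan)
    if svi is None or svi.ip != src.gateway:
        return False, f"gateway {src.gateway} does not exist on VLAN {src.vlan}"
    hop = core.route(dst_ip)
    if hop is None:
        return False, f"core has no route to {dst_ip}"
    out_vlan, out_svi = hop
    if out_vlan != dst_vlan:
        return False, f"core forwards to VLAN {out_vlan}, host is on VLAN {dst_vlan}"
    return True, f"routed via {out_svi.ip} on VLAN {out_vlan}"


def subnets_per_vlan(hosts: List[Host]) -> Dict[int, Set]:
    """Map each VLAN to the L3 networks configured on it. More than one
    network on a VLAN is the shared-broadcast-domain case BudMan describes."""
    seen: Dict[int, Set] = {}
    for h in hosts:
        seen.setdefault(h.vlan, set()).add(h.iface.network)
    return seen


def thread_hosts() -> Tuple[Core, List[Host]]:
    """The devices named in the thread (VLAN 100 gateway is assumed)."""
    core = Core({100: IPv4Interface("10.22.100.1/22"),
                 40: IPv4Interface("10.22.40.1/24")})
    hosts = [
        Host("ipt-controller", 40, IPv4Interface("10.122.40.10/16"), IPv4Address("10.122.40.1")),
        Host("laptop step 1", 40, IPv4Interface("10.122.40.50/16"), IPv4Address("10.122.40.1")),
        Host("laptop step 2", 40, IPv4Interface("10.22.40.50/16"), IPv4Address("10.22.40.1")),
        Host("workstation", 100, IPv4Interface("10.22.100.60/22"), IPv4Address("10.22.100.1")),
    ]
    return core, hosts


def thread_scenarios() -> Dict[str, Tuple[bool, str]]:
    """The four cases the thread reports, run through the model."""
    core, (ipt, laptop1, laptop2, ws) = thread_hosts()
    return {
        "step 1: laptop 10.122.40.50 -> IPT": reachable(laptop1, ipt.iface.ip, 40, core),
        "step 2: laptop 10.22.40.50 -> IPT": reachable(laptop2, ipt.iface.ip, 40, core),
        "VLAN 100 workstation -> 10.22.40.1": reachable(ws, core.svis[40].ip, 40, core),
        "VLAN 100 workstation -> IPT": reachable(ws, ipt.iface.ip, 40, core),
    }


if __name__ == "__main__":
    for label, (ok, why) in thread_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {why}")
    core, hosts = thread_hosts()
    for vlan, nets in subnets_per_vlan(hosts).items():
        print(f"VLAN {vlan}: {len(nets)} L3 network(s): {', '.join(map(str, nets))}")
```

Step 1 succeeds for the reason BudMan gives: the laptop and the controller share a broadcast domain and a /16, so no routing happens at all. Step 2 and the VLAN 100 case both fail at the same point, the core has no interface in 10.122.0.0/16, so there is nothing to forward to. The last loop is the audit: VLAN 40 comes back with two networks on it.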

On 21/06/2017 at 14:36, BudMan said: "This seems odd. Makes no sense that you would need to disable DHCP on a layer 2 - unless you're going to run more than 1 layer 3 on it. [...]"

I'm not exactly sure why, but when DHCP is enabled (which is controlled by our DCs) it completely crashed the phone system. As soon as DHCP was disabled, it started working again, so it stayed off and has been off since.

 

8 minutes ago, BudMan said: "Can you please draw up this network - and then we can dive in and correct any such nonsense like multiple layer 3 on the same L2. [...]"

I'll try and draw it out tomorrow as I'll be finishing shortly and won't get a chance this evening.

8 minutes ago, BudMan said: "A /22 is a really large vlan - do you really have that many hosts on the same broadcast domain? [...]"

We are a small school with ~400 computers, ~200 laptops, ~100 tablets. The contractor originally configured the network with multiple VLANs, depending on the device, utilizing 802.1x and device security groups in AD, configured into these:

All staff desktops that were members of 'Dot1xStaff' joined a specific VLAN

All staff WiFi devices that were connected to our Ruckus WiFi and also members of 'Dot1xStaff' joined a specific VLAN

All student desktops that were members of 'Dot1xStudent' joined a specific VLAN

All student WiFi devices that were connected to our Ruckus WiFi and also members of 'Dot1xStudent' joined a specific VLAN

Any 'Unauthenticated' devices joined another specific VLAN

 

However, we use a classroom management tool, 'Impero', to view all of our computers and remotely control them across our site, and it also ties into our safeguarding policies. It does not work across VLANs, so the contractor configured everything to drop into the 'Unauthenticated' VLAN. We've been waiting for the company to provide a solution, it being on their 'road map', but nothing so far.

 

8 minutes ago, BudMan said: "What would be doing the routing between these networks? Are you saying they are all on the same layer 2?"

We have a HP Core Switch, which all of our HP edge switches connect to.

Ah ok. There is going to be a lot of broadcast traffic in the current setup. The specific VLANs would for sure be more secure!! Especially with required 802.1X auth, etc.

So your 2 VLANs hang off the core? That would be the typical, normal setup. That you cannot route between them seems like something set up wrong on your core. Or your other phone VLAN doesn't have its gateway set to the core HP L3. I assume your core switch is L3 doing the routing.

Why are you using a /16 mask, when the other masks you gave are /22 and /24?

I've made a crude drawing of our setup (only the relevant segments) and attached it to this post. We have GVRP enabled across our site, except on Edge Switch 2. On any other switch I cannot manually add a port into VLAN 40 (or any other VLAN) because it complains about the VLAN being dynamically assigned. Edge Switch 2 has GVRP disabled and ports can be manually assigned to VLAN 40.

 

On 21/06/2017 at 16:39, BudMan said: "So your 2 vlans hang off the core? Would be the typical normal setup. That you can not route between them seems like something setup wrong on your core. [...]"

The thing is, I can route between VLAN 100 and VLAN 40, as I can ping 10.22.40.1 from my machine on VLAN 100 with an IP of 10.22.100.60. I just cannot connect to 10.122.40.10.

 

Quote: "Why are you using a /16 mask - when your other masks you gave are /22 and /24?"

That was the info given to us by the phone system engineers.

 

[Attachment: Network.PNG]

You would have to configure and allow VLAN 40 to pass through on your "core switch router" and your "edge switch 2" via trunking or LACP, and you would have to allow VLAN 40 on the ports between "edge switch 1" and "core switch router".

 

 

 

Basically, create the path for it to function. Without a path defined on all equipment, or some way to route to it, you aren't going anywhere by putting VLAN 40 only on "edge switch 2" and "edge switch 1". VLAN 40 needs to either exist on all switches/routers in between, or a route has to exist so that your devices can communicate with it from other networks. VLAN 40 does not need an IP on each device; VLAN 40 just needs to exist on each device (device in this case meaning router or switch).

OK, let's be clear here:

 

vlan 40

10.22.40.0/24

 

vlan100

10.22.100.0/22

 

Per your drawing they put your IPT controller and phones on "vlan 40" but gave them addresses on network 10.122/16.

Yeah, that is borked. This should be a completely different VLAN, say VLAN 122. And you would have to allow/route it at your core.

If the ports and such are set up for VLAN 40, they are just running this different L3 network on top of the same L2. So you should be able to get to those devices from any port on VLAN 40 as long as you put the correct IP on your machine. Like I said, running multiple L3 networks on the same L2 is a borked config!

On 22/06/2017 at 15:05, sc302 said: "You would have to configure and allow vlan 40 and pass through on your "core switch router" and your "edge switch 2" via trunking or lacp [...]"

It is trunked at the moment, which I think is why I can ping the gateway of VLAN 40 from my workstation.

16 hours ago, sc302 said: "Basically, create the path for it to function....without a path defined on all equipment or some way to route to it, you aren't going anywhere [...]"

That diagram was only an example, all the VLANs are trunked across our whole site, by GVRP I'm assuming.

On 22/06/2017 at 15:15, BudMan said: "ok lets be clear here: vlan 40 is 10.22.40.0/24, vlan100 is 10.22.100.0/22. Per your drawing they put your IPT controller and phones on 'vlan 40' but gave them on network 10.122/16. Yeah that is borked.. This should be a completely different vlan, say vlan 122. And you would have to allow/route it at your core. If the ports and such are setup for vlan 40, they are just running this different L3 network ontop of the same L2.. So you should be able to get those devices from any network on the vlan40 as long as you put the correct IP on it. Like I said running multiple L3 networks on the same L2 is a borked config!"

Bah, I guess it isn't possible for me to access the 10.122/16 network from my machine on 10.22/16? The IPT setup pre-dates our new network by a number of years. The contractor we had in to do our network, like me, has no control over the hardware of the IPT, as it does not belong to us. We'd have to pay for an engineer call out to sort it...which management won't pay for because the phones work at the moment. Don't fix something that isn't broken. I guess it was our contractor that was at fault for not properly configuring the VLANs?

Yes. The contractor is at fault for allowing multiple subnets on a single VLAN. I am sure I can find ways around it, but it would require after-hours work and physical access to reset passwords (not config).

 

It has to be redesigned, slightly.

Yeah, it should be on its own VLAN for sure; voice especially should be on its own rather than shared with a data VLAN.

You would be able to access it from any VLAN 40 port just by placing an IP in their range on your device. I think you already did that. But that is a borked config. If you sniff on VLAN 40 you're going to see all the broadcast traffic from all those devices, ARPs, etc.

Your other option, if under your control, would be to redo your side of VLAN 40 and make it something else. That way you leave VLAN 40 for the phone network.
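"If you sniff on VLAN 40 you're going to see all the broadcast traffic from all those devices" is easy to turn into an audit: every ARP request carries the sender's IP, so grouping sender addresses per VLAN shows how many layer-3 networks share each broadcast domain. The block below is an added example, not code from the thread or from either poster. It parses raw Ethernet II frames with an optional 802.1Q tag (what a trunk port mirror would give you) and reports the VLANs that carry more than one network. The capture is constructed inline and the MAC addresses are made up; the /24 grouping is a heuristic, since ARP frames carry no subnet mask.

```python
"""ARP audit: which IP networks are talking on which VLAN?

Added example, not part of the original thread. Frames in SAMPLE_CAPTURE are
constructed here with made-up MAC addresses; the addresses are the ones the
thread mentions. Grouping sender IPs into /24s is a heuristic: a capture does
not tell you the hosts' configured masks.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def build_frame(vid: Optional[int], src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header (broadcast destination), with an 802.1Q tag when vid is given."""
    hdr = BROADCAST + bytes.fromhex(src_mac.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_arp_request(vid: Optional[int], src_mac: str, spa: str, tpa: str) -> bytes:
    """ARP 'who-has tpa, tell spa' (hardware type 1 = Ethernet, protocol 0x0800)."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
           + sha + IPv4Address(spa).packed + b"\x00" * 6 + IPv4Address(tpa).packed)
    return build_frame(vid, src_mac, ETHERTYPE_ARP, arp)


def parse_arp(frame: bytes) -> Optional[Tuple[Optional[int], IPv4Address, IPv4Address]]:
    """Return (vlan_id or None if untagged, sender_ip, target_ip) for an
    IPv4-over-Ethernet ARP frame; None for anything else or truncated input."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    body = frame[offset + 8:offset + 28]          # sha(6) spa(4) tha(6) tpa(4)
    return vid, IPv4Address(body[6:10]), IPv4Address(body[16:20])


def networks_per_vlan(frames: List[bytes], prefix: int = 24) -> Dict[Optional[int], List[IPv4Network]]:
    """Group ARP sender addresses per VLAN into /prefix networks."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        vid, spa, _tpa = parsed
        if spa == IPv4Address("0.0.0.0"):          # ARP probes carry no sender network
            continue
        seen[vid].add(ip_network(f"{spa}/{prefix}", strict=False))
    return {vid: sorted(nets) for vid, nets in seen.items()}


def shared_segments(frames: List[bytes], prefix: int = 24) -> Dict[Optional[int], List[IPv4Network]]:
    """VLANs on which more than one layer-3 network is present: the case
    where address ranges give no isolation because the L2 is shared."""
    return {vid: nets for vid, nets in networks_per_vlan(frames, prefix).items() if len(nets) > 1}


# Constructed capture from a trunk carrying VLANs 40 and 100 (MACs made up).
SAMPLE_CAPTURE = [
    build_arp_request(40, "00:1a:2b:40:00:10", "10.122.40.10", "10.122.40.1"),   # IPT controller
    build_arp_request(40, "00:1a:2b:40:00:21", "10.122.40.21", "10.122.40.10"),  # phone access point
    build_arp_request(40, "00:1a:2b:40:00:50", "10.22.40.50", "10.22.40.1"),     # laptop from step 2
    build_arp_request(40, "00:1a:2b:40:00:99", "0.0.0.0", "10.22.40.77"),        # address probe, skipped
    build_arp_request(100, "00:1a:2b:64:00:60", "10.22.100.60", "10.22.100.1"),  # VLAN 100 workstation
    build_frame(100, "00:1a:2b:64:00:60", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),  # not ARP, skipped
]

if __name__ == "__main__":
    for vid, nets in shared_segments(SAMPLE_CAPTURE).items():
        print(f"VLAN {vid}: {len(nets)} networks on one L2 segment: " + ", ".join(map(str, nets)))
```

Run against a real mirror-port capture you would feed `parse_arp` the raw frames from a pcap reader instead of `SAMPLE_CAPTURE`; on the setup described in this thread VLAN 40 reports both 10.22.40.0/24 and 10.122.40.0/24, which is exactly the condition the redesign is meant to remove.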

Cheers for the responses.

It looks as though this isn't something I have the expertise or permission from the IPT supplier to sort myself, nor is it something management would sign off on payment for the IPT supplier or another third party to sort it out.

 

I guess it'll just have to stay as it is!

On 01/07/2017 at 11:01, BudMan said: "That there is zero security between these 2 networks and completely BORKED - why should you have to pay for them to come fix their F up??"

When they finished their installation two years ago, we had a list of issues for them to sort out. They addressed most of the issues, however this VLAN issue was only found recently and they will not come back on site to sort it as it was not something that was brought up earlier.

The only things we can do are: Do it myself (unlikely as I don't have the expertise and my employer won't pay for training), pay another contractor to come in and do it (won't happen because my employer won't pay for it), or get the IPT supplier in to re-address the IPT system (which my employer won't pay for).

As already stated, just create a NEW VLAN to move your devices that are on this 40 to. You do not have to touch the current IPT system.

 

This is really basic 101 networking.. If you can not even create a vlan on your own network - what do you do exactly?  Replace the ink in the printer and users mice when they break? ;)

 

Do you not have access to any of these switches?  Do you not have access to the core switch?  If not then no there is nothing you can do.. How do you not have access to your own network infrastructure?

On 01/07/2017 at 11:21, BudMan said: "As already stated just create NEW vlan, to move your devices that are on this 40 to. You do not have to touch the current IPT system. [...] Do you not have access to any of these switches? Do you not have access to the core switch? If not then no there is nothing you can do.. How do you not have access to your own network infrastructure?"

I do have admin access to all of the networking equipment, however it's not something that we often access. We are a department of two, supporting nearly 1000 users, so we are stretched quite thin!

With my lack of networking experience, I don't want to risk making a mistake and causing further issues, especially as it is all working at the moment. What's that phrase? Don't fix something that isn't broken?

But it is broken, and broken badly! The fact that you cannot even run a DHCP server on this VLAN 40 network shows you this. Anyone on this VLAN 40 with basic skill or a simple Google would be able to access any of the IPT system, so there is zero security here. From a lay user's point of view I can see how it seems to be working. But from even the most basic network standpoint it is completely and utterly BORKED!!

On 01/07/2017 at 13:29, BudMan said: "But it is broken and broken badly! The fact that you can not even run dhcp server on this vlan 40 network shows you this.. [...]"

I understand that, so how would I go about sorting it?
Should I rename VLAN 40 to VLAN 122 and change the DHCP range to 10.122.40.xxx?
Or should I leave the VLAN name as it is and change DHCP to 10.122.40.xxx?
GVRP is enabled on all the switches as far as I am aware.

You have 2 networks running on VLAN 40. You need to create a new VLAN, either for your 10.122 network or for the other devices that are not IPT on VLAN 40.

If you want to name it VLAN 122, sure; what ID you use is not really important. So either leave all those devices how they are and create a new VLAN for your devices that are on your VLAN 40 "10.22.40.0/24", maybe call it VLAN 22.

Cheers for the info. One last question I think:

 

As I mentioned previously, we have GVRP enabled across the site, except on this one edge switch in question. As GVRP is disabled on this switch, the port is manually tagged as VLAN 40 so that the engineer can connect his laptop up. My question: If GVRP was enabled, how would this engineer connect to VLAN 40 if the VLAN assignment is automatic?

I really don't know how you're set up; it sounds like a complete mess!! GVRP would be used on trunk ports for dynamic addition and pruning of the VLANs on your trunks (uplinks to other switches). Are you saying you have every port set for GVRP?

 

You would setup GVRP to add a new vlan to trunk.  This allows you to create a vlan and let it propagate throughout your switching network so you don't have to go hit all your other uplinks and allow said vlan, etc.

 

Can you post up config of your core switch and a access switch?  PM it to me if you don't want to post it, or I can send you my email address in PM if your ok with sending me the config.

On 07/07/2017 at 10:16, BudMan said: "I really don't know how your setup - it sounds like a complete mess!! GVRP would be used on trunks ports for dynamic addition and pruning on the vlans on your trunk (uplinks to other switches).. Are you saying you have every port set for GVRP? [...] Can you post up config of your core switch and a access switch?"

Sorry, I've been reading over some previous emails and it appears my assumption of GVRP may have been incorrect. I think I may have confused it with 802.1x. That was originally on all of our ports on all of the edge switches, as I had to use the command on port 3 to allow the VLAN to be changed manually:

no aaa port-access authenticator 3

 

If 802.1x is enabled on that port and the engineer turns up with a laptop - how would he connect to VLAN 40?

What is your concern?

You have ports that are VLAN 40, and you're running more than one network address space on them! If he plugs into a port that is VLAN 40 and sets the IP address for your IPT, he will be able to talk to the IPT; if he sets an IP to talk to your other VLAN 40 stuff, he will be able to talk to that.

Once you FIX this mess, it doesn't matter what VLAN he connects to and what IP he uses; he will be able to talk to the IPT via its IP from the IP range of whatever VLAN he is on, via routing!

On 07/07/2017 at 10:43, BudMan said: "What is your concern? You have ports that are vlan 40, and your running more than one network address space on them! [...] Once you FIX this mess - doesn't matter what vlan he connects to and what IP he uses he will be able to talk to IPT via its IP from the IP range of whatever vlan he is on via routing!"

I understand that, but it isn't something I can sort in the short term.

 

The whole issue is if the engineer turns up and he does not have physical access to the switch. Ideally, I'd like him to rock up to another room and connect into a network socket, regardless of what switch/port that is connected to. If he could somehow configure his laptop so that 802.1x automatically puts that port on VLAN 40 during that use...that would be grand. If not, I'd have to find the switch and port he is on, use PuTTY to connect to the switch and run that above command, just to allow him access. Then change it back when he's done. Though, if neither my colleague or I are on-site at the time the engineer is on-site...we wouldn't even be able to do that. Which is why if it could be automatically done, it would be great.

 

Does that make sense?

You really need to have a little understanding of what you are looking at. 

 

If it automatically assigns VLANs, that can be based either on the user login/user groups the user is in, or on the PC and what that PC is a member of. If it doesn't automatically assign VLANs, the port on the switch is configured for the VLAN he needs/wants to be on, and that can be done on the fly with the tech either SSHing into the switch or physically connecting in when he is there and changing the config. I am not the tech, I am not on site, I cannot tell you what he is doing. I also don't know the config of your environment, so for me to sit over here and tell you the right course of action would be asinine and could lead you into a complete misconfiguration taking down your entire network. Best advice I can give: post your configs. If you don't want to post the configs of every switch (because each switch can be configured differently), learn your environment well enough to have an educated discussion, or hire someone to fix this mess.

This topic is now closed to further replies.
    • I've had the opposite honestly Linux always just works except for games with drm/anti cheat Windows is sometimes corrupted on first install Windows update downloading wrong drivers ...
  • Recent Achievements

    • One Month Later
      5i3zi1 earned a badge
      One Month Later
    • Week One Done
      5i3zi1 earned a badge
      Week One Done
    • Week One Done
      julien02 earned a badge
      Week One Done
    • One Year In
      Drewidian1 earned a badge
      One Year In
    • Explorer
      Case_f went up a rank
      Explorer
  • Popular Contributors

    1. 1
      +primortal
      538
    2. 2
      ATLien_0
      225
    3. 3
      +FloatingFatMan
      157
    4. 4
      Michael Scrip
      112
    5. 5
      +Edouard
      95
  • Tell a friend

    Love Neowin? Tell a friend!