--- Log opened Thu Apr 05 00:00:33 2018
00:15 < sharkinasuit> hey everyone
00:16 < sharkinasuit> anyone here into network security?
00:17 < sharkinasuit> network security anyone??
00:18 < quantum> I need to set a static IPV6 address in a VM that is not in the LAN's CIDR. But it's not taking. The interface has the link-local, but will not take the public IP.
00:19 < quantum> I can set a public IP that's -in- the LAN's CIDR, but not one that's not.
00:19 < quantum> This is a DMZ machine and doesn't belong in the LAN's CIDR.
00:20 < pekster> You can set any IP you want, though that doesn't make it valid without actual routing support
00:20 < quantum> I can't set an IP that's outside the LAN's CIDR. It just doesn't show for the interface.
00:20 < quantum> The link-local does.
00:21 < E1ephant> can you assign it as a /128?
00:21 < quantum> And I can set it to an IP that's -in- the LAN's CIDR... but not -out-.
00:21 < pekster> Depends on the OS, but this works just fine on a Linux despite being invalid as an example-RFC: `ip addr add 2001:db8::1001/64 dev enp5s0`
00:21 < quantum> RHEL.
00:21 < E1ephant> how are you expecting that IP to route to said node via link-local? just a static route upstream?
00:21 < pekster> That's not in my "LAN" CIDR, but IPv6 does not care because you can, and usually do, have multiple addresses in v6, at least link-local and a GUA IP
00:22 < E1ephant> yeah it's just another address, what error do you get when you assign it?
00:22 < pekster> If you can't set an IP like that on any modern Linux, something else is very wrong with your configuration. However, to properly make use of a secondary IP that's in a different subnet, you'll need cooperation from the router
00:22 < quantum> I don't expect that IP to route to said node via link-local? But a link-local is evidence that IPV6 is working.
00:23 < pekster> So yea, we'd need to know a lot more about your setup, like how this secondary network is routed. Is this a classic Ethernet topology? Point-to-point for the 2nd IP? Something else?
00:23 < quantum> I haven't set the router to IPV6 yet. (I think you actually mean the Gateway)
00:23 < E1ephant> lol
00:23 < pekster> router, gateway, same thing. Your next-hop
00:24 < quantum> IPV6 doesn't need a router.
00:24 < E1ephant> uhhhhhh
00:24 < pekster> If you want to route to any other networks, it does, same as IPv4 ;)
00:24 < quantum> ... but I'm putting it through a gateway for an additional security layer.
00:24 < pekster> If you only have a flat topology then just use LL and never go anywhere else
00:24 < pekster> (that's not very useful though)
00:25 < E1ephant> do you want to connect to other subnets? because that is how you connect to other subnets
00:25 < E1ephant> other networks like the Internet
00:25 < E1ephant> are very popular
00:25 < quantum> The LAN points to the gateway, and the DMZ points to the gateway.
00:25 < pekster> Your system is presumably in your LAN. Or _a_ LAN at least
00:26 < pekster> The DMZ itself is a LAN. A "LAN" is just a fancy way of saying "1 or more computers on a broadcast domain"
00:26 < quantum> ... but I haven't given the gateway an IPV6 address yet. That's the only reason I can think the DMZ machine won't take an IP, which I've set on 11 other machines successfully.
00:26 < E1ephant> or just a bunch of systems connected locally
00:26 < E1ephant> yeah what error do you get?
00:27 < pekster> I showed you an example above where I (very successfully) set an arbitrary IP (v6) address. Does that work for you, if you change the device to one on your system?
00:27 < quantum> It just will not set a public IPV6 IP.
00:27 < quantum> It has LL, and all IPV4.
00:27 < E1ephant> so no error or output at all?
00:27 < quantum> ... and when I set it to an IPV6 that's in the LAN's CIDR it takes it just fine.
00:27 < quantum> No error.
00:28 < E1ephant> how are you expecting to get this GUA, DHCPv6? SLAAC? Static?
00:28 < quantum> Setting all to static for now, then will go to DHCP6 for the love of all that's holy.
00:29 < pekster> Are you using ip-address(8) for this? that will either add the IP or fail with an error message
00:29 < quantum> Setting IPs, firewalls, testing, and then the next step.
00:29 < quantum> Setting shorewall6 for each machine as I go.
00:29 < E1ephant> yeah are you sure there isn't an error in messages/syslog?
00:30 < pekster> So your problem is almost surely shorewall. Try using `ip` and if you can do that, your issue is your abstraction layer
00:30 < E1ephant> it sounds like some information is missing
00:30 < quantum> Shorewall6 won't interfere with setting a static6.
00:30 < pekster> Your issue isn't with adding the IP or IPv6 at all; it's your silly abstraction layer :\
00:30 < pekster> protip: explain what you're doing when things go wrong next time
00:30 < drac_boy> hi
00:31 < quantum> Absolutely no errors in messages.
00:31 < pekster> Adding an IP address on an interface, say eth0, is really quite simple: `ip -6 addr add 2001:db8::1002/64 dev eth0`
00:31 < pekster> That's it
00:31 < drac_boy> is fddi basically only for internet/intranet or can one use it as a storage in some way instead?
00:31 < E1ephant> ^
00:31 < quantum> pekster: I've done this already on 11 other machines... but they are all in the same CIDR.
00:32 < pekster> quantum: So, you've 1) not explained you were using shorewall, instead saying you were "unable to add an IP". 2) you _still_ haven't explained what you're doing, in case someone here actually knows about shorewall (I do not,) and 3) you have so far failed to provide any meaningful summary of your topology
00:32 < quantum> The instant I set one outside that CIDR, no go.
00:32 < E1ephant> right, because why would that work?
00:32 < E1ephant> out of the box?
00:32 < E1ephant> you haven't explained that bit either
00:33 < E1ephant> you can't just assign addresses willy nilly with no routing and expect routing to happen no?
00:33 < petemc> quantum: i add a public ipv6 ip and use post-up lines to add a route for it
00:33 < quantum> To think that shorewall is related, is nonsense.
00:33 < quantum> I have explained the topo ^^
00:33 < E1ephant> how is it not related, you're using it?
00:33 < pekster> Because "IPs can't be added" and "it worked 11 other places." Must be true. I flipped a coin 11 times and got tails. Must be a law of nature
00:34 < quantum> In setting a static IP with /etc/sysconfig/network-scripts/ifcfg-eth0?
00:34 < petemc> i use debian, but same principles apply
00:34 < quantum> Listen to me pekster! I CAN set a static IP on this machine, as long as it is in the same CIDR as the LAN.
00:34 < pekster> Did you see what I said above?
00:35 < E1ephant> yeah this has already been addressed
00:35 < pekster> Let's start without _any_ messy abstraction, OK? Can you add a specific test IP to your interface?
00:35 < pekster> If so, then your statement about being unable to do so, and getting "no errors" when you try is summarily false
00:35 < quantum> I can set any IP to this interface, as long as it's in the LAN's CIDR.
00:35 < pekster> False statements made without properly diagnosing where your problem is will get you no help, us frustrated, and anyone possibly interested in caring to stop caring
00:35 < E1ephant> with the ip command?
00:36 < E1ephant> all you have mentioned is distro specific config files
00:36 < pekster> So, one last time, what, _exactly_ did you enter at the command prompt that did not work?
00:36 < E1ephant> and what output did you get back?
00:36 < quantum> ip address
00:36 < pekster> If you have eth0, does `ip -6 addr add 2001:db8::1002/64 dev eth0` work? Replace eth0 with your NIC here
00:37 < pekster> You'll know if it worked, because 1) you'll get no error and the return code will be 0, and 2) if you then run `ip -6 addr show` you will see 2001:db8::1002/64 on that interface. It won't do anything meaningful, but it should show up
00:37 < quantum> Something's wrong with the command. I get >
00:38 < pekster> You don't type the ` (backtick), just the text between them
00:38 < quantum> Oh, I'd included the first tic.
00:38 < pekster> ^C and try again
00:38 < E1ephant> I'll just wait for op
00:38 < quantum> Yes that works.
00:38 < E1ephant> surely they'll get back
00:38 * E1ephant dies
00:38 < pekster> So you can add arbitrary IPv6 IPs just fine
00:39 < pekster> You just spend 10 minutes trying so hard to say you couldn't
00:39 < pekster> spent*
00:39 < E1ephant> lol
00:39 < pekster> Bummer, I was going to offer congratulations for fixing the problem :(
00:39 < E1ephant> level of help: ragequit
00:40 < pekster> I'm sure the abstraction here is really awful too. Probably some VM layer that interfaces with shorewall6 and some poorly managed distro scripts, and "somewhere" in that mess the magic smoke has escaped
00:41 < E1ephant> yeah I wouldn't even want to head into that bush-maze of probably shitty ass stale perl scripts
00:42 < Paruza> I've got a little asus router here, which I have commandline access to (linux), having an odd issue. Trying to add a local route 10.8.9.0/24 (br0) via 192.168.1.11 which is locally connected also on br0. ipforward is enabled and the route is in the table. Additionally the FORWARD chain does not show any matches on any drop rules. I can see the traffic leave for the asus router, but it does not get forwarded. Any thoughts?
00:43 < E1ephant> hmmmm, are you trying to get to 10.8.9.0/24 from that linux box, or some other host in that same subnet?
00:43 < E1ephant> (may need IP_redirect?)
00:44 < pekster> If it's leaving the asus box, by definition it's forwarded, I think (unless you mean locally generated traffic)
00:44 < pekster> If I understood right
00:44 < Paruza> my system is on 10.8.9.x, I'm trying to reach 192.168.1.10 via my default gw
00:44 < E1ephant> yeah locally generated wouldn't have to ip-redirect
00:45 < Paruza> wireshark on .10 shows the traffic arrives, but that system has the asus router as its gw, the traffic leaves for that but does not get routed to 10's gw
00:46 < E1ephant> errrr so where are your broadcast domains, and where are your routes?
00:46 < E1ephant> is everything just plugged into the asus router?
00:47 < voidstar> @spockbot#9272 why is this relevant?
00:47 < voidstar> wrong channel
00:48 < Paruza> 10.8.9.0 is reached via the router (a windows openvpn server) 192.168.1.11. All 192.* systems have a default gw of 192.168.1.1 (the asus router)
00:48 < hypercore> how does a company like https://ipdata.co get their information?
00:48 < Paruza> so I add the static route to the asus router so that traffic destined for 10x heads to .11
00:48 < E1ephant> this windows host has an IP /interface in both subnets right?
00:48 < E1ephant> it is .11?
00:48 < Paruza> yup
00:48 < E1ephant> aye
00:49 < Paruza> if I add a local route to whatever system within 192.x it will work fine
00:49 < E1ephant> right
00:49 < pekster> Have you pushed a route to your connected VPN clients to reach back to your 192.168.1.0/24 network? Also, that's a *horrible* network to use with OpenVPN as it'll break if any remote clients are on a local version of that network
00:49 < Paruza> yeah
00:49 < pekster> (it's one of the 2 most popular RFC1918 nets on the planet)
00:49 < E1ephant> so basically the issue is that the next-hop for the route is in the same subnet
00:50 < E1ephant> so you wouldn't really route this
00:50 < Paruza> yeah I know it's an awful subnet, but that's what the company is at the moment
00:50 < Paruza> it's not, the openvpn subnet is 10x
00:50 < hypercore> or does nobody know?
00:50 < pekster> Not OpenVPN, the _far_ network
00:50 < E1ephant> you would send an "ip-redirect" from the gateway/asus, telling subnet members that the next hop for that subnet is .11
00:50 < E1ephant> so they use the correct next-hop
00:50 < Paruza> yeah
00:51 < pekster> E1ephant: Um, what? Many clients just outright reject ip-redirect next-hop anyway, but it's also not needed here with proper bi-directional routing
00:51 < d3x0r> hypercore https://www.iana.org/numbers and domain name location != IP subnet block registration...
00:51 < E1ephant> so I suspect ip-redirect might be disabled, or not used.
00:51 < d3x0r> cox recently shuffled IP's. The one I have still reports as from Kansas. I'm not in Kansas. and also
00:51 < E1ephant> you could turn this on
00:52 < E1ephant> or in this scenario I actually just use a /31 or /30 link with the VPN server
00:52 < E1ephant> so I can route between my LAN and OVPN subnet
00:52 < E1ephant> pekster: right, it's not ideal to use ip-redirect at all
00:53 < E1ephant> this is a bit problematic I suspect though, unless the asus does dot1q
00:53 < hypercore> d3x0r: is it accurate enough to guess (with a high level of accuracy) a user's country? (given their ip)
00:53 < E1ephant> since you have 4 ports as a switch (br0?) so not actually four routed ports
00:53 < hypercore> doesn't have to be county/city
00:53 < d3x0r> hypercore there are databases for that
00:53 < hypercore> d3x0r: are they open source?
00:53 < hypercore> or freely available?
00:53 < Paruza> is this not a usual situation? a route should be able to head back out the same interface right?
00:54 < d3x0r> I don't know if you can find a download at iana (authority) I did find one that wanted like $275/6mo with updates
00:54 < E1ephant> nah, this is breaking what is called the "split-horizon" rule
00:54 < hypercore> d3x0r: geez
00:54 < pekster> Paruza: You've basically got some "triangle routing" going on, as the client sends to the LAN gw, that sends to the VPN box, then to the client. That's OK, but the reply goes to the VPN gateway, it sees the destination is on the local network, and that _might_ anger stateful firewalling on either the VPN host or the asus, depending on their configuration
00:55 < pekster> Sometimes that is an OK thing to do, *but* only if both your gateways are OK with that kind of a setup
00:55 < E1ephant> yeah I mean you're not routing if you're in the same subnet
00:55 < E1ephant> it's ip redirect
00:55 < pekster> Chances are either the asus gateway at your border or Windows is not, though you'd have to see how far the reply gets
00:55 < E1ephant> but yeah
00:55 < Stryyker> hypercore: Is there something you want to do with the information? Maybe there is a better way to solve your problem.
00:56 < pekster> You can route "across" the same broadcast domain using 2 discrete subnets like that, sure, it's just a setup for problems if not all devices agree on permitting the traffic
00:56 < hypercore> Stryyker: i'm in the middle of building a website, and it would be ideal if i can detect which country each user is in so i can automatically load their language
00:56 < pekster> If it's not a full-Linux (openwrt or similar) on the asus, even money is on the asus or Windows throwing a tantrum here
00:56 < E1ephant> these subnets aren't in the same broadcast domain
00:56 < E1ephant> he is separating them with the windows server
00:57 < drac_boy> hmm same subnet .. not to interrupt this topic for something a bit different but I have to ask if it's not too crazy to have two different nat ip ranges and somehow both groups can see each other no problem? (say 192.168* computer and 172.16* printer)
00:57 < Stryyker> hypercore: Probably better to respect the HTTP header language.
00:57 < hypercore> Stryyker: kind of like how stripe does (although they don't automatically change language)
00:57 < E1ephant> it's the next-hop that isn't consistent on the LAN subnet
00:57 < drac_boy> stryyker and if it's blank don't force anything but just leave the user at a manual-select-your-language page
00:57 < pekster> E1ephant: Oh, yea, it's just the return-path "skips" the asus, right. Lack of a PtP style link to the VPN server may "be" the issue
00:57 < hypercore> Stryyker: how does stripe do it?
00:57 < xyxxy> how long would it take nmap to scan the top 100 ports on 7500 machines?
00:58 < Stryyker> I have not used stripe. No idea. People that travel will not like your scheme.
00:58 < E1ephant> the return path yeah, has to skip the asus, so yeah a ptp link with the vpn server and asus would fix.
00:58 < pekster> Or convincing the asus & Windows that asymmetric routing is OK here
00:58 < E1ephant> .11 has to be the next-hop for that subnet
00:59 < pekster> (if that's even possible)
00:59 < hypercore> Stryyker: ok, forget the changing language. How would i detect the location regardless?
00:59 < E1ephant> all the hosts have to know that .11 is the next-hop for the VPN subnet
00:59 < Stryyker> I think you're hell bent on doing something no matter how much it will blow up
00:59 < pekster> Assuming you can convince windows that it's OK to do it, and the asus that the "outbound-only" traffic is OK, the source shouldn't care that it's magically getting packets from a different MAC
01:00 < E1ephant> since the next-hop is in the same subnet
01:00 < E1ephant> if the next-hop was in a different subnet, sending to the gw/asus would be fine.
01:00 < Paruza> it's the asus router that's having the issue with it. If I add a static route on whatever system in that subnet I am trying to reach it will work fine.
01:00 < pekster> It could be either end; the issue is simply manifesting due to an issue with the asymmetric L2 return-path
01:00 < Paruza> but yeah i think i ran into this once before, this might not be solvable on a little asus router...
01:01 < pekster> It might be if you flash OpenWRT on it and put VLANs on the downstream link ;)
01:01 < E1ephant> http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.htm
01:01 < pekster> (or physically separate links too, but that's more hardware. Save Cat-5! Configure trunks! :P)
01:02 < hypercore> Stryyker: hypothetically, how would you go about it?
01:03 < drac_boy> hypercore by serving a language selection welcome page :P
01:03 < pekster> Or, neat idea, do the openvpn on the openwrt router Paruza :D
01:03 < Paruza> yeah could do that
01:03 < pekster> Then it's the core router, and you no longer have a half-split in your routing topology
01:03 < hypercore> geez, forget the language thing. I want to serve location-specific content, why does it even matter?
01:04 < hypercore> maybe you just don't know how to do it, and this is your saving face
01:04 < drac_boy> hypercore again...serve a manual page or gtfo .. that's the only sensible way
01:04 < Paruza> in this case though there's only a couple systems that need to be reached, so I'll probably just add a static route on both of them and call it good :P
01:05 < E1ephant> can be the easiest way :)
01:06 < hypercore> drac_boy: lol you have no idea what i'm trying to accomplish
01:06 < hypercore> drac_boy: get over this "changing language" idea, that's not the primary objective
01:06 < Stryyker> Sounds like you want to piss off some site visitors.
01:07 < Stryyker> I hate it when newegg.com pops up crap thinking it is smart
01:07 < Stryyker> One site used stale information and gave me a site in Swedish. Rage!
01:08 < hypercore> Stryyker: just because you find something inconvenient, doesn't mean the majority of people do
01:08 < drac_boy> hypercore you're the one with zero clue tbh
01:09 < hypercore> drac_boy: nah man i'm sorry, you're wrong
01:09 < drac_boy> try ask someone in quebec why they can't get online and it's more than likely due to no english page .. that exactly is why you need a manual language page period
01:09 < drac_boy> so if you can't get a clue then you shouldn't be trying to do it .. that's all
01:09 < Stryyker> the hint I'll give is whois
01:10 < Stryyker> but I see so many web devs competing with web devs at the detriment of visitor satisfaction.
01:10 < drac_boy> stryyker yeah more than often when I type in a specific domain suffix I *meant* to go to that page regardingly
01:10 < drac_boy> and that includes images.google.de as well
01:10 < hypercore> Stryyker: isn't that only for domain name information?
01:11 < hypercore> drac_boy: once again, your anecdotal annoyances don't speak for the majority of users
01:11 < hypercore> drac_boy: try to be a little more open minded
01:14 < pekster> Anyone automating "whois" should be (figuratively) shot, or at least automatically banned from whois queries. Don't do that (it's in the terms of every query you make FFS.) geo-ip or server-side LANG detection, if you insist on exploring that
01:14 < drac_boy> pekster tell that to clueless hypercore obviously :)
01:14 < pekster> You're the one who apparently "hinted" that `whois` is the way to do this :\
01:14 < pekster> Oh, no, not you, my mistake :)
01:15 < Stryyker> That was me
01:15 < pekster> Right (and _you_ should feel bad ;)
01:16 < drac_boy> np pekster my one and only method is to present a manual list of possible languages and let user click on what actually suits their local home :)
01:18 < pekster> That's how most of the "big names" do it, yea, like UPS
01:19 < pekster> Sometimes you can spot where the clever attempts don't work so well, like hitting something via a tor exit. I've seen that on Google, though not sure how recently as I don't usually google over tor anymore
01:19 < lupine> unless you're an LIR, of course
01:19 < lupine> I wrote some quite good whois automation code
01:19 < Stryyker> Google etc. also have the geo-DNS stuff
01:21 < orlock> pekster: Just being a pedant, but that would depend on the WHOIS server you are querying
01:22 < pekster> orlock: Sure, I almost made that point too, but server-policies notwithstanding, it's stilly a crummy general solution/suggestion
01:22 < pekster> still*
01:22 < orlock> yeah, i didn't even see the issue it was an attempt to solve tbh
01:22 < orlock> i do some semi-automated whois queries on firewall log data
01:22 < orlock> but i know that it's always going to be hitting the same WHOIS server
01:23 < orlock> as i'm specifically filtering for ranges that the local NIC manages
01:25 < pekster> Yea, presumably you either know you're under the AUP rate, rate-limit yourself, or don't mind if the ban-hammer comes down. caveat emptor
01:27 < orlock> pekster: It's funny, one of the queries i just made has some remarks from the ISP in the response
01:28 < orlock> saying before forwarding any abuse notices, please use the _web interface_ the NIC provides to whois.
01:29 < orlock> .. It's all the same database...
01:51 < php> Hallo!
01:52 < php> I'm having an issue with my VPN between my home (the Client) and my Vultr router (the Server). Both are Vyatta-based (EdgeOS Client, VyOS Server).
01:53 < php> The Client has subnets 172.16.64.2/29 and 10.0.0.0/8 (subnetted). The Server has subnets 172.16.64.1/29 and a single public /23
01:53 < php> Client can ping Server on common subnet, and vice versa. Server cannot ping 10.0.0.0/8 on Client
02:20 < fahadash> When wiring the house does it make sense to run cat6e instead of cat6e?
02:21 < fahadash> Instead of cat5e***
02:21 < Chewza> I mean, at this point if you're wiring it up might as well future proof it
02:22 < Chewza> cat6 will get you 10gb without issue, if you were to run 10gbase-t
02:22 < fahadash> What's the fastest switch available out there?
02:24 < Meta> Probably 100gb
02:24 < Meta> My house is wired Cat6. Cat6e is just expensive and so is the hardware to take advantage of it.
02:26 < Meta> Once PCs start getting 10gb NICs, we might actually be able to take full advantage of the Cat6
02:27 < Chewza> is this old or new construction fahadash
02:29 < Chewza> I mean you can get 1000ft of cat6 from monoprice for about $90, not sure what's expensive about that
02:29 < Meta> The installation is the majority of the cost.
02:29 < Meta> And I said 6e.
02:37 < orlock> fahadash: It makes sense to install decent conduit
02:37 < fahadash> New
02:37 <+pppingme> fahadash the best thing to do is pull 1/2 or 3/4 flex conduit to everywhere, then changing out in the future is EASY
02:37 * orlock high fives pppingme
02:37 < Chewza> well considering there is no actual 6e standard, you must mean Cat6A or Class EA
02:37 < Meta> Yeah, that
02:38 < Meta> I can never remember.
02:38 < Chewza> $140 from monoprice fahadash https://www.monoprice.com/product?c_id=102&cp_id=10259&cs_id=1025901&p_id=18600&seq=1&format=2
02:38 < Chewza> if it's new construction, I highly recommend running conduit to your central network location from all your rooms
02:38 < Meta> I'm trying to find out how much our installation cost but it was in the thousands for pre-existing build. Probably much cheaper before the plasterboard goes up.
02:38 < Chewza> and run pull lines in the conduit to make pulling new stuff easier
02:40 < Chewza> probably wouldn't hurt to run OM3 if you wanted to get real crazy
02:40 < Chewza> I'd also run double the number of lines you think you'll need
02:40 < Meta> We terminated ours to a linen closet. Nice hidden spot.
02:47 < Meta> orlock: These the ones? https://www.cisco.com/c/dam/en/us/support/docs/SWTG/ProductImages/switches-sg300-10mp-10-port-gigabit-max-poe-managed-switch.jpg
02:51 < orlock> Meta: No. Not those. Never those.
02:51 < orlock> When i said " and i mean real IOS switches, not that crap SG stuff"
02:51 < orlock> That is the "Crap SG" stuff
02:51 < orlock> They don't run IOS, and the management is a joke
02:52 < Criggie> no CLI ? No thank you.
02:52 < orlock> They have a txt interface, but from what i remember, it's not CLI, it's Curses style
02:52 < Meta> What is SG?
02:52 < orlock> Meta: The prefix on the model number of that switch image
02:53 < Meta> Oh, the model number
02:53 < Meta> Right
02:53 < orlock> also known as "Cisco Small Business" gear
02:53 < Criggie> Meta: "Small Business" - acquired from Linksys
02:53 < Meta> >Linksys
02:53 < Meta> Got it.
02:53 < orlock> I had a manager buy a pair because they were "So Cheap!"
02:54 < orlock> like, $350 instead of $2500 for a rackmount 24 or 48 port
02:54 < orlock> with comparable throughput/PPS rates of a 2950
02:54 < Chewza> think he means these... https://www.cisco.com/c/en/us/products/switches/catalyst-2960-l-series-switches/index.html
02:54 < Meta> You get what you pay for, I guess
02:55 < Meta> I reckon I've seen those in insurance claims at work. I'm an admin assistant but as soon as someone sees something with computer gear, they come and ask for help.
02:55 < orlock> https://www.cisco.com/c/en/us/products/switches/catalyst-2960-cx-series-switches/index.html
02:56 < Meta> What are ports 9 and 10?
02:56 < Chewza> aww those are even cuter
02:56 < Criggie> guessing SFPs
02:56 < Meta> They're round. Adorable.
02:56 < Meta> Nope, they're 8P8C
02:56 < Criggie> wait they're dual presentation ports
02:56 < orlock> The ones we have are 8x 100base, and 2xGig, available via either SFP or copper
02:56 < Criggie> so 9 copper goes with 9 SFP and you can only use one of them at a time
02:56 < orlock> The ones in that picture are different
02:57 < orlock> they have 9-10-11-12
02:57 < Meta> "uplinks"
02:57 < Criggie> yup - 9 will probably disable 11 and vice versa
02:57 < Meta> Ah okay.
02:57 < Meta> So it's functionally 1 SFP port?
02:57 < Criggie> 8 ports isn't even enough for my desk
02:57 < orlock> No, they would have the same number in that case
02:58 < Criggie> how many offices only need 8 ports ?
02:58 < Criggie> short sighted ones :-\
02:58 < Meta> It was as a suggestion for extending my wallplates
02:58 < Criggie> The only good thing about such switches is they are probably passively cooled and therefore silent.
02:58 < orlock> dual SFP for uplink, and then the local copper for redistribution
02:58 < Meta> I suspect one of the reasons we haven't extended it in that way is because then we'd have to muck about with STP
02:58 < Criggie> But having your switches all together means only one UPS required.
02:59 < Criggie> and it's securable
02:59 < Criggie> a bunch of little switches under people's desks is asking for problems
02:59 < Meta> Yeah, that's probably the other reason, we've got 2 UPSes, neither of them anywhere near the port shortage
02:59 < orlock> All depends on your requirements...
02:59 < orlock> Criggie: Better these than a Soho grade switch
02:59 < Meta> We're talking domestic here btw
02:59 < orlock> Also cheaper than adding more cables
02:59 < Criggie> Plus it's cisco - a wee 8 port switch will still cost 10-20x what a chingchong kamakooza 8 port desk switch would cost.
03:00 < Meta> Though our domestic install is approaching SOHO
03:00 < Criggie> BTW catalyst is proper cisco, it's better than the small business level.
03:00 < orlock> And it's still crap
03:00 < orlock> just less crap
03:00 < orlock> and the bugs are harder to find
03:01 < Criggie> all hardware is crap, somewhere
03:01 < orlock> the software is usually the problem
03:01 < Criggie> Meta: actually that might be a 12 port switch. The specs don't say "dual personality" or anything
03:01 < Meta> I'm confused by what the arrows pointing at each other denote
03:02 < orlock> Criggie: It is, as the port numbers go to 12
03:02 < orlock> If ports are dual use, they share a number
03:02 < Criggie> HEHEHEHE they should have started numbering at 0 like Juniper
03:02 < Meta> Or are they ports designed to be connected to the same device, one for up, one for down?
03:02 < orlock> At home, i only have a single 4 port switch built into my router
03:02 < Criggie> that way "this one goes to 11" would be true :)))
03:02 < Meta> ARRAYS START AT WUN
03:02 < orlock> Meta: Those are the indicator LEDs
03:02 < orlock> up arrow is for top port
03:02 < orlock> down is for bottom
03:03 < Meta> Ah
03:03 < orlock> And Cisco ASAs do count from 0
03:03 < Meta> There was plenty of space above them like the others
03:03 < Criggie> Meta: I'm making a movie reference. Not being serious
03:03 < Meta> That's dumb
03:03 < Meta> I was referencing this: https://i.redd.it/iwnqgrrbls5z.png
03:03 < Meta> References everywhere.
03:03 < orlock> I actually need to go and cable up one of those switches today
03:04 < orlock> to prevent people plugging in ASAs backwards and handing out DHCP addresses
03:04 < orlock> using the dhcp source verify stuff so only DHCP responses from the uplink port are allowed
03:05 < orlock> we have somewhere over 2000 ports worth of cisco stacks here
03:05 < orlock> pair of nexus for the core
03:06 < jvwjgames_> Hello
03:06 < jvwjgames_> i am still stuck on adding public ip's to a vm
03:06 < jvwjgames_> can someone remote in and help me
03:07 < Meta> orlock: I've just finished the ICND1 book and need to do my studying before I go for an exam. Do you think the CCENT will help me get a helpdesk job? Currently struggling to get even an interview. Thought I'd ask coz I know you're in AU too.
03:07 < Criggie> jvwjgames_: never ever allow randos to connect to your hosts 03:07 < orlock> Eh thought i recognised the handle 03:07 < Criggie> jvwjgames_: what kind of VM is it ? 03:07 < Meta> :D 03:07 < jvwjgames_> no they will be connecting to my teamviewer opn my computer so i can watch them 03:08 < jvwjgames_> and kvm on virtualizor 03:08 < jvwjgames_> and then i would be connecting to the server from there 03:08 < orlock> Meta: Probably, but it can be a shitfight, especially without experience 03:08 < Criggie> jvwjgames_: well its your network. 03:08 < orlock> more often than not, it does come down to who you know, not what you know 03:09 < Criggie> jvwjgames_: I'd look in virt-manager 03:09 < Meta> orlock: It's confusing to me because I've got customer service experience. I work in insurance so I'm more than used to dealing with angry people. 03:09 < Criggie> and make sure the VM has the NICs you're expecting 03:09 < orlock> pretty sure when i was asked about cisco's here i said something about "I know them well enough to hate them, but i can make them do what i want" 03:09 < Meta> Hah 03:09 < Criggie> yup. Its when kit doesn't do what it should .... thats badness 03:09 < orlock> like, nagios, i hate nagios, i can rant about it's defeciencies 03:09 < Meta> I interviewed for a position at my partner's company a few months ago but I think my 4 week notice period was a dealbreaker because 6 people started within a week 03:09 < orlock> but guess what - everything else is crap too 03:10 < Criggie> all hardware is crap at some point 03:10 < Meta> They were desperate for NOC staff, so they couldn't really wait 4 weeks. 03:10 < Criggie> Meta: never work with your other half. harmony comes from time apart. 03:10 < Meta> And sadly my co-worker had just had a family disaster so my boss probably wouldn't have been open to reducing the notice period. 03:11 < Meta> Criggie: Entirely different areas. 
I probably would have interacted once a week to enter the data centre to change backup tapes. lol
03:11 < jvwjgames_> the bridge has the external ip but i can't ping or get out
03:12 < Criggie> meta: ok that's workable.
03:12 < jvwjgames_> i don't get it, it should connect and ping
03:12 < forgotten> if an employer tried to set a "notice period" i'd throw up middle fingers
03:13 < Meta> I would never want to work directly under her.
03:13 < Meta> Notice periods are pretty standard in Australia... though my dad was telling me 4 weeks is a bit excessive.
03:14 < Meta> Usually it's based on pay cycles, which is every 2 weeks for me, not monthly.
03:14 < forgotten> it's like an unspoken, unwritten rule in the states usually. 2 weeks.
03:14 < forgotten> but both employer and employee can terminate employment at any time, without reason, or notice.
03:14 < forgotten> in most states. is law.
03:14 < Meta> Having been part of the company for nearly 2 years now, they struggle to find good/qualified staff.
03:15 < forgotten> how much they pay? i'll move to aus :P
03:15 < jvwjgames_> Criggie: i have 162.220.209.34 as my host, 162.220.209.35 as the bridge and 162.220.209.36 as the vm, all having 162.220.209.33 as the gateway and all of them have 255.255.255.248 as the netmask
03:16 < Meta> forgotten: If you're cool with doing data entry and typing reports from dictation, my job pays $49k. lol
03:16 < forgotten> erm..
03:16 < forgotten> and they have trouble finding "qualified staff" to do that?
03:17 < gzuh> I'm trying to set up a custom external Captive Portal page, but I need information on how to "ok" sessions
03:17 < Criggie> jvwjgames_: start by running tcpdump and confirm that packets are doing what you think
03:17 < Meta> I started off as a temp for 6 months before I applied for a permanent position. They had another temp that still couldn't do the maths side of things after about the same amount of time.
03:18 < Meta> The kinds of people that apply for "admin assistant" jobs are people without any other prospects.
03:18 < Criggie> jvwjgames_: from the internet I can ping 33, 34, and 35
03:18 < Criggie> jvwjgames_: so the problem is between 35 and 36
03:19 < Criggie> so on the host do a tcpdump -i any -nn host 162.220.209.36
03:19 < Criggie> and look for packets
03:21 < Meta> Keeping in mind I was one of those people and I'm grateful for it.
03:21 < jvwjgames_> criggie: ok i see arp traffic from 162.220.209.36
03:21 < orlock> eh, our admin assistant has a hard job here
03:22 < jvwjgames_> but for some reason i can't get back into vm
03:22 < jvwjgames_> it*
03:22 < Meta> I don't find my job particularly difficult or interesting.
03:22 < Meta> But some people apparently struggle with it.
03:22 < orlock> she just has lots of work
03:22 < orlock> though its almost more of a PA role for the managers
03:22 < orlock> and dealing with travel booking and stuff
03:23 < orlock> local subsidiary of a F150 multinational conglomerate, there's a lot of travel and crap
03:23 < Meta> Yeah. My contract says admin assistant but my boss calls me a PA. I work with two people.
03:23 < Meta> Four when the other admin is away.
03:23 < Criggie> travel is horrible.
03:24 < orlock> Criggie: And we get forced to use a specific travel broker due to MegaCorp
03:24 < Meta> Hah
03:24 < orlock> may be great for the americans, not great down under
03:24 < Meta> We've got the same problem orlock
03:24 < Meta> I tried booking a flight for one of my guys to Darwin on less than a day's notice and all I could find wanted to jump him from Adelaide to Sydney to Brisbane to Darwin.
03:24 < Criggie> orlock: yeah - that said we use a bit of video conferencing.
Its just as horrible, but at least there's not hours and days lost travelling
03:25 < Criggie> Meta: yeah - aussie's not really somewhere you jump in a car and drive
03:25 < orlock> We've been through several iterations of videoconferencing gear
03:25 < Meta> orlock: Is it Egencia?
03:25 < Criggie> orlock: heheheh the new gen is still in boxes, 12 months after it was delivered.
03:25 < Criggie> someone's reallocated the three TVs for use elsewhere
03:25 < forgotten> i was watching a thing about tasmania the other day and giant tiger snakes :D
03:26 < orlock> The latest lot has been sitting in the IT room for almost a year waiting to be installed...
03:26 < Criggie> orlock: dude
03:26 < Criggie> do you work here ?
03:26 < orlock> This includes the 65" Sony smart TV
03:26 < Meta> Criggie: Certainly not the 3,000km directly across the outback. lol
03:26 < Criggie> nah ours had 3x ~50" TVs for the cisco "boardroom table" crapola thing
03:26 < Criggie> immersive boardroom
03:27 < Meta> My work is still slowly implementing Skype for Business and Outlook.
03:27 < Meta> We're using IBM Notes.
03:27 < orlock> Yeah, we had that but Polycom
03:27 < orlock> but now we are looking at Bluejeans
03:27 < forgotten> i have a video wall with 12, 55" tv's in our ops floor :D, watching basketball on 4 of them split right now
03:27 < orlock> but theres also Webex and S4B
03:27 < Meta> I've got friends that get PTSD flashbacks every time I mention Notes. lmao
03:27 < orlock> We have notes here
03:27 < Criggie> jesus = to be totally honest - google hangouts is all you need
03:27 < orlock> it's down 66% of the time
03:27 < Criggie> plus I can pick my nose while the meeting is on and noone will see.
03:28 < Criggie> probably
03:28 < Meta> Ours is surprisingly stable!
03:28 < Criggie> *brb*
03:28 < Meta> Our claims system goes down more often
03:32 < Meta> Finally got an answer on cabling installation.
Re-routing phone cabling, patch panels, wall plates (I think there's 6, around 32 ports), 12 RU rack, all cabling, in an existing house, was around $4-5k
03:32 < Criggie> this is at home ?
03:33 < Meta> This is my house, yeah
03:33 < Criggie> you absolute fucking geek
03:33 < Criggie> :-P
03:33 < Meta> You missed my photos of our three racks?
03:33 < Criggie> (that's meant as a compliment btw)
03:33 < forgotten> 12u rack fer what?
03:33 < Meta> For the home network.
03:34 < forgotten> erm.. ok lol
03:34 < Meta> https://i.imgur.com/hfkl2CO.jpg
03:34 < Meta> This
03:34 < Criggie> https://imgur.com/a/bmVYy ?
03:34 < Meta> That one is the home lab
03:35 < jvwjgames_> criggie: So i see traffic from my vm to host but not from host to vm
03:36 < Meta> Criggie: We pride ourselves on having tradespeople come to the house and thinking we're NASA. ;)
03:37 < Criggie> Hehehhe Is that a 23" rack ?
03:37 < Meta> Which one?
03:37 < Criggie> the lab photo
03:38 < Criggie> What device is gallium? looks like a 5 port switch, but is in a nice 19" adapter
03:38 < Criggie> Seems to be a rack inside a white melamine cupboard
03:38 < forgotten> i just have a big ass desktop computer, beast of a thing. and then some small networking stuff. netgate 4port gig router with openbsd on it, 8port switch with span / vlans, netgear nighthawk AP mode for wireless etc.
03:39 < forgotten> try to keep the physical giant devices to a min for power saving
03:39 < Meta> The rack is bolted to the wall
03:39 < Meta> In that cupboard
03:39 < Meta> I think it's technically our linen cupboard because it's near the laundry.
03:41 < Meta> Criggie: Lemme go have a look at it.
lol
03:41 < Meta> The big one is only 19"
03:42 < Meta> As for Gallium, it is an ADSL modem
03:46 < jvwjgames_> anyone i can see net traffic from .36 and i set gateway to .35 on .36 and am now able to ping .35 from .36 but still unable to access internet
03:46 < Criggie> Meta: ok it looks like theres a lot of space on the left
03:46 < Criggie> jvwjgames_: I think your gateway should be pointing at .33
03:47 < Criggie> meta: https://criggie.org.nz/network/2011-12_servers.jpg
03:47 < Criggie> 7 years out of date though
03:48 < Meta> I like your rack keyboard, that's cool.
03:49 < Meta> My partner operates the DC at her work. I need to arrange to have a tour at some point coz I think it would be interesting.
03:52 < Criggie> yeah its a compaq, goes with the HP KVM and the NOVA rack
03:53 < Criggie> all I need now is a DIGITAL thing
03:54 < Meta> Oh. Apparently Gallium is a POE switch for the WWAN on the roof. It's no longer in use. I was discussing port shortage with my partner and apparently that's what we'll be using to fix it.
03:54 < Criggie> ok - it was a nifty 19" holder is all.
03:54 < Criggie> I should update my rack photos before packing it all up for moving.
03:54 < Meta> It can hold 3 of them
03:54 < Criggie> Insurance etc.
03:55 < Meta> We need to change insurers but I noticed something going through the PDS the other day
03:55 < Meta> Sublimit of $10k for computer equipment, so make sure you check that.
04:00 < jvwjgames_> but if i set it to .33 i get no connectivity
04:03 < jvwjgames> criggie correction gateway is set to .33
04:04 < jvwjgames> but for some reason it can reach .35 and .35 can reach .36 but .36 can't reach internet
04:04 < Criggie> jvwjgames: do you have any iptables rules running on the KVM host ?
04:04 < phirephly> TandyUK, re your question last night, I got my ASN last year for $550 + $100/yr from ARIN, then borrowed my /24+/48 from friends for free
04:04 < Criggie> that's because they're in the same /29 subnet and don't need to talk to the gateway to see each other.
04:06 < jvwjgames> no firewalls running on kvm host or vm
04:10 < compdoc> jvwjgames, wasnt following, but if they cant see, then routing is messed up
04:10 < jvwjgames> compdoc .35 and .36 can see each other
04:10 < jvwjgames> .35 can see internet
04:10 < jvwjgames> but .36 can't
04:11 < compdoc> whats the subnet and mask you use?
04:11 < jvwjgames> 162.220.209.xx 255.255.255.248
04:12 < compdoc> as a private lan, or are you setting up a firewall/router
04:12 < jvwjgames> no that range is a public block
04:13 < compdoc> yes
04:13 < jvwjgames> and i need some of the ip's to be on a vm
04:13 < compdoc> so theres a modem? is it cable?
04:13 < jvwjgames> no server is in a data center
04:14 < compdoc> Im asking how do you connect to the internet
04:14 < orlock> Is the VM bridged to the public network?
04:14 < Criggie> .33 is his gateway IP
04:14 < jvwjgames> yes
04:14 < Criggie> I can see .35 from the internet but not .36
04:18 < jvwjgames> is there any way to make .33 say hey the mac address for this ip is here
04:19 < orlock> proxy arp
04:19 < jvwjgames> cause what if i set the mac address of my server to the vm
04:20 < jvwjgames> would that trick it into routing it there
04:20 < Criggie> No tricking - you'll just make things harder later
04:22 < jvwjgames> what can i provide you guys that would help me
04:22 < jvwjgames> any logs?
04:25 < jvwjgames> cause i really want this fixed tonight
04:33 < jvwjgames> criggie: what about a static route
04:33 < jvwjgames> would that work
04:34 < Criggie> no
04:34 < Criggie> your .36 IP - can it see .33 the gateway ?
04:34 < jvwjgames> no
04:34 < Criggie> I know .35 can so that's all cabled right
04:34 < jvwjgames> but .36 can see .35
04:37 < Criggie> so there's something wrong with KVM or how the .35 and .36 IPs are set
04:37 < Criggie> you're almost there
04:37 < Criggie> the packets are getting to the physical host
04:37 < Criggie> but failing at the last hop
04:37 < jvwjgames> any logs i can provide
04:38 < Criggie> Not to me - I haven't used KVM for many years.
04:38 < Criggie> Perhaps #kvm might be helpful ?
04:38 < jvwjgames> ok
04:38 < Criggie> cos you have 99% of it there
04:39 < Criggie> it is literally the last step, which is KVM config or maybe VM config
04:39 < Criggie> jvwjgames: if you get on the VM and run tcpdump -i any -nn icmp
04:39 < Criggie> do you see packets from outside your IP range?
04:40 < Criggie> I'm pinging you from a 200.207... IP
04:40 < ||cw> jvwjgames: is this colocated? guest can see host, host can see gateway, guest can't?
04:43 < jvwjgames> correct
04:43 < jvwjgames> and yes colocated
04:43 < jvwjgames> and criggie are you still pinging cause i see no traffic
04:44 < ||cw> provider probably has "port security" on, which means only the first MAC it sees will work. have them turn it off, or set you up a routed block and configure your host as a router for the kvm host-only network
04:51 < jvwjgames> i just asked voonami about port security
04:51 < jvwjgames> they will get back to me
04:52 * linux_probe fails to believe it o_O... Set upload and download limits for updates https://www.zdnet.com/pictures/whats-new-in-windows-10-version-1803-the-spring-creators-update/9/
04:52 < Criggie> Yes I have the ping running continuously.
04:52 < Criggie> I can see .35
04:52 < linux_probe> ping-pong ping-pong
04:54 < jvwjgames> still here had to close those though
04:54 < jvwjgames> i am going to try to spoof mac address
05:05 < Spice_Boy1> does anyone know of an online MIB creator tool?
05:06 < Spice_Boy1> or a local one they've used and can recommend
05:13 < jvwjgames> spoofing didn't work
05:16 < _AxS_> I thought I had this working before but apparently I don't.. cisco switch (4500 series if it matters), is there a way to configure LAGs in the switch so that the underlying ports still work as regular independent ports? I wanted to do lags with these two-nic servers, but i want to be able to pxeboot them (and the lag doesn't get set up until the OS boots)
05:16 < _AxS_> I thought if the switch was set to use lacp and the channel-group was passive, this would work, but based on what i'm seeing right at the moment it isn't..
05:43 < _AxS_> damnit. its possible by disabling lacp-standalone in IOS-15, but IOS-12 (what this switch has) does not have this functionality.
05:43 < Criggie> OI
05:43 < Criggie> you fixed it
05:43 < Criggie> jvwjgames_: I can ping .36 now
05:44 < jvwjgames> ya
05:44 < orlock> lol /. seems a bit busted
05:44 < jvwjgames> thanks to #kvm
05:44 < orlock> aand its back
05:44 < Criggie> jvwjgames_: good stuff - what was the underlying problem ?
05:44 < jvwjgames> i had to add the bridged adapter to my physical nic as a master
05:45 < Criggie> ok - I would not have guessed that
05:45 < jvwjgames> here is the chat
05:46 < jvwjgames> https://paste.ee/p/Y6smJ
05:46 < orlock> jvwjgames: Didn't i ask that originally?
05:46 < orlock> Ah, didn't put your nick in the question
05:46 < orlock> nevermind
05:46 < orlock> :)
05:47 < Criggie> Nice work!
05:49 < jvwjgames> bad news
05:49 < jvwjgames> that bind just made me lose connectivity to my server
05:49 < jvwjgames> i can't get in via .34
05:50 < jvwjgames> i can get to vm ip but now i am locked out from .34
05:51 < Criggie> yeah you probably want management on its own interface
05:51 < Criggie> Or manage it via the internal LAN interface
05:58 < jrc> I installed a TAP. really cool, didnt know until recently there was such a thing
06:03 < Criggie> jrc: hot or cold ?
06:04 < Criggie> I hate those ones that are supposed to be hot but backed by a tempering valve so they never get more than kinda-warm.
06:04 < jrc> a network tap!!!
06:05 < Criggie> hehehe open it and the frames pour out ?
06:05 < jrc> yeah packets were all over the floor
06:05 < Criggie> tsk-tsk-tsk put a bucket under it to catch any leaks
06:34 < forgotten> does icmp ever reach out with other tcp protocols on purpose under standard operation? like http, https?
06:34 < skyroveRR> no
06:35 < jrc> icmp isn't a tcp protocol
06:36 < forgotten> yeah but i can see tcp, 80/443 info inside the packets in wireshark
06:36 < forgotten> so like encapsulation, with big icmp packets.
06:37 < skyroveRR> It is still TCP, not ICMP.
06:38 < jrc> icmp is layer 3, http is like layer 7
06:38 < skyroveRR> Don't involve the OSI bullshit, that has nothing to do with it.
06:38 < jrc> yeah it does
06:38 < skyroveRR> It doesn't.
06:38 < jrc> icmp is so far from TCP it's not even on the same level
06:38 < jrc> yes it does
06:39 < forgotten> say you encapsulated the http packet data inside and sending it one way and receiving on the other side to reassemble and proxy out http etc.
06:39 < skyroveRR> Don't confuse people by bringing the archaic OSI bullshit. It doesn't apply any more.
06:39 < jrc> it definitely applies
06:39 < skyroveRR> You are sandwiching too many layers. It simply doesn't match them.
06:39 < jrc> some protocols mix the layers but in general it applies
06:40 < skyroveRR> In general, everything applies. As networking pros, we don't look into general stuff. We look into particular stuff.
06:40 < jrc> the question originally said "other tcp protocols" implying ICMP was a TCP protocol like HTTP is
06:41 < jrc> as networking pros, the reason you know the concept of the OSI model is because it mattered and that hasnt changed
06:41 < skyroveRR> We both answered that.
06:41 < forgotten> so if you capture an icmp packet, with wireshark, and you only have a single packet. 1 line.
and then inside it you see snippets of tls certs, html codes, 403 codes. under transmission control protocol section it shows this. on the icmp packet. what would you make of that? the messages are Destination Unreachable.
06:41 < Criggie> skyroveRR: sure its old, but the first four layers are totally relevant
06:42 < Stryyker> forgotten: I would suggest updating wireshark - a new update released in the last day
06:42 < jrc> if OSI model is obsolete Level(3) is going to have to change their name
06:44 < forgotten> i dont think it's a wireshark problem. the data within / destination of it had to come from somewhere
06:44 < Stryyker> forgotten: upload screenshots
06:46 < orlock> forgotten: Eh, that sounds interesting
06:47 < orlock> forgotten: Where are you getting these packets from?
06:47 < forgotten> mostly aws hosts
06:47 < jrc> look here if you want to see an awesome map of the internet http://www.caida.org/research/topology/as_core_network/pics/2015/ascore-2015-jan-ipv4v6-poster.pdf (12 MB)
06:47 < orlock> Yeah, but specifically?
06:48 < orlock> Can you share a capture?
06:48 < forgotten> i mean i dont have ips with me not at work now but i can't share im sorry
06:48 < forgotten> was more trying to confirm abnormal behavior of icmp
06:48 < forgotten> cause it's super shady lookin
06:48 < orlock> heh
06:48 < orlock> yeah
06:49 < orlock> icmp's a bit of a weird one
06:49 < orlock> for example - looked at ping closely?
06:49 < jrc> I had to open a weird port range to get ping and traceroute to work right on my firewall
06:49 < orlock> i was getting negative packet loss
06:49 < forgotten> woah lol
06:49 < forgotten> like you are Neo of the matrix
06:49 < orlock> ICMP ID clashes
06:49 < Criggie> jrc: hahahaha I can see my ISP on the V6 chart
06:49 < orlock> due to two different ping libraries being used
06:50 < orlock> reminds me
06:50 < forgotten> crazy. hrm.
06:50 < orlock> i wonder if they have fixed the ping source location yet
06:50 < orlock> .. Nope.
06:50 < forgotten> honestly the hosts that are doing it have no business doing it either so it's even more shady thats about all i can say heh.
06:50 < orlock> forgotten: There is so much super-shady crap on the internet.. Sounds like hosts somehow tunneling traffic over ICMP to me
06:50 < jrc> Criggie: it's fascinating to visualize the links, right?
06:51 < orlock> forgotten: For some reason, i've seen several apparently legit UK companies according to WHOIS that.. dont exist...
06:51 < forgotten> thats what we suspect too, can't for the life of me see any legitimate reason for icmp behaving this way
06:51 < forgotten> that would be the most shady ass vendor app in the universe if so
06:51 < orlock> crap library leaking memory?
06:51 < orlock> how large are the packets?
06:51 < jrc> I saw someone's code to tunnel http over dns
06:51 < forgotten> about 590 bytes each
06:51 < orlock> are they coming from "your" systems?
06:52 < orlock> i dont use AWS enough to know how it deals with people doing promisc. network sniffing
06:52 < jrc> https://code.kryo.se/iodine/
06:53 < orlock> jrc: it works on so many levels too
06:53 < orlock> Iodine's atomic number is 53
06:53 < orlock> :)
06:53 < jrc> oh thats awesome
06:53 < forgotten> yes, from.
06:54 < orlock> forgotten: But it's not your code generating it?
06:54 < orlock> "vendor" code?
06:54 < forgotten> i monitor a lot of shit, i dont know who owns it only what its function is etc.
06:54 < orlock> i know that feeling
06:55 < orlock> forgotten: i look at empty address space to see what hits it for fun
06:55 < forgotten> yeah thats always good. null route logs
06:55 < orlock> .. If you have a Mikrotik, make sure it's running software released in the past year please!
06:55 < orlock> forgotten: i mean routed and published legit address space that's unused.
No hosts on it at all
06:55 < orlock> no hosts, no DNS, no nothing - drops everything
06:55 < jrc> I only have about 400 devices on my network so I was able to document every MAC address and corresponding model number, location, static IP
06:56 < forgotten> oh ok. hrm
06:56 < orlock> no reason for anything to ever be sending traffic to it
06:56 < orlock> so any traffic to it is security researchers or malicious
06:56 < forgotten> does that space change frequently?
06:56 < orlock> no, i have a few of them though
06:56 < orlock> /23's and /24's
06:56 < orlock> Been seeing a lot of individual telnet attempts recently
06:57 < forgotten> interesting. where do you get that info?
06:57 < orlock> One host connects a single time to a single IP via telnet
06:57 < orlock> .. I look at the firewall logs ;)
06:57 < forgotten> internal hosts?
06:57 < forgotten> outbound..
06:57 < orlock> External hosts connecting inbound.
06:57 < forgotten> no i mean how do you know the unused space?
06:57 < forgotten> public space
06:57 < orlock> it's my employer's
06:58 < orlock> it's routed here
06:58 < orlock> and then all traffic is dropped and logged
06:58 < forgotten> ohhh ok ic.. yeah ok
06:58 < orlock> Theres others as well
06:58 < forgotten> its super noisy out there.
we get hit constantly
06:58 < orlock> known as "network telescopes"
06:59 < forgotten> there are prolly 500,000 assets in my network :S
06:59 < jrc> my firewall is always getting probed by bots from ukraine and china
07:00 < orlock> jrc: yeah
07:00 < orlock> 80% china
07:00 < orlock> I find it's the UK hosts that have been interesting recently
07:00 < orlock> fake companies
07:00 < orlock> with /23's and /24's allocated to them
07:00 < orlock> registered UK businesses
07:01 < orlock> physical addresses
07:01 < forgotten> i collect about 7mil logs a month at home :P
07:01 < orlock> but the domains and DNS are all hosted in Russia, Netherlands, etc etc
07:01 < jrc> Is there a law enforcement agency that tracks those people? or maybe it's impossible/waste of time
07:01 < orlock> forgotten: ~6.6 gig a day here from one firewall
07:02 < forgotten> at home?
07:02 < orlock> jrc: I informed the appropriate people, took a few tries to get them to pay attention
07:02 < orlock> Heh, at work. Dont even bother at home
07:03 < orlock> ok, time to go hook up a new cisco
07:03 < jrc> yay
07:03 < orlock> got it bolted to the wall on the factory floor
08:12 < the_k_> i absolutely hate making lan cables
08:12 < the_k_> you never know which end you messed up - even when using a tester
08:12 < the_k_> is there any way to find out?
08:13 < hey2> lol
08:13 < hey2> You can tell
08:13 < hey2> I have a Fluke Cable IQ and it tells me
08:25 < the_k_> :p
08:25 < the_k_> is there any way to test tho?
08:26 < the_k_> i'm thinking from now on i'm going to crimp one end then place the other into a wall socket and throw a working cable into that then the tester on the end of that
08:27 < the_k_> then i can see for sure that the first crimp is working. if it's not then i can obviously just push the wire into the socket piece again and if that doesn't solve it then i need to redo the first crimp
08:46 < orlock> the_k_: TDR meter should tell you
08:50 < the_k_> they're expensive though right?
08:52 < the_k_> https://www.aliexpress.com/item/Professional-LAN-Network-Cable-Tester-Wire-RJ45-BNC-Tester-Cable-Tester-Detector-Remote-Test-Tools-Networking/32815452413.html?spm=2114.search0104.3.29.35ca7e17jmvm3I&ws_ab_test=searchweb0_0,searchweb201602_5_10152_10151_10065_10344_10130_10068_10324_10342_10547_10325_10343_10340_10548_10341_10697_10696_10192_10190_10084_10083_10618_10307_10301_10303_10059
08:52 < the_k_> _10184_10534_308_100031_10103_441_10624_10623_10622_10621_10620,searchweb201603_25,ppcSwitch_7&algo_expid=9342a7c3-c407-4de3-ba82-ce7380474d57-4&algo_pvid=9342a7c3-c407-4de3-ba82-ce7380474d57&transAbTest=ae803_1&priceBeautifyAB=0
08:53 < the_k_> i just have one of these cheapo things
09:01 < the_k_> would be better if the voltage was applied via a coil that you wrap / hook around the cable, then when you attach the tester to the end it would actually show if the wires were connected to the terminal end
09:21 < orlock> the_k_: Honestly, i dont do enough that it's ever been a problem, and if you are.. Buy a damn TDR meter
09:21 < orlock> Or get somebody who knows how to work a crimper to do it
10:06 <+pppingme> the_k_ you shouldn't be making lan cables.. if you need to bury something in the wall, you need to terminate it to JACKS, not plugs, on BOTH ends
10:07 <+pppingme> something that comes out of the wall should NEVER have a plug on it..
10:11 < Logg> i've seen jacks that have a female<->female rj45 connector on them
10:12 < Logg> so then you don't need your punch tool
10:38 < ypo> Hello ! Having this configuration https://imgur.com/a/8rQTP I am getting: Line protocol on Interface GigabitEthernet0/3, changed state to down / up on cisco 3600. Same applies to GigabitEthernet0/4. Setting for speed and duplex was set to auto. I have set it on both sides to fduplex / 100mbps
10:38 < ypo> Unfortunately this did not solve the problem
10:51 < yawkat> do unifi aps not support a configured vlan on their downlink port? why?
10:51 < yawkat> i want to attach a user device on the downlink port, but id rather not give them trunk (or access to the wifi mgmt vlan)
10:55 <+catphish> downlink port? i've never seen one with 2 ports
10:56 <+catphish> given how APs are installed, i'd say that was an unusual configuration, so it wouldn't surprise me if the port was just a flat passthrough
10:56 <+catphish> but i don't know for sure as i've never seen such a port
10:56 <+catphish> oh yeah, the pro has 2 ports
10:57 < supaman> that is just for redundancy
10:58 < supaman> don't think the pro ap's call one of them uplink and the other downlink
10:58 <+catphish> from their website: Secondary UAP Ethernet ports don't provide PoE passthrough (to run current to a second powered device), but they do support data passthrough. It serves as a bridged interface between main / secondary Ethernet port.
10:58 <+catphish> This means users can connect the PoE cable to the main Ethernet port to supply power, then connect another, non-PoE device (e.g., IP camera, extra UAP) to the secondary Ethernet port to bridge connections.
10:58 <+catphish> but it's highly likely it's not configurable
10:59 <+catphish> you could use it for redundancy with STP if you wanted
11:00 <+catphish> though more likely you're using switch-PoE, so that would be a bit pointless
11:00 < yawkat> catphish: well what does "bridge" mean here
11:00 < yawkat> if it switches, which it should for gbit, id expect vlan tagging support
11:01 < yawkat> but i dont see a config option for it anywhere, and others are saying it's not possible
11:01 < yawkat> (sorry, i scrolled my buffer list and didnt see the answer :D)
11:01 <+pppingme> yawkat think of it like a 3 port switch
11:02 < yawkat> well with a 3-port switch id expect to be able to configure the port to be on a vlan.
but it doesnt appear to be possible and im wondering why that is
11:02 <+catphish> yawkat: yes, it's a switch, and no, not all switches have configurable tagging
11:03 < yawkat> well you *can* tag the wifi network data
11:03 < supaman> but you're asking what is in the mind of the Ubiquiti developers, who knows but them :-)
11:03 <+pppingme> this is a unifi?
11:03 <+catphish> yawkat: you can, but that's not in *that* switch
11:03 < yawkat> yes. unifi ap ac pro
11:03 <+pppingme> I don't think those ports are bridged
11:03 <+catphish> that's in the AP, the switch is just a dumb one for convenience
11:03 <+catphish> pppingme: yes they are
11:03 <+catphish> pppingme: see my paste above
11:04 <+catphish> Secondary UAP Ethernet ports don't provide PoE passthrough (to run current to a second powered device), but they do support data passthrough. It serves as a bridged interface between main / secondary Ethernet port.
11:04 < yawkat> hmm let me see what the debug interface says
11:07 <+pppingme> hmm... I thought I had read in the past that you could direct traffic to each port as needed (i.e. steer 2.4 to one port, 5 to other port, or steer by ssid)
11:07 < hitman1> Hey, If I want to send some message to somebody who is in the same network of mine (LAN) then how can I?
11:07 < yawkat> catphish: yea your theory looks right. i can see AP traffic using tcpdump but not passthrough traffic
11:08 <+pppingme> hitman1 like what kind of message?
11:08 < yawkat> hitman1: well... lots of ways, basically any protocol could work
11:08 < yawkat> catphish: still kind of annoying :/ but that explains it at least
11:08 < hitman1> like I want to send - "HI THERE" mesg.
11:09 <+pppingme> hitman1 then you'd need to have some kind of software to listen for the message then display it on the screen
11:09 <+catphish> pppingme: afaik you can only do that to VLANs, and the port is dumb, i'm not certain about that part though, i'd have to look through the config options, and i don't have one with 2 ports, but i'd assume it's dumb
11:10 <+pppingme> I've never touched one with two ports either, but thought I had read that at one point
11:10 < hitman1> I want to surprise the receiver by message of mine. Like suppose I want to say "Happy Birthday" then how can I ?
11:10 <+pppingme> hitman1 then you'd need to have some kind of software to listen for the message then display it on the screen
11:10 < yawkat> well the AP OS appears to only have a single br0 interface on lan. so it likely doesnt matter which port is used how
11:11 <+pppingme> hitman1 what OS's are involved?
11:11 < hitman1> Ubuntu on both sides.
11:11 < yawkat> i wonder, are there small embedded devices that can vlan tag/filter any traffic on a given wire?
11:11 <+pppingme> hitman1 you could install pidgin, it will send messages via multicast without a server involved
11:11 < yawkat> (like a two-port managed switch)
11:12 < yawkat> though i suppose thatd need poe again... :/
11:13 < yawkat> hmm, or a managed poe-powered switch with one uplink and two downlinks, at least one of which is poe (for the AP)
11:13 <+pppingme> what are you trying to hook to the 2nd port?
11:14 <+catphish> hitman1: you can't, windows has that feature, they probably removed it, it was so horribly abused
11:14 < yawkat> some user device. say a PC. doesnt need poe, but isolation from the wifi would be nice. it's unrelated to the wifi
11:14 < hitman1> I don't want to multicast or broadcast cause there are a lot of other people on LAN too.
11:14 <+catphish> hitman1: there is nothing running on linux to achieve this, send an email :)
11:14 <+pppingme> yeah, I think XP was the last version to support it, then it was disabled with one of the SP's
11:14 < yawkat> unfortunately we only have a single wire here.
11:15 <+pppingme> hitman1 its a directed message.. so if everyone is using pidgin, you select the username/hostname (I forget which) off the pidgin list and it will only show on that device
11:15 < hitman1> yeah but anyone here don't have pidgin.
11:16 < hitman1> And it will ruin the surprise if I say them to install it
11:16 <+pppingme> hitman1 well, as I said, its going to take some kind of software to receive then display the message..
11:16 <+pppingme> there's nothing in the kernel, X, or gnome (or whatever ubuntu uses) to do this without another application
11:17 < hitman1> And if there is some port open on their system then ?
11:17 < hitman1> still not ?
11:18 <+pppingme> this isn't a firewall/port issue, again ***there's nothing in the kernel, X, or gnome (or whatever ubuntu uses) to do this without another application***
11:19 <+pppingme> you have to have some app that is listening on the network, receives the message, then displays it on the screen..
11:20 <+pppingme> does the user regularly keep a terminal window open, or ssh to another system?
11:22 <+pppingme> hitman1 does the user regularly keep a terminal window open, or ssh to another system?
11:22 < hitman1> yes user keep both open - terminal and ssh
11:22 < yawkat> i suppose what we could do is have AP on a trunk, have it put itself into the wifi mgmt vlan and hope users dont configure their pcs to do vlan tagging
11:23 <+pppingme> you could always use "talk"..
it's a 40 year old protocol, I'm not even sure if most distribs still include it
11:23 < Gollee_> yawkat: you should be able to define what vlans are allowed on the wlan-interface
11:24 < yawkat> Gollee_: i'm concerned about the ethernet passthrough
11:24 < djph> pppingme: there's always the non-technical approach --> walk over to their desk.
11:24 <+pppingme> yeah, post-its work real well
11:25 <+pppingme> yep, just looked, fedora still includes it
11:25 * hey2 tips fedora
11:25 < hitman1> pppingme: Not on ubuntu?
11:25 < hitman1> And how do I use it?
11:26 <+pppingme> dunno, I don't use ubuntu
11:26 <+pppingme> you literally type "talk user@host"
11:26 <+pppingme> if talk is installed on @host, it will fire up in the user's terminal
11:26 <+pppingme> it's a text application
11:26 <+pppingme> technically, an ncurses app
11:26 < hitman1> wow, great app
11:28 <+pppingme> hitman1 it really is... it's from the days of dumb tubes
11:29 <+pppingme> where you'd have a box with 100's of dumb tubes and modems
11:29 < hitman1> It's not working.
11:29 <+pppingme> you on the same host, or a diff host?
11:30 < hitman1> what do you mean by host?
11:31 < hitman1> We two are in the same lan.
11:31 <+pppingme> if you're ssh'd into the same box he has a terminal open to, you log in as user2, he's user1, then just do "talk user1"
11:32 < dna6a> anyone familiar with asus routers here? I have a quick question
11:32 <+pppingme> dna6a don't ask to ask, or ask for a skillset, just ask your question
11:33 < dna6a> Asus use AIMESH, I am going to keep my ac68u as a node and my new GT5300 as my main Router. My question is can I aggregate both routers to a NAS on each?
11:33 < hitman1> pppingme: it says listening from other user
11:34 < hitman1> and nothing happens
11:34 < dna6a> I am hardwiring the 5300 to the ac68u
11:34 <+pppingme> you just start typing..
and it shows on their terminal
11:35 < hitman1> we are on the same host
11:35 < hitman1> I ran - talk he@
11:35 <+pppingme> you're logged in with a diff username, right?
11:35 < hitman1> yes
11:35 <+pppingme> you don't need the @ or hostname if you're on the same host
11:35 < hitman1> I was logged in with a different hostname at that time
11:36 < hitman1> *different user
11:36 <+pppingme> then it should just work
11:37 < hitman1> no it is not working
11:39 <+pppingme> hitman1 then follow whatever error you're getting..
11:39 < hitman1> it says - checking for .. on caller's machine every time
11:40 < hitman1> checking for invitation on caller's machine
11:41 <+pppingme> maybe ubuntu doesn't really run it right then..
11:41 <+pppingme> I dunno
11:42 < dna6a> when backing up NAS to NAS why is SMB faster than rsync?
11:42 <+pppingme> I haven't touched it in 30 years probably, since the 90's
11:42 <+pppingme> since the early 90's
11:45 < hitman1> How do I accept the invitation the other user is sending me?
11:45 <+xand> dna6a: well rsync is more likely to be encrypted than smb
11:46 < dna6a> of course ta
11:46 < hitman1> pppingme: ^^
11:47 <+pppingme> it should just show up
11:47 < dna6a> actually it's not encrypted
11:47 < hitman1> there are two terminals I have opened up
11:48 < hitman1> on 1st - one user
11:48 < hitman1> on 2nd - other user
11:48 < hitman1> I typed on 1st - talk other-user
11:48 < hitman1> It is not showing then.
11:48 < hitman1> not showing anything on 2nd terminal.
11:49 <+pppingme> it should start a split screen, you type in the top half, and it shows on their bottom half, and vice versa
11:49 < hitman1> yes it shows two screens but only one line appears on the 1st half -
11:49 < hitman1> checking for invitation on caller's machine
11:50 < hitman1> the talk daemon is not starting the acknowledgement on the other user.
11:50 <+pppingme> you have selinux enabled?
11:51 <+pppingme> wouldn't surprise me if it's causing issues
11:51 < djph> or not installed
11:52 <+pppingme> if the pieces weren't there, I'd expect it to say conn refused or something
11:56 < Palmar> Anyone wanna recommend a good cheap "red switch" (sfp and ethernet ports, redundant power)
11:57 < djph> pppingme: no idea, I'm too lazy to install it on one machine and see what happens
11:57 < hitman1> pppingme: what is selinux?
11:57 <+pppingme> if you have to ask, it's probably enabled by default
12:02 < hitman1> lol
12:07 <+pppingme> just tried it on one of my fedora boxes, and it just worked..
12:15 < hitman1> pppingme: wow
12:15 < hitman1> I wish it worked for me too.
12:32 < Shapeshifter> I have an Intel 7265 wireless controller and a FRITZ!WLAN 1750E access point. They both support 5Ghz. The AP uses channel 44 and iw list shows that my adapter supports this channel: * 5220 MHz [44] (22.0 dBm) (no IR) But if I iw wlp2s0 scan, the 5Ghz SSID doesn't show up. What do I do?
12:38 < djph> pppingme: needed to install talk and talkd here
12:38 <+pppingme> I must have done it forever ago playing or something
12:38 < hitman1> djph: I have installed both already.
12:40 < djph> and then it just worked here :)
12:40 < djph> well, installed it on both boxes, and then talk me@other-box worked
12:48 < dogbert_2> hey djph
12:48 < dogbert_2> whazzup everyone?
12:49 < hitman1> what other box?
12:50 < hitman1> communication happens on a single host.
12:51 <+pppingme> hitman1 if you're user1@host1 and there's a user2@host2 talk will work across the hosts
12:52 <+pppingme> with talk user2@host2
12:52 <+pppingme> this was extremely popular up until the mid 90's
12:52 <+pppingme> I could reach almost any student at almost any school, as well as many workplaces
12:54 < ychaouche> Hello ##networking, I want to test some firewall rules for my IMAP server. I would like to appear as connecting from the outside, not from the LAN. What's easier: use a proxy or use command line tools?
(I'm thinking about netcat/nmap)
12:54 < ychaouche> I don't know how to do either of the two.
12:55 < ychaouche> linux on both the IMAP server and my testing machine. The firewall is software (shorewall) on the IMAP server.
12:56 <+pppingme> probably the best way to test is to tether another pc to your phone and test from there
12:58 < meowschwitz> ychaouche: use an external box
13:05 < cr1t1cal> if Tor was made by the US government themselves
13:05 < cr1t1cal> then why do people trust it?
13:06 <+pppingme> because they don't believe it was created by the government
13:07 < dogbert_2> LOL
13:07 < cr1t1cal> but I have seen many people who do know Tor is a government project
13:07 < cr1t1cal> and still use it
13:08 < cr1t1cal> and trust it
13:08 < cr1t1cal> pppingme: so that answer does not explain it all.
13:08 <+pppingme> they are gullible enough to think it hides them
13:08 < cr1t1cal> i also tend to think those people are rational so answering "They must have a mental disability" is not what I am looking for
13:08 < cr1t1cal> pppingme: but does it?
13:09 <+pppingme> no, that's the point
13:09 <+pppingme> it makes them EASIER to track
13:09 <+pppingme> and a good way to inject malware
13:09 < cr1t1cal> is the TorBrowser open source?
13:10 <+pppingme> that piece doesn't matter... you can use tor by running the tor daemons and plugging proxy settings into any web browser
13:12 < cr1t1cal> well if you answered me we could know if it was likely the TorBrowser was a bit of malware itself or not
13:14 <+pppingme> I doubt it is, but it's not the piece that's important to focus on either..
13:14 <+pppingme> it's the fact that you are trusting someone to handle your data stream, and that's where the malware injection takes place
13:31 < djph> pppingme: oh, you mean that shady porn fetish site he doesn't want his ISP to know he's visiting?
13:35 < lupine> cr1t1cal: many things originate with government.
it's not prima facie evidence of untrustworthiness
13:36 < djph> lupine: government is of man. man is untrustworthy. therefore, government is untrustworthy.
13:36 < djph> but then again, the internet is a public place, and one should have no notion of "privacy" there either.
13:36 < lupine> not all people are untrustworthy in all respects
13:36 < lupine> and the internet is not actually a public place
13:37 < lupine> you're welcome
13:37 < djph> lupine: no, but they're untrustworthy in enough of them.
13:37 < djph> also, expand on "internet is not public"?
13:38 < lupine> well, imagine you have a collection of networks, some of which are privately owned, and some of which are publicly owned
13:38 < lupine> further imagine that some of these networks have interchange agreements allowing through routing
13:40 < lupine> there's no sense in which the whole is public. even where some subset is public, chances are your own traffic has a significant part of its route going over privately owned and operated networks
13:42 < djph> while the "whole" of the set of machines connected to "the internet" is not publicly owned, it is no different than the shopping mall 10 minutes away.
13:42 < lupine> indeed, which is also private space masquerading as public
13:42 < djph> the building is privately owned. The stores inside are privately owned.
13:42 < djph> BUT when one is in there, one is "in public".
13:42 < lupine> compared to actual public space, the shortcomings are clear and obvious
13:42 < lupine> one is not
13:42 < lupine> in particular, various things that would be permitted in public are not permitted in this space
13:43 < djph> ... is english not your first language, or are you just being thick?
13:44 < lupine> aww
13:45 < lupine> the internet is not a public place, and neither is your shopping mall
13:45 < lupine> you are not in public in either of those places
13:45 < djph> "public" is simply "open to the view of all".
In this instance, it has nothing to do with ~ownership~ of the space.
13:45 < djph> In a mall, anyone looking in my general direction sees me / what I do.
13:46 < lupine> the two are linked. consider photograph
13:46 < lupine> photography*
13:46 < lupine> in public places, when you are in public, you are permitted to take photos of anything and anyone
13:46 < djph> yes, and I have no expectations of *not* showing up in the background of someone's pictures in a makk.
13:46 < djph> *mall
13:46 < lupine> in a private place, such as a shopping mall, the owner of the mall can decide to restrict you from taking photographs
13:46 < lupine> and this is quite common
13:47 < djph> which has nothing whatsoever to do with the fact that one is still "in public" when they're walking through a mall
13:47 < lupine> rights and expectations of privacy differ significantly between the two conditions
13:47 < lupine> it is in fact the crux of the matter
13:47 < lupine> one is not in public when walking through a mall
13:47 < lupine> different rules and expectations about privacy are in operation
13:49 < djph> yes, one is. just as one is "in public" when walking down a street, or camping in a national park all alone, or at the dentist's or anywhere else "outside". Now, yes, humanity does have some degree of expectations of privacy while still being in public -- such as closed stalls in *public* restrooms.
13:51 < lupine> no, rather differently
13:52 < lupine> the common factor in walking down a street vs. walking through a mall is that other people are around, but your interactions with those people are governed by very different rules in the two situations
13:52 < lupine> that's what I'm trying to get you to realise
13:52 <+xand> like many other words, "public" has several meanings :P
13:53 < djph> such as "in the view of others". Just because you're in a privately-owned establishment does not mean you are necessarily no longer "in public".
13:53 < detha> lupine: although a mall has 'Right of Admission Reserved' signs, for Joe Soap it counts as public space.
13:53 < lupine> I don't know who joe soap is
13:54 < lupine> but I expect he'd have a shock if he tried to do something permitted in public space but not permitted in the mall
13:54 < detha> Joe Soap == arbitrary citizen
13:54 < lupine> part of the problem here is that public space is relatively rare these days
13:54 < djph> there's public space all over ... city, state, national parks, etc.
13:54 < lupine> consider: I'm a busker, and have the appropriate busking license for my local authority. I go to the city park - all is well
13:54 < lupine> I go to the mall - I get kicked out
13:55 < lupine> now, imagine I'm a busker with permission of the mall owner. I can perform in both spaces, but only in the mall can I charge for photographs
13:55 < detha> Wrong type of 'public'. What you are looking for is the distinction between 'my space' and 'somebody else's space'
13:55 < djph> ^
13:56 < lupine> these distinctions are directly relevant to the point you were making
13:56 < djph> no they aren't
13:56 < lupine> "other people are also on the internet" does not equate to "there is no expectation of privacy", because of them
13:56 < djph> no.
13:56 < djph> "other people on the internet" means "I have the same expectations of privacy as in a mall"
13:57 < lupine> which is not "no expectation"
13:57 < lupine> but rather "determined by the mall owner"
13:57 < djph> or in my local grocery store
13:57 < djph> or walking down the street
13:57 < lupine> walking down most streets differs
13:57 < lupine> although not all
13:57 < lupine> this is not difficult to grasp
13:58 < lupine> in most streets, nobody can stop you from taking a photograph
13:58 < lupine> in the mall, the owner can stop you from taking a photograph
13:58 < djph> "the internet" as a whole is "walking down the street".
"someone's specific website" is "in the mall"
13:58 < lupine> it's not, though
13:58 < djph> lupine: you're still stuck on "my space" and "someone else's space", and entirely ignoring that you're using the wrong definition of "public" here.
13:58 < lupine> some websites are public, some hops are public. some of both are private
13:58 < lupine> private predominates
13:59 < lupine> nah, I've got this
14:03 < LambdaComplex> how much will i hate my life if i try to write a router program
14:04 < lupine> it's pretty simple
14:04 < lupine> the utility extends only to education though
14:04 < LambdaComplex> even the whole "dealing with raw sockets" part?
14:04 < lupine> last I did this, I used tun instead
14:05 < LambdaComplex> what's the difference exactly?
14:06 < lupine> you get to use libpcap with tun or tap devices
14:06 < lupine> I guess you could also use it directly on the interface
14:07 < LambdaComplex> would the same code work with both a tun interface and a real interface?
14:08 < LambdaComplex> or maybe i'd want tap. i'm not sure
14:09 < LambdaComplex> i think i'd want tap
14:09 < lupine> the link layer encapsulation differs, but you can detect which one it's going to be
14:11 < LambdaComplex> tbh if i could just make static routing work then i'd be happy
14:11 < LambdaComplex> that and inter-vlan routing
14:11 < lupine> "inter-vlan routing"
14:11 < lupine> aka routing
14:12 < LambdaComplex> yes :^)
14:12 < lupine> maybe if you lay out your problems there, you can avoid the need to write your own router
14:15 < Alexander-47u> hi all
14:16 < Alexander-47u> I wish to make an external database server, accessible through a local port by other devices
14:16 < Alexander-47u> how to go about this?
14:16 < petemc> first, create the universe..
14:17 < detha> then, reconsider your life choices
14:17 < Alexander-47u> i guess you two have your funny pants on today ;p
14:17 < detha> sounds like an XY problem - normally you would open a hole in the firewall for clients to connect to the DB server
14:18 < petemc> it's a pretty standard feature, so install your database of choice and configure it to listen on the interface you require
14:19 < Alexander-47u> i was thinking more of ssh tunneling
14:24 < detha> rather set up a site-to-site vpn, route through that
14:29 < Alexander-47u> thank you, I have already found a better way, still figuring out google cloud
14:36 < revolve> Is there a canonical way to secure iSCSI traffic over the internet?
14:38 < mrtnt> How does the OpenSSH "LogLevel" option work? Does it simply filter certain message IDs (https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml) depending on the "LogLevel" value?
14:49 <+xand> revolve: VPN? however that sounds like you'll have performance issues
14:50 < grawity> mrtnt: logs are not directly related to SSH_MSG_ in any way
14:51 < grawity> log messages are arbitrary strings which might talk about SSH packet processing, or might not
14:51 < grawity> and each message specifies its level, e.g. syslog(LOG_INFO, "Trying key %s", path)
15:06 < mrtnt> grawity: I mean for example if I execute "ssh -o LogLevel=quiet 10.10.10.1", then I do not see the banner (message type 53), but I do see the password prompt (message type 60). When I change the LogLevel to INFO, then I also see the banner text from the network device.
15:11 < grawity> that's still not based on message IDs
15:12 < grawity> nor in any other way generic to ssh messages
15:13 < grawity> the input_userauth_banner() function just has a check for options.loglevel >= SYSLOG_LEVEL_INFO
15:13 < grawity> and either prints the received banner to stderr or not
15:20 < revolve> xand: thanks. looked into it and was reminded about CHAP.
15:23 < jvwjgames> someone gave me instructions on how to do forwarding in iptables
15:23 < jvwjgames> i am a little confused
15:25 < jvwjgames> https://pastebin.com/seG8yEs7
16:05 < ychaouche> so, for those interested, I have tested with hping3 and tcpdump with the help of ##security guys. I describe it here: https://ychaouche.informatick.net/firewalltest
16:07 < Gollee_> tested what?
16:13 < djph> Gollee_: "things"
16:15 < earnThis> I've got a 4507R+E with dual supervisor 8-e linecards in slots 3 and 4 running in SSO mode. From what I understood, this configuration is supposed to give us 4 - 10Gb connections per supervisor, with interfaces te3/5-3/8 and te4/5-4/8 being inactive. However, on one supervisor, we're only getting 1 - 10Gb connection, and on the other, the 4th won't connect: https://pastebin.com/jTz6cvFs
16:15 < Chewza> all the things
16:15 < earnThis> Interfaces te3/3, 3/4, and 4/4 won't connect when a 10Gb SFP is inserted w/ mode-conditioning patch cables. I've tried plugging in known-working 10Gb SFPs into the mentioned ports, and they still won't light up.
16:15 < djph> using the right cables?
16:16 < earnThis> djph: you mean non-mode conditioning ones?
16:17 < djph> well, SM for SM optics (or MM for MM optics). Not to mention UPC vs APC ...
16:18 < djph> granted I usually just get SM vs MM wrong (WHO THE HELL KEEPS BUYING THE MM!?)
16:24 < earnThis> djph: isn't MM still cheaper?
16:25 < djph> not when we're only buying SM optics
16:26 < earnThis> djph: right but are you using SM fiber for short runs?
16:26 < earnThis> like between racks and within a rack?
16:27 < djph> we SHOULD be, what with not having MM optics ;)
16:27 < djph> some dumbass keeps ordering MM cables every now and again.
16:28 < djph> although, most intra-rack connection is DAC
16:29 < earnThis> djph: ah gotcha
16:30 < djph> usually it's a "oh, we need this to work real quick, here's the optics and a cable"
16:33 < djph> and then "who the hell bought this!?"
16:35 < ychaouche> Gollee_: [11:54] Hello ##networking, I want to test some firewall rules for my IMAP server. I would like to appear as connecting from the outside, not from the LAN. What's easier: use a proxy or use command line tools? (I'm thinking about netcat/nmap)
16:40 < ||cw> ychaouche: there are some free shell accounts out there that you could run simple tests from
16:41 < ychaouche> ||cw: free shell accounts?
16:41 < ||cw> there's also a slew of tools at mxtoolbox.com
16:42 < ychaouche> the machine is not connected to the Internet for the moment
16:42 < ychaouche> so it's not accessible from outside;
16:42 < ||cw> then what are you testing
16:42 < ychaouche> well, it is connected to the Internet but not NATed
16:43 < ychaouche> access from the outside
16:43 < ||cw> you can't access things that aren't listening
16:43 < ychaouche> apparently I can
16:44 < ||cw> what does that mean
16:45 < ||cw> maybe the firewall would log the attempt if you configure that
16:48 < ychaouche> ||cw: I want to test the firewall rules on a test machine. The test machine is connected to the Internet, but it is not NATed, it doesn't have a public IP, so it can not be accessed from outside. Do you follow until this point?
16:49 < ychaouche> my test machine has only one LAN IP, for the moment.
16:49 < ||cw> so you want to test the machine's local firewall?
16:49 < ychaouche> exactly
16:49 < ychaouche> the software firewall
16:49 < ||cw> so what's the problem?
16:50 < ychaouche> the problem is this: the rule is set to deny access from outside the LAN, and only allow LAN connections in. Ok until this point?
16:50 < ||cw> oh, you want to spoof as though you're being DNAT'd without actually doing that?
16:50 < ychaouche> I want to lure the firewall into thinking I am coming from outside, as if I had a WAN IP address.
16:51 < ychaouche> so it sees, for example, 201.04.10.20 instead of my LAN address which is, for example, 192.168.300.291
16:51 < ||cw> I guess you could set up a routed subnet on your LAN and test from that subnet
16:52 < ychaouche> what do you mean by a routed subnet?
16:52 < ||cw> the only other option is spoofing, but that's likely to get dropped anyway
16:53 < ||cw> if you want to test the connection coming from another IP block, it needs to actually come from another IP block
16:54 < ||cw> are you planning to setup DNAT for this host, or move it to where it actually gets a public IP?
16:54 < ||cw> you can always DNAT for an uncommon port so that scanners won't easily find it and test that way
16:55 < ychaouche> ||cw: I have spoofed the IP and the packets weren't dropped.
16:56 < ychaouche> see: https://gist.github.com/ychaouche/32804b4c8c86255a89ad6ba9b170e59c
16:56 < ychaouche> Yes, when the tests show a correct firewall setup I will move the machine to the appropriate VLAN and change its IP to the one that is already NATted
16:57 < detha> ychaouche: where did you generate those packets from? same host or elsewhere on the lan?
16:58 < ychaouche> detha: elsewhere on a nother VLAN
16:58 < ychaouche> another*
16:59 < detha> it would seem you need to tune the firewall a bit then, yeah
17:01 < ychaouche> detha: I didn't have to
17:01 < ychaouche> detha: or do you mean I should?
17:02 < detha> I mean you should, if you expect it to drop those packets
17:03 < jvwjgames> hey guys so my vm which i got working, i am trying to get 162.220.209.36 to communicate to the internet and someone is saying use NAT, no i don't want to use nat, i am trying to do public ip
17:03 < jvwjgames> how hard can it be
17:05 < ychaouche> detha: it works as I expect it to, actually. I'm trying to implement a country based ACL.
17:06 < ychaouche> detha: so nobody connects to port 143 except those from this and this country.
17:07 < detha> ychaouche: so what is the problem, then?
17:07 < ychaouche> detha: I was looking for a way to do it and found it. Problem solved.
17:08 < ychaouche> I asked this morning but didn't get many tips.
17:08 < ychaouche> aside from: [11:58] ychaouche: use an external box
17:24 < noonien> hello folks!
17:24 < noonien> is there a channel specific for http/http2?
17:26 < purplex88> can we manually edit flows in switches?
17:30 < noonien> i'm having some issues with nginx, when uploading a file using a POST request via http/1.1 i get about 8MB/s to the server, doing the same with http/2.0, i only get about 1MB/s, i only use nginx as a reverse proxy. how can i start debugging this?
17:32 <+xand> noonien: #nginx for that
17:32 < noonien> xand: awesome, i asked there, thanks!
17:37 < zenix_2k2> guys based on which conditions can i claim that 2 computers are on the same network?
17:38 <+xand> define network
17:39 <+xand> depends what you mean by that - could be same subnet
17:39 <+xand> or same AS number or something else
17:39 < zenix_2k2> well like what if i wanna connect to another computer on the same network???
17:39 < zenix_2k2> something like that
17:39 <+xand> what if you do?
17:40 < zenix_2k2> ok, let me try to simplify this
17:43 < zenix_2k2> so here are 2 python scripts that are used to connect 2 hosts --> https://pastebin.com/c1sPsR5P, so based on which conditions can the client connect to the server??? (No NAT-ing, port-forwarding required)
17:43 < zenix_2k2> is that clear enough or should i try to simplify in another way?
17:43 < zenix_2k2> oh yea, computer1 uses py2.py
17:43 < zenix_2k2> as the server
17:45 < jvwjgames> Can some one please help me :(
17:46 < ngc3982> hi guys. some hardware broke, and now i have transplanted my ubuntu 17.10 installation from a machine to the next. the network card is visible in ifconfig, but it does not receive a DHCP ip (so no web). how do i continue from here?
17:46 < zenix_2k2> or actually you can take that as: based on which conditions can i claim 2 hosts are on the same LAN
17:46 < zenix_2k2> that is the best i can express
17:49 < zenix_2k2> so Ehm... guys?
17:52 < skyroveRR> zenix_2k2: yes?
17:52 < jvwjgames> skyroveRR: can you help me with a firewall issue, me trying to forward to my vm
17:53 < zenix_2k2> so... based on which conditions can i claim 2 hosts are on the same LAN?
17:53 < jvwjgames> ya
17:54 < jvwjgames> i have a link https://hello.freeconference.com/conf/call/6020478 so you can help me
17:55 < mrtnt> grawity: ok. And the input_userauth_banner() function is called on this line: "ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);". SSH2_MSG_USERAUTH_BANNER is mapped to 53 in ssh2.h. However, message ID 60 seems to be handled by the input_userauth_info_req() function which does not seem to have a test against "options.loglevel", i.e. it is always printed.
18:00 < Nortd> Hello everyone! I've noticed that a L2 switch I was eyeing supports static ARP tables. Isn't that useless though? Shouldn't a switch just see MAC addresses, leaving ARP to individual hosts?
18:05 < skupra> https://skupra.org
18:07 < ||cw> Nortd: typically used with arp inspection to stop spoofing at the source
18:09 < Nortd> ||cw: so it's just a way to verify that everything is as it should be and notify the admin if it isn't? I was thinking, mine doesn't have it, so I set static ARP on the hosts, isn't that enough?
18:11 < ||cw> idk, it's just a tool in the arsenal.
18:13 < Nortd> ||cw: I see, well, that makes me wonder if I picked the wrong vendor. Thanks for your reply! Much appreciated.
18:16 < ||cw> it's just an option, you don't have to use static arp
18:17 < quantum> Anyone really know IPV6?
18:17 < Nortd> ||cw: I want to, I was just wondering if having it set on the switch made any difference (it doesn't even have DAI) as it shouldn't be able to make any use of it since AFAIK it's a host's thing on L2
18:17 < quantum> # ip -6 addr add 2001:470:b:c3:1:2/64 dev eth2
18:17 < quantum> Error: inet6 prefix is expected rather than "2001:470:b:c3:1:2/64".
18:18 < Dagger> that's not a v6 address
18:18 < quantum> O?
18:18 < Dagger> 2001:470:b:c3::1:2, perhaps
18:19 < quantum> 7 groups?
18:19 < Dagger> it's short for 2001:470:b:c3:0:0:1:2
18:20 < quantum> For heaven's sake, thanks Dagger.
18:33 < quantum> Dagger: If you're still around: My LAN has a router which branches to the LAN, and to the DMZ. I'm converting to IPV6.
18:33 < quantum> Running CentOS7.4 everywhere. Are default IPV6 kernel settings good for a non-router?
18:36 < quantum> Second, right now I have static IPV6 IPs, but will soon set up a DHCP6 server on a VM in the LAN. The DMZ machine will send out a dhclient6 request, but will that be routed properly through the router to the LAN and the DHCP6 server with default kernel settings?
18:40 < Dagger> I don't change any settings here, other than forwarding and (for bridges) multicast filtering
18:40 < Dagger> note that if you have multiple networks then they need separate /64s (like you use separate /24s in v4). you can request a /48 from HE for that
18:40 < Dagger> DHCPv6 doesn't really go through routers, you need a server or relay on each network
18:40 < Dagger> (are you sure you want DHCPv6? SLAAC is easier and mostly does the job. and is required for e.g. Android anyway)
18:41 < UncleDrax> droid still doesn't do DHCPv6? lame
18:41 < quantum> I'll look at SLAAC, thanks.
18:42 < quantum> In Shorewall (iptables) I'll be plumbing port 67 from the DMZ to the DHCP6 (SLAAC?)
server
18:42 < Dagger> it's literally just a flag in your RAs to enable, and you need to be sending those anyway
18:43 < UncleDrax> having not delved into it that far in any recent time period, is there a SLAAC-equivalent for me, as a SrvProv, knowing who has what address then?
18:43 < quantum> Do RAs necessarily come from the router?
18:44 < quantum> ... and is it possible to assign known IPs to given machines, and if so how is dynamic name service handled?
18:44 < Dagger> the router has to send them. that's how the default route is configured
18:45 < Dagger> the machines pick their own addresses, usually based on their MAC
18:46 < quantum> My LAN machines are each servers for something so I need some kind of name service.
18:47 < djph> quantum: bind
18:47 < Dagger> DNS would need to be registered by the clients, or done manually
18:47 < Dagger> (I just do it manually)
18:47 < quantum> I've always done it manually for IPV4, but it seems it'd just get out of hand with v6.
18:49 < quantum> djph: I've started setting up the package dhcp in CentOS.
18:49 < quantum> Haven't yet figured out where this 'info' string is to use in lieu of MAC though.
18:51 < ngc3982> i got the network working after the ubuntu 17.10 transplant, but i cannot get it to resolve any host. i can ping all IPs, but not use the 'internet'.
18:51 < ngc3982> any suggestions?
18:51 < ewew> are you using a static ip or dynamic ip?
18:52 < ngc3982> ewew: i have tried configuring netplan for both, with the same effect. right now: dynamic.
18:52 < Poster> try running: sudo resolvconf -u
18:53 < ewew> what do the ip addr and ip route commands show?
18:53 < ngc3982> Poster: that program is not installed.
18:53 < Poster> if it is missing, dhclient should be setting the contents of /etc/resolv.conf, from what you describe /etc/resolv.conf is missing or has incorrect entries as it pertains to nameservers
18:54 < Poster> can you pastebin /etc/resolv.conf?
18:54 < ngc3982> ip addr shows a local inet ip, 192.168.1.166 and "broadcast, multicast, up, lower_up" and so on.
18:54 < Poster> you can also temporarily set it to use google's public DNS, add the following line to the top of /etc/resolv.conf
18:54 < Poster> nameserver 8.8.8.8
18:54 < ngc3982> due to the network error i cannot pastebinit, but /etc/resolv.conf contains: "nameserver 127.0.0.1"
18:54 < ngc3982> oh.
18:55 < Poster> ok that's dnsmasq
18:55 < quantum> Poster: Don't spread the G**gle virus...
18:55 < ewew> ok. change it to nameserver 8.8.8.8
18:55 < ngc3982> the file also says that it is automatically changed by resolvconf and should not be edited by hand.
18:55 < ewew> for now not relevant.
18:55 < ngc3982> ok
18:55 < ngc3982> changed
18:55 < Poster> it's fine, your local system is pointing to a dnsmasq instance which is probably pointing to the wrong place
18:56 < Poster> double check on the presence of resolvconf, it is most likely there
18:56 < ewew> quantum what about opendns?
18:56 < ngc3982> oh i could install it
18:56 < ngc3982> resolvconf -u now?
18:57 < Poster> yep
18:57 < ngc3982> hey! it worked.
18:57 < quantum> ewew opendns is far better than G**gle and supports dnssec.
18:57 < ngc3982> ewew, Poster: thank you so much. :)
18:57 < Poster> ok it may not have, recheck /etc/resolv.conf and see if it only has nameserver 127.0.0.1
18:57 < Poster> unless you didn't add "nameserver 8.8.8.8"
18:58 < ngc3982> it's still 8.8.8.8
18:58 < ngc3982> i did, and then i used resolvconf -u
18:58 < Poster> ok try removing the "nameserver 8.8.8.8" line from /etc/resolv.conf and retry public DNS resolution
18:59 < quantum> ewew: When I'm not using dnscrypt (rare) I use 185.121.177.177
18:59 < quantum> and 169.239.202.202. Forgot where they are, but they are trustworthy. (and I'm paranoid)
18:59 < ngc3982> Poster: how do i "retry public dns resolution"?
18:59 < Poster> ping www.yahoo.com
18:59 < Poster> or something
18:59 < ngc3982> aha
18:59 < ngc3982> sorry.
18:59 * ngc3982 tries.
19:00 < ||cw> lol "idk where these are, but they are trustworthy I promise"
19:00 < quantum> lol I didn't say idk where they are. I've forgotten where they are.
19:00 < ||cw> are you sure they are still trustworthy?
19:01 < quantum> You don't need to worry about it.
19:01 < ewew> what about the dns server on 1.1.1.1 ?
19:01 < ||cw> once upon a time google was one of the most trustworthy companies out there
19:02 < ngc3982> Poster: when removing the line, i cannot ping a host name.
19:02 < quantum> I have dnscrypt and unbound running on a resolver VM. DNSCrypt automatically rotates through providers on a list.
19:03 < ewew> what about the rotate function of resolv.conf ?
19:03 < ngc3982> resolvconf -u?
19:03 < quantum> I only ever have my resolver set. (except in the rare cases it doesn't resolve)
19:03 < Poster> the default in Ubuntu is to set /etc/resolv.conf to point to 127.0.0.1, which is an instance of dnsmasq, intended to locally cache queries, I suspect dnsmasq is not going to a valid location and the chain is then broken
19:04 < quantum> Falling back to a cleartext resolver is not secure.
19:04 < ngc3982> Poster: i see. when i rerun resolvconf -u it adds the nameserver 8.8.8.8 to /etc/resolv.conf again.
19:05 < Poster> =S well you can run like that though the dnsmasq issue is still present
19:05 < Poster> I've not done much with the dnsmasq piece myself, I know it's present but I usually remove it from my own systems
19:05 < ngc3982> ok
19:05 < ngc3982> i have had so many problems with this system.
19:05 < ngc3982> i think ill simply reinstall ubuntu on the new machine.
19:06 < Poster> well that's one approach, though this problem may resurface in the future, so finding the fix may be a worthwhile investment of time
19:10 < ngc3982> Poster: the nic changed name from enp0s25 to eth0 after a reboot.
19:11 < ngc3982> also, resolv.conf is now empty.
19:13 < ngc3982> nope, not doing this. im reinstalling before my blood pressure stops working.
19:16 < ||cw> ngc3982: did you also switch from dhcp to static?
19:16 < ||cw> and did you specify DNS servers on the interfaces file?
19:16 < ngc3982> tried both, in the netplan config
19:16 < ngc3982> i do not have an interfaces file, afaik.
19:17 < ||cw> desktop? network manager then?
19:17 < ngc3982> but nope, not doing it. this is something like the eleventh thing that made me furious about this installation today, so i have already formatted and am installing from live-usb now.
19:18 < ngc3982> i think netplan config files were the replacement for network/interfaces.
19:18 < ngc3982> thanks anyway for helping :).
19:26 < ||cw> ngc3982: is this 18.04? I haven't messed with that yet.
19:26 < ||cw> or 17.10 for that matter.
19:27 < ngc3982> 17.10.
19:39 < aditya7400> due to people (understandably) suggesting layer 8 solutions, i shall provide no context. I have a plan, and no idea how to execute it
19:39 < aditya7400> so i have 4 4g modems
19:39 < aditya7400> and a VPS
19:39 < aditya7400> and want to setup a machine
19:39 < aditya7400> to run a VPN over them so you can route everything through it
19:39 < aditya7400> and multiply the speed
19:40 < anamenotinuse> a few hours ago i configured my webserver and AAAA record. I tested it and it worked just fine, I could reach my webserver over the domain name. but for reasons i cant figure out the ipv6 record now does not resolve anymore
19:40 < anamenotinuse> how can i debug this?
19:40 < anamenotinuse> nginx should answer the phone
19:40 < anamenotinuse> i tried restarting of course
19:42 < Emperorpenguin> If it doesn't resolve in DNS it's not nginx's fault
19:43 < anamenotinuse> how can i identify the issue?
19:43 < anamenotinuse> https://imgur.com/NX8DkMm
19:43 < anamenotinuse> that shows part of eth0 interface output
19:44 < Emperorpenguin> That had nothing to do with dns
19:44 < anamenotinuse> the dns server is managed by my provider
19:45 < anamenotinuse> and it worked earlier
19:48 < quantum> Dagger: Earlier you mentioned that I'd need to request a /48 in order to have a DMZ.
19:50 < quantum> If my LAN is 2001:db8::0/96, isn't it enough to make the DMZ 2001:db8:::::1:/96?
19:52 < Dagger> different networks need different address ranges
19:53 < quantum> Sure, but :: is different from 1:
19:53 < Dagger> if you're using 10.1.2.0/24, then you can't have a second network using something like 10.1.2.200/24. it needs to be 10.1.3.0/24 or so
19:53 < Dagger> (it's just "::" for any number of zeroed blocks, ":::" or more isn't valid)
19:54 < quantum> Understand, but I'm trying to differentiate my IPV6 as you describe IPV4.
19:54 < quantum> ... with a /64 block
19:55 < Dagger> as a general rule, all onlink subnets in v6 should be /64. so you'd use 2001:db8:0:1::/64 for one network, 2001:db8:0:2::/64 for another, etc
19:56 < Dagger> so you should be trying to break up a /64
19:56 < quantum> Oh, I've been specifying /96 but I do have a /64 block.
19:56 < Dagger> er, damnit
19:56 < Dagger> so you shouldn't be trying to break up a /64*
19:57 < Dagger> bit of a difference in meaning there
19:57 < quantum> Got it.
19:57 < HEROnymous> the whole "every network should be a /64" thing doesn't make a lot of sense though, really.
19:57 < HEROnymous> it's largely more pandering to broken implementations and bad ideas than anything else
19:57 < Dagger> you're something like 20 years late to that discussion though
19:57 < HEROnymous> well, that's the thing - it was part of some drafts [20 years ago] and then it wasn't by the time that drafts became standards.
19:58 < quantum> Should I be a bad netizen and request my /48, even though I'll never ever use that many?
19:58 < Dagger> there's zero reason to use anything larger than /64 on-link
19:58 < Dagger> and you shouldn't really need to use anything smaller either, there's enough /64s floating around
19:59 < Dagger> quantum: numbers wise, we have about 5000 /48s available per person, so requesting one of them is way under your fair share (if such a concept even makes sense here)
19:59 < quantum> Ok so the last four groups in a /64 are in the same CIDR?
19:59 < HEROnymous> quantum, you never know how many you'll use, and having a /48 allocated doesn't hurt
20:00 < quantum> Well Ok, I'll request my /48, thanks.
20:00 < Dagger> /64 covers the last four groups, yeah
20:00 < HEROnymous> depending on your isp, you may get a /56 or somesuch too, not a /48
20:00 < quantum> Always an education here, thanks.
20:02 < HEROnymous> but yeah in ipv6 we tend to overprovision. even for, say, point to point links with 2-4 devices, I'll generally use a /112, which is some 65k addresses.
20:04 < quantum> Weird, my /64 is 2001:460:b:c3:: but my /48 is 2001:460:e9db::
20:04 < quantum> I guess they give what they have.
20:04 < Dagger> what would a non-weird allocation look like? :p
20:04 < quantum> 2001:460:b:
20:05 < HEROnymous> they probably provision customer /64's out of there.
20:05 < Dagger> but then what about the person with 2001:460:b:c2::/64?
20:05 < quantum> Makes sense.
20:05 < HEROnymous> for example 2001:0460:000b:00c4::/64 is probably somebody else, etc
20:06 < Dagger> there have to be other people inside 2001:460:b::/48, because the only way to avoid that would be to reserve the entire /48 for you from the start... at which point there'd be no point in having it behind a request button
20:07 < quantum> So I use my 48 now exclusively? Should I release my /64? (Tho I can't see a way to do that)
20:07 < quantum> (hurricane)
20:09 < Dagger> I'd stick with the /48 alone, otherwise you'll have one network with a different range
20:09 < Dagger> you can't release it though. just ignore it
20:09 < quantum> K
20:25 < eduard> Hi! If an internet domain name has an MX-record and wants to receive mail, is it mandatory to also have an A-record for that domain? Which standard regulates this?
20:26 < tds> afaik it's not mandatory, I've seen plenty of domains that don't
20:26 < ||cw> eduard: MX must point to an A, yes
20:26 < eduard> thanks
20:27 < qman__> right
20:27 < qman__> the MX record must point at a valid A record, but the name of the MX record doesn't need to be a name that also has an A record
20:27 < tds> oh, if you're talking about the hostname the MX points to, then yeah you want a + aaaa records
20:28 < tds> I mean you can run with just the aaaa, but you may find that lots of email goes missing ;)
20:28 < qman__> for example, an mx record for xyz.site could point to abc.site for mail, and there doesn't need to be an A record for xyz.site, just abc.site
20:29 < ||cw> oh, yeah, what it points to must have an A.
20:30 < eduard> qman__: that's exactly my question. I want mail at example.com but I don't have and actually don't need any server to be the A record of example.com
20:31 < Dagger> you don't need an A. it works fine with just an AAAA :|
20:31 < ||cw> that should be fine
20:31 < Dagger> (although that will limit which servers can connect)
20:33 < qman__> strictly speaking it could also be a CNAME
20:33 < qman__> but the point is that the MX record must point at a valid name to receive the mail, and that's it
20:34 < qman__> the name of the MX itself does not also need other resource records to exist
20:36 < qman__> bear in mind this is only for receiving mail, sending mail has different requirements
20:59 < tds> qman__: hmm, iirc having an mx pointing at a cname isn't valid, I've seen some servers reject it
21:00 < Apachez> A or AAAA record
21:10 < jgkamat> Hi, this is probably off topic (feel free to redir me), but I wanted to ask how exactly 'disconnections' are handled when opening connections. If I connect to freenode with 'nc', and sleep/unsleep my computer, the connection is closed, but if I do the same with gnutls-cli, it doesn't. Is there a way to configure a timeout or similar (what's the proper way to determine when a conn has broken)
21:11 < bgsteiner> I use smtp.mydomain.com as a cname and my mx points to that for consistency
21:15 < ||cw> jgkamat: the connection is broken when the server or client decides that it is broken. I'm sure nc has a timeout setting
21:16 < jgkamat> hmm, I could find a timeout setting for nc, but not one for gnutls-cli, I suppose it might not support setting it (that would seem weird).
22:33 < black_13> how do i configure secondary nic card
22:33 < black_13> to have a static ip address
22:45 < ||cw> black_13: same way you'd configure a primary? it's OS specific. see your OS docs.
22:46 < nobody> hi :)
22:46 < ||cw> jgkamat: that might actually be more to do with SSL
22:47 < jgkamat> ||cw: hmm, are there any docs on that or keywords I can search to get more information on that? I'm pretty clueless for networking in general :/
22:47 < jgkamat> I saw similar behavior using openssl s_client, so that seems like a good guess
22:48 < black_13> ||cw: ubuntu
22:49 < ||cw> jgkamat: I just don't expect TCP sessions to survive a sleep in general
22:49 < ||cw> if it does, bonus
22:50 < ||cw> black_13: well, ubuntu has docs and a channel here...
22:50 < jgkamat> it's more that I want a non-hacky way to determine when I should kill it and reconnect, this happens when I disconnect/reconnect to WIFI as well, for example :(
22:50 < ||cw> black_13: IIRC there's also a few ways and it depends on version and how you're config'ing things
22:50 < black_13> thank you very little
22:51 < ||cw> black_13: I mean, if you want to talk about subnetting and vlans and routers and TCP waits and stuff, this is a good place. if you want to configure ubuntu, ask ubuntu
22:51 < black_13> gotcha
22:52 < black_13> the group (ubuntu) they seem to be interested in how to use crayons
22:52 < ||cw> lol I bet they're struggling too
22:52 * ||cw uses ubuntu, but also recently learned there's a new network config thing I don't know how to sue
22:53 < jgkamat> are they not using networkmanager anymore :o
22:53 < ||cw> and I apparently can't type either
22:54 < TJ-> jgkamat: Ubuntu certainly is and will continue to use network-manager for desktops, systemd-networkd for servers
22:56 < TJ-> jgkamat: ||cw what has happened is netplan.io YAML config files are used to do the initial network config (for 'cloud' orchestration). On each boot netplan then writes the appropriate config file for either network-manager or systemd-networkd, as appropriate. ifupdown has been deprecated.
22:57 < ||cw> TJ-: and if I want to use the interfaces file?
22:57 < TJ-> ||cw: install ifupdown, that's what it belongs to
22:57 < jgkamat> ah, that makes a lot more sense now :P. I like networkmanager a lot :)
22:58 < TJ-> jgkamat: me too, especially as it's a system service. It's very handy on non-GUI systems too because it has the command-line "nmcli" and "nmtui" ncurses client
22:59 < TJ-> On Ubuntu network-manager has always been configured to not touch any interface that is declared in ifupdown's /etc/network/interfaces
23:00 < ||cw> ah ok. I asked someone earlier if they were using network manager or interfaces and they said no they were using netplan. I took that to mean network manager wasn't involved
23:01 < TJ-> right. I don't like netplan, Canonical have stuck it in for 'cloud' but it's got nowhere near the functionality that desktop and many independent servers require.
23:01 < TJ-> You don't need to use netplan; ignore it, or delete it, and configure network interfaces the 'standard' way - via network-manager or systemd-networkd (or ifupdown!)
23:02 < ||cw> cool
23:06 < Criggie> netplan is another systemd / network manager solution
23:06 < Criggie> I hate them all.
23:06 < TJ-> Criggie: no, it's nothing like them. It's not a network manager, it's a config file generator
23:09 < Criggie> Ahhhh okay not quite so nad.
23:09 < Criggie> nbad
23:09 < Criggie> b a d
23:09 < Criggie> gosh I need more or less coffee.
23:15 < JamiePhan> Hi guys, kinda wanna ask how does a company like Google get unique and memorable IP addresses? For example Google's 8.8.8.8/8.8.4.4 or cloudflare's 1.1.1.1? Am I able to get one myself too?
23:16 < TJ-> JamiePhan: lots of money
23:16 < petemc> if you have enough money
23:16 < JamiePhan> oh
23:16 < JamiePhan> assume I have lots of money (assume lmao), where can I buy them?
23:17 < TJ-> JamiePhan: do a deal with who-ever owns them
23:18 < Aeso> JamiePhan, typically you buy IPs in blocks of 256 or greater. IPs are going for ~$16USD a pop, but a block with a 'memorable' IP address in it may fetch considerably more.
23:18 < JamiePhan> ah thx guys!
23:18 < Aeso> There are websites where you can buy a block of IPs, and then you file a transfer form with your local RIR to transfer ownership.
23:21 < Aeso> Man, that's got to suck for new businesses looking to get an ASN + IP space. It's basically $4000 USD per physical location to even get started.
23:22 < infinisil> Aeso: That seems really low
23:23 < infinisil> I mean if you can't put out $4000 then you're probably not fit to do this
23:24 < ||cw> right, if you're going for an ASN, $4K is nothing. you'll drop 10 times that on one switch
23:25 < Aeso> infinisil, well it used to be $250/yr for an ASN and $250/yr per block when you could just request space via ARIN. low five-figure costs can be prohibitively expensive if you're a small enough business.
23:25 < skupra> https://skupra.org
23:27 < ||cw> being a small ISP used to be easy, an Ascend box and 2 T1 connections would get you started
23:29 < aditya7400> the solution was apparently big wifi dish antennae
23:47 < tds> Aeso: depending on what you're trying to do, you may be able to get a sponsored ASN and then get PI space or lease PA space, which is much cheaper than becoming an LIR
23:47 < tds> (for ripe at least, not a clue how it works in the us)
--- Log closed Fri Apr 06 00:00:35 2018