--- Log opened Wed Apr 18 00:00:49 2018
00:01 < Dagger> and also with v4 for the past two decades or so
00:02 < wiresharked> Dagger: Should I block UPNP on my firewall?
00:02 < Dagger> didn't you want to know about PXE? how is UPNP relevant here?
00:03 < wiresharked> Dagger: What would a server be loading with RPL?
00:04 < wiresharked> In the context of being related to PXE
00:05 < Dagger> I don't know what "RPL" refers to here
00:05 < wiresharked> Dagger: Remote program load
00:06 < Dagger> which is what, exactly?
00:07 < lupine> aye, communism already won on the internet
00:07 < wiresharked> Dagger: "A protocol for starting a computer and loading its operating system from a server via a network"
00:08 < mniip> I'm trying to troubleshoot my IPSec setup with racoon
00:08 < wiresharked> mnlip: What is your issue?
00:09 < mniip> for some reason I can't get any packets back
00:09 < Dagger> wiresharked: that quote is from a page that answers your other questions about it
00:09 < wiresharked> Check your inbound firewall configuration
00:09 < mniip> I can see the NAT-T-encapsulated packets going client to server
00:09 < mniip> but for some reason the server doesn't reply with the same NAT-T-encapsulated packets
00:09 < wiresharked> mnlip: OK, so your outbound traffic is fine
00:10 < mniip> it seems to reply in cleartext, or at least that's what tcpdump on the server is telling me
00:10 < wiresharked> Sounds like HTTPS may not be configured correctly then
00:10 < mniip> sounds like what
00:12 < Dagger> mniip: FWIW I'm pretty sure he's trolling, hence all the time-wasting questions
00:12 < Dagger> unfortunately this is the kind of troll that IRC ops never want to ban, so we're just all expected to put up with the waste of time
00:30 < wiresharked> energizer: Are you going to upgrade to 802.11ax?
00:37 < Dagger> ^ see?
00:39 < Dagger> nobody will ban because "802.11ax is on-topic", but I'd still put "asking random people about random stuff that noone, not even the asker, cares about the answer to" as somewhere under the trolling label
01:17 < drac_boy> hi again
01:42 < drac_boy> hmm very un-chatty network tonight :-> heh
02:57 < xamithan> is show interface description a real command?  I can't find it on packet tracer
03:26 < cyberbob> Hi All, I'm working as a remote contractor and have to dial in VPN (openvpn) to access the client network and work.
03:26 < cyberbob> Some of the customer apps are accessible globally (as of yet atleast) but right now they have whitelisted a few IPs  for that (mine is not part of that for sure) and if sometimes I forget to dial in to openvpn or it get disconnected somehow my IP is blacklisted (being not part of whitelisted IPs) and I've to request them for white listing which is becoming a bit of embarassement.
03:27 < cyberbob> and client doesn't feel good for that at all
03:27 < cyberbob> I'm planning to have a dedicated (small) device to dial into openvpn server and use that device as an AP so that when my machine connects to that AP all traffic is routed through the openvpn interface.
03:28 < cyberbob> can you guys recomend such device with such capability ?
03:29 < lupine> APU2
03:29 < lupine> I use one for exactly that
03:30 < quint> Anyone familiar with the DNS zone editor in cpanel?
03:31 < quint> Need to set two values under one TXT, what's the proper way to delimit values in cpanel?
03:31 < cyberbob> lupine: which one are you using and which distro (pfsense ? )
03:31 < lupine> APU2C2 and debian stretch
03:31 < lupine> or maybe it's the b2
03:31 < lupine> doesn't make much difference
03:32 < lupine> the ECC ram isn't worth the extra moola for consumer use
03:33 < cyberbob> lupine: how much power that consumes ?
03:35 < lupine> about 15W?
03:35 < lupine> more than my ISP-supplied router, but not *much* more
03:35 < lupine> it gets ~90 minutes out of the mini UPS
03:36 < cyberbob> lupine: Thanks, but that is above my budget ~400$+ in AU :(
03:36 < cyberbob> unfortunately ..
03:36 < lupine> mine cost ~200GBP all-in
03:36 < cyberbob> I used raspberri pi 3B but that is not that much stable (atleast that is what my experience is with that)
03:37 < lupine> surely the exchange rate isn't *that* bad?
03:37 < cyberbob> yeah that is but the project is not that long, so not sure if I can put that money on this proj :) that is the only concern
03:38 < cyberbob> rpi3 crashes OS sometiems (out of sudden) on reboot . .
03:38 < tds> if you want something cheap, openwrt on a cheapo ap would run openvpn fine
03:38 < lupine> openwrt < debian
03:39 < cyberbob> tds: I've TL mr-3420 v3 but none of these opwrt, ddwrt doesn't support v3 :(
03:39 < cyberbob> But looking for some other cheap router which can do the same
03:40 < tds> lupine: I agree (and my personal routers all run debian), I was just suggesting it as a potentially cheaper alternative
03:40 < lupine> I had a buffalo router for ages that did openwrt really well
03:40 < lupine> it was <£100
03:42 < cyberbob> thanks lupine tds :) will search for some router for that else will buy some apu2 or something similar for running pfsense (if I've to spent that much budget will go for that as have some good experiene with pfsense)
03:43 < lupine> there is so much good about the APU2
03:43 < lupine> I run my mail server on mine, in addition to my website, vpn client, etc
03:46 < orlock> Anybody know what port tcp 64946 is?
03:51 < cyberbob> lupine: thanks for sure will look into this (If i've to go above my budget)
04:54 < zhangj__> Hello everyone, may I ask who understands the socket5 agent?
04:56 < zhangj__> How to set up a socket agent on both sides, or when to close the socket?
04:58 < zhangj__> A Clients -> open Socket5 -> B Service -> open socket ->
04:58 < zhangj__>  Forwarding data
04:59 < zhangj__> A Clients -> open Socket5 -> B Service -> open socket ->  Forwarding data
05:00 < zhangj__> I know when to open socket forwarding data, I do not know when to close the established socket
05:01 < zhangj__> I do not understand socket5's rfc1928 specification. Can anyone help me?
07:02 < Sircle> Hi
07:02 < Sircle> I want to buy ssl cert. Any suggestions on vendor?
07:03 < mniip> Letsencrypt? :p
07:18 < Sircle_>  I want to buy ssl cert. Any suggestions on vendor?
07:28 < detha> letsencrypt
07:30 < frankzinger> https://letsencrypt.org/ just in case there was some confusion
07:30 < detha> unless one is a bank/financial institution or otherwise swimming in money, and needs EV certs, one does not 'buy' certs. One gets certs.
09:31 < be2pal> Hi there all
09:31 < be2pal> need help with cisco managed switch
09:32 < be2pal> do we need to always connect to it with subnet mask even after first setup ?
09:33 < be2pal> setting up Cisco sg300-28pp first time
09:33 < Roq> No, you can use a console cable for direct physical access
09:33 < be2pal> using ethernet cable
09:33 < be2pal> I dont know about using console cable to connect to computer
09:33 < Roq> With an ethernet cable you need IP connectivity
09:34 < Roq> Connect the console cable to the switch, and connect it to the serial interface on your pc
09:34 < be2pal> yes. Roq the system led is blinking even though i set dynamic ip address
09:35 < be2pal> Basically, I am not able to access ip camera POE with default camera ip. Not pinging
09:36 < be2pal> Using a laptop. Unfortunately console cable is out of reach now
09:36 < be2pal> using wireshark to scan out ip address though
09:43 < mustu> guys, I'm brainstorming on how to weed duplicate packet when mirroring traffic.
09:45 < be2pal> I am not clear of this Roq. If switch and computer is on same subnet mask, does the IP camera needed to be same subnet ?
09:45 < mustu> I have multiple segments that interconnect via a firewall. I want to target only two zones. I want everything exchanged between those two and to/from the Internet. However, I want to weed out any traffic to/from the other zones that I don't want to tap.
09:45 < mustu> how to achieve that on switch
09:50 <+xand> mustu: unlikely port mirror on a switch is going to filter that
09:50 < mustu> xand yeah.. need to verify my thoughts and see if there is a workaround
09:51 <+xand> you can do the filtering on what's receiving the mirrored traffic... assuming this is like a one-off for debugging something
09:51 < vmnewb> Hello everyone, I have a virtual enviroment and I reset the VMs to a previous snapshot where everything should have worked. I have a server which does mss2016 dc/dns/routing wich has 2 NICs IP 10.151.0.212/17 GW/DNS: 10.151.4.1 - LAN and 10.151.210.1/28 DNS: 127.0.0.1 GW: none - Virtual Network. I have a few VMs in the Virtual Network and they have the IPs: 10.151.210.2(vm1),3(vm2)/28 GW/DNS: 10.151.210.1. Now I need to read a t
09:52 < mustu> xand yep that's the last resort... to drop packet based on destination IPs
11:08 < leonarth> PCI-DSS auditor is asking to implement an IDS/IPS solution for outgoing traffic, I was thinking about setting up a NAT gateway and put Snort or Surricata on it - what would you guys suggest?
11:10 < detha> leonarth: in-line? hmm.
11:14 < Sircle>  I want to buy ssl cert. Any suggestions on vendor?
11:17 < Sircle>  what type of ssl is advised for a shopping cart site?
11:17 <+xand> none, you should use TLS
11:20 < Sircle> xand,  what do you mean?
11:21 < Sircle> Transport Layer Security (TLS) is the successor to SSL
11:21 < Sircle> xand,  so where do I buy that?
11:22 < be2pal> Sircle:  TLS
11:22 < frankzinger> Sircle, once again: https://letsencrypt.org/
11:22 < Roq> Sircle: check out letsencrypt
11:22 < be2pal> Letsencrypt - absolutely free and open source
11:23 <+xand> hmm
11:25 < be2pal> a tech associate suggested to setup cisco switch from telnet via lan.
11:26 < be2pal> I find web gui has many options to get started. But I couldnt connect without being in particular subnet
11:26 < TotallyNotKim> be2pal: you'll learn to hate the web gui in a matter of seconds
11:27 < be2pal> :) kind of started already
11:27 < be2pal> Wheres the resource to dig about console or telnet operating.
11:28 < be2pal> By the way, switch hasnt enable telnet by defaulf
11:31 < Sircle> be2pal,  which vendor gives tls? this is not ssl cert the usual EV SSL?
11:32 <+xand> SSL is the wrong term to use, it's TLS now
11:32 < Sircle> frankzinger, Roq letsencrypt is free. Don't have problems in browsers that are free certs?
11:32 < Sircle> xand,  of so the EV cert is actually TLS cert and still named SSL?
11:33 < Sircle> xand,  so these are TLS? https://www.namecheap.com/security/ssl-certificates/
11:35 < be2pal> Sircle: major web browsers with latest version accept this particular free cert
11:36 < be2pal> TLS replaces ssl. And since you are beginning, may start with letsencrypt.
11:36 < be2pal> and you continue this without commercial cert
11:36 < Sircle> be2pal,  I have shopping cart sites. will letsencrypt suite or at least an ev cert?
11:37 < be2pal> Letsencrypt suits
11:37 < be2pal> how u hosting shopping cart ? Vps ?
11:37 < Sircle> so these are TLS? https://www.namecheap.com/security/ssl-certificates/
11:37 < Sircle> be2pal,  hm
11:38 < Sircle> be2pal,  letsencrypt will show the green bar?
11:39 < be2pal> I am not sure of green bar
11:39 < be2pal> but letsencrypt will give your secure site.
11:41 < be2pal> Commercial vendors try to sell you with something like green bar is better or assure visitors security
11:41 < Sircle> be2pal,  I see its hard to get started with letsencrypt. It wont just register and get the certs downloaded
11:42 < be2pal> I believe you are just starting shopping cart at initial stage. Please focus on other aspect on the site. So ssl/tls, letsencryption is good.
11:43 < be2pal> Sircle: follow the instruction. its not like commercial where you click to buy. Download the cert and upload to cpanel
11:43 < frankzinger> Sircle, once again: https://letsencrypt.org/
11:43 < frankzinger> woops, didn't mean that
11:43 < frankzinger> wrong window
11:43 < be2pal> Letsencrypt has fairly simple instruction
11:44 < be2pal> Sircle: check your hosting provider. Cpanel may has option to obtain letsencrypt cert
11:44 < vlt> Can letsencrypt.org issue EV certificates?
11:45 < frankzinger> vlt, no
11:45 < be2pal> Only domain-validated certificates are being issued, since they can be fully automated. Organization Validation and Extended Validation Certificates are not available.[15]
11:46 < be2pal> https://en.wikipedia.org/wiki/Letsencrypt
11:46 < vlt> Thank you.
11:47 < be2pal> Sircle: if you are not advance webmaster, its time to brush off
11:47 < Sircle> be2pal,  k
11:49 < be2pal> Shopping cart can be demanding as growing bigger
11:49 < Sircle> I cant just place the cert files to new server once I have generated them? Why certbot is required to be placed where website is hosted?
11:50 < be2pal> Sircle: there r two options. Its depend what type of hosting
11:51 < be2pal> You can automate cert. Renewal with setting up online
11:51 < djph> Sircle: are you literally asking why you have to put the certs on the server that's hosting your website?  That's like asking why you have to put fuel in your car, or the key in the ignition (barring, ofc, one of the start-button-radio-keys)
11:51 < be2pal> Or setup locally to renew manually then upload
11:52 < be2pal> djph: I understand tech but not cars ;)
11:52 < frankzinger> djph, i think he meant "and leave it be"
11:52 < Sircle> djph,  no, I was asking why not just put certs in apache and why install certbot on each hosting server ?
11:52 < djph> Sircle: ahhh
11:55 < be2pal> Sircle: letsencrypt needs renewal on 3 months period. Installing certbot can auto renew without admin
11:59 < Ta-moko> hi, shopping for network cables, i don't want to assume too much, but may i assume CAT6A cables are basically same port shape and pins as CAT6E?
11:59 < Ta-moko> (thanks ahead of time)
12:02 < djph> Ta-moko: they'd better be, what with copper standardizing on 8p-8c connectors
12:03 < be2pal> Category 6e is not a standard, and is frequently misused because category 5 followed with 5e as an enhancement on category 5. Soon after the ratification of Cat 6, a number of manufacturers began offering cable labeled as "Category 6e". Their intent was to suggest their offering was an upgrade to the Category 6 standard
12:07 < djph> IIRC, it was "pre-standard" for 6a
12:07 < djph> 5 -> 5e / 6 -> 6e ... but then they decided "6a" was less confusing
12:09 < Sircle> be2pal,   I just installed it. What it does now is while loading it says "secure" on the bar and when the site loads, it says this site is not encrypted
12:14 < Sircle> be2pal,  nevermind
12:15 < be2pal> Sircle: does it says unencrypted
12:18 < well0ne> hello, i am having a routing problem . https://pastebin.com/QwFd2Tp5  iam inside the 192.168.0.0 subnet and cannot assecc the 10.* ranges . can anyone help to set the right routes
12:19 < djph> on your 10.* gateway, set a route to 192.168/16 via 10.whatever
12:20 < Sircle> be2pal,  there were few images fetched from outside. Maybe thats why. I will remove them and review again
12:20 < djph> assuming, of course, the 192.168 subnet is not being NAT to 10.whatever
12:20 < well0ne> okay, so i have to work with iptables?
12:21 < lolusux> Hi, I'm going to get a 42U server rack, out of which approximately half of it will be used to install various devices, I'm afraid I will have a heating problem because the rack will not have a separate room with AC, how do I determine whether I will have a heating problem at all and if so what kind of cooling solution should I look for?
12:23 < light> you can look at the manual for your servers to find the heat load
12:23 < be2pal> Sircle: best wishes for your shopping site
12:23 < light> you will want air conditioning
12:26 < well0ne> @djph so i need to use iptables to solve this problem`?
12:26 < be2pal> I hate managed switch. :(
12:27 < djph> be2pal: just thing of how much worse it'd be if it was a dumb switch.
12:27 < djph> well0ne: iptables is a packet filter, not a routing engine
12:29 < be2pal> djph: i like to configure but its not even start working.
12:30 < well0ne> okay, so what would be appropriate to try?
12:31 < light> well0ne: draw a network diagram and label the ip, netmask, gateway and routes for each device
12:38 < purplex88> why does my network ping decreases when I download stuff?
12:38 < purplex88> only download speed should decrease isn't
12:38 < purplex88> it
12:40 < well0ne> okay
12:41 < djph> purplex88: you mean the ping times increase?
12:41 < djph> be2pal: RMA as DOA?
12:41 < purplex88> ah, yes sorry increase
12:42 < light> congestion
12:42 < djph> purplex88: well, ICMP packets have a size.  Think it through.
12:42 < purplex88> i mean is it normal?
12:42 < purplex88> or just me
12:42 < light> yes
12:43 < purplex88> ah
12:43 < purplex88> makes sense i guess
12:43 < purplex88> icmp packets have to get through the crowd of other packets
12:44 < purplex88> but latency increases
12:44 < purplex88> its not just ICMP packets.. I experience lag in chat too
12:45 < light> yeah..
12:45 < bcjdk> Holy shit
12:45 < djph> funny how saturating your connection with porn means the other stuff can't get through
12:45 < purplex88> e.g. my download speed is 1 MB/s and I download stuff at 500 KB/s
12:46 < purplex88> why it still causes delay?
12:46 < purplex88> can it?
12:47 < Stryyker> It could be many things
12:47 < light> how much increase in ping times are you seeing?
12:47 < light> is your link symmetric? are ACKs getting delayed?
12:48 < purplex88> 34 ms to ~400 ms
12:48 < purplex88> it happens in context of torrenting
12:48 < purplex88> ADSL
12:48 < Stryyker> torrenting also has uploads
12:49 < djph> torrenting uses as much bandwidth as it can - in both directions.  Limit your upload speed
12:49 < purplex88> yes i use upload at the same time too
12:49 < purplex88> if i use all my upload speed, does it mean i can't download at full speed?
12:50 < purplex88> guess that what asymmertic thing means?
12:51 < Stryyker> a part of downloading is uploading information to say you got the packet. If you saturate downstream or upstream you'll see the increase in latency
12:51 < light> ADSL has poor upload bandwidth that's easy to saturate
12:51 < purplex88> i see ACKs
12:52 < Stryyker> that is why 2 decades ago some of the P2P guides had some rough guides on how to limit up/down speeds to keep things smoother.
12:53 < purplex88> what the difference in  link being symmetric or asymmetric?
12:53 < Epic|> It's literally in the definition of the words
12:53 < bcjdk> Holy shit^2
12:53 < bcjdk> I can't even
12:54 < light> a symmetric link is the same speed both directions
12:54 < light> an asymmetric link is not
12:54 < purplex88> means upload doesn't impact download speed?
12:54 < light> no
12:54 < purplex88> in case of?
12:54 < light> wat?
12:54 < purplex88> symmetric
12:55 < light> you've lost me
12:55 < Stryyker> you're conflating things and adding in stuff people are not saying
12:56 < djph> purplex88: "symmetric" connection -> you can upload and download at the same speed (e.g. 10 mbps).  "asymmetric" means one direction is slower than the other (e.g. DSL with 5/1)
12:56 < light> If you're on 1 mbit down ADSL I imagine your upload is even lower
12:57 < djph> probably 256k
12:58 < purplex88> but if I use all my upload speed then to download at full speed isn't possible
12:58 < purplex88> upload impacting download
12:59 < purplex88> i guess its true in both cases symmetric and asymmetric
12:59 <+catphish> technically speaking, uploading should not affect download speed, but... downloading with TCP requires some data to be uploaded (ACK), so maxing out upload can break this process
12:59 < purplex88> as we said because of ACKs
13:03 < aaa_> lol..
13:03 < purplex88> thanks understood
13:03 < purplex88> so this tells me "upload" link was the cause of i was experiencing latency
13:04 <+catphish> saturating upload is a common cause of terrible connectivity on residential links
13:04 <+catphish> 1) they usually have small upload speeds 2) they usually have large buffers, so if the buffer is full stuff can get really delayed
13:09 < cu_cucambur> Why does linux bridge has an ip assigned?
13:09 < cu_cucambur> have*
13:09 <+catphish> cu_cucambur: the host itself is connected to the bridge, that's the hosts's IP on its own port on the bridge
13:12 <+catphish> so if you have a bridge for example br0 that has 2 physical ports connected: eth0 and eth1, it also always has an invisible extra port than connects to the local host, this allows the host itself to communicate with that network
13:13 <+catphish> if there was no IP on this port, the host would have no way to talk to this network (the one connected to eth0/eth1)
13:15 < djph> catphish: so you could make a linux box a dumb switch...
13:16 <+catphish> you could, or a reasonably smart one, it supports STP and VLANs
13:16 <+catphish> and filtering
13:17 < djph> well, yeah - but I meant by dumping the IP address on br#, it'd act as a dumb switch for the interfaces attached to it
13:17 <+catphish> well by putting the interfaces in the bridge at all, it acts as a bridge
13:18 <+catphish> the IP just determines whether you want to connect the host itself to the network or not, i geuss the difference between a l2 switch and a l3 switch :)
13:18 < djph> yeah, that's what I was trying to get at ... and poorly
13:18 < tbcsj> Hi all - I've got a future situation where I have an access switch receiving .1q frames over n trunk ports, and I want to push a 2nd tag onto them to a northbound PE
13:19 < tbcsj> One of the .1q vlans is management that needs to terminate on the northbound PE
13:19 < tbcsj> Whereas the other VLANs traverse the MPLS network using t-ldp tunnels
13:19 < djph> so tag it on another port and send it over to that "northbound PE", and terminate it there.
13:20 < tbcsj> djph: I can either do selective q-in-q on the northbound switch
13:20 < tbcsj> Or use the vlan-tags outer [outer] inner [inner] on the PE
13:20 < tbcsj> s/northbound/access
13:21 < tbcsj> needs to be on the same trunk on the switch and on the same uplink port to PE
13:21 < djph> <enter> is not punctuation.
13:22 < tbcsj> Ok
13:22 < detha> tbcsj: you could do tricks with native vlan
13:23 < tbcsj> detha: I think I want to do one of the options I mentioned
13:23 < tbcsj> But I was wondering whether one solution is better than the other?
13:25 < detha> that probably depends on what equipment you have at hand, and which bugs in it you hit.
13:27 < drathir> mornin/evenin...
13:27 < djph> heyo drathir
13:27 < drathir> djph: hi, hi ^^
13:41 < drathir> lol amazon making android browsers ;p
13:46 < Apachez> nasdaq have been down for more than 6 hours... due to "fire related issue", their disaster recovery site is still not up and running...
13:48 < djph> Apachez: "all that DR stuff is too expensive, we haven't had a problem in my time here ever, budget denied"
13:50 < Apachez> I doubt it since they deal with stock exchange
13:50 < Apachez> money is not an issue :)
13:50 < djph> Apachez: I take it you've never worked with MBAs then
13:51 < Apachez> I have been in the financial world previously
13:51 < Apachez> but sure the prioritization can be fun at times
13:57 < dogbert2> hey djph Apachez
14:00 < Apachez> hi
14:04 < Apachez> they even fail to maintain their homepage online https://www.nasdaqomxnordic.com/
14:05 < Spice_Boy> I just tried out sslstrip for the first time, and it seems to work for https web sites to show passwords, but that's not really what I'm after. I have a device that does a port 443 VPN to somewhere, and I'd like to see what's in it. Is this at all possible?
14:05 < Apachez> Spice_Boy: maybe
14:05 < Spice_Boy> do tell
14:05 < Apachez> depends on the client and server software
14:06 < dogbert2> bwhahaaha...Jim Carrey doing Welcome to the Jungle in the Dead Pool
14:06 < Apachez> if they verify each other and use perfect forward secrecy (aka diffiehellman or such) then you wont be able to use sslstrip on that ssl vpn
14:06 < Spice_Boy> but is sslstrip even the right tool for a non-browser thing?
14:06 < Apachez> but if either part doesnt verify the other one (like if the client can be reconfigured to trust your sslstrip cert instead) then you can decrypt the session
14:06 < Spice_Boy> I looked up the server, and the cert seems to be signed by their company root ca
14:06 < Apachez> sslstrip just strips ssl
14:06 < Apachez> as far as I know
14:07 < Apachez> I might be wrong
14:07 < Apachez> another method is to run stunnel in debug mode
14:07 < Apachez> but the thing is again on how the client and server verifies each other and if perfect foward secrecy is being used or not
14:08 < Spice_Boy> I'll have to check that out
14:08 < Spice_Boy> just need to see about the tools first
14:09 < Spice_Boy> on a browser I get the cert error warning, but that's because it's signed by their own CA
14:17 < Spice_Boy> Apachez: this mentions some DHE stuff  https://pastebin.com/VYEVfsyL
14:19 < Spice_Boy> if I just go to the address on a browser, I get the nginx/1.10.1  messages (403)
15:47 < Apachez> https://www.youtube.com/watch?v=Q1TXk7ZdiQE
16:21 < conjunctivitis> i just installed a new os (avlinux, based on debian stretch) and i can connect successfully to my vpn as a client, and ping the server, but can't ping 8.8.8.8 or reach the internet
16:22 < conjunctivitis> if i launch openvpn via command line everything works normally, so i think it's a permissions problem with nm-applet
16:22 < conjunctivitis> any advice would be hugely appreciated
16:24 < compdoc> think theres a setting about using the gateway on the remote, versus not
16:26 < ||cw> conjunctivitis: check ip route with both methods and see what's different
16:27 < jason85> How can I tell from a DNS response that it is an authoritative answer of the requested domain or if it directs me to other nameservers?
16:27 < conjunctivitis> ||cw, can you please tell me exactly what command to use?
16:27 < ||cw> "ip route"
16:28 < ||cw> lol
16:28 < conjunctivitis> ||cw, sorry i'm a beginner, that's why i'm here :-/
16:28 < UncleDrax> hey now, plenty non-beginners here too :(
16:28 < ||cw> :) guess I should have put it in quotes the first time
16:29 < ||cw> you're looking for a difference in the "default" and for your subnets.  post on a pastebin if you like, feel free to mask the public IPs
16:39 < conjunctivitis> ||cw, i'm not sure which ips to mask
16:39 < conjunctivitis> and which ones you need
16:41 < conjunctivitis> the big difference i noticed right away is that the cli one starts with 0.0.0.0/1 via xx.xx.xx.xx dev tun0
16:41 < conjunctivitis> (this one works)
16:42 < conjunctivitis> the nm-applet one starts with this:
16:42 < conjunctivitis> default via xx.xx.xx.xx dev tun0 proto static metric 50
16:43 < conjunctivitis> this one doesn't work
16:44 < drathir> conjunctivitis: bad gateway in dhcp?
16:44 < ||cw> the /1 seems odd, but the metric 50 does as well.  when there's a metric it's usually because there's multiple of the same subnet, so the rest of the lines are improtant.
16:45 < conjunctivitis> ok
16:45 < drathir> conjunctivitis: both via are the sam addreses?
16:45 < drathir> sam/same*
16:45 < conjunctivitis> not sure what you mean
16:45 < ||cw> the public IP is all you'd need to mask, the 192.* and 10.* don't really matter
16:45 < drathir> conjunctivitis: in Your masked examples...
16:46 < conjunctivitis> drathir, no, they're different
16:46 < zenix_2k2> one question, why there are so many different protocols of each layer of a networking model ??? ( TCP/IP, OSI model ), isn't 1 of each is enough to establish connections between computers ???
16:46 < conjunctivitis> i think my vpn queries a dns to get the specific ip when it connects (i don't enter an ip to configure, it uses a dns to request the ip because they have a lot of servers all over the world)
16:46 < zenix_2k2> and sorry if that question is too noob
16:47 < conjunctivitis> guys i have to run, thank you for your help
16:47 < conjunctivitis> i will be back later
16:47 < ||cw> conjunctivitis: so, the issue is the nm is setting up the route wrong.  idk how to fix that though since I don't use nm
16:47 < conjunctivitis> sorry, i found this channel after asking for help for about an hour and getting automated bot responses in other channels
16:47 < conjunctivitis> i'll come back later
16:48 < zenix_2k2> um hello ???
16:48 < drathir> zenix_2k2: udp vs tcp get eg. different usage thats main purpose of differencies i guess...
16:48 < ||cw> zenix_2k2: that is a complicated questions....
16:49 < zenix_2k2> well yea i suppose it is
16:49 < ||cw> basically, it's for compatibility
16:49 < zenix_2k2> i always wonder why each layer has so much protocols that most of them do the same jobs ( with just some minor differences )
16:49 < zenix_2k2> but pretty much they can do each other task ( on the same layer )
16:51 < ||cw> the 100baset layer 1 and the wifi layer 1 and the fiber layer 2 are all very different.  but at layer 2 the frames are similar
16:51 < zenix_2k2> OSI model or TCP/IP you mean ?
16:52 < ||cw> then you add in things like dialup modems and SLIP links that are different all the up to layer 3, but at layer 4 all things can start talking
16:52 < ||cw> osi model
16:52 < zenix_2k2> how about TCP/IP ??? i am into it more than OSI model
16:53 < zenix_2k2> since OSI model is kinda out-dated to most of people
16:55 < kepler> zenix_2k2: tcp/ip operates within the layers of the osi model, they aren't comparable
16:55 < ||cw> ip ls layer 4, tcp/udp/whatever is 6, http/imap/irc/etc. are layer 7
16:55 < ||cw> there are other things that can run on these layers too
16:56 < ||cw> it's all about flexibility and comparability
16:56 < zenix_2k2> but WHAT IF each layer only has 1 protocol, can connections between computers still accomplish ???
16:56 < Roq> What? no. IP is layer 3, tcp/udp is layer4
16:56 < kepler> zenix_2k2: no, you need the full stack
16:56 < mAniAk-_1> ||cw: no..
16:56 < ||cw> oh, right, subtract 1
16:57 < mAniAk-_1> still wrong
16:58 < Roq> zenix_2k2: The OSI model isn't outdated, it's the standard
16:58 < ||cw> not just the standard, it's the fundamentals of how the Internet works at all
16:58 < zenix_2k2> well, but why people don't usually talk about it anymore ???
16:58 < zenix_2k2> but TCP/IP Instead
16:58 < kepler> actually understanding the osi model will help you troubleshoot more than just about anything else
16:58 < mAniAk-_1> anyway, think of it as layers of encapsulation, the tcp/ip and osi models can help you visualise it, but all protocols do not fit neatly in one layer so it's just a guide
16:58 < kepler> tcp/ip operates within the OSI model
16:58 < Roq> Then you're talking to the wrong people, or about different subjects
16:59 < ||cw> zenix_2k2: it's just a model.  what we talk about are the implementations
16:59 < zenix_2k2> kepler: what does it mean by "operates within the OSI model"
16:59 < kepler> that they are different, they aren't comparable
17:00 < zenix_2k2> if they aren't comparable, how can they operate within each other ???
17:00 < kepler> well, you operate on planet earth, are you comparable to planet earth?
17:00 < ||cw> zenix_2k2: when you're doing spectrum analysis to see where wifi and microwaves conflict, you'd working on layer 1 in the model.  when you're certifying ethernet cables for cross talk, also layer 1.
17:00 < zenix_2k2> well, as a part of it, i think i am somehow
17:01 < kepler> OSI is required for tcp/ip to work. tcp/ip is not required to maintain the OSI model
17:01 < zenix_2k2> well, that is more cleared
17:01 < mAniAk-_1> wtf?
17:01 < kepler> tcp/ip was developed within the OSI model
17:02 < mAniAk-_1> what are you even talking about
17:02 < zenix_2k2> models and protocols
17:02 < Budd> Is there any way to assume a mapping between some link-local IPv6 addresses and MAC addresses, to avoid neighbor discovery?
17:03 < mAniAk-_1> zenix_2k2: i know what they are, but youre both just speaking nonsense now
17:03 < Gollee> why do you want to avoid neighbor discovery? Budd ?
17:03 < zenix_2k2> ||cw: so what protocol that is used to analyze the conflict between wifi and microwaves ???
17:03 < tds> Budd: yes, there's an algorithm for it, iirc you flip a bit and put ff:fe in the middle
17:03 < kepler> mAniAk-_1: comparing tcp/ip to the osi model wrong, how is that nonsense, one is a model for running networks, one is a protocol developed within the model
17:04 < Budd> Gollee: just curious because babel uses multicast instead of unicast in some cases to avoid ND. But I think wireless multicast goes at a lower bitrate.
17:04 < ||cw> zenix_2k2: RF radio.
17:04 < mAniAk-_1> kepler: what? Both OSI and tcp/ip have their own protocol stacks, neither are just a model
17:05 < ||cw> zenix_2k2: layer 1 is how the elections move on the wire, or the lights flash in the fiber, or the radio waves... uh, wave...
17:05 < mAniAk-_1> kepler: osi has it's own ip, tcp, udp, etc, equivalent
17:05 < kepler> mAniAk-_1: he is refering to osi model
17:05 < Dagger> its*
17:05 < Dagger> c'mon >.>
17:06 < zenix_2k2> ||cw: so for an example, when my mobile turns on its flash light, it also means it is using one of the protocol from layer 1 ?
17:06 < zenix_2k2> as far as i know, layer 1 is about hardware
17:06 < zenix_2k2> but as you said, it sounds a bit farer than i thought but not sure if i thought is correct
17:06 < ||cw> is turning on a flashlight a network operation?
17:06 < zenix_2k2> so what do you mean by "or the lights flash in the fiber" ???
17:06 < ||cw> is there a systems interconnect there?
17:07 < zenix_2k2> i always confuse that part
17:07 < UncleDrax> ||cw: these days, I wouldn't be suprised if there is some Internet-Cloud managed Flashlight solutions out there.
17:07 < tds> Budd: it's worth keeping in mind that you can't always rely on that, though (eg I think network-manager generates its own ll addresses, rather than using the mac address)
17:07 < ||cw> fiber connections work by shining LEDs or lasers into a fiberoptic tube
17:07 < Budd> tds: yes - I suspected as much.
17:07 < drathir> zenix_2k2: why not if reciver understand flash blinking ? ^^
17:07 < ||cw> they blink them really fast to represent bits
17:08 < tds> and you can do other similar things manually if you want (eg I have some routers with static link local IPs)
17:08 < Budd> tds: what's the point in picking a random LL, though? It's not like you're obfuscating your MAC.
17:09 < drathir> tds: or just uls...
17:09 < drathir> ula-s*
17:09 < zenix_2k2> drathir: sorry but i didn't get what you mean
17:09 < zenix_2k2> i am not good with english metaphors or networking metaphors in english
17:10  * UncleDrax randomly headdesks because adding support contracts on vendor sites is a thing that seems overly complicated.
17:11 < Dagger> Budd: SEND?
17:12 < jason85>  How can I tell from a DNS response that it is an authoritative answer of the requested domain or if it directs me to other nameservers?
17:13 < tds> Budd: I've no idea why network-manager does that, I guess the reasoning is probably documented somewhere though
17:13 < djph> it'll say it's an authorative answer
17:13 <+xand> nslookup tells you
17:14 < djph> or rather it'll say if its non-authorative
17:16 < drathir> zenix_2k2: < zenix_2k2> ||cw: so for an example, when my mobile turns on its flash light, it also means it is using  one of the protocol from layer 1 ?
17:16 < drathir> zenix_2k2: if reciver understand that blinking why not ?
17:17 < ||cw> sure, if you're blinking a light and some receiver understands those blinks, that could be a layer 1
17:17 < zenix_2k2> well, fair enough
17:21 < ||cw> that's also the basis of free-space optic networking
18:12 < wtflux> is DNS and stuff like that discussed here?
18:13 < lupine> sure
18:15 < wtflux> ok i've got what i hope is a simple dns issue here, but im trying not to be long winded tho it will require some explanation
18:16 < wtflux> im supporting a co-workers website at nearlyfreespeech.net and transferred my domain to their Nameservers and created DNS records
18:17 < wtflux> they created the A records and several others automatically, i created an alias record to www.hostname.com which points to hostname.com which points to host.nfshost.com (the SOA i think?) anyways, when people visit www.hostname.com it redirects to hostname.com and the site is a wordpress site so when she gives people links to her blog posts they always want to append www. to hostname.com/wordpress/blog.php which doesnt work upon
18:18 < wtflux> i dont quite understand whats going on here, i've never had to make cname records or aliases for www usually the nameservers just "worked" but not so with this host
18:19 < wtflux> in plain terms i wish www.hostname.com would stop redirecting to hostname.com and remain www in the address bar
18:19 < wtflux> but i think something about the way nearly free speech's setup their nameservers prevent this from happening because hostname.com is the A record, rather than the www alias
18:21 < wtflux> this host's nameservers seems to do the exact opposite of what every host i've experienced in the past, and all websites do... when you visit amazon.com you are redirected to www.amazon.com in your browser, and the address stays www.amazon.com, my site is doing the exact opposite
18:22 < wtflux> if you visit renchispace.com (my coworkers website) you'll be redirected to renchispace.com and this is where the problem lies
18:22 < wtflux> er, www.renchispace.com redirects to renchispace.com
18:23 < wtflux> sorry if that explanation was confusing im doing my best here, im not thoroughly DNS savy
18:24 < wtflux> never in my life have i needed to create a cname record for www
18:25 < ||cw> wtflux: I'm sure there's providers that automatically make www records, but that is not inherent to DNS.  something has to add it.
18:26 < wtflux> ok thats understandable but what exactly am i dealing with here?
18:26 < ||cw> the redirect is in the web server config.
18:26 < wtflux> i just want my friends site to be viewable as www.renchispace.com
18:26 < wtflux> and it seems like this host's nameservers/DNS are setup to NOT do that
18:27 < wtflux> i've poured thru the host's DNS documentation and its rather ambiguous, it says to create the records, which i've done, but nothing about the redirect issue
18:27 < tds> assuming both the A/AAAA records point to the same web server for www and the root domain, that's fine, you just need to configure the web server to do a redirect from root -> www
18:27 < ||cw> right, the redirect has nothing to do with dns
18:27 < ||cw> it's in the web server
18:28 < wtflux> ok thanks i didnt realize that
18:28 < ||cw> dns only resolves names, nothing more
18:28 < wtflux> this is shared hosting so that probably wont be an option
18:29 < tds> most decent shared hosting systems should support redirects
18:30 < wtflux> tds: but that is something the hostmaster would have to fix right?
18:30 < tds> looks like they support it with a plain htaccess file: https://faq.nearlyfreespeech.net/section/customization/forwardsite#forwardsite
18:31 < ||cw> yeah, it's just set backwards
18:31 < wtflux> tds thanks this seems like it will help.
18:31 < wtflux> ||cw what exactly is set backwards? something on my end or his?
18:33 < tds> ah, I only just remembered you said this is a wordpress site
18:33 < ||cw> wtflux: it's redirecting www to tld, you want tld to www.
18:34 < tds> wordpress by default will do redirects to whatever URL it thinks the site is hosted as (eg adding/removing www as required)
18:34 < ||cw> so it's in the wordpress config then?
18:34 < wtflux> i'll check there as well
18:34 < wtflux> and adjust accordingly
18:34 < wtflux> one thing im getting confused about, the CNAME record www.renchispace.com for renchispace.com would mean that renchispace.com is canonical correct?
18:36 < tds> dns only controls what web server the request goes to, the actual redirect is down to whatever is returned by that web server
18:36 < tds> both of those resolve to 208.94.117.240, so that looks fine
18:37 < tds> (but you should really add aaaa records as well, since it looks like nearlyfreespeech support ipv6 :)
18:37 < wtflux> yeah im just getting confused about which is the canonical name, im reading a blog here, which discusses the .htaccess info you linked to tds, and its saying to use the www. as the canonical name, and not the hostname.com
18:38 < ||cw> it doesn't matter
18:38 < wtflux> and im like ok how is that possible when they created the A record which would be the canonical name
18:38 < wtflux> and this is a NFS blog post, that seems to contradict their own info from the .htaccess FAQ
18:38 < wtflux> https://blog.nearlyfreespeech.net/2006/11/17/forwarding-sites-url-rewriting/
18:40 < ||cw> wtflux: the "best practice" preference is that the tld has the A record and the www is a cname.  but it doesn't really matter, and has zero effect on the redirect
18:41 < ||cw> you could have both as A, or both as cname to something else and it would work the same
18:42 < tds> "both as cname" - worth keeping in mind a cname on a root domain isn't valid (unless you can persuade the tld to put it in their zone)
18:42 < Apachez> A server00494 1.2.3.4
18:42 < wtflux> So this .htaccess file in the root is a common thing and is how its done professionally?
18:43 < Apachez> www CNAME server00494
18:43 < wtflux> and it only goes in the root? no where else, or copied multiple times?
18:43 < Apachez> define "professionally"?
18:43 < Apachez> "professionally" you harden your webserver which means you DONT allow .ht files at all
18:43 < Apachez> all config is made by root prev of the httpd.conf directly
18:43 < Apachez> allowing .ht files is a common rookie mistake
18:44 < wtflux> well heck
18:45 < wtflux> i have a xampp install im gonna look in the httpd.conf and see how mine could differ from theirs
18:47 < ||cw> Apachez: AllowOverride can control what can be done from htaccess, but it's still generally to be avoided.  shared hosting uses it a lot though
18:47 < wtflux> Apachez: would the configuration you alluded to be the "alias_module" config?
18:49 < wtflux> Apachez: or, if you'd be so kind, you can tell me what the proper setup would be, so i can know how to do it correctly in the future when im running my own LAMP at some point so idont make the same mistake? then i'll go  with the htaccess file since its not my show
18:53 < Apachez> wtflux: disable everything and start from there?
18:53 < ||cw> wtflux: I think Apachez is saying that the proper setup would be a control panel that takes validated config and generates the server conf file directives from it.
18:54 < ||cw> using htaccess is the easy way out in shared hosting, with some trade offs.
18:56 < wtflux> oh i see, i was just curious what the particular configuration apachez was referring to perhaps he wasnt alluding to a specific one
18:57 < wtflux> ||cw: the RedirectPermanent directive, mentioned in that FAQ, it says to setup a forwarding site i dont understand what they mean by that
18:59 < wtflux> nevermind im gonna use mod_rewrite since it seems no second site is required to set it up.
18:59 < Apachez> wtflux: I was "alluding" to how you are supposed to configure stuff nowadays
19:00 < Apachez> disable everything and ONLY enable the features you really need
19:00 < Apachez> not the other way around (enable everything by default and then get surprised that your server got hacked)
19:03 < philwong> Hey guys. If you do a hard reset of a phone, will your phone number still be saved when you go into the "About Device" section of the phone?
19:04 < philwong> I'm referring to an Android
19:05 < Quatermass> try #android
19:06 < Quatermass> and the phone number is in the simcard
19:06 <@pppingme> philwong yeah, that comes from the sim card, not affected with a reset
19:06 < philwong> Ok
19:07 < philwong> But what if the sim card gets disabled by my phone provider, would it still show my number?
19:07 < Quatermass> sigh
19:08 <@pppingme> thats up to the provider
19:08 <@pppingme> depends on "how" they disable the sim card
19:11 < djph> we use a small thermite charge.  takes out the card, phone, and hopefully the user's hand.
19:13 < philwong> So when a simcard displays the information in your phone, it is actually through a signal and not something saved in the simcard?
19:14 < philwong> The reason I ask is I had my phyone stolen a few weeks ago
19:14 < philwong> Although I had nothing on the phone and did a hard reset when he stole it, I didn't want my phone number showing on the phone
19:15 <@pppingme> you managed to do a hard reset on the phone as it was being stolen?
19:15 < philwong> No
19:15 < philwong> I did a hard reset before. Coicidently
19:17 < philwong> the only thing is, it was possible I left my old sim card in thre but the sim card was not activated and disabled
19:17 <@pppingme> did you report the stolen sim to your provider?
19:17 < philwong> It was already disabled
19:17 <@pppingme> why do you care if this guy finds your number, was the phone hot or something?
19:17 <@pppingme> your story seems to be falling apart
19:19 < philwong> I care because he can post it anywhere and spam it
19:19 < philwong> or who knows
19:19 < skyroveRR> Hi pppingme
19:19 < philwong> Thats why I wanted to know if a phone number still shows on a disabled sim card
19:19 <@pppingme> unless you've pissed this guy off, or there's something crooked about the transaction, why would he do that?
19:20 < philwong> There is always a chance, and I like to be safe, thats all
19:20 <@pppingme> then change your number
19:21 < philwong> yeah I guess I could
19:21 < tds> also, it's probably worth reporting the phone stolen anyway, as the network should be able to blacklist the IMEI of the device
20:18 < Sircle> be2pal, when certbot installs certs, it asks to redirect http to https. If I choose that, it does not do it. I also added `Redirect permanent "/" "https://mysite.com"` but it again does not do it. What could be the reason?
20:21 < ||cw> Sircle: did you reload the server config?
20:21 < Sircle> ||cw,  yes
20:21 < ||cw> do you have rewrite enabled?
20:22 < Sircle> ||cw, how to check?
20:22 < ||cw> depends on what web server.  likely best answered in that software's channels
20:24 < Sircle> Loaded Modules:
20:24 < Sircle> rewrite_module (shared)
20:24 < Sircle> ||cw,  ^
20:25 < be2pal> Sircle: use server configuration rather than .htaccess
20:25 < Sircle> I have it in server config
20:26 < be2pal> http://stackoverflow.com/questions/4083221/ddg#21798882
20:27 < Sircle> IS the <VirtualHost *:443> part needed? I have it running without the :443 part. Just cannot redirect it. https://pastebin.mozilla.org/9083346
20:30 < be2pal> Isnt better to use RewriteRule than Redirect Perment
20:31 < be2pal> https://serverfault.com/questions/664768/redirect-permanent-http-to-https
20:34 < Sircle> be2pal,  I read it, add both. Not working
20:34 < be2pal> remove permant redirect and try ?
20:35 < be2pal> Just with rewrite rule
20:36 < Sircle> hm
20:36 < Sircle> ok
20:40 < Sircle> be2pal,  now I have https://pastebin.mozilla.org/9083349  and reloaded
20:40 < Sircle> not restarted though
20:52 < Sircle> be2pal,  any clues?
20:54 < be2pal> Sircle: not sure now. Need to take a look at config file.
20:54 < be2pal> Maybe somebody will try to assist you today. I am dosing off now. Bye for now
20:54 < Sircle> k
20:54 < Sircle> thanks be2pal
20:58 < be2pal> Sircle: join telegram group for networking hep://t.me/Teck_N00bs
20:59 < apb1963> I'm not sure if my DNS is working or not...  dig seems to say yes... mxtoolbox.com says no.
20:59 < be2pal> Sircle: https://t.me/Teck_N00bs_Networking
20:59 < UncleDrax> prob an Apache/web-server IRC channel
21:00 < Sircle> ok
21:01 < be2pal> Sircle: like what UncleDrax said, much better chance at apache channel
21:05 < Sircle> k
21:06 < conjunctivitis> ||cw, you still around?
21:08 < conjunctivitis> anyone here who can help me troubleshoot openvpn on linux?
21:08 < Guddu> I have a receipt printer which is connected to Network cable but is still not discoverable in the Ethernet Utility that the manufacturer provides. What could be the reason?
21:08 < Guddu> I have Firewall disabled.
21:08 < Guddu> Printer model is this http://www.citizen-systems.com/en/printer/pos/ct-s4000
21:09  * UncleDrax runs away from Printer talk
21:10 < ||cw> conjunctivitis: I don't really know much more about it
21:10 < electricmilk> Guddu,  Is the printer in the same subnet?
21:10 < ||cw> Guddu: is your dhcp giving it an ip?
21:10 < conjunctivitis> ok i made a mistake before with ip route
21:10 < conjunctivitis> i was using 2 different servers in different countries
21:10 < ||cw> Guddu: that doens't seem to be a network printer....
21:10 < conjunctivitis> would it be revealing if i show you the updated ip route?
21:11 < Guddu> electricmilk, ||cw That's what i don't know i it has a IP. I tried printing a config label but that does not have any networking details/
21:11 < conjunctivitis> working vs not workinng?
21:11 < electricmilk> Guddu,  Lame.  You could check DHCP leases
21:11 < Guddu> ||cw, I have it connected using network cable. There is a variant which comes with ethernet card.
21:11 < electricmilk> Guddu,  Or even use Nmap to discover it
21:11 < ||cw> oh, there's the options.  doens't say lan up top, but does later
21:11 < Guddu> electricmilk, How do i check DHCP Leases? I am on Windows
21:11 < electricmilk> Guddu,  Do you know what you are using for a DHCP server?
21:12 < electricmilk> This a home network?
21:12 < Guddu> electricmilk, It is a modem provided by my service provider.
21:12 < Guddu> electricmilk, Yes. Home Network.
21:12 < ||cw> Guddu: open the dhcp admin program and sort by lease expiration.  newer leases will have later expirations
21:12 < electricmilk> Ah okay. So login to your box and it might tell you what IP's it has leased
21:13 < ||cw> oh, home router doing dhcp, check it's admin page
21:13 < electricmilk> Guddu,  Super lame your printer doesn't print out network settings...I'd check the manual to confirm this...its pretty standard
21:13 < electricmilk> Guddu,  Sometimes you have to hold down a button to have it print
21:14 < electricmilk> Guddu,  Since its a home network you likely don't have that many devices...personally I just use nmap with the -A option to discover devices.
21:14 < Guddu> electricmilk, I preseed feed while pressing power. That's all it says it has.
21:14 < ||cw> electricmilk: with the inconsistencies on that product page I'm not very surprised
21:14 < electricmilk> lame
21:14 < electricmilk> Does the printer have ethernet lights when you plug in the cable?
21:15 < electricmilk> And is this printer new?  If its used it likely has a static IP set.
21:16 < Guddu> electricmilk, Yes. Light are blinking. Not sure if it might have a static IP but don't have a way to see that either.
21:16 < Guddu> This is my network map...None of them is the printer http://prntscr.com/j71oq9
21:17 < electricmilk> Guddu,  Once the printer has an IP you could likely connect to it through your browser to configure
21:17 < electricmilk> Guddu,  I'd read the manual inside out...there has to at least be a way to reset the config on the printer
21:18 < electricmilk> You could also try swapping out the ethernet cable in the off chance the cable is bad
21:20 < conjunctivitis> my openvpn connects via nm-applet but i can't get to the internet.  pinging 8.8.8.8 doesn't work.  if i launch it from the command line using the same config, it works fine.  can anyone help?
21:21 < ||cw> Guddu: if it comes with a static IP you either need to factory reset it, or use its docs to see what the factory static address is.  then you need to set your PCs ip to a static in the same subnet so that the config tool can find it
21:23 < tds> conjunctivitis: if you run "ip a" and "ip r" while you have openvpn connected via running it manually and via nm-cli, is there any difference?
21:23 < electricmilk> ||cw,  Ah yes I forgot about checking to see if the factory static IP is in a different subnet
21:24 < conjunctivitis> tds, ill check that, just to make sure i'm doing things right i'll go through what i've done so far
21:24 < conjunctivitis> to launch openvpn from cli i use these commands:
21:24 < conjunctivitis> sudo service openvpn start
21:24 < conjunctivitis> then sudo openvpn /path/to/server.ovpn
21:25 < conjunctivitis> neither of these works withoutt sudo
21:26 < tds> you shouldn't need to mess with the service if you're then manually running openpvn like that
21:26 < tds> the service just automatically starts/stops instances of openvpn with the config files in /etc/openvpn
21:26 < conjunctivitis> tds, so should i do sudo service openvpn stop?
21:26 < tds> it doesn't matter, the server probably isn't doing anything anyway
21:27 < tds> s/server/service/
21:27 < conjunctivitis> iirc openvpn by itself didn't do anything until i started the service
21:27 < conjunctivitis> in the sense that i tried to check if it was in my path by pressinng tab and it didn't complete until i started the service
21:28 < electricmilk> Anyone know if it is possible to have a SonicWALL configured so that if our wireless p2p go down it will swap over to VPN?
21:29 < electricmilk> I imagine all I have to do is configure the AD for the routes
21:29 < tds> conjunctivitis: hmm, that doesn't sound right
21:29 < conjunctivitis> i may be mistaken, i've been beating my head against this for a few days
21:30 < conjunctivitis> maybe i'll reboot and try what you asked and come back with some results?
21:30 < conjunctivitis> will you be around for a few minutes?
21:37 < conjunctivitis> dps
21:38 < conjunctivitis> tds, you still here?
21:43 < tds> conjunctivitis: yes
21:44 < conjunctivitis> i checked, ip a is pretty much the same (i presume we're interested in the tun0: entry?)
21:44 < conjunctivitis> ip r is different
21:46 < tds> conjunctivitis: yes, tun0 is likely the interesting part, what's the difference with ip r?
21:47 < conjunctivitis> tds, just a second, i'm making a pastebin
21:48 < conjunctivitis> tds, https://pastebin.com/bF9qhwLn
21:51 < tds> conjunctivitis: ah, so openvpn is adding two /1 routes to override the default route, while network manager is using metrics
21:51 < tds> either of those approaches should work, though
21:53 < conjunctivitis> but one is not
21:53 < conjunctivitis> would it be useful to see the same output from another computer using a previous version of the os where it's working correctly via nm-applet?
21:57 < tds> conjunctivitis: oh, hang on a second, what is the IP of the openvpn server?
21:58 < tds> in both cases there was a static /32 route added via the old default gateway (which lets openvpn route back to the server), but the ip is different between the two configs
21:58 < conjunctivitis> i need to disconnect to check that
21:58 < conjunctivitis> tds, brb
21:58 < conjunctivitis> no, my bad i have it here
21:59 < tds> it's probably either 178.162.222.40 or 178.162.211.114
22:04 < conjunctivitis> tds, i wrote you in a dialog window, did you see that?
22:30 < mawk> I've got a /48 prefix routed to my server
22:31 < mawk> so it would make no sense if I added 2001:db8::1/48 as an address to my WAN interface, it would route unknown subprefixes to the internet
22:31 < mawk> knowing that the prefix is routed to me
22:31 < mawk> so I could add the address as 2001:db8::1/128, but then it's not as cool as having a /48 address
22:31 < mawk> so what I did is adding 2001:db8::1/48 noprefixroute, to not generate the route
22:32 < mawk> but still packets for unknown subprefixes will be routed to the internet, so I added an unreachable route for the whole /48 to block packets for unknown subprefixes
22:32 < mawk> is that the canonical way ?
22:33 < tds> yeah, I'd bind a /128 to loopback and then have a /48 unreachable route for your entire prefix
22:33 < tds> (and then you can have a load of more specific routes for internal stuff as you like)
22:33 < mawk> so overall I do: `ip addr add 2001:db8::1/48 dev eno1 noprefixroute; ip route add unreachable 2001:db8::/48; ip route add 2001:db8:0:100::/64 dev vmbr0; ip route add 2001:db8:0:200::/56 dev wg0; # etc'
22:34 < mawk> I see
22:34 < mawk> you set the /128 on loopback ? why not on the WAN interface ?
22:35 < mawk> I know that with ip forwarding it's kinda the same but morally it makes more sense to me to put it on the WAN interface
22:42 < tds> my routers have various interfaces for transit, peers and links to other internal routers, so it wouldn't make sense to put the router's /128 on any physical interface
23:11 < pi-> Hello people.
23:11 < pi-> I asked this a couple of weeks ago, my mind keeps returning to it.
23:12 < pi-> Suppose I have several thousand users in a crowd; is there any direct way to network them?
23:12 < pi-> So that e.g. if one of them sends a message, all of them receive that message with minimal latency (<20ms say)
23:13 < pi-> I think it's very nontrivial problem.
23:13 < pi-> users = iOS/Android users
23:13 < S_SubZero> well, what assumptions can we make about their network setup
23:13 < pi-> All I can guarantee is that I can design an iOS/Android app and get them all using it.
23:14 < S_SubZero> then no.
23:15 < blawiz_> are there internet modems with routers? (so dont need two boxes for internet)
23:15 < pi-> Maybe certain android users could be 'hubs' .. (I don't know how much of a walled garden Android is)
23:16 < S_SubZero> blawiz_: look for "gateway" devices.  I have one.
23:17 < S_SubZero> cable modem, 4-port gig-e switch, 802.11ac in one box
23:20 < blawiz_> S_SubZero: that sounds like a generic description?
23:20 < S_SubZero> well that's what they are called.
23:21 < blawiz_> :]
23:26 < S_SubZero> i was thinking of replacing mine with one with USB ports for home NAS stuff
23:26 < blawiz_> S_SubZero: maybe this works? https://www.nikktech.com/main/images/pics/reviews/linksys/wrt_1900_ac/linksys_wrt_1900_ac_12.JPG
23:27 < S_SubZero> well you'd have to read the specs and make sure it has what you need.  Does that have wireless?
23:27 < blawiz_> i think so
23:28 < blawiz_> prob works as modem since it has one(actually two!) of thos connectors
23:29 < wiresharked> blawiz_: What is the manufacturer?
23:29 < S_SubZero> it doesn't appear to have any antennas nor is standing up like internal antenna models do
23:29 < blawiz_> its one of those (famous?) linksys wrt
23:30 < wiresharked> Of course it is..
23:30 < blawiz_> https://www.nikktech.com/main/articles/peripherals/network/modem-routers/4704-linksys-wrt1900ac-ac1900-smart-wi-fi-wireless-router-review?showall=&start=3
23:30 < blawiz_> wiresharked: wut? iz bad?
23:30 < wiresharked> blawiz_: I know that it's linksys, which is not a bad brand
23:36 < xamithan> I don't see why people buy those things.  I've replaced my modem 4-5x more times than the router
23:37 < blawiz_> ive never replaced the modem, also i think the internet company would do it, i think its theirs
23:37 < wiresharked> xamithan: I say to make sure at least one of them has DD-WRT
23:37 < blawiz_> anyway, i need some slp -.-
23:37 < blawiz_> gnite!
23:38 < xamithan> dd-wrt has gone downhill though.  I thought everyone was using openwrt
23:39 < wiresharked> xamithan: Or just don't use a linksys router
23:49 < qman> dd-wrt is a bit slapdash in comparison, lots of bugs and regressions
23:49 < wiresharked> qman: Regressions in terms of what?
23:56 < jvwjgames> if i have two subnet assigned to me can i further subnet them down
23:57 < wiresharked> jvwjgames: You probably don't need to. Do you have a subnet mask of 255.255.0.0?
23:57 < wiresharked> And I believe you are talking about supernetting here
23:58 < jvwjgames> no they are 255.255.255.240 and 255.255.255.248
23:58 < wiresharked> jvwjgame: So a /64 then?
23:58 < jvwjgames> yes
23:58 < wiresharked> I think that you have quite a bit of IP address space here
23:59 < xamithan> What?  That is /29 and /28.  You could subnet them down but they are pretty small already
23:59 < wiresharked> xamithan: Oh, sorry, I thought they were /64
23:59 < jvwjgames> how do i subnet them down do i have to tell the dc to do that
--- Log closed Thu Apr 19 00:00:02 2018