--- Log opened Thu Apr 19 00:00:02 2018
--- Day changed Thu Apr 19 2018
00:00 < wiresharked> jvwjgames: You should ask that in ##windows-server
00:01 < jvwjgames> and by the way
00:01 < xamithan> You'd have to set up a gateway for each
00:01 < jvwjgames> i don't have a windows server
00:01 < wiresharked> jvwjgames: OK, so why else did you mention a domain controller?
00:02 < xamithan> I think he meant datacenter wiresharked
00:02 < wiresharked> xamithan: Linksys is not a good brand
00:02 < jvwjgames> no dc as in data center
00:02 < jvwjgames> my bad i am sorry should have clarified
00:02 < wiresharked> jvwjgames: I know what you meant
00:03 < asig> https://www.youtube.com/watch?v=WHdRzt8sJ9s <-- this philologist doesn't have a Murcian accent, but she explains certain peculiarities of the pronunciation very well
00:04 < wiresharked> jvwjgames: I know what you meant
00:04 < asig> please share educational videos like these from your own regions
00:04 < wiresharked> asig: What is that video about?
00:04 < asig> oops, sorry! Wrong channel
00:04 < wiresharked> xamithan: And I saw the building where my school's domain controller is
00:05 < Gurkenglas> My Tabletop Simulator game disconnected, my browser won't load a site, my Discord client disconnected, my smartphone on my WLAN isn't getting internet, but IRC works. wat?
00:06 < Criggie> Gurkenglas: good protocols endure
00:06 < jkemppainen> asig: say what?
00:07 < Gurkenglas> Would someone Google Vodafone's Berlin service hotline for me? x.x
00:09 < asig> I have made a mistake. My post goes to "#spanish"
00:09 < asig> it's a video about the "murcianico" argot, a dialect of the south of Spain, Murcia
00:13 < jkemppainen> asig: fascinating
00:13 < jkemppainen> asig: I find the phenomenon of ceceo of Cádiz to be particularly interesting
00:24 < drac_boy> hi
00:47 < Gurkenglas> (everything's fine now. no idea what happened, I'd guess isp maintenance or something? triggered at midnight methinks)
00:49 < jason85> If a dns response looks like this:
00:49 < jason85> ;; AUTHORITY SECTION:
00:49 < jason85> ua.nl. 3600 IN NS ns1.openprovider.nl.
00:49 < jason85> how do I know the IP of this nameserver?
00:51 < xamithan> Depends what it says under the ANSWER SECTION:
00:51 < xamithan> er ADDITIONAL: rather
00:53 < xamithan> You could always dig the nameserver directly
00:55 < jason85> xamithan, the problem is some dns servers provide the IP of the nameserver in the additional section but others don't
00:56 < jason85> Would a dns resolver do another dns request for the nameserver in this case?
00:56 < tds> a recursive resolver will have followed up the chain from the root, so it'll have found the nameserver for the domain through that process
00:57 < jason85> tds, yes I'm making an iterative resolver and I need to know the IP addresses of the nameservers, but they are not always given
00:58 < xamithan> So query a different DNS for it
00:58 < xamithan> One of them will have the IPs
00:58 < tds> ^ if you get an NS record back with hostname and no IP (ie no glue record), you'll have to recursively resolve that
00:59 < jason85> Alright, thanks
01:00 < tds> out of interest, what is this for?
01:01 < jason85> just a homework assignment
01:01 < tds> trying to make your own recursive resolver to include in something sounds like the wrong way to go about doing it, if it's just for fun to learn then go ahead :)
01:19 < ephemer0l_> PAAAACCET WRAAAANGLERS!!!
01:19 < ephemer0l_> Hi'ya I need some advice on the topography of my network. Anyone around the way?
01:19 < ephemer0l_> I know, I know, don't ask to ask...
01:19 < Criggie> ephemer0l_: just, ask.
01:19 < Criggie> ephemer0l_: pre-prepared network diagrammes help too :)
01:20 < ephemer0l_> :-)
01:20 < ephemer0l_> ok, so, what's worse? Or rather, what's more important? Quality switch, or quality router?
01:21 < yitz> How do I find out what existing sessions exist, eg to see what NAT things are in use? ie if I set up a DNAT, it stores state for return packets. I want to examine that state
01:21 < drac_boy> depends what setup you have tbh ephemer
01:22 < tds> yitz: what platform is this on?
01:22 < yitz> Linux, iptables
01:23 < tds> if it's iptables, you can install the conntrack package, and use conntrack -L iirc
01:23 < ephemer0l_> drac_boy: this is not an enterprise network. Mostly traffic on the LAN. I do have a 24 port Enterprise switch, but I'm currently running a consumer grade 10/100/1000.
01:23 < yitz> Oh. Nice. Thanks, tds
01:23 < tds> (and -f ipv6 if you want v6, confused me at first when I ran conntrack -L and it didn't show any states :)
01:27 < ephemer0l_> two devices 10/100 and one 10/100/1000 'server' on a switch that connects to a cheap 10/100/1000 router via cat 5e connected to a NAS via 10/100/1000. Server uses NFS4 to NAS, 10/100 devices talk to 'server' and dump to NAS. Before I dig out wireshark I wondered what people would prioritize for quality? Switch, or router?
01:27 < SmashingX> what does "metric" mean in a firewall?
01:28 < SmashingX> I have two entries and one says 5 and the other entry says 4
01:28 < ephemer0l_> packet window size I think SmashingX
01:28 < SmashingX> doesn't that have to do with priority?
01:28 < ephemer0l_> that's QOS
01:29 < SmashingX> I have two ports in my firewall one connected to ISP 1 and another for ISP 2
01:29 < SmashingX> so if for any reason ISP 1 fails my boss told me to change the metric numbers
01:29 < ephemer0l_> MTR = Maximum transmission unit
01:29 < SmashingX> MTR?
01:29 < SmashingX> I'm talking about metric
01:29 < ephemer0l_> what firewall
01:30 < SmashingX> palo alto firewall
01:31 < SmashingX> ISP 1 currently has its metric set to 4 and ISP 2 currently set to 5
01:31 < teprrr> route metric maybe?
01:31 < SmashingX> He told me to change the ISP 2 to 3
01:32 < SmashingX> so I'm thinking that has to do with priority
01:32 < SmashingX> so in the end if ISP 1 fails ISP 2 will have a lower metric
01:32 < SmashingX> anyone?
01:32 < teprrr> https://serverfault.com/questions/648276/routing-selection-specificity-vs-metric
01:33 < teprrr> it's not about a firewall most likely, but about routing
01:33 < teprrr> you can think of it as a priority
01:33 < orlock> What brand firewall?
01:33 < teprrr> 01:30:04 SmashingX | palo alto firewall
01:33 < ephemer0l_> ^
01:36 < SmashingX> So I was right, it's about priority
01:36 * drac_boy used to look at dedicated firewalls out of curiosity some time ago then realize that they never ever work with dual connections unless you put it downstream which didn't make a lot of configuration sense :-s
01:36 * ephemer0l_ says Gentoo
01:36 < orlock> drac_boy: ASA's support BGP now
01:37 < orlock> but exactly what you mean by "dual connections" is a whole other thing
01:37 < ephemer0l_> orlock: failover
01:37 < ephemer0l_> SO, quality dumb switch, or quality router for LAN traffic throughput?
01:37 < orlock> Failover for a real internet connection, or failover for a wannabe internet connection?
01:38 < ephemer0l_> packet must go
01:38 < ephemer0l_> I'd imagine.
01:38 < orlock> and by that i mean, BGP and AS, or are you just borrowing your ISP's IPs?
01:38 < ephemer0l_> Secure Facility/ important content
01:43 < tds> orlock: why not the fun of bgp over vpns over a wannabe internet connection? ;)
01:43 < drac_boy> orlock .. failover to a different type of connection unrelated to the first one ;)
01:46 < orlock> drac_boy: .. The hard part always comes down to hosted services.
01:46 < orlock> is the service itself capable of redundancy on some level, etc
01:47 < orlock> For example, MX and DNS versus http
01:48 < orlock> If you actually have your _own ip range_ that you can route anywhere, you make things so much easier and get much greater flexibility
01:48 < orlock> otherwise you are just borrowing somebody else's IPs
01:49 < tds> if you're borrowing IPs that also makes life rather more difficult if you want to keep existing connections open
01:56 < Demos[m]> If I'm using IPSec transport mode to authenticate (and maybe secure) traffic coming through my firewall is there any need to have my firewall look at the IPSec header? Or does the fact that whoever sent the packet was able to get an SA mean that my firewall can know it's not a bogus packet
01:56 < Demos[m]> The firewall isn't an endpoint here
02:03 < electricmilk> Dumb question...will SNMP work if the monitoring software is in a different subnet? It has a route set that is working.
02:03 < lupine> sure
02:03 < electricmilk> hmm. Wonder why it's not working for my EdgeRouter X
02:19 < ephemer0l_> thanks for nothing. a microprocessor in a switch would make more of a difference than a better router.
02:20 < ephemer0l_> PAAACKET WRRRANGLERS!
03:37 < iateadonut> websites that are only accessible in the US, like hulu; if you connect from a foreign country over a socks proxy (using ssh), it can still tell that you are not in the USA.
03:38 < iateadonut> however, if you run a browser over X over ssh, then it picks you up as within the USA
03:38 < iateadonut> my question is, when you are running over a socks proxy, how does the website know that you are not in the USA?
03:39 < Criggie> cos no one uses socks unless they're being nefarious ?
03:42 < iateadonut> (well, i won't get into the pedantics of defining "nefarious") - no, because if you tunnel over socks through that X over ssh server, it still shows you as able to connect.
04:53 < Apachez> https://imgur.com/gallery/eW25vun
05:12 < Apachez> any of you who knows what command created the picture shown in "basic topology example"? https://docs.cumulusnetworks.com/display/DOCS/Prescriptive+Topology+Manager+-+PTM
05:16 < b5509cd> hey I'm at a school in an undeveloped country, the internet sucks but people's mobile internet is kind of okay. I am thinking if there was a way to join everybody's hotspots together into a megahotspot...
05:16 < b5509cd> is this remotely possible or no?
05:18 < orlock> What's the goal?
05:18 < orlock> Boiling water to sanitise it?
05:18 < b5509cd> what? do you know what a hotspot is?
05:19 < b5509cd> I mean a mobile access point, you know
05:19 < b5509cd> when you make your mobile phone into a wifi access point and router?
05:19 < b5509cd> mobile == handy == cell phone
05:20 < orlock> yeah, maybe you wanted to focus all of the radiation in one spot to heat something?
05:20 < orlock> anyway, yes, it's possible, but maybe not with the infrastructure in place
05:20 < orlock> and then you would just end up with one selfish prick hogging all the bandwidth
05:22 < orlock> one of the common terms for what you want is "connection bonding"
05:38 < b5509cd> cool https://github.com/Morhaus/dispatch-proxy
06:06 < THE_GFR|HOME> hey everyone
06:07 < THE_GFR|HOME> just got my new pcengines apu2c4 box for pfsense it's awesome
06:07 < THE_GFR|HOME> http://www.pcengines.ch/apu2c4.htm
06:33 < Criggie> THE_GFR|HOME: heck yes - they're damn nice
06:34 < Criggie> Long term I'm going to have one running in a carp pair where the other host is a VM
07:05 < Catatronic> neat. i hadn't seen pc engines before.
07:08 < Logg> $132 seems a lot cheaper than the $350 something netgate wants for the sg-3100
07:09 < Logg> might have to get one.
07:10 < vectr0n> im on the fence w/ the sg-3100 and the apu2c4
07:14 < Catatronic> vectr0n, why?
07:15 < vectr0n> the built in switch on the sg-3100 for home use is handy, but usd -> cad makes it ridiculous
07:16 < Logg> a tplink gigabit switch is like, $10. I picked one up at goodwill for $2 the other day. I don't feel like it should be a consideration
07:17 < Logg> the apu2c4 THE_GFR|HOME linked has "similar to better" components from what I can tell, and costs over $200 less. But you don't get the "prebuilt warrantied package" and optional netgate techsupport (with subscription).
07:17 < Catatronic> i like openvpn but don't wanna risk performance, and i don't want to spend $1300, so i don't buy any specialized hardware and just use old laptops
07:17 < Catatronic> oh well
07:17 < vectr0n> i would never let anything tplink in my house, all piles of crap lol
07:18 < Logg> just saying lol. you can get even a 10 port cisco gigabit switch for $100 off ebay, and still be saving money
07:18 < vectr0n> ya ive thought of many things, just not sure yet, the apu2c4 comes w/ more ram as well
07:19 < vectr0n> just have to sit down and really weigh the pros and cons to each device
07:20 < Catatronic> APU2 boards achieve about 100 Mbit/s continuous throughput on OpenVPN on pfSense 2.4. Hardware should be able to achieve much more, but OpenVPN isn't multithreading and the throughput is limited to single core per connection.
07:20 < Catatronic> not bad
07:20 < orlock> Logg: Cisco SG gear doesn't count.
07:20 < orlock> That shit can die in a fucking fire
07:20 < Catatronic> that apu2 board looks even sexier now
07:21 < Logg> nah, real ios orlock. I got a couple C2960cgs for less than a hundred a few months ago
07:21 < Logg> (each)
07:21 < vectr0n> corpshadow sells a kit and they also show cad
07:22 < Criggie> orlock: dude - don't be restrained .... tell us how you really feel about Cisco SG gear
08:07 < CountryfiedLinux> howdy
08:08 < CountryfiedLinux> What's that port 2nd from the far right for? https://imgur.com/a/QqnERtH
08:08 < Logg> that's a compacted ethernet port. when you stick in the cable, it opens up
08:09 < yitz> 2nd port would be USB-C. I don't think a lock counts as a port.
08:10 < Logg> well... that one is actually labeled in the picture lol. A kensington lock hole is kind of like a port!
08:11 < CountryfiedLinux> Logg: Oh ok thanks
08:13 < Logg> CountryfiedLinux, it's done in the name of thinness, but you don't need like a special adapter. Any normal ethernet cable fits.
08:35 < OMART> https://youtu.be/OXdlnMcFzJA
09:33 < dexta> morning
09:45 < phirephly> Anyone have any strong opinions on fs.com fiberstore optics? I'm looking at buying a dozen "Cisco" LX SFPs
09:49 < cu_cucambur> How do I set up the nameserver?
09:50 < cu_cucambur> I connected my physical interface to a bridge and now domains can't be resolved
09:51 < cu_cucambur> I can ping the nameserver 127.0.0.1 in my case and it's added in /etc/resolv.conf but nothing is resolved
09:52 <@pppingme> 127.0.0.1 is YOUR pc
09:52 < cu_cucambur> pppingme, yeah I figured how dumb I am :D
09:53 < cu_cucambur> add 8.8.8.8 everything works
10:20 < cluelessperson> hey guys, does anyone know how to make the unifi settings permanent so that the equipment doesn't need a unifi controller on boot?
10:20 < cluelessperson> at the moment it seems like they boot, get provisioned, then come up
10:22 <+xand> cluelessperson: umm they don't need one on boot
10:22 < cluelessperson> xand: hum
10:22 <+xand> the controller pushes out the config and devices remember it
10:22 <+xand> they don't need constant connection to controller
10:23 < cluelessperson> xand: but to boot?
10:23 <+xand> should be OK without it
10:24 < cluelessperson> xand: in the past, I've had to manually save the running-config to ... startup-config in order for them to boot and remember stuff, (with cisco stuff)
10:24 < cluelessperson> xand: ah, thanks, I'm just a little confused, because these flash grey before they're readopted.
10:24 < cluelessperson> hrm
10:24 <+xand> it'll try to connect when it boots but should work if it can't
10:35 < cluelessperson> so, I'm not sure what the issue is
10:36 < cluelessperson> but my internal subnet doesn't give me an IPv6 address
10:38 < nuclearnadal> hello, I am connected to this wifi network, how do i see the security and encryption type? any tool to check for it please
10:39 < cluelessperson> nuclearnadal: windows?
10:39 < Gollee> depends on the OS, but google is your friend
10:39 < nuclearnadal> yes , windows 10
10:40 < cluelessperson> nuclearnadal: google this, "windows 10 view network details"
10:40 < cluelessperson> :)
10:40 < cluelessperson> nuclearnadal: if you're talking about wifi, "windows 10 view wifi network"
10:42 < nuclearnadal> ok
10:42 < nuclearnadal> thanks
10:43 < cluelessperson> :P
10:44 < cluelessperson> oh wait, I'm wrong, it's working
10:44 < cluelessperson> brb
11:08 < foo_> hi
12:02 < muAdmDev> I got a system hooked up directly to our internet router. This system can't ping a specific other system on the internet. traceroute stops at the last hop. the IT guy on the other side says it's not their fault.
12:02 < muAdmDev> using other systems in our LAN or a webservice, I can ping this other system on the internet. any hints?
12:06 < djph> firewall rules on their end vs. source IP on yours
12:20 < muAdmDev> djph: asked about firewall rules on the other end, will ask again. What do you mean by source IP? Yes, it's another one, doesn't that also go in the direction of this IP being blocked?
12:21 < Example12> hello everyone
12:29 < djph> muAdmDev: depends on what your setup is. If everything's getting NATed to one external IP address, then different servers shouldn't matter. If you're doing something else (e.g. 1-1 for that one server, or no NAT at all...)
12:32 <+xand> 18*0 = 20*0 => 18 = 20 => 18>19
12:32 <+xand> oops
12:48 < batch> hey, when talking about an uplink, is it more like the wan port of a router or more like a switch port?
12:48 <+xand> probably switch port uplink
12:49 < djph> batch: "it depends"
12:49 < batch> ?
12:49 < batch> i'm trying to make a bridge with systemd-networkd
12:50 < djph> it depends on what the device is being "uplinked" to
12:50 < batch> but when taking wanport for uplink it will not work
12:50 < batch> oh hmm
12:50 < batch> now what do you call uplinked
12:50 < batch> plz define a little more
12:50 <+xand> whatttt
12:51 < djph> it's just the connection to the next "upstream" device. Whether that "uplink" port is switched or routed depends on what you need ...
12:51 < batch> oh like that
12:52 < batch> still not making sense haha
12:52 < batch> so i have a cable running from my router to a pi zero, i wanna bridge it from 192.168.1.10 to 10.0.0.0/16
12:52 < djph> that's not a bridge, that'd be a router.
12:53 < batch> hmm
12:53 < batch> well yeah
12:53 < batch> i'd be doing internal ipv4 forwarding and opening all outgoing traffic
12:53 < batch> hmm
12:54 < batch> i thought this was a bridged gateway
12:54 < batch> ?
12:54 < detha> I suspect systemd has redefined the term 'uplink' to something very specific, just like they redefined 'reliable' to mean 'runs on my laptop for at least ten minutes'
12:54 <+xand> ha
12:54 < djph> a "bridge" is either (1) a hardware device, like an AP (or other media-converter) OR (2) a way to connect multiple ethernet interfaces together in order to make them act like a switch.
12:55 < liveuser> if dark sarcasm were loaded as hotkeys on your keyboard
12:55 < dogbert2> hey djph
12:55 < djph> batch: so far what you've described is a router.
12:55 < djph> yo dogbert2
12:55 < liveuser> how many F8 presses until human rights are stripped
12:55 < liveuser> 2 mebbe 3
12:55 < batch> goddamn teacher
12:55 < djph> batch: hmm?
12:56 < liveuser> those teachers
12:56 < liveuser> police teach from the barrel of a gun
12:56 < liveuser> F8
12:56 < batch> djph well i've been doing that in windows and attached vyos to that bridge as router
12:56 < liveuser> F8
12:56 < liveuser> F8
12:56 < liveuser> POW!
12:56 < batch> but now i wanna do it in linux with systemd-networkd
12:56 < batch> i was able to switch networks some time ago but after some reboots it borked again
12:57 < batch> tried too much configuring i guess
12:57 < pekster> A bridge connects OSI Layer 2 (Ethernet) devices. A router connects OSI Layer 3 (IP, or more commonly described in this case as "networks")
12:57 < dogbert2> you need to add the routes in linux so they load at boot time...
12:58 < dogbert2> that way they hold across reboots...though you shouldn't be rebooting a linux or unix box all that often
12:58 < pekster> If you have 2 discrete networks that need to talk, you want to route them; to bridge separate networks is like having 2 different network layouts all plugged into a traditional dumb-switch
12:58 < batch> ooh hmmm right right
12:58 < batch> ok that's making sense
12:59 < liveuser> batch: have you ever seen a dog dig and bark somewhere where there is nothing?
13:00 < pekster> You can of course route using a bridge interface, but be sure not to confuse the terms. My home router has a bridge made up of the wifi device and a network port on the device (connects the 2 Ethernet segments for wifi & wired) while it also routes across that interface to connect to my WAN Internet uplink and other internal networks. But I'm still routing those separate networks
13:00 < liveuser> now what if you have swarms of humanoids with the same behaviour
13:01 < liveuser> do you know how they say a fly vomits each time it lands?
13:02 < liveuser> we have the nerve to talk about washing clothes
13:02 < djph> batch: you *can* route over a bridged interface, but if you were doing that, you would have something like br0 = eth1/wlan0 and then you'd route between br0 and eth0
13:02 < liveuser> they are pouring motor oil in the laundry machines
13:02 < batch> i see
13:02 < liveuser> batch: goto eof
13:04 < djph> liveuser: well, even laundry machines need lubricant
13:07 < liveuser> djph what is the command to see when a user left?
13:08 < djph> dunno, never cared
13:08 < batch> djph pekster this is what i'm trying to do in iptables, maybe you can tell if i'm doing it right or wrong from here: http://ix.io/18by
13:09 < grawity> you flush the filter chains but not the nat chains
13:10 < pekster> You should be restoring your rules with iptables-restore(8), not a series of `iptables` commands. That's atomic and works with entire tables, not individual commands. That avoids any issue of forgetting to flush or race-conditions as your rules are building
13:10 < batch> hmmz
13:10 < liveuser> djph: do you care if you see a man walking around with what looks like a barnacle drilled into his head
13:11 < liveuser> and anybody talked to about it changes the subject
13:11 < djph> liveuser: not really, no. else the brain slug will probably want to use me as a host.
13:11 < liveuser> while the russian mafia presses F8
13:11 < pekster> You also should use `-j MASQUERADE` on the Internet-facing uplink interface unless it's static, in which case SNAT is fine (and slightly more efficient, which won't matter at the scale you're using anyway)
13:11 < djph> although, that's not really on-topic for "networking"
13:11 < liveuser> it is
13:12 < liveuser> barnacle is a network tool
13:13 < dogbert2> not much ph33r: 04:12:37 up 4 days, 10:17, 1 user, load average: 0.00, 0.04, 0.00
13:13 < liveuser> it looked like possibly a wifi barnacle drilled into the skull
13:14 < liveuser> we only change the subject and yell "he be mentally ill"
13:14 < liveuser> then call the police because of the color of clothes
13:15 < liveuser> and smear bacteria all over everything while he be in jail for wrong clothing
13:16 < liveuser> joel are you running linux?
13:16 < liveuser> I can go over the entire history starting with the nexus insurance plan
13:18 < liveuser> Rashad!
13:18 < Rashad> Hello.
13:18 < liveuser> it's all "good" Rashad ?
13:18 < Rashad> Do I know you?
13:18 < djph> doubt it ...
13:20 < liveuser> joel looks like years of bugs
13:20 < liveuser> since the sata started the fiber link
13:20 < liveuser> and every computer became a remote spy tool
13:28 < liveuser> pkg remove bolo-ng
13:30 < liveuser> are you surrounded by fake wifi
13:30 < liveuser> vlans everywhere
13:31 < liveuser> 2 or three days after buying a cable line they connect it to a wireshark
13:33 < liveuser> years of fake google
13:33 < liveuser> have you been able to find a server accepting the konami code?
13:34 < liveuser> is it all "good" there also?
13:37 < mawk> hi
13:37 < mawk> does a pointopoint interface need to have a LL IPv6 address?
13:38 < djph> no
13:38 < djph> I mean, you can do point to point with ipv4 as well ... or well, probably any other protocol if you don't feel like IP.
13:40 < mawk> good
13:40 <+xand> do you want to use ipv6 over it?
13:40 < grawity> mawk: it *should* if you intend to run things like OSPF over it
13:40 < grawity> and in general, no reason to go out of your way to remove it
13:41 < mawk> ipv6 over the pointopoint yes
13:41 < mawk> the pointopoint stuff is over ipv4 already
13:41 < mawk> actually there's no address when I create the interface grawity
13:41 < mawk> that's why I wondered if I needed to add one
13:42 < mawk> but it seems incompatible with the principle of point to point
13:43 < mawk> ipv6 over it already works, but I've only added a global address
13:43 < mawk> so I thought some applications may malfunction without a LL address
13:44 < grawity> it's not incompatible at all
13:44 < grawity> a point-to-point link is still a link
13:44 < mawk> with no broadcast or multicast function
13:44 < mawk> in my case at least
13:44 <@catphish> i'd imagine it would get a LL address, i see no reason to fight whatever the default is though
13:44 < grawity> uh, so?
13:45 < grawity> nothing about link-local addresses requires multicast or broadcast
13:45 < mawk> no, but it's what you need for multicast
13:45 <@catphish> it usually makes sense for every interface with l3 capability to have one
13:45 < grawity> but it doesn't imply the opposite
13:45 < mawk> and apart from that use I don't see how it could be used
13:45 < mawk> yeah
13:45 < mawk> there's no default catphish
13:45 < mawk> well, the default is empty
13:45 < grawity> older Linux kernels didn't create link-local addresses for gre6 and ipip6 tunnels, but that was due to a bug and fixed in 4.11 or so
13:46 < grawity> link-local addresses have nothing to do with multicast *at all*
13:46 < grawity> they can be used with multicast, in the same way that global addresses can be
13:46 <@catphish> mawk: then i wouldn't bother assigning one, i can't think it would be needed, since next hop will just be the interface itself
13:46 < grawity> but there's nothing that strongly ties these two functions together
13:47 <@catphish> but if one is assigned, i'd similarly leave it alone
13:58 < batch> pekster djph this is what i'm trying to create, i lost this page for some time https://www.glennklockwood.com/sysadmin-howtos/rpi-wifi-island.html
13:58 < batch> but yes like you see it does not use systemd-networkd
13:59 < batch> which is why i asked what the meaning of uplink is, 'uplink' found in another tutorial
14:00 < liveuser> it is supposed to connect to a star
14:00 < liveuser> uplink
14:01 < batch> lol!
14:01 < djph> "uplink" is just the connection to the "upstream" device
14:01 < djph> is all
14:01 < liveuser> though some of them don't look to be pointing up
14:01 < grawity> 'uplink': connection to a provider (from a consumer)
14:02 < liveuser> uplink is a satcom term
14:02 < liveuser> though they don't have concept of security
14:03 < djph> on a laptop, my "uplink" is the WLAN card. On the wireless AP, the "uplink" is the ethernet port. On a switch, the "uplink" is whatever port is connected to the switch closer to the router (or the router itself). On a router, the "uplink" is whatever port is connected to the modem (or another network's switch, or another router ...) ...
14:03 < liveuser> offensive security kalilinux uses luks and plops the key right on the same disk encrypted
14:03 < liveuser> think NASA launched the satellites the same way?
14:04 < batch> sweet! thank you both!
14:08 * drathir not into kali...
14:14 < dogbert2> need to get an 8 port unmanaged switch (need more ports than my poor router has)
14:15 < djph> dogbert2: err ... US-8?
14:15 < drathir> dogbert2: tplink...
14:16 <+xand> netgear gs108
14:16 < dogbert2> heh...my current router is a D-Link...so I'll get a D-Link...saw it at Frys for $32.50 (inc. tax)...8 port MDIX 10/100/1000
14:16 < drathir> xand: netgear burn in hellfire ™
14:16 < dogbert2> LAWL
14:16 < drathir> xand: not as low grade ^^
14:17 < drathir> dogbert2: or mikrotik soon™ something...
14:18 < liveuser> freenode was active before the let's encrypt keys were installed
14:18 < dogbert2> well, I could also get an ERL and a switch
14:20 < djph> skip the ERL, get an ER-4 ... newer / faster.
14:20 < liveuser> why is an oftc server named graviton
14:21 < drathir> dogbert2: but i guess mostly the tplink will fit just fine... https://www.tp-link.com/za/products/details/cat-42_TL-SG108.html or https://www.tp-link.com/za/products/details/cat-42_TL-SG1008P.html
14:21 < liveuser> freenode is referenced for support in much open source software
14:21 < dogbert2> :-)
14:21 < liveuser> so I connect here for it is more likely to have another liveuser
14:22 < drathir> or there is also https://www.tp-link.com/za/products/details/cat-42_TL-SG1008D.html as far as I remember...
14:22 < liveuser> seems like freenode is more likely to be the graviton
14:23 < drathir> liveuser: fn is just stream of knowledge ;p
14:24 < batch> i have gs305, gs308 is also available, which is more recent than gs105 or gs108
14:33 < dogbert2> ER-4 looks interesting :)
14:35 < kenlumbo> We do listen to MEDs from other customers and peers and pass those along, we do not remove them.
14:35 < kenlumbo> anyone ever experience this?
14:36 < kenlumbo> I've never had this from a peer before, and we certainly do not do the same
14:36 < kenlumbo> I thought MED values are not supposed to be passed along
14:37 < kenlumbo> I'm not even 100% sure how to do it without redistributing the routes, but that seems like a lot of work for every network you learn....
14:42 < ShalokShalom> hi there
14:42 < ShalokShalom> http://docs.humhub.org/admin-installation.html#file-permissions
14:43 < ShalokShalom> it's about the section file permissions
14:43 < mervin> kenlumbo, one way is with bgp communities
14:43 < ShalokShalom> how to change them on a linux server?
14:43 < djph> ShalokShalom: what?
14:43 < ShalokShalom> http://docs.humhub.org/admin-installation.html#file-permissions
14:43 < ShalokShalom> it's about the section file permissions
14:43 < ShalokShalom> they say "Make the following directories/files writable by the webserver"
14:44 < ShalokShalom> How?
14:44 < ShalokShalom> Apache
14:45 < kenlumbo> mervin: you can pass along MED values with communities?
14:50 < mervin> kenlumbo, you mark prefix A with community X if you want med50, Y for med100, Z for med150. they read community list for prefix A on input and set metric accordingly. I will test some med scenario myself now... explanations in here: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/112965-bgpmed-attr-00.html are... sick
14:50 < mervin> wanna see myself the behavior
14:51 < kenlumbo> well the closest I see is Scenario 2
14:52 < kenlumbo> just to be clear, this isn't routes they own and are advertising with a MED value, this is other peers advertising MED values to them, and they are passing this along to me
14:54 < kenlumbo> mervin: so have you experienced this?
15:06 < lite4y> what is the use of a mac address
15:07 < djph> lite4y: ethernet (L2) addressing.
15:07 < kenlumbo> https://en.wikipedia.org/wiki/MAC_address
15:20 < TonySoprano> hi
15:20 < mervin> hi
15:22 < TonySoprano> i got some user that is sending some requests massively to make my Mysql server crash
15:22 < TonySoprano> i've banned the IP but want to avoid it with other attackers
15:22 < TonySoprano> https://bpaste.net/show/db1cbf33d949
15:22 < TonySoprano> https://bpaste.net/show/f1aed7f4ba6b
15:23 < Donjuanal> is your mysql up to date?
15:24 < TonySoprano> Donjuanal, good question
15:25 < TonySoprano> i guess not
15:25 < detha> TonySoprano: can unauthenticated clients send requests that make your app do massive database queries?
15:26 < TonySoprano> detha, as you can see i'm using a wordpress site, i don't know if it's normal or not
15:26 < TonySoprano> he's spamming xmlrpc.php with POST method
15:27 < TonySoprano> mysql Ver 14.14 Distrib 5.5.55, for debian-linux-gnu (x86_64) using readline 6.3
15:28 < detha> 5.5.59 is current; but that probably isn't the problem. Wordpress up-to-date?
15:29 < TonySoprano> wp is up to date yeah
15:31 < TonySoprano> wp 4.9.5
15:31 < detha> Nothing much you can do then, except throw some more memory at it, and maybe a fail2ban tuned to look for that particular request
15:31 < TonySoprano> detha, in the error log it seems a matter of memory yeah?
15:33 < detha> Looked like it was hitting memory yes. You could try tuning down mysql's memory use, but do that wrong and your entire site slows down to a crawl
15:34 < tds> it might be worth flat out disabling xmlrpc if you don't use it, as well
15:34 < TonySoprano> detha, on the contrary maybe the default mysql settings are limiting the usable memory?
15:35 < TonySoprano> tds, actually i don't know what it's used for?
15:36 < TonySoprano> ok i've updated mysql to mysql Ver 14.14 Distrib 5.5.59, for debian-linux-gnu (x86_64) using readline 6.3
15:37 < detha> TonySoprano: hitting a server with lots of requests where each request chews a lot of memory in joins, kills your entire server. Give mysql a bit less workspace, and it will optimize for slightly slower but less memory-intensive
15:37 < tds> I seem to remember the wordpress mobile app uses it, I'm sure there are other things as well
15:37 < TonySoprano> detha, ok
15:38 < TonySoprano> 2 questions
15:38 < TonySoprano> if mysql service is going down, why isn't it restarting itself?
15:39 < detha> If you crash a process on OOM, what would restart it?
15:40 < TonySoprano> the service was left in this state: https://bpaste.net/show/9de52fe64fe3
15:42 < detha> eew systemd. There are ways you can make that auto-restart a service I believe.
15:42 < TonySoprano> it's marked "active" but "exited", it's confusing
16:03 < drac_boy> hi
16:15 < drac_boy> just curious about it but anyone have or seen a networked paper scanner? (and I specifically mean simply a scanner)
16:16 < djph> drac_boy: only attached to printers
16:23 < LissajousPattern> cool
16:26 < ju_2018> Does anybody here know anything about setting up any extra networking card that has two 10Gbit throughput ??? Thanks
16:26 < djph> ju_2018: plug it in?
16:26 < Phil-Work> ju_2018, you're going to have to be more specific than that
16:27 < ju_2018> ok, thanks... It is in. Dell Server R730xd
16:27 < drac_boy> djph thanks, have to wonder who's paying the 4-digit pricetags on these but anyway never mind that :)
16:27 < ju_2018> networking works but so far only on eth0
16:27 < Phil-Work> ju_2018, which OS?
16:28 < djph> drac_boy: I got a brother MFP for like $500
16:28 < ju_2018> the two 10Gbit need to be failover as they go to different switches.. Debian
16:28 < Phil-Work> ju_2018, LACP?
16:28 < ju_2018> linux as I might change as Dell supports this better i think
16:29 < Phil-Work> if you want active/passive failover of LACP you need the ifenslave package on Debian
16:29 < tyzoid> I'm trying to set up a proxmox cluster between two nodes, and I keep getting stuck at the point where they're trying to communicate.
16:29 < tyzoid> Their wiki says it uses multicast
16:29 < tyzoid> so I'm trying to debug why that's not working
16:30 < ju_2018> These servers are in different rooms and are to be set up for elasticsearch
16:30 < Gollee> are the two clusters in the same subnet tyzoid ?
16:30 < Gollee> the nodes*
16:30 < tyzoid> Testing with iperf (using https://taosecurity.blogspot.com/2006/09/generating-multicast-traffic.html ), yields "connect failed: Permission denied", even when run as root
16:30 < tyzoid> Gollee: Yup, both are in 23.92.211.56/29. Server 1 has 23.92.211.58, server 2 has 23.92.211.59
16:31 < Gollee> ok great
16:31 < tyzoid> talking to the same router/switch
16:31 < tyzoid> the /29 is onlink
16:31 < Gollee> I was asking because routers don't forward multicast
16:31 < Gollee> but since it's being switched you don't have that problem
16:31 < tyzoid> it's possible, but I'm trying to figure out the permission denied issue
16:32 < drac_boy> hm anyway djph other thing if you don't mind .. are all intel-powered quad ethernet cards good or are there still some intel chipsets to avoid whenever possible? I'm thinking of older models for $ reason in this case
16:33 < tyzoid> iirc, it's a router with multiple switched ports. Not my hardware, though. It's the DC's hardware that I've got two dedis plugged into.
16:33 < ju_2018> : I will look into LACP. In that this is for elasticsearch and I think these will be running in docker containers how do I get them to run through the 10Gbit ports ? thanks
16:37 < mAniAk-_1> ju_2018: same as you would with 1G ports?
16:40 < ju_2018> : ok. I think I need to do more testing than wonder aloud. Thanks
16:41 < mAniAk-_1> ju_2018: yes, elasticsearch should have some documentation for how you set it up with docker
16:42 < mAniAk-_1> ju_2018: usually the container is behind NAT and you just forward some ports to it
16:49 < ju_2018> : Ahh... ok.. Docker to normal eth port
16:49 < ju_2018> and this is natted ?
16:49 < mAniAk-_1> ?
16:52 < ju_2018> You said "container is behind NAT" and forward some ....
16:53 < mAniAk-_1> yes
16:53 < mawk> ju_2018: no need for the < > when you address someone
16:53 < mawk> just like I do
16:55 < ju_2018> ok thanks
17:15 < THE_GFR|WORK> hey everyone
17:18 < Kemopan> Herrow, help me plz, I have an issue with common linux bridges, I assigned ip addresses to br10 for pc-A and pc-B, made vxlan10 between them and added it as part of bridges, I can ping one bridge from another
17:19 < Kemopan> but when I add physical interface into bridge and want to ping other side, I see ARP-requests and ARP-replies on bridge interface, but I see no ARP-replies inside of vxlan tunnel
17:20 < Kemopan> seems like bridge dropped it for some reason
17:30 < ||cw> Kemopan: what guide are you following? you wouldn't normally add an IP to the br interface I think
17:32 < Kemopan> ||cw, no guides, it's okay to assign IP to Bridge interface and I'm doing it as part of troubleshooting, it's weird to assign IP to interface under bridge I think
17:33 < Kemopan> ||cw, for example IP assigned to bridge is common practice in OpenWRT firmware :P
17:35 < ||cw> so you made name spaces, then veth# devices, adding veth# to ns, gave them IP, made br#, added veth# to br#, made vxlan#, added vxlan# to br# ... ?
17:36 < ||cw> the bridge is between the veth and vxlan, not the host device. that's why it's weird to put an IP on it
17:37 < ||cw> the vxlan gets done via the host device, which could be another br that has multiple nics, but you still need the vx-veth br too
17:39 < ||cw> that's assuming you're doing vxlan for tenant isolation across hosts without having to make a bunch of real vlans
17:41 < tds> I think that vxlan interfaces use multicast for broadcast traffic (ie arp) - from some googling it looks like you can tell it to specifically forward traffic to the 00:... mac address over the vxlan interface, that might be useful?
17:41 < tds> https://vincent.bernat.im/en/blog/2017-vxlan-linux#unicast-with-static-flooding
17:55 < Kemopan> ||cw, lanA-eth1(PC-A)eth0-ethernet-eth0(PC-B)eth1-LanB , then I create vxlan10 between PC-A(eth0) to PC-B(eth0), then I create bridge on PC-A with members (eth1, vxlan10), same for PC-B, then I assign IP to bridge interfaces
17:57 < Kemopan> I did same configuration before and it works fine :) L2 traffic can go from LanA to LanB
17:58 < Kemopan> but now something is wrong :P
17:59 < qman> IPs should be assigned at the most abstracted layer
17:59 < qman> if you assign IPs below that it bypasses those layers of abstraction
18:00 < Kemopan> which is bridge o_O
18:01 < Kemopan> actually I have also OSPF there and build vxlan from one router-ID to another :P
18:02 < ||cw> Kemopan: ip should be on eth1 in that model
18:02 < Kemopan> I can live without IP address on bridge
18:05 < tda> does anyone know how to connect to an ftp server with non standard port on windows? ftp://user@example.com:990 times out, but windows doesn't say it doesn't understand the url. i can make the connection in filezilla
18:07 < AlexPortable> Is there any downside of combining two ports on a switch to one device?
18:07 < acresearch> people, i am trying to use CISCO anyconnect in linux, but it seems not possible, so i am trying to connect my computer to my iphone and from my iphone use the anyconnect application, but even though i have the VPN connected, and the computer connected to the iphone, the computer is not using the VPN. can anyone assist me on how to make the computer use the iphone vpn?
18:09 < UncleDrax> I've used Cisco AnyConnect on linux. that said, on my current (debian/ubuntu/xubuntu based install) laptop.. that said I remember I had to install some extra package, and unf I can't recall exactly what it was (unf I don't have that laptop avail to look this minute)
18:11 < acresearch> UncleDrax: openconnect was much better, but it is no longer possible to use it (i am not sure why), so i am stuck with this stupid VPN client. and since i cannot use it my work has stopped for 3 weeks now. so UncleDrax if you can find out it would be much appreciated, i am on antergos/arch linux
18:11 < tda> acresearch: can you access anything on the vpn by ip? i have a feeling the iphone does not set dns for its tethered clients in the way you expect
18:11 < acresearch> tda: how do i do that?
18:11 < tda> try to access something on the vpn by its ip and check your dns settings
18:11 < AlexPortable> btw the other day I asked because I had some switch/ap problem, can it be related to the router being 1 gbps, and the switch 100 ?
18:11 < acresearch> tda: ah you mean like ping?
18:12 < acresearch> tda: it does not work
18:12 < tda> what exactly does it say
18:12 < acresearch> tda: so if i try to ssh into the university supercomputer from my laptop tethered to the iphone which opened the VPN the ip does not work
18:13 < acresearch> tda: Connection timed out
18:14 < tda> https://apple.stackexchange.com/questions/266871/is-there-a-way-to-force-tethered-data-to-go-through-an-ios-vpn-instead-of-passi?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa
18:14 < tda> maybe not able to do that. are you able to connect to vpn from the laptop?
18:14 < UncleDrax> yeap I think i just had some version of OpenConnect or something.. not sure. if you haven't already, i'd inquire with the Uni IT group and Arch-specific venues.
18:15 < LissajousPattern> what is the cheapest way to get really fast internet anywhere while traveling?
18:15 < acresearch> tda: no, i cannot install anyconnect thus i cannot connect to the VPN
18:15 < UncleDrax> LissajousPattern: only go to places that have open WiFi?
18:15 < LissajousPattern> well without using public wifi
18:15 < LissajousPattern> should have stated that
18:16 < acresearch> tda: hmmm so the iphone vpn tether is not possible ha?
18:16 < tda> http://www.infradead.org/openconnect/
18:16 < acresearch> tda: i used to be able to use openconnect, but the university blocked it
18:17 < acresearch> tda: i get prompted for an anyconnect certificate
18:17 < tda> that's what it sounds like. im finding other people having the same problem with different vpn clients
18:18 < tda> maybe could work on android if you can root it and get control of the routing and firewall
18:19 < acresearch> tda: sorry got disconnected while removing the iphone
18:20 < acresearch> so tda: so openconnect is having problems with other clients not just anyconnect?
18:20 < tda> acresearch: no, i mean other people are not able to get tethered devices to use the iphone vpn connection, regardless of the vpn they are using
18:20 < acresearch> tda: ah i see
18:22 < acresearch> tda: so there is no way around it? i cannot use the cisco vpn on linux anymore?
18:23 < tda> get the laptop to connect to vpn directly
18:23 < thejohnnyapol> ^ yeah the iphone VPN only applies to applications running locally IIRC
18:23 < acresearch> tda: how?
18:23 < tda> https://wiki.archlinux.org/index.php/OpenConnect
18:24 < acresearch> tda: i have openconnect, it cannot connect
18:24 < UncleDrax> have you talked to your Uni IT ?
18:24 < acresearch> UncleDrax: yes
18:24 < tda> not sure. not familiar with it. there should be a way to set it up manually
18:25 < tda> i know openvpn has a config file the client loads
18:25 < UncleDrax> acresearch: and their answer is 'install windows, use Cisco Anyconnect' i take it?
18:25 < acresearch> UncleDrax: they tell me i should be using windows, and i got into trouble for installing linux on one of their computers,,, fucking idiots
18:25 < UncleDrax> ok fair enough
18:25 < ||cw> AlexPortable: you're talking about LACP or some other bonding? there's a few things you have to be aware of doing it, but done right there's not really a downside
18:26 < tda> ugh if thats their answer try asking someone in cs department. one of them probably figured it out
18:26 < ||cw> AlexPortable: at worst, there's no advantage other than redundancy on the cable.
18:26 < tda> probably would work in virtualized windows if thats an option, but linux still wouldnt be able to use it without a lot more work
18:27 < ||cw> AlexPortable: and 1G vs 100M is a matter of what the ports support. most 1G ports will drop to 100M just fine if you leave it in auto.
18:27 < acresearch> tda: the supercomputer people just use ubuntu, on which apparently it is easy to install anyconnect
18:28 < acresearch> i might have to switch to ubuntu just so i can actually do my work
18:28 < ||cw> acresearch: well, if it's their computer, then yeah. install linux to a VM and NAT to the VPN interface
18:28 < tda> ask on arch channel if they have one
18:28 < Apachez> any of you who recalls what the name is of the adapter where you can make it into a lc without a splicer? that is you take the raw fiber and cut it and then form the ferrule around it?
18:31 < acresearch> tda: ok
18:37 < AlexPortable> what things do you have to be aware of ||cw ?
18:38 < ||cw> mostly how your switch handles it
18:55 < Spades> Hello
18:56 < Spades> I have VirtualBox on MacOS and installed 2 Guest OS : 1) Kali Linux 2) Metasploitable2
18:56 < Spades> I would like Kali to be connected to the internet via Host OS but also connected to the Metasploitable2 network at the same time
18:56 < Spades> How to achieve that?
18:58 < cthulchu> you set it as a proxy
18:58 < cthulchu> then set it as a proxy for metasploit
18:58 < cthulchu> now metasploit's traffic will go through kali
18:58 < cthulchu> no, probably not the thing you want
19:00 < Spades> Ok I created a second adapter on Kali. So both Kali and Meta are Host-Only on a single network. And Kali is also Bridged to Host on the second adapter
19:16 < lite4y> what does a DNS look up through dig mean?
19:17 < lite4y> if i do a dig www.google.com; does it give me the global vip of google?
19:19 < mdibella> I use this service: https://www.whatsmydns.net/ to check global DNS propagation
19:20 < skyroveRR> "vip"?
19:21 < VirusInsane> I use https://geopeeker.com/
19:21 < VirusInsane> See how a site appears to the rest of the world
19:23 < inire> virtual ip
19:23 < lite4y> skyroveRR: virtual ip
19:23 < inire> in most lingo
19:25 < Harlock> dns doesn't propagate
19:26 < tds> google uses anycast dns, so your dns request should go to the closest (ish) name server to the dns resolver you're using, and that will return an ip that'll get routed to a localish server
19:26 < detha> lite4y: and to the previous question, 'no'. Google doesn't have a 'global vip', they use both DNS and anycast
19:29 < ExoUNX> greetings
19:30 < lite4y> tds: what is anycast
19:30 < ExoUNX> I have some Unifi AC Pros, can I allow easy roaming by just making the AP SSID and authentication the same
19:30 < ExoUNX> or will I strictly need to enable meshing
19:32 < lite4y> detha: tds im really new to networking.. could someone tell me what exactly DNS lookup means.. for eg: correct me if im wrong.. when we do a `dig www.google.com` we are able to find the dns server that google uses?
19:34 < detha> lite4y: dig (without +trace) just asks your DNS server what www.google.com's address is. Your server then asks from . to .com to google.com until it gets an address
19:35 < lite4y> detha: with trace?
19:35 < detha> with +trace dig does everything itself, asks for .com, asks for google.com, asks for www.google.com
19:36 < ExoUNX> looks like I should enable fast roaming
19:36 < ExoUNX> which I have
19:37 < lite4y> detha: with trace it uses local dns server and without that it uses google dns server address?
19:40 < detha> lite4y: without trace it uses whatever your default server is, with trace it goes all the way down from root to google's NS
19:46 < tds> (it's worth keeping in mind that iirc +trace doesn't do it entirely recursively, it'll query the specified dns server for both the root and any ns records it finds)
19:59 < thothcastel_> cisco asa5525-x is it possible to set it up to connect to 3 different sites (VPN?) with a single fibre internet connection and a single public IP?
19:59 < thothcastel_> I have not seen that before and I don't think it is possible - unless port-forwarding in terms of selection of data, etc - but thought I would get second opinions if any available please???
20:10 < ||cw> thothcastel_: as in be a VPN client to 3 different servers?
20:10 < ||cw> or to be a VPN server?
20:11 < thothcastel_> actually site to site vpns
20:11 < ||cw> specs say 750 IPsec VPN peers, 2 SSL VPN peers
20:11 < thothcastel_> apparently there are some other uniquely identified options in a tunnel
20:12 < ||cw> seems like a beefy router tho
20:13 < thothcastel_> beefy??
20:13 < thothcastel_> meaning of beefy please
20:14 < xingu> thothcastel_: https://supportforums.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442
20:29 < ||cw> thothcastel_: having a lot of muscle, power.
20:31 < thothcastel_> right
20:31 < thothcastel_> ||cw: that is good then lol
20:31 < thothcastel_> to have asa5525
20:32 < hetii> Hi :)
21:14 < liveuser> do you use pastevin
21:16 < liveuser> cdown do you use pastevin
21:16 < liveuser> is hugh doing well?
21:17 < liveuser> _chrisP_: are you alive the plugin hasn't been updated
21:17 < liveuser> was it a dream?
21:18 < liveuser> is this the only evidence?
21:18 < liveuser> looking at the radio tower and thinking such
21:19 < liveuser> is it only I and snake eyes"?
21:20 < liveuser> how long can hatred echo
21:21 < liveuser> the gift and the curse
21:21 < liveuser> N.A.S.
21:23 < liveuser> Abhish: welcome
21:26 < liveuser> dogbert2 find anything?
21:28 < liveuser> My email password perhaps?
21:29 < liveuser> are you under attack?
21:30 < liveuser> one third of the stars swept from the sky
21:31 < liveuser> notice the stars have variance
21:31 < liveuser> so it seems
21:31 < liveuser> while the sand pours down the hourglass
21:32 < liveuser> is it the perfect denial
21:34 < liveuser> the first act of faith we look up and see lights
21:34 < liveuser> yep
21:34 < liveuser> and the last act of faith?
21:34 < liveuser> how long can hatred echo
21:34 < liveuser> until it converges on a singularity
21:35 < liveuser> it may not make sense to you
21:35 < liveuser> it may not make sense at all
21:35 < liveuser> things which do not make sense happen
21:39 < ejr> does anybody know how to get a wpa2-leap encrypted wifi connection running via the interfaces file?
21:43 < qman> when you say "the interfaces file" I assume you're talking about a debian-based linux distro, in which case you need wpa-supplicant or a frontend for it to handle the wpa for you
21:44 < ejr> wman: yes, and I also looked into wpa_supplicant already. Unfortunately there are many ambiguous explanations on how one might get leap to work with it
21:47 < qman> yeah, it's definitely what you need, but the specific combination of settings depends on the network's implementation, there are lots of ways to do it
21:47 < qman> so unless you know exactly, you'll have to play with it until you get it to connect
21:52 < acresearch> people anyone knows how to install anyconnect in antergos (based on arch)? i seem to have installed the program without errors and i see the program icon, yet it fails to start
21:53 < tda> start it from the terminal
21:54 < ejr> wman: alright, thanks.
21:56 < ejr> *qman
22:11 < acresearch> tda: how?
22:11 < acresearch> tda: i don't have a cisco or anyconnect command in the terminal, i get a command not found
22:12 < tda> you installed it from package?
22:12 < acresearch> tda: yes
22:13 < acresearch> tda: sudo sh anyconnect.sh
22:13 < acresearch> i also had to install pangox-compat for some reason
22:14 < tda> i would expect that would install in /usr/local or /opt
22:15 < acresearch> tda: sorry what do you mean? i should look for it there?
22:16 < tda> what do the instructions say? does it tell you how to run? or did the install script say?
22:18 < bezaban> query files in the package with pacman(?)
22:18 < bezaban> disclaimer, I
22:18 < bezaban> I
22:18 < bezaban> ugh. never used arch / whatever derivatives and on plane wifi, so hard :)
22:19 < acresearch> tda: actually there were no instructions, i had to read online what forums say
22:21 < bezaban> acresearch: pacman -Ql [pkgname] is what google finally suggested for that
22:21 < acresearch> bezaban: ok i got a list of paths, what am i looking for?
22:22 < bezaban> acresearch: not files? looking for anything in *bin/
22:22 < acresearch> bezaban: https://paste.debian.net/1021105/
22:24 < bezaban> acresearch: pango is a library for layout and rendering of text
22:24 < acresearch> bezaban: aha, then what package should i be searching? anyconnect does not exist in pacman
22:24 < bezaban> might be a dependency for what you are trying to do, but that isnt anyconnect
22:25 < bezaban> acresearch: if there isnt a package pacman cant help you
22:25 < Demos[m]> OpenConnect
22:25 < Demos[m]> definitely openconnect
22:25 < bezaban> yay!
22:25 < acresearch> Demos[m]: my university is blocking openconnect, i used to use it then they blocked it
22:25 < Demos[m]> what the actual hell
22:25 < Demos[m]> do they need the trojan thing?
22:26 < bezaban> your uni isnt blocking an application, its blocking a set of ports or a protocol
22:26 < acresearch> Demos[m]: it gives me Failed to obtain WebVPN cookie
22:26 < Demos[m]> wait are you trying to tunnel into your univ or out of your univ
22:26 < acresearch> bezaban: into uni
22:26 < acresearch> i am home right now, i need to tunnel in to use our supercomputer
22:26 < bezaban> how did you assume that was an issue due to blocking?
22:27 < acresearch> bezaban: i don't understand networking, i am a biologist, openconnect worked in the past then it no longer works and the people at the university told me not to use openconnect
22:28 < bezaban> acresearch: what did they tell you to use?
22:28 < acresearch> bezaban: anyconnect
22:33 < bezaban> acresearch: right :) Cisco doesnt package it for aur, only rpms and debs afaik. there may or may not be a community maintained version or you can try a custom install of a binary package or dismantling one of the other packages, but no guarantees that will work
22:34 < acresearch> bezaban: well i got the linux bash script from cisco itself that should install anyconnect when i run it, it completes without any errors, but the program fails to start, and i don't know how to find out the problem
22:34 < bezaban> someone might know if there is a web client / java app for anyconnect? seem to recall it
22:34 < acresearch> bezaban: you mean APT has an anyconnect that i can install? so i can avoid this installation mess on ubuntu?
22:34 < bezaban> acresearch: google suggests that is for systems with sysv init, later distros would likely be systemd
22:35 < bezaban> acresearch: might not be in default repos, but there should be an ubuntu package
22:36 < bezaban> but basically they don't do any validation against arch so ymmv
22:36 < bezaban> or derivatives
22:36 < acresearch> bezaban: hmmm, i might have to wait then for next week until 18.04 is out. but are you sure it is easier on ubuntu? i don't want to wait another week just to return to my same position
22:36 < bezaban> acresearch: not sure at all
22:36 < acresearch> bezaban: oh
22:36 < Demos[m]> that doesn't mean said package will work
22:37 < acresearch> bezaban: Demos[m] then what do you suggest i do? been weeks without the ability to do any work
22:37 < bezaban> acresearch: talk to it
22:37 < acresearch> bezaban: to whom?
22:37 < bezaban> acresearch: sorry, hehe. it dept
22:38 < bezaban> they might know of success stories, but you probably wont get far with asking them to sort out an unsupported stack
22:40 < acresearch> bezaban: IT department tells me to stop using linux and use windows, i actually got into trouble for installing linux on a university computer, so i doubt they will give me a reasonable solution
22:42 < acresearch> but on the other hand, if anyconnect provides an installation for linux, why can't i get it to work?
22:42 < bezaban> acresearch: ah, I support your effort.
22:42 < bezaban> acresearch: linux is just the kernel, distributions manage their own dependency trees and file structures etc, so you can't really make a generic linux package
22:43 < ||cw> I kind of doubt cisco is going to support 18.04 right away, it's got some large changes under the hood
22:43 < bezaban> it will often work with a simple binary or something you can compile from source after pulling in the right libs etc, but not great
22:43 < acresearch> bezaban: ||cw the official download page does not specify which distro it is for nor how to run the installation, how can i find out?
22:44 < bezaban> s/great/point&click/
22:44 < bezaban> it
22:44 < ||cw> read the docs?
22:44 < bezaban> its a shell script that may or may not work if I'm looking at the same thing
22:44 < acresearch> ||cw: there are no docs
22:44 < bezaban> plane landing now, have to go. good luck!
22:44 < acresearch> bezaban: yes it is a shell script
22:44 < bezaban> sorry for cutting it short
22:45 < acresearch> bezaban: its ok i understand
22:45 < acresearch> ||cw: what should Linux x86_64 mean? would that be part of a specific distro?
22:48 < ||cw> acresearch: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/release/notes/b_Release_Notes_AnyConnect_4_5.html#reference_DABA1C4FF5CB45F4904B538BAB32749E
22:49 < acresearch> ||cw: oh ok so 16.04 i can try that now
22:50 < acresearch> thanks, be back in several hours :-)
22:58 < dirac1> If I'm going to have a small router for a SOHO, is it any good to have a Proxy cache service inside the router (linux router)
23:00 < Aeso> dirac1, proxy cache for what? DNS?
23:00 < dirac1> oh sorry, for HTTP.
23:01 < Aeso> dirac1, are you worried about bandwidth? Is there some HTTP service you use in a SOHO setting that you've identified?
23:03 < dirac1> Not in particular (the http service). But It'll improve the bandwidth use, right? And usually the SOHO/SMEs don't have a great bandwidth allocation, it would be great to improve this kind of requests.
23:04 < Aeso> Probably not by as much as you think. Most HTTP traffic is HTTPS these days, which your HTTP cache won't support. It sounds like what you really want is a reasonable QoS configuration if bandwidth is your concern.
23:06 < dirac1> Aeso, Oh, yes you are right. So.. instead of a HTTP proxy server, use tc to reconfigure the bandwidth use?
23:07 < dirac1> any other simpler alternative to tc?
23:11 < dirac1> Ugh.. I'm talking about tc from iproute2. pardon.
23:11 < Aeso> dirac1, you're not looking to apply ToS/CoS tags; Your ISP will ignore them anyways. What you want to do is classify your own traffic and then run them through your own upload/download queues, so you can drop bulk traffic ahead of real time services
23:13 < Aeso> It's worth mentioning I have no idea what the tools for that are, but given most SOHO routers are just linux underneath, I assume they exist.
23:14 < Aeso> Of course all of this is a big waste of time if you get the real time app performance you're looking for without the queues. I would test first and if you're unhappy, revisit.
23:17 < k2gremlin> So question for some of you using google dns, 1dot or 9dot dns.. Anyone able to resolve mail.mil?
23:18 < tda> 1dot? 9dot?
23:18 < k2gremlin> 1.1.1.1 or 9.9.9.9
23:18 < k2gremlin> you know.. the new and exciting dns servers
23:19 < tda> yeah, just never seen them referred to that way
23:19 < k2gremlin> The one network admins are freaking out about because they use 1.1.1.1 as a placeholder for garbage stuff? lol
23:19 < ||cw> it's not resolving for me and I'm not using any of those
23:19 < Mead> is that the DNS server that swears it doesn't keep logs?
23:20 < k2gremlin> Mead, yea
23:20 < Aeso> k2gremlin, you can use nslookup or dig and specify the server you want to query against to see if they work for you.
23:20 < k2gremlin> tda, the domain is literally jitters2012@gmail.com
23:20 < k2gremlin> err sorry
23:20 < dirac1> Aeso, thanks for your comments :). Yes I'm aware that I have to do the QoS queue on the LAN side. And of course, I can't handle a "general" case. Therefore, I must consider the needs of a particular SOHO.
23:20 < k2gremlin> tda, 1dot1dot1dot1.cloudflare-dns.com
23:20 < tda> doubt quad1 is trustworthy, given who runs it and what they do
23:20 < k2gremlin> you mean one of the better companies at protecting from ddos?
23:21 < k2gremlin> *had to look up and make sure I was in the networking channel*
23:21 < ||cw> k2gremlin: I can resolve MX, but there's no A record
23:21 < Mead> If you want real DNS privacy, set up your own recursive DNS server
23:21 < k2gremlin> ||cw, thanks. Thats what I thought
23:21 < tda> one of the better companies at intercepting peoples data
23:22 < tda> you do realize the service is essentially a massive mitm right?
23:22 < ||cw> k2gremlin: sdns1.csd.disa.mil directly also doesn't report A
23:22 < k2gremlin> lmfao wow
23:22 < k2gremlin> crazy
23:22 < Capprentice> How to do load balancing and failover with two wan Links coming from two different ISPs giving separate Subnets?
23:22 < k2gremlin> Capprentice, per session?
23:22 < Capprentice> Per Destination
23:22 < Mead> honestly I'm surprised that there isn't a legitimate DNS alternative to get around icann
23:22 < k2gremlin> session/destination is almost one and the same :)
23:23 < ||cw> Capprentice: well, you follow your router's documentation. it's different for all of them
23:23 < tda> i cant resolve mail.mil on any one of those or at&t
23:23 < k2gremlin> tda wondering when that changed. Used to be able to hit it from any DNS I ever used
23:23 < ||cw> tda: the domain doesn't have an A record. it does report MX though
23:24 < Capprentice> Im planning on purchasing a router and combining the links. Which router do you recommend for this setup? I have two 155 Mbps drops
23:24 < k2gremlin> Capprentice, what vendor ?
23:24 < k2gremlin> Either Cisco or Juniper?
23:24 < Capprentice> Suggest me..
23:24 < k2gremlin> both can do it
23:24 < ||cw> Capprentice: I've done it with a linux box before.
23:24 < Capprentice> PfSense?
23:24 < k2gremlin> Could use a CentOS vm
23:24 < k2gremlin> :)
23:24 < ||cw> that's BSD, probably also can do it
23:25 < k2gremlin> combined 300Mbits is nothing
23:25 < ||cw> well, depends on the hardware :)
23:25 < k2gremlin> ehhh.. could almost take an old netgear and tomato it
23:25 < k2gremlin> lol
23:25 < ||cw> but anything PCIe and dual core should do it no sweat
23:25 < Aeso> Capprentice, to be clear, all of your connections on the failed WAN are going to reset
23:25 < Capprentice> Thats all I have. The subnets are different and coming from two different ISPs. How would you set them?
23:26 < ||cw> but find an early P4 and we get into "maybe" territory
23:26 < k2gremlin> Capp
23:26 < ||cw> k2gremlin: yeah but that's hardware dedicated to the task
23:26 < Capprentice> I can do a failover using IP SLA
23:26 < k2gremlin> Are you having throughput issues?
23:26 < k2gremlin> I was going to suggest that
23:26 < k2gremlin> or ACLs for different LAN subnets to use different links
23:27 < orlock> Capprentice: Are they both from the same ISP? have you discussed this with them?
23:27 < Capprentice> Using route maps?
23:27 < k2gremlin> He said different ISPs
23:27 < orlock> Oh, different ISP's.
23:27 < k2gremlin> yea route maps and vrfs
23:27 < orlock> Inbound or outbound traffic, got AS, got your own netblock?
23:27 < k2gremlin> orlock, prepend lists go!
23:27 < k2gremlin> :)
23:28 < k2gremlin> err prefix.. fk been a while since I bgped
23:28 < k2gremlin> Capprentice, you doing any multicast?
23:28 < Capprentice> I can not use VRFs. All traffic is supposed to be handled by a middlewire propritery isp billing solution
23:28 < Capprentice> NO.
23:29 < orlock> "middlewire propritery isp billing solution"
23:29 < orlock> lolwut?
23:29 < k2gremlin> lol
23:29 < Capprentice> hehe
23:29 < k2gremlin> I was going to leave that one alone
23:29 < orlock> so what you are saying is that your manager got taken out to a strip club?
23:30 < Capprentice> Its basically a Network Authentication Server which will talk to a Radius Instance and do the billing and shaping.
23:31 < k2gremlin> wait... billed per meg/gig?
23:31 < k2gremlin> meg/gig/
23:31 < k2gremlin> ?
23:31 < Capprentice> The topo is as follows - WAN1 + WAN2 ====> NAS= >Distribution Switch
23:31 < Capprentice> Yes.
23:31 < Capprentice> Mbp/s
23:31 < k2gremlin> if so whichever one is cheaper I would make primary and do failover
23:32 < k2gremlin> https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html IOS NAT LBing
23:32 < Capprentice> If I could use masquerade I would have not even asked this question.
23:32 < k2gremlin> lmfao
23:35 < Aeso> sounds like what you need is an ASN and some transit rather than a couple of traditional ISPs
23:35 < Capprentice> Exactly.
23:35 < Capprentice> I have applied for ISP license and ASN
23:35 < Capprentice> Until that arrives Im stuck
23:36 < tds> "ISP license"
23:37 < tds> is that actually a thing anywhere?
23:37 < Capprentice> Yes, it is.
23:37 < Capprentice> ;)
23:37 < orlock> Some places
23:37 < orlock> All depends on the country
23:37 < Aeso> Capprentice, yeah, you might be SOL in the mean time
23:37 * tds has an asn, I hope I'm not meant to have a license to go with it :P
23:37 < Aeso> cross your fingers and only run on one ISP :P
23:37 < orlock> here, it's called a carrier licence, and it's more of a telco thing than specifically an ISP thing
23:38 < orlock> But it has nothing to do with getting an ASN or block and using bgp
23:38 < orlock> but more to do with transmitting data across property boundaries iirc
23:39 < Capprentice> Applying for ASN does not require ISP License here either.
23:40 < orlock> It just requires forking over money and documentation to the regional NIC usually
23:40 < Capprentice> true.
23:40 < orlock> getting your own netblocks is the tricky bit
23:40 < orlock> though, apparently you can just steal people's and nobody will care too much
23:41 < Aeso> orlock, tricky? that one's solved with money these days too
23:41 < tds> not so bad for v6, but expensive for v4 :/
23:41 < Aeso> You can get /24s for ~$16USD/IP
23:41 < Capprentice> Ipv10
23:41 < Aeso> that number is going up quick, too
23:42 < orlock> Aeso: so about $4k for a /24? Seems cheap?
23:42 < ironpillow> hi all, what does this mean "logically separated networks" when talking about routing. I don't get the "logical" part. Are IP addresses logical and MAC addresses not? thanks!
23:42 < Aeso> nothing about ethernet is logical in the modern day :P
23:43 < orlock> Aeso: Where is this ipv4 netblock market? I'd like to invest.
23:43 < ironpillow> Aeso: :) getting that feeling the more I read about networking
23:43 < orlock> ironpillow: at a guess, i'd say vlans
23:43 < orlock> but that's not really about routing
23:44 < Whiskey`> pclover you hiding in here?
23:44 < Aeso> ironpillow, to me 'logically separated networks' sounds like subnets
23:45 < Aeso> orlock, that's right about market price. If you want to use a broker you can expect to spend ~40% more on a /24.
23:46 < orlock> we probably have 5 or 6 unused /24's, honestly
23:46 < orlock> i like watching the deny logs.
23:46 < ironpillow> vlans, subnets. so basically a way to separate devices so that communication between them is sandboxed
23:46 < orlock> internet's full of shit.
23:46 < Aeso> ironpillow, the only caveat being that you can have multiple subnets on a vlan, but not vice versa
23:47 < Aeso> not that you necessarily ever _want_ more than one subnet per vlan, lol
23:47 < tds> orlock: much quieter over on v6 ;)
23:47 < ironpillow> Aeso: :) for now I will make sure to have only one subnet per vlan
23:47 < orlock> tds: I bet, lot less interesting too
23:48 < orlock> tds: There's so many bogus companies around now. It's fucked up.
23:48 < orlock> I'm not sure at what point they become bogus, but there's netblocks that all look legit, but.. there's no actual company operating them
23:48 < orlock> the details are all fake
23:54 < jvwjgames> is it ok to allow game servers to be running in a vps environment
23:55 < lupine> depends on the business model
23:55 < Criggie> sure it's okay - depends on your firewalling skills, and a lot on the VPS' TOS
23:55 < jvwjgames> especially if it is a paid environment
23:55 < jvwjgames> and the person that is running the servers isn't paying
23:56 < orlock> i'd say that's a question for the people that run the VPS/own the hardware
23:56 < jvwjgames> aka me
23:56 < orlock> many of them have specific rules against game servers
23:56 < Aeso> jvwjgames, depends: Are you controlling that vps environment? Do you have any guarantees that your provider isn't going to fuck you by overloading the physical servers you're sharing?
23:56 < tds> are you a vps provider, or are you the customer, or some kind of in-between reseller?
23:56 < orlock> because of the chance of ddos attacks after somebody gets butthurt
23:57 < jvwjgames> i host the vps environment via Proxmox through my company Blue Peaks Hosting and his game servers are using a lot of ram and cpu
23:57 < jvwjgames> he said he needs 4 GB of ram and 4 cores of CPU
23:58 < Criggie> that's.... not a lot.
23:58 < jvwjgames> my server has 16GB of ram
23:58 < Criggie> We have server VMs with 240 GB ram and 64 cores, in AWS
23:59 < Aeso> jvwjgames, those are some tiny hosts, lol
23:59 < k2gremlin> orlock, I couldn't tell you how many /24's my org has unused lol
23:59 < k2gremlin> but it's a lot
23:59 < Aeso> k2gremlin, gibe pls
23:59 < Aeso> :P
--- Log closed Fri Apr 20 00:00:04 2018