--- Log opened Fri Apr 27 00:00:00 2018 --- Day changed Fri Apr 27 2018 00:00 <@pppingme> ok, there's two basic ways to fix this, depending on who controls what.. first, do you own/control the "vpn server" 00:00 < LFSveteran> yes , full control 00:00 < LFSveteran> the vpn connection is working 00:01 <@pppingme> ok, assuming thats just a typical point to point link, on the "vpn server" you simply need to add "ip route add 192.168.0.0/24 dev tun0" 00:02 <@pppingme> if thats more of an L2 type link, the command would be "ip route add 192.168.0.0/24 via 192.168.10.2" 00:02 < LFSveteran> never thought of, adjusting the server. Was more thinking about configuring the "router" 00:03 < LFSveteran> but if this works , fine 00:03 <@pppingme> the sloppy way would be to make the client nat everything as it passes out 00:03 < LFSveteran> the simpler , the better 00:03 <@pppingme> but thats sloppy, and will cause the server to log everything as the single ip of the vpn-client 00:04 <@pppingme> thats not simpler, its sloppier 00:04 <@pppingme> a single route fixes this thing, assuming no firewall rules will screw with you after the fact 00:07 < Phil-Work> ironpill_, no - that sort of defeats the point 00:07 < Phil-Work> the certificate on the server can have chain certificates in it, but the root must be installed on the client machine already 00:09 < ironpill_> Phil-Work: I just installed freeradius and by default they generate example certs, CA, server and client. So when I logged in to the network, my laptop downloaded two certs. 00:10 < ironpill_> also wouldn't having a known CA already on the machine for radius authentication bad? hence the reason for self-signed CAs in case of radius. 00:12 < Miguel2013> I want to know which network card is windows using for connecting to the internet and the local net 00:12 < lememer> hey...looking for something to do 1Gig throughput, basic firewalling, basic routing, DHCP 00:13 < lememer> anyone know of something that isnt crazy $$$? 
I have an mx64 now but thats just not enough throughput 00:13 < {HD}> Whats a female to female patch panel called? Plug patch cable into both sides. 00:16 < {HD}> Like a coupler panel or something? 00:17 < Miguel2013> lememer, hey those firewalls cost a lot 00:17 < djph> {HD}: "a bad idea" 00:18 < djph> ironpill_: a known CA wouldn't necessarily be a "bad" thing -- but holy hell paying for that many certs would be hilariously expensive 00:18 < {HD}> djph: yea too many breaks in line but I have seen them in the field I just want to know what to call it 00:18 < djph> {HD}: what's wrong with just using a keystone panel? 00:18 < lememer> @Miguel2013 - it was free, just go to a seminar :P 00:19 < djph> lememer: Ubiquiti Edgerouters? 00:19 < lememer> @djph someone on /r/networking was having issues with vlans and edgerouter lite 00:19 < djph> although, honestly I have no idea how much throughput a mx64 has ... 00:19 < lememer> not keeping up with 1gbps...ill look into other models 00:20 < lememer> so mx64 is software limited to 250 by meraki 00:20 < lememer> but if you know the right people you can get it to do "whatever itll run" 00:20 < lememer> so i get about 500mbps with most features off 00:21 < lememer> mx 100 is like $1500 at NFR pricing, but thats still a lot and its VERY LOUD 00:21 < {HD}> djph: nothing wrong with that... 00:24 < lememer> djph: ubquiti ER-8 may do it....just don't want to run into the VLAN issue the guy was running into on the subreddit 00:25 < djph> lememer: ERL will push gbps across all ports as well ... 
00:26 < djph> lememer: vlans are solid on them, although it kinda depends on how many you're planning on running 00:26 < djph> {HD}: so then *use* a keystone panel :) 00:26 < lememer> djph: dude on subreddit was having issues with ERL not pushing 1gig, seemed like it was related to tagging being on but maybe it was something else completely 00:26 < djph> probably 00:27 < djph> I've got a few dozen out in the wild that've been running for a while now. 00:27 < djph> last count was 44, plus the random lab ones I have (but, those don't really count) 00:28 < djph> although most are at smaller establishments, so they're not likely pushing a constant gpbs 00:30 < djph> obviously though, testing straight to an ERL will result in slower speeds; because it's slow :) 00:31 < stan7> i have problems opening port 80, i called to my isp provider and they told me i need to pay for monthly $30 usd for Approved ip, is it right? i think they are wrong, i dont need to pay for open ports, do i should change my isp provider or i need to pay? 00:32 < djph> stan7: opening port80 is at the discretion of your ISP. If their TOS is "pay $30 for runnign servers", then you pay them $30 for a server 00:33 < stan7> sorry , i dont understand it, im new in networking 00:33 < stan7> what do you mean? 
00:34 < stan7> i need to pay for that Approved ip 00:34 < djph> I mean that if your ISP says that as part of using their service, you cannot run a server without paying an extra $30, then you cannot run a server without paying an extra $30 00:34 < stan7> or they need to fix that problem 00:34 < stan7> i got it 00:34 < stan7> so it its not included i need to pay 00:35 < stan7> what i can do is to call to another company and ask about that service 00:35 < stan7> i just wanna open my port 80 to run apache server 00:35 < stan7> but i cant, i already call my isp to right configuration and they told me is right, only is that, that i need to pay for special ip monthly 00:36 < stan7> in spanish is homologada i dont know in english how you name that ip lol 00:36 < lememer> @stan7 you could use a different port and forward that to 80 on the server internally 00:36 < lememer> @stan7 your ISP cant possibly block all inbound ports :P 00:37 < stan7> what i did is to change in my apache conf the port 80 to 8080 and i open 8080 ports in my router configuration but still same problem 00:38 < stan7> im gonna ask and call to another isp provider company 00:38 < stan7> and lets see what they say 00:38 < stan7> but anyway thanks a lot for your support 00:38 < stan7> thank you so much 00:39 < djph> most residential ISPs (ESPECIALLY the smaller ones) block you from running servers 00:40 < stan7> really? i didnt know about it 00:40 < stan7> so its normal 00:40 < stan7> from small companies 00:41 < djph> yup, especially newer small ones who have to use CGNAT because they only have a /27 or something else small to play with 00:42 < stan7> thanks a lot 00:42 < stan7> so do you recommend to me to change to bigger one , i mean better company? or to pay for $30 usd monthly 00:42 < stan7> ?? 
00:43 < WishBoy> or they need to fix that problem 00:43 < djph> for $30 a month, you'd be better off with like digital ocean or linode or some other VPS (Virtual Private Server) provider 00:44 < WishBoy> stan7 almost all ISP blocks 21/53/80/110/443, etc! 00:44 < djph> WishBoy: no problem - they block inbound port80 to residential customers unless they pay for an IP (probably one of only a handful of publics they own) 00:44 < WishBoy> stan7 is only allowed for "business plans" 00:44 < WishBoy> stan7 static IP. 00:44 < djph> WishBoy: AT&T blocks nothing (although port 123 outbound is funny) 00:45 < WishBoy> stan7 no Dynamic. 00:45 < djph> WishBoy: and I'm on a dynamic IP 00:45 < WishBoy> djph 80 is openned? 00:46 < stan7> i got it 00:46 < stan7> why they do that? why they block it? 00:47 < WishBoy> stan7 to block people to make dedicated servers at home 00:47 < stan7> lol 00:48 < drudge`> they can charge you more for a business account 00:48 < stan7> how about if i open another port and i change my apache 80 to that port? 00:48 < WishBoy> stan7 Download 100Mbits / 100Mbits Upload (Fiber) + a computer, BINGO, you can host many websites and server games :) 00:48 < stan7> i already did last time and i still couldnt, maybe i should try again 00:49 < WishBoy> stan7 my browser can not see your server in another port, only if i type URL:port 00:49 < drudge`> try again 00:49 < WishBoy> how you can do a "REAL BUSINESS" with https://ebay.com:8635 00:49 < WishBoy> stranger, no? 
00:49 < drudge`> when you test make sure to include your enw port in the uri 00:50 < drudge`> https://www.seemslegit.top:8080 00:50 < WishBoy> imagine you sell hosting plans, but to enter your site you have to enter https://dedicatedusa.com:48956 00:50 < stan7> i got it 00:50 < stan7> thanks a lot 00:53 < drudge`> +1 00:53 < WishBoy> imagine you being a dentist and the website of your clinic hosted in your home and your 'business card' so "please visit my website https://newtondentistry.com:51326" 00:53 < WishBoy> :D 00:53 < WishBoy> hehe 00:53 < WishBoy> :P 00:57 < {HD}> djph: do the panels I described exist? 00:59 < c0dergirl98> Hello, im trying to make a program in c that intercepts TCP packets and switches the destination address does anyone have any experience playing around with the ip headers? 01:00 < electricmilk> hmm. Replacing a router/firewall during business hours is just asking for trouble but don't have a choice. I wish I could test it first but the boxes are doing DHCP and would likely cause conflicts 01:00 < electricmilk> What happens when you have two devices handing out DHCP leases in the same pool? 01:00 < drac_boy> hi 01:00 < electricmilk> (Only for a few minutes to test the new box) 01:01 < electricmilk> hi drac_boy 01:01 < drac_boy> how doing? 01:02 < electricmilk> Good you? 01:03 < drac_boy> doing ok beside still deciding about which board for this multi-purpose box thought I had .. nothing special tho so I'll sort it out myself :) 01:03 < electricmilk> right on 01:03 < electricmilk> Man I wish there was a SonicWALL channel on this server 01:04 < electricmilk> Why the hell does the firmware page have a separate download for SNMP MIP's? 
I can't find anywhere to upload the SNMP MIP file..my guess is it is included in the firmware update 01:05 < drac_boy> electricmilk well tbh this is more of like eg a matx board with plain freebsd install and run a few different services 'in one' including documents-only storage as well 01:05 < drac_boy> but to our own :) 01:05 < electricmilk> Sounds fun 01:06 < electricmilk> Ah nevermind. The damn SNMP MIB's files are from march of 2017..considering its a new box I should be current 01:06 < drac_boy> yeah it is 01:07 < drac_boy> and sorry I can't help with anything sonicwall anyhow...someone else in here might know tho if you wait around a bit 01:07 < electricmilk> Am I supposed to upload the MIB files to my networking monitoring software? 01:07 < electricmilk> seems to work just fine without it 01:07 < electricmilk> I need to learn more about SNMP..outside of my basic knowledge 01:08 < electricmilk> drac_boy, perhaps you can help with my question before you signed in. 01:08 < electricmilk> What happens when you have two devices handing out DHCP leases in the same pool? 01:08 < electricmilk> I want to test a new box before replacing it...would all hell break loose? 01:09 < lupine> generally to be avoided 01:09 < lupine> if you give them non-conflicting ranges it might be ok 01:09 < drac_boy> hmm sorry that one I would have to say "sorry not my problem!" .. I mean tbh how do you have two dhcp in the first place if you don't mind me asking? 01:09 < lupine> the client will receive multiple DHCPOFFER packets and will pick one 01:10 < electricmilk> Well my intention is replacing a an EdgeRouter-X with a SonicWALL TZ-300 01:10 < lupine> drac_boy: it's quite simple. 
I used to run 300 DHCP servers on a single server 01:10 < electricmilk> I want to make sure everything is configured correctly before swapping over and wanted to test it 01:10 < electricmilk> Meh I know what I'll do 01:10 < djph> electricmilk: that's kinda going the wrong way 01:10 < lupine> electricmilk: if you're handing out from a /24, just give the first 128 addresses to the ERX to hand out, and the last 128 to the sonicwall 01:11 < djph> really the issue's gonna be handing out the default gateway f 01:11 < electricmilk> ah yes 01:11 < electricmilk> Perhaps I just disable DHCP...give the new box a different interface IP in the same subnet...and manually set the IP's on a couple devices to test 01:12 < electricmilk> My boss wants this done during business hours...christ 01:12 < lupine> personally I'd keep the network segments separate. configure the sonicwall as if it's going into prod, then just plug a few devices in directly to test 01:12 < lupine> isolated from the prod env, I mean 01:13 < electricmilk> hmm but then I'd have to setup routes for a subnet I'm not going to end up using 01:13 < electricmilk> suppose it wouldn't hurt 01:13 < lupine> no you wouldn't 01:13 < electricmilk> I wouldn't? 01:13 < lupine> no. you configure it as if it's going into prod 01:14 < lupine> if the testing is good, you can swap it in without reconfiguring 01:14 < electricmilk> oh but don't connect it to the switch? 01:14 < lupine> right 01:14 < lupine> if you need an upstream, you can fake that too 01:14 < electricmilk> hmm I didn't think about that 01:15 < electricmilk> Do you think I should enable OSPF? There are only 4 subnets for the entire network? 01:16 < electricmilk> Right now it just has static routes 01:20 < hithere> this is a long shot but does anybody know of any tools that can convert pcap files into time series of packets per second? 
01:21 < lupine> no, but it's a 30-minute effort to build 01:27 < lupine> hithere: try `ruby -rpcaprub -e "::Pcap.open_offline('file.pcap').each_packet { |packet| puts packet.time }" 01:27 < lupine> might need to install ruby-pcaprub first 01:28 < hithere> im buildng a tool for it in python 01:28 < lupine> oh, make it a 4-hour development effort then 01:29 < hithere> I mean, I don't know how to use ruby so..... 01:29 < lupine> that's ok, the above will give you a valid CSV file you can pop into localc for charts 01:30 < lupine> just bin it by seconds and go 01:30 < hithere> Would I be able to use it spread out over like 100 files? 01:31 < lupine> with a little rejigging 01:31 < Miguel2013> c0dergirl98, I have experience playing with trailers 01:32 < lupine> translate into python if you're more comfortable with that, I'm sure they have libpcap bindings 01:36 < Miguel2013> I bought a https://www.amazon.com/APA-M25-directional-antenna-connector-WL-ANT-157/dp/B00R1PA9EO/ref=sr_1_2?ie=UTF8&qid=1524785726&sr=8-2&keywords=apa-m25 to get higher strenght how to check if my strenght has inreased 01:37 < djph> don't forget to turn your AP's Tx power down by 10dB 01:37 < Miguel2013> testing doing ping the router gives me same result as am antenna that looks like this https://www.amazon.com/Panda-Wireless-PAU06-300Mbps-Adapter/dp/B00JDVRCI0/ref=sr_1_13?s=electronics&ie=UTF8&qid=1524785812&sr=1-13&keywords=wireless+n+antenna 01:37 < Miguel2013> dowm or up 01:38 < djph> well, yeah, because ping has sweet fuckall to do with the signal strength 01:38 < Miguel2013> I don't know if my comcast router does that. 
and it does 10db on 5ghz don't know if I'm on 5 it's a wireless ncard 01:39 < djph> you have to REDUCE the transmit power of whatever device you plugged that 10 dBi antenna into by 10 dB -- UNLESS its Tx power + 10 dB is equal to or lower than the max EIRP allowed in your country of residence 01:39 < djph> otherwise you're (likely) operating at illegal power levels, and can find you get slapped around by the feds. 01:39 < c0dergirl98> Miguel2013, wym trailers? 01:40 < Miguel2013> c0dergirl98, haha that was a joke 01:42 < lupine> man, I totally wrote https://gist.github.com/lupine/829425c0fae005583a260d9d42105d90 for hithere and he's buggered off 01:43 < c0dergirl98> o lol 01:43 < lupine> I'm really proud of it too 01:43 < Miguel2013> c0dergirl98, I don't know if what you want is in either one either 01:44 < lupine> I'm a big grumpy that HTTP trailers forbid the Content-Length header 01:44 < lupine> whose bright idea was that? 01:44 < drac_boy> the what? 01:44 < lupine> trailer, I guess I should say 01:44 < Miguel2013> djph, they dont' care if people are doing drugs and they listen to our phones 01:45 < c0dergirl98> Miguel2013, what you mean 01:46 < djph> he's arguing that he shouldn't have to follow fcc regs. 01:47 < djph> or his local equivalent if not in the US 01:48 < djph> honestly, "getting caught" is probably low, but the fcc doesn't take kindly to it if they catch you. Do wifi & ptp microwave pretty often, so professionally I *have* to stay in the regs 01:48 < Miguel2013> c0dergirl98, the packets have headers and trailers but trailers are not talked about too much 01:49 < drac_boy> djph more or less same here..the only one still-ongoing exception is that I've been happy to use channel 14 quite many times and apparently its never ever been turned over for more than six years now 01:50 < djph> drac_boy: not the best idea ... 
but it's your rep 01:50 < Miguel2013> I am free 01:51 < drac_boy> djph yeah, I probably wouldn't have had to do it if so many idiotic condo users would stop jamming the wifi just because they couldn't bother plugging in a simple 3-ft cable between the router and tower pc sitting on the same desk -_- 01:51 * drac_boy has had to "wire" them up too many times to count 01:51 < Miguel2013> drac_boy, I agree 01:51 < Miguel2013> me too 01:52 < drac_boy> in residential area or anywhere outside the city I'm happy to stay under channel 11 .. in fact sometimes not even have to bother changing the default setting 01:52 < Miguel2013> let's save trouble and not use the alfa antenna 01:52 < Miguel2013> I want to be free to drink my coffee at 5 01:53 < djph> drac_boy: I had one of those. Pointed an airFiber at the condo for a week 01:54 < pwnz0r> anyone here an expert in the ssh protocol? Im specifically interested in channels (rfc4254). I am trying to understand if channels are supposed to be disposable or if they can be reused. 01:55 < djph> eventually, probably 01:57 < djph> but the channel number is a 32-bit unsigned int, so 65535 channels 01:58 < pwnz0r> right, but in the case of a pty-req for instance. 01:58 < pwnz0r> would each command be transmitted through 1 channel 01:58 < pwnz0r> or if you had two commands for instance 01:58 < pwnz0r> could be transmit one command then the second on the same channel 01:58 < pwnz0r> i suppose its implementation dependent 01:58 < Miguel2013> is 5dBi high gain 01:59 < Miguel2013> there's a rascal selling a wireless n usb wifi saying it's high gain for 20 dolares 02:02 < koala_man> pwnz0r: are you asking whether you can reuse the channel number for a new channel, or whether you can continue using a single channel? 02:04 < Miguel2013> Can I use 3 wireless adapters on a laptop to get more download speed from 3 diffferent isps 02:05 < Miguel2013> yes? 02:06 < koala_man> yes, if the wireless adapter is the bottleneck. 
02:07 < drac_boy> "different isps" = you mean different wap's right? 02:07 < djph> Miguel2013: no. 02:13 < Miguel2013> djph, please? 02:14 < djph> Miguel2013: transfers don't work that way 02:14 < Miguel2013> drac_boy, of course one router per isp 02:15 < Miguel2013> djph, can some download manager help me? 02:15 < Miguel2013> djph, it depends on the server right? 02:15 < djph> no 02:15 < djph> it's simply not how transfers work 02:16 < djph> I mean, maybe torrents would work, but not standard http/s downloads 02:17 < Miguel2013> ohh how about tor browser 02:17 < Miguel2013> I need to read my book 02:18 < djph> wouldn't change the "one isp = one unique stream" thing 02:27 < ironpillow> djph: yeah makes sense. too many certs 02:28 < ironpillow> any good resource/book on 802.1x, wpa2, eap (tls, peap, ttls)? thanks 02:36 < djph> ironpillow: don't know any offhand. I'd *imagine* there's at least one o'reilly text on the matter 02:36 < ironpillow> :) yeah was just browsing o'reilly 02:39 < djph> i just wish they didn't shit up their e-books 02:40 < djph> they were the *one* publisher I liked for their no-nonsense "buy the ebook, here ya go" approach ... and now htey moved to that safari horseshit 02:41 < ironpillow> I went ahead and bought safarionline account few months ago :( I agree it was super easy. 02:43 < djph> yeah, I consider it every so often, but then every time I'm about to pull the trigger, humblebundle has something for like $20 that happens to have the book I was considering buying 02:43 < djph> and then I get a shitton of other books for free 02:56 < dogbert2> now have a good heat sink on my libre computer :) 02:58 < djph> dogbert2: a gin & tonic? 02:58 < dogbert2> LOL... 02:59 < Miguel2013> hey I got 99% 1ms and the rest 2ms from my pc wired to the router through a intermediate switch. 
the cable that connects all devices connected to the switch to the internet or the cable that goes from the switch to the router is 50 feet and 15 years old and has many weak wore points isn't it very good for such an old cable 02:59 < Miguel2013> or is wired always fast? 03:01 < djph> wired is pretty much always fast. 03:01 < djph> unless it's damaged (but then it usually "doesn't work") 03:01 < fryguy> if you aren't getting packet loss and you are achieving the throughput that you are expecting, then it's good 03:07 < Miguel2013> fryguy, does ping tells me if packet loose is at good ratio 03:07 < ||cw> usually 03:08 < Miguel2013> it sent like 500 packets and all recveived but the cable to the router has damage like everyday people walk over it 03:08 < fryguy> not really, it'll show you some of the more eggregious stuff 03:08 < Miguel2013> ahh 03:08 < ||cw> are you actually having an issue or does the cable just look bad? 03:08 < dogbert2> if retail stores want to stay in business, they'd better learn how to take care of consumers :) 03:09 < dogbert2> what is new, djph 03:11 < dogbert2> w00t: [Bug 11341] PoC code for adding Credit/Debit Card Mag Stripe Processing to ClamAV DLP 03:12 < dogbert2> PoC for adding swift transaction tracking codes (CDN Banking System) to clamav 03:12 < dogbert2> [Bug 11392] New code for ClamAV (Credit Card Magnetic Stripe detection) :) 03:12 < dogbert2> now if they can get it into ClamAV :P 03:14 < ||cw> why does clamav need this? 03:17 < Miguel2013> ||cw, it just looks bad 03:17 < Miguel2013> ||cw, like it used to disconnect me a lot and it was cause I twisted it too much 03:18 < Miguel2013> fryguy, why ping not enogh? 03:18 < fryguy> because the packet rate for ping is quite low 03:20 < Miguel2013> fryguy, I sent 500 packets 03:20 < Miguel2013> at 64 bytes each 03:20 < fryguy> like i said. 
packet rate is quite low 03:20 < dogbert2> improves cleartext detection of those things...currently isn't tracked 03:23 < Miguel2013> fryguy, I can try with 1000 times bigger packet size 03:23 < Miguel2013> ) 03:24 < Miguel2013> is giving me higher ms time delay 03:24 < Miguel2013> 65000 bytes 03:25 < Miguel2013> yea still little 03:26 < Miguel2013> avg 16ms now going turh the 50 feets cable 03:30 < Miguel2013> wait aren't packets usually 1500 bytes over ethernet 03:30 < Miguel2013> did I went over the limit 03:42 < djph> by quite a bit, genius. 04:16 < ironpillow> if I don't have active directory or google auth, why use radius server? why is radius useful? thanks 04:43 < mellotto> Radius is used for triple A services. (authentication, authorization and access) 04:43 < mellotto> there is plenty of information about Radius services over the internet. What is exactly you looking for? 04:55 < ironpillow> if I don't have active directory or google auth, why use radius server? why is radius useful? thanks, sorry if someone answered the question. I lost network connection. 05:21 < mellotto> Radius is used for triple A services. (authentication, authorization and access) 05:21 < mellotto> there is plenty of information about Radius services over the internet. What is exactly you looking for? 05:33 < ironpillow> mellotto: I am learning about 802.1x. So far what I understand is that 802.1x is IEEE name for EAPol, correct? And EAP-TTLS-PAP, for example, is how EAP messages (credentials) are encrypted and exchanged. Now for AAA, 802.1x uses RADIUS, but doesn't have to. Say I want to use google auth for authenticating users, why would I need to use RADIUS if I don't need accounts, but just need authentication and authorization? thanks 05:42 < Intee> Hello everyone, could someone help me work out why I can access my web server (Running on a VM on my workstation) from inside the same local network as the server itself but from an external address. 
However, if I try and access the web server from another network using the same IP it doesn't work.(EG: From my workstation (VM Host) I can access the web server via external IP Address) 05:42 < mellotto> why you worry about Radius, if you are satisfied with google? Please, reformulate your question and be clear and objective when you ask. 05:42 < Intee> The port forwards are working fine as far as I can tell. port 80 is open and pointing to the correct internal IP and my SSH port forward to the webserver still works remotely 05:43 < Intee> Also, as I said it works if I access the external address from the same network the web server is attached too 05:46 < light> it's not clear what you're doing 05:49 < light> you'll need to clarify the question 05:50 < Intee> yeah sorry 05:50 < Intee> It's hard. 05:51 < Intee> So, from home I can access home.intergage.org that resolve to the same network my home machine is on 05:51 < Intee> Port 80 is forwarded to my webserver on my home network. 05:52 < Intee> So when access home.intergage.org from inside my home network it works perfectly BUT it is resolving to the external IP address 05:52 < ironpillow> mellotto: sorry for not being clear. I don't have/use google. I was reading about google auth and then came across radius. Hence, my confusion about why I would need radius if someone would use google auth. 05:52 < Intee> So unless there is some crazy caching going on or something I'm assuming my home computer is retriving the web information from the external IP home.intergage.org resolves too 05:52 < Intee> However, if I try and access home.intergage.org from my work network I get nothing. 05:53 < Intee> It's as if the domain doesn't resolve at all but I can nslookup that domain and get the external IP Address I'd expect to see 06:55 <@pppingme> Spice_Boy thought you died 07:06 < CWNE88> pppingme: what? 
07:06 < CWNE88> I'm around 07:06 <+pppingme> Hadn't seen you online for several days 07:06 < CWNE88> I'm on all the time 07:06 < CWNE88> this computer stays on now 07:07 < CWNE88> and these computers take next to no power, now that I've been looking 07:07 < CWNE88> at night the whole house only uses between 300 and 350watts 07:08 < CWNE88> someone had an issue of 5GHz wifi not working... it was some 5GHz motion sensors they installed that killed it 07:08 < CWNE88> 5GHz will be as bad as 2.4 soon 07:08 <+pppingme> the motion sensors used 5ghz to detect (like radar or something) or used 5ghz to communicate? 07:09 < CWNE88> to detect 07:09 < Criggie> idiot designers. 07:09 < CWNE88> they have IR too... they used to only have IR, but got new ones and then had trouble 07:10 < CWNE88> http://shop.mysmart.com.au/assets/brochures/MS-MWS6-PRM.pdf 07:16 <+pppingme> CWNE88 spec sheet says 5.8ghz, can you stick to lower channels on the A side? 07:17 < CWNE88> A side? 07:17 < CWNE88> a 7" record? :P 07:17 <+pppingme> 802.11a/ac 5ghz.. 07:17 < CWNE88> yeah of course 07:17 < CWNE88> that's what will have to be done.... normally, but it affected some director so they're going to replace them for the IR only ones 07:18 < CWNE88> it's at a uni 07:26 < realEstateKing> I want to create a way to load the mobile wikipedia page in my browser instead of the web page. Should I do this with a proxy? 07:29 < light> realEstateKing: click "mobile view" at the bottom 07:29 < light> or just switch to en.m.wikipedia.org 07:29 <+pppingme> realEstateKing just go to the m. site instead of the www. 
site 07:53 < ASmith> Need help with iptable rules to enable my webserver to work properly with and from tun0 07:53 < ASmith> iptables -t nat -A PREROUTING -p tcp -m multiport --dport 80,443 -i tun0 -d 10.10.10.3 -j DNAT --to-destination 192.168.0.1 07:53 < ASmith> iptables -t nat -A POSTROUTING -o tun0 -p tcp -m multiport --dport 80,443 -d 10.10.10.3 -j SNAT --to-source 192.168.0.1 07:54 < ASmith> I need to add the iptables rules to connect public ip (172.120.32.12) to network address tun0 (10.10.10.2) to local address (192.168.0.1) both ways for my webserver to function. 08:14 < `whoami`> ASmith: I might miss something here, but why don't you just add a "-A INPUT -i tun0 -p tcp -m multiport --dports 80,443 -j ACCEPT" rule ? 08:14 < `whoami`> isn't your webserver listening to the tun interface ? 08:16 < `whoami`> oh got it, the vpn isn't on the same machine, maybe 08:16 < ASmith> I can't seem to get the webserver to respond to that, however I'll point my domain.name to the VPN IP address and see if it'll respond 08:16 < ASmith> right its a remote VPN server `whoami` 08:17 < `whoami`> no no, what I meant is: is you vpn server on the same machine as your httpd ? 08:17 < `whoami`> buut it seems to, finally. 08:17 < `whoami`> -u 08:17 < ASmith> no it isn't, its on a remote server 08:17 < `whoami`> mkay 08:19 < ASmith> the platform is running all the apps through that vpn but I can't get any outside connection to my webserver on the local system 08:20 < `whoami`> you'll probably need to play with forwarding and masquerading 08:20 < ASmith> iptables -t nat -A POSTROUTING -s 10.10.10.6 -o eth0 -j MASQUERADE 08:20 < `whoami`> but I might be mistaken, so maybe wait for someone else to share his knowledge 08:21 < `whoami`> have you sysctl the thing to enable ip_forward ? 
(echo 1 > /proc/sys/net/ipv4/ip_forward) 08:21 < detha> ASmith: I still do not understand what you are trying to accomplish there 08:21 < ASmith> I need to add the iptables rules to connect public ip (172.120.32.12) to network address tun0 (10.10.10.2) to local address (192.168.0.1) both ways for my webserver to function. 08:22 < ASmith> the VPN provided public IP to the network address tun0 to my servers local address... ports 80,443 08:22 < detha> That does not make sense. You do not connect to a tunnel, you route over a tunnel 08:22 < ASmith> you are saying a VPN tunnel is not bi-directional? 08:23 < detha> What is your setup? 172.120 is where ? 08:23 <+pppingme> ASmith is this "server" routing back out through the vpn? 08:23 <+pppingme> or is it using the default gateway on your lan? 08:23 < ASmith> iptables -A INPUT -i tun0 -j ACCEPT 08:23 < ASmith> iptables -A FORWARD -i tun0 -j ACCEPT 08:23 < ASmith> iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 08:23 < ASmith> iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT 08:24 < detha> pppingme: I suspect the server isn't, and routing goes asymmetric, but I don't have the full picture yet 08:24 < ASmith> iptables -t nat -A POSTROUTING -s 10.10.10.6 -o eth0 -j MASQUERADE 08:24 < ASmith> ? 08:24 < ASmith> iptables -A OUTPUT -o tun0 -j ACCEPT 08:24 <+pppingme> ASmith if the inbound traffic passes through a particular nat setup, the outbound (replies) HAS to pass back through the same nat box 08:25 <+pppingme> that isn't optional 08:25 < detha> ASmith: stop with the rules, explain what you are trying to accomplish in 'this IP is on this machine, that ip is on that machine, I want traffic to flow this way' 08:25 < ASmith> Website locally, Vpn remotely, platform is connected to the remote VPN server via tun0 which provides a public IP 08:26 < detha> 'platform' ? 08:26 <+pppingme> define "platform" do you mean this webserver? 
08:26 < ASmith> I want to use 'that' public IP with my webserver 08:26 < ASmith> platform, box, server, etc. 08:26 <+pppingme> what is the default gateway of the webserver? 08:27 < ASmith> platform, all the apps are connected 08:27 < ASmith> 192.168.0.X 08:27 <+pppingme> and what is that? 08:27 < ASmith> the default gateway 08:27 <+pppingme> crap 08:28 <+pppingme> lets start again.. If I ask a question "A", and you reply, then I ask what your reply means, the answer isn't my original question.. EVER 08:28 <+pppingme> lets start again 08:28 <+pppingme> what is the default gateway of the web server? 08:28 < ASmith> as in the NAT address or ? 08:28 < CWNE88> haha 08:29 <+pppingme> this is a simple question.. 08:29 <+pppingme> what is the default gateway of the web server? 08:29 < ASmith> local address 08:29 < ASmith> 192.168.0.X 08:29 <+pppingme> local address that points to WHAT??? 08:29 < ASmith> that points to that server locally 08:30 <+pppingme> so its pointing to itself as its gateway??? 08:30 < ASmith> you asked, I answered 08:30 <+pppingme> I don't have time for trolls, and you dont' seem to want to give straight forward answers 08:31 < ASmith> I have multiple trusted domains for the webserver two are local, localhost which works as 127.0.0.1:80, and the local network address 192.168.0.X 08:32 <+pppingme> read all of my statements, the answer is there, if you're smart enough to read it.. 08:33 < ASmith> tun0 ip adress 10.10.10.x, broadcast address 10.10.10.x 08:33 <+pppingme> ASmith is this "server" routing back out through the vpn? 08:33 <+pppingme> or is it using the default gateway on your lan? 
08:33 <+pppingme> ASmith if the inbound traffic passes through a particular nat setup, the outbound (replies) HAS to pass back through the same nat box
08:33 <+pppingme> that isn't optional
08:33 < ASmith> it's using the gateway on my lan
08:34 <+pppingme> READ
08:34 < ASmith> what I need is for the server to route bidirectionally through the vpn
08:35 < detha> pppingme: lost cause. without a diagram of what is what here, or proper answers, this will take 3 hours
08:36 < Kaidok5797> Hello, I'm using bitnami on my computer to host a local wordpress environment for testing. I can access the wordpress test environment just fine on the host computer on which bitnami is installed. However my issue is that I want to also be able to access it on mobile devices or other computers that are also connected to my local network.
08:36 < ASmith> server <-> NAT 192.168.0.x <-> tun0 10.10.10.x <-> IP 172.120.12.xx
08:36 <+pppingme> He did finally answer, but only after being asked 20 times..
08:37 <+pppingme> its using the gateway on my lan
08:37 < detha> yeah. and I still have no idea between where and where the tunnel is.
08:37 < detha> not to the server, apparently.
08:37 < ASmith> the tun0 is on the server
08:38 <+pppingme> what OS is this "server"
08:38 < ASmith> linux ubuntu/mint
08:38 < Kaidok5797> Who me?
08:38 < ASmith> xenial LTS amd64
08:38 <+pppingme> ASmith do you know what pastebin is? or will that be another task in pulling teeth?
08:38 < ASmith> why, I'm asking about iptable rules and you are asking about my gateway?
08:39 <+pppingme> because your problem isn't iptable rules, it's routing
08:39 < detha> ASmith: as somebody said, make the server listen on tun0, problem solved
08:39 <+pppingme> ASmith do you know what pastebin is? or will that be another task in pulling teeth?
08:40 < ASmith> sure, I use pastebin now and then
08:40 <+pppingme> ok, from this "server" pastebin the output of "ip route"
08:40 < Kaidok5797> ooo I walked in on the middle of something... oops
08:40 < Kaidok5797> my bad
08:41 <+pppingme> Kaidok5797 plugging the ip address in (or local dns name) of the server doesn't bring it up? what does come up or what happens?
08:41 < Kaidok5797> blank page
08:42 <+pppingme> not an error, an actual blank page?
08:42 < Kaidok5797> correct... testing on an iPad Pro
08:43 < Kaidok5797> on iphone I get "Safari cannot open the page because it could not connect to the server"
08:43 <+pppingme> if you do view source, do you at least see a head and body tags?
08:43 <+pppingme> oh, that's more info..
08:43 < Kaidok5797> don't think you can view source on ipad
08:43 <+pppingme> I'd start by checking two things.. firewall (just eliminate it for testing), and be sure the web server is listening on the lan ip
08:43 < Kaidok5797> when I go to "localhost" on the host PC though, the bitnami page comes up just fine
08:44 <+pppingme> don't need source, your next statement told me all we need to know
08:44 < ASmith> https://pastebin.com/vUUbhGCF
08:44 < ASmith> there you are pppingme
08:44 < Kaidok5797> Ok let me disable firewall real quick
08:45 < Kaidok5797> disabling firewall did not help
08:45 <+pppingme> ASmith do "ip link show dev tun0" and paste ONLY the first line into the channel
08:46 < Kaidok5797> Ok I'm new at this... I should go into the Apache Web Server config file to check the lan IP correct?
08:46 < Kaidok5797> #Listen 12.34.56.78:80
08:46 < Kaidok5797> Listen 80
08:46 < Kaidok5797> that's what's in the Apache config file for listen
08:46 < detha> That should listen on all interfaces
08:47 <+pppingme> Kaidok5797 is this on a linux box?
08:47 < Kaidok5797> no I'm on windows
08:47 < ASmith> tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
08:47 <+pppingme> Kaidok5797 from the "server" instead of going to localhost, go to the server's lan ip, does that work?
08:48 < Kaidok5797> I just tried that as I was waiting for you. It seems to try to load then, but it never finishes
08:49 < Kaidok5797> loading progress bar hangs for a while, then it stops trying and I get the same error.
08:50 <+pppingme> Kaidok5797 quick sanity check, you sure you know the ip of the server?? worth double checking.. does it have more than one ip for any reason?
08:50 < Kaidok5797> I'll go back in the config file and double check
08:51 <+pppingme> if all you have is "Listen 80" then we are most likely past an apache issue..
08:52 < Kaidok5797> later on in the config file I see this:
08:52 < Kaidok5797> #
08:52 < Kaidok5797> # ServerName gives the name and port that the server uses to identify itself.
08:52 < Kaidok5797> # This can often be determined automatically, but we recommend you specify
08:52 < Kaidok5797> # it explicitly to prevent problems during startup.
08:52 < Kaidok5797> #
08:52 < Kaidok5797> # If your host doesn't have a registered DNS name, enter its IP address here.
08:52 < Kaidok5797> #
08:52 < Kaidok5797> ServerName localhost:80
08:53 < Kaidok5797> Is it possible that installing bitnami with the wordpress stack with my firewall ON caused an issue? possibly uninstall and reinstall with firewall OFF?
08:53 < detha> You can try commenting that out, apache will then pick whatever IP the machine has (or a DNS name if it can find one), and restart apache
08:54 < Kaidok5797> Ok.. Let me try that. It does take a few min to install so give me a few
08:54 <+pppingme> the "servername" directive wouldn't cause a timeout, it's more about virtual hosting..
08:54 < Kaidok5797> ok
08:55 <+pppingme> I guess I shouldn't say "wouldn't" but rather "shouldn't"
08:55 < Kaidok5797> 192.168.0.8 is the machine's ip
08:56 < Kaidok5797> hmm
08:56 < detha> pppingme: yeah, but if that install script puts stuff in some file in httpd/conf.d/ (whatever the windows equiv is) things may get strange
08:56 < Kaidok5797> gotcha gotcha
08:56 < Kaidok5797> let me uninstall and reinstall
08:56 < Kaidok5797> with a fresh copy
08:56 < Kaidok5797> with nothing tweaked
08:56 <+pppingme> shouldn't need to do that
08:56 < Kaidok5797> just to be 100% sure on everything
08:56 < ASmith> this looks like the 'gateway' you were asking about pppingme: default via 192.168.1.1 dev enp0s31f6 proto static metric 100
08:56 <+pppingme> you sure FW is disabled?
08:57 < Kaidok5797> yes. absolutely 100% sure firewall is disabled
08:57 <+pppingme> ASmith yeah, I'm past you for now, maybe I'll think about it in a few..
09:00 < detha> ASmith: that's a split-default, with effective default going through wherever that tunnel goes.
09:00 < ASmith> looks like the gateway is what I need, the server's local is 192.168.1.3
09:04 <+pppingme> Kaidok5797 just for kicks and grins, change the "Listen" to "Listen 192.168.0.8:80" and restart apache
09:04 < Kaidok5797> pppingme it's currently uninstalling.. then I'll reinstall and try that out and report back
09:05 < Kaidok5797> reinstalling now
09:34 < ring> Can I ask a question about ad hoc wireless networking?
09:38 < ring> I created an ad hoc connection between two computers; it was stable, but after a few minutes the connection degrades, losing about 50-60% of packets.
09:39 < ring> I don't know why
09:43 < Kaidok5797> pppingme I reinstalled
09:44 < Kaidok5797> I can now access it on mobile devices but I have to use my host machine's ip address...
09:44 < Kaidok5797> localhost
09:44 < Kaidok5797> does not work
09:44 < Kaidok5797> My IP address isn't persistent so that might cause issues.
09:44 <+pppingme> localhost ALWAYS refers to the device you're on, so doing "localhost" on say a tablet, will look for a webserver running on THAT tablet..
09:44 < detha> Kaidok5797: you have the 'Listen 192.168..' in there?
09:45 < Kaidok5797> AHHHHHHH ok... so localhost will never work on a remote device then.
09:45 < Kaidok5797> detha - I didn't change a thing. I just uninstalled and reinstalled.
09:46 < Kaidok5797> listen is still: #Listen 12.34.56.78:80
09:46 < Kaidok5797> Listen 80
09:46 < detha> ok, so IP/hostname of server works from other things, localhost works from the server?
09:46 < Kaidok5797> correct
09:47 < ASmith> anyone here able to help me connect my server to my remote VPN server IP ?
09:47 < detha> That is how it should be
09:47 < Kaidok5797> ok great. I'm guessing setting up with my FW on the first time messed things up
09:48 < Kaidok5797> I do have my firewall back on now and it still works.. so I'm golden. Thanks detha and pppingme !
09:49 < ASmith> 172.83.40.19 via 192.168.1.1 dev eth0 so I need a preroute of my local address to the default connection 192.168.1.1 ?
09:50 <+pppingme> what do you mean "your local address" ?????
09:50 < ASmith> my local address example 192.168.1.4
09:50 < ASmith> most any app I've used uses that exact name for it
09:51 <+pppingme> nevermind, I'm spinning again
09:51 < ASmith> Default Route apparently is your term for 'Gateway' pppingme ?
09:52 < ASmith> 'says "Default Route" on the Linux Connection Information, no 'Gateway' label there at all
09:52 < detha> ASmith: what address do clients connect to, and from where do they connect?
09:53 < ASmith> 172.83.40.19 via 192.168.1.1 dev eth0
09:53 < ASmith> from where, in 'Canada' on a remote server
09:54 < detha> Is the remote server in Canada in any way part of this tunnel/local setup ?
09:54 < ASmith> so do I need a prerouting call on iptables?
09:54 < ASmith> that's the other end of tun0 detha
09:55 < detha> Stop thinking about iptables. Think about routing.
09:55 <+pppingme> so it's your vpn server, right?
09:55 < ASmith> yes but my webserver is what I need to route...
09:55 <+pppingme> it has to add a route to it, otherwise when you load a default route on the tunnel, it won't be able to talk to the vpn server anymore
09:55 < djwraith> is there a good book / article somewhere that deals with webrtc as a network protocol instead of javascript api?
09:56 < ASmith> my other apps run as servers without any issues at all
09:56 < ASmith> my apache webserver does not
09:56 < detha> ASmith: Are the clients running on the server that the tunnel connects to?
09:57 < ASmith> yes, everything except the apache webserver
09:57 < ASmith> client running, you mean data packets fed from remote clients/peers
09:57 < detha> So why do you want the clients to connect to an external IP, and not to the tunnel IP ?
09:58 < ASmith> I .... can't.... get my apache server to connect to anything except locally
09:58 < detha> The apache server is the thing you are running on your end of the tunnel?
09:59 < ASmith> among other servers and apps yes
10:00 < ASmith> all the other apps work fine, several are working as servers processing data back and forth
10:00 < detha> Does the apache server need to connect to anything except clients?
10:00 <+pppingme> djwraith just looked, there are several books on safari about it
10:01 < ASmith> not that I'm aware of, it's set at the moment with plain port 80
10:01 < djwraith> safari then? lemme check
10:01 < ASmith> it runs successfully as a hidden server via tor routing but cannot find a way out with regular clearnet
10:01 < detha> ASmith: so then why don't you let the clients connect to the tunnel IP, 10.0.0.1 I seem to remember ?
10:02 < ASmith> that's like that remote server's lan addy detha
10:02 < djwraith> both Learning WebRTC and Introduction to WebRTC deal with the javascript side of things
10:02 < detha> So what is the IP of the tunnel on your end?
10:03 <+pppingme> https://www.safaribooksonline.com/library/view/real-time-communication-with/9781449371869/
10:03 < ASmith> 172.83.40.19 via 192.168.1.1 dev eth0
10:03 < ASmith> when I point my domain.name to 172.83.40.19 it doesn't reach my webserver
10:03 < detha> That is a route. To an external IP. I doubt your end of the tunnel has a routable IP
10:03 <+pppingme> ASmith yes, that's your vpn server, a route is added so when your default changes, it can still find the vpn server
10:04 < ASmith> that's the IP detha
10:04 < djwraith> pppingme: that one deals with webrtc as in javascript api
10:04 < detha> ASmith: please pastebin the output of 'ip addr show tun0' on the apache end.
10:04 <+pppingme> nmap -P0 -p 80 172.83.40.19
10:04 <+pppingme> 80/tcp open http
10:05 < ASmith> https://pastebin.com/vUUbhGCF
10:06 <+pppingme> you need to do any testing from OUTSIDE your network
10:06 < detha> Not what was asked, but it reveals that your side's IP is 10.0.0.6
10:07 < detha> So what don't you let clients connect to 10.0.0.6 ?
10:07 < detha> s/what/why
10:07 <+pppingme> you mean 10.10.10.5 ??
10:08 < detha> if that is the apache side, its IP is 10.0.0.6
10:08 < detha> 10.0.0.5 is the vpn server's side
10:09 <+pppingme> djwraith By the end of this book, you will have an extensive understanding of real-time communication and the WebRTC protocol and APIs.
10:09 < detha> ehm, s/10.0.0/10.10.10/
10:09 <+pppingme> that's from https://www.safaribooksonline.com/library/view/learning-webrtc/9781783983667/
10:09 < ASmith> hmm 10.52.10.1 perhaps?
10:09 <+pppingme> detha oops, but yeah
10:10 < detha> 10.52? where does that come from ?
10:10 < ASmith> from the ip route
10:10 < ASmith> doesn't even ping however
10:10 <+pppingme> detha don't forget, ASmith likes to kick out random unrelated answers..
10:10 < detha> So I've noticed
10:11 < ASmith> that's rather rude pppingme
10:11 < detha> ASmith: but accurate.
10:12 < ASmith> I'll point the domain to 10.52.xx.xx and see if that connects directly then... I doubt it
10:13 < detha> Unless you have other routes in place that you have not shown, it will not.
10:13 < djwraith> pppingme: found this one: https://tools.ietf.org/html/rfc3550
10:14 < ASmith> wait what? it wouldn't work but didn't you suggest it??
10:14 < djwraith> ^ this one doesn't stink of javascript
10:15 < detha> ASmith: I suggested connecting to 10.10.10.6. You made a 10.52.0.0/16 network appear out of thin air.
10:15 <+pppingme> rtp/rtcp is a bit different than webrtc
10:15 < ASmith> nope, instantly connection on port 80 refused
10:15 <+pppingme> detha ASmith 80/tcp open http
10:17 < detha> pppingme: yeah. but if he's running it on the server that that IP sits on, it won't work, unless there is some rather involved hairpinning in place
10:17 <+pppingme> he apparently has it in place if I can hit port80 from outside
10:17 < ne2k> anyone know how to, properly, so it actually works, get both a static and a dhcp address on the same interface on modern debianish OS? ifupdown. ubuntu 16.04 server. i.e. working so that if DHCP isn't available at boot, it still has the static, and then when DHCP comes to life it picks it up and still has the static as well. auto eth0 eth0:0; iface eth0 inet dhcp; iface eth0:0 inet static; looks like it might work, but
10:17 < ne2k> appears to go wrong if dhcp is not available at boot
10:19 < ring> bye
10:20 <+pppingme> ne2k it's not really a supported situation.. best I can advise is add a final script to your startup and "test" to see if you got an IP, if not, set it manually
10:32 < ASmith> nothing at all detha, localhost, 192.168.1.X works, xyz.onion works but no clearnet domains pointed back because I'm lacking some needed iptables here
10:33 < ASmith> the 10.xx.xx.xx ip didn't work at all detha, tried both using two parked domains, nothing
10:33 < detha> ASmith: you are lacking a clear picture. Nowhere in the information you have given did it say anything about tor.
10:34 < ASmith> I also run the apache server over tor detha, you thought it's all or nothing?
10:34 < ASmith> do you run any servers over tor yourself detha ?
10:35 < detha> No. Why would I want to attract attention to myself?
10:36 < ASmith> ah, yes such has nothing to do with attracting attention detha it has everything to do with freedoms, privacies and liberties IMO
10:36 < yuung> ASmith you sound like a cop XD
10:36 < ASmith> but some folks I guess still use facebook also, lol ;)
10:37 < ASmith> I sound like a beta user of 5+ years on retroshare, one of the few full on encrypted, anonymous global communication network apps
10:37 < ASmith> what do coppers sound like yuung?
10:37 < yuung> doesn't mean you can't be a cop ;)
10:37 < ASmith> I've been asked my IP here by just about everyone that offered some advice
10:39 < ASmith> I'm just trying to get a website online here
10:39 < ASmith> if there's an agenda, other than that, I don't have one, do you yuung ?
10:39 < yuung> yes
10:39 * yuung was a cop the whole time
10:39 < ASmith> good for you
10:40 * Kaidok5797 pulls out some popcorn
10:40 < ASmith> was as in past tense?
10:40 < quarterback> anybody familiar with snmp here? This is on linux computers, not on routers.
10:40 < ASmith> I have some snap packages but not snmp?
10:41 < quarterback> snmp is cisco's simple network management protocol in which a network manager station polls hosts which are spread out in a lan.
10:42 < ASmith> thanks quarterback , nope sorry
10:42 * linux_probe does the quarterback sneak
10:42 < ne2k> quarterback, Cisco's?!
10:42 < linux_probe> runs like a backwards swan "Bernoe Kozar" style
10:42 < ne2k> I'm fairly confident that Cisco did not invent SNMP
10:42 < linux_probe> Bernie**
10:43 < ne2k> quarterback, I am relatively familiar with SNMP. what do you want to know?
10:44 < ASmith> darn I was hoping someone here was familiar enough with iptables they could lend a hand getting my webserver able to communicate to the clearnet merely on http, I guess not, thanks though
10:45 * Kaidok5797 continues to eat popcorn
10:45 < Kaidok5797> was that guy seriously wanting help setting something up on the darknet?
10:46 < detha> 8/10 troll
10:46 < Kaidok5797> gotcha
10:48 < linux_probe> darknet LOL
10:49 < linux_probe> more liek SHARTNET
10:49 < Kaidok5797> fair
10:50 < yuung> linux_pro you mean fartnet?
10:50 < Kaidok5797> ha
10:51 < yuung> one day i'll get a 'haha' out of here...i'm 50% of the way
10:51 < yuung> til then...enjoy your computers \/
10:54 < quarterback> ne2k, I had enabled loopback for snmp now, I had to add a line rocommunity public 127.0.0.1
10:55 < quarterback> this is /etc/snmpd/snmpd.conf
10:55 < quarterback> this is /etc/snmp/snmpd.conf *
11:15 < TotallyNotKim> sooo my local, locked away unifi controller just sent me a pw reset mail..
11:15 < TotallyNotKim> I didn't request it and wasn't on the controller page for like 3 weeks
11:41 < afx_> drathir, detha hi there !
11:42 < detha> afx_: good morning
11:42 < afx_> found a solution to my problem . There were 2 problems to my issue
11:43 < afx_> one was cabling - i was falsely told that they were tested
11:44 < afx_> the other one was the priority should be given to the cisco switch and not hirschmann
11:44 < afx_> :)
11:45 < detha> Nice, so one interface was flapping because of cabling, and STP took a bit of time to converge?
11:54 < MaxFrames> hello
11:55 < light> hello
11:55 < MaxFrames> I need to save the config of a lan device on a sftp server on the wan; the lan device is on vlan 300 and subnet 10.x.x.x, the subnet is natted to the firewall's wan interface (which is on vlan 1)
11:56 < ne2k> MaxFrames, ...?
11:56 < MaxFrames> I am logging everything, and the destination firewall never sees the incoming transmission
11:56 < ne2k> MaxFrames, you haven't described the setup and the traffic very thoroughly
11:57 < MaxFrames> I see an entry in the local firewall log from interface (vlan 300), source (lan device), destination (sftp server on the wan), dest port 22
11:57 < MaxFrames> I suspect this connection is not getting nat'd to the firewall's external ip address, despite an outbound nat rule being in place
11:58 < MaxFrames> ne2k: I am trying to describe
11:59 < MaxFrames> I am allowing all outgoing traffic, and logging. on the remote firewall, I am allowing incoming traffic FROM (local firewall ip address) TO (sftp server) on port 22 and this rule is never being hit, so the traffic is not getting to the destination
11:59 < MaxFrames> and I am not logging anything TO (sftp server) on the local firewall, so it really seems the connection never leaves the local firewall, it gets lost before it's natted?
12:02 < ne2k> MaxFrames, so the connection is from client ---> (inside) LOCAL FW : masq (outside) ---> WAN ---> (outside) dnat: REMOTE FW (inside) ---> server
12:02 < ne2k> or what?
12:02 < ne2k> you need to describe the entire chain
12:02 < MaxFrames> client->local firewall->masquerading to the local firewall's wan ip->remote firewall->server
12:04 < MaxFrames> I see logs for the client->local firewall part; I am _not_ seeing logs for the actual outbound connection (local firewall->remote firewall); and the remote firewall is not logging any connection attempt either
12:04 < dogbert2> whazzup?
12:04 < MaxFrames> at some point, I should see a log entry on the local firewall, with source ip=the local firewall's wan ip; that's what masq does, right?
12:05 < afx_> detha, yes and this caused the loss of other devices connected to 3600
12:06 < afx_> btw the cables were ca. 108m. I reduced the length to 95m and now the flapping does not occur. But I am a bit sceptical for this length too
12:08 < ne2k> MaxFrames, I don't know whether you would see a log entry as I know nothing about your firewall. I would do a packet trace on LOCALFW WAN for host = REMOTEFW port = remoteport
12:08 < afx_> should one use an extender or booster for that length ?
12:08 < afx_> I mean if there is any :)
12:09 < ne2k> MaxFrames, in most normal setups, masquerading outbound from LAN to WAN is covered by a very generic rule, so if it works at all, it should work for this
12:09 < afx_> or should I consider upgrading the site to fiber?
12:09 < grawity> tbh I'd say run fiber
12:09 < grawity> an ethernet "extender or booster" is usually called a switch
12:10 < detha> afx_: technically 100m is the limit, but 95m is uncomfortably close yeah
12:10 < afx_> grawity, Ok in that case a switch is not really an option
12:10 < ne2k> stoar and foreward
12:10 < MaxFrames> I have found where nat is logged on my firewall (pfsense): diagnostics-states
12:10 < MaxFrames> and I can not see any active "state" for this outbound connection
12:10 < ne2k> MaxFrames, just ssh in and run tcpdump
12:11 < MaxFrames> ssh in the local firewall?
12:12 < drathir> afx_: hi, hi ^^
12:13 < afx_> drathir, hellO!
12:14 < drathir> detha: afx_ probably triggering stp by cabling delays... Good that figured out...
12:14 < afx_> yes finally :)
12:14 < afx_> It would be much easier if I was told that the cabling was over 100m in first place
12:15 < afx_> they told me about 76m , so...
12:16 < afx_> grawity, found this http://www.cablinginstall.com/articles/2015/05/blackbox-lan-extension-blog.html
12:16 < afx_> about extenders
12:16 < afx_> can you or someone else confirm that these extenders work ?
12:17 < afx_> I mean ethernet to dsl
12:17 < grawity> that's not the kind of "Ethernet extender" that you were asking about
12:17 < drathir> MaxFrames: all outgoing conn will be with fw gateway ip...
12:17 < MaxFrames> found the issue!
12:17 < MaxFrames> I have two gateways on the local firewall, connection was being routed to the "wrong" one
12:17 < drathir> MaxFrames: not local lan ip range i guess...
12:19 < drathir> afx_: good cables vs "good cables" problem too occurs...
12:20 < afx_> drathir, true
12:22 < drathir> afx_: sadly there hw matter too one hw in theory could allow on long line establish stable connection other hw could have problems...
12:23 < afx_> yeah but I mean 95m is too close to the limit
12:23 < afx_> no matter what
12:23 < afx_> that is why I am looking for alternatives
12:24 < grawity> fiber and forget it
12:24 < afx_> grawity, I am looking at fiber to ethernet media converters atm
12:24 < afx_> do you have something in mind?
12:24 < drathir> afx_: good to have certification of cable one level up if that's noname one cable just in case if weak quality it's still should be closer to real lower one category...
12:24 < drathir> grawity: that's true...
12:24 < grawity> Fiber and Forget, trademark pending
12:25 < djph> afx_: switches don't have SFPs?
12:25 < afx_> djph, cisco do , hirschmann don't
12:25 < djph> replace 'em?
12:26 < drathir> afx_: "limit" there for sure are nasty ones installation much over 100m which works too, but when problems come harder to debug...
12:26 < afx_> djph, you don't trust the conversion?
12:26 < grawity> out of principle, I guess
12:26 < grawity> though some of the older media converters here at $work just take a sfp
12:26 < drathir> afx_: cisco core hirschmann to users delivery...
12:27 < afx_> drathir, if there wasn't the stp problem to hang com with other devices too, no one would notice
12:27 < drathir> afx_: but upgrade only to full fiber reasonable in my opinion...
12:28 < grawity> afx_: more importantly, get converters (and fiber) with matching specifications
12:28 < afx_> grawity, will look into that
12:28 < drathir> afx_: You wanna sleep calm, do networking right ^^
12:29 < afx_> :)
12:29 < afx_> apparently I am not a networking guy :)
12:30 < grawity> hmm does fs.com have a section for cables of this purpose
12:30 < djph> afx_: more that it's "one more thing to go bad"
12:30 < grawity> or does one just go "patch cables -> custom length -> 150 m"
12:30 < afx_> djph, yes I understand
12:30 < drathir> afx_: but still You wanna things working w/o problem infra should be done correctly, w/o unnecessary savings, bc that always revenge in future...
12:31 < afx_> I am sure
12:32 < MarcWeber> I try to setup a archer C60 tp-link as access point. I've switched off dhcpd and set a manual IP address on LAN which is the same subnet as the router (eg .1 or .254). However routing doesn't work.
12:32 < MarcWeber> It's not the router, because configuring my linux machine manually and setting a default gw works.
12:33 < drathir> MarcWeber: set a gateway?
12:34 < grawity> please clarify "routing doesn't work"
12:34 < grawity> where do you see packets going?
12:34 < MarcWeber> network destination, subnet mask, default gateway, interface ... can be set as static routing.
12:34 < grawity> or not going
12:34 < mawk> how are the wires plugged into the access point MarcWeber ?
12:34 < mawk> you didn't plug your router's LAN into the "WAN" port did you ?
12:34 < grawity> so I'm assuming the problem situation is with DHCP enabled on clients?
12:35 < drathir> MarcWeber: AP and PC mostly should have set the same gateway to router...
12:36 < MarcWeber> The tp-link has 'diagnostics' tools, pinging an ip like 46.252.26.133 fails.
12:36 < grawity> the AP's own gateway isn't very important
12:36 < MarcWeber> So it must be the routing of the tp-link.
12:36 < grawity> because in this situation you're trying to make the AP act as a bridge, not a router
12:37 < grawity> (APs pretty much are bridges)
12:37 < MarcWeber> There is network -> advanced routing allowing me to set network-destination, subnet mask, default-gw, interface
12:37 < ne2k> MarcWeber, the AP doesn't need an IP address or gateway at all in order to work as an AP and bridge. they are merely a convenience for administering it
12:38 <+pppingme> imagine an AP as nothing more than a switch
12:39 < MarcWeber> When resetting the device it works until I reboot
12:39 < drathir> grawity: correct, but depends on ap mode i guess, as good remember tplink get two ap modes available if nothing changed...
12:39 < grawity> well they *call* them "AP modes" but
12:39 < MarcWeber> It's fine to switch off dhcpd and set IP address manually -> then it works until I reboot.
12:39 < ne2k> MarcWeber, are you saying that a wireless client, when given static settings, can reach the internet, but when set to dhcp client, it cannot?
12:39 < MarcWeber> I didn't try that.
12:40 < MarcWeber> Perfect behavior would be the client getting dhcp information from router.
12:40 < drathir> grawity: one act as bridge second as kinda router...
12:40 < ne2k> MarcWeber, can you connect the same client directly to the router by cable for a test?
12:40 < MarcWeber> Y.
12:41 < ne2k> MarcWeber, and does DHCP work correctly then?
12:41 < MarcWeber> But the admin interface's tools cannot ping ips from the internet. Is this expected?
12:41 < grawity> MarcWeber: as mentioned earlier, that's independent from clients
12:41 < ne2k> MarcWeber, admin interface of what? we're talking about client (DHCP) -> cable -> router atm
12:42 < MarcWeber> laptop -> wifi -> access point -> cable -> router -> internet
12:42 < grawity> so it's very possible that clients work but the AP's internal "ping" doesn't, or vice versa
12:42 < ne2k> MarcWeber, wut
12:43 < ne2k> MarcWeber, does laptop (dhcp) -> cable -> router -> internet work?
12:51 < MarcWeber> Y (wifi is off and everything is fine).
12:54 < ne2k> MarcWeber, stupid question, you've not got the laptop connected to the router via wire /and/ via wireless at the same time when the test is failing, have you?
12:54 < drathir> MarcWeber: just in case You not get static ip assigned to eth?
12:55 < drathir> ne2k: pretty little loop ^^
12:55 < MarcWeber> No, I double checked IPv4 is set to automatic (LAN) -> works. Wireless settings -> DHCPD -> fails when connecting to AP.
12:56 < ne2k> drathir, it wouldn't be a loop as the laptop is very unlikely to be bridging lan and wlan interfaces.
12:56 < MarcWeber> But it works with my other laptop.
12:57 < ne2k> MarcWeber, is the dhcp pool exhausted?
12:57 < drathir> MarcWeber: mac/ dhcp lease?
12:58 < drathir> ne2k: m$ in theory should screaming the same gateways...
12:58 < ne2k> MarcWeber, ok, so laptop1 dhcp -> wlan -> ap -> rtr works, laptop2 static -> wlan -> ap -> rtr works, and laptop2 dhcp -> wired -> rtr works, but laptop2 dhcp -> wlan -> ap -> rtr does not?
12:58 < drathir> ne2k: not sure about linux...
12:59 < drathir> ne2k: not surprised if would work normally with eth and wifi one time up if separate ip-s assigned ;p
13:01 < ne2k> MarcWeber, correct?
13:03 < drathir> MarcWeber: just for test maybe try too get laptop2 wifi assigned ip into laptop1 wifi statically and check if will work...
13:37 < waqstar> Hello. Quick question, which subnet mask do I need to cover IP addresses from 10.104.25.0 up to 10.104.50.0?
13:37 <+pppingme> waqstar is this ##homework
13:38 < detha> Also, that is not one netmask
13:38 < waqstar> detha, I can split it into multiple nets.
13:38 <+pppingme> 10.104.25.0/18 would cover 10.104.0.0 - 10.104.63.255
13:39 < waqstar> pppingme, No, it's for aws, just learning how it works. I want to have some machines inside VPC
13:39 < waqstar> pppingme, Can't use .0 there. it HAS to be from 10.104.25
13:40 <+pppingme> to step down to 10.104.25.0/19 would only cover 10.104.0.0 - 10.104.31.255
13:40 <+pppingme> so that doesn't get the upper end of what you want
13:40 <+pppingme> why do you need such a large range?
13:40 < waqstar> BTW I'm a complete networking noob so excuse the noobness
13:41 < ne2k> detha, um wut
13:41 < detha> can you change it to 10.104.24.0 - 10.104.63 or so?
13:41 < ne2k> waqstar, what is this actually for?
13:41 < ne2k> XY
13:41 < waqstar> detha, hm, let me check.
13:42 < qman__> if you must start at 25, that limits you to /24 which means adding lots of subnets
13:42 < detha> that.
13:42 < ne2k> ARGH!!!!
13:42 < detha> 24 is a much nicer number
13:42 < qman__> if you can start at 24 that broadens the max subnet size
13:42 <+pppingme> as ne2k says, describe your problem instead of trying to force a solution
13:42 < o_miguel> I can not send tcp/ip packets of size of exactly 459 bytes... (460 or 458 or other sizes seem to work fine). I can fix it by setting MTU under 400. Is this acceptable? And what might be the reason for this behaviour?
13:43 < waqstar> ne2k, this is for some testing, not critical at all, just learning
13:43 < waqstar> qman__, yeah that's what I thought, meaning I have to create 25 /24 subnets to cover from 25 to 50 :)
13:43 < mawk> doesn't look very acceptable to me o_miguel
13:44 < waqstar> qman__, I can start at 24. Which would be the subnet mask for that?
13:44 <+pppingme> describe your issue, and why you're stuck on those ip's
13:44 < detha> waqstar: if exact boundaries are not critical, grab something like 10.104.32/19, gives you 10.104.32.0 to 10.104.63.255
13:44 < o_miguel> mawk: I experience this problem only under debian (win works fine without changing anything, not sure what is the default mtu size there).
13:44 < ne2k> waqstar, if the question is "what is the smallest network that covers the range specified", the answer is 10.104.0.0/18. If the question is "what is the smallest list of networks that covers the range specified", that can be answered too
13:45 < qman__> with 24, you can start with a /27
13:45 < dreadkopp> hey guys. got a teeny tiny problem with a bridge on a bonding here :)
13:45 < o_miguel> mawk: ah it seems also to be 1500 under windows
13:45 < mawk> yes o_miguel
13:46 < mawk> 1280 is the minimum for ipv6, for instance
13:46 < mawk> 1500 is the most common size, you have stuff like 1492 for tunnels with light headers, or maybe 1460 for openvpn over tcp, or 1420 for wireguard over ipv4, etc
13:47 < waqstar> OK I'll explain. In the current on premise network, we have webservers in 10.104.0.0/24, 10.104.23.0/24 is redis cache servers. now from 10.104.25.0 - 50.0 is database servers. I know this doesn't make sense in terms of subnetting but it's basically just an IP addressing convention they've chosen here. I want to pick it up and replicate in aws
13:47 < o_miguel> mawk: any idea what might be causing this? I experience it on two different debian machines with different hardware. And I do not experience it under windows on one of these machines.
13:47 < dreadkopp> i aggregated interfaces em1-em4 to bond0. works fine, host is reachable under the bond's IP. then i created a bridge br0 and connected the bond to it . then i fired up a vm which is connected via br0 (vnet7). The VM then fails to get an IP address via DHCP however. Where did i make a wrong turn ?
13:47 < dreadkopp> :~# brctl show
13:47 < dreadkopp> bridge name bridge id STP enabled interfaces
13:47 < dreadkopp> br0 8000.a0d3c1fa4500 no bond0
13:47 < dreadkopp> vnet7
13:49 <+pppingme> dreadkopp where is the DHCP server?
13:49 < ne2k> dreadkopp, does DHCP from the VM work if you dispense with the bond and just use a single link?
13:49 < detha> waqstar: track down whoever set that up, and forbid that person to ever touch a network again
13:49 < ne2k> dreadkopp, and what flavour of bond is it?
13:49 < qman__> how many database servers do you have? that range is massive
13:50 < dreadkopp> pppingme the DHCP server is on an IPFire machine.
13:51 < dreadkopp> ne2k DHCP from the VM works if I add it to a bridge which is connected to a single NIC (no bond). Bond mode for the bond is 6 (balance-alb), connecting to the host via the bond works a-okay :)
13:51 <+pppingme> dreadkopp when you create the bridge, you need to remove any IP settings from bond0 and apply them to the bridge.. is that what you've done?
13:51 < waqstar> detha, It's my boss lol. But to be fair we have a /16 from 10.104.0.0 for all private machines on premise. 25.0 - 50.0 is purely a convention, i.e. database servers are in this range of IP addresses
13:51 < mawk> o_miguel: docs say that a too low MTU value can cause "kernel crashes"
13:51 < mawk> so I wouldn't look too hard for why this happens
13:51 < dreadkopp> pppingme: yeah: https://hastebin.com/nakifafaqu.pl
13:52 < waqstar> qman__, Only have about 50 or so but this is what the documentation says, that 25-50 will be DB servers.
13:52 < dreadkopp> as I said the host is accessible without problems @10.0.6.1. Only VMs connected to the bridge fail
13:53 < waqstar> I think I can get away with doing /24 in AWS as that will actually cover all DB servers we currently have (just 50)..
13:53 < qman__> waqstar: then for your testing, just add one /24, it'll be way simpler and more than enough
13:53 < o_miguel> mawk: I cannot send any packet of the EXACT length 459 bytes (unless I set this insane MTU value <=400). I have to definitely find out WHY this happens, right?
13:53 < waqstar> qman__, Perfect, thank you so much guys
13:54 < mawk> even with higher MTU values o_miguel ?
13:54 < o_miguel> mawk: It took me ages to find this problem :P
13:54 < mawk> lol
13:54 < o_miguel> mawk: only with higher MTU values
13:54 < mawk> uh
13:54 < o_miguel> I was experiencing random loss of connectivity when downloading images through my browser, only to find out that all requests measuring 459 bytes in length get dropped somewhere
13:55 < o_miguel> smallest variations in the headers like referer or reloading change this size
13:55 < o_miguel> it only happens with exactly 459 bytes, and it gets fixed when I set the MTU < 400
13:55 < o_miguel> happens on two different computers with different drivers
13:55 < o_miguel> but it does NOT happen on Windows
13:56 < o_miguel> so I can rule out that it is my router's fault, or a driver's fault I suppose?
13:56 < detha> o_miguel: do the packets make it back to your machine and get dropped in the network stack, or do you never see them?
13:56 < o_miguel> I also can hardly believe it is the Linux kernel's fault
13:57 < mawk> 469 is close to the default TCP MSS value when you enable TCP MTU probing
13:57 < mawk> it could come from that
13:57 < o_miguel> detha: I see them leaving my interface with tcpdump, but I never see them arriving at their destination (where I wait for them with tcpdump too)
13:58 < o_miguel> detha: not sure if this answers your question..
13:58 < detha> o_miguel: would be interesting to see how far they make it, mtr with different packet sizes maybe
13:58 < waqstar> btw on the topic of AWS and cloud providers. Has anyone set up a VPN to Google Cloud from pfSense before? I did it for AWS but GCP doesn't connect, and no actual decent logs
13:58 < o_miguel> detha: they reach the destination when I set the MTU under 400 (which is not acceptable as mawk pointed out)
13:59 < o_miguel> I have to look up what mtr is..
13:59 < o_miguel> :P
13:59 < detha> o_miguel: yeah. but the question is, where do they get dropped?
13:59 < detha> think traceroute
13:59 < o_miguel> can I traceroute a specific packet size?
13:59 < o_miguel> Ill tr
13:59 < o_miguel> try
14:02 < mAniAk-_-> o_miguel: tracepath
14:04 < o_miguel> traceroute is UDP right?
14:04 < o_miguel> hmmm
14:04 < o_miguel> maybe my problem affects TCP traffic only..
14:05 < detha> this is why I suggested mtr ;p. It has -s packetsize, does ICMP by default but also has --udp and --tcp
14:06 < o_miguel> detha: ah ok thank you.. I was not aware mtr refers to a traceroute tool :)
14:06 < o_miguel> thought it is some parameter like mtu ;)
14:10 < o_miguel> mtr example.com --tcp reports 100% loss at my very closest host which is marked as ???
14:10 < o_miguel> --udp very similar...
14:11 < o_miguel> without --tcp / --udp no loss at all...
14:11 < detha> that is odd. outbound firewall rules?
14:12 < lithiumpt> are you behind pppoe?
14:12 < o_miguel> I see no rules (iptables -L , iptables -L -t nat)
14:13 < o_miguel> lithiumpt: not that I know of..
14:13 < detha> o_miguel: and normal traceroute ?
14:13 < o_miguel> my provider switched to IPv6 some time ago
14:14 < o_miguel> still giving me an IPv4 dynamic addy, not sure how this works in detail
14:14 < o_miguel> detha: normal traceroute works fine, as well as this mtr (without extra params such as --udp or --tcp)
14:15 < detha> traceroute by default is UDP, so it should do the same as mtr --udp. Odd.
14:15 < o_miguel> I do not understand how to read traceroute.. 100% loss at nearest(?) host, ~16% at next one.. and 0% at all following hosts
14:15 < o_miguel> mtr traceroute
14:16 < lithiumpt> i'm thinking TCP offloading
14:17 < o_miguel> what makes me wonder the most is why I experience this behaviour only under Linux
14:17 < lithiumpt> try disabling TCP offloading
14:17 < o_miguel> otherwise I would be quite sure it is the fault of my ISP
14:17 < detha> lithiumpt: quite possible. Let me guess, Realtek
14:17 < o_miguel> the router? Cisco
14:17 < detha> the NIC
14:18 < detha> what does ethtool say about offloading?
14:19 < o_miguel> I experience it on two different machines with different NICs.. one is Intel wifi
14:19 < lithiumpt> ethtool -K eth0 gso off
14:19 < lithiumpt> humm
14:19 < o_miguel> the other is Intel as well
14:20 < vlt> dreadkopp: If you have access to the VM, can you use something like tcpdump there to check if any packets arrive there at all?
14:21 < o_miguel> lithiumpt: gso off did not fix it..
14:21 < lithiumpt> http://docs.gz.ro/node/282
14:21 < lithiumpt> try the several TCP acceleration features
14:21 < lithiumpt> disable/enable one by one
14:21 < o_miguel> ok thank you
14:22 < o_miguel> http://paste.debian.net/1022322/
14:22 < o_miguel> these are my features btw
14:25 < detha> not that many that can be tweaked, by the looks of it
14:25 < o_miguel> most tell me: Cannot change rx-checksumming
14:25 < o_miguel> etcd
14:25 < o_miguel> etc
14:26 < o_miguel> http://paste.debian.net/1022324/
14:26 < o_miguel> these seem to be the only ones that are not FIXED
14:27 < lithiumpt> when you said two different NICs, both wifi?
14:27 < o_miguel> no
14:27 < o_miguel> only one
14:28 < o_miguel> hmm and it seems I cannot even change the non-fixed features...
14:28 < detha> try to keep wifi out of it, it never makes things easier
14:28 < o_miguel> ok I will try on the other machine
14:31 < o_miguel> :( on the other machine (non-wifi) I did tx off, rx off, sg off, gso off, tso off... still same problem
14:33 < detha> so, probably not offloading then
14:34 < o_miguel> ah there is rx-vlan offload too
14:34 < o_miguel> not sure how to disable it.. do I have to guess these abbreviations?
14:34 < detha> unlikely to make a difference, unless you have VLANs
14:34 < o_miguel> :)
14:34 < o_miguel> ok
14:35 < detha> back to traceroute and friends I guess
14:35 < o_miguel> ok, so we can rule out offloading
14:36 < o_miguel> mtr example.com gives 0% loss
14:37 < o_miguel> but --tcp and --udp result in 100% at some points
14:37 < Jorja> Hello
14:39 < Jorja> I am trying to use my wifi and when I connect a device that has been connected before it says connecting... then on one device it says saved, secured (the other one says nothing); neither is connecting to the wifi. I am using the internet through ethernet from modem to router to the PC. What all can be done to fix this issue?
14:39 < ne2k> is the AP perhaps not working?
14:40 < Jorja> I do not know what AP is
14:40 < Jorja> and both devices see the router
14:40 < ne2k> wireless Access Point. the thing that accepts wireless stations to connect to it
14:40 < detha> o_miguel: only some, or some point and everything behind it?
14:40 < Jorja> I don't know
14:41 < ne2k> Jorja, you're going to have to describe your setup in considerably more detail if anyone is to have a hope of helping you
14:41 < Jorja> I described it, I don't know how to describe the setup any more
14:42 < Jorja> Modem to router is the setup I have, unless you need the PC which I am using right now
14:42 < Jorja> That is the setup
14:42 < o_miguel> detha: only some
14:42 < o_miguel> behind, 100% again
14:43 < djph> Jorja: what's the make / model of the router?
14:43 < Jorja> Linksys E1200
14:43 < detha> o_miguel: that's sort of normal, not all routers play nice with TTL expired
14:43 < detha> o_miguel: and if you start playing with -s packetsize in mtr ?
14:44 < o_miguel> detha: ok I understand.. I will try to find the packet size that causes problems.
14:44 < detha> (not sure how mtr defines that, in- or excluding headers etc)
14:44 < o_miguel> detha: yeah. I can monitor with Wireshark or something
14:45 < o_miguel> to reproduce the one I already have with curl
14:45 < o_miguel> thank you very much
14:56 < drathir> waqstar: maybe x.x.x.25-50?
14:57 < Jorja> Hello?
14:58 < skyroveRR> hi Jorja
14:59 < ne2k> Jorja, you've been asked to describe your setup more fully, and you have not, so no-one is answering you
14:59 < Jorja> Modem to router is the setup I have, unless you need the PC which I am using right now
15:00 < ne2k> Jorja, "modem to router" is not a description of a network
15:00 < Jorja> I do not know how to describe it better than the effing setup is
15:00 < Jorja> Secured network, I even said that
15:01 < ne2k> Jorja, swearing, whether bowdlerized or not, is unlikely to encourage anyone to help you. you are saying that you are connecting devices that you have connected before. you have not said what those devices are, what OS they are running, or what you are trying to connect them to
15:01 < jvdmr> Jorja: we need more details as in: how is the PC connected to the router? via ethernet cable or wifi? and how does the router connect to the modem? Then, how is your wifi access point connected to all this, to the modem, router or PC? finally, which device are you trying to connect to the wifi access point?
15:01 < Time-Warp> hey lol anyone ever seen something called minissdpd
15:02 < Time-Warp> it's in /etc/default, does something with UPnP
15:02 < djph> He's using a Linksys E1200 ... it's an all-in-one consumer device ...
15:02 < djph> Jorja: have you rebooted that thing recently?
15:02 < Jorja> Nevermind, I must be too stupid to do this
15:02 < ne2k> my suggestion would be to gather up all the devices, cables, modem, router, etc., and place them in a cardboard box, and then throw the whole lot, including yourself, off the nearest cliff
15:02 < Jorja> yes
15:03 < ne2k> but that might be a bit harsh so I shan't suggest that
15:03 < Jorja> I don't get why I have to reset the thing when I have internet on the computer that is hooked to it
15:03 < ne2k> Jorja, and that, I guess, is the reason why you came here for help
15:03 < djph> Jorja: because if the router is falling over for whatever reason, it tends to affect WiFi moreso than wired.
15:04 < Jorja> It did not fail
15:04 < ne2k> Jorja, ok, so it's not failing. great! so everything works then. no problem
15:04 < djph> dunno *why* exactly - but I have a hypothesis it's due to the encryption / handshaking that wifi does.
15:06 < o_miguel> ok I found the problematic size for mtr -s.. "mtr -4 www.example.com -s 445"
15:07 < o_miguel> it just makes it to my router: 192.168.0.1
15:07 < o_miguel> right after that ??? with 100% loss
15:07 < ne2k> fully describe the setup, i.e. all devices, including make/model and OS, all the interfaces on all the devices, how they are interconnected, and all the addresses/masks on all the interfaces of all the devices. then describe what you are trying to achieve, what you did, what you expected to happen and what actually happened. then you might get some help. otherwise, move on
15:07 < o_miguel> -6 and other values for -s make it to the destination
15:12 < detha> o_miguel: what type of internet connection is that? adsl/fiber/cable/... ?
15:13 < o_miguel> you ask about the connection between my router and the first ??? right after that (which is some box in the basement I suppose), right?
15:15 < o_miguel> it is a coaxial cable (guess this is the name)
15:16 < detha> hmm. no experience with that, but at least it's not DSL so I don't have to try to match it up with ATM cell size
15:17 < o_miguel> ok, I have the same under Windows too
15:17 < detha> tried with winmtr?
15:17 < o_miguel> curl under Windows resulted in a slightly different size in my preliminary testing
15:17 < o_miguel> I have a curl HTTP request and it blocks for ages
15:17 < MarcWeber> grawity, drathir, ne2k: It turns out that Windows is causing the problem - Linux on the same machine has had no problems.
15:17 < o_miguel> when it has a specific length
15:17 < o_miguel> and retursn: empty reply from server
15:17 < o_miguel> returns
15:18 < MarcWeber> connecting to wifi and getting routing/IP/.. information.
15:18 < detha> I would start shouting at your ISP
15:19 < Jorja> I am trying to use my wifi and when I connect a device that has been connected before it says connecting... then on one device it says saved, secured (the other one says nothing); neither is connecting to the wifi. I am using the internet through ethernet from modem to router to the PC. What all can be done to fix this issue?
15:19 < o_miguel> yeah, I guess the time has come.. I wanted to make sure it is not my fault.. and the fact it worked under Windows made me uncertain.. but now checking with Wireshark I see it's a problem universal to all my computers and operating systems
15:20 < detha> Your biggest problem now is to get through to someone at the ISP that understands what you are talking about - good luck with that
15:21 < o_miguel> haha yeah. thanks :)
15:22 < o_miguel> but in technical terms what happens is: all IP packets (UDP/ICMP/TCP) of exact length 459 bytes only make it to my router and then get stuck. does this make sens?
15:22 < o_miguel> sense
15:23 < detha> it does. (well, it doesn't, but it is what is happening)
15:24 < o_miguel> ok, thank you very very much for your support
15:24 < detha> I suspect some old anti-DDoS rule in an ISP router - tons of packets of exactly X bytes, easy to block it like that
15:26 < detha> o_miguel: if you ever find out from them what it was, please tell me
15:26 < o_miguel> detha: sure
15:26 < o_miguel> I hope they can fix it remotely
15:57 < drathir> MarcWeber: MAC verify...
16:06 < o_miguel> detha: aaah, they fixed it
16:07 < o_miguel> detha: It was a bug in the router's firmware and they updated it remotely
16:08 < detha> o_miguel: that is ........ an interesting bug. How in Murphy's name would firmware do that?
16:09 < o_miguel> detha: they claimed it had to do with the upgrade to IPv6 (???) but I do not believe them a word :P
16:09 < o_miguel> I was experiencing this bug for several months.. and it affected IPv4 only
16:10 < o_miguel> but the fact is: they said they upgraded my router's firmware and restarted my router, and now the bug is gone...
16:10 < detha> o_miguel: well, however they fixed it, it's fixed. Good outcome.
16:11 < o_miguel> detha: yeah. I wonder if I can sue them for my wasted time, energy and hope :P
16:11 < o_miguel> but I am happy it works now
16:11 < o_miguel> thank you very much again! for all your help
16:12 < detha> The small print will say all you can sue them for is subscription fees for those months, which will be less than a lawyer will cost you
16:13 < o_miguel> haha yeah, I even doubt the small print would allow getting back the subscription fees :P
16:16 < o_miguel> sorry, my router did not work as expected for the last 10 years, but I did not tell you anything.. please give me back all my money :P
16:16 < o_miguel> anyway, I am soo relieved it works now!
16:21 < thothcastel___> what exactly is needed to set up a VPN to a 'hub VPN'
16:21 < thothcastel___> just their public IP address?
16:21 < thothcastel___> I am using an ASA 5525-X
16:24 < thothcastel___> site2site VPN tunnel
16:26 < rexwin_> How to access my modem admin page which has the default gateway as 10.227.0.1?
16:27 < rexwin_> right, it says This site can't be reached
16:28 < djph> your modem's gateway is 10.227.0.1? Or is that the local IP address of your router?
16:28 < rexwin_> it's the second one I suppose
16:28 < djph> http://10.227.0.1 SHOULD load the web interface
16:29 < rexwin_> but it does say ERR_CONNECTION_REFUSED
16:29 < djph> means the device is rejecting HTTP.
16:29 < djph> try https
16:29 < rexwin_> I can ping that address
16:29 < thothcastel___> try https:
16:29 < djph> and, of course, read the manual
16:29 < rexwin_> same thing
16:29 < thothcastel___> new router?
16:29 < rexwin_> yes
16:30 < thothcastel___> it could also be another IP address
16:30 < thothcastel___> try .254
16:30 < djph> odd that a new router would be set to anything other than 192.168.[0-9].1
16:30 < djph> or *254
16:30 < thothcastel___> http://10.227.0.254
16:30 < thothcastel___> yep djph
16:31 < rexwin_> https://pastebin.com/HEwxnepu
16:31 < djph> this sounds like a case of RTFM, or alternately "guess your ISP doesn't want you fucking with their kit"
16:32 < djph> make and model of the router?
16:32 < rexwin_> I don't know
16:33 < djph> err, is this an ISP-supplied device?
16:33 < rexwin_> yes
16:33 < rexwin_> they hooked it up
16:33 < djph> guess it's a case of "we don't want you fucking with our stuff"
16:34 < rexwin_> ok got it. I will contact them over phone. ty for your input
17:28 < UncleDrax> so FreeRADIUS still good? any admin front-ends that don't suck? (for exposing/delegating user mgmt to a trusted group, etc). Been like a decade since I've looked at that space
17:43 < thothcastel___> UncleDrax: what is FreeRADIUS??
17:46 < UncleDrax> thothcastel___: it's RADIUS software
17:47 < thothcastel___> similar to TACACS?
17:47 < UncleDrax> similar, yes. centralized user auth
17:47 < thothcastel___> I see...
17:48 < thothcastel___> does it run out of a virtual machine?
17:48 < thothcastel___> or is it some sort of plugin to be installed on a router/firewall
17:50 < UncleDrax> it's a server/daemon, so it can run on whatever you run it on (so traditional servers, VMs, containers, blahblahblah)
18:02 < thothcastel___> cool - it sounds very good
18:03 < thothcastel___> do you know if it integrates with Active Directory? what about Cisco ISE?
18:06 < adip> I'm setting up VLANs for the first time. I'll use pfSense as my router. Do I understand this correctly? I have to connect pfSense's LAN interface to a trunk port on my switch?
18:09 < UncleDrax> thothcastel___: I don't know what a Cisco ISE is and I don't run AD, so no idea. but those details exist if you look
18:09 < thothcastel___> alright - thanks for the info
18:09 < thothcastel___> UncleDrax:
18:10 < UncleDrax> thothcastel___: I imagine ISE's datasheet will say 'works with RADIUS' if it.. works with RADIUS
18:13 < andreww> hi everyone, I'm trying to configure 2 network interfaces on a VirtualBox VM with Ubuntu Server 18.04 with netplan. One interface is NAT with DHCP to reach the internet, the other is host-only. Host is Win 10, guest is Ubuntu Server 18.04. Thanks
18:14 < andreww> ps. I don't know where to start :(
18:15 < UncleDrax> adip: speaking in general (I haven't done it in pfSense): yes, your switch will have to hand dot1q tagged VLAN pkts to your pfSense box, your pfSense box will have to be VLAN aware so it knows to look for tagged pkts and act on them however
18:15 < adip> andreww: I don
18:18 < andreww> adip: did you manage to do it?
18:18 < adip> I don't use VirtualBox. I'm not sure what you'd want to accomplish here. You could use one interface for the host, and the other one as a bridge for VMs
18:19 < andreww> adip: yes that's what I need to do. One NAT interface to reach the internet and one host-only interface for VMs to talk to each other. I just don't know where to start writing the netplan file
18:21 < adip> andreww: sorry, I can't help you with this. I've never played with netplan. my setup works on Gentoo and libvirt
18:22 < andreww> adip: thanks anyway :)
18:40 < HEROnymous> opening a gopro box is confusing.
18:43 < tda> step 1: cut a hole in the box
18:45 < UncleDrax> step 0: have a gopro to film unboxing video of gopro.
18:47 < tda> step -1: hack your gopro and activate it before you unpack it, so it can record its own unboxing
18:47 < compdoc> uh huh
19:22 < djph> tda: instructions unclear, dick stuck in box
19:26 < sleepingforest> is there any way in Linux to inspect the NFQUEUEs to see how it's performing?
19:36 < admiralspark> sup
19:36 < admiralspark> so
19:36 < admiralspark> Cisco WLCs..... have a MAC address at a remote office that I need to find which AP it's on
19:37 < admiralspark> the traps don't have any roaming logs for this device on the APs
19:37 < admiralspark> anyone know of a command that can be used on a WLC to show which AP is transmitting for a specific MAC address?
19:37 < admiralspark> Obvs these APs are lites, not full standalones
19:38 < admiralspark> something similar to 'sh mac add | in xxxx' is my goal
19:54 < UncleDrax> did Apple just email me a MaintNote with a clear TO list of everyone, ripe for Reply-All tomfoolery? tsk tsk
19:55 < UncleDrax> BCC.. use it. love it.
20:08 < julius> hi
20:10 <+catphish> hello
20:10 < julius> my router has an IPv6 IP on the internet and it allows me to forward traffic from the internet to internal PCs' MACs, I've added a rule that sends traffic from port 22 up to port 22 to my Ubuntu's MAC address... but from outside I can't do "ssh myipv6", it says: connection refused
20:10 < julius> from the LAN I can connect fine to the Ubuntu's IPv4 address
20:13 < UncleDrax> can you connect to its v6 address on your LAN?
20:14 < UncleDrax> (your Ubuntu server, via SSH)
20:15 < UncleDrax> julius: likely scenarios are: your SSH is not listening on its IPv6 addresses (by default or from explicit conf), or it's not uncommon for people on Linux to explicitly disable IPv6 in the kernel. Additionally if you're running something like UFW (or iptables, etc..) on your Ubuntu box, it's a new rule to allow it for IPv6
20:16 < julius> UncleDrax, I was under the impression that the router would forward the SSH connection to IPv4
20:16 < UncleDrax> for any of the above scenarios though, you should have no connectivity inside the LAN either
20:17 < UncleDrax> julius: that's 6to4 translation. so possible, but you'd have to consult your specific router docco
20:17 <+catphish> julius: does your PC have an IPv6 address? that's what you should be ssh'ing to
20:17 < julius> ah ok... let me try
20:18 <+catphish> julius: you said you tested IPv4 on the LAN, but IPv6 is what you're interested in
20:18 < julius> one second
20:18 < mawk> your router is making you do IPv6 NAT julius ?
20:18 < mawk> what kind of router is that ?
20:19 <+catphish> mawk: I doubt that
20:19 < mawk> yeah
20:19 <+catphish> let's start from the beginning: does the host have an IPv6 address?
20:21 < julius> yes it does
20:21 <+catphish> ok, and can you ssh to the address from other computers on the LAN?
20:21 < julius> default Ubuntu 18.04 config, I can reach the IPv6 via LAN
20:21 < julius> usually I use IPv4 inside the LAN, but v6 works too
20:21 <+catphish> ok, great, and what happens when you ssh to that same IPv6 address from the internet?
20:22 < julius> from a box on the internet I can run ssh myipv6 but it just hangs, and on my Ubuntu box this shows nothing: tcpdump -i enp0s31f6 port 22 and not host 192.168.0.38
20:22 <+catphish> ok, so your router is firewalling it
20:22 <+catphish> you need to allow the traffic on the router's firewall
20:22 < julius> let me look again... need 5 minutes to get something to bite
20:25 * catphish bites
20:27 < weyland|yutani> catphish, stop chewing # stuff
20:28 < drathir> https://slashdot.org/story/17/09/05/1750238/its-official-users-navigate-flat-ui-designs-22-percent-slower Yea, following M$ ideas...
20:30 < S_SubZero> I can't imagine how simply making the UI flat causes that. Oh noes, the Safari icon doesn't look like an actual physical compass on a desk in Microsoft Bob, now all of my efficiency is destroyed
20:33 < S_SubZero> I do think MS's current strategy of splitting configs into Settings and Control Panel is a growing pain.
20:33 < S_SubZero> the Settings panel is already showing its limits as they have to cram more and more stuff into the menus and yeah that's not pretty
20:40 < Bin4ry> Hi there, is 802.11ac good enough if, say, implemented in go-karts and an AP that covers the whole track
20:41 < drathir> Bin4ry: depends on device...
20:41 <+catphish> depends how big the track is
20:41 < Bin4ry> It's around 1.2km, I'm looking to stream HD video from each of the karts.
20:41 < julius> catphish, there's a filter tab for the router... but no filters are defined
20:41 < drathir> Bin4ry: You best invest in ac meshing...
20:42 <+catphish> probably going to have trouble, maybe consider multiple APs in a special zero handoff configuration
20:42 <+catphish> i.e. one virtual access point with lots of physical transmitters
20:43 < Bin4ry> Ahh I see. Never come across meshing.
20:43 < drathir> Bin4ry: look at ubnt stuff, nothing lower, not recommending...
20:47 < Bin4ry> Hmm this is really something new. Does this UniFi thing do seamless (no drop) when a client connects to another endpoint? (i.e. out of AP #1 range)
20:50 < drathir> Bin4ry: https://unifi-mesh.ubnt.com/
20:50 < drathir> Bin4ry: that depends on cliend device support...
20:51 < drathir> Bin4ry: client*
20:51 < Bin4ry> drathir: looks like the connectivity on the kart will be an issue
20:51 < Bin4ry> anyways, much thanks! I think I should enquire with ubnt for more
20:52 < drathir> Bin4ry: mesh is good when You are not able to deliver eth cables...
20:55 < adip> I wanted to set up the LAN address on pfSense to 10.0.0.0/24, but it complains that this is an incorrect, "network" address. Somehow there's no problem with 10.0.1.0/16. Shouldn't I be able to use any 10.xxx.xxx.xxx address I want?
20:55 < drathir> Bin4ry: otherwise when cabling is no problem go with https://www.ubnt.com/unifi/unifi-ap-ac-lr/ or https://www.ubnt.com/unifi/unifi-ap-ac-pro/
20:56 < adip> 192.168.... would be enough for me, I just wanted a nice 10.0 in front
20:56 < Bin4ry> drathir: then I would need to wire the entire track up, right? say at least 5~6 AP stations over 1.2km length
20:57 < mawk> it's not an address adip
20:57 < mawk> 10.0.0.1/24 would be better
20:58 < detha> Bin4ry: not necessarily. directional antennas each covering part of the track from one or two points, as long as you can keep line-of-sight
20:59 < detha> (also, thanks for a wifi question where the immediate 'use wires' answer cannot be used)
20:59 < drathir> Bin4ry: for mobile devices it is harder, bc You need nice coverage, bc of clients' weak transmit power...
21:01 <+catphish> adip: are you sure that's not supposed to be the interface address?
21:01 < drathir> Bin4ry: with clients you can't get directional antennas, You go just with sector antennas...
21:01 <+catphish> 10.0.0.0/24 isn't a valid interface address, but 10.0.1.0/16 is
21:02 < detha> drathir: clients can't have directional in this application, so max 6 to 9 dBi on the client
21:02 < Bin4ry> drathir: I see. what about budgeting over these 2 different implementations, will mesh cost a lot more?
21:02 <+catphish> adip: if it's an interface you can use any address you like that's not the first or last address in the subnet
21:03 <+catphish> oh, mawk already answered, as he suggested, 10.0.0.1/24 would be a valid interface address in the 10.0.0.0/24 network
21:03 < drathir> Bin4ry: mesh is definitely the more flexible way, You can just add/remove devices as needed...
21:04 < detha> Also, somebody correct me if I am wrong, but I would stay far away from 802.11ac for fast-moving clients. ac gets most of its speed from multipath, and recalibrates for changes in the paths every 100ms or so
21:06 < drathir> detha: that is more tricky as I heard there needs to be client support, devices need to be set at the correct channel and all support roaming kinda thing... and a kinda slow glitch for sure will happen on moving from one device to another...
21:07 < adip> catphish: "not the first or last" thx, I didn't know about this
21:07 <+catphish> Bin4ry: if you were smart / lucky you could achieve it with just a couple of directional antennas maybe :)
21:07 < Bin4ry> catphish: then I'd need to get a network engineer I think
21:07 <+catphish> adip: for example in 10.0.0.0/24, 10.0.0.0 and 10.0.0.255 are reserved
21:08 < adip> catphish: ok
21:08 < julius> I hate my router
21:08 < drathir> a pole at the center of the track with 4 sector antennas for direct client APs probably would be fine, but for phones? not so sure...
21:09 <+catphish> julius: you couldn't work out how to open the firewall?
21:09 < julius> according to the router it's open
21:09 < julius> just nothing coming through
21:09 <+catphish> julius: :(
21:10 <+catphish> a lot of routers don't even have any way to configure their firewall, they just block all incoming connections without any choice
21:10 <+catphish> many have port forwarding for IPv4 NAT, but no other firewall options
21:13 < julius> I think I can circumvent my router problem by having my internet machine connect to an internal one via LAN
21:15 < adip> I'm using an older switch (HP J9028B) and I can't create a single-port trunk. It needs at least 2 ports. Is it normal?
21:15 < drathir> Bin4ry: funny part, if You have track plans the new UniFi controller allows adding virtual devices to the map as far as I remember...
21:16 < adip> and, do I need to add the trunk to every VLAN I'm planning to use it with?
21:16 < Bin4ry> drathir: could u elaborate on that?
21:18 < detha> adip: 'trunk' is what HP calls bond or LAG
21:19 < drathir> Bin4ry: http://dl.ubnt.com/unifi/5.7.23/UniFi-installer.exe
21:19 < detha> so yes, you need at least 2 ports to bond
21:19 < Bin4ry> drathir: sorry, not on Windows. what is it?
21:21 < adip> detha: damn, I wanted VLAN trunks..... I was suspecting it's bonding
21:21 < detha> adip: it probably also supports that, it's just called something else
21:21 < drathir> Bin4ry: it's software to manage devices, it allows pointing devices on a map where they are located and getting signal coverage..
21:22 < Bin4ry> drathir: that's brilliant. have u tried it?
21:23 < drathir> Bin4ry:
21:23 < drathir> Bin4ry: https://demo.ubnt.com/manage/site/default
21:23 < detha> adip: http://www.petenetlive.com/KB/Article/0000741
21:24 < Bin4ry> drathir: that's the prettiest UI I've seen across so many network vendors
21:24 < drathir> Bin4ry: 3rd icon on the left...
21:26 < drathir> Bin4ry: yep, ubnt mostly try to care about customers and pretty often deliver upgrades/bugfixes...
21:26 < adip> detha: thx, but my switch doesn't have a serial port, it seems like it's just a web interface
21:27 < adip> *it seems like it has only a web interface
21:28 < detha> adip: ah, one of those 'web managed' things? I think some had limited telnet or ssh config, but most stuff was GUI only
21:28 < detha> (haven't had to deal with HP switches in many years, which is a good thing)
21:30 < adip> detha: this switch may be 10 years old :P
21:31 < drathir> Bin4ry: and yea, using the controller myself too...
22:08 < xyxxy> how do I get a hostname of a server on my network? I type host 100.100.100.100 in bash and get host 100.332.21.in-add.arpa not found. :-(
22:08 <+catphish> xyxxy: you can't really
22:09 <+catphish> host would be the correct way, but clearly you don't have reverse DNS set up
22:09 < turtle> so what you're describing is not magic, it's just a DNS lookup and that DNS record has to actually exist for it to work
22:10 < wiggo> I've established a BGP session with a new provider and announced a prefix, but the major core routers nearby give info "(received-only)" and "Origin incomplete" about the announce update and refuse to add the route to the routing table. What could be the cause of this?
22:11 < MACscr> Hmm, I have a host with 4 NICs, 3 of them bonded, bridged and VLAN'ed. I then have another Linux host acting as a gateway that is working fine for all of my systems except this new one I just set up. Seems I can ping the internal gateway IP, the WAN gateway IP, but can't reach the internet. Here are my tests and configs http://paste.debian.net/hidden/95d4201c/. Any suggestions are sincerely appreciated
22:14 < UncleDrax> wiggo: https://www.noction.com/blog/lesser-known-bgp-path-attributes talks about it some. (I cannot warranty the info thereof, don't break the internet ;] )
22:17 < wiggo> UncleDrax: Thanks, I'll give it a look
22:17 < UncleDrax> wiggo: just gives you something to start looking at. hopefully enough to google-fu the rest though
22:20 <+catphish> wiggo: the obvious reason for people not accepting your announcements is that you didn't configure the routes properly with the registry
22:21 <+catphish> oh, it's not a new route, so that shouldn't be the problem
22:22 <+catphish> wiggo: is your new ISP accepting your route? if so, I'd be inclined to ask them to investigate why it's not propagating further
22:23 < wiggo> +catphish: yeah, it's been announced for some months, but I got a third ISP connection now with a shorter AS path to the major routers around here
22:23 <+catphish> wiggo: I don't understand what you mean by refusing to add the route to the table
22:24 < UncleDrax> does the new ISP have some sorta burn-in/turn-up/vetting period - sometimes designed to make sure you are advertising correctly
22:24 <+catphish> I assume the route is already in their table from elsewhere
22:24 < wiggo> +catphish: The routers see the announcement when doing a BGP looking glass, but the parameters that differ from the other announced paths are that it says "(received-only)" and "Origin incomplete" and therefore does not seem to accept the route
22:24 < Apachez> perhaps your routers are being racist?
22:24 < UncleDrax> although a burn-in period wouldn't let the route show up at other routers
22:24 <+catphish> you're quite lucky you're managing to see multiple versions of your route at all
22:24 < drathir> lol
22:25 < banisterfiend> hi, what are link-local IP addresses used for and how are they different to LAN IPs? (such as 192.168.0.1)
22:25 <+catphish> maybe they just prefer the existing route, hard to guess though
22:25 < UncleDrax> ^
22:25 < MACscr> any ideas on my question? =)
22:26 < wiggo> UncleDrax: So my ISP seems to export the prefixes, but the core routers around here do not choose the path, and instead choose the longer paths that do not have the "(received-only)" and "Origin incomplete"
22:27 < wiggo> Don't really get what received-only means, is this a decision that the (other ISP) router makes, or is it a parameter supplied in the BGP update?
22:27 < UncleDrax> your core routers or ISP3's core routers, or someone else's core routers?
22:27 <+catphish> wiggo: what's the prefix? and what's the AS of ISP3?
22:28 < wiggo> https://lg.telia.net/
22:28 < wiggo> 185.168.216.0/24
22:28 < wiggo> ISP3 AS is 43948
22:28 <+catphish> telia is the ISP?
22:28 <+catphish> ok
22:28 <+catphish> well, I can tell you that some people are seeing your prefix via AS43948
22:29 <+catphish> always 42708 43948 204521
22:30 <+catphish> so "Portlane" are accepting the prefix from GleSYS
22:30 < wiggo> Yeah, and Portlane seems to export the prefix upstream
22:31 < wiggo> I think Cisco ranks "Origin incomplete" lower than "Origin IGP"
22:31 <+catphish> wiggo: your RIPE data looks perfect, you remembered to add "to AS43948 announce AS204521"
22:31 <+catphish> yeah, the world is seeing your prefix via Portlane
22:32 < wiggo> yeah
22:32 <+catphish> however everyone else is taking needlessly long paths via your other providers
22:33 < wiggo> What tool do you use to check that easily?
22:33 <+catphish> http://lg.ring.nlnog.net/prefix_detail/lg01/ipv4?q=185.168.216.0/24 22:33 <+catphish> however in many cases there's a better route via AS20473 22:33 < obcecado> scenic routing :) 22:34 < wiggo> That's a useful tool, well, it seems that at least some use the 43948 path 22:34 <+catphish> it's totally possible that maybe 1) your new ISP simply isn't the better route you think it is 2) your new route hasn't propagated to everyone's policies yet 22:35 <+catphish> i didn't look on the telia tool 22:35 <+catphish> but it may be that telia simply don't trust ISP3 to announce your route yet 22:35 < UncleDrax> i have no paths via as43948 22:35 <+catphish> it may take time to update the filters 22:35 < UncleDrax> ya propagation delay 22:36 < UncleDrax> (here meaning.. telia might not update thier IRR filters until midnight local time.. or something) 22:36 <+catphish> i'd complain to ISP3, tell them your route doesn't seem to be accepted by whoever you're expectin to accept it, see what they say 22:36 <+catphish> sometimes ISPs have to manually tell their upstreams what prefixes they will announce 22:36 < wiggo> Maybe the "Origin incomplete" makes Telia not trust the path 22:36 <+catphish> i think it probably implies that telia are seeing the route but aren't trusting it 22:37 <+catphish> could be several reasons for that, but i'd ask ISP3 to check that all their important peers are accepting the route 22:37 < banisterfiend> hi, what are link-local ip addresses used for and how are they different to LAN ips ? 
(such as 192.168.0.1) 22:37 <+catphish> if you're their customer, it's their job to deal with that 22:38 <+catphish> banisterfiend: local-link IPs are for LAN communication only, they're non-routable 22:38 < banisterfiend> cool but what are they used for homie 22:38 <+catphish> banisterfiend: the concept of them is that they *always* exist, even if there's no internet connection available, so LAN communication is always possible 22:38 <+catphish> they'd be used for things like local file sharing, streaming music to a local speaker, than kind of thing 22:39 <+catphish> stuff that needs to work even if there's no internet available to provide global IPs 22:39 < banisterfiend> but why not just use a lan ip like, 192.168.0.5 why us a link-local ip? 22:39 < banisterfiend> use* 22:39 < wiggo> Yeah, the bgp session was setup just 2 days ago. Maybe I wait over the weekend and see how it turns out and call them on monday. Maybe it just needs some time ot rank up 22:40 < wiggo> Thanks for the help 22:42 < UncleDrax> MACscr: so "vpn.net.myiacon" (your default route) is reachable? (quick, is that the working 67.xxxx addr you ping?) 22:42 < UncleDrax> *quick look/guess 22:43 < MACscr> UncleDrax yes, that public ip .71 that is reachable is the wan ip for the gateway 22:43 <+catphish> banisterfiend: first of all, are you talking about ipv4, or ipv6? 
22:43 <+catphish> banisterfiend: because all those terms have rather different meanings between the 2 protocols 22:44 < banisterfiend> catphish ipv4 22:44 <+catphish> banisterfiend: oh, ok, then the answer is a little different 22:45 <+catphish> in ipv4, a link-local IP is often assigned automatically if no other IP is configured 22:45 <+catphish> so basically, if there's no DHCP, and no static IP, then it will assign a link-local IP (ie a 169.254.x.x) address as a last resort, in order to allow LAN communication to work 22:46 < UncleDrax> MACscr: triage pass would be you can talk to your GW, so must be something on the GW prohibiting it. you have ACLs/FWs or anything on the gateway ? (just something to check, i gotta head out, so gluck) 22:46 <+catphish> it's that simple, it's really no different from any other IP, it's just chosen at random from that range if there's no other option 22:46 <+catphish> it *is* a LAN IP, it's just a specific range dedicated to last-resort-auto-configuration 22:46 <+catphish> wiggo: good luck 22:47 <+catphish> in ipv6 it's a bit different, hosts always have a link-local IP, even if they have real global IPs, so they're always available for LAN communication 22:49 < banisterfiend> catphish interesting thanks....that's cool! 22:49 < banisterfiend> catphish can you explain a bit more about link local in ipv6 22:51 < Dagger> 192.168.0.1 isn't a "LAN IP" 22:52 < Dagger> I mean... RFC1918 addresses are very commonly used on LANs because people very commonly need to use NAT, but you're supposed to be using a global allocation from your upstream 22:53 < banisterfiend> Dagger hmm they're at least called private network ips right? 
wikipedia does anyway https://en.wikipedia.org/wiki/Private_network 22:54 < Dagger> it's just one of the IP ranges that might be on a LAN 22:56 < Dagger> the other thing is that the link-local range needs to be hardcoded in everything so that it can be configured autonomously, so it needs to have an allocated range for that -- and they're not going to allocate a range that clashes with some other use 23:39 < EvanR> Here is a question, when using a datagram socket, it is possible to ever receive (using e.g. recvfrom or recvmsg) only a fragment of a datagram. In the sense of IP fragmentation. --- Log closed Sat Apr 28 00:00:00 2018