05:13 < ScriptGeek> Well, that looks pretty basic for such a powerful antenna
05:17 < drathir> ScriptGeek: longer more elements give You less noise and wder operate spectrum kinda i think, the short ones base at wave multipling technic to adjst into different band from lower one.. probably at network are examples which stts affect that directly...
05:20 < drathir> ScriptGeek: probably no problem but needed clean LOS and second end also used directional antennna for p2p link...
06:17 < winsoff> WAIT A SECOND GUYS
06:17 < winsoff> If an OpenVPN client (named G) VPNs into a network (named A), can hosts on network A also connect to client G, typically?
06:18 < winsoff> Obviously.
06:19 < winsoff> Holy fug.
06:24 < HickorySmokedBac> Anyone know how 'good' Verizon wireless 'unlimited' would be for use as a real ISP rather than backup ?
06:32 < qman__> worthless
06:32 < qman__> most hotspot plans end around 5GB
06:33 < HickorySmokedBac> qman__: SOme say they put the .6 Mb/s throttle on after 22 GBs
06:33 < HickorySmokedBac> That'd be better than nothing
06:34 < qman__> yes, better than nothing, in both senses of the term
06:34 < HickorySmokedBac> Right now that's what I have
06:35 < HickorySmokedBac> Pretty much nothing
06:35 < HickorySmokedBac> I had to move
06:37 < qman__> I used 678GB last month, and that's pretty average for me
06:38 < HickorySmokedBac> That's a lot even for cable
06:40 < qman__> not really, my cable is pretty slow and it's not like I'm constantly downloading stuff
06:40 < qman__> 60/5mbps
06:40 < qman__> I do have quite a few users, though
06:40 < qman__> last july I did 1.01TB
06:40 < HickorySmokedBac> ATT probably would disconnect that
06:41 < HickorySmokedBac> lol
06:41 < qman__> March was a slower month, 436GB
06:43 < qman__> point being, trying to use any mobile plan as a primary internet connection would result in it being completely consumed in a day
06:44 < HickorySmokedBac> Well, the only alternative here is paying $360 for the first month without contract
06:44 < HickorySmokedBac> then $60 a month
06:44 < HickorySmokedBac> I don't really want to do that
06:44 < HickorySmokedBac> $100 setup fee, $200 without contract, and 4 Mbps is $60
06:46 < qman__> verizon's definitely not going to be cheaper than that
06:46 < qman__> maybe t-mobile
06:47 < HickorySmokedBac> $75 a month for the phone ?
06:47 < qman__> but you're still going to run into caps
06:47 < HickorySmokedBac> is all
06:47 < HickorySmokedBac> only 35 more than the $40 unlimited talk/text/3GB
06:50 < qman__> "Use your capable smartphone as Wi-Fi hotspot at no additional cost. Tethering speeds up to 600kbps on the $75 unlimited plan." - it's also throttled after 10GB, and you have to buy a phone, plus fees
06:51 < HickorySmokedBac> I already got the phone
06:51 < HickorySmokedBac> Using it now tethered
06:51 < HickorySmokedBac> They said it'd be about .6 Mbps , that 600 kbps
06:51 < HickorySmokedBac> Not sure if I believe that
06:52 < HickorySmokedBac> I couldn't just take my ViaSat account with me
06:52 < HickorySmokedBac> Or rather my dad's
06:52 < HickorySmokedBac> Or I wouldn't have any problems
07:33 < MACscr> i cant seem to get an l2tp vpn working on  my ubiquiti edgerouter. I have it all setup http://paste.debian.net/1022764/, but when i try to connect to it from my mac, it says the server didnt respond. My swantctl --log is completely empty as well
07:34 < MACscr> im assuming my l2tp outside-address should be the same one that is assigned to my wan interface (eth0)?
07:37 < MACscr> since i cant really get any logging that im seeing on the ubiquiti in regards to this, im not sure wehre to start troubleshooting the issue
08:09 < MACscr> ok, i think i got it
08:10 < MACscr> cant seem to access any of the subnets though from the vpn connection
08:10 < liveuser1> Los Angeles
08:10 < liveuser1> If I can hold your stinking rotten flesh in my arms.
08:11 < liveuser1> For all who love me.
08:11 < liveuser1> Suppose it hasn't been done.
08:11 < liveuser1> To alter the course of the universe and regenerate one man of halflife.
08:12 < liveuser1> If the muslims can hold the koran in memory.
08:13 < liveuser1> While looking at #bioinformatics what is the overreaching rythm of My Flesh
08:13 < liveuser1> My MY
08:13 < liveuser1> ANd all of tha naive wanting an old testament church, forecast a would be 3rd gen curse.
08:17 < MACscr> ah, i guess im used to pushing routes by the server config with openvpn
08:43 < MACscr> damn, not being able to push routes to the clients is a huge drawback
08:43 < MACscr> of using pretty much anything other option than openvpn. ugh
09:13 < anddam> hello, need a bit of wireless wisdom
09:14 < anddam> I have two laptops, a macbookpro 2011 and a Clevo barebone model Something.Something, both in the same room therefore at the same distance from an AP, a home ADSLv2 modem-router-AP-dishwasher-hairdryer
09:16 < anddam> now my issue is that the Clevo clearly struggles browsing, the perceived connection quality is not good, also with a ubuntu based distribution the wireless icon in the menu bar has usually few filled lines, one out of three or four
09:16 < anddam> the macbook next to it shows a full wireless icon, and seems to browse much faster
09:17 < anddam> now I now the icons mean nothing without knowing exactly what the agent is programmed to display there
09:17 < anddam> I see both showing an average RSSI of -66 dBm and a noise level of about -88 dBm
09:18 < anddam> no, actually the macbook utility display the noise, I can only see the "Signal level" with iwconfig on linux
09:19 < anddam> I thought the Clevo had a bad antenna, maybe internally disconnected or so, but since I read roughly the same signal strenght that shouldn't be the case, right?
09:40 < detha> If both read the same signal strength, both have roughly equivalent antennas (if things report signal strenght correctly).
09:41 < detha> But 22 dB SNR is not much to work with - may well be that the chipset or firmware blob on the clevo is not as good as on the mac
09:47 < anddam> likely
09:47 < anddam> I was actually surprised by the low signal, are these common values?
09:48 < anddam> I mean in power terms this is a nanowatt or so
09:48 < detha> "it depends". RF and walls/ceilings/windows is magic. But it sounds rather low
09:48 < anddam> actually less, isn't it?
09:50 < detha> thinking about RF in watts doesn't really work (maybe unless you are designing equipment or trying to make sense out of govt. regulations)
09:50 < anddam>  ok, btw this was the reason I was pestering the channel about accessing that AP device, I have a LaFonera 2100 that's been collecting dust for years now, figured it could well WiFi-light up this room
09:51 < anddam> detha: no I got that
09:52 < anddam> just a consideration in absolute terms
09:56 < anddam> detha: oh, the main difference I see in the wireless card configs is that the macbookpro picks a Txrate of 130Mbps
09:56 < anddam> the Clevo 52 Mbps
09:57 < anddam> I'm using GNOME network manager to automagically config the thing and there I couldn't find any setting about the transmission rate
09:57 < detha> sounds like it is only doing n ?
09:57 < anddam> considering the Clevo has  Intel Corporation Wireless 3160  chipset it should go higher, shouldn't it?
09:57 < anddam> it's ac
09:58 < detha> what the chipset supports and what the driver supports can be two very different things
09:59 < anddam> damn computing stuff
09:59 < anddam> so I should check if the driver I'm running in kernel supports more, right?
10:01 < detha> yeah. what kernel version is that?
10:01 < anddam> from dmesg I *guess* the driver is called iwlwifi
10:07 < anddam> 4.13.0
10:07 < anddam> it's an ubuntu based system
10:16 < detha> fairly recent, that should do ac. And intel normally supplies decent drivers
10:18 < anddam> I think it's just a matter of some config, and Network Manager has a simple UI not allowing the wifi specifics
10:24 < detha> off to hostapd.conf. which doesn't have a decent man page, alas
10:28 < anddam> thanks for the info
11:07 < meth> hey are these stats qualify for 100Mbps https://i.imgur.com/t8ygfYH.png it's on FTTC
11:07 < meth> ISP says I can't sync on 100Mbps
11:08 < meth> are they lying to me>?
11:08 <+xand> you are synced at ~40Mbps
11:08 < meth> yeah
11:09 < meth> I mean from the stats above do I earn the 100Mbps lottery on FTTC?
11:09 < light> you may get 90 mbit instead of 100 mbit, but that's still a lot more than 40 mbit
11:10 < meth> it's 133Mbps
11:10 < light> what is
11:10 < meth> the max
11:11 < meth> the max i can recieve on down stream
11:11 < light> allegedly, but probably not really
11:11 < meth> wait, why?!
11:11 < meth> routers lie?
11:17 < shanee> Hi. I have a network that requires access be via a web proxy and login. I want to build a hotspot that bridges to this network in such a way that those connecting via my hotspot don't need to configure the webproxy themselves and it looks like normal internet access to them. What is this setup called and are they any existing programs or resources I should look at?
11:18 < light> shanee: supply the proxy via DHCP?
11:20 < detha> shanee: transparent proxy. also find out how proxy.pac works.
11:21 < shanee> light, Essentially, I'm trying to connect some IoT devices that don't support web proxies to a network that requires one be used. I think a DHCP solution would require that the device supported a web proxy?
11:21 < shanee> detha, I'll look into this now.
11:25 < detha> shanee: if the device doesn't support proxies (likely for IoT shit), a transparent proxy would be the only way. But that doesn't work nicely for SSL unless you can add a CA cert to the devices
11:26 < shanee> I see. Thank you. Transparent proxy looks like it's what I want! Thanks.
11:56 < Reventlov> I'd go with a access point masquerading a normal device
11:56 < Reventlov> without any proxy
11:58 < detha> Ehm, isn't that a description of a transparent proxy setup?
11:58 < djph> detha: yes?
11:59 < Reventlov> detha: maybe; I was associating "transparent proxy" with stuff like squid and so on
11:59 < Reventlov> But i'm pretty sure nftables / iptables would be enough, no ?
12:06 < detha> Reventlov: not if there is no direct internet access out of the network. Think 'all traffic from inside network to internet is blocked'
12:07 < meth> guys is that could be with vectoring https://i.imgur.com/t8ygfYH.png, does vectoring impact the latency ?
12:24 < royal_screwup21> I'm trying to dump some json into my local host and then retrieve it back. Here's what I've tried in java https://thepasteb.in/p/GZhWP0AkWn0IV While I'm able to dump the json, I'm not later able to acces my localhost - the request takes too long. How do I fix this? i'D love a pointer or two in the right direction :)
12:38 < banisterfiend> hi guys, 128.0.0.0/8 is the block of loopback in ipv4, what is the equivalent for ipv6?
12:38 < Peng_> 127.0.0.0/8
12:38 <+xand> ::1
12:38 <+xand> and yes it's 127 for ipv4...
12:44 <+catphish> woo, my 34" curved display arrived :)
12:45 <+catphish> it's not clear to me why in ipv6 it was determined that only one IP would be used for loopback instead of a range, but i guess there are other IPs you could use for the purpose if you wanted
12:45 < Peng_> well, you know, don't want to run out
12:45 <+catphish> lol
12:45 < Dagger> it does feel like they went from extreme overkill to extreme underkill
12:46 < Dagger> but ULA is there for you if you need it
12:46 <+catphish> yeah, that was my thought, no reason you can't use routable IPs for loopback
12:50 < drathir> catphish: im not get that trend of curved ones this times...
12:51 <+catphish> drathir: well, previously i used 2 screens, they were placed at an angle so that all parts of both screens were roughly the same distance from my eyes, curved screen just achieves the same
12:58 < usvi> hmm
12:59 < drathir> catphish: but still ot of $$ more for shape wonder how them compare with alife hours... also advantage of two screens thin frames them can be used as separatefeeding eg fulscreen movie and work monitoring...
13:00 < usvi> for dhclient, are the scripts in dhclient-exit-hooks.d protected from concurency issues by any chance?
13:00 <+catphish> drathir: i didn't think the curve actually added significantly to the price (not nearly as much as the price of one large high res screen vs 2 small ones anyway), i'm not sure if the separation is ever useful, i don't watch videos at work much :)
13:00 <+catphish> i guess i'll see, i like it so far though
13:02 < drathir> catphish: ot thats kinda good things bc will be not surprised when even for color the prices differ... ^^
13:03 < usvi> of course safest is to assume that the scripts should be protected against concurrency
13:03 < drathir> catphish: may i ask if You will share usage experience eg angles of view  from this one?
13:06 < thothcastel___> can a single internet linkwith static IP address have a VPN tunnel as well as direct connection to the internet?
13:06 < light> yes
13:06 <+catphish> drathir: because of the curve it's pretty useless at steep viewing angles, although technically it works well, it reflects ambient light from all kinds of angles when you try to view it sideways
13:07 < drathir> thothcastel___: yep it can...
13:07 <+catphish> thothcastel___: yes
13:07 < drathir> thothcastel___: there a lot of outgoin portys for use ^^
13:07 <+catphish> you simply choose which traffic should go to the internet and which traffic should use the tunnel
13:07 < thothcastel___> I need all trffic on ports 80 and 443 to point to zscaler
13:08 <+catphish> you can do that :)
13:08 < thothcastel___> and all other traffic to point to the MPLS network
13:08 < drathir> thothcastel___: probably iptables rules i guess?
13:08 <+catphish> you'll need a router with policy routing
13:08 < thothcastel___> it is a cisco router
13:08 < thothcastel___> will I need routing?
13:08 < light> yes, you will need routing ._.
13:08 < thothcastel___> at the moment I have a static route point all traffic to the next hop (ISP
13:08 <+catphish> you can do it on linux using iptables to mark the packets based on port, then policy routing to send them to a different routing table
13:09 <+catphish> dunno about other routers
13:09 <+catphish> thothcastel___: you just need to work out if your cisco router can route based on destination tcp port, try #cisco
13:11 < Roq> You can make a route-map and apply that policy to the interface
13:12 < thothcastel___> can Cisco C891F-K9 cisco router can route based on destination tcp port? using static routing
13:13 < Roq> thothcastel___: yeah
13:14 < thothcastel___> Roq: could you please give me an example?
13:15 < thothcastel___> basically I need traffic on the 10.0.0.0/24 to go through the mpls and all http and https traffic to go directly out on the same link
13:15 < thothcastel___> 10.0.0.0/24 is already reachable via a VPN tunnel
13:16 < Roq> Just google "cisco pbr https http forward". Plenty of examples for similar cases
13:17 < banisterfiend> xand oh so there's only one loopback ip for ipv6? unlke in ipv4 where there's an entire subnet?
13:18 <+catphish> banisterfiend: yes
13:18 < banisterfiend> why is that?
13:19 < light> there's just not enough free ipv6 addresses
13:19 <+catphish> with ipv4 it was a bit of a mess, there was a whole /8 set aside for loopback, but OSs just used 1 IP by default
13:19 < thothcastel___> thanks Roq
13:19 <+catphish> now there's just one well known loopback address, which all OSs use (as before), but you can also use *any* other IP you like for loopback
13:20 <+catphish> if you want more addresses, simply assign yourself some ULA (private) addresses, and use them for loopback
13:21 < thothcastel___> Roq: will the static route 0.0.0.0/0 NextHopIP  need to be removed if PBR is in place?
13:22 < tester> i'm having some issues with chromecast (never tried it before) where devices can't find each other. i believe the system relies on some sort of network broadcast and i presume that's blocked somehow(?). how do i even start debugging this?
13:22 < tester> the 2 devices i want to connect are connected to the same ap
13:23 < tester> i cant find any settings on the ap that may even possibly be related to this
13:23 < mAniAk-_-> client isolation maybe?
13:24 < tester> can't find such a setting.
13:24 < Apachez> client hug mode?
13:25 < tester> what's that?
13:25 < Apachez> when clients hug each other
13:25 < tester> ..
13:25 <+xand> special hug time
13:26 < tester> im not even sure you're being sarcastic or not now
13:28 < drathir> Apachez: ^^ ++
13:31 < drathir> tester: but router fw log shoud catch blocked requests...
13:31 < dogbert2> LOL
13:31 <+xand> that's gonna be a busy log
13:32 < djph> ^
14:02 < hjf> man, the bullshit one has to read on slashdot nowadays
14:02 <+catphish> you don't have to
14:02 < hjf> there's an idiot claiming he can get 250mbps from wifi
14:02 <+catphish> well you can
14:03 < hjf> anywhere on his multi-storey 4100 square feet house
14:03 < hjf> with a single AP
14:03 <+catphish> that last part makes it slightly less likely :)
14:03 < hjf> yeah, no. been installing wifi since 2004. I know what wifi can and cannot do
14:03 <+catphish> is his home in the wilderness, with all power off apart from the 2 devices?
14:04 <+catphish> it's not totally impossible if there were zero interference, but still unlikely
14:04 < hjf> well likely he wouldn't be able to get a 250mbps+ internet service  in the wilderness
14:04 <+catphish> i didn't know that was a factor here
14:05 <+catphish> lol
14:05 < hjf> the point of my post there was that ISPs are now selling 500, 1000, 2000mbps packages
14:05 <+catphish> my ISP just increases their top package from 100 to 350
14:05 <+catphish> and probably more if you ask / pay :)
14:05 < hjf> and i said sure, they can sell you 10gbit if they want. but most people use it over wifi that it's very unlikely to get anywhere near that
14:06 <+catphish> indeed
14:06 <+catphish> not many people even have a router than can exceed about 500mbps
14:06 < hjf> and this clown comes in claiming he has a single device that can do 250mbit in such  a large house
14:06 < hjf> and he could "easily saturate his 1gbit internet connection if he had more devices"
14:06 <+catphish> lol
14:07 <+catphish> "no"
14:07 < hjf> why do people have to make up bullshit stories to win an argument?
14:09 < djph> catphish: I do :)  granted upstream is being weird and sitting at 350 when down is consistently 900. hmm ...
14:09 < djph> too lazy to really look into it though
14:09 <+catphish> i'm preparing for a fight with my ISP who want to offer 10:1 upload ratios
14:10 <+catphish> i'm hoping they'll be nice and offer me better
14:10 < hjf> i had 30/10 VDSL
14:10 < hjf> but one day the decided meh, we'll give you 20/3
14:10 < hjf> so they just did
14:10 < hjf> wtf?
14:11 < djph> was it that they forcibly downgraded you, or issues on the line or something
14:11 <+catphish> my ISP just announced they upgraded their network and introduced new packages, they're changing the package i'm on from 100/50 to 100/10, now i'm sad
14:11 < hjf> not really sure. their 30/10 plan is not even on their website anymore
14:11 <+catphish> but hopefully they'll help
14:11 <+xand> catphish: a real upgrade to be sure
14:11 <+catphish> xand: indeed :(
14:12 <+xand> who owns your FTTP?
14:12 <+catphish> they now offer all sorts of speeds, but always at 10:1, i can get 350/35
14:12 <+catphish> xand: https://www.wessexinternet.com/home-fibre-broadband/
14:12 <+xand> catphish: didn't you install it?
14:13 < hjf> but my isp recently merged with another that's selling 50 and 100mbit packages. i think they want people to move over to their new brand
14:13 <+xand> do they have a cab somewhere like BT do that it goes to?
14:13 <+catphish> xand: physically yes, but yes, they have a cab nearby
14:13 <+catphish> i really like them, great service
14:13 <+catphish> but unsure why they're being mean on upload speeds
14:14 <+xand> it shows a 100/20 service there
14:14 <+catphish> there are a few possible reasons, i asked them, but i think the email got lost, gonna ask again
14:14 <+catphish> xand: that's true, i'm on the "home office" one
14:14 <+xand> I have 40/7 :X
14:14 <+xand> installing FTTP would not be practical
14:15 <+xand> I obviously need to move. given I'm changing jobs soon I should anyway but I'm lazy
14:16 <+catphish> changing jobs? :o
14:18 <+xand> going to work at king's college london
14:19 <+catphish> right, going to raise a support ticket about this speed thing :)
14:22 < lupine> needs more remote-only
14:30 <+xand> lupine: don't want to WFH all the time
14:43 < lupine> xand: that's what places that are not home are for
14:44 <+xand> lupine: I also don't want to do lots of work on a laptop
14:44 <+xand> requirements include decent internet connection, large amount of screen space, and my ssh connections not dropped from the day before :P
14:45 <+catphish> xand: those are very sensible demands!
14:47 < jvwjgames> i need some advice the data center where my server is hosted currently has a 10 mbps connection is that enough for a game server plus whatever i need to do to run my vuisnness if i upload any important files they complain cause the ping spikes up to 8000ms is there any way i can fix this
14:47 < jvwjgames> correction 800ms
14:47 < r0ss> A datacentre with a 10Mbps connection?
14:48 < dogbert2> I have 30-35mbit/sec at home
14:48 < jvwjgames> they have other plans but to start out it's 10
14:48 < dogbert2> and at work, I have a 10Gbit/sec data pipe
14:49 < dogbert2> best DSL can do here is 3-6mbit/sec
14:49 < jvwjgames> but the higher you go the higher the rates like for a 5-mbps is an extra 1$5/month
14:49 < jvwjgames> $150*
14:49 < dogbert2> sounds like highway robbery
14:50 < jvwjgames> 50mbps*
14:50 < r0ss> I would think 10Mbps would be ok for a game server but I don't run any myself so hard to say. RE your business it completely depends what you are doing. Those speeds seem odd in 2018...is there not anywhere else you can host?
14:50 < jvwjgames> i have another server in another data center in the same state that has our billing system that one is at a rate of 100mbps
14:52 < jvwjgames> i would swap locations but i can't afford the downtime just for one customers complaint plus that customer aka my friend isn't paying but i should make him pay
14:55 < r0ss> I'd be looking at swapping locations but I guess you could look at rate limiting the file transfers you are doing in an attempt to not saturate the circuit and spike the latency
14:56 < jvwjgames> or i could pay an extra $50/month to get another port so he has a dedicated connection
14:56 <+catphish> 10Mbps should be enough for a game server really, but may depend on the game
14:57 <+catphish> it really shouldnt be hard to check, play the game, see how much bandwidth it uses
14:57 <+catphish> but seriously consider looking for a better provided, 10Mbps is really really bad
14:57 < jvwjgames> ok
14:57 < Apachez> depends on game
14:57 < jvwjgames> let me check the pfsense firewall logs
14:57 < Apachez> like cs loads custom maps from the gameserver
14:57 < jvwjgames> cause it has a bandwidth monitor
14:57 < Apachez> in those cases having 100Mbps pipe is a good thing
14:57 < Apachez> but gamewise its give or take 100kbps per client
14:58 <+catphish> i have 50 at home, so 10 seems totally unreasonable for a server
14:58 < Apachez> thats including sound
14:58 < jvwjgames> i have a 1gbps pipe at home
14:58 < detha> also, if you can't move servers without causing serious downtime I would re-think the way the hosting is set up
14:58 < Apachez> so 32 concurrent clients should be fine with 32*100kbps = 3.2Mbps
14:58 < Apachez> during gameplay
14:58 < jvwjgames> but it wouldn't be profession to host my buiness vm software from my house would it?
14:58 <+catphish> cutting it a bit fine really
14:58 < Apachez> so 10Mbps should be sufficient also for downloading maps through the server
14:58 <+catphish> jvwjgames: depends how good the connection is
14:59 < jvwjgames> it is unturned
14:59 <+catphish> a data centre has power and network SLAs, your home doesn't
14:59 < jvwjgames> i know that
15:00 < Apachez> sure your home can have sla's
15:00 < Apachez> I got sla's
15:01 < Apachez> for my internetpipe
15:01 < Apachez> at home
15:01 < Apachez> its a companypipe
15:01 < Apachez> but still terminates at my home
15:01 < Apachez> and it has sla's
15:01 < Apachez> I have more uptime at home than nasdaq stock exchange got
15:02 < Apachez> and I got ups too :)
15:02 < Apachez> but sure, still lacking one or two submarine diesel engines on the frontyard :P
15:02 < r0ss> what are you running at home then?
15:02 < Apachez> techporn
15:03 < Apachez> dnsservers, webservers, gameservers
15:03 < Apachez> and my own workstations
15:03 < Apachez> and irc :P
15:03 < Apachez> and probably tnings I forgot about
15:04 < Apachez> having a 1600VA UPS is a sane thing to have nowadays
15:04 < Apachez> gives you an additional hour or so of internet when the rest of the neighbourhood goes poff
15:04 < r0ss> would be no use for me as I take an Ethernet service and the ISP's switches in the electrical risers would die before a UPS like that
15:05 < Apachez> our isp devices are upsed
15:05 < Apachez> dual 1600VA
15:05 < Apachez> eaton pro
15:05 < Apachez> good shit
15:05 < Apachez> also have nice displays so you can see current status and estimated runtime if shit goes south
15:06 < r0ss> I work for the ISP in question and I'm pretty sure we don't UPS the switches in the smaller comms risers, just the main one
15:06 < Apachez> http://powerquality.eaton.com/Products-services/Backup-Power-UPS/Ellipse-PRO.aspx
15:06 < r0ss> its more to protect equipment from instant power off than to keep service running if there is a power outage though
15:06 < jvwjgames> can having a desktop gui on the game server hamper proformance
15:07 < Apachez> why would you have a desktop gui on a gameserver?
15:07 < Apachez> does not compute...
15:07 <+catphish> jvwjgames: probably not
15:07 <+catphish> all my windows are a little bent today
15:07 < jvwjgames> i advised against it cuase of how much cpu and ram i gave him and he said he needed it
15:07 < Apachez> http://powerquality.eaton.com/ELP1600DIN.aspx?cx=98
15:08 <+catphish> well a GUI is going to use RAM certainly
15:08 < jvwjgames> cause he doesn't know how to use a command line
15:08 < djph> jvwjgames: yes, a GUI will hamper performance
15:08 <+catphish> leaving less for the games
15:08 < Apachez> then its time for him to learn?
15:08 <+catphish> an idle desktop really shouldn't be a problem
15:08 <+catphish> but i'd still avoid it, waste of ram
15:08 < Windy> heya, i have an IKEv2 question.  if one side sets very restrictive traffic selectors, say - three pairs of /32 addresses, and the other side sets a single traffic selector with subnets containing said /32s, will it be possible for three Child SAs to come up?  or how will that negotiate
15:09 < jvwjgames> and he keeps telling me that it's not the GUI it is the ram
15:09 < jvwjgames> and i said i can't just give you more ram like its candy and cpu cores
15:09 < jvwjgames> right now he is requesting 4 cpu cores and 4 gb of ram
15:09 < r0ss> is this the friend that doesn't pay?
15:10 < jvwjgames> correct
15:10 <+catphish> afaik they have to match, not certain though, try it?
15:10 < detha> Windy: most likely, "not", if the selectors don't match exactly
15:10 < Apachez> then have him pay
15:10 <+catphish> Windy: ^
15:10 < Apachez> problem solved
15:10 < Apachez> dont forget the powerbill too
15:10 < recesfulu> anyone knows why in ipcpv6 in ppp ipv6 prefix is not confugred?
15:10 < jvwjgames> that's why i am not incressing it cause it is unfair to the other customers that are paying
15:10 < djph> jvwjgames: tell him to gitgud with the CLI?
15:10 < Apachez> a server that averages at 100W in total goes for 72kWh/month
15:11 < Apachez> so 5-10 USD depending on country
15:11 < Windy> detha,catphish: how does one typically traffic selectors when you have a large number of addresses?  we're looking at 12 on one side, and 6 on another and the other side won't do subnets.  so to make them match exactly I'd need 72 traffics selectors
15:11 <+catphish> of course a data centre will charge more than that for power, because dual feeds, UPS, etc
15:11 < Apachez> and about as much in cooling if you got a DC
15:12 <+catphish> oh yeah, plus cooling
15:12 < Apachez> yeah this was pure power
15:12 <+catphish> which is usually included in power cost
15:12 < Apachez> assuming you already have power and air to your home
15:12 <+catphish> true
15:12 < jvwjgames> he doesn't have a job and won't get a job like we have been trying for years to get him
15:12 <+catphish> power's cheap at home
15:12 < Apachez> depends on country
15:12 <+catphish> kill him with an axe?
15:12 < Apachez> here in sweden its like taxed 3 times or so
15:12 < r0ss> he shouldn't expect you to hand all this out to him for free then
15:12 < jvwjgames> what about if i try and install light GUI
15:13 < detha> Windy: never had to deal with that - I just map a subnet, if only a few addresses are needed ACL the rest off
15:13 < Apachez> what about if you stop trolling?
15:13 < Apachez> tell him to learn cli or get some other friend to screw?
15:13 < jvwjgames> lol
15:13 < Windy> detha: that would be my preference, but the engineer on the other end is adamant about not including the whole subnet in the traffic selectors.  it's a sonic wall :-S
15:14 < detha> "sonic wall" "engineer". Conflict in concepts.
15:14 <+catphish> Windy: honestly, i've only ever done like 2 subnets on each end, so mine are always matching and simple
15:15 <+catphish> Windy: oh, actually i now use GRE instead, so routes can be whatever, so i'm not that sure about it
15:15 <+catphish> it's so much easier just to encrypt the gre, then route stuff over that
15:19 < jvwjgames> have pfsense bandwidth monitor up and running real time now logging into game server as a player
15:20 < jvwjgames> 12 -30kb for one player
15:21 < Apachez> and if you enable team speak within the game?
15:21 < Apachez> along with downloading assets through the server
15:24 < jvwjgames> no teamspeak or downloading
15:52 < drathir> ipt possible fast iptables masquarade gateways ?
15:53 < drathir> ipt/is*
15:53 < djph> drathir: err, what?
15:53 < drathir> djph: in case when device get wrong gateway set to access that device...
15:54 < djph> drathir: that's still not making a whole lot of sense :(
15:54 < djph> I probably need more coffee
15:55 < drathir> djph: device get .1.111 gateway is set to .1.3 and network true gateway is .1.1...
15:56 < drathir> djph: router able reach mtr .1.111 but not any other device in network looks like...
15:57 < drathir> djph: i guess the best solution jus directly connect that decice to notebook when goes near it...
15:58 < djph> er, so "device" is getting routed thru a fake gateway / transparent proxy?
16:00 < drathir> djph: yep device is routing to wrong gateway... that it cant be reached by any other device in network only router...
16:00 < djph> so fix its setup?
16:00 < r0ss> put the wrong gateway IP on the real gateway if you have a suitable device
16:01 < drathir> djph: yea need to get into device im wondered if its a way remote temporaly redirect to correct gateway...
16:02 < psprint_> Netmask for 7-bit network is 255.255.255.128 ?
16:02 < drathir> r0ss: hmmm that good idea...
16:02 < UncleDrax> We only transmit in octets in this house, mister!
16:02 < drathir> let me check...
16:09 < djph> psprint_: /25 (7 bits for hosts) is what you wrote, yes.
16:15 < roger_padactor> hello, I have a domain registerd with one company. the nameservers point to another company that hosts the site and the email.  I need to change the domain name to point to an IP address but I need the email to keep working. Should I make the changes with the company that the domain is registered to or the hosting company?
16:16 < djph> roger_padactor: whichever entity is actually handling hte DNS records
16:18 < roger_padactor> thank
16:34 < drathir> djph: r0ss looks like get directly into correct vlan granted access to decice...
16:36 < drathir> and gateway was 0.0.0.0 a i see set... ;p
16:41 < psprint_> djph: thanks
16:44 <+catphish> my ISPs reply to my question of why they only offer 10:1 upload speed ratio was that anything more is "exceptionally fast and surplus to requirement"
16:45 < Dalton> according to whose standards?
16:45 <+catphish> "We have reviewed our packages recently and for our fibre packages, the upload speed was much higher than customers actually required. For usual internet browsing, speeds of up to 50Mb/s are exceptionally fast and surplus to requirement, unless you are uploading huge amounts to the the internet."
16:45 <+catphish> i've pointed out that just because i don't upload much doesn't mean i want to wait for it :(
16:45 <+catphish> very odd industry practice :(
16:48 < tds> catphish: are they able to offer you anything custom, or is it just "pick one of these standard packages"? :/
16:49 < detha> Citizen, consume. How dare you have the initiative to want to upload content?
16:49 <+catphish> tds: they should be able to offer something custom, that was the reason for my email, they said other options are available on request, so i've replied with a more explicit request :)
16:50 < Dalton> catphish: you're in .uk no?
16:50 <+catphish> yeah
16:50 < tds> ah, I guess that's good at least :)
16:50 <+catphish> i also explicitly asked them if it would be OK to run my 20Mbps CCTV stream :)
16:50 <+catphish> since there's a difference between paying for the bandwidth, and having the audacity to actually use it :)
16:51 < drathir> catphish: when You will constanly upload them cut a line, bc too high traffic ... such a logic ;/
16:51 <+catphish> drathir: lol
16:51 <+catphish> drathir: i fear that may be the logic here
17:17 < redrabbit> isps are stupid
17:17 < redrabbit> stuck with 100/5 here
17:18 < Demos[m]> Man dealing with Merit at work has spoiled me
17:18 < djph> I keep getting called by TWC - " buy our 50/5 for $stupid"
17:18 < Demos[m]> AT&T does give me 1000/1000 though
17:18 < djph> .. guys, I'm not gonna buy it, *ever*.  AT&T has you beat handily.
17:19 <+catphish> this bandwidth symmetry thing is odd
17:19 <+catphish> some ISPs don't seem to care, others love to be restrictive with it
17:19 < Demos[m]> FTTC + 1000base-t
17:19 < Demos[m]> Even get working v6 with prefix delegation
17:19 < skyroveRR> Hiya catphish
17:20 < djph> Demos[m]: yup, is nice
17:20 <+catphish> i have ethernet to the home, though they can't seem to get ipv6 working on their ppp servers
17:21 < Demos[m]> I kinda wish they just put fiber to the wall, but shrug
17:22 < djph> I've got fiber all the way into the ONT.  I'd kill to scrap that and just use an SFP (yeah, yeah, bidi blahblah)
17:22 < Demos[m]> My bet is they have like 24ish fibers coming in and then 40g to each floor
17:22 <+catphish> nice
17:23 < Demos[m]> Meh if your going to a switch nearby then why bidi?
17:24 < Apachez> why not?
17:24 <+catphish> why not indeed, less splicing :)
17:25 < Apachez> but personally I prefer non bidi unless really needed
17:25 <+catphish> though i'm happy with tx+rx, easier top upgrade to 100G later :)
17:25 < Apachez> the -U and -D is a nightmare
17:25 <+catphish> yeah i'd agree
17:25 < Apachez> you often end up with two -U or two -D which is no bueno
17:25 <+catphish> i didn't know they were asymmetric, makes sense though
17:25 < Demos[m]> The transceivers are more expensive and your going electrical before really exiting
17:25 <+catphish> different tx and rx band on each end
17:27 < Demos[m]> Besides in a large building you may be going to DWDM before exiting your building
17:27 < Demos[m]> And (I think) bidi will still need two dwdm wavelengths in the end
17:28 < Apachez> catphish: well its often like 1310 nm in one direction and 1550 in the other
17:28 < Apachez> so -D is like TX 1310 RX 1550
17:29 < Apachez> and -U is TX 1550 RX 1310
17:29 < Apachez> or if its the other way around
17:29 <+catphish> yep, makes perfect sense
17:32 < kenlumbo> thats what all ours seem to be, 1550/1310, but if tons of fiber to spare I prefer non bidi
17:37 <+catphish> non bidi seems the better option for most cases
17:40 < Apachez> and its cheap
17:40 < Apachez> $6 for 1G from fs.com
17:41 <+catphish> yep, the only downside is less density or more splicing
17:41 < mAniAk-_-> not LR are that costly
17:41 < mAniAk-_-> LX*
17:41 <+catphish> this monitor really is lovely
17:43 < Apachez> mAniAk-_-: ?
17:45 < mAniAk-_-> Apachez: compared to bidi
17:47 < Apachez> $6 for MMF
17:47 < Apachez> $7 for SMF
17:47 < Apachez> 10km
17:48 < ryao> catphish: non bidi is cheaper for upgrades too. The optics needed to have two wavelenghts in opposite directions on a cable are pricy. ^_^;;
17:48 <+catphish> indeed, easier upgrades / general compatibility is a great reason not to bidi
17:49 < ryao> catphish: Well, the bidi SMF stuff will likely be upgradable up to 1PbE if that ever becomes a thing, but at great expense. ^_^;;
17:49 < ryao> You don't really get economics of scale on those because the cheaper duplex stuff eats away at any market opportunity for them to be widely used outside of long distance links.
17:50 < Apachez> -D goes for $12 and -U for $9
17:50 < Apachez> ohh and you need SMF for that to work
17:50 < Apachez> so its like $21 per pair isntead of $6-14
18:03 < ||cw> the thing is, with ADSL and cable there are reasonable technical reasons for the difference.  with fiber, there just isn't.  it's really just to slow down servers across the board without having to resort to protocol aware traffic shaping and nothing more
18:04 < ||cw> whoah, I was scrolled way apparently
18:19 < king_button> If I connect(...) a socket specifying address and port, that specifies what port to send data to but what port is listened to to receive data?
18:19 <+xand> OS will choose one
18:20 < Apachez> ||cw: YOU SEEM TO BE WAY OUT OF SYNC
18:20 < Apachez> oops
18:20 < Apachez> caps?
18:20 < Apachez> actuaolly the tcpstack in the os will select srcport automagically
18:20 < Apachez> unless you specify one
18:20 < ||cw> Apachez: I've flushed my cache, all good now
18:20 < Apachez> then you might get an error if that port is already in use
18:21 <+xand> or if you're not root and choose one < 1024
18:22 < Apachez> or above 65535
18:22 < Apachez> but those only works in hollywood productions
18:22 < hweaving> Are there any good rules of thumb for choosing TX and RX ring sizes?
18:23 < king_button> would I specify a port (not that I'd want to) via a bind before connect?
18:23 < Apachez> say that again?
18:23 < arooni> question; with ufw on ubuntu 16.04; i have the rule 32400                      ALLOW       Anywhere ;; yet when ufw is enabled; i can't telnet to that port from another machine on my network through my routers public ip address (i have port forwarded both tcip and udp )
18:23 < Apachez> RX and TX ring size?
18:23 < hweaving> I'm seeing millions of cache misses for a short test run, and I'm wondering if my TX/RX rings are too big
18:23 <+catphish> king_button: you can, but you usually shouldn't :)
18:23 < Apachez> you mean buffers or something else?
18:24 < hweaving> Apachez:  yes, ring buffers
18:24 < Apachez> na
18:24 < Apachez> large buffers are just bufferbloat
18:24 < Apachez> as in you occupy mem but never really use it
18:24 < Apachez> you can have the other way around too small buffers
18:24 < hweaving> My system has max RX of 8192, current ring size is set to 1024...that doesn't look too big
18:25 < Apachez> should be sufficient
18:25 < Apachez> I prefer 10000 as TX buffers on 1G and upwards
18:25 < hweaving> I'm just wondering what's causing millions of cache misses, since I'm trying to do very high bandwidth gigabit networking and wondering if some of my huge buffer settings are contributing to it.
18:25 < Apachez> also those occurs when your cpu is busy
18:25 < Apachez> so in a normal system they should rarely occur
18:28 < hweaving> if I raise rx ring buffer size from 1024 to 8192, my cache misses basically double
18:28 < hweaving> hmmmmm
18:34 < hweaving> I'll be, lowering ring size reduces CPU usage
18:35 < hweaving> "ethtool -g eth0 rx 512" or similar...I wonder how low is safe, like 256?
18:35 < hweaving> From 1024 to 512 made me go from 160,000,000 cache misses to about 8,000,000 cache misses
18:41 <+catphish> i can't see how lowering the ring size could possibly reduce cpu usage
18:42 <+catphish> i might be wrong, but i'd think a larger ring is always better
18:45 < hweaving> catphish: That's what I would have thought
18:45 < hweaving> but I ran across this
18:45 < hweaving> https://www.napatech.com/vpp-200g-nic/
18:46 < detha> size of ring versus size of L1/L2 cache, or some silliness like that ?
18:46 < hweaving> and I'm seeing the same sort of behavior.  With ethtool setting RX ring buffer to 1024 or larger, I get hundreds of millions of cache misses for a 20-second test
18:46 < hweaving> 512 or smaller is 8 million max
18:46 < hweaving> I don't fully understand why yet, but the article does mention that among other performance factors
18:47 <+catphish> but you can't be using cache, every read is new data
18:49 < hweaving> I'm not sure why, all I can see are the results :(
19:01 < Apachez> perhaps you have a buggy driver?
19:03 < UncleDrax> Buggy driver? Amish over IP Networking? (sorry.. had to)
19:04 < Project86__> What exactly does mysql do?
19:07 < hweaving> Apachez: maybe, but that article author seemed pretty confident.  I think it's just more complex than it appears
19:13 < MACscr> ok, so according to my findings so far, with a l2tp/ipsec vpn (ubiquti), i have to setup all subnet routing on the clients themselves instead of having it pushed from the vpn server?
19:18 < UncleDrax> Project86 - it's a database (specifically it's a SQL based RDBMS). so it stores data in a manner that is 'easy' to retreive. You can look up the wikipedia entry or one of a gazillion articles on any more detailed questions.
19:56 < GenteelBen> mrBen2k2k2k_: greetings, my fellow Ben.
20:02 < xdroop> Anybody have a Fedora pptp guide using Network Mangler and cli only?
20:03 < xdroop> Suitable for Fedora 27?
20:26 < Poster> PPTP should be largely replaced by now, do you have any other options for ipsec/openvpn on the remote side?
20:29 < hweaving> xingu:  Are you still around these days?
20:30 < hweaving> I seem to remember you had some ideas about methods for spreading interrupts between CPUs.  I think that would be my next option to reducing CPU overhead without actually doing the drastic step of moving everything into userspace ala DPDK and/or VPP and/or Snabb
20:31 < hweaving> but I think I'd have to use different VLANs to divide the interrupts up
20:34 < ravi_> is computer networks - a top down approach a good book to learn networking?
20:36 < UncleDrax> I believe the channel favorite was Tanenbaum's book. That said, I have not read any of those formal texts on the topic
20:38 < ravi_> noob here! can anyone suggest good cryptography channel?
20:39 < FuttBucker101> Sure, ravi!
20:39 < FuttBucker101> Why don't we chat about it?I am in
20:39 < FuttBucker101> the bitcoin channel
20:42 < kenlumbo> http://bfy.tw/HvQ3
20:42 < kenlumbo> ;)
20:42 < FuttBucker101> hi ken
20:52 <+catphish> ravi_: ##crypto
20:53 <+catphish> the problem with people who know about cryptography is that they believe that only people who already know crypto should be allowed to use it
20:54 < kenlumbo> thats the only problem?
20:54 < kenlumbo> haha
20:54 < FuttBucker101> hi cat
20:54 < skunkz> Hello, me and my friend live in the same building and we are both connected (I guess) to the same network. Here are our ipconfig outputs : https://paste.debian.net/1022848/. The problem is I can't ping his computer nor can we create LAN rooms on a game. How could I troubleshoot that?
20:55 < FuttBucker101> hi skunkz
20:55 < ||cw> skunkz: sounds like client isolation in effect.  there's nothing to troubleshoot
20:56 <+catphish> kenlumbo: probably the most gatekeepered topic of all
20:56 < UncleDrax> I second ||cw . esp with a /16
20:56 <+catphish> A: I have a question about this algorithm B: don't implement crypto yourself, you will fail
20:57 < UncleDrax> I encrypt everything in ROT0
20:57 < skunkz> Ok so I won't be able to bypass this unless I have access to the router's configuration I guess ?
20:57 < mawk> is the windows firewall enabled skunkz ?
20:57 <+catphish> skunkz: is it wifi? soudns like client isolation
20:58 <+catphish> oh yeah, could be OS firewall
20:58 < skunkz> No we are both connected via ethernet
20:58 < UncleDrax> you can use one of those Internet LAN meet-me services (like Hamatchi or whatever). that might solve your problem.
20:58 < ||cw> skunkz: right, and that's a good thing really.  you do not want to see your neighbors malware infected PCs
20:59 <+catphish> skunkz: well that should work :( although the /16 implies this is a complicated LAN, it probably has protection stopping you doing this :(
20:59 < skunkz> haha I just want to avoid buying another copy of the game !
20:59 <+catphish> can you just connect with an ethernet cable?
21:00 < skunkz> How can we be sure that we are on the same network ?
21:00 <+catphish> or are these computers in different parts of a large building?
21:00 < mawk> so skunkz is the windows firewall enabled ?
21:00 < skunkz> we have an ethernet plug in the wall of our room, then we need to authenticate to a portal
21:00 < mawk> ah, portal usually means client isolation
21:00 < ||cw> skunkz: you can use arp to find the mac address of the gateway, if it's the same, it's the same network
21:00 <+catphish> skunkz: yeah, the LAN almost certainly doesn't allow what you're trying to do, that kind of LAN very often doesn't
21:01 < skunkz> mawk: Mine isn't, I don't know about his
21:01 < mawk> use that hamachi thing, it looks good
21:01 < mawk> or use a vps if you already own one
21:01 <+catphish> very likely this LAN uses "private VLAN" where it appears to be one large network but in reality every user has their own private connection to the router :(
21:02 <+catphish> a VPS and a VPN would solve it :) openvpn in tap mode looks like a lan to software
21:02 < tds> better than the hotel I was in recently where everything was on one giant flat /16 (with no isolation) :P
21:02 < mawk> hamachi is very simple to setup, I remember using it in my gaming days when I was 12 or something
21:02 < kottt> tds: *shudder*
21:02 < kenlumbo> those are fun
21:02 < redrabbit> or build your own lam
21:03 < kenlumbo> find out who is using chromecast
21:03 < redrabbit> lan
21:03 < kenlumbo> start casting Macho man clips
21:03 < mawk> they can't do that if they can't talk to each other redrabbit
21:03 < skunkz> ok I'm gonna look at this hamachi thing thanks
21:03 < mawk> they need a middle man
21:03 < kottt> skunkz: congratulations: You're going to have a LAN party! :D
21:03 < UncleDrax> a time honored traditioanl truely!
21:03 < redrabbit> dvorak noob; dont mind the typos
21:03 < kottt> get a switch and some chips and invent your buddy over for beer and games
21:04 < kottt> invite*
21:04 < skunkz> that's a solution aswell
21:04 < redrabbit> use wifi
21:04 < mawk> connect the two computers with the ethernet cable
21:04 < mawk> ah, or wifi indeed
21:04 < mawk> adhoc wifi or something
21:04 < Apachez> catphish: or "Protected VLAN" which is what you described
21:04 < xz> hey, imagine there is a server behind the router, e.g. FTP on port 23. There is port forwarding set up on router, so the server is usable for the clients from the outside. Now how will Ethernet header look like if I as a client send the request to that server? Will it contain router MAC address as a destination or server MAC address?
21:05 < Apachez> aka port isolation
21:05 < redrabbit> mawk: same building
21:05 < Apachez> xz: why would you run ftp on tcp 23 ?
21:05 < xz> Apachez, 21, whatever is the port
21:05 < mawk> xz: where would that client be located ? behind that router ?
21:06 < skunkz> I have no wifi card on my desktop haha, I'll try sharing wifi from my phone and he will connect to the same wifi before trying hamachi
21:06 <+catphish> i run my ftp on port 70000 to ensure nobody can get into it
21:06 < redrabbit> id buy a cheap router/ap
21:06 < xz> mawk, nope. Only server is behind the router, client will be any client on the internet (public/outside)
21:06 < mawk> lol
21:06 < redrabbit> done
21:06 < mawk> then behind the router you'll have the server MAC, xz
21:06 < mawk> after routing
21:06 < UncleDrax> xz: the router will route & translate the packet appropriately. Port Forwarding is more a specific instruction for where that will go
21:06 < ||cw> xz: the client only sees the router MAC/IP, if it sees a mac at all
21:06 < Apachez> sounds like a homework question to me =)
21:07 < Apachez> the server will most likely see the mac of the router
21:07 < Apachez> or whatever L2 domain you might have
21:07 < redrabbit> skunkz: lan > router )))))) your bud
21:07 < UncleDrax> catphish: custom TCP stack? tbh that would be prety secure.
21:07 < ||cw> xz: you might to study more on port forwarding and connection tracking (aka contrack)
21:07 < xz> wait, are you saying the 'destination MAC address' field within the packet will change depending if it's before routing or after routing?
21:07 < tds> catphish: the real trick is to put it on the current unix timestamp mod 65535, then nobody will ever notice it ;)
21:07 < redrabbit> you wont use wifi
21:07 < skunkz> redrabbit: I don't get it
21:07 < mawk> is OOB on TCP a bad idea ?
21:07 < Apachez> you have one ethernet one WAN of router
21:07 < xamithan> Why are we answering homework questions
21:07 < Apachez> and another ethernet on LAN of router
21:07 < mawk> I'd like to use it instead of some special protocol
21:07 < Apachez> your ftp server is on LAN of router
21:08 < redrabbit> only your friend
21:08 < Apachez> your clients are on WAN of router
21:08 < xz> Apachez, correct
21:08 <+catphish> xamithan: i don't think you are
21:08 < Apachez> which gives that the ethernet frame is replaced when passing your router
21:08 < xamithan> I am not,  but people are
21:08 < Apachez> and the dstip too if you use portforwarding
21:08 <+catphish> xamithan: in fact you haven't answered anything, so either help, or stop criticising others
21:08 < redrabbit> skunkz: you > wired lan > router > wifi > your bud
21:09 < mawk> the fact that a new OOB byte will make any previous unread OOB bytes drop into the in-band data queue is very annoying tho
21:09 < UncleDrax> say it with me: layer cake muthafsckr! MAC address are L2.. they don't survive 'through' being routed.
21:09 < mawk> who designed that thing
21:09 < xz> Apachez, interesting, I didn't know router rewrites certain fields of the packet. So initially (before routing) dest MAC address will be the one of a router, and then after packet gets forwarded to LAN side of router, it will have actual, server MAC address as destination?
21:09 < Apachez> xz: depends on the router
21:09 < Apachez> you just said you had a portforward didnt you?
21:10 < skunkz> redrabbit: I still don't get it, I am indeed connected to the wired lan but I don't understand the router wifi and my friend in this scheme
21:10 < Apachez> well if you dont then the router wont touch the dstip
21:10 < Apachez> and there is no conntrack either needed
21:10 < Apachez> conntrack is only needed if srcip, srcport, dstip or dstport is changed
21:10 < xz> Apachez, well, if I don't use port forwarding then the packet would never reach my server, isn't that the case?
21:10 < redrabbit> skunkz: you > wired lan > router/AP that you have to buy > wifi > your bud
21:10 < Apachez> so it can keep track of a session and put back the original stuff when the returning packets flows by
21:10 < Apachez> xz: well depends on your network
21:10 < Apachez> assumption is the mother of all fuckups
21:10 < skunkz> ah ok that's the part I missed, you want me to buy a router ^^
21:11 < Apachez> we just assumed your router was connected to internet
21:11 < Apachez> normally you just have just one ip to internet
21:11 < redrabbit> router on a separate subnet
21:11 < Apachez> so you need portforwarding on your router so somebody from internet can reach a server on your LAN
21:11 < Apachez> BUT
21:11 < skunkz> unfortunately he won't receive my wifi signal from where he lives
21:11 < Apachez> if you have plenty of public ip addresses
21:11 < xz> Apachez, hah, I'm not too experienced with routing. Let's say I have cheap dd-wrt router with 1 external IP, server behind that router and port-forwarding turned on.
21:11 < Apachez> there is no need to nat
21:11 < Apachez> and if you dont nat there is no need for conntrack
21:11 < redrabbit> no internet on it just lan
21:12 < Apachez> and since you dont nat the dstip wont change
21:12 < Apachez> actually the ip header and tcp header should be intact
21:12 < tds> Apachez: well, unless you're firewalling on the router (which I'd expect a small home network to do)
21:12 < Apachez> only thing that changes is the ethernet frame header
21:12 < Apachez> who is ripped off once entering the router
21:12 < ||cw> skunkz: are you at a school?  if so check your ToS on using your own router/wifi
21:12 < Apachez> and then appended on the other side with the srcmac of the router etc
21:12 < redrabbit> skunkz: even with directionnal antenna?
21:12 < Apachez> tds: you can firewalling without nating
21:12 < Apachez> they have nothong to do with each other
21:13 < Apachez> -oií
21:13 < Apachez> yhäöldfsdfrgjrgönl
21:13 < Apachez> fucking keyboard
21:13 < xz> Apachez, and that operation of rewriting Ethernet header, does it happen both ways? for incoming/outcoming packets?
21:13 < Apachez> they have nothing to do with each other
21:13 < redrabbit> tyou can run your own vpn then
21:13 < Apachez> xz: yes unless your router is in transparent mode aka bridge :)
21:13 < tds> Apachez: yes, absolutely, but you still need conntrack if you're going to do stateful firewalling like a home router is likely to
21:13 < Apachez> nowadays we have switches that routes packets
21:13 < Apachez> routers who route packets on src/dstport and not just src/dstip
21:13 < skunkz> I'm not at school but I'm sure no one looks at what happens on the building network given the gb of copyrighted content dl'ed from there lol
21:14 < Apachez> firewalls who are transparent
21:14 < Apachez> etc
21:14 < Apachez> routers who doesnt decrease the TTL value of the packet flowing by
21:14 < Apachez> etc
21:14 < xz> Apachez, and does that happen also to control packets, like ICMP/SYN/ACK etc.?
21:14 < Apachez> tds: no, conntrack is only needed when you do nating (and/or pating)
21:14 < redrabbit> skunkz: you can run your own vpn then
21:14 < redrabbit> openvpn on a vps
21:14 < Apachez> xz: yes, a regular router (or l3 switch) have two different L2 domains for a single flow
21:15 < skunkz> yeah that's the last option if hamachi doesn't work well enough
21:15 < Apachez> one L2 domain on WAN and another on LAN
21:15 < Apachez> that is one mac address on WAN interface
21:15 < Apachez> and another mac address on LAN interface
21:15 < Apachez> L2 protocols are just nexthop protocols
21:15 < tds> Apachez: hmm, I may be missing something, but for a home network wouldn't you expect the router to allow outgoing connections from the lan, but not incoming from wan? (assuming plain routed traffic with public IPs)
21:15 < Apachez> they are stripped at every L3 hop
21:15 < tds> and to do that you'll need to do connection tracking
21:16 < Apachez> tds: well my home network have public ip's on the LAN side and the firewall is transparent
21:16 < Apachez> so my firewall blocks bad things
21:16 < Apachez> and allows good things
21:16 < Apachez> and there is no nating involved
21:16 < Apachez> so no need to waste cpu and ram resources on conntrack
21:16 < tds> ah, I mentioned earlier that I was assuming the firewall would drop non-established traffic coming from wan
21:16  * tds has to deal with conntrackd between home routers :/
21:18 < xz> Apachez, hey thanks for explaining it
21:19 < LFSveteran> had my routing script working, but when I wanted to backup, stuff crashed....argh
21:19 < LFSveteran> only have some notes: https://pastebin.com/F3w9VMHs
21:20 < LFSveteran> setup: request to eth0 is forwarded to 192.168.10.1 and back
21:20 < Windy> my CA "recommends" RSA2048 certs for https.  is there a reason not to use 4096, or better: elliptic curve?
21:21 < LFSveteran> server is 192.168.10.1, router 192.168.10.2
21:21 < LFSveteran> eth0 is 192.168.0.2
21:21 < MACscr> ok, if my vpn client gets an ip of 10.8.0.x and can ping 10.0.1.2 and 192.168.0.2 that are assigned to lan interfaces on the vpn server, what do i need to do on the server to allow the client to access those subnets as a whole. the vpn server of course can ping any ip on that subnet as well
21:22 < Apachez> xz: the basics are that in computer networks you have different layers which does different things
21:22 < Apachez> the first layer is the physical one
21:22 < Apachez> here you got the actual encoding onto the wire
21:23 < Apachez> frequencies, speed, 8/10 encoding and what else
21:23 < Apachez> this is strickly hop by hop
21:23 < Apachez> also referred to a collision domain
21:23 < Apachez> next layer is layer 2, here is where we got srcmac and dstmac and whatelse
21:24 < Apachez> this is more "device to device with logic" sort of speak
21:24 < Apachez> like router1 <-> switch <-> switch <-> switch <-> router2
21:24 < Apachez> then router2 will see router1 srcmac if they are both on the same l2 domain
21:25 < Apachez> so this will address the physical interface of another device who sits in the same L2 domain as myself
21:25 < Apachez> then at layer3 we got srcip, dstip, ttl and whatelse
21:26 < Apachez> this is like if we zoom out another notch
21:26 < Apachez> now we tell who this information is designed for far far away
21:26 < Apachez> and then layer4 who is the srcport and dstport
21:26 < Apachez> whcih then connects to application runned on client/server
21:27 < Apachez> so the application really only cares for src/dstip and src/dstport
21:27 < Apachez> while the server will then find out who to send this packet to (default gateway) and through arp find out what mac address the physical interface on this router this packet should be sent to as a frame
21:28 < xz> so then router doesn't touch IP header (layer 3) ?
21:28 < Apachez> actually it does
21:28 < Apachez> normally each L3 hop will decrease the TTL value in the ip header
21:29 < Apachez> the L3 hop where the TTL becomes equal to 0 should drop the packet and send an icmp back to the srcip of this packet that "ICMP TRANSMIT EXCEEDED" or whatever that icmp code is called
21:29 < xz> does router touch IP addresses in IP header?
21:30 < Apachez> but other than that the ip header shouldnt be touched
21:30 < Apachez> a regular router shouldnt touch the srcip or dstip of the ip header
21:30 < xz> I guess it might for incoming packets (as they have external IP address as destination)
21:30 < Apachez> unless the router is performing nat
21:30 < xz> right
21:30 < Apachez> sourcenat and/or destinationnat
21:30 < Apachez> then it will change srcip and/or dstip
21:30 < Apachez> before forwarding the packet
21:31 < Apachez> so a regular home setup usually just have one ipv4 address on WAN interface
21:31 < Apachez> and then you use a rfc1918 aka private iprange on the LAN side like 10.0.0.0/8 or whatever
21:31 < Apachez> in that case if your ftp server use ip 10.0.0.1 then the router will have to destination nat incoming packets
21:32 < Apachez> because the packets will be addressed to the wan ip of the router
21:32 < Apachez> and not the server itself
21:32 < Apachez> so the router changes the destination ip and forwards the packet while it at the same time creates a connection track entry in its conntrack table
21:32 <+catphish> a "normal" router will only look at the destination, address, and won't change it, NAT routers are a bit more complicated and will change those addresses as needed
21:32 < Apachez> so when the server responds back to the srcip the router knows it should change the srcip of the returning packet to the wan ip instead of the server ip
21:33 < Apachez> the problem with nat comes with anchient protocols like ftp
21:33 < Apachez> where the server will inform the client which ip to connect to
21:33 < kottt> ethernet frames get stripped off an replaced at every hop on a path, right? so as a rule your src/dst mac address info is just gonna be the hw addresses of the adjacent devices for the most recent hop.
21:33 < Apachez> however the server will tell the cleint to connect to 10.0.0.1
21:33 < xz> as they use port range instead of single port?
21:34 < Apachez> whcih will never find its way to the wan ip
21:34 < Apachez> so server can be manually configured to give out the wan ip of your router instead to make this work anyway
21:34 < Apachez> anyway things goes south quick :)
21:34 <+catphish> kottt: yes ethernet headers are totally replaced at every hop
21:34 < Apachez> as catphish said a regular router just routes traffic
21:34 < Apachez> that is it looks at dstip and then it looks at its routing table to find out what next hop is and then just forward the packet to the nexthop
21:34 <+catphish> kottt: those addresses are only useful inside the LAN, as you say
21:35 < kottt> source IP address is till gonna be the original sender (eg outside client reaching the FTP server), and your router, doing port forwarding, is literally translating the destination address when it sees traffic that triggers its rule (eg port 21 -> 10.0.0.7 or wherever your FTP server is privately)
21:35 < Apachez> while a homerouter normally also does nat to make stuff work
21:35 < Apachez> like snat for outbound traffic and dnat for inbound traffic
21:36 < tds> to make internal connections to services exposed externally you're also stuck with either doing nat reflection or split dns (assuming you're doing nat)
21:36 < kottt> is there even a technical distinction between port forwarding and NAT/PAT? isn't PF just a higher level extrapolation of NAT?
21:36 < kottt> targeted at non-technical weenies
21:37 < Apachez> sorry for killing the channel :(
21:38 < UncleDrax> (how dare you explain something to someone that wants to learn!)  [sarcasm should be obvious]
21:38 <+catphish> kottt: there are loads of terms for types of NAT, i wouldn't pay too much attention to them
21:38 < MACscr> am i asking dumb questions or am i muted right now or something?
21:38 <+catphish> NAT, PAT, NAPT, port forwarding, SNAT, DNAT
21:39 <+catphish> MACscr: bad timing probably, channel is busy
21:39 < tds> people also like calling plain NAT done on prefixes "NPT" for v6
21:39 < UncleDrax> MACscr: Apachez had the token.. darned shared collision domain networks
21:40 <+catphish> kottt: it's more important just to recognize what is being rewritten in your specific case
21:40 < kottt> yeah, I guess that's what the different terms help to identify
21:40 <+catphish> personally i use the terms "source nat" to means the source ip (and possibly port) and changed, and "destination nat" meaning the destion ip (and possibly port) are changed
21:41 < kottt> it's all just network address translation, but port forward kind of implicitly means "traffic directed to the local zone of a routing device is redirected to an internal IP"
21:41 <+catphish> but there's lots of alternative terms, if in doubt, seek clarification of what is actually being rewritten
21:42 <+catphish> port forward is unambiguous, it's call i call "destination nat", the destination IP (and probably port) is rewritten
21:42 < MACscr> ok, if my vpn client gets an ip of 10.8.0.x and can ping 10.0.1.2 and 192.168.0.2 that are assigned to lan interfaces on the vpn server, what do i need to do on the server to allow the client to access those subnets as a whole? the vpn server of course can ping any ip on that subnet as well. Its an ubiquiti edgerouter.
21:43 < MACscr> i know when doing my own vpn with iptables and openvpn, i did something like: iptables -I FORWARD -i tun0 -o eth+ -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
21:43 <+catphish> also, don't forget that when doing some kind of NAT, you usually need to do the opposite NAT on reply packets going the other way
21:43 <+catphish> so with port forwarding, you rewrite the destination address and port, on the way in, but you have to rewrite the source address and port on the replies going out too :)
21:44 <+catphish> stateful firewalls know to do this automatically, you only have to set it up one way
21:44 < kottt> bah, it's all handled in conntrack
21:44 < kottt> <_<
21:44 <+catphish> yep
21:44 < Apachez> kottt: every L3 hop
21:44 < Apachez> so passing through a L2 switch the ethernet frame is intact
21:45 < Apachez> kottt: port forwarding is just the common name
21:45 < Apachez> while NAT and PAT is the more technical description
21:45 < Apachez> where NAT operates on srcip/dstip
21:45 < Apachez> and PAT operates on srcport/dstport
21:46 <+catphish> or "NAPT" which means both i believe
21:46 < Apachez> which gives when people say NAT-router they usually mean NAT/PAT-router
21:46 < Apachez> never heard of NAPT during the years
21:46 < Apachez> N-APT perhaps
21:46 < Apachez> national advanced persistent threat :P
21:46 <+catphish> https://en.wikipedia.org/wiki/NAPT
21:47 <+catphish> you're a national advanced persistent threat
21:47 < LFSveteran> NAT enabled for certain ports is NAPT?
21:47 <+catphish> MACscr: your problem is likely that there's no return routes from those hosts back to your client
21:48 < UncleDrax> ANPT? (damn pipe threading)
21:48 <+catphish> you can send packets to 10.0.1.99, but it doesn't know how to send packets back to your 10.8.0.x IP
21:48 <+catphish> MACscr: there are 2 solution, 1) set up a route on that remote network's router, so it knows to sent 10.0.8.0/24 via the vpn server
21:49 <+catphish> MACscr: or 2) use NAT so all the packets appear to come from the VPN server's IP
21:49 < MACscr> catphish all im doing though is replacing my openvpn server/gateway with this edgerouter
21:49 <+catphish> err
21:49 <+catphish> is the vpn serer also the default gateway for those networks?
21:49 < MACscr> ah, though i guess i do have this test one as 192.168.0.2 and not 192.168.0.1, which acts as the gateway for those hosts
21:49 < Apachez> MACscr: have you read the ubnt howtos?
21:50 < MACscr> ah, i think that might be it. going to do a test
21:50 <+catphish> it'll only work if the vpn server is the gateway for those networks
21:50 <+catphish> otherwise you'll need static routes
21:50 < MACscr> yep, that was it. thanks!
21:50 < MACscr> i knew i was missing something simple
21:51 <+catphish> cool
21:51 < LFSveteran> sound like my problem
21:54 < xdroop> Poster: no, this is a VPN given to me by a partner for access to their network -- they are not networking guys so this is all they can do
22:01 < LFSveteran> where can I find info about routing with conntrack?
22:01 < LFSveteran> If I can create the rules myself the better
22:03 < Craig__> Hello
22:03 < ||cw> LFSveteran: you don't exactly route with conntrack.  conntrack just helps out with NAT keeping track of where connections go
22:04 < ||cw> LFSveteran: you shouldn't need to do anything with it, except maybe for something FTP-like that it doens't already handle
22:04 < LFSveteran> it bundles different routes? eg. group them?
22:04 < ||cw> no?
22:04 < LFSveteran> ok
22:05 < ||cw> it tracks connections.  like, it inspect for FTP traffic and looks for the alternate port commands and sets up that connection map automatically
22:06 < ||cw> most protocols don't really need it, standard NAT tracking works fine
22:06 < LFSveteran> ok, need to dive into NAT then
22:07 < LFSveteran> problem: "router" listens to eth0 at certain port, and forwards this through eth1 to external server, and traffic is to be routed back
22:07 < MACscr> catphish everything is working perfectly. Thanks again for the help. Was able to retire my lxc based vpn/gateway. Only negative ive found so far is that i couldnt push routes to the clients, but oh well at this point
22:08 <+catphish> cool :)
22:08 < LFSveteran> let's say its a webpage, I use the address of eth0 and the webserver which the request is routed to is on the network with eth1 of the router
22:09 <+catphish> catfish fact: the catfish is not a type of cat at all, in fact it is a fish
22:10 < UncleDrax> and also delicious
22:11 < ||cw> LFSveteran: do you mean port forwarding?  it's not clear what you want here.  routers don't normally listen on ports and forward to external servers
22:11 < LFSveteran> a fish specially for cats?
22:11 < LFSveteran> typical port forwarding
22:12 < LFSveteran> I call it router, but propably not a router my bad
22:12 < ||cw> port forwarding is for external clients to connect the router and it forwards to an internal server on the LAN
22:12 < ||cw> eth0/1 arne't important either, but which is WAN and which is LAN are
22:13 < ||cw> so, what's the question?
22:13 < ||cw> how do to it?  it depends on your OS
22:15 <+catphish> lalalalalalala
22:15 < LFSveteran> https://awwapp.com/b/u6d9sxgjp/
22:16 < LFSveteran> and done with linux/iptables
22:17 < ||cw> LFSveteran: is the middle box a router?  this is really unclear
22:17 < ||cw> IDK why you'd do that
22:17 <+catphish> someone erased my drawing :(
22:17 < ||cw> what network is the middle box a router for?
22:17 < LFSveteran> the middle is the "router" e.g. the machine to configure
22:18 < LFSveteran> left is LAN A, right is LAN B or internet
22:19 < ||cw> if you want .2 to pretend to be the web server, you probably actually want a reverse proxy/  nginx or apache can do that
22:19 < LFSveteran> so request is done to the box, forwarded to the webserver and response of webserver is routed back through the box to the pc
22:19 < LFSveteran> actually it will be some samba ports
22:19 < ||cw> if you want the middle box to be a router, then do that, and the PC would then connect tot he web server directly
22:20 < ||cw> CIFS can work over the Internet with normal router.  it's generally a bad idea thought
22:20 < ||cw> use a VPN
22:21 < LFSveteran> it's not the router to the internet, so not the default route
22:21 < ||cw> so make a route on your router to send traffic to that subnet out that alternate gateway
22:22 < ||cw> is that already a VPN?
22:22 < LFSveteran> so modified drawing
22:23 < ||cw> I dont' quite understand LAN B.  is it internet?  or a private lan?
22:23 < LFSveteran> private lan
22:23 < ||cw> I get you're trying to be minimalist in what info you expose, but you're being too minimal.
22:23 < LFSveteran> just two separate lans
22:24 < ||cw> then why does it have a public IP?
22:25 < ||cw> you just need to add routes.  you need the middle box to act as a router, without NAT probably, and modify the router that's the default route on both LANs to direct traffic to the other subnet over this middel box
22:26 < ||cw> the big ugly question is, why is it going through this middle box in the first place?  just make your router do it, that's what routers do.
22:27 < LFSveteran> I want the server seperated from the rest
22:31 < ||cw> then add your routes on the routers.  you could add them on each client that needs access across
22:32 < ||cw> since you said samba share I'll assume the PC is windows.  something like this would do: route add 192.168.10.0 mask 255.255.255.0 192.168.0.2
22:33 < ||cw> and something similar on that server too
22:33 < LFSveteran> trying to use the router then
23:08 < mawk> is TCP out-of-band bad ?
23:36 < truckcrash> So google has just made .app publicly open to registration - they stipulate that users of .app must use https. This raises a number of questions but primarily how do they plan on enforcing that? Anyone know?
23:39 < AlexPortable> Would you say wpa2-enterprise is more secure than wpa2-personal?
23:40 < ||cw> mawk: out of what band?
23:40 < qman__> AlexPortable: depends on the threat and the implementation
23:41 < ||cw> AlexPortable: sure, users all using the same password isn't really very secure
23:41 < AlexPortable> every user/device another password?
23:41 < ||cw> one user leaks it and you don't really have a password anymore
23:42 < AlexPortable> but isn't that just the same problem as with wpa2-personal?
23:42 < ||cw> no, you can disable one user or change their password and all the other users are unaffected
23:43 < AlexPortable> can i somehow limit one password per device?
23:43 < ||cw> are you sure you know what wpa2-enterprise is?
23:43 < AlexPortable> yes
23:43 < ||cw> then why are you asking that?
23:43 < AlexPortable> i dont know if its possible
23:44 < mawk> just out-of-band ||cw
23:44 < ||cw> if what is possible, the question makes no sense
23:44 < mawk> OOB data over TCP
23:44 < ||cw> mawk: and into what other band?
23:44 < mawk> it's send in priority over normal (in-band) data
23:44 < mawk> sent
23:45 < ||cw> that's not what out of band means
23:46 < mawk> I'm not responsible for how they called that
23:46 < ||cw> who
23:46 < mawk> people who designed TCP OOB
23:47 < mawk> using send(2) with flags = MSG_OOB allows to send 1 byte that should be transmitted with high priority to the recipient, and it will generate a SIGURG signal
23:47 < mawk> and the byte can be read with recv(2) with flags = MSG_OOB, given some conditions
23:49 < ||cw> that doens't seem useful for transmitting actual data.  more for sending a command to interrupt normal processing
23:49 < mawk> yeah, exactly
23:49 < mawk> I was wondering if the usage of this thing is recommended against or not
23:49 < mawk> I know telnet uses it extensively
23:50 < ||cw> I wouldn't use it unless you really need it
23:50 < ||cw> just like many other things that affect priority
23:50 < mawk> it would be to cancel a transaction
23:50 < ||cw> that would seem important
23:52 < joro_> Hi guys, i want to ask... is it possible to learn computer networks, only if you read books... and how would someone practice computer networking ?
23:53 < ||cw> joro_: at a basic level you can learn with virtual machines and their virtual host-only and NAT networks
23:54 < mawk> systemd-nspawn is great for this
23:54 < mawk> especially with a btrfs file system, it takes no time to clone a container and add it to a network
23:54 < mawk> then you can play around with networking, with NAT and all
23:55 < ||cw> assuming you're using a system that supports containers :)
23:56 < joro_> hmm
23:57 < tester> i have 2 aps on the same network. different brands (tplink and some chinese company). both run 802.11n.
23:57 < tester> when i use the same phone to do speed testing, and place it 20cm from each router
23:57 < tester> i get 45mbps on one of them, and 15~20mbps on the other.
23:57 < tester> what can explain this?
23:58 < tester> both are configured to run on 40mhz
23:59 < joro_> i started with docker days ago, is systemd-nspawn better ?
--- Log closed Wed May 02 00:00:04 2018