--- Log opened Thu May 03 00:00:06 2018
00:33 < royal_screwup21> why is 127.0.0.1 also termed local host?
00:34 < ngc0202> because that address will always refer to your local machine via the loopback interface
00:38 < linux_probe> lol
00:39 < Criggie> "localhost" is a hostname, and 127.0.0.1 is an ipv4 IP address that resolves to/from that hostname
00:39 < Criggie> ::1 is an ipv6 IP address that resolves to and from "localhost" as well
00:40 < Criggie> here at work we have a fairly smart internal DNS system using powerdns, that looks up "remotehost" to return the IP for the other box that does redundancy for the one you're on
00:40 <@pppingme> point.. it resolves because the name is in /etc/hosts (or whatever your os's equivalent is)
00:40 < Criggie> its kinda neat.
00:40 < Criggie> yup
00:41 < Criggie> OH MAN
00:41 < Criggie> we had a cellphone arrive at work and get on the wireless, and pfsense issued an IP via DHCP
00:41 <@pppingme> and yes, I've seen people screw it up thinking it wasn't needed
00:41 < Criggie> but pfsense added the phone's hostname to DNS too
00:41 < Criggie> phone was called "localhost"
00:41 < Criggie> that screwed up SO MUCH STUFF
00:41 <@pppingme> ouch
00:41 < Criggie> yeah - it was insane
00:41 < Criggie> So our DNS servers all have a localhost --> 127.0.0.1 record now.
00:42 < Criggie> Never found who owned the phone, just that it was a samsung and probably on a certain floor.
00:42 < Criggie> It never came back either
00:42 < Criggie> So, if you want to screw up random networks, give your device the hostname of "localhost"
00:43 < Criggie> and make it do DHCP requests :)
00:43 < CWNE88> might try that one day
00:44 < tds> evening/morning CWNE88
00:44 < CWNE88> good morning
00:45 < CWNE88> breakfast time
00:51 < kottt> hey, I'm a complete idiot and i love pain, and I set up my old RT-n66u router as a wireless repeater for my unifi home wireless. I honestly think it may give me a more reliable connection than the TP-Link powerline adapter i've been using (which would drop connection several times per day, for minutes at a time)
00:51 < kottt> so far, $$$
00:51 < kottt> however! I can't see any of the other devices on my LAN from a device behind the repeater
00:52 < kottt> i'm wondering if it's possible to work around this, as I'd prefer to be able to reach devices on my network other than just my gateway router
00:52 < kottt> (and the repeater itself)
00:53 < linux_probe> check the settings in both the unifi and the asus, look for something listed as "client isolation"
00:57 < linux_probe> in unifi i think it's listed "access control" I think it's only enabled if you have "guest access" portal and a controller enabled
01:05 < spaces> Criggie you had a setting wrong in pfsense ;)
01:09 < AlexPortable> What's the best EAP protocol?
01:10 < kottt> @linux_probe: Thanks, I looked through the unifi controller extensively and didn't find it. I do not have the guest access portal enabled, no need for it. Then I came back to this machine, and realized I was trying to reach my unifi controller from the wrong IP address.
01:10 < kottt> so it turns out i didnt have a problem at all, i'm just an idiot :derp: =)
01:12 < Criggie> kottt: great spotting - well done
01:12 < Criggie> spaces: yeah - allowing DHCP requests to go into DNS
01:13 < kottt> my next problem is that the only computer i have hardwired into the network now isn't guaranteed to have 100% uptime and last time i closed the unifi controller app on it, the wireless shut off entirely... so I need to figure out how to make the unifi controller not be mandatory, or rustle up a device to host it that I can be assured will have 100% uptime...
01:13 < kottt> or bite the bullet and buy the cloud key... (blegh)
01:13 < linux_probe> hahaha @ Criggie
01:14 < linux_probe> if you have guest access or anything beyond basic access point function enabled, Unifi requires a controller 24/7
01:15 < linux_probe> if i recall, having more than one SSID requires controller also, when controller gets lost it reverts to single SSID setup
01:16 < kottt> yeah, I don't have guest access/guest portal enabled, no desire for it. only one SSID; it should be a pretty barebones setup. which is why i was surprised the wireless shat itself when i closed the unifi controller
01:23 < linux_probe> you must have something enabled that requires controller then kottt
01:24 < kottt> i'll give rebooting that machine another try after wife goes to bed
01:24 < kottt> wireless was down for five minutes when we got home and she started making this noise that im not... really sure how to define.
01:24 < linux_probe> lol,
01:25 < siwica> Both my printer and my phone are in the same network (same wlan, same IP-network, both receive IPs over DHCP). Interestingly my printer always makes a noise when I either switch my phone on or off. Any idea what is going on there behind the scenes?
01:26 < kottt> this is quite remarkable though. even with my connection going over a wireless repeater, i'm getting <1.5ms ping time to the gateway, and barely any jitter
01:26 < linux_probe> the phone is connecting to it to print, automatic junk in background
01:28 < siwica> linux_probe: You mean it establishes or kills a TCP-connection to the printer which might for some reason cause the printer to make some noise?
01:29 < linux_probe> tcp or udp, who knows, but probably "bonjour"
01:30 < linux_probe> https://en.wikipedia.org/wiki/Bonjour_(software)
01:31 < siwica> linux_probe: Neither of the devices is from Apple though
01:31 < linux_probe> probably can change the printer settings to not alert or disable it if not using it for other computers and such.
01:31 < linux_probe> but bonjour is used on most everything now
01:32 < linux_probe> also mDNS
01:33 < linux_probe> also listed as "ZeroConf"
01:34 < siwica> Hm, maybe I should switch my wlan card into promiscuous mode and analyze a network dump
01:35 < linux_probe> anyways, guaranteed it's part of the "zeroconf/mdns/bonjour" print services. it's built into nearly everything now, all phones, tablets, windows 10 etc.
01:41 < siwica> linux_probe: Ok, thanks for the hint. I will check it out. Didn't know it was built into android as well though.
01:42 < linux_probe> only phones without it are ancient flip-phones pre-android that I can think of
02:27 < spaces> Criggie indeed, that can be ideal in some situations but not for clients :)
03:23 < AlexPortable> new house, cat7(a) or fiber?
03:38 < ExoUNX> evening
03:38 < ExoUNX> So, I was able to assign a vlan to my lan port and didn't have to configure it
03:38 < ExoUNX> on the switch
03:39 < ExoUNX> It's a Meraki switch, 8 port
03:39 < ExoUNX> I just told my unifi ap wireless network to use the vlan and it just worked
03:39 < ExoUNX> however these netgear switches I'm working with don't seem to just work
03:48 <@pppingme> AlexPortable there'
03:48 <@pppingme> AlexPortable there's hardly no justifiable reason to run either.. cat6 should be sufficient for years to come
03:49 < dogbert2> hey pppingme
03:49 <@pppingme> AlexPortable I will tell you this, don't worry about what you're pulling, BUT, make it easier to pull in the future, put in conduit, plastic flexible is fine, but put it in, then you can EASILY change it out in the future for only the cost of cable and jacks, no real labor involved
03:49 < CWNE88> or throw in an AP :P
03:50 < AlexPortable> hm
03:50 < AlexPortable> it'll be way harder to put in conduit than the cable though
03:50 <@pppingme> naw, wire everything, still ok to drop a couple ap's around the house depending on size, but anything that won't move (tv, desktops, etc, especially stuff that streams like tv, set top boxes, etc) should be WIRED
03:50 <@pppingme> is this new construction or some kind of retrofit?
03:51 <@pppingme> you said new... conduit is EASY at this point, before sheetrock is up
03:51 < AlexPortable> well new after 'delivery'
03:51 < AlexPortable> so finished product
03:51 <@pppingme> its well worth the expense, and its not hardly any more labor than pulling cable
03:51 <@pppingme> spec it before sheetrock goes up
03:52 <@pppingme> if you just spec empty conduit, it'd probably be cheaper than them pulling and terminating cable
03:52 <@pppingme> then you can pull your own
03:52 < ExoUNX> ffs, these switches are garbage
03:52 <@pppingme> CWNE88 I think owner in ##networking-social misses you
03:54 < ExoUNX> gs748tp to be exact
03:55 < CWNE88> pppingme: that channel is just stupid
03:55 <@pppingme> CWNE88 get more peep's in it
03:55 < CWNE88> got better things to do
03:59 < ExoUNX> so the switch doesn't even show ports below the vlan membership section
03:59 < ExoUNX> https://i.imgur.com/HaA2qgt.png
03:59 < ExoUNX> compared to
03:59 < ExoUNX> http://www.downloads.netgear.com/files/answer_media/images/ryanfiles/29997/4.PNG
04:03 < Evidlo> anyone know if I can resolve shares to IP addresses with smbclient?
04:14 < ||cw> Evidlo: a UNC path includes a hostname, so yes?
04:14 < ExoUNX> screw it
04:14 < ExoUNX> I'll probably just buy some unifi switches
04:14 < ExoUNX> 9+ year old switches suck, especially netgear
04:15 < Evidlo> ||cw: I just did `smbclient -L printserver.example.com` and I get a list of shares across the entire network
04:16 < Evidlo> but the list is just the share names, not what their hostnames are
04:16 < ||cw> is that a DFS server?
04:17 < Evidlo> how can I tell?
04:18 < Evidlo> the first line of the listing says that it's Windows Server 2012
04:19 < ||cw> IIRC windows will tell you what hosts participate in the share, there's probably a way from linux, but that's a samba question more than a networking one.
04:20 < ||cw> smbclient does know the host as DFS is really just a redirect, the real host is connected to directly. maybe just enable some higher debug options.
04:20 < Evidlo> supposedly nmblookup can do this, but I don't understand its usage.
04:34 < Evidlo> ||cw: I'm not sure if that assertion is correct. I'm looking at my connections when I have smbclient open and it just connects directly to the print server
04:48 < Evidlo> still can't get smbclient to give me the ip address
04:48 < light> why not just nslookup?
04:50 < xamithan> Is it using a netbios name?
04:51 < Evidlo> its a print server at '\\foobar.example.com'. I was able to get a list of services with `smbclient -L '\\foobar.example.com\' -U evidlo`
04:52 < Evidlo> but I want to figure out what the actual addresses of these services/printers are
04:52 < xamithan> nmblookup might work, or nslookup as others said
04:55 < Evidlo> I tried `nmblookup -U '\\foobar.example.com' 'printer01'`, but it doesn't even prompt me to login and just says 'name query failed to find name printer01'
04:57 < xamithan> Try the findsmb command, looks to be what you need
04:58 < xamithan> I've no idea how to use it though =o
05:06 < Evidlo> I hate dealing with active directory and samba
05:14 < Kingrat> Evidlo, ive not had the best luck with it either, it works, but it doesnt support everything and ive always had to deal with quirks
05:16 < Evidlo> is that ip address even accessible through the print server? I always thought that jobs went through the printserver and the client never knows what the printers real address is
05:17 < Kingrat> i had to put my samba dcs on a rotation where a cron job restarts the samba service on each one on alternating weeks because the dc was locking up
05:18 < Kingrat> if you have it shared with samba, the client should never have to touch the printer, if you add the printer to the computer via AD and you arent using the printer share, it would be printing directly to it
05:25 < Evidlo> but is there any way to pull the address from the printserver?
05:53 < Harlock> Evidlo print the config page
07:00 < Milos> Why does `ping 0` aka `ping 0.0.0.0` work identically to `ping 127.0.0.1` ?
07:00 < Milos> Since when is 0.0.0.0 meant to be routable in any way?
07:00 < Project86__> I had a more detailed question that escapes me for the moment, but what can I do to hide what I do from my isp? Will dns solve this? If I used a vpn, don't they only see I'm using a vpn and nothing more?
07:03 < Milos> I think I've answered my own question; RFC 1122 defines 0.0.0.0/32 as "this host on this network". But if that's the case, then it should be implemented the same way on any operating system. On Windows trying to ping 0/32 gives an error.
07:11 < Terminus> Milos: mac here. doesn't ping 127.0.0.1 either. just tried linux and it's the only one so far that does that.
07:11 < Terminus> i don't have BSDs handy for testing.
07:13 < Milos> It's weird. I would have thought 0.0.0.0 is basically a black hole if you try to use it anywhere, but I guess if it "turns into" 127.0.0.1 then sort of makes sense.
07:13 < Milos> (In terms of getting a reply, that is.)
07:17 < Terminus> just tried on a mac and ping 192.168.0.0 works. i assumed pinging 0.0.0.0 is like pinging the network address of the entire ipv4 range.
07:17 < Terminus> but then, who controls the entire ipv4 range as a single network? icann? =)
07:18 < Terminus> oh durrr... iana i mean.
07:18 < Terminus> oh lol. iana is a department of icann.
07:19 < Project86__> Anybody?
07:19 < Project86__> I've heard VPN doesn't actually mask what u do from isp
07:20 < Project86__> So does changing default dns do this?
07:23 < Terminus> oooh.. nice. my router can send wake on lan to my PC.
07:26 < Terminus> derp. won't work. desktop is only on wifi. >_<
07:53 < pepee> so, my router is pointing 1.1.1.1 to itself. how do I fix this?
07:53 < kershaw69> hey
07:53 < kershaw69> hows it goin
07:53 < kershaw69> can i ask a question about computer networking
07:53 < pepee> just ask
07:54 < kershaw69> will u answer it
07:55 < pepee> of course not
07:58 < pepee> surely someone else will be able to, though
08:00 <@pppingme> kershaw69 ask your question, everyone has different strengths, someone who knows your question best is likely to speak up
08:01 < pekster> Given that 1.1.1.1 belongs to APNIC and now managed by Cloudflare, your router "hijacking" that IP or subnet is not just undesirable, but flat-out against RFC
08:01 <@pppingme> pepee what router, and why do you think its doing this?
08:02 < pekster> Keep in mind 1.1.1.1 is now run/managed by Cloudflare as a global DNS recursor
08:02 < Apachez-> pepe the router
08:02 < detha_> pepee: contact the router manufacturer and demand updated firmware
08:02 < Apachez-> pekster: piping logs straight to NSA :D
08:03 < pepee> pppingme, because, even when the resolver points to cloudflare, mtr shows only one hop, and latency is consistent with pinging my router
08:03 < pekster> Apachez-: 'eh, they already had the ability to get gag-order tap warrants through FISA, and that was assuming they don't have more "room 641A" units everywhere by now
08:03 < kershaw69> how do i connect 2 computers
08:03 <@pppingme> pepee what router?
08:03 < kershaw69> together
08:03 < pepee> detha_, yeah, I guess I'll have to do that, but... this is telefonica in south america, I don't think they will care much about my complaints
08:04 < pepee> pppingme, some modified (by telefonica) askey router
08:04 < Apachez-> pekster: this way no orders are needed when the "clients" on their own send all their data to them
08:04 < detha_> pepee: if you can put it in bridge mode and supply your own router, that's about the only way then
08:04 <@pppingme> kershaw69 whats your goal? usually just by plugging into the same switch
08:05 < pepee> detha_, yeah, my new router is en route from china
08:05 < pekster> Apachez-: ISPs, yes, but google/cloudflare seem to have their heads in the right place, and I'd wager their hearts too
08:05 < pepee> though it should have arrived some weeks ago...
08:06 < Apachez-> pekster: fun fact, they dont
08:06 < Terminus> pepee: what new router did you buy? i'm a mikrotik shill now. :D
08:06 < kershaw69> pppingme no internet access
08:06 < pepee> Terminus, xiaomi router 3g
08:06 < Terminus> ah...
08:06 < pepee> Terminus, first thing to do: overwrite the firmware with openwrt/LEDE
08:06 < pekster> Except "piping to the NSA" is a bit too tin-foil for my view on government. Tune your own hat layers to taste though :)
08:07 <@pppingme> kershaw69 you're saying these two computers don't have internet and thats what you want? or what?
08:07 < kershaw69> yes
08:07 < kershaw69> offline
08:07 < kershaw69> in DMZ zone
08:07 < kershaw69> or whatever
08:07 < Apachez> tin-foil you say? https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html?noredirect=on&utm_term=.709d2ad36434
08:08 <@pppingme> your answers are vague, are you saying you want them offline?
08:08 < Terminus> pepee: my attitude towards stuff like that is "ewww..." =D
08:08 < pekster> Thanks for making my point; "broken into" != "active help by a corporate entity"
08:08 < pepee> Apachez, there is a famous image
08:09 < pepee> https://cdn57.androidauthority.net/wp-content/uploads/2014/06/SSL-Added-and-Removed-Here.jpg
08:09 < pekster> And yes, anyone not a fool in OpSec assumes government-level alphabet soup groups have the ability to do that, but this is straying a bit far from networking concepts now..
08:09 < pepee> Terminus, why?
08:09 < Terminus> pepee: i just don't see hackish firmware as capable enough or stable enough.
08:09 <@pppingme> anonymip 193.183.116.81 ?
08:09 < Apachez> pekster: not really since its the data networks who are being wiretapped
08:10 < Apachez> and thats not a tin-foil thingy
08:10 < pepee> Terminus, ah. well, that's what the LEDE forums are for. some people say they got it running very stable
08:10 < Terminus> pepee: that's why i chose a mikrotik hap ac for myself and i'm really happy with it. does everything i need it to do and way more. i can do OSPF, BGP, MPLS, etc. on it if i wanted to.
08:11 < pepee> but yeah, these are dev firmwares, they are not stable releases
08:11 < pepee> Terminus, I don't know much about networking, only the most basic stuff
08:11 < pepee> openwrt/LEDE works great for me
08:11 < Terminus> pepee: there's also the fact that you pay for what you get and good hardware isn't gonna be on a cheap router. i paid $145 for mine. it's got triple chain wifi which is overkill for my needs.
08:12 < pepee> though I do want to learn more about networking
08:12 < pekster> Running any project's trunk / git-master is less stable than defined releases, yes. I've run LEDE/openwrt for quite a while generally staying at release points, sometimes backporting specific patches if I had a special need
08:12 < pepee> Terminus, the xiaomi one was $30
08:12 < kershaw69> i wanna transfer files from one comp to another directly
08:12 < kershaw69> but i dont have internet connection
08:12 < kershaw69> it has to be offline
08:12 < kershaw69> without removable storage device
08:12 < Terminus> pepee: i have friends who bought the cheaper hap ac lite for $60 though and they're very happy with it.
08:12 <@pppingme> kershaw69 you don't need internet, simplest way is to plug into a common switch
08:12 < kershaw69> oh ok
08:13 < Terminus> pepee: yeah, i tend to look at $30 routers as having cut corners everywhere.
08:13 < kershaw69> like private IP addressing?
08:13 <@pppingme> if there's a router (no, the router doesn't need an active internet connection) its even easier, since dhcp and all that will be handled for you
08:13 < Terminus> kershaw69: plug one end of an ethernet cable in one PC, the other end in another PC, and use link-local addresses.
08:13 < pekster> Terminus: My border is a $35 (used and/or sale price mind you) with 2.4+5 dual-stack wifi, 5x GigE with full 802.1Q support, and the MIPS CPU is able to route at ~350 Mbps (tested) and that's with a firewall ruleset enabled
08:14 < Terminus> that's what i do when i transfer files from my PC to laptop and vice-versa. i even use the link-local ipv6 address for that.
08:14 < kershaw69> u cant set link-local address
08:14 < pepee> Terminus, as long as it works, it's not a problem for me. the xiaomi one has wifi n/ac and GbE ports
08:14 < pekster> Granted I bought my hardware carefully and it's not the newest MIMO wifi stuff out there, but you can indeed get "decent" (yes, not "high end" at that price-point) stuff without breaking the bank
08:14 < kershaw69> it built into computer
08:14 < kershaw69> i think
08:14 < kershaw69> like MAC address
08:14 < kershaw69> u cannot change
08:15 < Terminus> pekster: can't deny that. it just takes a lot of effort and at some point, you've got diminishing returns with the amount of time you take looking at the $30 price range.
08:15 < pepee> Terminus, actually, it's a bit more expensive, I bought it for $30 at a sale
08:15 < Terminus> kershaw69: yes but you only want to transfer files. why would you need to change it?
08:16 <@pppingme> kershaw69 you don't need to "set" the link-local ip, you just use it, taking advantage that its there..
08:16 <@pppingme> if you plug a bunch of win10 computers into a common switch, with no internet or other network, they WILL be able to share files, etc..
08:16 < Terminus> the only gotcha is if file sharing on windows is only set for private profile, you have to change the profile of that connection to private. windows will always default to public profile for link-local connections.
08:16 < pepee> also, the hardware itself seems good: https://forum.lede-project.org/t/xiaomi-wifi-router-3g/5377
08:17 < pepee> dual-core, 880 MHz (mediatek CPU, though...), 256MB of RAM, 128MB of flash
08:17 < pepee> that's a lot for openwrt/LEDE :P
08:19 < Terminus> and IMO, you should never turn on file sharing for the public profile on windows. isolate that stuff.
08:19 < pepee> only 2+1xGbE, though
08:19 < pekster> If it can trunk VLANs just get an 802.1Q-aware switch and that's little issue
08:19 < pepee> use ssh to transfer files!
08:20 < pekster> Or a dumb-switch if there's no need for separate broadcast domains on the downstream side
08:22 < Terminus> not everything can do ssh by default. also, why would you add the encryption overhead of ssh when your physical connection is already inherently secure? =P
08:22 < pepee> true
08:23 <@pppingme> Terminus because you never know the environment something will be implemented in..
08:26 < pepee> Terminus, err, it was $40, not $30. still, cheaper than any other ac+gbe router supported by LEDE that I could find in my country
08:26 < kershaw69> anyone interested in buying a computer
08:26 < pepee> though hopefully I won't get taxed for it
08:27 < kershaw69> original price $2000
08:27 < kershaw69> but cracked screen
08:27 < kershaw69> can do for 750
08:27 < pepee> kershaw69, the screen is probably not the most expensive part of that computer
08:28 < kershaw69> screen repair quote is half the price of the computer alone
08:28 < pepee> just don't ask scamming "technicians" about prices
08:29 < kershaw69> screen cracking is like taking a new car and driving it for 5 seconds
08:29 < pepee> they, as us, can detect when you don't know much about computers
08:29 < kershaw69> instantly price drops 50%
08:29 < pepee> I'm telling you, don't lose your money
08:30 < kershaw69> screen crack is very expensive to fix
08:30 < kershaw69> even if only small crack
08:30 < pepee> kershaw69, the screen is probably not the most expensive part of that computer
08:30 < kershaw69> yeah it is
08:30 < kershaw69> what else is?
08:30 < pepee> ok
08:31 < detha_> pepee: component-wise, for laptops the screen is probably >1/3 of the bill
08:31 < kershaw69> no
08:31 < kershaw69> half
08:31 < kershaw69> at least
08:31 < kershaw69> usually more
08:31 < kershaw69> even CPU damage is less than screen
08:31 < pepee> depends on the laptop
08:32 < pepee> and only because parts are hard to find
08:32 < pepee> the computer itself is the most expensive part, of course
08:32 < kershaw69> wrong
08:32 < kershaw69> screen is
08:32 < pepee> and you don't even "repair" hardware these days, you replace it
08:32 < kershaw69> exactly
08:32 < kershaw69> replacing screen
08:32 < kershaw69> they quoted me half price of computer
08:33 < pepee> and if you know a thing or two, you know where to find replacements, and how to replace it yourself
08:33 < kershaw69> i dont know how to replace a screen
08:33 < pepee> you find the part, by looking for the part number, and then look for manuals/watch videos on youtube on how to disassemble the laptop
08:34 < kershaw69> laptop screens are not designed to be replaced
08:34 < kershaw69> same with graphics card
08:34 < detha_> replacing a screen is relatively easy. Finding exactly the right component is more trouble than it's worth.
08:34 < pepee> they are easy. ^ is the problem
08:34 < kershaw69> laptops are designed to be replaced entirely
08:34 < kershaw69> not repaired
08:34 < pepee> which is why technicians charge so much... they know where to find stuff
08:35 < pepee> kershaw69, well, if it's apple hardware, then I agree
08:35 < kershaw69> not apple
08:35 < kershaw69> this is HP
08:35 < pepee> btw, which computer is it?
08:35 < kershaw69> HP Spectre
08:36 < pepee> specific model
08:36 < pepee> HP parts finder: http://partsurfer.hp.com/Search.aspx?searchText=
08:38 < kershaw69> HP Spectre x360 NoteBook PC
08:38 < kershaw69> i7-6500CPU @ 2.50 GHz
08:39 < pepee> the cpu alone is $200, though it's a bit old
08:40 < pepee> wait, it's a i7-6500U?
08:41 < kershaw69> yes
08:41 < pepee> ah
08:43 < pepee> I could find 8 HP spectre x360 laptops with that CPU
08:45 < Terminus> i know there's a greater chance of finding replacement screens for cheap laptops here than a spectre. everybody has cheap laptops here so lots of parts to be harvested. spectres, not so much.
08:46 < pepee> yeah, you are right
08:47 < pepee> still, I guess you can find these parts in aliexpress
08:48 < pepee> as an example, you can find a display for this one: http://partsurfer.hp.com/Search.aspx?type=PROD&SearchText=Z8J46US for $50
08:49 < pepee> wait, no, it's much more expensive
08:50 < pepee> $250 on ebay
08:51 < talx> morning guys
08:51 < talx> I have a little situation, I have a linux mint installed on a machine. when I'm using wifi everything seems alright but when I plug in a cable it gives me disconnections
08:52 < talx> and not smooth as it should be obviously
08:53 < talx> any idea what could I check? I've switched the cable and it still occurs
08:53 < talx> any idea ?
08:53 < pepee> check if networkmanager is running. if so, kill it with fire :P
08:54 < pepee> half joking... check the system logs, especially at the time when you connect the cables
08:56 < talx> which logs though ?
08:56 < talx> /var/log/messages ?
08:57 < talx> pepee: I could use tail right? but on which logs file I apply it ?
08:57 < pepee> dmesg / /var/log/syslog
08:57 < pepee> well, /var/log/syslog . run "less /var/log/syslog", then press F
08:57 < pepee> to quit, press ctrl+c, then q
08:59 < talx> ty
08:59 < talx> I will try
09:14 < pepee> later
09:31 < winsoff_> Client A connects to VPN B, of which Client C is a member. Can Client C VNC into client A if the vnc server is running?
09:31 <@pppingme> easy answer... maybe
09:32 < winsoff_> pppingme: If Client A is a windows user, will the firewall act special on the vpn interface?
09:33 <@pppingme> I don't know windows defaults..
09:33 < winsoff_> I have it set not to use the default gateway on the remote network, but I'm not certain if that provides connectivity. I also might just be running tigervnc incorrectly.
09:33 < funabashi> Hi guys can anyone help me in right direction of my troubleshooting in my home network. wlan router from my ISP and my laptop, i drop pings. but directly ethernet cable i get no drops.
09:33 < TotallyNotKim> use 5Ghz
09:33 <@pppingme> firewall issues aside, most vpn's have some kind of peer to peer option.. if this is on, the clients can most likely communicate, if off, they can't
09:34 < funabashi> TotallyNotKim: i do?
09:34 <@pppingme> of course this also assumes clients are all directly connected and not a subnet behind the directly connected client, in which case you'd also have to deal with routing
09:34 < TotallyNotKim> funabashi: are you sure? Separated SSID's? Sounds more like common 2.4 problems
09:34 < funabashi> aha you mean i should maybe disable 2.4GHz also?
09:34 < funabashi> great
09:35 <@pppingme> funabashi in most cases, a clean connection over wired, but a crappy connection over wifi, to the same network, is almost always interference..
09:35 <@pppingme> funabashi do you live in an apartment or other relatively dense housing?
09:37 < talx> pepee
09:37 < talx> ureadahead[334] ureadahead:/var/lib/NetWorkManager/dhclient-wlps0.conf no such file or directory
09:37 < talx> anyone have ever seen this ?
09:37 < TotallyNotKim> fuck network managers
09:37 <@pppingme> talx did you manually type that or copy/paste it?
09:38 < talx> manually typed it
09:38 < talx> heh
09:38 < pepee> afaik, ureadahead is a process that sort of preloads config files
09:38 <@pppingme> cause I've never seen the "W" in NetWork capitalized.. if thats accurate, something is buggy
09:38 < pepee> you need to find the line where networkmanager is changing network configs
09:38 < talx> its not I prolly typo it
09:39 < pepee> also, yeah, no need to type all of that by hand
09:39 < pepee> anyway, I'm gonna sleep... later
09:39 <@pppingme> ok, assuming thats not an issue, that *should* be the info that dhclient got from the dhcp server, its immediately saved for other things to reference it
09:39 <@pppingme> do you see the file, or something similar?
09:41 < talx> well
09:41 < talx> File does not exist
09:41 < talx> at least when I do vi and try to complete with tab
09:41 <@pppingme> talx cd to /var/lib/
09:41 <@pppingme> and run find | grep wlps0
09:42 <@pppingme> is wlps0 the same interface name that shows up in "ip link" ?
09:42 < talx> ip link
09:42 < talx> you mean a command
09:42 < talx> ?
09:43 < talx> when I type ifconfig the name of the interface is enp0s31f6
09:43 <@pppingme> if you do "ip link" you get a list of interfaces, does wlps0 show up as one of the interfaces?
09:43 < talx> yes
09:44 < talx> well it says wko1s9
09:44 < talx> wlp1s0
09:44 < talx> actually
09:44 <@pppingme> so its not listed?
09:44 < talx> nope
09:44 < talx> its like the first time I use linux mint
09:45 < talx> 2nd actually so bear with me
09:45 < talx> :p
09:46 < funabashi> pppingme TotallyNotKim i have now disabled 2.4GHz seems better now. is that in general an issue or just on cheap wlan routers? I live in an apartment
09:46 < talx> I've added the line 'ethtool -s autoneg off speed 1000' to /etc/rc.local
09:46 < TotallyNotKim> funabashi: stupid devices dont use 5ghz automagically
09:46 < TotallyNotKim> if you dont have any older devices, that only support 2.4ghz, just leave it disabled
09:47 < funabashi> ok perfecto
09:47 <@pppingme> funabashi the cause is too many neighbors..
09:47 < funabashi> yeah i have many neighbours
09:47 < TotallyNotKim> 5ghz does a better job at handling this + there arent that many households that use 5ghz yet
09:48 < TotallyNotKim> so less clutter on your end
09:48 < TotallyNotKim> = better signal
09:48 <@pppingme> thats part of it, the other part is that 5ghz penetrates very poorly, won't even pass through some wall/floor/ceiling material.. so harder to see your neighbors
09:48 <@pppingme> and it may not even work across your own apartment
09:48 < TotallyNotKim> thats the downside
09:49 < TotallyNotKim> and upside I guess
09:49 < funabashi> pppingme: i live tiny so no issue with that
09:49 < funabashi> i get very often disconnected so it has been an issue for me. but now it looks nice
09:49 < TotallyNotKim> just get a ethernet cable drum and attach to body then :D
09:50 < funabashi> hehe
09:50 <@pppingme> I'd try different channels on 2.4 as well..
09:50 < winsoff_> pppingme: from windows, what's the easiest way to ask if a router can see a route to a specific host? ping, right?
09:50 <@pppingme> even with a small apartment, the issue isn't distance, its penetration.. 5ghz can have pretty decent range, assuming nothing is in the way
09:51 <@pppingme> winsoff_ simple, but not totally reliable, since the paranoid of this world like to block icmp
09:51 < funabashi> pppingme TotallyNotKim so if you are network admin for a company and has expensive wlan AP you should not use 2.4Ghz together with 5?
09:51 < winsoff_> true, though i guess pinging a windows host won't give me much
09:51 < winsoff_> so I guess I just nmap -Pn? Will that still tell me if it seems down, though? Hmm.
09:51 < TotallyNotKim> funabashi: ofc you can and should
09:52 <@pppingme> funabashi of course I use both, and I place AP's strategically, taking building structure into account..
09:53 <@pppingme> a lot of devices, especially tablets and phones, don't have 5ghz
09:53 <@pppingme> and when I implement both, I essentially double my bandwidth to end users
09:53 < funabashi> ok
09:54 <@pppingme> so if I roll 6 ap's, its like rolling 12..
09:54 < funabashi> so on cheap devices its an issue in general?
09:54 < TotallyNotKim> funabashi: not an issue, more an incapability
09:54 < funabashi> ok
09:55 < TotallyNotKim> but yes, most cheaper phones / tablets or just older devices
09:56 <@pppingme> I also wire anything that doesn't move.. displays, networked tv's, etc.. more especially anything that streams
09:56 < winsoff_> How does nmap know that a device is up if every port it tries is filtered?
09:56 < TotallyNotKim> winsoff_: if it responds at all, maybe?
09:56 <@pppingme> winsoff_ it either responded to a ping (if across a router), an arp request (if on same network), or you ran with -P0
09:57 < winsoff_> Oh, it auto-assumes the host is up if I use -Pn? or did you mean P0 literally
09:57 <@pppingme> probably most -Pn options
09:58 < winsoff_> When we say it's on the same network, does a VPN make ARP requests visible to clients on both networks?
09:59 <@pppingme> probably for an L2 vpn, which is usually a stupid idea
10:01 < winsoff_> Ah, interesting.
10:02 < talx> hey
10:02 < talx> would restarting the interface help ?
10:02 < talx> I have a lot of packetloss when connecting through lan
10:02 < detha_> L2 VPNs often include some form of proxy-ARP, to stop the chatter
10:02 < talx> (cable)
10:03 <@pppingme> talx possibly, but this feels more like whacked info in a config file somewhere..
10:03 < talx> okay
10:03 < talx> but I don't know where to check
10:03 < talx> I'm a newcomer
10:04 < talx> would really like some guidance in this matter if possible
10:04 < talx> :p
10:04 <@pppingme> if you're seeing packet loss over a wired connection, start by replacing the cable
10:05 < winsoff_> Alright, so if I've got two networks--one run by an asuswrt router, the other by an edgerouter x--and I want to test if I can see and connect to hosts from the asuswrt network (which are vpn'd into the asuswrt network) while all of my devices are on the erx network, is there a simple way to do this?
10:05 < winsoff_> If I have two devices on the erx network, I can just connect both to the asuswrt's vpn and see if one device can network with the other device through the IPs exposed by the asuswrt router, right?
10:06 < winsoff_> Both networks are behind nat, obviously
10:07 <@pppingme> there shouldn't be any nat between your own private subnets
10:11 < talx> so I've switched the cable
10:11 < talx> and I'm doing ping right now to 8.8.8.8
10:12 < talx> it says 55% packetloss
10:12 < talx> :o
10:14 < aubrey101> what could be the problem , webservice is accessible over lan but failing over VPN , telnet and ping work fine , http over telnet confirms okay with same port ?
10:14 < xdroop> Anybody know how long it will take for a Cisco 5506X to upgrade Firepower from 5.4.1.7 to 6.0.0.0?
10:15 < xdroop> Like can I go back to bed for a couple hours?
10:17 < needle> heya, anyone already using segment routing on end nodes and services?
10:17 < needle> s/and/and for services
10:20 < MrMart> Hi! I'm looking for a project on github I recall seeing some time ago that increased the packets sent but gave a more stable connection. It was for places with spotty connection. Does anybody recall seeing something like this?
10:21 < MrMart> The latency and throughput was stable but it sent about 25% more packets I believe
10:22 < winsoff_> pppingme: What do you mean? They get what seems to be their own NAT, right? Or are you saying that there is no need to translate addresses on a client connected to the asuswrt network?
10:22 < winsoff_> Since the addresses should just be easily access
10:22 < winsoff_> Accessed*
10:22 < talx> pppingme
10:22 < talx> any ideas?
10:23 <@pppingme> winsoff_ no, you should NEVER be doing nat, the only acceptable place to nat is when you hand off to your ipv4 isp.. there is no reason for nat within your own network, including vpn clients, remote sites, or anything
10:24 <@pppingme> talx if you tried a new cable, then you have a bad nic or bad switchport.. try different ports on your switch
10:25 < winsoff_> To clarify, I'm not NATing anything other than what is already going on. The VPN server is running on a router that has NAT enabled, and the VPN client will be on a network that also has NAT enabled. That's all I'm saying. The VPN server, I presume, is not NATting anything, to my knowledge. It gives the vpn client an ip address that's on the network (192.168.10.2 in this case).
10:32 <@pppingme> winsoff_ sounds like you aren't clear where nat is acting.. nat doesn't work across an entire router, it works across a single interface (more than one if programmed to do so)
10:33 < winsoff_> Right; I just figure that the only way for these two clients to talk is through the interfaces on the routers that face the internet, since that's their connection.
10:35 < winsoff_> I think both networks are 192.168.1.1/24, but when I connect a client from the erx network to the asuswrt's pptp network (too lazy to download openvpn), the address given to that client device is 192.168.10.2 (I suppose this is a configured address given from a configured pool). I'm not sure if this is relevant for the purpose of connecting devices on these networks.
10:36 < winsoff_> Essentially, I'm wondering if I can connect a second device to the asuswrt's vpn server and then try to connect to my original connected device, and if THAT works, if I can guarantee that a device on the asuswrt network (which isn't configured with any special vlans or anything) could connect to said original client, as well.
10:36 < winsoff_> I just want vnc without having to configure ipsec on the erx network. ;-;
10:37 <@pppingme> winsoff_ if you've built a tunnel of some sort between them, then stuff over the tunnel shouldn't be nat'd, if it is, your config is dorked
10:38 < winsoff_> How would I know if I'm building a tunnel?
10:38 <@pppingme> thats more or less a loose definition of a vpn
10:39 < winsoff_> Right. So when you say NAT'd, what do you mean? I only know that if something can't be addressed without first addressing a router itself, it's NAT'd.
10:39 < winsoff_> or some NATting device, that is.
10:39 < winsoff_> So in that instance, the router's giving the device an internal-to-the-vpn IP, but is that NAT?
10:46 < winsoff_> Back in a minute!
11:03 < ne2k> I am aware that this is a "horses for courses" question, so I don't want a lecture. The question is: Hairpin NAT or Split DNS – which wins overall, most often?
11:05 < djph> Residential or biz network (note "biz" assumes a network person doing the work)
11:05 < djph> ?
11:05 < refeaime> Hello, guys. Can you help me with devices that support Wi-Fi roaming (IEEE 802.11k/r) and can make a bridge on wlan and lan interfaces? and can be tiny.
11:06 < refeaime> I think of raspberry pi 3, but it cannot make a bridge, so NAT and routes will be needed.
11:06 < refeaime> Mikrotik can do bridges, but does not support roaming at all.
11:06 < refeaime> What else can do that?
11:06 < djph> ne2k: I mean if we're talking overall (res + biz), I'd imagine that hairpin wins, since every 'consumer' router out there does hairpin (at least that I've seen)
11:07 < djph> refeaime: UBNT UAP-AC-* should do r/k these days (although I stick to the beta tracks, so maybe it's only r in general availability). That being said, you don't NEED r/k to facilitate roaming over wifi.
11:09 <+pppingme> djph I've seen the opposite, its rare that I've seen a consumer router that does
11:12 < djph> pppingme: near on all the ones I've run into will hairpin if you set up dnsname.tld to point to 'home'.
11:13 < refeaime> djph: what if such AP does not OK?
11:13 < djph> but then again, maybe I'm forgetting something key, like "they had a *wrt firmware"
11:13 < djph> refeaime: huh?
11:13 < refeaime> djph: about roaming device.
11:14 < djph> refeaime: "roaming" is up to the client. 802.11r(/k) are "newer" methods for facilitating faster roaming for client devices.
11:14 < refeaime> Because this little AP will sit on a car. In that case IP65 will be needed.
11:14 < djph> o_O
11:14 < djph> err, what?
11:14 < refeaime> djph: Yes, i know, thats client side. So AP must have roaming support as client
11:15 < djph> then you're not likely to want an *AP*
11:15 < djph> ... did I miss some part of your story? what're you trying to do?
11:16 < refeaime> What? Huge place, where static APs will provide stable Wi-Fi connection + roaming support. And there will be a few cars, where IP cams will be set. IP cams have wire. Not OK. Need to add device, that will bridge IP cam to wi-fi with roaming support.
11:16 < djph> cars typically move too fast for wifi. I don't think even 802.11r will fix that.
11:17 < refeaime> djph: this will be warehouse cars
11:17 < refeaime> They not too fats.
11:17 < refeaime> fast*
11:18 < refeaime> And people wash them very hard. So IP65 is minimum. Or very small size, then it can be hidden into cat
11:18 < refeaime> car*
11:18 < refeaime> ATM i really think of raspberry Pi 3, because it has roaming support and can be powered from 5V 1A USB.
11:19 < djph> ... every wifi client has "roaming support" (note, trying to use an AP as a client likely won't, because it's an AP)
11:19 < refeaime> But with bridge... need to create routes and stuff. DHCP from wi-fi wont get to lan of IP cam
11:19 < djph> ... that's not a bridge then
11:19 < refeaime> Thats why i came here!
11:19 < djph> in other words - you configured the rpi wrong.
11:19 < refeaime> To ask you, what can be done
11:20 < refeaime> djph: rPi3 cannot bridge interfaces like that.
11:20 < refeaime> I checked.
11:20 < djph> refeaime: rpi3 is still a generic computing device running raspbian, right?
11:21 < refeaime> IPv4 packet forwarding from wlan to lan will NOT give DHCP area in which APs are working.
11:21 < djph> or well, raspbian or any generic linux image you want to.
11:21 < refeaime> djph: yes, its debian inside.
11:21 < djph> refeaime: because IPv4 packet *forwarding* is *routing*.
11:21 < TotallyNotKim> that car has an RJ45 and you want it to be wireless, did I get this right?
11:22 < refeaime> TotallyNotKim: it has IP cam with wire, yes.
11:22 < djph> refeaime: you need to create a bridge interface, and stick the nic / wlan card into it.
11:22 < TotallyNotKim> yep. ^this
11:22 < djph> refeaime: although, honestly, "get a wireless camera" is the easiest option.
11:22 < refeaime> djph: huh? take rpi3 and USB dongle?
11:22 < refeaime> djph: wireless cameras do not have roaming support =)
11:23 < TotallyNotKim> yes they do
11:23 < refeaime> And IP66
11:23 < TotallyNotKim> that's a different story
11:23 < djph> refeaime: just because they don't have "802.11r" DOES NOT MEAN THEY CANNOT ROAM
11:23 < refeaime> TotallyNotKim: i have asked a few vendors, they said - no.
11:23 < TotallyNotKim> you mean you speaked to some salesman?
11:23 < djph> you're asking the wrong questions. However, yeah, ip66 is the difficult one.
11:23 < TotallyNotKim> spoke*
11:24 < refeaime> No, i have straight contacts to tech guys.
11:24 < refeaime> Axis, Mobotix, bosch.
11:24 < djph> TotallyNotKim: he probably asked "does it do 802.11r" (no), thus he assumes it cannot roam (even though 802.11r isn't a prerequisite for roaming)
11:24 < TotallyNotKim> yep
11:24 < refeaime> djph: no, i presented them my case, and asked, will it work.
11:24 < djph> TotallyNotKim: at least that's my understanding of the situation.
11:25 < refeaime> All i need is not frames drop at wireless connection in huge warehouse.
11:25 < refeaime> no frames drop*
11:25 < TotallyNotKim> if you want no framedrops make sure to stream using tcp
11:25 < TotallyNotKim> but
11:26 < TotallyNotKim> you're still doomed if the connection goes down
11:26 < refeaime> I know.
11:26 < refeaime> Thats why i am setting up roamed Wi-Fi network on a few APs.
11:26 < refeaime> It will be Edimax OAP1750.
11:27 < refeaime> roaming supported and i've got openWRT FW for them, if internal FW will be not enough.
11:27 < TotallyNotKim> cool
11:27 < TotallyNotKim> im done here
11:28 < refeaime> Now clients side in case. I cannot find such clients, that will make bridge. APs, that can do bridges - they are developed to be static APs. And cannot roam.
11:28 < refeaime> So...
11:28 < refeaime> Damn.
11:33 < djph> honestly, it sounds like a better idea is to use a dashcam with local storage, and then upload it to a fileserver or something at the end of a shift. Might mean more cameras (or at least a bunch of SDcards)
11:33 < djph> unless for some reason "realtime viewing" of the thing is a requirement
11:38 < refeaime> djph: dashcam not an option. Operators want to see livestream from NVR. And if needed - send stream to clients. To see how boxes are managed.
11:38 < djph> of course they do...
11:38 < refeaime> Yeah...
11:39 < djph> "we want something that doesn't exist, will likely never exist, and don't want to spend a penny on it"
11:39 < refeaime> Get one stream from camera without frame drop to NVR, and multiply stream from NVR to anywhere.
11:39 < refeaime> djph: are you russian?
11:39 < djph> no, but business is business
11:40 < refeaime> =) you speak like russian in our dialog.
11:41 < refeaime> Like, if you come to a russian forum or MUC with an issue, all guys will say that you are a moron and will give 100500 proofs of that. No solutions or description of a case.
11:41 < refeaime> English world is more userfriendly. Like stackoverflow
11:44 < refeaime> Locally i did tests of rPi3 roaming. And it failed. Got all dumps and sent them to edimax for help, maybe i configured something wrong. And still got no answer... =(
11:45 < refeaime> djph: open network with white mac list will solve this issue? I mean, roaming is fast client switch between encrypted wireless stream.
11:45 < refeaime> If no encryption set, so no roaming needed.
11:45 < TotallyNotKim> dont even think about it
11:45 < refeaime> TotallyNotKim: why?
11:45 < TotallyNotKim> because
11:46 < refeaime> ? 0o
11:46 < refeaime> Hide SSID, set white mac address filter and get it done. TotallyNotKim
11:47 < refeaime> Sniffers may be there, but could not get access to local network due to whitelist.
11:47 <+xand> hiding SSID is less secure than not hiding it
11:47 <+xand> and MAC whitelists are not secure as you can just change your MAC address
11:47 < TotallyNotKim> park 10 meters away, fire up a good antenna, spy a couple of minutes and spoof your mac
11:47 <+xand> also you can sniff all the traffic
11:48 < refeaime> xand: sniff videostreams? Lol. Okay.
11:48 < refeaime> Mac change yes, this can be done...
11:48 < refeaime> But what's the profit.
11:49 < refeaime> Hm... then can be granted access to logistic...
11:49 < TotallyNotKim> cams and other stuff on the same network?
11:49 < refeaime> Maybe some mac blacklist for servers?) allow only NVR access.
11:49 < TotallyNotKim> you are building a ticking bomb
11:50 < TotallyNotKim> and it's already at 10 seconds
11:50 < refeaime> TotallyNotKim: i can ask them to provide fully closed network for surveillance
11:50 < refeaime> I just cannot get this case solved
11:50 < refeaime> Searching for variants.
11:51 < refeaime> Or get it safer, if use VLANs...
11:51 < TotallyNotKim> put those damn cams in at least a properly secured vlan, setup your aps and use your rpi3 as a bridge whatsoever
11:52 < TotallyNotKim> encrypted wlan.
11:52 < TotallyNotKim> bonus points for whitelisting the bridges
11:52 < refeaime> TotallyNotKim: rpi3 cannot make L1 bridge!
11:52 < TotallyNotKim> as you have been told numerous times now, you have to forward the traffic
11:53 < refeaime> TotallyNotKim: yes, forward. Then setup NAT on every rpi3. Awesome.
11:53 < refeaime> and VLAN over all of that.
11:54 < TotallyNotKim> you dont need nat if you do it right
11:54 < TotallyNotKim> in that case the pi gets an ip and so does the cam
11:55 < ne2k> refeaime, can you cable between APs for this fast handoff scenario?
11:55 < refeaime> TotallyNotKim: not sure, how DHCP server can reach IP cam interface via rpi, like it does not exist. DHCP works for an interface. If rpi wlan gets IP from DHCP, lan will not provide DHCP lease to other network on wire.
11:55 < refeaime> ne2k: what?
11:56 < refeaime> i will need to setup DHCP server on every rPi3. Do not want to use static on cameras.
11:56 < ne2k> refeaime, just came back, skimmed the older messages; I think you want roaming clients that can connect to one of several APs to transmit streaming video back to a central location; correct?
11:57 < TotallyNotKim> refeaime: http://www.microhowto.info/howto/bridge_traffic_between_two_or_more_ethernet_interfaces_on_linux.html
11:57 < refeaime> ne2k: i want wireless client, that can roam between APs and provide bridged wire interface.
11:57 < ne2k> refeaime, so are we discussing the roaming bit or the bridge bit?
11:58 < refeaime> ne2k: damn, i do not understand you...
11:58 < TotallyNotKim> ne2k: several aps, I hope cable connected, and a rpi3 as client. IP Cam bridged into the ap network via the RJ45 interface of the rpi
11:59 < ne2k> refeaime, if you control both ends (client and AP), you can do true bridging using 4 address frames (basically, WDS); but if you want something that works with different vendors, you need to use pseudobridge, i.e. do MAC SNAT on the client
11:59 < refeaime> Yes, all APs are static and connected with wire to switches.
11:59 < ne2k> refeaime, if you haven't already bought the APs, you might consider Ubiquiti with their zero handoff protocol
12:00 < refeaime> ne2k: well, i am working for the edimax... so.. ubnt is not an option =)
12:00 < refeaime> OAP1750 will be used. I have a few of them on hand.
12:01 < ne2k> refeaime, ok. it's a shame that no-one else has done an implementation of zero handoff. I saw a research paper on it once and it doesn't seem particularly complicated in principle
12:02 < refeaime> ne2k: edimax may have zerohandoff. But i cannot be sure, due edimax tech guys are offline =(
12:03 < ne2k> basically, you put the individual APs all on the same frequency and in monitor mode; they don't actually run AP software. you then have a connection that sends raw 802.11 frames back over wire to a central device that's actually running the AP software, so there is only one BSSID. it throws away duplicates, and when it sends, it sends to the AP that is nearest based on the RSSIs of incomings
12:04 < refeaime> ne2k: hm...
12:06 < refeaime> ne2k: not sure, that OAP1750 can be brainless.
12:08 < refeaime> There is feature called "Smart Handover", when AP sends DEAUTH to client, if connection is low. And client has to connect to more stable network. But this is AP's choice. Not client's.
12:08 < refeaime> It can make a lot of headache.
12:09 < refeaime> In any case, clients again need to get full auth with new AP.
12:14 < refeaime> TotallyNotKim: you want me to use this config?
12:14 < refeaime> auto wlan0
12:14 < refeaime> iface wlan0 inet manual
12:14 < refeaime> auto eth0
12:14 < refeaime> iface eth0 inet manual
12:14 < refeaime> auto br0
12:14 < refeaime> iface br0 inet dhcp
12:14 < refeaime> bridge_ports eth0 wlan0
12:14 < refeaime> with wpa_supplicant config, ofc.
12:16 < TotallyNotKim> im currently not that sure how you would handle supplicant
12:16 < TotallyNotKim> probably still on the wlan part
12:16 < TotallyNotKim> but yes
12:17 < TotallyNotKim> if wlan is connected dhcp requests on eth0 should travel via wlan to the dhcp server
12:17 < refeaime> TotallyNotKim: um... well, in that case i am not sure, that wired client on rj45 of rPi3 will get DHCP lease from wlan0 network
12:17 < TotallyNotKim> you have to get the ip on the bridge
12:18 < TotallyNotKim> you already set "iface br0 inet dhcp"
12:18 < TotallyNotKim> should be good
12:18 < refeaime> yes, and interfaces to manual
12:22 < refeaime> TotallyNotKim: um... my coworkers say that this will not work. Due rPi3 is not a router.
12:24 < TotallyNotKim> rpi runs linux and linux can be used to route
12:24 < djph> you don't need a router
12:25 < djph> you just need to create br0, stick eth0 and wlan0 (or enp89wq34t5ryewrfhd / wlsdogitfqh3498 if you're using those stupid udev names) into it, and then let it ... well, bridge.
12:30 < refeaime> djph: its not router by HW.
12:30 < refeaime> Not all can be done on SW level
12:31 < TotallyNotKim> stop telling us what we can and cannot do
12:32 < refeaime> damn, you sure, that can be done?
12:32 < djph> refeaime: sure, it's not a "router ASIC" ... but that doesn't mean I can't edit /etc/sysctl.conf and make it route. That being said, you wanted to *bridge* not *route*
12:33 < TotallyNotKim> you can do it the hard way. Static Ip for the cam and for rpi eth0. RPI ip as the gateway on the cam. Connect wlan0 as usual. Enable /proc/sys/net/ipv4/ip_forward and add iptables rule to 1) DNAT + forward incoming stream requests to the cam and 2) SNAT everything that comes from the cam and goes into the network
12:33 < TotallyNotKim> I dont know why you want this so hard
12:33 < dogbert2> hey djph
12:34 < TotallyNotKim> it's much more complex and basically overkill
12:34 < refeaime> TotallyNotKim: just enable ipv4 forward and create bridge?
12:34 < ne2k> refeaime, tell the person you're speaking to that they need to stop being such a Cisco fanboy with no brain
12:34 < TotallyNotKim> do you even read?
12:34 < dogbert2> cameras should always be a DHCP addr
12:34 < refeaime> TotallyNotKim: i do read
12:35 < TotallyNotKim> dogbert2: not in that point to point case, which he shouldnt do anyway. the rpi would get the ip via dhcp in that case
12:35 < djph> 'sup dogbert2
12:35 < refeaime> Ok, will again setup my rPi3, wpa_supplicant config, pre and post behaviour of interfaces and create bridge.
12:35 < refeaime> Then will test that.
12:36 < djph> TotallyNotKim: obviously not.
12:36 < ne2k> refeaime, like I told you, you cannot bridge wired clients behind a station unless you use 4-addr mode (WDS), which requires both ends to agree and support it, or you need to pseudobridge by MAC SNATing on the client
12:36 < dogbert2> yeah, but cameras aren't a thing which should be done via static IP...if we did that at work, we wouldn't be doing anything else :P
12:36 < refeaime> After will test again roaming between APs.
12:36 < djph> dogbert2: sparknotes version -> he has wired cameras that he's sticking on golfcarts (?) that need wifi now... and he doesn't understand what a bridge does.
12:36 < ne2k> refeaime, do you actually have a requirement for bridging? why not use routing on the rpi?
12:37 < needle> bridging is so complex compared to routing, and much more failure prone
12:37 < refeaime> ne2k: i am cretin at routing...
12:37 < needle> I do not get why people prefer bridging over IP routing
12:38 < ne2k> refeaime, start from scratch and tell us your actual setup and actual requirements
12:38 < needle> maybe because they are used to configuring bridging, and not all devices are routing-capable
12:38 < needle> but a rpi can route
12:39 < TotallyNotKim> for the routing approach, this should be applicable, right? https://pimylifeup.com/raspberry-pi-wifi-bridge/
12:39 < refeaime> i prefer bridging, because i worked a lot with ProxMox. So... When case comes to routes - i asked my Cisco/Mikrotik guys to do it.
12:40 < TotallyNotKim> only that he needs to add the port forwards
12:40 < dogbert2> yeah, a RPi can function as a router...
12:40 < TotallyNotKim> while it says "bridge" in the url, they actually dont bridge the interfaces
12:41 < ne2k> refeaime, what are your actual requirements
12:43 < refeaime> ne2k: what scratches you want me to write. I already described case to you.
12:43 < refeaime> Huge warehouse, Edimax OAP1750 is set up at right places to provide stable Wi-Fi and roaming.
12:43 < refeaime> Connected to PoE switches.
12:43 < refeaime> In warehouse cars with wired IP cams are moving. There is power supply, so devices CAN be powered.
12:43 < refeaime> IP cam has IP66 support. Need to send livestream from these cameras to NVR.
12:43 < ne2k> refeaime, does the camera initiate the connection, or the nvr?
12:44 < refeaime> question in device, that will connect IP cam with wireless network without frame drops at AP switch.
12:44 < refeaime> ne2k: NVR. I suppose Synology will be used.
12:44 < ne2k> refeaime, do you have a desire or a requirement to use DHCP on the camera?
12:45 < refeaime> ne2k: desire. Its just easier to control.
12:46 < ne2k> refeaime, ok. I would do routing on the rpi. run dhcp relay on eth0 and run a single dhcp server centrally with a segment for each rpi. create static routes at the centre for each rpi's client subnet
12:47 < ne2k> or you can run dhcp server on each pi, but it's more difficult to manage
12:47 < ne2k> I think you're biggest difficulty is going to be having no drops
12:47 < ne2k> your*
12:47 < ne2k> you might consider a completely different approach, viz. wifibroadcast by befinitiv
12:48 < refeaime> ne2k: yeah... need to be sure, that rPi3 uses roaming. As i asked here some time before - no special config in wpa_supplicant needed for it.
12:48 < refeaime> But i did tests, and got iperf3 speed drops for a few seconds.
12:49 < ne2k> refeaime, how much latency can you tolerate end to end?
12:49 < refeaime> video codec (h.264/h.265) can handle that, but not always. If it's the main frame that gets dropped...
12:49 < ne2k> refeaime, you could look at intra refresh
12:50 < ne2k> x264 supports it instead of keyframes. it's very nice
12:50 < refeaime> ne2k: its early for real tests on place. I am still on HW research.
12:50 < refeaime> So can say nothing about latency tolerance.
12:51 < refeaime> ne2k: i think, we will use h.265. Its more "light" for storage and network load.
12:51 < ne2k> refeaime, well, you presumably know what the video is being streamed for. would it matter if it arrived a second late?
12:51 < nostrora> Hello everybody, my #1 pfsense router has 192.168.1.1 address. and my #2 pfsense router (where my parents live) also has 192.168.1.1. When i connect to vpn to my parents, 192.168.1.1 is #1 router and not #2. how can i manage this ?
12:52 < refeaime> ne2k: second late - OK. Due to wireless connection there is usually 2-5 sec latency, as i know.
12:52 < nostrora> i mean, how can i choose if i want vpn router or mine router ?
12:52 < ne2k> nostrora, either a) some horrible ugly twice NAT nonsense setup or b) change the addressing so they don't conflict
12:53 < ne2k> refeaime, wifi should add no more than a few ms of latency. if you're getting 2–5 s of latency, you have a serious problem somewhere
12:53 < nostrora> ne2k: something like 192.168.2.1 at my parents' router ?
12:53 < ne2k> nostrora, sure. but make sure you understand the consequences of changing this
12:54 < nostrora> ne2k: Sure
12:54 < refeaime> ne2k: in synology.
12:54 < refeaime> There were a few setups: phone))) ((( Wi-Fi AP --- router=== Synology + camera.
12:54 < refeaime> In such setup image on phone from synology app was late by 5 sec.
12:54 < refeaime> Thats normal =D
12:55 < nostrora> ne2k: But this solution also seems horrible to me
12:55 < refeaime> If watching stream from synology and connected wired - all good.
12:55 < ne2k> five seconds of latency is not a real-time video stream any more
12:55 < refeaime> ne2k: yes it is =D
12:55 < ne2k> refeaime, what is the purpose of receiving the video ultimately?
12:56 < refeaime> ne2k: so operators and clients can watch how and what boxes are managed.
12:56 < ne2k> nostrora, if you want to connect two networks together, whether locally or over a VPN, either a) they need to not conflict or b) you need to do some vile workaround for the conflict. there are no two ways about it
12:57 < refeaime> ^^ synology case is just an example, that comes real if phone and synology AP is used.
12:57 < ne2k> refeaime, if you can tolerate that amount of latency, you should have no trouble with roaming. just use TCP streaming to ensure reliable, in-order delivery
12:57 < refeaime> RTSP stream from camera right into phone has minimum lag.
12:57 < nostrora> ne2k: for an enterprise network. i can use 10.x.x.x right? maybe it can be the solution for my #2 router
12:57 < refeaime> nostrora: just use another subnet.
12:57 < ne2k> nostrora, I am baffled
12:57 < refeaime> 192.168.22.X/24
12:58 < nostrora> refeaime: with this solution i'm limited to 256 routers
12:58 < ne2k> nostrora, whut
12:59 < refeaime> nostrora: um... okay. use a longer subnet mask. like 11111111.11111111.11111111.11111110
12:59 < nostrora> ne2k: imagine i have 257 friends.. all of my friends have a router with VPN access.. i don't want to tell all my friends, please use 192.168.1.x - 192.168.2.x 192.168.3.x etc.
12:59 < refeaime> And you will have a lot of subnets
12:59 < refeaime> That will be mask 31
12:59 < refeaime> =D
13:00 < refeaime> OR! use mask 16
13:00 < refeaime> and you will have a lot of IPs with 2 subnets.
13:00 < ne2k> nostrora, perhaps you'd better go back to the start and describe the situation fully so we know what question you're really asking
13:01 < refeaime> ne2k: or he can use mask 16 and have no issues =)
13:01 < ne2k> refeaime, stupid question – you can't just cover the whole space with static cameras, can you?
13:01 < refeaime> except... that only 2 subnets can exist.
13:02 < ne2k> refeaime, there is no possible way that you can know what he needs when he hasn't described what he is actually trying to do
13:02 < refeaime> ne2k: no, i cant. it must be dashcam with live view.
13:02 < ne2k> we went from two subnets to 257 in the blink of an eye
13:02 < ne2k> nostrora, I think you would probably do well to investigate the difference between a site-to-site VPN and a remote-access VPN.
13:03 < ne2k> 257 PoPs with a full mesh of tunnels running OSPF!
13:04 < refeaime> ne2k: i am afk. Will come back some time later.
13:04 < refeaime> if you need me - write me on jabber. me@refeaime.gdn
13:18 < kekmeizter> Would someone like to explain some (probably very simple) dns stuff for me?
13:18 < kekmeizter> If i host a domain at AWS (for example), i automatically get NS records (pointing to some ns-1234-awsdns-12.org type domains).
13:18 < kekmeizter> What do these do?
13:19 < tds> kekmeizter: you need to provide them to your registrar, then the NS records will be added in the parent zone (eg .com for example.com)
13:19 < kekmeizter> tds: I know that, but what are they exactly? Are they simply the domains for "this" dns server?
13:20 < tds> they tell any recursive resolvers that in order to find records under example.com, they need to query the nameservers specified in the NS records
13:20 < tds> so you can find records for any domain by following the chain of NS records up from the root
13:26 < djph> every non-authoritative server pretty much works forwards from the TLD (unless they already have an entry cached)
13:27 < djph> the TLDs have a ... whatsitcalled ... glue record, I think ...
13:28 < djph> so for "example.com", the "com" TLD server has "example -> ask the nameserver ns01.amazon.com" (or whatever)
13:28 < AlexPortable> What is the best EAP to use?
13:29 < djph> EAP? now you're setting up wpa-enterprise?!
13:29 < nostrora> How to choose if i use 192.168.x.x or 10.x.x.x. for my network, i think i need 50 ip no more
13:29 < AlexPortable> why does it matter djph?
13:29 < djph> nostrora: which one do you like the looks of better?
13:30 < Peng_> nostrora: Flip a coin? You could also use 172.16/12
13:30 < nostrora> djph: 192.168. but for me it's more for home network (i know that doesn't count)
13:30 < djph> AlexPortable: because yesterday you were having trouble with vlans and an ISP trash gateway.
13:30 < needle> take 10.x.x.x nostrora
13:30 < kekmeizter> djph: What im not getting is why do both I and the parent dns need these NS records?
13:30 < djph> nostrora: well, then use 192.168.x.x
13:30 < nostrora> lol
13:31 < kekmeizter> djph: Wouldn't it be sufficient that the parent had them?
13:31 < AlexPortable> djph: yes that's another network
13:31 < nostrora> 10 or 192 ? x)
13:31 < Peng_> kekmeizter: In theory, you're probably right. But it's a rule, so you have to do it.
13:31 < needle> nostrora: take 192.0.2.0/24
13:31 < Peng_> kekmeizter: I don't know what the technical rationale for the rule is.
13:32 < djph> kekmeizter: "you" have them cached, so that in 5 minutes when you go from "www.example.com/index.html" to "www.example.com/cool_links.html", you don't have to ask the parent (root) nameservers again for "example.com"
13:32 < djph> kekmeizter: or, did you mean something else?
13:33 < kekmeizter> djph: When i said "me" i meant me as in the dns of example.com
13:33 < kekmeizter> So why do both example.com dns and .com dns need the same ns records
13:33 < djph> kekmeizter: you need them, because you're the authoritative server for "example.com".
13:34 < djph> the ".com" TLD literally just has "example.com -> go ask kekmeizter's DNS server"
13:34 < Peng_> You "need" them because the protocol tells you to, but I don't know of a technical reason for it.
13:34 < Peng_> In an alternate universe, if DNS was designed without authoritative DNS records, alterna-DNS would also work.
13:34 < Peng_> Probably.
13:34 < tds> I've seen this discussed several times before here and on #dns, I don't think I've seen a technical reason yet
13:35 < Peng_> Nice :D
13:35 < Peng_> I assume it's either in RFC 103x or there's a mid-1990s mailing list post explaining all
13:36 < djph> ultimately, the root DNS servers are low-tier info desks "oh, you wanted example.com? Go three doors down to ns1.amazon.com, and ask them. They'll have everything you need."
13:36 < djph> the TLD servers themselves don't have "example.com -> 192.0.2.200"
13:37 < tds> well, I guess they might do if you had an NS record pointing to the domain itself and then a glue record?
13:37 < tds> ...is that even possible?
13:37 < Peng_> Yes
13:37 < Peng_> It's still only glue
13:37 < Peng_> tds: psg.com does it
13:39 < AlexPortable> What is the best EAP to use?
13:40 < djph> I'm not entirely sure how it works out when domain.com's authoritative servers are ns##.domain.com. I *suppose* that someone (registrar maybe?) has a "my primary DNS is 192.0.2.10" type record, so that there's "somewhere" that can resolve.
13:40 < djph> but that'd mean reading the RFCs and I don't wanna :)
13:40 < djph> AlexPortable: "best" is subjective.
13:41 < tds> djph: that's with glue records (extra A/AAAA records in the parent zone)
13:41 < AlexPortable> most secure ?
13:41 < Peng_> djph: Yes. You enter the glue A and AAAA records at your registrar, and they give them to the registry.
13:41 < djph> ah right, getting the format of glue records screwy because I'm trying to simplify it ... lalalla
13:43 < djph> AlexPortable: depends on cipher(s) available. Last I looked, EAP-TLS was pretty generally considered good
13:44 < djph> but you *can* of course implement PEAP or EAP-FAST using EAP-TLS, so ...
13:44 < Reventlov> Do you know some tools "like" iperf but that interface well with WiFi networks? (keeping track of the mcs used, bitrate, tx power, etc, for example)
13:45 < djph> no
13:46 < djph> I mean, maybe kismet or wifi analyzer -- but realistically, most "wifi check" tools are going to show the immediate stats of the WLAN, and it'll probably be up to you to do magic with the logs (if any)
13:56 < compdoc> anyone good with netplan?
14:02 < BenderRodriguez> Can someone explain to me what a MIB is?
14:02 < BenderRodriguez> I know what SNMP is and how it generally works
14:03 < BenderRodriguez> but what I don't grasp is the concept of MIBs
14:03 < BenderRodriguez> Couldn't you query a device using an OID and get the result and parse it however you wish?
14:11 < Phil-Work> BenderRodriguez, it maps OID to name
14:19 < djph> ^
14:20 < djph> the "phone book" for SNMP
14:26 < detha_> it is slightly more, it defines what type each OID is, and the possible values for enumerations
14:26 < AlexPortable> djph password-only EAP ?
14:26 < djph> AlexPortable: I mean, I *guess* you can do that, but it's no better than WPA-PSK then
14:27 < AlexPortable> well multiple passwords no?
14:27 < djph> (not that WPA_PSK is insecure by any means)
14:27 < AlexPortable> and limiting devices per user
14:27 < djph> oh, you mean EAP w/ like Kerberos / ldap integration to AD then?
14:27 < AlexPortable> no
14:29 < djph> AD or not, you're gonna need something to manage the users via RADIUS.
14:29 < AlexPortable> users file no?
14:29 < djph> unless you can set them right in RADIUS; but I've never done that.
14:29 < djph> it's always been cert-auth, or LDAP backend
14:29 < djph> (or both)
14:30 < AlexPortable> well if you use ldap/passwords, is it more secure than wpa-psk?
14:30 < djph> no
14:30 < djph> it's all WPA2. It's just a different authentication mechanism.
14:31 < AlexPortable> is it less secure?
14:32 < djph> The benefits for WPA-Enterprise come in when you consider "centralized management" of the users. They already have their LDAP/AD/whatever login, or you can push out the new certs via GPO, etc. People can't "forget(tm)" the wifi password, etc.
14:32 < djph> as far as security, it's all a wash.
14:33 <+xand> and you don't need to change it to block someone
14:33 < djph> unless people knowing the password is a security problem (which it can be, e.g. in say creditcard stuff - you don't want dumbass kid at the register connecting their iDevice to the CC processing network)
14:34 < djph> xand: ^ that too
14:47 < refeaime> Ha! i came back.
14:47 < ^7heo> impressive.
14:47 < ^7heo> can you leave again too?
14:47 < ^7heo> because THAT would be really impressive.
14:48 < compdoc> ^7heo is mean
14:48 < ^7heo> Wow, good job Sherlock.
14:49 < ^7heo> I hope you didn't burn too many brain cells on that one.
14:49 < compdoc> result of poor parenting
14:49 < ^7heo> compdoc: for poor parenting, you need parenting.
14:49 < ^7heo> compdoc: but keep talking about what you know nothing about, you'll fit right in.
14:50 < compdoc> ty
14:53 < de-facto> how can i have the networking service restart on ethernet cable replug? i need it to ask for a new dhcp lease
14:54 < Emperorpenguin> de-facto: os? distro? but most importantly: no you don't
14:55 < de-facto> raspbian on raspi3: networking via /etc/network/interfaces for soldered ethernet chip
14:56 < Sout> well I'm sure there are more elegant solutions. but a hack at work is we poll to see if /sys/class/net/eth0/carrier exists. if it does the ethernet is connected. (assuming eth0 is your iface)
14:56 < de-facto> once i replug it won't ask for a new dhcp lease, so connectivity is lost until power cycle
14:57 < de-facto> isn't there a networking option so it restarts dhclient on replug?
14:57 < djph> fairly certain that's supposed to happen on loss-of-carrier already...
14:58 < de-facto> i thought so, yet it stays on its old ip which makes it unreachable
14:59 < djph> although, on the other hand, if the lease hasn't expired yet, that could be sane
14:59 < djph> *could be considered sane
15:00 < Sout> de-facto, that sounds really funny. do the pi forums really complain about that? As i suspect there should be a lot of info about that bug if it exists.
15:00 < djph> although, one would have to check the RFC to verify if "assume the old address is still OK" (and for how long)
15:01 < de-facto> i guess it just stays until the lease expires, yet doesn't check if the cable was unplugged meanwhile, which should invalidate it imho
15:02 < de-facto> e.g. assume the lease is gone once connection is lost and ask for a new one once the cable is replugged
15:02 < djph> it should - I mean, I'd expect a short delay because reasons; but if longer than <1s delay, dump the IP
15:03 < de-facto> yes, how can i configure that in eth/networking/interfaces?
15:03 < djph> Wait, are you running any network manager?
15:03 < de-facto> not that i know of
15:04 < djph> perhaps 'allow hotplug' (or whatever the syntax is)
15:04 < de-facto> i have "auto eth0" and " iface eth0 inet dhcp"
15:04 < de-facto> yes tried " allow-hotplug eth0" yet i read it's for usb interfaces
15:05 < de-facto> so no effect for physically soldered chips
15:05 < djph> no
15:05 < djph> wtf insanity is that
15:06 < djph> "allow-hotplug" just tells the system to enumerate whenever (even if not plugged in right now)
15:06 < AlexPortable> how can i limit a specific device per login on radius?
15:07 < djph> ah fuck, I misread the line, you're right de-facto it's for the *controller* being plugged in or not, not one of its interfaces
15:07 < djph> AlexPortable: mac address?
15:07 < de-facto> i tried it, allow-hotplug didn't make any difference
15:07 < djph> I mean, it's not perfect, but ...
15:07 < djph> de-facto: guess unplug it and read dmesg, see if something's being dumb?
15:08 < AlexPortable> djph: is that safe?
15:08 < djph> AlexPortable: "safe" in what sense?
15:09 < AlexPortable> spoofing
15:10 < djph> AlexPortable: I'm not sure what you're asking anymore -- what'd you mean by "limit a specific device per login"?
15:10 < de-facto> i guess network manager could do it, yet i'd like to stay with the standard networking service
15:10 < AlexPortable> well user 'foo' is only allowed to login from his phone, not from his laptop
15:10 < djph> de-facto: maybe systemd is getting weird (IDK ... )
15:10 < AlexPortable> also if he would give the details to someone else, the person shouldn't be able to login
15:11 < djph> AlexPortable: I *suppose* a MAC check could be used -- but realistically, it sounds to be rather arbitrary of a restriction.
15:12 < AlexPortable> what do you mean?
15:12 < djph> also, if he gives his credentials out, he's still the responsible party when that other person does something bad.
15:13 < AlexPortable> well but no way to limit that?
15:13 < AlexPortable> can't really say "hey the person that came in here 5 minutes ago you are responsible for x"
15:13 < djph> I mean that "you can login from device A, but not device B" doesn't seem to be anything beyond an arbitrary rule
15:14 < djph> AlexPortable: that's the entire POINT of having WPA-Enterprise logins. When the feds say "hey, we see your IP address is doing something bad on $DATE", you look at your logs and say "that was done by $USER"
15:15 < djph> or internal auditing, anything else. If a user is stupid enough to give out their credentials to your network, and someone else does something bad, well too bad for the idiot who gave out his credentials.
15:15 < detha_> AlexPortable: (x) You are proposing a technical solution for a management problem.
15:15 < AlexPortable> well how do i identify those idiots?
15:16 < AlexPortable> since it's mostly just random users
15:16 < djph> AlexPortable: YOU DON'T. That's the point. HR just fires them for downloading whatever illegal activity.
15:16 < detha_> You don't restrict it. You detect it. Then you take the user to a conference room and apply the clue-by-4
15:17 < djph> wait .. what is the usecase here? Is this *not* for a corporate-trusted-network?
15:18 < shtrb|work> djph, jurisdiction, and you are requesting to retain logs which can be not legal
15:18 < djph> shtrb|work: huh, what?
15:19 < shtrb|work> welcome to 2018, if you have business in the EU (or even have workers with EU citizenship) you MUST have proof that the user knows data is retained
15:19 < detha_> shtrb|work: luckily most of the world doesn't suffer from GDPR yet
15:19 < shtrb|work> lol
15:19 < shtrb|work> detha_, I took only two days of a week long training for it, it's a nightmare
15:20 < djph> shtrb|work: that makes no fucking sense. It's the business's data, you have no "personal privacy" there.
15:20 < shtrb|work> djph, that's not that simple
15:20 < djph> shtrb|work: look, he apparently wants a WPA-Enterprise network. THERE IS NO PERSONAL DATA
15:21 < detha_> shtrb|work: I know. It's one of those things that lead to 'Please tick this box if you are .eu resident'. On checkout: 'Sorry, you are .eu resident, we will not sell $goodies to you'
15:21 < shtrb|work> djph, the crazy part is it applies to you even if you don't even handle end user data
15:21 < cnf> of course there is personal data
15:21 < djph> but good news, while the US is the third world, we at least recognize that a corporate network is owned by the company, and your user account is not "personal information"
15:22 < djph> I mean, it's probably *linked* to personal info ... but ...
15:22 < cnf> djph: well, i would say that makes the US a 3rd world country
15:22 < djph> cnf: meh, we're third world for other reasons :)
15:22 < shtrb|work> djph, a US registered firm that has workers in the EU needs to behave
15:23 < shtrb|work> I don't know how other AS A service providers handle that fun
15:24 < djph> err, good for them?
15:25 < shtrb|work> djph, will your workers ask for a sick day ? (hence personal privacy )
15:25 < shtrb|work> you call in sick ? you use the work phone for that
15:25 < djph> but seriously though, GDPR probably doesn't cover "John Doe was identified by his workplace's infosec as downloading kiddie-porn; and now he's trying to tell HR that he gave his credentials to shtrb."
15:26 < djph> and if it does ... "what the goddamn fuck"
15:26 < shtrb|work> djph, good bye BYOD :)
15:27 < djph> shtrb|work: you're making no sense
15:27 < shtrb|work> if users can't use their own devices they can't connect to WiFi
15:27 < djph> shtrb|work: so?
15:28 < shtrb|work> give them only ethernet access
15:28 * shtrb|work grabs the evil IT hat
15:28 < djph> shtrb|work: until he says otherwise, AlexPortable's situation is "WPA-Enterprise ... how do I prove user JDoe gave his credentials to someone else?" The answer is "You don't. If the user account was determined to be doing bad things, JDoe is at fault."
15:28 < detha_> shtrb|work: I predict a lot of rogue AP hunting in your future ;)
15:29 < shtrb|work> :D
15:29 < shtrb|work> no one suggested EAP-SIM ?
15:30 < djph> realistically, AlexPortable has to give the full scenario - there are too many gaps that we have to fill with assumptions.
15:30 < grawity> are you a mobile operator who issues their own SIM cards? no? then good luck using EAP-SIM
15:30 < djph> ^
15:30 < grawity> honestly I kinda wish it was a thing
15:31 < djph> EAP can use smartcards tho, right?
15:31 < shtrb|work> grawity, you do not need to be an operator to have sims issued (test sim cards)
15:31 < shtrb|work> djph, EAP-AKA I think
15:31 < detha_> It would fix my current issues with getting users to install certs on random android devices
15:32 < grawity> EAP-AKA is EAP-SIM but for 3G (or 4G was it?)
15:32 < grawity> smartcard stuff would be ... ordinary EAP-TLS with client certs
15:32 < shtrb|work> grawity, thanks for the correction
15:33 < grawity> shtrb|work: and how do you combine those test sim cards with real employee phones and BYOD and all that
15:33 < rmoore> hey everyone. bit of a repost at request. I am looking for a publicly available sandbox environment to work on network administration skills.
15:33 < Terminus> has anybody here ever gotten wifi wake on lan to work? i've got wake on pcie enabled in bios and have wake on lan enabled for my wifi interface in windows 10 device manager but it still doesn't seem to be working. what else can i check to troubleshoot it?
15:33 < UncleDrax> rmoore: packetracer, GNS3, and a few others
15:33 < shtrb|work> grawity, you don't, you use the sim card as an auth mechanism (plug in the sim card reader )
15:34 < grawity> sigh I think I reconnected to the same server I was on :|
15:34 < rmoore> packetracer looked more like an interactive module series to me from my limited exploration of it. I was looking for an open environment to break and (ideally) unbreak stuff in
15:34 < grawity> hopefully less laggy, this time
15:34 < shtrb|work> grawity, you don't, you use the sim card as an auth mechanism (plug in the sim card reader )
15:35 < detha_> rmoore: gns3, or a bunch of VMs
15:35 < grawity> shtrb|work: so like have a standalone simcard just for EAP-SIM, and a standalone card reader hanging off USB?
15:35 < shtrb|work> grawity, sim card readers are default on corporate laptops
15:36 < UncleDrax> rmoore: PT lets you dink in the configs, you could still use that for easy Cisco-specific practice. (I'm not sure what level of admin skill you possess currently.. so. that)
15:36 < shtrb|work> grawity, I think it will be phased out for the eSIM
15:36 < grawity> shtrb|work: but uh, I see absolutely no advantage in that over "traditional" smartcards
15:37 < UncleDrax> but ya, your options are that, GNS3, VMs, PHY hardware, and/or a combination of all of the above.
15:37 < grawity> well maybe I do, more standard interface and less shitty vendor drivers
15:37 < shtrb|work> grawity, there is nothing better in any of the options (they are equivalent ) just what your vendor uses
15:37 < grawity> but I question whether issuing SIM cards wouldn't be more difficult and counterbalance that
15:38 < shtrb|work> getting sims is just print another batch in a place I worked with in the past (something like 30 minutes ), again it depends on your system
15:38 < grawity> oh, it's probably the Linode<->NTT pipe that's clogged
15:38 < dogbert2> good link for windows command line reference: https://isc.sans.edu/forums/diary/Windows+Commands+Reference+An+InfoSec+Must+Have/23613/
15:45 < shtrb|work> How tf do you lose 20 million accounts ?!
15:46 <+xand> er
15:47 < shtrb|work> sorry forgot to add the link http://www.bbc.com/news/business-43985233 , there must be someone checking his CV
15:48 < AlexPortable> djph: they are not employees
15:49 < shtrb|work> AlexPortable, who are the users to you ? (end user/guest/renters /etc)
15:49 < AlexPortable> end users and guests
15:50 < shtrb|work> Is there a chance that they have EU citizenship or you are an EU business ?
15:51 < AlexPortable> yes
15:51 < shtrb|work> GDPR !
15:52 < shtrb|work> Maybe something you own would be a good option (smart card for each customer to perform the auth )
15:53 < AlexPortable> smartcard on smartphones?
15:53 < shtrb|work> AlexPortable, https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
15:53 < shtrb|work> no , give them a physical device
15:55 < AlexPortable> for what purpose?
15:56 < shtrb|work> authentication ( if you gave your card to someone else you are liable for the actions )
15:56 < shtrb|work> it's like if you let someone use your car and he commits a crime (you will find yourself in jail)
15:56 < AlexPortable> uh and how does this prevent people from getting inside the network?
15:57 < shtrb|work> it's audit , of who is allowed to connect (if you setup enterprise wireless / wired network)
15:57 < AlexPortable> yes but i mean i only want one account per device
15:58 <+xand> what kind of device? you can use certificates and 802.1x
15:59 < AlexPortable> smartphones and some laptops
16:00 < shtrb|work> maybe you could record the result of running the GSM algorithm and use the same keys each time to perform your authentication against the user sim card
16:04 < shtrb|work> And for laptops force them to run dmidecode and get the laptop serial
16:05 < shtrb|work> AlexPortable, but a user could always use his cell as a hotspot
16:05 < AlexPortable> you mean sharing the wifi network
16:05 < shtrb|work> yes
16:06 < shtrb|work> or connecting over usb cable/bluetooth
16:07 < AlexPortable> well that's fine then
16:07 < adip> I have a newbie question. I have two vlans 10.0.5.0/24 and 10.0.6.0/24 and I want machines in different vlans to talk to each other. (i'm using vyos) I assume that I'm supposed to use static routing for that? I tried to find some tutorial, but most are about setups with multiple routers
16:08 < mAniAk-_-> adip: typically each network has its own default gateway and can reach each other via the gateways
16:10 < djph> adip: check the firewalls on the hosts. Assuming the gateway / router for both 10.0.5 and 10.0.6 are the same device, the routing is already in place.
16:12 < djph> otherwise, yeah, the routers for 10.0.5 and 10.0.6 will potentially need a route added - if one is downstream of the other (e.g. 10.0.6 uses 10.0.5 as a default route), then you only need 10.0.5 to have a route to 10.0.6. If they're interconnected via a third network (172.16.0.0/30 - say a VPN for example), then each network would have a route to the other via that 172.16.x block.
16:35 < Sepultura> Hello
16:48 < hamdjan> hi
16:50 < hamdjan> i'm confused about my huawei lte router, which comes with one ethernet port. now when i connect my pc directly to the huawei's ethernet port i can connect to its 192.168.8.1 IP, but if I connect the huawei lte router and my pc to a switch I can't connect to the huawei lte router's IP 192.168.8.1 anymore, why so?
16:51 < grawity> is it a simple unmanaged switch?
16:51 < grawity> does your PC receive an IP address via DHCP in both cases?
16:52 < Atro> I have a stupid question
16:52 < Atro> Can 2 PCs use GRE to the same destination if they're behind a SNAT-ing router?
16:53 < Atro> IP47 has no port
16:53 < hamdjan> it's an unmanaged switch (it could be managed but i just checked the switch's configuration and all ports are in the same vlan)
16:53 < grawity> Atro: mmmmmaybe if they use different GRE keys (tunnel IDs) and the router's conntrack code is capable of distinguishing that
16:53 < grawity> hamdjan: uhh, if it has configuration, it's by definition managed
16:54 < hamdjan> grawity, when connected directly to the huawei I receive an IP from the huawei's DHCP, over the switch I add a static IP, i can try dynamic IP with the switch too if necessary
16:54 < Atro> grawity: so a differentiator is clearly needed
16:54 < Atro> hmm
16:54 < grawity> hamdjan: you shouldn't be changing multiple things at once when trying to work out a problem
16:55 < tds> Atro: I've also done similar things before with just two public IPs on the SNATing router, using keys sounds like a neat idea though
16:55 < hamdjan> grawity, the port on the huawei says "LAN/WAN"
16:56 < hamdjan> grawity, ok i will check with dynamic and report back
16:56 < tds> hmm, apparently conntrack on linux can identify by gre key, so I guess you might just be able to use connmarks
16:56 < grawity> hamdjan: also, you mean static/dynamic on PC, right?
16:56 < grawity> I just checked and Linux's nf_nat_proto_gre understands keys but only for GREv1 (i.e. the thing PPTP and Mikrotik's EoIP use)
16:57 < grawity> not GREv0 (the kind used by regular tunnels)
16:57 < grawity> though, let's see where the conntrack code lives
16:57 < grawity> maybe it can at least *track* them, since NATing doesn't make sense anyway
16:57 < grawity> due to keys being manually chosen, rather than negotiated
16:58 < grawity> ah yeah, you're right
16:58 < grawity> nf_conntrack_proto_gre understands keys in either case
16:58 < tds> interesting solution with the second answer here: https://stackoverflow.com/questions/24743157/how-to-match-gre-key-using/28792111
17:00 < grawity> tds: I'm not sure if anything extra is even needed these days
17:00 < grawity> as long as conntrack can distinguish them,
17:00 < ExoUNX> morning
17:00 < tds> ah, if it's fixed in conntrack that sounds like a much nicer solution :)
17:00 < grawity> "While porting some changes of the 2.6.21-rc7 pptp/proto_gre conntrack and nat modules to a 2.4.32 kernel"
17:00 < grawity> I bloody hope that's fixed by now
17:01 < ExoUNX> just to give you an idea how bad the Netgear GS748TPs are, I had to download Netscape Navigator just to tag ports for VLANs
17:01 < grawity> what version
17:02 < ExoUNX> 9
17:03 < grawity> meh
17:04 < ExoUNX> I mean, the browser is over 10 years old now lol
17:04 < grawity> that's like needing an old Firefox
17:04 < grawity> what did it want – Java?
17:04 < ExoUNX> no
17:04 < ExoUNX> the interface is mainly JS
17:06 < ExoUNX> It's like going back to IE8 lol
17:08 < ExoUNX> It's funny because I google'd vlan configuration gs748tp
17:08 < ExoUNX> and the first link I got was - https://kb.netgear.com/23841/The-VLAN-and-LAG-configuration-screens-do-not-display-correctly-on-my-switch
17:14 < ychaouche> hello ##networking
17:20 < hamdjan> grawity, sorry to report back so late, it worked with dynamic IP, I then disabled the DHCP and enforced LAN mode for the LAN/WAN port and it works now with a static IP too, I'm still going to do some tests
17:35 < ychaouche> I was wondering if XTI is a completely different implementation of the network stack, an alternative to BSD sockets ?
17:49 < skyroveRR> Yolla
17:59 < phre4k> guys, I need a FOSS replacement for Exchange, it's mostly email and contacts. Is there some cool new webapp everyone's using or can you recommend anything? Thinking about Nextcloud+addons
17:59 < skyroveRR> I don't think nextcloud does mails...
17:59 < skyroveRR> phre4k: I think some apps on prism-break.org might be useful.
18:02 < phre4k> skyroveRR: oh, yeah, didn't think about that
18:02 < phre4k> skyroveRR: https://nextcloud.com/groupware/
18:03 < ||cw> phre4k: FOSS required or just cheaper and runs on not-windows? I've used Kerio Connect, and IceWarp seems nice
18:03 < OliverUK> I have a GRE tunnel from a remote site, this is then encrypted using IPSec. On the remote site I have set a default route to the other side of the GRE tunnel (I want all internet traffic to go through the tunnel except the tunnel itself). ICMP and UDP traffic is working fine but TCP traffic doesn't work, it is putting logs into System Logs in Firewall with the protocol as "TCP:SA", any ideas how I could go about diagnosing this?
18:03 < freakynl> phre4k: kopano?
18:04 < ||cw> phre4k: that link is just a web client for imap, so you still have to set that up and hope your mobile client plays nice
18:05 < freakynl> ||cw: why wouldn't mobile client play nice? Been using imap for over a decade to have my mails in sync on multiple devices
18:05 < ||cw> phre4k: Kerio and Icewarp you can use activesync, and use outlook just like with exchange, which is a huge plus in the business world
18:06 < ||cw> freakynl: does it sync your contacts and calendar with your desktop?
18:06 < phre4k> ||cw: FOSS is a requirement, big plus if it's already audited
18:06 < freakynl> ||cw: do you see anything related to contacts and calendar in something called 'Internet Message Access Protocol'?
18:06 < phre4k> this is for a few journalists working with __very__ sensitive sources
18:07 < freakynl> I sync those to nextcloud, or google account
18:07 < phre4k> they'll only be able to access this through VPN with a Linux image I'll provide.
18:08 < phre4k> freakynl: how many contacts? Thought about nextcloud but feared it might turn tits up if there are >7000 contacts with dozens of groups
18:09 < phre4k> I usually provide Nextcloud + mailcow which covers mail, contacts, files and calendars.
18:09 < freakynl> phre4k: I don't have that many contacts, about 250. And I have them mostly for the phone addresses (I don't care much for contacts e-mail wise, then again, I usually respond to them ;)).
18:09 < phre4k> but all of my other clients only have a few hundred contacts and it's already not super responsive (contact load times >1s if you do it over the webapp, synchronising sometimes taking minutes)
18:11 < freakynl> kopano is an exchange replacement and more. nextcloud is basically a filesharing thingy with addons
18:11 < phre4k> didn't really optimise much though, just grabbed the docker images
18:12 < phre4k> freakynl: how about kopano + nextcloud? I see you can integrate NC into Kopano; but Kopano has its own CalDAV/CardDAV implementation?
18:12 < ||cw> been a while since i evaluated Zimbra, but it worked and still seems actively developed
18:12 < phre4k> ||cw: Zimbra gave me nightmares a few years ago
18:12 < phre4k> it's written in obfuscated Java AFAIR
18:14 < phre4k> why is it that nobody does benchmarks for these apps
18:14 < phre4k> like "opening 1000 contacts takes X seconds"
18:14 < freakynl> kopano is a fork of zarafa (which has ceased to exist now) with the addition of desktop sharing and some other stuff
18:15 < phre4k> ouch, the nextcloud contacts issue is actually known pretty well: https://help.nextcloud.com/t/handling-a-large-number-1000-of-contacts-in-the-web-ui/22064
18:15 < freakynl> maybe because it doesn't really matter that much. My clients download a copy to local and I access the local stuff. Whether the background sync takes 5 seconds or 15 minutes is not something I'm usually concerned with
18:15 < phre4k> seems to be the case that >500 contacts slow the system down and >2000 is unusable?
18:15 < phre4k> wonder what happens if I just dump the >7k contacts into a test installation
18:15 < phre4k> sadly they won't give me the contacts because some data in it is sensitive :/
18:16 < phre4k> freakynl: nice, I still know Zarafa. Used it in the past, wondered why I didn't know Kopano :D
18:16 < phre4k> all this rebranding…
18:32 < ychaouche> phre4k: open exchange ? open365 ?
18:33 * ychaouche is quite happy with roundcube and the global contacts plugin.
18:39 < Terminus> phre4k: zimbra. heavy on the resources but uses common open source stuff and has quite fast full text search. like i've searched 150GB inboxes with it.
18:40 < phre4k> Terminus: current server only has 8G RAM, is that enough?
18:40 < phre4k> for like, 8 users
18:41 < Terminus> phre4k: should be. i've run it on 4GB before but 8GB was much more comfortable.
18:41 < Terminus> phre4k: also, it can be integrated with AD so when the user changes his password on AD, the password is changed for mail.
18:42 < phre4k> can't integrate with AD
18:42 < phre4k> they all have laptops separate from each other
18:43 < Terminus> phre4k: well, it's just an option assuming you already have an AD environment. personally, i like having AD around.
18:43 < Terminus> phre4k: also, just because you're working primarily on laptops doesn't mean you can't do AD, at least if you have the budget for it.
18:44 < Terminus> phre4k: but well, you won't really have good AD if you don't trust MS.
18:47 < Terminus> phre4k: just scrolled up and saw your message regarding zimbra source code. doesn't look obfuscated to me. as an example, https://github.com/Zimbra/zm-mailbox/blob/develop/store/src/java/com/zimbra/cs/account/Account.java
18:49 < Terminus> oh, looks like they chopped out AD support for the open source version. bummer.
18:52 < phre4k> Terminus: don't have the budget, it's nigh impossible to separate all of this (required by the client, working with sensitive data about informants and stuff) with AD
18:52 < phre4k> I'd have to be a way bigger company :'D
18:53 < phre4k> that said, you can have a pretty good AD with Samba 4, at least for everything I used it for; you can even use most of Microsoft's admin tools
18:53 < phre4k> only thing which didn't work was WSUS
18:53 < phre4k> that said, I don't support clients with >80 clients
18:53 < phre4k> er, yeah, … English is hard :D
18:53 < Terminus> phre4k: yeah, and you can configure openvpn to autoconnect after login so that takes care of the vpn part as well.
18:54 < Terminus> i dunno. i just go the easy way. if a company requires AD, i tell them to pay for windows server.
18:54 < phre4k> Terminus: I fail to see the connection
18:54 < phre4k> between OpenVPN and AD that is
18:55 < Terminus> phre4k: for when a laptop is always on the road. cached AD stuff expires after 30 days IIRC. you want the laptop to still get synced AD stuff so you need a VPN for that.
18:56 < phre4k> aaaah, got it
18:56 < Terminus> well, not exactly need but exposed windows servers are not a good idea for me.
18:56 < phre4k> yeah that's how I do it for my AD-addicted clients
18:56 < phre4k> for me neither ;'D
18:57 < Terminus> of course, there's the L2TP option as well. =)
18:57 < phre4k> eeeerrrr… L2TP…
18:57 < phre4k> not my most favourite
18:58 < Terminus> phre4k: not mine either but mostly because i never really got an open source implementation of it to work properly plus IIRC, there're problems with NAT with it.
18:59 < phre4k> I once got it to work with xl2tpd but… I think I had to reset it once a week
19:00 < phre4k> L2TP is an abysmal protocol
19:00 < phre4k> Wireguard sounds so cool but I'm sad that it's in beta still
19:00 < Terminus> phre4k: yeah, openvpn is just much easier.
19:00 <+pppingme> just use openvpn, it works smoothly through nat, doesn't have the complications of other protocols
19:03 < Terminus> phre4k: hmmm... so far i'm not reading anything that makes wireguard a compelling option over openvpn.
19:03 < phre4k> pppingme: yeah, sure, me too, I just also like shiny new things
19:04 < phre4k> Terminus: well roaming with OpenVPN has been a hiccup in the past, that is if you switch between multiple network interfaces on the client
19:04 < phre4k> e.g. one notebook kept disconnecting when changing between LTE and wifi, idk why though because it worked with other notebooks from the same series…
19:05 < phre4k> Wireguard in beta also seems to be a bit more performant, that is less resource heavy
19:05 < Terminus> phre4k: hmmm... i've never been in that situation but what i do know is that openvpn gracefully recovers on my desktop whenever i reboot my router or whatever.
19:06 < phre4k> yeah spotty connections are fine, it's the network adapter switch which hiccups from time to time
19:06 < phre4k> didn't get the budget to investigate yet though :D
19:07 < phre4k> they rather spend 300€ on LTE credits than on me fixing this
19:08 < phre4k> fuck clients and their boring-ass budgets
19:09 <+pppingme> I wouldn't call l2tp shiny or new..
19:10 < phre4k> me neither
19:10 <+pppingme> as far as "roaming" (client flipping connections), except for a "pause", I've never had an issue
19:10 < phre4k> Wireguard though
19:18 < phre4k> fyi @ ##networking: I decided to go with SOGo because a) I know it and b) it works and c) I don't have the budget to make a decision for some new and shiny stuff
19:18 < phre4k> I'll do Nextcloud + SOGo + mailcow
19:38 < adip> I'm back and I still have problem with these vlans. one more time, my setup looks like this. vyos, 3 interfaces: 'wan' (home network ip from dhcp. it probably doesn't matter here), vlan5 (10.0.5.1/25), vlan6 (10.0.6.1/24). My goal is to allow hosts from different vlans to talk to each other. Right now I can only ping the router on the other interface, for ex: I can ping 10.0.6.1 from 10.0.5.100 but I
19:38 < adip> cannot ping 10.0.6.100 from 10.0.5.100. Most static routing tutorials are about setups with multiple routers, what would be the "next-hop" in a setup like mine?
19:39 < Donjuanal> you shouldn't even need a static route the networks are directly connected
19:40 < Donjuanal> it sounds like firewalls preventing host to host communication
19:40 < djph> ^
19:40 < linux_probe> most likely you're hitting the "end device" firewalls
19:40 < adip> I tried to configure a nat, and it's working only on vlan5
19:40 < djph> you don't need NAT
19:40 < Donjuanal> you don't need to NAT either
19:41 < djph> What's the default gateway for 10.0.6.100? What's the default gateway for 10.0.5.100?
19:43 < Apachez> is djph drunk again and ircing?
19:43 < adip> gateways are 10.0.5.1 and 10.0.6.1
19:43 < adip> I'll remove nat and test again :s
19:44 < djph> Apachez: no, but making sure adip did it right.
19:45 < djph> adip: take out the NAT, and make sure the windows firewall on each host allows communication with the other network. Also, don't forget setting the right VLANs on the switch(es)
19:47 < adip> djph: i'm using linux laptop and ubuntu vm for ping and iperf testing. vlans on switch are configured correctly, or at least everything seems to work on that part.
19:48 < djph> and the host machine for the VM is getting the right IP? VM isn't behind its own NAT?
19:48 < linux_probe> by default windows and most all os's with active firewall, will block/drop out of subnet inbound traffic :0
19:49 < adip> vm's ip is 10.0.5.102 and laptop's ip is 10.0.6.100
19:51 < bartoc> anyone know how to coax nss into exporting just a cert to a pk12 file?
19:51 < adip> vm is on a bridge, it shouldn't matter here
19:51 < djph> just for giggles, the VM isn't running on the laptop, is it?
19:51 < Demos> anyone know how to coax NSS to export just a cert (and not its private key) to a pkcs12 file?
19:52 < Demos> anyone know how to get NSS to export just the cert and not the private key to a pkcs12 file?
19:55 < djph> asking every minute isn't gonna change the answer
19:55 < Demos> sorry, irc client bugs
19:56 < Demos> please forgive me
19:59 < ash_work> I'm missing something pretty basic here...
I'm trying to boot a vm using pxe; a lot of threads say that when you set virtualbox to use NAT it automatically creates a DHCP server for you, but pxe is never able to connect to it
20:00 < ExoUNX> ash_work, https://github.com/defunctzombie/virtualbox-pxe-boot
20:01 < ash_work> ExoUNX: I've followed that
20:01 < ash_work> the system never gets past checking DHCP
20:01 < ExoUNX> ash_work, otherwise - https://docs.oracle.com/html/E50247_08/vmiug-install-pxe.html
20:01 < adip> I removed nat, vlans still don't work and I cannot ping my home router (192.168.1.1) from either vlan
20:02 < djph> ash_work: sure, the "guest" (VM) side of the network will have a DHCP server.
20:02 < ash_work> djph: isn't that all I need?
20:02 < djph> ash_work: dunno, never bothered with PXE in VMs
20:03 < djph> adip: Where is the VM in relation to the laptop?
20:03 < adip> ash_work: but is dhcp behind the nat the one you want to use
20:04 < ash_work> adip: I assume so... virtualbox supposedly looks in a vm config dir for your pxe script if it exists.
20:05 < ash_work> so it shouldn't really have to have access to the internet or anything else... just whatever local network configuration available to the guest, afaict
20:06 < adip> djph: crude drawing https://imgur.com/BzzzQUb
20:06 < adip> I'll add ip addresses in a second
20:08 < djph> adip: sorry, WHAT MACHINE is hosting the VM?
20:09 < adip> version with IPs https://imgur.com/wBEYnut
20:10 * linux_probe screams "firewalls" at adip yet again
20:12 < adip> djph: It doesn't matter here. Vm is connected via tun/tap to a bridge, bridge is connected to eno3 interface, and ethernet port is connected to the switch.
20:13 < djph> adip: it does in case you fucked it up and bridged the VM to the ethernet interface that's plugged into an "untagged vlan 6" switchport.
20:13 < djph> instead of bridging the VM to eth0.5
20:14 < adip> djph: it is tagged, vm has correct address from dhcp, I can ping vyos's interface on 10.0.6.1
20:14 < adip> linux_probe: iptables --list accept, accept, accept
20:19 < agirus> hey, anyone who understands openvpn?
20:20 < linux_probe> that's like asking if someone wants to randomly fight 90 headed beasts
20:20 < djph> probably a few
20:22 < agirus> i mean mainly with tunneling a public ip from one server to the second. the second is behind nat
20:35 < adip> djph: I'll try to recreate my setup without physical switch, just with virtualization. What would be the correct way to setup internet access for laptop in this setup https://imgur.com/wBEYnut. assuming that I can't rebuild the home network. Why is 2nd nat such a bad idea?
20:45 < ash_work> adip: http://g.jk.gs/FX.png
20:45 < tds> adip: are you able to add static routes on the "home network" router?
20:46 < tds> if so, just a static route for 10.0.0.0/16 (or similar) would solve the problems and wouldn't require double nat
20:47 < adip> ash_work: thx
20:47 < ash_work> adip: you can make them pretty easily here: http://g.jk.gs/index.php
20:47 < adip> tds: I'll try this later, I need working vlans first
21:16 < djph> you probably have working VLANs, and the issue is "testing with a laptop and a VM on that laptop"...
21:18 < Andrew_0010bit> ^
21:18 < Andrew_0010bit> If someone would've told me that ages ago, it would've helped.
21:18 < Andrew_0010bit> Just because you can't reach it doesn't mean it's not working.
21:20 < adip> djph: it actually wasn't. guys in some other channel helped me. Solution was simple http://dpaste.com/06T0HJ2
21:20 < djph> you shouldn't have to write that into ANY configs anywhere. o_O
21:20 < adip> ^^ that address is wan address, I'll have to set it to static
21:21 < djph> something is fubar in some setup somewhere - if you're getting a DHCP address, the default gateway is defined by the DHCP offer...
21:21 < adip> djph: it's just how it looks in vyos config
21:21 < detha> that has so many levels of "eeeew" in it....
21:21 < djph> ^
21:22 < djph> adip: no, I literally mean you SHOULD NOT be defining a static route if you're getting upstream connectivity from DHCP
21:22 < djph> *static default route
21:23 < adip> djph: I know, I'm changing it to static.
21:25 < adip> This is how it really looks http://dpaste.com/13F36CX
21:29 < djph> kind of a random IP for a network gateway, but okay.
21:35 < hweaving> Finally I have a question that doesn't involve low-level kernel stuff
21:36 < hweaving> I can use ff02:whatever as a multicast address and send/receive between machines with no problem.
21:36 < hweaving> If I try using ff16 as the prefix instead, I get lookup failures with getaddrinfo returning ENOENT
21:37 < hweaving> According to "route -6", "ff00::/8" is in the routing table, and I believe that applies to both multicast addresses.
21:38 < hweaving> Why would ff16 be different from ff02 on Linux?
21:40 < ngc0202> does anyone know what unit the SCTP SRTT is in?
21:40 < ngc0202> I can't figure out why I'm just getting 0, unless it's seconds
21:48 < jhed9> ngc0202: I'm looking through a SCTP packet cap, but I don't see an SRTT.
21:49 < jhed9> Then again, i'm a sctp newb.
21:49 < ||cw> ngc0202: should be milliseconds
21:49 < ngc0202> it's something the kernel keeps track of internally, but you can get it from getsockopt
21:49 < ngc0202> oh really? hrmm
21:49 < ||cw> according to page 118 of https://tools.ietf.org/html/rfc4960
21:50 < jhed9> ah
21:52 < ngc0202> now I'm a little more worried about why I'm getting back 0
22:16 < dreadkopp10> Hey community! I currently have the following configuration (minus the Backup filer and the 4 Gbit nics on the right of the ubuntu host) set up which works fine > https://goo.gl/yrWw5N .
22:16 < dreadkopp10> Now I want to add a filer to the network on which the backups should be stored.
22:16 < dreadkopp10> I got a spare 4-port Gbit Nic I'd like to add to the vm host, the filer itself also has 4 Gbit nics.
22:16 < dreadkopp10> For maximum bandwidth i'd like to set up the 4 nics on each side as a bond in mode 4 aka 802.3ad. Now the big question:
22:16 < dreadkopp10> do i need a 802.3ad-capable 8+ -port switch in the middle or can i connect all nics 1:1 to each other ?
22:17 < djph> I don't see why you couldn't do nic-to-nic.
22:17 < djph> you'll just have to use the ubuntu host as a router, of course.
22:18 < ||cw> you can do direct, but it's not going to increase your bandwidth unless you also have multiple sessions
22:18 < dreadkopp10> djph: router is the pfsense vm, the bonding bond0 and bridge br0 are managed by the ubuntu host though
22:18 < felda> pfsense YES
22:18 < ||cw> or you use a multipathing protocol (which uses multiple sessions, so same thing really)
22:19 < djph> If it's supposed to be able to backup from all hosts on the network (rather than just this ubuntu box), then a switch is a better idea.
22:19 < dreadkopp10> since it is connected to bridge br0 which is connected to the physical switch via bond0 it should be accessible from the physical pcs as well, shouldn't it ?
22:20 < djph> in theory. I misread which host(s) were doing what
22:21 < dreadkopp10> pfsense is doing the router / firewall job. ubuntu host just hosts the vms and manages bond0 in balance-alb (since physical switch doesn't support 802.3ad)
22:21 < Johnjay> i heard about pfsense a lot, what makes it superior to just other kind of linux?
22:21 < felda> pfsense is not gnu+linux
22:21 <+xand> pfsense isn't a linux distro
22:21 < felda> pfsense is freebsd
22:21 <+xand> it's bsd
22:22 < Johnjay> ok.
22:22 < Johnjay> so bsd is better than linux is the idea?
22:22 < ||cw> and it's optimized for firewall/router
22:22 < felda> no
22:22 <+xand> I'd say that's rather subjective
22:22 < Johnjay> then why bring it up
22:22 < dreadkopp10> Johnjay I guess you could set up any linux distro to do the same job
22:22 < ||cw> which is the important part
22:22 < dreadkopp10> pfsense is just for the ease of use
22:22 < felda> pfsense is a fork of m0n0wall which was made on freebsd so it stayed there
22:22 < Johnjay> ^dreadkopp10
22:23 < tds> it's just got a pretty web ui that lets you easily set it up as a router, you could easily do the same thing yourself with whatever distro you prefer
22:23 < felda> but them packages
22:23 < Johnjay> yeah tds that's what i was kind of thinking
22:23 < Johnjay> I don't care about gui, just that it works and i can configure it
22:23 < ||cw> well, "easily" is arguable, some might find it easy :)
22:24 < dreadkopp10> you could also do it with a WinXP install on an old P III ;)
22:24 < ||cw> please don't
22:24 < felda> most people aren't linux experts
22:24 < dreadkopp10> however.... I was under the suspicion that bonding in mode 4 / 802.3ad would also increase bandwidth... that isn't the case ?
22:25 < felda> in a VM situation perhaps not
22:25 < ||cw> dreadkopp10: it will, but only with multiple clients
22:25 < ||cw> or multiple sessions with a bit of careful config on the applications
22:25 < purplex88> are "nodes" computers?
22:26 < dreadkopp10> huh... okay. good to know....
22:26 < tds> it'll just hash across a certain link based on the mac addresses (and potentially IPs/ports as well), so a single connection will never see more than a single link's bandwidth
22:26 < ||cw> dreadkopp10: any single tcp session can only use 1 NIC
22:26 < dreadkopp10> so actually I could i.e. run 4 similar rsync sessions to the filer and thereby use the full 4 Gbit ?
22:28 < ||cw> potentially, yes
22:28 < dreadkopp10> hrmm.... guess 2 10gbit nics are the better way to do it and add the 4 nics to bond0.
not what I wanted but I guess that's the better way to set it up
22:28 < ||cw> but yeah, 10G nics are cheap enough now, it's the better option
22:32 < dreadkopp10> but .... a pair of 10Gbit Nics would be so.... easy..... so much less tinkering ... not sure I like it XD
22:33 < tds> get multiple 10Gbit NICs, then you get even more bandwidth and it's still a more complex project ;)
22:34 < dreadkopp10> haha :) only the two machines I could connect with 10gbit nics.
22:35 < dreadkopp10> to connect all the desktops.... o boy... don't want to think about the costs and needed craftsmanship for all the cable work ..... nah....
22:36 < ||cw> but a switch with a couple SFP+ ports could manage the desktops, you'd still see >1G speeds to the servers
22:37 < ||cw> what you wouldn't have is redundancy, unless you got 2 nics each
22:37 < dreadkopp10> for that I already use a 4-nic bond in balance-alb :)
22:37 < ||cw> right, which you wouldn't need with a switch with a couple 10G ports
22:39 < dreadkopp10> :) sure... but that would mean I would not only need a bunch of 10gbit nics but also a bunch of switches with 10gbit ports XD
22:40 < ||cw> based on your diagram, just one, and it only needs a couple, maybe 4 SPF+ ports. the rest would still be gigE
22:41 < dreadkopp10> nah... while that might be nice just because of... reasons it would be total overkill for the rest of the network :) outbound connection is only .5 Gbit. internal network is 50:50 1Gbit and even 100 Mbit
22:42 < dreadkopp10> just need a fast connection between host server and the filer :)
22:44 < dreadkopp10> since the first physical switch itself is connected to 3x Gbit 48 port switches and 1x 100mbit 48port switch without complete makeover of the infrastructure I am limited to 1Gbit (per switch) anyways
22:44 < ||cw> just put it on the wishlist for the next switch upgrade.
you're already doing 8G to the server, so you seem to think you need all that, but really you're rarely going to get 8G even with 8+ clients sending full 1G speeds
22:45 < ||cw> with a 10G, you would see the speeds.
22:45 < dreadkopp10> :)
22:45 < ||cw> and free up some ports for your other switch uplinks to get more than 1G on the uplinks
22:47 < ||cw> having a future plan is nice. especially when the boss wants to upgrade the 100mbit switch
22:48 < compdoc> dont those damn bosses know that change is bad?
22:49 < ||cw> only the bad ones
22:50 < dreadkopp10> on the 100mbit there is only printers though :)
22:51 < ||cw> how'd you manage that
22:51 < dreadkopp10> well... in near future haha :)
22:51 < ||cw> my printers are all over the place
22:51 < dreadkopp10> there might be some pcs connected to it as well :/
22:52 < dreadkopp10> switches -> big switch panel -> ports in the walls in the offices
22:54 < dreadkopp10> but just back to LACP bonding from nics to nics without a switch between ? works? anyone had done this before ?
22:54 < ||cw> I don't see why not
22:55 < dreadkopp10> because... dunno switch need to do his part for the whole LACP-voodoo to work ?! what the hell do I know XD
22:55 < ||cw> but since you need multiple sessions to make it work, you'll get more control if you just put 4 IPs on them without bonding
22:56 < ||cw> and use 4 different subnets so the routing tables don't get weird
22:58 < ||cw> but you could simplify the backup side a bit by using iscsi, scst is nice.
22:58 < ||cw> bit of a learning curve to configure, but works well
22:58 < dreadkopp10> hmmm.... using bonds I don't have to worry about that though .... so various clients from the physical pcs can sync to it and for host->filer transfer I guess I simply start 4 simultaneous jobs for each of the 4 storage pools on the host
22:58 < ||cw> yeah, it's not that simple. 4 jobs from the same host could easily land all on 1 nic
22:59 < ||cw> bonding is not a magic cure all.
22:59 < meth> anyone knows traffic shaping detection tool?
23:00 < dreadkopp10> "bonding is not a magic cure all." -> dang it!
23:00 < dreadkopp10> ;)
23:00 <+catphish> bonding is a magic cure for some things, like switch or NIC failure :)
23:00 < meth> on which layer traffic shaping is done?
23:00 < meth> 3?
23:02 <+catphish> you can inspect at any layer you like
23:02 <+catphish> since the action is just to drop packets, there is no layer involved
23:02 < aaa__> layer 8
23:02 < aaa__> i made a protocol with 12 layers
23:02 < aaa__> can you believe it ?
23:02 <+catphish> that's too many layers
23:02 <+catphish> really the limit should be 10.3
23:03 < aaa__> 10.3333333?
23:03 <+catphish> no, 10.3 exactly
23:03 < aaa__> how you do
23:03 <+catphish> very well thank you
23:03 < aaa__> and dont ask me ?
23:03 <+catphish> ok
23:03 < aaa__> ok
23:06 < linux_probe> now, if taco bell would only make a 12 layer burrito :))
23:06 < S_SubZero> OSI-compliant 7-layer burrito
23:07 < linux_probe> heh
23:08 < meth> what is the point of traffic shaping?
23:08 < meth> ISP wants more money?
23:08 < Johnjay> what is the point of meth?
23:08 < linux_probe> lol
23:09 < linux_probe> meth is bad, meths is good
23:09 < S_SubZero> https://en.wikipedia.org/wiki/Traffic_shaping
23:09 < meth> there is a wiki about it
23:10 < meth> you guys are ISP employees
23:10 < Johnjay> they are?
23:10 < linux_probe> employees or not, everyone pays like a slave for shitty connection :))
23:10 < meth> another question
23:11 < meth> shitty connections are everywhere.
23:11 < Johnjay> your connection can't possibly be shittier than mine
23:12 * linux_probe connects 14.4 dialup
23:12 < Johnjay> linux_probe: what's the biggest file you can download?
23:13 < linux_probe> lol, I used to download all sorts of stuff on dialup, just used a download manager that could restart
23:13 < meth> latest ubuntu iso takes 3 minutes to download
23:15 < meth> the other question, if the line stats are the same and traffic is shaped where is the shaping done, firewall or router or the void?
23:15 < meth> like going from 100Mbit to 2Mbit
23:15 < meth> How they do that
23:15 * linux_probe recalls downloading 4GB dvd's on dialup
23:15 < meth> staph trolling and answer meh
23:20 < Johnjay> linux_probe: that's more than I can download. my connection is highly unstable and stops ~1GB
23:20 < linux_probe> lol
23:20 < Johnjay> yes i've had to get well acquainted with wget since firefox redesigned its plugin system and thus terminally fracked my download manager
23:20 < linux_probe> i havent had dialup since 2003
23:21 < S_SubZero> are you guys waving around your bad connection e-peens
23:21 < Johnjay> yeah. it's like saying my std is worse than your std
23:21 * linux_probe suggests http://www.dslreports.com/speedtest
23:21 < linux_probe> then go fix your brokenness
23:22 < S_SubZero> "My connection is SO bad." "HOW BAD IS IT?!" "My connection is so bad.. it's so bad.. so bad tha$&@@%@!!**NO CARRIER"
23:22 < linux_probe> heh
23:23 < linux_probe> oh look a whole 17.83Mbps x 1.77Mbps
23:23 < linux_probe> it says BAD =p
23:24 < Harlock> +++ath0
23:24 < linux_probe> quality D lol. bufferbloat A!
23:27 < electricmilk> Would having a ton of cellular phones in one area potentially cause congestion?
23:27 < linux_probe> without me traffic shaping, I get lots of F's
23:27 < lupine> electricmilk: definitely
23:27 < linux_probe> of course it would electricmilk
23:28 < lupine> although just registering the phone against a cell tower is pretty cheap
23:28 < dreadkopp10> one last question: first or second ?
https://tinyurl.com/yavlbkx6
23:28 < lupine> the problem comes when all of them want to make a call at once
23:28 < S_SubZero> 'a ton' meaning like 28,000,000,000,000? Yes.
23:28 < lupine> every new year demonstrates that the network is overcommitted
23:28 < electricmilk> nah just 50
23:29 < S_SubZero> it's 2018 how could have not possibly been somewhere that the cell service was overloaded
23:29 < electricmilk> phones work great outside of the location...no service when they are together
23:29 < lupine> a lot depends on your precise location
23:29 < lupine> perhaps there's actually a femtocell nearby fucking everything up
23:29 < S_SubZero> go to any big concert or festival or outdoor event and try streaming youtube
23:29 < lupine> hell, try reading your email
23:29 < lupine> ENOBANDWIDTH
23:30 < electricmilk> Youtube won't stream at a large event?
23:30 < S_SubZero> wow, you.. don't get out much
23:30 < electricmilk> haha not really
23:33 < S_SubZero> Do you understand the concept of a cell tower and what it does
23:33 < electricmilk> so the signal in the area is pretty good according to this app i have (not sure how accurate it is but the reviews said it was good) but if the issue is due to all the cell congestion from all the devices talking to the cell tower then nothing I can do about that and they will just have to deal while they go 50 to outside the building
23:33 < electricmilk> ehh not really
23:34 < S_SubZero> you may want to defer to someone that does.
23:34 < djph> ^
23:34 < electricmilk> So call the provider?
23:34 < S_SubZero> whoever told you to do this task, tell them you're not the right person and find someone else.
23:35 < linux_probe> together, is this an indoor location?
23:35 < electricmilk> yes
23:35 < electricmilk> But phones from other providers work great
23:36 < S_SubZero> it may be a carrier with poor service in that particular spot.
23:36 < electricmilk> makes sense
23:37 < linux_probe> maybe it's on a repeater
23:41 < electricmilk> yes they are on repeaters. Otherwise they would have no signal as it's a huge concrete garage.
23:42 < djph> have that problem in one of my friends' apartments. He's got an AT*T cell tower next door (or close enough), verizon's is forever far away
23:43 < djph> get crap signal ther
23:43 < djph> *there
23:52 * spaces is a repeater
23:59 < ghostyy> ##networking what's your favorite VPN software?
--- Log closed Fri May 04 00:00:03 2018