--- Log opened Fri May 04 00:00:03 2018
--- Day changed Fri May 04 2018
00:00 < S_SubZero> the one that connects me to the endpoint
00:00 < ghostyy> whoa i want that one
00:00 < ghostyy> which one is that?
00:00 < S_SubZero> that one
00:00 < yuljk> Using StrongSWAN on Android and Greenbow VPN on Windows for IKEv2 stuff
00:01 < ghostyy> ooh
00:01 < ghostyy> yeah i wanna use it on android + linux systems i think
00:06 < redrabbit> openvpn
00:33 < drac_boy> hi
00:34 < ash_work> o/
00:34 < drac_boy> just had to wonder but like in general whats the minimum you need in term of hardware (well, ups aside) for to be able to extend adsl service to a further point on map?
00:37 < xamithan> You mean like a dsl repeater ?
00:37 < drac_boy> yeah
00:38 < xamithan> telco uses those in really rural areas.  As a consumer I doubt you could use one
00:39 < drac_boy> so its just one single box .. like with wifi repeater?
00:39 < xamithan> https://www.idpc.com/loop-extenders.htm
00:41 < drac_boy> xamithan I must have been using the wrong keywords when I first thought about it this morning .. thanks for that link
00:41 < drac_boy> anyway yeah I don't doubt you about it not being available to random peasants :)
00:42 < xamithan> A random peasant would have to settle for a point to point link wireless =/
00:45 < drac_boy> xamithan heh well ptp does have its own new issues in certain conditions too but fair enough still :)
00:45 < drac_boy> that aside hows you tonight?
00:48 < electricmilk> SonicWALL is asking for a hostname under WAN interface settings only when I choose DHCP.  Any idea on what I'm supposed to put there?
00:48 < electricmilk> Its just connecting to Cox Business Cable
00:49 < electricmilk> Doesn't look required
00:49 < xamithan> Just asking you what you want the sonicwall to be called
00:51 < electricmilk> xamithan,  But its under the WAN interface port setting and only when set to DHCP...when clicking static the hostname field disappears
00:51 < electricmilk> Its not the system wide setting for the device hostname
00:51 < xamithan> Its a setting for the WAN port hostname
00:52 < electricmilk> weird.  Any idea why its asking for a WAN hostname only when using DHCP?
00:53 < xamithan> No idea,  I'm just going by what the manual says
00:54 < electricmilk> Come to think of it...where is the damn hostname setting for this device??
00:54 < electricmilk> Ugh Sonicwall
00:54 < THE_GFR|WORK> I really dislike Sonicwall
00:54 < electricmilk> It has a "Firewall Name" section which I imagine is the hostname
00:55 < electricmilk> You do get a lot of features for the price...and we were given a TZ300 and a TZ500 for free with enhansed security licenses of 3 years
00:55 < electricmilk> But yea...configuring is a bitch
00:55 < xamithan> I've never actually used a sonicwall but I see lots of them.  The older ones that only do 100m
00:56 < electricmilk> These are new...honestly not as bad as I thought.  The older ones I worked on were HELL
00:57 < electricmilk> okay so I take it they call hostname "Firewall Name"...but on interfaces with DHCP its called a hostname..so confusing
00:58 < electricmilk> Screw it I'm gonna scan it with nmap -A and see what it says for the hostname.  Good way to test the IPS/IDS
00:59 < THE_GFR|WORK> yea
01:01 < electricmilk> hmm. no hostname coming up
01:01 < electricmilk> Logs: 	Flood Protection	Alert	Possible SYN Flood on IF X0 - src: 192.168.254.126:54013 dst: 192.168.254.1:3404 ; Attacks	Alert	TCP Null Flag dropped ; Attacks	Alert	TCP Xmas Tree dropped
01:12 < drac_boy> xamithan not to go a bit too off here but if theres one thing I really don't like .. its that almost noone ever sells a dsl modem anymore which sometimes makes it difficult to do repairs even less new install at times :-|
01:13 < electricmilk> Dude I can't even configure the X3 and X4 interfaces on this thing...what the heck SonicWALL
01:14 < xamithan> Good,  DSL needs to die and make room for fiber
01:14 < electricmilk> Fiber is too expensive out here
01:14 < electricmilk> Running Ethernet over Copper and Cable :-/
01:15 < drac_boy> xamithan wrong
01:15 < drac_boy> electricmilk and fiber access can't even work without copper still needing to be there too anyway so its a moot point
01:15 < xamithan> The DSL provider here can't give more than 20/.5 meg
01:16 < electricmilk> Our main office is running a pitiful 25Mbps up/down
01:17 < electricmilk> Ah I figured it out...I had to go to "portshields" and set the interfaces as unassigned
01:17 < electricmilk> I wish there was a sonicwall channel on this server
01:17 < S_SubZero> make one
01:17 < drac_boy> electricmilk all I care for is getting the handshake for 5-10mb .. its only very rare that even 5mb wouldn't stay up and I have to then phone the super-high tech line and ask them to take over this house for me
01:17 < drac_boy> :)
01:17 < electricmilk> Bah..alright
01:27 < electricmilk> meh alright so I made ##sonicwall.  If anyone ever has SW questions please send them over.
02:15 < Johnjay> i guess my question is is it a company or a product
02:15 < Johnjay> https://en.wikipedia.org/wiki/SonicWall
02:19 < electricmilk> Johnjay,  Both
02:19 < electricmilk> I'm dumbfounded people haven't heard of SonicWALL
02:20 < ^7heo> yet they know that ubuntu is for power users
02:20 < ^7heo> see how life is awesome?
02:21 < ^7heo> full of clever people
02:23 < electricmilk> hehe
05:25 < ironpillow> hi all, question regarding meraki guest ambassador https://meraki.cisco.com/blog/2013/05/guest-ambassadors-providing-simple-and-secure-guest-access/. Does it use RADIUS in the background? thanks :)
06:04 < Nautilus> I have a device I've added to my Netgear router (WNDR3400v2) which obtained a DHCP'd IP at install time. I've since made an Address Reservation for the MAC address in the DHCP range, but it won't move off the original IP to the reserved one. Any ideas how I can do that? Is there a way to expire a lease?
06:10 < SporkWitch> Nautilus: search "renew ip on [operating system]"
06:11 < Nautilus> oh you mean the deive end, didn't think of that, hmmmm. an IoT thing, but lemme sign in
06:12 < Nautilus> device*
06:13 < SporkWitch> yeah; the client has no reason to check until the lease expires
06:15 < Nautilus> Makes sense, but don't have that option in the UI.
06:16 < SporkWitch> what is it?
06:16 < SporkWitch> and what was the result of the search i told you to run?
06:16 < Nautilus> D-Link DCS-936L (wifi camera)
06:17 < Nautilus> can't search on an unknown "OS"
06:17 < SporkWitch> disconnect and reconnect
06:17 < Nautilus> have done that
06:17 < SporkWitch> with a bare minimum of critical thought you could replace [operating system] with [device model]
06:17 < Nautilus> left it off 24 hours but the lease is probably more like 7 days.
06:17 < Nautilus> ah, sorry ;)
06:18 < Demos[m]> ugh.... ipsec
06:18 < Demos[m]> please kill me
06:18 < Demos[m]> spent all day setting up goddamn libreswan
06:22 < Nautilus> SporkWitch: my search "renew ip on D-Link DCS-936L" is coming up short on my issue. One thing the UI will let me do is set a static IP address. I could change that (to something outside the DHCP range), but am unsure if it then just "shows up" in the router there after a reboot. Don't want to lose control of it.
06:23 < SporkWitch> Nautilus: assuming you've configured the static lease correctly, just set the static on the device to the desired IP then set it back to dhcp
06:24 < Nautilus> ohh, ok, that sounds like a great idea
06:30 < veek> are there any cheap/adsl+wifi-2Mbit BUT secure router alternatives to dlink
06:30 < Nautilus> sprodag nab, back to the original IP
06:30 < Nautilus> SporkWitch: dag nab, back to the original IP
06:31 < skyroveRR> veek: all commercial ADSL routers are shitty as fuck, forget about security.
06:31 < SporkWitch> Nautilus: dunno what to tell you mate; assuming you correctly configured the static lease on the DHCP server, this is an issue with the device, not a networking problem
06:31 < skyroveRR> Hi SporkWitch
06:31 < SporkWitch> hi...
06:32 < Nautilus> SporkWitch: yep, I agree about device issues
06:32 < veek> wish there was a way to diy adsl
06:33 < skyroveRR> veek: well, there isn't.
06:33 < skyroveRR> Next question.
06:33 < Nautilus> adsl modem and separate router doesn't help him?
06:35 < veek> Nautilus, i just use one laptop so a router isn't really necessary
06:35 < veek> i used to use adsl in bridge mode.. but the trouble is the lousy security on the adsl
06:36 < veek> if worry about open ports or not firewalling Xorg on the pc
06:36 < Nautilus> wired connection to the laptop?
06:36 < veek> so it would be nice to have a 2stage process
06:37 < veek> yeah - pretty much till yesterday i bought a dlink-adsl+wifi
06:37 < veek> but i can't close off the dlink lan ports - buggy firmware
06:38 < Anatzum> I need to test an api to see how well it handles mass requests, Is there a server service that takes all traffic and discards it? The only thing I could think of would be to spoof and ddos it but I would need a recipient that just discards all that traffic. Is there a better way to do this?
06:38 < Nautilus> veek: what I'm getting at is a simple adsl modem connected to a better router
06:39 < veek> Nautilus, what features would the router have to enforce security? what features should i be looking for
06:40 < Nautilus> oh wait, you're looking to turn off lan ports?
06:41 < Nautilus> so get a wifi only unit to plug into the modem?
06:41 < veek> Nautilus, the dlink-adsl-wifi has acl's for its ports.. i blocked modem-dtp/telnet/ping using acls but i can still connect so.. it's not working (internal lan-side)
06:41 < veek> s/dtp/ftp
06:43 < veek> Nautilus, lets say i did things afresh.. what router features should i be looking for.. eg: if the adsl gets hacked, the guy could spoof arp or snoop (on a hub type router)
06:43 < SporkWitch> an all-in-one isn't working right? this is unheard of.  Next thing I know you'll suggest water is wet
06:44 < Nautilus> you're getting a bit past me, sorry. I think of an ADSL modem as npthing more than DSL wires in and a Ethernet port. Blocking and such happen more in the router.
06:45 < Nautilus> nothing*
06:46 < Project86__> mawk: drathir , y'all here?
06:46 < veek> Nautilus, well even a simple adsl comes with telnet/ftp/snmp/web/dns/iptables and a cpu/32mb ram so.. if it does get hacked.. the guy could redirect traffic directly from the simple adsl
06:47 < Nautilus> oh. I think there's simpler ones.
06:47 < veek> bridge mode only protects the wan side of things.. but the guy can hop into the modem  from the lan side
06:47 < veek> Nautilus, ah name?
06:50 < Nautilus> anything thats JUST a dsl modem. Not a recommendation, but like this: https://www.amazon.com/SpeedStream-5360-Ethernet-DSL-Modem/dp/B00006HW8A
06:50 < Nautilus> aaand i just realized I dont know what the A means in ASDL
06:52 < Project86__> Perhaps not... either way, I used their help to change my dns to 'netgateway 9.9.9.9' in resolv.conf. however there is a 2nd gateway that looks like an extended bssid number (syntax-wise). And when I "cat /etc/resolv.conf" it still responds with Hitron something or another (god I hate them). So did I not change dns? I saw a tut where they changed it in another file (dhcp.d* I believe)
06:54 < Nautilus> veek: this is an ADSL moem: https://www.ebay.com/itm/Siemens-SpeedStream-4100-Ethernet-ADSL-Modem-with-Power-Adapter/173296027669?hash=item28593f8815:g:JS8AAOSwng9ZsrLa
06:56 < veek> Nautilus, hmm.. so it bridges the wan with the lan side? trying to understand what's the diff.. can someone flash the firmware with their own tools?
06:57 < veek> does it use a microcontroller/cpu/ram/flashmem?
06:57 < Project86__> I guess I'm asking 1) what does changing dns in resolv.conf do, if not completely change the dns? 2) what is the secondary gateway for and do i need to modify that one as well? 3) if I change all settings successfully,  will "cat /etc/resolv.conf.conf" respond with a hitron line either way, since that's the router in use?
06:58 < veek> Project86__, resolv.conf can search order for dns - secondary's used if primary's slow
06:59 < veek> man resolv.conf
07:00 < Nautilus> veek: it has phone-line based DSL upstream (copper pair) 'input', and a single Ethernet downstream 'output', a fairly dedicated device. I assume it has smarts inside but not a lot of compromise can happen there.
07:00 < Project86__> veek: so they go in order from top to bottom?
07:02 < veek> Project86__, you can check that with tcpdump -i ppp0 -s0 -a -n
07:02 < veek> err -A -n
07:02 < veek> and dig yahoo.com
07:06 < Project86__> Veek the first command is just showing a bunch of router advertisements coming in. Dig yahoo.com, I don't understand the output
07:07 < veek> dig queries the dns servers.. and tcpdump shows you which nameserver's being queried first
07:07 < Project86__> veek: all these commands are new to me as well, it seems man just tells what what something does? Very useful, thank you.
07:08 < veek> man = manual
07:08 < Project86__> Awesome
07:09 < Project86__> Dig said it took 21msec to reach the 6 ips
07:09 < Project86__> Tcpdump seems like what wireshark does, correct?
07:09 < veek> yeah
07:10 < Project86__> Neat
07:11 < Project86__> But this dig output, how does that tell me my dns is working properly?
07:11 < veek> because firefox and all the other apps use the same underlying library/dns-thingy dig uses
07:12 < veek> The  resolver  is a set of routines in the C library that provide access to the Internet Domain Name        System (DNS
07:12 < veek> resolver configuration file contains information that is  read  by  the  resolver        routines  the  first  time they are invoked by a process.
07:15 < Project86__> But if i ran the dig command with default settings in resolv.conf, dig would still work, right?  So how do i tell the difference by output?
07:52 < xz> hi there, I'm trying to set up .htaccess/.htpasswd method to password protect a website/directory. I followed that tutorial: http://www.htaccesstools.com/articles/password-protection/ but as of now nothing is password protected. The caveat in my case is that all website files physically exist within /home/me/website/ and they are symlinked to /var/
07:52 < xz> www/html/
07:52 < xz> do you have any experience with setting up .htpasswd? I might be using wrong directories, or .htpasswd might be incompatible with symlinks
07:56 < detha> xz: do you have to appropriate allowoverride in your main config?
07:57 < xz> detha I don't think I do, here is my config: https://hastebin.com/rerokexuqu.apache
07:58 < xz> wait, that's not main config, is it?
07:59 < detha> xz: sorry, can't read javascript bins. But you should have allowoverride authconfig somewhere on the site or directory level
08:00 < xz> detha should it be in apache2.conf or within my website conf file?
08:01 < detha> website main config should suffice. The manual says to preferably not do this in your main server config, or something to that effect
08:02 < xz> ok, let me play with it
08:10 < xz> kind of works now, at least I get pop-up asking for username and password. However, I enter correct credentials (ones from .htpasswd file) and it won't redirect me through it
08:11 < xz> asks to input login/password again :/
08:12 < xz> I think password in .htpasswd has to be md5 instead of clear text
08:13 < detha> Check log files, password file needs to be spec'ed as absolute path
08:13 < xz> yeah, md5 worked
08:13 < xz> sweet
08:13 < detha> cool
08:13 < xz> is the .htaccess/.htpasswd reliable method?
08:14 < detha> as reliable as the web server
08:15 < detha> note that when using http it goes over the line in clear, so only use it on https. Another thing is that there is no way for the server to log someone out
08:20 < xz> right, I have everything over HTTP now
08:21 < xz> do I have to do cert and all that fun stuff to enable HTTPS?
08:25 < detha> yes. letsencrypt is your friend
08:27 < xz> ok will do that
08:27 < xz> I also need a domain as I remember
08:27 < xz> https is so much work
08:30 < detha> yes. and not needed in most cases, except for authentication. If http had included a non-sucky way for authentication, things would have been a lot easier
08:46 < psprint_> I want to run redis-server through tunnel, as redis sends passwords and data in clear text. I cannot recall why ssh tunnel wasn't an option. Has anyone setup remote redis-server, how? It should be: machine-A = redis-server, machine-B = 127.0.0.1:1234 (port leading to machine-A:1234)
09:15 < Kershaw18> hey
09:16 < Kershaw18> is there any way i can connect my laptop to my television without a hdmi cable
09:16 < Kershaw18> like wirelessly
09:17 <+pppingme> Kershaw18 what os?
09:17 < Kershaw18> windows
09:17 <+pppingme> 10?
09:17 < Kershaw18> yeh
09:17 <+pppingme> possibly
09:18 < Kershaw18> what about my phone
09:18 < Kershaw18> cause i have android not iOS
09:18 < Kershaw18> connect to my TV
09:18 < Live> well what TV do you have
09:18 < Kershaw18> a fairly new one
09:18 < Live> thats very specific ;)
09:18 < Kershaw18> it has internal antenna
09:18 <+pppingme> android supported it for a little bit, but recent versions have dropped support for wireless creen sharing
09:24 <+pppingme> Kershaw18 you're looking for "miracast"  some tv's have it built in, you can find dongles for under $20
09:24 < Kershaw18> is this like bluetooth
09:25 <+pppingme> it actually works over wifi-direct
09:25 < Kershaw18> i will look into it
09:27 <+pppingme> its great for slides, presentations, etc..  not so great for video
09:46 < phre4k> Kershaw18: what TV? Miracast goes by many names nowadays
09:47 < Kershaw18> i dont know the fucking specs its TCL
09:47 < Project86__> pppingme: I thought they had a new android one to work with mirrorcast? Used to be called AllCast
09:47 < grawity> allcast seems to be a proprietary app
09:47 <+pppingme> earlier versions suppored it natively, now its just an add-on, like any other app
09:49 < Project86__> I just know I saw a recent tut to mirrorcast showbox from phone. It didn't show as a mirrorcast device however. And further settings didn't seem to work. It linked, just no mirror. That was a shittt tablet though, haven't tried from my phone.
09:50 <+pppingme> I think it was just android 4.x that supported it, nothing older, nothing newer
09:51 < Project86__> I may have used wrong setup too. But I am pretty sure I did everything right. I was going to mirrorcast from phone to win10 laptop, that has hdmi to large monitor (the minister isn't "smart" though)
09:52 < Project86__> pppingme: maybe I should downgrade on one of my 4 old phones to run 4.4 then
09:52 < Project86__> *monitor. Lol
09:52 <+pppingme> I'm not even sure all versions of 4.x supported it, like I said, it seemed to have a very short life on android
09:52 < grawity> hmm it's present in my stock android 6, did they remove it in 7?
09:53 < Project86__> It's present in mine too, but there's also a sharecast? Something similar. Newer. Says it evolved from AllCast
09:53 <+pppingme> I've got android6 devices its not supported..  maybe added back in by manufacturer??
09:53 < grawity> manufacturer being Google in this case
09:54 < grawity> I've successfully "casted" the thing into a Win10 laptop, haven't tried actual TVs though
09:54 <+pppingme> sweet
09:54 < grawity> maybe it's *removed* by manufacturers
09:54 < grawity> since wifi direct needs some additional hardware capabilities
09:54 < Project86__> grawity: how did you accomplish it?
09:54 < Project86__> To win10
09:54 <+pppingme> my phone and tablet both do wifi-direct
09:55 < Project86__> pppingme: same
09:55 < grawity> Project86__: literally enabled the feature in Settings and it showed up in my phone
09:55 < Project86__> Yet it would only see it as a regular bt
09:55 < grawity> though android 6 has a checkbox (off by default) "Enable wireless displays" in the Cast menu
09:55 < Project86__> grawity: lol. Yeah, I tried all that onve
09:55 < grawity> I think *by default* it only shows Chromecast if that's off
09:56 < grawity> but yeah, no apps were used
09:56 < Project86__> Didn't chest cast menu...
09:56 < grawity> it was bloody useless though
09:56 < Project86__> Oh? So not worth movies?
09:56 < grawity> idk, like I said I didn't try with a TV personally
09:57 < Project86__> I got mine to do the pic vast and DOWNLOADED vid. But not live stream
09:57 < Project86__> *cast
09:58  * Project86__ getting tired. Can't type right
09:58 < grawity> https://i.imgur.com/xbiH3aQ.png
09:59 < Project86__> About to check it
10:02 < Project86__> Speaking of windows grawity , is there a way to completely turn off the annoying updates that happen even when you have autoupdates off, and it says, hey, sorry, were downloading stuff.
10:02 < grawity> ¯\_(ツ)_/¯
10:03 < grawity> I don't care, it's not like we have data limits here
10:03 < Project86__> Even better. To actually completely disable firewall besides what they allow you too now?
10:03 < Emperorpenguin> ^
10:06 < Project86__> It's not about the limits, I want to install what I want, and discard what I don't like old times. (Haven't used window in quite some years). And I want to be able to control my defender. It was sneaky to the people not too familiar, but could be completely disabled. Not anymore
10:06  * Project86__ rambling..
10:06 < grawity> are you talking about the network firewall or about the antivirus system?
10:06 < Project86__> So does defender
10:07 < Project86__> *windows defender
10:07 < Project86__> You can "turn it off" but it auto contains anything it doesn't like
10:07 < Project86__> Off or not
10:35 < cr1t1cal> apparently smtp is the protocol used between mail servers
10:35 < cr1t1cal> so what is the protocol used between user agents/clients and mail servers
10:35 < grawity> also SMTP
10:35 < grawity> or, a profile of SMTP called "Mail Submission"
10:35 < grawity> er, "Message Submission"
10:36 < cr1t1cal> okay
10:36 < cr1t1cal> thanks
10:36 < cr1t1cal> grawity can you link me to any sources?
10:36 < grawity> https://tools.ietf.org/html/rfc6409 – different port, requires auth, may perform header cleanups/filtering, but still SMTP
10:37 < grawity> (in the past, mail clients *did* use exactly the same SMTP on port 25)
10:37 < grawity> (but it was split because the requirements were different, after all)
10:38 < grawity> for message retrieval *from* a server, it's usually IMAP4 or POP3
10:50 <+pppingme> or a number of proprietary protocols like mapi, or something web based that may query the mail database directly (most web based groupware would work this way)
10:51 < grawity> most of the ones I tried still use IMAP
10:56 < drathir> Project86__: yep...
10:57 < drathir> mornin/evenin...
11:12 < Guest74972> hi. is there a way to check a subnet's details? we have a tool for that and it's down. it provides data like network, netmask, broadcast, country, domain, acronym, pool, comment, dhcp server, created etc.
11:13 < Guest74972> powershell or admin cmd window?
11:20 < Emperorpenguin> Guest74972: I'm not sure I understood what you mean
11:20 < djph> ^
11:20 < Emperorpenguin> shouldn't you like check the router's configuration?
11:21 < Emperorpenguin> or are you using your internal IPAM tool?
11:21 < Emperorpenguin> there's no way to know when a subnet was created unless you write it down when you do it
11:21 < djph> it sounds like perhaps their "tool for that" is a windows AD thing.
11:21 < Guest74972> it is a global corp with 300k+ devices. there is a tool where i can search for ips or hostnames. then i can get the details of the subnet
11:22 < needle> also the question is from which side to check the subnet details, from the client side or from the router side?
11:22 < Guest74972> yeah it's a company tool.. so i'm not sure it can be done "externally"
11:22 < djph> I mean, "country, domain, acronym, pool, comment, dhcp server, comment" all sound like random trash database tables
11:22 < thothcastel____> asdm not accessible through the vp ntunnel currently in place asa5525-x
11:22 < thothcastel____> I am able to access the single local network that is attached to the firewall from the datacentre through the tunnel but unable to launch the ASDM
11:22 < thothcastel____> I am able to access the access switch that is plugged onto it via ssh and also able to jump onto the firewall via ssh through this local switch
11:22 < enfire> Hello, I'm looking for a tool that would allow me to draw a graph of network usage between two hosts. I tried Wireshark, but it cannot handle the load, as I transfer quite large amounts of data and wireshark is not even able to load the capture files. I do not need the packet data, just the visual graphs.
11:22 < thothcastel____> I really need to regain access to this firewall via asdm - anybody knows how to enable this connectivity through cli?
11:22 < enfire> (for windows)
11:23 < Guest74972> https://ibb.co/gTCGpS here is a pic that's all i can send no actual data duh.
11:23 < enfire> Wireshark also seems to hinder with the network speed, so I really am hesitant to use it.
11:23 < djph> use another host / mirror the switchport.
11:41 < frederik_> Anyone know how reliable powerline networking is?
11:41 < frederik_> For sure better than 5GHz WiFi through 3 concrete walls
11:41 < frederik_> But is it as good as dragging an ethernet cable from the router?
11:42 < Phil-Work> frederik_, it's alright
11:43 < Phil-Work> depends on the quality of your wiring, in a lot of cases
11:43 <+xand> it's not as good as an ethernet cable though, no
11:43 < grawity> and sometimes on what appliances are connected, and such
11:43 < Phil-Work> depends on requirements
11:43 < frederik_> I see :)
11:44 < Phil-Work> I run a few IP Cameras over powerline - no issues there
11:44 < grawity> it's like wi-fi in that quality varies between environments, you need to care about interference etc.
11:44 < Phil-Work> but I'd rather not run my PC over it if I can avoid it
11:45 < frederik_> yeah its for my PC :(
11:45 < frederik_> and interference might be a problem
11:45 < frederik_> bluetooth devices, 5&2.4GHz wifi, microwave, all that stuff is pretty close
11:53 < Reventlov> Hi
11:54 < Reventlov> I have a kind of "problem" with Wifi Sniffing
11:54 < truthr> what is the problem
11:54 < Reventlov> I'm using iperf to benchmark a connection to an open network, and another interface in monitor mode
11:54 < Reventlov> The pcap I get is this one (I got it from scapy): https://ptpb.pw/N95L.pcap
11:55 < Reventlov> It seems it "misses" most of the packets, as there are mainly only "acknowledgment" in this pcap
11:57 < Reventlov> Is this because the AP is in 40MHz ?
11:57 < grawity> it's possible
11:58 < Reventlov> Ok, so let's find a way to sniff on 40MHz.
11:59 < CutieCat> Sniff sniff
11:59 < CutieCat> Do you peeps recommend buying a range extender to steal wifi?
12:00 < Reventlov> ?
12:02 < thothcastel____> in order to set up 2 separate vpn tunnels site2site to remote location, will a cisco router need 2 crypto maps?
12:03 < thothcastel____> what about the transform-set if they are to use the same type of  encryption
12:13 < Sepultura> Hallo, if TLS is a Transport Layer Protocol like TCP and UDP why do Routers only have UDP and TCP Port redirections?
12:14 < ^7heo> because it's not.
12:14 < Sepultura> there are only UDP and TCP?
12:14 < publicarray> TLS runs on top of TCP (and maybe UDP)
12:14 < grawity> it's not a transport layer protocol, no
12:14 < grawity> maybe session layer if you want
12:15 < mAniAk-_-> Sepultura: osi does not translate well to reality
12:15 <+catphish> it's not
12:15 < grawity> it's called that only because it sits on top of a transport layer protocol
12:15 < grawity> (really, I think it'd fit into the session layer.)
12:15 < grawity> but if you asked about *actual* transport protocols, like SCTP or DCCP, then the answer would be "because the routers you're buying are made for people who don't use these"
12:16 <+catphish> Sepultura: tcp and udp are the only protocols with ports, and the only ones you'd need to forward in almost all circumstances
12:16 < grawity> lies, SCTP also has ports
12:16 <+catphish> true, as grawity says, other exist, but nobody with home routers uses them
12:16 < grawity> so either they're omitted due to laziness, or in order to avoid confusing users, or both
12:17 <+catphish> does linux even support nat on those protocols?
12:17 < grawity> yes
12:17 <+catphish> cool
12:17 <+catphish> but also pointless mostly :)
12:17 < grawity> they recently made the support non-modular so that router makers would stop forgetting to enable it >_>
12:18 < Sepultura> grawity: theoretically everyone could invent such protocols?
12:18 < grawity> ...anyway, TLS *could* be proxied in a similar manner to port-forwarding, based on ALPN and/or SNI, like sniproxy does
12:18 < grawity> Sepultura: yes
12:18 < grawity> very small chance of it going through home routers (due to what we're discussing right now)
12:18 < Sepultura> grawity: so TLS is sitting on top of TCP?
12:18 < grawity> yes
12:19 < grawity> (though it could work over stream transport really)
12:19 < grawity> there's also DTLS which is adapted for UDP and other datagram protocols
12:20 < Sepultura> Is SCTP better than TCP?
12:21 < grawity> in some ways
12:21 < grawity> but still not 'better' enough to become popular
12:28 < cr1t1cal> does an inbox stay on one and only one mail server?
12:29 < cr1t1cal> meaning if the mail server were to go kaput so will the inbox?
12:29 < Emperorpenguin> depnds how you configure it
12:29 < Emperorpenguin> obviously
12:29 < Emperorpenguin> one server one disk? gone
12:29 < Emperorpenguin> multiple servers shared storage? you're good
12:31 < cr1t1cal> alright
12:31 < mAniAk-_-> Sepultura: it's not a replacement for tcp, it was developed to carry ss7 over ip
12:33 <+catphish> is ss7 over ip a thing? i might actually need to do that
12:33 < grawity> that doesn't preclude it from being a replacement for tcp
12:34 <+catphish> i'll have to look into it, i thought ss7 only worked over ss7 hardware interfaces
12:34 < mAniAk-_-> nope, but that was not the intention of the protocol either
12:35 < Emperorpenguin> catphish: ss7? cool
12:36 < Emperorpenguin> i have NO idea how that works
12:36 < grawity> catphish: well there's https://github.com/openss7/openss7 apparently
12:37 < grawity> also this is how you know someone is a telecom dev https://github.com/openss7/openss7/issues/8
12:39 < mAniAk-_-> catphish: look up SIGTRAN
12:40 < mawk> how to programmaticaly send an ICMP error to a connected party ?
12:41 < mawk> opening a raw socket is too ugly
12:41 < mawk> there should be a nice clean way
12:41 < mawk> akin to how you can receive icmp errors
12:46 < mAniAk-_-> mawk: why? icmp is typically only sent by the os/network stack as a response to something recieved, not by any application
12:52 < fabolous> what is this page? http://www.thedubber.altervista.org/ip/
12:52 <+catphish> thanks
13:07 < mphj> Hello guys! I'm just wondering about domain fronting usecase for companies like amazon (aws) or google (gogole app engine), why do they have such this feature, they don't set a special ip for each of their services?? and another question, cdn servers that helps applications like signal or telegram to do domain fronting, do these servers act like a reverse proxy?? if yes, then why?? i know cdns and reverse proxy almost do similar work (at least i think), but
13:07 < mphj>  why a cdn should forward the request to the request's hostname without restriction?, why they don't restrict requests, for example a cdn like cloudflare, says that i just cache requests with hostname example.com and not others?
13:08 < grawity> there's no use case for the companies themselves – it's not a feature they *offer*, it's a side effect of their configuration (or lack thereof)
13:08 < grawity> they do *have* to host multiple domains on the same IP addresses because there just aren't that many IPv4 addresses
13:09 < grawity> it's not exactly a reverse proxy – both the 'front' and 'back' domains usually live on the same server, or the same cdn node, or whatever
13:10 < grawity> it certainly doesn't work with sites hosted somewhere else entirely, so the restriction you mention is already always in place
13:11 < localhorse> if i buy an ethernet to usb adapter, plug it into my tablet, then use an ethernet cable between tablet and laptop, can i communicate between tablet and laptop? like it works between Rpi and laptop without router
13:11 < mphj> great answer grawity! thank you man, you saved my day!
13:12 < localhorse> test
13:12 < grawity> it's like having two vhosts on a single Apache service: your TLS handshake is for vhost 1, your HTTP request is for vhost 2, and Apache only cares about the latter
13:12 < grawity> unless you enable https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstrictsnivhostcheck that is
13:13 < grawity> localhorse: it should generally work the same, yes
13:13 < grawity> as long as the tablet has the correct drivers for the adapter
13:28 < mawk> mAniAk-_-: because I'm part of the network stack
13:28 < mawk> I'm doing stuff with a tun device
13:28 < mawk> I want to send icmp host unreachable to nodes trying to reach other unknown nodes
13:29 < frederik1> My server in the DMZ can ping 8.8.8.8 but no other hosts in its subnet, not even the router
13:29 < frederik1> it does get an IP though
13:30 < frederik1> how do I debug this?
13:30 < frederik1> ip routes tell me default gateway is correct
13:32 <+catphish> frederik1: you're using DHCP for servers in your DMZ?
13:32 < frederik1> Yes
13:32 <+catphish> well this is going to be very dependend on the devices involved, if you can ping the internet but not your gateway, then very likely it's just not configured to respond to ping, mine don't
13:33 <+catphish> as for other hosts on the network, there could be various reasons for that, firewalls in particular
13:34 < frederik1> The other hosts are responding as intended, responding to pings from the internal network behind the DMZ
13:34 < frederik1> This particular host isn't
13:34 <+catphish> that's totally different from what yo said a moment ago
13:34 <+catphish> what is the exact problem you want to debug?
13:35 < frederik1> Yeah I realize I didn't properly outline, let me try again
13:36 < frederik1> I have a DMZ with several hosts that can all be contacted from the internal network. I want the same thing for a new host in the DMZ. This host, when connected, gets an IP from the DMZ router, but can't contact the router by ping or be contacted from the internal network
13:36 < frederik1> It can, however, ping WAN IPs
13:37 <+catphish> sounds like perhaps it hasn't been allowed by the firewall
13:38 < frederik1> Does sound like a iptables thing doesn't it? :s
13:39 < dogbert2> looking at a Synology DS216j 2 bay NAS...any thoughts?
13:41 < localhorse> grawity: thanks. btw, can i also share the phone's wifi to the laptop that way?
13:42 < localhorse> or is it not capable of routing packets between its wifi and usb ethernet connection?
13:42 < localhorse> (OnePlus One / Cyanogen OS)
13:43 < GenteelBen> dogbert2, how much RAM does it have?
13:43 < GenteelBen> It probably doesn't allow you to upgrade RAM, either.
13:44 < dogbert2> 512MB...
13:44 < GenteelBen> A new NAS needs at least 2GB of RAM.
13:44 < GenteelBen> LOL
13:44 < GenteelBen> dogbert2, that's the price you pay for a cheap NAS: market segmentation.
13:44 < dogbert2> yeah...Synology gets very high ratings...let me see what else I can find
13:44 < dogbert2> IMO, WD is way overpriced for home use :)
13:44 < GenteelBen> They keep the RAM spec low enough that nobody in business can buy j-series NASes.
13:45 < GenteelBen> dogbert2, Synology NASes are overpriced if you just look at hardware, but their software is 1000x better than anybody else's.
13:45 < dogbert2> go figure, right :)
13:45 < GenteelBen> Case in point my DS1812+ still gets feature + security updates at the same time and frequency as their latest 2018 NASes.
13:45 < GenteelBen> DS1812+ = early 2012, IIRC.
13:46 < GenteelBen> Plus they do something nobody else can (AFAIK) do: SHR/SHR-2, their name for tech which lets you mix and match drive sizes without much wasted space. It's kind of like a RAIDed JBOD.
13:47 < GenteelBen> So you can start off with 4x 2TB disks and then change to 3x 2TB + 1x 4TB, then 2x 2TB + 2x 4TB, for example.
13:47 < GenteelBen> Though though you only get more space in the second example. The first just gives you better redundancy.
13:47 < GenteelBen> Try this: https://www.synology.com/en-us/support/RAID_calculator
13:48 < GenteelBen> But yeah the #1 complaint of Synology NASes comes when people buy a home NAS and then realise 512MB is too damn low. I wouldn't recommend it.
13:55 < dogbert2> I think I will go with the DS218 (2 bay, 64-bit quad core processor, 2GB DDR4)
13:55 < dogbert2> 4K 10-bit H.265 video transcoding on the fly
13:55 < GenteelBen> Good choice.
13:56 < GenteelBen> It has the GenteelBen seal of approval.
13:56 < dogbert2> :{
13:56 < GenteelBen> It's also my NAS pick of the week.
13:56 < GenteelBen> You sure you wouldn't rather get a four-bay NAS?
13:56 < GenteelBen> Redundancy, dogbert2.
13:56 <+catphish> i also like synology :)
13:56 < GenteelBen> You could do SHR-1 and have like 4x 2TB disks for 6TB raw usable.
13:56 < dogbert2> I can run the unit in a RAID-1...more than enuf
13:57 < dogbert2> Realtek RTD1296 Quad-core 1.4 GHz processor
13:57 < GenteelBen> How big are the HDDs?
13:57 < dogbert2> can handle up tp 2x12TB drives
13:57 < GenteelBen> That's still a shameful ARM CPU, dogbert2.
13:57 < dogbert2> so is this: http://snoopy.ciscofreak.com/libre.html :P
13:57 < GenteelBen> That's official support; there's nothing stopping it from supporting 14/16TB HDDs either.
13:58 < dogbert2> pfft...I'
13:58 < GenteelBen> What's the difference between the 218 and 218play?
13:58 < dogbert2> 218play looks like it's a streaming and video unit, which I don't need
13:59 < GenteelBen> 218play is cheaper isn't it?
13:59 < GenteelBen> They usually use RAM and Ethernet ports to differentiate.
13:59 < GenteelBen> There's also the DS218+, if you're a pro. B)
14:00 < GenteelBen> https://www.synology.com/en-global/products/compare/DS218/DS218+/DS218play/DS718+
14:00 < GenteelBen> The 218+ has an x86 CPU.
14:00 < GenteelBen> 218...must be a listing mistake because it doesn't mention AVC there.
14:01 < GenteelBen> Also, you shouldn't be using that NAS to do encoding unless it's for YT videos or something. The image quality isn't as good as a CPU encode.
14:03 < dogbert2> https://www.synology.com/en-us/products/compare/DS218/DS218+/DS218play (the 218+ is a better option but costs more)...
14:03 < dogbert2> the ram is also expandable in the 218+ to a max of 6GB (2GB installed + 4GB chip)
14:26 <+catphish> iscsi is still confusing me, it's so weirdly put together
14:31 < L3gacy> that feeling when the server room temp is 28C...
14:32 < L3gacy> Not sure if fans are trying to cool, or I now have "hover servers"
14:32 <+catphish> toasty
14:47 < AlexPortable> What is the most secure password based EAP method?
14:49 < djph> AlexPortable: PEAP
14:49 < djph> MSCHAPv1
14:49 < AlexPortable> http://deployingradius.com/documents/protocols/compatibility.html
14:49 < AlexPortable> only clear text passwords in PEAP apparently
14:49 < djph> AlexPortable: Did you ever tell us the usecase yesterday?
14:50 < AlexPortable> for what?
14:50 < dogbert2> crashed my windows 7 ultimate desktop :)
14:50 < djph> AlexPortable: your desire for WPA-Enterprise in the first place.
14:50 <+xand> AlexPortable: but it goes over TLS
14:50 < AlexPortable> separate passwords for each user
14:50 <+xand> look at the eduroam stuff and do it that way
14:51 < djph> AlexPortable: Yesterday, we were all under the assumption that "this is internal use for a business entitiy" - is that the usecase, or not?
14:51 < AlexPortable> yes
14:51 < AlexPortable> but maybe also for guests
14:51 < djph> Guests get a different auth method, different VLAN, different everything.
14:52 < AlexPortable> why
14:52 <+xand> maybe
14:52 <+xand> well different VLAN sure
14:52 < AlexPortable> speaking of vlans, how to prevent communication between clients in a vlan?
14:52 <+xand> (probably)
14:52 <+xand> client isolation which is an AP feature
14:53 < djph> Because why go through the trouble of setting them up with a RADIUS login when "touch the banana for a guest wifi voucher" gets them connected?
14:53 < AlexPortable> djph: what?
14:53 < djph> I mean, most high-end vendors have "voucher-based guest auth" already
14:54 < AlexPortable> what banana do you mean
14:54 <+xand> banana in your pants?
14:54 < djph> the banana thing was someone on reddit.  Instead of a simple pushbutton, he measured the difference in capacitance of a banana sitting on a desk to kick off the "generate & print voucher code" process.
14:55 < djph> because it's funny.
14:55 < AlexPortable> more likely create account for new user
14:55 < AlexPortable> not just a button
14:56 < djph> err, I suppose you and I have a different opinion of "guests" then.  I'd never set them up with an account on any systems in my networks, ever.
14:56 <+xand> I can confirm that doing 802.1x for casual visitors is a PITA though
14:56 <+xand> many years experience of that here
14:56 <+xand> there are different kinds of visitor though
14:56 < djph> ^ less years of experience, but it's a PITA nonetheless.
14:56 <+xand> some are just here for their own reasons, others are here as e.g. IT contractors
14:57 < djph> xand: everywhere I've worked, "contractors" are considered "employees" in terms of "where on the network they live"
14:57 <+xand> ha
14:57 <+xand> here that depends whose contractors they are and how stupid they're considered :D
14:58 < djph> unless you mean vendor dudes who're in to replace hardware or something else
14:58 < djph> where they're only expected to be in for like a week or someting
14:58 < AlexPortable> I think that covers the situation here
14:58 < AlexPortable> one week guests
15:01 < dogbert2> hey djph
15:02 < djph> heyo dogbert2
15:03 < djph> AlexPortable: then a voucher or other portal type guest network is likely to be fine.
15:03 < AlexPortable> possible, but i dont have such a system
15:03 < djph> but I suppose that it also depends on what kind of access *to your network* they need (if any)
15:04 < djph> ... then you get one ...
15:12 < sine0> I would like to whitelist some ip ranges 86.12* to 86.18* and I know up until 86.120.0.0/16
15:13 < sine0> can i do a 86.120.0.0/16 -> 86.180.0.0/16
15:13 < Emperorpenguin> sure
15:13 < Emperorpenguin> but you have to subnet it properly
15:13 < sine0> yea mean with the 255
15:14 < Sepultura> IRC is using TCP?
15:14 < sine0> how do i do the range though
15:14 < Emperorpenguin> so it'll be like 86.128.0.0 to 86.160.0.0/19
15:14 < Emperorpenguin> and then smaller subnets till you fill up all the space
15:14 < Emperorpenguin> or you just do 60 /16
15:14 < light> Sepultura: yes
15:14 < Emperorpenguin> Sepultura: yes
15:16 < djph> sine0: what do you mean "86.120/16 -> 86.180/16" ? That's just the range you want to allow?
15:17 < Emperorpenguin> he wants to whitelist a range of 60 /16
15:17 < Emperorpenguin> too bad they go by powers of 2
15:17 < Emperorpenguin> so sine0 the quickest way to do it is just adding 60 /16 lines in your firewall
15:17 < Emperorpenguin> or
15:17 < Emperorpenguin> you can do 120->127
15:17 < Emperorpenguin> 128->160
15:17 < Emperorpenguin> 160->175
15:17 < sine0> ok
15:18 < Emperorpenguin> 176->179
15:18 < Emperorpenguin> and 180
15:18 < Emperorpenguin> now you do the subnetting
15:18 < sine0> ok let me think my heads hurting i want to work it out
15:18 < sine0> djph: yea
15:19 < djph> in which case, you'll need multiple rules (e.g. 86.120/13; 86.128/11; 86.160/16)
15:19 < sine0> guys does this click after a while or hwat ?
15:19 < djph> err, oops, I thought it ended at 160
15:19 < Emperorpenguin> sine0: yes
15:20 < djph> 86.160/12 ... and then whatever else to get from 176 - 180 (likely 176-179, then 180/16)
15:20 < sine0> i did not know you could just shorten it like that
15:20 < djph> shorten what?
15:20 < sine0> 86.120/13
15:20 < Emperorpenguin> no
15:20 < Emperorpenguin> sine0: it's all about powers of 2
15:20 < Emperorpenguin> is 120 a power of 2?
15:20 < Emperorpenguin> no
15:21 < tds> iirc the . will get expanded to .0.0. (maybe)
15:21 < Emperorpenguin> which is the closest? 128
15:21 < djph> I'm just stripping out the zeroes -- "86.120/13" is similar to writing "::" for v6
15:21 < Emperorpenguin> can you get down to 128 from 128 with one power of 2?
15:21 < Emperorpenguin> yes
15:21 < Emperorpenguin> 8
15:21 < Emperorpenguin> so you can do 120/13
15:22 < Emperorpenguin> can you get from 128 to 180 in one power of 2?
15:22 < Emperorpenguin> no
15:22 < Emperorpenguin> you need to do 32 (159) + 16 (171) + 8 (179) +1 (180)
15:23 < Emperorpenguin> so that' a /11
15:23 < Emperorpenguin> then a /12
15:23 < Emperorpenguin> then a /13
15:23 < Emperorpenguin> then a/16
15:23 < djph> hey, I did it right
15:24 < djph> started second-guessing my maths there for a minute :)
15:24 < skunkz> Hi, I have configured a vpn on a aws free tier instance so me and my friend can play "lan" games. We can both connect and to the vpn and have managed to join a LAN room together but when he gave me his ip I can't ping him so I don't understand, why can we play together but I'm not able to ping him ?
15:24 < sine0> I think that maths is not natural for me and my brain
15:25 < Emperorpenguin> sine0: it's simple
15:25 < sine0> I can see the chart
15:25 < Emperorpenguin> all you need to remember is the power of 2 up to 256
15:25 < Emperorpenguin> so 1 2 4 8 16 32 64 128 265
15:25 < Emperorpenguin> so 1 2 4 8 16 32 64 128 *256
15:25 < Emperorpenguin> that's ALL you need
15:25 < sine0> but there are 3 people machine gunning the channel with numbers its like the matrix screen
15:25 < djph> skunkz: the game may be punching holes in his PC's local firewall
15:25 < dogbert2> calculus = da agony and dx/dt :)
15:26 < sine0> I have this online tool it shows me, im having a play
15:26 < skunkz> djph: ok so his firewall prevents me from pinging but allows the game to connect each other ?
15:27 < djph> skunkz: yeah, the game is likely telling the PC "hey, I gotta listen for game traffic on port 12345, let it thru please"
15:27 < djph> *PC firewall, rather
15:28 < skunkz> Ok I see, I have another question: the room I created doesn't show up when he browses the LAN party finder, but there's a direct connexion button that works when he enters my ip. Any idea why the room doesn't appear?
15:29 < sine0> 86.150.0.0/100
15:29 < sine0> 10 not 100 lol
15:29 < ||cw> skunkz: ping is and ICMP packet, and the ICMP is often filtered out at firewalls for "security"
15:29 < sine0> I can see now how the mask takes a certain block and you build around it where it starts and ends
15:30 < UncleDrax> sine0: i think if you wrote it out in binary, it'd make more sense
15:30 < Sepultura> is Softether a dead project?
15:31 < UncleDrax> a lot of ppl that struggle with teh concepts of subnetting, imo, are taught wrong so it just appeasr to be arbietary numbers without reason
15:31 < skunkz> ok I thought ping was a good test to see if two devices are correctly connected but I didn't think of user firewalls
15:31 < sine0> UncleDrax: yea I know that part of it, the bits etc but i didnt know how it would take the range, now i can see it visually (which is how my artistic brain works) I can see it.
15:32 < UncleDrax> incidently, I think if you're taught classful networking, or rather the math of it, it can help with that idea.. even if you have to toss most of what you just learned out because it's obsolete.
15:33 < sine0> cos ip6
15:33 < skunkz> do you have any idea why the room doesn't show up yet my friend can join it with direct connection to my local ip on the vpn ?
15:34 < sine0> allow from 86.144.0.0/12 86.160.0.0/11
15:35 < UncleDrax> if it's a LAN mode room, it's likely because its using a layer-2 (LAN) discovery protocol that isn't being passed through the VPN.
15:35 < djph> sine0: obsolete because CIDR, not because IPv6
15:35 < UncleDrax> or ya, ofc end-user FW issues and stuch too
15:35 < sine0> djph: why is it obsolete then
15:35 < UncleDrax> sine0: because it is.
15:36 < UncleDrax> Classful networking only allowed for (discounting class D & E space) 3 usable subnet sizes
15:36 < UncleDrax> a Class A, B, and C.
15:36 < Emperorpenguin> eeww
15:36 < Emperorpenguin> EEEEEEEWWWW
15:37 < djph> sine0: because CLASSFUL networking was "class A -> IP addresses in binary start 10 (you get 256 Class B)/ Class B -> IP addresses start 110 (you get 256 Class C) / Class C -> start 1110 (you get 256 host addresses) ...
15:37 < UncleDrax> CIDR (Classless Inter-Domain Routing) allows for around 30 different usable subnet sizes.. and more importantly, the ability to use something like a CIDR /24 inside the old Class A space
15:37 < skunkz> how could I try to pass this discovery protocol to the vpn ? UncleDrax ?
15:37 < UncleDrax> skunkz: no idea.
15:38 < UncleDrax> skunkz: well, i have ideas, but they would be complex. or you can use something designed for this like Hamatchi
15:39 < djph> IIRC, once you owned a classful network, you "could" subnet it farther (that is, your entire site didn't have to be 65,536 hosts on a flat network, if you owned a class B), but it is rather unweildy nonetheless
15:39 < UncleDrax> ya, I was thinking more from the IP allocation standpoint
15:41 < djph> skunkz: You'd honestly have to do a lot of fiddling - the direct connection is the most straightforward option.
15:41 < djph> UncleDrax: yeh, classful networking sucked.  Glad my intro to it was "here's what it was, why it was bad, and what came out of it"
15:42 < UncleDrax> djph: yeap. but I still got routers that don't display CIDR notation if the route falls on a classful boundary
15:42 < UncleDrax> which is annoying
15:42 < djph> ew
15:43 < UncleDrax> fortunately we don't let them do anything real anymore though
15:43 < UncleDrax> ya, Cisco 7600s
15:43 < UncleDrax> prob a way-to-old load
15:44 < djph> haha
15:47 < dogbert2> stupid router :p
15:58 < djph> is it that the router's stupid, or the admin is, for leaving it at an ancient IOS version? hmmm
15:59 < UncleDrax> ya, this is a case of 'uptime is not really a good thing'. but that said, it hasn't done anything beyond a sub-/28 static route in many years.
15:59 < UncleDrax> so really it just a switch
16:00 < UncleDrax> well i mean as far as we use it
16:00 < djph> ah
16:00 < UncleDrax> but it's def been roadmapped to be surplussed
16:00 < UncleDrax> the problem is meatsacks to finish the job
16:00 < UncleDrax> (as in, not enough)
16:01 < djph> if you paid well (and didn't involve entire digging up me roots here ...)
16:01 < UncleDrax> and if we were hiring anyone to replace the meatsacks that leave ;]
16:01 < UncleDrax> but ya.
16:02 < UncleDrax> well i put ;], but I meant :[
16:02 < UncleDrax> but enough about layer 8-10 problems
16:21 < djph> meatsacks, manglement, and ... ?
16:25 < hweaving> Checking one more time today here in case there's someone who isn't in #ipv6
16:25 < hweaving> Does anyone know offhand why Linux fails lookups for site-local multicast addresses
16:25 < hweaving> e.g. "ping6 ff12::1234%eth0" doesn't do anything useful but doesn't fail
16:25 < hweaving> while "pign6 ff15::1234%eth0" outright fails with an unknown host error
16:25 < Andrew_0010bit> May the 4th be with you all.
16:25 < hweaving> *ping6
16:25 < hweaving> Andrew_0010bit: and with you
16:36 < stan7> my isp doesnt let me open port 80 for my apache server, its blocking it, what do you recommend? if i configure apache for opening different port, wich port do you recommend? any port? it works?
16:37 < tds> stan7: if they allow other ports then that would work (eg 8080 is quite common for a web server), but browsers won't use ports other than 80/443 by default
16:42 < stan7> so its not gonna work?
16:43 < stan7> why they block it? because dont wanna have people installing server at home?
17:00 < UncleDrax> stan7: on purpose or by malicious-bot-net, yes
17:01 < UncleDrax> stan7: which is seperate from the discussion of 'is that effective/just/right/morally-acceptible' to block it
17:01 < tds> if you call them they might be willing to unblock it, but probably only if you pay for a business connection ;)
17:07 < ash_work> I was thinking of striving for a plug-and-play like effect in the data center. My thought was to have a mgmt server run a conf-tool to set up new bare metal servers by connecting over IPMI, installing an OS using iPXE and configuring containers, networking, etc... I thought you could have a dhcp server container hand out static ips to BMC MACs for this, but you still need to manually (a) add the MAC to the dhcp server configurat
17:07 < ash_work> so (a) is this a good idea? and (b) should I find (is there) some way to trigger the conf-mgmt script automatically when a configured MAC is discovered?
17:09 < detha> ash_work: in that type of setup, config mgmt generally pushes the MAC out to the dhcp server
17:10 < needle> why trigger a MAC address, when hthe installation routine is finished, the server that has been setup could send the MAC address to to responsible DHCP server.
17:11 < detha> needle: what if I want some servers to load centos, some debian, and some windows?
17:11 < ash_work> detha: like, you run a conf-script locally that gives your tool that information?
17:11 < ash_work> needle: it's not the MAC of the server... it'd be the MAC on the bmc
17:12 < detha> ash_work: like, you get the MAC address, enter things in config mgmt, that triggers an update to the DHCP server
17:12 < detha> once that is done, you connect the server
17:13 < ash_work> detha: wouldn't the conftool connect to the server at that point? (and set it up?)
17:13 < detha> ash_work: depends on your workflow. if you want to enter things after the fact, yes.
17:16 < ash_work> okay, so I can see why you'd want your conf tool to manage the dhcp server... since I think it's probably not ideal to manage it directly and managing it as a container... I don't think you want to redeploy your dns server on every conf change... I can see that getting hairy...
17:17 < ash_work> detha: okay, but what about part (b)? like, even incorporating your advice, my idea would be that would take place before the server is even delievered (so that you're sure what the host is for the bmc, rather than somebody plugs it in and it's accidentally automatically allocated)
17:17 < detha> ash_work: you can make it as complex as you like.... e.g., dhcp server that hands out a PXE boot for any unknown address that does nothing but connect to mgmt, and create a ticket 'Please configure 00:4a:00:12:34:56'
17:18 < ash_work> detha: oooo, that sounds like a good fallback
17:18  * ash_work writes that down
17:18 < ash_work> detha: but, should I be stiving to automate when the conftool decides to setup that server, given what I said about delievery?
17:20 < tds> ash_work: I guess if you have an existing system to keep track of what switch ports are used by what, you could also just lookup the mac addresses on the switches and avoid storing them
17:20 < detha> ash_work: normally invoices/delivery notes have the MAC address on them. So your normal workflow could be 'on delivery note, have someone enter that MAC, and what role that server should take'. Fallback to 'create a ticket for an unknown server on the network'
17:20 < ash_work> like, somehow listen for a bmc that has been connected
17:21 < ash_work> detha: right that... but when the person actually plugs it in... should I be trying to involve a process that tells the mgmt server, "ok, do your thing."
17:21 < ash_work> rather than me issuing an ansible command or something manually
17:23 < detha> that should be automatic. PXE boots an install image that gets its config from, e.g., some http server. The http server runs perl or python scripts that pull from the config database, and generate config on the fly
17:24 < ash_work> detha: assuming the box is set to network boot on delievery?
17:24 < detha> yeah. If it isn't, you're basically stuffed for anything automagic
17:25 < detha> you could scan for new BMCs periodically can if you find one, kick off something to go install it, but meh
17:26 < ash_work> detha: okay, so I'm with you there
17:26 < ash_work> I'm banging the gavel on part (b) as 'meh'
17:26 < detha> Also, that can lead to lots of fun and games if the config database goes offline for a bit. All servers are suddenly 'new' and get reinstalled
17:27 < ash_work> detha: well, my idea... that wouldn't happen
17:27 < ash_work> because the only purpose of the IPMI stuff was just to set the boot order
17:28 < ash_work> supposedly, the conf tools should be idempotent enough not to run over already installed plays
17:28 < ash_work> or something... maybe it would happen.... idk... I haven't thought this through all the way
17:30 < detha> think about it in a 'event' -> 'action' type of way. Event can be server plugged in, check-in to config mgmt, etc. Action is 'some salt/ansible/whatever task does something'
17:33 < ash_work> detha: yes, but that's too abstract for me
17:34 < ash_work> like, what the actual "check-in" process is
17:35 < ash_work> detha: I'm still trying to chew on your earlier statements
17:36 < ash_work> detha: when you were saying "that pull form the config database, and generate config on the fly" were you talking about the config for the whole machine, or like a networking config, or...?
17:36 < ash_work> (because isn't that really ansible/puppet/salt's job?
17:39 < needle> the tool really does not matter in that case, it is more a question of what is the initiator of the process, manually, automatically, half-automatic, event-driven...
17:40 < needle> with perl and python you could do all the "magic" you want. It is up to you.
17:41 < ash_work> well, I'm really liking this 'configure me' stuff if say a server is plugged in without any setting for it
17:41 < ash_work> but my point was just to clarify that we are indeed talking about the right 'step'
17:41 < ash_work> s/right/same
17:42 < ash_work> but when I say this is too ambiguous... so like do you write your own script that listens for such an event like "server get's plugged in"? How?
17:45 < ash_work> I am surprised I am getting so much information in this channel
17:46 < needle> yes, this channel is really amazing looking from that perspective.
18:02 < ash_work> detha: okay, so suppose you want to set up a new webserver as a node in a docker swarm; at some point, something must run `docker swarm join ...`; taking your advice is that something done by what you're install via pxe? or after pxe installs the os (ie, like you were saying before: pulling the config from a config database... idk how that would work though), or a conftool runs a webserver configuration script?
18:07 < detha> ash_work: it depends. some places build fancy images with everything pre-installed, other places do a PXE boot of a generic minimal install that on first boot pulls the rest of 'what needs to be done' from config mgmt
18:08 < ash_work> detha: so the installed image is responsible for communicating with the config tool?
18:08 < ash_work> (in that case)
18:08 < detha> correct. the second style seems to be winning, boot into something that has network stack, basic tools and package manager, and pulls the rest of the config from a config server
18:09 < ash_work> detha: well, my idea was to use rancher-os which has a cloud-config for the basic system configuration
18:09 < ash_work> and they have a ipxe script too; although I was unsuccessful in testing this on a vm because I guess it doesn't support bz compressed initrd
18:10 < ash_work> but the could-config can't do things like `docker-machine` and `docker swarm` commands
18:12 < detha> ash_work: never played with rancheros, but as long as there is a way to have docker either in the install image or pulled in through package manager, why not
18:13 < ash_work> so things I need to investigate are how to set up the dhcp server to handout the right pxe image (in my case a different script per cloud-config) and how to get the system to tell the mgmt config to run post-install
18:14 < ash_work> the latter of which I basically still want to ask here
18:15 < ash_work> this is probably better asked in #rancher
18:15 < ash_work> thanks so much detha, that was a huge help
18:15 < ash_work> detha: ftr, are you more a fan of "some places build fancy images with everything pre-installed"?
18:31 < detha> ash_work: no. building 'golden images' is a pain.
18:32 < detha> It has a place, like standard corporate desktops with windows+office+SAP
18:32 < ash_work> good to know. Thanks ;)
18:36 < fnDross> either of you well versed in networking?
18:37 < redrabbit> no
18:41 < detha> fnDross: I know about 3% of what I can imagine one can know about networking. Does that qualify as well-versed?
18:42 < fnDross> it might, https://ibin.co/3wZx0gWjNDUu.jpg   << trying to put actual guest network on the dir-835
18:42 < Apachez> https://twitter.com/Rotarywings1/status/992281756177854466
18:42 < screwsss> 130 megabits per second. sound about right for the read transfer speed of a regular HDD
18:43 < fnDross> dont want to put another dhcp&vlan on the dva(router1)
18:44 < fnDross> ive read up on routes, but read nothing about routing in this scenario
18:45 < ||cw> screwsss: bytes yes, bits no
18:45 < usvi> if police was logging my ssh connections, could they be so stupid that they would always drop the initial connection, forcing me to take another, succeeding one?
18:46 < skyroveRR> usvi: a censorship tool isn't always guaranteed to work........ people need to FORCE IT to work.
18:46 < skyroveRR> A censorship tool or an MITM tool for that matter.
18:46 < usvi> yeah
18:46 < usvi> I need to dig into this
18:47 < usvi> my best friend, university buddy, turned out to be the biggest drug dealer of finland
18:48 < usvi> I think the police could be trying anything at this point to catch additional bad guys
18:49 < usvi> I must admit, of course, that Im also quite the tinfoil guy
18:51 < skyroveRR> Doesn't matter, they probably figured out who you are at this point.
18:52 < screwsss> balls
18:52 < screwsss> somethings wrong with me home network then
18:52 < usvi> skyroveRR: I have no secret identities, I dont even have those fancy contemporary drug dealer apps like.. was it wicr or something
18:55 < usvi> police arrested one tor network forum admin probably because he was telling me in car that he was the admin. car was bugged, he was in custody like 1-2 months. for having a forum on tor network
18:57 < usvi> and why do all these kinds of guys seek my company you ask? I kind of dont know. maybe being some kind of local privacy advocate makes this happen
19:06 < redrabbit> cool story
19:07 < screwsss> police bugged ur car?
19:07 < usvi> my friends car. the forum admin
19:10 < screwsss> 0wn3d.
19:10 < screwsss> spent 2 months in slammer?
19:11 < usvi> redrabbit: yeah.. I guess if you google Douppikauppa, you get some articles. some of them might even be english
19:11 < djph> so what I'm hearin' is that usvi is a plant
19:11 < usvi> screwsss: yes he did. 1 or 2, I dont rmember which one
19:12 < usvi> djph: I have thought many times that my friends must be thinking Im a snitch or something :D
19:12 < screwsss> i download plenty of torrents
19:12 < usvi> but it is just bad luck
19:12 < screwsss> one after the other
19:13 < screwsss> never even been sent a letter
19:17 < usvi> screwsss: yeah, I also fight those letters, I have an operation
19:18 < usvi> not  abusiness, charity work without pay
19:25 < coco> usvi what kind of forum was it?
19:30 < screwsss> bit torrent
19:36 < usvi> coco: kind of imageboard in tor network, but used also for drug deals by users
19:41 < coco> imageboard of what?
19:45 < screwsss> drug dealers just use craigs list lol
19:46 < superkuh> I put every site that I host on the clear web on tor as well.
19:46 < superkuh> (as a hidden service)
19:47 < fstd> a-are you a hacker?
19:47 < fstd> oh this isn't ##C, shit
19:47 < needle> It's strange that many users assume tor being a kind of "illegal" network.
19:48 < coco> yea, why would anybody assume that
19:48 < lupine> probably due to its overwhelming use for illegal activities
19:48 < kenlumbo> "dark web"
19:48 < kenlumbo> lol, my fav
19:48 < needle> On the other side, one never hears good things about tor, only the negative stuff gets public.
19:48 < kenlumbo> "oh I found it on the dark web"
19:48 < lupine> facebook
19:48 < kenlumbo> you mean it wasn't on facebook...
19:48 < coco> i totally want my legal content to be more difficult to access and slower
19:48 < lupine> nono, facebook *is* the dark web
19:48 < kenlumbo> #fakenews web
19:49 < kenlumbo> I cringe everytime I hear a commercial or some talking head say dark web
19:49 < screwsss> dark web
19:49 < kenlumbo> just because you say it's a thing, doesn't mean it's a thing
19:49 < coco> have you heard the one where they say the dark web is 10x bigger than the normal web? lol
19:49 < coco> I think i surfed most of it in an afternoon
19:50 < lupine> *facebook is the dark web*
19:50 < lupine> so, no, you did not
19:51 < coco> i'm wrong and you're right
19:51 < lupine> <3
19:52 < Ryvius> How are you gentlemen. May I have your best ideas for Wifi names
19:52 < SporkWitch> doesn't facebook have an onion site? lol
19:52 < SporkWitch> Ryvius: https://lmgtfy.com/?s=d&q=best+ideas+for+Wifi+names
19:52 < coco> so the hotel I'm staying at has a nazi DPI that blocks everything including vpn
19:53 < coco> and airvpn.org (best vpn bar none) has ssl tunneling
19:53 < coco> so to fight the man I'm going to kep the line saturated for my entire stay
19:54 < usvi> coco: it was like a very small-scale finnish 4chan
19:54 < coco> is that what they're calling it these days
19:57 < `whoami`> Ryvius: Surveillance Van #3
19:57 < needle> If the holel WAN uplink is saturated I setup a IPv6 DHCP server and route  the incoming IPv6 packets to /dev/null, thanks to happy eyeballs after some minutes the link is not that saturated anymore.
19:57 < lnks> hello, anyone familiar with the raritan terminal servers?
19:57 < usvi> coco: I think imageboard is the common name for 4chan-like boards
20:17 < xz> why would one use duckduckgo
20:21 < ||cw> xz: that seems prety clear from the website
20:21 < SporkWitch> ^
20:21 < ||cw> and from wiki "DuckDuckGo (DDG) is an Internet search engine that emphasizes protecting searchers' privacy and avoiding the filter bubble of personalized search results."
20:22 < SporkWitch> nolove: yes
20:22 < nolove> lol
20:22 < xz> you can use google search in incognito mode for the same functionality
20:23 < ||cw> google will track you by IP and browser signature, just less aggressively
20:23 < SporkWitch> xz: not quite.  They don't track it the same, but you shouldn't assume they aren't still tracking things in some way as to be useful to them.
20:23 < xz> you mean fingerprinting ||cw ?
20:23 < ||cw> yeah
20:23 < xz> I have some plugin to address that
20:23 < xz> not sure how efficient it is, however
20:24 < ||cw> DDG does it just by default, no matter who's computer you're on
20:27 < redrabbit> https://www.startpage.com/
20:57 < t0x0sh> Hi, I have a KVM networking question. I have 2 VM (vm1, vm2), and I want to forbide communication between them. What's the best solution ? Creating a bridge interface and a subnet for each VM ?
21:03 < SporkWitch> t0x0sh: sounds like a kvm question, not a networking question
21:05 < t0x0sh> ok :(
21:10 < kuahara> I setup a L2TP/IPSec VPN on a sonicwall in one of our county networks.  I've tested it out from my office and from my home PC.  The connection works fine.  I have two customers in other counties that cannot connect and both just happened to be sitting behind different Cisco ASAs.  I don't have access to either, so I can't be model specific, but in general, does outbound L2TP need to be
21:10 < kuahara> specifically permitted before it will work?
21:12 < E1ephant> t0x0sh: I think it may be possible https://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges
21:12 < E1ephant> the ebtables seem the fullproof way, but hard to manage.
21:13 < E1ephant> https://tools.ietf.org/html/rfc5517 is the rfc for pvlans, linux calls this "l2 client isolation?" ofc?
22:11 < cluelessperson> can unifi isolate clients?
22:12 <+catphish> cluelessperson: yes
22:14 <+catphish> cluelessperson: although looking through the config, i can't see it
22:16 <+catphish> cluelessperson: so, no idea :( should be possible, but can't find the setting on mine
22:22 < cluelessperson> catphish: also lan clients. :P
23:49 < ironpillow> hi all, trying to understand how meraki ambassador works: https://meraki.cisco.com/blog/2013/05/guest-ambassadors-providing-simple-and-secure-guest-access/. Does it use radius server in the background? thanks!
--- Log closed Sat May 05 00:00:09 2018