--- Log opened Wed May 09 00:00:13 2018
00:22 < DoYouKnow> join #bioinformatics
00:41 < wadadli> whenever I config a new host I set the hostname to $host.wadadli.internal
00:41 < wadadli> I can ssh to these hosts on (granted they are on the network) by ssh $host but never ssh $host.wadadli.internal
00:51 <+catphish> DoYouKnow: y tho?
00:56 < spaces> internet is f*cked up, we need something new
00:57 < spaces> catphish do you have an idea ?
00:58 <+catphish> i have lots of ideas, all of them great, but i'm taking them to my grave
00:58 <+catphish> in the mean time, i think i should sleep :)
00:58 < spaces> catphish die(); then!
00:58 < spaces> we will dig them out :P
00:59 < spaces> that is something new he said he was thinking!
01:23 < tds> wadadli: iirc .internal isn't reserved at all, so you should probably avoid it since it might get registered as a real tld
01:24 < tds> assuming you just mean you tell the installer the domain though, you'd also need to tell whatever updates dns records (eg your dhcp server) the domain
01:24 < tds> it's possible they're being resolved through some mechanism other than normal dns though (eg netbios, mdns)
01:29 < wadadli> tds ▸ ah! using router from att. perhaps this is why.
01:29 < wadadli> should probably change to wadadli.invalid
01:29 < tds> if you own a real domain, normally I'd just say to use that or a subdomain (eg lan.example.com)
01:30 < wadadli> I own wadadli.me
01:31 < wadadli> I don't really want my personal laptop reachable lol
02:16 < batch> hey i have this in vbox: https://imgur.com/a/Pxx7I0l
02:16 < batch> how can i emulate this in a linux computer?
02:21 < djph> batch: install vbox?
02:21 < djph> batch: or turn the *nix box into a (NAT) router
02:22 < batch> fuck virtualbox pff
02:23 < batch> NAT inside a homenetwork is hard to figure out
02:23 < batch> what am i doing
02:24 < Whiskey`> ...
02:24 < Whiskey`> what is the issue you need to fix?
02:25 < batch> i like ur nickname
02:25 < djph> it's fucking trivial. (1) enable v4 forwarding in sysctl. (2) iptables -t nat -A POSTROUTING -o -j MASQUERADE
02:25 < Whiskey`> why does he want nat in the lan? that doesnt make sense
02:26 < batch> Whiskey` yeah i think i'm just trying to figure it out the wrong way
02:26 < batch> so i think i know what i'm doing
02:26 < Whiskey`> well, tell me what you are trying to get done
02:26 < batch> oke so ehm
02:26 < rewt> http://xyproblem.info
02:27 < djph> Whiskey`: no it doesn't, but I'm three beers in, and don't fucking care :)
02:27 < djph> Whiskey`: also, I'm out of your namesak... ohwait I have the emergency bottle o jack
02:27 < batch> ix.io/19Qm
02:27 < batch> ix.io/19Ik
02:27 < batch> ok so
02:27 < batch> these are the settings i'm using kinda
02:28 < batch> but now i'm trying contact that nat network through my home router
02:28 < batch> and i think i need to connect it directly to it
02:28 < batch> that's prolly my problem
02:28 < batch> sorry if i hurt ur eyes with those iptable rules
02:29 < batch> so what i mean is
02:29 < rewt> batch, the print iptables at the end should be just 1 line: iptables-save
02:29 < batch> i need to connect my pc directly to the virtual router
02:29 < batch> oh
02:30 < Whiskey`> batch: where is the virtual router located compared to your pc?
02:30 < batch> i'm making a raspberry pi zero W with 2 usb-to-ethernet adapters a NAT router Whiskey`
02:30 < Whiskey`> ok, what does that have to do with this other setup?
02:31 < batch> so my homerouter between it is my problem right?
02:31 < batch> nothing really
02:31 < Whiskey`> well... maybe, you have not exactly stated where this stuff is located and how you connect to it
02:31 < batch> i'm just kinda migrating it from a test to a proper test
02:31 < Whiskey`> lol rewt you had it in one
02:31 < batch> oke so
02:32 < Whiskey`> batch: well it sounds like what you really want is "how do i make my rpi a router and enable nat on it?"
02:32 < batch> in virtualbox i have both just 2 computers connected to each network that's described in there
02:32 < Whiskey`> which djph answered right off
02:32 < Whiskey`> ok full stop
02:32 < Whiskey`> what does some vbox setup have to do with this?
02:32 < Whiskey`> its not going to migrate over at all
02:33 < batch> erh no i agree
02:33 < batch> so
02:33 < batch> i done this in school
02:33 < energizer> I'm having problems connecting to vpn sometimes. It usually works if i restart the computer. ubuntu 17.10. Here's syslog of a failed attempt https://paste.pound-python.org/raw/7kIr4IIEXvbrBbe4v2EP/
02:33 < batch> i had it working
02:33 < batch> then i made it work at home
02:33 < batch> now i try to put it to actual hardware
02:33 < batch> that don't work
02:33 < BitShack> Does anyone think the destruction of net neutrality will lead to you needing a license to operate a server or computer of any kind?
02:34 < batch> and no this isn't definitely not like homework lol
02:34 < batch> but i'll try anyway meh
02:35 < djph> energizer: seems like your link is fubar somewhere ...
02:35 < Whiskey`> BitShack: not at this time but only time will tell
02:35 < tds> energizer: looks like a dns issue - "/usr/sbin/vpnc: unknown host `vpn.example.com'"
02:35 < BitShack> Cuz that will be some bullshit
02:35 < tds> can you resolve other hostnames (eg example.com) when it fails to connect?
02:35 < BitShack> Especially for private users
02:35 < BitShack> tds: I think so
02:35 < Whiskey`> BitShack: yea not sure how they will manage to make that legal to do
02:36 < tds> BitShack: that was to energizer
02:36 < c|oneman> 5Ghz penetration is such dogshit
02:36 < BitShack> Mmmm
02:36 < BitShack> Sounds dirty
02:36 < djph> c|oneman: better than 60GHz
02:36 < energizer> tds: no i cant
02:36 < Whiskey`> c|oneman: meh i dont have any issues
02:36 < Whiskey`> but i use good gear =-)
02:37 < energizer> tds: er i can resolve most urls just not on that domain
02:37 < c|oneman> well sure, if you're in an apartment that's 800sq ft
02:37 < Whiskey`> djph: 60ghz is used exactly because it doesnt
02:37 < Whiskey`> its for same room multi gig links
02:37 < djph> Whiskey`: don't bring facts to this! :P
02:37 < Whiskey`> but ive got some outdoor 60ghz stuff im liking, waiting on the big units next
02:37 < tds> energizer: hmm, could you upload the contents of /etc/resolv.conf and the output of systemd-resolve --status?
02:37 < Whiskey`> djph: true i should leave em at the door
02:37 < djph> Whiskey`: (also, that was kinda the point ;) )
02:38 < tds> probably time to go and blame whoever runs the local dns resolver though
02:38 < c|oneman> Whiskey`: I think good gear is expensive and doesnt really offer more range, that's whats annoying
02:38 < djph> well, yeah, because *physics* and all ...
02:38 < Whiskey`> c|oneman: well you are wrong(ish)
02:38 < c|oneman> well, we have Cisco AC crap at work. it's fine, but it doesn't have good range
02:38 < Whiskey`> so much of it depends on the environment and the install that even good gear might not work for you
02:39 < Whiskey`> no cisco sucks donkey dick
02:39 < c|oneman> I suppose the brick wall is problematic
02:39 < djph> or, is it that the person who installed it purposely decided that "per-ap range" wasn't a huge factor?
02:39 < Whiskey`> c|oneman: YES IT IS
02:39 < djph> ^^^^^^^^^^^^^^^^6
02:39 < Whiskey`> c|oneman: jfc, for the cost of the cisco, you coulda got ubnt/mt and done it right
02:39 < c|oneman> still, why can't we have a WiFi technology with the range of DECT phones?
02:39 < Whiskey`> c|oneman: WE do, ITS JUST slow
02:39 < djph> we do, but 900MHz is a joke
02:40 < c|oneman> yeah, and nothing supports it
02:40 < Whiskey`> djph: I have a 900mhz link doing 80mbit so suck it
02:40 < c|oneman> Whiskey`: I'm not the one who set this shit up
02:40 < djph> Whiskey`: ooo, 80mbit. I have a piece of copper here doing 1000 mbit :P
02:41 < Whiskey`> c|oneman: well you need a $50 mt to toss in to fill the zone
02:41 < c|oneman> a what now
02:41 < Whiskey`> djph: lets see you pull that copper 5mi in a forest
02:41 < Whiskey`> c|oneman: mikrotik
02:42 < energizer> tds: resolv.conf says: nameserver 127.0.0.53 ; search host.example.com example.com , and systemd-resolve --status DNS Domain have those as well
02:42 < tds> energizer: can you upload the full output of systemd-resolve --status?
02:43 < tds> does it show multiple interfaces, and what resolvers on those interfaces?
02:43 < energizer> tds: https://ptpb.pw/Qpo5/text
02:44 < tds> oh yay the networking mess of docker
02:44 < tds> I'd do a direct lookup against that resolver (eg host vpn.example.com 192.168.0.1), if that fails go blame whoever runs that dns resolver
02:46 < djph> Whiskey`: sure can! granted I'll have to use xDSL or something then (or fiber!) suck it noob :P
02:47 < energizer> tds: https://ptpb.pw/nQzu/text
02:48 < tds> hmm, and if you don't specify a dns resolver (so it'll use systemd-resolved) do you get the same response?
02:49 < energizer> tds: $ host 192.168.0.1 -> 1.0.168.192.in-addr.arpa domain name pointer gateway.
02:49 < tds> no, that does an rdns lookup of the resolver's ip
02:49 < tds> you want to run host vpn.example.com
02:49 < energizer> oh
02:50 < energizer> tds: host not found: 2(SERVFAIL)
02:50 < tds> weird
02:50 < tds> what's the output of systemd-resolve vpn.example.com?
02:50 * tds wonders if systemd is being useful for once and validating dnssec
02:51 < energizer> tds: resolve call failed: No appropriate name servers or networks for name found
02:52 < tds> hmm, weird, I wonder if systemd-resolved is picking up on the dns domain being set globally and then failing to find an interface with that dns name
02:54 < Whiskey`> djph: but it wont be giving you that 1000mb then
02:55 < tds> energizer: this issue may be useful: https://github.com/systemd/systemd/issues/6976
02:55 < djph> Whiskey`: but the *fiber* would :D
02:55 < Whiskey`> djph: assuming all things being right sure, now price that out to a 900mhz link heh
02:56 < Whiskey`> djph: and you didn't forget me right?
02:56 < djph> zip it you :P
02:56 < Whiskey`> ill zip and tar you
02:56 * djph slaps Whiskey` around with a large trout
02:56 * Whiskey` slaps djph with an empty bottle
02:56 < djph> :(
02:56 < djph> why's the rum always gone
02:57 < Whiskey`> because ME
02:57 < energizer> tds: they say uninstall resolvconf, so ill try that
02:57 < Whiskey`> while i like rum, bourbon is my downfall
02:57 < Whiskey`> but any whiskey old enough to fornicate with too
02:58 < tds> energizer: yeah, if you do that and make it so all that's listed in /etc/resolv.conf is the systemd-resolved address, I think that'll sort it
02:58 < tds> weirdly though, I have search domains listed in /etc/resolv.conf on my personal machines and systemd-resolved works fine
02:59 < energizer> tds: sorry what should be the contents of /etc/resolv.conf?
02:59 < tds> just nameserver 127.0.0.53
02:59 < tds> no search domains
02:59 < energizer> ok
03:00 < energizer> tds: im noticing that resolv.conf is a symlink /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
03:00 < energizer> is that normal?
03:00 < tds> yes
03:01 < energizer> ok ill edit it
03:01 < tds> hmm, that file is automatically generated, so you probably shouldn't edit it
03:02 < tds> it's possible that now it's a symlink to the systemd file rather than the resolvconf one, systemd-resolved will ignore the options in it
03:02 < tds> so restarting systemd-resolved *might* fix it
03:06 < energizer> tds: vpn is online now. i'm gonna try rebooting and see if the settings stick around. brb
03:09 < energizer> tds: yep, works. thanks!
03:17 < RoadRunner> connection problem: https://paste.ubuntu.com/p/jwp5Xcg73f/
03:18 < tds> RoadRunner: try the same as the last person ;)
03:18 < tds> what's the output of systemd-resolve --status?
03:21 < RoadRunner> tds: just entered the channel, so don't know what was said :); as far as systemd-resolve: am running os version 16.04, so am getting: "systemd-resolve - unrecognized option "--status"
03:22 < tds> hmm, that's odd, --status should definitely be a valid option
03:23 < xamithan> It isn't on 16.04 ubuntu
03:24 < RoadRunner> any other commands to try?
03:24 < tds> hmm, good point, seems weird that the comments in /etc/resolv.conf are incorrect
03:26 < mgolisch> does it use systemd-resolved by default?
03:27 < RoadRunner> no idea what's normal and what's not any more...
03:27 < xamithan> It uses resolvconf
03:27 < tds> I thought 16.04 was dnsmasq by default, but I might be getting mixed up
03:30 < CHENG08> hi guys can you help me about openwrt, when I change my router firmware to OpenWrt Chaos Calmer it has no wifi. I dont know how to configure router to enable wifi
03:30 < cmj> resolvconf is what i use
03:31 < CHENG08> resolvconf?
03:31 < mgolisch> i remember previous versions having an unencrypted wifi setup by default so you can configure it but i have not used openwrt in a while
03:31 < mgolisch> maybe read their documentation?
03:31 < xamithan> https://wiki.openwrt.org/doc/uci/wireless ?
03:33 < CHENG08> yes sir cmj I try that documentation but I got a problem on the driver
03:33 < cmj> CHENG08: it's a package that controls and overrides dns entries
03:34 < RoadRunner> anyone then?
03:34 < mgolisch> RoadRunner: can the machine resolve any dns hosts?
03:34 < mgolisch> like nslookup google.com
03:35 < CHENG08> when I accessing the config of openwrt, I cant see the wireless config
03:35 < CHENG08> when I try to nslookup sir this is the result
03:35 < CHENG08> Server: 127.0.0.1 Address 1: 127.0.0.1 localhost Name: google.com Address 1: 2607:f8b0:4007:80c::200e lax17s15-in-x0e.1e100.net Address 2: 172.217.11.78 lax17s34-in-f14.1e100.net
03:36 < CHENG08> and I used only lan
03:37 < tds> that looks fine, it looks like it's not using systemd-resolved though (assuming systemd-resolved only binds to 127.0.0.53 on that version?)
03:38 < CHENG08> yes sir
03:39 < RoadRunner> mgolisch: nslookup google.com: "connection timed out; no servers could be reached"
03:39 < mgolisch> so it means there is no dns server listening on the ip specified in your resolv.conf
03:39 < tds> oh oops, I'm getting RoadRunner and CHENG08 mixed up
03:40 < xamithan> My resolvconf lists 127.0.1.1 not the other address that systemd-resolve uses
03:40 < mgolisch> how did you configure your networking?
03:41 < RoadRunner> the comp is not on a static ip, dns ip is fed to it by the gateway (small wall)
03:41 < RoadRunner> *is now on...
03:42 < RoadRunner> the comp IS now on a static ip (sorry)
03:42 < mgolisch> looks like the local resolver your resolv.conf points to isnt listening
03:43 < mgolisch> maybe it crashed?
03:44 < mgolisch> you use networkmanager?
03:44 < RoadRunner> is there a command similar to 'systemd-resolve --status' that I can run on my system to find out?
03:45 < mgolisch> try resolving a name using it
03:45 < mgolisch> systemd-resolve google.com
03:45 < RoadRunner> networkmanager: https://paste.ubuntu.com/p/7FYDvcPc5x/
03:46 < tds> what's the output of netstat -nulp?
03:46 < tds> you might need to run it as root
03:46 < tds> I suspect you might have dnsmasq listening, and somehow you're using the resolv.conf file for systemd-resolved
03:50 < CHENG08> sir mgolisch when I setup my wireless config I got an error message: wl0(broadcom): Interface type not supported
03:52 < Guest55> I have been seeing weird activity on my apache access logs
03:53 < RoadRunner> tds: mgolisch: https://paste.ubuntu.com/p/THhxs2sknV/
03:53 < Guest55> I think there must be a new exploit for jboss. I have been getting requests for jmx-console from 62 different ip addresses. I don't even have jboss installed
03:54 < tds> RoadRunner: do you have resolvconf installed?
03:55 < tds> installing that should make resolv.conf be managed properly again, then it'll use 127.0.1.1 (dnsmasq) as a resolver and everything should work
03:56 < RoadRunner> tds: well, if I have the /etc/resolv.conf file and resolvconf dir, then isn't it installed? If not, how do I find out? and finally, how can I install anything without connection to repositories?
03:57 < tds> ah, to get it working for now you can just edit /etc/resolv.conf so the nameserver line says "nameserver 127.0.1.1"
03:58 < tds> then you probably want to run apt install resolvconf, and possibly dpkg-reconfigure resolvconf if it's already installed
03:59 < RoadRunner> tds: I'll try that; so, is that going to introduce an alternative package to my system or restore the original?
04:01 < tds> iirc on 16.04 /etc/resolv.conf is managed by resolvconf, and normally just points to dnsmasq (which is then managed by network-manager), I'm not sure why it would point to the systemd-resolved configuration in the first place
04:02 < RoadRunner> and once I do what you suggested, it will be a permanent change (not overwritten on next reboot) and the comp will work fine in any environment (auto dhcp or static ip)?
04:08 < energizer> In ufw I have XXX.XXX.XX.0/26 ALLOW, and i'm trying to ssh from XXX.XXX.XX.122 but logs say UFW BLOCK. I'm able to connect from other allowed ips. Is that ufw rule supposed to allow that ip?
04:10 < tds> RoadRunner: just editing the file will be temporary (systemd-resolved will overwrite the file on boot), doing it properly with resolvconf should fix it permanently
04:12 < RoadRunner> tds: thank you, I shall be back if I fail :)
04:12 < energizer> can i find out why ufw is blocking my ip? like explain against each rule?
04:14 < xamithan> A /26 block is only 64 addresses. If it is a x.x.x.0 I don't see why it would include a .122
04:16 < Guest55> Has anyone here tried block all ips except cloudflare's
04:20 < energizer> xamithan: ok i dont know how this works. is there a simple way or tool i can use to check which blocks match which ips?
04:21 < xamithan> I use a simple php script if I'm feeling lazy. There is tons of calculators out there though, like: http://www.subnet-calculator.com/
04:24 < energizer> xamithan: ok i put network class C, mask bits 26, i tried my ip with subnet mask 255.255.255.192 subnet bits 2 max subnets 4 mask bits 26 hosts per subnet 62, and it gives me a range XXX.XXX.XX.65 - .126
04:25 < xamithan> Yeah, so if you wanted to allow that range you'd use x.x.x.65/26
04:26 < xamithan> Not x.x.x.0/26
04:27 < xamithan> It doesn't even need to be a /26. Just needs to have the IP in the same subnet
04:36 < energizer> thanks xamithan
04:36 < RoadRunner> tds: should I prepare /etc/resolv.conf for dynamic updates?
04:44 < RoadRunner> I guess tds is done for the day, xamithan: you prob know, in configuring resolvconf, should I prepare /etc/resolv.conf for dynamic updates?
04:44 < xamithan> it'll get overwritten on boot
04:45 < xamithan> IF resolvconf is working you shouldn't need to do anything to it
04:45 < RoadRunner> no, I mean I installed the resolvconf package and am configuring it (dpkg-reconfigure resolvconf)
04:46 < xamithan> Oh is it asking you a question? If so, sure let it configure for dynamic
04:46 < Mead> is anyone aware of a method for caching ipv6 traffic to a specific url?
04:48 < Mead> or should I say "from a specific url"
05:04 < ghostyy> how do i understand VPN software
05:04 < ghostyy> i am trying to configure strongswan and all of the configuration options look like gibberish
05:12 < SporkWitch> ghostyy: https://lmgtfy.com/?s=d&q=how+to+set+up+strongswan for the main query, let us know if you have specific questions we might be able to help with
05:12 < ghostyy> i read that but they just tell you what to write and not what any of it means
05:13 < SporkWitch> that will typically be a question for the documentation
06:06 < ghostyy> i guess here is a concrete question, what is meant by "left" and "right" in strongswan connection configuration syntax?
06:07 < ghostyy> eg i see left=... leftprotoport=... right=... rightprotoport=...
07:32 < c50a326> hey if I try to connect to a wifi network using network manager, it connects but dhcp isn't working, it just times out
07:32 < c50a326> if I manually wpa_supplicant and dhcpcd it works
07:32 < c50a326> just for 1 network, which used to work
07:32 < c50a326> other networks are fine. wtaf?
09:15 < luxio> what happens if I change my MAC address to one of a device that's already on the network?
09:15 < luxio> will it refuse my connection?
09:17 < Terminus> luxio: you'll get a conflict. a switch won't know which MAC address to send ethernet frames to.
09:17 < regdude> depends on what is your traffic, what devices and if switch is a smart switch
09:18 < regdude> Layer2 UDP will work, but you are probably using some PCs, they require ARP and as a result your router will only choose one address
09:23 < mAniAk-_-> luxio: the switch learns where mac's are based on incoming frames, so it will update its forwarding table alternating between the two ports, nothing will work well
10:07 < regdude> anyone had an issue with GNS3 and VPCS that when you open the console and start typing "ip" it autocompletes the command?
11:46 < sliddis> regdude: autocompletes to what?
11:47 < regdude> sliddis: well, for example, I try to set an IP address so > ip ... and it shows up all possible commands without allowing me to input 102.168....
11:48 < sliddis> regdude: ok sounds weird, havent seen it myself, and ive used gns3 latest versions a lot
11:49 < regdude> might be a console problem that it adds extra character, saw that it is using xterm so there are some options to configure
11:51 < CHENG08> Hi guys can you help me about my linksys e1200 with openwrt firm, when I disabled the dhcp of the router i cant access the gui of openwrt and I cant also access using ssh..when I try to reset it, i cant reset it.
11:52 < djph> does your PC have an IP address in the subnet that the router is configured to handle?
11:54 < CHENG08> yes I set ip address 192.168.1.2 and the default gateway is 192.168.1.1
11:54 < light> can you ping 192.168.1.1 ?
11:54 < shtrb> CHENG08, use wireshark to see what ip is broadcast after you restart it (while your pc is connected over cable)
11:56 < shtrb> if you have no ip broadcast , manually setup your card ip to the previously configured ip range (if you had 192.168.1.0/24 you could declare it 192.168.1.100 ) and scan the entire zone to see the router ip
11:56 < shtrb> but make sure avahi and friends are DISABLED on your card because there is no dhcp server running (avahi will give you a zero conf address)
11:57 < cheng08_> when I ping 192.168.1.1 it says Reply from 192.168.1.2: Destination host unreachable.
11:57 < shtrb> can you nmap the entire range ?
11:58 < mAniAk-_-> cheng08_: no arp answer in that case
11:58 < cheng08_> and my linksys router install firmware openwrt no wifi, I only connected using lan cable
11:58 < mAniAk-_-> cheng08_: reset router config
11:58 < shtrb> Check your gateway ip and try to access it over HTTP/HTTPS
11:59 < shtrb> if you have luci or something like that you could start/stop services
11:59 < cheng08_> when i access the gateway before I can access it but not now after I disabled the dhcp
12:00 < cheng08_> my problem on the router is I cant access it using http, https and telnet and ssh
12:00 < cheng08_> when I connect using ssh it says network connection timeout
12:01 < mAniAk-_-> cheng08_: reset router config
12:01 < djph> set the kit on fire, throw it out the window, and replace it with something else?
12:01 < cheng08_> maniAK I try to reset it but it cant reset I dont know why I try all the tutorial on google but not working
12:01 < djph> also, just for giggles, you're setting the IP address on the *correct* interface in your PC, yes?
12:02 < cheng08_> yes djph
12:02 < mAniAk-_-> cheng08_: usually you just press the reset button with a needle or pen for some time
12:02 < cheng08_> when I resetting the router I plug the lan cable connected on my pc
12:02 < cheng08_> yes i press it in 30 seconds but not working
12:03 < cheng08_> before when it installed a dd-wrt I cant reset it
12:03 < cheng08_> but when I change the firmware to openwrt. I cant reset and the light is not blinking
12:04 < mAniAk-_-> cheng08_: tried dhcp with the client after a reset?
12:04 < mAniAk-_-> maybe it doesnt have 192.168.1.1 anymore
12:04 < cheng08_> yes sir
12:04 < cheng08_> I think I cant access it because of dhcp
12:04 < shtrb> you can connect the router's wan port to your laptop and use wireshark to see what IP it gets request
12:05 < cheng08_> okay sir shtrb I will try
12:05 < shtrb> openwrt had a failsafe when you press a button just after restart it will open a telnet service
12:05 < shtrb> (or ssh )
12:06 < djph> shtrb: that makes no fucking sense
12:06 < shtrb> djph, failsafe doesn't make any fucking sense ?
12:06 < djph> cheng08_: are you 100% positive that the router's address was "192.168.1.1"?
12:06 < bezaban> the wan port part :P
12:06 < djph> ^
12:07 < shtrb> bezaban, the wan part is when your router will try to connect it will advertise its messages (I'm listening on XXX or press blabla to go to failsafe)
12:07 < cheng08_> Im not sure sir because I assign 192.168.1.1 on Ethernet then when ipconfig it show the gateways is 192.168.1.1
12:08 < bezaban> shtrb: it uses its wan network port as a console?
12:08 < djph> cheng08_: well, yeah, if you TELL the computer to use IP 192.168.1.x / gateway 192.168.1.1 it'll tell you that's what its gateway is
12:08 < djph> holy fuck that's a bad idea. remind me to slap whoever thought that was sane around with a cat5e-o-nine-tails
12:09 < mAniAk-_-> it just uses the first interface, which is usually also the wan interface
12:09 < mAniAk-_-> cheng08_: https://wiki.openwrt.org/doc/howto/generic.failsafe
12:09 < djph> yeah, but still ... eww
12:09 < bezaban> ouch.
12:10 < mAniAk-_-> it doesnt really matter...
12:10 < bezaban> mAniAk-_-: as long as nobody ever logs anything that shouldn't be public.
12:10 < cheng08_> mAniAK: I try that but not working
12:10 < shtrb> cheng08_, I just checked the current failsafe - you need to use the Network cable (lan ) and not WAN (unplug it ) set your pc ip to 192.168.1.2 and restart the router, just after the led blink click on the configuration button (https://wiki.openwrt.org/doc/howto/generic.failsafe )
12:11 < mAniAk-_-> bezaban: what?
12:11 < shtrb> bezaban, I remember the message after the boot over WAN, according to the doc I was wrong
12:11 * linux_probe plays not into the bargbagey of today
12:11 < cheng08_> heres I do when the router cant access, I change the br_wan to wlan before it set to eth0
12:11 < linux_probe> CHINA owns USA due to debt buying and being so near sole supplier of chinesium
12:12 < linux_probe> not much manufactured in USA today
12:12 < linux_probe> we are sitting ducks, I see it , and am halting it, how about that
12:12 < shtrb> cheng08_, there should be only ONE cable connected to the device , and you can use failsafe only in a very short period after boot
12:13 < cheng08_> shtrb: I will try again the failsafe
12:13 < shtrb> Timing is very important
12:14 < cheng08_> sir shtrb can I contact you using facebook ?
12:14 < bezaban> oh I see, right
12:14 < shtrb> no
12:15 < shtrb> cheng08_, no , but you are using facebook zero check if you can setup a vpn over it to some free server so you could use IRC without extra charge
12:16 < shtrb> I'm thinking about facebookzero because it's the only sane reason to have it today
12:16 < cheng08_> how about skype sir?
12:16 < shtrb> What's wrong with IRC here ?
12:16 < cheng08_> because I will continue it tomorrow.
12:17 < shtrb> oh , no, just connect here and ask again
12:17 < shtrb> someone will know what to do
12:17 < cheng08_> okay sir
13:35 < system16> Hi, is onion (tor) part of the dark web or the deep web ?
13:35 < grawity> the fuck is the difference between the two, anyway?
13:36 <+xand> system16: those are nonsense terms
13:36 < system16> deep web : anything on the web that doesnt show up on search engines
13:36 < djph> as I've had it explained, "deep"web is the stuff not indexed in a search engine. "dark" is ... presumably all the illegal stuff
13:36 < grawity> ah yea, "deep web: not indexed by search engines for any reason" vs "dark web: requires specific software to access"
13:37 < grawity> well, .onion sites would be both
13:37 < system16> dark web : its mostly used for bad things
13:37 < grawity> but mostly the latter because I'm sure I have seen an .onion search engine
13:37 < system16> so using tor and onion sites aint safe ?
13:37 < djph> IIRC "dark" is a subset of "deep"
13:37 < system16> tor
13:37 < regdude> the internet is not safe
13:37 < djph> ^
13:38 < system16> so onion (tor) is in the dark web ?
13:39 < system16> but google will show results for the pirate bay and that site is an onion based site.
13:39 < djph> given that "you need specific software to access it", apparently so.
13:39 < system16> ^^
13:39 < djph> because you can get to it via a standard (non .onion) address as well (usually)
13:41 < system16> www.thepiratebay.com << this is a normal link and thepiratebay.onion is not ?
13:41 <+xand> specific software, like a web browser?
13:41 < grawity> xand: in terms of relative popularity, I'd go with "no"
13:42 < system16> oh and is anything useful in deep web ?
13:42 < system16> (onion sites)
13:43 < djph> xand: given that "web" is already part of the name, I think it's "something other than a basic web browser"
13:43 < royal_screwup21> what does it mean to: "(HTML-)escape any user-generated
13:43 < royal_screwup21> content that you display in a HTML page"
13:43 < djph> royal_screwup21: it means exactly what it sounds like
13:43 < royal_screwup21> what does it mean to "escape" something/
13:43 < regdude> system16: depends on your intentions
13:43 < djph> system16: sure, my websites are perfectly useful (to me)
13:44 < system16> i think i dont need dark web and deep web
13:44 < djph> royal_screwup21: generally it means to mark it as "not a special character"
13:44 < system16> since im not a hacker
13:44 < regdude> you don't need to be a hacker, you can be anybody in dark web
13:44 < djph> royal_screwup21: e.g. unix filenames with a space have to be written (by you) as file\ name (as "space" is a special character to the shell)
13:45 < royal_screwup21> ah cool thanks for clarifying
13:45 < djph> royal_screwup21: although, for HTML, I'd expect it's more like "convert < to &lt;" (etc.)
13:46 < royal_screwup21> ah that makes sense
13:48 < system16> btw how tf IDM downloads files 5x faster than chrome ?
13:49 < system16> Internet Download Manager.
13:50 < disposable2> regdude: until somebody turns the light on
13:54 < regdude> system16: it creates multiple connections to a server whenever possible
13:55 < system16> regdude, and that makes it faster ?
13:57 < regdude> system16: sort of, yes
13:57 < system16> so the limit is set to 8 . should i set the limit on 32 ?
13:58 < djph> probably not
13:58 < system16> but servers would think that im trying to ddos them .
13:58 < djph> also, it's a dick move starting more sessions so you get stuff faster
13:59 < system16> u mean connections ?
13:59 < djph> yup
13:59 < system16> lets go with 16.
13:59 < djph> how about you go with "one"
13:59 <+catphish> seems like you're just messing with whatever balancing has been implemented
14:00 < system16> 1 ? LOL
14:00 <+catphish> what's the context?
14:00 < system16> default max connection is 8
14:00 <+catphish> connection to what?
14:01 < djph> catphish: apparently a download manager so he can get faster HTTP downloads from "where-ever"
14:01 < system16> to a server
14:02 <+catphish> system16: why would you want more than one connection?
14:03 < system16> because i can download files quickly
14:04 < detha> system16: if you are not competing with other things for bandwidth, more sessions do not make a difference. If you are, running multiple sessions steals some bandwidth from others, and is generally considered anti-social behavior
14:04 <+catphish> system16: servers will share bandwidth equally across all users, by making more connections, you're not increasing the capacity of anything, you're simply taking bandwidth away from other users
14:04 <+catphish> seems antisocial
14:05 < system16> well I did not know that.
14:06 <+catphish> although there may be other reasons for slow downloads, packet loss, latency
14:06 <+catphish> making a couple of connections isn't going to harm anyone, but 8 seems like a lot
14:06 < system16> it takes 35 min to download a 500 MB file without idm but it takes 20 min with idm
14:06 <+catphish> have you considered asking whoever provides the service about the performance?
14:07 < system16> yes but they say thats the max speed that i can get
14:07 < system16> is 2 mbps
14:07 <+catphish> well then there you go
14:08 <+catphish> download at 2mbps
14:08 <+catphish> if they're capping it at that speed on purpose, doesn't it seem rude to try to evade that policy?
14:09 < system16> no because my friends have like ~15 mbps
14:09 < system16> and they have the same isp
14:09 <+catphish> then i have no idea why they'd tell you the max is 2 :|
14:09 <+catphish> no idea
14:10 < system16> and they arent paying more than me
14:10 <+catphish> if you can increase it by making a couple of connections, sure, just don't be silly with it
14:10 < system16> at least i have an internet connection. i should be thankful for that
14:12 < system16> lol it makes no difference. 16=8
14:12 < djph> catphish: probably because distance, crap lines, or he doesn't wanna pay
14:13 <+catphish> actually i have no idea where the bottleneck is here
14:13 <+catphish> i was assuming it was the server
14:13 < system16> probably its because my isp is an a******
14:14 < djph> catphish: well, for starters, it's language. After that, it's general "i don't know how the internet works". Finally it's either XY problems, or "the user always lies"
14:14 < system16> lol my speed dropped to 56KB/sec
14:15 < system16> Client: HexChat 2.12.4 • OS: Microsoft Windows 10 Pro (x64) • CPU: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz (2.80GHz) • Memory: 3.0 GiB Total (1.6 GiB Free) • Storage: 194.4 GiB / 297.6 GiB (103.2 GiB Free) • VGA: NVIDIA GeForce 9400 GT • Uptime: 49m 24s
14:16 < system16> maybe its because of my pc ?
14:16 < djph> win 10 on 3G of RAM?! masochist.
14:16 < system16> y not ?
14:16 < system16> minimum is 2 GB
14:17 < djph> ... well, w10 in general ... but ewww, 3G of RAM
14:17 < Epic|> 3gb win10 is fine for a lot of stuff. It handles low ram much better than old versions
14:17 < Epic|> Especially with an SSD
14:17 < system16> and it runs fine. no slow downs and its even faster than my main pc which has 8 GB of ram
14:17 < regdude> non symmetric RAM
14:18 < Epic|> A significant portion of the population has no autistic need for symmetry
14:18 < Epic|> They can sort mismatched sticks of ram into the same pile without a fuck to be found
14:23 <+catphish> system16: there are so many things that can affect speed
14:27 < djph> Epic|: then they didn't perform the task of "sort the RAM" properly. DO IT AGAIN
14:38 < dogbert2> hey djph
15:08 < veek> why does the wifi modem drop an existing download every time i try to browse..? 26 link -82 lvl
15:08 < veek> what's normal
15:08 < veek> noise - 256
15:09 < veek> 4000 retry
15:09 < veek> but no disconnects
15:12 < regdude> -82 dBm rx signal level? that is very bad
15:13 < regdude> and noise floor -256dBm is unreal
15:14 <+catphish> veek: what do you mean by dropping a download?
15:14 < veek> regdude, nothing can be done about the noise.. it's horrible here.. everyone runs wifi at max
15:15 < veek> catphish, got wget running and if i browse the wget retries
15:15 <+catphish> veek: do you get a specific error from the wget?
15:16 < veek> nope it just retries the moment i browse
15:16 <+catphish> that's a rather unusual symptom
15:16 < regdude> I mean -256 dBm noise floor means that everything weaker than -256 is ignored. That is a lot of noise for your wlan card to process, seems wrong
15:16 <+catphish> what OS are you using?
15:17 <+catphish> normally even a full wifi reconnect won't kill connections on my linux machine
15:17 < veek> linux
15:19 < veek> http://pix.toile-libre.org/?img=1525871937.png
15:19 <+catphish> veek: you could run wget with "-t 1" for only one try and see if it produces an error
15:20 <+catphish> you have a seriously ugly window manager, you should fix that first
15:20 < veek> heh i like it that way
15:20 <+catphish> lol
15:21 <+catphish> generally TCP is very robust and should be able to keep a download going no matter how bad the network conditions are
15:25 < veek> pox on that - let's try indoors - bbl
15:25 < ||cw> well, to a point
15:35 < drathir> catphish: get right if wifi connection not killed it should timeout and reconnect after some amount of time in my opinion....
15:42 * drathir also would try to verify if someone could+ not try attack router with deauth requests or similar ddos...
15:43 < veek> drathir, ah! is there a way to spy on the airwaves.. airodump-ng ?
15:43 < veek> all i get are a bunch of channels and stuff
15:44 < veek> wifi sniffer..
15:44 < drathir> veek: yep check if there isnt station attempt to connect or similar name with different mac...
15:45 < drathir> veek: it could be even a lot of station names with same mac...
15:46 < veek> ah yep macchanger :p
15:47 < drathir> veek: switch modes it will show You associated stations too...
16:59 < marktiell0> Hello. I've coded a Socks5 proxy Server on android. It works perfectly with non-SSL sites, but around 1/3 of the times on SSL websites I get Java Connection Reset exception. This only happens when I try the app on Android, on desktop it works perfectly: https://i.imgur.com/gEzHvVz.png
17:00 < djph> probably MTU
17:01 < marktiell0> @djph: this is what I get when I use curl https://imgur.com/EcSNqak
17:01 < marktiell0> really really weird
17:02 < marktiell0> you still think it is MTU issue?
17:04 < djph> don't care enough to parse out a gif when text would work even better
17:04 < marktiell0> ok, sorry, will upload the text in a sec
17:04 < ||cw> especially one that loops around so fast you can't possibly parse the output
17:05 < djph> ||cw: maybe he thinks we're all adderall-addicted millennials like him?
17:05 < marktiell0> https://ghostbin.com/paste/7sje5
17:06 < marktiell0> https://ghostbin.com/paste/7sje5/raw (raw version)
17:07 < djph> you're getting a bad message authentication code (MAC)
17:08 < djph> IOW something's getting corrupted en-route (such as an HTTPS stream over a path with the wrong MTU)
17:10 < marktiell0> (speaking from a noob): so, theoretically, if I reduce buffer size and send packets I should not have this issue anymore? Any tip on how to solve this issue? I'd like to have deeper understanding
17:10 < marktiell0> if you have any resources I can look into I would be grateful
17:10 < ||cw> https://github.com/openssl/openssl/pull/3927
17:11 < ||cw> update your libs?
17:11 < marktiell0> I'm using JDK 9 build on android app
17:12 < marktiell0> I've already tried doing this but with no success. Again, I tried the same android app that I was running on emulator (with that error) on my desktop PC and it works 100% of the time
17:12 < ||cw> and curl?
17:13 < ||cw> did you google the error message?
17:13 < marktiell0> ||cw: I don't think it's a curl issue, I tried with firefox as well
17:13 < ||cw> it's an issue with the libraries that curl and firefox use for ssl
17:13 < ||cw> specifically to work around an issue with a java library being too picky
17:14 < ||cw> the java library seems "right" by the specs, just nothing else is so picky
17:15 < marktiell0> ||cw: updating curl just now, will let you know in a sec if that's the issue, thanks
17:15 < ||cw> the *libraries*, not curl itself
17:16 < ||cw> again, did you google the error message?
17:16 < marktiell0> yep, thought updating curl would update also the dependencies
17:17 < marktiell0> but if that is an openssl library issue, why would it work when I run the server on desktop and not on mobile?
17:18 < ||cw> that's a really good java programming question, and not a networking one at all
17:19 < ||cw> IDK crap about java. other than it is inconsistent and hides too many things from you
17:20 < marktiell0> well, thank you anyway, I will look into MTU and see if I can get anywhere
17:21 < lpapp> hi, should I prepend or append a local network nameserver to the company nameservers?
17:21 < lpapp> resolvconf.conf seems to indicate that I should prepend, but will that not add additional delay to most of the DNS queries to the outer world?
17:28 < ||cw> lpapp: you prepend so that the external servers don't know what local names you're looking up. also more and more ISP dns servers will ALWAYS return an IP even for unknown names in order to redirect you through their search page, which some people actually do find useful
17:29 < ||cw> lpapp: but better yet, just use your local DNS server and configure it to forward and cache external
17:48 < ghostyy> well, i followed whoever's advice it was and tried to read the strongswan documentation, turns out some of the options i see in people's config files are literally not even documented
18:24 < Evan1929838484> I have some questions
18:31 < Evan1929838484> Can ip spoofing be performed on external servers?
18:36 < ash_work> what are the slashes in this image: https://packetpushers.net/wp-content/uploads/2014/02/L3-After1.png (eg ge-2/0/0)
18:36 < tomreyn> depends on the source and target network configurations. with BCP 38 this should not happen
18:36 < tomreyn> Evan1929838484: ^
18:37 < tomreyn> ash_work: chassis and port #
18:38 < tomreyn> .nnn are probably vlan ids
18:38 < ash_work> chassis number?
18:39 < UncleDrax> yes
18:39 < tomreyn> routers are usually clustered
18:39 < ash_work> a chassis number is something that identifies a specific device?
18:39 < UncleDrax> so like if you have stacked switches or something similar. really it's just a grouping
18:39 < ash_work> oh?... that's counter-intuitive wording if I understand it
18:40 < ash_work> unless "stacked" is a virtual concept
18:41 < UncleDrax> 'stacked' here means multiple devices connected together and being operated by a single control plane. ie: I could stack 4x 24 port c3750ME together and get 1 logical 96-port switch
18:42 < UncleDrax> but really, again, to answer the root question it's just a grouping. that group ID may correlate to a chassis member number, a line card number, or something else.
18:42 < ash_work> is that just firmware on the switch that allows it to be grouped into a control plane?
18:42 < mast> Just think "I like my switches like I like my women"
18:42 < UncleDrax> ground up and in the freezer?
18:42 < UncleDrax> wait.. strike that. -.-
18:42 < ash_work> well "chassis" is still a counter-intuitive word, imo
18:42 < UncleDrax> why?
18:43 < ash_work> because that typically describes a physical housing
18:43 < UncleDrax> yeap, and?
18:43 < ash_work> I would have thought a chassis # referred to a specific device... not a group of devices
18:44 < UncleDrax> but you can stack a series of physical devices together to work as a single logical unit. ergo, you need some way to refer to the port in chassis #1, chassis #2, etc.. right?
18:44 < ash_work> since a group of devices, at least in this case, is more abstract... "plane" was a better word (for me at least) and helped me understand this better
18:44 < mast> Yes UncleDrax. Go on
18:44 < ash_work> oh... so it '
18:45 < ash_work> damn apostrophes being next to enter
18:45 < ash_work> so it _does_ refer to a specific device (possibly) _within_ a group?
18:48 < UncleDrax> so for example, I have a 7606 here. I have a 24-port SFP line card in slot 4. those interfaces are numbered gi4/0 to gi4/24.
18:48 < UncleDrax> the SUP card is in slot 6, it has 2 ports. gi6/1 and gi6/2
18:48 < UncleDrax> in slot 5, i have a 4 port 10G card.. te5/1 - te5/4
18:48 < UncleDrax> that makes sense now?
18:49 < UncleDrax> so the bonus slash (preceding) could be if I had multiple of those, operating as 1 logical unit. so you could have te1/5/1 and te2/5/1
18:50 < UncleDrax> (don't think you can do that with 7600 series, but that gets the idea across)
18:51 < acos> Numbering is not ez
18:52 < UncleDrax> ash_work: it's just how Cisco does it. (although many vendors use a similar system)
18:52 < Evan1929838484> i h8 google a ton
18:53 < acos> 8.8.8.8 has been great to me.
18:53 < Evan1929838484> they are constantly taking statistics of what im doing on my phone and i cant do anything about it
18:53 < ash_work> UncleDrax: so the article using that image was written in 2014; is that still a sensible setup?
18:54 < UncleDrax> firewall -> router -> switches -> servers. sure, seems fine to me. the fundamentals haven't changed in the last 20 years pretty much, and that's all that diagram outlines, plus some VRFs
18:56 < UncleDrax> people are coming up with ways to automate networking by adding more complexity to it (for good, bad, or indifferent) and coming up with fancy words for those designs, but it still boils down to 'I route and switch some packets from Clients to Servers'
19:10 < tjt263> Why does some software require manual port forwarding at the router to traverse NAT, while others just work ?
19:10 < djph> Universal Plug and Pray
19:10 < djph> also, it's evil
19:11 < djph> also, also, it depends on whether the program is listening for *unsolicited* connections (such as a webserver does)
19:12 < djph> UncleDrax: wait, firewall before the router?
19:12 < djph> err, nevermind, I'm thinking backwards.
19:12 < UncleDrax> djph: some ppl do that, sure.. i sorta just hand-waved it as some enterprisey thing
19:12 < UncleDrax> i don't speak 'Enterprise'.. it makes no sense to me half the time
19:13 < djph> UncleDrax: yeah, I've done (hardware) firewalls after ... but now that I think about it, all the rules are written "sourced from this network, and then being sent into the router"
19:16 < tjt263> Why is it evil
19:19 < djph> tjt263: UPnP? because it's a simple protocol - request: "hey please forward port 12345 to IP 192.168.1.100" // router: "SURE THING!"
19:20 < c|oner> I always turned uPNP on in the days where I used torrents and xbox
19:20 < UncleDrax> and many routers that implement it do so poorly, or people put UPnP speaking devices on raw internet and they become abused.
19:20 < tjt263> So, it's doing what it's told, why is that evil
19:21 < djph> tjt263: "hi, this is $dirty-backdoor-trojan; please open port 12345 to my host IP"
19:21 < UncleDrax> SURE THING
19:21 < djph> there is *no* authentication that it's something that the user wants / is aware of
19:21 < UncleDrax> and many home-scale devices have zero auditing on it
19:22 < tjt263> so, where does that request come from
19:22 < djph> UncleDrax: hell, next version will probably be ---> router: SURE THING! OH, and here's 45678 and 9876 as well, since my database says programs opening 12345 use those two a lot as well!"
19:22 < UncleDrax> could be anything that generates a properly formatted request.
19:22 < UncleDrax> ha.. probably.
19:22 < tjt263> The software, right?
19:23 < djph> tjt263: "the software" being anything on any computer / tablet / phone sending a properly formatted request.
19:23 < UncleDrax> djph: you forgot 'refrigerator','thermostate','IP-Camera DVR'.. etc..etc..
19:24 < UncleDrax> *thermostat
19:24 < UncleDrax> .. IP door bell.. IP door lock..
19:24 < djph> UncleDrax: true, I keep forgetting most people don't fill the ethernet jack on their fridge with epoxy.
19:24 < djph> IP vibrator ...
19:24 < UncleDrax> ... ethernet jack on a fridge? do they actually have those?
19:24 < UncleDrax> i figure they would all be wifi
19:24 < djph> I got the first revision.
19:25 < UncleDrax> sounds more secure
19:25 < djph> (i.e. had to make it myself with naught but thinnet and an 80x24 screen)
19:26 < djph> only real downside is we only had red-lenses for the cameras, so every time I try telling it to open, "I'm sorry Dave, I'm afraid I can't do that"
19:26 < djph> ... my name's not even dave! :(
19:26 < UncleDrax> heh
19:26 < tjt263> So, you're saying, instead of setting up port forwarding specifically for SSH or VNC or RDP or whatever else, that normally requires that kind of manual port forwarding fuckaround, i could just send a HTTP request to the router's UPNP port and it'll just forward it to any local ip address i tell it to?
19:27 < djph> no, it's not HTTP
19:27 < djph> but yeah, you could conceivably do that.
19:28 < acos> We on that IOT talk?
19:28 < tjt263> Cool. that's actually what i want to do
19:29 < djph> acos: nah, we're up to taking bets on time-to-compromise for tjt263's network.
19:30 < tjt263> I don't really see the problem with that. it seems more useful than anything.
19:30 < djph> until you stop willfully ignoring "there is no validation in it whatsoever"
19:31 < acos> My money on -50 sec. Bet the NSA already 3 layers deep inside.
19:31 < winsoff> Alright, total noob question
19:31 < tjt263> So, why is that a problem?
19:32 < djph> you don't wanna set up a port forward for port 80, fine, whatever. But by setting up upnp, that little trojan you accidentally caught ALSO can poke holes in your firewalls ... with no knowledge on your part.
19:32 < winsoff> Can I just say my ip address is x.y.z.q (ipv4) and have the router still properly route to me?
19:32 < winsoff> Or is this what subnets are for?
19:32 < winsoff> djph, isn't upnp ubiquitous now
19:32 < djph> winsoff: provided the router knows how to get from "where it is" to "where you are"
19:32 < djph> winsoff: sure, but thankfully it's opt-in
19:32 <+pppingme> winsoff netmasks give your ip context, the ability to mathematically determine what's on your network and what isn't
19:33 < djph> (well, at least on the kit I use. Maybe consumer kit is the other way around)
19:34 < djph> winsoff: ^ what pppingme said. brainfarted on you not providing a netmask
19:35 < winsoff> pppingme, so I can't do some layer-3 attack where I come onto the network and say I'm [insert google's ip address], and then have the router say "YOU SURE ARE," and have everyone on the local network route to me instead of google.
19:35 < djph> no
19:36 <+pppingme> from a pure ip perspective, you could add a 2nd ip (and thus 2nd subnet) to your router that happens to be google's range (assuming for simplicity a single ip range/subnet)
19:37 < tjt263> well it's more for the benefit of others; my friend wants help with something but he's clueless about computers. So, i could just write a quick script to let my ssh client reach his ssh server, even though there is a NAT router in between. The SSH server is responsible for its own security
19:39 < tjt263> After all the purpose of NAT isn't to be a firewall anyway, is it? So, i'd say if that's a problem for you, you should use a dedicated firewall. Right?
19:40 < SporkWitch> tjt263: if you need to reach multiple hosts running the same service behind NAT masquerade you would need to run the services on different ports and set up forwarding. Alternatively, if you need to reach arbitrary hosts, you'd want to look into a VPN.
19:40 < UncleDrax> tjt263: UPnP issues are not so much for packets in flight, it's 'Are you authorized to make this request?'
19:40 < SporkWitch> tjt263: no, NAT is not security, though it does provide obfuscation.
19:41 < djph> tjt263: that's a perfect case for a reverse-ssh tunnel, not upnp.
19:41 < SporkWitch> tjt263: using a VPN, you connect to it from outside the network, and have it relay traffic destined for that LAN subnet over the VPN
19:42 < djph> ^ or a VPN too
19:43 < tjt263> djph: yeah, but instead of a reverse shell.. with upnp, it could just bind directly, couldn't it?
19:44 < cthu|> at work, we got this lengthy expensive OWASP training. First I thought it's gonna be lame like the one we had before about phishing, spam and other obvious crap
19:44 < cthu|> but this gorgeous training begins from explaining what OSI is and how OWASP attacks map on it
19:44 < cthu|> beautiful!
19:44 < tjt263> owasp is good
19:45 < cthu|> I wish every piece of crap in computer science would map themselves on OSI. I have to do it myself most of the times when learning new stuff
19:45 < djph> tjt263: so you're advocating setting up your *NOT COMPUTER PEOPLE* friends with a service that'll blindly set up any port forwards it's asked for
19:45 < tjt263> Not sure what you mean cthu|
19:45 < ash_work> what's a controller node?
19:46 < cthu|> like when I learn, say, websockets. I want to know when I interact with 4, 5, 6 and 7
19:46 < cthu|> it improves the understanding and simplifies debugging significantly
19:47 < tjt263> djph: i wouldn't say i'm advocating it. I'm undecided. That's why i'm asking questions about it. But it seems useful to me.
19:48 < tjt263> and it seems relatively simple, which is nice
19:50 < djph> tjt263: again, it's stupid as fuck. You're opening the doors for a whole host of other problems.
19:50 < djph> Use a VPN, or a script that sets up a reverse-ssh tunnel, rather than upnp
19:50 < djph> *especially* since these people are "not computer people"
19:51 < tjt263> okay ladies and gentlemen, trying to understand something better before forming an opinion.. stupid as fuck
19:51 < tjt263> Now that's out of the way
19:52 < djph> tjt263: you're continually ignoring that UPnP is a blind "you got it boss!" setting.
19:52 < tjt263> Sometimes i want that shit
19:52 < djph> If you turn it on, *any* and *every* request, from anywhere on your LAN, WILL be honored.
19:54 < djph> yes, it is "easy" since you don't have to open ports explicitly. But do you really want random ports being opened without your knowledge?
19:54 < SporkWitch> tjt263: UPnP is one thing for outbound; don't ever do it for inbound
19:56 <+pppingme> SporkWitch problem is, a lot of users don't understand the difference, "I just want my {fill in the blank} to work"
19:56 < SporkWitch> pppingme: which is what we've been explaining to him
19:58 < tjt263> sometimes people just want shit to work. Not everyone has an education in computer science. i didn't invent upnp. i don't manufacture network hardware. I'm not responsible for it being there. but i'm more interested in understanding how things work and how they can be made useful
19:59 < SporkWitch> tjt263: which is why we're explaining why it's a terrible solution and offering better alternatives
20:00 < SporkWitch> tjt263: the VPN would be the easiest, especially if the router supports hosting a VPN server directly (asus is really nice about this, since they offer a free DDNS service with their routers that doesn't require regular "i'm still using it" emails, and they also have good VPN server options on the router itself)
20:01 < _AxS_> hey all ... i'm trying to figure out how to deal with ip addresses for i.e. VMs that migrate from one DC to another. At this point I'm not even sure what to search for though to learn... anyone here ever had to deal with such a thing?
20:01 < tjt263> It sounds like upnp is already prevalent
20:02 < tjt263> In typical home consumer routers
20:02 < acos> _AxS_: will you be re ipping?
20:02 < SporkWitch> tjt263: yes, for OUTBOUND. Home networks do not typically filter outbound traffic, and UPnP allows services inside NAT to set up temporary forwarding rules to ensure they can be reached from outside, without having to manually set up forwarding and static IPs. Allowing it for INBOUND is just dumb, as we've been trying to explain. It effectively eliminates your firewall.
20:03 < SporkWitch> tjt263: the _right_ way to achieve your goal is port forwarding if you need to access specific hosts, or a VPN if you need to access arbitrary hosts
20:03 < _AxS_> acos: you mean after migrating, switching the address to something on the new local network? right now yes, but i'm mainly interested in ways to not need to do that
20:04 < djph> SporkWitch: I've never seen UPNP for "outbound" connections ... (firewalls permissive and all)
20:05 < djph> SporkWitch: I mean, turning on UPNP on a test router, plugging a playstation into it, and letting $game configure itself pokes holes for inbound connections ...
20:05 < SporkWitch> djph: i've only ever seen UPnP for devices inside the NAT; possible i'm misunderstanding exactly how UPnP works
20:06 < SporkWitch> djph: yeah, that's what i mean; apologies if i articulated it poorly
20:06 < djph> SporkWitch: OHHH, you're thinking he's talking about listening to port 1900 WAN-side?
20:06 < tjt263> my question wasn't what's the best way to do xyz. Someone said upnp is evil. I asked why.
20:06 < SporkWitch> djph: yeah, it sounded like he wanted to let stuff outside request it open ports
20:06 < SporkWitch> tjt263: in which case, asked and answered
20:06 < djph> UPNP is evil because it allows *any* host on your LAN that sends a valid request to get ports forwarded to it.
20:07 < winsoff> pppingme, and for the local network, that would then be a way to receive traffic meant for outbound-to-google? that's super interesting to me
20:07 < _AxS_> ..and by 'host', any random software running on said host.
20:07 < tjt263> that doesn't sound evil to me.
20:07 < winsoff> djph, i think a lot of home gateways have it enabled by default, aka opt-out
20:07 < _AxS_> could be malware..
20:07 < _AxS_> could be whatever.
20:07 < djph> *anything* sending a properly formatted UPnP request gets permitted (barring something else already having asked for it)
20:07 < cthu|> so sometimes it helps to hold a ddos attack by just configuring a low-level local or even a hardware firewall, but what to do when the channel gets physically cluttered?
20:07 < djph> winsoff: thank god I got out of that kit
20:07 < cthu|> like with the, say, icmp flood
20:07 < djph> cthu|: get a bigger channel?
20:08 < cthu|> what if the channel is the biggest?
20:08 < cthu|> available
20:08 < cthu|> wouldn't my ISP be the next step?
20:08 < cthu|> wouldn't they be interested in removing that flood?
20:08 < cthu|> to the best of their ability that is
20:10 < _AxS_> i would be very surprised if ISPs didn't have rate limiters on icmp and other traffic already.. whether those limits are less than the max your channel can handle, i dunno
20:10 < cthu|> well ddosers can be intelligent
20:10 < cthu|> they can spam with different protocols
20:10 < djph> tjt263: ugh, fine ... if you don't like "evil"... it's too fucking stupid of a protocol to even consider the real possibility of a bad actor *ever* sending a valid request to it. It is such a fucking glaring omission for *2013* that everyone involved should have their ietf credentials revoked.
20:11 < tjt263> Right, so i can use that to help my buddy remotely, without having to explain how to forward a port, etc. it sounds like i can just take care of that from the other side of the world by just sending a upnp request. Right? I mean it sounds like that's what it's there for anyway. If i understand it
20:11 < cthu|> I think the best way to go is hide the real IP
20:11 < cthu|> from anyone
20:11 < cthu|> only expose CDNs
20:11 < shtrb> _AxS_ icmp and a list of speed test sites are set into a high priority list (get the best QoS)
20:11 < cthu|> let them take a hit
20:11 < _AxS_> tjt263: it would likely still be -easier- to tell him how to forward a port than to try and do it via upnp.
20:11 < djph> tjt263: NO, the UPNP daemon is on your *BUDDY'S LAN* and is ALWAYS going to open whatever port(s) any malware on his PC asks for
20:13 < tjt263> i thought upnp was a daemon living in the router, not his pc or laptop or whatever
20:13 < shtrb> tjt263, daemons exist everywhere
20:14 < _AxS_> tjt263: it is. default-disabled. so he'll have to go into the router to enable it. then he'll have to do something on his host to make the host tell the router to open the port and forward it to the host.
20:14 < djph> tjt263: it is. and it's just listening to port 1900 (LAN-side) for requests to set up whatever NAT / firewall rules are necessary.
20:14 < _AxS_> actually it may not be default-disabled.
20:14 < tjt263> i scan a lot of routers. I see a lot of upnp
20:15 < djph> There is *ZERO* authentication that a given host (or application on said host) should even be opening that port in the first place
20:15 < Psi-Jack> Open to the world? :(
20:15 < UncleDrax> UPnP is a protocol. so anything that can generate compliant traffic can 'speak' UPnP
20:15 < Psi-Jack> Heh, UPnProxy.
20:16 < djph> UncleDrax: or it's random traffic on UDP1900 that his "scanner(tm)" is calling UPnP
20:16 < Psi-Jack> Kinda glad, personally, that the EdgeRouter comes with a decently setup UPnP service, disabled by default, but configurable to allow specific rules.
20:17 < djph> Psi-Jack: one of the few implementations that isn't outright cancer (not that I use it in any case)
20:17 < Psi-Jack> Yep.
20:17 < tjt263> right, no authentication. I understand that.
20:17 < Psi-Jack> I use it, but on my segmented network.
20:17 < UncleDrax> I for one throw away every UDP/1900 pkt that comes across my customer edge
20:18 < _AxS_> tjt263: so what's the end goal, out of curiosity?
20:19 < tjt263> The end goal of what exactly
20:19 < tjt263> Upnp?
20:19 < _AxS_> tjt263: doing this port-forwarding thing you're enquiring on upnp about
20:22 < _AxS_> tjt263: you seem to be thinking of upnp as a tool you can use to do something.. just wondering what that something is
20:24 < tjt263> well, it sounded like the goal is to forward ports automatically, in a NAT situation. But now i'm not sure
20:25 < djph> tjt263: that's exactly what it does, with *zero* authentication that the request is "safe" to do.
20:25 < _AxS_> tjt263: your goal. not upnp's goal.
20:25 < UncleDrax> it does that. but you should not rely on it, and it's not secure so you should avoid using it. much akin to 'I can use a 1968 Ford Pickup truck as a hammer' and it will work, even if it's ill advised to do so.
20:26 < djph> tjt263: that is, UPnP will just as readily "automatically" forward ports 80 and 443 to a webserver, as it will forward any other random port that any other random malware asks for.
20:26 < tjt263> I asked why some network applications just work. but others require manual port forwarding. Someone said upnp.
20:26 < UncleDrax> well also some other applications just handle NAT better
20:26 < djph> UPnP is *one* reason that they may 'just work'. Others are that they connect to a central Command and Control server (e.g. Teamviewer) ...
20:26 < _AxS_> tjt263: ah. well, that's one reason. another is because they 'dial out' to a central service and so they don't need port-forwarding to bypass NAT
20:26 < UncleDrax> because they are setup different, or have their own NAT-punchthrough system in place
20:30 < tjt263> Well that's how computers work. Right? They follow instructions. If it didn't do what it was told, it would be useless. convenience and security is a balancing act
20:30 < E1ephant> oh boy
20:34 < SporkWitch> have you USED windows? it fails to follow instructions all the time :P
20:34 < mast> These meatballs are shit
20:35 < mast> Unless its one instruction is: be an unusable piece of garbage
20:37 < djph> tjt263: and we're telling you that given the current design, the negatives associated with UPnP far outweigh any convenience factor that it may have.
20:37 < djph> mast: no no, its one instruction is "infuriate the operator as much as possible"
20:38 < E1ephant> a good carpenter doesn't blame his tools?
20:38 < E1ephant> windows is fine :P
20:38 < shtrb> HCF is the best one
20:39 < SporkWitch> E1ephant: that implies the carpenter isn't being forced by his boss to use a shoe to hammer in his nails
20:39 < _AxS_> E1ephant: wha? of course they do -- the hammer is what caused the broken thumb, the dull blade is what caused the melamine to tear ...
20:39 < djph> E1ephant: I doubt even a good carpenter would want to use a hammer to drive a screw
20:39 < E1ephant> anyone using NUCs for openstack?
20:39 < _AxS_> E1ephant: no, but am intrigued..
20:39 < E1ephant> hehe
20:39 < E1ephant> but COUNTER-STRIKE
20:39 < mast> Well I'm a mediocre carpenter and piss on that tool
20:39 < tjt263> For the record my foremost focus is generally security. and it's become apparent to me that people have gone security insane. It's getting to the point where it's become so fcking inconvenient to access your own shit. When you leave the house do you activate a perimeter alarm, open an attack dog patrolled acid moat, with galvanized sharks swimming in it, with fricking laser beams attached to their foreheads, and sentry
20:39 < tjt263> towers manned by armed guards in hazmat suits..... if i'm concerned about security, i close the windows and lock the door.
20:40 < mast> :P
20:40 < mast> I'd be using my mac if a capacitor hadn't blown on it
20:40 < E1ephant> tjt263: I don't see so much focus on physical security
20:40 < E1ephant> more software and virtual security
20:40 < djph> tjt263: yeah, but the difference is you (probably) live in a relatively "safe(tm)" neighborhood, right?
20:41 < tjt263> Speaking of sentry towers. I used to play age of empires. And that's what i always think about when it comes to port forwarding.
20:41 < _AxS_> tjt263: the problem though is that with technology it's -so freaking easy- to have doors not only unlocked, but left wide-open, that you don't even realize are there
20:41 < tjt263> Actually it's pretty bad
20:41 < tjt263> Around here
20:41 < E1ephant> I want a bunch of actual ssd compute nodes, but quiet, and not workstation sized
20:41 < tjt263> Well, it's not good
20:42 < E1ephant> let us play aoe2
20:42 < tjt263> _AxS_: that's right, i agree
20:42 < djph> tjt263: so, would you say that leaving your doors wide open is a bad idea?
20:43 < _AxS_> djph: tjt263: or in the case of upnp, having doors closed but giving everyone in a 100 mile radius the keys.
20:43 < djph> _AxS_: I was gonna say "giving your dog a big red button that unlocked the doors for anyone who walks by"
20:43 < _AxS_> djph: heh yep that works too
20:45 < sanzspark> Hi everyone. I need a simple cost effective (even 4 port) switch that can limit upload and download speed per port. Looking to share internet with neighbors and everyone has their own router/firewall. ISP gives us a /27 subnet
20:45 < sanzspark> what do you recommend
20:45 < Dalton> a 4 port switch
20:46 < djph> sanzspark: tell your cheapass neighbors to buy their own internet.
20:46 < _AxS_> a switch that will rate-limit each port... not likely. a quad-nic in a server running pfSense would do it though
20:47 < sanzspark> djph: lol we cant
20:47 < sanzspark> its a lease thing
20:47 < _AxS_> s/switch/cheap 4-port switch/
20:47 < shtrb> sanzspark, LEDE ?
20:47 < tjt263> djph: well, i wouldn't say it's a good idea. 9 times out of 10 i don't even lock the door. but that's more of a personal thing
20:47 < djph> then be 200% sure that your ISP will allow it.
20:47 < sanzspark> _AxS_: pfsense cant
20:47 < sanzspark> already checked
20:47 < shtrb> sanzspark, tc
20:47 < djph> else, you're gonna be the one up shit creek when they come for "theft of services"
20:47 < _AxS_> sanzspark: ? sure it can. its a pain in the ass but it can...
20:47 < Dalton> buy a decent Edge Router and route each IP to a neighbour
20:48 < sanzspark> we have pfsense and mikrotik but none provide an elegant solution
20:48 < sanzspark> _AxS_: it cant share the IPs
20:48 < sanzspark> a switch has no management or NAT headache
20:49 < sanzspark> shtrb: what is LEDE and tc?
20:49 < djph> tjt263: upnp is giving the dog a button that'll open the doors for anyone. explicit port forwarding, while it leaves the door open, at least has conditions on it (e.g. "must be to port 80") -- with a further presumption that you've taken the steps to secure the server running on port80 against getting hacked...
20:49 < shtrb> LEDE or openwrt are open source firmwares, tc is the tool to limit speed you can use for that
20:50 < djph> suppose it's an equivalent to an invite to have people over -- "come on in, we'll be in the back yard, so won't hear you knock"
20:50 * SporkWitch has been toying with the idea of setting up port knocking for shits and giggles
20:50 < E1ephant> so yeah you don't want to do this on a switch
20:50 < shtrb> but your switch/router should have at least 32 mb
20:50 < E1ephant> that will be expensive
20:50 < E1ephant> do this on your router
20:50 < E1ephant> software is cheap
20:50 < djph> SporkWitch: I did it once, apparently hitting ports 1,2,3,4,5 is trivial
20:51 < tjt263> djph: okay, that sounds about right
20:51 < sanzspark> E1ephant: why not?
technical reason plz
20:51 < shtrb> snatcher, but you can even use a pi if you have one just sitting in your storage room
20:51 < _AxS_> sanzspark: ok lets roll back here a bit -- you want to "share" what for ips? you mean have a single ipv4 subnet?
20:51 < E1ephant> sanzspark: software is cheap, hardware is expensive.
20:52 < sanzspark> it's a /27 ISP gives us
20:52 < E1ephant> also, your bottleneck for contention is on the router
20:52 < shtrb> electricbear, a pi cost $35
20:52 < sanzspark> we have 3 different networks
20:52 < tjt263> djph: so it sounds like my ssh example is plausible
20:52 < E1ephant> the LAN isn't a source of contention I would guess?
20:52 < djph> tjt263: note that the "backyard party" is equivalent to explicit port forwards
20:52 < sanzspark> _AxS_: ^^^
20:52 < SporkWitch> djph: i mean, yeah, it's just a pseudo-passphrase sent in the clear, but still, something fun to play with
20:52 < djph> and NOT UPNP (UPnP is still giving the dog an "open doors!!!" button)
20:52 < sanzspark> and each neighbor wants direct access to ISP to obtain their own public ip out of the /27
20:53 < SporkWitch> sanzspark: it's your connection, they're the ones begging
20:53 < Terminus> sanzspark: if you've got mikrotiks but you're having NAT headaches, i don't think there's a simple bandwidth limiting solution that you can easily configure.
20:53 < sanzspark> we want to limit bandwidth at switch level
20:53 < tjt263> djph: oh
20:53 < sanzspark> Terminus: yeah, mikrotik ppl suggested get a "smart" switch would be better
20:53 < djph> SporkWitch: yeah, I did it to like a rpi running an ssh server (and firewalled to hell in terms of getting to any other part of my LAN)
20:54 < sanzspark> Terminus: ^^
20:54 < tjt263> But still
20:54 < _AxS_> sanzspark: ah,ok. so, if this were done in pfsense, you make limiters on each LAN port (and likely WAN port too) and then bridge them.
20:54 < Terminus> sanzspark: i was gonna say either https://mikrotik.com/product/RB260GS.
the cheapest ubnt is $199.
20:54 < sanzspark> SporkWitch: yes, it is but we don't want to for example fix their IPSEC / NAT issues so we want them to obtain IP from ISP directly
20:54 < sanzspark> Terminus: ubnt?
20:54 < Terminus> sanzspark: well of course if you want a switch you buy a switch.
20:55 < sanzspark> _AxS_: but passing public IP on pfSense downstream is not easy
20:55 < djph> tjt263: look, in the time we've spent continually telling you that UPnP is bad, the port-forward on your end, and reverse-ssh tunneling script could've been done
20:55 < E1ephant> if they are getting different ISP service, why doesn't the ISP do three demarcs?
20:55 < marktiell0> What could be the problem between this request https://i.imgur.com/gcC8Spc.jpg (success) and this other one https://i.imgur.com/HLq0sVo.png (failure)? Why RST without even FIN?
20:55 < _AxS_> sanzspark: you need to set it up s.t. there's no WAN (or no LAN, depending on how you want to look at it).
20:55 < Terminus> sanzspark: ubnt switch https://store.ubnt.com/collections/routing-switching/products/edgeswitch-8-150w
20:55 < sanzspark> so I am wondering if you guys know of any switches that can limit upload / download and is the cheapest simplest dumbest thing?
20:56 < sanzspark> i guess it won't be dumb and should be managed switch
20:56 < tjt263> So what's the threat? That someone else uses upnp to inject malicious traffic to a port that's bound to nothing?
20:56 < djph> E1ephant: apparently sanzspark is the "owner" of a /27 from the ISP, he also has three cheapass neighbors who want to use his connection
20:56 < _AxS_> sanzspark: you're getting pricey to get a managed switch that does rate limiting on ports, afaik...
20:56 < ||cw> sanzspark: ubnt edgeswitches should be able to do it, but it's not simple or dumb. it's actually quite a complex thing.
there is no such thing as simple rate limiting
20:56 < djph> tjt263: no, that malware you (or your friends, whoever) pick up opens a port without you even knowing about it.
20:57 < E1ephant> confused as to how you still wouldn't just term them all to /31s or whatever
20:57 < sanzspark> Terminus: have you worked with ubnt switches before? can they truly limit download and upload?
20:57 < Terminus> sanzspark: if you have a /27, you shouldn't even be doing NAT so i don't know why you're having NAT problems.
20:57 < shtrb> djph, sharing is caring (and reducing cost while getting a good service is a very good thing )
20:57 < Terminus> sanzspark: dunno. it's been years and i used their APs.
20:57 < djph> E1ephant: honestly, I'd just 1:1 NAT the cheapasses and have at it
20:57 < E1ephant> there will be no contention or congestion to police on at the switch, why police there?
20:57 < djph> shtrb: sharing is also against the TOS (here) ;)
20:57 < E1ephant> sounds reasonable too
20:57 < E1ephant> (1:1 NAT)
20:57 < sanzspark> Terminus: focus please - I said I don't want to do NAT. That was in regards to pfSense.
20:58 < shtrb> djph, wtf ? you can't share your ISP account between clients ?
20:58 < ||cw> you don't have to do nat with pfsense
20:58 < _AxS_> shtrb: depends on the TOS of the ISP
20:58 < shtrb> any router shares traffic between clients (laptop)
20:58 < djph> shtrb: not between me and my three closest neighbors I can't
20:58 < shtrb> wow
20:58 < sanzspark> ||cw: all the good things in life have something bad in them :) so how hard is it to setup ubnt with rate limit?
20:58 < sanzspark> what is hard?
20:58 < djph> shtrb: do try to keep up.
20:58 < SporkWitch> shtrb: it's not uncommon. some nastier ones will go farther and say you can't even let someone in the same house use it, but it's not unusual to say you can't share with people outside the home
20:58 < Terminus> sanzspark: lulz.
also, did you not say "a switch has no management or NAT headache" which indicates to me that your problem is simply configuration.
20:59 < shtrb> djph, I'm aware he wishes to share his account, I'm surprised it's against TOS
20:59 < ||cw> sanzspark: you have to define QoS classes, then setup the diffserv with in and out rules, and there are limitations
20:59 < shtrb> SporkWitch, nice to know
20:59 < sanzspark> ||cw: pfsense can NOT do it; it was already talked about in the channel; they have an issue with public IP passing downstream
20:59 < djph> shtrb: where do you live where your ISP doesn't care if you re-transmit your connection to every house on your block?
20:59 < sanzspark> Terminus: yes, a switch doesn't - pfSense does
20:59 < sanzspark> Mikrotik does
20:59 < SporkWitch> shtrb: and pretty much all ISPs in the US say you can't host servers (though not all _actually_ care; my fibre ISP says not to run servers, yet they'll sell me a 1G/100M pipe with a static IP; they know exactly what that's for lol
20:59 < sanzspark> that's what I meant so I want to stay away from those for this project
20:59 < _AxS_> sanzspark: could you elaborate on that issue? doesn't that just depend on how you set up the topology in pfsense?
21:00 < Terminus> just install openbsd. i know it can handle it just fine because i've done it with openbsd before.
21:00 < djph> SporkWitch: mine says "don't do anything bad, other than that, have at it"
21:00 < ||cw> sanzspark: idk why you're even bothering.
unless someone is trying to torrent with some insane number of connections the bandwidth will already split nicely
21:00 < _AxS_> (which is what pfsense is -- openbsd , or well freebsd)
21:00 < detha> shtrb: here, I have never seen an ISP without the 'cannot resell' in their T&C
21:00 < shtrb> djph, I'm having really shitty service from my ISP , but sharing the access was never an issue (had them block everything and demand a CA installation , had speed and transparent proxy ) but that never
21:00 < sanzspark> _AxS_: I was told pfSense can NOT pass public IP to client and do traffic shaping as well
21:00 < shtrb> detha, he is not reselling (according to him) he is sharing
21:01 < _AxS_> sanzspark: do you want traffic shaping or rate limiting?
21:01 < _AxS_> sanzspark: two different things, those
21:01 < detha> shtrb: unless he is sharing without any compensation, it falls under the 'resell' banner
21:01 < sanzspark> ||cw: I have to bother with bandwidth; there are phones on this network and ppl are paying for their share which is not equal
21:01 < sanzspark> it's a fiber and 1000mbps and someone has 50mbps
21:01 < ||cw> so set QoS for SIP traffic
21:02 < sanzspark> _AxS_: it is not doable on pfSense - if you know a way suggest it plz
21:02 < ||cw> oh, so you set up artificial agreements before checking if it's even possible?
21:02 < shtrb> detha, I thought reselling is only if he takes money (not even getting laid for internet access)
21:02 < djph> detha: hell, if not 'resell', it probably falls under the "your residential service is for the property listed in the contract, and only that property' banner
21:02 < sanzspark> shtrb: sharing :)
21:02 < _AxS_> sanzspark: i did. set up limiters on each port, then bridge the limiters together.
21:03 < djph> for example, from Charter / TWC / Spectrum --> Use. The Service is designed for personal and family use (residential use only) within a single household.
21:03 < sanzspark> _AxS_: now pass public IPs to clients
21:03 < detha> djph: funnily enough, not all contracts here have that language. However, they all have the 'can not be resold for money or other forms of compensation'
21:03 < sanzspark> and make IPSEC work without doing anything on pfSense
21:04 < _AxS_> sanzspark: if you don't make pfsense NAT or otherwise have the firewall in the way, it'll all 'just work'.
21:04 < sanzspark> the neighbor wants full control of their IP obtained from ISP - can't bother us with changes
21:04 < djph> [...] Subscriber will not resell or redistribute, or enable others to resell or redistribute, access to the Service in any manner, including, but not limited to, through the use of wireless technology. [...]
21:04 < E1ephant> djph: they sell commercial ethernet and DIA products too
21:04 < tjt263> djph: you think upnp is bad. I get it. You don't have to keep reiterating that. I'm not telling you to use it. i want to increase my objective understanding of the protocol. If you have an opinion or advice, great. Tell me once. I won't forget.
21:04 < sanzspark> _AxS_: don't make pfsense NAT? what do you mean? pfSense has a NAT feature; how can u remove it
21:04 < E1ephant> :)
21:04 < shtrb> djph, that means no guest wifi clients
21:04 < _AxS_> sanzspark: you disable it.
21:04 < E1ephant> sanzspark: turn it off?
21:05 < sanzspark> disable it?
21:05 < _AxS_> sanzspark: just because by default its set to NAT from "WAN" to "LAN" doesn't mean you need to.
21:05 < sanzspark> there is a button? lol
21:05 < _AxS_> sanzspark: yes. general setup i think.
21:05 < _AxS_> if not, Firewall->NAT
21:05 < sanzspark> i didn't know that
21:05 < shtrb> djph, you can't even use an AP for your car to connect
21:06 < ||cw> sanzspark: might also look into the ERPoe-5, it's about $160
21:06 < sanzspark> "Disable Firewall Disable all packet filtering. Note: This converts pfSense into a routing only platform! Note: This will also turn off NAT!
To only disable NAT, and not firewall rules, visit the Outbound NAT page."
21:06 < djph> The Service is provided for your use only (unless otherwise specifically stated) and you agree not to, whether for a fee or without charge, reproduce, duplicate [...] For example, you agree that the Service is not to be used to trunk or facilitate public internet access ("Hotspots") or any other public use of the Service
21:06 < _AxS_> sanzspark: right. exactly what you want to do -- make it routing-only.
21:06 < djph> ^ from AT&T
21:06 < sanzspark> ||cw: that is a managed switch?
21:07 < ||cw> it's a router
21:07 < sanzspark> ubiquiti - k - but you said very hard to configure which means probably things are not working?
21:07 < djph> shtrb: yes I can. the car is a device owned by me, on my property, and connected to my network.
21:07 < sanzspark> have you ever used it in scenario i described? or similar
21:07 * _AxS_ should get one of those ERPoe-5's though, they look nice...
21:07 < ||cw> IDK if it has the QoS features you want, but ubnt's support and forums can tell you
21:07 < djph> sanzspark: ||cw ER-5 is entirely the wrong device.
21:08 < sanzspark> ||cw: not looking for QoS but rather simple download and upload limit but I guess it's the same
21:08 < ||cw> sanzspark: that's QoS
21:08 < sanzspark> would this have to be like a Queue thing?
21:08 < _AxS_> sanzspark: QoS is easier to set.
21:08 < ||cw> qos is a lot of things, that's one of them
21:08 < sanzspark> _AxS_: ok, once router is in that mode then it doesn't obtain any of the /27 from ISP?
21:08 < sanzspark> I mean pfsense
21:10 < _AxS_> sanzspark: router-only means it doesn't do NAT. then you either route between interfaces (which is doable by assigning each IP to its own /31 subnet on each lan port), or you bridge the interfaces together and traffic just flows. I'd recommend routing, personally.
21:10 < _AxS_> You/they will need NAT though unless there's actually just one device on their networks.
21:12 < sanzspark> _AxS_: I mean how would the setup be in general?
21:12 < sanzspark> ISP > pfSense (acting as a switch) > Router A (obtains first IP in /27)
21:12 < sanzspark> ISP > pfSense (acting as a switch) > Router B (obtains second IP in /27)
21:12 < sanzspark> ISP > pfSense (acting as a switch) > Router C (obtains third IP in /27)
21:12 < sanzspark> like that? ^
21:12 < sanzspark> or would pfSense also obtain one of /27 IPs?
21:13 < djph> _AxS_: they're pretty meh, TBH. It's just an ERL and a 4-port (3-usable) switch crammed into a slightly larger case than the ERL
21:13 < _AxS_> djph: oh..
21:13 < ||cw> generally when you get a block of IPs, you put the first one on your router (pfsense) and the other devices use that IP as their gateway
21:13 < djph> if you want 5 ports, with (24v, passive) PoE on your router, get an ER-X-SFP
21:14 < djph> or if you only need one PoE output, the ER-X
21:14 < _AxS_> djph: thx!
21:14 < _AxS_> sanzspark: what ||cw said
21:15 < _AxS_> sanzspark: pfsense isn't acting as a switch though, its acting as a router.
21:15 < djph> or, if you need more than 3 routed ports, the ER-4 or ER-6 (new-this-year models), or the ER-8 / ER-8-PRO (older, but still great), or if you need 10g, the ER-Infinity (IIRC ER-8-XG is the real model number but, meh)
21:15 < _AxS_> sanzspark: and i expect Router in your text above is actually "Gateway/NAT/Firewall" ?
21:16 < sanzspark> ||cw: using pfsense router as gateway means when they browse Google, then Google sees pfSense IP?
21:16 < _AxS_> sigh.. 10G.. that'll be nice..
21:16 < _AxS_> sanzspark: no thats just with NAT. you're not doing NAT so no.
21:16 < djph> NOTE that ERL, ER4/6/8, ER-PRO, ER-Infinity are all *routers*, and do not do any switching at all. The ER-5 is a weird hybrid.
The ER-x / ER-X-SFP are different CPUs (IIRC, Mediatek), and can be configured to be 100% switch, or 100% router, or anything in between (although they give up backplane speed for this flexibility)
21:17 < sanzspark> because if Google sees pfSense router IP then there goes IPSEC down the toilet
21:17 < sanzspark> and neighbor will call me everyday to do crap for them
21:17 < sanzspark> you know what i mean right
21:17 < _AxS_> sanzspark: the pfsense box is just one more point in the tracepath, its not the final destination.
21:17 < sanzspark> so should I setup the rest IPs as virtual IPs and distribute to each LAN port?
21:18 < sanzspark> _AxS_: as long as IPSEC works without my intervention and it works on all IPs
21:18 < sanzspark> so if customer wants to open a port 80 i don't want to get involved; do whatever you want
21:18 < sanzspark> it's ok if pfsense is in the tracepath...
21:18 < _AxS_> sanzspark: sec i gotta look at documentation.. but no, you tell them what their IP is and they configure it. or you set up DHCP to do it for you.
21:18 < ash_work> when you see a diagram with two lines coming out of one interface (amongst many) what does that say to you?
21:19 < ash_work> that there is a virtual interface using said port?
21:19 < sanzspark> _AxS_: I'd rather not setup DHCP either if possible
21:19 < _AxS_> sanzspark: then the client needs to set their WAN ip up static
21:19 < sanzspark> but if i am forced and that's the only thing I don't mind
21:19 < ||cw> sanzspark: no, it's routed just like all the other routers on the internet
21:19 < SporkWitch> ash_work: link the diagram
21:20 < ash_work> https://goo.gl/images/zhnTck
21:20 < sanzspark> ||cw: sorry, what was the "no" for
21:20 < _AxS_> sanzspark: ok, so the only thing i need to confirm is the subnets. been too long since ive done that part...
21:20 < sanzspark> means pfsense would be like as if it was one of my ISP's routers upstream?
21:20 < ||cw> right
21:20 < sanzspark> cool
21:20 < sanzspark> _AxS_: I will wait for you to confirm
21:21 < sanzspark> Also, you said I can rate limit per port using this method; just remember that is still a requirement
21:21 < SporkWitch> ash_work: probably a virtual interface; that's a poorly labeled diagram
21:21 < _AxS_> sanzspark: or someone else that does this day-to-day will just chime in and tell you
21:21 < djph> sanzspark: how is the /27 being handed to you? are you ONLY getting a /27, or is there a /30 for your router beforehand?
21:22 < djph> FURTHERMORE, is the ISP cool with you redistributing it ... because if not, they can get pretty nasty when they nail you (I've worked with WISPs - shutting off the service permanently / refusing to do further business with you is the *NICE* approach)
21:24 <+xand> ha, my ISP has an option for "I'm a communications provider" for when you want to share
21:25 < djph> xand: well, sure - and that's probably a business account / contract / relationship, innit?
21:25 < SporkWitch> "get going boys, DPI on everything and triple the price!"
21:25 < djph> xand: or can you do that on a residential link, hmm? :P
21:26 <+xand> djph: yes you can
21:26 <+xand> also a routed /28
21:26 < djph> xand: and no increase in price or anything else (e.g. "forced upgrade" from a "residential" to a "commercial" link)?
21:27 <+xand> nope
21:27 < djph> O_O
21:27 <+xand> it's just not very cheap to begin with, but then you can get support from the owner on IRC if you want
21:27 < E1ephant> is this sonic.net or something?
21:27 < djph> well, okay, that might change things
21:27 < E1ephant> smells like a sanfran ISP :)
21:27 <+xand> aaisp, it's a UK one
21:27 < E1ephant> oh smashing
21:28 < E1ephant> that is pretty flexible with openconnect eh?
21:30 < UncleDrax> that was exciting. broke DHCPd somehow for a bit.
21:30 <+xand> er
21:32 < sanzaspark> djph: it is only one /27 from isp
21:32 < sanzaspark> _AxS_: yeah, I hope it's possible because I have pfsense on site and can get another pfsense too; but pfsense ppl said not possible
21:33 < sanzaspark> _AxS_: I think even IP delegation is not easy
21:33 < _AxS_> sanzaspark: sorry phonecall; will be afk for another 10-20min
21:34 < E1ephant> the pfsense people, or some people in the pfsense IRC channel?
21:34 < E1ephant> how is it not easy
21:34 < felda> who dares speak of PFSENSE?!
21:34 < E1ephant> if the ISP is handling contention though, why do you need to worry about it?
21:37 < _AxS_> sanzaspark: how many ips are each of the three networks getting?
21:37 < Terminus> felda: LOL for the past 30 minutes, i've just been thinking that if i'm given the choice between pfsense and openbsd, i'll take openbsd.
21:38 < felda> pfsense is bae
21:38 < _AxS_> Terminus: isn't it all the same thing, pfsense is just a web-gui that sits on top?
21:38 < felda> pfsense runs on freebsd so no
21:38 < _AxS_> ah.
21:39 < Terminus> _AxS_: no. pfsense runs on freebsd. also, i find that that GUI just interferes with my configs.
21:39 < felda> it could eventually be ported to openbsd, but if they were to port they would most likely move to some sort of linux kernel
21:39 < Poster|n> freebsd/pfsense uses a port of OpenBSD's pf, though from what I understand it's a few revisions behind OpenBSD itself
21:39 < felda> Terminus is an old greyneckbeard that only uses VI to configure files
21:39 < Terminus> the implementations of pf in openbsd and freebsd have diverged already anyway.
21:40 < Terminus> felda: damned right! except for the old greyneckbeard. i'm neither old, grey, or have a neckbeard.
=P
21:40 < felda> pfsense is a fork of the old m0n0wall that used pf on freebsd
21:40 < felda> so instead of moving back to openbsd they just stuck on freebsd
21:40 < felda> for better or for worse ¯\_(ツ)_/¯
21:40 < Johnjay> wat's the difference between openbsd and freebsd?
21:40 * Johnjay gets confused with all these free- this and open- that names
21:41 < Johnjay> it's even worse when evil overlords name their front groups something like the Freedom For Good and High-IQ Things Foundation
21:41 < Terminus> Johnjay: openbsd focuses on security. freebsd is more of a general purpose OS. that's one difference.
21:42 < felda> that's the big one that I always see
21:42 < UncleDrax> This person probably spells it out better than I ever could: https://www.unixmen.com/freebsd-vs-openbsd/
21:42 < felda> the OpenBSD team makes a lot of great stuff from what I hear
21:43 < Terminus> there's also the part where you can configure a router with openbsd with their minimal install including BGP and OSPF. dunno if the freebsd minimal install can do that as well.
21:43 < Terminus> felda: sure. openssh is one of the great things they made.
21:43 < Johnjay> the heuristic i use is that Open- stuff is generally corporate backed
21:43 < Johnjay> and free- stuff is generally FSF backed
21:43 < felda> if you want minimal pfsense is not your firewall lol
21:43 < Terminus> Johnjay: not with openbsd it isn't.
21:43 < Johnjay> ok
21:44 <+xand> cue fight to the death between RMS and Theo
21:44 < Terminus> i only use openbsd for where i need strictly networking stuff. i'm not gonna run a highly loaded public facing http server on openbsd.
21:45 < Johnjay> even though it focuses on security?
21:45 < Terminus> whether said http server is part of "networking stuff" is subject to debate.
21:45 < Terminus> Johnjay: not when you need the performance and linux is good enough in that department.
21:46 < _AxS_> sanzaspark: ok. sort-of back. so what you want to do is split your /27 into three subnets.
how many ips do you want each network to have out of that /27 ?
21:47 < _AxS_> sanzaspark: you can make three /29's pretty easily for instance
21:47 < Terminus> freebsd i'll probably only ever use as the base for freenas. freebsd itself just takes too much work to maintain. i'll take my binary linux packages with all the features i could possibly need.
21:47 < UncleDrax> and many you will never need ;p
21:47 < UncleDrax> Gentoo4lyfe
21:48 < UncleDrax> .. sorry, couldn't resist. please ignore the previous 2 lines
21:48 < Terminus> lul gentoo. i spent a week compiling for gentoo back around 2003. not gonna do that again.
21:48 < _AxS_> UncleDrax: heh. yeah lets not go there in here :)
21:48 < winsoff> Terminus, probably wouldn't take a week this time.
21:48 < Terminus> UncleDrax: i actually tried with freebsd. enabling features just for samba was already a pain.
21:48 < E1ephant> USE flags rule
21:48 < E1ephant> debian drools
21:49 < Terminus> winsoff: yeah but i'm completely fine with debian and centos. *shrug*
21:50 < turtle> how was "enabling features" for samba on freebsd a pain?
21:50 < _AxS_> i'm rather curious about that one too -- isn't it a single build with everything enabled, same as it is more or less everywhere else?
21:53 < Terminus> turtle: too many knobs. ACLs, winbind, vfs, etc.
21:54 < Terminus> for a simple file sharing setup, the prebuilt samba package on freebsd is fine. for more complicated stuff, it gets to be a pain.
21:56 < turtle> so is it checking the dialog box that's too hard or which part exactly?
21:59 < UncleDrax> fortunately I haven't had to touch Samba in forever.. I always found it annoying just because
21:59 < UncleDrax> but that predated any UI to do it
22:00 < Terminus> turtle: that doesn't scale. to scale you need a build box and package stuff, etc. i don't want to do that work. i just want to apt install foo. base package doesn't have everything i need? it's modularized so apt install foo-bar.
22:02 < Terminus> don't get me wrong, i love some stuff on freebsd. i like their zfs work for example. it's just not my primary server OS.
22:03 < turtle> yeah, checking a box one time is pretty hard i agree. i can dig it.
22:03 < Terminus> *sigh*
22:03 < ||cw> it's not like samba is humongous, just install it all and enable what you need
22:05 < ||cw> and acl is just something samba can use, or not. modern filesystems have it enabled by default anyway
22:05 < Terminus> ||cw: that's only samba though. in any case, i'm done with this topic.
22:06 < sanzaspark> _AxS_: one IP per neighbor
22:07 < _AxS_> sanzaspark: that's it? ok even easier.
22:08 < sanzaspark> _AxS_: doesn't have to be split evenly; one IP per neighbor. Right now only two neighbors sharing (one is us, one is neighbor-A)
22:08 < sanzaspark> my bad - actually there is a neighbor-B as well
22:09 < sanzaspark> _AxS_: yes, that's it - one IP per neighbor
22:09 < cluelessperson> anyone know if google has a public ip api?
22:10 <+xand> a what api?
22:12 < _AxS_> sanzaspark: ok. so setting up /30 networks for each neighbor would work. lower IP is the neighbor's gateway (and is the ip address of the interface in pfsense), and upper IP is the static ip the neighbor uses
22:12 < turtle> ||cw: literally everything he listed is in the default samba package.
22:14 < _AxS_> sanzaspark: in the firewall config you'll want to specify default rules allowing everything, except you'll want to make sure to block access to pfSense itself except on your network
22:16 < _AxS_> sanzaspark: outside of that, follow the traffic-shaping/QoS guide.
22:17 < _AxS_> cluelessperson: what is it you're looking for exactly? a way to query via google what your public ip address is?
22:19 < sanzaspark> _AxS_: no need for outbound NAT setup?
22:19 < _AxS_> sanzaspark: correct
22:19 < sanzaspark> and how do I assign /30 ip?
22:19 < sanzaspark> dhcp server?
22:19 < sanzaspark> or virtual ip?
22:20 < _AxS_> sanzaspark: in your "Interfaces" setup. you have one interface for each network right?
22:21 < sanzaspark> _AxS_: correct
22:22 < cluelessperson> _AxS_: yes
22:22 < sanzaspark> it's an Alix3D - with 3 ports; would that work? or doesn't it have enough ports
22:22 < _AxS_> sanzaspark: ... three plus wan? or
22:23 < sanzaspark> _AxS_: nope
22:23 < _AxS_> sanzaspark: can you VLAN any of this?
22:23 < sanzaspark> hmmm...I can put a dumb switch on one of the ports of pfsense
22:23 < sanzaspark> and VLAN?
22:23 < sanzaspark> or I guess then the other side has to identify VLAN?
22:23 < E1ephant> lol
22:24 < _AxS_> sanzaspark: i think you need a separate network/port.. i've never done traffic shaping or limiting without it at least..
22:25 < _AxS_> sanzaspark: is there a managed switch anywhere?
22:25 < sanzaspark> _AxS_: let's assume I get another hardware....
22:25 < E1ephant> way overcomplicating this, for little to no gain.
22:25 < sanzaspark> no managed switch
22:25 < sanzaspark> i will get a 4 port or 5 port hardware
22:25 < sanzaspark> what is next
22:25 < sanzaspark> ?
22:26 < _AxS_> yeah... so that makes this harder.
22:26 < sanzaspark> _AxS_: say i have a 4 port, then what
22:27 < joro_> hi guys, is it possible connecting to Xorg server from another PC to my PC... is there any script for Xlib with TCP/IP integration or something like that ? im nub sorry
22:28 < _AxS_> joro_: Xorg has that built in but is likely disabled. iirc the x11 protocol isn't very secure
22:28 < E1ephant> you can forward X over ssh as well
22:29 < joro_> can i do so over telnet ?
22:29 < E1ephant> u wot m8
22:29 < E1ephant> please don't
22:29 < E1ephant> "Please clap."
22:30 < _AxS_> sanzaspark: write down the /30 network segments you'll slice off to your neighbors and configure them on each interface in the "interfaces" section.
22:30 < _AxS_> sanzaspark: and then go to the firewall rules, and make a rule that allows all traffic.
22:31 < _AxS_> sanzaspark: ..and then you're done. except for the traffic shaping, that you do by following their guide.
22:31 < _AxS_> sanzaspark: if you don't know how to determine network subnets, you'll want to do a bit of googling..
22:33 < sanzaspark> _AxS_: you mean I define the /30 IP on the interface?
22:34 < _AxS_> sanzaspark: yes.
22:34 < sanzaspark> so the neighbor would not pick up /30 on their own router?
22:34 < sanzaspark> the same /30 will be on pfsense interface and on neighbor router????
22:35 < _AxS_> sanzaspark: yes. a /30 has two usable IPs. pfsense gets one on its interface, the neighbor router gets the other. /30 subnet on each one. neighbor router gets your pfsense interface ip as its "default gateway":
22:35 < sanzaspark> ah i see
22:35 < ||cw> setting up all those /30's seems overkill for this.
22:36 < sanzaspark> ||cw: it's not being used otherwise anyways now
22:36 < sanzaspark> so it's not an overkill
22:36 < sanzaspark> setting useless anyways
22:36 < _AxS_> ||cw: it likely is.. but he wants a purely-routed solution so
22:36 < sanzaspark> _AxS_: and then I should traffic shape by port right?
22:36 < _AxS_> sanzaspark: by interface, yeah.
22:36 < sanzaspark> by *interface*
22:37 < sanzaspark> what would be the best scheduler type?
22:37 < _AxS_> sanzaspark: or any other way you want to do it. point being, you can do what you need now and you don't have NAT in the way for your neighbors to complain
22:37 < sanzaspark> so neighbor browsing google, then google sees their public ip and not the interface public ip - right?
22:37 < sanzaspark> *as the source*
22:38 < _AxS_> sanzaspark: the neighbor's router public ip is the ip shown, yes.
22:38 < sanzaspark> and if they want to do IPSEC they simply use their own router ip and it works without us interfering or opening any ports or protocols
22:39 < sanzaspark> also, the neighbor can open port 80 for themselves without asking us or any of the ~65k ports or even GRE or any other protocol
22:39 < _AxS_> sanzaspark: correct. THAT SAID, you do still have a firewall that controls access. so you need to add a rule to allow all traffic
22:39 < sanzaspark> _AxS_: I understand, that is just one rule for all outbound traffic and another rule to block to our interface and the other neighbor interface
22:40 < sanzaspark> _AxS_: even GRE and other protocols work?
22:40 < _AxS_> sanzaspark: anything that works on ipv4 (that you allow through the firewall) will work. if you allow all, then it'll all work
22:40 < acos> Having issues with pfsense in a vm lol. It's a mess.
22:40 < _AxS_> acos: make sure hardware offload is disabled
22:40 < acos> Can't stand how it blocks outside management on local ips
22:41 < acos> Can never reach web gui had to try and drop the firewall was crazy
22:41 < felda> ???
22:41 < felda> you mean WAN blocking RFC and BOGON networks?
22:41 < sanzaspark> _AxS_: how do I allow inbound?
22:41 < acos> It applies some default fields that yes that
22:41 < sanzaspark> I thought I only have to do outbound rules
22:41 < felda> you can turn that off in the WAN interface so you can access it from outside
22:41 < _AxS_> sanzaspark: you're still thinking NAT.
22:41 < sanzaspark> oh k yes
22:42 < sanzaspark> firewall tab only
22:42 < acos> Hmmm will have to try it again
22:42 < sanzaspark> _AxS_: so under firewall rules what rules must I make to cover EVERYTHING that IPV4 supports?
22:42 < _AxS_> sanzaspark: "Rules" blocks inbound on each interface. so make a default allow-all rule and you should be fine.
but add rules that block access to the pfsense GUI and such for any networks that shouldn't have it
22:43 < felda> acos are you attempting to access the pfsense webgui from inside pfsense's LAN or via its WAN interface?
22:45 < acos> Well both lol. Was trying to get experience with it as a vm in vmware workstation
22:46 < felda> you cannot access the WebGUI from the WAN using a local address because by default the WAN interface blocks local network addresses. You can enter Interfaces > WAN and uncheck that to help give access. Then in Firewall > Rules > WAN create a rule allowing your subnet access to pfsense
22:46 < _AxS_> acos: generally you don't want to allow access to it from WAN, ever, so it comes that way by default. gotta add rules if you do. 'pf -d' or whatever on the shell fixes that quick though so you can make changes.
22:47 < acos> Ah makes sense. Just trying to lab it. Not production use.
22:47 < acos> I hear it's got lots of nice features
22:48 < felda> it can be configured to do a lot yes
22:48 < acos> Dhcp pools and dns stuff mainly to test.
22:49 < acos> So I can test hardware devices that exhaust dhcp pools lol
22:50 <+pppingme> in a test environment, set dhcp leases very short
22:52 < acos> Will do thanks.
22:53 < acos> What was that linux os vyros that's switch?
22:54 < sanzaspark> _AxS_: when trying to add a firewall rule, I get asked for Protocol type and port range. Do I have to create many rules?
22:54 < sanzaspark> to cover everything*?
22:54 < _AxS_> sanzaspark: no you can choose "any" which lets you specify all of them
22:55 < sanzaspark> oops
22:55 < sanzaspark> right
22:55 < sanzaspark> k good so that is for inbound rules
22:55 < sanzaspark> that goes on WAN or on each interface port?
22:56 < sanzaspark> each interface I guess because each interface is WAN now
22:56 < sanzaspark> right ?
23:02 < _AxS_> sanzaspark: each interface, yes
23:18 < CrowX-> Can you recommend me a free backup software that works on both mac and windows?
It should support automated backups to a remote server.
23:18 < CrowX-> the remote server should be our private server
23:18 < CrowX-> so no cloud storage provided by the software is needed.
23:18 < sanzaspark> to a remote server, or like Google drive?
23:19 < sanzaspark> CrowX-: ^^
23:19 < djph> windows (crap) backup tool (e.g. over a VPN to a mapped samba share) ... rsync.
23:19 < E1ephant> in b4 nextcloud
23:19 < djph> rsync would be the best, but Windows is lacking.
23:20 < xamithan> bacula
23:20 < koala_man> is rsync bad on native Windows?
23:20 < cluelessperson> CrowX-: automated backups of what?
23:20 < djph> koala_man: it's not there more than "bad"
23:20 < CrowX-> sanzaspark, google drive would be nice addition, but not mandatory
23:20 < cluelessperson> koala_man: Windows doesn't support rsync that well but there are tools.
23:21 < djph> koala_man: the only "free" one I know of for win is its own tool :(
23:21 < koala_man> really, wow. I've been using it through cygwin but out of convenience rather than necessity
23:21 < djph> unless you start doing stuff like running cygwin (or maybe get lucky with WSL)
23:21 < xamithan> wsl still can't really open network sockets
23:22 < koala_man> does rsync even open sockets? I thought the default was just invoking system ssh
23:23 < xamithan> No idea, I fire up mobaxterm if I want to rsync on windows
23:24 < koala_man> CrowX-: the server isn't windows or mac though, right?
23:24 < xamithan> A lot of people use powershell|batch scripts and WinSCP
23:24 < xamithan> I'd still use bacula for free over those solutions
23:24 < CrowX-> koala_man, most likely linux, but we can probably make it anything
23:25 < CrowX-> it can also be google drive
23:25 < Advarium> WinSCP is life
23:26 < djph> if you're a Windows Admin, I guess.
23:30 < CrowX-> It's windows desktops we'll be backing up
23:30 < CrowX-> and some mac os
23:31 < qman__> I use BackupPC, for windows I use the rsyncd method and deltacopy as the rsyncd server
23:32 < acos> dd is my fave backup
23:32 < acos> Wonder what compression ratio I can get with gzip
23:35 <+pppingme> acos don't forget, you can pass a -9 to gzip and it will compress tighter (of course at the expense of more cpu, time, etc..)
23:37 < acos> Sounds reasonable.
23:37 < acos> But can that gzipped image be mounted compressed?
23:47 < ||cw> the problem with dd for backups is that it's a full raw copy, including all the unreferenced data. though i guess that's actually a plus if your backup is for recovery/forensic purposes.
23:47 < SporkWitch> acos: rsync
23:48 < ||cw> and if your mount tool supports compression, you can mount it squashfs is one example
23:48 < ||cw> but mounting a gzipped ntfs image? not likely
23:50 < ||cw> but you could use fusecompress and copy your image into that and then mount the image from the fuse mounted
23:50 < ||cw> RIP your cpu and ram though
23:50 < koala_man> blerk, disk image based backups are not awesome
23:50 < koala_man> except for reimaging purposes
23:51 < koala_man> deltas are ridiculous, partial restore is annoying, and it requires either an lvm style snapshotting layer or taking the system offline
23:51 < ||cw> which they are completely awesome for, especially for blackbox systems like CNC controllers
23:51 < koala_man> indeed
23:53 < ||cw> oh dear. 11 year old UPS wants new batteries
23:53 < koala_man> I have two AAs if you want
23:54 < ||cw> what kind of boot converter would I need to get 2000VA from that?
23:54 < ||cw> boost^
23:56 <+pppingme> ||cw I could see mounting gzip'd ntfs as RO
--- Log closed Thu May 10 00:00:14 2018